powerdns-admin/powerdnsadmin/decorators.py

253 lines
7.5 KiB
Python
Raw Normal View History

import base64
import binascii
from functools import wraps
from flask import g, request, abort, current_app, render_template
from flask_login import current_user
from .models import User, ApiKey, Setting, Domain
from .lib.errors import RequestIsNotJSON, NotEnoughPrivileges
from .lib.errors import DomainAccessForbidden
def admin_role_required(f):
2018-08-31 04:57:06 +00:00
"""
Grant access if user is in Administrator role
"""
@wraps(f)
def decorated_function(*args, **kwargs):
if current_user.role.name != 'Administrator':
abort(403)
return f(*args, **kwargs)
return decorated_function
2018-08-31 04:57:06 +00:00
def operator_role_required(f):
"""
Grant access if user is in Operator role or higher
"""
@wraps(f)
def decorated_function(*args, **kwargs):
if current_user.role.name not in ['Administrator', 'Operator']:
abort(403)
2018-08-31 04:57:06 +00:00
return f(*args, **kwargs)
2018-08-31 04:57:06 +00:00
return decorated_function
def can_access_domain(f):
2018-08-31 04:57:06 +00:00
"""
Grant access if:
- user is in Operator role or higher, or
- user is in granted Account, or
- user is in granted Domain
"""
@wraps(f)
def decorated_function(*args, **kwargs):
if current_user.role.name not in ['Administrator', 'Operator']:
domain_name = kwargs.get('domain_name')
domain = Domain.query.filter(Domain.name == domain_name).first()
if not domain:
abort(404)
valid_access = Domain(id=domain.id).is_valid_access(
current_user.id)
if not valid_access:
abort(403)
return f(*args, **kwargs)
return decorated_function
def can_configure_dnssec(f):
2018-08-31 04:57:06 +00:00
"""
Grant access if:
- user is in Operator role or higher, or
- dnssec_admins_only is off
"""
@wraps(f)
def decorated_function(*args, **kwargs):
if current_user.role.name not in [
'Administrator', 'Operator'
] and Setting().get('dnssec_admins_only'):
abort(403)
return f(*args, **kwargs)
return decorated_function
def can_create_domain(f):
"""
Grant access if:
- user is in Operator role or higher, or
- allow_user_create_domain is on
"""
@wraps(f)
def decorated_function(*args, **kwargs):
if current_user.role.name not in [
'Administrator', 'Operator'
] and not Setting().get('allow_user_create_domain'):
abort(403)
2019-03-01 22:49:31 +00:00
return f(*args, **kwargs)
2019-03-01 22:49:31 +00:00
return decorated_function
def api_basic_auth(f):
@wraps(f)
def decorated_function(*args, **kwargs):
auth_header = request.headers.get('Authorization')
if auth_header:
auth_header = auth_header.replace('Basic ', '', 1)
try:
auth_header = str(base64.b64decode(auth_header), 'utf-8')
username, password = auth_header.split(":")
except binascii.Error as e:
current_app.logger.error(
'Invalid base64-encoded of credential. Error {0}'.format(
e))
abort(401)
2019-03-01 22:49:31 +00:00
except TypeError as e:
current_app.logger.error('Error: {0}'.format(e))
2019-03-01 22:49:31 +00:00
abort(401)
user = User(username=username,
password=password,
plain_text_password=password)
2019-03-01 22:49:31 +00:00
try:
auth_method = request.args.get('auth_method', 'LOCAL')
auth_method = 'LDAP' if auth_method != 'LOCAL' else 'LOCAL'
auth = user.is_validate(method=auth_method,
src_ip=request.remote_addr)
2019-03-01 22:49:31 +00:00
if not auth:
current_app.logger.error('Checking user password failed')
2019-03-01 22:49:31 +00:00
abort(401)
else:
user = User.query.filter(User.username == username).first()
2019-12-08 11:23:36 +00:00
current_user = user # lgtm [py/unused-local-variable]
2019-03-01 22:49:31 +00:00
except Exception as e:
current_app.logger.error('Error: {0}'.format(e))
2019-03-01 22:49:31 +00:00
abort(401)
else:
current_app.logger.error('Error: Authorization header missing!')
2019-03-01 22:49:31 +00:00
abort(401)
return f(*args, **kwargs)
2019-03-01 22:49:31 +00:00
return decorated_function
def is_json(f):
@wraps(f)
def decorated_function(*args, **kwargs):
if request.method in ['POST', 'PUT', 'PATCH']:
if not request.is_json:
raise RequestIsNotJSON()
return f(*args, **kwargs)
return decorated_function
2019-03-01 22:49:31 +00:00
def api_can_create_domain(f):
"""
Grant access if:
- user is in Operator role or higher, or
- allow_user_create_domain is on
"""
@wraps(f)
def decorated_function(*args, **kwargs):
if current_user.role.name not in [
'Administrator', 'Operator'
] and not Setting().get('allow_user_create_domain'):
2019-03-01 22:49:31 +00:00
msg = "User {0} does not have enough privileges to create domain"
current_app.logger.error(msg.format(current_user.username))
2019-03-01 22:49:31 +00:00
raise NotEnoughPrivileges()
return f(*args, **kwargs)
2019-03-01 22:49:31 +00:00
return decorated_function
def apikey_is_admin(f):
"""
Grant access if user is in Administrator role
"""
@wraps(f)
def decorated_function(*args, **kwargs):
if g.apikey.role.name != 'Administrator':
msg = "Apikey {0} does not have enough privileges to create domain"
current_app.logger.error(msg.format(g.apikey.id))
2019-03-01 22:49:31 +00:00
raise NotEnoughPrivileges()
return f(*args, **kwargs)
2019-03-01 22:49:31 +00:00
return decorated_function
def apikey_can_access_domain(f):
@wraps(f)
def decorated_function(*args, **kwargs):
apikey = g.apikey
if g.apikey.role.name not in ['Administrator', 'Operator']:
domains = apikey.domains
zone_id = kwargs.get('zone_id')
domain_names = [item.name for item in domains]
if zone_id not in domain_names:
raise DomainAccessForbidden()
return f(*args, **kwargs)
2019-03-01 22:49:31 +00:00
return decorated_function
def apikey_auth(f):
@wraps(f)
def decorated_function(*args, **kwargs):
auth_header = request.headers.get('X-API-KEY')
if auth_header:
try:
apikey_val = str(base64.b64decode(auth_header), 'utf-8')
except binascii.Error as e:
current_app.logger.error(
'Invalid base64-encoded of credential. Error {0}'.format(
e))
abort(401)
2019-03-01 22:49:31 +00:00
except TypeError as e:
current_app.logger.error('Error: {0}'.format(e))
2019-03-01 22:49:31 +00:00
abort(401)
apikey = ApiKey(key=apikey_val)
2019-03-01 22:49:31 +00:00
apikey.plain_text_password = apikey_val
try:
auth_method = 'LOCAL'
auth = apikey.is_validate(method=auth_method,
src_ip=request.remote_addr)
2019-03-01 22:49:31 +00:00
g.apikey = auth
except Exception as e:
current_app.logger.error('Error: {0}'.format(e))
2019-03-01 22:49:31 +00:00
abort(401)
else:
current_app.logger.error('Error: API key header missing!')
2019-03-01 22:49:31 +00:00
abort(401)
return f(*args, **kwargs)
return decorated_function
def dyndns_login_required(f):
@wraps(f)
def decorated_function(*args, **kwargs):
if current_user.is_authenticated is False:
return render_template('dyndns.html', response='badauth'), 200
return f(*args, **kwargs)
return decorated_function