authorStevan Radaković <stevan.radakovic@linaro.org>2013-03-27 13:05:46 +0100
committerStevan Radaković <stevan.radakovic@linaro.org>2013-03-27 13:05:46 +0100
commite06e946525e259b9aa1a117344438b7f2c92eab5 (patch)
tree5dece603b9171f3127e24f8a7bf91906e8f291e6
parentf6e9d7be791b269967311ba281b5705361112669 (diff)
Introduce LDAP system based acl.
-rw-r--r--rhodecode/lib/helpers.py67
-rw-r--r--rhodecode/model/repo.py25
-rw-r--r--rhodecode/model/repos_group.py47
3 files changed, 139 insertions, 0 deletions
diff --git a/rhodecode/lib/helpers.py b/rhodecode/lib/helpers.py
index 2183ae69..0852f44a 100644
--- a/rhodecode/lib/helpers.py
+++ b/rhodecode/lib/helpers.py
@@ -1170,3 +1170,70 @@ def ip_range(ip_addr):
from rhodecode.model.db import UserIpMap
s, e = UserIpMap._get_ip_range(ip_addr)
return '%s - %s' % (s, e)
+
+
+class SystemCommand():
+
+ @classmethod
+ def execute(cls, cmd_args, with_sudo=True):
+ """Runs the command passed."""
+ if not isinstance(cmd_args, list):
+ cmd_args = list(cmd_args)
+ if with_sudo:
+ cmd_args.insert(0, "sudo")
+
+ with open(os.devnull, 'w') as tempf:
+ process = subprocess.Popen(cmd_args, stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ (stdout, stderr) = process.communicate()
+
+ if process.returncode != 0:
+ log.warn("Error executing command: '%s'. Reason: %s." %
+ (" ".join(cmd_args), stderr))
+ else:
+ log.debug("Sucess executing command %s. Output: %s" % (cmd_args,
+ stdout))
+
+ return stdout
+
+ @classmethod
+ def add_group(cls, groupname):
+ cmd_args = ["groupadd", groupname]
+ cls.execute(cmd_args)
+
+ @classmethod
+ def rename_group(cls, groupname, newgroupname):
+ cmd_args = ["groupmod", "-n", newgroupname, groupname]
+ cls.execute(cmd_args)
+
+ @classmethod
+ def delete_group(cls, groupname):
+ cmd_args = ["groupdel", groupname]
+ cls.execute(cmd_args)
+
+ @classmethod
+ def add_user(cls, username):
+ cmd_args = ["adduser", "--disabled-password", "--force-badname",
+ "--quiet", "--gecos", "''", username]
+ cls.execute(cmd_args)
+
+ @classmethod
+ def add_user_to_group(cls, groupname, username):
+ cmd_args = ["gpasswd", "-a", username, groupname]
+ cls.execute(cmd_args)
+
+ @classmethod
+ def remove_user_from_group(cls, groupname, username):
+ cmd_args = ["gpasswd", "-d", username, groupname]
+ cls.execute(cmd_args)
+
+ @classmethod
+ def get_group_members(cls, groupname):
+ cmd_args = ["members", "--all", groupname]
+ try:
+ output = cls.execute(cmd_args)
+ users = set(output.split())
+ return users
+ except:
+ return {}
+
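Review bot: `execute` passes caller-built group and user names straight to a `sudo` command; the callers derive them from repository names and usernames, and nothing in `add_group`, `add_user` or `add_user_to_group` checks that a name is a valid account name, so a value starting with `-` would be read by `groupadd`/`gpasswd` as an option rather than a name. Guard them with a conservative pattern before invoking, e.g. `if not re.match(r'^[A-Za-z0-9_.][A-Za-z0-9_.-]*$', name): raise ValueError("invalid system name: %r" % name)` (`re` must be in scope). A non-zero `returncode` is only logged in `execute`, so callers such as `add_group` cannot tell that the system-side ACL change failed and the database and the system group diverge silently; returning `process.returncode` or raising would let the models react. `get_group_members` returns `set(...)` on success but `{}` — an empty dict — from its bare `except:`, which should be `except OSError:` returning `set()`. The `with open(os.devnull, 'w') as tempf:` is unused because both streams go to `subprocess.PIPE`, and the hunk relies on `os`, `subprocess` and `log` already being imported in helpers.py, which the diff does not show.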
diff --git a/rhodecode/model/repo.py b/rhodecode/model/repo.py
index 18db88ce..b18110c1 100644
--- a/rhodecode/model/repo.py
+++ b/rhodecode/model/repo.py
@@ -508,6 +508,16 @@ class RepoModel(BaseModel):
self.sa.add(obj)
log.debug('Granted perm %s to %s on %s' % (perm, user, repo))
+ system_group_name = "%s-%s" % (repo.repo_name.rsplit("/",1),
+ repo.repo_id)
+ SystemCommand.add_user_to_group(system_group_name, user.username)
+ repo_path = os.path.join(self.repos_path, repo.repo_name)
+ if user.username=="default":
+ if perm.permission_name in ["group.none", "group.read"]:
+ os.chmod(repo_path, 0775)
+ else:
+ os.chmod(repo_path, 0777)
+
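Review bot: `repo.repo_name.rsplit("/",1)` returns a list, so `system_group_name` is the `str()` of that list rather than the last path component, e.g. `"['a', 'b']-7"` (constructed); it needs `[-1]`: `system_group_name = "%s-%s" % (repo.repo_name.rsplit("/", 1)[-1], repo.repo_id)`. The same expression recurs in the three later hunks of repo.py and in the delete, create, update, grant and revoke hunks of repos_group.py. The `chmod` branch compares `perm.permission_name` with `group.none`/`group.read`, but the repos_group hunk that rewrites `group.` to `repository.` suggests repository permissions are named `repository.*`, in which case the check never matches here and every grant to `default` falls to `0777`; even where it matches, `group.none` still yields `0775`, which leaves the tree readable by others. Since the commit gives each repository a dedicated system group, setting the directory's owning group to it and using `0770`/`0775` without the world-write bit would express the intended ACL. The enclosing method (presumably `grant_user_permission`) starts before the hunk, and the diff does not show `SystemCommand` or `os` being imported into repo.py.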
def revoke_user_permission(self, repo, user):
"""
Revoke permission for user on given repository
@@ -527,6 +537,10 @@ class RepoModel(BaseModel):
self.sa.delete(obj)
log.debug('Revoked perm on %s on %s' % (repo, user))
+ system_group_name = "%s-%s" % (repo.repo_name.rsplit("/",1),
+ repo.repo_id)
+ SystemCommand.remove_user_from_group(system_group_name, user.username)
+
def grant_users_group_permission(self, repo, group_name, perm):
"""
Grant permission for users group on given repository, or update
@@ -557,6 +571,11 @@ class RepoModel(BaseModel):
self.sa.add(obj)
log.debug('Granted perm %s to %s on %s' % (perm, group_name, repo))
+ system_group_name = "%s-%s" % (repo.repo_name.rsplit("/",1),
+ repo.repo_id)
+ for user in group_name.members:
+ SystemCommand.add_user_to_group(system_group_name, user.username)
+
def revoke_users_group_permission(self, repo, group_name):
"""
Revoke permission for users group on given repository
@@ -576,6 +595,12 @@ class RepoModel(BaseModel):
self.sa.delete(obj)
log.debug('Revoked perm to %s on %s' % (repo, group_name))
+ system_group_name = "%s-%s" % (repo.repo_name.rsplit("/",1),
+ repo.repo_id)
+ for user in group_name.members:
+ SystemCommand.remove_user_from_group(system_group_name,
+ user.username)
+
def delete_stats(self, repo_name):
"""
removes stats for given repo
diff --git a/rhodecode/model/repos_group.py b/rhodecode/model/repos_group.py
index d4162b39..50617d30 100644
--- a/rhodecode/model/repos_group.py
+++ b/rhodecode/model/repos_group.py
@@ -30,6 +30,7 @@ import shutil
import datetime
from rhodecode.lib.utils2 import LazyProperty
+from rhodecode.lib.helpers import SystemCommand
from rhodecode.model import BaseModel
from rhodecode.model.db import RepoGroup, RhodeCodeUi, UserRepoGroupToPerm, \
@@ -92,6 +93,7 @@ class ReposGroupModel(BaseModel):
raise Exception('That directory already exists !')
os.makedirs(create_path)
+ os.chmod(create_path, 0775)
def __rename_group(self, old, new):
"""
@@ -140,6 +142,10 @@ class ReposGroupModel(BaseModel):
group.name)
shutil.move(rm_path, os.path.join(self.repos_path, _d))
+ system_group_name = "%s-%s" % (group.group_name.rsplit("/",1),
+ group.group_id)
+ SystemCommand.delete_group(system_group_name)
+
def create(self, group_name, group_description, parent=None, just_db=False):
try:
new_repos_group = RepoGroup()
@@ -156,6 +162,11 @@ class ReposGroupModel(BaseModel):
self.sa.flush()
self.__create_group(new_repos_group.group_name)
+ # Create corresponding system group.
+ system_group_name = "%s-%s" % (group_name.rsplit("/",1),
+ new_repos_group.group_id)
+ SystemCommand.add_group(system_group_name)
+
return new_repos_group
except:
log.error(traceback.format_exc())
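Review bot: The system group is created here, but nothing in this diff sets the owning group of the directory created by `__create_group` to it — that helper only does `os.makedirs` plus `os.chmod(create_path, 0775)` in the earlier hunk — so membership in `system_group_name` has no effect on filesystem access unless ownership is set elsewhere. After `add_group`, something like `os.chown(path, -1, grp.getgrnam(system_group_name).gr_gid)` (with `grp` imported) would bind the directory to the group. Note also that this block sits inside `create`'s `try`, whose `except:` only logs, so a failed command or an error in building the name is not reported to the caller; the enclosing method continues past the hunk.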
@@ -175,6 +186,10 @@ class ReposGroupModel(BaseModel):
repos_group=obj, user=user, perm=perm
)
elif isinstance(obj, Repository):
+ #we do this ONLY IF repository is non-private
+ if obj.private:
+ return
+
# we set group permission but we have to switch to repo
# permission
perm = perm.replace('group.', 'repository.')
@@ -199,6 +214,7 @@ class ReposGroupModel(BaseModel):
% (repos_group, recursive))
for obj in repos_group.recursive_groups_and_repos():
+ #obj is an instance of a group or repositories in that group
if not recursive:
obj = repos_group
@@ -262,6 +278,12 @@ class ReposGroupModel(BaseModel):
self.__rename_group(old_path, new_path)
+ old_system_name = "%s-%s" % (old_path.rsplit("/",1),
+ repos_group.group_id)
+ new_system_name = "%s-%s" % (new_path.rsplit("/",1),
+ repos_group.group_id)
+ SystemCommand.rename_group(old_system_name, new_system_name)
+
return repos_group
except:
log.error(traceback.format_exc())
@@ -344,6 +366,16 @@ class ReposGroupModel(BaseModel):
self.sa.add(obj)
log.debug('Granted perm %s to %s on %s' % (perm, user, repos_group))
+ system_group_name = "%s-%s" % (repos_group.group_name.rsplit("/",1),
+ repos_group.group_id)
+ SystemCommand.add_user_to_group(system_group_name, user.username)
+ group_path = os.path.join(self.repos_path, repos_group.group_name)
+ if user.username=="default":
+ if perm.permission_name in ["group.none", "group.read"]:
+ os.chmod(group_path, 0775)
+ else:
+ os.chmod(group_path, 0777)
+
def revoke_user_permission(self, repos_group, user):
"""
Revoke permission for user on given repositories group
@@ -364,6 +396,10 @@ class ReposGroupModel(BaseModel):
self.sa.delete(obj)
log.debug('Revoked perm on %s on %s' % (repos_group, user))
+ system_group_name = "%s-%s" % (repos_group.group_name.rsplit("/",1),
+ repos_group.group_id)
+ SystemCommand.remove_user_from_group(system_group_name, user.username)
+
def grant_users_group_permission(self, repos_group, group_name, perm):
"""
Grant permission for users group on given repositories group, or update
@@ -395,6 +431,11 @@ class ReposGroupModel(BaseModel):
self.sa.add(obj)
log.debug('Granted perm %s to %s on %s' % (perm, group_name, repos_group))
+ system_group_name = "%s-%s" % (repos_group.group_name.rsplit("/",1),
+ repos_group.group_id)
+ for user in group_name.members:
+ SystemCommand.add_user_to_group(system_group_name, user.username)
+
def revoke_users_group_permission(self, repos_group, group_name):
"""
Revoke permission for users group on given repositories group
@@ -414,3 +455,9 @@ class ReposGroupModel(BaseModel):
if obj:
self.sa.delete(obj)
log.debug('Revoked perm to %s on %s' % (repos_group, group_name))
+
+ system_group_name = "%s-%s" % (repos_group.group_name.rsplit("/",1),
+ repos_group.group_id)
+ for user in group_name.members:
+ SystemCommand.remove_user_from_group(system_group_name,
+ user.username)