tailbone/tailbone/auth.py

# -*- coding: utf-8; -*-
################################################################################
#
#  Rattail -- Retail Software Framework
#  Copyright © 2010-2021 Lance Edgar
#
#  This file is part of Rattail.
#
#  Rattail is free software: you can redistribute it and/or modify it under the
#  terms of the GNU General Public License as published by the Free Software
#  Foundation, either version 3 of the License, or (at your option) any later
#  version.
#
#  Rattail is distributed in the hope that it will be useful, but WITHOUT ANY
#  WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
#  FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
#  details.
#
#  You should have received a copy of the GNU General Public License along with
#  Rattail.  If not, see <http://www.gnu.org/licenses/>.
#
################################################################################
"""
Authentication & Authorization
"""

from __future__ import unicode_literals, absolute_import

import logging

from rattail import enum
from rattail.util import prettify, NOTSET

from zope.interface import implementer
from pyramid.interfaces import IAuthorizationPolicy
from pyramid.security import remember, forget, Everyone, Authenticated

from tailbone.db import Session


log = logging.getLogger(__name__)


def login_user(request, user, timeout=NOTSET):
    """
    Perform the steps necessary to login the given user.  Note that this
    returns a ``headers`` dict which you should pass to the redirect.
    """
    user.record_event(enum.USER_EVENT_LOGIN)
    headers = remember(request, user.uuid)
    if timeout is NOTSET:
        timeout = session_timeout_for_user(user)
    log.debug("setting session timeout for '{}' to {}".format(user.username, timeout))
    set_session_timeout(request, timeout)
    return headers


def logout_user(request):
    """
    Perform the logout action for the given request.  Note that this returns a
    ``headers`` dict which you should pass to the redirect.
    """
    user = request.user
    if user:
        user.record_event(enum.USER_EVENT_LOGOUT)
    request.session.delete()
    request.session.invalidate()
    headers = forget(request)
    return headers


def session_timeout_for_user(user):
    """
    Returns the "max" session timeout for the user, according to roles
    """
    from rattail.db.auth import authenticated_role

    roles = user.roles + [authenticated_role(Session())]
    timeouts = [role.session_timeout for role in roles
                if role.session_timeout is not None]
    if timeouts and 0 not in timeouts:
        return max(timeouts)


def set_session_timeout(request, timeout):
    """
    Set the server-side session timeout to the given value.
    """
    request.session['_timeout'] = timeout or None


@implementer(IAuthorizationPolicy)
class TailboneAuthorizationPolicy(object):

    def permits(self, context, principals, permission):
        config = context.request.rattail_config
        model = config.get_model()
        app = config.get_app()
        auth = app.get_auth_handler()

        for userid in principals:
            if userid not in (Everyone, Authenticated):
                if context.request.user and context.request.user.uuid == userid:
                    return context.request.has_perm(permission)
                else:
                    # this is pretty rare, but can happen in dev after
                    # re-creating the database, which means new user uuids.
                    # TODO: the odds of this query returning a user in that
                    # case, are probably nil, and we should just skip this bit?
                    user = Session.query(model.User).get(userid)
                    if user:
                        if auth.has_permission(Session(), user, permission):
                            return True
        if Everyone in principals:
            return auth.has_permission(Session(), None, permission)
        return False

    def principals_allowed_by_permission(self, context, permission):
        raise NotImplementedError


def add_permission_group(config, key, label=None, overwrite=True):
    """
    Add a permission group to the app configuration.
    """
    def action():
        perms = config.get_settings().get('tailbone_permissions', {})
        if key not in perms or overwrite:
            group = perms.setdefault(key, {'key': key})
            group['label'] = label or prettify(key)
        config.add_settings({'tailbone_permissions': perms})
    config.action(None, action)


def add_permission(config, groupkey, key, label=None):
    """
    Add a permission to the app configuration.
    """
    def action():
        perms = config.get_settings().get('tailbone_permissions', {})
        group = perms.setdefault(groupkey, {'key': groupkey})
        group.setdefault('label', prettify(groupkey))
        perm = group.setdefault('perms', {}).setdefault(key, {'key': key})
        perm['label'] = label or prettify(key)
        config.add_settings({'tailbone_permissions': perms})
    config.action(None, action)
Add logic to core View class, to force logout if user becomes inactive Also, expose "active sticky" field for user views 2017-03-27 21:37:45 -05:00			`# -- coding: utf-8; --`
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`################################################################################`
			`#`
			`# Rattail -- Retail Software Framework`
Invoke the auth handler to cache user permissions etc. various changes for sake of "synced" roles feature 2021-10-14 09:39:54 -05:00			`# Copyright © 2010-2021 Lance Edgar`
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`#`
			`# This file is part of Rattail.`
			`#`
			`# Rattail is free software: you can redistribute it and/or modify it under the`
Switch license to GPL v3 (no longer Affero) refs #2 2017-07-06 23:47:56 -05:00			`# terms of the GNU General Public License as published by the Free Software`
			`# Foundation, either version 3 of the License, or (at your option) any later`
			`# version.`
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`#`
			`# Rattail is distributed in the hope that it will be useful, but WITHOUT ANY`
			`# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
Switch license to GPL v3 (no longer Affero) refs #2 2017-07-06 23:47:56 -05:00			`# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more`
			`# details.`
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`#`
Switch license to GPL v3 (no longer Affero) refs #2 2017-07-06 23:47:56 -05:00			`# You should have received a copy of the GNU General Public License along with`
			`# Rattail. If not, see <http://www.gnu.org/licenses/>.`
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`#`
			`################################################################################`
			`"""`
			`Authentication & Authorization`
			`"""`

Remove last references to 'edbob' package 2016-10-09 21:12:13 -05:00			`from __future__ import unicode_literals, absolute_import`
Overhaul how available permissions are registered in app config. Permissions must now be regsistered just like routes and views. This should make things much nicer going forward. 2015-08-11 17:26:04 -05:00
Refactor logic used to login a user, for easier sharing 2017-02-11 17:08:27 -06:00			`import logging`

Record basic user login/logout events 2017-08-04 16:48:33 -05:00			`from rattail import enum`
Add way for `login_user()` to set different timeout depending on nature of login This was added for the sake of a "clock in/out" mechanism 2017-02-13 19:23:24 -06:00			`from rattail.util import prettify, NOTSET`
Overhaul how available permissions are registered in app config. Permissions must now be regsistered just like routes and views. This should make things much nicer going forward. 2015-08-11 17:26:04 -05:00
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`from zope.interface import implementer`
			`from pyramid.interfaces import IAuthorizationPolicy`
Add logic to core View class, to force logout if user becomes inactive Also, expose "active sticky" field for user views 2017-03-27 21:37:45 -05:00			`from pyramid.security import remember, forget, Everyone, Authenticated`
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00
Overhaul how available permissions are registered in app config. Permissions must now be regsistered just like routes and views. This should make things much nicer going forward. 2015-08-11 17:26:04 -05:00			`from tailbone.db import Session`
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00

Refactor logic used to login a user, for easier sharing 2017-02-11 17:08:27 -06:00			`log = logging.getLogger(__name__)`


Expose/honor per-role session timeouts 2017-02-21 13:12:23 -06:00			`def login_user(request, user, timeout=NOTSET):`
Refactor logic used to login a user, for easier sharing 2017-02-11 17:08:27 -06:00			`"""`
			`Perform the steps necessary to login the given user. Note that this`
			returns a ``headers`` dict which you should pass to the redirect.
			`"""`
Record basic user login/logout events 2017-08-04 16:48:33 -05:00			`user.record_event(enum.USER_EVENT_LOGIN)`
Refactor logic used to login a user, for easier sharing 2017-02-11 17:08:27 -06:00			`headers = remember(request, user.uuid)`
Add way for `login_user()` to set different timeout depending on nature of login This was added for the sake of a "clock in/out" mechanism 2017-02-13 19:23:24 -06:00			`if timeout is NOTSET:`
Expose/honor per-role session timeouts 2017-02-21 13:12:23 -06:00			`timeout = session_timeout_for_user(user)`
Refactor logic used to login a user, for easier sharing 2017-02-11 17:08:27 -06:00			`log.debug("setting session timeout for '{}' to {}".format(user.username, timeout))`
			`set_session_timeout(request, timeout)`
			`return headers`


Add logic to core View class, to force logout if user becomes inactive Also, expose "active sticky" field for user views 2017-03-27 21:37:45 -05:00			`def logout_user(request):`
			`"""`
			`Perform the logout action for the given request. Note that this returns a`
			``headers`` dict which you should pass to the redirect.
			`"""`
Record basic user login/logout events 2017-08-04 16:48:33 -05:00			`user = request.user`
			`if user:`
			`user.record_event(enum.USER_EVENT_LOGOUT)`
Add logic to core View class, to force logout if user becomes inactive Also, expose "active sticky" field for user views 2017-03-27 21:37:45 -05:00			`request.session.delete()`
			`request.session.invalidate()`
			`headers = forget(request)`
			`return headers`


Expose/honor per-role session timeouts 2017-02-21 13:12:23 -06:00			`def session_timeout_for_user(user):`
Refactor logic used to login a user, for easier sharing 2017-02-11 17:08:27 -06:00			`"""`
Expose/honor per-role session timeouts 2017-02-21 13:12:23 -06:00			`Returns the "max" session timeout for the user, according to roles`
Refactor logic used to login a user, for easier sharing 2017-02-11 17:08:27 -06:00			`"""`
Rearrange some imports to ensure `rattail.db.model` comes last this is necessary for Continuum versioning 2017-05-26 12:44:06 -05:00			`from rattail.db.auth import authenticated_role`

Expose/honor per-role session timeouts 2017-02-21 13:12:23 -06:00			`roles = user.roles + [authenticated_role(Session())]`
			`timeouts = [role.session_timeout for role in roles`
			`if role.session_timeout is not None]`
			`if timeouts and 0 not in timeouts:`
			`return max(timeouts)`
Refactor logic used to login a user, for easier sharing 2017-02-11 17:08:27 -06:00

			`def set_session_timeout(request, timeout):`
			`"""`
			`Set the server-side session timeout to the given value.`
			`"""`
			`request.session['_timeout'] = timeout or None`


Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`@implementer(IAuthorizationPolicy)`
			`class TailboneAuthorizationPolicy(object):`

			`def permits(self, context, principals, permission):`
Refactor to leverage all existing methods of auth handler instead of importing and calling functions from core rattail 2021-10-14 20:42:16 -05:00			`config = context.request.rattail_config`
			`model = config.get_model()`
			`app = config.get_app()`
			`auth = app.get_auth_handler()`

Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`for userid in principals:`
			`if userid not in (Everyone, Authenticated):`
Let any 'admin' user elevate to 'root' for full system access But otherwise, let the Administrator role be "normal" and have perms of its own. Hopefully cuts down on unwanted screen noise for admins. 2016-10-18 16:59:38 -05:00			`if context.request.user and context.request.user.uuid == userid:`
			`return context.request.has_perm(permission)`
			`else:`
Avoid unhelpful error when perm check happens for "re-created" DB user kind of an edge case, should only apply to dev 2020-09-20 16:32:44 -05:00			`# this is pretty rare, but can happen in dev after`
			`# re-creating the database, which means new user uuids.`
			`# TODO: the odds of this query returning a user in that`
			`# case, are probably nil, and we should just skip this bit?`
Let any 'admin' user elevate to 'root' for full system access But otherwise, let the Administrator role be "normal" and have perms of its own. Hopefully cuts down on unwanted screen noise for admins. 2016-10-18 16:59:38 -05:00			`user = Session.query(model.User).get(userid)`
			`if user:`
Invoke the auth handler to cache user permissions etc. various changes for sake of "synced" roles feature 2021-10-14 09:39:54 -05:00			`if auth.has_permission(Session(), user, permission):`
Let any 'admin' user elevate to 'root' for full system access But otherwise, let the Administrator role be "normal" and have perms of its own. Hopefully cuts down on unwanted screen noise for admins. 2016-10-18 16:59:38 -05:00			`return True`
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`if Everyone in principals:`
Refactor to leverage all existing methods of auth handler instead of importing and calling functions from core rattail 2021-10-14 20:42:16 -05:00			`return auth.has_permission(Session(), None, permission)`
Major overhaul for standalone operation. This removes some of the `edbob` reliance, as well as borrowing some templates and styling etc. from Dtail. 2013-09-01 17:31:50 -05:00			`return False`

			`def principals_allowed_by_permission(self, context, permission):`
			`raise NotImplementedError`
Overhaul how available permissions are registered in app config. Permissions must now be regsistered just like routes and views. This should make things much nicer going forward. 2015-08-11 17:26:04 -05:00

Add 'restart datasync' button to datasync changes list page. 2016-01-19 17:29:19 -06:00			`def add_permission_group(config, key, label=None, overwrite=True):`
Overhaul how available permissions are registered in app config. Permissions must now be regsistered just like routes and views. This should make things much nicer going forward. 2015-08-11 17:26:04 -05:00			`"""`
			`Add a permission group to the app configuration.`
			`"""`
			`def action():`
			`perms = config.get_settings().get('tailbone_permissions', {})`
Add 'restart datasync' button to datasync changes list page. 2016-01-19 17:29:19 -06:00			`if key not in perms or overwrite:`
			`group = perms.setdefault(key, {'key': key})`
			`group['label'] = label or prettify(key)`
Overhaul how available permissions are registered in app config. Permissions must now be regsistered just like routes and views. This should make things much nicer going forward. 2015-08-11 17:26:04 -05:00			`config.add_settings({'tailbone_permissions': perms})`
			`config.action(None, action)`


			`def add_permission(config, groupkey, key, label=None):`
			`"""`
			`Add a permission to the app configuration.`
			`"""`
			`def action():`
			`perms = config.get_settings().get('tailbone_permissions', {})`
			`group = perms.setdefault(groupkey, {'key': groupkey})`
			`group.setdefault('label', prettify(groupkey))`
			`perm = group.setdefault('perms', {}).setdefault(key, {'key': key})`
			`perm['label'] = label or prettify(key)`
			`config.add_settings({'tailbone_permissions': perms})`
			`config.action(None, action)`