Lock down OAuth2 views (ansible#434)
Doing this properly with RBAC depends on ansible#424. For now, we limit Application views to superusers. We limit Token views using a custom DRF permission class based on what was specified in AWX's access.py. This also fixes a problem in the activity stream tests where INSTALLED_APPS got permanently modified, which made other tests unpredictable. It also fixes a bug where token scope choices were previously limited to only one option. Signed-off-by: Rick Elrod <[email protected]> Co-authored-by: John Westcott IV <[email protected]>
1 parent
2a46956
commit 4d9be25
Showing
11 changed files
with
540 additions
and
22 deletions.
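--- a/ansible_base/oauth2_provider/migrations/0004_alter_oauth2accesstoken_scope.py
+++ b/ansible_base/oauth2_provider/migrations/0004_alter_oauth2accesstoken_scope.py
@@ -0,0 +1,19 @@
+# Generated by Django 4.2.11 on 2024-06-06 22:46
+
+import ansible_base.oauth2_provider.models.access_token
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dab_oauth2_provider', '0003_remove_oauth2application_logo_data'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='oauth2accesstoken',
+            name='scope',
+            field=models.CharField(default='write', help_text="Allowed scopes, further restricts user's permissions. Must be a simple space-separated string with allowed scopes ['read', 'write'].", max_length=32, validators=[ansible_base.oauth2_provider.models.access_token.validate_scope]),
+        ),
+    ]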
@@ -1,12 +1,12 @@ | ||
from rest_framework import permissions | ||
from rest_framework.viewsets import ModelViewSet | ||
|
||
from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView | ||
from ansible_base.lib.utils.views.permissions import IsSuperuserOrAuditor | ||
from ansible_base.oauth2_provider.models import OAuth2Application | ||
from ansible_base.oauth2_provider.serializers import OAuth2ApplicationSerializer | ||
|
||
|
||
class OAuth2ApplicationViewSet(AnsibleBaseDjangoAppApiView, ModelViewSet): | ||
queryset = OAuth2Application.objects.all() | ||
serializer_class = OAuth2ApplicationSerializer | ||
permission_classes = [permissions.IsAuthenticated] | ||
permission_classes = [IsSuperuserOrAuditor] |
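Review bot: The new `permission_classes = [IsSuperuserOrAuditor]` line names a class that, by its name, admits auditors as well as superusers, while the commit description says Application views are limited to superusers; on a ModelViewSet that also serves POST, PUT, PATCH and DELETE, an auditor could create, change or delete OAuth2 applications unless IsSuperuserOrAuditor (defined outside this hunk) restricts auditors to SAFE_METHODS. Please confirm that class is read-only for auditors, and make the intended policy visible at the point of use, e.g. `permission_classes = [IsSuperuserOrAuditor]  # auditors read-only; writes require superuser -- relies on IsSuperuserOrAuditor enforcing SAFE_METHODS`. If it does not enforce that, the viewset needs an additional write-time superuser check.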
@@ -0,0 +1,37 @@ | ||
from django.conf import settings | ||
from rest_framework.permissions import SAFE_METHODS, BasePermission | ||
|
||
|
||
class OAuth2TokenPermission(BasePermission): | ||
# An app token is a token that has an application attached to it | ||
# A personal access token (PAT) is a token with no application attached to it | ||
# With that in mind: | ||
# - An app token can be read, changed, or deleted if: | ||
# - I am the superuser | ||
# - I am the admin of the organization of the application of the token | ||
# - I am the user of the token | ||
# - An app token can be created if: | ||
# - I have read access to the application (currently this means: I am the superuser) | ||
# - A PAT can be read, changed, or deleted if: | ||
# - I am the superuser | ||
# - I am the user of the token | ||
# - A PAT can be created if: | ||
# - I am a user | ||
|
||
def has_permission(self, request, view): | ||
# Handle PAT and app token creation separately | ||
if request.method == 'POST': | ||
if request.data.get('application'): | ||
# TODO: Change this once ansible/django-ansible-base#424 is fixed | ||
return request.user.is_superuser | ||
return request.user.is_authenticated | ||
|
||
def has_object_permission(self, request, view, obj): | ||
if request.method in SAFE_METHODS and getattr(request.user, 'is_system_auditor', False): | ||
return True | ||
if request.user.is_superuser: | ||
return True | ||
if 'ansible_base.rbac' in settings.INSTALLED_APPS: | ||
if obj.application and obj.application.organization.access_qs(request.user, "change").exists(): | ||
return True | ||
return request.user == obj.user |
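Review bot: `has_permission` returns a value only inside the `if request.method == 'POST':` branch, so every other method (GET, PUT, PATCH, DELETE) falls off the end and returns `None`; DRF treats a falsy result from `has_permission` as a denial, so unless the view combines this class with another via `|`, authenticated users are refused before `has_object_permission` is ever consulted. Add an explicit fallthrough after the POST block, `return request.user.is_authenticated`, so the object-level rules below actually govern reads and updates of existing tokens. Separately, `request.data.get('application')` assumes a dict-like body, and `obj.application.organization.access_qs(...)` in `has_object_permission` raises AttributeError if an application's `organization` can be null — I can't tell from this hunk whether it is nullable; a guard such as `obj.application and obj.application.organization and obj.application.organization.access_qs(request.user, "change").exists()` keeps a malformed object or request from becoming a 500 instead of a clean denial.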