swh/web/auth/utils.py
# Copyright (C) 2020-2021 The Software Heritage developers | # Copyright (C) 2020-2021 The Software Heritage developers | ||||
# See the AUTHORS file at the top-level directory of this distribution | # See the AUTHORS file at the top-level directory of this distribution | ||||
# License: GNU Affero General Public License version 3, or any later version | # License: GNU Affero General Public License version 3, or any later version | ||||
# See top-level LICENSE file for more information | # See top-level LICENSE file for more information | ||||
from base64 import urlsafe_b64encode | from base64 import urlsafe_b64encode | ||||
from typing import List | |||||
from cryptography.fernet import Fernet | from cryptography.fernet import Fernet | ||||
from cryptography.hazmat.backends import default_backend | from cryptography.hazmat.backends import default_backend | ||||
from cryptography.hazmat.primitives import hashes | from cryptography.hazmat.primitives import hashes | ||||
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC | from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC | ||||
from django.http.request import HttpRequest | |||||
OIDC_SWH_WEB_CLIENT_ID = "swh-web" | OIDC_SWH_WEB_CLIENT_ID = "swh-web" | ||||
SWH_AMBASSADOR_PERMISSION = "swh.ambassador" | SWH_AMBASSADOR_PERMISSION = "swh.ambassador" | ||||
API_SAVE_ORIGIN_PERMISSION = "swh.web.api.save_origin" | |||||
def _get_fernet(password: bytes, salt: bytes) -> Fernet: | def _get_fernet(password: bytes, salt: bytes) -> Fernet: | ||||
""" | """ | ||||
Instantiate a Fernet system from a password and a salt value | Instantiate a Fernet system from a password and a salt value | ||||
(see https://cryptography.io/en/latest/fernet/). | (see https://cryptography.io/en/latest/fernet/). | ||||
Args: | Args: | ||||
▲ Show 20 Lines • Show All 43 Lines • ▼ Show 20 Lines | Args: | ||||
salt: value that will be used to generate a Fernet key | salt: value that will be used to generate a Fernet key | ||||
derivation function | derivation function | ||||
Returns: | Returns: | ||||
The decrypted data | The decrypted data | ||||
""" | """ | ||||
return _get_fernet(password, salt).decrypt(data) | return _get_fernet(password, salt).decrypt(data) | ||||
def privileged_user(request) -> bool: | def privileged_user(request: HttpRequest, permissions: List[str] = []) -> bool: | ||||
"""Determine whether a user is authenticated and is a privileged one (e.g ambassador). | """Determine whether a user is authenticated and is a privileged one (e.g ambassador). | ||||
This allows such user to have access to some more actions (e.g. bypass save code now | This allows such user to have access to some more actions (e.g. bypass save code now | ||||
review, access to 'archives' type...) | review, access to 'archives' type...). | ||||
A user is considered as privileged if he is a staff member or has any permission | |||||
from those provided as parameters. | |||||
Args: | |||||
request: Input django HTTP request | |||||
permissions: list of permission names to determine if user is privileged or not | |||||
Returns: | |||||
Whether the user is privileged or not. | |||||
""" | """ | ||||
user = request.user | user = request.user | ||||
return user.is_authenticated and ( | return user.is_authenticated and ( | ||||
user.is_staff or user.has_perm(SWH_AMBASSADOR_PERMISSION) | user.is_staff or any([user.has_perm(perm) for perm in permissions]) | ||||
) | ) |
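Review bot: The new signature of privileged_user uses a mutable default, `permissions: List[str] = []`; the body only reads it, so nothing is shared between calls today, but it is the classic B006 pitfall and an immutable default reads more safely, e.g. `permissions: Sequence[str] = ()` (adding `Sequence` to the existing `typing` import). In the return expression, `any([user.has_perm(perm) for perm in permissions])` materialises the whole list first, so every `has_perm` call runs even after one has returned True; the generator form `any(user.has_perm(perm) for perm in permissions)` short-circuits and reads the same. Note also that a caller still invoking `privileged_user(request)` with no permissions now gets a staff-only check, because the ambassador permission the old line tested is no longer implied by the default — presumably the call sites were updated in the same change, but that is worth confirming, and a docstring sentence stating that the default grants staff only would make the contract explicit. The surrounding file section is truncated above the shown lines.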