diff options
Diffstat (limited to 'server/src/leap/soledad/server/auth.py')
-rw-r--r-- | server/src/leap/soledad/server/auth.py | 61 |
1 files changed, 26 insertions, 35 deletions
diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py index 3bcfcf04..0ae49576 100644 --- a/server/src/leap/soledad/server/auth.py +++ b/server/src/leap/soledad/server/auth.py @@ -32,6 +32,13 @@ from couchdb.client import Server from twisted.python import log +from leap.soledad.common import ( + SHARED_DB_NAME, + SHARED_DB_LOCK_DOC_ID_PREFIX, + USER_DB_PREFIX, +) + + #----------------------------------------------------------------------------- # Authentication #----------------------------------------------------------------------------- @@ -52,7 +59,7 @@ class URLToAuthorization(object): HTTP_METHOD_DELETE = 'DELETE' HTTP_METHOD_POST = 'POST' - def __init__(self, uuid, shared_db_name, user_db_prefix): + def __init__(self, uuid): """ Initialize the mapper. @@ -61,16 +68,13 @@ class URLToAuthorization(object): @param uuid: The user uuid. @type uuid: str - @param shared_db_name: The name of the shared database that holds - user's encrypted secrets. - @type shared_db_name: str @param user_db_prefix: The string prefix of users' databases. @type user_db_prefix: str """ self._map = Mapper(controller_scan=None) - self._user_db_prefix = user_db_prefix - self._shared_db_name = shared_db_name - self._register_auth_info(self._uuid_dbname(uuid)) + self._user_db_name = "%s%s" % (USER_DB_PREFIX, uuid) + self._uuid = uuid + self._register_auth_info() def is_authorized(self, environ): """ @@ -99,22 +103,10 @@ class URLToAuthorization(object): conditions=dict(method=http_methods), requirements={'dbname': DBNAME_CONSTRAINTS}) - def _uuid_dbname(self, uuid): - """ - Return the database name corresponding to C{uuid}. - - @param uuid: The user uid. - @type uuid: str - - @return: The database name corresponding to C{uuid}. - @rtype: str - """ - return '%s%s' % (self._user_db_prefix, uuid) - - def _register_auth_info(self, dbname): + def _register_auth_info(self): """ - Register the authorization info in the mapper using C{dbname} as the - user's database name. + Register the authorization info in the mapper using C{SHARED_DB_NAME} + as the user's database name. This method sets up the following authorization rules: @@ -123,35 +115,37 @@ class URLToAuthorization(object): / | GET /shared-db | GET /shared-db/docs | - - /shared-db/doc/{id} | GET, PUT, DELETE + /shared-db/doc/{any_id} | GET, PUT, DELETE /shared-db/sync-from/{source} | - + /shared-db/lock/{uuid} | PUT, DELETE /user-db | GET, PUT, DELETE /user-db/docs | - /user-db/doc/{id} | - /user-db/sync-from/{source} | GET, PUT, POST - - @param dbname: The name of the user's database. - @type dbname: str """ # auth info for global resource self._register('/', [self.HTTP_METHOD_GET]) # auth info for shared-db database resource self._register( - '/%s' % self._shared_db_name, + '/%s' % SHARED_DB_NAME, [self.HTTP_METHOD_GET]) # auth info for shared-db doc resource self._register( - '/%s/doc/{id:.*}' % self._shared_db_name, + '/%s/doc/{id:.*}' % SHARED_DB_NAME, [self.HTTP_METHOD_GET, self.HTTP_METHOD_PUT, self.HTTP_METHOD_DELETE]) + # auth info for shared-db lock resource + self._register( + '/%s/lock/%s' % (SHARED_DB_NAME, self._uuid), + [self.HTTP_METHOD_PUT, self.HTTP_METHOD_DELETE]) # auth info for user-db database resource self._register( - '/%s' % dbname, + '/%s' % self._user_db_name, [self.HTTP_METHOD_GET, self.HTTP_METHOD_PUT, self.HTTP_METHOD_DELETE]) # auth info for user-db sync resource self._register( - '/%s/sync-from/{source_replica_uid}' % dbname, + '/%s/sync-from/{source_replica_uid}' % self._user_db_name, [self.HTTP_METHOD_GET, self.HTTP_METHOD_PUT, self.HTTP_METHOD_POST]) # generate the regular expressions @@ -165,7 +159,7 @@ class SoledadAuthMiddleware(object): This class must be extended to implement specific authentication methods (see SoledadTokenAuthMiddleware below). - It expects an HTTP_AUTHORIZATION header containing the the concatenation of + It expects an HTTP_AUTHORIZATION header containing the concatenation of the following strings: 1. The authentication scheme. It will be verified by the @@ -342,10 +336,7 @@ class SoledadAuthMiddleware(object): over the requested db. @rtype: bool """ - return URLToAuthorization( - uuid, self._app.SHARED_DB_NAME, - self._app.USER_DB_PREFIX - ).is_authorized(environ) + return URLToAuthorization(uuid).is_authorized(environ) @abstractmethod def _get_auth_error_string(self): |