This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch master in repository x2gobroker. from ca8e8bd debian/changelog: merge in changes from release/0.0.3.x branch. new 0f1e50d debian/x2gobroker-ssh.prerm: Replace header (was: postrm API, now: prerm API). new 358ba52 x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3. new 134ecd6 unit tests: Fix deep misunderstanding in the way allow-deny vs. deny-allow should actually work. new 75bc19e x2gobroker/brokers/base_broker.py: Entire rewrite of check_profile_acls() method. (Fixes: #1234). The 4 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Summary of changes: debian/changelog | 5 + debian/x2gobroker-ssh.prerm | 19 ++- x2gobroker/basicauth.py | 2 +- x2gobroker/brokers/base_broker.py | 48 +++---- x2gobroker/tests/test_broker_base.py | 213 ++++++++++++++++++++++++-------- x2gobroker/tests/test_broker_inifile.py | 8 +- 6 files changed, 198 insertions(+), 97 deletions(-) -- Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 0f1e50d9d064faad9e273d12cb8bd4144d2c125b Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Tue Feb 6 23:37:29 2018 +0100 debian/x2gobroker-ssh.prerm: Replace header (was: postrm API, now: prerm API). --- debian/x2gobroker-ssh.prerm | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/debian/x2gobroker-ssh.prerm b/debian/x2gobroker-ssh.prerm index 0361558..4b096c4 100755 --- a/debian/x2gobroker-ssh.prerm +++ b/debian/x2gobroker-ssh.prerm @@ -2,16 +2,15 @@ # prerm script for x2gobroker-ssh # # see: dh_installdeb(1) -# summary of how this script can be called: -# * <postrm> `remove' -# * <postrm> `purge' -# * <old-postrm> `upgrade' <new-version> -# * <new-postrm> `failed-upgrade' <old-version> -# * <new-postrm> `abort-install' -# * <new-postrm> `abort-install' <old-version> -# * <new-postrm> `abort-upgrade' <old-version> -# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version> -# for details, see /usr/share/doc/packaging-manual/ +# * <prerm> `remove' +# * <old-prerm> `upgrade' <new-version> +# * <new-prerm> `failed-upgrade' <old-version> +# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version> +# * <deconfigured's-prerm> `deconfigure' `in-favour' +# <package-being-installed> <version> `removing' +# <conflicting-package> <version> +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package set -e -- Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 358ba529c0c24ff54c946870e22810a4182ba560 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Mon Feb 12 14:15:26 2018 +0100 x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3. --- debian/changelog | 1 + x2gobroker/basicauth.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index ab4ba30..c9ea885 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,7 @@ x2gobroker (0.0.4.0-0x2go1) UNRELEASED; urgency=medium - Drop left-over debug print() call. - Makefile: Assure that setup.py is run under Python3. - Improve debugging messages during authentication phase. + - x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3. * debian/{control,compat}: Bump to DH version level 9. * debian/{control,x2gobroker-common.install}: + Split out common files into non-Pythonian bin:pkg. diff --git a/x2gobroker/basicauth.py b/x2gobroker/basicauth.py index 9a79935..4ae0620 100644 --- a/x2gobroker/basicauth.py +++ b/x2gobroker/basicauth.py @@ -39,7 +39,7 @@ def require_basic_auth(realm, validate_callback): if auth_header is None or not auth_header.startswith('Basic '): create_auth_header() else: - auth_decoded = base64.decodestring(auth_header[6:]) + auth_decoded = base64.decodestring(auth_header[6:].encode()).decode() username, kwargs['basicauth_pass'] = [ s for s in auth_decoded.split(':', 2) ] kwargs['basicauth_user'], access = validate_callback(username, kwargs['basicauth_pass']) if access: -- Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
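Review bot: `base64.decodestring` is deprecated since Python 3.1 and removed in 3.9, so the new line still raises AttributeError on current interpreters; use `auth_decoded = base64.b64decode(auth_header[6:]).decode()` (or `base64.decodebytes` on the encoded bytes). The decode also has no error handling: a header whose payload is not valid base64 or not UTF-8 raises `binascii.Error`/`UnicodeDecodeError` from an unauthenticated request, and the following `split(':', 2)` unpack raises `ValueError` when the decoded string has no colon or the password itself contains one — `username, kwargs['basicauth_pass'] = auth_decoded.split(':', 1)` is the correct split for basic auth. Catching those three exceptions and taking the same `create_auth_header()` path as a missing header keeps malformed credentials on the challenge path instead of a traceback (`binascii` would need importing if the module does not already). require_basic_auth begins outside the hunk.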
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 134ecd67987109ad69e7e33029d08e5132ddfe4e Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Mon Feb 12 14:21:37 2018 +0100 unit tests: Fix deep misunderstanding in the way allow-deny vs. deny-allow should actually work. --- debian/changelog | 2 + x2gobroker/tests/test_broker_base.py | 213 ++++++++++++++++++++++++-------- x2gobroker/tests/test_broker_inifile.py | 8 +- 3 files changed, 166 insertions(+), 57 deletions(-) diff --git a/debian/changelog b/debian/changelog index c9ea885..2d7940e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,8 @@ x2gobroker (0.0.4.0-0x2go1) UNRELEASED; urgency=medium - Makefile: Assure that setup.py is run under Python3. - Improve debugging messages during authentication phase. - x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3. + - Unit tests: Fix deep misunderstanding in the way allow-deny vs. + deny-allow should actually work. * debian/{control,compat}: Bump to DH version level 9. * debian/{control,x2gobroker-common.install}: + Split out common files into non-Pythonian bin:pkg. diff --git a/x2gobroker/tests/test_broker_base.py b/x2gobroker/tests/test_broker_base.py index cb05742..fc132eb 100644 --- a/x2gobroker/tests/test_broker_base.py +++ b/x2gobroker/tests/test_broker_base.py 
@@ -413,25 +413,25 @@ require-password = false 'acl-users-deny': ['ALL'], 'acl-users-order': 'deny-allow', } - self.assertEqual(base_backend.check_profile_acls(username, acls), True) + self.assertEqual(base_backend.check_profile_acls(username, acls), False) acls = { 'acl-users-allow': ['foo'], 'acl-users-deny': ['ALL'], 'acl-users-order': 'allow-deny', } - self.assertEqual(base_backend.check_profile_acls(username, acls), False) + self.assertEqual(base_backend.check_profile_acls(username, acls), True) acls = { 'acl-users-allow': ['ALL'], 'acl-users-deny': ['foo'], 'acl-users-order': 'deny-allow', } - self.assertEqual(base_backend.check_profile_acls(username, acls), True) + self.assertEqual(base_backend.check_profile_acls(username, acls), False) acls = { 'acl-users-allow': ['ALL'], 'acl-users-deny': ['foo'], 'acl-users-order': 'allow-deny', } - self.assertEqual(base_backend.check_profile_acls(username, acls), False) + self.assertEqual(base_backend.check_profile_acls(username, acls), True) def test_testsuite_nameservice(self): 
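Review bot: The flipped expectations define `acl-*-order` as first-match-wins in the named order — with deny-allow, `deny ['ALL']` blocks the user (presumably `'foo'`) even though `foo` is in the allow list — which is the opposite of Apache's `Order deny,allow`, where a later allow overrides an earlier deny and unmatched clients are permitted. If that vocabulary was borrowed from Apache, a comment at the top of this test, e.g. `# order is first-match-wins: deny-allow checks deny first, allow-deny checks allow first; no match denies`, would stop the same misunderstanding recurring for administrators reading the tests as documentation. The enclosing test method starts above the hunk.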
@@ -483,27 +483,54 @@ enable = true } self.assertEqual(base_backend.check_profile_acls(username, acls), True) acls = { + 'acl-groups-allow': ['female'], + 'acl-groups-order': 'deny-allow', + } + self.assertEqual(base_backend.check_profile_acls(username, acls), False) + acls = { 'acl-groups-allow': ['ALL'], 'acl-groups-order': 'allow-deny', } self.assertEqual(base_backend.check_profile_acls(username, acls), True) acls = { - 'acl-groups-allow': [], + 'acl-groups-allow': ['male'], + 'acl-groups-order': 'allow-deny', + } + self.assertEqual(base_backend.check_profile_acls(username, acls), True) + acls = { + 'acl-groups-allow': ['female'], + 'acl-groups-order': 'allow-deny', + } + self.assertEqual(base_backend.check_profile_acls(username, acls), False) + + acls = { 'acl-groups-deny': ['ALL'], - 'acl-groups-order': 'deny-allow', + 'acl-groups-order': 'allow-deny', + } + self.assertEqual(base_backend.check_profile_acls(username, acls), False) + acls = { + 'acl-groups-deny': ['male'], + 'acl-groups-order': 'allow-deny', + } + self.assertEqual(base_backend.check_profile_acls(username, acls), False) + acls = { + 'acl-groups-deny': ['female'], + 'acl-groups-order': 'allow-deny', } self.assertEqual(base_backend.check_profile_acls(username, acls), False) acls = { - 'acl-groups-allow': [], 'acl-groups-deny': ['ALL'], 'acl-groups-order': 'deny-allow', } - # now we set acl-users-allow to [] and we block all groups self.assertEqual(base_backend.check_profile_acls(username, acls), False) acls = { - 'acl-groups-allow': [], - 'acl-groups-deny': ['ALL'], - 'acl-groups-order': 'allow-deny', + 'acl-groups-deny': ['male'], + 'acl-groups-order': 'deny-allow', + } + self.assertEqual(base_backend.check_profile_acls(username, acls), False) + acls = { + 'acl-groups-deny': ['female'], + 'acl-groups-order': 'deny-allow', } self.assertEqual(base_backend.check_profile_acls(username, acls), False) 
@@ -511,6 +538,75 @@ enable = true username_f = 'flip' # is a male grasshopper username_m = 'maja' # is a female bee username_w = 'willi' # is a drone (male bee) + + # first with order: deny-allow + _config_defaults = copy.deepcopy(x2gobroker.defaults.X2GOBROKER_CONFIG_DEFAULTS) + _config = """ +[global] +default-user-db = testsuite +default-group-db = testsuite + +[broker_base] +enable = true +""" + tf = tempfile.NamedTemporaryFile(mode='w') + tf.write(_config) + tf.seek(0) + base_backend = base.X2GoBroker(config_file=tf.name, config_defaults=_config_defaults) + acls = { + 'acl-groups-deny': ['bees','flip'], + 'acl-groups-allow': ['ALL'], + 'acl-groups-order': 'deny-allow', + } + self.assertEqual(base_backend.check_profile_acls(username_m, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), False) + _config_defaults = copy.deepcopy(x2gobroker.defaults.X2GOBROKER_CONFIG_DEFAULTS) + _config = """ +[global] +default-user-db = testsuite +default-group-db = testsuite +ignore-primary-group-memberships = true + +[broker_base] +enable = true +""" + tf = tempfile.NamedTemporaryFile(mode='w') + tf.write(_config) + tf.seek(0) + base_backend = base.X2GoBroker(config_file=tf.name, config_defaults=_config_defaults) + acls = { + 'acl-groups-deny': ['bees','flip'], + 'acl-groups-allow': ['ALL'], + 'acl-groups-order': 'deny-allow', + } + self.assertEqual(base_backend.check_profile_acls(username_m, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), False) + _config_defaults = copy.deepcopy(x2gobroker.defaults.X2GOBROKER_CONFIG_DEFAULTS) + _config = """ +[global] +default-user-db = testsuite +default-group-db = testsuite +ignore-primary-group-memberships = false + +[broker_base] +enable = true +""" + tf = tempfile.NamedTemporaryFile(mode='w') + tf.write(_config) + 
tf.seek(0) + base_backend = base.X2GoBroker(config_file=tf.name, config_defaults=_config_defaults) + acls = { + 'acl-groups-deny': ['bees','flip'], + 'acl-groups-allow': ['ALL'], + 'acl-groups-order': 'deny-allow', + } + self.assertEqual(base_backend.check_profile_acls(username_m, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), False) + + # now with order: allow-deny _config_defaults = copy.deepcopy(x2gobroker.defaults.X2GOBROKER_CONFIG_DEFAULTS) _config = """ [global] @@ -527,7 +623,7 @@ enable = true acls = { 'acl-groups-allow': ['bees','flip'], 'acl-groups-deny': ['ALL'], - 'acl-groups-order': 'deny-allow', + 'acl-groups-order': 'allow-deny', } self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) @@ -549,7 +645,7 @@ enable = true acls = { 'acl-groups-allow': ['bees','flip'], 'acl-groups-deny': ['ALL'], - 'acl-groups-order': 'deny-allow', + 'acl-groups-order': 'allow-deny', } self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) @@ -571,7 +667,7 @@ enable = true acls = { 'acl-groups-allow': ['bees','flip'], 'acl-groups-deny': ['ALL'], - 'acl-groups-order': 'deny-allow', + 'acl-groups-order': 'allow-deny', } self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) 
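Review bot: The three setup blocks added here differ only in the `ignore-primary-group-memberships` line of `_config`, and the same pattern repeats in the allow-deny half below the hunk; a small helper taking the extra `[global]` line and returning the broker would reduce each expectation set to its assertions. Each `tempfile.NamedTemporaryFile` is also dropped when `tf` is rebound, which closes and unlinks the file while the broker built from `tf.name` is still in use — harmless if `base.X2GoBroker` reads the config in its constructor, but worth a `with` block or keeping the handles alive if it reads lazily. The enclosing test method starts before the hunk.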
@@ -599,33 +695,33 @@ enable = true 'acl-groups-deny': ['ALL'], 'acl-groups-order': 'deny-allow', } - self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_m, acls), False) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) - self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), False) acls = { 'acl-groups-allow': ['ALL'], 'acl-groups-deny': ['bees'], 'acl-groups-order': 'allow-deny', } - self.assertEqual(base_backend.check_profile_acls(username_m, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_w, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) acls = { 'acl-groups-allow': ['ALL'], 'acl-groups-deny': ['bees'], 'acl-groups-order': 'deny-allow', } - self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_m, acls), False) self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), False) acls = { 'acl-groups-allow': ['bees'], 'acl-groups-deny': ['ALL'], 'acl-groups-order': 'allow-deny', } - self.assertEqual(base_backend.check_profile_acls(username_m, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) - self.assertEqual(base_backend.check_profile_acls(username_w, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) acls = { 'acl-groups-allow': ['male'], 'acl-groups-deny': ['bees'], 
@@ -633,7 +729,7 @@ enable = true } self.assertEqual(base_backend.check_profile_acls(username_m, acls), False) self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), False) acls = { 'acl-groups-allow': ['male'], 'acl-groups-deny': ['bees'], @@ -641,7 +737,7 @@ enable = true } self.assertEqual(base_backend.check_profile_acls(username_m, acls), False) self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_w, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) def test_checkprofileacls_userandgroup_combitests(self): _config_defaults = copy.deepcopy(x2gobroker.defaults.X2GOBROKER_CONFIG_DEFAULTS) @@ -673,7 +769,7 @@ enable = true self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_t, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_t, acls), False) self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) acls = { 'acl-users-allow': ['flip'], @@ -686,7 +782,7 @@ enable = true self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_t, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_t, acls), True) self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) acls = { 'acl-users-allow': ['flip'], 
@@ -699,7 +795,7 @@ enable = true self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_t, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_t, acls), True) self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) acls = { 'acl-users-allow': [], @@ -709,6 +805,19 @@ enable = true 'acl-groups-deny': ['spiders','grasshoppers'], 'acl-groups-order': 'allow-deny', } + self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_t, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) + acls = { + 'acl-users-allow': [], + 'acl-users-deny': [], + 'acl-users-order': 'allow-deny', + 'acl-groups-allow': ['male','female'], + 'acl-groups-deny': ['spiders','grasshoppers'], + 'acl-groups-order': 'deny-allow', + } self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) @@ -720,7 +829,7 @@ enable = true 'acl-users-order': 'allow-deny', 'acl-groups-allow': ['male','female'], 'acl-groups-deny': ['spiders','grasshoppers'], - 'acl-groups-order': 'allow-deny', + 'acl-groups-order': 'deny-allow', } self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) 
@@ -846,7 +955,7 @@ enable = true acls = { 'acl-clients-allow': ['10.0.2.0/24'], 'acl-clients-deny': ['ALL'], - 'acl-clients-order': 'deny-allow', + 'acl-clients-order': 'allow-deny', } base_backend.set_client_address(ipv4_1) self.assertEqual(base_backend.check_profile_acls(username, acls), True) @@ -857,7 +966,7 @@ enable = true acls = { 'acl-clients-allow': ['ALL'], 'acl-clients-deny': ['10.0.2.0/24'], - 'acl-clients-order': 'allow-deny', + 'acl-clients-order': 'deny-allow', } base_backend.set_client_address(ipv4_1) self.assertEqual(base_backend.check_profile_acls(username, acls), False) @@ -868,18 +977,18 @@ enable = true acls = { 'acl-clients-allow': ['10.0.2.0/24'], 'acl-clients-deny': ['10.0.0.0/16', '10.0.3.0/24'], - 'acl-clients-order': 'deny-allow', + 'acl-clients-order': 'allow-deny', } base_backend.set_client_address(ipv4_1) self.assertEqual(base_backend.check_profile_acls(username, acls), True) base_backend.set_client_address(ipv4_2) self.assertEqual(base_backend.check_profile_acls(username, acls), False) base_backend.set_client_address(ipv4_3) - self.assertEqual(base_backend.check_profile_acls(username, acls), True) + self.assertEqual(base_backend.check_profile_acls(username, acls), False) acls = { 'acl-clients-allow': ['10.0.0.0/16', '10.0.3.0/24'], 'acl-clients-deny': ['10.0.2.0/24'], - 'acl-clients-order': 'allow-deny', + 'acl-clients-order': 'deny-allow', } base_backend.set_client_address(ipv4_1) self.assertEqual(base_backend.check_profile_acls(username, acls), False) 
@@ -920,37 +1029,37 @@ enable = true acls = { 'acl-clients-allow': ['fe80::4f8:900:e5d:2'], 'acl-clients-deny': [], - 'acl-clients-order': 'deny-allow', + 'acl-clients-order': 'allow-deny', } self.assertEqual(base_backend.check_profile_acls(username, acls), True) acls = { 'acl-clients-allow': ['fe80::4f8:900:e5d:2'], 'acl-clients-deny': [], - 'acl-clients-order': 'allow-deny', + 'acl-clients-order': 'deny-allow', } self.assertEqual(base_backend.check_profile_acls(username, acls), True) acls = { 'acl-clients-allow': [], 'acl-clients-deny': ['ALL'], - 'acl-clients-order': 'deny-allow', + 'acl-clients-order': 'allow-deny', } self.assertEqual(base_backend.check_profile_acls(username, acls), False) acls = { 'acl-clients-allow': [], 'acl-clients-deny': ['ALL'], - 'acl-clients-order': 'allow-deny', + 'acl-clients-order': 'deny-allow', } self.assertEqual(base_backend.check_profile_acls(username, acls), False) acls = { 'acl-clients-allow': [], 'acl-clients-deny': ['fe80::4f8:900:e5d:2'], - 'acl-clients-order': 'deny-allow', + 'acl-clients-order': 'allow-deny', } self.assertEqual(base_backend.check_profile_acls(username, acls), False) acls = { 'acl-clients-allow': [], 'acl-clients-deny': ['fe80::4f8:900:e5d:2'], - 'acl-clients-order': 'allow-deny', + 'acl-clients-order': 'deny-allow', } self.assertEqual(base_backend.check_profile_acls(username, acls), False) @@ -966,7 +1075,7 @@ enable = true acls = { 'acl-clients-allow': ['fe80::/64'], 'acl-clients-deny': ['ALL'], - 'acl-clients-order': 'deny-allow', + 'acl-clients-order': 'allow-deny', } base_backend.set_client_address(ipv6_1) self.assertEqual(base_backend.check_profile_acls(username, acls), True) @@ -977,7 +1086,7 @@ enable = true acls = { 'acl-clients-allow': ['ALL'], 'acl-clients-deny': ['fe80::/64'], - 'acl-clients-order': 'allow-deny', + 'acl-clients-order': 'deny-allow', } base_backend.set_client_address(ipv6_1) self.assertEqual(base_backend.check_profile_acls(username, acls), False) 
@@ -988,18 +1097,18 @@ enable = true acls = { 'acl-clients-allow': ['fe80::/64'], 'acl-clients-deny': ['fe80::/56','fe80:0:0:1::/64'], - 'acl-clients-order': 'deny-allow', + 'acl-clients-order': 'allow-deny', } base_backend.set_client_address(ipv6_1) self.assertEqual(base_backend.check_profile_acls(username, acls), True) base_backend.set_client_address(ipv6_2) self.assertEqual(base_backend.check_profile_acls(username, acls), False) base_backend.set_client_address(ipv6_3) - self.assertEqual(base_backend.check_profile_acls(username, acls), True) + self.assertEqual(base_backend.check_profile_acls(username, acls), False) acls = { 'acl-clients-allow': ['fe80::/56','fe80:0:0:1::/64'], 'acl-clients-deny': ['fe80::/64'], - 'acl-clients-order': 'allow-deny', + 'acl-clients-order': 'deny-allow', } base_backend.set_client_address(ipv6_1) self.assertEqual(base_backend.check_profile_acls(username, acls), False) @@ -1042,7 +1151,7 @@ enable = true 'acl-groups-order': 'deny-allow', 'acl-clients-allow': ['fe80:0:0:1::/64','10.0.3.0/24'], 'acl-clients-deny': ['ALL'], - 'acl-clients-order': 'deny-allow', + 'acl-clients-order': 'allow-deny', } base_backend.set_client_address(ipv4_1) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) @@ -1054,7 +1163,7 @@ enable = true self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_t, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_t, acls), False) self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) base_backend.set_client_address(ipv4_3) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) 
@@ -1072,7 +1181,7 @@ enable = true self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_t, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_t, acls), False) self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) base_backend.set_client_address(ipv6_3) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) @@ -1089,13 +1198,13 @@ enable = true 'acl-groups-order': 'allow-deny', 'acl-clients-allow': ['fe80::/64','10.0.2.0/24'], 'acl-clients-deny': ['ALL'], - 'acl-clients-order': 'deny-allow', + 'acl-clients-order': 'allow-deny', } base_backend.set_client_address(ipv4_1) self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_t, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_t, acls), True) self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) base_backend.set_client_address(ipv4_2) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) 
@@ -1113,7 +1222,7 @@ enable = true self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) self.assertEqual(base_backend.check_profile_acls(username_k, acls), True) self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) - self.assertEqual(base_backend.check_profile_acls(username_t, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_t, acls), True) self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) base_backend.set_client_address(ipv6_2) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) @@ -1133,10 +1242,10 @@ enable = true 'acl-users-order': 'allow-deny', 'acl-groups-allow': ['male','female'], 'acl-groups-deny': ['spiders','grasshoppers'], - 'acl-groups-order': 'allow-deny', + 'acl-groups-order': 'deny-allow', 'acl-clients-allow': ['ALL'], 'acl-clients-deny': ['fe80::/56','10.0.0.0/8'], - 'acl-clients-order': 'allow-deny', + 'acl-clients-order': 'deny-allow', } base_backend.set_client_address(ipv4_1) self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) diff --git a/x2gobroker/tests/test_broker_inifile.py b/x2gobroker/tests/test_broker_inifile.py index cd97ae4..4f878ff 100644 --- a/x2gobroker/tests/test_broker_inifile.py +++ b/x2gobroker/tests/test_broker_inifile.py @@ -367,21 +367,19 @@ height = 600 applications = TERMINAL, WWWBROWSER acl-groups-allow = bees acl-groups-deny = ALL -acl-groups-order = deny-allow +acl-groups-order = allow-deny [testprofile1] user = command = GNOME acl-users-allow = flip -acl-users-deny = ALL -acl-users-order = deny-allow +acl-users-order = allow-deny [testprofile2] user = command = XFCE acl-users-allow = thekla -acl-users-deny = ALL -acl-users-order = deny-allow +acl-users-order = allow-deny [testprofile3] user = -- Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 75bc19eea6433110733d53e4de23ab2703b19179 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Mon Feb 12 15:53:33 2018 +0100 x2gobroker/brokers/base_broker.py: Entire rewrite of check_profile_acls() method. (Fixes: #1234). --- debian/changelog | 2 ++ x2gobroker/brokers/base_broker.py | 48 ++++++++++++++++----------------------- 2 files changed, 21 insertions(+), 29 deletions(-) diff --git a/debian/changelog b/debian/changelog index 2d7940e..116897b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,8 @@ x2gobroker (0.0.4.0-0x2go1) UNRELEASED; urgency=medium - x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3. - Unit tests: Fix deep misunderstanding in the way allow-deny vs. deny-allow should actually work. + - x2gobroker/brokers/base_broker.py: Entire rewrite of + check_profile_acls() method. (Fixes: #1234). * debian/{control,compat}: Bump to DH version level 9. * debian/{control,x2gobroker-common.install}: + Split out common files into non-Pythonian bin:pkg. diff --git a/x2gobroker/brokers/base_broker.py b/x2gobroker/brokers/base_broker.py index b6a6ee6..9a96fb5 100644 --- a/x2gobroker/brokers/base_broker.py +++ b/x2gobroker/brokers/base_broker.py 
@@ -363,19 +363,14 @@ class X2GoBroker(object): # if one stays False, the related session profile will not be returned to the querying # X2Go client... _grant_availability = { - 'by_user': False, - # FIXME: leaving the group access to False for now, we need methods that give us a generic - # acces to the list of groups a user belongs to. One generic access is asking libnss, but: - # are there others? - 'by_group': False, - # FIXME: set the client access to True for now as we have not a way to check that available... - 'by_client': True, + 'by_user': None, + 'by_group': None, + 'by_client': None, } ### CHECKING on a per-client basis... ### clients access is granted first, if that fails then we return False here... - if len( _acls['acl-clients-allow'] + _acls['acl-clients-deny'] ) > 0: _acls_clients_allow = copy.deepcopy(_acls['acl-clients-allow']) @@ -394,7 +389,7 @@ class X2GoBroker(object): _acls_clients_deny.insert(idx, '::/0') _allow_address_set = [] - _deny_address_set = ['ALL'] + _deny_address_set = [] try: _allow_address_set = netaddr.IPSet(_acls_clients_allow) _deny_address_set = netaddr.IPSet(_acls_clients_deny) 
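Review bot: `_grant_availability` now starts as None for all three checks, but nothing in the hunk says what None means, and the old `'by_client': True` default is gone together with the `len(...) > 0` guard, so a profile whose client allow and deny lists are both empty leaves `by_client` at None and is rejected by the `is not True` check further down — unless the defaults merged into `_acls` above the hunk supply `'ALL'` in `acl-clients-allow`, which the user-only tests in this push suggest. Either way the tri-state deserves a comment at the dict: `# None: no rule matched yet; only an explicit True grants access, so a configured ACL that matches nothing fails closed`. check_profile_acls starts above the hunk.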
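Review bot: The fallback `_deny_address_set = []` means that if `netaddr.IPSet(_acls_clients_deny)` raises (a mistyped network in acl-clients-deny) after the allow set has already parsed, the client is evaluated against an empty deny list and an `allow ALL` profile stays open; the `except` branch is outside the hunk, so this holds if it only logs and continues. A malformed deny list should fail closed: set `_grant_availability['by_client'] = False` (or `return False`) in that except branch rather than continuing with an empty set. The hunk belongs to check_profile_acls, which starts above it.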
@@ -406,15 +401,14 @@ class X2GoBroker(object): _allow_client = self._client_address in _allow_address_set _deny_client = self._client_address in _deny_address_set - if not (_allow_client or _deny_client): - # client was not in either of the rules, so we presume that the client is allowed to access - _grant_availability['by_client'] if _order['clients'] == 'allow-deny': - _grant_availability['by_client'] = _allow_client and (not _deny_client) + if _allow_client: _grant_availability['by_client'] = True + elif _deny_client : _grant_availability['by_client'] = False else: - _grant_availability['by_client'] = (not _deny_client) or _allow_client + if _deny_client : _grant_availability['by_client'] = False + elif _allow_client: _grant_availability['by_client'] = True - if not _grant_availability['by_client']: + if _grant_availability['by_client'] is not True: return False ### no user/group ACLs are in use, allow access then... 
@@ -424,26 +418,23 @@ class X2GoBroker(object): ### CHECKING on a per-user basis... - _allow_user_override = False - _explicitly_deny_user = False if len( _acls['acl-users-allow'] + _acls['acl-users-deny'] ) > 0: _allow_user = False _deny_user = False if username in _acls['acl-users-allow'] or 'ALL' in _acls['acl-users-allow']: - _allow_user_override = True _allow_user = True - if username in _acls['acl-users-deny']: - _explicitly_deny_user = True - if _explicitly_deny_user or ('ALL' in _acls['acl-users-deny']): + if username in _acls['acl-users-deny'] or 'ALL' in _acls['acl-users-deny']: _deny_user = True if _order['users'] == 'allow-deny': - _grant_availability['by_user'] = (_allow_user or _deny_user) and (_allow_user and (not _deny_user)) + if _allow_user: _grant_availability['by_user'] = True + elif _deny_user : _grant_availability['by_user'] = False else: - _grant_availability['by_user'] = (_allow_user or _deny_user) and ((not _deny_user) or _allow_user) + if _deny_user : _grant_availability['by_user'] = False + elif _allow_user: _grant_availability['by_user'] = True # if a user has been granted access directly, then the corresponding session profile(s) # will be provided to him/her, it does not matter what the group acl will have to say to this... 
@@ -462,14 +453,13 @@ class X2GoBroker(object): _deny_group = bool(len(set(_user_groups).intersection( set(_acls['acl-groups-deny']) ))) if _order['groups'] == 'allow-deny': - _grant_availability['by_group'] = (_allow_group or _deny_group) and (_allow_group and (not _deny_group)) + if _allow_group: _grant_availability['by_group'] = True + elif _deny_group : _grant_availability['by_group'] = False else: - _grant_availability['by_group'] = (_allow_group or _deny_group) and (not _deny_group) or _allow_group + if _deny_group : _grant_availability['by_group'] = False + elif _allow_group: _grant_availability['by_group'] = True - # if a group has been granted access, with one exception: if the thread model for users is - # allow-deny, then we presume that the acl-users-deny entry has precendence over - # acl-groups-allow/acl-groups-deny. - if (_grant_availability['by_group'] and not _explicitly_deny_user) or _allow_user_override: + if _grant_availability['by_group'] and _grant_availability['by_user'] is not False: return True return False -- Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git