[X2Go-Commits] [x2gobroker] 04/04: x2gobroker/brokers/base_broker.py: Entire rewrite of check_profile_acls() method. (Fixes: #1234).
git-admin at x2go.org
git-admin at x2go.org
Mon Feb 12 15:56:22 CET 2018
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch master
in repository x2gobroker.
commit 75bc19eea6433110733d53e4de23ab2703b19179
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Mon Feb 12 15:53:33 2018 +0100
x2gobroker/brokers/base_broker.py: Entire rewrite of check_profile_acls() method. (Fixes: #1234).
---
debian/changelog | 2 ++
x2gobroker/brokers/base_broker.py | 48 ++++++++++++++++-----------------------
2 files changed, 21 insertions(+), 29 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 2d7940e..116897b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,8 @@ x2gobroker (0.0.4.0-0x2go1) UNRELEASED; urgency=medium
- x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3.
- Unit tests: Fix deep misunderstanding in the way allow-deny vs.
deny-allow should actually work.
+ - x2gobroker/brokers/base_broker.py: Entire rewrite of
+ check_profile_acls() method. (Fixes: #1234).
* debian/{control,compat}: Bump to DH version level 9.
* debian/{control,x2gobroker-common.install}:
+ Split out common files into non-Pythonian bin:pkg.
diff --git a/x2gobroker/brokers/base_broker.py b/x2gobroker/brokers/base_broker.py
index b6a6ee6..9a96fb5 100644
--- a/x2gobroker/brokers/base_broker.py
+++ b/x2gobroker/brokers/base_broker.py
@@ -363,19 +363,14 @@ class X2GoBroker(object):
# if one stays False, the related session profile will not be returned to the querying
# X2Go client...
_grant_availability = {
- 'by_user': False,
- # FIXME: leaving the group access to False for now, we need methods that give us a generic
- # acces to the list of groups a user belongs to. One generic access is asking libnss, but:
- # are there others?
- 'by_group': False,
- # FIXME: set the client access to True for now as we have not a way to check that available...
- 'by_client': True,
+ 'by_user': None,
+ 'by_group': None,
+ 'by_client': None,
}
### CHECKING on a per-client basis...
### clients access is granted first, if that fails then we return False here...
-
if len( _acls['acl-clients-allow'] + _acls['acl-clients-deny'] ) > 0:
_acls_clients_allow = copy.deepcopy(_acls['acl-clients-allow'])
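Review bot: The comment kept at the top of this hunk ("if one stays False, the related session profile will not be returned") no longer describes the contract, because the three `_grant_availability` entries are now initialised to `None` rather than `False`, and the later checks (`is not True` for clients, `is not False` for users) deliberately treat `None` and `False` differently. Suggest replacing that sentence with `# None: no ACL rule matched, True: explicitly allowed, False: explicitly denied; the checks below distinguish None from False`. The enclosing check_profile_acls() method starts before this hunk, so the docstring (if any) may need the same update.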
@@ -394,7 +389,7 @@ class X2GoBroker(object):
_acls_clients_deny.insert(idx, '::/0')
_allow_address_set = []
- _deny_address_set = ['ALL']
+ _deny_address_set = []
try:
_allow_address_set = netaddr.IPSet(_acls_clients_allow)
_deny_address_set = netaddr.IPSet(_acls_clients_deny)
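Review bot: Changing the fallback to `_deny_address_set = []` means that when `netaddr.IPSet()` raises (the `except` branch is outside this hunk) both sets are empty lists, neither membership test in the following hunk can match, `by_client` stays `None` and the `is not True` check rejects the client, i.e. a malformed client ACL fails closed. That is the desirable direction, but nothing on these lines says so; a comment on the new line, `# empty fallbacks: if IPSet() fails below, no rule matches and the client is rejected (fail closed)`, would make it explicit. This assumes the except branch does not assign either set itself — worth confirming against the lines that follow.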
@@ -406,15 +401,14 @@ class X2GoBroker(object):
_allow_client = self._client_address in _allow_address_set
_deny_client = self._client_address in _deny_address_set
- if not (_allow_client or _deny_client):
- # client was not in either of the rules, so we presume that the client is allowed to access
- _grant_availability['by_client']
if _order['clients'] == 'allow-deny':
- _grant_availability['by_client'] = _allow_client and (not _deny_client)
+ if _allow_client: _grant_availability['by_client'] = True
+ elif _deny_client : _grant_availability['by_client'] = False
else:
- _grant_availability['by_client'] = (not _deny_client) or _allow_client
+ if _deny_client : _grant_availability['by_client'] = False
+ elif _allow_client: _grant_availability['by_client'] = True
- if not _grant_availability['by_client']:
+ if _grant_availability['by_client'] is not True:
return False
### no user/group ACLs are in use, allow access then...
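Review bot: The new branches use compound one-line statements with a stray space before the colon (`if _allow_client: _grant_availability['by_client'] = True` / `elif _deny_client : ...`), which PEP 8 discourages and which makes the four-branch precedence logic harder to scan; the same pattern recurs in the users hunk (`-424,26`) and the groups hunk (`-462,14`), so fixing it once in all three keeps them consistent. The meaning of the order names is now only implied by branch order, so a comment at the first `if _order['clients'] == 'allow-deny':` such as `# allow-deny: an allow match takes precedence over a deny match; deny-allow: the reverse. No match leaves the entry at None` would pin down the semantics the commit message says the unit tests now enforce. Note that for clients a `None` result is rejected by `is not True`, whereas for users a `None` is deferred to the group rules; that asymmetry is intentional per the later `is not False` check but deserves the same comment. The method continues outside this hunk.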
@@ -424,26 +418,23 @@ class X2GoBroker(object):
### CHECKING on a per-user basis...
- _allow_user_override = False
- _explicitly_deny_user = False
if len( _acls['acl-users-allow'] + _acls['acl-users-deny'] ) > 0:
_allow_user = False
_deny_user = False
if username in _acls['acl-users-allow'] or 'ALL' in _acls['acl-users-allow']:
- _allow_user_override = True
_allow_user = True
- if username in _acls['acl-users-deny']:
- _explicitly_deny_user = True
- if _explicitly_deny_user or ('ALL' in _acls['acl-users-deny']):
+ if username in _acls['acl-users-deny'] or 'ALL' in _acls['acl-users-deny']:
_deny_user = True
if _order['users'] == 'allow-deny':
- _grant_availability['by_user'] = (_allow_user or _deny_user) and (_allow_user and (not _deny_user))
+ if _allow_user: _grant_availability['by_user'] = True
+ elif _deny_user : _grant_availability['by_user'] = False
else:
- _grant_availability['by_user'] = (_allow_user or _deny_user) and ((not _deny_user) or _allow_user)
+ if _deny_user : _grant_availability['by_user'] = False
+ elif _allow_user: _grant_availability['by_user'] = True
# if a user has been granted access directly, then the corresponding session profile(s)
# will be provided to him/her, it does not matter what the group acl will have to say to this...
@@ -462,14 +453,13 @@ class X2GoBroker(object):
_deny_group = bool(len(set(_user_groups).intersection( set(_acls['acl-groups-deny']) )))
if _order['groups'] == 'allow-deny':
- _grant_availability['by_group'] = (_allow_group or _deny_group) and (_allow_group and (not _deny_group))
+ if _allow_group: _grant_availability['by_group'] = True
+ elif _deny_group : _grant_availability['by_group'] = False
else:
- _grant_availability['by_group'] = (_allow_group or _deny_group) and (not _deny_group) or _allow_group
+ if _deny_group : _grant_availability['by_group'] = False
+ elif _allow_group: _grant_availability['by_group'] = True
- # if a group has been granted access, with one exception: if the thread model for users is
- # allow-deny, then we presume that the acl-users-deny entry has precendence over
- # acl-groups-allow/acl-groups-deny.
- if (_grant_availability['by_group'] and not _explicitly_deny_user) or _allow_user_override:
+ if _grant_availability['by_group'] and _grant_availability['by_user'] is not False:
return True
return False
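Review bot: The three-line comment that explained why an explicit user deny overrides a group grant was removed and the replacement condition `_grant_availability['by_group'] and _grant_availability['by_user'] is not False` carries that rule silently. The `is not False` is load-bearing: a user explicitly denied (in either order) vetoes a group grant, while a user matched by no user rule (`None`) lets the group result decide, and the trailing `return False` is the default-deny for everything else. Suggest a comment above the `if`: `# honour a group grant unless the user ACL explicitly denied this user; None (no user rule matched) defers to the group result, anything else is denied below`.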