aurweb.auth: add user credentials and matcher functions

This clones the behavior already present in the PHP implementation, but it uses a global dict with credential constant keys to validation functions to determine if a given user has a credential. Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2021-01-25 16:30:47 -08:00 · 2021-01-25 16:30:47 -08:00 · 07d5907ecd
commit 07d5907ecd
parent 670f711b59
4 changed files with 154 additions and 1 deletions
--- a/aurweb/auth.py
+++ b/aurweb/auth.py
@ -17,6 +17,10 @@ class AnonymousUser:
    def is_authenticated():
        return False

+    @staticmethod
+    def has_credential(credential):
+        return False
+

 class BasicAuthBackend(AuthenticationBackend):
    async def authenticate(self, conn: HTTPConnection):
@ -75,3 +79,100 @@ def auth_required(is_required: bool = True,
        return wrapper

    return decorator
+
+
+CRED_ACCOUNT_CHANGE_TYPE = 1
+CRED_ACCOUNT_EDIT = 2
+CRED_ACCOUNT_EDIT_DEV = 3
+CRED_ACCOUNT_LAST_LOGIN = 4
+CRED_ACCOUNT_SEARCH = 5
+CRED_ACCOUNT_LIST_COMMENTS = 28
+CRED_COMMENT_DELETE = 6
+CRED_COMMENT_UNDELETE = 27
+CRED_COMMENT_VIEW_DELETED = 22
+CRED_COMMENT_EDIT = 25
+CRED_COMMENT_PIN = 26
+CRED_PKGBASE_ADOPT = 7
+CRED_PKGBASE_SET_KEYWORDS = 8
+CRED_PKGBASE_DELETE = 9
+CRED_PKGBASE_DISOWN = 10
+CRED_PKGBASE_EDIT_COMAINTAINERS = 24
+CRED_PKGBASE_FLAG = 11
+CRED_PKGBASE_LIST_VOTERS = 12
+CRED_PKGBASE_NOTIFY = 13
+CRED_PKGBASE_UNFLAG = 15
+CRED_PKGBASE_VOTE = 16
+CRED_PKGREQ_FILE = 23
+CRED_PKGREQ_CLOSE = 17
+CRED_PKGREQ_LIST = 18
+CRED_TU_ADD_VOTE = 19
+CRED_TU_LIST_VOTES = 20
+CRED_TU_VOTE = 21
+
+
+def has_any(user, *account_types):
+    return str(user.AccountType) in set(account_types)
+
+
+def user_developer_or_trusted_user(user):
+    return has_any(user, "User", "Trusted User", "Developer",
+                   "Trusted User & Developer")
+
+
+def trusted_user(user):
+    return has_any(user, "Trusted User", "Trusted User & Developer")
+
+
+def developer(user):
+    return has_any(user, "Developer", "Trusted User & Developer")
+
+
+def trusted_user_or_dev(user):
+    return has_any(user, "Trusted User", "Developer",
+                   "Trusted User & Developer")
+
+
+# A mapping of functions that users must pass to have credentials.
+cred_filters = {
+    CRED_PKGBASE_FLAG: user_developer_or_trusted_user,
+    CRED_PKGBASE_NOTIFY: user_developer_or_trusted_user,
+    CRED_PKGBASE_VOTE: user_developer_or_trusted_user,
+    CRED_PKGREQ_FILE: user_developer_or_trusted_user,
+    CRED_ACCOUNT_CHANGE_TYPE: trusted_user_or_dev,
+    CRED_ACCOUNT_EDIT: trusted_user_or_dev,
+    CRED_ACCOUNT_LAST_LOGIN: trusted_user_or_dev,
+    CRED_ACCOUNT_LIST_COMMENTS: trusted_user_or_dev,
+    CRED_ACCOUNT_SEARCH: trusted_user_or_dev,
+    CRED_COMMENT_DELETE: trusted_user_or_dev,
+    CRED_COMMENT_UNDELETE: trusted_user_or_dev,
+    CRED_COMMENT_VIEW_DELETED: trusted_user_or_dev,
+    CRED_COMMENT_EDIT: trusted_user_or_dev,
+    CRED_COMMENT_PIN: trusted_user_or_dev,
+    CRED_PKGBASE_ADOPT: trusted_user_or_dev,
+    CRED_PKGBASE_SET_KEYWORDS: trusted_user_or_dev,
+    CRED_PKGBASE_DELETE: trusted_user_or_dev,
+    CRED_PKGBASE_EDIT_COMAINTAINERS: trusted_user_or_dev,
+    CRED_PKGBASE_DISOWN: trusted_user_or_dev,
+    CRED_PKGBASE_LIST_VOTERS: trusted_user_or_dev,
+    CRED_PKGBASE_UNFLAG: trusted_user_or_dev,
+    CRED_PKGREQ_CLOSE: trusted_user_or_dev,
+    CRED_PKGREQ_LIST: trusted_user_or_dev,
+    CRED_TU_ADD_VOTE: trusted_user,
+    CRED_TU_LIST_VOTES: trusted_user,
+    CRED_TU_VOTE: trusted_user,
+    CRED_ACCOUNT_EDIT_DEV: developer,
+}
+
+
+def has_credential(user: User,
+                   credential: int,
+                   approved_users: list = tuple()):
+
+    if user in approved_users:
+        return True
+
+    if credential in cred_filters:
+        cred_filter = cred_filters.get(credential)
+        return cred_filter(user)
+
+    return False
--- a/aurweb/models/user.py
+++ b/aurweb/models/user.py
@ -141,6 +141,11 @@ class User:
        request.cookies["AURSID"] = self.session.SessionID
        return self.session.SessionID

+    def has_credential(self, credential: str, approved: list = tuple()):
+        import aurweb.auth
+        cred = getattr(aurweb.auth, credential)
+        return aurweb.auth.has_credential(self, cred, approved)
+
    def logout(self, request):
        from aurweb.db import session

--- a/test/test_auth.py
+++ b/test/test_auth.py
@ -4,8 +4,8 @@ import pytest

 from starlette.authentication import AuthenticationError

+from aurweb.auth import BasicAuthBackend, has_credential
 from aurweb.db import query
-from aurweb.auth import BasicAuthBackend
 from aurweb.models.account_type import AccountType
 from aurweb.testing import setup_test_db
 from aurweb.testing.models import make_session, make_user
@ -78,3 +78,8 @@ async def test_basic_auth_backend():
                 LastUpdateTS=now_ts + 5)
    _, result = await backend.authenticate(request)
    assert result == user
+
+
+def test_has_fake_credential_fails():
+    # Fake credential 666 does not exist.
+    assert not has_credential(user, 666)
--- a/test/test_user.py
+++ b/test/test_user.py
@ -163,6 +163,11 @@ def test_user_minimum_passwd_length():
    assert User.minimum_passwd_length() == passwd_min_len


+def test_user_has_credential():
+    assert user.has_credential("CRED_PKGBASE_FLAG")
+    assert not user.has_credential("CRED_ACCOUNT_CHANGE_TYPE")
+
+
 def test_user_ssh_pub_key():
    from aurweb.db import session

@ -178,3 +183,40 @@ def test_user_ssh_pub_key():

    session.delete(ssh_pub_key)
    session.commit()
+
+
+def test_user_credential_types():
+    from aurweb.db import session
+
+    assert aurweb.auth.user_developer_or_trusted_user(user)
+    assert not aurweb.auth.trusted_user(user)
+    assert not aurweb.auth.developer(user)
+    assert not aurweb.auth.trusted_user_or_dev(user)
+
+    trusted_user_type = query(AccountType,
+                              AccountType.AccountType == "Trusted User")\
+        .first()
+    user.AccountType = trusted_user_type
+    session.commit()
+
+    assert aurweb.auth.trusted_user(user)
+    assert aurweb.auth.trusted_user_or_dev(user)
+
+    developer_type = query(AccountType,
+                           AccountType.AccountType == "Developer")\
+        .first()
+    user.AccountType = developer_type
+    session.commit()
+
+    assert aurweb.auth.developer(user)
+    assert aurweb.auth.trusted_user_or_dev(user)
+
+    type_str = "Trusted User & Developer"
+    elevated_type = query(AccountType,
+                          AccountType.AccountType == type_str).first()
+    user.AccountType = elevated_type
+    session.commit()
+
+    assert aurweb.auth.trusted_user(user)
+    assert aurweb.auth.developer(user)
+    assert aurweb.auth.trusted_user_or_dev(user)