Skip to content
Snippets Groups Projects
Commit 39472575 authored by Jörn Künsemöller's avatar Jörn Künsemöller
Browse files

TMSS-2658: enable permission checks for websockets again, with logging, but... 

TMSS-2658: enable permission checks for websockets again, with logging, but for now keep sending to everyone.
parent 962c75b8
No related branches found
No related tags found
1 merge request!1144TMSS-2658: enable permission checks for websockets again, with logging, but...
Hide whitespace changes
Inline Side-by-side
SAS/TMSS/backend/services/websocket/lib/websocket_service.py
+ 60
69
View file @ 39472575
......@@ -55,33 +55,25 @@ class TMSSWebSocket(WebSocket):
self.authenticated = False
self.user = None
# JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
self.authenticated = True
def handleMessage(self):
# JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
self._set_flags_to_default()
return
# try:
# if not self.authenticated: # Not (yet) authenticated
# token_key = JSONloads(self.data).get('token', '')
#
# from rest_framework.authtoken.models import Token
# token_obj = Token.objects.filter(key=token_key).first()
# if token_obj:
# self.user = token_obj.user
# self.authenticated = True
# logger.info('Client authenticated. User: %s from IP: %s' % (self.user, self.address[0]))
# else:
# logger.info('Client not authenticated. IP: %s' % (self.address[0]))
# self.close(1011, u'Please login, so you have a token, and please submit the token in the 1st message after the connection was made.')
# else:
# logger.debug('Client already authenticated, ignoring incoming message. User: %s from IP: %s' % (self.user, self.address[0]))
# # NOTE: We just ignore incoming messages as we treat the communication as one-way only, except for the auth msg.
# except Exception as e:
# logger.exception('Error when handling websocket message of User: %s from IP: %s' % (self.user, self.address[0]))
# raise
try:
if not self.authenticated: # Not (yet) authenticated
token_key = JSONloads(self.data).get('token', '')
from rest_framework.authtoken.models import Token
token_obj = Token.objects.filter(key=token_key).first()
if token_obj:
self.user = token_obj.user
self.authenticated = True
logger.info('Client authenticated. User: %s from IP: %s' % (self.user, self.address[0]))
else:
logger.info('Client not authenticated. IP: %s' % (self.address[0]))
self.close(1011, u'Please login, so you have a token, and please submit the token in the 1st message after the connection was made.')
else:
logger.debug('Client already authenticated, ignoring incoming message. User: %s from IP: %s' % (self.user, self.address[0]))
# NOTE: We just ignore incoming messages as we treat the communication as one-way only, except for the auth msg.
except Exception as e:
logger.exception('Error when handling websocket message of User: %s from IP: %s' % (self.user, self.address[0]))
raise
def handleConnected(self):
# Enforce to initial values be safe
......@@ -138,49 +130,48 @@ class TMSSEventMessageHandlerForWebsocket(TMSSEventMessageHandler):
self.t.join()
def _get_authorised_clients_for_object_in_websocket(self, obj):
# JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
return list(self._ws_server.connections.values())
# from django.contrib.auth import get_user_model
# User = get_user_model()
#
# from lofar.sas.tmss.tmss.tmssapp.viewsets.permissions import get_project_roles_for_user, get_project_roles_with_permission
# from lofar.sas.tmss.tmss.tmssapp.models import ProjectRole
#
# auth_clients = []
# logger.debug('Checking which of these users should receive websocket update for obj=%s: %s' % (obj, [ws.user for ws in list(self._ws_server.connections.values())]))
# for ws in list(self._ws_server.connections.values()):
# if ws.authenticated: # Check user permissions for the object
# # JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
# auth_clients.append(ws)
# continue
#
# user = User.objects.filter(username=ws.user).first()
# if user is None:
# continue
#
# if user.is_superuser:
# logger.debug('User=%s is superuser and will receive websocket update for obj=%s' % (user, obj))
# auth_clients.append(ws)
# elif user.has_perm("tmssapp.view_%s" % type(obj).__name__.lower()):
# logger.debug('User=%s has permission=%s and will receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
# auth_clients.append(ws)
# else:
# logger.debug('User=%s has no permission=%s, checking for project-based permission to receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
# # project-based permission
# permitted_project_roles = get_project_roles_with_permission(type(obj).__name__.lower(), 'GET')
# user_project_roles = get_project_roles_for_user(user)
# related_project = getattr(obj, 'project', None)
# for project_role in user_project_roles:
# if related_project:
# if project_role['project'].lower() == related_project.name.lower() and \
# ProjectRole.objects.get(value=project_role['role']) in permitted_project_roles:
# auth_clients.append(ws)
# logger.debug("User=%s has project-based permission for project=%s and will receive websocket update for obj=%s" % (user, project_role['project'].lower(), obj))
# break
# else:
# logger.debug("%s websocket is not authenticated and will not receive websocket update for obj=%s" % (ws.user, obj))
# return auth_clients
from django.contrib.auth import get_user_model
User = get_user_model()
from lofar.sas.tmss.tmss.tmssapp.viewsets.permissions import get_project_roles_for_user, get_project_roles_with_permission
from lofar.sas.tmss.tmss.tmssapp.models import ProjectRole
auth_clients = []
logger.info('Checking which of these users should receive websocket update for obj=%s: %s' % (obj, [ws.user for ws in list(self._ws_server.connections.values())]))
for ws in list(self._ws_server.connections.values()):
if ws.authenticated: # Check user permissions for the object
user = User.objects.filter(username=ws.user).first()
if user is None:
logger.info('User=%s does not exist in TMSS and will not receive websocket update for obj=%s' % (ws.user, obj))
continue
if user.is_superuser:
logger.info('User=%s is superuser and will receive websocket update for obj=%s' % (user, obj))
auth_clients.append(ws)
elif user.has_perm("tmssapp.view_%s" % type(obj).__name__.lower()):
logger.info('User=%s has permission=%s and will receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
auth_clients.append(ws)
else:
logger.info('User=%s has no permission=%s, checking for project-based permission to receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
# project-based permission
permitted_project_roles = get_project_roles_with_permission(type(obj).__name__.lower(), 'GET')
user_project_roles = get_project_roles_for_user(user)
related_project = getattr(obj, 'project', None)
for project_role in user_project_roles:
if related_project:
if project_role['project'].lower() == related_project.name.lower() and \
ProjectRole.objects.get(value=project_role['role']) in permitted_project_roles:
auth_clients.append(ws)
logger.info("User=%s has project-based permission for project=%s and will receive websocket update for obj=%s" % (user, project_role['project'].lower(), obj))
break
else:
logger.info("%s websocket is not authenticated and will not receive websocket update for obj=%s" % (ws.user, obj))
# todo: remove this, once the above works as expected. -> TMSS-2658
if ws not in auth_clients:
logger.warning('Workaround: %s websocket will receive websocket update for obj=%s despite failed permission check' % (ws.user, obj))
auth_clients.append(ws)
return auth_clients
def _broadcast_notify_to_clients_websocket(self, msg, clients):
# Send a broadcast message to all ws clients passed as argument
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment