TMSS-2658: enable permission checks for websockets again, with logging, but...

TMSS-2658: enable permission checks for websockets again, with logging, but for now keep sending to everyone.

SAS/TMSS/backend/services/websocket/lib/websocket_service.py

@@ -55,33 +55,25 @@ class TMSSWebSocket(WebSocket):
         self.authenticated = False
         self.user = None
 
-        # JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
-        self.authenticated = True
-
     def handleMessage(self):
-        # JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
-        self._set_flags_to_default()
-        return
-
-        # try:
-        #     if not self.authenticated:  # Not (yet) authenticated
-        #         token_key = JSONloads(self.data).get('token', '')
-        #
-        #         from rest_framework.authtoken.models import Token
-        #         token_obj = Token.objects.filter(key=token_key).first()
-        #         if token_obj:
-        #             self.user = token_obj.user
-        #             self.authenticated = True
-        #             logger.info('Client authenticated. User: %s from IP: %s' % (self.user, self.address[0]))
-        #         else:
-        #             logger.info('Client not authenticated. IP: %s' % (self.address[0]))
-        #             self.close(1011, u'Please login, so you have a token, and please submit the token in the 1st message after the connection was made.')
-        #     else:
-        #         logger.debug('Client already authenticated, ignoring incoming message. User: %s from IP: %s' % (self.user, self.address[0]))
-        #         # NOTE: We just ignore incoming messages as we treat the communication as one-way only, except for the auth msg.
-        # except Exception as e:
-        #     logger.exception('Error when handling websocket message of User: %s from IP: %s' % (self.user, self.address[0]))
-        #     raise
+        try:
+            if not self.authenticated:  # Not (yet) authenticated
+                token_key = JSONloads(self.data).get('token', '')
+                from rest_framework.authtoken.models import Token
+                token_obj = Token.objects.filter(key=token_key).first()
+                if token_obj:
+                    self.user = token_obj.user
+                    self.authenticated = True
+                    logger.info('Client authenticated. User: %s from IP: %s' % (self.user, self.address[0]))
+                else:
+                    logger.info('Client not authenticated. IP: %s' % (self.address[0]))
+                    self.close(1011, u'Please login, so you have a token, and please submit the token in the 1st message after the connection was made.')
+            else:
+                logger.debug('Client already authenticated, ignoring incoming message. User: %s from IP: %s' % (self.user, self.address[0]))
+                # NOTE: We just ignore incoming messages as we treat the communication as one-way only, except for the auth msg.
+        except Exception as e:
+            logger.exception('Error when handling websocket message of User: %s from IP: %s' % (self.user, self.address[0]))
+            raise
 
     def handleConnected(self):
         # Enforce to initial values be safe
@@ -138,49 +130,48 @@ class TMSSEventMessageHandlerForWebsocket(TMSSEventMessageHandler):
         self.t.join()
 
     def _get_authorised_clients_for_object_in_websocket(self, obj):
-        # JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
-        return list(self._ws_server.connections.values())
-
-        # from django.contrib.auth import get_user_model
-        # User = get_user_model()
-        #
-        # from lofar.sas.tmss.tmss.tmssapp.viewsets.permissions import get_project_roles_for_user, get_project_roles_with_permission
-        # from lofar.sas.tmss.tmss.tmssapp.models import ProjectRole
-        #
-        # auth_clients = []
-        # logger.debug('Checking which of these users should receive websocket update for obj=%s: %s' % (obj, [ws.user for ws in list(self._ws_server.connections.values())]))
-        # for ws in list(self._ws_server.connections.values()):
-        #     if ws.authenticated:    # Check user permissions for the object
-        #         # JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
-        #         auth_clients.append(ws)
-        #         continue
-        #
-        #         user = User.objects.filter(username=ws.user).first()
-        #         if user is None:
-        #             continue
-        #
-        #         if user.is_superuser:
-        #             logger.debug('User=%s is superuser and will receive websocket update for obj=%s' % (user, obj))
-        #             auth_clients.append(ws)
-        #         elif user.has_perm("tmssapp.view_%s" % type(obj).__name__.lower()):
-        #             logger.debug('User=%s has permission=%s and will receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
-        #             auth_clients.append(ws)
-        #         else:
-        #             logger.debug('User=%s has no permission=%s, checking for project-based permission to receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
-        #             # project-based permission
-        #             permitted_project_roles = get_project_roles_with_permission(type(obj).__name__.lower(), 'GET')
-        #             user_project_roles = get_project_roles_for_user(user)
-        #             related_project = getattr(obj, 'project', None)
-        #             for project_role in user_project_roles:
-        #                 if related_project:
-        #                     if project_role['project'].lower() == related_project.name.lower() and \
-        #                             ProjectRole.objects.get(value=project_role['role']) in permitted_project_roles:
-        #                         auth_clients.append(ws)
-        #                         logger.debug("User=%s has project-based permission for project=%s and will receive websocket update for obj=%s" % (user, project_role['project'].lower(), obj))
-        #                         break
-        #     else:
-        #         logger.debug("%s websocket is not authenticated and will not receive websocket update for obj=%s" % (ws.user, obj))
-        # return auth_clients
+        from django.contrib.auth import get_user_model
+        User = get_user_model()
+
+        from lofar.sas.tmss.tmss.tmssapp.viewsets.permissions import get_project_roles_for_user, get_project_roles_with_permission
+        from lofar.sas.tmss.tmss.tmssapp.models import ProjectRole
+
+        auth_clients = []
+        logger.info('Checking which of these users should receive websocket update for obj=%s: %s' % (obj, [ws.user for ws in list(self._ws_server.connections.values())]))
+        for ws in list(self._ws_server.connections.values()):
+            if ws.authenticated:    # Check user permissions for the object
+                user = User.objects.filter(username=ws.user).first()
+                if user is None:
+                    logger.info('User=%s does not exist in TMSS and will not receive websocket update for obj=%s' % (ws.user, obj))
+                    continue
+                if user.is_superuser:
+                    logger.info('User=%s is superuser and will receive websocket update for obj=%s' % (user, obj))
+                    auth_clients.append(ws)
+                elif user.has_perm("tmssapp.view_%s" % type(obj).__name__.lower()):
+                    logger.info('User=%s has permission=%s and will receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
+                    auth_clients.append(ws)
+                else:
+                    logger.info('User=%s has no permission=%s, checking for project-based permission to receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
+                    # project-based permission
+                    permitted_project_roles = get_project_roles_with_permission(type(obj).__name__.lower(), 'GET')
+                    user_project_roles = get_project_roles_for_user(user)
+                    related_project = getattr(obj, 'project', None)
+                    for project_role in user_project_roles:
+                        if related_project:
+                            if project_role['project'].lower() == related_project.name.lower() and \
+                                    ProjectRole.objects.get(value=project_role['role']) in permitted_project_roles:
+                                auth_clients.append(ws)
+                                logger.info("User=%s has project-based permission for project=%s and will receive websocket update for obj=%s" % (user, project_role['project'].lower(), obj))
+                                break
+            else:
+                logger.info("%s websocket is not authenticated and will not receive websocket update for obj=%s" % (ws.user, obj))
+
+            # todo: remove this, once the above works as expected. -> TMSS-2658
+            if ws not in auth_clients:
+                logger.warning('Workaround: %s websocket will receive websocket update for obj=%s despite failed permission check' % (ws.user, obj))
+                auth_clients.append(ws)
+
+        return auth_clients
 
     def _broadcast_notify_to_clients_websocket(self, msg, clients):
         # Send a broadcast message to all ws clients passed as argument