Merge branch 'TMSS-2658' into 'master'

TMSS-2658: enable permission checks for websockets again, with logging, but... Closes TMSS-2658 See merge request !1144

Merge branch 'TMSS-2658' into 'master'
f873ed25 · Jörn Künsemöller · ad090aaa · ba14e19e · f873ed25 · f873ed25
Commit f873ed25 authored 1 year ago by Jörn Künsemöller
--- a/SAS/TMSS/backend/services/websocket/lib/websocket_service.py
+++ b/SAS/TMSS/backend/services/websocket/lib/websocket_service.py
@@ -55,33 +55,24 @@ class TMSSWebSocket(WebSocket):
        self.authenticated = False
        self.user = None
-        # JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
-        self.authenticated = True
    def handleMessage(self):
-        # JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
+        if self.authenticated:
-        self._set_flags_to_default()
+            logger.debug('Client already authenticated, ignoring incoming message. User: %s from IP: %s' % (self.user, self.address[0]))
-        return
+            return
+        try:
-        # try:
+            token_key = JSONloads(self.data).get('token', '')
-        #     if not self.authenticated:  # Not (yet) authenticated
+            from rest_framework.authtoken.models import Token
-        #         token_key = JSONloads(self.data).get('token', '')
+            token_obj = Token.objects.filter(key=token_key).first()
-        #
+            if token_obj:
-        #         from rest_framework.authtoken.models import Token
+                self.user = token_obj.user
-        #         token_obj = Token.objects.filter(key=token_key).first()
+                self.authenticated = True
-        #         if token_obj:
+                logger.info('Client authenticated. User: %s from IP: %s' % (self.user, self.address[0]))
-        #             self.user = token_obj.user
+            else:
-        #             self.authenticated = True
+                logger.info('Client not authenticated. IP: %s' % (self.address[0]))
-        #             logger.info('Client authenticated. User: %s from IP: %s' % (self.user, self.address[0]))
+                self.close(1011, u'Please login, so you have a token, and please submit the token in the 1st message after the connection was made.')
-        #         else:
+        except Exception as e:
-        #             logger.info('Client not authenticated. IP: %s' % (self.address[0]))
+            logger.exception('Error when handling websocket message of User: %s from IP: %s' % (self.user, self.address[0]))
-        #             self.close(1011, u'Please login, so you have a token, and please submit the token in the 1st message after the connection was made.')
+            raise
-        #     else:
-        #         logger.debug('Client already authenticated, ignoring incoming message. User: %s from IP: %s' % (self.user, self.address[0]))
-        #         # NOTE: We just ignore incoming messages as we treat the communication as one-way only, except for the auth msg.
-        # except Exception as e:
-        #     logger.exception('Error when handling websocket message of User: %s from IP: %s' % (self.user, self.address[0]))
-        #     raise
    def handleConnected(self):
        # Enforce to initial values be safe
@@ -138,49 +129,44 @@ class TMSSEventMessageHandlerForWebsocket(TMSSEventMessageHandler):
        self.t.join()
    def _get_authorised_clients_for_object_in_websocket(self, obj):
-        # JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
+        from django.contrib.auth import get_user_model
-        return list(self._ws_server.connections.values())
+        User = get_user_model()
-        # from django.contrib.auth import get_user_model
+        from lofar.sas.tmss.tmss.tmssapp.viewsets.permissions import get_project_roles_for_user, get_project_roles_with_permission
-        # User = get_user_model()
+        from lofar.sas.tmss.tmss.tmssapp.models import ProjectRole
-        #
-        # from lofar.sas.tmss.tmss.tmssapp.viewsets.permissions import get_project_roles_for_user, get_project_roles_with_permission
+        auth_clients = []
-        # from lofar.sas.tmss.tmss.tmssapp.models import ProjectRole
+        logger.info('Checking which of these users should receive websocket update for obj=%s: %s' % (obj, [ws.user for ws in list(self._ws_server.connections.values())]))
-        #
+        for ws in list(self._ws_server.connections.values()):
-        # auth_clients = []
+            if not ws.authenticated:
-        # logger.debug('Checking which of these users should receive websocket update for obj=%s: %s' % (obj, [ws.user for ws in list(self._ws_server.connections.values())]))
+                logger.info("%s websocket is not authenticated and will not receive websocket update for obj=%s" % (ws.user, obj))
-        # for ws in list(self._ws_server.connections.values()):
+                continue
-        #     if ws.authenticated:    # Check user permissions for the object
+            user = User.objects.filter(username=ws.user).first()
-        #         # JS 2023-08-11: TODO: fix this! For now we want all users to get updates.
+            if user is None:
-        #         auth_clients.append(ws)
+                logger.info('User=%s does not exist in TMSS and will not receive websocket update for obj=%s' % (ws.user, obj))
-        #         continue
+                continue
-        #
+            if user.is_superuser:
-        #         user = User.objects.filter(username=ws.user).first()
+                logger.info('User=%s is superuser and will receive websocket update for obj=%s' % (user, obj))
-        #         if user is None:
+                auth_clients.append(ws)
-        #             continue
+                continue
-        #
+            if user.has_perm("tmssapp.view_%s" % type(obj).__name__.lower()):
-        #         if user.is_superuser:
+                logger.info('User=%s has permission=%s and will receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
-        #             logger.debug('User=%s is superuser and will receive websocket update for obj=%s' % (user, obj))
+                auth_clients.append(ws)
-        #             auth_clients.append(ws)
+                continue
-        #         elif user.has_perm("tmssapp.view_%s" % type(obj).__name__.lower()):
+            logger.info('User=%s has no permission=%s, checking for project-based permission to receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
-        #             logger.debug('User=%s has permission=%s and will receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
+            # project-based permission
-        #             auth_clients.append(ws)
+            permitted_project_roles = get_project_roles_with_permission(type(obj).__name__.lower(), 'GET')
-        #         else:
+            user_project_roles = get_project_roles_for_user(user)
-        #             logger.debug('User=%s has no permission=%s, checking for project-based permission to receive websocket update for obj=%s' % (user, "tmssapp.view_%s" % type(obj).__name__.lower(), obj))
+            related_project = getattr(obj, 'project', None)
-        #             # project-based permission
+            if related_project:
-        #             permitted_project_roles = get_project_roles_with_permission(type(obj).__name__.lower(), 'GET')
+                related_project_name = related_project.name.lower()
-        #             user_project_roles = get_project_roles_for_user(user)
+                for project_role in user_project_roles:
-        #             related_project = getattr(obj, 'project', None)
+                    if project_role['project'].lower() == related_project_name and \
-        #             for project_role in user_project_roles:
+                            ProjectRole.objects.get(value=project_role['role']) in permitted_project_roles:
-        #                 if related_project:
+                        auth_clients.append(ws)
-        #                     if project_role['project'].lower() == related_project.name.lower() and \
+                        logger.info("User=%s has project-based permission for project=%s and will receive websocket update for obj=%s" % (user, project_role['project'].lower(), obj))
-        #                             ProjectRole.objects.get(value=project_role['role']) in permitted_project_roles:
+                        break
-        #                         auth_clients.append(ws)
+        return auth_clients
-        #                         logger.debug("User=%s has project-based permission for project=%s and will receive websocket update for obj=%s" % (user, project_role['project'].lower(), obj))
-        #                         break
-        #     else:
-        #         logger.debug("%s websocket is not authenticated and will not receive websocket update for obj=%s" % (ws.user, obj))
-        # return auth_clients
    def _broadcast_notify_to_clients_websocket(self, msg, clients):
        # Send a broadcast message to all ws clients passed as argument

--- a/SAS/TMSS/backend/src/tmss/authentication_backends.py
+++ b/SAS/TMSS/backend/src/tmss/authentication_backends.py
@@ -75,6 +75,8 @@ class TMSSOIDCAuthenticationBackend(OIDCAuthenticationBackend):
    def update_user(self, user, claims):
        logger.info('update user=%s claims=%s' % (user, claims))
+        if not Token.objects.filter(user=user).first():
+            Token.objects.create(user=user)  # required for websockets
        self._set_user_project_roles_from_claims(user, claims)
        self._set_user_system_roles_from_claims(user, claims)
        return user