diff options
| author | Marcin Kuzminski <marcin@python-works.com> | 2012-12-30 23:06:03 +0100 |
|---|---|---|
| committer | Marcin Kuzminski <marcin@python-works.com> | 2012-12-30 23:06:03 +0100 |
| commit | b8e1df75b21aad11a161aa3930eb7f26c1c45770 (patch) | |
| tree | fcc9b54514288e334d5cf135ecb0e28fb12053bb | |
| parent | 41981be79eefe651870aab3138d143296a4205a2 (diff) | |
Added UserIpMap interface for allowed IP addresses and IP restriction access
ref #264 IP restriction for users and user groups
--HG--
branch : beta
extra : amend_source : b1cad1d9ff6ef50b570689dacec7902a8909895b
| -rw-r--r-- | rhodecode/__init__.py | 2 | ||||
| -rw-r--r-- | rhodecode/config/routing.py | 4 | ||||
| -rw-r--r-- | rhodecode/controllers/admin/permissions.py | 81 | ||||
| -rw-r--r-- | rhodecode/controllers/admin/users.py | 44 | ||||
| -rw-r--r-- | rhodecode/controllers/api/__init__.py | 15 | ||||
| -rw-r--r-- | rhodecode/controllers/api/api.py | 3 | ||||
| -rw-r--r-- | rhodecode/lib/auth.py | 32 | ||||
| -rw-r--r-- | rhodecode/lib/base.py | 20 | ||||
| -rw-r--r-- | rhodecode/lib/db_manage.py | 3 | ||||
| -rw-r--r-- | rhodecode/lib/dbmigrate/versions/010_version_1_5_2.py | 34 | ||||
| -rw-r--r-- | rhodecode/lib/helpers.py | 7 | ||||
| -rw-r--r-- | rhodecode/lib/ipaddr.py | 1901 | ||||
| -rw-r--r-- | rhodecode/lib/middleware/simplegit.py | 8 | ||||
| -rw-r--r-- | rhodecode/lib/middleware/simplehg.py | 8 | ||||
| -rwxr-xr-x | rhodecode/model/db.py | 28 | ||||
| -rw-r--r-- | rhodecode/model/forms.py | 9 | ||||
| -rw-r--r-- | rhodecode/model/user.py | 32 | ||||
| -rw-r--r-- | rhodecode/model/validators.py | 41 | ||||
| -rw-r--r-- | rhodecode/public/css/style.css | 16 | ||||
| -rw-r--r-- | rhodecode/templates/admin/permissions/permissions.html | 121 | ||||
| -rw-r--r-- | rhodecode/templates/admin/users/user_edit.html | 56 |
21 files changed, 2397 insertions, 68 deletions
diff --git a/rhodecode/__init__.py b/rhodecode/__init__.py index 867322d3..67ae2403 100644 --- a/rhodecode/__init__.py +++ b/rhodecode/__init__.py @@ -38,7 +38,7 @@ except ImportError: __version__ = ('.'.join((str(each) for each in VERSION[:3])) + '.'.join(VERSION[3:])) -__dbversion__ = 9 # defines current db version for migrations +__dbversion__ = 10 # defines current db version for migrations __platform__ = platform.system() __license__ = 'GPLv3' __py_version__ = sys.version_info diff --git a/rhodecode/config/routing.py b/rhodecode/config/routing.py index 1018e35b..2f62c74b 100644 --- a/rhodecode/config/routing.py +++ b/rhodecode/config/routing.py @@ -222,6 +222,10 @@ def make_map(config): action="add_email", conditions=dict(method=["PUT"])) m.connect("user_emails_delete", "/users_emails/{id}", action="delete_email", conditions=dict(method=["DELETE"])) + m.connect("user_ips", "/users_ips/{id}", + action="add_ip", conditions=dict(method=["PUT"])) + m.connect("user_ips_delete", "/users_ips/{id}", + action="delete_ip", conditions=dict(method=["DELETE"])) #ADMIN USERS GROUPS REST ROUTES with rmap.submapper(path_prefix=ADMIN_PREFIX, diff --git a/rhodecode/controllers/admin/permissions.py b/rhodecode/controllers/admin/permissions.py index bdbaeddd..8acee302 100644 --- a/rhodecode/controllers/admin/permissions.py +++ b/rhodecode/controllers/admin/permissions.py @@ -33,11 +33,12 @@ from pylons.controllers.util import abort, redirect from pylons.i18n.translation import _ from rhodecode.lib import helpers as h -from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator +from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator,\ + AuthUser from rhodecode.lib.base import BaseController, render from rhodecode.model.forms import DefaultPermissionsForm from rhodecode.model.permission import PermissionModel -from rhodecode.model.db import User +from rhodecode.model.db import User, UserIpMap from rhodecode.model.meta import Session log = logging.getLogger(__name__) @@ -105,36 +106,41 @@ class PermissionsController(BaseController): # h.form(url('permission', id=ID), # method='put') # url('permission', id=ID) - - permission_model = PermissionModel() - - _form = DefaultPermissionsForm([x[0] for x in self.repo_perms_choices], - [x[0] for x in self.group_perms_choices], - [x[0] for x in self.register_choices], - [x[0] for x in self.create_choices], - [x[0] for x in self.fork_choices])() - - try: - form_result = _form.to_python(dict(request.POST)) - form_result.update({'perm_user_name': id}) - permission_model.update(form_result) - Session().commit() - h.flash(_('Default permissions updated successfully'), - category='success') - - except formencode.Invalid, errors: - defaults = errors.value - - return htmlfill.render( - render('admin/permissions/permissions.html'), - defaults=defaults, - errors=errors.error_dict or {}, - prefix_error=False, - encoding="UTF-8") - except Exception: - log.error(traceback.format_exc()) - h.flash(_('error occurred during update of permissions'), - category='error') + if id == 'default': + c.user = default_user = User.get_by_username('default') + c.perm_user = AuthUser(user_id=default_user.user_id) + c.user_ip_map = UserIpMap.query()\ + .filter(UserIpMap.user == default_user).all() + permission_model = PermissionModel() + + _form = DefaultPermissionsForm( + [x[0] for x in self.repo_perms_choices], + [x[0] for x in self.group_perms_choices], + [x[0] for x in self.register_choices], + [x[0] for x in self.create_choices], + [x[0] for x in self.fork_choices])() + + try: + form_result = _form.to_python(dict(request.POST)) + form_result.update({'perm_user_name': id}) + permission_model.update(form_result) + Session().commit() + h.flash(_('Default permissions updated successfully'), + category='success') + + except formencode.Invalid, errors: + defaults = errors.value + + return htmlfill.render( + render('admin/permissions/permissions.html'), + defaults=defaults, + errors=errors.error_dict or {}, + prefix_error=False, + encoding="UTF-8") + except Exception: + log.error(traceback.format_exc()) + h.flash(_('error occurred during update of permissions'), + category='error') return redirect(url('edit_permission', id=id)) @@ -157,10 +163,11 @@ class PermissionsController(BaseController): #this form can only edit default user permissions if id == 'default': - default_user = User.get_by_username('default') - defaults = {'_method': 'put', - 'anonymous': default_user.active} - + c.user = default_user = User.get_by_username('default') + defaults = {'anonymous': default_user.active} + c.perm_user = AuthUser(user_id=default_user.user_id) + c.user_ip_map = UserIpMap.query()\ + .filter(UserIpMap.user == default_user).all() for p in default_user.user_perms: if p.permission.permission_name.startswith('repository.'): defaults['default_repo_perm'] = p.permission.permission_name @@ -181,7 +188,7 @@ class PermissionsController(BaseController): render('admin/permissions/permissions.html'), defaults=defaults, encoding="UTF-8", - force_defaults=True, + force_defaults=False ) else: return redirect(url('admin_home')) diff --git a/rhodecode/controllers/admin/users.py b/rhodecode/controllers/admin/users.py index e8d222ef..6b815bf4 100644 --- a/rhodecode/controllers/admin/users.py +++ b/rhodecode/controllers/admin/users.py @@ -41,7 +41,7 @@ from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator, \ AuthUser from rhodecode.lib.base import BaseController, render -from rhodecode.model.db import User, UserEmailMap +from rhodecode.model.db import User, UserEmailMap, UserIpMap from rhodecode.model.forms import UserForm from rhodecode.model.user import UserModel from rhodecode.model.meta import Session @@ -159,7 +159,7 @@ class UsersController(BaseController): user_model = UserModel() c.user = user_model.get(id) c.ldap_dn = c.user.ldap_dn - c.perm_user = AuthUser(user_id=id) + c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr) _form = UserForm(edit=True, old_data={'user_id': id, 'email': c.user.email})() form_result = {} @@ -178,6 +178,8 @@ class UsersController(BaseController): except formencode.Invalid, errors: c.user_email_map = UserEmailMap.query()\ .filter(UserEmailMap.user == c.user).all() + c.user_ip_map = UserIpMap.query()\ + .filter(UserIpMap.user == c.user).all() defaults = errors.value e = errors.error_dict or {} defaults.update({ @@ -231,12 +233,14 @@ class UsersController(BaseController): h.flash(_("You can't edit this user"), category='warning') return redirect(url('users')) - c.perm_user = AuthUser(user_id=id) + c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr) c.user.permissions = {} c.granted_permissions = UserModel().fill_perms(c.user)\ .permissions['global'] c.user_email_map = UserEmailMap.query()\ .filter(UserEmailMap.user == c.user).all() + c.user_ip_map = UserIpMap.query()\ + .filter(UserIpMap.user == c.user).all() user_model = UserModel() c.ldap_dn = c.user.ldap_dn defaults = c.user.get_dict() @@ -299,7 +303,6 @@ class UsersController(BaseController): """POST /user_emails:Add an existing item""" # url('user_emails', id=ID, method='put') - #TODO: validation and form !!! email = request.POST.get('new_email') user_model = UserModel() @@ -324,3 +327,36 @@ class UsersController(BaseController): Session().commit() h.flash(_("Removed email from user"), category='success') return redirect(url('edit_user', id=id)) + + def add_ip(self, id): + """POST /user_ips:Add an existing item""" + # url('user_ips', id=ID, method='put') + + ip = request.POST.get('new_ip') + user_model = UserModel() + + try: + user_model.add_extra_ip(id, ip) + Session().commit() + h.flash(_("Added ip %s to user") % ip, category='success') + except formencode.Invalid, error: + msg = error.error_dict['ip'] + h.flash(msg, category='error') + except Exception: + log.error(traceback.format_exc()) + h.flash(_('An error occurred during ip saving'), + category='error') + if 'default_user' in request.POST: + return redirect(url('edit_permission', id='default')) + return redirect(url('edit_user', id=id)) + + def delete_ip(self, id): + """DELETE /user_ips_delete/id: Delete an existing item""" + # url('user_ips_delete', id=ID, method='delete') + user_model = UserModel() + user_model.delete_extra_ip(id, request.POST.get('del_ip')) + Session().commit() + h.flash(_("Removed ip from user"), category='success') + if 'default_user' in request.POST: + return redirect(url('edit_permission', id='default')) + return redirect(url('edit_user', id=id)) diff --git a/rhodecode/controllers/api/__init__.py b/rhodecode/controllers/api/__init__.py index 13fd7033..01cfe118 100644 --- a/rhodecode/controllers/api/__init__.py +++ b/rhodecode/controllers/api/__init__.py @@ -43,7 +43,7 @@ from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \ HTTPBadRequest, HTTPError from rhodecode.model.db import User -from rhodecode.lib.auth import AuthUser +from rhodecode.lib.auth import AuthUser, check_ip_access from rhodecode.lib.base import _get_ip_addr, _get_access_path from rhodecode.lib.utils2 import safe_unicode @@ -99,6 +99,7 @@ class JSONRPCController(WSGIController): controller and if it exists, dispatch to it. """ start = time.time() + ip_addr = self._get_ip_addr(environ) self._req_id = None if 'CONTENT_LENGTH' not in environ: log.debug("No Content-Length") @@ -144,7 +145,17 @@ class JSONRPCController(WSGIController): if u is None: return jsonrpc_error(retid=self._req_id, message='Invalid API KEY') - auth_u = AuthUser(u.user_id, self._req_api_key) + #check if we are allowed to use this IP + allowed_ips = AuthUser.get_allowed_ips(u.user_id) + if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False: + log.info('Access for IP:%s forbidden, ' + 'not in %s' % (ip_addr, allowed_ips)) + return jsonrpc_error(retid=self._req_id, + message='request from IP:%s not allowed' % (ip_addr)) + else: + log.info('Access for IP:%s allowed' % (ip_addr)) + + auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr) except Exception, e: return jsonrpc_error(retid=self._req_id, message='Invalid API KEY') diff --git a/rhodecode/controllers/api/api.py b/rhodecode/controllers/api/api.py index 8a0b2dfe..c3b31c58 100644 --- a/rhodecode/controllers/api/api.py +++ b/rhodecode/controllers/api/api.py @@ -140,6 +140,9 @@ class ApiController(JSONRPCController): errors that happens """ + def _get_ip_addr(self, environ): + from rhodecode.lib.base import _get_ip_addr + return _get_ip_addr(environ) @HasPermissionAllDecorator('hg.admin') def pull(self, apiuser, repoid): diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py index d234e3e2..2fb087c1 100644 --- a/rhodecode/lib/auth.py +++ b/rhodecode/lib/auth.py @@ -45,7 +45,7 @@ from rhodecode.lib.auth_ldap import AuthLdap from rhodecode.model import meta from rhodecode.model.user import UserModel -from rhodecode.model.db import Permission, RhodeCodeSetting, User +from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap log = logging.getLogger(__name__) @@ -313,11 +313,12 @@ class AuthUser(object): in """ - def __init__(self, user_id=None, api_key=None, username=None): + def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None): self.user_id = user_id self.api_key = None self.username = username + self.ip_addr = ip_addr self.name = '' self.lastname = '' @@ -326,6 +327,7 @@ class AuthUser(object): self.admin = False self.inherit_default_permissions = False self.permissions = {} + self.allowed_ips = set() self._api_key = api_key self.propagate_data() self._instance = None @@ -375,6 +377,8 @@ class AuthUser(object): log.debug('Auth User is now %s' % self) user_model.fill_perms(self) + log.debug('Filling Allowed IPs') + self.allowed_ips = AuthUser.get_allowed_ips(self.user_id) @property def is_admin(self): @@ -406,6 +410,14 @@ class AuthUser(object): api_key = cookie_store.get('api_key') return AuthUser(user_id, api_key, username) + @classmethod + def get_allowed_ips(cls, user_id): + _set = set() + user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id).all() + for ip in user_ips: + _set.add(ip.ip_addr) + return _set or set(['0.0.0.0/0']) + def set_available_permissions(config): """ @@ -821,3 +833,19 @@ class HasPermissionAnyMiddleware(object): ) ) return False + + +def check_ip_access(source_ip, allowed_ips=None): + """ + Checks if source_ip is a subnet of any of allowed_ips. + + :param source_ip: + :param allowed_ips: list of allowed ips together with mask + """ + from rhodecode.lib import ipaddr + log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips)) + if isinstance(allowed_ips, (tuple, list, set)): + for ip in allowed_ips: + if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip): + return True + return False diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py index bf60b70f..7b29dc03 100644 --- a/rhodecode/lib/base.py +++ b/rhodecode/lib/base.py @@ -20,7 +20,7 @@ from rhodecode import __version__, BACKENDS from rhodecode.lib.utils2 import str2bool, safe_unicode, AttributeDict,\ safe_str, safe_int from rhodecode.lib.auth import AuthUser, get_container_username, authfunc,\ - HasPermissionAnyMiddleware, CookieStoreWrapper + HasPermissionAnyMiddleware, CookieStoreWrapper, check_ip_access from rhodecode.lib.utils import get_repo_slug, invalidate_cache from rhodecode.model import meta @@ -101,7 +101,7 @@ class BaseVCSController(object): #authenticate this mercurial request using authfunc self.authenticate = BasicAuth('', authfunc, config.get('auth_ret_code')) - self.ipaddr = '0.0.0.0' + self.ip_addr = '0.0.0.0' def _handle_request(self, environ, start_response): raise NotImplementedError() @@ -136,7 +136,7 @@ class BaseVCSController(object): """ invalidate_cache('get_repo_cached_%s' % repo_name) - def _check_permission(self, action, user, repo_name): + def _check_permission(self, action, user, repo_name, ip_addr=None): """ Checks permissions using action (push/pull) user and repository name @@ -145,6 +145,14 @@ class BaseVCSController(object): :param user: user instance :param repo_name: repository name """ + #check IP + allowed_ips = AuthUser.get_allowed_ips(user.user_id) + if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False: + log.info('Access for IP:%s forbidden, ' + 'not in %s' % (ip_addr, allowed_ips)) + return False + else: + log.info('Access for IP:%s allowed' % (ip_addr)) if action == 'push': if not HasPermissionAnyMiddleware('repository.write', 'repository.admin')(user, @@ -235,6 +243,9 @@ class BaseVCSController(object): class BaseController(WSGIController): def __before__(self): + """ + __before__ is called before controller methods and after __call__ + """ c.rhodecode_version = __version__ c.rhodecode_instanceid = config.get('instance_id') c.rhodecode_name = config.get('rhodecode_title') @@ -258,7 +269,6 @@ class BaseController(WSGIController): self.sa = meta.Session self.scm_model = ScmModel(self.sa) - self.ip_addr = '' def __call__(self, environ, start_response): """Invoke the Controller""" @@ -273,7 +283,7 @@ class BaseController(WSGIController): cookie_store = CookieStoreWrapper(session.get('rhodecode_user')) user_id = cookie_store.get('user_id', None) username = get_container_username(environ, config) - auth_user = AuthUser(user_id, api_key, username) + auth_user = AuthUser(user_id, api_key, username, self.ip_addr) request.user = auth_user self.rhodecode_user = c.rhodecode_user = auth_user if not self.rhodecode_user.is_authenticated and \ diff --git a/rhodecode/lib/db_manage.py b/rhodecode/lib/db_manage.py index 872db568..bc99d138 100644 --- a/rhodecode/lib/db_manage.py +++ b/rhodecode/lib/db_manage.py @@ -286,6 +286,9 @@ class DbManage(object): 'Please validate and check default permissions ' 'in admin panel') + def step_10(self): + pass + upgrade_steps = [0] + range(curr_version + 1, __dbversion__ + 1) # CALL THE PROPER ORDER OF STEPS TO PERFORM FULL UPGRADE diff --git a/rhodecode/lib/dbmigrate/versions/010_version_1_5_2.py b/rhodecode/lib/dbmigrate/versions/010_version_1_5_2.py new file mode 100644 index 00000000..928513fa --- /dev/null +++ b/rhodecode/lib/dbmigrate/versions/010_version_1_5_2.py @@ -0,0 +1,34 @@ +import logging +import datetime + +from sqlalchemy import * +from sqlalchemy.exc import DatabaseError +from sqlalchemy.orm import relation, backref, class_mapper, joinedload +from sqlalchemy.orm.session import Session +from sqlalchemy.ext.declarative import declarative_base + +from rhodecode.lib.dbmigrate.migrate import * +from rhodecode.lib.dbmigrate.migrate.changeset import * + +from rhodecode.model.meta import Base +from rhodecode.model import meta + +log = logging.getLogger(__name__) + + +def upgrade(migrate_engine): + """ + Upgrade operations go here. + Don't create your own engine; bind migrate_engine to your metadata + """ + #========================================================================== + # USER LOGS + #========================================================================== + from rhodecode.lib.dbmigrate.schema.db_1_5_0 import UserIpMap + tbl = UserIpMap.__table__ + tbl.create() + + +def downgrade(migrate_engine): + meta = MetaData() + meta.bind = migrate_engine diff --git a/rhodecode/lib/helpers.py b/rhodecode/lib/helpers.py index a4a210c4..21bd554b 100644 --- a/rhodecode/lib/helpers.py +++ b/rhodecode/lib/helpers.py @@ -1164,3 +1164,10 @@ def not_mapped_error(repo_name): ' it was created or renamed from the filesystem' ' please run the application again' ' in order to rescan repositories') % repo_name, category='error') + + +def ip_range(ip_addr): + from rhodecode.model.db import UserIpMap + s, e = UserIpMap._get_ip_range(ip_addr) + return '%s - %s' % (s, e) + diff --git a/rhodecode/lib/ipaddr.py b/rhodecode/lib/ipaddr.py new file mode 100644 index 00000000..72fda26f --- /dev/null +++ b/rhodecode/lib/ipaddr.py @@ -0,0 +1,1901 @@ +# Copyright 2007 Google Inc. +# Licensed to PSF under a Contributor Agreement. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. See the License for the specific language governing +# permissions and limitations under the License. + +"""A fast, lightweight IPv4/IPv6 manipulation library in Python. + +This library is used to create/poke/manipulate IPv4 and IPv6 addresses +and networks. + +""" + +__version__ = 'trunk' + +import struct + +IPV4LENGTH = 32 +IPV6LENGTH = 128 + + +class AddressValueError(ValueError): + """A Value Error related to the address.""" + + +class NetmaskValueError(ValueError): + """A Value Error related to the netmask.""" + + +def IPAddress(address, version=None): + """Take an IP string/int and return an object of the correct type. + + Args: + address: A string or integer, the IP address. Either IPv4 or + IPv6 addresses may be supplied; integers less than 2**32 will + be considered to be IPv4 by default. + version: An Integer, 4 or 6. If set, don't try to automatically + determine what the IP address type is. important for things + like IPAddress(1), which could be IPv4, '0.0.0.1', or IPv6, + '::1'. + + Returns: + An IPv4Address or IPv6Address object. + + Raises: + ValueError: if the string passed isn't either a v4 or a v6 + address. + + """ + if version: + if version == 4: + return IPv4Address(address) + elif version == 6: + return IPv6Address(address) + + try: + return IPv4Address(address) + except (AddressValueError, NetmaskValueError): + pass + + try: + return IPv6Address(address) + except (AddressValueError, NetmaskValueError): + pass + + raise ValueError('%r does not appear to be an IPv4 or IPv6 address' % + address) + + +def IPNetwork(address, version=None, strict=False): + """Take an IP string/int and return an object of the correct type. + + Args: + address: A string or integer, the IP address. Either IPv4 or + IPv6 addresses may be supplied; integers less than 2**32 will + be considered to be IPv4 by default. + version: An Integer, if set, don't try to automatically + determine what the IP address type is. important for things + like IPNetwork(1), which could be IPv4, '0.0.0.1/32', or IPv6, + '::1/128'. + + Returns: + An IPv4Network or IPv6Network object. + + Raises: + ValueError: if the string passed isn't either a v4 or a v6 + address. Or if a strict network was requested and a strict + network wasn't given. + + """ + if version: + if version == 4: + return IPv4Network(address, strict) + elif version == 6: + return IPv6Network(address, strict) + + try: + return IPv4Network(address, strict) + except (AddressValueError, NetmaskValueError): + pass + + try: + return IPv6Network(address, strict) + except (AddressValueError, NetmaskValueError): + pass + + raise ValueError('%r does not appear to be an IPv4 or IPv6 network' % + address) + + +def v4_int_to_packed(address): + """The binary representation of this address. + + Args: + address: An integer representation of an IPv4 IP address. + + Returns: + The binary representation of this address. + + Raises: + ValueError: If the integer is too large to be an IPv4 IP + address. + """ + if address > _BaseV4._ALL_ONES: + raise ValueError('Address too large for IPv4') + return Bytes(struct.pack('!I', address)) + + +def v6_int_to_packed(address): + """The binary representation of this address. + + Args: + address: An integer representation of an IPv6 IP address. + + Returns: + The binary representation of this address. + """ + return Bytes(struct.pack('!QQ', address >> 64, address & (2 ** 64 - 1))) + + +def _find_address_range(addresses): + """Find a sequence of addresses. + + Args: + addresses: a list of IPv4 or IPv6 addresses. + + Returns: + A tuple containing the first and last IP addresses in the sequence. + + """ + first = last = addresses[0] + for ip in addresses[1:]: + if ip._ip == last._ip + 1: + last = ip + else: + break + return (first, last) + + +def _get_prefix_length(number1, number2, bits): + """Get the number of leading bits that are same for two numbers. + + Args: + number1: an integer. + number2: another integer. + bits: the maximum number of bits to compare. + + Returns: + The number of leading bits that are the same for two numbers. + + """ + for i in range(bits): + if number1 >> i == number2 >> i: + return bits - i + return 0 + + +def _count_righthand_zero_bits(number, bits): + """Count the number of zero bits on the right hand side. + + Args: + number: an integer. + bits: maximum number of bits to count. + + Returns: + The number of zero bits on the right hand side of the number. + + """ + if number == 0: + return bits + for i in range(bits): + if (number >> i) % 2: + return i + + +def summarize_address_range(first, last): + """Summarize a network range given the first and last IP addresses. + + Example: + >>> summarize_address_range(IPv4Address('1.1.1.0'), + IPv4Address('1.1.1.130')) + [IPv4Network('1.1.1.0/25'), IPv4Network('1.1.1.128/31'), + IPv4Network('1.1.1.130/32')] + + Args: + first: the first IPv4Address or IPv6Address in the range. + last: the last IPv4Address or IPv6Address in the range. + + Returns: + The address range collapsed to a list of IPv4Network's or + IPv6Network's. + + Raise: + TypeError: + If the first and last objects are not IP addresses. + If the first and last objects are not the same version. + ValueError: + If the last object is not greater than the first. + If the version is not 4 or 6. + + """ + if not (isinstance(first, _BaseIP) and isinstance(last, _BaseIP)): + raise TypeError('first and last must be IP addresses, not networks') + if first.version != last.version: + raise TypeError("%s and %s are not of the same version" % ( + str(first), str(last))) + if first > last: + raise ValueError('last IP address must be greater than first') + + networks = [] + + if first.version == 4: + ip = IPv4Network + elif first.version == 6: + ip = IPv6Network + else: + raise ValueError('unknown IP version') + + ip_bits = first._max_prefixlen + first_int = first._ip + last_int = last._ip + while first_int <= last_int: + nbits = _count_righthand_zero_bits(first_int, ip_bits) + current = None + while nbits >= 0: + addend = 2 ** nbits - 1 + current = first_int + addend + nbits -= 1 + if current <= last_int: + break + prefix = _get_prefix_length(first_int, current, ip_bits) + net = ip('%s/%d' % (str(first), prefix)) + networks.append(net) + if current == ip._ALL_ONES: + break + first_int = current + 1 + first = IPAddress(first_int, version=first._version) + return networks + + +def _collapse_address_list_recursive(addresses): + """Loops through the addresses, collapsing concurrent netblocks. + + Example: + + ip1 = IPv4Network('1.1.0.0/24') + ip2 = IPv4Network('1.1.1.0/24') + ip3 = IPv4Network('1.1.2.0/24') + ip4 = IPv4Network('1.1.3.0/24') + ip5 = IPv4Network('1.1.4.0/24') + ip6 = IPv4Network('1.1.0.1/22') + + _collapse_address_list_recursive([ip1, ip2, ip3, ip4, ip5, ip6]) -> + [IPv4Network('1.1.0.0/22'), IPv4Network('1.1.4.0/24')] + + This shouldn't be called directly; it is called via + collapse_address_list([]). + + Args: + addresses: A list of IPv4Network's or IPv6Network's + + Returns: + A list of IPv4Network's or IPv6Network's depending on what we were + passed. + + """ + ret_array = [] + optimized = False + + for cur_addr in addresses: + if not ret_array: + ret_array.append(cur_addr) + continue + if cur_addr in ret_array[-1]: + optimized = True + elif cur_addr == ret_array[-1].supernet().subnet()[1]: + ret_array.append(ret_array.pop().supernet()) + optimized = True + else: + ret_array.append(cur_addr) + + if optimized: + return _collapse_address_list_recursive(ret_array) + + return ret_array + + +def collapse_address_list(addresses): + """Collapse a list of IP objects. + + Example: + collapse_address_list([IPv4('1.1.0.0/24'), IPv4('1.1.1.0/24')]) -> + [IPv4('1.1.0.0/23')] + + Args: + addresses: A list of IPv4Network or IPv6Network objects. + + Returns: + A list of IPv4Network or IPv6Network objects depending on what we + were passed. + + Raises: + TypeError: If passed a list of mixed version objects. + + """ + i = 0 + addrs = [] + ips = [] + nets = [] + + # split IP addresses and networks + for ip in addresses: + if isinstance(ip, _BaseIP): + if ips and ips[-1]._version != ip._version: + raise TypeError("%s and %s are not of the same version" % ( + str(ip), str(ips[-1]))) + ips.append(ip) + elif ip._prefixlen == ip._max_prefixlen: + if ips and ips[-1]._version != ip._version: + raise TypeError("%s and %s are not of the same version" % ( + str(ip), str(ips[-1]))) + ips.append(ip.ip) + else: + if nets and nets[-1]._version != ip._version: + raise TypeError("%s and %s are not of the same version" % ( + str(ip), str(nets[-1]))) + nets.append(ip) + + # sort and dedup + ips = sorted(set(ips)) + nets = sorted(set(nets)) + + while i < len(ips): + (first, last) = _find_address_range(ips[i:]) + i = ips.index(last) + 1 + addrs.extend(summarize_address_range(first, last)) + + return _collapse_address_list_recursive(sorted( + addrs + nets, key=_BaseNet._get_networks_key)) + +# backwards compatibility +CollapseAddrList = collapse_address_list + +# We need to distinguish between the string and packed-bytes representations +# of an IP address. For example, b'0::1' is the IPv4 address 48.58.58.49, +# while '0::1' is an IPv6 address. +# +# In Python 3, the native 'bytes' type already provides this functionality, +# so we use it directly. For earlier implementations where bytes is not a +# distinct type, we create a subclass of str to serve as a tag. +# +# Usage example (Python 2): +# ip = ipaddr.IPAddress(ipaddr.Bytes('xxxx')) +# +# Usage example (Python 3): +# ip = ipaddr.IPAddress(b'xxxx') +try: + if bytes is str: + raise TypeError("bytes is not a distinct type") + Bytes = bytes +except (NameError, TypeError): + class Bytes(str): + def __repr__(self): + return 'Bytes(%s)' % str.__repr__(self) + + +def get_mixed_type_key(obj): + """Return a key suitable for sorting between networks and addresses. + + Address and Network objects are not sortable by default; they're + fundamentally different so the expression + + IPv4Address('1.1.1.1') <= IPv4Network('1.1.1.1/24') + + doesn't make any sense. There are some times however, where you may wish + to have ipaddr sort these for you anyway. If you need to do this, you + can use this function as the key= argument to sorted(). + + Args: + obj: either a Network or Address object. + Returns: + appropriate key. + + """ + if isinstance(obj, _BaseNet): + return obj._get_networks_key() + elif isinstance(obj, _BaseIP): + return obj._get_address_key() + return NotImplemented + + +class _IPAddrBase(object): + + """The mother class.""" + + def __index__(self): + return self._ip + + def __int__(self): + return self._ip + + def __hex__(self): + return hex(self._ip) + + @property + def exploded(self): + """Return the longhand version of the IP address as a string.""" + return self._explode_shorthand_ip_string() + + @property + def compressed(self): + """Return the shorthand version of the IP address as a string.""" + return str(self) + + +class _BaseIP(_IPAddrBase): + + """A generic IP object. + + This IP class contains the version independent methods which are + used by single IP addresses. + + """ + + def __eq__(self, other): + try: + return (self._ip == other._ip + and self._version == other._version) + except AttributeError: + return NotImplemented + + def __ne__(self, other): + eq = self.__eq__(other) + if eq is NotImplemented: + return NotImplemented + return not eq + + def __le__(self, other): + gt = self.__gt__(other) + if gt is NotImplemented: + return NotImplemented + return not gt + + def __ge__(self, other): + lt = self.__lt__(other) + if lt is NotImplemented: + return NotImplemented + return not lt + + def __lt__(self, other): + if self._version != other._version: + raise TypeError('%s and %s are not of the same version' % ( + str(self), str(other))) + if not isinstance(other, _BaseIP): + raise TypeError('%s and %s are not of the same type' % ( + str(self), str(other))) + if self._ip != other._ip: + return self._ip < other._ip + return False + + def __gt__(self, other): + if self._version != other._version: + raise TypeError('%s and %s are not of the same version' % ( + str(self), str(other))) + if not isinstance(other, _BaseIP): + raise TypeError('%s and %s are not of the same type' % ( + str(self), str(other))) + if self._ip != other._ip: + return self._ip > other._ip + return False + + # Shorthand for Integer addition and subtraction. This is not + # meant to ever support addition/subtraction of addresses. + def __add__(self, other): + if not isinstance(other, int): + return NotImplemented + return IPAddress(int(self) + other, version=self._version) + + def __sub__(self, other): + if not isinstance(other, int): + return NotImplemented + return IPAddress(int(self) - other, version=self._version) + + def __repr__(self): + return '%s(%r)' % (self.__class__.__name__, str(self)) + + def __str__(self): + return '%s' % self._string_from_ip_int(self._ip) + + def __hash__(self): + return hash(hex(long(self._ip))) + + def _get_address_key(self): + return (self._version, self) + + @property + def version(self): + raise NotImplementedError('BaseIP has no version') + + +class _BaseNet(_IPAddrBase): + + """A generic IP object. + + This IP class contains the version independent methods which are + used by networks. + + """ + + def __init__(self, address): + self._cache = {} + + def __repr__(self): + return '%s(%r)' % (self.__class__.__name__, str(self)) + + def iterhosts(self): + """Generate Iterator over usable hosts in a network. + + This is like __iter__ except it doesn't return the network + or broadcast addresses. + + """ + cur = int(self.network) + 1 + bcast = int(self.broadcast) - 1 + while cur <= bcast: + cur += 1 + yield IPAddress(cur - 1, version=self._version) + + def __iter__(self): + cur = int(self.network) + bcast = int(self.broadcast) + while cur <= bcast: + cur += 1 + yield IPAddress(cur - 1, version=self._version) + + def __getitem__(self, n): + network = int(self.network) + broadcast = int(self.broadcast) + if n >= 0: + if network + n > broadcast: + raise IndexError + return IPAddress(network + n, version=self._version) + else: + n += 1 + if broadcast + n < network: + raise IndexError + return IPAddress(broadcast + n, version=self._version) + + def __lt__(self, other): + if self._version != other._version: + raise TypeError('%s and %s are not of the same version' % ( + str(self), str(other))) + if not isinstance(other, _BaseNet): + raise TypeError('%s and %s are not of the same type' % ( + str(self), str(other))) + if self.network != other.network: + return self.network < other.network + if self.netmask != other.netmask: + return self.netmask < other.netmask + return False + + def __gt__(self, other): + if self._version != other._version: + raise TypeError('%s and %s are not of the same version' % ( + str(self), str(other))) + if not isinstance(other, _BaseNet): + raise TypeError('%s and %s are not of the same type' % ( + str(self), str(other))) + if self.network != other.network: + return self.network > other.network + if self.netmask != other.netmask: + return self.netmask > other.netmask + return False + + def __le__(self, other): + gt = self.__gt__(other) + if gt is NotImplemented: + return NotImplemented + return not gt + + def __ge__(self, other): + lt = self.__lt__(other) + if lt is NotImplemented: + return NotImplemented + return not lt + + def __eq__(self, other): + try: + return (self._version == other._version + and self.network == other.network + and int(self.netmask) == int(other.netmask)) + except AttributeError: + if isinstance(other, _BaseIP): + return (self._version == other._version + and self._ip == other._ip) + + def __ne__(self, other): + eq = self.__eq__(other) + if eq is NotImplemented: + return NotImplemented + return not eq + + def __str__(self): + return '%s/%s' % (str(self.ip), + str(self._prefixlen)) + + def __hash__(self): + return hash(int(self.network) ^ int(self.netmask)) + + def __contains__(self, other): + # always false if one is v4 and the other is v6. + if self._version != other._version: + return False + # dealing with another network. + if isinstance(other, _BaseNet): + return (self.network <= other.network and + self.broadcast >= other.broadcast) + # dealing with another address + else: + return (int(self.network) <= int(other._ip) <= + int(self.broadcast)) + + def overlaps(self, other): + """Tell if self is partly contained in other.""" + return self.network in other or self.broadcast in other or ( + other.network in self or other.broadcast in self) + + @property + def network(self): + x = self._cache.get('network') + if x is None: + x = IPAddress(self._ip & int(self.netmask), version=self._version) + self._cache['network'] = x + return x + + @property + def broadcast(self): + x = self._cache.get('broadcast') + if x is None: + x = IPAddress(self._ip | int(self.hostmask), version=self._version) + self._cache['broadcast'] = x + return x + + @property + def hostmask(self): + x = self._cache.get('hostmask') + if x is None: + x = IPAddress(int(self.netmask) ^ self._ALL_ONES, + version=self._version) + self._cache['hostmask'] = x + return x + + @property + def with_prefixlen(self): + return '%s/%d' % (str(self.ip), self._prefixlen) + + @property + def with_netmask(self): + return '%s/%s' % (str(self.ip), str(self.netmask)) + + @property + def with_hostmask(self): + return '%s/%s' % (str(self.ip), str(self.hostmask)) + + @property + def numhosts(self): + """Number of hosts in the current subnet.""" + return int(self.broadcast) - int(self.network) + 1 + + @property + def version(self): + raise NotImplementedError('BaseNet has no version') + + @property + def prefixlen(self): + return self._prefixlen + + def address_exclude(self, other): + """Remove an address from a larger block. + + For example: + + addr1 = IPNetwork('10.1.1.0/24') + addr2 = IPNetwork('10.1.1.0/26') + addr1.address_exclude(addr2) = + [IPNetwork('10.1.1.64/26'), IPNetwork('10.1.1.128/25')] + + or IPv6: + + addr1 = IPNetwork('::1/32') + addr2 = IPNetwork('::1/128') + addr1.address_exclude(addr2) = [IPNetwork('::0/128'), + IPNetwork('::2/127'), + IPNetwork('::4/126'), + IPNetwork('::8/125'), + ... + IPNetwork('0:0:8000::/33')] + + Args: + other: An IPvXNetwork object of the same type. + + Returns: + A sorted list of IPvXNetwork objects addresses which is self + minus other. + + Raises: + TypeError: If self and other are of difffering address + versions, or if other is not a network object. + ValueError: If other is not completely contained by self. + + """ + if not self._version == other._version: + raise TypeError("%s and %s are not of the same version" % ( + str(self), str(other))) + + if not isinstance(other, _BaseNet): + raise TypeError("%s is not a network object" % str(other)) + + if other not in self: + raise ValueError('%s not contained in %s' % (str(other), + str(self))) + if other == self: + return [] + + ret_addrs = [] + + # Make sure we're comparing the network of other. + other = IPNetwork('%s/%s' % (str(other.network), str(other.prefixlen)), + version=other._version) + + s1, s2 = self.subnet() + while s1 != other and s2 != other: + if other in s1: + ret_addrs.append(s2) + s1, s2 = s1.subnet() + elif other in s2: + ret_addrs.append(s1) + s1, s2 = s2.subnet() + else: + # If we got here, there's a bug somewhere. + assert True == False, ('Error performing exclusion: ' + 's1: %s s2: %s other: %s' % + (str(s1), str(s2), str(other))) + if s1 == other: + ret_addrs.append(s2) + elif s2 == other: + ret_addrs.append(s1) + else: + # If we got here, there's a bug somewhere. + assert True == False, ('Error performing exclusion: ' + 's1: %s s2: %s other: %s' % + (str(s1), str(s2), str(other))) + + return sorted(ret_addrs, key=_BaseNet._get_networks_key) + + def compare_networks(self, other): + """Compare two IP objects. + + This is only concerned about the comparison of the integer + representation of the network addresses. This means that the + host bits aren't considered at all in this method. If you want + to compare host bits, you can easily enough do a + 'HostA._ip < HostB._ip' + + Args: + other: An IP object. + + Returns: + If the IP versions of self and other are the same, returns: + + -1 if self < other: + eg: IPv4('1.1.1.0/24') < IPv4('1.1.2.0/24') + IPv6('1080::200C:417A') < IPv6('1080::200B:417B') + 0 if self == other + eg: IPv4('1.1.1.1/24') == IPv4('1.1.1.2/24') + IPv6('1080::200C:417A/96') == IPv6('1080::200C:417B/96') + 1 if self > other + eg: IPv4('1.1.1.0/24') > IPv4('1.1.0.0/24') + IPv6('1080::1:200C:417A/112') > + IPv6('1080::0:200C:417A/112') + + If the IP versions of self and other are different, returns: + + -1 if self._version < other._version + eg: IPv4('10.0.0.1/24') < IPv6('::1/128') + 1 if self._version > other._version + eg: IPv6('::1/128') > IPv4('255.255.255.0/24') + + """ + if self._version < other._version: + return -1 + if self._version > other._version: + return 1 + # self._version == other._version below here: + if self.network < other.network: + return -1 + if self.network > other.network: + return 1 + # self.network == other.network below here: + if self.netmask < other.netmask: + return -1 + if self.netmask > other.netmask: + return 1 + # self.network == other.network and self.netmask == other.netmask + return 0 + + def _get_networks_key(self): + """Network-only key function. + + Returns an object that identifies this address' network and + netmask. This function is a suitable "key" argument for sorted() + and list.sort(). + + """ + return (self._version, self.network, self.netmask) + + def _ip_int_from_prefix(self, prefixlen=None): + """Turn the prefix length netmask into a int for comparison. + + Args: + prefixlen: An integer, the prefix length. + + Returns: + An integer. + + """ + if not prefixlen and prefixlen != 0: + prefixlen = self._prefixlen + return self._ALL_ONES ^ (self._ALL_ONES >> prefixlen) + + def _prefix_from_ip_int(self, ip_int, mask=32): + """Return prefix length from the decimal netmask. + + Args: + ip_int: An integer, the IP address. + mask: The netmask. Defaults to 32. + + Returns: + An integer, the prefix length. + + """ + while mask: + if ip_int & 1 == 1: + break + ip_int >>= 1 + mask -= 1 + + return mask + + def _ip_string_from_prefix(self, prefixlen=None): + """Turn a prefix length into a dotted decimal string. + + Args: + prefixlen: An integer, the netmask prefix length. + + Returns: + A string, the dotted decimal netmask string. + + """ + if not prefixlen: + prefixlen = self._prefixlen + return self._string_from_ip_int(self._ip_int_from_prefix(prefixlen)) + + def iter_subnets(self, prefixlen_diff=1, new_prefix=None): + """The subnets which join to make the current subnet. + + In the case that self contains only one IP + (self._prefixlen == 32 for IPv4 or self._prefixlen == 128 + for IPv6), return a list with just ourself. + + Args: + prefixlen_diff: An integer, the amount the prefix length + should be increased by. This should not be set if + new_prefix is also set. + new_prefix: The desired new prefix length. This must be a + larger number (smaller prefix) than the existing prefix. + This should not be set if prefixlen_diff is also set. + + Returns: + An iterator of IPv(4|6) objects. + + Raises: + ValueError: The prefixlen_diff is too small or too large. + OR + prefixlen_diff and new_prefix are both set or new_prefix + is a smaller number than the current prefix (smaller + number means a larger network) + + """ + if self._prefixlen == self._max_prefixlen: + yield self + return + + if new_prefix is not None: + if new_prefix < self._prefixlen: + raise ValueError('new prefix must be longer') + if prefixlen_diff != 1: + raise ValueError('cannot set prefixlen_diff and new_prefix') + prefixlen_diff = new_prefix - self._prefixlen + + if prefixlen_diff < 0: + raise ValueError('prefix length diff must be > 0') + new_prefixlen = self._prefixlen + prefixlen_diff + + if not self._is_valid_netmask(str(new_prefixlen)): + raise ValueError( + 'prefix length diff %d is invalid for netblock %s' % ( + new_prefixlen, str(self))) + + first = IPNetwork('%s/%s' % (str(self.network), + str(self._prefixlen + prefixlen_diff)), + version=self._version) + + yield first + current = first + while True: + broadcast = current.broadcast + if broadcast == self.broadcast: + return + new_addr = IPAddress(int(broadcast) + 1, version=self._version) + current = IPNetwork('%s/%s' % (str(new_addr), str(new_prefixlen)), + version=self._version) + + yield current + + def masked(self): + """Return the network object with the host bits masked out.""" + return IPNetwork('%s/%d' % (self.network, self._prefixlen), + version=self._version) + + def subnet(self, prefixlen_diff=1, new_prefix=None): + """Return a list of subnets, rather than an iterator.""" + return list(self.iter_subnets(prefixlen_diff, new_prefix)) + + def supernet(self, prefixlen_diff=1, new_prefix=None): + """The supernet containing the current network. + + Args: + prefixlen_diff: An integer, the amount the prefix length of + the network should be decreased by. For example, given a + /24 network and a prefixlen_diff of 3, a supernet with a + /21 netmask is returned. + + Returns: + An IPv4 network object. + + Raises: + ValueError: If self.prefixlen - prefixlen_diff < 0. I.e., you have a + negative prefix length. + OR + If prefixlen_diff and new_prefix are both set or new_prefix is a + larger number than the current prefix (larger number means a + smaller network) + + """ + if self._prefixlen == 0: + return self + + if new_prefix is not None: + if new_prefix > self._prefixlen: + raise ValueError('new prefix must be shorter') + if prefixlen_diff != 1: + raise ValueError('cannot set prefixlen_diff and new_prefix') + prefixlen_diff = self._prefixlen - new_prefix + + if self.prefixlen - prefixlen_diff < 0: + raise ValueError( + 'current prefixlen is %d, cannot have a prefixlen_diff of %d' % + (self.prefixlen, prefixlen_diff)) + return IPNetwork('%s/%s' % (str(self.network), + str(self.prefixlen - prefixlen_diff)), + version=self._version) + + # backwards compatibility + Subnet = subnet + Supernet = supernet + AddressExclude = address_exclude + CompareNetworks = compare_networks + Contains = __contains__ + + +class _BaseV4(object): + + """Base IPv4 object. + + The following methods are used by IPv4 objects in both single IP + addresses and networks. + + """ + + # Equivalent to 255.255.255.255 or 32 bits of 1's. + _ALL_ONES = (2 ** IPV4LENGTH) - 1 + _DECIMAL_DIGITS = frozenset('0123456789') + + def __init__(self, address): + self._version = 4 + self._max_prefixlen = IPV4LENGTH + + def _explode_shorthand_ip_string(self): + return str(self) + + def _ip_int_from_string(self, ip_str): + """Turn the given IP string into an integer for comparison. + + Args: + ip_str: A string, the IP ip_str. + + Returns: + The IP ip_str as an integer. + + Raises: + AddressValueError: if ip_str isn't a valid IPv4 Address. + + """ + octets = ip_str.split('.') + if len(octets) != 4: + raise AddressValueError(ip_str) + + packed_ip = 0 + for oc in octets: + try: + packed_ip = (packed_ip << 8) | self._parse_octet(oc) + except ValueError: + raise AddressValueError(ip_str) + return packed_ip + + def _parse_octet(self, octet_str): + """Convert a decimal octet into an integer. + + Args: + octet_str: A string, the number to parse. + + Returns: + The octet as an integer. + + Raises: + ValueError: if the octet isn't strictly a decimal from [0..255]. + + """ + # Whitelist the characters, since int() allows a lot of bizarre stuff. + if not self._DECIMAL_DIGITS.issuperset(octet_str): + raise ValueError + octet_int = int(octet_str, 10) + # Disallow leading zeroes, because no clear standard exists on + # whether these should be interpreted as decimal or octal. + if octet_int > 255 or (octet_str[0] == '0' and len(octet_str) > 1): + raise ValueError + return octet_int + + def _string_from_ip_int(self, ip_int): + """Turns a 32-bit integer into dotted decimal notation. + + Args: + ip_int: An integer, the IP address. + + Returns: + The IP address as a string in dotted decimal notation. + + """ + octets = [] + for _ in xrange(4): + octets.insert(0, str(ip_int & 0xFF)) + ip_int >>= 8 + return '.'.join(octets) + + @property + def max_prefixlen(self): + return self._max_prefixlen + + @property + def packed(self): + """The binary representation of this address.""" + return v4_int_to_packed(self._ip) + + @property + def version(self): + return self._version + + @property + def is_reserved(self): + """Test if the address is otherwise IETF reserved. + + Returns: + A boolean, True if the address is within the + reserved IPv4 Network range. + + """ + return self in IPv4Network('240.0.0.0/4') + + @property + def is_private(self): + """Test if this address is allocated for private networks. + + Returns: + A boolean, True if the address is reserved per RFC 1918. + + """ + return (self in IPv4Network('10.0.0.0/8') or + self in IPv4Network('172.16.0.0/12') or + self in IPv4Network('192.168.0.0/16')) + + @property + def is_multicast(self): + """Test if the address is reserved for multicast use. + + Returns: + A boolean, True if the address is multicast. + See RFC 3171 for details. + + """ + return self in IPv4Network('224.0.0.0/4') + + @property + def is_unspecified(self): + """Test if the address is unspecified. + + Returns: + A boolean, True if this is the unspecified address as defined in + RFC 5735 3. + + """ + return self in IPv4Network('0.0.0.0') + + @property + def is_loopback(self): + """Test if the address is a loopback address. + + Returns: + A boolean, True if the address is a loopback per RFC 3330. + + """ + return self in IPv4Network('127.0.0.0/8') + + @property + def is_link_local(self): + """Test if the address is reserved for link-local. + + Returns: + A boolean, True if the address is link-local per RFC 3927. + + """ + return self in IPv4Network('169.254.0.0/16') + + +class IPv4Address(_BaseV4, _BaseIP): + + """Represent and manipulate single IPv4 Addresses.""" + + def __init__(self, address): + + """ + Args: + address: A string or integer representing the IP + '192.168.1.1' + + Additionally, an integer can be passed, so + IPv4Address('192.168.1.1') == IPv4Address(3232235777). + or, more generally + IPv4Address(int(IPv4Address('192.168.1.1'))) == + IPv4Address('192.168.1.1') + + Raises: + AddressValueError: If ipaddr isn't a valid IPv4 address. + + """ + _BaseV4.__init__(self, address) + + # Efficient constructor from integer. + if isinstance(address, (int, long)): + self._ip = address + if address < 0 or address > self._ALL_ONES: + raise AddressValueError(address) + return + + # Constructing from a packed address + if isinstance(address, Bytes): + try: + self._ip, = struct.unpack('!I', address) + except struct.error: + raise AddressValueError(address) # Wrong length. + return + + # Assume input argument to be string or any object representation + # which converts into a formatted IP string. + addr_str = str(address) + self._ip = self._ip_int_from_string(addr_str) + + +class IPv4Network(_BaseV4, _BaseNet): + + """This class represents and manipulates 32-bit IPv4 networks. + + Attributes: [examples for IPv4Network('1.2.3.4/27')] + ._ip: 16909060 + .ip: IPv4Address('1.2.3.4') + .network: IPv4Address('1.2.3.0') + .hostmask: IPv4Address('0.0.0.31') + .broadcast: IPv4Address('1.2.3.31') + .netmask: IPv4Address('255.255.255.224') + .prefixlen: 27 + + """ + + # the valid octets for host and netmasks. only useful for IPv4. + _valid_mask_octets = set((255, 254, 252, 248, 240, 224, 192, 128, 0)) + + def __init__(self, address, strict=False): + """Instantiate a new IPv4 network object. + + Args: + address: A string or integer representing the IP [& network]. + '192.168.1.1/24' + '192.168.1.1/255.255.255.0' + '192.168.1.1/0.0.0.255' + are all functionally the same in IPv4. Similarly, + '192.168.1.1' + '192.168.1.1/255.255.255.255' + '192.168.1.1/32' + are also functionaly equivalent. That is to say, failing to + provide a subnetmask will create an object with a mask of /32. + + If the mask (portion after the / in the argument) is given in + dotted quad form, it is treated as a netmask if it starts with a + non-zero field (e.g. /255.0.0.0 == /8) and as a hostmask if it + starts with a zero field (e.g. 0.255.255.255 == /8), with the + single exception of an all-zero mask which is treated as a + netmask == /0. If no mask is given, a default of /32 is used. + + Additionally, an integer can be passed, so + IPv4Network('192.168.1.1') == IPv4Network(3232235777). + or, more generally + IPv4Network(int(IPv4Network('192.168.1.1'))) == + IPv4Network('192.168.1.1') + + strict: A boolean. If true, ensure that we have been passed + A true network address, eg, 192.168.1.0/24 and not an + IP address on a network, eg, 192.168.1.1/24. + + Raises: + AddressValueError: If ipaddr isn't a valid IPv4 address. + NetmaskValueError: If the netmask isn't valid for + an IPv4 address. + ValueError: If strict was True and a network address was not + supplied. + + """ + _BaseNet.__init__(self, address) + _BaseV4.__init__(self, address) + + # Constructing from an integer or packed bytes. + if isinstance(address, (int, long, Bytes)): + self.ip = IPv4Address(address) + self._ip = self.ip._ip + self._prefixlen = self._max_prefixlen + self.netmask = IPv4Address(self._ALL_ONES) + return + + # Assume input argument to be string or any object representation + # which converts into a formatted IP prefix string. + addr = str(address).split('/') + + if len(addr) > 2: + raise AddressValueError(address) + + self._ip = self._ip_int_from_string(addr[0]) + self.ip = IPv4Address(self._ip) + + if len(addr) == 2: + mask = addr[1].split('.') + if len(mask) == 4: + # We have dotted decimal netmask. + if self._is_valid_netmask(addr[1]): + self.netmask = IPv4Address(self._ip_int_from_string( + addr[1])) + elif self._is_hostmask(addr[1]): + self.netmask = IPv4Address( + self._ip_int_from_string(addr[1]) ^ self._ALL_ONES) + else: + raise NetmaskValueError('%s is not a valid netmask' + % addr[1]) + + self._prefixlen = self._prefix_from_ip_int(int(self.netmask)) + else: + # We have a netmask in prefix length form. + if not self._is_valid_netmask(addr[1]): + raise NetmaskValueError(addr[1]) + self._prefixlen = int(addr[1]) + self.netmask = IPv4Address(self._ip_int_from_prefix( + self._prefixlen)) + else: + self._prefixlen = self._max_prefixlen + self.netmask = IPv4Address(self._ip_int_from_prefix( + self._prefixlen)) + if strict: + if self.ip != self.network: + raise ValueError('%s has host bits set' % + self.ip) + if self._prefixlen == (self._max_prefixlen - 1): + self.iterhosts = self.__iter__ + + def _is_hostmask(self, ip_str): + """Test if the IP string is a hostmask (rather than a netmask). + + Args: + ip_str: A string, the potential hostmask. + + Returns: + A boolean, True if the IP string is a hostmask. + + """ + bits = ip_str.split('.') + try: + parts = [int(x) for x in bits if int(x) in self._valid_mask_octets] + except ValueError: + return False + if len(parts) != len(bits): + return False + if parts[0] < parts[-1]: + return True + return False + + def _is_valid_netmask(self, netmask): + """Verify that the netmask is valid. + + Args: + netmask: A string, either a prefix or dotted decimal + netmask. + + Returns: + A boolean, True if the prefix represents a valid IPv4 + netmask. + + """ + mask = netmask.split('.') + if len(mask) == 4: + if [x for x in mask if int(x) not in self._valid_mask_octets]: + return False + if [y for idx, y in enumerate(mask) if idx > 0 and + y > mask[idx - 1]]: + return False + return True + try: + netmask = int(netmask) + except ValueError: + return False + return 0 <= netmask <= self._max_prefixlen + + # backwards compatibility + IsRFC1918 = lambda self: self.is_private + IsMulticast = lambda self: self.is_multicast + IsLoopback = lambda self: self.is_loopback + IsLinkLocal = lambda self: self.is_link_local + + +class _BaseV6(object): + + """Base IPv6 object. + + The following methods are used by IPv6 objects in both single IP + addresses and networks. + + """ + + _ALL_ONES = (2 ** IPV6LENGTH) - 1 + _HEXTET_COUNT = 8 + _HEX_DIGITS = frozenset('0123456789ABCDEFabcdef') + + def __init__(self, address): + self._version = 6 + self._max_prefixlen = IPV6LENGTH + + def _ip_int_from_string(self, ip_str): + """Turn an IPv6 ip_str into an integer. + + Args: + ip_str: A string, the IPv6 ip_str. + + Returns: + A long, the IPv6 ip_str. + + Raises: + AddressValueError: if ip_str isn't a valid IPv6 Address. + + """ + parts = ip_str.split(':') + + # An IPv6 address needs at least 2 colons (3 parts). + if len(parts) < 3: + raise AddressValueError(ip_str) + + # If the address has an IPv4-style suffix, convert it to hexadecimal. + if '.' in parts[-1]: + ipv4_int = IPv4Address(parts.pop())._ip + parts.append('%x' % ((ipv4_int >> 16) & 0xFFFF)) + parts.append('%x' % (ipv4_int & 0xFFFF)) + + # An IPv6 address can't have more than 8 colons (9 parts). + if len(parts) > self._HEXTET_COUNT + 1: + raise AddressValueError(ip_str) + + # Disregarding the endpoints, find '::' with nothing in between. + # This indicates that a run of zeroes has been skipped. + try: + skip_index, = ( + [i for i in xrange(1, len(parts) - 1) if not parts[i]] or + [None]) + except ValueError: + # Can't have more than one '::' + raise AddressValueError(ip_str) + + # parts_hi is the number of parts to copy from above/before the '::' + # parts_lo is the number of parts to copy from below/after the '::' + if skip_index is not None: + # If we found a '::', then check if it also covers the endpoints. + parts_hi = skip_index + parts_lo = len(parts) - skip_index - 1 + if not parts[0]: + parts_hi -= 1 + if parts_hi: + raise AddressValueError(ip_str) # ^: requires ^:: + if not parts[-1]: + parts_lo -= 1 + if parts_lo: + raise AddressValueError(ip_str) # :$ requires ::$ + parts_skipped = self._HEXTET_COUNT - (parts_hi + parts_lo) + if parts_skipped < 1: + raise AddressValueError(ip_str) + else: + # Otherwise, allocate the entire address to parts_hi. The endpoints + # could still be empty, but _parse_hextet() will check for that. + if len(parts) != self._HEXTET_COUNT: + raise AddressValueError(ip_str) + parts_hi = len(parts) + parts_lo = 0 + parts_skipped = 0 + + try: + # Now, parse the hextets into a 128-bit integer. + ip_int = 0L + for i in xrange(parts_hi): + ip_int <<= 16 + ip_int |= self._parse_hextet(parts[i]) + ip_int <<= 16 * parts_skipped + for i in xrange(-parts_lo, 0): + ip_int <<= 16 + ip_int |= self._parse_hextet(parts[i]) + return ip_int + except ValueError: + raise AddressValueError(ip_str) + + def _parse_hextet(self, hextet_str): + """Convert an IPv6 hextet string into an integer. + + Args: + hextet_str: A string, the number to parse. + + Returns: + The hextet as an integer. + + Raises: + ValueError: if the input isn't strictly a hex number from [0..FFFF]. + + """ + # Whitelist the characters, since int() allows a lot of bizarre stuff. + if not self._HEX_DIGITS.issuperset(hextet_str): + raise ValueError + if len(hextet_str) > 4: + raise ValueError + hextet_int = int(hextet_str, 16) + if hextet_int > 0xFFFF: + raise ValueError + return hextet_int + + def _compress_hextets(self, hextets): + """Compresses a list of hextets. + + Compresses a list of strings, replacing the longest continuous + sequence of "0" in the list with "" and adding empty strings at + the beginning or at the end of the string such that subsequently + calling ":".join(hextets) will produce the compressed version of + the IPv6 address. + + Args: + hextets: A list of strings, the hextets to compress. + + Returns: + A list of strings. + + """ + best_doublecolon_start = -1 + best_doublecolon_len = 0 + doublecolon_start = -1 + doublecolon_len = 0 + for index in range(len(hextets)): + if hextets[index] == '0': + doublecolon_len += 1 + if doublecolon_start == -1: + # Start of a sequence of zeros. + doublecolon_start = index + if doublecolon_len > best_doublecolon_len: + # This is the longest sequence of zeros so far. + best_doublecolon_len = doublecolon_len + best_doublecolon_start = doublecolon_start + else: + doublecolon_len = 0 + doublecolon_start = -1 + + if best_doublecolon_len > 1: + best_doublecolon_end = (best_doublecolon_start + + best_doublecolon_len) + # For zeros at the end of the address. + if best_doublecolon_end == len(hextets): + hextets += [''] + hextets[best_doublecolon_start:best_doublecolon_end] = [''] + # For zeros at the beginning of the address. + if best_doublecolon_start == 0: + hextets = [''] + hextets + + return hextets + + def _string_from_ip_int(self, ip_int=None): + """Turns a 128-bit integer into hexadecimal notation. + + Args: + ip_int: An integer, the IP address. + + Returns: + A string, the hexadecimal representation of the address. + + Raises: + ValueError: The address is bigger than 128 bits of all ones. + + """ + if not ip_int and ip_int != 0: + ip_int = int(self._ip) + + if ip_int > self._ALL_ONES: + raise ValueError('IPv6 address is too large') + + hex_str = '%032x' % ip_int + hextets = [] + for x in range(0, 32, 4): + hextets.append('%x' % int(hex_str[x:x + 4], 16)) + + hextets = self._compress_hextets(hextets) + return ':'.join(hextets) + + def _explode_shorthand_ip_string(self): + """Expand a shortened IPv6 address. + + Args: + ip_str: A string, the IPv6 address. + + Returns: + A string, the expanded IPv6 address. + + """ + if isinstance(self, _BaseNet): + ip_str = str(self.ip) + else: + ip_str = str(self) + + ip_int = self._ip_int_from_string(ip_str) + parts = [] + for i in xrange(self._HEXTET_COUNT): + parts.append('%04x' % (ip_int & 0xFFFF)) + ip_int >>= 16 + parts.reverse() + if isinstance(self, _BaseNet): + return '%s/%d' % (':'.join(parts), self.prefixlen) + return ':'.join(parts) + + @property + def max_prefixlen(self): + return self._max_prefixlen + + @property + def packed(self): + """The binary representation of this address.""" + return v6_int_to_packed(self._ip) + + @property + def version(self): + return self._version + + @property + def is_multicast(self): + """Test if the address is reserved for multicast use. + + Returns: + A boolean, True if the address is a multicast address. + See RFC 2373 2.7 for details. + + """ + return self in IPv6Network('ff00::/8') + + @property + def is_reserved(self): + """Test if the address is otherwise IETF reserved. + + Returns: + A boolean, True if the address is within one of the + reserved IPv6 Network ranges. + + """ + return (self in IPv6Network('::/8') or + self in IPv6Network('100::/8') or + self in IPv6Network('200::/7') or + self in IPv6Network('400::/6') or + self in IPv6Network('800::/5') or + self in IPv6Network('1000::/4') or + self in IPv6Network('4000::/3') or + self in IPv6Network('6000::/3') or + self in IPv6Network('8000::/3') or + self in IPv6Network('A000::/3') or + self in IPv6Network('C000::/3') or + self in IPv6Network('E000::/4') or + self in IPv6Network('F000::/5') or + self in IPv6Network('F800::/6') or + self in IPv6Network('FE00::/9')) + + @property + def is_unspecified(self): + """Test if the address is unspecified. + + Returns: + A boolean, True if this is the unspecified address as defined in + RFC 2373 2.5.2. + + """ + return self._ip == 0 and getattr(self, '_prefixlen', 128) == 128 + + @property + def is_loopback(self): + """Test if the address is a loopback address. + + Returns: + A boolean, True if the address is a loopback address as defined in + RFC 2373 2.5.3. + + """ + return self._ip == 1 and getattr(self, '_prefixlen', 128) == 128 + + @property + def is_link_local(self): + """Test if the address is reserved for link-local. + + Returns: + A boolean, True if the address is reserved per RFC 4291. + + """ + return self in IPv6Network('fe80::/10') + + @property + def is_site_local(self): + """Test if the address is reserved for site-local. + + Note that the site-local address space has been deprecated by RFC 3879. + Use is_private to test if this address is in the space of unique local + addresses as defined by RFC 4193. + + Returns: + A boolean, True if the address is reserved per RFC 3513 2.5.6. + + """ + return self in IPv6Network('fec0::/10') + + @property + def is_private(self): + """Test if this address is allocated for private networks. + + Returns: + A boolean, True if the address is reserved per RFC 4193. + + """ + return self in IPv6Network('fc00::/7') + + @property + def ipv4_mapped(self): + """Return the IPv4 mapped address. + + Returns: + If the IPv6 address is a v4 mapped address, return the + IPv4 mapped address. Return None otherwise. + + """ + if (self._ip >> 32) != 0xFFFF: + return None + return IPv4Address(self._ip & 0xFFFFFFFF) + + @property + def teredo(self): + """Tuple of embedded teredo IPs. + + Returns: + Tuple of the (server, client) IPs or None if the address + doesn't appear to be a teredo address (doesn't start with + 2001::/32) + + """ + if (self._ip >> 96) != 0x20010000: + return None + return (IPv4Address((self._ip >> 64) & 0xFFFFFFFF), + IPv4Address(~self._ip & 0xFFFFFFFF)) + + @property + def sixtofour(self): + """Return the IPv4 6to4 embedded address. + + Returns: + The IPv4 6to4-embedded address if present or None if the + address doesn't appear to contain a 6to4 embedded address. + + """ + if (self._ip >> 112) != 0x2002: + return None + return IPv4Address((self._ip >> 80) & 0xFFFFFFFF) + + +class IPv6Address(_BaseV6, _BaseIP): + + """Represent and manipulate single IPv6 Addresses. + """ + + def __init__(self, address): + """Instantiate a new IPv6 address object. + + Args: + address: A string or integer representing the IP + + Additionally, an integer can be passed, so + IPv6Address('2001:4860::') == + IPv6Address(42541956101370907050197289607612071936L). + or, more generally + IPv6Address(IPv6Address('2001:4860::')._ip) == + IPv6Address('2001:4860::') + + Raises: + AddressValueError: If address isn't a valid IPv6 address. + + """ + _BaseV6.__init__(self, address) + + # Efficient constructor from integer. + if isinstance(address, (int, long)): + self._ip = address + if address < 0 or address > self._ALL_ONES: + raise AddressValueError(address) + return + + # Constructing from a packed address + if isinstance(address, Bytes): + try: + hi, lo = struct.unpack('!QQ', address) + except struct.error: + raise AddressValueError(address) # Wrong length. + self._ip = (hi << 64) | lo + return + + # Assume input argument to be string or any object representation + # which converts into a formatted IP string. + addr_str = str(address) + if not addr_str: + raise AddressValueError('') + + self._ip = self._ip_int_from_string(addr_str) + + +class IPv6Network(_BaseV6, _BaseNet): + + """This class represents and manipulates 128-bit IPv6 networks. + + Attributes: [examples for IPv6('2001:658:22A:CAFE:200::1/64')] + .ip: IPv6Address('2001:658:22a:cafe:200::1') + .network: IPv6Address('2001:658:22a:cafe::') + .hostmask: IPv6Address('::ffff:ffff:ffff:ffff') + .broadcast: IPv6Address('2001:658:22a:cafe:ffff:ffff:ffff:ffff') + .netmask: IPv6Address('ffff:ffff:ffff:ffff::') + .prefixlen: 64 + + """ + + def __init__(self, address, strict=False): + """Instantiate a new IPv6 Network object. + + Args: + address: A string or integer representing the IPv6 network or the IP + and prefix/netmask. + '2001:4860::/128' + '2001:4860:0000:0000:0000:0000:0000:0000/128' + '2001:4860::' + are all functionally the same in IPv6. That is to say, + failing to provide a subnetmask will create an object with + a mask of /128. + + Additionally, an integer can be passed, so + IPv6Network('2001:4860::') == + IPv6Network(42541956101370907050197289607612071936L). + or, more generally + IPv6Network(IPv6Network('2001:4860::')._ip) == + IPv6Network('2001:4860::') + + strict: A boolean. If true, ensure that we have been passed + A true network address, eg, 192.168.1.0/24 and not an + IP address on a network, eg, 192.168.1.1/24. + + Raises: + AddressValueError: If address isn't a valid IPv6 address. + NetmaskValueError: If the netmask isn't valid for + an IPv6 address. + ValueError: If strict was True and a network address was not + supplied. + + """ + _BaseNet.__init__(self, address) + _BaseV6.__init__(self, address) + + # Constructing from an integer or packed bytes. + if isinstance(address, (int, long, Bytes)): + self.ip = IPv6Address(address) + self._ip = self.ip._ip + self._prefixlen = self._max_prefixlen + self.netmask = IPv6Address(self._ALL_ONES) + return + + # Assume input argument to be string or any object representation + # which converts into a formatted IP prefix string. + addr = str(address).split('/') + + if len(addr) > 2: + raise AddressValueError(address) + + self._ip = self._ip_int_from_string(addr[0]) + self.ip = IPv6Address(self._ip) + + if len(addr) == 2: + if self._is_valid_netmask(addr[1]): + self._prefixlen = int(addr[1]) + else: + raise NetmaskValueError(addr[1]) + else: + self._prefixlen = self._max_prefixlen + + self.netmask = IPv6Address(self._ip_int_from_prefix(self._prefixlen)) + + if strict: + if self.ip != self.network: + raise ValueError('%s has host bits set' % + self.ip) + if self._prefixlen == (self._max_prefixlen - 1): + self.iterhosts = self.__iter__ + + def _is_valid_netmask(self, prefixlen): + """Verify that the netmask/prefixlen is valid. + + Args: + prefixlen: A string, the netmask in prefix length format. + + Returns: + A boolean, True if the prefix represents a valid IPv6 + netmask. + + """ + try: + prefixlen = int(prefixlen) + except ValueError: + return False + return 0 <= prefixlen <= self._max_prefixlen + + @property + def with_netmask(self): + return self.with_prefixlen diff --git a/rhodecode/lib/middleware/simplegit.py b/rhodecode/lib/middleware/simplegit.py index e196bc62..1dedf17b 100644 --- a/rhodecode/lib/middleware/simplegit.py +++ b/rhodecode/lib/middleware/simplegit.py @@ -109,7 +109,7 @@ class SimpleGit(BaseVCSController): if not self._check_ssl(environ, start_response): return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response) - ipaddr = self._get_ip_addr(environ) + ip_addr = self._get_ip_addr(environ) username = None self._git_first_op = False # skip passing error to error controller @@ -140,7 +140,7 @@ class SimpleGit(BaseVCSController): anonymous_user = self.__get_user('default') username = anonymous_user.username anonymous_perm = self._check_permission(action, anonymous_user, - repo_name) + repo_name, ip_addr) if anonymous_perm is not True or anonymous_user.active is False: if anonymous_perm is not True: @@ -182,7 +182,7 @@ class SimpleGit(BaseVCSController): return HTTPInternalServerError()(environ, start_response) #check permissions for this repository - perm = self._check_permission(action, user, repo_name) + perm = self._check_permission(action, user, repo_name, ip_addr) if perm is not True: return HTTPForbidden()(environ, start_response) @@ -191,7 +191,7 @@ class SimpleGit(BaseVCSController): from rhodecode import CONFIG server_url = get_server_url(environ) extras = { - 'ip': ipaddr, + 'ip': ip_addr, 'username': username, 'action': action, 'repository': repo_name, diff --git a/rhodecode/lib/middleware/simplehg.py b/rhodecode/lib/middleware/simplehg.py index 6834a51b..2a6ea397 100644 --- a/rhodecode/lib/middleware/simplehg.py +++ b/rhodecode/lib/middleware/simplehg.py @@ -73,7 +73,7 @@ class SimpleHg(BaseVCSController): if not self._check_ssl(environ, start_response): return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response) - ipaddr = self._get_ip_addr(environ) + ip_addr = self._get_ip_addr(environ) username = None # skip passing error to error controller environ['pylons.status_code_redirect'] = True @@ -103,7 +103,7 @@ class SimpleHg(BaseVCSController): anonymous_user = self.__get_user('default') username = anonymous_user.username anonymous_perm = self._check_permission(action, anonymous_user, - repo_name) + repo_name, ip_addr) if anonymous_perm is not True or anonymous_user.active is False: if anonymous_perm is not True: @@ -145,7 +145,7 @@ class SimpleHg(BaseVCSController): return HTTPInternalServerError()(environ, start_response) #check permissions for this repository - perm = self._check_permission(action, user, repo_name) + perm = self._check_permission(action, user, repo_name, ip_addr) if perm is not True: return HTTPForbidden()(environ, start_response) @@ -154,7 +154,7 @@ class SimpleHg(BaseVCSController): from rhodecode import CONFIG server_url = get_server_url(environ) extras = { - 'ip': ipaddr, + 'ip': ip_addr, 'username': username, 'action': action, 'repository': repo_name, diff --git a/rhodecode/model/db.py b/rhodecode/model/db.py index 1d5ab5ba..6030b468 100755 --- a/rhodecode/model/db.py +++ b/rhodecode/model/db.py @@ -518,6 +518,33 @@ class UserEmailMap(Base, BaseModel): self._email = val.lower() if val else None +class UserIpMap(Base, BaseModel): + __tablename__ = 'user_ip_map' + __table_args__ = ( + UniqueConstraint('user_id', 'ip_addr'), + {'extend_existing': True, 'mysql_engine': 'InnoDB', + 'mysql_charset': 'utf8'} + ) + __mapper_args__ = {} + + ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True) + user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None) + ip_addr = Column("ip_addr", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None) + user = relationship('User', lazy='joined') + + @classmethod + def _get_ip_range(cls, ip_addr): + from rhodecode.lib import ipaddr + net = ipaddr.IPv4Network(ip_addr) + return [str(net.network), str(net.broadcast)] + + def __json__(self): + return dict( + ip_addr=self.ip_addr, + ip_range=self._get_ip_range(self.ip_addr) + ) + + class UserLog(Base, BaseModel): __tablename__ = 'user_logs' __table_args__ = ( @@ -637,6 +664,7 @@ class Repository(Base, BaseModel): landing_rev = Column("landing_revision", String(255, convert_unicode=False, assert_unicode=None), nullable=False, unique=False, default=None) enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False) _locked = Column("locked", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None) + #changeset_cache = Column("changeset_cache", LargeBinary(), nullable=False) #JSON data fork_id = Column("fork_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=False, default=None) group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=False, default=None) diff --git a/rhodecode/model/forms.py b/rhodecode/model/forms.py index b46e6274..851640d8 100644 --- a/rhodecode/model/forms.py +++ b/rhodecode/model/forms.py @@ -345,11 +345,16 @@ def LdapSettingsForm(tls_reqcert_choices, search_scope_choices, def UserExtraEmailForm(): class _UserExtraEmailForm(formencode.Schema): - email = All(v.UniqSystemEmail(), v.Email) - + email = All(v.UniqSystemEmail(), v.Email(not_empty=True)) return _UserExtraEmailForm +def UserExtraIpForm(): + class _UserExtraIpForm(formencode.Schema): + ip = v.ValidIp()(not_empty=True) + return _UserExtraIpForm + + def PullRequestForm(repo_id): class _PullRequestForm(formencode.Schema): allow_extra_fields = True diff --git a/rhodecode/model/user.py b/rhodecode/model/user.py index 89657793..51cc28e4 100644 --- a/rhodecode/model/user.py +++ b/rhodecode/model/user.py @@ -40,7 +40,7 @@ from rhodecode.model import BaseModel from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \ UserToPerm, UsersGroupRepoToPerm, UsersGroupToPerm, UsersGroupMember, \ Notification, RepoGroup, UserRepoGroupToPerm, UsersGroupRepoGroupToPerm, \ - UserEmailMap + UserEmailMap, UserIpMap from rhodecode.lib.exceptions import DefaultUserException, \ UserOwnsReposException @@ -705,3 +705,33 @@ class UserModel(BaseModel): obj = UserEmailMap.query().get(email_id) if obj: self.sa.delete(obj) + + def add_extra_ip(self, user, ip): + """ + Adds ip address to UserIpMap + + :param user: + :param ip: + """ + from rhodecode.model import forms + form = forms.UserExtraIpForm()() + data = form.to_python(dict(ip=ip)) + user = self._get_user(user) + + obj = UserIpMap() + obj.user = user + obj.ip_addr = data['ip'] + self.sa.add(obj) + return obj + + def delete_extra_ip(self, user, ip_id): + """ + Removes ip address from UserIpMap + + :param user: + :param ip_id: + """ + user = self._get_user(user) + obj = UserIpMap.query().get(ip_id) + if obj: + self.sa.delete(obj) diff --git a/rhodecode/model/validators.py b/rhodecode/model/validators.py index 9923f28e..a9fe81fe 100644 --- a/rhodecode/model/validators.py +++ b/rhodecode/model/validators.py @@ -11,7 +11,7 @@ from webhelpers.pylonslib.secure_form import authentication_token from formencode.validators import ( UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set, - NotEmpty + NotEmpty, IPAddress, CIDR ) from rhodecode.lib.compat import OrderedSet from rhodecode.lib.utils import repo_name_slug @@ -23,7 +23,7 @@ from rhodecode.lib.auth import HasReposGroupPermissionAny # silence warnings and pylint UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set, \ - NotEmpty + NotEmpty, IPAddress, CIDR log = logging.getLogger(__name__) @@ -706,3 +706,40 @@ def NotReviewedRevisions(repo_id): ) return _validator + + +def ValidIp(): + class _validator(CIDR): + messages = dict( + badFormat=_('Please enter a valid IP address (a.b.c.d)'), + illegalOctets=_('The octets must be within the range of 0-255' + ' (not %(octet)r)'), + illegalBits=_('The network size (bits) must be within the range' + ' of 0-32 (not %(bits)r)')) + + def validate_python(self, value, state): + try: + # Split into octets and bits + if '/' in value: # a.b.c.d/e + addr, bits = value.split('/') + else: # a.b.c.d + addr, bits = value, 32 + # Use IPAddress validator to validate the IP part + IPAddress.validate_python(self, addr, state) + # Bits (netmask) correct? + if not 0 <= int(bits) <= 32: + raise formencode.Invalid( + self.message('illegalBits', state, bits=bits), + value, state) + # Splitting faild: wrong syntax + except ValueError: + raise formencode.Invalid(self.message('badFormat', state), + value, state) + + def to_python(self, value, state): + v = super(_validator, self).to_python(value, state) + #if IP doesn't end with a mask, add /32 + if '/' not in value: + v += '/32' + return v + return _validator diff --git a/rhodecode/public/css/style.css b/rhodecode/public/css/style.css index c9222015..b33ac26e 100644 --- a/rhodecode/public/css/style.css +++ b/rhodecode/public/css/style.css @@ -4040,6 +4040,22 @@ div#legend_container table td,div#legend_choices table td { float: left
}
+.ips_wrap{
+ padding: 0px 20px;
+}
+
+.ips_wrap .ip_entry{
+ height: 30px;
+ padding:0px 0px 0px 10px;
+}
+.ips_wrap .ip_entry .ip{
+ float: left
+}
+.ips_wrap .ip_entry .ip_action{
+ float: left
+}
+
+
/*README STYLE*/
div.readme {
diff --git a/rhodecode/templates/admin/permissions/permissions.html b/rhodecode/templates/admin/permissions/permissions.html index 653600c1..b36b0e92 100644 --- a/rhodecode/templates/admin/permissions/permissions.html +++ b/rhodecode/templates/admin/permissions/permissions.html @@ -16,7 +16,7 @@ </%def> <%def name="main()"> -<div class="box"> +<div class="box box-left"> <!-- box / title --> <div class="title"> ${self.breadcrumbs()} @@ -89,10 +89,127 @@ </div> </div> <div class="buttons"> - ${h.submit('set',_('set'),class_="ui-btn large")} + ${h.submit('save',_('Save'),class_="ui-btn large")} + ${h.reset('reset',_('Reset'),class_="ui-btn large")} </div> </div> </div> ${h.end_form()} </div> + +<div style="min-height:780px" class="box box-right"> + <!-- box / title --> + <div class="title"> + <h5>${_('Default User Permissions')}</h5> + </div> + + ## permissions overview + <div id="perms" class="table"> + %for section in sorted(c.perm_user.permissions.keys()): + <div class="perms_section_head">${section.replace("_"," ").capitalize()}</div> + %if not c.perm_user.permissions[section]: + <span class="empty_data">${_('Nothing here yet')}</span> + %else: + <div id='tbl_list_wrap_${section}' class="yui-skin-sam"> + <table id="tbl_list_${section}"> + <thead> + <tr> + <th class="left">${_('Name')}</th> + <th class="left">${_('Permission')}</th> + <th class="left">${_('Edit Permission')}</th> + </thead> + <tbody> + %for k in c.perm_user.permissions[section]: + <% + if section != 'global': + section_perm = c.perm_user.permissions[section].get(k) + _perm = section_perm.split('.')[-1] + else: + _perm = section_perm = None + %> + <tr> + <td> + %if section == 'repositories': + <a href="${h.url('summary_home',repo_name=k)}">${k}</a> + %elif section == 'repositories_groups': + <a href="${h.url('repos_group_home',group_name=k)}">${k}</a> + %else: + ${h.get_permission_name(k)} + %endif + </td> + <td> + %if section == 'global': + ${h.bool2icon(k.split('.')[-1] != 'none')} + %else: + <span class="perm_tag ${_perm}">${section_perm}</span> + %endif + </td> + <td> + %if section == 'repositories': + <a href="${h.url('edit_repo',repo_name=k,anchor='permissions_manage')}">${_('edit')}</a> + %elif section == 'repositories_groups': + <a href="${h.url('edit_repos_group',id=k,anchor='permissions_manage')}">${_('edit')}</a> + %else: + -- + %endif + </td> + </tr> + %endfor + </tbody> + </table> + </div> + %endif + %endfor + </div> +</div> +<div class="box box-left" style="clear:left"> + <!-- box / title --> + <div class="title"> + <h5>${_('Allowed IP addresses')}</h5> + </div> + + <div class="ips_wrap"> + <table class="noborder"> + %if c.user_ip_map: + %for ip in c.user_ip_map: + <tr> + <td><div class="ip">${ip.ip_addr}</div></td> + <td><div class="ip">${h.ip_range(ip.ip_addr)}</div></td> + <td> + ${h.form(url('user_ips_delete', id=c.user.user_id),method='delete')} + ${h.hidden('del_ip',ip.ip_id)} + ${h.hidden('default_user', 'True')} + ${h.submit('remove_',_('delete'),id="remove_ip_%s" % ip.ip_id, + class_="delete_icon action_button", onclick="return confirm('"+_('Confirm to delete this ip: %s') % ip.ip_addr+"');")} + ${h.end_form()} + </td> + </tr> + %endfor + %else: + <tr><td><div class="ip">${_('All IP addresses are allowed')}</div></td></tr> + %endif + </table> + </div> + + ${h.form(url('user_ips', id=c.user.user_id),method='put')} + <div class="form"> + <!-- fields --> + <div class="fields"> + <div class="field"> + <div class="label"> + <label for="new_ip">${_('New ip address')}:</label> + </div> + <div class="input"> + ${h.hidden('default_user', 'True')} + ${h.text('new_ip', class_='medium')} + </div> + </div> + <div class="buttons"> + ${h.submit('save',_('Add'),class_="ui-btn large")} + ${h.reset('reset',_('Reset'),class_="ui-btn large")} + </div> + </div> + </div> + ${h.end_form()} +</div> </%def> diff --git a/rhodecode/templates/admin/users/user_edit.html b/rhodecode/templates/admin/users/user_edit.html index 0b8e1fb7..71bd3a3a 100644 --- a/rhodecode/templates/admin/users/user_edit.html +++ b/rhodecode/templates/admin/users/user_edit.html @@ -43,7 +43,11 @@ <label>${_('API key')}</label> ${c.user.api_key} </div> </div> - + <div class="field"> + <div class="label"> + <label>${_('Your IP')}</label> ${c.perm_user.ip_addr or "?"} + </div> + </div> <div class="fields"> <div class="field"> <div class="label"> @@ -271,7 +275,7 @@ <div class="fields"> <div class="field"> <div class="label"> - <label for="email">${_('New email address')}:</label> + <label for="new_email">${_('New email address')}:</label> </div> <div class="input"> ${h.text('new_email', class_='medium')} @@ -285,4 +289,52 @@ </div> ${h.end_form()} </div> +<div class="box box-left" style="clear:left"> + <!-- box / title --> + <div class="title"> + <h5>${_('Allowed IP addresses')}</h5> + </div> + + <div class="ips_wrap"> + <table class="noborder"> + %if c.user_ip_map: + %for ip in c.user_ip_map: + <tr> + <td><div class="ip">${ip.ip_addr}</div></td> + <td><div class="ip">${h.ip_range(ip.ip_addr)}</div></td> + <td> + ${h.form(url('user_ips_delete', id=c.user.user_id),method='delete')} + ${h.hidden('del_ip',ip.ip_id)} + ${h.submit('remove_',_('delete'),id="remove_ip_%s" % ip.ip_id, + class_="delete_icon action_button", onclick="return confirm('"+_('Confirm to delete this ip: %s') % ip.ip_addr+"');")} + ${h.end_form()} + </td> + </tr> + %endfor + %else: + <tr><td><div class="ip">${_('All IP addresses are allowed')}</div></td></tr> + %endif + </table> + </div> + + ${h.form(url('user_ips', id=c.user.user_id),method='put')} + <div class="form"> + <!-- fields --> + <div class="fields"> + <div class="field"> + <div class="label"> + <label for="new_ip">${_('New ip address')}:</label> + </div> + <div class="input"> + ${h.text('new_ip', class_='medium')} + </div> + </div> + <div class="buttons"> + ${h.submit('save',_('Add'),class_="ui-btn large")} + ${h.reset('reset',_('Reset'),class_="ui-btn large")} + </div> + </div> + </div> + ${h.end_form()} +</div> </%def> |