libervia-pubsub: sat_pubsub/backend.py comparison

comparison sat_pubsub/backend.py @ 330:82d1259b3e36

backend, pgsql storage: better items/notification handling, various fixes: - replaced const.VAL_AMODEL_ROSTER by const.VAL_AMODEL_PUBLISHER_ROSTER to follow change in pgsql schema - implemented whitelist access model - fixed bad access check during items retrieval (access was checked on recipient instead of requestor/sender) - getItemsData and notification filtering now use inline callbacks: this make these complexe workflows far mor easy to read, and clarity is imperative in these security critical sections. - publisher-roster access model now need to have only one owner, else it will fail. The idea is to use this model only when owner=publisher, else there is ambiguity on the roster to use to check access - replaced getNodeOwner by node.getOwners, as a node can have several owners - notifications filtering has been fixed in a similar way - psql: simplified withPEP method, pep_table argument is actually not needed - removed error.NotInRoster: error.Forbidden is used instead - notifications now notify all the owners, not only the first one

author	Goffi <goffi@goffi.org>
date	Sun, 26 Mar 2017 20:52:32 +0200
parents	29c2553ef863
children	e93a9fd329d9

comparison

equal deleted inserted replaced

-:98409ef42c94
+:82d1259b3e36
 const.OPT_ACCESS_MODEL:
 {"type": "list-single",
 "label": "Who can subscribe to this node",
 "options": {
 const.VAL_AMODEL_OPEN: "Public node",
-const.VAL_AMODEL_ROSTER: "Node restricted to some roster groups",
+const.VAL_AMODEL_PUBLISHER_ROSTER: "Node restricted to some groups of publisher's roster",
-const.VAL_AMODEL_JID: "Node restricted to some jids",
+const.VAL_AMODEL_WHITELIST: "Node restricted to some jids",
 }
 },
 const.OPT_ROSTER_GROUPS_ALLOWED:
 {"type": "list-multi",
 "label": "Groups of the roster allowed to access the node",
 def getAffiliations(self, entity):
 return self.storage.getAffiliations(entity)
-def getItems(self, nodeIdentifier, recipient, maxItems=None,
+def getItems(self, nodeIdentifier, requestor, recipient, maxItems=None,
 itemIdentifiers=None, ext_data=None):
-d = self.getItemsData(nodeIdentifier, recipient, maxItems, itemIdentifiers, ext_data)
+d = self.getItemsData(nodeIdentifier, requestor, recipient, maxItems, itemIdentifiers, ext_data)
 d.addCallback(lambda items_data: [item_data.item for item_data in items_data])
 return d
-def getItemsData(self, nodeIdentifier, recipient, maxItems=None,
+@defer.inlineCallbacks
+def getOwnerRoster(self, node, owners=None):
+if owners is None:
+owners = yield node.getOwners()
+if len(owners) != 1:
+log.msg('publisher-roster access is not allowed with more than 1 owner')
+return
+owner_jid = owners[0]
+try:
+roster = yield self.privilege.getRoster(owner_jid)
+except Exception as e:
+log.msg("Error while getting roster of {owner_jid}: {msg}".format(
+owner_jid = owner_jid.full(),
+msg = e))
+return
+defer.returnValue(roster)
+@defer.inlineCallbacks
+def getItemsData(self, nodeIdentifier, requestor, recipient, maxItems=None,
 itemIdentifiers=None, ext_data=None):
 """like getItems but return the whole ItemData"""
+if maxItems == 0:
+log.msg("WARNING: maxItems=0 on items retrieval")
+defer.returnValue([])
 if ext_data is None:
 ext_data = {}
-d = self.storage.getNode(nodeIdentifier, ext_data.get('pep', False), recipient)
+node = yield self.storage.getNode(nodeIdentifier, ext_data.get('pep', False), recipient)
-d.addCallback(_getAffiliation, recipient)
+node, affiliation = yield _getAffiliation(node, requestor)
-d.addCallback(self._doGetItems, recipient, maxItems, itemIdentifiers,
-ext_data)
+if not iidavoll.ILeafNode.providedBy(node):
-return d
+defer.returnValue([])
-def checkGroup(self, roster_groups, entity):
+if affiliation == 'outcast':
-"""Check that entity is authorized and in roster
+raise error.Forbidden()
-@param roster_group: tuple which 2 items:
-- roster: mapping of jid to RosterItem as given by self.privilege.getRoster
-- groups: list of authorized groups
+# node access check
-@param entity: entity which must be in group
+owner = affiliation == 'owner'
-@return: (True, roster) if entity is in roster and authorized
+access_model = node.getAccessModel()
-(False, roster) if entity is in roster but not authorized
+roster = None
-@raise: error.NotInRoster if entity is not in roster"""
-roster, authorized_groups = roster_groups
+if access_model == const.VAL_AMODEL_OPEN or owner:
-_entity = entity.userhostJID()
+pass
+elif access_model == const.VAL_AMODEL_PUBLISHER_ROSTER:
-if not _entity in roster:
+roster = yield self.getOwnerRoster(node)
-raise error.NotInRoster
-return (roster[_entity].groups.intersection(authorized_groups), roster)
+if roster is None:
+raise error.Forbidden()
-def _getNodeGroups(self, roster, nodeIdentifier, pep):
-d = self.storage.getNodeGroups(nodeIdentifier, pep)
+if requestor not in roster:
-d.addCallback(lambda groups: (roster, groups))
+raise error.Forbidden()
-return d
+authorized_groups = yield node.getAuthorizedGroups()
-def _rosterEb(self, failure, owner_jid):
-log.msg("Error while getting roster of {}: {}".format(unicode(owner_jid), failure.value))
+if not roster[requestor].groups.intersection(authorized_groups):
-return {}
+# requestor is in roster but not in one of the allowed groups
+raise error.Forbidden()
-def _doGetItems(self, result, requestor, maxItems, itemIdentifiers,
+elif access_model == const.VAL_AMODEL_WHITELIST:
-ext_data):
+affiliations = yield node.getAffiliations()
-node, affiliation = result
+try:
-if maxItems == 0:
+affiliation = affiliations[requestor.userhostJID()]
-log.msg("WARNING: maxItems=0 on items retrieval")
+except KeyError:
-return []
+raise error.Forbidden()
+else:
-def append_item_config(items_data):
+if affiliation not in ('owner', 'publisher', 'member'):
-"""Add item config data form to items with roster access model"""
+raise error.Forbidden()
+else:
+raise Exception(u"Unknown access_model")
+# at this point node access is checked
+if owner:
+# requestor_groups is only used in restricted access
+requestor_groups = None
+else:
+if roster is None:
+roster = yield self.getOwnerRoster(node)
+if roster is None:
+roster = {}
+roster_item = roster.get(requestor.userhostJID())
+requestor_groups = tuple(roster_item.groups) if roster_item else tuple()
+if itemIdentifiers:
+items_data = yield node.getItemsById(requestor_groups, owner, itemIdentifiers)
+else:
+items_data = yield node.getItems(requestor_groups, owner, maxItems, ext_data)
+if owner:
+# Add item config data form to items with roster access model
 for item_data in items_data:
 if item_data.access_model == const.VAL_AMODEL_OPEN:
 pass
-elif item_data.access_model == const.VAL_AMODEL_ROSTER:
+elif item_data.access_model == const.VAL_AMODEL_PUBLISHER_ROSTER:
 form = data_form.Form('submit', formNamespace=const.NS_ITEM_CONFIG)
-access = data_form.Field(None, const.OPT_ACCESS_MODEL, value=const.VAL_AMODEL_ROSTER)
+access = data_form.Field(None, const.OPT_ACCESS_MODEL, value=const.VAL_AMODEL_PUBLISHER_ROSTER)
 allowed = data_form.Field(None, const.OPT_ROSTER_GROUPS_ALLOWED, values=item_data.config[const.OPT_ROSTER_GROUPS_ALLOWED])
 form.addField(access)
 form.addField(allowed)
 item_data.item.addChild(form.toElement())
-elif access_model == const.VAL_AMODEL_JID:
+elif access_model == const.VAL_AMODEL_WHITELIST:
-#FIXME: manage jid
+#FIXME
 raise NotImplementedError
 else:
 raise error.BadAccessTypeError(access_model)
-return items_data
+yield self._items_rsm(items_data, node, requestor_groups, owner, itemIdentifiers, ext_data)
-def access_checked(access_data):
+defer.returnValue(items_data)
-authorized, roster = access_data
-if not authorized:
-raise error.NotAuthorized()
-roster_item = roster.get(requestor.userhostJID())
-authorized_groups = tuple(roster_item.groups) if roster_item else tuple()
-owner = affiliation == 'owner'
-if itemIdentifiers:
-d = node.getItemsById(authorized_groups, owner, itemIdentifiers)
-else:
-d = node.getItems(authorized_groups, owner, maxItems, ext_data)
-if owner:
-d.addCallback(append_item_config)
-d.addCallback(self._items_rsm, node, authorized_groups,
-owner, itemIdentifiers,
-ext_data)
-return d
-if not iidavoll.ILeafNode.providedBy(node):
-return []
-if affiliation == 'outcast':
-raise error.Forbidden()
-access_model = node.getAccessModel()
-d = node.getNodeOwner()
-def gotOwner(owner_jid):
-d_roster = self.privilege.getRoster(owner_jid)
-d_roster.addErrback(self._rosterEb, owner_jid)
-return d_roster
-d.addCallback(gotOwner)
-if access_model == const.VAL_AMODEL_OPEN or affiliation == 'owner':
-d.addCallback(lambda roster: (True, roster))
-d.addCallback(access_checked)
-elif access_model == const.VAL_AMODEL_ROSTER:
-d.addCallback(self._getNodeGroups, node.nodeIdentifier, ext_data.get('pep', False))
-d.addCallback(self.checkGroup, requestor)
-d.addCallback(access_checked)
-return d
 def _setCount(self, value, response):
 response.count = value
 def _setIndex(self, value, response, adjust):
 _errorMap = {
 error.NodeNotFound: ('item-not-found', None, None),
 error.NodeExists: ('conflict', None, None),
 error.Forbidden: ('forbidden', None, None),
 error.NotAuthorized: ('not-authorized', None, None),
-error.NotInRoster: ('not-authorized', 'not-in-roster-group', None),
 error.ItemNotFound: ('item-not-found', None, None),
 error.ItemForbidden: ('bad-request', 'item-forbidden', None),
 error.ItemRequired: ('bad-request', 'item-required', None),
 error.NoInstantNodes: ('not-acceptable',
 'unsupported',
 node = data['node']
 pep = data['pep']
 recipient = data['recipient']
 def afterPrepare(result):
-owner_jid, notifications_filtered = result
+owners, notifications_filtered = result
-#we notify the owner
+#we notify the owners
 #FIXME: check if this comply with XEP-0060 (option needed ?)
 #TODO: item's access model have to be sent back to owner
 #TODO: same thing for getItems
 def getFullItem(item_data):
 new_item = deepcopy(item)
 if item_config:
 new_item.addChild(item_config.toElement())
 return new_item
-notifications_filtered.append((owner_jid,
+for owner_jid in owners:
-set([pubsub.Subscription(node.nodeIdentifier,
+notifications_filtered.append(
-owner_jid,
+(owner_jid,
-'subscribed')]),
+set([pubsub.Subscription(node.nodeIdentifier,
-[getFullItem(item_data) for item_data in items_data]))
+owner_jid,
+'subscribed')]),
+[getFullItem(item_data) for item_data in items_data]))
 if pep:
 return self.backend.privilege.notifyPublish(
 recipient,
 node.nodeIdentifier,
 node = data['node']
 pep = data['pep']
 recipient = data['recipient']
 def afterPrepare(result):
-owner_jid, notifications_filtered = result
+owners, notifications_filtered = result
-#we add the owner
+#we add the owners
-notifications_filtered.append((owner_jid,
+for owner_jid in owners:
-set([pubsub.Subscription(node.nodeIdentifier,
+notifications_filtered.append(
-owner_jid,
+(owner_jid,
-'subscribed')]),
+set([pubsub.Subscription(node.nodeIdentifier,
-[item_data.item for item_data in items_data]))
+owner_jid,
+'subscribed')]),
+[item_data.item for item_data in items_data]))
 if pep:
 return self.backend.privilege.notifyRetract(
 recipient,
 node.nodeIdentifier,
 d = self._prepareNotify(items_data, node, data.get('subscription'))
 d.addCallback(afterPrepare)
 return d
+@defer.inlineCallbacks
 def _prepareNotify(self, items_data, node, subscription=None):
 """Do a bunch of permissions check and filter notifications
 The owner is not added to these notifications,
 it must be called by the calling method
 - notifications_filtered
 - node_owner_jid
 - items_data
 """
-def filterNotifications(result):
-"""Check access of subscriber for each item, and keep only allowed ones"""
+if subscription is None:
-notifications, (owner_jid,roster) = result
+notifications = yield self.backend.getNotifications(node.nodeDbId, items_data)
+else:
-#we filter items not allowed for the subscribers
+notifications = [(subscription.subscriber, [subscription], items_data)]
-notifications_filtered = []
+owners = node.getOwners()
-for subscriber, subscriptions, items_data in notifications:
+owner_roster = None
-if subscriber == owner_jid:
-# as notification is always sent to owner,
+# now we check access of subscriber for each item, and keep only allowed ones
-# we ignore owner if he is here
-continue
+#we filter items not allowed for the subscribers
-allowed_items = [] #we keep only item which subscriber can access
+notifications_filtered = []
-for item_data in items_data:
+for subscriber, subscriptions, items_data in notifications:
-item, access_model = item_data.item, item_data.access_model
+subscriber_bare = subscriber.userhostJID()
-access_list = item_data.config
+if subscriber_bare in owners:
-if access_model == const.VAL_AMODEL_OPEN:
+# as notification is always sent to owner,
+# we ignore owner if he is here
+continue
+allowed_items = [] #we keep only item which subscriber can access
+for item_data in items_data:
+item, access_model = item_data.item, item_data.access_model
+access_list = item_data.config
+if access_model == const.VAL_AMODEL_OPEN:
+allowed_items.append(item)
+elif access_model == const.VAL_AMODEL_PUBLISHER_ROSTER:
+if owner_roster is None:
+owner_roster= yield self.getOwnerRoster(node, owners)
+if owner_roster is None:
+owner_roster = {}
+if not subscriber_bare in owner_roster:
+continue
+#the subscriber is known, is he in the right group ?
+authorized_groups = access_list[const.OPT_ROSTER_GROUPS_ALLOWED]
+if owner_roster[subscriber_bare].groups.intersection(authorized_groups):
 allowed_items.append(item)
-elif access_model == const.VAL_AMODEL_ROSTER:
+else: #unknown access_model
-_subscriber = subscriber.userhostJID()
+# TODO: white list access
-if not _subscriber in roster:
+raise NotImplementedError
-continue
-#the subscriber is known, is he in the right group ?
+if allowed_items:
-authorized_groups = access_list[const.OPT_ROSTER_GROUPS_ALLOWED]
+notifications_filtered.append((subscriber, subscriptions, allowed_items))
-if roster[_subscriber].groups.intersection(authorized_groups):
-allowed_items.append(item)
+defer.returnValue((owners, notifications_filtered))
-else: #unknown access_model
-raise NotImplementedError
-if allowed_items:
-notifications_filtered.append((subscriber, subscriptions, allowed_items))
-return (owner_jid, notifications_filtered)
-if subscription is None:
-d1 = self.backend.getNotifications(node.nodeDbId, items_data)
-else:
-d1 = defer.succeed([(subscription.subscriber, [subscription],
-items_data)])
-def _got_owner(owner_jid):
-#return a tuple with owner_jid and roster
-def rosterEb(failure):
-log.msg("Error while getting roster of {}: {}".format(unicode(owner_jid), failure.value))
-return (owner_jid, {})
-d = self.backend.privilege.getRoster(owner_jid)
-d.addErrback(rosterEb)
-d.addCallback(lambda roster: (owner_jid,roster))
-return d
-d2 = node.getNodeOwner()
-d2.addCallback(_got_owner)
-d = defer.gatherResults([d1, d2])
-d.addCallback(filterNotifications)
-return d
 def _preDelete(self, data, pep, recipient):
 nodeIdentifier = data['node'].nodeIdentifier
 redirectURI = data.get('redirectURI', None)
 d = self.backend.getSubscribers(nodeIdentifier, pep, recipient)
 self.serviceJID,
 nodeIdentifier,
 subscribers,
 redirectURI))
 return d
 def _mapErrors(self, failure):
 e = failure.trap(*self._errorMap.keys())
 condition, pubsubCondition, feature = self._errorMap[e]
 try:
 ext_data['pep'] = request.delegated
 except AttributeError:
 pass
 d = self.backend.getItems(request.nodeIdentifier,
+request.sender,
 request.recipient,
 request.maxItems,
 request.itemIdentifiers,
 ext_data)
 return d.addErrback(self._mapErrors)

Mercurial > libervia-pubsub

comparison sat_pubsub/backend.py @ 330:82d1259b3e36