"""Admin protection for authenticated users."""
import functools
import logging

from google.appengine.api import users
from googleapiclient import errors
from oauth2client.appengine import OAuth2Decorator

from datastore import OAuth
from google_directory_service import GoogleDirectoryService
# TODO(eholder): Add tests for this. Probably should test that we only
# request the scopes we need and that the decorator is called with the
# id and secret as intended.
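# Directory API scopes requested from the admin: user lookup plus read-only
# group and membership access, which is what the domain-admin check needs.
USER = 'https://www.googleapis.com/auth/admin.directory.user'
GROUP = 'https://www.googleapis.com/auth/admin.directory.group.readonly'
MEMBER = 'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
SCOPES = [USER, GROUP, MEMBER]

# Load the stored OAuth client configuration once instead of once per field,
# so client_id and client_secret are read from the same lookup result.
_OAUTH_CONFIG = OAuth.GetOrInsertDefault()
OAUTH_DECORATOR = OAuth2Decorator(
    client_id=_OAUTH_CONFIG.client_id,
    client_secret=_OAUTH_CONFIG.client_secret,
    scope=SCOPES)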
def AbortIfUserIsNotLoggedIn(self, user):
  """Abort the request with 403 when no user is signed in.

  Args:
    self: The request handler; its abort() method ends the request.
    user: The current user object, or None/empty when nobody is signed in.
  """
  if user:
    return
  logging.error('User is not logged in.')
  # NOTE(review): callers (RequireAppAdmin and friends) continue straight on
  # to the protected handler after this call, so this only fails closed if
  # abort() raises rather than returns -- confirm against the handler base.
  self.abort(403)
def AbortIfUserIsNotAppAdmin(self):
  """Abort the request with 403 unless the current user is an App Engine admin.

  Args:
    self: The request handler; its abort() method ends the request.
  """
  if users.is_current_user_admin():
    return
  logging.error('User is not an application admin.')
  # NOTE(review): as with AbortIfUserIsNotLoggedIn, the caller proceeds to the
  # protected handler after this returns, so abort() must raise to fail closed.
  self.abort(403)
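def RequireAppAdmin(func):
  """Decorate a handler method so only App Engine application admins reach it.

  The wrapped method runs only when a user is signed in and
  users.is_current_user_admin() is true; otherwise the request is aborted
  with 403 before the handler body executes.

  Args:
    func: The handler method to protect; invoked as func(self, *args, **kwargs).

  Returns:
    The wrapped method, carrying func's name and docstring.
  """
  # wraps() keeps the handler's __name__/__doc__ so routing, logging and
  # debugging see the real method rather than "decorate".
  @functools.wraps(func)
  def decorate(self, *args, **kwargs):
    """Run the admin checks, then delegate to the protected handler."""
    user = users.get_current_user()
    # Both helpers call self.abort(403) on failure. The hand-off to func below
    # relies on abort() raising; if it merely returned, the handler would run.
    AbortIfUserIsNotLoggedIn(self, user)
    AbortIfUserIsNotAppAdmin(self)
    return func(self, *args, **kwargs)
  return decorate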
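def RequireAppOrDomainAdmin(func):
  """Decorate a handler method so only application or domain admins reach it.

  Access is granted when the signed-in user is an App Engine application
  admin, or, failing that, when the Directory service reports the user's
  email as a domain admin. Every other outcome -- no user, no email, an
  HttpError from the Directory lookup, or a negative answer -- aborts the
  request with 403.

  Args:
    func: The handler method to protect; invoked as func(self, *args, **kwargs).

  Returns:
    The wrapped method, carrying func's name and docstring.
  """
  # wraps() keeps the handler's __name__/__doc__ so routing, logging and
  # debugging see the real method rather than "decorate".
  @functools.wraps(func)
  def decorate(self, *args, **kwargs):
    """Run the admin checks, then delegate to the protected handler."""
    user = users.get_current_user()
    # Each abort below relies on self.abort(403) raising; if it merely
    # returned, control would reach the func call at the end.
    AbortIfUserIsNotLoggedIn(self, user)
    # An app admin is accepted immediately, which also skips the Directory
    # service round trip.
    if users.is_current_user_admin():
      return func(self, *args, **kwargs)
    logging.debug('User is not an app admin.')
    identifier = user.email()
    # Emptiness is tested by value: the former `identifier is ''` compared
    # object identity, which is not a reliable check for an empty string.
    if not identifier:
      logging.error('No identifier found for the user.')
      self.abort(403)
    is_admin_user = False
    try:
      directory_service = GoogleDirectoryService(OAUTH_DECORATOR)
      is_admin_user = directory_service.IsAdminUser(identifier)
    except errors.HttpError:
      # Fail closed: a lookup that could not be completed never grants access.
      logging.error('Exception when asking dasher for this user.')
      self.abort(403)
    if not is_admin_user:
      logging.error('User is not a domain admin.')
      self.abort(403)
    return func(self, *args, **kwargs)
  return decorate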