Merge pull request #904 from ansible/oauth_n_session

Implement session-based  and OAuth 2 authentications

awx/main/access.py

@@ -17,6 +17,9 @@ from django.core.exceptions import ObjectDoesNotExist
 # Django REST Framework
 from rest_framework.exceptions import ParseError, PermissionDenied, ValidationError
 
+# Django OAuth Toolkit
+from awx.main.models.oauth import OAuth2Application, OAuth2AccessToken
+
 # AWX
 from awx.main.utils import (
     get_object_or_400,
@@ -117,6 +120,8 @@ def check_user_access(user, model_class, action, *args, **kwargs):
     Return True if user can perform action against model_class with the
     provided parameters.
     '''
+    if 'write' not in getattr(user, 'oauth_scopes', ['write']) and action != 'read':
+        return False
     access_class = access_registry[model_class]
     access_instance = access_class(user)
     access_method = getattr(access_instance, 'can_%s' % action)
@@ -468,7 +473,7 @@ class InstanceGroupAccess(BaseAccess):
 class UserAccess(BaseAccess):
     '''
     I can see user records when:
-     - I'm a useruser
+     - I'm a superuser
      - I'm in a role with them (such as in an organization or team)
      - They are in a role which includes a role of mine
      - I am in a role that includes a role of theirs
@@ -552,6 +557,73 @@ class UserAccess(BaseAccess):
         return super(UserAccess, self).can_unattach(obj, sub_obj, relationship, *args, **kwargs)
 
 
+class OAuth2ApplicationAccess(BaseAccess):
+    '''
+    I can read, change or delete OAuth applications when:
+     - I am a superuser.
+     - I am the admin of the organization of the user of the application.
+     - I am the user of the application.
+    I can create OAuth applications when:
+     - I am a superuser.
+     - I am the admin of the organization of the user of the application.
+    '''
+
+    model = OAuth2Application
+    select_related = ('user',)
+
+    def filtered_queryset(self):
+        accessible_users = User.objects.filter(
+            pk__in=self.user.admin_of_organizations.values('member_role__members')
+        ) | User.objects.filter(pk=self.user.pk)
+        return self.model.objects.filter(user__in=accessible_users)
+
+    def can_change(self, obj, data):
+        return self.can_read(obj)
+
+    def can_delete(self, obj):
+        return self.can_read(obj)
+
+    def can_add(self, data):
+        if self.user.is_superuser:
+            return True
+        user = get_object_from_data('user', User, data)
+        if not user:
+            return False
+        return set(self.user.admin_of_organizations.all()) & set(user.organizations.all())
+
+
+class OAuth2TokenAccess(BaseAccess):
+    '''
+    I can read, change or delete an OAuth2 token when:
+     - I am a superuser.
+     - I am the admin of the organization of the user of the token.
+     - I am the user of the token.
+    I can create an OAuth token when:
+     - I have the read permission of the related application.
+    '''
+
+    model = OAuth2AccessToken
+    select_related = ('user', 'application')
+
+    def filtered_queryset(self):
+        accessible_users = User.objects.filter(
+            pk__in=self.user.admin_of_organizations.values('member_role__members')
+        ) | User.objects.filter(pk=self.user.pk)
+        return self.model.objects.filter(user__in=accessible_users)
+
+    def can_change(self, obj, data):
+        return self.can_read(obj)
+
+    def can_delete(self, obj):
+        return self.can_read(obj)
+
+    def can_add(self, data):
+        app = get_object_from_data('application', OAuth2Application, data)
+        if not app:
+            return True
+        return OAuth2ApplicationAccess(self.user).can_read(app)
+
+
 class OrganizationAccess(BaseAccess):
     '''
     I can see organizations when: