Merge commit from fork

bruntib · web-flow · commit bab47941525d · 2026-04-23T11:26:19.000+02:00
Additional logic for handling missing auth sessions
diff --git a/web/server/codechecker_server/api/authentication.py b/web/server/codechecker_server/api/authentication.py
@@ -68,20 +68,13 @@ def __require_privilaged_access(self):
                 "The server must be start by using privilaged access to "
                 "execute this action.")
 
-    def __has_permission(self, permission) -> bool:
-        """ True if the current user has given permission rights. """
-        if self.__manager.is_enabled and not self.__auth_session:
-            return False
-
-        return self.hasPermission(permission, None)
-
     def __require_permission_view(self):
         """
         Checks if the curret user has PERMISSION_VIEW rights. Throws an
         exception if it is not.
         """
         permission = codechecker_api_shared.ttypes.Permission.PERMISSION_VIEW
-        if not self.__has_permission(permission):
+        if not self.hasPermission(permission, None):
             raise codechecker_api_shared.ttypes.RequestFailed(
                 codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
                 "You are not authorized to execute this action.")
@@ -598,21 +591,23 @@ def getPermissionsForUser(self, scope, extra_params, perm_filter):
             # handler.
             params = ThriftAuthHandler.__unpack_extra_params(extra_params,
                                                              session)
+            is_auth_enabled = self.__manager.is_enabled
 
             perms = []
             for perm in permissions.get_permissions(scope):
                 should_return = True
                 handler = make_handler(perm, params)
 
                 if should_return and perm_filter.given:
-                    should_return = handler.has_permission(self.__auth_session)
+                    should_return = handler.has_permission(self.__auth_session,
+                                                           is_auth_enabled)
 
                 if should_return and perm_filter.canManage:
                     # If the user has any of the permissions that are
                     # authorised to manage the currently iterated permission,
                     # the filter passes.
                     should_return = require_manager(
-                         perm, params, self.__auth_session)
+                         perm, params, self.__auth_session, is_auth_enabled)
 
                 if should_return:
                     perms.append(perm)
@@ -631,7 +626,8 @@ def getAuthorisedNames(self, permission, extra_params):
             perm, params = ThriftAuthHandler.__create_permission_args(
                 permission, extra_params, session)
 
-            if not require_manager(perm, params, self.__auth_session):
+            if not require_manager(perm, params, self.__auth_session,
+                                   self.__manager.is_enabled):
                 raise codechecker_api_shared.ttypes.RequestFailed(
                     codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
                     f"You can not manage the permission '{perm.name}'")
@@ -654,7 +650,8 @@ def addPermission(self, permission, auth_name, is_group, extra_params):
             perm, params = ThriftAuthHandler.__create_permission_args(
                 permission, extra_params, session)
 
-            if not require_manager(perm, params, self.__auth_session):
+            if not require_manager(perm, params, self.__auth_session,
+                                   self.__manager.is_enabled):
                 raise codechecker_api_shared.ttypes.RequestFailed(
                     codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
                     f"You can not manage the permission '{perm.name}'")
@@ -677,7 +674,8 @@ def removePermission(self, permission, auth_name, is_group, extra_params):
             perm, params = ThriftAuthHandler.__create_permission_args(
                 permission, extra_params, session)
 
-            if not require_manager(perm, params, self.__auth_session):
+            if not require_manager(perm, params, self.__auth_session,
+                                   self.__manager.is_enabled):
                 raise codechecker_api_shared.ttypes.RequestFailed(
                     codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
                     f"You can not manage the permission '{perm.name}'")
@@ -703,7 +701,8 @@ def hasPermission(self, permission, extra_params):
                 permission, extra_params, session)
 
             return require_permission(perm, params,
-                                      self.__auth_session)
+                                      self.__auth_session,
+                                      self.__manager.is_enabled)
 
     # ============= Authorization, permission management =============
 
diff --git a/web/server/codechecker_server/api/product_server.py b/web/server/codechecker_server/api/product_server.py
@@ -76,15 +76,9 @@ def __require_permission(self, required, args=None):
             if 'config_db_session' not in args:
                 args['config_db_session'] = session
 
-            # Anonymous access is only allowed if authentication is
-            # turned off
-            if self.__server.manager.is_enabled and not self.__auth_session:
-                raise codechecker_api_shared.ttypes.RequestFailed(
-                    codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
-                    "You are not authorized to execute this action.")
-
             if not any(permissions.require_permission(
-                           perm, args, self.__auth_session)
+                           perm, args, self.__auth_session,
+                           self.__server.manager.is_enabled)
                        for perm in required):
                 raise codechecker_api_shared.ttypes.RequestFailed(
                     codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
@@ -95,11 +89,13 @@ def __require_permission(self, required, args=None):
     def __administrating(self, args):
         """ True if the current user can administrate the given product. """
         if permissions.require_permission(permissions.SUPERUSER, args,
-                                          self.__auth_session):
+                                          self.__auth_session,
+                                          self.__server.manager.is_enabled):
             return True
 
         if permissions.require_permission(permissions.PRODUCT_ADMIN, args,
-                                          self.__auth_session):
+                                          self.__auth_session,
+                                          self.__server.manager.is_enabled):
             return True
 
         return False
@@ -126,9 +122,11 @@ def __get_product(self, session, product):
                 'productID': product.id}
 
         has_product_permission = permissions.require_permission(
-            permissions.PRODUCT_VIEW, args, self.__auth_session)
+            permissions.PRODUCT_VIEW, args, self.__auth_session,
+            self.__server.manager.is_enabled)
         has_global_permission = permissions.require_permission(
-            permissions.PERMISSION_VIEW, args, self.__auth_session)
+            permissions.PERMISSION_VIEW, args, self.__auth_session,
+            self.__server.manager.is_enabled)
         has_access_permission = has_product_permission or has_global_permission
 
         admin_perm_name = permissions.PRODUCT_ADMIN.name
@@ -180,7 +178,8 @@ def isAdministratorOfAnyProduct(self):
                         'productID': prod.id}
                 if permissions.require_permission(
                         permissions.PRODUCT_ADMIN,
-                        args, self.__auth_session):
+                        args, self.__auth_session,
+                        self.__server.manager.is_enabled):
                     return True
 
             return False
diff --git a/web/server/codechecker_server/api/report_server.py b/web/server/codechecker_server/api/report_server.py
@@ -1509,15 +1509,9 @@ def __require_permission(self, required):
             args = dict(self.__permission_args)
             args['config_db_session'] = session
 
-            # Anonymous access is only allowed if authentication is
-            # turned off
-            if self._manager.is_enabled and not self._auth_session:
-                raise codechecker_api_shared.ttypes.RequestFailed(
-                    codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
-                    "You are not authorized to execute this action.")
-
             if not any(permissions.require_permission(
-                    perm, args, self._auth_session)
+                    perm, args, self._auth_session,
+                    self._manager.is_enabled)
                     for perm in required):
                 raise codechecker_api_shared.ttypes.RequestFailed(
                     codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
@@ -3023,6 +3017,8 @@ def getGuidelineRules(
         guidelines: List[ttypes.Guideline]
     ):
         """ Return the list of rules to each guideline that given. """
+        self.__require_view()
+        
         guideline_rules = defaultdict(list)
         for guideline in guidelines:
             rules = self._context.guideline.rules_of_guideline(
diff --git a/web/server/codechecker_server/api/tasks.py b/web/server/codechecker_server/api/tasks.py
@@ -22,6 +22,7 @@
 from codechecker_common.logger import get_logger
 
 from codechecker_server.profiler import timeit
+from codechecker_server.session_manager import SessionManager
 
 from ..database.config_db_model import BackgroundTask as DBTask, Product
 from ..database.database import DBSession, conv
@@ -113,9 +114,11 @@ class ThriftTaskHandler:
 
     def __init__(self,
                  configuration_database_sessionmaker,
+                 session_manager: SessionManager,
                  task_manager: TaskManager,
                  auth_session):
         self._config_db = configuration_database_sessionmaker
+        self._session_manager = session_manager
         self._task_manager = task_manager
         self._auth_session = auth_session
 
@@ -152,12 +155,14 @@ def getTaskInfo(self, token: str) -> TaskInfo:
                             permissions.PRODUCT_ACCESS,
                             {"config_db_session": session,
                              "productID": associated_product.id},
-                            self._auth_session)
+                            self._auth_session,
+                            self._session_manager.is_enabled)
             else:
                 has_right_to_query_status = permissions.require_permission(
                     permissions.SUPERUSER,
                     {"config_db_session": session},
-                    self._auth_session)
+                    self._auth_session,
+                    self._session_manager.is_enabled)
 
             if not has_right_to_query_status:
                 raise RequestFailed(
@@ -188,7 +193,8 @@ def getTasks(self, filters: TaskFilter) -> List[AdministratorTaskInfo]:
                 if not permissions.require_permission(
                         permissions.SUPERUSER,
                         {"config_db_session": session},
-                        self._auth_session):
+                        self._auth_session,
+                        self._session_manager.is_enabled):
                     raise RequestFailed(
                         ErrorCode.UNAUTHORIZED,
                         "Querying service tasks (not associated with a "
@@ -199,7 +205,8 @@ def getTasks(self, filters: TaskFilter) -> List[AdministratorTaskInfo]:
                     if not permissions.require_permission(
                         permissions.PRODUCT_ACCESS,
                         {"config_db_session": session, "productID": prod_id},
-                        self._auth_session)]
+                        self._auth_session,
+                        self._session_manager.is_enabled)]
                 if no_access_products:
                     no_access_products = [session.get(Product, product_id)
                                           .endpoint
@@ -299,7 +306,8 @@ def getTasks(self, filters: TaskFilter) -> List[AdministratorTaskInfo]:
                         has_superuser = permissions.require_permission(
                             permissions.SUPERUSER,
                             {"config_db_session": session},
-                            self._auth_session)
+                            self._auth_session,
+                            self._session_manager.is_enabled)
                     if not has_superuser:
                         continue
                 else:
@@ -314,7 +322,8 @@ def getTasks(self, filters: TaskFilter) -> List[AdministratorTaskInfo]:
                                 permissions.PRODUCT_ACCESS,
                                 {"config_db_session": session,
                                  "productID": db_task.product_id},
-                                self._auth_session)
+                                self._auth_session,
+                                self._session_manager.is_enabled)
                         if not product_access_rights[db_task.product_id]:
                             continue
 
@@ -351,12 +360,14 @@ def cancelTask(self, token: str) -> bool:
                             permissions.PRODUCT_ADMIN,
                             {"config_db_session": session,
                                 "productID": associated_product.id},
-                            self._auth_session)
+                            self._auth_session,
+                            self._session_manager.is_enabled)
             else:
                 has_right_to_cancel = permissions.require_permission(
                     permissions.SUPERUSER,
                     {"config_db_session": session},
-                    self._auth_session)
+                    self._auth_session,
+                    self._session_manager.is_enabled)
 
             if not has_right_to_cancel:
                 raise RequestFailed(
diff --git a/web/server/codechecker_server/permissions.py b/web/server/codechecker_server/permissions.py
@@ -198,17 +198,17 @@ def remove_permission(self, auth_name, is_group=False,
                      self._perm_name, 'group' if is_group else 'user',
                      auth_name)
 
-    def has_permission(self, auth_session):
+    def has_permission(self, auth_session, is_auth_enabled):
         """
         Returns whether or not the given authenticated user session
         (or None, if authentication is disabled on the server!) is given
         the current permission.
         """
         if not auth_session:
-            # If the user does not have an auth_session it means it is a guest
-            # and the server is running in authentication disabled mode.
-            # All permissions are automatically granted in this case.
-            return True
+            # If the user does not have an auth_session it means it is a guest.
+            # All permissions are automatically granted when authentication is
+            # not enabled on the server.
+            return not is_auth_enabled
 
         elif auth_session.is_root and self._perm_name == 'SUPERUSER':
             # The special master superuser (root) automatically has the
@@ -644,17 +644,19 @@ def initialise_defaults(scope, extra_params):
             handler._rem_perm_impl('*', False)
 
 
-def require_permission(permission, extra_params, user):
+def require_permission(permission, extra_params, user, is_auth_enabled):
     """
     Returns whether or not the given user has the given permission.
 
     :param extra_params: The scope-specific argument dict, which already
       contains a valid database session.
+    :param is_auth_enabled: Guest users are handled differently when
+      authentication is disabled on the server.
     """
 
     handler = handler_from_scope_params(permission,
                                         extra_params)
-    if handler.has_permission(user):
+    if handler.has_permission(user, is_auth_enabled):
         return True
 
     # If the user for some reason does not have the permission directly
@@ -663,27 +665,29 @@ def require_permission(permission, extra_params, user):
     while ancestors:
         handler = handler_from_scope_params(ancestors[0], extra_params)
 
-        if handler.has_permission(user):
+        if handler.has_permission(user, is_auth_enabled):
             return True
         else:
             ancestors = ancestors[1:] + ancestors[0].inherited_from
 
     return False
 
 
-def require_manager(permission, extra_params, user):
+def require_manager(permission, extra_params, user, is_auth_enabled):
     """
     Returns whether or not the given user has rights to manage the given
     permission.
 
     :param extra_params: The scope-specific argument dict, which already
       contains a valid database session.
+    :param is_auth_enabled: Guest users are handled differently when
+      authentication is disabled on the server.
     """
 
     for manager in permission.managed_by:
         manager_handler = handler_from_scope_params(manager,
                                                     extra_params)
-        if manager_handler.has_permission(user):
+        if manager_handler.has_permission(user, is_auth_enabled):
             return True
 
     return False
diff --git a/web/server/codechecker_server/server.py b/web/server/codechecker_server/server.py
@@ -469,6 +469,7 @@ def do_POST(self):
                     elif request_endpoint == "Tasks":
                         task_handler = TaskHandler_v6(
                             self.server.config_session,
+                            self.server.manager,
                             self.server.task_manager,
                             self.auth_session)
                         processor = TaskAPI_v6.Processor(task_handler)
diff --git a/web/tests/functional/authentication/test_authentication.py b/web/tests/functional/authentication/test_authentication.py
@@ -738,6 +738,8 @@ def test_announcement_showing_in_cli(self):
                                             session_token='_PROHIBIT')
         session_token = auth_client.performLogin(
             "Username:Password", "root:root")
+        auth_client = env.setup_auth_client(self._test_workspace,
+                                            session_token=session_token)
 
         auth_client.addPermission(Permission.SUPERUSER, "root", False, "")
 
diff --git a/web/tests/functional/component/test_component.py b/web/tests/functional/component/test_component.py
@@ -136,8 +136,10 @@ def setup_method(self, _):
                                                   session_token='_PROHIBIT')
 
         # Create a PRODUCT_ADMIN login.
-        admin_token = self._auth_client.performLogin("Username:Password",
-                                                     "admin:admin123")
+        root_token = self._auth_client.performLogin("Username:Password",
+                                                    "root:root")
+        self._auth_client = env.setup_auth_client(self._test_workspace,
+                                                  session_token=root_token)
 
         extra_params = '{"productID":' + str(product_id) + '}'
         ret = self._auth_client.addPermission(Permission.PRODUCT_ADMIN,
@@ -146,6 +148,9 @@ def setup_method(self, _):
                                               extra_params)
         self.assertTrue(ret)
 
+        admin_token = self._auth_client.performLogin("Username:Password",
+                                                     "admin:admin123")
+
         self._cc_client = env.setup_viewer_client(self._test_workspace,
                                                   session_token=admin_token)
         self.assertIsNotNone(self._cc_client)
diff --git a/web/tests/functional/products/test_config_db_share.py b/web/tests/functional/products/test_config_db_share.py
@@ -75,9 +75,14 @@ def setup_method(self, _):
         # Create a SUPERUSER login.
         root_token = self._auth_client.performLogin("Username:Password",
                                                     "root:root")
+        self._auth_client = env.setup_auth_client(self.test_workspace_main,
+                                                  session_token=root_token)
 
         # Add SUPERUSER permission to the root user and test that the white
         # spaces are being removed from the user name.
+        # TODO: I'm not sure if this test makes sense, because "root" user has
+        # SUPERUSER permission already. "root" is set as "super_user" in
+        # server_config.json.
         ret = self._auth_client.addPermission(Permission.SUPERUSER,
                                               "  root  ",
                                               False,
diff --git a/web/tests/functional/server_configuration/test_server_configuration.py b/web/tests/functional/server_configuration/test_server_configuration.py
