Implement Control Location IP permissions

CHANGELOG.rst

@@ -5,15 +5,16 @@ Version History
 v5.13.0
 --------
 
+* Implement Control Location IP permissions `<https://github.com/lsst-ts/LOVE-manager/pull/194>`_
 * LOVE screen sizes enhancement `<https://github.com/lsst-ts/LOVE-manager/pull/188>`_
 
 v5.12.0
 --------
 
-* Extend Manager to receive configuration for querying Commander `<https://github.com/lsst-ts/LOVE-manager/pull/189>`_
 * Add changelog checker github action `<https://github.com/lsst-ts/LOVE-manager/pull/193>`_
 * Fix file handling on RemoteStorage class `<https://github.com/lsst-ts/LOVE-manager/pull/192>`_
 * Hotfix/v5.11.0 `<https://github.com/lsst-ts/LOVE-manager/pull/191>`_
+* Extend Manager to receive configuration for querying Commander `<https://github.com/lsst-ts/LOVE-manager/pull/189>`_
 * Bump cryptography from 39.0.1 to 41.0.0 in /manager `<https://github.com/lsst-ts/LOVE-manager/pull/187>`_
 * ScriptQueue Upgrade implementation `<https://github.com/lsst-ts/LOVE-manager/pull/186>`_
 

README.md

@@ -39,6 +39,7 @@ All these variables are initialized with default variables defined in :code:`.en
 - `AUTH_LDAP_BIND_PASSWORD`: defines the password to use to bind to the LDAP server. This is the password of the provided user for LDAP actions: svc_love.
 - `LOVE_SITE`: defines the site name of the LOVE system. This value is used to identify the LOVE system in the LOVE-manager.
 - `REMOTE_STORAGE`: defines if remote storage is used. If this variable is defined, then the LOVE-manager will connect to the LFA to upload files. If not defined, then the LOVE-manager will store the files locally.
+- `COMMANDING_PERMISSION_TYPE`: defines the type of permission to use for commanding. Currently two options are available: `user` and `location`. If `user` is used, then requests from users with `api.command.execute_command` permission are allowed. If `location` is used, then only requests from the configured location of control will be allowed. If not defined, then `user` will be used.
 
 # Local load for development
 

manager/api/migrations/0016_controllocation_ip_whitelist.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.1.14 on 2023-06-17 21:07
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("api", "0015_scriptconfiguration"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="controllocation",
+            name="ip_whitelist",
+            field=models.TextField(blank=True),
+        ),
+    ]

manager/api/models.py

@@ -256,6 +256,9 @@ class ControlLocation(BaseModel):
     selected = models.BooleanField(default=False)
     """Control location is selected"""
 
+    ip_whitelist = models.TextField(blank=True)
+    """IP whitelist"""
+
     def save(self, *args, **kwargs):
         if self.selected:
             # Check if user is super user

manager/api/serializers.py

@@ -13,6 +13,7 @@
     ScriptConfiguration,
 )
 from typing import Union
+from manager.utils import CommandPermission
 
 
 class UserSerializer(serializers.ModelSerializer):
@@ -47,7 +48,8 @@ def can_execute_commands(self, user) -> bool:
         Bool
             True if the user can execute commands, False if not.
         """
-        return user.has_perm("api.command.execute_command")
+        request = self.context.get("request")
+        return CommandPermission().has_permission(request, None)
 
     def is_authlist_admin(self, user) -> bool:
         """Define wether or not the given user has permissions of authlist administration.
@@ -114,7 +116,8 @@ def get_permissions(self, token):
         Bool
             True if the user can execute commands, False if not.
         """
-        return UserPermissionsSerializer(token.user).data
+        request = self.context.get("request")
+        return UserPermissionsSerializer(token.user, context={"request": request}).data
 
     def get_token(self, token):
         """Return the token key.