quay/auth/credentials.py

import logging

from app import authentication
from auth.oauth import validate_oauth_token
from auth.validateresult import ValidateResult, AuthKind
from data import model
from util.names import parse_robot_username

logger = logging.getLogger(__name__)

ACCESS_TOKEN_USERNAME = '$token'
OAUTH_TOKEN_USERNAME = '$oauthtoken'

def validate_credentials(auth_username, auth_password_or_token):
  """ Validates a pair of auth username and password/token credentials. """
  # Check for access tokens.
  if auth_username == ACCESS_TOKEN_USERNAME:
    logger.debug('Found basic auth header for access token')
    try:
      token = model.token.load_token_data(auth_password_or_token)
      logger.debug('Successfully validated basic auth for access token %s', token.id)
      return ValidateResult(AuthKind.credentials, token=token)
    except model.DataModelException:
      logger.warning('Failed to validate basic auth for access token %s', auth_password_or_token)
      return ValidateResult(AuthKind.credentials, error_message='Invalid access token')

  # Check for OAuth tokens.
  if auth_username == OAUTH_TOKEN_USERNAME:
    return validate_oauth_token(auth_password_or_token)

  # Check for robots and users.
  is_robot = parse_robot_username(auth_username)
  if is_robot:
    logger.debug('Found basic auth header for robot %s', auth_username)
    try:
      robot = model.user.verify_robot(auth_username, auth_password_or_token)

      logger.debug('Successfully validated basic auth for robot %s', auth_username)
      return ValidateResult(AuthKind.credentials, robot=robot)
    except model.InvalidRobotException as ire:
      logger.warning('Failed to validate basic auth for robot %s: %s', auth_username, ire.message)
      return ValidateResult(AuthKind.credentials, error_message=ire.message)

  # Otherwise, treat as a standard user.
  (authenticated, err) = authentication.verify_and_link_user(auth_username, auth_password_or_token,
                                                             basic_auth=True)
  if authenticated:
    logger.debug('Successfully validated basic auth for user %s', authenticated.username)
    return ValidateResult(AuthKind.credentials, user=authenticated)
  else:
    logger.warning('Failed to validate basic auth for user %s: %s', auth_username, err)
    return ValidateResult(AuthKind.credentials, error_message=err)
Extract credential handling into its own module Will be used in Docker V1 and APPR protocols 2017-10-27 18:05:53 +00:00			`import logging`

			`from app import authentication`
			`from auth.oauth import validate_oauth_token`
			`from auth.validateresult import ValidateResult, AuthKind`
			`from data import model`
			`from util.names import parse_robot_username`

			`logger = logging.getLogger(__name__)`

			`ACCESS_TOKEN_USERNAME = '$token'`
			`OAUTH_TOKEN_USERNAME = '$oauthtoken'`

			`def validate_credentials(auth_username, auth_password_or_token):`
			`""" Validates a pair of auth username and password/token credentials. """`
			`# Check for access tokens.`
			`if auth_username == ACCESS_TOKEN_USERNAME:`
			`logger.debug('Found basic auth header for access token')`
			`try:`
			`token = model.token.load_token_data(auth_password_or_token)`
			`logger.debug('Successfully validated basic auth for access token %s', token.id)`
			`return ValidateResult(AuthKind.credentials, token=token)`
			`except model.DataModelException:`
			`logger.warning('Failed to validate basic auth for access token %s', auth_password_or_token)`
			`return ValidateResult(AuthKind.credentials, error_message='Invalid access token')`

			`# Check for OAuth tokens.`
			`if auth_username == OAUTH_TOKEN_USERNAME:`
			`return validate_oauth_token(auth_password_or_token)`

			`# Check for robots and users.`
			`is_robot = parse_robot_username(auth_username)`
			`if is_robot:`
			`logger.debug('Found basic auth header for robot %s', auth_username)`
			`try:`
			`robot = model.user.verify_robot(auth_username, auth_password_or_token)`

			`logger.debug('Successfully validated basic auth for robot %s', auth_username)`
			`return ValidateResult(AuthKind.credentials, robot=robot)`
			`except model.InvalidRobotException as ire:`
			`logger.warning('Failed to validate basic auth for robot %s: %s', auth_username, ire.message)`
			`return ValidateResult(AuthKind.credentials, error_message=ire.message)`

			`# Otherwise, treat as a standard user.`
			`(authenticated, err) = authentication.verify_and_link_user(auth_username, auth_password_or_token,`
			`basic_auth=True)`
			`if authenticated:`
			`logger.debug('Successfully validated basic auth for user %s', authenticated.username)`
			`return ValidateResult(AuthKind.credentials, user=authenticated)`
			`else:`
			`logger.warning('Failed to validate basic auth for user %s: %s', auth_username, err)`
			`return ValidateResult(AuthKind.credentials, error_message=err)`