2013-09-20 15:55:44 +00:00
|
|
|
import logging
|
|
|
|
|
|
|
|
from functools import wraps
|
2014-03-12 20:31:37 +00:00
|
|
|
from datetime import datetime
|
2014-02-25 20:07:24 +00:00
|
|
|
from flask import request, _request_ctx_stack, session
|
2013-09-20 22:38:17 +00:00
|
|
|
from flask.ext.principal import identity_changed, Identity
|
2013-09-20 15:55:44 +00:00
|
|
|
from base64 import b64decode
|
|
|
|
|
2013-09-25 16:45:12 +00:00
|
|
|
from data import model
|
2014-03-12 20:31:37 +00:00
|
|
|
from data.model import oauth
|
2013-09-25 20:46:28 +00:00
|
|
|
from app import app
|
2013-10-15 18:48:49 +00:00
|
|
|
from permissions import QuayDeferredPermissionUser
|
2014-03-12 20:31:37 +00:00
|
|
|
import scopes
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2014-02-25 19:15:12 +00:00
|
|
|
from util.http import abort
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2013-09-20 22:38:17 +00:00
|
|
|
|
2013-09-20 15:55:44 +00:00
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
2014-03-12 16:37:06 +00:00
|
|
|
|
2013-10-01 04:37:28 +00:00
|
|
|
def process_basic_auth(auth):
|
2013-09-20 15:55:44 +00:00
|
|
|
normalized = [part.strip() for part in auth.split(' ') if part]
|
|
|
|
if normalized[0].lower() != 'basic' or len(normalized) != 2:
|
|
|
|
logger.debug('Invalid basic auth format.')
|
2013-09-26 19:58:11 +00:00
|
|
|
return
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2014-02-10 04:59:30 +00:00
|
|
|
credentials = b64decode(normalized[1]).split(':', 1)
|
2013-09-20 15:55:44 +00:00
|
|
|
|
|
|
|
if len(credentials) != 2:
|
2013-10-16 18:24:10 +00:00
|
|
|
logger.debug('Invalid basic auth credential format.')
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2013-12-19 20:18:14 +00:00
|
|
|
elif credentials[0] == '$token':
|
2013-10-16 18:24:10 +00:00
|
|
|
# Use as token auth
|
|
|
|
try:
|
|
|
|
token = model.load_token_data(credentials[1])
|
|
|
|
logger.debug('Successfully validated token: %s' % credentials[1])
|
|
|
|
ctx = _request_ctx_stack.top
|
|
|
|
ctx.validated_token = token
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2013-10-16 18:24:10 +00:00
|
|
|
identity_changed.send(app, identity=Identity(token.code, 'token'))
|
|
|
|
return
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2013-10-16 18:24:10 +00:00
|
|
|
except model.DataModelException:
|
|
|
|
logger.debug('Invalid token: %s' % credentials[1])
|
|
|
|
|
2013-11-21 00:43:19 +00:00
|
|
|
elif '+' in credentials[0]:
|
|
|
|
logger.debug('Trying robot auth with credentials %s' % str(credentials))
|
|
|
|
# Use as robot auth
|
|
|
|
try:
|
|
|
|
robot = model.verify_robot(credentials[0], credentials[1])
|
|
|
|
logger.debug('Successfully validated robot: %s' % credentials[0])
|
|
|
|
ctx = _request_ctx_stack.top
|
|
|
|
ctx.authenticated_user = robot
|
|
|
|
|
2014-03-12 20:31:37 +00:00
|
|
|
deferred_robot = QuayDeferredPermissionUser(robot.username, 'username')
|
|
|
|
identity_changed.send(app, identity=deferred_robot)
|
2013-11-21 00:43:19 +00:00
|
|
|
return
|
|
|
|
except model.InvalidRobotException:
|
|
|
|
logger.debug('Invalid robot or password for robot: %s' % credentials[0])
|
|
|
|
|
2013-10-16 18:24:10 +00:00
|
|
|
else:
|
|
|
|
authenticated = model.verify_user(credentials[0], credentials[1])
|
|
|
|
|
|
|
|
if authenticated:
|
|
|
|
logger.debug('Successfully validated user: %s' % authenticated.username)
|
|
|
|
ctx = _request_ctx_stack.top
|
|
|
|
ctx.authenticated_user = authenticated
|
|
|
|
|
2014-03-12 20:31:37 +00:00
|
|
|
new_identity = QuayDeferredPermissionUser(authenticated.username, 'username')
|
2013-10-16 18:24:10 +00:00
|
|
|
identity_changed.send(app, identity=new_identity)
|
|
|
|
return
|
2013-09-20 15:55:44 +00:00
|
|
|
|
|
|
|
# We weren't able to authenticate via basic auth.
|
2013-09-26 19:58:11 +00:00
|
|
|
logger.debug('Basic auth present but could not be validated.')
|
2013-09-20 15:55:44 +00:00
|
|
|
|
|
|
|
|
2013-10-01 04:37:28 +00:00
|
|
|
def process_token(auth):
|
2013-09-20 15:55:44 +00:00
|
|
|
normalized = [part.strip() for part in auth.split(' ') if part]
|
2013-09-26 00:00:22 +00:00
|
|
|
if normalized[0].lower() != 'token' or len(normalized) != 2:
|
2013-10-16 18:24:10 +00:00
|
|
|
logger.debug('Not an auth token: %s' % auth)
|
2013-09-26 19:58:11 +00:00
|
|
|
return
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2013-09-26 00:00:22 +00:00
|
|
|
token_details = normalized[1].split(',')
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2013-10-16 18:24:10 +00:00
|
|
|
if len(token_details) != 1:
|
|
|
|
logger.warning('Invalid token format: %s' % auth)
|
2014-02-25 19:15:12 +00:00
|
|
|
abort(401, message="Invalid token format: %(auth)", issue='invalid-auth-token', auth=auth)
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2013-09-20 22:38:17 +00:00
|
|
|
token_vals = {val[0]: val[1] for val in
|
2013-09-20 15:55:44 +00:00
|
|
|
(detail.split('=') for detail in token_details)}
|
2013-10-16 18:24:10 +00:00
|
|
|
if 'signature' not in token_vals:
|
|
|
|
logger.warning('Token does not contain signature: %s' % auth)
|
2014-03-12 16:37:06 +00:00
|
|
|
abort(401, message="Token does not contain a valid signature: %(auth)",
|
|
|
|
issue='invalid-auth-token', auth=auth)
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2013-10-16 18:24:10 +00:00
|
|
|
try:
|
|
|
|
token_data = model.load_token_data(token_vals['signature'])
|
2013-09-26 00:00:22 +00:00
|
|
|
|
2013-10-16 18:24:10 +00:00
|
|
|
except model.InvalidTokenException:
|
2014-03-12 20:31:37 +00:00
|
|
|
logger.warning('Token could not be validated: %s', token_vals['signature'])
|
2014-03-12 16:37:06 +00:00
|
|
|
abort(401, message="Token could not be validated: %(auth)", issue='invalid-auth-token',
|
|
|
|
auth=auth)
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2014-03-12 20:31:37 +00:00
|
|
|
logger.debug('Successfully validated token: %s', token_data.code)
|
2013-10-16 18:24:10 +00:00
|
|
|
ctx = _request_ctx_stack.top
|
|
|
|
ctx.validated_token = token_data
|
2013-09-20 15:55:44 +00:00
|
|
|
|
2013-10-16 18:24:10 +00:00
|
|
|
identity_changed.send(app, identity=Identity(token_data.code, 'token'))
|
2013-09-20 15:55:44 +00:00
|
|
|
|
|
|
|
|
2014-03-12 20:31:37 +00:00
|
|
|
def process_oauth(auth):
|
|
|
|
normalized = [part.strip() for part in auth.split(' ') if part]
|
|
|
|
if normalized[0].lower() != 'bearer' or len(normalized) != 2:
|
|
|
|
logger.debug('Invalid oauth bearer token format.')
|
|
|
|
return
|
|
|
|
|
|
|
|
token = normalized[1]
|
|
|
|
validated = oauth.validate_access_token(token)
|
|
|
|
if not validated:
|
|
|
|
logger.warning('OAuth access token could not be validated: %s', token)
|
|
|
|
authenticate_header = {
|
|
|
|
'WWW-Authenticate': ('Bearer error="invalid_token", '
|
|
|
|
'error_description="The access token is invalid"'),
|
|
|
|
}
|
|
|
|
abort(401, message="OAuth access token could not be validated: %(token)",
|
|
|
|
issue='invalid-oauth-token', token=token, header=authenticate_header)
|
|
|
|
elif validated.expires_at <= datetime.now():
|
|
|
|
logger.info('OAuth access with an expired token: %s', token)
|
|
|
|
authenticate_header = {
|
|
|
|
'WWW-Authenticate': ('Bearer error="invalid_token", '
|
|
|
|
'error_description="The access token expired"'),
|
|
|
|
}
|
|
|
|
abort(401, message="OAuth access token has expired: %(token)", issue='invalid-oauth-token',
|
|
|
|
token=token, headers=authenticate_header)
|
|
|
|
|
|
|
|
# We have a valid token
|
|
|
|
scope_set = scopes.scopes_from_scope_string(validated.scope)
|
|
|
|
logger.debug('Successfully validated oauth access token: %s with scope: %s', token,
|
|
|
|
scope_set)
|
|
|
|
|
|
|
|
ctx = _request_ctx_stack.top
|
|
|
|
ctx.authenticated_user = validated.authorized_user
|
|
|
|
|
|
|
|
new_identity = QuayDeferredPermissionUser(validated.authorized_user.username, 'username',
|
|
|
|
scope_set)
|
|
|
|
identity_changed.send(app, identity=new_identity)
|
|
|
|
|
|
|
|
|
2013-09-20 22:38:17 +00:00
|
|
|
def process_auth(f):
|
2013-09-20 15:55:44 +00:00
|
|
|
@wraps(f)
|
|
|
|
def wrapper(*args, **kwargs):
|
2013-10-01 04:37:28 +00:00
|
|
|
auth = request.headers.get('authorization', '')
|
|
|
|
|
|
|
|
if auth:
|
|
|
|
logger.debug('Validating auth header: %s' % auth)
|
|
|
|
process_token(auth)
|
|
|
|
process_basic_auth(auth)
|
2014-03-12 20:31:37 +00:00
|
|
|
process_oauth(auth)
|
2013-10-01 04:37:28 +00:00
|
|
|
else:
|
|
|
|
logger.debug('No auth header.')
|
|
|
|
|
2013-09-20 15:55:44 +00:00
|
|
|
return f(*args, **kwargs)
|
|
|
|
return wrapper
|
2013-09-26 00:00:22 +00:00
|
|
|
|
|
|
|
|
|
|
|
def extract_namespace_repo_from_session(f):
|
|
|
|
@wraps(f)
|
|
|
|
def wrapper(*args, **kwargs):
|
|
|
|
if 'namespace' not in session or 'repository' not in session:
|
2014-03-12 20:31:37 +00:00
|
|
|
logger.error('Unable to load namespace or repository from session: %s' % session)
|
2014-02-25 19:15:12 +00:00
|
|
|
abort(400, message="Missing namespace in request")
|
2013-09-26 00:00:22 +00:00
|
|
|
|
|
|
|
return f(session['namespace'], session['repository'], *args, **kwargs)
|
2013-09-26 20:32:09 +00:00
|
|
|
return wrapper
|