From 2214a2c7ad97bac3cd27cf7932582c4e276783aa Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 12 Dec 2017 16:00:38 -0500
Subject: [PATCH] Disable fresh login check in auth engines that won't support it
---
 data/users/__init__.py | 5 +++++
 data/users/apptoken.py | 4 ++++
 data/users/database.py | 4 ++++
 data/users/federated.py | 4 ++++
 endpoints/api/__init__.py | 5 +++--
 5 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/data/users/__init__.py b/data/users/__init__.py
index 6d52d5b94..a18ef6ba9 100644
--- a/data/users/__init__.py
+++ b/data/users/__init__.py
@@ -187,6 +187,11 @@ class UserAuthentication(object):
 """ Returns whether this auth system supports using encrypted credentials. """
 return self.state.supports_encrypted_credentials
+ @property
+ def supports_fresh_login(self):
+ """ Returns whether this auth system supports the fresh login check. """
+ return self.state.supports_fresh_login
+
 def query_users(self, query, limit=20):
 """ Performs a lookup against the user system for the specified query. The returned tuple will be of the form (results, federated_login_id, err_msg). If the method is unsupported,
diff --git a/data/users/apptoken.py b/data/users/apptoken.py
index 271b8eef7..638b2b040 100644
--- a/data/users/apptoken.py
+++ b/data/users/apptoken.py
@@ -12,6 +12,10 @@ class AppTokenInternalAuth(object):
 """ Forces all internal credential login to go through an app token, by disabling all other access. """
+ @property
+ def supports_fresh_login(self):
+ # Since there is no password.
+ return False
 @property
 def federated_service(self):
diff --git a/data/users/database.py b/data/users/database.py
index 6c85db3bc..a71669c44 100644
--- a/data/users/database.py
+++ b/data/users/database.py
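Review bot: `UserAuthentication.supports_fresh_login` in data/users/__init__.py reads `self.state.supports_fresh_login` with no fallback, while this patch defines the property only on `AppTokenInternalAuth`, `DatabaseUsers` and `FederatedUsers`. If any configured engine object does not derive from one of those (not visible here), `require_fresh_login` would raise AttributeError on every endpoint it guards. A fail-closed default keeps the check enforced for engines that never declare the capability: `return getattr(self.state, 'supports_fresh_login', True)`. The enclosing class starts and ends outside the hunk.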
@@ -5,6 +5,10 @@ class DatabaseUsers(object):
 def federated_service(self):
 return None
+ @property
+ def supports_fresh_login(self):
+ return True
+
 def ping(self):
 """ Always assumed to be working. If the DB is broken, other checks will handle it. """
 return (True, None)
diff --git a/data/users/federated.py b/data/users/federated.py
index 047234a65..424779eee 100644
--- a/data/users/federated.py
+++ b/data/users/federated.py
@@ -24,6 +24,10 @@ class FederatedUsers(object):
 def federated_service(self):
 return self._federated_service
+ @property
+ def supports_fresh_login(self):
+ return True
+
 @property
 def supports_encrypted_credentials(self):
 return True
diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py
index 625e1926a..209b2d013 100644
--- a/endpoints/api/__init__.py
+++ b/endpoints/api/__init__.py
@@ -10,7 +10,7 @@ from flask_restful import Resource, abort, Api, reqparse
 from flask_restful.utils.cors import crossdomain
 from jsonschema import validate, ValidationError
-from app import app, metric_queue
+from app import app, metric_queue, authentication
 from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission, UserReadPermission, UserAdminPermission)
@@ -300,7 +300,8 @@ def require_fresh_login(func):
 last_login = session.get('login_time', datetime.datetime.min)
 valid_span = datetime.datetime.now() - datetime.timedelta(minutes=10)
- if not user.password_hash or last_login >= valid_span:
+ if (not user.password_hash or last_login >= valid_span or
+ not authentication.supports_fresh_login):
 return func(*args, **kwargs)
 raise FreshLoginRequired()
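Review bot: The added `not authentication.supports_fresh_login` clause in `require_fresh_login` (endpoints/api/__init__.py) makes the decorator fail open. With an engine that returns False, which in this patch is `AppTokenInternalAuth`, every endpoint it guards runs for a session of any age, and nothing records that re-authentication was skipped. I would give the bypass its own branch ahead of the time check so it can be logged: `if not authentication.supports_fresh_login:` then `logger.info('Fresh login check skipped: auth engine does not support it')` and `return func(*args, **kwargs)`, assuming a module logger is in scope. The decorator's docstring should also state that under such an engine these endpoints rely on session lifetime alone. The wrapped function starts and ends outside the hunk.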