Merge pull request #2462 from coreos-inc/cnr-login

Start validating login in CNR
2017-03-23 15:27:15 -04:00 · 2017-03-23 15:27:15 -04:00 · 295b09a201
commit 295b09a201
parent 71e27496db c9a5ce6701
2 changed files with 42 additions and 7 deletions
--- a/endpoints/appr/registry.py
+++ b/endpoints/appr/registry.py
@ -11,6 +11,7 @@ from cnr.exception import (CnrException, InvalidUsage, InvalidParams, InvalidRel
                           PackageAlreadyExists, PackageNotFound, PackageReleaseNotFound)
 from flask import request, jsonify

+from app import authentication
 from auth.process import process_auth
 from auth.auth_context import get_authenticated_user
 from auth.permissions import CreateRepositoryPermission, ModifyRepositoryPermission
@ -50,13 +51,17 @@ def version():
@appr_bp.route("/api/v1/users/login", methods=['POST'])
@anon_allowed
 def login():
-  """
-    Todo:
-      * Implement better login protocol
-  """
-  values = request.get_json(force=True, silent=True)
-  return jsonify({'token': "basic " + b64encode("%s:%s" % (values['user']['username'],
-                                                           values['user']['password']))})
+  values = request.get_json(force=True, silent=True) or {}
+  username = values.get('user', {}).get('username')
+  password = values.get('user', {}).get('password')
+  if not username or not password:
+    raise InvalidUsage('Missing username or password')
+
+  user, err = authentication.verify_credentials(username, password)
+  if err is not None:
+    raise UnauthorizedAccess(err)
+
+  return jsonify({'token': "basic " + b64encode("%s:%s" % (user.username, password))})


 # @TODO: Redirect to S3 url
--- a/endpoints/appr/test/test_registry.py
+++ b/endpoints/appr/test/test_registry.py
@ -0,0 +1,30 @@
+import json
+import pytest
+
+from flask import url_for
+
+from data import model
+from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+from endpoints.appr.registry import appr_bp
+
+def test_invalid_login(app, client):
+  app.register_blueprint(appr_bp, url_prefix='/cnr')
+
+  url = url_for('appr.login')
+  headers = {'Content-Type': 'application/json'}
+  data = {'user': {'username': 'foo', 'password': 'bar'}}
+
+  rv = client.open(url, method='POST', data=json.dumps(data), headers=headers)
+  assert rv.status_code == 401
+
+
+def test_valid_login(app, client):
+  app.register_blueprint(appr_bp, url_prefix='/cnr')
+
+  url = url_for('appr.login')
+  headers = {'Content-Type': 'application/json'}
+  data = {'user': {'username': 'devtable', 'password': 'password'}}
+
+  rv = client.open(url, method='POST', data=json.dumps(data), headers=headers)
+  assert rv.status_code == 200
+