From c9a5ce6701fa28514ffa3d5670a4dbea777393e6 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Thu, 23 Mar 2017 15:07:46 -0400
Subject: [PATCH] Start validating login in CNR

Fixes https://www.pivotaltracker.com/story/show/142342305
---
 endpoints/appr/registry.py | 19 +++++++++++-------
 endpoints/appr/test/test_registry.py | 30 ++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 7 deletions(-)
 create mode 100644 endpoints/appr/test/test_registry.py

diff --git a/endpoints/appr/registry.py b/endpoints/appr/registry.py
index 00401813b..701c74ffd 100644
--- a/endpoints/appr/registry.py
+++ b/endpoints/appr/registry.py
@@ -11,6 +11,7 @@ from cnr.exception import (CnrException, InvalidUsage, InvalidParams, InvalidRel
 PackageAlreadyExists, PackageNotFound, PackageReleaseNotFound)
 from flask import request, jsonify
+from app import authentication
 from auth.process import process_auth
 from auth.auth_context import get_authenticated_user
 from auth.permissions import CreateRepositoryPermission, ModifyRepositoryPermission
@@ -50,13 +51,17 @@ def version():
 @appr_bp.route("/api/v1/users/login", methods=['POST'])
 @anon_allowed
 def login():
- """
- Todo:
- * Implement better login protocol
- """
- values = request.get_json(force=True, silent=True)
- return jsonify({'token': "basic " + b64encode("%s:%s" % (values['user']['username'],
- values['user']['password']))})
+ values = request.get_json(force=True, silent=True) or {}
+ username = values.get('user', {}).get('username')
+ password = values.get('user', {}).get('password')
+ if not username or not password:
+ raise InvalidUsage('Missing username or password')
+
+ user, err = authentication.verify_credentials(username, password)
+ if err is not None:
+ raise UnauthorizedAccess(err)
+
+ return jsonify({'token': "basic " + b64encode("%s:%s" % (user.username, password))})
 # @TODO: Redirect to S3 url
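Review bot: The two `values.get('user', {}).get(...)` lines in login() assume the decoded body is a dict that holds a dict; a JSON array, or a body like `{"user": "x"}`, raises AttributeError there and the request fails with a 500 before it reaches the InvalidUsage check that follows, so the shapes should be verified first (rewrite below). `UnauthorizedAccess` is not among the cnr.exception names visible in the first hunk — the import line is cut at `InvalidRel` by the hunk header — so confirm it is actually imported. Passing `err` straight through as `UnauthorizedAccess(err)` hands verify_credentials' message to an unauthenticated caller; if those messages differ between an unknown user and a wrong password they let a caller distinguish valid usernames, so a fixed `raise UnauthorizedAccess('Invalid username or password')` with the detail logged server-side is safer. The returned token is still the base64 of `username:password`, so any client that stores the token stores the password itself; that predates this change but is worth a follow-up.
```python
def login():
  body = request.get_json(force=True, silent=True)
  user_data = body.get('user') if isinstance(body, dict) else None
  if not isinstance(user_data, dict):
    raise InvalidUsage('Missing username or password')

  username = user_data.get('username')
  password = user_data.get('password')
  if not username or not password:
    raise InvalidUsage('Missing username or password')
  # … unchanged: verify_credentials call and token response …
```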
diff --git a/endpoints/appr/test/test_registry.py b/endpoints/appr/test/test_registry.py
new file mode 100644
index 000000000..50a5bdc64
--- /dev/null
+++ b/endpoints/appr/test/test_registry.py
@@ -0,0 +1,30 @@
+import json
+import pytest
+
+from flask import url_for
+
+from data import model
+from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+from endpoints.appr.registry import appr_bp
+
+def test_invalid_login(app, client):
+ app.register_blueprint(appr_bp, url_prefix='/cnr')
+
+ url = url_for('appr.login')
+ headers = {'Content-Type': 'application/json'}
+ data = {'user': {'username': 'foo', 'password': 'bar'}}
+
+ rv = client.open(url, method='POST', data=json.dumps(data), headers=headers)
+ assert rv.status_code == 401
+
+
+def test_valid_login(app, client):
+ app.register_blueprint(appr_bp, url_prefix='/cnr')
+
+ url = url_for('appr.login')
+ headers = {'Content-Type': 'application/json'}
+ data = {'user': {'username': 'devtable', 'password': 'password'}}
+
+ rv = client.open(url, method='POST', data=json.dumps(data), headers=headers)
+ assert rv.status_code == 200
+
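Review bot: Both tests assert only the status code, so `test_valid_login` passes even if the endpoint returns an empty or wrong token; add `assert json.loads(rv.data)['token'] == 'basic ' + b64encode('devtable:password')` (with `from base64 import b64encode`) and, in `test_invalid_login`, an assertion that the body carries no token. `import pytest` and `from data import model` are not used by either test. Each test calls `app.register_blueprint(appr_bp, url_prefix='/cnr')` on the shared `app` fixture; if that fixture is scoped wider than a single test the second registration may fail or be ignored, so confirm its scope or move the registration into a fixture. A wrong-password case for an existing user (`devtable` with a bad password) would exercise the credential check the commit adds, rather than only an unknown username.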