Fix the problem with login on new triggers.

2014-03-26 15:52:24 -04:00 · 2014-03-26 15:52:24 -04:00 · 4d2e090bea
commit 4d2e090bea
parent fa3af789b2
3 changed files with 64 additions and 66 deletions
--- a/auth/auth.py
+++ b/auth/auth.py
@ -21,7 +21,17 @@ from util.http import abort
 logger = logging.getLogger(__name__)


-def validate_and_apply_oauth_token(token):
+def _load_user_from_cookie():
+  if not current_user.is_anonymous():
+    logger.debug('Loading user from cookie: %s', current_user.get_id())
+    set_authenticated_user_deferred(current_user.get_id())
+    loaded = QuayDeferredPermissionUser(current_user.get_id(), 'username', {scopes.DIRECT_LOGIN})
+    identity_changed.send(app, identity=loaded)
+    return current_user.db_user()
+  return None
+
+
+def _validate_and_apply_oauth_token(token):
  validated = oauth.validate_access_token(token)
  if not validated:
    logger.warning('OAuth access token could not be validated: %s', token)
@ -80,7 +90,7 @@ def process_basic_auth(auth):

  elif credentials[0] == '$oauthtoken':
    oauth_token = credentials[1]
-    validate_and_apply_oauth_token(oauth_token)
+    _validate_and_apply_oauth_token(oauth_token)

  elif '+' in credentials[0]:
    logger.debug('Trying robot auth with credentials %s' % str(credentials))
@ -146,8 +156,8 @@ def process_token(auth):
  identity_changed.send(app, identity=Identity(token_data.code, 'token'))


-def process_oauth(f):
-  @wraps(f)
+def process_oauth(func):
+  @wraps(func)
  def wrapper(*args, **kwargs):
    auth = request.headers.get('authorization', '')
    if auth:
@ -157,20 +167,15 @@ def process_oauth(f):
        return

      token = normalized[1]
-      validate_and_apply_oauth_token(token)
-    elif not current_user.is_anonymous():
-      logger.debug('Loading user from cookie: %s', current_user.get_id())
-      set_authenticated_user_deferred(current_user.get_id())
-      loaded = QuayDeferredPermissionUser(current_user.get_id(), 'username', {scopes.DIRECT_LOGIN})
-      identity_changed.send(app, identity=loaded)
-    else:
+      _validate_and_apply_oauth_token(token)
+    elif _load_user_from_cookie() is None:
      logger.debug('No auth header or login cookie.')
-    return f(*args, **kwargs)
+    return func(*args, **kwargs)
  return wrapper


-def process_auth(f):
-  @wraps(f)
+def process_auth(func):
+  @wraps(func)
  def wrapper(*args, **kwargs):
    auth = request.headers.get('authorization', '')

@ -181,16 +186,26 @@ def process_auth(f):
    else:
      logger.debug('No auth header.')

-    return f(*args, **kwargs)
+    return func(*args, **kwargs)
  return wrapper


-def extract_namespace_repo_from_session(f):
-  @wraps(f)
+def require_session_login(func):
+  @wraps(func)
+  def wrapper(*args, **kwargs):
+    loaded = _load_user_from_cookie()
+    if loaded is None or loaded.organization:
+      abort(401, message='Method requires login and no valid login could be loaded.')
+    return func(*args, **kwargs)
+  return wrapper
+
+
+def extract_namespace_repo_from_session(func):
+  @wraps(func)
  def wrapper(*args, **kwargs):
    if 'namespace' not in session or 'repository' not in session:
      logger.error('Unable to load namespace or repository from session: %s' % session)
      abort(400, message='Missing namespace in request')

-    return f(session['namespace'], session['repository'], *args, **kwargs)
+    return func(session['namespace'], session['repository'], *args, **kwargs)
  return wrapper
--- a/endpoints/callbacks.py
+++ b/endpoints/callbacks.py
@ -1,7 +1,7 @@
 import logging

 from flask import request, redirect, url_for, Blueprint
-from flask.ext.login import login_required, current_user
+from flask.ext.login import current_user

 from endpoints.common import render_page_template, common_login
 from app import app, mixpanel
@ -9,6 +9,7 @@ from data import model
 from util.names import parse_repository_name
 from util.http import abort
 from auth.permissions import AdministerRepositoryPermission
+from auth.auth import require_session_login


 logger = logging.getLogger(__name__)
@ -100,7 +101,7 @@ def github_oauth_callback():


@callback.route('/github/callback/attach', methods=['GET'])
-@login_required
+@require_session_login
 def github_oauth_attach():
  token = exchange_github_code_for_token(request.args.get('code'))
  user_data = get_github_user(token)
@ -111,7 +112,7 @@ def github_oauth_attach():


@callback.route('/github/callback/trigger/<path:repository>', methods=['GET'])
-@login_required
+@require_session_login
@parse_repository_name
 def attach_github_build_trigger(namespace, repository):
  permission = AdministerRepositoryPermission(namespace, repository)
@ -124,7 +125,8 @@ def attach_github_build_trigger(namespace, repository):

    trigger = model.create_build_trigger(repo, 'github', token, current_user.db_user())
    admin_path = '%s/%s/%s' % (namespace, repository, 'admin')
-    full_url = url_for('web.repository', path=admin_path) + '?tab=trigger&new_trigger=' + trigger.uuid
+    full_url = '%s%s%s' % (url_for('web.repository', path=admin_path), '?tab=trigger&new_trigger=',
+                           trigger.uuid)
    logger.debug('Redirecting to full url: %s' % full_url)
    return redirect(full_url)

--- a/endpoints/realtime.py
+++ b/endpoints/realtime.py
@ -1,71 +1,52 @@
 import logging
-import redis
 import json

-from functools import wraps
-from flask import request, make_response, Blueprint, abort, Response
-from flask.ext.login import current_user, logout_user
-from data import model, userevent
-from app import app
+from flask import request, Blueprint, abort, Response
+from flask.ext.login import current_user
+from data import userevent
+from auth.auth import require_session_login

 logger = logging.getLogger(__name__)

 realtime = Blueprint('realtime', __name__)

-def api_login_required(f):
-  @wraps(f)
-  def decorated_view(*args, **kwargs):
-    if not current_user.is_authenticated():
-      abort(401)
-
-    if (current_user and current_user.db_user() and
-        current_user.db_user().organization):
-      abort(401)
-
-    if (current_user and current_user.db_user() and
-        current_user.db_user().robot):
-      abort(401)
-
-    return f(*args, **kwargs)
-  return decorated_view
-

@realtime.route("/user/")
-@api_login_required
+@require_session_login
 def index():
-    debug_template = """
-     <html>
-       <head>
-       </head>
-       <body>
-         <h1>Server sent events</h1>
-         <div id="event"></div>
-         <script type="text/javascript">
+  debug_template = """
+    <html>
+      <head>
+      </head>
+      <body>
+        <h1>Server sent events</h1>
+        <div id="event"></div>
+        <script type="text/javascript">

-         var eventOutputContainer = document.getElementById("event");
-         var evtSrc = new EventSource("/realtime/user/subscribe?events=docker-cli");
+        var eventOutputContainer = document.getElementById("event");
+        var evtSrc = new EventSource("/realtime/user/subscribe?events=docker-cli");

-         evtSrc.onmessage = function(e) {
-             console.log(e.data);
-             eventOutputContainer.innerHTML = e.data;
-         };
+        evtSrc.onmessage = function(e) {
+            console.log(e.data);
+            eventOutputContainer.innerHTML = e.data;
+        };

-         </script>
-       </body>
-     </html>
+        </script>
+      </body>
+    </html>
    """
-    return(debug_template)
+  return(debug_template)


@realtime.route("/user/test")
-@api_login_required
+@require_session_login
 def user_test():
  evt = userevent.UserEvent('logs.quay.io', current_user.db_user().username)
  evt.publish_event_data('test', {'foo': 2})
  return 'OK'

@realtime.route("/user/subscribe")
-@api_login_required
+@require_session_login
 def user_subscribe():
  def wrapper(listener):
    for event_id, data in listener.event_stream():