Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password
This commit is contained in:
Joseph Schorr
parent
53b762a875
commit
524d77f527
50 changed files with 943 additions and 289 deletions
|
|
@ -2,6 +2,8 @@ import logging
|
|||
|
||||
from enum import Enum
|
||||
|
||||
import features
|
||||
|
||||
from app import authentication
|
||||
from auth.oauth import validate_oauth_token
|
||||
from auth.validateresult import ValidateResult, AuthKind
|
||||
|
|
@ -12,6 +14,7 @@ logger = logging.getLogger(__name__)
|
|||
|
||||
ACCESS_TOKEN_USERNAME = '$token'
|
||||
OAUTH_TOKEN_USERNAME = '$oauthtoken'
|
||||
APP_SPECIFIC_TOKEN_USERNAME = '$app'
|
||||
|
||||
|
||||
class CredentialKind(Enum):
|
||||
|
|
@ -19,22 +22,44 @@ class CredentialKind(Enum):
|
|||
robot = 'robot'
|
||||
token = ACCESS_TOKEN_USERNAME
|
||||
oauth_token = OAUTH_TOKEN_USERNAME
|
||||
app_specific_token = APP_SPECIFIC_TOKEN_USERNAME
|
||||
|
||||
|
||||
def validate_credentials(auth_username, auth_password_or_token):
|
||||
""" Validates a pair of auth username and password/token credentials. """
|
||||
# Check for access tokens.
|
||||
if auth_username == ACCESS_TOKEN_USERNAME:
|
||||
logger.debug('Found basic auth header for access token')
|
||||
logger.debug('Found credentials for access token')
|
||||
try:
|
||||
token = model.token.load_token_data(auth_password_or_token)
|
||||
logger.debug('Successfully validated basic auth for access token %s', token.id)
|
||||
logger.debug('Successfully validated credentials for access token %s', token.id)
|
||||
return ValidateResult(AuthKind.credentials, token=token), CredentialKind.token
|
||||
except model.DataModelException:
|
||||
logger.warning('Failed to validate basic auth for access token %s', auth_password_or_token)
|
||||
logger.warning('Failed to validate credentials for access token %s', auth_password_or_token)
|
||||
return (ValidateResult(AuthKind.credentials, error_message='Invalid access token'),
|
||||
CredentialKind.token)
|
||||
|
||||
# Check for App Specific tokens.
|
||||
if features.APP_SPECIFIC_TOKENS and auth_username == APP_SPECIFIC_TOKEN_USERNAME:
|
||||
logger.debug('Found credentials for app specific auth token')
|
||||
token = model.appspecifictoken.access_valid_token(auth_password_or_token)
|
||||
if token is None:
|
||||
logger.debug('Failed to validate credentials for app specific token: %s',
|
||||
auth_password_or_token)
|
||||
return (ValidateResult(AuthKind.credentials, error_message='Invalid token'),
|
||||
CredentialKind.app_specific_token)
|
||||
|
||||
if not token.user.enabled:
|
||||
logger.debug('Tried to use an app specific token for a disabled user: %s',
|
||||
token.uuid)
|
||||
return (ValidateResult(AuthKind.credentials,
|
||||
error_message='This user has been disabled. Please contact your administrator.'),
|
||||
CredentialKind.app_specific_token)
|
||||
|
||||
logger.debug('Successfully validated credentials for app specific token %s', token.id)
|
||||
return (ValidateResult(AuthKind.credentials, appspecifictoken=token),
|
||||
CredentialKind.app_specific_token)
|
||||
|
||||
# Check for OAuth tokens.
|
||||
if auth_username == OAUTH_TOKEN_USERNAME:
|
||||
return validate_oauth_token(auth_password_or_token), CredentialKind.oauth_token
|
||||
|
|
@ -42,21 +67,21 @@ def validate_credentials(auth_username, auth_password_or_token):
|
|||
# Check for robots and users.
|
||||
is_robot = parse_robot_username(auth_username)
|
||||
if is_robot:
|
||||
logger.debug('Found basic auth header for robot %s', auth_username)
|
||||
logger.debug('Found credentials header for robot %s', auth_username)
|
||||
try:
|
||||
robot = model.user.verify_robot(auth_username, auth_password_or_token)
|
||||
logger.debug('Successfully validated basic auth for robot %s', auth_username)
|
||||
logger.debug('Successfully validated credentials for robot %s', auth_username)
|
||||
return ValidateResult(AuthKind.credentials, robot=robot), CredentialKind.robot
|
||||
except model.InvalidRobotException as ire:
|
||||
logger.warning('Failed to validate basic auth for robot %s: %s', auth_username, ire.message)
|
||||
logger.warning('Failed to validate credentials for robot %s: %s', auth_username, ire.message)
|
||||
return ValidateResult(AuthKind.credentials, error_message=ire.message), CredentialKind.robot
|
||||
|
||||
# Otherwise, treat as a standard user.
|
||||
(authenticated, err) = authentication.verify_and_link_user(auth_username, auth_password_or_token,
|
||||
basic_auth=True)
|
||||
if authenticated:
|
||||
logger.debug('Successfully validated basic auth for user %s', authenticated.username)
|
||||
logger.debug('Successfully validated credentials for user %s', authenticated.username)
|
||||
return ValidateResult(AuthKind.credentials, user=authenticated), CredentialKind.user
|
||||
else:
|
||||
logger.warning('Failed to validate basic auth for user %s: %s', auth_username, err)
|
||||
logger.warning('Failed to validate credentials for user %s: %s', auth_username, err)
|
||||
return ValidateResult(AuthKind.credentials, error_message=err), CredentialKind.user
|
||||
|
|
|
|||
Reference in a new issue