Base sessions on UUIDs.
Now that a backfill has been applied, sessions can now be based on UUIDs because all users will have one.
This commit is contained in:
Jimmy Zelinskie
parent
c918d15979
commit
dee4c389a8
5 changed files with 28 additions and 28 deletions
|
|
@ -25,7 +25,7 @@ def _load_user_from_cookie():
|
||||||
if not current_user.is_anonymous():
|
if not current_user.is_anonymous():
|
||||||
logger.debug('Loading user from cookie: %s', current_user.get_id())
|
logger.debug('Loading user from cookie: %s', current_user.get_id())
|
||||||
set_authenticated_user_deferred(current_user.get_id())
|
set_authenticated_user_deferred(current_user.get_id())
|
||||||
loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_db_id', {scopes.DIRECT_LOGIN})
|
loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN})
|
||||||
identity_changed.send(app, identity=loaded)
|
identity_changed.send(app, identity=loaded)
|
||||||
return current_user.db_user()
|
return current_user.db_user()
|
||||||
return None
|
return None
|
||||||
|
|
@ -58,7 +58,7 @@ def _validate_and_apply_oauth_token(token):
|
||||||
set_authenticated_user(validated.authorized_user)
|
set_authenticated_user(validated.authorized_user)
|
||||||
set_validated_oauth_token(validated)
|
set_validated_oauth_token(validated)
|
||||||
|
|
||||||
new_identity = QuayDeferredPermissionUser(validated.authorized_user.id, 'user_db_id', scope_set)
|
new_identity = QuayDeferredPermissionUser(validated.authorized_user.uuid, 'user_uuid', scope_set)
|
||||||
identity_changed.send(app, identity=new_identity)
|
identity_changed.send(app, identity=new_identity)
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -98,7 +98,7 @@ def process_basic_auth(auth):
|
||||||
logger.debug('Successfully validated robot: %s' % credentials[0])
|
logger.debug('Successfully validated robot: %s' % credentials[0])
|
||||||
set_authenticated_user(robot)
|
set_authenticated_user(robot)
|
||||||
|
|
||||||
deferred_robot = QuayDeferredPermissionUser(robot.id, 'user_db_id', {scopes.DIRECT_LOGIN})
|
deferred_robot = QuayDeferredPermissionUser(robot.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
|
||||||
identity_changed.send(app, identity=deferred_robot)
|
identity_changed.send(app, identity=deferred_robot)
|
||||||
return
|
return
|
||||||
except model.InvalidRobotException:
|
except model.InvalidRobotException:
|
||||||
|
|
@ -111,7 +111,7 @@ def process_basic_auth(auth):
|
||||||
logger.debug('Successfully validated user: %s' % authenticated.username)
|
logger.debug('Successfully validated user: %s' % authenticated.username)
|
||||||
set_authenticated_user(authenticated)
|
set_authenticated_user(authenticated)
|
||||||
|
|
||||||
new_identity = QuayDeferredPermissionUser(authenticated.id, 'user_db_id',
|
new_identity = QuayDeferredPermissionUser(authenticated.uuid, 'user_uuid',
|
||||||
{scopes.DIRECT_LOGIN})
|
{scopes.DIRECT_LOGIN})
|
||||||
identity_changed.send(app, identity=new_identity)
|
identity_changed.send(app, identity=new_identity)
|
||||||
return
|
return
|
||||||
|
|
|
||||||
|
|
@ -10,13 +10,13 @@ logger = logging.getLogger(__name__)
|
||||||
def get_authenticated_user():
|
def get_authenticated_user():
|
||||||
user = getattr(_request_ctx_stack.top, 'authenticated_user', None)
|
user = getattr(_request_ctx_stack.top, 'authenticated_user', None)
|
||||||
if not user:
|
if not user:
|
||||||
db_id = getattr(_request_ctx_stack.top, 'authenticated_db_id', None)
|
user_uuid = getattr(_request_ctx_stack.top, 'authenticated_user_uuid', None)
|
||||||
if not db_id:
|
if not user_uuid:
|
||||||
logger.debug('No authenticated user or deferred database id.')
|
logger.debug('No authenticated user or deferred user uuid.')
|
||||||
return None
|
return None
|
||||||
|
|
||||||
logger.debug('Loading deferred authenticated user.')
|
logger.debug('Loading deferred authenticated user.')
|
||||||
loaded = model.get_user_by_id(db_id)
|
loaded = model.get_user_by_uuid(user_uuid)
|
||||||
set_authenticated_user(loaded)
|
set_authenticated_user(loaded)
|
||||||
user = loaded
|
user = loaded
|
||||||
|
|
||||||
|
|
@ -30,10 +30,10 @@ def set_authenticated_user(user_or_robot):
|
||||||
ctx.authenticated_user = user_or_robot
|
ctx.authenticated_user = user_or_robot
|
||||||
|
|
||||||
|
|
||||||
def set_authenticated_user_deferred(user_or_robot_db_id):
|
def set_authenticated_user_deferred(user_or_robot_db_uuid):
|
||||||
logger.debug('Deferring loading of authenticated user object with id: %s', user_or_robot_db_id)
|
logger.debug('Deferring loading of authenticated user object with uuid: %s', user_or_robot_db_uuid)
|
||||||
ctx = _request_ctx_stack.top
|
ctx = _request_ctx_stack.top
|
||||||
ctx.authenticated_db_id = user_or_robot_db_id
|
ctx.authenticated_user_uuid = user_or_robot_db_uuid
|
||||||
|
|
||||||
|
|
||||||
def get_validated_oauth_token():
|
def get_validated_oauth_token():
|
||||||
|
|
|
||||||
|
|
@ -58,8 +58,8 @@ SCOPE_MAX_USER_ROLES.update({
|
||||||
|
|
||||||
|
|
||||||
class QuayDeferredPermissionUser(Identity):
|
class QuayDeferredPermissionUser(Identity):
|
||||||
def __init__(self, db_id, auth_type, scopes):
|
def __init__(self, uuid, auth_type, scopes):
|
||||||
super(QuayDeferredPermissionUser, self).__init__(db_id, auth_type)
|
super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type)
|
||||||
|
|
||||||
self._permissions_loaded = False
|
self._permissions_loaded = False
|
||||||
self._scope_set = scopes
|
self._scope_set = scopes
|
||||||
|
|
@ -88,7 +88,7 @@ class QuayDeferredPermissionUser(Identity):
|
||||||
def can(self, permission):
|
def can(self, permission):
|
||||||
if not self._permissions_loaded:
|
if not self._permissions_loaded:
|
||||||
logger.debug('Loading user permissions after deferring.')
|
logger.debug('Loading user permissions after deferring.')
|
||||||
user_object = model.get_user_by_id(self.id)
|
user_object = model.get_user_by_uuid(self.id)
|
||||||
|
|
||||||
# Add the superuser need, if applicable.
|
# Add the superuser need, if applicable.
|
||||||
if (user_object.username is not None and
|
if (user_object.username is not None and
|
||||||
|
|
@ -228,11 +228,11 @@ def on_identity_loaded(sender, identity):
|
||||||
# We have verified an identity, load in all of the permissions
|
# We have verified an identity, load in all of the permissions
|
||||||
|
|
||||||
if isinstance(identity, QuayDeferredPermissionUser):
|
if isinstance(identity, QuayDeferredPermissionUser):
|
||||||
logger.debug('Deferring permissions for user: %s', identity.id)
|
logger.debug('Deferring permissions for user with uuid: %s', identity.id)
|
||||||
|
|
||||||
elif identity.auth_type == 'user_db_id':
|
elif identity.auth_type == 'user_uuid':
|
||||||
logger.debug('Switching username permission to deferred object: %s', identity.id)
|
logger.debug('Switching username permission to deferred object with uuid: %s', identity.id)
|
||||||
switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'user_db_id', {scopes.DIRECT_LOGIN})
|
switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'user_uuid', {scopes.DIRECT_LOGIN})
|
||||||
identity_changed.send(app, identity=switch_to_deferred)
|
identity_changed.send(app, identity=switch_to_deferred)
|
||||||
|
|
||||||
elif identity.auth_type == 'token':
|
elif identity.auth_type == 'token':
|
||||||
|
|
|
||||||
|
|
@ -85,19 +85,19 @@ def param_required(param_name):
|
||||||
|
|
||||||
|
|
||||||
@login_manager.user_loader
|
@login_manager.user_loader
|
||||||
def load_user(user_db_id):
|
def load_user(user_uuid):
|
||||||
logger.debug('User loader loading deferred user with id: %s' % user_db_id)
|
logger.debug('User loader loading deferred user with uuid: %s' % user_uuid)
|
||||||
return _LoginWrappedDBUser(user_db_id)
|
return _LoginWrappedDBUser(user_uuid)
|
||||||
|
|
||||||
|
|
||||||
class _LoginWrappedDBUser(UserMixin):
|
class _LoginWrappedDBUser(UserMixin):
|
||||||
def __init__(self, user_db_id, db_user=None):
|
def __init__(self, user_uuid, db_user=None):
|
||||||
self._db_id = user_db_id
|
self._uuid = user_uuid
|
||||||
self._db_user = db_user
|
self._db_user = db_user
|
||||||
|
|
||||||
def db_user(self):
|
def db_user(self):
|
||||||
if not self._db_user:
|
if not self._db_user:
|
||||||
self._db_user = model.get_user_by_id(self._db_id)
|
self._db_user = model.get_user_by_uuid(self._uuid)
|
||||||
return self._db_user
|
return self._db_user
|
||||||
|
|
||||||
def is_authenticated(self):
|
def is_authenticated(self):
|
||||||
|
|
@ -107,13 +107,13 @@ class _LoginWrappedDBUser(UserMixin):
|
||||||
return self.db_user().verified
|
return self.db_user().verified
|
||||||
|
|
||||||
def get_id(self):
|
def get_id(self):
|
||||||
return unicode(self._db_id)
|
return unicode(self._uuid)
|
||||||
|
|
||||||
|
|
||||||
def common_login(db_user):
|
def common_login(db_user):
|
||||||
if login_user(_LoginWrappedDBUser(db_user.id, db_user)):
|
if login_user(_LoginWrappedDBUser(db_user.uuid, db_user)):
|
||||||
logger.debug('Successfully signed in as: %s (%s)' % (db_user.username, db_user.uuid))
|
logger.debug('Successfully signed in as: %s (%s)' % (db_user.username, db_user.uuid))
|
||||||
new_identity = QuayDeferredPermissionUser(db_user.id, 'user_db_id', {scopes.DIRECT_LOGIN})
|
new_identity = QuayDeferredPermissionUser(db_user.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
|
||||||
identity_changed.send(app, identity=new_identity)
|
identity_changed.send(app, identity=new_identity)
|
||||||
session['login_time'] = datetime.datetime.now()
|
session['login_time'] = datetime.datetime.now()
|
||||||
return True
|
return True
|
||||||
|
|
|
||||||
|
|
@ -79,7 +79,7 @@ class ApiTestCase(unittest.TestCase):
|
||||||
with client.session_transaction() as sess:
|
with client.session_transaction() as sess:
|
||||||
if auth_username:
|
if auth_username:
|
||||||
loaded = model.get_user(auth_username)
|
loaded = model.get_user(auth_username)
|
||||||
sess['user_id'] = loaded.id
|
sess['user_id'] = loaded.uuid
|
||||||
sess['login_time'] = datetime.datetime.now()
|
sess['login_time'] = datetime.datetime.now()
|
||||||
sess[CSRF_TOKEN_KEY] = CSRF_TOKEN
|
sess[CSRF_TOKEN_KEY] = CSRF_TOKEN
|
||||||
|
|
||||||
|
|
|
||||||
Reference in a new issue