Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords

2015-03-25 18:43:12 -04:00 · 2015-03-25 18:43:12 -04:00 · e4b659f107
commit e4b659f107
parent a7a8571396
10 changed files with 222 additions and 8 deletions
--- a/data/users.py
+++ b/data/users.py
@ -1,6 +1,7 @@
 import ldap
 import logging

+from flask.sessions import SecureCookieSessionInterface, BadSignature
 from util.validation import generate_valid_usernames
 from data import model

@ -138,5 +139,30 @@ class UserAuthentication(object):
    app.extensions['authentication'] = users
    return users

+  def verify_user(self, username_or_email, password, basic_auth=False):
+    # First try to decode the password as a signed token.
+    if basic_auth:
+      from app import app
+      import features
+
+      ser = SecureCookieSessionInterface().get_signing_serializer(app)
+
+      try:
+        token_data = ser.loads(password)
+        password = token_data.get('password', password)
+      except BadSignature:
+        # This is a normal password.
+        if features.REQUIRE_ENCRYPTED_BASIC_AUTH:
+          msg = ('Client login with passwords is disabled. Please generate a client token ' +
+                 'and use it in place of your password.')
+          return (None, msg)
+
+    result = self.state.verify_user(username_or_email, password)
+    if result:
+      return (result, '')
+    else:
+      return (result, 'Invalid password')
+
+
  def __getattr__(self, name):
    return getattr(self.state, name, None)