From e74eb3ee877073eba0b9d206a6ce9536ec1f8148 Mon Sep 17 00:00:00 2001 From: jakedt Date: Wed, 12 Mar 2014 16:31:37 -0400 Subject: [PATCH] Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. --- auth/auth.py | 56 +++++++++++++++++++++++++++++++------ auth/permissions.py | 56 +++++++++++++++++++++++++++++++------ auth/scopes.py | 9 ++++++ data/model/oauth.py | 15 ++++++++-- endpoints/api/__init__.py | 9 ++++-- endpoints/api/discovery.py | 6 ++-- endpoints/api/repository.py | 9 ++++-- util/http.py | 8 +++--- 8 files changed, 137 insertions(+), 31 deletions(-) diff --git a/auth/auth.py b/auth/auth.py index c5ee8c5e9..2637cdeda 100644 --- a/auth/auth.py +++ b/auth/auth.py @@ -1,13 +1,16 @@ import logging from functools import wraps +from datetime import datetime from flask import request, _request_ctx_stack, session from flask.ext.principal import identity_changed, Identity from base64 import b64decode from data import model +from data.model import oauth from app import app from permissions import QuayDeferredPermissionUser +import scopes from util.http import abort @@ -49,7 +52,8 @@ def process_basic_auth(auth): ctx = _request_ctx_stack.top ctx.authenticated_user = robot - identity_changed.send(app, identity=Identity(robot.username, 'username')) + deferred_robot = QuayDeferredPermissionUser(robot.username, 'username') + identity_changed.send(app, identity=deferred_robot) return except model.InvalidRobotException: logger.debug('Invalid robot or password for robot: %s' % credentials[0]) @@ -62,8 +66,7 @@ def process_basic_auth(auth): ctx = _request_ctx_stack.top ctx.authenticated_user = authenticated - new_identity = QuayDeferredPermissionUser(authenticated.username, - 'username') + new_identity = QuayDeferredPermissionUser(authenticated.username, 'username') identity_changed.send(app, identity=new_identity) return @@ -94,18 +97,55 @@ def process_token(auth): token_data = model.load_token_data(token_vals['signature']) except model.InvalidTokenException: - logger.warning('Token could not be validated: %s' % - token_vals['signature']) + logger.warning('Token could not be validated: %s', token_vals['signature']) abort(401, message="Token could not be validated: %(auth)", issue='invalid-auth-token', auth=auth) - logger.debug('Successfully validated token: %s' % token_data.code) + logger.debug('Successfully validated token: %s', token_data.code) ctx = _request_ctx_stack.top ctx.validated_token = token_data identity_changed.send(app, identity=Identity(token_data.code, 'token')) +def process_oauth(auth): + normalized = [part.strip() for part in auth.split(' ') if part] + if normalized[0].lower() != 'bearer' or len(normalized) != 2: + logger.debug('Invalid oauth bearer token format.') + return + + token = normalized[1] + validated = oauth.validate_access_token(token) + if not validated: + logger.warning('OAuth access token could not be validated: %s', token) + authenticate_header = { + 'WWW-Authenticate': ('Bearer error="invalid_token", ' + 'error_description="The access token is invalid"'), + } + abort(401, message="OAuth access token could not be validated: %(token)", + issue='invalid-oauth-token', token=token, header=authenticate_header) + elif validated.expires_at <= datetime.now(): + logger.info('OAuth access with an expired token: %s', token) + authenticate_header = { + 'WWW-Authenticate': ('Bearer error="invalid_token", ' + 'error_description="The access token expired"'), + } + abort(401, message="OAuth access token has expired: %(token)", issue='invalid-oauth-token', + token=token, headers=authenticate_header) + + # We have a valid token + scope_set = scopes.scopes_from_scope_string(validated.scope) + logger.debug('Successfully validated oauth access token: %s with scope: %s', token, + scope_set) + + ctx = _request_ctx_stack.top + ctx.authenticated_user = validated.authorized_user + + new_identity = QuayDeferredPermissionUser(validated.authorized_user.username, 'username', + scope_set) + identity_changed.send(app, identity=new_identity) + + def process_auth(f): @wraps(f) def wrapper(*args, **kwargs): @@ -115,6 +155,7 @@ def process_auth(f): logger.debug('Validating auth header: %s' % auth) process_token(auth) process_basic_auth(auth) + process_oauth(auth) else: logger.debug('No auth header.') @@ -126,8 +167,7 @@ def extract_namespace_repo_from_session(f): @wraps(f) def wrapper(*args, **kwargs): if 'namespace' not in session or 'repository' not in session: - logger.error('Unable to load namespace or repository from session: %s' % - session) + logger.error('Unable to load namespace or repository from session: %s' % session) abort(400, message="Missing namespace in request") return f(session['namespace'], session['repository'], *args, **kwargs) diff --git a/auth/permissions.py b/auth/permissions.py index 0e1655337..b92a5116a 100644 --- a/auth/permissions.py +++ b/auth/permissions.py @@ -18,40 +18,78 @@ _OrganizationNeed = namedtuple('organization', ['orgname', 'role']) _TeamNeed = namedtuple('orgteam', ['orgname', 'teamname', 'role']) +REPO_ROLES = [None, 'read', 'write', 'admin'] +TEAM_ROLES = [None, 'member', 'creator', 'admin'] + +SCOPE_MAX_REPO_ROLES = { + 'repo:read': 'read', + 'repo:write': 'write', + 'repo:admin': 'admin', + 'repo:create': None, +} + +SCOPE_MAX_TEAM_ROLES = { + 'repo:read': None, + 'repo:write': None, + 'repo:admin': None, + 'repo:create': 'creator', +} + class QuayDeferredPermissionUser(Identity): - def __init__(self, id, auth_type=None): + def __init__(self, id, auth_type=None, scopes=None): super(QuayDeferredPermissionUser, self).__init__(id, auth_type) self._permissions_loaded = False + self._scope_set = scopes + + def _translate_role_for_scopes(self, cardinality, max_roles, role): + if self._scope_set is None: + return role + + max_for_scopes = max({cardinality.index(max_roles[scope]) for scope in self._scope_set}) + + if max_for_scopes < cardinality.index(role): + logger.debug('Translated permission %s -> %s', role, cardinality[max_for_scopes]) + return cardinality[max_for_scopes] + else: + return role + + def _team_role_for_scopes(self, role): + return self._translate_role_for_scopes(TEAM_ROLES, SCOPE_MAX_TEAM_ROLES, role) + + def _repo_role_for_scopes(self, role): + return self._translate_role_for_scopes(REPO_ROLES, SCOPE_MAX_REPO_ROLES, role) def can(self, permission): if not self._permissions_loaded: logger.debug('Loading user permissions after deferring.') user_object = model.get_user(self.id) - # Add the user specific permissions - user_grant = UserNeed(user_object.username) - self.provides.add(user_grant) + # Add the user specific permissions, only for non-oauth permission + if self._scope_set is None: + user_grant = UserNeed(user_object.username) + self.provides.add(user_grant) # Every user is the admin of their own 'org' - user_namespace = _OrganizationNeed(user_object.username, 'admin') + user_namespace = _OrganizationNeed(user_object.username, self._team_role_for_scopes('admin')) self.provides.add(user_namespace) # Add repository permissions for perm in model.get_all_user_permissions(user_object): - grant = _RepositoryNeed(perm.repository.namespace, - perm.repository.name, perm.role.name) + grant = _RepositoryNeed(perm.repository.namespace, perm.repository.name, + self._repo_role_for_scopes(perm.role.name)) logger.debug('User added permission: {0}'.format(grant)) self.provides.add(grant) # Add namespace permissions derived for team in model.get_org_wide_permissions(user_object): - grant = _OrganizationNeed(team.organization.username, team.role.name) + grant = _OrganizationNeed(team.organization.username, + self._team_role_for_scopes(team.role.name)) logger.debug('Organization team added permission: {0}'.format(grant)) self.provides.add(grant) team_grant = _TeamNeed(team.organization.username, team.name, - team.role.name) + self._team_role_for_scopes(team.role.name)) logger.debug('Team added permission: {0}'.format(team_grant)) self.provides.add(team_grant) diff --git a/auth/scopes.py b/auth/scopes.py index 3a50515a5..6dbda6c72 100644 --- a/auth/scopes.py +++ b/auth/scopes.py @@ -23,3 +23,12 @@ CREATE_REPO = { } ALL_SCOPES = {scope['scope']:scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO)} + + +def scopes_from_scope_string(scopes): + return {ALL_SCOPES.get(scope, {}).get('scope', None) for scope in scopes.split(',')} + + +def validate_scope_string(scopes): + decoded = scopes_from_scope_string(scopes) + return None not in decoded and len(decoded) > 0 diff --git a/data/model/oauth.py b/data/model/oauth.py index af1cb1f44..5f64f79f9 100644 --- a/data/model/oauth.py +++ b/data/model/oauth.py @@ -2,7 +2,7 @@ from datetime import datetime, timedelta from oauth2lib.provider import AuthorizationProvider from oauth2lib import utils -from data.database import OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken +from data.database import OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken, User from auth import scopes @@ -34,7 +34,7 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): return False def validate_scope(self, client_id, scope): - return scope in scopes.ALL_SCOPES.keys() + return scopes.validate_scope_string(scope) def validate_access(self): return self.get_authorized_user() is not None @@ -140,3 +140,14 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): def create_application(org, redirect_uri, **kwargs): return OAuthApplication.create(organization=org, redirect_uri=redirect_uri, **kwargs) + +def validate_access_token(access_token): + try: + found = (OAuthAccessToken + .select(OAuthAccessToken, User) + .join(User) + .where(OAuthAccessToken.access_token == access_token) + .get()) + return found + except OAuthAccessToken.DoesNotExist: + return None \ No newline at end of file diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py index 7748ab8c3..22c202e4e 100644 --- a/endpoints/api/__init__.py +++ b/endpoints/api/__init__.py @@ -20,7 +20,7 @@ from auth import scopes logger = logging.getLogger(__name__) api_bp = Blueprint('api', __name__) api = Api(api_bp) -api.decorators = [crossdomain(origin='*')] +api.decorators = [crossdomain(origin='*', headers=['Authorization'])] def resource(*urls, **kwargs): @@ -97,7 +97,12 @@ def parse_repository_name(func): return wrapper -class RepositoryParamResource(Resource): +class ApiResource(Resource): + def options(self): + return None, 200 + + +class RepositoryParamResource(ApiResource): method_decorators = [parse_repository_name] diff --git a/endpoints/api/discovery.py b/endpoints/api/discovery.py index 8ff3fa6d8..087b51c1c 100644 --- a/endpoints/api/discovery.py +++ b/endpoints/api/discovery.py @@ -1,9 +1,9 @@ import re import logging -from flask.ext.restful import Resource, reqparse +from flask.ext.restful import reqparse -from endpoints.api import resource, method_metadata, nickname, truthy_bool +from endpoints.api import ApiResource, resource, method_metadata, nickname, truthy_bool from app import app from auth import scopes @@ -131,7 +131,7 @@ def swagger_route_data(): return swagger_data @resource('/v1/discovery') -class DiscoveryResource(Resource): +class DiscoveryResource(ApiResource): """Ability to inspect the API for usage information and documentation.""" @nickname('discovery') def get(self): diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py index 48081809a..10347ffe0 100644 --- a/endpoints/api/repository.py +++ b/endpoints/api/repository.py @@ -1,22 +1,24 @@ import logging import json -from flask.ext.restful import Resource, reqparse, abort +from flask import current_app +from flask.ext.restful import reqparse, abort from flask.ext.login import current_user from data import model from endpoints.api import (truthy_bool, format_date, nickname, log_action, validate_json_request, require_repo_read, RepositoryParamResource, resource, query_param, - parse_args) + parse_args, ApiResource) from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission) +from auth.auth import process_auth logger = logging.getLogger(__name__) @resource('/v1/repository') -class RepositoryList(Resource): +class RepositoryList(ApiResource): """Operations for creating and listing repositories.""" schemas = { 'NewRepo': { @@ -146,6 +148,7 @@ def image_view(image): @resource('/v1/repository/') class Repository(RepositoryParamResource): """Operations for managing a specific repository.""" + @process_auth @require_repo_read @nickname('getRepo') def get(self, namespace, repository): diff --git a/util/http.py b/util/http.py index 1068696fe..8762d3a13 100644 --- a/util/http.py +++ b/util/http.py @@ -1,7 +1,8 @@ import logging +import json from app import mixpanel -from flask import request, abort as flask_abort, jsonify +from flask import request, abort as flask_abort, make_response from auth.auth_context import get_authenticated_user, get_validated_token logger = logging.getLogger(__name__) @@ -15,7 +16,7 @@ DEFAULT_MESSAGE[404] = 'Not Found' DEFAULT_MESSAGE[409] = 'Conflict' DEFAULT_MESSAGE[501] = 'Not Implemented' -def abort(status_code, message=None, issue=None, **kwargs): +def abort(status_code, message=None, issue=None, headers=None, **kwargs): message = (str(message) % kwargs if message else DEFAULT_MESSAGE.get(status_code, '')) @@ -53,8 +54,7 @@ def abort(status_code, message=None, issue=None, **kwargs): if issue_url: data['info_url'] = issue_url - resp = jsonify(data) - resp.status_code = status_code + resp = make_response(json.dumps(data), status_code, headers) # Report the abort to the user. flask_abort(resp)