quay/auth/credentials.py

import logging

from enum import Enum

import features

from app import authentication
from auth.oauth import validate_oauth_token
from auth.validateresult import ValidateResult, AuthKind
from auth.credential_consts import (ACCESS_TOKEN_USERNAME, OAUTH_TOKEN_USERNAME,
                                    APP_SPECIFIC_TOKEN_USERNAME)
from data import model
from util.names import parse_robot_username

logger = logging.getLogger(__name__)


class CredentialKind(Enum):
  user = 'user'
  robot = 'robot'
  token = ACCESS_TOKEN_USERNAME
  oauth_token = OAUTH_TOKEN_USERNAME
  app_specific_token = APP_SPECIFIC_TOKEN_USERNAME


def validate_credentials(auth_username, auth_password_or_token):
  """ Validates a pair of auth username and password/token credentials. """
  # Check for access tokens.
  if auth_username == ACCESS_TOKEN_USERNAME:
    logger.debug('Found credentials for access token')
    try:
      token = model.token.load_token_data(auth_password_or_token)
      logger.debug('Successfully validated credentials for access token %s', token.id)
      return ValidateResult(AuthKind.credentials, token=token), CredentialKind.token
    except model.DataModelException:
      logger.warning('Failed to validate credentials for access token %s', auth_password_or_token)
      return (ValidateResult(AuthKind.credentials, error_message='Invalid access token'),
              CredentialKind.token)

  # Check for App Specific tokens.
  if features.APP_SPECIFIC_TOKENS and auth_username == APP_SPECIFIC_TOKEN_USERNAME:
    logger.debug('Found credentials for app specific auth token')
    token = model.appspecifictoken.access_valid_token(auth_password_or_token)
    if token is None:
      logger.debug('Failed to validate credentials for app specific token: %s',
                   auth_password_or_token)
      return (ValidateResult(AuthKind.credentials, error_message='Invalid token'),
              CredentialKind.app_specific_token)

    if not token.user.enabled:
      logger.debug('Tried to use an app specific token for a disabled user: %s',
                   token.uuid)
      return (ValidateResult(AuthKind.credentials,
              error_message='This user has been disabled. Please contact your administrator.'),
              CredentialKind.app_specific_token)

    logger.debug('Successfully validated credentials for app specific token %s', token.id)
    return (ValidateResult(AuthKind.credentials, appspecifictoken=token),
            CredentialKind.app_specific_token)

  # Check for OAuth tokens.
  if auth_username == OAUTH_TOKEN_USERNAME:
    return validate_oauth_token(auth_password_or_token), CredentialKind.oauth_token

  # Check for robots and users.
  is_robot = parse_robot_username(auth_username)
  if is_robot:
    logger.debug('Found credentials header for robot %s', auth_username)
    try:
      robot = model.user.verify_robot(auth_username, auth_password_or_token)
      logger.debug('Successfully validated credentials for robot %s', auth_username)
      return ValidateResult(AuthKind.credentials, robot=robot), CredentialKind.robot
    except model.InvalidRobotException as ire:
      logger.warning('Failed to validate credentials for robot %s: %s', auth_username, ire)
      return ValidateResult(AuthKind.credentials, error_message=str(ire)), CredentialKind.robot

  # Otherwise, treat as a standard user.
  (authenticated, err) = authentication.verify_and_link_user(auth_username, auth_password_or_token,
                                                             basic_auth=True)
  if authenticated:
    logger.debug('Successfully validated credentials for user %s', authenticated.username)
    return ValidateResult(AuthKind.credentials, user=authenticated), CredentialKind.user
  else:
    logger.warning('Failed to validate credentials for user %s: %s', auth_username, err)
    return ValidateResult(AuthKind.credentials, error_message=err), CredentialKind.user