quay/auth/auth.py

import logging

from functools import wraps
from flask import request, _request_ctx_stack, abort, session
from flask.ext.principal import identity_changed, Identity
from base64 import b64decode

from data import model
from app import app
from permissions import QuayDeferredPermissionUser

from util.names import parse_namespace_repository


logger = logging.getLogger(__name__)


def get_authenticated_user():
  return getattr(_request_ctx_stack.top, 'authenticated_user', None)


def get_validated_token():
  return getattr(_request_ctx_stack.top, 'validated_token', None)


def process_basic_auth(auth):
  normalized = [part.strip() for part in auth.split(' ') if part]
  if normalized[0].lower() != 'basic' or len(normalized) != 2:
    logger.debug('Invalid basic auth format.')
    return

  credentials = b64decode(normalized[1]).split(':')

  if len(credentials) != 2:
    logger.debug('Invalid basic auth credential format.')

  elif credentials[0] == '$token':
    # Use as token auth
    try:
      token = model.load_token_data(credentials[1])
      logger.debug('Successfully validated token: %s' % credentials[1])
      ctx = _request_ctx_stack.top
      ctx.validated_token = token

      identity_changed.send(app, identity=Identity(token.code, 'token'))
      return

    except model.DataModelException:
      logger.debug('Invalid token: %s' % credentials[1])

  elif '+' in credentials[0]:
    logger.debug('Trying robot auth with credentials %s' % str(credentials))
    # Use as robot auth
    try:
      robot = model.verify_robot(credentials[0], credentials[1])
      logger.debug('Successfully validated robot: %s' % credentials[0])
      ctx = _request_ctx_stack.top
      ctx.authenticated_user = robot
      
      identity_changed.send(app, identity=Identity(robot.username, 'username'))
      return
    except model.InvalidRobotException:
      logger.debug('Invalid robot or password for robot: %s' % credentials[0])

  else:
    authenticated = model.verify_user(credentials[0], credentials[1])

    if authenticated:
      logger.debug('Successfully validated user: %s' % authenticated.username)
      ctx = _request_ctx_stack.top
      ctx.authenticated_user = authenticated

      new_identity = QuayDeferredPermissionUser(authenticated.username,
                                                'username')
      identity_changed.send(app, identity=new_identity)
      return

  # We weren't able to authenticate via basic auth.
  logger.debug('Basic auth present but could not be validated.')


def process_token(auth):
  normalized = [part.strip() for part in auth.split(' ') if part]
  if normalized[0].lower() != 'token' or len(normalized) != 2:
    logger.debug('Not an auth token: %s' % auth)
    return

  token_details = normalized[1].split(',')

  if len(token_details) != 1:
    logger.warning('Invalid token format: %s' % auth)
    abort(401)

  token_vals = {val[0]: val[1] for val in
                (detail.split('=') for detail in token_details)}
  if 'signature' not in token_vals:
    logger.warning('Token does not contain signature: %s' % auth)
    abort(401)

  try:
    token_data = model.load_token_data(token_vals['signature'])

  except model.InvalidTokenException:
    logger.warning('Token could not be validated: %s' %
                   token_vals['signature'])
    abort(401)

  logger.debug('Successfully validated token: %s' % token_data.code)
  ctx = _request_ctx_stack.top
  ctx.validated_token = token_data

  identity_changed.send(app, identity=Identity(token_data.code, 'token'))


def process_auth(f):
  @wraps(f)
  def wrapper(*args, **kwargs):
    auth = request.headers.get('authorization', '')

    if auth:
      logger.debug('Validating auth header: %s' % auth)
      process_token(auth)
      process_basic_auth(auth)
    else:
      logger.debug('No auth header.')

    return f(*args, **kwargs)
  return wrapper


def extract_namespace_repo_from_session(f):
  @wraps(f)
  def wrapper(*args, **kwargs):
    if 'namespace' not in session or 'repository' not in session:
      logger.error('Unable to load namespace or repository from session: %s' %
                   session)
      abort(400)

    return f(session['namespace'], session['repository'], *args, **kwargs)
  return wrapper