import base64
import hmac
import logging
import os

from flask import request, abort, session
from flask.ext.login import login_user, UserMixin
from flask.ext.principal import identity_changed

from data import model
from app import app, login_manager
from auth.permissions import QuayDeferredPermissionUser
|
|
|
|
# Module logger; all sign-in / user-loading diagnostics below go through it.
logger = logging.getLogger(name=__name__)
|
|
|
|
@login_manager.user_loader
def load_user(username):
    """Flask-Login user loader: rebuild the user object for `username`.

    Only the name is available at this point, so the wrapper is returned
    without a database row; `_LoginWrappedDBUser` fetches the row lazily the
    first time it is needed.
    """
    logger.debug('Loading user: %s' % username)
    wrapped = _LoginWrappedDBUser(username)
    return wrapped
|
|
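class _LoginWrappedDBUser(UserMixin):
    """Flask-Login user object wrapped around a database user row.

    Only the username is required up front (that is all `load_user` has when
    Flask-Login rebuilds the user from the session); the row itself is fetched
    lazily through ``model.get_user`` the first time it is needed, unless the
    caller already holds it and passes ``db_user``.
    """

    def __init__(self, db_username, db_user=None):
        """Wrap `db_username`, optionally with its already-loaded `db_user` row."""
        self._db_username = db_username
        self._db_user = db_user

    def db_user(self):
        """Return the database user row, loading it on first access.

        May return None when ``model.get_user`` finds no such user (e.g. the
        account was removed after the session cookie was issued); the other
        methods treat that as "not a valid user".
        """
        if not self._db_user:
            self._db_user = model.get_user(self._db_username)
        return self._db_user

    def is_authenticated(self):
        """A username is authenticated only if it still resolves to a user row."""
        return self.db_user() is not None

    def is_active(self):
        """Only verified accounts are active; an unresolvable user is inactive.

        Previously this dereferenced ``db_user().verified`` unconditionally and
        raised AttributeError when the row no longer existed. Such a user is now
        reported inactive, which is the safe answer for an access check.
        """
        user = self.db_user()
        return user is not None and user.verified

    def get_id(self):
        """Return the identifier Flask-Login stores in the session: the username."""
        return unicode(self._db_username)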
|
|
|
|
def common_login(db_user):
    """Sign `db_user` in with Flask-Login and announce the new identity.

    The row is wrapped in `_LoginWrappedDBUser` (passed along so no reload is
    needed) and handed to `login_user`. On success a
    `QuayDeferredPermissionUser` identity keyed by username is sent through
    `identity_changed`, so Flask-Principal recomputes permissions for the new
    user.

    Returns:
        True if `login_user` accepted the user, False otherwise (the log line
        guesses at an inactive account, but the reason is not inspected here).
    """
    username = db_user.username
    wrapped = _LoginWrappedDBUser(username, db_user)

    if not login_user(wrapped):
        logger.debug('User could not be logged in, inactive?.')
        return False

    logger.debug('Successfully signed in as: %s' % username)
    identity_changed.send(app, identity=QuayDeferredPermissionUser(username, 'username'))
    return True
|
|
|
|
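@app.before_request
def csrf_protect():
    """Reject state-changing requests whose CSRF token does not match the session's.

    Runs before every request. GET and HEAD pass through untouched (this relies
    on those handlers being side-effect free); for any other method the
    ``_csrf_token`` carried in the form/query values must equal the one stored
    in the session, otherwise the request is aborted with 403.

    The comparison uses ``hmac.compare_digest`` so the time taken does not
    reveal how many leading characters of a guessed token were correct
    (requires Python 2.7.7+ / 3.3+).

    Raises:
        werkzeug.exceptions.Forbidden: via ``abort(403)`` when the tokens differ.
    """
    if request.method in ('GET', 'HEAD'):
        return

    token = session.get('_csrf_token', None)
    found_token = request.values.get('_csrf_token', None)

    # TODO: add if not token here, once we are sure all sessions have a token.
    # Until then a session without a token is rejected only when the request
    # nevertheless supplies one (same outcome as the old `token != found_token`).
    if not _csrf_tokens_match(token, found_token):
        abort(403)


def _as_bytes(value):
    """Return `value` as bytes: text is UTF-8 encoded, bytes pass through.

    Needed because the session may hold the token as bytes (the raw
    ``b64encode`` result) while the request value arrives as text, and
    ``hmac.compare_digest`` refuses to mix the two types.
    """
    if isinstance(value, bytes):
        return value
    return value.encode('utf-8')


def _csrf_tokens_match(expected, supplied):
    """Constant-time equality of the session token and the request token.

    Either side may be None. Both None counts as a match (see the TODO in
    ``csrf_protect``); exactly one None never does.
    """
    if expected is None or supplied is None:
        return expected is None and supplied is None
    return hmac.compare_digest(_as_bytes(expected), _as_bytes(supplied))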
|
|
|
|
def generate_csrf_token():
    """Return the session's CSRF token, minting one on first use.

    The token is 48 bytes from `os.urandom` (the OS CSPRNG), base64 encoded,
    and kept in the session so `csrf_protect` can compare it against the value
    submitted with non-GET requests. Templates reach it as `csrf_token()`.
    """
    try:
        return session['_csrf_token']
    except KeyError:
        fresh = base64.b64encode(os.urandom(48))
        session['_csrf_token'] = fresh
        return fresh
|
|
# Expose the token generator to templates as `csrf_token()`, so forms can embed
# the session token that `csrf_protect` verifies on submission.
app.jinja_env.globals.update(csrf_token=generate_csrf_token)