rhodecode-enterprise-ce Commit - r1995:11838527

auth: allow binding the whitelist views to specific tokens

marcink -

r1995:11838527 default

parent child

rhodecode/apps/login/tests/test_login.py

0 +25 0

		@@ -492,6 +492,31 b' class TestLoginController(object):'
492	492	params=dict(api_key=auth_token)),
493	493	status=code)
494	494
	495	@pytest.mark.parametrize("test_name, auth_token, code", [
	496	('proper_auth_token', None, 200),
	497	('wrong_auth_token', '123456', 302),
	498	])
	499	def test_access_whitelisted_page_via_auth_token_bound_to_token(
	500	self, test_name, auth_token, code, user_admin):
	501
	502	expected_token = auth_token
	503	if test_name == 'proper_auth_token':
	504	auth_token = user_admin.api_key
	505	expected_token = auth_token
	506	assert auth_token
	507
	508	whitelist = self._get_api_whitelist([
	509	'RepoCommitsView:repo_commit_raw@{}'.format(expected_token)])
	510
	511	with mock.patch.dict('rhodecode.CONFIG', whitelist):
	512
	513	with fixture.anon_access(False):
	514	self.app.get(
	515	route_path('repo_commit_raw',
	516	repo_name=HG_REPO, commit_id='tip',
	517	params=dict(api_key=auth_token)),
	518	status=code)
	519
495	520	def test_access_page_via_extra_auth_token(self):
496	521	whitelist = self._get_api_whitelist(whitelist_view)
497	522	with mock.patch.dict('rhodecode.CONFIG', whitelist):

rhodecode/lib/auth.py

0 +12 -5

                      }
-             def allowed_auth_token_access(view_name, whitelist=None, auth_token=None):
+             def allowed_auth_token_access(view_name, auth_token, whitelist=None):
                  """
                  Check if given controller_name is in whitelist of auth token access
                  """
                      from rhodecode import CONFIG
                      whitelist = aslist(
                          CONFIG.get('api_access_controllers_whitelist'), sep=',')
-                     log.debug(
-                         'Allowed controllers for AUTH TOKEN access: %s' % (whitelist,))
+                 log.debug(
+                     'Allowed views for AUTH TOKEN access: %s' % (whitelist,))
+                 auth_token_access_valid = False
-                 auth_token_access_valid = False
                  for entry in whitelist:
-                     if fnmatch.fnmatch(view_name, entry):
+                     token_match = True
+                     if '@' in entry:
+                         # specific AuthToken
+                         entry, allowed_token = entry.split('@', 1)
+                         token_match = auth_token == allowed_token
+                     if fnmatch.fnmatch(view_name, entry) and token_match:
                          auth_token_access_valid = True
                          break

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages