auth: allow binding the whitelist views to specific tokens
marcink -
r1995:11838527 default
@@ -492,6 +492,31 b' class TestLoginController(object):'
492 492 params=dict(api_key=auth_token)),
493 493 status=code)
494 494
495 @pytest.mark.parametrize("test_name, auth_token, code", [
496 ('proper_auth_token', None, 200),
497 ('wrong_auth_token', '123456', 302),
498 ])
499 def test_access_whitelisted_page_via_auth_token_bound_to_token(
500 self, test_name, auth_token, code, user_admin):
501
502 expected_token = auth_token
503 if test_name == 'proper_auth_token':
504 auth_token = user_admin.api_key
505 expected_token = auth_token
506 assert auth_token
507
508 whitelist = self._get_api_whitelist([
509 'RepoCommitsView:repo_commit_raw@{}'.format(expected_token)])
510
511 with mock.patch.dict('rhodecode.CONFIG', whitelist):
512
513 with fixture.anon_access(False):
514 self.app.get(
515 route_path('repo_commit_raw',
516 repo_name=HG_REPO, commit_id='tip',
517 params=dict(api_key=auth_token)),
518 status=code)
519
495 520 def test_access_page_via_extra_auth_token(self):
496 521 whitelist = self._get_api_whitelist(whitelist_view)
497 522 with mock.patch.dict('rhodecode.CONFIG', whitelist):
@@ -754,7 +754,7 b' class PermissionCalculator(object):'
754 754 }
755 755
756 756
757 def allowed_auth_token_access(view_name, whitelist=None, auth_token=None):
757 def allowed_auth_token_access(view_name, auth_token, whitelist=None):
758 758 """
759 759 Check if given controller_name is in whitelist of auth token access
760 760 """
@@ -762,12 +762,19 b' def allowed_auth_token_access(view_name,'
762 762 from rhodecode import CONFIG
763 763 whitelist = aslist(
764 764 CONFIG.get('api_access_controllers_whitelist'), sep=',')
765
765 766 log.debug(
766 'Allowed controllers for AUTH TOKEN access: %s' % (whitelist,))
767 'Allowed views for AUTH TOKEN access: %s' % (whitelist,))
768 auth_token_access_valid = False
767 769
768 auth_token_access_valid = False
769 770 for entry in whitelist:
770 if fnmatch.fnmatch(view_name, entry):
771 token_match = True
772 if '@' in entry:
773 # specific AuthToken
774 entry, allowed_token = entry.split('@', 1)
775 token_match = auth_token == allowed_token
776
777 if fnmatch.fnmatch(view_name, entry) and token_match:
771 778 auth_token_access_valid = True
772 779 break
773 780
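Review bot: `token_match = auth_token == allowed_token` compares a secret with plain `==` and also treats an entry with nothing after the `@` as bound to the empty string, so a misconfigured entry like `view@` would match whenever the caller passes `''` for a missing key; both are fixed by `token_match = bool(allowed_token) and auth_token is not None and hmac.compare_digest(str(auth_token), allowed_token)` plus an `import hmac` at the top of the module. The docstring of `allowed_auth_token_access` (in the previous hunk) still speaks of "controller_name" and does not mention the new syntax; I would replace it with a one-line summary stating that *view_name* is matched with fnmatch against the whitelist and that an entry may carry an `@<token>` suffix restricting it to that single auth token. Rebinding the loop variable `entry` inside the loop works but is easy to misread; a separate name such as `view_pattern` would be clearer. The function begins in the preceding hunk and ends outside this one.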