rhodecode-enterprise-ce Commit - r1421:5088d9a7

auth-tokens: updated logic of authentication to a common shared user method.

marcink -

r1421:5088d9a7 default

parent child

rhodecode/api/__init__.py

0 +8 -8

                     request.rpc_user = auth_u
                     # now check if token is valid for API
-                    role = UserApiKeys.ROLE_API
+                    auth_token = request.rpc_api_key
-                    extra_auth_tokens = [
+                    token_match = api_user.authenticate_by_token(
-                        x.api_key for x in User.extra_valid_auth_tokens(api_user, role=role)]
+                        auth_token, roles=[UserApiKeys.ROLE_API], include_builtin_token=True)
-                    active_tokens = [api_user.api_key] + extra_auth_tokens
+                    invalid_token = not token_match
-                    log.debug('Checking if API key has proper role')
+                    log.debug('Checking if API KEY is valid with proper role')
-                    if request.rpc_api_key not in active_tokens:
+                    if invalid_token:
                         return jsonrpc_error(
                             request, retid=request.rpc_id,
-                            message='API KEY has bad role for an API call')
+                            message='API KEY invalid or, has bad role for an API call')
-                except Exception as e:
+                except Exception:
                     log.exception('Error on API AUTH')
                     return jsonrpc_error(
                         request, retid=request.rpc_id, message='Invalid API KEY')

rhodecode/authentication/plugins/auth_token.py

0 +4 -4

                     log.debug('Authenticating user with args %s', user_attrs)
                     if userobj.active:
-                        role = UserApiKeys.ROLE_VCS
+                        token_match = userobj.authenticate_by_token(
-                        active_tokens = [x.api_key for x in
+                            password, roles=[UserApiKeys.ROLE_VCS])
-                                         User.extra_valid_auth_tokens(userobj, role=role)]
-                        if userobj.username == username and password in active_tokens:
+                        if userobj.username == username and token_match:
                             log.info(
                                 'user `%s` successfully authenticated via %s',
                                 user_attrs['username'], self.name)

rhodecode/controllers/feed.py

0 +3 -4

             from pylons import url, response, tmpl_context as c
             from pylons.i18n.translation import _
-            from beaker.cache import cache_region, region_invalidate
+            from beaker.cache import cache_region
             from webhelpers.feedgenerator import Atom1Feed, Rss201rev2Feed
-            from rhodecode.model.db import CacheKey
+            from rhodecode.model.db import CacheKey, UserApiKeys
             from rhodecode.lib import helpers as h
-            from rhodecode.lib import caches
             from rhodecode.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator
             from rhodecode.lib.base import BaseRepoController
             from rhodecode.lib.diffs import DiffProcessor, LimitedDiffContainer
                             safe_int(config.get('rss_cut_off_limit', 32 * 1024)),
                     }
-                @LoginRequired(auth_token_access=True)
+                @LoginRequired(auth_token_access=[UserApiKeys.ROLE_FEED])
                 def __before__(self):
                     super(FeedController, self).__before__()
                     config = self._get_config()

rhodecode/controllers/journal.py

0 +5 -5

             from pylons.i18n.translation import _
             from rhodecode.controllers.admin.admin import _journal_filter
-            from rhodecode.model.db import UserLog, UserFollowing, User
+            from rhodecode.model.db import UserLog, UserFollowing, User, UserApiKeys
             from rhodecode.model.meta import Session
             import rhodecode.lib.helpers as h
             from rhodecode.lib.helpers import Page
                     return render('journal/journal.mako')
-                @LoginRequired(auth_token_access=True)
+                @LoginRequired(auth_token_access=[UserApiKeys.ROLE_FEED])
                 @NotAnonymous()
                 def journal_atom(self):
                     """
                         .all()
                     return self._atom_feed(following, public=False)
-                @LoginRequired(auth_token_access=True)
+                @LoginRequired(auth_token_access=[UserApiKeys.ROLE_FEED])
                 @NotAnonymous()
                 def journal_rss(self):
                     """
                         return c.journal_data
                     return render('journal/public_journal.mako')
-                @LoginRequired(auth_token_access=True)
+                @LoginRequired(auth_token_access=[UserApiKeys.ROLE_FEED])
                 def public_journal_atom(self):
                     """
                     Produce an atom-1.0 feed via feedgenerator module
                     return self._atom_feed(c.following)
-                @LoginRequired(auth_token_access=True)
+                @LoginRequired(auth_token_access=[UserApiKeys.ROLE_FEED])
                 def public_journal_rss(self):
                     """
                     Produce an rss2 feed via feedgenerator module

rhodecode/lib/auth.py

0 +19 -17

             class _RhodeCodeCryptoBase(object):
+                ENC_PREF = None
                 def hash_create(self, str_):
                     """
             class _RhodeCodeCryptoBCrypt(_RhodeCodeCryptoBase):
+                ENC_PREF = '$2a$10'
                 def hash_create(self, str_):
                     self._assert_bytes(str_)
             class _RhodeCodeCryptoSha256(_RhodeCodeCryptoBase):
+                ENC_PREF = '_'
                 def hash_create(self, str_):
                     self._assert_bytes(str_)
             class _RhodeCodeCryptoMd5(_RhodeCodeCryptoBase):
+                ENC_PREF = '_'
                 def hash_create(self, str_):
                     self._assert_bytes(str_)
                         self._permissions_scoped_cache[cache_key] = res
                     return self._permissions_scoped_cache[cache_key]
-                @property
-                def auth_tokens(self):
-                    return self.get_auth_tokens()
                 def get_instance(self):
                     return User.get(self.user_id)
                     log.debug('PERMISSION tree computed %s' % (result_repr,))
                     return result
-                def get_auth_tokens(self):
-                    auth_tokens = [self.api_key]
-                    for api_key in UserApiKeys.query()\
-                            .filter(UserApiKeys.user_id == self.user_id)\
-                            .filter(or_(UserApiKeys.expires == -1,
-                                        UserApiKeys.expires >= time.time())).all():
-                        auth_tokens.append(api_key.api_key)
-                    return auth_tokens
                 @property
                 def is_default(self):
                     return self.username == User.DEFAULT_USER
                 :param api_access: if enabled this checks only for valid auth token
                     and grants access based on valid token
                 """
-                def __init__(self, auth_token_access=False):
+                def __init__(self, auth_token_access=None):
                     self.auth_token_access = auth_token_access
                 def __call__(self, func):
                         ip_access_valid = False
                     # check if we used an APIKEY and it's a valid one
-                    # defined whitelist of controllers which API access will be enabled
+                    # defined white-list of controllers which API access will be enabled
                     _auth_token = request.GET.get(
                         'auth_token', '') or request.GET.get('api_key', '')
                     auth_token_access_valid = allowed_auth_token_access(
                     # explicit controller is enabled or API is in our whitelist
                     if self.auth_token_access or auth_token_access_valid:
                         log.debug('Checking AUTH TOKEN access for %s' % (cls,))
+                        db_user = user.get_instance()
-                        if _auth_token and _auth_token in user.auth_tokens:
+                        if db_user:
+                            if self.auth_token_access:
+                                roles = self.auth_token_access
+                            else:
+                                roles = [UserApiKeys.ROLE_HTTP]
+                            token_match = db_user.authenticate_by_token(
+                                _auth_token, roles=roles, include_builtin_token=True)
+                        else:
+                            log.debug('Unable to fetch db instance for auth user: %s', user)
+                            token_match = False
+                        if _auth_token and token_match:
                             auth_token_access_valid = True
                             log.debug('AUTH TOKEN ****%s is VALID' % (_auth_token[-4:],))
                         else:

rhodecode/model/db.py

0 +52 -5

@@ -581,15 +581,16 b' class User(Base, BaseModel):'
581		581
582	@property	582	@property
583	def feed_token(self):	583	def feed_token(self):
		584	return self.get_feed_token()
		585
		586	def get_feed_token(self):
584	feed_tokens = UserApiKeys.query()\	587	feed_tokens = UserApiKeys.query()\
585	.filter(UserApiKeys.user == self)\	588	.filter(UserApiKeys.user == self)\
586	.filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)\	589	.filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)\
587	.all()	590	.all()
588	if feed_tokens:	591	if feed_tokens:
589	return feed_tokens[0].api_key	592	return feed_tokens[0].api_key
590	else:	593	return 'NO_FEED_TOKEN_AVAILABLE'
591	# use the main token so we don't end up with nothing...
592	return self.api_key
593		594
594	@classmethod	595	@classmethod
595	def extra_valid_auth_tokens(cls, user, role=None):	596	def extra_valid_auth_tokens(cls, user, role=None):
@@ -601,11 +602,57 b' class User(Base, BaseModel):'
601	UserApiKeys.role == UserApiKeys.ROLE_ALL))	602	UserApiKeys.role == UserApiKeys.ROLE_ALL))
602	return tokens.all()	603	return tokens.all()
603		604
		605	def authenticate_by_token(self, auth_token, roles=None,
		606	include_builtin_token=False):
		607	from rhodecode.lib import auth
		608
		609	log.debug('Trying to authenticate user: %s via auth-token, '
		610	'and roles: %s', self, roles)
		611
		612	if not auth_token:
		613	return False
		614
		615	crypto_backend = auth.crypto_backend()
		616
		617	roles = (roles or []) + [UserApiKeys.ROLE_ALL]
		618	tokens_q = UserApiKeys.query()\
		619	.filter(UserApiKeys.user_id == self.user_id)\
		620	.filter(or_(UserApiKeys.expires == -1,
		621	UserApiKeys.expires >= time.time()))
		622
		623	tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
		624
		625	maybe_builtin = []
		626	if include_builtin_token:
		627	maybe_builtin = [AttributeDict({'api_key': self.api_key})]
		628
		629	plain_tokens = []
		630	hash_tokens = []
		631
		632	for token in tokens_q.all() + maybe_builtin:
		633	if token.api_key.startswith(crypto_backend.ENC_PREF):
		634	hash_tokens.append(token.api_key)
		635	else:
		636	plain_tokens.append(token.api_key)
		637
		638	is_plain_match = auth_token in plain_tokens
		639	if is_plain_match:
		640	return True
		641
		642	for hashed in hash_tokens:
		643	# marcink: this is expensive to calculate, but the most secure
		644	match = crypto_backend.hash_check(auth_token, hashed)
		645	if match:
		646	return True
		647
		648	return False
		649
604	@property	650	@property
605	def builtin_token_roles(self):	651	def builtin_token_roles(self):
606	return map(UserApiKeys._get_role_name, [	652	roles = [
607	UserApiKeys.ROLE_API, UserApiKeys.ROLE_FEED, UserApiKeys.ROLE_HTTP	653	UserApiKeys.ROLE_API, UserApiKeys.ROLE_FEED, UserApiKeys.ROLE_HTTP
608	])	654	]
		655	return map(UserApiKeys._get_role_name, roles)
609		656
610	@property	657	@property
611	def ip_addresses(self):	658	def ip_addresses(self):

rhodecode/tests/functional/test_feed.py

0 +26 -5

@@ -17,7 +17,7 b''
17	# This program is dual-licensed. If you wish to learn more about the	17	# This program is dual-licensed. If you wish to learn more about the
18	# RhodeCode Enterprise Edition, including its added features, Support services,	18	# RhodeCode Enterprise Edition, including its added features, Support services,
19	# and proprietary license terms, please see https://rhodecode.com/licenses/	19	# and proprietary license terms, please see https://rhodecode.com/licenses/
20		20	from rhodecode.model.auth_token import AuthTokenModel
21	from rhodecode.model.db import User	21	from rhodecode.model.db import User
22	from rhodecode.tests import *	22	from rhodecode.tests import *
23		23
@@ -32,15 +32,36 b' class TestFeedController(TestController)'
32	assert response.content_type == "application/rss+xml"	32	assert response.content_type == "application/rss+xml"
33	assert """<rss version="2.0">""" in response	33	assert """<rss version="2.0">""" in response
34		34
35	def test_rss_with_auth_token(self, backend):	35	def test_rss_with_auth_token(self, backend, user_admin):
36	auth_token = ~~User~~.~~get_first_sup~~er_admin().feed_token	36	auth_token = user_admin.feed_token
37	assert auth_token != ''	37	assert auth_token != ''
38	response = self.app.get(~~url~~(~~controller~~=~~'feed'~~, ~~action~~=~~'rss'~~,	38	response = self.app.get(
39	repo_name=backend.repo_name, auth_token=auth_token))	39	url(controller='feed', action='rss',
		40	repo_name=backend.repo_name, auth_token=auth_token,
		41	status=200))
40		42
41	assert response.content_type == "application/rss+xml"	43	assert response.content_type == "application/rss+xml"
42	assert """<rss version="2.0">""" in response	44	assert """<rss version="2.0">""" in response
43		45
		46	def test_rss_with_auth_token_of_wrong_type(self, backend, user_util):
		47	user = user_util.create_user()
		48	auth_token = AuthTokenModel().create(
		49	user.user_id, 'test-token', -1, AuthTokenModel.cls.ROLE_API)
		50	auth_token = auth_token.api_key
		51
		52	self.app.get(
		53	url(controller='feed', action='rss',
		54	repo_name=backend.repo_name, auth_token=auth_token),
		55	status=302)
		56
		57	auth_token = AuthTokenModel().create(
		58	user.user_id, 'test-token', -1, AuthTokenModel.cls.ROLE_FEED)
		59	auth_token = auth_token.api_key
		60	self.app.get(
		61	url(controller='feed', action='rss',
		62	repo_name=backend.repo_name, auth_token=auth_token),
		63	status=200)
		64
44	def test_atom(self, backend):	65	def test_atom(self, backend):
45	self.log_user()	66	self.log_user()
46	response = self.app.get(url(controller='feed', action='atom',	67	response = self.app.get(url(controller='feed', action='atom',

rhodecode/tests/functional/test_login.py

0 +13 -10

                     ('fake_number', '123456'),
                     ('proper_auth_token', None)
                 ])
-                def test_access_not_whitelisted_page_via_auth_token(self, test_name,
+                def test_access_not_whitelisted_page_via_auth_token(
-                                                                    auth_token):
+                        self, test_name, auth_token, user_admin):
                     whitelist = self._get_api_whitelist([])
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         assert [] == whitelist['api_access_controllers_whitelist']
                         if test_name == 'proper_auth_token':
                             # use builtin if api_key is None
-                            auth_token = User.get_first_super_admin().api_key
+                            auth_token = user_admin.api_key
                         with fixture.anon_access(False):
                             self.app.get(url(controller='changeset',
                     ('fake_number', '123456', 302),
                     ('proper_auth_token', None, 200)
                 ])
-                def test_access_whitelisted_page_via_auth_token(self, test_name,
+                def test_access_whitelisted_page_via_auth_token(
-                                                                auth_token, code):
+                        self, test_name, auth_token, code, user_admin):
-                    whitelist = self._get_api_whitelist(
-                        ['ChangesetController:changeset_raw'])
+                    whitelist_entry = ['ChangesetController:changeset_raw']
+                    whitelist = self._get_api_whitelist(whitelist_entry)
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
-                        assert ['ChangesetController:changeset_raw'] == \
+                        assert whitelist_entry == whitelist['api_access_controllers_whitelist']
-                            whitelist['api_access_controllers_whitelist']
                         if test_name == 'proper_auth_token':
-                            auth_token = User.get_first_super_admin().api_key
+                            auth_token = user_admin.api_key
                         with fixture.anon_access(False):
                             self.app.get(url(controller='changeset',

rhodecode/tests/lib/test_auth.py

0 +26 0

@@ -26,6 +26,7 b' from mock import patch'
26		26
27	from rhodecode.lib import auth	27	from rhodecode.lib import auth
28	from rhodecode.lib.utils2 import md5	28	from rhodecode.lib.utils2 import md5
		29	from rhodecode.model.auth_token import AuthTokenModel
29	from rhodecode.model.db import User	30	from rhodecode.model.db import User
30	from rhodecode.model.repo import RepoModel	31	from rhodecode.model.repo import RepoModel
31	from rhodecode.model.user import UserModel	32	from rhodecode.model.user import UserModel
@@ -580,3 +581,28 b' class TestGenerateAuthToken(object):'
580	result = auth.generate_auth_token(user_name)	581	result = auth.generate_auth_token(user_name)
581	expected_result = sha1(user_name + random_salt).hexdigest()	582	expected_result = sha1(user_name + random_salt).hexdigest()
582	assert result == expected_result	583	assert result == expected_result
		584
		585
		586	@pytest.mark.parametrize("test_token, test_roles, auth_result, expected_tokens", [
		587	('', None, False,
		588	[]),
		589	('wrongtoken', None, False,
		590	[]),
		591	('abracadabra_vcs', [AuthTokenModel.cls.ROLE_API], False,
		592	[('abracadabra_api', AuthTokenModel.cls.ROLE_API, -1)]),
		593	('abracadabra_api', [AuthTokenModel.cls.ROLE_API], True,
		594	[('abracadabra_api', AuthTokenModel.cls.ROLE_API, -1)]),
		595	('abracadabra_api', [AuthTokenModel.cls.ROLE_API], True,
		596	[('abracadabra_api', AuthTokenModel.cls.ROLE_API, -1),
		597	('abracadabra_http', AuthTokenModel.cls.ROLE_HTTP, -1)]),
		598	])
		599	def test_auth_by_token(test_token, test_roles, auth_result, expected_tokens,
		600	user_util):
		601	user = user_util.create_user()
		602	user_id = user.user_id
		603	for token, role, expires in expected_tokens:
		604	new_token = AuthTokenModel().create(user_id, 'test-token', expires, role)
		605	new_token.api_key = token # inject known name for testing...
		606
		607	assert auth_result == user.authenticate_by_token(
		608	test_token, roles=test_roles, include_builtin_token=True)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages