@@ -732,8 +732,6 b' class User(Base, BaseModel):' | |||||
732 | if not auth_token: |
|
732 | if not auth_token: | |
733 | return False |
|
733 | return False | |
734 |
|
734 | |||
735 | crypto_backend = auth.crypto_backend() |
|
|||
736 |
|
||||
737 | roles = (roles or []) + [UserApiKeys.ROLE_ALL] |
|
735 | roles = (roles or []) + [UserApiKeys.ROLE_ALL] | |
738 | tokens_q = UserApiKeys.query()\ |
|
736 | tokens_q = UserApiKeys.query()\ | |
739 | .filter(UserApiKeys.user_id == self.user_id)\ |
|
737 | .filter(UserApiKeys.user_id == self.user_id)\ | |
@@ -742,39 +740,42 b' class User(Base, BaseModel):' | |||||
742 |
|
740 | |||
743 | tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles)) |
|
741 | tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles)) | |
744 |
|
742 | |||
745 | plain_tokens = [] |
|
743 | crypto_backend = auth.crypto_backend() | |
746 |
|
|
744 | enc_token_map = {} | |
747 |
|
745 | plain_token_map = {} | ||
748 |
|
|
746 | for token in tokens_q: | |
749 | log.debug('Found %s user tokens to check for authentication', len(user_tokens)) |
|
747 | if token.api_key.startswith(crypto_backend.ENC_PREF): | |
750 | for token in user_tokens: |
|
748 | enc_token_map[token.api_key] = token | |
751 | log.debug('AUTH_TOKEN: checking if user token with id `%s` matches', |
|
749 | else: | |
752 |
|
|
750 | plain_token_map[token.api_key] = token | |
753 | # verify scope first, since it's way faster than hash calculation of |
|
751 | log.debug( | |
754 | # encrypted tokens |
|
752 | 'Found %s plain and %s encrypted user tokens to check for authentication', | |
755 | if token.repo_id: |
|
753 | len(plain_token_map), len(enc_token_map)) | |
756 | # token has a scope, we need to verify it |
|
754 | ||
757 | if scope_repo_id != token.repo_id: |
|
755 | # plain token match comes first | |
|
756 | match = plain_token_map.get(auth_token) | |||
|
757 | ||||
|
758 | # check encrypted tokens now | |||
|
759 | if not match: | |||
|
760 | for token_hash, token in enc_token_map.items(): | |||
|
761 | # NOTE(marcink): this is expensive to calculate, but most secure | |||
|
762 | if crypto_backend.hash_check(auth_token, token_hash): | |||
|
763 | match = token | |||
|
764 | break | |||
|
765 | ||||
|
766 | if match: | |||
|
767 | log.debug('Found matching token %s', match) | |||
|
768 | if match.repo_id: | |||
|
769 | log.debug('Found scope, checking for scope match of token %s', match) | |||
|
770 | if match.repo_id == scope_repo_id: | |||
|
771 | return True | |||
|
772 | else: | |||
758 | log.debug( |
|
773 | log.debug( | |
759 | 'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, ' |
|
774 | 'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, ' | |
760 | 'and calling scope is:%s, skipping further checks', |
|
775 | 'and calling scope is:%s, skipping further checks', | |
761 |
|
|
776 | match.repo, scope_repo_id) | |
762 | # token has a scope, and it doesn't match, skip token |
|
777 | return False | |
763 | continue |
|
|||
764 |
|
||||
765 | if token.api_key.startswith(crypto_backend.ENC_PREF): |
|
|||
766 | hash_tokens.append(token.api_key) |
|
|||
767 | else: |
|
778 | else: | |
768 | plain_tokens.append(token.api_key) |
|
|||
769 |
|
||||
770 | is_plain_match = auth_token in plain_tokens |
|
|||
771 | if is_plain_match: |
|
|||
772 | return True |
|
|||
773 |
|
||||
774 | for hashed in hash_tokens: |
|
|||
775 | # NOTE(marcink): this is expensive to calculate, but most secure |
|
|||
776 | match = crypto_backend.hash_check(auth_token, hashed) |
|
|||
777 | if match: |
|
|||
778 | return True |
|
779 | return True | |
779 |
|
780 | |||
780 | return False |
|
781 | return False |
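Review bot: The rewritten lookup (new lines 758-777) now runs `crypto_backend.hash_check` against every encrypted token before looking at scope, and a scope mismatch on the first match returns False outright, whereas the removed code filtered on `repo_id` first (skipping the expensive hash) and `continue`d to the remaining tokens. This drops the cheap pre-filter the old comment justified and changes behaviour when a user holds several tokens with different repo scopes — a later row whose scope does match is never reached. Restoring the filter inside the loop at new line 760 keeps both properties: `if token.repo_id and token.repo_id != scope_repo_id:` / `    continue`, with the same guard applied to the plain-map result before treating it as a match. The debug calls at new lines 767 and 769 log the `match` object itself; if `UserApiKeys.__repr__` includes `api_key` this writes the secret to debug logs, so consider logging `match.user_api_key_id` (or another id field) instead — confirm against the model definition, which is outside this hunk.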