auth: simplified auth-token matching code.
marcink -
r3464:97b77727 default
@@ -732,8 +732,6 b' class User(Base, BaseModel):'
732 if not auth_token:
732 if not auth_token:
733 return False
733 return False
734
734
735 crypto_backend = auth.crypto_backend()
736
737 roles = (roles or []) + [UserApiKeys.ROLE_ALL]
735 roles = (roles or []) + [UserApiKeys.ROLE_ALL]
738 tokens_q = UserApiKeys.query()\
736 tokens_q = UserApiKeys.query()\
739 .filter(UserApiKeys.user_id == self.user_id)\
737 .filter(UserApiKeys.user_id == self.user_id)\
@@ -742,39 +740,42 b' class User(Base, BaseModel):'
742
740
743 tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
741 tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
744
742
745 plain_tokens = []
743 crypto_backend = auth.crypto_backend()
746 hash_tokens = []
744 enc_token_map = {}
747
745 plain_token_map = {}
748 user_tokens = tokens_q.all()
746 for token in tokens_q:
749 log.debug('Found %s user tokens to check for authentication', len(user_tokens))
747 if token.api_key.startswith(crypto_backend.ENC_PREF):
750 for token in user_tokens:
748 enc_token_map[token.api_key] = token
751 log.debug('AUTH_TOKEN: checking if user token with id `%s` matches',
749 else:
752 token.user_api_key_id)
750 plain_token_map[token.api_key] = token
753 # verify scope first, since it's way faster than hash calculation of
751 log.debug(
754 # encrypted tokens
752 'Found %s plain and %s encrypted user tokens to check for authentication',
755 if token.repo_id:
753 len(plain_token_map), len(enc_token_map))
756 # token has a scope, we need to verify it
754
757 if scope_repo_id != token.repo_id:
755 # plain token match comes first
756 match = plain_token_map.get(auth_token)
757
758 # check encrypted tokens now
759 if not match:
760 for token_hash, token in enc_token_map.items():
761 # NOTE(marcink): this is expensive to calculate, but most secure
762 if crypto_backend.hash_check(auth_token, token_hash):
763 match = token
764 break
765
766 if match:
767 log.debug('Found matching token %s', match)
768 if match.repo_id:
769 log.debug('Found scope, checking for scope match of token %s', match)
770 if match.repo_id == scope_repo_id:
771 return True
772 else:
758 log.debug(
773 log.debug(
759 'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, '
774 'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, '
760 'and calling scope is:%s, skipping further checks',
775 'and calling scope is:%s, skipping further checks',
761 token.repo, scope_repo_id)
776 match.repo, scope_repo_id)
762 # token has a scope, and it doesn't match, skip token
777 return False
763 continue
764
765 if token.api_key.startswith(crypto_backend.ENC_PREF):
766 hash_tokens.append(token.api_key)
767 else:
778 else:
768 plain_tokens.append(token.api_key)
769
770 is_plain_match = auth_token in plain_tokens
771 if is_plain_match:
772 return True
773
774 for hashed in hash_tokens:
775 # NOTE(marcink): this is expensive to calculate, but most secure
776 match = crypto_backend.hash_check(auth_token, hashed)
777 if match:
778 return True
779 return True
779
780
780 return False
781 return False
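Review bot: In the second hunk the `hash_check` loop over `enc_token_map` now runs before any scope check, so every encrypted token is hashed on each authentication attempt even when its `repo_id` can never match `scope_repo_id`; the removed code skipped those tokens first precisely because the hash is the expensive step, and the new ordering makes each failed request cost one slow hash per stored encrypted token. Restoring the cheap filter inside the loop, `if token.repo_id and token.repo_id != scope_repo_id:` / `continue` before the `hash_check` call, keeps the new map-based structure while avoiding the extra work. Two further behaviour changes worth a comment in the method: both maps are keyed on `api_key`, so if a user holds two tokens with the same value only the last one is considered (the old loop evaluated each token's scope separately), and `log.debug('Found matching token %s', match)` logs the token object itself, which is fine only if its repr does not include the `api_key` value — please confirm. The enclosing method starts before the first hunk.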