@@ -732,8 +732,6 b' class User(Base, BaseModel):' | |||
|
732 | 732 | if not auth_token: |
|
733 | 733 | return False |
|
734 | 734 | |
|
735 | crypto_backend = auth.crypto_backend() | |
|
736 | ||
|
737 | 735 | roles = (roles or []) + [UserApiKeys.ROLE_ALL] |
|
738 | 736 | tokens_q = UserApiKeys.query()\ |
|
739 | 737 | .filter(UserApiKeys.user_id == self.user_id)\ |
@@ -742,39 +740,42 b' class User(Base, BaseModel):' | |||
|
742 | 740 | |
|
743 | 741 | tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles)) |
|
744 | 742 | |
|
745 | plain_tokens = [] | |
|
746 |
|
|
|
747 | ||
|
748 |
|
|
|
749 | log.debug('Found %s user tokens to check for authentication', len(user_tokens)) | |
|
750 | for token in user_tokens: | |
|
751 | log.debug('AUTH_TOKEN: checking if user token with id `%s` matches', | |
|
752 |
|
|
|
753 | # verify scope first, since it's way faster than hash calculation of | |
|
754 | # encrypted tokens | |
|
755 | if token.repo_id: | |
|
756 | # token has a scope, we need to verify it | |
|
757 | if scope_repo_id != token.repo_id: | |
|
743 | crypto_backend = auth.crypto_backend() | |
|
744 | enc_token_map = {} | |
|
745 | plain_token_map = {} | |
|
746 | for token in tokens_q: | |
|
747 | if token.api_key.startswith(crypto_backend.ENC_PREF): | |
|
748 | enc_token_map[token.api_key] = token | |
|
749 | else: | |
|
750 | plain_token_map[token.api_key] = token | |
|
751 | log.debug( | |
|
752 | 'Found %s plain and %s encrypted user tokens to check for authentication', | |
|
753 | len(plain_token_map), len(enc_token_map)) | |
|
754 | ||
|
755 | # plain token match comes first | |
|
756 | match = plain_token_map.get(auth_token) | |
|
757 | ||
|
758 | # check encrypted tokens now | |
|
759 | if not match: | |
|
760 | for token_hash, token in enc_token_map.items(): | |
|
761 | # NOTE(marcink): this is expensive to calculate, but most secure | |
|
762 | if crypto_backend.hash_check(auth_token, token_hash): | |
|
763 | match = token | |
|
764 | break | |
|
765 | ||
|
766 | if match: | |
|
767 | log.debug('Found matching token %s', match) | |
|
768 | if match.repo_id: | |
|
769 | log.debug('Found scope, checking for scope match of token %s', match) | |
|
770 | if match.repo_id == scope_repo_id: | |
|
771 | return True | |
|
772 | else: | |
|
758 | 773 | log.debug( |
|
759 | 774 | 'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, ' |
|
760 | 775 | 'and calling scope is:%s, skipping further checks', |
|
761 |
|
|
|
762 | # token has a scope, and it doesn't match, skip token | |
|
763 | continue | |
|
764 | ||
|
765 | if token.api_key.startswith(crypto_backend.ENC_PREF): | |
|
766 | hash_tokens.append(token.api_key) | |
|
776 | match.repo, scope_repo_id) | |
|
777 | return False | |
|
767 | 778 | else: |
|
768 | plain_tokens.append(token.api_key) | |
|
769 | ||
|
770 | is_plain_match = auth_token in plain_tokens | |
|
771 | if is_plain_match: | |
|
772 | return True | |
|
773 | ||
|
774 | for hashed in hash_tokens: | |
|
775 | # NOTE(marcink): this is expensive to calculate, but most secure | |
|
776 | match = crypto_backend.hash_check(auth_token, hashed) | |
|
777 | if match: | |
|
778 | 779 | return True |
|
779 | 780 | |
|
780 | 781 | return False |
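Review bot: The scope check at new lines 768–777 runs only after a hash match is found, so every encrypted token is fed to `crypto_backend.hash_check` even when its `repo_id` can never satisfy `scope_repo_id`, and the first out-of-scope match now ends the lookup with `return False` where the removed code skipped that token and kept checking the remaining ones. Filtering scope while the maps are built at lines 746–750 restores both properties: put `if token.repo_id and token.repo_id != scope_repo_id:` / `continue` as the first statements of that loop body (logging the mismatch there as the new code does at 773–776), after which the `if match:` branch reduces to `return True`. Keying `plain_token_map` on `api_key` also means two rows with the same plaintext collapse to whichever is iterated last; that is presumably unreachable with unique keys, but a one-line comment stating the assumption would help. Separately, `log.debug('Found matching token %s', match)` at line 767 logs the model object, and if its repr includes `api_key` the plain secret lands in the debug log — logging the token's id as the removed line 751 did is the safer choice. The enclosing method begins before both hunks (the `auth_token` guard at 732 is already mid-body).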