upstream/kallithea Commit - r6347:9cf90371

auth: add support for "Bearer" auth scheme (API key variant)...

Søren Løvborg -

r6347:9cf90371 default

parent child

docs/api/api.rst

0 +8 -2

                     FilesController:raw,
                     FilesController:archivefile
-            After this change, a Kallithea view can be accessed without login by adding a
+            After this change, a Kallithea view can be accessed without login using
-            GET parameter ``?api_key=<api_key>`` to the URL.
+            bearer authentication, by including this header with the request::
+                Authentication: Bearer <api_key>
+            Alternatively, the API key can be passed in the URL query string using
+            ``?api_key=<api_key>``, though this is not recommended due to the increased
+            risk of API key leaks, and support will likely be removed in the future.
             Exposing raw diffs is a good way to integrate with
             third-party services like code review, or build farms that can download archives.

kallithea/lib/base.py

0 +20 -4

                     self.scm_model = ScmModel(self.sa)
                 @staticmethod
-                def _determine_auth_user(api_key, session_authuser):
+                def _determine_auth_user(api_key, bearer_token, session_authuser):
+                    """
+                    Create an `AuthUser` object given the API key/bearer token
+                    (if any) and the value of the authuser session cookie.
                     """
-                    Create an `AuthUser` object given the API key (if any) and the
-                    value of the authuser session cookie.
+                    # Authenticate by bearer token
-                    """
+                    if bearer_token is not None:
+                        api_key = bearer_token
                     # Authenticate by API key
                     if api_key is not None:
                         self._basic_security_checks()
                         #set globals for auth user
+                        bearer_token = None
+                        try:
+                            # Request.authorization may raise ValueError on invalid input
+                            type, params = request.authorization
+                        except (ValueError, TypeError):
+                            pass
+                        else:
+                            if type.lower() == 'bearer':
+                                bearer_token = params
                         self.authuser = c.authuser = request.user = self._determine_auth_user(
                             request.GET.get('api_key'),
+                            bearer_token,
                             session.get('authuser'),
                         )

kallithea/lib/utils2.py

0 +7 0

             def generate_api_key():
                 """
                 Generates a random (presumably unique) API key.
+                This value is used in URLs and "Bearer" HTTP Authorization headers,
+                which in practice means it should only contain URL-safe characters
+                (RFC 3986):
+                    unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
                 """
+                # Hexadecimal certainly qualifies as URL-safe.
                 return binascii.hexlify(os.urandom(20))

kallithea/tests/functional/test_login.py

0 +12 -3

                 def _api_key_test(self, api_key, status):
                     """Verifies HTTP status code for accessing an auth-requiring page,
-                    using the given api_key URL parameter. If api_key is None, no api_key
+                    using the given api_key URL parameter as well as using the API key
-                    parameter is passed at all. If api_key is True, a real, working API key
+                    with bearer authentication.
-                    is used.
+                    If api_key is None, no api_key is passed at all. If api_key is True,
+                    a real, working API key is used.
                     """
                     with fixture.anon_access(False):
                         if api_key is None:
                             params = {}
+                            headers = {}
                         else:
                             if api_key is True:
                                 api_key = User.get_first_admin().api_key
                             params = {'api_key': api_key}
+                            headers = {'Authorization': 'Bearer ' + str(api_key)}
                         self.app.get(url(controller='changeset', action='changeset_raw',
                                          repo_name=HG_REPO, revision='tip', **params),
                                      status=status)
+                        self.app.get(url(controller='changeset', action='changeset_raw',
+                                         repo_name=HG_REPO, revision='tip'),
+                                     headers=headers,
+                                     status=status)
                 @parametrize('test_name,api_key,code', [
                     ('none', None, 302),
                     ('empty_string', '', 403),

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages