Beispiel #1
0
    def handle_auth(self,
                    request,
                    headers=None,
                    remote_addr=None,
                    remote_user=None,
                    authorization=None,
                    **kwargs):
        remote_addr = headers.get('x-forwarded-for', remote_addr)
        extra = {'remote_addr': remote_addr}

        if remote_user:
            ttl = getattr(request, 'ttl', None)
            username = self._get_username_for_request(remote_user, request)
            try:
                token = self._create_token_for_user(username=username, ttl=ttl)
            except TTLTooLargeException as e:
                abort_request(status_code=http_client.BAD_REQUEST,
                              message=e.message)
            return token

        LOG.audit('Access denied to anonymous user.', extra=extra)
        abort_request()
Beispiel #2
0
    def _get_username_for_request(self, username, request):
        impersonate_user = getattr(request, 'user', None)

        if impersonate_user is not None:
            # check this is a service account
            try:
                if not User.get_by_name(username).is_service:
                    message = "Current user is not a service and cannot " \
                              "request impersonated tokens"
                    abort_request(status_code=http_client.BAD_REQUEST,
                                  message=message)
                    return
                username = impersonate_user
            except (UserNotFoundError, StackStormDBObjectNotFoundError):
                message = "Could not locate user %s" % \
                          (impersonate_user)
                abort_request(status_code=http_client.BAD_REQUEST,
                              message=message)
                return
        else:
            impersonate_user = getattr(request, 'impersonate_user', None)
            nickname_origin = getattr(request, 'nickname_origin', None)
            if impersonate_user is not None:
                try:
                    # check this is a service account
                    if not User.get_by_name(username).is_service:
                        raise NotServiceUserError()
                    username = User.get_by_nickname(impersonate_user,
                                                    nickname_origin).name
                except NotServiceUserError:
                    message = "Current user is not a service and cannot " \
                              "request impersonated tokens"
                    abort_request(status_code=http_client.BAD_REQUEST,
                                  message=message)
                    return
                except (UserNotFoundError, StackStormDBObjectNotFoundError):
                    message = "Could not locate user %s@%s" % \
                              (impersonate_user, nickname_origin)
                    abort_request(status_code=http_client.BAD_REQUEST,
                                  message=message)
                    return
                except NoNicknameOriginProvidedError:
                    message = "Nickname origin is not provided for nickname '%s'" % \
                              impersonate_user
                    abort_request(status_code=http_client.BAD_REQUEST,
                                  message=message)
                    return
                except AmbiguousUserError:
                    message = "%s@%s matched more than one username" % \
                              (impersonate_user, nickname_origin)
                    abort_request(status_code=http_client.BAD_REQUEST,
                                  message=message)
                    return
        return username
Beispiel #3
0
    def handle_auth(self,
                    request,
                    headers=None,
                    remote_addr=None,
                    remote_user=None,
                    authorization=None,
                    **kwargs):
        auth_backend = self._auth_backend.__class__.__name__

        extra = {'auth_backend': auth_backend, 'remote_addr': remote_addr}

        if not authorization:
            LOG.audit('Authorization header not provided', extra=extra)
            abort_request()
            return

        auth_type, auth_value = authorization
        if auth_type.lower() not in ['basic']:
            extra['auth_type'] = auth_type
            LOG.audit('Unsupported authorization type: %s' % (auth_type),
                      extra=extra)
            abort_request()
            return

        try:
            auth_value = base64.b64decode(auth_value)
        except Exception:
            LOG.audit('Invalid authorization header', extra=extra)
            abort_request()
            return

        split = auth_value.split(':')
        if len(split) != 2:
            LOG.audit('Invalid authorization header', extra=extra)
            abort_request()
            return

        username, password = split
        result = self._auth_backend

        result = self._auth_backend.authenticate(username=username,
                                                 password=password)
        if result is True:
            ttl = getattr(request, 'ttl', None)
            username = self._get_username_for_request(username, request)
            try:
                token = self._create_token_for_user(username=username, ttl=ttl)
                return token
            except TTLTooLargeException as e:
                abort_request(status_code=http_client.BAD_REQUEST,
                              message=e.message)
                return

        LOG.audit('Invalid credentials provided', extra=extra)
        abort_request()