Ejemplo n.º 1
0
def load_token(access_token=None, refresh_token=None):
    """ Callback to retrieve token info from given token string.
    Called from verify_request. Expiration verification is done afterwards in the library.
    """
    log.info("OAuth:load_token(access=%s, refresh=%s)", access_token, refresh_token)
    try:
        if access_token:
            token_id = str("access_token_%s" % access_token)
            with _token_lock:
                token_obj = ui_instance.container.object_store.read(token_id)
                token = OAuthTokenObj.from_security_token(token_obj)
                if not token.is_valid():
                    log.info("OAuth: client used invalid access token")
                    return None

                flask.g.oauth_user = token.user
                flask.g.actor_id = token.user["actor_id"]
                if "noextend" not in request.headers.get("scion-session", "") and \
                    ui_instance.extend_session_timeout and token.is_valid(check_expiry=True):
                    new_expires = get_ion_ts_millis() + 1000 * ui_instance.session_timeout
                    if ui_instance.max_session_validity:
                        # Make sure token does not exceed maximum validity
                        new_expires = min(new_expires, token_obj.attributes.get("ts_created", 0) +
                                          1000 * ui_instance.max_session_validity)
                    if (ui_instance.session_timeout <= 120 and new_expires > int(token_obj.expires)) or \
                            (ui_instance.session_timeout > 120 and new_expires - 60000 > int(token_obj.expires)):
                        # Only extend session if by 60 sec (unless session is very short as in testing)
                        # This reduces the likelihood of an extension
                        for i in xrange(3):
                            token_obj.expires = str(new_expires)
                            try:
                                ui_instance.container.object_store.update(token_obj)
                                break
                            except Conflict:
                                # Concurrency conflict: random wait, then get most recent object rev
                                gevent.sleep(random.random() * 0.05 * (i+1))  # Add some random delays
                                token_obj = ui_instance.container.object_store.read(token_id)
                        token = OAuthTokenObj.from_security_token(token_obj)
                        log.info("Access token extended for user=%s", token.user["actor_id"])
                        # IGNORE session in ActorIdentity
                return token

        elif refresh_token:
            token_id = str("refresh_token_%s" % refresh_token)
            token_obj = ui_instance.container.object_store.read(token_id)
            token = OAuthTokenObj.from_security_token(token_obj)
            if not token.is_valid():
                log.info("OAuth: client used invalid refresh token")
                return None

            flask.g.oauth_user = token.user
            flask.g.actor_id = token.user["actor_id"]
            return token
    except NotFound:
        pass
    return None
Ejemplo n.º 2
0
def load_token(access_token=None, refresh_token=None):
    """ Callback to retrieve token info from given token string.
    Called from verify_request. Expiration verification is done afterwards in the library.
    """
    log.info("OAuth:load_token(access=%s, refresh=%s)", access_token, refresh_token)
    try:
        if access_token:
            token_id = str("access_token_%s" % access_token)
            token_obj = ui_instance.container.object_store.read(token_id)
            token = OAuthTokenObj.from_security_token(token_obj)
            if not token.is_valid():
                log.info("OAuth: client used invalid access token")
                return None

            flask.g.oauth_user = token.user
            flask.g.actor_id = token.user["actor_id"]
            if ui_instance.extend_session_timeout and token.is_valid(check_expiry=True):
                new_expires = get_ion_ts_millis() + 1000 * ui_instance.session_timeout
                if ui_instance.max_session_validity:
                    # Make sure token does not exceed maximum validity
                    new_expires = min(new_expires, token_obj.attributes.get("ts_created", 0) +
                                      1000 * ui_instance.max_session_validity)
                if new_expires > int(token_obj.expires):
                    token_obj.expires = str(new_expires)
                    ui_instance.container.object_store.update(token_obj)
                    token = OAuthTokenObj.from_security_token(token_obj)
                    log.info("Access token extended for user=%s", token.user["actor_id"])
                    # IGNORE session in ActorIdentity
            return token

        elif refresh_token:
            token_id = str("refresh_token_%s" % refresh_token)
            token_obj = ui_instance.container.object_store.read(token_id)
            token = OAuthTokenObj.from_security_token(token_obj)
            if not token.is_valid():
                log.info("OAuth: client used invalid refresh token")
                return None

            flask.g.oauth_user = token.user
            flask.g.actor_id = token.user["actor_id"]
            return token
    except NotFound:
        pass
    return None
Ejemplo n.º 3
0
def load_token(access_token=None, refresh_token=None):
    log.info("OAuth:load_token access=%s refresh=%s", access_token, refresh_token)
    try:
        if access_token:
            token_id = str("access_token_%s" % access_token)
            token_obj = ui_instance.container.object_store.read(token_id)
            token = OAuthTokenObj.from_security_token(token_obj)
            flask.g.oauth_user = token.user
            flask.g.actor_id = token.user["actor_id"]
            flask.session["access_token"] = access_token
            flask.session["actor_id"] = token.user["actor_id"]
            return token
        elif refresh_token:
            token_id = str("refresh_token_%s" % refresh_token)
            token_obj = ui_instance.container.object_store.read(token_id)
            token = OAuthTokenObj.from_security_token(token_obj)
            flask.g.oauth_user = token.user
            flask.g.actor_id = token.user["actor_id"]
            return token
    except NotFound:
        pass
    return None
Ejemplo n.º 4
0
    def get_governance_info_from_request(self, json_params=None):
        # Default values for governance headers.
        actor_id = DEFAULT_ACTOR_ID
        expiry = DEFAULT_EXPIRY
        authtoken = ""
        user_session = get_auth()
        #if user_session.get("actor_id", None) and user_session.get("valid_until", 0):
        if user_session.get("actor_id", None):
            # Get info from current server session
            # NOTE: Actor id may be inside server session
            expiry = int(user_session.get("valid_until", 0)) * 1000
            if expiry:
                # This was a proper non-token server session authentication
                expiry = str(expiry)
                actor_id = user_session["actor_id"]
                log.info("Request associated with session actor_id=%s, expiry=%s", actor_id, expiry)
            else:
                # We are just taking the user_id out of the session
                # TODO: Need to check access token here
                expiry = str(expiry)
                if self.token_from_session:
                    actor_id = user_session["actor_id"]
                    log.info("Request associated with actor's token from session; actor_id=%s, expiry=%s", actor_id, expiry)

        # Developer access using api_key
        if self.develop_mode and "api_key" in request.args and request.args["api_key"]:
            actor_id = str(request.args["api_key"])
            expiry = str(int(user_session.get("valid_until", 0)) * 1000)
            if 0 < int(expiry) < current_time_millis():
                expiry = str(current_time_millis() + 10000)
                # flask.session["valid_until"] = int(expiry / 1000)
            log.info("Request associated with actor_id=%s, expiry=%s from developer api_key", actor_id, expiry)

        # Check in headers for OAuth2 bearer token
        auth_hdr = request.headers.get("authorization", None)
        if auth_hdr:
            valid, req = self.process.oauth.verify_request([self.process.oauth_scope])
            if valid:
                actor_id = flask.g.oauth_user.get("actor_id", "")
                if actor_id:
                    log.info("Request associated with actor_id=%s, expiry=%s from OAuth token", actor_id, expiry)
                    return actor_id, DEFAULT_EXPIRY

        # Try to find auth token override
        if not authtoken:
            if json_params:
                if "authtoken" in json_params:
                    authtoken = json_params["authtoken"]
            else:
                if "authtoken" in request.args:
                    authtoken = str(request.args["authtoken"])

        # Enable temporary authentication tokens to resolve to actor ids
        if authtoken:
            try:
                if authtoken.startswith(("Bearer_")):
                    # Backdoor way for OAuth2 access tokens as request args for GET URLs
                    authtoken = authtoken[7:]
                    token_id = "access_token_" + str(authtoken)
                    token_obj = self.process.container.object_store.read(token_id)
                    token = OAuthTokenObj.from_security_token(token_obj)
                    if token.is_valid(check_expiry=True):
                        actor_id = token.user["actor_id"]
                        expiry = str(token._token_obj.expires)
                        log.info("Resolved OAuth2 token %s into actor_id=%s expiry=%s", authtoken, actor_id, expiry)
                else:
                    token_info = self.idm_client.check_authentication_token(authtoken, headers=self._get_gateway_headers())
                    actor_id = token_info.get("actor_id", actor_id)
                    expiry = token_info.get("expiry", expiry)
                    log.info("Resolved token %s into actor_id=%s expiry=%s", authtoken, actor_id, expiry)
            except NotFound:
                log.info("Provided authentication token not found: %s", authtoken)
            except Unauthorized:
                log.info("Authentication token expired or invalid: %s", authtoken)
            except Exception as ex:
                log.exception("Problem resolving authentication token")

        return actor_id, expiry