def decode_token_with_latest_public_key(token):
"""Get the latest public key and decode the JWT token with it. This
function is usefull when the SSO server rotated its key."""
conf = dci_config.CONFIG
try:
latest_public_key = get_latest_public_key()
except Exception as e:
raise dci_exc.DCIException(
'Unable to get last SSO public key: %s' % str(e), # noqa
status_code=401)
# SSO server didn't update its public key
if conf['SSO_PUBLIC_KEY'] == latest_public_key:
raise dci_exc.DCIException('Invalid JWT token.',
status_code=401) # noqa
try:
decoded_token = auth.decode_jwt(token, latest_public_key,
conf['SSO_CLIENT_ID'])
conf['SSO_PUBLIC_KEY'] = latest_public_key
return decoded_token
except (jwt_exc.DecodeError, TypeError):
raise dci_exc.DCIException('Invalid JWT token.',
status_code=401) # noqa
except jwt_exc.ExpiredSignatureError:
raise dci_exc.DCIException(
'JWT token expired, please refresh.', # noqa
status_code=401)
def authenticate(self):
auth_header = self.request.headers.get('Authorization').split(' ')
if len(auth_header) != 2:
return False
bearer, token = auth_header
conf = dci_config.CONFIG
try:
decoded_token = auth.decode_jwt(token, conf['SSO_PUBLIC_KEY'],
conf['SSO_CLIENT_ID'])
except (jwt_exc.DecodeError, ValueError):
decoded_token = sso.decode_token_with_latest_public_key(token)
except jwt_exc.ExpiredSignatureError:
raise dci_exc.DCIException('JWT token expired, please refresh.',
status_code=401)
team_id = None
ro_group = conf['SSO_READ_ONLY_GROUP']
realm_access = decoded_token['realm_access']
if 'roles' in realm_access and ro_group in realm_access['roles']:
team_id = flask.g.team_redhat_id
user_info = self._get_user_info(decoded_token, team_id)
try:
self.identity = self._get_or_create_user(user_info)
except sa_exc.IntegrityError:
raise dci_exc.DCICreationConflict(models.USERS.name, 'username')
return True
def test_decode_jwt(m_datetime, access_token):
pubkey = dci_config.generate_conf()['SSO_PUBLIC_KEY']
m_utcnow = mock.MagicMock()
m_utcnow.utctimetuple.return_value = datetime.datetime.\
fromtimestamp(1505564918).timetuple()
m_datetime.utcnow.return_value = m_utcnow
decoded_jwt = auth.decode_jwt(access_token, pubkey, 'dci-cs')
assert decoded_jwt['username'] == 'dci'
assert decoded_jwt['email'] == '*****@*****.**'
def authenticate(self):
auth_header = self.request.headers.get('Authorization').split(' ')
if len(auth_header) != 2:
return False
bearer, token = auth_header
conf = dci_config.generate_conf()
try:
decoded_token = auth.decode_jwt(token, conf['SSO_PUBLIC_KEY'],
conf['SSO_CLIENT_ID'])
except jwt_exc.DecodeError:
raise dci_exc.DCIException('Invalid JWT token.', status_code=401)
except jwt_exc.ExpiredSignatureError:
raise dci_exc.DCIException('JWT token expired, please refresh.',
status_code=401)
sso_username = decoded_token['username']
self.identity = self._get_user_from_sso_username(sso_username)
if self.identity is None:
self.identity = self._create_user_and_get(decoded_token)
if self.identity is None:
return False