def register_subtoken(subtoken, rule, intent, caller_ip):
    """Persists a new AuthDelegationSubtoken entity and returns its integer ID.

    Args:
        subtoken: delegation_pb2.Subtoken describing the token being minted.
        rule: config_pb2.DelegationConfig.Rule that authorized the operation.
        intent: intent string supplied by the requestor when the token was created.
        caller_ip: ipaddr.IP of the caller making the request.

    Returns:
        int64 ID of the newly created datastore entity.
    """
    # Both protos are stored in serialized form; the denormalized scalar fields
    # beside them exist so the entity can be filtered/indexed without decoding.
    fields = {
        'subtoken': subtoken.SerializeToString(),
        'rule': rule.SerializeToString(),
        'intent': intent,
        'caller_ip': ipaddr.ip_to_string(caller_ip),
        'auth_service_version': utils.get_app_version(),
        'delegated_identity': subtoken.delegated_identity,
        # Presumably creation_time is in seconds and the helper wants
        # microseconds, hence the 1e6 scale factor -- confirm against utils.
        'creation_time': utils.timestamp_to_datetime(subtoken.creation_time * 1e6),
        'services': list(subtoken.services),
        'requestor_identity': subtoken.requestor_identity,
    }
    record = AuthDelegationSubtoken(**fields)
    # Write straight through to the datastore, bypassing both ndb caches.
    record.put(use_cache=False, use_memcache=False)
    new_id = record.key.integer_id()

    # Mirror the key facts (who asked, from where, on whose behalf) into the
    # request log as well so they are extractable via BigQuery log export
    # independently of the datastore row. The caller-supplied `intent` is
    # deliberately left out of the log line.
    logging.info(
        'subtoken: subtoken_id=%d caller_ip=%s '
        'delegated_identity=%s requestor_identity=%s', new_id,
        record.caller_ip, record.delegated_identity, record.requestor_identity)

    return new_id
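 def test_ip_to_string_v6_ok(self):
     """ip_to_string renders 128-bit values as eight uncompressed hex groups.

     The expected strings show the rendering contract: no '::' compression
     and no zero-padding inside a group. The top-bits literal previously used
     the Python-2-only ``L`` suffix; a plain literal is equivalent on Python 2
     (it auto-promotes to long) and also parses on Python 3.
     """
     cases = [
         (0, '0:0:0:0:0:0:0:0'),
         (2**128 - 1, 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'),
         (0xffff, '0:0:0:0:0:0:0:ffff'),
         (0xffff0000000000000000000000000000, 'ffff:0:0:0:0:0:0:0'),
     ]
     for value, expected in cases:
         self.assertEqual(expected, ipaddr.ip_to_string(ipaddr.IP(128, value)))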
def validate_bot_id_and_fetch_config(bot_id):
    """Verifies the ID reported by a bot matches the credentials being used.

    Expected to be called in the context of a bot API request handler. Looks
    up the bot group config (bots.cfg) for `bot_id` and checks the peer's
    credentials against whichever auth method that group requires:

      * require_luci_machine_token: the peer identity must be a machine token
        valid for this bot ID (per _is_valid_ident_for_bot).
      * require_service_account: the peer identity must be exactly that
        service account.
      * otherwise ip_whitelist must be set, and the peer IP must be in it.

    If ip_whitelist is set it is enforced in addition to the credential check.
    When neither credential requirement is set, IP whitelist membership is the
    sole authentication factor; how trustworthy that is depends on how
    auth.get_peer_ip() derives the address (not visible here). Note that the
    two credential branches are mutually exclusive (`elif`): if a config set
    both, only the machine-token check would run.

    Every rejection is logged at ERROR with the bot ID and the observed peer
    identity/IP so it can be audited.

    Args:
        bot_id: the bot ID string reported by the caller.

    Returns:
        The BotGroupConfig tuple for this bot, as defined in bots.cfg.

    Raises:
        auth.AuthorizationError if bot_id is unknown or the bot is using
        credentials (or an IP) that do not match its group config.
    """
    def reject(reason, log_fmt, *log_args):
        # Log first, then raise: the ERROR line is the audit record of the
        # denial, the message is what the bot sees.
        logging.error(log_fmt, *log_args)
        raise auth.AuthorizationError(reason)

    cfg = bot_groups_config.get_bot_group_config(bot_id)
    if not cfg:
        reject('Unknown bot ID, not in config',
               'bot_auth: unknown bot_id, not in the config\nbot_id: "%s"',
               bot_id)

    peer_ident = auth.get_peer_identity()
    if cfg.require_luci_machine_token:
        if not _is_valid_ident_for_bot(peer_ident, bot_id):
            reject('Bot ID doesn\'t match the token used',
                   'bot_auth: bot ID doesn\'t match the machine token used\n'
                   'bot_id: "%s", peer_ident: "%s"',
                   bot_id, peer_ident.to_bytes())
    elif cfg.require_service_account:
        expected_id = auth.Identity(auth.IDENTITY_USER,
                                    cfg.require_service_account)
        if peer_ident != expected_id:
            reject('bot is not using expected service account',
                   'bot_auth: bot is not using expected service account\n'
                   'bot_id: "%s", expected_id: "%s", peer_ident: "%s"',
                   bot_id, expected_id.to_bytes(), peer_ident.to_bytes())
    elif not cfg.ip_whitelist:
        # Config validation should make this unreachable; fail closed anyway.
        reject('Invalid bot group config',
               'bot_auth: invalid bot group config, no auth method defined\n'
               'bot_id: "%s"',
               bot_id)

    # IP whitelist applies on top of whatever credential check passed above.
    if cfg.ip_whitelist:
        ip = auth.get_peer_ip()
        if not auth.is_in_ip_whitelist(cfg.ip_whitelist, ip):
            reject('Not IP whitelisted',
                   'bot_auth: bot IP is not whitelisted\n'
                   'bot_id: "%s", peer_ip: "%s", ip_whitelist: "%s"',
                   bot_id, ipaddr.ip_to_string(ip), cfg.ip_whitelist)

    return cfg
 def check_ip_and_finish(auth_method, condition):
     """Applies the group's IP whitelist (if any) and records the auth result.

     Closes over `bot_auth`, `ip`, `bot_id`, `error` and `errors` from the
     enclosing scope (defined outside this block). Returns a
     (error_message, errors) pair: (None, []) on success, otherwise the
     rejection message plus the accumulated errors list.
     """
     whitelist = bot_auth.ip_whitelist
     # An empty whitelist means "no IP restriction" -- it does not deny.
     if whitelist and not auth.is_in_ip_whitelist(whitelist, ip):
         error(
             'bot_auth: bot IP is not whitelisted\n'
             'bot_id: "%s", peer_ip: "%s", ip_whitelist: "%s"', bot_id,
             ipaddr.ip_to_string(ip), whitelist)
         return 'Not IP whitelisted', errors
     # Only a fully successful check is counted in the metrics.
     ts_mon_metrics.on_bot_auth_success(auth_method, condition)
     return None, []
 def test_ip_to_string_v6_bad(self):
     """A 128-bit IP whose value does not fit in 128 bits is rejected."""
     too_big = ipaddr.IP(128, 2**128)
     self.assertRaises(ValueError, ipaddr.ip_to_string, too_big)
 def test_ip_to_string_v4_bad(self):
     """Unsupported bit widths and out-of-range IPv4 values raise ValueError."""
     # Neither 8 bits nor a value of 2**32 is a valid IPv4 address.
     for bad in (ipaddr.IP(8, 0), ipaddr.IP(32, 2**32)):
         self.assertRaises(ValueError, ipaddr.ip_to_string, bad)
 def test_ip_to_string_v4_ok(self):
     """ip_to_string renders 32-bit values in dotted-quad form."""
     cases = [
         (0, '0.0.0.0'),
         (2**32 - 1, '255.255.255.255'),
         (255, '0.0.0.255'),
         (0x7f000001, '127.0.0.1'),
     ]
     for value, expected in cases:
         self.assertEqual(expected, ipaddr.ip_to_string(ipaddr.IP(32, value)))
 def get(self):
     """Responds with the peer IP address (as the auth layer sees it) as text.

     Whether this reflects a proxy header or the TCP peer depends on
     api.get_peer_ip(), which is not visible here.
     """
     peer = api.get_peer_ip()
     self.response.write(ipaddr.ip_to_string(peer))
 def get(self):
     """Responds with the IP associated with the current identity, as text."""
     ident_ip = api.get_current_identity_ip()
     self.response.write(ipaddr.ip_to_string(ident_ip))
 def test_ip_to_string_v6_bad(self):
     """A 128-bit IP whose value does not fit in 128 bits is rejected."""
     too_big = ipaddr.IP(128, 2 ** 128)
     self.assertRaises(ValueError, ipaddr.ip_to_string, too_big)
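 def test_ip_to_string_v6_ok(self):
     """ip_to_string renders 128-bit values as eight uncompressed hex groups.

     The expected strings show the rendering contract: no '::' compression
     and no zero-padding inside a group. The top-bits literal previously used
     the Python-2-only ``L`` suffix; a plain literal is equivalent on Python 2
     (it auto-promotes to long) and also parses on Python 3.
     """
     cases = [
         (0, "0:0:0:0:0:0:0:0"),
         (2 ** 128 - 1, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"),
         (0xFFFF, "0:0:0:0:0:0:0:ffff"),
         (0xFFFF0000000000000000000000000000, "ffff:0:0:0:0:0:0:0"),
     ]
     for value, expected in cases:
         self.assertEqual(expected, ipaddr.ip_to_string(ipaddr.IP(128, value)))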
 def test_ip_to_string_v4_bad(self):
     """Unsupported bit widths and out-of-range IPv4 values raise ValueError."""
     # Neither 8 bits nor a value of 2**32 is a valid IPv4 address.
     for bad in (ipaddr.IP(8, 0), ipaddr.IP(32, 2 ** 32)):
         self.assertRaises(ValueError, ipaddr.ip_to_string, bad)
 def test_ip_to_string_v4_ok(self):
     """ip_to_string renders 32-bit values in dotted-quad form."""
     cases = [
         (0, "0.0.0.0"),
         (2 ** 32 - 1, "255.255.255.255"),
         (255, "0.0.0.255"),
         (0x7F000001, "127.0.0.1"),
     ]
     for value, expected in cases:
         self.assertEqual(expected, ipaddr.ip_to_string(ipaddr.IP(32, value)))
 def test_ip_to_string_v4_ok(self):
     """ip_to_string renders 32-bit values in dotted-quad form."""
     cases = [
         (0, '0.0.0.0'),
         (2**32 - 1, '255.255.255.255'),
         (255, '0.0.0.255'),
         (0x7f000001, '127.0.0.1'),
     ]
     for value, expected in cases:
         self.assertEqual(expected, ipaddr.ip_to_string(ipaddr.IP(32, value)))
 def get(self):
     """Responds with the peer IP address (as the auth layer sees it) as text.

     Whether this reflects a proxy header or the TCP peer depends on
     api.get_peer_ip(), which is not visible here.
     """
     peer = api.get_peer_ip()
     self.response.write(ipaddr.ip_to_string(peer))