コード例 #1
0
ファイル: auth.py プロジェクト: vanhauser-thc/clusterfuzz
def get_current_user():
    """Get the current logged in user, or None."""
    if environment.is_local_development():
        return User('user@localhost')

    current_request = request_cache.get_current_request()
    if local_config.AuthConfig().get('enable_loas'):
        loas_user = current_request.headers.get(
            'X-AppEngine-LOAS-Peer-Username')
        if loas_user:
            return User(loas_user + '@google.com')

    iap_email = get_iap_email(current_request)
    if iap_email:
        return User(iap_email)

    cache_backing = request_cache.get_cache_backing()
    oauth_email = getattr(cache_backing, '_oauth_email', None)
    if oauth_email:
        return User(oauth_email)

    cached_email = getattr(cache_backing, '_cached_email', None)
    if cached_email:
        return User(cached_email)

    session_cookie = get_session_cookie()
    if not session_cookie:
        return None

    try:
        decoded_claims = decode_claims(get_session_cookie())
    except AuthError:
        logs.log_warn('Invalid session cookie.')
        return None

    allowed_firebase_providers = local_config.ProjectConfig().get(
        'firebase.auth_providers', ['google.com'])
    firebase_info = decoded_claims.get('firebase', {})
    sign_in_provider = firebase_info.get('sign_in_provider')

    if sign_in_provider not in allowed_firebase_providers:
        logs.log_error(f'Firebase provider {sign_in_provider} is not enabled.')
        return None

    # Per https://docs.github.com/en/authentication/
    #       keeping-your-account-and-data-secure/authorizing-oauth-apps
    # GitHub requires emails to be verified before an OAuth app can be
    # authorized, so we make an exception.
    if (not decoded_claims.get('email_verified')
            and sign_in_provider != 'github.com'):
        return None

    email = decoded_claims.get('email')
    if not email:
        return None

    # We cache the email for this request if we've validated the user to make
    # subsequent get_current_user() calls fast.
    setattr(cache_backing, '_cached_email', email)
    return User(email)
コード例 #2
0
def get_current_user():
    """Get the current logged in user, or None."""
    if environment.is_local_development():
        return User('user@localhost')

    current_request = request_cache.get_current_request()
    if local_config.AuthConfig().get('enable_loas'):
        loas_user = current_request.headers.get(
            'X-AppEngine-LOAS-Peer-Username')
        if loas_user:
            return User(loas_user + '@google.com')

    iap_email = get_iap_email(current_request)
    if iap_email:
        return User(iap_email)

    cache_backing = request_cache.get_cache_backing()
    oauth_email = getattr(cache_backing, '_oauth_email', None)
    if oauth_email:
        return User(oauth_email)

    cached_email = getattr(cache_backing, '_cached_email', None)
    if cached_email:
        return User(cached_email)

    session_cookie = get_session_cookie()
    if not session_cookie:
        return None

    try:
        decoded_claims = decode_claims(get_session_cookie())
    except AuthError:
        logs.log_warn('Invalid session cookie.')
        return None

    if not decoded_claims.get('email_verified'):
        return None

    email = decoded_claims.get('email')
    if not email:
        return None

    # We cache the email for this request if we've validated the user to make
    # subsequent get_current_user() calls fast.
    setattr(cache_backing, '_cached_email', email)
    return User(email)
コード例 #3
0
def get_session_cookie():
    """Get the current session cookie."""
    return request_cache.get_current_request().cookies.get('session')