def check_nonce():
"""
This function is an agaveflask authentication callback used to process the existence of a query parameter,
x-nonce, an alternative authentication mechanism to JWT.
When an x-nonce query parameter is provided, the request context is updated with the identity of the user owning
the actor to which the nonce belongs. Note that the roles of said user will not be calculated so, in particular,
any privileged action cannot be taken via a nonce.
"""
logger.debug("top of check_nonce")
try:
nonce_id = request.args['x-nonce']
except KeyError:
raise PermissionsException("No JWT or nonce provided.")
logger.debug("checking nonce with id: {}".format(nonce_id))
# the nonce encodes the tenant in its id:
g.tenant = Nonce.get_tenant_from_nonce_id(nonce_id)
g.api_server = get_api_server(g.tenant)
logger.debug("tenant associated with nonce: {}".format(g.tenant))
# get the actor_id base on the request path
actor_id = get_db_id()
logger.debug("db_id: {}".format(actor_id))
level = required_level(request)
Nonce.check_and_redeem_nonce(actor_id, nonce_id, level)
# if we were able to redeem the nonce, update auth context with the actor owner data:
logger.debug("nonce valid and redeemed.")
nonce = Nonce.get_nonce(actor_id, nonce_id)
g.user = nonce.owner
# update roles data with that stored on the nonce:
g.roles = nonce.roles
# now, manually call our authorization function:
authorization()
def check_nonce():
"""
This function is an agaveflask authentication callback used to process the existence of a query parameter,
x-nonce, an alternative authentication mechanism to JWT.
When an x-nonce query parameter is provided, the request context is updated with the identity of the user owning
the actor to which the nonce belongs. Note that the roles of said user will not be calculated so, in particular,
any privileged action cannot be taken via a nonce.
"""
logger.debug("top of check_nonce")
# first check whether the request is even valid -
if hasattr(request, 'url_rule'):
logger.debug("request.url_rule: {}".format(request.url_rule))
if hasattr(request.url_rule, 'rule'):
logger.debug("url_rule.rule: {}".format(request.url_rule.rule))
else:
logger.info("url_rule has no rule.")
raise ResourceError(
"Invalid request: the API endpoint does not exist or the provided HTTP method is not allowed.",
405)
else:
logger.info("Request has no url_rule")
raise ResourceError(
"Invalid request: the API endpoint does not exist or the provided HTTP method is not allowed.",
405)
try:
nonce_id = request.args['x-nonce']
except KeyError:
raise PermissionsException("No JWT or nonce provided.")
logger.debug("checking nonce with id: {}".format(nonce_id))
# the nonce encodes the tenant in its id:
g.tenant = Nonce.get_tenant_from_nonce_id(nonce_id)
g.api_server = get_api_server(g.tenant)
logger.debug(
"tenant associated with nonce: {}; api_server assoicated with nonce: {}"
.format(g.tenant, g.api_server))
# get the actor_id base on the request path
actor_id, actor_identifier = get_db_id()
logger.debug("db_id: {}; actor_identifier: {}".format(
actor_id, actor_identifier))
level = required_level(request)
# if the actor_identifier is an alias, then the nonce must be attached to that, so we must pass that in the
# nonce check:
if is_hashid(actor_identifier):
Nonce.check_and_redeem_nonce(actor_id=actor_id,
alias=None,
nonce_id=nonce_id,
level=level)
else:
alias_id = Alias.generate_alias_id(tenant=g.tenant,
alias=actor_identifier)
Nonce.check_and_redeem_nonce(actor_id=None,
alias=alias_id,
nonce_id=nonce_id,
level=level)
# if we were able to redeem the nonce, update auth context with the actor owner data:
logger.debug("nonce valid and redeemed.")
if is_hashid(actor_identifier):
nonce = Nonce.get_nonce(actor_id=actor_id,
alias=None,
nonce_id=nonce_id)
else:
nonce = Nonce.get_nonce(actor_id=None,
alias=alias_id,
nonce_id=nonce_id)
g.user = nonce.owner
# update roles data with that stored on the nonce:
g.roles = nonce.roles
# now, manually call our authorization function:
authorization()
