def handle_auth(self, request, headers=None, remote_addr=None, remote_user=None, authorization=None, **kwargs): remote_addr = headers.get('x-forwarded-for', remote_addr) extra = {'remote_addr': remote_addr} if remote_user: ttl = getattr(request, 'ttl', None) username = self._get_username_for_request(remote_user, request) try: token = self._create_token_for_user(username=username, ttl=ttl) except TTLTooLargeException as e: abort_request(status_code=http_client.BAD_REQUEST, message=e.message) return token LOG.audit('Access denied to anonymous user.', extra=extra) abort_request()
def _get_username_for_request(self, username, request): impersonate_user = getattr(request, 'user', None) if impersonate_user is not None: # check this is a service account try: if not User.get_by_name(username).is_service: message = "Current user is not a service and cannot " \ "request impersonated tokens" abort_request(status_code=http_client.BAD_REQUEST, message=message) return username = impersonate_user except (UserNotFoundError, StackStormDBObjectNotFoundError): message = "Could not locate user %s" % \ (impersonate_user) abort_request(status_code=http_client.BAD_REQUEST, message=message) return else: impersonate_user = getattr(request, 'impersonate_user', None) nickname_origin = getattr(request, 'nickname_origin', None) if impersonate_user is not None: try: # check this is a service account if not User.get_by_name(username).is_service: raise NotServiceUserError() username = User.get_by_nickname(impersonate_user, nickname_origin).name except NotServiceUserError: message = "Current user is not a service and cannot " \ "request impersonated tokens" abort_request(status_code=http_client.BAD_REQUEST, message=message) return except (UserNotFoundError, StackStormDBObjectNotFoundError): message = "Could not locate user %s@%s" % \ (impersonate_user, nickname_origin) abort_request(status_code=http_client.BAD_REQUEST, message=message) return except NoNicknameOriginProvidedError: message = "Nickname origin is not provided for nickname '%s'" % \ impersonate_user abort_request(status_code=http_client.BAD_REQUEST, message=message) return except AmbiguousUserError: message = "%s@%s matched more than one username" % \ (impersonate_user, nickname_origin) abort_request(status_code=http_client.BAD_REQUEST, message=message) return return username
def handle_auth(self, request, headers=None, remote_addr=None, remote_user=None, authorization=None, **kwargs): auth_backend = self._auth_backend.__class__.__name__ extra = {'auth_backend': auth_backend, 'remote_addr': remote_addr} if not authorization: LOG.audit('Authorization header not provided', extra=extra) abort_request() return auth_type, auth_value = authorization if auth_type.lower() not in ['basic']: extra['auth_type'] = auth_type LOG.audit('Unsupported authorization type: %s' % (auth_type), extra=extra) abort_request() return try: auth_value = base64.b64decode(auth_value) except Exception: LOG.audit('Invalid authorization header', extra=extra) abort_request() return split = auth_value.split(':') if len(split) != 2: LOG.audit('Invalid authorization header', extra=extra) abort_request() return username, password = split result = self._auth_backend result = self._auth_backend.authenticate(username=username, password=password) if result is True: ttl = getattr(request, 'ttl', None) username = self._get_username_for_request(username, request) try: token = self._create_token_for_user(username=username, ttl=ttl) return token except TTLTooLargeException as e: abort_request(status_code=http_client.BAD_REQUEST, message=e.message) return LOG.audit('Invalid credentials provided', extra=extra) abort_request()