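def validate_oauth_token(token):
    """
    Validates the specified OAuth token, returning whether it points to a valid OAuth token.

    Args:
        token: the access token value presented by the caller; it is passed
            unchanged to model.oauth.validate_access_token.

    Returns:
        A ValidateResult of kind AuthKind.oauth. On success it carries the
        looked-up token as `oauthtoken`; on any failure it carries an
        `error_message` instead.
    """
    validated = model.oauth.validate_access_token(token)
    if not validated:
        # The presented value is deliberately kept out of the log line: a
        # bearer token is a credential, and a rejected value may still be a
        # near-miss of a live one (truncated, wrong header, wrong environment).
        logger.warning("OAuth access token could not be validated")
        return ValidateResult(
            AuthKind.oauth, error_message="OAuth access token could not be validated"
        )

    if validated.expires_at <= datetime.utcnow():
        # Log the expiry time rather than the secret itself; anyone with log
        # access should not be able to recover credentials from it.
        logger.warning(
            "OAuth access with an expired token (expired at %s)", validated.expires_at
        )
        return ValidateResult(AuthKind.oauth, error_message="OAuth access token has expired")

    # Don't allow disabled users to login.
    if not validated.authorized_user.enabled:
        # Logged like the other rejection paths so that use of a token whose
        # granter has been disabled is visible to whoever monitors auth failures.
        logger.warning("OAuth access with a token granted by a disabled user")
        return ValidateResult(
            AuthKind.oauth, error_message="Granter of the oauth access token is disabled"
        )

    # We have a valid token. The scope set is parsed here only for the debug
    # line; the result object carries the token itself, not the parsed scopes.
    scope_set = scopes_from_scope_string(validated.scope)
    logger.debug("Successfully validated oauth access token with scope: %s", scope_set)
    return ValidateResult(AuthKind.oauth, oauthtoken=validated)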
def identity(self):
    """
    Builds the identity object that represents this auth context.

    The credential kinds are checked in a fixed order and the first one
    present wins: OAuth token, authenticated user, access token, signed grant.
    Returns None when the context holds none of them.
    """
    oauth = self.oauthtoken
    if oauth:
        # An OAuth-backed identity is built with the scopes parsed from the
        # token's scope string, not with the granting user alone.
        granted_scopes = scopes_from_scope_string(oauth.scope)
        return QuayDeferredPermissionUser.for_user(oauth.authorized_user, granted_scopes)

    user = self.authed_user
    if user:
        # No scope set is passed on this path.
        return QuayDeferredPermissionUser.for_user(user)

    access_token = self.token
    if access_token:
        return Identity(access_token.get_code(), "token")

    signed = self.signed_data
    if not signed:
        return None

    # NOTE(review): the grants are copied verbatim from signed_data; presumably
    # its signature was verified before this context was built — confirm.
    grant_identity = Identity(None, "signed_grant")
    grant_identity.provides.update(signed["grants"])
    return grant_identity
def test_parsing(scopes_string, expected):
    """
    Checks that a scope string parses to exactly the expected scope objects.

    `expected` is a collection of scope names that are looked up in ALL_SCOPES.
    When it is empty, the parsed set must be empty and validate_scope_string
    must report the string as invalid.
    """
    wanted = set()
    for scope_name in expected:
        wanted.add(ALL_SCOPES[scope_name])

    actual = scopes_from_scope_string(scopes_string)
    assert actual == wanted

    # Validity has to agree with parsing: a string counts as valid only when
    # at least one scope is expected from it.
    is_valid = validate_scope_string(scopes_string)
    assert is_valid == bool(expected)