예제 #1
def _auth_config():
    """Return the process-wide AuthConfig, building it on first use.

    The instance is memoised in the module global ``_auth_config_obj`` so
    every later caller reuses the already-loaded configuration.
    """
    global _auth_config_obj
    if _auth_config_obj:
        return _auth_config_obj

    _auth_config_obj = local_config.AuthConfig()
    return _auth_config_obj
예제 #2
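def _is_domain_allowed(email):
  """Check if the email's domain is on the configured allow list.

  Args:
    email: Address to check; it is normalised via utils.normalize_email before
        comparison.

  Returns:
    True if the normalised email ends with '@<domain>' for one of the
    'whitelisted_domains' entries in AuthConfig, False otherwise (including
    when no domains are configured).
  """
  domains = local_config.AuthConfig().get('whitelisted_domains', default=[])
  if not domains:
    return False

  # Normalise once instead of on every loop iteration.
  normalized_email = utils.normalize_email(email)
  # The '@' prefix anchors the comparison to the whole domain part, so a longer
  # host name that merely ends with an allow-listed domain does not match.
  return any(
      normalized_email.endswith('@%s' % domain.lower()) for domain in domains)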
예제 #3
def _is_privileged_user(email):
    """Check if an email is in the privileged users list.

    Returns True for everyone when 'all_users_privileged' is set in
    AuthConfig; otherwise the email is compared (via utils.emails_equal)
    against each line of the 'privileged_users' db_config value.
    """
    if local_config.AuthConfig().get('all_users_privileged'):
        return True

    raw_list = db_config.get_value('privileged_users') or ''
    for candidate in raw_list.splitlines():
        if utils.emails_equal(email, candidate):
            return True

    return False
예제 #4
    def setUp(self):
        """Patch config lookups and requests.post, then load the OAuth client id fixture."""
        patch_targets = [
            'config.db_config.get_value',
            'config.local_config._load_yaml_file',
            'requests.post',
        ]
        test_helpers.patch(self, patch_targets)

        mocks = self.mock
        mocks.get_value.side_effect = mocked_db_config_get_value
        mocks._load_yaml_file.side_effect = mocked_load_yaml_file  # pylint: disable=protected-access

        auth_config = local_config.AuthConfig()
        self.test_clusterfuzz_tools_oauth_client_id = auth_config.get(
            'clusterfuzz_tools_oauth_client_id')
예제 #5
  def setUp(self):
    """Patch config lookups, access-token retrieval and requests.get, then load the OAuth fixtures."""
    patch_targets = [
        'config.db_config.get_value',
        'config.local_config._load_yaml_file',
        'libs.handler.get_access_token',
        'requests.get',
    ]
    test_helpers.patch(self, patch_targets)

    mocks = self.mock
    mocks.get_value.side_effect = mocked_db_config_get_value
    mocks._load_yaml_file.side_effect = mocked_load_yaml_file  # pylint: disable=protected-access

    auth_config = local_config.AuthConfig()
    self.test_whitelisted_oauth_client_ids = auth_config.get(
        'whitelisted_oauth_client_ids')
    self.test_whitelisted_oauth_emails = auth_config.get(
        'whitelisted_oauth_emails')
예제 #6
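def get_current_user():
    """Get the current logged in user, or None.

    Identity sources are consulted in order and the first hit wins:
      1. local development: a fixed 'user@localhost' User;
      2. the LOAS peer-username request header, only when 'enable_loas' is
         set in AuthConfig;
      3. the IAP email for the request (get_iap_email);
      4. an OAuth email, or a previously validated email, stored on the
         request cache backing;
      5. the session cookie, whose claims must decode and carry a verified
         email.

    Returns:
      A User for the resolved identity, or None when none of the sources
      above yields a usable email.
    """
    if environment.is_local_development():
        return User('user@localhost')

    current_request = request_cache.get_current_request()
    if local_config.AuthConfig().get('enable_loas'):
        # The peer-username header is only honoured when LOAS is explicitly
        # enabled in configuration.
        loas_user = current_request.headers.get(
            'X-AppEngine-LOAS-Peer-Username')
        if loas_user:
            return User(loas_user + '@google.com')

    iap_email = get_iap_email(current_request)
    if iap_email:
        return User(iap_email)

    cache_backing = request_cache.get_cache_backing()
    oauth_email = getattr(cache_backing, '_oauth_email', None)
    if oauth_email:
        return User(oauth_email)

    # Populated at the bottom of this function once a session cookie has been
    # validated for the current request.
    cached_email = getattr(cache_backing, '_cached_email', None)
    if cached_email:
        return User(cached_email)

    session_cookie = get_session_cookie()
    if not session_cookie:
        return None

    try:
        # Decode the cookie already fetched above instead of re-reading it, so
        # the value checked for presence and the value decoded are the same.
        decoded_claims = decode_claims(session_cookie)
    except AuthError:
        logs.log_warn('Invalid session cookie.')
        return None

    # An email claim that is not marked verified must not establish identity.
    if not decoded_claims.get('email_verified'):
        return None

    email = decoded_claims.get('email')
    if not email:
        return None

    # We cache the email for this request if we've validated the user to make
    # subsequent get_current_user() calls fast.
    setattr(cache_backing, '_cached_email', email)
    return User(email)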
예제 #7
  def setUp(self):
    """Patch config lookups, urlfetch and access-token retrieval, then load the OAuth fixtures."""
    patch_targets = [
        'config.db_config.get_value',
        'config.local_config._load_yaml_file',
        'google.appengine.api.urlfetch.fetch',
        'libs.handler.get_access_token',
    ]
    test_helpers.patch(self, patch_targets)

    mocks = self.mock
    mocks.get_value.side_effect = mocked_db_config_get_value
    mocks._load_yaml_file.side_effect = mocked_load_yaml_file  # pylint: disable=protected-access

    auth_config = local_config.AuthConfig()
    self.test_clusterfuzz_tools_oauth_client_id = auth_config.get(
        'clusterfuzz_tools_oauth_client_id')
    self.test_whitelisted_oauth_client_ids = auth_config.get(
        'whitelisted_oauth_client_ids')
    self.test_whitelisted_oauth_emails = auth_config.get(
        'whitelisted_oauth_emails')
예제 #8
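def create_data_bundle_bucket_and_iams(data_bundle_name, emails):
  """Creates a data bundle bucket and adds iams for access.

  Args:
    data_bundle_name: Name of the data bundle; mapped to a bucket name via
        get_data_bundle_bucket_name.
    emails: Iterable of user emails to grant DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE
        on the bucket, in addition to the 'whitelisted_domains' from AuthConfig.

  Returns:
    False if storage.create_bucket_if_needed or the IAM policy fetch fails.
    True if there are no members to grant, otherwise the truthiness of
    storage.set_bucket_iam_policy's result.
  """
  bucket_name = get_data_bundle_bucket_name(data_bundle_name)
  if not storage.create_bucket_if_needed(bucket_name):
    return False

  client = storage.create_discovery_storage_client()
  iam_policy = storage.get_bucket_iam_policy(client, bucket_name)
  if not iam_policy:
    return False

  # Grant access to the domains allowed in project configuration, then to the
  # emails provided by the caller.
  domains = local_config.AuthConfig().get('whitelisted_domains', default=[])
  members = ['domain:%s' % domain for domain in domains]
  members.extend('user:%s' % email for email in emails)

  if not members:
    # No members to add, bail out.
    return True

  binding = storage.get_bucket_iam_binding(iam_policy,
                                           DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE)
  if binding:
    # NOTE(review): the role's existing member list is replaced, not merged, so
    # any member granted outside this function is dropped — confirm intended.
    binding['members'] = members
  else:
    # Tolerate a policy with no 'bindings' key instead of raising KeyError.
    iam_policy.setdefault('bindings', []).append({
        'role': DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE,
        'members': members,
    })

  return bool(storage.set_bucket_iam_policy(client, bucket_name, iam_policy))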