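def get_alias_id():
    """Get the alias from the request path and resolve it to an alias id.

    The alias is taken as the fourth ``/``-separated segment of
    ``request.path`` (index 3 of ``str.split``; the leading slash produces an
    empty first element).

    Returns:
        The value of ``Alias.generate_alias_id(g.tenant, alias)`` for the
        alias segment found in the path.

    Raises:
        PermissionsException: if the path has fewer than four segments or the
            alias segment is empty -- i.e. no alias could be found. The path
            is client-controlled, so a malformed path is treated as an
            authorization failure rather than being indexed blindly.
    """
    path_split = request.path.split("/")
    # An empty segment (e.g. a path ending in "aliases/") is not an alias
    # either; reject it with the same error as a too-short path.
    if len(path_split) < 4 or not path_split[3]:
        logger.error(
            "Unrecognized request -- could not find the alias. path_split: %s",
            path_split)
        raise PermissionsException("Not authorized.")
    alias = path_split[3]
    logger.debug("alias: %s", alias)
    return Alias.generate_alias_id(g.tenant, alias)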
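def check_nonce():
    """
    This function is an agaveflask authentication callback used to process the existence of a query parameter,
    x-nonce, an alternative authentication mechanism to JWT.

    When an x-nonce query parameter is provided, the request context is updated with the identity of the user owning
    the actor to which the nonce belongs (``g.user``) and with the roles stored on the nonce record (``g.roles``).
    The owner's roles are NOT recalculated at request time: ``authorization()`` sees exactly the roles captured on
    the nonce, so a nonce cannot grant more than it was minted with.

    Side effects:
        Sets ``g.tenant``, ``g.api_server``, ``g.user`` and ``g.roles``, and redeems (consumes a use of) the nonce.

    Raises:
        PermissionsException: if no ``x-nonce`` query parameter is present.
        Whatever ``Nonce.check_and_redeem_nonce`` / ``Nonce.get_nonce`` / ``authorization()`` raise when the nonce
        is invalid, exhausted, not bound to the actor/alias in the path, or does not permit the required level.
    """
    logger.debug("top of check_nonce")
    try:
        nonce_id = request.args['x-nonce']
    except KeyError:
        raise PermissionsException("No JWT or nonce provided.")
    # The nonce id is a bearer credential -- do not write it to the log.
    logger.debug("x-nonce query parameter present; checking nonce.")
    # the nonce encodes the tenant in its id.
    # NOTE(review): nonce_id is client-supplied and has not been validated yet, so g.tenant / g.api_server are
    # derived from untrusted input here. That is only safe because check_and_redeem_nonce below raises (aborting
    # the request) for a nonce that does not exist under this tenant/actor -- confirm it does.
    g.tenant = Nonce.get_tenant_from_nonce_id(nonce_id)
    g.api_server = get_api_server(g.tenant)
    logger.debug("tenant associated with nonce: %s", g.tenant)
    # get the actor_id base on the request path
    actor_id, actor_identifier = get_db_id()
    logger.debug("db_id: %s; actor_identifier: %s", actor_id, actor_identifier)
    # level is derived from the request (presumably the HTTP method); the nonce must permit it.
    level = required_level(request)

    # A nonce is bound either to an actor id or to an alias. Decide which once, so the redeem and the subsequent
    # lookup are guaranteed to use the same key (the original evaluated is_hashid twice).
    if is_hashid(actor_identifier):
        lookup = {"actor_id": actor_id, "alias": None}
    else:
        # if the actor_identifier is an alias, then the nonce must be attached to that, so we must pass that in
        # the nonce check:
        alias_id = Alias.generate_alias_id(tenant=g.tenant, alias=actor_identifier)
        lookup = {"actor_id": None, "alias": alias_id}

    # Raises if the nonce is invalid, exhausted, or does not permit `level` on this actor/alias.
    Nonce.check_and_redeem_nonce(nonce_id=nonce_id, level=level, **lookup)
    # if we were able to redeem the nonce, update auth context with the actor owner data:
    logger.debug("nonce valid and redeemed.")
    # NOTE(review): this is a second read after the redeem; if redeeming the final use removes the record, this
    # lookup could fail for a nonce that was just accepted -- verify against Nonce.check_and_redeem_nonce.
    nonce = Nonce.get_nonce(nonce_id=nonce_id, **lookup)
    g.user = nonce.owner
    # update roles data with that stored on the nonce:
    g.roles = nonce.roles
    # now, manually call our authorization function:
    authorization()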