Exemplo n.º 1
0
def password_authentication():
    username, password = http.username_password()
    if username is not None:
        userid = factory.authentication_manager().check_username_password(
            username, password)
        if userid is None:
            raise PulpCodedAuthenticationException(
                error_code=error_codes.PLP0030, user=username)
        else:
            _logger.debug("User [%s] authenticated with password" % username)
            return userid
Exemplo n.º 2
0
def oauth_authentication():
    if not config.getboolean('oauth', 'enabled'):
        return None, False

    username = http.request_info('HTTP_PULP_USER')
    auth = http.http_authorization()
    cert_pem = http.ssl_client_cert()
    if username is None or auth is None:
        if cert_pem is not None:
            raise PulpCodedAuthenticationException(
                error_code=error_codes.PLP0027, user=username)
        return None, False
    meth = http.request_info('REQUEST_METHOD')
    url = http.request_url()
    query = http.request_info('QUERY_STRING')
    userid, is_consumer = factory.authentication_manager().check_oauth(
        username, meth, url, auth, query)
    if userid is None:
        raise PulpCodedAuthenticationException(error_code=error_codes.PLP0028,
                                               user=username)
    _logger.debug("User authenticated with Oauth: %s" % userid)
    return userid, is_consumer
Exemplo n.º 3
0
def check_preauthenticated():
    # Support web server level authentication of users
    username = http.request_info("REMOTE_USER")
    if username is not None:
        # Omitting the password = assume preauthenticated
        userid = factory.authentication_manager().check_username_password(
            username)
        if userid is None:
            # User is not in the local database, nor in LDAP
            raise PulpCodedAuthenticationException(
                error_code=error_codes.PLP0029, user=username)
        else:
            _logger.debug("User preauthenticated: %s" % username)
            return userid
Exemplo n.º 4
0
    def test_pulp_exception_no_debug(self, mock_error_obj, mock_dumps):
        """
        Tests that when the debug flag is False, Pulp exceptions result in logging to info
        rather than logging to error with the traceback.
        """
        # Setup
        self.mock_app.side_effect = PulpCodedAuthenticationException(
            error_code=error_codes.PLP0025)

        # Test
        self.handler('environ', mock.Mock())
        # Assert the http_error_obj is called with the exception's http status code
        self.assertEquals(1, mock_error_obj.call_count)
        self.assertEquals(self.mock_app.side_effect.http_status_code,
                          mock_error_obj.call_args[0][0])
        # Assert that the response has the expected keys and values
        response = mock_dumps.call_args[0][0]
        self.assertEquals(response['error'],
                          self.mock_app.side_effect.to_dict())
        self.assertFalse('exception' in response)
        self.assertFalse('traceback' in response)
Exemplo n.º 5
0
    def test_pulp_exception_with_debug(self, mock_error_obj, mock_dumps,
                                       mock_format_exception, mock_format_tb):
        """
        Tests that when the debug flag is True, Pulp exceptions result logging the exception
        and including the exception and traceback in the response.
        """
        # Setup
        handler = ExceptionHandlerMiddleware(self.mock_app, debug=True)
        self.mock_app.side_effect = PulpCodedAuthenticationException(
            error_code=error_codes.PLP0025)
        mock_format_exception.return_value = 'Formatted exception'
        mock_format_tb.return_value = 'tb'

        # Test
        handler('environ', mock.Mock())
        # Assert the http_error_obj is called with the exception's status code
        self.assertEquals(1, mock_error_obj.call_count)
        self.assertEquals(self.mock_app.side_effect.http_status_code,
                          mock_error_obj.call_args[0][0])
        # Assert that the response has the expected keys and values
        response = mock_dumps.call_args[0][0]
        self.assertEquals(response['exception'], 'Formatted exception')
        self.assertEquals(response['traceback'], 'tb')
Exemplo n.º 6
0
def _verify_auth(self, operation, super_user_only, method, *args, **kwargs):
    """
    Internal method for checking authentication and authorization. This code
    is kept outside of the decorator which calls it so that it can be mocked.
    This allows for the decorator itself which calls here to have assertions
    made about the operation and super_user values set in the view code.

    An operation of None means not to check authorization; only check
    authentication.

    The super_user_only flag set to True means that only members of the
    built in SuperUsers role are authorized.

    :type operation: int or None
    :param operation: The operation a user needs permission for, or None to
                      skip authorization.

    :type super_user_only: bool
    :param super_user_only: Only authorize a user if they are a super user.
    """
    # Check Authentication

    # Run through each registered and enabled auth function
    is_consumer = False
    registered_auth_functions = [
        check_preauthenticated, password_authentication,
        user_cert_authentication, consumer_cert_authentication,
        oauth_authentication
    ]

    user_authenticated = False
    for authenticate_user in registered_auth_functions:
        if authenticate_user == oauth_authentication:
            userid, is_consumer = authenticate_user()
        else:
            userid = authenticate_user()

        if userid is not None:
            user_authenticated = True
            if authenticate_user == consumer_cert_authentication:
                is_consumer = True
            break

    if not user_authenticated:
        raise PulpCodedAuthenticationException(error_code=error_codes.PLP0025)

    # Check Authorization

    principal_manager = factory.principal_manager()
    user_query_manager = factory.user_query_manager()

    if super_user_only and not user_query_manager.is_superuser(userid):
        raise PulpCodedAuthenticationException(
            error_code=error_codes.PLP0026,
            user=userid,
            operation=OPERATION_NAMES[operation])
    # if the operation is None, don't check authorization
    elif operation is not None:
        if is_consumer:
            if is_consumer_authorized(http.resource_path(), userid, operation):
                # set default principal = SYSTEM
                principal_manager.set_principal()
            else:
                raise PulpCodedAuthenticationException(
                    error_code=error_codes.PLP0026,
                    user=userid,
                    operation=OPERATION_NAMES[operation])
        elif user_query_manager.is_authorized(http.resource_path(), userid,
                                              operation):
            user = user_query_manager.find_by_login(userid)
            principal_manager.set_principal(user)
        else:
            raise PulpCodedAuthenticationException(
                error_code=error_codes.PLP0026,
                user=userid,
                operation=OPERATION_NAMES[operation])

    # Authentication and authorization succeeded. Call method and then clear principal.
    value = method(self, *args, **kwargs)
    principal_manager.clear_principal()
    return value
Exemplo n.º 7
0
        def _auth_decorator(self, *args, **kwargs):

            # Check Authentication

            # Run through each registered and enabled auth function
            is_consumer = False
            registered_auth_functions = [
                check_preauthenticated, password_authentication,
                user_cert_authentication, consumer_cert_authentication,
                oauth_authentication
            ]

            user_authenticated = False
            for authenticate_user in registered_auth_functions:
                if authenticate_user == oauth_authentication:
                    userid, is_consumer = authenticate_user()
                else:
                    userid = authenticate_user()

                if userid is not None:
                    user_authenticated = True
                    if authenticate_user == consumer_cert_authentication:
                        is_consumer = True
                    break

            if not user_authenticated:
                raise PulpCodedAuthenticationException(
                    error_code=error_codes.PLP0025)

            # Check Authorization
            principal_manager = factory.principal_manager()
            user_query_manager = factory.user_query_manager()
            if super_user_only and not user_query_manager.is_superuser(userid):
                raise PulpCodedAuthenticationException(
                    error_code=error_codes.PLP0026,
                    user=userid,
                    operation=OPERATION_NAMES[operation])
            # if the operation is None, don't check authorization
            elif operation is not None:
                if is_consumer:
                    if is_consumer_authorized(http.resource_path(), userid,
                                              operation):
                        # set default principal = SYSTEM
                        principal_manager.set_principal()
                    else:
                        raise PulpCodedAuthenticationException(
                            error_code=error_codes.PLP0026,
                            user=userid,
                            operation=OPERATION_NAMES[operation])
                elif user_query_manager.is_authorized(http.resource_path(),
                                                      userid, operation):
                    user = user_query_manager.find_by_login(userid)
                    principal_manager.set_principal(user)
                else:
                    raise PulpCodedAuthenticationException(
                        error_code=error_codes.PLP0026,
                        user=userid,
                        operation=OPERATION_NAMES[operation])

            # Authentication and authorization succeeded. Call method and then clear principal.
            value = method(self, *args, **kwargs)
            principal_manager.clear_principal()
            return value