def _auth_config():
  """Return the process-wide auth config, creating it on first use.

  Returns:
    The memoized ``local_config.AuthConfig`` instance stored in the module
    global ``_auth_config_obj``.
  """
  global _auth_config_obj
  if _auth_config_obj:
    return _auth_config_obj

  # First call (or a falsy cached object): build the config and memoize it.
  _auth_config_obj = local_config.AuthConfig()
  return _auth_config_obj
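def _is_domain_allowed(email):
  """Check if the email's domain is allowed.

  Args:
    email: The email address to check.

  Returns:
    True if the normalized email ends with ``@<domain>`` for one of the
    ``whitelisted_domains`` entries of the auth config (each compared
    lower-cased); False otherwise, including when no domains are configured.
  """
  domains = local_config.AuthConfig().get('whitelisted_domains', default=[])
  if not domains:
    return False

  # Normalize once, not once per configured domain.
  normalized_email = utils.normalize_email(email)
  # The leading '@' anchors the comparison to the entire domain part, so a
  # whitelisted 'example.com' does not admit 'user@notexample.com'.
  return any(
      normalized_email.endswith('@%s' % domain.lower()) for domain in domains)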
def _is_privileged_user(email):
  """Check if an email is in the privileged users list.

  Args:
    email: The email address to check.

  Returns:
    True when ``all_users_privileged`` is set in the auth config, or when
    *email* matches (per ``utils.emails_equal``) one of the newline-separated
    entries of the ``privileged_users`` db config value; otherwise False.
  """
  if local_config.AuthConfig().get('all_users_privileged'):
    return True

  # A missing/None db value is treated as an empty list.
  raw_privileged_users = db_config.get_value('privileged_users') or ''
  for privileged_email in raw_privileged_users.splitlines():
    if utils.emails_equal(email, privileged_email):
      return True

  return False
def setUp(self):
  """Patch config loading and HTTP POST, then read the expected client id."""
  patched_targets = [
      'config.db_config.get_value',
      'config.local_config._load_yaml_file',
      'requests.post',
  ]
  test_helpers.patch(self, patched_targets)

  # Route config reads through the test fixtures.
  self.mock.get_value.side_effect = mocked_db_config_get_value
  self.mock._load_yaml_file.side_effect = mocked_load_yaml_file  # pylint: disable=protected-access

  # Loaded after patching so it sees the mocked yaml loader.
  auth_config = local_config.AuthConfig()
  client_id = auth_config.get('clusterfuzz_tools_oauth_client_id')
  self.test_clusterfuzz_tools_oauth_client_id = client_id
def setUp(self):
  """Patch config loading, token retrieval and HTTP GET; read whitelists."""
  patched_targets = [
      'config.db_config.get_value',
      'config.local_config._load_yaml_file',
      'libs.handler.get_access_token',
      'requests.get',
  ]
  test_helpers.patch(self, patched_targets)

  # Route config reads through the test fixtures.
  self.mock.get_value.side_effect = mocked_db_config_get_value
  self.mock._load_yaml_file.side_effect = mocked_load_yaml_file  # pylint: disable=protected-access

  # Loaded after patching so it sees the mocked yaml loader.
  auth_config = local_config.AuthConfig()
  client_ids = auth_config.get('whitelisted_oauth_client_ids')
  oauth_emails = auth_config.get('whitelisted_oauth_emails')
  self.test_whitelisted_oauth_client_ids = client_ids
  self.test_whitelisted_oauth_emails = oauth_emails
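def get_current_user():
  """Get the current logged in user, or None.

  Identity sources are consulted in a fixed order and the first hit wins:
  the local-development stub, the LOAS peer header (only when ``enable_loas``
  is configured), IAP, an OAuth email or previously validated email cached on
  the request, and finally the session cookie.

  Returns:
    A ``User`` for the authenticated identity, or None when no source yields
    a verified email.
  """
  if environment.is_local_development():
    return User('user@localhost')

  current_request = request_cache.get_current_request()
  if local_config.AuthConfig().get('enable_loas'):
    # NOTE(review): this trusts a request header outright; confirm the
    # serving platform overwrites or strips any client-supplied copy of it.
    loas_user = current_request.headers.get('X-AppEngine-LOAS-Peer-Username')
    if loas_user:
      return User(loas_user + '@google.com')

  iap_email = get_iap_email(current_request)
  if iap_email:
    return User(iap_email)

  cache_backing = request_cache.get_cache_backing()
  oauth_email = getattr(cache_backing, '_oauth_email', None)
  if oauth_email:
    return User(oauth_email)

  cached_email = getattr(cache_backing, '_cached_email', None)
  if cached_email:
    return User(cached_email)

  session_cookie = get_session_cookie()
  if not session_cookie:
    return None

  try:
    # Decode the cookie already fetched above instead of re-reading it.
    decoded_claims = decode_claims(session_cookie)
  except AuthError:
    logs.log_warn('Invalid session cookie.')
    return None

  # Only accept identities whose email the identity provider has verified.
  if not decoded_claims.get('email_verified'):
    return None

  email = decoded_claims.get('email')
  if not email:
    return None

  # We cache the email for this request if we've validated the user to make
  # subsequent get_current_user() calls fast.
  setattr(cache_backing, '_cached_email', email)
  return User(email)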
def setUp(self):
  """Patch config loading, urlfetch and token retrieval; read test values."""
  patched_targets = [
      'config.db_config.get_value',
      'config.local_config._load_yaml_file',
      'google.appengine.api.urlfetch.fetch',
      'libs.handler.get_access_token',
  ]
  test_helpers.patch(self, patched_targets)

  # Route config reads through the test fixtures.
  self.mock.get_value.side_effect = mocked_db_config_get_value
  self.mock._load_yaml_file.side_effect = mocked_load_yaml_file  # pylint: disable=protected-access

  # Loaded after patching so it sees the mocked yaml loader.
  auth_config = local_config.AuthConfig()
  tools_client_id = auth_config.get('clusterfuzz_tools_oauth_client_id')
  client_ids = auth_config.get('whitelisted_oauth_client_ids')
  oauth_emails = auth_config.get('whitelisted_oauth_emails')
  self.test_clusterfuzz_tools_oauth_client_id = tools_client_id
  self.test_whitelisted_oauth_client_ids = client_ids
  self.test_whitelisted_oauth_emails = oauth_emails
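def create_data_bundle_bucket_and_iams(data_bundle_name, emails):
  """Creates a data bundle bucket and adds iams for access.

  Args:
    data_bundle_name: Name of the data bundle; mapped to a bucket name via
      ``get_data_bundle_bucket_name``.
    emails: Iterable of user emails to grant access to.

  Returns:
    True on success (including when there is nothing to grant); False if the
    bucket could not be created, its IAM policy could not be read, or the
    updated policy could not be written.
  """
  bucket_name = get_data_bundle_bucket_name(data_bundle_name)
  if not storage.create_bucket_if_needed(bucket_name):
    return False

  client = storage.create_discovery_storage_client()
  iam_policy = storage.get_bucket_iam_policy(client, bucket_name)
  if not iam_policy:
    return False

  # Add access for the domains allowed in project.
  domains = local_config.AuthConfig().get('whitelisted_domains', default=[])
  members = ['domain:%s' % domain for domain in domains]
  # Add access for the emails provided in function arguments.
  members.extend('user:%s' % email for email in emails)

  if not members:
    # No members to add, bail out.
    return True

  binding = storage.get_bucket_iam_binding(iam_policy,
                                           DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE)
  if binding:
    # The existing member list is replaced wholesale, not merged: anyone not
    # in the whitelisted domains or `emails` loses this role.
    binding['members'] = members
  else:
    binding = {
        'role': DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE,
        'members': members,
    }
    # A policy with no bindings may lack the 'bindings' key entirely; create
    # it rather than raising KeyError.
    iam_policy.setdefault('bindings', []).append(binding)

  return bool(storage.set_bucket_iam_policy(client, bucket_name, iam_policy))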