def test_invalid_unicode_robot_2(app):
user = model.user.get_user("devtable")
robot, password = model.user.create_robot("somerobot", user)
token = "“4JPCOLIVMAY32Q3XGVPHC4CBF8SKII5FWNYMASOFDIVSXTC5I5NBU”"
result, kind = validate_credentials("devtable+somerobot", token)
assert kind == CredentialKind.robot
assert not result.auth_valid
msg = "Could not find robot with username: devtable+somerobot and supplied password."
assert result == ValidateResult(AuthKind.credentials, error_message=msg)
def test_unicode_robot(app):
robot, _ = model.user.create_robot("somerobot",
model.user.get_user("devtable"))
result, kind = validate_credentials(robot.username, "some₪code")
assert kind == CredentialKind.robot
assert not result.auth_valid
msg = "Could not find robot with username: devtable+somerobot and supplied password."
assert result == ValidateResult(AuthKind.credentials, error_message=msg)
def test_invalid_app_specific_token_code(app):
user = model.user.get_user("devtable")
app_specific_token = model.appspecifictoken.create_token(
user, "some token")
full_token = app_specific_token.token_name + "something"
result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME,
full_token)
assert kind == CredentialKind.app_specific_token
assert result == ValidateResult(AuthKind.credentials,
error_message="Invalid token")
def test_valid_robot_for_disabled_user(app):
user = model.user.get_user("devtable")
user.enabled = False
user.save()
robot, password = model.user.create_robot("somerobot", user)
result, kind = validate_credentials(robot.username, password)
assert kind == CredentialKind.robot
err = "This user has been disabled. Please contact your administrator."
assert result == ValidateResult(AuthKind.credentials, error_message=err)
def test_valid_app_specific_token(app):
user = model.user.get_user("devtable")
app_specific_token = model.appspecifictoken.create_token(
user, "some token")
full_token = model.appspecifictoken.get_full_token_string(
app_specific_token)
result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME,
full_token)
assert kind == CredentialKind.app_specific_token
assert result == ValidateResult(AuthKind.credentials,
appspecifictoken=app_specific_token)
def login():
values = request.get_json(force=True, silent=True) or {}
username = values.get('user', {}).get('username')
password = values.get('user', {}).get('password')
if not username or not password:
raise InvalidUsage('Missing username or password')
result, _ = validate_credentials(username, password)
if not result.auth_valid:
raise UnauthorizedAccess(result.error_message)
return jsonify({'token': "basic " + b64encode("%s:%s" % (username, password))})
def test_valid_app_specific_token_for_disabled_user(app):
user = model.user.get_user("devtable")
user.enabled = False
user.save()
app_specific_token = model.appspecifictoken.create_token(user, "some token")
full_token = model.appspecifictoken.get_full_token_string(app_specific_token)
result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
assert kind == CredentialKind.app_specific_token
err = "This user has been disabled. Please contact your administrator."
assert result == ValidateResult(AuthKind.credentials, error_message=err)
def login():
values = request.get_json(force=True, silent=True) or {}
username = values.get("user", {}).get("username")
password = values.get("user", {}).get("password")
if not username or not password:
raise InvalidUsage("Missing username or password")
result, _ = validate_credentials(username, password)
if not result.auth_valid:
raise UnauthorizedAccess(result.error_message)
auth = b64encode(b"%s:%s" % (username.encode("ascii"), password.encode("ascii")))
return jsonify({"token": "basic " + auth.decode("ascii")})
def validate_basic_auth(auth_header):
""" Validates the specified basic auth header, returning whether its credentials point
to a valid user or token.
"""
if not auth_header:
return ValidateResult(AuthKind.basic, missing=True)
logger.debug("Attempt to process basic auth header")
# Parse the basic auth header.
assert isinstance(auth_header, basestring)
credentials, err = _parse_basic_auth_header(auth_header)
if err is not None:
logger.debug("Got invalid basic auth header: %s", auth_header)
return ValidateResult(AuthKind.basic, missing=True)
auth_username, auth_password_or_token = credentials
result, _ = validate_credentials(auth_username, auth_password_or_token)
return result.with_kind(AuthKind.basic)
def create_user():
user_data = request.get_json()
if not user_data or not "username" in user_data:
abort(400, "Missing username")
username = user_data["username"]
password = user_data.get("password", "")
# UGH! we have to use this response when the login actually worked, in order
# to get the CLI to try again with a get, and then tell us login succeeded.
success = make_response('"Username or email already exists"', 400)
result, kind = validate_credentials(username, password)
if not result.auth_valid:
if kind == CredentialKind.token:
abort(400, "Invalid access token.", issue="invalid-access-token")
if kind == CredentialKind.robot:
abort(400,
"Invalid robot account or password.",
issue="robot-login-failure")
if kind == CredentialKind.oauth_token:
abort(400,
"Invalid oauth access token.",
issue="invalid-oauth-access-token")
if kind == CredentialKind.user:
# Mark that the login failed.
event = userevents.get_event(username)
event.publish_event_data("docker-cli", {"action": "loginfailure"})
abort(400, result.error_message, issue="login-failure")
# Default case: Just fail.
abort(400, result.error_message, issue="login-failure")
if result.has_nonrobot_user:
# Mark that the user was logged in.
event = userevents.get_event(username)
event.publish_event_data("docker-cli", {"action": "login"})
return success
def test_valid_user(app):
result, kind = validate_credentials("devtable", "password")
assert kind == CredentialKind.user
assert result == ValidateResult(AuthKind.credentials,
user=model.user.get_user("devtable"))
def test_valid_token(app):
access_token = model.token.create_delegate_token("devtable", "simple", "sometoken")
result, kind = validate_credentials(ACCESS_TOKEN_USERNAME, access_token.get_code())
assert kind == CredentialKind.token
assert result == ValidateResult(AuthKind.credentials, token=access_token)
def test_invalid_app_specific_token(app):
result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME,
"somecode")
assert kind == CredentialKind.app_specific_token
assert result == ValidateResult(AuthKind.credentials,
error_message="Invalid token")
def test_unicode(app):
result, kind = validate_credentials("someusername", "some₪code")
assert kind == CredentialKind.user
assert not result.auth_valid
assert result == ValidateResult(
AuthKind.credentials, error_message="Invalid Username or Password")
def test_invalid_user(app):
result, kind = validate_credentials("devtable", "somepassword")
assert kind == CredentialKind.user
assert result == ValidateResult(
AuthKind.credentials, error_message="Invalid Username or Password")
def test_valid_robot(app):
robot, password = model.user.create_robot("somerobot",
model.user.get_user("devtable"))
result, kind = validate_credentials(robot.username, password)
assert kind == CredentialKind.robot
assert result == ValidateResult(AuthKind.credentials, robot=robot)
def test_invalid_user(app):
result, kind = validate_credentials("someinvaliduser", "password")
assert kind == CredentialKind.user
assert not result.authed_user
assert not result.auth_valid
def test_invalid_robot(app):
result, kind = validate_credentials("devtable+doesnotexist", "password")
assert kind == CredentialKind.robot
assert not result.authed_user
assert not result.auth_valid
def test_invalid_user_password(app):
result, kind = validate_credentials("devtable", "somepassword")
assert kind == CredentialKind.user
assert not result.authed_user
assert not result.auth_valid
def test_invalid_robot_token(app):
robot, _ = model.user.create_robot("somerobot", model.user.get_user("devtable"))
result, kind = validate_credentials(robot.username, "invalidpassword")
assert kind == CredentialKind.robot
assert not result.authed_user
assert not result.auth_valid
