Differential D1108

Add OpenID Connect auth module for POST requests
ClosedPublic
Actions

Authored by puiterwijk on Feb 2 2017, 11:05 AM.

Details

Reviewers
tflink
jskladan
mkrizek
Group Reviewers
resultsdb
Commits
rRSDBa8cd18abfc92: Add OpenID Connect auth module for POST requests
Test Plan

Enable AUTH_MODULE='oidc', setup a client_secrets.json file and verify that new auth requests need to specify a valid access_token.

Diff Detail

Repository
rRSDB resultsdb
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.
puiterwijk retitled this revision from to Add OpenID Connect auth module for POST requests.Feb 2 2017, 11:05 AM
puiterwijk updated this object.
puiterwijk edited the test plan for this revision. (Show Details)
puiterwijk set the repository for this revision to rRSDB resultsdb.
puiterwijk updated this revision to Diff 2826.Feb 2 2017, 11:27 AM
puiterwijk removed rRSDB resultsdb as the repository for this revision.
puiterwijk added reviewers: jskladan, mkrizek, tflink.Feb 2 2017, 11:30 AM
puiterwijk added a subscriber: adamwill.

Tim says I need to add these people as reviewers.

kparal set the repository for this revision to rRSDB resultsdb.Mar 13 2017, 3:51 PM
kparal added a project: resultsdb.
mkrizek resigned from this revision.Thu, Jul 13, 9:03 AM
puiterwijk updated this revision to Diff 3096.Wed, Jul 19, 11:13 AM

Now making more use of the flask-oidc 1.1 features to do less token checking inside resultsdb itself.

puiterwijk updated this revision to Diff 3097.Wed, Jul 19, 12:09 PM
Closed by commit rRSDBa8cd18abfc92: Add OpenID Connect auth module for POST requests (authored by Patrick Uiterwijk <puiterwi@redhat.com>, committed by Josef Skladanka <jskladan@redhat.com>). · Explain WhyWed, Jul 19, 4:40 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathPackages
Mresultsdb/__init__.py (42 lines)
Mresultsdb/config.py (10 lines)

Diff 3098

View Options

resultsdb/__init__.py

Show First 20 LinesShow All 125 Lines▼ Show 20 Line(s)
126 126
127if app.config['SHOW_DB_URI']: 127if app.config['SHOW_DB_URI']:
128 app.logger.debug('using DBURI: %s' % app.config['SQLALCHEMY_DATABASE_URI']) 128 app.logger.debug('using DBURI: %s' % app.config['SQLALCHEMY_DATABASE_URI'])
129 129
130 130
131# database 131# database
132db = SQLAlchemy(app) 132db = SQLAlchemy(app)
133 133
134# Register auth
135if app.config['AUTH_MODULE'] == 'oidc':
136 from flask.ext.oidc import OpenIDConnect
137 oidc = OpenIDConnect(app)
138
139 def _check():
140 if flask.request.method == 'POST':
141 # We don't need to do auth for any non-POST
142 # Prefer POSTed access token: they don't get into the httpd logs
143 token = flask.request.form.get('access_token')
144 if token is None:
145 flask.request.args.get('access_token')
146 if not token:
147 app.logger.error('No token submitted')
148 return False
149 validation = oidc.validate_token(token, app.config['OIDC_SCOPE'])
150 if validity is not True:
151 app.logger.error('Token validation error: %s', validity)
152 return False
153 try:
154 token_info = oidc._get_token_info(token)
155 except Exception as ex:
156 app.logger.error('get_token failed: %s' % ex)
157 return False
158 if token_info.get('sub') not in app.config['OIDC_ADMINS']:
159 app.logger.error('Subject %s is not admin' %
160 token_info.get('sub'))
161 return False
162 return True
163
164 def check_token():
165 result = _check()
166 if result is None:
167 return flask.jsonify({'error': 'server_error'})
168 elif result is False:
169 return flask.jsonify({'error': 'invalid_token',
170 'error_description': 'Invalid or no token'})
171 # If the check passed, we fall through. This returns None, telling
172 # Flask that it can proceed further with the request
173
174 app.before_request(check_token)
175
134# register blueprints 176# register blueprints
135from resultsdb.controllers.main import main 177from resultsdb.controllers.main import main
136app.register_blueprint(main) 178app.register_blueprint(main)
137 179
138from resultsdb.controllers.api_v1 import api as api_v1 180from resultsdb.controllers.api_v1 import api as api_v1
139app.register_blueprint(api_v1, url_prefix="/api/v1.0") 181app.register_blueprint(api_v1, url_prefix="/api/v1.0")
140 182
141from resultsdb.controllers.api_v2 import api as api_v2 183from resultsdb.controllers.api_v2 import api as api_v2
142app.register_blueprint(api_v2, url_prefix="/api/v2.0") 184app.register_blueprint(api_v2, url_prefix="/api/v2.0")
View Options

resultsdb/config.py

Show First 20 LinesShow All 46 Lines▼ Show 20 Line(s)22class Config(object):
47 # If you want to set some result's extra-data as required, you can do so by 47 # If you want to set some result's extra-data as required, you can do so by
48 # prepending 'data.' to the name (e.g. 'data.arch'). 48 # prepending 'data.' to the name (e.g. 'data.arch').
49 REQUIRED_DATA = { 49 REQUIRED_DATA = {
50 'create_result': [], 50 'create_result': [],
51 'create_group': [], 51 'create_group': [],
52 'create_testcase': [], 52 'create_testcase': [],
53 } 53 }
54 54
55 # Supported module: "oidc"
56 AUTH_MODULE = 'none'
57
58 # OIDC Configuration
59 OIDC_ADMINS = ['tflink']
60 OIDC_CLIENT_SECRETS = 'client_secrets.json'
61 OIDC_AUD = 'My-Client-ID'
62 OIDC_SCOPE = 'https://pagure.io/taskotron/resultsdb/access'
63 OIDC_RESOURCE_SERVER_ONLY = True
64
55class ProductionConfig(Config): 65class ProductionConfig(Config):
56 DEBUG = False 66 DEBUG = False
57 PRODUCTION = True 67 PRODUCTION = True
58 MESSAGE_BUS_PLUGIN = 'fedmsg' 68 MESSAGE_BUS_PLUGIN = 'fedmsg'
59 MESSAGE_BUS_KWARGS = {'modname': 'resultsdb'} 69 MESSAGE_BUS_KWARGS = {'modname': 'resultsdb'}
60 70
61 71
62class DevelopmentConfig(Config): 72class DevelopmentConfig(Config):
Show All 10 Lines