authorMatthieu Huin <mhuin@redhat.com>2020-06-08 18:22:09 +0200
committerMatthieu Huin <mhuin@redhat.com>2020-06-17 07:38:31 +0000
commit9c463fc1853745981e7f136429426850c9765f87 (patch)
treeeac082d7baa6c9f986cc46782c235d59aefc71ce /zuul/web
parent74ff81998f76178ebb233240fa6c5885ac97072d (diff)
downloadzuul-9c463fc1853745981e7f136429426850c9765f87.tar.gz
zuul-web: refactor auth token handling code
Remove some code redundancy in the auth token validation logic. Change-Id: I58f6f0a222c469e16622f6383bc3669671bf3fd2
Diffstat (limited to 'zuul/web')
-rwxr-xr-xzuul/web/__init__.py82
1 files changed, 31 insertions, 51 deletions
diff --git a/zuul/web/__init__.py b/zuul/web/__init__.py
index 34520ea78..d731879d7 100755
--- a/zuul/web/__init__.py
+++ b/zuul/web/__init__.py
@@ -261,6 +261,21 @@ class ZuulWebAPI(object):
'error': e,
'realm': self.zuulweb.authenticators.default_realm}
+ def _auth_token_check(self):
+ rawToken = \
+ cherrypy.request.headers['Authorization'][len('Bearer '):]
+ try:
+ claims = self.zuulweb.authenticators.authenticate(rawToken)
+ except exceptions.AuthTokenException as e:
+ for header, contents in e.getAdditionalHeaders().items():
+ cherrypy.response.headers[header] = contents
+ cherrypy.response.status = e.HTTPError
+ return ({},
+ {'description': e.error_description,
+ 'error': e.error,
+ 'realm': e.realm})
+ return (claims, None)
+
@cherrypy.expose
@cherrypy.tools.json_in()
@cherrypy.tools.json_out(content_type='application/json; charset=utf-8')
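Review bot: `_auth_token_check` reads `cherrypy.request.headers['Authorization']` and slices off `len('Bearer ')` characters without checking that the header is present or uses the Bearer scheme, so a request without the header would raise KeyError (a 500 instead of the 401-style body built in the except branch), and any other scheme would reach `authenticate()` as a truncated string. The last three call sites visibly run `_basic_auth_header_check()` first, but the first two rewritten endpoints show only the method check before the call, so the precondition cannot be confirmed from those hunks. Either invoke the header check inside the helper or state the contract in a docstring, e.g. `"""Return (claims, None) on success or ({}, error_body) on failure; the caller must have validated the Authorization header first."""`.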
@@ -272,16 +287,9 @@ class ZuulWebAPI(object):
if cherrypy.request.method != 'POST':
raise cherrypy.HTTPError(405)
# AuthN/AuthZ
- rawToken = cherrypy.request.headers['Authorization'][len('Bearer '):]
- try:
- claims = self.zuulweb.authenticators.authenticate(rawToken)
- except exceptions.AuthTokenException as e:
- for header, contents in e.getAdditionalHeaders().items():
- cherrypy.response.headers[header] = contents
- cherrypy.response.status = e.HTTPError
- return {'description': e.error_description,
- 'error': e.error,
- 'realm': e.realm}
+ claims, token_error = self._auth_token_check()
+ if token_error is not None:
+ return token_error
self.is_authorized(claims, tenant)
msg = 'User "%s" requesting "%s" on %s/%s'
self.log.info(
@@ -317,16 +325,9 @@ class ZuulWebAPI(object):
if cherrypy.request.method != 'POST':
raise cherrypy.HTTPError(405)
# AuthN/AuthZ
- rawToken = cherrypy.request.headers['Authorization'][len('Bearer '):]
- try:
- claims = self.zuulweb.authenticators.authenticate(rawToken)
- except exceptions.AuthTokenException as e:
- for header, contents in e.getAdditionalHeaders().items():
- cherrypy.response.headers[header] = contents
- cherrypy.response.status = e.HTTPError
- return {'description': e.error_description,
- 'error': e.error,
- 'realm': e.realm}
+ claims, token_error = self._auth_token_check()
+ if token_error is not None:
+ return token_error
self.is_authorized(claims, tenant)
msg = 'User "%s" requesting "%s" on %s/%s'
self.log.info(
@@ -394,17 +395,9 @@ class ZuulWebAPI(object):
if basic_error is not None:
return basic_error
# AuthN/AuthZ
- rawToken = \
- cherrypy.request.headers['Authorization'][len('Bearer '):]
- try:
- claims = self.zuulweb.authenticators.authenticate(rawToken)
- except exceptions.AuthTokenException as e:
- for header, contents in e.getAdditionalHeaders().items():
- cherrypy.response.headers[header] = contents
- cherrypy.response.status = e.HTTPError
- return {'description': e.error_description,
- 'error': e.error,
- 'realm': e.realm}
+ claims, token_error = self._auth_token_check()
+ if token_error is not None:
+ return token_error
self.is_authorized(claims, tenant)
msg = 'User "%s" requesting "%s" on %s/%s'
self.log.info(
@@ -510,16 +503,9 @@ class ZuulWebAPI(object):
if basic_error is not None:
return basic_error
# AuthN/AuthZ
- rawToken = cherrypy.request.headers['Authorization'][len('Bearer '):]
- try:
- claims = self.zuulweb.authenticators.authenticate(rawToken)
- except exceptions.AuthTokenException as e:
- for header, contents in e.getAdditionalHeaders().items():
- cherrypy.response.headers[header] = contents
- cherrypy.response.status = e.HTTPError
- return {'description': e.error_description,
- 'error': e.error,
- 'realm': e.realm}
+ claims, token_error = self._auth_token_check()
+ if token_error is not None:
+ return token_error
self.is_authorized(claims, request['tenant'])
msg = 'User "%s" requesting "%s" on %s/%s'
self.log.info(
@@ -619,16 +605,10 @@ class ZuulWebAPI(object):
basic_error = self._basic_auth_header_check()
if basic_error is not None:
return basic_error
- rawToken = cherrypy.request.headers['Authorization'][len('Bearer '):]
- try:
- claims = self.zuulweb.authenticators.authenticate(rawToken)
- except exceptions.AuthTokenException as e:
- for header, contents in e.getAdditionalHeaders().items():
- cherrypy.response.headers[header] = contents
- cherrypy.response.status = e.HTTPError
- return {'description': e.error_description,
- 'error': e.error,
- 'realm': e.realm}
+ # AuthN/AuthZ
+ claims, token_error = self._auth_token_check()
+ if token_error is not None:
+ return token_error
if 'zuul' in claims and 'admin' in claims.get('zuul', {}):
return {'zuul': {'admin': claims['zuul']['admin']}, }
job = self.rpc.submitJob('zuul:get_admin_tenants',
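Review bot: The added `# AuthN/AuthZ` comment overstates what follows in this endpoint: the visible lines authenticate the token and then read `claims['zuul']['admin']` directly, with no `is_authorized()` call as in the other four call sites. A comment such as `# AuthN only: admin tenants are derived from the token claims below` would describe the code more accurately. The function continues past the end of the hunk, so an authorization step further down cannot be ruled out.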