From 425392f2e69f1f8236d02ed050dee13302e19365 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface"
Date: Sun, 7 Jul 2019 00:15:05 -0400
Subject: [PATCH] Better handle auth enabling
---
 client-api/pvc-api.py | 22 ++++++++++++++++------
 client-api/pvc-api.sample.yaml | 8 +++++---
 2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/client-api/pvc-api.py b/client-api/pvc-api.py
index 278272a1..bde07c95 100755
--- a/client-api/pvc-api.py
+++ b/client-api/pvc-api.py
@@ -53,8 +53,9 @@ try:
 'coordinators': o_config['pvc']['coordinators'],
 'listen_address': o_config['pvc']['api']['listen_address'],
 'listen_port': int(o_config['pvc']['api']['listen_port']),
- 'authentication_tokens': o_config['pvc']['api']['authentication']['tokens'],
- 'secret_key': o_config['pvc']['api']['secret_key'],
+ 'auth_enabled': o_config['pvc']['api']['authentication']['enabled'],
+ 'auth_secret_key': o_config['pvc']['api']['authentication']['secret_key'],
+ 'auth_tokens': o_config['pvc']['api']['authentication']['tokens'],
 'ssl_enabled': o_config['pvc']['api']['ssl']['enabled'],
 'ssl_key_file': o_config['pvc']['api']['ssl']['key_file'],
 'ssl_cert_file': o_config['pvc']['api']['ssl']['cert_file']
@@ -66,12 +67,13 @@ except Exception as e:
 print('ERROR: {}.'.format(e))
 exit(1)
-api.config["SECRET_KEY"] = config['secret_key']
+if config['auth_enabled']:
+ api.config["SECRET_KEY"] = config['auth_secret_key']
 def authenticator(function):
 def authenticate(*args, **kwargs):
 # Check if authentication is enabled
- if not config['authentication_tokens']:
+ if not config['auth_enabled']:
 return function(*args, **kwargs)
 else:
 # Session-based authentication
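Review bot: The secret key is applied without validation at `api.config["SECRET_KEY"] = config['auth_secret_key']`, while the sample configuration in this same patch ships `secret_key: ""`; as far as I know Flask treats an empty key as unset, so the problem would only surface when a request first touches the session. Fail at startup instead: `if config['auth_enabled'] and not config['auth_secret_key']: print('ERROR: authentication is enabled but secret_key is empty.'); exit(1)`. The flag is also tested by truthiness, so a quoted YAML value such as `"False"` counts as enabled; an `isinstance(config['auth_enabled'], bool)` check where the config is loaded would make the accepted values explicit. `authenticator` continues past the end of this hunk.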
@@ -79,7 +81,7 @@ def authenticator(function):
 return function(*args, **kwargs)
 # Direct token-based authentication
 if 'token' in flask.request.values:
- if any(token for token in config['authentication_tokens'] if flask.request.values['token'] in token['token']):
+ if any(token for token in config['auth_tokens'] if flask.request.values['token'] in token['token']):
 return function(*args, **kwargs)
 else:
 return flask.jsonify({"message":"Authentication failed"}), 401
@@ -95,8 +97,12 @@ def api_root():
 @api.route('/api/v1/auth/login', methods=['GET', 'POST'])
 def api_auth_login():
+ # Just return a 200 if auth is disabled
+ if not config['auth_enabled']:
+ return flask.jsonify({"message":"Authentication is disabled."}), 200
+
 if flask.request.method == 'POST':
- if any(token for token in config['authentication_tokens'] if flask.request.values['token'] in token['token']):
+ if any(token for token in config['auth_tokens'] if flask.request.values['token'] in token['token']):
 flask.session['token'] = flask.request.form['token']
 return flask.redirect(flask.url_for('api_root'))
 else:
@@ -113,6 +119,10 @@ def api_auth_login():
 @api.route('/api/v1/auth/logout', methods=['GET', 'POST'])
 def api_auth_logout():
+ # Just return a 200 if auth is disabled
+ if not config['auth_enabled']:
+ return flask.jsonify({"message":"Authentication is disabled."}), 200
+
 # remove the username from the session if it's there
 flask.session.pop('token', None)
 return flask.redirect(flask.url_for('api_root'))
diff --git a/client-api/pvc-api.sample.yaml b/client-api/pvc-api.sample.yaml
index c9affe59..13e72eb1 100644
--- a/client-api/pvc-api.sample.yaml
+++ b/client-api/pvc-api.sample.yaml
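Review bot: The token check on the changed line in `authenticate` still uses `in` between two strings (`flask.request.values['token'] in token['token']`), which is a substring test, so a submitted value that is only a fragment of a configured token is accepted. The rename carries this over unchanged, and the same expression sits in `api_auth_login` in the following hunk. Compare for equality, preferably in constant time: `if any(hmac.compare_digest(flask.request.values['token'].encode(), t['token'].encode()) for t in config['auth_tokens']):`, which needs `import hmac` at the top of the file. The body of `authenticate` starts above this hunk and continues below it.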
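Review bot: In `api_auth_login` the value that is validated and the value that is stored come from different places: the check reads `flask.request.values['token']` (query string and form merged) while the session receives `flask.request.form['token']`. Read it once with `token = flask.request.form['token']` and use that name for both the comparison and the assignment, so the stored value is always the one that was checked. It is also worth a comment that Flask's default session cookie is signed but not encrypted, so the raw token placed in `flask.session['token']` is readable by whoever holds the cookie; a marker value would do if nothing reads the token back, which this hunk does not show. The function continues below the hunk.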
@@ -19,10 +19,12 @@ pvc:
 listen_address: "127.0.0.1"
 # listen_port: TCP port to listen on, usually 7370
 listen_port: "7370"
- # secret_key: Per-cluster secret key for API cookies; generate with uuidgen or pwgen
- secret_key: ""
 # authentication: Authentication and security settings
 authentication:
+ # enabled: Enable or disable authentication (True/False)
+ enabled: False
+ # secret_key: Per-cluster secret key for API cookies; generate with uuidgen or pwgen
+ secret_key: ""
 # tokens: a list of authentication tokens; leave as an empty list to disable authentication
 tokens:
 # description: token description for management
@@ -31,7 +33,7 @@ pvc:
 token: ""
 # ssl: SSL configuration
 ssl:
- # Enabled or disable SSL operation
+ # enabled: Enabled or disable SSL operation (True/False)
 enabled: False
 # cert_file: SSL certificate file
 cert_file: ""
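Review bot: The comment on `tokens` still says to leave the list empty to disable authentication, but after this patch the `enabled` key alone decides that: an empty list with `enabled: True` rejects every token, and a populated list with `enabled: False` is ignored. Reword it, for example `# tokens: a list of authentication tokens; only consulted when enabled is True`. Because the sample ships `enabled: False`, a deployment that relied on a non-empty token list and adopts this layout verbatim ends up with an unauthenticated API, which deserves a line in the `enabled` comment as well.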