Better handle auth enabling

Joshua Boniface 2019-07-07 00:15:05 -04:00
parent 4724f79877
commit 425392f2e6
2 changed files with 21 additions and 9 deletions


@ -53,8 +53,9 @@ try:
'coordinators': o_config['pvc']['coordinators'], 'coordinators': o_config['pvc']['coordinators'],
'listen_address': o_config['pvc']['api']['listen_address'], 'listen_address': o_config['pvc']['api']['listen_address'],
'listen_port': int(o_config['pvc']['api']['listen_port']), 'listen_port': int(o_config['pvc']['api']['listen_port']),
'authentication_tokens': o_config['pvc']['api']['authentication']['tokens'], 'auth_enabled': o_config['pvc']['api']['authentication']['enabled'],
'secret_key': o_config['pvc']['api']['secret_key'], 'auth_secret_key': o_config['pvc']['api']['authentication']['secret_key'],
'auth_tokens': o_config['pvc']['api']['authentication']['tokens'],
'ssl_enabled': o_config['pvc']['api']['ssl']['enabled'], 'ssl_enabled': o_config['pvc']['api']['ssl']['enabled'],
'ssl_key_file': o_config['pvc']['api']['ssl']['key_file'], 'ssl_key_file': o_config['pvc']['api']['ssl']['key_file'],
'ssl_cert_file': o_config['pvc']['api']['ssl']['cert_file'] 'ssl_cert_file': o_config['pvc']['api']['ssl']['cert_file']
@ -66,12 +67,13 @@ except Exception as e:
print('ERROR: {}.'.format(e)) print('ERROR: {}.'.format(e))
exit(1) exit(1)
api.config["SECRET_KEY"] = config['secret_key'] if config['auth_enabled']:
api.config["SECRET_KEY"] = config['auth_secret_key']
def authenticator(function): def authenticator(function):
def authenticate(*args, **kwargs): def authenticate(*args, **kwargs):
# Check if authentication is enabled # Check if authentication is enabled
if not config['authentication_tokens']: if not config['auth_enabled']:
return function(*args, **kwargs) return function(*args, **kwargs)
else: else:
# Session-based authentication # Session-based authentication
@ -79,7 +81,7 @@ def authenticator(function):
return function(*args, **kwargs) return function(*args, **kwargs)
# Direct token-based authentication # Direct token-based authentication
if 'token' in flask.request.values: if 'token' in flask.request.values:
if any(token for token in config['authentication_tokens'] if flask.request.values['token'] in token['token']): if any(token for token in config['auth_tokens'] if flask.request.values['token'] in token['token']):
return function(*args, **kwargs) return function(*args, **kwargs)
else: else:
return flask.jsonify({"message":"Authentication failed"}), 401 return flask.jsonify({"message":"Authentication failed"}), 401
@ -95,8 +97,12 @@ def api_root():
@api.route('/api/v1/auth/login', methods=['GET', 'POST']) @api.route('/api/v1/auth/login', methods=['GET', 'POST'])
def api_auth_login(): def api_auth_login():
# Just return a 200 if auth is disabled
if not config['auth_enabled']:
return flask.jsonify({"message":"Authentication is disabled."}), 200
if flask.request.method == 'POST': if flask.request.method == 'POST':
if any(token for token in config['authentication_tokens'] if flask.request.values['token'] in token['token']): if any(token for token in config['auth_tokens'] if flask.request.values['token'] in token['token']):
flask.session['token'] = flask.request.form['token'] flask.session['token'] = flask.request.form['token']
return flask.redirect(flask.url_for('api_root')) return flask.redirect(flask.url_for('api_root'))
else: else:
@ -113,6 +119,10 @@ def api_auth_login():
@api.route('/api/v1/auth/logout', methods=['GET', 'POST']) @api.route('/api/v1/auth/logout', methods=['GET', 'POST'])
def api_auth_logout(): def api_auth_logout():
# Just return a 200 if auth is disabled
if not config['auth_enabled']:
return flask.jsonify({"message":"Authentication is disabled."}), 200
# remove the username from the session if it's there # remove the username from the session if it's there
flask.session.pop('token', None) flask.session.pop('token', None)
return flask.redirect(flask.url_for('api_root')) return flask.redirect(flask.url_for('api_root'))
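Review bot: The token checks in `authenticate` and in `api_auth_login` still test `flask.request.values['token'] in token['token']`, which is a substring match when the configured token is a string (as in the sample config), so a fragment of a valid token, or an empty value, passes once `auth_enabled` is true. Compare whole values instead, e.g. `if any(flask.request.values['token'] == t['token'] for t in config['auth_tokens']):`, or use `hmac.compare_digest` on the encoded values if a constant-time comparison is wanted (that needs `import hmac`). Since the sample config ships `secret_key` and `token` blank, it would also help to refuse startup when `auth_enabled` is true and `auth_secret_key` or `auth_tokens` is empty. Both functions continue outside the hunks shown, so the session branch was not reviewed.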


@ -19,10 +19,12 @@ pvc:
listen_address: "127.0.0.1" listen_address: "127.0.0.1"
# listen_port: TCP port to listen on, usually 7370 # listen_port: TCP port to listen on, usually 7370
listen_port: "7370" listen_port: "7370"
# secret_key: Per-cluster secret key for API cookies; generate with uuidgen or pwgen
secret_key: ""
# authentication: Authentication and security settings # authentication: Authentication and security settings
authentication: authentication:
# enabled: Enable or disable authentication (True/False)
enabled: False
# secret_key: Per-cluster secret key for API cookies; generate with uuidgen or pwgen
secret_key: ""
# tokens: a list of authentication tokens; leave as an empty list to disable authentication # tokens: a list of authentication tokens; leave as an empty list to disable authentication
tokens: tokens:
# description: token description for management # description: token description for management
@ -31,7 +33,7 @@ pvc:
token: "" token: ""
# ssl: SSL configuration # ssl: SSL configuration
ssl: ssl:
# Enabled or disable SSL operation # enabled: Enabled or disable SSL operation (True/False)
enabled: False enabled: False
# cert_file: SSL certificate file # cert_file: SSL certificate file
cert_file: "" cert_file: ""
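Review bot: The retained comment on `tokens:` still says to leave the list empty to disable authentication, but after this change the new `enabled` key decides that, so the comment misdescribes the setting. With `enabled: True` and an empty list, the token check in the API file can never match, which rejects every token rather than disabling auth. Suggest `# tokens: a list of authentication tokens; at least one non-empty token is required when enabled is True`. The `secret_key` comment could likewise state that it must be set to a long random value whenever `enabled` is True, since it is loaded as the Flask `SECRET_KEY`.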