Better handle auth enabling
parent
4724f79877
commit
425392f2e6
|
@ -53,8 +53,9 @@ try:
|
||||||
'coordinators': o_config['pvc']['coordinators'],
|
'coordinators': o_config['pvc']['coordinators'],
|
||||||
'listen_address': o_config['pvc']['api']['listen_address'],
|
'listen_address': o_config['pvc']['api']['listen_address'],
|
||||||
'listen_port': int(o_config['pvc']['api']['listen_port']),
|
'listen_port': int(o_config['pvc']['api']['listen_port']),
|
||||||
'authentication_tokens': o_config['pvc']['api']['authentication']['tokens'],
|
'auth_enabled': o_config['pvc']['api']['authentication']['enabled'],
|
||||||
'secret_key': o_config['pvc']['api']['secret_key'],
|
'auth_secret_key': o_config['pvc']['api']['authentication']['secret_key'],
|
||||||
|
'auth_tokens': o_config['pvc']['api']['authentication']['tokens'],
|
||||||
'ssl_enabled': o_config['pvc']['api']['ssl']['enabled'],
|
'ssl_enabled': o_config['pvc']['api']['ssl']['enabled'],
|
||||||
'ssl_key_file': o_config['pvc']['api']['ssl']['key_file'],
|
'ssl_key_file': o_config['pvc']['api']['ssl']['key_file'],
|
||||||
'ssl_cert_file': o_config['pvc']['api']['ssl']['cert_file']
|
'ssl_cert_file': o_config['pvc']['api']['ssl']['cert_file']
|
||||||
|
@ -66,12 +67,13 @@ except Exception as e:
|
||||||
print('ERROR: {}.'.format(e))
|
print('ERROR: {}.'.format(e))
|
||||||
exit(1)
|
exit(1)
|
||||||
|
|
||||||
api.config["SECRET_KEY"] = config['secret_key']
|
if config['auth_enabled']:
|
||||||
|
api.config["SECRET_KEY"] = config['auth_secret_key']
|
||||||
|
|
||||||
def authenticator(function):
|
def authenticator(function):
|
||||||
def authenticate(*args, **kwargs):
|
def authenticate(*args, **kwargs):
|
||||||
# Check if authentication is enabled
|
# Check if authentication is enabled
|
||||||
if not config['authentication_tokens']:
|
if not config['auth_enabled']:
|
||||||
return function(*args, **kwargs)
|
return function(*args, **kwargs)
|
||||||
else:
|
else:
|
||||||
# Session-based authentication
|
# Session-based authentication
|
||||||
|
@ -79,7 +81,7 @@ def authenticator(function):
|
||||||
return function(*args, **kwargs)
|
return function(*args, **kwargs)
|
||||||
# Direct token-based authentication
|
# Direct token-based authentication
|
||||||
if 'token' in flask.request.values:
|
if 'token' in flask.request.values:
|
||||||
if any(token for token in config['authentication_tokens'] if flask.request.values['token'] in token['token']):
|
if any(token for token in config['auth_tokens'] if flask.request.values['token'] in token['token']):
|
||||||
return function(*args, **kwargs)
|
return function(*args, **kwargs)
|
||||||
else:
|
else:
|
||||||
return flask.jsonify({"message":"Authentication failed"}), 401
|
return flask.jsonify({"message":"Authentication failed"}), 401
|
||||||
|
@ -95,8 +97,12 @@ def api_root():
|
||||||
|
|
||||||
@api.route('/api/v1/auth/login', methods=['GET', 'POST'])
|
@api.route('/api/v1/auth/login', methods=['GET', 'POST'])
|
||||||
def api_auth_login():
|
def api_auth_login():
|
||||||
|
# Just return a 200 if auth is disabled
|
||||||
|
if not config['auth_enabled']:
|
||||||
|
return flask.jsonify({"message":"Authentication is disabled."}), 200
|
||||||
|
|
||||||
if flask.request.method == 'POST':
|
if flask.request.method == 'POST':
|
||||||
if any(token for token in config['authentication_tokens'] if flask.request.values['token'] in token['token']):
|
if any(token for token in config['auth_tokens'] if flask.request.values['token'] in token['token']):
|
||||||
flask.session['token'] = flask.request.form['token']
|
flask.session['token'] = flask.request.form['token']
|
||||||
return flask.redirect(flask.url_for('api_root'))
|
return flask.redirect(flask.url_for('api_root'))
|
||||||
else:
|
else:
|
||||||
|
@ -113,6 +119,10 @@ def api_auth_login():
|
||||||
|
|
||||||
@api.route('/api/v1/auth/logout', methods=['GET', 'POST'])
|
@api.route('/api/v1/auth/logout', methods=['GET', 'POST'])
|
||||||
def api_auth_logout():
|
def api_auth_logout():
|
||||||
|
# Just return a 200 if auth is disabled
|
||||||
|
if not config['auth_enabled']:
|
||||||
|
return flask.jsonify({"message":"Authentication is disabled."}), 200
|
||||||
|
|
||||||
# remove the username from the session if it's there
|
# remove the username from the session if it's there
|
||||||
flask.session.pop('token', None)
|
flask.session.pop('token', None)
|
||||||
return flask.redirect(flask.url_for('api_root'))
|
return flask.redirect(flask.url_for('api_root'))
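Review bot: The token check in `authenticator`, and again in `api_auth_login`, is `flask.request.values['token'] in token['token']`, which is a substring test on two strings rather than an equality test, so an empty submitted value or any fragment of a configured token satisfies it. Compare the whole value in constant time instead, e.g. `if any(hmac.compare_digest(flask.request.values['token'].encode(), t['token'].encode()) for t in config['auth_tokens']):` (this needs `import hmac`). Also reject an empty submitted token before comparing, since the sample config ships `token: ""`. Separately, `api_auth_login` validates `flask.request.values['token']` but then stores `flask.request.form['token']`, so a token sent in the query string passes the check and then fails the form lookup; reading one source for both would be consistent. Both functions continue outside the hunks shown, so the session branch was not reviewed.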
|
||||||
|
|
|
@ -19,10 +19,12 @@ pvc:
|
||||||
listen_address: "127.0.0.1"
|
listen_address: "127.0.0.1"
|
||||||
# listen_port: TCP port to listen on, usually 7370
|
# listen_port: TCP port to listen on, usually 7370
|
||||||
listen_port: "7370"
|
listen_port: "7370"
|
||||||
# secret_key: Per-cluster secret key for API cookies; generate with uuidgen or pwgen
|
|
||||||
secret_key: ""
|
|
||||||
# authentication: Authentication and security settings
|
# authentication: Authentication and security settings
|
||||||
authentication:
|
authentication:
|
||||||
|
# enabled: Enable or disable authentication (True/False)
|
||||||
|
enabled: False
|
||||||
|
# secret_key: Per-cluster secret key for API cookies; generate with uuidgen or pwgen
|
||||||
|
secret_key: ""
|
||||||
# tokens: a list of authentication tokens; leave as an empty list to disable authentication
|
# tokens: a list of authentication tokens; leave as an empty list to disable authentication
|
||||||
tokens:
|
tokens:
|
||||||
# description: token description for management
|
# description: token description for management
|
||||||
|
@ -31,7 +33,7 @@ pvc:
|
||||||
token: ""
|
token: ""
|
||||||
# ssl: SSL configuration
|
# ssl: SSL configuration
|
||||||
ssl:
|
ssl:
|
||||||
# Enabled or disable SSL operation
|
# enabled: Enabled or disable SSL operation (True/False)
|
||||||
enabled: False
|
enabled: False
|
||||||
# cert_file: SSL certificate file
|
# cert_file: SSL certificate file
|
||||||
cert_file: ""
|
cert_file: ""
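Review bot: The `tokens` comment still says `leave as an empty list to disable authentication`, but after this change the API code keys off `authentication.enabled`, so an empty list with `enabled: True` appears to reject every token rather than turn authentication off. I would reword it to something like `# tokens: a list of authentication tokens; only consulted when enabled is True`. The sample also ships `secret_key: ""`, which the API code assigns to Flask's `SECRET_KEY` when `enabled` is true. The `secret_key` comment should state that a non-empty, randomly generated value is required whenever authentication is enabled, and the loader would ideally refuse to start otherwise.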
|
||||||
|
|