From 72979288f1ca2742a6ef1d96cbfb97484fb152a4 Mon Sep 17 00:00:00 2001 From: Owen W. Taylor Date: Aug 11 2017 02:55:04 +0000 Subject: Fix operation with 'noauth' backend With the noauth backend, user/groups are not set on the app context, so we can't check them in the requires_role wrapper; skip the checking if the backend is noauth. Automatically set login_disabled in the config, to avoid a confusing interaction between auth_backend and login_disabled. Remove the leftover AUTHORIZED_DISABLED in conf/config.py - it was no longer used for anything. --- diff --git a/server/conf/config.py b/server/conf/config.py index 4d74071..fdc63ea 100644 --- a/server/conf/config.py +++ b/server/conf/config.py @@ -98,11 +98,6 @@ class DevConfiguration(BaseConfiguration): except: pass - # Disable login_required in development environment - LOGIN_DISABLED = True - # Disable authorize in development environment - AUTHORIZE_DISABLED = True - AUTH_BACKEND = 'noauth' AUTH_OPENIDC_USERINFO_URI = 'https://iddev.fedorainfracloud.org/openidc/UserInfo' diff --git a/server/odcs/server/auth.py b/server/odcs/server/auth.py index 9c78b4b..c471095 100644 --- a/server/odcs/server/auth.py +++ b/server/odcs/server/auth.py @@ -169,6 +169,9 @@ def requires_role(role): def wrapper(f): @wraps(f) def wrapped(*args, **kwargs): + if conf.auth_backend == 'noauth': + return f(*args, **kwargs) + groups = getattr(conf, role).get('groups', []) users = getattr(conf, role).get('users', []) in_groups = bool(set(flask.g.groups) & set(groups)) diff --git a/server/odcs/server/config.py b/server/odcs/server/config.py index 3247156..ddc14d0 100644 --- a/server/odcs/server/config.py +++ b/server/odcs/server/config.py @@ -183,10 +183,6 @@ class Config(object): 'type': list, 'default': [], 'desc': 'Required scopes for submitting request to run new compose.'}, - 'authorize_disabled': { - 'type': bool, - 'default': False, - 'desc': 'Disable group based authorization.'}, } def __init__(self, conf_section_obj): 
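Review bot: The early return added to `wrapped` in server/odcs/server/auth.py fails open. When `conf.auth_backend == 'noauth'`, every view guarded by `requires_role` runs with no role check at all, and nothing on the new lines records that the check was skipped. `DevConfiguration` in server/conf/config.py sets `AUTH_BACKEND = 'noauth'`, so a deployment that picks up that value by mistake would, as far as this diff shows, lose authorization without any signal. I would add a comment above the check, `# noauth: flask.g carries no user/groups, so role checks are skipped entirely; development only`, and log one warning when the configuration is loaded with this backend. The rest of `wrapped` continues outside the hunk.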
@@ -207,6 +203,9 @@ class Config(object): # set item (lower key) self.set_item(key.lower(), getattr(conf_section_obj, key)) + # Used by Flask-Login to disable the @login_required decorator + self.login_disabled = self.auth_backend == 'noauth' + def set_item(self, key, value): """ Set value for configuration item. Creates the self._key = value diff --git a/server/tests/test_views.py b/server/tests/test_views.py index 00a1f7e..fc24595 100644 --- a/server/tests/test_views.py +++ b/server/tests/test_views.py @@ -90,7 +90,13 @@ class TestViews(unittest.TestCase): @contextlib.contextmanager def test_request_context(self, user=None, groups=None, **kwargs): with app.test_request_context(**kwargs): + patch_auth_backend = None if user is not None: + # authentication is disabled with auth_backend=noauth + patch_auth_backend = patch.object(odcs.server.auth.conf, + 'auth_backend', + new='kerberos') + patch_auth_backend.start() if not User.find_user_by_name(user): User.create_user(username=user) db.session.commit() @@ -106,7 +112,11 @@ class TestViews(unittest.TestCase): with self.client.session_transaction() as sess: sess['user_id'] = user sess['_fresh'] = True - yield + try: + yield + finally: + if patch_auth_backend is not None: + patch_auth_backend.stop() def test_submit_build(self): with self.test_request_context(user='dev'):
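Review bot: `self.login_disabled` is assigned after the `set_item` calls in `Config.__init__`, so it apparently overrides any `LOGIN_DISABLED` value the configuration section supplied, and it is written directly rather than through `set_item`. The comment should state that, for example `# Derived from auth_backend; overrides any LOGIN_DISABLED from the config section`. Flask-Login reads `LOGIN_DISABLED` from the Flask application config, and the code that carries this attribute there is not visible in the hunk, so that link is worth confirming. `__init__` begins above the hunk.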
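Review bot: `patch_auth_backend.start()` in `test_request_context` runs before the `try:` that the later hunk (`@@ -106,7 +112,11 @@`) wraps around `yield`. An exception in the setup in between (`User.create_user`, `db.session.commit()`, `session_transaction()`) therefore skips the `finally`. That leaves `auth_backend` patched to `'kerberos'` for every test that runs afterwards. Open the `try:` directly after `patch_auth_backend.start()` so the `finally` covers the setup as well as the `yield`. Some lines of the function between the two hunks are not shown, so the exact span to re-indent should be checked against the file.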