kallithea Changeset - 9cf90371d0f1

Changeset - 9cf90371d0f1

Parent rev.

Child rev.

[Not reviewed]

default

0 4 0

Søren Løvborg - 9 years ago 2017-01-02 18:51:37
sorenl@unity3d.com

auth: add support for "Bearer" auth scheme (API key variant)

This allows the API key to be passed in a header instead of the query
string, reducing the risk of accidental API key leaks:

Authorization: Bearer <api key>

The Bearer authorization scheme is standardized in RFC 6750, though
used here outside the full OAuth 2.0 authorization framework. (Full
OAuth can still be added later without breaking existing users.)

4 files changed with 47 insertions and 9 deletions:

docs/api/api.rst

kallithea/lib/base.py

kallithea/lib/utils2.py

kallithea/tests/functional/test_login.py

0 comments (0 inline, 0 general)

docs/api/api.rst

➞

Show inline comments

@@ @@ -1016,11 +1016,17 @@ For example, to enable API access to pat @@
     api_access_controllers_whitelist =
         ChangesetController:changeset_patch,
         ChangesetController:changeset_raw,
         FilesController:raw,
         FilesController:archivefile
 After this change, a Kallithea view can be accessed without login by adding a
 GET parameter ``?api_key=<api_key>`` to the URL.
 After this change, a Kallithea view can be accessed without login using
 bearer authentication, by including this header with the request::
     Authentication: Bearer <api_key>
 Alternatively, the API key can be passed in the URL query string using
 ``?api_key=<api_key>``, though this is not recommended due to the increased
 risk of API key leaks, and support will likely be removed in the future.
 Exposing raw diffs is a good way to integrate with
 third-party services like code review, or build farms that can download archives.

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -362,17 +362,21 @@ class BaseController(WSGIController): @@
         c.my_pr_count = PullRequest.query(reviewer_id=c.authuser.user_id, include_closed=False).count()
         self.sa = meta.Session
         self.scm_model = ScmModel(self.sa)
     @staticmethod
     def _determine_auth_user(api_key, session_authuser):
     def _determine_auth_user(api_key, bearer_token, session_authuser):
         """
         Create an `AuthUser` object given the API key/bearer token
         (if any) and the value of the authuser session cookie.
         """
         Create an `AuthUser` object given the API key (if any) and the
         value of the authuser session cookie.
         """
         # Authenticate by bearer token
         if bearer_token is not None:
             api_key = bearer_token
         # Authenticate by API key
         if api_key is not None:
             au = AuthUser(dbuser=User.get_by_api_key(api_key),
                 authenticating_api_key=api_key, is_external_auth=True)
             if au.is_anonymous:
@@ @@ -456,14 +460,26 @@ class BaseController(WSGIController): @@
             self.ip_addr = _get_ip_addr(environ)
             # make sure that we update permissions each time we call controller
             self._basic_security_checks()
             #set globals for auth user
             bearer_token = None
             try:
                 # Request.authorization may raise ValueError on invalid input
                 type, params = request.authorization
             except (ValueError, TypeError):
                 pass
             else:
                 if type.lower() == 'bearer':
                     bearer_token = params
             self.authuser = c.authuser = request.user = self._determine_auth_user(
                 request.GET.get('api_key'),
                 bearer_token,
                 session.get('authuser'),
+            )
             log.info('IP: %s User: %s accessed %s',
                 self.ip_addr, self.authuser,
                 safe_unicode(_get_access_path(environ)),

kallithea/lib/utils2.py

➞

Show inline comments

@@ @@ -128,13 +128,20 @@ def detect_mode(line, default): @@
         return default
 def generate_api_key():
     """
     Generates a random (presumably unique) API key.
     This value is used in URLs and "Bearer" HTTP Authorization headers,
     which in practice means it should only contain URL-safe characters
     (RFC 3986):
         unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
     """
     # Hexadecimal certainly qualifies as URL-safe.
     return binascii.hexlify(os.urandom(20))
 def safe_int(val, default=None):
     """
     Returns int() of val if val is not convertable to int use default

kallithea/tests/functional/test_login.py

➞

Show inline comments

@@ @@ -432,28 +432,37 @@ class TestLoginController(TestController @@
     def _get_api_whitelist(self, values=None):
         config = {'api_access_controllers_whitelist': values or []}
         return config
     def _api_key_test(self, api_key, status):
         """Verifies HTTP status code for accessing an auth-requiring page,
         using the given api_key URL parameter. If api_key is None, no api_key
         parameter is passed at all. If api_key is True, a real, working API key
         is used.
         using the given api_key URL parameter as well as using the API key
         with bearer authentication.
         If api_key is None, no api_key is passed at all. If api_key is True,
         a real, working API key is used.
         """
         with fixture.anon_access(False):
             if api_key is None:
                 params = {}
                 headers = {}
             else:
                 if api_key is True:
                     api_key = User.get_first_admin().api_key
                 params = {'api_key': api_key}
                 headers = {'Authorization': 'Bearer ' + str(api_key)}
             self.app.get(url(controller='changeset', action='changeset_raw',
                              repo_name=HG_REPO, revision='tip', **params),
                          status=status)
             self.app.get(url(controller='changeset', action='changeset_raw',
                              repo_name=HG_REPO, revision='tip'),
                          headers=headers,
                          status=status)
     @parametrize('test_name,api_key,code', [
         ('none', None, 302),
         ('empty_string', '', 403),
         ('fake_number', '123456', 403),
         ('proper_api_key', True, 403)
     ])

0 comments (0 inline, 0 general)