misc: do not trace on invalid HTTP auth (#42784)
This commit is contained in:
parent
da747f414c
commit
6f43d36ad8
|
@ -78,10 +78,17 @@ def get_request_users(request):
|
||||||
users.extend(ApiUser.objects.filter(keytype='API', key=request.GET['apikey']))
|
users.extend(ApiUser.objects.filter(keytype='API', key=request.GET['apikey']))
|
||||||
|
|
||||||
elif 'HTTP_AUTHORIZATION' in request.META:
|
elif 'HTTP_AUTHORIZATION' in request.META:
|
||||||
(scheme, param) = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
|
http_authorization = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
|
||||||
if scheme.lower() == 'basic':
|
scheme = http_authorization[0].lower()
|
||||||
username, password = force_text(base64.b64decode(force_bytes(param.strip()))).split(':', 1)
|
if scheme == 'basic' and len(http_authorization) > 1:
|
||||||
users.extend(ApiUser.objects.filter(keytype='SIGN', username=username, key=password))
|
param = http_authorization[1]
|
||||||
|
try:
|
||||||
|
decoded = force_text(base64.b64decode(force_bytes(param.strip())))
|
||||||
|
username, password = decoded.split(':', 1)
|
||||||
|
except (TypeError, ValueError):
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
users.extend(ApiUser.objects.filter(keytype='SIGN', username=username, key=password))
|
||||||
|
|
||||||
def ip_match(ip, match):
|
def ip_match(ip, match):
|
||||||
if not ip:
|
if not ip:
|
||||||
|
|
|
@ -0,0 +1,71 @@
|
||||||
|
# Copyright (C) 2019 Entr'ouvert
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU Affero General Public License as published
|
||||||
|
# by the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU Affero General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU Affero General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
import base64
|
||||||
|
|
||||||
|
from django.utils.encoding import force_str
|
||||||
|
|
||||||
|
from passerelle.base.models import ApiUser
|
||||||
|
from passerelle.base.signature import sign_query
|
||||||
|
from passerelle.utils import get_request_users
|
||||||
|
|
||||||
|
|
||||||
|
def test_get_request_users_publik_signature(db, rf):
|
||||||
|
request = rf.get('/?' + sign_query('orig=orig', key='publikkey'))
|
||||||
|
assert get_request_users(request) == []
|
||||||
|
|
||||||
|
api_user = ApiUser.objects.create(keytype='SIGN', username='orig', key='publikkey')
|
||||||
|
assert get_request_users(request) == [api_user]
|
||||||
|
|
||||||
|
request = rf.get('/?orig=orig&signature=xxx')
|
||||||
|
assert get_request_users(request) == []
|
||||||
|
|
||||||
|
|
||||||
|
def test_get_request_users_apikey(db, rf):
|
||||||
|
request = rf.get('/', data={'apikey': 'apikey'})
|
||||||
|
assert get_request_users(request) == []
|
||||||
|
|
||||||
|
api_user = ApiUser.objects.create(keytype='API', key='apikey')
|
||||||
|
assert get_request_users(request) == [api_user]
|
||||||
|
|
||||||
|
|
||||||
|
def test_get_request_users_http_auth_basic(db, rf):
|
||||||
|
api_user = ApiUser.objects.create(keytype='SIGN', username='john', key='password')
|
||||||
|
encoded = force_str(base64.b64encode(b'john:password'))
|
||||||
|
request = rf.get('/', HTTP_AUTHORIZATION='Basic ' + encoded)
|
||||||
|
assert get_request_users(request) == [api_user]
|
||||||
|
|
||||||
|
|
||||||
|
def test_get_request_users_http_auth_invalid(db, rf):
|
||||||
|
request = rf.get('/', HTTP_AUTHORIZATION='')
|
||||||
|
assert get_request_users(request) == []
|
||||||
|
|
||||||
|
# no param
|
||||||
|
request = rf.get('/', HTTP_AUTHORIZATION='Basic')
|
||||||
|
assert get_request_users(request) == []
|
||||||
|
|
||||||
|
# invalid base64
|
||||||
|
request = rf.get('/', HTTP_AUTHORIZATION='Basic xx')
|
||||||
|
assert get_request_users(request) == []
|
||||||
|
|
||||||
|
# missing : in decoded base64
|
||||||
|
request = rf.get('/', HTTP_AUTHORIZATION='Basic ' + force_str(base64.b64encode(b'x')))
|
||||||
|
assert get_request_users(request) == []
|
||||||
|
|
||||||
|
# other schemes are ignored
|
||||||
|
request = rf.get('/', HTTP_AUTHORIZATION='Bearer')
|
||||||
|
assert get_request_users(request) == []
|
||||||
|
request = rf.get('/', HTTP_AUTHORIZATION='Digest kjkjlkjlkjljlkj')
|
||||||
|
assert get_request_users(request) == []
|
Loading…
Reference in New Issue