From 0dec5f2d3cc7e2628d7156485a95035615f7793d Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Mon, 20 Feb 2017 13:07:27 -0500
Subject: [PATCH 1/4] Remove unused import.
---
 module_build_service/auth.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/module_build_service/auth.py b/module_build_service/auth.py
index 6d657256..53dc5942 100644
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -28,7 +28,6 @@ from module_build_service import app, log
 import requests
 import json
-from six.moves.urllib.parse import urlencode
 def _json_loads(content):
From 61b7b6f47d30121d42525b86dd36d33ab18af6f6 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Mon, 20 Feb 2017 13:12:00 -0500
Subject: [PATCH 2/4] Use an authorization header instead of cookie for oidc token. Fixes #330.
---
 contrib/submit_build.py | 2 +-
 module_build_service/auth.py | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/contrib/submit_build.py b/contrib/submit_build.py
index e8660ca4..346a7704 100644
--- a/contrib/submit_build.py
+++ b/contrib/submit_build.py
@@ -99,4 +99,4 @@ print "Using https://%s/module_build_service/module-builds/" % mbs_host
 print "NOTE: You need to be a Fedora packager for this to work"
 print
-os.system("curl -b 'oidc_token=%s' -k -H 'Content-Type: text/json' --data @submit-build.json https://%s/module-build-service/1/module-builds/ -v" % (token, mbs_host))
+os.system("curl -k -H 'Authorization: Bearer %s' -H 'Content-Type: text/json' --data @submit-build.json https://%s/module-build-service/1/module-builds/ -v" % (token, mbs_host))
diff --git a/module_build_service/auth.py b/module_build_service/auth.py
index 53dc5942..c717bb2f 100644
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
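Review bot: The bearer token in the new `os.system(...)` line still travels in argv, so it is readable by every local user through the process table for the lifetime of the curl call, and `-v` echoes the `Authorization` header to stderr; the commit moves the secret from a cookie argument to a header argument without changing that exposure. Because the command is assembled by string interpolation and run through a shell, an `mbs_host` or token value containing shell metacharacters would also be interpreted by the shell rather than passed through. Feeding curl its config on stdin (`-K -`) from `subprocess` keeps the token out of argv and out of the shell; `subprocess` would need importing at the top of the script. `-k` predates this change, but it deserves an inline comment since it means the token is presented to whatever answers at `mbs_host` without certificate verification.
```python
# … unchanged: the three print statements above …
# Hand curl the Authorization header via its config-on-stdin (-K -) so the
# token never appears in argv; the list form also keeps a shell out of it.
curl = subprocess.Popen(
    ["curl", "-k", "-K", "-", "-H", "Content-Type: text/json",
     "--data", "@submit-build.json",
     "https://%s/module-build-service/1/module-builds/" % mbs_host, "-v"],
    stdin=subprocess.PIPE)
curl.communicate('header = "Authorization: Bearer %s"\n' % token)
```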
@@ -86,11 +86,15 @@ def get_user(request):
 _load_secrets()
- if not "oidc_token" in request.cookies:
- raise Unauthorized("Cannot verify OIDC token: No 'oidc_token' "
- "cookie found.")
+ if not "authorization" in request.headers:
+ raise Unauthorized("No 'authorization' header found.")
- token = request.cookies["oidc_token"]
+ header = request.headers['authorization']
+ prefix = 'Bearer '
+ if not header.startswith(prefix):
+ raise Unauthorized("Authorization headers must start with %r" % prefix)
+
+ token = header[len(prefix):]
 try:
 data = _get_token_info(token)
 except Exception as e:
From b5e31d73a183a43bbddd6dbabb762db223dceb6c Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Mon, 20 Feb 2017 14:37:17 -0500
Subject: [PATCH 3/4] Adjust test string.
---
 tests/test_views/test_views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_views/test_views.py b/tests/test_views/test_views.py
index 6de9da82..2970e214 100644
--- a/tests/test_views/test_views.py
+++ b/tests/test_views/test_views.py
@@ -270,7 +270,7 @@ class TestViews(unittest.TestCase):
 data = json.loads(rv.data)
 self.assertEquals(
 data['message'],
- "Cannot verify OIDC token: No 'oidc_token' cookie found."
+ "No 'authorization' header found."
 )
 self.assertEquals(data['status'], 401)
 self.assertEquals(data['error'], 'Unauthorized')
From 64fb5e9a1d9a2e8221839cf78e681c5fe6c969fb Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Mon, 20 Feb 2017 21:12:30 -0500
Subject: [PATCH 4/4] Be nice. Kill whitespace.
---
 module_build_service/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/module_build_service/auth.py b/module_build_service/auth.py
index c717bb2f..58ebee70 100644
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
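Review bot: The scheme check on the new `if not header.startswith(prefix)` line is case-sensitive, so a client sending `bearer <token>` is rejected even though the HTTP auth-scheme is case-insensitive, and a header consisting of just `Bearer ` passes an empty token on to `_get_token_info` instead of being refused up front. Splitting once and comparing the lowered scheme handles both: `scheme, _, token = header.strip().partition(' ')` / `if scheme.lower() != 'bearer' or not token.strip():` / `raise Unauthorized("Authorization header must be 'Bearer <token>'")`, after which the existing `token = header[len(prefix):]` line reduces to `token = token.strip()`. Patch 4's hunk at the same lines only adds `.strip()` and inherits the same check. The `if not "authorization" in request.headers` line reads better as `if "authorization" not in request.headers`. `get_user` starts and ends outside the hunk.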
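Review bot: The only path this test exercises is the missing-header one; the new rejection branch in `get_user` (a header present but not starting with `Bearer `) and the happy path with a well-formed `Authorization: Bearer …` header get no test anywhere in this series, so a regression in the prefix parsing would pass CI. A second case posting with `headers={'Authorization': 'Basic x'}` and asserting `data['status'] == 401` together with the message `Authorization headers must start with 'Bearer '` would cover the rejection branch. The enclosing test method starts and ends outside the hunk.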
@@ -89,12 +89,12 @@ def get_user(request):
 if not "authorization" in request.headers:
 raise Unauthorized("No 'authorization' header found.")
- header = request.headers['authorization']
+ header = request.headers['authorization'].strip()
 prefix = 'Bearer '
 if not header.startswith(prefix):
 raise Unauthorized("Authorization headers must start with %r" % prefix)
- token = header[len(prefix):]
+ token = header[len(prefix):].strip()
 try:
 data = _get_token_info(token)
 except Exception as e: