Use the 403 Forbidden result in case the user is unauthorized

The difference between 401 Unauthorized and 403 Forbidden is that 403 Forbidden is "permanent":
it indicates that the user was authenticated correctly, but was not allowed to access this endpoint.
In contrast, 401 Unauthorized means that the request as posted was not allowed, but if the user
were to try again with (new) authorization tokens, it might actually succeed.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Patrick Uiterwijk
2017-03-13 07:26:30 +00:00
parent 7cf77d0fee
commit a4763ee316
4 changed files with 21 additions and 21 deletions


@@ -23,7 +23,7 @@
"""Auth system based on the client certificate and FAS account"""
from module_build_service.errors import Unauthorized
from module_build_service.errors import Unauthorized, Forbidden
from module_build_service import app, log
import requests
@@ -43,7 +43,7 @@ def _load_secrets():
return
if not "OIDC_CLIENT_SECRETS" in app.config:
raise Unauthorized("OIDC_CLIENT_SECRETS must be set in server config.")
raise Forbidden("OIDC_CLIENT_SECRETS must be set in server config.")
secrets = _json_loads(open(app.config['OIDC_CLIENT_SECRETS'],
'r').read())
@@ -103,7 +103,7 @@ def get_user(request):
except Exception as e:
error = "Cannot verify OIDC token: %s" % str(e)
log.exception(error)
raise Unauthorized(error)
raise Exception(error)
if not data or not "active" in data or not data["active"]:
raise Unauthorized("OIDC token invalid or expired.")
@@ -119,7 +119,7 @@ def get_user(request):
]
for scope in required_scopes:
if scope not in presented_scopes:
raise Unauthorized("Required OIDC scope %r not present: %r" % (
raise Forbidden("Required OIDC scope %r not present: %r" % (
scope, presented_scopes))
try:
@@ -127,13 +127,13 @@ def get_user(request):
except Exception as e:
error = "Cannot verify determine user groups: %s" % str(e)
log.exception(error)
raise Unauthorized(error)
raise Exception(error)
try:
groups = set(extended_data['groups'])
except Exception as e:
error = "Could not find groups in UserInfo from OIDC %s" % str(e)
log.exception(extended_data)
raise Unauthorized(error)
raise Exception(error)
return data["username"], groups