Allow auth.get_user() method to be called multiple times.

The `ImportModuleAPI` calls the `auth.get_user()` which auths the user using Kerberos. the `ImportModuleAPI` later calls `SCMHandler` which in its `__init__` method calls the `auth.get_user()` again. This leads to traceback in GSSAPI, because the user is already authed. This commit fixes this by caching the auth results in `flask.g`, which is reset after each request based on the Note in http://flask.pocoo.org/docs/1.0/appcontext/#storing-data. This commit also marks mutual auth as OPTIONAL in `mbs-cli`, because MBS server currently does not do mutual auth.
2026-04-23 18:21:42 +08:00 · 2019-03-07 09:37:14 +01:00
parent ac0bd8ceb8
commit c5a9a1b8af
3 changed files with 32 additions and 14 deletions
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -32,6 +32,7 @@ from werkzeug.exceptions import Unauthorized as FlaskUnauthorized
 import module_build_service.auth
 import module_build_service.errors
 import module_build_service.config as mbs_config
+from module_build_service import app


 class TestAuthModule:
@@ -44,7 +45,8 @@ class TestAuthModule:
            request.cookies.return_value = {}

            with pytest.raises(module_build_service.errors.Unauthorized) as cm:
-                module_build_service.auth.get_user(request)
+                with app.app_context():
+                    module_build_service.auth.get_user(request)
                assert str(cm.value) == "No 'authorization' header found."

    @patch('module_build_service.auth._get_token_info')
@@ -71,7 +73,8 @@ class TestAuthModule:
            request.headers.__contains__.side_effect = headers.__contains__

            with pytest.raises(module_build_service.errors.Unauthorized) as cm:
-                module_build_service.auth.get_user(request)
+                with app.app_context():
+                    module_build_service.auth.get_user(request)
                assert str(cm.value) == "OIDC token invalid or expired."

    @pytest.mark.parametrize('allowed_users', (set(), set(['Joey Jo Jo Junior Shabadoo'])))
@@ -100,13 +103,21 @@ class TestAuthModule:
            request.headers.__setitem__.side_effect = headers.__setitem__
            request.headers.__contains__.side_effect = headers.__contains__

-            username, groups = module_build_service.auth.get_user(request)
+            with app.app_context():
+                username, groups = module_build_service.auth.get_user(request)
+                username_second_call, groups_second_call = module_build_service.auth.get_user(
+                    request)
            assert username == name
            if allowed_users:
                assert groups == set()
            else:
                assert groups == set(get_user_info.return_value["groups"])

+            # Test the real auth method has been called just once.
+            get_user_info.assert_called_once()
+            assert username_second_call == username
+            assert groups_second_call == groups
+
    @patch.object(mbs_config.Config, 'no_auth', new_callable=PropertyMock, return_value=True)
    def test_disable_authentication(self, conf_no_auth):
        request = mock.MagicMock()
@@ -118,7 +129,8 @@ class TestAuthModule:
    def test_misconfiguring_oidc_client_secrets_should_be_failed(self):
        request = mock.MagicMock()
        with pytest.raises(module_build_service.errors.Forbidden) as cm:
-            module_build_service.auth.get_user(request)
+            with app.app_context():
+                module_build_service.auth.get_user(request)
            assert str(cm.value) == "OIDC_CLIENT_SECRETS must be set in server config."

    @patch('module_build_service.auth._get_token_info')
@@ -145,7 +157,8 @@ class TestAuthModule:
            request.headers.__contains__.side_effect = headers.__contains__

            with pytest.raises(module_build_service.errors.Unauthorized) as cm:
-                module_build_service.auth.get_user(request)
+                with app.app_context():
+                    module_build_service.auth.get_user(request)
                assert str(cm.value) == ("Required OIDC scope 'mbs-scope' not present: "
                                         "['openid', 'https://id.fedoraproject.org/scope/groups']")

@@ -172,7 +185,8 @@ class TestAuthModule:
            request.headers.__contains__.side_effect = headers.__contains__

            with pytest.raises(module_build_service.errors.Forbidden) as cm:
-                module_build_service.auth.get_user(request)
+                with app.app_context():
+                    module_build_service.auth.get_user(request)
                assert str(cm.value) == "OIDC_REQUIRED_SCOPE must be set in server config."