This also removes the outdated comments around authorship of each
file. If there is still interest in this information, one can just
look at the git history.
The `ImportModuleAPI` calls the `auth.get_user()` which auths the
user using Kerberos. The `ImportModuleAPI` later calls `SCMHandler`
which in its `__init__` method calls the `auth.get_user()` again.
This leads to a traceback in GSSAPI, because the user is already
authed.
This commit fixes this by caching the auth results in `flask.g`,
which is reset after each request based on the Note in
http://flask.pocoo.org/docs/1.0/appcontext/#storing-data.
This commit also marks mutual auth as OPTIONAL in `mbs-cli`,
because MBS server currently does not do mutual auth.
This is required for monitoring use-cases, where we can have a Kerberos principal for a
service account but no associated account in LDAP to check group membership.
The difference between 401 Unauthorized and 403 Forbidden is that 403 Forbidden is "permanent":
it indicates that the user was authenticated correctly, but was not allowed to access this endpoint.
In contrast, 401 Unauthorized means that the request as posted was not allowed, but if the user
were to try again with (new) authorization tokens, it might actually succeed.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
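The two ideas in the commit messages above, caching the authentication result for the lifetime of one request so the GSSAPI step runs only once, and answering 401 when the request carried no valid credentials versus 403 when the user authenticated but lacks the required group, as an added example that is not MBS project code. To run without Flask installed, `flask.g` is emulated with a `contextvars`-backed namespace that the request loop creates and discards per request; the `kerberos_authenticate` stand-in, the `X-Principal` header, and the group directory are constructed for the example (a real deployment reads the Negotiate header and consults LDAP).

```python
"""Added example (not MBS code): per-request caching of the auth result,
plus the 401-vs-403 distinction, with a contextvars stand-in for flask.g."""
import contextvars
from types import SimpleNamespace

# Stand-in for flask.g: one fresh namespace per request, torn down afterwards.
_g_var = contextvars.ContextVar("g")


class Unauthorized(Exception):   # maps to HTTP 401: credentials missing/invalid
    pass


class Forbidden(Exception):      # maps to HTTP 403: authenticated, not allowed
    pass


def kerberos_authenticate(headers):
    """Hypothetical stand-in for the GSSAPI step. In the original bug this ran
    twice in one request and raised; the counter lets a test prove it now runs
    at most once per request."""
    kerberos_authenticate.calls += 1
    principal = headers.get("X-Principal")   # constructed: real code parses Negotiate
    if not principal:
        raise Unauthorized("no valid Kerberos credentials")
    return principal


kerberos_authenticate.calls = 0


def get_user(headers):
    """Authenticate once per request; later callers in the same request reuse it."""
    g = _g_var.get()
    if not hasattr(g, "user"):
        g.user = kerberos_authenticate(headers)
    return g.user


def require_group(headers, allowed_groups, directory):
    """Authorization: Unauthorized (401) if unauthenticated, Forbidden (403)
    if the user is authenticated but in none of the allowed groups."""
    user = get_user(headers)                  # may raise Unauthorized
    groups = directory.get(user, set())
    if not groups & allowed_groups:
        raise Forbidden(f"{user} is not in {sorted(allowed_groups)}")
    return user


def handle_request(headers, allowed_groups, directory):
    """Request loop: fresh `g` per request, like Flask's app-context teardown.
    Calls get_user() twice, as ImportModuleAPI and then SCMHandler do."""
    token = _g_var.set(SimpleNamespace())
    try:
        get_user(headers)                                    # first caller
        user = require_group(headers, allowed_groups, directory)  # second caller
        return 200, user
    except Unauthorized as exc:
        return 401, str(exc)
    except Forbidden as exc:
        return 403, str(exc)
    finally:
        _g_var.reset(token)                                  # drop the cache


# Constructed sample directory and policy (not real accounts or groups).
DIRECTORY = {"alice": {"modularity-wg"}, "bob": {"packager"}}
ALLOWED_GROUPS = {"modularity-wg"}


if __name__ == "__main__":
    for hdrs in ({"X-Principal": "alice"}, {"X-Principal": "bob"}, {}):
        print(hdrs, "->", handle_request(hdrs, ALLOWED_GROUPS, DIRECTORY))
    print("authenticate calls:", kerberos_authenticate.calls)
```

Because the cache lives in the per-request namespace rather than in a module-level variable, a second request never sees the first request's user, which is the property the Flask docs note relies on.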
This removes our query to FAS and fixes #304.
It is more flexible too, where we can now configure production to only
allow in members of the `modularity-wg` group, and then later open it up
to all packagers after F26 is out (as was agreed with FESCo).
In the process of working on this, I discovered that #305 is not
necessary. We don't need our own scope; we can just use the `groups`
scope as done here.