GithubFollow/One-KVM
1
0
Fork 0
mirror of https://github.com/mofeng-git/One-KVM.git synced 2026-01-29 00:51:53 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

single-shot auth using headers

Browse Source
This commit is contained in:
Devaev Maxim
2019-04-27 05:16:00 +03:00
parent 3476f52da9
commit 493d160a6e
7 changed files with 46 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
kvmd/apps/kvmd/auth.py
View File

@@ -47,33 +47,40 @@ class AuthManager:
) -> None:
self.__internal_service = get_auth_service_class(internal_type)(**internal_kwargs)
get_logger().info("Using internal login service %r", self.__internal_service.PLUGIN_NAME)
get_logger().info("Using internal auth service %r", self.__internal_service.PLUGIN_NAME)
self.__external_service: Optional[BaseAuthService] = None
if external_type:
self.__external_service = get_auth_service_class(external_type)(**external_kwargs)
get_logger().info("Using external login service %r", self.__external_service.PLUGIN_NAME)
get_logger().info("Using external auth service %r", self.__external_service.PLUGIN_NAME)
self.__internal_users = internal_users
self.__tokens: Dict[str, str] = {} # {token: user}
async def login(self, user: str, passwd: str) -> Optional[str]:
async def authorize(self, user: str, passwd: str) -> bool:
if user not in self.__internal_users and self.__external_service:
service = self.__external_service
else:
service = self.__internal_service
if (await service.login(user, passwd)):
ok = (await service.authorize(user, passwd))
if ok:
get_logger().info("Authorized user %r via auth service %r", user, service.PLUGIN_NAME)
else:
get_logger().error("Got access denied for user %r from auth service %r", user, service.PLUGIN_NAME)
return ok
async def login(self, user: str, passwd: str) -> Optional[str]:
if (await self.authorize(user, passwd)):
for (token, token_user) in self.__tokens.items():
if user == token_user:
return token
token = secrets.token_hex(32)
self.__tokens[token] = user
get_logger().info("Logged in user %r via login service %r", user, service.PLUGIN_NAME)
get_logger().info("Logged in user %r", user)
return token
else:
get_logger().error("Access denied for user %r from login service %r", user, service.PLUGIN_NAME)
return None
def logout(self, token: str) -> None:

22
kvmd/apps/kvmd/server.py
View File

@@ -82,11 +82,11 @@ except ImportError:
from aiohttp.helpers import AccessLogger # type: ignore # pylint: disable=ungrouped-imports
_ATTR_KVMD_USER = "kvmd_user"
_ATTR_KVMD_AUTH_INFO = "kvmd_auth_info"
def _format_P(request: aiohttp.web.BaseRequest, *_, **__) -> str: # type: ignore # pylint: disable=invalid-name
return (getattr(request, _ATTR_KVMD_USER, None) or "-")
return (getattr(request, _ATTR_KVMD_AUTH_INFO, None) or "-")
AccessLogger._format_P = staticmethod(_format_P) # type: ignore # pylint: disable=protected-access
@@ -148,6 +148,9 @@ _ATTR_EXPOSED_METHOD = "exposed_method"
_ATTR_EXPOSED_PATH = "exposed_path"
_ATTR_SYSTEM_TASK = "system_task"
_HEADER_AUTH_USER = "X-KVMD-User"
_HEADER_AUTH_PASSWD = "X-KVMD-Passwd"
_COOKIE_AUTH_TOKEN = "auth_token"
@@ -156,12 +159,23 @@ def _exposed(http_method: str, path: str, auth_required: bool=True) -> Callable:
async def wrap(self: "Server", request: aiohttp.web.Request) -> aiohttp.web.Response:
try:
if auth_required:
user = request.headers.get(_HEADER_AUTH_USER, "")
passwd = request.headers.get(_HEADER_AUTH_PASSWD, "")
token = request.cookies.get(_COOKIE_AUTH_TOKEN, "")
if token:
if user:
user = valid_user(user)
setattr(request, _ATTR_KVMD_AUTH_INFO, "%s (xhdr)" % (user))
if not (await self._auth_manager.authorize(user, valid_passwd(passwd))):
raise ForbiddenError("Forbidden")
elif token:
user = self._auth_manager.check(valid_auth_token(token))
if not user:
setattr(request, _ATTR_KVMD_AUTH_INFO, "- (token)")
raise ForbiddenError("Forbidden")
setattr(request, _ATTR_KVMD_USER, user)
setattr(request, _ATTR_KVMD_AUTH_INFO, "%s (token)" % (user))
else:
raise UnauthorizedError("Unauthorized")