Fix changing of auth_type in existing deployments

Problem: If an existing swauth deployment changes `auth_type` in conf file to a different one (for example: sha1 to sha512), all attempts to authorize existing/old users will fail because of change in encoder type. Fix: With this change, the credentials match is done using an encoder with which the password was initially encoded. This allows swauth deployments to change auth_type and old users will still be able to authorize. Closes-Bug: 1516980 Change-Id: I8a5c397d0796062f4109c59b6dc61b14d4a97e4b Signed-off-by: Prashanth Pai <ppai@redhat.com>
2016-02-26 18:37:34 +05:30 · 2016-02-26 18:37:34 +05:30 · e40938cbb4
commit e40938cbb4
parent ac9698ae4d
2 changed files with 35 additions and 3 deletions
--- a/swauth/middleware.py
+++ b/swauth/middleware.py
@ -1511,14 +1511,21 @@ class Swauth(object):

    def credentials_match(self, user_detail, key):
        """Returns True if the key is valid for the user_detail.
-        It will use self.auth_encoder to check for a key match.
+        It will use auth_encoder type the password was encoded with,
+        to check for a key match.

        :param user_detail: The dict for the user.
        :param key: The key to validate for the user.
        :returns: True if the key is valid for the user, False if not.
        """
-        return user_detail and self.auth_encoder().match(
-          key, user_detail.get('auth'))
+        if user_detail:
+            creds = user_detail.get('auth')
+            auth_type = creds.split(':')[0]
+            auth_encoder = getattr(swauth.authtypes, auth_type.title(), None)
+            if auth_encoder is None:
+                self.logger.error('Invalid auth_type %s' % auth_type)
+                return False
+        return user_detail and auth_encoder().match(key, creds)

    def is_user_changing_own_key(self, req, user):
        """Check if the user is changing his own key.
--- a/test/unit/test_middleware.py
+++ b/test/unit/test_middleware.py
@ -205,6 +205,31 @@ class TestAuth(unittest.TestCase):
        self.assertEqual(ath.dsc_url, 'https://host/path')
        self.assertEqual(ath.dsc_url2, 'http://host2/path2')

+    def test_credentials_match_auth_encoder_type(self):
+        plaintext_auth = {'auth': 'plaintext:key'}
+        sha1_key = ("sha1:T0YFdhqN4uDRWiYLxWa7H2T8AewG4fEYQyJFRLsgcfk=$46c58"
+                    "07eb8a32e8f404fea9eaaeb60b7e1207ff1")
+        sha1_auth = {'auth': sha1_key}
+        sha512_key = ("sha512:aSm0jEeqIp46T5YLZy1r8+cXs/Xzs1S4VUwVauhBs44=$ef"
+                      "7332ec1288bf69c75682eb8d459d5a84baa7e43f45949c242a9af9"
+                      "7130ef16ac361fe1aa33a789e218122b83c54ef1923fc015080741"
+                      "ca21f6187329f6cb7a")
+        sha512_auth = {'auth': sha512_key}
+
+        # test all possible config settings work with all possible auth types
+        for auth_type in ('plaintext', 'sha1', 'sha512'):
+            test_auth = auth.filter_factory({'super_admin_key': 'superkey',
+                'auth_type': auth_type})(FakeApp())
+            for detail in (plaintext_auth, sha1_auth, sha512_auth):
+                self.assertTrue(test_auth.credentials_match(detail, 'key'))
+            # test invalid auth type stored
+            invalid_detail = {'auth': 'Junk:key'}
+            test_auth.logger = mock.Mock()
+            self.assertFalse(test_auth.credentials_match(invalid_detail,
+                                                         'key'))
+            # make sure error is logged
+            test_auth.logger.called_once_with('Invalid auth_type Junk')
+
    def test_top_level_denied(self):
        resp = Request.blank('/').get_response(self.test_auth)
        self.assertEqual(resp.status_int, 401)