diff --git a/files/copr/fe/hotfix/misc.py b/files/copr/fe/hotfix/misc.py deleted file mode 100644 index 5823347e28..0000000000 --- a/files/copr/fe/hotfix/misc.py +++ /dev/null @@ -1,153 +0,0 @@ -import base64 -import datetime -import functools - -import flask - -from coprs import app -from coprs import db -from coprs import helpers -from coprs import models -from coprs import oid - - -@app.before_request -def lookup_current_user(): - flask.g.user = None - if "openid" in flask.session: - flask.g.user = models.User.query.filter( - models.User.openid_name == flask.session["openid"]).first() - - -@app.errorhandler(404) -def page_not_found(message): - return flask.render_template("404.html", message=message), 404 - - -misc = flask.Blueprint("misc", __name__) - - -@misc.route("/login/", methods=["GET"]) -@oid.loginhandler -def login(): - if flask.g.user is not None: - return flask.redirect("https://copr.fedoraproject.org") - else: - return oid.try_login("https://id.fedoraproject.org/", - ask_for=["email", "timezone"]) - - -@oid.after_login -def create_or_login(resp): - flask.session["openid"] = resp.identity_url - fasusername = resp.identity_url.replace( - ".id.fedoraproject.org/", "").replace("http://", "") - - # kidding me.. or not - if fasusername and ((app.config["USE_ALLOWED_USERS"] - and fasusername in app.config["ALLOWED_USERS"]) - or not app.config["USE_ALLOWED_USERS"]): - - user = models.User.query.filter( - models.User.openid_name == resp.identity_url).first() - if not user: # create if not created already - expiration_date_token = datetime.date.today() + \ - datetime.timedelta( - days=flask.current_app.config["API_TOKEN_EXPIRATION"]) - - copr64 = base64.b64encode("copr") + "##" - user = models.User(openid_name=resp.identity_url, mail=resp.email, - timezone=resp.timezone, - api_login=copr64 + helpers.generate_api_token( - app.config["API_TOKEN_LENGTH"] - len(copr64)), - api_token=helpers.generate_api_token( - app.config["API_TOKEN_LENGTH"]), - api_token_expiration=expiration_date_token) - else: - user.mail = resp.email - user.timezone = resp.timezone - - db.session.add(user) - db.session.commit() - flask.flash(u"Welcome, {0}".format(user.name)) - flask.g.user = user - - if flask.request.url_root == oid.get_next_url(): - return flask.redirect(flask.url_for("coprs_ns.coprs_by_owner", - username=user.name)) - return flask.redirect("https://copr.fedoraproject.org") - else: - flask.flash("User '{0}' is not allowed".format(user.name)) - return flask.redirect("https://copr.fedoraproject.org") - - -@misc.route("/logout/") -def logout(): - flask.session.pop("openid", None) - flask.flash(u"You were signed out") - return flask.redirect("https://copr.fedoraproject.org") - - -def api_login_required(f): - @functools.wraps(f) - def decorated_function(*args, **kwargs): - token = None - username = None - if "Authorization" in flask.request.headers: - base64string = flask.request.headers["Authorization"] - base64string = base64string.split()[1].strip() - userstring = base64.b64decode(base64string) - (username, token) = userstring.split(":") - token_auth = False - if token and username: - user = models.User.query.filter( - models.User.api_login == username).first() - if (user and user.api_token == token and - user.api_token_expiration >= datetime.date.today()): - - token_auth = True - flask.g.user = user - if not token_auth: - output = {"output": "notok", "error": "Login invalid/expired"} - jsonout = flask.jsonify(output) - jsonout.status_code = 500 - return jsonout - return f(*args, **kwargs) - return decorated_function - - -def login_required(role=helpers.RoleEnum("user")): - def view_wrapper(f): - @functools.wraps(f) - def decorated_function(*args, **kwargs): - if flask.g.user is None: - return flask.redirect(flask.url_for("misc.login", - next=flask.request.url)) - - if role == helpers.RoleEnum("admin") and not flask.g.user.admin: - flask.flash("You are not allowed to access admin section.") - return flask.redirect(flask.url_for("coprs_ns.coprs_show")) - - return f(*args, **kwargs) - return decorated_function - # hack: if login_required is used without params, the "role" parameter - # is in fact the decorated function, so we need to return - # the wrapped function, not the wrapper - # proper solution would be to use login_required() with parentheses - # everywhere, even if they"re empty - TODO - if callable(role): - return view_wrapper(role) - else: - return view_wrapper - - -# backend authentication -def backend_authenticated(f): - @functools.wraps(f) - def decorated_function(*args, **kwargs): - auth = flask.request.authorization - if not auth or auth.password != app.config["BACKEND_PASSWORD"]: - return "You have to provide the correct password", 401 - - return f(*args, **kwargs) - return decorated_function diff --git a/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml b/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml index 04273cce16..4ea95482d0 100644 --- a/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml @@ -64,15 +64,6 @@ tags: - config - #- name: HOTFIX install a patch to mitigate the Covert Redirect vuln - # copy: > - # src="{{ files }}/copr/fe/hotfix/misc.py" - # dest=/usr/share/copr/coprs_frontend/coprs/views/misc.py - # notify: - # - restart httpd - # tags: - # - hotfix - - name: copy apache files to conf.d action: copy src="{{ files }}/copr/fe/httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" with_items: