infrastructure/ansible
1
0
Fork 0
Code Pull requests 7 Activity Actions

revert 602405b5 - copr is on F20 and does not need hotfix any more

Browse source
This commit is contained in:
Miroslav Suchý 2014-07-17 09:57:40 +00:00
parent fc85af9aba
commit 16d5a369a0
2 changed files with 0 additions and 162 deletions
Download patch file Download diff file Expand all files Collapse all files

153
files/copr/fe/hotfix/misc.py
View file

@ -1,153 +0,0 @@
import base64
import datetime
import functools
import flask
from coprs import app
from coprs import db
from coprs import helpers
from coprs import models
from coprs import oid
@app.before_request
def lookup_current_user():
flask.g.user = None
if "openid" in flask.session:
flask.g.user = models.User.query.filter(
models.User.openid_name == flask.session["openid"]).first()
@app.errorhandler(404)
def page_not_found(message):
return flask.render_template("404.html", message=message), 404
misc = flask.Blueprint("misc", __name__)
@misc.route("/login/", methods=["GET"])
@oid.loginhandler
def login():
if flask.g.user is not None:
return flask.redirect("https://copr.fedoraproject.org")
else:
return oid.try_login("https://id.fedoraproject.org/",
ask_for=["email", "timezone"])
@oid.after_login
def create_or_login(resp):
flask.session["openid"] = resp.identity_url
fasusername = resp.identity_url.replace(
".id.fedoraproject.org/", "").replace("http://", "")
# kidding me.. or not
if fasusername and ((app.config["USE_ALLOWED_USERS"]
and fasusername in app.config["ALLOWED_USERS"])
or not app.config["USE_ALLOWED_USERS"]):
user = models.User.query.filter(
models.User.openid_name == resp.identity_url).first()
if not user: # create if not created already
expiration_date_token = datetime.date.today() + \
datetime.timedelta(
days=flask.current_app.config["API_TOKEN_EXPIRATION"])
copr64 = base64.b64encode("copr") + "##"
user = models.User(openid_name=resp.identity_url, mail=resp.email,
timezone=resp.timezone,
api_login=copr64 + helpers.generate_api_token(
app.config["API_TOKEN_LENGTH"] - len(copr64)),
api_token=helpers.generate_api_token(
app.config["API_TOKEN_LENGTH"]),
api_token_expiration=expiration_date_token)
else:
user.mail = resp.email
user.timezone = resp.timezone
db.session.add(user)
db.session.commit()
flask.flash(u"Welcome, {0}".format(user.name))
flask.g.user = user
if flask.request.url_root == oid.get_next_url():
return flask.redirect(flask.url_for("coprs_ns.coprs_by_owner",
username=user.name))
return flask.redirect("https://copr.fedoraproject.org")
else:
flask.flash("User '{0}' is not allowed".format(user.name))
return flask.redirect("https://copr.fedoraproject.org")
@misc.route("/logout/")
def logout():
flask.session.pop("openid", None)
flask.flash(u"You were signed out")
return flask.redirect("https://copr.fedoraproject.org")
def api_login_required(f):
@functools.wraps(f)
def decorated_function(*args, **kwargs):
token = None
username = None
if "Authorization" in flask.request.headers:
base64string = flask.request.headers["Authorization"]
base64string = base64string.split()[1].strip()
userstring = base64.b64decode(base64string)
(username, token) = userstring.split(":")
token_auth = False
if token and username:
user = models.User.query.filter(
models.User.api_login == username).first()
if (user and user.api_token == token and
user.api_token_expiration >= datetime.date.today()):
token_auth = True
flask.g.user = user
if not token_auth:
output = {"output": "notok", "error": "Login invalid/expired"}
jsonout = flask.jsonify(output)
jsonout.status_code = 500
return jsonout
return f(*args, **kwargs)
return decorated_function
def login_required(role=helpers.RoleEnum("user")):
def view_wrapper(f):
@functools.wraps(f)
def decorated_function(*args, **kwargs):
if flask.g.user is None:
return flask.redirect(flask.url_for("misc.login",
next=flask.request.url))
if role == helpers.RoleEnum("admin") and not flask.g.user.admin:
flask.flash("You are not allowed to access admin section.")
return flask.redirect(flask.url_for("coprs_ns.coprs_show"))
return f(*args, **kwargs)
return decorated_function
# hack: if login_required is used without params, the "role" parameter
# is in fact the decorated function, so we need to return
# the wrapped function, not the wrapper
# proper solution would be to use login_required() with parentheses
# everywhere, even if they"re empty - TODO
if callable(role):
return view_wrapper(role)
else:
return view_wrapper
# backend authentication
def backend_authenticated(f):
@functools.wraps(f)
def decorated_function(*args, **kwargs):
auth = flask.request.authorization
if not auth or auth.password != app.config["BACKEND_PASSWORD"]:
return "You have to provide the correct password", 401
return f(*args, **kwargs)
return decorated_function

9
playbooks/hosts/copr-fe.cloud.fedoraproject.org.yml
View file

@ -64,15 +64,6 @@
tags: tags:
- config - config
#- name: HOTFIX install a patch to mitigate the Covert Redirect vuln
# copy: >
# src="{{ files }}/copr/fe/hotfix/misc.py"
# dest=/usr/share/copr/coprs_frontend/coprs/views/misc.py
# notify:
# - restart httpd
# tags:
# - hotfix
- name: copy apache files to conf.d - name: copy apache files to conf.d
action: copy src="{{ files }}/copr/fe/httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" action: copy src="{{ files }}/copr/fe/httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
with_items: with_items: