Merge pull request #5499 from ryanpetrello/more-oauth-tinkering
only restrict OAuth2 tokens for external accounts *at creation time* Reviewed-by: https://github.com/apps/softwarefactory-project-zuul
@@ -124,11 +124,6 @@ class OAuth2AccessToken(AbstractAccessToken):
|
|||||||
def is_valid(self, scopes=None):
|
def is_valid(self, scopes=None):
|
||||||
valid = super(OAuth2AccessToken, self).is_valid(scopes)
|
valid = super(OAuth2AccessToken, self).is_valid(scopes)
|
||||||
if valid:
|
if valid:
|
||||||
try:
|
|
||||||
self.validate_external_users()
|
|
||||||
except oauth2.AccessDeniedError:
|
|
||||||
logger.exception(f'Failed to authenticate {self.user.username}')
|
|
||||||
return False
|
|
||||||
self.last_used = now()
|
self.last_used = now()
|
||||||
|
|
||||||
def _update_last_used():
|
def _update_last_used():
|
||||||
@@ -146,5 +141,6 @@ class OAuth2AccessToken(AbstractAccessToken):
|
|||||||
).format(external_account))
|
).format(external_account))
|
||||||
|
|
||||||
def save(self, *args, **kwargs):
|
def save(self, *args, **kwargs):
|
||||||
self.validate_external_users()
|
if not self.pk:
|
||||||
|
self.validate_external_users()
|
||||||
super(OAuth2AccessToken, self).save(*args, **kwargs)
|
super(OAuth2AccessToken, self).save(*args, **kwargs)
|
||||||
|
|||||||
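Review bot: With `validate_external_users()` now guarded by `if not self.pk:` in `save()` and the matching check removed from `is_valid()`, a token issued while ALLOW_OAUTH2_FOR_EXTERNAL_USERS was enabled keeps authenticating after the setting is turned off, until it expires or is revoked; that is the commit's stated intent, but nothing at the call site says so. I would add above the guard: `# Enforce the external-account policy only when the token is first issued; existing tokens are not re-validated on use, so disabling the setting later requires revoking them explicitly.` The deleted branch in `is_valid()` also carried the only visible `logger.exception(...)` for a refused external user, so a creation-time refusal is now presumably surfaced only by the propagating `AccessDeniedError`; if `validate_external_users()` (outside the hunk) does not log, consider logging there so the denial still appears in the audit trail. The `is_valid` body continues past this hunk's first lines and `_update_last_used` starts at its end.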
@@ -69,7 +69,7 @@ def test_token_creation_disabled_for_external_accounts(oauth_application, post,
|
|||||||
|
|
||||||
|
|
||||||
@pytest.mark.django_db
|
@pytest.mark.django_db
|
||||||
def test_existing_token_disabled_for_external_accounts(oauth_application, get, post, admin):
|
def test_existing_token_enabled_for_external_accounts(oauth_application, get, post, admin):
|
||||||
UserEnterpriseAuth(user=admin, provider='radius').save()
|
UserEnterpriseAuth(user=admin, provider='radius').save()
|
||||||
url = drf_reverse('api:oauth_authorization_root_view') + 'token/'
|
url = drf_reverse('api:oauth_authorization_root_view') + 'token/'
|
||||||
with override_settings(RADIUS_SERVER='example.org', ALLOW_OAUTH2_FOR_EXTERNAL_USERS=True):
|
with override_settings(RADIUS_SERVER='example.org', ALLOW_OAUTH2_FOR_EXTERNAL_USERS=True):
|
||||||
@@ -98,9 +98,9 @@ def test_existing_token_disabled_for_external_accounts(oauth_application, get, p
|
|||||||
resp = get(
|
resp = get(
|
||||||
drf_reverse('api:user_me_list', kwargs={'version': 'v2'}),
|
drf_reverse('api:user_me_list', kwargs={'version': 'v2'}),
|
||||||
HTTP_AUTHORIZATION='Bearer ' + token,
|
HTTP_AUTHORIZATION='Bearer ' + token,
|
||||||
status=401
|
status=200
|
||||||
)
|
)
|
||||||
assert b'To establish a login session' in resp.content
|
assert json.loads(resp.content)['results'][0]['username'] == 'admin'
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.django_db
|
@pytest.mark.django_db
|
||||||
|
|||||||
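Review bot: The renamed `test_existing_token_enabled_for_external_accounts` only shows `ALLOW_OAUTH2_FOR_EXTERNAL_USERS=True` in its `override_settings` block, and the GET asserting `status=200` sits inside that same block; unless the setting is flipped to False between token creation and the request (lines outside this hunk), the test exercises "allowed user gets a token" rather than the new behaviour the commit introduces, namely that a token created while allowed still works once the setting is disabled. If the flip is indeed missing, a second `override_settings(ALLOW_OAUTH2_FOR_EXTERNAL_USERS=False)` around the GET would pin the creation-time-only semantics. The function body begins before the `@@ -98` hunk.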