External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-02 23:25:29 -02:30
Code Issues Packages Projects Releases Wiki Activity

don't allow OAuth2 token creation for "external" users

Browse Source 
see: https://github.com/ansible/tower/issues/2326
This commit is contained in:
Ryan Petrello
2018-07-10 11:51:37 -04:00
parent d9713f9b3f
commit df0e28ec65
8 changed files with 99 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
awx/api/conf.py
View File

@@ -47,3 +47,14 @@ register(
category=_('Authentication'),
category_slug='authentication',
)
register(
'ALLOW_OAUTH2_FOR_EXTERNAL_USERS',
field_class=fields.BooleanField,
default=False,
label=_('Allow External Users to Create OAuth2 Tokens'),
help_text=_('For security reasons, users from external auth providers (LDAP, SAML, '
'SSO, Radius, and others) are not allowed to create OAuth2 tokens. '
'To change this behavior, enable this setting.'),
category=_('Authentication'),
category_slug='authentication',
)

29
awx/api/serializers.py
View File

@@ -13,6 +13,7 @@ from collections import OrderedDict
from datetime import timedelta
# OAuth2
from oauthlib import oauth2
from oauthlib.common import generate_token
# Django
@@ -54,7 +55,7 @@ from awx.main.utils import (
get_type_for_model, get_model_for_type, timestamp_apiformat,
camelcase_to_underscore, getattrd, parse_yaml_or_json,
has_model_field_prefetched, extract_ansible_vars, encrypt_dict,
prefetch_page_capabilities)
prefetch_page_capabilities, get_external_account)
from awx.main.utils.filters import SmartFilter
from awx.main.redact import REPLACE_STR
@@ -932,23 +933,7 @@ class UserSerializer(BaseSerializer):
obj.save(update_fields=['password'])
def get_external_account(self, obj):
account_type = None
if getattr(settings, 'AUTH_LDAP_SERVER_URI', None) and feature_enabled('ldap'):
try:
if obj.pk and obj.profile.ldap_dn and not obj.has_usable_password():
account_type = "ldap"
except AttributeError:
pass
if (getattr(settings, 'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY', None) or
getattr(settings, 'SOCIAL_AUTH_GITHUB_KEY', None) or
getattr(settings, 'SOCIAL_AUTH_GITHUB_ORG_KEY', None) or
getattr(settings, 'SOCIAL_AUTH_GITHUB_TEAM_KEY', None) or
getattr(settings, 'SOCIAL_AUTH_SAML_ENABLED_IDPS', None)) and obj.social_auth.all():
account_type = "social"
if (getattr(settings, 'RADIUS_SERVER', None) or
getattr(settings, 'TACACSPLUS_HOST', None)) and obj.enterprise_auth.all():
account_type = "enterprise"
return account_type
return get_external_account(obj)
def create(self, validated_data):
new_password = validated_data.pop('password', None)
@@ -1082,7 +1067,13 @@ class BaseOAuth2TokenSerializer(BaseSerializer):
'Must be a simple space-separated string with allowed scopes {}.'
).format(self.ALLOWED_SCOPES))
return value
def create(self, validated_data):
try:
return super(BaseOAuth2TokenSerializer, self).create(validated_data)
except oauth2.AccessDeniedError as e:
raise PermissionDenied(str(e))
class UserAuthorizedTokenSerializer(BaseOAuth2TokenSerializer):

17
awx/api/urls/oauth2_root.py
View File

@@ -3,16 +3,29 @@
from django.conf.urls import url
from oauth2_provider.urls import base_urlpatterns
from oauthlib import oauth2
from oauth2_provider import views
from awx.api.views import (
ApiOAuthAuthorizationRootView,
)
class TokenView(views.TokenView):
def create_token_response(self, request):
try:
return super(TokenView, self).create_token_response(request)
except oauth2.AccessDeniedError as e:
return request.build_absolute_uri(), {}, str(e), '403'
urls = [
url(r'^$', ApiOAuthAuthorizationRootView.as_view(), name='oauth_authorization_root_view'),
] + base_urlpatterns
url(r"^authorize/$", views.AuthorizationView.as_view(), name="authorize"),
url(r"^token/$", TokenView.as_view(), name="token"),
url(r"^revoke_token/$", views.RevokeTokenView.as_view(), name="revoke-token"),
]
__all__ = ['urls']