Posted to commits@airavata.apache.org by ma...@apache.org on 2020/09/22 21:07:38 UTC

[airavata-django-portal] 05/05: AIRAVATA-3346 Handle failed bearer token authentication

This is an automated email from the ASF dual-hosted git repository.

machristie pushed a commit to branch AIRAVATA-3346-implement-remote-fs-abstraction-of-user-storage
in repository https://gitbox.apache.org/repos/asf/airavata-django-portal.git

commit c592887583ffee67a59a0fbd494b03e634fcfdd1
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Tue Sep 22 17:07:15 2020 -0400

    AIRAVATA-3346 Handle failed bearer token authentication
---
 django_airavata/apps/api/authentication.py | 3 +++
 django_airavata/apps/auth/backends.py      | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/django_airavata/apps/api/authentication.py b/django_airavata/apps/api/authentication.py
index acda113..fd282ba 100644
--- a/django_airavata/apps/api/authentication.py
+++ b/django_airavata/apps/api/authentication.py
@@ -14,6 +14,9 @@ class OAuthAuthentication(authentication.BaseAuthentication):
         if 'HTTP_AUTHORIZATION' in request.META:
             try:
                 user = authenticate(request=request)
+                if user is None:
+                    raise exceptions.AuthenticationFailed(
+                        "Token failed to authenticate")
                 _, token = request.META.get('HTTP_AUTHORIZATION').split()
 
                 # authz_token_middleware has already run, so must manually add
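Review bot: Raising `AuthenticationFailed` on L29–31 only produces a 401 with a challenge header if `OAuthAuthentication` also implements `authenticate_header`; otherwise DRF turns a failed authentication into a 403 with no `WWW-Authenticate`, which is not what a bearer-token client expects on a bad or expired token. If the class does not already define it (not visible in this hunk), add `def authenticate_header(self, request): return 'Bearer'`. The raise also sits inside a `try:` whose `except` clause is past the end of the hunk; if that clause catches `Exception` broadly, the new `AuthenticationFailed` will be intercepted there, so confirm it lets `APIException` through or re-raises. The enclosing `authenticate` method continues outside this hunk.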
diff --git a/django_airavata/apps/auth/backends.py b/django_airavata/apps/auth/backends.py
index 4dd913d..1c9591d 100644
--- a/django_airavata/apps/auth/backends.py
+++ b/django_airavata/apps/auth/backends.py
@@ -39,6 +39,7 @@ class KeycloakBackend(object):
                 bearer, token = request.META.get('HTTP_AUTHORIZATION').split()
                 if bearer != "Bearer":
                     raise Exception("Unexpected Authorization header")
+                # implicitly validate token by using it to get userinfo
                 userinfo = self._get_userinfo_from_token(request, token)
                 # Token should be added as a request attribute (request.auth)
                 # self._process_token(request, token)
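Review bot: The new comment on L43 overstates what the userinfo call establishes: a successful userinfo response shows the token is active and accepted by the realm, but it does not show the token was issued for this client (no `aud`/`azp` comparison), so a valid access token minted for any other client in the same realm would also authenticate here unless the commented-out `_process_token` path or something outside this hunk enforces that. I would make the comment state the limit so the next maintainer does not read it as full validation: `# implicitly validate token by using it to get userinfo; this only proves the token is active for the realm, not that it was issued to this client (no aud/azp check)`. The enclosing method starts and ends outside this hunk.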
@@ -154,6 +155,11 @@ class KeycloakBackend(object):
             oauth2_session.verify = settings.KEYCLOAK_CA_CERTFILE
         userinfo = oauth2_session.get(
             userinfo_url, verify=verify_ssl).json()
+        if 'error' in userinfo:
+            msg = userinfo.get('error_description')
+            if msg is None:
+                msg = f"Error fetching userinfo: {userinfo['error']}"
+            raise Exception(msg)
         return userinfo
 
     def _process_token(self, request, token):
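Review bot: The added `'error' in userinfo` check on L51 only works when Keycloak answers a rejected token with a JSON object in the body; a 401 with an empty or non-JSON body makes `.json()` on L49–50 raise a decode error before the check runs, and a JSON array would make the membership test meaningless, so the caller gets an unrelated exception instead of the intended message. Check the HTTP status before parsing and reject a non-object body, keeping the existing `error` key handling as the fallback for an error reported in a 200 response. `_get_userinfo_from_token` starts before this hunk, so `verify_ssl` and `userinfo_url` are defined outside what is visible here.
```python
        resp = oauth2_session.get(userinfo_url, verify=verify_ssl)
        if resp.status_code != 200:
            raise Exception(
                f"Error fetching userinfo: HTTP {resp.status_code}")
        userinfo = resp.json()
        if not isinstance(userinfo, dict):
            raise Exception("Error fetching userinfo: unexpected response body")
        # … unchanged: 'error' / 'error_description' handling …
        return userinfo
```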