diff --git a/lava_server/security.py b/lava_server/security.py
index 5a23e0996b9696cce47734579b9d31513706a3f7..f2c4ab38355d052d6dee5e2f9d377788916dda4c 100644
--- a/lava_server/security.py
+++ b/lava_server/security.py
@@ -17,12 +17,15 @@
# along with Lava Server. If not, see .
from __future__ import annotations
+from base64 import b64decode
from pathlib import PurePosixPath
from typing import ClassVar
from django.conf import settings
from django.contrib.auth.decorators import login_required
+from linaro_django_xmlrpc.models import AuthToken
+
class LavaRequireLoginMiddleware:
HOME_PATH: ClassVar[PurePosixPath] = PurePosixPath("/") / settings.MOUNT_POINT
@@ -52,14 +55,25 @@ class LavaRequireLoginMiddleware:
except ValueError:
return False
- if not auth_method.lower() == "token":
+ if auth_method.lower() == "token":
+ token_str = auth_value
+ elif auth_method.lower() == "basic":
+ # HACK: lavacli sends token as a password of basic auth
+ try:
+ basic_auth_decoded = b64decode(auth_value).decode("utf-8")
+ except UnicodeDecodeError:
+ return False
+
+ try:
+ _, token_str = basic_auth_decoded.split(":")
+ except ValueError:
+ return False
+ else:
return False
- from linaro_django_xmlrpc.models import AuthToken
-
try:
token_object = AuthToken.objects.select_related("user").get(
- secret=auth_value
+ secret=token_str
)
except AuthToken.DoesNotExist:
return False
@@ -70,12 +84,12 @@ class LavaRequireLoginMiddleware:
return True
def __call__(self, request):
- if self.passthrough_valid_token(request.META.get("HTTP_AUTHORIZATION", "")):
- return self.get_response(request)
-
path = PurePosixPath(request.path)
if self.is_login_not_required(path):
return self.get_response(request)
+ if self.passthrough_valid_token(request.META.get("HTTP_AUTHORIZATION", "")):
+ return self.get_response(request)
+
return self.require_login(request)
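Review bot: `b64decode(auth_value)` in the new `basic` branch raises `binascii.Error` (a `ValueError` subclass) on malformed or mis-padded input and a plain `ValueError` on non-ASCII input, but the `except` only catches `UnicodeDecodeError`, so a garbage `Authorization: Basic …` header from an unauthenticated client becomes a 500 instead of `return False`; since `UnicodeDecodeError` is itself a `ValueError`, `except ValueError:` covers all three cases with one line. The `_, token_str = basic_auth_decoded.split(":")` unpack also rejects any credential whose password part contains a colon (RFC 7617 forbids colons only in the user-id), so split on the first colon only: `_, token_str = basic_auth_decoded.split(":", 1)`. The user-id half is silently discarded and the token alone selects the user, which is worth stating in the HACK comment, e.g. `# HACK: lavacli sends the token as the Basic-auth password; the user-id is ignored, the token alone identifies the user`. The enclosing method `passthrough_valid_token` begins before this hunk, so the parse that produces `auth_method`/`auth_value` is not visible here.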