From 45b231072881f02616172c3ce7f7eb4212faf35f Mon Sep 17 00:00:00 2001
From: Igor Ponomarev
Date: Mon, 4 Jul 2022 12:06:29 +0300
Subject: [PATCH] Fix lavacli not working when REQUIRE_LOGIN is activated
lavacli sends token as basic auth instead of `Token` authentication header. Upstream MR: https://git.lavasoftware.org/lava/lava/-/merge_requests/1800
---
 lava_server/security.py | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/lava_server/security.py b/lava_server/security.py
index 5a23e0996..f2c4ab383 100644
--- a/lava_server/security.py
+++ b/lava_server/security.py
@@ -17,12 +17,15 @@
 # along with Lava Server. If not, see .
 from __future__ import annotations
+from base64 import b64decode
 from pathlib import PurePosixPath
 from typing import ClassVar
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
+from linaro_django_xmlrpc.models import AuthToken
+
 class LavaRequireLoginMiddleware:
 HOME_PATH: ClassVar[PurePosixPath] = PurePosixPath("/") / settings.MOUNT_POINT
@@ -52,14 +55,25 @@ class LavaRequireLoginMiddleware:
 except ValueError:
 return False
- if not auth_method.lower() == "token":
+ if auth_method.lower() == "token":
+ token_str = auth_value
+ elif auth_method.lower() == "basic":
+ # HACK: lavacli sends token as a password of basic auth
+ try:
+ basic_auth_decoded = b64decode(auth_value).decode("utf-8")
+ except UnicodeDecodeError:
+ return False
+
+ try:
+ _, token_str = basic_auth_decoded.split(":")
+ except ValueError:
+ return False
+ else:
 return False
- from linaro_django_xmlrpc.models import AuthToken
-
 try:
 token_object = AuthToken.objects.select_related("user").get(
- secret=auth_value
+ secret=token_str
 )
 except AuthToken.DoesNotExist:
 return False
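Review bot: A malformed Basic credential escapes the new `except UnicodeDecodeError:` guard around `b64decode(auth_value).decode("utf-8")`, because `b64decode` raises `binascii.Error` (a `ValueError` subclass) on bad padding or a non-ASCII string, so an unparsable `Authorization: Basic …` header surfaces as an unhandled exception instead of the `return False` every other bad header gets. Widening the clause to `except ValueError:` covers both cases, since `UnicodeDecodeError` is itself a `ValueError`. The unpacking `_, token_str = basic_auth_decoded.split(":")` also rejects any secret that contains a colon (RFC 7617 only forbids colons in the user-id), so if token secrets can ever contain one, `_, _, token_str = basic_auth_decoded.partition(":")` splits on the first colon only and needs no `except`. The Basic user-id is discarded and never compared with the token's owner, which matches the `Token` branch but deserves a comment such as `# user-id is ignored: the secret alone identifies the user, as with the Token scheme`. The start of passthrough_valid_token, where auth_method and auth_value are split off the header, lies outside this hunk.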
@@ -70,12 +84,12 @@ class LavaRequireLoginMiddleware:
 return True
 def __call__(self, request):
- if self.passthrough_valid_token(request.META.get("HTTP_AUTHORIZATION", "")):
- return self.get_response(request)
-
 path = PurePosixPath(request.path)
 if self.is_login_not_required(path):
 return self.get_response(request)
+ if self.passthrough_valid_token(request.META.get("HTTP_AUTHORIZATION", "")):
+ return self.get_response(request)
+
 return self.require_login(request)
-- GitLab
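Review bot: Moving the `passthrough_valid_token` call below the `is_login_not_required(path)` check means a request carrying a valid token to an allow-listed path no longer passes through the token code at all; if that method attaches the token's user to the request (its body is outside this hunk), views on those paths that previously saw an authenticated user will now see an anonymous one, a behaviour change the commit message does not mention. If the reorder is only meant to spare public paths the AuthToken database query, that intent belongs in a comment above the relocated lines, e.g. `# Public paths skip the token lookup; only login-required paths pay for the AuthToken query.`, together with a check that nothing on those paths depends on token-derived request.user.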