Skip to content

add new backend support for wott #1165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 32 commits into from
Jun 21, 2019
Merged

add new backend support for wott #1165

merged 32 commits into from
Jun 21, 2019

Conversation

eugenosm
Copy link
Contributor

closes #1149
based on #1148 (PR #1162)

a-martynovich and others added 19 commits June 14, 2019 16:34
@a-martynovich
Move auth code to auth.py.
6ad4a24 
Introduce abstract Auth class, BasicAuth providing HTTP Authentication and its dummy subclass WoTTAuth.
Move assetdir initialization to a separate function run by Flask.
@a-martynovich
Add docs to Auth class.
0a889d0
@a-martynovich
More docstrings and TODOs for WoTTAuth.
590a069
@a-martynovich
Configurable auth backend in ScreenlySettings.
0c1f18c 
Let Auth classes specify their config.
@a-martynovich
Rename auth backend config groups.
5e3f0d3 
Rewrite auth settings update procedure.
@a-martynovich
Fix pep8 warnings.
0531b6d
@a-martynovich
Auth backend select UI.
da05e74
@a-martynovich
Pass list of auth backends to settings template.
4784146 
Add NoAuth backend ("Disabled").
@a-martynovich
Only show username/password settings for auth_basic.
5417d1c
@a-martynovich
Fix pep8 warnings.
4e93a37
@a-martynovich
Make auth backends UI-modular.
f297535
@a-martynovich
Fix auth backend switching error.
62109ff
@eugenosm
add wott-credentials authority
0f403b0
@eugenosm
merge with last Screenly#1148 updates (modular ui)
280f144
@eugenosm
documentation added.
1cd9fc1
@eugenosm
change two credentials records to one with value in form "user:password"
3b27831
@eugenosm
change two credentials records to one with value in form "user:password"
602e03c
@eugenosm
documentation update
5fac65a
@eugenosm
codacy - corrections
6c8db20
@eugenosm
Copy link
Contributor Author

and it need to do something with permission to acces to credentials file

@vpetersson
Copy link
Contributor

@a-martynovich Could you review the last part of this?

a-martynovich
a-martynovich reviewed Jun 17, 2019
View reviewed changes
auth.py Outdated

# self.settings['user'] = self.user
# self.settings['password'] = self.password
# self.settings['openpass'] = self.openpass
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There're no settings, so update_settings shouldn't do anything.

a-martynovich
a-martynovich reviewed Jun 17, 2019
View reviewed changes
auth.py Outdated
def update_settings(self, current_password):
auth_backend = self.settings['auth_backend']
current_pass_correct = True if auth_backend == '' \
else self.settings.auth_backends[auth_backend].check_password(current_password)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eugenosm Please rebase your branch on top of #1162 . In my PR this line looks different.

@a-martynovich a-martynovich force-pushed the 1149-add-new-backend-support-for-WoTT branch from 144c30c to 6ccde00 Compare June 18, 2019 18:23
@a-martynovich
Renaming Auth methods:
31ce68e 
is_authorized -> is_authenticated, authorize -> authenticate_if_needed.
@a-martynovich
Copy link
Contributor

@vpetersson what should happen if we can't load WoTT credentials? Hide the backend from the dropdown? Act as if auth is disabled? Show error when switching to WoTT backend (and disallow switching)?

@vpetersson
Copy link
Contributor

@vpetersson what should happen if we can't load WoTT credentials? Hide the backend from the dropdown? Act as if auth is disabled? Show error when switching to WoTT backend (and disallow switching)?

That's an interesting use case.I don't think we should disable auth, as that's a potential attack vector. I'd suggest throwing a 50x maybe?

@a-martynovich
Copy link
Contributor

I meant what if we can’t load wott credentials when we have other backend selected? Should we allow switching to wott backend in Settings (but show error after saving settings)? Or should we hide the option?

@vpetersson
Copy link
Contributor

I meant what if we can’t load wott credentials when we have other backend selected? Should we allow switching to wott backend in Settings (but show error after saving settings)? Or should we hide the option?

Oh, i was purely talking about if WoTT was selected. If WoTT isn't selected, then it doesn't really matter. In that case we should probably just log it.

@a-martynovich
Copy link
Contributor

I’m asking about th UI. Should we allow switching to wott backend in Settings (but show error after saving settings)? Or should we hide the option?

@vpetersson
Copy link
Contributor

After a discussion on Slack.

  • If the file (normally /opt/wott/credentials/screenly.json unless overridden in config) is absent, prevent save and display “Can’t load /opt/wott/credentials/screenly.json”.
  • If the folder /opt/wott is absent, then assume the WoTT agent is not installed.

These are somewhat naive assumptions, but will do the trick for now.

korvyashka
korvyashka suggested changes Jun 20, 2019
View reviewed changes
auth.py Outdated
from flask import request, Response

WOTT_CREDENTIALS_PATH = '/opt/wott/credentials'
WOTT_SCREENLY_CREDENTIAL_NAME = 'screenly_credentials'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it is used only to be appended with ".json" - I guess it could be named WOTT_SCREENLY_CREDENTIAL_FILE

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, the logic implies that this name will be used in WoTT Credentials UI in the "Name" field.

auth.py Outdated
login_record = login_record.split(':', 1)
if len(login_record) == 2:
self.user, password = login_record
self.password = '' if password == '' else hashlib.sha256(password).hexdigest()
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems password is stored in raw form in file - I'm not sure if it is fine, but I guess that is wott cred format.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly so.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's actually the way that the basic auth is done in Screenly OSE too. It's not good, but that's a problem for another day.

auth.py
return True


class BasicAuth(Auth):
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be the same code as in #1162 and I guess will be removed after requested by you rebase.

auth.py Outdated
return True

self.user = ''
self.password = ''
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few minor comments here.

  1. Can't it be done stateless, without need of storing user and password in the object? Just by reading them from cred during the check? Probably cached with cache decorators f.e?
  2. I believe this function can be simplified by common practices:
  • Return early
  • Reverse if and return early
  • Moving these 2 statements to top of the func.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. It can, but why? We already have username/password in settings (basic auth) loaded into memory from screenly.conf

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. done

@a-martynovich a-martynovich mentioned this pull request Jun 20, 2019
Closed
eugenosm and others added 4 commits June 20, 2019 20:44
@eugenosm
add owner subfolder to wott credentials path
57b59ec
@eugenosm
remove unused import
091c842
@a-martynovich
Rename credential name and key.
6387e1d 
Rewrite fetch_credentials.
Hide WoTTAuth option if it can't load credentials at startup.
Respond with 503 if auth backend raises ValueError.
@a-martynovich
Rename credential name and key.
986d4ec 
Rewrite fetch_credentials. Hide WoTTAuth option if it can't load credentials at startup. Respond with 503 if auth backend raises ValueError.
@a-martynovich
Copy link
Contributor

a-martynovich commented Jun 20, 2019
edited
Loading

Follow-up changes:

  • WoTT option will be hidden if there's no /opt/wott directory.
  • Server will respond with 503 if credentials file suddenly disappears while WoTT backend is active.
  • Credentials are read at every request. There're few requests right now so it shouldn't be a problem (later we can add cache and stuff).

If credential file is missing when switching to WoTT backend in settings an error will be shown (it was already done by @eugenosm ).

@vpetersson vpetersson merged commit a4235a6 into Screenly:master Jun 21, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vpetersson vpetersson vpetersson left review comments

+2 more reviewers

@a-martynovich a-martynovich a-martynovich left review comments

@korvyashka korvyashka korvyashka requested changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add new backend support for WoTT
4 participants
@eugenosm @vpetersson @a-martynovich @korvyashka