Merge pull request #5499 from ryanpetrello/more-oauth-tinkering
only restrict OAuth2 tokens for external accounts *at creation time*

Reviewed-by: https://github.com/apps/softwarefactory-project-zuul
2 parents c6dc69c + a7a3609 commit da44046
Showing 2 changed files with 5 additions and 9 deletions.
8 changes: 2 additions & 6 deletions awx/main/models/oauth.py
Expand Up @@ -124,11 +124,6 @@ class Meta:
def is_valid(self, scopes=None):
valid = super(OAuth2AccessToken, self).is_valid(scopes)
if valid:
try:
self.validate_external_users()
except oauth2.AccessDeniedError:
logger.exception(f'Failed to authenticate {self.user.username}')
return False
self.last_used = now()

def _update_last_used():
Expand All @@ -146,5 +141,6 @@ def validate_external_users(self):
).format(external_account))

def save(self, *args, **kwargs):
self.validate_external_users()
if not self.pk:
self.validate_external_users()
super(OAuth2AccessToken, self).save(*args, **kwargs)
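Review bot: With the guard `if not self.pk:` in `save()`, ALLOW_OAUTH2_FOR_EXTERNAL_USERS stops acting as a kill switch — a token issued while the setting was True keeps authenticating after an administrator turns it off (and, presumably, after a local account is later linked to an external provider), because the use-time `validate_external_users()` call in `is_valid()` is removed in the first hunk. That is the stated intent of the commit, but it should be recorded at the guard so the next reader neither re-adds the check nor assumes the setting revokes access: `# the external-account policy is enforced only when a token is first issued; flipping ALLOW_OAUTH2_FOR_EXTERNAL_USERS later does not invalidate existing tokens — revoke them explicitly`. The setting's help text should carry the same caveat, since operators will otherwise expect disabling it to cut off external accounts immediately. `self.pk` is unset only before the first INSERT, so a token instantiated with an explicit primary key would bypass the check entirely — worth a note if any code path constructs tokens that way. `is_valid()` and `validate_external_users()` both continue outside the hunk.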
6 changes: 3 additions & 3 deletions awx/main/tests/functional/api/test_oauth.py
Expand Up @@ -69,7 +69,7 @@ def test_token_creation_disabled_for_external_accounts(oauth_application, post,


@pytest.mark.django_db
def test_existing_token_disabled_for_external_accounts(oauth_application, get, post, admin):
def test_existing_token_enabled_for_external_accounts(oauth_application, get, post, admin):
UserEnterpriseAuth(user=admin, provider='radius').save()
url = drf_reverse('api:oauth_authorization_root_view') + 'token/'
with override_settings(RADIUS_SERVER='example.org', ALLOW_OAUTH2_FOR_EXTERNAL_USERS=True):
Expand Down Expand Up @@ -98,9 +98,9 @@ def test_existing_token_disabled_for_external_accounts(oauth_application, get, p
resp = get(
drf_reverse('api:user_me_list', kwargs={'version': 'v2'}),
HTTP_AUTHORIZATION='Bearer ' + token,
status=401
status=200
)
assert b'To establish a login session' in resp.content
assert json.loads(resp.content)['results'][0]['username'] == 'admin'


@pytest.mark.django_db
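Review bot: The rewritten assertion at the end of the second hunk (`status=200`, `username == 'admin'`) proves the token is honoured but not that ALLOW_OAUTH2_FOR_EXTERNAL_USERS is actually off when the request is made; the lines between the `override_settings(...)` block at the top of the function and this `get(...)` are outside the hunk, so the switch from "allowed at issue time" to "disallowed at use time" is presumably implicit in leaving that block. Stating it explicitly makes the test pin the property the model change relies on: wrap the request in `with override_settings(ALLOW_OAUTH2_FOR_EXTERNAL_USERS=False):`, and give the renamed function a docstring such as `"""A token issued while external users were allowed keeps working after the setting is turned off."""`. The old `b'To establish a login session'` body check disappears here; if that message is still produced when issuance is refused, the creation-time test above should be the one asserting it. The body of `test_existing_token_enabled_for_external_accounts` runs past the first hunk and resumes in the second.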
