Refactor repo auth to use entrypoints

Pulp's repo auth now allows for pluggable authentication methods. These can be configured via a new entry point. The `repo_auth.wsgi` file was also refactored to move code into a Python module to make testing easier. More information is available in the 'contentauth' doc. Additionally, the 'auth_handler_framework' was determined to be unused and has been removed. fixes #720
pulp · Apr 16, 2015 · 602ca89 · 602ca89
1 parent c4a8d30
commit 602ca89
Show file tree

Hide file tree

Showing 11 changed files with 257 additions and 294 deletions.
diff --git a/docs/dev-guide/contentauth.rst b/docs/dev-guide/contentauth.rst
@@ -0,0 +1,45 @@
+.. _content_auth_mechanisms:
+
+Content Authentication Mechanisms
+=================================
+
+Pulp allows administrators to require users to authenticate in order to receive
+content. Typically this is done by checking an SSL client certificate.
+
+Content authentication is primarly done in conjunction with a Katello instance
+and is outside the scope of this document. However, users may want to add their
+own authentication methods. This is done by writing a method that returns
+either True or False depending on if the user is allowed access and then
+telling Pulp about this method via Python entry points.
+
+Note that **all** authenticators must return True in order to let the request
+through. Authentication is typically based on the contents of the ``environ``
+parameter. This is a dictionary containing various environment variables from
+Apache. When authoring plugins, it may be helpful to log the contents of
+``environ`` to see what is being passed in.
+
+For example, if you wanted to create a simple method that let everyone through
+but logged a message, you could do something like this:
+
+::
+    def authenticate(environ):
+        print "No checking here, just let the user through!"
+        return True
+
+Then, tell Pulp about this via an entry point in ``setup.py``. In this example,
+our ``authenticate()`` method lives in ``example_auth.example``.
+
+::
+
+    entry_points={
+        'pulp_content_authenticators': [
+            'example_auth=example_auth.example:authenticate'
+        ]
+    }
+
+You should be all set at this point. Simply make a request and check
+``/var/log/httpd/error_log`` to see if the message printed. Your request will
+need to pass all auth checks to see the log message; once one check fails then
+the rest are not executed. If the ``authenticate`` method raises an exception
+for any reason then mod_wsgi will write a message to ``ssl_error_log`` and deny
+the request.
diff --git a/docs/dev-guide/index.rst b/docs/dev-guide/index.rst
@@ -9,6 +9,7 @@ Developer Guide
    conventions/index
    policies/index
    newtypesupport/index
+   contentauth
    integration/index
    glossary
    troubleshooting
diff --git a/docs/user-guide/release-notes/2.7.x.rst b/docs/user-guide/release-notes/2.7.x.rst
@@ -0,0 +1,65 @@
+=======================
+Pulp 2.7 Release Notes
+=======================
+
+Pulp 2.7.0
+==========
+
+New Features
+------------
+
+- Pulp now allows users to add their own :ref:`content authentication mechanisms <content_auth_mechanisms>`.
+
+Deprecation
+-----------
+
+.. _2.6.x_upgrade_to_2.7.0:
+
+Upgrade Instructions for 2.6.x --> 2.7.0
+-----------------------------------------
+
+All services should be stopped. At that point you can issue an upgrade via:
+
+::
+
+    sudo yum update
+
+After yum completes you should migrate the database using:
+
+::
+
+    sudo -u apache pulp-manage-db
+
+After the database migrations finish, restart `httpd`, `pulp_workers`, `pulp_celerybeat`, and
+`pulp_resource_manager`.
+
+Bugs
+----
+
+This release has fixes for :fixedbugs:`these issues <2.7.0>`.
+
+Known Issues
+------------
+
+* None at this time.
+
+Client Changes
+--------------
+
+Agent Changes
+-------------
+
+Rest API Changes
+----------------
+
+Binding API Changes
+-------------------
+
+Plugin API Changes
+------------------
+
+Thank You
+---------
+
+Thank you to all of Pulp's contributors, especially these new ones!
+
diff --git a/repoauth/pulp/repoauth/auth_handler_framework.py b/repoauth/pulp/repoauth/auth_handler_framework.py
diff --git a/repoauth/pulp/repoauth/wsgi.py b/repoauth/pulp/repoauth/wsgi.py
@@ -0,0 +1,40 @@
+from pkg_resources import iter_entry_points
+
+from pulp.repoauth import auth_enabled_validation
+
+AUTH_ENTRY_POINT = 'pulp_content_authenticators'
+
+
+def allow_access(environ, host):
+    """
+    Hook into mod_wsgi to be invoked when a request is determining
+    authentication.  If the authentication is successful, this method returns
+    True.  If validation fails, False is returned.
+
+    :param environ: environ passed in from mod_wsgi
+    :type  environ: dict of env vars
+
+    :param host: hostname passed from mod_wsgi (not used)
+    :type  host: str
+
+    :return: True if the request is authorized or validation is disabled, otherwise False.
+    :rtype:  Boolean
+    """
+
+    # If auth is disabled, then let the request continue. Note that this returns
+    # True if auth is disabled.
+    if auth_enabled_validation.authenticate(environ):
+        return True
+
+    # find all of the authenticator methods we need to try
+    authenticators = {}
+    for ep in iter_entry_points(group=AUTH_ENTRY_POINT):
+        authenticators.update({ep.name: ep.load()})
+
+    # loop through authenticators. If any return False, kick the user out.
+    for auth_method in authenticators:
+        if not authenticators[auth_method](environ):
+            return False
+
+    # if we get this far then the user is authorized
+    return True
diff --git a/repoauth/setup.py b/repoauth/setup.py
@@ -8,4 +8,9 @@
     packages=find_packages(exclude=['test']),
     author='Pulp Team',
     author_email='pulp-list@redhat.com',
+    entry_points={
+        'pulp_content_authenticators': [
+            'oid_validation=pulp.repoauth.oid_validation:authenticate'
+        ]
+    },
 )
diff --git a/repoauth/test/test_auth_handler_framework.py b/repoauth/test/test_auth_handler_framework.py