hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-19 16:03:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2268 from vilhelmen/auth_data_sharing

Browse Source 
Share authenticated dict with auth functions
This commit is contained in:
Min RK
2019-02-15 15:33:36 +01:00
committed by GitHub
parent 52d8f74eb1 701b93d226
commit fec3d959f2
3 changed files with 72 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
jupyterhub/app.py
View File

@@ -1505,7 +1505,7 @@ class JupyterHub(Application):
db.add(group)
for username in usernames:
username = self.authenticator.normalize_username(username)
if not (await maybe_future(self.authenticator.check_whitelist(username))):
if not (await maybe_future(self.authenticator.check_whitelist(username, None))):
raise ValueError("Username %r is not in whitelist" % username)
user = orm.User.find(db, name=username)
if user is None:
@@ -1529,7 +1529,7 @@ class JupyterHub(Application):
for token, name in token_dict.items():
if kind == 'user':
name = self.authenticator.normalize_username(name)
if not (await maybe_future(self.authenticator.check_whitelist(name))):
if not (await maybe_future(self.authenticator.check_whitelist(name, None))):
raise ValueError("Token name %r is not in whitelist" % name)
if not self.authenticator.validate_username(name):
raise ValueError("Token name %r is not valid" % name)

57
jupyterhub/auth.py
View File

@@ -4,11 +4,13 @@
# Distributed under the terms of the Modified BSD License.
from concurrent.futures import ThreadPoolExecutor
import inspect
import pipes
import re
from shutil import which
import sys
from subprocess import Popen, PIPE, STDOUT
import warnings
try:
import pamela
@@ -214,6 +216,38 @@ class Authenticator(LoggingConfigurable):
"""
)
def __init__(self, **kwargs):
super().__init__(**kwargs)
for method_name in ('check_whitelist', 'check_blacklist', 'check_group_whitelist'):
original_method = getattr(self, method_name, None)
if original_method is None:
# no such method (check_group_whitelist is optional)
continue
signature = inspect.signature(original_method)
if 'authentication' not in signature.parameters:
# adapt to pre-1.0 signature for compatibility
warnings.warn(
"""
{0}.{1} does not support the authentication argument,
added in JupyterHub 1.0.
It should have the signature:
def {1}(self, username, authentication=None):
...
Adapting for compatibility.
""".format(
self.__class__.__name__,
method_name,
),
DeprecationWarning
)
def wrapped_method(username, authentication=None, **kwargs):
return original_method(username, **kwargs)
setattr(self, method_name, wrapped_method)
def normalize_username(self, username):
"""Normalize the given username and return it
@@ -226,20 +260,23 @@ class Authenticator(LoggingConfigurable):
username = self.username_map.get(username, username)
return username
def check_whitelist(self, username):
def check_whitelist(self, username, authentication=None):
"""Check if a username is allowed to authenticate based on whitelist configuration
Return True if username is allowed, False otherwise.
No whitelist means any username is allowed.
Names are normalized *before* being checked against the whitelist.
.. versionchanged:: 1.0
Signature updated to accept authentication data and any future changes
"""
if not self.whitelist:
# No whitelist means any name is allowed
return True
return username in self.whitelist
def check_blacklist(self, username):
def check_blacklist(self, username, authentication=None):
"""Check if a username is blocked to authenticate based on blacklist configuration
Return True if username is allowed, False otherwise.
@@ -248,6 +285,9 @@ class Authenticator(LoggingConfigurable):
Names are normalized *before* being checked against the blacklist.
.. versionadded: 0.9
.. versionchanged:: 1.0
Signature updated to accept authentication data as second argument
"""
if not self.blacklist:
# No blacklist means any name is allowed
@@ -294,8 +334,9 @@ class Authenticator(LoggingConfigurable):
self.log.warning("Disallowing invalid username %r.", username)
return
blacklist_pass = await maybe_future(self.check_blacklist(username))
whitelist_pass = await maybe_future(self.check_whitelist(username))
blacklist_pass = await maybe_future(self.check_blacklist(username, authenticated))
whitelist_pass = await maybe_future(self.check_whitelist(username, authenticated))
if blacklist_pass:
pass
else:
@@ -562,13 +603,13 @@ class LocalAuthenticator(Authenticator):
"Ignoring username whitelist because group whitelist supplied!"
)
def check_whitelist(self, username):
def check_whitelist(self, username, authentication=None):
if self.group_whitelist:
return self.check_group_whitelist(username)
return self.check_group_whitelist(username, authentication)
else:
return super().check_whitelist(username)
return super().check_whitelist(username, authentication)
def check_group_whitelist(self, username):
def check_group_whitelist(self, username, authentication=None):
"""
If group_whitelist is configured, check if authenticating user is part of group.
"""

20
jupyterhub/tests/test_auth.py
View File

@@ -232,6 +232,26 @@ async def test_pam_auth_blacklist():
assert authorized['name'] == 'kaylee'
async def test_deprecated_signatures():
def deprecated_xlist(self, username):
return True
with mock.patch.multiple(
MockPAMAuthenticator,
check_whitelist=deprecated_xlist,
check_group_whitelist=deprecated_xlist,
check_blacklist=deprecated_xlist,
):
deprecated_authenticator = MockPAMAuthenticator()
authorized = await deprecated_authenticator.get_authenticated_user(None, {
'username': 'test',
'password': 'test'
})
assert authorized is not None
async def test_pam_auth_no_such_group():
authenticator = MockPAMAuthenticator(group_whitelist={'nosuchcrazygroup'})
authorized = await authenticator.get_authenticated_user(None, {