From: Michael Tremer
Date: Wed, 1 Nov 2023 10:05:51 +0000 (+0000)
Subject: builders: Fix API authentication
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5b83990f5606f26db2ffdc87b90f2788db0dc04;p=pbs.git
builders: Fix API authentication
Signed-off-by: Michael Tremer
---
diff --git a/src/web/base.py b/src/web/base.py
index cea68c5c..91e1855e 100644
--- a/src/web/base.py
+++ b/src/web/base.py
@@ -336,10 +336,13 @@ class APIError(tornado.web.HTTPError):
 return self.message
-class APIMixin(KerberosAuthMixin, BackendMixin):
+class APIMixin(KerberosAuthMixin):
 # Generally do not permit users to authenticate against the API
 allow_users = False
+ # Allow builders to authenticate?
+ allow_builders = True
+
 # Do not perform any XSRF cookie validation on API calls
 def check_xsrf_cookie(self):
 pass
@@ -361,17 +364,14 @@ class APIMixin(KerberosAuthMixin, BackendMixin):
 principal, delimiter, realm = principal.partition("@")
 # Return any builders
- if principal.startswith("host/"):
+ if self.allow_builders and principal.startswith("host/"):
 hostname = principal.removeprefix("host/")
 return self.backend.builders.get_by_name(hostname)
- # End here if users are not allowed to authenticate
- if not self.allow_users:
- return
-
- # Return users
- return self.backend.users.get_by_name(principal)
+ # Return any users
+ if self.allow_users:
+ return self.backend.users.get_by_name(principal)
 def get_user_locale(self):
 return self.get_browser_locale()
diff --git a/src/web/builders.py b/src/web/builders.py
index f3705b77..fa11c644 100644
--- a/src/web/builders.py
+++ b/src/web/builders.py
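Review bot: `APIMixin` still dereferences `self.backend` in the principal lookup of the second hunk after `BackendMixin` is removed from its bases, so the mixin now silently depends on every concrete handler also mixing in `base.BackendMixin` or `base.BaseHandler`, as builders.py and uploads.py do in this commit; a class comment should say so, e.g. `# Requires self.backend from BackendMixin/BaseHandler on the concrete handler`. The new `allow_builders = True` also has the opposite polarity of `allow_users = False`: builder (`host/`) principals are accepted by every API handler unless it opts out, while users are opt-in, and the comment `# Allow builders to authenticate?` does not state that. Suggest `# Builders (host/ principals) may authenticate unless a handler sets this to False`. If a fail-closed default is preferred, this could default to False and be enabled only on the builder handlers, but that would change every existing API handler.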
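Review bot: With `allow_builders` folded into the same condition as the `host/` prefix test, a handler that sets `allow_builders = False` but `allow_users = True` now falls through and looks the service principal up as a user via `self.backend.users.get_by_name("host/...")`, whereas before this change a `host/` principal was always resolved as a builder and nothing else. Keeping the prefix test outermost avoids that: `if principal.startswith("host/"):` followed by `if not self.allow_builders: return None` ahead of the existing builder lookup. The `realm` split off by `partition("@")` is still discarded, so if cross-realm tickets can reach this point through `KerberosAuthMixin`, a `host/x@OTHER` principal would map to the same builder as the local one; worth a comment or a check against the expected realm, though whether the mixin already restricts the realm is not visible here. The enclosing method starts before this hunk.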
@@ -9,8 +9,13 @@ from . import ui_modules
 # Setup logging
 log = logging.getLogger("pbs.web.builders")
-class APIv1ControlHandler(base.APIMixin, tornado.websocket.WebSocketHandler):
- @tornado.web.authenticated
+class APIv1ControlHandler(base.APIMixin, base.BackendMixin, tornado.websocket.WebSocketHandler):
+ @base.negotiate
+ def prepare(self):
+ # This is here to require authentication before
+ # the websocket connection is being negotiated.
+ pass
+
 async def open(self):
 # The builder has opened a new connection
 self.current_user.connected(self)
diff --git a/src/web/uploads.py b/src/web/uploads.py
index dbce3d47..f31c5235 100644
--- a/src/web/uploads.py
+++ b/src/web/uploads.py
@@ -27,7 +27,7 @@ from . import base
 from .. import uploads
 from .. import users
-class APIv1IndexHandler(base.APIMixin, tornado.web.RequestHandler):
+class APIv1IndexHandler(base.APIMixin, base.BaseHandler):
 # Allow users to perform uploads
 allow_users = True
@@ -103,7 +103,7 @@ class APIv1IndexHandler(base.APIMixin, tornado.web.RequestHandler):
 @tornado.web.stream_request_body
-class APIv1DetailHandler(base.APIMixin, tornado.web.RequestHandler):
+class APIv1DetailHandler(base.APIMixin, base.BaseHandler):
 # Allow users to perform uploads
 allow_users = True
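Review bot: Dropping `@tornado.web.authenticated` from `open()` leaves `self.current_user.connected(self)` with no guard of its own, so whether an unauthenticated or unknown-host connection is refused now rests entirely on what `base.negotiate` does in `prepare()`, which is not visible in this hunk. If `negotiate` can return without setting `current_user` (for instance an unknown `host/` principal, where the builder lookup yields whatever `get_by_name` returns for a missing name), `open()` would raise `AttributeError` after the handshake instead of rejecting the upgrade. Suggest making the intent explicit in `prepare()` with `if not self.current_user: raise tornado.web.HTTPError(403)` after the decorator has run, and replacing the comment-plus-`pass` body with a docstring such as `"""Force authentication before the WebSocket handshake; the negotiate decorator does the work."""`.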
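Review bot: `APIv1IndexHandler` here and `APIv1DetailHandler` in the hunk at line 103 set `allow_users = True` but now also inherit the new `allow_builders = True` default from `APIMixin`, so the upload endpoints accept builder principals as well as users while the class comment mentions only users. Make that explicit with `allow_builders = True  # inherited default, builders are accepted here too` or set it to False if uploads are meant for users only. Moving to `base.BaseHandler` keeps it after `APIMixin` in the MRO, so `APIMixin.check_xsrf_cookie` and its principal lookup still take precedence over anything `BaseHandler` defines; a one-line comment noting that the base-class order is what keeps XSRF checks off and Kerberos authentication on for these handlers would help the next reader.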