Commit aeff0eba authored by echel0n's avatar echel0n

Refactored gitlab ci/cd script to clone to a depth of 10

Web-UI refreshes oauth2 access tokens for users currently logged in.
parent 10eb8def
......@@ -6,6 +6,9 @@ stages:
- release_sentry
- release_deploy
variables:
GIT_DEPTH: 10
#review:webpack:
# stage: review_webpack
# image:
......
......@@ -45,20 +45,24 @@ class API(object):
@token.setter
@CacheDB.with_session
def token(self, value, session=None):
query = session.query(CacheDB.OAuth2Token)
if query.count():
token = query.first()
sickrage.app.oidc_client.logout(token.refresh_token)
query.delete()
if value:
session.add(CacheDB.OAuth2Token(**{
'access_token': value.get('access_token'),
'refresh_token': value.get('refresh_token'),
'expires_in': value.get('expires_in'),
'expires_at': value.get('expires_at', int(time.time() + value.get('expires_in'))),
'scope': value.scope if isinstance(value, OAuth2Token) else value.get('scope')
}))
new_token = {
'access_token': value.get('access_token'),
'refresh_token': value.get('refresh_token'),
'expires_in': value.get('expires_in'),
'expires_at': value.get('expires_at', int(time.time() + value.get('expires_in'))),
'scope': value.scope if isinstance(value, OAuth2Token) else value.get('scope')
}
try:
token = session.query(CacheDB.OAuth2Token).one()
token.update(**new_token)
except orm.exc.NoResultFound:
session.add(CacheDB.OAuth2Token(**new_token))
@token.deleter
@CacheDB.with_session
def token(self, session=None):
session.query(CacheDB.OAuth2Token).delete()
@property
def token_url(self):
......@@ -71,6 +75,9 @@ class API(object):
def userinfo(self):
return self._request('GET', 'userinfo')
def logout(self):
sickrage.app.oidc_client.logout(self.token.get('refresh_token'))
def refresh_token(self):
extra = {
'client_id': self.client_id,
......
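Review bot: `session.query(CacheDB.OAuth2Token).one()` in the token setter raises `MultipleResultsFound` as well as `NoResultFound`, and only the latter is caught. A cache DB that ever holds two token rows would therefore make every later token write fail, whereas the delete-then-add form shown alongside it cleared such state. Consider `token = session.query(CacheDB.OAuth2Token).first()` with an `if token is None:` branch for the insert. Separately, `value.get('expires_at', int(time.time() + value.get('expires_in')))` evaluates its default eagerly, so a token dict without `expires_in` raises `TypeError` even when `expires_at` is present. The setter body is cut by the hunk rendering, so whether the `if value:` guard still wraps this code should be confirmed.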
......@@ -101,10 +101,19 @@ class BaseHandler(RequestHandler, ABC):
webroot=sickrage.app.config.web_root))
def get_current_user(self):
cookie = self.get_secure_cookie('_sr')
if not cookie:
return
try:
token = json.loads(self.get_secure_cookie('_sr'))
return sickrage.app.oidc_client.userinfo(token['access_token'])
except (KeycloakClientError, HTTPError, JSONDecodeError, OSError):
token = json.loads(cookie)
try:
return sickrage.app.oidc_client.userinfo(token['access_token'])
except KeycloakClientError as e:
token = sickrage.app.oidc_client.refresh_token(token['refresh_token'])
self.set_secure_cookie('_sr', json.dumps(token))
return sickrage.app.oidc_client.userinfo(token['access_token'])
except Exception:
pass
def render_string(self, template_name, **kwargs):
......
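Review bot: The cookie written by `self.set_secure_cookie('_sr', json.dumps(token))` in `get_current_user` carries the refresh token, and Tornado's secure cookies are signed but not encrypted. It should be hidden from page scripts and kept off plain HTTP: `self.set_secure_cookie('_sr', json.dumps(token), httponly=True, secure=True)`, dropping `secure=True` only where the UI is deliberately served without TLS. The outer `except Exception:` followed by `pass` also hides failed refreshes and malformed cookies, which are the events worth seeing when a cookie has been stolen or replayed; a `sickrage.app.log.debug(...)` call there, without the token values, would keep them visible. Any `KeycloakClientError` from `userinfo` triggers a refresh, not only an expired access token, and the bound `e` is unused. Where `_sr` is first set lies outside this hunk, so the same flags need checking there.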
......@@ -51,11 +51,13 @@ class LoginHandler(BaseHandler, ABC):
if API().token:
allowed_usernames = API().allowed_usernames()['data']
if not userinfo['preferred_username'] in allowed_usernames:
sickrage.app.log.debug("USERNAME:{} IP:{} - ACCESS DENIED".format(userinfo['preferred_username'], self.request.remote_ip))
sickrage.app.log.debug("USERNAME:{} IP:{} - WEB-UI ACCESS DENIED".format(userinfo['preferred_username'], self.request.remote_ip))
return self.redirect('/logout')
else:
return self.redirect('/logout')
else:
if API().token:
API().logout()
API().token = token
except Exception as e:
return self.redirect('/logout')
......@@ -67,5 +69,5 @@ class LoginHandler(BaseHandler, ABC):
redirect_uri = self.get_argument('next', "/{}/".format(sickrage.app.config.default_page))
return self.redirect("{}".format(redirect_uri))
else:
authorization_url = sickrage.app.oidc_client.authorization_url(redirect_uri=redirect_uri)
authorization_url = sickrage.app.oidc_client.authorization_url(redirect_uri=redirect_uri, scope="profile email offline_access")
return super(BaseHandler, self).redirect(authorization_url)
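Review bot: Adding `offline_access` to the `authorization_url` scope requests an offline refresh token, which typically outlives the user's SSO session, while the commit's stated goal of refreshing access tokens for logged-in users is normally met by an ordinary refresh token. The refresh token is stored in the cache DB and, per the `get_current_user` change, in the `_sr` cookie, so a longer-lived token raises the cost of either being read. Consider `scope="profile email"` unless offline use is required, and add a comment saying why if it is. In the first hunk the denied-login message goes through `sickrage.app.log.debug`, so access denials may not appear unless debug logging is on; a warning-level call would make them usable for detection.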
......@@ -29,6 +29,6 @@ class LogoutHandler(BaseHandler, ABC):
logout_uri = sickrage.app.oidc_client.get_url('end_session_endpoint')
redirect_uri = "{}://{}{}/login".format(self.request.protocol, self.request.host, sickrage.app.config.web_root)
self.clear_all_cookies()
self.clear_cookie('_sr')
return super(BaseHandler, self).redirect('{}?redirect_uri={}'.format(logout_uri, redirect_uri))
......@@ -237,8 +237,8 @@ class UnlinkHandler(BaseHandler, ABC):
sickrage.app.config.sub_id = ""
sickrage.app.config.save()
sickrage.app.oidc_client.logout(API().token['refresh_token'])
API().token = {}
API().logout()
del API().token
return self.redirect('/logout/')
......
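Review bot: `API().logout()` calls the identity provider before `del API().token`, so if the revoke request raises, the locally stored token stays in place even though `sub_id` has already been cleared and saved. Wrapping it as `try: API().logout()` with `del API().token` in a `finally:` keeps the local unlink complete when the provider is unreachable. `logout()` also calls `self.token.get('refresh_token')` unguarded, whereas LoginHandler checks `if API().token:` first; the same guard here would cover an already-empty cache, assuming the getter returns a falsy value in that case. The handler body starts outside the hunk, so an enclosing `try` may already exist.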