Skip to content
Snippets Groups Projects
Select Git revision
  • test-release
  • master default protected
  • release-candidate-3933
  • shahbaz/VAN-1274
  • release
  • release-candidate-3932
  • release-mergeback-to-master
  • release-candidate-3931
  • release-candidate-3930
  • saad/INF-776
  • release-candidate-3929
  • change-boto-ses-exception
  • release-candidate-3927
  • release-candidate-3928
  • release-candidate-3926
  • release-candidate-3925
  • release-candidate-3924
  • release-candidate-3923
  • release-candidate-3922
  • release-candidate-3921
  • release-2023-02-17-11.15
  • release-2023-02-17-11.07
  • release-2023-02-17-09.39
  • release-2023-02-17-08.45
  • release-2023-02-17-07.08
  • release-2023-02-17-08.18
  • release-2023-02-17-06.26
  • release-2023-02-17-04.57
  • release-2023-02-16-22.25
  • release-2023-02-16-22.03
  • release-2023-02-16-16.21
  • release-2023-02-15-17.03
  • release-2023-02-14-14.30
  • release-2023-02-14-10.35
  • release-2023-02-13-17.48
  • release-2023-02-13-16.25
  • release-2023-02-13-15.00
  • release-2023-02-13-04.08
  • release-2023-02-13-03.46
  • release-2023-02-13-02.45
40 results
Blame History Permalink
  • Manjinder Singh's avatar
    Adding metrics to oauth2authentication class (#22970) · eb694528
    Manjinder Singh authored 
    Currently, we are working on removing the rest_framework_auth library from edx-platform. For this push, we need to remove the oauth2Authentication class. This PR creates a new class oauth2AuthenticationDeprecated that adds additional new relic metrics. The metrics would allow us to see how often this class is used and its success rate. The hope is that this information will help us with transitioning to a different authentication class.
    Unverified
    eb694528
authentication.py 5.11 KiB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128 






""" Common Authentication Handlers used across projects. """


import logging

import django.utils.timezone
from oauth2_provider import models as dot_models
from provider.oauth2 import models as dop_models
from rest_framework.exceptions import AuthenticationFailed
from rest_framework_oauth.authentication import OAuth2Authentication
from edx_django_utils.monitoring import set_custom_metric


OAUTH2_TOKEN_ERROR = u'token_error'
OAUTH2_TOKEN_ERROR_EXPIRED = u'token_expired'
OAUTH2_TOKEN_ERROR_MALFORMED = u'token_malformed'
OAUTH2_TOKEN_ERROR_NONEXISTENT = u'token_nonexistent'
OAUTH2_TOKEN_ERROR_NOT_PROVIDED = u'token_not_provided'


log = logging.getLogger(__name__)


class OAuth2AuthenticationDeprecated(OAuth2Authentication):
    """
    This child class was added to add new_relic metrics to OAuth2Authentication. This should be very temporary.
    """

    def authenticate(self, request):
        """
        Returns two-tuple of (user, token) if access token authentication
        succeeds, None if the user did not try to authenticate using an access
        token, or raises an AuthenticationFailed (HTTP 401) if authentication
        fails.
        """
        set_custom_metric("OAuth2AuthenticationDeprecated", "Failed")
        output = super(OAuth2AuthenticationDeprecated, self).authenticate(request)
        if output is None:
            set_custom_metric("OAuth2AuthenticationDeprecated", "None")
        else:
            set_custom_metric("OAuth2AuthenticationDeprecated", "Success")
        return output


class OAuth2AuthenticationAllowInactiveUser(OAuth2AuthenticationDeprecated):
    """
    This is a temporary workaround while the is_active field on the user is coupled
    with whether or not the user has verified ownership of their claimed email address.
    Once is_active is decoupled from verified_email, we will no longer need this
    class override.
    But until then, this authentication class ensures that the user is logged in,
    but does not require that their account "is_active".
    This class can be used for an OAuth2-accessible endpoint that allows users to access
    that endpoint without having their email verified.  For example, this is used
    for mobile endpoints.
    """

    def authenticate(self, request):
        """
        Returns two-tuple of (user, token) if access token authentication
        succeeds, raises an AuthenticationFailed (HTTP 401) if authentication
        fails or None if the user did not try to authenticate using an access
        token.
        """

        try:
            return super(OAuth2AuthenticationAllowInactiveUser, self).authenticate(request)
        except AuthenticationFailed as exc:
            if isinstance(exc.detail, dict):
                developer_message = exc.detail['developer_message']
                error_code = exc.detail['error_code']
            else:
                developer_message = exc.detail
                if 'No credentials provided' in developer_message:
                    error_code = OAUTH2_TOKEN_ERROR_NOT_PROVIDED
                elif 'Token string should not contain spaces' in developer_message:
                    error_code = OAUTH2_TOKEN_ERROR_MALFORMED
                else:
                    error_code = OAUTH2_TOKEN_ERROR
            raise AuthenticationFailed({
                u'error_code': error_code,
                u'developer_message': developer_message
            })

    def authenticate_credentials(self, request, access_token):
        """
        Authenticate the request, given the access token.
        Overrides base class implementation to discard failure if user is
        inactive.
        """

        token = self.get_access_token(access_token)
        if not token:
            raise AuthenticationFailed({
                u'error_code': OAUTH2_TOKEN_ERROR_NONEXISTENT,
                u'developer_message': u'The provided access token does not match any valid tokens.'
            })
        elif token.expires < django.utils.timezone.now():
            raise AuthenticationFailed({
                u'error_code': OAUTH2_TOKEN_ERROR_EXPIRED,
                u'developer_message': u'The provided access token has expired and is no longer valid.',
            })
        else:
            return token.user, token

    def get_access_token(self, access_token):
        """
        Return a valid access token that exists in one of our OAuth2 libraries,
        or None if no matching token is found.
        """
        return self._get_dot_token(access_token) or self._get_dop_token(access_token)

    def _get_dop_token(self, access_token):
        """
        Return a valid access token stored by django-oauth2-provider (DOP), or
        None if no matching token is found.
        """
        token_query = dop_models.AccessToken.objects.select_related('user')
        return token_query.filter(token=access_token).first()

    def _get_dot_token(self, access_token):
        """
        Return a valid access token stored by django-oauth-toolkit (DOT), or
        None if no matching token is found.
        """
        token_query = dot_models.AccessToken.objects.select_related('user')
        return token_query.filter(token=access_token).first()