Added an authentication layer for the API

Signed-off-by: Miquel Sabaté Solà <[email protected]> Signed-off-by: Vítor Avelino <[email protected]>
SUSE · Jul 18, 2017 · 2129833 · 2129833
1 parent 4cd875c
commit 2129833
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
   include Portus::Checks
   before_action :check_requirements
 
+  before_action :authenticate_user_from_authentication_token!
   before_action :authenticate_user!
   before_action :force_update_profile!
   before_action :force_registry_config!
@@ -30,6 +31,16 @@ def after_sign_out_path_for(_resource)
 
   protected
 
+  # Authenticate the user:token as provided in the "PORTUS-AUTH" header.
+  def authenticate_user_from_authentication_token!
+    auth = request.headers["PORTUS-AUTH"].presence
+    return if auth.nil?
+
+    username, password = auth.split(":")
+    user = User.find_by(username: username)
+    sign_in(user, store: false) if user && user.application_token_valid?(password)
+  end
+
   # Redirect users to their profile page if they haven't set up their email
   # account (this happens when signing up through LDAP suppor).
   def force_update_profile!

diff --git a/app/controllers/vulnerabilities_controller.rb b/app/controllers/vulnerabilities_controller.rb
@@ -0,0 +1,20 @@
+class VulnerabilitiesController < ApplicationController
+  before_action :set_repository
+  respond_to :json
+
+  def index
+    response = {}
+    @repository.tags.each do |tag|
+      sec = ::Portus::Security.new(@repository.full_name, tag.name)
+      response[tag.name] = sec.vulnerabilities
+    end
+
+    render json: response.to_json
+  end
+
+  private
+
+  def set_repository
+    @repository = Repository.find(params[:repository_id])
+  end
+end
diff --git a/app/models/application_token.rb b/app/models/application_token.rb
@@ -19,11 +19,10 @@ class ApplicationToken < ActiveRecord::Base
   belongs_to :user
 
   validates :application, uniqueness: { scope: "user_id" }
-
   validate :limit_number_of_tokens_per_user, on: :create
 
   def limit_number_of_tokens_per_user
-    max_reached = ApplicationToken.where(user_id: user_id).count >= User::APPLICATION_TOKENS_MAX
+    max_reached = User.find(user_id).application_tokens.count >= User::APPLICATION_TOKENS_MAX
     errors.add(
       :base,
       "Users cannot have more than #{User::APPLICATION_TOKENS_MAX} " \

diff --git a/config/routes.rb b/config/routes.rb
@@ -23,6 +23,7 @@
   resources :repositories, only: [:index, :show, :destroy] do
     post :toggle_star, on: :member
     resources :comments, only: [:create, :destroy]
+    resources :vulnerabilities, only: [:index]
   end
 
   resources :tags, only: [:destroy]