Switched to a more secure default for auth

mwatts15 · mwatts15 · commit fa4e9e8a16f8 · 2017-02-27T19:54:46.000-06:00
- Added settings overrides to allow tests to pass
diff --git a/codespeed/auth.py b/codespeed/auth.py
@@ -5,21 +5,24 @@
 from django.conf import settings
 from base64 import b64decode
 
+__ALL__ = ['basic_auth_required']
+
 
 def basic_auth_required(realm='default'):
     def _helper(func):
         @wraps(func)
         def _decorator(request, *args, **kwargs):
             allowed = False
+            logging.info('request is secure? {}'.format(request.is_secure()))
             if settings.ALLOW_ANONYMOUS_POST:
                 allowed = True
             elif 'HTTP_AUTHORIZATION' in request.META:
+                if settings.REQUIRE_SECURE_AUTH and not request.is_secure():
+                    return insecure_connection_response()
                 http_auth = request.META['HTTP_AUTHORIZATION']
                 authmeth, auth = http_auth.split(' ', 1)
                 if authmeth.lower() == 'basic':
-                    authb = b64decode(auth.strip())
-                    auth = authb.decode()
-                    username, password = auth.split(':', 1)
+                    username, password = decode_basic_auth(auth)
                     user = authenticate(username=username, password=password)
                     if user is None:
                         logging.info(
@@ -29,11 +32,25 @@ def _decorator(request, *args, **kwargs):
                         return HttpResponseForbidden()
             if allowed:
                 return func(request, *args, **kwargs)
-            res = HttpResponse()
-            res.status_code = 401
-            res.reason_phrase = 'Unauthorized'
-            res['WWW-Authenticate'] = 'Basic realm="{}"'.format(realm)
-            return res
+
+            if settings.REQUIRE_SECURE_AUTH and not request.is_secure():
+                return insecure_connection_response()
+            else:
+                res = HttpResponse()
+                res.status_code = 401
+                res.reason_phrase = 'Unauthorized'
+                res['WWW-Authenticate'] = 'Basic realm="{}"'.format(realm)
+                return res
         return _decorator
 
     return _helper
+
+
+def insecure_connection_response():
+    return HttpResponseForbidden('Secure connection required')
+
+
+def decode_basic_auth(auth):
+    authb = b64decode(auth.strip())
+    auth = authb.decode()
+    return auth.split(':', 1)
diff --git a/codespeed/settings.py b/codespeed/settings.py
@@ -70,4 +70,5 @@
 USE_MEDIAN_BANDS = True # True to enable median bands on Timeline view
 
 
-ALLOW_ANONYMOUS_POST = True  # Whether anonymous users be allowed to post results
+ALLOW_ANONYMOUS_POST = False  # Whether anonymous users can post results
+REQUIRE_SECURE_AUTH = True  # Whether auth needs to be over a secure channel
diff --git a/codespeed/tests/test_views.py b/codespeed/tests/test_views.py
@@ -3,13 +3,14 @@
 import copy
 import json
 
-from django.test import TestCase
+from django.test import TestCase, override_settings
 from django.core.urlresolvers import reverse
 
 from codespeed.models import (Project, Benchmark, Revision, Branch, Executable,
                               Environment, Result, Report)
 
 
+@override_settings(ALLOW_ANONYMOUS_POST=True)
 class TestAddResult(TestCase):
 
     def setUp(self):
@@ -162,6 +163,7 @@ def test_add_result_with_no_project(self):
             response.content.decode(), "Result data saved successfully")
 
 
+@override_settings(ALLOW_ANONYMOUS_POST=True)
 class TestAddJSONResults(TestCase):
 
     def setUp(self):
@@ -361,6 +363,7 @@ def test_gettimelinedata(self):
             [u'2011/04/13 17:04:22 ', 2000.0, 1.11111, u'2', u'', u'default'])
 
 
+@override_settings(ALLOW_ANONYMOUS_POST=True)
 class TestReports(TestCase):
 
     def setUp(self):
