No longer hash auth tokens + store the token scopes

This partially reverts commit c57aefd48b.
The code to check against hashed tokens remains, because existing tokens
should still work.

The unhashed tokens are necessary for fetching badges from Blender ID.

tests/test_api/test_auth.py

@@ -114,15 +114,16 @@ class AuthenticationTests(AbstractPillarTest):
             past = now - datetime.timedelta(days=1)
             subclient = self.app.config['BLENDER_ID_SUBCLIENT_ID']
 
+        with self.app.test_request_context():
             auth.store_token(user_id, 'nonexpired-main', future, None)
             auth.store_token(user_id, 'nonexpired-sub', future, subclient)
             token3 = auth.store_token(user_id, 'expired-sub', past, subclient)
 
-            # We should not find the given tokens as unhashed tokens.
+            # We should find the given tokens as unhashed tokens.
             tokens_coll = self.app.db('tokens')
-            self.assertIsNone(tokens_coll.find_one({'token': 'nonespired-main'}))
-            self.assertIsNone(tokens_coll.find_one({'token': 'nonespired-sub'}))
-            self.assertIsNone(tokens_coll.find_one({'token': 'expired-sub'}))
+            self.assertIsNotNone(tokens_coll.find_one({'token': 'nonexpired-main'}))
+            self.assertIsNotNone(tokens_coll.find_one({'token': 'nonexpired-sub'}))
+            self.assertIsNotNone(tokens_coll.find_one({'token': 'expired-sub'}))
 
         with self.app.test_request_context(
                 headers={'Authorization': self.make_header('nonexpired-main')}):
@@ -206,19 +207,19 @@ class AuthenticationTests(AbstractPillarTest):
         with self.app.test_request_context():
             from pillar.api.utils import authentication as auth
 
-            tokdat_le = auth.store_token(user_id, 'long-expired',
-                                         now - datetime.timedelta(days=365), None)
-            tokdat_se = auth.store_token(user_id, 'short-expired',
-                                         now - datetime.timedelta(seconds=5), None)
-            tokdat_ne = auth.store_token(user_id, 'not-expired',
-                                         now + datetime.timedelta(days=1), None)
+            auth.store_token(user_id, 'long-expired',
+                             now - datetime.timedelta(days=365), None)
+            auth.store_token(user_id, 'short-expired',
+                             now - datetime.timedelta(seconds=5), None)
+            auth.store_token(user_id, 'not-expired',
+                             now + datetime.timedelta(days=1), None)
 
             # Validation should clean up old tokens.
             auth.validate_this_token('je', 'moeder')
 
             token_coll = self.app.data.driver.db['tokens']
-            self.assertEqual({tokdat_se['token_hashed'], tokdat_ne['token_hashed']},
-                             {item['token_hashed'] for item in token_coll.find()})
+            self.assertEqual({'short-expired', 'not-expired'},
+                             {item['token'] for item in token_coll.find()})
 
     def test_token_hashing_cli(self):
         from dateutil.parser import parse

tests/test_api/test_blender_id_subclient.py

@@ -42,8 +42,6 @@ class BlenderIdSubclientTest(AbstractPillarTest):
 
     @responses.activate
     def test_store_multiple_tokens(self):
-        from pillar.api.utils.authentication import hash_auth_token
-
         scst1 = '%s-1' % TEST_SUBCLIENT_TOKEN
         scst2 = '%s-2' % TEST_SUBCLIENT_TOKEN
         db_user1 = self._common_user_test(201, scst=scst1)
@@ -53,10 +51,8 @@ class BlenderIdSubclientTest(AbstractPillarTest):
         # Now there should be two tokens.
         with self.app.test_request_context():
             tokens = self.app.data.driver.db['tokens']
-            self.assertIsNotNone(tokens.find_one(
-                {'user': db_user1['_id'], 'token_hashed': hash_auth_token(scst1)}))
-            self.assertIsNotNone(tokens.find_one(
-                {'user': db_user1['_id'], 'token_hashed': hash_auth_token(scst2)}))
+            self.assertIsNotNone(tokens.find_one({'user': db_user1['_id'], 'token': scst1}))
+            self.assertIsNotNone(tokens.find_one({'user': db_user1['_id'], 'token': scst2}))
 
         # There should still be only one auth element for blender-id in the user doc.
         self.assertEqual(1, len(db_user1['auth']))
@@ -80,8 +76,6 @@ class BlenderIdSubclientTest(AbstractPillarTest):
     def _common_user_test(self, expected_status_code, scst=TEST_SUBCLIENT_TOKEN,
                           expected_full_name=TEST_FULL_NAME,
                           mock_happy_blender_id=True):
-        from pillar.api.utils.authentication import hash_auth_token
-
         if mock_happy_blender_id:
             self.mock_blenderid_validate_happy()
 
@@ -110,7 +104,7 @@ class BlenderIdSubclientTest(AbstractPillarTest):
             # Check that the token was succesfully stored.
             tokens = self.app.data.driver.db['tokens']
             db_token = tokens.find_one({'user': db_user['_id'],
-                                        'token_hashed': hash_auth_token(scst)})
+                                        'token': scst})
             self.assertIsNotNone(db_token)
 
         return db_user

tests/test_api/test_local_auth.py

@@ -38,8 +38,6 @@ class LocalAuthTest(AbstractPillarTest):
         self.assertEqual(200, resp.status_code, resp.data)
 
     def test_login_expired_token(self):
-        from pillar.api.utils.authentication import hash_auth_token
-
         user_id = self.create_test_user()
 
         resp = self.client.post('/api/auth/make-token',
@@ -54,7 +52,7 @@ class LocalAuthTest(AbstractPillarTest):
             tokens = self.app.data.driver.db['tokens']
 
             exp = datetime.datetime.now(tz=tz_util.utc) - datetime.timedelta(1)
-            result = tokens.update_one({'token_hashed': hash_auth_token(token)},
+            result = tokens.update_one({'token': token},
                                        {'$set': {'expire_time': exp}})
             self.assertEqual(1, result.modified_count)
 

tests/test_api/test_organizations.py

@@ -989,8 +989,6 @@ class IPRangeLoginRolesTest(AbstractIPRangeSingleOrgTest):
             ]})
 
     def _test_api(self, headers: dict, env: dict):
-        from pillar.api.utils.authentication import hash_auth_token
-
         self.mock_blenderid_validate_happy()
         # This should check the IP of the user agains the organization IP ranges and update the
         # user in the database.
@@ -1003,7 +1001,7 @@ class IPRangeLoginRolesTest(AbstractIPRangeSingleOrgTest):
         tokens_coll = self.app.db('tokens')
         token = tokens_coll.find_one({
             'user': bson.ObjectId(me['_id']),
-            'token_hashed': hash_auth_token('usertoken'),
+            'token': 'usertoken',
         })
         self.assertEqual(self.org_roles, set(token['org_roles']))
 
@@ -1033,7 +1031,6 @@ class IPRangeLoginRolesTest(AbstractIPRangeSingleOrgTest):
         self._test_api_remote_addr('192.168.3.254')
 
     def _test_web_forwarded_for(self, ip_addr: str, ip_roles: typing.Set[str]):
-        from pillar.api.utils.authentication import hash_auth_token
         from pillar import auth
         self.mock_blenderid_validate_happy()
 
@@ -1053,7 +1050,7 @@ class IPRangeLoginRolesTest(AbstractIPRangeSingleOrgTest):
         tokens_coll = self.app.db('tokens')
         token = tokens_coll.find_one({
             'user': bson.ObjectId(my_id),
-            'token_hashed': hash_auth_token('usertoken'),
+            'token': 'usertoken',
             'expire_time': {'$gt': datetime.datetime.now(tz_util.utc)},
         })
         self.assertEqual(ip_roles, set(token.get('org_roles', [])))