def validate_token(token_id):
token_data = do_validate_token(token_id)
if token_data:
resp = flask.make_response(json.dumps(token_data))
resp.headers['Content-Type'] = 'application/json'
return resp
else:
flask.abort(404)
def wrapped_f(*args, **kwargs):
req = flask.request
log.debug("Handling %s to %s" % (
req.method, req.path ) )
# Try to get the user's roles
try:
token_data = do_validate_token(req.headers['x-auth-token'])
except KeyError:
flask.abort(401)
return
log.debug("Token data: %s" % token_data)
if token_data is None or token_data is False:
flask.abort(401)
return
# This might be false for a variety of reasons, all of which amount to
# failed auth in some form.
if len(token_data['user']['roles']) < 1:
log.debug("Aborting request due to bad role check")
flask.abort(401)
return
# If the user is disabled, fail, even if other roles are present
if 'disabled' in token_data['user']['roles']:
log.debug("User is disabled")
flask.abort(401)
return
# We're given a list of allowed roles. If "strict" is on, the user must
# be in all roles (AND). If not, the user must be in at least one role (OR).
if self.strict:
allowed = True
for role in token_data['user']['roles']:
if role not in self.allowed_roles:
allowed = False
break
if not allowed:
log.debug("User is not allowed!")
flask.abort(401)
return
else:
allowed = False
for role in token_data['user']['roles']:
log.debug("Comparing user role %s against allowed roles %s" % (
role, self.allowed_roles ) )
if role in self.allowed_roles:
log.debug("User is allowed!")
allowed = True
break
if not allowed:
log.debug("User not allowed!")
flask.abort(401)
return
return f(*args, **kwargs)
def token_in_req_contains_role(req, role):
"""Returns True if the request has a valid X-Auth-Token header that shows
the user is in the provided role. Returns False if the token's user is
*not* in the role. Returns None if no token was provided.
"""
try:
token_data = do_validate_token(req.headers['x-auth-token'])
except KeyError:
return None
print "Roles: %s" % token_data['user']['roles']
if roles:
if role in roles:
return True
return False
def update_password(username):
# Because we need to verify that either the user making the request is
# an administrator or that the request is being made to change the password
# of the user making the request, this function cannot use the
# @Authenticated decorator, and we must do a special kind of auth here.
req = flask.request
req_data = {}
try:
req_data = json.loads(req.data)
print("Request data: %s" % req_data)
except ValueError:
flask.abort(400)
authorized = False
try:
token_data = do_validate_token(req.headers['x-auth-token'])
except KeyError:
token_data = None
if token_data is not None:
if token_data['user']['username'] == username:
authorized = True
else:
if shared.token_in_req_contains_role(req, 'administrator'):
authorized = True
# Next line is for debugging ONLY
# authorized = True
if authorized:
session = data.session()
users = session.query(data.User).filter_by(username=username)
if users.count() >= 1:
user = users.first()
user.salt = shared.generate_salt()
user.pwhash = hashlib.sha512("".join([req_data['password'], user.salt])).hexdigest()
session.commit()
return ''
else:
flask.abort(400)
else:
flask.abort(401)
