def wrapper(*args, **kwargs):
tenant_name = request_tenant or request.headers.get(
CLOUDIFY_TENANT_HEADER)
if tenant_name:
try:
tenant = get_storage_manager().get(
Tenant, tenant_name, filters={'name': tenant_name})
current_app.config[CURRENT_TENANT_CONFIG] = tenant
except NotFoundError:
raise_unauthorized_user_error(
'Provided tenant name unknown: {0}'.format(
tenant_name))
# when running unittests, there is no authorization
if config.instance.test_mode:
return func(*args, **kwargs)
user_roles = current_user.all_tenants.get(tenant_name, []) \
+ [current_user.role]
action_roles = config.instance.authorization_permissions[action]
for user_role in user_roles:
if user_role in action_roles:
return func(*args, **kwargs)
raise UnauthorizedError(
'User {0} is not permitted to perform the action {1}'.format(
current_user.username, action))
def raise_unauthorized_user_error(extra_info=None):
error = 'User unauthorized'
if extra_info:
error += ': {0}'.format(extra_info)
abort_error(UnauthorizedError(error),
current_app.logger,
hide_server_message=True)
def _http_auth(self, user, username, password):
"""Perform basic user authentication
- Check that the password that was passed in the request can be
verified against the password stored in the DB
:param user: The DB user object
:param username: The username from the request
:param password: The password from the request
:return: The DB user object
"""
self.logger.debug('Running basic HTTP authentication')
if not user:
raise UnauthorizedError(failed_auth_message.format(username))
if not verify_password(password, user.password):
self._increment_failed_logins_counter(user)
raise UnauthorizedError(failed_auth_message.format(username))
return user
def _verify_token(self, token, user):
if not self.token_verified_cache.get_verify_hash_result(
token, user.id):
if not verify_hash(compare_data=user.password, hashed_data=token):
raise UnauthorizedError(
failed_auth_message.format(user.username))
else:
self.token_verified_cache.cache_verify_hash_result(
token, user.id)
def _authenticate_token(self, token):
"""Make sure that the token passed exists, is valid, is not expired,
and that the user contained within it exists in the DB
:param token: An authentication token
:return: A tuple: (A user object, its hashed password)
"""
self.logger.debug('Authenticating token')
expired, invalid, user, data, error = \
user_handler.get_token_status(token)
if expired:
raise UnauthorizedError('Token is expired')
elif invalid or (not isinstance(data, list) or len(data) != 2):
raise UnauthorizedError(
'Authentication token is invalid:\n{0}'.format(error))
elif not user:
raise NoAuthProvided()
else:
self._verify_token(token=data[1], user=user)
return user
def _authenticate_execution_token(self):
"""Make sure the token passed exists and valid (by verifying the
current_execution). Valid token is connected to an active execution
:return: A user object
"""
self.logger.debug('Authenticating execution token')
error_msg = 'Authentication failed, invalid Execution Token'
if not current_execution:
self.logger.debug('{0}. Exactly one execution should match this '
'token'.format(error_msg))
raise UnauthorizedError(error_msg)
if current_execution.status not in ExecutionState.ACTIVE_STATES:
if self._is_valid_scheduled_execution() or \
self._is_valid_cancelled_execution():
return current_execution.creator
# Not an active execution
self.logger.debug(
'{0}. The execution is not active'.format(error_msg))
raise UnauthorizedError(error_msg)
return current_execution.creator
def _validate_set_ldap_request():
if not current_user.is_admin:
raise UnauthorizedError('User is not authorized to set LDAP '
'configuration.')
if not _only_admin_in_manager():
raise MethodNotAllowedError('LDAP Configuration may be set only on'
' a clean manager.')
if not current_app.premium_enabled:
raise MethodNotAllowedError('LDAP is only supported in the '
'Cloudify premium edition.')
ldap_config = rest_utils.get_json_and_verify_params({
'ldap_server', 'ldap_username', 'ldap_password', 'ldap_domain',
'ldap_is_active_directory', 'ldap_dn_extra'
})
return ldap_config
def _internal_auth(self, request):
user = None
auth = request.authorization
token = user_handler.get_token_from_request(request)
api_token = user_handler.get_api_token_from_request(request)
execution_token = get_execution_token_from_request(request)
self.token_based_auth = token or api_token or execution_token
if auth: # Basic authentication (User + Password)
user = user_handler.get_user_from_auth(auth)
self._check_if_user_is_locked(user, auth)
user = self._authenticate_password(user, auth)
elif execution_token: # Execution Token authentication
user = self._authenticate_execution_token()
elif token: # Token authentication
user = self._authenticate_token(token)
elif api_token: # API token authentication
user, user_token_key = user_handler.extract_api_token(api_token)
if not user or user.api_token_key != user_token_key:
raise UnauthorizedError('API token authentication failed')
return user
def _check_if_user_is_locked(self, user, auth):
if self.external_auth_configured:
return user
if not user or user.is_locked:
raise UnauthorizedError(failed_auth_message.format(auth.username))
def raise_unauthorized_user_error(extra_info=None):
error = 'User unauthorized'
if extra_info:
error += ': {0}'.format(extra_info)
raise UnauthorizedError(error)