def authenticate(self, request):
user = self._internal_auth(request)
is_bootstrap_admin = user and user.is_bootstrap_admin
if self.external_auth_configured \
and not is_bootstrap_admin \
and not self.token_based_auth:
self.logger.debug('using external auth')
user = user_handler.get_user_from_auth(request.authorization)
response = self.external_auth.authenticate(request, user)
if isinstance(response, Response):
return response
user = response
if not user:
raise NoAuthProvided()
self.logger.debug('Authenticated user: {0}'.format(user))
if request.authorization:
# Reset the counter only when using basic authentication
# (User + Password), otherwise the counter will be reset on
# every UI refresh (every 4 sec) and accounts won't be locked.
user.failed_logins_counter = 0
now = datetime.now()
if not user.last_login_at:
user.first_login_at = now
user.last_login_at = now
user_datastore.commit()
return user
def __init__(self, load_config=True):
_detect_debug_environment()
super(CloudifyFlaskApp, self).__init__(__name__)
if load_config:
config.instance.load_configuration()
self._set_sql_alchemy()
# This must be the first before_request, otherwise db access may break
# after db failovers or db proxy restarts
self.before_request(cope_with_db_failover)
# These two need to be called after the configuration was loaded
if config.instance.rest_service_log_path:
setup_logger(self.logger)
if premium_enabled and config.instance.file_server_root:
self.external_auth = configure_auth(self.logger)
self.before_request(LicenseHandler.check_license_expiration_date)
else:
self.external_auth = None
self.before_request(log_request)
self.before_request(maintenance_mode_handler)
self.after_request(log_response)
self._set_flask_security()
with self.app_context():
roles = config.instance.authorization_roles
if roles:
for role in roles:
user_datastore.find_or_create_role(name=role['name'])
user_datastore.commit()
with self._prevent_flask_restful_error_handling():
setup_resources(Api(self))
self.register_blueprint(app_errors)
def __init__(self, load_config=True):
_detect_debug_environment()
super(CloudifyFlaskApp, self).__init__(__name__)
if load_config:
config.instance.load_configuration()
self._set_sql_alchemy()
# These two need to be called after the configuration was loaded
if config.instance.rest_service_log_path:
setup_logger(self.logger)
if premium_enabled and config.instance.file_server_root:
self.external_auth = configure_auth(self.logger)
self.before_request(LicenseHandler.check_license_expiration_date)
else:
self.external_auth = None
self.before_request(log_request)
self.before_request(maintenance_mode_handler)
self.after_request(log_response)
self._set_exception_handlers()
self._set_flask_security()
with self.app_context():
roles = config.instance.authorization_roles
if roles:
for role in roles:
user_datastore.find_or_create_role(name=role['name'])
user_datastore.commit()
setup_resources(Api(self))
self.register_blueprint(app_errors)
def __init__(self, load_config=True):
_detect_debug_environment()
super(CloudifyFlaskApp, self).__init__(__name__)
if load_config:
config.instance.load_configuration()
self._set_sql_alchemy()
if load_config:
with self.app_context():
config.instance.load_from_db()
# These two need to be called after the configuration was loaded
setup_logger(self.logger)
if premium_enabled:
self.external_auth = configure_auth(self.logger)
else:
self.external_auth = None
self.before_request(log_request)
self.before_request(maintenance_mode_handler)
self.after_request(log_response)
self._set_exception_handlers()
self._set_flask_security()
with self.app_context():
roles = config.instance.authorization_roles
if roles:
for role in roles:
user_datastore.find_or_create_role(name=role['name'])
user_datastore.commit()
setup_resources(Api(self))
self.register_blueprint(app_errors)
def create_default_user_tenant_and_roles(admin_username,
admin_password,
amqp_manager,
authorization_file_path):
"""
Create the bootstrap admin, the default tenant and the security roles,
as well as a RabbitMQ vhost and user corresponding to the default tenant
:return: The default tenant
"""
admin_role = _create_roles(authorization_file_path)
default_tenant = _create_default_tenant()
amqp_manager.create_tenant_vhost_and_user(tenant=default_tenant)
admin_user = user_datastore.create_user(
id=constants.BOOTSTRAP_ADMIN_ID,
username=admin_username,
password=hash_password(admin_password),
roles=[admin_role]
)
# User role assigned to admin user as a member of default tenant
# This is the default role when adding a user is added to a tenant.
# Anyway, `sys_admin` will be the effective role since is the system role.
user_role = user_datastore.find_role(constants.DEFAULT_TENANT_ROLE)
user_tenant_association = UserTenantAssoc(
user=admin_user,
tenant=default_tenant,
role=user_role,
)
admin_user.tenant_associations.append(user_tenant_association)
user_datastore.commit()
return default_tenant
def create_default_user_tenant_and_roles(admin_username, admin_password,
amqp_manager,
authorization_file_path):
"""
Create the bootstrap admin, the default tenant and the security roles,
as well as a RabbitMQ vhost and user corresponding to the default tenant
:return: The default tenant
"""
admin_role = _create_roles(authorization_file_path)
default_tenant = _create_default_tenant()
amqp_manager.create_tenant_vhost_and_user(tenant=default_tenant)
admin_user = user_datastore.create_user(
id=constants.BOOTSTRAP_ADMIN_ID,
username=admin_username,
password=encrypt_password(admin_password),
roles=[admin_role])
# User role assigned to admin user as a member of default tenant
# This is the default role when adding a user is added to a tenant.
# Anyway, `sys_admin` will be the effective role since is the system role.
user_role = user_datastore.find_role(constants.DEFAULT_TENANT_ROLE)
user_tenant_association = UserTenantAssoc(
user=admin_user,
tenant=default_tenant,
role=user_role,
)
admin_user.tenant_associations.append(user_tenant_association)
user_datastore.commit()
return default_tenant
def authenticate(self, request):
user = None
auth = request.authorization
token = user_handler.get_token_from_request(request)
api_token = user_handler.get_api_token_from_request(request)
if auth: # Basic authentication (User + Password)
user = user_handler.get_user_from_auth(auth)
user = self._authenticate_password(user, auth)
elif token: # Token authentication
user = self._authenticate_token(token)
elif api_token: # API token authentication
user, user_token_key = user_handler.extract_api_token(api_token)
if not user or user.api_token_key != user_token_key:
raise_unauthorized_user_error(
'API token authentication failed')
elif self.okta_configured and \
current_app.okta.okta_saml_inside(request):
user = user_handler.get_okta_user(request.data, logger=self.logger)
if not user:
raise_unauthorized_user_error('OKTA authentication failed')
if not user:
raise_unauthorized_user_error('No authentication info provided')
self.logger.info('Authenticated user: {0}'.format(user))
user.last_login_at = datetime.now()
user_datastore.commit()
return user
def _update_admin_password(new_password):
"""Update the admin user's password."""
with setup_flask_app().app_context():
user = user_datastore.get_user('admin')
user.password = hash_password(new_password)
# Unlock account
user.failed_logins_counter = 0
user_datastore.commit()
def _update_admin_password(new_password):
"""Update the admin user's password."""
with setup_flask_app().app_context():
config.instance.load_configuration()
user = user_datastore.get_user('admin')
user.password = hash_password(new_password)
# Unlock account
user.failed_logins_counter = 0
user.active = True
user_datastore.commit()
def add_users_to_db(user_list):
default_tenant = Tenant.query.get(DEFAULT_TENANT_ID)
for user in user_list:
role = user_datastore.find_role(user['role'])
user_obj = user_datastore.create_user(username=user['username'],
password=encrypt_password(
user['password']),
roles=[role])
user_obj.active = user.get('active', True)
user_obj.tenants.append(default_tenant)
user_datastore.commit()
def authenticate(self, request):
user = self._internal_auth(request)
is_bootstrap_admin = user and user.is_bootstrap_admin
if self.external_auth \
and not is_bootstrap_admin \
and not self.token_based_auth:
self.logger.debug('using external auth')
user = user_handler.get_user_from_auth(request.authorization)
user = self.external_auth.authenticate(request, user)
if not user:
raise_unauthorized_user_error('No authentication info provided')
self.logger.info('Authenticated user: {0}'.format(user))
user.last_login_at = datetime.now()
user_datastore.commit()
return user
def create_default_user_tenant_and_roles(admin_username, admin_password):
"""Create the bootstrap admin, the default tenant and the security roles
:return: The default tenant
"""
admin_role = _create_roles()
default_tenant = _create_default_tenant()
admin_user = user_datastore.create_user(
id=constants.BOOTSTRAP_ADMIN_ID,
username=admin_username,
password=encrypt_password(admin_password),
roles=[admin_role])
admin_user.tenants.append(default_tenant)
user_datastore.commit()
return default_tenant
def add_users_to_db(user_list):
default_tenant = Tenant.query.get(DEFAULT_TENANT_ID)
for user in user_list:
role = user_datastore.find_role(user['role'])
user_obj = user_datastore.create_user(username=user['username'],
password=hash_password(
user['password']),
roles=[role])
default_tenant_role = user_datastore.find_role(DEFAULT_TENANT_ROLE)
user_obj.active = user.get('active', True)
user_tenant_association = UserTenantAssoc(
user=user_obj,
tenant=default_tenant,
role=default_tenant_role,
)
user_obj.tenant_associations.append(user_tenant_association)
user_datastore.commit()
def authenticate(self, request):
auth = request.authorization
token = user_handler.get_token_from_request(request)
api_token = user_handler.get_api_token_from_request(request)
if auth: # User + Password authentication
user = user_handler.get_user_from_auth(auth)
user = self._authenticate_password(user, auth)
elif token: # Token authentication
user = self._authenticate_token(token)
elif api_token: # API token authentication
user, user_token_key = user_handler.extract_api_token(api_token)
if not user or user.api_token_key != user_token_key:
raise_unauthorized_user_error(
'API token authentication failed')
else:
raise_unauthorized_user_error('No authentication ' 'info provided')
user.last_login_at = datetime.now()
user_datastore.commit()
return user
def create_default_user_tenant_and_roles(admin_username,
admin_password,
amqp_manager):
"""
Create the bootstrap admin, the default tenant and the security roles,
as well as a RabbitMQ vhost and user corresponding to the default tenant
:return: The default tenant
"""
admin_role = _create_roles()
default_tenant = _create_default_tenant()
amqp_manager.create_tenant_vhost_and_user(tenant=default_tenant)
admin_user = user_datastore.create_user(
id=constants.BOOTSTRAP_ADMIN_ID,
username=admin_username,
password=encrypt_password(admin_password),
roles=[admin_role]
)
admin_user.tenants.append(default_tenant)
user_datastore.commit()
return default_tenant
def create_status_reporter_user_and_assign_role(username, password, role,
user_id):
"""Creates a user and assigns its given role.
"""
user = user_datastore.create_user(username=username,
password=hash_password(password),
roles=[role],
id=user_id)
default_tenant = Tenant.query.filter_by(
id=constants.DEFAULT_TENANT_ID).first()
reporter_role = user_datastore.find_role(role)
if not reporter_role:
raise NotFoundError("The username \"{0}\" cannot have the role \"{1}\""
" as the role doesn't exist"
"".format(username, role))
user_tenant_association = UserTenantAssoc(
user=user,
tenant=default_tenant,
role=reporter_role,
)
user.tenant_associations.append(user_tenant_association)
user_datastore.commit()
return user
def authenticate(self, request):
user = self._internal_auth(request)
is_bootstrap_admin = user and user.is_bootstrap_admin
if self.external_auth_configured \
and not is_bootstrap_admin \
and not self.token_based_auth:
self.logger.debug('using external auth')
user = user_handler.get_user_from_auth(request.authorization)
response = self.external_auth.authenticate(request, user)
if isinstance(response, Response):
return response
user = response
if not user:
raise_unauthorized_user_error('No authentication info provided')
self.logger.debug('Authenticated user: {0}'.format(user))
if request.authorization:
# Reset the counter only when using basic authentication
# (User + Password), otherwise the counter will be reset on
# every UI refresh (every 4 sec) and accounts won't be locked.
user.failed_logins_counter = 0
user.last_login_at = datetime.now()
user_datastore.commit()
return user
def _update_admin_password(new_password):
adm = user_datastore.get_user('admin')
if verify_password(new_password, adm.password): # no change
return
adm.password = hash_password(new_password)
user_datastore.commit()
def _increment_failed_logins_counter(user):
user.last_failed_login_at = datetime.now()
user.failed_logins_counter += 1
user_datastore.commit()
def _increment_failed_logins_counter(user):
user.last_failed_login_at = datetime.now()
user.failed_logins_counter += 1
user_datastore.commit()
