def _apikey_create(accountId):
session = builtins.CAS_CONTEXT['db_session']()
account = session.query(DbAccount).filter_by(name=accountId).first()
if account is None:
log_msg = "user '%s' doesn't exist" % accountId
session.close()
return swg_DefaultError(message=log_msg), 404
if len(account.api_keys) > MAX_KEY_PER_ACCOUNT:
log_msg = "user '%s' already has the maximum number of keys (%d)" % (accountId, MAX_KEY_PER_ACCOUNT)
session.close()
return swg_DefaultError(message=log_msg), 401
secret_prefix = secrets.token_hex(4)
secret_main = secrets.token_urlsafe(32)
api_key = "%s-%s" % (secret_prefix, secret_main)
hashed_key = hashlib.sha512(api_key.encode('utf-8')).hexdigest()
dbapi_key = DbApiKey(secret_hash=hashed_key,
creation_date=datetime.datetime.now(),
secret_prefix=secret_prefix,
account_id=account.id,
)
session.add(dbapi_key)
session.commit()
ret = _render_apikey(dbapi_key, fullkey=api_key)
session.close()
return ret
def _account_delete(accountId):
account = access_control()
if account is None:
return _access_deny(log_msg="access deny on account delete")
if account['perm'] not in ['AdminWrite']:
return _access_deny(
log_msg="user '%s' (perm: %s) doesn't have permission to delete an account" % (account['name'], account['perm']),
api_msg="deleting an account requires admin permission",
)
session = builtins.CAS_CONTEXT['db_session']()
account = session.query(DbAccount).filter_by(name=accountId).first()
# TODO handle cascading or error messages when certificates/domains/notifications are
# still present
if account is not None:
for tag in account.tags:
session.delete(tag)
session.query(DbAccount).filter_by(name=accountId).delete()
log_msg = "user '%s' deleted" % accountId
builtins.CAS_CONTEXT['logger'].info(log_msg)
ret = swg_DefaultMessage(message=log_msg)
ret_code = 200
else:
log_msg = "user '%s' doesn't exist, nothing to be done" % accountId
builtins.CAS_CONTEXT['logger'].info(log_msg)
ret = swg_DefaultError(message=log_msg)
ret_code = 404
session.commit()
session.close()
return ret , ret_code
def _apikey_list(accountId, next_id=None):
session = builtins.CAS_CONTEXT['db_session']()
account = session.query(DbAccount).filter_by(name=accountId).first()
if account is None:
log_msg = "cannot list keys, user '%s' doesn't exist" % accountId
builtins.CAS_CONTEXT['logger'].info(log_msg)
session.close()
return swg_DefaultError(code='InvalidInputData', message=log_msg), 404
ret = []
for k in account.api_keys:
ret.append(_render_apikey(k))
return ret
def _apikey_get(accountId, keyId):
session = builtins.CAS_CONTEXT['db_session']()
# TODO: join in one query instead of two queries...
try:
internal_account_id = session.query(DbAccount).filter_by(name=accountId).first().id
except:
log_msg = "cannot delete key, user '%s' doesn't exist" % accountId
builtins.CAS_CONTEXT['logger'].info(log_msg)
session.close()
return swg_DefaultError(code='InvalidInputData', message=log_msg), 404
key = session.query(DbApiKey).filter_by(id=keyId, account_id=internal_account_id).first()
if key is None:
ret_code = 404
log_msg = "key '%s' of user '%s' doesn't exist" % (keyId, accountId)
ret = swg_DefaultError(code='InvalidInputData', message=log_msg)
else:
ret_code = 200
ret = _render_apikey(key)
log_msg = "key '%s' of user '%s' queried" % (keyId, accountId)
builtins.CAS_CONTEXT['logger'].info(log_msg)
return ret, ret_code
def _account_get(accountId):
if account is None:
return _access_deny(log_msg="access deny on account delete")
if account['perm'] in ['AdminWrite', 'AdminRead'] or \
account['name'] != accountId and account['perm'] in ['Read', 'Write', 'SelfRegisterDomain']:
return _access_deny(
log_msg="user '%s' (perm: %s) doesn't have permission to read an account" % (account['name'], account['perm']),
api_msg="read an account requires admin (read) permission",
)
session = builtins.CAS_CONTEXT['db_session']()
account = session.query(DbAccount).filter_by(name=accountId).first()
if account is None:
log_msg = "user '%s' doesn't exist" % accountId
session.close()
return swg_DefaultError(message=log_msg), 404
ret = _render_account(account)
session.close()
if ret is None:
log_msg = 'Account "%s" doesn\'t exist' % accountId
builtins.CAS_CONTEXT['logger'].warning(log_msg)
return swg_DefaultError(code='InvalidInputData', message=log_msg), 404
return ret
def _apikey_delete(accountId, keyId):
session = builtins.CAS_CONTEXT['db_session']()
# TODO: join in one query instead of two queries...
try:
internal_account_id = session.query(DbAccount).filter_by(name=accountId).first().id
except:
log_msg = "cannot delete key, user '%s' doesn't exist" % accountId
builtins.CAS_CONTEXT['logger'].info(log_msg)
session.close()
return swg_DefaultError(code='InvalidInputData', message=log_msg), 404
key = session.query(DbApiKey).filter_by(id=keyId, account_id=internal_account_id).first()
if key is not None:
log_msg = "key '%s' (key: '%s-XXXX') of user '%s' deleted" % (keyId, key.secret_prefix, accountId)
ret = swg_DefaultMessage(message=log_msg)
ret_code = 200
session.delete(key)
session.commit()
else:
log_msg = "cannot delete, key '%s' of user '%s' doesn't exist" % (keyId, accountId)
ret_code = 404
ret = swg_DefaultError(code='InvalidInputData', message=log_msg)
builtins.CAS_CONTEXT['logger'].info(log_msg)
session.close()
return ret, ret_code
def _account_create(body):
account = access_control()
perm = _check_perm(account, ['AdminWrite'], 'create account')
if perm:
return perm
session = builtins.CAS_CONTEXT['db_session']()
name = body.name
permission = body.permission
try:
new_account = DbAccount(
name=name,
permission=permission,
creation_date=datetime.datetime.now(),
last_modification_date=datetime.datetime.now()
)
session.add(new_account)
session.flush()
session.refresh(new_account)
except sqlalchemy.exc.IntegrityError as e:
# loss matching of not unique account name
if 'unique' not in str(e) or 'UNIQUE' not in str(e):
log_msg = 'Duplicate account name, account "%s" already exists' % name
else:
log_msg = 'Invalid/incomplete data in the payload'
#log_msg = str(e)
builtins.CAS_CONTEXT['logger'].info(log_msg)
return swg_DefaultError(code='InvalidInputData', message=log_msg), 400
if body.tag is not None:
for tag in body.tag:
tag = DbTagAccount(key=tag, value=body.tag[tag], account_id=new_account.id)
session.add(tag)
session.commit()
session.refresh(new_account)
ret = _render_account(new_account)
session.close()
return ret
def _account_update(accountId, body):
session = builtins.CAS_CONTEXT['db_session']()
account = session.query(DbAccount).filter_by(name=accountId).first()
if account is None:
log_msg = "user '%s' doesn't exist" % accountId
return swg_DefaultError(message=log_msg), 404
if body.name:
account.name = body.name
if body.permission:
account.permission = body.permission
if account.tags is not None:
for tag in account.tags:
session.delete(tag)
account.last_modification_date = datetime.datetime.now()
for tag in body.tag:
tag = DbTagAccount(key=tag, value=body.tag[tag], account_id=account.id)
session.add(tag)
session.commit()
session.refresh(account)
ret = _render_account(account)
session.close()
return ret
def _insuf_perm(api_msg='access deny, invalid/missing API key',
log_msg='access deny, invalid/missing API key'):
builtins.CAS_CONTEXT['logger'].info(log_msg)
return swg_DefaultError(code='InsufficientPermission', message=api_msg), 403
def _access_deny(api_msg='access deny, invalid/missing API key',
log_msg='access deny, invalid/missing API key'):
builtins.CAS_CONTEXT['logger'].info(log_msg)
return swg_DefaultError(code='AccessDeny', message=api_msg), 403