def revoke_current_user_tokens():
"""Revoke all current user's tokens"""
with TokenManager() as tm:
with AuthenticationManager() as am:
tm.add_user_roles_rules(users={am.get_user(common.current_user.get())['id']})
return WazuhResult({'message': f'User {common.current_user.get()} was successfully logged out'})
def revoke_tokens():
"""Revoke all tokens in current node."""
change_secret()
with TokenManager() as tm:
tm.delete_all_rules()
return {'result': 'True'}
def revoke_tokens():
""" Revoke all tokens """
change_secret()
with TokenManager() as tm:
tm.delete_all_rules()
return WazuhResult({'msg': 'Tokens revoked successfully'})
def invalid_roles_tokens(roles: list = None):
"""Add the necessary rules to invalidate all affected role's tokens
Parameters
----------
roles : list
List of modified roles
"""
with TokenManager() as tm:
tm.add_user_roles_rules(roles=set(roles))
def invalid_users_tokens(roles: list = None, users: list = None):
"""Add the necessary rules to invalidate all affected user's tokens
Parameters
----------
roles : list
List of modified roles
users : str
Modified user
"""
related_users = check_relationships(roles=roles)
if users:
for user in users:
related_users.add(user)
with TokenManager() as tm:
tm.add_user_rules(users=related_users)
def check_token(username, roles, token_nbf_time, run_as):
"""Check the validity of a token with the current time and the generation time of the token.
Parameters
----------
username : str
Unique username
roles : list
List of roles related with the current token
token_nbf_time : int
Issued at time of the current token
run_as : bool
Indicate if the token has been granted through run_as endpoint
Returns
-------
Dict with the result
"""
# Check that the user exists
with AuthenticationManager() as am:
user = am.get_user(username=username)
if not user:
return {'valid': False}
user_id = user['id']
with UserRolesManager() as urm:
user_roles = [
role['id']
for role in map(Roles.to_dict,
urm.get_all_roles_from_user(user_id=user_id))
]
if not am.user_allow_run_as(
user['username']) and set(user_roles) != set(roles):
return {'valid': False}
with TokenManager() as tm:
for role in user_roles:
if not tm.is_token_valid(
role_id=role,
user_id=user_id,
token_nbf_time=int(token_nbf_time),
run_as=run_as):
return {'valid': False}
policies = optimize_resources(roles)
return {'valid': True, 'policies': policies}
def check_token(username, token_iat_time):
"""Check the validity of a token with the current time and the generation time of the token.
Parameters
----------
username : str
Unique username
token_iat_time : int
Issued at time of the current token
Returns
-------
Dict with the result
"""
with TokenManager() as tm:
result = tm.is_token_valid(username=username,
token_iat_time=int(token_iat_time))
return {'valid': result}
def remove_users(user_ids):
"""Remove a specified list of users
Parameters
----------
user_ids : list
List of IDs
Returns
-------
Status message
"""
result = AffectedItemsWazuhResult(
none_msg='No user was deleted',
some_msg='Some users were not deleted',
all_msg='Users were successfully deleted')
with AuthenticationManager() as auth:
for user_id in user_ids:
user_id = int(user_id)
current_user = auth.get_user(common.current_user.get())
if not isinstance(current_user, bool) and user_id == int(
current_user['id']) and user_id > max_id_reserved:
result.add_failed_item(id_=user_id, error=WazuhError(5008))
continue
user = auth.get_user_id(user_id)
query = auth.delete_user(user_id)
if not query:
result.add_failed_item(id_=user_id, error=WazuhError(5001))
elif query == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=user_id, error=WazuhError(5004))
elif query == SecurityError.RELATIONSHIP_ERROR:
result.add_failed_item(id_=user_id, error=WazuhError(4025))
elif user:
with TokenManager() as tm:
tm.add_user_roles_rules(users={user_id})
result.affected_items.append(user)
result.total_affected_items += 1
result.affected_items.sort(key=str)
return result
def invalid_run_as_tokens():
"""Add the necessary rules to invalidate all affected run_as's tokens
"""
with TokenManager() as tm:
tm.add_user_roles_rules(run_as=True)