def password_login(): """Provides email and password authentication.""" data = request_data() email = data.get('email') password = data.get('password') if not email or not password: abort(404) log_event(request) q = Role.by_email(email) q = q.filter(Role.password_digest != None) # noqa role = q.first() # Try a password authentication and an LDAP authentication if it is enabled if role and role.check_password(password) is False: return Unauthorized("Authentication has failed.") elif not role: role = Role.authenticate_using_ldap(email, password) if not role: return Unauthorized("Authentication has failed.") session['user'] = role.id session['next_url'] = extract_next_url(request) return jsonify({ 'logout': url_for('.logout'), 'api_key': role.api_key, 'role': role })
def create(): require(not request.authz.in_maintenance, get_config('PASSWORD_REGISTRATION')) data = parse_request(schema=RoleCreateSchema) try: code = data.get('code') email = Role.SIGNATURE.loads(code, max_age=Role.SIGNATURE_MAX_AGE) assert email == data.get('email') except Exception: raise BadRequest("Invalid signature") role = Role.by_email(email).first() status = 200 if role is None: status = 201 role = Role.load_or_create( foreign_id='password:{}'.format(email), type=Role.USER, name=data.get('name') or email, email=email ) role.set_password(data.get('password')) db.session.add(role) db.session.commit() request.authz.id = role.id return jsonify(role, schema=RoleSchema, status=status)
def handle_oauth(provider, oauth_token): from aleph.model import Role token = provider.parse_id_token(oauth_token) if token is None: return None name = token.get("name", token.get("given_name")) email = token.get("email", token.get("upn")) role_id = "%s:%s" % (settings.OAUTH_HANDLER, token.get("sub", email)) role = Role.by_foreign_id(role_id) if settings.OAUTH_MIGRATE_SUB and role is None: role = Role.by_email(email) if role is not None: role.foreign_id = role_id role.update({"name": name}) if role is None: role = Role.load_or_create(role_id, Role.USER, name, email=email) if not role.is_actor: return None role.clear_roles() for group in _get_groups(provider, oauth_token, token): if group == settings.OAUTH_ADMIN_GROUP: role.is_admin = True continue foreign_id = "group:%s" % group group_role = Role.load_or_create(foreign_id, Role.GROUP, group) role.add_role(group_role) log.debug("User %r is member of %r", role, group_role) return role
def ooemail_authorized(): ''' This is a callback for when we are returning from the external auth provider. So, we use this to handle our sign-in ''' usr = Role.by_email(request.args.get('email')) if usr is None: return jsonify({ 'status': 'error', 'message': 'You are not authorized to do this.', 'roles': request.auth_roles, 'user': request.auth_role }, status=403) ok = usr.check_pw(request.args.get('password')) if ok: store_login(usr) return 'oo email authorized' else: return jsonify({ 'status': 'error', 'message': 'You are not authorized to do this.', 'roles': request.auth_roles, 'user': request.auth_role }, status=403)
def create(): require(not request.authz.in_maintenance, settings.PASSWORD_LOGIN) data = parse_request(RoleCreateSchema) try: email = Role.SIGNATURE.loads(data.get('code'), max_age=Role.SIGNATURE_MAX_AGE) except BadSignature: return jsonify({ 'status': 'error', 'message': gettext('Invalid code') }, status=400) role = Role.by_email(email) if role is not None: return jsonify({ 'status': 'error', 'message': gettext('Email is already registered') }, status=409) role = Role.load_or_create( foreign_id='password:{}'.format(email), type=Role.USER, name=data.get('name') or email, email=email ) role.set_password(data.get('password')) db.session.add(role) db.session.commit() update_role(role) # Let the serializer return more info about this user request.authz.id = role.id tag_request(role_id=role.id) return RoleSerializer.jsonify(role, status=201)
def create(): require(not request.authz.in_maintenance, settings.PASSWORD_LOGIN) data = parse_request(schema=RoleCreateSchema) try: email = Role.SIGNATURE.loads(data.get('code'), max_age=Role.SIGNATURE_MAX_AGE) except BadSignature: return jsonify({ 'status': 'error', 'message': 'Invalid code' }, status=400) role = Role.by_email(email).first() if role is not None: return jsonify( { 'status': 'error', 'message': 'Email is already registered' }, status=409) role = Role.load_or_create(foreign_id='password:{}'.format(email), type=Role.USER, name=data.get('name') or email, email=email) role.set_password(data.get('password')) db.session.add(role) db.session.commit() # Let the serializer return more info about this user request.authz.id = role.id return jsonify(role, schema=RoleSchema, status=201)
def password_login(): """Provides email and password authentication.""" data = parse_request(LoginSchema) q = Role.by_email(data.get('email')) q = q.filter(Role.password_digest != None) # noqa role = q.first() if role is None: return Unauthorized("Authentication has failed.") if not role.check_password(data.get('password')): return Unauthorized("Authentication has failed.") return jsonify({'status': 'ok', 'token': create_token(role)})
def test_create_success(self): email = self.fake.email() password = self.fake.password() payload = dict( email=email, password=password, code=Role.SIGNATURE_SERIALIZER.dumps(email, salt=email) ) res = self.client.post('/api/1/roles', data=payload) self.assertEqual(res.status_code, 201) self.assertEqual(res.json['role']['email'], email) self.assertTrue(Role.by_email(email).first().check_password(password))
def password_login(): """Provides email and password authentication.""" data = parse_request(LoginSchema) role = Role.by_email(data.get('email')) if role is None or not role.has_password: return Unauthorized("Authentication has failed.") if not role.check_password(data.get('password')): return Unauthorized("Authentication has failed.") update_role(role) db.session.commit() authz = Authz.from_role(role) return jsonify({'status': 'ok', 'token': authz.to_token(role=role)})
def create(): """Create a user role. --- post: summary: Create a user account description: > Create a user role by supplying the required account details. requestBody: content: application/json: schema: $ref: '#/components/schemas/RoleCreate' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Role' tags: - Role """ require(settings.PASSWORD_LOGIN) require(not request.authz.in_maintenance) data = parse_request("RoleCreate") try: email = Role.SIGNATURE.loads(data.get("code"), max_age=Role.SIGNATURE_MAX_AGE) except BadSignature: return jsonify({ "status": "error", "message": gettext("Invalid code") }, status=400) role = Role.by_email(email) if role is not None: return jsonify( { "status": "error", "message": gettext("Email is already registered") }, status=409, ) role = create_user(email, data.get("name"), data.get("password")) # Let the serializer return more info about this user request.authz = Authz.from_role(role) tag_request(role_id=role.id) return RoleSerializer.jsonify(role, status=201)
def password_login(): """Provides email and password authentication.""" require(settings.PASSWORD_LOGIN) data = parse_request(LoginSchema) role = Role.by_email(data.get('email')) if role is None or not role.has_password: raise BadRequest(gettext("Invalid user or password.")) if not role.check_password(data.get('password')): raise BadRequest(gettext("Invalid user or password.")) db.session.commit() update_role(role) authz = Authz.from_role(role) request.authz = authz return jsonify({'status': 'ok', 'token': authz.to_token(role=role)})
def test_create_success(self): self.app.config['PASSWORD_REGISTRATION'] = True email = self.fake.email() name = self.fake.name() password = self.fake.password() payload = dict(name=name, password=password, code=Role.SIGNATURE.dumps(email)) res = self.client.post('/api/2/roles', data=payload) db.session.close() self.assertEqual(res.status_code, 201) self.assertEqual(res.json['email'], email) role = Role.by_email(email).first() self.assertIsNotNone(role) self.assertTrue(role.check_password(password)) self.assertEqual(role.name, payload['name'])
def test_create_on_existing_email(self): email = self.fake.email() password = self.fake.password() payload = dict( email=email, name=self.fake.name(), password=password, code=Role.SIGNATURE_SERIALIZER.dumps(email, salt=email) ) RoleFactory.create(email=email) res = self.client.post('/api/1/roles', data=payload) self.assertEqual(res.status_code, 200) self.assertEqual(res.json['status'], 'ok') role = Role.by_email(email).first() self.assertIsNotNone(role) self.assertFalse(role.check_password(password))
def test_create_success(self): settings.PASSWORD_LOGIN = True email = self.fake.email() name = self.fake.name() password = self.fake.password() payload = dict(name=name, password=password, code=Role.SIGNATURE.dumps(email)) res = self.client.post("/api/2/roles", data=payload) db.session.close() self.assertEqual(res.status_code, 201) self.assertEqual(res.json.get("email"), email) role = Role.by_email(email) self.assertIsNotNone(role) self.assertTrue(role.check_password(password)) self.assertEqual(role.name, payload["name"])
def password_login(): """Provides email and password authentication. --- post: summary: Log in as a user description: Create a session token using a username and password. requestBody: content: application/json: schema: $ref: '#/components/schemas/Login' responses: '200': description: OK content: application/json: schema: type: object properties: status: type: string token: type: string tags: - Role """ require(settings.PASSWORD_LOGIN) data = parse_request("Login") role = Role.by_email(data.get("email")) if role is None or not role.has_password: raise BadRequest(gettext("Invalid user or password.")) if not role.check_password(data.get("password")): raise BadRequest(gettext("Invalid user or password.")) if role.is_blocked: raise Unauthorized(gettext("Your account is blocked.")) role.touch() db.session.commit() update_role(role) authz = Authz.from_role(role) request.authz = authz return jsonify({"status": "ok", "token": authz.to_token(role=role)})
def test_create_success(self): email = self.fake.email() password = self.fake.password() payload = dict( email=email, name=self.fake.name(), password=password, code=Role.SIGNATURE_SERIALIZER.dumps(email, salt=email) ) res = self.client.post('/api/1/roles', data=payload) self.assertEqual(res.status_code, 201) self.assertEqual(res.json['status'], 'ok') role = Role.by_email(email).first() self.assertIsNotNone(role) self.assertTrue(role.check_password(password)) self.assertEqual(role.name, payload['email']) self.assertEqual(role.email, payload['email'])
def password_login(): """Provides email and password authentication.""" data = parse_request(LoginSchema) role = Role.by_email(data.get('email')) if role is None or not role.has_password: return Unauthorized("Authentication has failed.") if not role.check_password(data.get('password')): return Unauthorized("Authentication has failed.") db.session.commit() update_role(role) authz = Authz.from_role(role) request.authz = authz record_audit(Audit.ACT_LOGIN) return jsonify({ 'status': 'ok', 'token': authz.to_token(role=role) })
def test_create_success(self): settings.PASSWORD_LOGIN = True email = self.fake.email() name = self.fake.name() password = self.fake.password() payload = dict( name=name, password=password, code=Role.SIGNATURE.dumps(email) ) res = self.client.post('/api/2/roles', data=payload) db.session.close() self.assertEqual(res.status_code, 201) self.assertEqual(res.json['email'], email) role = Role.by_email(email) self.assertIsNotNone(role) self.assertTrue(role.check_password(password)) self.assertEqual(role.name, payload['name'])
def create(): data = request_data() email = data.get('email') name = data.get('name') or email password = data.get('password') signature = data.get('code') if not email or not password or not signature: abort(400) try: # Make sure registration is allowed assert get_config('PASSWORD_REGISTRATION') # Make sure password is set and not too short assert len(password) >= Role.PASSWORD_MIN_LENGTH # Make sure the signature is valid assert email == Role.SIGNATURE_SERIALIZER.loads( signature, salt=email, max_age=Role.SIGNATURE_MAX_AGE) except: abort(400) role = Role.by_email(email).first() if role: return jsonify(dict(status='ok')), 200 role = Role.load_or_create(foreign_id='password:{}'.format(email), type=Role.USER, name=name, email=email) role.set_password(password) db.session.add(role) db.session.commit() return jsonify(dict(status='ok')), 201
def password_login(): """Provides email and password authentication.""" data = request_data() email = data.get('email') password = data.get('password') if not email or not password: abort(404) log_event(request) role = Role.by_email(email).filter(Role.password_digest != None).first() if not (role and role.check_password(password)): return Unauthorized("Authentication has failed.") session['user'] = role.id session['next_url'] = extract_next_url(request) return jsonify({ 'logout': url_for('.logout'), 'api_key': role.api_key, 'role': role })
def test_by_email_matches(self): self.assertEqual(Role.by_email(self.role.email), self.role)
def test_by_email_matches(self): self.assertEqual(Role.by_email(self.role.email).first(), self.role)
def test_by_email_does_not_match(self): self.assertIsNone(Role.by_email(self.fake.email()).first())
def test_by_email_when_blank_email(self): self.assertIsNone(Role.by_email(None))
def test_by_email_does_not_match(self): self.assertIsNone(Role.by_email(self.fake.email()))