def login_password(self, username, password, proxy_user=None):
    """
    Authenticates the current session using the given username and password.

    The caller may act as a proxy on behalf of another user by passing the
    *proxy_user* argument. This requires that the caller has 'proxy_auth'
    permission.

    Unknown user, account not permitted to log in and wrong password all
    produce the same message, so the response text does not reveal which
    check failed.

    :param username: name of the user whose credentials are being checked
    :type username: string
    :param password: that user's password
    :type password: string
    :param proxy_user: username on whose behalf the caller is proxying
    :type proxy_user: string or None
    :returns: the authenticated caller's user name
    :raises LoginException: on bad credentials, when the caller lacks
        'proxy_auth' permission, or when *proxy_user* does not exist
    """
    caller = User.by_user_name(username)
    # Short-circuit chain preserves the order existence -> eligibility ->
    # password. NOTE(review): check_password() is skipped for unknown users,
    # so response timing may still distinguish them from a wrong password.
    if (caller is None
            or not caller.can_log_in()
            or not caller.check_password(password)):
        raise LoginException(_(u'Invalid username or password'))

    if not proxy_user:
        identity.set_authentication(caller)
        return caller.user_name

    # Proxying: the caller authenticates, but the session is bound to the
    # proxied account with the caller recorded as proxied_by.
    if not caller.has_permission(u'proxy_auth'):
        raise LoginException(
            _(u'%s does not have proxy_auth permission') % caller.user_name)
    target = User.by_user_name(proxy_user)
    if target is None:
        raise LoginException(_(u'Proxy user %s does not exist') % proxy_user)
    identity.set_authentication(target, proxied_by=caller)
    return caller.user_name
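def login_krbV(self, krb_request, proxy_user=None):
    """
    Authenticates the current session using Kerberos.

    The caller may act as a proxy on behalf of another user by passing the
    *proxy_user* argument. This requires that the caller has 'proxy_auth'
    permission.

    :param krb_request: KRB_AP_REQ message containing client credentials,
        as produced by :c:func:`krb5_mk_req`
    :type krb_request: base64-encoded string
    :param proxy_user: username on whose behalf the caller is proxying
    :type proxy_user: string or None
    :returns: the authenticated caller's user name (client principal with
        the realm stripped)
    :raises LoginException: if the request is missing or not valid base64,
        fails Kerberos verification, names an unknown or disabled user, or
        the proxy request is not permitted

    This method is also available under the alias :meth:`auth.login_krbv`,
    for compatibility with `Kobo`_.
    """
    import krbV
    import base64

    # Reject an absent/empty request up front; base64.decodestring(None)
    # would otherwise raise TypeError and surface as a server fault.
    if not krb_request:
        raise LoginException(_(u'Invalid Kerberos request'))

    context = krbV.default_context()
    server_principal = krbV.Principal(name=KRB_AUTH_PRINCIPAL, context=context)
    server_keytab = krbV.Keytab(name=KRB_AUTH_KEYTAB, context=context)
    auth_context = krbV.AuthContext(context=context)
    # Sequence-number and timestamp checking on the AP_REQ: this is what
    # rejects replayed or stale authenticators.
    auth_context.flags = (krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE
                          | krbV.KRB5_AUTH_CONTEXT_DO_TIME)
    # Address tuple handed to krbV; the first element is the resolved address
    # of the requesting host. Assumed layout (addr, port, addr, port) --
    # confirm against python-krbV.
    auth_context.addrs = (socket.gethostbyname(cherrypy.request.remote_host),
                          0, cherrypy.request.remote_addr, 0)

    # Decode the authentication request; bad padding raises binascii.Error,
    # a ValueError subclass, and non-string input raises TypeError.
    try:
        decoded_request = base64.decodestring(krb_request)
    except (TypeError, ValueError):
        raise LoginException(_(u'Invalid Kerberos request'))

    try:
        auth_context, opts, server_principal, cache_credentials = context.rd_req(
            decoded_request, server=server_principal, keytab=server_keytab,
            auth_context=auth_context, options=krbV.AP_OPTS_MUTUAL_REQUIRED)
    except krbV.Krb5Error:
        # The ticket could not be verified against our keytab (forged,
        # expired, replayed, wrong service principal, clock skew, ...).
        # Report a login failure instead of leaking the library error.
        raise LoginException(_(u'Invalid Kerberos request'))

    cprinc = cache_credentials[2]
    # Reduce the client principal to its primary name by dropping '@REALM'.
    # NOTE(review): the realm is not checked, so identically named principals
    # from any realm the KDC trusts map onto the same local account; confirm
    # a single-realm deployment is intended before relying on this.
    username = cprinc.name.split("@")[0]

    user = User.by_user_name(username)
    if user is None or not user.can_log_in():
        raise LoginException(_(u'Invalid username'))

    if proxy_user:
        if not user.has_permission(u'proxy_auth'):
            raise LoginException(
                _(u'%s does not have proxy_auth permission') % user.user_name)
        proxied_user = User.by_user_name(proxy_user)
        if proxied_user is None:
            raise LoginException(
                _(u'Proxy user %s does not exist') % proxy_user)
        identity.set_authentication(proxied_user, proxied_by=user)
    else:
        identity.set_authentication(user)
    return username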
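def login_oauth2():
    """
    Authenticates the current session using OAuth2.

    The caller may act as a proxy on behalf of another user by passing the
    *proxy_user* key. This requires that the caller has 'proxy_auth'
    permission.

    The request body must be a JSON object containing access_token.
    Proxy_user is optional.

    The token is validated by posting it to the configured introspection
    endpoint with our client credentials; the response must report the token
    as active and carrying the Beaker OIDC scope, and its subject must name
    an existing user who is allowed to log in.

    :jsonparam string access_token: The OAuth2 access token
    :jsonparam string proxy_user: Username on whose behalf the caller is
        proxying

    Raises Unauthorised401 when the token is missing, inactive, lacks the
    required scope or subject, names an unknown/disabled user, or the proxy
    request is not permitted.
    """
    payload = read_json_request(request)
    access_token = payload.get('access_token')
    proxy_user = payload.get('proxy_user')

    # Refuse early: an empty token would be forwarded to the introspection
    # endpoint and its error reply would surface as a server error.
    if not access_token:
        raise Unauthorised401(u'Invalid token')

    token_info_resp = requests.post(
        OAUTH2_TOKEN_INFO_URL,
        # NOTE(review): config.get() returns None when the key is unset, which
        # disables the request timeout entirely -- confirm a default exists.
        timeout=app.config.get('identity.soldapprovider.timeout'),
        data={
            'client_id': OAUTH2_CLIENT_ID,
            'client_secret': OAUTH2_CLIENT_SECRET,
            'token': access_token,
        })
    token_info_resp.raise_for_status()
    token_info = token_info_resp.json()

    # A response without 'active' is treated as inactive instead of
    # raising KeyError.
    if not token_info.get('active'):
        raise Unauthorised401(u'Invalid token')
    # 'scope' may be absent or null; normalise to '' before splitting.
    granted_scopes = (token_info.get('scope') or '').split(' ')
    if 'https://beaker-project.org/oidc/scope' not in granted_scopes:
        raise Unauthorised401(u'Token missing required scope')
    username = token_info.get('sub')
    if not username:
        raise Unauthorised401(u'Token missing subject')

    user = User.by_user_name(username)
    if user is None or not user.can_log_in():
        raise Unauthorised401(u'Invalid username')

    if proxy_user:
        if not user.has_permission(u'proxy_auth'):
            raise Unauthorised401(
                u'%s does not have proxy_auth permission' % user.user_name)
        proxied_user = User.by_user_name(proxy_user)
        if proxied_user is None:
            raise Unauthorised401(u'Proxy user %s does not exist' % proxy_user)
        identity.set_authentication(proxied_user, proxied_by=user)
    else:
        identity.set_authentication(user)
    return jsonify({'username': user.user_name})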
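def login_krbv():
    """
    Authenticates the current session using Kerberos.

    The caller may act as a proxy on behalf of another user by passing the
    *proxy_user* key. This requires that the caller has 'proxy_auth'
    permission.

    The request body must be a JSON object containing krb_request.
    Proxy_user is optional.

    :jsonparam base64-encoded-string krb_request: KRB_AP_REQ message
        containing client credentials, as produced by :c:func:`krb5_mk_req`
    :jsonparam string proxy_user: Username on whose behalf the caller is
        proxying

    Raises Unauthorised401 when krb_request is missing or not valid base64,
    fails Kerberos verification, names an unknown or disabled user, or the
    proxy request is not permitted.
    """
    import krbV
    import base64

    payload = read_json_request(request)
    krb_request = payload.get('krb_request')
    proxy_user = payload.get('proxy_user')

    # Reject an absent/empty request up front; base64.decodestring(None)
    # would otherwise raise TypeError and surface as a 500.
    if not krb_request:
        raise Unauthorised401(u'Invalid Kerberos request')

    context = krbV.default_context()
    server_principal = krbV.Principal(name=KRB_AUTH_PRINCIPAL, context=context)
    server_keytab = krbV.Keytab(name=KRB_AUTH_KEYTAB, context=context)
    auth_context = krbV.AuthContext(context=context)
    # Sequence-number and timestamp checking on the AP_REQ: this is what
    # rejects replayed or stale authenticators.
    auth_context.flags = (krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE
                          | krbV.KRB5_AUTH_CONTEXT_DO_TIME)
    # NOTE(review): socket.gethostbyaddr() returns a (hostname, aliaslist,
    # ipaddrlist) tuple, whereas the XML-RPC variant of this method passes a
    # plain address string from gethostbyname(). Left as-is; confirm that
    # python-krbV accepts this shape for the first element of addrs.
    auth_context.addrs = (socket.gethostbyaddr(request.remote_addr),
                          0, request.remote_addr, 0)

    # Decode the authentication request; bad padding raises binascii.Error,
    # a ValueError subclass, and non-string input raises TypeError.
    try:
        decoded_request = base64.decodestring(krb_request)
    except (TypeError, ValueError):
        raise Unauthorised401(u'Invalid Kerberos request')

    try:
        auth_context, opts, server_principal, cache_credentials = context.rd_req(
            decoded_request, server=server_principal, keytab=server_keytab,
            auth_context=auth_context, options=krbV.AP_OPTS_MUTUAL_REQUIRED)
    except krbV.Krb5Error:
        # The ticket could not be verified against our keytab (forged,
        # expired, replayed, wrong service principal, clock skew, ...).
        # Report 401 instead of leaking the library error as a 500.
        raise Unauthorised401(u'Invalid Kerberos request')

    cprinc = cache_credentials[2]
    # Reduce the client principal to its primary name by dropping '@REALM'.
    # NOTE(review): the realm is not checked, so identically named principals
    # from any realm the KDC trusts map onto the same local account; confirm
    # a single-realm deployment is intended before relying on this.
    username = cprinc.name.split("@")[0]

    user = User.by_user_name(username)
    if user is None or not user.can_log_in():
        raise Unauthorised401(u'Invalid username')

    if proxy_user:
        if not user.has_permission(u'proxy_auth'):
            raise Unauthorised401(
                u'%s does not have proxy_auth permission' % user.user_name)
        proxied_user = User.by_user_name(proxy_user)
        if proxied_user is None:
            raise Unauthorised401(u'Proxy user %s does not exist' % proxy_user)
        identity.set_authentication(proxied_user, proxied_by=user)
    else:
        identity.set_authentication(user)
    return jsonify({'username': user.user_name})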
def run(self):
    """
    Thread body for the concurrency test.

    Inside a fresh test request context it opens a session transaction,
    signals readiness on ``ready_evt``, waits for ``start_evt``, then
    authenticates as the user named by ``self.lc_user_name`` and calls
    ``controller.add_distro_tree`` with ``self.distro_data``. The
    transaction is held open until ``commit_evt`` fires, so the owning test
    decides exactly when the commit happens. ``self.success`` is set only
    after the commit returns.
    """
    with app.test_request_context('/RPC2'):
        session.begin()
        # Hand control to the test: tell it we are ready, then block until
        # it releases us.
        self.ready_evt.set()
        self.start_evt.wait()

        acting_user = User.by_user_name(self.lc_user_name)
        identity.set_authentication(acting_user)
        controller.add_distro_tree(self.distro_data)

        # Keep the transaction open until the test asks for the commit.
        self.commit_evt.wait()
        session.commit()
        self.success = True
def run(self):
    """
    Worker thread used by the test to drive ``controller.add_distro_tree``
    under a controlled transaction.

    Sequence: begin a session transaction in a test request context, set
    ``ready_evt`` and wait on ``start_evt``; authenticate as the user named
    by ``self.lc_user_name``; call ``add_distro_tree(self.distro_data)``;
    wait on ``commit_evt``; commit; record ``self.success = True``.
    """
    request_ctx = app.test_request_context("/RPC2")
    with request_ctx:
        session.begin()
        self.ready_evt.set()   # we are inside the transaction
        self.start_evt.wait()  # ...but do nothing until told

        actor = User.by_user_name(self.lc_user_name)
        identity.set_authentication(actor)
        controller.add_distro_tree(self.distro_data)

        self.commit_evt.wait()  # commit only when the test allows it
        session.commit()
        self.success = True
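def login_oauth2(self, access_token, proxy_user=None):
    """
    Authenticates the current session using OAuth2.

    The caller may act as a proxy on behalf of another user by passing the
    *proxy_user* argument. This requires that the caller has 'proxy_auth'
    permission.

    The token is validated by posting it to the configured introspection
    endpoint with our client credentials; the response must report the token
    as active and carrying the Beaker OIDC scope, and its subject must name
    an existing user who is allowed to log in.

    :param access_token: The OAuth2 access token
    :type access_token: string
    :param proxy_user: username on whose behalf the caller is proxying
    :type proxy_user: string or None
    :returns: the authenticated caller's user name (the token subject)
    :raises LoginException: if the token is missing, inactive, lacks the
        required scope or subject, names an unknown/disabled user, or the
        proxy request is not permitted
    """
    # Refuse early: an empty token would be forwarded to the introspection
    # endpoint and its error reply would surface as an unhandled HTTP error.
    if not access_token:
        raise LoginException(_(u'Invalid token'))

    token_info_resp = requests.post(
        OAUTH2_TOKEN_INFO_URL,
        # NOTE(review): get() returns None when the key is unset, which
        # disables the request timeout entirely -- confirm a default exists.
        timeout=get('identity.soldapprovider.timeout'),
        data={
            'client_id': OAUTH2_CLIENT_ID,
            'client_secret': OAUTH2_CLIENT_SECRET,
            'token': access_token,
        })
    token_info_resp.raise_for_status()
    token_info = token_info_resp.json()

    # A response without 'active' is treated as inactive instead of
    # raising KeyError.
    if not token_info.get('active'):
        raise LoginException(_(u'Invalid token'))
    # 'scope' may be absent or null; normalise to '' before splitting.
    granted_scopes = (token_info.get('scope') or '').split(' ')
    if 'https://beaker-project.org/oidc/scope' not in granted_scopes:
        raise LoginException(_(u'Token missing required scope'))
    username = token_info.get('sub')
    if not username:
        raise LoginException(_(u'Token missing subject'))

    user = User.by_user_name(username)
    if user is None or not user.can_log_in():
        raise LoginException(_(u'Invalid username'))

    if proxy_user:
        if not user.has_permission(u'proxy_auth'):
            raise LoginException(
                _(u'%s does not have proxy_auth permission') % user.user_name)
        proxied_user = User.by_user_name(proxy_user)
        if proxied_user is None:
            raise LoginException(
                _(u'Proxy user %s does not exist') % proxy_user)
        identity.set_authentication(proxied_user, proxied_by=user)
    else:
        identity.set_authentication(user)
    return username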
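def login_krbV(self, krb_request, proxy_user=None):
    """
    Authenticates the current session using Kerberos.

    The caller may act as a proxy on behalf of another user by passing the
    *proxy_user* argument. This requires that the caller has 'proxy_auth'
    permission.

    :param krb_request: KRB_AP_REQ message containing client credentials,
        as produced by :c:func:`krb5_mk_req`
    :type krb_request: base64-encoded string
    :param proxy_user: username on whose behalf the caller is proxying
    :type proxy_user: string or None
    :returns: the authenticated caller's user name (client principal with
        the realm stripped)
    :raises LoginException: if the request is missing or not valid base64,
        fails Kerberos verification, names an unknown or disabled user, or
        the proxy request is not permitted

    This method is also available under the alias :meth:`auth.login_krbv`,
    for compatibility with `Kobo`_.
    """
    import krbV
    import base64

    # Reject an absent/empty request up front; base64.decodestring(None)
    # would otherwise raise TypeError and surface as a server fault.
    if not krb_request:
        raise LoginException(_(u'Invalid Kerberos request'))

    context = krbV.default_context()
    server_principal = krbV.Principal(name=self.KRB_AUTH_PRINCIPAL,
                                      context=context)
    server_keytab = krbV.Keytab(name=self.KRB_AUTH_KEYTAB, context=context)
    auth_context = krbV.AuthContext(context=context)
    # Sequence-number and timestamp checking on the AP_REQ: this is what
    # rejects replayed or stale authenticators.
    auth_context.flags = (krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE
                          | krbV.KRB5_AUTH_CONTEXT_DO_TIME)
    # Address tuple handed to krbV; the first element is the resolved address
    # of the requesting host. Assumed layout (addr, port, addr, port) --
    # confirm against python-krbV.
    auth_context.addrs = (socket.gethostbyname(cherrypy.request.remote_host),
                          0, cherrypy.request.remote_addr, 0)

    # Decode the authentication request; bad padding raises binascii.Error,
    # a ValueError subclass, and non-string input raises TypeError.
    try:
        decoded_request = base64.decodestring(krb_request)
    except (TypeError, ValueError):
        raise LoginException(_(u'Invalid Kerberos request'))

    try:
        auth_context, opts, server_principal, cache_credentials = context.rd_req(
            decoded_request, server=server_principal, keytab=server_keytab,
            auth_context=auth_context, options=krbV.AP_OPTS_MUTUAL_REQUIRED)
    except krbV.Krb5Error:
        # The ticket could not be verified against our keytab (forged,
        # expired, replayed, wrong service principal, clock skew, ...).
        # Report a login failure instead of leaking the library error.
        raise LoginException(_(u'Invalid Kerberos request'))

    cprinc = cache_credentials[2]
    # Reduce the client principal to its primary name by dropping '@REALM'.
    # NOTE(review): the realm is not checked, so identically named principals
    # from any realm the KDC trusts map onto the same local account; confirm
    # a single-realm deployment is intended before relying on this.
    username = cprinc.name.split("@")[0]

    user = User.by_user_name(username)
    if user is None or not user.can_log_in():
        raise LoginException(_(u'Invalid username'))

    if proxy_user:
        if not user.has_permission(u'proxy_auth'):
            raise LoginException(
                _(u'%s does not have proxy_auth permission') % user.user_name)
        proxied_user = User.by_user_name(proxy_user)
        if proxied_user is None:
            raise LoginException(
                _(u'Proxy user %s does not exist') % proxy_user)
        identity.set_authentication(proxied_user, proxied_by=user)
    else:
        identity.set_authentication(user)
    return username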
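def login_oauth2(self, access_token, proxy_user=None):
    """
    Authenticates the current session using OAuth2.

    The caller may act as a proxy on behalf of another user by passing the
    *proxy_user* argument. This requires that the caller has 'proxy_auth'
    permission.

    The token is validated by posting it to ``self.OAUTH2_TOKEN_INFO_URL``
    with this service's client credentials; the introspection response must
    report the token as active and carrying the Beaker OIDC scope, and its
    subject must name an existing user who is allowed to log in.

    :param access_token: The OAuth2 access token
    :type access_token: string
    :param proxy_user: username on whose behalf the caller is proxying
    :type proxy_user: string or None
    :returns: the authenticated caller's user name (the token subject)
    :raises LoginException: if the token is missing, inactive, lacks the
        required scope or subject, names an unknown/disabled user, or the
        proxy request is not permitted
    """
    # Refuse early: an empty token would be forwarded to the introspection
    # endpoint and its error reply would surface as an unhandled HTTP error.
    if not access_token:
        raise LoginException(_(u'Invalid token'))

    token_info_resp = requests.post(
        self.OAUTH2_TOKEN_INFO_URL,
        # NOTE(review): get() returns None when the key is unset, which
        # disables the request timeout entirely -- confirm a default exists.
        timeout=get('identity.soldapprovider.timeout'),
        data={'client_id': self.OAUTH2_CLIENT_ID,
              'client_secret': self.OAUTH2_CLIENT_SECRET,
              'token': access_token})
    token_info_resp.raise_for_status()
    token_info = token_info_resp.json()

    # A response without 'active' is treated as inactive instead of
    # raising KeyError.
    if not token_info.get('active'):
        raise LoginException(_(u'Invalid token'))
    # 'scope' may be absent or null; normalise to '' before splitting.
    granted_scopes = (token_info.get('scope') or '').split(' ')
    if 'https://beaker-project.org/oidc/scope' not in granted_scopes:
        raise LoginException(_(u'Token missing required scope'))
    username = token_info.get('sub')
    if not username:
        raise LoginException(_(u'Token missing subject'))

    user = User.by_user_name(username)
    if user is None or not user.can_log_in():
        raise LoginException(_(u'Invalid username'))

    if proxy_user:
        if not user.has_permission(u'proxy_auth'):
            raise LoginException(
                _(u'%s does not have proxy_auth permission') % user.user_name)
        proxied_user = User.by_user_name(proxy_user)
        if proxied_user is None:
            raise LoginException(
                _(u'Proxy user %s does not exist') % proxy_user)
        identity.set_authentication(proxied_user, proxied_by=user)
    else:
        identity.set_authentication(user)
    return username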
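def login_password():
    """
    Authenticates the current session using the given username and password.

    The caller may act as a proxy on behalf of another user by passing the
    *proxy_user* key. This requires that the caller has 'proxy_auth'
    permission.

    The request body must be a JSON object containing username and password.
    Proxy_user is optional.

    Missing fields, unknown user, account not permitted to log in and wrong
    password all produce the same 401 message so the response text does not
    reveal which check failed.

    :jsonparam string username: Username
    :jsonparam string password: Password
    :jsonparam string proxy_user: Username on whose behalf the caller is
        proxying

    Raises Unauthorised401 on bad credentials, when the caller lacks
    'proxy_auth' permission, or when proxy_user does not exist.
    """
    payload = read_json_request(request)
    username = payload.get('username')
    password = payload.get('password')
    proxy_user = payload.get('proxy_user')

    # Absent fields are a credential failure, not a server error; they get
    # the same generic message as a wrong password. `is None` rather than
    # falsiness so an explicitly supplied empty string still reaches
    # check_password() and is judged by the normal policy.
    if username is None or password is None:
        raise Unauthorised401(u'Invalid username or password')

    user = User.by_user_name(username)
    # NOTE(review): check_password() is skipped for unknown users, so
    # response timing may still distinguish them from a wrong password.
    if (user is None
            or not user.can_log_in()
            or not user.check_password(password)):
        raise Unauthorised401(u'Invalid username or password')

    if proxy_user:
        if not user.has_permission(u'proxy_auth'):
            raise Unauthorised401(
                u'%s does not have proxy_auth permission' % user.user_name)
        proxied_user = User.by_user_name(proxy_user)
        if proxied_user is None:
            raise Unauthorised401(u'Proxy user %s does not exist' % proxy_user)
        identity.set_authentication(proxied_user, proxied_by=user)
    else:
        identity.set_authentication(user)
    return jsonify({'username': user.user_name})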
def acquire_cookie(self, user, proxied_by_user=None):
    """
    Return a ``name=value`` cookie string carrying an identity token for
    *user*, as if that user had already logged in.

    Test helper only: it bypasses every credential check by calling
    ``identity.set_authentication()`` directly inside a throwaway request
    context and minting a token from that state via the private
    ``identity._generate_token()``. It must never be reachable from
    production code paths.

    :param user: the User the cookie should authenticate as
    :param proxied_by_user: optional User recorded as the proxying caller
    :returns: string ``<cookie name>=<token>``
    """
    with app.test_request_context():
        # Pretend the login already succeeded, then mint the token from the
        # resulting request-bound identity state.
        identity.set_authentication(user, proxied_by_user)
        token = identity._generate_token()
        cookie_name = identity._token_cookie_name
    return '%s=%s' % (cookie_name, token)