def on_init(self): # Retain a pointer to this object for use in routes global ui_instance ui_instance = self # Main references to basic components (if initialized) self.http_server = None self.socket_io = None self.service_gateway = None self.oauth = oauth # Configuration self.server_enabled = self.CFG.get_safe(CFG_PREFIX + ".server.enabled") is True self.server_debug = self.CFG.get_safe(CFG_PREFIX + ".server.debug") is True # Note: this may be the empty string. Using localhost does not make the server publicly accessible self.server_hostname = self.CFG.get_safe(CFG_PREFIX + ".server.hostname", DEFAULT_WEB_SERVER_HOSTNAME) self.server_port = self.CFG.get_safe(CFG_PREFIX + ".server.port", DEFAULT_WEB_SERVER_PORT) self.server_log_access = self.CFG.get_safe(CFG_PREFIX + ".server.log_access") is True self.server_log_errors = self.CFG.get_safe(CFG_PREFIX + ".server.log_errors") is True self.server_socket_io = self.CFG.get_safe(CFG_PREFIX + ".server.socket_io") is True self.server_secret = self.CFG.get_safe(CFG_PREFIX + ".security.secret") or "" self.session_timeout = int(self.CFG.get_safe(CFG_PREFIX + ".security.session_timeout") or DEFAULT_SESSION_TIMEOUT) self.extend_session_timeout = self.CFG.get_safe(CFG_PREFIX + ".security.extend_session_timeout") is True self.max_session_validity = int(self.CFG.get_safe(CFG_PREFIX + ".security.max_session_validity") or DEFAULT_SESSION_TIMEOUT) self.remember_user = self.CFG.get_safe(CFG_PREFIX + ".security.remember_user") is True self.set_cors_headers = self.CFG.get_safe(CFG_PREFIX + ".server.set_cors") is True self.develop_mode = self.CFG.get_safe(CFG_PREFIX + ".server.develop_mode") is True self.oauth_enabled = self.CFG.get_safe(CFG_PREFIX + ".oauth.enabled") is True self.oauth_scope = self.CFG.get_safe(CFG_PREFIX + ".oauth.default_scope") or "scioncc" self.has_service_gateway = self.CFG.get_safe(CFG_PREFIX + ".service_gateway.enabled") is True self.service_gateway_prefix = self.CFG.get_safe(CFG_PREFIX + ".service_gateway.url_prefix", DEFAULT_GATEWAY_PREFIX) self.extensions = self.CFG.get_safe(CFG_PREFIX + ".extensions") or [] self.extension_objs = [] # TODO: What about https? self.base_url = "http://%s:%s" % (self.server_hostname or "localhost", self.server_port) self.gateway_base_url = None self.idm_client = IdentityManagementServiceProcessClient(process=self) # One time setup if self.server_enabled: app.secret_key = self.server_secret or self.__class__.__name__ # Enables encrypted session cookies if self.server_debug: app.debug = True if self.server_socket_io: self.socket_io = SocketIO(app) if self.has_service_gateway: from ion.services.service_gateway import ServiceGateway, sg_blueprint self.gateway_base_url = self.base_url + self.service_gateway_prefix self.service_gateway = ServiceGateway(process=self, config=self.CFG, response_class=app.response_class) app.register_blueprint(sg_blueprint, url_prefix=self.service_gateway_prefix) for ext_cls in self.extensions: try: cls = named_any(ext_cls) except AttributeError as ae: # Try to nail down the error import importlib importlib.import_module(ext_cls.rsplit(".", 1)[0]) raise self.extension_objs.append(cls()) for ext_obj in self.extension_objs: ext_obj.on_init(self, app) if self.extensions: log.info("UI Server: %s extensions initialized", len(self.extensions)) # Start the web server self.start_service() log.info("UI Server: Started server on %s" % self.base_url) else: log.warn("UI Server: Server disabled in config")
class UIServer(SimpleProcess): """ Process to start a generic UI server that can be extended with content and service gateway """ def on_init(self): # Retain a pointer to this object for use in routes global ui_instance ui_instance = self # Main references to basic components (if initialized) self.http_server = None self.socket_io = None self.service_gateway = None self.oauth = oauth # Configuration self.server_enabled = self.CFG.get_safe(CFG_PREFIX + ".server.enabled") is True self.server_debug = self.CFG.get_safe(CFG_PREFIX + ".server.debug") is True # Note: this may be the empty string. Using localhost does not make the server publicly accessible self.server_hostname = self.CFG.get_safe(CFG_PREFIX + ".server.hostname", DEFAULT_WEB_SERVER_HOSTNAME) self.server_port = self.CFG.get_safe(CFG_PREFIX + ".server.port", DEFAULT_WEB_SERVER_PORT) self.server_log_access = self.CFG.get_safe(CFG_PREFIX + ".server.log_access") is True self.server_log_errors = self.CFG.get_safe(CFG_PREFIX + ".server.log_errors") is True self.server_socket_io = self.CFG.get_safe(CFG_PREFIX + ".server.socket_io") is True self.server_secret = self.CFG.get_safe(CFG_PREFIX + ".security.secret") or "" self.session_timeout = int(self.CFG.get_safe(CFG_PREFIX + ".security.session_timeout") or DEFAULT_SESSION_TIMEOUT) self.extend_session_timeout = self.CFG.get_safe(CFG_PREFIX + ".security.extend_session_timeout") is True self.max_session_validity = int(self.CFG.get_safe(CFG_PREFIX + ".security.max_session_validity") or DEFAULT_SESSION_TIMEOUT) self.remember_user = self.CFG.get_safe(CFG_PREFIX + ".security.remember_user") is True self.set_cors_headers = self.CFG.get_safe(CFG_PREFIX + ".server.set_cors") is True self.develop_mode = self.CFG.get_safe(CFG_PREFIX + ".server.develop_mode") is True self.oauth_enabled = self.CFG.get_safe(CFG_PREFIX + ".oauth.enabled") is True self.oauth_scope = self.CFG.get_safe(CFG_PREFIX + ".oauth.default_scope") or "scioncc" self.has_service_gateway = self.CFG.get_safe(CFG_PREFIX + ".service_gateway.enabled") is True self.service_gateway_prefix = self.CFG.get_safe(CFG_PREFIX + ".service_gateway.url_prefix", DEFAULT_GATEWAY_PREFIX) self.extensions = self.CFG.get_safe(CFG_PREFIX + ".extensions") or [] self.extension_objs = [] # TODO: What about https? self.base_url = "http://%s:%s" % (self.server_hostname or "localhost", self.server_port) self.gateway_base_url = None self.idm_client = IdentityManagementServiceProcessClient(process=self) # One time setup if self.server_enabled: app.secret_key = self.server_secret or self.__class__.__name__ # Enables encrypted session cookies if self.server_debug: app.debug = True if self.server_socket_io: self.socket_io = SocketIO(app) if self.has_service_gateway: from ion.services.service_gateway import ServiceGateway, sg_blueprint self.gateway_base_url = self.base_url + self.service_gateway_prefix self.service_gateway = ServiceGateway(process=self, config=self.CFG, response_class=app.response_class) app.register_blueprint(sg_blueprint, url_prefix=self.service_gateway_prefix) for ext_cls in self.extensions: try: cls = named_any(ext_cls) except AttributeError as ae: # Try to nail down the error import importlib importlib.import_module(ext_cls.rsplit(".", 1)[0]) raise self.extension_objs.append(cls()) for ext_obj in self.extension_objs: ext_obj.on_init(self, app) if self.extensions: log.info("UI Server: %s extensions initialized", len(self.extensions)) # Start the web server self.start_service() log.info("UI Server: Started server on %s" % self.base_url) else: log.warn("UI Server: Server disabled in config") def on_quit(self): self.stop_service() def start_service(self): """ Starts the web server. """ if self.http_server is not None: self.stop_service() if self.server_socket_io: self.http_server = SocketIOServer((self.server_hostname, self.server_port), app.wsgi_app, resource='socket.io', log=None) self.http_server._gl = gevent.spawn(self.http_server.serve_forever) log.info("UI Server: Providing web sockets (socket.io) server") else: self.http_server = WSGIServer((self.server_hostname, self.server_port), app, log=None) self.http_server.start() if self.service_gateway: self.service_gateway.start() log.info("UI Server: Service Gateway started on %s", self.gateway_base_url) for ext_obj in self.extension_objs: ext_obj.on_start() return True def stop_service(self): """ Responsible for stopping the gevent based web server. """ for ext_obj in self.extension_objs: ext_obj.on_stop() if self.http_server is not None: self.http_server.stop() if self.service_gateway: self.service_gateway.stop() # Need to terminate the server greenlet? return True # ------------------------------------------------------------------------- # Authentication def auth_external(self, username, ext_user_id, ext_id_provider="ext"): """ Given username and user identifier from an external identity provider (IdP), retrieve actor_id and establish user session. Return user info from session. Convention is that system local username is ext_id_provider + ":" + username, e.g. "ext_johnbean" Return NotFound if user not registered in system. Caller can react and create a user account through the normal system means @param username the user name the user recognizes. @param ext_user_id a unique identifier coming from the external IdP @param ext_id_provider identifies the external IdP service """ try: if ext_user_id and ext_id_provider and username: local_username = "******" % (ext_id_provider, username) actor_id = self.idm_client.find_actor_identity_by_username(local_username) user_info = self._set_server_session(actor_id, local_username) return build_json_response(user_info) else: raise BadRequest("External user info missing") except Exception: return build_json_error() def login(self): """ Explicit (non-token) login and creation of a server session (Cookie based). """ try: username = get_arg("username") password = get_arg("password") if username and password: actor_id = self.idm_client.check_actor_credentials(username, password) user_info = self._set_server_session(actor_id, username) return build_json_response(user_info) else: raise BadRequest("Username or password missing") except Exception: return build_json_error() def _set_server_session(self, actor_id, username=None): """ Sets server session based on user_id and ActorIdentity. """ actor_user = self.idm_client.read_identity_details(actor_id) if actor_user.type_ != OT.UserIdentityDetails: raise BadRequest("Bad identity details") full_name = actor_user.contact.individual_names_given + " " + actor_user.contact.individual_name_family valid_until = int(get_ion_ts_millis() / 1000 + self.session_timeout) set_auth(actor_id, username, full_name, valid_until=valid_until, roles=actor_user.contact.roles) user_info = get_auth() return user_info def get_session(self): """ Returns user session information for current authentication. This can be polled regularly by client code to detect changes in session state and expiration. """ def call_extend_session_attrs(session_attrs, actor_user): """ Call UI extensions to make additions to user session """ for ext_obj in self.extension_objs: func = getattr(ext_obj, "extend_user_session_attributes", None) if func: try: func(session_attrs, actor_user) except Exception: log.exception("Error calling UI extension extend_user_session_attributes()") try: # Get user session from OAuth access token in HTTP Authorization header auth_hdr = request.headers.get("authorization", None) if auth_hdr: valid, req = self.oauth.verify_request([self.oauth_scope]) # Note: Do NOT extend session timeout here! if valid: actor_id = flask.g.oauth_user.get("actor_id", "") actor_user = self.idm_client.read_actor_identity(actor_id) session_attrs = dict(is_logged_in=True, is_registered=True, attributes={"roles": actor_user.details.contact.roles}, roles={}) if actor_user.session: session_attrs.update(actor_user.session) call_extend_session_attrs(session_attrs, actor_user) return build_json_response(session_attrs) if self.remember_user: # Get user session from user_id/access_token placed inside server session (Cookie) # This is a feature to allow returning users to resume a session if still valid access_token = flask.session.get("access_token", None) actor_id = flask.session.get("actor_id", None) if access_token and actor_id: actor_user = self.idm_client.read_actor_identity(actor_id) session_attrs = dict(access_token=access_token, is_logged_in=True, is_registered=True, attributes={"roles": actor_user.details.contact.roles}, roles={}) if actor_user.session: # Check validity in persisted user session if 0 < int(actor_user.session.get("valid_until", 0)) * 1000 < current_time_millis(): clear_auth() return build_json_response(get_auth()) session_attrs.update(actor_user.session) else: # No trace of existing session in user object clear_auth() return build_json_response(get_auth()) call_extend_session_attrs(session_attrs, actor_user) return build_json_response(session_attrs) # Get user session from Flask session and cookie (non-token mode) user_info = get_auth() if 0 < int(user_info.get("valid_until", 0)) * 1000 < current_time_millis(): clear_auth() # Clear expired session user_info = get_auth() call_extend_session_attrs(user_info, None) return build_json_response(user_info) except Exception: return build_json_error() def logout(self): try: access_token = get_req_bearer_token() or flask.session.get("access_token", None) if access_token: try: # Invalidate access token token_id = str("access_token_%s" % access_token) token_obj = ui_instance.container.object_store.read(token_id) token_obj.status = "CANCELLED" token_obj.attributes["cancel_ts"] = get_ion_ts_millis() token_obj.attributes["cancel_msg"] = "User logout" ui_instance.container.object_store.update(token_obj) log.info("Invalidated stored access token for user=%s", token_obj.actor_id) except NotFound: pass except Exception: log.exception("Error invalidating access token") clear_auth() return build_json_response("OK") except Exception: return build_json_error()