def create_user_token_from_globus_profile(profile, access_token): """ Use this method on your Resource Provider (Like Atmosphere) to exchange a profile (that was retrieved via a tokeninfo endpoint) for a UserToken that can then be internally validated in an 'authorize' authBackend step.. """ logger.info(profile) expiry = profile['exp'] # This is an 'epoch-int' expiry = _extract_expiry_date(expiry) issued_at = profile['iat'] raw_username = profile['username'] # username@login_auth.com raw_name = profile['name'] email = profile['email'] username = _extract_user_from_email(raw_username) first_name, last_name = _extract_first_last_name(raw_name) profile_dict = { 'username':username, 'firstName':first_name, 'lastName':last_name, 'email': email, } user = get_or_create_user(username, profile_dict) user_token = create_token(user.username, access_token, expiry) return user_token
def get(self, request, username): """ Create a new token in the database on behalf of 'username' Returns success 201 Created - Body is JSON and contains """ params = request.data user = request.user if not username: return Response("Username was not provided", status=status.HTTP_400_BAD_REQUEST) if user.username is not 'admin' and not user.is_superuser: logger.error("URGENT! User: %s is attempting to emulate a user!" % user.username) return Response("Only admin and superusers can emulate accounts. " "This offense has been reported", status=status.HTTP_401_UNAUTHORIZED) if not AtmosphereUser.objects.filter(username=username): return Response("Username %s does not exist as an AtmosphereUser" % username, status=status.HTTP_404_NOT_FOUND) # User is authenticated, username exists. Make a token for them. token = create_token(username, issuer="DRF-EmulatedUser") expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME auth_json = { # Extra data passed only on emulation.. "emulator": request.user.username, # Normal token data.. "token": token.key, "username": token.user.username, "expires": expireTime.strftime("%b %d, %Y %H:%M:%S") } return Response(auth_json, status=status.HTTP_201_CREATED)
def get(self, request, username): """ Create a new token in the database on behalf of 'username' Returns success 201 Created - Body is JSON and contains """ params = request.data user = request.user if not username: return Response("Username was not provided", status=status.HTTP_400_BAD_REQUEST) if user.username is not 'admin' and not user.is_superuser: logger.error("URGENT! User: %s is attempting to emulate a user!" % user.username) return Response( "Only admin and superusers can emulate accounts. " "This offense has been reported", status=status.HTTP_401_UNAUTHORIZED) if not AtmosphereUser.objects.filter(username=username): return Response("Username %s does not exist as an AtmosphereUser" % username, status=status.HTTP_404_NOT_FOUND) # User is authenticated, username exists. Make a token for them. token = create_token(username, issuer="DRF-EmulatedUser") expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME auth_json = { # Extra data passed only on emulation.. "emulator": request.user.username, # Normal token data.. "token": token.key, "username": token.user.username, "expires": expireTime.strftime("%b %d, %Y %H:%M:%S") } return Response(auth_json, status=status.HTTP_201_CREATED)
def create_token_from_jwt(self, jwt_assertion): """ This method point represents the 'entry point' """ decoded_assertion = self.decode_assertion(jwt_assertion) user, expiration = self.validate_assertion(decoded_assertion) auth_token = create_token(user.username, expiration) return auth_token
def _token_for_username(self, username): token = create_token(username, issuer="DRF") expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME auth_json = { "token": token.key, "username": token.user.username, "expires": expireTime.strftime("%b %d, %Y %H:%M:%S"), } return Response(auth_json, status=status.HTTP_201_CREATED)
def _token_for_username(self, username): token = create_token(username, issuer="DRF") expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME auth_json = { 'token': token.key, 'username': token.user.username, 'expires': expireTime.strftime("%b %d, %Y %H:%M:%S") } return Response(auth_json, status=status.HTTP_201_CREATED)
def get(self, request): user = request.user if not user.is_authenticated(): return Response( "Logged-in User or POST required " "to retrieve AuthToken", status=status.HTTP_403_FORBIDDEN ) token = lookupSessionToken(request) if not token: token = create_token(user.username) serialized_data = TokenSerializer(token).data return Response(serialized_data, status=status.HTTP_200_OK)
def get(self, request): user = request.user if not user.is_authenticated(): return Response("Logged-in User or POST required " "to retrieve AuthToken", status=status.HTTP_403_FORBIDDEN) token = lookupSessionToken(request) if not token: token = create_token(user.username) serialized_data = TokenSerializer(token).data return Response(serialized_data, status=status.HTTP_200_OK)
def retrieve(self, *args, **kwargs): user = self.request.user # data = self.request.data username = kwargs.get('username') expireDate = timezone.now() + secrets.TOKEN_EXPIRY_TIME new_token = create_token( username, token_key='EMULATED-'+str(uuid4()), remote_ip=request.META['REMOTE_ADDR'], token_expire=expireDate, issuer="DRF-EmulatedToken-%s" % user.username) serialized_data = TokenSerializer(new_token, context={'request':self.request}).data return Response(serialized_data, status=status.HTTP_201_CREATED)
def retrieve(self, *args, **kwargs): user = self.request.user # data = self.request.data username = kwargs.get('username') expireDate = timezone.now() + secrets.TOKEN_EXPIRY_TIME new_token = create_token(username, token_key='EMULATED-' + str(uuid4()), remote_ip=request.META['REMOTE_ADDR'], token_expire=expireDate, issuer="DRF-EmulatedToken-%s" % user.username) serialized_data = TokenSerializer(new_token, context={ 'request': self.request }).data return Response(serialized_data, status=status.HTTP_201_CREATED)
def emulate_session(request, username=None): try: logger.info("Emulate attempt: %s wants to be %s" % (request.user, username)) logger.info(request.session.__dict__) if not username and 'emulated_by' in request.session: logger.info("Clearing emulation attributes from user") request.session['username'] = request.session['emulated_by'] del request.session['emulated_by'] # Allow user to fall through on line below try: user = AtmosphereUser.objects.get(username=username) except AtmosphereUser.DoesNotExist: logger.info("Emulate attempt failed. User <%s> does not exist" % username) return HttpResponseRedirect( settings.REDIRECT_URL + "/api/v2") logger.info("Emulate success, creating tokens for %s" % username) expireDate = timezone.now() + secrets.TOKEN_EXPIRY_TIME token = create_token( username, token_key='EMULATED-'+str(uuid4()), token_expire=expireDate, remote_ip=request.META['REMOTE_ADDR'], issuer="DRF-EmulatedSession-%s" % user.username) token.save() # Keep original emulator if it exists, or use the last known username original_emulator = request.session.get( 'emulated_by', request.session['username']) request.session['emulated_by'] = original_emulator # Set the username to the user to be emulated # to whom the token also belongs request.session['username'] = username request.session['token'] = token.key logger.info("Returning emulated user - %s - to api root " % username) logger.info(request.session.__dict__) logger.info(request.user) serialized_data = TokenSerializer(token, context={'request': request}).data return Response(serialized_data, status=status.HTTP_201_CREATED) except Exception as e: logger.warn("Emulate request failed") logger.exception(e) return HttpResponseRedirect(settings.REDIRECT_URL + "/api/v2")
def emulate_session(request, username=None): try: logger.info("Emulate attempt: %s wants to be %s" % (request.user, username)) logger.info(request.session.__dict__) if not username and 'emulated_by' in request.session: logger.info("Clearing emulation attributes from user") request.session['username'] = request.session['emulated_by'] del request.session['emulated_by'] # Allow user to fall through on line below try: user = AtmosphereUser.objects.get(username=username) except AtmosphereUser.DoesNotExist: logger.info("Emulate attempt failed. User <%s> does not exist" % username) return HttpResponseRedirect(settings.REDIRECT_URL + "/api/v2") logger.info("Emulate success, creating tokens for %s" % username) expireDate = timezone.now() + secrets.TOKEN_EXPIRY_TIME token = create_token(username, token_key='EMULATED-' + str(uuid4()), token_expire=expireDate, remote_ip=request.META['REMOTE_ADDR'], issuer="DRF-EmulatedSession-%s" % user.username) token.save() # Keep original emulator if it exists, or use the last known username original_emulator = request.session.get('emulated_by', request.session['username']) request.session['emulated_by'] = original_emulator # Set the username to the user to be emulated # to whom the token also belongs request.session['username'] = username request.session['token'] = token.key logger.info("Returning emulated user - %s - to api root " % username) logger.info(request.session.__dict__) logger.info(request.user) serialized_data = TokenSerializer(token, context={ 'request': request }).data return Response(serialized_data, status=status.HTTP_201_CREATED) except Exception as e: logger.warn("Emulate request failed") logger.exception(e) return HttpResponseRedirect(settings.REDIRECT_URL + "/api/v2")
def globus_validate_code(request): """ This flow is used to create a new Token on behalf of a Service Client (Like Troposphere) Validates 'code' returned from the IdP If valid: Return new AuthToken to be passed to the Resource Provider. else: Return None """ code = request.GET['code'] if not code: #raise Exception("NO Code found!") return None if type(code) == list: code = code[0] flow = globus_initFlow() try: credentials = flow.step2_exchange(code) logger.info(credentials.__dict__) except OAuthError as err: logger.exception("Error exchanging code w/ globus") return None # Parsing token_profile = credentials.id_token user_access_token = credentials.access_token expiry_date = credentials.token_expiry raw_username = token_profile['preferred_username'] email = token_profile['email'] username = _extract_user_from_email(raw_username) if not username: logger.info("User %s is not part of the 'valid mapping' and will be skipped!" % raw_username) return None full_name = token_profile['name'] issuer = token_profile['iss'] # Creation first_name, last_name = _extract_first_last_name(full_name) user_profile = { 'username':username, 'firstName':first_name, 'lastName':last_name, 'email': email, } user = get_or_create_user(username, user_profile) auth_token = create_token(username, user_access_token, expiry_date, issuer) return auth_token