def create_authority_roles(roles, owner, plugin_title, creator):
"""
Creates all of the necessary authority roles.
:param creator:
:param roles:
:return:
"""
role_objs = []
for r in roles:
role = role_service.get_by_name(r["name"])
# error out if the role already exists, because we want a unique role per authority
if role:
raise Exception(
"Unable to create authority role {} because it already exists".
format(r["name"]))
role = role_service.create(
r["name"],
password=r["password"],
description="Auto generated role for {0}".format(plugin_title),
username=r["username"],
)
role_objs.append(role)
# get or create a role for the owner
owner_role = role_service.get_by_name(owner)
if not owner_role:
owner_role = role_service.create(
owner,
description="Auto generated role based on owner: {0}".format(
owner))
role_objs.append(owner_role)
return role_objs
def create_authority_roles(roles, owner, plugin_title):
"""
Creates all of the necessary authority roles.
:param roles:
:return:
"""
role_objs = []
for r in roles:
role = role_service.get_by_name(r['name'])
if not role:
role = role_service.create(
r['name'],
password=r['password'],
description="Auto generated role for {0}".format(plugin_title),
username=r['username'])
# the user creating the authority should be able to administer it
if role.username == 'admin':
g.current_user.roles.append(role)
role_objs.append(role)
# create an role for the owner and assign it
owner_role = role_service.get_by_name(owner)
if not owner_role:
owner_role = role_service.create(
owner,
description="Auto generated role based on owner: {0}".format(owner)
)
role_objs.append(owner_role)
return role_objs
def create_authority_roles(roles, owner, plugin_title, creator):
"""
Creates all of the necessary authority roles.
:param creator:
:param roles:
:return:
"""
role_objs = []
for r in roles:
role = role_service.get_by_name(r['name'])
if not role:
role = role_service.create(
r['name'],
password=r['password'],
description="Auto generated role for {0}".format(plugin_title),
username=r['username'])
# the user creating the authority should be able to administer it
if role.username == 'admin':
creator.roles.append(role)
role_objs.append(role)
# create an role for the owner and assign it
owner_role = role_service.get_by_name(owner)
if not owner_role:
owner_role = role_service.create(
owner,
description="Auto generated role based on owner: {0}".format(
owner))
role_objs.append(owner_role)
return role_objs
def create_user_roles(profile):
"""Creates new roles based on profile information.
:param profile:
:return:
"""
roles = []
# update their google 'roles'
if "googleGroups" in profile:
for group in profile["googleGroups"]:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(
group,
description=
"This is a google group based role created by Lemur",
third_party=True,
)
if (group != 'admin') and (not role.third_party):
role = role_service.set_third_party(role.id,
third_party_status=True)
roles.append(role)
else:
current_app.logger.warning(
"'googleGroups' not sent by identity provider, no specific roles will assigned to the user."
)
role = role_service.get_by_name(profile["email"])
if not role:
role = role_service.create(
profile["email"],
description="This is a user specific role",
third_party=True,
)
if not role.third_party:
role = role_service.set_third_party(role.id, third_party_status=True)
roles.append(role)
# every user is an operator (tied to a default role)
if current_app.config.get("LEMUR_DEFAULT_ROLE"):
default = role_service.get_by_name(
current_app.config["LEMUR_DEFAULT_ROLE"])
if not default:
default = role_service.create(
current_app.config["LEMUR_DEFAULT_ROLE"],
description="This is the default Lemur role.",
)
if not default.third_party:
role_service.set_third_party(default.id, third_party_status=True)
roles.append(default)
return roles
def run(self, name, users, description):
user_objs = []
for u in users:
user_obj = user_service.get_by_username(u)
if user_obj:
user_objs.append(user_obj)
else:
sys.stderr.write("[!] Cannot find user {0}".format(u))
sys.exit(1)
role_service.create(name, description=description, users=users)
sys.stdout.write("[+] Created new role: {0}".format(name))
def run(self, name, users, description):
user_objs = []
for u in users:
user_obj = user_service.get_by_username(u)
if user_obj:
user_objs.append(user_obj)
else:
sys.stderr.write("[!] Cannot find user {0}".format(u))
sys.exit(1)
role_service.create(name, description=description, users=users)
sys.stdout.write("[+] Created new role: {0}".format(name))
def create(kwargs):
"""
Create a new authority.
:return:
"""
issuer = plugins.get(kwargs.get('pluginName'))
kwargs['creator'] = g.current_user.email
cert_body, intermediate, issuer_roles = issuer.create_authority(kwargs)
cert = Certificate(cert_body, chain=intermediate)
cert.owner = kwargs['ownerEmail']
if kwargs['caType'] == 'subca':
cert.description = "This is the ROOT certificate for the {0} sub certificate authority the parent \
authority is {1}.".format(
kwargs.get('caName'), kwargs.get('caParent'))
else:
cert.description = "This is the ROOT certificate for the {0} certificate authority.".format(
kwargs.get('caName'))
cert.user = g.current_user
cert.notifications = notification_service.create_default_expiration_notifications(
'DEFAULT_SECURITY',
current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
# we create and attach any roles that the issuer gives us
role_objs = []
for r in issuer_roles:
role = role_service.create(
r['name'],
password=r['password'],
description="{0} auto generated role".format(
kwargs.get('pluginName')),
username=r['username'])
# the user creating the authority should be able to administer it
if role.username == 'admin':
g.current_user.roles.append(role)
role_objs.append(role)
authority = Authority(kwargs.get('caName'),
kwargs['ownerEmail'],
kwargs['pluginName'],
cert_body,
description=kwargs['caDescription'],
chain=intermediate,
roles=role_objs)
database.update(cert)
authority = database.create(authority)
g.current_user.authorities.append(authority)
return authority
def create_user_roles(profile):
"""Creates new roles based on profile information.
:param profile:
:return:
"""
roles = []
# update their google 'roles'
for group in profile['googleGroups']:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(
group,
description=
'This is a google group based role created by Lemur',
third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id,
third_party_status=True)
roles.append(role)
role = role_service.get_by_name(profile['email'])
if not role:
role = role_service.create(profile['email'],
description='This is a user specific role',
third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id, third_party_status=True)
roles.append(role)
# every user is an operator (tied to a default role)
if current_app.config.get('LEMUR_DEFAULT_ROLE'):
default = role_service.get_by_name(
current_app.config['LEMUR_DEFAULT_ROLE'])
if not default:
default = role_service.create(
current_app.config['LEMUR_DEFAULT_ROLE'],
description='This is the default Lemur role.')
if not default.third_party:
role_service.set_third_party(default.id, third_party_status=True)
roles.append(default)
return roles
def post(self):
"""
.. http:post:: /roles
Creates a new role
**Example request**:
.. sourcecode:: http
POST /roles HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
{
"name": "role3",
"description": "this is role3",
"username": null,
"password": null,
"users": []
}
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript
{
"id": 3,
"description": "this is role3",
"name": "role3"
}
:arg name: name for new role
:arg description: description for new role
:arg password: password for new role
:arg username: username for new role
:arg users: list, of users to associate with role
:reqheader Authorization: OAuth token to authenticate
:statuscode 200: no error
:statuscode 403: unauthenticated
"""
self.reqparse.add_argument('name',
type=str,
location='json',
required=True)
self.reqparse.add_argument('description', type=str, location='json')
self.reqparse.add_argument('username', type=str, location='json')
self.reqparse.add_argument('password', type=str, location='json')
self.reqparse.add_argument('users', type=list, location='json')
args = self.reqparse.parse_args()
return service.create(args['name'], args.get('password'),
args.get('description'), args.get('username'),
args.get('users'))
def create_certificate_roles(**kwargs):
# create an role for the owner and assign it
owner_role = role_service.get_by_name(kwargs['owner'])
if not owner_role:
owner_role = role_service.create(
kwargs['owner'],
description="Auto generated role based on owner: {0}".format(kwargs['owner'])
)
return [owner_role]
def post(self):
"""
.. http:post:: /roles
Creates a new role
**Example request**:
.. sourcecode:: http
POST /roles HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
{
"name": "role3",
"description": "this is role3",
"username": null,
"password": null,
"users": []
}
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript
{
"id": 3,
"description": "this is role3",
"name": "role3"
}
:arg name: name for new role
:arg description: description for new role
:arg password: password for new role
:arg username: username for new role
:arg users: list, of users to associate with role
:reqheader Authorization: OAuth token to authenticate
:statuscode 200: no error
:statuscode 403: unauthenticated
"""
self.reqparse.add_argument("name", type=str, location="json", required=True)
self.reqparse.add_argument("description", type=str, location="json")
self.reqparse.add_argument("username", type=str, location="json")
self.reqparse.add_argument("password", type=str, location="json")
self.reqparse.add_argument("users", type=list, location="json")
args = self.reqparse.parse_args()
return service.create(
args["name"], args.get("password"), args.get("description"), args.get("username"), args.get("users")
)
def post(self, data=None):
"""
.. http:post:: /roles
Creates a new role
**Example request**:
.. sourcecode:: http
POST /roles HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
Content-Type: application/json;charset=UTF-8
{
"name": "role3",
"description": "this is role3",
"username": null,
"password": null,
"users": [
{"id": 1}
]
}
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript
{
"id": 3,
"description": "this is role3",
"name": "role3"
}
:arg name: name for new role
:arg description: description for new role
:arg password: password for new role
:arg username: username for new role
:arg users: list, of users to associate with role
:reqheader Authorization: OAuth token to authenticate
:statuscode 200: no error
:statuscode 403: unauthenticated
"""
return service.create(
data["name"],
data.get("password"),
data.get("description"),
data.get("username"),
data.get("users"),
)
def create(kwargs):
"""
Create a new authority.
:rtype : Authority
:return:
"""
issuer = plugins.get(kwargs.get('pluginName'))
kwargs['creator'] = g.current_user.email
cert_body, intermediate, issuer_roles = issuer.create_authority(kwargs)
cert = Certificate(cert_body, chain=intermediate)
cert.owner = kwargs['ownerEmail']
cert.description = "This is the ROOT certificate for the {0} certificate authority".format(kwargs.get('caName'))
cert.user = g.current_user
cert.notifications = notification_service.create_default_expiration_notifications(
'DEFAULT_SECURITY',
current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
)
# we create and attach any roles that the issuer gives us
role_objs = []
for r in issuer_roles:
role = role_service.create(
r['name'],
password=r['password'],
description="{0} auto generated role".format(kwargs.get('pluginName')),
username=r['username'])
# the user creating the authority should be able to administer it
if role.username == 'admin':
g.current_user.roles.append(role)
role_objs.append(role)
authority = Authority(
kwargs.get('caName'),
kwargs['ownerEmail'],
kwargs['pluginName'],
cert_body,
description=kwargs['caDescription'],
chain=intermediate,
roles=role_objs
)
database.update(cert)
authority = database.create(authority)
g.current_user.authorities.append(authority)
return authority
def db(app, request):
_db.drop_all()
_db.create_all()
_db.app = app
user = user_service.create('user', 'test', '*****@*****.**', True, None, [])
admin_role = role_service.create('admin')
admin = user_service.create('admin', 'admin', '*****@*****.**', True, None, [admin_role])
_db.session.commit()
yield _db
def run(self, password):
create()
user = user_service.get_by_username("lemur")
if not user:
if not password:
sys.stdout.write(
"We need to set Lemur's password to continue!\n")
password = prompt_pass("Password")
password1 = prompt_pass("Confirm Password")
if password != password1:
sys.stderr.write("[!] Passwords do not match!\n")
sys.exit(1)
role = role_service.get_by_name('admin')
if role:
sys.stdout.write(
"[-] Admin role already created, skipping...!\n")
else:
# we create an admin role
role = role_service.create(
'admin',
description='this is the lemur administrator role')
sys.stdout.write("[+] Created 'admin' role\n")
user_service.create("lemur", password, 'lemur@nobody', True, None,
[role])
sys.stdout.write(
"[+] Added a 'lemur' user and added it to the 'admin' role!\n")
else:
sys.stdout.write(
"[-] Default user has already been created, skipping...!\n")
sys.stdout.write("[+] Creating expiration email notifications!\n")
sys.stdout.write(
"[!] Using {0} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n"
.format("LEMUR_SECURITY_TEAM_EMAIL"))
intervals = current_app.config.get(
"LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS", [])
sys.stdout.write(
"[!] Creating {num} notifications for {intervals} days as specified by LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS\n"
.format(num=len(intervals),
intervals=",".join([str(x) for x in intervals])))
recipients = current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
notification_service.create_default_expiration_notifications(
"DEFAULT_SECURITY", recipients=recipients)
sys.stdout.write("[/] Done!\n")
def db(app, request):
_db.drop_all()
_db.create_all()
_db.app = app
user = user_service.create('user', 'test', '*****@*****.**', True, None,
[])
admin_role = role_service.create('admin')
admin = user_service.create('admin', 'admin', '*****@*****.**', True,
None, [admin_role])
_db.session.commit()
yield _db
def _authorize(self):
"""
check groups and roles to confirm access.
return a list of roles if ok.
raise an exception on error.
"""
if not self.ldap_principal:
return None
if self.ldap_required_group:
# ensure the user has the required group in their group list
if self.ldap_required_group not in self.ldap_groups:
return None
roles = set()
if self.ldap_default_role:
role = role_service.get_by_name(self.ldap_default_role)
if role:
if not role.third_party:
role = role.set_third_party(role.id,
third_party_status=True)
roles.add(role)
# update their 'roles'
role = role_service.get_by_name(self.ldap_principal)
if not role:
description = "auto generated role based on owner: {0}".format(
self.ldap_principal)
role = role_service.create(self.ldap_principal,
description=description,
third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id,
third_party_status=True)
roles.add(role)
if not self.ldap_groups_to_roles:
return roles
for ldap_group_name, role_name in self.ldap_groups_to_roles.items():
role = role_service.get_by_name(role_name)
if role:
if ldap_group_name in self.ldap_groups:
current_app.logger.debug(
"assigning role {0} to ldap user {1}".format(
self.ldap_principal, role))
if not role.third_party:
role = role_service.set_third_party(
role.id, third_party_status=True)
roles.add(role)
return roles
def post(self, data=None):
"""
.. http:post:: /roles
Creates a new role
**Example request**:
.. sourcecode:: http
POST /roles HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
{
"name": "role3",
"description": "this is role3",
"username": null,
"password": null,
"users": [
{'id': 1}
]
}
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript
{
"id": 3,
"description": "this is role3",
"name": "role3"
}
:arg name: name for new role
:arg description: description for new role
:arg password: password for new role
:arg username: username for new role
:arg users: list, of users to associate with role
:reqheader Authorization: OAuth token to authenticate
:statuscode 200: no error
:statuscode 403: unauthenticated
"""
return service.create(data['name'], data.get('password'), data.get('description'), data.get('username'),
data.get('users'))
def create_user_roles(profile):
"""Creates new roles based on profile information.
:param profile:
:return:
"""
roles = []
# update their google 'roles'
for group in profile['googleGroups']:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(group, description='This is a google group based role created by Lemur', third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id, third_party_status=True)
roles.append(role)
role = role_service.get_by_name(profile['email'])
if not role:
role = role_service.create(profile['email'], description='This is a user specific role', third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id, third_party_status=True)
roles.append(role)
# every user is an operator (tied to a default role)
if current_app.config.get('LEMUR_DEFAULT_ROLE'):
default = role_service.get_by_name(current_app.config['LEMUR_DEFAULT_ROLE'])
if not default:
default = role_service.create(current_app.config['LEMUR_DEFAULT_ROLE'], description='This is the default Lemur role.')
if not default.third_party:
role_service.set_third_party(default.id, third_party_status=True)
roles.append(default)
return roles
def create_certificate_roles(**kwargs):
# create an role for the owner and assign it
owner_role = role_service.get_by_name(kwargs['owner'])
if not owner_role:
owner_role = role_service.create(
kwargs['owner'],
description="Auto generated role based on owner: {0}".format(kwargs['owner'])
)
# ensure that the authority's owner is also associated with the certificate
if kwargs.get('authority'):
authority_owner_role = role_service.get_by_name(kwargs['authority'].owner)
return [owner_role, authority_owner_role]
return [owner_role]
def create_certificate_roles(**kwargs):
# create an role for the owner and assign it
owner_role = role_service.get_by_name(kwargs['owner'])
if not owner_role:
owner_role = role_service.create(
kwargs['owner'],
description="Auto generated role based on owner: {0}".format(kwargs['owner'])
)
# ensure that the authority's owner is also associated with the certificate
if kwargs.get('authority'):
authority_owner_role = role_service.get_by_name(kwargs['authority'].owner)
return [owner_role, authority_owner_role]
return [owner_role]
def run(self, password):
create()
user = user_service.get_by_username("lemur")
if not user:
if not password:
sys.stdout.write("We need to set Lemur's password to continue!\n")
password = prompt_pass("Password")
password1 = prompt_pass("Confirm Password")
if password != password1:
sys.stderr.write("[!] Passwords do not match!\n")
sys.exit(1)
role = role_service.get_by_name("admin")
if role:
sys.stdout.write("[-] Admin role already created, skipping...!\n")
else:
# we create an admin role
role = role_service.create("admin", description="this is the lemur administrator role")
sys.stdout.write("[+] Created 'admin' role\n")
user_service.create("lemur", password, "lemur@nobody", True, None, [role])
sys.stdout.write("[+] Added a 'lemur' user and added it to the 'admin' role!\n")
else:
sys.stdout.write("[-] Default user has already been created, skipping...!\n")
sys.stdout.write("[+] Creating expiration email notifications!\n")
sys.stdout.write(
"[!] Using {0} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n".format(
"LEMUR_SECURITY_TEAM_EMAIL"
)
)
intervals = current_app.config.get("LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS", [])
sys.stdout.write(
"[!] Creating {num} notifications for {intervals} days as specified by LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS\n".format(
num=len(intervals), intervals=",".join([str(x) for x in intervals])
)
)
recipients = current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL")
notification_service.create_default_expiration_notifications("DEFAULT_SECURITY", recipients=recipients)
sys.stdout.write("[/] Done!\n")
def _authorize(self):
"""
check groups and roles to confirm access.
return a list of roles if ok.
raise an exception on error.
"""
if not self.ldap_principal:
return None
if self.ldap_required_group:
# ensure the user has the required group in their group list
if self.ldap_required_group not in self.ldap_groups:
return None
roles = set()
if self.ldap_default_role:
role = role_service.get_by_name(self.ldap_default_role)
if role:
roles.add(role)
# update their 'roles'
role = role_service.get_by_name(self.ldap_principal)
if not role:
description = "auto generated role based on owner: {0}".format(self.ldap_principal)
role = role_service.create(self.ldap_principal, description=description)
roles.add(role)
if not self.ldap_groups_to_roles:
return roles
for ldap_group_name, role_name in self.ldap_groups_to_roles.items():
role = role_service.get_by_name(role_name)
if role:
if ldap_group_name in self.ldap_groups:
current_app.logger.debug("assigning role {0} to ldap user {1}".format(self.ldap_principal, role))
roles.add(role)
return roles
def post(self):
self.reqparse.add_argument("clientId", type=str, required=True, location="json")
self.reqparse.add_argument("redirectUri", type=str, required=True, location="json")
self.reqparse.add_argument("code", type=str, required=True, location="json")
args = self.reqparse.parse_args()
# take the information we have received from the provider to create a new request
params = {
"client_id": args["clientId"],
"grant_type": "authorization_code",
"scope": "openid email profile address",
"redirect_uri": args["redirectUri"],
"code": args["code"],
}
# you can either discover these dynamically or simply configure them
access_token_url = current_app.config.get("PING_ACCESS_TOKEN_URL")
user_api_url = current_app.config.get("PING_USER_API_URL")
# the secret and cliendId will be given to you when you signup for the provider
token = "{0}:{1}".format(args["clientId"], current_app.config.get("PING_SECRET"))
if sys.version_info >= (3, 0):
basic = base64.b64encode(bytes(token, "utf-8"))
headers = {"authorization": "basic {0}".format(basic.decode("utf-8"))}
else:
basic = base64.b64encode(token, "utf-8")
headers = {"authorization": "basic {0}".format(basic)}
# exchange authorization code for access token.
r = requests.post(access_token_url, headers=headers, params=params)
id_token = r.json()["id_token"]
access_token = r.json()["access_token"]
# fetch token public key
header_data = fetch_token_header(id_token)
jwks_url = current_app.config.get("PING_JWKS_URL")
# retrieve the key material as specified by the token header
r = requests.get(jwks_url)
for key in r.json()["keys"]:
if key["kid"] == header_data["kid"]:
secret = get_rsa_public_key(key["n"], key["e"])
algo = header_data["alg"]
break
else:
return dict(message="Key not found"), 403
# validate your token based on the key it was signed with
try:
if sys.version_info >= (3, 0):
jwt.decode(id_token, secret.decode("utf-8"), algorithms=[algo], audience=args["clientId"])
else:
jwt.decode(id_token, secret, algorithms=[algo], audience=args["clientId"])
except jwt.DecodeError:
return dict(message="Token is invalid"), 403
except jwt.ExpiredSignatureError:
return dict(message="Token has expired"), 403
except jwt.InvalidTokenError:
return dict(message="Token is invalid"), 403
user_params = dict(access_token=access_token, schema="profile")
# retrieve information about the current user.
r = requests.get(user_api_url, params=user_params)
profile = r.json()
user = user_service.get_by_email(profile["email"])
metrics.send("successful_login", "counter", 1)
# update their google 'roles'
roles = []
for group in profile["googleGroups"]:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(group, description="This is a google group based role created by Lemur")
roles.append(role)
role = role_service.get_by_name(profile["email"])
if not role:
role = role_service.create(profile["email"], description="This is a user specific role")
roles.append(role)
# if we get an sso user create them an account
if not user:
# every user is an operator (tied to a default role)
if current_app.config.get("LEMUR_DEFAULT_ROLE"):
v = role_service.get_by_name(current_app.config.get("LEMUR_DEFAULT_ROLE"))
if v:
roles.append(v)
user = user_service.create(
profile["email"],
get_psuedo_random_string(),
profile["email"],
True,
profile.get("thumbnailPhotoUrl"),
roles,
)
else:
# we add 'lemur' specific roles, so they do not get marked as removed
for ur in user.roles:
if ur.authority_id:
roles.append(ur)
# update any changes to the user
user_service.update(
user.id,
profile["email"],
profile["email"],
True,
profile.get("thumbnailPhotoUrl"), # incase profile isn't google+ enabled
roles,
)
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
return dict(token=create_token(user))
def post(self):
self.reqparse.add_argument('clientId', type=str, required=True, location='json')
self.reqparse.add_argument('redirectUri', type=str, required=True, location='json')
self.reqparse.add_argument('code', type=str, required=True, location='json')
args = self.reqparse.parse_args()
# take the information we have received from the provider to create a new request
params = {
'client_id': args['clientId'],
'grant_type': 'authorization_code',
'scope': 'openid email profile address',
'redirect_uri': args['redirectUri'],
'code': args['code']
}
# you can either discover these dynamically or simply configure them
access_token_url = current_app.config.get('PING_ACCESS_TOKEN_URL')
user_api_url = current_app.config.get('PING_USER_API_URL')
# the secret and cliendId will be given to you when you signup for the provider
basic = base64.b64encode('{0}:{1}'.format(args['clientId'], current_app.config.get("PING_SECRET")))
headers = {'Authorization': 'Basic {0}'.format(basic)}
# exchange authorization code for access token.
r = requests.post(access_token_url, headers=headers, params=params)
id_token = r.json()['id_token']
access_token = r.json()['access_token']
# fetch token public key
header_data = fetch_token_header(id_token)
jwks_url = current_app.config.get('PING_JWKS_URL')
# retrieve the key material as specified by the token header
r = requests.get(jwks_url)
for key in r.json()['keys']:
if key['kid'] == header_data['kid']:
secret = get_rsa_public_key(key['n'], key['e'])
algo = header_data['alg']
break
else:
return dict(message='Key not found'), 403
# validate your token based on the key it was signed with
try:
jwt.decode(id_token, secret, algorithms=[algo], audience=args['clientId'])
except jwt.DecodeError:
return dict(message='Token is invalid'), 403
except jwt.ExpiredSignatureError:
return dict(message='Token has expired'), 403
except jwt.InvalidTokenError:
return dict(message='Token is invalid'), 403
user_params = dict(access_token=access_token, schema='profile')
# retrieve information about the current user.
r = requests.get(user_api_url, params=user_params)
profile = r.json()
user = user_service.get_by_email(profile['email'])
# update their google 'roles'
roles = []
for group in profile['googleGroups']:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(group, description='This is a google group based role created by Lemur')
roles.append(role)
# if we get an sso user create them an account
# we still pick a random password in case sso is down
if not user:
# every user is an operator (tied to a default role)
if current_app.config.get('LEMUR_DEFAULT_ROLE'):
v = role_service.get_by_name(current_app.config.get('LEMUR_DEFAULT_ROLE'))
if v:
roles.append(v)
user = user_service.create(
profile['email'],
get_psuedo_random_string(),
profile['email'],
True,
profile.get('thumbnailPhotoUrl'),
roles
)
else:
# we add 'lemur' specific roles, so they do not get marked as removed
for ur in user.roles:
if ur.authority_id:
roles.append(ur)
# update any changes to the user
user_service.update(
user.id,
profile['email'],
profile['email'],
True,
profile.get('thumbnailPhotoUrl'), # incase profile isn't google+ enabled
roles
)
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
return dict(token=create_token(user))
def run(self, password):
create()
user = user_service.get_by_username("lemur")
admin_role = role_service.get_by_name('admin')
if admin_role:
sys.stdout.write("[-] Admin role already created, skipping...!\n")
else:
# we create an admin role
admin_role = role_service.create('admin', description='This is the Lemur administrator role.')
sys.stdout.write("[+] Created 'admin' role\n")
operator_role = role_service.get_by_name('operator')
if operator_role:
sys.stdout.write("[-] Operator role already created, skipping...!\n")
else:
# we create an operator role
operator_role = role_service.create('operator', description='This is the Lemur operator role.')
sys.stdout.write("[+] Created 'operator' role\n")
read_only_role = role_service.get_by_name('read-only')
if read_only_role:
sys.stdout.write("[-] Read only role already created, skipping...!\n")
else:
# we create an read only role
read_only_role = role_service.create('read-only', description='This is the Lemur read only role.')
sys.stdout.write("[+] Created 'read-only' role\n")
if not user:
if not password:
sys.stdout.write("We need to set Lemur's password to continue!\n")
password = prompt_pass("Password")
password1 = prompt_pass("Confirm Password")
if password != password1:
sys.stderr.write("[!] Passwords do not match!\n")
sys.exit(1)
user_service.create("lemur", password, '*****@*****.**', True, None, [admin_role])
sys.stdout.write("[+] Created the user 'lemur' and granted it the 'admin' role!\n")
else:
sys.stdout.write("[-] Default user has already been created, skipping...!\n")
intervals = current_app.config.get("LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS", [])
sys.stdout.write(
"[!] Creating {num} notifications for {intervals} days as specified by LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS\n".format(
num=len(intervals),
intervals=",".join([str(x) for x in intervals])
)
)
recipients = current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
sys.stdout.write("[+] Creating expiration email notifications!\n")
sys.stdout.write("[!] Using {0} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n".format(recipients))
notification_service.create_default_expiration_notifications("DEFAULT_SECURITY", recipients=recipients)
_DEFAULT_ROTATION_INTERVAL = 'default'
default_rotation_interval = policy_service.get_by_name(_DEFAULT_ROTATION_INTERVAL)
if default_rotation_interval:
sys.stdout.write("[-] Default rotation interval policy already created, skipping...!\n")
else:
days = current_app.config.get("LEMUR_DEFAULT_ROTATION_INTERVAL", 30)
sys.stdout.write("[+] Creating default certificate rotation policy of {days} days before issuance.\n".format(
days=days))
policy_service.create(days=days, name=_DEFAULT_ROTATION_INTERVAL)
sys.stdout.write("[/] Done!\n")
def create(kwargs):
"""
Create a new authority.
:return:
"""
issuer = kwargs['plugin']['plugin_object']
kwargs['creator'] = g.current_user.email
cert_body, intermediate, issuer_roles = issuer.create_authority(kwargs)
cert = Certificate(cert_body, chain=intermediate)
cert.owner = kwargs['owner']
if kwargs['type'] == 'subca':
cert.description = "This is the ROOT certificate for the {0} sub certificate authority the parent \
authority is {1}.".format(kwargs.get('name'), kwargs.get('parent'))
else:
cert.description = "This is the ROOT certificate for the {0} certificate authority.".format(
kwargs.get('name')
)
cert.user = g.current_user
cert.notifications = notification_service.create_default_expiration_notifications(
'DEFAULT_SECURITY',
current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
)
# we create and attach any roles that the issuer gives us
role_objs = []
for r in issuer_roles:
role = role_service.create(
r['name'],
password=r['password'],
description="{0} auto generated role".format(issuer.title),
username=r['username'])
# the user creating the authority should be able to administer it
if role.username == 'admin':
g.current_user.roles.append(role)
role_objs.append(role)
authority = Authority(
kwargs.get('name'),
kwargs['owner'],
issuer.slug,
cert_body,
description=kwargs['description'],
chain=intermediate,
roles=role_objs
)
database.update(cert)
authority = database.create(authority)
# the owning dl or role should have this authority associated with it
owner_role = role_service.get_by_name(kwargs['owner'])
if not owner_role:
owner_role = role_service.create(kwargs['owner'])
owner_role.authority = authority
g.current_user.authorities.append(authority)
return authority
def run(self, password):
create()
user = user_service.get_by_username("lemur")
admin_role = role_service.get_by_name("admin")
if admin_role:
sys.stdout.write("[-] Admin role already created, skipping...!\n")
else:
# we create an admin role
admin_role = role_service.create(
"admin", description="This is the Lemur administrator role.")
sys.stdout.write("[+] Created 'admin' role\n")
operator_role = role_service.get_by_name("operator")
if operator_role:
sys.stdout.write(
"[-] Operator role already created, skipping...!\n")
else:
# we create an operator role
operator_role = role_service.create(
"operator", description="This is the Lemur operator role.")
sys.stdout.write("[+] Created 'operator' role\n")
read_only_role = role_service.get_by_name("read-only")
if read_only_role:
sys.stdout.write(
"[-] Read only role already created, skipping...!\n")
else:
# we create an read only role
read_only_role = role_service.create(
"read-only", description="This is the Lemur read only role.")
sys.stdout.write("[+] Created 'read-only' role\n")
if not user:
if not password:
sys.stdout.write(
"We need to set Lemur's password to continue!\n")
password = prompt_pass("Password")
password1 = prompt_pass("Confirm Password")
if password != password1:
sys.stderr.write("[!] Passwords do not match!\n")
sys.exit(1)
user_service.create("lemur", password, "*****@*****.**", True,
None, [admin_role])
sys.stdout.write(
"[+] Created the user 'lemur' and granted it the 'admin' role!\n"
)
else:
sys.stdout.write(
"[-] Default user has already been created, skipping...!\n")
intervals = current_app.config.get(
"LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS", [])
sys.stdout.write(
"[!] Creating {num} notifications for {intervals} days as specified by LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS\n"
.format(num=len(intervals),
intervals=",".join([str(x) for x in intervals])))
recipients = current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL")
sys.stdout.write("[+] Creating expiration email notifications!\n")
sys.stdout.write(
"[!] Using {0} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n"
.format(recipients))
notification_service.create_default_expiration_notifications(
"DEFAULT_SECURITY", recipients=recipients)
_DEFAULT_ROTATION_INTERVAL = "default"
default_rotation_interval = policy_service.get_by_name(
_DEFAULT_ROTATION_INTERVAL)
if default_rotation_interval:
sys.stdout.write(
"[-] Default rotation interval policy already created, skipping...!\n"
)
else:
days = current_app.config.get("LEMUR_DEFAULT_ROTATION_INTERVAL",
30)
sys.stdout.write(
"[+] Creating default certificate rotation policy of {days} days before issuance.\n"
.format(days=days))
policy_service.create(days=days, name=_DEFAULT_ROTATION_INTERVAL)
sys.stdout.write("[/] Done!\n")
def post(self):
self.reqparse.add_argument('clientId',
type=str,
required=True,
location='json')
self.reqparse.add_argument('redirectUri',
type=str,
required=True,
location='json')
self.reqparse.add_argument('code',
type=str,
required=True,
location='json')
args = self.reqparse.parse_args()
# take the information we have received from the provider to create a new request
params = {
'grant_type': 'authorization_code',
'scope': 'openid email profile groups',
'redirect_uri': args['redirectUri'],
'code': args['code'],
}
# you can either discover these dynamically or simply configure them
access_token_url = current_app.config.get('OAUTH2_ACCESS_TOKEN_URL')
user_api_url = current_app.config.get('OAUTH2_USER_API_URL')
verify_cert = current_app.config.get('OAUTH2_VERIFY_CERT', True)
# the secret and cliendId will be given to you when you signup for the provider
token = '{0}:{1}'.format(args['clientId'],
current_app.config.get("OAUTH2_SECRET"))
basic = base64.b64encode(bytes(token, 'utf-8'))
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'authorization': 'basic {0}'.format(basic.decode('utf-8'))
}
# exchange authorization code for access token.
# Try Params first
r = requests.post(access_token_url,
headers=headers,
params=params,
verify=verify_cert)
if r.status_code == 400:
r = requests.post(access_token_url,
headers=headers,
data=params,
verify=verify_cert)
id_token = r.json()['id_token']
access_token = r.json()['access_token']
# fetch token public key
header_data = fetch_token_header(id_token)
jwks_url = current_app.config.get('OAUTH2_JWKS_URL')
# retrieve the key material as specified by the token header
r = requests.get(jwks_url, verify=verify_cert)
for key in r.json()['keys']:
if key['kid'] == header_data['kid']:
secret = get_rsa_public_key(key['n'], key['e'])
algo = header_data['alg']
break
else:
return dict(message='Key not found'), 401
# validate your token based on the key it was signed with
try:
if sys.version_info >= (3, 0):
jwt.decode(id_token,
secret.decode('utf-8'),
algorithms=[algo],
audience=args['clientId'])
else:
jwt.decode(id_token,
secret,
algorithms=[algo],
audience=args['clientId'])
except jwt.DecodeError:
return dict(message='Token is invalid'), 401
except jwt.ExpiredSignatureError:
return dict(message='Token has expired'), 401
except jwt.InvalidTokenError:
return dict(message='Token is invalid'), 401
headers = {'authorization': 'Bearer {0}'.format(access_token)}
# retrieve information about the current user.
r = requests.get(user_api_url, headers=headers, verify=verify_cert)
profile = r.json()
user = user_service.get_by_email(profile['email'])
metrics.send('successful_login', 'counter', 1)
# update with roles sent by identity provider
roles = []
if 'roles' in profile:
for group in profile['roles']:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(
group,
description=
'This is a group configured by identity provider',
third_party=True)
if not role.third_party:
role = role_service.set_third_party(
role.id, third_party_status=True)
roles.append(role)
role = role_service.get_by_name(profile['email'])
if not role:
role = role_service.create(
profile['email'],
description='This is a user specific role',
third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id,
third_party_status=True)
roles.append(role)
# if we get an sso user create them an account
if not user:
# every user is an operator (tied to a default role)
if current_app.config.get('LEMUR_DEFAULT_ROLE'):
v = role_service.get_by_name(
current_app.config.get('LEMUR_DEFAULT_ROLE'))
if not v.third_party:
v = role_service.set_third_party(v.id,
third_party_status=True)
if v:
roles.append(v)
user = user_service.create(profile['name'],
get_psuedo_random_string(),
profile['email'], True,
profile.get('thumbnailPhotoUrl'), roles)
else:
# we add 'lemur' specific roles, so they do not get marked as removed
for ur in user.roles:
if not ur.third_party:
roles.append(ur)
# update any changes to the user
user_service.update(
user.id,
profile['name'],
profile['email'],
True,
profile.get('thumbnailPhotoUrl'
), # incase profile isn't google+ enabled
roles)
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(),
identity=Identity(user.id))
return dict(token=create_token(user))
def post(self):
self.reqparse.add_argument('clientId',
type=str,
required=True,
location='json')
self.reqparse.add_argument('redirectUri',
type=str,
required=True,
location='json')
self.reqparse.add_argument('code',
type=str,
required=True,
location='json')
args = self.reqparse.parse_args()
# take the information we have received from the provider to create a new request
params = {
'client_id': args['clientId'],
'grant_type': 'authorization_code',
'scope': 'openid email profile address',
'redirect_uri': args['redirectUri'],
'code': args['code']
}
# you can either discover these dynamically or simply configure them
access_token_url = current_app.config.get('PING_ACCESS_TOKEN_URL')
user_api_url = current_app.config.get('PING_USER_API_URL')
# the secret and cliendId will be given to you when you signup for the provider
basic = base64.b64encode('{0}:{1}'.format(
args['clientId'], current_app.config.get("PING_SECRET")))
headers = {'Authorization': 'Basic {0}'.format(basic)}
# exchange authorization code for access token.
r = requests.post(access_token_url, headers=headers, params=params)
id_token = r.json()['id_token']
access_token = r.json()['access_token']
# fetch token public key
header_data = fetch_token_header(id_token)
jwks_url = current_app.config.get('PING_JWKS_URL')
# retrieve the key material as specified by the token header
r = requests.get(jwks_url)
for key in r.json()['keys']:
if key['kid'] == header_data['kid']:
secret = get_rsa_public_key(key['n'], key['e'])
algo = header_data['alg']
break
else:
return dict(message='Key not found'), 403
# validate your token based on the key it was signed with
try:
jwt.decode(id_token,
secret,
algorithms=[algo],
audience=args['clientId'])
except jwt.DecodeError:
return dict(message='Token is invalid'), 403
except jwt.ExpiredSignatureError:
return dict(message='Token has expired'), 403
except jwt.InvalidTokenError:
return dict(message='Token is invalid'), 403
user_params = dict(access_token=access_token, schema='profile')
# retrieve information about the current user.
r = requests.get(user_api_url, params=user_params)
profile = r.json()
user = user_service.get_by_email(profile['email'])
# update their google 'roles'
roles = []
for group in profile['googleGroups']:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(
group,
description=
'This is a google group based role created by Lemur')
roles.append(role)
# if we get an sso user create them an account
# we still pick a random password in case sso is down
if not user:
# every user is an operator (tied to a default role)
if current_app.config.get('LEMUR_DEFAULT_ROLE'):
v = role_service.get_by_name(
current_app.config.get('LEMUR_DEFAULT_ROLE'))
if v:
roles.append(v)
user = user_service.create(profile['email'],
get_psuedo_random_string(),
profile['email'], True,
profile.get('thumbnailPhotoUrl'), roles)
else:
# we add 'lemur' specific roles, so they do not get marked as removed
for ur in user.roles:
if ur.authority_id:
roles.append(ur)
# update any changes to the user
user_service.update(
user.id,
profile['email'],
profile['email'],
True,
profile.get('thumbnailPhotoUrl'
), # incase profile isn't google+ enabled
roles)
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(),
identity=Identity(user.id))
return dict(token=create_token(user))
