def create_user_roles(profile): """Creates new roles based on profile information. :param profile: :return: """ roles = [] # update their google 'roles' if "googleGroups" in profile: for group in profile["googleGroups"]: role = role_service.get_by_name(group) if not role: role = role_service.create( group, description= "This is a google group based role created by Lemur", third_party=True, ) if (group != 'admin') and (not role.third_party): role = role_service.set_third_party(role.id, third_party_status=True) roles.append(role) else: current_app.logger.warning( "'googleGroups' not sent by identity provider, no specific roles will assigned to the user." ) role = role_service.get_by_name(profile["email"]) if not role: role = role_service.create( profile["email"], description="This is a user specific role", third_party=True, ) if not role.third_party: role = role_service.set_third_party(role.id, third_party_status=True) roles.append(role) # every user is an operator (tied to a default role) if current_app.config.get("LEMUR_DEFAULT_ROLE"): default = role_service.get_by_name( current_app.config["LEMUR_DEFAULT_ROLE"]) if not default: default = role_service.create( current_app.config["LEMUR_DEFAULT_ROLE"], description="This is the default Lemur role.", ) if not default.third_party: role_service.set_third_party(default.id, third_party_status=True) roles.append(default) return roles
def _authorize(self): """ check groups and roles to confirm access. return a list of roles if ok. raise an exception on error. """ if not self.ldap_principal: return None if self.ldap_required_group: # ensure the user has the required group in their group list if self.ldap_required_group not in self.ldap_groups: return None roles = set() if self.ldap_default_role: role = role_service.get_by_name(self.ldap_default_role) if role: if not role.third_party: role = role.set_third_party(role.id, third_party_status=True) roles.add(role) # update their 'roles' role = role_service.get_by_name(self.ldap_principal) if not role: description = "auto generated role based on owner: {0}".format( self.ldap_principal) role = role_service.create(self.ldap_principal, description=description, third_party=True) if not role.third_party: role = role_service.set_third_party(role.id, third_party_status=True) roles.add(role) if not self.ldap_groups_to_roles: return roles for ldap_group_name, role_name in self.ldap_groups_to_roles.items(): role = role_service.get_by_name(role_name) if role: if ldap_group_name in self.ldap_groups: current_app.logger.debug( "assigning role {0} to ldap user {1}".format( self.ldap_principal, role)) if not role.third_party: role = role_service.set_third_party( role.id, third_party_status=True) roles.add(role) return roles
def create_user_roles(profile): """Creates new roles based on profile information. :param profile: :return: """ roles = [] # update their google 'roles' for group in profile['googleGroups']: role = role_service.get_by_name(group) if not role: role = role_service.create( group, description= 'This is a google group based role created by Lemur', third_party=True) if not role.third_party: role = role_service.set_third_party(role.id, third_party_status=True) roles.append(role) role = role_service.get_by_name(profile['email']) if not role: role = role_service.create(profile['email'], description='This is a user specific role', third_party=True) if not role.third_party: role = role_service.set_third_party(role.id, third_party_status=True) roles.append(role) # every user is an operator (tied to a default role) if current_app.config.get('LEMUR_DEFAULT_ROLE'): default = role_service.get_by_name( current_app.config['LEMUR_DEFAULT_ROLE']) if not default: default = role_service.create( current_app.config['LEMUR_DEFAULT_ROLE'], description='This is the default Lemur role.') if not default.third_party: role_service.set_third_party(default.id, third_party_status=True) roles.append(default) return roles
def create_user_roles(profile): """Creates new roles based on profile information. :param profile: :return: """ roles = [] # update their google 'roles' for group in profile['googleGroups']: role = role_service.get_by_name(group) if not role: role = role_service.create(group, description='This is a google group based role created by Lemur', third_party=True) if not role.third_party: role = role_service.set_third_party(role.id, third_party_status=True) roles.append(role) role = role_service.get_by_name(profile['email']) if not role: role = role_service.create(profile['email'], description='This is a user specific role', third_party=True) if not role.third_party: role = role_service.set_third_party(role.id, third_party_status=True) roles.append(role) # every user is an operator (tied to a default role) if current_app.config.get('LEMUR_DEFAULT_ROLE'): default = role_service.get_by_name(current_app.config['LEMUR_DEFAULT_ROLE']) if not default: default = role_service.create(current_app.config['LEMUR_DEFAULT_ROLE'], description='This is the default Lemur role.') if not default.third_party: role_service.set_third_party(default.id, third_party_status=True) roles.append(default) return roles
def post(self): self.reqparse.add_argument('clientId', type=str, required=True, location='json') self.reqparse.add_argument('redirectUri', type=str, required=True, location='json') self.reqparse.add_argument('code', type=str, required=True, location='json') args = self.reqparse.parse_args() # take the information we have received from the provider to create a new request params = { 'grant_type': 'authorization_code', 'scope': 'openid email profile groups', 'redirect_uri': args['redirectUri'], 'code': args['code'], } # you can either discover these dynamically or simply configure them access_token_url = current_app.config.get('OAUTH2_ACCESS_TOKEN_URL') user_api_url = current_app.config.get('OAUTH2_USER_API_URL') verify_cert = current_app.config.get('OAUTH2_VERIFY_CERT', True) # the secret and cliendId will be given to you when you signup for the provider token = '{0}:{1}'.format(args['clientId'], current_app.config.get("OAUTH2_SECRET")) basic = base64.b64encode(bytes(token, 'utf-8')) headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'authorization': 'basic {0}'.format(basic.decode('utf-8')) } # exchange authorization code for access token. # Try Params first r = requests.post(access_token_url, headers=headers, params=params, verify=verify_cert) if r.status_code == 400: r = requests.post(access_token_url, headers=headers, data=params, verify=verify_cert) id_token = r.json()['id_token'] access_token = r.json()['access_token'] # fetch token public key header_data = fetch_token_header(id_token) jwks_url = current_app.config.get('OAUTH2_JWKS_URL') # retrieve the key material as specified by the token header r = requests.get(jwks_url, verify=verify_cert) for key in r.json()['keys']: if key['kid'] == header_data['kid']: secret = get_rsa_public_key(key['n'], key['e']) algo = header_data['alg'] break else: return dict(message='Key not found'), 401 # validate your token based on the key it was signed with try: if sys.version_info >= (3, 0): jwt.decode(id_token, secret.decode('utf-8'), algorithms=[algo], audience=args['clientId']) else: jwt.decode(id_token, secret, algorithms=[algo], audience=args['clientId']) except jwt.DecodeError: return dict(message='Token is invalid'), 401 except jwt.ExpiredSignatureError: return dict(message='Token has expired'), 401 except jwt.InvalidTokenError: return dict(message='Token is invalid'), 401 headers = {'authorization': 'Bearer {0}'.format(access_token)} # retrieve information about the current user. r = requests.get(user_api_url, headers=headers, verify=verify_cert) profile = r.json() user = user_service.get_by_email(profile['email']) metrics.send('successful_login', 'counter', 1) # update with roles sent by identity provider roles = [] if 'roles' in profile: for group in profile['roles']: role = role_service.get_by_name(group) if not role: role = role_service.create( group, description= 'This is a group configured by identity provider', third_party=True) if not role.third_party: role = role_service.set_third_party( role.id, third_party_status=True) roles.append(role) role = role_service.get_by_name(profile['email']) if not role: role = role_service.create( profile['email'], description='This is a user specific role', third_party=True) if not role.third_party: role = role_service.set_third_party(role.id, third_party_status=True) roles.append(role) # if we get an sso user create them an account if not user: # every user is an operator (tied to a default role) if current_app.config.get('LEMUR_DEFAULT_ROLE'): v = role_service.get_by_name( current_app.config.get('LEMUR_DEFAULT_ROLE')) if not v.third_party: v = role_service.set_third_party(v.id, third_party_status=True) if v: roles.append(v) user = user_service.create(profile['name'], get_psuedo_random_string(), profile['email'], True, profile.get('thumbnailPhotoUrl'), roles) else: # we add 'lemur' specific roles, so they do not get marked as removed for ur in user.roles: if not ur.third_party: roles.append(ur) # update any changes to the user user_service.update( user.id, profile['name'], profile['email'], True, profile.get('thumbnailPhotoUrl' ), # incase profile isn't google+ enabled roles) # Tell Flask-Principal the identity changed identity_changed.send(current_app._get_current_object(), identity=Identity(user.id)) return dict(token=create_token(user))