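def get_default_account(identity, type, oldest_if_none=False, session=None):
    """
    Retrieves the default account mapped to an identity.

    :param identity: The identity key name. For example, x509DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, saml, oidc).
    :param oldest_if_none: If True and no default account is found, the oldest
                           known account mapping of that identity (ordered by
                           ``created_at``) is chosen instead. If False and no
                           default account is found, an exception is raised.
    :param session: The database session to use.
    :returns: The account name of the selected mapping. This function never
              returns None; a missing mapping is reported by raising.
    :raises IdentityError: If no mapping could be selected for (identity, type).
    """
    association = session.query(models.IdentityAccountAssociation)\
        .filter_by(identity=identity, identity_type=type, is_default=True)\
        .first()

    if association is None and oldest_if_none:
        # No explicit default: fall back to the mapping that was created first.
        association = session.query(models.IdentityAccountAssociation)\
            .filter_by(identity=identity, identity_type=type)\
            .order_by(asc(models.IdentityAccountAssociation.created_at))\
            .first()
        if association is None:
            raise exception.IdentityError('There is no account for identity (%s, %s)' % (identity, type))
    elif association is None:
        raise exception.IdentityError('There is no default account for identity (%s, %s)' % (identity, type))

    return association.account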
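def add_identity(identity, type, email, password=None, session=None):
    """
    Creates a user identity.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, ssh, saml, oidc)
    :param email: The Email address associated with the identity.
    :param password: If type==userpass, this sets the password. It is ignored
                     for every other type.
    :param session: The database session in use.
    :raises IdentityError: If type is userpass and no password was given.
    :raises Duplicate: If the (identity, type) pair already exists.
    :raises DatabaseException: On any other integrity error while saving.
    """
    if type == IdentityType.USERPASS and password is None:
        raise exception.IdentityError('You must provide a password!')

    new_id = models.Identity()
    new_id.update({'identity': identity, 'identity_type': type, 'email': email})

    if type == IdentityType.USERPASS:
        # Fresh random salt per identity. The raw bytes are persisted next to
        # the digest so the verification side can rebuild the same input.
        # (255 bytes is an arbitrary size, it is not tied to the digest length.)
        salt = os.urandom(255)
        if six.PY3:
            decoded_salt = b64encode(salt).decode()
            salted_password = ('%s%s' % (decoded_salt, password)).encode()
        else:
            # Same salt+password concatenation as the PY3 branch; without the
            # two '%s' specifiers the 2-tuple operand raises TypeError.
            salted_password = '%s%s' % (salt, str(password))
        # NOTE(review): the two branches hash different inputs (base64 text vs.
        # raw salt bytes), so digests are not portable across interpreter majors.
        # NOTE(review): this is a single SHA-256 over salt+password, not a
        # password-stretching KDF (PBKDF2/scrypt/argon2). Changing the
        # construction here also requires changing the verification path,
        # which is not part of this block.
        password = hashlib.sha256(salted_password).hexdigest()
        # Only the digest is stored; the plaintext never reaches the model.
        new_id.update({'salt': salt, 'password': password, 'email': email})

    try:
        new_id.save(session=session)
    except IntegrityError as e:
        # Duplicate-key detection is driver specific (MySQL error 1062 text).
        if match('.*IntegrityError.*1062.*Duplicate entry.*for key.*', e.args[0]):
            raise exception.Duplicate('Identity pair \'%s\',\'%s\' already exists!' % (identity, type))
        raise exception.DatabaseException(str(e))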
def del_identity(identity, type, session=None):
    """
    Deletes a user identity.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, saml, oidc).
    :param session: The database session in use.
    :raises IdentityError: If no identity row matches the (identity, type) pair.
    """
    row = session.query(models.Identity)\
        .filter_by(identity=identity, identity_type=type)\
        .first()
    if row is None:
        raise exception.IdentityError('Identity (\'%s\',\'%s\') does not exist!' % (identity, type))
    # Only the identity row itself is removed here; nothing else is touched
    # by this function.
    row.delete(session=session)
def del_account_identity(identity, type, account, session=None):
    """
    Removes a membership association between identity and account.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, saml, oidc).
    :param account: The account name.
    :param session: The database session in use.
    :raises IdentityError: If no association row matches (identity, type, account).
                           Note that the raised message names the identity,
                           although what is missing is the identity-account mapping.
    """
    mapping = session.query(models.IdentityAccountAssociation)\
        .filter_by(identity=identity, identity_type=type, account=account)\
        .first()
    if mapping is None:
        raise exception.IdentityError('Identity (\'%s\',\'%s\') does not exist!' % (identity, type))
    mapping.delete(session=session)
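def get_default_account(identity, type, session=None):
    """
    Retrieves the default account mapped to an identity.

    :param identity: The identity key name. For example, x509DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass).
    :param session: The database session to use.
    :returns: The account name of the default mapping. This function never
              returns None; a missing mapping is reported by raising.
    :raises IdentityError: If no default account is mapped to (identity, type).
    """
    association = session.query(models.IdentityAccountAssociation)\
        .filter_by(identity=identity, identity_type=type, is_default=True)\
        .first()
    if association is None:
        raise exception.IdentityError('There is no default account for identity (%s, %s)' % (identity, type))
    return association.account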