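def test_group_admin(request, group_id):
    """Return a failure ``vaultMsg`` unless the caller may administer *group_id*.

    Falls off the end (returns None) when the caller is a member of the group
    and is either admin on it or a global admin. The caller's session is taken
    from ``request['rpc_args'][0]`` (the authtok); a missing or expired session
    makes ``get_session`` raise, which is left to propagate.
    """
    # Resolve the session before touching group data, so a request without a
    # valid session cannot learn which group ids exist from the reply text.
    sess = get_session(request['rpc_args'][0], request)

    if not query(Group).filter_by(id=group_id).first():
        return vaultMsg(False, "Group not found: %s" % str(group_id))

    # Membership row for (group, caller); required to be able to decrypt the groupkey.
    ug = query(UserGroup).filter_by(group_id=group_id,
                                    user_id=sess['user_id']).first()
    me = query(User).get(sess['user_id'])

    # A user row that disappeared after the session was created is not a global admin.
    global_admin = me is not None and bool(me.is_admin)

    if not ug or (not ug.is_admin and not global_admin):
        return vaultMsg(False, "You are not admin on that group (nor global admin)")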
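def test_group_admin(request, group_id):
    """Return a failure ``vaultMsg`` unless the caller may administer *group_id*.

    Falls off the end (returns None) when the caller is a member of the group
    and is either admin on it or a global admin. The caller's session is taken
    from ``request.rpc_args[0]`` (the authtok); a missing or expired session
    makes ``get_session`` raise, which is left to propagate.
    """
    # Resolve the session before touching group data, so a request without a
    # valid session cannot learn which group ids exist from the reply text.
    sess = get_session(request.rpc_args[0], request)

    # The "not found" message names the requested id; the previous version
    # referenced an undefined ``e`` here and raised NameError instead.
    if not query(Group).filter_by(id=group_id).first():
        return vaultMsg(False, "Group not found: %s" % str(group_id))

    # Membership row for (group, caller); required to be able to decrypt the groupkey.
    ug = query(UserGroup).filter_by(group_id=group_id,
                                    user_id=sess['user_id']).first()
    me = query(User).get(sess['user_id'])

    # A user row that disappeared after the session was created is not a global admin.
    global_admin = me is not None and bool(me.is_admin)

    if not ug or (not ug.is_admin and not global_admin):
        return vaultMsg(False, "You are not admin on that group (nor global admin)")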
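def sflvault_authenticate(request, username, cryptok):
    """Receive the *decrypted* cryptok, b64 encoded.

    Second half of the login round-trip: ``sflvault_login`` stored a random
    ``logging_token`` on the user row together with a short ``logging_timeout``;
    the client proves it could decrypt the challenge by sending the token back
    here. On success a fresh session token is registered with ``set_session``
    and returned as ``authtok``; every failure path returns
    ``vaultMsg(False, ...)``.
    """
    import hmac  # function-scope import: the module's import block is outside this excerpt

    settings = request['settings']

    # DEPRECATED: will be removed in 0.9
    # With session_trust enabled, a still-valid session token presented as
    # cryptok is accepted as-is and the challenge check below is skipped.
    # Only an absent setting (KeyError) is treated as "disabled".
    try:
        trust_session = settings['sflvault.vault.session_trust'].lower() in ('1', 'true', 't')
    except KeyError:
        trust_session = False

    if trust_session:
        sess = None
        try:
            sess = get_session(cryptok, request)
        except SessionNotFoundError:
            print("Session not found... ")
        except SessionExpiredError:
            print("Session expired... ")

        if sess:
            return vaultMsg(True, 'Authentication successful (cached)', {'authtok': cryptok})

    # Only "no such user" becomes 'Invalid user'; the former bare ``except``
    # also hid database errors behind that message.
    try:
        db = meta.Session()
        u = db.query(User).filter(User.username == username).all()[0]
    except IndexError:
        return vaultMsg(False, 'Invalid user')

    # A user that never started a login has no timeout; treat that as expired
    # rather than comparing None with a datetime.
    if u.logging_timeout is None or u.logging_timeout < datetime.now():
        return vaultMsg(False, 'Login token expired. Now: %s Timeout: %s' % (datetime.now(), u.logging_timeout))

    # str() necessary, to convert buffer to string. Compared in constant time
    # so the check does not leak how many leading bytes matched.
    if not hmac.compare_digest(str(cryptok), str(u.logging_token)):
        #TODO: Ask about this line.
        #raise Exception
        return vaultMsg(False, 'Authentication failed')

    # NOTE(review): logging_token is not cleared on success, so it remains
    # usable until logging_timeout passes (15 s as set by sflvault_login) —
    # confirm whether the transaction handling here allows invalidating it.
    newtok = b64encode(randfunc(32))
    set_session(newtok, {'username': username,
                         'timeout': datetime.now() + timedelta(0, int(settings['sflvault.vault.session_timeout'])),
                         'remote_addr': request.get('REMOTE_ADDR', None),
                         'userobj': u,
                         'user_id': u.id
                         })
    return vaultMsg(True, 'Authentication successful', {'authtok': newtok})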
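def sflvault_authenticate(request, username, cryptok):
    """Receive the *decrypted* cryptok, b64 encoded.

    Second half of the login round-trip: ``sflvault_login`` stored a random
    ``logging_token`` on the user row together with a short ``logging_timeout``;
    the client proves it could decrypt the challenge by sending the token back
    here. On success a fresh session token is registered with ``set_session``
    and returned as ``authtok``; every failure path returns
    ``vaultMsg(False, ...)``.
    """
    import hmac  # function-scope import: the module's import block is outside this excerpt

    settings = request['settings']

    # DEPRECATED: will be removed in 0.9
    # With session_trust enabled, a still-valid session token presented as
    # cryptok is accepted as-is and the challenge check below is skipped.
    # Only an absent setting (KeyError) is treated as "disabled".
    try:
        trust_session = settings['sflvault.vault.session_trust'].lower() in ('1', 'true', 't')
    except KeyError:
        trust_session = False

    if trust_session:
        sess = None
        try:
            sess = get_session(cryptok, request)
        except SessionNotFoundError:
            print("Session not found... ")
        except SessionExpiredError:
            print("Session expired... ")

        if sess:
            return vaultMsg(True, 'Authentication successful (cached)', {'authtok': cryptok})

    # Only "no such user" becomes 'Invalid user'; the former bare ``except``
    # also hid database errors behind that message.
    try:
        db = meta.Session()
        u = db.query(User).filter(User.username == username).all()[0]
    except IndexError:
        return vaultMsg(False, 'Invalid user')

    # A user that never started a login has no timeout; treat that as expired
    # rather than comparing None with a datetime.
    if u.logging_timeout is None or u.logging_timeout < datetime.now():
        return vaultMsg(False, 'Login token expired. Now: %s Timeout: %s' % (datetime.now(), u.logging_timeout))

    # str() necessary, to convert buffer to string. Compared in constant time
    # so the check does not leak how many leading bytes matched.
    if not hmac.compare_digest(str(cryptok), str(u.logging_token)):
        #TODO: Ask about this line.
        #raise Exception
        return vaultMsg(False, 'Authentication failed')

    # NOTE(review): logging_token is not cleared on success, so it remains
    # usable until logging_timeout passes (15 s as set by sflvault_login) —
    # confirm whether the transaction handling here allows invalidating it.
    newtok = b64encode(randfunc(32))
    set_session(newtok, {'username': username,
                         'timeout': datetime.now() + timedelta(0, int(settings['sflvault.vault.session_timeout'])),
                         'remote_addr': request.get('REMOTE_ADDR', None),
                         'userobj': u,
                         'user_id': u.id
                         })
    return vaultMsg(True, 'Authentication successful', {'authtok': newtok})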
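def sflvault_login(request, username, version):
    """First half of the login round-trip (the function continues past this excerpt).

    Rejects clients announcing a version older than ``MINIMAL_CLIENT_VERSION``,
    then looks the user up by *username*; the remainder of the function issues
    the encrypted challenge that ``sflvault_authenticate`` verifies.
    """
    # Require minimal client version. The empty-announcement test comes first
    # so LooseVersion is never built from a missing value.
    # NOTE(review): this path wraps the vaultMsg in Response(body=...) while the
    # lookup failure below returns the dict directly — confirm which the
    # xmlrpc layer expects.
    if not version or LooseVersion(version) < MINIMAL_CLIENT_VERSION:
        return Response(body=vaultMsg(False, "Minimal client version required: '%s'. "
                        "You announced yourself as version '%s'" %
                        (MINIMAL_CLIENT_VERSION.vstring, version)))

    # Return 'cryptok', encrypted with pubkey.
    # Save decoded version to user's db field.
    #transaction.begin()
    # ``except ... as`` and str(e) replace the Python-2-only ``e.message``.
    # The ORM's exception text is echoed to the client here.
    try:
        #u = query(User).filter_by(username=username).one()
        u = meta.Session.query(User).filter_by(username=username).one()
    except Exception as e:
        return vaultMsg(False, "User unknown: %s" % str(e))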
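def sflvault_login(request, username, version):
    """First half of the login round-trip (the function continues past this excerpt).

    Rejects clients announcing a version older than ``MINIMAL_CLIENT_VERSION``,
    then looks the user up by *username*; the remainder of the function issues
    the encrypted challenge that ``sflvault_authenticate`` verifies.
    """
    # Require minimal client version. The empty-announcement test comes first
    # so LooseVersion is never built from a missing value.
    if not version or LooseVersion(version) < MINIMAL_CLIENT_VERSION:
        return vaultMsg(False, "Minimal client version required: '%s'. "
                        "You announced yourself as version '%s'" %
                        (MINIMAL_CLIENT_VERSION.vstring, version))

    # Return 'cryptok', encrypted with pubkey.
    # Save decoded version to user's db field.
    #transaction.begin()
    # ``except ... as`` and str(e) replace the Python-2-only ``e.message``.
    # The ORM's exception text is echoed to the client here.
    try:
        #u = query(User).filter_by(username=username).one()
        u = meta.Session.query(User).filter_by(username=username).one()
    except Exception as e:
        return vaultMsg(False, "User unknown: %s" % str(e))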
def sflvault_service_put(request, authtok, service_id, data):
    """Store *data* for *service_id* when the session's user shares a group with it.

    Access is decided by joining servicegroups -> usergroups -> users and
    requiring at least one row for the session's ``user_id`` and *service_id*.
    On success the write is delegated to ``vault.service_put``; otherwise a
    failure ``vaultMsg`` is returned.
    """
    # 'user_id' required in session.
    # TODO: verify I had access to the service previously.
    sess = get_session(authtok, request)
    access_query = (
        sql.join(servicegroups_table, usergroups_table,
                 ServiceGroup.group_id == UserGroup.group_id)
        .join(users_table, User.id == UserGroup.user_id)
        .select()
        .where(User.id == sess['user_id'])
        .where(ServiceGroup.service_id == service_id)
    )
    has_access = bool(list(meta.Session.execute(access_query)))
    if has_access:
        return vault.service_put(service_id, data)
    return vaultMsg(False, "You don't have access to that service.")
def sflvault_service_put(request, authtok, service_id, data):
    """Write *data* to *service_id* after a group-membership check.

    The session behind *authtok* must contain ``user_id``; the caller is
    allowed only if some group links that user to the service (join of
    servicegroups, usergroups and users). Denied callers get a failure
    ``vaultMsg``; allowed ones get whatever ``vault.service_put`` returns.
    """
    # 'user_id' required in session.
    # TODO: verify I had access to the service previously.
    sess = get_session(authtok, request)
    caller_id = sess['user_id']

    membership = sql.join(servicegroups_table, usergroups_table,
                          ServiceGroup.group_id == UserGroup.group_id)
    membership = membership.join(users_table, User.id == UserGroup.user_id)
    stmt = membership.select()
    stmt = stmt.where(User.id == caller_id)
    stmt = stmt.where(ServiceGroup.service_id == service_id)

    matching_rows = list(meta.Session.execute(stmt))
    if not matching_rows:
        return vaultMsg(False, "You don't have access to that service.")
    return vault.service_put(service_id, data)
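def authenticated_admin(func, request, *args, **kwargs):
    """Aborts if user isn't admin.

    Check authenticated_user , everything written then applies here as well.

    Runs ``_authenticated_user_first`` (rejects missing/expired sessions and
    records the caller's identity), then requires ``is_admin`` on the session's
    ``userobj`` before calling *func*. If the session cannot be fetched again at
    this point it is treated as a denial; previously a missing session fell
    through and *func* was called anyway.
    """
    cryptok = request.rpc_args[0]
    ret = _authenticated_user_first(request, cryptok)
    if ret:
        return ret

    # Second lookup; fail closed if the session vanished or expired in between.
    try:
        sess = get_session(cryptok, request)
    except (SessionNotFoundError, SessionExpiredError):
        sess = None

    if not sess or not sess['userobj'].is_admin:
        return vaultMsg(False, "Permission denied, admin priv. required")

    return func(request, *args, **kwargs)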
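def authenticated_admin(func, request, *args, **kwargs):
    """Aborts if user isn't admin.

    Check authenticated_user , everything written then applies here as well.

    Runs ``_authenticated_user_first`` (rejects missing/expired sessions and
    records the caller's identity), then requires ``is_admin`` on the session's
    ``userobj`` before calling *func*. If the session cannot be fetched again at
    this point it is treated as a denial; previously a missing session fell
    through and *func* was called anyway.
    """
    cryptok = request['rpc_args'][0]
    ret = _authenticated_user_first(request, cryptok)
    if ret:
        return ret

    # Second lookup; fail closed if the session vanished or expired in between.
    try:
        sess = get_session(cryptok, request)
    except (SessionNotFoundError, SessionExpiredError):
        sess = None

    if not sess or not sess['userobj'].is_admin:
        return vaultMsg(False, "Permission denied, admin priv. required")

    return func(request, *args, **kwargs)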
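def _authenticated_user_first(request, cryptok):
    """DRYed authenticated_user to skip repetition in authenticated_admin

    Returns a failure ``vaultMsg`` when *cryptok* does not map to a live
    session. Otherwise records the session's ``user_id`` / ``username`` on the
    shared ``vault`` object and returns None, which callers take as "proceed".
    """
    sess = None
    # Default covers get_session returning a falsy value without raising,
    # which previously left error_msg unbound.
    error_msg = 'session not found'
    try:
        sess = get_session(cryptok, request)
    except SessionNotFoundError:
        error_msg = 'session not found'
    except SessionExpiredError:
        error_msg = 'session expired'

    if not sess:
        return vaultMsg(False, "Permission denied (%s)" % error_msg)

    # NOTE(review): myself_id / myself_username live on the shared ``vault``
    # object and are rewritten per request — confirm requests are not handled
    # concurrently, or one caller's identity could be seen by another's handler.
    if 'user_id' in sess:
        vault.myself_id = sess['user_id']
    if 'username' in sess:
        vault.myself_username = sess['username']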
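def _authenticated_user_first(request, cryptok):
    """DRYed authenticated_user to skip repetition in authenticated_admin

    Returns a failure ``vaultMsg`` when *cryptok* does not map to a live
    session. Otherwise records the session's ``user_id`` / ``username`` on the
    shared ``vault`` object and returns None, which callers take as "proceed".
    """
    sess = None
    # Default covers get_session returning a falsy value without raising,
    # which previously left error_msg unbound.
    error_msg = 'session not found'
    try:
        sess = get_session(cryptok, request)
    except SessionNotFoundError:
        error_msg = 'session not found'
    except SessionExpiredError:
        error_msg = 'session expired'

    if not sess:
        return vaultMsg(False, "Permission denied (%s)" % error_msg)

    # NOTE(review): myself_id / myself_username live on the shared ``vault``
    # object and are rewritten per request — confirm requests are not handled
    # concurrently, or one caller's identity could be seen by another's handler.
    if 'user_id' in sess:
        vault.myself_id = sess['user_id']
    if 'username' in sess:
        vault.myself_username = sess['username']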
        return vaultMsg(False, "User unknown: %s" % e.message)
    
    # TODO: implement throttling ?

    rnd = randfunc(32)
    # 15 seconds to complete login/authenticate round-trip.
    u.logging_timeout = datetime.now() + timedelta(0, 15)
    u.logging_token = b64encode(rnd)
    
    #a = meta.Session.query(User).filter_by(username=username).one()
    e = u.elgamal()
    cryptok = serial_elgamal_msg(e.encrypt(rnd, randfunc(32)))
    
    transaction.commit()
    #meta.Session.close()
    return vaultMsg(True, 'Authenticate please', {'cryptok': cryptok})

@xmlrpc_method(endpoint='sflvault', method='sflvault.user_add')
@authenticated_admin
def user_add(request, authtok, username, is_admin):
    """XML-RPC ``sflvault.user_add``: create *username*, optionally as admin.

    Admin-only (``authenticated_admin`` checks *authtok* first); the actual
    creation is delegated to ``vault.user_add``.
    """
    result = vault.user_add(username, is_admin)
    return result

@xmlrpc_method(endpoint='sflvault', method='sflvault.user_setup')
def user_setup(request, username, pubkey):
    """XML-RPC ``sflvault.user_setup``: register *pubkey* for *username*.

    No session decorator is applied here, so any gating of who may set a
    user's key (e.g. a setup window) must happen inside ``vault.user_setup``.
    """
    result = vault.user_setup(username, pubkey)
    return result

@xmlrpc_method(endpoint='sflvault', method='sflvault.user_del')
@authenticated_admin
def sflvault_user_del(request, authtok, user):
    """XML-RPC ``sflvault.user_del``: delete *user*.

    Admin-only (``authenticated_admin`` checks *authtok* first); the deletion
    itself is delegated to ``vault.user_del``.
    """
    result = vault.user_del(user)
    return result
    # Save decoded version to user's db field.
    #transaction.begin()
    try:
        #u = query(User).filter_by(username=username).one()
        u = meta.Session.query(User).filter_by(username=username).one()
    except Exception, e:
        return vaultMsg(False, "User unknown: %s" % e.message)
    
    # TODO: implement throttling ?

    rnd = randfunc(32)
    # 15 seconds to complete login/authenticate round-trip.
    u.logging_timeout = datetime.now() + timedelta(0, 15)
    u.logging_token = b64encode(rnd)
    if not u.pubkey:
        return vaultMsg(False, "User %s is not set up. Run user-setup first!" % username)
    
    #a = meta.Session.query(User).filter_by(username=username).one()
    e = u.elgamal()
    cryptok = serial_elgamal_msg(e.encrypt(rnd, randfunc(32)))
    
    transaction.commit()
    #meta.Session.close()
    return vaultMsg(True, 'Authenticate please', {'cryptok': cryptok})

@xmlrpc_method(endpoint='sflvault', method='sflvault.user_add')
@authenticated_admin
def user_add(request, authtok, username, is_admin):
    try:
        setup_timeout = request['settings']['sflvault.vault.setup_timeout']
    except KeyError, e:
    # Save decoded version to user's db field.
    #transaction.begin()
    try:
        #u = query(User).filter_by(username=username).one()
        u = meta.Session.query(User).filter_by(username=username).one()
    except Exception, e:
        return vaultMsg(False, "User unknown: %s" % e.message)

    # TODO: implement throttling ?

    rnd = randfunc(32)
    # 15 seconds to complete login/authenticate round-trip.
    u.logging_timeout = datetime.now() + timedelta(0, 15)
    u.logging_token = b64encode(rnd)
    if not u.pubkey:
        return vaultMsg(
            False, "User %s is not set up. Run user-setup first!" % username)

    #a = meta.Session.query(User).filter_by(username=username).one()
    e = u.elgamal()
    cryptok = serial_elgamal_msg(e.encrypt(rnd, randfunc(32)))

    transaction.commit()
    #meta.Session.close()
    return vaultMsg(True, 'Authenticate please', {'cryptok': cryptok})


@xmlrpc_method(endpoint='sflvault', method='sflvault.user_add')
@authenticated_admin
def user_add(request, authtok, username, is_admin):
    try:
        setup_timeout = request['settings']['sflvault.vault.setup_timeout']