Exemple #1
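def auth_archiver():
    """Check HTTP Basic credentials, re-prompting once the "valid" cookie is gone.

    Returns a Flask-style ``(body, status[, headers])`` tuple:

    * 401 with a Basic challenge when the short-lived ``valid`` cookie is
      absent, when the Authorization header cannot be parsed, or when
      ``Auth.authenticate`` rejects the credentials;
    * 200 when the credentials are accepted.
    """
    logger = get_logger()

    # Log names only. The Authorization header holds the Basic credential and
    # the cookies may hold a TOKEN; dumping their values would copy secrets
    # into the debug log.
    logger.debug("Headers: {}".format(sorted(request.headers.keys())))
    logger.debug("Cookies: {}".format(sorted(request.cookies.keys())))

    # Sent with every 401: challenge the client and hand out a 10-second
    # "valid" marker cookie; "no-store" keeps the response out of caches.
    # NOTE(review): the cookie has no Secure/SameSite attribute - add them if
    # this endpoint is only ever served over HTTPS.
    basic_headers = {
        "WWW-Authenticate": "Basic",
        "Cache-Control": "no-store",
        "Set-Cookie": "valid=yes; Max-Age=10; HttpOnly",
    }

    # Presence check only: the cookie is a re-prompt timer, not a credential.
    # Access is still decided by the credential check below.
    if "valid" not in request.cookies:
        logger.warn("Authorization expired!")
        return "Authorization expired", 401, basic_headers

    try:
        auth = Auth(request.headers)
        user, passw = auth.get_user_pass()
    except Exception as e:
        # A missing or malformed Authorization header is a client error:
        # answer with the challenge instead of letting it surface as a 500.
        logger.warn("Access denied: {}".format(e))
        return "Access denied!", 401, basic_headers

    if not auth.authenticate(user, passw):
        logger.warn("Access denied!")
        return "Access denied!", 401, basic_headers

    return "Authorized!", 200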
Exemple #2
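def auth_token_expire():
    """Forcefully expire the "TOKEN" passed in the request cookies.

    Returns 401 when the request carries no TOKEN cookie. Otherwise calls
    ``delete_token`` for the presented value and returns a response that
    tells the client to discard the cookie.
    """
    logger = get_logger()
    if "TOKEN" not in request.cookies:
        logger.warn("No TOKEN found.")
        return "TOKEN not found", 401

    # Drop the token on the server before touching the client copy, so a
    # client that ignores the Set-Cookie below still ends up with a value
    # that delete_token() has handled (presumably revoked - confirm there).
    delete_token(token=request.cookies["TOKEN"])

    res = flask.make_response()
    # Expire with absolute zero values instead of a naive local now(): a naive
    # datetime may be read as UTC when serialised, which leaves the cookie
    # alive for hours on hosts whose clock is ahead of UTC.
    res.set_cookie("TOKEN", value="deleted", max_age=0, expires=0)
    return res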
Exemple #3
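def auth_token_authorization():
    """Exchange the TOKEN cookie for the Authorization value stored behind it.

    Returns 401 when the cookie is missing or ``get_from_token`` raises.
    Otherwise returns 200 with the recovered value in an ``Authorization``
    response header.

    NOTE(review): the 200 response carries the recovered Authorization value
    in a header. This looks meant for a reverse-proxy sub-request rather than
    for end clients - confirm the route is not reachable directly.
    """
    logger = get_logger()

    if "TOKEN" not in request.cookies:
        logger.warn("TOKEN not found in cookies.")
        return "TOKEN not found", 401

    try:
        authorization = get_from_token(request.cookies["TOKEN"])
    except Exception as e:
        # Keep the reason in the server log; the client only learns that the
        # token was rejected, not the text of an internal exception.
        logger.warn("TOKEN rejected: {}".format(e))
        return "Invalid TOKEN", 401

    return "Authorized", 200, {"Authorization": authorization}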
Exemple #4
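def auth_token_generate():
    """Generate a TOKEN cookie using LDAP and Basic Authorization.

    Returns 401 when the Authorization header cannot be parsed or when
    ``Auth.authenticate`` rejects the credentials. Otherwise returns 200 with
    a ``TOKEN`` cookie produced by ``generate_token``.
    """
    logger = get_logger()

    try:
        auth = Auth(request.headers)
        user, passw = auth.get_user_pass()
    except Exception as e:
        # Log the detail, but do not echo exception text back to the caller.
        logger.error(f"{e}")
        return "Access denied!", 401

    if not auth.authenticate(user, passw):
        logger.warn("Access denied!")
        return "Access denied!", 401

    token = generate_token(auth.authorization)
    response = make_response("Token generated", 200)
    # The token stands in for the Basic credential, so keep it away from page
    # scripts with HttpOnly.
    # NOTE(review): also pass secure=True (and a samesite policy) once it is
    # confirmed that the service is only reached over HTTPS.
    response.set_cookie("TOKEN", token, httponly=True)

    return response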
Exemple #5
import base64
import ldap

from application.utils import get_logger

# Module-level logger, obtained once at import time from the project's helper.
logger = get_logger()


class Auth:
    def __init__(self, headers):
        # fmt: off
        self.authorization = headers.get("Authorization", None)
        self.bind_dn = headers.get("X-Ldap-BindDN", "cn=admin,dc=lnls,dc=br")
        self.bind_pass = headers.get("X-Ldap-BindPass", None)
        self.group_base_dn = headers.get(
            "X-Ldap-Group-BaseDN", "ou=epics-archiver,ou=groups,dc=lnls,dc=br")
        self.group_cns = headers.get("X-Ldap-Group-CNs",
                                     "cn=archiver-admins").split(",")
        self.realm = headers.get("X-Ldap-Realm",
                                 "EPICS Archiver - MGMT Actions")
        self.starttls = headers.get("X-Ldap-Starttls", "false")
        self.url = headers.get("X-Ldap-URL", "ldap://10.0.38.42:389")
        self.user_base_dn = headers.get("X-Ldap-User-BaseDN",
                                        "ou=users,dc=lnls,dc=br")
        # fmt: on

    def get_user_pass(self):

        if self.authorization is None:
            raise Exception("No Authorization header!")