def post(self, namespace): """ Takes ownership of the specified organization or user. """ if SuperUserPermission().can(): # Disallow for superusers. if superusers.is_superuser(namespace): raise InvalidRequest("Cannot take ownership of a superuser") authed_user = get_authenticated_user() entity_id, was_user = pre_oci_model.take_ownership(namespace, authed_user) if entity_id is None: raise NotFound() # Log the change. log_metadata = { "entity_id": entity_id, "namespace": namespace, "was_user": was_user, "superuser": authed_user.username, } log_action("take_ownership", authed_user.username, log_metadata) return jsonify({"namespace": namespace}) raise Unauthorized()
def post(self, kid): if SuperUserPermission().can(): notes = request.get_json().get("notes", "") approver = get_authenticated_user() try: key = pre_oci_model.approve_service_key( kid, approver, ServiceKeyApprovalType.SUPERUSER, notes=notes ) # Log the approval of the service key. key_log_metadata = { "kid": kid, "service": key.service, "name": key.name, "expiration_date": key.expiration_date, } log_action("service_key_approve", None, key_log_metadata) except ServiceKeyDoesNotExist: raise NotFound() except ServiceKeyAlreadyApproved: pass return make_response("", 201) raise Unauthorized()
def put(self, username): """ Updates information about the specified user. """ if SuperUserPermission().can(): user = pre_oci_model.get_nonrobot_user(username) if user is None: raise NotFound() if superusers.is_superuser(username): raise InvalidRequest('Cannot update a superuser') user_data = request.get_json() if 'password' in user_data: # Ensure that we are using database auth. if app.config['AUTHENTICATION_TYPE'] != 'Database': raise InvalidRequest( 'Cannot change password in non-database auth') pre_oci_model.change_password(username, user_data['password']) if 'email' in user_data: # Ensure that we are using database auth. if app.config['AUTHENTICATION_TYPE'] not in [ 'Database', 'AppToken' ]: raise InvalidRequest( 'Cannot change e-mail in non-database auth') pre_oci_model.update_email(username, user_data['email'], auto_verify=True) if 'enabled' in user_data: # Disable/enable the user. pre_oci_model.update_enabled(username, bool(user_data['enabled'])) if 'superuser' in user_data: config_object = config_provider.get_config() superusers_set = set(config_object['SUPER_USERS']) if user_data['superuser']: superusers_set.add(username) elif username in superusers_set: superusers_set.remove(username) config_object['SUPER_USERS'] = list(superusers_set) config_provider.save_config(config_object) return_value = user.to_dict() if user_data.get('password') is not None: password = user_data.get('password') return_value[ 'encrypted_password'] = authentication.encrypt_user_password( password) if user_data.get('email') is not None: return_value['email'] = user_data.get('email') return return_value raise Unauthorized()
def get(self, kid): if SuperUserPermission().can(): try: key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False) return jsonify(key.to_dict()) except ServiceKeyDoesNotExist: raise NotFound() raise Unauthorized()
def get(self, token_uuid): """ Returns a specific app token for the user. """ token = model.appspecifictoken.get_token_by_uuid(token_uuid, owner=get_authenticated_user()) if token is None: raise NotFound() return { "token": token_view(token, include_code=True), }
def get(self, namespace, repository): """ Fetches the list of signed tags for the repository. """ if not model.is_trust_enabled(namespace, repository): raise NotFound() return { 'delegations': tuf_metadata_api.get_all_tags_with_expiration( namespace, repository) }
def get(self, username): """ Returns information about the specified user. """ if SuperUserPermission().can(): user = pre_oci_model.get_nonrobot_user(username) if user is None: raise NotFound() return user.to_dict() raise Unauthorized()
def put(self, username): """ Updates information about the specified user. """ if SuperUserPermission().can(): user = pre_oci_model.get_nonrobot_user(username) if user is None: raise NotFound() if superusers.is_superuser(username): raise InvalidRequest("Cannot update a superuser") user_data = request.get_json() if "password" in user_data: # Ensure that we are using database auth. if app.config["AUTHENTICATION_TYPE"] != "Database": raise InvalidRequest("Cannot change password in non-database auth") pre_oci_model.change_password(username, user_data["password"]) if "email" in user_data: # Ensure that we are using database auth. if app.config["AUTHENTICATION_TYPE"] not in ["Database", "AppToken"]: raise InvalidRequest("Cannot change e-mail in non-database auth") pre_oci_model.update_email(username, user_data["email"], auto_verify=True) if "enabled" in user_data: # Disable/enable the user. pre_oci_model.update_enabled(username, bool(user_data["enabled"])) if "superuser" in user_data: config_object = config_provider.get_config() superusers_set = set(config_object["SUPER_USERS"]) if user_data["superuser"]: superusers_set.add(username) elif username in superusers_set: superusers_set.remove(username) config_object["SUPER_USERS"] = list(superusers_set) config_provider.save_config(config_object) return_value = user.to_dict() if user_data.get("password") is not None: password = user_data.get("password") return_value["encrypted_password"] = authentication.encrypt_user_password( password ).decode("ascii") if user_data.get("email") is not None: return_value["email"] = user_data.get("email") return return_value raise Unauthorized()
def put(self, kid): if SuperUserPermission().can(): body = request.get_json() try: key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False) except ServiceKeyDoesNotExist: raise NotFound() key_log_metadata = { "kid": key.kid, "service": key.service, "name": body.get("name", key.name), "expiration_date": key.expiration_date, } if "expiration" in body: expiration_date = body["expiration"] if expiration_date is not None and expiration_date != "": try: expiration_date = datetime.utcfromtimestamp( float(expiration_date)) except ValueError as ve: raise InvalidRequest("Invalid expiration date: %s" % ve) if expiration_date <= datetime.now(): raise InvalidRequest( "Cannot have an expiration date in the past") key_log_metadata.update({ "old_expiration_date": key.expiration_date, "expiration_date": expiration_date, }) log_action("service_key_extend", None, key_log_metadata) pre_oci_model.set_key_expiration(kid, expiration_date) if "name" in body or "metadata" in body: key_name = body.get("name") if not validate_service_key_name(key_name): raise InvalidRequest( "Invalid service key friendly name: %s" % key_name) pre_oci_model.update_service_key(kid, key_name, body.get("metadata")) log_action("service_key_modify", None, key_log_metadata) updated_key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False) return jsonify(updated_key.to_dict()) raise Unauthorized()
def put(self, kid): if SuperUserPermission().can(): body = request.get_json() try: key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False) except ServiceKeyDoesNotExist: raise NotFound() key_log_metadata = { 'kid': key.kid, 'service': key.service, 'name': body.get('name', key.name), 'expiration_date': key.expiration_date, } if 'expiration' in body: expiration_date = body['expiration'] if expiration_date is not None and expiration_date != '': try: expiration_date = datetime.utcfromtimestamp( float(expiration_date)) except ValueError as ve: raise InvalidRequest('Invalid expiration date: %s' % ve) if expiration_date <= datetime.now(): raise InvalidRequest( 'Cannot have an expiration date in the past') key_log_metadata.update({ 'old_expiration_date': key.expiration_date, 'expiration_date': expiration_date, }) log_action('service_key_extend', None, key_log_metadata) pre_oci_model.set_key_expiration(kid, expiration_date) if 'name' in body or 'metadata' in body: key_name = body.get('name') if not validate_service_key_name(key_name): raise InvalidRequest( 'Invalid service key friendly name: %s' % key_name) pre_oci_model.update_service_key(kid, key_name, body.get('metadata')) log_action('service_key_modify', None, key_log_metadata) updated_key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False) return jsonify(updated_key.to_dict()) raise Unauthorized()
def get(self, build_uuid): """ Returns information about a build. """ if SuperUserPermission().can(): try: build = pre_oci_model.get_repository_build(build_uuid) except InvalidRepositoryBuildException: raise NotFound() return build.to_dict() raise Unauthorized()
def delete(self, username): """ Deletes the specified user. """ if SuperUserPermission().can(): user = pre_oci_model.get_nonrobot_user(username) if user is None: raise NotFound() if superusers.is_superuser(username): raise InvalidRequest("Cannot delete a superuser") pre_oci_model.mark_user_for_deletion(username) return "", 204 raise Unauthorized()
def delete(self, token_uuid): """ Revokes a specific app token for the user. """ token = model.appspecifictoken.revoke_token_by_uuid( token_uuid, owner=get_authenticated_user() ) if token is None: raise NotFound() log_action( "revoke_app_specific_token", get_authenticated_user().username, {"app_specific_token_title": token.title, "app_specific_token": token.uuid}, ) return "", 204
def post(self, username): # Ensure that we are using database auth. if app.config["AUTHENTICATION_TYPE"] != "Database": raise InvalidRequest("Cannot send a recovery e-mail for non-database auth") if SuperUserPermission().can(): user = pre_oci_model.get_nonrobot_user(username) if user is None: raise NotFound() if superusers.is_superuser(username): raise InvalidRequest("Cannot send a recovery email for a superuser") code = pre_oci_model.create_reset_password_email_code(user.email) send_recovery_email(user.email, code) return {"email": user.email} raise Unauthorized()
def delete(self, kid): if SuperUserPermission().can(): try: key = pre_oci_model.delete_service_key(kid) except ServiceKeyDoesNotExist: raise NotFound() key_log_metadata = { "kid": kid, "service": key.service, "name": key.name, "created_date": key.created_date, "expiration_date": key.expiration_date, } log_action("service_key_delete", None, key_log_metadata) return make_response("", 204) raise Unauthorized()