def change_passwd():
    """Store a new password for the session user or for a reset-token holder.

    The JSON body must carry ``password`` and ``password_repeat``. An
    authenticated session changes its own password; an anonymous request must
    additionally supply ``email`` and ``hashstr`` (an *active* reset token for
    that address), and the token is consumed on success.

    Returns ``{}`` on success, 400 for an incomplete body or a mismatch, and
    404 when no active token matches.
    """
    body = request.json
    new_password = body.get('password')
    confirmation = body.get('password_repeat')

    # Both fields are mandatory whichever way the caller authenticates.
    if not (new_password and confirmation):
        return error_response(errors.AUTH_RESET_MISSING, 400)
    if new_password != confirmation:
        return error_response(errors.AUTH_PASSWD_MATCH, 400)

    if current_user.is_authenticated:
        # NOTE(review): the current password is not re-verified before the
        # change, so a hijacked session can rotate the credential silently —
        # confirm that is acceptable here.
        target = current_user
    else:
        email = body.get('email')
        token = body.get('hashstr')
        if not (email and token):
            return error_response(errors.AUTH_RESET_MISSING, 400)
        reset = (db.session.query(PasswdReset)
                 .join(User)
                 .filter(User.email == email, PasswdReset.active == True)
                 .filter(PasswdReset.hashstr == token)
                 .first())
        if not reset:
            return error_response(errors.AUTH_RESET_HASH, 404)
        # Single use: the token is burned in the same transaction that stores
        # the new password.
        # NOTE(review): no expiry check is visible here; whether a token ages
        # out depends on the PasswdReset model — verify.
        reset.active = False
        db.session.add(reset)
        target = reset.user

    target.password = encrypt_password(new_password)
    db.session.add(target)
    db.session.commit()
    return jsonify({})
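def reset_passwd_request():
    """Issue a password-reset token for the ``email`` in the JSON body and mail it.

    Earlier tokens for the same user are deactivated so only the newest one
    is honoured by ``change_passwd``.

    Returns ``{}`` on success, 400 when ``email`` is absent, 404 when no user
    has that address and 500 when the mail could not be sent.
    """
    if 'email' not in request.json:
        return error_response(errors.AUTH_EMAIL_MISSING, 400)
    email = request.json['email']
    user = User.query.filter_by(email=email).first()
    if not user:
        # NOTE(review): a distinct 404 reveals which addresses are registered
        # (account enumeration); a uniform response would avoid that, but
        # existing callers may depend on this status.
        return error_response(errors.AUTH_NOT_FOUND.format(email), 404)

    # The token is a bearer credential for change_passwd(), so it must come
    # from the OS CSPRNG: the module-level `random` generator (Mersenne
    # Twister) is predictable from observed outputs. SystemRandom keeps the
    # same 128-bit / sha1-hexdigest shape, so the stored format is unchanged.
    entropy = random.SystemRandom().getrandbits(128)
    hashstr = hashlib.sha1(str(entropy) + user.email).hexdigest()

    # Deactivate all other password resets for this user.
    PasswdReset.query.filter_by(user=user).update({'active': False})
    reset = PasswdReset(hashstr=hashstr, active=True, user=user)
    db.session.add(reset)
    db.session.commit()

    # Send password reset email to user. Imported here, presumably to avoid
    # a circular import at module load.
    from hnp import hnp
    msg = Message(html=reset.email_body,
                  subject='hnp Password reset',
                  recipients=[user.email],
                  sender=hnp.config['DEFAULT_MAIL_SENDER'])
    try:
        mail.send(msg)
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit are not
        # turned into an SMTP error response.
        return error_response(errors.AUTH_SMTP_ERROR, 500)
    return jsonify({})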
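def create_user():
    """Create a user from the JSON body and attach a fresh API key to it.

    Required fields are checked by ``User.check_required``; the password is
    stored via ``encrypt_password``.

    Returns the new user's dict, or 400 when required fields are missing or
    the e-mail address is already taken.
    """
    missing = User.check_required(request.json)
    if missing:
        return error_response(apierrors.API_FIELDS_MISSING.format(missing), 400)

    user = get_datastore().create_user(
        email=request.json.get('email'),
        password=encrypt_password(request.json.get('password')))
    # NOTE(review): every account created here is granted the 'admin' role
    # unconditionally — confirm that is intended for all callers who can
    # reach this route.
    user_datastore.add_role_to_user(user, user_datastore.find_role('admin'))

    try:
        db.session.add(user)
        # Flush so user.id is assigned before the key row references it.
        db.session.flush()
        # uuid4 is drawn from the OS CSPRNG, which is what an API key needs.
        apikey = ApiKey(user_id=user.id,
                        api_key=str(uuid.uuid4()).replace("-", ""))
        db.session.add(apikey)
        db.session.commit()
    except IntegrityError:
        # Without a rollback the session stays in a failed transaction and
        # every later query on it would fail as well.
        db.session.rollback()
        return error_response(errors.AUTH_USERNAME_EXISTS, 400)
    return jsonify(user.to_dict())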
def update_rule(rule_id):
    """Apply the JSON body's fields to the rule with *rule_id* and return it.

    Only names in ``Rule.editable_fields()`` may be set. A known but read-only
    field yields 400 API_FIELD_NOT_EDITABLE, an unknown name 400
    API_FIELD_INVALID; an unknown rule is a 404 (``first_or_404``).
    """
    rule = Rule.query.filter_by(id=rule_id).first_or_404()
    payload = request.json
    # Allow-list: anything outside editable_fields() is rejected before the
    # commit, so protected columns cannot be mass-assigned from the body.
    for name in payload.keys():
        if name in Rule.editable_fields():
            setattr(rule, name, payload[name])
            continue
        if name in Rule.fields():
            return error_response(errors.API_FIELD_NOT_EDITABLE.format(name), 400)
        return error_response(errors.API_FIELD_INVALID.format(name), 400)
    db.session.commit()
    return jsonify(rule.to_dict())
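def create_rule_source():
    """Create a RuleSource from the JSON body.

    Returns the new source's dict; 400 when required fields are missing or a
    source with the same ``uri`` already exists.
    """
    missing = RuleSource.check_required(request.json)
    if missing:
        return error_response(errors.API_FIELDS_MISSING.format(missing), 400)
    # NOTE(review): the whole body is splatted into the constructor, so any
    # column the model accepts can be set by the caller, not only the
    # required ones — restrict to a known field list if that is unintended.
    rsource = RuleSource(**request.json)
    try:
        db.session.add(rsource)
        db.session.commit()
    except IntegrityError:
        # Reset the failed transaction so the session stays usable.
        db.session.rollback()
        return error_response(
            errors.API_SOURCE_EXISTS.format(request.json['uri']), 400)
    return jsonify(rsource.to_dict())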
def login_user():
    """Authenticate with ``email``/``password`` from the JSON body and open a session.

    Returns the user's dict on success, 400 when either field is absent, and
    the same 401 for an unknown e-mail and for a wrong password.
    """
    payload = request.json
    if 'email' not in payload:
        return error_response(errors.AUTH_EMAIL_MISSING, 400)
    if 'password' not in payload:
        return error_response(errors.AUTH_PSSWD_MISSING, 400)

    user = User.query.filter_by(email=payload.get('email')).first()
    # NOTE(review): the password hash is only computed when the user exists,
    # so response time differs between known and unknown e-mails — a
    # timing-based enumeration channel, if that matters for this deployment.
    credentials_ok = bool(user) and verify_and_update_password(
        payload.get('password'), user)
    if not credentials_ok:
        return error_response(errors.AUTH_INCORRECT_CREDENTIALS, 401)
    login(user, remember=True)
    return jsonify(user.to_dict())
def delete_user(user_id):
    """Deactivate the user with *user_id* (soft delete: ``active`` becomes False).

    Returns ``{}`` on success, 404 when the id is unknown.
    """
    target = User.query.get(user_id)
    if not target:
        return error_response(errors.AUTH_NOT_FOUND.format(user_id), 404)
    # The row is kept and only flagged. NOTE(review): anything that
    # authenticates on behalf of this user (sessions, API keys) must check
    # `active` itself; nothing here revokes them.
    target.active = False
    db.session.add(target)
    db.session.commit()
    return jsonify({})
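def update_sensor(uuid):
    """Apply the editable JSON fields to the sensor identified by *uuid*.

    A known but read-only field yields 400 API_FIELD_NOT_EDITABLE, an unknown
    field 400 API_FIELD_INVALID, an unknown sensor 404, and a ``name`` already
    taken by another sensor 400 API_SENSOR_EXISTS.
    """
    sensor = Sensor.query.filter_by(uuid=uuid).first_or_404()
    payload = request.json
    editable = Sensor.editable_fields()
    known = Sensor.fields()
    # Allow-list check before anything is committed, so protected columns
    # cannot be mass-assigned from the body.
    for field in payload.keys():
        if field in editable:
            setattr(sensor, field, payload[field])
        elif field in known:
            return error_response(errors.API_FIELD_NOT_EDITABLE.format(field), 400)
        else:
            return error_response(errors.API_FIELD_INVALID.format(field), 400)

    # Captured before the commit: after a rollback the instance is expired
    # and would re-read the stored name, not the one that collided. `.get`
    # also avoids a KeyError when the conflicting request omits 'name'.
    attempted_name = payload.get('name', getattr(sensor, 'name', None))
    try:
        db.session.commit()
    except IntegrityError:
        # Reset the failed transaction so the session stays usable.
        db.session.rollback()
        return error_response(
            errors.API_SENSOR_EXISTS.format(attempted_name), 400)
    return jsonify(sensor.to_dict())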
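def create_sensor():
    """Register a new sensor from the JSON body and create its Clio auth key.

    Returns the sensor's dict; 400 when required fields are missing or a
    sensor with the same ``name`` already exists.
    """
    from uuid import uuid4

    missing = Sensor.check_required(request.json)
    if missing:
        return error_response(errors.API_FIELDS_MISSING.format(missing), 400)
    # NOTE(review): every JSON key reaches the constructor; nothing stops a
    # caller from setting columns beyond the required ones.
    sensor = Sensor(**request.json)
    # The uuid is the sensor's credential (the sensor auth wrapper accepts it
    # as both username and password), so it must be unguessable. uuid1() is
    # built from a timestamp and the host's node id and can be predicted;
    # uuid4() is drawn from the OS CSPRNG.
    sensor.uuid = str(uuid4())
    sensor.ip = request.remote_addr
    try:
        db.session.add(sensor)
        # Flush first so a name collision is detected before a credential is
        # registered with Clio; otherwise a rejected request would leave an
        # orphaned auth key behind.
        db.session.flush()
        Clio().authkey.new(**sensor.new_auth_dict()).post()
        db.session.commit()
    except IntegrityError:
        # Reset the failed transaction so the session stays usable.
        db.session.rollback()
        return error_response(
            errors.API_SENSOR_EXISTS.format(request.json['name']), 400)
    return jsonify(sensor.to_dict())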
def wrapped_view(*args, **kwargs):
    """Run *view* for a logged-in user or for a sensor presenting its uuid.

    A sensor authenticates with HTTP Basic auth, sending its uuid as both the
    username and the password; the uuid must match exactly one Sensor row.
    Everything else gets a 401.
    """
    if current_user and current_user.is_authenticated:
        return view(*args, **kwargs)
    auth = request.authorization
    if auth:
        username = auth.get('username')
        # The uuid is the entire credential here, so this check is only as
        # strong as the unpredictability of how sensor uuids are generated.
        if username == auth.get('password') and \
                Sensor.query.filter_by(uuid=username).count() == 1:
            return view(*args, **kwargs)
    return error_response(errors.API_NOT_AUTHORIZED, 401)
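def wrapped_view(*args, **kwargs):
    """Run *view* for a logged-in user or for a body carrying the deploy key.

    The deploy key is the shared secret in ``current_app.config['DEPLOY_KEY']``,
    sent as ``deploy_key`` in the JSON body. Requests without a JSON body,
    without the field, or with a non-matching key get a 401.
    """
    import hmac

    if current_user and current_user.is_authenticated:
        return view(*args, **kwargs)

    # request.json is None when the body is not JSON; `'x' in None` would
    # raise and turn an unauthenticated request into a 500.
    payload = request.json or {}
    if 'deploy_key' in payload:
        expected = current_app.config['DEPLOY_KEY']
        supplied = payload['deploy_key']
        if expected is not None and supplied is not None:
            # Both sides as UTF-8 bytes: compare_digest rejects mixed
            # text/bytes, and JSON may deliver the key as text while the
            # config holds a native str; '%s' also tolerates non-string JSON.
            expected_b = ('%s' % (expected,)).encode('utf-8')
            supplied_b = ('%s' % (supplied,)).encode('utf-8')
            # Constant-time comparison so response timing does not leak how
            # many leading characters of the key were correct.
            if hmac.compare_digest(expected_b, supplied_b):
                return view(*args, **kwargs)
    return error_response(errors.API_NOT_AUTHORIZED, 401)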
def _get_one_resource(resource, res_id):
    """Look up *res_id* on *resource* and return it as JSON, or a 404.

    A malformed id (``InvalidId`` raised by the lookup) is treated the same as
    a missing document instead of surfacing as a 500.
    """
    try:
        found = resource.get(_id=res_id)
    except InvalidId:
        return error_response(errors.API_RESOURCE_NOT_FOUND, 404)
    if found:
        return jsonify(found.to_dict())
    return error_response(errors.API_RESOURCE_NOT_FOUND, 404)
def create_script():
    """Create a Script owned by the current user from the JSON body.

    Returns the script's dict, or 400 listing the missing required fields.
    """
    missing = Script.check_required(request.json)
    if missing:
        return error_response(errors.API_FIELDS_MISSING.format(missing), 400)
    # NOTE(review): every JSON key reaches the constructor. The owner is
    # overwritten with current_user afterwards, but other non-required
    # columns stay caller-controlled — confirm Script has nothing sensitive.
    script = Script(**request.json)
    script.user = current_user
    db.session.add(script)
    db.session.commit()
    return jsonify(script.to_dict())
def wrapped_view(*args, **kwargs):
    """Run *view* for a logged-in user or a request whose ``api_key`` query
    parameter matches a stored ApiKey; otherwise answer 401.
    """
    if current_user and current_user.is_authenticated:
        return view(*args, **kwargs)
    # NOTE(review): the key travels in the query string, so it lands in
    # access logs, proxies and browser history; a header would be safer.
    # Only the key's existence is checked, not whether its owning user is
    # still active.
    supplied = request.args.get('api_key', '')
    if supplied and ApiKey.query.filter_by(api_key=supplied).first():
        return view(*args, **kwargs)
    return error_response(errors.API_NOT_AUTHORIZED, 401)
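def get_script():
    """Return the deploy script selected by the ``script_id`` query parameter.

    With ``text=1`` or ``text=true`` the raw script body is sent as a
    downloadable ``deploy.sh`` attachment; otherwise the script's dict is
    returned as JSON. A missing parameter or an unknown id yields 404.
    """
    script_id = request.args.get('script_id')
    if not script_id:
        return error_response(errors.API_RESOURCE_NOT_FOUND, 404)
    script = DeployScript.query.get(script_id)
    if script is None:
        # query.get() yields None for an unknown primary key; answer 404
        # rather than dereferencing it and producing a 500.
        return error_response(errors.API_RESOURCE_NOT_FOUND, 404)
    if request.args.get('text') in ('1', 'true'):
        resp = make_response(script.script)
        resp.headers['Content-Disposition'] = "attachment; filename=deploy.sh"
        return resp
    return jsonify(script.to_dict())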