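def get_session(self):
    """
    Return the user session for the current authentication as a JSON response.

    Three sources are consulted, in this order:
      1. an OAuth access token in the HTTP Authorization header, verified via
         self.oauth.verify_request([self.oauth_scope]);
      2. an access_token / actor_id pair remembered in the server-side Flask
         session (the "quick reload" path for returning clients);
      3. the plain Flask session / cookie as returned by get_auth().

    Any exception is converted into build_json_error(), matching the other
    request handlers in this class.
    """
    try:
        # 1. OAuth bearer token in the Authorization header.
        auth_hdr = request.headers.get("authorization", None)
        if auth_hdr:
            valid, req = self.oauth.verify_request([self.oauth_scope])
            if valid:
                actor_id = flask.g.oauth_user.get("actor_id", "")
                actor_user = self.idm_client.read_actor_identity(actor_id)
                session_attrs = dict(is_logged_in=True, is_registered=True,
                                     attributes={"roles": actor_user.details.contact.roles},
                                     roles={})
                if actor_user.session:
                    session_attrs.update(actor_user.session)
                return build_json_response(session_attrs)
            # An Authorization header that fails verification falls through to
            # the cookie-based paths below.

        # 2. Quick reload: token and actor id remembered in the server session.
        access_token = flask.session.get("access_token", None)
        actor_id = flask.session.get("actor_id", None)
        if access_token and actor_id:
            actor_user = self.idm_client.read_actor_identity(actor_id)
            # A remembered cookie must not keep a user logged in indefinitely:
            # honor the persisted session's valid_until (seconds, compared in
            # millis like the cookie path below) and treat a missing persisted
            # session as logged out instead of reporting is_logged_in=True.
            persisted = actor_user.session
            if not persisted or 0 < int(persisted.get("valid_until", 0)) * 1000 < current_time_millis():
                clear_auth()
                return build_json_response(get_auth())
            # NOTE(review): only the persisted expiry is checked here; a token
            # record that logout marked CANCELLED is not consulted. Confirm that
            # clear_auth() on logout is sufficient against cookie replay.
            session_attrs = dict(access_token=access_token, is_logged_in=True, is_registered=True,
                                 attributes={"roles": actor_user.details.contact.roles},
                                 roles={})
            session_attrs.update(persisted)
            return build_json_response(session_attrs)

        # 3. Plain Flask session / cookie; drop it once valid_until has passed.
        user_info = get_auth()
        if 0 < int(user_info.get("valid_until", 0)) * 1000 < current_time_millis():
            clear_auth()
            user_info = get_auth()
        return build_json_response(user_info)
    except Exception:
        return build_json_error()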
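def auth_external(self, username, ext_user_id, ext_id_provider="ext"):
    """
    Establish a user session for a user already authenticated by an external
    identity provider (IdP) and return the user info from the new session.

    The system-local username is derived by convention as
    ext_id_provider + ":" + username (e.g. "ext:johnbean"). That name is
    resolved to an actor_id through the identity management client and a
    server-side (cookie) session is created for it.

    If the user is not registered, the lookup raises NotFound, which -- like
    every other exception here -- is turned into build_json_error(); the caller
    can react and create a user account through the normal system means.

    @param username         the user name the user recognizes
    @param ext_user_id      a unique identifier coming from the external IdP
    @param ext_id_provider  identifies the external IdP service
    """
    try:
        if not (ext_user_id and ext_id_provider and username):
            raise BadRequest("External user info missing")
        # Both fields must be formatted in; the stated convention is
        # provider + ":" + username.
        local_username = "%s:%s" % (ext_id_provider, username)
        # NOTE(review): ext_user_id is only checked for presence -- the resolved
        # actor is never cross-checked against it, so the session is keyed on
        # username alone. Confirm the caller has verified the IdP assertion.
        actor_id = self.idm_client.find_actor_identity_by_username(local_username)
        user_info = self._set_server_session(actor_id, local_username)
        return build_json_response(user_info)
    except Exception:
        return build_json_error()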
def login(self):
    """
    Username/password login. Credentials are read from the request arguments,
    checked through the identity management client, and the resulting user
    info is returned as a JSON response. Missing credentials raise BadRequest;
    that and any other failure are answered with build_json_error().
    """
    try:
        username = get_arg("username")
        password = get_arg("password")
        if not (username and password):
            raise BadRequest("Username or password missing")
        actor_id = self.idm_client.check_actor_credentials(username, password)
        user_info = self._get_user_info(actor_id, username)
        return build_json_response(user_info)
    except Exception:
        return build_json_error()
def login(self):
    """
    Explicit (non-token) login that creates a cookie-based server session.

    Username and password come from the request arguments and are verified via
    the identity management client; the new session's user info is returned as
    JSON. Missing credentials raise BadRequest; every failure is reported
    through build_json_error().
    """
    try:
        username = get_arg("username")
        password = get_arg("password")
        if not (username and password):
            raise BadRequest("Username or password missing")
        actor_id = self.idm_client.check_actor_credentials(username, password)
        user_info = self._set_server_session(actor_id, username)
        return build_json_response(user_info)
    except Exception:
        return build_json_error()
def logout(self):
    """
    End the current user session.

    If an access token is presented (bearer header first, else the one held in
    the Flask session) its stored record is marked CANCELLED with a timestamp
    and reason; a missing record is ignored and any other error while
    cancelling is logged but does not prevent logout. The server session is
    then cleared and "OK" returned; an unexpected error yields build_json_error().
    """
    try:
        token = get_req_bearer_token() or flask.session.get("access_token", None)
        if token:
            try:
                # Persist the cancellation so the token cannot be reused later.
                store = ui_instance.container.object_store
                record = store.read(str("access_token_%s" % token))
                record.status = "CANCELLED"
                record.attributes["cancel_ts"] = get_ion_ts_millis()
                record.attributes["cancel_msg"] = "User logout"
                store.update(record)
                log.info("Invalidated stored access token for user=%s", record.actor_id)
            except NotFound:
                pass
            except Exception:
                log.exception("Error invalidating access token")
        clear_auth()
        return build_json_response("OK")
    except Exception:
        return build_json_error()
def get_session(self):
    """
    Returns user session information for current authentication.
    This can be polled regularly by client code to detect changes in session state and expiration.

    Sources are tried in order: OAuth bearer token in the Authorization
    header; then (only if self.remember_user) an access_token/actor_id pair
    held in the server-side Flask session; finally the plain Flask session /
    cookie via get_auth(). Any exception becomes build_json_error().
    """
    def call_extend_session_attrs(session_attrs, actor_user):
        """ Call UI extensions to make additions to user session """
        # Each extension may mutate session_attrs in place; a failing extension
        # is logged and skipped so one bad extension cannot break the endpoint.
        for ext_obj in self.extension_objs:
            func = getattr(ext_obj, "extend_user_session_attributes", None)
            if func:
                try:
                    func(session_attrs, actor_user)
                except Exception:
                    log.exception("Error calling UI extension extend_user_session_attributes()")

    try:
        # Get user session from OAuth access token in HTTP Authorization header
        auth_hdr = request.headers.get("authorization", None)
        if auth_hdr:
            valid, req = self.oauth.verify_request([self.oauth_scope])
            # Note: Do NOT extend session timeout here!
            if valid:
                actor_id = flask.g.oauth_user.get("actor_id", "")
                actor_user = self.idm_client.read_actor_identity(actor_id)
                session_attrs = dict(is_logged_in=True, is_registered=True, attributes={"roles": actor_user.details.contact.roles}, roles={})
                if actor_user.session:
                    session_attrs.update(actor_user.session)
                call_extend_session_attrs(session_attrs, actor_user)
                return build_json_response(session_attrs)
            # A header that fails verification falls through to the cookie paths.

        if self.remember_user:
            # Get user session from user_id/access_token placed inside server session (Cookie)
            # This is a feature to allow returning users to resume a session if still valid
            access_token = flask.session.get("access_token", None)
            actor_id = flask.session.get("actor_id", None)
            if access_token and actor_id:
                actor_user = self.idm_client.read_actor_identity(actor_id)
                # The remembered token is echoed back to the client in the response.
                session_attrs = dict(access_token=access_token, is_logged_in=True, is_registered=True, attributes={"roles": actor_user.details.contact.roles}, roles={})
                if actor_user.session:
                    # Check validity in persisted user session
                    # valid_until is in seconds; current_time_millis() in milliseconds.
                    # NOTE(review): only this expiry is checked -- a token record that
                    # logout marked CANCELLED is not consulted here; confirm clear_auth()
                    # on logout is sufficient against replay of a copied session cookie.
                    if 0 < int(actor_user.session.get("valid_until", 0)) * 1000 < current_time_millis():
                        clear_auth()
                        return build_json_response(get_auth())
                    session_attrs.update(actor_user.session)
                else:
                    # No trace of existing session in user object
                    clear_auth()
                    return build_json_response(get_auth())
                call_extend_session_attrs(session_attrs, actor_user)
                return build_json_response(session_attrs)

        # Get user session from Flask session and cookie (non-token mode)
        user_info = get_auth()
        if 0 < int(user_info.get("valid_until", 0)) * 1000 < current_time_millis():
            clear_auth()   # Clear expired session
            user_info = get_auth()
        call_extend_session_attrs(user_info, None)
        return build_json_response(user_info)
    except Exception:
        return build_json_error()
def logout(self):
    """
    Clear the server-side session and acknowledge with "OK".
    Any failure is reported through build_json_error().
    """
    try:
        clear_auth()
        response = build_json_response("OK")
    except Exception:
        response = build_json_error()
    return response