def migrate_database(db):
driver = SQLAlchemyDriver(db)
migrate(driver)
logger.info("Done.")
def get_db_session(db=None):
if db:
return SQLAlchemyDriver(db).Session()
else:
return current_session
def force_update_google_link(DB, username, google_email, expires_in=None):
"""
WARNING: This function circumvents Google Auth flow, and should only be
used for internal testing!
WARNING: This function assumes that a user already has a proxy group!
Adds user's google account to proxy group and/or updates expiration for
that google account's access.
WARNING: This assumes that provided arguments represent valid information.
This BLINDLY adds without verification. Do verification
before this.
Specifically, this ASSUMES that the proxy group provided belongs to the
given user and that the user has ALREADY authenticated to prove the
provided google_email is also their's.
Args:
DB
username (str): Username to link with
google_email (str): Google email to link to
Raises:
NotFound: Linked Google account not found
Unauthorized: Couldn't determine user
Returns:
Expiration time of the newly updated google account's access
"""
cirrus_config.update(**config["CIRRUS_CFG"])
db = SQLAlchemyDriver(DB)
with db.session as session:
user_account = query_for_user(session=session, username=username)
if user_account:
user_id = user_account.id
proxy_group_id = user_account.google_proxy_group_id
else:
raise Unauthorized("Could not determine authed user "
"from session. Unable to link Google account.")
user_google_account = (session.query(UserGoogleAccount).filter(
UserGoogleAccount.email == google_email).first())
if not user_google_account:
user_google_account = add_new_user_google_account(
user_id, google_email, session)
# timestamp at which the SA will lose bucket access
# by default: use configured time or 7 days
expiration = int(time.time()) + config.get(
"GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN", 604800)
if expires_in:
is_valid_expiration(expires_in)
# convert it to timestamp
requested_expiration = int(time.time()) + expires_in
expiration = min(expiration, requested_expiration)
force_update_user_google_account_expiration(user_google_account,
proxy_group_id,
google_email, expiration,
session)
session.commit()
return expiration
def create_client(
username,
urls,
DB,
name="",
description="",
auto_approve=False,
is_admin=False,
grant_types=None,
confidential=True,
arborist=None,
policies=None,
allowed_scopes=None,
):
client_id = random_str(40)
if arborist is not None:
arborist.create_client(client_id, policies)
grant_types = grant_types
driver = SQLAlchemyDriver(DB)
client_secret = None
hashed_secret = None
if confidential:
client_secret = random_str(55)
hashed_secret = bcrypt.hashpw(
client_secret.encode("utf-8"), bcrypt.gensalt()
).decode("utf-8")
auth_method = "client_secret_basic" if confidential else "none"
allowed_scopes = allowed_scopes or config["CLIENT_ALLOWED_SCOPES"]
if not set(allowed_scopes).issubset(set(config["CLIENT_ALLOWED_SCOPES"])):
raise ValueError(
"Each allowed scope must be one of: {}".format(
config["CLIENT_ALLOWED_SCOPES"]
)
)
if "openid" not in allowed_scopes:
allowed_scopes.append("openid")
logger.warning('Adding required "openid" scope to list of allowed scopes.')
with driver.session as s:
user = query_for_user(session=s, username=username)
if not user:
user = User(username=username, is_admin=is_admin)
s.add(user)
if s.query(Client).filter(Client.name == name).first():
if arborist is not None:
arborist.delete_client(client_id)
raise Exception("client {} already exists".format(name))
client = Client(
client_id=client_id,
client_secret=hashed_secret,
user=user,
redirect_uris=urls,
_allowed_scopes=" ".join(allowed_scopes),
description=description,
name=name,
auto_approve=auto_approve,
grant_types=grant_types,
is_confidential=confidential,
token_endpoint_auth_method=auth_method,
)
s.add(client)
s.commit()
return client_id, client_secret