def invalidate_all_tokens(self, user=None): if user is None: user = self.get_user() user.uuid = getUUID() user.save() return True
def fill_payload(self, userobj, expiration=None, token_type=None): """ Informations to store inside the JWT token, starting from the user obtained from the current service Claim attributes listed here: http://blog.apcelent.com/json-web-token-tutorial-example-python.html TTL is measured in seconds """ if expiration is None: expiration = timedelta(seconds=self.longTTL) payload = {'user_id': userobj.uuid, 'jti': getUUID()} short_jwt = \ Detector.get_global_var('AUTH_FULL_JWT_PAYLOAD', '') \ .lower() == 'false' if token_type is not None: if token_type == self.PWD_RESET or \ token_type == self.ACTIVATE_ACCOUNT: short_jwt = True payload["t"] = token_type if not short_jwt: now = datetime.now(pytz.utc) nbf = now # you can add a timedelta exp = now + expiration payload['iat'] = now payload['nbf'] = nbf payload['exp'] = exp return self.fill_custom_payload(userobj, payload)
def invalidate_all_tokens(self, user=None): """ To invalidate all tokens the user uuid is changed """ if user is None: user = self._user user.uuid = getUUID() user.save() log.warning("User uuid changed to: %s", user.uuid) return True
def test(): # 7de267d0-4680-4530-9861-d3c5204a2e46 regexp = r"[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}" u = getUUID() assert u is not None assert isinstance(u, str) assert len(u) == 36 assert re.match(regexp, u) is not None assert u != getUUID() u = getUUIDfromString("test") assert u is not None assert isinstance(u, str) assert len(u) == 36 assert re.match(regexp, u) is not None assert u == getUUIDfromString("test") assert u != getUUIDfromString("test2")
def write_key_and_cert(self, key, cert): proxycertcontent = cert.decode() if proxycertcontent is None or proxycertcontent.strip() == '': return None tempfile = "/tmp/%s" % getUUID() flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL with os.fdopen(os.open(tempfile, flags, 0o600), 'w') as f: f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode()) f.write(proxycertcontent) return tempfile
def invalidate_all_tokens(self, user=None): """ To invalidate all tokens the user uuid is changed """ if user is None: user = self._user user.uuid = getUUID() self.db.session.add(user) self.db.session.commit() log.warning("User uuid changed to: %s", user.uuid) return True
def __init__(self, services, app=None): sql = services.get('sqlalchemy', None) if sql is None: log.critical("Unable to retrieve sqlalchemy service") return if app is None: log.critical("Unable to retrieve app context") return if os.environ.get('SEADATA_PROJECT', False): with app.app_context(): users = os.environ.get('SEADATA_PRIVILEGED_USERS') if users is None or users == "": users = [] else: users = users.replace(' ', '').split(',') # users = ['stresstest', 'svanderhorst'] roles = ['normal_user', 'staff_user'] if len(users) == 0: log.info("No privileged user found") else: for username in users: if username == "": log.warning("Invalid username: [%s]", username) continue try: log.info("Creating user %s", username) userdata = { "uuid": getUUID(), "email": username, "name": username, "surname": 'iCAT', "authmethod": 'irods', } user = sql.User(**userdata) for r in roles: user.roles.append( sql.Role.query.filter_by(name=r).first()) sql.session.add(user) sql.session.commit() log.info("User %s created with roles: %s", username, roles) except BaseException as e: log.error("Errors creating user %s: %s", username, str(e))
def irods_user(self, username, session): # create user user = self.db.User( email=username, name=username, surname='iCAT', uuid=getUUID(), authmethod='irods', session=session, ) # add role user.roles.append( self.db.Role.query.filter_by(name=self.default_role).first()) # save self.db.session.add(user) from sqlalchemy.exc import IntegrityError try: self.db.session.commit() log.info('Cached iRODS user: %s', username) except IntegrityError: # rollback current commit self.db.session.rollback() log.warning("iRODS user already cached: %s", username) # get the existing object user = self.get_user_object(username) # update only the session field user.session = session # token token, jti = self.create_token(self.fill_payload(user)) now = datetime.now(pytz.utc) if user.first_login is None: user.first_login = now user.last_login = now self.db.session.add(user) self.db.session.commit() self.save_token(user, token, jti) return token, username
def init_users_and_roles(self): missing_role = missing_user = False try: # if no roles missing_role = not self.db.Role.query.first() if missing_role: log.warning("No roles inside db. Injected defaults.") for role in self.default_roles: sqlrole = self.db.Role(name=role, description="automatic") self.db.session.add(sqlrole) # if no users missing_user = not self.db.User.query.first() if missing_user: log.warning("No users inside db. Injected default.") self.create_user( { 'uuid': getUUID(), 'email': self.default_user, # 'authmethod': 'credentials', 'name': 'Default', 'surname': 'User', # 'password': self.hash_password(self.default_password) 'password': self.default_password }, roles=self.default_roles) except sqlalchemy.exc.OperationalError: raise AttributeError("Existing SQL tables are not consistent " + "to existing models. Please consider " + "rebuilding your DB.") if missing_user or missing_role: self.db.session.commit()
def store_oauth2_user(self, current_user, token): """ Allow external accounts (oauth2 credentials) to be connected to internal local user """ try: values = current_user.data except BaseException: return None, "Authorized response is invalid" # print("TEST", values, type(values)) if not isinstance(values, dict) or len(values) < 1: return None, "Authorized response is empty" email = values.get('email') cn = values.get('cn') ui = values.get('unity:persistent') # DN very strange: the current key is something like 'urn:oid:2.5.4.49' # is it going to change? dn = None for key, _ in values.items(): if 'urn:oid' in key: dn = values.get(key) if dn is None: return None, "Missing DN from authorized response..." # Check if a user already exists with this email internal_user = None internal_users = self.db.User.query.filter( self.db.User.email == email).all() # If something found if len(internal_users) > 0: # Should never happen, please if len(internal_users) > 1: log.critical("Multiple users?") return None, "Server misconfiguration" internal_user = internal_users.pop() log.debug("Existing internal user: %s", internal_user) # A user already locally exists with another authmethod. Not good. if internal_user.authmethod != 'oauth2': return None, "Creating a user which locally already exists" # If missing, add it locally else: # Create new one internal_user = self.db.User(uuid=getUUID(), email=email, authmethod='oauth2') # link default role into users internal_user.roles.append( self.db.Role.query.filter_by(name=self.default_role).first()) self.db.session.add(internal_user) self.db.session.commit() log.info("Created internal user %s", internal_user) # Get ExternalAccount for the oauth2 data if exists external_user = self.db.ExternalAccounts \ .query.filter_by(username=email).first() # or create it otherwise if external_user is None: external_user = self.db.ExternalAccounts(username=email, unity=ui) # Connect the external account to the current user external_user.main_user = internal_user # Note: for pre-production release # we allow only one external account per local user log.info("Created external user %s", external_user) # Update external user data to latest info received external_user.email = email external_user.token = token external_user.certificate_cn = cn external_user.certificate_dn = dn self.db.session.add(external_user) self.db.session.commit() log.debug("Updated external user %s", external_user) return internal_user, external_user
def init_users_and_roles(self): missing_role = missing_user = False roles = [] transactions = [] try: # if no roles cursor = self.db.Role.objects.all() missing_role = len(list(cursor)) < 1 for role in self.default_roles: role = self.db.Role(name=role, description="automatic") if missing_role: transactions.append(role) roles.append(role) if missing_role: log.warning("No roles inside mongo. Injected defaults.") # if no users cursor = self.db.User.objects.all() missing_user = len(list(cursor)) < 1 if missing_user: self.create_user( { 'uuid': getUUID(), 'email': self.default_user, # 'authmethod': 'credentials', 'name': 'Default', 'surname': 'User', # 'password': self.hash_password(self.default_password) 'password': self.default_password }, roles=roles) # user = self.db.User( # uuid=getUUID(), # email=self.default_user, # authmethod='credentials', # name='Default', surname='User', # password=self.hash_password(self.default_password)) # link roles into users # user.roles = roles # for role in roles: # user.roles.append(role) # transactions.append(user) log.warning("No users inside mongo. Injected default.") except BaseException as e: raise AttributeError("Models for auth are wrong:\n%s" % e) if missing_user or missing_role: for transaction in transactions: transaction.save() log.info("Saved init transactions")
def custom_user_properties(self, userdata): new_userdata = super(Authentication, self).custom_user_properties(userdata) if not new_userdata.get('uuid'): new_userdata['uuid'] = getUUID() return new_userdata