def __init__(self): super(ConfdAuth, self).__init__() self.get_password(accesswebservice_dao.get_password) self.auth_verifier = AuthVerifier() self._auth_host = None self._auth_port = None self._allowed_port = None
from flask_restful import Resource from functools import wraps from xivo import ( mallow_helpers, rest_api_helpers, ) from xivo.auth_verifier import AuthVerifier from .exceptions import ( AsteriskARIError, AsteriskARIUnreachable, ) auth_verifier = AuthVerifier() def handle_ari_exception(func): @wraps(func) def wrapper(*args, **kwargs): try: return func(*args, **kwargs) except ARIHTTPError as e: raise AsteriskARIError({'base_url': e.client.base_url}, e.original_error, e.original_message) except ARIException as e: raise AsteriskARIUnreachable({'base_url': e.client.base_url}, e.original_error, e.original_message) return wrapper
def get_tenants(self, user_uuid): tenants = current_app.config['user_service'].list_tenants(user_uuid) return { 'items': [ {'uuid': tenant['uuid'], 'name': tenant['name']} for tenant in tenants ] } def __init__(self): self.token = self.TokenCommand() self.users = self.UsersCommand() auth_verifier = AuthVerifier(extract_token_id=extract_token_id_from_query_or_header) auth_verifier.set_client(AuthClientFacade()) def handle_manager_exception(func): @functools.wraps(func) def wrapper(*args, **kwargs): try: return func(*args, **kwargs) except exceptions.TokenServiceException as error: return _error(error.code, str(error)) return wrapper class ErrorCatchingResource(Resource):
class ConfdAuth(HTTPDigestAuth): ALLOWED_HOST = '127.0.0.1' def __init__(self): super(ConfdAuth, self).__init__() self.get_password(accesswebservice_dao.get_password) self.auth_verifier = AuthVerifier() self._auth_host = None self._auth_port = None self._allowed_port = None def set_config(self, config): self._auth_host = config['auth']['host'] self._auth_port = config['auth']['port'] try: self._allowed_port = str(config['rest_api']['http']['port']) except KeyError: pass # None is fine if http is not enabled self.auth_verifier.set_config(config['auth']) def login_required(self, func): auth_func = super(ConfdAuth, self).login_required(func) @wraps(func) def decorated(*args, **kwargs): if self._remote_address_allowed(): return func(*args, **kwargs) elif self._verify_token(func, *args, **kwargs): return func(*args, **kwargs) return auth_func(*args, **kwargs) return decorated def _remote_address_allowed(self): # check localhost first to avoid accessing the database for nothing remote_addr = request.remote_addr remote_port = request.environ['SERVER_PORT'] if remote_addr == self.ALLOWED_HOST and remote_port == self._allowed_port: return True return remote_addr in accesswebservice_dao.get_allowed_hosts() def _verify_token(self, func, *args, **kwargs): try: token = self.auth_verifier.token() required_acl = self._acl(func, *args, **kwargs) token_is_valid = self.auth_verifier.client().token.is_valid( token, required_acl) except requests.RequestException as e: message = 'Authentication server on {host}:{port} unreachable: {error}' logger.error( message.format(host=self._auth_host, port=self._auth_port, error=e)) return False return token_is_valid def _acl(self, func, *args, **kwargs): required_acl = self.auth_verifier.acl(func, *args, **kwargs) if not required_acl: return 'confd.#' return required_acl