def create_new_user(context: Dict[str, Any], new_user_data: Dict[str, Any],
project_name: str) -> bool:
analizable_list = list(new_user_data.values())[1:-1]
if (all(validate_alphanumeric_field(field) for field in analizable_list)
and validate_phone_field(new_user_data['phone_number'])
and validate_email_address(new_user_data['email'])):
email = new_user_data['email']
organization = new_user_data['organization']
responsibility = new_user_data['responsibility']
role = new_user_data['role']
phone_number = new_user_data['phone_number']
else:
return False
success = False
if not user_domain.get_data(email, 'email'):
user_domain.create(email.lower(), {
'company': organization.lower(),
'phone': phone_number
})
if not user_domain.is_registered(email):
user_domain.register(email)
user_domain.assign_role(email, role)
user_domain.update(email, organization.lower(), 'company')
elif user_domain.is_registered(email):
user_domain.assign_role(email, role)
if project_name and responsibility and len(responsibility) <= 50:
project_domain.add_access(email, project_name, 'responsibility',
responsibility)
else:
util.cloudwatch_log(
context,
'Security: {email} Attempted to add responsibility to project \
{project} without validation'.format(email=email,
project=project_name))
if phone_number and phone_number[1:].isdigit():
user_domain.add_phone_to_user(email, phone_number)
if project_name and role == 'customeradmin':
project_domain.add_user(project_name.lower(), email.lower(), role)
if project_name and user_domain.update_project_access(
email, project_name, True):
description = project_domain.get_description(project_name.lower())
project_url = \
'https://fluidattacks.com/integrates/dashboard#!/project/' \
+ project_name.lower() + '/indicators'
mail_to = [email]
context = {
'admin': email,
'project': project_name,
'project_description': description,
'project_url': project_url,
}
email_send_thread = \
threading.Thread(name='Access granted email thread',
target=send_mail_access_granted,
args=(mail_to, context,))
email_send_thread.start()
success = True
return success
def resolve_authorized(self, info):
""" Resolve user authorization """
jwt_content = util.get_jwt_content(info.context)
user_email = jwt_content.get('user_email')
self.authorized = user_domain.is_registered(user_email)
return self.authorized
def mutate(_, info, auth_token, provider, push_token):
authorized = False
session_jwt = ''
success = False
if provider == 'google':
try:
user_info = id_token.verify_oauth2_token(
auth_token, requests.Request())
if user_info['iss'] not in [
'accounts.google.com', 'https://accounts.google.com'
]:
rollbar.report_message('Error: Invalid oauth2 issuer',
'error', info.context,
user_info['iss'])
raise GraphQLError('INVALID_AUTH_TOKEN')
if user_info['aud'] not in [
FI_GOOGLE_OAUTH2_KEY_ANDROID, FI_GOOGLE_OAUTH2_KEY_IOS
]:
rollbar.report_message('Error: Invalid oauth2 audience',
'error', info.context,
user_info['aud'])
raise GraphQLError('INVALID_AUTH_TOKEN')
email = user_info['email']
authorized = user_domain.is_registered(email)
if push_token:
user_dal.update(email,
{'devices_to_notify': set(push_token)})
session_jwt = jwt.encode(
{
'user_email':
email,
'user_role':
user_domain.get_data(email, 'role'),
'company':
user_domain.get_data(email, 'company'),
'first_name':
user_info['given_name'],
'last_name':
user_info['family_name'],
'exp':
datetime.utcnow() +
timedelta(seconds=settings.SESSION_COOKIE_AGE)
},
algorithm='HS512',
key=settings.JWT_SECRET,
)
success = True
except ValueError:
util.cloudwatch_log(
info.context,
'Security: Sign in attempt using invalid Google token')
raise GraphQLError('INVALID_AUTH_TOKEN')
else:
rollbar.report_message('Error: Unknown auth provider' + provider,
'error')
raise GraphQLError('UNKNOWN_AUTH_PROVIDER')
return SignIn(authorized, session_jwt, success)
def mutate(_, info, remember):
user_email = util.get_jwt_content(info.context)['user_email']
is_registered = user_domain.is_registered(user_email)
if is_registered:
user_domain.update_legal_remember(user_email, remember)
success = True
else:
success = False
return AcceptLegal(success=success)
def resolve_accept_legal(_, info, remember=False):
"""Resolve accept_legal mutation."""
user_email = util.get_jwt_content(info.context)['user_email']
is_registered = user_domain.is_registered(user_email)
if is_registered:
user_domain.update_legal_remember(user_email, remember)
success = True
else:
success = False
return dict(success=success)
def check_registered(strategy, details, backend, *args, **kwargs):
del args
del kwargs
del backend
email = details['email'].lower()
is_registered = user_domain.is_registered(email)
last_login = user_domain.get_data(email, 'last_login')
role = user_domain.get_data(email, 'role')
company = user_domain.get_data(email, 'company')
strategy.session_set('username', email)
strategy.session_set('registered', is_registered)
if role == 'customeradmin':
role = 'customer'
else:
# different role
pass
strategy.session_set('role', role)
strategy.session_set('company', company)
strategy.session_set('last_login', last_login)
strategy.session_set('projects', {})
def is_registered(user: str) -> bool:
""" Verify if the user is registered. """
return user_domain.is_registered(user)
def _get_authorized(jwt_content):
"""Get user authorization."""
user_email = jwt_content.get('user_email')
result = user_domain.is_registered(user_email)
return dict(authorized=result)
