def get_service(id):
    """Return a service's metadata together with every credential it maps to.

    Basic authentication is accepted on this endpoint. A caller in the
    ``service`` role may only read its own record (``authnz.user_is_service``);
    other roles are not restricted here.

    Responses:
      200 with the service document on success.
      401 with ``{'error': ...}`` when a service-role caller asks for a
          different service's record.
      404 with ``{}`` when no record exists for ``id`` or the record's
          ``data_type`` is not ``service`` / ``archive-service``.
      500 with ``{'error': 'Decryption error.'}`` when credential lookup
          raises ``KeyError``.
    """
    is_service_caller = authnz.user_in_role('service')
    if is_service_caller and not authnz.user_is_service(id):
        log.warning('Authz failed for service {0}.'.format(id))
        # NOTE(review): this is an authorization failure; 403 would be the
        # conventional status. Kept as 401 so existing clients keep working.
        return jsonify({'error': 'Authenticated user is not authorized.'}), 401
    log.debug('Authz succeeded for service {0}.'.format(id))

    try:
        service = Service.get(id)
    except Service.DoesNotExist:
        return jsonify({}), 404
    # The model can hold other data_type values; only service documents are
    # served from this endpoint, anything else is reported as missing.
    if service.data_type not in ('service', 'archive-service'):
        return jsonify({}), 404

    try:
        credentials = _get_credentials(service.credentials)
    except KeyError:
        return jsonify({'error': 'Decryption error.'}), 500

    body = {
        'id': service.id,
        'credentials': credentials,
        'enabled': service.enabled,
        'revision': service.revision,
        'modified_date': service.modified_date,
        'modified_by': service.modified_by,
    }
    return jsonify(body)
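def decorated(*args, **kwargs):
    """Authenticate the request, then call the wrapped view ``f``.

    Two schemes are accepted, KMS auth taking precedence:

    * KMS auth -- either HTTP basic auth (username = caller, password =
      token) or the ``X-Auth-From`` / ``X-Auth-Token`` headers. The token is
      decrypted with ``keymanager.decrypt_token`` and a successful caller is
      given the ``service`` role.
    * Google OAuth2 -- everything else. A session carrying
      ``session['google_oauth2']['email']`` is already logged in and gets the
      ``user`` role (subject to the ``USERS_FILE`` allowlist); otherwise the
      authomatic login flow is started.

    Authentication is skipped entirely when ``USE_AUTH`` is off.

    Returns whatever ``f`` returns, the authomatic response while the OAuth
    flow is in progress, a redirect to ``index`` right after a fresh login,
    or ``abort(403)`` on any denial.
    """
    if not app.config.get('USE_AUTH'):
        return f(*args, **kwargs)

    auth = request.authorization
    headers = request.headers
    # NOTE(review): a basic-auth header whose password is absent (None) still
    # counts as KMS auth here because ``None != ''``; left unchanged.
    using_basic_kms_auth = (
        auth and auth.get('username') and auth.get('password') != '')
    using_kms_auth = ('X-Auth-Token' in headers and 'X-Auth-From' in headers)

    # ``func_name`` exists only on Python 2 function objects; ``__name__``
    # works on both 2 and 3.
    view_name = f.__name__

    if using_basic_kms_auth or using_kms_auth:
        # Caller supplied basic auth info or the explicit KMS headers.
        # ``_from`` is caller-supplied and is echoed into the log lines below.
        if using_basic_kms_auth:
            _from = auth['username']
            token = auth['password']
        else:
            _from = headers['X-Auth-From']
            token = headers['X-Auth-Token']
        # Only the decryption itself is inside the try: a TokenDecryptionError
        # escaping from the wrapped view must not be reported as an
        # authentication failure.
        try:
            with stats.timer('decrypt_token'):
                payload = keymanager.decrypt_token(token, _from)
        except keymanager.TokenDecryptionError:
            msg = 'Access denied for {0}. Authentication Failed.'
            msg = msg.format(_from)
            log.warning(msg)
            return abort(403)
        # The decrypted token contents go to the debug log; keep that level
        # off in production unless the payload is known to be non-sensitive.
        log.debug('Auth request had the following payload:'
                  ' {0}'.format(payload))
        # Any caller holding a decryptable token is treated as a service.
        role = 'service'
        msg = 'Authenticated {0} with role {1} via kms auth'
        msg = msg.format(_from, role)
        log.debug(msg)
        if not role_has_privilege(role, view_name):
            msg = '{0} is not authorized to access {1}.'
            msg = msg.format(_from, view_name)
            log.warning(msg)
            return abort(403)
        g.auth_role = role
        g.username = _from
        return f(*args, **kwargs)

    # If not using kms auth, require google auth.
    role = 'user'
    if not role_has_privilege(role, view_name):
        return abort(403)
    if 'email' in session.get('google_oauth2', []):
        # Already logged in; optionally restrict to the USERS_FILE allowlist.
        if (app.config['USERS_FILE'] and
                get_logged_in_user_email() not in users):
            msg = 'User not authorized: {0}'
            log.warning(msg.format(get_logged_in_user_email()))
            return abort(403)
        g.auth_role = role
        return f(*args, **kwargs)

    response = make_response()
    # NOTE(review): behind a TLS-terminating proxy ``request.is_secure`` may
    # be False unless the proxy headers are trusted upstream -- confirm the
    # deployment so the session cookie keeps its Secure flag.
    secure_cookie = bool(request.is_secure)
    result = _authomatic.login(
        WerkzeugAdapter(request, response),
        'google',
        session=session,
        session_saver=lambda: app.save_session(session, response),
        secure_cookie=secure_cookie)
    if result:
        if result.error:
            msg = 'Google auth failed with error: {0}'
            log.error(msg.format(result.error.message))
            return abort(403)
        if result.user:
            result.user.update()
            user = result.user
            email_suffix = app.config['GOOGLE_AUTH_EMAIL_SUFFIX']
            # Restrict logins to the configured e-mail suffix, if one is set.
            if email_suffix and not user.email.endswith(email_suffix):
                return abort(403)
            session['google_oauth2'] = {}
            session['google_oauth2']['email'] = user.email
            session['google_oauth2']['first_name'] = user.first_name
            session['google_oauth2']['last_name'] = user.last_name
            g.auth_role = role
            # TODO: find a way to save the angular args
            # authomatic adds url params google auth has stripped the
            # angular args anyway, so let's just redirect back to the
            # index.
            return redirect(url_for('index'))
    # No finished result yet: hand back the response authomatic populated
    # (presumably the hop into the provider flow -- verify against authomatic).
    return response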
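def decorated(*args, **kwargs):
    """Authenticate the request, then call the wrapped view ``f``.

    Two schemes are accepted, KMS auth taking precedence:

    * KMS auth -- either HTTP basic auth (username = caller, password =
      token) or the ``X-Auth-From`` / ``X-Auth-Token`` headers. The token is
      decrypted with ``keymanager.decrypt_token`` and a successful caller is
      given the ``service`` role.
    * Google OAuth2 -- everything else. A session carrying
      ``session["google_oauth2"]["email"]`` is already logged in and gets the
      ``user`` role (subject to the ``USERS_FILE`` allowlist); otherwise the
      authomatic login flow is started.

    Authentication is skipped entirely when ``USE_AUTH`` is off.

    Returns whatever ``f`` returns, the authomatic response while the OAuth
    flow is in progress, a redirect to ``index`` right after a fresh login,
    or ``abort(403)`` on any denial.
    """
    if not app.config.get("USE_AUTH"):
        return f(*args, **kwargs)

    auth = request.authorization
    headers = request.headers
    # NOTE(review): a basic-auth header whose password is absent (None) still
    # counts as KMS auth here because ``None != ""``; left unchanged.
    using_basic_kms_auth = (
        auth and auth.get("username") and auth.get("password") != ""
    )
    using_kms_auth = "X-Auth-Token" in headers and "X-Auth-From" in headers

    # ``func_name`` exists only on Python 2 function objects; ``__name__``
    # works on both 2 and 3.
    view_name = f.__name__

    if using_basic_kms_auth or using_kms_auth:
        # Caller supplied basic auth info or the explicit KMS headers.
        # ``_from`` is caller-supplied and is echoed into the log lines below.
        if using_basic_kms_auth:
            _from = auth["username"]
            token = auth["password"]
        else:
            _from = headers["X-Auth-From"]
            token = headers["X-Auth-Token"]
        # Only the decryption itself is inside the try: a TokenDecryptionError
        # escaping from the wrapped view must not be reported as an
        # authentication failure.
        try:
            with stats.timer("decrypt_token"):
                payload = keymanager.decrypt_token(token, _from)
        except keymanager.TokenDecryptionError:
            msg = "Access denied for {0}. Authentication Failed."
            msg = msg.format(_from)
            log.warning(msg)
            return abort(403)
        # The decrypted token contents go to the debug log; keep that level
        # off in production unless the payload is known to be non-sensitive.
        log.debug("Auth request had the following payload:" " {0}".format(payload))
        # Any caller holding a decryptable token is treated as a service.
        role = "service"
        msg = "Authenticated {0} with role {1} via kms auth"
        msg = msg.format(_from, role)
        log.debug(msg)
        if not role_has_privilege(role, view_name):
            msg = "{0} is not authorized to access {1}."
            msg = msg.format(_from, view_name)
            log.warning(msg)
            return abort(403)
        g.auth_role = role
        g.username = _from
        return f(*args, **kwargs)

    # If not using kms auth, require google auth.
    role = "user"
    if not role_has_privilege(role, view_name):
        return abort(403)
    if "email" in session.get("google_oauth2", []):
        # Already logged in; optionally restrict to the USERS_FILE allowlist.
        if app.config["USERS_FILE"] and get_logged_in_user_email() not in users:
            msg = "User not authorized: {0}"
            log.warning(msg.format(get_logged_in_user_email()))
            return abort(403)
        g.auth_role = role
        return f(*args, **kwargs)

    response = make_response()
    # NOTE(review): behind a TLS-terminating proxy ``request.is_secure`` may
    # be False unless the proxy headers are trusted upstream -- confirm the
    # deployment so the session cookie keeps its Secure flag.
    secure_cookie = bool(request.is_secure)
    result = _authomatic.login(
        WerkzeugAdapter(request, response),
        "google",
        session=session,
        session_saver=lambda: app.save_session(session, response),
        secure_cookie=secure_cookie,
    )
    if result:
        if result.error:
            msg = "Google auth failed with error: {0}"
            log.error(msg.format(result.error.message))
            return abort(403)
        if result.user:
            result.user.update()
            user = result.user
            email_suffix = app.config["GOOGLE_AUTH_EMAIL_SUFFIX"]
            # Restrict logins to the configured e-mail suffix, if one is set.
            if email_suffix and not user.email.endswith(email_suffix):
                return abort(403)
            session["google_oauth2"] = {}
            session["google_oauth2"]["email"] = user.email
            session["google_oauth2"]["first_name"] = user.first_name
            session["google_oauth2"]["last_name"] = user.last_name
            g.auth_role = role
            # TODO: find a way to save the angular args
            # authomatic adds url params google auth has stripped the
            # angular args anyway, so let's just redirect back to the
            # index.
            return redirect(url_for("index"))
    # No finished result yet: hand back the response authomatic populated
    # (presumably the hop into the provider flow -- verify against authomatic).
    return response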