def api_get_identity(): session = get_current_session() try: auth_plugin = get_auth_plugin() except PluginNotFoundException: google_user = users.get_current_user() if google_user: url = u'https://console.cloud.google.com/iam-admin/iam?project=%s' % app_identity.get_application_id() app_identity.get_application_id() modules = [] for plugin in get_plugins(): plugin_modules = plugin.get_modules() if plugin_modules: modules.extend(plugin_modules) module_strings = [m.name for m in sorted(modules, key=lambda m: m.sort_order)] return IdentityTO(google_user.email(), [], module_strings, [], u'en', u'/logout', url) raise HttpUnAuthorizedException(u'no_authenticated_plugin') try: if not session or not auth_plugin.validate_session(session): raise HttpUnAuthorizedException(data={'login_url': get_base_url() + auth_plugin.get_login_url()}) language = auth_plugin.get_user_language() or get_browser_language() modules = auth_plugin.get_visible_modules() logout_url = auth_plugin.get_logout_url() profile_url = auth_plugin.get_profile_url() permissions = [] for plugin in get_plugins(): permissions.extend(plugin.get_permissions()) return IdentityTO(session.user_id, session.scopes, modules, permissions, language, logout_url, profile_url) except HttpException: raise except Exception: logging.exception('Exception while trying to get identity') raise HttpUnAuthorizedException(data={'login_url': get_base_url() + auth_plugin.get_login_url()})
def _handle_request(self, kwargs, write_result=False): # first try to create the app on rogerthat backend kwargs['route'] = 'restapi/apps' data = json.loads(self.request.body) app_type = data['app_type'] data['type'] = app_type data['name'] = data['title'] self.request.body = json.dumps(data) status_code, content, headers = ProxyHandlerRogerthat._handle_request(self, kwargs, write_result) if status_code != httplib.OK: self.response.headers = headers self.response.status = status_code self.response.write(content) else: # Create app on app configurator only if it was created successfully on backend kwargs['route'] = '/api/apps' data = json.loads(self.request.body) backend_server = get_backend_server(kwargs['backend_id']) data['app_constants'], data['cloud_constants'] = get_backend_constants(backend_server) self.request.body = json.dumps(data) ProxyHandlerConfigurator._handle_request(self, kwargs) if self.response.status_int in (httplib.OK, httplib.CREATED): config = get_config(IYO_NAMESPACE) organization = '%(root_org)s.backends.%(backend_id)s.apps.%(app_id)s' % { 'root_org': config.root_organization.name, 'backend_id': backend_server.id, 'app_id': data['app_id'] } username = get_current_session().user_id deferred.defer(create_organization_with_roles, organization, PermissionType.APP_PERM, username) if not DEBUG and app_type == 1: # only for cityapps deferred.defer(create_app_group, data['app_id'])
def get(self, *args, **kwargs): if get_current_session(): render_logged_in_page(self) else: parameters = {'lang': get_user_language()} render_page(self.response, 'unauthorized_index.html', template_parameters=parameters)
def get_user_language(self): session = get_current_session() if not is_valid_session(session): return None profile = Profile.create_key(session.user_id).get() if not profile: return None return profile.language
def get_itsyouonline_client_from_username(username): session = get_current_session() if not session or session.user_id != username: session = Session.create_key(username).get() if not session: raise Exception('No session found for %s' % username) jwt = session.jwt client = get_itsyouonline_client_from_jwt(jwt) return client
def get(self, *args, **kwargs): if get_current_session(): render_logged_in_page(self) else: parameters = { 'lang': get_user_language(), 'year': unicode(datetime.now().year) } render_page(self.response, 'unauthorized_index.html', template_parameters=parameters)
def get_modules(self): perms = get_permissions_from_scopes(get_current_session().scopes) is_admin = Roles.BACKEND_ADMIN in perms or Roles.BACKEND in perms if is_admin or Roles.BACKEND_READONLY in perms: yield Module(u'tff_orders', [], 1) yield Module(u'tff_global_stats', [], 3) yield Module(u'tff_users', [], 4) yield Module(u'tff_agenda', [], 5) if is_admin: yield Module(u'tff_investment_agreements', [], 2)
def get(self, *args, **kwargs): session = get_current_session() # Another plugin should take care of authentication authenticated = session is not None and not session.deleted if authenticated: render_logged_in_page(self) else: parameters = { 'base_url': '/static/plugins/custom_branding_example/demo' } render_page(self.response, 'unauthorized_index.html', template_parameters=parameters)
def _try_or_refresh(url, method, headers, body, validate_certificate, follow_redirects): session = get_current_session() if session: headers['Authorization'] = str('Bearer %s' % get_current_session().jwt) def _request(): result = urlfetch.fetch(url, body, method, headers, deadline=30, validate_certificate=validate_certificate, follow_redirects=follow_redirects) return result.status_code, result.content, result.headers status_code, content, headers = _request() if status_code in (httplib.UNAUTHORIZED, httplib.FORBIDDEN) and session: # 401: JWT has expired and needs to be refreshed # 403: User may have the permissions but the JWT doesn't reflect these permissions yet, so retry the request # after refreshing the JWT logging.info('Validating/refreshing session due to status code %d', status_code) if get_auth_plugin().validate_session(get_current_session(), force_refresh=True): headers['Authorization'] = 'Bearer %s' % get_current_session().jwt status_code, content, headers = _request() return status_code, content, headers
def get(self): session = get_current_session() if is_valid_session(session): self.redirect('/') return config = get_config(NAMESPACE) if not config.login_with_organization: self.redirect('/login/continue?%s' % self.request.query) return render_page(self.response, os.path.join('unauthenticated', 'signin.html'), plugin_name=NAMESPACE)
def get_modules(self): perms = get_permissions_from_scopes(get_current_session().scopes) modules = [Module(u'review_notes', [], 30), Module(u'contacts', [], 40)] if perms.admin or perms.developer_accounts or perms.apps or perms.developer_accounts_perm: modules.append(Module(u'apps', [], 10)) if perms.admin or perms.developer_accounts or perms.developer_accounts_perm: modules.append(Module(u'developer_accounts', [], 20)) if perms.admin or perms.backend_servers: modules.append(Module(u'backend_servers', [], 10000)) if len(modules) > 1: modules.append(Module(u'home', [], 0)) return modules
def get_modules(self): perms = get_permissions_from_scopes(get_current_session().scopes) is_admin = Roles.BACKEND_ADMIN in perms or Roles.BACKEND in perms if is_admin or Roles.BACKEND_READONLY in perms: yield Module(u'tff_dashboard', [], 0) yield Module(u'tff_orders', [], 1) yield Module(u'tff_global_stats', [], 3) yield Module(u'tff_users', [], 4) yield Module(u'tff_agenda', [], 5) yield Module(u'tff_flow_statistics', [], 6) yield Module(u'tff_installations', [], 7) yield Module(u'tff_nodes', [], 8) if is_admin: yield Module(u'tff_investment_agreements', [], 2)
def get(self, *args, **kwargs): if get_current_session(): render_logged_in_page(self) else: query = self.request.query if self.request.query else '' if not self.request.GET.get('source'): plugin = get_plugin( IYO_AUTH_NAMESPACE) # type: ItsYouOnlineAuthPlugin query += '&scope=user:memberof:%s' % plugin.configuration.root_organization.name parameters = { 'lang': get_user_language(), 'query_params': '?%s' % query } render_page(self.response, 'unauthorized_index.html', template_parameters=parameters)
def has_at_least_one_scope(scopes, args): """ Args: scopes (list of unicode) args (dict) Returns: has_permission(bool) """ user_scopes = get_current_session().scopes for scope in scopes: try: scope = scope.format(**args) if scope in user_scopes: return True except KeyError: pass return False
def get_visible_modules(self): session = get_current_session() user_id = session.user_id scopes = session.scopes visible_modules = set() config = get_config(NAMESPACE) try: if config.login_with_organization: profile = Profile.create_key(user_id).get() if not profile: return [] # todo refactor to use current session scopes instead and remove organization_id property from Profile organization_id = profile.organization_id if not organization_id: return [] if organization_id == config.root_organization.name: return [u'its_you_online_settings'] organization = get_organization(organization_id) for plugin in get_plugins(): for module in plugin.get_modules(): if config.login_with_organization and module.name not in organization.modules: continue module_scopes = [] for scope in module.scopes: if Scopes.get_organization_scope(scope, organization_id) in scopes: module_scopes.append(True) else: module_scopes.append(False) if module.scopes and not any(module_scopes): continue visible_modules.add(module) else: auth_plugin = get_auth_plugin() for plugin in get_plugins(): if plugin != auth_plugin: for module in plugin.get_modules(): visible_modules.add(module) return map(lambda m: m.name, sorted(visible_modules, key=lambda m: m.sort_order)) except: logging.debug('Failed to get visible modules', exc_info=True) return []
def _validate_authentication(handler, f, args, kwargs): # type: (webapp2.RequestHandler, function, tuple, dict) -> None session = get_current_session() if not session: handler.abort(httplib.UNAUTHORIZED) if f.meta['scopes']: scopes = set() simple_kwargs = {} for kwarg in kwargs: if type(kwargs[kwarg]) in simple_types: simple_kwargs[kwarg] = kwargs[kwarg] for scope in f.meta['scopes']: scopes.add(scope.format(**simple_kwargs)) if not any(scope in scopes for scope in session.scopes): handler.abort(httplib.FORBIDDEN)
def audit_log(audit_type, key_args, data, user_id=None): """ Logs an action of the current user. reference_args can be the arguments needed to call the create_key method of the model, or an ndb key. Args: audit_type (mapping.AuditLogType) key_args(Union[string_types, tuple, ndb.Key]) data (Union[TO, dict]) user_id (unicode) Returns: ndb.Future """ if not user_id: session = get_current_session() user_id = session and session.user_id model = mapping.AuditLogMapping.get(audit_type) if not isinstance(model, mapping.AuditLogMappingTypes): logging.error('model %s is not a supported audit log type', model) return if isinstance(key_args, (string_types, int, long)): reference = model.create_key(key_args) elif isinstance(key_args, tuple): # Model must have create_key method reference = model.create_key(*key_args) else: assert isinstance(key_args, ndb.Key) reference = key_args if isinstance(audit_type, Enum): audit_type = audit_type.value data_ = { k: data[k].to_dict() if isinstance(data[k], TO) else data[k] for k in data } return AuditLog(audit_type=audit_type, reference=reference, user_id=user_id, data=data_).put_async()
def set_user_language(self, language): session = get_current_session() profile = Profile.create_key(session.user_id).get() profile.language = language profile.put()
def get_permissions(self): return get_permission_strings(get_current_session().scopes)
def get_session(self): return get_current_session()
def api_get_backend_servers(): # Only returns backends that the current user has access to permissions = get_permissions_from_scopes(get_current_session().scopes) backend_servers = [b.value for b in permissions.backend_servers] + [b.value for b in permissions.apps_perm] return [BackendServerTO.from_model(b) for b in get_backend_servers() if (permissions.admin or b.id in backend_servers)]
def api_set_kyc_status(username, data): username = username.decode('utf-8') # username must be unicode return TffProfileTO.from_model(set_kyc_status(username, data, get_current_session().user_id))
def api_put_investment_agreement(agreement_id, data): app_user = get_app_user_from_iyo_username(get_current_session().user_id) agreement = put_investment_agreement(agreement_id, data, app_user) return InvestmentAgreementDetailTO.from_dict( agreement.to_dict(['username']))
def api_put_investment_agreement(agreement_id, data): user = users.User('%s@%s' % (get_current_session().user_id, get_auth_plugin().configuration.api_domain)) agreement = put_investment_agreement(agreement_id, data, user) return InvestmentAgreementTO.from_model(agreement)