コード例 #1
ファイル: server.py プロジェクト: IvanHreskiv/scioncc
    def auth_external(self, username, ext_user_id, ext_id_provider="ext"):
        """
        Establish a server session for a user vouched for by an external identity provider (IdP).
        Looks up the actor by the derived system local username, sets the server session and
        returns the session user info as JSON response.
        The local username is derived from ext_id_provider and username (the original description
        names ":" as separator but gives "ext_johnbean" as example -- confirm which one applies).
        Any exception raised along the way (the original description mentions NotFound for users
        not registered in the system) is answered with build_json_error(); the caller can react
        and create a user account through the normal system means.
        NOTE(review): ext_user_id is only tested for presence and is not compared against
        anything in this method. The method therefore relies on the caller having validated the
        IdP assertion already -- confirm this entry point cannot be reached without that check.
        @param username  the user name the user recognizes.
        @param ext_user_id  a unique identifier coming from the external IdP
        @param ext_id_provider  identifies the external IdP service
        """
        try:
            have_all_inputs = ext_user_id and ext_id_provider and username
            if not have_all_inputs:
                raise BadRequest("External user info missing")

            # NOTE(review): the format string looks masked in this listing. As written it has no
            # placeholders, so the % operation raises TypeError and the handler below answers.
            local_username = "******" % (ext_id_provider, username)
            actor_id = self.idm_client.find_actor_identity_by_username(local_username)
            return build_json_response(self._set_server_session(actor_id, local_username))

        except Exception:
            # One generic error response for bad input, unknown user and internal faults alike
            return build_json_error()
コード例 #2
ファイル: server.py プロジェクト: klawande-cci/scioncc
    def auth_external(self, username, ext_user_id, ext_id_provider="ext"):
        """
        Establish a server session for a user vouched for by an external identity provider (IdP).
        Looks up the actor by the derived system local username, sets the server session and
        returns the session user info as JSON response.
        The local username is derived from ext_id_provider and username (the original description
        names ":" as separator but gives "ext_johnbean" as example -- confirm which one applies).
        Any exception raised along the way (the original description mentions NotFound for users
        not registered in the system) is answered with build_json_error(); the caller can react
        and create a user account through the normal system means.
        NOTE(review): ext_user_id is only tested for presence and is not compared against
        anything in this method. The method therefore relies on the caller having validated the
        IdP assertion already -- confirm this entry point cannot be reached without that check.
        @param username  the user name the user recognizes.
        @param ext_user_id  a unique identifier coming from the external IdP
        @param ext_id_provider  identifies the external IdP service
        """
        try:
            have_all_inputs = ext_user_id and ext_id_provider and username
            if not have_all_inputs:
                raise BadRequest("External user info missing")

            # NOTE(review): the format string looks masked in this listing. As written it has no
            # placeholders, so the % operation raises TypeError and the handler below answers.
            local_username = "******" % (ext_id_provider, username)
            actor_id = self.idm_client.find_actor_identity_by_username(local_username)
            return build_json_response(self._set_server_session(actor_id, local_username))

        except Exception:
            # One generic error response for bad input, unknown user and internal faults alike
            return build_json_error()
コード例 #3
ファイル: server.py プロジェクト: mkl-/scioncc
    def get_session(self):
        """
        Return the session info for the current request as JSON response.
        Sources are tried in this order: OAuth token from the Authorization header, then the
        access_token/actor_id pair kept in the Flask session, then the cookie based auth info.
        Any exception is answered with build_json_error().
        """
        try:
            # 1) OAuth token presented in the Authorization header
            if request.headers.get("authorization"):
                token_ok, _req = self.oauth.verify_request([self.oauth_scope])
                if token_ok:
                    identity = self.idm_client.read_actor_identity(flask.g.oauth_user.get("actor_id", ""))
                    attrs = {
                        "is_logged_in": True,
                        "is_registered": True,
                        "attributes": {"roles": identity.details.contact.roles},
                        "roles": {},
                    }
                    if identity.session:
                        attrs.update(identity.session)

                    return build_json_response(attrs)
                # NOTE(review): a header that fails verification is not rejected here; the
                # request falls through to the Flask session and cookie lookups below.

            # 2) Quick reload from the pair stored in the Flask session
            # NOTE(review): this path reports is_logged_in=True for any truthy pair and checks
            # neither token status nor expiry in this method -- confirm that is enforced elsewhere.
            saved_token = flask.session.get("access_token")
            saved_actor_id = flask.session.get("actor_id")
            if saved_token and saved_actor_id:
                identity = self.idm_client.read_actor_identity(saved_actor_id)
                attrs = {
                    "access_token": saved_token,  # the token is echoed back in the response body
                    "is_logged_in": True,
                    "is_registered": True,
                    "attributes": {"roles": identity.details.contact.roles},
                    "roles": {},
                }
                if identity.session:
                    attrs.update(identity.session)

                return build_json_response(attrs)

            # 3) Auth info from Flask session and cookie
            auth_info = get_auth()
            # valid_until is scaled by 1000 before the millis comparison; 0 or absent skips the check
            if 0 < int(auth_info.get("valid_until", 0)) * 1000 < current_time_millis():
                clear_auth()
                auth_info = get_auth()
            return build_json_response(auth_info)
        except Exception:
            return build_json_error()
コード例 #4
ファイル: server.py プロジェクト: mkl-/scioncc
    def login(self):
        """
        Check the username/password request arguments and return the user info as JSON response.
        Missing arguments, rejected credentials and any other exception are all answered with
        build_json_error().
        NOTE(review): no throttling or lockout of failed attempts is visible in this method --
        confirm it is done in check_actor_credentials or in front of this route.
        """
        try:
            login_name = get_arg("username")
            secret = get_arg("password")
            if not (login_name and secret):
                raise BadRequest("Username or password missing")

            actor_id = self.idm_client.check_actor_credentials(login_name, secret)
            return build_json_response(self._get_user_info(actor_id, login_name))

        except Exception:
            return build_json_error()
コード例 #5
ファイル: server.py プロジェクト: IvanHreskiv/scioncc
    def login(self):
        """
        Explicit (non-token) login: check the username/password request arguments and create
        a server session (Cookie based). Returns the session user info as JSON response.
        Missing arguments, rejected credentials and any other exception are all answered with
        build_json_error().
        NOTE(review): no throttling or lockout of failed attempts is visible in this method --
        confirm it is done in check_actor_credentials or in front of this route.
        """
        try:
            login_name = get_arg("username")
            secret = get_arg("password")
            if not (login_name and secret):
                raise BadRequest("Username or password missing")

            actor_id = self.idm_client.check_actor_credentials(login_name, secret)
            return build_json_response(self._set_server_session(actor_id, login_name))

        except Exception:
            return build_json_error()
コード例 #6
ファイル: server.py プロジェクト: klawande-cci/scioncc
    def login(self):
        """
        Explicit (non-token) login: check the username/password request arguments and create
        a server session (Cookie based). Returns the session user info as JSON response.
        Missing arguments, rejected credentials and any other exception are all answered with
        build_json_error().
        NOTE(review): no throttling or lockout of failed attempts is visible in this method --
        confirm it is done in check_actor_credentials or in front of this route.
        """
        try:
            login_name = get_arg("username")
            secret = get_arg("password")
            if not (login_name and secret):
                raise BadRequest("Username or password missing")

            actor_id = self.idm_client.check_actor_credentials(login_name, secret)
            return build_json_response(self._set_server_session(actor_id, login_name))

        except Exception:
            return build_json_error()
コード例 #7
ファイル: server.py プロジェクト: IvanHreskiv/scioncc
 def logout(self):
     """
     End the current login: mark the stored access token as cancelled (best effort), clear
     the auth state and answer "OK".
     The token is taken from the request bearer token, else from the Flask session.
     NOTE(review): a failure while cancelling the token is only logged and the response is
     still "OK", so the stored token may keep its previous status. Worth monitoring the
     "Error invalidating access token" log entry.
     """
     try:
         bearer = get_req_bearer_token()
         access_token = bearer or flask.session.get("access_token")
         if access_token:
             try:
                 # Mark the persisted token object as cancelled
                 token_key = str("access_token_%s" % access_token)
                 store = ui_instance.container.object_store
                 stored_token = store.read(token_key)
                 stored_token.status = "CANCELLED"
                 stored_token.attributes["cancel_ts"] = get_ion_ts_millis()
                 stored_token.attributes["cancel_msg"] = "User logout"
                 store.update(stored_token)
                 # Only the actor id is logged, never the token value
                 log.info("Invalidated stored access token for user=%s", stored_token.actor_id)
             except NotFound:
                 # Nothing stored under that id: nothing to cancel
                 pass
             except Exception:
                 log.exception("Error invalidating access token")
         # Reached whether or not the token could be cancelled
         clear_auth()
         return build_json_response("OK")
     except Exception:
         return build_json_error()
コード例 #8
ファイル: server.py プロジェクト: klawande-cci/scioncc
 def logout(self):
     """
     End the current login: mark the stored access token as cancelled (best effort), clear
     the auth state and answer "OK".
     The token is taken from the request bearer token, else from the Flask session.
     NOTE(review): a failure while cancelling the token is only logged and the response is
     still "OK", so the stored token may keep its previous status. Worth monitoring the
     "Error invalidating access token" log entry.
     """
     try:
         bearer = get_req_bearer_token()
         access_token = bearer or flask.session.get("access_token")
         if access_token:
             try:
                 # Mark the persisted token object as cancelled
                 token_key = str("access_token_%s" % access_token)
                 store = ui_instance.container.object_store
                 stored_token = store.read(token_key)
                 stored_token.status = "CANCELLED"
                 stored_token.attributes["cancel_ts"] = get_ion_ts_millis()
                 stored_token.attributes["cancel_msg"] = "User logout"
                 store.update(stored_token)
                 # Only the actor id is logged, never the token value
                 log.info("Invalidated stored access token for user=%s", stored_token.actor_id)
             except NotFound:
                 # Nothing stored under that id: nothing to cancel
                 pass
             except Exception:
                 log.exception("Error invalidating access token")
         # Reached whether or not the token could be cancelled
         clear_auth()
         return build_json_response("OK")
     except Exception:
         return build_json_error()
コード例 #9
ファイル: server.py プロジェクト: IvanHreskiv/scioncc
    def get_session(self):
        """
        Report the user session state for the authentication carried by this request.
        Client code may poll this regularly to notice session changes and expiration.
        Lookup order: OAuth access token (Authorization header), then -- only if remember_user
        is set -- the access_token/actor_id pair in the server session, then the cookie based
        auth info. Any exception is answered with build_json_error().
        """
        def call_extend_session_attrs(session_attrs, actor_user):
            """ Let every UI extension that offers the hook add to the user session """
            for extension in self.extension_objs:
                hook = getattr(extension, "extend_user_session_attributes", None)
                if not hook:
                    continue
                try:
                    hook(session_attrs, actor_user)
                except Exception:
                    # A failing extension is logged and skipped
                    log.exception("Error calling UI extension extend_user_session_attributes()")

        try:
            # OAuth access token in HTTP Authorization header
            if request.headers.get("authorization"):
                # Note: Do NOT extend session timeout here!
                token_ok, _req = self.oauth.verify_request([self.oauth_scope])
                if token_ok:
                    identity = self.idm_client.read_actor_identity(flask.g.oauth_user.get("actor_id", ""))
                    attrs = {
                        "is_logged_in": True,
                        "is_registered": True,
                        "attributes": {"roles": identity.details.contact.roles},
                        "roles": {},
                    }
                    if identity.session:
                        attrs.update(identity.session)
                    call_extend_session_attrs(attrs, identity)

                    return build_json_response(attrs)
                # NOTE(review): a header that fails verification is not rejected here; the
                # request falls through to the server session and cookie lookups below.

            if self.remember_user:
                # Returning users may resume from the user_id/access_token pair placed inside
                # the server session (Cookie), as long as the persisted session is still valid
                saved_token = flask.session.get("access_token")
                saved_actor_id = flask.session.get("actor_id")
                if saved_token and saved_actor_id:
                    identity = self.idm_client.read_actor_identity(saved_actor_id)
                    attrs = {
                        "access_token": saved_token,  # the token is echoed back in the response body
                        "is_logged_in": True,
                        "is_registered": True,
                        "attributes": {"roles": identity.details.contact.roles},
                        "roles": {},
                    }
                    persisted = identity.session
                    if not persisted:
                        # No trace of existing session in user object
                        clear_auth()
                        return build_json_response(get_auth())
                    # Expiry of the persisted user session; 0 or absent valid_until skips the check
                    if 0 < int(persisted.get("valid_until", 0)) * 1000 < current_time_millis():
                        clear_auth()
                        return build_json_response(get_auth())
                    # NOTE(review): only the persisted session expiry is checked here, the stored
                    # token's own status is not read in this method -- confirm that is intended.
                    attrs.update(persisted)
                    call_extend_session_attrs(attrs, identity)

                    return build_json_response(attrs)

            # Flask session and cookie (non-token mode)
            auth_info = get_auth()
            if 0 < int(auth_info.get("valid_until", 0)) * 1000 < current_time_millis():
                # Expired: drop it and report the cleared state instead
                clear_auth()
                auth_info = get_auth()
            call_extend_session_attrs(auth_info, None)
            return build_json_response(auth_info)
        except Exception:
            return build_json_error()
コード例 #10
ファイル: server.py プロジェクト: klawande-cci/scioncc
    def get_session(self):
        """
        Report the user session state for the authentication carried by this request.
        Client code may poll this regularly to notice session changes and expiration.
        Lookup order: OAuth access token (Authorization header), then -- only if remember_user
        is set -- the access_token/actor_id pair in the server session, then the cookie based
        auth info. Any exception is answered with build_json_error().
        """
        def call_extend_session_attrs(session_attrs, actor_user):
            """ Let every UI extension that offers the hook add to the user session """
            for extension in self.extension_objs:
                hook = getattr(extension, "extend_user_session_attributes", None)
                if not hook:
                    continue
                try:
                    hook(session_attrs, actor_user)
                except Exception:
                    # A failing extension is logged and skipped
                    log.exception("Error calling UI extension extend_user_session_attributes()")

        try:
            # OAuth access token in HTTP Authorization header
            if request.headers.get("authorization"):
                # Note: Do NOT extend session timeout here!
                token_ok, _req = self.oauth.verify_request([self.oauth_scope])
                if token_ok:
                    identity = self.idm_client.read_actor_identity(flask.g.oauth_user.get("actor_id", ""))
                    attrs = {
                        "is_logged_in": True,
                        "is_registered": True,
                        "attributes": {"roles": identity.details.contact.roles},
                        "roles": {},
                    }
                    if identity.session:
                        attrs.update(identity.session)
                    call_extend_session_attrs(attrs, identity)

                    return build_json_response(attrs)
                # NOTE(review): a header that fails verification is not rejected here; the
                # request falls through to the server session and cookie lookups below.

            if self.remember_user:
                # Returning users may resume from the user_id/access_token pair placed inside
                # the server session (Cookie), as long as the persisted session is still valid
                saved_token = flask.session.get("access_token")
                saved_actor_id = flask.session.get("actor_id")
                if saved_token and saved_actor_id:
                    identity = self.idm_client.read_actor_identity(saved_actor_id)
                    attrs = {
                        "access_token": saved_token,  # the token is echoed back in the response body
                        "is_logged_in": True,
                        "is_registered": True,
                        "attributes": {"roles": identity.details.contact.roles},
                        "roles": {},
                    }
                    persisted = identity.session
                    if not persisted:
                        # No trace of existing session in user object
                        clear_auth()
                        return build_json_response(get_auth())
                    # Expiry of the persisted user session; 0 or absent valid_until skips the check
                    if 0 < int(persisted.get("valid_until", 0)) * 1000 < current_time_millis():
                        clear_auth()
                        return build_json_response(get_auth())
                    # NOTE(review): only the persisted session expiry is checked here, the stored
                    # token's own status is not read in this method -- confirm that is intended.
                    attrs.update(persisted)
                    call_extend_session_attrs(attrs, identity)

                    return build_json_response(attrs)

            # Flask session and cookie (non-token mode)
            auth_info = get_auth()
            if 0 < int(auth_info.get("valid_until", 0)) * 1000 < current_time_millis():
                # Expired: drop it and report the cleared state instead
                clear_auth()
                auth_info = get_auth()
            call_extend_session_attrs(auth_info, None)
            return build_json_response(auth_info)
        except Exception:
            return build_json_error()
コード例 #11
ファイル: server.py プロジェクト: mkl-/scioncc
 def logout(self):
     """
     Clear the auth state of the current session and answer "OK".
     Any exception is answered with build_json_error().
     NOTE(review): no stored access token is cancelled in this method -- confirm that tokens
     issued to the user expire or are revoked elsewhere.
     """
     try:
         clear_auth()
         ok_response = build_json_response("OK")
         return ok_response
     except Exception:
         return build_json_error()