def get_session(self):
try:
# Get session based on OAuth token
auth_hdr = request.headers.get("authorization", None)
if auth_hdr:
valid, req = self.oauth.verify_request([self.oauth_scope])
if valid:
actor_id = flask.g.oauth_user.get("actor_id", "")
actor_user = self.idm_client.read_actor_identity(actor_id)
session_attrs = dict(is_logged_in=True, is_registered=True, attributes={"roles":actor_user.details.contact.roles}, roles={})
if actor_user.session:
session_attrs.update(actor_user.session)
return build_json_response(session_attrs)
# Support quick reload
access_token = flask.session.get("access_token", None)
actor_id = flask.session.get("actor_id", None)
if access_token and actor_id:
actor_user = self.idm_client.read_actor_identity(actor_id)
session_attrs = dict(access_token=access_token, is_logged_in=True, is_registered=True, attributes={"roles":actor_user.details.contact.roles}, roles={})
if actor_user.session:
session_attrs.update(actor_user.session)
return build_json_response(session_attrs)
# Get session from Flask session and cookie
user_info = get_auth()
if 0 < int(user_info.get("valid_until", 0)) * 1000 < current_time_millis():
clear_auth()
user_info = get_auth()
return build_json_response(user_info)
except Exception:
return build_json_error()
def validate_request(self, ion_actor_id, expiry, in_whitelist=False):
# There is no point in looking up an anonymous user - so return default values.
if ion_actor_id == DEFAULT_ACTOR_ID:
# Since this is an anonymous request, there really is no expiry associated with it
if not in_whitelist and self.require_login:
raise Unauthorized("Anonymous access not permitted")
else:
return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY
try:
user = self.idm_client.read_actor_identity(
actor_id=ion_actor_id, headers=self._get_gateway_headers())
except NotFound as e:
if not in_whitelist and self.require_login:
# This could be a restart of the system with a new preload.
# TODO: Invalidate Flask sessions on relaunch/bootstrap with creating new secret
user_session = get_auth()
if user_session.get("actor_id", None) == ion_actor_id:
clear_auth()
raise Unauthorized("Invalid identity", exc_id="01.10")
else:
# If the user isn't found default to anonymous
return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY
# Need to convert to int first in order to compare against current time.
try:
int_expiry = int(expiry)
except Exception as ex:
raise Inconsistent(
"Unable to read the expiry value in the request '%s' as an int"
% expiry)
# The user has been validated as being known in the system, so not check the expiry and raise exception if
# the expiry is not set to 0 and less than the current time.
if 0 < int_expiry < current_time_millis():
if not in_whitelist and self.require_login:
raise Unauthorized("User authentication expired")
else:
log.warn("User authentication expired")
return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY
return ion_actor_id, expiry
def logout(self):
try:
access_token = get_req_bearer_token() or flask.session.get("access_token", None)
if access_token:
try:
# Invalidate access token
token_id = str("access_token_%s" % access_token)
token_obj = ui_instance.container.object_store.read(token_id)
token_obj.status = "CANCELLED"
token_obj.attributes["cancel_ts"] = get_ion_ts_millis()
token_obj.attributes["cancel_msg"] = "User logout"
ui_instance.container.object_store.update(token_obj)
log.info("Invalidated stored access token for user=%s", token_obj.actor_id)
except NotFound:
pass
except Exception:
log.exception("Error invalidating access token")
clear_auth()
return build_json_response("OK")
except Exception:
return build_json_error()
def logout(self):
try:
access_token = get_req_bearer_token() or flask.session.get("access_token", None)
if access_token:
try:
# Invalidate access token
token_id = str("access_token_%s" % access_token)
token_obj = ui_instance.container.object_store.read(token_id)
token_obj.status = "CANCELLED"
token_obj.attributes["cancel_ts"] = get_ion_ts_millis()
token_obj.attributes["cancel_msg"] = "User logout"
ui_instance.container.object_store.update(token_obj)
log.info("Invalidated stored access token for user=%s", token_obj.actor_id)
except NotFound:
pass
except Exception:
log.exception("Error invalidating access token")
clear_auth()
return build_json_response("OK")
except Exception:
return build_json_error()
def validate_request(self, ion_actor_id, expiry, in_whitelist=False):
# There is no point in looking up an anonymous user - so return default values.
if ion_actor_id == DEFAULT_ACTOR_ID:
# Since this is an anonymous request, there really is no expiry associated with it
if not in_whitelist and self.require_login:
raise Unauthorized("Anonymous access not permitted")
else:
return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY
try:
user = self.idm_client.read_actor_identity(actor_id=ion_actor_id, headers=self._get_gateway_headers())
except NotFound as e:
if not in_whitelist and self.require_login:
# This could be a restart of the system with a new preload.
# TODO: Invalidate Flask sessions on relaunch/bootstrap with creating new secret
user_session = get_auth()
if user_session.get("actor_id", None) == ion_actor_id:
clear_auth()
raise Unauthorized("Invalid identity", exc_id="01.10")
else:
# If the user isn't found default to anonymous
return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY
# Need to convert to int first in order to compare against current time.
try:
int_expiry = int(expiry)
except Exception as ex:
raise Inconsistent("Unable to read the expiry value in the request '%s' as an int" % expiry)
# The user has been validated as being known in the system, so not check the expiry and raise exception if
# the expiry is not set to 0 and less than the current time.
if 0 < int_expiry < current_time_millis():
if not in_whitelist and self.require_login:
raise Unauthorized("User authentication expired")
else:
log.warn("User authentication expired")
return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY
return ion_actor_id, expiry
def get_session(self):
"""
Returns user session information for current authentication.
This can be polled regularly by client code to detect changes in session state and expiration.
"""
def call_extend_session_attrs(session_attrs, actor_user):
""" Call UI extensions to make additions to user session """
for ext_obj in self.extension_objs:
func = getattr(ext_obj, "extend_user_session_attributes", None)
if func:
try:
func(session_attrs, actor_user)
except Exception:
log.exception("Error calling UI extension extend_user_session_attributes()")
try:
# Get user session from OAuth access token in HTTP Authorization header
auth_hdr = request.headers.get("authorization", None)
if auth_hdr:
valid, req = self.oauth.verify_request([self.oauth_scope]) # Note: Do NOT extend session timeout here!
if valid:
actor_id = flask.g.oauth_user.get("actor_id", "")
actor_user = self.idm_client.read_actor_identity(actor_id)
session_attrs = dict(is_logged_in=True, is_registered=True,
attributes={"roles": actor_user.details.contact.roles}, roles={})
if actor_user.session:
session_attrs.update(actor_user.session)
call_extend_session_attrs(session_attrs, actor_user)
return build_json_response(session_attrs)
if self.remember_user:
# Get user session from user_id/access_token placed inside server session (Cookie)
# This is a feature to allow returning users to resume a session if still valid
access_token = flask.session.get("access_token", None)
actor_id = flask.session.get("actor_id", None)
if access_token and actor_id:
actor_user = self.idm_client.read_actor_identity(actor_id)
session_attrs = dict(access_token=access_token, is_logged_in=True, is_registered=True,
attributes={"roles": actor_user.details.contact.roles}, roles={})
if actor_user.session:
# Check validity in persisted user session
if 0 < int(actor_user.session.get("valid_until", 0)) * 1000 < current_time_millis():
clear_auth()
return build_json_response(get_auth())
session_attrs.update(actor_user.session)
else:
# No trace of existing session in user object
clear_auth()
return build_json_response(get_auth())
call_extend_session_attrs(session_attrs, actor_user)
return build_json_response(session_attrs)
# Get user session from Flask session and cookie (non-token mode)
user_info = get_auth()
if 0 < int(user_info.get("valid_until", 0)) * 1000 < current_time_millis():
clear_auth() # Clear expired session
user_info = get_auth()
call_extend_session_attrs(user_info, None)
return build_json_response(user_info)
except Exception:
return build_json_error()
def get_session(self):
"""
Returns user session information for current authentication.
This can be polled regularly by client code to detect changes in session state and expiration.
"""
def call_extend_session_attrs(session_attrs, actor_user):
""" Call UI extensions to make additions to user session """
for ext_obj in self.extension_objs:
func = getattr(ext_obj, "extend_user_session_attributes", None)
if func:
try:
func(session_attrs, actor_user)
except Exception:
log.exception("Error calling UI extension extend_user_session_attributes()")
try:
# Get user session from OAuth access token in HTTP Authorization header
auth_hdr = request.headers.get("authorization", None)
if auth_hdr:
valid, req = self.oauth.verify_request([self.oauth_scope]) # Note: Do NOT extend session timeout here!
if valid:
actor_id = flask.g.oauth_user.get("actor_id", "")
actor_user = self.idm_client.read_actor_identity(actor_id)
session_attrs = dict(is_logged_in=True, is_registered=True,
attributes={"roles": actor_user.details.contact.roles}, roles={})
if actor_user.session:
session_attrs.update(actor_user.session)
call_extend_session_attrs(session_attrs, actor_user)
return build_json_response(session_attrs)
if self.remember_user:
# Get user session from user_id/access_token placed inside server session (Cookie)
# This is a feature to allow returning users to resume a session if still valid
access_token = flask.session.get("access_token", None)
actor_id = flask.session.get("actor_id", None)
if access_token and actor_id:
actor_user = self.idm_client.read_actor_identity(actor_id)
session_attrs = dict(access_token=access_token, is_logged_in=True, is_registered=True,
attributes={"roles": actor_user.details.contact.roles}, roles={})
if actor_user.session:
# Check validity in persisted user session
if 0 < int(actor_user.session.get("valid_until", 0)) * 1000 < current_time_millis():
clear_auth()
return build_json_response(get_auth())
session_attrs.update(actor_user.session)
else:
# No trace of existing session in user object
clear_auth()
return build_json_response(get_auth())
call_extend_session_attrs(session_attrs, actor_user)
return build_json_response(session_attrs)
# Get user session from Flask session and cookie (non-token mode)
user_info = get_auth()
if 0 < int(user_info.get("valid_until", 0)) * 1000 < current_time_millis():
clear_auth() # Clear expired session
user_info = get_auth()
call_extend_session_attrs(user_info, None)
return build_json_response(user_info)
except Exception:
return build_json_error()
def logout(self):
try:
clear_auth()
return build_json_response("OK")
except Exception:
return build_json_error()
