コード例 #1
0
def create_authority_roles(roles, owner, plugin_title, creator):
    """
    Creates all of the necessary authority roles.
    :param creator:
    :param roles:
    :return:
    """
    role_objs = []
    for r in roles:
        role = role_service.get_by_name(r["name"])
        # error out if the role already exists, because we want a unique role per authority
        if role:
            raise Exception(
                "Unable to create authority role {} because it already exists".
                format(r["name"]))
        role = role_service.create(
            r["name"],
            password=r["password"],
            description="Auto generated role for {0}".format(plugin_title),
            username=r["username"],
        )

        role_objs.append(role)

    # get or create a role for the owner
    owner_role = role_service.get_by_name(owner)
    if not owner_role:
        owner_role = role_service.create(
            owner,
            description="Auto generated role based on owner: {0}".format(
                owner))

    role_objs.append(owner_role)
    return role_objs
コード例 #2
0
ファイル: service.py プロジェクト: EADPCloudSeattle/lemur
def create_authority_roles(roles, owner, plugin_title):
    """
    Creates all of the necessary authority roles.
    :param roles:
    :return:
    """
    role_objs = []
    for r in roles:
        role = role_service.get_by_name(r['name'])
        if not role:
            role = role_service.create(
                r['name'],
                password=r['password'],
                description="Auto generated role for {0}".format(plugin_title),
                username=r['username'])

        # the user creating the authority should be able to administer it
        if role.username == 'admin':
            g.current_user.roles.append(role)

        role_objs.append(role)

    # create an role for the owner and assign it
    owner_role = role_service.get_by_name(owner)
    if not owner_role:
        owner_role = role_service.create(
            owner,
            description="Auto generated role based on owner: {0}".format(owner)
        )

    role_objs.append(owner_role)
    return role_objs
コード例 #3
0
def create_authority_roles(roles, owner, plugin_title, creator):
    """
    Creates all of the necessary authority roles.
    :param creator:
    :param roles:
    :return:
    """
    role_objs = []
    for r in roles:
        role = role_service.get_by_name(r['name'])
        if not role:
            role = role_service.create(
                r['name'],
                password=r['password'],
                description="Auto generated role for {0}".format(plugin_title),
                username=r['username'])

        # the user creating the authority should be able to administer it
        if role.username == 'admin':
            creator.roles.append(role)

        role_objs.append(role)

    # create an role for the owner and assign it
    owner_role = role_service.get_by_name(owner)
    if not owner_role:
        owner_role = role_service.create(
            owner,
            description="Auto generated role based on owner: {0}".format(
                owner))

    role_objs.append(owner_role)
    return role_objs
コード例 #4
0
def create_user_roles(profile):
    """Creates new roles based on profile information.

    :param profile:
    :return:
    """
    roles = []

    # update their google 'roles'
    if "googleGroups" in profile:
        for group in profile["googleGroups"]:
            role = role_service.get_by_name(group)
            if not role:
                role = role_service.create(
                    group,
                    description=
                    "This is a google group based role created by Lemur",
                    third_party=True,
                )
            if (group != 'admin') and (not role.third_party):
                role = role_service.set_third_party(role.id,
                                                    third_party_status=True)
            roles.append(role)
    else:
        current_app.logger.warning(
            "'googleGroups' not sent by identity provider, no specific roles will assigned to the user."
        )

    role = role_service.get_by_name(profile["email"])

    if not role:
        role = role_service.create(
            profile["email"],
            description="This is a user specific role",
            third_party=True,
        )
    if not role.third_party:
        role = role_service.set_third_party(role.id, third_party_status=True)

    roles.append(role)

    # every user is an operator (tied to a default role)
    if current_app.config.get("LEMUR_DEFAULT_ROLE"):
        default = role_service.get_by_name(
            current_app.config["LEMUR_DEFAULT_ROLE"])
        if not default:
            default = role_service.create(
                current_app.config["LEMUR_DEFAULT_ROLE"],
                description="This is the default Lemur role.",
            )
        if not default.third_party:
            role_service.set_third_party(default.id, third_party_status=True)
        roles.append(default)

    return roles
コード例 #5
0
ファイル: manage.py プロジェクト: bossadvisors/lemur
 def run(self, name, users, description):
     user_objs = []
     for u in users:
         user_obj = user_service.get_by_username(u)
         if user_obj:
             user_objs.append(user_obj)
         else:
             sys.stderr.write("[!] Cannot find user {0}".format(u))
             sys.exit(1)
     role_service.create(name, description=description, users=users)
     sys.stdout.write("[+] Created new role: {0}".format(name))
コード例 #6
0
 def run(self, name, users, description):
     user_objs = []
     for u in users:
         user_obj = user_service.get_by_username(u)
         if user_obj:
             user_objs.append(user_obj)
         else:
             sys.stderr.write("[!] Cannot find user {0}".format(u))
             sys.exit(1)
     role_service.create(name, description=description, users=users)
     sys.stdout.write("[+] Created new role: {0}".format(name))
コード例 #7
0
ファイル: service.py プロジェクト: ebgcdev/lemur
def create(kwargs):
    """
    Create a new authority.

    :return:
    """

    issuer = plugins.get(kwargs.get('pluginName'))

    kwargs['creator'] = g.current_user.email
    cert_body, intermediate, issuer_roles = issuer.create_authority(kwargs)

    cert = Certificate(cert_body, chain=intermediate)
    cert.owner = kwargs['ownerEmail']

    if kwargs['caType'] == 'subca':
        cert.description = "This is the ROOT certificate for the {0} sub certificate authority the parent \
                                authority is {1}.".format(
            kwargs.get('caName'), kwargs.get('caParent'))
    else:
        cert.description = "This is the ROOT certificate for the {0} certificate authority.".format(
            kwargs.get('caName'))

    cert.user = g.current_user

    cert.notifications = notification_service.create_default_expiration_notifications(
        'DEFAULT_SECURITY',
        current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))

    # we create and attach any roles that the issuer gives us
    role_objs = []
    for r in issuer_roles:

        role = role_service.create(
            r['name'],
            password=r['password'],
            description="{0} auto generated role".format(
                kwargs.get('pluginName')),
            username=r['username'])

        # the user creating the authority should be able to administer it
        if role.username == 'admin':
            g.current_user.roles.append(role)

        role_objs.append(role)

    authority = Authority(kwargs.get('caName'),
                          kwargs['ownerEmail'],
                          kwargs['pluginName'],
                          cert_body,
                          description=kwargs['caDescription'],
                          chain=intermediate,
                          roles=role_objs)

    database.update(cert)
    authority = database.create(authority)

    g.current_user.authorities.append(authority)

    return authority
コード例 #8
0
def create_user_roles(profile):
    """Creates new roles based on profile information.

    :param profile:
    :return:
    """
    roles = []

    # update their google 'roles'
    for group in profile['googleGroups']:
        role = role_service.get_by_name(group)
        if not role:
            role = role_service.create(
                group,
                description=
                'This is a google group based role created by Lemur',
                third_party=True)
        if not role.third_party:
            role = role_service.set_third_party(role.id,
                                                third_party_status=True)
        roles.append(role)

    role = role_service.get_by_name(profile['email'])

    if not role:
        role = role_service.create(profile['email'],
                                   description='This is a user specific role',
                                   third_party=True)
    if not role.third_party:
        role = role_service.set_third_party(role.id, third_party_status=True)

    roles.append(role)

    # every user is an operator (tied to a default role)
    if current_app.config.get('LEMUR_DEFAULT_ROLE'):
        default = role_service.get_by_name(
            current_app.config['LEMUR_DEFAULT_ROLE'])
        if not default:
            default = role_service.create(
                current_app.config['LEMUR_DEFAULT_ROLE'],
                description='This is the default Lemur role.')
        if not default.third_party:
            role_service.set_third_party(default.id, third_party_status=True)
        roles.append(default)

    return roles
コード例 #9
0
    def post(self):
        """
        .. http:post:: /roles

           Creates a new role

           **Example request**:

           .. sourcecode:: http

              POST /roles HTTP/1.1
              Host: example.com
              Accept: application/json, text/javascript

              {
                 "name": "role3",
                 "description": "this is role3",
                 "username": null,
                 "password": null,
                 "users": []
              }

           **Example response**:

           .. sourcecode:: http

              HTTP/1.1 200 OK
              Vary: Accept
              Content-Type: text/javascript

              {
                  "id": 3,
                  "description": "this is role3",
                  "name": "role3"
              }

           :arg name: name for new role
           :arg description: description for new role
           :arg password: password for new role
           :arg username: username for new role
           :arg users: list, of users to associate with role
           :reqheader Authorization: OAuth token to authenticate
           :statuscode 200: no error
           :statuscode 403: unauthenticated
        """
        self.reqparse.add_argument('name',
                                   type=str,
                                   location='json',
                                   required=True)
        self.reqparse.add_argument('description', type=str, location='json')
        self.reqparse.add_argument('username', type=str, location='json')
        self.reqparse.add_argument('password', type=str, location='json')
        self.reqparse.add_argument('users', type=list, location='json')

        args = self.reqparse.parse_args()
        return service.create(args['name'], args.get('password'),
                              args.get('description'), args.get('username'),
                              args.get('users'))
コード例 #10
0
ファイル: service.py プロジェクト: terinjokes/lemur
def create_certificate_roles(**kwargs):
    # create an role for the owner and assign it
    owner_role = role_service.get_by_name(kwargs['owner'])
    if not owner_role:
        owner_role = role_service.create(
            kwargs['owner'],
            description="Auto generated role based on owner: {0}".format(kwargs['owner'])
        )

    return [owner_role]
コード例 #11
0
ファイル: views.py プロジェクト: kinzer1/lemur
    def post(self):
        """
        .. http:post:: /roles

           Creates a new role

           **Example request**:

           .. sourcecode:: http

              POST /roles HTTP/1.1
              Host: example.com
              Accept: application/json, text/javascript

              {
                 "name": "role3",
                 "description": "this is role3",
                 "username": null,
                 "password": null,
                 "users": []
              }

           **Example response**:

           .. sourcecode:: http

              HTTP/1.1 200 OK
              Vary: Accept
              Content-Type: text/javascript

              {
                  "id": 3,
                  "description": "this is role3",
                  "name": "role3"
              }

           :arg name: name for new role
           :arg description: description for new role
           :arg password: password for new role
           :arg username: username for new role
           :arg users: list, of users to associate with role
           :reqheader Authorization: OAuth token to authenticate
           :statuscode 200: no error
           :statuscode 403: unauthenticated
        """
        self.reqparse.add_argument("name", type=str, location="json", required=True)
        self.reqparse.add_argument("description", type=str, location="json")
        self.reqparse.add_argument("username", type=str, location="json")
        self.reqparse.add_argument("password", type=str, location="json")
        self.reqparse.add_argument("users", type=list, location="json")

        args = self.reqparse.parse_args()
        return service.create(
            args["name"], args.get("password"), args.get("description"), args.get("username"), args.get("users")
        )
コード例 #12
0
ファイル: views.py プロジェクト: vsnine/lemur
    def post(self, data=None):
        """
        .. http:post:: /roles

           Creates a new role

           **Example request**:

           .. sourcecode:: http

              POST /roles HTTP/1.1
              Host: example.com
              Accept: application/json, text/javascript
              Content-Type: application/json;charset=UTF-8

              {
                 "name": "role3",
                 "description": "this is role3",
                 "username": null,
                 "password": null,
                 "users": [
                    {"id": 1}
                 ]
              }

           **Example response**:

           .. sourcecode:: http

              HTTP/1.1 200 OK
              Vary: Accept
              Content-Type: text/javascript

              {
                  "id": 3,
                  "description": "this is role3",
                  "name": "role3"
              }

           :arg name: name for new role
           :arg description: description for new role
           :arg password: password for new role
           :arg username: username for new role
           :arg users: list, of users to associate with role
           :reqheader Authorization: OAuth token to authenticate
           :statuscode 200: no error
           :statuscode 403: unauthenticated
        """
        return service.create(
            data["name"],
            data.get("password"),
            data.get("description"),
            data.get("username"),
            data.get("users"),
        )
コード例 #13
0
ファイル: service.py プロジェクト: rhoml/lemur
def create(kwargs):
    """
    Create a new authority.

    :rtype : Authority
    :return:
    """

    issuer = plugins.get(kwargs.get('pluginName'))

    kwargs['creator'] = g.current_user.email
    cert_body, intermediate, issuer_roles = issuer.create_authority(kwargs)

    cert = Certificate(cert_body, chain=intermediate)
    cert.owner = kwargs['ownerEmail']
    cert.description = "This is the ROOT certificate for the {0} certificate authority".format(kwargs.get('caName'))
    cert.user = g.current_user

    cert.notifications = notification_service.create_default_expiration_notifications(
        'DEFAULT_SECURITY',
        current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
    )

    # we create and attach any roles that the issuer gives us
    role_objs = []
    for r in issuer_roles:

        role = role_service.create(
            r['name'],
            password=r['password'],
            description="{0} auto generated role".format(kwargs.get('pluginName')),
            username=r['username'])

        # the user creating the authority should be able to administer it
        if role.username == 'admin':
            g.current_user.roles.append(role)

        role_objs.append(role)

    authority = Authority(
        kwargs.get('caName'),
        kwargs['ownerEmail'],
        kwargs['pluginName'],
        cert_body,
        description=kwargs['caDescription'],
        chain=intermediate,
        roles=role_objs
    )

    database.update(cert)
    authority = database.create(authority)

    g.current_user.authorities.append(authority)

    return authority
コード例 #14
0
ファイル: conftest.py プロジェクト: kinzer1/lemur
def db(app, request):
    _db.drop_all()
    _db.create_all()

    _db.app = app

    user = user_service.create('user', 'test', '*****@*****.**', True, None, [])
    admin_role = role_service.create('admin')
    admin = user_service.create('admin', 'admin', '*****@*****.**', True, None, [admin_role])
    _db.session.commit()
    yield _db
コード例 #15
0
    def run(self, password):
        create()
        user = user_service.get_by_username("lemur")

        if not user:
            if not password:
                sys.stdout.write(
                    "We need to set Lemur's password to continue!\n")
                password = prompt_pass("Password")
                password1 = prompt_pass("Confirm Password")

                if password != password1:
                    sys.stderr.write("[!] Passwords do not match!\n")
                    sys.exit(1)

            role = role_service.get_by_name('admin')

            if role:
                sys.stdout.write(
                    "[-] Admin role already created, skipping...!\n")
            else:
                # we create an admin role
                role = role_service.create(
                    'admin',
                    description='this is the lemur administrator role')
                sys.stdout.write("[+] Created 'admin' role\n")

            user_service.create("lemur", password, 'lemur@nobody', True, None,
                                [role])
            sys.stdout.write(
                "[+] Added a 'lemur' user and added it to the 'admin' role!\n")

        else:
            sys.stdout.write(
                "[-] Default user has already been created, skipping...!\n")

        sys.stdout.write("[+] Creating expiration email notifications!\n")
        sys.stdout.write(
            "[!] Using {0} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n"
            .format("LEMUR_SECURITY_TEAM_EMAIL"))

        intervals = current_app.config.get(
            "LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS", [])
        sys.stdout.write(
            "[!] Creating {num} notifications for {intervals} days as specified by LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS\n"
            .format(num=len(intervals),
                    intervals=",".join([str(x) for x in intervals])))

        recipients = current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
        notification_service.create_default_expiration_notifications(
            "DEFAULT_SECURITY", recipients=recipients)

        sys.stdout.write("[/] Done!\n")
コード例 #16
0
ファイル: conftest.py プロジェクト: rtdean/lemur
def db(app, request):
    _db.drop_all()
    _db.create_all()

    _db.app = app

    user = user_service.create('user', 'test', '*****@*****.**', True, None,
                               [])
    admin_role = role_service.create('admin')
    admin = user_service.create('admin', 'admin', '*****@*****.**', True,
                                None, [admin_role])
    _db.session.commit()
    yield _db
コード例 #17
0
    def _authorize(self):
        """
        check groups and roles to confirm access.
        return a list of roles if ok.
        raise an exception on error.
        """
        if not self.ldap_principal:
            return None

        if self.ldap_required_group:
            # ensure the user has the required group in their group list
            if self.ldap_required_group not in self.ldap_groups:
                return None

        roles = set()
        if self.ldap_default_role:
            role = role_service.get_by_name(self.ldap_default_role)
            if role:
                if not role.third_party:
                    role = role.set_third_party(role.id,
                                                third_party_status=True)
                roles.add(role)

        # update their 'roles'
        role = role_service.get_by_name(self.ldap_principal)
        if not role:
            description = "auto generated role based on owner: {0}".format(
                self.ldap_principal)
            role = role_service.create(self.ldap_principal,
                                       description=description,
                                       third_party=True)
        if not role.third_party:
            role = role_service.set_third_party(role.id,
                                                third_party_status=True)
        roles.add(role)
        if not self.ldap_groups_to_roles:
            return roles

        for ldap_group_name, role_name in self.ldap_groups_to_roles.items():
            role = role_service.get_by_name(role_name)
            if role:
                if ldap_group_name in self.ldap_groups:
                    current_app.logger.debug(
                        "assigning role {0} to ldap user {1}".format(
                            self.ldap_principal, role))
                    if not role.third_party:
                        role = role_service.set_third_party(
                            role.id, third_party_status=True)
                    roles.add(role)
        return roles
コード例 #18
0
ファイル: views.py プロジェクト: harmw/lemur
    def post(self, data=None):
        """
        .. http:post:: /roles

           Creates a new role

           **Example request**:

           .. sourcecode:: http

              POST /roles HTTP/1.1
              Host: example.com
              Accept: application/json, text/javascript

              {
                 "name": "role3",
                 "description": "this is role3",
                 "username": null,
                 "password": null,
                 "users": [
                    {'id': 1}
                 ]
              }

           **Example response**:

           .. sourcecode:: http

              HTTP/1.1 200 OK
              Vary: Accept
              Content-Type: text/javascript

              {
                  "id": 3,
                  "description": "this is role3",
                  "name": "role3"
              }

           :arg name: name for new role
           :arg description: description for new role
           :arg password: password for new role
           :arg username: username for new role
           :arg users: list, of users to associate with role
           :reqheader Authorization: OAuth token to authenticate
           :statuscode 200: no error
           :statuscode 403: unauthenticated
        """
        return service.create(data['name'], data.get('password'), data.get('description'), data.get('username'),
                              data.get('users'))
コード例 #19
0
ファイル: views.py プロジェクト: Netflix/lemur
def create_user_roles(profile):
    """Creates new roles based on profile information.

    :param profile:
    :return:
    """
    roles = []

    # update their google 'roles'
    for group in profile['googleGroups']:
        role = role_service.get_by_name(group)
        if not role:
            role = role_service.create(group, description='This is a google group based role created by Lemur', third_party=True)
        if not role.third_party:
            role = role_service.set_third_party(role.id, third_party_status=True)
        roles.append(role)

    role = role_service.get_by_name(profile['email'])

    if not role:
        role = role_service.create(profile['email'], description='This is a user specific role', third_party=True)
    if not role.third_party:
        role = role_service.set_third_party(role.id, third_party_status=True)

    roles.append(role)

    # every user is an operator (tied to a default role)
    if current_app.config.get('LEMUR_DEFAULT_ROLE'):
        default = role_service.get_by_name(current_app.config['LEMUR_DEFAULT_ROLE'])
        if not default:
            default = role_service.create(current_app.config['LEMUR_DEFAULT_ROLE'], description='This is the default Lemur role.')
        if not default.third_party:
            role_service.set_third_party(default.id, third_party_status=True)
        roles.append(default)

    return roles
コード例 #20
0
ファイル: service.py プロジェクト: pdinavahi/lemur
def create_certificate_roles(**kwargs):
    # create an role for the owner and assign it
    owner_role = role_service.get_by_name(kwargs['owner'])

    if not owner_role:
        owner_role = role_service.create(
            kwargs['owner'],
            description="Auto generated role based on owner: {0}".format(kwargs['owner'])
        )

    # ensure that the authority's owner is also associated with the certificate
    if kwargs.get('authority'):
        authority_owner_role = role_service.get_by_name(kwargs['authority'].owner)
        return [owner_role, authority_owner_role]

    return [owner_role]
コード例 #21
0
ファイル: service.py プロジェクト: Netflix/lemur
def create_certificate_roles(**kwargs):
    # create an role for the owner and assign it
    owner_role = role_service.get_by_name(kwargs['owner'])

    if not owner_role:
        owner_role = role_service.create(
            kwargs['owner'],
            description="Auto generated role based on owner: {0}".format(kwargs['owner'])
        )

    # ensure that the authority's owner is also associated with the certificate
    if kwargs.get('authority'):
        authority_owner_role = role_service.get_by_name(kwargs['authority'].owner)
        return [owner_role, authority_owner_role]

    return [owner_role]
コード例 #22
0
ファイル: manage.py プロジェクト: CameronNemo/lemur
    def run(self, password):
        create()
        user = user_service.get_by_username("lemur")

        if not user:
            if not password:
                sys.stdout.write("We need to set Lemur's password to continue!\n")
                password = prompt_pass("Password")
                password1 = prompt_pass("Confirm Password")

                if password != password1:
                    sys.stderr.write("[!] Passwords do not match!\n")
                    sys.exit(1)

            role = role_service.get_by_name("admin")

            if role:
                sys.stdout.write("[-] Admin role already created, skipping...!\n")
            else:
                # we create an admin role
                role = role_service.create("admin", description="this is the lemur administrator role")
                sys.stdout.write("[+] Created 'admin' role\n")

            user_service.create("lemur", password, "lemur@nobody", True, None, [role])
            sys.stdout.write("[+] Added a 'lemur' user and added it to the 'admin' role!\n")

        else:
            sys.stdout.write("[-] Default user has already been created, skipping...!\n")

        sys.stdout.write("[+] Creating expiration email notifications!\n")
        sys.stdout.write(
            "[!] Using {0} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n".format(
                "LEMUR_SECURITY_TEAM_EMAIL"
            )
        )

        intervals = current_app.config.get("LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS", [])
        sys.stdout.write(
            "[!] Creating {num} notifications for {intervals} days as specified by LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS\n".format(
                num=len(intervals), intervals=",".join([str(x) for x in intervals])
            )
        )

        recipients = current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL")
        notification_service.create_default_expiration_notifications("DEFAULT_SECURITY", recipients=recipients)

        sys.stdout.write("[/] Done!\n")
コード例 #23
0
ファイル: ldap.py プロジェクト: harmw/lemur
    def _authorize(self):
        """
        check groups and roles to confirm access.
        return a list of roles if ok.
        raise an exception on error.
        """
        if not self.ldap_principal:
            return None

        if self.ldap_required_group:
            # ensure the user has the required group in their group list
            if self.ldap_required_group not in self.ldap_groups:
                return None

        roles = set()
        if self.ldap_default_role:
            role = role_service.get_by_name(self.ldap_default_role)
            if role:
                roles.add(role)

        # update their 'roles'
        role = role_service.get_by_name(self.ldap_principal)
        if not role:
            description = "auto generated role based on owner: {0}".format(self.ldap_principal)
            role = role_service.create(self.ldap_principal, description=description)
        roles.add(role)
        if not self.ldap_groups_to_roles:
            return roles

        for ldap_group_name, role_name in self.ldap_groups_to_roles.items():
            role = role_service.get_by_name(role_name)
            if role:
                if ldap_group_name in self.ldap_groups:
                    current_app.logger.debug("assigning role {0} to ldap user {1}".format(self.ldap_principal, role))
                    roles.add(role)
        return roles
コード例 #24
0
ファイル: views.py プロジェクト: mikegrima/lemur
    def post(self):
        self.reqparse.add_argument("clientId", type=str, required=True, location="json")
        self.reqparse.add_argument("redirectUri", type=str, required=True, location="json")
        self.reqparse.add_argument("code", type=str, required=True, location="json")

        args = self.reqparse.parse_args()

        # take the information we have received from the provider to create a new request
        params = {
            "client_id": args["clientId"],
            "grant_type": "authorization_code",
            "scope": "openid email profile address",
            "redirect_uri": args["redirectUri"],
            "code": args["code"],
        }

        # you can either discover these dynamically or simply configure them
        access_token_url = current_app.config.get("PING_ACCESS_TOKEN_URL")
        user_api_url = current_app.config.get("PING_USER_API_URL")

        # the secret and cliendId will be given to you when you signup for the provider
        token = "{0}:{1}".format(args["clientId"], current_app.config.get("PING_SECRET"))

        if sys.version_info >= (3, 0):
            basic = base64.b64encode(bytes(token, "utf-8"))
            headers = {"authorization": "basic {0}".format(basic.decode("utf-8"))}
        else:
            basic = base64.b64encode(token, "utf-8")
            headers = {"authorization": "basic {0}".format(basic)}

        # exchange authorization code for access token.

        r = requests.post(access_token_url, headers=headers, params=params)
        id_token = r.json()["id_token"]
        access_token = r.json()["access_token"]

        # fetch token public key
        header_data = fetch_token_header(id_token)
        jwks_url = current_app.config.get("PING_JWKS_URL")

        # retrieve the key material as specified by the token header
        r = requests.get(jwks_url)
        for key in r.json()["keys"]:
            if key["kid"] == header_data["kid"]:
                secret = get_rsa_public_key(key["n"], key["e"])
                algo = header_data["alg"]
                break
        else:
            return dict(message="Key not found"), 403

        # validate your token based on the key it was signed with
        try:
            if sys.version_info >= (3, 0):
                jwt.decode(id_token, secret.decode("utf-8"), algorithms=[algo], audience=args["clientId"])
            else:
                jwt.decode(id_token, secret, algorithms=[algo], audience=args["clientId"])
        except jwt.DecodeError:
            return dict(message="Token is invalid"), 403
        except jwt.ExpiredSignatureError:
            return dict(message="Token has expired"), 403
        except jwt.InvalidTokenError:
            return dict(message="Token is invalid"), 403

        user_params = dict(access_token=access_token, schema="profile")

        # retrieve information about the current user.
        r = requests.get(user_api_url, params=user_params)
        profile = r.json()

        user = user_service.get_by_email(profile["email"])
        metrics.send("successful_login", "counter", 1)

        # update their google 'roles'
        roles = []

        for group in profile["googleGroups"]:
            role = role_service.get_by_name(group)
            if not role:
                role = role_service.create(group, description="This is a google group based role created by Lemur")
            roles.append(role)

        role = role_service.get_by_name(profile["email"])
        if not role:
            role = role_service.create(profile["email"], description="This is a user specific role")
        roles.append(role)

        # if we get an sso user create them an account
        if not user:
            # every user is an operator (tied to a default role)
            if current_app.config.get("LEMUR_DEFAULT_ROLE"):
                v = role_service.get_by_name(current_app.config.get("LEMUR_DEFAULT_ROLE"))
                if v:
                    roles.append(v)

            user = user_service.create(
                profile["email"],
                get_psuedo_random_string(),
                profile["email"],
                True,
                profile.get("thumbnailPhotoUrl"),
                roles,
            )

        else:
            # we add 'lemur' specific roles, so they do not get marked as removed
            for ur in user.roles:
                if ur.authority_id:
                    roles.append(ur)

            # update any changes to the user
            user_service.update(
                user.id,
                profile["email"],
                profile["email"],
                True,
                profile.get("thumbnailPhotoUrl"),  # incase profile isn't google+ enabled
                roles,
            )

        # Tell Flask-Principal the identity changed
        identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))

        return dict(token=create_token(user))
コード例 #25
0
ファイル: views.py プロジェクト: kevgliss/lemur
    def post(self):
        self.reqparse.add_argument('clientId', type=str, required=True, location='json')
        self.reqparse.add_argument('redirectUri', type=str, required=True, location='json')
        self.reqparse.add_argument('code', type=str, required=True, location='json')

        args = self.reqparse.parse_args()

        # take the information we have received from the provider to create a new request
        params = {
            'client_id': args['clientId'],
            'grant_type': 'authorization_code',
            'scope': 'openid email profile address',
            'redirect_uri': args['redirectUri'],
            'code': args['code']
        }

        # you can either discover these dynamically or simply configure them
        access_token_url = current_app.config.get('PING_ACCESS_TOKEN_URL')
        user_api_url = current_app.config.get('PING_USER_API_URL')

        # the secret and cliendId will be given to you when you signup for the provider
        basic = base64.b64encode('{0}:{1}'.format(args['clientId'], current_app.config.get("PING_SECRET")))
        headers = {'Authorization': 'Basic {0}'.format(basic)}

        # exchange authorization code for access token.

        r = requests.post(access_token_url, headers=headers, params=params)
        id_token = r.json()['id_token']
        access_token = r.json()['access_token']

        # fetch token public key
        header_data = fetch_token_header(id_token)
        jwks_url = current_app.config.get('PING_JWKS_URL')

        # retrieve the key material as specified by the token header
        r = requests.get(jwks_url)
        for key in r.json()['keys']:
            if key['kid'] == header_data['kid']:
                secret = get_rsa_public_key(key['n'], key['e'])
                algo = header_data['alg']
                break
        else:
            return dict(message='Key not found'), 403

        # validate your token based on the key it was signed with
        try:
            jwt.decode(id_token, secret, algorithms=[algo], audience=args['clientId'])
        except jwt.DecodeError:
            return dict(message='Token is invalid'), 403
        except jwt.ExpiredSignatureError:
            return dict(message='Token has expired'), 403
        except jwt.InvalidTokenError:
            return dict(message='Token is invalid'), 403

        user_params = dict(access_token=access_token, schema='profile')

        # retrieve information about the current user.
        r = requests.get(user_api_url, params=user_params)
        profile = r.json()

        user = user_service.get_by_email(profile['email'])

        # update their google 'roles'
        roles = []

        for group in profile['googleGroups']:
            role = role_service.get_by_name(group)
            if not role:
                role = role_service.create(group, description='This is a google group based role created by Lemur')
            roles.append(role)

        # if we get an sso user create them an account
        # we still pick a random password in case sso is down
        if not user:

            # every user is an operator (tied to a default role)
            if current_app.config.get('LEMUR_DEFAULT_ROLE'):
                v = role_service.get_by_name(current_app.config.get('LEMUR_DEFAULT_ROLE'))
                if v:
                    roles.append(v)

            user = user_service.create(
                profile['email'],
                get_psuedo_random_string(),
                profile['email'],
                True,
                profile.get('thumbnailPhotoUrl'),
                roles
            )

        else:
            # we add 'lemur' specific roles, so they do not get marked as removed
            for ur in user.roles:
                if ur.authority_id:
                    roles.append(ur)

            # update any changes to the user
            user_service.update(
                user.id,
                profile['email'],
                profile['email'],
                True,
                profile.get('thumbnailPhotoUrl'),  # incase profile isn't google+ enabled
                roles
            )

        # Tell Flask-Principal the identity changed
        identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))

        return dict(token=create_token(user))
コード例 #26
0
ファイル: manage.py プロジェクト: intgr/lemur
    def run(self, password):
        create()
        user = user_service.get_by_username("lemur")

        admin_role = role_service.get_by_name('admin')

        if admin_role:
            sys.stdout.write("[-] Admin role already created, skipping...!\n")
        else:
            # we create an admin role
            admin_role = role_service.create('admin', description='This is the Lemur administrator role.')
            sys.stdout.write("[+] Created 'admin' role\n")

        operator_role = role_service.get_by_name('operator')

        if operator_role:
            sys.stdout.write("[-] Operator role already created, skipping...!\n")
        else:
            # we create an operator role
            operator_role = role_service.create('operator', description='This is the Lemur operator role.')
            sys.stdout.write("[+] Created 'operator' role\n")

        read_only_role = role_service.get_by_name('read-only')

        if read_only_role:
            sys.stdout.write("[-] Read only role already created, skipping...!\n")
        else:
            # we create an read only role
            read_only_role = role_service.create('read-only', description='This is the Lemur read only role.')
            sys.stdout.write("[+] Created 'read-only' role\n")

        if not user:
            if not password:
                sys.stdout.write("We need to set Lemur's password to continue!\n")
                password = prompt_pass("Password")
                password1 = prompt_pass("Confirm Password")

                if password != password1:
                    sys.stderr.write("[!] Passwords do not match!\n")
                    sys.exit(1)

            user_service.create("lemur", password, '*****@*****.**', True, None, [admin_role])
            sys.stdout.write("[+] Created the user 'lemur' and granted it the 'admin' role!\n")

        else:
            sys.stdout.write("[-] Default user has already been created, skipping...!\n")

        intervals = current_app.config.get("LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS", [])
        sys.stdout.write(
            "[!] Creating {num} notifications for {intervals} days as specified by LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS\n".format(
                num=len(intervals),
                intervals=",".join([str(x) for x in intervals])
            )
        )

        recipients = current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
        sys.stdout.write("[+] Creating expiration email notifications!\n")
        sys.stdout.write("[!] Using {0} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n".format(recipients))
        notification_service.create_default_expiration_notifications("DEFAULT_SECURITY", recipients=recipients)

        _DEFAULT_ROTATION_INTERVAL = 'default'
        default_rotation_interval = policy_service.get_by_name(_DEFAULT_ROTATION_INTERVAL)

        if default_rotation_interval:
            sys.stdout.write("[-] Default rotation interval policy already created, skipping...!\n")
        else:
            days = current_app.config.get("LEMUR_DEFAULT_ROTATION_INTERVAL", 30)
            sys.stdout.write("[+] Creating default certificate rotation policy of {days} days before issuance.\n".format(
                days=days))
            policy_service.create(days=days, name=_DEFAULT_ROTATION_INTERVAL)

        sys.stdout.write("[/] Done!\n")
コード例 #27
0
ファイル: service.py プロジェクト: bossadvisors/lemur
def create(kwargs):
    """
    Create a new authority.

    :return:
    """

    issuer = kwargs['plugin']['plugin_object']

    kwargs['creator'] = g.current_user.email
    cert_body, intermediate, issuer_roles = issuer.create_authority(kwargs)

    cert = Certificate(cert_body, chain=intermediate)
    cert.owner = kwargs['owner']

    if kwargs['type'] == 'subca':
        cert.description = "This is the ROOT certificate for the {0} sub certificate authority the parent \
                                authority is {1}.".format(kwargs.get('name'), kwargs.get('parent'))
    else:
        cert.description = "This is the ROOT certificate for the {0} certificate authority.".format(
            kwargs.get('name')
        )

    cert.user = g.current_user

    cert.notifications = notification_service.create_default_expiration_notifications(
        'DEFAULT_SECURITY',
        current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
    )

    # we create and attach any roles that the issuer gives us
    role_objs = []
    for r in issuer_roles:

        role = role_service.create(
            r['name'],
            password=r['password'],
            description="{0} auto generated role".format(issuer.title),
            username=r['username'])

        # the user creating the authority should be able to administer it
        if role.username == 'admin':
            g.current_user.roles.append(role)

        role_objs.append(role)

    authority = Authority(
        kwargs.get('name'),
        kwargs['owner'],
        issuer.slug,
        cert_body,
        description=kwargs['description'],
        chain=intermediate,
        roles=role_objs
    )

    database.update(cert)
    authority = database.create(authority)

    # the owning dl or role should have this authority associated with it
    owner_role = role_service.get_by_name(kwargs['owner'])

    if not owner_role:
        owner_role = role_service.create(kwargs['owner'])

    owner_role.authority = authority

    g.current_user.authorities.append(authority)

    return authority
コード例 #28
0
    def run(self, password):
        create()
        user = user_service.get_by_username("lemur")

        admin_role = role_service.get_by_name("admin")

        if admin_role:
            sys.stdout.write("[-] Admin role already created, skipping...!\n")
        else:
            # we create an admin role
            admin_role = role_service.create(
                "admin", description="This is the Lemur administrator role.")
            sys.stdout.write("[+] Created 'admin' role\n")

        operator_role = role_service.get_by_name("operator")

        if operator_role:
            sys.stdout.write(
                "[-] Operator role already created, skipping...!\n")
        else:
            # we create an operator role
            operator_role = role_service.create(
                "operator", description="This is the Lemur operator role.")
            sys.stdout.write("[+] Created 'operator' role\n")

        read_only_role = role_service.get_by_name("read-only")

        if read_only_role:
            sys.stdout.write(
                "[-] Read only role already created, skipping...!\n")
        else:
            # we create an read only role
            read_only_role = role_service.create(
                "read-only", description="This is the Lemur read only role.")
            sys.stdout.write("[+] Created 'read-only' role\n")

        if not user:
            if not password:
                sys.stdout.write(
                    "We need to set Lemur's password to continue!\n")
                password = prompt_pass("Password")
                password1 = prompt_pass("Confirm Password")

                if password != password1:
                    sys.stderr.write("[!] Passwords do not match!\n")
                    sys.exit(1)

            user_service.create("lemur", password, "*****@*****.**", True,
                                None, [admin_role])
            sys.stdout.write(
                "[+] Created the user 'lemur' and granted it the 'admin' role!\n"
            )

        else:
            sys.stdout.write(
                "[-] Default user has already been created, skipping...!\n")

        intervals = current_app.config.get(
            "LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS", [])
        sys.stdout.write(
            "[!] Creating {num} notifications for {intervals} days as specified by LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS\n"
            .format(num=len(intervals),
                    intervals=",".join([str(x) for x in intervals])))

        recipients = current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL")
        sys.stdout.write("[+] Creating expiration email notifications!\n")
        sys.stdout.write(
            "[!] Using {0} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n"
            .format(recipients))
        notification_service.create_default_expiration_notifications(
            "DEFAULT_SECURITY", recipients=recipients)

        _DEFAULT_ROTATION_INTERVAL = "default"
        default_rotation_interval = policy_service.get_by_name(
            _DEFAULT_ROTATION_INTERVAL)

        if default_rotation_interval:
            sys.stdout.write(
                "[-] Default rotation interval policy already created, skipping...!\n"
            )
        else:
            days = current_app.config.get("LEMUR_DEFAULT_ROTATION_INTERVAL",
                                          30)
            sys.stdout.write(
                "[+] Creating default certificate rotation policy of {days} days before issuance.\n"
                .format(days=days))
            policy_service.create(days=days, name=_DEFAULT_ROTATION_INTERVAL)

        sys.stdout.write("[/] Done!\n")
コード例 #29
0
ファイル: views.py プロジェクト: norsig/lemur
    def post(self):
        self.reqparse.add_argument('clientId',
                                   type=str,
                                   required=True,
                                   location='json')
        self.reqparse.add_argument('redirectUri',
                                   type=str,
                                   required=True,
                                   location='json')
        self.reqparse.add_argument('code',
                                   type=str,
                                   required=True,
                                   location='json')

        args = self.reqparse.parse_args()

        # take the information we have received from the provider to create a new request
        params = {
            'grant_type': 'authorization_code',
            'scope': 'openid email profile groups',
            'redirect_uri': args['redirectUri'],
            'code': args['code'],
        }

        # you can either discover these dynamically or simply configure them
        access_token_url = current_app.config.get('OAUTH2_ACCESS_TOKEN_URL')
        user_api_url = current_app.config.get('OAUTH2_USER_API_URL')
        verify_cert = current_app.config.get('OAUTH2_VERIFY_CERT', True)

        # the secret and cliendId will be given to you when you signup for the provider
        token = '{0}:{1}'.format(args['clientId'],
                                 current_app.config.get("OAUTH2_SECRET"))

        basic = base64.b64encode(bytes(token, 'utf-8'))

        headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
            'authorization': 'basic {0}'.format(basic.decode('utf-8'))
        }

        # exchange authorization code for access token.
        # Try Params first
        r = requests.post(access_token_url,
                          headers=headers,
                          params=params,
                          verify=verify_cert)
        if r.status_code == 400:
            r = requests.post(access_token_url,
                              headers=headers,
                              data=params,
                              verify=verify_cert)
        id_token = r.json()['id_token']
        access_token = r.json()['access_token']

        # fetch token public key
        header_data = fetch_token_header(id_token)
        jwks_url = current_app.config.get('OAUTH2_JWKS_URL')

        # retrieve the key material as specified by the token header
        r = requests.get(jwks_url, verify=verify_cert)
        for key in r.json()['keys']:
            if key['kid'] == header_data['kid']:
                secret = get_rsa_public_key(key['n'], key['e'])
                algo = header_data['alg']
                break
        else:
            return dict(message='Key not found'), 401

        # validate your token based on the key it was signed with
        try:
            if sys.version_info >= (3, 0):
                jwt.decode(id_token,
                           secret.decode('utf-8'),
                           algorithms=[algo],
                           audience=args['clientId'])
            else:
                jwt.decode(id_token,
                           secret,
                           algorithms=[algo],
                           audience=args['clientId'])
        except jwt.DecodeError:
            return dict(message='Token is invalid'), 401
        except jwt.ExpiredSignatureError:
            return dict(message='Token has expired'), 401
        except jwt.InvalidTokenError:
            return dict(message='Token is invalid'), 401

        headers = {'authorization': 'Bearer {0}'.format(access_token)}

        # retrieve information about the current user.
        r = requests.get(user_api_url, headers=headers, verify=verify_cert)
        profile = r.json()

        user = user_service.get_by_email(profile['email'])
        metrics.send('successful_login', 'counter', 1)

        # update with roles sent by identity provider
        roles = []

        if 'roles' in profile:
            for group in profile['roles']:
                role = role_service.get_by_name(group)
                if not role:
                    role = role_service.create(
                        group,
                        description=
                        'This is a group configured by identity provider',
                        third_party=True)
                if not role.third_party:
                    role = role_service.set_third_party(
                        role.id, third_party_status=True)
                roles.append(role)

        role = role_service.get_by_name(profile['email'])
        if not role:
            role = role_service.create(
                profile['email'],
                description='This is a user specific role',
                third_party=True)
        if not role.third_party:
            role = role_service.set_third_party(role.id,
                                                third_party_status=True)
        roles.append(role)

        # if we get an sso user create them an account
        if not user:
            # every user is an operator (tied to a default role)
            if current_app.config.get('LEMUR_DEFAULT_ROLE'):
                v = role_service.get_by_name(
                    current_app.config.get('LEMUR_DEFAULT_ROLE'))
                if not v.third_party:
                    v = role_service.set_third_party(v.id,
                                                     third_party_status=True)
                if v:
                    roles.append(v)

            user = user_service.create(profile['name'],
                                       get_psuedo_random_string(),
                                       profile['email'], True,
                                       profile.get('thumbnailPhotoUrl'), roles)

        else:
            # we add 'lemur' specific roles, so they do not get marked as removed
            for ur in user.roles:
                if not ur.third_party:
                    roles.append(ur)

            # update any changes to the user
            user_service.update(
                user.id,
                profile['name'],
                profile['email'],
                True,
                profile.get('thumbnailPhotoUrl'
                            ),  # incase profile isn't google+ enabled
                roles)

        # Tell Flask-Principal the identity changed
        identity_changed.send(current_app._get_current_object(),
                              identity=Identity(user.id))

        return dict(token=create_token(user))
コード例 #30
0
    def post(self):
        self.reqparse.add_argument('clientId',
                                   type=str,
                                   required=True,
                                   location='json')
        self.reqparse.add_argument('redirectUri',
                                   type=str,
                                   required=True,
                                   location='json')
        self.reqparse.add_argument('code',
                                   type=str,
                                   required=True,
                                   location='json')

        args = self.reqparse.parse_args()

        # take the information we have received from the provider to create a new request
        params = {
            'client_id': args['clientId'],
            'grant_type': 'authorization_code',
            'scope': 'openid email profile address',
            'redirect_uri': args['redirectUri'],
            'code': args['code']
        }

        # you can either discover these dynamically or simply configure them
        access_token_url = current_app.config.get('PING_ACCESS_TOKEN_URL')
        user_api_url = current_app.config.get('PING_USER_API_URL')

        # the secret and cliendId will be given to you when you signup for the provider
        basic = base64.b64encode('{0}:{1}'.format(
            args['clientId'], current_app.config.get("PING_SECRET")))
        headers = {'Authorization': 'Basic {0}'.format(basic)}

        # exchange authorization code for access token.

        r = requests.post(access_token_url, headers=headers, params=params)
        id_token = r.json()['id_token']
        access_token = r.json()['access_token']

        # fetch token public key
        header_data = fetch_token_header(id_token)
        jwks_url = current_app.config.get('PING_JWKS_URL')

        # retrieve the key material as specified by the token header
        r = requests.get(jwks_url)
        for key in r.json()['keys']:
            if key['kid'] == header_data['kid']:
                secret = get_rsa_public_key(key['n'], key['e'])
                algo = header_data['alg']
                break
        else:
            return dict(message='Key not found'), 403

        # validate your token based on the key it was signed with
        try:
            jwt.decode(id_token,
                       secret,
                       algorithms=[algo],
                       audience=args['clientId'])
        except jwt.DecodeError:
            return dict(message='Token is invalid'), 403
        except jwt.ExpiredSignatureError:
            return dict(message='Token has expired'), 403
        except jwt.InvalidTokenError:
            return dict(message='Token is invalid'), 403

        user_params = dict(access_token=access_token, schema='profile')

        # retrieve information about the current user.
        r = requests.get(user_api_url, params=user_params)
        profile = r.json()

        user = user_service.get_by_email(profile['email'])

        # update their google 'roles'
        roles = []

        for group in profile['googleGroups']:
            role = role_service.get_by_name(group)
            if not role:
                role = role_service.create(
                    group,
                    description=
                    'This is a google group based role created by Lemur')
            roles.append(role)

        # if we get an sso user create them an account
        # we still pick a random password in case sso is down
        if not user:

            # every user is an operator (tied to a default role)
            if current_app.config.get('LEMUR_DEFAULT_ROLE'):
                v = role_service.get_by_name(
                    current_app.config.get('LEMUR_DEFAULT_ROLE'))
                if v:
                    roles.append(v)

            user = user_service.create(profile['email'],
                                       get_psuedo_random_string(),
                                       profile['email'], True,
                                       profile.get('thumbnailPhotoUrl'), roles)

        else:
            # we add 'lemur' specific roles, so they do not get marked as removed
            for ur in user.roles:
                if ur.authority_id:
                    roles.append(ur)

            # update any changes to the user
            user_service.update(
                user.id,
                profile['email'],
                profile['email'],
                True,
                profile.get('thumbnailPhotoUrl'
                            ),  # incase profile isn't google+ enabled
                roles)

        # Tell Flask-Principal the identity changed
        identity_changed.send(current_app._get_current_object(),
                              identity=Identity(user.id))

        return dict(token=create_token(user))