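def pre(self, req, resp):
    """Authenticate an interactive CLI session before the request is handled.

    Reads the connection settings from the process environment:
    ``TAC_API`` (required) and ``TAC_USER`` (required), plus the optional
    ``TAC_DOMAIN`` and ``TAC_TENANT_ID`` scope.  The password is read from the
    terminal with getpass so it is never echoed or taken from the environment.
    The authenticated, scoped client is stored on ``g.api``.

    Args:
        req: the incoming request (unused here).
        resp: the outgoing response (unused here).

    Raises:
        AccessDenied: when TAC_API or TAC_USER is not set.
    """
    env = os.environ

    api_uri = env.get('TAC_API')
    if api_uri is None:
        raise AccessDenied('Require Tachyonic URI (TAC_API system environment)')
    print('API: %s' % api_uri)

    # No domain means the global scope.
    domain = env.get('TAC_DOMAIN')
    if domain is None:
        print('Domain: -*Global*-')
    else:
        print('Domain: %s' % domain)

    username = env.get('TAC_USER')
    if username is None:
        raise AccessDenied('Require Tachyonic Username (TAC_USER system environment)')
    print('Username: %s' % username)

    tenant_id = env.get('TAC_TENANT_ID')

    g.api = api = Client(api_uri)
    # NOTE(review): the prompt literal was garbled in the source listing;
    # 'Password: ' is the intact prefix and is used as the prompt.
    password = getpass(prompt='Password: ')
    api.authenticate(username, password, domain)
    api.scope(domain, tenant_id)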
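def scope_token(self, token, domain=None, tenant_id=None):
    """Re-issue *token* scoped to *domain* / *tenant_id*.

    The token is parsed (and therefore signature- and expiry-checked) via
    ``parse_token``; its ``user_id``, ``username`` and ``expire`` claims are
    carried over into a new token created with ``new_token``.

    A token that is already scoped to a different domain or tenant cannot be
    re-scoped.  (The original compared the token's ``tenant_id`` against
    *domain* — a copy-paste slip that let a token scoped to another tenant be
    re-scoped whenever the tenant id happened to differ from the domain name,
    and rejected a correct re-scope whenever it did not.)

    Args:
        token: the signed token to re-scope.
        domain: target domain, or None for the global scope.
        tenant_id: target tenant, or None.

    Raises:
        AccessDenied: when a required claim is missing, or when the token is
            already scoped to another domain or tenant.
    """
    self.parse_token(token)
    claims = self._token

    for key in ('user_id', 'username', 'expire'):
        if key not in claims:
            raise AccessDenied('%s not in token' % key)
    user_id = claims['user_id']
    username = claims['username']
    expire = claims['expire']

    # A token may only move from an unscoped state (None) to a scope, or be
    # re-scoped to the scope it already carries.
    current_domain = claims.get('domain')
    if current_domain is not None and current_domain != domain:
        raise AccessDenied('token already scoped in domain')

    current_tenant = claims.get('tenant_id')
    if current_tenant is not None and current_tenant != tenant_id:
        raise AccessDenied('token already scoped in tenant')

    self.new_token(user_id, username, domain, tenant_id, expire=expire)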
def _check_token(self, signature, token):
    """Verify *signature* over the raw *token* bytes with the app's token certificate.

    The certificate is ``<app_root>/token.cert``.  ``pki.verify`` is the
    project's verifier; its return value is stored on ``self._token_sig``.

    Raises:
        AccessDenied: when the verifier rejects the pair (logged as a warning
            first; the verifier's own message is not shown to the caller).
    """
    cert_path = '%s/token.cert' % g.app.app_root.rstrip('/')
    try:
        verified = pki.verify(cert_path, signature, token)
    except ValueError as err:
        log.warning('Invalid Token: %s' % err)
        raise AccessDenied('Invalid Token')
    self._token_sig = verified
def resource(self, req, resp):
    """Attach a PolicyEngine to *req* and enforce the route's policy tag.

    A route with no tag (``req.tag is None``) is not subject to policy.  For a
    tagged route the engine must validate the tag, otherwise the request is
    refused with an AccessDenied naming the rule, route and method.

    Args:
        req: the incoming request; ``req.policy`` is set here.
        resp: the outgoing response (unused here).

    Raises:
        AccessDenied: when the policy rule for ``req.tag`` does not validate.
    """
    policy = PolicyEngine(self._compiled, req=req)
    req.policy = policy

    tag = req.tag
    if tag is None:
        return
    if policy.validate(tag):
        return

    reason = [
        "Access Denied by Policy",
        " Rule '%s'" % tag,
        " Route '%s'" % req.route,
        " Method '%s'" % req.method,
    ]
    raise AccessDenied(''.join(reason))
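def parse_token(self, token):
    """Verify, decode and expiry-check a signed token, storing its claims on self.

    Wire format is ``<signature>!!!!<base64 payload>``.  The signature is
    checked (``_check_token``) *before* the payload is decoded, so unverified
    bytes never reach the base64/JSON decoders.  On success ``self._token``
    holds the decoded claims and ``self._token_sig`` the raw signature bytes.

    Malformed input (missing separator, undecodable payload, payload without
    an ``expire`` claim) is rejected with AccessDenied rather than leaking a
    ValueError/KeyError out of the handler.

    Args:
        token: the token as str or bytes.

    Raises:
        AccessDenied: for a malformed, unverifiable, undecodable or expired token.
    """
    self._initial()
    token = if_unicode_to_bytes(token)

    parts = token.split(b'!!!!')
    if len(parts) != 2:
        # A missing or repeated separator used to surface as a ValueError from
        # tuple unpacking; treat it like any other bad token.
        raise AccessDenied('Invalid Token')
    signature, payload = parts

    # Signature first. _check_token raises AccessDenied when verification fails.
    self._check_token(signature, payload)

    try:
        claims = js.loads(base64.b64decode(payload))
    except (ValueError, TypeError):
        # binascii.Error and json's decode error are ValueError subclasses;
        # NOTE(review): if `js` is not the stdlib json module, confirm its
        # decode error type is caught here.
        raise AccessDenied('Invalid Token')

    if not isinstance(claims, dict) or 'expire' not in claims:
        raise AccessDenied('Invalid Token')

    self._token = claims
    self._token_sig = signature

    # now()/utc() are project helpers; presumably both yield comparable
    # UTC datetimes — confirm against their definitions.
    if now() > utc(claims['expire']):
        raise AccessDenied('Token Expired')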
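def proxy(req, resp):
    """Forward the incoming request to the fixed upstream and relay its reply.

    The upstream URL is the hard-coded ``to`` plus the request's relative URI.
    The request method and body are passed through unchanged; every upstream
    response header except ``content-encoding`` is copied to *resp*, and the
    upstream ``content-type`` also becomes ``resp.content_type``.

    Args:
        req: the incoming request (method, relative_uri, query_params,
            form_dict and body are read).
        resp: the outgoing response; headers and content_type are set here.

    Returns:
        The upstream response body.

    Raises:
        AccessDenied: when ``scan`` rejects the query or form parameters.
    """
    # Deliberately a local constant, not a parameter: a caller- or
    # route-controlled target would turn this handler into an open proxy.
    to = 'http://www.google.com'
    remote = to + req.relative_uri

    # scan() is a project helper; from its use here it appears to return a
    # falsy value when the parameters look suspicious — confirm its contract.
    if not scan(req.query_params) or not scan(req.form_dict):
        resp.content_type = TEXT_HTML
        raise AccessDenied('no sql injection please')

    response = request(req.method, remote, req.read())

    for name in response.headers:
        lowered = name.lower()
        if lowered == 'content-encoding':
            # Not relayed; presumably request() hands back an already-decoded
            # body, so the upstream encoding no longer describes it — confirm.
            # NOTE(review): other hop-by-hop headers (e.g. transfer-encoding,
            # connection, content-length) are still copied verbatim.
            continue
        value = response.headers[name]
        resp.set_header(name, value)
        if lowered == 'content-type':
            resp.content_type = value

    return response.body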
def login(self, username, password, domain=None):
    """Authenticate *username* and return True, or refuse with AccessDenied.

    Delegates to ``self.authenticate``.  A failed attempt is logged (username
    only, never the password) before raising.

    Args:
        username: login name.
        password: the user's password.
        domain: authentication domain, or None.

    Returns:
        True when authentication succeeded.

    Raises:
        AccessDenied: when ``authenticate`` returns a falsy value.
    """
    authenticated = self.authenticate(username, password, domain)
    if not authenticated:
        log.warning('Invalid login credentials for %s' % username)
        raise AccessDenied('Invalid login credentials')
    return True