def create_user_token_from_globus_profile(profile, access_token):
"""
Use this method on your Resource Provider (Like Atmosphere)
to exchange a profile (that was retrieved via a tokeninfo endpoint)
for a UserToken that can then be internally validated in an 'authorize' authBackend step..
"""
logger.info(profile)
expiry = profile['exp'] # This is an 'epoch-int'
expiry = _extract_expiry_date(expiry)
issued_at = profile['iat']
raw_username = profile['username'] # username@login_auth.com
raw_name = profile['name']
email = profile['email']
username = _extract_user_from_email(raw_username)
first_name, last_name = _extract_first_last_name(raw_name)
profile_dict = {
'username':username,
'firstName':first_name,
'lastName':last_name,
'email': email,
}
user = get_or_create_user(username, profile_dict)
user_token = create_token(user.username, access_token, expiry)
return user_token
def get(self, request, username):
"""
Create a new token in the database on behalf of 'username'
Returns success 201 Created - Body is JSON and contains
"""
params = request.data
user = request.user
if not username:
return Response("Username was not provided",
status=status.HTTP_400_BAD_REQUEST)
if user.username is not 'admin' and not user.is_superuser:
logger.error("URGENT! User: %s is attempting to emulate a user!"
% user.username)
return Response("Only admin and superusers can emulate accounts. "
"This offense has been reported",
status=status.HTTP_401_UNAUTHORIZED)
if not AtmosphereUser.objects.filter(username=username):
return Response("Username %s does not exist as an AtmosphereUser"
% username, status=status.HTTP_404_NOT_FOUND)
# User is authenticated, username exists. Make a token for them.
token = create_token(username, issuer="DRF-EmulatedUser")
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
# Extra data passed only on emulation..
"emulator": request.user.username,
# Normal token data..
"token": token.key,
"username": token.user.username,
"expires": expireTime.strftime("%b %d, %Y %H:%M:%S")
}
return Response(auth_json, status=status.HTTP_201_CREATED)
def get(self, request, username):
"""
Create a new token in the database on behalf of 'username'
Returns success 201 Created - Body is JSON and contains
"""
params = request.data
user = request.user
if not username:
return Response("Username was not provided",
status=status.HTTP_400_BAD_REQUEST)
if user.username is not 'admin' and not user.is_superuser:
logger.error("URGENT! User: %s is attempting to emulate a user!" %
user.username)
return Response(
"Only admin and superusers can emulate accounts. "
"This offense has been reported",
status=status.HTTP_401_UNAUTHORIZED)
if not AtmosphereUser.objects.filter(username=username):
return Response("Username %s does not exist as an AtmosphereUser" %
username,
status=status.HTTP_404_NOT_FOUND)
# User is authenticated, username exists. Make a token for them.
token = create_token(username, issuer="DRF-EmulatedUser")
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
# Extra data passed only on emulation..
"emulator": request.user.username,
# Normal token data..
"token": token.key,
"username": token.user.username,
"expires": expireTime.strftime("%b %d, %Y %H:%M:%S")
}
return Response(auth_json, status=status.HTTP_201_CREATED)
def create_token_from_jwt(self, jwt_assertion):
"""
This method point represents the 'entry point'
"""
decoded_assertion = self.decode_assertion(jwt_assertion)
user, expiration = self.validate_assertion(decoded_assertion)
auth_token = create_token(user.username, expiration)
return auth_token
def _token_for_username(self, username):
token = create_token(username, issuer="DRF")
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
"token": token.key,
"username": token.user.username,
"expires": expireTime.strftime("%b %d, %Y %H:%M:%S"),
}
return Response(auth_json, status=status.HTTP_201_CREATED)
def _token_for_username(self, username):
token = create_token(username, issuer="DRF")
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
'token': token.key,
'username': token.user.username,
'expires': expireTime.strftime("%b %d, %Y %H:%M:%S")
}
return Response(auth_json, status=status.HTTP_201_CREATED)
def get(self, request):
user = request.user
if not user.is_authenticated():
return Response(
"Logged-in User or POST required " "to retrieve AuthToken", status=status.HTTP_403_FORBIDDEN
)
token = lookupSessionToken(request)
if not token:
token = create_token(user.username)
serialized_data = TokenSerializer(token).data
return Response(serialized_data, status=status.HTTP_200_OK)
def get(self, request):
user = request.user
if not user.is_authenticated():
return Response("Logged-in User or POST required "
"to retrieve AuthToken",
status=status.HTTP_403_FORBIDDEN)
token = lookupSessionToken(request)
if not token:
token = create_token(user.username)
serialized_data = TokenSerializer(token).data
return Response(serialized_data, status=status.HTTP_200_OK)
def retrieve(self, *args, **kwargs):
user = self.request.user
# data = self.request.data
username = kwargs.get('username')
expireDate = timezone.now() + secrets.TOKEN_EXPIRY_TIME
new_token = create_token(
username,
token_key='EMULATED-'+str(uuid4()),
remote_ip=request.META['REMOTE_ADDR'],
token_expire=expireDate,
issuer="DRF-EmulatedToken-%s" % user.username)
serialized_data = TokenSerializer(new_token, context={'request':self.request}).data
return Response(serialized_data, status=status.HTTP_201_CREATED)
def retrieve(self, *args, **kwargs):
user = self.request.user
# data = self.request.data
username = kwargs.get('username')
expireDate = timezone.now() + secrets.TOKEN_EXPIRY_TIME
new_token = create_token(username,
token_key='EMULATED-' + str(uuid4()),
remote_ip=request.META['REMOTE_ADDR'],
token_expire=expireDate,
issuer="DRF-EmulatedToken-%s" % user.username)
serialized_data = TokenSerializer(new_token,
context={
'request': self.request
}).data
return Response(serialized_data, status=status.HTTP_201_CREATED)
def emulate_session(request, username=None):
try:
logger.info("Emulate attempt: %s wants to be %s"
% (request.user, username))
logger.info(request.session.__dict__)
if not username and 'emulated_by' in request.session:
logger.info("Clearing emulation attributes from user")
request.session['username'] = request.session['emulated_by']
del request.session['emulated_by']
# Allow user to fall through on line below
try:
user = AtmosphereUser.objects.get(username=username)
except AtmosphereUser.DoesNotExist:
logger.info("Emulate attempt failed. User <%s> does not exist"
% username)
return HttpResponseRedirect(
settings.REDIRECT_URL +
"/api/v2")
logger.info("Emulate success, creating tokens for %s" % username)
expireDate = timezone.now() + secrets.TOKEN_EXPIRY_TIME
token = create_token(
username,
token_key='EMULATED-'+str(uuid4()),
token_expire=expireDate,
remote_ip=request.META['REMOTE_ADDR'],
issuer="DRF-EmulatedSession-%s" % user.username)
token.save()
# Keep original emulator if it exists, or use the last known username
original_emulator = request.session.get(
'emulated_by', request.session['username'])
request.session['emulated_by'] = original_emulator
# Set the username to the user to be emulated
# to whom the token also belongs
request.session['username'] = username
request.session['token'] = token.key
logger.info("Returning emulated user - %s - to api root "
% username)
logger.info(request.session.__dict__)
logger.info(request.user)
serialized_data = TokenSerializer(token, context={'request': request}).data
return Response(serialized_data, status=status.HTTP_201_CREATED)
except Exception as e:
logger.warn("Emulate request failed")
logger.exception(e)
return HttpResponseRedirect(settings.REDIRECT_URL + "/api/v2")
def emulate_session(request, username=None):
try:
logger.info("Emulate attempt: %s wants to be %s" %
(request.user, username))
logger.info(request.session.__dict__)
if not username and 'emulated_by' in request.session:
logger.info("Clearing emulation attributes from user")
request.session['username'] = request.session['emulated_by']
del request.session['emulated_by']
# Allow user to fall through on line below
try:
user = AtmosphereUser.objects.get(username=username)
except AtmosphereUser.DoesNotExist:
logger.info("Emulate attempt failed. User <%s> does not exist" %
username)
return HttpResponseRedirect(settings.REDIRECT_URL + "/api/v2")
logger.info("Emulate success, creating tokens for %s" % username)
expireDate = timezone.now() + secrets.TOKEN_EXPIRY_TIME
token = create_token(username,
token_key='EMULATED-' + str(uuid4()),
token_expire=expireDate,
remote_ip=request.META['REMOTE_ADDR'],
issuer="DRF-EmulatedSession-%s" % user.username)
token.save()
# Keep original emulator if it exists, or use the last known username
original_emulator = request.session.get('emulated_by',
request.session['username'])
request.session['emulated_by'] = original_emulator
# Set the username to the user to be emulated
# to whom the token also belongs
request.session['username'] = username
request.session['token'] = token.key
logger.info("Returning emulated user - %s - to api root " % username)
logger.info(request.session.__dict__)
logger.info(request.user)
serialized_data = TokenSerializer(token, context={
'request': request
}).data
return Response(serialized_data, status=status.HTTP_201_CREATED)
except Exception as e:
logger.warn("Emulate request failed")
logger.exception(e)
return HttpResponseRedirect(settings.REDIRECT_URL + "/api/v2")
def globus_validate_code(request):
"""
This flow is used to create a new Token on behalf of a Service Client
(Like Troposphere)
Validates 'code' returned from the IdP
If valid: Return new AuthToken to be passed to the Resource Provider.
else: Return None
"""
code = request.GET['code']
if not code:
#raise Exception("NO Code found!")
return None
if type(code) == list:
code = code[0]
flow = globus_initFlow()
try:
credentials = flow.step2_exchange(code)
logger.info(credentials.__dict__)
except OAuthError as err:
logger.exception("Error exchanging code w/ globus")
return None
# Parsing
token_profile = credentials.id_token
user_access_token = credentials.access_token
expiry_date = credentials.token_expiry
raw_username = token_profile['preferred_username']
email = token_profile['email']
username = _extract_user_from_email(raw_username)
if not username:
logger.info("User %s is not part of the 'valid mapping' and will be skipped!" % raw_username)
return None
full_name = token_profile['name']
issuer = token_profile['iss']
# Creation
first_name, last_name = _extract_first_last_name(full_name)
user_profile = {
'username':username,
'firstName':first_name,
'lastName':last_name,
'email': email,
}
user = get_or_create_user(username, user_profile)
auth_token = create_token(username, user_access_token, expiry_date, issuer)
return auth_token
