class AccessToken:
""" Access Token Util Class"""
def __init__(self):
self.__instance = JWT()
self.__algorithm = "RS256"
with open(get_root() + 'auth' + os.sep + 'jwtRS256_private.pem',
'rb') as fh:
self.__signing_key = jwk_from_pem(fh.read())
with open(get_root() + 'auth' + os.sep + 'jwtRS256_public.pem',
'rb') as fh:
self.__verifying_key = jwk_from_pem(fh.read())
def create_access_token(self,
*,
data: dict,
expires_delta: timedelta = None) -> str:
"""Create Access Token Using JWT with RSA256 Encryption"""
to_encode = data.copy()
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + timedelta(minutes=15)
to_encode.update({"ist": get_int_from_datetime(datetime.utcnow())})
to_encode.update({"exp": get_int_from_datetime(expire)})
encoded_jwt = self.__instance.encode(to_encode, self.__signing_key,
self.__algorithm)
return encoded_jwt
def decode_access_token(self, *, token: str) -> Dict:
""" Decode Access Token """
return self.__instance.decode(token,
self.__verifying_key,
do_time_check=False)
def generate_password_reset_token(self, email: str) -> str:
""" Generate Access Token for password Reset email"""
delta = timedelta(hours=EmailSettings.EMAIL_RESET_TOKEN_EXPIRE_HOURS)
now = datetime.utcnow()
expires = now + delta
encoded_jwt = self.__instance.encode(
{
"exp": get_int_from_datetime(expires),
"ist": get_int_from_datetime(now),
"sub": email
},
self.__signing_key,
alg=self.__algorithm,
)
return encoded_jwt
def verify_password_reset_token(self, token: str) -> Dict:
""" Decode Access Token """
return self.__instance.decode(token,
self.__verifying_key,
do_time_check=False)
def decorated_function(*args, **kwargs):
token = request.headers.get('token')
responseUnauthorized = make_response(jsonify({
'status': 'ng',
'data': {}
}), 401)
if token == None:
#Return unauthorize response
return responseUnauthorized
try:
with open('rsa_public_key.pem', 'rb') as fh:
verifying_key = jwk_from_pem(fh.read())
jwt = JWT()
data = jwt.decode(token, verifying_key)
logging.info(data)
user_id = data['data']['user_id']
user = User.query.filter_by(id = user_id).first()
user = user_schema.dump(user).data
if user == {}:
return responseUnauthorized
request.user = user
except:
#Return unauthorize response
return responseUnauthorized
return f(*args, **kwargs)
def verify_token(token):
jwt = JWT()
with open('public.pem', 'rb') as fh:
public_key = jwk_from_pem(fh.read())
payload = jwt.decode(token, public_key)
return payload
def token_validate(jwt):
# create jwt instance and get all daily public keys
jwt_object = JWT()
pub_keys = get_microsoft_pub_keys()
# get kid from header in jwt
real_kid = get_kid(jwt)
# default username and dec_msg
username = None
dec_msg = ValidationMsg.NO_KEY_FOUND
# check every public key looking for one used for signing this jwt
for p_key in pub_keys.get('keys'):
if p_key.get('kid') == real_kid:
# assemble jwk
jwk_dict = {
'kty': p_key['kty'],
'e': p_key['e'],
'n': p_key['n']
}
jwk = jwk_from_dict(jwk_dict)
try:
# perform decoding of the jwt while verifying integrity, authenticity and expiration
dec_payload = jwt_object.decode(jwt, jwk, do_time_check=True)
dec_msg = ValidationMsg.SUCCESS
username = dec_payload['preferred_username']
except:
# an error occurred while validating the jwt
dec_msg = ValidationMsg.FAILED
return username, dec_msg
def index():
access_token = oidc.get_access_token()
if access_token != None:
jwt = JWT()
info = jwt.decode(access_token, do_verify=False)
return jsonify(info)
else:
return "uh oh"
def check_jwt_token(self, value):
obj = JWT()
data = None
try:
data = obj.decode(value, key=self.verifying_key)
except Exception as e:
print(e)
return data
class TokenDecoder:
def __init__(self):
self.key_number = None
self.keys = None
self.jwt = JWT()
self.last_key_fetch = 0
self.min_key_fetch_time_range = 300.0
def decode(self, token):
logger.info("Checking token: {}".format(token))
if not self.keys:
self.keys = get_keys_from_dex()
self.last_key_fetch = time.time()
logger.info("Fetched keys from dex")
if self.key_number:
try:
logger.debug("Trying to decode key number {}".format(
self.key_number))
return self.jwt.decode(token, self.keys[self.key_number])
except Exception as e:
logger.info("Failed to decode token with default key")
logger.debug(e)
pass
for idx, key in enumerate(self.keys):
try:
logger.info("Trying key number : {}".format(idx))
decoded = self.jwt.decode(token, key)
self.key_number = idx
logger.info("Decoded")
return decoded
except Exception as e:
logger.info("Failed to decode token, reason: {}".format(
str(e)))
stacktrace = traceback.format_exc()
logger.debug(stacktrace)
pass
logger.info("Failed to verify token with any available key")
if self.last_key_fetch < time.time() - self.min_key_fetch_time_range:
logger.info("Fetching new keys from dex and trying again")
self.keys = None
return self.decode(token)
return None
def get_exp(token):
jwt = JWT()
keys_cache = KeyCache(OAUTH_PROVIDERS, datetime.timedelta(minutes=10))
keys = keys_cache.get_keys()
for key in keys:
try:
user_info = jwt.decode(token, key['key'])
return datetime.datetime.utcfromtimestamp(user_info['exp'])
except Exception as e: # todo catch only corresponding exceptions here
pass
return None
def get_jwt():
if "auth" not in request.cookies:
return False
jwt = JWT()
try:
if "none" not in base64.urlsafe_b64decode(request.cookies["auth"].split(".")[0] + "========").decode("utf-8").lower():
msg = jwt.decode(request.cookies["auth"], jwk.OctetJWK(bytes(JWT_SECRET, "utf-8")))
else:
msg = json.loads(base64.urlsafe_b64decode(request.cookies["auth"].split(".")[1] + "========").decode("utf-8"))
except Exception as e:
print(e)
return False
return msg
def validate_access_token(self):
error = ""
instance = JWT()
for key in self._openid_conf["signing_keys"]:
try:
# Validate token and return claims
verifying_key = jwk_from_dict(key)
return instance.decode(
self.token["access_token"], verifying_key, do_time_check=True
)
except JWTDecodeError as exc:
error = str(exc)
raise OAuth2Error(error)
def get_system_user_ticket(self, sys_token, context_id):
"""
returns Ticket credential string.
Attributes
----------
sys_token : str
the tenant-specific system user token.
context_id : str
the customer identifier, i.e. Cust12345.
"""
time_utc = datetime.utcnow()
time_formatted = datetime.strftime(time_utc, "%Y%m%d%H%M")
system_token = sys_token + '.' + time_formatted
key = crypto.load_privatekey(crypto.FILETYPE_PEM, self.private_key)
signature = crypto.sign(key, system_token, 'sha256')
signed_system_token = system_token + "." + \
b64encode(signature).decode('UTF-8')
headers = OrderedDict([('ApplicationToken', self.application_token),
('ContextIdentifier', context_id)])
client = Client('file:%s' % self.wsdl_path)
client.set_options(soapheaders=headers)
client.set_options(
location='https://{env}.superoffice.com/{endpoint}'.format(
env=self.environment, endpoint=self.login_endpoint))
token_type = client.factory.create('TokenType')['Jwt']
response = client.service.Authenticate(signed_system_token, token_type)
if response.IsSuccessful == True:
jwt_token = response.Token
print('Reponse: ' + str(response))
jwt = JWT()
jwksResponse = requests.get(
'https://{env}.superoffice.com/login/.well-known/jwks'.format(
env=self.environment))
jwks = json.loads(jwksResponse.text)
verifying_key = jwk_from_dict(jwks['keys'][0])
message_received = jwt.decode(jwt_token, verifying_key)
return str(message_received[
'http://schemes.superoffice.net/identity/ticket'])
return 'Failed!'
def verify_token(token):
region = 'eu-west-2'
userpool_id = 'eu-west-2_6Mn0M2i9C'
keys_url = 'https://cognito-idp.{}.amazonaws.com/{}/.well-known/jwks.json'.format(
region, userpool_id)
response = requests.get(keys_url).json()
try:
for key in response["keys"]:
verifying_key = jwk_from_dict(key)
jwt = JWT()
return jwt.decode(token, verifying_key)
except Exception as e:
print(e)
return None
def loadCredentials(config):
if not config["tokenfile"]:
quit("You have to provide a token file.")
logging.CRITICAL("You have to provide a token file.")
else:
logging.debug(f"Reading token info from: <{config['tokenfile']}>")
with open(config["tokenfile"], "r") as f:
token = json.load(f)
config["access_token"] = token["access_token"]
config["refresh_token"] = token["refresh_token"]
token = JWT()
decoded_token = token.decode(config["access_token"],
do_verify=False,
algorithms="HS256")
config["user_id"] = decoded_token["user_id"]
class TokenHandler:
def __init__(self):
self.jwt = JWT()
self.key = get_key()
def generate_token(self, user):
payload = {
'id': user.id,
'username': user.username,
'admin': user.is_staff
}
return {'token': self.jwt.encode(payload, self.key, 'RS256')}
def decode_token(self, token):
return self.jwt.decode(token, self.key, 'RS256')
def get_user_id_token(self, token):
payload = self.decode_token(token)
return payload["id"]
def get_user_from_req():
auth_header = request.headers.get('Authorization')
if auth_header:
auth_token = auth_header.split(" ")[1]
else:
auth_token = ''
if auth_token:
jwt = JWT()
m = jwt.decode(auth_token, jwt_key_pub)
user_id = m['sub']
user = datastore.find_user_by_id(user_id)
now = datetime.now()
exp = datetime.utcfromtimestamp(m['exp'])
if m['iss'] == 'dc_games' and user and exp > now:
return user
else:
return None
else:
return None
def obtainCredentials(config):
logger.info("Getting auth token")
if config["verbose"]:
logging.info("Getting auth token")
if (config["clientid"] and config["clientsecret"] and config["username"]
and config["password"]):
if config["verbose"]:
logging.info("All required parameters passed for auth token")
url = "https://api.flumetech.com/oauth/token"
payload = ('{"grant_type":"password","client_id":"' +
config["clientid"] + '","client_secret":"' +
config["clientsecret"] + '","username":"******"username"] + '","password":"******"password"] +
'"}')
headers = {"content-type": "application/json"}
resp = requests.request("POST", url, data=payload, headers=headers)
logging.info(f"Response from server: {resp.text}")
dataJSON = json.loads(resp.text)
if dataJSON["http_code"] == 200:
logging.info("Got 200 response from auth token request.")
config["access_token"] = dataJSON["data"][0]["access_token"]
token = JWT()
decoded_token = token.decode(config["access_token"],
do_verify=False,
algorithms="HS256")
config["user_id"] = decoded_token["user_id"]
config["refresh_token"] = dataJSON["data"][0]["refresh_token"]
if config["tokenfile"]:
outline = {}
outline["access_token"] = config["access_token"]
outline["refresh_token"] = config["refresh_token"]
logging.info("Saving access and refresh token to : " +
config["tokenfile"])
logging.debug(outline)
f = open(config["tokenfile"], "w")
f.write(json.dumps(outline))
f.close()
else:
logging.CRITICAL("ERROR: Failed to obtain credentials")
def login(self, email, password):
r = self.post('/auth/login', {'email': email, 'password': password})
r_json = json.loads(r.text)
if 'status' in r_json and r_json['status'] == 'success':
if r_json['auth_token']:
self.auth_token = r_json['auth_token']
jwt = JWT()
decoded_payload = JWT.decode(jwt,
self.auth_token,
do_verify=False)
self.sub = decoded_payload['sub']
self.team_name = decoded_payload['team_name']
self.team_researcher = decoded_payload['team_researcher']
self.admin = decoded_payload['admin']
self.session.headers.update(
{'Authorization': 'Bearer ' + self.auth_token})
return True
return False
def set_request(self, request, action=None):
log_date = datetime.now()
user_ip = request.remote_addr
action_detail = request.json
instance = JWT()
username = None
if 'token' in action_detail:
token = action_detail['token']
decode = instance.decode(token, self.signing_key)
username = decode['user_name']
del action_detail['token']
if 'action' in action_detail:
action = action_detail['action']
module_ip = check_output(['hostname', '--all-ip-addresses'
]).decode("utf-8").strip()
system_name = check_output(['hostname']).decode("utf-8").strip()
try:
PostGre().set_user_log(self.get_serial(), system_name, username,
user_ip, log_date, action,
json.dumps(action_detail), module_ip)
except Exception as e:
print(e)
def verify_jwt(token) -> object:
signing_key = get_signing_key()
instance = JWT()
return instance.decode(token, signing_key)
def check_auth(self, token, allowed_roles, resource, method):
# TODO: konami code!! Remove when release
# TODO:____________KONAMI CODE START______________________
sub = None
issuer = None
role = None
if token == "UUDDLRLRBA1":
role = "prosumer"
sub = "11111111-1111-1111-1111-111111111111"
issuer = "http://217.182.160.171:9042"
if token == "UUDDLRLRBA11":
role = "prosumer"
sub = "11111111-1111-1111-1111-111111111112"
issuer = "http://217.182.160.171:9043"
if token == "UUDDLRLRBA2":
role = "aggregator"
sub = "22222222-2222-2222-2222-222222222222"
issuer = "http://217.182.160.171:9043"
if token == "UUDDLRLRBA3":
role = "service"
sub = "33333333-3333-3333-3333-333333333333"
issuer = ""
# TODO:____________KONAMI CODE END______________________
if sub is None:
mw_oauth = OAUTH_PROVIDERS[CLIENT_OAUTH]['url']
jwt = JWT()
keys_cache = KeyCache(OAUTH_PROVIDERS, timedelta(minutes=10))
keys = keys_cache.get_keys()
user_info = None
key = None
for key in keys:
try:
user_info = jwt.decode(token, key['key'])
key = key
break
except Exception as e: # todo catch only corresponding exceptions here
pass
if not user_info:
return False
else:
issuer = user_info['iss']
expiration = datetime.utcfromtimestamp(user_info['exp'])
if 'role' in user_info:
role = user_info['role']
if 'sub' in user_info:
sub = user_info['sub']
if role == 'service' and 'clientId' in user_info:
sub = user_info['clientId']
now_time = datetime.utcnow()
if expiration < now_time:
return False
if issuer != key['iss']:
return False
# Roles different to prosumer or aggregator (like 'service' or 'admin') are only accepted
# if issued by the middleware's oAuth server
if role != 'prosumer' and role != 'aggregator' and issuer != mw_oauth:
return False
if sub is None:
raise AuthenticationException(
"No sub was detected, this should not happen")
if issuer is None: # make sure the code above has catched all conditions
raise AuthenticationException(
"No issuer was detected, this should not happen")
if role is None:
raise AuthenticationException(
"No role was detected, this should not happen")
request.role = role
request.account_id = sub
request.aggregator_id = urlsplit(issuer).netloc
return True
def check_auth(self, token):
# TODO: konami code!! Remove when release
# TODO:____________KONAMI CODE START______________________
sub = None
issuer = None
role = None
if token == "UUDDLRLRBA1":
role = "prosumer"
sub = "11111111-1111-1111-1111-111111111111"
issuer = "http://217.182.160.171:9042"
if token == "UUDDLRLRBA11":
role = "prosumer"
sub = "11111111-1111-1111-1111-111111111112"
issuer = "http://217.182.160.171:9043"
if token == "UUDDLRLRBA2":
role = "aggregator"
sub = "22222222-2222-2222-2222-222222222222"
issuer = "http://217.182.160.171:9043"
if token == "UUDDLRLRBA3":
role = "service"
sub = "33333333-3333-3333-3333-333333333333"
issuer = ""
# TODO:____________KONAMI CODE END______________________
if sub is None:
jwt = JWT()
keys_cache = KeyCache(OAUTH_PROVIDERS, timedelta(minutes=10))
keys = keys_cache.get_keys()
user_info = None
key = None
for key in keys:
try:
user_info = jwt.decode(token, key['key'])
key = key
break
except Exception as e: # todo catch only corresponding exceptions here
pass
if not user_info:
return False
else:
issuer = user_info['iss']
expiration = datetime.utcfromtimestamp(user_info['exp'])
role = user_info['role']
sub = user_info['sub']
now_time = datetime.utcnow()
if expiration < now_time:
return False
if issuer != key['iss']:
return False
if sub is None:
raise AuthenticationException(
"No role was detected, this should not happen")
if issuer is None: # make sure the code above has catched all conditions
raise AuthenticationException(
"No issuer was detected, this should not happen")
if role is None:
raise AuthenticationException(
"No role was detected, this should not happen")
request.role = role
request.account_id = sub
request.aggregator_id = urlsplit(issuer).netloc
return True
