def update_user(self, user_id, user): with sql.session_for_write() as session: user_ref = self._get_user(session, user_id) old_user_dict = user_ref.to_dict() for k in user: old_user_dict[k] = user[k] new_user = model.User.from_dict(old_user_dict) for attr in model.User.attributes: if attr not in model.User.readonly_attributes: setattr(user_ref, attr, getattr(new_user, attr)) # Move the "_resource_options" attribute over to the real user_ref # so that resource_options.resource_options_ref_to_mapper can # handle the work. setattr(user_ref, '_resource_options', getattr(new_user, '_resource_options', {})) # Move options into the proper attribute mapper construct resource_options.resource_options_ref_to_mapper( user_ref, model.UserOption) if 'password' in user: user_ref.password = user['password'] if self._change_password_required(user_ref): expires_now = datetime.datetime.utcnow() user_ref.password_ref.expires_at = expires_now user_ref.extra = new_user.extra return base.filter_user( user_ref.to_dict(include_extra_dict=True))
def create_user(self, user_id, user): user = utils.hash_user_password(user) with sql.session_for_write() as session: user_ref = model.User.from_dict(user) user_ref.created_at = datetime.datetime.utcnow() session.add(user_ref) return base.filter_user(user_ref.to_dict())
def get_federated_users(self, hints): with sql.session_for_read() as session: query = session.query(model.User).outerjoin(model.LocalUser) query = query.filter(model.User.id == model.FederatedUser.user_id) query = self._update_query_with_federated_statements(hints, query) user_refs = sql.filter_limit_query(model.User, query, hints) return [identity_base.filter_user(x.to_dict()) for x in user_refs]
def list_users(self, hints): with sql.session_for_read() as session: query = session.query(model.User).outerjoin(model.LocalUser) query, hints = self._create_password_expires_query( session, query, hints) user_refs = sql.filter_limit_query(model.User, query, hints) return [base.filter_user(x.to_dict()) for x in user_refs]
def _create_user(self, user_dict, last_active_at): user_dict['id'] = uuid.uuid4().hex with sql.session_for_write() as session: user_ref = model.User.from_dict(user_dict) user_ref.last_active_at = last_active_at session.add(user_ref) return base.filter_user(user_ref.to_dict())
def update_user(self, user_id, user): with sql.session_for_write() as session: user_ref = self._get_user(session, user_id) old_user_dict = user_ref.to_dict() for k in user: old_user_dict[k] = user[k] new_user = model.User.from_dict(old_user_dict) for attr in model.User.attributes: if attr not in model.User.readonly_attributes: setattr(user_ref, attr, getattr(new_user, attr)) # Move the "_resource_options" attribute over to the real user_ref # so that resource_options.resource_options_ref_to_mapper can # handle the work. setattr(user_ref, '_resource_options', getattr(new_user, '_resource_options', {})) # Move options into the proper attribute mapper construct resource_options.resource_options_ref_to_mapper( user_ref, model.UserOption) if 'password' in user: user_ref.password = user['password'] if self._change_password_required(user_ref): expires_now = datetime.datetime.utcnow() user_ref.password_ref.expires_at = expires_now user_ref.extra = new_user.extra return base.filter_user(user_ref.to_dict(include_extra_dict=True))
def _create_user(self, user_dict): user_dict['id'] = uuid.uuid4().hex user_dict = utils.hash_user_password(user_dict) with sql.session_for_write() as session: user_ref = model.User.from_dict(user_dict) session.add(user_ref) return base.filter_user(user_ref.to_dict())
def list_users(self, hints): with sql.session_for_read() as session: query = session.query(model.User).outerjoin(model.LocalUser) query, hints = self._create_password_expires_query(session, query, hints) user_refs = sql.filter_limit_query(model.User, query, hints) return [base.filter_user(x.to_dict()) for x in user_refs]
def list_users_in_group(self, group_id, hints): with sql.session_for_read() as session: self.get_group(group_id) query = session.query(User).outerjoin(LocalUser) query = query.join(UserGroupMembership) query = query.filter(UserGroupMembership.group_id == group_id) query = sql.filter_limit_query(User, query, hints) return [base.filter_user(u.to_dict()) for u in query]
def _create_user_with_federated_user(self, user, fed_dict): with sql.session_for_write() as session: federated_ref = model.FederatedUser.from_dict(fed_dict) user_ref = model.User.from_dict(user) user_ref.created_at = datetime.datetime.utcnow() user_ref.federated_users.append(federated_ref) session.add(user_ref) return identity_base.filter_user(user_ref.to_dict())
def create_federated_user(self, federated_dict): user = {"id": uuid.uuid4().hex, "enabled": True} with sql.session_for_write() as session: federated_ref = model.FederatedUser.from_dict(federated_dict) user_ref = model.User.from_dict(user) user_ref.federated_users.append(federated_ref) session.add(user_ref) return identity_base.filter_user(user_ref.to_dict())
def create_federated_user(self, federated_dict): user = {'id': uuid.uuid4().hex, 'enabled': True} with sql.session_for_write() as session: federated_ref = model.FederatedUser.from_dict(federated_dict) user_ref = model.User.from_dict(user) user_ref.federated_users.append(federated_ref) session.add(user_ref) return identity_base.filter_user(user_ref.to_dict())
def _create_user(self, user_dict, password_created_at): user_dict = utils.hash_user_password(user_dict) with sql.session_for_write() as session: user_ref = model.User.from_dict(user_dict) user_ref.password_ref.created_at = password_created_at user_ref.password_ref.expires_at = ( user_ref._get_password_expires_at(password_created_at)) session.add(user_ref) return base.filter_user(user_ref.to_dict())
def get_federated_user(self, idp_id, protocol_id, unique_id): # NOTE(notmorgan): Open a session here to ensure .to_dict is called # within an active session context. This will prevent lazy-load # relationship failure edge-cases # FIXME(notmorgan): Eventually this should not call `to_dict` here and # rely on something already in the session context to perform the # `to_dict` call. with sql.session_for_read(): user_ref = self._get_federated_user(idp_id, protocol_id, unique_id) return identity_base.filter_user(user_ref.to_dict())
def get_user_by_name(self, user_name, domain_id): LOG.debug("Called get_user_by_name %s, %s" % (user_name, domain_id)) # try SQL first try: user = super(Identity, self).get_user_by_name(user_name, domain_id) except exception.UserNotFound: # then try LDAP return base.filter_user(self.user.get_by_name(user_name)) else: return user
def get_user(self, user_id): LOG.debug("Called get_user %s" % user_id) with sql.session_for_read() as session: user = self._get_user(session, user_id) try: user = user.to_dict() except AttributeError: # LDAP Users are already dicts which is fine pass return base.filter_user(user)
def authenticate(self, user_id, password): with sql.session_for_read() as session: user_ref = None try: user_ref = self._get_user(session, user_id) except exception.UserNotFound: raise AssertionError(_('Invalid user / password')) if not self._check_password(password, user_ref): raise AssertionError(_('Invalid user / password')) return base.filter_user(user_ref.to_dict())
def get_user_by_name(self, user_name, domain_id): with sql.session_for_read() as session: query = session.query(User).join(LocalUser) query = query.filter(sqlalchemy.and_(LocalUser.name == user_name, LocalUser.domain_id == domain_id)) try: user_ref = query.one() except sql.NotFound: raise exception.UserNotFound(user_id=user_name) return base.filter_user(user_ref.to_dict())
def _create_user(self, user_dict, password_created_at): # Bypass business logic and go straight for the identity driver # (SQL in this case) driver = self.identity_api.driver driver.create_user(user_dict['id'], user_dict) with sql.session_for_write() as session: user_ref = session.query(model.User).get(user_dict['id']) user_ref.password_ref.created_at = password_created_at user_ref.password_ref.expires_at = ( user_ref._get_password_expires_at(password_created_at)) return base.filter_user(user_ref.to_dict())
def create_user(self, user_id, user): with sql.session_for_write() as session: user_ref = model.User.from_dict(user) if self._change_password_required(user_ref): user_ref.password_ref.expires_at = datetime.datetime.utcnow() user_ref.created_at = datetime.datetime.utcnow() session.add(user_ref) # Set resource options passed on creation resource_options.resource_options_ref_to_mapper( user_ref, model.UserOption) return base.filter_user(user_ref.to_dict())
def _create_user(self, user_dict, password_created_at): # Bypass business logic and go straight for the identity driver # (SQL in this case) driver = PROVIDERS.identity_api.driver driver.create_user(user_dict['id'], user_dict) with sql.session_for_write() as session: user_ref = session.query(model.User).get(user_dict['id']) user_ref.password_ref.created_at = password_created_at user_ref.password_ref.expires_at = ( user_ref._get_password_expires_at(password_created_at)) return base.filter_user(user_ref.to_dict())
def filter_attributes(self, user): # make sure inactive users are disabled if 'sapObjectStatus' in user: if user['sapObjectStatus'] != STATUS_ACTIVE: user['enabled'] = False if 'camObjectStatus' in user: if user['camObjectStatus'] != CAM_STATUS_ACTIVE: user['enabled'] = False if 'ccObjectStatus' in user: if user['ccObjectStatus'] != STATUS_ACTIVE: user['enabled'] = False # keep CAM from messing with temporary T-users elif re.match(T_REGEX, user['name']): user['enabled'] = True else: # special case for fresh priovisioned CAM users: we transiently enable them to allow a initial login # the following pasword update will take care of setting the ccObjectStatus if not user['enabled'] and user[ 'camObjectStatus'] == CAM_STATUS_ACTIVE: user['enabled'] = True user.pop('sAMAccountName', None) user.pop('sapObjectStatus', None) user.pop('ccObjectStatus', None) user.pop('camObjectStatus', None) # evaluate password_expires_at if 'password_expires_at' in user: if user['password_expires_at'] == '0' or user[ 'password_expires_at'] == '9223372036854775807': user['password_expires_at'] = None else: # convert pwdLastSet to unix epoch ts = (int(user['password_expires_at']) / 10000000) - 11644473600 # TODO: this is over simplified and actually potentially dynamic (AD policy based) # add max 180 days AD policy based password age ts += 15552000 user['password_expires_at'] = datetime.datetime.fromtimestamp( ts) if 'userAccountControl' in user: do_not_expire = int(user['userAccountControl'] ) & 0x10000 # AD PASSWORD_NEVER_EXPIRES bit if do_not_expire: user['password_expires_at'] = None user.pop('userAccountControl', None) if 'password_failures' in user: if user['password_failures'] == '0': user.pop('password_failures', None) return base.filter_user(common_ldap.filter_entity(user))
def create_nonlocal_user(self, user_dict): new_user_dict = copy.deepcopy(user_dict) new_nonlocal_user_dict = { 'domain_id': user_dict['domain_id'], 'name': user_dict['name'] } with sql.session_for_write() as session: new_nonlocal_user_ref = model.NonLocalUser.from_dict( new_nonlocal_user_dict) new_user_ref = model.User.from_dict(new_user_dict) new_user_ref.nonlocal_users.append(new_nonlocal_user_ref) session.add(new_user_ref) return identity_base.filter_user(new_user_ref.to_dict())
def create_federated_user(self, domain_id, federated_dict): user = { 'id': uuid.uuid4().hex, 'domain_id': domain_id, 'enabled': True } with sql.session_for_write() as session: federated_ref = model.FederatedUser.from_dict(federated_dict) user_ref = model.User.from_dict(user) user_ref.created_at = datetime.datetime.utcnow() user_ref.federated_users.append(federated_ref) session.add(user_ref) return identity_base.filter_user(user_ref.to_dict())
def update_user(self, user_id, user): with sql.session_for_write() as session: user_ref = self._get_user(session, user_id) old_user_dict = user_ref.to_dict() user = utils.hash_user_password(user) for k in user: old_user_dict[k] = user[k] new_user = model.User.from_dict(old_user_dict) for attr in model.User.attributes: if attr not in model.User.readonly_attributes: setattr(user_ref, attr, getattr(new_user, attr)) user_ref.extra = new_user.extra return base.filter_user(user_ref.to_dict(include_extra_dict=True))
def update_user(self, user_id, user): with sql.session_for_write() as session: user_ref = self._get_user(session, user_id) old_user_dict = user_ref.to_dict() user = utils.hash_user_password(user) for k in user: old_user_dict[k] = user[k] new_user = model.User.from_dict(old_user_dict) for attr in model.User.attributes: if attr != 'id': setattr(user_ref, attr, getattr(new_user, attr)) user_ref.extra = new_user.extra return base.filter_user( user_ref.to_dict(include_extra_dict=True))
def create_nonlocal_user(self, user_dict): new_user_dict = copy.deepcopy(user_dict) # remove local_user attributes from new_user_dict new_user_dict.pop('name', None) new_user_dict.pop('password', None) # create nonlocal_user dict new_nonlocal_user_dict = {'name': user_dict['name']} with sql.session_for_write() as session: new_nonlocal_user_ref = model.NonLocalUser.from_dict( new_nonlocal_user_dict) new_user_ref = model.User.from_dict(new_user_dict) new_user_ref.created_at = datetime.datetime.utcnow() new_user_ref.nonlocal_user = new_nonlocal_user_ref session.add(new_user_ref) return identity_base.filter_user(new_user_ref.to_dict())
def create_federated_user(self, domain_id, federated_dict, email=None): user = { 'id': uuid.uuid4().hex, 'domain_id': domain_id, 'enabled': True } if email: user['email'] = email with sql.session_for_write() as session: federated_ref = model.FederatedUser.from_dict(federated_dict) user_ref = model.User.from_dict(user) user_ref.created_at = datetime.datetime.utcnow() user_ref.federated_users.append(federated_ref) session.add(user_ref) return identity_base.filter_user(user_ref.to_dict())
def get_federated_users(self, hints): with sql.session_for_read() as session: query = session.query(model.User).outerjoin( model.LocalUser).outerjoin(model.FederatedUser) query = query.filter(model.User.id == model.FederatedUser.user_id) query = self._update_query_with_federated_statements(hints, query) name_filter = None for filter_ in hints.filters: if filter_['name'] == 'name': name_filter = filter_ query = query.filter(model.FederatedUser.display_name == name_filter['value']) break if name_filter: hints.filters.remove(name_filter) user_refs = sql.filter_limit_query(model.User, query, hints) return [identity_base.filter_user(x.to_dict()) for x in user_refs]
def create_nonlocal_user(self, user_dict): new_user_dict = copy.deepcopy(user_dict) # remove local_user attributes from new_user_dict new_user_dict.pop('name', None) new_user_dict.pop('password', None) # create nonlocal_user dict new_nonlocal_user_dict = { 'name': user_dict['name'] } with sql.session_for_write() as session: new_nonlocal_user_ref = model.NonLocalUser.from_dict( new_nonlocal_user_dict) new_user_ref = model.User.from_dict(new_user_dict) new_user_ref.created_at = datetime.datetime.utcnow() new_user_ref.nonlocal_user = new_nonlocal_user_ref session.add(new_user_ref) return identity_base.filter_user(new_user_ref.to_dict())
def authenticate(self, user_id, password): with sql.session_for_read() as session: try: user_ref = self._get_user(session, user_id) except exception.UserNotFound: raise AssertionError(_('Invalid user / password')) if self._is_account_locked(user_id, user_ref): raise exception.AccountLocked(user_id=user_id) elif not self._check_password(password, user_ref): self._record_failed_auth(user_id) raise AssertionError(_('Invalid user / password')) elif not user_ref.enabled: raise exception.UserDisabled(user_id=user_id) # successful auth, reset failed count if present if user_ref.local_user.failed_auth_count: self._reset_failed_auth(user_id) return base.filter_user(user_ref.to_dict())
def get_federated_users(self, hints): with sql.session_for_read() as session: query = session.query(model.User).outerjoin( model.LocalUser).outerjoin(model.FederatedUser) query = query.filter(model.User.id == model.FederatedUser.user_id) query = self._update_query_with_federated_statements(hints, query) name_filter = None for filter_ in hints.filters: if filter_['name'] == 'name': name_filter = filter_ query = query.filter( model.FederatedUser.display_name == name_filter[ 'value']) break if name_filter: hints.filters.remove(name_filter) user_refs = sql.filter_limit_query(model.User, query, hints) return [identity_base.filter_user(x.to_dict()) for x in user_refs]
def authenticate(self, user_id, password): """Authenticate based on a user and password. Tries to authenticate using the SQL backend first, if that fails it tries the LDAP backend. """ if not password: raise AssertionError('Invalid user / password') with sql.session_for_read() as session: try: user_ref = self._get_user(session, user_id) except exception.UserNotFound: raise AssertionError('Invalid user / password') # if the user_ref has a password, it's from the SQL backend and # we can just check if it coincides with the one we got conn = None try: assert utils.check_password(password, user_ref.password) except TypeError: raise AssertionError('Invalid user / password') except (KeyError, AssertionError ): # if it doesn't have a password, it must be LDAP try: user_name = user_ref['name'] # get_connection does a bind for us which checks the password conn = self.user.get_connection( self.user._id_to_dn(user_name), password, end_user_auth=True) assert conn except Exception: raise AssertionError('Invalid user / password') else: LOG.debug("Authenticated user with LDAP.") self.domain_aware = False finally: if conn: conn.unbind_s() else: LOG.debug("Authenticated user with SQL.") return base.filter_user(user_ref.to_dict())
def authenticate(self, user_id, password): with sql.session_for_read() as session: try: user_ref = self._get_user(session, user_id) except exception.UserNotFound: raise AssertionError(_('Invalid user / password')) if self._is_account_locked(user_id, user_ref): raise exception.AccountLocked(user_id=user_id) elif not self._check_password(password, user_ref): self._record_failed_auth(user_id) raise AssertionError(_('Invalid user / password')) elif not user_ref.enabled: raise exception.UserDisabled(user_id=user_id) elif user_ref.password_is_expired: raise exception.PasswordExpired(user_id=user_id) # successful auth, reset failed count if present if user_ref.local_user.failed_auth_count: self._reset_failed_auth(user_id) return base.filter_user(user_ref.to_dict())
def create_federated_user(self, domain_id, federated_dict, email=None): local_entity = { 'domain_id': domain_id, 'local_id': federated_dict['unique_id'], 'entity_type': 'user' } public_id = PROVIDERS.id_generator_api.generate_public_ID(local_entity) user = {'id': public_id, 'domain_id': domain_id, 'enabled': True} if email: user['email'] = email with sql.session_for_write() as session: federated_ref = model.FederatedUser.from_dict(federated_dict) user_ref = model.User.from_dict(user) user_ref.created_at = datetime.datetime.utcnow() user_ref.federated_users.append(federated_ref) session.add(user_ref) return identity_base.filter_user(user_ref.to_dict())
def create_nonlocal_user(self, user_dict): new_user_dict = copy.deepcopy(user_dict) # remove local_user attributes from new_user_dict keys_to_delete = ['domain_id', 'name', 'password'] for key in keys_to_delete: if key in new_user_dict: del new_user_dict[key] # create nonlocal_user dict new_nonlocal_user_dict = { 'domain_id': user_dict['domain_id'], 'name': user_dict['name'] } with sql.session_for_write() as session: new_nonlocal_user_ref = model.NonLocalUser.from_dict( new_nonlocal_user_dict) new_user_ref = model.User.from_dict(new_user_dict) new_user_ref.created_at = datetime.datetime.utcnow() new_user_ref.nonlocal_users.append(new_nonlocal_user_ref) session.add(new_user_ref) return identity_base.filter_user(new_user_ref.to_dict())
def create_federated_user(self, domain_id, federated_dict, email=None): local_entity = {'domain_id': domain_id, 'local_id': federated_dict['unique_id'], 'entity_type': 'user'} public_id = PROVIDERS.id_generator_api.generate_public_ID(local_entity) user = { 'id': public_id, 'domain_id': domain_id, 'enabled': True } if email: user['email'] = email with sql.session_for_write() as session: federated_ref = model.FederatedUser.from_dict(federated_dict) user_ref = model.User.from_dict(user) user_ref.created_at = datetime.datetime.utcnow() user_ref.federated_users.append(federated_ref) session.add(user_ref) return identity_base.filter_user(user_ref.to_dict())
def get_federated_user(self, idp_id, protocol_id, unique_id): user_ref = self._get_federated_user(idp_id, protocol_id, unique_id) return identity_base.filter_user(user_ref.to_dict())
def list_users(self, hints): with sql.session_for_read() as session: query = session.query(User).outerjoin(LocalUser) user_refs = sql.filter_limit_query(User, query, hints) return [base.filter_user(x.to_dict()) for x in user_refs]
def get_user(self, user_id): with sql.session_for_read() as session: user_ref = self._get_user(session, user_id) return identity_base.filter_user(user_ref.to_dict())
def filter_attributes(self, user): return base.filter_user(common_ldap.filter_entity(user))
def get_user(self, user_id): with sql.session_for_read() as session: return base.filter_user( self._get_user(session, user_id).to_dict())
def create_user(self, user_id, user): user = utils.hash_user_password(user) with sql.session_for_write() as session: user_ref = User.from_dict(user) session.add(user_ref) return base.filter_user(user_ref.to_dict())