def test_group_admin(request, group_id):
    """Check that the calling user may administer group ``group_id``.

    The caller is identified by the session token found in
    ``request['rpc_args'][0]``.  Returns a failure ``vaultMsg`` when the
    group does not exist, or when the caller is not a member of the group
    whose membership row has ``is_admin`` set and is not a global admin
    either; returns ``None`` when the check passes.
    """
    group = query(Group).filter_by(id=group_id).first()
    if not group:
        return vaultMsg(False, "Group not found: %s" % str(group_id))

    session = get_session(request['rpc_args'][0], request)
    caller_id = session['user_id']

    # Membership row of the caller in this group (None when not a member).
    membership = query(UserGroup).filter_by(group_id=group_id,
                                            user_id=caller_id).first()
    caller = query(User).get(caller_id)

    # Membership is required in every case (the group key can only be
    # decrypted by a member); admin rights may come either from the
    # membership row or from the global flag on the user.
    is_member = bool(membership)
    has_admin = is_member and (membership.is_admin or caller.is_admin)
    if not has_admin:
        return vaultMsg(False, "You are not admin on that group (nor global admin)")
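def test_group_admin(request, group_id):
    """Check that the calling user may administer group ``group_id``.

    The caller is identified by the session token in ``request.rpc_args[0]``.
    Returns a failure ``vaultMsg`` when the group does not exist, or when the
    caller is not a member of the group with ``is_admin`` set and is not a
    global admin either; returns ``None`` when the check passes.
    """
    if not query(Group).filter_by(id=group_id).first():
        # Fix: this message used to interpolate an undefined name ``e``
        # (NameError on the not-found path); report the looked-up id instead.
        return vaultMsg(False, "Group not found: %s" % str(group_id))

    sess = get_session(request.rpc_args[0], request)

    # Verify if I'm is_admin on that group
    ug = query(UserGroup).filter_by(group_id=group_id,
                                    user_id=sess['user_id']).first()
    me = query(User).get(sess['user_id'])

    # Make sure I'm in that group (to be able to decrypt the groupkey);
    # admin rights may come from the membership row or from the global flag.
    if not ug or (not ug.is_admin and not me.is_admin):
        return vaultMsg(False, "You are not admin on that group (nor global admin)")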
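def sflvault_authenticate(request, username, cryptok):
    """Receive the *decrypted* cryptok, b64 encoded.

    Second half of the login handshake: ``sflvault_login`` stored a random
    token (``logging_token``) and a short ``logging_timeout`` on the user
    row and returned that token to the client encrypted via ``u.elgamal()``;
    the client decrypts it and presents it here.  A match before the
    timeout creates a fresh session and returns its token.

    Returns a ``vaultMsg``; on success its payload carries ``authtok``.
    """
    settings = request['settings']

    # DEPRECATED: will be removed in 0.9
    # With ``sflvault.vault.session_trust`` enabled, a still-valid session
    # whose token equals ``cryptok`` is accepted as-is.  A missing setting
    # simply means the feature is off.
    try:
        if settings['sflvault.vault.session_trust'].lower() in ['1', 'true', 't']:
            # If the session_trust parameter is true trust the session for
            # the authentication.
            try:
                sess = get_session(cryptok, request)
            except SessionNotFoundError:
                sess = None
                print "Session not found... "
            except SessionExpiredError:
                sess = None
                print "Session expired... "
            if sess:
                return vaultMsg(True, 'Authentication successful (cached)',
                                {'authtok': cryptok})
    except KeyError:
        pass

    # Look the user up.  Both "no such user" and a failing query are
    # reported as 'Invalid user'; the bare ``except:`` this replaces also
    # swallowed KeyboardInterrupt/SystemExit.
    try:
        u = meta.Session().query(User).filter(User.username == username).first()
    except Exception:
        u = None
    if u is None:
        return vaultMsg(False, 'Invalid user')

    now = datetime.now()
    if u.logging_timeout < now:
        return vaultMsg(False, 'Login token expired. Now: %s Timeout: %s'
                        % (now, u.logging_timeout))

    # str() necessary, to convert buffer to string.
    # NOTE(review): plain ``!=`` is not a constant-time comparison; the
    # token is 32 random bytes valid for a few seconds, but
    # ``hmac.compare_digest`` (2.7.7+) would remove the timing signal --
    # beware str/unicode mixing from XML-RPC if you switch.
    if cryptok != str(u.logging_token):
        #TODO: Ask about this line.
        #raise Exception
        return vaultMsg(False, 'Authentication failed')

    # NOTE(review): ``logging_token``/``logging_timeout`` are not cleared
    # after a successful match, so the same cryptok can be presented again
    # until the timeout set by ``sflvault_login`` -- confirm whether the
    # login token should be invalidated on first use.
    newtok = b64encode(randfunc(32))
    set_session(newtok, {
        'username': username,
        'timeout': datetime.now() + timedelta(0, int(settings['sflvault.vault.session_timeout'])),
        'remote_addr': request.get('REMOTE_ADDR', None),
        'userobj': u,
        'user_id': u.id,
    })
    return vaultMsg(True, 'Authentication successful', {'authtok': newtok})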
def sflvault_login(request, username, version):
    """First half of the login handshake: client-version gate and user lookup.

    NOTE: this excerpt stops right after the user lookup; the remainder of
    the function (issuing the encrypted ``cryptok`` challenge that
    ``sflvault_authenticate`` verifies) is not shown here.
    """
    # Require minimal client version.
    user_version = LooseVersion(version)
    if not version or user_version < MINIMAL_CLIENT_VERSION:
        # NOTE(review): the other early exits return a bare vaultMsg; wrapping
        # this one in Response is inconsistent with them -- confirm which form
        # the XML-RPC layer expects.
        return Response(body=vaultMsg(False, "Minimal client version required: '%s'. "\
                                      "You announced yourself as version '%s'" % \
                                      (MINIMAL_CLIENT_VERSION.vstring, version)))

    # Return 'cryptok', encrypted with pubkey.
    # Save decoded version to user's db field.
    #transaction.begin()
    try:
        #u = query(User).filter_by(username=username).one()
        u = meta.Session.query(User).filter_by(username=username).one()
    except Exception, e:
        # .one() raises when no (or more than one) row matches; the exception
        # text is echoed to the client, so the reply differs for unknown and
        # known usernames.
        return vaultMsg(False, "User unknown: %s" % e.message)
def sflvault_login(request, username, version):
    """First half of the login handshake: client-version gate and user lookup.

    NOTE: this excerpt stops right after the user lookup; the remainder of
    the function (issuing the encrypted ``cryptok`` challenge that
    ``sflvault_authenticate`` verifies) is not shown here.
    """
    # Require minimal client version.
    user_version = LooseVersion(version)
    if not version or user_version < MINIMAL_CLIENT_VERSION:
        return vaultMsg(False, "Minimal client version required: '%s'. "\
                        "You announced yourself as version '%s'" % \
                        (MINIMAL_CLIENT_VERSION.vstring, version))

    # Return 'cryptok', encrypted with pubkey.
    # Save decoded version to user's db field.
    #transaction.begin()
    try:
        #u = query(User).filter_by(username=username).one()
        u = meta.Session.query(User).filter_by(username=username).one()
    except Exception, e:
        # .one() raises when no (or more than one) row matches; the exception
        # text is echoed to the client, so the reply differs for unknown and
        # known usernames.
        return vaultMsg(False, "User unknown: %s" % e.message)
def sflvault_service_put(request, authtok, service_id, data):
    """Update service ``service_id`` with ``data`` on behalf of the caller.

    The caller (``user_id`` of the session behind ``authtok``) must belong
    to at least one group the service is shared with; otherwise a failure
    ``vaultMsg`` is returned and nothing is written.
    """
    # 'user_id' required in session.
    # TODO: verify I had access to the service previously.
    session = get_session(authtok, request)
    caller_id = session['user_id']

    # servicegroups JOIN usergroups JOIN users, restricted to this caller and
    # this service: any row at all means the caller is in a group the service
    # belongs to.
    joined = sql.join(servicegroups_table, usergroups_table,
                      ServiceGroup.group_id == UserGroup.group_id)
    joined = joined.join(users_table, User.id == UserGroup.user_id)
    access_query = (joined.select()
                    .where(User.id == caller_id)
                    .where(ServiceGroup.service_id == service_id))

    has_access = bool(list(meta.Session.execute(access_query)))
    if has_access:
        return vault.service_put(service_id, data)
    return vaultMsg(False, "You don't have access to that service.")
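def authenticated_admin(func, request, *args, **kwargs):
    """Aborts if user isn't admin.

    Check authenticated_user , everything written then applies here as
    well.

    Decorator body: ``func`` is the wrapped handler and the session token
    is the first RPC argument.  Returns the failure ``vaultMsg`` from the
    user check, a "Permission denied" ``vaultMsg`` when the session's user
    is not a global admin, or the result of ``func``.
    """
    cryptok = request.rpc_args[0]
    ret = _authenticated_user_first(request, cryptok)
    if ret:
        return ret

    # Re-fetch the session for the admin flag.  Failing to obtain it (not
    # found, or expired between the check above and here) now denies access;
    # previously a missing session fell through straight to ``func``.
    try:
        sess = get_session(cryptok, request)
    except (SessionNotFoundError, SessionExpiredError):
        sess = None
    if not sess or not sess['userobj'].is_admin:
        return vaultMsg(False, "Permission denied, admin priv. required")

    return func(request, *args, **kwargs)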
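def authenticated_admin(func, request, *args, **kwargs):
    """Aborts if user isn't admin.

    Check authenticated_user , everything written then applies here as
    well.

    Decorator body: ``func`` is the wrapped handler and the session token
    is ``request['rpc_args'][0]``.  Returns the failure ``vaultMsg`` from
    the user check, a "Permission denied" ``vaultMsg`` when the session's
    user is not a global admin, or the result of ``func``.
    """
    cryptok = request['rpc_args'][0]
    ret = _authenticated_user_first(request, cryptok)
    if ret:
        return ret

    # Re-fetch the session for the admin flag.  Failing to obtain it (not
    # found, or expired between the check above and here) now denies access;
    # previously a missing session fell through straight to ``func``.
    try:
        sess = get_session(cryptok, request)
    except (SessionNotFoundError, SessionExpiredError):
        sess = None
    if not sess or not sess['userobj'].is_admin:
        return vaultMsg(False, "Permission denied, admin priv. required")

    return func(request, *args, **kwargs)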
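def _authenticated_user_first(request, cryptok):
    """DRYed authenticated_user to skip repetition in authenticated_admin.

    Resolves the session behind ``cryptok`` and records the caller's id and
    username on the ``vault`` object.  Returns a failure ``vaultMsg`` when
    the session is missing or expired, ``None`` when the caller is
    authenticated.
    """
    try:
        sess = get_session(cryptok, request)
    except SessionNotFoundError:
        sess = None
        error_msg = 'session not found'
    except SessionExpiredError:
        sess = None
        error_msg = 'session expired'
    else:
        # A falsy session returned without an exception is treated like a
        # missing one; previously this path raised on an unbound error_msg.
        error_msg = 'session not found'
    if not sess:
        return vaultMsg(False, "Permission denied (%s)" % error_msg)

    # NOTE(review): ``vault`` is not per-request here, so these assignments
    # are shared state -- confirm the server never handles two requests
    # concurrently on the same ``vault`` object.
    if 'user_id' in sess:
        vault.myself_id = sess['user_id']
    if 'username' in sess:
        vault.myself_username = sess['username']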
# [excerpt] Starts inside sflvault_login, in the ``except`` clause of the user
# lookup; the ``def`` line and the lookup itself are not shown here.
        return vaultMsg(False, "User unknown: %s" % e.message)

    # TODO: implement throttling ?
    # ``rnd`` is the login secret: stored (b64) on the user row and handed
    # to the client only in encrypted form; sflvault_authenticate accepts
    # it back in clear within the timeout below.
    rnd = randfunc(32)
    # 15 seconds to complete login/authenticate round-trip.
    u.logging_timeout = datetime.now() + timedelta(0, 15)
    u.logging_token = b64encode(rnd)
    #a = meta.Session.query(User).filter_by(username=username).one()
    # ``e`` is rebound from the exception above to the cipher object
    # (presumably the user's ElGamal key -- confirm); the second randfunc(32)
    # is the per-message randomness for encrypt().
    e = u.elgamal()
    cryptok = serial_elgamal_msg(e.encrypt(rnd, randfunc(32)))
    transaction.commit()
    #meta.Session.close()
    return vaultMsg(True, 'Authenticate please', {'cryptok': cryptok})


@xmlrpc_method(endpoint='sflvault', method='sflvault.user_add')
@authenticated_admin
def user_add(request, authtok, username, is_admin):
    """Create user ``username``; requires a global-admin session (``authtok``)."""
    return vault.user_add(username, is_admin)


@xmlrpc_method(endpoint='sflvault', method='sflvault.user_setup')
def user_setup(request, username, pubkey):
    """Register ``pubkey`` for ``username``.

    NOTE(review): no ``authenticated_*`` decorator -- this endpoint takes no
    session token.  Presumably ``vault.user_setup`` itself limits it to a
    freshly added user without a key yet; confirm, since otherwise anyone
    could set a user's public key.
    """
    return vault.user_setup(username, pubkey)


@xmlrpc_method(endpoint='sflvault', method='sflvault.user_del')
@authenticated_admin
def sflvault_user_del(request, authtok, user):
    """Delete ``user``; requires a global-admin session (``authtok``)."""
    return vault.user_del(user)
# Save decoded version to user's db field. #transaction.begin() try: #u = query(User).filter_by(username=username).one() u = meta.Session.query(User).filter_by(username=username).one() except Exception, e: return vaultMsg(False, "User unknown: %s" % e.message) # TODO: implement throttling ? rnd = randfunc(32) # 15 seconds to complete login/authenticate round-trip. u.logging_timeout = datetime.now() + timedelta(0, 15) u.logging_token = b64encode(rnd) if not u.pubkey: return vaultMsg(False, "User %s is not set up. Run user-setup first!" % username) #a = meta.Session.query(User).filter_by(username=username).one() e = u.elgamal() cryptok = serial_elgamal_msg(e.encrypt(rnd, randfunc(32))) transaction.commit() #meta.Session.close() return vaultMsg(True, 'Authenticate please', {'cryptok': cryptok}) @xmlrpc_method(endpoint='sflvault', method='sflvault.user_add') @authenticated_admin def user_add(request, authtok, username, is_admin): try: setup_timeout = request['settings']['sflvault.vault.setup_timeout'] except KeyError, e:
# Save decoded version to user's db field. #transaction.begin() try: #u = query(User).filter_by(username=username).one() u = meta.Session.query(User).filter_by(username=username).one() except Exception, e: return vaultMsg(False, "User unknown: %s" % e.message) # TODO: implement throttling ? rnd = randfunc(32) # 15 seconds to complete login/authenticate round-trip. u.logging_timeout = datetime.now() + timedelta(0, 15) u.logging_token = b64encode(rnd) if not u.pubkey: return vaultMsg( False, "User %s is not set up. Run user-setup first!" % username) #a = meta.Session.query(User).filter_by(username=username).one() e = u.elgamal() cryptok = serial_elgamal_msg(e.encrypt(rnd, randfunc(32))) transaction.commit() #meta.Session.close() return vaultMsg(True, 'Authenticate please', {'cryptok': cryptok}) @xmlrpc_method(endpoint='sflvault', method='sflvault.user_add') @authenticated_admin def user_add(request, authtok, username, is_admin): try: setup_timeout = request['settings']['sflvault.vault.setup_timeout']