def __init__(self):
super(ConfdAuth, self).__init__()
self.get_password(accesswebservice_dao.get_password)
self.auth_verifier = AuthVerifier()
self._auth_host = None
self._auth_port = None
self._allowed_port = None
from flask_restful import Resource
from functools import wraps
from xivo import (
mallow_helpers,
rest_api_helpers,
)
from xivo.auth_verifier import AuthVerifier
from .exceptions import (
AsteriskARIError,
AsteriskARIUnreachable,
)
auth_verifier = AuthVerifier()
def handle_ari_exception(func):
@wraps(func)
def wrapper(*args, **kwargs):
try:
return func(*args, **kwargs)
except ARIHTTPError as e:
raise AsteriskARIError({'base_url': e.client.base_url},
e.original_error, e.original_message)
except ARIException as e:
raise AsteriskARIUnreachable({'base_url': e.client.base_url},
e.original_error, e.original_message)
return wrapper
def get_tenants(self, user_uuid):
tenants = current_app.config['user_service'].list_tenants(user_uuid)
return {
'items': [
{'uuid': tenant['uuid'], 'name': tenant['name']}
for tenant in tenants
]
}
def __init__(self):
self.token = self.TokenCommand()
self.users = self.UsersCommand()
auth_verifier = AuthVerifier(extract_token_id=extract_token_id_from_query_or_header)
auth_verifier.set_client(AuthClientFacade())
def handle_manager_exception(func):
@functools.wraps(func)
def wrapper(*args, **kwargs):
try:
return func(*args, **kwargs)
except exceptions.TokenServiceException as error:
return _error(error.code, str(error))
return wrapper
class ErrorCatchingResource(Resource):
class ConfdAuth(HTTPDigestAuth):
ALLOWED_HOST = '127.0.0.1'
def __init__(self):
super(ConfdAuth, self).__init__()
self.get_password(accesswebservice_dao.get_password)
self.auth_verifier = AuthVerifier()
self._auth_host = None
self._auth_port = None
self._allowed_port = None
def set_config(self, config):
self._auth_host = config['auth']['host']
self._auth_port = config['auth']['port']
try:
self._allowed_port = str(config['rest_api']['http']['port'])
except KeyError:
pass # None is fine if http is not enabled
self.auth_verifier.set_config(config['auth'])
def login_required(self, func):
auth_func = super(ConfdAuth, self).login_required(func)
@wraps(func)
def decorated(*args, **kwargs):
if self._remote_address_allowed():
return func(*args, **kwargs)
elif self._verify_token(func, *args, **kwargs):
return func(*args, **kwargs)
return auth_func(*args, **kwargs)
return decorated
def _remote_address_allowed(self):
# check localhost first to avoid accessing the database for nothing
remote_addr = request.remote_addr
remote_port = request.environ['SERVER_PORT']
if remote_addr == self.ALLOWED_HOST and remote_port == self._allowed_port:
return True
return remote_addr in accesswebservice_dao.get_allowed_hosts()
def _verify_token(self, func, *args, **kwargs):
try:
token = self.auth_verifier.token()
required_acl = self._acl(func, *args, **kwargs)
token_is_valid = self.auth_verifier.client().token.is_valid(
token, required_acl)
except requests.RequestException as e:
message = 'Authentication server on {host}:{port} unreachable: {error}'
logger.error(
message.format(host=self._auth_host,
port=self._auth_port,
error=e))
return False
return token_is_valid
def _acl(self, func, *args, **kwargs):
required_acl = self.auth_verifier.acl(func, *args, **kwargs)
if not required_acl:
return 'confd.#'
return required_acl
