def password_login():
"""Provides email and password authentication."""
data = request_data()
email = data.get('email')
password = data.get('password')
if not email or not password:
abort(404)
log_event(request)
q = Role.by_email(email)
q = q.filter(Role.password_digest != None) # noqa
role = q.first()
# Try a password authentication and an LDAP authentication if it is enabled
if role and role.check_password(password) is False:
return Unauthorized("Authentication has failed.")
elif not role:
role = Role.authenticate_using_ldap(email, password)
if not role:
return Unauthorized("Authentication has failed.")
session['user'] = role.id
session['next_url'] = extract_next_url(request)
return jsonify({
'logout': url_for('.logout'),
'api_key': role.api_key,
'role': role
})
def create():
require(not request.authz.in_maintenance,
get_config('PASSWORD_REGISTRATION'))
data = parse_request(schema=RoleCreateSchema)
try:
code = data.get('code')
email = Role.SIGNATURE.loads(code, max_age=Role.SIGNATURE_MAX_AGE)
assert email == data.get('email')
except Exception:
raise BadRequest("Invalid signature")
role = Role.by_email(email).first()
status = 200
if role is None:
status = 201
role = Role.load_or_create(
foreign_id='password:{}'.format(email),
type=Role.USER,
name=data.get('name') or email,
email=email
)
role.set_password(data.get('password'))
db.session.add(role)
db.session.commit()
request.authz.id = role.id
return jsonify(role, schema=RoleSchema, status=status)
def handle_oauth(provider, oauth_token):
from aleph.model import Role
token = provider.parse_id_token(oauth_token)
if token is None:
return None
name = token.get("name", token.get("given_name"))
email = token.get("email", token.get("upn"))
role_id = "%s:%s" % (settings.OAUTH_HANDLER, token.get("sub", email))
role = Role.by_foreign_id(role_id)
if settings.OAUTH_MIGRATE_SUB and role is None:
role = Role.by_email(email)
if role is not None:
role.foreign_id = role_id
role.update({"name": name})
if role is None:
role = Role.load_or_create(role_id, Role.USER, name, email=email)
if not role.is_actor:
return None
role.clear_roles()
for group in _get_groups(provider, oauth_token, token):
if group == settings.OAUTH_ADMIN_GROUP:
role.is_admin = True
continue
foreign_id = "group:%s" % group
group_role = Role.load_or_create(foreign_id, Role.GROUP, group)
role.add_role(group_role)
log.debug("User %r is member of %r", role, group_role)
return role
def ooemail_authorized():
'''
This is a callback for when we are returning from the
external auth provider.
So, we use this to handle our sign-in
'''
usr = Role.by_email(request.args.get('email'))
if usr is None:
return jsonify({
'status': 'error',
'message': 'You are not authorized to do this.',
'roles': request.auth_roles,
'user': request.auth_role
}, status=403)
ok = usr.check_pw(request.args.get('password'))
if ok:
store_login(usr)
return 'oo email authorized'
else:
return jsonify({
'status': 'error',
'message': 'You are not authorized to do this.',
'roles': request.auth_roles,
'user': request.auth_role
}, status=403)
def create():
require(not request.authz.in_maintenance, settings.PASSWORD_LOGIN)
data = parse_request(RoleCreateSchema)
try:
email = Role.SIGNATURE.loads(data.get('code'),
max_age=Role.SIGNATURE_MAX_AGE)
except BadSignature:
return jsonify({
'status': 'error',
'message': gettext('Invalid code')
}, status=400)
role = Role.by_email(email)
if role is not None:
return jsonify({
'status': 'error',
'message': gettext('Email is already registered')
}, status=409)
role = Role.load_or_create(
foreign_id='password:{}'.format(email),
type=Role.USER,
name=data.get('name') or email,
email=email
)
role.set_password(data.get('password'))
db.session.add(role)
db.session.commit()
update_role(role)
# Let the serializer return more info about this user
request.authz.id = role.id
tag_request(role_id=role.id)
return RoleSerializer.jsonify(role, status=201)
def create():
require(not request.authz.in_maintenance, settings.PASSWORD_LOGIN)
data = parse_request(schema=RoleCreateSchema)
try:
email = Role.SIGNATURE.loads(data.get('code'),
max_age=Role.SIGNATURE_MAX_AGE)
except BadSignature:
return jsonify({
'status': 'error',
'message': 'Invalid code'
},
status=400)
role = Role.by_email(email).first()
if role is not None:
return jsonify(
{
'status': 'error',
'message': 'Email is already registered'
},
status=409)
role = Role.load_or_create(foreign_id='password:{}'.format(email),
type=Role.USER,
name=data.get('name') or email,
email=email)
role.set_password(data.get('password'))
db.session.add(role)
db.session.commit()
# Let the serializer return more info about this user
request.authz.id = role.id
return jsonify(role, schema=RoleSchema, status=201)
def password_login():
"""Provides email and password authentication."""
data = parse_request(LoginSchema)
q = Role.by_email(data.get('email'))
q = q.filter(Role.password_digest != None) # noqa
role = q.first()
if role is None:
return Unauthorized("Authentication has failed.")
if not role.check_password(data.get('password')):
return Unauthorized("Authentication has failed.")
return jsonify({'status': 'ok', 'token': create_token(role)})
def test_create_success(self):
email = self.fake.email()
password = self.fake.password()
payload = dict(
email=email,
password=password,
code=Role.SIGNATURE_SERIALIZER.dumps(email, salt=email)
)
res = self.client.post('/api/1/roles', data=payload)
self.assertEqual(res.status_code, 201)
self.assertEqual(res.json['role']['email'], email)
self.assertTrue(Role.by_email(email).first().check_password(password))
def password_login():
"""Provides email and password authentication."""
data = parse_request(LoginSchema)
role = Role.by_email(data.get('email'))
if role is None or not role.has_password:
return Unauthorized("Authentication has failed.")
if not role.check_password(data.get('password')):
return Unauthorized("Authentication has failed.")
update_role(role)
db.session.commit()
authz = Authz.from_role(role)
return jsonify({'status': 'ok', 'token': authz.to_token(role=role)})
def create():
"""Create a user role.
---
post:
summary: Create a user account
description: >
Create a user role by supplying the required account details.
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/RoleCreate'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/Role'
tags:
- Role
"""
require(settings.PASSWORD_LOGIN)
require(not request.authz.in_maintenance)
data = parse_request("RoleCreate")
try:
email = Role.SIGNATURE.loads(data.get("code"),
max_age=Role.SIGNATURE_MAX_AGE)
except BadSignature:
return jsonify({
"status": "error",
"message": gettext("Invalid code")
},
status=400)
role = Role.by_email(email)
if role is not None:
return jsonify(
{
"status": "error",
"message": gettext("Email is already registered")
},
status=409,
)
role = create_user(email, data.get("name"), data.get("password"))
# Let the serializer return more info about this user
request.authz = Authz.from_role(role)
tag_request(role_id=role.id)
return RoleSerializer.jsonify(role, status=201)
def password_login():
"""Provides email and password authentication."""
require(settings.PASSWORD_LOGIN)
data = parse_request(LoginSchema)
role = Role.by_email(data.get('email'))
if role is None or not role.has_password:
raise BadRequest(gettext("Invalid user or password."))
if not role.check_password(data.get('password')):
raise BadRequest(gettext("Invalid user or password."))
db.session.commit()
update_role(role)
authz = Authz.from_role(role)
request.authz = authz
return jsonify({'status': 'ok', 'token': authz.to_token(role=role)})
def test_create_success(self):
self.app.config['PASSWORD_REGISTRATION'] = True
email = self.fake.email()
name = self.fake.name()
password = self.fake.password()
payload = dict(name=name,
password=password,
code=Role.SIGNATURE.dumps(email))
res = self.client.post('/api/2/roles', data=payload)
db.session.close()
self.assertEqual(res.status_code, 201)
self.assertEqual(res.json['email'], email)
role = Role.by_email(email).first()
self.assertIsNotNone(role)
self.assertTrue(role.check_password(password))
self.assertEqual(role.name, payload['name'])
def test_create_on_existing_email(self):
email = self.fake.email()
password = self.fake.password()
payload = dict(
email=email,
name=self.fake.name(),
password=password,
code=Role.SIGNATURE_SERIALIZER.dumps(email, salt=email)
)
RoleFactory.create(email=email)
res = self.client.post('/api/1/roles', data=payload)
self.assertEqual(res.status_code, 200)
self.assertEqual(res.json['status'], 'ok')
role = Role.by_email(email).first()
self.assertIsNotNone(role)
self.assertFalse(role.check_password(password))
def test_create_success(self):
settings.PASSWORD_LOGIN = True
email = self.fake.email()
name = self.fake.name()
password = self.fake.password()
payload = dict(name=name,
password=password,
code=Role.SIGNATURE.dumps(email))
res = self.client.post("/api/2/roles", data=payload)
db.session.close()
self.assertEqual(res.status_code, 201)
self.assertEqual(res.json.get("email"), email)
role = Role.by_email(email)
self.assertIsNotNone(role)
self.assertTrue(role.check_password(password))
self.assertEqual(role.name, payload["name"])
def password_login():
"""Provides email and password authentication.
---
post:
summary: Log in as a user
description: Create a session token using a username and password.
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Login'
responses:
'200':
description: OK
content:
application/json:
schema:
type: object
properties:
status:
type: string
token:
type: string
tags:
- Role
"""
require(settings.PASSWORD_LOGIN)
data = parse_request("Login")
role = Role.by_email(data.get("email"))
if role is None or not role.has_password:
raise BadRequest(gettext("Invalid user or password."))
if not role.check_password(data.get("password")):
raise BadRequest(gettext("Invalid user or password."))
if role.is_blocked:
raise Unauthorized(gettext("Your account is blocked."))
role.touch()
db.session.commit()
update_role(role)
authz = Authz.from_role(role)
request.authz = authz
return jsonify({"status": "ok", "token": authz.to_token(role=role)})
def test_create_success(self):
email = self.fake.email()
password = self.fake.password()
payload = dict(
email=email,
name=self.fake.name(),
password=password,
code=Role.SIGNATURE_SERIALIZER.dumps(email, salt=email)
)
res = self.client.post('/api/1/roles', data=payload)
self.assertEqual(res.status_code, 201)
self.assertEqual(res.json['status'], 'ok')
role = Role.by_email(email).first()
self.assertIsNotNone(role)
self.assertTrue(role.check_password(password))
self.assertEqual(role.name, payload['email'])
self.assertEqual(role.email, payload['email'])
def password_login():
"""Provides email and password authentication."""
data = parse_request(LoginSchema)
role = Role.by_email(data.get('email'))
if role is None or not role.has_password:
return Unauthorized("Authentication has failed.")
if not role.check_password(data.get('password')):
return Unauthorized("Authentication has failed.")
db.session.commit()
update_role(role)
authz = Authz.from_role(role)
request.authz = authz
record_audit(Audit.ACT_LOGIN)
return jsonify({
'status': 'ok',
'token': authz.to_token(role=role)
})
def test_create_success(self):
settings.PASSWORD_LOGIN = True
email = self.fake.email()
name = self.fake.name()
password = self.fake.password()
payload = dict(
name=name,
password=password,
code=Role.SIGNATURE.dumps(email)
)
res = self.client.post('/api/2/roles', data=payload)
db.session.close()
self.assertEqual(res.status_code, 201)
self.assertEqual(res.json['email'], email)
role = Role.by_email(email)
self.assertIsNotNone(role)
self.assertTrue(role.check_password(password))
self.assertEqual(role.name, payload['name'])
def create():
data = request_data()
email = data.get('email')
name = data.get('name') or email
password = data.get('password')
signature = data.get('code')
if not email or not password or not signature:
abort(400)
try:
# Make sure registration is allowed
assert get_config('PASSWORD_REGISTRATION')
# Make sure password is set and not too short
assert len(password) >= Role.PASSWORD_MIN_LENGTH
# Make sure the signature is valid
assert email == Role.SIGNATURE_SERIALIZER.loads(
signature, salt=email, max_age=Role.SIGNATURE_MAX_AGE)
except:
abort(400)
role = Role.by_email(email).first()
if role:
return jsonify(dict(status='ok')), 200
role = Role.load_or_create(foreign_id='password:{}'.format(email),
type=Role.USER,
name=name,
email=email)
role.set_password(password)
db.session.add(role)
db.session.commit()
return jsonify(dict(status='ok')), 201
def password_login():
"""Provides email and password authentication."""
data = request_data()
email = data.get('email')
password = data.get('password')
if not email or not password:
abort(404)
log_event(request)
role = Role.by_email(email).filter(Role.password_digest != None).first()
if not (role and role.check_password(password)):
return Unauthorized("Authentication has failed.")
session['user'] = role.id
session['next_url'] = extract_next_url(request)
return jsonify({
'logout': url_for('.logout'),
'api_key': role.api_key,
'role': role
})
def test_by_email_matches(self):
self.assertEqual(Role.by_email(self.role.email), self.role)
def test_by_email_matches(self):
self.assertEqual(Role.by_email(self.role.email).first(), self.role)
def test_by_email_does_not_match(self):
self.assertIsNone(Role.by_email(self.fake.email()).first())
def test_by_email_when_blank_email(self):
self.assertIsNone(Role.by_email(None))
def test_by_email_when_blank_email(self):
self.assertIsNone(Role.by_email(None))
def test_by_email_does_not_match(self):
self.assertIsNone(Role.by_email(self.fake.email()))
