def post(self): """ Creates a new user. """ # Ensure that we are using database auth. if app.config["AUTHENTICATION_TYPE"] != "Database": raise InvalidRequest("Cannot create a user in a non-database auth system") user_information = request.get_json() if SuperUserPermission().can(): # Generate a temporary password for the user. random = SystemRandom() password = "".join( [random.choice(string.ascii_uppercase + string.digits) for _ in range(32)] ) # Create the user. username = user_information["username"] email = user_information.get("email") install_user, confirmation_code = pre_oci_model.create_install_user( username, password, email ) if features.MAILING: send_confirmation_email( install_user.username, install_user.email, confirmation_code ) return { "username": username, "email": email, "password": password, "encrypted_password": authentication.encrypt_user_password(password), } raise Unauthorized()
def put(self, username): """ Updates information about the specified user. """ if SuperUserPermission().can(): user = pre_oci_model.get_nonrobot_user(username) if user is None: raise NotFound() if superusers.is_superuser(username): raise InvalidRequest('Cannot update a superuser') user_data = request.get_json() if 'password' in user_data: # Ensure that we are using database auth. if app.config['AUTHENTICATION_TYPE'] != 'Database': raise InvalidRequest( 'Cannot change password in non-database auth') pre_oci_model.change_password(username, user_data['password']) if 'email' in user_data: # Ensure that we are using database auth. if app.config['AUTHENTICATION_TYPE'] not in [ 'Database', 'AppToken' ]: raise InvalidRequest( 'Cannot change e-mail in non-database auth') pre_oci_model.update_email(username, user_data['email'], auto_verify=True) if 'enabled' in user_data: # Disable/enable the user. pre_oci_model.update_enabled(username, bool(user_data['enabled'])) if 'superuser' in user_data: config_object = config_provider.get_config() superusers_set = set(config_object['SUPER_USERS']) if user_data['superuser']: superusers_set.add(username) elif username in superusers_set: superusers_set.remove(username) config_object['SUPER_USERS'] = list(superusers_set) config_provider.save_config(config_object) return_value = user.to_dict() if user_data.get('password') is not None: password = user_data.get('password') return_value[ 'encrypted_password'] = authentication.encrypt_user_password( password) if user_data.get('email') is not None: return_value['email'] = user_data.get('email') return return_value raise Unauthorized()
def put(self, username): """ Updates information about the specified user. """ if SuperUserPermission().can(): user = pre_oci_model.get_nonrobot_user(username) if user is None: raise NotFound() if superusers.is_superuser(username): raise InvalidRequest("Cannot update a superuser") user_data = request.get_json() if "password" in user_data: # Ensure that we are using database auth. if app.config["AUTHENTICATION_TYPE"] != "Database": raise InvalidRequest("Cannot change password in non-database auth") pre_oci_model.change_password(username, user_data["password"]) if "email" in user_data: # Ensure that we are using database auth. if app.config["AUTHENTICATION_TYPE"] not in ["Database", "AppToken"]: raise InvalidRequest("Cannot change e-mail in non-database auth") pre_oci_model.update_email(username, user_data["email"], auto_verify=True) if "enabled" in user_data: # Disable/enable the user. pre_oci_model.update_enabled(username, bool(user_data["enabled"])) if "superuser" in user_data: config_object = config_provider.get_config() superusers_set = set(config_object["SUPER_USERS"]) if user_data["superuser"]: superusers_set.add(username) elif username in superusers_set: superusers_set.remove(username) config_object["SUPER_USERS"] = list(superusers_set) config_provider.save_config(config_object) return_value = user.to_dict() if user_data.get("password") is not None: password = user_data.get("password") return_value["encrypted_password"] = authentication.encrypt_user_password( password ).decode("ascii") if user_data.get("email") is not None: return_value["email"] = user_data.get("email") return return_value raise Unauthorized()
def post(self): """ Return's the user's private client key. """ if not authentication.supports_encrypted_credentials: raise NotFound() username = get_authenticated_user().username password = request.get_json()["password"] (result, error_message) = authentication.confirm_existing_user(username, password) if not result: raise request_error(message=error_message) return {"key": authentication.encrypt_user_password(password)}
def user_view(user, password=None): user_data = { "kind": "user", "name": user.username, "username": user.username, "email": user.email, "verified": user.verified, "avatar": avatar.get_data_for_user(user), "super_user": superusers.is_superuser(user.username), "enabled": user.enabled, } if password is not None: user_data["encrypted_password"] = authentication.encrypt_user_password(password) return user_data
def user_view(user, password=None): user_data = { 'kind': 'user', 'name': user.username, 'username': user.username, 'email': user.email, 'verified': user.verified, 'avatar': avatar.get_data_for_user(user), 'super_user': superusers.is_superuser(user.username), 'enabled': user.enabled, } if password is not None: user_data['encrypted_password'] = authentication.encrypt_user_password( password) return user_data
def user_initialize(): """ Create initial user in an empty database """ # Ensure that we are using database auth. if not features.USER_INITIALIZE: response = jsonify({ "message": "Cannot initialize user, FEATURE_USER_INITIALIZE is False" }) response.status_code = 400 return response # Ensure that we are using database auth. if app.config["AUTHENTICATION_TYPE"] != "Database": response = jsonify({ "message": "Cannot initialize user in a non-database auth system" }) response.status_code = 400 return response if has_users(): response = jsonify( {"message": "Cannot initialize user in a non-empty database"}) response.status_code = 400 return response user_data = request.get_json() try: prompts = model.user.get_default_user_prompts(features) new_user = model.user.create_user( user_data["username"], user_data["password"], user_data.get("email"), auto_verify=True, email_required=features.MAILING, is_possible_abuser=False, prompts=prompts, ) success, headers = common_login(new_user.uuid) if not success: response = jsonify( {"message": "Could not login. Failed to initialize user"}) response.status_code = 403 return response result = { "username": user_data["username"], "email": user_data.get("email"), "encrypted_password": authentication.encrypt_user_password( user_data["password"]).decode("ascii"), } if user_data.get("access_token"): model.oauth.create_application( new_user, "automation", "", "", client_id=user_data["username"], description= "Application token generated via /api/v1/user/initialize", ) scope = "org:admin repo:admin repo:create repo:read repo:write super:user user:admin user:read" created, access_token = model.oauth.create_user_access_token( new_user, user_data["username"], scope) result["access_token"] = access_token return (result, 200, headers) except model.user.DataModelException as ex: response = jsonify( {"message": "Failed to initialize user: " + str(ex)}) response.status_code = 400 return response
def process_resources(resources): response = [] changed = False for resource in resources: if resource["work_queue"] == True: resource["task"] = "skopeo" enqueue("skopeo", resource) continue p_user = resource["user"] p_password = resource["password"] p_state = resource["state"] p_project = resource["project"] p_repository = resource["repository"] p_tag = resource["tag"] p_src_credentials = resource["src_credentials"] p_src_image = resource["src_image"] p_src_tag = resource["src_tag"] p_src_tls_verify = resource["src_tls_verify"] p_dest_credentials = resource["dest_credentials"] p_dest_image = resource["dest_image"] p_dest_tag = resource["dest_tag"] p_dest_tls_verify = resource["dest_tls_verify"] repository = model.repository.get_repository(p_project, p_repository) if repository is None: response.append("Repository '%s/%s' does not exist" % (p_project, p_repository)) return {"failed": True, "msg": response}, 400 ### auth_token = jwt_bearer_token(p_user, p_project, p_repository) if p_state == "present": args = [ "/usr/bin/skopeo", "copy", "--dest-creds", "%s:%s" % (p_user, authentication.encrypt_user_password(p_password)), "--src-tls-verify=%s" % p_src_tls_verify, "--dest-tls-verify=false", "docker://%s:%s" % (p_src_image, p_src_tag), "docker://%s/%s/%s:%s" % (app.config["SERVER_HOSTNAME"], p_project, p_repository, p_tag), ] if p_src_credentials: command = command + ["--src-creds", p_src_credentials] job = subprocess.Popen(args, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout_data, stderr_data = job.communicate() if job.returncode != 0: response.append( "Source '%s:%s' failed to sync.\nSTDOUT: %s\nSTDERR: %s" % (p_src_image, p_src_tag, stdout_data, stderr_data)) return { "failed": True, "changed": changed, "msg": response }, 400 else: changed = True response.append( "Source '%s:%s' synced.\nSTDOUT: %s\nSTDERR: %s" % (p_src_image, p_src_tag, stdout_data, stderr_data)) return {"failed": False, "changed": changed, "meta": response}, 200