def decroated(self, data, req_info, curs):
auth = Authenticator()
session_id = data.get('session_id')
session = auth.get_session(session_id)
f = UserFilter(session, {'id': session.user_id}, {}, {})
user = f.filter_one_obj(curs)
try:
if user.environment_id != session.environment_id:
raise HelixauthError('User and session from different environments')
if not user.is_active:
raise UserInactive()
auth.check_access(session, Service.TYPE_AUTH, method.__name__, req_info)
data.pop('session_id', None)
custom_actor_info = data.pop('custom_actor_info', None)
try:
result = method(self, data, req_info, session, curs)
except Exception, e:
data['environment_id'] = session.environment_id
_add_log_info(data, session, custom_actor_info)
raise e
_add_log_info(data, session, custom_actor_info)
return result
def register_user(self, data, req_info, curs=None):
env_name = data.get('environment_name')
env_f = EnvironmentFilter({'name': env_name}, {}, None)
env = env_f.filter_one_obj(curs)
# creating user
a = Authenticator()
salt = a.salt()
lang = data.get('lang', User.DEFAULT_LANG)
u_data = {'environment_id': env.id, 'email': data.get('email'),
'password': a.encrypt_password(data.get('password'), salt),
'salt': salt, 'role': User.ROLE_USER,
'lang': lang}
group_f = GroupFilter(env.id, {'is_default': True}, {}, None)
groups = group_f.filter_objs(curs)
groups_ids = [g.id for g in groups]
u_data['groups_ids'] = groups_ids
user = User(**u_data)
# For correct action logging
data['environment_id'] = env.id
try:
mapping.save(curs, user)
except ObjectCreationError:
raise UserAlreadyExists
auth = Authenticator()
session = auth.create_session(curs, env, user, req_info)
_add_log_info(data, session)
n = Notifier()
n_process = n.register_user(curs, user, session)
return response_ok(session_id=session.session_id, id=user.id,
notification=n_process)
def add_user(self, data, req_info, session, curs=None):
a = Authenticator()
env_id = session.environment_id
salt = a.salt()
u_data = {'environment_id': env_id, 'email': data.get('email'),
'role': data.get('role', User.ROLE_USER),
'password': a.encrypt_password(data.get('password'), salt),
'salt': salt, 'is_active': data.get('is_active', True),
'lang': data.get('lang', User.DEFAULT_LANG)
}
if u_data['role'] == User.ROLE_SUPER:
raise SuperUserCreationDenied
groups_ids = data.get('groups_ids', [])
filtered_g_ids = self._filter_existed_groups(curs, session, groups_ids)
u_data['groups_ids'] = filtered_g_ids
user = User(**u_data)
try:
mapping.save(curs, user)
except ObjectCreationError:
raise HelixauthObjectAlreadyExists
# For correct action logging
data['id'] = [user.id]
n = Notifier()
n_process = n.register_user(curs, user, session)
return response_ok(id=user.id, notification=n_process)
def add_environment(self, data, req_info, curs=None):
env_data = {'name': data.get('name')}
env = Environment(**env_data)
try:
mapping.save(curs, env)
except ObjectCreationError:
raise HelixauthObjectAlreadyExists('Environment %s already exists' % env.name)
# creating user
a = Authenticator()
salt = a.salt()
u_data = {'environment_id': env.id, 'email': data.get('su_email'),
'password': a.encrypt_password(data.get('su_password'), salt),
'salt': salt, 'role': User.ROLE_SUPER,
'lang': User.DEFAULT_LANG}
user = User(**u_data)
mapping.save(curs, user)
# creating default services and groups
self._create_default_objects(req_info, curs, env)
# creating session for super user
auth = Authenticator()
session = auth.create_session(curs, env, user, req_info)
_add_log_info(data, session)
return response_ok(session_id=session.session_id,
environment_id=env.id, user_id=session.user_id)
def login(self, data, req_info, curs=None):
f = EnvironmentFilter(data, {}, None)
env = f.filter_one_obj(curs)
# Required for proper logging action
data['environment_id'] = env.id
f_params = {'environment_id': env.id, 'email': data.get('email')}
f = SubjectUserFilter(env.id, f_params, {}, None)
try:
user = f.filter_one_obj(curs)
except UserNotFound:
raise UserAuthError
if not user.is_active:
raise UserInactive()
# checking password
auth = Authenticator()
enc_p = auth.encrypt_password(data.get('password'), user.salt)
if enc_p != user.password:
raise UserAuthError
# creating session
bind_to_ip = data.get('bind_to_ip', False)
lt_minutes = data.get('fixed_lifetime_minutes')
session = auth.create_session(curs, env, user, req_info,
bind_to_ip=bind_to_ip, lifetime_minutes=lt_minutes)
_add_log_info(data, session)
return response_ok(session_id=session.session_id,
user_id=session.user_id, environment_id=session.environment_id)
def set_password_self(self, data, req_info, session, curs=None):
f = UserFilter(session, {'id': session.user_id}, {}, None)
d = {}
a = Authenticator()
salt = a.salt()
d['new_salt'] = salt
d['new_password'] = a.encrypt_password(data['new_password'], salt)
loader = partial(f.filter_one_obj, curs, for_update=True)
self.update_obj(curs, d, loader)
return response_ok()
def test_encrypt_password(self):
a = Authenticator()
p = a.encrypt_password('pass', 'salt')
self.assertNotEquals(None, p)
self.assertNotEquals('', p)
enc_p1 = a.encrypt_password('1', '2')
enc_p2 = a.encrypt_password('1', '2')
self.assertEquals(enc_p1, enc_p2)
enc_p2 = a.encrypt_password(u'чук', '2')
def _change_session_ip(self, sess_id, curs=None):
# changing ip in session
f = SessionFilter({"session_id": sess_id}, {}, None)
s = f.filter_one_obj(curs)
data = json.loads(s.serialized_data)
data["ip"] = "new_%s" % data["ip"]
s.serialized_data = json.dumps(data)
mapping.save(curs, s)
a = Authenticator()
a._save_session_to_cache(s)
def check_access(self, data, req_info, session, curs=None):
a = Authenticator()
srv_type = data.get('service_type', None)
p = data.get('property', None)
try:
a.check_access(session, srv_type, p, req_info)
return response_ok(user_id=session.user_id,
environment_id=session.environment_id, access='granted')
except (UserAccessDenied, SessionIpChanged):
return response_ok(user_id=session.user_id,
environment_id=session.environment_id, access='denied')
def test_create_restore_password_session(self, curs=None):
a = Authenticator()
self.create_actor_env()
env = self.get_environment_by_name(self.actor_env_name)
user = self.get_subj_user(env.id, self.actor_login)
req_info = RequestInfo()
sess = a.create_restore_password_session(curs, env, user,
req_info, bind_to_ip=False, lifetime_minutes=None)
sess_data = json.loads(sess.serialized_data)
rights = sess_data['rights']
self.assertEquals({Service.TYPE_AUTH: ['set_password_self']},
rights)
def modify_users(self, data, req_info, session, curs=None):
u_ids = data['ids']
f = UserFilter(session, {'roles': [User.ROLE_SUPER]}, {}, None)
su = f.filter_one_obj(curs)
if su.id in u_ids:
raise SuperUserModificationDenied()
groups_ids = data.get('new_groups_ids', [])
filtered_g_ids = self._filter_existed_groups(curs, session, groups_ids)
data['new_groups_ids'] = filtered_g_ids
if 'new_password' in data:
a = Authenticator()
salt = a.salt()
data['new_password'] = a.encrypt_password(data['new_password'], salt)
data['new_salt'] = salt
f = UserFilter(session, {'ids': u_ids}, {}, None)
loader = partial(f.filter_objs, curs, for_update=True)
self.update_objs(curs, data, loader)
return response_ok()
def modify_user_self(self, data, req_info, session, curs=None):
f = UserFilter(session, {'id': session.user_id}, {}, None)
user = f.filter_one_obj(curs)
old_password = data.get('old_password')
new_password = data.get('new_password')
d = {}
if 'new_lang' in data:
d['new_lang'] = data['new_lang']
if old_password is not None:
if new_password is None or len(new_password) == 0:
raise UserNewPasswordNotSet("Empty new password can't be set")
a = Authenticator()
if user.password != a.encrypt_password(old_password, user.salt):
raise UserWrongOldPassword()
salt = a.salt()
d['new_salt'] = salt
d['new_password'] = a.encrypt_password(data['new_password'], salt)
loader = partial(f.filter_one_obj, curs, for_update=True)
self.update_obj(curs, d, loader)
return response_ok()
def restore_password(self, data, req_info, curs=None):
env_name = data.get('environment_name')
env_f = EnvironmentFilter({'name': env_name}, {}, None)
env = env_f.filter_one_obj(curs)
# For correct action logging
data['environment_id'] = env.id
user_f = SubjectUserFilter(env.id, {'email': data.get('email')}, {}, None)
user = user_f.filter_one_obj(curs)
# creating user session
auth = Authenticator()
session = auth.create_restore_password_session(curs, env, user, req_info,
lifetime_minutes=settings.session_restore_password_lifetime_minutes)
_add_log_info(data, session)
n = Notifier()
n_process = n.restore_password(curs, user, session)
return response_ok(notification=n_process)
def test_salt(self):
a = Authenticator()
for _ in xrange(1000):
s = a.salt()
self.assertNotEquals(None, s)
self.assertNotEquals('', s)
def get_api_actions(self, data, req_info):
a = Authenticator()
actions = a.get_auth_api_actions()
return response_ok(actions=actions)
