def ms_initialize():
"""
Initialize the Syndicate MS
"""
admin = SyndicateUser.Read(ADMIN_EMAIL)
if admin is None:
admin_key = SyndicateUser.CreateAdmin(ADMIN_EMAIL, ADMIN_ID,
ADMIN_PUBKEY, SYNDICATE_PRIVKEY)
def delete_user(email, **kw):
"""
Delete the given user. Only an admin can do this,
and only if the user was created by that admin.
"""
caller_user = _check_authenticated(kw)
if not caller_user.is_admin:
raise Exception("Only an admin can call this method")
user = SyndicateUser.Read(email)
if user is None:
raise Exception("No such user")
if not caller_user.is_admin:
raise Exception("Caller is not an admin")
if user.admin_id != caller_user.owner_id:
raise Exception("Admin '%s' did not create user '%s'" %
(caller_user.email, email))
ret = SyndicateUser.Delete(email)
return {'result': ret}
def register_request_verify(reg_req):
"""
Verify that a user (SyndicateUser) sent a registration request (ms_pb2.ms_register_request)
Return the user on success; None if the user doesn't exist; False if the signature doesn't match.
"""
username = reg_req.username
sig_b64 = reg_req.signature
reg_req.signature = ""
reg_req_str = reg_req.SerializeToString()
sig = base64.b64decode(sig_b64)
user = SyndicateUser.Authenticate(username, reg_req_str, sig)
return user
def pubkey_verifier(cls, method, args, kw, request_body, syndicate_data,
data, **verifier_kw):
"""
Verify a request from a user, using public-key signature verification.
"""
if not isinstance(method, AuthMethod):
log.error("Invalid method '%s'" % method)
return False
username = syndicate_data.get("username")
sig = syndicate_data.get("signature")
authenticated_user = SyndicateUser.Authenticate(
username, request_body, sig)
if not authenticated_user:
# failed to authenticate via keys.
log.error("Failed to authenticate user %s" % (username))
return False
method.authenticated_user = authenticated_user
return True
def update_user(email, **fields):
SyndicateUser.Update(email, **fields)
return True
def read_user(email_or_user_id):
return SyndicateUser.Read(email_or_user_id)
def create_user(email, openid_url, **fields):
user_key = SyndicateUser.Create(email, openid_url=openid_url, **fields)
return user_key.get()
def reset_account_credentials(email, password_salt, password_hash):
return SyndicateUser.Reset(email, password_salt, password_hash)
def register_account(email, password, signing_public_key):
return SyndicateUser.Register(email,
password,
signing_public_key=signing_public_key)
def list_users(attrs=None, **q_opts):
return SyndicateUser.ListAll(attrs, **q_opts)
def delete_user(email):
return SyndicateUser.Delete(email)
def ms_initialize(): """ Initialize the Syndicate MS """ admin_key = SyndicateUser.CreateAdmin( ADMIN_EMAIL, ADMIN_OPENID_URL, ADMIN_PUBLIC_KEY, ADMIN_REGISTER_PASSWORD )
def validate_gateway_cert(gateway_cert, signing_user_id):
"""
Given a deserialized gateway certificate, check its validity:
* make sure the user and volume it points to exist
* make sure the user in the cert signed it, or verify that the user identified by signing_user_id did
(e.g. signing_user_id might correspond to a volume owner or admin)
Return the user, volume, and signing user (if found) on success
Raise an exception on error
"""
from common.api import verify_data
# user and volume must both exist
user, volume = _read_user_and_volume(gateway_cert.owner_id,
gateway_cert.volume_id)
signing_user = None
if user is None and gateway_cert.owner_id != USER_ID_ANON:
raise Exception("No such user '%s'" % gateway_cert.owner_id)
if (volume is None or volume.deleted):
raise Exception("No such volume '%s'" % gateway_cert.volume_id)
pubkey = None
signer_email = None
signing_user = None
if signing_user_id is not None:
signing_user = SyndicateUser.Read(signing_user_id)
if signing_user is None:
raise Exception("No such signing user '%s'" % signing_user_id)
pubkey = signing_user.public_key
signer_email = signing_user.email
elif gateway_cert.owner_id == USER_ID_ANON:
signing_user = SyndicateUser.Read(volume.owner_id)
if signing_user is None:
raise Exception("No such signing user '%s'" % volume.owner_id)
pubkey = signing_user.public_key
signer_email = signing_user.email
user = signing_user
else:
pubkey = user.public_key
signer_email = user.email
# verify that the user (or signing user) has signed the cert
owner_sig = gateway_cert.signature
gateway_cert.signature = ""
gateway_cert_nosigs = gateway_cert.SerializeToString()
rc = verify_data(pubkey, gateway_cert_nosigs, base64.b64decode(owner_sig))
gateway_cert.signature = owner_sig
if not rc:
raise Exception("Gateway certificate not signed by user '%s'" %
signer_email)
return (user, volume)
def read_user(email_or_user_id):
"""
Read a user, given either its email or user ID.
"""
return SyndicateUser.Read(email_or_user_id)
traceback.print_exc()
raise Exception("Failed to parse serialized user cert")
caller_user = _check_authenticated(fields)
if not caller_user.is_admin:
raise Exception("Only an admin can call this method")
_, admin_user = validate_user_cert(user_cert,
caller_user.owner_id,
check_admin=True)
if admin_user.owner_id != caller_user.owner_id:
raise Exception("This admin user did not sign the user cert")
user_key = SyndicateUser.Create(user_cert)
return user_key.get()
# ----------------------------------
def read_user(email_or_user_id):
"""
Read a user, given either its email or user ID.
"""
return SyndicateUser.Read(email_or_user_id)
# ----------------------------------
def delete_user(email, **kw):
"""
Delete the given user. Only an admin can do this,
