Пример #1
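def create_perm():
    """Create a permission from the JSON request body.

    Returns a 201 JSON response carrying the new permission's id and
    serialized form. Raises ApiError 400 when the body cannot be parsed, 409
    when the role is 'admin' or 'user', 403 when a requested scope is not
    covered by g.scopes, and 500 when the create fails.
    """
    try:
        perm = Permission.parse(request.json)
    except ValueError as e:
        raise ApiError(str(e), 400)

    # 'admin' and 'user' are rejected as already-existing roles.
    if perm.match in ['admin', 'user']:
        raise ApiError('{} role already exists'.format(perm.match), 409)

    # Escalation guard: every requested scope must be covered by g.scopes
    # (presumably the authenticated caller's scopes -- confirm).
    for want_scope in perm.scopes:
        if not Permission.is_in_scope(want_scope, have_scopes=g.scopes):
            raise ApiError("Requested scope '{}' not in existing scopes: {}".format(
                want_scope, ','.join(g.scopes)), 403)

    try:
        perm = perm.create()
    except Exception as e:
        # NOTE(review): the text of whatever create() raised goes back to the
        # client; confirm it cannot carry internal details.
        raise ApiError(str(e), 500)

    # Fail before the audit call: it dereferences perm.id, so a falsy result
    # would otherwise surface as an AttributeError instead of this ApiError.
    if not perm:
        raise ApiError('create permission failed', 500)

    admin_audit_trail.send(current_app._get_current_object(), event='permission-created', message='', user=g.login,
                           customers=g.customers, scopes=g.scopes, resource_id=perm.id, type='permission', request=request)

    return jsonify(status='ok', id=perm.id, permission=perm.serialize), 201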
Пример #2
def update_user(user_id):
    """Apply the JSON request body to the user identified by *user_id*.

    Raises ApiError 400 for an empty body, 404 for an unknown user, 409 when
    the requested email belongs to a different user, and 500 when update()
    reports failure; otherwise returns a JSON 'ok' status.
    """
    payload = request.json
    if not payload:
        raise ApiError('nothing to change', 400)

    target = User.find_by_id(user_id)
    if not target:
        raise ApiError('not found', 404)

    new_email = payload.get('email')
    if new_email:
        owner = User.find_by_email(new_email)
        if owner and owner.id != target.id:
            raise ApiError('user with email already exists', 409)

    # Emitted before update() runs, so the event is recorded even when the
    # update then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='user-updated', message='', user=g.user,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='user', request=request)

    # NOTE(review): the whole body is forwarded as keyword arguments and no
    # field (e.g. roles) is compared with g.scopes in this function; confirm
    # update() or the route's authorization restricts what a caller may set.
    if not target.update(**payload):
        raise ApiError('failed to update user', 500)
    return jsonify(status='ok')
Пример #3
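def create_group():
    """Create a user group from the JSON request body.

    Returns a 201 JSON response carrying the new group's id and serialized
    form. Raises ApiError 400 when the body cannot be parsed and 500 when the
    create fails.
    """
    try:
        group = Group.parse(request.json)
    except ValueError as e:
        raise ApiError(str(e), 400)

    try:
        group = group.create()
    except Exception as e:
        # NOTE(review): the text of whatever create() raised goes back to the
        # client; confirm it cannot carry internal details.
        raise ApiError(str(e), 500)

    # Fail before the audit call: it dereferences group.id, so a falsy result
    # would otherwise surface as an AttributeError instead of this ApiError.
    if not group:
        raise ApiError('create user group failed', 500)

    admin_audit_trail.send(current_app._get_current_object(),
                           event='group-created',
                           message='',
                           user=g.login,
                           customers=g.customers,
                           scopes=g.scopes,
                           resource_id=group.id,
                           type='group',
                           request=request)

    return jsonify(status='ok', id=group.id, group=group.serialize), 201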
Пример #4
def update_user(user_id):
    """Apply the JSON request body to the user identified by *user_id*.

    Raises ApiError 400 for an empty body, 404 for an unknown user, 409 when
    the requested email belongs to a different user, 403 when a scope implied
    by the requested roles is not covered by g.scopes, and 500 when update()
    reports failure; otherwise returns a JSON 'ok' status.
    """
    payload = request.json
    if not payload:
        raise ApiError('nothing to change', 400)

    target = User.find_by_id(user_id)
    if not target:
        raise ApiError('not found', 404)

    new_email = payload.get('email')
    if new_email:
        owner = User.find_by_email(new_email)
        if owner and owner.id != target.id:
            raise ApiError('user with that email already exists', 409)

    # Escalation guard: the scopes that the requested roles resolve to must
    # all be covered by g.scopes before the roles are written.
    roles = payload.get('roles')
    if roles:
        for scope in Permission.lookup(login='', roles=roles):
            if Permission.is_in_scope(scope, have_scopes=g.scopes):
                continue
            raise ApiError("Requested scope '{}' not in existing scopes: {}".format(
                scope, ','.join(g.scopes)), 403)

    # Emitted before update() runs, so the event is recorded even when the
    # update then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='user-updated', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='user', request=request)

    # NOTE(review): every key of the body is forwarded to update(); confirm
    # update() ignores fields a caller must not set.
    if not target.update(**payload):
        raise ApiError('failed to update user', 500)
    return jsonify(status='ok')
Пример #5
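def create_perm():
    """Create a permission from the JSON request body.

    Returns a 201 JSON response carrying the new permission's id and
    serialized form. Raises ApiError 400 when the body cannot be parsed, 409
    when the role is 'admin' or 'user', 403 when a requested scope is not
    covered by g.scopes, and 500 when the create fails.
    """
    try:
        perm = Permission.parse(request.json)
    except ValueError as e:
        raise ApiError(str(e), 400)

    # 'admin' and 'user' are rejected as already-existing roles.
    if perm.match in ['admin', 'user']:
        raise ApiError('{} role already exists'.format(perm.match), 409)

    # Escalation guard: every requested scope must be covered by g.scopes
    # (presumably the authenticated caller's scopes -- confirm).
    for want_scope in perm.scopes:
        if not Permission.is_in_scope(want_scope, have_scopes=g.scopes):
            raise ApiError("Requested scope '{}' not in existing scopes: {}".format(
                want_scope, ','.join(g.scopes)), 403)

    try:
        perm = perm.create()
    except Exception as e:
        # NOTE(review): the text of whatever create() raised goes back to the
        # client; confirm it cannot carry internal details.
        raise ApiError(str(e), 500)

    # Fail before the audit call: it dereferences perm.id, so a falsy result
    # would otherwise surface as an AttributeError instead of this ApiError.
    if not perm:
        raise ApiError('create permission failed', 500)

    admin_audit_trail.send(current_app._get_current_object(), event='permission-created', message='', user=g.user,
                           customers=g.customers, scopes=g.scopes, resource_id=perm.id, type='permission', request=request)

    return jsonify(status='ok', id=perm.id, permission=perm.serialize), 201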
Пример #6
def update_key(key):
    """Apply the JSON request body to the API key identified by *key*.

    Raises ApiError 400 for an empty body, 404 when the key is not found,
    403 when a requested scope is not covered by g.scopes, and 500 when
    update() reports failure; otherwise returns a JSON 'ok' status.
    """
    if not request.json:
        raise ApiError('nothing to change', 400)

    # Ownership rule: with auth disabled, or for callers holding the admin or
    # admin_keys scope, any key can be looked up; everyone else only finds
    # keys belonging to g.login.
    unrestricted = (
        not current_app.config['AUTH_REQUIRED']
        or Scope.admin in g.scopes
        or Scope.admin_keys in g.scopes
    )
    if unrestricted:
        api_key = ApiKey.find_by_id(key)
    else:
        api_key = ApiKey.find_by_id(key, user=g.login)

    if not api_key:
        raise ApiError('not found', 404)

    # The body is modified in place: 'customer' is replaced by whatever
    # assign_customer() returns for the requested value.
    changes = request.json
    changes['customer'] = assign_customer(wanted=changes.get('customer'), permission=Scope.admin_keys)

    # Escalation guard: a key may not be given scopes that g.scopes does not cover.
    for scope in changes.get('scopes', []):
        if Permission.is_in_scope(scope, have_scopes=g.scopes):
            continue
        raise ApiError("Requested scope '{}' not in existing scopes: {}".format(
            scope, ','.join(g.scopes)), 403)

    # Emitted before update() runs, so the event is recorded even when the
    # update then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='apikey-updated', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=api_key.id, type='apikey', request=request)

    # NOTE(review): all remaining body keys reach update() unchecked; confirm
    # update() ignores fields a non-admin caller must not change.
    if not api_key.update(**request.json):
        raise ApiError('failed to update API key', 500)
    return jsonify(status='ok')
Пример #7
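def create_user():
    """Create a user from the JSON request body.

    Returns a 201 JSON response carrying the new user's id and serialized
    form. Raises ApiError 400 when the body cannot be parsed, 403 when the
    user's email domain is not authorized, 409 when the email is already
    registered, and 500 when the create fails.
    """
    try:
        user = User.parse(request.json)
    except Exception as e:
        raise ApiError(str(e), 400)

    # check allowed domain
    if not_authorized('ALLOWED_EMAIL_DOMAINS', groups=[user.domain]):
        raise ApiError('unauthorized domain', 403)

    if User.find_by_email(email=user.email):
        raise ApiError('username already exists', 409)

    # NOTE(review): nothing in this function compares privileges carried in
    # the parsed body with g.scopes; confirm that is enforced elsewhere.
    try:
        user = user.create()
    except Exception as e:
        # Must be raised, not merely constructed: otherwise a failed create
        # falls through with the unsaved object, a confirmation mail and an
        # audit event are produced, and the client receives 201.
        raise ApiError(str(e), 500)

    # Fail before user.email_verified / user.id are dereferenced below.
    if not user:
        raise ApiError('create user failed', 500)

    # if email verification is enforced, send confirmation email
    if current_app.config['EMAIL_VERIFICATION'] and not user.email_verified:
        user.send_confirmation()

    admin_audit_trail.send(current_app._get_current_object(), event='user-created', message='', user=g.user,
                           customers=g.customers, scopes=g.scopes, resource_id=user.id, type='user', request=request)

    return jsonify(status='ok', id=user.id, user=user.serialize), 201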
Пример #8
def update_user(user_id):
    """Apply the JSON request body to the user identified by *user_id*.

    Returns a JSON 'ok' status with the serialized updated user. Raises
    ApiError 400 for an empty body, 404 for an unknown user, 409 when the
    requested email belongs to a different user, 403 when a scope implied by
    the requested roles is not covered by g.scopes, and 500 when update()
    returns a falsy result.
    """
    payload = request.json
    if not payload:
        raise ApiError('nothing to change', 400)

    target = User.find_by_id(user_id)
    if not target:
        raise ApiError('not found', 404)

    new_email = payload.get('email')
    if new_email:
        owner = User.find_by_email(new_email)
        if owner and owner.id != target.id:
            raise ApiError('user with that email already exists', 409)

    # Escalation guard: the scopes that the requested roles resolve to must
    # all be covered by g.scopes before the roles are written.
    roles = payload.get('roles')
    if roles:
        for scope in Permission.lookup(login='', roles=roles):
            if Permission.is_in_scope(scope, have_scopes=g.scopes):
                continue
            raise ApiError("Requested scope '{}' not in existing scopes: {}".format(
                scope, ','.join(g.scopes)), 403)

    # NOTE(review): every key of the body is forwarded to update(); confirm
    # update() ignores fields a caller must not set.
    result = target.update(**payload)

    # Sent after the update attempt, whether or not it succeeded.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='user-updated', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='user', request=request)

    if not result:
        raise ApiError('failed to update user', 500)
    return jsonify(status='ok', user=result.serialize)
Пример #9
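def create_customer():
    """Create a customer record from the JSON request body.

    Returns a 201 JSON response carrying the new record's id and serialized
    form. Raises ApiError 400 when the body cannot be parsed and 500 when the
    create fails.
    """
    try:
        customer = Customer.parse(request.json)
    except ValueError as e:
        raise ApiError(str(e), 400)

    try:
        customer = customer.create()
    except Exception as e:
        # NOTE(review): the text of whatever create() raised goes back to the
        # client; confirm it cannot carry internal details.
        raise ApiError(str(e), 500)

    # Fail before the audit call: it dereferences customer.id, so a falsy
    # result would otherwise surface as an AttributeError instead of this
    # ApiError.
    if not customer:
        raise ApiError('create customer lookup failed', 500)

    admin_audit_trail.send(current_app._get_current_object(),
                           event='customer-created',
                           message='',
                           user=g.login,
                           customers=g.customers,
                           scopes=g.scopes,
                           resource_id=customer.id,
                           type='customer',
                           request=request)

    return jsonify(status='ok',
                   id=customer.id,
                   customer=customer.serialize), 201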
Пример #10
def update_perm(perm_id):
    """Apply the JSON request body to the permission identified by *perm_id*.

    Raises ApiError 400 for an empty body or a scope that is not a member of
    Scope, 404 when the permission is not found, and 500 when update()
    reports failure; otherwise returns a JSON 'ok' status.
    """
    if not request.json:
        raise ApiError('nothing to change', 400)

    # NOTE(review): scopes are checked for validity only; nothing in this
    # function compares them with g.scopes, so confirm a caller cannot grant
    # scopes beyond its own through this endpoint.
    for requested in request.json.get('scopes', []):
        if requested not in list(Scope):
            raise ApiError("'{}' is not a valid Scope".format(requested), 400)

    existing = Permission.find_by_id(perm_id)
    if not existing:
        raise ApiError('not found', 404)

    # Emitted before update() runs, so the event is recorded even when the
    # update then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='permission-updated', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=existing.id, type='permission', request=request)

    if not existing.update(**request.json):
        raise ApiError('failed to update permission', 500)
    return jsonify(status='ok')
Пример #11
def delete_key(key):
    """Delete the API key identified by *key*.

    Raises ApiError 404 when the key is not found and 500 when delete()
    reports failure; otherwise returns a JSON 'ok' status.
    """
    api_key = ApiKey.find_by_id(key)
    if not api_key:
        raise ApiError('not found', 404)

    # NOTE(review): the lookup is not limited to the caller's own keys here;
    # confirm the route's authorization (not visible in this function)
    # decides who may delete another user's key.
    # The event is emitted before delete() runs, so it is recorded even when
    # the delete then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='apikey-deleted', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=api_key.id, type='apikey', request=request)

    if not api_key.delete():
        raise ApiError('failed to delete API key', 500)
    return jsonify(status='ok')
Пример #12
def delete_group(group_id):
    """Delete the user group identified by *group_id*.

    Raises ApiError 404 when the group is not found and 500 when delete()
    reports failure; otherwise returns a JSON 'ok' status.
    """
    target = Group.find_by_id(group_id)
    if not target:
        raise ApiError('not found', 404)

    # The event is emitted before delete() runs, so it is recorded even when
    # the delete then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='group-deleted', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='group', request=request)

    if not target.delete():
        raise ApiError('failed to delete user group', 500)
    return jsonify(status='ok')
Пример #13
def delete_perm(perm_id):
    """Delete the permission identified by *perm_id*.

    Raises ApiError 404 when the permission is not found and 500 when
    delete() reports failure; otherwise returns a JSON 'ok' status.
    """
    target = Permission.find_by_id(perm_id)
    if not target:
        raise ApiError('not found', 404)

    # The event is emitted before delete() runs, so it is recorded even when
    # the delete then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='permission-deleted', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='permission', request=request)

    if not target.delete():
        raise ApiError('failed to delete permission', 500)
    return jsonify(status='ok')
Пример #14
def delete_user(user_id):
    """Delete the user identified by *user_id*.

    Raises ApiError 404 when the user is not found and 500 when delete()
    reports failure; otherwise returns a JSON 'ok' status.
    """
    target = User.find_by_id(user_id)
    if not target:
        raise ApiError('not found', 404)

    # The event is emitted before delete() runs, so it is recorded even when
    # the delete then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='user-deleted', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='user', request=request)

    if not target.delete():
        raise ApiError('failed to delete user', 500)
    return jsonify(status='ok')
Пример #15
def delete_customer(customer_id):
    """Delete the customer record identified by *customer_id*.

    Raises ApiError 404 when the record is not found and 500 when delete()
    reports failure; otherwise returns a JSON 'ok' status.
    """
    target = Customer.find_by_id(customer_id)
    if not target:
        raise ApiError('not found', 404)

    # The event is emitted before delete() runs, so it is recorded even when
    # the delete then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='customer-deleted', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='customer', request=request)

    if not target.delete():
        raise ApiError('failed to delete customer', 500)
    return jsonify(status='ok')
Пример #16
def delete_perm(perm_id):
    """Delete the permission identified by *perm_id*.

    Raises ApiError 404 when the permission is not found and 500 when
    delete() reports failure; otherwise returns a JSON 'ok' status.
    """
    target = Permission.find_by_id(perm_id)
    if not target:
        raise ApiError('not found', 404)

    # The event is emitted before delete() runs, so it is recorded even when
    # the delete then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='permission-deleted', message='', user=g.user,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='permission', request=request)

    if not target.delete():
        raise ApiError('failed to delete permission', 500)
    return jsonify(status='ok')
Пример #17
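def create_user():
    """Create a user from the JSON request body (basic auth provider only).

    Returns a 201 JSON response carrying the new user's id and serialized
    form. Raises ApiError 400 when AUTH_PROVIDER is not 'basic' or the body
    cannot be parsed, 403 when the email domain is not authorized or a scope
    implied by the user's roles is not covered by g.scopes, 409 when the
    email is already registered, and 500 when the create fails.
    """
    if current_app.config['AUTH_PROVIDER'] != 'basic':
        raise ApiError(
            'must use {} login flow to create new user'.format(
                current_app.config['AUTH_PROVIDER']), 400)

    try:
        user = User.parse(request.json)
    except Exception as e:
        raise ApiError(str(e), 400)

    # check allowed domain
    if not_authorized('ALLOWED_EMAIL_DOMAINS', groups=[user.domain]):
        raise ApiError('unauthorized domain', 403)

    if User.find_by_username(username=user.email):
        raise ApiError('user with that email already exists', 409)

    # Escalation guard: the scopes the new user's roles resolve to must all
    # be covered by g.scopes.
    want_scopes = Permission.lookup(login=user.email, roles=user.roles)
    for want_scope in want_scopes:
        if not Permission.is_in_scope(want_scope, have_scopes=g.scopes):
            raise ApiError(
                "Requested scope '{}' not in existing scopes: {}".format(
                    want_scope, ','.join(g.scopes)), 403)

    try:
        user = user.create()
    except Exception as e:
        # Must be raised, not merely constructed: otherwise a failed create
        # falls through with the unsaved object, a confirmation mail and an
        # audit event are produced, and the client receives 201.
        raise ApiError(str(e), 500)

    # Fail before user.email_verified / user.id are dereferenced below.
    if not user:
        raise ApiError('create user failed', 500)

    # if email verification is enforced, send confirmation email
    if current_app.config['EMAIL_VERIFICATION'] and not user.email_verified:
        user.send_confirmation()

    admin_audit_trail.send(current_app._get_current_object(),
                           event='user-created',
                           message='',
                           user=g.login,
                           customers=g.customers,
                           scopes=g.scopes,
                           resource_id=user.id,
                           type='user',
                           request=request)

    return jsonify(status='ok', id=user.id, user=user.serialize), 201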
Пример #18
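def update_user_attributes(user_id):
    """Update the attributes of the user identified by *user_id*.

    The request body must be a JSON object with a non-empty 'attributes'
    entry. Raises ApiError 400 when it is not, 404 when the user is not
    found, and 500 when update_attributes() reports failure; otherwise
    returns a JSON 'ok' status.
    """
    # A missing or non-object body is answered with the same 400 as a missing
    # 'attributes' key, instead of failing on .get() with an AttributeError.
    payload = request.json
    attributes = payload.get('attributes', None) if isinstance(payload, dict) else None
    if not attributes:
        raise ApiError("must supply 'attributes' as json data", 400)

    user = User.find_by_id(user_id)

    if not user:
        raise ApiError('not found', 404)

    # Emitted before update_attributes() runs, so the event is recorded even
    # when the update then fails.
    admin_audit_trail.send(current_app._get_current_object(), event='user-attributes-updated', message='', user=g.login,
                           customers=g.customers, scopes=g.scopes, resource_id=user.id, type='user', request=request)

    if user.update_attributes(attributes):
        return jsonify(status='ok')
    else:
        raise ApiError('failed to update attributes', 500)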
Пример #19
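def update_user_attributes(user_id):
    """Update the attributes of the user identified by *user_id*.

    The request body must be a JSON object with a non-empty 'attributes'
    entry. Raises ApiError 400 when it is not, 404 when the user is not
    found, and 500 when update_attributes() reports failure; otherwise
    returns a JSON 'ok' status.
    """
    # A missing or non-object body is answered with the same 400 as a missing
    # 'attributes' key, instead of failing on .get() with an AttributeError.
    payload = request.json
    attributes = payload.get('attributes', None) if isinstance(payload, dict) else None
    if not attributes:
        raise ApiError("must supply 'attributes' as json data", 400)

    user = User.find_by_id(user_id)

    if not user:
        raise ApiError('not found', 404)

    # Emitted before update_attributes() runs, so the event is recorded even
    # when the update then fails.
    admin_audit_trail.send(current_app._get_current_object(), event='user-attributes-updated', message='', user=g.login,
                           customers=g.customers, scopes=g.scopes, resource_id=user.id, type='user', request=request)

    if user.update_attributes(attributes):
        return jsonify(status='ok')
    else:
        raise ApiError('failed to update attributes', 500)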
Пример #20
def remove_user_from_group(group_id, user_id):
    """Remove the user *user_id* from the group *group_id*.

    Raises ApiError 404 when the group is not found, 400 when the user is not
    found, and 500 when remove_user() reports failure; otherwise returns a
    JSON 'ok' status.
    """
    target_group = Group.find_by_id(group_id)
    if not target_group:
        raise ApiError('not found', 404)

    member = User.find_by_id(user_id)
    if not member:
        raise ApiError('invalid user', 400)

    # NOTE(review): the audit record is labelled 'user-attributes-updated'
    # with type 'user' and carries only the user id, so a membership removal
    # is indistinguishable from an attribute update and the group is not
    # identified; check what audit consumers expect before relabelling.
    # The event is also emitted before remove_user() runs.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='user-attributes-updated', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=member.id, type='user', request=request)

    if not target_group.remove_user(user_id):
        raise ApiError('failed to remove user from group', 500)
    return jsonify(status='ok')
Пример #21
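def create_customer():
    """Create a customer record from the JSON request body.

    Returns a 201 JSON response carrying the new record's id and serialized
    form. Raises ApiError 400 when the body cannot be parsed and 500 when the
    create fails.
    """
    try:
        customer = Customer.parse(request.json)
    except ValueError as e:
        raise ApiError(str(e), 400)

    try:
        customer = customer.create()
    except Exception as e:
        # NOTE(review): the text of whatever create() raised goes back to the
        # client; confirm it cannot carry internal details.
        raise ApiError(str(e), 500)

    # Fail before the audit call: it dereferences customer.id, so a falsy
    # result would otherwise surface as an AttributeError instead of this
    # ApiError.
    if not customer:
        raise ApiError('create customer lookup failed', 500)

    admin_audit_trail.send(current_app._get_current_object(), event='customer-created', message='', user=g.login,
                           customers=g.customers, scopes=g.scopes, resource_id=customer.id, type='customer', request=request)

    return jsonify(status='ok', id=customer.id, customer=customer.serialize), 201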
Пример #22
def delete_key(key):
    """Delete the API key identified by *key*.

    Raises ApiError 404 when the key is not found and 500 when delete()
    reports failure; otherwise returns a JSON 'ok' status.
    """
    api_key = ApiKey.find_by_id(key)
    if not api_key:
        raise ApiError('not found', 404)

    # NOTE(review): the lookup is not limited to the caller's own keys here;
    # confirm the route's authorization (not visible in this function)
    # decides who may delete another user's key.
    # The event is emitted before delete() runs, so it is recorded even when
    # the delete then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='apikey-deleted', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=api_key.id, type='apikey', request=request)

    if not api_key.delete():
        raise ApiError('failed to delete API key', 500)
    return jsonify(status='ok')
Пример #23
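def create_user():
    """Create a user from the JSON request body (basic auth provider only).

    Returns a 201 JSON response carrying the new user's id and serialized
    form. Raises ApiError 400 when AUTH_PROVIDER is not 'basic' or the body
    cannot be parsed, 403 when the email domain is not authorized or a scope
    implied by the user's roles is not covered by g.scopes, 409 when the
    email is already registered, and 500 when the create fails.
    """
    if current_app.config['AUTH_PROVIDER'] != 'basic':
        raise ApiError(
            'must use {} login flow to create new user'.format(current_app.config['AUTH_PROVIDER']), 400)

    try:
        user = User.parse(request.json)
    except Exception as e:
        raise ApiError(str(e), 400)

    # check allowed domain
    if not_authorized('ALLOWED_EMAIL_DOMAINS', groups=[user.domain]):
        raise ApiError('unauthorized domain', 403)

    if User.find_by_username(username=user.email):
        raise ApiError('user with that email already exists', 409)

    # Escalation guard: the scopes the new user's roles resolve to must all
    # be covered by g.scopes.
    want_scopes = Permission.lookup(login=user.email, roles=user.roles)
    for want_scope in want_scopes:
        if not Permission.is_in_scope(want_scope, have_scopes=g.scopes):
            raise ApiError("Requested scope '{}' not in existing scopes: {}".format(
                want_scope, ','.join(g.scopes)), 403)

    try:
        user = user.create()
    except Exception as e:
        # Must be raised, not merely constructed: otherwise a failed create
        # falls through with the unsaved object, a confirmation mail and an
        # audit event are produced, and the client receives 201.
        raise ApiError(str(e), 500)

    # Fail before user.email_verified / user.id are dereferenced below.
    if not user:
        raise ApiError('create user failed', 500)

    # if email verification is enforced, send confirmation email
    if current_app.config['EMAIL_VERIFICATION'] and not user.email_verified:
        user.send_confirmation()

    admin_audit_trail.send(current_app._get_current_object(), event='user-created', message='', user=g.login,
                           customers=g.customers, scopes=g.scopes, resource_id=user.id, type='user', request=request)

    return jsonify(status='ok', id=user.id, user=user.serialize), 201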
Пример #24
def update_key(key):
    """Apply the JSON request body to the API key identified by *key*.

    Returns a JSON 'ok' status with the serialized updated key. Raises
    ApiError 400 for an empty body, 404 when the key is not found, 403 when a
    requested scope is not covered by g.scopes, and 500 when update() returns
    a falsy result.
    """
    if not request.json:
        raise ApiError('nothing to change', 400)

    # Ownership rule: with auth disabled, or for callers holding the admin or
    # admin_keys scope, any key can be looked up; everyone else only finds
    # keys belonging to g.login.
    unrestricted = (
        not current_app.config['AUTH_REQUIRED']
        or Scope.admin in g.scopes
        or Scope.admin_keys in g.scopes
    )
    if unrestricted:
        api_key = ApiKey.find_by_id(key)
    else:
        api_key = ApiKey.find_by_id(key, user=g.login)

    if not api_key:
        raise ApiError('not found', 404)

    # The body is modified in place: 'customer' is replaced by whatever
    # assign_customer() returns for the requested value.
    changes = request.json
    changes['customer'] = assign_customer(wanted=changes.get('customer'),
                                          permission=Scope.admin_keys)

    # Escalation guard: a key may not be given scopes that g.scopes does not cover.
    for scope in changes.get('scopes', []):
        if Permission.is_in_scope(scope, have_scopes=g.scopes):
            continue
        raise ApiError(
            "Requested scope '{}' not in existing scopes: {}".format(
                scope, ','.join(g.scopes)), 403)

    # Emitted before update() runs, so the event is recorded even when the
    # update then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='apikey-updated', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=api_key.id, type='apikey', request=request)

    # NOTE(review): all remaining body keys reach update() unchecked; confirm
    # update() ignores fields a non-admin caller must not change.
    result = api_key.update(**request.json)
    if not result:
        raise ApiError('failed to update API key', 500)
    return jsonify(status='ok', key=result.serialize)
Пример #25
def update_customer(customer_id):
    """Apply the JSON request body to the customer record *customer_id*.

    Raises ApiError 400 for an empty body, 404 when the record is not found,
    and 500 when update() reports failure; otherwise returns a JSON 'ok'
    status.
    """
    payload = request.json
    if not payload:
        raise ApiError('nothing to change', 400)

    target = Customer.find_by_id(customer_id)
    if not target:
        raise ApiError('not found', 404)

    # Emitted before update() runs, so the event is recorded even when the
    # update then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='customer-updated', message='', user=g.login,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='customer', request=request)

    # NOTE(review): every key of the body is forwarded to update(); confirm
    # update() accepts only the fields a caller is allowed to change.
    if not target.update(**payload):
        raise ApiError('failed to update customer', 500)
    return jsonify(status='ok')
Пример #26
def update_group(group_id):
    """Apply the JSON request body to the user group *group_id*.

    Raises ApiError 400 for an empty body, 404 when the group is not found,
    and 500 when update() reports failure; otherwise returns a JSON 'ok'
    status.
    """
    payload = request.json
    if not payload:
        raise ApiError('nothing to change', 400)

    target = Group.find_by_id(group_id)
    if not target:
        raise ApiError('not found', 404)

    # Emitted before update() runs, so the event is recorded even when the
    # update then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='group-updated', message='', user=g.user,
        customers=g.customers, scopes=g.scopes,
        resource_id=target.id, type='group', request=request)

    # NOTE(review): every key of the body is forwarded to update(); confirm
    # update() accepts only the fields a caller is allowed to change.
    if not target.update(**payload):
        raise ApiError('failed to update user group', 500)
    return jsonify(status='ok')
Пример #27
Файл: keys.py Проект: 40a/alerta
def update_key(key):
    """Apply the JSON request body to the API key identified by *key*.

    Raises ApiError 400 for an empty body, 404 when the key is not found, and
    500 when update() reports failure; otherwise returns a JSON 'ok' status.
    """
    payload = request.json
    if not payload:
        raise ApiError('nothing to change', 400)

    # NOTE(review): the lookup is not limited to the caller's own keys, and
    # nothing in this function compares requested scopes with g.scopes;
    # confirm the route's authorization or ApiKey.update() prevents a caller
    # from editing another user's key or widening a key's scopes.
    api_key = ApiKey.find_by_id(key)
    if not api_key:
        raise ApiError('not found', 404)

    # Emitted before update() runs, so the event is recorded even when the
    # update then fails.
    admin_audit_trail.send(
        current_app._get_current_object(),
        event='apikey-updated', message='', user=g.user,
        customers=g.customers, scopes=g.scopes,
        resource_id=api_key.id, type='apikey', request=request)

    if not api_key.update(**payload):
        raise ApiError('failed to update API key', 500)
    return jsonify(status='ok')