Пример #1
0
 def __init__(self, options=None):
     if options is None:
         options = {}
     params = dict(self.defaults, **options)
     self.options = Bunch()
     self.options.merge(params)
     self.configure()
 def __init__(self, options=None):
     if options is None:
         options = {}
     params = dict(self.defaults, **options)
     self.validate_store_option(params)
     self.options = Bunch()
     self.options.merge(params)
 def get_account(self, userkey):
     """
     Gets the account with the given key.
     :param userkey: key of the user (e.g. email or username)
     """
     data = self.options.store.get_account(userkey)
     if data is None:
         return None
     result = Bunch()
     result.merge(data)
     return result
 def get_account(self, userkey):
     """
     Gets the account with the given key.
     :param userkey: key of the user (e.g. email or username)
     """
     data = self.options.store.get_account(userkey)
     if data is None:
         return None
     result = Bunch()
     result.merge(data)
     return result
Пример #5
0
 def __init__(self):
     store = self.get_membership_store()
     options = self.get_options()
     require_params(store=store)
     if options is None:
         options = {}
     params = dict(self.defaults, **options)
     self.validate_store(store)
     self.store = store
     self.options = Bunch()
     self.options.merge(params)
     self.principal_type = self.get_principal_type()
 def get_account_by_id(self, account_id):
     """
     Gets the account details by id
     :param id: account id
     :return: account
     """
     data = self.options.store.get_account_by_id(account_id)
     if data is None:
         return None
     del data["salt"]
     del data["hash"]
     result = Bunch()
     result.merge(data)
     return result
 def get_account_by_id(self, account_id):
     """
     Gets the account details by id
     :param id: account id
     :return: account
     """
     data = self.options.store.get_account_by_id(account_id)
     if data is None:
         return None
     del data["salt"]
     del data["hash"]
     result = Bunch()
     result.merge(data)
     return result
 def __init__(self, options = None):
     if options is None:
         options = {}
     params = dict(self.defaults, **options)
     self.options = Bunch()
     self.options.merge(params)
     self.configure()
 def __init__(self, options = None):
     if options is None:
         options = {}
     params = dict(self.defaults, **options)
     self.validate_store_option(params)
     self.options = Bunch()
     self.options.merge(params)
class MembershipStore(MongoStore):
    """
    Represents a Sessions and Accounts Storage manager for MongoDB utilized to manage Membership for an application.
    It can be used to handle global authentication; or per-area authentication.
    Contains data access logic for accounts and sessions.
    """

    defaults = {
        "accounts_collection": "accounts",
        "sessions_collection": "sessions",
        "login_attempts_collection": "login_attempts",
        "user_key_field": "email"
    }


    def __init__(self, options = None):
        if options is None:
            options = {}
        params = dict(self.defaults, **options)
        self.options = Bunch()
        self.options.merge(params)
        self.configure()


    def configure(self):
        """
        Configure the db, creating the needed collections and theirs indexes.
        :return: self
        """
        opt = self.options
        db_collections = db.collection_names(include_system_collections=False)

        accounts_collection = opt.accounts_collection
        sessions_collection = opt.sessions_collection
        login_attempts_collection = opt.login_attempts_collection
        user_key_field = opt.user_key_field

        if accounts_collection not in db_collections:
            # create the account collection
            accounts = db.create_collection(accounts_collection)
            accounts.create_index([(user_key_field, ASCENDING)])

        if sessions_collection not in db_collections:
            # create the sessions collection
            sessions = db.create_collection(sessions_collection)
            sessions.create_index([(user_key_field, ASCENDING)])
            sessions.create_index([("guid", ASCENDING)])

        if login_attempts_collection and login_attempts_collection not in db_collections:
            # create the login attempts collection
            login_attempts = db.create_collection(login_attempts_collection)
            login_attempts.create_index([(user_key_field, ASCENDING)])

        return self


    def get_account_condition(self, userkey):
        """
        Returns account search condition.
        :param userkey: user key
        :return: condition for a mongodb search
        """
        a = {
            self.options.user_key_field: userkey
        }
        return a


    def get_account(self, userkey):
        """
        Gets the account data associated with the user with the given key.
        :param userkey: user key
        :return:
        """
        collection = db[self.options.accounts_collection]
        condition = self.get_account_condition(userkey)
        data = collection.find_one(condition)
        return self.normalize_id(data)


    def get_account_by_id(self, account_id):
        """
        Gets the account data associated with the user with the given id.
        :param id: user id
        :return:
        """
        collection = db[self.options.accounts_collection]
        condition = {
            "_id": ObjectId(account_id)
        }
        data = collection.find_one(condition)
        return self.normalize_id(data)


    def get_accounts(self, options):
        """
        Gets a list of all application accounts.
        """
        collection = db[self.options.accounts_collection]
        return self.get_catalog_page(collection, options)


    def get_sessions(self, options):
        """
        Gets a list of current sessions.
        """
        collection = db[self.options.sessions_collection]
        return self.get_catalog_page(collection, options)


    def get_session(self, sessionkey):
        """
        Gets the session with the given key.
        :param sessionkey: session guid
        :return:
        """
        collection = db[self.options.sessions_collection]
        data = collection.find_one({ "guid": sessionkey })
        if not data:
            return None
        #set user key
        data["userkey"] = data[self.options.user_key_field]
        return self.normalize_id(data)


    def create_session(self, userkey, expiration, client_ip, client_data):
        """
        Creates a session in the database.
        :param userkey: key of the user for whom we are initializing the session
        :param expiration: expiration datetime of the session
        :param client_ip: ip of the client for whom this function is invoked
        :param client_data: client speficif information (e.g. browser navigator)
        :return:
        """
        collection = db[self.options.sessions_collection]
        data = {
          "guid": str(uuid.uuid1()),
          self.options.user_key_field: userkey,
          "anonymous": userkey is None or userkey == False,
          "expiration": expiration,
          "client_ip": client_ip,
          "client_data": client_data,
          "timestamp": datetime.now()
        }

        result = collection.insert_one(data)
        session_id = result.inserted_id
        data = collection.find_one({ "_id": session_id })
        return self.normalize_id(data)


    def create_account(self, userkey, hashedpassword, salt, data, roles = None):
        """
        Creates a new account
        :param userkey: user key (e.g. email or username)
        :param hashedpassword: hashed password
        :param salt: salt used to hash the account password
        :param data: extra account data
        """
        collection = db[self.options.accounts_collection]
        account_data = {
            self.options.user_key_field: userkey,
            "hash": hashedpassword,
            "salt": salt,
            "data": data,
            "roles": roles,
            "timestamp": datetime.now()
        }
        result = collection.insert_one(account_data)
        return {
            "id": str(result.inserted_id)
        }


    def save_session_data(self, sessionkey, data):
        """
        Stores data for the session with the given key.
        :param sessionkey: session guid.
        :param data: session data
        """
        collection = db[self.options.sessions_collection]
        condition = {
            "guid": sessionkey
        }
        update = {
            "data": data
        }
        collection.update_one(condition, update)


    def get_session_data(self, sessionkey):
        """
        Gets the data associated with the session with the given key.
        :param sessionkey: session guid.
        """
        collection = db[self.options.sessions_collection]
        condition = {
            "guid": sessionkey
        }
        session = collection.find_one(condition)
        return session["data"]


    def destroy_session(self, sessionkey):
        collection = db[self.options.sessions_collection]
        condition = {
            "guid": sessionkey
        }
        collection.delete_one(condition)


    def get_failed_login_attempts(self, userkey, start, end):
        """
        Gets the number of failed login attempts for a user with a given key, in the last minutes.
        :param userkey: key of the user for whom we are initializing the session
        :param start: start datetime to check for login attempts
        :param end: end datetime to check for login attempts
        :return:
        """
        condition = {
            self.options.user_key_field: userkey,
            "timestamp": { "$gte": start, "$lt": end }
        }
        collection = db[self.options.login_attempts_collection]
        attempts = collection.find(condition)
        return attempts.count()


    def save_login_attempt(self, userkey, client_ip, time):
        """
        Stores a failed login attempt in database
        :param userkey: key of the user for whom the login attempt must be stored
        :param client_ip: ip of the client for which the method is invoked
        :param time: timestamp of the login attempt
        :return:
        """
        data = {
            self.options.user_key_field: userkey,
            "client_ip": client_ip,
            "timestamp": time
        }
        collection = db[self.options.login_attempts_collection]
        collection.insert_one(data)


    def update_account(self, userkey, data):
        """
        Updates the account associated to the user with the given key.
        :param userkey: key of the user whose account must be deleted
        :param data: new account data
        """
        collection = db[self.options.accounts_collection]
        condition = self.get_account_condition(userkey)
        collection.update_one(condition, { "$set": data })


    def delete_account(self, userkey):
        """
        Deletes the account associated to the user with the given key.
        :param userkey: key of the user whose account must be deleted
        """
        collection = db[self.options.accounts_collection]
        condition = self.get_account_condition(userkey)
        collection.delete_one(condition)
class ReportsStore(MongoStore):
    """
    Represents a storage manager for MongoDB based application reports.
    """

    defaults =  {
      "messages_collection": "app_messages",
      "exceptions_collection": "app_exceptions"
    }


    def __init__(self, options = None):
        if options is None:
            options = {}
        params = dict(self.defaults, **options)
        self.options = Bunch()
        self.options.merge(params)
        self.configure()


    def configure(self):
        """
        Configure the db, creating the needed collections and theirs indexes.
        :return: self
        """
        opt = self.options
        db_collections = db.collection_names(include_system_collections=False)

        messages_collection = opt.messages_collection
        exceptions_collection = opt.exceptions_collection

        if messages_collection not in db_collections:
            # create the messages collection
            messages = db.create_collection(messages_collection)

        if exceptions_collection not in db_collections:
            # create the sessions collection
            exceptions = db.create_collection(exceptions_collection)

        return self


    def store_message(self, message, time, kind = "Normal"):
        """
        Stores an application message in database.
        :param message: message to store
        :param time: timestamp
        :param kind: the kind of message (e.g. Normal, Warning, etc.)
        :return: message data
        """
        collection = db[self.options.messages_collection]
        data = {
          "message": message,
          "timestamp": time,
          "kind": kind
        }

        result = collection.insert_one(data)
        message_id = result.inserted_id
        data = collection.find_one({ "_id": message_id })
        return self.normalize_id(data)


    def store_exception(self, message, time, typename, callstack):
        """
        Stores an application exception in database.
        :param ex: exception to store
        :param time: timestamp
        :param callstack: exception callstack
        :return: data stored in db
        """
        collection = db[self.options.exceptions_collection]
        data = {
          "message": message,
          "timestamp": time,
          "type": typename,
          "callstack": callstack
        }

        result = collection.insert_one(data)
        ex_id = result.inserted_id
        data = collection.find_one({ "_id": ex_id })
        return self.normalize_id(data)


    def get_messages(self, options):
        """
        Gets a paginated subset of application messages.
        """
        collection = db[self.options.messages_collection]
        data = self.get_catalog_page(collection, options)
        return data


    def get_exceptions(self, options):
        """
        Gets a paginated subset of application exceptions.
        """
        collection = db[self.options.exceptions_collection]
        data = self.get_catalog_page(collection, options)
        return data
class MembershipProvider:
    """
    Provides business logic to provide user authentication.
    Generic MembershipProvider utilized to manage Membership for an application.
    It can be used to handle global authentication; or per-area authentication.
    Contains business logic for Login, Logout, ChangePassword.
    """

    defaults =  {
      "store": None,
      "short_time_expiration": 1e3 * 60 * 20,
      "long_time_expiration": 1e3 * 60 * 60 * 24 * 365,
      "failed_login_attempts_limit": 4,
      "minutes_limit": 15,
      "requires_account_confirmation": False
    }


    def __init__(self, options = None):
        if options is None:
            options = {}
        params = dict(self.defaults, **options)
        self.validate_store_option(params)
        self.options = Bunch()
        self.options.merge(params)


    @staticmethod
    def get_hash(password, salt):
        """
        Returns an hashed version of password, created using the given salt
        :param salt: salt to use to hash a password
        :return: hashed version of password
        """
        key = (password + salt).encode("utf-8")
        return hashlib.sha224(key).hexdigest()


    @staticmethod
    def get_new_salt():
        """
        Returns a new salt to be used to hash password
        :return: {String} new salt to be used to hash passwords
        """
        ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        return ''.join(random.choice(ALPHABET) for i in range(16))


    @staticmethod
    def validate_store_option(params):
        """
        Validates the store option passed when instantiating a MembershipProvider.
        :param params: constructor options
        """
        if params["store"] is None:
          raise Exception("Missing `store` option")
        req = ["get_account",
               "get_accounts",
               "get_session",
               "create_account",
               "update_account",
               "create_session",
               "destroy_session",
               "save_session_data",
               "get_session_data",
               "get_failed_login_attempts",
               "save_login_attempt"]
        for name in req:
            if not hasattr(params["store"], name):
                raise Exception("The given store does not implement `" + name + "` member")


    def get_account(self, userkey):
        """
        Gets the account with the given key.
        :param userkey: key of the user (e.g. email or username)
        """
        data = self.options.store.get_account(userkey)
        if data is None:
            return None
        result = Bunch()
        result.merge(data)
        return result


    def get_account_by_id(self, account_id):
        """
        Gets the account details by id
        :param id: account id
        :return: account
        """
        data = self.options.store.get_account_by_id(account_id)
        if data is None:
            return None
        del data["salt"]
        del data["hash"]
        result = Bunch()
        result.merge(data)
        return result


    def get_accounts(self, options):
        """
        Gets the list of all application accounts.
        """
        # define searchable properties
        options["search_properties"] = ["email", "roles"]
        data = self.options.store.get_accounts(options)
        # NB !!!
        # Salt and hashed password must be kept private in this case.
        for item in data.subset:
            self.prepare_account_data(item)
        return data


    def get_sessions(self, options):
        """
        Gets the list of current user sessions.
        """
        # define searchable properties
        options["search_properties"] = ["email", "client_data.user_agent", "client_ip"]
        data = self.options.store.get_sessions(options)
        for o in data.subset:
            if o["client_data"]:
                o["user_agent"] = o["client_data"]["user_agent"]
            else:
                o["user_agent"] = ""
            del o["client_data"]
        return data


    def prepare_account_data(self, account):
        """
        Prepares account data, to share it outside of bll.
        Salt and hashed password must be never get out of bll.
        """
        del account["salt"]
        del account["hash"]
        if "roles" not in account:
            account["roles"] = []
        return account


    def create_account(self, userkey, password, data = None, roles = None):
        """
        Creates a new user account in db
        :param userkey: key of the user (e.g. email or username)
        :param password: account clear password (e.g. user defined password)
        :param data: dict, optional account data
        :return:
        """
        # verify that an account with the same key doesn't exist already
        account_data = self.options.store.get_account(userkey)
        if account_data is not None:
            return False, "AccountAlreadyExisting"
        if data is None:
            data = {}
        if roles is None:
            roles = []
        salt = self.get_new_salt()
        hashedpassword = self.get_hash(password, salt)
        now = datetime.datetime.now()

        if self.options.requires_account_confirmation:
            # set a confirmation token inside the account data
            data["confirmation_token"] = uuid.uuid1()
        return True, self.options.store.create_account(userkey, hashedpassword, salt, data, roles)


    def update_password(self, userkey, password):
        """
        Updates the password for the account with the given key.
        :param userkey: key of the user (e.g. email or username)
        :param password: account clear password (e.g. user defined password)
        :return:
        """
        account_data = self.options.store.get_account(userkey)
        if account_data is None:
            return False, "Account not found"
        salt = account_data["salt"]
        hashedpassword = self.get_hash(password, salt)
        now = datetime.datetime.now()
        self.options.store.update_account(userkey, { "hash": hashedpassword })
        return True, ""


    def delete_account(self, userkey):
        """
        Deletes the account with the given userkey
        :param userkey: the user key (email address or username)
        :return: success, error
        """
        account = self.options.store.get_account(userkey)
        if account is None:
            return False, "AccountNotFound"
        self.options.store.delete_account(userkey)
        return True


    def confirm_account(self, userkey):
        """
        Confirms the account with the given userkey.
        :param userkey: the user key (email address or username)
        :return: success, error
        """
        return self.update_account(userkey, {
            "confirmed": True
        })


    def ban_account(self, userkey):
        """
        Bans the account with the given userkey.
        :param userkey: the user key (email address or username)
        :return: success, error
        """
        return self.update_account(userkey, {
            "banned": True
        })


    def update_account(self, userkey, data):
        """
        Updates the account with the given key; setting the data.
        :param userkey: the user key (email address or username)
        :param data: account data to update
        :return: self
        """
        account = self.options.store.get_account(userkey)
        if account is None:
            return False, "AccountNotFound"
        self.options.store.update_account(userkey, data)
        return True, None


    def try_login(self, userkey, password, remember, client_ip, client_data = None, options = None):
        """
        Tries to perform a login for the user with the given key (e.g. email or username); password;
        :param userkey: the user key (email address or username)
        :param password:
        :param remember: whether to have a longer expiration time or not
        :param client_ip: ip of the client for which the function has been called
        :param client_data: optional client data
        :param options: extra options
        :return:
        """
        # get account data
        account_data = self.get_account(userkey)
        if account_data is None:
            return False, "AccountNotFound"

        login_attempts = self.get_failed_login_attempts(userkey)
        tooManyAttempts = self.options.failed_login_attempts_limit <= login_attempts
        if tooManyAttempts:
            return False, "TooManyAttempts"
            # error: too many attempts in the last minutes, for this user

        check_password = options is None or options["automatic_no_password"] is None

        if check_password:
            # generate hash of given password, appending salt
            hsh = self.get_hash(password, account_data.salt)
            if account_data.hash != hsh:
                # the key exists, but the password is wrong
                self.report_login_attempt(userkey, client_ip)
                # exit
                return False, "WrongPassword"

        # check if the account is confirmed
        if self.options.requires_account_confirmation and not account_data.confirmed:
            return False, "RequireConfirmation"

        # check if the account was banned
        if hasattr(account_data, "banned") and account_data.banned == True:
            return False, "BannedAccount"

        # get session expiration
        expiration = self.get_new_expiration(remember)
        # save session
        session = self.options.store.create_session(userkey, expiration, client_ip, client_data)

        del account_data.salt
        del account_data.hash
        return True, {
            "principal": Principal(account_data.id,
                                   account_data,
                                   session,
                                   True),
            "session": Session.from_dict(session)
        }

    def report_login_attempt(self, userkey, client_ip):
        """
        Reports a login attempt.
        :param userkey: the user key (email address or username)
        :param client_ip: ip of the client
        """
        now = datetime.datetime.now()
        self.options.store.save_login_attempt(userkey, client_ip, now)
        return self


    def change_password(self, userkey, password_reset_key, new_password):
        pass


    def get_failed_login_attempts(self, userkey):
        """
        Gets the number of failed login attempts for a userkey in the amount of minutes defined by MinutesLimit option.
        :param userkey: the user key (email address or username)
        """
        now = datetime.datetime.now()
        ms = self.options.minutes_limit * 60 * 1e3
        start = now - datetime.timedelta(milliseconds=ms)
        count = self.options.store.get_failed_login_attempts(userkey, start, now)
        return count


    def try_login_by_session_key(self, sessionkey):
        """
        Tries to perform login by user session key.
        :param sessionkey:
        :return: boolean, session, account
        """
        # returns bool, principal
        if sessionkey is None:
            return False, None

        session = self.options.store.get_session(sessionkey)
        if session is None:
            return False, None

        # convert into a class
        session = Session.from_dict(session)

        now = datetime.datetime.now()
        if session.expiration < now:
            return False, None

        if session.anonymous:
            return True, {
            "principal": Principal(None,
                                   None,
                                   session,
                                   False),
            "session": session
        }

        # get account data
        account = self.options.store.get_account(session.userkey)

        if account is None:
            return False, None

        # return session and account data
        return True, {
            "principal": Principal(account["id"],
                                   account,
                                   session,
                                   True),
            "session": session
        }


    def initialize_anonymous_session(self, client_ip, client_data):
        """
        Initializes a session for an anonymous user.
        :param client_ip:
        :param navigator:
        :return:
        """
        expiration = self.get_new_expiration(True)
        userkey = None
        # save session
        session = self.options.store.create_session(userkey, expiration, client_ip, client_data)
        return {
            "principal": Principal(None, None, session, False),
            "session": Session.from_dict(session)
        }


    def get_new_expiration(self, remember = None):
        """
        Returns the expiration for a new session, based on the provider settings and if the user wants to be remembered.
        for longer or not.
        :param remember: boolean
        :return: datetime
        """
        if remember is None:
            remember = False
        now = datetime.datetime.now()
        ms = self.options.long_time_expiration if remember else self.options.short_time_expiration
        expiration = now + datetime.timedelta(milliseconds=ms)
        return expiration


    def save_session_data(self, sessionkey, data):
        """
        Stores session data in the database.
        :param sessionkey: the key of the session
        :param data: dictionary of data to store in database
        :return:
        """
        self.options.store.save_session_data(sessionkey, data)
        return self


    def get_session_data(self, sessionkey):
        """
        Gets the data associated with the given session, in database.
        :param sessionkey: the key of the session
        :return: dict
        """
        return self.options.get_session_data(sessionkey)


    def destroy_session(self, sessionkey):
        """
        Destroys the session with the given key.
        :param sessionkey: key of the session to destroy.
        :return: self
        """
        self.options.store.destroy_session(sessionkey)
        return self


    @staticmethod
    def validate_password(password_one, password_two):
        """
        Validates the two given passwords.
        :param password_one: first password written by user.
        :param password_two: password confirmation.
        :return: success, error
        """
        if not password_one or not password_two:
            return False, "missing password"
        if password_one != password_two:
            return False, "password mismatch"
        v = password_two
        rx = {
          "enforce": "^(?=.*\d)(?=.*[a-zA-Z\.\,\;\@\$\!\?\#\*\-\_\%\&]).{9,}$"
        }
        if not re.match(rx["enforce"], v):
            return False, "password too weak"
        return True, None
class MembershipProvider:
    """
    Provides business logic to provide user authentication.
    Generic MembershipProvider utilized to manage Membership for an application.
    It can be used to handle global authentication; or per-area authentication.
    Contains business logic for Login, Logout, ChangePassword.
    """

    defaults = {
        "store": None,
        "short_time_expiration": 1e3 * 60 * 20,
        "long_time_expiration": 1e3 * 60 * 60 * 24 * 365,
        "failed_login_attempts_limit": 4,
        "minutes_limit": 15,
        "requires_account_confirmation": False
    }

    def __init__(self, options=None):
        if options is None:
            options = {}
        params = dict(self.defaults, **options)
        self.validate_store_option(params)
        self.options = Bunch()
        self.options.merge(params)

    @staticmethod
    def get_hash(password, salt):
        """
        Returns an hashed version of password, created using the given salt
        :param salt: salt to use to hash a password
        :return: hashed version of password
        """
        key = (password + salt).encode("utf-8")
        return hashlib.sha224(key).hexdigest()

    @staticmethod
    def get_new_salt():
        """
        Returns a new salt to be used to hash password
        :return: {String} new salt to be used to hash passwords
        """
        ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        return ''.join(random.choice(ALPHABET) for i in range(16))

    @staticmethod
    def validate_store_option(params):
        """
        Validates the store option passed when instantiating a MembershipProvider.
        :param params: constructor options
        """
        if params["store"] is None:
            raise Exception("Missing `store` option")
        req = [
            "get_account", "get_accounts", "get_session", "create_account",
            "update_account", "create_session", "destroy_session",
            "save_session_data", "get_session_data",
            "get_failed_login_attempts", "save_login_attempt"
        ]
        for name in req:
            if not hasattr(params["store"], name):
                raise Exception("The given store does not implement `" + name +
                                "` member")

    def get_account(self, userkey):
        """
        Gets the account with the given key.
        :param userkey: key of the user (e.g. email or username)
        """
        data = self.options.store.get_account(userkey)
        if data is None:
            return None
        result = Bunch()
        result.merge(data)
        return result

    def get_account_by_id(self, account_id):
        """
        Gets the account details by id
        :param id: account id
        :return: account
        """
        data = self.options.store.get_account_by_id(account_id)
        if data is None:
            return None
        del data["salt"]
        del data["hash"]
        result = Bunch()
        result.merge(data)
        return result

    def get_accounts(self, options):
        """
        Gets the list of all application accounts.
        """
        # define searchable properties
        options["search_properties"] = ["email", "roles"]
        data = self.options.store.get_accounts(options)
        # NB !!!
        # Salt and hashed password must be kept private in this case.
        for item in data.subset:
            self.prepare_account_data(item)
        return data

    def get_sessions(self, options):
        """
        Gets the list of current user sessions.
        """
        # define searchable properties
        options["search_properties"] = [
            "email", "client_data.user_agent", "client_ip"
        ]
        data = self.options.store.get_sessions(options)
        for o in data.subset:
            if o["client_data"]:
                o["user_agent"] = o["client_data"]["user_agent"]
            else:
                o["user_agent"] = ""
            del o["client_data"]
        return data

    def prepare_account_data(self, account):
        """
        Prepares account data, to share it outside of bll.
        Salt and hashed password must be never get out of bll.
        """
        del account["salt"]
        del account["hash"]
        if "roles" not in account:
            account["roles"] = []
        return account

    def create_account(self, userkey, password, data=None, roles=None):
        """
        Creates a new user account in db
        :param userkey: key of the user (e.g. email or username)
        :param password: account clear password (e.g. user defined password)
        :param data: dict, optional account data
        :return:
        """
        # verify that an account with the same key doesn't exist already
        account_data = self.options.store.get_account(userkey)
        if account_data is not None:
            return False, "AccountAlreadyExisting"
        if data is None:
            data = {}
        if roles is None:
            roles = []
        salt = self.get_new_salt()
        hashedpassword = self.get_hash(password, salt)
        now = datetime.datetime.now()

        if self.options.requires_account_confirmation:
            # set a confirmation token inside the account data
            data["confirmation_token"] = uuid.uuid1()
        return True, self.options.store.create_account(userkey, hashedpassword,
                                                       salt, data, roles)

    def update_password(self, userkey, password):
        """
        Updates the password for the account with the given key.
        :param userkey: key of the user (e.g. email or username)
        :param password: account clear password (e.g. user defined password)
        :return:
        """
        account_data = self.options.store.get_account(userkey)
        if account_data is None:
            return False, "Account not found"
        salt = account_data["salt"]
        hashedpassword = self.get_hash(password, salt)
        now = datetime.datetime.now()
        self.options.store.update_account(userkey, {"hash": hashedpassword})
        return True, ""

    def delete_account(self, userkey):
        """
        Deletes the account with the given userkey
        :param userkey: the user key (email address or username)
        :return: success, error
        """
        account = self.options.store.get_account(userkey)
        if account is None:
            return False, "AccountNotFound"
        self.options.store.delete_account(userkey)
        return True

    def confirm_account(self, userkey):
        """
        Confirms the account with the given userkey.
        :param userkey: the user key (email address or username)
        :return: success, error
        """
        return self.update_account(userkey, {"confirmed": True})

    def ban_account(self, userkey):
        """
        Bans the account with the given userkey.
        :param userkey: the user key (email address or username)
        :return: success, error
        """
        return self.update_account(userkey, {"banned": True})

    def update_account(self, userkey, data):
        """
        Updates the account with the given key; setting the data.
        :param userkey: the user key (email address or username)
        :param data: account data to update
        :return: self
        """
        account = self.options.store.get_account(userkey)
        if account is None:
            return False, "AccountNotFound"
        self.options.store.update_account(userkey, data)
        return True, None

    def try_login(self,
                  userkey,
                  password,
                  remember,
                  client_ip,
                  client_data=None,
                  options=None):
        """
        Tries to perform a login for the user with the given key (e.g. email or username); password;
        :param userkey: the user key (email address or username)
        :param password:
        :param remember: whether to have a longer expiration time or not
        :param client_ip: ip of the client for which the function has been called
        :param client_data: optional client data
        :param options: extra options
        :return:
        """
        # get account data
        account_data = self.get_account(userkey)
        if account_data is None:
            return False, "AccountNotFound"

        login_attempts = self.get_failed_login_attempts(userkey)
        tooManyAttempts = self.options.failed_login_attempts_limit <= login_attempts
        if tooManyAttempts:
            return False, "TooManyAttempts"
            # error: too many attempts in the last minutes, for this user

        check_password = options is None or options[
            "automatic_no_password"] is None

        if check_password:
            # generate hash of given password, appending salt
            hsh = self.get_hash(password, account_data.salt)
            if account_data.hash != hsh:
                # the key exists, but the password is wrong
                self.report_login_attempt(userkey, client_ip)
                # exit
                return False, "WrongPassword"

        # check if the account is confirmed
        if self.options.requires_account_confirmation and not account_data.confirmed:
            return False, "RequireConfirmation"

        # check if the account was banned
        if hasattr(account_data, "banned") and account_data.banned == True:
            return False, "BannedAccount"

        # get session expiration
        expiration = self.get_new_expiration(remember)
        # save session
        session = self.options.store.create_session(userkey, expiration,
                                                    client_ip, client_data)

        del account_data.salt
        del account_data.hash
        return True, {
            "principal": Principal(account_data.id, account_data, session,
                                   True),
            "session": Session.from_dict(session)
        }

    def report_login_attempt(self, userkey, client_ip):
        """
        Reports a login attempt.
        :param userkey: the user key (email address or username)
        :param client_ip: ip of the client
        """
        now = datetime.datetime.now()
        self.options.store.save_login_attempt(userkey, client_ip, now)
        return self

    def change_password(self, userkey, password_reset_key, new_password):
        pass

    def get_failed_login_attempts(self, userkey):
        """
        Gets the number of failed login attempts for a userkey in the amount of minutes defined by MinutesLimit option.
        :param userkey: the user key (email address or username)
        """
        now = datetime.datetime.now()
        ms = self.options.minutes_limit * 60 * 1e3
        start = now - datetime.timedelta(milliseconds=ms)
        count = self.options.store.get_failed_login_attempts(
            userkey, start, now)
        return count

    def try_login_by_session_key(self, sessionkey):
        """
        Tries to perform login by user session key.
        :param sessionkey:
        :return: boolean, session, account
        """
        # returns bool, principal
        if sessionkey is None:
            return False, None

        session = self.options.store.get_session(sessionkey)
        if session is None:
            return False, None

        # convert into a class
        session = Session.from_dict(session)

        now = datetime.datetime.now()
        if session.expiration < now:
            return False, None

        if session.anonymous:
            return True, {
                "principal": Principal(None, None, session, False),
                "session": session
            }

        # get account data
        account = self.options.store.get_account(session.userkey)

        if account is None:
            return False, None

        # return session and account data
        return True, {
            "principal": Principal(account["id"], account, session, True),
            "session": session
        }

    def initialize_anonymous_session(self, client_ip, client_data):
        """
        Initializes a session for an anonymous user.
        :param client_ip:
        :param navigator:
        :return:
        """
        expiration = self.get_new_expiration(True)
        userkey = None
        # save session
        session = self.options.store.create_session(userkey, expiration,
                                                    client_ip, client_data)
        return {
            "principal": Principal(None, None, session, False),
            "session": Session.from_dict(session)
        }

    def get_new_expiration(self, remember=None):
        """
        Returns the expiration for a new session, based on the provider settings and if the user wants to be remembered.
        for longer or not.
        :param remember: boolean
        :return: datetime
        """
        if remember is None:
            remember = False
        now = datetime.datetime.now()
        ms = self.options.long_time_expiration if remember else self.options.short_time_expiration
        expiration = now + datetime.timedelta(milliseconds=ms)
        return expiration

    def save_session_data(self, sessionkey, data):
        """
        Stores session data in the database.
        :param sessionkey: the key of the session
        :param data: dictionary of data to store in database
        :return:
        """
        self.options.store.save_session_data(sessionkey, data)
        return self

    def get_session_data(self, sessionkey):
        """
        Gets the data associated with the given session, in database.
        :param sessionkey: the key of the session
        :return: dict
        """
        return self.options.get_session_data(sessionkey)

    def destroy_session(self, sessionkey):
        """
        Destroys the session with the given key.
        :param sessionkey: key of the session to destroy.
        :return: self
        """
        self.options.store.destroy_session(sessionkey)
        return self

    @staticmethod
    def validate_password(password_one, password_two):
        """
        Validates the two given passwords.
        :param password_one: first password written by user.
        :param password_two: password confirmation.
        :return: success, error
        """
        if not password_one or not password_two:
            return False, "missing password"
        if password_one != password_two:
            return False, "password mismatch"
        v = password_two
        rx = {
            "enforce":
            "^(?=.*\d)(?=.*[a-zA-Z\.\,\;\@\$\!\?\#\*\-\_\%\&]).{9,}$"
        }
        if not re.match(rx["enforce"], v):
            return False, "password too weak"
        return True, None
Пример #14
0
class MembershipProvider:
    """
    Provides business logic to provide user authentication.

    It can be used to handle global authentication; or per-area authentication.
    Contains business logic for Login, Logout, ChangePassword.
    """

    defaults = {
        "host": None,  # the host used when generating emails
        "short_time_expiration": 1e3 * 60 * 20,
        "long_time_expiration": 1e3 * 60 * 60 * 24 * 365,
        "failed_login_attempts_limit": 4,
        "minutes_limit": 15,
        "requires_account_confirmation": False
    }

    def __init__(self):
        store = self.get_membership_store()
        options = self.get_options()
        require_params(store=store)
        if options is None:
            options = {}
        params = dict(self.defaults, **options)
        self.validate_store(store)
        self.store = store
        self.options = Bunch()
        self.options.merge(params)
        self.principal_type = self.get_principal_type()

    def get_membership_store(self):
        """
        Returns the membership store used by this membership provider.

        This method must be implemented in subclasses.
        """
        name = type(self).__name__
        raise NotImplementedError(
            "{} does not implement 'get_membership_store'.".format(name))

    def get_options(self):
        """
        Returns options to override the default parameters.
        """
        return {}

    def get_principal_type(self):
        """
        Returns the membership store used by this membership provider.

        This method can be implemented to set specific Principal types by implementation.
        """
        return Principal

    @staticmethod
    def get_hash(password, salt):
        """
        Returns an hashed version of password, created using the given salt

        :param password: original password, to obfuscate with the given salt
        :param salt: salt to use to hash a password
        :return: hashed version of password
        """
        key = (password + salt).encode("utf-8")
        return hashlib.sha224(key).hexdigest()

    @staticmethod
    def get_new_salt():
        """
        Returns a new salt to be used to hash password

        :return: {String} new salt to be used to hash passwords
        """
        alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        return ''.join(random.choice(alphabet) for _ in range(16))

    @staticmethod
    def validate_store(store):
        """
        Validates the store option passed when instantiating a MembershipProvider.
        :param store: store
        """
        # TODO: use abstract class!?
        req = [
            "get_account", "get_accounts", "get_session",
            "get_session_by_guid", "create_account", "update_account",
            "create_session", "destroy_session", "save_session_data",
            "get_session_data", "get_failed_login_attempts",
            "save_login_attempt"
        ]
        for name in req:
            if not hasattr(store, name):
                raise Exception("The given store does not implement `" + name +
                                "` member")

    def get_account(self, userkey):
        """
        Gets the account with the given key.
        :param userkey: key of the user (e.g. email or username)
        """
        data = self.store.get_account(userkey)
        if data is None:
            return None
        result = Bunch()
        result.merge(data)
        return result

    def get_account_by_id(self, account_id):
        """
        Gets the account details by id
        :param account_id: account id
        :return: account
        """
        data = self.store.get_account_by_id(account_id)
        if data is None:
            return None
        del data["salt"]
        del data["hash"]
        result = Bunch()
        result.merge(data)
        return result

    def get_accounts(self, options):
        """
        Gets the list of all application accounts.
        """
        # define searchable properties
        options["search_properties"] = ["email", "roles"]
        data = self.store.get_accounts(options)
        # NB !!!
        # Salt and hashed password must be kept private in this case.
        for item in data.subset:
            self.prepare_account_data(item)
        return data

    def get_sessions(self, options):
        """
        Gets the list of current user sessions.
        """
        # define searchable properties
        options["search_properties"] = [
            "email", "client_data.user_agent", "client_ip"
        ]
        data = self.store.get_sessions(options)
        for o in data.subset:
            if o["client_data"]:
                o["user_agent"] = o["client_data"]["user_agent"]
            else:
                o["user_agent"] = ""
            del o["client_data"]
        return data

    def prepare_account_data(self, account):
        """
        Prepares account data, to share it outside of bll.
        Salt and hashed password must be never get out of bll.
        """
        del account["salt"]
        del account["hash"]
        if "roles" not in account:
            account["roles"] = []
        return account

    def validate_userkey(self, userkey):
        if userkey is None or re.match("^\s*$", userkey):
            return False
        return True

    def get_account_defaults(self):
        return {}

    def create_account(self,
                       userkey,
                       password,
                       data=None,
                       roles=None,
                       lang="en"):
        """
        Creates a new user account.

        :param userkey: key of the user (e.g. email or username)
        :param password: account clear password (e.g. user defined password)
        :param data: dict, optional account data
        :return:
        """
        if not self.validate_userkey(userkey) or not self.validate_password(
                password):
            return False, "InvalidParameter"

        # verify that an account with the same key doesn't exist already
        account_data = self.store.get_account(userkey)
        if account_data is not None:
            return False, "AccountAlreadyExisting"
        if data is None:
            data = {}
        if roles is None:
            roles = []
        salt = self.get_new_salt()
        hashedpassword = self.get_hash(password, salt)
        data = dict(self.get_account_defaults(), **data)

        if self.options.requires_account_confirmation:
            # set a confirmation token inside the account data
            confirmation_token = str(uuid.uuid1())
            data["confirmation_token"] = confirmation_token

        account_data = self.store.create_account(userkey, hashedpassword, salt,
                                                 data, roles)

        # TODO: if desired, implement send email logic
        return True, account_data

    def is_password_correct(self, account_id, password):
        require_params(account_id=account_id, password=password)

        if not self.validate_password(password):
            return False

        account_data = self.store.get_account_by_id(account_id)
        if account_data is None:
            raise ValueError("AccountNotFound")

        hsh = self.get_hash(password, account_data["salt"])
        if account_data["hash"] != hsh:
            return False
        return True

    def update_password(self, userkey, password):
        """
        Updates the password for the account with the given key.

        :param userkey: key of the user (e.g. email or username)
        :param password: account clear password (e.g. user defined password)
        :return:
        """
        if not self.validate_userkey(userkey) or not self.validate_password(
                password):
            return False, "InvalidParameter"

        account_data = self.store.get_account(userkey)
        if account_data is None:
            return False, "Account not found"
        salt = account_data["salt"]
        hashedpassword = self.get_hash(password, salt)
        self.store.update_account(userkey, {"hash": hashedpassword})
        return True, ""

    def delete_account(self, userkey):
        """
        Deletes the account with the given userkey
        :param userkey: the user key (email address or username)
        :return: success, error
        """
        account = self.store.get_account(userkey)
        if account is None:
            return False, "AccountNotFound"
        self.store.delete_account(userkey)
        return True, None

    def delete_account_with_validation(self,
                                       account_id,
                                       current_password,
                                       lang="en"):
        """
        Deletes the account with the given id, validating its password.
        :param account_id:
        :param current_password:
        :return:
        """
        account = self.store.get_account_by_id(account_id)
        if account is None:
            return False, "AccountNotFound"
        hsh = self.get_hash(current_password, account["salt"])
        if account.get("hash") != hsh:
            return False, "InvalidPassword"

        # delete the account
        deleted = self.store.delete_account_by_id(account_id)
        if not deleted:
            return False, "NoDocumentDeleted"

        # TODO: if desired, implement farewell email here
        return True, None

    def confirm_account(self, account_id, confirmation_token):
        """
        Confirms the account with the given id and using the given confirmation token.
        """
        if not account_id or account_id.isspace():
            raise ArgumentNullException("account_id")
        if not confirmation_token or confirmation_token.isspace():
            raise ArgumentNullException("confirmation_token")

        account_data = self.store.get_account_by_id(account_id)
        if not account_data:
            raise ValueError("Account not found")

        if account_data.get("confirmed") is True:
            return True

        if account_data.get("confirmation_token") != confirmation_token:
            raise ValueError("Invalid confirmation token for account `%s`" %
                             account_id)

        self.store.update_account_by_id(account_id, {"confirmed": True},
                                        unset_data={"confirmation_token": ""})
        return True

    def ban_account(self, userkey):
        """
        Bans the account with the given userkey.
        :param userkey: the user key (email address or username)
        :return: success, error
        """
        return self.update_account(userkey, {"banned": True})

    def update_account(self, userkey, data):
        """
        Updates the account with the given key; setting the data.
        :param userkey: the user key (email address or username)
        :param data: account data to update
        :return: self
        """
        account = self.store.get_account(userkey)
        if account is None:
            return False, "AccountNotFound"
        self.store.update_account(userkey, data)
        return True, None

    def try_login(self,
                  userkey,
                  password,
                  remember,
                  client_ip,
                  client_data=None,
                  check_password=True):
        """
        Tries to perform a login for the user with the given key (e.g. email or username); password;
        :param userkey: the user key (email address or username)
        :param password:
        :param remember: whether to have a longer expiration time or not
        :param client_ip: ip of the client for which the function has been called
        :param client_data: optional client data
        :param options: extra options
        :return:
        """
        # get account data
        account_data = self.get_account(userkey)
        if account_data is None:
            return False, "WrongCombo"

        login_attempts = self.get_failed_login_attempts(userkey)
        too_many_attempts = self.options.failed_login_attempts_limit <= login_attempts
        if too_many_attempts:
            # log information

            return False, "TooManyAttempts"
            # error: too many attempts in the last minutes, for this user

        if check_password:
            # generate hash of given password, appending salt
            hsh = self.get_hash(password, account_data.salt)
            if account_data.hash != hsh:
                # the key exists, but the password is wrong
                self.report_login_attempt(userkey, client_ip)
                # exit
                return False, "WrongCombo"

        # check if the account is confirmed
        if self.options.requires_account_confirmation and not account_data.confirmed:
            return False, "RequireConfirmation"

        # check if the account was banned
        if hasattr(account_data, "banned") and account_data.banned is True:
            return False, "BannedAccount"

        # get session expiration
        expiration = self.get_new_expiration(remember)
        # save session
        session = self.store.create_session(userkey, expiration, client_ip,
                                            client_data)
        session = Session.from_dict(session)

        del account_data.salt
        del account_data.hash
        principal = self.principal_type

        # TODO: if desired, implement sending of email here "new login from..."

        return True, AuthenticationResult(
            principal(account_data.id, account_data, session, True), session)

    def report_login_attempt(self, userkey, client_ip):
        """
        Reports a login attempt, storing it in the persistence layer.

        :param userkey: the user key (email address or username)
        :param client_ip: ip of the client
        """
        now = datetime.datetime.utcnow()
        self.store.save_login_attempt(userkey, client_ip, now)
        return self

    def validate_password_reset_token(self, account_id, token):
        account_data = self.store.get_account_by_id(account_id)
        if account_data is None:
            return False, "AccountNotFound"

        password_reset_token = account_data.get("passwordResetToken")
        if not password_reset_token or password_reset_token.isspace():
            return False, "MissingPasswordResetToken"

        if password_reset_token != token:
            return False, "InvalidToken"

        return True, None

    def change_password(self, account_id, current_password, password_one,
                        password_two):
        """
        This function is used when a user wants to change a password, using the current password
        """
        require_params(account_id=account_id,
                       current_password=current_password,
                       password_one=password_one,
                       password_two=password_two)

        account_data = self.store.get_account_by_id(account_id)
        if account_data is None:
            raise InvalidOperation("Account not found")

        # validate current password
        if not self.is_password_correct(account_id, current_password):
            raise ValueError("WrongPassword")

        # validate passwords
        valid_passwords, error = self.validate_passwords(
            password_one, password_two)
        if not valid_passwords:
            raise ValueError("Passwords are not valid: " + error)

        # update account password
        salt = self.get_new_salt()
        hashedpassword = self.get_hash(password_one, salt)
        # commit the change:
        self.store.change_password(account_id, hashedpassword, salt)
        return True, None

    def commit_password_reset(self, account_id, token, password_one,
                              password_two):
        """
        This function is used when a user requested a password change, using a token that was sent by email.
        It validates a token that was set previously.

        :param account_id: id of the account of which the password should be changed
        :param token: password reset token
        :param password_one: first password
        :param password_two: password repetition
        :return:
        """
        require_params(account_id=account_id,
                       token=token,
                       password_one=password_one,
                       password_two=password_two)

        account_data = self.store.get_account_by_id(account_id)
        if account_data is None:
            raise InvalidOperation("Account not found")

        password_reset_token = account_data.get("passwordResetToken")
        if not password_reset_token or password_reset_token.isspace():
            raise InvalidOperation("Password reset token not initialized")

        if password_reset_token != token:
            raise ValueError("Invalid password reset token")

        # validate passwords
        valid_passwords, error = self.validate_passwords(
            password_one, password_two)
        if not valid_passwords:
            raise ValueError("Passwords are not valid: " + error)

        salt = self.get_new_salt()
        hashedpassword = self.get_hash(password_one, salt)
        # commit the change:
        self.store.change_password(account_id, hashedpassword, salt)
        return True

    def get_failed_login_attempts(self, userkey):
        """
        Gets the number of failed login attempts for a userkey in the amount of minutes defined by MinutesLimit option.
        :param userkey: the user key (email address or username)
        """
        now = datetime.datetime.utcnow()
        ms = self.options.minutes_limit * 60 * 1e3
        start = now - datetime.timedelta(milliseconds=ms)
        count = self.store.get_failed_login_attempts(userkey, start, now)
        return count

    async def try_login_by_session_key(self, sessionkey):
        """
        Tries to perform login by user session key.
        :param sessionkey:
        :return: boolean, session, account
        """
        # returns bool, principal
        if sessionkey is None:
            return False, None

        session = await self.store.get_session_by_guid(sessionkey)
        if session is None:
            return False, None

        # convert into a class
        session = Session.from_dict(session)

        now = datetime.datetime.utcnow()
        if session.expiration < now:
            return False, None
        principal_type = self.principal_type
        if session.anonymous:
            return True, AuthenticationResult(
                principal_type(None, None, session, False), session)

        # get account data
        account = await self.store.get_account(session.userkey)

        if account is None:
            return False, None

        # return session and account data
        principal_type = self.principal_type
        return True, AuthenticationResult(
            principal_type(account["id"], account, session, True), session)

    async def initialize_anonymous_session(self, client_ip, client_data):
        """
        Initializes a session for an anonymous user.

        :param client_ip: ip of the client
        :param client_data: information about the client software
        :return:
        """
        expiration = self.get_new_expiration(True)
        user_id = None
        session_data = await self.store.create_session(user_id, expiration,
                                                       client_ip, client_data)
        session = Session.from_dict(session_data)
        principal_type = self.principal_type
        return AuthenticationResult(principal_type(None, None, session, False),
                                    session)

    def get_new_expiration(self, remember=None):
        """
        Returns the expiration for a new session, based on the provider settings and if the user wants to be remembered.
        for longer or not.

        :param remember: boolean
        :return: datetime
        """
        if remember is None:
            remember = False
        now = datetime.datetime.utcnow()
        ms = self.options.long_time_expiration if remember else self.options.short_time_expiration
        expiration = now + datetime.timedelta(milliseconds=ms)
        return expiration

    def save_session_data(self, sessionkey, data):
        """
        Stores session data in the database.
        :param sessionkey: the key of the session
        :param data: dictionary of data to store in database
        :return:
        """
        self.store.save_session_data(sessionkey, data)
        return self

    def get_session_data(self, sessionkey):
        """
        Gets the data associated with the given session, in database.
        :param sessionkey: the key of the session
        :return: dict
        """
        return self.options.get_session_data(sessionkey)

    def destroy_session(self, sessionkey):
        """
        Destroys the session with the given key.
        :param sessionkey: key of the session to destroy.
        :return: self
        """
        self.store.destroy_session(sessionkey)
        return self

    def validate_new_passwords(self, pass_one, pass_two):
        if pass_one != pass_two:
            return False
        if not self.validate_password(pass_one):
            return False
        return True

    def validate_passwords(self, password_one, password_two):
        """
        Validates the two given passwords.

        :param password_one: first password written by user.
        :param password_two: password confirmation.
        :return: success, error
        """
        if not password_one or not password_two:
            return False, "missing password"
        if password_one != password_two:
            return False, "password mismatch"
        v = password_two
        valid = self.validate_password(v)
        if not valid:
            return False, "password too weak"
        return True, None

    def validate_password(self, password):
        """
        Validates a single value to see if it's suitable for a password.

        :param password: value to validate.
        """
        if not password or password.isspace():
            return False
        l = len(password)
        if l < 6:
            # too simple, either way
            return False

        if l > 50:
            # too long: the interface allows maximum 50 chars
            return False

        keys = OrderedDict.fromkeys(password).keys()
        keys_length = len(keys)

        if keys_length < 3:
            # the password is too weak, it contains less than 3 different types of character
            return False

        forbidden = {"password", "qwerty", "123456", "1234567"}
        if password.lower() in forbidden:
            return False
        return True
Пример #15
0
class MembershipStore(MongoStore):
    """
    Represents a Sessions and Accounts Storage manager for MongoDB utilized to manage Membership for an application.
    It can be used to handle global authentication; or per-area authentication.
    Contains data access logic for accounts and sessions.
    """

    defaults = {
        "accounts_collection": "accounts",
        "sessions_collection": "sessions",
        "login_attempts_collection": "login_attempts",
        "user_key_field": "email"
    }

    def __init__(self, options=None):
        if options is None:
            options = {}
        params = dict(self.defaults, **options)
        self.options = Bunch()
        self.options.merge(params)
        self.configure()

    def configure(self):
        """
        Configure the db, creating the needed collections and theirs indexes.
        :return: self
        """
        opt = self.options
        db_collections = db.collection_names(include_system_collections=False)

        accounts_collection = opt.accounts_collection
        sessions_collection = opt.sessions_collection
        login_attempts_collection = opt.login_attempts_collection
        user_key_field = opt.user_key_field

        if accounts_collection not in db_collections:
            # create the account collection
            accounts = db.create_collection(accounts_collection)
            accounts.create_index([(user_key_field, ASCENDING)])

        if sessions_collection not in db_collections:
            # create the sessions collection
            sessions = db.create_collection(sessions_collection)
            sessions.create_index([(user_key_field, ASCENDING)])
            sessions.create_index([("guid", ASCENDING)])

        if login_attempts_collection and login_attempts_collection not in db_collections:
            # create the login attempts collection
            login_attempts = db.create_collection(login_attempts_collection)
            login_attempts.create_index([(user_key_field, ASCENDING)])

        return self

    def get_account_condition(self, userkey):
        """
        Returns account search condition.
        :param userkey: user key
        :return: condition for a mongodb search
        """
        a = {self.options.user_key_field: userkey}
        return a

    def get_account(self, userkey):
        """
        Gets the account data associated with the user with the given key.
        :param userkey: user key
        :return:
        """
        collection = db[self.options.accounts_collection]
        condition = self.get_account_condition(userkey)
        data = collection.find_one(condition)
        return self.normalize_id(data)

    def get_account_by_id(self, account_id):
        """
        Gets the account data associated with the user with the given id.
        :param id: user id
        :return:
        """
        collection = db[self.options.accounts_collection]
        condition = {"_id": ObjectId(account_id)}
        data = collection.find_one(condition)
        return self.normalize_id(data)

    def get_accounts(self, options):
        """
        Gets a list of all application accounts.
        """
        collection = db[self.options.accounts_collection]
        return self.get_catalog_page(collection, options)

    def get_sessions(self, options):
        """
        Gets a list of current sessions.
        """
        collection = db[self.options.sessions_collection]
        return self.get_catalog_page(collection, options)

    def get_session(self, sessionkey):
        """
        Gets the session with the given key.
        :param sessionkey: session guid
        :return:
        """
        collection = db[self.options.sessions_collection]
        data = collection.find_one({"guid": sessionkey})
        if not data:
            return None
        #set user key
        data["userkey"] = data[self.options.user_key_field]
        return self.normalize_id(data)

    def create_session(self, userkey, expiration, client_ip, client_data):
        """
        Creates a session in the database.
        :param userkey: key of the user for whom we are initializing the session
        :param expiration: expiration datetime of the session
        :param client_ip: ip of the client for whom this function is invoked
        :param client_data: client speficif information (e.g. browser navigator)
        :return:
        """
        collection = db[self.options.sessions_collection]
        data = {
            "guid": str(uuid.uuid1()),
            self.options.user_key_field: userkey,
            "anonymous": userkey is None or userkey == False,
            "expiration": expiration,
            "client_ip": client_ip,
            "client_data": client_data,
            "timestamp": datetime.now()
        }

        result = collection.insert_one(data)
        session_id = result.inserted_id
        data = collection.find_one({"_id": session_id})
        return self.normalize_id(data)

    def create_account(self, userkey, hashedpassword, salt, data, roles=None):
        """
        Creates a new account
        :param userkey: user key (e.g. email or username)
        :param hashedpassword: hashed password
        :param salt: salt used to hash the account password
        :param data: extra account data
        """
        collection = db[self.options.accounts_collection]
        account_data = {
            self.options.user_key_field: userkey,
            "hash": hashedpassword,
            "salt": salt,
            "data": data,
            "roles": roles,
            "timestamp": datetime.now()
        }
        result = collection.insert_one(account_data)
        return {"id": str(result.inserted_id)}

    def save_session_data(self, sessionkey, data):
        """
        Stores data for the session with the given key.
        :param sessionkey: session guid.
        :param data: session data
        """
        collection = db[self.options.sessions_collection]
        condition = {"guid": sessionkey}
        update = {"data": data}
        collection.update_one(condition, update)

    def get_session_data(self, sessionkey):
        """
        Gets the data associated with the session with the given key.
        :param sessionkey: session guid.
        """
        collection = db[self.options.sessions_collection]
        condition = {"guid": sessionkey}
        session = collection.find_one(condition)
        return session["data"]

    def destroy_session(self, sessionkey):
        collection = db[self.options.sessions_collection]
        condition = {"guid": sessionkey}
        collection.delete_one(condition)

    def get_failed_login_attempts(self, userkey, start, end):
        """
        Gets the number of failed login attempts for a user with a given key, in the last minutes.
        :param userkey: key of the user for whom we are initializing the session
        :param start: start datetime to check for login attempts
        :param end: end datetime to check for login attempts
        :return:
        """
        condition = {
            self.options.user_key_field: userkey,
            "timestamp": {
                "$gte": start,
                "$lt": end
            }
        }
        collection = db[self.options.login_attempts_collection]
        attempts = collection.find(condition)
        return attempts.count()

    def save_login_attempt(self, userkey, client_ip, time):
        """
        Stores a failed login attempt in database
        :param userkey: key of the user for whom the login attempt must be stored
        :param client_ip: ip of the client for which the method is invoked
        :param time: timestamp of the login attempt
        :return:
        """
        data = {
            self.options.user_key_field: userkey,
            "client_ip": client_ip,
            "timestamp": time
        }
        collection = db[self.options.login_attempts_collection]
        collection.insert_one(data)

    def update_account(self, userkey, data):
        """
        Updates the account associated to the user with the given key.
        :param userkey: key of the user whose account must be deleted
        :param data: new account data
        """
        collection = db[self.options.accounts_collection]
        condition = self.get_account_condition(userkey)
        collection.update_one(condition, {"$set": data})

    def delete_account(self, userkey):
        """
        Deletes the account associated to the user with the given key.
        :param userkey: key of the user whose account must be deleted
        """
        collection = db[self.options.accounts_collection]
        condition = self.get_account_condition(userkey)
        collection.delete_one(condition)
Пример #16
0
class ReportsManager():
    """
    Provides business logic to log application specific messages in a database.
    """

    defaults = {"store": None}

    def __init__(self, options=None):
        if options is None:
            options = {}
        params = dict(self.defaults, **options)
        self.validate_store_option(params)
        self.options = Bunch()
        self.options.merge(params)

    def get_messages(self, options):
        """
        Gets a paginated result of messages.
        :param options: pagination options
        :return: catalog page
        """
        if options is None:
            raise Exception("Missing pagination options.")
        options["search_properties"] = ["message"]
        return self.options.store.get_messages(options)

    def get_exceptions(self, options):
        """
        Gets a paginated result of exceptions.
        :param options: pagination options
        :return: catalog page
        """
        if options is None:
            raise Exception("Missing pagination options.")
        options["search_properties"] = ["type", "message", "callstack"]
        return self.options.store.get_exceptions(options)

    def log_message(self, message, kind="Normal"):
        """
        Logs a message
        :param message: application message to store
        :param kind: kind of message
        """
        now = datetime.now()
        return self.options.store.store_message(message, now, kind)

    def log_exception(self, ex=None):
        """
        Logs an exception in database.
        :param ex: exception object
        """
        now = datetime.now()
        exc_type, exc_value, exc_traceback = sys.exc_info()
        if ex is None:
            ex = exc_value
        call_stack = "\n".join(traceback.format_tb(exc_traceback))
        message = ex.message if hasattr(ex, "message") \
            else exc_value.args[0] if len(exc_value.args) > 0 else str(ex)
        return self.options.store.store_exception(message, now, str(exc_type),
                                                  call_stack)

    def try_log_exception(self, ex=None):
        """
        Tries to log an exception in database; does nothing if the log itself causes exception.
        :param ex: exception object
        """
        try:
            self.log_exception(ex)
        except Exception:
            pass

    def log_warning(self, message):
        """
        Logs a warning message
        :param message: application message to store
        """
        now = datetime.now()
        return self.options.store.store_message(message, now, "Warning")

    @staticmethod
    def validate_store_option(params):
        """
        Validates the store option passed when instantiating a ReportsManager.
        :param params: constructor options
        """
        if params["store"] is None:
            raise Exception("Missing `store` option")
        req = [
            "store_message", "store_exception", "get_messages",
            "get_exceptions"
        ]
        for name in req:
            if not hasattr(params["store"], name):
                raise Exception("The given store does not implement `" + name +
                                "` member")