Пример #1
0
    def auth(self, username, password):
        """
        Returns a dict of user information.
        Raises AutheError otherwise.
        """
        password = self.digest(password)
        with self.session as session:
            query = session.query(AuthRecord)
            if not query.first():
                raise AuthError("No username / password configured in indexd")

            # Select on username / password.
            query = query.filter(AuthRecord.username == username)
            query = query.filter(AuthRecord.password == password)

            try:
                query.one()
            except NoResultFound as err:
                raise AuthError("username / password mismatch")

        context = {
            "username": username,
            # TODO include other user information
        }

        return context
Пример #2
0
    def authz(self, method, resource):
        if not self.arborist:
            raise AuthError(
                "Arborist is not configured; cannot perform authorization check"
            )

        try:
            # A successful call from arborist returns a bool, else returns ArboristError
            try:
                authorized = self.arborist.auth_request(
                    get_jwt_token(), "indexd", method, resource)
            except Exception as e:
                logger.error(
                    f"Request to Arborist failed; now checking admin access. Details:\n{e}"
                )
                authorized = False
            if not authorized:
                # admins can perform all operations
                is_admin = self.arborist.auth_request(
                    get_jwt_token(), "indexd", method,
                    ["/services/indexd/admin"])
                if not is_admin and not resource:
                    # if `authz` is empty (no `resource`), admin == access to
                    # `/programs` (deprecated - for backwards compatibility).
                    is_admin = self.arborist.auth_request(
                        get_jwt_token(), "indexd", method, ["/programs"])
                    if is_admin:
                        logger.warning(
                            "The indexd admin '/programs' logic is deprecated. Please update your policy to '/services/indexd/admin'"
                        )
                if not is_admin:
                    raise AuthError("Permission denied.")
        except Exception as err:
            logger.error(err)
            raise AuthzError(err)
Пример #3
0
 def authz(self, method, resource):
     if not self.arborist:
         raise AuthError(
             "Arborist is not configured; cannot perform authorization check"
         )
     if not resource:
         # TODO: fix this. Setting authz to [] throws this error but
         # admins should be able to do it
         raise AuthError("Permission denied.")
     if not self.arborist.auth_request(get_jwt_token(), "indexd", method,
                                       resource):
         raise AuthError("Permission denied.")
Пример #4
0
 def authz(self, method, resource):
     if not self.arborist:
         raise AuthError(
             "Arborist is not configured; cannot perform authorization check"
         )
     if not resource:
         # if the `authz` is empty, admins should still be able to perform
         # operations on the record. For now, admin = access to `/programs`.
         # TODO: Figure out how to handle Gen3 operational admins in a better way
         resource = ["/programs"]
     if not self.arborist.auth_request(get_jwt_token(), "indexd", method,
                                       resource):
         raise AuthError("Permission denied.")
Пример #5
0
 def get_signed_url_for_object(self, object_id, access_id):
     fence_server = self.url
     api_url = fence_server.rstrip("/") + "/data/download/"
     url = api_url + object_id
     headers = flask.request.headers
     if "AUTHORIZATION" not in headers:
         logger.error("Bearer Token not available.")
         raise AuthError("Not Authorized. Access Token Required.")
     if access_id:
         url += "?protocol=" + access_id
     try:
         req = requests.get(url, headers=headers)
     except Exception as e:
         logger.error("failed to reach fence at {0}: {1}".format(
             url + object_id, e))
         raise IndexdUnexpectedError("Failed to retrieve access url")
     if req.status_code == 404:
         logger.error(
             "Not found. Fence could not find {}: {} with access id: {}".
             format(url + object_id, req.text, access_id))
         raise IndexNoRecordFound(
             "No document with id:{} with access_id:{}".format(
                 object_id, access_id))
     if req.status_code == 401:
         raise AuthzError(
             "Unauthorized: Access denied due to invalid credentials.")
     elif req.status_code != 200:
         err_msg = "Unable to get presigned URL from Fence"
         logger.error("{} - code: {} - details:\n{}".format(
             err_msg, req.status_code, req.text))
         raise IndexdUnexpectedError(code=req.status_code, message=err_msg)
     return req.json()
Пример #6
0
 def delete(self, username):
     with self.session as session:
         user = (session.query(AuthRecord).filter(
             AuthRecord.username == username).first())
         if not user:
             raise AuthError("User {} doesn't exist".format(username))
         session.delete(user)
Пример #7
0
 def get_signed_url_for_object(self, object_id, access_id):
     fence_server = self.url
     api_url = fence_server.rstrip("/") + "/data/download/"
     url = api_url + object_id
     headers = flask.request.headers
     if "AUTHORIZATION" not in headers:
         logger.error("Bearer Token not available.")
         raise AuthError("Not Authorized. Access Token Required.")
     if access_id:
         url += "?protocol=" + access_id
     try:
         req = requests.get(url, headers=headers)
     except Exception as e:
         logger.error("failed to reach fence at {0}: {1}".format(
             url + object_id, e))
         raise UnexpectedError("Failed to retrieve access url")
     if req.status_code == 404:
         logger.error(
             "Not found. Fence could not find {}: {} with access id: {}".
             format(url + object_id, req.text, access_id))
         raise IndexNoRecordFound(
             "No document with id:{} with access_id:{}".format(
                 object_id, access_id))
     elif req.status_code != 200:
         raise UnexpectedError(req.text)
     return req.json()
Пример #8
0
 def mock_authz(method, resources):
     for resource in resources:
         if (method, resource) not in allowed_permissions:
             raise AuthError(
                 "Mock indexd.auth.authz: ({},{}) is not one of the allowed permissions: {}".format(
                     method, resource, allowed_permissions
                 )
             )
Пример #9
0
    def add(self, username, password):
        password = self.digest(password)
        with self.session as session:
            if (session.query(AuthRecord).filter(
                    AuthRecord.username == username).first()):
                raise AuthError("User {} already exists".format(username))

            new_record = AuthRecord(username=username, password=password)
            session.add(new_record)
Пример #10
0
    def authz(self, method, resource):
        if not self.arborist:
            raise AuthError(
                "Arborist is not configured; cannot perform authorization check"
            )

        try:
            # A successful call from arborist returns a bool, else returns ArboristError
            if not self.arborist.auth_request(get_jwt_token(), "indexd",
                                              method, resource):
                # admins can perform all operations
                is_admin = self.arborist.auth_request(
                    get_jwt_token(), "indexd", method,
                    ["/services/indexd/admin"])
                if not is_admin and not resource:
                    # if `authz` is empty (no `resource`), admin == access to
                    # `/programs` (deprecated - for backwards compatibility).
                    is_admin = self.arborist.auth_request(
                        get_jwt_token(), "indexd", method, ["/programs"])
                if not is_admin:
                    raise AuthError("Permission denied.")
        except Exception as err:
            logger.error(err)
            raise AuthzError(err)
Пример #11
0
    def auth(self, username, password):
        '''
        Returns a dict of user information.
        Raises AutheError otherwise.
        '''
        password = self.digest(password)
        with self.session as session:
            query = session.query(AuthRecord)

            # Select on username / password.
            query = query.filter(AuthRecord.username == username)
            query = query.filter(AuthRecord.password == password)

            try:
                query.one()
            except NoResultFound as err:
                raise AuthError('username / password mismatch')

        context = {
            'username': username,
            # TODO include other user information
        }

        return context