Пример #1
0
    def get_session(self):
        try:
            # Get session based on OAuth token
            auth_hdr = request.headers.get("authorization", None)
            if auth_hdr:
                valid, req = self.oauth.verify_request([self.oauth_scope])
                if valid:
                    actor_id = flask.g.oauth_user.get("actor_id", "")
                    actor_user = self.idm_client.read_actor_identity(actor_id)
                    session_attrs = dict(is_logged_in=True, is_registered=True, attributes={"roles":actor_user.details.contact.roles}, roles={})
                    if actor_user.session:
                        session_attrs.update(actor_user.session)

                    return build_json_response(session_attrs)

            # Support quick reload
            access_token = flask.session.get("access_token", None)
            actor_id = flask.session.get("actor_id", None)
            if access_token and actor_id:
                actor_user = self.idm_client.read_actor_identity(actor_id)
                session_attrs = dict(access_token=access_token, is_logged_in=True, is_registered=True, attributes={"roles":actor_user.details.contact.roles}, roles={})
                if actor_user.session:
                    session_attrs.update(actor_user.session)

                return build_json_response(session_attrs)

            # Get session from Flask session and cookie
            user_info = get_auth()
            if 0 < int(user_info.get("valid_until", 0)) * 1000 < current_time_millis():
                clear_auth()
                user_info = get_auth()
            return build_json_response(user_info)
        except Exception:
            return build_json_error()
Пример #2
0
    def validate_request(self, ion_actor_id, expiry, in_whitelist=False):
        # There is no point in looking up an anonymous user - so return default values.
        if ion_actor_id == DEFAULT_ACTOR_ID:
            # Since this is an anonymous request, there really is no expiry associated with it
            if not in_whitelist and self.require_login:
                raise Unauthorized("Anonymous access not permitted")
            else:
                return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY

        try:
            user = self.idm_client.read_actor_identity(
                actor_id=ion_actor_id, headers=self._get_gateway_headers())
        except NotFound as e:
            if not in_whitelist and self.require_login:
                # This could be a restart of the system with a new preload.
                # TODO: Invalidate Flask sessions on relaunch/bootstrap with creating new secret
                user_session = get_auth()
                if user_session.get("actor_id", None) == ion_actor_id:
                    clear_auth()
                raise Unauthorized("Invalid identity", exc_id="01.10")
            else:
                # If the user isn't found default to anonymous
                return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY

        # Need to convert to int first in order to compare against current time.
        try:
            int_expiry = int(expiry)
        except Exception as ex:
            raise Inconsistent(
                "Unable to read the expiry value in the request '%s' as an int"
                % expiry)

        # The user has been validated as being known in the system, so not check the expiry and raise exception if
        # the expiry is not set to 0 and less than the current time.
        if 0 < int_expiry < current_time_millis():
            if not in_whitelist and self.require_login:
                raise Unauthorized("User authentication expired")
            else:
                log.warn("User authentication expired")
                return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY

        return ion_actor_id, expiry
Пример #3
0
 def logout(self):
     try:
         access_token = get_req_bearer_token() or flask.session.get("access_token", None)
         if access_token:
             try:
                 # Invalidate access token
                 token_id = str("access_token_%s" % access_token)
                 token_obj = ui_instance.container.object_store.read(token_id)
                 token_obj.status = "CANCELLED"
                 token_obj.attributes["cancel_ts"] = get_ion_ts_millis()
                 token_obj.attributes["cancel_msg"] = "User logout"
                 ui_instance.container.object_store.update(token_obj)
                 log.info("Invalidated stored access token for user=%s", token_obj.actor_id)
             except NotFound:
                 pass
             except Exception:
                 log.exception("Error invalidating access token")
         clear_auth()
         return build_json_response("OK")
     except Exception:
         return build_json_error()
Пример #4
0
 def logout(self):
     try:
         access_token = get_req_bearer_token() or flask.session.get("access_token", None)
         if access_token:
             try:
                 # Invalidate access token
                 token_id = str("access_token_%s" % access_token)
                 token_obj = ui_instance.container.object_store.read(token_id)
                 token_obj.status = "CANCELLED"
                 token_obj.attributes["cancel_ts"] = get_ion_ts_millis()
                 token_obj.attributes["cancel_msg"] = "User logout"
                 ui_instance.container.object_store.update(token_obj)
                 log.info("Invalidated stored access token for user=%s", token_obj.actor_id)
             except NotFound:
                 pass
             except Exception:
                 log.exception("Error invalidating access token")
         clear_auth()
         return build_json_response("OK")
     except Exception:
         return build_json_error()
Пример #5
0
    def validate_request(self, ion_actor_id, expiry, in_whitelist=False):
        # There is no point in looking up an anonymous user - so return default values.
        if ion_actor_id == DEFAULT_ACTOR_ID:
            # Since this is an anonymous request, there really is no expiry associated with it
            if not in_whitelist and self.require_login:
                raise Unauthorized("Anonymous access not permitted")
            else:
                return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY

        try:
            user = self.idm_client.read_actor_identity(actor_id=ion_actor_id, headers=self._get_gateway_headers())
        except NotFound as e:
            if not in_whitelist and self.require_login:
                # This could be a restart of the system with a new preload.
                # TODO: Invalidate Flask sessions on relaunch/bootstrap with creating new secret
                user_session = get_auth()
                if user_session.get("actor_id", None) == ion_actor_id:
                    clear_auth()
                raise Unauthorized("Invalid identity", exc_id="01.10")
            else:
                # If the user isn't found default to anonymous
                return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY

        # Need to convert to int first in order to compare against current time.
        try:
            int_expiry = int(expiry)
        except Exception as ex:
            raise Inconsistent("Unable to read the expiry value in the request '%s' as an int" % expiry)

        # The user has been validated as being known in the system, so not check the expiry and raise exception if
        # the expiry is not set to 0 and less than the current time.
        if 0 < int_expiry < current_time_millis():
            if not in_whitelist and self.require_login:
                raise Unauthorized("User authentication expired")
            else:
                log.warn("User authentication expired")
                return DEFAULT_ACTOR_ID, DEFAULT_EXPIRY

        return ion_actor_id, expiry
Пример #6
0
    def get_session(self):
        """
        Returns user session information for current authentication.
        This can be polled regularly by client code to detect changes in session state and expiration.
        """
        def call_extend_session_attrs(session_attrs, actor_user):
            """ Call UI extensions to make additions to user session """
            for ext_obj in self.extension_objs:
                func = getattr(ext_obj, "extend_user_session_attributes", None)
                if func:
                    try:
                        func(session_attrs, actor_user)
                    except Exception:
                        log.exception("Error calling UI extension extend_user_session_attributes()")

        try:
            # Get user session from OAuth access token in HTTP Authorization header
            auth_hdr = request.headers.get("authorization", None)
            if auth_hdr:
                valid, req = self.oauth.verify_request([self.oauth_scope])  # Note: Do NOT extend session timeout here!
                if valid:
                    actor_id = flask.g.oauth_user.get("actor_id", "")
                    actor_user = self.idm_client.read_actor_identity(actor_id)
                    session_attrs = dict(is_logged_in=True, is_registered=True,
                                         attributes={"roles": actor_user.details.contact.roles}, roles={})
                    if actor_user.session:
                        session_attrs.update(actor_user.session)
                    call_extend_session_attrs(session_attrs, actor_user)

                    return build_json_response(session_attrs)

            if self.remember_user:
                # Get user session from user_id/access_token placed inside server session (Cookie)
                # This is a feature to allow returning users to resume a session if still valid
                access_token = flask.session.get("access_token", None)
                actor_id = flask.session.get("actor_id", None)
                if access_token and actor_id:
                    actor_user = self.idm_client.read_actor_identity(actor_id)
                    session_attrs = dict(access_token=access_token, is_logged_in=True, is_registered=True,
                                         attributes={"roles": actor_user.details.contact.roles}, roles={})
                    if actor_user.session:
                        # Check validity in persisted user session
                        if 0 < int(actor_user.session.get("valid_until", 0)) * 1000 < current_time_millis():
                            clear_auth()
                            return build_json_response(get_auth())
                        session_attrs.update(actor_user.session)
                    else:
                        # No trace of existing session in user object
                        clear_auth()
                        return build_json_response(get_auth())
                    call_extend_session_attrs(session_attrs, actor_user)

                    return build_json_response(session_attrs)

            # Get user session from Flask session and cookie (non-token mode)
            user_info = get_auth()
            if 0 < int(user_info.get("valid_until", 0)) * 1000 < current_time_millis():
                clear_auth()    # Clear expired session
                user_info = get_auth()
            call_extend_session_attrs(user_info, None)
            return build_json_response(user_info)
        except Exception:
            return build_json_error()
Пример #7
0
    def get_session(self):
        """
        Returns user session information for current authentication.
        This can be polled regularly by client code to detect changes in session state and expiration.
        """
        def call_extend_session_attrs(session_attrs, actor_user):
            """ Call UI extensions to make additions to user session """
            for ext_obj in self.extension_objs:
                func = getattr(ext_obj, "extend_user_session_attributes", None)
                if func:
                    try:
                        func(session_attrs, actor_user)
                    except Exception:
                        log.exception("Error calling UI extension extend_user_session_attributes()")

        try:
            # Get user session from OAuth access token in HTTP Authorization header
            auth_hdr = request.headers.get("authorization", None)
            if auth_hdr:
                valid, req = self.oauth.verify_request([self.oauth_scope])  # Note: Do NOT extend session timeout here!
                if valid:
                    actor_id = flask.g.oauth_user.get("actor_id", "")
                    actor_user = self.idm_client.read_actor_identity(actor_id)
                    session_attrs = dict(is_logged_in=True, is_registered=True,
                                         attributes={"roles": actor_user.details.contact.roles}, roles={})
                    if actor_user.session:
                        session_attrs.update(actor_user.session)
                    call_extend_session_attrs(session_attrs, actor_user)

                    return build_json_response(session_attrs)

            if self.remember_user:
                # Get user session from user_id/access_token placed inside server session (Cookie)
                # This is a feature to allow returning users to resume a session if still valid
                access_token = flask.session.get("access_token", None)
                actor_id = flask.session.get("actor_id", None)
                if access_token and actor_id:
                    actor_user = self.idm_client.read_actor_identity(actor_id)
                    session_attrs = dict(access_token=access_token, is_logged_in=True, is_registered=True,
                                         attributes={"roles": actor_user.details.contact.roles}, roles={})
                    if actor_user.session:
                        # Check validity in persisted user session
                        if 0 < int(actor_user.session.get("valid_until", 0)) * 1000 < current_time_millis():
                            clear_auth()
                            return build_json_response(get_auth())
                        session_attrs.update(actor_user.session)
                    else:
                        # No trace of existing session in user object
                        clear_auth()
                        return build_json_response(get_auth())
                    call_extend_session_attrs(session_attrs, actor_user)

                    return build_json_response(session_attrs)

            # Get user session from Flask session and cookie (non-token mode)
            user_info = get_auth()
            if 0 < int(user_info.get("valid_until", 0)) * 1000 < current_time_millis():
                clear_auth()    # Clear expired session
                user_info = get_auth()
            call_extend_session_attrs(user_info, None)
            return build_json_response(user_info)
        except Exception:
            return build_json_error()
Пример #8
0
 def logout(self):
     try:
         clear_auth()
         return build_json_response("OK")
     except Exception:
         return build_json_error()