def load_token(access_token=None, refresh_token=None):
""" Callback to retrieve token info from given token string.
Called from verify_request. Expiration verification is done afterwards in the library.
"""
log.info("OAuth:load_token(access=%s, refresh=%s)", access_token, refresh_token)
try:
if access_token:
token_id = str("access_token_%s" % access_token)
with _token_lock:
token_obj = ui_instance.container.object_store.read(token_id)
token = OAuthTokenObj.from_security_token(token_obj)
if not token.is_valid():
log.info("OAuth: client used invalid access token")
return None
flask.g.oauth_user = token.user
flask.g.actor_id = token.user["actor_id"]
if "noextend" not in request.headers.get("scion-session", "") and \
ui_instance.extend_session_timeout and token.is_valid(check_expiry=True):
new_expires = get_ion_ts_millis() + 1000 * ui_instance.session_timeout
if ui_instance.max_session_validity:
# Make sure token does not exceed maximum validity
new_expires = min(new_expires, token_obj.attributes.get("ts_created", 0) +
1000 * ui_instance.max_session_validity)
if (ui_instance.session_timeout <= 120 and new_expires > int(token_obj.expires)) or \
(ui_instance.session_timeout > 120 and new_expires - 60000 > int(token_obj.expires)):
# Only extend session if by 60 sec (unless session is very short as in testing)
# This reduces the likelihood of an extension
for i in xrange(3):
token_obj.expires = str(new_expires)
try:
ui_instance.container.object_store.update(token_obj)
break
except Conflict:
# Concurrency conflict: random wait, then get most recent object rev
gevent.sleep(random.random() * 0.05 * (i+1)) # Add some random delays
token_obj = ui_instance.container.object_store.read(token_id)
token = OAuthTokenObj.from_security_token(token_obj)
log.info("Access token extended for user=%s", token.user["actor_id"])
# IGNORE session in ActorIdentity
return token
elif refresh_token:
token_id = str("refresh_token_%s" % refresh_token)
token_obj = ui_instance.container.object_store.read(token_id)
token = OAuthTokenObj.from_security_token(token_obj)
if not token.is_valid():
log.info("OAuth: client used invalid refresh token")
return None
flask.g.oauth_user = token.user
flask.g.actor_id = token.user["actor_id"]
return token
except NotFound:
pass
return None
def load_token(access_token=None, refresh_token=None):
""" Callback to retrieve token info from given token string.
Called from verify_request. Expiration verification is done afterwards in the library.
"""
log.info("OAuth:load_token(access=%s, refresh=%s)", access_token, refresh_token)
try:
if access_token:
token_id = str("access_token_%s" % access_token)
token_obj = ui_instance.container.object_store.read(token_id)
token = OAuthTokenObj.from_security_token(token_obj)
if not token.is_valid():
log.info("OAuth: client used invalid access token")
return None
flask.g.oauth_user = token.user
flask.g.actor_id = token.user["actor_id"]
if ui_instance.extend_session_timeout and token.is_valid(check_expiry=True):
new_expires = get_ion_ts_millis() + 1000 * ui_instance.session_timeout
if ui_instance.max_session_validity:
# Make sure token does not exceed maximum validity
new_expires = min(new_expires, token_obj.attributes.get("ts_created", 0) +
1000 * ui_instance.max_session_validity)
if new_expires > int(token_obj.expires):
token_obj.expires = str(new_expires)
ui_instance.container.object_store.update(token_obj)
token = OAuthTokenObj.from_security_token(token_obj)
log.info("Access token extended for user=%s", token.user["actor_id"])
# IGNORE session in ActorIdentity
return token
elif refresh_token:
token_id = str("refresh_token_%s" % refresh_token)
token_obj = ui_instance.container.object_store.read(token_id)
token = OAuthTokenObj.from_security_token(token_obj)
if not token.is_valid():
log.info("OAuth: client used invalid refresh token")
return None
flask.g.oauth_user = token.user
flask.g.actor_id = token.user["actor_id"]
return token
except NotFound:
pass
return None
def load_token(access_token=None, refresh_token=None):
log.info("OAuth:load_token access=%s refresh=%s", access_token, refresh_token)
try:
if access_token:
token_id = str("access_token_%s" % access_token)
token_obj = ui_instance.container.object_store.read(token_id)
token = OAuthTokenObj.from_security_token(token_obj)
flask.g.oauth_user = token.user
flask.g.actor_id = token.user["actor_id"]
flask.session["access_token"] = access_token
flask.session["actor_id"] = token.user["actor_id"]
return token
elif refresh_token:
token_id = str("refresh_token_%s" % refresh_token)
token_obj = ui_instance.container.object_store.read(token_id)
token = OAuthTokenObj.from_security_token(token_obj)
flask.g.oauth_user = token.user
flask.g.actor_id = token.user["actor_id"]
return token
except NotFound:
pass
return None
def get_governance_info_from_request(self, json_params=None):
# Default values for governance headers.
actor_id = DEFAULT_ACTOR_ID
expiry = DEFAULT_EXPIRY
authtoken = ""
user_session = get_auth()
#if user_session.get("actor_id", None) and user_session.get("valid_until", 0):
if user_session.get("actor_id", None):
# Get info from current server session
# NOTE: Actor id may be inside server session
expiry = int(user_session.get("valid_until", 0)) * 1000
if expiry:
# This was a proper non-token server session authentication
expiry = str(expiry)
actor_id = user_session["actor_id"]
log.info("Request associated with session actor_id=%s, expiry=%s", actor_id, expiry)
else:
# We are just taking the user_id out of the session
# TODO: Need to check access token here
expiry = str(expiry)
if self.token_from_session:
actor_id = user_session["actor_id"]
log.info("Request associated with actor's token from session; actor_id=%s, expiry=%s", actor_id, expiry)
# Developer access using api_key
if self.develop_mode and "api_key" in request.args and request.args["api_key"]:
actor_id = str(request.args["api_key"])
expiry = str(int(user_session.get("valid_until", 0)) * 1000)
if 0 < int(expiry) < current_time_millis():
expiry = str(current_time_millis() + 10000)
# flask.session["valid_until"] = int(expiry / 1000)
log.info("Request associated with actor_id=%s, expiry=%s from developer api_key", actor_id, expiry)
# Check in headers for OAuth2 bearer token
auth_hdr = request.headers.get("authorization", None)
if auth_hdr:
valid, req = self.process.oauth.verify_request([self.process.oauth_scope])
if valid:
actor_id = flask.g.oauth_user.get("actor_id", "")
if actor_id:
log.info("Request associated with actor_id=%s, expiry=%s from OAuth token", actor_id, expiry)
return actor_id, DEFAULT_EXPIRY
# Try to find auth token override
if not authtoken:
if json_params:
if "authtoken" in json_params:
authtoken = json_params["authtoken"]
else:
if "authtoken" in request.args:
authtoken = str(request.args["authtoken"])
# Enable temporary authentication tokens to resolve to actor ids
if authtoken:
try:
if authtoken.startswith(("Bearer_")):
# Backdoor way for OAuth2 access tokens as request args for GET URLs
authtoken = authtoken[7:]
token_id = "access_token_" + str(authtoken)
token_obj = self.process.container.object_store.read(token_id)
token = OAuthTokenObj.from_security_token(token_obj)
if token.is_valid(check_expiry=True):
actor_id = token.user["actor_id"]
expiry = str(token._token_obj.expires)
log.info("Resolved OAuth2 token %s into actor_id=%s expiry=%s", authtoken, actor_id, expiry)
else:
token_info = self.idm_client.check_authentication_token(authtoken, headers=self._get_gateway_headers())
actor_id = token_info.get("actor_id", actor_id)
expiry = token_info.get("expiry", expiry)
log.info("Resolved token %s into actor_id=%s expiry=%s", authtoken, actor_id, expiry)
except NotFound:
log.info("Provided authentication token not found: %s", authtoken)
except Unauthorized:
log.info("Authentication token expired or invalid: %s", authtoken)
except Exception as ex:
log.exception("Problem resolving authentication token")
return actor_id, expiry
