def create_user_roles(profile):
"""Creates new roles based on profile information.
:param profile:
:return:
"""
roles = []
# update their google 'roles'
if "googleGroups" in profile:
for group in profile["googleGroups"]:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(
group,
description=
"This is a google group based role created by Lemur",
third_party=True,
)
if (group != 'admin') and (not role.third_party):
role = role_service.set_third_party(role.id,
third_party_status=True)
roles.append(role)
else:
current_app.logger.warning(
"'googleGroups' not sent by identity provider, no specific roles will assigned to the user."
)
role = role_service.get_by_name(profile["email"])
if not role:
role = role_service.create(
profile["email"],
description="This is a user specific role",
third_party=True,
)
if not role.third_party:
role = role_service.set_third_party(role.id, third_party_status=True)
roles.append(role)
# every user is an operator (tied to a default role)
if current_app.config.get("LEMUR_DEFAULT_ROLE"):
default = role_service.get_by_name(
current_app.config["LEMUR_DEFAULT_ROLE"])
if not default:
default = role_service.create(
current_app.config["LEMUR_DEFAULT_ROLE"],
description="This is the default Lemur role.",
)
if not default.third_party:
role_service.set_third_party(default.id, third_party_status=True)
roles.append(default)
return roles
def _authorize(self):
"""
check groups and roles to confirm access.
return a list of roles if ok.
raise an exception on error.
"""
if not self.ldap_principal:
return None
if self.ldap_required_group:
# ensure the user has the required group in their group list
if self.ldap_required_group not in self.ldap_groups:
return None
roles = set()
if self.ldap_default_role:
role = role_service.get_by_name(self.ldap_default_role)
if role:
if not role.third_party:
role = role.set_third_party(role.id,
third_party_status=True)
roles.add(role)
# update their 'roles'
role = role_service.get_by_name(self.ldap_principal)
if not role:
description = "auto generated role based on owner: {0}".format(
self.ldap_principal)
role = role_service.create(self.ldap_principal,
description=description,
third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id,
third_party_status=True)
roles.add(role)
if not self.ldap_groups_to_roles:
return roles
for ldap_group_name, role_name in self.ldap_groups_to_roles.items():
role = role_service.get_by_name(role_name)
if role:
if ldap_group_name in self.ldap_groups:
current_app.logger.debug(
"assigning role {0} to ldap user {1}".format(
self.ldap_principal, role))
if not role.third_party:
role = role_service.set_third_party(
role.id, third_party_status=True)
roles.add(role)
return roles
def create_user_roles(profile):
"""Creates new roles based on profile information.
:param profile:
:return:
"""
roles = []
# update their google 'roles'
for group in profile['googleGroups']:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(
group,
description=
'This is a google group based role created by Lemur',
third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id,
third_party_status=True)
roles.append(role)
role = role_service.get_by_name(profile['email'])
if not role:
role = role_service.create(profile['email'],
description='This is a user specific role',
third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id, third_party_status=True)
roles.append(role)
# every user is an operator (tied to a default role)
if current_app.config.get('LEMUR_DEFAULT_ROLE'):
default = role_service.get_by_name(
current_app.config['LEMUR_DEFAULT_ROLE'])
if not default:
default = role_service.create(
current_app.config['LEMUR_DEFAULT_ROLE'],
description='This is the default Lemur role.')
if not default.third_party:
role_service.set_third_party(default.id, third_party_status=True)
roles.append(default)
return roles
def create_user_roles(profile):
"""Creates new roles based on profile information.
:param profile:
:return:
"""
roles = []
# update their google 'roles'
for group in profile['googleGroups']:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(group, description='This is a google group based role created by Lemur', third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id, third_party_status=True)
roles.append(role)
role = role_service.get_by_name(profile['email'])
if not role:
role = role_service.create(profile['email'], description='This is a user specific role', third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id, third_party_status=True)
roles.append(role)
# every user is an operator (tied to a default role)
if current_app.config.get('LEMUR_DEFAULT_ROLE'):
default = role_service.get_by_name(current_app.config['LEMUR_DEFAULT_ROLE'])
if not default:
default = role_service.create(current_app.config['LEMUR_DEFAULT_ROLE'], description='This is the default Lemur role.')
if not default.third_party:
role_service.set_third_party(default.id, third_party_status=True)
roles.append(default)
return roles
def post(self):
self.reqparse.add_argument('clientId',
type=str,
required=True,
location='json')
self.reqparse.add_argument('redirectUri',
type=str,
required=True,
location='json')
self.reqparse.add_argument('code',
type=str,
required=True,
location='json')
args = self.reqparse.parse_args()
# take the information we have received from the provider to create a new request
params = {
'grant_type': 'authorization_code',
'scope': 'openid email profile groups',
'redirect_uri': args['redirectUri'],
'code': args['code'],
}
# you can either discover these dynamically or simply configure them
access_token_url = current_app.config.get('OAUTH2_ACCESS_TOKEN_URL')
user_api_url = current_app.config.get('OAUTH2_USER_API_URL')
verify_cert = current_app.config.get('OAUTH2_VERIFY_CERT', True)
# the secret and cliendId will be given to you when you signup for the provider
token = '{0}:{1}'.format(args['clientId'],
current_app.config.get("OAUTH2_SECRET"))
basic = base64.b64encode(bytes(token, 'utf-8'))
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'authorization': 'basic {0}'.format(basic.decode('utf-8'))
}
# exchange authorization code for access token.
# Try Params first
r = requests.post(access_token_url,
headers=headers,
params=params,
verify=verify_cert)
if r.status_code == 400:
r = requests.post(access_token_url,
headers=headers,
data=params,
verify=verify_cert)
id_token = r.json()['id_token']
access_token = r.json()['access_token']
# fetch token public key
header_data = fetch_token_header(id_token)
jwks_url = current_app.config.get('OAUTH2_JWKS_URL')
# retrieve the key material as specified by the token header
r = requests.get(jwks_url, verify=verify_cert)
for key in r.json()['keys']:
if key['kid'] == header_data['kid']:
secret = get_rsa_public_key(key['n'], key['e'])
algo = header_data['alg']
break
else:
return dict(message='Key not found'), 401
# validate your token based on the key it was signed with
try:
if sys.version_info >= (3, 0):
jwt.decode(id_token,
secret.decode('utf-8'),
algorithms=[algo],
audience=args['clientId'])
else:
jwt.decode(id_token,
secret,
algorithms=[algo],
audience=args['clientId'])
except jwt.DecodeError:
return dict(message='Token is invalid'), 401
except jwt.ExpiredSignatureError:
return dict(message='Token has expired'), 401
except jwt.InvalidTokenError:
return dict(message='Token is invalid'), 401
headers = {'authorization': 'Bearer {0}'.format(access_token)}
# retrieve information about the current user.
r = requests.get(user_api_url, headers=headers, verify=verify_cert)
profile = r.json()
user = user_service.get_by_email(profile['email'])
metrics.send('successful_login', 'counter', 1)
# update with roles sent by identity provider
roles = []
if 'roles' in profile:
for group in profile['roles']:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(
group,
description=
'This is a group configured by identity provider',
third_party=True)
if not role.third_party:
role = role_service.set_third_party(
role.id, third_party_status=True)
roles.append(role)
role = role_service.get_by_name(profile['email'])
if not role:
role = role_service.create(
profile['email'],
description='This is a user specific role',
third_party=True)
if not role.third_party:
role = role_service.set_third_party(role.id,
third_party_status=True)
roles.append(role)
# if we get an sso user create them an account
if not user:
# every user is an operator (tied to a default role)
if current_app.config.get('LEMUR_DEFAULT_ROLE'):
v = role_service.get_by_name(
current_app.config.get('LEMUR_DEFAULT_ROLE'))
if not v.third_party:
v = role_service.set_third_party(v.id,
third_party_status=True)
if v:
roles.append(v)
user = user_service.create(profile['name'],
get_psuedo_random_string(),
profile['email'], True,
profile.get('thumbnailPhotoUrl'), roles)
else:
# we add 'lemur' specific roles, so they do not get marked as removed
for ur in user.roles:
if not ur.third_party:
roles.append(ur)
# update any changes to the user
user_service.update(
user.id,
profile['name'],
profile['email'],
True,
profile.get('thumbnailPhotoUrl'
), # incase profile isn't google+ enabled
roles)
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(),
identity=Identity(user.id))
return dict(token=create_token(user))