def unauthenticated_userid(self, request):
http_creds = extract_http_basic_credentials(request)
if http_creds is None:
self.debug and self._log(
'No HTTP Credentials received, so no auth. Will return None',
'authenticated_userid',
request,
)
return
# username == userid, and password is the token for the actual credentials
cred = get_valid_credentials(http_creds.username,
http_creds.password,
registry=request.registry)
if cred is None:
self.debug and self._log(
"Credentials weren't valid, will return None",
'authenticated_userid',
request,
)
return
else:
self.debug and self._log(
'Valid credentials and user found, will return userid "%s" ' %
cred.userid,
'authenticated_userid',
request,
)
return cred.userid
def _get_auth_client(cls, request):
"""Get a matching auth client if the credentials are valid."""
credentials = extract_http_basic_credentials(request)
if not credentials:
return None
# It is important not to include the secret as part of the SQL query
# because the resulting code may be subject to a timing attack.
try:
auth_client = request.db.query(AuthClient).get(
credentials.username)
except StatementError:
# The auth client id is malformed
return None
if (
# The client must exist
auth_client is None
# Have a secret to compare with
or auth_client.secret is None
# And be the correct type
or auth_client.grant_type != GrantType.client_credentials):
return None
# We fetch the auth_client by its ID and then do a constant-time
# comparison of the secret with that provided in the request.
if not hmac.compare_digest(auth_client.secret, credentials.password):
return None
return auth_client
def _get_credentials(self, request):
# Pyramid < 1.8
policy = base_auth.BasicAuthAuthenticationPolicy
if hasattr(policy, '_get_credentials'): # pragma: no cover
return policy._get_credentials(self, request)
# Pyramid > 1.8
return base_auth.extract_http_basic_credentials(request) # pragma: no cover
def test_compat_with_pyramid(self):
obj = self._cut('1', token="123")
request = testing.DummyRequest()
request.headers['Authorization'] = obj.header()
results = extract_http_basic_credentials(request)
expected = HTTPBasicCredentials(username='******', password='******')
self.assertIsInstance(results, HTTPBasicCredentials)
self.assertEqual(results, expected)
def identity(self, request: PyramidRequest):
credentials = extract_http_basic_credentials(request)
if credentials:
user_name = get_authenticated_user_name(
credentials.username,
credentials.password,
request,
)
return user_name
def identity(self, request: PyramidRequest):
credentials = extract_http_basic_credentials(request)
if credentials:
user_id = check_credentials(
credentials.username,
credentials.password,
request,
)
return user_id
def get_current_user(self, request: TracimRequest) -> typing.Optional[User]:
# check if user is correct
credentials = extract_http_basic_credentials(request)
if not credentials:
return None
user = self._authenticate_user(
request=request, login=credentials.username, password=credentials.password
)
if not user:
return None
return user
def authenticated_userid(self, request):
# check if user is correct
credentials = extract_http_basic_credentials(request)
if not credentials:
return None
user = self._authenticate_user(request=request,
email=credentials.username,
password=credentials.password)
if not user:
return None
return user.user_id
def unauthenticated_userid(self, request):
settings = request.registry.settings
credentials = base_auth.extract_http_basic_credentials(request)
if credentials:
username, password = credentials
if not username:
return
hmac_secret = settings['userid_hmac_secret']
credentials = '{}:{}'.format(*credentials)
userid = utils.hmac_digest(hmac_secret, credentials)
return userid
def userid_for_login_request(self, request):
"""Check the basic auth for email and password"""
credentials = extract_http_basic_credentials(request)
if credentials is not None:
site = request.site
user = site["users"].get_user_by_email(credentials.username)
if (user and user.check_password(credentials.password)
and user.workflow_state == "active"):
return user.user_email
logging.warning(
f"Unable to authenticate with password authentication: {credentials.username}"
)
return None
def unauthenticated_userid(self, request):
settings = request.registry.settings
credentials = base_auth.extract_http_basic_credentials(request)
if credentials:
username, password = credentials
if not username:
return
hmac_secret = settings["userid_hmac_secret"]
credentials = f"{credentials[0]}:{credentials[1]}"
userid = utils.hmac_digest(hmac_secret, credentials)
return userid
def unauthenticated_userid(self, request):
settings = request.registry.settings
credentials = base_auth.extract_http_basic_credentials(request)
if credentials:
username, password = credentials
if not username:
return
hmac_secret = settings["userid_hmac_secret"]
credentials = "{}:{}".format(*credentials)
userid = utils.hmac_digest(hmac_secret, credentials)
return userid
def crear_token(peticion):
credenciales = extract_http_basic_credentials(peticion)
if credenciales:
usuario, password = credenciales
resultado = autenticar_en_samba(usuario, password)
if resultado and usuario in USUARIOS_ADMIN:
try:
direccion = peticion.json_body['direccion']
rol = peticion.json_body['rol']
except:
return exceptions.HTTPBadRequest()
return {'token': peticion.create_token(direccion, rol)}
return exceptions.HTTPForbidden()
def authenticated_userid(self, request):
# check if user is correct
credentials = extract_http_basic_credentials(request)
if not credentials:
return None
user = self._authenticate_user(
request=request,
email=credentials.username,
password=credentials.password,
)
if not user:
return None
return user.user_id
def identity(self, request):
# If we're calling into this API on a request, then we want to register
# a callback which will ensure that the response varies based on the
# Authorization header.
request.add_response_callback(add_vary_callback("Authorization"))
request.authentication_method = AuthenticationMethod.BASIC_AUTH
credentials = extract_http_basic_credentials(request)
if credentials is None:
return None
username, password = credentials
if not _basic_auth_check(username, password, request):
return None
# Like sessions; basic auth can only authenticate users.
login_service = request.find_service(IUserService, context=None)
return login_service.get_user_by_username(username)
def obtain_token_alt(self):
"""
this alt version pre-calculates the client_credentials.
1. 'grant_type' in request.POST, grant_type=='client_credentials'
2. HTTP Basic Authorization contains
username: client_id
password: client_secret
"""
if DEBUG_ROUTE:
print("authority:oauth2:flow_b:obtain_token_alt",
get_csrf_token(self.request))
if LOG_ROUTE:
log.debug(
"authority:oauth2:flow_b:obtain_token_alt %s",
get_csrf_token(self.request),
)
try:
# turn this into a username/password
# HTTPBasicCredentials(username=u'OAUTH2APPKEYOAUTH2APPKEYOAUTH2APPKEYOAUTH2APPKEY', password=u'OAUTH2__APP_SECRET')
credentials = extract_http_basic_credentials(self.request)
credentials = ({
"username": credentials.username,
"password": credentials.password
} if credentials else {})
# logging.basicConfig()
# _loggingOld = logging.getLogger().getEffectiveLevel()
# logging.getLogger().setLevel(logging.DEBUG)
oauth2Provider = new_oauth2Provider(self.request)
rval = oauth2Provider.endopoint__token(credentials=credentials)
return rval
except HTTPException:
raise
except Exception as exc:
# raise custom errors in production
raise exc
def _get_client_creds_from_request(self, request):
"""
Return client credentials based on the current request.
According to the rfc6749, client MAY use the HTTP Basic authentication
scheme as defined in [RFC2617] to authenticate with the authorization
server. The client identifier is encoded using the
"application/x-www-form-urlencoded" encoding algorithm per Appendix B,
and the encoded value is used as the username; the client password is
encoded using the same algorithm and used as the password. The
authorization server MUST support the HTTP Basic authentication scheme
for authenticating clients that were issued a client password.
See `Section 2.3.1`_.
.. _`Section 2.3.1`: https://tools.ietf.org/html/rfc6749#section-2.3.1
IMPORTANT:
When dealing with an AUTHORIZATION header:
- flask-oauthlib precomputes this via Werkzeug into a dict
- pyramid's integration does not precompute right now
"""
if request.client_id is not None:
return request.client_id, request.client_secret
auth = request.headers.get("Authorization")
if auth:
# flask-oauthlib precomputes this via Werkzeug into a dict
if isinstance(auth, dict):
return auth["username"], auth["password"]
# fallback on a full extraction
_auth = extract_http_basic_credentials(request)
if isinstance(_auth, HTTPBasicCredentials):
return _auth.username, _auth.password
return None, None
def identity(self, request: PyramidRequest):
credentials = extract_http_basic_credentials(request)
if credentials:
return credentials.username
def forget(self, request):
http_creds = extract_http_basic_credentials(request)
if http_creds is not None:
remove_credentials(http_creds.username,
http_creds.password,
registry=request.registry)
