Пример #1
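    def do_authentication(self, **kwargs) -> str:
        """
        Authenticates a caller from a JWT passed as the ``token`` keyword
        argument, using the configured OpenID Connect client.

        The token is unpacked with the client's keyjar, checked with
        ``verify_id_token`` and its ``name`` claim is used as the username.
        A username with no existing principal is created as an admin.

        :return str: the username taken from the token's ``name`` claim
        :raises AuthenticationFailed: if no client is configured, no token
                                      is supplied, the token cannot be
                                      unpacked/verified, or the ``name``
                                      claim is missing or empty

        """
        if not self._client:
            logger.debug('No OpenID Connect Client configured')
            raise AuthenticationFailed()

        token: str = kwargs.get('token', None)
        if not token:
            logger.debug('No JWT token provided')
            raise AuthenticationFailed()

        try:
            jwt = JWT(keyjar=self._client.keyjar).unpack(token)
            # NOTE(review): an empty authn_req is passed here; confirm which
            # checks verify_id_token can still perform without the original
            # request (for example a nonce comparison).
            self._client.verify_id_token(jwt, authn_req={})
            username = jwt['name']

        except Exception as ex:
            # Any failure while unpacking or verifying is reported to the
            # caller only as a generic authentication failure.
            logger.info(str(ex))
            raise AuthenticationFailed()

        #
        # An empty or non-string name must never become a principal: the
        # lookup below would miss and an admin account would be created
        # for it.
        #
        if not isinstance(username, str) or not username.strip():
            logger.debug('JWT name claim is missing or empty')
            raise AuthenticationFailed()

        #
        # Assuming the token is valid, if we can't find the user, we
        # add them as an admin
        #
        # NOTE(review): the principal is keyed on the 'name' claim, which
        # OpenID Connect does not require to be unique or immutable (that
        # guarantee belongs to 'sub' within an issuer). Because an unknown
        # name is provisioned as an admin, confirm the identity provider
        # restricts who can obtain a token and that 'name' cannot be chosen
        # by the end user.
        #
        with dbm.session() as session:
            if not AuthManager(session=session).get_principal(username):
                self._create_admin(session, username)

            return username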
Пример #2
    def do_authentication(self, **kwargs) -> str:
        """
        Username/password authentication against the stored principals.

        Reads ``username`` and ``password`` from the keyword arguments,
        looks the principal up (reloading the principal list once if the
        first lookup misses) and verifies the password against the stored
        hash with ``pbkdf2_sha256.verify``.

        :return str: the username
        :raises AuthenticationFailed: if either credential is missing, the
                                      principal is unknown, or the password
                                      does not verify

        """
        username = kwargs.get('username', None)
        password = kwargs.get('password', None)
        if not (username and password):
            raise AuthenticationFailed()

        with dbm.session() as session:
            auth_manager = AuthManager(session=session)
            principal = auth_manager.get_principal(username)

            if not principal:
                # A newly added admin may not be loaded yet, so refresh
                # once and look again before giving up.
                auth_manager.reloadPrincipals()
                principal = auth_manager.get_principal(username)
                if not principal:
                    # NOTE(review): unknown usernames fail here without any
                    # hash computation, while known ones pay for a PBKDF2
                    # verification below; the difference in response time
                    # may reveal which usernames exist.
                    raise AuthenticationFailed()

            password_ok = pbkdf2_sha256.verify(password,
                                               principal.get_password())
            if not password_ok:
                raise AuthenticationFailed()

            return username
Пример #3
    def do_authentication(self, **kwargs):
        """
        Websocket front end for token authentication.

        Expects an ``action`` keyword argument (an instance of
        tortuga.web_service.websocket.actions.BaseAction) whose method is
        ``'jwt'`` and whose data carries a ``token``. The token is handed
        to the parent implementation together with the original keyword
        arguments.

        :raises AuthenticationFailed: if the action is missing, is not a
                                      ``'jwt'`` action, or has no token

        """
        action = kwargs.get('action', None)
        if not action or action.method != 'jwt':
            raise AuthenticationFailed()

        token = action.data.get('token', None)
        if token:
            return super().do_authentication(token=token, **kwargs)

        raise AuthenticationFailed()
Пример #4
    def do_authentication(self, **kwargs) -> str:
        """
        Runs every configured authentication method in order and stops at
        the first one that yields a username.

        Each method is called with ``skip_callbacks=True`` so that the
        success/failure callbacks fire exactly once, on this chain, after
        the overall outcome is known. Only AuthenticationFailed moves on
        to the next method; any other exception propagates to the caller.

        :return str: the username from the first method that succeeds
        :raises AuthenticationFailed: if no method returns a username

        """
        username = None
        for method in self._methods:
            try:
                username = method.authenticate(skip_callbacks=True, **kwargs)
            except AuthenticationFailed:
                # This method rejected the request; try the next one.
                continue
            if username:
                break

        if not username:
            self.on_authentication_failed()
            raise AuthenticationFailed()

        self.on_authentication_succeeded(username)
        return username
Пример #5
    def do_authentication(self, **kwargs) -> str:
        """
        HTTP Basic front end for username/password authentication.

        Parses the request's authorization header, requires the scheme to
        be ``basic`` (compared case-insensitively), decodes the username
        and password from the header value and passes them to the parent
        implementation.

        :raises AuthenticationFailed: if the scheme is not ``basic``

        """
        scheme, credentials = self.parse_authorization_header()
        if scheme.lower() == 'basic':
            username, password = self.parse_username_password(credentials)
            return super().do_authentication(username=username,
                                             password=password)

        raise AuthenticationFailed()
Пример #6
    def parse_authorization_header() -> Tuple[str, str]:
        """
        Splits the current request's authorization header into its scheme
        and value.

        The header is read from ``cherrypy.request.headers`` and divided
        at the first space only, so the value may itself contain spaces.
        The scheme is returned as sent; callers compare it themselves.

        :return (str, str): the (scheme, value) of the authorization header
        :raises AuthenticationFailed: if the header is absent or contains
                                      no space

        """
        request_headers = cherrypy.request.headers
        if 'authorization' not in request_headers:
            raise AuthenticationFailed()

        scheme, separator, value = \
            request_headers['authorization'].partition(' ')
        if not separator:
            # No space at all: there is no scheme/value pair to return.
            raise AuthenticationFailed()

        return scheme, value
Пример #7
    def do_authentication(self, **kwargs):
        """
        Websocket front end for username/password authentication.

        Expects an ``action`` keyword argument (an instance of
        tortuga.web_service.websocket.actions.BaseAction) whose method is
        ``'password'`` and whose data carries ``username`` and
        ``password``. Both are handed to the parent implementation
        together with the original keyword arguments.

        :raises AuthenticationFailed: if the action is missing, is not a
                                      ``'password'`` action, or lacks
                                      either credential

        """
        action = kwargs.get('action', None)
        if not action or action.method != 'password':
            raise AuthenticationFailed()

        username = action.data.get('username', None)
        password = action.data.get('password', None)
        if username and password:
            return super().do_authentication(username=username,
                                             password=password, **kwargs)

        raise AuthenticationFailed()
Пример #8
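    def parse_username_password(self, encoded: str) -> Tuple[str, str]:
        # pylint: disable=no-self-use
        """
        Parses a base64 encoded header value and extracts the username
        and password.

        The decoded value is split at the first colon only, so a password
        may itself contain colons. The input comes straight from a request
        header, so malformed base64 or undecodable bytes are reported as
        an authentication failure rather than escaping as a decoding
        error.

        :param encoded: the encoded string

        :return (str, str): the username and password
        :raises AuthenticationFailed: if the value cannot be decoded or
                                      contains no colon

        """
        try:
            decoded: str = base64.b64decode(encoded).decode()
        except ValueError:
            # binascii.Error (bad base64) and UnicodeDecodeError (bytes
            # that are not valid text) are both ValueError subclasses.
            raise AuthenticationFailed()

        username, separator, password = decoded.partition(':')
        if not separator:
            raise AuthenticationFailed()

        return username, password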
Пример #9
 def do_authentication(self, **kwargs) -> str:
     """
     Authenticates from the CherryPy session.

     Returns the value stored in ``cherrypy.session`` under
     ``self.SESSION_KEY``; no credentials are read from the keyword
     arguments.

     :return str: the username stored in the session
     :raises AuthenticationFailed: if the session holds no username

     """
     session_user = cherrypy.session.get(self.SESSION_KEY, None)
     if session_user:
         return session_user
     raise AuthenticationFailed()
Пример #10
    def do_authentication(self, **kwargs) -> str:
        """
        HTTP Bearer front end for token authentication.

        Parses the request's authorization header, requires the scheme to
        be ``bearer`` (compared case-insensitively) and passes the header
        value to the parent implementation as the token.

        :raises AuthenticationFailed: if the scheme is not ``bearer``

        """
        scheme, bearer_token = self.parse_authorization_header()
        if scheme.lower() == 'bearer':
            return super().do_authentication(token=bearer_token)

        raise AuthenticationFailed()
Пример #11
 def raise_authentication_failure_exception(username, **kwargs):
     """
     Unconditionally raises AuthenticationFailed.

     Neither ``username`` nor the keyword arguments are inspected.

     :raises AuthenticationFailed: always

     """
     failure = AuthenticationFailed()
     raise failure