Пример #1
0
    def test_get_domain_by_record_acl_email_fail(self):
        account = Account()
        account.email = "*****@*****.**"
        account.in_global_acl_emails = MagicMock(return_value=False)

        self.assertFalse(
            account.get_domain_by_record_acl(1, "example.com", "TXT"))
Пример #2
0
    def cookie_authenticate(self):
        supplied_cookie = self.request.cookies.get("vegadns")
        if supplied_cookie is None:
            raise AuthException('Invalid cookie supplied')

        split = supplied_cookie.split("-")
        if len(split) is not 2:
            raise AuthException('Invalid cookie supplied')
        account_id = split[0]

        try:
            account = Account.get(
                Account.account_id == account_id,
                Account.status == 'active'
            )
        except peewee.DoesNotExist:
            raise AuthException("Invalid cookie supplied")

        user_agent = self.request.headers.get('User-Agent')
        generated_cookie = account.generate_cookie_value(account, user_agent)

        if supplied_cookie != generated_cookie:
            raise AuthException("Invalid cookie supplied")

        self.account = account
        self.authUsed = "cookie"
Пример #3
0
    def delete(self, account_id):
        if self.auth.account.account_type != "senior_admin":
            abort(403, message="Insufficient privileges to delete account")

        if self.auth.account.account_id == account_id:
            abort(400, message="Sorry, you can't delete yourself")

        try:
            account = ModelAccount.get(ModelAccount.account_id == account_id)
        except peewee.DoesNotExist:
            abort(404, message="account does not exist")

        # update existing domains to be owned by account 0
        domains = ModelDomain.select().where(
            ModelDomain.owner_id == account_id
        )
        for domain in domains:
            domain.owner_id == 0
            domain.save()

        account.delete_instance()

        self.dns_log(
            0,
            (
                "deleted account " + account.first_name + " " +
                account.last_name + ", " + account.email
            )
        )

        return {'status': 'ok'}
Пример #4
0
    def get_account_by_oauth_token(self, token):
        now = int(time.time())

        # First, remove old tokens every 4 requests or so
        if random.randint(1, 4) == 1:
            q = OauthAccessToken.delete().where(
                OauthAccessToken.expires_at < now
            )
            deleted = q.execute()
            # print "Old tokens deleted: " + str(deleted)

        try:
            access_token = OauthAccessToken.get(
                OauthAccessToken.access_token == token,
                OauthAccessToken.expires_at > now
            )
        except peewee.DoesNotExist:
            raise Unauthorized('invalid_token')

        try:
            return Account.get(
                Account.account_id == access_token.account_id,
                Account.status == 'active'
            )
        except peewee.DoesNotExist:
            raise Unauthorized('Account not found')
Пример #5
0
    def cookie_authenticate(self):
        supplied_cookie = self.request.cookies.get("vegadns")
        if supplied_cookie is None:
            raise Unauthorized('Invalid cookie supplied')

        split = supplied_cookie.split("-")
        if len(split) is not 2:
            raise Unauthorized('Invalid cookie supplied')
        account_id = split[0]

        try:
            account = Account.get(
                Account.account_id == account_id,
                Account.status == 'active'
            )
        except peewee.DoesNotExist:
            raise Unauthorized("Invalid cookie supplied")

        user_agent = self.request.headers.get('User-Agent')
        generated_cookie = account.generate_cookie_value(account, user_agent)

        if supplied_cookie != generated_cookie:
            raise Unauthorized("Invalid cookie supplied")

        self.account = account
        self.authUsed = "cookie"
Пример #6
0
    def post(self):
        email = request.form.get("email", None)
        password = request.form.get("password", None)

        if email is None or password is None:
            return abort(400, message="email and password required")

        if not Validate().email(email):
            return abort(400, message="invalid email")

        try:
            account = ModelAccount.get(ModelAccount.email == email,
                                       ModelAccount.status == 'active')
        except peewee.DoesNotExist:
            return abort(401, message="invalid email or password")

        # check password!
        if not account.check_password(password):
            return abort(401, message="invalid email or password")

        # update to bcrypt
        if account.get_password_algo() != "bcrypt":
            account.set_password(password)
            account.save()

        user_agent = request.headers.get('User-Agent')
        generated_cookie = account.generate_cookie_value(account, user_agent)

        data = {"status": "ok", "account": account.to_clean_dict()}
        response = make_response(self.serialize(data))
        response.mimetype = 'application/json'
        response.set_cookie('vegadns', generated_cookie)

        return response
Пример #7
0
    def put(self, token):
        """Resets the password and deletes token"""

        storedToken = self.fetchToken(token)
        password = request.form.get("password", None)
        if password is None:
            abort(400, message="password is required")

        account = ModelAccount.get(
            ModelAccount.account_id == storedToken.account_id
        )

        # update password
        account.set_password(password)
        account.save()

        # delete token
        storedToken.delete_instance()

        # prep email data
        name = account.first_name + " " + account.last_name
        data = {'name': name}
        body = vegadns.api.email.parseTemplate('password_was_reset', data)
        to = account.email
        subject = "Your VegaDNS password has been reset"

        # send email
        common = vegadns.api.email.common.Common()
        vegadns.api.email.send(to, subject, body)

        return {'status': 'ok'}
Пример #8
0
 def get_account_by_email(self, email):
     try:
         return Account.get(
             Account.email == email,
             Account.status == 'active'
         )
     except peewee.DoesNotExist:
         raise Unauthorized('Account not found')
Пример #9
0
 def get_account_by_email(self, email):
     try:
         return Account.get(
             Account.email == email,
             Account.status == 'active'
         )
     except peewee.DoesNotExist:
         raise AuthException('Account not found')
Пример #10
0
    def get_account_list(self):
        query = ModelAccount.select()
        search = request.args.get('search', None)
        if (search is not None):
            query = query.where((ModelAccount.first_name**(search + '%'))
                                | (ModelAccount.last_name**(search + '%'))
                                | (ModelAccount.email**('%' + search + '%')))

        return query
Пример #11
0
    def mock_auth(email, password, active=True):
        h = "$2b$12$lqzxUnknwA/BYMJo2hFq5OBkkxsXP/7bupeNhizTFVa9WHaMOY6de"
        ph = "bcrypt||" + h

        account = Account()
        account.first_name = "Example"
        account.last_name = "User"
        account.email = '*****@*****.**'
        account.account_type = "senior_admin"
        account.password = ph
        if active is True:
            account.status = 'active'
        else:
            account.status = 'inactive'

        account.load_domains = MagicMock(return_value=None)

        vegadns.api.common.Auth.get_account_by_email = MagicMock(
            return_value=account)
Пример #12
0
    def get_account_list(self):
        query = ModelAccount.select()
        search = request.args.get("search", None)
        if search is not None:
            query = query.where(
                (ModelAccount.first_name ** (search + "%"))
                | (ModelAccount.last_name ** (search + "%"))
                | (ModelAccount.email ** ("%" + search + "%"))
            )

        return query
Пример #13
0
    def get_account_by_oauth_token(self, token):
        now = int(time.time())
        try:
            access_token = OauthAccessToken.get(
                OauthAccessToken.access_token == token,
                OauthAccessToken.expires_at > now)
        except peewee.DoesNotExist:
            raise AuthException('invalid_token')

        try:
            return Account.get(Account.account_id == access_token.account_id,
                               Account.status == 'active')
        except peewee.DoesNotExist:
            raise AuthException('Account not found')
Пример #14
0
    def post(self):
        email = request.form.get("email", None)

        if email is None:
            abort(400, message="email is required")

        if not Validate().email(email):
            abort(400, message="invalid email address")

        try:
            account = ModelAccount.get(ModelAccount.email == email)
        except peewee.DoesNotExist:
            abort(400, message="email does not exist")

        # create token
        now = round(time.time())

        token = ModelToken()
        token.account_id = account.account_id
        token.token_value = token.generateToken()
        token.date_created = now

        token.save()

        # cleanup old tokens
        oldtokens = ModelToken.delete().where(
            ModelToken.date_created < now - ModelToken.EXPIRE_IN
        )
        oldtokens.execute()

        # prep email data
        name = account.first_name + " " + account.last_name
        url = config.get(
            'ui_server', 'ui_url'
        ) + "#passwordReset?token=" + token.token_value
        data = {
            'name': name,
            'url': url,
        }
        body = vegadns.api.email.parseTemplate('password_reset_request', data)
        to = account.email
        subject = "VegaDNS Password Reset Request"

        # send email
        common = vegadns.api.email.common.Common()
        vegadns.api.email.send(to, subject, body)

        return {'status': 'ok'}
Пример #15
0
    def test_get_domain_by_record_acl_domain_success(self):
        account = Account()
        account.email = "*****@*****.**"
        account.in_global_acl_emails = MagicMock(return_value=True)

        dm = MagicMock()
        dm.domain = "example.com"
        domain = MagicMock()
        domain.get = MagicMock(return_value=dm)
        account.get_domain_object = MagicMock(return_value=domain)

        account.get_global_acl_labels = MagicMock(return_value=["DOMAIN"])
        self.assertEquals(
            dm, account.get_domain_by_record_acl(1, "example.com", "TXT"))
Пример #16
0
    def mock_auth(email, password, active=True):
        h = "$2b$12$lqzxUnknwA/BYMJo2hFq5OBkkxsXP/7bupeNhizTFVa9WHaMOY6de"
        ph = "bcrypt||" + h

        account = Account()
        account.first_name = "Example"
        account.last_name = "User"
        account.email = '*****@*****.**'
        account.account_type = "senior_admin"
        account.password = ph
        if active is True:
            account.status = 'active'
        else:
            account.status = 'inactive'

        vegadns.api.common.Auth.get_account_by_email = MagicMock(
            return_value=account
        )
Пример #17
0
    def get_account_by_oauth_token(self, token):
        now = int(time.time())
        try:
            access_token = OauthAccessToken.get(
                OauthAccessToken.access_token == token,
                OauthAccessToken.expires_at > now
            )
        except peewee.DoesNotExist:
            raise AuthException('invalid_token')

        try:
            return Account.get(
                Account.account_id == access_token.account_id,
                Account.status == 'active'
            )
        except peewee.DoesNotExist:
            raise AuthException('Account not found')
Пример #18
0
    def test_get_domain_by_record_acl_multiple_label_failure_two(self):
        account = Account()
        account.email = "*****@*****.**"
        account.in_global_acl_emails = MagicMock(return_value=True)

        dm = MagicMock()
        dm.domain = "example.com"
        domain = MagicMock()
        domain.get = MagicMock(return_value=dm)
        account.get_domain_object = MagicMock(return_value=domain)

        account.get_global_acl_labels = MagicMock(
            return_value=["_acme-challenge", "DOMAIN"])
        self.assertFalse(
            account.get_domain_by_record_acl(1, "foo.bar.example.com", "TXT"))
Пример #19
0
    def test_get_domain_by_record_acl_multiple_label_success_no_match(self):
        account = Account()
        account.email = "*****@*****.**"
        account.in_global_acl_emails = MagicMock(return_value=True)

        dm = MagicMock()
        dm.domain = "example.com"
        dm.domain_id = 1
        dget = Mock()
        dget.side_effect = [dm, peewee.DoesNotExist, peewee.DoesNotExist]
        domain = MagicMock()
        domain.get = dget
        account.get_domain_object = MagicMock(return_value=domain)

        account.get_global_acl_labels = MagicMock(
            return_value=["_acme-challenge", "DOMAIN"])
        self.assertEquals(
            dm,
            account.get_domain_by_record_acl(
                1, "_acme-challenge.foo.bar.example.com", "TXT"))
Пример #20
0
    def post(self):
        email = request.form.get("email", None)
        password = request.form.get("password", None)

        if email is None or password is None:
            return abort(400, message="email and password required")

        if not Validate().email(email):
            return abort(400, message="invalid email")

        try:
            account = ModelAccount.get(
                ModelAccount.email == email,
                ModelAccount.status == 'active'
            )
        except peewee.DoesNotExist:
            return abort(401, message="invalid email or password")

        # check password!
        if not account.check_password(password):
            return abort(401, message="invalid email or password")

        # update to bcrypt
        if account.get_password_algo() != "bcrypt":
            account.set_password(password)
            account.save()

        user_agent = request.headers.get('User-Agent')
        generated_cookie = account.generate_cookie_value(account, user_agent)

        data = {
            "status": "ok",
            "account": account.to_clean_dict()
        }
        response = make_response(self.serialize(data))
        response.mimetype = 'application/json'
        response.set_cookie('vegadns', generated_cookie)

        return response
Пример #21
0
    def delete(self, account_id):
        if self.auth.account.account_type != "senior_admin":
            abort(403, message="Insufficient privileges to delete account")

        if self.auth.account.account_id == account_id:
            abort(400, message="Sorry, you can't delete yourself")

        try:
            account = ModelAccount.get(ModelAccount.account_id == account_id)
        except peewee.DoesNotExist:
            abort(404, message="account does not exist")

        # update existing domains to be owned by account 0
        domains = ModelDomain.select().where(
            ModelDomain.owner_id == account_id
        )
        for domain in domains:
            domain.owner_id == 0
            domain.save()

        account.delete_instance()

        return {'status': 'ok'}
Пример #22
0
    def post(self):
        description = request.form.get("description", "")
        account_id = request.form.get("account_id", None)

        if account_id is not None:
            if account_id != self.auth.account.account_id:
                if self.auth.account.account_type != "senior_admin":
                    message = ("Insufficient privileges to create an api key "
                               "for another user")
                    abort(403, message=message)

            try:
                account = ModelAccount.get(
                    ModelAccount.account_id == account_id)
                account_id = account.account_id
            except peewee.DoesNotExist:
                abort(400, message="account_id does not exist")
        else:
            account_id = self.auth.account.account_id

        apikey = self.create_api_key(description, account_id)

        return {'status': 'ok', 'apikey': apikey.to_dict()}, 201
Пример #23
0
    def post(self):
        description = request.form.get("description", "")
        account_id = request.form.get("account_id", None)

        if account_id is not None:
            if account_id != self.auth.account.account_id:
                if self.auth.account.account_type != "senior_admin":
                    message = ("Insufficient privileges to create an api key "
                               "for another user")
                    abort(403, message=message)

            try:
                account = ModelAccount.get(
                    ModelAccount.account_id == account_id
                )
                account_id = account.account_id
            except peewee.DoesNotExist:
                abort(400, message="account_id does not exist")
        else:
            account_id = self.auth.account.account_id

        apikey = self.create_api_key(description, account_id)

        return {'status': 'ok', 'apikey': apikey.to_dict()}, 201
Пример #24
0
    def test_get_domain_by_record_acl_multiple_label_failure_collision(self):
        account = Account()
        account.email = "*****@*****.**"
        account.in_global_acl_emails = MagicMock(return_value=True)

        dm = MagicMock()
        dm.domain = "example.com"
        dm.domain_id = 1
        dm2 = MagicMock()
        dm2.domain = "bar.example.com"
        dm2.domain_id = 2

        dget = Mock()
        dget.side_effect = [dm, peewee.DoesNotExist, dm2]
        domain = Mock()
        domain.get = dget
        account.get_domain_object = MagicMock(return_value=domain)

        account.get_global_acl_labels = MagicMock(
            return_value=["_acme-challenge", "DOMAIN"])
        self.assertFalse(
            account.get_domain_by_record_acl(
                1, "_acme-challenge.foo.bar.example.com", "TXT"))
Пример #25
0
    def put(self, account_id):
        if self.auth.account.account_type != 'senior_admin':
            if self.auth.account.account_id != account_id:
                abort(
                    403,
                    message="Insufficient privileges to edit this account"
                )

        first_name = request.form.get("first_name", None)
        last_name = request.form.get("last_name", None)

        if first_name is None or last_name is None:
            abort(400, message="first_name and last_name are required")

        email = request.form.get("email", None)
        if not Validate().email(email):
            abort(400, message="invalid email")

        try:
            existing_account = ModelAccount.get(
                ModelAccount.email == email,
                ModelAccount.account_id != account_id
            )
            abort(400, message="Email address already in use")
        except peewee.DoesNotExist:
            # Expected
            pass

        account_type = request.form.get("account_type", None)
        if account_type not in ["senior_admin", "user"]:
            abort(
                400,
                message="account_type must be either system_admin or user"
            )

        status = request.form.get("status", None)
        if status not in ["active", "inactive"]:
            abort(400, message="status must be 'active' or 'inactive'")

        phone = request.form.get("phone", None)
        # Configurable password regex?
        password = request.form.get("password", None)

        try:
            account = ModelAccount.get(ModelAccount.account_id == account_id)
        except peewee.DoesNotExist:
            abort(404, message="Account does not exist")

        account.first_name = first_name
        account.last_name = last_name
        account.email = email
        account.account_type = account_type
        account.phone = phone
        account.status = status
        # only set password if it was provided
        if password is not None:
            account.set_password(password)

        account.save()

        data = {
            "status": "ok",
            "account": account.to_clean_dict()
        }
        response = make_response(self.serialize(data))
        response.mimetype = 'application/json'

        if (password is not None and
           account.account_id == self.auth.account.account_id):

            user_agent = request.headers.get('User-Agent')
            generated_cookie = account.generate_cookie_value(
                account,
                user_agent
            )
            response.set_cookie('vegadns', generated_cookie)

        return response
Пример #26
0
    def test_status_validation(self):
        account = Account()

        account.first_name = "Test"
        account.last_name = "User"
        account.email = "*****@*****.**"
        account.account_type = "senior_admin"

        # good
        account.status = "active"
        self.assertIsNone(account.validate())

        # good
        account.status = "inactive"
        self.assertIsNone(account.validate())

        # bad
        account.status = "foobar"
        with self.assertRaises(Exception) as cm:
            account.validate()
        self.assertEquals('Invalid status: foobar', cm.exception.message)
Пример #27
0
 def test_get_domain_by_record_acl_fail_soa(self):
     account = Account()
     self.assertFalse(
         account.get_domain_by_record_acl(1, "example.com", "SOA"))
Пример #28
0
    def test_get_domain(self):
        account = Account()

        self.assertEquals(peewee.BaseModel, type(account.get_domain_object()))
Пример #29
0
 def get(self, account_id):
     try:
         account = ModelAccount.get(ModelAccount.account_id == account_id)
     except peewee.DoesNotExist:
         abort(404, message="account does not exist")
     return {'status': 'ok', 'account': account.to_clean_dict()}
Пример #30
0
 def get_account(self, account_id):
     return ModelAccount.get(
         ModelAccount.account_id == account_id
     )
Пример #31
0
 def get(self, account_id):
     try:
         account = ModelAccount.get(ModelAccount.account_id == account_id)
     except peewee.DoesNotExist:
         abort(404, message="account does not exist")
     return {'status': 'ok', 'account': account.to_clean_dict()}
Пример #32
0
    def post(self):
        if self.auth.account.account_type != "senior_admin":
            abort(403, message="Insufficient privileges to create accounts")
        first_name = request.form.get("first_name", None)
        last_name = request.form.get("last_name", None)

        if first_name is None or last_name is None:
            abort(400, message="first_name and last_name are required")

        email = request.form.get("email", None)
        if not Validate().email(email):
            abort(400, message="invalid email")

        try:
            existing_account = ModelAccount.get(ModelAccount.email == email)
            abort(400, message="Email address already in use")
        except peewee.DoesNotExist:
            # Expected
            pass

        account_type = request.form.get("account_type", None)
        if account_type not in ["senior_admin", "user"]:
            abort(400, message="account_type must be either senior_admin or user")

        phone = request.form.get("phone", "")
        # Configurable password regex?
        password = request.form.get("password", None)

        account = ModelAccount()
        account.first_name = first_name
        account.last_name = last_name
        account.email = email
        account.account_type = account_type
        account.phone = phone
        account.status = "active"
        account.set_password(password)

        account.save()

        return {"status": "ok", "account": account.to_clean_dict()}, 201
Пример #33
0
    def test_status_validation(self):
        account = Account()

        account.first_name = "Test"
        account.last_name = "User"
        account.email = "*****@*****.**"
        account.account_type = "senior_admin"

        # good
        account.status = "active"
        self.assertIsNone(account.validate())

        # good
        account.status = "inactive"
        self.assertIsNone(account.validate())

        # bad
        account.status = "foobar"
        with self.assertRaises(Exception) as cm:
            account.validate()
        self.assertEquals('Invalid status: foobar', cm.exception.message)
Пример #34
0
    def put(self, account_id):
        if self.auth.account.account_type != 'senior_admin':
            if self.auth.account.account_id != account_id:
                abort(
                    403,
                    message="Insufficient privileges to edit this account"
                )

        first_name = request.form.get("first_name", None)
        last_name = request.form.get("last_name", None)

        if first_name is None or last_name is None:
            abort(400, message="first_name and last_name are required")

        email = request.form.get("email", None)
        if not Validate().email(email):
            abort(400, message="invalid email")

        try:
            existing_account = ModelAccount.get(
                ModelAccount.email == email,
                ModelAccount.account_id != account_id
            )
            abort(400, message="Email address already in use")
        except peewee.DoesNotExist:
            # Expected
            pass

        account_type = request.form.get("account_type", None)
        if account_type not in ["senior_admin", "user"]:
            abort(
                400,
                message="account_type must be either system_admin or user"
            )

        status = request.form.get("status", None)
        if status not in ["active", "inactive"]:
            abort(400, message="status must be 'active' or 'inactive'")

        phone = request.form.get("phone", None)
        # Configurable password regex?
        password = request.form.get("password", None)

        try:
            account = ModelAccount.get(ModelAccount.account_id == account_id)
        except peewee.DoesNotExist:
            abort(404, message="Account does not exist")

        account.first_name = first_name
        account.last_name = last_name
        account.email = email
        account.account_type = account_type
        account.phone = phone
        account.status = status
        # only set password if it was provided
        if password is not None:
            account.set_password(password)

        account.save()

        data = {
            "status": "ok",
            "account": account.to_clean_dict()
        }
        response = make_response(self.serialize(data))
        response.mimetype = 'application/json'

        if (password is not None and
           account.account_id == self.auth.account.account_id):

            user_agent = request.headers.get('User-Agent')
            generated_cookie = account.generate_cookie_value(
                account,
                user_agent
            )
            response.set_cookie('vegadns', generated_cookie)

        return response
Пример #35
0
    def post(self):
        if self.auth.account.account_type != 'senior_admin':
            abort(403, message="Insufficient privileges to create accounts")
        first_name = request.form.get("first_name", None)
        last_name = request.form.get("last_name", None)

        if first_name is None or last_name is None:
            abort(400, message="first_name and last_name are required")

        email = request.form.get("email", None)
        if not Validate().email(email):
            abort(400, message="invalid email")

        try:
            existing_account = ModelAccount.get(ModelAccount.email == email)
            abort(400, message="Email address already in use")
        except peewee.DoesNotExist:
            # Expected
            pass

        account_type = request.form.get("account_type", None)
        if account_type not in ["senior_admin", "user"]:
            abort(400,
                  message="account_type must be either senior_admin or user")

        phone = request.form.get("phone", "")
        # Configurable password regex?
        password = request.form.get("password", None)

        account = ModelAccount()
        account.first_name = first_name
        account.last_name = last_name
        account.email = email
        account.account_type = account_type
        account.phone = phone
        account.status = 'active'
        account.set_password(password)

        account.save()
        self.dns_log(0, ("created account " + account.first_name + " " +
                         account.last_name + ", " + account.email))

        return {'status': 'ok', 'account': account.to_clean_dict()}, 201
Пример #36
0
    def get_or_create_account_oidc(self, email, userinfo):
        try:
            return Account.get(
                Account.email == email,
                Account.status == 'active'
            )
        except peewee.DoesNotExist:
            pass
        oidc_conf = config['oidc']
        account = Account()
        account.email = email
        account.account_type = 'user'
        account.status = 'active'
        account.first_name = userinfo.get(oidc_conf.get('firstname_key'),'')
        account.last_name = userinfo.get(oidc_conf.get('lastname_key'),'')
        account.phone = userinfo.get(oidc_conf.get('phone_key'),'')
        # Save the new user to the DB
        account.save()

        return account
Пример #37
0
 def get_account(self, account_id):
     return ModelAccount.get(
         ModelAccount.account_id == account_id
     )