def test_get_domain_by_record_acl_email_fail(self):
account = Account()
account.email = "*****@*****.**"
account.in_global_acl_emails = MagicMock(return_value=False)
self.assertFalse(
account.get_domain_by_record_acl(1, "example.com", "TXT"))
def cookie_authenticate(self):
supplied_cookie = self.request.cookies.get("vegadns")
if supplied_cookie is None:
raise AuthException('Invalid cookie supplied')
split = supplied_cookie.split("-")
if len(split) is not 2:
raise AuthException('Invalid cookie supplied')
account_id = split[0]
try:
account = Account.get(
Account.account_id == account_id,
Account.status == 'active'
)
except peewee.DoesNotExist:
raise AuthException("Invalid cookie supplied")
user_agent = self.request.headers.get('User-Agent')
generated_cookie = account.generate_cookie_value(account, user_agent)
if supplied_cookie != generated_cookie:
raise AuthException("Invalid cookie supplied")
self.account = account
self.authUsed = "cookie"
def delete(self, account_id):
if self.auth.account.account_type != "senior_admin":
abort(403, message="Insufficient privileges to delete account")
if self.auth.account.account_id == account_id:
abort(400, message="Sorry, you can't delete yourself")
try:
account = ModelAccount.get(ModelAccount.account_id == account_id)
except peewee.DoesNotExist:
abort(404, message="account does not exist")
# update existing domains to be owned by account 0
domains = ModelDomain.select().where(
ModelDomain.owner_id == account_id
)
for domain in domains:
domain.owner_id == 0
domain.save()
account.delete_instance()
self.dns_log(
0,
(
"deleted account " + account.first_name + " " +
account.last_name + ", " + account.email
)
)
return {'status': 'ok'}
def get_account_by_oauth_token(self, token):
now = int(time.time())
# First, remove old tokens every 4 requests or so
if random.randint(1, 4) == 1:
q = OauthAccessToken.delete().where(
OauthAccessToken.expires_at < now
)
deleted = q.execute()
# print "Old tokens deleted: " + str(deleted)
try:
access_token = OauthAccessToken.get(
OauthAccessToken.access_token == token,
OauthAccessToken.expires_at > now
)
except peewee.DoesNotExist:
raise Unauthorized('invalid_token')
try:
return Account.get(
Account.account_id == access_token.account_id,
Account.status == 'active'
)
except peewee.DoesNotExist:
raise Unauthorized('Account not found')
def cookie_authenticate(self):
supplied_cookie = self.request.cookies.get("vegadns")
if supplied_cookie is None:
raise Unauthorized('Invalid cookie supplied')
split = supplied_cookie.split("-")
if len(split) is not 2:
raise Unauthorized('Invalid cookie supplied')
account_id = split[0]
try:
account = Account.get(
Account.account_id == account_id,
Account.status == 'active'
)
except peewee.DoesNotExist:
raise Unauthorized("Invalid cookie supplied")
user_agent = self.request.headers.get('User-Agent')
generated_cookie = account.generate_cookie_value(account, user_agent)
if supplied_cookie != generated_cookie:
raise Unauthorized("Invalid cookie supplied")
self.account = account
self.authUsed = "cookie"
def post(self):
email = request.form.get("email", None)
password = request.form.get("password", None)
if email is None or password is None:
return abort(400, message="email and password required")
if not Validate().email(email):
return abort(400, message="invalid email")
try:
account = ModelAccount.get(ModelAccount.email == email,
ModelAccount.status == 'active')
except peewee.DoesNotExist:
return abort(401, message="invalid email or password")
# check password!
if not account.check_password(password):
return abort(401, message="invalid email or password")
# update to bcrypt
if account.get_password_algo() != "bcrypt":
account.set_password(password)
account.save()
user_agent = request.headers.get('User-Agent')
generated_cookie = account.generate_cookie_value(account, user_agent)
data = {"status": "ok", "account": account.to_clean_dict()}
response = make_response(self.serialize(data))
response.mimetype = 'application/json'
response.set_cookie('vegadns', generated_cookie)
return response
def put(self, token):
"""Resets the password and deletes token"""
storedToken = self.fetchToken(token)
password = request.form.get("password", None)
if password is None:
abort(400, message="password is required")
account = ModelAccount.get(
ModelAccount.account_id == storedToken.account_id
)
# update password
account.set_password(password)
account.save()
# delete token
storedToken.delete_instance()
# prep email data
name = account.first_name + " " + account.last_name
data = {'name': name}
body = vegadns.api.email.parseTemplate('password_was_reset', data)
to = account.email
subject = "Your VegaDNS password has been reset"
# send email
common = vegadns.api.email.common.Common()
vegadns.api.email.send(to, subject, body)
return {'status': 'ok'}
def get_account_by_email(self, email):
try:
return Account.get(
Account.email == email,
Account.status == 'active'
)
except peewee.DoesNotExist:
raise Unauthorized('Account not found')
def get_account_by_email(self, email):
try:
return Account.get(
Account.email == email,
Account.status == 'active'
)
except peewee.DoesNotExist:
raise AuthException('Account not found')
def get_account_list(self):
query = ModelAccount.select()
search = request.args.get('search', None)
if (search is not None):
query = query.where((ModelAccount.first_name**(search + '%'))
| (ModelAccount.last_name**(search + '%'))
| (ModelAccount.email**('%' + search + '%')))
return query
def mock_auth(email, password, active=True):
h = "$2b$12$lqzxUnknwA/BYMJo2hFq5OBkkxsXP/7bupeNhizTFVa9WHaMOY6de"
ph = "bcrypt||" + h
account = Account()
account.first_name = "Example"
account.last_name = "User"
account.email = '*****@*****.**'
account.account_type = "senior_admin"
account.password = ph
if active is True:
account.status = 'active'
else:
account.status = 'inactive'
account.load_domains = MagicMock(return_value=None)
vegadns.api.common.Auth.get_account_by_email = MagicMock(
return_value=account)
def get_account_list(self):
query = ModelAccount.select()
search = request.args.get("search", None)
if search is not None:
query = query.where(
(ModelAccount.first_name ** (search + "%"))
| (ModelAccount.last_name ** (search + "%"))
| (ModelAccount.email ** ("%" + search + "%"))
)
return query
def get_account_by_oauth_token(self, token):
now = int(time.time())
try:
access_token = OauthAccessToken.get(
OauthAccessToken.access_token == token,
OauthAccessToken.expires_at > now)
except peewee.DoesNotExist:
raise AuthException('invalid_token')
try:
return Account.get(Account.account_id == access_token.account_id,
Account.status == 'active')
except peewee.DoesNotExist:
raise AuthException('Account not found')
def post(self):
email = request.form.get("email", None)
if email is None:
abort(400, message="email is required")
if not Validate().email(email):
abort(400, message="invalid email address")
try:
account = ModelAccount.get(ModelAccount.email == email)
except peewee.DoesNotExist:
abort(400, message="email does not exist")
# create token
now = round(time.time())
token = ModelToken()
token.account_id = account.account_id
token.token_value = token.generateToken()
token.date_created = now
token.save()
# cleanup old tokens
oldtokens = ModelToken.delete().where(
ModelToken.date_created < now - ModelToken.EXPIRE_IN
)
oldtokens.execute()
# prep email data
name = account.first_name + " " + account.last_name
url = config.get(
'ui_server', 'ui_url'
) + "#passwordReset?token=" + token.token_value
data = {
'name': name,
'url': url,
}
body = vegadns.api.email.parseTemplate('password_reset_request', data)
to = account.email
subject = "VegaDNS Password Reset Request"
# send email
common = vegadns.api.email.common.Common()
vegadns.api.email.send(to, subject, body)
return {'status': 'ok'}
def test_get_domain_by_record_acl_domain_success(self):
account = Account()
account.email = "*****@*****.**"
account.in_global_acl_emails = MagicMock(return_value=True)
dm = MagicMock()
dm.domain = "example.com"
domain = MagicMock()
domain.get = MagicMock(return_value=dm)
account.get_domain_object = MagicMock(return_value=domain)
account.get_global_acl_labels = MagicMock(return_value=["DOMAIN"])
self.assertEquals(
dm, account.get_domain_by_record_acl(1, "example.com", "TXT"))
def mock_auth(email, password, active=True):
h = "$2b$12$lqzxUnknwA/BYMJo2hFq5OBkkxsXP/7bupeNhizTFVa9WHaMOY6de"
ph = "bcrypt||" + h
account = Account()
account.first_name = "Example"
account.last_name = "User"
account.email = '*****@*****.**'
account.account_type = "senior_admin"
account.password = ph
if active is True:
account.status = 'active'
else:
account.status = 'inactive'
vegadns.api.common.Auth.get_account_by_email = MagicMock(
return_value=account
)
def get_account_by_oauth_token(self, token):
now = int(time.time())
try:
access_token = OauthAccessToken.get(
OauthAccessToken.access_token == token,
OauthAccessToken.expires_at > now
)
except peewee.DoesNotExist:
raise AuthException('invalid_token')
try:
return Account.get(
Account.account_id == access_token.account_id,
Account.status == 'active'
)
except peewee.DoesNotExist:
raise AuthException('Account not found')
def test_get_domain_by_record_acl_multiple_label_failure_two(self):
account = Account()
account.email = "*****@*****.**"
account.in_global_acl_emails = MagicMock(return_value=True)
dm = MagicMock()
dm.domain = "example.com"
domain = MagicMock()
domain.get = MagicMock(return_value=dm)
account.get_domain_object = MagicMock(return_value=domain)
account.get_global_acl_labels = MagicMock(
return_value=["_acme-challenge", "DOMAIN"])
self.assertFalse(
account.get_domain_by_record_acl(1, "foo.bar.example.com", "TXT"))
def test_get_domain_by_record_acl_multiple_label_success_no_match(self):
account = Account()
account.email = "*****@*****.**"
account.in_global_acl_emails = MagicMock(return_value=True)
dm = MagicMock()
dm.domain = "example.com"
dm.domain_id = 1
dget = Mock()
dget.side_effect = [dm, peewee.DoesNotExist, peewee.DoesNotExist]
domain = MagicMock()
domain.get = dget
account.get_domain_object = MagicMock(return_value=domain)
account.get_global_acl_labels = MagicMock(
return_value=["_acme-challenge", "DOMAIN"])
self.assertEquals(
dm,
account.get_domain_by_record_acl(
1, "_acme-challenge.foo.bar.example.com", "TXT"))
def post(self):
email = request.form.get("email", None)
password = request.form.get("password", None)
if email is None or password is None:
return abort(400, message="email and password required")
if not Validate().email(email):
return abort(400, message="invalid email")
try:
account = ModelAccount.get(
ModelAccount.email == email,
ModelAccount.status == 'active'
)
except peewee.DoesNotExist:
return abort(401, message="invalid email or password")
# check password!
if not account.check_password(password):
return abort(401, message="invalid email or password")
# update to bcrypt
if account.get_password_algo() != "bcrypt":
account.set_password(password)
account.save()
user_agent = request.headers.get('User-Agent')
generated_cookie = account.generate_cookie_value(account, user_agent)
data = {
"status": "ok",
"account": account.to_clean_dict()
}
response = make_response(self.serialize(data))
response.mimetype = 'application/json'
response.set_cookie('vegadns', generated_cookie)
return response
def delete(self, account_id):
if self.auth.account.account_type != "senior_admin":
abort(403, message="Insufficient privileges to delete account")
if self.auth.account.account_id == account_id:
abort(400, message="Sorry, you can't delete yourself")
try:
account = ModelAccount.get(ModelAccount.account_id == account_id)
except peewee.DoesNotExist:
abort(404, message="account does not exist")
# update existing domains to be owned by account 0
domains = ModelDomain.select().where(
ModelDomain.owner_id == account_id
)
for domain in domains:
domain.owner_id == 0
domain.save()
account.delete_instance()
return {'status': 'ok'}
def post(self):
description = request.form.get("description", "")
account_id = request.form.get("account_id", None)
if account_id is not None:
if account_id != self.auth.account.account_id:
if self.auth.account.account_type != "senior_admin":
message = ("Insufficient privileges to create an api key "
"for another user")
abort(403, message=message)
try:
account = ModelAccount.get(
ModelAccount.account_id == account_id)
account_id = account.account_id
except peewee.DoesNotExist:
abort(400, message="account_id does not exist")
else:
account_id = self.auth.account.account_id
apikey = self.create_api_key(description, account_id)
return {'status': 'ok', 'apikey': apikey.to_dict()}, 201
def post(self):
description = request.form.get("description", "")
account_id = request.form.get("account_id", None)
if account_id is not None:
if account_id != self.auth.account.account_id:
if self.auth.account.account_type != "senior_admin":
message = ("Insufficient privileges to create an api key "
"for another user")
abort(403, message=message)
try:
account = ModelAccount.get(
ModelAccount.account_id == account_id
)
account_id = account.account_id
except peewee.DoesNotExist:
abort(400, message="account_id does not exist")
else:
account_id = self.auth.account.account_id
apikey = self.create_api_key(description, account_id)
return {'status': 'ok', 'apikey': apikey.to_dict()}, 201
def test_get_domain_by_record_acl_multiple_label_failure_collision(self):
account = Account()
account.email = "*****@*****.**"
account.in_global_acl_emails = MagicMock(return_value=True)
dm = MagicMock()
dm.domain = "example.com"
dm.domain_id = 1
dm2 = MagicMock()
dm2.domain = "bar.example.com"
dm2.domain_id = 2
dget = Mock()
dget.side_effect = [dm, peewee.DoesNotExist, dm2]
domain = Mock()
domain.get = dget
account.get_domain_object = MagicMock(return_value=domain)
account.get_global_acl_labels = MagicMock(
return_value=["_acme-challenge", "DOMAIN"])
self.assertFalse(
account.get_domain_by_record_acl(
1, "_acme-challenge.foo.bar.example.com", "TXT"))
def put(self, account_id):
if self.auth.account.account_type != 'senior_admin':
if self.auth.account.account_id != account_id:
abort(
403,
message="Insufficient privileges to edit this account"
)
first_name = request.form.get("first_name", None)
last_name = request.form.get("last_name", None)
if first_name is None or last_name is None:
abort(400, message="first_name and last_name are required")
email = request.form.get("email", None)
if not Validate().email(email):
abort(400, message="invalid email")
try:
existing_account = ModelAccount.get(
ModelAccount.email == email,
ModelAccount.account_id != account_id
)
abort(400, message="Email address already in use")
except peewee.DoesNotExist:
# Expected
pass
account_type = request.form.get("account_type", None)
if account_type not in ["senior_admin", "user"]:
abort(
400,
message="account_type must be either system_admin or user"
)
status = request.form.get("status", None)
if status not in ["active", "inactive"]:
abort(400, message="status must be 'active' or 'inactive'")
phone = request.form.get("phone", None)
# Configurable password regex?
password = request.form.get("password", None)
try:
account = ModelAccount.get(ModelAccount.account_id == account_id)
except peewee.DoesNotExist:
abort(404, message="Account does not exist")
account.first_name = first_name
account.last_name = last_name
account.email = email
account.account_type = account_type
account.phone = phone
account.status = status
# only set password if it was provided
if password is not None:
account.set_password(password)
account.save()
data = {
"status": "ok",
"account": account.to_clean_dict()
}
response = make_response(self.serialize(data))
response.mimetype = 'application/json'
if (password is not None and
account.account_id == self.auth.account.account_id):
user_agent = request.headers.get('User-Agent')
generated_cookie = account.generate_cookie_value(
account,
user_agent
)
response.set_cookie('vegadns', generated_cookie)
return response
def test_status_validation(self):
account = Account()
account.first_name = "Test"
account.last_name = "User"
account.email = "*****@*****.**"
account.account_type = "senior_admin"
# good
account.status = "active"
self.assertIsNone(account.validate())
# good
account.status = "inactive"
self.assertIsNone(account.validate())
# bad
account.status = "foobar"
with self.assertRaises(Exception) as cm:
account.validate()
self.assertEquals('Invalid status: foobar', cm.exception.message)
def test_get_domain_by_record_acl_fail_soa(self):
account = Account()
self.assertFalse(
account.get_domain_by_record_acl(1, "example.com", "SOA"))
def test_get_domain(self):
account = Account()
self.assertEquals(peewee.BaseModel, type(account.get_domain_object()))
def get(self, account_id):
try:
account = ModelAccount.get(ModelAccount.account_id == account_id)
except peewee.DoesNotExist:
abort(404, message="account does not exist")
return {'status': 'ok', 'account': account.to_clean_dict()}
def get_account(self, account_id):
return ModelAccount.get(
ModelAccount.account_id == account_id
)
def get(self, account_id):
try:
account = ModelAccount.get(ModelAccount.account_id == account_id)
except peewee.DoesNotExist:
abort(404, message="account does not exist")
return {'status': 'ok', 'account': account.to_clean_dict()}
def post(self):
if self.auth.account.account_type != "senior_admin":
abort(403, message="Insufficient privileges to create accounts")
first_name = request.form.get("first_name", None)
last_name = request.form.get("last_name", None)
if first_name is None or last_name is None:
abort(400, message="first_name and last_name are required")
email = request.form.get("email", None)
if not Validate().email(email):
abort(400, message="invalid email")
try:
existing_account = ModelAccount.get(ModelAccount.email == email)
abort(400, message="Email address already in use")
except peewee.DoesNotExist:
# Expected
pass
account_type = request.form.get("account_type", None)
if account_type not in ["senior_admin", "user"]:
abort(400, message="account_type must be either senior_admin or user")
phone = request.form.get("phone", "")
# Configurable password regex?
password = request.form.get("password", None)
account = ModelAccount()
account.first_name = first_name
account.last_name = last_name
account.email = email
account.account_type = account_type
account.phone = phone
account.status = "active"
account.set_password(password)
account.save()
return {"status": "ok", "account": account.to_clean_dict()}, 201
def test_status_validation(self):
account = Account()
account.first_name = "Test"
account.last_name = "User"
account.email = "*****@*****.**"
account.account_type = "senior_admin"
# good
account.status = "active"
self.assertIsNone(account.validate())
# good
account.status = "inactive"
self.assertIsNone(account.validate())
# bad
account.status = "foobar"
with self.assertRaises(Exception) as cm:
account.validate()
self.assertEquals('Invalid status: foobar', cm.exception.message)
def put(self, account_id):
if self.auth.account.account_type != 'senior_admin':
if self.auth.account.account_id != account_id:
abort(
403,
message="Insufficient privileges to edit this account"
)
first_name = request.form.get("first_name", None)
last_name = request.form.get("last_name", None)
if first_name is None or last_name is None:
abort(400, message="first_name and last_name are required")
email = request.form.get("email", None)
if not Validate().email(email):
abort(400, message="invalid email")
try:
existing_account = ModelAccount.get(
ModelAccount.email == email,
ModelAccount.account_id != account_id
)
abort(400, message="Email address already in use")
except peewee.DoesNotExist:
# Expected
pass
account_type = request.form.get("account_type", None)
if account_type not in ["senior_admin", "user"]:
abort(
400,
message="account_type must be either system_admin or user"
)
status = request.form.get("status", None)
if status not in ["active", "inactive"]:
abort(400, message="status must be 'active' or 'inactive'")
phone = request.form.get("phone", None)
# Configurable password regex?
password = request.form.get("password", None)
try:
account = ModelAccount.get(ModelAccount.account_id == account_id)
except peewee.DoesNotExist:
abort(404, message="Account does not exist")
account.first_name = first_name
account.last_name = last_name
account.email = email
account.account_type = account_type
account.phone = phone
account.status = status
# only set password if it was provided
if password is not None:
account.set_password(password)
account.save()
data = {
"status": "ok",
"account": account.to_clean_dict()
}
response = make_response(self.serialize(data))
response.mimetype = 'application/json'
if (password is not None and
account.account_id == self.auth.account.account_id):
user_agent = request.headers.get('User-Agent')
generated_cookie = account.generate_cookie_value(
account,
user_agent
)
response.set_cookie('vegadns', generated_cookie)
return response
def post(self):
if self.auth.account.account_type != 'senior_admin':
abort(403, message="Insufficient privileges to create accounts")
first_name = request.form.get("first_name", None)
last_name = request.form.get("last_name", None)
if first_name is None or last_name is None:
abort(400, message="first_name and last_name are required")
email = request.form.get("email", None)
if not Validate().email(email):
abort(400, message="invalid email")
try:
existing_account = ModelAccount.get(ModelAccount.email == email)
abort(400, message="Email address already in use")
except peewee.DoesNotExist:
# Expected
pass
account_type = request.form.get("account_type", None)
if account_type not in ["senior_admin", "user"]:
abort(400,
message="account_type must be either senior_admin or user")
phone = request.form.get("phone", "")
# Configurable password regex?
password = request.form.get("password", None)
account = ModelAccount()
account.first_name = first_name
account.last_name = last_name
account.email = email
account.account_type = account_type
account.phone = phone
account.status = 'active'
account.set_password(password)
account.save()
self.dns_log(0, ("created account " + account.first_name + " " +
account.last_name + ", " + account.email))
return {'status': 'ok', 'account': account.to_clean_dict()}, 201
def get_or_create_account_oidc(self, email, userinfo):
try:
return Account.get(
Account.email == email,
Account.status == 'active'
)
except peewee.DoesNotExist:
pass
oidc_conf = config['oidc']
account = Account()
account.email = email
account.account_type = 'user'
account.status = 'active'
account.first_name = userinfo.get(oidc_conf.get('firstname_key'),'')
account.last_name = userinfo.get(oidc_conf.get('lastname_key'),'')
account.phone = userinfo.get(oidc_conf.get('phone_key'),'')
# Save the new user to the DB
account.save()
return account
def get_account(self, account_id):
return ModelAccount.get(
ModelAccount.account_id == account_id
)