def inline_authz(self, permission_s: list, authc_token: AuthenticationToken=None): """ Non-decorator impl of the @requires() decorator for isolated and inline invocation. Returns authenticated user identity on success or raises an exception :param permission_s: list of Permission objects :param authc_token: optional authc token to use for the authc portion, if omitted or None, the flask request context is used :return: IdentityContext object """ try: with Yosai.context(self._yosai): # Context Manager functions try: try: if not authc_token: identity = self.authenticate(request_proxy) else: identity = self.authenticate_token(authc_token) if not identity.username: raise UnauthenticatedError('Authentication Required') except: raise UnauthenticatedError('Authentication Required') ApiRequestContextProxy.set_identity(identity) permissions_final = [] # Bind all the permissions as needed for perm in permission_s: domain = perm.domain if perm.domain else '*' action = perm.action if perm.action else '*' target = perm.target if perm.target else '*' permissions_final.append(Permission(domain, action, target)) # Do the authz on the bound permissions try: self.authorize(ApiRequestContextProxy.identity(), permissions_final) except UnauthorizedError as ex: raise ex except Exception as e: logger.exception('Error doing authz: {}'.format(e)) raise UnauthorizedError(permissions_final) return ApiRequestContextProxy.identity() finally: # Teardown the request context ApiRequestContextProxy.set_identity(None) except UnauthorizedError as ex: return make_response_error(str(ex), in_httpcode=403), 403 except UnauthenticatedError as ex: return Response(response='Unauthorized', status=401, headers=[('WWW-Authenticate', 'basic realm="Authentication required"')]) except AnchoreApiError: raise except Exception as ex: logger.exception('Unexpected exception: {}'.format(ex)) return make_response_error('Internal error', in_httpcode=500), 500
def add_credential(credential): """ POST /user/credentials The same logic as /users/{userId}/credentials, but gets the userId from the auth context rather than path. This is for use by regular (non-admin) users to update their own credentials. :param credential: :return: credential json object """ try: if credential['type'] != UserAccessCredentialTypes.password.value: return make_response_error('Invalid credential type', in_httpcode=400), 400 else: cred_type = UserAccessCredentialTypes(credential['type']) with session_scope() as session: mgr = identities.manager_factory.for_session(session) user = ApiRequestContextProxy.identity().username result = mgr.add_user_credential(username=user, credential_type=cred_type, value=credential['value']) return credential_db_to_msg(result), 200 except Exception as ex: logger.exception('API Error') return make_response_error(errmsg=str(ex), in_httpcode=500), 500
def get_user(): """ GET /user :return: User json object """ try: with session_scope() as session: mgr = identities.manager_factory.for_session(session) usr = mgr.get_user(ApiRequestContextProxy.identity().username) return user_db_to_msg(usr), 200 except Exception as ex: logger.exception('API Error') return make_response_error(errmsg=str(ex), in_httpcode=500), 500
def create_analysis_archive_rule(rule): """ POST /archives/rules :param rule: the rule's json object definition :return: """ # Permission check on the system_global field, only admins if rule.get('system_global'): perm = ':'.join( ['createArchiveTransitionRule', GLOBAL_RESOURCE_DOMAIN, '*']) # Will raise exception if unauthorized authorizer.authorize(ApiRequestContextProxy.identity(), [perm]) client = internal_client_for(CatalogClient, ApiRequestContextProxy.namespace()) try: return handle_proxy_response(client.add_analysis_archive_rule(rule)) except Exception as ex: return handle_proxy_response(ex)
def get_credentials(): """ GET /user/credentials Fetches the credentials list for the authenticated user :return: """ try: with session_scope() as session: mgr = identities.manager_factory.for_session(session) usr = mgr.get_user(ApiRequestContextProxy.identity().username) creds = [ credential_db_to_msg( usr.get('credentials')[UserAccessCredentialTypes.password]) ] if creds is None: return [], 200 else: return creds, 200 except Exception as ex: logger.exception('API Error') return make_response_error(errmsg=str(ex), in_httpcode=500), 500
def lookup_account_type_from_identity(identity): if ApiRequestContextProxy.identity().username == identity: return ApiRequestContextProxy.identity().user_account_type else: return None