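def auth_archiver():
    """Authenticate an archiver management request with HTTP Basic + LDAP.

    Returns a Flask ``(body, status[, headers])`` tuple.  Every 401 carries
    ``WWW-Authenticate: Basic`` so the client re-prompts for credentials and
    (re)sets the short-lived ``valid`` cookie checked on the next call.
    """
    logger = get_logger()
    # Never write credential-bearing headers to the log: Authorization holds
    # the base64 user:password pair, X-Ldap-BindPass the LDAP bind secret and
    # Cookie the TOKEN.  Log a redacted copy and only the cookie names.
    sensitive = {"authorization", "x-ldap-bindpass", "cookie"}
    safe_headers = {
        name: "<redacted>" if name.lower() in sensitive else value
        for name, value in request.headers.items()
    }
    logger.debug("Headers: %s", safe_headers)
    logger.debug("Cookie names: %s", list(request.cookies))
    basic_headers = {
        "WWW-Authenticate": "Basic",
        "Cache-Control": "no-store",
        "Set-Cookie": "valid=yes; Max-Age=10; HttpOnly",
    }
    # The "valid" cookie is an unsigned, client-supplied timer: once the 10 s
    # window set on the previous 401 has elapsed (or the client never sent it)
    # we answer 401 so the browser asks for credentials again.  It grants
    # nothing by itself -- the credentials are still verified below.
    if "valid" not in request.cookies:
        logger.warning("Authorization expired!")
        return "Authorization expired", 401, basic_headers
    try:
        auth = Auth(request.headers)
        user, passw = auth.get_user_pass()
    except Exception as e:
        # A missing or malformed Authorization header used to surface as a
        # 500; answer 401 with the Basic challenge instead, as the token
        # endpoint does.
        logger.warning("Bad Authorization header: %s", e)
        return "Access denied!", 401, basic_headers
    if not auth.authenticate(user, passw):
        logger.warning("Access denied!")
        return "Access denied!", 401, basic_headers
    return "Authorized!", 200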
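def auth_token_expire():
    """Forcefully expire the ``TOKEN`` cookie sent with the request.

    Deletes the token server-side and answers with a response whose
    ``Set-Cookie`` header clears the cookie in the client.  Returns 401 when
    no ``TOKEN`` cookie is present.
    """
    logger = get_logger()
    if "TOKEN" not in request.cookies:
        logger.warning("No TOKEN found.")
        return "TOKEN not found", 401
    delete_token(token=request.cookies["TOKEN"])
    res = flask.make_response()
    # expires=0 / max_age=0 is the portable way to clear a cookie.  The old
    # naive datetime.now() is treated as UTC by the cookie serializer, so on a
    # host east of UTC the "deleted" cookie stayed valid for hours.
    res.set_cookie("TOKEN", value="deleted", expires=0, max_age=0)
    return res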
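def auth_token_authorization():
    """Resolve the Basic ``Authorization`` value stored behind the ``TOKEN`` cookie.

    Returns 200 with an ``Authorization`` response header on success and 401
    when the cookie is missing or the token cannot be resolved.
    """
    logger = get_logger()
    # TODO: should the client be signalled to disconnect on failure?
    if "TOKEN" not in request.cookies:
        logger.warning("TOKEN not found in cookies.")
        return "TOKEN not found", 401
    try:
        authorization = get_from_token(request.cookies["TOKEN"])
    except Exception:
        # Keep the cause in the server log; echoing the exception text to the
        # client leaked backend/lookup details on every bad token.
        logger.exception("Failed to resolve TOKEN")
        return "Invalid TOKEN", 401
    return "Authorized", 200, {"Authorization": authorization}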
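def auth_token_generate():
    """Generate a ``TOKEN`` cookie from HTTP Basic credentials verified against LDAP.

    Returns 401 when the Authorization header is missing/malformed or the
    credentials are rejected; otherwise 200 with the cookie set.
    """
    logger = get_logger()
    try:
        auth = Auth(request.headers)
        user, passw = auth.get_user_pass()
    except Exception as e:
        # Log the detail; the client only needs to know the header was unusable.
        logger.error("Bad Authorization header: %s", e)
        return "Invalid Authorization header", 401
    if not auth.authenticate(user, passw):
        logger.warning("Access denied!")
        return "Access denied!", 401
    token = generate_token(auth.authorization)
    response = make_response("Token generated", 200)
    # The token stands in for the user's credentials, so keep it out of reach
    # of page scripts (HttpOnly), as the "valid" cookie in auth_archiver already
    # is.  secure=True / samesite= should follow once the deployment (TLS,
    # cross-site use) is confirmed.
    response.set_cookie("TOKEN", token, httponly=True)
    return response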
import base64
import ldap
from application.utils import get_logger

logger = get_logger()


class Auth:
    """HTTP Basic credentials plus the LDAP settings used to verify them.

    LDAP parameters are read from ``X-Ldap-*`` request headers with
    hard-coded fallbacks.  NOTE(review): this looks like the nginx
    ``auth_request`` convention, where the reverse proxy injects those
    headers; if this service is reachable without the proxy, a caller can
    choose the LDAP server and bind identity -- confirm it is not directly
    exposed.
    """

    def __init__(self, headers):
        # fmt: off
        self.authorization = headers.get("Authorization", None)
        self.bind_dn = headers.get("X-Ldap-BindDN", "cn=admin,dc=lnls,dc=br")
        # No fallback: the bind secret must arrive in the header.
        self.bind_pass = headers.get("X-Ldap-BindPass", None)
        self.group_base_dn = headers.get(
            "X-Ldap-Group-BaseDN", "ou=epics-archiver,ou=groups,dc=lnls,dc=br")
        # Comma-separated list of group CNs the user must belong to.
        self.group_cns = headers.get("X-Ldap-Group-CNs", "cn=archiver-admins").split(",")
        self.realm = headers.get("X-Ldap-Realm", "EPICS Archiver - MGMT Actions")
        # Kept as the raw header string ("false" by default), not a bool.
        self.starttls = headers.get("X-Ldap-Starttls", "false")
        self.url = headers.get("X-Ldap-URL", "ldap://10.0.38.42:389")
        self.user_base_dn = headers.get("X-Ldap-User-BaseDN", "ou=users,dc=lnls,dc=br")
        # fmt: on

    def get_user_pass(self):
        """Return the ``(user, password)`` pair from the ``Authorization`` header.

        Callers in this file unpack two values.  Raises ``Exception`` when
        the header is absent.
        """
        if self.authorization is None:
            raise Exception("No Authorization header!")