def validate_token(token_id): token_data = do_validate_token(token_id) if token_data: resp = flask.make_response(json.dumps(token_data)) resp.headers['Content-Type'] = 'application/json' return resp else: flask.abort(404)
def wrapped_f(*args, **kwargs): req = flask.request log.debug("Handling %s to %s" % ( req.method, req.path ) ) # Try to get the user's roles try: token_data = do_validate_token(req.headers['x-auth-token']) except KeyError: flask.abort(401) return log.debug("Token data: %s" % token_data) if token_data is None or token_data is False: flask.abort(401) return # This might be false for a variety of reasons, all of which amount to # failed auth in some form. if len(token_data['user']['roles']) < 1: log.debug("Aborting request due to bad role check") flask.abort(401) return # If the user is disabled, fail, even if other roles are present if 'disabled' in token_data['user']['roles']: log.debug("User is disabled") flask.abort(401) return # We're given a list of allowed roles. If "strict" is on, the user must # be in all roles (AND). If not, the user must be in at least one role (OR). if self.strict: allowed = True for role in token_data['user']['roles']: if role not in self.allowed_roles: allowed = False break if not allowed: log.debug("User is not allowed!") flask.abort(401) return else: allowed = False for role in token_data['user']['roles']: log.debug("Comparing user role %s against allowed roles %s" % ( role, self.allowed_roles ) ) if role in self.allowed_roles: log.debug("User is allowed!") allowed = True break if not allowed: log.debug("User not allowed!") flask.abort(401) return return f(*args, **kwargs)
def token_in_req_contains_role(req, role): """Returns True if the request has a valid X-Auth-Token header that shows the user is in the provided role. Returns False if the token's user is *not* in the role. Returns None if no token was provided. """ try: token_data = do_validate_token(req.headers['x-auth-token']) except KeyError: return None print "Roles: %s" % token_data['user']['roles'] if roles: if role in roles: return True return False
def update_password(username): # Because we need to verify that either the user making the request is # an administrator or that the request is being made to change the password # of the user making the request, this function cannot use the # @Authenticated decorator, and we must do a special kind of auth here. req = flask.request req_data = {} try: req_data = json.loads(req.data) print("Request data: %s" % req_data) except ValueError: flask.abort(400) authorized = False try: token_data = do_validate_token(req.headers['x-auth-token']) except KeyError: token_data = None if token_data is not None: if token_data['user']['username'] == username: authorized = True else: if shared.token_in_req_contains_role(req, 'administrator'): authorized = True # Next line is for debugging ONLY # authorized = True if authorized: session = data.session() users = session.query(data.User).filter_by(username=username) if users.count() >= 1: user = users.first() user.salt = shared.generate_salt() user.pwhash = hashlib.sha512("".join([req_data['password'], user.salt])).hexdigest() session.commit() return '' else: flask.abort(400) else: flask.abort(401)