def get_service(id):
    '''
    Return the metadata and decrypted credentials of one service.

    A caller holding the ``service`` role may only read its own record;
    callers in any other role pass this check unconditionally. The endpoint
    accepts basic authentication.

    Responses:
        200 -- JSON object with ``id``, ``credentials``, ``enabled``,
               ``revision``, ``modified_date`` and ``modified_by``.
        401 -- a ``service``-role caller asked for a different service id
               (this status is the existing contract for that case).
        404 -- no record for ``id``, or the record's ``data_type`` is
               neither ``service`` nor ``archive-service`` (empty body).
        500 -- ``_get_credentials`` raised ``KeyError`` while decrypting.
    '''
    # Service principals are confined to their own record.
    if authnz.user_in_role('service') and not authnz.user_is_service(id):
        log.warning('Authz failed for service {0}.'.format(id))
        msg = 'Authenticated user is not authorized.'
        return jsonify({'error': msg}), 401
    log.debug('Authz succeeded for service {0}.'.format(id))

    try:
        record = Service.get(id)
    except Service.DoesNotExist:
        record = None
    # Records of any other data_type are reported as missing rather than
    # exposed through this endpoint.
    if record is None or record.data_type not in ('service', 'archive-service'):
        return jsonify({}), 404

    try:
        decrypted = _get_credentials(record.credentials)
    except KeyError:
        return jsonify({'error': 'Decryption error.'}), 500

    body = {
        'id': record.id,
        'credentials': decrypted,
        'enabled': record.enabled,
        'revision': record.revision,
        'modified_date': record.modified_date,
        'modified_by': record.modified_by,
    }
    return jsonify(body)
def get_service(id):
    '''
    Look up a service by id and return its metadata plus decrypted
    credentials. Basic authentication is accepted on this endpoint.

    Only the ``service`` role is restricted to reading its own record;
    other roles reach the lookup unconditionally.

    Status codes: 200 on success; 401 when a ``service``-role caller asks
    for another service; 404 when the id is unknown or the record's
    ``data_type`` is not ``service``/``archive-service``; 500 when
    ``_get_credentials`` raises ``KeyError``.
    '''
    own_record_only = authnz.user_in_role('service')
    if own_record_only and not authnz.user_is_service(id):
        log.warning('Authz failed for service {0}.'.format(id))
        return jsonify({'error': 'Authenticated user is not authorized.'}), 401
    log.debug('Authz succeeded for service {0}.'.format(id))

    not_found = (jsonify({}), 404)
    try:
        svc = Service.get(id)
    except Service.DoesNotExist:
        return not_found
    # Only these two record types are served here; anything else is 404.
    visible_types = ('service', 'archive-service')
    if svc.data_type not in visible_types:
        return not_found

    try:
        creds = _get_credentials(svc.credentials)
    except KeyError:
        return jsonify({'error': 'Decryption error.'}), 500

    return jsonify({
        'id': svc.id,
        'credentials': creds,
        'enabled': svc.enabled,
        'revision': svc.revision,
        'modified_date': svc.modified_date,
        'modified_by': svc.modified_by,
    })
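    def decorated(*args, **kwargs):
        '''
        Authenticate the request, then call the wrapped view ``f``.

        Inner function of a decorator whose ``def`` line is above this block;
        ``f``, ``app``, ``_authomatic`` and ``users`` come from the enclosing
        scopes.

        With ``USE_AUTH`` unset the view runs with no checks at all.
        Otherwise one of two paths applies:

        * KMS auth -- a token arrives either as HTTP basic auth (username =
          caller, password = token) or as the ``X-Auth-From`` /
          ``X-Auth-Token`` headers; basic auth takes precedence when both
          are present. A token accepted by ``keymanager.decrypt_token``
          maps to the ``service`` role and sets ``g.auth_role`` and
          ``g.username``. A decryption failure, or a role without privilege
          for this view, yields 403.
        * Google OAuth2 -- every other request maps to the ``user`` role. A
          session already holding ``google_oauth2['email']`` is accepted,
          subject to the ``users`` allow-list when ``USERS_FILE`` is set.
          Otherwise the authomatic login flow runs; on success the session
          is populated and the client is redirected to ``index``.
        '''
        if not app.config.get('USE_AUTH'):
            return f(*args, **kwargs)

        auth = request.authorization
        headers = request.headers
        # NOTE(review): a basic-auth header whose password is None (rather
        # than '') still counts here and is handed to decrypt_token --
        # confirm that is intended.
        using_basic_kms_auth = (auth and auth.get('username')
                                and auth.get('password') != '')
        using_kms_auth = ('X-Auth-Token' in headers
                          and 'X-Auth-From' in headers)

        # User supplied basic auth info
        if using_basic_kms_auth or using_kms_auth:
            if using_basic_kms_auth:
                _from = auth['username']
                token = auth['password']
            else:
                _from = headers['X-Auth-From']
                token = headers['X-Auth-Token']
            try:
                with stats.timer('decrypt_token'):
                    payload = keymanager.decrypt_token(token, _from)
                # NOTE(review): the decrypted token payload is written to
                # the log at debug level; confirm it carries nothing that
                # must not reach log storage before enabling debug logging.
                log.debug('Auth request had the following payload:'
                          ' {0}'.format(payload))
                role = 'service'
                msg = 'Authenticated {0} with role {1} via kms auth'
                msg = msg.format(_from, role)
                log.debug(msg)
                # Privileges are keyed on the view's name. ``__name__`` is
                # the spelling of Python 2's ``func_name`` that also exists
                # on Python 3.
                if role_has_privilege(role, f.__name__):
                    g.auth_role = role
                    g.username = _from
                    return f(*args, **kwargs)
                else:
                    msg = '{0} is not authorized to access {1}.'
                    msg = msg.format(_from, f.__name__)
                    log.warning(msg)
                    return abort(403)
            except keymanager.TokenDecryptionError:
                # ``_from`` is caller-supplied and is logged verbatim.
                msg = 'Access denied for {0}. Authentication Failed.'
                msg = msg.format(_from)
                log.warning(msg)
                return abort(403)
        # If not using kms auth, require google auth.
        else:
            role = 'user'
            if not role_has_privilege(role, f.__name__):
                return abort(403)
            if 'email' in session.get('google_oauth2', []):
                # The allow-list is only enforced when USERS_FILE is set;
                # ``users`` is presumably loaded from that file elsewhere.
                if (app.config['USERS_FILE']
                        and get_logged_in_user_email() not in users):
                    msg = 'User not authorized: {0}'
                    log.warning(msg.format(get_logged_in_user_email()))
                    return abort(403)
                else:
                    g.auth_role = role
                    return f(*args, **kwargs)
            response = make_response()
            # Passed through to authomatic; presumably controls the Secure
            # flag on its cookie, so it follows the request scheme.
            secure_cookie = bool(request.is_secure)
            result = _authomatic.login(
                WerkzeugAdapter(request, response),
                'google',
                session=session,
                session_saver=lambda: app.save_session(session, response),
                secure_cookie=secure_cookie)
            if result:
                if result.error:
                    msg = 'Google auth failed with error: {0}'
                    log.error(msg.format(result.error.message))
                    return abort(403)
                if result.user:
                    result.user.update()
                    user = result.user
                    # Optional restriction of accepted accounts by e-mail
                    # suffix; skipped when the setting is empty.
                    email_suffix = app.config['GOOGLE_AUTH_EMAIL_SUFFIX']
                    if email_suffix and not user.email.endswith(email_suffix):
                        return abort(403)
                    session['google_oauth2'] = {}
                    session['google_oauth2']['email'] = user.email
                    session['google_oauth2']['first_name'] = user.first_name
                    session['google_oauth2']['last_name'] = user.last_name
                    g.auth_role = role
                    # TODO: find a way to save the angular args
                    # authomatic adds url params google auth has stripped the
                    # angular args anyway, so let's just redirect back to the
                    # index.
                    return redirect(url_for('index'))
            # No completed login yet: return whatever authomatic wrote into
            # ``response`` (presumably the provider redirect -- verify).
            return response
        return abort(403)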
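    def decorated(*args, **kwargs):
        """
        Authenticate the request, then call the wrapped view ``f``.

        Inner function of a decorator whose ``def`` line is above this block;
        ``f``, ``app``, ``_authomatic`` and ``users`` come from the enclosing
        scopes.

        With ``USE_AUTH`` unset the view runs with no checks at all.
        Otherwise one of two paths applies:

        * KMS auth -- a token arrives either as HTTP basic auth (username =
          caller, password = token) or as the ``X-Auth-From`` /
          ``X-Auth-Token`` headers; basic auth takes precedence when both
          are present. A token accepted by ``keymanager.decrypt_token``
          maps to the ``service`` role and sets ``g.auth_role`` and
          ``g.username``. A decryption failure, or a role without privilege
          for this view, yields 403.
        * Google OAuth2 -- every other request maps to the ``user`` role. A
          session already holding ``google_oauth2["email"]`` is accepted,
          subject to the ``users`` allow-list when ``USERS_FILE`` is set.
          Otherwise the authomatic login flow runs; on success the session
          is populated and the client is redirected to ``index``.
        """
        if not app.config.get("USE_AUTH"):
            return f(*args, **kwargs)

        auth = request.authorization
        headers = request.headers
        # NOTE(review): a basic-auth header whose password is None (rather
        # than "") still counts here and is handed to decrypt_token --
        # confirm that is intended.
        using_basic_kms_auth = auth and auth.get("username") and auth.get("password") != ""
        using_kms_auth = "X-Auth-Token" in headers and "X-Auth-From" in headers

        # User supplied basic auth info
        if using_basic_kms_auth or using_kms_auth:
            if using_basic_kms_auth:
                _from = auth["username"]
                token = auth["password"]
            else:
                _from = headers["X-Auth-From"]
                token = headers["X-Auth-Token"]
            try:
                with stats.timer("decrypt_token"):
                    payload = keymanager.decrypt_token(token, _from)
                # NOTE(review): the decrypted token payload is written to
                # the log at debug level; confirm it carries nothing that
                # must not reach log storage before enabling debug logging.
                log.debug("Auth request had the following payload: {0}".format(payload))
                role = "service"
                msg = "Authenticated {0} with role {1} via kms auth"
                msg = msg.format(_from, role)
                log.debug(msg)
                # Privileges are keyed on the view's name. ``__name__`` is
                # the spelling of Python 2's ``func_name`` that also exists
                # on Python 3.
                if role_has_privilege(role, f.__name__):
                    g.auth_role = role
                    g.username = _from
                    return f(*args, **kwargs)
                else:
                    msg = "{0} is not authorized to access {1}."
                    msg = msg.format(_from, f.__name__)
                    log.warning(msg)
                    return abort(403)
            except keymanager.TokenDecryptionError:
                # ``_from`` is caller-supplied and is logged verbatim.
                msg = "Access denied for {0}. Authentication Failed."
                msg = msg.format(_from)
                log.warning(msg)
                return abort(403)
        # If not using kms auth, require google auth.
        else:
            role = "user"
            if not role_has_privilege(role, f.__name__):
                return abort(403)
            if "email" in session.get("google_oauth2", []):
                # The allow-list is only enforced when USERS_FILE is set;
                # ``users`` is presumably loaded from that file elsewhere.
                if app.config["USERS_FILE"] and get_logged_in_user_email() not in users:
                    msg = "User not authorized: {0}"
                    log.warning(msg.format(get_logged_in_user_email()))
                    return abort(403)
                else:
                    g.auth_role = role
                    return f(*args, **kwargs)
            response = make_response()
            # Passed through to authomatic; presumably controls the Secure
            # flag on its cookie, so it follows the request scheme.
            secure_cookie = bool(request.is_secure)
            result = _authomatic.login(
                WerkzeugAdapter(request, response),
                "google",
                session=session,
                session_saver=lambda: app.save_session(session, response),
                secure_cookie=secure_cookie,
            )
            if result:
                if result.error:
                    msg = "Google auth failed with error: {0}"
                    log.error(msg.format(result.error.message))
                    return abort(403)
                if result.user:
                    result.user.update()
                    user = result.user
                    # Optional restriction of accepted accounts by e-mail
                    # suffix; skipped when the setting is empty.
                    email_suffix = app.config["GOOGLE_AUTH_EMAIL_SUFFIX"]
                    if email_suffix and not user.email.endswith(email_suffix):
                        return abort(403)
                    session["google_oauth2"] = {}
                    session["google_oauth2"]["email"] = user.email
                    session["google_oauth2"]["first_name"] = user.first_name
                    session["google_oauth2"]["last_name"] = user.last_name
                    g.auth_role = role
                    # TODO: find a way to save the angular args
                    # authomatic adds url params google auth has stripped the
                    # angular args anyway, so let's just redirect back to the
                    # index.
                    return redirect(url_for("index"))
            # No completed login yet: return whatever authomatic wrote into
            # ``response`` (presumably the provider redirect -- verify).
            return response
        return abort(403)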