def createUser(dbSession, user, requester): # drop invalid fields user = {k: user[k] for k in user if k in User.fillable} checkUser(user) anotherUser = dbSession.query(User.id) \ .filter_by(username=user['username']).one_or_none() if anotherUser: raise HTTPRequestError(400, "username '" + user['username'] + "' is in use.") anotherUser = dbSession.query(User.id) \ .filter_by(email=user['email']).one_or_none() if anotherUser: raise HTTPRequestError(400, "Email '" + user['email'] + "' is in use.") if conf.emailHost == 'NOEMAIL': user['salt'], user['hash'] = passwd.createPwd(conf.temporaryPassword) user['created_by'] = requester['userid'] newUser = User(**user) log().info('user ' + user['username'] + ' created by ' + requester['username'], newUser.safeDict()) return newUser
def getUserDirectPermissions(dbSession, user): try: user = User.getByNameOrID(user) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "No user found with this username or ID") return user.permissions
def getUserGrups(dbSession, user): try: user = User.getByNameOrID(user) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "No user found with this username or ID") else: return user.groups
def get_user_groups(db_session, user): try: user = User.getByNameOrID(user) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No user found with this username or ID") else: return user.groups
def add_user_group(db_session, user, group, requester): try: user = User.get_by_name_or_id(user) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, f"No user found with this ID or name: {user}") try: group = Group.get_by_name_or_id(group) except orm_exceptions.NoResultFound: raise HTTPRequestError( 404, f"No group found with this ID or name: {group}") if db_session.query(UserGroup).filter_by(user_id=user.id, group_id=group.id).one_or_none(): raise HTTPRequestError(409, "User is already a member of the group") r = UserGroup(user_id=user.id, group_id=group.id) db_session.add(r) cache.delete_key(userid=user.id) user.reset_token() db_session.add(user) log().info( f"user {user.username} added to group {group.name} by {requester['username']}" ) db_session.commit()
def updateUser(dbSession, user, updatedInfo, requester): # Drop invalid fields updatedInfo = { k: updatedInfo[k] for k in updatedInfo if k in User.fillable } oldUser = User.getByNameOrID(user) if 'username' in updatedInfo.keys() \ and updatedInfo['username'] != oldUser.username: raise HTTPRequestError(400, "usernames can't be updated") checkUser(updatedInfo) # Verify if the email is in use by another user if 'email' in updatedInfo.keys() and updatedInfo['email'] != oldUser.email: anotherUser = dbSession.query(User) \ .filter_by(email=updatedInfo['email']) \ .one_or_none() if anotherUser: raise HTTPRequestError(400, "email already in use") log().info('user ' + oldUser.username + ' updated by ' + requester['username'], {'oldUser': oldUser.safeDict(), 'newUser': updatedInfo}) if 'name' in updatedInfo.keys(): oldUser.name = updatedInfo['name'] if 'service' in updatedInfo.keys(): oldUser.service = updatedInfo['service'] if 'email' in updatedInfo.keys(): oldUser.email = updatedInfo['email'] return oldUser
def deleteUser(dbSession, user, requester): try: user = User.getByNameOrID(user) if user.id == requester['userid']: raise HTTPRequestError(400, "a user can't remove himself") dbSession.execute( UserPermission.__table__.delete(UserPermission.user_id == user.id) ) dbSession.execute( UserGroup.__table__.delete(UserGroup.user_id == user.id) ) cache.deleteKey(userid=user.id) # The user is not hardDeleted. # it should be copied to inactiveUser table inactiveTables.PasswdInactive.createInactiveFromUser(dbSession, user,) inactiveTables.UserInactive.createInactiveFromUser(dbSession, user, requester['userid']) passwd.expirePasswordResetRequests(dbSession, user.id) dbSession.delete(user) log().info('user ' + user.username + ' deleted by ' + requester['username'], user.safeDict()) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "No user found with this ID")
def create_users(): predef_users = [ { "name": "testadm", "username": "******", "service": "admin", "email": "*****@*****.**", "profile": "testadm", "passwd": "admin" } ] for user in predef_users: # check if the user already exists # if the user exist, chances are this scrip has been run before print("Querying database for user {}".format(user)) another_user = db.session.query(User.id) \ .filter_by(username=user['username']) \ .one_or_none() if another_user: print("This is not the first container run. Skipping") exit(0) print("Database access returned.") # mark the user as automatically created user['created_by'] = 0 # hash the password user['salt'] = str(binascii.hexlify(os.urandom(8)), 'ascii') user['hash'] = crypt(user['passwd'], user['salt'], 1000).split('$').pop() del user['passwd'] print("Creating a new instance of this user.") new_user = User(**user) print("New instance created.") # configure kong shared secret kong_data = kong.configure_kong(new_user.username) if kong_data is None: print('failed to configure verification subsystem') exit(-1) new_user.secret = kong_data['secret'] new_user.key = kong_data['key'] new_user.kongId = kong_data['kongid'] db.session.add(new_user) db.session.commit()
def update_user(db_session, user: str, updated_info, requester) -> (dict, str): """ Updates all the information about a particular user. :param db_session: The postgres session to be used. :param user: The user ID to be updated. :param updated_info: The new data. :param requester: Who is requiring this update. :return: The old information (a dictionary containing the old information about the user and the old service. :raises HTTPRequestError: If the username is different from the original (this field cannot be updated). """ # Drop invalid fields updated_info = { k: updated_info[k] for k in updated_info if k in User.fillable } user = User.get_by_name_or_id(user) old_user = user.safe_dict() old_service = user.service if 'username' in updated_info.keys() \ and updated_info['username'] != user.username: raise HTTPRequestError(400, "usernames can't be updated") # check_user function needs username. updated_info['username'] = user.username check_user(updated_info) # Verify if the email is in use by another user if 'email' in updated_info.keys() and updated_info['email'] != user.email: if db_session.query(User).filter_by( email=updated_info['email']).one_or_none(): raise HTTPRequestError(400, "email already in use") log().info(f"user {user.username} updated by {requester['username']}") log().info({'oldUser': user.safe_dict(), 'newUser': updated_info}) # Update all new data. if 'name' in updated_info.keys(): user.name = updated_info['name'] if 'service' in updated_info.keys(): user.service = updated_info['service'] if 'email' in updated_info.keys(): user.email = updated_info['email'] db_session.add(user) db_session.commit() # Publish messages related to service creation/deletion if count_tenant_users(db_session, old_service) == 0: log().info(f"will emit tenant lifecycle event {old_service} - DELETE") Publisher.send_notification({"type": 'DELETE', 'tenant': old_service}) if count_tenant_users(db_session, user.service) == 1: log().info(f"will emit tenant lifecycle event {user.service} - CREATE") Publisher.send_notification({"type": 'CREATE', 'tenant': user.service}) return old_user, old_service
def createUsers(): predefusers = [ { "name": "Admin (superuser)", "username": "******", "service": "admin", "email": "*****@*****.**", "profile": "admin", "passwd": "admin" } ] for user in predefusers: # check if the user already exist # if the user exist, chances are this scrip has been run before anotherUser = db.session.query(User.id) \ .filter_by(username=user['username']) \ .one_or_none() if anotherUser: print("That not the first container run. Skipping") exit(0) # mark the user as automatically created user['created_by'] = 0 # hash the password user['salt'] = str(binascii.hexlify(os.urandom(8)), 'ascii') user['hash'] = crypt(user['passwd'], user['salt'], 1000).split('$').pop() del user['passwd'] newUser = User(**user) # configure kong shared secret kongData = kong.configureKong(newUser.username) if kongData is None: print('failed to configure verification subsystem') exit(-1) newUser.secret = kongData['secret'] newUser.key = kongData['key'] newUser.kongId = kongData['kongid'] db.session.add(newUser) db.session.commit()
def delete_user(db_session, username: str, requester): """ Deletes an user from the system :param db_session: The postgres session to be used :param username: String The user to be removed :param requester: Who is creating this user. This is a dictionary with two keys: "userid" and "username" :return: The removed user :raises HTTPRequestError: If the user tries to remove itself. :raises HTTPRequestError: Can't delete the admin user. :raises HTTPRequestError: If the user is not in the database. """ try: user = User.get_by_name_or_id(username) if user.id == requester['userid']: raise HTTPRequestError(400, "a user can't remove himself") elif user.username == 'admin': raise HTTPRequestError(405, "Can't delete the admin user") db_session.execute( UserPermission.__table__.delete(UserPermission.user_id == user.id)) db_session.execute( UserGroup.__table__.delete(UserGroup.user_id == user.id)) cache.delete_key(userid=user.id) # The user is not hardDeleted. # it should be copied to inactiveUser table inactiveTables.PasswdInactive.createInactiveFromUser( db_session, user, ) inactiveTables.UserInactive.createInactiveFromUser( db_session, user, requester['userid']) password.expire_password_reset_requests(db_session, user.id) db_session.delete(user) LOGGER.info(f"user {user.username} deleted by {requester['username']}") LOGGER.info(user.safe_dict()) kongUtils.remove_from_kong(user.username) MVUserPermission.refresh() MVGroupPermission.refresh() db_session.commit() if count_tenant_users(db_session, user.service) == 0: LOGGER.info( f"will emit tenant lifecycle event {user.service} - DELETE") Publisher.send_notification({ "type": 'DELETE', 'tenant': user.service }) return user except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No user found with this ID")
def get_all_user_permissions(db_session, user): try: user = User.getByNameOrID(user) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No user found with this username or ID") permissions = user.permissions permissions += [ perm for group in user.groups for perm in group.permissions ] # drop possible duplicates return list({v.id: v for v in permissions}.values())
def add_user_groups(): predef_user_group = [ { "name": "admin", "groups": ["admin"] }, ] for user in predef_user_group: user_id = User.getByNameOrID(user['name']).id for group_name in user['groups']: r = UserGroup(user_id=user_id, group_id=Group.getByNameOrID(group_name).id) db.session.add(r) db.session.commit()
def add_user_groups(): predef_user_group = [ { "name": "testadm", "groups": ["testadm"] }, ] for user in predef_user_group: user_id = User.get_by_name_or_id(user['name']).id for group_name in user['groups']: r = UserGroup(user_id=user_id, group_id=Group.get_by_name_or_id(group_name).id) db.session.add(r) db.session.commit()
def removeUserGroup(dbSession, user, group, requester): try: user = User.getByNameOrID(user) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "No user found with this ID or name") try: group = Group.getByNameOrID(group) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "No group found with this ID or name") try: relation = dbSession.query(UserGroup) \ .filter_by(user_id=user.id, group_id=group.id).one() dbSession.delete(relation) cache.deleteKey(userid=user.id) log().info('user ' + user.username + ' removed from ' + group.name + ' by ' + requester['username']) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "User is not a member of the group")
def remove_user_group(db_session, user, group, requester): try: user = User.get_by_name_or_id(user) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No user found with this ID or name") try: group = Group.get_by_name_or_id(group) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No group found with this ID or name") try: relation = db_session.query(UserGroup) \ .filter_by(user_id=user.id, group_id=group.id).one() db_session.delete(relation) cache.delete_key(userid=user.id) log().info(f"user {user.username} removed from {group.name} by {requester['username']}") db_session.commit() except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "User is not a member of the group")
def removeUserPermission(dbSession, user, permission, requester): try: user = User.getByNameOrID(user) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "No user found with this ID or name") try: perm = Permission.getByNameOrID(permission) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "No permission found with this ID") try: relation = dbSession.query(UserPermission) \ .filter_by(user_id=user.id, permission_id=perm.id).one() dbSession.delete(relation) cache.deleteKey(userid=user.id, action=perm.method, resource=perm.path) log().info('user ' + user.username + ' removed permission ' + perm.name + ' by ' + requester['username']) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "User does not have this permission")
def resetPassword(dbSession, link, resetData): if 'passwd' not in resetData.keys(): raise HTTPRequestError(400, 'missing password') try: resetRequest = dbSession.query(PasswordRequest). \ filter_by(link=link).one() if chechRequestValidity(dbSession, resetRequest): user = User.getByNameOrID(resetRequest.user_id) user.salt, user.hash = update(dbSession, user, resetData['passwd']) # remove this used reset request PasswordRequestInactive.createInactiveFromRequest( dbSession, resetRequest) dbSession.delete(resetRequest) return user else: raise HTTPRequestError(404, 'Page not found or expired') except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, 'Page not found or expired')
def reset_password(db_session, link, reset_data): if 'passwd' not in reset_data.keys(): raise HTTPRequestError(400, 'missing password') try: reset_request = db_session.query(PasswordRequest). \ filter_by(link=link).one() if check_request_validity(db_session, reset_request): user = User.get_by_name_or_id(reset_request.user_id) user.salt, user.hash = update(db_session, user, reset_data['passwd']) # remove this used reset request PasswordRequestInactive.createInactiveFromRequest(db_session, reset_request) db_session.delete(reset_request) return user else: raise HTTPRequestError(404, 'Page not found or expired') except orm_exceptions.NoResultFound: raise HTTPRequestError(404, 'Page not found or expired')
def addUserGroup(dbSession, user, group, requester): try: user = User.getByNameOrID(user) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "No user found with this ID or name") try: group = Group.getByNameOrID(group) except sqlalchemy.orm.exc.NoResultFound: raise HTTPRequestError(404, "No group found with this ID or name") if dbSession.query(UserGroup).filter_by(user_id=user.id, group_id=group.id).one_or_none(): raise HTTPRequestError(409, "User is already a member of the group") r = UserGroup(user_id=user.id, group_id=group.id) dbSession.add(r) cache.deleteKey(userid=user.id) log().info('user ' + user.username + ' added to group ' + group.name + ' by ' + requester['username'])
def remove_user_permission(db_session, user, permission, requester): try: user = User.get_by_name_or_id(user) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No user found with this ID or name") try: perm = Permission.get_by_name_or_id(permission) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No permission found with this ID") try: relation = db_session.query(UserPermission) \ .filter_by(user_id=user.id, permission_id=perm.id).one() db_session.delete(relation) cache.delete_key(userid=user.id, action=perm.method, resource=perm.path) log().info(f"permission {perm.name} for user {user.username} was revoked by {requester['username']}") MVUserPermission.refresh() db_session.commit() except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "User does not have this permission")
def add_user_permission(db_session, user, permission, requester): try: user = User.getByNameOrID(user) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No user found with this ID or name") try: perm = Permission.getByNameOrID(permission) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No permission found with this ID") if db_session.query(UserPermission) \ .filter_by(user_id=user.id, permission_id=perm.id).one_or_none(): raise HTTPRequestError(409, "User already have this permission") r = UserPermission(user_id=user.id, permission_id=perm.id) db_session.add(r) cache.delete_key(userid=user.id, action=perm.method, resource=perm.path) log().info('user ' + user.username + ' received permission ' + perm.name + ' by ' + requester['username'])
def add_user_permission(db_session, user, permission, requester): try: user = User.get_by_name_or_id(user) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No user found with this ID or name") try: perm = Permission.get_by_name_or_id(permission) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No permission found with this ID") if db_session.query(UserPermission) \ .filter_by(user_id=user.id, permission_id=perm.id).one_or_none(): raise HTTPRequestError(409, "User already have this permission") r = UserPermission(user_id=user.id, permission_id=perm.id) db_session.add(r) cache.delete_key(userid=user.id, action=perm.method, resource=perm.path) MVUserPermission.refresh() db_session.commit() log().info( f"user {user.username} received permission {perm.name} by {requester['username']}" )
def get_user_direct_permissions(db_session, user): try: user = User.get_by_name_or_id(user) except orm_exceptions.NoResultFound: raise HTTPRequestError(404, "No user found with this username or ID") return user.permissions
def create_user(db_session, user: User, requester): """ Create a new user. :param db_session: The postgres db session to be used :param user: User The user to be created. This is a simple dictionary with all 'fillable' field listed in Models.User class. :param requester: Who is creating this user. This is a dictionary with two keys: "userid" and "username" :return: The result of creating this user. :raises HTTPRequestError: If username is already in use :raises HTTPRequestError: If e-mail is already in use :raises HTTPRequestError: If any problem occurs while configuring Kong """ # Drop invalid fields user = {k: user[k] for k in user if k in User.fillable} check_user(user) # Sanity checks # Check whether username and e-mail are unique. if db_session.query( User.id).filter_by(username=user['username']).one_or_none(): raise HTTPRequestError(400, f"Username {user['username']} is in use.") if db_session.query(User.id).filter_by(email=user['email']).one_or_none(): raise HTTPRequestError(400, f"E-mail {user['email']} is in use.") if conf.emailHost == 'NOEMAIL': user['salt'], user['hash'] = password.create_pwd( conf.temporaryPassword) # Last field to be filled automatically, before parsing user['created_by'] = requester['userid'] # User structure is finished. new_user = User(**user) log().info(f"User {user['username']} created by {requester['username']}") log().info(new_user) # If no problems occur to create user (no exceptions), configure kong kong_data = kongUtils.configure_kong(new_user.username) if kong_data is None: raise HTTPRequestError(500, 'failed to configure verification subsystem') new_user.secret = kong_data['secret'] new_user.key = kong_data['key'] new_user.kongId = kong_data['kongid'] # Add the new user to the database db_session.add(new_user) db_session.commit() # Configuring groups and user profiles group_success = [] group_failed = [] if 'profile' in user.keys(): group_success, group_failed = rship. \ add_user_many_groups(db_session, new_user.id, user['profile'], requester) db_session.commit() if conf.emailHost != 'NOEMAIL': pwdc.create_password_set_request(db_session, new_user) db_session.commit() if count_tenant_users(db_session, new_user.service) == 1: log().info( f"Will emit tenant lifecycle event {new_user.service} - CREATE") send_notification({"type": 'CREATE', 'tenant': new_user.service}) ret = { "user": new_user.safe_dict(), "groups": group_success, "could not add": group_failed, "message": "user created" } return ret
def getUser(dbSession, user): try: user = User.getByNameOrID(user) return user except (sqlalchemy.orm.exc.NoResultFound, ValueError): raise HTTPRequestError(404, "No user found with this ID")
def get_user(db_session, user): try: user = User.get_by_name_or_id(user) return user except (orm_exceptions.NoResultFound, ValueError): raise HTTPRequestError(404, "No user found with this ID")
def create_user(db_session, user: User, requester): """ Create a new user. :param db_session: The postgres db session to be used :param user: User The user to be created. This is a simple dictionary with all 'fillable' field listed in Models.User class. :param requester: Who is creating this user. This is a dictionary with two keys: "userid" and "username" :return: The result of creating this user. :raises HTTPRequestError: If username is already in use :raises HTTPRequestError: If e-mail is already in use :raises HTTPRequestError: If any problem occurs while configuring Kong """ # Drop invalid fields user = {k: user[k] for k in user if k in User.fillable} LOGGER.debug("Checking user data...") check_user(user) LOGGER.debug("... user data is OK.") if not user.get('profile', ""): raise HTTPRequestError(400, "Missing profile") if len(user['profile']) > UserLimits.profile: raise HTTPRequestError(400, "Profile name too long") # Sanity checks # Check whether username and e-mail are unique. LOGGER.debug("Checking whether user already exist...") if db_session.query( User.id).filter_by(username=user['username']).one_or_none(): LOGGER.warning("User already exists.") raise HTTPRequestError(400, f"Username {user['username']} is in use.") LOGGER.debug("... user doesn't exist.") LOGGER.debug("Checking whether user e-mail is already being used...") if db_session.query(User.id).filter_by(email=user['email']).one_or_none(): LOGGER.warning("User e-mail is already being used.") raise HTTPRequestError(400, f"E-mail {user['email']} is in use.") LOGGER.debug("... user e-mail is not being used.") if conf.emailHost == 'NOEMAIL': user['salt'], user['hash'] = password.create_pwd( conf.temporaryPassword) # Last field to be filled automatically, before parsing user['created_by'] = requester['userid'] # User structure is finished. LOGGER.debug("Creating user instance...") new_user = User(**user) LOGGER.debug("... user instance was created.") LOGGER.debug( f"User data is: {user['username']} created by {requester['username']}") # If no problems occur to create user (no exceptions), configure kong LOGGER.debug("Configuring Kong...") kong_data = kongUtils.configure_kong(new_user.username) if kong_data is None: LOGGER.warning("Could not configure Kong.") raise HTTPRequestError(500, 'failed to configure verification subsystem') LOGGER.debug("... Kong was successfully configured.") new_user.secret = kong_data['secret'] new_user.key = kong_data['key'] new_user.kongId = kong_data['kongid'] # Add the new user to the database LOGGER.debug("Adding new user to database session...") db_session.add(new_user) LOGGER.debug("... new user was added to database session.") LOGGER.debug("Committing database changes...") db_session.commit() LOGGER.debug("... database changes were committed.") # Configuring groups and user profiles group_success = [] group_failed = [] LOGGER.debug("Configuring user profile...") if 'profile' in user.keys(): group_success, group_failed = rship. \ add_user_many_groups(db_session, new_user.id, user['profile'], requester) db_session.commit() LOGGER.debug("... user profile was configured.") LOGGER.debug("Configuring user password...") if conf.emailHost != 'NOEMAIL': try: pwdc.create_password_set_request(db_session, new_user) db_session.commit() except Exception as e: LOGGER.warning(e) LOGGER.debug("... user password was configured.") LOGGER.debug("Sending tenant creation message to other components...") if count_tenant_users(db_session, new_user.service) == 1: LOGGER.info( f"Will emit tenant lifecycle event {new_user.service} - CREATE") Publisher.send_notification({ "type": 'CREATE', 'tenant': new_user.service }) LOGGER.debug("... tenant creation message was sent.") ret = { "user": new_user.safe_dict(), "groups": group_success, "could not add": group_failed, "message": "user created" } return ret