def load_token(access_token=None, refresh_token=None): """ Callback to retrieve token info from given token string. Called from verify_request. Expiration verification is done afterwards in the library. """ log.info("OAuth:load_token(access=%s, refresh=%s)", access_token, refresh_token) try: if access_token: token_id = str("access_token_%s" % access_token) with _token_lock: token_obj = ui_instance.container.object_store.read(token_id) token = OAuthTokenObj.from_security_token(token_obj) if not token.is_valid(): log.info("OAuth: client used invalid access token") return None flask.g.oauth_user = token.user flask.g.actor_id = token.user["actor_id"] if "noextend" not in request.headers.get("scion-session", "") and \ ui_instance.extend_session_timeout and token.is_valid(check_expiry=True): new_expires = get_ion_ts_millis() + 1000 * ui_instance.session_timeout if ui_instance.max_session_validity: # Make sure token does not exceed maximum validity new_expires = min(new_expires, token_obj.attributes.get("ts_created", 0) + 1000 * ui_instance.max_session_validity) if (ui_instance.session_timeout <= 120 and new_expires > int(token_obj.expires)) or \ (ui_instance.session_timeout > 120 and new_expires - 60000 > int(token_obj.expires)): # Only extend session if by 60 sec (unless session is very short as in testing) # This reduces the likelihood of an extension for i in xrange(3): token_obj.expires = str(new_expires) try: ui_instance.container.object_store.update(token_obj) break except Conflict: # Concurrency conflict: random wait, then get most recent object rev gevent.sleep(random.random() * 0.05 * (i+1)) # Add some random delays token_obj = ui_instance.container.object_store.read(token_id) token = OAuthTokenObj.from_security_token(token_obj) log.info("Access token extended for user=%s", token.user["actor_id"]) # IGNORE session in ActorIdentity return token elif refresh_token: token_id = str("refresh_token_%s" % refresh_token) token_obj = ui_instance.container.object_store.read(token_id) token = OAuthTokenObj.from_security_token(token_obj) if not token.is_valid(): log.info("OAuth: client used invalid refresh token") return None flask.g.oauth_user = token.user flask.g.actor_id = token.user["actor_id"] return token except NotFound: pass return None
def load_token(access_token=None, refresh_token=None): """ Callback to retrieve token info from given token string. Called from verify_request. Expiration verification is done afterwards in the library. """ log.info("OAuth:load_token(access=%s, refresh=%s)", access_token, refresh_token) try: if access_token: token_id = str("access_token_%s" % access_token) token_obj = ui_instance.container.object_store.read(token_id) token = OAuthTokenObj.from_security_token(token_obj) if not token.is_valid(): log.info("OAuth: client used invalid access token") return None flask.g.oauth_user = token.user flask.g.actor_id = token.user["actor_id"] if ui_instance.extend_session_timeout and token.is_valid(check_expiry=True): new_expires = get_ion_ts_millis() + 1000 * ui_instance.session_timeout if ui_instance.max_session_validity: # Make sure token does not exceed maximum validity new_expires = min(new_expires, token_obj.attributes.get("ts_created", 0) + 1000 * ui_instance.max_session_validity) if new_expires > int(token_obj.expires): token_obj.expires = str(new_expires) ui_instance.container.object_store.update(token_obj) token = OAuthTokenObj.from_security_token(token_obj) log.info("Access token extended for user=%s", token.user["actor_id"]) # IGNORE session in ActorIdentity return token elif refresh_token: token_id = str("refresh_token_%s" % refresh_token) token_obj = ui_instance.container.object_store.read(token_id) token = OAuthTokenObj.from_security_token(token_obj) if not token.is_valid(): log.info("OAuth: client used invalid refresh token") return None flask.g.oauth_user = token.user flask.g.actor_id = token.user["actor_id"] return token except NotFound: pass return None
def load_token(access_token=None, refresh_token=None): log.info("OAuth:load_token access=%s refresh=%s", access_token, refresh_token) try: if access_token: token_id = str("access_token_%s" % access_token) token_obj = ui_instance.container.object_store.read(token_id) token = OAuthTokenObj.from_security_token(token_obj) flask.g.oauth_user = token.user flask.g.actor_id = token.user["actor_id"] flask.session["access_token"] = access_token flask.session["actor_id"] = token.user["actor_id"] return token elif refresh_token: token_id = str("refresh_token_%s" % refresh_token) token_obj = ui_instance.container.object_store.read(token_id) token = OAuthTokenObj.from_security_token(token_obj) flask.g.oauth_user = token.user flask.g.actor_id = token.user["actor_id"] return token except NotFound: pass return None
def get_governance_info_from_request(self, json_params=None): # Default values for governance headers. actor_id = DEFAULT_ACTOR_ID expiry = DEFAULT_EXPIRY authtoken = "" user_session = get_auth() #if user_session.get("actor_id", None) and user_session.get("valid_until", 0): if user_session.get("actor_id", None): # Get info from current server session # NOTE: Actor id may be inside server session expiry = int(user_session.get("valid_until", 0)) * 1000 if expiry: # This was a proper non-token server session authentication expiry = str(expiry) actor_id = user_session["actor_id"] log.info("Request associated with session actor_id=%s, expiry=%s", actor_id, expiry) else: # We are just taking the user_id out of the session # TODO: Need to check access token here expiry = str(expiry) if self.token_from_session: actor_id = user_session["actor_id"] log.info("Request associated with actor's token from session; actor_id=%s, expiry=%s", actor_id, expiry) # Developer access using api_key if self.develop_mode and "api_key" in request.args and request.args["api_key"]: actor_id = str(request.args["api_key"]) expiry = str(int(user_session.get("valid_until", 0)) * 1000) if 0 < int(expiry) < current_time_millis(): expiry = str(current_time_millis() + 10000) # flask.session["valid_until"] = int(expiry / 1000) log.info("Request associated with actor_id=%s, expiry=%s from developer api_key", actor_id, expiry) # Check in headers for OAuth2 bearer token auth_hdr = request.headers.get("authorization", None) if auth_hdr: valid, req = self.process.oauth.verify_request([self.process.oauth_scope]) if valid: actor_id = flask.g.oauth_user.get("actor_id", "") if actor_id: log.info("Request associated with actor_id=%s, expiry=%s from OAuth token", actor_id, expiry) return actor_id, DEFAULT_EXPIRY # Try to find auth token override if not authtoken: if json_params: if "authtoken" in json_params: authtoken = json_params["authtoken"] else: if "authtoken" in request.args: authtoken = str(request.args["authtoken"]) # Enable temporary authentication tokens to resolve to actor ids if authtoken: try: if authtoken.startswith(("Bearer_")): # Backdoor way for OAuth2 access tokens as request args for GET URLs authtoken = authtoken[7:] token_id = "access_token_" + str(authtoken) token_obj = self.process.container.object_store.read(token_id) token = OAuthTokenObj.from_security_token(token_obj) if token.is_valid(check_expiry=True): actor_id = token.user["actor_id"] expiry = str(token._token_obj.expires) log.info("Resolved OAuth2 token %s into actor_id=%s expiry=%s", authtoken, actor_id, expiry) else: token_info = self.idm_client.check_authentication_token(authtoken, headers=self._get_gateway_headers()) actor_id = token_info.get("actor_id", actor_id) expiry = token_info.get("expiry", expiry) log.info("Resolved token %s into actor_id=%s expiry=%s", authtoken, actor_id, expiry) except NotFound: log.info("Provided authentication token not found: %s", authtoken) except Unauthorized: log.info("Authentication token expired or invalid: %s", authtoken) except Exception as ex: log.exception("Problem resolving authentication token") return actor_id, expiry