def get_default_account(identity, type, oldest_if_none=False, session=None):
    """
    Retrieves the default account mapped to an identity.

    :param identity: The identity key name. For example, x509DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, saml, oidc).
    :param oldest_if_none: If True and no default account is found, the oldest
                           known association of that identity (by created_at)
                           is used instead; if False, an IdentityError is raised.
    :param session: The database session to use.
    :returns: The account name of the selected association.
    :raises IdentityError: If there is no default account (and oldest_if_none is
                           False), or if the identity has no account at all.
    """
    association_model = models.IdentityAccountAssociation
    # Shared base query: every association belonging to this identity/type pair.
    by_identity = session.query(association_model).filter_by(identity=identity,
                                                              identity_type=type)

    # Prefer the association explicitly flagged as the default.
    association = by_identity.filter_by(is_default=True).first()
    if association is not None:
        return association.account

    if not oldest_if_none:
        raise exception.IdentityError('There is no default account for identity (%s, %s)' % (identity, type))

    # No explicit default: fall back to the earliest-created association.
    association = by_identity.order_by(asc(association_model.created_at)).first()
    if association is None:
        raise exception.IdentityError('There is no account for identity (%s, %s)' % (identity, type))
    return association.account
def add_identity(identity, type, email, password=None, session=None):
    """
    Creates a user identity.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, ssh, saml, oidc)
    :param email: The Email address associated with the identity.
    :param password: If type==userpass, this sets the password.
    :param session: The database session in use.
    :raises IdentityError: If type is USERPASS and no password was given.
    :raises Duplicate: If an identity with the same (identity, type) pair already exists.
    :raises DatabaseException: For any other IntegrityError raised while saving.
    """

    # A userpass identity is unusable without a password, so refuse early.
    if type == IdentityType.USERPASS and password is None:
        raise exception.IdentityError('You must provide a password!')

    new_id = models.Identity()
    new_id.update({'identity': identity, 'identity_type': type, 'email': email})

    # Given the guard above, `password is not None` always holds here for
    # USERPASS; the repeated check is purely defensive.
    if type == IdentityType.USERPASS and password is not None:
        salt = os.urandom(255)  # 255 bytes from the OS CSPRNG (NOTE(review): not "the length of the hash" -- a SHA-256 digest is 32 bytes)
        # NOTE(review): the stored credential is a single SHA-256 round over
        # salt + password rather than a dedicated password KDF (PBKDF2, bcrypt,
        # scrypt, argon2). Changing the scheme requires migrating existing rows
        # and updating the verification path, which is not visible in this file.
        if six.PY3:
            # On Python 3 the salt is base64-encoded before concatenation, while
            # the `salt` column below stores the raw bytes; any verifier must
            # rebuild exactly this salt + password string to get the same digest.
            decoded_salt = b64encode(salt).decode()
            salted_password = ('%s%s' % (decoded_salt, password)).encode()
        else:
            # Python 2 path: the raw salt bytes are concatenated directly, so
            # (presumably) the two interpreters derive different digests for
            # the same salt and password.
            # NOTE(review): the format literal on this line looks mangled in
            # this listing; confirm it against the upstream source.
            salted_password = '******' % (salt, str(password))
        password = hashlib.sha256(salted_password).hexdigest()  # hash it
        # `password` now holds the hex digest, so the plaintext is never persisted.
        new_id.update({'salt': salt, 'password': password, 'email': email})
    try:
        new_id.save(session=session)
    except IntegrityError as e:
        # 1062 is MySQL's duplicate-key error code; integrity errors from other
        # backends (or other causes) fall through to the generic exception.
        if match('.*IntegrityError.*1062.*Duplicate entry.*for key.*', e.args[0]):
            raise exception.Duplicate('Identity pair \'%s\',\'%s\' already exists!' % (identity, type))
        raise exception.DatabaseException(str(e))
def del_identity(identity, type, session=None):
    """
    Deletes a user identity.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, saml, oidc).
    :param session: The database session in use.
    :raises IdentityError: If no identity with that (identity, type) pair exists.
    """

    # Local is named `row` so the builtin `id` is not shadowed.
    row = (session.query(models.Identity)
                  .filter_by(identity=identity, identity_type=type)
                  .first())
    if row is None:
        raise exception.IdentityError('Identity (\'%s\',\'%s\') does not exist!' % (identity, type))
    row.delete(session=session)
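def del_account_identity(identity, type, account, session=None):
    """
    Removes a membership association between identity and account.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, saml, oidc).
    :param account: The account name.
    :param session: The database session in use.
    :raises IdentityError: If no association between that identity and account exists.
    """
    association = (session.query(models.IdentityAccountAssociation)
                          .filter_by(identity=identity, identity_type=type, account=account)
                          .first())
    if association is None:
        # The identity itself may exist; what is missing is its link to this
        # account, so report that (and name the account) instead of claiming
        # the identity does not exist.
        raise exception.IdentityError('Identity (\'%s\',\'%s\') is not associated with account \'%s\'!' % (identity, type, account))
    association.delete(session=session)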
def get_default_account(identity, type, session=None):
    """
    Retrieves the default account mapped to an identity.

    :param identity: The identity key name. For example, x509DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass).
    :param session: The database session to use.
    :returns: The account name of the association flagged as default.
    :raises IdentityError: If the identity has no default account.
    """

    default_association = (session.query(models.IdentityAccountAssociation)
                                  .filter_by(identity=identity,
                                             identity_type=type,
                                             is_default=True)
                                  .first())
    if default_association is not None:
        return default_association.account

    raise exception.IdentityError('There is no default account for identity (%s, %s)' % (identity, type))