# ------------------------------------------------------------------------- # Copyright (c) 2015-2017 AT&T Intellectual Property # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ------------------------------------------------------------------------- # import base64 import re from datetime import datetime, timedelta from flask import request from osdf.config.base import osdf_config from osdf.logging.osdf_logging import error_log, debug_log from osdf.utils.interfaces import RestClient AUTHZ_PERMS_USER = '{}/authz/perms/user/{}' EXPIRE_TIME = 'expire_time' perm_cache = {} deploy_config = osdf_config.deployment def clear_cache(): perm_cache.clear() def authenticate(uid, passwd): try: perms = get_aaf_permissions(uid, passwd) return has_valid_role(perms) except Exception as exp: error_log.error("Error Authenticating the user {} : {}: ".format(uid, exp)) pass return False """ Check whether the user has valid permissions return True if the user has valid permissions else return false """ def has_valid_role(perms): aaf_user_roles = deploy_config['aaf_user_roles'] for roles in aaf_user_roles: path_perm = roles.split(':') uri = path_perm[0] role = path_perm[1].split('|')[0] if re.search(uri, request.path) and perms: roles = perms.get('roles') if roles: perm_list = roles.get('perm') for p in perm_list: if role == p['type']: return True return False """ Make the remote aaf api call if user is not in the cache. Return the perms """ def get_aaf_permissions(uid, passwd): key = base64.b64encode(bytes("{}_{}".format(uid, passwd), "ascii")) time_delta = timedelta(hours=deploy_config.get('aaf_cache_expiry_hrs', 3)) perms = perm_cache.get(key) if perms and datetime.now() < perms.get(EXPIRE_TIME): debug_log.debug("Returning cached value") return perms debug_log.debug("Invoking AAF authentication API") perms = {EXPIRE_TIME: datetime.now() + time_delta, 'roles': remote_api(passwd, uid)} perm_cache[key] = perms return perms def remote_api(passwd, uid): headers = {"Accept": "application/Users+xml;q=1.0;charset=utf-8;version=2.0,text/xml;q=1.0;version=2.0", "Accept": "application/Users+json;q=1.0;charset=utf-8;version=2.0,application/json;q=1.0;version=2.0,*/*;q=1.0"} url = AUTHZ_PERMS_USER.format(deploy_config['aaf_url'], uid) rc = RestClient(userid=uid, passwd=passwd, headers=headers, url=url, log_func=debug_log.debug, req_id='aaf_user_id') return rc.request(method='GET', asjson=True)