1 # -------------------------------------------------------------------------
2 # Copyright (c) 2015-2017 AT&T Intellectual Property
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
16 # -------------------------------------------------------------------------
import hashlib
from datetime import datetime, timedelta
from urllib.parse import quote

from flask import request

from osdf.config.base import osdf_config
from osdf.logging.osdf_logging import error_log, debug_log
from osdf.utils.interfaces import RestClient
# URL template for the AAF "permissions of user" lookup: (aaf base url, user id).
AUTHZ_PERMS_USER = '{}/authz/perms/user/{}'
# Key under which a cached permissions entry stores its expiry datetime.
EXPIRE_TIME = 'expire_time'
# Deployment section of the OSDF config; this module reads aaf_url,
# aaf_user_roles and aaf_cache_expiry_mins from it.
deploy_config = osdf_config.deployment
def authenticate(uid, passwd):
    """Authenticate *uid*/*passwd* against AAF and authorize the current request.

    The permissions returned by get_aaf_permissions (possibly cached) are checked
    with has_valid_role against the Flask request path.  Any exception raised on
    the way (AAF unreachable, bad credentials, malformed config or response) is
    logged and turned into False, so the check fails closed.

    Returns:
        True when a configured role rule matches, False otherwise.
    """
    try:
        granted = has_valid_role(get_aaf_permissions(uid, passwd))
    except Exception as exp:
        error_log.error("Error Authenticating the user {} : {}: ".format(uid, exp))
        return False
    return granted
50 Check whether the user has valid permissions
51 return True if the user has valid permissions
def has_valid_role(perms):
    """Return True if a configured AAF role rule grants the current request.

    Each entry of deploy_config['aaf_user_roles'] has the shape
    ``<path-regex>:<type>|<instance>|<action>`` (anything after the first
    whitespace of the action field is ignored).  The path regex is applied with
    re.search to the Flask ``request.path`` -- unanchored, so a pattern only
    matches exactly when it anchors itself -- and the (type, instance, action)
    triple must be among the roles AAF returned for the user.  A rule string
    missing one of the separators raises IndexError to the caller.
    """
    rules = deploy_config['aaf_user_roles']
    granted = get_role_list(perms)

    def rule_applies(rule):
        # Split the rule into its path pattern and permission spec.
        pieces = rule.split(':')
        fields = pieces[1].split('|')
        wanted = (fields[0], fields[1], fields[2].split()[0])
        return bool(re.search(pieces[0], request.path)) and wanted in granted

    return any(rule_applies(rule) for rule in rules)
72 Build a list of roles tuples from the AAF response.
def get_role_list(perms):
    """Flatten an AAF permissions entry into (type, instance, action) tuples.

    ``perms`` is the dict built by get_aaf_permissions; its ``roles`` value is
    the raw AAF response.  When ``perms`` or ``roles`` is missing or falsy the
    result is an empty list.  Every item under ``roles['perm']`` must carry the
    ``type``, ``instance`` and ``action`` keys; a missing key raises KeyError.
    """
    roles = perms.get('roles') if perms else None
    if not roles:
        return []
    return [(entry['type'], entry['instance'], entry['action'])
            for entry in roles.get('perm', [])]
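def get_aaf_permissions(uid, passwd):
    """Return the AAF permissions for *uid*, served from ``perm_cache`` when fresh.

    Cache entries are keyed by ``(uid, sha256(uid NUL passwd))``: the password
    is never held in memory in a reversible form (the previous key was the
    base64 of ``"uid_passwd"``), the NUL separator removes the ambiguity
    between ``("a_b", "c")`` and ``("a", "b_c")`` that the underscore join had,
    and UTF-8 encoding accepts non-ASCII passwords instead of raising
    UnicodeEncodeError.  An entry is reused until its EXPIRE_TIME
    (now + deploy_config['aaf_cache_expiry_mins'] minutes, default 5) has
    passed -- which is also how long a changed or revoked credential may keep
    working -- otherwise remote_api is called and the result stored under the
    key.  Expired entries are overwritten on the next use, never evicted.

    Args:
        uid: AAF user id presented by the caller.
        passwd: the caller's password; only its digest is kept.

    Returns:
        dict with EXPIRE_TIME (datetime) and 'roles' (raw AAF response).
    """
    # sha256 is a cache-key digest here, not a password store: the value must be
    # recomputed on every request, so a deliberately slow KDF would only add
    # self-inflicted load.
    digest = hashlib.sha256(
        b"\x00".join((str(uid).encode("utf-8"), str(passwd).encode("utf-8")))
    ).hexdigest()
    key = (uid, digest)
    ttl = timedelta(minutes=deploy_config.get('aaf_cache_expiry_mins', 5))

    cached = perm_cache.get(key)
    if cached and datetime.now() < cached.get(EXPIRE_TIME):
        debug_log.debug("Returning cached value")
        return cached

    debug_log.debug("Invoking AAF authentication API")
    perms = {EXPIRE_TIME: datetime.now() + ttl, 'roles': remote_api(passwd, uid)}
    perm_cache[key] = perms
    return perms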
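def remote_api(passwd, uid):
    """Fetch the user's permissions from AAF (``authz/perms/user/<uid>``).

    Only one Accept header is sent: the former dict literal listed "Accept"
    twice, so the XML variant was silently discarded and only the JSON value
    ever reached the wire -- that effective value is kept.  *uid* originates
    from the request credentials, so it is percent-encoded before being placed
    in the URL path ('@' stays literal for ids of the form user@domain); a
    value containing '/', '?' or '#' therefore cannot steer the lookup to a
    different AAF path.  The same uid/passwd pair is used as HTTP basic auth.

    Returns:
        The JSON-decoded response from RestClient.request.
    """
    headers = {"Accept": "application/Users+json;q=1.0;charset=utf-8;version=2.0,application/json;q=1.0;version=2.0,*/*;q=1.0"}
    url = AUTHZ_PERMS_USER.format(deploy_config['aaf_url'], quote(str(uid), safe='@'))
    rc = RestClient(userid=uid, passwd=passwd, headers=headers, url=url, log_func=debug_log.debug,
                    req_id='aaf_user_id')
    return rc.request(method='GET', asjson=True)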