--- /dev/null
+# -------------------------------------------------------------------------
+# Copyright (c) 2015-2017 AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# -------------------------------------------------------------------------
+#
+
+import base64
+import re
+from datetime import datetime, timedelta
+from flask import request
+
+from osdf.config.base import osdf_config
+from osdf.logging.osdf_logging import error_log, debug_log
+from osdf.utils.interfaces import RestClient
+
+AUTHZ_PERMS_USER = '{}/authz/perms/user/{}'
+
+EXPIRE_TIME = 'expire_time'
+
+perm_cache = {}
+deploy_config = osdf_config.deployment
+
+
+def clear_cache():
+ perm_cache.clear()
+
+
+def authenticate(uid, passwd):
+ try:
+ perms = get_aaf_permissions(uid, passwd)
+ return has_valid_role(perms)
+ except Exception as exp:
+ error_log.error("Error Authenticating the user {} : {}: ".format(uid, exp))
+ pass
+ return False
+
+
+"""
+Check whether the user has valid permissions
+return True if the user has valid permissions
+else return false
+"""
+
+
+def has_valid_role(perms):
+ aaf_user_roles = deploy_config['aaf_user_roles']
+
+ for roles in aaf_user_roles:
+ path_perm = roles.split(':')
+ uri = path_perm[0]
+ role = path_perm[1].split('|')[0]
+ if re.search(uri, request.path) and perms:
+ roles = perms.get('roles')
+ if roles:
+ perm_list = roles.get('perm')
+ for p in perm_list:
+ if role == p['type']:
+ return True
+ return False
+
+"""
+Make the remote aaf api call if user is not in the cache.
+
+Return the perms
+"""
+def get_aaf_permissions(uid, passwd):
+ key = base64.b64encode(bytes("{}_{}".format(uid, passwd), "ascii"))
+ time_delta = timedelta(hours=deploy_config.get('aaf_cache_expiry_hrs', 3))
+
+ perms = perm_cache.get(key)
+
+ if perms and datetime.now() < perms.get(EXPIRE_TIME):
+ debug_log.debug("Returning cached value")
+ return perms
+ debug_log.debug("Invoking AAF authentication API")
+ perms = {EXPIRE_TIME: datetime.now() + time_delta, 'roles': remote_api(passwd, uid)}
+ perm_cache[key] = perms
+ return perms
+
+
+def remote_api(passwd, uid):
+ headers = {"Accept": "application/Users+xml;q=1.0;charset=utf-8;version=2.0,text/xml;q=1.0;version=2.0",
+ "Accept": "application/Users+json;q=1.0;charset=utf-8;version=2.0,application/json;q=1.0;version=2.0,*/*;q=1.0"}
+ url = AUTHZ_PERMS_USER.format(deploy_config['aaf_url'], uid)
+ rc = RestClient(userid=uid, passwd=passwd, headers=headers, url=url, log_func=debug_log.debug,
+ req_id='aaf_user_id', service='aaf_authentication_service')
+ return rc.request(method='GET', asjson=True)
Code Review / optf / osdf.git / commitdiff