authservice/auth.py

import time
import connexion
from jose import JWTError, jwt
import werkzeug
import os
import mariadb
from collections import namedtuple
from pbkdf2 import crypt

DB_USER = os.environ["DB_USER"]
DB_PASS = os.environ["DB_PASS"]
DB_HOST = os.environ["DB_HOST"]
DB_NAME = os.environ["DB_NAME"]

JWT_ISSUER = os.environ["JWT_ISSUER"]


class NoUserException(Exception): 
    pass

class ManyUsersException(Exception): 
    pass

class PasswordMismatchException(Exception): 
    pass


UserEntry = namedtuple('UserEntry', ['id', 'login', 'expiry', 'claims'])

JWT_PRIV_KEY = ""
with open('/opt/app/config/authservice.key', 'r') as f:
    JWT_PRIV_KEY = f.readlines()

JWT_PUB_KEY = ""
with open('/opt/app/config/authservice.pub', 'r') as f:
    JWT_PUB_KEY = f.readlines()


def getUserEntryFromDB(application: str, login: str):
    conn = None
    cur = None
    try:
        conn = mariadb.connect(user = DB_USER, password = DB_PASS,
                               host = DB_HOST, database = DB_NAME)
        conn.autocommit = False

        cur = conn.cursor(dictionary=True)
        cur.execute("SELECT id, pwhash, expiry FROM user_application" +
                    "  WHERE application = ? AND login = ?", 
                    [application, login])
        resObj = cur.next()
        print("DEBUG: getUserEntryFromDB: resObj: {}".format(resObj))
        if not resObj:
            raise NoUserException()
        invObj = cur.next()
        if invObj:
            raise ManyUsersException()

        userId = resObj["id"]
        cur.execute("SELECT user, `key`, `value` FROM claims_for_user where user = ?", 
                    [userId])
        claims = {}
        for claimObj in cur:
            print("DEBUG: getUserEntryFromDB: add claim {} -> {}".format(claimObj["key"], claimObj["value"]))
            if claimObj["key"] in claims:
                if isinstance(claims[claimObj["key"]], list):
                    claims[claimObj["key"]].append(claimObj["value"])
                else:
                    claims[claimObj["key"]] = [ claims[claimObj["key"]] ]
                    claims[claimObj["key"]].append(claimObj["value"])
            else:
                claims[claimObj["key"]] = claimObj["value"]
                
        userEntry = UserEntry(id=userId, login=login, expiry=resObj["expiry"], claims=claims)

        return userEntry, resObj["pwhash"]
    except mariadb.Error as err:
        raise Exception("Error when connecting to database: {}".format(err))
    finally:
        if cur:
            cur.close()
        if conn:
            conn.rollback()
            conn.close()

def getUserEntry(application, login, password):
    userEntry, pwhash = getUserEntryFromDB(application, login)
    if pwhash != crypt(password, pwhash):
        raise PasswordMismatchException()
    return userEntry

def generateToken(**args):
    try:
        body = args["body"]
        application = body["application"]
        login = body["login"]
        password = body["password"]
    
        userEntry = getUserEntry(application, login, password)
    
        timestamp = int(time.time())
        payload = {
            "iss": JWT_ISSUER,
            "iat": int(timestamp),
            "exp": int(timestamp + userEntry.expiry),
            "sub": str(userEntry.id)
        }
        for claim in userEntry.claims.items():
            # print("DEBUG: generateToken: add claim {} -> {}".format(claim[0], claim[1]))
            payload[claim[0]] = claim[1]

        return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')
    except NoUserException:
        print("ERROR: generateToken: no user found, login or application wrong")
        raise werkzeug.exceptions.Unauthorized()
    except ManyUsersException:
        print("ERROR: generateToken: too many users found")
        raise werkzeug.exceptions.Unauthorized()
    except PasswordMismatchException:
        print("ERROR: generateToken: wrong password")
        raise werkzeug.exceptions.Unauthorized()
    except KeyError:
        print("ERROR: generateToken: application, login or password missing")
        raise werkzeug.exceptions.Unauthorized()
    except Exception as e:
        print("ERROR: generateToken: unspecific exception: {}".format(str(e)))
        raise werkzeug.exceptions.Unauthorized()

def getPubKey():
    return JWT_PUB_KEY
initial 2021-01-25 21:52:52 +01:00			`import time`
			`import connexion`
			`from jose import JWTError, jwt`
changes 2021-01-26 13:43:09 +01:00			`import werkzeug`
initial 2021-01-25 21:52:52 +01:00			`import os`
			`import mariadb`
changes 2021-01-26 13:43:09 +01:00			`from collections import namedtuple`
application and pwhash 2021-01-26 21:27:17 +01:00			`from pbkdf2 import crypt`
initial 2021-01-25 21:52:52 +01:00
			`DB_USER = os.environ["DB_USER"]`
			`DB_PASS = os.environ["DB_PASS"]`
			`DB_HOST = os.environ["DB_HOST"]`
			`DB_NAME = os.environ["DB_NAME"]`

schema fixes 2021-01-27 10:57:54 +01:00			`JWT_ISSUER = os.environ["JWT_ISSUER"]`
pubkey stuff 2021-05-06 16:37:32 +02:00


schema fixes 2021-01-27 10:57:54 +01:00
initial 2021-01-25 21:52:52 +01:00
application and pwhash 2021-01-26 21:27:17 +01:00			`class NoUserException(Exception):`
			`pass`

			`class ManyUsersException(Exception):`
			`pass`

			`class PasswordMismatchException(Exception):`
			`pass`

changes 2021-01-26 13:43:09 +01:00
schema fixes 2021-01-27 10:57:54 +01:00			`UserEntry = namedtuple('UserEntry', ['id', 'login', 'expiry', 'claims'])`
changes 2021-01-26 13:43:09 +01:00
pubkey stuff 2021-05-06 16:37:32 +02:00			`JWT_PRIV_KEY = ""`
			`with open('/opt/app/config/authservice.key', 'r') as f:`
			`JWT_PRIV_KEY = f.readlines()`

			`JWT_PUB_KEY = ""`
			`with open('/opt/app/config/authservice.pub', 'r') as f:`
			`JWT_PUB_KEY = f.readlines()`
changes 2021-01-26 13:43:09 +01:00

crypt and adduser tool 2021-01-26 22:06:39 +01:00			`def getUserEntryFromDB(application: str, login: str):`
initial 2021-01-25 21:52:52 +01:00			`conn = None`
			`cur = None`
			`try:`
			`conn = mariadb.connect(user = DB_USER, password = DB_PASS,`
			`host = DB_HOST, database = DB_NAME)`
			`conn.autocommit = False`

			`cur = conn.cursor(dictionary=True)`
schema fixes 2021-01-27 10:57:54 +01:00			`cur.execute("SELECT id, pwhash, expiry FROM user_application" +`
application and pwhash 2021-01-26 21:27:17 +01:00			`" WHERE application = ? AND login = ?",`
			`[application, login])`
changes 2021-01-26 13:43:09 +01:00			`resObj = cur.next()`
			`print("DEBUG: getUserEntryFromDB: resObj: {}".format(resObj))`
			`if not resObj:`
			`raise NoUserException()`
initial 2021-01-25 21:52:52 +01:00			`invObj = cur.next()`
			`if invObj:`
changes 2021-01-26 13:43:09 +01:00			`raise ManyUsersException()`

			`userId = resObj["id"]`
			cur.execute("SELECT user, `key`, `value` FROM claims_for_user where user = ?",
			`[userId])`
			`claims = {}`
			`for claimObj in cur:`
			`print("DEBUG: getUserEntryFromDB: add claim {} -> {}".format(claimObj["key"], claimObj["value"]))`
			`if claimObj["key"] in claims:`
fix in claims handling 2021-05-06 15:22:43 +02:00			`if isinstance(claims[claimObj["key"]], list):`
changes 2021-01-26 13:43:09 +01:00			`claims[claimObj["key"]].append(claimObj["value"])`
			`else:`
			`claims[claimObj["key"]] = [ claims[claimObj["key"]] ]`
			`claims[claimObj["key"]].append(claimObj["value"])`
			`else:`
			`claims[claimObj["key"]] = claimObj["value"]`

schema fixes 2021-01-27 10:57:54 +01:00			`userEntry = UserEntry(id=userId, login=login, expiry=resObj["expiry"], claims=claims)`
initial 2021-01-25 21:52:52 +01:00
schema fixes 2021-01-27 10:57:54 +01:00			`return userEntry, resObj["pwhash"]`
initial 2021-01-25 21:52:52 +01:00			`except mariadb.Error as err:`
			`raise Exception("Error when connecting to database: {}".format(err))`
			`finally:`
			`if cur:`
			`cur.close()`
			`if conn:`
			`conn.rollback()`
			`conn.close()`

crypt and adduser tool 2021-01-26 22:06:39 +01:00			`def getUserEntry(application, login, password):`
			`userEntry, pwhash = getUserEntryFromDB(application, login)`
			`if pwhash != crypt(password, pwhash):`
application and pwhash 2021-01-26 21:27:17 +01:00			`raise PasswordMismatchException()`
crypt and adduser tool 2021-01-26 22:06:39 +01:00			`return userEntry`
initial 2021-01-25 21:52:52 +01:00
changes 2021-01-26 13:43:09 +01:00			`def generateToken(**args):`
initial 2021-01-25 21:52:52 +01:00			`try:`
changes 2021-01-26 13:43:09 +01:00			`body = args["body"]`
application and pwhash 2021-01-26 21:27:17 +01:00			`application = body["application"]`
changes 2021-01-26 13:43:09 +01:00			`login = body["login"]`
crypt and adduser tool 2021-01-26 22:06:39 +01:00			`password = body["password"]`
application and pwhash 2021-01-26 21:27:17 +01:00
crypt and adduser tool 2021-01-26 22:06:39 +01:00			`userEntry = getUserEntry(application, login, password)`
application and pwhash 2021-01-26 21:27:17 +01:00
changes 2021-01-26 13:43:09 +01:00			`timestamp = int(time.time())`
			`payload = {`
schema fixes 2021-01-27 10:57:54 +01:00			`"iss": JWT_ISSUER,`
changes 2021-01-26 13:43:09 +01:00			`"iat": int(timestamp),`
			`"exp": int(timestamp + userEntry.expiry),`
			`"sub": str(userEntry.id)`
			`}`
			`for claim in userEntry.claims.items():`
			`# print("DEBUG: generateToken: add claim {} -> {}".format(claim[0], claim[1]))`
remove x from private claims 2021-01-27 13:31:34 +01:00			`payload[claim[0]] = claim[1]`
changes 2021-01-26 13:43:09 +01:00
pubkey stuff 2021-05-06 16:37:32 +02:00			`return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')`
changes 2021-01-26 13:43:09 +01:00			`except NoUserException:`
application and pwhash 2021-01-26 21:27:17 +01:00			`print("ERROR: generateToken: no user found, login or application wrong")`
changes 2021-01-26 13:43:09 +01:00			`raise werkzeug.exceptions.Unauthorized()`
			`except ManyUsersException:`
			`print("ERROR: generateToken: too many users found")`
			`raise werkzeug.exceptions.Unauthorized()`
application and pwhash 2021-01-26 21:27:17 +01:00			`except PasswordMismatchException:`
			`print("ERROR: generateToken: wrong password")`
			`raise werkzeug.exceptions.Unauthorized()`
changes 2021-01-26 13:43:09 +01:00			`except KeyError:`
application and pwhash 2021-01-26 21:27:17 +01:00			`print("ERROR: generateToken: application, login or password missing")`
changes 2021-01-26 13:43:09 +01:00			`raise werkzeug.exceptions.Unauthorized()`
			`except Exception as e:`
			`print("ERROR: generateToken: unspecific exception: {}".format(str(e)))`
			`raise werkzeug.exceptions.Unauthorized()`
pubkey stuff 2021-05-06 16:37:32 +02:00
			`def getPubKey():`
			`return JWT_PUB_KEY`