Here are the examples of the python api flask.ext.principal.Identity taken from open source projects. By voting up you can indicate which examples are most useful and appropriate.
19 Examples
3
Example 1
Project: WAPT Source File: decorators.py
def _check_token():
header_key = _security.token_authentication_header
args_key = _security.token_authentication_key
header_token = request.headers.get(header_key, None)
token = request.args.get(args_key, header_token)
if request.get_json(silent=True):
token = request.json.get(args_key, token)
user = _security.login_manager.token_callback(token)
if user and user.is_authenticated():
app = current_app._get_current_object()
_request_ctx_stack.top.user = user
identity_changed.send(app, identity=Identity(user.id))
return True
return False
3
Example 2
Project: WAPT Source File: decorators.py
def _check_http_auth():
auth = request.authorization or BasicAuth(username=None, password=None)
user = _security.datastore.find_user(email=auth.username)
if user and utils.verify_and_update_password(auth.password, user):
_security.datastore.commit()
app = current_app._get_current_object()
_request_ctx_stack.top.user = user
identity_changed.send(app, identity=Identity(user.id))
return True
return False
3
Example 3
Project: cloud-asr Source File: run.py
@app.route('/login/google')
@google_login.oauth2callback
def login_google(token, userinfo, **params):
login_user(users_model.upsert_user(userinfo))
identity = Identity(userinfo['id'])
identity_changed.send(app, identity = identity)
return redirect(url_for('index'))
3
Example 4
def get_identity(self):
"""Returns user's :class:`flask.ext.principal.Identity`."""
identity = Identity(self.id)
for membership in self.memberships:
if membership.allows_management:
need = perms.project_manager(membership.project_id)
else:
need = perms.project_member(membership.project_id)
identity.provides.add(need)
for project in self.owned_projects:
identity.provides.add(perms.project_owner(project.id))
return identity
0
Example 5
def _identity_loader():
if not isinstance(current_user._get_current_object(), AnonymousUser):
identity = Identity(current_user.id)
return identity
0
Example 6
Project: WAPT Source File: utils.py
def login_user(user, remember=None):
"""Performs the login routine.
:param user: The user to login
:param remember: Flag specifying if the remember cookie should be set. Defaults to ``False``
"""
if remember is None:
remember = config_value('DEFAULT_REMEMBER_ME')
if not _login_user(user, remember): # pragma: no cover
return False
if _security.trackable:
if 'X-Forwarded-For' not in request.headers:
remote_addr = request.remote_addr or 'untrackable'
else:
remote_addr = request.headers.getlist("X-Forwarded-For")[0]
old_current_login, new_current_login = user.current_login_at, datetime.utcnow()
old_current_ip, new_current_ip = user.current_login_ip, remote_addr
user.last_login_at = old_current_login or new_current_login
user.current_login_at = new_current_login
user.last_login_ip = old_current_ip or new_current_ip
user.current_login_ip = new_current_ip
user.login_count = user.login_count + 1 if user.login_count else 1
_datastore.put(user)
identity_changed.send(current_app._get_current_object(),
identity=Identity(user.id))
return True
0
Example 7
Project: JARR Source File: common.py
def login_user_bundle(user):
login_user(user)
identity_changed.send(current_app, identity=Identity(user.id))
session_identity_loader()
0
Example 8
Project: bluemonk Source File: authentication.py
@oid.after_login
def create_or_login(response):
'''
This is the hook for OpenID.try_login and is being called after a response
has been received.
'''
session['user'] = {}
session['openid'] = response.identity_url
user = g.user or User.query.filter_by(openid=response.identity_url).first()
if user is None:
name = response.fullname or response.nickname
session['user']['email'] = response.email
params = dict(next=oid.get_next_url(), name = name)
return redirect(url_for('.first_login', **params))
g.user = user
identity = Identity(user.id)
# Notify Principal of the identity change
identity_changed.send(
current_app._get_current_object(),
identity = identity
)
if user.openid != response.identity_url:
user.openid = response.identity_url
db_session.commit()
flash(u'OpenID identity changed')
else:
flash(u'Successfully signed in', 'hurray')
return redirect(oid.get_next_url())
0
Example 9
Project: lemur Source File: service.py
def login_required(f):
"""
Validates the JWT and ensures that is has not expired.
:param f:
:return:
"""
@wraps(f)
def decorated_function(*args, **kwargs):
if not request.headers.get('Authorization'):
response = jsonify(message='Missing authorization header')
response.status_code = 401
return response
try:
token = request.headers.get('Authorization').split()[1]
except Exception as e:
return dict(message='Token is invalid'), 403
try:
payload = jwt.decode(token, current_app.config['LEMUR_TOKEN_SECRET'])
except jwt.DecodeError:
return dict(message='Token is invalid'), 403
except jwt.ExpiredSignatureError:
return dict(message='Token has expired'), 403
except jwt.InvalidTokenError:
return dict(message='Token is invalid'), 403
g.current_user = user_service.get(payload['sub'])
if not g.current_user:
return dict(message='You are not logged in'), 403
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(), identity=Identity(g.current_user.id))
return f(*args, **kwargs)
return decorated_function
0
Example 10
Project: lemur Source File: views.py
def post(self):
"""
.. http:post:: /auth/login
Login with username:password
**Example request**:
.. sourcecode:: http
POST /auth/login HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
{
"username": "test",
"password": "test"
}
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript
{
"token": "12343243243"
}
:arg username: username
:arg password: password
:statuscode 401: invalid credentials
:statuscode 200: no error
"""
self.reqparse.add_argument('username', type=str, required=True, location='json')
self.reqparse.add_argument('password', type=str, required=True, location='json')
args = self.reqparse.parse_args()
if '@' in args['username']:
user = user_service.get_by_email(args['username'])
else:
user = user_service.get_by_username(args['username'])
if user and user.check_password(args['password']):
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(),
identity=Identity(user.id))
metrics.send('successful_login', 'counter', 1)
return dict(token=create_token(user))
metrics.send('invalid_login', 'counter', 1)
return dict(message='The supplied credentials are invalid'), 401
0
Example 11
Project: lemur Source File: views.py
def post(self):
self.reqparse.add_argument('clientId', type=str, required=True, location='json')
self.reqparse.add_argument('redirectUri', type=str, required=True, location='json')
self.reqparse.add_argument('code', type=str, required=True, location='json')
args = self.reqparse.parse_args()
# take the information we have received from the provider to create a new request
params = {
'client_id': args['clientId'],
'grant_type': 'authorization_code',
'scope': 'openid email profile address',
'redirect_uri': args['redirectUri'],
'code': args['code']
}
# you can either discover these dynamically or simply configure them
access_token_url = current_app.config.get('PING_ACCESS_TOKEN_URL')
user_api_url = current_app.config.get('PING_USER_API_URL')
# the secret and cliendId will be given to you when you signup for the provider
token = '{0}:{1}'.format(args['clientId'], current_app.config.get("PING_SECRET"))
if sys.version_info >= (3, 0):
basic = base64.b64encode(bytes(token, 'utf-8'))
headers = {'authorization': 'basic {0}'.format(basic.decode('utf-8'))}
else:
basic = base64.b64encode(token, 'utf-8')
headers = {'authorization': 'basic {0}'.format(basic)}
# exchange authorization code for access token.
r = requests.post(access_token_url, headers=headers, params=params)
id_token = r.json()['id_token']
access_token = r.json()['access_token']
# fetch token public key
header_data = fetch_token_header(id_token)
jwks_url = current_app.config.get('PING_JWKS_URL')
# retrieve the key material as specified by the token header
r = requests.get(jwks_url)
for key in r.json()['keys']:
if key['kid'] == header_data['kid']:
secret = get_rsa_public_key(key['n'], key['e'])
algo = header_data['alg']
break
else:
return dict(message='Key not found'), 403
# validate your token based on the key it was signed with
try:
if sys.version_info >= (3, 0):
jwt.decode(id_token, secret.decode('utf-8'), algorithms=[algo], audience=args['clientId'])
else:
jwt.decode(id_token, secret, algorithms=[algo], audience=args['clientId'])
except jwt.DecodeError:
return dict(message='Token is invalid'), 403
except jwt.ExpiredSignatureError:
return dict(message='Token has expired'), 403
except jwt.InvalidTokenError:
return dict(message='Token is invalid'), 403
user_params = dict(access_token=access_token, schema='profile')
# retrieve information about the current user.
r = requests.get(user_api_url, params=user_params)
profile = r.json()
user = user_service.get_by_email(profile['email'])
metrics.send('successful_login', 'counter', 1)
# update their google 'roles'
roles = []
for group in profile['googleGroups']:
role = role_service.get_by_name(group)
if not role:
role = role_service.create(group, description='This is a google group based role created by Lemur')
roles.append(role)
role = role_service.get_by_name(profile['email'])
if not role:
role = role_service.create(profile['email'], description='This is a user specific role')
roles.append(role)
# if we get an sso user create them an account
if not user:
# every user is an operator (tied to a default role)
if current_app.config.get('LEMUR_DEFAULT_ROLE'):
v = role_service.get_by_name(current_app.config.get('LEMUR_DEFAULT_ROLE'))
if v:
roles.append(v)
user = user_service.create(
profile['email'],
get_psuedo_random_string(),
profile['email'],
True,
profile.get('thumbnailPhotoUrl'),
roles
)
else:
# we add 'lemur' specific roles, so they do not get marked as removed
for ur in user.roles:
if ur.authority_id:
roles.append(ur)
# update any changes to the user
user_service.update(
user.id,
profile['email'],
profile['email'],
True,
profile.get('thumbnailPhotoUrl'), # incase profile isn't google+ enabled
roles
)
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
return dict(token=create_token(user))
0
Example 12
Project: lemur Source File: conftest.py
@pytest.yield_fixture(scope="function")
def logged_in_user(session, app):
with app.test_request_context():
identity_changed.send(current_app._get_current_object(), identity=Identity(1))
yield
0
Example 13
Project: lemur Source File: conftest.py
@pytest.yield_fixture(scope="function")
def logged_in_admin(session, app):
with app.test_request_context():
identity_changed.send(current_app._get_current_object(), identity=Identity(2))
yield
0
Example 14
Project: security_monkey Source File: views.py
def post(self):
if "ping" not in current_app.config.get("ACTIVE_PROVIDERS"):
return "Ping is not enabled in the config. See the ACTIVE_PROVIDERS section.", 404
default_state = 'clientId,{client_id},redirectUri,{redirectUri},return_to,{return_to}'.format(
client_id=current_app.config.get('PING_CLIENT_ID'),
redirectUri=current_app.config.get('PING_REDIRECT_URI'),
return_to=current_app.config.get('WEB_PATH')
)
self.reqparse.add_argument('code', type=str, required=True)
self.reqparse.add_argument('state', type=str, required=False, default=default_state)
args = self.reqparse.parse_args()
client_id = args['state'].split(',')[1]
redirect_uri = args['state'].split(',')[3]
return_to = args['state'].split(',')[5]
if not validate_redirect_url(return_to):
return_to = current_app.config.get('WEB_PATH')
# take the information we have received from the provider to create a new request
params = {
'client_id': client_id,
'grant_type': 'authorization_code',
'scope': 'openid email profile address',
'redirect_uri': redirect_uri,
'code': args['code']
}
# you can either discover these dynamically or simply configure them
access_token_url = current_app.config.get('PING_ACCESS_TOKEN_URL')
user_api_url = current_app.config.get('PING_USER_API_URL')
# the secret and cliendId will be given to you when you signup for the provider
basic = base64.b64encode(bytes('{0}:{1}'.format(client_id, current_app.config.get("PING_SECRET"))))
headers = {'Authorization': 'Basic {0}'.format(basic.decode('utf-8'))}
# exchange authorization code for access token.
r = requests.post(access_token_url, headers=headers, params=params)
id_token = r.json()['id_token']
access_token = r.json()['access_token']
# fetch token public key
header_data = fetch_token_header_payload(id_token)[0]
jwks_url = current_app.config.get('PING_JWKS_URL')
# retrieve the key material as specified by the token header
r = requests.get(jwks_url)
for key in r.json()['keys']:
if key['kid'] == header_data['kid']:
secret = get_rsa_public_key(key['n'], key['e'])
algo = header_data['alg']
break
else:
return dict(message='Key not found'), 403
# validate your token based on the key it was signed with
try:
current_app.logger.debug(id_token)
current_app.logger.debug(secret)
current_app.logger.debug(algo)
jwt.decode(id_token, secret.decode('utf-8'), algorithms=[algo], audience=client_id)
except jwt.DecodeError:
return dict(message='Token is invalid'), 403
except jwt.ExpiredSignatureError:
return dict(message='Token has expired'), 403
except jwt.InvalidTokenError:
return dict(message='Token is invalid'), 403
user_params = dict(access_token=access_token, schema='profile')
# retrieve information about the current user.
r = requests.get(user_api_url, params=user_params)
profile = r.json()
user = User.query.filter(User.email==profile['email']).first()
# if we get an sso user create them an account
if not user:
user = User(
email=profile['email'],
active=True,
role='View'
# profile_picture=profile.get('thumbnailPhotoUrl')
)
db.session.add(user)
db.session.commit()
db.session.refresh(user)
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
login_user(user)
return redirect(return_to, code=302)
0
Example 15
Project: security_monkey Source File: views.py
def post(self):
if "google" not in current_app.config.get("ACTIVE_PROVIDERS"):
return "Google is not enabled in the config. See the ACTIVE_PROVIDERS section.", 404
default_state = 'clientId,{client_id},redirectUri,{redirectUri},return_to,{return_to}'.format(
client_id=current_app.config.get("GOOGLE_CLIENT_ID"),
redirectUri=api.url_for(Google),
return_to=current_app.config.get('WEB_PATH')
)
self.reqparse.add_argument('code', type=str, required=True)
self.reqparse.add_argument('state', type=str, required=False, default=default_state)
args = self.reqparse.parse_args()
client_id = args['state'].split(',')[1]
redirect_uri = args['state'].split(',')[3]
return_to = args['state'].split(',')[5]
if not validate_redirect_url(return_to):
return_to = current_app.config.get('WEB_PATH')
access_token_url = 'https://accounts.google.com/o/oauth2/token'
people_api_url = 'https://www.googleapis.com/plus/v1/people/me/openIdConnect'
args = self.reqparse.parse_args()
# Step 1. Exchange authorization code for access token
payload = {
'client_id': client_id,
'grant_type': 'authorization_code',
'redirect_uri': redirect_uri,
'code': args['code'],
'client_secret': current_app.config.get('GOOGLE_SECRET')
}
r = requests.post(access_token_url, data=payload)
token = r.json()
# Step 1bis. Validate (some information of) the id token (if necessary)
google_hosted_domain = current_app.config.get("GOOGLE_HOSTED_DOMAIN")
if google_hosted_domain is not None:
current_app.logger.debug('We need to verify that the token was issued for this hosted domain: %s ' % (google_hosted_domain))
# Get the JSON Web Token
id_token = r.json()['id_token']
current_app.logger.debug('The id_token is: %s' % (id_token))
# Extract the payload
(header_data, payload_data) = fetch_token_header_payload(id_token)
current_app.logger.debug('id_token.header_data: %s' % (header_data))
current_app.logger.debug('id_token.payload_data: %s' % (payload_data))
token_hd = payload_data.get('hd')
if token_hd != google_hosted_domain:
current_app.logger.debug('Verification failed: %s != %s' % (token_hd, google_hosted_domain))
return dict(message='Token is invalid %s' % token), 403
current_app.logger.debug('Verification passed')
# Step 2. Retrieve information about the current user
headers = {'Authorization': 'Bearer {0}'.format(token['access_token'])}
r = requests.get(people_api_url, headers=headers)
profile = r.json()
user = User.query.filter(User.email == profile['email']).first()
# if we get an sso user create them an account
if not user:
user = User(
email=profile['email'],
active=True,
role='View'
# profile_picture=profile.get('thumbnailPhotoUrl')
)
db.session.add(user)
db.session.commit()
db.session.refresh(user)
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
login_user(user)
return redirect(return_to, code=302)
0
Example 16
Project: security_monkey Source File: views.py
def post(self):
if "onelogin" not in current_app.config.get("ACTIVE_PROVIDERS"):
return "Onelogin is not enabled in the config. See the ACTIVE_PROVIDERS section.", 404
auth = OneLogin_Saml2_Auth(self.req, current_app.config.get("ONELOGIN_SETTINGS"))
self.reqparse.add_argument('return_to', required=False, default=current_app.config.get('WEB_PATH'))
self.reqparse.add_argument('acs', required=False)
self.reqparse.add_argument('sls', required=False)
args = self.reqparse.parse_args()
return_to = args['return_to']
if args['acs'] != None:
# valids the SAML response and checks if successfully authenticated
if self._consumer(auth):
email = auth.get_attribute(current_app.config.get("ONELOGIN_EMAIL_FIELD"))[0]
user = User.query.filter(User.email == email).first()
# if we get an sso user create them an account
if not user:
user = User(
email=email,
active=True,
role=current_app.config.get('ONELOGIN_DEFAULT_ROLE')
# profile_picture=profile.get('thumbnailPhotoUrl')
)
db.session.add(user)
db.session.commit()
db.session.refresh(user)
# Tell Flask-Principal the identity changed
identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
login_user(user)
self_url = OneLogin_Saml2_Utils.get_self_url(self.req)
if 'RelayState' in request.form and self_url != request.form['RelayState']:
return redirect(auth.redirect_to(request.form['RelayState']), code=302)
else:
return redirect(current_app.config.get('BASE_URL'), code=302)
else:
return dict(message='OneLogin authentication failed.'), 403
elif args['sls'] != None:
return dict(message='OneLogin SLS not implemented yet.'), 405
else:
return redirect(auth.login(return_to=return_to))
0
Example 17
Project: AstroBox Source File: cloud.py
def signin(self, email, password):
from octoprint.server import userManager
from astroprint.network.manager import networkManager
user = None
userLoggedIn = False
online = networkManager().isOnline()
if online:
private_key = self.get_private_key(email, password)
if private_key:
public_key = self.get_public_key(email, private_key)
if public_key:
#Let's protect the box now:
user = userManager.findUser(email)
if user:
userManager.changeUserPassword(email, password)
userManager.changeCloudAccessKeys(email, public_key, private_key)
else:
user = userManager.addUser(email, password, public_key, private_key, True)
userLoggedIn = True
else:
user = userManager.findUser(email)
userLoggedIn = user and user.check_password(userManager.createPasswordHash(password))
if userLoggedIn:
login_user(user, remember=True)
userId = user.get_id()
self.settings.set(["cloudSlicer", "loggedUser"], userId)
self.settings.save()
boxrouterManager().boxrouter_connect()
identity_changed.send(current_app._get_current_object(), identity=Identity(userId))
#let the singleton be recreated again, so new credentials are taken into use
global _instance
_instance = None
eventManager().fire(Events.LOCK_STATUS_CHANGED, userId)
return True
elif not online:
raise AstroPrintCloudNoConnectionException()
return False
0
Example 18
Project: AstroBox Source File: __init__.py
@api.route("/login", methods=["POST"])
def login():
if octoprint.server.userManager is not None and "user" in request.values.keys() and "pass" in request.values.keys():
username = request.values["user"]
password = request.values["pass"]
if "remember" in request.values.keys() and request.values["remember"] == "true":
remember = True
else:
remember = False
user = octoprint.server.userManager.findUser(username)
if user is not None:
if user.check_password(octoprint.server.userManager.createPasswordHash(password)):
login_user(user, remember=remember)
identity_changed.send(current_app._get_current_object(), identity=Identity(user.get_id()))
return jsonify(user.asDict())
return make_response(("User unknown or password incorrect", 401, []))
elif "passive" in request.values.keys():
user = current_user
if user is not None and not user.is_anonymous:
identity_changed.send(current_app._get_current_object(), identity=Identity(user.get_id()))
return jsonify(user.asDict())
elif s().getBoolean(["accessControl", "autologinLocal"]) \
and s().get(["accessControl", "autologinAs"]) is not None \
and s().get(["accessControl", "localNetworks"]) is not None:
autologinAs = s().get(["accessControl", "autologinAs"])
localNetworks = netaddr.IPSet([])
for ip in s().get(["accessControl", "localNetworks"]):
localNetworks.add(ip)
try:
remoteAddr = util.getRemoteAddress(request)
if netaddr.IPAddress(remoteAddr) in localNetworks:
user = octoprint.server.userManager.findUser(autologinAs)
if user is not None:
login_user(user)
identity_changed.send(current_app._get_current_object(), identity=Identity(user.get_id()))
return jsonify(user.asDict())
except:
logger = logging.getLogger(__name__)
logger.exception("Could not autologin user %s for networks %r" % (autologinAs, localNetworks))
return NO_CONTENT
0
Example 19
Project: AstroBox Source File: util.py
def restricted_access(func, apiEnabled=True):
"""
If you decorate a view with this, it will ensure that first setup has been
done for OctoPrint's Access Control plus that any conditions of the
login_required decorator are met. It also allows to login using the masterkey or any
of the user's apikeys if API access is enabled globally and for the decorated view.
If OctoPrint's Access Control has not been setup yet (indicated by the "firstRun"
flag from the settings being set to True and the userManager not indicating
that it's user database has been customized from default), the decorator
will cause a HTTP 403 status code to be returned by the decorated resource.
If an API key is provided and it matches a known key, the user will be logged in and
the view will be called directly. If the provided key doesn't match any known key,
a HTTP 403 status code will be returned by the decorated resource.
Otherwise the result of calling login_required will be returned.
"""
@wraps(func)
def decorated_view(*args, **kwargs):
# if OctoPrint hasn't been set up yet, abort
if settings().getBoolean(["server", "firstRun"]) and (octoprint.server.userManager is None or not octoprint.server.userManager.hasBeenCustomized()):
return make_response("OctoPrint isn't setup yet", 403)
# if API is globally enabled, enabled for this request and an api key is provided that is not the current UI API key, try to use that
apikey = getApiKey(request)
if settings().get(["api", "enabled"]) and apiEnabled and apikey is not None and apikey != octoprint.server.UI_API_KEY:
if apikey == settings().get(["api", "key"]):
# master key was used
user = ApiUser()
else:
# user key might have been used
user = octoprint.server.userManager.findUser(apikey=apikey)
if user is None:
return make_response("Invalid API key", 401)
if login_user(user, remember=False):
identity_changed.send(current_app._get_current_object(), identity=Identity(user.get_id()))
return func(*args, **kwargs)
# call regular login_required decorator
#TODO: remove this temporary disablement of login requirement
#return login_required(func)(*args, **kwargs)
return func(*args, **kwargs)
return decorated_view