simplifying user management
This commit is contained in:
parent
60401254cd
commit
b9b2eb0781
2 changed files with 80 additions and 105 deletions
155
clientsdb.py
155
clientsdb.py
|
@ -4,8 +4,6 @@
|
||||||
|
|
||||||
#import site packages
|
#import site packages
|
||||||
import json
|
import json
|
||||||
import hmac
|
|
||||||
import bcrypt
|
|
||||||
|
|
||||||
#import local packages
|
#import local packages
|
||||||
import ioconfig
|
import ioconfig
|
||||||
|
@ -20,12 +18,13 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
|
||||||
else:
|
else:
|
||||||
ioconfig.logger.info('client[{}]> does not exist. creating...'.format(clientid))
|
ioconfig.logger.info('client[{}]> does not exist. creating...'.format(clientid))
|
||||||
#generate password and send it to the client
|
#generate password and send it to the client
|
||||||
newpass = utils.genpassword(30)
|
#newpass = utils.genpassword(30)
|
||||||
ioconfig.logger.info('client[{}]> initial password is: {}'.format(clientid, newpass))
|
#ioconfig.logger.info('client[{}]> initial password is: {}'.format(clientid, newpass))
|
||||||
salt = bcrypt.gensalt()
|
#salt = bcrypt.gensalt()
|
||||||
b_newpass = newpass.encode('ascii')
|
#b_newpass = newpass.encode('ascii')
|
||||||
encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
|
#encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
|
||||||
vcard = { 'name':str(clientname), 'email':str(clientemail), 'encpasswd':str(encpasswd), 'id':str(clientid) }
|
#vcard = { 'name':str(clientname), 'email':str(clientemail), 'encpasswd':str(encpasswd), 'id':str(clientid) }
|
||||||
|
vcard = { 'name':str(clientname), 'email':str(clientemail), 'id':str(clientid) }
|
||||||
newclient = { str(clientid):vcard }
|
newclient = { str(clientid):vcard }
|
||||||
clientsdb.update(newclient)
|
clientsdb.update(newclient)
|
||||||
#Send initial email to the user as we will use the internal auth from now on.
|
#Send initial email to the user as we will use the internal auth from now on.
|
||||||
|
@ -38,86 +37,27 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
|
||||||
writeclientsdb(clientsdb)
|
writeclientsdb(clientsdb)
|
||||||
|
|
||||||
|
|
||||||
def setencpasswd(clientemail, newpass):
|
def inventory(clientid):
|
||||||
""" setup a new management password """
|
|
||||||
salt = bcrypt.gensalt()
|
|
||||||
b_newpass = newpass.encode('ascii')
|
|
||||||
encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
|
|
||||||
|
|
||||||
try:
|
|
||||||
clientsdb = readclientsdb()
|
|
||||||
path = utils.get_path(clientsdb, clientemail)
|
|
||||||
c_id = str(path[0])
|
|
||||||
#check the returned path with forward query
|
|
||||||
query = clientsdb[c_id]['email']
|
|
||||||
#ioconfig.logger.info('client[{}]> path={}'.format(c_id, str(path)))
|
|
||||||
except:
|
|
||||||
ioconfig.logger.critical('clients> client {} not found'.format(clientemail))
|
|
||||||
raise
|
|
||||||
|
|
||||||
if query != clientemail:
|
|
||||||
ioconfig.logger.critical('clients> test query returns different vmname! check clients db for consistency!')
|
|
||||||
raise
|
|
||||||
else:
|
|
||||||
clientsdb[c_id]['encpasswd'] = encpasswd
|
|
||||||
ioconfig.logger.info('client[{}]> {} password changed!'.format(c_id, clientemail))
|
|
||||||
writeclientsdb(clientsdb)
|
|
||||||
#TODO: Send new email to the client to notify the password change. This time sending the password in plain text is not needed.
|
|
||||||
|
|
||||||
|
|
||||||
def checkin(clientid):
|
|
||||||
""" returns a list of owned vmids if client id matches the client database. (logged-in users)"""
|
""" returns a list of owned vmids if client id matches the client database. (logged-in users)"""
|
||||||
#1. search for the client
|
|
||||||
try:
|
try:
|
||||||
clientsdb = readclientsdb()
|
clientsdb = readclientsdb()
|
||||||
c_id = clientsdb[str(clientid)]
|
user = clientsdb[str(clientid)]
|
||||||
#c_id.pop('encpasswd')
|
email = user['email']
|
||||||
email = c_id['email']
|
|
||||||
ioconfig.logger.info('client[{}]> {} active'.format(clientid, email))
|
response = {}
|
||||||
return c_id
|
for vmid,data in user.items()
|
||||||
|
response[vmid] = data
|
||||||
|
response.pop('id')
|
||||||
|
response.pop('email')
|
||||||
|
response.pop('name')
|
||||||
|
|
||||||
|
ioconfig.logger.info('client[{}]> {} inventory sent.'.format(clientid, email))
|
||||||
|
return response
|
||||||
except:
|
except:
|
||||||
ioconfig.logger.error('clients> user id: {} could not be checked.'.format(clientid))
|
ioconfig.logger.error('clients> user id: {} could not be listed.'.format(clientid))
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
|
||||||
def validate(clientemail, password):
|
|
||||||
""" returns a list of owned vmids if credentials match an user from the database. (fresh logins)"""
|
|
||||||
#1. search for the client
|
|
||||||
try:
|
|
||||||
clientsdb = readclientsdb()
|
|
||||||
path = utils.get_path(clientsdb, clientemail)
|
|
||||||
c_id = str(path[0])
|
|
||||||
except:
|
|
||||||
ioconfig.logger.error('clients> {} was not found in the database!'.format(clientemail))
|
|
||||||
#log bad ips here...
|
|
||||||
return None
|
|
||||||
|
|
||||||
#2. check the password
|
|
||||||
encpass = clientsdb[c_id]['encpasswd']
|
|
||||||
b_srvpass = password.encode('ascii', 'ignore')
|
|
||||||
b_encpass = encpass.encode('ascii', 'ignore')
|
|
||||||
|
|
||||||
if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
|
|
||||||
#login successful
|
|
||||||
ioconfig.logger.info('client[{}]> {} logged in successfully'.format(c_id, clientemail))
|
|
||||||
#TODO: Notify admin
|
|
||||||
#3. generate vmlist to return the owned ids to the client.
|
|
||||||
return clientvms(clientsdb[c_id])
|
|
||||||
else:
|
|
||||||
ioconfig.logger.warning('client[{}]> {} access denied!'.format(c_id, clientemail))
|
|
||||||
#cant compare password
|
|
||||||
#TODO: Log attempts and block.
|
|
||||||
return None
|
|
||||||
|
|
||||||
|
|
||||||
def clientvms(vmlist):
|
|
||||||
""" generate vmlist """
|
|
||||||
response = {}
|
|
||||||
for vmid,data in vmlist.items():
|
|
||||||
response[vmid] = data
|
|
||||||
return response
|
|
||||||
|
|
||||||
|
|
||||||
def vmowner(vmid, vmname, verbose):
|
def vmowner(vmid, vmname, verbose):
|
||||||
""" find the owner of the vm """
|
""" find the owner of the vm """
|
||||||
clientsdb = readclientsdb()
|
clientsdb = readclientsdb()
|
||||||
|
@ -153,6 +93,57 @@ def writeclientsdb(clientsdb):
|
||||||
dbw.close()
|
dbw.close()
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__'
|
||||||
setencpasswd('fqdn', '123456')
|
setencpasswd('fqdn', '123456')
|
||||||
|
|
||||||
|
|
||||||
|
#def validate(clientemail, password):
|
||||||
|
# """ returns a list of owned vmids if credentials match an user from the database. (fresh logins)"""
|
||||||
|
# #1. search for the client
|
||||||
|
# try:
|
||||||
|
# clientsdb = readclientsdb()
|
||||||
|
# path = utils.get_path(clientsdb, clientemail)
|
||||||
|
# c_id = str(path[0])
|
||||||
|
# except:
|
||||||
|
# ioconfig.logger.error('clients> {} was not found in the database!'.format(clientemail))
|
||||||
|
# #log bad ips here...
|
||||||
|
# return None
|
||||||
|
# #2. check the password
|
||||||
|
# encpass = clientsdb[c_id]['encpasswd']
|
||||||
|
# b_srvpass = password.encode('ascii', 'ignore')
|
||||||
|
# b_encpass = encpass.encode('ascii', 'ignore')
|
||||||
|
# if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
|
||||||
|
# #login successful
|
||||||
|
# ioconfig.logger.info('client[{}]> {} logged in successfully'.format(c_id, clientemail))
|
||||||
|
# #3. generate vmlist to return the owned ids to the client.
|
||||||
|
# return clientvms(clientsdb[c_id])
|
||||||
|
# else:
|
||||||
|
# ioconfig.logger.warning('client[{}]> {} access denied!'.format(c_id, clientemail))
|
||||||
|
# #cant compare password
|
||||||
|
# return None
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#def setencpasswd(clientemail, newpass):
|
||||||
|
# """ setup a new management password """
|
||||||
|
# salt = bcrypt.gensalt()
|
||||||
|
# b_newpass = newpass.encode('ascii')
|
||||||
|
# encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
|
||||||
|
# try:
|
||||||
|
# clientsdb = readclientsdb()
|
||||||
|
# path = utils.get_path(clientsdb, clientemail)
|
||||||
|
# c_id = str(path[0])
|
||||||
|
# #check the returned path with forward query
|
||||||
|
# query = clientsdb[c_id]['email']
|
||||||
|
# #ioconfig.logger.info('client[{}]> path={}'.format(c_id, str(path)))
|
||||||
|
# except:
|
||||||
|
# ioconfig.logger.critical('clients> client {} not found'.format(clientemail))
|
||||||
|
# raise
|
||||||
|
#
|
||||||
|
# if query != clientemail:
|
||||||
|
# ioconfig.logger.critical('clients> test query returns different vmname! check clients db for consistency!')
|
||||||
|
# raise
|
||||||
|
# else:
|
||||||
|
# clientsdb[c_id]['encpasswd'] = encpasswd
|
||||||
|
# ioconfig.logger.info('client[{}]> {} password changed!'.format(c_id, clientemail))
|
||||||
|
# writeclientsdb(clientsdb)
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ def welcome():
|
||||||
def selector(fn, req, vmid=0):
|
def selector(fn, req, vmid=0):
|
||||||
""" try to exec commands """
|
""" try to exec commands """
|
||||||
json = req.context['doc']
|
json = req.context['doc']
|
||||||
#print(json) #TODO: remove debug print
|
#print(json)
|
||||||
apipass = json['apikey']
|
apipass = json['apikey']
|
||||||
if apipass != config.get('general', 'apipass'):
|
if apipass != config.get('general', 'apipass'):
|
||||||
status = falcon.HTTP_403
|
status = falcon.HTTP_403
|
||||||
|
@ -36,15 +36,9 @@ def selector(fn, req, vmid=0):
|
||||||
return status, body
|
return status, body
|
||||||
|
|
||||||
try:
|
try:
|
||||||
if fn == 'validate':
|
if fn == 'inventory':
|
||||||
clientemail = json['clientemail']
|
|
||||||
passwd = json['password']
|
|
||||||
#logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))
|
|
||||||
body = clientsdb.validate(clientemail, passwd)
|
|
||||||
|
|
||||||
elif fn == 'checkin':
|
|
||||||
clientid = json['clientid']
|
clientid = json['clientid']
|
||||||
body = clientsdb.checkin(clientid)
|
body = clientsdb.inventory(clientid)
|
||||||
|
|
||||||
elif fn == 'vmcreate':
|
elif fn == 'vmcreate':
|
||||||
body = plugin.vmcreate(json)
|
body = plugin.vmcreate(json)
|
||||||
|
@ -147,18 +141,11 @@ def max_body(limit):
|
||||||
return hook
|
return hook
|
||||||
|
|
||||||
|
|
||||||
class ValidateResource(object):
|
class InventoryResource(object):
|
||||||
@falcon.before(max_body(64 * 1024))
|
|
||||||
def on_post(self, req, resp):
|
|
||||||
""" get clientemail and password, compare it with the client db and returns a list of managed objects """
|
|
||||||
resp.status, response = selector('validate', req)
|
|
||||||
req.context['result'] = response
|
|
||||||
|
|
||||||
class CheckInResource(object):
|
|
||||||
@falcon.before(max_body(64 * 1024))
|
@falcon.before(max_body(64 * 1024))
|
||||||
def on_post(self, req, resp):
|
def on_post(self, req, resp):
|
||||||
""" get client id, compare it with the client db and returns a list of managed objects """
|
""" get client id, compare it with the client db and returns a list of managed objects """
|
||||||
resp.status, response = selector('checkin', req)
|
resp.status, response = selector('inventory', req)
|
||||||
req.context['result'] = response
|
req.context['result'] = response
|
||||||
|
|
||||||
class CreateResource(object):
|
class CreateResource(object):
|
||||||
|
@ -250,11 +237,8 @@ wsgi_app = api = application = falcon.API(middleware=[
|
||||||
])
|
])
|
||||||
|
|
||||||
# setup routes
|
# setup routes
|
||||||
res_validate = ValidateResource()
|
res_inventory = InventoryResource()
|
||||||
api.add_route('/validate', res_validate)
|
api.add_route('/inventory', res_inventory)
|
||||||
|
|
||||||
res_checkin = CheckInResource()
|
|
||||||
api.add_route('/checkin', res_checkin)
|
|
||||||
|
|
||||||
res_create = CreateResource()
|
res_create = CreateResource()
|
||||||
api.add_route('/vmcreate', res_create)
|
api.add_route('/vmcreate', res_create)
|
||||||
|
|
Loading…
Reference in a new issue