simplifying user management
This commit is contained in:
parent
60401254cd
commit
b9b2eb0781
2 changed files with 80 additions and 105 deletions
151
clientsdb.py
151
clientsdb.py
|
@ -4,8 +4,6 @@
|
|||
|
||||
#import site packages
|
||||
import json
|
||||
import hmac
|
||||
import bcrypt
|
||||
|
||||
#import local packages
|
||||
import ioconfig
|
||||
|
@ -20,12 +18,13 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
|
|||
else:
|
||||
ioconfig.logger.info('client[{}]> does not exist. creating...'.format(clientid))
|
||||
#generate password and send it to the client
|
||||
newpass = utils.genpassword(30)
|
||||
ioconfig.logger.info('client[{}]> initial password is: {}'.format(clientid, newpass))
|
||||
salt = bcrypt.gensalt()
|
||||
b_newpass = newpass.encode('ascii')
|
||||
encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
|
||||
vcard = { 'name':str(clientname), 'email':str(clientemail), 'encpasswd':str(encpasswd), 'id':str(clientid) }
|
||||
#newpass = utils.genpassword(30)
|
||||
#ioconfig.logger.info('client[{}]> initial password is: {}'.format(clientid, newpass))
|
||||
#salt = bcrypt.gensalt()
|
||||
#b_newpass = newpass.encode('ascii')
|
||||
#encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
|
||||
#vcard = { 'name':str(clientname), 'email':str(clientemail), 'encpasswd':str(encpasswd), 'id':str(clientid) }
|
||||
vcard = { 'name':str(clientname), 'email':str(clientemail), 'id':str(clientid) }
|
||||
newclient = { str(clientid):vcard }
|
||||
clientsdb.update(newclient)
|
||||
#Send initial email to the user as we will use the internal auth from now on.
|
||||
|
@ -38,84 +37,25 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
|
|||
writeclientsdb(clientsdb)
|
||||
|
||||
|
||||
def setencpasswd(clientemail, newpass):
|
||||
""" setup a new management password """
|
||||
salt = bcrypt.gensalt()
|
||||
b_newpass = newpass.encode('ascii')
|
||||
encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
|
||||
|
||||
try:
|
||||
clientsdb = readclientsdb()
|
||||
path = utils.get_path(clientsdb, clientemail)
|
||||
c_id = str(path[0])
|
||||
#check the returned path with forward query
|
||||
query = clientsdb[c_id]['email']
|
||||
#ioconfig.logger.info('client[{}]> path={}'.format(c_id, str(path)))
|
||||
except:
|
||||
ioconfig.logger.critical('clients> client {} not found'.format(clientemail))
|
||||
raise
|
||||
|
||||
if query != clientemail:
|
||||
ioconfig.logger.critical('clients> test query returns different vmname! check clients db for consistency!')
|
||||
raise
|
||||
else:
|
||||
clientsdb[c_id]['encpasswd'] = encpasswd
|
||||
ioconfig.logger.info('client[{}]> {} password changed!'.format(c_id, clientemail))
|
||||
writeclientsdb(clientsdb)
|
||||
#TODO: Send new email to the client to notify the password change. This time sending the password in plain text is not needed.
|
||||
|
||||
|
||||
def checkin(clientid):
|
||||
def inventory(clientid):
|
||||
""" returns a list of owned vmids if client id matches the client database. (logged-in users)"""
|
||||
#1. search for the client
|
||||
try:
|
||||
clientsdb = readclientsdb()
|
||||
c_id = clientsdb[str(clientid)]
|
||||
#c_id.pop('encpasswd')
|
||||
email = c_id['email']
|
||||
ioconfig.logger.info('client[{}]> {} active'.format(clientid, email))
|
||||
return c_id
|
||||
except:
|
||||
ioconfig.logger.error('clients> user id: {} could not be checked.'.format(clientid))
|
||||
return None
|
||||
user = clientsdb[str(clientid)]
|
||||
email = user['email']
|
||||
|
||||
|
||||
def validate(clientemail, password):
|
||||
""" returns a list of owned vmids if credentials match an user from the database. (fresh logins)"""
|
||||
#1. search for the client
|
||||
try:
|
||||
clientsdb = readclientsdb()
|
||||
path = utils.get_path(clientsdb, clientemail)
|
||||
c_id = str(path[0])
|
||||
except:
|
||||
ioconfig.logger.error('clients> {} was not found in the database!'.format(clientemail))
|
||||
#log bad ips here...
|
||||
return None
|
||||
|
||||
#2. check the password
|
||||
encpass = clientsdb[c_id]['encpasswd']
|
||||
b_srvpass = password.encode('ascii', 'ignore')
|
||||
b_encpass = encpass.encode('ascii', 'ignore')
|
||||
|
||||
if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
|
||||
#login successful
|
||||
ioconfig.logger.info('client[{}]> {} logged in successfully'.format(c_id, clientemail))
|
||||
#TODO: Notify admin
|
||||
#3. generate vmlist to return the owned ids to the client.
|
||||
return clientvms(clientsdb[c_id])
|
||||
else:
|
||||
ioconfig.logger.warning('client[{}]> {} access denied!'.format(c_id, clientemail))
|
||||
#cant compare password
|
||||
#TODO: Log attempts and block.
|
||||
return None
|
||||
|
||||
|
||||
def clientvms(vmlist):
|
||||
""" generate vmlist """
|
||||
response = {}
|
||||
for vmid,data in vmlist.items():
|
||||
for vmid,data in user.items()
|
||||
response[vmid] = data
|
||||
response.pop('id')
|
||||
response.pop('email')
|
||||
response.pop('name')
|
||||
|
||||
ioconfig.logger.info('client[{}]> {} inventory sent.'.format(clientid, email))
|
||||
return response
|
||||
except:
|
||||
ioconfig.logger.error('clients> user id: {} could not be listed.'.format(clientid))
|
||||
return None
|
||||
|
||||
|
||||
def vmowner(vmid, vmname, verbose):
|
||||
|
@ -153,6 +93,57 @@ def writeclientsdb(clientsdb):
|
|||
dbw.close()
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
if __name__ == '__main__'
|
||||
setencpasswd('fqdn', '123456')
|
||||
|
||||
|
||||
#def validate(clientemail, password):
|
||||
# """ returns a list of owned vmids if credentials match an user from the database. (fresh logins)"""
|
||||
# #1. search for the client
|
||||
# try:
|
||||
# clientsdb = readclientsdb()
|
||||
# path = utils.get_path(clientsdb, clientemail)
|
||||
# c_id = str(path[0])
|
||||
# except:
|
||||
# ioconfig.logger.error('clients> {} was not found in the database!'.format(clientemail))
|
||||
# #log bad ips here...
|
||||
# return None
|
||||
# #2. check the password
|
||||
# encpass = clientsdb[c_id]['encpasswd']
|
||||
# b_srvpass = password.encode('ascii', 'ignore')
|
||||
# b_encpass = encpass.encode('ascii', 'ignore')
|
||||
# if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
|
||||
# #login successful
|
||||
# ioconfig.logger.info('client[{}]> {} logged in successfully'.format(c_id, clientemail))
|
||||
# #3. generate vmlist to return the owned ids to the client.
|
||||
# return clientvms(clientsdb[c_id])
|
||||
# else:
|
||||
# ioconfig.logger.warning('client[{}]> {} access denied!'.format(c_id, clientemail))
|
||||
# #cant compare password
|
||||
# return None
|
||||
#
|
||||
#
|
||||
#def setencpasswd(clientemail, newpass):
|
||||
# """ setup a new management password """
|
||||
# salt = bcrypt.gensalt()
|
||||
# b_newpass = newpass.encode('ascii')
|
||||
# encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
|
||||
# try:
|
||||
# clientsdb = readclientsdb()
|
||||
# path = utils.get_path(clientsdb, clientemail)
|
||||
# c_id = str(path[0])
|
||||
# #check the returned path with forward query
|
||||
# query = clientsdb[c_id]['email']
|
||||
# #ioconfig.logger.info('client[{}]> path={}'.format(c_id, str(path)))
|
||||
# except:
|
||||
# ioconfig.logger.critical('clients> client {} not found'.format(clientemail))
|
||||
# raise
|
||||
#
|
||||
# if query != clientemail:
|
||||
# ioconfig.logger.critical('clients> test query returns different vmname! check clients db for consistency!')
|
||||
# raise
|
||||
# else:
|
||||
# clientsdb[c_id]['encpasswd'] = encpasswd
|
||||
# ioconfig.logger.info('client[{}]> {} password changed!'.format(c_id, clientemail))
|
||||
# writeclientsdb(clientsdb)
|
||||
|
||||
|
|
|
@ -27,7 +27,7 @@ def welcome():
|
|||
def selector(fn, req, vmid=0):
|
||||
""" try to exec commands """
|
||||
json = req.context['doc']
|
||||
#print(json) #TODO: remove debug print
|
||||
#print(json)
|
||||
apipass = json['apikey']
|
||||
if apipass != config.get('general', 'apipass'):
|
||||
status = falcon.HTTP_403
|
||||
|
@ -36,15 +36,9 @@ def selector(fn, req, vmid=0):
|
|||
return status, body
|
||||
|
||||
try:
|
||||
if fn == 'validate':
|
||||
clientemail = json['clientemail']
|
||||
passwd = json['password']
|
||||
#logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))
|
||||
body = clientsdb.validate(clientemail, passwd)
|
||||
|
||||
elif fn == 'checkin':
|
||||
if fn == 'inventory':
|
||||
clientid = json['clientid']
|
||||
body = clientsdb.checkin(clientid)
|
||||
body = clientsdb.inventory(clientid)
|
||||
|
||||
elif fn == 'vmcreate':
|
||||
body = plugin.vmcreate(json)
|
||||
|
@ -147,18 +141,11 @@ def max_body(limit):
|
|||
return hook
|
||||
|
||||
|
||||
class ValidateResource(object):
|
||||
@falcon.before(max_body(64 * 1024))
|
||||
def on_post(self, req, resp):
|
||||
""" get clientemail and password, compare it with the client db and returns a list of managed objects """
|
||||
resp.status, response = selector('validate', req)
|
||||
req.context['result'] = response
|
||||
|
||||
class CheckInResource(object):
|
||||
class InventoryResource(object):
|
||||
@falcon.before(max_body(64 * 1024))
|
||||
def on_post(self, req, resp):
|
||||
""" get client id, compare it with the client db and returns a list of managed objects """
|
||||
resp.status, response = selector('checkin', req)
|
||||
resp.status, response = selector('inventory', req)
|
||||
req.context['result'] = response
|
||||
|
||||
class CreateResource(object):
|
||||
|
@ -250,11 +237,8 @@ wsgi_app = api = application = falcon.API(middleware=[
|
|||
])
|
||||
|
||||
# setup routes
|
||||
res_validate = ValidateResource()
|
||||
api.add_route('/validate', res_validate)
|
||||
|
||||
res_checkin = CheckInResource()
|
||||
api.add_route('/checkin', res_checkin)
|
||||
res_inventory = InventoryResource()
|
||||
api.add_route('/inventory', res_inventory)
|
||||
|
||||
res_create = CreateResource()
|
||||
api.add_route('/vmcreate', res_create)
|
||||
|
|
Loading…
Reference in a new issue