Home Explore Help
Sign In
bux
/
tracim_v2
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
62 Commits
1 Branches
Tree: a06ce49993
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a06ce49993'
${ noResults }
tracim_v2/tracim/models/auth.py

auth.py 10KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320 
  1. # -*- coding: utf-8 -*-

  2. """

  3. Auth* related model.

  4. 

  5. This is where the models used by the authentication stack are defined.

  6. 

  7. It's perfectly fine to re-use this definition in the tracim application,

  8. though.

  9. """

  10. import os

  11. import time

  12. import uuid

  13. 

  14. from datetime import datetime

  15. from hashlib import sha256

  16. from typing import TYPE_CHECKING

  17. 

  18. from sqlalchemy import Column

  19. from sqlalchemy import ForeignKey

  20. from sqlalchemy import Sequence

  21. from sqlalchemy import Table

  22. from sqlalchemy.ext.hybrid import hybrid_property

  23. from sqlalchemy.orm import relation

  24. from sqlalchemy.orm import relationship

  25. from sqlalchemy.orm import synonym

  26. from sqlalchemy.types import Boolean

  27. from sqlalchemy.types import DateTime

  28. from sqlalchemy.types import Integer

  29. from sqlalchemy.types import Unicode

  30. 

  31. from tracim.lib.utils.translation import fake_translator as l_

  32. from tracim.models.meta import DeclarativeBase

  33. from tracim.models.meta import metadata

  34. if TYPE_CHECKING:

  35.     from tracim.models.data import Workspace

  36.     from tracim.models.data import UserRoleInWorkspace

  37. __all__ = ['User', 'Group', 'Permission']

  38. 

  39. # This is the association table for the many-to-many relationship between

  40. # groups and permissions.

  41. group_permission_table = Table('group_permission', metadata,

  42.     Column('group_id', Integer, ForeignKey('groups.group_id',

  43.         onupdate="CASCADE", ondelete="CASCADE"), primary_key=True),

  44.     Column('permission_id', Integer, ForeignKey('permissions.permission_id',

  45.         onupdate="CASCADE", ondelete="CASCADE"), primary_key=True)

  46. )

  47. 

  48. # This is the association table for the many-to-many relationship between

  49. # groups and members - this is, the memberships.

  50. user_group_table = Table('user_group', metadata,

  51.     Column('user_id', Integer, ForeignKey('users.user_id',

  52.         onupdate="CASCADE", ondelete="CASCADE"), primary_key=True),

  53.     Column('group_id', Integer, ForeignKey('groups.group_id',

  54.         onupdate="CASCADE", ondelete="CASCADE"), primary_key=True)

  55. )

  56. 

  57. 

  58. class Group(DeclarativeBase):

  59. 

  60.     TIM_NOBODY = 0

  61.     TIM_USER = 1

  62.     TIM_MANAGER = 2

  63.     TIM_ADMIN = 3

  64. 

  65.     TIM_NOBODY_GROUPNAME = 'nobody'

  66.     TIM_USER_GROUPNAME = 'users'

  67.     TIM_MANAGER_GROUPNAME = 'managers'

  68.     TIM_ADMIN_GROUPNAME = 'administrators'

  69. 

  70.     __tablename__ = 'groups'

  71. 

  72.     group_id = Column(Integer, Sequence('seq__groups__group_id'), autoincrement=True, primary_key=True)

  73.     group_name = Column(Unicode(16), unique=True, nullable=False)

  74.     display_name = Column(Unicode(255))

  75.     created = Column(DateTime, default=datetime.utcnow)

  76. 

  77.     users = relationship('User', secondary=user_group_table, backref='groups')

  78. 

  79.     def __repr__(self):

  80.         return '<Group: name=%s>' % repr(self.group_name)

  81. 

  82.     def __unicode__(self):

  83.         return self.group_name

  84. 

  85.     @classmethod

  86.     def by_group_name(cls, group_name, dbsession):

  87.         """Return the user object whose email address is ``email``."""

  88.         return dbsession.query(cls).filter_by(group_name=group_name).first()

  89. 

  90. 

  91. class Profile(object):

  92.     """This model is the "max" group associated to a given user."""

  93. 

  94.     _NAME = [Group.TIM_NOBODY_GROUPNAME,

  95.              Group.TIM_USER_GROUPNAME,

  96.              Group.TIM_MANAGER_GROUPNAME,

  97.              Group.TIM_ADMIN_GROUPNAME]

  98. 

  99.     _LABEL = [l_('Nobody'),

  100.               l_('Users'),

  101.               l_('Global managers'),

  102.               l_('Administrators')]

  103. 

  104.     def __init__(self, profile_id):

  105.         assert isinstance(profile_id, int)

  106.         self.id = profile_id

  107.         self.name = Profile._NAME[profile_id]

  108.         self.label = Profile._LABEL[profile_id]

  109. 

  110. 

  111. class User(DeclarativeBase):

  112.     """

  113.     User definition.

  114. 

  115.     This is the user definition used by :mod:`repoze.who`, which requires at

  116.     least the ``email`` column.

  117.     """

  118. 

  119.     __tablename__ = 'users'

  120. 

  121.     user_id = Column(Integer, Sequence('seq__users__user_id'), autoincrement=True, primary_key=True)

  122.     email = Column(Unicode(255), unique=True, nullable=False)

  123.     display_name = Column(Unicode(255))

  124.     _password = Column('password', Unicode(128))

  125.     created = Column(DateTime, default=datetime.utcnow)

  126.     is_active = Column(Boolean, default=True, nullable=False)

  127.     imported_from = Column(Unicode(32), nullable=True)

  128.     timezone = Column(Unicode(255), nullable=False, server_default='')

  129.     # TODO - G.M - 04-04-2018 - [auth] Check if this is already needed

  130.     # with new auth system

  131.     auth_token = Column(Unicode(255))

  132.     auth_token_created = Column(DateTime)

  133. 

  134.     @hybrid_property

  135.     def email_address(self):

  136.         return self.email

  137. 

  138.     def __repr__(self):

  139.         return '<User: email=%s, display=%s>' % (

  140.                 repr(self.email), repr(self.display_name))

  141. 

  142.     def __unicode__(self):

  143.         return self.display_name or self.email

  144. 

  145.     @property

  146.     def permissions(self):

  147.         """Return a set with all permissions granted to the user."""

  148.         perms = set()

  149.         for g in self.groups:

  150.             perms = perms | set(g.permissions)

  151.         return perms

  152. 

  153.     @property

  154.     def profile(self) -> Profile:

  155.         profile_id = 0

  156.         if len(self.groups) > 0:

  157.             profile_id = max(group.group_id for group in self.groups)

  158.         return Profile(profile_id)

  159. 

  160.     # TODO - G-M - 27-03-2018 - [Calendar] Check about calendar code

  161.     # @property

  162.     # def calendar_url(self) -> str:

  163.     #     # TODO - 20160531 - Bastien: Cyclic import if import in top of file

  164.     #     from tracim.lib.calendar import CalendarManager

  165.     #     calendar_manager = CalendarManager(None)

  166.     #

  167.     #     return calendar_manager.get_user_calendar_url(self.user_id)

  168. 

  169.     @classmethod

  170.     def by_email_address(cls, email, dbsession):

  171.         """Return the user object whose email address is ``email``."""

  172.         return dbsession.query(cls).filter_by(email=email).first()

  173. 

  174.     @classmethod

  175.     def by_user_name(cls, username, dbsession):

  176.         """Return the user object whose user name is ``username``."""

  177.         return dbsession.query(cls).filter_by(email=username).first()

  178. 

  179.     @classmethod

  180.     def _hash_password(cls, cleartext_password: str) -> str:

  181.         salt = sha256()

  182.         salt.update(os.urandom(60))

  183.         salt = salt.hexdigest()

  184. 

  185.         hash = sha256()

  186.         # Make sure password is a str because we cannot hash unicode objects

  187.         hash.update((cleartext_password + salt).encode('utf-8'))

  188.         hash = hash.hexdigest()

  189. 

  190.         ciphertext_password = salt + hash

  191. 

  192.         # Make sure the hashed password is a unicode object at the end of the

  193.         # process because SQLAlchemy _wants_ unicode objects for Unicode cols

  194.         # FIXME - D.A. - 2013-11-20 - The following line has been removed since using python3. Is this normal ?!

  195.         # password = password.decode('utf-8')

  196. 

  197.         return ciphertext_password

  198. 

  199.     def _set_password(self, cleartext_password: str) -> None:

  200.         """

  201.         Set ciphertext password from cleartext password.

  202. 

  203.         Hash cleartext password on the fly,

  204.         Store its ciphertext version,

  205.         """

  206.         self._password = self._hash_password(cleartext_password)

  207. 

  208.     def _get_password(self) -> str:

  209.         """Return the hashed version of the password."""

  210.         return self._password

  211. 

  212.     password = synonym('_password', descriptor=property(_get_password,

  213.                                                         _set_password))

  214. 

  215.     def validate_password(self, cleartext_password: str) -> bool:

  216.         """

  217.         Check the password against existing credentials.

  218. 

  219.         :param cleartext_password: the password that was provided by the user

  220.             to try and authenticate. This is the clear text version that we

  221.             will need to match against the hashed one in the database.

  222.         :type cleartext_password: unicode object.

  223.         :return: Whether the password is valid.

  224.         :rtype: bool

  225. 

  226.         """

  227.         result = False

  228.         if self.password:

  229.             hash = sha256()

  230.             hash.update((cleartext_password + self.password[:64]).encode('utf-8'))

  231.             result = self.password[64:] == hash.hexdigest()

  232.         return result

  233. 

  234.     def get_display_name(self, remove_email_part: bool=False) -> str:

  235.         """

  236.         Get a name to display from corresponding member or email.

  237. 

  238.         :param remove_email_part: If True and display name based on email,

  239.             remove @xxx.xxx part of email in returned value

  240.         :return: display name based on user name or email.

  241.         """

  242.         if self.display_name:

  243.             return self.display_name

  244.         else:

  245.             if remove_email_part:

  246.                 at_pos = self.email.index('@')

  247.                 return self.email[0:at_pos]

  248.             return self.email

  249. 

  250.     def get_role(self, workspace: 'Workspace') -> int:

  251.         for role in self.roles:

  252.             if role.workspace == workspace:

  253.                 return role.role

  254. 

  255.         return UserRoleInWorkspace.NOT_APPLICABLE

  256. 

  257.     def get_active_roles(self) -> ['UserRoleInWorkspace']:

  258.         """

  259.         :return: list of roles of the user for all not-deleted workspaces

  260.         """

  261.         roles = []

  262.         for role in self.roles:

  263.             if not role.workspace.is_deleted:

  264.                 roles.append(role)

  265.         return roles

  266. 

  267.     # TODO - G.M - 04-04-2018 - [auth] Check if this is already needed

  268.     # with new auth system

  269.     def ensure_auth_token(self, validity_seconds, session) -> None:

  270.         """

  271.         Create auth_token if None, regenerate auth_token if too much old.

  272. 

  273.         auth_token validity is set in

  274.         :return:

  275.         """

  276. 

  277.         if not self.auth_token or not self.auth_token_created:

  278.             self.auth_token = str(uuid.uuid4())

  279.             self.auth_token_created = datetime.utcnow()

  280.             session.flush()

  281.             return

  282. 

  283.         now_seconds = time.mktime(datetime.utcnow().timetuple())

  284.         auth_token_seconds = time.mktime(self.auth_token_created.timetuple())

  285.         difference = now_seconds - auth_token_seconds

  286. 

  287.         if difference > validity_seconds:

  288.             self.auth_token = str(uuid.uuid4())

  289.             self.auth_token_created = datetime.utcnow()

  290.             session.flush()

  291. 

  292. 

  293. class Permission(DeclarativeBase):

  294.     """

  295.     Permission definition.

  296. 

  297.     Only the ``permission_name`` column is required.

  298. 

  299.     """

  300. 

  301.     __tablename__ = 'permissions'

  302. 

  303.     permission_id = Column(

  304.         Integer,

  305.         Sequence('seq__permissions__permission_id'),

  306.         autoincrement=True,

  307.         primary_key=True

  308.     )

  309.     permission_name = Column(Unicode(63), unique=True, nullable=False)

  310.     description = Column(Unicode(255))

  311. 

  312.     groups = relation(Group, secondary=group_permission_table,

  313.                       backref='permissions')

  314. 

  315.     def __repr__(self):

  316.         return '<Permission: name=%s>' % repr(self.permission_name)

  317. 

  318.     def __unicode__(self):

  319.         return self.permission_name