auth.py 11KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333
  1. # -*- coding: utf-8 -*-
  2. """
  3. Auth* related model.
  4. This is where the models used by the authentication stack are defined.
  5. It's perfectly fine to re-use this definition in the tracim application,
  6. though.
  7. """
  8. import os
  9. import time
  10. import uuid
  11. from datetime import datetime
  12. from hashlib import sha256
  13. from typing import TYPE_CHECKING
  14. import sqlalchemy
  15. from sqlalchemy import Column
  16. from sqlalchemy import ForeignKey
  17. from sqlalchemy import Sequence
  18. from sqlalchemy import Table
  19. from sqlalchemy.ext.hybrid import hybrid_property
  20. from sqlalchemy.orm import relation
  21. from sqlalchemy.orm import relationship
  22. from sqlalchemy.orm import synonym
  23. from sqlalchemy.types import Boolean
  24. from sqlalchemy.types import DateTime
  25. from sqlalchemy.types import Integer
  26. from sqlalchemy.types import Unicode
  27. from tracim_backend.lib.utils.translation import fake_translator as l_
  28. from tracim_backend.models.meta import DeclarativeBase
  29. from tracim_backend.models.meta import metadata
  30. if TYPE_CHECKING:
  31. from tracim_backend.models.data import Workspace
  32. from tracim_backend.models.data import UserRoleInWorkspace
  33. __all__ = ['User', 'Group', 'Permission']
  34. # This is the association table for the many-to-many relationship between
  35. # groups and permissions.
  36. group_permission_table = Table('group_permission', metadata,
  37. Column('group_id', Integer, ForeignKey('groups.group_id',
  38. onupdate="CASCADE", ondelete="CASCADE"), primary_key=True),
  39. Column('permission_id', Integer, ForeignKey('permissions.permission_id',
  40. onupdate="CASCADE", ondelete="CASCADE"), primary_key=True)
  41. )
  42. # This is the association table for the many-to-many relationship between
  43. # groups and members - this is, the memberships.
  44. user_group_table = Table('user_group', metadata,
  45. Column('user_id', Integer, ForeignKey('users.user_id',
  46. onupdate="CASCADE", ondelete="CASCADE"), primary_key=True),
  47. Column('group_id', Integer, ForeignKey('groups.group_id',
  48. onupdate="CASCADE", ondelete="CASCADE"), primary_key=True)
  49. )
  50. class Group(DeclarativeBase):
  51. TIM_NOBODY = 0
  52. TIM_USER = 1
  53. TIM_MANAGER = 2
  54. TIM_ADMIN = 3
  55. TIM_NOBODY_GROUPNAME = 'nobody'
  56. TIM_USER_GROUPNAME = 'users'
  57. TIM_MANAGER_GROUPNAME = 'managers'
  58. TIM_ADMIN_GROUPNAME = 'administrators'
  59. __tablename__ = 'groups'
  60. group_id = Column(Integer, Sequence('seq__groups__group_id'), autoincrement=True, primary_key=True)
  61. group_name = Column(Unicode(16), unique=True, nullable=False)
  62. display_name = Column(Unicode(255))
  63. created = Column(DateTime, default=datetime.utcnow)
  64. users = relationship('User', secondary=user_group_table, backref='groups')
  65. def __repr__(self):
  66. return '<Group: name=%s>' % repr(self.group_name)
  67. def __unicode__(self):
  68. return self.group_name
  69. @classmethod
  70. def by_group_name(cls, group_name, dbsession):
  71. """Return the user object whose email address is ``email``."""
  72. return dbsession.query(cls).filter_by(group_name=group_name).first()
  73. class Profile(object):
  74. """This model is the "max" group associated to a given user."""
  75. _NAME = [
  76. Group.TIM_NOBODY_GROUPNAME,
  77. Group.TIM_USER_GROUPNAME,
  78. Group.TIM_MANAGER_GROUPNAME,
  79. Group.TIM_ADMIN_GROUPNAME,
  80. ]
  81. _IDS = [
  82. Group.TIM_NOBODY,
  83. Group.TIM_USER,
  84. Group.TIM_MANAGER,
  85. Group.TIM_ADMIN,
  86. ]
  87. # TODO - G.M - 18-04-2018 [Cleanup] Drop this
  88. # _LABEL = [l_('Nobody'),
  89. # l_('Users'),
  90. # l_('Global managers'),
  91. # l_('Administrators')]
  92. def __init__(self, profile_id):
  93. assert isinstance(profile_id, int)
  94. self.id = profile_id
  95. self.name = Profile._NAME[profile_id]
  96. # TODO - G.M - 18-04-2018 [Cleanup] Drop this
  97. # self.label = Profile._LABEL[profile_id]
  98. class User(DeclarativeBase):
  99. """
  100. User definition.
  101. This is the user definition used by :mod:`repoze.who`, which requires at
  102. least the ``email`` column.
  103. """
  104. __tablename__ = 'users'
  105. user_id = Column(Integer, Sequence('seq__users__user_id'), autoincrement=True, primary_key=True)
  106. email = Column(Unicode(255), unique=True, nullable=False)
  107. display_name = Column(Unicode(255))
  108. _password = Column('password', Unicode(128))
  109. created = Column(DateTime, default=datetime.utcnow)
  110. is_active = Column(Boolean, default=True, nullable=False)
  111. is_deleted = Column(Boolean, default=False, nullable=False, server_default=sqlalchemy.sql.expression.literal(False))
  112. imported_from = Column(Unicode(32), nullable=True)
  113. timezone = Column(Unicode(255), nullable=False, server_default='')
  114. # TODO - G.M - 04-04-2018 - [auth] Check if this is already needed
  115. # with new auth system
  116. auth_token = Column(Unicode(255))
  117. auth_token_created = Column(DateTime)
  118. @hybrid_property
  119. def email_address(self):
  120. return self.email
  121. def __repr__(self):
  122. return '<User: email=%s, display=%s>' % (
  123. repr(self.email), repr(self.display_name))
  124. def __unicode__(self):
  125. return self.display_name or self.email
  126. @property
  127. def permissions(self):
  128. """Return a set with all permissions granted to the user."""
  129. perms = set()
  130. for g in self.groups:
  131. perms = perms | set(g.permissions)
  132. return perms
  133. @property
  134. def profile(self) -> Profile:
  135. profile_id = 0
  136. if len(self.groups) > 0:
  137. profile_id = max(group.group_id for group in self.groups)
  138. return Profile(profile_id)
  139. # TODO - G-M - 20-04-2018 - [Calendar] Replace this in context model object
  140. # @property
  141. # def calendar_url(self) -> str:
  142. # # TODO - 20160531 - Bastien: Cyclic import if import in top of file
  143. # from tracim.lib.calendar import CalendarManager
  144. # calendar_manager = CalendarManager(None)
  145. #
  146. # return calendar_manager.get_user_calendar_url(self.user_id)
  147. @classmethod
  148. def by_email_address(cls, email, dbsession):
  149. """Return the user object whose email address is ``email``."""
  150. return dbsession.query(cls).filter_by(email=email).first()
  151. @classmethod
  152. def by_user_name(cls, username, dbsession):
  153. """Return the user object whose user name is ``username``."""
  154. return dbsession.query(cls).filter_by(email=username).first()
  155. @classmethod
  156. def _hash_password(cls, cleartext_password: str) -> str:
  157. salt = sha256()
  158. salt.update(os.urandom(60))
  159. salt = salt.hexdigest()
  160. hash = sha256()
  161. # Make sure password is a str because we cannot hash unicode objects
  162. hash.update((cleartext_password + salt).encode('utf-8'))
  163. hash = hash.hexdigest()
  164. ciphertext_password = salt + hash
  165. # Make sure the hashed password is a unicode object at the end of the
  166. # process because SQLAlchemy _wants_ unicode objects for Unicode cols
  167. # FIXME - D.A. - 2013-11-20 - The following line has been removed since using python3. Is this normal ?!
  168. # password = password.decode('utf-8')
  169. return ciphertext_password
  170. def _set_password(self, cleartext_password: str) -> None:
  171. """
  172. Set ciphertext password from cleartext password.
  173. Hash cleartext password on the fly,
  174. Store its ciphertext version,
  175. """
  176. self._password = self._hash_password(cleartext_password)
  177. def _get_password(self) -> str:
  178. """Return the hashed version of the password."""
  179. return self._password
  180. password = synonym('_password', descriptor=property(_get_password,
  181. _set_password))
  182. def validate_password(self, cleartext_password: str) -> bool:
  183. """
  184. Check the password against existing credentials.
  185. :param cleartext_password: the password that was provided by the user
  186. to try and authenticate. This is the clear text version that we
  187. will need to match against the hashed one in the database.
  188. :type cleartext_password: unicode object.
  189. :return: Whether the password is valid.
  190. :rtype: bool
  191. """
  192. result = False
  193. if self.password:
  194. hash = sha256()
  195. hash.update((cleartext_password + self.password[:64]).encode('utf-8'))
  196. result = self.password[64:] == hash.hexdigest()
  197. return result
  198. def get_display_name(self, remove_email_part: bool=False) -> str:
  199. """
  200. Get a name to display from corresponding member or email.
  201. :param remove_email_part: If True and display name based on email,
  202. remove @xxx.xxx part of email in returned value
  203. :return: display name based on user name or email.
  204. """
  205. if self.display_name:
  206. return self.display_name
  207. else:
  208. if remove_email_part:
  209. at_pos = self.email.index('@')
  210. return self.email[0:at_pos]
  211. return self.email
  212. def get_role(self, workspace: 'Workspace') -> int:
  213. for role in self.roles:
  214. if role.workspace == workspace:
  215. return role.role
  216. return UserRoleInWorkspace.NOT_APPLICABLE
  217. def get_active_roles(self) -> ['UserRoleInWorkspace']:
  218. """
  219. :return: list of roles of the user for all not-deleted workspaces
  220. """
  221. roles = []
  222. for role in self.roles:
  223. if not role.workspace.is_deleted:
  224. roles.append(role)
  225. return roles
  226. # TODO - G.M - 04-04-2018 - [auth] Check if this is already needed
  227. # with new auth system
  228. def ensure_auth_token(self, validity_seconds, session) -> None:
  229. """
  230. Create auth_token if None, regenerate auth_token if too much old.
  231. auth_token validity is set in
  232. :return:
  233. """
  234. if not self.auth_token or not self.auth_token_created:
  235. self.auth_token = str(uuid.uuid4())
  236. self.auth_token_created = datetime.utcnow()
  237. session.flush()
  238. return
  239. now_seconds = time.mktime(datetime.utcnow().timetuple())
  240. auth_token_seconds = time.mktime(self.auth_token_created.timetuple())
  241. difference = now_seconds - auth_token_seconds
  242. if difference > validity_seconds:
  243. self.auth_token = str(uuid.uuid4())
  244. self.auth_token_created = datetime.utcnow()
  245. session.flush()
  246. class Permission(DeclarativeBase):
  247. """
  248. Permission definition.
  249. Only the ``permission_name`` column is required.
  250. """
  251. __tablename__ = 'permissions'
  252. permission_id = Column(
  253. Integer,
  254. Sequence('seq__permissions__permission_id'),
  255. autoincrement=True,
  256. primary_key=True
  257. )
  258. permission_name = Column(Unicode(63), unique=True, nullable=False)
  259. description = Column(Unicode(255))
  260. groups = relation(Group, secondary=group_permission_table,
  261. backref='permissions')
  262. def __repr__(self):
  263. return '<Permission: name=%s>' % repr(self.permission_name)
  264. def __unicode__(self):
  265. return self.permission_name