osm_nbi/authconn_internal.py

# -*- coding: utf-8 -*-

# Copyright 2018 Telefonica S.A.
# Copyright 2018 ALTRAN Innovación S.L.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# For those usages not covered by the Apache License, Version 2.0 please
# contact: esousa@whitestack.com or glavado@whitestack.com
##

"""
AuthconnInternal implements implements the connector for
OSM Internal Authentication Backend and leverages the RBAC model
"""

__author__ = (
    "Pedro de la Cruz Ramos <pdelacruzramos@altran.com>, "
    "Alfonso Tierno <alfonso.tiernosepulveda@telefoncia.com"
)
__date__ = "$06-jun-2019 11:16:08$"

import logging
import re
import secrets
from osm_nbi.authconn import (
    Authconn,
    AuthException,
    AuthconnConflictException,
)  # , AuthconnOperationException
from osm_common.dbbase import DbException
from osm_nbi.base_topic import BaseTopic
from osm_nbi.utils import cef_event, cef_event_builder
from osm_nbi.password_utils import (
    hash_password,
    verify_password,
    verify_password_sha256,
)
from osm_nbi.validation import is_valid_uuid, email_schema
from time import time, sleep
from http import HTTPStatus
from uuid import uuid4
from copy import deepcopy
import smtplib
from email.message import EmailMessage
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart


class AuthconnInternal(Authconn):
    token_time_window = 2  # seconds
    token_delay = 1  # seconds to wait upon second request within time window

    users_collection = "users"
    roles_collection = "roles"
    projects_collection = "projects"
    tokens_collection = "tokens"

    def __init__(self, config, db, role_permissions):
        Authconn.__init__(self, config, db, role_permissions)
        self.logger = logging.getLogger("nbi.authenticator.internal")

        self.db = db
        # self.msg = msg
        # self.token_cache = token_cache

        # To be Confirmed
        self.sess = None
        self.cef_logger = cef_event_builder(config)

    def validate_token(self, token):
        """
        Check if the token is valid.

        :param token: token to validate
        :return: dictionary with information associated with the token:
            "_id": token id
            "project_id": project id
            "project_name": project name
            "user_id": user id
            "username": user name
            "roles": list with dict containing {name, id}
            "expires": expiration date
        If the token is not valid an exception is raised.
        """

        try:
            if not token:
                raise AuthException(
                    "Needed a token or Authorization HTTP header",
                    http_code=HTTPStatus.UNAUTHORIZED,
                )

            now = time()

            # get from database if not in cache
            # if not token_info:
            token_info = self.db.get_one(self.tokens_collection, {"_id": token})
            if token_info["expires"] < now:
                raise AuthException(
                    "Expired Token or Authorization HTTP header",
                    http_code=HTTPStatus.UNAUTHORIZED,
                )

            return token_info

        except DbException as e:
            if e.http_code == HTTPStatus.NOT_FOUND:
                raise AuthException(
                    "Invalid Token or Authorization HTTP header",
                    http_code=HTTPStatus.UNAUTHORIZED,
                )
            else:
                raise
        except AuthException:
            raise
        except Exception:
            self.logger.exception(
                "Error during token validation using internal backend"
            )
            raise AuthException(
                "Error during token validation using internal backend",
                http_code=HTTPStatus.UNAUTHORIZED,
            )

    def revoke_token(self, token):
        """
        Invalidate a token.

        :param token: token to be revoked
        """
        try:
            # self.token_cache.pop(token, None)
            self.db.del_one(self.tokens_collection, {"_id": token})
            return True
        except DbException as e:
            if e.http_code == HTTPStatus.NOT_FOUND:
                raise AuthException(
                    "Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND
                )
            else:
                # raise
                exmsg = "Error during token revocation using internal backend"
                self.logger.exception(exmsg)
                raise AuthException(exmsg, http_code=HTTPStatus.UNAUTHORIZED)

    def validate_user(self, user, password, otp=None):
        """
        Validate username and password via appropriate backend.
        :param user: username of the user.
        :param password: password to be validated.
        """
        user_rows = self.db.get_list(
            self.users_collection, {BaseTopic.id_field("users", user): user}
        )
        now = time()
        user_content = None
        if user:
            user_rows = self.db.get_list(
                self.users_collection,
                {BaseTopic.id_field(self.users_collection, user): user},
            )
            if user_rows:
                user_content = user_rows[0]
                # Updating user_status for every system_admin id role login
                mapped_roles = user_content.get("project_role_mappings")
                for role in mapped_roles:
                    role_id = role.get("role")
                    role_assigned = self.db.get_one(
                        self.roles_collection,
                        {BaseTopic.id_field(self.roles_collection, role_id): role_id},
                    )

                    if role_assigned.get("permissions")["admin"]:
                        if role_assigned.get("permissions")["default"]:
                            if self.config.get("user_management"):
                                filt = {}
                                users = self.db.get_list(self.users_collection, filt)
                                for user_info in users:
                                    if not user_info.get("username") == "admin":
                                        if not user_info.get("_admin").get(
                                            "account_expire_time"
                                        ):
                                            expire = now + 86400 * self.config.get(
                                                "account_expire_days"
                                            )
                                            self.db.set_one(
                                                self.users_collection,
                                                {"_id": user_info["_id"]},
                                                {"_admin.account_expire_time": expire},
                                            )
                                        else:
                                            if now > user_info.get("_admin").get(
                                                "account_expire_time"
                                            ):
                                                self.db.set_one(
                                                    self.users_collection,
                                                    {"_id": user_info["_id"]},
                                                    {"_admin.user_status": "expired"},
                                                )
                                break

                # To add "admin" user_status key while upgrading osm setup with feature enabled
                if user_content.get("username") == "admin":
                    if self.config.get("user_management"):
                        self.db.set_one(
                            self.users_collection,
                            {"_id": user_content["_id"]},
                            {"_admin.user_status": "always-active"},
                        )

                if not user_content.get("username") == "admin":
                    if self.config.get("user_management"):
                        if not user_content.get("_admin").get("account_expire_time"):
                            account_expire_time = now + 86400 * self.config.get(
                                "account_expire_days"
                            )
                            self.db.set_one(
                                self.users_collection,
                                {"_id": user_content["_id"]},
                                {"_admin.account_expire_time": account_expire_time},
                            )
                        else:
                            account_expire_time = user_content.get("_admin").get(
                                "account_expire_time"
                            )

                        if now > account_expire_time:
                            self.db.set_one(
                                self.users_collection,
                                {"_id": user_content["_id"]},
                                {"_admin.user_status": "expired"},
                            )
                            raise AuthException(
                                "Account expired", http_code=HTTPStatus.UNAUTHORIZED
                            )

                        if user_content.get("_admin").get("user_status") == "locked":
                            raise AuthException(
                                "Failed to login as the account is locked due to MANY FAILED ATTEMPTS"
                            )
                        elif user_content.get("_admin").get("user_status") == "expired":
                            raise AuthException(
                                "Failed to login as the account is expired"
                            )
                if otp:
                    return user_content
                correct_pwd = False
                if user_content.get("hashing_function") == "bcrypt":
                    correct_pwd = verify_password(
                        password=password, hashed_password_hex=user_content["password"]
                    )
                else:
                    correct_pwd = verify_password_sha256(
                        password=password,
                        hashed_password_hex=user_content["password"],
                        salt=user_content["_admin"]["salt"],
                    )
                if not correct_pwd:
                    count = 1
                    if user_content.get("_admin").get("retry_count") >= 0:
                        count += user_content.get("_admin").get("retry_count")
                        self.db.set_one(
                            self.users_collection,
                            {"_id": user_content["_id"]},
                            {"_admin.retry_count": count},
                        )
                        self.logger.debug(
                            "Failed Authentications count: {}".format(count)
                        )

                    if user_content.get("username") == "admin":
                        user_content = None
                    else:
                        if not self.config.get("user_management"):
                            user_content = None
                        else:
                            if (
                                user_content.get("_admin").get("retry_count")
                                >= self.config["max_pwd_attempt"] - 1
                            ):
                                self.db.set_one(
                                    self.users_collection,
                                    {"_id": user_content["_id"]},
                                    {"_admin.user_status": "locked"},
                                )
                                raise AuthException(
                                    "Failed to login as the account is locked due to MANY FAILED ATTEMPTS"
                                )
                            else:
                                user_content = None
                elif correct_pwd and user_content.get("hashing_function") != "bcrypt":
                    # Update the database using a more secure hashing function to store the password
                    user_content["password"] = hash_password(
                        password=password,
                        rounds=self.config.get("password_rounds", 12),
                    )
                    user_content["hashing_function"] = "bcrypt"
                    user_content["_admin"]["password_history_sha256"] = user_content[
                        "_admin"
                    ]["password_history"]
                    user_content["_admin"]["password_history"] = [
                        user_content["password"]
                    ]
                    del user_content["_admin"]["salt"]

                    uid = user_content["_id"]
                    idf = BaseTopic.id_field("users", uid)
                    self.db.set_one(self.users_collection, {idf: uid}, user_content)
        return user_content

    def authenticate(self, credentials, token_info=None):
        """
        Authenticate a user using username/password or previous token_info plus project; its creates a new token

        :param credentials: dictionary that contains:
            username: name, id or None
            password: password or None
            project_id: name, id, or None. If None first found project will be used to get an scope token
            other items are allowed and ignored
        :param token_info: previous token_info to obtain authorization
        :return: the scoped token info or raises an exception. The token is a dictionary with:
            _id:  token string id,
            username: username,
            project_id: scoped_token project_id,
            project_name: scoped_token project_name,
            expires: epoch time when it expires,
        """

        now = time()
        user_content = None
        user = credentials.get("username")
        password = credentials.get("password")
        project = credentials.get("project_id")
        otp_validation = credentials.get("otp")

        # Try using username/password
        if otp_validation:
            user_content = self.validate_user(user, password=None, otp=otp_validation)
        elif user:
            user_content = self.validate_user(user, password)
            if not user_content:
                cef_event(
                    self.cef_logger,
                    {
                        "name": "User login",
                        "sourceUserName": user,
                        "message": "Invalid username/password Project={} Outcome=Failure".format(
                            project
                        ),
                        "severity": "3",
                    },
                )
                self.logger.exception("{}".format(self.cef_logger))
                raise AuthException(
                    "Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED
                )
            if not user_content.get("_admin", None):
                raise AuthException(
                    "No default project for this user.",
                    http_code=HTTPStatus.UNAUTHORIZED,
                )
        elif token_info:
            user_rows = self.db.get_list(
                self.users_collection, {"username": token_info["username"]}
            )
            if user_rows:
                user_content = user_rows[0]
            else:
                raise AuthException("Invalid token", http_code=HTTPStatus.UNAUTHORIZED)
        else:
            raise AuthException(
                "Provide credentials: username/password or Authorization Bearer token",
                http_code=HTTPStatus.UNAUTHORIZED,
            )
        # Delay upon second request within time window
        if (
            now - user_content["_admin"].get("last_token_time", 0)
            < self.token_time_window
        ):
            sleep(self.token_delay)
        # user_content["_admin"]["last_token_time"] = now
        # self.db.replace("users", user_content["_id"], user_content)   # might cause race conditions
        user_data = {
            "_admin.last_token_time": now,
            "_admin.retry_count": 0,
        }
        self.db.set_one(
            self.users_collection,
            {"_id": user_content["_id"]},
            user_data,
        )

        # Generate a secure random 32 byte array base64 encoded for use in URLs
        token_id = secrets.token_urlsafe(32)

        # projects = user_content.get("projects", [])
        prm_list = user_content.get("project_role_mappings", [])

        if not project:
            project = prm_list[0]["project"] if prm_list else None
        if not project:
            raise AuthException(
                "can't find a default project for this user",
                http_code=HTTPStatus.UNAUTHORIZED,
            )

        projects = [prm["project"] for prm in prm_list]

        proj = self.db.get_one(
            self.projects_collection, {BaseTopic.id_field("projects", project): project}
        )
        project_name = proj["name"]
        project_id = proj["_id"]
        if project_name not in projects and project_id not in projects:
            raise AuthException(
                "project {} not allowed for this user".format(project),
                http_code=HTTPStatus.UNAUTHORIZED,
            )

        # TODO remove admin, this vill be used by roles RBAC
        if project_name == "admin":
            token_admin = True
        else:
            token_admin = proj.get("admin", False)

        # add token roles
        roles = []
        roles_list = []
        for prm in prm_list:
            if prm["project"] in [project_id, project_name]:
                role = self.db.get_one(
                    self.roles_collection,
                    {BaseTopic.id_field("roles", prm["role"]): prm["role"]},
                )
                rid = role["_id"]
                if rid not in roles:
                    rnm = role["name"]
                    roles.append(rid)
                    roles_list.append({"name": rnm, "id": rid})
        if not roles_list:
            rid = self.db.get_one(self.roles_collection, {"name": "project_admin"})[
                "_id"
            ]
            roles_list = [{"name": "project_admin", "id": rid}]

        login_count = user_content.get("_admin").get("retry_count")
        last_token_time = user_content.get("_admin").get("last_token_time")

        admin_show = False
        user_show = False
        if self.config.get("user_management"):
            for role in roles_list:
                role_id = role.get("id")
                permission = self.db.get_one(
                    self.roles_collection,
                    {BaseTopic.id_field(self.roles_collection, role_id): role_id},
                )
                if permission.get("permissions")["admin"]:
                    if permission.get("permissions")["default"]:
                        admin_show = True
                        break
            else:
                user_show = True
        new_token = {
            "issued_at": now,
            "expires": now + 3600,
            "_id": token_id,
            "id": token_id,
            "project_id": proj["_id"],
            "project_name": proj["name"],
            "username": user_content["username"],
            "user_id": user_content["_id"],
            "admin": token_admin,
            "roles": roles_list,
            "login_count": login_count,
            "last_login": last_token_time,
            "admin_show": admin_show,
            "user_show": user_show,
        }

        self.db.create(self.tokens_collection, new_token)
        return deepcopy(new_token)

    def get_role_list(self, filter_q={}):
        """
        Get role list.

        :return: returns the list of roles.
        """
        return self.db.get_list(self.roles_collection, filter_q)

    def create_role(self, role_info):
        """
        Create a role.

        :param role_info: full role info.
        :return: returns the role id.
        :raises AuthconnOperationException: if role creation failed.
        """
        # TODO: Check that role name does not exist ?
        rid = str(uuid4())
        role_info["_id"] = rid
        rid = self.db.create(self.roles_collection, role_info)
        return rid

    def delete_role(self, role_id):
        """
        Delete a role.

        :param role_id: role identifier.
        :raises AuthconnOperationException: if role deletion failed.
        """
        rc = self.db.del_one(self.roles_collection, {"_id": role_id})
        self.db.del_list(self.tokens_collection, {"roles.id": role_id})
        return rc

    def update_role(self, role_info):
        """
        Update a role.

        :param role_info: full role info.
        :return: returns the role name and id.
        :raises AuthconnOperationException: if user creation failed.
        """
        rid = role_info["_id"]
        self.db.set_one(self.roles_collection, {"_id": rid}, role_info)
        return {"_id": rid, "name": role_info["name"]}

    def create_user(self, user_info):
        """
        Create a user.

        :param user_info: full user info.
        :return: returns the username and id of the user.
        """
        BaseTopic.format_on_new(user_info, make_public=False)
        user_info["_admin"]["user_status"] = "active"
        present = time()
        if not user_info["username"] == "admin":
            if self.config.get("user_management"):
                user_info["_admin"]["modified"] = present
                user_info["_admin"]["password_expire_time"] = present
                account_expire_time = present + 86400 * self.config.get(
                    "account_expire_days"
                )
                user_info["_admin"]["account_expire_time"] = account_expire_time

        user_info["_admin"]["retry_count"] = 0
        user_info["_admin"]["last_token_time"] = present
        if "password" in user_info:
            user_info["password"] = hash_password(
                password=user_info["password"],
                rounds=self.config.get("password_rounds", 12),
            )
            user_info["hashing_function"] = "bcrypt"
            user_info["_admin"]["password_history"] = [user_info["password"]]
        # "projects" are not stored any more
        if "projects" in user_info:
            del user_info["projects"]
        self.db.create(self.users_collection, user_info)
        return {"username": user_info["username"], "_id": user_info["_id"]}

    def update_user(self, user_info):
        """
        Change the user name and/or password.

        :param user_info: user info modifications
        """
        uid = user_info["_id"]
        old_pwd = user_info.get("old_password")
        unlock = user_info.get("unlock")
        renew = user_info.get("renew")
        permission_id = user_info.get("system_admin_id")
        now = time()

        user_data = self.db.get_one(
            self.users_collection, {BaseTopic.id_field("users", uid): uid}
        )
        if old_pwd:
            correct_pwd = False
            if user_data.get("hashing_function") == "bcrypt":
                correct_pwd = verify_password(
                    password=old_pwd, hashed_password_hex=user_data["password"]
                )
            else:
                correct_pwd = verify_password_sha256(
                    password=old_pwd,
                    hashed_password_hex=user_data["password"],
                    salt=user_data["salt"],
                )
            if not correct_pwd:
                raise AuthconnConflictException(
                    "Incorrect password", http_code=HTTPStatus.CONFLICT
                )
        # Unlocking the user
        if unlock:
            system_user = None
            unlock_state = False
            if not permission_id:
                raise AuthconnConflictException(
                    "system_admin_id is the required field to unlock the user",
                    http_code=HTTPStatus.CONFLICT,
                )
            else:
                system_user = self.db.get_one(
                    self.users_collection,
                    {
                        BaseTopic.id_field(
                            self.users_collection, permission_id
                        ): permission_id
                    },
                )
                mapped_roles = system_user.get("project_role_mappings")
                for role in mapped_roles:
                    role_id = role.get("role")
                    role_assigned = self.db.get_one(
                        self.roles_collection,
                        {BaseTopic.id_field(self.roles_collection, role_id): role_id},
                    )
                    if role_assigned.get("permissions")["admin"]:
                        if role_assigned.get("permissions")["default"]:
                            user_data["_admin"]["retry_count"] = 0
                            if now > user_data["_admin"]["account_expire_time"]:
                                user_data["_admin"]["user_status"] = "expired"
                            else:
                                user_data["_admin"]["user_status"] = "active"
                            unlock_state = True
                            break
                if not unlock_state:
                    raise AuthconnConflictException(
                        "User '{}' does not have the privilege to unlock the user".format(
                            permission_id
                        ),
                        http_code=HTTPStatus.CONFLICT,
                    )
        # Renewing the user
        if renew:
            system_user = None
            renew_state = False
            if not permission_id:
                raise AuthconnConflictException(
                    "system_admin_id is the required field to renew the user",
                    http_code=HTTPStatus.CONFLICT,
                )
            else:
                system_user = self.db.get_one(
                    self.users_collection,
                    {
                        BaseTopic.id_field(
                            self.users_collection, permission_id
                        ): permission_id
                    },
                )
                mapped_roles = system_user.get("project_role_mappings")
                for role in mapped_roles:
                    role_id = role.get("role")
                    role_assigned = self.db.get_one(
                        self.roles_collection,
                        {BaseTopic.id_field(self.roles_collection, role_id): role_id},
                    )
                    if role_assigned.get("permissions")["admin"]:
                        if role_assigned.get("permissions")["default"]:
                            present = time()
                            account_expire = (
                                present + 86400 * self.config["account_expire_days"]
                            )
                            user_data["_admin"]["modified"] = present
                            user_data["_admin"]["account_expire_time"] = account_expire
                            if (
                                user_data["_admin"]["retry_count"]
                                >= self.config["max_pwd_attempt"]
                            ):
                                user_data["_admin"]["user_status"] = "locked"
                            else:
                                user_data["_admin"]["user_status"] = "active"
                            renew_state = True
                            break
                if not renew_state:
                    raise AuthconnConflictException(
                        "User '{}' does not have the privilege to renew the user".format(
                            permission_id
                        ),
                        http_code=HTTPStatus.CONFLICT,
                    )
        BaseTopic.format_on_edit(user_data, user_info)
        # User Name
        usnm = user_info.get("username")
        email_id = user_info.get("email_id")
        if usnm:
            user_data["username"] = usnm
        if email_id:
            user_data["email_id"] = email_id
        # If password is given and is not already encripted
        pswd = user_info.get("password")
        if pswd and (
            len(pswd) != 64 or not re.match("[a-fA-F0-9]*", pswd)
        ):  # TODO: Improve check?
            cef_event(
                self.cef_logger,
                {
                    "name": "Change Password",
                    "sourceUserName": user_data["username"],
                    "message": "User {} changing Password for user {}, Outcome=Success".format(
                        user_info.get("session_user"), user_data["username"]
                    ),
                    "severity": "2",
                },
            )
            self.logger.info("{}".format(self.cef_logger))
            if "_admin" not in user_data:
                user_data["_admin"] = {}
            if user_data.get("_admin").get("password_history"):
                old_pwds = user_data.get("_admin").get("password_history")
            else:
                old_pwds = []
            for v in old_pwds:
                if verify_password(password=pswd, hashed_password_hex=v):
                    raise AuthconnConflictException(
                        "Password is used before", http_code=HTTPStatus.CONFLICT
                    )

            # Backwards compatibility for SHA256 hashed passwords
            if user_data.get("_admin").get("password_history_sha256"):
                old_pwds_sha256 = user_data.get("_admin").get("password_history_sha256")
            else:
                old_pwds_sha256 = {}
            for k, v in old_pwds_sha256.items():
                if verify_password_sha256(password=pswd, hashed_password_hex=v, salt=k):
                    raise AuthconnConflictException(
                        "Password is used before", http_code=HTTPStatus.CONFLICT
                    )

            # Finally, hash the password to be updated
            user_data["password"] = hash_password(
                password=pswd, rounds=self.config.get("password_rounds", 12)
            )
            user_data["hashing_function"] = "bcrypt"

            if len(old_pwds) >= 3:
                old_pwds.pop(list(old_pwds.keys())[0])
            old_pwds.append([user_data["password"]])
            user_data["_admin"]["password_history"] = old_pwds
            if not user_data["username"] == "admin":
                if self.config.get("user_management"):
                    present = time()
                    if self.config.get("pwd_expire_days"):
                        expire = present + 86400 * self.config.get("pwd_expire_days")
                        user_data["_admin"]["modified"] = present
                        user_data["_admin"]["password_expire_time"] = expire
        # Project-Role Mappings
        # TODO: Check that user_info NEVER includes "project_role_mappings"
        if "project_role_mappings" not in user_data:
            user_data["project_role_mappings"] = []
        for prm in user_info.get("add_project_role_mappings", []):
            user_data["project_role_mappings"].append(prm)
        for prm in user_info.get("remove_project_role_mappings", []):
            for pidf in ["project", "project_name"]:
                for ridf in ["role", "role_name"]:
                    try:
                        user_data["project_role_mappings"].remove(
                            {"role": prm[ridf], "project": prm[pidf]}
                        )
                    except KeyError:
                        pass
                    except ValueError:
                        pass
        idf = BaseTopic.id_field("users", uid)
        self.db.set_one(self.users_collection, {idf: uid}, user_data)
        if user_info.get("remove_project_role_mappings"):
            idf = "user_id" if idf == "_id" else idf
            if not user_data.get("project_role_mappings") or user_info.get(
                "remove_session_project"
            ):
                self.db.del_list(self.tokens_collection, {idf: uid})

    def delete_user(self, user_id):
        """
        Delete user.

        :param user_id: user identifier.
        :raises AuthconnOperationException: if user deletion failed.
        """
        self.db.del_one(self.users_collection, {"_id": user_id})
        self.db.del_list(self.tokens_collection, {"user_id": user_id})
        return True

    def get_user_list(self, filter_q=None):
        """
        Get user list.

        :param filter_q: dictionary to filter user list by:
            name (username is also admitted).  If a user id is equal to the filter name, it is also provided
            other
        :return: returns a list of users.
        """
        filt = filter_q or {}
        if "name" in filt:  # backward compatibility
            filt["username"] = filt.pop("name")
        if filt.get("username") and is_valid_uuid(filt["username"]):
            # username cannot be a uuid. If this is the case, change from username to _id
            filt["_id"] = filt.pop("username")
        users = self.db.get_list(self.users_collection, filt)
        project_id_name = {}
        role_id_name = {}
        for user in users:
            prms = user.get("project_role_mappings")
            projects = user.get("projects")
            if prms:
                projects = []
                # add project_name and role_name. Generate projects for backward compatibility
                for prm in prms:
                    project_id = prm["project"]
                    if project_id not in project_id_name:
                        pr = self.db.get_one(
                            self.projects_collection,
                            {BaseTopic.id_field("projects", project_id): project_id},
                            fail_on_empty=False,
                        )
                        project_id_name[project_id] = pr["name"] if pr else None
                    prm["project_name"] = project_id_name[project_id]
                    if prm["project_name"] not in projects:
                        projects.append(prm["project_name"])

                    role_id = prm["role"]
                    if role_id not in role_id_name:
                        role = self.db.get_one(
                            self.roles_collection,
                            {BaseTopic.id_field("roles", role_id): role_id},
                            fail_on_empty=False,
                        )
                        role_id_name[role_id] = role["name"] if role else None
                    prm["role_name"] = role_id_name[role_id]
                user["projects"] = projects  # for backward compatibility
            elif projects:
                # user created with an old version. Create a project_role mapping with role project_admin
                user["project_role_mappings"] = []
                role = self.db.get_one(
                    self.roles_collection,
                    {BaseTopic.id_field("roles", "project_admin"): "project_admin"},
                )
                for p_id_name in projects:
                    pr = self.db.get_one(
                        self.projects_collection,
                        {BaseTopic.id_field("projects", p_id_name): p_id_name},
                    )
                    prm = {
                        "project": pr["_id"],
                        "project_name": pr["name"],
                        "role_name": "project_admin",
                        "role": role["_id"],
                    }
                    user["project_role_mappings"].append(prm)
            else:
                user["projects"] = []
                user["project_role_mappings"] = []

        return users

    def get_project_list(self, filter_q={}):
        """
        Get role list.

        :return: returns the list of projects.
        """
        return self.db.get_list(self.projects_collection, filter_q)

    def create_project(self, project_info):
        """
        Create a project.

        :param project: full project info.
        :return: the internal id of the created project
        :raises AuthconnOperationException: if project creation failed.
        """
        pid = self.db.create(self.projects_collection, project_info)
        return pid

    def delete_project(self, project_id):
        """
        Delete a project.

        :param project_id: project identifier.
        :raises AuthconnOperationException: if project deletion failed.
        """
        idf = BaseTopic.id_field("projects", project_id)
        r = self.db.del_one(self.projects_collection, {idf: project_id})
        idf = "project_id" if idf == "_id" else "project_name"
        self.db.del_list(self.tokens_collection, {idf: project_id})
        return r

    def update_project(self, project_id, project_info):
        """
        Change the name of a project

        :param project_id: project to be changed
        :param project_info: full project info
        :return: None
        :raises AuthconnOperationException: if project update failed.
        """
        self.db.set_one(
            self.projects_collection,
            {BaseTopic.id_field("projects", project_id): project_id},
            project_info,
        )

    def generate_otp(self):
        otp = "".join(str(secrets.randbelow(10)) for i in range(0, 4))
        return otp

    def send_email(self, indata):
        user = indata.get("username")
        user_rows = self.db.get_list(self.users_collection, {"username": user})
        sender_password = None
        otp_expiry_time = self.config.get("otp_expiry_time", 300)
        if not re.match(email_schema["pattern"], indata.get("email_id")):
            raise AuthException(
                "Invalid email-id",
                http_code=HTTPStatus.BAD_REQUEST,
            )
        if self.config.get("sender_email"):
            sender_email = self.config["sender_email"]
        else:
            raise AuthException(
                "sender_email not found",
                http_code=HTTPStatus.NOT_FOUND,
            )
        if self.config.get("smtp_server"):
            smtp_server = self.config["smtp_server"]
        else:
            raise AuthException(
                "smtp server not found",
                http_code=HTTPStatus.NOT_FOUND,
            )
        if self.config.get("smtp_port"):
            smtp_port = self.config["smtp_port"]
        else:
            raise AuthException(
                "smtp port not found",
                http_code=HTTPStatus.NOT_FOUND,
            )
        sender_password = self.config.get("sender_password") or None
        if user_rows:
            user_data = user_rows[0]
            user_status = user_data["_admin"]["user_status"]
            if not user_data.get("project_role_mappings", None):
                raise AuthException(
                    "can't find a default project for this user",
                    http_code=HTTPStatus.UNAUTHORIZED,
                )
            if user_status != "active" and user_status != "always-active":
                raise AuthException(
                    f"User account is {user_status}.Please contact the system administrator.",
                    http_code=HTTPStatus.UNAUTHORIZED,
                )
            if user_data.get("email_id"):
                if user_data["email_id"] == indata.get("email_id"):
                    otp = self.generate_otp()
                    encode_otp = hash_password(
                        password=otp, rounds=self.config.get("password_rounds", 12)
                    )
                    otp_field = {encode_otp: time() + otp_expiry_time, "retries": 0}
                    user_data["OTP"] = otp_field
                    uid = user_data["_id"]
                    idf = BaseTopic.id_field("users", uid)
                    reciever_email = user_data["email_id"]
                    email_template_path = self.config.get("email_template")
                    with open(email_template_path, "r") as et:
                        email_template = et.read()
                    msg = EmailMessage()
                    msg = MIMEMultipart("alternative")
                    html_content = email_template.format(
                        username=user_data["username"],
                        otp=otp,
                        validity=otp_expiry_time // 60,
                    )
                    html = MIMEText(html_content, "html")
                    msg["Subject"] = "OSM password reset request"
                    msg.attach(html)
                    with smtplib.SMTP(smtp_server, smtp_port) as smtp:
                        smtp.starttls()
                        if sender_password:
                            smtp.login(sender_email, sender_password)
                        smtp.sendmail(sender_email, reciever_email, msg.as_string())
                        self.db.set_one(self.users_collection, {idf: uid}, user_data)
                return {"email": "sent"}
            else:
                raise AuthException(
                    "No email id is registered for this user.Please contact the system administrator.",
                    http_code=HTTPStatus.NOT_FOUND,
                )
        else:
            raise AuthException(
                "user not found",
                http_code=HTTPStatus.NOT_FOUND,
            )

    def validate_otp(self, indata):
        otp = indata.get("otp")
        user = indata.get("username")
        user_rows = self.db.get_list(self.users_collection, {"username": user})
        user_data = user_rows[0]
        uid = user_data["_id"]
        idf = BaseTopic.id_field("users", uid)
        retry_count = self.config.get("retry_count", 3)
        if user_data:
            if not user_data.get("OTP"):
                otp_field = {"retries": 1}
                user_data["OTP"] = otp_field
                self.db.set_one(self.users_collection, {idf: uid}, user_data)
                return {"retries": user_data["OTP"]["retries"]}
            for key, value in user_data["OTP"].items():
                curr_time = time()
                if (
                    verify_password(password=otp, hashed_password_hex=key)
                    and curr_time < value
                ):
                    user_data["OTP"] = {}
                    self.db.set_one(self.users_collection, {idf: uid}, user_data)
                    return {"valid": "True", "password_change": "True"}
                else:
                    user_data["OTP"]["retries"] += 1
                    self.db.set_one(self.users_collection, {idf: uid}, user_data)
                    if user_data["OTP"].get("retries") >= retry_count:
                        raise AuthException(
                            "Invalid OTP. Maximum retries exceeded",
                            http_code=HTTPStatus.TOO_MANY_REQUESTS,
                        )
                    return {"retry_count": user_data["OTP"]["retries"]}