import logging
import re
-from osm_nbi.authconn import Authconn, AuthException # , AuthconnOperationException
+from osm_nbi.authconn import (
+ Authconn,
+ AuthException,
+ AuthconnConflictException,
+) # , AuthconnOperationException
from osm_common.dbbase import DbException
from osm_nbi.base_topic import BaseTopic
+from osm_nbi.utils import cef_event, cef_event_builder
from osm_nbi.validation import is_valid_uuid
from time import time, sleep
from http import HTTPStatus
# To be Confirmed
self.sess = None
+ self.cef_logger = cef_event_builder(config)
def validate_token(self, token):
"""
if user:
user_content = self.validate_user(user, password)
if not user_content:
+ cef_event(
+ self.cef_logger,
+ {
+ "name": "User login",
+ "sourceUserName": user,
+ "message": "Invalid username/password Project={} Outcome=Failure".format(
+ project
+ ),
+ "severity": "3",
+ },
+ )
+ self.logger.exception("{}".format(self.cef_logger))
raise AuthException(
"Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED
)
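Review bot: `self.logger.exception("{}".format(self.cef_logger))` on the line before the `raise` runs outside any `except` block, so there is no active exception and the record goes out at ERROR level with a spurious `NoneType: None` traceback appended. The change-password path later in this commit logs the same object with `self.logger.info`, so for consistency this should be `self.logger.warning("%s", self.cef_logger)` — a rejected login is a warning, not an error, and lazy `%s` formatting matches the logging idiom. The CEF message already carries the username and project and no credential material, which is the right content for an audit record. validate_token's body starts before and continues after the hunk.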
BaseTopic.format_on_new(user_info, make_public=False)
salt = uuid4().hex
user_info["_admin"]["salt"] = salt
+ present = time()
+ if not user_info["username"] == "admin":
+ if self.config.get("pwd_expiry_check"):
+ user_info["_admin"]["modified_time"] = present
+ user_info["_admin"]["expire_time"] = present
if "password" in user_info:
user_info["password"] = sha256(
user_info["password"].encode("utf-8") + salt.encode("utf-8")
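Review bot: `if not user_info["username"] == "admin":` reads as a negated equality; write `if user_info["username"] != "admin":`, and the same form recurs in the password-change block later in this commit (`if not user_data["username"] == "admin":`). Setting `expire_time` to `present` makes a freshly created password expired at the instant it is stored, whereas the change-password path computes `present + 86400 * days`; if forcing a change at first login is the intent, record it with a comment such as `# A newly created password expires immediately so the user must change it at first login`, otherwise compute the expiry here the same way. The enclosing function continues outside the hunk.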
:param user_info: user info modifications
"""
uid = user_info["_id"]
+ old_pwd = user_info.get("old_password")
user_data = self.db.get_one(
self.users_collection, {BaseTopic.id_field("users", uid): uid}
)
+ if old_pwd:
+ salt = user_data["_admin"]["salt"]
+ shadow_password = sha256(
+ old_pwd.encode("utf-8") + salt.encode("utf-8")
+ ).hexdigest()
+ if shadow_password != user_data["password"]:
+ raise AuthconnConflictException(
+ "Incorrect password", http_code=HTTPStatus.CONFLICT
+ )
BaseTopic.format_on_edit(user_data, user_info)
# User Name
usnm = user_info.get("username")
if pswd and (
len(pswd) != 64 or not re.match("[a-fA-F0-9]*", pswd)
): # TODO: Improve check?
+ cef_event(
+ self.cef_logger,
+ {
+ "name": "Change Password",
+ "sourceUserName": user_data["username"],
+ "message": "Changing Password for user, Outcome=Success",
+ "severity": "2",
+ },
+ )
+ self.logger.info("{}".format(self.cef_logger))
salt = uuid4().hex
if "_admin" not in user_data:
user_data["_admin"] = {}
user_data["password"] = sha256(
pswd.encode("utf-8") + salt.encode("utf-8")
).hexdigest()
+ if not user_data["username"] == "admin":
+ if self.config.get("pwd_expiry_check"):
+ present = time()
+ if self.config.get("days"):
+ expire = present + 86400 * self.config.get("days")
+ user_data["_admin"]["modified_time"] = present
+ user_data["_admin"]["expire_time"] = expire
# Project-Role Mappings
# TODO: Check that user_info NEVER includes "project_role_mappings"
if "project_role_mappings" not in user_data:
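Review bot: `expire` is bound only inside `if self.config.get("days"):`, but `user_data["_admin"]["expire_time"] = expire` on the following line runs whenever `pwd_expiry_check` is enabled, so a deployment with expiry enabled and no `days` configured raises UnboundLocalError on every password change (unless `expire` is assigned earlier in the function, which is outside the hunk); nest the expiry assignment under the `days` check as below. In the old-password block, `old_password` is read from `user_info` but never removed before `BaseTopic.format_on_edit(user_data, user_info)`, so if that helper merges the incoming fields the plaintext old password is written into the stored user document — use `old_pwd = user_info.pop("old_password", None)` instead of `.get`. Comparing the digests with `!=` should also become `if not hmac.compare_digest(shadow_password, user_data["password"]):`, which needs `import hmac` added to the file's import block. The enclosing function starts before the hunk.
```python
# … unchanged: salt generation and sha256 hashing of the new password …
if user_data["username"] != "admin" and self.config.get("pwd_expiry_check"):
    present = time()
    user_data["_admin"]["modified_time"] = present
    days = self.config.get("days")
    if days:
        user_data["_admin"]["expire_time"] = present + 86400 * days
# … unchanged: project-role mappings …
```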