X-Git-Url: https://osm.etsi.org/gitweb/?a=blobdiff_plain;f=osm_nbi%2Fauthconn_internal.py;h=3f495d864243a6552352bea78e1b65932a62ecc2;hb=7802ff80245ba7ba6055bc927b91e4f8b1f42542;hp=e342150039c9b4c603f1319825d358c0a943702b;hpb=4568a372eb5a204e04d917213de03ec51f9110c1;p=osm%2FNBI.git
diff --git a/osm_nbi/authconn_internal.py b/osm_nbi/authconn_internal.py
index e342150..3f495d8 100644
--- a/osm_nbi/authconn_internal.py
+++ b/osm_nbi/authconn_internal.py
@@ -33,9 +33,14 @@ __date__ = "$06-jun-2019 11:16:08$"
 
 import logging
 import re
-from osm_nbi.authconn import Authconn, AuthException  # , AuthconnOperationException
+from osm_nbi.authconn import (
+    Authconn,
+    AuthException,
+    AuthconnConflictException,
+)  # , AuthconnOperationException
 from osm_common.dbbase import DbException
 from osm_nbi.base_topic import BaseTopic
+from osm_nbi.utils import cef_event, cef_event_builder
 from osm_nbi.validation import is_valid_uuid
 from time import time, sleep
 from http import HTTPStatus
@@ -64,6 +69,7 @@ class AuthconnInternal(Authconn):
 
         # To be Confirmed
         self.sess = None
+        self.cef_logger = cef_event_builder(config)
 
     def validate_token(self, token):
         """
@@ -189,6 +195,18 @@ class AuthconnInternal(Authconn):
         if user:
             user_content = self.validate_user(user, password)
             if not user_content:
+                cef_event(
+                    self.cef_logger,
+                    {
+                        "name": "User login",
+                        "sourceUserName": user,
+                        "message": "Invalid username/password Project={} Outcome=Failure".format(
+                            project
+                        ),
+                        "severity": "3",
+                    },
+                )
+                self.logger.exception("{}".format(self.cef_logger))
                 raise AuthException(
                     "Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED
                 )
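Review bot: `self.cef_logger = cef_event_builder(config)` creates one object per `AuthconnInternal` instance, and the later hunks call `cef_event(self.cef_logger, {...})` and then log `str(self.cef_logger)`, which reads as though `cef_event` fills that shared object in place; if it does, and the server handles requests concurrently, two overlapping requests can interleave so that an audit line carries another request's user name or outcome. Whether `cef_event` mutates or copies is not visible here, so this is a hedge — if it mutates, build the event per call (for example `event = cef_event_builder(self.config)` at the point of logging) instead of sharing one across requests. Either way a one-line comment here saying what `cef_event_builder` returns and whether it is safe to share would spare the next reader the same question; `__init__` starts outside the hunk.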
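Review bot: `self.logger.exception("{}".format(self.cef_logger))` is called with no exception active, so it logs the CEF line at ERROR level followed by a `NoneType: None` traceback stub; a failed login is a warning, not an error, so this should be `self.logger.warning("%s", self.cef_logger)` (the `-382` hunk already uses `logger.info` for the same pattern). The event also copies the caller-supplied `user` string into `sourceUserName`; unless `cef_event` escapes CEF delimiters and newlines, a crafted user name can split or forge audit lines, so that escaping should be confirmed or the value sanitized before it is logged. `project` is not defined inside the hunk, so it presumably comes from the enclosing method, which starts and ends outside the hunk.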
@@ -352,6 +370,11 @@ class AuthconnInternal(Authconn):
         BaseTopic.format_on_new(user_info, make_public=False)
         salt = uuid4().hex
         user_info["_admin"]["salt"] = salt
+        present = time()
+        if not user_info["username"] == "admin":
+            if self.config.get("pwd_expiry_check"):
+                user_info["_admin"]["modified_time"] = present
+                user_info["_admin"]["expire_time"] = present
         if "password" in user_info:
             user_info["password"] = sha256(
                 user_info["password"].encode("utf-8") + salt.encode("utf-8")
@@ -369,9 +392,19 @@ class AuthconnInternal(Authconn):
         :param user_info: user info modifications
         """
         uid = user_info["_id"]
+        old_pwd = user_info.get("old_password")
         user_data = self.db.get_one(
             self.users_collection, {BaseTopic.id_field("users", uid): uid}
         )
+        if old_pwd:
+            salt = user_data["_admin"]["salt"]
+            shadow_password = sha256(
+                old_pwd.encode("utf-8") + salt.encode("utf-8")
+            ).hexdigest()
+            if shadow_password != user_data["password"]:
+                raise AuthconnConflictException(
+                    "Incorrect password", http_code=HTTPStatus.CONFLICT
+                )
         BaseTopic.format_on_edit(user_data, user_info)
         # User Name
         usnm = user_info.get("username")
@@ -382,6 +415,16 @@ class AuthconnInternal(Authconn):
         if pswd and (
             len(pswd) != 64 or not re.match("[a-fA-F0-9]*", pswd)
         ):  # TODO: Improve check?
+            cef_event(
+                self.cef_logger,
+                {
+                    "name": "Change Password",
+                    "sourceUserName": user_data["username"],
+                    "message": "Changing Password for user, Outcome=Success",
+                    "severity": "2",
+                },
+            )
+            self.logger.info("{}".format(self.cef_logger))
             salt = uuid4().hex
             if "_admin" not in user_data:
                 user_data["_admin"] = {}
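Review bot: `user_info["_admin"]["expire_time"] = present` marks a freshly created password as expired at the moment of creation, whereas the `-389` hunk computes `expire_time` as `present + 86400 * days` on change; if the intent is to force a change on first login, say so, e.g. `# expire immediately: the initial password must be changed on first login`, otherwise this looks like a missing `days` calculation. The `admin` user is exempted from expiry here and in `-389`, which leaves the highest-privilege account without rotation; the reason should be documented or the exemption made configurable. `if not user_info["username"] == "admin":` reads better as `if user_info["username"] != "admin":` (same in `-389`), and `present = time()` can move inside the inner `if` since it is unused otherwise. The enclosing method starts and ends outside the hunk.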
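Review bot: The old-password check runs only `if old_pwd:`, so a request that simply omits `old_password` changes the password with no verification at all; unless the topic layer already requires it for non-admin callers (not visible here), the check should be required whenever a new `password` is present, e.g. `if user_info.get("password") and not old_pwd: raise AuthconnConflictException("old_password is required", http_code=HTTPStatus.CONFLICT)`. The comparison `shadow_password != user_data["password"]` should be `not hmac.compare_digest(shadow_password, user_data["password"])` (with `import hmac` at the top of the file) so that response time does not depend on how many leading hex digits matched. `old_password` is also still inside `user_info` when it reaches `BaseTopic.format_on_edit(user_data, user_info)`; if that helper copies unknown keys into the stored document, the plaintext old password would be persisted, so `user_info.pop("old_password", None)` once it has been checked is safer. The enclosing method starts and ends outside the hunk.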
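Review bot: The `"Changing Password for user, Outcome=Success"` event is emitted before the new hash is computed and before the user document is written back (the write happens later, outside the hunk), so a failed database update leaves an audit record claiming success; emit the event after the update returns, or drop the outcome from the message here. The event also sits inside the `if pswd and (...)` branch, so a password supplied in the already-hashed form that skips this branch is never audited; if that branch is reachable from the API, the logging should cover both paths. The enclosing method starts and ends outside the hunk.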
@@ -389,6 +432,13 @@ class AuthconnInternal(Authconn):
             user_data["password"] = sha256(
                 pswd.encode("utf-8") + salt.encode("utf-8")
             ).hexdigest()
+            if not user_data["username"] == "admin":
+                if self.config.get("pwd_expiry_check"):
+                    present = time()
+                    if self.config.get("days"):
+                        expire = present + 86400 * self.config.get("days")
+                    user_data["_admin"]["modified_time"] = present
+                    user_data["_admin"]["expire_time"] = expire
         # Project-Role Mappings
         # TODO: Check that user_info NEVER includes "project_role_mappings"
         if "project_role_mappings" not in user_data:
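Review bot: `expire` is assigned only inside `if self.config.get("days"):`, yet as far as the collapsed layout shows `user_data["_admin"]["expire_time"] = expire` sits one level up, so with `pwd_expiry_check` enabled and `days` unset every password change raises `UnboundLocalError`; the `-352` hunk does not consult `days` at all, so the two expiry rules also disagree. `self.config.get("days")` is read twice and multiplied directly; if the config value arrives as a string the multiplication repeats the string instead of failing. Read the period once, only set `expire_time` when one is configured, and fold the two `if`s into one condition; the enclosing method starts and ends outside the hunk.
```python
            if user_data["username"] != "admin" and self.config.get("pwd_expiry_check"):
                present = time()
                days = self.config.get("days")
                user_data["_admin"]["modified_time"] = present
                if days:
                    # 86400 s per day; int() rejects a non-numeric config value early
                    user_data["_admin"]["expire_time"] = present + 86400 * int(days)
            # … unchanged: project-role mapping handling …
```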