X-Git-Url: https://osm.etsi.org/gitweb/?p=osm%2FNBI.git;a=blobdiff_plain;f=osm_nbi%2Fauth.py;h=a99cea7e556067acf9562af6f4a884005af487c0;hp=0b3264fb37ecd6bc9355373e506befa963ca5004;hb=HEAD;hpb=4cd875d2a38488b5e717258d548eeb8e557ec9a8
diff --git a/osm_nbi/auth.py b/osm_nbi/auth.py
index 0b3264f..9c8c8d3 100644
--- a/osm_nbi/auth.py
+++ b/osm_nbi/auth.py
@@ -44,6 +44,7 @@ from osm_nbi.authconn import AuthException, AuthconnException, AuthExceptionUnau
 from osm_nbi.authconn_keystone import AuthconnKeystone
 from osm_nbi.authconn_internal import AuthconnInternal
 from osm_nbi.authconn_tacacs import AuthconnTacacs
+from osm_nbi.utils import cef_event, cef_event_builder
 from osm_common import dbmemory, dbmongo, msglocal, msgkafka
 from osm_common.dbbase import DbException
 from osm_nbi.validation import is_valid_uuid
@@ -88,6 +89,7 @@ class Authenticator:
 self.valid_query_string = valid_query_string
 self.system_admin_role_id = None # system_role id
 self.test_project_id = None # test_project_id
+ self.cef_logger = None
 
 def start(self, config):
 """
@@ -98,6 +100,7 @@ class Authenticator:
 :param config: dictionary containing the relevant parameters for this object.
 """
 self.config = config
+ self.cef_logger = cef_event_builder(config["authentication"])
 
 try:
 if not self.db:
@@ -249,7 +252,7 @@ class Authenticator:
 user_desc = {
 "username": "admin",
 "password": "admin",
- "_admin": {"created": now, "modified": now},
+ "_admin": {"created": now, "modified": now, "user_status": "always-active"},
 }
 if project_id:
 pid = project_id
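Review bot: `self.cef_logger = cef_event_builder(config["authentication"])` in start() sits outside the try block that follows it, so any exception raised while building the CEF logger aborts start() before the db/msg setup in that block runs; whether cef_event_builder can raise is not visible here, so either wrap it with the same error handling or document that a valid authentication section is a hard requirement. A short comment above the assignment, `# CEF audit logger, built from the authentication config section; None until start() runs`, would also tie it to the `self.cef_logger = None` default added in __init__ (hunk at line 88). start() continues outside the hunk.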
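Review bot: The bootstrap admin account, created with the literal password "admin", now also carries `"user_status": "always-active"`, which presumably exempts it from the account-status controls this change introduces (the expiry check at line 776 likewise skips `"admin"` by name). That exemption should be recorded inline so it is not later mistaken for an oversight, e.g. `# bootstrap admin: deliberately exempt from user_status / password-expiry controls`, and "always-active" is better held in a named module constant than repeated as a string literal wherever the status is compared. The enclosing method starts before the hunk.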
@@ -505,6 +508,18 @@ class Authenticator:
 item_id,
 )
 self.logger.info("RBAC_auth: {}".format(RBAC_auth))
+ if RBAC_auth:
+ cef_event(
+ self.cef_logger,
+ {
+ "name": "System Access",
+ "sourceUserName": token_info.get("username"),
+ "message": "Accessing account with system privileges, Project={}".format(
+ token_info.get("project_name")
+ ),
+ },
+ )
+ self.logger.info("{}".format(self.cef_logger))
 token_info["allow_show_user_project_role"] = RBAC_auth
 return token_info
 
@@ -776,20 +791,24 @@ class Authenticator:
 This method will check for password expiry of the user
 :param outdata: user token information
 """
- user_content = None
+ user_list = None
 present_time = time()
 user = outdata["username"]
- if self.config["authentication"].get("pwd_expiry_check"):
- user_content = self.db.get_list("users", {"username": user})[0]
- if not user_content.get("username") == "admin":
- user_content["_admin"]["modified_time"] = present_time
- if user_content.get("_admin").get("expire_time"):
- expire_time = user_content["_admin"]["expire_time"]
- else:
- expire_time = present_time
- uid = user_content["_id"]
- self.db.set_one("users", {"_id": uid}, user_content)
- if not present_time < expire_time:
- return True
+ if self.config["authentication"].get("user_management"):
+ user_list = self.db.get_list("users", {"username": user})
+ if user_list:
+ user_content = user_list[0]
+ if not user_content.get("username") == "admin":
+ user_content["_admin"]["modified"] = present_time
+ if user_content.get("_admin").get("password_expire_time"):
+ password_expire_time = user_content["_admin"][
+ "password_expire_time"
+ ]
+ else:
+ password_expire_time = present_time
+ uid = user_content["_id"]
+ self.db.set_one("users", {"_id": uid}, user_content)
+ if not present_time < password_expire_time:
+ return True
 else:
 pass
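Review bot: The trailing `self.logger.info("{}".format(self.cef_logger))` logs the repr of the CEF logger object rather than the event that was just emitted and reads like a leftover debug statement; drop it, or log the event dict that was handed to cef_event. The audit event records who (`sourceUserName`) and which project, but not what was accessed, although `item_id` is in scope from the call just above; extending the message with `, Item={}` and passing `item_id` to the format call would make the record considerably more useful for incident review. Note also that `self.cef_logger` is None until start() has run (it is initialised to None in __init__), so cef_event must tolerate that if this path can be reached earlier. The enclosing method begins before the hunk.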
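Review bot: The gate changed from `get("pwd_expiry_check")` to `get("user_management")` with no fallback, so a deployment that still sets only the old key silently stops checking password expiry; either honour both keys, `auth_cfg = self.config["authentication"]` / `if auth_cfg.get("user_management") or auth_cfg.get("pwd_expiry_check"):`, or call the rename out in the release notes. Two smaller points in the same block: `not present_time < password_expire_time` reads more clearly as `present_time >= password_expire_time`, and when `password_expire_time` is absent it is set to present_time, so such a user is reported as expired — if that fail-closed default is intentional a comment should say so. `self.db.set_one("users", {"_id": uid}, user_content)` writes the whole document back just to bump `_admin.modified`; if set_one accepts dotted keys, `{"_admin.modified": present_time}` avoids clobbering concurrent changes to the user record. The method starts before the hunk, and the trailing `else: pass` is a no-op that can go.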