"""Auth utilities."""
import time
from airavata.model.security.ttypes import AuthzToken
from django.conf import settings
from django.contrib.auth import authenticate
from django.core.mail import EmailMessage
from django.http.request import split_domain_port
from django.template import Context, Template
from oauthlib.oauth2 import BackendApplicationClient
from requests_oauthlib import OAuth2Session
from . import models
def get_authz_token(request, user=None, access_token=None):
"""Construct AuthzToken instance from session; refresh token if needed."""
if access_token is not None:
return _create_authz_token(request, user=user, access_token=access_token)
elif is_request_access_token(request):
return _create_authz_token(request, user=user)
elif is_session_access_token(request) and not is_session_access_token_expired(request, user=user):
return _create_authz_token(request, user=user, access_token=access_token)
elif not is_refresh_token_expired(request):
# Have backend reauthenticate the user with the refresh token
user = authenticate(request)
if user:
return _create_authz_token(request, user=user)
return None
def get_service_account_authz_token():
client_id = settings.KEYCLOAK_CLIENT_ID
client_secret = settings.KEYCLOAK_CLIENT_SECRET
token_url = settings.KEYCLOAK_TOKEN_URL
verify_ssl = settings.KEYCLOAK_VERIFY_SSL
client = BackendApplicationClient(client_id=client_id)
oauth = OAuth2Session(client=client)
verify = verify_ssl
if verify_ssl and hasattr(settings, 'KEYCLOAK_CA_CERTFILE'):
verify = settings.KEYCLOAK_CA_CERTFILE
token = oauth.fetch_token(
token_url=token_url,
client_id=client_id,
client_secret=client_secret,
verify=verify)
access_token = token.get('access_token')
return AuthzToken(
accessToken=access_token,
# This is a service account, so leaving out userName for now
claimsMap={'gatewayID': settings.GATEWAY_ID})
def _create_authz_token(request, user=None, access_token=None):
if access_token is None:
access_token = _get_access_token(request)
if user is None:
user = request.user
username = user.username
gateway_id = settings.GATEWAY_ID
return AuthzToken(accessToken=access_token,
claimsMap={'gatewayID': gateway_id,
'userName': username})
def _get_access_token_source(request):
if hasattr(request, 'auth') and request.auth is not None:
return 'request'
elif 'ACCESS_TOKEN' in request.session:
return 'session'
else:
return None
def _get_access_token(request):
source = _get_access_token_source(request)
if source == 'request':
return request.auth
elif source == 'session':
return request.session['ACCESS_TOKEN']
else:
return None
def is_session_access_token(request):
"""Return True if access token is stored in the user's session."""
return _get_access_token_source(request) == 'session'
def is_request_access_token(request):
"""Return True if access token passed in request, e.g., a Bearer token."""
return _get_access_token_source(request) == 'request'
def is_session_access_token_expired(request, user=None):
"""Return True if session access_token is not available or is expired."""
user = user if user is not None else request.user
now = time.time()
return not user.is_authenticated \
or 'ACCESS_TOKEN' not in request.session \
or 'ACCESS_TOKEN_EXPIRES_AT' not in request.session \
or request.session['ACCESS_TOKEN_EXPIRES_AT'] < now
def is_refresh_token_expired(request):
"""Return True if refresh_token is not available or is expired."""
now = time.time()
return 'REFRESH_TOKEN' not in request.session \
or 'REFRESH_TOKEN_EXPIRES_AT' not in request.session \
or request.session['REFRESH_TOKEN_EXPIRES_AT'] < now
def send_new_user_email(request, username, email, first_name, last_name):
"""Send new user email notification to portal admins."""
new_user_email_template = models.EmailTemplate.objects.get(
pk=models.NEW_USER_EMAIL_TEMPLATE)
domain, port = split_domain_port(request.get_host())
context = Context({
"username": username,
"email": email,
"first_name": first_name,
"last_name": last_name,
"portal_title": settings.PORTAL_TITLE,
"gateway_id": settings.GATEWAY_ID,
"http_host": domain,
})
subject = Template(new_user_email_template.subject).render(context)
body = Template(new_user_email_template.body).render(context)
send_email_to_admins(subject, body)
def send_admin_alert_about_uninitialized_username(request, username, email, first_name, last_name):
domain, port = split_domain_port(request.get_host())
context = Context({
"username": username,
"email": email,
"first_name": first_name,
"last_name": last_name,
"portal_title": settings.PORTAL_TITLE,
"gateway_id": settings.GATEWAY_ID,
"http_host": domain,
})
subject = Template("Please fix username: a user of {{portal_title}} ({{http_host}}) has been assigned an auto-generated username ({{username}})").render(context)
body = Template("""
Dear Admin,
The following user has an auto-generated username because the system could
not determine a proper username:
Username: {{username}}
Name: {{first_name}} {{last_name}}
Email: {{email}}
This likely happened because there was no appropriate user attribute
(typically email address) to use for the user's username when the user
logged in through an external identity provider. Please update the username
to the user's email address or some other appropriate value in the Manage Users view in the
portal.
""".strip()).render(context)
send_email_to_admins(subject, body)
def send_admin_user_completed_profile(request, user_profile):
domain, port = split_domain_port(request.get_host())
user = user_profile.user
extended_profile_values = user_profile.extended_profile_values.filter(
ext_user_profile_field__deleted=False).order_by("ext_user_profile_field__order").all()
context = Context({
"username": user.username,
"email": user.email,
"first_name": user.first_name,
"last_name": user.last_name,
"portal_title": settings.PORTAL_TITLE,
"gateway_id": settings.GATEWAY_ID,
"http_host": domain,
"extended_profile_values": extended_profile_values
})
user_profile_completed_template = models.EmailTemplate.objects.get(
pk=models.USER_PROFILE_COMPLETED_TEMPLATE)
subject = Template(user_profile_completed_template.subject).render(context)
body = Template(user_profile_completed_template.body).render(context)
send_email_to_admins(subject, body)
def send_email_to_admins(subject, body):
msg = EmailMessage(subject=subject,
body=body,
from_email=f'"{settings.PORTAL_TITLE}" <{settings.SERVER_EMAIL}>',
to=[f'"{a[0]}" <{a[1]}>' for a in getattr(settings,
'PORTAL_ADMINS',
settings.ADMINS)])
msg.content_subtype = 'html'
msg.send()
def send_email_to_user(template_id, context):
email_template = models.EmailTemplate.objects.get(pk=template_id)
subject = Template(email_template.subject).render(context)
body = Template(email_template.body).render(context)
msg = EmailMessage(
subject=subject,
body=body,
from_email="\"{}\" <{}>".format(settings.PORTAL_TITLE,
settings.SERVER_EMAIL),
to=["\"{} {}\" <{}>".format(context['first_name'],
context['last_name'],
context['email'])],
reply_to=[f"\"{a[0]}\" <{a[1]}>" for a in getattr(settings,
'PORTAL_ADMINS',
settings.ADMINS)]
)
msg.content_subtype = 'html'
msg.send()