ó @j>Vc@sKddlmZmZddlmZmZddlmZddlmZddl m Z ddl m Z m Z ddlmZddlmZdd lZdd lZdd lZdd lZdd lZdd lZejd d !d d dfkrdGHejdƒnydd lZeZWnek r=eZnXyeWnek r_e ZnXddl!m"Z"ejj#d kZ$e e%ƒZ&de'fd„ƒYZ(de(fd„ƒYZ)de*fd„ƒYZ+de*fd„ƒYZ,de'fd„ƒYZ-d„Z.de+fd„ƒYZ/de+fd „ƒYZ0d!e*fd"„ƒYZ1d S(#iÿÿÿÿ(t b64encodet b64decode(tdatetimet timedelta(t MIMEMultipart(tMIMEText(t getLogger(tSMTPtSMTP_SSL(tThread(ttimeNiiiiisPython >= 2.7.8 is requiredi(t JsonBackendt AAAExceptioncBseZdZRS(s.Generic Authentication/Authorization Exception(t__name__t __module__t__doc__(((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR 9st AuthExceptioncBseZdZRS(s:Authentication Exception: incorrect username/password pair(R RR(((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR>stBaseCorkc BsseZdZd#d#d#ed#d#dd#d„Zd#d#d„Zddd„Zd#d#ed#d„Zd„Z d„Z d „Z d#d#d „Z d „Z d „Zed „ƒZed„ƒZd„Zddddd#d„Zd„Zd#d#ddd„Zd„Zd#d#edd„Zd„Zd#d#d„Zed#d„ƒZed#d„ƒZd„Zd d!„Zd"„ZRS($sAbstract classt localhostc CsŽ|r|}nt||ƒ|_d |_||_|p<d|_d|_|d krt|ddddd d d |ƒ|_n ||_d S(s]Auth/Authorization/Accounting class :param directory: configuration directory :type directory: str. :param users_fname: users filename (without .json), defaults to 'users' :type users_fname: str. :param roles_fname: roles filename (without .json), defaults to 'roles' :type roles_fname: str. iisbeaker.sessiontPBKDF2t users_fnametuserst roles_fnametrolestpending_reg_fnametregistert initializeNi€Q( tMailertmailertpassword_reset_timeouttsession_domaintsession_key_nametpreferred_hashing_algorithmtNoneR t_store( tselft directorytbackendt email_senderRRt smtp_servertsmtp_urlR((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt__init__Fs        cCsÓ||jjkr¹|jj|d}t|dƒrG|jdƒ}n|j|||ƒ}|r¹|j|ƒttjƒƒ|jj|d<|jj ƒ|r²|j |ƒnt Sn|rÏ|j |ƒnt S(s'Check login credentials for an existing user. Optionally redirect the user to another page (typically /login) :param username: username :type username: str or unicode. :param password: cleartext password :type password: str.or unicode :param success_redirect: redirect authorized users (optional) :type success_redirect: str. :param fail_redirect: redirect unauthorized users (optional) :type fail_redirect: str. :returns: True for successful logins, else False thashtencodetasciit last_login( R"RthasattrR+t_verify_passwordt _setup_cookietstrRtutcnowt save_userst _redirecttTruetFalse(R#tusernametpasswordtsuccess_redirectt fail_redirectt salted_hasht authenticated((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pytlogines&   s/logincCsby|j}|jƒWn7tk rP}tjdt|ƒƒ|j|ƒnX|j|ƒdS(süLog the user out, remove cookie :param success_redirect: redirect the user after logging out :type success_redirect: str. :param fail_redirect: redirect the user if it is not logged in :type fail_redirect: str. sException %s while logging out.N(t_beaker_sessiontdeletet ExceptiontlogtdebugtreprR4(R#R9R:tsessionte((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pytlogouts cCsð|dk r0||jjkr0tdƒ‚q0n|rQ|dkrQtdƒ‚n|dk r~||jjkr~tdƒ‚ny |j}Wn9tk rÆ|dkr¶tdƒ‚qÇ|j|ƒnX|j|jjkrëtdƒ‚n|dk r8||jj kr dS|dkr(tdƒ‚n|j|ƒn|r||jjkrTdS|dkrotdƒ‚n|j|ƒn|dk rì|jj|jj}|jj|}||krÁdS|dkrÜtd ƒ‚n|j|ƒndS( sùEnsure the user is logged in has the required role (or higher). Optionally redirect the user to another page (typically /login) If both `username` and `role` are specified, both conditions need to be satisfied. If none is specified, any authenticated user will be authorized. By default, any role with higher level than `role` will be authorized; set fixed_role=True to prevent this. :param username: username (optional) :type username: str. :param role: role :type role: str. :param fixed_role: require user role to match `role` strictly :type fixed_role: bool. :param redirect: redirect unauthorized users (optional) :type redirect: str. sNonexistent users3A role must be specified if fixed_role has been setsRole not foundsUnauthenticated users#Role not found for the current userNs'Unauthorized access: incorrect usernames#Unauthorized access: incorrect rolesUnauthorized access: ( R!R"RR Rt current_userRR4troleR7(R#R7RHt fixed_roleR:tcut current_lvlt threshold_lvl((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pytrequire sJ           cCs‘|jjdkr!tdƒ‚n||jjkrBtdƒ‚nyt|ƒWntk rotdƒ‚nX||jj|<|jjƒdS(sÎCreate a new role. :param role: role name :type role: str. :param level: role level (0=lowest, 100=admin) :type level: int. :raises: AuthException on errors ids&The current user is not authorized to sThe role is already existingsThe level must be numeric.N( RGtlevelRR"RR tintt ValueErrort save_roles(R#RHRN((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt create_roleïs  cCsf|jjdkr!tdƒ‚n||jjkrBtdƒ‚n|jjj|ƒ|jjƒdS(syDeleta a role. :param role: role name :type role: str. :raises: AuthException on errors ids&The current user is not authorized to sNonexistent role.N(RGRNRR"RR tpopRQ(R#RH((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt delete_roles ccs6x/t|jjƒD]}||jj|fVqWdS(sUList roles. :returns: (role, role_level) generator (sorted by role) N(tsortedR"R(R#RH((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt list_rolesscCsó|stdƒ‚|jjdkr3tdƒ‚n||jjkrTtdƒ‚n||jjkrutdƒ‚ntt j ƒƒ}|j ||ƒ}|j dƒ}i|d6|d6|d 6|d 6|d 6|d 6|jj|<|jj ƒd S(séCreate a new user account. This method is available to users with level>=100 :param username: username :type username: str. :param role: role :type role: str. :param password: cleartext password :type password: str. :param email_addr: email address (optional) :type email_addr: str. :param description: description (free form) :type description: str. :raises: AuthException on errors sUsername must be provided.ids3The current user is not authorized to create users.sUser is already existing.sNonexistent user role.R,RHR*t email_addrtdesct creation_dateR-N(tAssertionErrorRGRNRR"RR RR1RR2t_hashtdecodeR3(R#R7RHR8RWt descriptionttstampth((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt create_users$cCsY|jjdkr!tdƒ‚n||jjkrBtdƒ‚n|j|ƒjƒdS(s¿Delete a user account. This method is available to users with level>=100 :param username: username :type username: str. :raises: Exceptions on errors ids&The current user is not authorized to sNonexistent user.N(RGRNRR"RR tuserR?(R#R7((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt delete_user@s ccsNxGt|jjƒD]3}|jj|}||d|d|dfVqWdS(s{List users. :return: (username, role, email_addr, description) generator (sorted by username) RHRWRXN(RUR"R(R#tuntd((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt list_usersNscCs{|j}|jddƒ}|dkr6tdƒ‚n|dk rg||jjkrgt||d|ƒStd|ƒ‚dS(s€Current autenticated user :returns: User() instance, if authenticated :raises: AuthException otherwise R7sUnauthenticated userRDsUnknown user: %sN(R>tgetR!RR"RtUser(R#RDR7((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyRGXs  cCsOy|jd}Wntk r%tSX||jjkrKtd|ƒ‚ntS(s´Check if the current user is anonymous. :returns: True if the user is anonymous, False otherwise :raises: AuthException if the session username is unknown R7sUnknown user: %s(R>tKeyErrorR5R"RRR6(R#R7((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pytuser_is_anonymousgs cCs/|dk r+||jjkr+t||ƒSdS(s[Existing user :returns: User() instance if the user exist, None otherwise N(R!R"RRg(R#R7((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyRaxs Rai2sSignup confirmationsviews/registration_email.tplc  Ksp|stdƒ‚|s$tdƒ‚|s6tdƒ‚||jjkrWtdƒ‚n||jjkrxtdƒ‚n|jj||krtdƒ‚ntjƒj} tt j ƒƒ} t j |d|d|d |d | d | | } |j j||| ƒ|j||ƒ} | jd ƒ} i|d6|d 6| d 6|d6|d6| d 6|jj| <|jjƒdS(s]Register a new user account. An email with a registration validation is sent to the user. WARNING: this method is available to unauthenticated users :param username: username :type username: str. :param password: cleartext password :type password: str. :param role: role (optional), defaults to 'user' :type role: str. :param max_level: maximum role level (optional), defaults to 50 :type max_level: int. :param email_addr: email address :type email_addr: str. :param subject: email subject :type subject: str. :param email_template: email template filename :type email_template: str. :param description: description (free form) :type description: str. :raises: AssertError or AAAException on errors sUsername must be provided.sA password must be provided.s"An email address must be provided.sUser is already existing.sNonexistent rolesUnauthorized roleR7RWRHRYtregistration_codeR,R*RXN(RZR"RR Rtuuidtuuid4thexR1RR2tbottlettemplateRt send_emailR[R\tpending_registrationstsave_pending_registrations(R#R7R8RWRHt max_leveltsubjecttemail_templateR]tkwargsRjRYt email_textR_((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyRs< cCsÏy|jjj|ƒ}Wntk r8tdƒ‚nX|d}||jjkrdtdƒ‚ni|dd6|dd6|dd6|dd6|dd6ttj ƒƒd 6|jj|<|jj ƒd S( s¶Validate pending account registration, create a new account if successful. :param registration_code: registration code :type registration_code: str. sInvalid registration code.R7sUser is already existing.RHR*RWRXRYR-N( R"RqRSRhRRR R1RR2R3(R#RjtdataR7((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pytvalidate_registrationÁs        sPassword reset confirmationsviews/password_reset_emailc KsA|sg|stdƒ‚nxÓ|jjjƒD]&\}}|d|kr.|}Pq.q.Wtdƒ‚nŠ||jjkrˆtdƒ‚n|sÂ|jj|jdd ƒ}|sñtdƒ‚qñn/|jj|d}||krñtdƒ‚n|j||ƒ} tj |d|d|d| |} |j j ||| ƒd S( sœEmail the user with a link to reset his/her password If only one parameter is passed, fetch the other from the users database. If both are passed they will be matched against the users database as a security check. :param username: username :type username: str. :param email_addr: email address :type email_addr: str. :param subject: email subject :type subject: str. :param email_template: email template filename :type email_template: str. :raises: AAAException on missing username or email_addr, AuthException on incorrect username/email_addr pair s6At least `username` or `email_addr` must be specified.RWsEmail address not found.sNonexistent user.sEmail address not available.s&Username/email address pair not found.R7t reset_codeN( R R"Rt iteritemsRfR!Rt _reset_codeRnRoRRp( R#R7RWRtRuRvtktvtstored_email_addrRzRw((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pytsend_password_reset_emailÜs4   cCseyt|ƒjƒ}|jddƒ\}}}}t|ƒ}t|tdƒƒsZt‚t|tdƒƒsut‚t|tdƒƒsœ|jdƒ}nWn#tt fk rÂt dƒ‚nXt ƒ||j krèt dƒ‚nt|tdƒƒst‚|j |||ƒs't dƒ‚n|j|ƒ}|d krQtdƒ‚n|jd |ƒd S( sHValidate reset_code and update the account password The username is extracted from the reset_code token :param reset_code: reset token :type reset_code: str. :param password: new password :type password: str. :raises: AuthException for invalid reset tokens, AAAException t:iutsutf-8sInvalid reset code.sExpired reset code.sNonexistent user.tpwdN(RR\tsplitROt isinstancettypeRZR+t TypeErrorRPRR RR/RaR!R tupdate(R#RzR8R7RWR^R_Ra((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pytreset_passwords&   cs%|‰||||‡fd†}|S(sh Create a decorator to be used for authentication and authorization :param username: A resource can be protected for a specific user :param role: Minimum role level required for authorization :param fixed_role: Only this role gets authorized :param fail_redirect: The URL to redirect to if a login is required. cs‡‡‡‡‡fd†}|S(Ncs=ddl}|jˆƒ‡‡‡‡‡‡fd†ƒ}|S(Niÿÿÿÿc s/ˆjdˆdˆdˆdˆƒˆ||ŽS(NR7RHRIR:(RM(tatka(R:RItfuncRHtsession_managerR7(s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pytwrapperKs (t functoolstwraps(RŒRRŽ(R:RIRHRR7(RŒs:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt decoratorHs -((R7RHRIR:R‘(R(R:RIRHR7s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt auth_requireFs ((R#R7RHRIR:R’((Rs:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pytmake_auth_decorator:s   cCs?|j}||d<|jdk r1|j|_n|jƒdS(s+Setup cookie for a user that just logged inR7N(R>RR!tdomaint _save_session(R#R7RD((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR0Xs   cCsp|dkr|j}n|dkr:|j||d|ƒS|dkr\|j||d|ƒStd|ƒ‚dS(sFHash username and password, generating salt value if required Rtsalttscrypts'Unknown hashing algorithm requested: %sN(R!R t _hash_pbkdf2t _hash_scryptt RuntimeError(R#R7RƒR–talgo((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR[as    cCs‹tstdƒ‚n|dkr3tjdƒ}nt|ƒdksQtdƒ‚d||f}tj||ƒ}d||}t |ƒS(s‚Hash username and password, generating salt value if required Use scrypt. :returns: base-64 encoded str. s8scrypt.hash required. Please install the scrypt library.i sIncorrect salt lengths%s%stsN( tscrypt_availableR@R!tosturandomtlenRZR—R*R(R7RƒR–t cleartextR_thashed((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR™os cCsÝ|d krtjdƒ}nt|tƒs3t‚t|ƒdksQtdƒ‚|jdƒ}t|tƒsut‚|jdƒ}t|tƒs™t‚|d|}tj d||dddƒ}d||}t |ƒS( sHash username and password, generating salt value if required Use PBKDF2 from Beaker :returns: base-64 encoded str. i sIncorrect salt lengthsutf-8ttsha1i tdklentpN( R!RžRŸR…tbytesRZR R+thashlibt pbkdf2_hmacR(R7RƒR–R¡R_R¢((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR˜†s cCsÆt|tdƒƒst‚t|ƒ}|d}t|tƒrOt|ƒ}n|dd!}|dkr‡|j|||ƒ}||kS|dkr²|j|||ƒ}||kStd|ƒ‚dS( sTVerity username/password pair against a salted hash :returns: bool R‚iii!R¦Rœs%Unknown hashing algorithm in hash: %rN( R…R†RZRROtchrR˜R™Rš(R#R7RƒR;tdecodedt hash_typeR–R_((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR/ s       i`cCs™|jjjƒ}tr't|ƒ}nxk|D]c\}}tj|ddƒ}tjƒ}td|ƒ}|||kr.|jjj |ƒq.q.WdS(s~Purge expired registration requests. :param exp_time: expiration time (hours) :type exp_time: float. RYs%Y-%m-%d %H:%M:%S.%fthoursN( R"Rqtitemstis_py3tlistRtstrptimeR2RRS(R#texp_timetpendingt uuid_codeRxtcreationtnowtmaxdelta((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyt_purge_expired_registrations·s   cCse|j||ƒ}dtƒ}|jdƒ}dj|jdƒ|jdƒ||fƒ}t|ƒS(sÔgenerate a reset_code token :param username: username :type username: str. :param email_addr: email address :type email_addr: str. :returns: Base-64 encoded token s%dsutf-8R(R[R R+tjoinR(R#R7RWR_ttRz((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR|És  N( R RRR!R6R)R=RFRMRRRTRVR`RbRetpropertyRGRiRaRRyR€R‰R“R0R[t staticmethodR™R˜R/R¸R|(((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyRCsN   )  N    &    =  <     RgcBs/eZdd„Zdddd„Zd„ZRS(cCsÎ||_||jjjks*tdƒ‚||_|jjj|}|d|_|d|_|d|_|jjj|j|_ |dk rÊy+|d|_ |d|_ |d|_ WqÊqÊXndS( s‚Represent an authenticated user, exposing useful attributes: username, role, level, description, email_addr, session_creation_time, session_accessed_time, session_id. The session-related attributes are available for the current user only. :param username: username :type username: str. :param cork_obj: instance of :class:`Cork` s Unknown userRHRXRWt_creation_timet_accessed_timet_idN(t_corkR"RRZR7RHR]RWRRNR!tsession_creation_timetsession_accessed_timet session_id(R#R7tcork_objRDt user_data((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR)Üs !       cCsì|j}||jjjkr-tdƒ‚n|dk rw||jjjkr]tdƒ‚n||jjj|d.scCs|jjƒdS(N(R>tsave(R#((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR•3s(R RR¼R4R»R>R•(((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyRÉ)st FlaskCorkcBs/eZed„ƒZed„ƒZd„ZRS(cCst|ƒdS(N(RÈ(RË((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR48scCsddl}|jS(s Get sessioniÿÿÿÿN(tflaskRD(R#RÐ((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR><s cCsdS(N((R#((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR•Bs(R RR¼R4R»R>R•(((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyRÏ7sRcBsDeZded„Zd„Zd„Zd„Zd„Zd„ZRS(icCs:||_||_||_g|_|j|ƒ|_dS(s²Send emails asyncronously :param sender: Sender email address :type sender: str. :param smtp_server: SMTP server :type smtp_server: str. N(tsendert join_timeoutt use_threadst_threadst_parse_smtp_urlt_conf(R#RÑR(RÒRÓ((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyR)Hs     cCsºtjd|tjƒ}|s-tdƒ‚n|jƒ}|dd krVd|dsmtp|starttls|ssl) # Protocol name :// )? ( # Optional user:pass@ (?P[^:]*) # Match every char except ':' (: (?P.*) )? @ # Optional :pass )? (?P # Required FQDN on IP address ()| # Empty string ( # FQDN [a-zA-Z_\-] # First character cannot be a number [a-zA-Z0-9_\-\.]{,254} ) |( # IPv4 ([0-9]{1,3}\.){3} [0-9]{1,3} ) |( # IPv6 \[ # Square brackets ([0-9a-f]{,4}:){1,8} [0-9a-f]{,4} \] ) ) ( # Optional :port : (?P[0-9]{,5}) # Up to 5-digits port )? [/]? $ sSMTP URL seems incorrecttprototsmtptportiiisIncorrect SMTP portN(tretmatchtVERBOSERšt groupdictR!RO(R#turlRÛRd((s:/home/fede/newhome/projects/bottle-cork/tests/cork/cork.pyRÕVs     cCs |jdo|js%tdƒ‚ntdƒ}||d<|j|d<||dsN             ÿÿ™G