confidant.authnz package

Submodules

confidant.authnz.errors module

exception confidant.authnz.errors.AuthenticationError

Bases: Exception

exception confidant.authnz.errors.NotAuthorized

Bases: Exception

exception confidant.authnz.errors.TokenVersionError

Bases: Exception

exception confidant.authnz.errors.UserUnknownError

Bases: Exception

confidant.authnz.rbac module

confidant.authnz.rbac.default_acl(*args, **kwargs)

Default ACLs for confidant: Allow access to all resource types and actions for users, except for certificate resource_type. Deny access to all resource types and actions for services, except:

  • resource_type: service; actions: metadata, get; resource_id: must match the logged-in user's username

  • resource_type: certificate; actions: get; resource_id: must match against the ACM_PRIVATE_CA_DOMAIN_REGEX setting for the CA, for the CN in the CSR and for all SAN values in the CSR, and the server_name named group in the regex must match the logged-in user's username.

    kwargs (ca): CA used for this get
    kwargs (san): A list of subject alternative names in the CSR
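The rules above, written out as a small policy function. This is an added example, not Confidant's own default_acl (which takes *args and **kwargs); the explicit argument names, the ACM_PRIVATE_CA_DOMAIN_REGEX value and the host names used are assumptions made for the example.

```python
import re

# Constructed stand-in for Confidant's ACM_PRIVATE_CA_DOMAIN_REGEX setting
# (one regex per CA name). The value is invented for this example; the
# server_name named group is the part compared against the caller's username.
ACM_PRIVATE_CA_DOMAIN_REGEX = {
    "internal-ca": r"^(?P<server_name>[a-z0-9-]+)\.internal\.example\.com$",
}


def _name_matches_caller(name, username, pattern):
    """True if `name` matches the CA regex and its server_name group equals the username."""
    match = pattern.fullmatch(name)
    return match is not None and match.group("server_name") == username


def default_acl(user_type, username, resource_type, action,
                resource_id=None, ca=None, san=None):
    """Decide an access request using the rules described for default_acl().

    Argument names are assumed for this example. Returns True when access is
    allowed, False otherwise.
    """
    # Users: everything except certificate resources.
    if user_type == "user":
        return resource_type != "certificate"

    # Anything that is neither a user nor a service is denied outright.
    if user_type != "service":
        return False

    # Services may read their own service metadata/contents only.
    if resource_type == "service" and action in ("metadata", "get"):
        return resource_id == username

    # Services may get a certificate only when the CN (resource_id) and every
    # SAN match the CA's regex and the server_name group names the caller.
    if resource_type == "certificate" and action == "get":
        regex = ACM_PRIVATE_CA_DOMAIN_REGEX.get(ca)
        if regex is None or resource_id is None:
            return False
        pattern = re.compile(regex)
        names = [resource_id] + list(san or [])
        return all(_name_matches_caller(n, username, pattern) for n in names)

    # Everything else is denied for services.
    return False


if __name__ == "__main__":
    # A service named "web" asking for a certificate whose CN and SAN both name it.
    print(default_acl("service", "web", "certificate", "get",
                      resource_id="web.internal.example.com", ca="internal-ca",
                      san=["web.internal.example.com"]))
```

Note that the certificate branch requires every name in the CSR to pass, not just the CN: a single SAN naming another host is enough to deny the request, which is the property that stops one service from obtaining a certificate valid for a peer.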

confidant.authnz.rbac.no_acl(*args, **kwargs)

Stub function that always returns true. This function is set by settings.py via the ACL_MODULE variable. When you'd like to integrate a custom RBAC module, ACL_MODULE should be repointed from this function to the function that will perform the ACL checks.

confidant.authnz.userauth module

class confidant.authnz.userauth.AbstractUserAuthenticator

Bases: object

property allowed_email_suffix

A whitelisted suffix for email addresses. Loaded from config['USER_EMAIL_SUFFIX'].

Returns either a string or None.

property allowed_email_whitelist

A whitelist of authorized email addresses or None. Loaded from config['USERS_FILE'] as YAML.

abstract property auth_type

A string describing the type of authentication used

check_authorization()
check_csrf_token()
clear_session()
current_email()
current_first_name()
current_last_name()
current_user()
get_csrf_token()
is_authenticated()
is_expired()
abstract log_in()

Perform steps needed to start the SSO login process.

This method must return a Flask response.

Initially this method will probably return a redirect to an external login page for SSO.

This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).

On failure, this method should likely return abort(403).

log_out()

Perform steps needed to start the SLO (SingleLogOut) process.

This method must return a Flask response.

This handler MAY also be used to handle logout callbacks from the SSO/SLO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call clear_session(), then redirect to the desired post-logout page (e.g. with redirect_to_goodbye()).

passes_email_suffix(email)
passes_email_whitelist(email)
redirect_to_goodbye()
redirect_to_index()
set_csrf_token(resp)
set_current_user(email, first_name=None, last_name=None)
set_expiration()
class confidant.authnz.userauth.GoogleOauthAuthenticator

Bases: AbstractUserAuthenticator

User authenticator class implementing Google OAuth.

property auth_type

A string describing the type of authentication used

log_in()

Perform steps needed to start the SSO login process.

This method must return a Flask response.

Initially this method will probably return a redirect to an external login page for SSO.

This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).

On failure, this method should likely return abort(403).

class confidant.authnz.userauth.HeaderAuthenticator

Bases: AbstractUserAuthenticator

User authenticator that pulls user information from HTTP headers. Note that this assumes we’re running behind some form of load-balancer or reverse proxy that performs the authentication, and that simply being able to make requests to this service implies that the user is authenticated.

assert_headers()

Asserts that the current request contains the appropriate headers.

property auth_type

A string describing the type of authentication used

check_authorization()

Header users are always authorized

current_user()
is_authenticated()

Any user that is able to make requests is authenticated

is_expired()

Sessions are not managed here and do not expire

log_in()

Perform steps needed to start the SSO login process.

This method must return a Flask response.

Initially this method will probably return a redirect to an external login page for SSO.

This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).

On failure, this method should likely return abort(403).
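The HeaderAuthenticator above treats every request that reaches the service as authenticated, which is only safe when nothing but the authenticating proxy can reach it. The following added example (not Confidant's code) shows the shape of such an authenticator together with the check a deployer would want alongside it: identity headers are believed only when the peer address belongs to a configured proxy. The header names and proxy addresses are invented for the example.

```python
from dataclasses import dataclass
from typing import Mapping, Optional


class AuthenticationError(Exception):
    """Raised when the request cannot be attributed to an authenticated user."""


# Header names are assumed for this example (invented, not Confidant's).
EMAIL_HEADER = "x-auth-email"
FIRST_NAME_HEADER = "x-auth-first-name"
LAST_NAME_HEADER = "x-auth-last-name"
REQUIRED_HEADERS = (EMAIL_HEADER,)

# Constructed: peer addresses of the reverse proxies that perform authentication.
# Identity headers arriving from any other peer are not trusted.
TRUSTED_PROXIES = frozenset({"10.0.0.5", "10.0.0.6"})


@dataclass(frozen=True)
class HeaderUser:
    email: str
    first_name: Optional[str]
    last_name: Optional[str]


def _normalize(headers: Mapping[str, str]) -> dict:
    # HTTP header names are case-insensitive; compare them lower-cased.
    return {k.lower(): v for k, v in headers.items()}


def assert_headers(headers: Mapping[str, str]) -> None:
    """Raise AuthenticationError unless every required identity header is present and non-empty."""
    present = _normalize(headers)
    missing = [h for h in REQUIRED_HEADERS if not present.get(h)]
    if missing:
        raise AuthenticationError(f"missing identity headers: {missing}")


def current_user(headers: Mapping[str, str], remote_addr: str) -> HeaderUser:
    """Return the user asserted by the proxy, or raise AuthenticationError."""
    # The trust-boundary check: headers are only meaningful from a known proxy.
    if remote_addr not in TRUSTED_PROXIES:
        raise AuthenticationError(f"identity headers not trusted from {remote_addr}")
    assert_headers(headers)
    present = _normalize(headers)
    return HeaderUser(
        email=present[EMAIL_HEADER],
        first_name=present.get(FIRST_NAME_HEADER),
        last_name=present.get(LAST_NAME_HEADER),
    )


def is_authenticated(headers: Mapping[str, str], remote_addr: str) -> bool:
    """True when the request carries a trusted, complete identity assertion."""
    try:
        current_user(headers, remote_addr)
    except AuthenticationError:
        return False
    return True


if __name__ == "__main__":
    # Constructed request: proxy-supplied headers from a trusted peer.
    print(current_user({"X-Auth-Email": "alice@example.com"}, "10.0.0.5"))
```

The peer-address check uses the socket peer, not a forwarded-for header, because the latter is itself client-controlled unless the proxy overwrites it; if the service sits behind more than one hop, the list of trusted peers must name the hop that actually connects to it.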

class confidant.authnz.userauth.NullUserAuthenticator

Bases: AbstractUserAuthenticator

Fake user authenticator class that performs no authentication.

property auth_type

A string describing the type of authentication used

check_authorization()

Null users are always authorized

current_user()
is_authenticated()

Null users are always authenticated

is_expired()

Null users are never expired

log_in()

Perform steps needed to start the SSO login process.

This method must return a Flask response.

Initially this method will probably return a redirect to an external login page for SSO.

This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).

On failure, this method should likely return abort(403).

class confidant.authnz.userauth.SamlAuthenticator

Bases: AbstractUserAuthenticator

User authenticator class implementing SAML.

_current_saml_session_id()
_current_user_nameid()

Get the SAML name_id of the currently logged in user.

_load_rsa_for_saml(path, password=None)

Load an RSA private key file.

_load_x509_for_saml(path)

Load an X.509 certificate from a PEM file.

_render_saml_errors_json(auth)

Log and handle SAML errors, returning them as JSON. Returns a Response object suitable for returning from a route handler.

Parameters:

auth (onelogin.saml2.auth.OneLogin_Saml2_Auth) – The python-saml Auth class.

Returns:

a flask response

Return type:

flask.Response

_render_saml_settings_dict()

Given the configuration present in current_app.config, render a settings dict suitable for passing to OneLogin_Saml2_Auth() in initialization.

_saml_auth(req_dict=None)

Instantiate a OneLogin_Saml2_Auth object from the current request data (or from req_dict, if given).

Parameters:

req_dict (dict) – A dict containing request information, optional.

Returns:

a SAML Auth object

Return type:

onelogin.saml2.auth.OneLogin_Saml2_Auth

_saml_req_dict_from_request(flask_request=None)

Given a Flask Request object, return a dict of request information in the format that python-saml expects it for Auth objects.

Parameters:

flask_request (flask.Request) – A request object to pull data from.

Returns:

python-saml settings data

Return type:

dict

property auth_type

A string describing the type of authentication used

consume_saml_assertion()

This method is called in routes implementing a SAML attribute consumer service, which receives POST callbacks from the IdP after the user has authenticated.

generate_metadata()

Generate SAML metadata XML describing the service endpoints.

log_in()

SAML log-in redirect.

This method initiates the SAML authentication process by directing the browser to forward along an AuthNRequest to the IdP.

A separate method handles the post-authentication callback, which will hit /v1/saml/consume, processed by consume_saml_assertion().

log_out()

Initiate SAML SLO redirect.

log_out_callback(clear_session_on_errors=True)

Callback for SAML logout requests.

Request must have a SAMLResponse GET parameter.

On failure, renders error JSON. On success, redirects to /goodbye.

login_redirect_url(return_to='/', auth=None)
confidant.authnz.userauth.init_user_auth_class(*args, **kwargs)

Module contents

confidant.authnz._get_kms_auth_data()
confidant.authnz._get_validator()
confidant.authnz.account_for_key_alias(key_alias)
confidant.authnz.get_logged_in_user()

Retrieve the logged-in user's email that is stored in the cache.

confidant.authnz.log_in()
confidant.authnz.redirect_to_logout_if_no_auth(f)

Decorator for redirecting users to the logout page when they are not authenticated.

confidant.authnz.require_auth(f)
confidant.authnz.require_csrf_token(f)
confidant.authnz.require_logout_for_goodbye(f)
confidant.authnz.service_in_account(account)
confidant.authnz.user_is_service(service)
confidant.authnz.user_is_user_type(user_type)