confidant.authnz package

Submodules

confidant.authnz.errors module

exception confidant.authnz.errors.AuthenticationError
    Bases: Exception

exception confidant.authnz.errors.NotAuthorized
    Bases: Exception

exception confidant.authnz.errors.TokenVersionError
    Bases: Exception

exception confidant.authnz.errors.UserUnknownError
    Bases: Exception
confidant.authnz.rbac module

confidant.authnz.rbac.default_acl(*args, **kwargs)
    Default ACLs for confidant. Allow access to all resource types and actions for users, except for the certificate resource_type. Deny access to all resource types and actions for services, except:

    - resource_type: service; actions: metadata, get; resource_id: must match the logged-in user's username.
    - resource_type: certificate; actions: get; resource_id: the CN in the CSR, and every SAN value in the CSR, must match the ACM_PRIVATE_CA_DOMAIN_REGEX setting for the CA, and the server_name named group in that regex must match the logged-in user's username.

    kwargs (ca): CA used for this get.
    kwargs (san): A list of subject alternative names in the CSR.

confidant.authnz.rbac.no_acl(*args, **kwargs)
    Stub function that always returns true. This function is set by settings.py via the variable ACL_MODULE. When you'd like to integrate a custom RBAC module, ACL_MODULE should be repointed from this function to the function that will perform the ACL checks.
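The following is an added, self-contained reimplementation of the policy described for default_acl above; it is not confidant's own code. The function signature (user_type, username, resource_type, action, resource_id, plus the ca and san keyword arguments), the dictionary form of the ACM_PRIVATE_CA_DOMAIN_REGEX setting, and the treatment of resource_id as the CSR's CN are all assumptions made for the example. It shows the allow-by-default rule for users, the deny-by-default rule for services, and why every SAN has to pass the same regex and server_name check as the CN.

```python
import re

# Constructed stand-in for the ACM_PRIVATE_CA_DOMAIN_REGEX setting (assumed to be
# one regex per CA name). The "server_name" named group is what gets compared
# with the requesting service's username.
ACM_PRIVATE_CA_DOMAIN_REGEX = {
    "internal-ca": r"^(?P<server_name>[a-z0-9-]+)\.internal\.example\.com$",
}


def _cert_name_allowed(ca, name, username):
    """True if one certificate name (CN or SAN) matches the CA's regex and the
    regex's server_name group equals the requesting service's username."""
    pattern = ACM_PRIVATE_CA_DOMAIN_REGEX.get(ca)
    if pattern is None or name is None:
        # Unknown CA or missing name: fail closed.
        return False
    match = re.match(pattern, name)
    return match is not None and match.group("server_name") == username


def default_acl(user_type, username, resource_type, action, resource_id=None, **kwargs):
    """Assumed-signature reimplementation of the documented default ACL.

    Returns True when the caller is allowed to perform `action` on
    `resource_type`/`resource_id`, False otherwise.
    """
    if user_type == "user":
        # Users may do anything except touch the certificate resource type.
        return resource_type != "certificate"
    if user_type != "service":
        # Anything that is neither a user nor a service is denied.
        return False

    # Services are denied by default, with exactly two carve-outs.
    if resource_type == "service" and action in ("metadata", "get"):
        # A service may only read its own service record.
        return resource_id == username

    if resource_type == "certificate" and action == "get":
        ca = kwargs.get("ca")
        san = kwargs.get("san") or []
        # The CN (resource_id here, by assumption) and every SAN must each pass
        # the CA regex and server_name check; one bad SAN denies the request.
        names = [resource_id] + list(san)
        return all(_cert_name_allowed(ca, name, username) for name in names)

    return False
```

A custom RBAC module pointed to by ACL_MODULE would replace this function body; the important properties to preserve are that services fail closed for every unlisted resource_type/action pair and that the SAN list is checked in full, not just the CN.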
confidant.authnz.userauth module

class confidant.authnz.userauth.AbstractUserAuthenticator
    Bases: object

    property allowed_email_suffix
        A whitelisted suffix for email addresses. Loaded from config['USER_EMAIL_SUFFIX'].
        Returns either a string or None.

    property allowed_email_whitelist
        A whitelist of authorized email addresses or None. Loaded from config['USERS_FILE'] as YAML.

    abstract property auth_type
        A string describing the type of authentication used.

    check_csrf_token()

    clear_session()

    current_email()

    current_first_name()

    current_last_name()

    current_user()

    get_csrf_token()

    is_authenticated()

    is_expired()

    abstract log_in()
        Perform steps needed to start the SSO login process.
        This method must return a Flask response.
        Initially this method will probably return a redirect to an external login page for SSO.
        This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).
        On failure, this method should likely return abort(403).

    log_out()
        Perform steps needed to start the SLO (Single Log-Out) process.
        This method must return a Flask response.
        This handler MAY also be used to handle logout callbacks from the SSO/SLO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call clear_session(), then redirect to the desired post-logout page (e.g. with redirect_to_goodbye()).

    passes_email_suffix(email)

    passes_email_whitelist(email)

    redirect_to_goodbye()

    redirect_to_index()

    set_csrf_token(resp)

    set_current_user(email, first_name=None, last_name=None)

    set_expiration()

    property
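The allowed_email_suffix and allowed_email_whitelist properties, together with passes_email_suffix() and passes_email_whitelist(), gate which SSO-authenticated identities are actually accepted. The block below is an added example, not confidant's implementation: it assumes a None setting means the corresponding check is disabled, takes the suffix and whitelist as plain arguments instead of reading config['USER_EMAIL_SUFFIX'] and the YAML in config['USERS_FILE'], and anchors the suffix at the '@' boundary so that a suffix configured as 'example.com' cannot be satisfied by an address at a look-alike domain. The sample addresses are constructed.

```python
from typing import Iterable, Optional


def normalize_suffix(suffix: Optional[str]) -> Optional[str]:
    """Force the configured suffix to begin with '@' so the comparison is
    anchored at the domain boundary. With a bare suffix of 'example.com',
    'someone@notexample.com' would otherwise end with it and pass."""
    if suffix is None:
        return None
    suffix = suffix.strip().lower()
    return suffix if suffix.startswith("@") else "@" + suffix


def passes_email_suffix(email: str, allowed_suffix: Optional[str]) -> bool:
    """True when no suffix is configured (assumed: check disabled), or when the
    lower-cased address ends with the normalized suffix."""
    suffix = normalize_suffix(allowed_suffix)
    if suffix is None:
        return True
    return email.strip().lower().endswith(suffix)


def passes_email_whitelist(email: str, whitelist: Optional[Iterable[str]]) -> bool:
    """True when no whitelist is configured (assumed: check disabled), or when
    the address is listed. Comparison is case-insensitive, a design choice
    for this example that matches how SSO providers usually report emails."""
    if whitelist is None:
        return True
    allowed = {entry.strip().lower() for entry in whitelist}
    return email.strip().lower() in allowed


def user_is_allowed(email: str, allowed_suffix: Optional[str],
                    whitelist: Optional[Iterable[str]]) -> bool:
    """Both gates must pass; the SSO provider proving who the user is does not
    by itself mean the user is permitted to use this deployment."""
    return passes_email_suffix(email, allowed_suffix) and passes_email_whitelist(email, whitelist)


if __name__ == "__main__":
    # Constructed settings and addresses for a local run.
    SUFFIX = "example.com"                     # as an operator might configure it
    WHITELIST = ["alice@example.com"]          # stand-in for the USERS_FILE YAML list
    for addr in ("alice@example.com", "Alice@Example.com",
                 "someone@notexample.com", "bob@example.com"):
        print(addr, "->", user_is_allowed(addr, SUFFIX, WHITELIST))
```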
class confidant.authnz.userauth.GoogleOauthAuthenticator
    Bases: confidant.authnz.userauth.AbstractUserAuthenticator

    User authenticator class implementing Google OAuth.

    property auth_type
        A string describing the type of authentication used.

    log_in()
        Perform steps needed to start the SSO login process.
        This method must return a Flask response.
        Initially this method will probably return a redirect to an external login page for SSO.
        This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).
        On failure, this method should likely return abort(403).

    property
class confidant.authnz.userauth.HeaderAuthenticator
    Bases: confidant.authnz.userauth.AbstractUserAuthenticator

    User authenticator that pulls user information from HTTP headers. Note that this assumes we're running behind some form of load balancer or reverse proxy that performs the authentication, and that simply being able to make requests to this service implies that the user is authenticated.

    assert_headers()
        Asserts that the current request contains the appropriate headers.

    property auth_type
        A string describing the type of authentication used.
        Header users are always authorized.

    current_user()

    is_authenticated()
        Any user that is able to make requests is authenticated.

    is_expired()
        Sessions are not managed here and do not expire.

    log_in()
        Perform steps needed to start the SSO login process.
        This method must return a Flask response.
        Initially this method will probably return a redirect to an external login page for SSO.
        This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).
        On failure, this method should likely return abort(403).
class confidant.authnz.userauth.NullUserAuthenticator
    Bases: confidant.authnz.userauth.AbstractUserAuthenticator

    Fake user authenticator class that performs no authentication.

    property auth_type
        A string describing the type of authentication used.
        Null users are always authorized.

    current_user()

    is_authenticated()
        Null users are always authenticated.

    is_expired()
        Null users are never expired.

    log_in()
        Perform steps needed to start the SSO login process.
        This method must return a Flask response.
        Initially this method will probably return a redirect to an external login page for SSO.
        This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).
        On failure, this method should likely return abort(403).

    property
class confidant.authnz.userauth.SamlAuthenticator
    Bases: confidant.authnz.userauth.AbstractUserAuthenticator

    User authenticator class implementing SAML.

    property auth_type
        A string describing the type of authentication used.

    consume_saml_assertion()
        This method is called in routes implementing a SAML attribute consumer service, which receives POST callbacks from the IdP after the user has authenticated.

    generate_metadata()
        Generate SAML metadata XML describing the service endpoints.

    log_in()
        SAML log-in redirect.
        This method initiates the SAML authentication process by directing the browser to forward an AuthNRequest to the IdP.
        A separate method handles the post-authentication callback, which will hit /v1/saml/consume, processed by consume_saml_assertion().

    log_out()
        Initiate SAML SLO redirect.

    log_out_callback(clear_session_on_errors=True)
        Callback for SAML logout requests.
        Request must have a SAMLResponse GET parameter.
        On failure, renders error JSON. On success, redirects to /goodbye.

    login_redirect_url(return_to='/', auth=None)

    property

confidant.authnz.userauth.init_user_auth_class(*args, **kwargs)
Module contents

confidant.authnz.account_for_key_alias(key_alias)

confidant.authnz.get_logged_in_user()
    Retrieve the logged-in user's email that is stored in cache.

confidant.authnz.log_in()

confidant.authnz.redirect_to_logout_if_no_auth(f)
    Decorator for redirecting users to the logout page when they are not authenticated.

confidant.authnz.require_auth(f)

confidant.authnz.require_csrf_token(f)

confidant.authnz.require_logout_for_goodbye(f)

confidant.authnz.service_in_account(account)

confidant.authnz.user_is_service(service)

confidant.authnz.user_is_user_type(user_type)