gns3-server/gns3server/api/routes/controller/dependencies/authentication.py

#
# Copyright (C) 2020 GNS3 Technologies Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import re

from fastapi import Request, Query, Depends, HTTPException, WebSocket, status
from fastapi.security import OAuth2PasswordBearer
from typing import Optional

from gns3server import schemas
from gns3server.db.repositories.users import UsersRepository
from gns3server.db.repositories.rbac import RbacRepository
from gns3server.services import auth_service
from .database import get_repository

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v3/access/users/login", auto_error=False)


async def get_user_from_token(
        bearer_token: str = Depends(oauth2_scheme),
        user_repo: UsersRepository = Depends(get_repository(UsersRepository)),
        token: Optional[str] = Query(None, include_in_schema=False)
) -> schemas.User:

    if bearer_token:
        # bearer token is used first, then any token passed as a URL parameter
        token = bearer_token

    if token is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Not authenticated",
            headers={"WWW-Authenticate": "Bearer"},
        )

    username = auth_service.get_username_from_token(token)
    user = await user_repo.get_user_by_username(username)
    if user is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Could not validate credentials",
            headers={"WWW-Authenticate": "Bearer"},
        )
    return user


async def get_current_active_user(
        request: Request,
        current_user: schemas.User = Depends(get_user_from_token),
        rbac_repo: RbacRepository = Depends(get_repository(RbacRepository))
) -> schemas.User:

    # Super admin is always authorized
    if current_user.is_superadmin:
        return current_user

    if not current_user.is_active:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Not an active user",
            headers={"WWW-Authenticate": "Bearer"},
        )

    return current_user


async def get_current_active_user_from_websocket(
        websocket: WebSocket,
        token: str = Query(...),
        user_repo: UsersRepository = Depends(get_repository(UsersRepository)),
) -> Optional[schemas.User]:

    await websocket.accept()

    try:
        username = auth_service.get_username_from_token(token)
        user = await user_repo.get_user_by_username(username)

        if user is None:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail=f"Could not validate credentials for '{username}'"
            )

        # Super admin is always authorized
        if user.is_superadmin:
            return user

        if not user.is_active:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail=f"'{username}' is not an active user"
            )

        return user

    except HTTPException as e:
        websocket_error = {"action": "log.error", "event": {"message": f"Could not authenticate while connecting to "
                                                                       f"WebSocket: {e.detail}"}}
        await websocket.send_json(websocket_error)
        await websocket.close(code=1008)
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00			`#`
			`# Copyright (C) 2020 GNS3 Technologies Inc.`
			`#`
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

Add user permissions + RBAC tests. 2021-06-03 06:10:12 +00:00			`import re`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00
Secure websocket endpoints 2021-11-01 06:15:14 +00:00			`from fastapi import Request, Query, Depends, HTTPException, WebSocket, status`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00			`from fastapi.security import OAuth2PasswordBearer`
Secure websocket endpoints 2021-11-01 06:15:14 +00:00			`from typing import Optional`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00
			`from gns3server import schemas`
			`from gns3server.db.repositories.users import UsersRepository`
Basic functional RBAC support. 2021-05-27 07:58:44 +00:00			`from gns3server.db.repositories.rbac import RbacRepository`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00			`from gns3server.services import auth_service`
User authentication with tests. 2020-12-07 06:22:36 +00:00			`from .database import get_repository`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00
Fix OAuth2PasswordBearer token URL 2023-09-03 10:31:05 +00:00			`oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v3/access/users/login", auto_error=False)`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00

User authentication with tests. 2020-12-07 06:22:36 +00:00			`async def get_user_from_token(`
Allow auth token to be passed as a URL param 2022-07-11 12:19:47 +00:00			`bearer_token: str = Depends(oauth2_scheme),`
			`user_repo: UsersRepository = Depends(get_repository(UsersRepository)),`
Don't show optional token param in API docs 2022-07-19 22:29:42 +00:00			`token: Optional[str] = Query(None, include_in_schema=False)`
User authentication with tests. 2020-12-07 06:22:36 +00:00			`) -> schemas.User:`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00
Allow auth token to be passed as a URL param 2022-07-11 12:19:47 +00:00			`if bearer_token:`
			`# bearer token is used first, then any token passed as a URL parameter`
			`token = bearer_token`

			`if token is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Not authenticated",`
			`headers={"WWW-Authenticate": "Bearer"},`
			`)`

Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00			`username = auth_service.get_username_from_token(token)`
			`user = await user_repo.get_user_by_username(username)`
			`if user is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Could not validate credentials",`
Use black with -l 120 param. 2021-04-13 09:16:50 +00:00			`headers={"WWW-Authenticate": "Bearer"},`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00			`)`
			`return user`


Basic functional RBAC support. 2021-05-27 07:58:44 +00:00			`async def get_current_active_user(`
			`request: Request,`
			`current_user: schemas.User = Depends(get_user_from_token),`
			`rbac_repo: RbacRepository = Depends(get_repository(RbacRepository))`
			`) -> schemas.User:`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00
Secure users API and handle manual password recovery. 2021-04-19 00:10:04 +00:00			`# Super admin is always authorized`
			`if current_user.is_superadmin:`
			`return current_user`

Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00			`if not current_user.is_active:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Not an active user",`
Use black with -l 120 param. 2021-04-13 09:16:50 +00:00			`headers={"WWW-Authenticate": "Bearer"},`
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00			`)`
Basic functional RBAC support. 2021-05-27 07:58:44 +00:00
Refactor tests and start work on database integration. 2020-12-02 08:09:08 +00:00			`return current_user`
Secure websocket endpoints 2021-11-01 06:15:14 +00:00

			`async def get_current_active_user_from_websocket(`
			`websocket: WebSocket,`
			`token: str = Query(...),`
			`user_repo: UsersRepository = Depends(get_repository(UsersRepository)),`
			`) -> Optional[schemas.User]:`

			`await websocket.accept()`

			`try:`
			`username = auth_service.get_username_from_token(token)`
			`user = await user_repo.get_user_by_username(username)`

			`if user is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=f"Could not validate credentials for '{username}'"`
			`)`

			`# Super admin is always authorized`
			`if user.is_superadmin:`
			`return user`

			`if not user.is_active:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=f"'{username}' is not an active user"`
			`)`

			`return user`

			`except HTTPException as e:`
			`websocket_error = {"action": "log.error", "event": {"message": f"Could not authenticate while connecting to "`
			`f"WebSocket: {e.detail}"}}`
			`await websocket.send_json(websocket_error)`
			`await websocket.close(code=1008)`