
Merge pull request #71 from andersonluisribeiro/master
Bug fix: removing a user from Kong
andersonluisribeiro committed Jan 25, 2019
2 parents 78aa95e + 60a6225 commit e909f32
Showing 5 changed files with 62 additions and 5 deletions.
2 changes: 1 addition & 1 deletion auth/controller/CRUDController.py
Expand Up @@ -299,7 +299,7 @@ def delete_user(db_session, username: str, requester):
log().info(f"user {user.username} deleted by {requester['username']}")
log().info(user.safe_dict())

kongUtils.remove_from_kong(user)
kongUtils.remove_from_kong(user.username)
MVUserPermission.refresh()
MVGroupPermission.refresh()
db_session.commit()
13 changes: 9 additions & 4 deletions auth/controller/PDPController.py
@@ -1,6 +1,6 @@
import re

from database.Models import PermissionEnum
from database.Models import PermissionEnum, UserGroup
from database.Models import MVUserPermission, MVGroupPermission
from database.flaskAlchemyInit import HTTPRequestError
from controller.AuthenticationController import get_jwt_payload
Expand Down Expand Up @@ -32,11 +32,14 @@ def pdp_main(db_session, pdp_request):
if cached_veredict:
log().info('user ' + str(user_id) + ' '
+ cached_veredict + ' to ' + pdp_request['action']
+ ' on ' + pdp_request['resource'])
+ ' on ' + pdp_request['resource'] + ' from cache')
return cached_veredict


user_groups = [g.group_id for g in UserGroup.query.filter_by(user_id=user_id).all()]

veredict = iterate_permissions(user_id,
jwt_payload['groups'],
user_groups,
pdp_request['action'],
pdp_request['resource'])
# Registry this veredict on cache
Expand All @@ -47,7 +50,7 @@ def pdp_main(db_session, pdp_request):

log().info('user ' + str(user_id) + ' '
+ veredict + ' to ' + pdp_request['action']
+ ' on ' + pdp_request['resource'])
+ ' on ' + pdp_request['resource'] + ' registered on cache')
return veredict


Expand All @@ -56,6 +59,7 @@ def iterate_permissions(user_id, groups_list, action, resource):

# check user direct permissions
for p in MVUserPermission.query.filter_by(user_id=user_id):
log().info('checking for user permissions')
granted = make_decision(p, action, resource)
# user permissions have precedence over group permissions
if granted != PermissionEnum.notApplicable:
Expand All @@ -64,6 +68,7 @@ def iterate_permissions(user_id, groups_list, action, resource):
# check user group permissions
for g in groups_list:
for p in MVGroupPermission.query.filter_by(group_id=g):
log().info('checking for group permissions')
granted = make_decision(p, action, resource)
# deny have precedence over permits
if granted == PermissionEnum.deny:
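Review bot: The `log().info('checking for user permissions')` added inside the `for p in MVUserPermission.query.filter_by(user_id=user_id):` loop, and the matching `log().info('checking for group permissions')` in the next hunk, fire once per permission row on every uncached authorization request, which will flood the log at info level on the hottest path of the service. Hoist each statement to the line before its loop, or lower it to `log().debug(...)`, so the message appears at most once per request. In the `pdp_main` hunk, `user_groups` is now read from `UserGroup` on every cache miss instead of from `jwt_payload['groups']`, presumably so membership changes apply without a new token; a one-line comment such as `# groups come from the DB, not the JWT claim, so membership changes take effect immediately` would record that decision, and `.all()` is redundant inside the comprehension since the query is already iterable. Both `pdp_main` and `iterate_permissions` continue outside the hunks shown.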
8 changes: 8 additions & 0 deletions auth/controller/RelationshipController.py
Expand Up @@ -27,6 +27,10 @@ def add_user_group(db_session, user, group, requester):
r = UserGroup(user_id=user.id, group_id=group.id)
db_session.add(r)
cache.delete_key(userid=user.id)

user.reset_token()
db_session.add(user)

log().info(f"user {user.username} added to group {group.name} by {requester['username']}")

db_session.commit()
Expand All @@ -46,6 +50,10 @@ def remove_user_group(db_session, user, group, requester):
.filter_by(user_id=user.id, group_id=group.id).one()
db_session.delete(relation)
cache.delete_key(userid=user.id)

user.reset_token()
db_session.add(user)

log().info(f"user {user.username} removed from {group.name} by {requester['username']}")
db_session.commit()
except orm_exceptions.NoResultFound:
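Review bot: `user.reset_token()` in both `add_user_group` and `remove_user_group` has no visible way to report failure — per the Models hunk it does nothing when `reset_kong_secret` returns `None`, which is also what a non-2xx Kong reply produces — so `db_session.commit()` persists the membership change while the user's previous Kong key and secret stay valid. For `remove_user_group` that means a user dropped from a group may keep authenticating with tokens issued under the old secret; the verdict cache entry was deleted, but the credential was not rotated. Consider having `reset_token()` return whether the rotation happened and at least logging it, e.g. `if not user.reset_token(): log().warning(f"kong secret for {user.username} was not rotated")`, or refusing to commit. Both functions start and end outside the hunks shown.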
9 changes: 9 additions & 0 deletions auth/database/Models.py
Expand Up @@ -5,6 +5,7 @@

import enum
import datetime
import kongUtils

from .inputConf import UserLimits, PermissionLimits, GroupLimits
from .flaskAlchemyInit import db
Expand Down Expand Up @@ -108,6 +109,14 @@ def safe_dict(self):
if c.name not in self.sensibleFields
}

def reset_token(self):
kong_data = kongUtils.reset_kong_secret(self.username, self.kongId)

if kong_data is not None:
self.secret = kong_data['secret']
self.key = kong_data['key']
self.kongId = kong_data['kongid']

@staticmethod
def get_by_name_or_id(name_or_id: str):
"""
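Review bot: `reset_token` gives its caller no signal about whether the Kong secret was actually rotated: `reset_kong_secret` returns `None` both when Kong is disabled and when the delete or create request fails, and the method then silently keeps the old `key`, `secret` and `kongId`. Adding `return kong_data is not None` at the end lets RelationshipController distinguish "rotated" from "old secret still live" before committing a group change. The method also lacks a docstring; something like "Revoke this user's Kong JWT credential and store the replacement key, secret and Kong id; the fields are left untouched when Kong is disabled or the call fails." would do. The new `import kongUtils` makes the ORM model module depend on the HTTP-client module, and since kongUtils raises `HTTPRequestError` — imported elsewhere from `database.flaskAlchemyInit` — this looks prone to an import cycle; worth confirming.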
35 changes: 35 additions & 0 deletions auth/kongUtils.py
Expand Up @@ -71,6 +71,41 @@ def revoke_kong_secret(username, token_id):
except ConnectionError:
LOGGER.error("Failed to connect to kong")
raise HTTPRequestError(500, "Failed to connect to kong")


# Invalidate old kong shared secret and generates a new one
def reset_kong_secret(username, token_id):
if conf.kongURL == 'DISABLED':
return
try:
delete_response = requests.delete("%s/consumers/%s/jwt/%s"
% (conf.kongURL, username, token_id))

if not (200 <= delete_response.status_code < 300):
LOGGER.error("failed to delete key: %d %s"
% (delete_response.status_code, delete_response.reason))
LOGGER.error(delete_response.json())
return None

headers = {"content-type": "application/x-www-form-urlencoded"}
response = requests.post('%s/consumers/%s/jwt'
% (conf.kongURL, username), headers=headers)
if not (200 <= response.status_code < 300):
LOGGER.error("failed to create key: %d %s"
% (response.status_code, response.reason))
LOGGER.error(response.json())
return None

reply = response.json()

return {
'key': reply['key'],
'secret': reply['secret'],
'kongid': reply['id']
}
except ConnectionError:
LOGGER.error("Failed to connect to kong")
raise HTTPRequestError(500, "Failed to connect to kong")


def remove_from_kong(user):
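Review bot: `LOGGER.error(delete_response.json())` and `LOGGER.error(response.json())` in `reset_kong_secret` will themselves raise `ValueError` if Kong answers a failure with an empty or non-JSON body, and that exception is not covered by `except ConnectionError`, so the caller gets an unhandled error instead of the intended `None`; since the bodies are only being logged, use `LOGGER.error(delete_response.text)` and `LOGGER.error(response.text)`. The function also returns `None` both for `conf.kongURL == 'DISABLED'` and for a failed rotation, so callers cannot tell "nothing to do" from "old secret still valid"; raising `HTTPRequestError` on the non-2xx paths, as the connection-failure path already does, would make the failure visible. `username` and `token_id` are interpolated straight into the URL path, so `urllib.parse.quote(username, safe='')` would be a cheap guard unless UserLimits already excludes characters like `/` and `?`. Further down, `remove_from_kong(user)` now receives `user.username` from CRUDController, so renaming the parameter to `username` would match its sibling functions; its body continues outside the hunk.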
