auth Package

permissions Module

class lemur.auth.permissions.ApiKeyCreatorPermission

Bases: flask_principal.Permission

lemur.auth.permissions.AuthorityCreator

alias of lemur.auth.permissions.authority

lemur.auth.permissions.AuthorityOwner

alias of lemur.auth.permissions.authority

class lemur.auth.permissions.AuthorityPermission(authority_id, roles)

Bases: flask_principal.Permission

lemur.auth.permissions.CertificateOwner

alias of lemur.auth.permissions.certificate

class lemur.auth.permissions.CertificatePermission(owner, roles)

Bases: flask_principal.Permission

lemur.auth.permissions.RoleMember

alias of lemur.auth.permissions.role

class lemur.auth.permissions.RoleMemberPermission(role_id)

Bases: flask_principal.Permission

class lemur.auth.permissions.SensitiveDomainPermission

Bases: flask_principal.Permission

service Module

class lemur.auth.service.AuthenticatedResource

Bases: flask_restful.Resource

Inherited by all resources that need to be protected by authentication.

method_decorators = [<function login_required>]
lemur.auth.service.create_token(user, aid=None, ttl=None)

Create a valid JWT for a given user or API key; this token is then used to authenticate sessions until it expires.

Parameters

user

Returns

lemur.auth.service.fetch_token_header(token)

Fetch the header out of the JWT token.

Parameters

token

Returns

Raises jwt.DecodeError

lemur.auth.service.get_rsa_public_key(n, e)

Retrieve an RSA public key from the modulus and exponent as provided in the JWKS format.

Parameters
  • n

  • e

Returns

an RSA public key in PEM format
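As an added example (not Lemur's own code), the JWK-to-PEM step described above carried out with the standard library only: the base64url `n` and `e` members of a JWK are turned into integers and wrapped in a DER SubjectPublicKeyInfo, which is what a PEM "PUBLIC KEY" block contains. The JWKS document, its `kid` values and the tiny 3-byte modulus are constructed for the example so the bytes can be checked by hand; selecting the key by `kid` and refusing an ambiguous match is this example's choice, not something the page states about `validate_id_token`.

```python
import base64
from typing import Optional

# Constructed JWKS document (NOT a real key set): 'n' values are toy 3-byte
# moduli so the resulting DER is small enough to verify by eye.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "toy-a", "use": "sig", "alg": "RS256", "n": "AQID", "e": "AQAB"},
        {"kty": "RSA", "kid": "toy-b", "use": "sig", "alg": "RS256", "n": "AgME", "e": "AQAB"},
    ]
}

# DER-encoded OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def b64url_to_int(value: str) -> int:
    # JWK members are base64url without padding; restore it before decoding.
    value += "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(value), "big")


def der_len(n: int) -> bytes:
    # Short form below 128, long form (0x8N + N length bytes) above.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return der(0x02, body)


def rsa_public_key_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey { n, e } } }."""
    rsa_key = der(0x30, der_int(n) + der_int(e))
    alg_id = der(0x30, RSA_OID + b"\x05\x00")          # OID + NULL parameters
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_key))  # 0x00 = no unused bits


def rsa_public_key_pem(n: int, e: int) -> str:
    b64 = base64.b64encode(rsa_public_key_der(n, e)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def select_jwk(jwks: dict, kid: Optional[str]) -> dict:
    """Pick exactly one RSA signing key; refuse to guess when the match is ambiguous."""
    candidates = [k for k in jwks.get("keys", [])
                  if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    if kid is not None:
        candidates = [k for k in candidates if k.get("kid") == kid]
    if len(candidates) != 1:
        raise ValueError("expected exactly one matching RSA signing key, found %d" % len(candidates))
    return candidates[0]


def pem_from_jwks(jwks: dict, kid: Optional[str]) -> str:
    jwk = select_jwk(jwks, kid)
    return rsa_public_key_pem(b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"]))
```

The `kid` from the ID token header is the only sane way to choose among several published keys; when it is absent and the set holds more than one RSA key, failing closed is preferable to trying each key in turn. The JWKS document itself must be fetched over a verified TLS connection, which is what the `verify_cert` parameter elsewhere in this module controls.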

lemur.auth.service.login_required(f)

Validates the JWT and ensures that it has not expired and that the user is still active.

Parameters

f

Returns

lemur.auth.service.on_identity_loaded(sender, identity)

Handles the identity-loaded signal for a given user and assigns additional permissions based on the roles that the user is a part of.

Parameters
  • sender

  • identity

views Module

class lemur.auth.views.Google

Bases: flask_restful.Resource

endpoint = 'google'
mediatypes()
methods = {'POST'}

A list of methods this view can handle.

post()
class lemur.auth.views.Login

Bases: flask_restful.Resource

Provides an endpoint for Lemur's basic authentication. It takes a username and password combination and returns a JWT token.

This token is required for each API request and must be provided in the Authorization header of the request:

Authorization: Bearer <token>

Tokens have a set expiration date. You can inspect the token expiration by base64 decoding the token and inspecting its contents.

Note

It is recommended that the token expiration be fairly short lived (hours, not days). This will largely depend on your use cases. It is important to note that there is currently no built-in method to revoke a user's token and force re-authentication.
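The token lifecycle sketched by `create_token`, `login_required` and the Login view above, as an added example (not Lemur's code): minting an HS256 JWT, pulling it out of an `Authorization: Bearer` header, decoding the payload to read `exp` the way the docs suggest, and the verification a protected resource must do. The signing secret, the claim names and the HS256 choice are assumptions for the example; Lemur's real token layout may differ.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing secret for this example only. Lemur signs with a key
# from its own configuration (an assumption about where the real key lives).
SECRET = b"example-signing-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the stripped padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def create_token(sub: str, ttl: int = 3600, aid: Optional[str] = None,
                 now: Optional[int] = None) -> str:
    """Mint an HS256 JWT for a user (and optional api key id). The claim names
    and the HS256 choice are this example's assumptions, not Lemur's."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl}
    if aid is not None:
        payload["aid"] = aid
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    tag = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def bearer_from_header(authorization: str) -> str:
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected a Bearer token")
    return token.strip()


def inspect_token(token: str) -> dict:
    """Decode the payload WITHOUT verifying it: the 'base64 decode and look at
    the expiration' step described above. Never authorize on these claims."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_token(token: str, active_users: set, now: Optional[int] = None) -> dict:
    """The checks login_required has to make: signature, expiry, active user.
    Raises ValueError on any failure and returns the claims otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: honouring whatever 'alg' the token names
    # (including 'none') is a classic JWT verification mistake.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired")
    # With no revocation list, a short ttl plus this active-user check is the
    # only thing that stops a disabled account before its token expires.
    if payload.get("sub") not in active_users:
        raise ValueError("user inactive or unknown")
    return payload
```

The active-user lookup in `verify_token` is what makes the "no revocation" caveat tolerable: disabling the account ends access on the next request even though the token itself stays cryptographically valid until `exp`.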

endpoint = 'login'
mediatypes()
methods = {'POST'}

A list of methods this view can handle.

post()
POST /auth/login

Login with username:password

Example request:

POST /auth/login HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
Content-Type: application/json;charset=UTF-8

{
  "username": "test",
  "password": "test"
}

Example response:

HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "token": "12343243243"
}

Parameters
  • username – username

  • password – password

Status Codes
class lemur.auth.views.OAuth2

Bases: flask_restful.Resource

endpoint = 'oauth2'
get()
mediatypes()
methods = {'GET', 'POST'}

A list of methods this view can handle.

post()
class lemur.auth.views.Ping

Bases: flask_restful.Resource

This class serves as an example of how one might implement an SSO provider for use with Lemur. In this example we use an OpenID Connect authentication flow, which is essentially OAuth2 underneath. If you have an OAuth2 provider you want to use with Lemur, there are two steps:

  1. Define your own class that inherits from flask_restful.Resource and create the HTTP methods the provider uses for its callbacks.

  2. Add or change the Lemur AngularJS configuration to point to your new provider.

endpoint = 'ping'
get()
mediatypes()
methods = {'GET', 'POST'}

A list of methods this view can handle.

post()
class lemur.auth.views.Providers

Bases: flask_restful.Resource

endpoint = 'providers'
get()
mediatypes()
methods = {'GET'}

A list of methods this view can handle.

lemur.auth.views.build_hmac()
lemur.auth.views.create_user_roles(profile)

Creates new roles based on profile information.

Parameters

profile

Returns

lemur.auth.views.exchange_for_access_token(code, redirect_uri, client_id, secret, access_token_url=None, verify_cert=True)

Exchanges authorization code for access token.

Parameters
  • code

  • redirect_uri

  • client_id

  • secret

  • access_token_url

  • verify_cert

Returns

lemur.auth.views.generate_state_token()
lemur.auth.views.retrieve_user(user_api_url, access_token)

Fetch user information from the provided user API URL.

Parameters
  • user_api_url

  • access_token

Returns

lemur.auth.views.retrieve_user_memberships(user_api_url, user_membership_provider, access_token)
lemur.auth.views.update_user(user, profile, roles)

Updates user with current profile information and associated roles.

Parameters
  • user

  • profile

  • roles

lemur.auth.views.validate_id_token(id_token, client_id, jwks_url)

Ensures that the token we receive is valid.

Parameters
  • id_token

  • client_id

  • jwks_url

Returns

lemur.auth.views.verify_state_token(token)
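The `build_hmac`, `generate_state_token` and `verify_state_token` functions listed above have no docstrings here, so the following is an added example (not Lemur's implementation) of the usual shape of an OAuth2 `state` parameter: a random nonce and an issue timestamp, authenticated with an HMAC so the callback can reject a state it did not mint or one that has gone stale. The secret, the 600-second window and the byte layout are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed secret; Lemur's build_hmac() keys its HMAC from the app's own
# configuration (assumption). Rotating it only invalidates in-flight logins.
STATE_SECRET = b"example-state-secret-not-for-production"
STATE_TTL = 600                      # seconds a pending redirect stays valid (assumption)
NONCE_LEN, TS_LEN, TAG_LEN = 16, 8, 32   # byte layout: nonce || timestamp || HMAC-SHA256


def encode_state(raw: bytes) -> str:
    # base64url without padding so the value survives a query string untouched.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_state(token: str) -> Optional[bytes]:
    # Return None instead of raising so callers treat garbage like a bad tag.
    try:
        return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:               # binascii.Error is a ValueError subclass
        return None


def tag_for(body: bytes) -> bytes:
    return hmac.new(STATE_SECRET, body, hashlib.sha256).digest()


def generate_state_token(now: Optional[int] = None) -> str:
    """Random nonce plus issue time, authenticated with an HMAC tag."""
    now = int(time.time()) if now is None else now
    body = os.urandom(NONCE_LEN) + now.to_bytes(TS_LEN, "big")
    return encode_state(body + tag_for(body))


def verify_state_token(token: str, now: Optional[int] = None) -> bool:
    """True only if the tag matches and the token is inside its validity window."""
    now = int(time.time()) if now is None else now
    raw = decode_state(token)
    if raw is None or len(raw) != NONCE_LEN + TS_LEN + TAG_LEN:
        return False
    body, tag = raw[:NONCE_LEN + TS_LEN], raw[NONCE_LEN + TS_LEN:]
    # Constant-time compare: the tag is the only thing standing between a
    # forged callback and a completed login.
    if not hmac.compare_digest(tag_for(body), tag):
        return False
    issued = int.from_bytes(body[NONCE_LEN:], "big")
    return issued <= now < issued + STATE_TTL
```

This scheme is stateless on the server, which is convenient behind a load balancer, but it does not tie the state to the browser session that started the login; storing the nonce in a session cookie as well and comparing the two on the callback is the stronger variant when a session store is available.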