auth Package

permissions Module

class lemur.auth.permissions.ApiKeyCreatorPermission
    Bases: flask_principal.Permission

lemur.auth.permissions.AuthorityCreator
    alias of lemur.auth.permissions.authority

lemur.auth.permissions.AuthorityOwner
    alias of lemur.auth.permissions.authority

class lemur.auth.permissions.AuthorityPermission(authority_id, roles)
    Bases: flask_principal.Permission

lemur.auth.permissions.CertificateOwner
    alias of lemur.auth.permissions.certificate

class lemur.auth.permissions.CertificatePermission(owner, roles)
    Bases: flask_principal.Permission

lemur.auth.permissions.RoleMember
    alias of lemur.auth.permissions.role

class lemur.auth.permissions.RoleMemberPermission(role_id)
    Bases: flask_principal.Permission

class lemur.auth.permissions.SensitiveDomainPermission
    Bases: flask_principal.Permission

service Module

class lemur.auth.service.AuthenticatedResource
    Bases: flask_restful.Resource
    Inherited by all resources that need to be protected by authentication.

    method_decorators = [<function login_required>]

lemur.auth.service.create_token(user, aid=None, ttl=None)
    Create a valid JWT for a given user or API key. This token is then used to authenticate sessions until the token expires.

    Parameters:
        user –
    Returns:

lemur.auth.service.fetch_token_header(token)
    Fetch the header out of the JWT token.

    Parameters:
        token –
    Returns:
    Raises: jwt.DecodeError

lemur.auth.service.get_rsa_public_key(n, e)
    Retrieve an RSA public key based on a modulus and exponent as provided by the JWKS format.

    Parameters:
        n –
        e –
    Returns:
        an RSA public key in PEM format
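
The JWKS-to-PEM conversion described for get_rsa_public_key, as an added example that is not Lemur's own code: it builds the SubjectPublicKeyInfo DER by hand with the standard library rather than calling a cryptography library. The function names, the `min_bits` policy check and the sample modulus are assumptions made for illustration.

```python
import base64

# DER AlgorithmIdentifier: rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def b64url_to_int(value: str) -> int:
    """JWKS carries n and e as unpadded base64url, big-endian integers."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    return int.from_bytes(raw, "big")

def int_to_b64url(value: int) -> str:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def der(tag: int, content: bytes) -> bytes:
    """Tag-length-value using DER definite-length encoding."""
    size = len(content)
    if size < 0x80:
        length = bytes([size])
    else:
        body = size.to_bytes((size.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_uint(value: int) -> bytes:
    """INTEGER; a leading zero byte is emitted when the high bit would be set."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def jwk_rsa_to_pem(n_b64: str, e_b64: str, min_bits: int = 2048) -> str:
    """Convert the JWKS 'n' and 'e' members to a PEM SubjectPublicKeyInfo."""
    n, e = b64url_to_int(n_b64), b64url_to_int(e_b64)
    # Hypothetical policy check: refuse short moduli and even or tiny exponents
    # before the key is ever used to validate an id_token.
    if n.bit_length() < min_bits or e < 3 or e % 2 == 0:
        raise ValueError("rejecting weak or malformed RSA parameters")
    rsa_public_key = der(0x30, der_uint(n) + der_uint(e))               # RSAPublicKey
    spki = der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_public_key))  # BIT STRING wrap
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

# Constructed inputs: a 2048-bit odd integer standing in for a modulus (not a real key).
SAMPLE_N = int_to_b64url((1 << 2047) | 1)
SAMPLE_E = "AQAB"  # 65537

if __name__ == "__main__":
    print(jwk_rsa_to_pem(SAMPLE_N, SAMPLE_E))
```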

lemur.auth.service.login_required(f)
    Validates the JWT and ensures that it has not expired and the user is still active.

    Parameters:
        f –
    Returns:

lemur.auth.service.on_identity_loaded(sender, identity)
    Sets the identity of a given option and assigns additional permissions based on the role that the user is a part of.

    Parameters:
        sender –
        identity –

views Module

class lemur.auth.views.Google
    Bases: flask_restful.Resource

    endpoint = 'google'

    mediatypes()

    methods = {'POST'}
        A list of methods this view can handle.

    post()

class lemur.auth.views.Login
    Bases: flask_restful.Resource
    Provides an endpoint for Lemur's basic authentication. It takes a username and password combination and returns a JWT token.
    This token is required for each API request and must be provided in the Authorization header of the request.

        Authorization: Bearer <token>

    Tokens have a set expiration date. You can inspect the token expiration by base64 decoding the token and inspecting its contents.

    Note
    It is recommended that the token expiration is fairly short lived (hours not days). This will largely depend on your use cases, but it is important to note that there is currently no built-in method to revoke a user's token and force re-authentication.
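
Inspecting a token's header and expiration by base64 decoding, as described above and for fetch_token_header, shown as an added example that is not part of Lemur. It assumes the standard `iat` and `exp` claims; the sample token, its key and the 8-hour threshold are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(iat: int, ttl_seconds: int) -> str:
    """Constructed HS256 token standing in for the "token" field of a login response."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": 1, "iat": iat, "exp": iat + ttl_seconds}  # assumed claim set
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(b"constructed-demo-key", f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"

def inspect_token(token: str):
    """Return (header, claims) decoded WITHOUT verifying the signature.

    Suitable for inspection and auditing only, never for authentication.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def audit_token_lifetime(token: str, max_hours: float = 8, now=None) -> dict:
    """With no revocation, the time left until exp is how long a leaked token stays usable."""
    now = time.time() if now is None else now
    _, claims = inspect_token(token)
    if "exp" not in claims:
        return {"ok": False, "reason": "no exp claim, token never expires"}
    issued = claims.get("iat", now)
    lifetime_h = (claims["exp"] - issued) / 3600
    remaining_h = max(claims["exp"] - now, 0) / 3600
    ok = lifetime_h <= max_hours
    reason = "within policy" if ok else f"lifetime {lifetime_h:.0f}h exceeds {max_hours}h"
    return {"ok": ok, "lifetime_hours": lifetime_h,
            "remaining_hours": remaining_h, "reason": reason}

if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    for ttl in (3600, 30 * 86400):
        print(audit_token_lifetime(make_sample_token(issued_at, ttl), now=issued_at + 600))
```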

    endpoint = 'login'

    mediatypes()

    methods = {'POST'}
        A list of methods this view can handle.

    post()
        POST /auth/login
            Login with username:password

            Example request:

                POST /auth/login HTTP/1.1
                Host: example.com
                Accept: application/json, text/javascript
                Content-Type: application/json;charset=UTF-8

                {
                  "username": "test",
                  "password": "test"
                }

            Example response:

                HTTP/1.1 200 OK
                Vary: Accept
                Content-Type: text/javascript

                {
                  "token": "12343243243"
                }

            Parameters:
                username – username
                password – password
            Status Codes:
                401 Unauthorized – invalid credentials
                200 OK – no error

class lemur.auth.views.OAuth2
    Bases: flask_restful.Resource

    endpoint = 'oauth2'

    get()

    mediatypes()

    methods = {'GET', 'POST'}
        A list of methods this view can handle.

    post()

class lemur.auth.views.Ping
    Bases: flask_restful.Resource
    This class serves as an example of how one might implement an SSO provider for use with Lemur. In this example we use an OpenID Connect authentication flow, which is essentially OAuth2 underneath. If you have an OAuth2 provider you want to use with Lemur, there are two steps:

    - Define your own class that inherits from flask_restful.Resource and create the HTTP methods the provider uses for its callbacks.
    - Add or change the Lemur AngularJS Configuration to point to your new provider.

    endpoint = 'ping'

    get()

    mediatypes()

    methods = {'GET', 'POST'}
        A list of methods this view can handle.

    post()

class lemur.auth.views.Providers
    Bases: flask_restful.Resource

    endpoint = 'providers'

    get()

    mediatypes()

    methods = {'GET'}
        A list of methods this view can handle.

lemur.auth.views.build_hmac()

lemur.auth.views.create_user_roles(profile)
    Creates new roles based on profile information.

    Parameters:
        profile –
    Returns:

lemur.auth.views.exchange_for_access_token(code, redirect_uri, client_id, secret, access_token_url=None, verify_cert=True)
    Exchanges authorization code for access token.

    Parameters:
        code –
        redirect_uri –
        client_id –
        secret –
        access_token_url –
        verify_cert –
    Returns:

lemur.auth.views.generate_state_token()

lemur.auth.views.retrieve_user(user_api_url, access_token)
    Fetch user information from provided user api_url.

    Parameters:
        user_api_url –
        access_token –
    Returns:

lemur.auth.views.retrieve_user_memberships(user_api_url, user_membership_provider, access_token)

lemur.auth.views.update_user(user, profile, roles)
    Updates user with current profile information and associated roles.

    Parameters:
        user –
        profile –
        roles –

lemur.auth.views.validate_id_token(id_token, client_id, jwks_url)
    Ensures that the token we receive is valid.

    Parameters:
        id_token –
        client_id –
        jwks_url –
    Returns:

lemur.auth.views.verify_state_token(token)