kinto 23.2.1__py3-none-any.whl

kinto/plugins/accounts/authentication.py

@@ -0,0 +1,63 @@
+import bcrypt
+from pyramid import authentication as base_auth
+
+from kinto.core import utils
+from kinto.core.storage import exceptions as storage_exceptions
+
+from .utils import (
+    ACCOUNT_CACHE_KEY,
+    ACCOUNT_POLICY_NAME,
+)
+
+
+def account_check(username, password, request):
+    settings = request.registry.settings
+    hmac_secret = settings["userid_hmac_secret"]
+    cache_key = utils.hmac_digest(hmac_secret, ACCOUNT_CACHE_KEY.format(username))
+    cache_ttl = int(settings.get("account_cache_ttl_seconds", 30))
+    hashed_password = utils.hmac_digest(cache_key, password)
+
+    # Check cache to see whether somebody has recently logged in with the same
+    # username and password.
+    cache = request.registry.cache
+    cache_result = cache.get(cache_key)
+
+    # Username and password have been verified previously. No need to compare hashes
+    if cache_result == hashed_password:
+        # Refresh the cache TTL.
+        cache.expire(cache_key, cache_ttl)
+        return True
+
+    # Back to standard procedure
+    parent_id = username
+    try:
+        existing = request.registry.storage.get(
+            parent_id=parent_id, resource_name="account", object_id=username
+        )
+    except storage_exceptions.ObjectNotFoundError:
+        return None
+
+    hashed = existing["password"].encode(encoding="utf-8")
+    pwd_str = password.encode(encoding="utf-8")
+    # Check if password is valid (it is a very expensive computation)
+    if bcrypt.checkpw(pwd_str, hashed):
+        cache.set(cache_key, hashed_password, ttl=cache_ttl)
+        return True
+
+
+class AccountsAuthenticationPolicy(base_auth.BasicAuthAuthenticationPolicy):
+    """Accounts authentication policy.
+
+    It will check that the credentials exist in the account resource.
+    """
+
+    name = ACCOUNT_POLICY_NAME
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(account_check, *args, **kwargs)
+
+    def effective_principals(self, request):
+        # Bypass default Pyramid construction of principals because
+        # Pyramid multiauth already adds userid, Authenticated and Everyone
+        # principals.
+        return []

kinto/plugins/accounts/scripts.py

@@ -0,0 +1,61 @@
+import getpass
+import logging
+
+import transaction as current_transaction
+from pyramid.settings import asbool
+
+from .utils import hash_password
+from .views import AccountIdGenerator
+
+
+logger = logging.getLogger(__name__)
+
+
+def create_user(env, username=None, password=None):
+    """Administrative command to create a new user."""
+    registry = env["registry"]
+    settings = registry.settings
+    readonly_mode = asbool(settings.get("readonly", False))
+    if readonly_mode:
+        message = "Cannot create a user with a readonly server."
+        logger.error(message)
+        return 51
+
+    if "kinto.plugins.accounts" not in settings["includes"]:
+        message = "Cannot create a user when the accounts plugin is not installed."
+        logger.error(message)
+        return 52
+
+    try:
+        validator = AccountIdGenerator()
+        if username is None:
+            username = input("Username: ")
+        while not validator.match(username):
+            print("{} is not a valid username.")
+            print(f"Username should match {validator.regexp}, please try again.")
+            username = input("Username: ")
+
+        if password is None:
+            while True:  # The user didn't entered twice the same password
+                password = getpass.getpass(f"Please enter a password for {username}: ")
+                confirm = getpass.getpass("Please confirm the password: ")
+
+                if password == confirm:
+                    break
+                print("Sorry, passwords do not match, please try again.")
+    except EOFError:
+        print("User creation aborted")
+        return 53
+
+    print(f"Creating user '{username}'")
+    entry = {"id": username, "password": hash_password(password)}
+    registry.storage.update(
+        resource_name="account", parent_id=username, object_id=username, obj=entry
+    )
+    registry.permission.add_principal_to_ace(
+        f"/accounts/{username}", "write", f"account:{username}"
+    )
+
+    current_transaction.commit()
+
+    return 0

kinto/plugins/accounts/utils.py

@@ -0,0 +1,13 @@
+import bcrypt
+
+
+ACCOUNT_CACHE_KEY = "accounts:{}:verified"
+ACCOUNT_POLICY_NAME = "account"
+
+
+def hash_password(password):
+    # Store password safely in database as str
+    # (bcrypt.hashpw returns base64 bytes).
+    pwd_str = password.encode(encoding="utf-8")
+    hashed = bcrypt.hashpw(pwd_str, bcrypt.gensalt())
+    return hashed.decode(encoding="utf-8")

kinto/plugins/accounts/views.py

@@ -0,0 +1,136 @@
+import colander
+from pyramid import httpexceptions
+from pyramid.authorization import Authenticated, Everyone
+from pyramid.decorator import reify
+from pyramid.events import subscriber
+from pyramid.settings import aslist
+
+from kinto.core import resource, utils
+from kinto.core.errors import http_error, raise_invalid
+from kinto.core.events import ACTIONS, ResourceChanged
+from kinto.views import NameGenerator
+
+from .utils import ACCOUNT_CACHE_KEY, ACCOUNT_POLICY_NAME, hash_password
+
+
+def _extract_posted_body_id(request):
+    try:
+        # Anonymous creation with POST.
+        return request.json["data"]["id"]
+    except (ValueError, KeyError):
+        # Bad POST data.
+        if request.method.lower() == "post":
+            error_details = {"name": "data.id", "description": "data.id in body: Required"}
+            raise_invalid(request, **error_details)
+        # Anonymous GET
+        error_msg = "Cannot read accounts."
+        raise http_error(httpexceptions.HTTPUnauthorized(), error=error_msg)
+
+
+class AccountIdGenerator(NameGenerator):
+    """Allow @ signs in account IDs."""
+
+    regexp = r"^[a-zA-Z0-9][+.@a-zA-Z0-9_-]*$"
+
+
+class AccountSchema(resource.ResourceSchema):
+    password = colander.SchemaNode(colander.String())
+
+
+@resource.register()
+class Account(resource.Resource):
+    schema = AccountSchema
+
+    def __init__(self, request, context):
+        settings = request.registry.settings
+        # Store if current user is administrator (before accessing get_parent_id())
+        allowed_from_settings = settings.get("account_write_principals", [])
+        context.is_administrator = (
+            len(set(aslist(allowed_from_settings)) & set(request.prefixed_principals)) > 0
+        )
+        # Shortcut to check if current is anonymous (before get_parent_id()).
+        context.is_anonymous = Authenticated not in request.effective_principals
+
+        super().__init__(request, context)
+
+        # Overwrite the current principal set by Resource.
+        if self.model.current_principal == Everyone or context.is_administrator:
+            # Creation is anonymous, but author with write perm is this:
+            self.model.current_principal = f"{ACCOUNT_POLICY_NAME}:{self.model.parent_id}"
+
+    @reify
+    def id_generator(self):
+        # This generator is used for ID validation.
+        return AccountIdGenerator()
+
+    def get_parent_id(self, request):
+        # The whole challenge here is that we want to isolate what
+        # authenticated users can list, but give access to everything to
+        # administrators.
+        # Plus when anonymous create accounts, we have to set their parent id
+        # to the same value they would obtain when authenticated.
+        if self.context.is_administrator:
+            if self.context.on_plural_endpoint:
+                # Accounts created by admin should have userid as parent.
+                if request.method.lower() == "post":
+                    return _extract_posted_body_id(request)
+                else:
+                    # Admin see all accounts.
+                    return "*"
+            else:
+                # No pattern matching for admin on single record.
+                return request.matchdict["id"]
+
+        if not self.context.is_anonymous:
+            # Authenticated users see their own account only.
+            return request.selected_userid
+
+        # Anonymous creation with PUT.
+        if "id" in request.matchdict:
+            return request.matchdict["id"]
+
+        return _extract_posted_body_id(request)
+
+    def process_object(self, new, old=None):
+        new = super(Account, self).process_object(new, old)
+
+        if "data" in self.request.json and "password" in self.request.json["data"]:
+            new["password"] = hash_password(new["password"])
+
+        # Do not let accounts be created without usernames.
+        if self.model.id_field not in new:
+            error_details = {"name": "data.id", "description": "Accounts must have an ID."}
+            raise_invalid(self.request, **error_details)
+
+        # Administrators can reach other accounts and anonymous have no
+        # selected_userid. So do not try to enforce.
+        if self.context.is_administrator or self.context.is_anonymous:
+            return new
+
+        # Otherwise, we force the id to match the authenticated username.
+        if new[self.model.id_field] != self.request.selected_userid:
+            error_details = {
+                "name": "data.id",
+                "description": "Username and account ID do not match.",
+            }
+            raise_invalid(self.request, **error_details)
+
+        return new
+
+
+# Clear cache on account change
+@subscriber(
+    ResourceChanged, for_resources=("account",), for_actions=(ACTIONS.UPDATE, ACTIONS.DELETE)
+)
+def on_account_changed(event):
+    request = event.request
+    cache = request.registry.cache
+    settings = request.registry.settings
+    hmac_secret = settings["userid_hmac_secret"]
+
+    for obj in event.impacted_objects:
+        # Extract username and password from current user
+        username = obj["old"]["id"]
+        cache_key = utils.hmac_digest(hmac_secret, ACCOUNT_CACHE_KEY.format(username))
+        # Delete cache
+        cache.delete(cache_key)

kinto/plugins/admin/README.md

@@ -0,0 +1,3 @@
+# kinto-admin plugin setup
+
+Update the `kinto-admin` version you want in the VERSION file of this plugin

kinto/plugins/admin/VERSION

@@ -0,0 +1 @@
+5.0.1

kinto/plugins/admin/__init__.py

@@ -0,0 +1,40 @@
+from pathlib import Path
+
+from pyramid.httpexceptions import HTTPTemporaryRedirect
+from pyramid.static import static_view
+
+from .views import admin_home_view
+
+
+def includeme(config):
+    admin_assets_path = config.registry.settings["admin_assets_path"]
+    if not admin_assets_path:
+        # Use bundled admin.
+        admin_assets_path = "kinto.plugins.admin:build"
+        version_file_parent = Path(__file__).parent
+    else:
+        version_file_parent = Path(admin_assets_path)
+
+    admin_version = (version_file_parent / "VERSION").read_text().strip()
+
+    # Expose capability.
+    config.add_api_capability(
+        "admin",
+        version=admin_version,
+        description="Serves the admin console.",
+        url="https://github.com/Kinto/kinto-admin/",
+    )
+
+    config.add_route("admin_home", "/admin/")
+    config.add_view(admin_home_view, route_name="admin_home")
+
+    build_dir = static_view(admin_assets_path, use_subpath=True)
+    config.add_route("catchall_static", "/admin/*subpath")
+    config.add_view(build_dir, route_name="catchall_static")
+
+    # Setup redirect without trailing slash.
+    def admin_redirect_view(request):
+        raise HTTPTemporaryRedirect(request.path + "/")
+
+    config.add_route("admin_redirect", "/admin")
+    config.add_view(admin_redirect_view, route_name="admin_redirect")

kinto/plugins/admin/build/VERSION

@@ -0,0 +1 @@
+5.0.1