auth.py

"""
Authentication service
"""
import logging

from flask_jwt_extended import get_jwt_identity

from portal.database.models import Client
from portal.service import errors

log = logging.getLogger(__name__)


class AuthService:
    def __init__(self, rest_service):
        self._rest_service = rest_service

    @property
    def client(self):
        return self.find_client()

    @property
    def gitlab_factory(self):
        from portal import gitlab_factory
        return gitlab_factory

    def login_client(self, **data) -> Client:
        if not data.get('type'):
            raise errors.PortalAPIError(400, message="Missing login type.")

        login_type = data['type']
        types = dict(gitlab=self.login_gitlab,
                     username_password=self.login_username_password,
                     secret=self.login_secret)

        if login_type not in types.keys():
            raise errors.PortalAPIError(400, message="Invalid login type.")
        identifier = data.get('identifier', None)
        secret = data.get('secret', None)

        return types[login_type](identifier, secret)

    def login_gitlab(self, identifier: str, secret: str) -> Client:
        """Verifies GitLab access token and username combination.

            Args:
                identifier(str): username of the user attempting to log in
                secret(str): access token string from gitlab

            Returns(User): the authenticated user
            """
        if secret is None:
            raise errors.PortalAPIError(400, 'No gitlab access token found.')

        self.validate_gitlab_token(secret, username=identifier)

        user = self._rest_service.find.user(identifier, throws=False)
        if user is None:
            raise errors.InvalidGitlabAccessTokenError()
        return user

    def login_username_password(self, identifier: str, secret: str) -> Client:
        """Verifies user login credentials.
        Args:
            identifier(str): username to log in
            secret(str): user's password

        Returns(Client): the authenticated user

        """
        user = self._rest_service.find.user(identifier, throws=False)
        if user is None or secret is None:
            raise errors.IncorrectCredentialsError()

        if user.verify_password(password=secret):
            return user

        raise errors.IncorrectCredentialsError()

    def login_secret(self, identifier: str, secret: str) -> Client:
        """Verifies the provided Client secret.

        Args:
            identifier: identifier of the Client to log in
            secret: the provided secret

        Returns:

        """
        client = self._find_client_helper(identifier)
        if client.verify_secret(secret):
            return client
        raise errors.UnauthorizedError(f"[LOGIN] Invalid secret.")

    def validate_gitlab_token(self, token: str, username: str, throws: bool = True):
        """Validates gitlab access token using the gitlab client
        Args:
            token(str): Gitlab access token
            username(str): Username
            throws(bool): Throws an exception if the token is not valid
        Returns(Bool):
        """
        client = self.gitlab_factory.instance(oauth_token=token)
        client.auth()
        user = client.user
        if user.username != username:
            if throws:
                raise errors.InvalidGitlabAccessTokenError()
            return False
        return True

    def find_client(self, throw=True) -> Client:
        identifier = get_jwt_identity()
        return self._find_client_helper(identifier, throw=throw)

    def _find_client_helper(self, identifier: str, throw=True) -> Client:
        log.trace(f"[FIND] Finding client using identifier: {identifier}")
        client = self._rest_service.find.client(identifier, throws=False)
        if not client and throw:
            raise errors.UnauthorizedError(f"[LOGIN] Unknown client identifier {identifier}.")
        return client