A corporation manager and dashboard for EVE Online
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

300 lines
10 KiB

  1. # -*- coding: utf-8 -*-
  2. from datetime import datetime, timedelta
  3. from flask import g, session, url_for
  4. from itsdangerous import BadSignature, URLSafeSerializer
  5. from . import baseLogger
  6. from .exceptions import AccessDeniedError
  7. __all__ = ["AuthManager"]
  8. _SCOPES = ["publicData", "characterAssetsRead"] # ...
  9. class AuthManager:
  10. """Authentication manager. Handles user access and management."""
  11. EXPIRY_THRESHOLD = 30
  12. def __init__(self, config, eve):
  13. self._config = config
  14. self._eve = eve
  15. self._logger = baseLogger.getChild("auth")
  16. self._debug = self._logger.debug
  17. def _get_session_id(self):
  18. """Return the current session ID, allocating a new one if necessary."""
  19. if "id" not in session:
  20. session["id"] = g.db.new_session()
  21. self._debug("Allocated session id=%d", session["id"])
  22. g._session_checked = True
  23. g._session_expired = False
  24. return session["id"]
  25. def _invalidate_session(self):
  26. """Mark the current session as invalid.
  27. Remove it from the database and from the user's cookies.
  28. """
  29. if "id" in session:
  30. sid = session["id"]
  31. g.db.drop_session(sid)
  32. self._debug("Dropped session id=%d", sid)
  33. del session["id"]
  34. def _check_session(self):
  35. """Return whether the user has a valid, non-expired session.
  36. This checks for the session existing in the database, but does not
  37. check that the user is logged in or has any particular access roles.
  38. """
  39. if "id" not in session:
  40. return False
  41. if hasattr(g, "_session_checked"):
  42. return g._session_checked
  43. g._session_checked = check = g.db.has_session(session["id"])
  44. if not check:
  45. g._session_expired = True
  46. self._debug("Session expired id=%d", session["id"])
  47. self._invalidate_session()
  48. return check
  49. def _get_state_hash(self):
  50. """Return a hash of the user's session ID suitable for OAuth2 state.
  51. Allocates a new session ID if necessary.
  52. """
  53. key = self._config.get("auth.session_key")
  54. serializer = URLSafeSerializer(key)
  55. return serializer.dumps(self._get_session_id())
  56. def _verify_state_hash(self, state):
  57. """Confirm that a state hash is correct for the user's session.
  58. Assumes we've already checked the session ID. If the state is invalid,
  59. the session will be invalidated.
  60. """
  61. key = self._config.get("auth.session_key")
  62. serializer = URLSafeSerializer(key)
  63. try:
  64. value = serializer.loads(state)
  65. except BadSignature:
  66. self._debug("Bad signature for session id=%d", session["id"])
  67. self._invalidate_session()
  68. return False
  69. if value != session["id"]:
  70. self._debug("Got session id=%d, expected id=%d", value,
  71. session["id"])
  72. self._invalidate_session()
  73. return False
  74. return True
  75. def _fetch_new_token(self, code, refresh=False):
  76. """Given an auth code or refresh token, get a new token and other data.
  77. If refresh is True, code should be a refresh token, otherwise an auth
  78. code. If successful, we'll return a 5-tuple of (access_token,
  79. token_expiry, refresh_token, char_id, char_name). If the token was
  80. invalid, we'll return None. We may also raise EVEAPIError if there was
  81. an internal API error.
  82. """
  83. cid = self._config.get("auth.client_id")
  84. secret = self._config.get("auth.client_secret")
  85. result = self._eve.sso.get_access_token(cid, secret, code, refresh)
  86. if not result:
  87. return None
  88. token, expiry, refresh = result
  89. expires = datetime.utcnow() + timedelta(seconds=expiry)
  90. result = self._eve.sso.get_character_info(token)
  91. if not result:
  92. return None
  93. char_id, char_name = result
  94. return token, expires, refresh, char_id, char_name
  95. def _get_token(self, cid):
  96. """Return a valid access token for the given character, or None.
  97. If the database doesn't have an auth entry for this character, return
  98. None. If the database's token is expired but the refresh token is
  99. valid, then refresh it, update the database, and return the new token.
  100. If the token has become invalid and couldn't be refreshed, drop the
  101. auth information from the database and return None.
  102. """
  103. result = g.db.get_auth(cid)
  104. if not result:
  105. self._debug("No auth info in database for char id=%d", cid)
  106. return None
  107. token, expires, refresh = result
  108. seconds_til_expiry = (expires - datetime.utcnow()).total_seconds()
  109. if seconds_til_expiry >= self.EXPIRY_THRESHOLD:
  110. self._debug("Using cached access token for char id=%d", cid)
  111. return token
  112. result = self._fetch_new_token(refresh, refresh=True)
  113. if not result:
  114. self._debug("Couldn't refresh token for char id=%d", cid)
  115. g.db.drop_auth(cid)
  116. return None
  117. token, expires, refresh, char_id, char_name = result
  118. if char_id != cid:
  119. self._debug("Refreshed token has incorrect char id=%d for "
  120. "char id=%d", char_id, cid)
  121. g.db.drop_auth(cid)
  122. return None
  123. self._debug("Using fresh access token for char id=%d", cid)
  124. g.db.put_character(cid, char_name)
  125. g.db.update_auth(cid, token, expires, refresh)
  126. return token
  127. def _check_access(self, token, char_id):
  128. """"Check whether the given character is allowed to access this site.
  129. If allowed, do nothing. If not, raise AccessDeniedError.
  130. """
  131. resp = self._eve.esi(token).v3.characters(char_id).get()
  132. if resp.get("corporation_id") != self._config.get("corp.id"):
  133. self._debug("Access denied per corp membership for char id=%d "
  134. "session id=%d", char_id, session["id"])
  135. g.db.drop_auth(char_id)
  136. self._invalidate_session()
  137. raise AccessDeniedError()
  138. def get_character_id(self):
  139. """Return the character ID associated with the current session.
  140. Returns None if the session is invalid or is not associated with a
  141. character.
  142. """
  143. if not self._check_session():
  144. return None
  145. if not hasattr(g, "_character_id"):
  146. g._character_id = g.db.read_session(session["id"])
  147. return g._character_id
  148. def get_character_prop(self, prop):
  149. """Look up a property for the current session's character.
  150. Returns None if the session is invalid, is not associated with a
  151. character, or the property has no non-default value.
  152. """
  153. cid = self.get_character_id()
  154. if not cid:
  155. return None
  156. if not hasattr(g, "_character_props"):
  157. g._character_props = g.db.read_character(cid)
  158. return g._character_props.get(prop)
  159. def set_character_style(self, style):
  160. """Update the current user's style and return whether successful."""
  161. cid = self.get_character_id()
  162. if not cid:
  163. return False
  164. style = style.strip().lower()
  165. if style not in self._config.get("style.enabled"):
  166. return False
  167. self._debug("Setting style to %s for char id=%d", style, cid)
  168. g.db.update_character(cid, "style", style)
  169. if hasattr(g, "_character_props"):
  170. delattr(g, "_character_props")
  171. return True
  172. def is_authenticated(self):
  173. """Return whether the user has permission to access this site.
  174. We confirm that they have a valid, non-expired session that is
  175. associated with a character that is permitted to be here.
  176. EVEAPIError or AccessDeniedError may be raised.
  177. """
  178. cid = self.get_character_id()
  179. if not cid:
  180. return False
  181. self._debug("Checking auth for session id=%d", session["id"])
  182. token = self._get_token(cid)
  183. if not token:
  184. self._debug("No valid token for char id=%d session id=%d", cid,
  185. session["id"])
  186. self._invalidate_session()
  187. return False
  188. self._check_access(token, cid)
  189. self._debug("Access granted for char id=%d session id=%d", cid,
  190. session["id"])
  191. g.db.touch_session(session["id"])
  192. return True
  193. def make_login_link(self):
  194. """Return a complete EVE SSO link that the user can use to log in."""
  195. cid = self._config.get("auth.client_id")
  196. target = url_for("login", _external=True, _scheme=self._config.scheme)
  197. scopes = _SCOPES
  198. state = self._get_state_hash()
  199. return self._eve.sso.get_authorize_url(cid, target, scopes, state)
  200. def handle_login(self, code, state):
  201. """Given an OAuth2 code and state, try to authenticate the user.
  202. If the user has a legitimate session and the state is valid, we'll
  203. check the code with EVE SSO to fetch an authentication token. If the
  204. token corresponds to a character that is allowed to access the site,
  205. we'll update their session to indicate so.
  206. Return whether authentication was successful. EVEAPIError or
  207. AccessDeniedError may be raised.
  208. """
  209. if not code or not state:
  210. return False
  211. if "id" in session:
  212. self._debug("Logging in session id=%d", session["id"])
  213. if not self._check_session():
  214. return False
  215. if not self._verify_state_hash(state):
  216. return False
  217. sid = session["id"]
  218. result = self._fetch_new_token(code)
  219. if not result:
  220. self._debug("Couldn't fetch token for session id=%d", sid)
  221. self._invalidate_session()
  222. return False
  223. token, expires, refresh, char_id, char_name = result
  224. self._check_access(token, char_id)
  225. self._debug("Logged in char id=%d session id=%d", char_id, sid)
  226. g.db.put_character(char_id, char_name)
  227. g.db.set_auth(char_id, token, expires, refresh)
  228. g.db.attach_session(sid, char_id)
  229. g.db.touch_session(sid)
  230. return True
  231. def handle_logout(self):
  232. """Log out the user if they are logged in.
  233. Invalidates their session and clears the session cookie.
  234. """
  235. if "id" in session:
  236. self._debug("Logging out session id=%d", session["id"])
  237. self._invalidate_session()
  238. session.clear()