lenticular_cloud2/lenticular_cloud/model.py

from flask import current_app
from flask_login import UserMixin
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from collections.abc import MutableSequence
from datetime import datetime
from dateutil import tz
import pyotp
import json
import logging
import crypt
from flask_sqlalchemy import SQLAlchemy, orm
from flask_migrate import Migrate
from datetime import datetime
import uuid
import pyotp
from typing import Optional, Callable
from cryptography.x509 import Certificate as CertificateObj
from sqlalchemy.ext.asyncio import create_async_engine

logger = logging.getLogger(__name__)


db = SQLAlchemy()  # type: SQLAlchemy
migrate = Migrate()

class SecurityUser(UserMixin):

    def __init__(self, username):
        self._username = username

    def get_id(self):
        return self._username


class Service(object):

    def __init__(self, name):
        self._name = name
        self._client_cert = False
        self._pki_config = {
                    'cn': '{username}',
                    'email': '{username}@{domain}'
                }

    @staticmethod
    def from_config(name, config):
        """
        """
        service = Service(name)
        if 'client_cert' in config:
            service._client_cert = bool(config['client_cert'])
        if 'pki_config' in config:
            service._pki_config.update(config['pki_config'])

        return service

    @property
    def name(self):
        return self._name

    @property
    def client_cert(self):
        return self._client_cert

    @property
    def pki_config(self):
        if not self._client_cert:
            raise Exception('invalid call')
        return self._pki_config


class Certificate(object):

    def __init__(self, cn, ca_name: str, cert_data: CertificateObj, revoked=False):
        self._cn = cn
        self._ca_name = ca_name
        self._cert_data = cert_data
        self._revoked = revoked
        self._cert_data.not_valid_after.replace(tzinfo=tz.tzutc())
        self._cert_data.not_valid_before.replace(tzinfo=tz.tzutc())

    @property
    def cn(self):
        return self._cn

    @property
    def ca_name(self):
        return self._ca_name

    @property
    def not_valid_before(self) -> datetime:
        return self._cert_data.not_valid_before.replace(tzinfo=tz.tzutc()).astimezone(tz.tzlocal()).replace(tzinfo=None)

    @property
    def not_valid_after(self) -> datetime:
        return self._cert_data.not_valid_after.replace(tzinfo=tz.tzutc()).astimezone(tz.tzlocal()).replace(tzinfo=None)

    @property
    def serial_number(self) -> int:
        return self._cert_data.serial_number

    @property
    def serial_number_hex(self) -> str:
        return f'{self._cert_data.serial_number:X}'

    def fingerprint(self, algorithm=hashes.SHA256()) -> bytes:
        return self._cert_data.fingerprint(algorithm)

    @property
    def is_valid(self) -> bool:
        return self.not_valid_after > datetime.now() and not self._revoked

    def pem(self) -> str:
        return self._cert_data.public_bytes(encoding=serialization.Encoding.PEM).decode()

    @property
    def raw(self):
        return self._cert_data

    def __str__(self):
        return f'Certificate(cn={self._cn}, ca_name={self._ca_name}, not_valid_before={self.not_valid_before}, not_valid_after={self.not_valid_after})'


def generate_uuid():
    return str(uuid.uuid4())


class User(db.Model):
    id = db.Column(
            db.String(length=36), primary_key=True, default=generate_uuid)
    username = db.Column(
            db.String, unique=True, nullable=False)
    password_hashed = db.Column(
            db.String, nullable=False)
    alternative_email = db.Column(
            db.String, nullable=True)
    created_at = db.Column(db.DateTime, nullable=False,
                            default=datetime.now)
    modified_at = db.Column(db.DateTime, nullable=False,
                            default=datetime.now, onupdate=datetime.now)
    last_login = db.Column(db.DateTime, nullable=True)

    enabled = db.Column(db.Boolean, nullable=False, default=False)

    totps = db.relationship('Totp', back_populates='user')
    webauthn_credentials = db.relationship('WebauthnCredential', back_populates='user', cascade='delete,delete-orphan', passive_deletes=True)

    def __init__(self, **kwargs):
        super(db.Model).__init__(**kwargs)

    @property
    def is_authenticated(self):
        return True  # TODO

    def get(self, key):
        print(f'getitem: {key}') # TODO

    @property
    def groups(self) -> list[str]:
        if self.username == 'tuxcoder':
            return [Group(name='admin')]
        else:
            return []

    @property
    def email(self) -> str:
        domain = current_app.config['DOMAIN']
        return f'{self.username}@{domain}'

    def change_password(self, password_new: str) -> bool:
        password_hashed = crypt.crypt(password_new)
        return True

class AppToken(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    service_name = db.Column(db.String, nullable=False)
    token = db.Column(db.String, nullable=False)
    name = db.Column(db.String, nullable=False)


class Totp(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    secret = db.Column(db.String, nullable=False)
    name = db.Column(db.String, nullable=False)
    created_at = db.Column(db.DateTime, default=datetime.now, nullable=False)

    user_id = db.Column(
            db.String(length=36),
            db.ForeignKey(User.id), nullable=False)
    user = db.relationship(User)

    def verify(self, token: str):
        totp = pyotp.TOTP(self.secret)
        return totp.verify(token)


class WebauthnCredential(db.Model):  # pylint: disable=too-few-public-methods
    """Webauthn credential model"""

    id = db.Column(db.Integer, primary_key=True)
    user_id = db.Column(db.String(length=36), db.ForeignKey('user.id', ondelete='CASCADE'), nullable=False)
    user_handle = db.Column(db.String(64), nullable=False)
    credential_data = db.Column(db.LargeBinary, nullable=False)
    name = db.Column(db.String(250))
    registered = db.Column(db.DateTime, default=datetime.utcnow)

    user = db.relationship('User', back_populates='webauthn_credentials')


class Group(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(), nullable=False, unique=True)
init commit 2020-05-09 18:00:07 +00:00			`from flask import current_app`
			`from flask_login import UserMixin`
			`from cryptography.hazmat.primitives import hashes`
			`from cryptography.hazmat.primitives import serialization`
add 2fa totp 2020-05-10 12:34:28 +00:00			`from collections.abc import MutableSequence`
			`from datetime import datetime`
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`from dateutil import tz`
add 2fa totp 2020-05-10 12:34:28 +00:00			`import pyotp`
			`import json`
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`import logging`
			`import crypt`
			`from flask_sqlalchemy import SQLAlchemy, orm`
fix bug for migration 2022-02-20 15:54:35 +00:00			`from flask_migrate import Migrate`
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`from datetime import datetime`
			`import uuid`
			`import pyotp`
bugfix hydra changes 2022-02-11 15:09:40 +00:00			`from typing import Optional, Callable`
remove ldap 2022-06-17 11:38:49 +00:00			`from cryptography.x509 import Certificate as CertificateObj`
			`from sqlalchemy.ext.asyncio import create_async_engine`
init commit 2020-05-09 18:00:07 +00:00
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`logger = logging.getLogger(__name__)`
init commit 2020-05-09 18:00:07 +00:00
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00
init commit 2020-05-09 18:00:07 +00:00
remove ldap 2022-06-17 11:38:49 +00:00			`db = SQLAlchemy() # type: SQLAlchemy`
			`migrate = Migrate()`

init commit 2020-05-09 18:00:07 +00:00			`class SecurityUser(UserMixin):`

			`def __init__(self, username):`
			`self._username = username`

			`def get_id(self):`
			`return self._username`


			`class Service(object):`

			`def __init__(self, name):`
			`self._name = name`
			`self._client_cert = False`
			`self._pki_config = {`
			`'cn': '{username}',`
			`'email': '{username}@{domain}'`
			`}`

			`@staticmethod`
			`def from_config(name, config):`
			`"""`
			`"""`
			`service = Service(name)`
			`if 'client_cert' in config:`
			`service._client_cert = bool(config['client_cert'])`
			`if 'pki_config' in config:`
flexebel email address in certs 2020-05-10 17:37:57 +00:00			`service._pki_config.update(config['pki_config'])`
init commit 2020-05-09 18:00:07 +00:00
			`return service`

			`@property`
			`def name(self):`
			`return self._name`

			`@property`
			`def client_cert(self):`
			`return self._client_cert`

			`@property`
			`def pki_config(self):`
			`if not self._client_cert:`
			`raise Exception('invalid call')`
			`return self._pki_config`


			`class Certificate(object):`

remove ldap 2022-06-17 11:38:49 +00:00			`def __init__(self, cn, ca_name: str, cert_data: CertificateObj, revoked=False):`
init commit 2020-05-09 18:00:07 +00:00			`self._cn = cn`
			`self._ca_name = ca_name`
			`self._cert_data = cert_data`
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`self._revoked = revoked`
			`self._cert_data.not_valid_after.replace(tzinfo=tz.tzutc())`
			`self._cert_data.not_valid_before.replace(tzinfo=tz.tzutc())`
init commit 2020-05-09 18:00:07 +00:00
			`@property`
			`def cn(self):`
			`return self._cn`

			`@property`
			`def ca_name(self):`
			`return self._ca_name`

			`@property`
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`def not_valid_before(self) -> datetime:`
			`return self._cert_data.not_valid_before.replace(tzinfo=tz.tzutc()).astimezone(tz.tzlocal()).replace(tzinfo=None)`
init commit 2020-05-09 18:00:07 +00:00
			`@property`
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`def not_valid_after(self) -> datetime:`
			`return self._cert_data.not_valid_after.replace(tzinfo=tz.tzutc()).astimezone(tz.tzlocal()).replace(tzinfo=None)`
init commit 2020-05-09 18:00:07 +00:00
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`@property`
			`def serial_number(self) -> int:`
			`return self._cert_data.serial_number`

			`@property`
			`def serial_number_hex(self) -> str:`
			`return f'{self._cert_data.serial_number:X}'`

			`def fingerprint(self, algorithm=hashes.SHA256()) -> bytes:`
init commit 2020-05-09 18:00:07 +00:00			`return self._cert_data.fingerprint(algorithm)`

add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`@property`
			`def is_valid(self) -> bool:`
			`return self.not_valid_after > datetime.now() and not self._revoked`

			`def pem(self) -> str:`
init commit 2020-05-09 18:00:07 +00:00			`return self._cert_data.public_bytes(encoding=serialization.Encoding.PEM).decode()`

add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`@property`
			`def raw(self):`
			`return self._cert_data`

init commit 2020-05-09 18:00:07 +00:00			`def __str__(self):`
			`return f'Certificate(cn={self._cn}, ca_name={self._ca_name}, not_valid_before={self.not_valid_before}, not_valid_after={self.not_valid_after})'`

add 2fa totp 2020-05-10 12:34:28 +00:00
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`def generate_uuid():`
			`return str(uuid.uuid4())`
add 2fa totp 2020-05-10 12:34:28 +00:00

remove ldap 2022-06-17 11:38:49 +00:00			`class User(db.Model):`
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`id = db.Column(`
			`db.String(length=36), primary_key=True, default=generate_uuid)`
			`username = db.Column(`
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00			`db.String, unique=True, nullable=False)`
remove ldap 2022-06-17 11:38:49 +00:00			`password_hashed = db.Column(`
			`db.String, nullable=False)`
bugfixes, cleanup 2022-02-06 22:57:01 +00:00			`alternative_email = db.Column(`
			`db.String, nullable=True)`
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00			`created_at = db.Column(db.DateTime, nullable=False,`
			`default=datetime.now)`
			`modified_at = db.Column(db.DateTime, nullable=False,`
			`default=datetime.now, onupdate=datetime.now)`
			`last_login = db.Column(db.DateTime, nullable=True)`
add 2fa totp 2020-05-10 12:34:28 +00:00
remove ldap 2022-06-17 11:38:49 +00:00			`enabled = db.Column(db.Boolean, nullable=False, default=False)`

merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`totps = db.relationship('Totp', back_populates='user')`
add partial fido2/WebAuthn 2022-04-08 19:28:22 +00:00			`webauthn_credentials = db.relationship('WebauthnCredential', back_populates='user', cascade='delete,delete-orphan', passive_deletes=True)`
add 2fa totp 2020-05-10 12:34:28 +00:00
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00			`def __init__(self, **kwargs):`
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`super(db.Model).__init__(**kwargs)`
add 2fa totp 2020-05-10 12:34:28 +00:00
init commit 2020-05-09 18:00:07 +00:00			`@property`
			`def is_authenticated(self):`
			`return True # TODO`

			`def get(self, key):`
bugfixes, cleanup 2022-02-06 22:57:01 +00:00			`print(f'getitem: {key}') # TODO`
init commit 2020-05-09 18:00:07 +00:00
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00			`@property`
bugfixes, cleanup 2022-02-06 22:57:01 +00:00			`def groups(self) -> list[str]:`
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00			`if self.username == 'tuxcoder':`
			`return [Group(name='admin')]`
			`else:`
			`return []`

init commit 2020-05-09 18:00:07 +00:00			`@property`
bugfixes, cleanup 2022-02-06 22:57:01 +00:00			`def email(self) -> str:`
bugfixes 2020-05-30 21:43:55 +00:00			`domain = current_app.config['DOMAIN']`
			`return f'{self.username}@{domain}'`
init commit 2020-05-09 18:00:07 +00:00
bugfixes, cleanup 2022-02-06 22:57:01 +00:00			`def change_password(self, password_new: str) -> bool:`
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`password_hashed = crypt.crypt(password_new)`
bugfixes, cleanup 2022-02-06 22:57:01 +00:00			`return True`
init commit 2020-05-09 18:00:07 +00:00
remove ldap 2022-06-17 11:38:49 +00:00			`class AppToken(db.Model):`
			`id = db.Column(db.Integer, primary_key=True)`
			`service_name = db.Column(db.String, nullable=False)`
			`token = db.Column(db.String, nullable=False)`
			`name = db.Column(db.String, nullable=False)`
init commit 2020-05-09 18:00:07 +00:00

merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`class Totp(db.Model):`
			`id = db.Column(db.Integer, primary_key=True)`
			`secret = db.Column(db.String, nullable=False)`
			`name = db.Column(db.String, nullable=False)`
			`created_at = db.Column(db.DateTime, default=datetime.now, nullable=False)`

			`user_id = db.Column(`
			`db.String(length=36),`
			`db.ForeignKey(User.id), nullable=False)`
			`user = db.relationship(User)`

			`def verify(self, token: str):`
			`totp = pyotp.TOTP(self.secret)`
			`return totp.verify(token)`

add partial fido2/WebAuthn 2022-04-08 19:28:22 +00:00
			`class WebauthnCredential(db.Model): # pylint: disable=too-few-public-methods`
			`"""Webauthn credential model"""`

			`id = db.Column(db.Integer, primary_key=True)`
move migration, bugfixes, .... 2022-04-08 19:29:23 +00:00			`user_id = db.Column(db.String(length=36), db.ForeignKey('user.id', ondelete='CASCADE'), nullable=False)`
add partial fido2/WebAuthn 2022-04-08 19:28:22 +00:00			`user_handle = db.Column(db.String(64), nullable=False)`
			`credential_data = db.Column(db.LargeBinary, nullable=False)`
			`name = db.Column(db.String(250))`
			`registered = db.Column(db.DateTime, default=datetime.utcnow)`

			`user = db.relationship('User', back_populates='webauthn_credentials')`


remove ldap 2022-06-17 11:38:49 +00:00			`class Group(db.Model):`
add registration form 2020-05-27 19:16:14 +00:00			`id = db.Column(db.Integer, primary_key=True)`
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00			`name = db.Column(db.String(), nullable=False, unique=True)`