run.py:
class HMACAuth(HMACAuth):
def check_auth(self, userid, hmac_hash, headers, data, allowed_roles, resource, method):
accounts = app.data.driver.db['accounts']
user = accounts.find_one({'username': userid})
if user and '_id' in user:
secret_key = user['secret_key']
self.set_request_auth_value(user['_id'])
# in this implementation we only hash request data, ignoring the headers.
hm = hmac.new(bytes(secret_key, encoding='utf-8'), data, sha1).digest()
return user and base64.b64encode(hm).decode() == hmac_hash
settings.py:
vms = {
'additional_lookup': {
'url': 'regex("[\w]+")',
'field': 'name',
},
'cache_control': '',
'cache_expires': 0,
'public_methods': [],
'public_item_methods': [],
'resource_methods': ['GET', 'POST'],
'item_methods': ['GET','PATCH','DELETE'],
'auth_field': 'user_id',
'schema': vm_schema,
}
my problem is that every user is receiving all the VMs info when he/she send a GET request to localhost:5000/vms.
With the TokenAuth authentication this didn't happen.What am I missing??
PS: Eve 0.5-dev on Python 3.3.5
Since everything was working fine with token based authentication, and since there's nothing really different between the two methods expect the custom class itself, I would investigate around its behavior.
I would start by checking if documents are actually being stored with the proper user_id value, maybe by using the mongo shell. If not, make sure that the documents that you are inspecting have been saved with your custom HMAC class active. Add a breakpoint and track your code, simple stuff like that. Hope this helps
Related
I have a situation where I'm writing a custom mutation resolver, and currently have to pass the current_user's ID from my frontend to be able to then perform a ::find on the User model. What would be ideal however, is to be able to use an instance of current_user so that I don't have to rely on passing over an ID to my GraphQL server.
I'm still fairly new to the world of Laravel and GraphQL in general, however I've been reading up on the Lighthouse docs that mention the #auth directive, and other StackOverflow answers that mention using auth('api')->user(), however that returns NULL for me. I should also mention that I'm using the lighthouse-graphql-passport-auth library for dealing with user authentication, if that makes any difference. Does anybody know how to access current_user?
public function __invoke($_, array $args)
{
// $user = \App\Models\User::find($args['id']); <--- not ideal
$user = auth('api')->user(); <--- returns NULL
var_dump($user);
foreach ($user->notifications as $notification) {
$notification->viewed = true;
$notification->save();
}
$notifications = $user->notifications->toArray();
return [
'status' => 'Success',
'notifications' => $notifications
];
}
I found an interesting part in the lighthouse-graphql-passport-auth docs that discuss setting a [global middleware][3] to insert the logged in user into the $context. This was exactly like what I needed, and after adding the line into the middleware section of lighthouse.php config as mentioned in the docs, I was able to use $context->user() to return the currently logged in user.
I am deploying some Databricks clusters using powershell script which takes as an input json file with pre-defined cluster templates, for example:
{
"cluster_name": "test1",
"max_retries": 1,
"spark_version": "5.3.x-scala2.11",
"timeout_seconds": 3600,
"autotermination_minutes": 60,
"node_type_id": "Standard_DS3_v2",
"driver_node_type_id": "Standard_DS3_v2",
"spark_env_vars": {
"PYSPARK_PYTHON": "/databricks/python3/bin/python3"
},
"spark_conf": {
"spark.databricks.delta.preview.enabled": "true"
},
"autoscale": {
"max_workers": 4,
"min_workers": 2
}
}
However, I would like to pre-assign to them some databricks permission groups. Can I do it using such cluster template? I cannot find any property that would allow me to specify those groups.
I can go to one of my clusters that has permissions assigned manually and export it as a json. However, in this case those are also missing from the template.
Thank you in advance!
The workaround that follows is so infinitely hacky, I wouldn't advise anyone to resort to this, if I knew another way. The workaround is to create a web session, log in, get a CSRF token, then issue a POST request to /acl/cluster/<cluster_id> with a map from user_ids to the requested permissions. Here's an example for setting all permissions on a single cluster for a single user (or group) using Python:
import json
import requests
DB_HOST = "db-cluster"
DB_USER = "user"
DB_PASS = "pass"
def change_acl(user_id, cluster_id):
host = DB_HOST
username = DB_USER
password = DB_PASS
session = requests.Session()
login_request = session.post("https://{}/j_security_check".format(host),
data={"j_username": username, "j_password": password})
if login_request.status_code >= 400:
raise Exception("login failed : {}".format(login_request.content))
config_request = session.get("https://{}/config".format(host))
if config_request.status_code >= 400:
raise Exception("config request failed : {}".format(config_request.content))
config = json.loads(config_request.content)
csrf_token = config['csrfToken']
acl_request = session.post(
"https://{}/acl/cluster/{}".format(host, cluster_id),
headers={
"X-CSRF-Token": csrf_token,
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
},
data=json.dumps({
"type": "set",
'permissions': {user_id: ["*"]}
})
)
if acl_request.status_code >= 400:
raise Exception("acl request failed : {}".format(acl_request.content))
If you find a better way, please let me know. The worst thing about this is you have to log in with username and password instead of a bearer token. The second worst thing is that this may break without any notice.
I hope the developers will find the time to implement this functionality in the near future.
Note: You cannot specify the permissions while creating a cluster using Clusters API . You should use "Group API" or "Admin Console"
Request structure of create cluster shown as follows:
Privileges can be granted to users or groups that are created via the groups API and Admin Console. Each user is uniquely identified by their username (which typically maps to their email address) in Databricks. Users who are workspace administrators in Databricks belong to a special admin role and can also access objects that they haven’t been given explicit access to.
Hope this helps.
If this answers your query, do click “Mark as Answer” and "Up-Vote" for the same. And, if you have any further query do let us know.
I am writing a test driven development for my strongloop API code with the help of loopback-testing .
Here they do not have any detailed document on this, so i am stuck with case of argument passing with the API call
Example i have a below case,
Method : PUT
URL : /api/admin/vineyard/<vineyard_id>
i need to pass the below arguments with this URL
1. 'vineyard_id' is a id of vine, it should be an integer .
2. in header = 'token'
3. in body = '{'name':'tastyWine','price':200}'
How can i pass these three arguments with this API ?
I can easily handle ,if there is only two types of arguments
Example :
Method : POST
`/api/user/members/<test_username>/auth'`
arguments : test_username and password
I can handle this like this ,
lt.describe.whenCalledRemotely('POST',
'/api/user/members/'+test_username+'/auth', {
'password': test_passwords
},
But how can i handle the above case , Many thanks for your answers for this example.
I'm not entirely sure what your specific problem is, but I will attempt to walk through everything you should need.
I am assuming you are using the predefined prototype.updateAttributes() method for your model as described here.
Next assumption is that you want to use the built-in authentication and authorization to allow the user to call this method. Given that assumption, you need something like this in your test code:
var vineyard_id = 123; //the id of the test item you want to change
var testUser = {email: 'test#test.com',password: 'test'};
lt.describe.whenCalledByUser(testUser, 'PUT', '/api/admin/vineyard/'+vineyard_id,
{
'name':'tastyWine',
'price':200
},
function () {
it('should update the record and return ok', function() {
assert.equal(this.res.statusCode, 200);
});
}
);
If you are using the out-of-the-box user model, you should be fine, but if you extended the model as is commonly done, you may need something like this early on in your test file:
lt.beforeEach.withUserModel('user');
Also, be aware of a few (currently incomplete) updates to will allow for better handling of built-in model extensions: Suggestions #56, Add support for non-default models #57, and givenLoggedInUser() function throws error #59.
What is the best way to pass the model variables to layout in Grails? Specifically, I'm using Spring security plugin which has User class. I also have Contact class that looks like this:
class Contact {
String realname
String company
String mobile
String fix
String email
User user
...
What are the options for getting the currently logged in person's company in my layout (main.gsp)?
To add to the above answer, you could alternatively set a session variable for the user when you login in whatever controller method gets called.
You can also just set a session variable for the company in the controller method:
session.company = Contact.findByUser(session.user)?.company
or from the example above
session.company = Contact.findByUser(SecurityContextHolder.context.authentication?.principal)?.company
And in your main.gsp, something like:
<span id="companyName">${session.company}</span>
Do you mean that you need to pass this model for every page, automatically, instead of manual passing it at render at each of controllers? You can use filters there:
def filters = {
all(controller: '*', action: '*') {
before = {
request.setAttribute('loggedInPerson', SecurityContextHolder.context.authentication?.principal)
//Notice, that there is used original Authentication, from Spring Security
//If you need you can load your Contact object there, or something
}
after = {
}
afterView = {
}
}
}
and use loggedInPerson at your gsp:
Hello ${loggedInPerson.username}!
Btw, there is also Spring Security tags, that can help you without using your own filter, like:
Hello <sec:loggedInUserInfo field="username"/>!
If you want to add a certain object to the model, you can also use the "interceptors" provided by grails. To add a certain variable to a particular controller, you can use something like this.
def afterInterceptor = {model, modelAndView->
model.loggedInUser = getLoggedInUser() // retrieve your user details here
}
And you can retrieve loggedInUser in the main.gsp layout as ${loggedInUser}.
If you need to get these details in multiple controllers, you can create a BaseController and keep the afterInterceptor in this BaseController. All controllers which need the reference to the logged in user in their corresponding views should extend the BaseController.
I'm using Spring Security Plugin to manage membership and authentication in my Grails app.
I'm trying to associate the User domain class with a Profile domain by a one-to-one association.
I added these line on User.groovy:
static hasOne = [userProfile:UserProfile]
static constraints = {
//...
userProfile unique:true
}
and to UserProfile.groovy:
User user
Alas, I had error when invoking UseRole.create(user,role).
There is some best practice on how to obtain the same functionality I'm looking for. In particular, I want to associate any user with one profile object to extend it.
I want then also add one-to-many relations with posts and other table...
Thanks
best regards
PS:
I obtain this error:
Configuring Spring Security UI ...
2011-03-08 12:18:51,179 [main] ERROR context.GrailsContextLoader - Error executing bootstraps: null
java.lang.NullPointerException
at $Proxy19.save(Unknown Source)
at com.dromedian.xxxxx.security.UserRole.create(UserRole.groovy:32)
at com.dromedian.xxxxx.security.UserRole$create.call(Unknown Source)
at BootStrap$_closure1.doCall(BootStrap.groovy:20)
at grails.util.Environment.evaluateEnvironmentSpecificBlock(Environment.java:251)
at grails.util.Environment.executeForEnvironment(Environment.java:244)
at grails.util.Environment.executeForCurrentEnvironment(Environment.java:220)
at org.grails.tomcat.TomcatServer.start(TomcatServer.groovy:212)
at grails.web.container.EmbeddableServer$start.call(Unknown Source)
at _GrailsRun_groovy$_run_closure5_closure12.doCall(_GrailsRun_groovy:158)
at _GrailsRun_groovy$_run_closure5_closure12.doCall(_GrailsRun_groovy)
at _GrailsSettings_groovy$_run_closure10.doCall(_GrailsSettings_groovy:280)
at _GrailsSettings_groovy$_run_closure10.call(_GrailsSettings_groovy)
at _GrailsRun_groovy$_run_closure5.doCall(_GrailsRun_groovy:149)
at _GrailsRun_groovy$_run_closure5.call(_GrailsRun_groovy)
at _GrailsRun_groovy.runInline(_GrailsRun_groovy:116)
at _GrailsRun_groovy.this$4$runInline(_GrailsRun_groovy)
at _GrailsRun_groovy$_run_closure1.doCall(_GrailsRun_groovy:59)
at RunApp$_run_closure1.doCall(RunApp.groovy:33)
at gant.Gant$_dispatch_closure5.doCall(Gant.groovy:381)
at gant.Gant$_dispatch_closure7.doCall(Gant.groovy:415)
at gant.Gant$_dispatch_closure7.doCall(Gant.groovy)
at gant.Gant.withBuildListeners(Gant.groovy:427)
at gant.Gant.this$2$withBuildListeners(Gant.groovy)
at gant.Gant$this$2$withBuildListeners.callCurrent(Unknown Source)
at gant.Gant.dispatch(Gant.groovy:415)
at gant.Gant.this$2$dispatch(Gant.groovy)
at gant.Gant.invokeMethod(Gant.groovy)
at gant.Gant.executeTargets(Gant.groovy:590)
at gant.Gant.executeTargets(Gant.groovy:589)
Application context shutting down...
The configuration is:
User.groovy (domain class created by spring security plugin)
static hasOne = [userDetail:UserDetail]
static constraints = {
username blank: false, unique: true
password blank: false
userDetail unique:true
}
UserDetail.groovy
static hasOne = [user:User]
static belongsTo = User
BootStrap.groovy
//TODO temporary added - no for production or persistent db
def adminRole = new Role(authority: 'ROLE_ADMIN').save(flush: true)
def userRole = new Role(authority: 'ROLE_USER').save(flush: true)
String password = springSecurityService.encodePassword('password')
def testUser = new User(username: 'me', enabled: true, password: password)
testUser.save(flush: true)
if(testUser != null){
UserRole.create testUser, adminRole, true
}
If I don't call
UserRole.create testUser, adminRole, true
there is no error. I tried to debug, but I can understand where is the error.
As previously explained, your test user is not saved, since a user profile is required. The save method on the user would have returned null, however, you do not check on that.
I usually put a method along those lines in:
def ensureSave(domainObject) {
if(!domainObject.save(flush:true)) {
throw new Exception("not saved successfully: $domainObject");
}
domainObject
}
And then refer to it as follows:
ensureSave(testUser)
or
testUser = ensureSave(new User(...));
HTH
I think you have to set the UserProfile in the constructor. Because you are not providing one, the save() fails, thus giving you the NullPointerException.
UserDetail profile = new UserDetail()
def testUser = new User(username: 'me', enabled: true, password: password, userdetail: profile)
assert testUser.save()
Asserting over the .save() calls has proven quite useful as often when you change some code in your domain class you're constructors won't work in the bootstrap file if you forget to change them. As grails deals fairly gracefully with that, you get weird errors instead getting the message where it would help you most. By placing the asserts it will halt directly where the problem is.
I just ran into a similar issue...and have deduced this:
Your linked class must explicitly be allowed to be null...that is:
static constraints = {
...
userDetail unique:true, nullable: true
...
}
If you don't do this, the constructor call for your class fails (as others have pointed out, and attempting to create a UserRole on null fails)