core/homeassistant/auth/models.py

"""Auth models."""
from datetime import datetime, timedelta
import secrets
from typing import Dict, List, NamedTuple, Optional
import uuid

import attr

from homeassistant.util import dt as dt_util

from . import permissions as perm_mdl
from .const import GROUP_ID_ADMIN

TOKEN_TYPE_NORMAL = "normal"
TOKEN_TYPE_SYSTEM = "system"
TOKEN_TYPE_LONG_LIVED_ACCESS_TOKEN = "long_lived_access_token"


@attr.s(slots=True)
class Group:
    """A group."""

    name = attr.ib(type=Optional[str])
    policy = attr.ib(type=perm_mdl.PolicyType)
    id = attr.ib(type=str, factory=lambda: uuid.uuid4().hex)
    system_generated = attr.ib(type=bool, default=False)


@attr.s(slots=True)
class User:
    """A user."""

    name = attr.ib(type=Optional[str])
    perm_lookup = attr.ib(type=perm_mdl.PermissionLookup, eq=False, order=False)
    id = attr.ib(type=str, factory=lambda: uuid.uuid4().hex)
    is_owner = attr.ib(type=bool, default=False)
    is_active = attr.ib(type=bool, default=False)
    system_generated = attr.ib(type=bool, default=False)

    groups = attr.ib(type=List[Group], factory=list, eq=False, order=False)

    # List of credentials of a user.
    credentials = attr.ib(type=List["Credentials"], factory=list, eq=False, order=False)

    # Tokens associated with a user.
    refresh_tokens = attr.ib(
        type=Dict[str, "RefreshToken"], factory=dict, eq=False, order=False
    )

    _permissions = attr.ib(
        type=Optional[perm_mdl.PolicyPermissions],
        init=False,
        eq=False,
        order=False,
        default=None,
    )

    @property
    def permissions(self) -> perm_mdl.AbstractPermissions:
        """Return permissions object for user."""
        if self.is_owner:
            return perm_mdl.OwnerPermissions

        if self._permissions is not None:
            return self._permissions

        self._permissions = perm_mdl.PolicyPermissions(
            perm_mdl.merge_policies([group.policy for group in self.groups]),
            self.perm_lookup,
        )

        return self._permissions

    @property
    def is_admin(self) -> bool:
        """Return if user is part of the admin group."""
        if self.is_owner:
            return True

        return self.is_active and any(gr.id == GROUP_ID_ADMIN for gr in self.groups)

    def invalidate_permission_cache(self) -> None:
        """Invalidate permission cache."""
        self._permissions = None


@attr.s(slots=True)
class RefreshToken:
    """RefreshToken for a user to grant new access tokens."""

    user = attr.ib(type=User)
    client_id = attr.ib(type=Optional[str])
    access_token_expiration = attr.ib(type=timedelta)
    client_name = attr.ib(type=Optional[str], default=None)
    client_icon = attr.ib(type=Optional[str], default=None)
    token_type = attr.ib(
        type=str,
        default=TOKEN_TYPE_NORMAL,
        validator=attr.validators.in_(
            (TOKEN_TYPE_NORMAL, TOKEN_TYPE_SYSTEM, TOKEN_TYPE_LONG_LIVED_ACCESS_TOKEN)
        ),
    )
    id = attr.ib(type=str, factory=lambda: uuid.uuid4().hex)
    created_at = attr.ib(type=datetime, factory=dt_util.utcnow)
    token = attr.ib(type=str, factory=lambda: secrets.token_hex(64))
    jwt_key = attr.ib(type=str, factory=lambda: secrets.token_hex(64))

    last_used_at = attr.ib(type=Optional[datetime], default=None)
    last_used_ip = attr.ib(type=Optional[str], default=None)


@attr.s(slots=True)
class Credentials:
    """Credentials for a user on an auth provider."""

    auth_provider_type = attr.ib(type=str)
    auth_provider_id = attr.ib(type=Optional[str])

    # Allow the auth provider to store data to represent their auth.
    data = attr.ib(type=dict)

    id = attr.ib(type=str, factory=lambda: uuid.uuid4().hex)
    is_new = attr.ib(type=bool, default=True)


class UserMeta(NamedTuple):
    """User metadata."""

    name: Optional[str]
    is_active: bool
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00			`"""Auth models."""`
			`from datetime import datetime, timedelta`
Remove no longer needed auth.util, use secrets instead (#29861) 2019-12-12 15:46:33 +00:00			`import secrets`
Migrate legacy typehints in core to PEP-526 (#26403) * Migrate legacy typehints in core to PEP-526 * Fix one type 2019-09-04 03:36:04 +00:00			`from typing import Dict, List, NamedTuple, Optional`
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00			`import uuid`

			`import attr`

			`from homeassistant.util import dt as dt_util`

Add permissions foundation (#16890) * Add permission foundation * Address comments * typing * False > True * Convert more lambdas * Use constants * Remove support for False * Fix only allow True 2018-10-11 17:24:25 +00:00			`from . import permissions as perm_mdl`
Add permission checks to Rest API (#18639) * Add permission checks to Rest API * Clean up unnecessary method * Remove all the tuple stuff from entity check * Simplify perms * Correct param name for owner permission * Hass.io make/update user to be admin * Types 2018-11-25 17:04:48 +00:00			`from .const import GROUP_ID_ADMIN`
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00
Black 2019-07-31 19:25:30 +00:00			`TOKEN_TYPE_NORMAL = "normal"`
			`TOKEN_TYPE_SYSTEM = "system"`
			`TOKEN_TYPE_LONG_LIVED_ACCESS_TOKEN = "long_lived_access_token"`
Long-lived access token (#16453) * Allow create refresh_token with specific access_token_expiration * Add token_type, client_name and client_icon * Add unit test * Add websocket API to create long-lived access token * Allow URL use as client_id for long-lived access token * Remove mutate_refresh_token method * Use client name as id for long_lived_access_token type refresh token * Minor change * Do not allow duplicate client name * Update docstring * Remove unnecessary `list` 2018-09-11 10:05:15 +00:00
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00
Add group foundation (#16935) Add group foundation 2018-10-08 14:35:38 +00:00			`@attr.s(slots=True)`
			`class Group:`
			`"""A group."""`

Use PEP 526 type annotations, add some type hints (#26464) * Add some more type hints to helpers.event * Change most type comments to variable types * Remove some superfluous type hints 2019-09-07 06:48:58 +00:00			`name = attr.ib(type=Optional[str])`
Add permissions foundation (#16890) * Add permission foundation * Address comments * typing * False > True * Convert more lambdas * Use constants * Remove support for False * Fix only allow True 2018-10-11 17:24:25 +00:00			`policy = attr.ib(type=perm_mdl.PolicyType)`
Add group foundation (#16935) Add group foundation 2018-10-08 14:35:38 +00:00			`id = attr.ib(type=str, factory=lambda: uuid.uuid4().hex)`
System groups (#18303) * Add read only and admin policies * Migrate to 2 system groups * Add system groups * Add system groups admin & read only * Dont' mutate parameters * Fix types 2018-11-08 11:57:00 +00:00			`system_generated = attr.ib(type=bool, default=False)`
Add group foundation (#16935) Add group foundation 2018-10-08 14:35:38 +00:00

Reorg auth (#15443) 2018-07-13 09:43:08 +00:00			`@attr.s(slots=True)`
			`class User:`
			`"""A user."""`

Use PEP 526 type annotations, add some type hints (#26464) * Add some more type hints to helpers.event * Change most type comments to variable types * Remove some superfluous type hints 2019-09-07 06:48:58 +00:00			`name = attr.ib(type=Optional[str])`
Replace cmp option with eq and order (#31423) 2020-02-03 04:28:52 +00:00			`perm_lookup = attr.ib(type=perm_mdl.PermissionLookup, eq=False, order=False)`
Make it easier for auth to consume newer formats (#17127) 2018-10-04 08:41:13 +00:00			`id = attr.ib(type=str, factory=lambda: uuid.uuid4().hex)`
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00			`is_owner = attr.ib(type=bool, default=False)`
			`is_active = attr.ib(type=bool, default=False)`
			`system_generated = attr.ib(type=bool, default=False)`

Replace cmp option with eq and order (#31423) 2020-02-03 04:28:52 +00:00			`groups = attr.ib(type=List[Group], factory=list, eq=False, order=False)`
Add group foundation (#16935) Add group foundation 2018-10-08 14:35:38 +00:00
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00			`# List of credentials of a user.`
Replace cmp option with eq and order (#31423) 2020-02-03 04:28:52 +00:00			`credentials = attr.ib(type=List["Credentials"], factory=list, eq=False, order=False)`
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00
			`# Tokens associated with a user.`
Replace cmp option with eq and order (#31423) 2020-02-03 04:28:52 +00:00			`refresh_tokens = attr.ib(`
			`type=Dict[str, "RefreshToken"], factory=dict, eq=False, order=False`
			`)`
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00
Add permissions foundation (#16890) * Add permission foundation * Address comments * typing * False > True * Convert more lambdas * Use constants * Remove support for False * Fix only allow True 2018-10-11 17:24:25 +00:00			`_permissions = attr.ib(`
Replace cmp option with eq and order (#31423) 2020-02-03 04:28:52 +00:00			`type=Optional[perm_mdl.PolicyPermissions],`
			`init=False,`
			`eq=False,`
			`order=False,`
			`default=None,`
Add permissions foundation (#16890) * Add permission foundation * Address comments * typing * False > True * Convert more lambdas * Use constants * Remove support for False * Fix only allow True 2018-10-11 17:24:25 +00:00			`)`

			`@property`
			`def permissions(self) -> perm_mdl.AbstractPermissions:`
			`"""Return permissions object for user."""`
			`if self.is_owner:`
			`return perm_mdl.OwnerPermissions`

			`if self._permissions is not None:`
			`return self._permissions`

			`self._permissions = perm_mdl.PolicyPermissions(`
Black 2019-07-31 19:25:30 +00:00			`perm_mdl.merge_policies([group.policy for group in self.groups]),`
			`self.perm_lookup,`
			`)`
Add permissions foundation (#16890) * Add permission foundation * Address comments * typing * False > True * Convert more lambdas * Use constants * Remove support for False * Fix only allow True 2018-10-11 17:24:25 +00:00
			`return self._permissions`

Add permission checks to Rest API (#18639) * Add permission checks to Rest API * Clean up unnecessary method * Remove all the tuple stuff from entity check * Simplify perms * Correct param name for owner permission * Hass.io make/update user to be admin * Types 2018-11-25 17:04:48 +00:00			`@property`
			`def is_admin(self) -> bool:`
			`"""Return if user is part of the admin group."""`
			`if self.is_owner:`
			`return True`

Black 2019-07-31 19:25:30 +00:00			`return self.is_active and any(gr.id == GROUP_ID_ADMIN for gr in self.groups)`
Add permission checks to Rest API (#18639) * Add permission checks to Rest API * Clean up unnecessary method * Remove all the tuple stuff from entity check * Simplify perms * Correct param name for owner permission * Hass.io make/update user to be admin * Types 2018-11-25 17:04:48 +00:00
			`def invalidate_permission_cache(self) -> None:`
			`"""Invalidate permission cache."""`
			`self._permissions = None`

Reorg auth (#15443) 2018-07-13 09:43:08 +00:00
			`@attr.s(slots=True)`
			`class RefreshToken:`
			`"""RefreshToken for a user to grant new access tokens."""`

			`user = attr.ib(type=User)`
Long-lived access token (#16453) * Allow create refresh_token with specific access_token_expiration * Add token_type, client_name and client_icon * Add unit test * Add websocket API to create long-lived access token * Allow URL use as client_id for long-lived access token * Remove mutate_refresh_token method * Use client name as id for long_lived_access_token type refresh token * Minor change * Do not allow duplicate client name * Update docstring * Remove unnecessary `list` 2018-09-11 10:05:15 +00:00			`client_id = attr.ib(type=Optional[str])`
			`access_token_expiration = attr.ib(type=timedelta)`
			`client_name = attr.ib(type=Optional[str], default=None)`
			`client_icon = attr.ib(type=Optional[str], default=None)`
Black 2019-07-31 19:25:30 +00:00			`token_type = attr.ib(`
			`type=str,`
			`default=TOKEN_TYPE_NORMAL,`
			`validator=attr.validators.in_(`
			`(TOKEN_TYPE_NORMAL, TOKEN_TYPE_SYSTEM, TOKEN_TYPE_LONG_LIVED_ACCESS_TOKEN)`
			`),`
			`)`
Make it easier for auth to consume newer formats (#17127) 2018-10-04 08:41:13 +00:00			`id = attr.ib(type=str, factory=lambda: uuid.uuid4().hex)`
			`created_at = attr.ib(type=datetime, factory=dt_util.utcnow)`
Remove no longer needed auth.util, use secrets instead (#29861) 2019-12-12 15:46:33 +00:00			`token = attr.ib(type=str, factory=lambda: secrets.token_hex(64))`
			`jwt_key = attr.ib(type=str, factory=lambda: secrets.token_hex(64))`
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00
Track refresh token last usage information (#16408) * Extend refresh_token to support last_used_at and last_used_by * Address code review comment * Remove unused code * Add it to websocket response * Fix typing 2018-09-12 11:24:16 +00:00			`last_used_at = attr.ib(type=Optional[datetime], default=None)`
			`last_used_ip = attr.ib(type=Optional[str], default=None)`

Reorg auth (#15443) 2018-07-13 09:43:08 +00:00
			`@attr.s(slots=True)`
			`class Credentials:`
			`"""Credentials for a user on an auth provider."""`

			`auth_provider_type = attr.ib(type=str)`
Track refresh token last usage information (#16408) * Extend refresh_token to support last_used_at and last_used_by * Address code review comment * Remove unused code * Add it to websocket response * Fix typing 2018-09-12 11:24:16 +00:00			`auth_provider_id = attr.ib(type=Optional[str])`
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00
			`# Allow the auth provider to store data to represent their auth.`
			`data = attr.ib(type=dict)`

Make it easier for auth to consume newer formats (#17127) 2018-10-04 08:41:13 +00:00			`id = attr.ib(type=str, factory=lambda: uuid.uuid4().hex)`
Reorg auth (#15443) 2018-07-13 09:43:08 +00:00			`is_new = attr.ib(type=bool, default=True)`
Add type hints to homeassistant.auth (#15853) * Always load users in auth store before use * Use namedtuple instead of dict for user meta * Ignore auth store tokens with invalid created_at * Add type hints to homeassistant.auth 2018-08-16 20:25:41 +00:00

Use PEP 526 syntax with NamedTuples (#33081) 2020-03-21 09:18:32 +00:00			`class UserMeta(NamedTuple):`
			`"""User metadata."""`

			`name: Optional[str]`
			`is_active: bool`