Beispiel #1
0
    def group_data(self, force_refresh=None):
        '''Return administrators/sponsors/users and group type for all groups

        :arg force_refresh: If true, the returned data will be queried from the
            database, as opposed to memcached.
        :raises AppError: if the query failed on the server
        :returns: A dict mapping group names to the group type and the
            user IDs of the administrator, sponsors, and users of the group.

        .. versionadded:: 0.3.8
        '''
        params = {}
        if force_refresh:
            params['force_refresh'] = True

        try:
            request = self.send_request('json/fas_client/group_data',
                                        req_params=params,
                                        auth=True)
            if request['success']:
                return request['data']
            else:
                raise AppError(message='FAS server unable to retrieve'
                               ' group members',
                               name='FASError')
        except FedoraServiceError:
            raise
Beispiel #2
0
    def people_query(self, constraints=None, columns=None):
        '''Returns a list of dicts representing database rows

        :arg constraints: A dictionary specifying WHERE constraints on columns
        :arg columns: A list of columns to be selected in the query
        :raises AppError: if the query failed on the server (most likely
            because  the server was given a bad query)
        :returns: A list of dicts representing database rows (the keys of
            the dict are the columns requested)

        .. versionadded:: 0.3.12.1
        '''
        if constraints is None:
            constraints = {}
        if columns is None:
            columns = []

        req_params = {}
        req_params.update(constraints)
        req_params['columns'] = ','.join(columns)

        try:
            request = self.send_request('json/people_query',
                                        req_params=req_params,
                                        auth=True)
            if request['success']:
                return request['data']
            else:
                raise AppError(message=request['error'], name='FASError')
        except FedoraServiceError:
            raise
Beispiel #3
0
 def group_by_name(self, groupname):
     '''Returns a group object based on its name'''
     params = {'groupname': groupname}
     request = self.send_request('json/group_by_name',
                                 auth=True,
                                 req_params=params)
     if request['success']:
         return request['group']
     else:
         raise AppError(message='FAS server unable to retrieve group'
                        ' %(group)s' % {'group': to_bytes(groupname)},
                        name='FASError')
Beispiel #4
0
    def set_config(self, username, application, attribute, value):
        '''Set a config entry in FAS for the user.

        Note: authentication on the server will prevent anyone but the user
        or a fas admin from viewing or changing their configs.

        :arg username: Username of the person
        :arg application: Application for which the config is set
        :arg attribute: The name of the config key that we're setting
        :arg value: The value to set this to
        :raises AppError: if the server returns an exception
        '''
        request = self.send_request('config/set/%s/%s/%s' %
                                    (username, application, attribute),
                                    req_params={'value': value},
                                    auth=True)

        if 'exc' in request:
            raise AppError(name=request['exc'], message=request['tg_flash'])
Beispiel #5
0
    def get_configs_like(self, username, application, pattern=u'*'):
        '''Return the config entries that match the keys and the pattern.

        Note: authentication on the server will prevent anyone but the user
        or a fas admin from viewing or changing their configs.

        :arg username: Username of the person
        :arg application: Application for which the config is set
        :kwarg pattern: A pattern to select values for.  This accepts * as a
            wildcard character. Default='*'
        :raises AppError: if the server returns an exception
        :returns: A dict mapping ``attribute`` to ``value``.
        '''
        request = self.send_request('config/list/%s/%s/%s' %
                                    (username, application, pattern),
                                    auth=True)
        if 'exc' in request:
            raise AppError(name=request['exc'], message=request['tg_flash'])

        return request['configs']
Beispiel #6
0
    def get_config(self, username, application, attribute):
        '''Return the config entry for the key values.

        :arg username: Username of the person
        :arg application: Application for which the config is set
        :arg attribute: Attribute key to lookup
        :raises AppError: if the server returns an exception
        :returns: The unicode string that describes the value.  If no entry
            matched the username, application, and attribute then None is
            returned.
        '''
        request = self.send_request('config/list/%s/%s/%s' %
                                    (username, application, attribute),
                                    auth=True)
        if 'exc' in request:
            raise AppError(name=request['exc'], message=request['tg_flash'])

        # Return the value if it exists, else None.
        if 'configs' in request and attribute in request['configs']:
            return request['configs'][attribute]
        return None
Beispiel #7
0
    def user_data(self):
        '''Return user data for all users in FAS

        Note: If the user is not authorized to see password hashes,
        '*' is returned for the hash.

        :raises AppError: if the query failed on the server
        :returns: A dict mapping user IDs to a username, password hash,
            SSH public key, email address, and status.

        .. versionadded:: 0.3.8
        '''
        try:
            request = self.send_request('json/fas_client/user_data', auth=True)
            if request['success']:
                return request['data']
            else:
                raise AppError(message='FAS server unable to retrieve user'
                               ' information',
                               name='FASError')
        except FedoraServiceError:
            raise
Beispiel #8
0
    def send_request(self,
                     method,
                     req_params=None,
                     auth_params=None,
                     file_params=None,
                     retries=None,
                     timeout=None):
        '''Make an HTTP request to a server method.

        The given method is called with any parameters set in ``req_params``.
        If auth is True, then the request is made with an authenticated session
        cookie.  Note that path parameters should be set by adding onto the
        method, not via ``req_params``.

        :arg method: Method to call on the server.  It's a url fragment that
            comes after the base_url set in __init__().  Note that any
            parameters set as extra path information should be listed here,
            not in ``req_params``.
        :kwarg req_params: dict containing extra parameters to send to the
            server
        :kwarg auth_params: dict containing one or more means of authenticating
            to the server.  Valid entries in this dict are:

            :cookie: **Deprecated** Use ``session_id`` instead.  If both
                ``cookie`` and ``session_id`` are set, only ``session_id`` will
                be used.  A ``Cookie.SimpleCookie`` to send as a session cookie
                to the server
            :session_id: Session id to put in a cookie to construct an identity
                for the server
            :username: Username to send to the server
            :password: Password to use with username to send to the server
            :httpauth: If set to ``basic`` then use HTTP Basic Authentication
                to send the username and password to the server.  This may be
                extended in the future to support other httpauth types than
                ``basic``.

            Note that cookie can be sent alone but if one of username or
            password is set the other must as well.  Code can set all of these
            if it wants and all of them will be sent to the server.  Be careful
            of sending cookies that do not match with the username in this
            case as the server can decide what to do in this case.
        :kwarg file_params: dict of files where the key is the name of the
            file field used in the remote method and the value is the local
            path of the file to be uploaded.  If you want to pass multiple
            files to a single file field, pass the paths as a list of paths.
        :kwarg retries: if we get an unknown or possibly transient error from
            the server, retry this many times.  Setting this to a negative
            number makes it try forever.  Default to use the :attr:`retries`
            value set on the instance or in :meth:`__init__`.
        :kwarg timeout: A float describing the timeout of the connection. The
            timeout only affects the connection process itself, not the
            downloading of the response body. Defaults to the :attr:`timeout`
            value set on the instance or in :meth:`__init__`.
        :returns: If ProxyClient is created with session_as_cookie=True (the
            default), a tuple of session cookie and data from the server.
            If ProxyClient was created with session_as_cookie=False, a tuple
            of session_id and data instead.
        :rtype: tuple of session information and data from server

        .. versionchanged:: 0.3.17
            No longer send tg_format=json parameter.  We rely solely on the
            Accept: application/json header now.
        .. versionchanged:: 0.3.21
            * Return data as a Bunch instead of a DictContainer
            * Add file_params to allow uploading files
        .. versionchanged:: 0.3.33
            Added the timeout kwarg
        '''
        self.log.debug('proxyclient.send_request: entered')

        # parameter mangling
        file_params = file_params or {}

        # Check whether we need to authenticate for this request
        session_id = None
        username = None
        password = None
        if auth_params:
            if 'session_id' in auth_params:
                session_id = auth_params['session_id']
            elif 'cookie' in auth_params:
                warnings.warn(
                    'Giving a cookie to send_request() to'
                    ' authenticate is deprecated and will be removed in 0.4.'
                    ' Please port your code to use session_id instead.',
                    DeprecationWarning,
                    stacklevel=2)
                session_id = auth_params['cookie'].output(attrs=[],
                                                          header='').strip()
            if 'username' in auth_params and 'password' in auth_params:
                username = auth_params['username']
                password = auth_params['password']
            elif 'username' in auth_params or 'password' in auth_params:
                raise AuthError('username and password must both be set in'
                                ' auth_params')
            if not (session_id or username):
                raise AuthError(
                    'No known authentication methods'
                    ' specified: set "cookie" in auth_params or set both'
                    ' username and password in auth_params')

        # urljoin is slightly different than os.path.join().  Make sure method
        # will work with it.
        method = method.lstrip('/')
        # And join to make our url.
        url = urljoin(self.base_url, quote(method))

        data = None  # decoded JSON via json.load()

        # Set standard headers
        headers = {
            'User-agent': self.useragent,
            'Accept': 'application/json',
        }

        # Files to upload
        for field_name, local_file_name in file_params:
            file_params[field_name] = open(local_file_name, 'rb')

        cookies = requests.cookies.RequestsCookieJar()
        # If we have a session_id, send it
        if session_id:
            # Anytime the session_id exists, send it so that visit tracking
            # works.  Will also authenticate us if there's a need.  Note that
            # there's no need to set other cookie attributes because this is a
            # cookie generated client-side.
            cookies.set(self.session_name, session_id)

        complete_params = req_params or {}
        if session_id:
            # Add the csrf protection token
            token = sha_constructor(to_bytes(session_id))
            complete_params.update({'_csrf_token': token.hexdigest()})

        auth = None
        if username and password:
            if auth_params.get('httpauth', '').lower() == 'basic':
                # HTTP Basic auth login
                auth = (username, password)
            else:
                # TG login
                # Adding this to the request data prevents it from being
                # logged by apache.
                complete_params.update({
                    'user_name': to_bytes(username),
                    'password': to_bytes(password),
                    'login': '******',
                })

        # If debug, give people our debug info
        self.log.debug('Creating request %(url)s' % {'url': to_bytes(url)})
        self.log.debug('Headers: %(header)s' %
                       {'header': to_bytes(headers, nonstring='simplerepr')})
        if self.debug and complete_params:
            debug_data = copy.deepcopy(complete_params)

            if 'password' in debug_data:
                debug_data['password'] = '******'

            self.log.debug('Data: %r' % debug_data)

        if retries is None:
            retries = self.retries

        if timeout is None:
            timeout = self.timeout

        num_tries = 0
        while True:
            try:
                response = requests.post(
                    url,
                    data=complete_params,
                    cookies=cookies,
                    headers=headers,
                    auth=auth,
                    verify=not self.insecure,
                    timeout=timeout,
                )
            except (requests.Timeout, requests.exceptions.SSLError) as e:
                if isinstance(e, requests.exceptions.SSLError):
                    # And now we know how not to code a library exception
                    # hierarchy...  We're expecting that requests is raising
                    # the following stupidity:
                    # requests.exceptions.SSLError(
                    #   urllib3.exceptions.SSLError(
                    #     ssl.SSLError('The read operation timed out')))
                    # If we weren't interested in reraising the exception with
                    # full tracdeback we could use a try: except instead of
                    # this gross conditional.  But we need to code defensively
                    # because we don't want to raise an unrelated exception
                    # here and if requests/urllib3 can do this sort of
                    # nonsense, they may change the nonsense in the future
                    #
                    # And a note on the __class__.__name__/__module__ parsing:
                    # On top of all the other things it does wrong, requests
                    # is bundling a copy of urllib3.  Distros can unbundle it.
                    # But because of the bundling, python will think
                    # exceptions raised by the version downloaded by pypi
                    # (requests.packages.urllib3.exceptions.SSLError) are
                    # different than the exceptions raised by the unbundled
                    # distro version (urllib3.exceptions.SSLError).  We could
                    # do a try: except trying to import both of these
                    # SSLErrors and then code to detect either one of them but
                    # the whole thing is just stupid.  So we'll use a stupid
                    # hack of our own that (1) means we don't have to depend
                    # on urllib3 just for this exception and (2) is (slightly)
                    # less likely to break on the whims of the requests
                    # author.
                    if not (e.args
                            and e.args[0].__class__.__name__ == 'SSLError'
                            and e.args[0].__class__.__module__.endswith(
                                'urllib3.exceptions') and e.args[0].args
                            and isinstance(e.args[0].args[0], ssl.SSLError)
                            and e.args[0].args[0].args
                            and 'timed out' in e.args[0].args[0].args[0]):
                        # We're only interested in timeouts here
                        raise
                self.log.debug('Request timed out')
                if retries < 0 or num_tries < retries:
                    num_tries += 1
                    self.log.debug('Attempt #%(try)s failed' %
                                   {'try': num_tries})
                    time.sleep(0.5)
                    continue
                # Fail and raise an error
                # Raising our own exception protects the user from the
                # implementation detail of requests vs pycurl vs urllib
                raise ServerError(
                    url, -1, 'Request timed out after %s seconds' % timeout)

            # When the python-requests module gets a response, it attempts to
            # guess the encoding using chardet (or a fork)
            # That process can take an extraordinarily long time for long
            # response.text strings.. upwards of 30 minutes for FAS queries to
            # /accounts/user/list JSON api!  Therefore, we cut that codepath
            # off at the pass by assuming that the response is 'utf-8'.  We can
            # make that assumption because we're only interfacing with servers
            # that we run (and we know that they all return responses
            # encoded 'utf-8').
            response.encoding = 'utf-8'

            # Check for auth failures
            # Note: old TG apps returned 403 Forbidden on authentication
            # failures.
            # Updated apps return 401 Unauthorized
            # We need to accept both until all apps are updated to return 401.
            http_status = response.status_code
            if http_status in (401, 403):
                # Wrong username or password
                self.log.debug('Authentication failed logging in')
                raise AuthError(
                    'Unable to log into server.  Invalid'
                    ' authentication tokens.  Send new username and password')
            elif http_status >= 400:
                if retries < 0 or num_tries < retries:
                    # Retry the request
                    num_tries += 1
                    self.log.debug('Attempt #%(try)s failed' %
                                   {'try': num_tries})
                    time.sleep(0.5)
                    continue
                # Fail and raise an error
                try:
                    msg = http.client.responses[http_status]
                except (KeyError, AttributeError):
                    msg = 'Unknown HTTP Server Response'
                raise ServerError(url, http_status, msg)
            # Successfully returned data
            break

        # In case the server returned a new session cookie to us
        new_session = response.cookies.get(self.session_name, '')

        try:
            data = response.json()
        except ValueError as e:
            # The response wasn't JSON data
            raise ServerError(
                url, http_status, 'Error returned from'
                ' json module while processing %(url)s: %(err)s' % {
                    'url': to_bytes(url),
                    'err': to_bytes(e)
                })

        if 'exc' in data:
            name = data.pop('exc')
            message = data.pop('tg_flash')
            raise AppError(name=name, message=message, extras=data)

        # If we need to return a cookie for deprecated code, convert it here
        if self.session_as_cookie:
            cookie = http.cookies.SimpleCookie()
            cookie[self.session_name] = new_session
            new_session = cookie

        self.log.debug('proxyclient.send_request: exited')
        data = munchify(data)
        return new_session, data