def test_values(self):
user = AnonymousUserMixin()
self.assertFalse(user.is_active)
self.assertFalse(user.is_authenticated)
self.assertTrue(user.is_anonymous)
self.assertIsNone(user.get_id())
def test_values(self):
user = AnonymousUserMixin()
self.assertFalse(user.is_active)
self.assertFalse(user.is_authenticated)
self.assertTrue(user.is_anonymous)
self.assertIsNone(user.get_id())
def from_ip(cls, ip):
try:
userData = do_api_call('find?ip=' + ip)
except ConnectionError:
return AnonymousUserMixin()
if not userData:
return AnonymousUserMixin()
return cls(user_data=userData)
def authenticate_by_password(username, password):
try:
results = mc.authLogin(username, password)
if 'error' in results:
return AnonymousUserMixin()
profile = results['profile']
key = profile['api_key']
user = User(username, key, profile=profile)
User.cached[user.id] = user
return user
except Exception:
return AnonymousUserMixin()
def verify_token(token):
g.current_user = AnonymousUserMixin()
user = g.User.get_by_token(token)
if user:
g.current_user = user
return True
return False
def wraper(*args, **kwargs):
conf = load_config(kwargs.pop('app_config').copy())
app = create_app(conf)
reqctx = kwargs.pop('request_ctx')
reqctx.push()
task_id = 'task:' + getattr(request, 'request_id')
user_id = kwargs.pop('user_id', None)
if user_id:
from app.user_system.models import User
user = User.get(id=user_id)
else:
from flask_login import AnonymousUserMixin
user = AnonymousUserMixin()
setattr(_request_ctx_stack.top, 'user', user)
with app.app_context():
info = {'status_code': 200,
'message': '开始执行任务'}
redis.db.set(task_id, json.dumps(info))
try:
func(*args, **kwargs)
info['message'] = '任务执行成功'
except HTTPException, e:
app.logger.error(e)
info = e.data
except Exception:
info['status_code'] = 500
info['message'] = '任务执行失败'
def embedded(
self,
dashboard_id_or_slug: str,
add_extra_log_payload: Callable[..., None] = lambda **kwargs: None,
) -> FlaskResponse:
"""
Server side rendering for a dashboard
:param dashboard_id_or_slug: identifier for dashboard. used in the decorators
:param add_extra_log_payload: added by `log_this_with_manual_updates`, set a
default value to appease pylint
"""
if not is_feature_enabled("EMBEDDED_SUPERSET"):
return Response(status=404)
# Log in as an anonymous user, just for this view.
# This view needs to be visible to all users,
# and building the page fails if g.user and/or ctx.user aren't present.
login_manager: LoginManager = security_manager.lm
login_manager.reload_user(AnonymousUserMixin())
add_extra_log_payload(
dashboard_id=dashboard_id_or_slug, dashboard_version="v2",
)
bootstrap_data = {
"common": common_bootstrap_payload(),
}
return self.render_template(
"superset/spa.html",
entry="embedded",
bootstrap_data=json.dumps(
bootstrap_data, default=utils.pessimistic_json_iso_dttm_ser
),
)
def authenticate_user(username, password):
global db
hashword = hashlib.sha1(password).hexdigest()
result = db.users.find_one({u'username': username, u'password': hashword})
if (result):
return User(result['username'], result['username'])
return AnonymousUserMixin()
def authenticate_user_key(username, key):
try:
user = User(username, key)
User.cached[key] = user
return user
except Exception:
return AnonymousUserMixin()
def verify_password(username, password):
g.current_user = AnonymousUserMixin()
user = g.User.get_by_account(username, password)
if user:
g.current_user = user
return True
return False
def authenticate_by_key(username, key):
user_mc = mcapi.MediaCloud(key)
if user_mc.verifyAuthToken():
profile = user_mc.userProfile()
user = User(username, key, profile=profile)
User.cached[user.id] = user
return user
return AnonymousUserMixin()
def user(self, name=None):
"""See :func:`burpui.misc.auth.interface.BUIhandler.user`"""
if name not in self.users:
self.users[name] = LocalUser(self.local, name)
ret = self.users[name]
if not ret.active:
return AnonymousUserMixin()
return ret
def get(cls, username, **kwargs):
"""Static method for flask-login user_loader,
used before _every_ request.
"""
user = LdapConnector.fetch_user(username)
if user:
return cls(user['uid'], user['mail'], **kwargs)
return AnonymousUserMixin()
def load_user(username):
"""Loads a User object from/into the session at every request
"""
dormitory = backends.get_dormitory(session.get('dormitory', None))
if dormitory:
return dormitory.datasource.user_class.get(username)
else:
return AnonymousUserMixin()
def load_user(user_id):
from app.database import db_session
from app.model.models import User
user = db_session.query(User).get(user_id)
if not user:
return AnonymousUserMixin()
return user
def get(cls, username):
"""Static method for flask-login user_loader,
used before _every_ request.
"""
if username in config:
return cls(username)
else:
return AnonymousUserMixin()
def authenticate_user(username, password):
try:
key = mc.userAuthToken(username, password)
user = User(username, key)
User.cached[key] = user
return user
except Exception:
return AnonymousUserMixin()
def user(self, name=None):
"""See :func:`burpui.misc.auth.interface.BUIhandler.user`"""
if name not in self.users:
self.change = self.basic.load_users()
self.users[name] = BasicUser(self.basic, name)
ret = self.users[name]
if not ret.active:
return AnonymousUserMixin()
return ret
def get(cls, username):
"""Used by user_loader. Return a User Instance.
Returns a valid User instance if a psql user with the given
username exists, else AnonymousUserMixin().
"""
bare_user = cls(uid=username)
return bare_user if bare_user._pg_account else AnonymousUserMixin()
def test_anon_user_can_view_public_task(self):
# given
task = Task('task', is_public=True)
anon = AnonymousUserMixin()
self.pl.add(task)
self.pl.commit()
# when
result = TaskUserOps.user_can_view_task(task, anon)
# then
self.assertTrue(result)
def user_from_ip(self, ip):
"""Return the User that corresponds to ``ip`` according to the
datasource.
:param str ip: The ip
:return: The corresponding User in the sense of the
datasource.
:rtype: The corresponding datasources ``user_class``.
"""
dormitory = self.dormitory_from_ip(ip)
if not dormitory:
return AnonymousUserMixin()
datasource = dormitory.datasource
if datasource is None:
return AnonymousUserMixin()
return datasource.user_class.from_ip(ip)
def test_anon_user_cannot_edit_private_task(self):
# given
task = Task('task')
anon = AnonymousUserMixin()
self.pl.add(task)
self.pl.commit()
# when
result = TaskUserOps.user_can_edit_task(task, anon)
# then
self.assertFalse(result)
def test_check_user_can_validate_bookings_returns_false_when_user_is_not_logged_in(
self, app):
# Given
user = AnonymousUserMixin()
# When
result = check_user_can_validate_bookings(user, None)
# Then
assert result is False
def from_ip(cls, ip):
"""Return a user based on an ip.
If there is no user associated with this ip, return AnonymousUserMixin.
"""
account_name = db.session.query(IP).filter_by(ip=ip).one().account
if not account_name:
return AnonymousUserMixin()
return cls.get(account_name)
def embedded(
self,
uuid: str,
add_extra_log_payload: Callable[..., None] = lambda **kwargs: None,
) -> FlaskResponse:
"""
Server side rendering for the embedded dashboard page
:param uuid: identifier for embedded dashboard
:param add_extra_log_payload: added by `log_this_with_manual_updates`, set a
default value to appease pylint
"""
if not is_feature_enabled("EMBEDDED_SUPERSET"):
abort(404)
embedded = EmbeddedDAO.find_by_id(uuid)
if not embedded:
abort(404)
# validate request referrer in allowed domains
is_referrer_allowed = not embedded.allowed_domains
for domain in embedded.allowed_domains:
if same_origin(request.referrer, domain):
is_referrer_allowed = True
break
if not is_referrer_allowed:
abort(403)
# Log in as an anonymous user, just for this view.
# This view needs to be visible to all users,
# and building the page fails if g.user and/or ctx.user aren't present.
login_manager: LoginManager = security_manager.lm
login_manager.reload_user(AnonymousUserMixin())
add_extra_log_payload(
embedded_dashboard_id=uuid,
dashboard_version="v2",
)
bootstrap_data = {
"common": common_bootstrap_payload(),
"embedded": {
"dashboard_id": embedded.dashboard_id,
},
}
return self.render_template(
"superset/spa.html",
entry="embedded",
bootstrap_data=json.dumps(
bootstrap_data, default=utils.pessimistic_json_iso_dttm_ser),
)
def from_ip(cls, ip):
try:
sql_nutzer = (db.session.query(Nutzer)
.join(Computer)
.filter_by(c_ip=ip)
.filter(Nutzer.status.in_(ACTIVE_STATUS))
.one())
except NoResultFound:
return AnonymousUserMixin()
username = sql_nutzer.unix_account
user = cls.get(username)
if not user:
logger.warning("User %s could not be fetched from LDAP",
username, extra={'data': {
'username': username,
'user_id': sql_nutzer.nutzer_id,
}})
return AnonymousUserMixin()
return user
def user(self, name=None, refresh=False):
"""The :func:`burpui.misc.auth.interface.BUIhandler.user` function
returns the :class:`flask_login:flask_login.UserMixin` object
corresponding to the given user name.
:param name: Name of the user
:type name: str
:param refresh: Whether we need to re-create a fresh user or not
:type refresh: bool
:returns: :class:`burpui.misc.auth.interface.BUIuser`
"""
return AnonymousUserMixin()
def get_current_user():
current_user = getattr(g, 'current_user', None)
if not current_user:
username = request.authorization.get('username')
password = request.authorization.get('password')
get_user_method = [g.User.get_by_token,
g.User.get_by_account][password]
current_user = get_user_method(username, password)
if not current_user:
current_user = AnonymousUserMixin()
return current_user
def verify_password(email_or_token, password):
if email_or_token == '':
g.current_user = AnonymousUserMixin()
return True
if password == '':
g.current_user = User.verify_auth_token(email_or_token)
g.token_used = True
return g.current_user is not None
user = User.query.filter_by(email=email_or_token).first()
if not user:
return False
g.current_user = user
g.token_used = False
return user.verify_password(password)
def test_check_privileges(db_session, db_user: User, db_privilege: Privilege):
"""Checks the low level authentication checking responds as designed.
:param db_session: Pytest fixture allocated session.:
:param db_user: Default test user object.
:param db_privilege: Default test privilege object.
:return:
"""
# Test logged in user can access with empty privilege list.
assert check_privileges([], db_session, db_user)
# Test logged in user can access if named in privilege list.
assert check_privileges([db_privilege.name], db_session, db_user)
# Test admin can access all views without explicitly defined.
admin_privilege = Privilege(id=999, name=PrivilegeNames.ADMIN.name)
db_session.add(admin_privilege)
db_session.add(
UserPrivilege(user_id=db_user.id, privilege_id=admin_privilege.id))
db_session.flush()
assert check_privileges(["InvalidPrivilege"], db_session, db_user)
db_session.rollback() # get rid of that admin stuff
# Test not logged in user is denied with empty privilege list.
assert not check_privileges([], db_session, AnonymousUserMixin())
# Test logged in user blocked if not named in privilege list.
assert not check_privileges([PrivilegeNames.READ], db_session, db_user)
def get_anonymous_user(self) -> User: # pylint: disable=no-self-use
return AnonymousUserMixin()
def __init__(self):
self.username = '******'
self.password = ''
self.id = -1
User.__init__(self)
AnonymousUserMixin.__init__(self)