def create_token(value):
if pkconfig.channel_in_internal_test() and cfg.create_token_secret:
v = base64.b32encode(
hashlib.sha256(
pkcompat.to_bytes(value + cfg.create_token_secret)).digest())
return pkcompat.from_bytes(v[:TOKEN_SIZE])
return random_base62(TOKEN_SIZE)
def _do_download_data_file(msg, template):
try:
r = template.get_data_file(
msg.runDir,
msg.analysisModel,
msg.frame,
options=PKDict(suffix=msg.suffix),
)
if not isinstance(r, PKDict):
if isinstance(r, str):
r = msg.runDir.join(r, abs=1)
r = PKDict(filename=r)
u = r.get('uri')
if u is None:
u = r.filename.basename
c = r.get('content')
if c is None:
c = pkcompat.to_bytes(pkio.read_text(r.filename)) \
if u.endswith(('py', 'txt', 'csv')) \
else r.filename.read_binary()
requests.put(
msg.dataFileUri + u,
data=c,
verify=job.cfg.verify_tls,
).raise_for_status()
return PKDict()
except Exception as e:
return PKDict(state=job.ERROR, error=e, stack=pkdexc())
def install_crt_and_login(compt, j2_ctx):
from rsconf.pkcli import tls
if not update_j2_ctx(j2_ctx):
return
jf = db.secret_path(j2_ctx,
_PASSWD_SECRET_JSON_F,
visibility=_PASSWD_VISIBILITY)
with jf.open() as f:
y = pkjson.load_any(jf)
u = j2_ctx.rsconf_db.host
p = y.get(u, None)
if not p:
return
j2_ctx.docker.auths[j2_ctx.docker_registry.http_addr] = dict(
auth=pkcompat.from_bytes(
base64.b64encode(
pkcompat.to_bytes(u + ':' + pkcompat.from_bytes(p))), ), )
compt.install_access(mode='700', owner=j2_ctx.docker_registry.run_u)
crt = component.tls_key_and_crt(j2_ctx, j2_ctx.docker_registry.host).crt
if not tls.is_self_signed_crt(crt):
return
compt.install_directory(_CERTS_D)
d = _CERTS_D.join(j2_ctx.docker_registry.http_addr)
compt.install_directory(d)
compt.install_access(mode='400', owner=j2_ctx.docker_registry.run_u)
compt.install_abspath(crt, d.join('ca.crt'))
# need in /etc/pki as well (now)
# https://success.docker.com/article/i-get-x509-certificate-signed-by-unknown-authority-error-when-i-try-to-login-to-my-dtr-with-default-certificates
compt.install_abspath(
crt, _CA_TRUST_D.join(j2_ctx.docker_registry.host + '.crt'))
compt.append_root_bash('update-ca-trust')
def test_from_bytes():
from pykern import pkcompat
from pykern.pkunit import pkeq
b = pkcompat.to_bytes('你好')
s = pkcompat.from_bytes(b)
pkeq(s, '你好')
pkeq(b, b'\xe4\xbd\xa0\xe5\xa5\xbd')
if six.PY2:
pkeq(b, s)
else:
pkeq(False, b == s)
def _passwd_entry(j2_ctx, host):
from rsconf import db
import subprocess
pw = db.random_string()
pf = passwd_secret_f(j2_ctx)
p = subprocess.Popen(
['openssl', 'passwd', '-stdin', '-apr1'],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
stdin=subprocess.PIPE,
)
out, err = p.communicate(input=pkcompat.to_bytes(pw))
with pf.open(mode='at') as f:
f.write('{}:{}\n'.format(host, pkcompat.from_bytes(out).rstrip()))
return pw
def test_create_zip(fc):
from pykern import pkio
from pykern import pkunit
from pykern import pkcompat
from pykern.pkcollections import PKDict
from pykern.pkdebug import pkdp, pkdpretty
from pykern.pkunit import pkeq
from sirepo import srunit
import base64
import re
import zipfile
imported = _import(fc)
for sim_type, sim_name, expect in imported + [
('elegant', 'bunchComp - fourDipoleCSR',
['WAKE-inputfile.knsl45.liwake.sdds', 'run.py', 'sirepo-data.json']),
('srw', 'Tabulated Undulator Example',
['magnetic_measurements.zip', 'run.py', 'sirepo-data.json']),
('warppba', 'Laser Pulse', ['run.py', 'sirepo-data.json']),
]:
sim_id = fc.sr_sim_data(
sim_name, sim_type)['models']['simulation']['simulationId']
with pkio.save_chdir(pkunit.work_dir()) as d:
for t in 'zip', 'html':
r = fc.sr_get(
'exportArchive',
PKDict(
simulation_type=sim_type,
simulation_id=sim_id,
filename='anything.' + t,
))
p = d.join(sim_name + '.' + t)
x = r.data
if t == 'html':
x = pkcompat.from_bytes(x)
m = re.search(r'name="zip" \S+ value="([^"]+)"',
x,
flags=re.DOTALL)
x = base64.b64decode(pkcompat.to_bytes(m.group(1)))
p.write_binary(x)
e = expect
if t == 'html':
e.remove('run.py')
pkeq(
e,
sorted(zipfile.ZipFile(str(p)).namelist()),
)
def do_form(form):
"""Self-extracting archive post
Args:
form (flask.request.Form): what to import
Returns:
dict: data
"""
from sirepo import simulation_db
if not 'zip' in form:
sirepo.util.raise_not_found('missing zip in form')
data = read_zip(base64.decodebytes(pkcompat.to_bytes(form['zip'])))
data.models.simulation.folder = '/Import'
data.models.simulation.isExample = False
return simulation_db.save_new_simulation(data)
def auth_hash(req, verify=False):
now = int(time.time())
if not 'authNonce' in req:
if verify:
util.raise_unauthorized('authNonce: missing field in request')
req.authNonce = str(now) + _AUTH_NONCE_SEPARATOR + util.random_base62()
h = hashlib.sha256()
h.update(
pkcompat.to_bytes(
_AUTH_HASH_SEPARATOR.join([
req.authNonce,
req.simulationType,
req.simulationId,
cfg.secret,
])), )
res = 'v1:' + pkcompat.from_bytes(base64.urlsafe_b64encode(h.digest()), )
if not verify:
req.authHash = res
return
if res != req.authHash:
util.raise_unauthorized(
'{}: hash mismatch expected={} nonce={}',
req.authHash,
res,
req.authNonce,
)
t = req.authNonce.split(_AUTH_NONCE_SEPARATOR)[0]
try:
t = int(t)
except ValueError as e:
util.raise_unauthorized(
'{}: auth_nonce prefix not an int: nonce={}',
t,
req.authNonce,
)
delta = now - t
if abs(delta) > _AUTH_NONCE_REPLAY_SECS:
util.raise_unauthorized(
'{}: auth_nonce time outside replay window={} now={} nonce={}',
t,
_AUTH_NONCE_REPLAY_SECS,
now,
req.authNonce,
)
def test_srw_auth_hash_copy():
from pykern import pkconfig
pkconfig.reset_state_for_testing({
'SIREPO_AUTH_BLUESKY_SECRET': 'anything',
'SIREPO_AUTH_METHODS': 'bluesky',
'SIREPO_FEATURE_CONFIG_SIM_TYPES': 'srw:myapp',
})
from pykern import pkcollections
from pykern import pkcompat
from pykern.pkdebug import pkdp
from pykern.pkunit import pkeq
from sirepo.auth import bluesky
import base64
import hashlib
import numconv
import random
import time
bluesky.init_apis()
req = dict(
simulationType='xyz',
simulationId='1234',
)
r = random.SystemRandom()
req['authNonce'] = str(int(time.time())) + '-' + ''.join(
r.choice(numconv.BASE62) for x in range(32)
)
h = hashlib.sha256()
h.update(
pkcompat.to_bytes(
':'.join([
req['authNonce'],
req['simulationType'],
req['simulationId'],
bluesky.cfg.secret,
]),
),
)
req['authHash'] = 'v1:' + pkcompat.from_bytes(
base64.urlsafe_b64encode(h.digest()),
)
bluesky.auth_hash(pkcollections.Dict(req), verify=True)
def test_basic(auth_fc, monkeypatch):
from pykern import pkconfig, pkcompat
from pykern.pkunit import pkeq
from sirepo import srunit
import base64
import sirepo.auth.basic
u = auth_fc.sr_login_as_guest()
sirepo.auth.basic.cfg.uid = u
import sirepo.status
auth_fc.cookie_jar.clear()
# monkeypatch so status doesn't take so long
sirepo.status._SIM_TYPE = 'myapp'
sirepo.status._SIM_NAME = 'Scooby Doo'
sirepo.status._SIM_REPORT = 'heightWeightReport'
pkeq(401, auth_fc.sr_get('serverStatus').status_code)
r = auth_fc.sr_get_json(
'serverStatus',
headers=PKDict(Authorization='Basic ' + pkcompat.from_bytes(
base64.b64encode(pkcompat.to_bytes(u + ':' + 'pass')), ), ),
)
pkeq('ok', r.state)
def host_init(hdb, host):
jf = db.secret_path(hdb,
_PASSWD_SECRET_JSON_F,
visibility=_PASSWD_VISIBILITY)
if jf.check():
with jf.open() as f:
y = pkjson.load_any(f)
else:
y = PKDict()
assert not host in y, \
'{}: host already exists'.format(host)
y[host] = db.random_string()
pkjson.dump_pretty(y, filename=jf)
pf = db.secret_path(hdb, _PASSWD_SECRET_F, visibility=_PASSWD_VISIBILITY)
with pf.open(mode='at') as f:
f.write(
'{}:{}\n'.format(
host,
pkcompat.from_bytes(
bcrypt.hashpw(
pkcompat.to_bytes(y[host]),
bcrypt.gensalt(5),
), ),
), )
def avatar_uri(model, size):
return 'https://www.gravatar.com/avatar/{}?d=mp&s={}'.format(
hashlib.md5(pkcompat.to_bytes(model.user_name)).hexdigest(),
size,
)
def _encrypt(self, text):
return base64.urlsafe_b64encode(
self._crypto().encrypt(pkcompat.to_bytes(text)), )
def _decrypt(self, value):
d = self._crypto().decrypt(
base64.urlsafe_b64decode(pkcompat.to_bytes(value)), )
pkdc('{}', d)
return pkcompat.from_bytes(d)
def url_safe_hash(value):
return hashlib.md5(pkcompat.to_bytes(value)).hexdigest()
