def on_get(self, request, response):
Logger.info(LOCATION,
INCOMING_REQUEST + METHOD_GET + ' ' + PAIRING_ENDPOINT)
configuration = self.configuration_store.get()
if configuration.get_device_status() is not DeviceStatus.NEW:
error = 'Device is already paired.'
Logger.error(LOCATION, error)
raise falcon.HTTPForbidden(description=error)
device_information = configuration.get_device_information()
response.media = json.dumps(device_information)
subprocess.Popen(['make', 'pair'])
def on_patch(self, req: falcon.Request, resp: falcon.Response,
primary_key: str):
"""Write attributes."""
user = req.context.get('user')
if user is None:
raise falcon.HTTPForbidden()
self.view.update_details(user, primary_key, req.media)
if primary_key == user['primaryKey']:
resp.media = self.token_generator(user['primaryKey'])
resp.status = falcon.HTTP_200
def _get_data(self, cleaned, id, *args, **kwargs):
data = cleaned['data']['attributes']
model = self.database_model
try:
return model.objects.update_from_data(id, self.request.user,
data)
except model.DoesNotExist:
raise falcon.HTTPNotFound
except DuplicateSubscriptionName:
raise falcon.HTTPForbidden(
'Subscription with given name already exist')
def on_get(self, req, resp, username: str):
'/user/application/{username}'
# If account have permission, can review all username.
jwt_payload = req.context['user']['user']
if jwt_payload['username'] != username and jwt_payload['permission_level'] < 1:
raise falcon.HTTPForbidden(description=":)")
resp.body = f'{{"data": {self.review_service.get_user_application(username=username)}}}'
resp.media = falcon.MEDIA_JSON
resp.status = falcon.HTTP_200
return True
def clean(self, request, locations=None):
cleaned = super().clean(request, locations=locations)
usr = User.objects.get_or_none(email=cleaned['email'].strip())
if usr:
raise falcon.HTTPForbidden(
description=_('Account for this email already exist'))
# Model validation
usr = User(**cleaned)
self.clean_model(usr)
return cleaned
def _check_permissions(self, user: Dict[str, Any], writing: bool):
if not writing:
if not self._read_permissions:
return
for permission in self._read_permissions:
if user[permission]:
return
for permission in self._permissions:
if user[permission]:
return
raise falcon.HTTPForbidden(description="Insufficient permissions")
def clean(self, *args, **kwargs):
chart = self._get_instance(*args, **kwargs)
if not chart.can_be_updated_by(self.request.user):
raise falcon.HTTPForbidden(
title='You have no permission to update the resource!')
self.deserializer.context.update({
'chart': chart,
'resource': chart.resource,
'user': self.request.user,
})
return super().clean(validators=None, *args, **kwargs)
def login(self, username: str, password: str, fcm_token=None) -> str:
"""basic login function
Args:
username (str): username
password (str): password
Raises:
falcon.HTTPUnauthorized: 401, username or password error
Returns:
str: jwt payload.
JWT_Payload:
{
username
permission_level
}
permission_level:
- 0 is user
- 1 is editor/reviewer
- 2 is admin
"""
if self.redis_account.exists(username):
user_data = json.loads(self.redis_account.get(username))
s = hashlib.sha256()
s.update(password.encode('utf-8'))
_password = s.hexdigest()
if self.is_banned(username):
raise falcon.HTTPForbidden(
title="banned",
description=
"Your account is banned, any question please ask Facebook fan page."
)
if user_data['password'] == _password:
_user_level = 0
if username in ADMIN:
_user_level = 2
elif username in self.get_editor_list():
_user_level = 1
jwt_string = self.jwt_auth.get_auth_token(
user_payload={
"username": username,
"login_type": "General",
"permission_level": _user_level,
"fcm": fcm_token
})
return jwt_string
raise falcon.HTTPUnauthorized()
def user_required(req, resp, resource, params, user_type):
if 'user_session' not in req.cookies:
raise falcon.HTTPUnauthorized()
user = get_user(req.cookies['user_session'])
if not user or user.type != user_type:
raise falcon.HTTPForbidden()
resource.user = user
def google_oauth_login(self, code: str, fcm_token=None) -> str:
user_info_by_google = google_sign_in(code=code)
if user_info_by_google.get("verified_email", False) == False:
falcon.HTTPForbidden("Your email need verified.")
user_mail = user_info_by_google.get('email', False)
if user_mail is False:
falcon.HTTPServiceUnavailable(
description="Get user email error :(")
user_mail = user_mail.lower()
if APPLICANT_HOSTNAME_LIMIT != [] and user_mail not in self.get_editor_list(
):
user_mail_parse = address.parse(user_mail, addr_spec_only=True)
if user_mail_parse is not None:
if isinstance(user_mail_parse, address.EmailAddress) and \
user_mail_parse.hostname not in APPLICANT_HOSTNAME_LIMIT:
raise falcon.HTTPForbidden(
title="mail organization not allow")
if self.is_banned(user_mail):
raise falcon.HTTPForbidden(
title="banned",
description=
"Your account is banned, any question please ask Facebook fan page."
)
_user_level = 0
if user_mail in ADMIN:
_user_level = 2
elif user_mail in self.get_editor_list():
_user_level = 1
jwt_string = self.jwt_auth.get_auth_token(
user_payload={
"username": user_mail,
"login_type": "Oauth2",
"permission_level": _user_level,
"fcm": fcm_token
})
return jwt_string
def apple_sign_in_by_id_token(self,
id_token: str,
bundle_id=None,
fcm_token=None) -> str:
jwt_payload = apple_verify_id_token(id_token=id_token,
bundle_id=bundle_id)
if jwt_payload.get("email", False) == False:
falcon.HTTPServiceUnavailable(
description="Get user email error :(")
user_mail = jwt_payload.get("email", "").lower()
print(user_mail)
if APPLICANT_HOSTNAME_LIMIT != [] and user_mail not in self.get_editor_list(
):
user_mail_parse = address.parse(user_mail, addr_spec_only=True)
if user_mail_parse is not None:
if isinstance(user_mail_parse, address.EmailAddress) and \
user_mail_parse.hostname not in APPLICANT_HOSTNAME_LIMIT:
raise falcon.HTTPForbidden(
title="mail organization not allow")
if self.is_banned(user_mail):
raise falcon.HTTPForbidden(
title="banned",
description=
"Your account is banned, any question please ask Facebook fan page."
)
_user_level = 0
if user_mail in ADMIN:
_user_level = 2
elif user_mail in self.get_editor_list():
_user_level = 1
jwt_string = self.jwt_auth.get_auth_token(
user_payload={
"username": user_mail,
"login_type": "Apple_sign_in",
"permission_level": _user_level,
"fcm": fcm_token
})
return jwt_string
def execute(self, req, resp, params):
auth_header = req.get_header('Authorization')
# import pdb; pdb.set_trace()
if not auth_header:
raise falcon.HTTPUnauthorized(
title='401 Unauthorized',
description=_('Missing authorization header'),
code='token_missing'
)
user_payload = decode_jwt_token(auth_header)['user']
if not set(('session_key', 'email')) <= set(user_payload):
raise falcon.HTTPUnauthorized(
title='401 Unauthorized',
description=_('Invalid authorization header'),
code='token_error'
)
req.session = session_store(user_payload['session_key'])
user = get_user(req)
if not user or (hasattr(user, 'is_anonymous') and user.is_anonymous):
raise falcon.HTTPUnauthorized(
title='401 Unauthorized',
description=_('Invalid token data'),
code='authentication_error'
)
if user.email != user_payload['email']:
raise falcon.HTTPUnauthorized(
title='401 Unauthorized',
description=_('Invalid token data'),
code='authentication_error'
)
if user.state != 'active':
if user.state not in settings.USER_STATE_LIST or user.state == 'deleted':
raise falcon.HTTPUnauthorized(
title='401 Unauthorized',
description=_('Cannot login'),
code='account_unavailable'
)
if user.state in ('draft', 'blocked'):
raise falcon.HTTPUnauthorized(
title='401 Unauthorized',
description=_('Account is blocked'),
code='account_unavailable'
)
if user.state == 'pending':
raise falcon.HTTPForbidden(
title='403 Forbidden',
description=_('Email addres not confirmed'),
code='account_inactive'
)
req.user = user
def on_post(self, req, resp, corpus_id: str = None, corpus_property: str = None, property_value: str = None):
if req.user.role != UserKind.ADMINISTRATOR.value and req.user.role != UserKind.STAFF.value:
raise falcon.HTTPForbidden("Must be admin or staff")
if not corpus_id:
self.create_corpus(req, resp)
elif corpus_property == "assets" and property_value:
self.create_asset(req, resp, corpus_id, property_value)
elif corpus_property == "questions":
self.create_question(req, resp, corpus_id)
else:
raise falcon.HTTPNotFound()
def on_put(self, req, resp, id):
original_id = req.recover_int64_field(id)
if req.user.role == UserKind.ADMINISTRATOR.value or original_id == req.user.id:
# User's changing their own password, or they're an administrator
if "oldPassword" in req.body:
old_password = req.body["oldPassword"]
else:
old_password = None
new_password = req.body["newPassword"]
should_check_password = req.user.id == original_id
u = UserController(req.session)
user = u.get_user_from_id(original_id)
errors = u.change_password(user, old_password, new_password, should_check_password)
if errors:
resp.obj = errors
raise falcon.HTTPForbidden()
resp.status = falcon.HTTP_202
else:
raise falcon.HTTPForbidden()
def _get_instance(self, *args, **kwargs):
instance = getattr(self, '_cached_instance', None)
if not instance:
try:
self._cached_instance = UserSchedule.objects.published(
).get(pk=kwargs['id'])
except UserSchedule.DoesNotExist:
raise falcon.HTTPNotFound
if self._cached_instance.schedule.state == 'archival':
raise falcon.HTTPForbidden(
title='You cannot add new item to archival schedule!')
return self._cached_instance
def _get_data(self, cleaned, activation_code, *args, **kwargs):
try:
instance = self.database_model.objects.get(
activation_code=activation_code, is_active=False)
except self.database_model.DoesNotExist:
raise falcon.HTTPForbidden(
title=_('Invalid action!'),
description=_('The activation link has expired'))
instance.confirm_subscription()
instance.refresh_from_db()
return instance
def on_post(self, req: falcon.Request, res: falcon.Response):
if not req.media:
raise falcon.HTTPBadRequest("Bad or missing user payload")
user = req.media
if 'email' not in user or 'alias' not in user or 'password' not in user or 'captcha' not in user \
or 'code' not in user:
raise falcon.HTTPBadRequest(
"Missing fields for user. Requires email, alias, password, captcha, and code"
)
captcha = user['captcha']
if not captcha['id'] or not captcha['answer']:
raise falcon.HTTPBadRequest(
"Missing captcha fields. Required id and answer")
c = self._db.cursor()
row = c.execute("SELECT [answer] FROM [captcha_tokens] WHERE id = ?",
(captcha["id"], )).fetchone()
if row is None:
raise falcon.HTTPBadRequest("No captcha with id {} found".format(
captcha["id"]))
c.execute(
"DELETE FROM [captcha_tokens] WHERE id = ? OR [time] < date('now', '-1 hour')",
(captcha["id"], ))
self._db.commit()
if row[0] != captcha["answer"]:
raise falcon.HTTPForbidden(
"Captcha answer incorrect. Please try again")
row = c.execute(
"SELECT [campaign_id] FROM campaign_referral WHERE code=?",
(user['code'], )).fetchone()
if not row:
raise falcon.HTTPBadRequest("referral code not found")
campaign_id = row[0]
hash_pw = bcrypt.hashpw(user['password'].encode(), bcrypt.gensalt())
new_id = generate_new_id()
try:
c.execute(
"INSERT INTO [user] ([id], [email], [alias], [password]) VALUES (?, ?, ?, ?)",
(new_id, user['email'], user['alias'], hash_pw))
except sqlite3.IntegrityError:
raise falcon.HTTPBadRequest("Email already exists")
logging.info("Created new user with email [{}]".format(user['email']))
# Create an empty profile, to be populated later
c.execute("INSERT INTO [profile] ([user_id]) VALUES (?)", (new_id, ))
# For now, all new users auto-join the two campaigns until campaign support is added
c.execute(
"""
INSERT INTO [user_campaign_map] ([user_id], [campaign_id])
VALUES (?, ?), (?, ?)""", (new_id, 1, new_id, campaign_id))
self._db.commit()
res.status = falcon.HTTP_CREATED
def on_post(self, req, resp):
username = req.media.get('username')
password = req.media.get('password')
if not self.dao.login(username, password):
msg = "User has not provided valid credentials"
raise falcon.HTTPForbidden("Invalid Credentials", msg)
doc = {"apiKey": self.dao._get_key(username)}
resp.body = json.dumps(doc, ensure_ascii=False)
def check_owner(req, resp, params):
"""
Check that the requester is the resource owner. Must run after check_avatar and check_authorization.
:param req:
:param resp:
:param params:
:return:
"""
if req.context['sub'] != params['aid']:
raise falcon.HTTPForbidden(title="Access Denied",
description="Only owner can access.")
def authenticate(self, req, resp):
"""
Method should be overriden with specific a specific authentication
call for an implementation.
:param req: Request instance that will be passed through.
:type req: falcon.Request
:param resp: Response instance that will be passed through.
:type resp: falcon.Response
:raises: falcon.HTTPForbidden
"""
raise falcon.HTTPForbidden('Forbidden', 'Forbidden')
def on_post(self, req, resp, source, target):
"""
post demo
demo for `query`, `data`, `resp`, `x`
"""
print(f'{source} => {target}')
print(req.context.query)
print(req.context.data)
if random() < 0.5:
raise falcon.HTTPForbidden("Bad luck. You're fobidden.")
return Response(label=int(10 * random()), score=random())
def on_post(self, req, resp):
if self.fedora_repo and (self.fuseki or self.elastic_search):
raise falcon.HTTPForbidden(
"Services Already Running",
"Elastic Search, Fedora 4, and Fuseki already running")
self.__start_services__()
resp.status = falcon.HTTP_201
resp.body = json.dumps({"services": {
"elastic-search": {"pid": self.elastic_search.pid},
"fedora4": {"pid": self.fedora_repo.pid},
# "fedora4-messenger": {"pid": self.fedora_messenger.pid},
"fuseki": {"pid": self.fuseki.pid}}})
def process_resource(self, req, resp, resource, params):
''' Raise Forbidden if JWT Token is invalid in Authorization Header.
Expected header
----------------------------------------
Authorization: Bearer <token>
If resource not require authentication, set `auth` dict with method
to False (Its true by default.)
```
class Resource:
auth = {'get': False}
def on_get(self, req, resp):
'Dont need auth.'
pass
def on_post(self, req, resp):
'Need auth.'
pass
```
'''
auth_map = getattr(resource, 'auth', {})
if auth_map.get(req.method.lower(), True):
authorization_header = req.auth
# check if authorizacion header exists
if not authorization_header:
raise falcon.HTTPUnauthorized('Login required')
# check if authorization is Bearer
if not authorization_header.startswith('Bearer '):
raise falcon.HTTPForbidden('Invalid Authorization header')
# check if is valid token
token = authorization_header.split()[-1]
if utils.is_valid_token(token):
req.user = utils.get_user(token)
else:
raise falcon.HTTPForbidden('Invalid token')
def _get_instance(self, id, *args, **kwargs):
instance = getattr(self, '_cached_instance', None)
if not instance:
try:
self._cached_instance = self.database_model.objects.get(
pk=id)
except self.database_model.DoesNotExist:
raise falcon.HTTPNotFound
if self._cached_instance not in self.request.user.notifications.all(
):
raise falcon.HTTPForbidden(
title='You have no permission to update the resource.')
return self._cached_instance
def on_post(self, req, res):
"""Validate authentication credentials, issuing a new token and cookie
if valid."""
username = req.media.get('username')
password = req.media.get('password')
if auth_user(username, password):
new_token = req.context['encode_token']({'username': username})
res.set_cookie('token', new_token)
res.media = {'token': new_token}
else:
logzero.logger.warning('Log In Failed')
raise falcon.HTTPForbidden()
def wrapped(self, req, resp, *args, **kwargs):
authority = kwargs.get("ca")
# Parse remote IPv4/IPv6 address
remote_addr = ipaddress.ip_network(req.env["REMOTE_ADDR"])
# Check for administration subnet whitelist
print("Comparing:", authority.admin_subnets, "To:", remote_addr)
for subnet in authority.admin_subnets:
if subnet.overlaps(remote_addr):
break
else:
raise falcon.HTTPForbidden("Forbidden", "Remote address %s not whitelisted" % remote_addr)
# Check for username whitelist
kerberos_username, kerberos_realm = kwargs.get("user")
if kerberos_username not in authority.admin_users:
raise falcon.HTTPForbidden("Forbidden", "User %s not whitelisted" % kerberos_username)
# Retain username, TODO: Better abstraction with username, e-mail, sn, gn?
kwargs["user"] = kerberos_username
return func(self, req, resp, *args, **kwargs)
def permission_required(req, resp, resource, params):
login_required(req, resp, resource, params)
# Backdoor for stage development
if req.context['env']['config'] == 'stage' and \
req.headers.get('MAGIC-CODE') == 'WHOSYOURDADDY':
return
session = req.context['session']
user = req.context['session'].user
permissions = req.context['session'].permissions
if not Permission.check_permissions(
req.relative_uri, Permission.Action.name_to_num(req.method),
permissions):
raise falcon.HTTPForbidden('No permission to proceed')
def wrapped(resource, req, resp, *args, **kwargs):
buf = req.get_header("X-SSL-CERT")
if not buf:
logger.info(
"No TLS certificate presented to access administrative API call"
)
raise falcon.HTTPForbidden(
"Forbidden", "Machine not authorized to perform the operation")
header, _, der_bytes = pem.unarmor(
buf.replace("\t", "").encode("ascii"))
cert = x509.Certificate.load(der_bytes) # TODO: validate serial
for extension in cert["tbs_certificate"]["extensions"]:
if extension["extn_id"].native == "extended_key_usage":
if "server_auth" in extension["extn_value"].native:
req.context["machine"] = cert.subject.native["common_name"]
return func(resource, req, resp, *args, **kwargs)
logger.info(
"TLS authenticated machine '%s' not authorized to access administrative API",
cert.subject.native["common_name"])
raise falcon.HTTPForbidden(
"Forbidden", "Machine not authorized to perform the operation")
def only_owner_modify(
review_service: ReviewService,
application_id: str,
applicant_username: str):
origin_application = review_service.get_application_by_id(
application_id=application_id
)
if origin_application is None:
raise falcon.HTTPNotFound()
if json.loads(origin_application)['applicant'] != applicant_username:
raise falcon.HTTPForbidden(title="no permission to update")
def payment_required(req, resp, resource, params):
if 'user_session' not in req.cookies:
raise falcon.HTTPUnauthorized()
user = get_user(req.cookies['user_session'])
if not user:
raise falcon.HTTPUnauthorized()
if not user.payment_complete:
raise falcon.HTTPForbidden()
resource.user = user
