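def test_acc_get_uid_from_request(self):
        """webapikey - Login user from request using REST key

        Exercises ``web_api_key.acc_get_uid_from_request`` end to end:

        * a request signed with a freshly created key of ``self.id_admin``
          resolves to that user id;
        * the same request with garbage appended to the signed query string
          (the original comment identifies the last parameter as the key)
          is rejected with ``-1``;
        * a request with an empty query string is rejected with ``-1``;
        * a freshly signed request for ``/bad`` with different parameters
          is expected to be rejected with ``-1`` as well.

        The ``webapikey`` table is emptied in ``finally`` so that a failing
        assertion cannot leave a key behind and break the "no keys yet"
        precondition of the next run.
        """
        path = '/search'
        params = 'ln=es&sc=1&c=Articles & Preprints&action_search=Buscar&p=ellis'

        # Precondition: the admin user starts without any REST key.
        self.assertEqual(0, len(web_api_key.show_web_api_keys(uid=self.id_admin)))
        web_api_key.create_new_web_api_key(self.id_admin, "Test key I")
        try:
            key_info = run_sql("SELECT id FROM webapikey WHERE id_user=%s", (self.id_admin,))
            api_key = key_info[0][0]

            # A correctly signed request resolves to the owner of the key.
            url = web_api_key.build_web_request(path, params, api_key=api_key)
            # Split on the first '?' only, so a '?' inside a parameter value
            # cannot truncate the query string handed to the checker.
            req_path, req_args = url.split('?', 1)
            uid = web_api_key.acc_get_uid_from_request(req_path, req_args)
            self.assertEqual(uid, self.id_admin)

            # Tampering with the signed query string must fail closed.
            url = web_api_key.build_web_request(path, params, api_key=api_key)
            url += "123"  # corrupt the key
            req_path, req_args = url.split('?', 1)
            uid = web_api_key.acc_get_uid_from_request(req_path, req_args)
            self.assertEqual(uid, -1)

            # No query string at all: nothing to authenticate with.
            path = '/bad'
            uid = web_api_key.acc_get_uid_from_request(path, "")
            self.assertEqual(uid, -1)

            # Different path and parameters signed with the same key.
            params = {'nocache': 'yes', 'limit': 123}
            url = web_api_key.build_web_request(path, params, api_key=api_key)
            req_path, req_args = url.split('?', 1)
            uid = web_api_key.acc_get_uid_from_request(req_path, req_args)
            self.assertEqual(uid, -1)
        finally:
            # Always clean up, even when an assertion above fails.
            run_sql("DELETE FROM webapikey")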
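    def test_acc_get_uid_from_request(self):
        """webapikey - Login user from request using REST key

        Exercises ``web_api_key.acc_get_uid_from_request`` end to end:

        * a request signed with a freshly created key of ``self.id_admin``
          resolves to that user id;
        * the same request with garbage appended to the signed query string
          (the original comment identifies the last parameter as the key)
          is rejected with ``-1``;
        * a request with an empty query string is rejected with ``-1``;
        * a freshly signed request for ``/bad`` with different parameters
          is expected to be rejected with ``-1`` as well.

        The ``webapikey`` table is emptied in ``finally`` so that a failing
        assertion cannot leave a key behind and break the "no keys yet"
        precondition of the next run.
        """
        path = '/search'
        params = 'ln=es&sc=1&c=Articles & Preprints&action_search=Buscar&p=ellis'

        # Precondition: the admin user starts without any REST key.
        self.assertEqual(0,
                         len(web_api_key.show_web_api_keys(uid=self.id_admin)))
        web_api_key.create_new_web_api_key(self.id_admin, "Test key I")
        try:
            key_info = run_sql("SELECT id FROM webapikey WHERE id_user=%s",
                               (self.id_admin, ))
            api_key = key_info[0][0]

            # A correctly signed request resolves to the owner of the key.
            url = web_api_key.build_web_request(path, params, api_key=api_key)
            # Split on the first '?' only, so a '?' inside a parameter value
            # cannot truncate the query string handed to the checker.
            req_path, req_args = url.split('?', 1)
            uid = web_api_key.acc_get_uid_from_request(req_path, req_args)
            self.assertEqual(uid, self.id_admin)

            # Tampering with the signed query string must fail closed.
            url = web_api_key.build_web_request(path, params, api_key=api_key)
            url += "123"  # corrupt the key
            req_path, req_args = url.split('?', 1)
            uid = web_api_key.acc_get_uid_from_request(req_path, req_args)
            self.assertEqual(uid, -1)

            # No query string at all: nothing to authenticate with.
            path = '/bad'
            uid = web_api_key.acc_get_uid_from_request(path, "")
            self.assertEqual(uid, -1)

            # Different path and parameters signed with the same key.
            params = {'nocache': 'yes', 'limit': 123}
            url = web_api_key.build_web_request(path, params, api_key=api_key)
            req_path, req_args = url.split('?', 1)
            uid = web_api_key.acc_get_uid_from_request(req_path, req_args)
            self.assertEqual(uid, -1)
        finally:
            # Always clean up, even when an assertion above fails.
            run_sql("DELETE FROM webapikey")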
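    def _handler(req):
        """Handle an Apache request delivered by mod_python.

        Steps, in order (each may end the request early by raising
        ``apache.SERVER_RETURN``):

        1. Enforce the method whitelist: anything outside ``allowed_methods``
           gets 405, and ``OPTIONS`` is answered directly with an ``Allow``
           header.
        2. Expose the ``User-Agent`` header to fckeditor.py via ``os.environ``.
        3. If the query string carries ``apikey`` and the request arrived
           over HTTPS, validate it with ``web_api_key``: an invalid
           key/signature is a 401, a valid one logs the user in for this
           request via ``setUid``.
        4. Collapse repeated slashes in the URI and split it into path
           components.
        5. Flag maintenance mode (``CFG_ACCESS_CONTROL_LEVEL_SITE > 1``) with
           status 503.
        6. Emit caching headers: personalised content is marked private and
           non-cacheable, public content cacheable for an hour, with a
           relaxed variant for MSIE < 9 over HTTPS.
        7. Dispatch through ``root._traverse``; ``TraversalError`` becomes 404.

        :param req: the mod_python request object.
        :return: whatever the matched ``root._traverse`` handler returns.
        :raises apache.SERVER_RETURN: to hand an HTTP status back to Apache.
        """
        allowed_methods = ("GET", "POST", "HEAD", "OPTIONS", "PUT")
        # Enforce the whitelist rather than only advertising it in the
        # OPTIONS reply: any other verb is answered with 405 before it can
        # reach the traversal.
        req.allow_methods(allowed_methods, 1)
        if req.method not in allowed_methods:
            raise apache.SERVER_RETURN, apache.HTTP_METHOD_NOT_ALLOWED

        if req.method == 'OPTIONS':
            ## OPTIONS is used to know which methods are allowed
            req.headers_out['Allow'] = ', '.join(allowed_methods)
            raise apache.SERVER_RETURN, apache.OK

        # Set user agent for fckeditor.py, which needs it here.
        # NOTE(review): this copies a client-controlled header into the
        # process-wide environment; with a threaded MPM concurrent requests
        # can observe each other's value.  Kept because fckeditor.py reads
        # it from os.environ.
        os.environ["HTTP_USER_AGENT"] = req.headers_in.get('User-Agent', '')

        # Check if REST authentication can be performed.
        if req.args:
            args = cgi.parse_qs(req.args)
            # The key is honoured only over TLS.  NOTE(review): over plain
            # HTTP a supplied apikey is silently ignored and the request
            # proceeds as the session user; by then the key has already been
            # sent in cleartext, so a client that gets guest results back
            # should treat the key as exposed.
            if 'apikey' in args and req.is_https():
                uid = web_api_key.acc_get_uid_from_request(req.uri, req.args)
                if uid < 0:
                    # Fail closed: a present-but-invalid key is never
                    # downgraded to the session user.
                    raise apache.SERVER_RETURN, apache.HTTP_UNAUTHORIZED
                else:
                    setUid(req=req, uid=uid)

        guest_p = isGuestUser(getUid(req), run_on_slave=False)

        uri = req.uri
        if uri == '/':
            path = ['']
        else:
            ## Let's collapse multiple slashes into a single /
            uri = RE_SLASHES.sub('/', uri)
            path = uri[1:].split('/')

        if CFG_ACCESS_CONTROL_LEVEL_SITE > 1:
            ## If the site is under maintenance mode let's return
            ## 503 to casual crawlers to avoid having the site being
            ## indexed
            req.status = 503

        # A missing User-Agent is substituted with "MSIE 6.0", so (if
        # _RE_BAD_MSIE matches it) it lands in the old-MSIE branches below.
        g = _RE_BAD_MSIE.search(req.headers_in.get('User-Agent', "MSIE 6.0"))
        bad_msie = g and float(g.group(1)) < 9.0
        if uri.startswith('/yours') or not guest_p:
            ## Private/personalized request should not be cached.
            if bad_msie and req.is_https():
                # Old MSIE over HTTPS gets a softer header without
                # no-cache/no-store (presumably a download workaround for
                # that browser -- confirm before tightening).
                req.headers_out['Cache-Control'] = 'private, max-age=0, must-revalidate'
            else:
                req.headers_out['Cache-Control'] = 'private, no-cache, no-store, max-age=0, must-revalidate'
                req.headers_out['Pragma'] = 'no-cache'
                req.headers_out['Vary'] = '*'
        elif not (bad_msie and req.is_https()):
            # Public content; old MSIE over HTTPS gets no explicit caching
            # headers at all.
            req.headers_out['Cache-Control'] = 'public, max-age=3600'
            req.headers_out['Vary'] = 'Cookie, ETag, Cache-Control'

        try:
            if req.header_only and not RE_SPECIAL_URI.match(req.uri):
                return root._traverse(req, path, True, guest_p)
            else:
                ## bibdocfile has a special treatment for HEAD
                return root._traverse(req, path, False, guest_p)
        except TraversalError:
            raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
        except apache.SERVER_RETURN:
            ## This is one of mod_python's ways of communicating
            raise
        except IOError, exc:
            if 'Write failed, client closed connection' not in "%s" % exc:
                ## Workaround for considering as false positive exceptions
                ## raised by mod_python when the user closes the connection
                ## or in some other rare and not well identified cases.
                register_exception(req=req, alert_admin=True)
            raise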
    def _handler(req):
        """Entry point called by mod_python for every Apache request.

        Rejects methods outside the whitelist (405), answers ``OPTIONS``
        directly, optionally authenticates a REST ``apikey`` found in the
        query string (HTTPS only; an invalid key is a 401), normalises the
        URI, sets the caching headers and finally dispatches through
        ``root._traverse``.  Non-success outcomes are reported to Apache by
        raising ``apache.SERVER_RETURN`` with the matching status code.

        :param req: the mod_python request object.
        :return: the result of the matched ``root._traverse`` call.
        :raises apache.SERVER_RETURN: for 405, 401, 404 and the OPTIONS reply.
        """
        allowed_methods = ("GET", "POST", "HEAD", "OPTIONS", "PUT")
        req.allow_methods(allowed_methods, 1)
        if req.method not in allowed_methods:
            raise apache.SERVER_RETURN, apache.HTTP_METHOD_NOT_ALLOWED
        if req.method == 'OPTIONS':
            # Capability probe: advertise the whitelist and stop here.
            req.headers_out['Allow'] = ', '.join(allowed_methods)
            raise apache.SERVER_RETURN, apache.OK

        # fckeditor.py reads the user agent from the process environment.
        # NOTE(review): client-controlled and process-global -- concurrent
        # requests under a threaded MPM can see each other's value.
        os.environ["HTTP_USER_AGENT"] = req.headers_in.get('User-Agent', '')

        # REST key authentication is honoured only on TLS connections; a key
        # presented over plain HTTP is ignored and the session user is used.
        secure = req.is_https()
        if req.args and secure and 'apikey' in cgi.parse_qs(req.args):
            uid = web_api_key.acc_get_uid_from_request(req.uri, req.args)
            if uid < 0:
                raise apache.SERVER_RETURN, apache.HTTP_UNAUTHORIZED
            setUid(req=req, uid=uid)

        guest_p = isGuestUser(getUid(req), run_on_slave=False)

        uri = req.uri
        if uri == '/':
            path = ['']
        else:
            # Collapse runs of '/' before splitting into path components.
            uri = RE_SLASHES.sub('/', uri)
            path = uri[1:].split('/')

        if CFG_ACCESS_CONTROL_LEVEL_SITE > 1:
            # Maintenance mode: answer 503 so crawlers do not index the site.
            req.status = 503

        # Absent User-Agent is treated as "MSIE 6.0" for the check below.
        ua_match = _RE_BAD_MSIE.search(req.headers_in.get('User-Agent', "MSIE 6.0"))
        bad_msie = ua_match and float(ua_match.group(1)) < 9.0
        msie_over_tls = bad_msie and secure
        personalized = uri.startswith('/yours') or not guest_p
        if personalized:
            # Private/personalized responses must not be cached; old MSIE on
            # HTTPS gets a softer header without no-cache/no-store.
            if msie_over_tls:
                req.headers_out['Cache-Control'] = 'private, max-age=0, must-revalidate'
            else:
                req.headers_out['Cache-Control'] = 'private, no-cache, no-store, max-age=0, must-revalidate'
                req.headers_out['Pragma'] = 'no-cache'
                req.headers_out['Vary'] = '*'
        elif not msie_over_tls:
            # Public content may be cached for an hour.
            req.headers_out['Cache-Control'] = 'public, max-age=3600'
            req.headers_out['Vary'] = 'Cookie, ETag, Cache-Control'

        try:
            # Header-only requests skip the body, except for the special URIs
            # (bibdocfile), which handle HEAD themselves.
            if req.header_only and not RE_SPECIAL_URI.match(req.uri):
                return root._traverse(req, path, True, guest_p)
            return root._traverse(req, path, False, guest_p)
        except TraversalError:
            raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
        except apache.SERVER_RETURN:
            # mod_python's own control-flow exception: pass it through.
            raise
        except IOError, exc:
            # Clients closing the connection mid-write are not worth an
            # admin alert; anything else is reported before re-raising.
            if 'Write failed, client closed connection' not in "%s" % exc:
                register_exception(req=req, alert_admin=True)
            raise