def setup(self):
if not self.db.about(ABOUT_TABLE):
with self.db.transaction() as t:
t.execute(
sql_create(ABOUT_TABLE, {"version": "TEXT", "next_id": "INTEGER"})
)
t.execute(sql_insert(ABOUT_TABLE, {"version": "1.0", "next_id": 1000}))
t.execute(sql_create(DIGITS_TABLE, {"value": "INTEGER"}))
t.execute(sql_insert(DIGITS_TABLE, [{"value": i} for i in range(10)]))
def add_permission(self, user, resource, owner):
"""
:param user:
:param resource:
:param owner:
:return:
"""
user = wrap(user)
resource = wrap(resource)
owner = wrap(owner)
# DOES owner HAVE ACCESS TO resource?
if not self.verify_allowance(owner, resource):
Log.error("not allowed to assign resource")
# DOES THIS PERMISSION EXIST ALREADY
allowance = self.verify_allowance(user, resource)
if allowance:
if any(r.owner == owner for r in allowance):
Log.error("already allowed via {{allowance}}",
allowance=allowance)
# ALREADY ALLOWED, BUT MULTIPLE PATHS MAY BE OK
with self.db.transaction() as t:
t.execute(
sql_insert(PERMISSION_TABLE, {
"user": user._id,
"resource": resource._id,
"owner": owner._id
}))
def _insert(self, table, records):
records = listwrap(records)
keys = {"_id"}
for r in records:
keys.update(r.keys())
if r._id == None:
r._id = self.next_id()
with self.db.transaction() as t:
t.execute(sql_insert(table, records))
def save_session(self, app, session, response):
if not session or not session.keys():
return
if not session.session_id:
session.session_id = generate_sid()
session.permanent = True
DEBUG and Log.note("save session {{session}}", session=session)
now = Date.now().unix
session_id = session.session_id
result = self.db.query(
sql_query({
"from": self.table,
"where": {
"eq": {
"session_id": session_id
}
}
}))
saved_record = first(Data(zip(result.header, r)) for r in result.data)
expires = min(session.expires,
now + self.cookie.inactive_lifetime.seconds)
if saved_record:
DEBUG and Log.note("found session {{session}}",
session=saved_record)
saved_record.data = value2json(session)
saved_record.expires = expires
saved_record.last_used = now
with self.db.transaction() as t:
t.execute("UPDATE " + quote_column(self.table) + SQL_SET +
sql_list(
sql_eq(**{k: v})
for k, v in saved_record.items()) + SQL_WHERE +
sql_eq(session_id=session_id))
else:
new_record = {
"session_id": session_id,
"data": value2json(session),
"expires": expires,
"last_used": now,
}
DEBUG and Log.note("new record for db {{session}}",
session=new_record)
with self.db.transaction() as t:
t.execute(sql_insert(self.table, new_record))
response.set_cookie(app.session_cookie_name,
session_id,
expires=expires)
def id_generator(db):
"""
INSTALL AN ID GENERATOR
"""
about = db.about(VERSION_TABLE)
if not about:
with db.transaction() as t:
t.execute(
sql_create(VERSION_TABLE, {
"version": "TEXT",
"next_id": "LONG"
}))
t.execute(
sql_insert(VERSION_TABLE, {
"version": "1.0",
"next_id": 1000
}))
else:
for cid, name, dtype, notnull, dfft_value, pk in about:
if name == "next_id":
break
else:
with db.transaction() as t:
t.execute("ALTER TABLE " + quote_column(VERSION_TABLE) +
" ADD COLUMN next_id LONG")
t.execute(SQL_UPDATE + quote_column(VERSION_TABLE) + SQL_SET +
sql_eq(next_id=1000))
def _gen_ids():
while True:
with db.transaction() as t:
top_id = first(
first(
t.query(
sql_query({
"select": "next_id",
"from": VERSION_TABLE
})).data))
max_id = top_id + 1000
t.execute(SQL_UPDATE + quote_column(VERSION_TABLE) + SQL_SET +
sql_eq(next_id=max_id))
while top_id < max_id:
yield top_id
top_id += 1
return _gen_ids().__next__
def add_permission(self, user, resource, actor):
"""
:param user:
:param resource:
:param actor:
:return:
"""
user = wrap(user)
resource = wrap(resource)
# DOES THIS PERMISSION EXIST ALREADY
allowance = self.verify_allowance(user, resource)
if allowance:
if any(r.owner == actor for r in allowance):
Log.error("already allowed via {{allowance}}",
allowance=allowance)
# ALREADY ALLOWED, BUT MULTIPLE PATHS MAY BE OK
actor = wrap(actor)
qualified_owners = [
owner for owner in self.is_agent_for(actor)
if self.verify_allowance(owner, resource)
]
if not qualified_owners:
Log.error("not allowed to assign resource")
elif actor in qualified_owners:
pass
elif len(qualified_owners) > 1:
Log.error(
"more than one owner has access to resource, who are you acting for?"
)
owner = qualified_owners[0]
with self.db.transaction() as t:
t.execute(
sql_insert(PERMISSION_TABLE, {
"user": user._id,
"resource": resource._id,
"owner": owner._id
}))
def device_register(self, path=None):
"""
EXPECTING A SIGNED REGISTRATION REQUEST
RETURN JSON WITH url FOR LOGIN
"""
now = Date.now().unix
request_body = request.get_data().strip()
signed = json2value(request_body.decode("utf8"))
command = json2value(base642bytes(signed.data).decode("utf8"))
session.public_key = command.public_key
rsa_crypto.verify(signed, session.public_key)
self.session_manager.setup_session(session)
session.expires = now + parse("10minute").seconds
session.state = bytes2base64URL(Random.bytes(32))
with self.device.db.transaction() as t:
t.execute(
sql_insert(
self.device.table,
{
"state": session.state,
"session_id": session.session_id
},
))
response = value2json(
Data(
session_id=session.session_id,
interval="5second",
expiry=session.expires,
url=URL(
self.device.home,
path=self.device.endpoints.login,
query={"state": session.state},
),
))
return Response(response,
headers={"Content-Type": "application/json"},
status=200)
def create_table_resource(self, table_name, owner):
"""
CREATE A TABLE, CREATE RESOURCES FOR OPERATIONS, ENSURE CREATOR HAS CONTROL OVER TABLE
:param table_name: Create resources for given table
:param owner: assign this user as owner
:return:
"""
new_resources = wrap([{
"table": table_name,
"operation": op,
"owner": 1
} for op in TABLE_OPERATIONS])
self._insert(RESOURCE_TABLE, new_resources)
with self.db.transaction() as t:
t.execute(
sql_insert(PERMISSION_TABLE, [{
"user": owner._id,
"resource": r._id,
"owner": ROOT_USER._id
} for r in new_resources]))
def setup(self):
with self.db.transaction() as t:
t.execute(sql_create(VERSION_TABLE, {"version": "TEXT"}))
t.execute(sql_insert(VERSION_TABLE, {"version": "1.0"}))
t.execute(
sql_create(
GROUP_TABLE,
{
"_id": "LONG PRIMARY KEY",
"name": "TEXT",
"group": "TEXT",
"email": "TEXT",
"issuer": "TEXT",
"email_verified": "INTEGER",
"description": "TEXT",
"owner": "LONG",
},
))
t.execute(
sql_insert(
GROUP_TABLE,
[
{
"_id": 1,
"name": "root",
"email": "*****@*****.**",
"description": "access for security system",
},
{
"_id": 11,
"group": "public",
"description": "everyone with confirmed email",
"owner": 1,
},
{
"_id": 12,
"group": "mozillians",
"description":
"people that mozilla authentication has recongized as mozillian",
"owner": 1,
},
{
"_id": 13,
"group": "moz-employee",
"description":
"people that mozilla authentication has recongized as employee",
"owner": 1,
},
],
))
t.execute(
sql_create(
RESOURCE_TABLE,
{
"_id": "LONG PRIMARY KEY",
"table": "TEXT",
"operation": "TEXT",
"owner": "LONG",
},
))
t.execute(
sql_insert(
RESOURCE_TABLE,
[
CREATE_TABLE,
{
"_id": 101,
"table": ".",
"operation": "update",
"owner": 1
},
{
"_id": 102,
"table": ".",
"operation": "from",
"owner": 1
},
],
))
t.execute(
sql_create(
PERMISSION_TABLE,
{
"user": "******",
"resource": "LONG",
"owner": "LONG"
},
))
t.execute(
sql_insert(
PERMISSION_TABLE,
[
{
"user": 12,
"resource": 11,
"owner": 1
},
{
"user": 13,
"resource": 11,
"owner": 1
},
{
"user": 13,
"resource": 12,
"owner": 1
},
{
"user": 1,
"resource": 100,
"owner": 1
},
{
"user": 1,
"resource": 101,
"owner": 1
},
{
"user": 1,
"resource": 102,
"owner": 1
},
],
))
