Example #1
 def check_current_user_authorised_for_bucket(self, bucket_name):
     """Raise unless the current user is in a group permitted on the bucket.

     Returns None when the user belongs to at least one permitted group.

     Raises:
         exceptions.APIError: 404 when the bucket settings service does not
             recognise ``bucket_name``; 403 when the user is in none of the
             permitted groups. An empty group collection therefore ends in
             403, so the check fails closed.
     """
     settings = self._bucket_settings_service
     if not settings.is_bucket_recognised(bucket_name):
         # NOTE(review): answering 404 here and 403 below lets a caller who is
         # not authorised tell recognised bucket names from unrecognised
         # ones - confirm that is acceptable for this API.
         raise exceptions.APIError(404, 'Bucket name not recognised')
     user_is_permitted = any(
         self._security_service.is_in_group(self._current_user, name)
         for name in settings.bucket_permitted_groups(bucket_name)
     )
     if not user_is_permitted:
         raise exceptions.APIError(403, 'Not authorised for this bucket')
Example #2
 def get_body_attribute(self, key, default=None, required=False, value_type=str):
     """Return ``self.body[key]``, or ``default`` when the key is absent.

     When the key is present, ``_check_attribute_is_not_empty`` is called with
     the same arguments first, and the value is read from the body only
     afterwards.

     Raises:
         exceptions.APIError: 400 when the key is absent and ``required`` is
             true.
     """
     # pylint: disable=no-member
     if key not in self.body:
         if required:
             raise exceptions.APIError(400, 'Attribute missing')
         return default
     # NOTE(review): value_type is only forwarded to the emptiness check; this
     # method does not itself verify that the returned value is an instance of
     # value_type. If the body comes from a request, callers presumably need
     # their own type check - confirm.
     self._check_attribute_is_not_empty(key, default, required, value_type)
     return self.body[key]
Example #3
 def bucket_permitted_groups(self, bucket_name):
     """Return the ``groups`` attribute of the settings entry for a bucket.

     Raises:
         exceptions.APIError: 404 when ``bucket_name`` is not a key of
             ``self._settings``; a warning is logged first.
     """
     if bucket_name not in self._settings:
         # NOTE(review): bucket_name is interpolated verbatim into the log
         # line and the error text. If it can come from a request, confirm
         # that line breaks and control characters are neutralised before
         # they reach the log.
         self._logger.warning(
             f'Permitted groups requested for non-existent bucket "{bucket_name}"'
         )
         raise exceptions.APIError(404,
                                   f'Bucket "{bucket_name}" does not exist')
     return self._settings[bucket_name].groups
Example #4
 def bucket_archive_root_directory(self, bucket_name):
     """Return the ``archive_root_dir`` attribute of a bucket's settings entry.

     Raises:
         exceptions.APIError: 404 when ``bucket_name`` is not a key of
             ``self._settings``; a warning is logged first.
     """
     if bucket_name not in self._settings:
         # NOTE(review): bucket_name is interpolated verbatim into the log
         # line and the error text. If it can come from a request, confirm
         # that line breaks and control characters are neutralised before
         # they reach the log.
         self._logger.warning(
             f'Archive root directory requested for non-existent bucket "{bucket_name}"'
         )
         raise exceptions.APIError(404,
                                   f'Bucket "{bucket_name}" does not exist')
     return self._settings[bucket_name].archive_root_dir
Example #5
 def _check_attribute_is_not_empty(self, key, default, required, value_type):
     """Replace an empty ``self.body[key]`` with ``default``, or fail if required.

     A value counts as non-empty when ``value_type`` is ``str`` and
     ``is_str_empty`` returns exactly ``False``, or when ``value_type`` is
     ``list`` and the value is not None and has a length above zero. Any
     other ``value_type`` is always treated as empty.

     Raises:
         exceptions.APIError: 400 when the value is treated as empty and
             ``required`` is true.
     """
     # pylint: disable=no-member
     if value_type == str:
         has_content = is_str_empty(self.body[key]) is False
     elif value_type == list:
         # NOTE(review): a value without a length (for example a number)
         # raises TypeError in len() instead of an APIError 400; confirm the
         # body's types are validated before this point.
         has_content = (self.body[key] is not None) and len(self.body[key]) > 0
     else:
         has_content = False
     if has_content:
         return
     # Empty value: a required attribute is an error, an optional one is
     # overwritten in the body with the caller's default.
     if required:
         raise exceptions.APIError(400, f'Attribute "{key}" is empty')
     self.body[key] = default
Example #6
 def check_not_trying_to_access_data_outside_root(self, bucket_name, rel_path):
     """Reject a bucket-relative path that resolves outside the data root.

     Returns None without any check when ``rel_path`` is None. Otherwise the
     bucket's data root is canonicalised, ``rel_path`` is joined onto it, and
     the canonical form of the resulting directory is handed to
     ``is_sub_dir_of_root``.

     Raises:
         exceptions.APIError: 403 when ``is_sub_dir_of_root`` returns
             ``False``.
     """
     if rel_path is None:
         return
     data_root = self._bucket_settings_service.bucket_data_root_directory(bucket_name)
     fs = self._file_system_helper
     canonical_root_path = fs.canonical_path(data_root)
     full_path = fs.join_paths(canonical_root_path, rel_path)
     # For a file, the containment check is made on its parent directory.
     # NOTE(review): the final path component itself is never canonicalised
     # here. If canonical_path resolves symlinks and is_file follows them, a
     # link inside the root that points to a file outside it would presumably
     # pass - confirm against the helper implementations.
     if fs.is_file(full_path):
         directory_path = fs.file_directory(full_path)
     else:
         directory_path = full_path
     canonical_full_path = fs.canonical_path(directory_path)
     inside_root = is_sub_dir_of_root(directory_path=canonical_full_path,
                                      root_path=canonical_root_path)
     # NOTE(review): only a literal False is rejected, so any other return
     # value (None included) lets the request through; confirm that
     # is_sub_dir_of_root always returns a bool. The check is also separate
     # from the later file access, so the path can change in between.
     if inside_root is False:
         raise exceptions.APIError(403, 'Can not access data outside root directory!')
Example #7
 def add_bucket(self, bucket_name, groups, archive_root_dir, data_root_dir):
     """Register a new bucket in ``self._settings`` and write the settings out.

     Raises:
         exceptions.APIError: 404 when ``is_bucket_recognised`` already
             reports ``bucket_name``.
     """
     already_present = self.is_bucket_recognised(bucket_name)
     if already_present:
         # NOTE(review): 404 is an unusual status for a duplicate; 409 Conflict
         # is the conventional choice. Left unchanged because clients may
         # depend on the current code.
         raise exceptions.APIError(
             404, f'Bucket "{bucket_name}" already exists')
     # NOTE(review): no authorisation check and no validation of groups or of
     # the two directories is visible in this method; presumably the caller
     # restricts it to administrators - confirm.
     self._logger.info(f'Adding new bucket "{bucket_name}" to settings')
     fields = {
         'groups': groups,
         'archive_root': archive_root_dir,
         'data_root': data_root_dir
     }
     self._settings[bucket_name] = BucketSetting(fields)
     self._write_settings()
 def fail(message):
     """Raise an ``exceptions.APIError`` constructed from ``message`` alone.

     NOTE(review): APIError receives a single argument here; confirm that
     this matches its constructor (status code versus message).
     """
     error = exceptions.APIError(message)
     raise error
Example #9
 def _authentication_failed():
     """Raise the APIError used when authentication is required (HTTP 401)."""
     error = exceptions.APIError(401, 'Authentication required')
     raise error
Example #10
 def check_current_user_is_admin(self):
     """Raise unless the current user is in one of the admin groups.

     Returns None when the security service reports the user as a member of
     at least one group listed in the bucket settings service's
     ``admin_groups``.

     Raises:
         exceptions.APIError: 403 when the user is in none of them. An empty
             ``admin_groups`` therefore ends in 403, so the check fails
             closed.
     """
     user_is_admin = any(
         self._security_service.is_in_group(self._current_user, name)
         for name in self._bucket_settings_service.admin_groups
     )
     if not user_is_admin:
         raise exceptions.APIError(403, 'Administrator authorisation required')