def check_current_user_authorised_for_bucket(self, bucket_name): if not self._bucket_settings_service.is_bucket_recognised(bucket_name): raise exceptions.APIError(404, 'Bucket name not recognised') permitted_groups = self._bucket_settings_service.bucket_permitted_groups(bucket_name) for group_name in permitted_groups: if self._security_service.is_in_group(self._current_user, group_name): return raise exceptions.APIError(403, 'Not authorised for this bucket')
def get_body_attribute(self, key, default=None, required=False, value_type=str): # pylint: disable=no-member if key in self.body: self._check_attribute_is_not_empty(key, default, required, value_type) return self.body[key] if required: raise exceptions.APIError(400, 'Attribute missing') return default
def bucket_permitted_groups(self, bucket_name): if bucket_name in self._settings: return self._settings[bucket_name].groups self._logger.warning( f'Permitted groups requested for non-existent bucket "{bucket_name}"' ) raise exceptions.APIError(404, f'Bucket "{bucket_name}" does not exist')
def bucket_archive_root_directory(self, bucket_name): if bucket_name in self._settings: return self._settings[bucket_name].archive_root_dir self._logger.warning( f'Archive root directory requested for non-existent bucket "{bucket_name}"' ) raise exceptions.APIError(404, f'Bucket "{bucket_name}" does not exist')
def _check_attribute_is_not_empty(self, key, default, required, value_type): # pylint: disable=no-member if value_type == str and is_str_empty(self.body[key]) is False: return elif value_type == list and (self.body[key] is not None) and len(self.body[key]) > 0: return # If missing see if can use as default if required: raise exceptions.APIError(400, f'Attribute "{key}" is empty') self.body[key] = default
def check_not_trying_to_access_data_outside_root(self, bucket_name, rel_path): if rel_path is None: return root = self._bucket_settings_service.bucket_data_root_directory(bucket_name) canonical_root_path = self._file_system_helper.canonical_path(root) full_path = self._file_system_helper.join_paths(canonical_root_path, rel_path) directory_path = self._file_system_helper.file_directory(full_path) \ if self._file_system_helper.is_file(full_path) \ else full_path canonical_full_path = self._file_system_helper.canonical_path(directory_path) if is_sub_dir_of_root(directory_path=canonical_full_path, root_path=canonical_root_path) is False: raise exceptions.APIError(403, 'Can not access data outside root directory!')
def add_bucket(self, bucket_name, groups, archive_root_dir, data_root_dir): if self.is_bucket_recognised(bucket_name): raise exceptions.APIError( 404, f'Bucket "{bucket_name}" already exists') self._logger.info(f'Adding new bucket "{bucket_name}" to settings') new_setting = BucketSetting({ 'groups': groups, 'archive_root': archive_root_dir, 'data_root': data_root_dir }) self._settings[bucket_name] = new_setting self._write_settings()
def fail(message): raise exceptions.APIError(message)
def _authentication_failed(): raise exceptions.APIError(401, 'Authentication required')
def check_current_user_is_admin(self): for group_name in self._bucket_settings_service.admin_groups: if self._security_service.is_in_group(self._current_user, group_name): return raise exceptions.APIError(403, 'Administrator authorisation required')