def process_request(self, request): headers = ['fiware-oauth-token', 'fiware-openstack-token'] filtered = [ header for header in headers if header in request['headers'] ] if len(filtered) == 0: return for header in filtered: del request['headers'][header] if not IDM_SUPPORT_ENABLED: raise ValidationError(_('IdM support not enabled')) elif request['workspace'] is None: raise ValidationError( _('IdM tokens can only be inyected on Ajax requests coming from authorized widgets' )) tenantid = request['headers'].get("fiware-openstack-tenant-id") source = 'user' if 'fiware-oauth-source' in request['headers']: source = request['headers']['fiware-oauth-source'] del request['headers']['fiware-oauth-source'] if source == 'user': token = get_access_token( request['user'], _('Current user has not an active FIWARE profile')) if 'fiware-openstack-token' in filtered: openstacktoken = self.openstack_manager.get_token( request['user'], tenantid) elif source == 'workspaceowner': token = get_access_token( request['workspace'].creator, _('Workspace owner has not an active FIWARE profile')) if 'fiware-openstack-token' in filtered: openstacktoken = self.openstack_manager.get_token( request['workspace'].creator, tenantid) else: raise ValidationError(_('Invalid FIWARE OAuth token source')) if 'fiware-oauth-token' in filtered: replace_get_parameter(request, ["fiware-oauth-get-parameter"], token) replace_header_name(request, ["fiware-oauth-header-name"], token) replace_body_pattern(request, ["fiware-oauth-body-pattern"], token) if 'fiware-openstack-token' in filtered: replace_get_parameter(request, ["fiware-openstack-get-parameter"], openstacktoken) replace_header_name(request, ["fiware-openstack-header-name"], openstacktoken) replace_body_pattern(request, ["fiware-openstack-body-pattern"], openstacktoken)
def get_access_token(user, error_msg): "Gets the access_token of a user using python-social-auth" try: oauth_info = user.social_auth.get(provider='fiware') if oauth_info.access_token is None: raise Exception return oauth_info.access_token except: raise ValidationError(error_msg)
def process_secure_data(text, request): definitions = text.split('&') cache_manager = VariableValueCacheManager(request['workspace'], request['user']) for definition in definitions: params = definition.split(',') if len(params) == 1 and params[0].strip() == '': continue options = {} for pair in params: tokens = pair.split('=') option_name = unquote(tokens[0].strip()) options[option_name] = unquote(tokens[1].strip()) action = options.get('action', 'data') if action == 'data': substr = options.get('substr', '') var_ref = options.get('var_ref', '') check_empty_params(substr=substr, var_ref=var_ref) value = get_variable_value_by_ref(var_ref, cache_manager) check_invalid_refs(var_ref=value) encoding = options.get('encoding', 'none') substr = substr.encode('utf8') if encoding == 'url': value = urlquote(value).encode('utf8') elif encoding == 'base64': value = base64.b64encode(value.encode('utf8'))[:-1] else: value = value.encode('utf8') new_body = request['data'].read().replace(substr, value) request['headers']['content-length'] = "%s" % len(new_body) request['data'] = BytesIO(new_body) elif action == 'basic_auth': user_ref = options.get('user_ref', '') password_ref = options.get('pass_ref', '') check_empty_params(user_ref=user_ref, password_ref=password_ref) user_value = get_variable_value_by_ref(user_ref, cache_manager) password_value = get_variable_value_by_ref(password_ref, cache_manager) check_invalid_refs(user_ref=user_value, password_ref=password_value) token = base64.b64encode( (user_value + ':' + password_value).encode('utf8'))[:-1] request['headers']['Authorization'] = 'Basic ' + token.decode( 'ascii') else: raise ValidationError('Unsupported action: %s' % action)
def check_invalid_refs(**kargs): invalid_params = [] for param_name in kargs: if kargs[param_name] is None: invalid_params.append(param_name) if len(invalid_params) > 0: msg = _( 'X-WireCloud-Secure-Data: The following required parameters are invalid: %(params)s' ) raise ValidationError(msg % {'params': ', '.join(invalid_params)})
def check_empty_params(**kargs): missing_params = [] for param_name in kargs: if kargs[param_name] == '': missing_params.append(param_name) if len(missing_params) > 0: msg = _( 'X-WireCloud-Secure-Data: The following required parameters are missing: %(params)s' ) raise ValidationError(msg % {'params': ', '.join(missing_params)})
def get_variable_value_by_ref(ref, cache_manager): result = VAR_REF_RE.match(ref) try: if result.group('iwidget_id') == 'c': return result.group('var_name') else: return cache_manager.get_variable_value_from_varname( result.group('iwidget_id'), result.group('var_name')) except (IWidget.DoesNotExist, KeyError): return None except: raise ValidationError('Invalid variable reference: %s' % ref)
def get_access_token(user, error_msg): "Gets the access_token of a user using python-social-auth" try: oauth_info = user.social_auth.get(provider='keycloak_oidc') if oauth_info.access_token is None: raise Exception # Refresh the token if expired if oauth_info.access_token_expired(): oauth_info.refresh_token(STRATEGY) return oauth_info.access_token except: raise ValidationError(error_msg)
def get_token(self, user, tenantid=None): oauth_info = user.social_auth.get(provider='fiware') if oauth_info.access_token is None: raise ValidationError("User doesn't have an access token") opentok = oauth_info.extra_data.get('openstack_token') tenantid = "__default__" if tenantid is None else tenantid if opentok is None or opentok.get(tenantid): opentok = self.get_openstack_token(user.username, oauth_info.access_token, tenantid) oauth_info.extra_data['openstack_token'][tenantid] = opentok oauth_info.save() return opentok
def get_access_token(user, error_msg): "Gets the access_token of a user using python-social-auth" try: oauth_info = user.social_auth.get(provider='fiware') if oauth_info.access_token is None: raise Exception # Refresh the token if the token has been expired or the token expires # in less than 30 seconds # Also refresh the token if expires_on information does not exist yet if time.time() > oauth_info.extra_data.get('expires_on', 0) - 30: oauth_info.refresh_token(STRATEGY) return oauth_info.access_token except: raise ValidationError(error_msg)
def parse_request_headers(request, request_data): request_data.setdefault("cookies", SimpleCookie()) request_data.setdefault("headers", {}) if 'HTTP_TRANSFER_ENCODING' in request.META: raise ValidationError( build_error_response( request, 422, "WireCloud doesn't support requests using the Transfer-Encoding header" )) for header in request.META.items(): header_name = header[0].lower() if header_name == 'content_type' and header[1]: request_data['headers']["content-type"] = header[1] elif header_name == 'content_length' and header[1]: # Only take into account request body if the request has a # Content-Length header (we don't support chunked requests) request_data['data'] = request request_data['headers']['content-length'] = "%s" % header[1] request_data['data'].len = int(header[1]) elif header_name == 'cookie' or header_name == 'http_cookie': cookie_parser = SimpleCookie(str(header[1])) del cookie_parser[str(settings.SESSION_COOKIE_NAME)] if str(settings.CSRF_COOKIE_NAME) in cookie_parser: del cookie_parser[str(settings.CSRF_COOKIE_NAME)] request_data['cookies'].update(cookie_parser) elif HTTP_HEADER_RE.match( header_name) and header_name not in BLACKLISTED_HTTP_HEADERS: fixed_name = header_name.replace("http_", "", 1).replace('_', '-') request_data['headers'][fixed_name] = header[1]
def process_request(self, request): if 'x-fi-ware-oauth-token' not in request['headers']: return if not IDM_SUPPORT_ENABLED: raise ValidationError(_('IdM support not enabled')) elif request['workspace'] is None: raise ValidationError( _('IdM tokens can only be inyected on Ajax requests coming from authorized widgets' )) header_name = None source = 'user' if 'x-fi-ware-oauth-source' in request['headers']: source = request['headers']['x-fi-ware-oauth-source'] del request['headers']['x-fi-ware-oauth-source'] if source == 'user': token = get_access_token( request['user'], _('Current user has not an active FIWARE profile')) elif source == 'workspaceowner': token = get_access_token( request['workspace'].creator, _('Workspace owner has not an active FIWARE profile')) else: raise ValidationError(_('Invalid FIWARE OAuth token source')) if 'x-fi-ware-oauth-get-parameter' in request['headers']: header_name = request['headers']['x-fi-ware-oauth-get-parameter'] url = request['url'] if '?' in url: url += '&' else: url += '?' url += urlquote_plus( request['headers'] ['x-fi-ware-oauth-get-parameter']) + '=' + urlquote_plus(token) request['url'] = url del request['headers']['x-fi-ware-oauth-get-parameter'] if 'x-fi-ware-oauth-header-name' in request['headers']: header_name = request['headers']['x-fi-ware-oauth-header-name'] if header_name == "Authorization": token_pattern = "Bearer {token}" else: token_pattern = "{token}" request['headers'][header_name] = token_pattern.format(token=token) del request['headers']['x-fi-ware-oauth-header-name'] if 'x-fi-ware-oauth-token-body-pattern' in request['headers']: pattern = request['headers']['x-fi-ware-oauth-token-body-pattern'] new_body = request['data'].read().replace(pattern.encode('utf8'), token.encode('utf8')) request['headers']['content-length'] = "%s" % len(new_body) request['data'] = BytesIO(new_body) del request['headers']['x-fi-ware-oauth-token-body-pattern'] del request['headers']['x-fi-ware-oauth-token']