def test_build_challenge_response(self): response = HttpDigestAuthenticator().build_challenge_response() self.assertEqual(401, response.status_code) self.assertEqual('digest ', response["WWW-Authenticate"][:7].lower()) parts = parse_parts(response["WWW-Authenticate"][7:]) self.assertEqual(DEFAULT_REALM, parts['realm']) with patch(settings, DIGEST_REALM='CUSTOM'): response = HttpDigestAuthenticator().build_challenge_response() parts = parse_parts(response["WWW-Authenticate"][7:]) self.assertEqual('CUSTOM', parts['realm'])
def test_authenticate_nonce(self): testuser = User.objects.create_user( username='******', email='*****@*****.**', password='******') User.objects.create_user( username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() with self.mocker: self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials( first_request )) with transaction.commit_on_success(): self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request))
def xformsManifest(request, username, id_string): # pylint: disable=C0103 """ XFormManifest view, part of OpenRosa Form Discovery API 1.0. """ xform_kwargs = { 'id_string__iexact': id_string, 'user__username__iexact': username } xform = get_form(xform_kwargs) formlist_user = xform.user profile, __ = UserProfile.objects.get_or_create(user=formlist_user) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() response = render( request, "xformsManifest.xml", { 'host': request.build_absolute_uri().replace(request.get_full_path(), ''), 'media_files': MetaData.media_upload(xform, download=True) }, content_type="text/xml; charset=utf-8") response['X-OpenRosa-Version'] = '1.0' response['Date'] = datetime.now(pytz.timezone(settings.TIME_ZONE))\ .strftime('%a, %d %b %Y %H:%M:%S %Z') return response
def xformsManifest(request, username, id_string): xform = get_object_or_404(XForm, id_string__exact=id_string, user__username__iexact=username) formlist_user = xform.user profile, created = \ UserProfile.objects.get_or_create(user=formlist_user) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() response = render( request, "xformsManifest.xml", { 'host': request.build_absolute_uri().replace(request.get_full_path(), ''), 'media_files': MetaData.media_upload(xform, download=True) }, content_type="text/xml; charset=utf-8") response['X-OpenRosa-Version'] = '1.0' tz = pytz.timezone(settings.TIME_ZONE) dt = datetime.now(tz).strftime('%a, %d %b %Y %H:%M:%S %Z') response['Date'] = dt return response
def wrapper(request, *args, **kwargs): authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() response = f(request, *args, **kwargs) if hasattr(response, 'status_code') and response.status_code in [401, 403]: return authenticator.build_challenge_response() if 200 <= response.status_code < 300: digest = python_digest.parse_digest_credentials( request.META['HTTP_AUTHORIZATION']) nc = "%08d" % digest.nc partial_digest = authenticator._account_storage.get_partial_digest( digest.username) parameters = { "username": request.user.username, "ha1": partial_digest, "nonce": digest.nonce, "cnonce": digest.cnonce, "method": digest.algorithm, "uri": digest.uri, "nc": nc, } rspauth = calc_rspauth(parameters) info = 'rspauth="%s",cnonce="%s",nc=%s,qop=%s' % ( rspauth, digest.cnonce, nc, digest.qop) response["Authentication-Info"] = info return response
def test_authenticate_basic(self): # a request for Basic auth thirteenth_request = self.create_mock_request_for_header( 'Basic YmxhaDpibGFo') authenticator = HttpDigestAuthenticator() self.assertFalse(authenticator.authenticate(thirteenth_request))
def form_upload(request, username): form_user = get_object_or_404(User, username__iexact=username) profile, created = \ UserProfile.objects.get_or_create(user=form_user) authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() if form_user != request.user: return HttpResponseForbidden( _(u"Not allowed to upload form[s] to %(user)s account." % {'user': form_user})) if request.method == 'HEAD': response = OpenRosaResponse(status=204) response['Location'] = request.build_absolute_uri().replace( request.get_full_path(), '/%s/formUpload' % form_user.username) return response xform_def = request.FILES.get('form_def_file', None) content = u"" if isinstance(xform_def, File): do_form_upload = PublishXForm(xform_def, form_user) dd = publish_form(do_form_upload.publish_xform) status = 201 if isinstance(dd, XForm): content = _(u"%s successfully published." % dd.id_string) else: content = dd['text'] if isinstance(content, Exception): content = content.message status = 500 else: status = 400 return OpenRosaResponse(content, status=status)
def test_authenticate_invalid(self): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') otheruser = User.objects.create_user(username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) # an invalid request fourth_request = self.create_mock_request_for_header( 'Digest blah blah blah') # an invalid request fifth_request = self.create_mock_request_for_header(None) # an invalid nonce sixth_request = self.create_mock_request( username=testuser.username, password='******', nonce_count=1, nonce=python_digest.calculate_nonce(time.time(), secret='bad secret')) # an invalid request digest (wrong password) seventh_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce, nonce_count=3) # attack attempts / failures don't invalidate the session or increment nonce_cont eighth_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce, nonce_count=3) eighth_request.user = testuser # mismatched URI ninth_request = self.create_mock_request( username=testuser.username, nonce=nonce, password='******', nonce_count=4, request_path='/different/path') # stale nonce tenth_request = self.create_mock_request( username=testuser.username, password='******', nonce_count=4, nonce=python_digest.calculate_nonce( time.time()-60000, secret=settings.SECRET_KEY)) # once the nonce is used by one user, can't be reused by another eleventh_request = self.create_mock_request( username=otheruser.username, password='******', nonce=nonce, nonce_count=4) authenticator = HttpDigestAuthenticator() with self.mocker: self.assertFalse(authenticator.authenticate(fourth_request)) self.assertFalse(authenticator.authenticate(fifth_request)) self.assertFalse(authenticator.authenticate(sixth_request)) self.assertFalse(authenticator.authenticate(seventh_request)) self.assertTrue(authenticator.authenticate(eighth_request)) self.assertFalse(authenticator.authenticate(ninth_request)) self.assertFalse(authenticator.authenticate(tenth_request)) self.assertFalse(authenticator.authenticate(eleventh_request))
def formList(request, username): formlist_user = get_object_or_404(User, username=username) content_user = get_object_or_404(User, username=username) profile, created = UserProfile.objects.get_or_create(user=formlist_user) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() # unauthorized if user in auth request does not match user in path # unauthorized if user not active if not request.user.is_active: return HttpResponseNotAuthorized() #xforms = XForm.objects.filter(downloadable=True, user__username=username) # forms shared with user print str(formlist_user.id) frm_qry = "select xform_id from vwrolewiseformpermission where can_submit=1 and user_id=" + str( formlist_user.id) cursor = connection.cursor() cursor.execute(frm_qry) tmp_db_value = cursor.fetchall() frm_list = [] if tmp_db_value is not None: for every in tmp_db_value: frm_list.append(every[0]) cursor.close() xforms = XForm.objects.filter( reduce(operator.or_, [Q(id=c) for c in frm_list])) #xfct = ContentType.objects.get(app_label='logger', model='xform') #xfs = content_user.userobjectpermission_set.filter(content_type=xfct) #shared_forms_pks = list(set([xf.object_pk for xf in xfs])) #xforms = XForm.objects.filter( # pk__in=shared_forms_pks).select_related('user') audit = {} audit_log(Actions.USER_FORMLIST_REQUESTED, request.user, formlist_user, _("Requested forms list."), audit, request) response = render_to_response("xformsList.xml", { 'host': request.build_absolute_uri().replace(request.get_full_path(), ''), 'xforms': xforms }, mimetype="text/xml; charset=utf-8") response['X-OpenRosa-Version'] = '1.0' tz = pytz.timezone(settings.TIME_ZONE) dt = datetime.now(tz).strftime('%a, %d %b %Y %H:%M:%S %Z') response['Date'] = dt return response
def __call__(self, request): authenticator = HttpDigestAuthenticator() if (not authenticator.authenticate(request) and (get_setting("DIGEST_REQUIRE_AUTHENTICATION", False) or authenticator.contains_digest_credentials(request))): return authenticator.build_challenge_response() response = self.get_response(request) if response.status_code == 401: return authenticator.build_challenge_response() return response
def httpdigest(*args, **kwargs): ''' May be used in one of three ways: * as a decorator factory (with the arguments being parameters to an instance of HttpDigestAuthenticator used to protect the decorated view) * as a decorator (protecting the decorated view with a default-constructed instance of HttpDigestAuthenticator) * as a decorator factory (with the argument being a pre-constructed HttpDigestAuthenticator instance used to protect the decorated view) ''' if len(args) == 1 and not kwargs and isCallable(args[0]): authenticator = HttpDigestAuthenticator() return decorator(partial(_httpdigest, authenticator), args[0]) if len(args) == 1 and not kwargs and isinstance(args[0], HttpDigestAuthenticator): authenticator = args[0] else: authenticator = HttpDigestAuthenticator(*args, **kwargs) return lambda (f): decorator(partial(_httpdigest, authenticator), f)
def formList(request, username): # pylint: disable=C0103 """ formList view, /formList OpenRosa Form Discovery API 1.0. """ formlist_user = get_object_or_404(User, username__iexact=username) profile = cache.get(f'{USER_PROFILE_PREFIX}{formlist_user.username}') if not profile: profile, __ = UserProfile.objects.get_or_create( user__username=formlist_user.username) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() # unauthorized if user in auth request does not match user in path # unauthorized if user not active if not request.user.is_active: return HttpResponseNotAuthorized() # filter private forms (where require_auth=False) # for users who are non-owner if request.user.username == profile.user.username: xforms = XForm.objects.filter(downloadable=True, deleted_at__isnull=True, user__username__iexact=username) else: xforms = XForm.objects.filter(downloadable=True, deleted_at__isnull=True, user__username__iexact=username, require_auth=False) audit = {} audit_log(Actions.USER_FORMLIST_REQUESTED, request.user, formlist_user, _("Requested forms list."), audit, request) data = { 'host': request.build_absolute_uri().replace(request.get_full_path(), ''), 'xforms': xforms } response = render(request, "xformsList.xml", data, content_type="text/xml; charset=utf-8") response['X-OpenRosa-Version'] = '1.0' response['Date'] = datetime.now(pytz.timezone(settings.TIME_ZONE))\ .strftime('%a, %d %b %Y %H:%M:%S %Z') return response
def formList(request, username): """ This is where ODK Collect gets its download list. """ if username.lower() == 'crowdforms': xforms = XForm.objects.filter(is_crowd_form=True)\ .exclude(user__username=username) else: formlist_user = get_object_or_404(User, username=username) profile, created = \ UserProfile.objects.get_or_create(user=formlist_user) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() # unauthorized if user in auth request does not match user in path # unauthorized if user not active if formlist_user.username != request.user.username or\ not request.user.is_active: return HttpResponseNotAuthorized() xforms = \ XForm.objects.filter(downloadable=True, user__username=username) # retrieve crowd_forms for this user crowdforms = XForm.objects.filter( metadata__data_type=MetaData.CROWDFORM_USERS, metadata__data_value=username) xforms = chain(xforms, crowdforms) audit = {} audit_log(Actions.USER_FORMLIST_REQUESTED, request.user, formlist_user, _("Requested forms list."), audit, request) response = render_to_response( "xformsList.xml", { #'urls': urls, 'host': request.build_absolute_uri().replace(request.get_full_path(), ''), 'xforms': xforms }, mimetype="text/xml; charset=utf-8") response['X-OpenRosa-Version'] = '1.0' tz = pytz.timezone(settings.TIME_ZONE) dt = datetime.now(tz).strftime('%a, %d %b %Y %H:%M:%S %Z') response['Date'] = dt return response
def view_submission_list(request, username): """ Submission list view. Briefcase Aggregate API view/submissionList. """ form_user = get_object_or_404(User, username__iexact=username) __, ___ = UserProfile.objects.get_or_create(user=form_user) authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() id_string = request.GET.get('formId', None) xform_kwargs = { 'id_string__iexact': id_string, 'user__username__iexact': username } xform = get_form(xform_kwargs) if not has_permission(xform, form_user, request, xform.shared_data): return HttpResponseForbidden('Not shared.') num_entries = request.GET.get('numEntries', None) cursor = request.GET.get('cursor', None) instances = xform.instances.filter(deleted_at=None).order_by('pk') cursor = _parse_int(cursor) if cursor: instances = instances.filter(pk__gt=cursor) num_entries = _parse_int(num_entries) if num_entries: instances = instances[:num_entries] data = {'instances': instances} resumption_cursor = 0 if instances.count(): last_instance = instances[instances.count() - 1] resumption_cursor = last_instance.pk elif instances.count() == 0 and cursor: resumption_cursor = cursor data['resumptionCursor'] = resumption_cursor return render( request, 'submissionList.xml', data, content_type="text/xml; charset=utf-8")
def view_submission_list(request, username): form_user = get_object_or_404(User, username=username) profile, created = \ UserProfile.objects.get_or_create(user=form_user) authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() context = RequestContext(request) id_string = request.GET.get('formId', None) xform = get_object_or_404(XForm, id_string=id_string, user__username=username) if not has_permission(xform, form_user, request, xform.shared_data): return HttpResponseForbidden('Not shared.') num_entries = request.GET.get('numEntries', None) cursor = request.GET.get('cursor', None) instances = xform.surveys.filter(deleted_at=None).order_by('pk') if cursor: try: cursor = int(cursor) except ValueError: pass else: instances = instances.filter(pk__gt=cursor) if num_entries: try: num_entries = int(num_entries) except ValueError: pass else: instances = instances[:num_entries] context.instances = instances if instances.count(): last_instance = instances[instances.count() - 1] context.resumptionCursor = last_instance.pk elif instances.count() == 0 and cursor: context.resumptionCursor = cursor else: context.resumptionCursor = 0 return render_to_response('submissionList.xml', context_instance=context, mimetype="text/xml; charset=utf-8")
def formList(request, username): """ This is where ODK Collect gets its download list. """ formlist_user = get_object_or_404(User, username__iexact=username) profile, created = UserProfile.objects.get_or_create(user=formlist_user) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() # unauthorized if user in auth request does not match user in path # unauthorized if user not active if not request.user.is_active: return HttpResponseNotAuthorized() # filter private forms (where require_auth=False) # for users who are non-owner if request.user.username == profile.user.username: xforms = XForm.objects.filter(downloadable=True, user__username__iexact=username) else: xforms = XForm.objects.filter(downloadable=True, user__username__iexact=username, require_auth=False) audit = {} audit_log(Actions.USER_FORMLIST_REQUESTED, request.user, formlist_user, _("Requested forms list."), audit, request) data = { 'host': request.build_absolute_uri().replace(request.get_full_path(), ''), 'xforms': xforms } response = render(request, "xformsList.xml", data, content_type="text/xml; charset=utf-8") response['X-OpenRosa-Version'] = '1.0' tz = pytz.timezone(settings.TIME_ZONE) dt = datetime.now(tz).strftime('%a, %d %b %Y %H:%M:%S %Z') response['Date'] = dt return response
def view_download_submission(request, username): """ Submission download view. Briefcase Aggregate API view/downloadSubmissionList. """ form_user = get_object_or_404(User, username__iexact=username) __, ___ = UserProfile.objects.get_or_create(user=form_user) authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() data = {} form_id = request.GET.get('formId', None) if not isinstance(form_id, six.string_types): return HttpResponseBadRequest() id_string = form_id[0:form_id.find('[')] form_id_parts = form_id.split('/') if form_id_parts.__len__() < 2: return HttpResponseBadRequest() uuid = _extract_uuid(form_id_parts[1]) instance = get_object_or_404( Instance, xform__id_string__iexact=id_string, uuid=uuid, xform__user__username=username, deleted_at__isnull=True) xform = instance.xform if not has_permission(xform, form_user, request, xform.shared_data): return HttpResponseForbidden('Not shared.') submission_xml_root_node = instance.get_root_node() submission_xml_root_node.setAttribute('instanceID', u'uuid:%s' % instance.uuid) submission_xml_root_node.setAttribute('submissionDate', instance.date_created.isoformat()) data['submission_data'] = submission_xml_root_node.toxml() data['media_files'] = Attachment.objects.filter(instance=instance) data['host'] = request.build_absolute_uri().replace( request.get_full_path(), '') return render( request, 'downloadSubmission.xml', data, content_type="text/xml; charset=utf-8")
def test_authenticate_missing(self): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') User.objects.create_user(username='******', email='*****@*****.**', password='******') python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) # if the partial digest is not in the DB, authentication fails twelfth_request = self.create_mock_request(username=testuser.username, password='******', nonce_count=3) authenticator = HttpDigestAuthenticator() PartialDigest.objects.all().delete() self.assertFalse(authenticator.authenticate(twelfth_request))
def view_download_submission(request, username): def extract_uuid(text): text = text[text.find("@key="):-1].replace("@key=", "") if text.startswith("uuid:"): text = text.replace("uuid:", "") return text form_user = get_object_or_404(User, username=username) profile, created = \ UserProfile.objects.get_or_create(user=form_user) authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() context = RequestContext(request) formId = request.GET.get('formId', None) if not isinstance(formId, basestring): return HttpResponseBadRequest() id_string = formId[0:formId.find('[')] form_id_parts = formId.split('/') if form_id_parts.__len__() < 2: return HttpResponseBadRequest() uuid = extract_uuid(form_id_parts[1]) try: instance = Instance.objects.filter(xform__id_string=id_string, uuid=uuid, user__username=username, deleted_at=None)[0] xform = instance.xform if not has_permission(xform, form_user, request, xform.shared_data): return HttpResponseForbidden('Not shared.') submission_xml_root_node = instance.get_root_node() submission_xml_root_node.setAttribute('instanceID', u'uuid:%s' % instance.uuid) submission_xml_root_node.setAttribute( 'submissionDate', instance.date_created.isoformat()) context.submission_data = submission_xml_root_node.toxml() context.media_files = Attachment.objects.filter(instance=instance) context.host = request.build_absolute_uri().replace( request.get_full_path(), '') return render_to_response('downloadSubmission.xml', context_instance=context, mimetype="text/xml; charset=utf-8") except IndexError: raise Http404
def test_decorator_with_pre_constructed_authenticator(self): response = self.mocker.mock(count=False) expect(response.status_code).result(200) @httpdigest(HttpDigestAuthenticator(realm='MY_TEST_REALM')) def test_view(request): return response testuser = User.objects.create_user('testuser', '*****@*****.**', 'pass') request = self.create_mock_request_for_header(None) request.user = testuser with self.mocker: final_response = test_view(request) self.assertEqual(401, final_response.status_code) self.assertTrue('WWW-Authenticate' in final_response) self.assertTrue('MY_TEST_REALM' in final_response['WWW-Authenticate'])
def odk_get_form(req, pk): # if forms are restricted, force digest authentication if getattr(settings, 'AUTHENTICATE_XFORMS', False): authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(req): return authenticator.build_challenge_response() xform = get_object_or_404(XForm, pk=pk) if not xform.does_user_have_permission(req.user): return HttpResponse("You do not have permission to view this form", status=403) resp = render_to_response("xforms/odk_get_form.xml", {'xform': xform}, mimetype="text/xml", context_instance=RequestContext(req)) resp[ 'Content-Disposition'] = 'attachment;filename="%s.xml"' % xform.keyword return resp
def odk_list_forms(req): # if forms are restricted, force digest authentication if getattr(settings, 'AUTHENTICATE_XFORMS', False): authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(req): return authenticator.build_challenge_response() xforms = [] for form in XForm.on_site.filter(active=True): if form.does_user_have_permission(req.user): xforms.append(form) return render_to_response("xforms/odk_list_forms.xml", { 'xforms': xforms, 'host': settings.XFORMS_HOST }, mimetype="text/xml", context_instance=RequestContext(req))
def test_authenticate_nonce(self): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') User.objects.create_user(username='******', email='*****@*****.**', password='******') nonce = python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() assert 'HTTP_AUTHORIZATION' in first_request.META assert python_digest.is_digest_credential( first_request.META['HTTP_AUTHORIZATION']) self.assertTrue( HttpDigestAuthenticator.contains_digest_credentials(first_request)) transaction.set_autocommit(False) self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request)) transaction.commit() transaction.set_autocommit(True)
def download_xform(request, username, id_string): user = get_object_or_404(User, username__iexact=username) xform = get_object_or_404(XForm, user=user, id_string__exact=id_string) profile, created =\ UserProfile.objects.get_or_create(user=user) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() audit = {"xform": xform.id_string} audit_log( Actions.FORM_XML_DOWNLOADED, request.user, xform.user, _("Downloaded XML for form '%(id_string)s'.") % {"id_string": xform.id_string}, audit, request) response = response_with_mimetype_and_name('xml', id_string, show_date=False) response.content = xform.xml return response
def formList(request, username): """ This is where ODK Collect gets its download list. """ print '####' formlist_user = get_object_or_404(User, username=username) content_user = get_object_or_404(User, username=username) profile, created = UserProfile.objects.get_or_create(user=formlist_user) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() # unauthorized if user in auth request does not match user in path # unauthorized if user not active if not request.user.is_active: return HttpResponseNotAuthorized() #xforms = XForm.objects.filter(downloadable=True, user__username=username) # forms shared with user xfct = ContentType.objects.get(app_label='logger', model='xform') xfs = content_user.userobjectpermission_set.filter(content_type=xfct) shared_forms_pks = list(set([xf.object_pk for xf in xfs])) xforms = XForm.objects.filter( pk__in=shared_forms_pks).select_related('user') audit = {} audit_log(Actions.USER_FORMLIST_REQUESTED, request.user, formlist_user, _("Requested forms list."), audit, request) response = render_to_response("xformsList.xml", { 'host': request.build_absolute_uri().replace( request.get_full_path(), ''), 'xforms': xforms }, mimetype="text/xml; charset=utf-8") response['X-OpenRosa-Version'] = '1.0' tz = pytz.timezone(settings.TIME_ZONE) dt = datetime.now(tz).strftime('%a, %d %b %Y %H:%M:%S %Z') response['Date'] = dt return response
def test_disable_nonce_count_enforcement(self): with patch(settings, DIGEST_ENFORCE_NONCE_COUNT=False): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') nonce = python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will succeed second_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce) second_request.user = testuser authenticator = HttpDigestAuthenticator() self.assertTrue(authenticator.authenticate(first_request)) self.assertTrue(authenticator.authenticate(second_request))
def form_upload(request, username): class DoXmlFormUpload(): def __init__(self, xml_file, user): self.xml_file = xml_file self.user = user def publish(self): return publish_xml_form(self.xml_file, self.user) form_user = get_object_or_404(User, username=username) profile, created = \ UserProfile.objects.get_or_create(user=form_user) authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() if request.method == 'HEAD': response = OpenRosaResponse(status=204) response['Location'] = request.build_absolute_uri().replace( request.get_full_path(), '/%s/formUpload' % form_user.username) return response xform_def = request.FILES.get('form_def_file', None) content = u"" if isinstance(xform_def, File): do_form_upload = DoXmlFormUpload(xform_def, form_user) dd = publish_form(do_form_upload.publish) status = 201 if isinstance(dd, XForm): content = _(u"%s successfully published." % dd.id_string) else: content = dd['text'] if isinstance(content, Exception): content = content.message status = 500 else: status = 400 return OpenRosaResponse(content, status=status)
def __init__(self): self.authenticator = HttpDigestAuthenticator()
def submission(request, username=None): if username: formlist_user = get_object_or_404(User, username__iexact=username) profile, created = UserProfile.objects.get_or_create( user=formlist_user) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() if request.method == 'HEAD': response = OpenRosaResponse(status=204) if username: response['Location'] = request.build_absolute_uri().replace( request.get_full_path(), '/%s/submission' % username) else: response['Location'] = request.build_absolute_uri().replace( request.get_full_path(), '/submission') return response xml_file_list = [] media_files = [] # request.FILES is a django.utils.datastructures.MultiValueDict # for each key we have a list of values try: xml_file_list = request.FILES.pop("xml_submission_file", []) if len(xml_file_list) != 1: return OpenRosaResponseBadRequest( _(u"There should be a single XML submission file.")) # save this XML file and media files as attachments media_files = request.FILES.values() # get uuid from post request uuid = request.POST.get('uuid') error, instance = safe_create_instance(username, xml_file_list[0], media_files, uuid, request) if error: return error elif instance is None: return OpenRosaResponseBadRequest( _(u"Unable to create submission.")) audit = {"xform": instance.xform.id_string} audit_log( Actions.SUBMISSION_CREATED, request.user, instance.xform.user, _("Created submission on form %(id_string)s.") % {"id_string": instance.xform.id_string}, audit, request) # response as html if posting with a UUID if not username and uuid: response = _html_submission_response(request, instance) else: response = _submission_response(request, instance) # ODK needs two things for a form to be considered successful # 1) the status code needs to be 201 (created) # 2) The location header needs to be set to the host it posted to response.status_code = 201 response['Location'] = request.build_absolute_uri(request.path) return response except IOError as e: if _bad_request(e): return OpenRosaResponseBadRequest( _(u"File transfer interruption.")) else: raise finally: if len(xml_file_list): [_file.close() for _file in xml_file_list] if len(media_files): [_file.close() for _file in media_files]
def submission(request, username=None): if username and username.lower() != 'crowdforms': formlist_user = get_object_or_404(User, username=username.lower()) profile, created = \ UserProfile.objects.get_or_create(user=formlist_user) if profile.require_auth: authenticator = HttpDigestAuthenticator() if not authenticator.authenticate(request): return authenticator.build_challenge_response() if request.method == 'HEAD': response = OpenRosaResponse(status=204) if username: response['Location'] = request.build_absolute_uri().replace( request.get_full_path(), '/%s/submission' % username) else: response['Location'] = request.build_absolute_uri().replace( request.get_full_path(), '/submission') return response context = RequestContext(request) xml_file_list = [] media_files = [] html_response = False # request.FILES is a django.utils.datastructures.MultiValueDict # for each key we have a list of values try: xml_file_list = request.FILES.pop("xml_submission_file", []) if len(xml_file_list) != 1: return OpenRosaResponseBadRequest( _(u"There should be a single XML submission file.")) # save this XML file and media files as attachments media_files = request.FILES.values() # get uuid from post request uuid = request.POST.get('uuid') # response as html if posting with a UUID if not username and uuid: html_response = True try: instance = create_instance(username, xml_file_list[0], media_files, uuid=uuid, request=request) except InstanceInvalidUserError: return OpenRosaResponseBadRequest(_(u"Username or ID required.")) except IsNotCrowdformError: return OpenRosaResponseNotAllowed( _(u"Sorry but the crowd form you submitted to is closed.")) except InstanceEmptyError: return OpenRosaResponseBadRequest( _(u"Received empty submission. No instance was created")) except FormInactiveError: return OpenRosaResponseNotAllowed(_(u"Form is not active")) except XForm.DoesNotExist: return OpenRosaResponseNotFound( _(u"Form does not exist on this account")) except ExpatError: return OpenRosaResponseBadRequest(_(u"Improperly formatted XML.")) except DuplicateInstance: response = OpenRosaResponse(_(u"Duplicate submission")) response.status_code = 202 response['Location'] = request.build_absolute_uri(request.path) return response except PermissionDenied, e: return OpenRosaResponseNotAllowed(e.message) except Exception, e: raise