def process_request(self, req, resp):
"""Performs content type enforcement on behalf of REST verbs."""
valid_content_types = ['application/x-yaml']
# GET and DELETE should never carry a message body, and have
# no content type. Check for content-length or
# transfer-encoding to determine if a content-type header
# is required.
requires_content_type = (req.method not in ['GET', 'DELETE'] and (
(req.content_length is not None and req.content_length > 0)
or req.get_header('transfer-encoding') is not None))
if requires_content_type:
content_type = (req.content_type.split(';', 1)[0].strip()
if req.content_type else '')
if not content_type:
raise falcon.HTTPMissingHeader('Content-Type')
elif content_type not in valid_content_types:
message = (
"Unexpected content type: {type}. Expected content types "
"are: {expected}.").format(type=six.b(
req.content_type).decode('utf-8'),
expected=valid_content_types)
raise falcon.HTTPUnsupportedMediaType(description=message)
def _validate_content_type(req):
"""Validate content type.
Function validates request against correct content type.
If Content-Type cannot be established (i.e. header is missing),
:py:class:`falcon.HTTPMissingHeader` is thrown.
If Content-Type is not **application/json**(supported contents
types are define in SUPPORTED_CONTENT_TYPES variable),
:py:class:`falcon.HTTPUnsupportedMediaType` is thrown.
:param falcon.Request req: current request
:exception: :py:class:`falcon.HTTPMissingHeader`
:exception: :py:class:`falcon.HTTPUnsupportedMediaType`
"""
content_type = req.content_type
LOG.debug('Content-type is {0}'.format(content_type))
if content_type is None or len(content_type) == 0:
raise falcon.HTTPMissingHeader('Content-Type')
if content_type not in SUPPORTED_CONTENT_TYPES:
types = ','.join(SUPPORTED_CONTENT_TYPES)
details = (
'Only [{0}] are accepted as events representation'.format(types))
raise falcon.HTTPUnsupportedMediaType(description=details)
def validate_content_type(req, allowed):
"""Validates content type.
Method validates request against correct
content type.
If content-type cannot be established (i.e. header is missing),
:py:class:`falcon.HTTPMissingHeader` is thrown.
If content-type is not **application/json** or **text/plain**,
:py:class:`falcon.HTTPUnsupportedMediaType` is thrown.
:param falcon.Request req: current request
:param iterable allowed: allowed content type
:exception: :py:class:`falcon.HTTPMissingHeader`
:exception: :py:class:`falcon.HTTPUnsupportedMediaType`
"""
content_type = req.content_type
LOG.debug('Content-Type is %s', content_type)
if content_type is None or len(content_type) == 0:
raise falcon.HTTPMissingHeader('Content-Type')
if content_type not in allowed:
sup_types = ', '.join(allowed)
details = ('Only [%s] are accepted as logs representations'
% str(sup_types))
raise falcon.HTTPUnsupportedMediaType(description=details)
def authUser(req, resp, permissions):
authHeader = req.get_header('Authorization')
if authHeader == None:
raise falcon.HTTPMissingHeader('Authorization')
try:
user = User.objects.get({"auth_b64": authHeader[6:]})
diff_perms = list(set(permissions) - set(User.valid_permissions))
if len(diff_perms) > 0:
raise falcon.HTTPForbidden(
'Forbidden', "%s does not have the required permissions: %s" %
(user.username, ', '.join(diff_perms)))
except User.DoesNotExist:
req.context['logger'].debug({
'message': 'Failed login attempt',
'action': 'login'
})
raise falcon.HTTPUnauthorized('Unauthorized',
'Username and password does not exist.',
['Basic realm="WallyWorld"'])
else:
req.context['user'] = user
req.context['logger'].debug({
'message': "'%s' logged in." % user.username,
'action': 'login'
})
def do_auth(self, req, resp, resource, params):
if resource._conf.get('auth', False):
if not req.auth:
raise falcon.HTTPMissingHeader("Missing OAuth token", "Authorization")
try:
bearer, token = req.auth.split()
assert(bearer == "OAuth")
except AssertionError as exp:
raise falcon.HTTPInvalidHeader("Malformed Authorization header", "Authorization")
parts = token.split('.')
if len(parts) != 3:
raise falcon.HTTPUnauthorized("Token is not a valid JWT token")
itok = ".".join(parts[:2])
sig = hmac.new(resource._conf.get('secret', "there is no secret").encode('utf-8'), itok.encode('utf-8'), digestmod=hashlib.sha256).digest()
if not hmac.compare_digest(base64.urlsafe_b64encode(sig), parts[2].encode('utf-8')):
raise falcon.HTTPForbidden()
payload = json.loads(base64.urlsafe_b64decode(parts[1]).decode('utf-8'))
if payload["exp"] < int(time.time()):
raise falcon.HTTPForbidden(description="Token has expired")
if not resource.authorize(payload['prv']):
raise falcon.HTTPForbidden(description="User does not have permission to use this function")
self._usr = payload["iss"]
def encode_response(self, req, resp, resource):
if not req.get_header("Accept"):
raise falcon.HTTPMissingHeader("Accept")
if req.client_accepts(MIME['PSJSON']) or req.client_accepts(MIME['JSON']):
resp.body = json.dumps(resp.body)
elif req.client_accepts(MIME['PSBSON']) or req.client_accepts(MIME['BSON']):
resp.body = bson.dumps(resp.body)
def validate(self, user_name, user_id, req):
try:
header_name = req.headers[self.username_header]
token = req.headers[self.token_header]
except KeyError as err:
logging.exception(req.headers)
raise falcon.HTTPMissingHeader(err.args[0])
else:
if user_name == header_name:
return self.noncer.validate_token(user_name, token)
return False
def authorize(self, req):
if "AUTHORIZATION" not in req.headers:
raise falcon.HTTPMissingHeader("Authorization")
components = req.headers["AUTHORIZATION"].split(" ")
if len(components) != 2:
raise falcon.HTTPInvalidHeader("Expected <type> <credentials>", "Authorization")
type,creds = components
if type not in self.supportedAuthorizationTypes:
raise falcon.HTTPInvalidHeader("Unsupported credential type", "Authorization")
if creds not in self.db.authKeys():
raise falcon.HTTPInvalidHeader("Invalid credentials", "Authorization")
def process_request(self, req, resp):
"""Performs content type enforcement on behalf of REST verbs."""
valid_content_types = ['application/x-yaml']
content_type = (req.content_type.split(';', 1)[0].strip()
if req.content_type else '')
if not content_type:
raise falcon.HTTPMissingHeader('Content-Type')
elif content_type not in valid_content_types:
message = (
"Unexpected content type: {type}. Expected content types "
"are: {expected}.").format(type=six.b(
req.content_type).decode('utf-8'),
expected=valid_content_types)
raise falcon.HTTPUnsupportedMediaType(description=message)
def __call__(self, req, resp, resource, params):
"""Authorize request."""
authentication = req.headers.get('AUTHORIZATION')
_ = req.context['user'].get('language')
if not authentication:
raise falcon.HTTPMissingHeader("AUTHORIZATION")
try:
user = jwt.decode(
authentication,
os.getenv('JWT_SECRET'),
verify='True',
algorithms=['HS512'],
# options={'verify_exp': True}
# if you want to verify token (session) expiration, uncomment.
)
user_deleted = user.get('deleted')
user_validated = user.get('validated')
user_aproved_by_admin = user.get('status') == 'accepted'
if user_deleted:
raise falcon.HTTPUnauthorized(_('User deleted.'))
if not user_validated:
raise falcon.HTTPUnauthorized(_('User not validated.'))
if not user_aproved_by_admin:
raise falcon.HTTPUnauthorized(_('User unapproved.'))
except jwt.ExpiredSignatureError as e:
raise falcon.HTTPUnauthorized(_('JWT expired'), str(e))
except jwt.DecodeError as e:
raise falcon.HTTPUnauthorized(_('JWT decode error'), str(e))
except Exception:
req.context['user'].update({'_id': None, 'role': 'external'})
else:
req.context['user'].update({
'_id': user.get('_id'),
'role': user.get('role')
})
def on_get(self, req, resp):
raise falcon.HTTPMissingHeader('X-Auth-Token')
