def get_boto_client(client,
region=None,
aws_access_key_id=None,
aws_secret_access_key=None,
aws_session_token=None,
config=None,
endpoint_url=None):
"""Get a boto3 client connection."""
if config is None:
config = {}
cache_key = '{0}:{1}:{2}:{3}:{4}'.format(client, region, aws_access_key_id,
config.get('name'), endpoint_url)
if not aws_session_token:
if cache_key in CLIENT_CACHE:
return CLIENT_CACHE[cache_key]
session = get_boto_session(region, aws_access_key_id,
aws_secret_access_key, aws_session_token)
if not session:
logger.error("Failed to get {0} client.".format(client))
return None
CLIENT_CACHE[cache_key] = session.client(client,
config=config.get('config'),
endpoint_url=endpoint_url)
return CLIENT_CACHE[cache_key]
def handle_message(client, queue_url):
try:
response = client.receive_message(
QueueUrl=queue_url,
AttributeNames=['SentTimestamp'],
MaxNumberOfMessages=1,
MessageAttributeNames=['All'],
VisibilityTimeout=60,
WaitTimeSeconds=10
)
if 'Messages' in response:
messages = response['Messages']
message = messages[0]
if 'type' not in message['MessageAttributes']:
logger.error('SQS message does not have a type attribute.')
return
m_type = message['MessageAttributes']['type']['StringValue']
logger.debug('Received SQS message of type {}'.format(m_type))
if m_type == 'github_webhook':
try:
handle_webhook(message)
except Exception:
logger.exception(
'Failed to handle webhook SQS message'
)
return
elif m_type == 'signature':
try:
handle_signature(message)
except Exception:
logger.exception(
'Failed to handle signature SQS message'
)
return
else:
logger.error(
'{} is an unsupported message type.'.format(m_type)
)
client.delete_message(
QueueUrl=queue_url,
ReceiptHandle=message['ReceiptHandle']
)
else:
logger.debug('No messages, continuing')
return
except Exception:
logger.exception('General error')
def decorated(*args, **kwargs):
try:
email = get_logged_in_user_email()
is_admin = False
try:
orgs = get_logged_in_user_orgs()
for org in orgs:
if org.get('login') == app.config['ORGANIZATION']:
is_admin = True
except OrgsNotFound:
if not role_has_privilege('user', f.__name__):
raise AdminAccessNeeded()
else:
pass
if is_admin:
role = 'admin'
else:
role = 'user'
g.auth_role = role
except (UserEmailNotFound, AdminAccessNeeded):
logger.info('Attempting to log in a user using Github auth')
response = make_response()
if request.is_secure:
secure_cookie = True
else:
secure_cookie = False
if role_has_privilege('user', f.__name__):
result = _authomatic.login(
WerkzeugAdapter(request, response),
'github',
session=session,
session_saver=lambda: app.save_session(session, response),
secure_cookie=secure_cookie
)
fetch_orgs = False
else:
# This function requires admin, we need to fetch the orgs,
# which requires different scopes, use the admin login.
result = _authomatic_admin.login(
WerkzeugAdapter(request, response),
'github',
session=session,
session_saver=lambda: app.save_session(session, response),
secure_cookie=secure_cookie
)
fetch_orgs = True
if result:
if result.error:
msg = 'Github auth failed with error: {0}'
logger.error(msg.format(result.error.message))
return abort(403)
if result.user:
result.user.update()
user = result.user
session['github_oauth2'] = {}
session['github_oauth2']['name'] = user.name
session['github_oauth2']['username'] = user.username
g.auth_type = 'oauth'
email_addresses = _authomatic.access(
credentials=user.credentials,
url='https://api.github.com/user/emails'
).data
session['github_oauth2']['email'] = email_addresses
if fetch_orgs:
organizations = _authomatic.access(
credentials=user.credentials,
url='https://api.github.com/user/orgs'
).data
session['github_oauth2']['orgs'] = organizations
# TODO: find a way to save the angular args
# authomatic adds url params google auth has stripped the
# angular args anyway, so let's just redirect back to the
# index.
return redirect(url_for('index'))
return response
if role_has_privilege(role, f.__name__):
return f(*args, **kwargs)
else:
msg = ('User with email {0}, role {1}, attempted to access'
' function {2} without correct privileges')
logger.warning(msg.format(email, role, f.__name__))
return abort(403)