def setup(self): if not self.db.about(ABOUT_TABLE): with self.db.transaction() as t: t.execute( sql_create(ABOUT_TABLE, {"version": "TEXT", "next_id": "INTEGER"}) ) t.execute(sql_insert(ABOUT_TABLE, {"version": "1.0", "next_id": 1000})) t.execute(sql_create(DIGITS_TABLE, {"value": "INTEGER"})) t.execute(sql_insert(DIGITS_TABLE, [{"value": i} for i in range(10)]))
def add_permission(self, user, resource, owner): """ :param user: :param resource: :param owner: :return: """ user = wrap(user) resource = wrap(resource) owner = wrap(owner) # DOES owner HAVE ACCESS TO resource? if not self.verify_allowance(owner, resource): Log.error("not allowed to assign resource") # DOES THIS PERMISSION EXIST ALREADY allowance = self.verify_allowance(user, resource) if allowance: if any(r.owner == owner for r in allowance): Log.error("already allowed via {{allowance}}", allowance=allowance) # ALREADY ALLOWED, BUT MULTIPLE PATHS MAY BE OK with self.db.transaction() as t: t.execute( sql_insert(PERMISSION_TABLE, { "user": user._id, "resource": resource._id, "owner": owner._id }))
def _insert(self, table, records): records = listwrap(records) keys = {"_id"} for r in records: keys.update(r.keys()) if r._id == None: r._id = self.next_id() with self.db.transaction() as t: t.execute(sql_insert(table, records))
def save_session(self, app, session, response): if not session or not session.keys(): return if not session.session_id: session.session_id = generate_sid() session.permanent = True DEBUG and Log.note("save session {{session}}", session=session) now = Date.now().unix session_id = session.session_id result = self.db.query( sql_query({ "from": self.table, "where": { "eq": { "session_id": session_id } } })) saved_record = first(Data(zip(result.header, r)) for r in result.data) expires = min(session.expires, now + self.cookie.inactive_lifetime.seconds) if saved_record: DEBUG and Log.note("found session {{session}}", session=saved_record) saved_record.data = value2json(session) saved_record.expires = expires saved_record.last_used = now with self.db.transaction() as t: t.execute("UPDATE " + quote_column(self.table) + SQL_SET + sql_list( sql_eq(**{k: v}) for k, v in saved_record.items()) + SQL_WHERE + sql_eq(session_id=session_id)) else: new_record = { "session_id": session_id, "data": value2json(session), "expires": expires, "last_used": now, } DEBUG and Log.note("new record for db {{session}}", session=new_record) with self.db.transaction() as t: t.execute(sql_insert(self.table, new_record)) response.set_cookie(app.session_cookie_name, session_id, expires=expires)
def id_generator(db): """ INSTALL AN ID GENERATOR """ about = db.about(VERSION_TABLE) if not about: with db.transaction() as t: t.execute( sql_create(VERSION_TABLE, { "version": "TEXT", "next_id": "LONG" })) t.execute( sql_insert(VERSION_TABLE, { "version": "1.0", "next_id": 1000 })) else: for cid, name, dtype, notnull, dfft_value, pk in about: if name == "next_id": break else: with db.transaction() as t: t.execute("ALTER TABLE " + quote_column(VERSION_TABLE) + " ADD COLUMN next_id LONG") t.execute(SQL_UPDATE + quote_column(VERSION_TABLE) + SQL_SET + sql_eq(next_id=1000)) def _gen_ids(): while True: with db.transaction() as t: top_id = first( first( t.query( sql_query({ "select": "next_id", "from": VERSION_TABLE })).data)) max_id = top_id + 1000 t.execute(SQL_UPDATE + quote_column(VERSION_TABLE) + SQL_SET + sql_eq(next_id=max_id)) while top_id < max_id: yield top_id top_id += 1 return _gen_ids().__next__
def add_permission(self, user, resource, actor): """ :param user: :param resource: :param actor: :return: """ user = wrap(user) resource = wrap(resource) # DOES THIS PERMISSION EXIST ALREADY allowance = self.verify_allowance(user, resource) if allowance: if any(r.owner == actor for r in allowance): Log.error("already allowed via {{allowance}}", allowance=allowance) # ALREADY ALLOWED, BUT MULTIPLE PATHS MAY BE OK actor = wrap(actor) qualified_owners = [ owner for owner in self.is_agent_for(actor) if self.verify_allowance(owner, resource) ] if not qualified_owners: Log.error("not allowed to assign resource") elif actor in qualified_owners: pass elif len(qualified_owners) > 1: Log.error( "more than one owner has access to resource, who are you acting for?" ) owner = qualified_owners[0] with self.db.transaction() as t: t.execute( sql_insert(PERMISSION_TABLE, { "user": user._id, "resource": resource._id, "owner": owner._id }))
def device_register(self, path=None): """ EXPECTING A SIGNED REGISTRATION REQUEST RETURN JSON WITH url FOR LOGIN """ now = Date.now().unix request_body = request.get_data().strip() signed = json2value(request_body.decode("utf8")) command = json2value(base642bytes(signed.data).decode("utf8")) session.public_key = command.public_key rsa_crypto.verify(signed, session.public_key) self.session_manager.setup_session(session) session.expires = now + parse("10minute").seconds session.state = bytes2base64URL(Random.bytes(32)) with self.device.db.transaction() as t: t.execute( sql_insert( self.device.table, { "state": session.state, "session_id": session.session_id }, )) response = value2json( Data( session_id=session.session_id, interval="5second", expiry=session.expires, url=URL( self.device.home, path=self.device.endpoints.login, query={"state": session.state}, ), )) return Response(response, headers={"Content-Type": "application/json"}, status=200)
def create_table_resource(self, table_name, owner): """ CREATE A TABLE, CREATE RESOURCES FOR OPERATIONS, ENSURE CREATOR HAS CONTROL OVER TABLE :param table_name: Create resources for given table :param owner: assign this user as owner :return: """ new_resources = wrap([{ "table": table_name, "operation": op, "owner": 1 } for op in TABLE_OPERATIONS]) self._insert(RESOURCE_TABLE, new_resources) with self.db.transaction() as t: t.execute( sql_insert(PERMISSION_TABLE, [{ "user": owner._id, "resource": r._id, "owner": ROOT_USER._id } for r in new_resources]))
def setup(self): with self.db.transaction() as t: t.execute(sql_create(VERSION_TABLE, {"version": "TEXT"})) t.execute(sql_insert(VERSION_TABLE, {"version": "1.0"})) t.execute( sql_create( GROUP_TABLE, { "_id": "LONG PRIMARY KEY", "name": "TEXT", "group": "TEXT", "email": "TEXT", "issuer": "TEXT", "email_verified": "INTEGER", "description": "TEXT", "owner": "LONG", }, )) t.execute( sql_insert( GROUP_TABLE, [ { "_id": 1, "name": "root", "email": "*****@*****.**", "description": "access for security system", }, { "_id": 11, "group": "public", "description": "everyone with confirmed email", "owner": 1, }, { "_id": 12, "group": "mozillians", "description": "people that mozilla authentication has recongized as mozillian", "owner": 1, }, { "_id": 13, "group": "moz-employee", "description": "people that mozilla authentication has recongized as employee", "owner": 1, }, ], )) t.execute( sql_create( RESOURCE_TABLE, { "_id": "LONG PRIMARY KEY", "table": "TEXT", "operation": "TEXT", "owner": "LONG", }, )) t.execute( sql_insert( RESOURCE_TABLE, [ CREATE_TABLE, { "_id": 101, "table": ".", "operation": "update", "owner": 1 }, { "_id": 102, "table": ".", "operation": "from", "owner": 1 }, ], )) t.execute( sql_create( PERMISSION_TABLE, { "user": "******", "resource": "LONG", "owner": "LONG" }, )) t.execute( sql_insert( PERMISSION_TABLE, [ { "user": 12, "resource": 11, "owner": 1 }, { "user": 13, "resource": 11, "owner": 1 }, { "user": 13, "resource": 12, "owner": 1 }, { "user": 1, "resource": 100, "owner": 1 }, { "user": 1, "resource": 101, "owner": 1 }, { "user": 1, "resource": 102, "owner": 1 }, ], ))