def get(self): user_id = identify_user(self) execution_service = self.application.execution_service active_executions = execution_service.get_active_executions(user_id) self.write(json.dumps(active_executions))
def wrapper(self, *args, **kwargs): if not has_admin_rights(self): user_id = identify_user(self) LOGGER.warning('User %s (%s) tried to access admin REST service %s', user_id, get_audit_name_from_request(self), self.request.path) raise tornado.web.HTTPError(403, 'Access denied') return func(self, *args, **kwargs)
def open(self, user, execution_id): auth = self.application.auth if not auth.is_authenticated(self): return None execution_service = self.application.execution_service try: self.executor = execution_service.get_active_executor( execution_id, get_user(self)) except Exception as e: self.handle_exception_on_open(e) return self.ioloop = tornado.ioloop.IOLoop.current() self.write_message(wrap_to_server_event('input', 'your input >>')) user_id = identify_user(self) output_stream = execution_service.get_raw_output_stream( execution_id, user_id) pipe_output_to_http(output_stream, self.safe_write) file_download_feature = self.application.file_download_feature web_socket = self def finished(): try: downloadable_files = file_download_feature.get_downloadable_files( execution_id) for file in downloadable_files: filename = os.path.basename(file) url_path = web_socket.prepare_download_url(file) web_socket.safe_write( wrap_to_server_event('file', { 'url': url_path, 'filename': filename })) except: LOGGER.exception('Could not prepare downloadable files') connection = web_socket.ws_connection if (connection is not None) and (hasattr(connection, 'ping_callback')): # we need to stop callback explicitly and as soon as possible, to avoid sending ping after close connection.ping_callback.stop() output_stream.wait_close(timeout=5) web_socket.ioloop.add_callback(web_socket.close, code=1000) file_download_feature.subscribe_on_inline_images( execution_id, self.send_inline_image) execution_service.add_finish_listener(finished, execution_id)
def wrapper(self, *args, **kwargs): auth = self.application.auth authorizer = self.application.authorizer login_url = self.get_login_url() request_path = self.request.path login_resource = is_allowed_during_login(request_path, login_url, self) if login_resource: return func(self, *args, **kwargs) authenticated = auth.is_authenticated(self) access_allowed = authenticated and authorizer.is_allowed_in_app( identify_user(self)) if authenticated and (not access_allowed): user = identify_user(self) LOGGER.warning('User ' + user + ' is not allowed') code = 403 message = 'Access denied. Please contact system administrator' if isinstance(self, tornado.websocket.WebSocketHandler): self.close(code=code, reason=message) else: raise tornado.web.HTTPError(code, message) if authenticated and access_allowed: return func(self, *args, **kwargs) if not isinstance(self, tornado.web.StaticFileHandler): message = 'Not authenticated' code = 401 LOGGER.warning('%s %s %s: user is not authenticated' % (code, self.request.method, request_path)) if isinstance(self, tornado.websocket.WebSocketHandler): self.close(code=code, reason=message) return else: raise tornado.web.HTTPError(code, message) login_url += "?" + urlencode(dict(next=request_path)) redirect_relative(login_url, self) return
def validate_absolute_path(self, root, absolute_path): audit_name = get_audit_name_from_request(self) user_id = identify_user(self) file_download_feature = self.application.file_download_feature file_path = file_utils.relative_path(absolute_path, os.path.abspath(root)) if not file_download_feature.allowed_to_download(file_path, user_id): LOGGER.warning('Access attempt from ' + user_id + '(' + audit_name + ') to ' + absolute_path) raise tornado.web.HTTPError(403) return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)
def validate_absolute_path(self, root, absolute_path): if not self.application.auth.is_enabled() and (absolute_path.endswith("/login.html")): raise tornado.web.HTTPError(404) relative_path = file_utils.relative_path(absolute_path, root) if self.is_admin_file(relative_path): if not has_admin_rights(self): user_id = identify_user(self) LOGGER.warning('User %s (%s) tried to access admin static file %s', user_id, get_audit_name_from_request(self), relative_path) raise tornado.web.HTTPError(403) return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)
def validate_execution_id(execution_id, request_handler, only_active=True): if is_empty(execution_id): raise tornado.web.HTTPError(400, reason='Execution id is missing') execution_service = request_handler.application.execution_service if only_active and (not execution_service.is_active(execution_id)): raise tornado.web.HTTPError( 400, reason='No (active) executor found for id ' + execution_id) user_id = identify_user(request_handler) if not execution_service.can_access(execution_id, user_id): LOGGER.warning( 'Prohibited access to not owned execution #%s (user=%s)', execution_id, str(user_id)) raise tornado.web.HTTPError( 403, reason='Prohibited access to not owned execution')
def has_admin_rights(request_handler): user_id = identify_user(request_handler) return request_handler.application.authorizer.is_admin(user_id)