def testPut(self, incr, get_current_user):
incr.return_value = 1
get_current_user.side_effect = base.AccessDeniedError('no user')
log = base.AccessLog()
log.put()
incr.assert_called_once_with('AccessLogCounter', initial_value=0)
def VerifyPermissions(required_permission, user, permission_type):
"""Verifies a valid user is logged in.
Args:
required_permission: permission string from permissions.*.
user: base.User entity; default current user.
permission_type: string, one of permission.TYPE_* variables.
Raises:
base.AccessDeniedError: there was a permissions issue.
"""
if not permission_type:
raise base.AccessDeniedError('permission_type not specified')
try:
if not user.HasPerm(required_permission, permission_type=permission_type):
raise base.AccessDeniedError(
'User lacks %s permission' % required_permission)
except ValueError:
raise base.AccessDeniedError(
'unknown permission_type: %s' % permission_type)
def VerifyXsrfToken(self, action):
"""Verifies a valid XSRF token was passed for the current request.
Args:
action: String, validate the token against this action.
Returns:
Boolean. True if the XSRF Token was valid.
Raises:
base.AccessDeniedError: the XSRF token was invalid or not supplied.
"""
xsrf_token = self.request.get('xsrf-token', None)
if settings.XSRF_PROTECTION_ENABLED:
if not util.XsrfTokenValidate(xsrf_token, action):
raise base.AccessDeniedError('Valid XSRF token not provided')
elif not xsrf_token:
logging.info(
'Ignoring missing XSRF token; settings.XSRF_PROTECTION_ENABLED=False')
return True
def get(self):
"""Handles GET requests."""
if self.request.get('json', '0') != '1':
search_type = self.request.get('search_type')
field1 = urllib.quote(self.request.get('field1'))
value1 = urllib.quote(self.request.get('value1').strip())
prefix_search = urllib.quote(self.request.get(
'prefix_search', '0'))
if search_type and field1 and value1:
self.redirect('/ui/#/search/%s/%s/%s/%s' %
(search_type, field1, value1, prefix_search))
else:
self.redirect('/ui/', permanent=True)
return
tag = self.request.get('tag', 'default')
search_type = self.request.get('search_type')
field1 = self.request.get('field1')
value1 = self.request.get('value1').strip()
prefix_search = self.request.get('prefix_search', '0') == '1'
try:
model = models_util.TypeNameToModel(search_type)
except ValueError:
raise passphrase_handler.InvalidArgumentError(
'Invalid search_type %s' % search_type)
if not (field1 and value1):
raise base_handler.InvalidArgumentError('Missing field1 or value1')
# Get the user's search and retrieve permissions for all permission types.
search_perms = base_handler.VerifyAllPermissionTypes(
permissions.SEARCH)
retrieve_perms = base_handler.VerifyAllPermissionTypes(
permissions.RETRIEVE_OWN)
retrieve_created = base_handler.VerifyAllPermissionTypes(
permissions.RETRIEVE_CREATED_BY)
# user is performing a search, ensure they have permissions.
if (not search_perms.get(search_type)
and not retrieve_perms.get(search_type)
and not retrieve_created.get(search_type)):
raise base.AccessDeniedError('User lacks %s permission' %
search_type)
try:
passphrases = _PassphrasesForQuery(model, field1, value1,
prefix_search)
except ValueError:
self.error(httplib.NOT_FOUND)
return
skipped = False
if not search_perms.get(search_type):
results_len = len(passphrases)
email = base.GetCurrentUser().user.email()
passphrases = [x for x in passphrases if x.owner == email]
skipped = len(passphrases) != results_len
too_many_results = len(passphrases) >= MAX_PASSPHRASES_PER_QUERY
passphrases = [
v.ToDict(skip_secret=True) for v in passphrases if v.tag == tag
]
if model.ALLOW_OWNER_CHANGE:
for passphrase in passphrases:
if not passphrase['active']:
continue
link = '/api/internal/change-owner/%s/%s/' % (search_type,
passphrase['id'])
passphrase['change_owner_link'] = link
self.response.out.write(
util.ToSafeJson({
'passphrases': passphrases,
'too_many_results': too_many_results,
'results_access_warning': skipped,
}))
def get(self): # pylint: disable=g-bad-name
"""Handles GET requests."""
# TODO(user): Users with retrieve_own should not need to search to
# retrieve their escrowed secrets.
if self.request.get('json', '0') != '1':
search_type = self.request.get('search_type')
field1 = urllib.quote(self.request.get('field1'))
value1 = urllib.quote(self.request.get('value1').strip())
prefix_search = urllib.quote(self.request.get(
'prefix_search', '0'))
if search_type and field1 and value1:
self.redirect('/ui/#/search/%s/%s/%s/%s' %
(search_type, field1, value1, prefix_search))
else:
self.redirect('/ui/', permanent=True)
return
tag = self.request.get('tag', 'default')
search_type = self.request.get('search_type')
field1 = self.request.get('field1')
value1 = self.request.get('value1').strip()
prefix_search = self.request.get('prefix_search', '0') == '1'
try:
model = volumes.TypeNameToModel(search_type)
except ValueError:
raise handlers.InvalidArgumentError('Invalid search_type %s' %
search_type)
if not (field1 and value1):
raise handlers.InvalidArgumentError('Missing field1 or value1')
# Get the user's search and retrieve permissions for all permission types.
search_perms = handlers.VerifyAllPermissionTypes(permissions.SEARCH)
retrieve_perms = handlers.VerifyAllPermissionTypes(
permissions.RETRIEVE_OWN)
retrieve_created = handlers.VerifyAllPermissionTypes(
permissions.RETRIEVE_CREATED_BY)
# user is performing a search, ensure they have permissions.
if (not search_perms.get(search_type)
and not retrieve_perms.get(search_type)
and not retrieve_created.get(search_type)):
raise base.AccessDeniedError('User lacks %s permission' %
search_type)
# TODO(user): implement multi-field search by building query here
# or better yet using JavaScript.
q = '%s:%s' % (field1, value1)
try:
passphrases = _PassphrasesForQuery(model, q, prefix_search)
except ValueError:
self.error(httplib.NOT_FOUND)
return
if not search_perms.get(search_type):
username = base.GetCurrentUser().user.nickname()
passphrases = [x for x in passphrases if x.owner == username]
passphrases = [
v.ToDict(skip_secret=True) for v in passphrases if v.tag == tag
]
if model.ALLOW_OWNER_CHANGE:
for passphrase in passphrases:
if not passphrase['active']:
continue
link = '/api/internal/change-owner/%s/%s/' % (search_type,
passphrase['id'])
passphrase['change_owner_link'] = link
self.response.out.write(util.ToSafeJson(passphrases))