def _process(self):
    """Create a new API key for ``self.user``, replacing the current one on request.

    Form flags (each is "set" only when the raw value equals the string ``'1'``):
      quiet      -- suppress flash messages (and the flash in the JSON reply)
      force      -- permit replacing an existing key
      persistent -- ask for persistent-signature permission; honoured only when
                    the ``allow_persistent`` API setting is enabled

    Raises:
        BadRequest: the user already has a key and ``force`` was not given.
        Forbidden:  the existing key is blocked and the session user is not an
                    admin -- a blocked key is a deliberate admin action and a
                    normal user must not escape it by minting a fresh key.
    """
    form = request.form
    quiet = form.get('quiet') == '1'
    force = form.get('force') == '1'
    # NOTE(review): when granted, ``persistent`` carries the raw value of the
    # ``allow_persistent`` setting rather than a bool; confirm that setting is
    # stored as a bool, since the value is written to ``is_persistent_allowed``.
    persistent = form.get('persistent') == '1' and api_settings.get('allow_persistent')

    current = self.user.api_key
    if current:
        if not force:
            raise BadRequest('There is already an API key for this user')
        if current.is_blocked and not session.user.is_admin:
            raise Forbidden
        # Retire the old key before inserting the new one so only one active
        # key per user exists at any point the session is flushed.
        current.is_active = False
        db.session.flush()

    new_key = APIKey(user=self.user)
    db.session.add(new_key)
    if persistent:
        new_key.is_persistent_allowed = persistent
    elif current:
        # Carry the previous permission over on a plain rotation.
        new_key.is_persistent_allowed = current.is_persistent_allowed

    if not quiet:
        if not current:
            flash(_('Your API key has been successfully created.'), 'success')
        else:
            flash(_('Your API key has been successfully replaced.'), 'success')
            if current.use_count:
                flash(_('Please update any applications which use old key.'), 'warning')

    db.session.flush()
    return redirect_or_jsonify(url_for('api.user_profile'),
                               flash=not quiet,
                               is_persistent_allowed=new_key.is_persistent_allowed)
def _process(self):
    """Create a new API key for ``self.user``, replacing the current one on request.

    Form flags (each is "set" only when the raw value equals the string ``'1'``):
      quiet      -- suppress flash messages (and the flash in the JSON reply)
      force      -- permit replacing an existing key
      persistent -- ask for persistent-signature permission; honoured only when
                    the ``allow_persistent`` API setting is enabled

    Raises:
        BadRequest: the user already has a key and ``force`` was not given.
        Forbidden:  the existing key is blocked and the session user is not an
                    admin -- a blocked key is a deliberate admin action and a
                    normal user must not escape it by minting a fresh key.
    """
    form = request.form
    quiet = form.get('quiet') == '1'
    force = form.get('force') == '1'
    # NOTE(review): when granted, ``persistent`` carries the raw value of the
    # ``allow_persistent`` setting rather than a bool; confirm that setting is
    # stored as a bool, since the value is written to ``is_persistent_allowed``.
    persistent = form.get('persistent') == '1' and api_settings.get('allow_persistent')

    current = self.user.api_key
    if current:
        if not force:
            raise BadRequest('There is already an API key for this user')
        if current.is_blocked and not session.user.is_admin:
            raise Forbidden
        # Retire the old key before inserting the new one so only one active
        # key per user exists at any point the session is flushed.
        current.is_active = False
        db.session.flush()

    new_key = APIKey(user=self.user)
    db.session.add(new_key)
    if persistent:
        new_key.is_persistent_allowed = persistent
    elif current:
        # Carry the previous permission over on a plain rotation.
        new_key.is_persistent_allowed = current.is_persistent_allowed

    if not quiet:
        if not current:
            flash(_('Your API key has been successfully created.'), 'success')
        else:
            flash(_('Your API key has been successfully replaced.'), 'success')
            if current.use_count:
                flash(_('Please update any applications which use old key.'), 'warning')

    db.session.flush()
    return redirect_or_jsonify(url_for('api.user_profile'),
                               flash=not quiet,
                               is_persistent_allowed=new_key.is_persistent_allowed)
def checkAK(apiKey, signature, timestamp, path, query):
    """Resolve *apiKey* to an active ``APIKey`` and decide the access level.

    Returns ``(ak, onlyPublic)``: ``ak`` is the matching key (``None`` when no
    key was supplied and the security mode tolerates anonymous access) and
    ``onlyPublic`` tells the caller to serve public data only.

    Raises:
        HTTPAPIError 403: key missing in a key-requiring mode, key unknown or
            inactive, key blocked, or signature missing in ``ALL_SIGNED`` mode.
        HTTPAPIError 400: key is not a well-formed UUID.
        Whatever ``validateSignature`` raises when the signature is bad.
    """
    mode = api_settings.get('security_mode')

    if not apiKey:
        # These modes refuse any request that does not present a key.
        if mode in {APIMode.ONLYKEY, APIMode.ONLYKEY_SIGNED, APIMode.ALL_SIGNED}:
            raise HTTPAPIError('API key is missing', 403)
        return None, True

    # Cheap syntactic check before hitting the database. The lookup below
    # still uses the raw string, so only an exact token match is accepted.
    # NOTE(review): a non-string apiKey would raise something other than
    # ValueError here -- confirm the caller always passes a str.
    try:
        UUID(hex=apiKey)
    except ValueError:
        raise HTTPAPIError('Malformed API key', 400)

    ak = APIKey.find_first(token=apiKey, is_active=True)
    if not ak:
        raise HTTPAPIError('Invalid API key', 403)
    if ak.is_blocked:
        raise HTTPAPIError('API key is blocked', 403)

    if signature:
        # A present signature is always verified, whatever the mode.
        validateSignature(ak, signature, timestamp, path, query)
        return ak, False
    if mode == APIMode.ALL_SIGNED:
        raise HTTPAPIError('Signature missing', 403)
    # Unsigned request in a tolerant mode: restricted to public data when the
    # mode expects signatures, full access otherwise.
    return ak, mode in {APIMode.SIGNED, APIMode.ONLYKEY_SIGNED}
def _process(self):
    """Show the API admin settings form and persist it on a valid submit.

    On a valid POST every field of ``form.data`` is written to ``api_settings``
    and the user is redirected back to this page; otherwise the form is
    rendered together with the number of currently active API keys.
    """
    defaults = FormDefaults(**api_settings.get_all())
    form = AdminSettingsForm(obj=defaults)
    if form.validate_on_submit():
        # NOTE(review): the whole form payload is stored; confirm the form
        # declares only genuine settings so nothing extra ends up persisted.
        api_settings.set_multi(form.data)
        flash(_('Settings saved'), 'success')
        return redirect(url_for('.admin_settings'))
    active_keys = APIKey.find(is_active=True).count()
    return WPAPIAdmin.render_template('admin_settings.html', form=form, count=active_keys)
def _merge_users(target, source, **kwargs):
    """Move *source*'s API keys onto *target* when the two accounts are merged.

    Inactive keys are simply re-owned. For the active key, at most one may
    stay active per user, so:
      - only *source* has one: it moves to *target* unchanged;
      - both have one: *target*'s is kept unless it was never used while
        *source*'s was, in which case the used key survives and *target*'s
        is deactivated.
    ``kwargs`` is accepted for signal compatibility and ignored.
    """
    target_key = target.api_key
    source_key = source.api_key

    # Re-own every retired key in one bulk update.
    APIKey.find(user_id=source.id, is_active=False).update({'user_id': target.id})

    if not source_key:
        return
    if not target_key:
        source_key.user = target
        return

    keep_target = target_key.use_count or not source_key.use_count
    if keep_target:
        # The loser is moved over deactivated so its history stays with the user.
        source_key.is_active = False
        source_key.user = target
    else:
        target_key.is_active = False
        # Flush the deactivation first so the re-association does not collide
        # with the still-active target key.
        db.session.flush()
        source_key.user = target
def checkAK(apiKey, signature, timestamp, path, query):
    """Resolve *apiKey* to an active ``APIKey`` and decide the access level.

    Returns ``(ak, onlyPublic)``: ``ak`` is the matching key (``None`` when no
    key was supplied and the security mode tolerates anonymous access) and
    ``onlyPublic`` tells the caller to serve public data only.

    Raises:
        HTTPAPIError 403: key missing in a key-requiring mode, key unknown or
            inactive, key blocked, or signature missing in ``ALL_SIGNED`` mode.
        HTTPAPIError 400: key is not a well-formed UUID.
        Whatever ``validateSignature`` raises when the signature is bad.
    """
    mode = api_settings.get('security_mode')

    if not apiKey:
        # These modes refuse any request that does not present a key.
        if mode in {APIMode.ONLYKEY, APIMode.ONLYKEY_SIGNED, APIMode.ALL_SIGNED}:
            raise HTTPAPIError('API key is missing', 403)
        return None, True

    # Cheap syntactic check before hitting the database. The lookup below
    # still uses the raw string, so only an exact token match is accepted.
    # NOTE(review): a non-string apiKey would raise something other than
    # ValueError here -- confirm the caller always passes a str.
    try:
        UUID(hex=apiKey)
    except ValueError:
        raise HTTPAPIError('Malformed API key', 400)

    ak = APIKey.find_first(token=apiKey, is_active=True)
    if not ak:
        raise HTTPAPIError('Invalid API key', 403)
    if ak.is_blocked:
        raise HTTPAPIError('API key is blocked', 403)

    if signature:
        # A present signature is always verified, whatever the mode.
        validateSignature(ak, signature, timestamp, path, query)
        return ak, False
    if mode == APIMode.ALL_SIGNED:
        raise HTTPAPIError('Signature missing', 403)
    # Unsigned request in a tolerant mode: restricted to public data when the
    # mode expects signatures, full access otherwise.
    return ak, mode in {APIMode.SIGNED, APIMode.ONLYKEY_SIGNED}
def _process(self):
    """Render the admin overview of active API keys.

    Keys that have been used at least once are listed first; within each
    group the rows are ordered by the owner's full name.
    """
    def ordering(ak):
        return (ak.use_count == 0, ak.user.full_name)

    active_keys = sorted(APIKey.find_all(is_active=True), key=ordering)
    return WPAPIAdmin.render_template('admin_keys.html', keys=active_keys)
def _process(self):
    """Render the admin overview of active API keys (``'api'`` menu section).

    Keys that have been used at least once are listed first; within each
    group the rows are ordered by the owner's full name.
    """
    def ordering(ak):
        return (ak.use_count == 0, ak.user.full_name)

    active_keys = sorted(APIKey.find_all(is_active=True), key=ordering)
    return WPAPIAdmin.render_template('admin_keys.html', 'api', keys=active_keys)
def has_data(self):
    """Return True when at least one API key row (active or not) exists."""
    return APIKey.find().count() > 0
def migrate_keys(self):
    """Copy the ZODB API keys into the SQL ``APIKey`` table.

    A key is imported only when the index entry, the key object and the
    owning avatar are mutually consistent; anything else is reported as a
    skip and left behind, so a stale or dangling ZODB entry never turns into
    a usable SQL credential.  Each user's retired keys (``_oldKeys``) are
    imported as inactive rows.
    """
    print cformat('%{white!}migrating api keys')

    def skip(reason, *args):
        # Uniform "!!! Skipping ..." line for entries that fail a check.
        print cformat('%{red!}!!!%{reset} %{yellow!}' + reason).format(*args)

    for index_key, legacy in committing_iterator(self.zodb_root['apikeys'].iteritems()):
        if index_key != legacy._key:
            skip('Skipping {} - index key {} does not match', legacy._key, index_key)
            continue
        if str(legacy._user.id) not in self.zodb_root['avatars']:
            skip('Skipping {} - user {} does not exist', legacy._key, legacy._user.id)
            continue
        if legacy._user.apiKey != legacy:
            # The avatar points at another key object; importing this one
            # would hand the user a credential they do not currently hold.
            skip('Skipping {} - user {} has a different api key set', legacy._key, legacy._user.id)
            continue

        last_path = legacy._lastPath
        last_uri = None
        if last_path:
            last_uri = convert_to_unicode(last_path)
            if legacy._lastQuery:
                last_uri = '{}?{}'.format(last_uri, convert_to_unicode(legacy._lastQuery))

        row = APIKey(token=legacy._key,
                     secret=legacy._signKey,
                     user_id=legacy._user.id,
                     is_blocked=legacy._isBlocked,
                     is_persistent_allowed=getattr(legacy, '_persistentAllowed', False),
                     created_dt=self._to_utc(legacy._createdDT),
                     last_used_dt=self._to_utc(legacy._lastUsedDT),
                     last_used_ip=legacy._lastUsedIP,
                     last_used_uri=last_uri,
                     last_used_auth=legacy._lastUseAuthenticated,
                     use_count=legacy._useCount)
        db.session.add(row)
        print cformat('%{green}+++%{reset} %{cyan}{}%{reset} [%{blue!}{}%{reset}]').format(
            legacy._key, legacy._user.email)

        for retired_token in legacy._oldKeys:
            # No creation time survives for retired keys; use *something* older.
            created = self._to_utc(legacy._createdDT) - timedelta(hours=1)
            # Only the token survived. The row is created inactive, so the
            # random secret merely satisfies the column; it should never be
            # used to validate a signature.
            db.session.add(APIKey(token=retired_token,
                                  secret=unicode(uuid4()),
                                  user_id=legacy._user.id,
                                  created_dt=created,
                                  is_active=False))
            print cformat('%{blue!}***%{reset} %{cyan}{}%{reset} [%{yellow}old%{reset}]').format(retired_token)

        db.session.flush()