def token_verify(): token = request.form.get('access_token') client_resource = request.form.get('resource') # Can only be a single resource if not client_resource: # No resource specified by caller return resource_error('no_resource') if not token: # No token specified by caller return resource_error('no_token') if not current_auth.client.namespace: # This client has not defined any resources return api_result('error', error='client_no_resources') authtoken = AuthToken.get(token=token) if not authtoken: # No such auth token return api_result('error', error='no_token') if (current_auth.client.namespace + ':' + client_resource not in authtoken.effective_scope) and ( current_auth.client.namespace + ':*' not in authtoken.effective_scope): # Token does not grant access to this resource return api_result('error', error='access_denied') if '/' in client_resource: parts = client_resource.split('/') if len(parts) != 2: return api_result('error', error='invalid_scope') resource_name, action_name = parts else: resource_name = client_resource action_name = None if resource_name != '*': resource = Resource.get(resource_name, client=current_auth.client) if not resource: # Resource does not exist or does not belong to this client return api_result('error', error='access_denied') if action_name and action_name != '*': action = ResourceAction.query.filter_by(name=action_name, resource=resource).first() if not action: return api_result('error', error='access_denied') # All validations passed. Token is valid for this client and scope. Return with information on the token # TODO: Don't return validity. Set the HTTP cache headers instead. params = {'validity': 120} # Period (in seconds) for which this assertion may be cached. if authtoken.user: params['userinfo'] = get_userinfo(authtoken.user, current_auth.client, scope=authtoken.effective_scope) params['clientinfo'] = { 'title': authtoken.client.title, 'userid': authtoken.client.owner.buid, 'buid': authtoken.client.owner.buid, 'uuid': authtoken.client.owner.uuid, 'owner_title': authtoken.client.owner.pickername, 'website': authtoken.client.website, 'key': authtoken.client.key, 'trusted': authtoken.client.trusted, } return api_result('ok', **params)
def token_verify(): token = request.form.get('access_token') client_resource = request.form.get( 'resource') # Can only be a single resource if not client_resource: # No resource specified by caller return resource_error('no_resource') if not token: # No token specified by caller return resource_error('no_token') authtoken = AuthToken.query.filter_by(token=token).first() if not authtoken: # No such auth token return api_result('error', error='no_token') # TODO: Add support for wildcard scopes in here if g.client.namespace + ':' + client_resource not in authtoken.scope: # Token does not grant access to this resource return api_result('error', error='access_denied') if '/' in client_resource: parts = client_resource.split('/') if len(parts) != 2: return api_result('error', error='invalid_scope') resource_name, action_name = parts else: resource_name = client_resource action_name = None resource = Resource.get(resource_name, client=g.client) if not resource: # Resource does not exist or does not belong to this client return api_result('error', error='access_denied') if action_name: action = ResourceAction.query.filter_by(name=action_name, resource=resource).first() if not action: return api_result('error', error='access_denied') # All validations passed. Token is valid for this client and scope. Return with information on the token # TODO: Don't return validity. Set the HTTP cache headers instead. params = { 'validity': 120 } # Period (in seconds) for which this assertion may be cached. if authtoken.user: params['userinfo'] = get_userinfo(authtoken.user, g.client, scope=authtoken.scope) params['clientinfo'] = { 'title': authtoken.client.title, 'userid': authtoken.client.user.userid, 'buid': authtoken.client.user.userid, 'owner_title': authtoken.client.owner.pickername, 'website': authtoken.client.website, 'key': authtoken.client.key, 'trusted': authtoken.client.trusted, } return api_result('ok', **params)
def validate_name(self, field): if not valid_username(field.data): raise wtforms.ValidationError("Name contains invalid characters.") if field.data in resource_registry: raise wtforms.ValidationError("This name is reserved for internal use") existing = Resource.get(name=field.data) if existing and existing.id != self.edit_id: raise wtforms.ValidationError("A resource with that name already exists")
def verifyscope(scope, client): """ Verify if requested scope is valid for this client. Scope must be a list. """ resources = {} # resource_object: [action_object, ...] for item in scope: if item not in resource_registry: # Validation is only required for non-internal resources # Validation 1: namespace:resource/action is properly formatted if ':' not in item: raise ScopeException( u"No namespace specified for external resource ‘{scope}’ in scope" .format(scope=item)) itemparts = item.split(':') if len(itemparts) != 2: raise ScopeException( u"Too many ‘:’ characters in ‘{scope}’ in scope".format( scope=item)) namespace, item = itemparts if '/' in item: parts = item.split('/') if len(parts) != 2: raise ScopeException( u"Too many / characters in ‘{scope}’ in scope".format( scope=item)) resource_name, action_name = parts else: resource_name = item action_name = None resource = Resource.get(name=resource_name, namespace=namespace) # Validation 2: Resource exists and client has access to it if not resource: raise ScopeException( u"Unknown resource ‘{resource}’ under namespace ‘{namespace}’ in scope" .format(resource=resource_name, namespace=namespace)) if resource.restricted and resource.client.owner != client.owner: raise ScopeException( u"This application does not have access to resource ‘{resource}’ in scope" .format(resource=resource_name)) # Validation 3: Action is valid if action_name: action = resource.get_action(action_name) if not action: raise ScopeException( u"Unknown action ‘{action}’ on resource ‘{resource}’ under namespace ‘{namespace}’" .format(action=action_name, resource=resource_name, namespace=namespace)) resources.setdefault(resource, []).append(action) else: resources.setdefault(resource, []) return resources
def validate_name(self, field): field.data = field.data.lower() if not valid_username(field.data): raise forms.ValidationError(_("Name contains invalid characters")) if field.data in resource_registry: raise forms.ValidationError(_("This name is reserved for internal use")) existing = Resource.get(name=field.data, client=self.client) if existing and existing.id != self.edit_id: raise forms.ValidationError(_("A resource with that name already exists"))
def resource_new(client): form = ResourceForm() form.client = client form.edit_id = None if form.validate_on_submit(): resource = Resource(client=client) form.populate_obj(resource) db.session.add(resource) db.session.commit() flash(_("Your new resource has been saved"), 'success') return render_redirect(url_for('.client_info', key=client.key), code=303) return render_form(form=form, title=_("Define a resource"), formid='resource_new', submit=_("Define resource"), ajax=True)
def verifyscope(scope, client): """ Verify if requested scope is valid for this client. Scope must be a list. """ resources = {} # resource_object: [action_object, ...] for item in scope: if item not in resource_registry: # Validation is only required for non-internal resources # Validation 1: namespace:resource/action is properly formatted if ':' not in item: raise ScopeException(u"No namespace specified for external resource ‘{scope}’ in scope".format(scope=item)) itemparts = item.split(':') if len(itemparts) != 2: raise ScopeException(u"Too many ‘:’ characters in ‘{scope}’ in scope".format(scope=item)) namespace, item = itemparts if '/' in item: parts = item.split('/') if len(parts) != 2: raise ScopeException(u"Too many / characters in ‘{scope}’ in scope".format(scope=item)) resource_name, action_name = parts else: resource_name = item action_name = None resource = Resource.get(name=resource_name, namespace=namespace) # Validation 2: Resource exists and client has access to it if not resource: raise ScopeException(u"Unknown resource ‘{resource}’ under namespace ‘{namespace}’ in scope".format(resource=resource_name, namespace=namespace)) if resource.restricted and resource.client.owner != client.owner: raise ScopeException( u"This application does not have access to resource ‘{resource}’ in scope".format(resource=resource_name)) # Validation 3: Action is valid if action_name: action = resource.get_action(action_name) if not action: raise ScopeException(u"Unknown action ‘{action}’ on resource ‘{resource}’ under namespace ‘{namespace}’".format( action=action_name, resource=resource_name, namespace=namespace)) resources.setdefault(resource, []).append(action) else: resources.setdefault(resource, []) return resources
def verifyscope(scope, client): """ Verify if requested scope is valid for this client. Scope must be a list. """ internal_resources = [] # Names of internal resources external_resources = {} # resource_object: [action_object, ...] full_client_access = [] # Clients linked to namespace:* scope for item in scope: if item == '*': # The '*' resource (full access) is only available to trusted clients if not client.trusted: raise ScopeException(_(u"Full access is only available to trusted clients")) elif item in resource_registry: if resource_registry[item]['trusted'] and not client.trusted: raise ScopeException(_(u"The resource {scope} is only available to trusted clients").format(scope=item)) internal_resources.append(item) else: # Validation 0: Is this an internal wildcard resource? if item.endswith('/*'): found_internal = False wildcard_base = item[:-2] for key in resource_registry: if key == wildcard_base or key.startswith(wildcard_base + '/'): if resource_registry[key]['trusted'] and not client.trusted: # Skip over trusted resources if the client is not trusted continue internal_resources.append(key) found_internal = True if found_internal: continue # Continue to next item in scope, skipping the following # Further validation is only required for non-internal resources # Validation 1: namespace:resource/action is properly formatted if ':' not in item: raise ScopeException(_(u"No namespace specified for external resource ‘{scope}’ in scope").format(scope=item)) itemparts = item.split(':') if len(itemparts) != 2: raise ScopeException(_(u"Too many ‘:’ characters in ‘{scope}’ in scope").format(scope=item)) namespace, subitem = itemparts if '/' in subitem: parts = subitem.split('/') if len(parts) != 2: raise ScopeException(_(u"Too many ‘/’ characters in ‘{scope}’ in scope").format(scope=item)) resource_name, action_name = parts else: resource_name = subitem action_name = None if resource_name == '*' and not action_name: resource_client = Client.get(namespace=namespace) if resource_client: if resource_client.owner == client.owner: full_client_access.append(resource_client) else: raise ScopeException( _(u"This application does not have access to all resources of app ‘{client}’").format( client=resource_client.title)) else: raise ScopeException(_(u"Unknown resource namespace ‘{namespace}’ in scope").format( namespace=namespace)) else: resource = Resource.get(name=resource_name, namespace=namespace) # Validation 2: Resource exists and client has access to it if not resource: raise ScopeException(_(u"Unknown resource ‘{resource}’ under namespace ‘{namespace}’ in scope").format(resource=resource_name, namespace=namespace)) if resource.restricted and resource.client.owner != client.owner: raise ScopeException( _(u"This application does not have access to resource ‘{resource}’ in scope").format(resource=resource_name)) # Validation 3: Action is valid if action_name: action = resource.get_action(action_name) if not action: raise ScopeException(_(u"Unknown action ‘{action}’ on resource ‘{resource}’ under namespace ‘{namespace}’").format( action=action_name, resource=resource_name, namespace=namespace)) external_resources.setdefault(resource, []).append(action) else: external_resources.setdefault(resource, []) internal_resources.sort() return internal_resources, external_resources, full_client_access
def sync_resources(): resources = request.get_json().get('resources', []) actions_list = {} results = {} for name in resources: if '/' in name: parts = name.split('/') if len(parts) != 2: results[name] = {'status': 'error', 'error': _(u"Invalid resource name {name}").format(name=name)} continue resource_name, action_name = parts else: resource_name = name action_name = None description = resources[name].get('description') siteresource = getbool(resources[name].get('siteresource')) restricted = getbool(resources[name].get('restricted')) actions_list.setdefault(resource_name, []) resource = Resource.get(name=resource_name, client=g.client) if resource: results[resource.name] = {'status': 'exists', 'actions': {}} if not action_name and resource.description != description: resource.description = description results[resource.name]['status'] = 'updated' if not action_name and resource.siteresource != siteresource: resource.siteresource = siteresource results[resource.name]['status'] = 'updated' if not action_name and resource.restricted != restricted: resource.restricted = restricted results[resource.name]['status'] = 'updated' else: resource = Resource(client=g.client, name=resource_name, title=resources.get(resource_name, {}).get('title') or resource_name.title(), description=resources.get(resource_name, {}).get('description') or u'') db.session.add(resource) results[resource.name] = {'status': 'added', 'actions': {}} if action_name: if action_name not in actions_list[resource_name]: actions_list[resource_name].append(action_name) action = resource.get_action(name=action_name) if action: if description != action.description: action.description = description results[resource.name]['actions'][action.name] = {'status': 'updated'} else: results[resource.name]['actions'][action.name] = {'status': 'exists'} else: # FIXME: What is "title" here? This assignment doesn't seem right action = ResourceAction(resource=resource, name=action_name, title=resources[name].get('title') or action_name.title() + " " + resource.title, description=description) db.session.add(action) results[resource.name]['actions'][action.name] = {'status': 'added'} # Deleting resources & actions not defined in client application. for resource_name in actions_list: resource = Resource.get(name=resource_name, client=g.client) actions = ResourceAction.query.filter( ~ResourceAction.name.in_(actions_list[resource_name]), ResourceAction.resource == resource) for action in actions.all(): results[resource_name]['actions'][action.name] = {'status': 'deleted'} actions.delete(synchronize_session='fetch') del_resources = Resource.query.filter( ~Resource.name.in_(actions_list.keys()), Resource.client == g.client) for resource in del_resources.all(): ResourceAction.query.filter_by(resource=resource).delete(synchronize_session='fetch') results[resource.name] = {'status': 'deleted'} del_resources.delete(synchronize_session='fetch') db.session.commit() return api_result('ok', results=results)
def sync_resources(): resources = request.get_json().get('resources', []) actions_list = {} results = {} for name in resources: if '/' in name: parts = name.split('/') if len(parts) != 2: results[name] = { 'status': 'error', 'error': _(u"Invalid resource name {name}").format(name=name) } continue resource_name, action_name = parts else: resource_name = name action_name = None description = resources[name].get('description') siteresource = getbool(resources[name].get('siteresource')) restricted = getbool(resources[name].get('restricted')) actions_list.setdefault(resource_name, []) resource = Resource.get(name=resource_name, client=g.client) if resource: results[resource.name] = {'status': 'exists', 'actions': {}} if not action_name and resource.description != description: resource.description = description results[resource.name]['status'] = 'updated' if not action_name and resource.siteresource != siteresource: resource.siteresource = siteresource results[resource.name]['status'] = 'updated' if not action_name and resource.restricted != restricted: resource.restricted = restricted results[resource.name]['status'] = 'updated' else: resource = Resource( client=g.client, name=resource_name, title=resources.get(resource_name, {}).get('title') or resource_name.title(), description=resources.get(resource_name, {}).get('description') or u'') db.session.add(resource) results[resource.name] = {'status': 'added', 'actions': {}} if action_name: if action_name not in actions_list[resource_name]: actions_list[resource_name].append(action_name) action = resource.get_action(name=action_name) if action: if description != action.description: action.description = description results[resource.name]['actions'][action.name] = { 'status': 'updated' } else: results[resource.name]['actions'][action.name] = { 'status': 'exists' } else: # FIXME: What is "title" here? This assignment doesn't seem right action = ResourceAction( resource=resource, name=action_name, title=resources[name].get('title') or action_name.title() + " " + resource.title, description=description) db.session.add(action) results[resource.name]['actions'][action.name] = { 'status': 'added' } # Deleting resources & actions not defined in client application. for resource_name in actions_list: resource = Resource.get(name=resource_name, client=g.client) actions = ResourceAction.query.filter( ~ResourceAction.name.in_(actions_list[resource_name]), ResourceAction.resource == resource) for action in actions.all(): results[resource_name]['actions'][action.name] = { 'status': 'deleted' } actions.delete(synchronize_session='fetch') del_resources = Resource.query.filter( ~Resource.name.in_(actions_list.keys()), Resource.client == g.client) for resource in del_resources.all(): ResourceAction.query.filter_by(resource=resource).delete( synchronize_session='fetch') results[resource.name] = {'status': 'deleted'} del_resources.delete(synchronize_session='fetch') db.session.commit() return api_result('ok', results=results)
def make_fixtures(self): """ Create users, attach them to organizations. Create test client app, add test resource, action and message. """ crusoe = User(username=u"crusoe", fullname=u"Crusoe Celebrity Dachshund") oakley = User(username=u"oakley") piglet = User(username=u"piglet") nameless = User(fullname="Nameless") db.session.add_all([crusoe, oakley, piglet, nameless]) self.crusoe = crusoe self.oakley = oakley self.piglet = piglet self.nameless = nameless crusoe_email = UserEmail(email=u"*****@*****.**", primary=True, user=crusoe) crusoe_phone = UserPhone(phone=u"+8080808080", primary=True, user=crusoe) oakley_email = UserEmail(email=u"*****@*****.**", user=oakley) db.session.add_all([crusoe_email, crusoe_phone, oakley_email]) self.crusoe_email = crusoe_email self.crusoe_phone = crusoe_phone batdog = Organization(name=u'batdog', title=u'Batdog') batdog.owners.users.append(crusoe) batdog.members.users.append(oakley) db.session.add(batdog) self.batdog = batdog specialdachs = Organization(name=u"specialdachs", title=u"Special Dachshunds") specialdachs.owners.users.append(oakley) specialdachs.members.users.append(piglet) db.session.add(specialdachs) self.specialdachs = specialdachs client = Client(title=u"Batdog Adventures", org=batdog, confidential=True, namespace=u'fun.batdogadventures.com', website=u"http://batdogadventures.com") db.session.add(client) self.client = client dachshunds = Team(title=u"Dachshunds", org=batdog) db.session.add(dachshunds) self.dachshunds = dachshunds team_client_permission = TeamClientPermissions( team=dachshunds, client=client, access_permissions=u"admin") self.team_client_permission = team_client_permission db.session.add(team_client_permission) client_team_access = ClientTeamAccess( org=batdog, client=client, access_level=CLIENT_TEAM_ACCESS.ALL) db.session.add(client_team_access) bdfl = Permission(name=u"bdfl", title=u"BDFL", user=crusoe) db.session.add(bdfl) self.bdfl = bdfl user_client_permissions = UserClientPermissions(user=crusoe, client=client) db.session.add(user_client_permissions) self.user_client_permissions = user_client_permissions resource = Resource(name=u"test_resource", title=u"Test Resource", client=client) db.session.add(resource) self.resource = resource resource_action = ResourceAction(name=u'Fun', resource=resource, title=u'fun') db.session.add(resource_action) self.resource_action = resource_action action = ResourceAction(name=u"read", title=u"Read", resource=resource) db.session.add(action) self.action = action message = SMSMessage(phone_number=crusoe_phone.phone, transaction_id=u"Ruff" * 5, message=u"Wuff Wuff") db.session.add(message) db.session.commit() self.message = message