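 def _get_or_create_account(self, domain, userid, username):
     """Return the session-stored account for ``(domain, userid)``, creating it if absent.

     Accounts live in the Pylons ``session`` under one key each; the list of
     those keys is kept as a comma-separated string in
     ``session['account_keys']``.

     Args:
         domain: provider domain the account belongs to.
         userid: provider-side user id; together with ``domain`` it identifies
             an existing account.
         username: stored on a newly created account; it is not used for
             lookup, only (with ``userid``) for the metrics hash.

     Returns:
         The account dict (``key``, ``domain``, ``userid``, ``username`` on a
         fresh one; whatever the session holds on an existing one).

     Side effects:
         Emits an ``account-auth`` or ``account-create`` metric; on creation
         appends the new key to ``session['account_keys']``.
     """
     # Metrics-only pseudonym.  An unsalted SHA-1 of low-entropy identifiers
     # can be reversed by guessing, so treat it as a correlation id, not as an
     # anonymised one, if the metrics stream leaves the trust boundary.
     acct_hash = hashlib.sha1(
         "%s#%s" % ((username or '').encode('utf-8'),
                    (userid or '').encode('utf-8'))).hexdigest()
     keys = [k for k in session.get('account_keys', '').split(',') if k]

     for k in keys:
         # A key can be listed in account_keys after its entry has gone from
         # the session; indexing would turn that into a KeyError/500.  The
         # contacts/send handlers tolerate this with session.get(k), so do
         # the same here.
         acct = session.get(k)
         if acct and acct['domain'] == domain and acct['userid'] == userid:
             metrics.track(request, 'account-auth', domain=domain,
                           acct_id=acct_hash)
             return acct

     # No match: mint a new entry.  uuid1 is time/MAC based and therefore
     # guessable, but the key is only ever resolved inside this user's own
     # session, so unpredictability is not relied upon here.
     acct = dict(key=str(uuid1()), domain=domain, userid=userid,
                 username=username)
     metrics.track(request, 'account-create', domain=domain,
                   acct_id=acct_hash)
     keys.append(acct['key'])
     session['account_keys'] = ','.join(keys)
     return acct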
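    def __call__(self, environ, start_response):
        """WSGI middleware entry point: CSRF enforcement plus token injection.

        What this method does (all of it is visible below):
          * makes sure the beaker session carries a ``csrf`` token, minting a
            fresh one on first contact;
          * for a POST outside ``self.unprotected_path``, requires the session
            token in the ``X-CSRF`` header or the ``csrftoken`` form field,
            except when the form carries an ``account`` field (see NOTE);
          * on a 200 response, sets ``X-Frame-Options: SAMEORIGIN``, mirrors
            the token into a ``csrf`` cookie and appends a hidden
            ``csrftoken`` input to every POST form of an HTML body.

        Args:
            environ: WSGI environ; ``environ['beaker.session']`` must exist.
            start_response: the WSGI ``start_response`` callable.

        Returns:
            The iterable produced by the downstream ``self.app`` response, or
            by a 403 ``HTTPForbidden`` carrying ``X-Error: CSRF``.
        """
        import hmac  # local import: the file's import block is out of view here

        request = Request(environ)
        session = environ['beaker.session']
        csrf_token = session.get('csrf')
        if not csrf_token:
            # SystemRandom draws from os.urandom.  Module-level
            # random.getrandbits() is Mersenne Twister output, which can be
            # reconstructed by anyone who observes enough of it -- and this
            # token is handed to every client in a cookie -- so it is not a
            # suitable secret.  str() keeps the stored type the same as before.
            csrf_token = session['csrf'] = str(
                random.SystemRandom().getrandbits(128))
            session.save()

        compare = getattr(hmac, 'compare_digest', None)  # absent before 2.7.7

        def token_matches(supplied):
            """Constant-time compare of a client token against the session one.

            A missing token or a type problem (e.g. non-ASCII text on
            Python 2) is a failed check, never a 500.
            """
            if supplied is None:
                return False
            try:
                a, b = str(supplied), str(csrf_token)
                if compare is None:
                    return a == b
                return compare(a, b)
            except (TypeError, ValueError, UnicodeError):
                return False

        if request.method == 'POST':
            # check to see if we want to process the post at all
            # NOTE(review): plain prefix match -- an unprotected_path of '/x'
            # also exempts '/xyz'.  Anchor with a trailing slash if unintended.
            if (self.unprotected_path is not None
                    and request.path_info.startswith(self.unprotected_path)):
                resp = request.get_response(self.app)
                resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
                resp.set_cookie('csrf', csrf_token, max_age=3600)
                return resp(environ, start_response)

            # check incoming token
            try:
                account_data = request.POST.get('account', None)
                request_csrf_token = environ.get('HTTP_X_CSRF',
                                                 request.POST.get('csrftoken'))
                # NOTE(review): any POST carrying an 'account' field skips the
                # token check entirely, on every protected path.  Handlers in
                # this project json.loads() that field as a client-supplied
                # account blob, presumably on the theory that such a request
                # brings its own credentials; but the session cookie is still
                # attached, and whether those handlers fall back to session
                # state cannot be confirmed from here.  Requiring the token
                # regardless is the safer default.
                if account_data is None and not token_matches(request_csrf_token):
                    resp = HTTPForbidden(_ERROR_MSG)
                    metrics.track(request, 'invalid-session')
                    resp.headers['X-Error'] = 'CSRF'
                else:
                    resp = request.get_response(self.app)
            except KeyError:
                # A body we cannot read is treated as a failed CSRF check.
                resp = HTTPForbidden(_ERROR_MSG)
                resp.headers['X-Error'] = 'CSRF'
        # if we're a get, we don't do any checking
        else:
            resp = request.get_response(self.app)

        if resp.status_int != 200:
            return resp(environ, start_response)

        resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
        # The cookie is script-readable on purpose so XHR callers can echo it
        # in X-CSRF (double-submit).  No Secure flag is set, so it also travels
        # over plain HTTP -- TODO confirm that is acceptable for the deployment.
        resp.set_cookie('csrf', csrf_token, max_age=3600)

        # content_type is None when the response has no Content-Type header
        # (TODO confirm against the WebOb version in use); guard the split.
        if (resp.content_type or '').split(';')[0] in _HTML_TYPES:
            # ensure we don't add the 'id' attribute twice (HTML validity)
            idattributes = itertools.chain(('id="csrfmiddlewaretoken"', ),
                                           itertools.repeat(''))

            def add_csrf_field(match):
                """Returns the matched <form> tag plus the added <input> element"""
                # next() works on Python 2.6+ and 3; .next() is 2-only.
                return match.group() + '<div style="display:none;">' + \
                '<input type="hidden" ' + next(idattributes) + \
                ' name="csrftoken" value="' + csrf_token + \
                '" /></div>'

            # Modify any POST forms and fix content-length
            resp.body = _POST_FORM_RE.sub(add_csrf_field, resp.body)

        return resp(environ, start_response)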
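    def __call__(self, environ, start_response):
        """WSGI middleware entry point: CSRF enforcement plus token injection.

        What this method does (all of it is visible below):
          * makes sure the beaker session carries a ``csrf`` token, minting a
            fresh one on first contact;
          * for a POST outside ``self.unprotected_path``, requires the session
            token in the ``X-CSRF`` header or the ``csrftoken`` form field,
            except when the form carries an ``account`` field (see NOTE);
          * on a 200 response, sets ``X-Frame-Options: SAMEORIGIN``, mirrors
            the token into a ``csrf`` cookie and appends a hidden
            ``csrftoken`` input to every POST form of an HTML body.

        Args:
            environ: WSGI environ; ``environ['beaker.session']`` must exist.
            start_response: the WSGI ``start_response`` callable.

        Returns:
            The iterable produced by the downstream ``self.app`` response, or
            by a 403 ``HTTPForbidden`` carrying ``X-Error: CSRF``.
        """
        import hmac  # local import: the file's import block is out of view here

        request = Request(environ)
        session = environ['beaker.session']
        csrf_token = session.get('csrf')
        if not csrf_token:
            # SystemRandom draws from os.urandom.  Module-level
            # random.getrandbits() is Mersenne Twister output, which can be
            # reconstructed by anyone who observes enough of it -- and this
            # token is handed to every client in a cookie -- so it is not a
            # suitable secret.  str() keeps the stored type the same as before.
            csrf_token = session['csrf'] = str(
                random.SystemRandom().getrandbits(128))
            session.save()

        compare = getattr(hmac, 'compare_digest', None)  # absent before 2.7.7

        def token_matches(supplied):
            """Constant-time compare of a client token against the session one.

            A missing token or a type problem (e.g. non-ASCII text on
            Python 2) is a failed check, never a 500.
            """
            if supplied is None:
                return False
            try:
                a, b = str(supplied), str(csrf_token)
                if compare is None:
                    return a == b
                return compare(a, b)
            except (TypeError, ValueError, UnicodeError):
                return False

        if request.method == 'POST':
            # check to see if we want to process the post at all
            # NOTE(review): plain prefix match -- an unprotected_path of '/x'
            # also exempts '/xyz'.  Anchor with a trailing slash if unintended.
            if (self.unprotected_path is not None
                and request.path_info.startswith(self.unprotected_path)):
                resp = request.get_response(self.app)
                resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
                resp.set_cookie('csrf', csrf_token, max_age=3600)
                return resp(environ, start_response)

            # check incoming token
            try:
                account_data = request.POST.get('account', None)
                request_csrf_token = environ.get('HTTP_X_CSRF', request.POST.get('csrftoken'))
                # NOTE(review): any POST carrying an 'account' field skips the
                # token check entirely, on every protected path.  Handlers in
                # this project json.loads() that field as a client-supplied
                # account blob, presumably on the theory that such a request
                # brings its own credentials; but the session cookie is still
                # attached, and whether those handlers fall back to session
                # state cannot be confirmed from here.  Requiring the token
                # regardless is the safer default.
                if account_data is None and not token_matches(request_csrf_token):
                    resp = HTTPForbidden(_ERROR_MSG)
                    metrics.track(request, 'invalid-session')
                    resp.headers['X-Error'] = 'CSRF'
                else:
                    resp = request.get_response(self.app)
            except KeyError:
                # A body we cannot read is treated as a failed CSRF check.
                resp = HTTPForbidden(_ERROR_MSG)
                resp.headers['X-Error'] = 'CSRF'
        # if we're a get, we don't do any checking
        else:
            resp = request.get_response(self.app)

        if resp.status_int != 200:
            return resp(environ, start_response)

        resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
        # The cookie is script-readable on purpose so XHR callers can echo it
        # in X-CSRF (double-submit).  No Secure flag is set, so it also travels
        # over plain HTTP -- TODO confirm that is acceptable for the deployment.
        resp.set_cookie('csrf', csrf_token, max_age=3600)

        # content_type is None when the response has no Content-Type header
        # (TODO confirm against the WebOb version in use); guard the split.
        if (resp.content_type or '').split(';')[0] in _HTML_TYPES:
            # ensure we don't add the 'id' attribute twice (HTML validity)
            idattributes = itertools.chain(('id="csrfmiddlewaretoken"',),
                                            itertools.repeat(''))
            def add_csrf_field(match):
                """Returns the matched <form> tag plus the added <input> element"""
                # next() works on Python 2.6+ and 3; .next() is 2-only.
                return match.group() + '<div style="display:none;">' + \
                '<input type="hidden" ' + next(idattributes) + \
                ' name="csrftoken" value="' + csrf_token + \
                '" /></div>'

            # Modify any POST forms and fix content-length
            resp.body = _POST_FORM_RE.sub(add_csrf_field, resp.body)

        return resp(environ, start_response)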
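 def _get_or_create_account(self, domain, userid, username):
     """Return the session-stored account for ``(domain, userid)``, creating it if absent.

     Accounts live in the Pylons ``session`` under one key each; the list of
     those keys is kept as a comma-separated string in
     ``session['account_keys']``.

     Args:
         domain: provider domain the account belongs to.
         userid: provider-side user id; together with ``domain`` it identifies
             an existing account.
         username: stored on a newly created account; it is not used for
             lookup, only (with ``userid``) for the metrics hash.

     Returns:
         The account dict (``key``, ``domain``, ``userid``, ``username`` on a
         fresh one; whatever the session holds on an existing one).

     Side effects:
         Emits an ``account-auth`` or ``account-create`` metric; on creation
         appends the new key to ``session['account_keys']``.
     """
     # Metrics-only pseudonym.  An unsalted SHA-1 of low-entropy identifiers
     # can be reversed by guessing, so treat it as a correlation id, not as an
     # anonymised one, if the metrics stream leaves the trust boundary.
     acct_hash = hashlib.sha1(
         "%s#%s" % ((username or "").encode("utf-8"),
                    (userid or "").encode("utf-8"))).hexdigest()
     keys = [k for k in session.get("account_keys", "").split(",") if k]

     for k in keys:
         # A key can be listed in account_keys after its entry has gone from
         # the session; indexing would turn that into a KeyError/500.  The
         # contacts/send handlers tolerate this with session.get(k), so do
         # the same here.
         acct = session.get(k)
         if acct and acct["domain"] == domain and acct["userid"] == userid:
             metrics.track(request, "account-auth", domain=domain,
                           acct_id=acct_hash)
             return acct

     # No match: mint a new entry.  uuid1 is time/MAC based and therefore
     # guessable, but the key is only ever resolved inside this user's own
     # session, so unpredictability is not relied upon here.
     acct = dict(key=str(uuid1()), domain=domain, userid=userid,
                 username=username)
     metrics.track(request, "account-create", domain=domain,
                   acct_id=acct_hash)
     keys.append(acct["key"])
     session["account_keys"] = ",".join(keys)
     return acct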
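 def _get_or_create_account(self, domain, userid, username):
     """Return the session-stored account for ``(domain, userid)``, creating it if absent.

     Accounts live in the Pylons ``session`` under one key each; the list of
     those keys is kept as a comma-separated string in
     ``session['account_keys']``.

     Args:
         domain: provider domain the account belongs to.
         userid: provider-side user id; together with ``domain`` it identifies
             an existing account.
         username: stored on a newly created account; it is not used for
             lookup, only (with ``userid``) for the metrics hash.

     Returns:
         The account dict (``key``, ``domain``, ``userid``, ``username`` on a
         fresh one; whatever the session holds on an existing one).

     Side effects:
         Emits an ``account-auth`` or ``account-create`` metric; on creation
         appends the new key to ``session['account_keys']``.
     """
     # Metrics-only pseudonym.  An unsalted SHA-1 of low-entropy identifiers
     # can be reversed by guessing, so treat it as a correlation id, not as an
     # anonymised one, if the metrics stream leaves the trust boundary.
     acct_hash = hashlib.sha1(
         "%s#%s" % ((username or '').encode('utf-8'),
                    (userid or '').encode('utf-8'))).hexdigest()
     keys = [k for k in session.get('account_keys', '').split(',') if k]

     for k in keys:
         # A key can be listed in account_keys after its entry has gone from
         # the session; indexing would turn that into a KeyError/500.  The
         # contacts/send handlers tolerate this with session.get(k), so do
         # the same here.
         acct = session.get(k)
         if acct and acct['domain'] == domain and acct['userid'] == userid:
             metrics.track(request, 'account-auth', domain=domain,
                           acct_id=acct_hash)
             return acct

     # No match: mint a new entry.  uuid1 is time/MAC based and therefore
     # guessable, but the key is only ever resolved inside this user's own
     # session, so unpredictability is not relied upon here.
     acct = dict(key=str(uuid1()), domain=domain, userid=userid,
                 username=username)
     metrics.track(request, 'account-create', domain=domain,
                   acct_id=acct_hash)
     keys.append(acct['key'])
     session['account_keys'] = ','.join(keys)
     return acct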
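def json_exception_response(func, *args, **kwargs):
    """Call ``func`` and turn any non-HTTP exception into a JSON-style error dict.

    Shaped as a decorator body: ``func`` is the wrapped view and ``args`` its
    positional arguments, the first of which ``get_pylons`` is expected to
    resolve to the Pylons request.

    Args:
        func: the callable to invoke.
        *args, **kwargs: forwarded verbatim to ``func``.

    Returns:
        ``func``'s own return value on success; otherwise
        ``{'result': None, 'error': {'name': <exception class name>,
        'message': str(e)}}``.  The HTTP status is not touched, so errors are
        signalled only in the payload.

    Raises:
        HTTPException: re-raised untouched so the framework renders it.
    """
    try:
        return func(*args, **kwargs)
    except HTTPException:
        raise
    except Exception as e:  # 'as' works on 2.6+ and 3; 'except X, e' is 2-only
        # NOTE(review): this logs every positional/keyword argument.  Views in
        # this project receive account dicts and request data, so the log line
        # can capture credentials or tokens verbatim -- confirm what the wrapped
        # views are called with and redact before logging if necessary.
        log.exception("%s(%s, %s) failed", func, args, kwargs)
        # getattr: a functools.partial or other callable without __name__ must
        # not raise inside the handler and mask the original failure.
        metrics.track(get_pylons(args).request, 'unhandled-exception',
                      function=getattr(func, '__name__', repr(func)),
                      error=e.__class__.__name__)
        # NOTE(review): str(e) goes back to the client unchanged.  Exception
        # text often carries internal detail (paths, backend error strings); a
        # generic message plus a correlation id is the safer contract if
        # clients do not depend on the exact wording.
        return {
            'result': None,
            'error': {
                'name': e.__class__.__name__,
                'message': str(e)
            }
        }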
    def get(self, domain):
        """Fetch the contact list for this session's account on ``domain``.

        Inputs are read from the POST body (``username``, ``userid``,
        ``group``, ``startindex``, ``maxresults``, ``account``); ``domain``
        comes from the route.  The visible code picks an account -- either the
        client-supplied ``account`` JSON blob or a matching entry from the
        session -- and calls ``provider.api(acct).getcontacts``.

        Returns:
            ``{'result': None, 'error': {...'status': 401}}`` on the early
            exits shown here.  NOTE(review): the listing stops inside the
            ``except`` branch; the success-path return is not visible.
        """
        username = request.POST.get('username')
        userid = request.POST.get('userid')
        group = request.POST.get('group', None)
        # NOTE(review): int() on client input raises ValueError for
        # non-numeric values, and nothing bounds negative or very large
        # values before they reach the provider.
        startIndex = int(request.POST.get('startindex', '0'))
        maxResults = int(request.POST.get('maxresults', '25'))
        # NOTE(review): ''.split(',') is [''] (truthy), so `if not keys`
        # below can never fire; a missing session falls through to the
        # 'contacts-noaccount' 401 instead.  Dropping empty keys, as
        # _get_or_create_account does, would restore the intended check.
        keys = session.get('account_keys', '').split(',')
        account_data = request.POST.get('account', None)
        if not keys:
            error = {
                'provider': domain,
                'message': "no user session exists, auth required",
                'status': 401
            }
            metrics.track(request, 'contacts-unauthed', domain=domain)
            return {'result': None, 'error': error}
        provider = get_provider(domain)

        # even if we have a session key, we must have an account for that
        # user for the specified domain.
        if account_data is not None:
            # NOTE(review): the account -- including whatever credentials
            # provider.api() needs -- is taken verbatim from the client and is
            # never reconciled with the session.  Whether provider.api() falls
            # back to session state for missing fields cannot be confirmed
            # here.  The CSRF middleware in this project also skips its token
            # check when an 'account' field is present, so this path is
            # reachable cross-site.  json.loads on malformed input raises.
            acct = json.loads(account_data)
        else:
            # support for old accounts in the session store
            acct = None
            for k in keys:
                a = session.get(k)
                # NOTE(review): 'and' binds tighter than 'or', so this reads as
                #   (not username) or (username matches and not userid)
                #   or (userid matches)
                # which is probably not what the parenthesisation intends.
                # Only this user's own session entries are candidates, so the
                # effect is choosing the wrong one of the user's accounts.
                if a and a.get('domain') == domain and (
                        not username or a.get('username') == username
                        and not userid or a.get('userid') == userid):
                    acct = a
                    break
        if not acct:
            metrics.track(request, 'contacts-noaccount', domain=domain)
            error = {
                'provider': domain,
                'message': "not logged in or no user account for that domain",
                'status': 401
            }
            return {'result': None, 'error': error}

        try:
            result, error = provider.api(acct).getcontacts(
                startIndex, maxResults, group)
        except OAuthKeysException, e:  # Python 2-only syntax; `e` is unused
            # more than likely we're missing oauth tokens for some reason.
            error = {
                'provider': domain,
                'message': "not logged in or no user account for that domain",
                'status': 401
            }
            result = None
            metrics.track(request,
                          'contacts-oauth-keys-missing',
                          domain=domain)
    def get(self, domain):
        """Fetch the contact list for this session's account on ``domain``.

        Inputs are read from the POST body (``username``, ``userid``,
        ``group``, ``startindex``, ``maxresults``, ``account``); ``domain``
        comes from the route.  The visible code picks an account -- either the
        client-supplied ``account`` JSON blob or a matching entry from the
        session -- and calls ``provider.api(acct).getcontacts``.

        Returns:
            ``{'result': None, 'error': {...'status': 401}}`` on the early
            exits shown here.  NOTE(review): the listing stops inside the
            ``except`` branch; the success-path return is not visible.
        """
        username = request.POST.get('username')
        userid = request.POST.get('userid')
        group = request.POST.get('group', None)
        # NOTE(review): int() on client input raises ValueError for
        # non-numeric values, and nothing bounds negative or very large
        # values before they reach the provider.
        startIndex = int(request.POST.get('startindex','0'))
        maxResults = int(request.POST.get('maxresults','25'))
        # NOTE(review): ''.split(',') is [''] (truthy), so `if not keys`
        # below can never fire; a missing session falls through to the
        # 'contacts-noaccount' 401 instead.  Dropping empty keys, as
        # _get_or_create_account does, would restore the intended check.
        keys = session.get('account_keys', '').split(',')
        account_data = request.POST.get('account', None)
        if not keys:
            error = {'provider': domain,
                     'message': "no user session exists, auth required",
                     'status': 401
            }
            metrics.track(request, 'contacts-unauthed', domain=domain)
            return {'result': None, 'error': error}
        provider = get_provider(domain)

        # even if we have a session key, we must have an account for that
        # user for the specified domain.
        if account_data is not None:
            # NOTE(review): the account -- including whatever credentials
            # provider.api() needs -- is taken verbatim from the client and is
            # never reconciled with the session.  Whether provider.api() falls
            # back to session state for missing fields cannot be confirmed
            # here.  The CSRF middleware in this project also skips its token
            # check when an 'account' field is present, so this path is
            # reachable cross-site.  json.loads on malformed input raises.
            acct = json.loads(account_data)
        else:
            # support for old accounts in the session store
            acct = None
            for k in keys:
                a = session.get(k)
                # NOTE(review): 'and' binds tighter than 'or', so this reads as
                #   (not username) or (username matches and not userid)
                #   or (userid matches)
                # which is probably not what the parenthesisation intends.
                # Only this user's own session entries are candidates, so the
                # effect is choosing the wrong one of the user's accounts.
                if a and a.get('domain') == domain and (not username or a.get('username')==username and not userid or a.get('userid')==userid):
                    acct = a
                    break
        if not acct:
            metrics.track(request, 'contacts-noaccount', domain=domain)
            error = {'provider': domain,
                     'message': "not logged in or no user account for that domain",
                     'status': 401
            }
            return {'result': None, 'error': error}

        try:
            result, error = provider.api(acct).getcontacts(startIndex, maxResults, group)
        except OAuthKeysException, e:  # Python 2-only syntax; `e` is unused
            # more than likely we're missing oauth tokens for some reason.
            error = {'provider': domain,
                     'message': "not logged in or no user account for that domain",
                     'status': 401
            }
            result = None
            metrics.track(request, 'contacts-oauth-keys-missing', domain=domain)
    def send(self):
        """Post a message through the provider for ``domain`` on the user's behalf.

        Everything is read from the POST body: ``domain`` (required),
        ``message``, ``username``, ``userid``, ``link``/``shorten``/``shorturl``,
        ``to`` and an optional client-supplied ``account`` JSON blob.  The
        visible code resolves an account, optionally shortens the link, then
        calls ``provider.api(acct).sendmessage(message, args)``.

        Returns:
            ``{'result': result, 'error': error}``; the early exits shown here
            set ``error`` to an INVALID_PARAMS or 401-style dict.
            NOTE(review): the listing ends inside the ``except`` branch, so
            the success-path return is not visible.
        """
        result = {}
        error = None
        # If we don't have a key in our session we bail early with a
        # 401
        domain = request.POST.get('domain')
        message = request.POST.get('message', '')
        username = request.POST.get('username')
        longurl = request.POST.get('link')
        shorten = asbool(request.POST.get('shorten', 0))
        shorturl = request.POST.get('shorturl')
        userid = request.POST.get('userid')
        # `to` is read but not used below; the provider gets it via `args`.
        to = request.POST.get('to')
        account_data = request.POST.get('account', None)
        if not domain:
            error = {
                'message': "'domain' is not optional",
                'code': constants.INVALID_PARAMS
            }
            return {'result': result, 'error': error}
        # NOTE(review): ''.split(',') is [''] (truthy), so `if not keys`
        # can never fire; a missing session ends up as 'send-noaccount'
        # instead.  Dropping empty keys, as _get_or_create_account does,
        # would restore the intended check.
        keys = session.get('account_keys', '').split(',')
        if not keys:
            error = {'provider': domain,
                     'message': "no user session exists, auth required",
                     'status': 401
            }
            metrics.track(request, 'send-unauthed', domain=domain)
            return {'result': result, 'error': error}

        provider = get_provider(domain)
        # even if we have a session key, we must have an account for that
        # user for the specified domain.
        if account_data is not None:
            # NOTE(review): the account (and whatever credentials
            # provider.api() needs from it) is taken verbatim from the client
            # and never reconciled with the session.  The CSRF middleware in
            # this project also skips its token check when an 'account' field
            # is present, so this path is reachable cross-site; whether
            # provider.api() falls back to session state for missing fields
            # cannot be confirmed here.  json.loads on malformed input raises.
            acct = json.loads(account_data)
        else:
            # support for old account data in session store
            acct = None
            for k in keys:
                a = session.get(k)
                # NOTE(review): with neither username nor userid supplied both
                # sides compare None == None, so a stored account lacking the
                # 'username' key would match.  Candidates are this user's own
                # session entries only.
                if a and a.get('domain') == domain and (a.get('username')==username or a.get('userid')==userid):
                    acct = a
                    break
        if not acct:
            metrics.track(request, 'send-noaccount', domain=domain)
            error = {'provider': domain,
                     'message': "not logged in or no user account for that domain",
                     'status': 401
            }
            return {'result': result, 'error': error}

        # The entire POST multidict -- every client-supplied field, not just
        # the ones read above -- is forwarded to the provider.
        args = copy.copy(request.POST)
        if shorten and not shorturl and longurl:
            link_timer = metrics.start_timer(request, long_url=longurl)
            u = urlparse(longurl)
            # NOTE(review): only the *absence* of a scheme is handled; any
            # scheme the client supplies passes through unchanged to
            # shorten_link(), which is not visible here -- confirm it limits
            # itself to http/https before fetching or registering the URL.
            if not u.scheme:
                longurl = 'http://' + longurl
            shorturl = shorten_link(longurl)
            link_timer.track('link-shorten', short_url=shorturl)
            args['shorturl'] = shorturl

        # Metrics pseudonym only; an unsalted SHA-1 of guessable identifiers
        # is not an anonymised id.
        acct_hash = hashlib.sha1("%s#%s" % ((username or '').encode('utf-8'), (userid or '').encode('utf-8'))).hexdigest()
        timer = metrics.start_timer(request, domain=domain, message_len=len(message),
                                    long_url=longurl, short_url=shorturl, acct_id=acct_hash)
        # send the item.
        try:
            result, error = provider.api(acct).sendmessage(message, args)
        except OAuthKeysException, e:  # Python 2-only syntax; `e` is unused
            # XXX - I doubt we really want a full exception logged here?
            #log.exception('error providing item to %s: %s', domain, e)
            # XXX we need to handle this better, but if for some reason the
            # oauth values are bad we will get a ValueError raised
            error = {'provider': domain,
                     'message': "not logged in or no user account for that domain",
                     'status': 401
            }
            
            metrics.track(request, 'send-oauth-keys-missing', domain=domain)
            timer.track('send-error', error=error)
            return {'result': result, 'error': error}
    def send(self):
        """Post a message through the provider for ``domain`` on the user's behalf.

        Everything is read from the POST body: ``domain`` (required),
        ``message``, ``username``, ``userid``, ``link``/``shorten``/``shorturl``,
        ``to`` and an optional client-supplied ``account`` JSON blob.  The
        visible code resolves an account, optionally shortens the link, then
        calls ``provider.api(acct).sendmessage(message, args)``.

        Returns:
            ``{'result': result, 'error': error}``; the early exits shown here
            set ``error`` to an INVALID_PARAMS or 401-style dict.
            NOTE(review): the listing ends inside the ``except`` branch, so
            the success-path return is not visible.
        """
        result = {}
        error = None
        # If we don't have a key in our session we bail early with a
        # 401
        domain = request.POST.get('domain')
        message = request.POST.get('message', '')
        username = request.POST.get('username')
        longurl = request.POST.get('link')
        shorten = asbool(request.POST.get('shorten', 0))
        shorturl = request.POST.get('shorturl')
        userid = request.POST.get('userid')
        # `to` is read but not used below; the provider gets it via `args`.
        to = request.POST.get('to')
        account_data = request.POST.get('account', None)
        if not domain:
            error = {
                'message': "'domain' is not optional",
                'code': constants.INVALID_PARAMS
            }
            return {'result': result, 'error': error}
        # NOTE(review): ''.split(',') is [''] (truthy), so `if not keys`
        # can never fire; a missing session ends up as 'send-noaccount'
        # instead.  Dropping empty keys, as _get_or_create_account does,
        # would restore the intended check.
        keys = session.get('account_keys', '').split(',')
        if not keys:
            error = {
                'provider': domain,
                'message': "no user session exists, auth required",
                'status': 401
            }
            metrics.track(request, 'send-unauthed', domain=domain)
            return {'result': result, 'error': error}

        provider = get_provider(domain)
        # even if we have a session key, we must have an account for that
        # user for the specified domain.
        if account_data is not None:
            # NOTE(review): the account (and whatever credentials
            # provider.api() needs from it) is taken verbatim from the client
            # and never reconciled with the session.  The CSRF middleware in
            # this project also skips its token check when an 'account' field
            # is present, so this path is reachable cross-site; whether
            # provider.api() falls back to session state for missing fields
            # cannot be confirmed here.  json.loads on malformed input raises.
            acct = json.loads(account_data)
        else:
            # support for old account data in session store
            acct = None
            for k in keys:
                a = session.get(k)
                # NOTE(review): with neither username nor userid supplied both
                # sides compare None == None, so a stored account lacking the
                # 'username' key would match.  Candidates are this user's own
                # session entries only.
                if a and a.get('domain') == domain and (
                        a.get('username') == username
                        or a.get('userid') == userid):
                    acct = a
                    break
        if not acct:
            metrics.track(request, 'send-noaccount', domain=domain)
            error = {
                'provider': domain,
                'message': "not logged in or no user account for that domain",
                'status': 401
            }
            return {'result': result, 'error': error}

        # The entire POST multidict -- every client-supplied field, not just
        # the ones read above -- is forwarded to the provider.
        args = copy.copy(request.POST)
        if shorten and not shorturl and longurl:
            link_timer = metrics.start_timer(request, long_url=longurl)
            u = urlparse(longurl)
            # NOTE(review): only the *absence* of a scheme is handled; any
            # scheme the client supplies passes through unchanged to
            # shorten_link(), which is not visible here -- confirm it limits
            # itself to http/https before fetching or registering the URL.
            if not u.scheme:
                longurl = 'http://' + longurl
            shorturl = shorten_link(longurl)
            link_timer.track('link-shorten', short_url=shorturl)
            args['shorturl'] = shorturl

        # Metrics pseudonym only; an unsalted SHA-1 of guessable identifiers
        # is not an anonymised id.
        acct_hash = hashlib.sha1("%s#%s" %
                                 ((username or '').encode('utf-8'),
                                  (userid or '').encode('utf-8'))).hexdigest()
        timer = metrics.start_timer(request,
                                    domain=domain,
                                    message_len=len(message),
                                    long_url=longurl,
                                    short_url=shorturl,
                                    acct_id=acct_hash)
        # send the item.
        try:
            result, error = provider.api(acct).sendmessage(message, args)
        except OAuthKeysException, e:  # Python 2-only syntax; `e` is unused
            # XXX - I doubt we really want a full exception logged here?
            #log.exception('error providing item to %s: %s', domain, e)
            # XXX we need to handle this better, but if for some reason the
            # oauth values are bad we will get a ValueError raised
            error = {
                'provider': domain,
                'message': "not logged in or no user account for that domain",
                'status': 401
            }

            metrics.track(request, 'send-oauth-keys-missing', domain=domain)
            timer.track('send-error', error=error)
            return {'result': result, 'error': error}