Esempio n. 1
    def verify_request(self, request):
        """Decide whether the incoming service request may proceed.

        Returns ``False`` when the OWS service type is not allowed or when
        looking up the service raises.  Returns ``True`` for services flagged
        ``public`` and for requests that ``OWSRequest.public_access()``
        reports as public.  Otherwise the result depends on the service's
        ``auth`` setting: ``'cert'`` relies on the client-certificate result
        reported in the ``X-Ssl-Client-Verify`` header, any other value on an
        OAuth2 token check for the ``compute`` scope.
        """
        parsed = OWSRequest(request)
        if parsed.service_allowed() is False:
            return False

        try:
            name = request.matchdict.get('service_name')
            entry = request.owsregistry.get_service_by_name(name)
        except Exception:
            # Fail closed: any error while resolving the service denies access.
            return False

        # Public services and public OWS operations need no credentials.
        if entry.get('public', False) is True or parsed.public_access() is True:
            return True

        if entry.get('auth', '') != 'cert':
            # Verify the OAuth token for the compute scope.
            return request.verify_request(scopes=["compute"])

        # The certificate itself is not inspected here; nginx performs the
        # verification and reports the outcome in this header.  No subject or
        # identity is compared in this block, so every certificate the proxy
        # accepts is treated alike.
        # NOTE(review): the header value is trusted as received. The proxy must
        # overwrite any client-supplied X-Ssl-Client-Verify and the application
        # must only be reachable through that proxy - confirm in deployment.
        return request.headers.get('X-Ssl-Client-Verify', '') == 'SUCCESS'
Esempio n. 2
 def check_request(self, request):
     """Enforce access control for requests under the protected path.

     Requests whose path does not start with ``protected_path`` are not
     checked at all.  For protected paths a service registered as public is
     let through after logging; every other request must name an allowed OWS
     service and, unless the OWS operation is public, carry an access token
     that is known to the token store and not expired.

     Raises:
         OWSInvalidParameterValue: the OWS service type is not allowed.
         OWSAccessForbidden: the token is missing, unknown or expired.
     """
     # NOTE(review): plain prefix match. Anything that does not match is passed
     # without a check here, so routing has to guarantee that protected
     # services are reachable only under this prefix.
     if not request.path.startswith(protected_path):
         return

     # TODO: fix this code
     try:
         service_name = parse_service_name(request.path)
     except ValueError:
         service_name = None

     # Public services skip OWS parsing, the allowed-service check and the
     # token check altogether.
     if service_name and self.service_registry.is_public(service_name):
         logger.info('public access for service %s', service_name)
         return

     parsed = OWSRequest(request)
     if not parsed.service_allowed():
         raise OWSInvalidParameterValue(
             "service %s not supported" % parsed.service, value="service")
     if parsed.public_access():
         return

     try:
         token_value = self.get_token_param(request)
         grant = self.tokenstore.fetch_by_token(token_value)
         if not grant:
             raise AccessTokenNotFound()
         if grant.is_expired():
             raise OWSAccessForbidden("Access token is expired.")
         # Update the request with the user environ stored on the access token.
         # NOTE(review): these values overwrite existing environ keys - confirm
         # that user_environ can only hold keys the token issuer controls.
         request.environ.update(grant.user_environ)
     except AccessTokenNotFound:
         raise OWSAccessForbidden("Access token is required to access this service.")
Esempio n. 3
 def test_post_getcaps_request(self):
     """A POSTed GetCapabilities document yields lower-cased request and service names."""
     dummy = DummyRequest(post={})
     dummy.body = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
     <GetCapabilities service="WPS" acceptVersions="1.0.0" language="en-CA"/>"""
     parsed = OWSRequest(dummy)
     # The operation comes from the root element, the service from its attribute.
     assert parsed.request == 'getcapabilities'
     assert parsed.service == 'wps'
Esempio n. 4
 def test_get_execute_request(self):
     """Query parameters of a GET Execute request are normalised to lower case."""
     query = {"request": "execute", "service": "Wps", "version": "1.0.0"}
     parsed = OWSRequest(DummyRequest(params=query))
     # "Wps" is given in mixed case on purpose; the parsed value is lower case.
     assert parsed.request == 'execute'
     assert parsed.service == 'wps'
     assert parsed.version == '1.0.0'
Esempio n. 5
 def test_get_getmetadata_request(self):
     """Upper-case parameter names and mixed-case values are accepted for GetMetadata."""
     query = {"REQUEST": "GetMetadata", "SERVICE": "WMS", "VERSION": "1.3.0"}
     parsed = OWSRequest(DummyRequest(params=query))
     # Parameter names are upper case here, so name matching is case-insensitive.
     assert parsed.request == 'getmetadata'
     assert parsed.service == 'wms'
     assert parsed.version == '1.3.0'
Esempio n. 6
 def test_get_describeprocess_request(self):
     """A GET DescribeProcess request is parsed into request, service and version."""
     query = {
         "request": "DescribeProcess",
         "service": "wps",
         "version": "1.0.0",
     }
     parsed = OWSRequest(DummyRequest(params=query))
     assert parsed.request == 'describeprocess'
     assert parsed.service == 'wps'
     assert parsed.version == '1.0.0'
Esempio n. 7
 def test_get_getcaps_request_downcase(self):
     """An already lower-case operation name with upper-case parameter names parses cleanly."""
     query = {
         "REQUEST": "getcapabilities",
         "SERVICE": "WMS",
         "VERSION": "1.3.0",
     }
     parsed = OWSRequest(DummyRequest(params=query))
     assert parsed.request == 'getcapabilities'
     assert parsed.service == 'wms'
     assert parsed.version == '1.3.0'
Esempio n. 8
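 def check_request(self, request):
     """Enforce access control for requests under the configured protected path.

     The prefix is read from the ``twitcher.ows_proxy_protected_path`` setting
     and defaults to ``/ows``.  Requests outside that prefix are not checked.
     For protected requests the target service is looked up in the service
     store; an unknown service is replaced by a non-public, token-protected
     placeholder.  The OWS service type must be allowed, and unless the OWS
     operation is public the decision is delegated to ``self.verify_access``.

     Raises:
         OWSInvalidParameterValue: the OWS service type is not allowed.
     """
     # The settings key previously ended in a stray space, so a configured
     # value could never be found and the default '/ows' was always used.
     # That left any custom protected prefix unguarded by this check.
     protected_path = request.registry.settings.get('twitcher.ows_proxy_protected_path', '/ows')
     # NOTE(review): plain prefix match. Requests that do not match are passed
     # without any check here, so routing must keep protected services under
     # this prefix.
     if request.path.startswith(protected_path):
         # TODO: refactor this code
         try:
             service_name = parse_service_name(request.path, protected_path)
             service = self.servicestore.fetch_by_name(service_name)
             if service.public is True:
                 # Only logged at this point; how a public service is honoured
                 # is up to verify_access, which is not visible in this block.
                 LOGGER.warning('public access for service %s', service_name)
         except ServiceNotFound:
             # TODO: why not raising an exception?
             # Fail closed: an unregistered service is treated as non-public
             # and token-protected.
             service = Service(url='unregistered', public=False, auth='token')
             LOGGER.warning("Service not registered.")
         ows_request = OWSRequest(request)
         if not ows_request.service_allowed():
             raise OWSInvalidParameterValue(
                 "service %s not supported" % ows_request.service, value="service")
         if not ows_request.public_access():
             self.verify_access(request, service)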
Esempio n. 9
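 def test_get_getcaps_request(self):
     """A WMS GetCapabilities request is parsed, public and of an allowed service type."""
     params = dict(request="GetCapabilities",
                   service="WMS",
                   version="1.1.1")
     request = DummyRequest(params=params)
     ows_req = OWSRequest(request)
     assert ows_req.request == 'getcapabilities'
     assert ows_req.service == 'wms'
     assert ows_req.version == '1.1.1'
     # Call the access-control predicates. A bare method reference is always
     # truthy, so asserting on the attribute itself could never fail.
     # NOTE(review): assumes both are plain methods, not properties - confirm.
     assert ows_req.public_access()
     assert ows_req.service_allowed()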
Esempio n. 10
 def test_post_describeprocess_request(self):
     """A POSTed DescribeProcess document yields request, service and version."""
     dummy = DummyRequest(post={})
     dummy.body = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
     <DescribeProcess service="WPS" version="1.0.0" language="en" xmlns:ows="http://www.opengis.net/ows/1.1">
       <ows:Identifier>intersection</ows:Identifier>
       <ows:Identifier>union</ows:Identifier>
     </DescribeProcess>"""
     parsed = OWSRequest(dummy)
     # Only the root element and its attributes are asserted on, not the identifiers.
     assert parsed.request == 'describeprocess'
     assert parsed.service == 'wps'
     assert parsed.version == '1.0.0'
Esempio n. 11
    def test_post_execute_request(self):
        """A full, namespaced WPS Execute document is recognised as an execute request."""
        dummy = DummyRequest(post={})
        # The root element carries a namespace prefix (wps:Execute); the parsed
        # operation name is expected without it.
        dummy.body = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
        <wps:Execute service="WPS" version="1.0.0"
            xmlns:wps="http://www.opengis.net/wps/1.0.0"
            xmlns:ows="http://www.opengis.net/ows/1.1"
            xmlns:xlink="http://www.w3.org/1999/xlink"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://www.opengis.net/wps/1.0.0/../wpsExecute_request.xsd">
    <ows:Identifier>Buffer</ows:Identifier>
    <wps:DataInputs>
        <wps:Input>
            <ows:Identifier>InputPolygon</ows:Identifier>
            <ows:Title>Playground area</ows:Title>
            <wps:Reference xlink:href="http://foo.bar/some_WFS_request.xml"/>
        </wps:Input>
        <wps:Input>
            <ows:Identifier>BufferDistance</ows:Identifier>
            <ows:Title>Distance which people will walk to get to a playground.</ows:Title>
            <wps:Data>
                <wps:LiteralData>400</wps:LiteralData>
            </wps:Data>
        </wps:Input>
    </wps:DataInputs>
    <wps:ResponseForm>
        <wps:ResponseDocument storeExecuteResponse="true">
            <wps:Output asReference="true">
                <ows:Identifier>BufferedPolygon</ows:Identifier>
                <ows:Title>Area serviced by playground.</ows:Title>
                <ows:Abstract>Area within which most users of this playground will live.</ows:Abstract>
            </wps:Output>
        </wps:ResponseDocument>
    </wps:ResponseForm>
</wps:Execute>"""
        parsed = OWSRequest(dummy)
        assert parsed.request == 'execute'
        assert parsed.service == 'wps'
        assert parsed.version == '1.0.0'
Esempio n. 12
 def test_get_missing_service(self):
     """A request without a ``service`` parameter is rejected while parsing."""
     query = {"request": "Execute", "version": "1.0.0"}
     dummy = DummyRequest(params=query)
     # Constructing the OWSRequest is what raises; no later check is involved.
     with pytest.raises(OWSMissingParameterValue):
         OWSRequest(dummy)
Esempio n. 13
    def test_get_invalid_request(self):
        """An unknown operation name on a valid service is rejected while parsing."""
        query = {"REQUEST": "givememore", "SERVICE": "WMS", "VERSION": "1.3.0"}
        dummy = DummyRequest(params=query)

        # The service is valid, so the rejection is caused by the operation name.
        with pytest.raises(OWSInvalidParameterValue):
            OWSRequest(dummy)
Esempio n. 14
 def test_get_getcaps_request(self):
     """GetCapabilities parses without a ``version`` parameter."""
     query = {"request": "GetCapabilities", "service": "WPS"}
     parsed = OWSRequest(DummyRequest(params=query))
     # No version is supplied and none is asserted on.
     assert parsed.request == 'getcapabilities'
     assert parsed.service == 'wps'
Esempio n. 15
 def test_post_false_service(self):
     """A POSTed document naming an unsupported service type is rejected while parsing."""
     dummy = DummyRequest(post={})
     # "ATM" stands in for a service type that is not supported.
     dummy.body = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
     <GetCapabilities service="ATM" acceptVersions="1.0.0" language="en-CA"/>"""
     with pytest.raises(OWSInvalidParameterValue):
         OWSRequest(dummy)
Esempio n. 16
 def test_get_false_request(self):
     """An unknown operation name on a WPS request is rejected while parsing."""
     query = {"request": "tellmemore", "service": "Wps", "version": "1.0.0"}
     dummy = DummyRequest(params=query)
     # The service is valid, so the rejection is caused by the operation name.
     with pytest.raises(OWSInvalidParameterValue):
         OWSRequest(dummy)
Esempio n. 17
 def test_get_false_service(self):
     """A GET request naming an unsupported service type is rejected while parsing."""
     query = {"request": "execute", "service": "ATM", "version": "1.0.0"}
     dummy = DummyRequest(params=query)
     # The operation is valid, so the rejection is caused by the service type.
     with pytest.raises(OWSInvalidParameterValue):
         OWSRequest(dummy)