 def test_checkorigin(self):
     """Origin, origin-normalisation and IPv4 helpers.

     check_origin must accept only scheme://host[:port] with an http(s)
     scheme; get_origin must drop the path; check_ip must accept only a
     four-octet dotted quad with octets in range.
     """
     accepted_origins = (
         "http://127.0.0.1",
         "http://localhost:5000",
         "https://abc.com",
         "https://abc.com:8443",
     )
     rejected_origins = (
         "ftp://192.168.1.2",
         "rsync://192.168.1.2",
         "192.168.1.2",
         "example.com",
         "localhost",
         "127.0.0.1:8000",
         "://127.0.0.1/hello-world",
     )
     for origin in accepted_origins:
         self.assertTrue(check_origin(origin))
     for origin in rejected_origins:
         self.assertFalse(check_origin(origin))

     self.assertEqual(get_origin("http://abc.com/hello"), "http://abc.com")
     self.assertEqual(get_origin("https://abc.com/"), "https://abc.com")

     for address in ("127.0.0.1", "1.2.3.4", "255.255.255.0"):
         self.assertTrue(check_ip(address))
     for address in ("1.2.3", "a.1.2.3", "999.1.2.3"):
         self.assertFalse(check_ip(address))
 def test_checkorigin(self):
     """Table-driven checks for check_origin, get_origin and check_ip."""
     origin_cases = {
         'http://127.0.0.1': True,
         'http://localhost:5000': True,
         'https://abc.com': True,
         'https://abc.com:8443': True,
         'ftp://192.168.1.2': False,
         'rsync://192.168.1.2': False,
         '192.168.1.2': False,
         'example.com': False,
         'localhost': False,
         '127.0.0.1:8000': False,
         '://127.0.0.1/hello-world': False,
     }
     # bool() so a truthy non-bool return still passes, as assertTrue would
     for origin, expected in origin_cases.items():
         self.assertEqual(bool(check_origin(origin)), expected)

     normalised = {
         "http://abc.com/hello": "http://abc.com",
         "https://abc.com/": "https://abc.com",
     }
     for url, expected in normalised.items():
         self.assertEqual(get_origin(url), expected)

     ip_cases = {
         "127.0.0.1": True,
         "1.2.3.4": True,
         "255.255.255.0": True,
         "1.2.3": False,
         "a.1.2.3": False,
         "999.1.2.3": False,
     }
     for address, expected in ip_cases.items():
         self.assertEqual(bool(check_ip(address)), expected)
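def link():
    """Manage the caller's LinkTokens (the rule records under ``rsp("linktoken", LinkId)``).

    Dispatches on ``request.method``:

    * GET    -- list the tokens owned by the caller (every token when the
                ``is_mgr`` query flag is set and ``g.is_admin`` is truthy).
    * POST   -- validate the rule fields, create a token, return its LinkToken.
    * PUT    -- ``?Action=disable|enable`` flips ``status``; otherwise the rule
                fields of the token named by form field ``LinkId`` are replaced.
    * DELETE -- remove the token named by form field ``LinkId``.

    Returns a dict ``{"code": 1|0, "msg": ...}`` plus ``data``/``count`` (GET)
    or ``LinkToken`` (POST); ``code`` 0 means success.

    PUT and DELETE act only on a token the caller owns (or on any token when
    ``g.is_admin`` is truthy, mirroring the GET listing rule).  Ownership used
    to be enforced on GET only, so any signed-in user could disable, rewrite
    (and, via the owner mapping, take over) or delete another user's token
    just by posting its LinkId.
    """
    res = dict(code=1, msg=None)
    ltk = rsp("linktokens")  # hash: LinkId -> owner username
    username = g.userinfo.username
    allowed_methods = ("GET", "POST", "PUT", "DELETE")
    storage_error = "Program data storage service error"

    def _execute(pipe):
        """Run *pipe*; return its results, or None after recording the storage error in *res*."""
        try:
            return pipe.execute()
        except RedisError:
            res.update(msg=storage_error)
            return None

    def _valid_items(raw, predicate, msg):
        """Split *raw* with parse_valid_comma and apply *predicate* to each non-empty item.

        Returns *msg* when the split yields nothing usable or any item fails,
        else None.
        """
        items = parse_valid_comma(raw)
        if not items or not isinstance(items, (tuple, list)):
            return msg
        for item in items:
            if item and not predicate(item):
                return msg
        return None

    def check_body():
        """Validate the POST/PUT rule fields; return an error message, or None when they pass."""
        form = request.form
        list_checks = (
            (form.get("allow_origin"), check_origin, "Invalid url address"),
            (form.get("allow_ip"), check_ip, "Invalid IP address"),
            (form.get("allow_ep"),
             lambda ep: ep in current_app.view_functions,
             "Not found the endpoint"),
            (form.get("allow_method"),
             lambda md: md.upper() in allowed_methods,
             "Invalid HTTP method"),
        )
        for raw, predicate, msg in list_checks:
            if raw:
                err = _valid_items(raw, predicate, msg)
                if err:
                    return err
        er = form.get("exterior_relation")
        if er and not er_pat.match(er.strip()):
            return "Invalid exterior_relation"
        ir = form.get("interior_relation")
        if ir:
            if not ir_pat.match(ir.strip()):
                return "Invalid interior_relation"
            try:
                check_ir(ir)
            except (ValueError, TypeError):
                return "Invalid interior_relation"
        return None

    def _rule_fields():
        """Read the rule fields (with their defaults) from the form.

        Call only after check_body() passed: allow_origin is normalised with
        get_origin, which is only safe on values that already validated.
        Defaults are not validated by check_body().
        """
        form = request.form
        allow_origin = form.get("allow_origin") or ""
        if allow_origin:
            allow_origin = ",".join(
                get_origin(url) for url in parse_valid_comma(allow_origin) if url
            )
        return dict(
            comment=form.get("comment") or "",
            # album used by default for images uploaded through this link
            album=form.get("album") or "",
            allow_origin=allow_origin,
            allow_ip=form.get("allow_ip") or "",
            allow_ep=form.get("allow_ep") or "api.upload",
            allow_method=form.get("allow_method") or "post",
            # how the allow_* items combine: opt and/or/not opt
            exterior_relation=form.get("exterior_relation", "").strip(),
            # condition inside one item: in/not in:opt
            interior_relation=form.get("interior_relation", "").strip(),
        )

    def _can_manage(link_id):
        """True when *link_id* is registered in *ltk* and the caller owns it (or is admin)."""
        if not link_id:
            return False
        owner = g.rc.hget(ltk, link_id)
        if owner is None:
            return False
        # GET compares hgetall() values against username the same way, so the
        # stored owner is assumed to come back in the same type as username.
        return owner == username or bool(getattr(g, "is_admin", False))

    if request.method == "GET":
        show_all = is_true(request.args.get("is_mgr")) and g.is_admin
        pipe = g.rc.pipeline()
        for ltid, usr in iteritems(g.rc.hgetall(ltk)):
            if show_all or usr == username:
                pipe.hgetall(rsp("linktoken", ltid))
        result = _execute(pipe)
        if result is not None:
            res.update(code=0, data=result, count=len(result))

    elif request.method == "POST":
        # a LinkToken is only issued to an account that already has a token
        if not g.rc.hget(rsp("account", username), "token"):
            res.update(msg="No tokens yet")
            return res
        cv = check_body()
        if cv:
            res.update(msg=cv)
            return res
        LinkId = gen_uuid()
        LinkSecret = generate_password_hash(LinkId)
        lid = "%s:%s:%s" % (get_current_timestamp(), LinkId,
                            hmac_sha256(LinkId, LinkSecret))
        LinkToken = b64encode(lid.encode("utf-8")).decode("utf-8")
        record = _rule_fields()
        record.update(
            LinkId=LinkId,
            LinkSecret=LinkSecret,
            LinkToken=LinkToken,
            ctime=get_current_timestamp(),
            user=username,
            status=1,  # status: 1 enabled, 0 disabled
        )
        pipe = g.rc.pipeline()
        pipe.hset(ltk, LinkId, username)
        pipe.hmset(rsp("linktoken", LinkId), record)
        if _execute(pipe) is not None:
            res.update(code=0, LinkToken=LinkToken)

    elif request.method == "PUT":
        LinkId = request.form.get("LinkId")
        # same message for unknown and foreign tokens: do not reveal existence
        if not _can_manage(LinkId):
            res.update(msg="Not found the LinkId")
            return res
        key = rsp("linktoken", LinkId)
        Action = request.args.get("Action")
        if Action in ("disable", "enable"):
            pipe = g.rc.pipeline()
            pipe.hset(key, "status", 1 if Action == "enable" else 0)
            if _execute(pipe) is not None:
                res.update(code=0)
            return res
        if not g.rc.exists(key):
            res.update(msg="Not found the LinkId")
            return res
        cv = check_body()
        if cv:
            res.update(msg=cv)
            return res
        record = _rule_fields()
        record["mtime"] = get_current_timestamp()
        pipe = g.rc.pipeline()
        # the owner entry in ltk is deliberately left alone so an admin edit
        # does not transfer the token to the editor
        pipe.hmset(key, record)
        if _execute(pipe) is not None:
            res.update(code=0)

    elif request.method == "DELETE":
        LinkId = request.form.get("LinkId")
        if not LinkId:
            res.update(msg="Parameter error")
        elif not _can_manage(LinkId):
            res.update(msg="Not found the LinkId")
        else:
            pipe = g.rc.pipeline()
            pipe.hdel(ltk, LinkId)
            pipe.delete(rsp("linktoken", LinkId))
            if _execute(pipe) is not None:
                res.update(code=0)

    return res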