def test_checkorigin(self):
    """Exercise check_origin, get_origin and check_ip with accepted and rejected inputs."""
    # Only http(s) URLs carrying a host (optionally a port) are accepted as origins.
    accepted_origins = (
        "http://127.0.0.1",
        "http://localhost:5000",
        "https://abc.com",
        "https://abc.com:8443",
    )
    # Other schemes, bare hosts, host:port without a scheme and an empty scheme are rejected.
    rejected_origins = (
        "ftp://192.168.1.2",
        "rsync://192.168.1.2",
        "192.168.1.2",
        "example.com",
        "localhost",
        "127.0.0.1:8000",
        "://127.0.0.1/hello-world",
    )
    for origin in accepted_origins:
        self.assertTrue(check_origin(origin))
    for origin in rejected_origins:
        self.assertFalse(check_origin(origin))

    # get_origin keeps scheme and host and drops the path.
    self.assertEqual(get_origin("http://abc.com/hello"), "http://abc.com")
    self.assertEqual(get_origin("https://abc.com/"), "https://abc.com")

    # Dotted-quad addresses pass; a missing octet, a non-numeric octet or an
    # out-of-range octet is rejected.
    for address in ("127.0.0.1", "1.2.3.4", "255.255.255.0"):
        self.assertTrue(check_ip(address))
    for address in ("1.2.3", "a.1.2.3", "999.1.2.3"):
        self.assertFalse(check_ip(address))
def test_checkorigin(self):
    """Table-driven check of check_origin, get_origin and check_ip."""
    # (candidate, expected truthiness of check_origin(candidate))
    origin_cases = [
        ('http://127.0.0.1', True),
        ('http://localhost:5000', True),
        ('https://abc.com', True),
        ('https://abc.com:8443', True),
        ('ftp://192.168.1.2', False),
        ('rsync://192.168.1.2', False),
        ('192.168.1.2', False),
        ('example.com', False),
        ('localhost', False),
        ('127.0.0.1:8000', False),
        ('://127.0.0.1/hello-world', False),
    ]
    for candidate, expected in origin_cases:
        assertion = self.assertTrue if expected else self.assertFalse
        assertion(check_origin(candidate))

    # The origin is the URL without its path component.
    self.assertEqual(get_origin("http://abc.com/hello"), "http://abc.com")
    self.assertEqual(get_origin("https://abc.com/"), "https://abc.com")

    # (candidate, expected truthiness of check_ip(candidate))
    ip_cases = [
        ("127.0.0.1", True),
        ("1.2.3.4", True),
        ("255.255.255.0", True),
        ("1.2.3", False),
        ("a.1.2.3", False),
        ("999.1.2.3", False),
    ]
    for candidate, expected in ip_cases:
        assertion = self.assertTrue if expected else self.assertFalse
        assertion(check_ip(candidate))
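def link():
    """Manage the caller's LinkTokens: list, create, update, enable/disable, delete.

    Dispatches on ``request.method``:

    * GET    -- list the caller's LinkToken records; an admin passing
      ``?is_mgr=<true>`` gets every user's records.
    * POST   -- create a LinkToken from the form fields (the caller must
      already hold an account token).
    * PUT    -- ``?Action=disable|enable`` flips ``status`` of ``LinkId``;
      otherwise the form fields replace the stored policy of ``LinkId``.
    * DELETE -- remove ``LinkId`` and its entry in the owner mapping.

    PUT and DELETE only act on a LinkId that is registered and owned by the
    caller (admins may act on any registered id, mirroring GET); any other id
    is answered with "Not found the LinkId", so the endpoint does not reveal
    whether a foreign id exists.

    Returns:
        dict with ``code`` (0 on success, 1 otherwise), ``msg`` on failure and
        method-specific extras: ``data``/``count`` for GET, ``LinkToken`` for POST.
    """
    res = dict(code=1, msg=None)
    ltk = rsp("linktokens")
    username = g.userinfo.username
    http_methods = ["GET", "POST", "PUT", "DELETE"]

    def first_invalid(raw, is_ok, msg):
        """Return msg unless raw splits into a non-empty list whose truthy items all satisfy is_ok."""
        items = parse_valid_comma(raw)
        if not items or not isinstance(items, (tuple, list)):
            return msg
        for item in items:
            if item and not is_ok(item):
                return msg
        return None

    def check_body():
        """Validate the POST/PUT form fields.

        Reads the raw form values (not the defaults the caller substitutes
        for empty fields) and returns an error message for the first invalid
        field, or None when everything passes.
        """
        er = request.form.get("exterior_relation")
        ir = request.form.get("interior_relation")
        list_fields = (
            (request.form.get("allow_origin"), check_origin, "Invalid url address"),
            (request.form.get("allow_ip"), check_ip, "Invalid IP address"),
            (
                request.form.get("allow_ep"),
                lambda ep: ep in current_app.view_functions.keys(),
                "Not found the endpoint",
            ),
            (
                request.form.get("allow_method"),
                lambda md: md.upper() in http_methods,
                "Invalid HTTP method",
            ),
        )
        for raw, is_ok, msg in list_fields:
            if raw:
                err = first_invalid(raw, is_ok, msg)
                if err:
                    return err
        if er:
            if not er_pat.match(er.strip()):
                return "Invalid exterior_relation"
        if ir:
            if not ir_pat.match(ir.strip()):
                return "Invalid interior_relation"
            else:
                try:
                    check_ir(ir)
                except (ValueError, TypeError):
                    return "Invalid interior_relation"
        return None

    def normalize_origins(raw):
        """Collapse each comma-separated URL in raw to its scheme://host[:port] origin."""
        return ",".join([get_origin(url) for url in parse_valid_comma(raw) if url])

    def owned_by_caller(link_id):
        """True when link_id is registered and owned by the caller (or the caller is admin).

        Ownership is the ``linktokens`` hash (LinkId -> username) written on
        POST; an unregistered id yields False.
        """
        if not link_id:
            return False
        owner = g.rc.hget(ltk, link_id)
        if owner is None:
            return False
        return owner == username or g.is_admin

    if request.method == "GET":
        is_mgr = is_true(request.args.get("is_mgr"))
        linktokens = g.rc.hgetall(ltk)
        pipe = g.rc.pipeline()
        for ltid, usr in iteritems(linktokens):
            # Admins asking for the manager view see every record; everyone
            # else only sees their own.
            if (is_mgr and g.is_admin) or username == usr:
                pipe.hgetall(rsp("linktoken", ltid))
        try:
            result = pipe.execute()
        except RedisError:
            res.update(msg="Program data storage service error")
        else:
            res.update(code=0, data=result, count=len(result))

    elif request.method == "POST":
        comment = request.form.get("comment") or ""
        #: default album name for images uploaded through this link
        album = request.form.get("album") or ""
        #: how the permission items combine: ``opt and/or/not opt``
        er = request.form.get("exterior_relation", "").strip()
        #: condition inside a permission item: ``in/not in:opt,``
        ir = request.form.get("interior_relation", "").strip()
        #: permission items and their defaults; check_body() validates the raw
        #: form values, so the defaults substituted here are never validated
        allow_origin = request.form.get("allow_origin") or ""
        allow_ip = request.form.get("allow_ip") or ""
        allow_ep = request.form.get("allow_ep") or "api.upload"
        allow_method = request.form.get("allow_method") or "post"
        #: the caller must already hold an account token
        ak = rsp("account", username)
        if not g.rc.hget(ak, "token"):
            res.update(msg="No tokens yet")
            return res
        cv = check_body()
        if cv:
            res.update(msg=cv)
            return res
        if allow_origin:
            allow_origin = normalize_origins(allow_origin)
        #: Mint the LinkToken: LinkId is the public handle, LinkSecret is stored
        #: with the record, and the token carries timestamp, id and an HMAC over
        #: the id keyed with the secret.
        #: NOTE(review): LinkSecret is generate_password_hash(LinkId), so its
        #: unpredictability rests entirely on that function's salt -- confirm.
        LinkId = gen_uuid()
        LinkSecret = generate_password_hash(LinkId)
        lid = "%s:%s:%s" % (
            get_current_timestamp(),
            LinkId,
            hmac_sha256(LinkId, LinkSecret),
        )
        LinkToken = b64encode(lid.encode("utf-8")).decode("utf-8")
        pipe = g.rc.pipeline()
        pipe.hset(ltk, LinkId, username)
        pipe.hmset(
            rsp("linktoken", LinkId),
            dict(
                LinkId=LinkId,
                LinkSecret=LinkSecret,
                LinkToken=LinkToken,
                ctime=get_current_timestamp(),
                user=username,
                comment=comment,
                album=album,
                status=1,  # status: 1 enabled, 0 disabled
                allow_origin=allow_origin,
                allow_ip=allow_ip,
                allow_ep=allow_ep,
                allow_method=allow_method,
                exterior_relation=er,
                interior_relation=ir,
            ),
        )
        try:
            pipe.execute()
        except RedisError:
            res.update(msg="Program data storage service error")
        else:
            res.update(code=0, LinkToken=LinkToken)

    elif request.method == "PUT":
        LinkId = request.form.get("LinkId")
        Action = request.args.get("Action")
        key = rsp("linktoken", LinkId)
        #: Every PUT path is gated on ownership. Without this gate any
        #: authenticated user who learns a LinkId could disable, rewrite or
        #: take over another user's token (the update path used to re-point
        #: the owner mapping at the caller).
        if not owned_by_caller(LinkId):
            res.update(msg="Not found the LinkId")
            return res
        if Action in ("disable", "enable"):
            try:
                g.rc.hset(key, "status", 1 if Action == "enable" else 0)
            except RedisError:
                res.update(msg="Program data storage service error")
            else:
                res.update(code=0)
            return res
        if g.rc.exists(key):
            comment = request.form.get("comment") or ""
            album = request.form.get("album") or ""
            er = request.form.get("exterior_relation", "").strip()
            ir = request.form.get("interior_relation", "").strip()
            allow_origin = request.form.get("allow_origin") or ""
            allow_ip = request.form.get("allow_ip") or ""
            allow_ep = request.form.get("allow_ep") or "api.upload"
            allow_method = request.form.get("allow_method") or "post"
            cv = check_body()
            if cv:
                res.update(msg=cv)
                return res
            if allow_origin:
                allow_origin = normalize_origins(allow_origin)
            # The owner mapping is left untouched: it already exists (checked
            # above) and an update must not transfer ownership.
            pipe = g.rc.pipeline()
            pipe.hmset(
                key,
                dict(
                    mtime=get_current_timestamp(),
                    comment=comment,
                    album=album,
                    allow_origin=allow_origin,
                    allow_ip=allow_ip,
                    allow_ep=allow_ep,
                    allow_method=allow_method,
                    exterior_relation=er,
                    interior_relation=ir,
                ),
            )
            try:
                pipe.execute()
            except RedisError:
                res.update(msg="Program data storage service error")
            else:
                res.update(code=0)
        else:
            res.update(msg="Not found the LinkId")

    elif request.method == "DELETE":
        LinkId = request.form.get("LinkId")
        if not LinkId:
            res.update(msg="Parameter error")
        elif not owned_by_caller(LinkId):
            # Same ownership gate as PUT: only the owner (or an admin) may
            # delete a token, and foreign ids look like missing ones.
            res.update(msg="Not found the LinkId")
        else:
            pipe = g.rc.pipeline()
            pipe.hdel(ltk, LinkId)
            pipe.delete(rsp("linktoken", LinkId))
            try:
                pipe.execute()
            except RedisError:
                res.update(msg="Program data storage service error")
            else:
                res.update(code=0)

    return res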