def validate_dms_token(*args, **kwargs):
if flask.request.args.get("token") != settings.DMS_WEBHOOK_TOKEN:
errors = ForbiddenError()
errors.add_error("token", "Invalid token")
raise errors
return route_function(*args, **kwargs)
def wrapper(*args, **kwargs):
mandatory_authorization_type = "Bearer "
authorization_header = request.headers.get("Authorization")
if authorization_header and mandatory_authorization_type in authorization_header:
adage_jwt = authorization_header.replace(
mandatory_authorization_type, "")
try:
adage_jwt_decoded = user_utils.decode_jwt_token_rs256(
adage_jwt)
except InvalidSignatureError as invalid_signature_error:
logger.error("Signature of adage jwt cannot be verified",
extra={"error": invalid_signature_error})
raise ForbiddenError({"Authorization": "Unrecognized token"})
except ExpiredSignatureError as expired_signature_error:
logger.warning("Token has expired",
extra={"error": expired_signature_error})
raise InvalidTokenError("Token expired")
if not adage_jwt_decoded.get("exp"):
logger.warning("Token does not contain an expiration date")
raise InvalidTokenError("No expiration date provided")
authenticated_information = AuthenticatedInformation(
civility=adage_jwt_decoded.get("civilite"),
lastname=adage_jwt_decoded.get("nom"),
firstname=adage_jwt_decoded.get("prenom"),
email=adage_jwt_decoded.get("mail"),
uai=adage_jwt_decoded.get("uai"),
)
kwargs["authenticated_information"] = authenticated_information
return route_function(*args, **kwargs)
raise ForbiddenError({"Authorization": "Unrecognized token"})
def check_user_can_validate_bookings_v2(user: User, offerer_id: int) -> None:
if not user.has_access(offerer_id):
api_errors = ForbiddenError()
api_errors.add_error(
"user",
"Vous n’avez pas les droits suffisants pour valider cette contremarque car cette réservation n'a pas été faite sur une de vos offres, ou que votre rattachement à la structure est encore en cours de validation",
)
raise api_errors
def check_user_can_validate_bookings_v2(user, offerer_id: int):
if not user.has_access(offerer_id):
api_errors = ForbiddenError()
api_errors.add_error(
"user",
"Vous n'avez pas les droits suffisants pour valider cette contremarque."
)
raise api_errors
def check_user_can_load_config(user: User) -> None:
if settings.IS_PROD and user.email not in settings.SUPER_ADMIN_EMAIL_ADDRESSES:
error = ForbiddenError()
error.add_error(
"type",
"Seuls les membres de l'équipe de validation peuvent éditer cette configuration"
)
raise error
def check_api_key_allows_to_validate_booking(valid_api_key: ApiKey, offerer_id: int) -> None:
if not valid_api_key.offererId == offerer_id:
api_errors = ForbiddenError()
api_errors.add_error(
"user",
"Vous n’avez pas les droits suffisants pour valider cette contremarque car cette réservation n'a pas été faite sur une de vos offres, ou que votre rattachement à la structure est encore en cours de validation",
)
raise api_errors
def check_user_can_create_activation_event(user: User) -> None:
if not user.isAdmin:
error = ForbiddenError()
error.add_error(
"type",
"Seuls les administrateurs du pass Culture peuvent créer des offres d'activation"
)
raise error
def check_user_can_validate_activation_offer(user):
forbidden_error = ForbiddenError()
if not user.isAdmin:
forbidden_error.add_error(
"user",
"Vous n'avez pas les droits suffisants pour valider cette contremarque."
)
raise forbidden_error
def check_api_key_allows_to_cancel_booking(valid_api_key: ApiKey,
offerer_id: int):
if not valid_api_key.offererId == offerer_id:
api_errors = ForbiddenError()
api_errors.add_error(
"user",
"Vous n'avez pas les droits suffisants pour annuler cette réservation."
)
raise api_errors
def check_api_key_allows_to_validate_booking(valid_api_key: ApiKey,
offerer_id: int):
if not valid_api_key.offererId == offerer_id:
api_errors = ForbiddenError()
api_errors.add_error(
"user",
"Vous n'avez pas les droits suffisants pour valider cette contremarque."
)
raise api_errors
def check_user_can_validate_bookings_v2(self, offerer_id: int):
user_has_editors_right = self.hasRights(RightsType.editor, offerer_id)
if not user_has_editors_right:
api_errors = ForbiddenError()
api_errors.add_error(
"user",
"Vous n'avez pas les droits suffisants pour valider cette contremarque."
)
raise api_errors
def check_client_version() -> None:
client_version_header = flask.request.headers.get("app-version", None)
sentry_sdk.set_tag("client.version", client_version_header)
if not client_version_header:
return
try:
client_version = semver.VersionInfo.parse(client_version_header)
except ValueError:
raise ForbiddenError(errors={"code": "UPGRADE_REQUIRED"})
if client_version < settings.NATIVE_APP_MINIMAL_CLIENT_VERSION:
raise ForbiddenError(errors={"code": "UPGRADE_REQUIRED"})
def retrieve_authenticated_user(*args, **kwargs): # type: ignore
email = get_jwt_identity()
user = find_user_by_email(email)
if user is None or not user.isActive:
logger.error("Authenticated user with email %s not found or inactive", email)
raise ForbiddenError({"email": ["Utilisateur introuvable"]})
return route_function(user, *args, **kwargs)
def wrapper(*args, **kwds):
mandatory_authorization_type = "Bearer "
authorization_header = request.headers.get("Authorization")
if authorization_header and mandatory_authorization_type in authorization_header:
adage_api_key = authorization_header.replace(mandatory_authorization_type, "")
if adage_api_key == settings.EAC_API_KEY:
return route_function(*args, **kwds)
raise ForbiddenError({"Authorization": ["Wrong api key"]})
def change_password(user: User, body: ChangePasswordRequest) -> None:
try:
users_repo.check_user_and_credentials(user, body.current_password)
except users_exceptions.InvalidIdentifier:
raise ApiErrors({"code": "INVALID_PASSWORD", "currentPassword": ["Le mot de passe est incorrect"]})
except users_exceptions.CredentialsException:
raise ForbiddenError()
try:
check_password_strength("newPassword", body.new_password)
except ApiErrors:
raise ApiErrors({"code": "WEAK_PASSWORD", "newPassword": ["Le nouveau mot de passe est trop faible"]})
user.setPassword(body.new_password)
repository.save(user)
def retrieve_authenticated_user(*args, **kwargs): # type: ignore
email = get_jwt_identity()
user = find_user_by_email(email)
if user is None or not user.isActive:
logger.info(
"Authenticated user with email %s not found or inactive",
email)
raise ForbiddenError({"email": ["Utilisateur introuvable"]})
# push the user to the current context - similar to flask-login
ctx = _request_ctx_stack.top
ctx.user = user
# the user is set in sentry in before_request, way before we do the
# token auth so it needs to be also set here.
sentry_sdk.set_user({"id": user.id})
sentry_sdk.set_tag("device.id", request.headers.get("device-id", None))
return route_function(user, *args, **kwargs)
def check_demarches_simplifiees_webhook_token(token):
if token != settings.DMS_WEBHOOK_TOKEN:
errors = ForbiddenError()
errors.add_error("token", "Invalid token")
raise errors
def check_user_can_alter_venue(user: User, venue_id: int) -> None:
venue = Venue.query.get(venue_id)
if not user.has_access(venue.managingOffererId):
api_errors = ForbiddenError()
api_errors.add_error("user", "Vous n'avez pas les droits suffisants pour modifier ce lieu.")
raise api_errors