def get_document(doc_id): resp = service.get("documents/" + doc_id) if not resp.ok: abort(resp.status_code) document = resp.json() if get_user_permissions(document).view: log.access_flask_view_document(document) return service.convert_response(resp) else: raise exceptions.Unauthorized()
def __init__(self, limit): self.limit = limit # Set defaults self.code = 429 self.body = self.get_body() self.headers = self.get_headers() # Get the description if limit.error_message: self.description = limit.error_message if not callable( limit.error_message) else limit.error_message() else: self.description = text_type(limit.limit) # If error is given, get body & headers if self.limit.error_code: self.code = limit.error_code exception = exceptions.HTTPException(description=self.description) # Some common error codes, can add more here if self.code == 400: exception = exceptions.BadRequest() elif self.code == 401: exception = exceptions.Unauthorized() elif self.code == 403: exception = exceptions.Forbidden() elif self.code == 404: exception = exceptions.NotFound() elif self.code == 405: exception = exceptions.MethodNotAllowed() elif self.code == 406: exception = exceptions.NotAcceptable() elif self.code == 418: exception = exceptions.ImATeapot() # <3 elif self.code == 500: exception = exceptions.InternalServerError() elif self.code == 501: exception = exceptions.NotImplemented() # Update body & headers self.body = exception.get_body() self.headers = exception.get_headers() else: exception = exceptions.TooManyRequests( description=self.description) # Update body & headers self.body = exception.get_body() self.headers = exception.get_headers() super(RateLimitExceeded, self).__init__(description=self.description, response=Response(self.body, self.code, self.headers))
def handle_wrapper(*args, **kwargs): """Wrapper for handle exceptions during exporting""" try: return handle_function(*args, **kwargs) except query_exceptions.BadQueryException as exception: raise wzg_exceptions.BadRequest(exception.message) except wzg_exceptions.Unauthorized as ex: raise wzg_exceptions.Unauthorized("%s %s" % (ex.message, app_errors.RELOAD_PAGE)) except errors.HttpError as e: message = json.loads(e.content).get("error").get("message") if e.resp.code == 401: raise wzg_exceptions.Unauthorized("%s %s" % (message, app_errors.RELOAD_PAGE)) raise wzg_exceptions.InternalServerError(message) except Exception as e: # pylint: disable=broad-except logger.exception(e.message) if settings.TESTING: raise raise wzg_exceptions.InternalServerError( app_errors.INTERNAL_SERVER_ERROR.format(job_type="Export"))
def update_user_password(self): body = request.get_json() current_password = body["current_password"] new_password = body["new_password"] valid = password.check_password( current_password, session["auth"]["user_data"]["passwdhash"]) if not valid: raise exceptions.Unauthorized( description="Current password does not match.") users.set_user_password_by_id(self.get_logged_in_user()["id"], new_password) return jsonify(True)
def add_document(): document = request.get_json() if not document or "collection_id" not in document or not document[ "collection_id"]: raise exceptions.BadRequest() if not collections.user_can_add_documents_or_images_by_id( document["collection_id"]): raise exceptions.Unauthorized() resp = service.post("documents", json=document) if resp.ok: log.access_flask_add_document(resp.json()) return service.convert_response(resp)
def post_collection_image(collection_id, path): if not is_cached_last_collection(collection_id): if not get_user_permissions_by_id(collection_id).add_images: raise exceptions.Unauthorized() if "file" not in request.files: raise exceptions.BadRequest("Missing file form part.") update_cached_last_collection(collection_id) return jsonify( _upload_collection_image_file(collection_id, path, request.files["file"]))
def test_create_comment_401_disables_source(self): self.expect_mention().AndRaise(exceptions.Unauthorized('no way')) self.mox.ReplayAll() self.assert_error('no way', status=401) source = self.source.key.get() self.assertEqual('disabled', source.status) bw = BlogWebmention.get_by_id( 'http://bar.com/reply http://foo.com/post/1') self.assertEqual('failed', bw.status) self.assertEqual(self.mention_html, bw.html)
def create_token(email, password): """ If the provided email and password combination is valid, generates a JWT for client-use which expires in 7 days. """ existing_user = User.query.filter_by(email=email).first_or_404() if not PasswordManager.context.verify(password, existing_user.password_hash): raise exceptions.Unauthorized( description='Email or password were not correct.') token = generate_token_for_user(existing_user) return jsonify(snake_to_camel_case_dict({'token': token.decode("utf-8")}))
def wrapper(manager_id, *args, **kwargs): from flamenco import current_flamenco from pillar.api.utils import str2id, mongo manager_id = str2id(manager_id) manager = mongo.find_one_or_404('flamenco_managers', manager_id) if not current_flamenco.manager_manager.user_manages(mngr_doc=manager): user_id = authentication.current_user_id() log.warning( 'Service account %s sent startup notification for manager %s of another ' 'service account', user_id, manager_id) raise wz_exceptions.Unauthorized() return wrapped(manager_id, request.json, *args, **kwargs)
def wrapped(*args, **kwargs): authorization_header = flask.request.headers.get('Authorization', None) if not authorization_header: raise exceptions.Unauthorized('Authorization header is not present.') token = authorization_header.replace('Bearer ', '', 1) if not token: raise exceptions.Unauthorized('Bearer token is not present.') try: decrypted = decode_token(token) except: raise exceptions.Unauthorized('Token is malformed.') if decrypted['expiration'] < datetime.utcnow().timestamp(): raise exceptions.Unauthorized('Token has expired.') user = '******' in decrypted and User.query.get(decrypted['id']) if not user: raise exceptions.NotFound('User does not exist.') kwargs['user'] = user return func(*args, **kwargs)
def api_run_command(self, request): body = request.get_json(force=True) if ('name' not in body or 'params' not in body or not isinstance(body['params'], dict)): raise http_exc.BadRequest('Missing or invalid name or params') token = request.args.get('agent_token', None) if not self.agent.validate_agent_token(token): raise http_exc.Unauthorized('Token invalid.') with metrics_utils.get_metrics_logger(__name__).timer('run_command'): result = self.agent.execute_command(body['name'], **body['params']) wait = request.args.get('wait') if wait and wait.lower() == 'true': result.join() return jsonify(result)
def _check_documents(documents) -> dict: collection_ids = set() for document in documents: if not isinstance(document, dict) or "collection_id" not in document or not document["collection_id"]: raise exceptions.BadRequest() collection_ids.add(document["collection_id"]) collections_by_id = {} for collection_id in collection_ids: collection = service.get_item_by_id("collections", collection_id, params=service.params({ "projection": collections.user_permissions_projection() })) if not collections.get_user_permissions(collection).add_documents: raise exceptions.Unauthorized() collections_by_id[collection_id] = collection return collections_by_id
def _check_collection_and_get_image_dir(collection_id, path): # make sure user can view collection if not user_can_view_by_id(collection_id): raise exceptions.Unauthorized() image_dir = current_app.config["DOCUMENT_IMAGE_DIR"] if image_dir == None or len(image_dir) == 0: raise exceptions.InternalServerError() # "static" is a special path that grabs images not associated with a particular collection # this is mostly for testing if not path.startswith("static/"): image_dir = os.path.join(image_dir, "by_collection", collection_id) return os.path.realpath(image_dir)
def get_collection(collection_id): """ Return the collection object for the collection matching the provided collection id. This object has the fields: 'creator_id', 'annotators', 'viewers', 'labels', 'metadata', 'archived', and 'configuration'. :param collection_id: str :return: Response """ resp = service.get(["collections", collection_id]) if not resp.ok: abort(resp.status_code) collection = resp.json() if get_user_permissions(collection).view: return service.convert_response(resp) else: raise exceptions.Unauthorized()
def get_all_documents_in_collection(col_id): truncate = json.loads(request.args.get("truncate", "true")) truncate_length = json.loads(request.args.get("truncateLength", "50")) collection = service.get_item_by_id("collections", col_id) if not collections.get_user_permissions(collection).view: raise exceptions.Unauthorized() params = service.where_params({"collection_id": col_id}) if truncate: if truncate_length == 0: params["projection"] = json.dumps({"metadata": 0, "text": 0}) else: params["projection"] = json.dumps({"metadata": 0}) params["truncate"] = truncate_length return jsonify(service.get_all("documents", params=params))
def decorated(*args, **kwargs): auth = request.authorization if auth is None: raise exceptions.Unauthorized() # 获取用户id user_id = self._service.basic_authorization( auth.username, auth.password) # 获取用户所有权限 permissions = self._service.get_user_permissions(user_id) if not permission in permissions: raise exceptions.Forbidden() return f(*args, **kwargs)
async def _handle_ws_reverse(self, adapter: str): websocket: QuartWebSocket = _websocket ws = WebSocket(websocket.http_version, websocket.scheme, websocket.path, websocket.query_string, dict(websocket.headers), websocket) if adapter not in self._adapters: logger.warning( f'Unknown adapter {adapter}. Please register the adapter before use.' ) raise exceptions.NotFound() BotClass = self._adapters[adapter] self_id, response = await BotClass.check_permission(self, ws) if not self_id: raise exceptions.Unauthorized( description=(response and response.body or b"").decode()) if self_id in self._clients: logger.opt(colors=True).warning( "There's already a websocket connection, " f"<y>{escape_tag(adapter.upper())} Bot {escape_tag(self_id)}</y> ignored." ) raise exceptions.Forbidden(description='Client already exists.') bot = BotClass(self_id, ws) await ws.accept() logger.opt(colors=True).info( f"WebSocket Connection from <y>{escape_tag(adapter.upper())} " f"Bot {escape_tag(self_id)}</y> Accepted!") self._bot_connect(bot) try: while not ws.closed: try: data = await ws.receive() except asyncio.CancelledError: logger.warning("WebSocket disconnected by peer.") break except Exception as e: logger.opt(exception=e).error( "Error when receiving data from websocket.") break asyncio.create_task(bot.handle_message(data.encode())) finally: self._bot_disconnect(bot)
def authenticate(): """ Endpoint for admin authentication. Returns encrypted cookie with login time and username. """ username = request.values["username"] password = request.values["password"] user = models.get_user(username) if user is None or not check_password_hash(user.password, password): raise excp.Unauthorized("Invalid username or password") session["last_login"] = datetime.datetime.now() session["username"] = username return json.dumps({"success": "OK"}), 200
def user_login(): """get a token to use for authentication throughout the rest of the site""" #NOTE: no permission required for this part because it uses an #alternative login method (username & password rather than token) #and declares the user object on its own #CONSIDER: add a delay for password based login to prevent excessive attempts check_args('username', 'password') g.user = user.auth(g.args['username'], g.args['password'], ip=request.remote_addr) if not g.user: raise ex.Unauthorized('Bad username or password.') return { 'message': 'login successful', 'token': g.user.token, }
def index(): if auth_header not in request.headers: raise exceptions.BadRequest("No Auth header exists") hdr = request.headers[auth_header].strip() if not hdr.startswith("Bearer"): raise exceptions.BadRequest("Unexpected auth type") spl = hdr.split() if len(spl) != 2: raise exceptions.BadRequest("Unexpected bearer format") token = spl[1] claims = jwtverifier.getClaims(token) if not claims: raise exceptions.Unauthorized("Unable to authenticate JWT token") return "JWT Claims: " + str(claims) + "\n"
def _get_authorization(self, request): """ :type request: werkzeug.wrappers.request.Request :rtype: dict[str] :raises werkzeug.exceptions.Unauthorized: If authorization information not available in `request` """ auth = request.authorization or {} username = auth.get('username', '').strip() password = auth.get('password', '').strip() if not username: raise exceptions.Unauthorized( www_authenticate='Basic realm="Simple index"') self._auth = { 'username': username, 'password': password } if username and password else { 'token': username }
def count_documents_in_collection(col_id): collection = service.get_item_by_id("collections", col_id) if not collections.get_user_permissions(collection).view: raise exceptions.Unauthorized() params = service.params({ "where": { "collection_id": col_id }, "projection": { "_id": 1 }, "max_results": 1 }) resp = service.get("documents", params=params) if not resp.ok: abort(resp.status_code) resp = resp.json() if "_meta" not in resp or resp["_meta"]["max_results"] != 1 or "total" not in resp["_meta"]: raise exceptions.InternalServerError("Pagination has not been turned on or correctly configured for documents.") return jsonify(resp["_meta"]["total"])
def decorated_function(*args, **kwargs): check_args('token') token = g.args['token'] # store user object in g (thread safe context) users may only # authenticate with a token, this is to prevent users from # transmitting their username & password with every request #the token gets escaped when sent, so decode it first g.user = user.token_auth( token, ip=request.remote_addr, ) if not g.user: raise ex.Unauthorized('bad token') for permission in permissions: if not g.user.has_perm(permission): raise ex.Forbidden() return f(*args, **kwargs)
def add_label_to_collection(collection_id): new_label = json.loads(request.form["new_label"]) resp = service.get(["collections", collection_id]) if not resp.ok: abort(resp.status_code) collection = resp.json() if not get_user_permissions(collection).modify_labels: raise exceptions.Unauthorized() if new_label not in collection["labels"]: LOGGER.info("new label: adding to collection") collection["labels"].append(new_label) to_patch = { "labels": collection["labels"] } headers = {'Content-Type': 'application/json', 'If-Match': collection["_etag"]} resp = service.patch(["collections", collection["_id"]], json=to_patch, headers=headers) if not resp.ok: abort(resp.status_code, resp.content) return service.convert_response(resp) else: abort(409, "Label already exists in collection")
def on_proxy(self, request, user_token, url): proxy_tile = self.proxy_url_and_coords(url) if not proxy_tile: raise exceptions.BadRequest('unknown proxy url') if request.method not in ('GET', 'HEAD'): raise exceptions.MethodNotAllowed(valid_methods=['GET', 'HEAD']) try: if not self.tile_coverages.is_permitted(user_token, proxy_tile.layer, proxy_tile.tile_coord): raise exceptions.Forbidden() except InvalidUserToken: raise exceptions.Unauthorized() headers = end_to_end_headers(request.headers) try: resp = requests.request(request.method, proxy_tile.url, headers=headers, stream=True) except requests.exceptions.RequestException, ex: raise exceptions.BadGateway('source returned: %s' % ex)
def archive_or_unarchive_collection(collection_id, archive): """ Set the "archived" boolean flag for the collection matching the provided collection_id. :param collection_id: str :param archive: Bool :return: Response """ resp = service.get("collections/" + collection_id) if not resp.ok: abort(resp.status_code) collection = resp.json() if not get_user_permissions(collection).archive: raise exceptions.Unauthorized() if collection["archived"] != archive: collection["archived"] = archive headers = {"If-Match": collection["_etag"]} service.remove_nonupdatable_fields(collection) resp = service.put(["collections", collection_id], json = collection, headers = headers) if not resp.ok: abort(resp.status_code) return get_collection(collection_id)
def search(self, query, user_token): from gbi_server.model import User user = User.by_authproxy_token(user_token) if not user: raise exceptions.Unauthorized() coverage = self.limiter.coverage(user_token) if not coverage: current_app.logger.debug("found no coverage user=%s query=%s", user, request.url) return None query.intersection(coverage, 3857) # query.ids(['072578-040-00042/000']) # f.near((7.88475, 49.859677), 4326, dist=500) # q = sql.select([parcel_table]).where(parcel_table.c.number == cleanup_id('072578-040-00042/000')) features = [] query.limit(1000) sub = query.as_sa() q = sql.select([ sub.c.identifier, sql.func.st_astext(sql.func.st_transform(sub.c.geometry, '3857')).label('geometry') ]) with self.engine.connect() as conn: for r in conn.execute(q): features.append({ "type": "Feature", "properties": { "id": r.identifier, }, "geometry": mapping(shapely.wkt.loads(r.geometry)), }) return features
def get_documents_in_collection(col_id, page): truncate = json.loads(request.args.get("truncate", "true")) truncate_length = json.loads(request.args.get("truncateLength", "50")) collection = service.get_item_by_id("collections", col_id) if not collections.user_can_view(collection): raise exceptions.Unauthorized() params = service.where_params({"collection_id": col_id}) if truncate: params["projection"] = json.dumps({"metadata": 0}) params["truncate"] = truncate_length if page == "all": return jsonify(service.get_all_using_pagination("documents", params)) if page: params["page"] = page resp = service.get("documents", params=params) if not resp.ok: abort(resp.status_code, resp.content) data = resp.json() if truncate: for document in data["_items"]: document["text"] = document["text"][0:truncate_length] return jsonify(data)
def on_proxy(self, request, user_token, url): proxy_couch = self.proxy_url_and_db(url) if not proxy_couch: raise exceptions.BadRequest('unknown proxy url') headers = end_to_end_headers(request.headers) content_length = request.headers.get('content-length') if not content_length: data = None else: data = LimitedStream(request.stream) dbname = url.split('/', 1)[0] try: if not self.dblimit.is_permitted(user_token, dbname, request.method): raise exceptions.Forbidden() except InvalidUserToken: raise exceptions.Unauthorized() try: resp = requests.request(request.method, proxy_couch.url, data=data, headers=headers, auth=( current_app.config['COUCH_DB_ADMIN_USER'], current_app.config['COUCH_DB_ADMIN_PASSWORD'] ), params=request.args, stream=True) chunked_response = resp.headers.get('Transfer-Encoding') == 'chunked' line_based = resp.headers.get('Content-type', '').startswith(('text/plain', 'application/json')) except requests.exceptions.RequestException, ex: raise exceptions.BadGateway('source returned: %s' % ex)
def archive_or_unarchive_collection(collection_id, archive): """ Set the "archived" boolean flag for the collection matching the provided collection_id. :param collection_id: str :param archive: Bool :return: Response """ user_id = auth.get_logged_in_user()["id"] resp = service.get("collections/" + collection_id) if not resp.ok: abort(resp.status_code) collection = resp.json() if not auth.is_flat() and collection["creator_id"] != user_id: raise exceptions.Unauthorized( "Only the creator can archive a collection.") collection["archived"] = archive headers = {"If-Match": collection["_etag"]} service.remove_nonupdatable_fields(collection) resp = service.put(["collections", collection_id], json=collection, headers=headers) if not resp.ok: abort(resp.status_code) return get_collection(collection_id)