def get_document(doc_id):
resp = service.get("documents/" + doc_id)
if not resp.ok:
abort(resp.status_code)
document = resp.json()
if get_user_permissions(document).view:
log.access_flask_view_document(document)
return service.convert_response(resp)
else:
raise exceptions.Unauthorized()
def __init__(self, limit):
self.limit = limit
# Set defaults
self.code = 429
self.body = self.get_body()
self.headers = self.get_headers()
# Get the description
if limit.error_message:
self.description = limit.error_message if not callable(
limit.error_message) else limit.error_message()
else:
self.description = text_type(limit.limit)
# If error is given, get body & headers
if self.limit.error_code:
self.code = limit.error_code
exception = exceptions.HTTPException(description=self.description)
# Some common error codes, can add more here
if self.code == 400:
exception = exceptions.BadRequest()
elif self.code == 401:
exception = exceptions.Unauthorized()
elif self.code == 403:
exception = exceptions.Forbidden()
elif self.code == 404:
exception = exceptions.NotFound()
elif self.code == 405:
exception = exceptions.MethodNotAllowed()
elif self.code == 406:
exception = exceptions.NotAcceptable()
elif self.code == 418:
exception = exceptions.ImATeapot() # <3
elif self.code == 500:
exception = exceptions.InternalServerError()
elif self.code == 501:
exception = exceptions.NotImplemented()
# Update body & headers
self.body = exception.get_body()
self.headers = exception.get_headers()
else:
exception = exceptions.TooManyRequests(
description=self.description)
# Update body & headers
self.body = exception.get_body()
self.headers = exception.get_headers()
super(RateLimitExceeded,
self).__init__(description=self.description,
response=Response(self.body, self.code,
self.headers))
def handle_wrapper(*args, **kwargs):
"""Wrapper for handle exceptions during exporting"""
try:
return handle_function(*args, **kwargs)
except query_exceptions.BadQueryException as exception:
raise wzg_exceptions.BadRequest(exception.message)
except wzg_exceptions.Unauthorized as ex:
raise wzg_exceptions.Unauthorized("%s %s" % (ex.message,
app_errors.RELOAD_PAGE))
except errors.HttpError as e:
message = json.loads(e.content).get("error").get("message")
if e.resp.code == 401:
raise wzg_exceptions.Unauthorized("%s %s" % (message,
app_errors.RELOAD_PAGE))
raise wzg_exceptions.InternalServerError(message)
except Exception as e: # pylint: disable=broad-except
logger.exception(e.message)
if settings.TESTING:
raise
raise wzg_exceptions.InternalServerError(
app_errors.INTERNAL_SERVER_ERROR.format(job_type="Export"))
def update_user_password(self):
body = request.get_json()
current_password = body["current_password"]
new_password = body["new_password"]
valid = password.check_password(
current_password, session["auth"]["user_data"]["passwdhash"])
if not valid:
raise exceptions.Unauthorized(
description="Current password does not match.")
users.set_user_password_by_id(self.get_logged_in_user()["id"],
new_password)
return jsonify(True)
def add_document():
document = request.get_json()
if not document or "collection_id" not in document or not document[
"collection_id"]:
raise exceptions.BadRequest()
if not collections.user_can_add_documents_or_images_by_id(
document["collection_id"]):
raise exceptions.Unauthorized()
resp = service.post("documents", json=document)
if resp.ok:
log.access_flask_add_document(resp.json())
return service.convert_response(resp)
def post_collection_image(collection_id, path):
if not is_cached_last_collection(collection_id):
if not get_user_permissions_by_id(collection_id).add_images:
raise exceptions.Unauthorized()
if "file" not in request.files:
raise exceptions.BadRequest("Missing file form part.")
update_cached_last_collection(collection_id)
return jsonify(
_upload_collection_image_file(collection_id, path,
request.files["file"]))
def test_create_comment_401_disables_source(self):
self.expect_mention().AndRaise(exceptions.Unauthorized('no way'))
self.mox.ReplayAll()
self.assert_error('no way', status=401)
source = self.source.key.get()
self.assertEqual('disabled', source.status)
bw = BlogWebmention.get_by_id(
'http://bar.com/reply http://foo.com/post/1')
self.assertEqual('failed', bw.status)
self.assertEqual(self.mention_html, bw.html)
def create_token(email, password):
"""
If the provided email and password combination is valid, generates a JWT for client-use which expires in 7 days.
"""
existing_user = User.query.filter_by(email=email).first_or_404()
if not PasswordManager.context.verify(password,
existing_user.password_hash):
raise exceptions.Unauthorized(
description='Email or password were not correct.')
token = generate_token_for_user(existing_user)
return jsonify(snake_to_camel_case_dict({'token': token.decode("utf-8")}))
def wrapper(manager_id, *args, **kwargs):
from flamenco import current_flamenco
from pillar.api.utils import str2id, mongo
manager_id = str2id(manager_id)
manager = mongo.find_one_or_404('flamenco_managers', manager_id)
if not current_flamenco.manager_manager.user_manages(mngr_doc=manager):
user_id = authentication.current_user_id()
log.warning(
'Service account %s sent startup notification for manager %s of another '
'service account', user_id, manager_id)
raise wz_exceptions.Unauthorized()
return wrapped(manager_id, request.json, *args, **kwargs)
def wrapped(*args, **kwargs):
authorization_header = flask.request.headers.get('Authorization', None)
if not authorization_header:
raise exceptions.Unauthorized('Authorization header is not present.')
token = authorization_header.replace('Bearer ', '', 1)
if not token:
raise exceptions.Unauthorized('Bearer token is not present.')
try:
decrypted = decode_token(token)
except:
raise exceptions.Unauthorized('Token is malformed.')
if decrypted['expiration'] < datetime.utcnow().timestamp():
raise exceptions.Unauthorized('Token has expired.')
user = '******' in decrypted and User.query.get(decrypted['id'])
if not user:
raise exceptions.NotFound('User does not exist.')
kwargs['user'] = user
return func(*args, **kwargs)
def api_run_command(self, request):
body = request.get_json(force=True)
if ('name' not in body or 'params' not in body
or not isinstance(body['params'], dict)):
raise http_exc.BadRequest('Missing or invalid name or params')
token = request.args.get('agent_token', None)
if not self.agent.validate_agent_token(token):
raise http_exc.Unauthorized('Token invalid.')
with metrics_utils.get_metrics_logger(__name__).timer('run_command'):
result = self.agent.execute_command(body['name'], **body['params'])
wait = request.args.get('wait')
if wait and wait.lower() == 'true':
result.join()
return jsonify(result)
def _check_documents(documents) -> dict:
collection_ids = set()
for document in documents:
if not isinstance(document, dict) or "collection_id" not in document or not document["collection_id"]:
raise exceptions.BadRequest()
collection_ids.add(document["collection_id"])
collections_by_id = {}
for collection_id in collection_ids:
collection = service.get_item_by_id("collections", collection_id, params=service.params({
"projection": collections.user_permissions_projection()
}))
if not collections.get_user_permissions(collection).add_documents:
raise exceptions.Unauthorized()
collections_by_id[collection_id] = collection
return collections_by_id
def _check_collection_and_get_image_dir(collection_id, path):
# make sure user can view collection
if not user_can_view_by_id(collection_id):
raise exceptions.Unauthorized()
image_dir = current_app.config["DOCUMENT_IMAGE_DIR"]
if image_dir == None or len(image_dir) == 0:
raise exceptions.InternalServerError()
# "static" is a special path that grabs images not associated with a particular collection
# this is mostly for testing
if not path.startswith("static/"):
image_dir = os.path.join(image_dir, "by_collection", collection_id)
return os.path.realpath(image_dir)
def get_collection(collection_id):
"""
Return the collection object for the collection matching the provided collection id. This object has the fields:
'creator_id', 'annotators', 'viewers', 'labels', 'metadata', 'archived', and 'configuration'.
:param collection_id: str
:return: Response
"""
resp = service.get(["collections", collection_id])
if not resp.ok:
abort(resp.status_code)
collection = resp.json()
if get_user_permissions(collection).view:
return service.convert_response(resp)
else:
raise exceptions.Unauthorized()
def get_all_documents_in_collection(col_id):
truncate = json.loads(request.args.get("truncate", "true"))
truncate_length = json.loads(request.args.get("truncateLength", "50"))
collection = service.get_item_by_id("collections", col_id)
if not collections.get_user_permissions(collection).view:
raise exceptions.Unauthorized()
params = service.where_params({"collection_id": col_id})
if truncate:
if truncate_length == 0:
params["projection"] = json.dumps({"metadata": 0, "text": 0})
else:
params["projection"] = json.dumps({"metadata": 0})
params["truncate"] = truncate_length
return jsonify(service.get_all("documents", params=params))
def decorated(*args, **kwargs):
auth = request.authorization
if auth is None:
raise exceptions.Unauthorized()
# 获取用户id
user_id = self._service.basic_authorization(
auth.username, auth.password)
# 获取用户所有权限
permissions = self._service.get_user_permissions(user_id)
if not permission in permissions:
raise exceptions.Forbidden()
return f(*args, **kwargs)
async def _handle_ws_reverse(self, adapter: str):
websocket: QuartWebSocket = _websocket
ws = WebSocket(websocket.http_version, websocket.scheme,
websocket.path, websocket.query_string,
dict(websocket.headers), websocket)
if adapter not in self._adapters:
logger.warning(
f'Unknown adapter {adapter}. Please register the adapter before use.'
)
raise exceptions.NotFound()
BotClass = self._adapters[adapter]
self_id, response = await BotClass.check_permission(self, ws)
if not self_id:
raise exceptions.Unauthorized(
description=(response and response.body or b"").decode())
if self_id in self._clients:
logger.opt(colors=True).warning(
"There's already a websocket connection, "
f"<y>{escape_tag(adapter.upper())} Bot {escape_tag(self_id)}</y> ignored."
)
raise exceptions.Forbidden(description='Client already exists.')
bot = BotClass(self_id, ws)
await ws.accept()
logger.opt(colors=True).info(
f"WebSocket Connection from <y>{escape_tag(adapter.upper())} "
f"Bot {escape_tag(self_id)}</y> Accepted!")
self._bot_connect(bot)
try:
while not ws.closed:
try:
data = await ws.receive()
except asyncio.CancelledError:
logger.warning("WebSocket disconnected by peer.")
break
except Exception as e:
logger.opt(exception=e).error(
"Error when receiving data from websocket.")
break
asyncio.create_task(bot.handle_message(data.encode()))
finally:
self._bot_disconnect(bot)
def authenticate():
"""
Endpoint for admin authentication. Returns encrypted cookie with login
time and username.
"""
username = request.values["username"]
password = request.values["password"]
user = models.get_user(username)
if user is None or not check_password_hash(user.password, password):
raise excp.Unauthorized("Invalid username or password")
session["last_login"] = datetime.datetime.now()
session["username"] = username
return json.dumps({"success": "OK"}), 200
def user_login():
"""get a token to use for authentication throughout the rest of the site"""
#NOTE: no permission required for this part because it uses an
#alternative login method (username & password rather than token)
#and declares the user object on its own
#CONSIDER: add a delay for password based login to prevent excessive attempts
check_args('username', 'password')
g.user = user.auth(g.args['username'],
g.args['password'],
ip=request.remote_addr)
if not g.user:
raise ex.Unauthorized('Bad username or password.')
return {
'message': 'login successful',
'token': g.user.token,
}
def index():
if auth_header not in request.headers:
raise exceptions.BadRequest("No Auth header exists")
hdr = request.headers[auth_header].strip()
if not hdr.startswith("Bearer"):
raise exceptions.BadRequest("Unexpected auth type")
spl = hdr.split()
if len(spl) != 2:
raise exceptions.BadRequest("Unexpected bearer format")
token = spl[1]
claims = jwtverifier.getClaims(token)
if not claims:
raise exceptions.Unauthorized("Unable to authenticate JWT token")
return "JWT Claims: " + str(claims) + "\n"
def _get_authorization(self, request):
"""
:type request: werkzeug.wrappers.request.Request
:rtype: dict[str]
:raises werkzeug.exceptions.Unauthorized: If authorization information not available in `request`
"""
auth = request.authorization or {}
username = auth.get('username', '').strip()
password = auth.get('password', '').strip()
if not username:
raise exceptions.Unauthorized(
www_authenticate='Basic realm="Simple index"')
self._auth = {
'username': username,
'password': password
} if username and password else {
'token': username
}
def count_documents_in_collection(col_id):
collection = service.get_item_by_id("collections", col_id)
if not collections.get_user_permissions(collection).view:
raise exceptions.Unauthorized()
params = service.params({
"where": {
"collection_id": col_id
},
"projection": {
"_id": 1
},
"max_results": 1
})
resp = service.get("documents", params=params)
if not resp.ok:
abort(resp.status_code)
resp = resp.json()
if "_meta" not in resp or resp["_meta"]["max_results"] != 1 or "total" not in resp["_meta"]:
raise exceptions.InternalServerError("Pagination has not been turned on or correctly configured for documents.")
return jsonify(resp["_meta"]["total"])
def decorated_function(*args, **kwargs):
check_args('token')
token = g.args['token']
# store user object in g (thread safe context) users may only
# authenticate with a token, this is to prevent users from
# transmitting their username & password with every request
#the token gets escaped when sent, so decode it first
g.user = user.token_auth(
token,
ip=request.remote_addr,
)
if not g.user:
raise ex.Unauthorized('bad token')
for permission in permissions:
if not g.user.has_perm(permission):
raise ex.Forbidden()
return f(*args, **kwargs)
def add_label_to_collection(collection_id):
new_label = json.loads(request.form["new_label"])
resp = service.get(["collections", collection_id])
if not resp.ok:
abort(resp.status_code)
collection = resp.json()
if not get_user_permissions(collection).modify_labels:
raise exceptions.Unauthorized()
if new_label not in collection["labels"]:
LOGGER.info("new label: adding to collection")
collection["labels"].append(new_label)
to_patch = {
"labels": collection["labels"]
}
headers = {'Content-Type': 'application/json', 'If-Match': collection["_etag"]}
resp = service.patch(["collections", collection["_id"]], json=to_patch, headers=headers)
if not resp.ok:
abort(resp.status_code, resp.content)
return service.convert_response(resp)
else:
abort(409, "Label already exists in collection")
def on_proxy(self, request, user_token, url):
proxy_tile = self.proxy_url_and_coords(url)
if not proxy_tile:
raise exceptions.BadRequest('unknown proxy url')
if request.method not in ('GET', 'HEAD'):
raise exceptions.MethodNotAllowed(valid_methods=['GET', 'HEAD'])
try:
if not self.tile_coverages.is_permitted(user_token, proxy_tile.layer, proxy_tile.tile_coord):
raise exceptions.Forbidden()
except InvalidUserToken:
raise exceptions.Unauthorized()
headers = end_to_end_headers(request.headers)
try:
resp = requests.request(request.method, proxy_tile.url, headers=headers, stream=True)
except requests.exceptions.RequestException, ex:
raise exceptions.BadGateway('source returned: %s' % ex)
def archive_or_unarchive_collection(collection_id, archive):
"""
Set the "archived" boolean flag for the collection matching the provided collection_id.
:param collection_id: str
:param archive: Bool
:return: Response
"""
resp = service.get("collections/" + collection_id)
if not resp.ok:
abort(resp.status_code)
collection = resp.json()
if not get_user_permissions(collection).archive:
raise exceptions.Unauthorized()
if collection["archived"] != archive:
collection["archived"] = archive
headers = {"If-Match": collection["_etag"]}
service.remove_nonupdatable_fields(collection)
resp = service.put(["collections", collection_id], json = collection, headers = headers)
if not resp.ok:
abort(resp.status_code)
return get_collection(collection_id)
def search(self, query, user_token):
from gbi_server.model import User
user = User.by_authproxy_token(user_token)
if not user:
raise exceptions.Unauthorized()
coverage = self.limiter.coverage(user_token)
if not coverage:
current_app.logger.debug("found no coverage user=%s query=%s",
user, request.url)
return None
query.intersection(coverage, 3857)
# query.ids(['072578-040-00042/000'])
# f.near((7.88475, 49.859677), 4326, dist=500)
# q = sql.select([parcel_table]).where(parcel_table.c.number == cleanup_id('072578-040-00042/000'))
features = []
query.limit(1000)
sub = query.as_sa()
q = sql.select([
sub.c.identifier,
sql.func.st_astext(sql.func.st_transform(sub.c.geometry,
'3857')).label('geometry')
])
with self.engine.connect() as conn:
for r in conn.execute(q):
features.append({
"type":
"Feature",
"properties": {
"id": r.identifier,
},
"geometry":
mapping(shapely.wkt.loads(r.geometry)),
})
return features
def get_documents_in_collection(col_id, page):
truncate = json.loads(request.args.get("truncate", "true"))
truncate_length = json.loads(request.args.get("truncateLength", "50"))
collection = service.get_item_by_id("collections", col_id)
if not collections.user_can_view(collection):
raise exceptions.Unauthorized()
params = service.where_params({"collection_id": col_id})
if truncate:
params["projection"] = json.dumps({"metadata": 0})
params["truncate"] = truncate_length
if page == "all":
return jsonify(service.get_all_using_pagination("documents", params))
if page: params["page"] = page
resp = service.get("documents", params=params)
if not resp.ok:
abort(resp.status_code, resp.content)
data = resp.json()
if truncate:
for document in data["_items"]:
document["text"] = document["text"][0:truncate_length]
return jsonify(data)
def on_proxy(self, request, user_token, url):
proxy_couch = self.proxy_url_and_db(url)
if not proxy_couch:
raise exceptions.BadRequest('unknown proxy url')
headers = end_to_end_headers(request.headers)
content_length = request.headers.get('content-length')
if not content_length:
data = None
else:
data = LimitedStream(request.stream)
dbname = url.split('/', 1)[0]
try:
if not self.dblimit.is_permitted(user_token, dbname, request.method):
raise exceptions.Forbidden()
except InvalidUserToken:
raise exceptions.Unauthorized()
try:
resp = requests.request(request.method, proxy_couch.url,
data=data, headers=headers,
auth=(
current_app.config['COUCH_DB_ADMIN_USER'],
current_app.config['COUCH_DB_ADMIN_PASSWORD']
),
params=request.args, stream=True)
chunked_response = resp.headers.get('Transfer-Encoding') == 'chunked'
line_based = resp.headers.get('Content-type', '').startswith(('text/plain', 'application/json'))
except requests.exceptions.RequestException, ex:
raise exceptions.BadGateway('source returned: %s' % ex)
def archive_or_unarchive_collection(collection_id, archive):
"""
Set the "archived" boolean flag for the collection matching the provided collection_id.
:param collection_id: str
:param archive: Bool
:return: Response
"""
user_id = auth.get_logged_in_user()["id"]
resp = service.get("collections/" + collection_id)
if not resp.ok:
abort(resp.status_code)
collection = resp.json()
if not auth.is_flat() and collection["creator_id"] != user_id:
raise exceptions.Unauthorized(
"Only the creator can archive a collection.")
collection["archived"] = archive
headers = {"If-Match": collection["_etag"]}
service.remove_nonupdatable_fields(collection)
resp = service.put(["collections", collection_id],
json=collection,
headers=headers)
if not resp.ok:
abort(resp.status_code)
return get_collection(collection_id)