def testPut(self, incr, get_current_user): incr.return_value = 1 get_current_user.side_effect = base.AccessDeniedError('no user') log = base.AccessLog() log.put() incr.assert_called_once_with('AccessLogCounter', initial_value=0)
def VerifyPermissions(required_permission, user, permission_type): """Verifies a valid user is logged in. Args: required_permission: permission string from permissions.*. user: base.User entity; default current user. permission_type: string, one of permission.TYPE_* variables. Raises: base.AccessDeniedError: there was a permissions issue. """ if not permission_type: raise base.AccessDeniedError('permission_type not specified') try: if not user.HasPerm(required_permission, permission_type=permission_type): raise base.AccessDeniedError( 'User lacks %s permission' % required_permission) except ValueError: raise base.AccessDeniedError( 'unknown permission_type: %s' % permission_type)
def VerifyXsrfToken(self, action): """Verifies a valid XSRF token was passed for the current request. Args: action: String, validate the token against this action. Returns: Boolean. True if the XSRF Token was valid. Raises: base.AccessDeniedError: the XSRF token was invalid or not supplied. """ xsrf_token = self.request.get('xsrf-token', None) if settings.XSRF_PROTECTION_ENABLED: if not util.XsrfTokenValidate(xsrf_token, action): raise base.AccessDeniedError('Valid XSRF token not provided') elif not xsrf_token: logging.info( 'Ignoring missing XSRF token; settings.XSRF_PROTECTION_ENABLED=False') return True
def get(self): """Handles GET requests.""" if self.request.get('json', '0') != '1': search_type = self.request.get('search_type') field1 = urllib.quote(self.request.get('field1')) value1 = urllib.quote(self.request.get('value1').strip()) prefix_search = urllib.quote(self.request.get( 'prefix_search', '0')) if search_type and field1 and value1: self.redirect('/ui/#/search/%s/%s/%s/%s' % (search_type, field1, value1, prefix_search)) else: self.redirect('/ui/', permanent=True) return tag = self.request.get('tag', 'default') search_type = self.request.get('search_type') field1 = self.request.get('field1') value1 = self.request.get('value1').strip() prefix_search = self.request.get('prefix_search', '0') == '1' try: model = models_util.TypeNameToModel(search_type) except ValueError: raise passphrase_handler.InvalidArgumentError( 'Invalid search_type %s' % search_type) if not (field1 and value1): raise base_handler.InvalidArgumentError('Missing field1 or value1') # Get the user's search and retrieve permissions for all permission types. search_perms = base_handler.VerifyAllPermissionTypes( permissions.SEARCH) retrieve_perms = base_handler.VerifyAllPermissionTypes( permissions.RETRIEVE_OWN) retrieve_created = base_handler.VerifyAllPermissionTypes( permissions.RETRIEVE_CREATED_BY) # user is performing a search, ensure they have permissions. if (not search_perms.get(search_type) and not retrieve_perms.get(search_type) and not retrieve_created.get(search_type)): raise base.AccessDeniedError('User lacks %s permission' % search_type) try: passphrases = _PassphrasesForQuery(model, field1, value1, prefix_search) except ValueError: self.error(httplib.NOT_FOUND) return skipped = False if not search_perms.get(search_type): results_len = len(passphrases) email = base.GetCurrentUser().user.email() passphrases = [x for x in passphrases if x.owner == email] skipped = len(passphrases) != results_len too_many_results = len(passphrases) >= MAX_PASSPHRASES_PER_QUERY passphrases = [ v.ToDict(skip_secret=True) for v in passphrases if v.tag == tag ] if model.ALLOW_OWNER_CHANGE: for passphrase in passphrases: if not passphrase['active']: continue link = '/api/internal/change-owner/%s/%s/' % (search_type, passphrase['id']) passphrase['change_owner_link'] = link self.response.out.write( util.ToSafeJson({ 'passphrases': passphrases, 'too_many_results': too_many_results, 'results_access_warning': skipped, }))
def get(self): # pylint: disable=g-bad-name """Handles GET requests.""" # TODO(user): Users with retrieve_own should not need to search to # retrieve their escrowed secrets. if self.request.get('json', '0') != '1': search_type = self.request.get('search_type') field1 = urllib.quote(self.request.get('field1')) value1 = urllib.quote(self.request.get('value1').strip()) prefix_search = urllib.quote(self.request.get( 'prefix_search', '0')) if search_type and field1 and value1: self.redirect('/ui/#/search/%s/%s/%s/%s' % (search_type, field1, value1, prefix_search)) else: self.redirect('/ui/', permanent=True) return tag = self.request.get('tag', 'default') search_type = self.request.get('search_type') field1 = self.request.get('field1') value1 = self.request.get('value1').strip() prefix_search = self.request.get('prefix_search', '0') == '1' try: model = volumes.TypeNameToModel(search_type) except ValueError: raise handlers.InvalidArgumentError('Invalid search_type %s' % search_type) if not (field1 and value1): raise handlers.InvalidArgumentError('Missing field1 or value1') # Get the user's search and retrieve permissions for all permission types. search_perms = handlers.VerifyAllPermissionTypes(permissions.SEARCH) retrieve_perms = handlers.VerifyAllPermissionTypes( permissions.RETRIEVE_OWN) retrieve_created = handlers.VerifyAllPermissionTypes( permissions.RETRIEVE_CREATED_BY) # user is performing a search, ensure they have permissions. if (not search_perms.get(search_type) and not retrieve_perms.get(search_type) and not retrieve_created.get(search_type)): raise base.AccessDeniedError('User lacks %s permission' % search_type) # TODO(user): implement multi-field search by building query here # or better yet using JavaScript. q = '%s:%s' % (field1, value1) try: passphrases = _PassphrasesForQuery(model, q, prefix_search) except ValueError: self.error(httplib.NOT_FOUND) return if not search_perms.get(search_type): username = base.GetCurrentUser().user.nickname() passphrases = [x for x in passphrases if x.owner == username] passphrases = [ v.ToDict(skip_secret=True) for v in passphrases if v.tag == tag ] if model.ALLOW_OWNER_CHANGE: for passphrase in passphrases: if not passphrase['active']: continue link = '/api/internal/change-owner/%s/%s/' % (search_type, passphrase['id']) passphrase['change_owner_link'] = link self.response.out.write(util.ToSafeJson(passphrases))