def process_request(self, req, resp): """Performs content type enforcement on behalf of REST verbs.""" valid_content_types = ['application/x-yaml'] # GET and DELETE should never carry a message body, and have # no content type. Check for content-length or # transfer-encoding to determine if a content-type header # is required. requires_content_type = (req.method not in ['GET', 'DELETE'] and ( (req.content_length is not None and req.content_length > 0) or req.get_header('transfer-encoding') is not None)) if requires_content_type: content_type = (req.content_type.split(';', 1)[0].strip() if req.content_type else '') if not content_type: raise falcon.HTTPMissingHeader('Content-Type') elif content_type not in valid_content_types: message = ( "Unexpected content type: {type}. Expected content types " "are: {expected}.").format(type=six.b( req.content_type).decode('utf-8'), expected=valid_content_types) raise falcon.HTTPUnsupportedMediaType(description=message)
def _validate_content_type(req): """Validate content type. Function validates request against correct content type. If Content-Type cannot be established (i.e. header is missing), :py:class:`falcon.HTTPMissingHeader` is thrown. If Content-Type is not **application/json**(supported contents types are define in SUPPORTED_CONTENT_TYPES variable), :py:class:`falcon.HTTPUnsupportedMediaType` is thrown. :param falcon.Request req: current request :exception: :py:class:`falcon.HTTPMissingHeader` :exception: :py:class:`falcon.HTTPUnsupportedMediaType` """ content_type = req.content_type LOG.debug('Content-type is {0}'.format(content_type)) if content_type is None or len(content_type) == 0: raise falcon.HTTPMissingHeader('Content-Type') if content_type not in SUPPORTED_CONTENT_TYPES: types = ','.join(SUPPORTED_CONTENT_TYPES) details = ( 'Only [{0}] are accepted as events representation'.format(types)) raise falcon.HTTPUnsupportedMediaType(description=details)
def validate_content_type(req, allowed): """Validates content type. Method validates request against correct content type. If content-type cannot be established (i.e. header is missing), :py:class:`falcon.HTTPMissingHeader` is thrown. If content-type is not **application/json** or **text/plain**, :py:class:`falcon.HTTPUnsupportedMediaType` is thrown. :param falcon.Request req: current request :param iterable allowed: allowed content type :exception: :py:class:`falcon.HTTPMissingHeader` :exception: :py:class:`falcon.HTTPUnsupportedMediaType` """ content_type = req.content_type LOG.debug('Content-Type is %s', content_type) if content_type is None or len(content_type) == 0: raise falcon.HTTPMissingHeader('Content-Type') if content_type not in allowed: sup_types = ', '.join(allowed) details = ('Only [%s] are accepted as logs representations' % str(sup_types)) raise falcon.HTTPUnsupportedMediaType(description=details)
def authUser(req, resp, permissions): authHeader = req.get_header('Authorization') if authHeader == None: raise falcon.HTTPMissingHeader('Authorization') try: user = User.objects.get({"auth_b64": authHeader[6:]}) diff_perms = list(set(permissions) - set(User.valid_permissions)) if len(diff_perms) > 0: raise falcon.HTTPForbidden( 'Forbidden', "%s does not have the required permissions: %s" % (user.username, ', '.join(diff_perms))) except User.DoesNotExist: req.context['logger'].debug({ 'message': 'Failed login attempt', 'action': 'login' }) raise falcon.HTTPUnauthorized('Unauthorized', 'Username and password does not exist.', ['Basic realm="WallyWorld"']) else: req.context['user'] = user req.context['logger'].debug({ 'message': "'%s' logged in." % user.username, 'action': 'login' })
def do_auth(self, req, resp, resource, params): if resource._conf.get('auth', False): if not req.auth: raise falcon.HTTPMissingHeader("Missing OAuth token", "Authorization") try: bearer, token = req.auth.split() assert(bearer == "OAuth") except AssertionError as exp: raise falcon.HTTPInvalidHeader("Malformed Authorization header", "Authorization") parts = token.split('.') if len(parts) != 3: raise falcon.HTTPUnauthorized("Token is not a valid JWT token") itok = ".".join(parts[:2]) sig = hmac.new(resource._conf.get('secret', "there is no secret").encode('utf-8'), itok.encode('utf-8'), digestmod=hashlib.sha256).digest() if not hmac.compare_digest(base64.urlsafe_b64encode(sig), parts[2].encode('utf-8')): raise falcon.HTTPForbidden() payload = json.loads(base64.urlsafe_b64decode(parts[1]).decode('utf-8')) if payload["exp"] < int(time.time()): raise falcon.HTTPForbidden(description="Token has expired") if not resource.authorize(payload['prv']): raise falcon.HTTPForbidden(description="User does not have permission to use this function") self._usr = payload["iss"]
def encode_response(self, req, resp, resource): if not req.get_header("Accept"): raise falcon.HTTPMissingHeader("Accept") if req.client_accepts(MIME['PSJSON']) or req.client_accepts(MIME['JSON']): resp.body = json.dumps(resp.body) elif req.client_accepts(MIME['PSBSON']) or req.client_accepts(MIME['BSON']): resp.body = bson.dumps(resp.body)
def validate(self, user_name, user_id, req): try: header_name = req.headers[self.username_header] token = req.headers[self.token_header] except KeyError as err: logging.exception(req.headers) raise falcon.HTTPMissingHeader(err.args[0]) else: if user_name == header_name: return self.noncer.validate_token(user_name, token) return False
def authorize(self, req): if "AUTHORIZATION" not in req.headers: raise falcon.HTTPMissingHeader("Authorization") components = req.headers["AUTHORIZATION"].split(" ") if len(components) != 2: raise falcon.HTTPInvalidHeader("Expected <type> <credentials>", "Authorization") type,creds = components if type not in self.supportedAuthorizationTypes: raise falcon.HTTPInvalidHeader("Unsupported credential type", "Authorization") if creds not in self.db.authKeys(): raise falcon.HTTPInvalidHeader("Invalid credentials", "Authorization")
def process_request(self, req, resp): """Performs content type enforcement on behalf of REST verbs.""" valid_content_types = ['application/x-yaml'] content_type = (req.content_type.split(';', 1)[0].strip() if req.content_type else '') if not content_type: raise falcon.HTTPMissingHeader('Content-Type') elif content_type not in valid_content_types: message = ( "Unexpected content type: {type}. Expected content types " "are: {expected}.").format(type=six.b( req.content_type).decode('utf-8'), expected=valid_content_types) raise falcon.HTTPUnsupportedMediaType(description=message)
def __call__(self, req, resp, resource, params): """Authorize request.""" authentication = req.headers.get('AUTHORIZATION') _ = req.context['user'].get('language') if not authentication: raise falcon.HTTPMissingHeader("AUTHORIZATION") try: user = jwt.decode( authentication, os.getenv('JWT_SECRET'), verify='True', algorithms=['HS512'], # options={'verify_exp': True} # if you want to verify token (session) expiration, uncomment. ) user_deleted = user.get('deleted') user_validated = user.get('validated') user_aproved_by_admin = user.get('status') == 'accepted' if user_deleted: raise falcon.HTTPUnauthorized(_('User deleted.')) if not user_validated: raise falcon.HTTPUnauthorized(_('User not validated.')) if not user_aproved_by_admin: raise falcon.HTTPUnauthorized(_('User unapproved.')) except jwt.ExpiredSignatureError as e: raise falcon.HTTPUnauthorized(_('JWT expired'), str(e)) except jwt.DecodeError as e: raise falcon.HTTPUnauthorized(_('JWT decode error'), str(e)) except Exception: req.context['user'].update({'_id': None, 'role': 'external'}) else: req.context['user'].update({ '_id': user.get('_id'), 'role': user.get('role') })
def on_get(self, req, resp): raise falcon.HTTPMissingHeader('X-Auth-Token')