def main(global_config, **settings):
    """Pyramid application factory: wire the API, CouchDB and (optionally) S3.

    :param global_config: PasteDeploy global section (not used here)
    :param settings: the ``[app:...]`` settings; ``couchdb.db_name`` is required
        (KeyError otherwise), ``couchdb.url`` and the ``aws.*`` keys are read via ``get``
    :return: the WSGI application built from the configurator
    """
    config = Configurator(settings=settings)
    # NOTE(review): the policy is built with ``None``; what that argument stands for
    # (an auth file? accreditation source?) is not visible here — confirm that an
    # unconfigured policy denies rather than grants access.
    config.set_authentication_policy(AuthenticationPolicy(None))
    config.set_authorization_policy(AuthorizationPolicy())
    config.add_renderer('prettyjson', JSON(indent=4))
    # NOTE(review): JSONP output is loadable cross-origin by any page through a
    # <script> tag, so only public data should ever be rendered via ``?opt_jsonp=``.
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp'))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp'))
    config.add_subscriber(set_renderer, NewRequest)
    config.include("cornice")
    # The route prefix is assigned before the views are scanned.
    config.route_prefix = '/api/{}'.format(VERSION)
    config.scan("openprocurement.api.views")

    # CouchDB connection; ``DB_NAME`` in the environment overrides the configured name.
    server = Server(settings.get('couchdb.url'))
    config.registry.couchdb_server = server
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    if db_name not in server:
        server.create(db_name)
    config.registry.db = server[db_name]
    # sync couchdb views
    sync_design(config.registry.db)
    # migrate data — runs on every start-up, so migrate_data is presumably idempotent (verify there)
    migrate_data(config.registry.db)

    # S3 connection, only when all three aws.* keys are present.
    if 'aws.access_key' in settings and 'aws.secret_key' in settings and 'aws.bucket' in settings:
        # Static long-lived keys read straight from the settings file.
        connection = S3Connection(settings['aws.access_key'], settings['aws.secret_key'])
        config.registry.s3_connection = connection
        bucket_name = settings['aws.bucket']
        # Listing every bucket and creating the missing one means the key needs
        # those rights, not just read/write on the bucket itself.
        if bucket_name not in [b.name for b in connection.get_all_buckets()]:
            connection.create_bucket(bucket_name, location=Location.EU)
        config.registry.bucket_name = bucket_name
    return config.make_wsgi_app()
def setUp(self):
    """Give this test its own CouchDB database and point the app at it.

    A random hex suffix is appended to ``self.db_name``, the database is
    created, the design documents are installed with ``sync_design`` and
    ``self.app.app.registry.db`` / ``self.db`` are rebound to it. The test
    app's authorization is reset to ``self.initial_auth``.
    """
    unique_name = self.db_name + uuid4().hex
    self.db_name = unique_name
    couch = self.couchdb_server
    couch.create(unique_name)
    fresh_db = couch[unique_name]
    sync_design(fresh_db)
    registry = self.app.app.registry
    registry.db = fresh_db
    self.db = registry.db
    self.db_name = self.db.name
    self.app.authorization = self.initial_auth
def setUp(self):
    """Give this test its own CouchDB database and point the app at it.

    A random hex suffix is appended to ``self.db_name``, the database is
    created, the design documents are installed with ``sync_design`` and
    ``self.app.app.registry.db`` / ``self.db`` are rebound to it. The test
    app then authenticates with the fixed Basic credential ``('token', '')``
    — a test fixture value, not a production secret.
    """
    unique_name = self.db_name + uuid4().hex
    self.db_name = unique_name
    couch = self.couchdb_server
    couch.create(unique_name)
    fresh_db = couch[unique_name]
    sync_design(fresh_db)
    registry = self.app.app.registry
    registry.db = fresh_db
    self.db = registry.db
    self.db_name = self.db.name
    self.app.authorization = ('Basic', ('token', ''))
def tearDown(self):
    """Reset the per-test CouchDB database to an empty state.

    Calls ``self.setUpDS()`` first when ``self.docservice`` is set (what that
    re-initialises is not visible here), then drops and recreates the database
    named ``self.db_name``, re-installs the design documents and rebinds the
    app registry's ``db`` and ``self.db`` to the new, empty database.
    """
    if self.docservice:
        self.setUpDS()
    couch = self.couchdb_server
    name = self.db_name
    couch.delete(name)
    couch.create(name)
    recreated = couch[name]
    # sync couchdb views
    sync_design(recreated)
    registry = self.app.app.registry
    registry.db = recreated
    self.db = registry.db
def main(global_config, **settings):
    """Pyramid application factory: wire the API and the CouchDB database.

    :param global_config: PasteDeploy global section (not used here)
    :param settings: the ``[app:...]`` settings; ``couchdb.db_name`` is required
        (KeyError otherwise), ``couchdb.url`` is read via ``get``
    :return: the WSGI application built from the configurator
    """
    config = Configurator(settings=settings)
    # NOTE(review): no authentication or authorization policy is set in this
    # factory; unless one is installed elsewhere (e.g. by an include), view
    # ``permission=`` settings are not enforced — confirm this is intended.
    config.add_renderer('prettyjson', JSON(indent=4))
    # NOTE(review): JSONP output is loadable cross-origin by any page through a
    # <script> tag, so only public data should ever be rendered via ``?opt_jsonp=``.
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp'))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp'))
    config.add_subscriber(set_renderer, NewRequest)
    config.include("cornice")
    # The route prefix is assigned before the views are scanned.
    config.route_prefix = '/api/{}'.format(VERSION)
    config.scan("openprocurement.api.views")

    # CouchDB connection; ``DB_NAME`` in the environment overrides the configured name.
    server = Server(settings.get('couchdb.url'))
    config.registry.couchdb_server = server
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    if db_name not in server:
        server.create(db_name)
    config.registry.db = server[db_name]
    # sync couchdb views
    sync_design(config.registry.db)
    # migrate data — runs on every start-up, so migrate_data is presumably idempotent (verify there)
    migrate_data(config.registry.db)
    return config.make_wsgi_app()
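def _ensure_couch_user(users_db, username, password, roles, message, message_id):
    """Create or re-key the CouchDB account ``username`` in ``users_db``.

    Loads ``org.couchdb.user:<username>`` (an ``_id``-only stub when absent) and
    re-derives its PBKDF2 ``derived_key`` from ``password`` with the document's
    own ``salt`` and ``iterations`` (10 when that field is missing). When there
    is no stored key, or it does not match, the document is rewritten with
    ``roles`` and the clear ``password`` field and saved. The ``salt`` /
    ``derived_key`` read back on the next start-up are assumed to be filled in
    by CouchDB itself — confirm for your CouchDB version.

    :param users_db: the ``_users`` database opened through the admin connection
    :param username: account name
    :param password: configured clear-text password to enforce
    :param roles: CouchDB roles written when the document is (re)created
    :param message: log text emitted when the document is (re)written
    :param message_id: ``MESSAGE_ID`` extra attached to that log record
    """
    doc_id = 'org.couchdb.user:{}'.format(username)
    user_doc = users_db.get(doc_id, {'_id': doc_id})
    stored_key = user_doc.get('derived_key', '')
    # Short-circuit keeps PBKDF2 from running against an empty key.
    password_matches = bool(stored_key) and PBKDF2(
        password, user_doc.get('salt', ''), user_doc.get('iterations', 10)
    ).hexread(int(len(stored_key) / 2)) == stored_key
    if not password_matches:
        user_doc.update({"name": username, "roles": roles, "type": "user", "password": password})
        LOGGER.info(message, extra={'MESSAGE_ID': message_id})
        users_db.save(user_doc)


def _security_with_members(names):
    """Return a deep copy of the module-level SECURITY with ``members.names`` set to ``names``.

    The constant is copied instead of mutated in place: the ``_users`` database
    receives SECURITY as-is, and mutating it would leak the application users
    into that (and any later) comparison/assignment.
    """
    import copy
    security = copy.deepcopy(SECURITY)
    security[u'members'][u'names'] = names
    return security


def main(global_config, **settings):
    """Pyramid application factory for the edge service.

    Wires policies, renderers, subscribers and the optional auction / contract /
    plan views, then opens CouchDB. When ``couchdb.admin_url`` is configured and
    ``couchdb.url`` carries credentials, the admin connection is used to
    provision the ``_users`` entries, the database security object and the
    ``validate_doc_update`` document before the regular connection is used.

    :param global_config: PasteDeploy global section (not used here)
    :param settings: ``[app:...]`` settings; ``auth.file`` and ``couchdb.db_name``
        are required, the remaining keys are read via ``get``
    :return: the WSGI application
    """
    config = Configurator(
        autocommit=True,
        settings=settings,
        authentication_policy=AuthenticationPolicy(settings['auth.file'], __name__),
        authorization_policy=AuthorizationPolicy(),
        route_prefix=route_prefix(settings),
    )
    config.include('pyramid_exclog')
    config.include("cornice")
    config.add_forbidden_view(forbidden)
    config.add_request_method(request_params, 'params', reify=True)
    config.add_request_method(authenticated_role, reify=True)
    config.add_request_method(extract_tender, 'tender', reify=True)
    config.add_request_method(check_accreditation)
    config.add_renderer('prettyjson', JSON(indent=4))
    # NOTE(review): JSONP output is loadable cross-origin via <script>; only
    # public data should be rendered through ``?opt_jsonp=``.
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp'))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp'))
    config.add_subscriber(add_logging_context, NewRequest)
    config.add_subscriber(set_logging_context, ContextFound)
    config.add_subscriber(set_renderer, NewRequest)
    config.add_subscriber(beforerender, BeforeRender)
    config.scan("openprocurement.edge.views.spore")
    config.scan("openprocurement.edge.views.health")
    config.scan("openprocurement.edge.views.tenders")
    # Optional feature packages, gated by module-level flags defined elsewhere.
    if auctions_core:
        config.add_request_method(extract_auction, 'auction', reify=True)
        config.scan("openprocurement.edge.views.auctions")
        add_auction_design()
    if contracting:
        config.add_request_method(extract_contract, 'contract', reify=True)
        config.scan("openprocurement.edge.views.contracts")
        add_contract_design()
    if planning:
        config.add_request_method(extract_plan, 'plan', reify=True)
        config.scan("openprocurement.edge.views.plans")
        add_plan_design()

    # CouchDB connection; ``DB_NAME`` in the environment overrides the configured name.
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    server = Server(settings.get('couchdb.url'), session=Session(retry_delays=range(10)))
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        # NOTE(review): when the URL's credentials are rejected this silently
        # downgrades to an anonymous connection (and drops the retrying
        # Session); a wrong password then shows up later as permission errors
        # rather than here — consider failing loudly instead.
        try:
            server.version()
        except Unauthorized:
            server = Server(extract_credentials(settings.get('couchdb.url'))[0])
    config.registry.couchdb_server = server
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        aserver = Server(settings.get('couchdb.admin_url'), session=Session(retry_delays=range(10)))
        config.registry.admin_couchdb_server = aserver
        users_db = aserver['_users']
        # The pristine module constant goes to ``_users``; its contents are defined elsewhere.
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security", extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        # Application user = the credentials embedded in couchdb.url.
        username, password = server.resource.credentials
        _ensure_couch_user(users_db, username, password, [],
                           "Updating edge db main user", 'update_edge_main_user')
        security_users = [username, ]
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            _ensure_couch_user(users_db, reader_username, settings.get('couchdb.reader_password'), ['reader'],
                               "Updating edge db reader user", 'update_edge_reader_user')
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        # Members of the application database: the main user plus the optional reader.
        db_security = _security_with_members(security_users)
        if db_security != db.security:
            LOGGER.info("Updating edge db security", extra={'MESSAGE_ID': 'update_edge_security'})
            db.security = db_security
        # NOTE(review): ``username`` is interpolated into the stored validation
        # function source (VALIDATE_DOC_UPDATE is defined elsewhere). It comes
        # from trusted config, but a name containing quotes would break or
        # alter that function — confirm the template quotes it safely.
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get('validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating edge db validate doc", extra={'MESSAGE_ID': 'update_edge_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views (through the admin connection), then reopen as the app user
        sync_design(db)
        db = server[db_name]
    else:
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
    config.registry.db = db
    config.registry.server_id = settings.get('id', '')
    config.registry.health_threshold = float(settings.get('health_threshold', 99))
    config.registry.update_after = asbool(settings.get('update_after', True))
    return config.make_wsgi_app()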
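def _ensure_couch_user(users_db, username, password, roles, message, message_id):
    """Create or re-key the CouchDB account ``username`` in ``users_db``.

    Loads ``org.couchdb.user:<username>`` (an ``_id``-only stub when absent) and
    re-derives its PBKDF2 ``derived_key`` from ``password`` with the document's
    own ``salt`` and ``iterations`` (10 when that field is missing). When there
    is no stored key, or it does not match, the document is rewritten with
    ``roles`` and the clear ``password`` field and saved. The ``salt`` /
    ``derived_key`` read back on the next start-up are assumed to be filled in
    by CouchDB itself — confirm for your CouchDB version.

    :param users_db: the ``_users`` database opened through the admin connection
    :param username: account name
    :param password: configured clear-text password to enforce
    :param roles: CouchDB roles written when the document is (re)created
    :param message: log text emitted when the document is (re)written
    :param message_id: ``MESSAGE_ID`` extra attached to that log record
    """
    doc_id = 'org.couchdb.user:{}'.format(username)
    user_doc = users_db.get(doc_id, {'_id': doc_id})
    stored_key = user_doc.get('derived_key', '')
    # Short-circuit keeps PBKDF2 from running against an empty key.
    password_matches = bool(stored_key) and PBKDF2(
        password, user_doc.get('salt', ''), user_doc.get('iterations', 10)
    ).hexread(int(len(stored_key) / 2)) == stored_key
    if not password_matches:
        user_doc.update({"name": username, "roles": roles, "type": "user", "password": password})
        LOGGER.info(message, extra={'MESSAGE_ID': message_id})
        users_db.save(user_doc)


def _security_with_members(names):
    """Return a deep copy of the module-level SECURITY with ``members.names`` set to ``names``.

    The constant is copied instead of mutated in place: the ``_users`` database
    receives SECURITY as-is, and mutating it would leak the application users
    into that (and any later) comparison/assignment.
    """
    import copy
    security = copy.deepcopy(SECURITY)
    security[u'members'][u'names'] = names
    return security


def main(global_config, **settings):
    """Pyramid application factory for the API service.

    Wires policies, renderers, subscribers, the procurementMethodType plugin
    machinery and the ``openprocurement.api.plugins`` entry points, then opens
    CouchDB. When ``couchdb.admin_url`` is configured and ``couchdb.url``
    carries credentials, the admin connection provisions the ``_users``
    entries, the database security object and the ``validate_doc_update``
    document. Finally the document-service signing key and keyring are loaded
    and ``openprocurement.api.migrations`` entry points are run (unless
    ``MIGRATION_SKIP`` is set in the environment).

    :param global_config: PasteDeploy global section (not used here)
    :param settings: ``[app:...]`` settings; ``auth.file`` and ``couchdb.db_name``
        are required, the remaining keys are read via ``get``
    :return: the WSGI application
    """
    config = Configurator(
        autocommit=True,
        settings=settings,
        authentication_policy=AuthenticationPolicy(settings['auth.file'], __name__),
        authorization_policy=AuthorizationPolicy(),
        route_prefix=route_prefix(settings),
    )
    config.include('pyramid_exclog')
    config.include("cornice")
    config.add_forbidden_view(forbidden)
    config.add_request_method(request_params, 'params', reify=True)
    config.add_request_method(authenticated_role, reify=True)
    config.add_request_method(extract_tender, 'tender', reify=True)
    config.add_request_method(check_accreditation)
    config.add_request_method(json_body, 'json_body', reify=True)
    config.add_renderer('json', JSON(serializer=simplejson.dumps))
    config.add_renderer('prettyjson', JSON(indent=4, serializer=simplejson.dumps))
    # NOTE(review): JSONP output is loadable cross-origin via <script>; only
    # public data should be rendered through ``?opt_jsonp=``.
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp', serializer=simplejson.dumps))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp', serializer=simplejson.dumps))
    config.add_subscriber(add_logging_context, NewRequest)
    config.add_subscriber(set_logging_context, ContextFound)
    config.add_subscriber(set_renderer, NewRequest)
    config.add_subscriber(beforerender, BeforeRender)
    config.scan("openprocurement.api.views.spore")
    config.scan("openprocurement.api.views.health")

    # tender procurementMethodType plugins support
    config.add_route_predicate('procurementMethodType', isTender)
    config.registry.tender_procurementMethodTypes = {}
    config.add_request_method(tender_from_data)
    config.add_directive('add_tender_procurementMethodType', register_tender_procurementMethodType)

    # search for plugins
    # Names are stripped so a ``plugins = a, b`` setting matches entry point ``b``.
    # NOTE(review): with no ``plugins`` setting at all, every installed
    # distribution that registers an ``openprocurement.api.plugins`` entry point
    # is imported and executed at start-up — this allow-list is the only
    # supply-chain control here.
    plugins = settings.get('plugins') and [name.strip() for name in settings['plugins'].split(',')]
    for entry_point in iter_entry_points('openprocurement.api.plugins'):
        if not plugins or entry_point.name in plugins:
            plugin = entry_point.load()
            plugin(config)

    # CouchDB connection; ``DB_NAME`` in the environment overrides the configured name.
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    server = Server(settings.get('couchdb.url'), session=Session(retry_delays=range(10)))
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        # NOTE(review): when the URL's credentials are rejected this silently
        # downgrades to an anonymous connection (and drops the retrying
        # Session); a wrong password then shows up later as permission errors
        # rather than here — consider failing loudly instead.
        try:
            server.version()
        except Unauthorized:
            server = Server(extract_credentials(settings.get('couchdb.url'))[0])
    config.registry.couchdb_server = server
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        aserver = Server(settings.get('couchdb.admin_url'), session=Session(retry_delays=range(10)))
        config.registry.admin_couchdb_server = aserver
        users_db = aserver['_users']
        # The pristine module constant goes to ``_users``; its contents are defined elsewhere.
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security", extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        # Application user = the credentials embedded in couchdb.url.
        username, password = server.resource.credentials
        _ensure_couch_user(users_db, username, password, [],
                           "Updating api db main user", 'update_api_main_user')
        security_users = [username, ]
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            _ensure_couch_user(users_db, reader_username, settings.get('couchdb.reader_password'), ['reader'],
                               "Updating api db reader user", 'update_api_reader_user')
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        # Members of the application database: the main user plus the optional reader.
        db_security = _security_with_members(security_users)
        if db_security != db.security:
            LOGGER.info("Updating api db security", extra={'MESSAGE_ID': 'update_api_security'})
            db.security = db_security
        # NOTE(review): ``username`` is interpolated into the stored validation
        # function source (VALIDATE_DOC_UPDATE is defined elsewhere). It comes
        # from trusted config, but a name containing quotes would break or
        # alter that function — confirm the template quotes it safely.
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get('validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating api db validate doc", extra={'MESSAGE_ID': 'update_api_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views (through the admin connection), then reopen as the app user
        sync_design(db)
        db = server[db_name]
    else:
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
    config.registry.db = db
    # readjust couchdb json decoder
    couchdb_json_decode()
    # Document Service key: ``dockey`` is a hex-encoded signing key (Python 2
    # ``str.decode('hex')``); ``keyring`` maps the first 8 hex chars of each
    # verifying key to a Verifier. ``dockeys`` is NUL-separated and defaults to
    # this process's own verifying key.
    config.registry.docservice_url = settings.get('docservice_url')
    config.registry.docservice_username = settings.get('docservice_username')
    config.registry.docservice_password = settings.get('docservice_password')
    config.registry.docservice_upload_url = settings.get('docservice_upload_url')
    config.registry.docservice_key = dockey = Signer(settings.get('dockey', '').decode('hex'))
    config.registry.keyring = keyring = {}
    dockeys = settings.get('dockeys') if 'dockeys' in settings else dockey.hex_vk()
    for key in dockeys.split('\0'):
        keyring[key[:8]] = Verifier(key)

    # migrate data
    if not os.environ.get('MIGRATION_SKIP'):
        for entry_point in iter_entry_points('openprocurement.api.migrations'):
            plugin = entry_point.load()
            plugin(config.registry)

    config.registry.server_id = settings.get('id', '')
    config.registry.health_threshold = float(settings.get('health_threshold', 99))
    config.registry.update_after = asbool(settings.get('update_after', True))
    return config.make_wsgi_app()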
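def _ensure_couch_user(users_db, username, password, roles, message, message_id):
    """Create or re-key the CouchDB account ``username`` in ``users_db``.

    Loads ``org.couchdb.user:<username>`` (an ``_id``-only stub when absent) and
    re-derives its PBKDF2 ``derived_key`` from ``password`` with the document's
    own ``salt`` and ``iterations`` (10 when that field is missing). When there
    is no stored key, or it does not match, the document is rewritten with
    ``roles`` and the clear ``password`` field and saved. The ``salt`` /
    ``derived_key`` read back on the next start-up are assumed to be filled in
    by CouchDB itself — confirm for your CouchDB version.

    :param users_db: the ``_users`` database opened through the admin connection
    :param username: account name
    :param password: configured clear-text password to enforce
    :param roles: CouchDB roles written when the document is (re)created
    :param message: log text emitted when the document is (re)written
    :param message_id: ``MESSAGE_ID`` extra attached to that log record
    """
    doc_id = "org.couchdb.user:{}".format(username)
    user_doc = users_db.get(doc_id, {"_id": doc_id})
    stored_key = user_doc.get("derived_key", "")
    # Short-circuit keeps PBKDF2 from running against an empty key.
    password_matches = bool(stored_key) and PBKDF2(
        password, user_doc.get("salt", ""), user_doc.get("iterations", 10)
    ).hexread(int(len(stored_key) / 2)) == stored_key
    if not password_matches:
        user_doc.update({"name": username, "roles": roles, "type": "user", "password": password})
        LOGGER.info(message, extra={"MESSAGE_ID": message_id})
        users_db.save(user_doc)


def _security_with_members(names):
    """Return a deep copy of the module-level SECURITY with ``members.names`` set to ``names``.

    The constant is copied instead of mutated in place: the ``_users`` database
    receives SECURITY as-is, and mutating it would leak the application users
    into that (and any later) comparison/assignment.
    """
    import copy
    security = copy.deepcopy(SECURITY)
    security[u"members"][u"names"] = names
    return security


def set_api_security(settings):
    """Open the CouchDB connections and, with an admin URL, provision users and security.

    Without ``couchdb.admin_url`` the database is simply opened (created if
    missing) through ``couchdb.url``. With it, and when ``couchdb.url`` carries
    credentials, the admin connection ensures the main user (from the URL) and
    the optional ``couchdb.reader_*`` user exist with the configured passwords,
    sets the ``_users`` and application database security objects, installs the
    ``validate_doc_update`` document and syncs the design documents; the
    database is then reopened through the non-admin connection.

    :param settings: application settings; ``couchdb.db_name`` is required
        (``DB_NAME`` in the environment overrides it)
    :return: ``(aserver, server, db)`` — the admin ``Server`` (``None`` when no
        admin URL is used), the regular ``Server`` and the database opened via it
    """
    # CouchDB connection
    db_name = os.environ.get("DB_NAME", settings["couchdb.db_name"])
    server = Server(settings.get("couchdb.url"), session=Session(retry_delays=range(10)))
    if "couchdb.admin_url" not in settings and server.resource.credentials:
        # NOTE(review): when the URL's credentials are rejected this silently
        # downgrades to an anonymous connection (and drops the retrying
        # Session); a wrong password then shows up later as permission errors
        # rather than here — consider failing loudly instead.
        try:
            server.version()
        except Unauthorized:
            server = Server(extract_credentials(settings.get("couchdb.url"))[0])
    if "couchdb.admin_url" in settings and server.resource.credentials:
        aserver = Server(settings.get("couchdb.admin_url"), session=Session(retry_delays=range(10)))
        users_db = aserver["_users"]
        # The pristine module constant goes to ``_users``; its contents are defined elsewhere.
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security", extra={"MESSAGE_ID": "update_users_security"})
            users_db.security = SECURITY
        # Application user = the credentials embedded in couchdb.url.
        username, password = server.resource.credentials
        _ensure_couch_user(users_db, username, password, [],
                           "Updating api db main user", "update_api_main_user")
        security_users = [username]
        if "couchdb.reader_username" in settings and "couchdb.reader_password" in settings:
            reader_username = settings.get("couchdb.reader_username")
            _ensure_couch_user(users_db, reader_username, settings.get("couchdb.reader_password"), ["reader"],
                               "Updating api db reader user", "update_api_reader_user")
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        # Members of the application database: the main user plus the optional reader.
        db_security = _security_with_members(security_users)
        if db_security != db.security:
            LOGGER.info("Updating api db security", extra={"MESSAGE_ID": "update_api_security"})
            db.security = db_security
        # NOTE(review): ``username`` is interpolated into the stored validation
        # function source (VALIDATE_DOC_UPDATE is defined elsewhere). It comes
        # from trusted config, but a name containing quotes would break or
        # alter that function — confirm the template quotes it safely.
        auth_doc = db.get(VALIDATE_DOC_ID, {"_id": VALIDATE_DOC_ID})
        if auth_doc.get("validate_doc_update") != VALIDATE_DOC_UPDATE % username:
            auth_doc["validate_doc_update"] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating api db validate doc", extra={"MESSAGE_ID": "update_api_validate_doc"})
            db.save(auth_doc)
        # sync couchdb views (through the admin connection), then reopen as the app user
        sync_design(db)
        db = server[db_name]
    else:
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
        aserver = None
    return aserver, server, db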
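def _ensure_couch_user(users_db, username, password, roles, message, message_id):
    """Create or re-key the CouchDB account ``username`` in ``users_db``.

    Loads ``org.couchdb.user:<username>`` (an ``_id``-only stub when absent) and
    re-derives its PBKDF2 ``derived_key`` from ``password`` with the document's
    own ``salt`` and ``iterations`` (10 when that field is missing). When there
    is no stored key, or it does not match, the document is rewritten with
    ``roles`` and the clear ``password`` field and saved. The ``salt`` /
    ``derived_key`` read back on the next start-up are assumed to be filled in
    by CouchDB itself — confirm for your CouchDB version.

    :param users_db: the ``_users`` database opened through the admin connection
    :param username: account name
    :param password: configured clear-text password to enforce
    :param roles: CouchDB roles written when the document is (re)created
    :param message: log text emitted when the document is (re)written
    :param message_id: ``MESSAGE_ID`` extra attached to that log record
    """
    doc_id = 'org.couchdb.user:{}'.format(username)
    user_doc = users_db.get(doc_id, {'_id': doc_id})
    stored_key = user_doc.get('derived_key', '')
    # Short-circuit keeps PBKDF2 from running against an empty key.
    password_matches = bool(stored_key) and PBKDF2(
        password, user_doc.get('salt', ''), user_doc.get('iterations', 10)
    ).hexread(int(len(stored_key) / 2)) == stored_key
    if not password_matches:
        user_doc.update({"name": username, "roles": roles, "type": "user", "password": password})
        LOGGER.info(message, extra={'MESSAGE_ID': message_id})
        users_db.save(user_doc)


def _security_with_members(names):
    """Return a deep copy of the module-level SECURITY with ``members.names`` set to ``names``.

    The constant is copied instead of mutated in place: the ``_users`` database
    receives SECURITY as-is, and mutating it would leak the application users
    into that (and any later) comparison/assignment.
    """
    import copy
    security = copy.deepcopy(SECURITY)
    security[u'members'][u'names'] = names
    return security


def main(global_config, **settings):
    """Pyramid application factory: wire the API, CouchDB and (optionally) S3.

    When ``couchdb.admin_url`` is configured and ``couchdb.url`` carries
    credentials, the admin connection provisions the ``_users`` entries, the
    database security object and the ``validate_doc_update`` document before
    the database is reopened through the regular connection. ``migrate_data``
    then runs, and S3 is wired only when all three ``aws.*`` keys are set.

    :param global_config: PasteDeploy global section (not used here)
    :param settings: ``[app:...]`` settings; ``auth.file`` and ``couchdb.db_name``
        are required, the remaining keys are read via ``get``
    :return: the WSGI application
    """
    config = Configurator(
        settings=settings,
        root_factory=factory,
        authentication_policy=AuthenticationPolicy(settings['auth.file'], __name__),
        authorization_policy=AuthorizationPolicy(),
        route_prefix=ROUTE_PREFIX,
    )
    config.add_forbidden_view(forbidden)
    config.add_request_method(authenticated_role, reify=True)
    config.add_renderer('prettyjson', JSON(indent=4))
    # NOTE(review): JSONP output is loadable cross-origin via <script>; only
    # public data should be rendered through ``?opt_jsonp=``.
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp'))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp'))
    config.add_subscriber(add_logging_context, NewRequest)
    config.add_subscriber(set_logging_context, ContextFound)
    config.add_subscriber(set_renderer, NewRequest)
    config.add_subscriber(beforerender, BeforeRender)
    config.include('pyramid_exclog')
    config.include("cornice")
    config.scan("openprocurement.api.views")

    # CouchDB connection; ``DB_NAME`` in the environment overrides the configured name.
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    server = Server(settings.get('couchdb.url'), session=Session(retry_delays=range(10)))
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        # NOTE(review): when the URL's credentials are rejected this silently
        # downgrades to an anonymous connection (and drops the retrying
        # Session); a wrong password then shows up later as permission errors
        # rather than here — consider failing loudly instead.
        try:
            server.version()
        except Unauthorized:
            server = Server(extract_credentials(settings.get('couchdb.url'))[0])
    config.registry.couchdb_server = server
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        aserver = Server(settings.get('couchdb.admin_url'), session=Session(retry_delays=range(10)))
        users_db = aserver['_users']
        # The pristine module constant goes to ``_users``; its contents are defined elsewhere.
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security", extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        # Application user = the credentials embedded in couchdb.url.
        username, password = server.resource.credentials
        _ensure_couch_user(users_db, username, password, [],
                           "Updating api db main user", 'update_api_main_user')
        security_users = [username, ]
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            _ensure_couch_user(users_db, reader_username, settings.get('couchdb.reader_password'), ['reader'],
                               "Updating api db reader user", 'update_api_reader_user')
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        # Members of the application database: the main user plus the optional reader.
        db_security = _security_with_members(security_users)
        if db_security != db.security:
            LOGGER.info("Updating api db security", extra={'MESSAGE_ID': 'update_api_security'})
            db.security = db_security
        # NOTE(review): ``username`` is interpolated into the stored validation
        # function source (VALIDATE_DOC_UPDATE is defined elsewhere). It comes
        # from trusted config, but a name containing quotes would break or
        # alter that function — confirm the template quotes it safely.
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get('validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating api db validate doc", extra={'MESSAGE_ID': 'update_api_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views (through the admin connection), then reopen as the app user
        sync_design(db)
        db = server[db_name]
    else:
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
    config.registry.db = db
    # migrate data — runs on every start-up, so migrate_data is presumably idempotent (verify there)
    migrate_data(config.registry.db)

    # S3 connection, only when all three aws.* keys are present.
    if 'aws.access_key' in settings and 'aws.secret_key' in settings and 'aws.s3_bucket' in settings:
        # Static long-lived keys read straight from the settings file.
        connection = S3Connection(settings['aws.access_key'], settings['aws.secret_key'])
        config.registry.s3_connection = connection
        bucket_name = settings['aws.s3_bucket']
        # Listing every bucket and creating the missing one means the key needs
        # those rights, not just read/write on the bucket itself.
        if bucket_name not in [b.name for b in connection.get_all_buckets()]:
            connection.create_bucket(bucket_name, location=Location.EU)
        config.registry.bucket_name = bucket_name
    config.registry.server_id = settings.get('id', '')
    return config.make_wsgi_app()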
def create_db(self):
    """Create the test database and install its design documents.

    The name is ``DB_NAME`` from the environment, falling back to the app's
    ``COUCHBD_NAME_SETTING`` setting. ``Server.create`` is called directly, so
    this presumably fails when the database already exists — TODO confirm.

    :return: the new database, which is also stored on ``self.app.registry.db``
    """
    registry = self.app.registry
    name = os.environ.get("DB_NAME", registry.settings[COUCHBD_NAME_SETTING])
    fresh_db = registry.couchdb_server.create(name)
    registry.db = fresh_db
    sync_design(registry.db)
    return registry.db
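def _ensure_couch_user(users_db, username, password, roles, message, message_id):
    """Create or re-key the CouchDB account ``username`` in ``users_db``.

    Loads ``org.couchdb.user:<username>`` (an ``_id``-only stub when absent) and
    re-derives its PBKDF2 ``derived_key`` from ``password`` with the document's
    own ``salt`` and ``iterations`` (10 when that field is missing). When there
    is no stored key, or it does not match, the document is rewritten with
    ``roles`` and the clear ``password`` field and saved. The ``salt`` /
    ``derived_key`` read back on the next start-up are assumed to be filled in
    by CouchDB itself — confirm for your CouchDB version.

    :param users_db: the ``_users`` database opened through the admin connection
    :param username: account name
    :param password: configured clear-text password to enforce
    :param roles: CouchDB roles written when the document is (re)created
    :param message: log text emitted when the document is (re)written
    :param message_id: ``MESSAGE_ID`` extra attached to that log record
    """
    doc_id = 'org.couchdb.user:{}'.format(username)
    user_doc = users_db.get(doc_id, {'_id': doc_id})
    stored_key = user_doc.get('derived_key', '')
    # Short-circuit keeps PBKDF2 from running against an empty key.
    password_matches = bool(stored_key) and PBKDF2(
        password, user_doc.get('salt', ''), user_doc.get('iterations', 10)
    ).hexread(int(len(stored_key) / 2)) == stored_key
    if not password_matches:
        user_doc.update({"name": username, "roles": roles, "type": "user", "password": password})
        LOGGER.info(message, extra={'MESSAGE_ID': message_id})
        users_db.save(user_doc)


def _security_with_members(names):
    """Return a deep copy of the module-level SECURITY with ``members.names`` set to ``names``.

    The constant is copied instead of mutated in place: the ``_users`` database
    receives SECURITY as-is, and mutating it would leak the application users
    into that (and any later) comparison/assignment.
    """
    import copy
    security = copy.deepcopy(SECURITY)
    security[u'members'][u'names'] = names
    return security


def set_api_security(settings):
    """Open the CouchDB connections and, with an admin URL, provision users and security.

    Without ``couchdb.admin_url`` the database is simply opened (created if
    missing) through ``couchdb.url``. With it, and when ``couchdb.url`` carries
    credentials, the admin connection ensures the main user (from the URL) and
    the optional ``couchdb.reader_*`` user exist with the configured passwords,
    sets the ``_users`` and application database security objects, installs the
    ``validate_doc_update`` document and syncs the design documents; the
    database is then reopened through the non-admin connection.

    :param settings: application settings; ``couchdb.db_name`` is required
        (``DB_NAME`` in the environment overrides it)
    :return: ``(aserver, server, db)`` — the admin ``Server`` (``None`` when no
        admin URL is used), the regular ``Server`` and the database opened via it
    """
    # CouchDB connection
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    server = Server(settings.get('couchdb.url'), session=Session(retry_delays=range(10)))
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        # NOTE(review): when the URL's credentials are rejected this silently
        # downgrades to an anonymous connection (and drops the retrying
        # Session); a wrong password then shows up later as permission errors
        # rather than here — consider failing loudly instead.
        try:
            server.version()
        except Unauthorized:
            server = Server(extract_credentials(settings.get('couchdb.url'))[0])
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        aserver = Server(settings.get('couchdb.admin_url'), session=Session(retry_delays=range(10)))
        users_db = aserver['_users']
        # The pristine module constant goes to ``_users``; its contents are defined elsewhere.
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security", extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        # Application user = the credentials embedded in couchdb.url.
        username, password = server.resource.credentials
        _ensure_couch_user(users_db, username, password, [],
                           "Updating api db main user", 'update_api_main_user')
        security_users = [username, ]
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            _ensure_couch_user(users_db, reader_username, settings.get('couchdb.reader_password'), ['reader'],
                               "Updating api db reader user", 'update_api_reader_user')
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        # Members of the application database: the main user plus the optional reader.
        db_security = _security_with_members(security_users)
        if db_security != db.security:
            LOGGER.info("Updating api db security", extra={'MESSAGE_ID': 'update_api_security'})
            db.security = db_security
        # NOTE(review): ``username`` is interpolated into the stored validation
        # function source (VALIDATE_DOC_UPDATE is defined elsewhere). It comes
        # from trusted config, but a name containing quotes would break or
        # alter that function — confirm the template quotes it safely.
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get('validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating api db validate doc", extra={'MESSAGE_ID': 'update_api_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views (through the admin connection), then reopen as the app user
        sync_design(db)
        db = server[db_name]
    else:
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
        aserver = None
    return aserver, server, db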
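def _ensure_couch_user(users_db, username, password, roles, message, message_id):
    """Create or re-key the CouchDB account ``username`` in ``users_db``.

    Loads ``org.couchdb.user:<username>`` (an ``_id``-only stub when absent) and
    compares its stored ``derived_key`` with ``build_derived_key(password, doc)``.
    When there is no stored key, or it does not match, the document is rewritten
    with ``roles`` and the clear ``password`` field and saved. The
    ``derived_key`` read back on the next start-up is assumed to be filled in by
    CouchDB itself — confirm for your CouchDB version.

    :param users_db: the ``_users`` database opened through the admin connection
    :param username: account name
    :param password: configured clear-text password to enforce
    :param roles: CouchDB roles written when the document is (re)created
    :param message: log text emitted when the document is (re)written
    :param message_id: ``MESSAGE_ID`` extra attached to that log record
    """
    doc_id = "org.couchdb.user:{}".format(username)
    user_doc = users_db.get(doc_id, {"_id": doc_id})
    stored_key = user_doc.get("derived_key", "")
    if not stored_key or build_derived_key(password, user_doc) != stored_key:
        user_doc.update({"name": username, "roles": roles, "type": "user", "password": password})
        LOGGER.info(message, extra={"MESSAGE_ID": message_id})
        users_db.save(user_doc)


def _security_with_members(names):
    """Return a deep copy of the module-level SECURITY with ``members.names`` set to ``names``.

    The constant is copied instead of mutated in place: the ``_users`` database
    receives SECURITY as-is, and mutating it would leak the application users
    into that (and any later) comparison/assignment.
    """
    import copy
    security = copy.deepcopy(SECURITY)
    security["members"]["names"] = names
    return security


def set_api_security(settings):
    """Open the CouchDB connections and, with an admin URL, provision users and security.

    Without ``couchdb.admin_url`` the database is simply opened (created if
    missing) through ``couchdb.url``. With it, and when ``couchdb.url`` carries
    credentials, the admin connection ensures the main user (from the URL) and
    the optional ``couchdb.reader_*`` user exist with the configured passwords,
    sets the ``_users`` and application database security objects, installs the
    ``validate_doc_update`` document and syncs the design documents; the
    database is then reopened through the non-admin connection.

    :param settings: application settings; ``couchdb.db_name`` is required
        (``DB_NAME`` in the environment overrides it)
    :return: ``(aserver, server, db)`` — the admin ``Server`` (``None`` when no
        admin URL is used), the regular ``Server`` and the database opened via it
    """
    # CouchDB connection
    db_name = os.environ.get("DB_NAME", settings["couchdb.db_name"])
    server = Server(settings.get("couchdb.url"), session=Session(retry_delays=list(range(10))))

    # No admin URL: if the credentials embedded in couchdb.url are rejected,
    # strip them and reconnect anonymously.
    # NOTE(review): this silently downgrades a mis-configured password to an
    # anonymous connection (and drops the retrying Session); a wrong password
    # then shows up later as permission errors — consider failing loudly.
    if "couchdb.admin_url" not in settings and server.resource.credentials:
        try:
            server.version()
        except Unauthorized:
            server = Server(extract_credentials(settings.get("couchdb.url"))[0])

    # admin_url is provided and url contains credentials
    if "couchdb.admin_url" in settings and server.resource.credentials:
        # init admin connection
        aserver = Server(settings.get("couchdb.admin_url"), session=Session(retry_delays=list(range(10))))

        # Apply the pristine module-level SECURITY to the "_users" database.
        # Per the original author's note, with empty "names" this effectively
        # relaxes rather than tightens access to "_users".
        users_db = aserver["_users"]
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security", extra={"MESSAGE_ID": "update_users_security"})
            users_db.security = SECURITY

        # non admin user credentials from couchdb.url; (re)set its password if it changed
        username, password = server.resource.credentials
        _ensure_couch_user(users_db, username, password, [],
                           "Updating api db main user", "update_api_main_user")

        # users that become members of the application database
        security_users = [username]

        # updating reader user password and adding it to the members
        if "couchdb.reader_username" in settings and "couchdb.reader_password" in settings:
            reader_username = settings.get("couchdb.reader_username")
            reader_password = settings.get("couchdb.reader_password")
            _ensure_couch_user(users_db, reader_username, reader_password, ["reader"],
                               "Updating api db reader user", "update_api_reader_user")
            security_users.append(reader_username)

        # ensure database exists
        if db_name not in aserver:
            aserver.create(db_name)

        # updating application database security (on a copy, not on SECURITY itself)
        db = aserver[db_name]
        db_security = _security_with_members(security_users)
        if db_security != db.security:
            LOGGER.info("Updating api db security", extra={"MESSAGE_ID": "update_api_security"})
            db.security = db_security

        # updating validation document. Per the original author's description,
        # VALIDATE_DOC_UPDATE: 1) forbids deleting documents with the tenderId
        # field, 2) allows _design document updates for users with the _admin
        # role (which also works for `username`), 3) allows updates only for
        # `username` (the user from couchdb.url) — any other user cannot update
        # anything. The author also notes the application works without it.
        # NOTE(review): ``username`` is interpolated into the stored function
        # source; it comes from trusted config, but a name containing quotes
        # would break or alter that function — confirm the template quotes it.
        auth_doc = db.get(VALIDATE_DOC_ID, {"_id": VALIDATE_DOC_ID})
        if auth_doc.get("validate_doc_update") != VALIDATE_DOC_UPDATE % username:
            auth_doc["validate_doc_update"] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating api db validate doc", extra={"MESSAGE_ID": "update_api_validate_doc"})
            db.save(auth_doc)

        # sync couchdb views (through the admin connection), then reopen as the app user
        sync_design(db)
        db = server[db_name]
    else:
        # ensure database exists
        # (per the original author's note, a non-admin user can't actually do this)
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
        aserver = None
    return aserver, server, db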
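def _ensure_couch_user(users_db, username, password, roles, message, message_id):
    """Create or re-key the CouchDB account ``username`` in ``users_db``.

    Loads ``org.couchdb.user:<username>`` (an ``_id``-only stub when absent) and
    re-derives its PBKDF2 ``derived_key`` from ``password`` with the document's
    own ``salt`` and ``iterations`` (10 when that field is missing). When there
    is no stored key, or it does not match, the document is rewritten with
    ``roles`` and the clear ``password`` field and saved. The ``salt`` /
    ``derived_key`` read back on the next start-up are assumed to be filled in
    by CouchDB itself — confirm for your CouchDB version.

    :param users_db: the ``_users`` database opened through the admin connection
    :param username: account name
    :param password: configured clear-text password to enforce
    :param roles: CouchDB roles written when the document is (re)created
    :param message: log text emitted when the document is (re)written
    :param message_id: ``MESSAGE_ID`` extra attached to that log record
    """
    doc_id = 'org.couchdb.user:{}'.format(username)
    user_doc = users_db.get(doc_id, {'_id': doc_id})
    stored_key = user_doc.get('derived_key', '')
    # Short-circuit keeps PBKDF2 from running against an empty key.
    password_matches = bool(stored_key) and PBKDF2(
        password, user_doc.get('salt', ''), user_doc.get('iterations', 10)
    ).hexread(int(len(stored_key) / 2)) == stored_key
    if not password_matches:
        user_doc.update({"name": username, "roles": roles, "type": "user", "password": password})
        LOGGER.info(message, extra={'MESSAGE_ID': message_id})
        users_db.save(user_doc)


def _security_with_members(names):
    """Return a deep copy of the module-level SECURITY with ``members.names`` set to ``names``.

    The constant is copied instead of mutated in place: the ``_users`` database
    receives SECURITY as-is, and mutating it would leak the application users
    into that (and any later) comparison/assignment.
    """
    import copy
    security = copy.deepcopy(SECURITY)
    security[u'members'][u'names'] = names
    return security


def set_api_security(settings):
    """Open the CouchDB connections and, with an admin URL, provision users and security.

    Without ``couchdb.admin_url`` the database is simply opened (created if
    missing) through ``couchdb.url``. With it, and when ``couchdb.url`` carries
    credentials, the admin connection ensures the main user (from the URL) and
    the optional ``couchdb.reader_*`` user exist with the configured passwords,
    sets the ``_users`` and application database security objects, installs the
    ``validate_doc_update`` document and syncs the design documents; the
    database is then reopened through the non-admin connection.

    :param settings: application settings; ``couchdb.db_name`` is required
        (``DB_NAME`` in the environment overrides it)
    :return: ``(aserver, server, db)`` — the admin ``Server`` (``None`` when no
        admin URL is used), the regular ``Server`` and the database opened via it
    """
    # CouchDB connection
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    server = Server(settings.get('couchdb.url'), session=Session(retry_delays=range(10)))
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        # NOTE(review): when the URL's credentials are rejected this silently
        # downgrades to an anonymous connection (and drops the retrying
        # Session); a wrong password then shows up later as permission errors
        # rather than here — consider failing loudly instead.
        try:
            server.version()
        except Unauthorized:
            server = Server(extract_credentials(settings.get('couchdb.url'))[0])
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        aserver = Server(settings.get('couchdb.admin_url'), session=Session(retry_delays=range(10)))
        users_db = aserver['_users']
        # The pristine module constant goes to ``_users``; its contents are defined elsewhere.
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security", extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        # Application user = the credentials embedded in couchdb.url.
        username, password = server.resource.credentials
        _ensure_couch_user(users_db, username, password, [],
                           "Updating api db main user", 'update_api_main_user')
        security_users = [username, ]
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            _ensure_couch_user(users_db, reader_username, settings.get('couchdb.reader_password'), ['reader'],
                               "Updating api db reader user", 'update_api_reader_user')
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        # Members of the application database: the main user plus the optional reader.
        db_security = _security_with_members(security_users)
        if db_security != db.security:
            LOGGER.info("Updating api db security", extra={'MESSAGE_ID': 'update_api_security'})
            db.security = db_security
        # NOTE(review): ``username`` is interpolated into the stored validation
        # function source (VALIDATE_DOC_UPDATE is defined elsewhere). It comes
        # from trusted config, but a name containing quotes would break or
        # alter that function — confirm the template quotes it safely.
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get('validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating api db validate doc", extra={'MESSAGE_ID': 'update_api_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views (through the admin connection), then reopen as the app user
        sync_design(db)
        db = server[db_name]
    else:
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
        aserver = None
    return aserver, server, db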
def main(global_config, **settings):
    """Build the API WSGI application.

    Configures Pyramid (auth policies, renderers, request methods, event
    subscribers, view scanning and procurementMethodType plugins), opens the
    CouchDB connection and -- when an admin URL is configured and the plain URL
    embeds credentials -- provisions CouchDB users, security objects and the
    update-validation document, runs data migration, optionally opens the S3
    connection, and returns the WSGI app.

    Args:
        global_config: PasteDeploy global section; not used here.
        **settings: deployment settings.  ``auth.file`` and
            ``couchdb.db_name`` are required (KeyError otherwise); the
            ``couchdb.*``, ``aws.*``, ``plugins`` and ``id`` keys are optional.

    Returns:
        The WSGI application produced by ``config.make_wsgi_app()``.
    """
    config = Configurator(
        # autocommit=True applies each configuration call immediately.
        autocommit=True,
        settings=settings,
        # Authentication is driven by the auth file named in settings.
        authentication_policy=AuthenticationPolicy(settings['auth.file'], __name__),
        authorization_policy=AuthorizationPolicy(),
        route_prefix=ROUTE_PREFIX,
    )
    config.include('pyramid_exclog')
    config.include("cornice")
    config.add_forbidden_view(forbidden)
    # reify=True: computed once per request and cached on it.
    config.add_request_method(request_params, 'params', reify=True)
    config.add_request_method(authenticated_role, reify=True)
    config.add_request_method(extract_tender, 'tender', reify=True)
    config.add_renderer('prettyjson', JSON(indent=4))
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp'))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp'))
    config.add_subscriber(add_logging_context, NewRequest)
    config.add_subscriber(set_logging_context, ContextFound)
    config.add_subscriber(set_renderer, NewRequest)
    config.add_subscriber(beforerender, BeforeRender)
    config.scan("openprocurement.api.views.spore")

    # tender procurementMethodType plugins support
    config.add_route_predicate('procurementMethodType', isTender)
    config.registry.tender_procurementMethodTypes = {}
    config.add_request_method(tender_from_data)
    config.add_directive('add_tender_procurementMethodType', register_tender_procurementMethodType)

    # search for plugins
    # ``plugins`` is falsy (load every entry point) or a list of entry-point
    # names taken from the comma-separated setting.
    plugins = settings.get('plugins') and settings['plugins'].split(',')
    for entry_point in iter_entry_points('openprocurement.api.plugins'):
        if not plugins or entry_point.name in plugins:
            plugin = entry_point.load()
            # Each plugin receives the Configurator and registers itself.
            plugin(config)

    # CouchDB connection
    # DB_NAME in the environment overrides the configured database name.
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    # Session retries failed requests; retry_delays is the per-attempt delay list.
    server = Server(settings.get('couchdb.url'), session=Session(retry_delays=range(10)))
    # No admin URL but the plain URL embeds user:password -- probe the server
    # and, if those credentials are rejected, fall back to a connection built
    # from extract_credentials()[0] (presumably the URL with the credentials
    # stripped -- confirm against its definition).
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        try:
            server.version()
        except Unauthorized:
            server = Server(
                extract_credentials(settings.get('couchdb.url'))[0])
    config.registry.couchdb_server = server
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        # Privileged work goes over the admin connection only; it is not stored
        # on the registry, and the API database is re-opened through the plain
        # connection at the end of this branch.
        aserver = Server(settings.get('couchdb.admin_url'), session=Session(retry_delays=range(10)))
        users_db = aserver['_users']
        # Push the module-level SECURITY object to _users when the server's
        # current security object differs from it.
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security", extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        # The main API user is the one embedded in couchdb.url.
        username, password = server.resource.credentials
        user_doc = users_db.get(
            'org.couchdb.user:{}'.format(username),
            {'_id': 'org.couchdb.user:{}'.format(username)})
        # Re-derive the stored PBKDF2 hash from the configured password using
        # the doc's own salt and iteration count (fallbacks '' and 10 when the
        # doc lacks them); hexread() asks for as many bytes as the stored hex
        # key encodes.  A missing key or a mismatch means the configured
        # password is not the one on the server, so the doc is rewritten with
        # the plaintext "password" field -- CouchDB is expected to replace it
        # with salt/derived_key on save (confirm for the target CouchDB
        # version).  The password itself is never written to the log.
        if not user_doc.get(
                'derived_key', '') or PBKDF2(password, user_doc.get(
                    'salt', ''), user_doc.get('iterations', 10)).hexread(
                    int(len(user_doc.get('derived_key', '')) / 2)) != user_doc.get('derived_key', ''):
            user_doc.update({
                "name": username,
                "roles": [],
                "type": "user",
                "password": password
            })
            LOGGER.info("Updating api db main user", extra={'MESSAGE_ID': 'update_api_main_user'})
            users_db.save(user_doc)
        # Names that will be listed as members of the API database.
        security_users = [
            username,
        ]
        # Optional read-only user: same verify-then-rewrite step, but with the
        # 'reader' role.  Both settings must be present for it to be handled.
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            reader = users_db.get(
                'org.couchdb.user:{}'.format(reader_username),
                {'_id': 'org.couchdb.user:{}'.format(reader_username)})
            if not reader.get('derived_key', '') or PBKDF2(
                    settings.get('couchdb.reader_password'), reader.get('salt', ''), reader.get(
                        'iterations', 10)).hexread(
                    int(len(reader.get('derived_key', '')) / 2)) != reader.get('derived_key', ''):
                reader.update({
                    "name": reader_username,
                    "roles": ['reader'],
                    "type": "user",
                    "password": settings.get('couchdb.reader_password')
                })
                LOGGER.info("Updating api db reader user", extra={'MESSAGE_ID': 'update_api_reader_user'})
                users_db.save(reader)
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        # NOTE(review): this mutates the module-level SECURITY dict in place,
        # after the same object was already assigned to _users above; any later
        # comparison against SECURITY in this process sees this member list.
        SECURITY[u'members'][u'names'] = security_users
        if SECURITY != db.security:
            LOGGER.info("Updating api db security", extra={'MESSAGE_ID': 'update_api_security'})
            db.security = SECURITY
        # Install the update-validation function, templated with the main
        # username.  What it enforces is defined by VALIDATE_DOC_UPDATE elsewhere.
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get(
                'validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating api db validate doc", extra={'MESSAGE_ID': 'update_api_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views
        sync_design(db)
        # Use the database through the non-admin connection so the running app
        # does not hold admin rights.
        db = server[db_name]
    else:
        # No admin URL, or no credentials in the URL: the database is only
        # created if missing.  No security object and no validation document
        # are applied on this path.
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
    config.registry.db = db
    # migrate data
    migrate_data(config.registry.db)
    # S3 connection
    # Only configured when all three aws.* settings are present; the bucket
    # is created in the EU location if it does not exist yet.
    if 'aws.access_key' in settings and 'aws.secret_key' in settings and 'aws.s3_bucket' in settings:
        connection = S3Connection(settings['aws.access_key'], settings['aws.secret_key'])
        config.registry.s3_connection = connection
        bucket_name = settings['aws.s3_bucket']
        if bucket_name not in [b.name for b in connection.get_all_buckets()]:
            connection.create_bucket(bucket_name, location=Location.EU)
        config.registry.bucket_name = bucket_name
    # Identifier of this server instance; empty string when not configured.
    config.registry.server_id = settings.get('id', '')
    return config.make_wsgi_app()
def main(global_config, **settings):
    """Build the edge WSGI application.

    Configures Pyramid (auth policies, renderers, request methods, event
    subscribers and view scanning, with the auctions/contracts/plans views
    enabled by the module-level ``auctions_core``/``contracting``/``planning``
    flags), opens the CouchDB connection and -- when an admin URL is configured
    and the plain URL embeds credentials -- provisions CouchDB users, security
    objects and the update-validation document, then returns the WSGI app.

    Args:
        global_config: PasteDeploy global section; not used here.
        **settings: deployment settings.  ``auth.file`` and
            ``couchdb.db_name`` are required (KeyError otherwise); the
            ``couchdb.*``, ``id``, ``health_threshold`` and ``update_after``
            keys are optional.

    Returns:
        The WSGI application produced by ``config.make_wsgi_app()``.
    """
    config = Configurator(
        # autocommit=True applies each configuration call immediately.
        autocommit=True,
        settings=settings,
        # Authentication is driven by the auth file named in settings.
        authentication_policy=AuthenticationPolicy(settings['auth.file'], __name__),
        authorization_policy=AuthorizationPolicy(),
        # Route prefix is derived from settings (see route_prefix()).
        route_prefix=route_prefix(settings),
    )
    config.include('pyramid_exclog')
    config.include("cornice")
    config.add_forbidden_view(forbidden)
    # reify=True: computed once per request and cached on it.
    config.add_request_method(request_params, 'params', reify=True)
    config.add_request_method(authenticated_role, reify=True)
    config.add_request_method(extract_tender, 'tender', reify=True)
    config.add_request_method(check_accreditation)
    config.add_renderer('prettyjson', JSON(indent=4))
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp'))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp'))
    config.add_subscriber(add_logging_context, NewRequest)
    config.add_subscriber(set_logging_context, ContextFound)
    config.add_subscriber(set_renderer, NewRequest)
    config.add_subscriber(beforerender, BeforeRender)
    config.scan("openprocurement.edge.views.spore")
    config.scan("openprocurement.edge.views.health")
    config.scan("openprocurement.edge.views.tenders")
    # Optional resource families: each adds its request accessor, scans its
    # views and registers its CouchDB design documents.
    if auctions_core:
        config.add_request_method(extract_auction, 'auction', reify=True)
        config.scan("openprocurement.edge.views.auctions")
        add_auction_design()
    if contracting:
        config.add_request_method(extract_contract, 'contract', reify=True)
        config.scan("openprocurement.edge.views.contracts")
        add_contract_design()
    if planning:
        config.add_request_method(extract_plan, 'plan', reify=True)
        config.scan("openprocurement.edge.views.plans")
        add_plan_design()

    # CouchDB connection
    # DB_NAME in the environment overrides the configured database name.
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    # Session retries failed requests; retry_delays is the per-attempt delay list.
    server = Server(settings.get('couchdb.url'), session=Session(retry_delays=range(10)))
    # No admin URL but the plain URL embeds user:password -- probe the server
    # and, if those credentials are rejected, fall back to a connection built
    # from extract_credentials()[0] (presumably the URL with the credentials
    # stripped -- confirm against its definition).
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        try:
            server.version()
        except Unauthorized:
            server = Server(extract_credentials(settings.get('couchdb.url'))[0])
    config.registry.couchdb_server = server
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        aserver = Server(settings.get('couchdb.admin_url'), session=Session(retry_delays=range(10)))
        # The admin connection is kept on the registry on this path only; on
        # the else path below the attribute is never set.
        config.registry.admin_couchdb_server = aserver
        users_db = aserver['_users']
        # Push the module-level SECURITY object to _users when the server's
        # current security object differs from it.
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security", extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        # The main edge user is the one embedded in couchdb.url.
        username, password = server.resource.credentials
        user_doc = users_db.get('org.couchdb.user:{}'.format(username), {'_id': 'org.couchdb.user:{}'.format(username)})
        # Re-derive the stored PBKDF2 hash from the configured password using
        # the doc's own salt and iteration count (fallbacks '' and 10 when the
        # doc lacks them); hexread() asks for as many bytes as the stored hex
        # key encodes.  A missing key or a mismatch means the configured
        # password is not the one on the server, so the doc is rewritten with
        # the plaintext "password" field -- CouchDB is expected to replace it
        # with salt/derived_key on save (confirm for the target CouchDB
        # version).  The password itself is never written to the log.
        if not user_doc.get('derived_key', '') or PBKDF2(password, user_doc.get('salt', ''), user_doc.get('iterations', 10)).hexread(int(len(user_doc.get('derived_key', '')) / 2)) != user_doc.get('derived_key', ''):
            user_doc.update({
                "name": username,
                "roles": [],
                "type": "user",
                "password": password
            })
            LOGGER.info("Updating edge db main user", extra={'MESSAGE_ID': 'update_edge_main_user'})
            users_db.save(user_doc)
        # Names that will be listed as members of the edge database.
        security_users = [username, ]
        # Optional read-only user: same verify-then-rewrite step, but with the
        # 'reader' role.  Both settings must be present for it to be handled.
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            reader = users_db.get('org.couchdb.user:{}'.format(reader_username), {'_id': 'org.couchdb.user:{}'.format(reader_username)})
            if not reader.get('derived_key', '') or PBKDF2(settings.get('couchdb.reader_password'), reader.get('salt', ''), reader.get('iterations', 10)).hexread(int(len(reader.get('derived_key', '')) / 2)) != reader.get('derived_key', ''):
                reader.update({
                    "name": reader_username,
                    "roles": ['reader'],
                    "type": "user",
                    "password": settings.get('couchdb.reader_password')
                })
                LOGGER.info("Updating edge db reader user", extra={'MESSAGE_ID': 'update_edge_reader_user'})
                users_db.save(reader)
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        # NOTE(review): this mutates the module-level SECURITY dict in place,
        # after the same object was already assigned to _users above; any later
        # comparison against SECURITY in this process sees this member list.
        SECURITY[u'members'][u'names'] = security_users
        if SECURITY != db.security:
            LOGGER.info("Updating edge db security", extra={'MESSAGE_ID': 'update_edge_security'})
            db.security = SECURITY
        # Install the update-validation function, templated with the main
        # username.  What it enforces is defined by VALIDATE_DOC_UPDATE elsewhere.
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get('validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating edge db validate doc", extra={'MESSAGE_ID': 'update_edge_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views
        sync_design(db)
        # Use the database through the non-admin connection so request
        # handling does not run with admin rights.
        db = server[db_name]
    else:
        # No admin URL, or no credentials in the URL: the database is only
        # created if missing.  No security object and no validation document
        # are applied on this path.
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
    config.registry.db = db
    # Identifier of this server instance; empty string when not configured.
    config.registry.server_id = settings.get('id', '')
    # Health-check threshold as a float, defaulting to 99.
    config.registry.health_threshold = float(settings.get('health_threshold', 99))
    # Boolean parsed from the setting (asbool), defaulting to True.
    config.registry.update_after = asbool(settings.get('update_after', True))
    return config.make_wsgi_app()