def _check_permissions(model, table, user, object_uuids, owner_ids,
need_permission):
# Validate parameter values
if table == cl_group_bundle_permission:
object_type = 'bundle'
elif table == cl_group_worksheet_permission:
object_type = 'worksheet'
else:
raise IntegrityError('Unexpected table: %s' % table)
if len(object_uuids) == 0:
return
have_permissions = model.get_user_permissions(
table, user.unique_id if user else None, object_uuids, owner_ids)
if min(have_permissions.values()) >= need_permission:
return
if user:
user_str = '%s(%s)' % (user.name, user.unique_id)
else:
user_str = None
raise PermissionError(
"User %s does not have sufficient permissions on %s %s (have %s, need %s)."
% (
user_str,
object_type,
' '.join(object_uuids),
' '.join(map(permission_str, list(have_permissions.values()))),
permission_str(need_permission),
))
def new_worksheet(name):
"""
Create a new worksheet with the given |name|.
"""
if not request.user.is_authenticated:
raise PermissionError("You must be logged in to create a worksheet.")
ensure_unused_worksheet_name(name)
# Don't need any permissions to do this.
worksheet = Worksheet({
'name': name,
'title': None,
'frozen': None,
'items': [],
'owner_id': request.user.user_id
})
local.model.new_worksheet(worksheet)
# Make worksheet publicly readable by default
set_worksheet_permission(worksheet, local.model.public_group_uuid,
GROUP_OBJECT_PERMISSION_READ)
if spec_util.is_dashboard(name):
populate_worksheet(worksheet, 'dashboard', 'CodaLab Dashboard')
if spec_util.is_public_home(name):
populate_worksheet(worksheet, 'home', 'Public Home')
return worksheet.uuid
def inner(*args, **kwargs):
import time
time_delay = 1
if self.verbose >= 2:
print 'remote_bundle_client: %s %s %s' % (command, args,
kwargs)
while True:
try:
return getattr(self.proxy, command)(*args, **kwargs)
except xmlrpclib.ProtocolError, e:
raise UsageError("Could not authenticate on %s: %s" %
(host, e))
except xmlrpclib.Fault, e:
# Transform server-side UsageErrors into client-side UsageErrors.
if 'codalab.common.UsageError' in e.faultString:
index = e.faultString.find(':')
raise UsageError(e.faultString[index + 1:])
if 'codalab.common.NotFoundError' in e.faultString:
index = e.faultString.find(':')
raise NotFoundError(e.faultString[index + 1:])
elif 'codalab.common.PermissionError' in e.faultString:
index = e.faultString.find(':')
raise PermissionError(e.faultString[index + 1:])
elif 'codalab.common.AuthorizationError' in e.faultString:
index = e.faultString.find(':')
raise AuthorizationError(e.faultString[index + 1:])
else:
raise
def get_access_token(self):
if not self.grant or time.time(
) > self.expires_at - self.REFRESH_BUFFER_SECONDS:
self.grant = self.auth_handler.generate_token(
'credentials', self.username, self.password)
if self.grant is None:
raise PermissionError('Invalid username or password.')
self.expires_at = time.time() + self.grant['expires_in']
return self.grant['access_token']
def generate_token(self, grant_type, username, key):
'''
Generate OAuth access token from username/password or from a refresh token.
If the grant succeeds, the method returns a dictionary of the form:
{ 'token_type': 'Bearer',
'access_token': <token>,
'expires_in': <span in seconds>,
'refresh_token': <token> }
If the grant fails because of invalid credentials, None is returned.
'''
if grant_type == 'credentials':
if len(username) < self.min_username_length or len(
key) < self.min_key_length:
raise PermissionError("Invalid username or password.")
return self._generate_new_token(username, key)
if grant_type == 'refresh_token':
return self._refresh_token(username, key)
raise ValueError("Bad request: grant_type is not valid.")
def _check_permissions(model, table, user, object_uuids, need_permission,
session_cache):
if len(object_uuids) == 0:
return {}
have_permissions = model.get_user_permissions(
table, user.unique_id if user else None, object_uuids, session_cache)
#print '_check_permissions %s %s, have %s, need %s' % (user, object_uuids, map(permission_str, have_permissions.values()), permission_str(need_permission))
if min(have_permissions.values()) >= need_permission:
return have_permissions
if user:
user_str = '%s(%s)' % (user.name, user.unique_id)
else:
user_str = None
if table == cl_group_bundle_permission:
object_type = 'bundle'
elif table == cl_group_worksheet_permission:
object_type = 'worksheet'
else:
raise IntegrityError('Unexpected table: %s' % table)
raise PermissionError("User %s does not have sufficient permissions on %s %s (have %s, need %s)." % \
(user_str, object_type, ' '.join(object_uuids), ' '.join(map(permission_str, have_permissions.values())), permission_str(need_permission)))
def check_worksheet_not_frozen(worksheet):
if worksheet.frozen:
raise PermissionError('Cannot mutate frozen worksheet %s(%s).' %
(worksheet.uuid, worksheet.name))
def _authenticate(self, cache_key, auth_handler):
"""
Authenticate with the given client. This will prompt user for password
unless valid credentials are already available. Client state will be
updated if new tokens are generated.
:param cache_key: key by which to cache the access token, typically
the address of the CodaLab instance
:param auth_handler: AuthHandler through which to authenticate
:return: access token
"""
auth = self.state['auth'].get(cache_key, {})
def _cache_token(token_info, username=None):
'''
Helper to update state with new token info and optional username.
Returns the latest access token.
'''
# Make sure this is in sync with auth.py.
token_info['expires_at'] = time.time() + float(
token_info['expires_in'])
del token_info['expires_in']
auth['token_info'] = token_info
if username is not None:
auth['username'] = username
self.save_state()
return token_info['access_token']
# Check the cache for a valid token
if 'token_info' in auth:
token_info = auth['token_info']
expires_at = token_info.get('expires_at', 0.0)
# If token is not nearing expiration, just return it.
if expires_at >= (time.time() + 10 * 60):
return token_info['access_token']
# Otherwise, let's refresh the token.
token_info = auth_handler.generate_token(
'refresh_token', auth['username'], token_info['refresh_token'])
if token_info is not None:
return _cache_token(token_info)
# If we get here, a valid token is not already available.
auth = self.state['auth'][cache_key] = {}
username = os.environ.get('CODALAB_USERNAME')
password = os.environ.get('CODALAB_PASSWORD')
if username is None or password is None:
print('Requesting access at %s' % cache_key)
if username is None:
sys.stdout.write('Username: '******'credentials', username,
password)
if token_info is None:
raise PermissionError("Invalid username or password.")
return _cache_token(token_info, username)
def _authenticate(self, client):
'''
Authenticate with the given client. This will prompt user for password
unless valid credentials are already available. Client state will be
updated if new tokens are generated.
client: The client pointing to the bundle service to authenticate with.
Returns an access token.
'''
address = client.address
auth = self.state['auth'].get(address, {})
def _cache_token(token_info, username=None):
'''
Helper to update state with new token info and optional username.
Returns the latest access token.
'''
# Make sure this is in sync with auth.py.
token_info['expires_at'] = time.time() + float(
token_info['expires_in'])
del token_info['expires_in']
auth['token_info'] = token_info
if username is not None:
auth['username'] = username
self.save_state()
return token_info['access_token']
# Check the cache for a valid token
if 'token_info' in auth:
token_info = auth['token_info']
expires_at = token_info.get('expires_at', 0.0)
if expires_at > time.time():
# Token is usable but check if it's nearing expiration (10 minutes)
# If not nearing, then just return it.
if expires_at >= (time.time() + 10 * 60):
return token_info['access_token']
# Otherwise, let's refresh the token.
token_info = client.login('refresh_token', auth['username'],
token_info['refresh_token'])
if token_info is not None:
return _cache_token(token_info)
# If we get here, a valid token is not already available.
auth = self.state['auth'][address] = {}
username = None
# For a local client with mock credentials, use the default username.
if is_local_address(client.address):
username = self.root_user_name()
password = ''
if not username:
print 'Requesting access at %s' % address
sys.stdout.write('Username: '******'credentials', username, password)
if token_info is None:
raise PermissionError("Invalid username or password.")
return _cache_token(token_info, username)
