def test_get_from_memcache(self):
    """A value written through dbconfig is still readable after its Config rows are deleted."""
    key, value = 'sticky', 'stuck'
    dbconfig[key] = value
    self.assertEqual(dbconfig[key], value)
    # Drop every Config entity so the datastore can no longer answer the read.
    for entity in Config.all():
        entity.delete()
    # should be in memcache:
    self.assertEqual(dbconfig[key], value)
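def wrapped(*args, **kwargs):
    """Reject POSTs whose form/query ``csrf_token`` does not match the session token.

    Only active while the CSRF_PROTECT config flag is on, and only for POST
    requests. On a mismatch ``func`` is not called; the user is flashed a
    message and sent back to the referring page.
    """
    import hmac

    if Config.get_value('CSRF_PROTECT'):
        # only apply CSRF protection to POSTs
        if request.method == 'POST':
            # The session token is single-use: it is popped whether or not the check passes.
            csrf_token = session.pop('csrf_token', None)
            untrusted_token = request.values.get('csrf_token')
            # compare_digest keeps the comparison time independent of where the two
            # strings first differ; the type guards keep None/non-str values from
            # reaching it (they are treated as a mismatch).
            if (not isinstance(csrf_token, str) or not csrf_token
                    or not isinstance(untrusted_token, str)
                    or not hmac.compare_digest(csrf_token, untrusted_token)):
                flash('CSRF detected!')
                # NOTE(review): request.referrer is client-supplied and may be absent;
                # a missing Referer makes redirect() fail here — consider a fallback.
                return redirect(request.referrer)
    return func(*args, **kwargs)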
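def parse_jwt():
    """Populate ``request.jwt`` from the caller's access token, or leave it empty.

    The token comes from the ``access_token`` cookie, or from the request
    headers via ``get_bearer_token`` when BEARER_AUTH_ENABLE is on. Any
    decode failure (missing, malformed, expired, bad signature) leaves
    ``request.jwt`` as ``{}`` instead of raising.
    """
    request.jwt = {}
    token = request.cookies.get('access_token')
    if Config.get_value('BEARER_AUTH_ENABLE'):
        token = get_bearer_token(request.headers)
    if not token:
        # Nothing to decode; skip the call rather than rely on jwt rejecting None.
        return
    try:
        # NOTE(review): no ``algorithms=`` is pinned here — confirm which algorithm
        # the encoder uses and pass it explicitly so the token header cannot choose.
        payload = jwt.decode(token, current_app.config['SECRET_KEY'])
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt still propagate.
        return
    request.jwt = payload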
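def config():
    """Admin-only page that shows and updates the feature toggles.

    GET renders the form; POST stores each checkbox's on/off state in the
    matching Config row and commits. Non-admins receive a 404 so the route's
    existence is not revealed.
    """
    # simulate the latency of an external API request
    import time
    time.sleep(0.25)
    # hide the existence of this route if not an admin
    if not g.user or ROLES[g.user.role] != ROLES[0]:
        return abort(404)
    if request.method == 'POST':
        # Config varname -> form checkbox name. An absent or non-'on' value means False;
        # ``== 'on'`` already yields a bool, so the old ``or False`` was redundant.
        toggles = (
            ('CSRF_PROTECT', 'csrf_protect'),
            ('BEARER_AUTH_ENABLE', 'bearer_enable'),
            ('CORS_RESTRICT', 'cors_restrict'),
            ('OIDC_ENABLE', 'oidc_enable'),
        )
        for varname, field in toggles:
            Config.get_by_name(varname).value = request.form.get(field) == 'on'
        db.session.commit()
        flash('Configuration updated')
    return render_template('config.html')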
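def test_warmup(self):
    """GET /_ah/warmup must return 200, enqueue the playlist task and refill memcache."""
    dbconfig = DBConfig()
    dbconfig['foo'] = 'bar'
    assert memcache.flush_all()
    r = self.client.get('/_ah/warmup')
    # assertEquals is a deprecated alias; assertEqual matches the sibling tests.
    self.assertEqual(r.status_code, 200)
    self.assertTasksInQueue(1, url='/api/current_playlist')
    # With the datastore rows gone, the value below can only be served from memcache.
    for c in Config.all():
        c.delete()
    self.assertEqual(dbconfig['foo'], 'bar')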
def test_load_dbconfig_into_memcache(self):
    """load_dbconfig_into_memcache must copy every Config row into memcache."""
    expected = (('one', '1'), ('two', '2'), ('three', 'three'))
    for key, value in expected:
        dbconfig[key] = value
    assert memcache.flush_all()
    load_dbconfig_into_memcache()
    # Remove the datastore copies so only memcache can answer the reads below.
    for entity in Config.all():
        entity.delete()
    # should be in memcache:
    for key, value in expected:
        self.assertEqual(dbconfig[key], value)
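def wrapped(*args, **kwargs):
    """Require a signed CSRF header for cookie-authenticated requests.

    When bearer auth is off, the cookie is what authenticates the request,
    so the header named by ``CSRF_TOKEN_NAME`` must carry a base64 token.
    Both the decoded token and a fresh CsrfToken for ``g.user`` with the same
    ``ts`` are signed with SECRET_KEY; unless their ``sig`` values match the
    request is rejected with 400 before ``func`` runs.
    """
    if not Config.get_value('BEARER_AUTH_ENABLE'):
        # no Bearer token means cookies (default) are used and CSRF is an issue
        csrf_token = request.headers.get(current_app.config['CSRF_TOKEN_NAME'])
        trusted_csrf_obj = None
        try:
            # SECURITY(review): jsonpickle.decode rebuilds arbitrary Python objects from
            # client-controlled input; the header is untrusted at this point. Decoding
            # plain JSON into a fixed shape would be safer — flagged, not changed here.
            untrusted_csrf_obj = jsonpickle.decode(base64.b64decode(csrf_token))
            untrusted_csrf_obj.sign(current_app.config['SECRET_KEY'])
            trusted_csrf_obj = CsrfToken(g.user.id, untrusted_csrf_obj.ts)
            trusted_csrf_obj.sign(current_app.config['SECRET_KEY'])
        except Exception:
            # Missing header, bad base64, undecodable payload or no g.user all land here;
            # narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt propagate.
            untrusted_csrf_obj = None
        # NOTE(review): ``ts`` is taken from the client token, so nothing in this block
        # bounds its age — confirm CsrfToken.sign covers expiry. A constant-time
        # comparison (hmac.compare_digest) would be preferable once sig's type is known.
        if not untrusted_csrf_obj or trusted_csrf_obj.sig != untrusted_csrf_obj.sig:
            abort(400, 'CSRF detected.')
    return func(*args, **kwargs)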
def _init_config(request):
    """Create a placeholder Config row when the Config kind is empty.

    Returns an HttpResponse telling the admin whether a row was created or
    the config already had entries.
    """
    if Config.all().count(1) != 0:
        return HttpResponse("""Config does not need initialization. You can edit the config in the <a href="/_ah/admin">Datastore admin</a>.""")
    placeholder = Config()
    placeholder.varname = "dummy"
    placeholder.value = "you can safely delete this after creating new var/vals"
    placeholder.put()
    return HttpResponse("""Config initialized. You can now add new values in the <a href="/_ah/admin">Datastore admin</a>.""")
def _init_config(request):
    """Seed the Config kind with one dummy row if it has none.

    The response text tells the admin which of the two cases applied.
    """
    is_empty = Config.all().count(1) == 0
    if is_empty:
        seed = Config()
        seed.varname = "dummy"
        seed.value = "you can safely delete this after creating new var/vals"
        seed.put()
    message = (
        """Config initialized. You can now add new values in the <a href="/_ah/admin">Datastore admin</a>."""
        if is_empty else
        """Config does not need initialization. You can edit the config in the <a href="/_ah/admin">Datastore admin</a>."""
    )
    return HttpResponse(message)
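def settings(request):
    """Render the global settings page, or replace every Config row from a POST.

    A non-GET request needs the ``auth.perm_common_settings_edit``
    permission and a ``configs`` form field holding a JSON list of
    ``{"key": ..., "value": ...}`` objects. Delete and bulk_create run in one
    transaction, so a failure leaves the previous rows in place.
    """
    if request.method == "GET":
        context = {
            'path1': '全局设置',
            'path2': '编辑',
            'config': SysConfig().sys_config,
        }
        return render(request, 'common/settings.html', context)

    if not request.user.has_perm('auth.perm_common_settings_edit'):
        return JsonResponse({'code': 1, 'errmsg': '权限不足,无法修改!'})
    configs = request.POST.get('configs', None)
    try:
        # Parse once; the previous version decoded the same payload twice.
        items = [] if configs is None else json.loads(configs)
        if len(items) == 0:
            return JsonResponse({'code': 1, 'errmsg': '提交内容为空!'})
        with transaction.atomic():
            Config.objects.all().delete()
            Config.objects.bulk_create(
                [Config(item=entry['key'], value=entry['value']) for entry in items])
    except Exception as e:
        # NOTE(review): str(e) is returned to the client verbatim; for a malformed
        # payload that can expose parser/ORM detail — a generic message plus a
        # server-side log would be safer.
        return JsonResponse({'code': 1, 'errmsg': str(e)})
    return JsonResponse({'code': 0, 'result': '保存成功!'})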
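def post(self):
    '''Returns a JWT for the user that owns the provided credentials.

    The JSON body carries either an ``id_token`` or a ``username``/``password``
    pair. On success the response holds the serialized user plus the JWT:
    in the body as ``token`` when BEARER_AUTH_ENABLE is on (and the cookie is
    cleared), otherwise as an HttpOnly ``access_token`` cookie. Any other
    outcome returns a generic failure message.
    '''
    # request.json is None when the body is not JSON, which would raise
    # AttributeError below; treat that the same as an empty body.
    body = request.get_json(silent=True) or {}
    id_token = body.get('id_token')
    username = body.get('username')
    password = body.get('password')
    user = None
    if id_token:
        # SECURITY(review): the payload is read without verifying the token's
        # signature, so the ``email`` claim is client-asserted at this point.
        # Confirm the id_token is validated before it reaches here.
        payload = get_unverified_jwt_payload(id_token)
        user = User.get_by_email(payload['email'])
    elif username and password:
        user = User.get_by_username(username)
        if user and not user.check_password(password):
            user = None
    if not (user and user.is_enabled):
        return {'message': 'Invalid username or password.'}

    data = {'user': user.serialize()}
    # build other claims
    claims = {}
    # Per-user upload folder named by the md5 of the user id.
    path = os.path.join(current_app.config['UPLOAD_FOLDER'],
                        md5(str(user.id).encode()).hexdigest())
    # exist_ok avoids the check-then-create race of the previous exists()/makedirs pair.
    os.makedirs(path, exist_ok=True)
    claims['upload_folder'] = path
    # create a JWT
    token = encode_jwt(user.id, claims=claims)
    # send the JWT as a Bearer token when the feature is enabled
    if Config.get_value('BEARER_AUTH_ENABLE'):
        data['token'] = token
        # remove any existing access token cookie
        return data, 200, {
            'Set-Cookie': 'access_token=; Expires=Thu, 01-Jan-1970 00:00:00 GMT'
        }
    # set the JWT as a HttpOnly cookie by default
    # NOTE(review): the cookie carries no Secure or SameSite attribute; add them
    # once the deployment is HTTPS-only and the SameSite policy is decided.
    return data, 200, {
        'Set-Cookie': 'access_token=' + token + '; HttpOnly'
    }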
def config_cors(response):
    """After-request hook: strip CORS headers from responses to non-whitelisted origins.

    Only acts while CORS_RESTRICT is on; otherwise the response passes through untouched.
    """
    restrict = Config.get_value('CORS_RESTRICT')
    if not restrict:
        return response
    # apply the CORS whitelist from the config
    if is_allowed_origin(response):
        return response
    return remove_cors_headers(response)
def setUp(self):
    """Start every test with an empty memcache and no Config entities."""
    assert memcache.flush_all()
    entities = Config.all()
    for entity in entities:
        entity.delete()