def static_file(filename, root=MEDIA_ROOT):
"""
Выдает статический файл из файловой системы,
указанной в MEDIA_ROOT.
"""
if filename is None:
raise Forbidden("You must specify a file you'd like to access.")
valid_path = filename.strip('/')
valid_path = valid_path.replace('//',
'/').replace('/./',
'/').replace('/../', '/')
desired_path = os.path.join(root, valid_path)
if not os.path.exists(desired_path):
raise NotFound("File does not exist.")
if not os.access(desired_path, os.R_OK):
raise Forbidden("You do not have permission to access this file.")
ct = str(content_type(desired_path))
if ct.startswith('text') or ct.endswith('xml') or ct.endswith('json'):
return open(desired_path, 'r').read()
return open(desired_path, 'rb').read()
def authenticate(self, request):
""" Authenticate request using HTTP Basic authentication protocl.
If the user is successfully identified, the corresponding user
object is stored in `request.user`. If the request has already
been authenticated (i.e. `request.user` has authenticated user
object), this function does nothing.
Raises Forbidden or Unauthorized if the user authentication
fails. If no exception is thrown, the `request.user` will
contain authenticated user object.
"""
# todo: can we trust that request.user variable is even defined?
if request.user and request.user.is_authenticated():
return request.user
if 'HTTP_AUTHORIZATION' in request.META:
auth = request.META['HTTP_AUTHORIZATION'].split()
if len(auth) == 2:
if auth[0].lower() == "basic":
uname, passwd = base64.b64decode(auth[1]).split(':')
user = authenticate(username=uname, password=passwd)
if user is not None:
if user.is_active:
request.user = user
return user
else:
raise Forbidden()
# either no auth header or using some other auth protocol,
# we'll return a challenge for the user anyway
raise Unauthorized()
def hent_bruker_fra_db():
brukernavn = request.environ.get('REMOTE_USER') or "LAN"
bruker = db.brukere.find_one({"brukernavn": brukernavn})
if not bruker:
raise Forbidden("Bruker %s har ingen tilknytning til localbank" %
brukernavn)
return bruker
def build_file_response(path,
cache_timeout=None,
cached_modify_time=None,
mimetype=None,
default_text_mime=DEFAULT_TEXT_MIME,
default_binary_mime=DEFAULT_BINARY_MIME,
file_wrapper=FileWrapper,
response_type=Response):
resp = response_type('')
if cache_timeout and cached_modify_time:
try:
mtime = get_file_mtime(path)
except (ValueError, IOError, OSError): # TODO: winnow this down
raise Forbidden(is_breaking=False)
resp.cache_control.public = True
if mtime <= cached_modify_time:
resp.status_code = 304
resp.cache_control.max_age = cache_timeout
return resp
if not isfile(path):
raise NotFound(is_breaking=False)
try:
file_obj = open(path, 'rb')
mtime = get_file_mtime(path)
fsize = os.path.getsize(path)
except (ValueError, IOError, OSError):
raise Forbidden(is_breaking=False)
if not mimetype:
mimetype, encoding = mimetypes.guess_type(path)
if not mimetype:
peeked = peek_file(file_obj, 1024)
is_binary = is_binary_string(peeked)
if peeked and is_binary:
mimetype = default_binary_mime
else:
mimetype = default_text_mime
resp.response = file_wrapper(file_obj)
resp.content_type = mimetype
resp.content_length = fsize
resp.last_modified = mtime
resp.cache_control.max_age = cache_timeout
return resp
def install(self, event, method='oauth.v2.access'):
# Handle denials
if event.query.get('error'):
logger.error(event.query['error'])
if self.oauth_error_uri:
return None, self.oauth_error_uri
raise Forbidden('OAuth error')
# Check state
if self.state != event.query['state']:
logger.error(
'States do not match: %r != %r',
self.state,
event.query['state'],
)
if self.oauth_error_uri:
return None, self.oauth_error_uri
raise Forbidden('States do not match')
# Set up OAuth
payload = urlencode(
dict(
code=event.query.get('code'),
client_id=self.client_id,
client_secret=self.client_secret,
redirect_uri=self.oauth_redirect_uri,
))
# Execute OAuth and redirect
url = f'https://slack.com/api/{ method }'
headers = {'content-type': 'application/x-www-form-urlencoded'}
result = self.post(url, payload, headers)
app_id = result.get('app_id')
team_id = result.get('team', {}).get('id')
channel_id = result.get('incoming_webhook', {}).get('channel_id')
location = self.oauth_success_uri.format(
APP_ID=app_id or '',
TEAM_ID=team_id or '',
CHANNEL_ID=channel_id or '',
)
return result, location
def verify_slack_signature(self, event):
if not self.verify: # pragma: no cover
logger.warning('VERIFICATION DISABLED')
return True
# 403 FORBIDDEN if message is older than 5min
now = datetime.utcnow().timestamp()
ts = event.headers.get('x-slack-request-timestamp')
delta = int(now) - int(ts or '0')
if delta > 5 * 60:
raise Forbidden('Request too old')
# 403 FORBIDDEN if signatures do not match
data = f'{ self.signing_version }:{ ts }:{ event.body }'.encode()
secret = self.signing_secret.encode()
hex = hmac.new(secret, data, hashlib.sha256).hexdigest()
ret = f'{ self.signing_version }={ hex }'
exp = event.headers.get('x-slack-signature')
if ret != exp:
raise Forbidden('Signatures do not match')
return True
def get_kontekst(bank=None):
bruker = hent_bruker_fra_db()
bank = bank or bruker["defaultBank"]
if bank not in bruker["banker"]:
raise Forbidden("Du har ikke tilgang til bank '%s'" % bank)
kontoer = db.kontoer.find({"bank": bank})
return json.dumps({
"valgtBank": bank,
"bruker": {
"brukernavn": bruker["brukernavn"],
"banker": bruker["banker"],
"admin": bruker.get("admin", False)
},
"kontoer": map(dto.konto, kontoer),
"valuttaer": valuttaer
})
def get_file_response(self, path, request):
try:
if not isinstance(path, basestring):
path = '/'.join(path)
full_path = find_file(self.search_paths, path)
if full_path is None:
raise NotFound(is_breaking=False)
except (ValueError, IOError, OSError):
raise Forbidden(is_breaking=False)
bfr = build_file_response
resp = bfr(full_path,
cache_timeout=self.cache_timeout,
cached_modify_time=request.if_modified_since,
mimetype=None,
default_text_mime=self.default_text_mime,
default_binary_mime=self.default_binary_mime,
file_wrapper=request.environ.get('wsgi.file_wrapper',
FileWrapper))
return resp
def get_file_response(self, path, request):
try:
if not isinstance(path, basestring):
path = '/'.join(path)
full_path = find_file(self.search_paths, path)
if full_path is None:
raise NotFound()
file_obj = open(full_path, 'rb')
mtime = get_file_mtime(full_path)
fsize = os.path.getsize(full_path)
except (ValueError, IOError, OSError):
raise Forbidden()
mimetype, encoding = mimetypes.guess_type(full_path)
if not mimetype:
peeked = peek_file(file_obj, 1024)
is_binary = is_binary_string(peeked)
if peeked and is_binary:
mimetype = self.default_binary_mime
else:
mimetype = self.default_text_mime # TODO: binary
resp = Response('')
cached_mtime = request.if_modified_since
if self.cache_timeout:
resp.cache_control.public = True
if mtime == cached_mtime:
file_obj.close()
resp.status_code = 304
resp.cache_control.max_age = self.cache_timeout
return resp
file_wrapper = request.environ.get('wsgi.file_wrapper', FileWrapper)
resp.response = file_wrapper(file_obj)
resp.content_type = mimetype
resp.content_length = fsize
resp.last_modified = mtime
return resp
def forbidden(self, message=None):
return Forbidden(self.request, self.response, message)
def krev_admin():
if not hent_bruker_fra_db().get("admin", False):
raise Forbidden("Krever admintilgang")
def krev_tilgang_til_bank(bank):
bruker = hent_bruker_fra_db()
if not bank in bruker["banker"] and not bruker.get("admin", False):
raise Forbidden("Du har ikke tilgang til bank '%s'" % bank)