def ensureTokenScopes(token, scope):
"""
Call this to validate a token scope for endpoints that require tokens
other than a user authentication token. Raises an AccessException if the
required scopes are not allowed by the given token.
:param token: The token object used in the request.
:type token: dict
:param scope: The required scope or set of scopes.
:type scope: `str or list of str`
"""
tokenModel = Token()
if tokenModel.hasScope(token, TokenScope.USER_AUTH):
return
if not tokenModel.hasScope(token, scope):
setCurrentUser(None)
if isinstance(scope, six.string_types):
scope = (scope,)
raise AccessException(
'Invalid token scope.\n'
'Required: %s.\n'
'Allowed: %s' % (
' '.join(scope),
'' if token is None else ' '.join(tokenModel.getAllowedScopes(token))))
def ensureTokenScopes(token, scope):
"""
Call this to validate a token scope for endpoints that require tokens
other than a user authentication token. Raises an AccessException if the
required scopes are not allowed by the given token.
:param token: The token object used in the request.
:type token: dict
:param scope: The required scope or set of scopes.
:type scope: `str or list of str`
"""
tokenModel = Token()
if tokenModel.hasScope(token, TokenScope.USER_AUTH):
return
if not tokenModel.hasScope(token, scope):
setCurrentUser(None)
if isinstance(scope, six.string_types):
scope = (scope,)
raise AccessException(
'Invalid token scope.\n'
'Required: %s.\n'
'Allowed: %s' % (
' '.join(scope),
'' if token is None else ' '.join(tokenModel.getAllowedScopes(token))))
def testHasScope(db):
scope = TokenScope.DATA_READ
tokenModel = Token()
token = tokenModel.createToken(scope=scope)
# If token is None should return False
assert not tokenModel.hasScope(None, scope)
# If scope is None should return True
assert tokenModel.hasScope(token, None)
def testHasScope(self):
scope = TokenScope.DATA_READ
tokenModel = Token()
token = tokenModel.createToken(scope=scope)
# If token is None should return False
self.assertFalse(tokenModel.hasScope(None, scope))
# If scope is None should return True
self.assertTrue(tokenModel.hasScope(token, None))
def executeTask(self, item, jobTitle, includeJobInfo, inputs, outputs):
user = self.getCurrentUser()
if jobTitle is None:
jobTitle = item['name']
task, handler = self._validateTask(item)
if task.get('mode') == 'girder_worker':
return runCeleryTask(item['meta']['itemTaskImport'], inputs)
jobModel = Job()
job = jobModel.createJob(title=jobTitle,
type='item_task',
handler=handler,
user=user)
# If this is a user auth token, we make an IO-enabled token
token = self.getCurrentToken()
tokenModel = Token()
if tokenModel.hasScope(token, TokenScope.USER_AUTH):
token = tokenModel.createToken(user=user,
days=7,
scope=(TokenScope.DATA_READ,
TokenScope.DATA_WRITE))
job['itemTaskTempToken'] = token['_id']
token = tokenModel.addScope(token,
'item_tasks.job_write:%s' % job['_id'])
job.update({
'itemTaskId': item['_id'],
'itemTaskBindings': {
'inputs': inputs,
'outputs': outputs
},
'kwargs': {
'task':
task,
'inputs':
self._transformInputs(inputs, token),
'outputs':
self._transformOutputs(outputs, token, job, task, item['_id']),
'validate':
False,
'auto_convert':
False,
'cleanup':
True
}
})
if includeJobInfo:
job['kwargs']['jobInfo'] = utils.jobInfoSpec(job)
if 'itemTaskCeleryQueue' in item.get('meta', {}):
job['celeryQueue'] = item['meta']['itemTaskCeleryQueue']
job = jobModel.save(job)
jobModel.scheduleJob(job)
return job
def _onUpload(event):
"""
Look at uploads containing references related to this plugin. If found,
they are used to link item task outputs back to a job document.
"""
try:
ref = json.loads(event.info.get('reference', ''))
except ValueError:
return
if isinstance(ref, dict) and ref.get('type') == 'item_tasks.output':
jobModel = Job()
tokenModel = Token()
token = event.info['currentToken']
if tokenModel.hasScope(token, 'item_tasks.job_write:%s' % ref['jobId']):
job = jobModel.load(ref['jobId'], force=True, exc=True)
else:
job = jobModel.load(
ref['jobId'], level=AccessType.WRITE, user=event.info['currentUser'], exc=True)
file = event.info['file']
item = Item().load(file['itemId'], force=True)
# Add link to job model to the output item
jobModel.updateJob(job, otherFields={
'itemTaskBindings.outputs.%s.itemId' % ref['id']: item['_id']
})
# Also a link in the item to the job that created it
item['createdByJob'] = job['_id']
Item().save(item)
def _onUpload(event):
"""
Look at uploads containing references related to this plugin. If found,
they are used to link item task outputs back to a job document.
"""
try:
ref = json.loads(event.info.get('reference', ''))
except ValueError:
return
if isinstance(ref, dict) and ref.get('type') == 'item_tasks.output':
jobModel = Job()
tokenModel = Token()
token = event.info['currentToken']
if tokenModel.hasScope(token, 'item_tasks.job_write:%s' % ref['jobId']):
job = jobModel.load(ref['jobId'], force=True, exc=True)
else:
job = jobModel.load(
ref['jobId'], level=AccessType.WRITE, user=event.info['currentUser'], exc=True)
file = event.info['file']
item = Item().load(file['itemId'], force=True)
# Add link to job model to the output item
jobModel.updateJob(job, otherFields={
'itemTaskBindings.outputs.%s.itemId' % ref['id']: item['_id']
})
# Also a link in the item to the job that created it
item['createdByJob'] = job['_id']
Item().save(item)
def executeTask(self, item, jobTitle, includeJobInfo, inputs, outputs):
user = self.getCurrentUser()
if jobTitle is None:
jobTitle = item['name']
task, handler = self._validateTask(item)
if task.get('mode') == 'girder_worker':
return runCeleryTask(item['meta']['itemTaskImport'], inputs)
jobModel = self.model('job', 'jobs')
jobModel = Job()
job = jobModel.createJob(
title=jobTitle, type='item_task', handler=handler, user=user)
# If this is a user auth token, we make an IO-enabled token
token = self.getCurrentToken()
tokenModel = Token()
if tokenModel.hasScope(token, TokenScope.USER_AUTH):
token = tokenModel.createToken(
user=user, days=7, scope=(TokenScope.DATA_READ, TokenScope.DATA_WRITE))
job['itemTaskTempToken'] = token['_id']
token = tokenModel.addScope(token, 'item_tasks.job_write:%s' % job['_id'])
job.update({
'itemTaskId': item['_id'],
'itemTaskBindings': {
'inputs': inputs,
'outputs': outputs
},
'kwargs': {
'task': task,
'inputs': self._transformInputs(inputs, token),
'outputs': self._transformOutputs(outputs, token, job, task, item['_id']),
'validate': False,
'auto_convert': False,
'cleanup': True
}
})
if includeJobInfo:
job['kwargs']['jobInfo'] = utils.jobInfoSpec(job)
if 'itemTaskCeleryQueue' in item.get('meta', {}):
job['celeryQueue'] = item['meta']['itemTaskCeleryQueue']
job = jobModel.save(job)
jobModel.scheduleJob(job)
return job
def _authorizeInitUpload(event):
"""
Called when initializing an upload, prior to the default handler. Checks if
the user is passing an authorized upload token, and if so, sets the current
request-thread user to be whoever created the token.
"""
token = getCurrentToken()
params = event.info['params']
tokenModel = Token()
parentType = params.get('parentType')
parentId = params.get('parentId', '')
requiredScopes = {TOKEN_SCOPE_AUTHORIZED_UPLOAD, 'authorized_upload_folder_%s' % parentId}
if parentType == 'folder' and tokenModel.hasScope(token=token, scope=requiredScopes):
user = User().load(token['userId'], force=True)
setCurrentUser(user)
def _storeUploadId(event):
"""
Called after an upload is first initialized successfully. Sets the authorized upload ID
in the token, ensuring it can be used for only this upload.
"""
returnVal = event.info['returnVal']
token = getCurrentToken()
tokenModel = Token()
isAuthorizedUpload = tokenModel.hasScope(token, TOKEN_SCOPE_AUTHORIZED_UPLOAD)
if isAuthorizedUpload and returnVal.get('_modelType', 'upload') == 'upload':
params = event.info['params']
token['scope'].remove(TOKEN_SCOPE_AUTHORIZED_UPLOAD)
token['authorizedUploadId'] = returnVal['_id']
token['authorizedUploadDescription'] = params.get('authorizedUploadDescription', '')
token['authorizedUploadEmail'] = params.get('authorizedUploadEmail')
tokenModel.save(token)
def _storeUploadId(event):
"""
Called after an upload is first initialized successfully. Sets the authorized upload ID
in the token, ensuring it can be used for only this upload.
"""
returnVal = event.info['returnVal']
token = getCurrentToken()
tokenModel = Token()
isAuthorizedUpload = tokenModel.hasScope(token,
TOKEN_SCOPE_AUTHORIZED_UPLOAD)
if isAuthorizedUpload and returnVal.get('_modelType',
'upload') == 'upload':
params = event.info['params']
token['scope'].remove(TOKEN_SCOPE_AUTHORIZED_UPLOAD)
token['authorizedUploadId'] = returnVal['_id']
token['authorizedUploadDescription'] = params.get(
'authorizedUploadDescription', '')
token['authorizedUploadEmail'] = params.get('authorizedUploadEmail')
tokenModel.save(token)
def _authorizeInitUpload(event):
"""
Called when initializing an upload, prior to the default handler. Checks if
the user is passing an authorized upload token, and if so, sets the current
request-thread user to be whoever created the token.
"""
token = getCurrentToken()
params = event.info['params']
tokenModel = Token()
parentType = params.get('parentType')
parentId = params.get('parentId', '')
requiredScopes = {
TOKEN_SCOPE_AUTHORIZED_UPLOAD,
'authorized_upload_folder_%s' % parentId
}
if parentType == 'folder' and tokenModel.hasScope(token=token,
scope=requiredScopes):
user = User().load(token['userId'], force=True)
setCurrentUser(user)
