Пример #1
def anonymous_token(request, job):
    """
    Look up the user named by the ``user`` and ``token`` query parameters.

    The pair is handed to ``AuthToken.get_user_for_secret`` and its result is
    returned unchanged. ``job`` is not consulted, so no access decision is
    made here; callers have to handle a falsy result themselves.
    """
    # NOTE(review): the secret arrives in the URL query string, where it can
    # be recorded in access logs, browser history and Referer headers.
    params = request.GET
    # Missing parameters become None; the original author notes that the
    # lookup accepts (None, None) and returns None in that case.
    return AuthToken.get_user_for_secret(
        username=params.get("user", default=None),
        secret=params.get("token", default=None))
Пример #2
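def handler(request, mapper, help_view):
    """
    XML-RPC handler.

    If post data is defined, it assumes it's XML-RPC and tries to process it
    as such. Empty POST requests and GET requests are assumed to come from a
    browser and are redirected to a dedicated help page. For backwards
    compatibility the help view defaults to the 'default_help' that shows what
    is registered in the global mapper. If you want to show help specific to
    your mapper you must specify help_view. It accepts whatever
    django.shortcuts.redirect() would.

    Authentication: when an Authorization header is present it must use the
    Basic scheme and carry ``username:secret``; the pair is checked with
    ``AuthToken.get_user_for_secret``. A malformed header is answered with
    400 and an unknown pair with 401. Without the header, ``request.user`` is
    passed to the dispatcher as-is.
    """
    if not len(request.body):
        return redirect(help_view)

    raw_data = request.body
    dispatcher = Dispatcher(mapper)

    auth_string = request.META.get('HTTP_AUTHORIZATION')

    if auth_string is None:
        user = request.user
    else:
        if ' ' not in auth_string:
            return HttpResponse("Invalid HTTP_AUTHORIZATION header",
                                status=400)
        scheme, value = auth_string.split(" ", 1)
        if scheme != "Basic":
            return HttpResponse(
                "Unsupported HTTP_AUTHORIZATION header, only Basic scheme is supported",
                status=400)
        try:
            # The header is attacker-controlled, so every decoding failure
            # has to end in a 400 rather than an unhandled exception.
            # Python 2 reports bad base64 as TypeError; Python 3 raises
            # binascii.Error, and undecodable bytes raise UnicodeDecodeError;
            # both of those are ValueError subclasses. Decoding to text also
            # keeps the ":" split below working when b64decode returns bytes.
            decoded_value = base64.standard_b64decode(value).decode("utf-8")
        except (TypeError, ValueError):
            return HttpResponse(
                "Corrupted HTTP_AUTHORIZATION header, bad base64 encoding",
                status=400)
        try:
            # Split once only: the secret itself may contain ":".
            username, secret = decoded_value.split(":", 1)
        except ValueError:
            return HttpResponse(
                "Corrupted HTTP_AUTHORIZATION header, no user:pass",
                status=400)
        user = None
        try:
            user = AuthToken.get_user_for_secret(username, secret)
        except Exception:
            # Fail closed: an unexpected lookup error leaves user as None,
            # so the request is rejected with 401 below. The secret is not
            # written to the log.
            logging.exception("bug")
        if user is None:
            response = HttpResponse("Invalid token", status=401)
            response[
                'WWW-Authenticate'] = 'Basic realm="XML-RPC Authentication token"'
            return response

    # NOTE(review): raw_data is untrusted XML; whether the parser behind
    # marshalled_dispatch limits entity expansion is not visible here.
    result = dispatcher.marshalled_dispatch(raw_data, user, request)
    response = HttpResponse(content_type="application/xml")
    response.write(result)
    response['Content-length'] = str(len(response.content))
    return response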
Пример #3
def anonymous_token(request, job):
    """
    Authenticate a request from its ``user`` and ``token`` query parameters.

    Returns the user resolved by ``AuthToken.get_user_for_secret``. Raises
    ``PermissionDenied`` when no username was supplied for a non-public job,
    and also whenever the lookup yields nothing.
    """
    # NOTE(review): credentials in the query string can be captured by access
    # logs, browser history and Referer headers.
    params = request.GET
    user = params.get("user", default=None)
    token = params.get("token", default=None)
    # Per the original author, (None, None) is accepted and resolves to None.
    auth_user = AuthToken.get_user_for_secret(username=user, secret=token)
    # NOTE(review): if the lookup returns None for missing credentials, a
    # public job is refused here as well - confirm callers expect that.
    if not (user or job.is_public) or not auth_user:
        raise PermissionDenied()
    return auth_user
Пример #4
def anonymous_token(request, job):
    """
    Resolve the requesting user from the ``user``/``token`` query parameters.

    The result of ``AuthToken.get_user_for_secret`` is returned when it is
    truthy. ``PermissionDenied`` is raised if the username is absent and the
    job is not public, or if the lookup gives no user.
    """
    # NOTE(review): a token carried in the URL may be stored in access logs,
    # browser history and Referer headers.
    query = request.GET
    user = query.get('user', default=None)
    token = query.get('token', default=None)
    # The original comment states that (None, None) is safe and yields None.
    auth_user = AuthToken.get_user_for_secret(username=user, secret=token)
    name_missing = not user
    if name_missing and not job.is_public:
        raise PermissionDenied()
    if auth_user:
        return auth_user
    # Reached for any failed lookup, whether or not the job is public.
    raise PermissionDenied()
Пример #5
def anonymous_token(request, job):
    """
    Authenticate a request from its ``user`` and ``token`` query parameters.

    Returns the user resolved by ``AuthToken.get_user_for_secret``. Raises
    ``Http404`` when no username was supplied for a non-public job, and when
    the lookup yields nothing.
    """
    # NOTE(review): credentials in the query string can be captured by access
    # logs, browser history and Referer headers.
    params = request.GET
    user = params.get('user', default=None)
    token = params.get('token', default=None)
    # Per the original author, (None, None) is accepted and resolves to None.
    auth_user = AuthToken.get_user_for_secret(username=user, secret=token)
    if not (user or job.is_public):
        raise Http404("Job %d requires authentication to view." % job.id)
    if auth_user:
        return auth_user
    # NOTE(review): this message interpolates the caller-supplied username;
    # where it is rendered depends on the project's 404 handling.
    raise Http404("User '%s' is not able to view job %d" % (user, job.id))
Пример #6
def anonymous_token(request, job):
    """
    Resolve the requesting user from the ``user``/``token`` query parameters.

    A truthy result of ``AuthToken.get_user_for_secret`` is returned.
    ``Http404`` is raised if the username is absent and the job is not
    public, or if the lookup gives no user.
    """
    # NOTE(review): a token carried in the URL may be stored in access logs,
    # browser history and Referer headers.
    query = request.GET
    user = query.get('user', default=None)
    token = query.get('token', default=None)
    # The original comment states that (None, None) is safe and yields None.
    auth_user = AuthToken.get_user_for_secret(username=user, secret=token)
    name_missing = not user
    if name_missing and not job.is_public:
        raise Http404("Job %d requires authentication to view." % job.id)
    if not auth_user:
        # The request-supplied username is echoed into the error text.
        detail = "User '%s' is not able to view job %d" % (user, job.id)
        raise Http404(detail)
    return auth_user
Пример #7
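def handler(request, mapper, help_view):
    """
    XML-RPC handler.

    If post data is defined, it assumes it's XML-RPC and tries to process it
    as such. Empty POST requests and GET requests are assumed to come from a
    browser and are redirected to a dedicated help page. For backwards
    compatibility the help view defaults to the 'default_help' that shows what
    is registered in the global mapper. If you want to show help specific to
    your mapper you must specify help_view. It accepts whatever
    django.shortcuts.redirect() would.

    When an Authorization header is sent, only the Basic scheme with a
    ``username:secret`` payload is accepted and the pair is verified through
    ``AuthToken.get_user_for_secret``: malformed headers get a 400 response,
    a pair that resolves to no user gets 401. Requests without the header are
    dispatched as ``request.user``.
    """
    if len(request.body):
        raw_data = request.body
        dispatcher = Dispatcher(mapper)

        auth_string = request.META.get('HTTP_AUTHORIZATION')

        if auth_string is not None:
            if ' ' not in auth_string:
                return HttpResponse("Invalid HTTP_AUTHORIZATION header", status=400)
            scheme, value = auth_string.split(" ", 1)
            if scheme != "Basic":
                return HttpResponse(
                    "Unsupported HTTP_AUTHORIZATION header, only Basic scheme is supported", status=400)
            try:
                # Header content is untrusted: bad base64 surfaces as
                # TypeError on Python 2 and as binascii.Error on Python 3,
                # and bytes that are not UTF-8 raise UnicodeDecodeError. The
                # last two are ValueError subclasses, so all three map to 400.
                # Working on text keeps the ":" split valid on Python 3.
                decoded_value = base64.standard_b64decode(value).decode("utf-8")
            except (TypeError, ValueError):
                return HttpResponse("Corrupted HTTP_AUTHORIZATION header, bad base64 encoding", status=400)
            try:
                # maxsplit=1 so that a ":" inside the secret is preserved.
                username, secret = decoded_value.split(":", 1)
            except ValueError:
                return HttpResponse("Corrupted HTTP_AUTHORIZATION header, no user:pass", status=400)
            user = None
            try:
                user = AuthToken.get_user_for_secret(username, secret)
            except Exception:
                # Fail closed: user stays None and the 401 branch below
                # rejects the request. Only the traceback is logged, not the
                # submitted credentials.
                logging.exception("bug")
            if user is None:
                response = HttpResponse("Invalid token", status=401)
                response['WWW-Authenticate'] = 'Basic realm="XML-RPC Authentication token"'
                return response
        else:
            user = request.user
        # NOTE(review): the request body is untrusted XML; confirm that the
        # parser used by marshalled_dispatch bounds entity expansion.
        result = dispatcher.marshalled_dispatch(raw_data, user, request)
        response = HttpResponse(content_type="application/xml")
        response.write(result)
        response['Content-length'] = str(len(response.content))
        return response
    else:
        return redirect(help_view)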
Пример #8
 def test_get_user_for_secret_sets_last_used_on(self):
     # A lookup with a valid username/secret pair should leave a value in
     # the token's last_used_on field.
     created = AuthToken.objects.create(user=self.user)
     AuthToken.get_user_for_secret(self.user.username, created.secret)
     # Fetch the token again so the stored value is what gets checked
     reloaded = AuthToken.objects.get(id=created.id, user=self.user)
     self.assertNotEqual(reloaded.last_used_on, None)
Пример #9
 def test_get_user_for_secret_checks_if_the_user_matches(self):
     # A real secret presented under a different username must not resolve
     # to any user.
     issued = AuthToken.objects.create(user=self.user)
     wrong_name = self._INEXISTING_USER
     resolved = AuthToken.get_user_for_secret(wrong_name, issued.secret)
     self.assertEqual(resolved, None)
Пример #10
 def test_get_user_for_secret_finds_valid_user(self):
     # The matching username/secret pair resolves to the token's owner.
     issued = AuthToken.objects.create(user=self.user)
     owner_name = self.user.username
     resolved = AuthToken.get_user_for_secret(owner_name, issued.secret)
     self.assertEqual(resolved, self.user)
Пример #11
 def test_lookup_user_for_secret_returns_none_on_failure(self):
     # An existing username with a secret that was never issued gives None
     # rather than a user.
     known_name = self.user.username
     resolved = AuthToken.get_user_for_secret(
         known_name, self._INEXISTING_SECRET)
     self.assertTrue(resolved is None)
Пример #12
 def test_get_user_for_secret_sets_last_used_on(self):
     # Using a token for a lookup is expected to populate last_used_on.
     fresh_token = AuthToken.objects.create(user=self.user)
     owner_name = self.user.username
     AuthToken.get_user_for_secret(owner_name, fresh_token.secret)
     # Read the token back by id and owner before inspecting the field
     stored_token = AuthToken.objects.get(id=fresh_token.id, user=self.user)
     self.assertNotEqual(stored_token.last_used_on, None)
Пример #13
 def test_get_user_for_secret_checks_if_the_user_matches(self):
     # The secret alone is not enough: paired with another username the
     # lookup has to come back empty.
     valid_secret = AuthToken.objects.create(user=self.user).secret
     outcome = AuthToken.get_user_for_secret(self._INEXISTING_USER, valid_secret)
     self.assertEqual(outcome, None)
Пример #14
 def test_get_user_for_secret_finds_valid_user(self):
     # Owner's username plus the token's own secret returns that owner.
     valid_secret = AuthToken.objects.create(user=self.user).secret
     outcome = AuthToken.get_user_for_secret(
         self.user.username, valid_secret)
     self.assertEqual(outcome, self.user)
Пример #15
 def test_lookup_user_for_secret_returns_none_on_failure(self):
     # A secret that does not exist yields None even for a known username.
     bogus_secret = self._INEXISTING_SECRET
     outcome = AuthToken.get_user_for_secret(self.user.username, bogus_secret)
     self.assertTrue(outcome is None)