def test_secure_obj_only_failure(self):
class Foo(object): pass
try:
secure(Foo())
except Exception, e:
assert isinstance(e, TypeError)
def test_secure_obj_only_failure(self):
class Foo(object):
pass
try:
secure(Foo())
except Exception as e:
assert isinstance(e, TypeError)
class RestApi(object):
@classmethod
def authorize(cls):
username = (request.headers.get('Cr-User')
or request.headers.get('X-Cr-User'))
token = (request.headers.get('Cr-Token')
or request.headers.get('X-Cr-Token'))
if not username or not token:
return False
reg = CacheRegistry()
with reg.reader('') as cache:
token = cache.get_user_token(username, token)
if not token:
LOG.warn("Missing or expired token for %s" % username)
return False
request.user = Wrap(id=token['uid'],
username=username,
org=token['org'],
email=token['email'],
email_hash=token['email_hash'],
token=token['token'],
permissions=token['permissions'],
tier=Wrap(**token['tier']))
return True
return False
@classmethod
def lazy_authorize(cls):
RestApi.authorize()
# Always return True
return True
@expose('json')
def version(self):
return dict(name='CloudRunner.IO REST API', version=VERSION)
auth = Auth()
billing = secure(Billing(), 'authorize')
my = secure(Profile(), 'authorize')
deployments = secure(Deployments(), 'authorize')
dispatch = secure(Dispatch(), 'authorize')
library = secure(Library(), 'authorize')
# scheduler = secure(Jobs(), 'authorize')
logs = secure(Logs(), 'authorize')
clouds = secure(Clouds(), 'authorize')
manage = secure(Manage(), 'authorize')
# Exec
execute = secure(Execute(), 'lazy_authorize')
# SSE
status = EntityStatus()
# Docs
html = HtmlDocs()
class SecretController(SecureController):
authorized = False
independent_authorization = False
@expose()
def _lookup(self, someID, *remainder):
if someID == 'notfound':
return None
elif someID == 'lookup_wrapped':
return self.wrapped, remainder
return SubController(someID), remainder
@secure('independent_check_permissions')
@expose()
def independent(self):
return 'Independent Security'
wrapped = secure(SubController('wrapped'),
'independent_check_permissions')
@classmethod
def check_permissions(cls):
permissions_checked.add('secretcontroller')
return cls.authorized
@classmethod
def independent_check_permissions(cls):
permissions_checked.add('independent')
return cls.independent_authorization
class RootController(object):
sub = secure(SecureController(), lambda: authorized)
class RootController(object):
@expose()
def index(self):
return 'Hello from root!'
sub = secure(SubController(), lambda: authorized)
class SlugController(object):
def __init__(self, slug):
self.slug = slug
# Make sure the provided slug is valid
if not slug:
redirect(request.context['recipe'].slugs[0].slug)
if slug not in [slug.slug for slug in request.context['recipe'].slugs]:
abort(404)
@expose('recipes/builder/index.html')
@expose('json', content_type='application/json')
def index(self):
recipe = request.context['recipe']
if recipe.state == "DRAFT":
if recipe.author and recipe.author != request.context['user']:
abort(404)
if not recipe.author and recipe != request.context['trial_recipe']:
abort(404)
# Log a view for the recipe (if the viewer *is not* the author)
if recipe.author != request.context['user'] and \
request.pecan.get('content_type') == 'application/json':
model.RecipeView(recipe=recipe)
return dict(recipe=recipe, editable=False)
@expose(content_type='application/xml')
def xml(self):
recipe = request.context['recipe']
if recipe.state == "DRAFT":
if recipe.author and recipe.author != request.context['user']:
abort(404)
response.headers['Content-Disposition'] = \
'attachment; filename="%s.xml"' % self.slug
return export.to_xml([request.context['recipe']])
@expose(generic=True)
def draft(self):
abort(405)
@draft.when(method="POST")
def do_draft(self):
source = request.context['recipe']
if source.author is None or source.author != request.context['user']:
abort(401)
if source.state != "PUBLISHED":
abort(401)
draft = source.draft()
draft.flush()
redirect("%sbuilder" % draft.url())
@expose(generic=True)
def copy(self):
abort(405)
@copy.when(method="POST")
def do_copy(self):
source = request.context['recipe']
if request.context['user'] is None:
redirect("/signup")
if source.author is None:
abort(401)
diff_user = source.author != request.context['user']
name = source.name if diff_user else "%s (Duplicate)" % source.name
copy = source.duplicate({
'name': name,
'author': request.context['user']
})
if diff_user:
copy.copied_from = source
redirect("/")
@expose(generic=True)
def delete(self):
abort(405)
@delete.when(method="POST")
def do_delete(self):
source = request.context['recipe']
if source.author is None or source.author != request.context['user']:
abort(401)
source.delete()
redirect("/")
builder = secure(RecipeBuilderController(),
RecipeBuilderController.check_permissions)
