def issue_token(body):
"""Issue a new token. The body should not include a ``token`` or ``id``,
but should include a ``typ`` and the necessary fields for that type. The
response will contain both ``token`` and ``id``. You must have permission
to issue the given token type."""
typ = body.typ
# verify permission to issue this type
perm = p.get('base.tokens.{}.issue'.format(typ))
if not perm.can():
raise Forbidden("You do not have permission to create this token type")
# verify required parameters; any extras will be ignored
for attr in required_token_attributes[typ]:
if getattr(body, attr) is wsme.Unset:
raise BadRequest("missing %s" % attr)
# prohibit silly requests
if body.disabled:
raise BadRequest("can't issue disabled tokens")
# All types have permissions, so handle those here -- ensure the request is
# for a subset of the permissions the user can perform
requested_permissions = [p.get(a) for a in body.permissions]
if None in requested_permissions:
raise BadRequest("bad permissions")
if not set(requested_permissions) <= current_user.permissions:
raise BadRequest("bad permissions")
# Dispatch the rest to the per-type function. Note that WSME has already
# ensured `typ` is one of the recognized types.
token = token_issuers[typ](body, requested_permissions)
logger.info("Issuing {} token #{} to {} with permissions {}".format(
token.typ, token.id or '(no ID)', current_user, requested_permissions))
return token
def issue_token(body):
"""Issue a new token. The body should not include a ``token`` or ``id``,
but should include a ``typ`` and the necessary fields for that type. The
response will contain both ``token`` and ``id``. You must have permission
to issue the given token type."""
typ = body.typ
# verify permission to issue this type
perm = p.get('base.tokens.{}.issue'.format(typ))
if not perm.can():
raise Forbidden("You do not have permission to create this token type")
# verify required parameters; any extras will be ignored
for attr in required_token_attributes[typ]:
if getattr(body, attr) is wsme.Unset:
raise BadRequest("missing %s" % attr)
# prohibit silly requests
if body.disabled:
raise BadRequest("can't issue disabled tokens")
# All types have permissions, so handle those here -- ensure the request is
# for a subset of the permissions the user can perform
requested_permissions = [p.get(a) for a in body.permissions]
if None in requested_permissions:
raise BadRequest("bad permissions")
if not set(requested_permissions) <= current_user.permissions:
raise BadRequest("bad permissions")
# Dispatch the rest to the per-type function. Note that WSME has already
# ensured `typ` is one of the recognized types.
token = token_issuers[typ](body, requested_permissions)
logger.info("Issuing {} token #{} to {} with permissions {}".format(
token.typ, token.id or '(no ID)', current_user, requested_permissions))
return token
def permissions(self):
token_permissions = [p.get(permissionstr)
for permissionstr in self._permissions.split(',')]
# silently ignore any nonexistent permissions; this allows us to remove unused
# permissions without causing tokens permitting those permissions to fail
# completely
return [a for a in token_permissions if a]
def can_access_token(access, typ, user):
# ensure the user can see this token; for non-user-associated
# tokens, that's just a permission check
if typ in ('prm', ):
if not p.get('base.tokens.{}.{}'.format(typ, access)).can():
return False
# for user-associated tokens, if the .all permission is set,
# the access is fine; otherwise very that the user matches and
# the .my permission is set.
elif typ in ('usr', ):
if not p.get('base.tokens.{}.{}.all'.format(typ, access)).can():
email = get_user_email()
if not email or not user or user != email:
return False
if not p.get('base.tokens.{}.{}.my'.format(typ, access)).can():
return False
return True
def can_access_token(access, typ, user):
# ensure the user can see this token; for non-user-associated
# tokens, that's just a permission check
if typ in ('prm',):
if not p.get('base.tokens.{}.{}'.format(typ, access)).can():
return False
# for user-associated tokens, if the .all permission is set,
# the access is fine; otherwise very that the user matches and
# the .my permission is set.
elif typ in ('usr',):
if not p.get('base.tokens.{}.{}.all'.format(typ, access)).can():
email = get_user_email()
if not email or not user or user != email:
return False
if not p.get('base.tokens.{}.{}.my'.format(typ, access)).can():
return False
return True
def permissions(self):
token_permissions = [
p.get(permissionstr)
for permissionstr in self._permissions.split(',')
]
# silently ignore any nonexistent permissions; this allows us to remove unused
# permissions without causing tokens permitting those permissions to fail
# completely
return [a for a in token_permissions if a]
def issue_token(body):
"""Issue a new token. The body should not include a ``token`` or ``id``.
The response will contain both."""
requested_permissions = [p.get(a) for a in body.permissions]
# ensure the request is for a subset of the permissions the user can
# perform
if None in requested_permissions or not set(requested_permissions) <= current_user.permissions:
raise BadRequest("bad permissions")
session = g.db.session('relengapi')
token_row = Token(
description=body.description,
permissions=requested_permissions)
session.add(token_row)
session.commit()
token = current_app.tokenauth_serializer.dumps(
{'v': TOKENAUTH_VERSION, 'id': token_row.id})
rv = token_row.to_jsontoken()
rv.token = token
return rv
def issue_token():
"""Issue a new authentication token. The POST body must contain JSON with keys
'permissions', a list of allowed permissions; and description, a description of the token."""
requested_permissions = [p.get(a) for a in request.json['permissions']]
# ensure the request is for a subset of the permissions the user can
# perform
if None in requested_permissions or not set(requested_permissions) <= current_user.permissions:
raise BadRequest("bad permissions")
if 'description' not in request.json:
raise BadRequest("no description")
session = g.db.session('relengapi')
token_row = Token(
description=request.json['description'],
permissions=requested_permissions)
session.add(token_row)
session.commit()
token = current_app.tokenauth_serializer.dumps(
{'v': TOKENAUTH_VERSION, 'id': token_row.id})
return {'token': token}
def permlist_to_permissions(permlist):
token_permissions = [p.get(s) for s in permlist]
# silently ignore any nonexistent permissions; this allows us to remove unused
# permissions without causing tokens permitting those permissions to fail
# completely
return [perm for perm in token_permissions if perm]
def permlist_to_permissions(permlist):
token_permissions = [p.get(s) for s in permlist]
# silently ignore any nonexistent permissions; this allows us to remove unused
# permissions without causing tokens permitting those permissions to fail
# completely
return [perm for perm in token_permissions if perm]
