def delete_invoices(conn, where):
invoices = select_dict(conn, 'invoices', 'id', where=where)
deleted_invoice_ids = []
for id, invoice in invoices.iteritems():
delete(conn, 'invoice_status', where={'id_invoice': id})
invoice_id = delete(conn, 'invoices', where={'id': id}, returning='id')
deleted_invoice_ids.append(invoice_id)
logging.info('invoice %s deleted for %s', invoice_id, where)
return deleted_invoice_ids
def _user_verify(conn, users_id, user_auth, ip, headers):
""" Verify user information for the request.
conn: database connection.
users_id: user's id.
user_auth: pre-image for user's password.
ip: IP address for the request.
headers: request header information.
"""
# XXX enforce expiry time
expiry = datetime.datetime.strptime(user_auth['exp'], EXPIRY_FORMAT)
if expiry < datetime.datetime.utcnow():
raise ValidationError('LOGIN_REQUIRED_ERR_EXPIRED_AUTH')
columns = ('password', 'hash_algorithm', 'csrf_token', 'users_logins.id')
where = {
'users.id': users_id,
'users_logins.headers': headers,
'users_logins.ip_address': ip,
'users_logins.cookie_expiry__gt': datetime.datetime.utcnow()
}
result = db_utils.join(conn, ('users', 'users_logins'),
columns=columns,
on=[('users.id', 'users_logins.users_id')],
where=where,
limit=1)
if not result or len(result) == 0:
raise ValidationError('LOGIN_REQUIRED_ERR_INVALID_USER')
exp_auth, hash_algo, exp_csrf, login_id = result[0]
try:
# XXX use the hash algorithm specified in the user account
cur_auth = get_authenticator(hash_algo, user_auth['auth'])
if cur_auth != exp_auth:
raise ValidationError('LOGIN_REQUIRED_ERR_INVALID_AUTH')
# XXX always verify the CSRF token
if user_auth['csrf'] != exp_csrf:
logging.error("Invalid csrf: cur: %s, exp: %s" %
(user_auth['csrf'], exp_csrf))
raise ValidationError('LOGIN_REQUIRED_ERR_INVALID_CSRF')
except ValidationError, e:
# XXX delete the compromised session and propagate the exception
# TODO: Maybe log the attacker informations somewhere?
# That would be useful to display some Gmail-like warnings:
# Somebody from <somewhere> tried to access your account on <datetime>
logging.error('Delete compromised session for id %s '
'with error:%s' % (login_id, str(e)))
db_utils.delete(conn, 'users_logins', where={'id': login_id})
raise e
def _on_post(self, req, resp, conn, **kwargs):
try:
super(SensorIncomesResource, self)._on_post(req, resp, conn, **kwargs)
order_list = req.get_param('order_list')
if order_list:
where = {'order_id__in': tuple(order_list)}
delete(self.conn, 'incomes_log', where=where)
logging.info('incomes_log_del: %s', order_list)
return {'POST_R': {'res': RESP_RESULT.S}}
except Exception, e:
logging.error('incomes_log_del_err: %s', e, exc_info=True)
return {'POST_R': {'res': RESP_RESULT.F}}
def _on_post(self, req, resp, conn, **kwargs):
try:
super(SensorBoughtHistoryResource,
self)._on_post(req, resp, conn, **kwargs)
id_list = req.get_param('id_list')
if id_list:
where = {'id__in': tuple(id_list)}
delete(self.conn, 'bought_history', where=where)
logging.info('bought_history_del: %s', id_list)
return {'POST_R': {'res': RESP_RESULT.S}}
except Exception, e:
logging.error('bought_history_del_err: %s', e, exc_info=True)
return {'POST_R': {'res': RESP_RESULT.F}}
def _on_post(self, req, resp, conn, **kwargs):
f = StringIO(req.query_string)
data = decrypt_json_resp(f,
settings.SERVER_APIKEY_URI_MAP[SERVICES.USR],
settings.PRIVATE_KEY_PATH)
f.close()
form_params = cgi.parse_qs(data)
for p in form_params:
form_params[p] = form_params[p][0]
action = form_params.get('action')
id_user = form_params.get('id_user')
email = form_params.get('email')
imo = form_params.get('imo')
mmsi = form_params.get('mmsi')
if action not in ('add', 'delete'):
raise ValidationError('INVALID_REQUEST')
if not id_user or not email or not imo or not mmsi:
raise ValidationError('INVALID_REQUEST')
values = {
'id_user': id_user,
'email': email,
'imo': imo,
'mmsi': mmsi,
'done': False,
}
if action == 'add':
records = db_utils.select(conn,
"vessel_arrival_notif",
columns=("imo", "mmsi"),
where=values)
if len(records) == 0:
db_utils.insert(conn, "vessel_arrival_notif", values=values)
elif action == 'delete':
db_utils.delete(conn, "vessel_arrival_notif", where=values)
return {'res': RESP_RESULT.S}
def main():
size = settings.HMAC_KEY_SIZE
path = settings.HMAC_KEY_FILE_PATH
hmac_key = os.urandom(size)
with open(path, 'w') as f:
f.write(hmac_key)
f.close()
logging.info('HMAC key updated at %s UTC: %s' %
(datetime.utcnow(), hmac_key))
with db_utils.get_conn(settings.DATABASE) as conn:
result = db_utils.delete(
conn,
'users_logins',
where={'cookie_expiry__lt': datetime.utcnow()},
returning='*')
if result:
logging.info('Delete expiry login sessions at %s UTC: %s' %
(datetime.utcnow(), result))
else:
logging.info('No sessions expired')
def update(self, shipment_ids):
where = {'id_shipment__in': tuple(shipment_ids)}
delete(self.conn, 'free_shipping_fee', where=where)
delete(self.conn, 'shipment_status', where=where)
delete(self.conn, 'shipping_fee', where=where)
delete(self.conn, 'shipping_list', where=where)
delete(self.conn, 'shipping_supported_services', where=where)
delete_invoices(self.conn, where)
delete(self.conn, 'shipments', where={'id__in': tuple(shipment_ids)})
logging.info('delete shipment %s for order modify', shipment_ids)
self.create()
if is_edit:
db_utils.update(conn, 'coupons',
values=coupon_values,
where={'id': id_coupon})
else:
id_coupon = db_utils.insert(conn, 'coupons',
values=coupon_values,
returning='id')[0]
if is_edit:
for table in (
'coupon_given_to', 'coupon_accepted_at', 'coupon_condition',
'store_credit', 'coupon_discount', 'coupon_give_away',
'coupon_gift'):
db_utils.delete(conn, table,
where={'id_coupon': id_coupon})
if id_users:
for id_user in id_users:
db_utils.insert(conn, 'coupon_given_to',
values={'id_coupon': id_coupon,
'id_user': id_user})
if id_shops:
for id_shop in id_shops:
db_utils.insert(conn, 'coupon_accepted_at',
values={'id_coupon': id_coupon,
'id_shop': id_shop})
if require and cond_list:
for cond_values in cond_list:
cond_values.update({'id_coupon': id_coupon})