def test_secure_obj_only_failure(self): class Foo(object): pass try: secure(Foo()) except Exception, e: assert isinstance(e, TypeError)
def test_secure_obj_only_failure(self): class Foo(object): pass try: secure(Foo()) except Exception as e: assert isinstance(e, TypeError)
class RestApi(object): @classmethod def authorize(cls): username = (request.headers.get('Cr-User') or request.headers.get('X-Cr-User')) token = (request.headers.get('Cr-Token') or request.headers.get('X-Cr-Token')) if not username or not token: return False reg = CacheRegistry() with reg.reader('') as cache: token = cache.get_user_token(username, token) if not token: LOG.warn("Missing or expired token for %s" % username) return False request.user = Wrap(id=token['uid'], username=username, org=token['org'], email=token['email'], email_hash=token['email_hash'], token=token['token'], permissions=token['permissions'], tier=Wrap(**token['tier'])) return True return False @classmethod def lazy_authorize(cls): RestApi.authorize() # Always return True return True @expose('json') def version(self): return dict(name='CloudRunner.IO REST API', version=VERSION) auth = Auth() billing = secure(Billing(), 'authorize') my = secure(Profile(), 'authorize') deployments = secure(Deployments(), 'authorize') dispatch = secure(Dispatch(), 'authorize') library = secure(Library(), 'authorize') # scheduler = secure(Jobs(), 'authorize') logs = secure(Logs(), 'authorize') clouds = secure(Clouds(), 'authorize') manage = secure(Manage(), 'authorize') # Exec execute = secure(Execute(), 'lazy_authorize') # SSE status = EntityStatus() # Docs html = HtmlDocs()
class SecretController(SecureController): authorized = False independent_authorization = False @expose() def _lookup(self, someID, *remainder): if someID == 'notfound': return None elif someID == 'lookup_wrapped': return self.wrapped, remainder return SubController(someID), remainder @secure('independent_check_permissions') @expose() def independent(self): return 'Independent Security' wrapped = secure(SubController('wrapped'), 'independent_check_permissions') @classmethod def check_permissions(cls): permissions_checked.add('secretcontroller') return cls.authorized @classmethod def independent_check_permissions(cls): permissions_checked.add('independent') return cls.independent_authorization
class RootController(object): sub = secure(SecureController(), lambda: authorized)
class RootController(object): @expose() def index(self): return 'Hello from root!' sub = secure(SubController(), lambda: authorized)
class SlugController(object): def __init__(self, slug): self.slug = slug # Make sure the provided slug is valid if not slug: redirect(request.context['recipe'].slugs[0].slug) if slug not in [slug.slug for slug in request.context['recipe'].slugs]: abort(404) @expose('recipes/builder/index.html') @expose('json', content_type='application/json') def index(self): recipe = request.context['recipe'] if recipe.state == "DRAFT": if recipe.author and recipe.author != request.context['user']: abort(404) if not recipe.author and recipe != request.context['trial_recipe']: abort(404) # Log a view for the recipe (if the viewer *is not* the author) if recipe.author != request.context['user'] and \ request.pecan.get('content_type') == 'application/json': model.RecipeView(recipe=recipe) return dict(recipe=recipe, editable=False) @expose(content_type='application/xml') def xml(self): recipe = request.context['recipe'] if recipe.state == "DRAFT": if recipe.author and recipe.author != request.context['user']: abort(404) response.headers['Content-Disposition'] = \ 'attachment; filename="%s.xml"' % self.slug return export.to_xml([request.context['recipe']]) @expose(generic=True) def draft(self): abort(405) @draft.when(method="POST") def do_draft(self): source = request.context['recipe'] if source.author is None or source.author != request.context['user']: abort(401) if source.state != "PUBLISHED": abort(401) draft = source.draft() draft.flush() redirect("%sbuilder" % draft.url()) @expose(generic=True) def copy(self): abort(405) @copy.when(method="POST") def do_copy(self): source = request.context['recipe'] if request.context['user'] is None: redirect("/signup") if source.author is None: abort(401) diff_user = source.author != request.context['user'] name = source.name if diff_user else "%s (Duplicate)" % source.name copy = source.duplicate({ 'name': name, 'author': request.context['user'] }) if diff_user: copy.copied_from = source redirect("/") @expose(generic=True) def delete(self): abort(405) @delete.when(method="POST") def do_delete(self): source = request.context['recipe'] if source.author is None or source.author != request.context['user']: abort(401) source.delete() redirect("/") builder = secure(RecipeBuilderController(), RecipeBuilderController.check_permissions)