def unindex_object(obj, catalog=''):
"""Un-index given object from catalog"""
LOGGER.debug("Un-indexing object {0!r}".format(obj))
intids = query_utility(IIntIds)
if intids is not None:
object_id = intids.queryId(obj)
if object_id is not None:
if isinstance(catalog, str):
catalog = query_utility(ICatalog, name=catalog)
if catalog is not None:
catalog.unindex_doc(object_id)
def reindex_object(obj, catalog=''):
"""Reindex given object into catalog"""
LOGGER.debug("Re-indexing object {0!r}".format(obj))
intids = query_utility(IIntIds)
if intids is not None:
object_id = intids.queryId(obj)
if object_id is not None:
if isinstance(catalog, str):
catalog = query_utility(ICatalog, name=catalog)
if catalog is not None:
get_pyramid_registry().notify(BeforeObjectIndexEvent(obj))
catalog.reindex_doc(object_id, obj)
def check_required_utilities(site, utilities):
"""Utility function to check for required utilities
:param ISite site: the site manager into which configuration may be checked
:param tuple utilities: each element of the tuple is another tuple made of the utility
interface, the utility registration name, the utility factory and the object name when
creating the utility, as in:
.. code-block:: python
REQUIRED_UTILITIES = ((ISecurityManager, '', SecurityManager, 'Security manager'),
(IPrincipalAnnotationUtility, '', PrincipalAnnotationUtility,
'User profiles'))
"""
registry = get_current_registry()
for interface, name, factory, default_id in utilities:
utility = query_utility(interface, name=name)
if utility is None:
lsm = site.getSiteManager()
if default_id in lsm:
continue
if factory is None:
factory = get_object_factory(interface)
utility = factory()
registry.notify(ObjectCreatedEvent(utility))
lsm[default_id] = utility
lsm.registerUtility(utility, interface, name=name)
def get_current_jwt_token(request):
"""Get current JWT token for authenticated principal"""
manager = query_utility(ISecurityManager)
if manager is None:
raise HTTPServiceUnavailable()
configuration = IJWTSecurityConfiguration(manager)
if not configuration.enabled:
raise HTTPServiceUnavailable()
if Authenticated not in request.effective_principals:
raise HTTPForbidden()
custom_claims = request.params.get('claims', {})
request.response.cache_expires(configuration.refresh_expiration)
return {
'status':
'success',
configuration.access_token_name:
create_jwt_token(request,
request.authenticated_userid,
expiration=configuration.access_expiration,
obj=ACCESS_OBJECT,
**custom_claims),
configuration.refresh_token_name:
create_jwt_token(request,
request.authenticated_userid,
expiration=configuration.refresh_expiration,
obj=REFRESH_OBJECT)
}
def refresh_jwt_token(request):
"""JWT token refresh service"""
sm = query_utility(ISecurityManager) # pylint: disable=invalid-name
if sm is None:
raise HTTPServiceUnavailable()
configuration = IJWTSecurityConfiguration(sm)
if not configuration.enabled:
raise HTTPServiceUnavailable()
# user remote authentication authority
if configuration.proxy_mode:
handler = IJWTProxyHandler(sm, None)
if handler is not None:
status_code, token = handler.refresh_token(request) # pylint: disable=assignment-from-no-return
request.response.status_code = status_code
return token
# refresh token locally
claims = get_jwt_claims(request)
if not claims:
raise HTTPForbidden()
principal_id = claims.get('sub')
if not principal_id:
raise HTTPUnauthorized()
params = request.params if TEST_MODE else request.validated
custom_claims = params.get('claims', {})
return {
'status':
'success',
configuration.access_token_name:
create_jwt_token(request,
principal_id,
expiration=configuration.access_expiration,
obj=ACCESS_OBJECT,
**custom_claims)
}
def index_object(obj, catalog='', ignore_notyet=False):
"""Index given object into catalog"""
LOGGER.debug("Indexing object {0!r}".format(obj))
intids = query_utility(IIntIds)
if intids is not None:
try:
object_id = intids.register(obj)
except NotYet:
if not ignore_notyet:
raise
else:
if isinstance(catalog, str):
catalog = query_utility(ICatalog, name=catalog)
if catalog is not None:
get_pyramid_registry().notify(BeforeObjectIndexEvent(obj))
catalog.index_doc(object_id, obj)
def handle_new_engine_data_extraction(event):
"""Handle new engine data"""
name = event.data['name'] or ''
engine = query_utility(IAlchemyEngineUtility, name=name)
if engine is not None:
event.form.widgets.errors += (Invalid(_("An SQLAlchemy engine is already "
"registered with this name!")),)
def __acl__(self):
"""Get ACL for current context
The result is stored into current request annotations, so it's not supposed to change
during request lifetime.
"""
# always grant all permissions to system manager
# and 'public' permission to everyone
result = [(Allow, ADMIN_USER_ID, ALL_PERMISSIONS),
(Allow, Everyone, {PUBLIC_PERMISSION})]
# grant access to all roles permissions
for role_id in self.get_granted_roles():
role = query_utility(IRole, role_id)
if role is not None:
result.append(
(Allow, ROLE_ID.format(role_id), role.permissions))
# add denied permissions to everyone and authenticated
permissions = self.get_everyone_denied()
if permissions:
result.append((Deny, Everyone, permissions))
permissions = self.get_authenticated_denied()
if permissions:
result.append((Deny, Authenticated, permissions))
# add allowed permissions to everyone and authenticated
permissions = self.get_authenticated_granted()
if permissions:
result.append((Allow, Authenticated, permissions))
permissions = self.get_everyone_granted()
if permissions:
result.append((Allow, Everyone, permissions))
# deny all parent permissions if inheritance is disabled
if not self.inherit_parent_security:
result.append(DENY_ALL)
LOGGER.debug('ACL({0!r}) = {1}'.format(self.__parent__, str(result)))
return result
def get_engine(engine, use_pool=True):
"""Get engine matching given utility name"""
if isinstance(engine, str):
engine = query_utility(IAlchemyEngineUtility, name=engine)
if engine is not None:
return engine.get_engine(use_pool), engine.twophase
return None
def notify_user_activation(user, request=None):
"""Send mail for user activation"""
security = query_utility(ISecurityManager)
settings = INotificationSettings(security)
if not settings.enable_notifications: # pylint: disable=assignment-from-no-return
LOGGER.info("Security notifications disabled, no message sent...")
return
mailer = settings.get_mailer() # pylint: disable=assignment-from-no-return
if mailer is None:
LOGGER.warning("Can't find mailer utility, no notification message sent!")
return
if request is None:
request = check_request()
translate = request.localizer.translate
i18n_settings = II18n(settings)
message_text, template_name = None, None
if user.self_registered:
# pylint: disable=assignment-from-no-return
message_text = i18n_settings.query_attribute('registration_template', request=request)
if not message_text:
template_name = 'templates/register-message.pt'
elif user.wait_confirmation:
# pylint: disable=assignment-from-no-return
message_text = i18n_settings.query_attribute('confirmation_template', request=request)
if not message_text:
template_name = 'templates/register-info.pt'
site = get_parent(request.context, ISite)
if message_text is not None:
message_text = message_text.format(**user.to_dict())
elif template_name is not None:
message_text = render(template_name, request=request, value={
'user': user,
'site': site,
'settings': settings
})
html_body = render('templates/register-body.pt', request=request, value={
'user': user,
'site': site,
'settings': settings,
'message': message_text
})
message = Message(
subject=translate(_("{prefix}Please confirm registration")).format(
prefix="{prefix} ".format(prefix=settings.subject_prefix)
if settings.subject_prefix else ''),
sender='{name} <{email}>'.format(name=settings.sender_name,
email=settings.sender_email),
recipients=("{firstname} {lastname} <{email}>".format(firstname=user.firstname,
lastname=user.lastname,
email=user.email),),
html=Attachment(data=html_body,
content_type='text/html; charset=utf-8',
disposition='inline',
transfer_encoding='quoted-printable'),
body=Attachment(data=html_to_text(html_body),
content_type='text/plain; charset=utf-8',
disposition='inline',
transfer_encoding='quoted-printable'))
mailer.send(message)
def oid(self):
"""Get context ID in hexadecimal form"""
intids = query_utility(IIntIds)
if intids is not None:
object_id = intids.register(self.context)
if object_id is not None:
return hex(object_id)[2:]
return None
def title(self):
"""Title getter"""
translate = self.request.localizer.translate
scheduler = query_utility(IScheduler)
task = get_parent(self.context, ITask)
return '<small>{}</small><br />{}'.format(
get_object_label(scheduler, self.request, self),
translate(_("Task: {}")).format(task.name))
def check_password(self, password):
"""Check given password with encoded one"""
if not (self.activated and self.password):
return False
manager = query_utility(IPasswordManager, name=self.password_manager)
if manager is None:
return False
return manager.checkPassword(self.password, password)
def __init__(self, *args, **kwargs): # pylint: disable=unused-argument
terms = []
manager = query_utility(ISecurityManager)
if manager is not None:
for name, plugin in manager.items():
if IUsersFolderPlugin.providedBy(plugin):
terms.append(SimpleTerm(name, title=plugin.title))
super().__init__(terms)
def configuration(self): # pylint: disable=no-self-use
"""JWT configuration getter"""
try:
manager = query_utility(ISecurityManager)
if manager is not None:
return IJWTSecurityConfiguration(manager)
except ConnectionStateError:
return None
return None
def get_principal(request, principal_id=None):
"""Get principal associated with given request"""
manager = query_utility(ISecurityManager)
if manager is not None:
if principal_id is None:
principal_id = request.authenticated_userid
if principal_id:
return manager.get_principal(principal_id)
return UnknownPrincipal
return None
def tzinfo(request=None): # pylint: disable=unused-argument
"""request to timezone adapter
There is no easy way to get timezone from a request.
This adapter assumes that the timezone is given by
a registered utility...
"""
util = query_utility(IServerTimezone)
if util is not None:
return pytz.timezone(util.timezone)
return GMT
def create_jwt_token(request,
principal,
expiration=None,
audience=None,
**claims):
# pylint: disable=unused-argument
"""Create JWT token"""
plugin = query_utility(IJWTAuthenticationPlugin)
if (plugin is not None) and plugin.enabled:
return plugin.create_token(principal, expiration, audience, **claims)
return None
def __init__(self, context=None): # pylint: disable=unused-argument
terms = []
negotiator = query_utility(INegotiator)
if negotiator is not None:
translate = check_request().localizer.translate
for lang in negotiator.offered_languages:
terms.append(
SimpleTerm(lang,
title=translate(
BASE_LANGUAGES.get(lang)
or _("<unknown>"))))
super(I18nOfferedLanguages, self).__init__(terms)
def schedule_mode(self, value):
"""Scheduler mode setter"""
if self._schedule_mode is not None:
mode = query_utility(ITaskSchedulingMode, name=self._schedule_mode)
if (mode is not None) and mode.marker_interface.providedBy(self):
noLongerProvides(self, mode.marker_interface)
self._schedule_mode = value
if value:
mode = get_utility(ITaskSchedulingMode, name=value)
alsoProvides(self, mode.marker_interface)
mode.schema(self).active = False
if self.__parent__ is not None:
self.reset()
def verify_jwt_token(request):
"""JWT token verification view"""
manager = query_utility(ISecurityManager)
if manager is None:
raise HTTPServiceUnavailable()
configuration = IJWTSecurityConfiguration(manager)
if not configuration.enabled:
raise HTTPServiceUnavailable()
claims = get_jwt_claims(request)
if not claims:
raise HTTPForbidden()
request.response.status_code = HTTPAccepted.code
return {'status': 'success'}
def __call__(self, **kwargs):
"""Get and return layout template which is calling widget/render"""
layout = self.layout
if layout is None:
registry = self.request.registry
layout = registry.getMultiAdapter((self.context, self.request, self.form,
self.field, self),
IWidgetLayoutTemplate, name=self.mode)
cdict = {
'context': self.context,
'request': self.request,
'view': self,
'translate': query_utility(IChameleonTranslate)
}
cdict.update(kwargs)
return layout(**cdict)
def __call__(self, instance, *args, **keywords):
request = instance.request
registry = request.registry
template = registry.getMultiAdapter(
(request.context, request, instance.form, instance.field,
instance),
self.provides,
name=instance.mode)
keywords.update({
'context': instance.context,
'request': instance.request,
'view': instance,
'translate': query_utility(IChameleonTranslate)
})
return template(*args, **keywords)
def execute(self, task, action, job_id, registry=None):
"""Execute scheduler action"""
scheduler = query_utility(IScheduler)
if scheduler is not None:
registry = registry if registry is not None else get_pyramid_registry()
handler = registry.settings.get(SCHEDULER_HANDLER_KEY, False)
if handler:
zmq_settings = {
'zodb_name': scheduler.zodb_name,
'task_name': task.__name__,
'job_id': job_id
}
LOGGER.debug(f"Starting '{action}' on task {task.name} with {zmq_settings!r}")
socket = zmq_socket(handler, auth=registry.settings.get(SCHEDULER_AUTH_KEY))
socket.send_json([action, zmq_settings])
zmq_response(socket)
def get_jwt_token(request):
"""REST login endpoint for JWT authentication"""
# check security manager utility
sm = query_utility(ISecurityManager) # pylint: disable=invalid-name
if sm is None:
raise HTTPServiceUnavailable()
configuration = IJWTSecurityConfiguration(sm)
if not configuration.enabled:
raise HTTPServiceUnavailable()
# check request params
params = request.params if TEST_MODE else request.validated
login = params.get('login')
if not login:
raise HTTPBadRequest()
credentials = Credentials('jwt', id=login, **params)
# use remote authentication authority
if configuration.proxy_mode:
handler = IJWTProxyHandler(sm, None)
if handler is not None:
status_code, tokens = handler.get_tokens(request, credentials) # pylint: disable=assignment-from-no-return
request.response.status_code = status_code
return tokens
# authenticate principal in security manager
principal_id = sm.authenticate(credentials, request)
if principal_id is not None:
custom_claims = params.get('claims', {})
request.response.cache_expires(configuration.refresh_expiration)
return {
'status':
'success',
configuration.access_token_name:
create_jwt_token(request,
principal_id,
expiration=configuration.access_expiration,
obj=ACCESS_OBJECT,
**custom_claims),
configuration.refresh_token_name:
create_jwt_token(request,
principal_id,
expiration=configuration.refresh_expiration,
obj=REFRESH_OBJECT)
}
request.response.status_code = HTTPUnauthorized.code
return {
'status': 'error',
'message': request.localizer.translate(_("Invalid credentials!"))
}
def get_contents(self, data, mode='r'):
"""Extract archive contents"""
data, extractor = self._initialize(data, mode)
members = extractor.getmembers()
for member in members:
filename = member.name
content = extractor.extractfile(member)
if content is not None:
content = content.read()
if not content:
continue
mime_type = get_magic_content_type(content[:CHUNK_SIZE])
archiver = query_utility(IArchiveExtractor, name=mime_type)
if archiver is not None:
yield from archiver.get_contents(content)
else:
yield content, filename
def get_jwt_claims(request):
"""Extract claims from provided JWT token"""
sm = query_utility(ISecurityManager) # pylint: disable=invalid-name
if sm is None:
raise HTTPServiceUnavailable()
configuration = IJWTSecurityConfiguration(sm)
if not configuration.enabled:
raise HTTPServiceUnavailable()
params = request.params if TEST_MODE else request.validated
obj = params.get('obj')
if configuration.proxy_mode:
handler = IJWTProxyHandler(sm, None)
if handler is not None:
status_code, claims = handler.get_claims(request, obj) # pylint: disable=assignment-from-no-return
request.response.status_code = status_code
return claims
return get_request_claims(request, obj)
def handle_removed_task(event):
"""Handle removed task"""
request = check_request()
if request.registry is not None:
handler = request.registry.settings.get(SCHEDULER_HANDLER_KEY, False)
if handler:
task = event.object
scheduler_util = query_utility(IScheduler)
zmq_settings = {
'zodb_name': scheduler_util.zodb_name,
'task_name': task.__name__,
'job_id': task.internal_id
}
LOGGER.debug("Removing task {0.name} with {1!r}".format(task, zmq_settings))
socket = zmq_socket(handler, auth=request.registry.settings.get(SCHEDULER_AUTH_KEY))
socket.send_json(['remove_task', zmq_settings])
zmq_response(socket)
def locale_negotiator(request):
"""Negotiate language based on server, browser, request and user settings
Locale is extracted from request's "lang" parameter, from browser settings or from
negotiator utility
"""
negotiator = query_utility(INegotiator)
if negotiator is not None:
locale_name = negotiator.get_language(request)
else:
locale_name = get_browser_language(request)
if not locale_name:
registry = request.registry
locale_name = registry.settings.get('pyramid.default_locale_name',
'en')
if '-' in locale_name:
# remove 'sub-locale' to prevent Babel and Zope exceptions for unknown locales
locale_name = locale_name.split('-')[0]
return locale_name
def __init__(self, context):
terms = []
translate = check_request().localizer.translate
negotiator = query_utility(INegotiator)
if negotiator is not None:
terms.append(
SimpleTerm(negotiator.server_language,
title=translate(
BASE_LANGUAGES.get(
negotiator.server_language))))
manager = get_parent(context, II18nManager)
if manager is not None:
for lang in manager.languages: # pylint: disable=not-an-iterable
if (negotiator is None) or (lang !=
negotiator.server_language):
terms.append(
SimpleTerm(lang,
title=translate(
BASE_LANGUAGES.get(lang)
or _("<unknown>"))))
super(I18nContentLanguages, self).__init__(terms)
