def create_token(value): if pkconfig.channel_in_internal_test() and cfg.create_token_secret: v = base64.b32encode( hashlib.sha256( pkcompat.to_bytes(value + cfg.create_token_secret)).digest()) return pkcompat.from_bytes(v[:TOKEN_SIZE]) return random_base62(TOKEN_SIZE)
def _do_download_data_file(msg, template): try: r = template.get_data_file( msg.runDir, msg.analysisModel, msg.frame, options=PKDict(suffix=msg.suffix), ) if not isinstance(r, PKDict): if isinstance(r, str): r = msg.runDir.join(r, abs=1) r = PKDict(filename=r) u = r.get('uri') if u is None: u = r.filename.basename c = r.get('content') if c is None: c = pkcompat.to_bytes(pkio.read_text(r.filename)) \ if u.endswith(('py', 'txt', 'csv')) \ else r.filename.read_binary() requests.put( msg.dataFileUri + u, data=c, verify=job.cfg.verify_tls, ).raise_for_status() return PKDict() except Exception as e: return PKDict(state=job.ERROR, error=e, stack=pkdexc())
def install_crt_and_login(compt, j2_ctx): from rsconf.pkcli import tls if not update_j2_ctx(j2_ctx): return jf = db.secret_path(j2_ctx, _PASSWD_SECRET_JSON_F, visibility=_PASSWD_VISIBILITY) with jf.open() as f: y = pkjson.load_any(jf) u = j2_ctx.rsconf_db.host p = y.get(u, None) if not p: return j2_ctx.docker.auths[j2_ctx.docker_registry.http_addr] = dict( auth=pkcompat.from_bytes( base64.b64encode( pkcompat.to_bytes(u + ':' + pkcompat.from_bytes(p))), ), ) compt.install_access(mode='700', owner=j2_ctx.docker_registry.run_u) crt = component.tls_key_and_crt(j2_ctx, j2_ctx.docker_registry.host).crt if not tls.is_self_signed_crt(crt): return compt.install_directory(_CERTS_D) d = _CERTS_D.join(j2_ctx.docker_registry.http_addr) compt.install_directory(d) compt.install_access(mode='400', owner=j2_ctx.docker_registry.run_u) compt.install_abspath(crt, d.join('ca.crt')) # need in /etc/pki as well (now) # https://success.docker.com/article/i-get-x509-certificate-signed-by-unknown-authority-error-when-i-try-to-login-to-my-dtr-with-default-certificates compt.install_abspath( crt, _CA_TRUST_D.join(j2_ctx.docker_registry.host + '.crt')) compt.append_root_bash('update-ca-trust')
def test_from_bytes(): from pykern import pkcompat from pykern.pkunit import pkeq b = pkcompat.to_bytes('你好') s = pkcompat.from_bytes(b) pkeq(s, '你好') pkeq(b, b'\xe4\xbd\xa0\xe5\xa5\xbd') if six.PY2: pkeq(b, s) else: pkeq(False, b == s)
def _passwd_entry(j2_ctx, host): from rsconf import db import subprocess pw = db.random_string() pf = passwd_secret_f(j2_ctx) p = subprocess.Popen( ['openssl', 'passwd', '-stdin', '-apr1'], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, ) out, err = p.communicate(input=pkcompat.to_bytes(pw)) with pf.open(mode='at') as f: f.write('{}:{}\n'.format(host, pkcompat.from_bytes(out).rstrip())) return pw
def test_create_zip(fc): from pykern import pkio from pykern import pkunit from pykern import pkcompat from pykern.pkcollections import PKDict from pykern.pkdebug import pkdp, pkdpretty from pykern.pkunit import pkeq from sirepo import srunit import base64 import re import zipfile imported = _import(fc) for sim_type, sim_name, expect in imported + [ ('elegant', 'bunchComp - fourDipoleCSR', ['WAKE-inputfile.knsl45.liwake.sdds', 'run.py', 'sirepo-data.json']), ('srw', 'Tabulated Undulator Example', ['magnetic_measurements.zip', 'run.py', 'sirepo-data.json']), ('warppba', 'Laser Pulse', ['run.py', 'sirepo-data.json']), ]: sim_id = fc.sr_sim_data( sim_name, sim_type)['models']['simulation']['simulationId'] with pkio.save_chdir(pkunit.work_dir()) as d: for t in 'zip', 'html': r = fc.sr_get( 'exportArchive', PKDict( simulation_type=sim_type, simulation_id=sim_id, filename='anything.' + t, )) p = d.join(sim_name + '.' + t) x = r.data if t == 'html': x = pkcompat.from_bytes(x) m = re.search(r'name="zip" \S+ value="([^"]+)"', x, flags=re.DOTALL) x = base64.b64decode(pkcompat.to_bytes(m.group(1))) p.write_binary(x) e = expect if t == 'html': e.remove('run.py') pkeq( e, sorted(zipfile.ZipFile(str(p)).namelist()), )
def do_form(form): """Self-extracting archive post Args: form (flask.request.Form): what to import Returns: dict: data """ from sirepo import simulation_db if not 'zip' in form: sirepo.util.raise_not_found('missing zip in form') data = read_zip(base64.decodebytes(pkcompat.to_bytes(form['zip']))) data.models.simulation.folder = '/Import' data.models.simulation.isExample = False return simulation_db.save_new_simulation(data)
def auth_hash(req, verify=False): now = int(time.time()) if not 'authNonce' in req: if verify: util.raise_unauthorized('authNonce: missing field in request') req.authNonce = str(now) + _AUTH_NONCE_SEPARATOR + util.random_base62() h = hashlib.sha256() h.update( pkcompat.to_bytes( _AUTH_HASH_SEPARATOR.join([ req.authNonce, req.simulationType, req.simulationId, cfg.secret, ])), ) res = 'v1:' + pkcompat.from_bytes(base64.urlsafe_b64encode(h.digest()), ) if not verify: req.authHash = res return if res != req.authHash: util.raise_unauthorized( '{}: hash mismatch expected={} nonce={}', req.authHash, res, req.authNonce, ) t = req.authNonce.split(_AUTH_NONCE_SEPARATOR)[0] try: t = int(t) except ValueError as e: util.raise_unauthorized( '{}: auth_nonce prefix not an int: nonce={}', t, req.authNonce, ) delta = now - t if abs(delta) > _AUTH_NONCE_REPLAY_SECS: util.raise_unauthorized( '{}: auth_nonce time outside replay window={} now={} nonce={}', t, _AUTH_NONCE_REPLAY_SECS, now, req.authNonce, )
def test_srw_auth_hash_copy(): from pykern import pkconfig pkconfig.reset_state_for_testing({ 'SIREPO_AUTH_BLUESKY_SECRET': 'anything', 'SIREPO_AUTH_METHODS': 'bluesky', 'SIREPO_FEATURE_CONFIG_SIM_TYPES': 'srw:myapp', }) from pykern import pkcollections from pykern import pkcompat from pykern.pkdebug import pkdp from pykern.pkunit import pkeq from sirepo.auth import bluesky import base64 import hashlib import numconv import random import time bluesky.init_apis() req = dict( simulationType='xyz', simulationId='1234', ) r = random.SystemRandom() req['authNonce'] = str(int(time.time())) + '-' + ''.join( r.choice(numconv.BASE62) for x in range(32) ) h = hashlib.sha256() h.update( pkcompat.to_bytes( ':'.join([ req['authNonce'], req['simulationType'], req['simulationId'], bluesky.cfg.secret, ]), ), ) req['authHash'] = 'v1:' + pkcompat.from_bytes( base64.urlsafe_b64encode(h.digest()), ) bluesky.auth_hash(pkcollections.Dict(req), verify=True)
def test_basic(auth_fc, monkeypatch): from pykern import pkconfig, pkcompat from pykern.pkunit import pkeq from sirepo import srunit import base64 import sirepo.auth.basic u = auth_fc.sr_login_as_guest() sirepo.auth.basic.cfg.uid = u import sirepo.status auth_fc.cookie_jar.clear() # monkeypatch so status doesn't take so long sirepo.status._SIM_TYPE = 'myapp' sirepo.status._SIM_NAME = 'Scooby Doo' sirepo.status._SIM_REPORT = 'heightWeightReport' pkeq(401, auth_fc.sr_get('serverStatus').status_code) r = auth_fc.sr_get_json( 'serverStatus', headers=PKDict(Authorization='Basic ' + pkcompat.from_bytes( base64.b64encode(pkcompat.to_bytes(u + ':' + 'pass')), ), ), ) pkeq('ok', r.state)
def host_init(hdb, host): jf = db.secret_path(hdb, _PASSWD_SECRET_JSON_F, visibility=_PASSWD_VISIBILITY) if jf.check(): with jf.open() as f: y = pkjson.load_any(f) else: y = PKDict() assert not host in y, \ '{}: host already exists'.format(host) y[host] = db.random_string() pkjson.dump_pretty(y, filename=jf) pf = db.secret_path(hdb, _PASSWD_SECRET_F, visibility=_PASSWD_VISIBILITY) with pf.open(mode='at') as f: f.write( '{}:{}\n'.format( host, pkcompat.from_bytes( bcrypt.hashpw( pkcompat.to_bytes(y[host]), bcrypt.gensalt(5), ), ), ), )
def avatar_uri(model, size): return 'https://www.gravatar.com/avatar/{}?d=mp&s={}'.format( hashlib.md5(pkcompat.to_bytes(model.user_name)).hexdigest(), size, )
def _encrypt(self, text): return base64.urlsafe_b64encode( self._crypto().encrypt(pkcompat.to_bytes(text)), )
def _decrypt(self, value): d = self._crypto().decrypt( base64.urlsafe_b64decode(pkcompat.to_bytes(value)), ) pkdc('{}', d) return pkcompat.from_bytes(d)
def url_safe_hash(value): return hashlib.md5(pkcompat.to_bytes(value)).hexdigest()