def test_get_request(self): db.c.update("DELETE FROM r4_listeners") db.c.update("DELETE FROM r4_request_store") u = User(2) u.authorize(1, None, None, True) u.put_in_request_line(1) # TODO: Use proper request class here instead of DB call db.c.update("INSERT INTO r4_listeners (sid, user_id, listener_icecast_id) VALUES (1, %s, 1)", (u.id,)) db.c.update("INSERT INTO r4_request_store (user_id, song_id, sid) VALUES (%s, %s, 1)", (u.id, self.song1.id,)) e = Election.create(1) req = e.get_request() self.assertNotEqual(None, req) self.assertEqual(self.song1.id, req.id)
def test_check_song_for_conflict(self): db.c.update("DELETE FROM r4_listeners") db.c.update("DELETE FROM r4_request_store") e = Election.create(1) self.assertEqual(False, e._check_song_for_conflict(self.song1)) u = User(2) u.authorize(1, None, None, True) self.assertEqual(1, u.put_in_request_line(1)) # TODO: Use proper request/user methods here instead of DB call db.c.update("UPDATE r4_request_line SET line_top_song_id = %s, line_expiry_tune_in = %s WHERE user_id = %s", (self.song1.id, time.time()+9999, u.id)) db.c.update("INSERT INTO r4_listeners (sid, user_id, listener_icecast_id) VALUES (1, %s, 1)", (u.id,)) db.c.update("INSERT INTO r4_request_store (user_id, song_id, sid) VALUES (%s, %s, 1)", (u.id, self.song1.id)) request.update_cache(1) cache.update_local_cache_for_sid(1) self.assertEqual(True, e._check_song_for_conflict(self.song1)) self.assertEqual(False, e._check_song_for_conflict(self.song5)) self.assertEqual(event.ElecSongTypes.conflict, self.song5.data['entry_type']) self.assertEqual(event.ElecSongTypes.request, self.song1.data['entry_type'])
def setup_rainwave_session_and_redirect(self, user_id, destination): session_id = str(uuid.uuid4()) db.c.update( "INSERT INTO r4_sessions (session_id, user_id) VALUES (%s, %s)", ( session_id, user_id, )) self.set_cookie("r4_session_id", session_id, expires_days=365) if destination == "app" or destination == "rw": user = User(user_id) user.authorize(1, None, bypass=True) self.redirect( "rw://%s:%[email protected]" % (user.id, user.ensure_api_key()), ) elif destination == "rwpath": user = User(user_id) user.authorize(1, None, bypass=True) self.redirect( "rwpath://rainwave.cc/%s/%s" % (user.id, user.ensure_api_key()), ) else: self.redirect("/")
class WSHandler(tornado.websocket.WebSocketHandler): is_websocket = True local_only = False help_hidden = False locale = None sid = None uuid = None def check_origin(self, origin): if websocket_allow_from == "*": return True parsed_origin = urlparse.urlparse(origin) return parsed_origin.netloc.endswith(websocket_allow_from) def open(self, *args, **kwargs): super(WSHandler, self).open(*args, **kwargs) try: self.sid = int(args[0]) except Exception: pass if not self.sid: self.write_message({ "wserror": { "tl_key": "missing_station_id", "text": self.locale.translate("missing_station_id") } }) return if not self.sid in config.station_ids: self.write_message({ "wserror": { "tl_key": "invalid_station_id", "text": self.locale.translate("invalid_station_id") } }) return self.locale = get_browser_locale(self) self.authorized = False self.msg_times = [] self.throttled = False self.throttled_msgs = [] def rw_finish(self, *args, **kwargs): self.close() def keep_alive(self): self.write_message({ "ping": { "timestamp": timestamp() }}) def on_close(self): global sessions self.throttled_msgs = [] if self.sid: sessions[self.sid].remove(self) super(WSHandler, self).on_close() def write_message(self, obj, *args, **kwargs): message = json.dumps(obj) try: super(WSHandler, self).write_message(message, *args, **kwargs) except tornado.websocket.WebSocketClosedError: self.on_close() except tornado.websocket.WebSocketError as e: log.exception("websocket", "WebSocket Error", e) try: self.close() except Exception: self.on_close() def refresh_user(self): self.user.refresh(self.sid) # TODO: DJ permission checks def process_throttle(self): if not len(self.throttled_msgs): self.throttled = False return self.throttled_msgs.sort() # log.debug("throttle", "Throttled with %s messages" % len(self.throttled_msgs)) action = self.throttled_msgs[0]['action'] msg = None if not action in nonunique_actions: msgs = [ m for m in self.throttled_msgs if m['action'] == action ] msg = msgs.pop() for m in msgs: if "message_id" in m and fieldtypes.zero_or_greater_integer(m['message_id']): self.write_message({ "wsthrottle": { "tl_key": "websocket_throttle", "text": self.locale.translate("websocket_throttle") }, "message_id": { "message_id": fieldtypes.zero_or_greater_integer(m['message_id']), "success": False, "tl_key": "websocket_throttle" } }) self.throttled_msgs = [ m for m in self.throttled_msgs if m['action'] != action ] # log.debug("throttle", "Handling last throttled %s message." % action) else: msg = self.throttled_msgs.pop(0) # log.debug("throttle", "Handling last throttled %s message." % action) if msg: self._process_message(msg, is_throttle_process=True) tornado.ioloop.IOLoop.instance().add_timeout(datetime.timedelta(seconds=0.5), self.process_throttle) def should_vote_throttle(self): if not self.votes_by_key in votes_by: return 0 vote_limit = 3 # log.debug("vote_throttle", "%s - %s - %s" % (vote_limit, votes_by[self.votes_by_key], (timestamp() < (last_vote_by[self.votes_by_key] + vote_once_every_seconds)))) if (votes_by[self.votes_by_key] >= vote_limit) and (timestamp() < (last_vote_by[self.votes_by_key] + vote_once_every_seconds)): # log.debug("vote_throttle", (last_vote_by[self.votes_by_key] + vote_once_every_seconds) - timestamp()) return (last_vote_by[self.votes_by_key] + vote_once_every_seconds) - timestamp() return 0 def on_message(self, message_text): try: message = WSMessage() message.update(json.loads(message_text)) except: self.write_message({ "wserror": { "tl_key": "invalid_json", "text": self.locale.translate("invalid_json") } }) return if not "action" in message or not message['action']: self.write_message({ "wserror": { "tl_key": "missing_argument", "text": self.locale.translate("missing_argument", argument="action") } }) return if not self.authorized and message['action'] != "auth": self.write_message({ "wserror": { "tl_key": "auth_required", "text": self.locale.translate("auth_required") } }) return if not self.authorized and message['action'] == "auth": self._do_auth(message) return if message['action'] == "vote": if not message['entry_id']: self.write_message({ "wserror": { "tl_key": "missing_argument", "text": self.locale.translate("missing_argument", argument="entry_id") } }) elif not fieldtypes.integer(message['entry_id']): self.write_message({ "wserror": { "tl_key": "invalid_argument", "text": self.locale.translate("missing_argument", argument="entry_id", reason=fieldtypes.integer_error) } }) message['elec_id'] = rainwave.schedule.get_elec_id_for_entry(self.sid, message['entry_id']) self._process_message(message) def _process_message(self, message, is_throttle_process=False): message_id = None if "message_id" in message: message_id = fieldtypes.zero_or_greater_integer(message['message_id']) throt_t = timestamp() - 3 self.msg_times = [ t for t in self.msg_times if t > throt_t ] if not is_throttle_process: self.msg_times.append(timestamp()) # log.debug("throttle", "%s - %s" % (len(self.msg_times), message['action'])) if self.throttled: # log.debug("throttle", "Currently throttled, adding to queue.") self.throttled_msgs.append(message) return elif len(self.msg_times) >= 5: # log.debug("throttle", "Too many messages, throttling.") self.throttled = True self.throttled_msgs.append(message) tornado.ioloop.IOLoop.instance().add_timeout(datetime.timedelta(seconds=0.5), self.process_throttle) return if message['action'] == "ping": self.write_message({ "pong": { "timestamp": timestamp() } }) return if message['action'] == "pong": self.write_message({ "pongConfirm": { "timestamp": timestamp() } }) return if message['action'] == "vote": zeromq.publish({ "action": "vote_by", "by": self.votes_by_key }) if message['action'] == "check_sched_current_id": self._do_sched_check(message) return message['action'] = "/api4/%s" % message['action'] if not message['action'] in api_endpoints: self.write_message({ "wserror": { "tl_key": "websocket_404", "text": self.locale.translate("websocket_404") } }) return endpoint = api_endpoints[message['action']](websocket=True) endpoint.locale = self.locale endpoint.request = FakeRequestObject(message, self.request.cookies) endpoint.sid = message['sid'] if ('sid' in message and message['sid']) else self.sid endpoint.user = self.user #pylint: disable=W0212 try: startclock = timestamp() # TODO: this should be a part of prepare_standalone! # it's required to see if another person on the same IP address has overriden the vote # for the in-memory user here, so it requires a DB fetch. if message['action'] == "/api4/vote" and self.user.is_anonymous(): self.user.refresh(self.sid) if "message_id" in message: if message_id == None: endpoint.prepare_standalone() raise APIException("invalid_argument", argument="message_id", reason=fieldtypes.zero_or_greater_integer_error, http_code=400) endpoint.prepare_standalone(message_id) else: endpoint.prepare_standalone() endpoint.post() endpoint.append("api_info", { "exectime": timestamp() - startclock, "time": round(timestamp()) }) if endpoint.sync_across_sessions: if endpoint.return_name in endpoint._output and isinstance(endpoint._output[endpoint.return_name], dict) and not endpoint._output[endpoint.return_name]['success']: pass else: zeromq.publish({ "action": "result_sync", "sid": self.sid, "user_id": self.user.id, "data": endpoint._output, "uuid_exclusion": self.uuid }) if message['action'] == "/api4/vote" and endpoint.return_name in endpoint._output and isinstance(endpoint._output[endpoint.return_name], dict) and endpoint._output[endpoint.return_name]['success']: live_voting = rainwave.schedule.update_live_voting(self.sid) endpoint.append("live_voting", live_voting) if self.should_vote_throttle(): zeromq.publish({ "action": "delayed_live_voting", "sid": self.sid, "uuid_exclusion": self.uuid, "data": { "live_voting": live_voting } }) else: zeromq.publish({ "action": "live_voting", "sid": self.sid, "uuid_exclusion": self.uuid, "data": { "live_voting": live_voting } }) except Exception as e: endpoint.write_error(500, exc_info=sys.exc_info(), no_finish=True) log.exception("websocket", "API Exception during operation.", e) finally: self.write_message(endpoint._output) #pylint: enable=W0212 def update(self): handler = APIHandler(websocket=True) handler.locale = self.locale handler.request = FakeRequestObject({}, self.request.cookies) handler.sid = self.sid handler.user = self.user handler.return_name = "sync_result" try: startclock = timestamp() handler.prepare_standalone() if not cache.get_station(self.sid, "backend_ok"): raise APIException("station_offline") self.refresh_user() api_requests.info.attach_info_to_request(handler, live_voting=True) if self.user.is_dj(): api_requests.info.attach_dj_info_to_request(handler) handler.append("user", self.user.to_private_dict()) handler.append("api_info", { "exectime": timestamp() - startclock, "time": round(timestamp()) }) except Exception as e: if handler: handler.write_error(500, exc_info=sys.exc_info(), no_finish=True) log.exception("websocket", "Exception during update.", e) finally: if handler: self.write_message(handler._output) #pylint: disable=W0212 def update_user(self): self.write_message({ "user": self.user.to_private_dict() }) def login_mixup_warn(self): self.write_message({ "sync_result": { "tl_key": "redownload_m3u", "text": self.locale.translate("redownload_m3u") } }) def _do_auth(self, message): try: if not "user_id" in message or not message['user_id']: self.write_message({ "wserror": { "tl_key": "missing_argument", "text": self.locale.translate("missing_argument", argument="user_id") } }) if not isinstance(message['user_id'], numbers.Number): self.write_message({ "wserror": { "tl_key": "invalid_argument", "text": self.locale.translate("invalid_argument", argument="user_id") } }) if not "key" in message or not message['key']: self.write_message({ "wserror": { "tl_key": "missing_argument", "text": self.locale.translate("missing_argument", argument="key") } }) self.user = User(message['user_id']) self.user.ip_address = self.request.remote_ip self.user.authorize(None, message['key']) if not self.user.authorized: self.write_message({ "wserror": { "tl_key": "auth_failed", "text": self.locale.translate("auth_failed") } }) self.close() return self.authorized = True self.uuid = str(uuid.uuid4()) global sessions sessions[self.sid].append(self) self.votes_by_key = self.request.remote_ip if self.user.is_anonymous() else self.user.id self.refresh_user() # no need to send the user's data to the user as that would have come with bootstrap # and will come with each synchronization of the schedule anyway self.write_message({ "wsok": True }) # since this will be the first action in any websocket interaction though, # it'd be a good time to send a station offline message. self._station_offline_check() except Exception as e: log.exception("websocket", "Exception during authentication.", e) self.close() def _station_offline_check(self): if not cache.get_station(self.sid, "backend_ok"): # shamelessly fake an error. self.write_message({ "sync_result": { "tl_key": "station_offline", "text": self.locale.translate("station_offline") } }) def _do_sched_check(self, message): if not "sched_id" in message or not message['sched_id']: self.write_message({ "wserror": { "tl_key": "missing_argument", "text": self.locale.translate("missing_argument", argument="sched_id") } }) return if not isinstance(message['sched_id'], numbers.Number): self.write_message({ "wserror": { "tl_key": "invalid_argument", "text": self.locale.translate("invalid_argument", argument="sched_id") } }) self._station_offline_check() if cache.get_station(self.sid, "sched_current_dict") and (cache.get_station(self.sid, "sched_current_dict")['id'] != message['sched_id']): self.update() self.write_message({ "outdated_data_warning": { "outdated": True } })
class RainwaveHandler(tornado.web.RequestHandler): # The following variables can be overridden by you. # Fields is a hash with { "form_name" => (fieldtypes.[something], True|False|None) } format, so that automatic form validation can be done for you. True/False values are for required/optional. # A True requirement means it must be present and valid # A False requirement means it is optional, but if present, must be valid # A None requirement means it is optional, and if present and invalid, will be set to None fields = {} # This URL variable is setup by the server decorator - DON'T TOUCH IT. url = False # Do we need a Rainwave auth key for this request? auth_required = True # return_name is used for documentation, can be an array. # If not inherited, return_key automatically turns into url + "_result". Useful for simple requests like rate, vote, etc. return_name = None # Validate user's tuned in status first. tunein_required = False # Validate user's logged in status first. login_required = False # User must be a DJ for the next, current, or history[0] event dj_required = False # User must have an unused DJ-able event in the future dj_preparation = False # Validate user is a station administrator. admin_required = False # Do we need a valid SID as part of the submitted form? sid_required = True # Description string for documentation. description = "Undocumented." # Error codes for documentation. return_codes = None # Restricts requests to config.get("api_trusted_ip_addresses") (presumably 127.0.0.1) local_only = False # Should the user be free to vote and rate? unlocked_listener_only = False # Do we allow GET HTTP requests to this URL? (standard is "no") allow_get = False # Use phpBB session/token auth? phpbb_auth = False # Does the user need perks (donor/beta/etc) to see this request/page? perks_required = False # hide from help, meant really only for things like redirect pages help_hidden = False # automatically add pagination to an API request. use self.get_sql_limit_string()! pagination = False # allow access to station ID 0 allow_sid_zero = False # set to allow from any source allow_cors = False # sync result across all user's websocket sessions sync_across_sessions = False def __init__(self, *args, **kwargs): if not 'websocket' in kwargs: super(RainwaveHandler, self).__init__(*args, **kwargs) self.cleaned_args = {} self.sid = None self._startclock = timestamp() self.user = None self._output = None self._output_array = False self.mobile = False def initialize(self, **kwargs): super(RainwaveHandler, self).initialize(**kwargs) if self.pagination: self.fields['per_page'] = (fieldtypes.zero_or_greater_integer, False) self.fields['page_start'] = (fieldtypes.zero_or_greater_integer, False) def set_cookie(self, name, value, *args, **kwargs): if isinstance(value, (int, long)): value = repr(value) super(RainwaveHandler, self).set_cookie(name, value, *args, **kwargs) def get_argument(self, name, default=None, **kwargs): if name in self.cleaned_args: return self.cleaned_args[name] if name in self.request.arguments: if isinstance(self.request.arguments[name], list): return self.request.arguments[name][-1].strip() return self.request.arguments[name] return default def set_argument(self, name, value): self.cleaned_args[name] = value def get_browser_locale(self, default="en_CA"): return get_browser_locale(self, default) def setup_output(self): if not self.return_name: self.return_name = self.url[self.url.rfind("/") + 1:] + "_result" else: self.return_name = self.return_name def arg_parse(self): for field, field_attribs in self.__class__.fields.iteritems(): type_cast, required = field_attribs parsed = None if required and field not in self.request.arguments: raise APIException("missing_argument", argument=field, http_code=400) elif field in self.request.arguments: parsed = type_cast(self.get_argument(field), self) if parsed == None and required != None: raise APIException( "invalid_argument", argument=field, reason="%s %s" % (field, getattr(fieldtypes, "%s_error" % type_cast.__name__)), http_code=400) self.cleaned_args[field] = parsed def sid_check(self): if self.sid is None and not self.sid_required: self.sid = config.get("default_station") if self.sid == 0 and self.allow_sid_zero: pass elif not self.sid in config.station_ids: raise APIException("invalid_station_id", http_code=400) def permission_checks(self): if (self.login_required or self.admin_required or self.dj_required) and (not self.user or self.user.is_anonymous()): raise APIException("login_required", http_code=403) if self.tunein_required and (not self.user or not self.user.is_tunedin()): raise APIException("tunein_required", http_code=403) if self.admin_required and (not self.user or not self.user.is_admin()): raise APIException("admin_required", http_code=403) if self.perks_required and (not self.user or not self.user.has_perks()): raise APIException("perks_required", http_code=403) if self.unlocked_listener_only and not self.user: raise APIException("auth_required", http_code=403) elif self.unlocked_listener_only and self.user.data[ 'lock'] and self.user.data['lock_sid'] != self.sid: raise APIException( "unlocked_only", station=config.station_id_friendly[self.user.data['lock_sid']], lock_counter=self.user.data['lock_counter'], http_code=403) is_dj = False if self.dj_required and not self.user: raise APIException("dj_required", http_code=403) if self.dj_required and not self.user.is_admin(): potential_djs = cache.get_station(self.sid, "dj_user_ids") if not potential_djs or not self.user.id in potential_djs: raise APIException("dj_required", http_code=403) is_dj = True self.user.data['dj'] = True elif self.dj_required and self.user.is_admin(): is_dj = True self.user.data['dj'] = True if self.dj_preparation and not is_dj and not self.user.is_admin(): if not db.c.fetch_var( "SELECT COUNT(*) FROM r4_schedule WHERE sched_used = 0 AND sched_dj_user_id = %s", (self.user.id, )): raise APIException("dj_required", http_code=403) # Called by Tornado, allows us to setup our request as we wish. User handling, form validation, etc. take place here. def prepare(self): if self.local_only and not self.request.remote_ip in config.get( "api_trusted_ip_addresses"): log.info( "api", "Rejected %s request from %s, untrusted address." % (self.url, self.request.remote_ip)) raise APIException( "rejected", text="You are not coming from a trusted address.") if self.allow_cors: self.set_header("Access-Control-Allow-Origin", "*") self.set_header("Access-Control-Max-Age", "600") self.set_header("Access-Control-Allow-Credentials", "false") if not isinstance(self.locale, locale.RainwaveLocale): self.locale = self.get_browser_locale() self.setup_output() if 'in_order' in self.request.arguments: self._output = [] self._output_array = True else: self._output = {} self.sid = fieldtypes.integer(self.get_cookie("r4_sid", None)) hostname = self.request.headers.get('Host', None) if hostname: hostname = unicode(hostname).split(":")[0] if hostname in config.station_hostnames: self.sid = config.station_hostnames[hostname] sid_arg = fieldtypes.integer(self.get_argument("sid", None)) if sid_arg is not None: self.sid = sid_arg if self.sid is None and self.sid_required: raise APIException("missing_station_id", http_code=400) self.arg_parse() self.sid_check() if self.sid: self.set_cookie("r4_sid", str(self.sid), expires_days=365, domain=config.get("cookie_domain")) if self.phpbb_auth: self.do_phpbb_auth() else: self.rainwave_auth() if not self.user and self.auth_required: raise APIException("auth_required", http_code=403) elif not self.user and not self.auth_required: self.user = User(1) self.user.ip_address = self.request.remote_ip self.user.refresh(self.sid) if self.user and config.get("store_prefs"): self.user.save_preferences(self.request.remote_ip, self.get_cookie("r4_prefs", None)) self.permission_checks() # works without touching cookies or headers, primarily used for websocket requests def prepare_standalone(self, message_id=None): self._output = {} if message_id != None: self.append("message_id", {"message_id": message_id}) self.setup_output() self.arg_parse() self.sid_check() self.permission_checks() def do_phpbb_auth(self): phpbb_cookie_name = config.get("phpbb_cookie_name") + "_" user_id = fieldtypes.integer( self.get_cookie(phpbb_cookie_name + "u", "")) if not user_id: pass else: if self._verify_phpbb_session(user_id): # update_phpbb_session is done by verify_phpbb_session if successful self.user = User(user_id) self.user.ip_address = self.request.remote_ip self.user.authorize(self.sid, None, bypass=True) return True if not self.user and self.get_cookie(phpbb_cookie_name + "k"): can_login = db.c.fetch_var( "SELECT 1 FROM phpbb_sessions_keys WHERE key_id = %s AND user_id = %s", (hashlib.md5(self.get_cookie(phpbb_cookie_name + "k")).hexdigest(), user_id)) if can_login == 1: self._update_phpbb_session( self._get_phpbb_session(user_id)) self.user = User(user_id) self.user.ip_address = self.request.remote_ip self.user.authorize(self.sid, None, bypass=True) return True return False def _verify_phpbb_session(self, user_id=None): # TODO: Do we want to enhance this with IP checking and other bits and pieces like phpBB does? if not user_id and not self.user: return None if not user_id: user_id = self.user.id cookie_session = self.get_cookie( config.get("phpbb_cookie_name") + "_sid") if cookie_session: if cookie_session == db.c.fetch_var( "SELECT session_id FROM phpbb_sessions WHERE session_user_id = %s AND session_id = %s", (user_id, cookie_session)): self._update_phpbb_session(cookie_session) return cookie_session return None def _get_phpbb_session(self, user_id=None): return db.c.fetch_var( "SELECT session_id FROM phpbb_sessions WHERE session_user_id = %s ORDER BY session_last_visit DESC LIMIT 1", (user_id, )) def _update_phpbb_session(self, session_id): db.c.update( "UPDATE phpbb_sessions SET session_last_visit = %s, session_page = %s WHERE session_id = %s", (int(timestamp()), "rainwave", session_id)) def rainwave_auth(self): user_id_present = "user_id" in self.request.arguments if self.auth_required and not user_id_present: raise APIException("missing_argument", argument="user_id", http_code=400) if user_id_present and not fieldtypes.numeric( self.get_argument("user_id")): # do not spit out the user ID back at them, that would create a potential XSS hack raise APIException("invalid_argument", argument="user_id", reason="not numeric.", http_code=400) if (self.auth_required or user_id_present) and not "key" in self.request.arguments: raise APIException("missing_argument", argument="key", http_code=400) if user_id_present: self.user = User(long(self.get_argument("user_id"))) self.user.ip_address = self.request.remote_ip self.user.authorize(self.sid, self.get_argument("key")) if not self.user.authorized: raise APIException("auth_failed", http_code=403) else: self._update_phpbb_session( self._get_phpbb_session(self.user.id)) # Handles adding dictionaries for JSON output # Will return a "code" if it exists in the hash passed in, if not, returns True def append(self, key, dct): if dct == None: return if self._output_array: self._output.append({key: dct}) else: self._output[key] = dct if isinstance(dct, dict) and "code" in dct: return dct["code"] return True def append_standard(self, tl_key, text=None, success=True, return_name=None, **kwargs): if not text: text = self.locale.translate(tl_key, **kwargs) kwargs.update({"success": success, "tl_key": tl_key, "text": text}) if return_name: self.append(return_name, kwargs) else: self.append(self.return_name, kwargs) def write_error(self, status_code, **kwargs): if kwargs.has_key("exc_info"): exc = kwargs['exc_info'][1] if isinstance(exc, APIException): exc.localize(self.locale) log.debug("exception", exc.reason) def get_sql_limit_string(self): if not self.pagination: return "" limit = "" if self.get_argument("per_page") != None: if not self.get_argument("per_page"): limit = "LIMIT ALL" else: limit = "LIMIT %s" % self.get_argument("per_page") else: limit = "LIMIT 100" if self.get_argument("page_start"): limit += " OFFSET %s" % self.get_argument("page_start") return limit
class RainwaveHandler(tornado.web.RequestHandler): # The following variables can be overridden by you. # Fields is a hash with { "form_name" => (fieldtypes.[something], True|False|None } format, so that automatic form validation can be done for you. True/False values are for required/optional. # A True requirement means it must be present and valid # A False requirement means it is optional, but if present, must be valid # A None requirement means it is optional, and if present and invalid, will be set to None fields = {} # This URL variable is setup by the server decorator - DON'T TOUCH IT. url = False # Do we need a Rainwave auth key for this request? auth_required = True # return_name is used for documentation, can be an array. # If not inherited, return_key automatically turns into url + "_result". Useful for simple requests like rate, vote, etc. return_name = None # Validate user's tuned in status first. tunein_required = False # Validate user's logged in status first. login_required = False # Validate user is a station administrator. admin_required = False # Validate user is currently DJing. dj_required = False # Do we need a valid SID as part of the submitted form? sid_required = True # Description string for documentation. description = "Undocumented." # Error codes for documentation. return_codes = None # Restricts requests to config.get("api_trusted_ip_addresses") (presumably 127.0.0.1) local_only = False # Should the user be free to vote and rate? unlocked_listener_only = False # Do we allow GET HTTP requests to this URL? (standard is "no") allow_get = False # Use phpBB session/token auth? phpbb_auth = False # Does the user need perks (donor/beta/etc) to see this request/page? perks_required = False # hide from help, meant really only for things like redirect pages help_hidden = False # automatically add pagination to an API request. use self.get_sql_limit_string()! pagination = False def __init__(self, *args, **kwargs): super(RainwaveHandler, self).__init__(*args, **kwargs) self.cleaned_args = {} self.cookie_prefs = {} self.sid = None self._startclock = time.time() self.user = None self._output = None self._output_array = False self.mobile = False def initialize(self, **kwargs): super(RainwaveHandler, self).initialize(**kwargs) if self.pagination: self.fields['per_page'] = (fieldtypes.zero_or_greater_integer, False) self.fields['page_start'] = (fieldtypes.zero_or_greater_integer, False) def set_cookie(self, name, value, *args, **kwargs): if isinstance(value, (int, long)): value = repr(value) super(RainwaveHandler, self).set_cookie(name, value, *args, **kwargs) def get_argument(self, name, *args, **kwargs): if name in self.cleaned_args: return self.cleaned_args[name] return super(RainwaveHandler, self).get_argument(name, *args, **kwargs) def set_argument(self, name, value): self.cleaned_args[name] = value def get_browser_locale(self, default="en_CA"): """Determines the user's locale from ``Accept-Language`` header. Copied from Tornado, adapted slightly. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.4 """ if "rw_lang" in self.cookies: if locale.RainwaveLocale.exists(self.cookies['rw_lang'].value): return locale.RainwaveLocale.get(self.cookies['rw_lang'].value) if "Accept-Language" in self.request.headers: languages = self.request.headers["Accept-Language"].split(",") locales = [] for language in languages: parts = language.strip().split(";") if len(parts) > 1 and parts[1].startswith("q="): try: score = float(parts[1][2:]) except (ValueError, TypeError): score = 0.0 else: score = 1.0 locales.append((parts[0], score)) if locales: locales.sort(key=lambda pair: pair[1], reverse=True) codes = [l[0] for l in locales] return locale.RainwaveLocale.get_closest(codes) return locale.RainwaveLocale.get(default) # Called by Tornado, allows us to setup our request as we wish. User handling, form validation, etc. take place here. def prepare(self): if self.local_only and not self.request.remote_ip in config.get( "api_trusted_ip_addresses"): log.info( "api", "Rejected %s request from %s, untrusted address." % (self.url, self.request.remote_ip)) raise APIException( "rejected", text="You are not coming from a trusted address.") if not isinstance(self.locale, locale.RainwaveLocale): self.locale = self.get_browser_locale() if not self.return_name: self.return_name = self.url[self.url.rfind("/") + 1:] + "_result" else: self.return_name = self.return_name if self.admin_required or self.dj_required: self.login_required = True if 'in_order' in self.request.arguments: self._output = [] self._output_array = True else: self._output = {} self.sid = fieldtypes.integer(self.get_cookie("r4_sid", None)) hostname = self.request.headers.get('Host', None) if hostname: hostname = unicode(hostname).split(":")[0] if hostname in config.station_hostnames: self.sid = config.station_hostnames[hostname] self.sid = fieldtypes.integer(self.get_argument("sid", None)) or self.sid if self.sid and not self.sid in config.station_ids: self.sid = None if not self.sid and self.sid_required: raise APIException("missing_station_id", http_code=400) for field, field_attribs in self.__class__.fields.iteritems(): type_cast, required = field_attribs if required and field not in self.request.arguments: raise APIException("missing_argument", argument=field, http_code=400) elif not required and field not in self.request.arguments: self.cleaned_args[field] = None else: parsed = type_cast(self.get_argument(field), self) if parsed == None and required != None: raise APIException( "invalid_argument", argument=field, reason="%s %s" % (field, getattr(fieldtypes, "%s_error" % type_cast.__name__)), http_code=400) else: self.cleaned_args[field] = parsed if not self.sid and not self.sid_required: self.sid = 5 if not self.sid in config.station_ids: raise APIException("invalid_station_id", http_code=400) self.set_cookie("r4_sid", str(self.sid), expires_days=365, domain=config.get("cookie_domain")) if self.phpbb_auth: self.do_phpbb_auth() else: self.rainwave_auth() if not self.user and self.auth_required: raise APIException("auth_required", http_code=403) elif not self.user and not self.auth_required: self.user = User(1) self.user.ip_address = self.request.remote_ip self.user.refresh(self.sid) if self.login_required and (not self.user or self.user.is_anonymous()): raise APIException("login_required", http_code=403) if self.tunein_required and (not self.user or not self.user.is_tunedin()): raise APIException("tunein_required", http_code=403) if self.admin_required and (not self.user or not self.user.is_admin()): raise APIException("admin_required", http_code=403) if self.dj_required and (not self.user or not self.user.is_dj()): raise APIException("dj_required", http_code=403) if self.perks_required and (not self.user or not self.user.has_perks()): raise APIException("perks_required", http_code=403) if self.unlocked_listener_only and not self.user: raise APIException("auth_required", http_code=403) elif self.unlocked_listener_only and self.user.data[ 'lock'] and self.user.data['lock_sid'] != self.sid: raise APIException( "unlocked_only", station=config.station_id_friendly[self.user.data['lock_sid']], lock_counter=self.user.data['lock_counter'], http_code=403) def do_phpbb_auth(self): phpbb_cookie_name = config.get("phpbb_cookie_name") user_id = fieldtypes.integer( self.get_cookie(phpbb_cookie_name + "u", "")) if not user_id: pass else: if self._verify_phpbb_session(user_id): # update_phpbb_session is done by verify_phpbb_session if successful self.user = User(user_id) self.user.ip_address = self.request.remote_ip self.user.authorize(self.sid, None, bypass=True) return True if not self.user and self.get_cookie(phpbb_cookie_name + "k"): can_login = db.c.fetch_var( "SELECT 1 FROM phpbb_sessions_keys WHERE key_id = %s AND user_id = %s", (hashlib.md5(self.get_cookie(phpbb_cookie_name + "k")).hexdigest(), user_id)) if can_login == 1: self._update_phpbb_session( self._get_phpbb_session(user_id)) self.user = User(user_id) self.user.ip_address = self.request.remote_ip self.user.authorize(self.sid, None, bypass=True) return True return False def _verify_phpbb_session(self, user_id=None): # TODO: Do we want to enhance this with IP checking and other bits and pieces like phpBB does? if not user_id and not self.user: return None if not user_id: user_id = self.user.id cookie_session = self.get_cookie( config.get("phpbb_cookie_name") + "sid") if cookie_session: if cookie_session == db.c.fetch_var( "SELECT session_id FROM phpbb_sessions WHERE session_user_id = %s AND session_id = %s", (user_id, cookie_session)): self._update_phpbb_session(cookie_session) return cookie_session return None def _get_phpbb_session(self, user_id=None): return db.c.fetch_var( "SELECT session_id FROM phpbb_sessions WHERE session_user_id = %s ORDER BY session_last_visit DESC LIMIT 1", (user_id, )) def _update_phpbb_session(self, session_id): db.c.update( "UPDATE phpbb_sessions SET session_last_visit = %s, session_page = %s WHERE session_id = %s", (int(time.time()), "rainwave", session_id)) def rainwave_auth(self): user_id_present = "user_id" in self.request.arguments if self.auth_required and not user_id_present: raise APIException("missing_argument", argument="user_id", http_code=400) if user_id_present and not fieldtypes.numeric( self.get_argument("user_id")): # do not spit out the user ID back at them, that would create a potential XSS hack raise APIException("invalid_argument", argument="user_id", reason="not numeric.", http_code=400) if (self.auth_required or user_id_present) and not "key" in self.request.arguments: raise APIException("missing_argument", argument="key", http_code=400) if user_id_present: self.user = User(long(self.get_argument("user_id"))) self.user.ip_address = self.request.remote_ip self.user.authorize(self.sid, self.get_argument("key")) if not self.user.authorized: raise APIException("auth_failed", http_code=403) else: self._update_phpbb_session( self._get_phpbb_session(self.user.id)) # Handles adding dictionaries for JSON output # Will return a "code" if it exists in the hash passed in, if not, returns True def append(self, key, dct): if dct == None: return if self._output_array: self._output.append({key: dct}) else: self._output[key] = dct if "code" in dct: return dct["code"] return True def append_standard(self, tl_key, text=None, success=True, return_name=None, **kwargs): if not text: text = self.locale.translate(tl_key, **kwargs) kwargs.update({"success": success, "tl_key": tl_key, "text": text}) if return_name: self.append(return_name, kwargs) else: self.append(self.return_name, kwargs) def write_error(self, status_code, **kwargs): if kwargs.has_key("exc_info"): exc = kwargs['exc_info'][1] if isinstance(exc, APIException): exc.localize(self.locale) log.debug("exception", exc.reason) def get_sql_limit_string(self): if not self.pagination: return "" limit = "" if self.get_argument("per_page") != None: if self.get_argument("per_page") == "0": limit = "LIMIT ALL" else: limit = "LIMIT %s" % self.get_argument("per_page") else: limit = "LIMIT 100" if self.get_argument("page_start"): limit += " OFFSET %s" % self.get_argument("page_start") return limit
class RainwaveHandler(tornado.web.RequestHandler): # The following variables can be overridden by you. # Fields is a hash with { "form_name" => (fieldtypes.[something], True|False|None } format, so that automatic form validation can be done for you. True/False values are for required/optional. # A True requirement means it must be present and valid # A False requirement means it is optional, but if present, must be valid # A None requirement means it is optional, and if present and invalid, will be set to None fields = {} # This URL variable is setup by the server decorator - DON'T TOUCH IT. url = False # Do we need a Rainwave auth key for this request? auth_required = True # return_name is used for documentation, can be an array. # If not inherited, return_key automatically turns into url + "_result". Useful for simple requests like rate, vote, etc. return_name = None # Validate user's tuned in status first. tunein_required = False # Validate user's logged in status first. login_required = False # Validate user is a station administrator. admin_required = False # Validate user is currently DJing. dj_required = False # Do we need a valid SID as part of the submitted form? sid_required = True # Description string for documentation. description = "Undocumented." # Error codes for documentation. return_codes = None # Restricts requests to config.get("api_trusted_ip_addresses") (presumably 127.0.0.1) local_only = False # Should the user be free to vote and rate? unlocked_listener_only = False # Do we allow GET HTTP requests to this URL? (standard is "no") allow_get = False # Use phpBB session/token auth? phpbb_auth = False # Does the user need perks (donor/beta/etc) to see this request/page? perks_required = False def initialize(self, **kwargs): super(RainwaveHandler, self).initialize(**kwargs) self.cleaned_args = {} def set_cookie(self, name, value, **kwargs): if isinstance(value, (int, long)): value = repr(value) super(RainwaveHandler, self).set_cookie(name, value, **kwargs) def get_argument(self, name): if name in self.cleaned_args: return self.cleaned_args[name] return super(RainwaveHandler, self).get_argument(name) def set_argument(self, name, value): self.cleaned_args[name] = value def get_browser_locale(self, default="en_CA"): """Determines the user's locale from ``Accept-Language`` header. Copied from Tornado, adapted slightly. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.4 """ if "Accept-Language" in self.request.headers: languages = self.request.headers["Accept-Language"].split(",") locales = [] for language in languages: parts = language.strip().split(";") if len(parts) > 1 and parts[1].startswith("q="): try: score = float(parts[1][2:]) except (ValueError, TypeError): score = 0.0 else: score = 1.0 locales.append((parts[0], score)) if locales: locales.sort(key=lambda pair: pair[1], reverse=True) codes = [l[0] for l in locales] return locale.RainwaveLocale.get_closest(codes) return locale.RainwaveLocale.get(default) # Called by Tornado, allows us to setup our request as we wish. User handling, form validation, etc. take place here. def prepare(self): self._startclock = time.time() self.user = None if self.local_only and not self.request.remote_ip in config.get("api_trusted_ip_addresses"): log.info("api", "Rejected %s request from %s" % (self.url, self.request.remote_ip)) self.set_status(403) self.finish() if not isinstance(self.locale, locale.RainwaveLocale): self.locale = self.get_browser_locale() if not self.return_name: self.return_name = self.url[self.url.rfind("/")+1:] + "_result" else: self.return_name = self.return_name if self.admin_required or self.dj_required: self.login_required = True if 'in_order' in self.request.arguments: self._output = [] self._output_array = True else: self._output = {} self._output_array = False self.sid = fieldtypes.integer(self.get_cookie("r4_sid", "1")) if "sid" in self.request.arguments: self.sid = int(self.get_argument("sid")) elif not self.sid: for possible_sid in config.station_ids: if self.request.host == config.get_station(possible_sid, "host"): self.sid = possible_sid break if not self.sid and self.sid_required: raise APIException("missing_station_id", http_code=400) if self.sid and not self.sid in config.station_ids: raise APIException("invalid_station_id", http_code=400) self.set_cookie("r4_sid", str(self.sid), expires_days=365, domain=config.get("cookie_domain")) for field, field_attribs in self.__class__.fields.iteritems(): type_cast, required = field_attribs if required and field not in self.request.arguments: raise APIException("missing_argument", argument=field, http_code=400) elif not required and field not in self.request.arguments: self.cleaned_args[field] = None else: parsed = type_cast(self.get_argument(field), self) if parsed == None and required != None: raise APIException("invalid_argument", argument=field, reason=getattr(fieldtypes, "%s_error" % type_cast.__name__), http_code=400) else: self.cleaned_args[field] = parsed if self.phpbb_auth: self.do_phpbb_auth() else: self.rainwave_auth() if self.auth_required and not self.user: raise APIException("auth_required", http_code=403) if self.login_required and (not self.user or self.user.is_anonymous()): raise APIException("login_required", http_code=403) if self.tunein_required and (not self.user or not self.user.is_tunedin()): raise APIException("tunein_required", http_code=403) if self.admin_required and (not self.user or not self.user.is_admin()): raise APIException("admin_required", http_code=403) if self.dj_required and (not self.user or not self.user.is_dj()): raise APIException("dj_required", http_code=403) if self.perks_required and (not self.user or not self.user.has_perks()): raise APIException("perks_required", http_code=403) if self.unlocked_listener_only and not self.user: raise APIException("auth_required", http_code=403) elif self.unlocked_listener_only and self.user.data['listener_lock'] and self.user.data['listener_lock_sid'] != self.sid: raise APIException("unlocked_only", station=config.station_id_friendly[self.user.data['listener_lock_sid']], lock_counter=self.user.data['listener_lock_counter'], http_code=403) def do_phpbb_auth(self): phpbb_cookie_name = config.get("phpbb_cookie_name") self.user = None if not fieldtypes.integer(self.get_cookie(phpbb_cookie_name + "u", "")): self.user = User(1) else: user_id = int(self.get_cookie(phpbb_cookie_name + "u")) if self._verify_phpbb_session(user_id): # update_phpbb_session is done by verify_phpbb_session if successful self.user = User(user_id) self.user.authorize(self.sid, None, None, True) return True if not self.user and self.get_cookie(phpbb_cookie_name + "k"): can_login = db.c_old.fetch_var("SELECT 1 FROM phpbb_sessions_keys WHERE key_id = %s AND user_id = %s", (hashlib.md5(self.get_cookie(phpbb_cookie_name + "k")).hexdigest(), user_id)) if can_login == 1: self._update_phpbb_session(self._get_phpbb_session(user_id)) self.user = User(user_id) self.user.authorize(self.sid, None, None, True) return True return False def _verify_phpbb_session(self, user_id = None): # TODO: Do we want to enhance this with IP checking and other bits and pieces like phpBB does? if not user_id and not self.user: return None if not user_id: user_id = self.user.id cookie_session = self.get_cookie(config.get("phpbb_cookie_name") + "sid") if cookie_session: if cookie_session == db.c_old.fetch_var("SELECT session_id FROM phpbb_sessions WHERE session_user_id = %s AND session_id = %s", (user_id, cookie_session)): self._update_phpbb_session(cookie_session) return cookie_session return None def _get_phpbb_session(self, user_id = None): return db.c_old.fetch_var("SELECT session_id FROM phpbb_sessions WHERE session_user_id = %s ORDER BY session_last_visit DESC LIMIT 1", (user_id,)) def _update_phpbb_session(self, session_id): db.c_old.update("UPDATE phpbb_sessions SET session_last_visit = %s, session_page = %s WHERE session_id = %s", (int(time.time()), "rainwave", session_id)) def rainwave_auth(self): user_id_present = "user_id" in self.request.arguments if self.auth_required and not user_id_present: raise APIException("missing_argument", argument="user_id", http_code=400) if user_id_present and not fieldtypes.numeric(self.get_argument("user_id")): # do not spit out the user ID back at them, that would create a potential XSS hack raise APIException("invalid_argument", argument="user_id", reason="not numeric.", http_code=400) if (self.auth_required or user_id_present) and not "key" in self.request.arguments: raise APIException("missing_argument", argument="key", http_code=400) self.user = None if user_id_present: self.user = User(long(self.get_argument("user_id"))) self.user.authorize(self.sid, self.request.remote_ip, self.get_argument("key")) if not self.user.authorized: raise APIException("auth_failed", http_code=403) # In case the raise is suppressed self.user = None else: self._update_phpbb_session(self._get_phpbb_session(self.user.id)) self.sid = self.user.request_sid # Handles adding dictionaries for JSON output # Will return a "code" if it exists in the hash passed in, if not, returns True def append(self, key, hash): if hash == None: return if self._output_array: self._output.append({ key: hash }) else: self._output[key] = hash if "code" in hash: return hash["code"] return True def append_standard(self, tl_key, text = None, success = True, **kwargs): if not text: text = self.locale.translate(tl_key, **kwargs) kwargs.update({ "success": success, "tl_key": tl_key, "text": text }) self.append(self.return_name, kwargs)
class RainwaveHandler(tornado.web.RequestHandler): # The following variables can be overridden by you. # Fields is a hash with { "form_name" => (fieldtypes.[something], True|False|None) } format, so that automatic form validation can be done for you. True/False values are for required/optional. # A True requirement means it must be present and valid # A False requirement means it is optional, but if present, must be valid # A None requirement means it is optional, and if present and invalid, will be set to None fields = {} # This URL variable is setup by the server decorator - DON'T TOUCH IT. url = False # Do we need a Rainwave auth key for this request? auth_required = True # return_name is used for documentation, can be an array. # If not inherited, return_key automatically turns into url + "_result". Useful for simple requests like rate, vote, etc. return_name = None # Validate user's tuned in status first. tunein_required = False # Validate user's logged in status first. login_required = False # User must be a DJ for the next, current, or history[0] event dj_required = False # User must have an unused DJ-able event in the future dj_preparation = False # Validate user is a station administrator. admin_required = False # Do we need a valid SID as part of the submitted form? sid_required = True # Description string for documentation. description = "Undocumented." # Error codes for documentation. return_codes = None # Restricts requests to config.get("api_trusted_ip_addresses") (presumably 127.0.0.1) local_only = False # Should the user be free to vote and rate? unlocked_listener_only = False # Do we allow GET HTTP requests to this URL? (standard is "no") allow_get = False # Use phpBB session/token auth? phpbb_auth = False # Does the user need perks (donor/beta/etc) to see this request/page? perks_required = False # hide from help, meant really only for things like redirect pages help_hidden = False # automatically add pagination to an API request. use self.get_sql_limit_string()! pagination = False # allow access to station ID 0 allow_sid_zero = False # set to allow from any source allow_cors = False # sync result across all user's websocket sessions sync_across_sessions = False def __init__(self, *args, **kwargs): if not 'websocket' in kwargs: super(RainwaveHandler, self).__init__(*args, **kwargs) self.cleaned_args = {} self.sid = None self._startclock = timestamp() self.user = None self._output = None self._output_array = False self.mobile = False def initialize(self, **kwargs): super(RainwaveHandler, self).initialize(**kwargs) if self.pagination: self.fields['per_page'] = (fieldtypes.zero_or_greater_integer, False) self.fields['page_start'] = (fieldtypes.zero_or_greater_integer, False) def set_cookie(self, name, value, *args, **kwargs): if isinstance(value, (int, long)): value = repr(value) super(RainwaveHandler, self).set_cookie(name, value, *args, **kwargs) def get_argument(self, name, default=None, **kwargs): if name in self.cleaned_args: return self.cleaned_args[name] if name in self.request.arguments: if isinstance(self.request.arguments[name], list): return self.request.arguments[name][-1].strip() return self.request.arguments[name] return default def set_argument(self, name, value): self.cleaned_args[name] = value def get_browser_locale(self, default="en_CA"): return get_browser_locale(self, default) def setup_output(self): if not self.return_name: self.return_name = self.url[self.url.rfind("/")+1:] + "_result" else: self.return_name = self.return_name def arg_parse(self): for field, field_attribs in self.__class__.fields.iteritems(): type_cast, required = field_attribs parsed = None if required and field not in self.request.arguments: raise APIException("missing_argument", argument=field, http_code=400) elif field in self.request.arguments: parsed = type_cast(self.get_argument(field), self) if parsed == None and required != None: raise APIException("invalid_argument", argument=field, reason="%s %s" % (field, getattr(fieldtypes, "%s_error" % type_cast.__name__)), http_code=400) self.cleaned_args[field] = parsed def sid_check(self): if self.sid is None and not self.sid_required: self.sid = config.get("default_station") if self.sid == 0 and self.allow_sid_zero: pass elif not self.sid in config.station_ids: raise APIException("invalid_station_id", http_code=400) def permission_checks(self): if (self.login_required or self.admin_required or self.dj_required) and (not self.user or self.user.is_anonymous()): raise APIException("login_required", http_code=403) if self.tunein_required and (not self.user or not self.user.is_tunedin()): raise APIException("tunein_required", http_code=403) if self.admin_required and (not self.user or not self.user.is_admin()): raise APIException("admin_required", http_code=403) if self.perks_required and (not self.user or not self.user.has_perks()): raise APIException("perks_required", http_code=403) if self.unlocked_listener_only and not self.user: raise APIException("auth_required", http_code=403) elif self.unlocked_listener_only and self.user.data['lock'] and self.user.data['lock_sid'] != self.sid: raise APIException("unlocked_only", station=config.station_id_friendly[self.user.data['lock_sid']], lock_counter=self.user.data['lock_counter'], http_code=403) is_dj = False if self.dj_required and not self.user: raise APIException("dj_required", http_code=403) if self.dj_required and not self.user.is_admin(): potential_djs = cache.get_station(self.sid, "dj_user_ids") if not potential_djs or not self.user.id in potential_djs: raise APIException("dj_required", http_code=403) is_dj = True self.user.data['dj'] = True elif self.dj_required and self.user.is_admin(): is_dj = True self.user.data['dj'] = True if self.dj_preparation and not is_dj and not self.user.is_admin(): if not db.c.fetch_var("SELECT COUNT(*) FROM r4_schedule WHERE sched_used = 0 AND sched_dj_user_id = %s", (self.user.id,)): raise APIException("dj_required", http_code=403) # Called by Tornado, allows us to setup our request as we wish. User handling, form validation, etc. take place here. def prepare(self): if self.local_only and not self.request.remote_ip in config.get("api_trusted_ip_addresses"): log.info("api", "Rejected %s request from %s, untrusted address." % (self.url, self.request.remote_ip)) raise APIException("rejected", text="You are not coming from a trusted address.") if self.allow_cors: self.set_header("Access-Control-Allow-Origin", "*") self.set_header("Access-Control-Max-Age", "600") self.set_header("Access-Control-Allow-Credentials", "false") if not isinstance(self.locale, locale.RainwaveLocale): self.locale = self.get_browser_locale() self.setup_output() if 'in_order' in self.request.arguments: self._output = [] self._output_array = True else: self._output = {} if not self.sid: self.sid = fieldtypes.integer(self.get_cookie("r4_sid", None)) hostname = self.request.headers.get('Host', None) if hostname: hostname = unicode(hostname).split(":")[0] if hostname in config.station_hostnames: self.sid = config.station_hostnames[hostname] sid_arg = fieldtypes.integer(self.get_argument("sid", None)) if sid_arg is not None: self.sid = sid_arg if self.sid is None and self.sid_required: raise APIException("missing_station_id", http_code=400) self.arg_parse() self.sid_check() if self.sid: self.set_cookie("r4_sid", str(self.sid), expires_days=365) if self.phpbb_auth: self.do_phpbb_auth() else: self.rainwave_auth() if not self.user and self.auth_required: raise APIException("auth_required", http_code=403) elif not self.user and not self.auth_required: self.user = User(1) self.user.ip_address = self.request.remote_ip self.user.refresh(self.sid) if self.user and config.get("store_prefs"): self.user.save_preferences(self.request.remote_ip, self.get_cookie("r4_prefs", None)) self.permission_checks() # works without touching cookies or headers, primarily used for websocket requests def prepare_standalone(self, message_id=None): self._output = {} if message_id != None: self.append("message_id", { "message_id": message_id }) self.setup_output() self.arg_parse() self.sid_check() self.permission_checks() def do_phpbb_auth(self): phpbb_cookie_name = config.get("phpbb_cookie_name") + "_" user_id = fieldtypes.integer(self.get_cookie(phpbb_cookie_name + "u", "")) if not user_id: pass else: if self._verify_phpbb_session(user_id): # update_phpbb_session is done by verify_phpbb_session if successful self.user = User(user_id) self.user.ip_address = self.request.remote_ip self.user.authorize(self.sid, None, bypass=True) return True if not self.user and self.get_cookie(phpbb_cookie_name + "k"): can_login = db.c.fetch_var("SELECT 1 FROM phpbb_sessions_keys WHERE key_id = %s AND user_id = %s", (hashlib.md5(self.get_cookie(phpbb_cookie_name + "k")).hexdigest(), user_id)) if can_login == 1: self._update_phpbb_session(self._get_phpbb_session(user_id)) self.user = User(user_id) self.user.ip_address = self.request.remote_ip self.user.authorize(self.sid, None, bypass=True) return True return False def _verify_phpbb_session(self, user_id = None): # TODO: Do we want to enhance this with IP checking and other bits and pieces like phpBB does? if not user_id and not self.user: return None if not user_id: user_id = self.user.id cookie_session = self.get_cookie(config.get("phpbb_cookie_name") + "_sid") if cookie_session: if cookie_session == db.c.fetch_var("SELECT session_id FROM phpbb_sessions WHERE session_user_id = %s AND session_id = %s", (user_id, cookie_session)): self._update_phpbb_session(cookie_session) return cookie_session return None def _get_phpbb_session(self, user_id = None): return db.c.fetch_var("SELECT session_id FROM phpbb_sessions WHERE session_user_id = %s ORDER BY session_last_visit DESC LIMIT 1", (user_id,)) def _update_phpbb_session(self, session_id): db.c.update("UPDATE phpbb_sessions SET session_last_visit = %s, session_page = %s WHERE session_id = %s", (int(timestamp()), "rainwave", session_id)) def rainwave_auth(self): user_id_present = "user_id" in self.request.arguments if self.auth_required and not user_id_present: raise APIException("missing_argument", argument="user_id", http_code=400) if user_id_present and not fieldtypes.numeric(self.get_argument("user_id")): # do not spit out the user ID back at them, that would create a potential XSS hack raise APIException("invalid_argument", argument="user_id", reason="not numeric.", http_code=400) if (self.auth_required or user_id_present) and not "key" in self.request.arguments: raise APIException("missing_argument", argument="key", http_code=400) if user_id_present: self.user = User(long(self.get_argument("user_id"))) self.user.ip_address = self.request.remote_ip self.user.authorize(self.sid, self.get_argument("key")) if not self.user.authorized: raise APIException("auth_failed", http_code=403) else: self._update_phpbb_session(self._get_phpbb_session(self.user.id)) # Handles adding dictionaries for JSON output # Will return a "code" if it exists in the hash passed in, if not, returns True def append(self, key, dct): if dct == None: return if self._output_array: self._output.append({ key: dct }) else: self._output[key] = dct if isinstance(dct, dict) and "code" in dct: return dct["code"] return True def append_standard(self, tl_key, text = None, success = True, return_name = None, **kwargs): if not text: text = self.locale.translate(tl_key, **kwargs) kwargs.update({ "success": success, "tl_key": tl_key, "text": text }) if return_name: self.append(return_name, kwargs) else: self.append(self.return_name, kwargs) def write_error(self, status_code, **kwargs): if kwargs.has_key("exc_info"): exc = kwargs['exc_info'][1] if isinstance(exc, APIException): exc.localize(self.locale) log.debug("exception", exc.reason) def get_sql_limit_string(self): if not self.pagination: return "" limit = "" if self.get_argument("per_page") != None: if not self.get_argument("per_page"): limit = "LIMIT ALL" else: limit = "LIMIT %s" % self.get_argument("per_page") else: limit = "LIMIT 100" if self.get_argument("page_start"): limit += " OFFSET %s" % self.get_argument("page_start") return limit
class RequestHandler(tornado.web.RequestHandler): # The following variables can be overridden by you. # Fields is a hash with { "form_name" => (fieldtypes.[something], True|False } format, so that automatic form validation can be done for you. True/False values are for required/optional. fields = {} # This URL variable is setup by the server decorator - DON'T TOUCH IT. url = False # Do we need a Rainwave auth key for this request? auth_required = True # return_name is used for documentation, can be an array. # If not inherited, return_key automatically turns into url + "_result". Useful for simple requests like rate, vote, etc. return_name = False # Validate user's tuned in status first. tunein_required = False # Validate user's logged in status first. login_required = False # Validate user is a station administrator. admin_required = False # Validate user is currently DJing. dj_required = False # Do we need a valid SID as part of the submitted form? sid_required = True # Description string for documentation. description = "Undocumented." # Only for the backend to be called local_only = False # Should the user be free to vote and rate? unlocked_listener_only = False # Called by Tornado, allows us to setup our request as we wish. User handling, form validation, etc. take place here. def prepare(self): self._startclock = time.clock() self.request_ok = False self.user = None if self.local_only and not self.request.remote_ip in config.get("trusted_ips"): self.failed = True self.set_status(403) self.finish() if self.return_name == False: self.return_name = self.__class__.url + "_result" else: self.return_name = self.__class__.return_name if self.admin_required or self.dj_required: self.login_required = True if 'in_order' in self.request.arguments: self._output = [] self._output_array = True else: self._output = {} self._output_array = False request_ok = True self.args = {} for field, field_attribs in self.__class__.fields.iteritems(): type_cast, required = field_attribs if required and field not in self.request.arguments: self.append("error", api.returns.ErrorReturn(-1000, "Missing %s argument." % field)) request_ok = False elif not required and field not in self.request.arguments: pass else: parsed = type_cast(self.get_argument(field)) if parsed == None: self.append("error", api.returns.ErrorReturn(-1000, "Invalid argument %s: %s" % (field, getattr(fieldtypes, "%s_error" % type_cast.__name__)))) request_ok = False else: self.args[field] = parsed self.sid = None if "sid" in self.request.arguments: self.sid = int(self.get_argument("sid")) elif self.sid_required: self.append("error", api.returns.ErrorReturn(-1000, "Missing station ID argument.")) request_ok = False if request_ok and self.sid and not self.sid in config.station_ids: self.append("error", api.returns.ErrorReturn(-1000, "Invalid station ID.")) request_ok = False if request_ok: authorized = self.rainwave_auth() if self.auth_required and not authorized: request_ok = False if self.unlocked_listener_only and self.user and self.user.data['listener_lock']: request_ok = False self.append("error", api.returns.ErrorReturn(-1000, "Listener locked to %s for %s more songs." % (config.station_id_friendly[self.user.data['listener_lock_sid']], self.user.data['listener_lock_count']))) self.request_ok = request_ok if not request_ok: self.finish() def rainwave_auth(self): request_ok = True user_id_present = "user_id" in self.request.arguments if self.auth_required and not user_id_present: self.append("error", api.returns.ErrorReturn(-1000, "Missing user_id argument.")) request_ok = False if user_id_present and not fieldtypes.numeric(self.get_argument("user_id")): self.append("error", api.returns.ErrorReturn(-1000, "Invalid user ID %s.")) request_ok = False if (self.auth_required or user_id_present) and not "key" in self.request.arguments: self.append("error", api.returns.ErrorReturn(-1000, "Missing 'key' argument.")) request_ok = False self.user = None if request_ok and user_id_present: self.user = User(long(self.get_argument("user_id"))) self.user.authorize(self.sid, self.request.remote_ip, self.get_argument("key")) if not self.user.authorized: self.append("error", api.returns.ErrorReturn(403, "Authorization failed.")) request_ok = False else: self.sid = self.user.request_sid if self.auth_required and not self.user: self.append("error", api.returns.ErrorReturn(403, "Authorization required.")) request_ok = False if self.user and request_ok: if self.login_required and not user.is_anonymous(): self.append("error", api.returns.ErrorReturn(-1001, "Login required for %s." % url)) request_ok = False if self.tunein_required and not user.is_tunedin(): self.append("error", api.returns.ErrorReturn(-1001, "You must be tuned in to use %s." % url)) request_ok = False if self.admin_required and not user.is_admin(): self.append("error", api.returns.ErrorReturn(-1001, "You must be an admin to use %s." % url)) request_ok = False if self.dj_required and not user.is_dj(): self.append("error", api.returns.ErrorReturn(-1001, "You must be DJing to use %s." % url)) request_ok = False return request_ok # Handles adding dictionaries for JSON output # Will return a "code" if it exists in the hash passed in, if not, returns True def append(self, key, hash): if hash == None: return if self._output_array: self._output.append({ key: hash }) else: self._output[key] = hash if "code" in hash: return hash["code"] return True # Sends off the data to the user. def finish(self, chunk=None): self.set_header("Content-Type", "application/json") if hasattr(self, "_output"): if hasattr(self, "_startclock"): exectime = time.clock() - self._startclock else: exectime = -1 self.append("api_info", { "exectime": exectime, "time": round(time.time()) }) self.write(tornado.escape.json_encode(self._output)) super(RequestHandler, self).finish(chunk)
class MainIndex(tornado.web.RequestHandler): def prepare(self): # TODO: Language self.info = [] self.sid = fieldtypes.integer(self.get_cookie("r4sid", "1")) if not self.sid: self.sid = 1 if self.request.host == "game.rainwave.cc": self.sid = 1 elif self.request.host == "ocr.rainwave.cc": self.sid = 2 elif self.request.host == "covers.rainwave.cc" or self.request.host == "cover.rainwave.cc": self.sid = 3 elif self.request.host == "chiptune.rainwave.cc": self.sid = 4 elif self.request.host == "all.rainwave.cc": self.sid = 5 self.set_cookie("r4sid", str(self.sid), expires_days=365, domain=".rainwave.cc") self.user = None if not fieldtypes.integer(self.get_cookie("phpbb3_38ie8_u", "")): self.user = User(1) else: user_id = int(self.get_cookie("phpbb3_38ie8_u")) if self.get_cookie("phpbb3_38ie8_sid"): session_id = db.c_old.fetch_var("SELECT session_id FROM phpbb_sessions WHERE session_id = %s AND session_user_id = %s", (self.get_cookie("phpbb3_38ie8_sid"), user_id)) if session_id: db.c_old.update("UPDATE phpbb_sessions SET session_last_visit = %s, session_page = %s WHERE session_id = %s", (time.time(), "rainwave", session_id)) self.user = User(user_id) self.user.authorize(self.sid, None, None, True) if not self.user and self.get_cookie("phpbb3_38ie8_k"): can_login = db.c_old.fetch_var("SELECT 1 FROM phpbb_sessions_keys WHERE key_id = %s AND user_id = %s", (hashlib.md5(self.get_cookie("phpbb3_38ie8_k")).hexdigest(), user_id)) if can_login == 1: self.user = User(user_id) self.user.authorize(self.sid, None, None, True) if not self.user: self.user = User(1) self.user.ensure_api_key(self.request.remote_ip) self.user.data['sid'] = self.sid # this is so that get_info can be called, makes us compatible with the custom web handler used elsewhere in RW def append(self, key, value): self.info.append({ key: value }) def get(self): info.attach_info_to_request(self) self.set_header("Content-Type", "text/plain") self.render("index.html", user=self.user, info=tornado.escape.json_encode(self.info), sid=self.sid) # @handle_url("authtest_beta") # class BetaIndex(MainIndex): # def get(self): # if self.user.data['group_id'] not in (5, 4, 8, 12, 15, 14, 17): # self.send_error(403) # else: # info.attach_info_to_request(self) # self.set_header("Content-Type", "text/plain") # self.render("index.html", user=self.user, info=tornado.escape.json_encode(self.info), sid=self.sid)