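def _signature_matches(provided, expected):
    """Return True when *provided* equals *expected*, compared in constant time.

    ``hmac.compare_digest`` is used so that the comparison does not leak, via
    response timing, how many leading characters of the expected signature a
    caller got right. ``compare_digest`` requires both operands to be of the
    same type; a mismatch is reported as "no match" rather than raised, which
    keeps the authentication path fail-closed.
    """
    import hmac  # local import: keeps the file-level import block untouched

    try:
        return hmac.compare_digest(provided, expected)
    except TypeError:
        return False


def hmac_load_user_from_request(request):
    """Authenticate a request carrying an HMAC signature in its query string.

    Reads ``signature``, ``expires`` and ``user_id`` from ``request.args`` and
    ``query_id`` from ``request.view_args``. The signature is only honoured
    while ``expires`` lies in the window (now, now + 3600 s]; a ``user_id``
    signature is checked first, then a ``query_id`` signature.

    A malformed ``expires`` value is treated as already expired (and so the
    request is rejected) instead of raising ``ValueError`` from ``float()``,
    so a bad query string cannot turn into a server error.

    Args:
        request: A Flask-style request exposing ``args``, ``view_args`` and
            ``path``.

    Returns:
        The matching ``models.User``, a ``models.ApiUser`` built from the
        query's API key, or ``None`` when nothing validates.
    """
    signature = request.args.get('signature')
    try:
        expires = float(request.args.get('expires') or 0)
    except (TypeError, ValueError):
        expires = 0.0
    query_id = request.view_args.get('query_id', None)
    user_id = request.args.get('user_id', None)

    # TODO: 3600 should be a setting
    # Take one clock reading so both bounds of the window agree.
    now = time.time()
    if not (signature and now < expires <= now + 3600):
        return None

    if user_id:
        user = models.User.get_by_id(user_id)
        calculated_signature = sign(user.api_key, request.path, expires)
        # An empty api_key would otherwise let an attacker sign with a known
        # (empty) secret; keep that guard in front of the comparison.
        if user.api_key and _signature_matches(signature, calculated_signature):
            return user

    if query_id:
        query = models.Query.get(models.Query.id == query_id)
        calculated_signature = sign(query.api_key, request.path, expires)
        if query.api_key and _signature_matches(signature, calculated_signature):
            return models.ApiUser(query.api_key, query.org, query.groups.keys())

    return None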
def test_doesnt_allow_access_to_query_by_different_api_key(self):
    """An ApiUser holding a *different* query's API key must be denied view access."""
    target_query = self.factory.create_query()
    unrelated_query = self.factory.create_query()
    # The API user is bound to the unrelated query's key, not the target's.
    api_user = models.ApiUser(unrelated_query.api_key, None, [])
    self.assertFalse(has_access(target_query, api_user, view_only))
def test_allows_access_to_query_by_query_api_key(self):
    """An ApiUser holding the query's own API key is granted view access."""
    target_query = self.factory.create_query()
    api_user = models.ApiUser(target_query.api_key, None, [])
    granted = has_access(target_query, api_user, view_only)
    self.assertTrue(granted)