def check_request(self, request):
    """Gate a proxied OWS request: public services pass, everything else needs a token.

    Only paths that start with ``protected_path`` (a name defined outside
    this method) are checked; any other path is passed through untouched.
    For a protected path the service registry is consulted first and a
    service registered as public is logged and allowed. Otherwise the OWS
    request is validated and, unless the OWS operation itself is public,
    an access token is required.

    Side effect: on a valid token, ``access_token.user_environ`` is merged
    into ``request.environ``.

    Raises:
        OWSInvalidParameterValue: the requested OWS service is not supported.
        OWSAccessForbidden: the access token is missing or expired.
    """
    if not request.path.startswith(protected_path):
        return
    # TODO: fix this code
    try:
        service_name = parse_service_name(request.path)
    except ValueError:
        # Unparseable path: treated as a non-public service, so the
        # token checks below still apply (fails closed).
        service_name = None
    if service_name and self.service_registry.is_public(service_name):
        # NOTE(review): a public service returns here and never reaches
        # the service_allowed() validation below; confirm that is intended.
        logger.info('public access for service %s', service_name)
        return
    ows_request = OWSRequest(request)
    if not ows_request.service_allowed():
        raise OWSInvalidParameterValue(
            "service %s not supported" % ows_request.service, value="service")
    if ows_request.public_access():
        return
    try:
        # NOTE(review): the token comes from a request parameter; presumably
        # the query string -- make sure it is not written to access logs.
        token = self.get_token_param(request)
        access_token = self.tokenstore.fetch_by_token(token)
        if not access_token:
            raise AccessTokenNotFound()
        if access_token.is_expired():
            raise OWSAccessForbidden("Access token is expired.")
        # Propagate the token owner's environment to downstream handlers.
        request.environ.update(access_token.user_environ)
    except AccessTokenNotFound:
        raise OWSAccessForbidden("Access token is required to access this service.")
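def verify_request(self, request):
    """Verify that the service request is allowed.

    This method verifies that the provided credentials are valid.
    Depending on the authentication configuration this could be a client
    X509 certificate or an OAuth2 token.

    Decision order (first match wins):
      1. OWS service not allowed        -> False
      2. service lookup fails / missing -> False
      3. service registered as public   -> True
      4. OWS operation is public        -> True
      5. service auth == 'cert'         -> nginx client-certificate verdict
      6. otherwise                      -> OAuth2 token check, "compute" scope

    Args:
        request: the incoming request; must expose ``matchdict``,
            ``owsregistry``, ``headers`` and ``verify_request``.

    Returns:
        bool: True when the request may proceed, False otherwise.
    """
    ows_request = OWSRequest(request)
    # Fail closed: anything but a truthy "allowed" verdict denies. The former
    # ``is False`` test let a None/0 return value through.
    if not ows_request.service_allowed():
        return False
    try:
        service_name = request.matchdict.get('service_name')
        service = request.owsregistry.get_service_by_name(service_name)
    except Exception:
        # Unknown service or a failing registry denies instead of erroring.
        return False
    if service is None:
        # A lookup that returns nothing is treated like a failed lookup.
        return False
    if service.get('public', False) is True:
        return True
    if ows_request.public_access() is True:
        return True
    if service.get('auth', '') == 'cert':
        # Check the verification result of the client certificate.
        # Verification is done by nginx. This header is only trustworthy if
        # the TLS terminator sets/overwrites it on every request so a client
        # cannot supply it directly -- confirm in the nginx configuration.
        return request.headers.get('X-Ssl-Client-Verify', '') == 'SUCCESS'
    # verify the oauth token for compute scope.
    return request.verify_request(scopes=["compute"])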
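def check_request(self, request):
    """Gate a proxied OWS request before it is forwarded.

    The protected prefix is read from the ``twitcher.ows_proxy_protected_path``
    setting (default ``/ows``); paths outside it are not checked. Inside it,
    the service is looked up in ``self.servicestore``; an unregistered
    service falls back to a private, token-authenticated placeholder so the
    request still has to pass ``self.verify_access``. The OWS request is then
    validated and, unless the operation is public, handed to
    ``self.verify_access``.

    Args:
        request: the incoming request; must expose ``path`` and
            ``registry.settings``.

    Raises:
        OWSInvalidParameterValue: the requested OWS service is not supported.
        Anything ``self.verify_access`` raises when access is denied.
    """
    # The key must match the setting name exactly (no stray whitespace),
    # otherwise the configured prefix is silently ignored and the default
    # '/ows' is always used.
    protected_path = request.registry.settings.get('twitcher.ows_proxy_protected_path', '/ows')
    if not request.path.startswith(protected_path):
        return
    # TODO: refactor this code
    try:
        # NOTE(review): only ServiceNotFound is handled here; a parse error
        # from parse_service_name (if it raises) propagates to the caller.
        service_name = parse_service_name(request.path, protected_path)
        service = self.servicestore.fetch_by_name(service_name)
        if service.public is True:
            LOGGER.warning('public access for service %s', service_name)
    except ServiceNotFound:
        # TODO: why not raising an exception?
        # The placeholder is private with token auth, so the request stays
        # on the authenticated path (fails closed).
        service = Service(url='unregistered', public=False, auth='token')
        LOGGER.warning("Service not registered.")
    ows_request = OWSRequest(request)
    if not ows_request.service_allowed():
        raise OWSInvalidParameterValue(
            "service %s not supported" % ows_request.service, value="service")
    if not ows_request.public_access():
        # verify_access decides for both registered and placeholder services.
        self.verify_access(request, service)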