def process_request(self, request):
headers = ['fiware-oauth-token', 'fiware-openstack-token']
filtered = [
header for header in headers if header in request['headers']
]
if len(filtered) == 0:
return
for header in filtered:
del request['headers'][header]
if not IDM_SUPPORT_ENABLED:
raise ValidationError(_('IdM support not enabled'))
elif request['workspace'] is None:
raise ValidationError(
_('IdM tokens can only be inyected on Ajax requests coming from authorized widgets'
))
tenantid = request['headers'].get("fiware-openstack-tenant-id")
source = 'user'
if 'fiware-oauth-source' in request['headers']:
source = request['headers']['fiware-oauth-source']
del request['headers']['fiware-oauth-source']
if source == 'user':
token = get_access_token(
request['user'],
_('Current user has not an active FIWARE profile'))
if 'fiware-openstack-token' in filtered:
openstacktoken = self.openstack_manager.get_token(
request['user'], tenantid)
elif source == 'workspaceowner':
token = get_access_token(
request['workspace'].creator,
_('Workspace owner has not an active FIWARE profile'))
if 'fiware-openstack-token' in filtered:
openstacktoken = self.openstack_manager.get_token(
request['workspace'].creator, tenantid)
else:
raise ValidationError(_('Invalid FIWARE OAuth token source'))
if 'fiware-oauth-token' in filtered:
replace_get_parameter(request, ["fiware-oauth-get-parameter"],
token)
replace_header_name(request, ["fiware-oauth-header-name"], token)
replace_body_pattern(request, ["fiware-oauth-body-pattern"], token)
if 'fiware-openstack-token' in filtered:
replace_get_parameter(request, ["fiware-openstack-get-parameter"],
openstacktoken)
replace_header_name(request, ["fiware-openstack-header-name"],
openstacktoken)
replace_body_pattern(request, ["fiware-openstack-body-pattern"],
openstacktoken)
def get_access_token(user, error_msg):
"Gets the access_token of a user using python-social-auth"
try:
oauth_info = user.social_auth.get(provider='fiware')
if oauth_info.access_token is None:
raise Exception
return oauth_info.access_token
except:
raise ValidationError(error_msg)
def process_secure_data(text, request):
definitions = text.split('&')
cache_manager = VariableValueCacheManager(request['workspace'],
request['user'])
for definition in definitions:
params = definition.split(',')
if len(params) == 1 and params[0].strip() == '':
continue
options = {}
for pair in params:
tokens = pair.split('=')
option_name = unquote(tokens[0].strip())
options[option_name] = unquote(tokens[1].strip())
action = options.get('action', 'data')
if action == 'data':
substr = options.get('substr', '')
var_ref = options.get('var_ref', '')
check_empty_params(substr=substr, var_ref=var_ref)
value = get_variable_value_by_ref(var_ref, cache_manager)
check_invalid_refs(var_ref=value)
encoding = options.get('encoding', 'none')
substr = substr.encode('utf8')
if encoding == 'url':
value = urlquote(value).encode('utf8')
elif encoding == 'base64':
value = base64.b64encode(value.encode('utf8'))[:-1]
else:
value = value.encode('utf8')
new_body = request['data'].read().replace(substr, value)
request['headers']['content-length'] = "%s" % len(new_body)
request['data'] = BytesIO(new_body)
elif action == 'basic_auth':
user_ref = options.get('user_ref', '')
password_ref = options.get('pass_ref', '')
check_empty_params(user_ref=user_ref, password_ref=password_ref)
user_value = get_variable_value_by_ref(user_ref, cache_manager)
password_value = get_variable_value_by_ref(password_ref,
cache_manager)
check_invalid_refs(user_ref=user_value,
password_ref=password_value)
token = base64.b64encode(
(user_value + ':' + password_value).encode('utf8'))[:-1]
request['headers']['Authorization'] = 'Basic ' + token.decode(
'ascii')
else:
raise ValidationError('Unsupported action: %s' % action)
def check_invalid_refs(**kargs):
invalid_params = []
for param_name in kargs:
if kargs[param_name] is None:
invalid_params.append(param_name)
if len(invalid_params) > 0:
msg = _(
'X-WireCloud-Secure-Data: The following required parameters are invalid: %(params)s'
)
raise ValidationError(msg % {'params': ', '.join(invalid_params)})
def check_empty_params(**kargs):
missing_params = []
for param_name in kargs:
if kargs[param_name] == '':
missing_params.append(param_name)
if len(missing_params) > 0:
msg = _(
'X-WireCloud-Secure-Data: The following required parameters are missing: %(params)s'
)
raise ValidationError(msg % {'params': ', '.join(missing_params)})
def get_variable_value_by_ref(ref, cache_manager):
result = VAR_REF_RE.match(ref)
try:
if result.group('iwidget_id') == 'c':
return result.group('var_name')
else:
return cache_manager.get_variable_value_from_varname(
result.group('iwidget_id'), result.group('var_name'))
except (IWidget.DoesNotExist, KeyError):
return None
except:
raise ValidationError('Invalid variable reference: %s' % ref)
def get_access_token(user, error_msg):
"Gets the access_token of a user using python-social-auth"
try:
oauth_info = user.social_auth.get(provider='keycloak_oidc')
if oauth_info.access_token is None:
raise Exception
# Refresh the token if expired
if oauth_info.access_token_expired():
oauth_info.refresh_token(STRATEGY)
return oauth_info.access_token
except:
raise ValidationError(error_msg)
def get_token(self, user, tenantid=None):
oauth_info = user.social_auth.get(provider='fiware')
if oauth_info.access_token is None:
raise ValidationError("User doesn't have an access token")
opentok = oauth_info.extra_data.get('openstack_token')
tenantid = "__default__" if tenantid is None else tenantid
if opentok is None or opentok.get(tenantid):
opentok = self.get_openstack_token(user.username,
oauth_info.access_token,
tenantid)
oauth_info.extra_data['openstack_token'][tenantid] = opentok
oauth_info.save()
return opentok
def get_access_token(user, error_msg):
"Gets the access_token of a user using python-social-auth"
try:
oauth_info = user.social_auth.get(provider='fiware')
if oauth_info.access_token is None:
raise Exception
# Refresh the token if the token has been expired or the token expires
# in less than 30 seconds
# Also refresh the token if expires_on information does not exist yet
if time.time() > oauth_info.extra_data.get('expires_on', 0) - 30:
oauth_info.refresh_token(STRATEGY)
return oauth_info.access_token
except:
raise ValidationError(error_msg)
def parse_request_headers(request, request_data):
request_data.setdefault("cookies", SimpleCookie())
request_data.setdefault("headers", {})
if 'HTTP_TRANSFER_ENCODING' in request.META:
raise ValidationError(
build_error_response(
request, 422,
"WireCloud doesn't support requests using the Transfer-Encoding header"
))
for header in request.META.items():
header_name = header[0].lower()
if header_name == 'content_type' and header[1]:
request_data['headers']["content-type"] = header[1]
elif header_name == 'content_length' and header[1]:
# Only take into account request body if the request has a
# Content-Length header (we don't support chunked requests)
request_data['data'] = request
request_data['headers']['content-length'] = "%s" % header[1]
request_data['data'].len = int(header[1])
elif header_name == 'cookie' or header_name == 'http_cookie':
cookie_parser = SimpleCookie(str(header[1]))
del cookie_parser[str(settings.SESSION_COOKIE_NAME)]
if str(settings.CSRF_COOKIE_NAME) in cookie_parser:
del cookie_parser[str(settings.CSRF_COOKIE_NAME)]
request_data['cookies'].update(cookie_parser)
elif HTTP_HEADER_RE.match(
header_name) and header_name not in BLACKLISTED_HTTP_HEADERS:
fixed_name = header_name.replace("http_", "", 1).replace('_', '-')
request_data['headers'][fixed_name] = header[1]
def process_request(self, request):
if 'x-fi-ware-oauth-token' not in request['headers']:
return
if not IDM_SUPPORT_ENABLED:
raise ValidationError(_('IdM support not enabled'))
elif request['workspace'] is None:
raise ValidationError(
_('IdM tokens can only be inyected on Ajax requests coming from authorized widgets'
))
header_name = None
source = 'user'
if 'x-fi-ware-oauth-source' in request['headers']:
source = request['headers']['x-fi-ware-oauth-source']
del request['headers']['x-fi-ware-oauth-source']
if source == 'user':
token = get_access_token(
request['user'],
_('Current user has not an active FIWARE profile'))
elif source == 'workspaceowner':
token = get_access_token(
request['workspace'].creator,
_('Workspace owner has not an active FIWARE profile'))
else:
raise ValidationError(_('Invalid FIWARE OAuth token source'))
if 'x-fi-ware-oauth-get-parameter' in request['headers']:
header_name = request['headers']['x-fi-ware-oauth-get-parameter']
url = request['url']
if '?' in url:
url += '&'
else:
url += '?'
url += urlquote_plus(
request['headers']
['x-fi-ware-oauth-get-parameter']) + '=' + urlquote_plus(token)
request['url'] = url
del request['headers']['x-fi-ware-oauth-get-parameter']
if 'x-fi-ware-oauth-header-name' in request['headers']:
header_name = request['headers']['x-fi-ware-oauth-header-name']
if header_name == "Authorization":
token_pattern = "Bearer {token}"
else:
token_pattern = "{token}"
request['headers'][header_name] = token_pattern.format(token=token)
del request['headers']['x-fi-ware-oauth-header-name']
if 'x-fi-ware-oauth-token-body-pattern' in request['headers']:
pattern = request['headers']['x-fi-ware-oauth-token-body-pattern']
new_body = request['data'].read().replace(pattern.encode('utf8'),
token.encode('utf8'))
request['headers']['content-length'] = "%s" % len(new_body)
request['data'] = BytesIO(new_body)
del request['headers']['x-fi-ware-oauth-token-body-pattern']
del request['headers']['x-fi-ware-oauth-token']
