This repository has been archived on 2020-03-24. You can view files and clone it, but cannot push or open issues or pull requests.
quay/endpoints/api/__init__.py

465 lines
13 KiB
Python
Raw Normal View History

import logging
import datetime
import json
from app import app, metric_queue
from flask import Blueprint, request, make_response, jsonify, session
from flask.ext.restful import Resource, abort, Api, reqparse
from flask.ext.restful.utils.cors import crossdomain
from calendar import timegm
from email.utils import formatdate
2014-03-11 03:54:55 +00:00
from functools import partial, wraps
from jsonschema import validate, ValidationError
from data import model
from util.names import parse_namespace_repository
from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
AdministerRepositoryPermission, UserReadPermission,
UserAdminPermission)
2014-03-12 16:37:06 +00:00
from auth import scopes
from auth.auth_context import get_authenticated_user, get_validated_oauth_token
from auth.auth import process_oauth
from endpoints.csrf import csrf_protect
from endpoints.decorators import check_anon_protection
from util.saas.metricqueue import time_decorator
from util.security.aes import AESCipher
2014-03-11 03:54:55 +00:00
logger = logging.getLogger(__name__)
api_bp = Blueprint('api', __name__)
2014-03-17 19:23:49 +00:00
api = Api()
api.init_app(api_bp)
api.decorators = [csrf_protect,
crossdomain(origin='*', headers=['Authorization', 'Content-Type']),
process_oauth, time_decorator(api_bp.name, metric_queue)]
class ApiException(Exception):
def __init__(self, error_type, status_code, error_description, payload=None):
Exception.__init__(self)
self.error_description = error_description
self.status_code = status_code
self.payload = payload
self.error_type = error_type
def to_dict(self):
rv = dict(self.payload or ())
if self.error_description is not None:
rv['error_description'] = self.error_description
rv['error_type'] = self.error_type
return rv
2015-10-13 21:26:40 +00:00
class ExternalServiceTimeout(ApiException):
def __init__(self, error_description, payload=None):
ApiException.__init__(self, 'external_service_timeout', 520, error_description, payload)
class InvalidRequest(ApiException):
def __init__(self, error_description, payload=None):
ApiException.__init__(self, 'invalid_request', 400, error_description, payload)
2015-10-13 21:26:40 +00:00
2014-11-25 21:08:01 +00:00
class InvalidResponse(ApiException):
def __init__(self, error_description, payload=None):
ApiException.__init__(self, 'invalid_response', 400, error_description, payload)
class InvalidToken(ApiException):
def __init__(self, error_description, payload=None):
ApiException.__init__(self, 'invalid_token', 401, error_description, payload)
class Unauthorized(ApiException):
def __init__(self, payload=None):
2014-03-19 17:57:36 +00:00
user = get_authenticated_user()
if user is None or user.organization:
ApiException.__init__(self, 'invalid_token', 401, "Requires authentication", payload)
else:
ApiException.__init__(self, 'insufficient_scope', 403, 'Unauthorized', payload)
class FreshLoginRequired(ApiException):
def __init__(self, payload=None):
ApiException.__init__(self, 'fresh_login_required', 401, "Requires fresh login", payload)
class ExceedsLicenseException(ApiException):
def __init__(self, payload=None):
ApiException.__init__(self, None, 402, 'Payment Required', payload)
class NotFound(ApiException):
def __init__(self, payload=None):
ApiException.__init__(self, None, 404, 'Not Found', payload)
class DownstreamIssue(ApiException):
def __init__(self, payload=None):
ApiException.__init__(self, None, 520, 'Downstream Issue', payload)
@api_bp.app_errorhandler(ApiException)
@crossdomain(origin='*', headers=['Authorization', 'Content-Type'])
def handle_api_error(error):
response = jsonify(error.to_dict())
response.status_code = error.status_code
if error.error_type is not None:
response.headers['WWW-Authenticate'] = ('Bearer error="%s" error_description="%s"' %
(error.error_type, error.error_description))
return response
def resource(*urls, **kwargs):
def wrapper(api_resource):
if not api_resource:
return None
api.add_resource(api_resource, *urls, **kwargs)
return api_resource
return wrapper
def show_if(value):
def f(inner):
if not value:
return None
return inner
return f
def hide_if(value):
def f(inner):
if value:
return None
return inner
return f
def truthy_bool(param):
return param not in {False, 'false', 'False', '0', 'FALSE', '', 'null'}
def format_date(date):
""" Output an RFC822 date format. """
if date is None:
return None
return formatdate(timegm(date.utctimetuple()))
def add_method_metadata(name, value):
def modifier(func):
if func is None:
return None
if '__api_metadata' not in dir(func):
2014-03-11 03:54:55 +00:00
func.__api_metadata = {}
func.__api_metadata[name] = value
return func
return modifier
def method_metadata(func, name):
if func is None:
return None
if '__api_metadata' in dir(func):
2014-03-11 03:54:55 +00:00
return func.__api_metadata.get(name, None)
return None
nickname = partial(add_method_metadata, 'nickname')
related_user_resource = partial(add_method_metadata, 'related_user_resource')
2014-03-14 22:07:03 +00:00
internal_only = add_method_metadata('internal', True)
2014-08-06 21:47:32 +00:00
def path_param(name, description):
def add_param(func):
if not func:
return func
2014-11-25 21:08:01 +00:00
2014-08-06 21:47:32 +00:00
if '__api_path_params' not in dir(func):
func.__api_path_params = {}
func.__api_path_params[name] = {
'name': name,
'description': description
}
return func
return add_param
def query_param(name, help_str, type=reqparse.text_type, default=None,
choices=(), required=False):
def add_param(func):
if '__api_query_params' not in dir(func):
func.__api_query_params = []
func.__api_query_params.append({
'name': name,
'type': type,
'help': help_str,
'default': default,
'choices': choices,
'required': required,
'location': ('args')
})
return func
return add_param
def page_support(func):
""" Adds pagination support to an API endpoint. The decorated API will have an
added query parameter named 'next_page'. Works in tandem with the
modelutil paginate method.
"""
@wraps(func)
@query_param('next_page', 'The page token for the next page', type=str)
def wrapper(self, query_args, *args, **kwargs):
page_token = None
unecrypted = None
if query_args['next_page']:
# Decrypt the page token.
cipher = AESCipher(app.config['PAGE_TOKEN_KEY'])
try:
unecrypted = cipher.decrypt(query_args['next_page'])
except TypeError:
pass
if unecrypted is not None:
try:
page_token = json.loads(unecrypted)
except ValueError:
pass
(result, next_page_token) = func(self, query_args, page_token, *args, **kwargs)
if next_page_token is not None:
cipher = AESCipher(app.config['PAGE_TOKEN_KEY'])
result['next_page'] = cipher.encrypt(json.dumps(next_page_token))
return result
return wrapper
def parse_args(func):
@wraps(func)
def wrapper(self, *args, **kwargs):
if '__api_query_params' not in dir(func):
abort(500)
parser = reqparse.RequestParser()
for arg_spec in func.__api_query_params:
parser.add_argument(**arg_spec)
parsed_args = parser.parse_args()
return func(self, parsed_args, *args, **kwargs)
return wrapper
2014-03-11 03:54:55 +00:00
def parse_repository_name(func):
@wraps(func)
def wrapper(repository, *args, **kwargs):
(namespace, repository) = parse_namespace_repository(repository, app.config['LIBRARY_NAMESPACE'])
2014-03-11 03:54:55 +00:00
return func(namespace, repository, *args, **kwargs)
return wrapper
class ApiResource(Resource):
method_decorators = [check_anon_protection]
def options(self):
return None, 200
class RepositoryParamResource(ApiResource):
method_decorators = [check_anon_protection, parse_repository_name]
2014-03-11 03:54:55 +00:00
2014-03-12 16:37:06 +00:00
def require_repo_permission(permission_class, scope, allow_public=False):
2014-03-11 03:54:55 +00:00
def wrapper(func):
2014-03-12 16:37:06 +00:00
@add_method_metadata('oauth2_scope', scope)
2014-03-11 03:54:55 +00:00
@wraps(func)
def wrapped(self, namespace, repository, *args, **kwargs):
logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace,
repository)
2014-03-11 03:54:55 +00:00
permission = permission_class(namespace, repository)
if (permission.can() or
(allow_public and
model.repository.repository_is_public(namespace, repository))):
2014-03-11 03:54:55 +00:00
return func(self, namespace, repository, *args, **kwargs)
raise Unauthorized()
2014-03-11 03:54:55 +00:00
return wrapped
return wrapper
2014-03-12 16:37:06 +00:00
require_repo_read = require_repo_permission(ReadRepositoryPermission, scopes.READ_REPO, True)
require_repo_write = require_repo_permission(ModifyRepositoryPermission, scopes.WRITE_REPO)
require_repo_admin = require_repo_permission(AdministerRepositoryPermission, scopes.ADMIN_REPO)
2014-03-11 03:54:55 +00:00
def require_user_permission(permission_class, scope=None):
def wrapper(func):
@add_method_metadata('oauth2_scope', scope)
@wraps(func)
def wrapped(self, *args, **kwargs):
user = get_authenticated_user()
if not user:
2014-03-19 17:57:36 +00:00
raise Unauthorized()
logger.debug('Checking permission %s for user %s', permission_class, user.username)
permission = permission_class(user.username)
if permission.can():
return func(self, *args, **kwargs)
raise Unauthorized()
return wrapped
return wrapper
2014-03-19 17:57:36 +00:00
require_user_read = require_user_permission(UserReadPermission, scopes.READ_USER)
require_user_admin = require_user_permission(UserAdminPermission, None)
require_fresh_user_admin = require_user_permission(UserAdminPermission, None)
def verify_not_prod(func):
@add_method_metadata('enterprise_only', True)
@wraps(func)
def wrapped(*args, **kwargs):
# Verify that we are not running on a production (i.e. hosted) stack. If so, we fail.
# This should never happen (because of the feature-flag on SUPER_USERS), but we want to be
# absolutely sure.
if app.config['SERVER_HOSTNAME'].find('quay.io') >= 0:
logger.error('!!! Super user method called IN PRODUCTION !!!')
raise NotFound()
return func(*args, **kwargs)
return wrapped
def require_fresh_login(func):
@add_method_metadata('requires_fresh_login', True)
@wraps(func)
def wrapped(*args, **kwargs):
user = get_authenticated_user()
if not user:
raise Unauthorized()
oauth_token = get_validated_oauth_token()
if oauth_token:
return func(*args, **kwargs)
logger.debug('Checking fresh login for user %s', user.username)
last_login = session.get('login_time', datetime.datetime.min)
valid_span = datetime.datetime.now() - datetime.timedelta(minutes=10)
if not user.password_hash or last_login >= valid_span:
return func(*args, **kwargs)
2014-11-25 21:08:01 +00:00
raise FreshLoginRequired()
return wrapped
def require_scope(scope_object):
def wrapper(func):
@add_method_metadata('oauth2_scope', scope_object)
@wraps(func)
def wrapped(*args, **kwargs):
return func(*args, **kwargs)
return wrapped
return wrapper
2014-03-11 03:54:55 +00:00
def validate_json_request(schema_name):
def wrapper(func):
@add_method_metadata('request_schema', schema_name)
@wraps(func)
def wrapped(self, *args, **kwargs):
2014-03-11 03:54:55 +00:00
schema = self.schemas[schema_name]
try:
json_data = request.get_json()
if json_data is None:
raise InvalidRequest('Missing JSON body')
validate(json_data, schema)
return func(self, *args, **kwargs)
2014-03-11 03:54:55 +00:00
except ValidationError as ex:
2014-03-18 18:22:14 +00:00
raise InvalidRequest(ex.message)
2014-03-11 03:54:55 +00:00
return wrapped
return wrapper
def request_error(exception=None, **kwargs):
data = kwargs.copy()
message = 'Request error.'
if exception:
message = exception.message
raise InvalidRequest(message, data)
def license_error(exception=None):
raise ExceedsLicenseException()
def log_action(kind, user_or_orgname, metadata=None, repo=None):
if not metadata:
metadata = {}
oauth_token = get_validated_oauth_token()
if oauth_token:
metadata['oauth_token_id'] = oauth_token.id
metadata['oauth_token_application_id'] = oauth_token.application.client_id
metadata['oauth_token_application'] = oauth_token.application.name
performer = get_authenticated_user()
model.log.log_action(kind, user_or_orgname, performer=performer, ip=request.remote_addr,
metadata=metadata, repository=repo)
2014-03-11 03:54:55 +00:00
2014-10-02 19:08:32 +00:00
def define_json_response(schema_name):
def wrapper(func):
@add_method_metadata('response_schema', schema_name)
@wraps(func)
def wrapped(self, *args, **kwargs):
schema = self.schemas[schema_name]
resp = func(self, *args, **kwargs)
if app.config['TESTING']:
try:
validate(resp, schema)
except ValidationError as ex:
raise InvalidResponse(ex.message)
return resp
return wrapped
return wrapper
2014-03-14 19:35:20 +00:00
import endpoints.api.billing
import endpoints.api.build
2014-03-14 17:24:01 +00:00
import endpoints.api.discovery
import endpoints.api.image
2014-03-14 20:02:13 +00:00
import endpoints.api.logs
import endpoints.api.organization
2014-03-14 17:24:01 +00:00
import endpoints.api.permission
import endpoints.api.prototype
2014-03-14 17:24:01 +00:00
import endpoints.api.repository
import endpoints.api.repositorynotification
import endpoints.api.repoemail
2014-03-14 17:24:01 +00:00
import endpoints.api.repotoken
2014-03-14 20:02:13 +00:00
import endpoints.api.robot
2014-03-14 17:24:01 +00:00
import endpoints.api.search
2015-01-04 19:38:41 +00:00
import endpoints.api.suconfig
import endpoints.api.superuser
import endpoints.api.tag
2014-03-14 18:20:51 +00:00
import endpoints.api.team
2014-03-14 17:24:01 +00:00
import endpoints.api.trigger
import endpoints.api.user
import endpoints.api.secscan
2015-01-04 19:38:41 +00:00