2015-12-12 22:34:08 +00:00
|
|
|
import falcon
|
|
|
|
|
import ipaddress
|
|
|
|
|
import json
|
2016-03-21 21:42:39 +00:00
|
|
|
import logging
|
2015-12-12 22:34:08 +00:00
|
|
|
import types
|
|
|
|
|
from datetime import date, time, datetime
|
2016-03-27 20:38:14 +00:00
|
|
|
from certidude.auth import User
|
2016-09-17 21:00:14 +00:00
|
|
|
from urlparse import urlparse
|
2016-03-21 21:42:39 +00:00
|
|
|
|
|
|
|
|
logger = logging.getLogger("api")
|
|
|
|
|
|
|
|
|
|
def csrf_protection(func):
|
|
|
|
|
"""
|
|
|
|
|
Protect resource from common CSRF attacks by checking user agent and referrer
|
|
|
|
|
"""
|
|
|
|
|
def wrapped(self, req, resp, *args, **kwargs):
|
|
|
|
|
# Assume curl and python-requests are used intentionally
|
|
|
|
|
if req.user_agent.startswith("curl/") or req.user_agent.startswith("python-requests/"):
|
|
|
|
|
return func(self, req, resp, *args, **kwargs)
|
|
|
|
|
|
|
|
|
|
# For everything else assert referrer
|
|
|
|
|
referrer = req.headers.get("REFERER")
|
2016-09-17 21:00:14 +00:00
|
|
|
|
|
|
|
|
|
2016-03-21 21:42:39 +00:00
|
|
|
if referrer:
|
|
|
|
|
scheme, netloc, path, params, query, fragment = urlparse(referrer)
|
2016-09-17 21:00:14 +00:00
|
|
|
if ":" in netloc:
|
|
|
|
|
host, port = netloc.split(":", 1)
|
|
|
|
|
else:
|
|
|
|
|
host, port = netloc, None
|
|
|
|
|
if host == req.host:
|
2016-03-21 21:42:39 +00:00
|
|
|
return func(self, req, resp, *args, **kwargs)
|
|
|
|
|
|
|
|
|
|
# Kaboom!
|
2016-03-29 05:54:55 +00:00
|
|
|
logger.warning(u"Prevented clickbait from '%s' with user agent '%s'",
|
2016-03-21 21:42:39 +00:00
|
|
|
referrer or "-", req.user_agent)
|
2016-09-17 21:00:14 +00:00
|
|
|
raise falcon.HTTPForbidden("Forbidden",
|
2016-03-21 21:42:39 +00:00
|
|
|
"No suitable UA or referrer provided, cross-site scripting disabled")
|
|
|
|
|
return wrapped
|
|
|
|
|
|
2015-12-12 22:34:08 +00:00
|
|
|
|
|
|
|
|
def event_source(func):
|
|
|
|
|
def wrapped(self, req, resp, *args, **kwargs):
|
|
|
|
|
if req.get_header("Accept") == "text/event-stream":
|
|
|
|
|
resp.status = falcon.HTTP_SEE_OTHER
|
|
|
|
|
resp.location = req.context.get("ca").push_server + "/ev/" + req.context.get("ca").uuid
|
|
|
|
|
resp.body = "Redirecting to:" + resp.location
|
|
|
|
|
return func(self, req, resp, *args, **kwargs)
|
|
|
|
|
return wrapped
|
|
|
|
|
|
|
|
|
|
class MyEncoder(json.JSONEncoder):
|
|
|
|
|
def default(self, obj):
|
|
|
|
|
if isinstance(obj, ipaddress._IPAddressBase):
|
|
|
|
|
return str(obj)
|
|
|
|
|
if isinstance(obj, set):
|
|
|
|
|
return tuple(obj)
|
|
|
|
|
if isinstance(obj, datetime):
|
|
|
|
|
return obj.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
|
|
|
|
|
if isinstance(obj, date):
|
|
|
|
|
return obj.strftime("%Y-%m-%d")
|
|
|
|
|
if isinstance(obj, types.GeneratorType):
|
|
|
|
|
return tuple(obj)
|
2016-03-27 20:38:14 +00:00
|
|
|
if isinstance(obj, User):
|
|
|
|
|
return dict(name=obj.name, given_name=obj.given_name,
|
|
|
|
|
surname=obj.surname, mail=obj.mail)
|
2015-12-12 22:34:08 +00:00
|
|
|
return json.JSONEncoder.default(self, obj)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def serialize(func):
|
|
|
|
|
"""
|
|
|
|
|
Falcon response serialization
|
|
|
|
|
"""
|
|
|
|
|
def wrapped(instance, req, resp, **kwargs):
|
2017-03-13 11:42:58 +00:00
|
|
|
if not req.client_accepts("application/json"):
|
|
|
|
|
logger.debug("Client did not accept application/json")
|
|
|
|
|
raise falcon.HTTPUnsupportedMediaType(
|
|
|
|
|
"Client did not accept application/json")
|
2016-03-21 21:42:39 +00:00
|
|
|
resp.set_header("Cache-Control", "no-cache, no-store, must-revalidate")
|
|
|
|
|
resp.set_header("Pragma", "no-cache")
|
|
|
|
|
resp.set_header("Expires", "0")
|
2017-03-13 11:42:58 +00:00
|
|
|
resp.body = json.dumps(func(instance, req, resp, **kwargs), cls=MyEncoder)
|
2015-12-12 22:34:08 +00:00
|
|
|
return wrapped
|
|
|
|
|
|
