Newer
Older
#!/usr/bin/python
# -*- coding: UTF-8 -*-
from cStringIO import StringIO
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from logging.config import dictConfig
from threading import Thread
import functools
from PIL import Image, ImageDraw, ImageFont
from flask import render_template, send_from_directory
from flask import request, has_request_context
from flask import send_file
from flask import session
from flask import url_for
from flask_compress import Compress
from werkzeug import abort, redirect
from werkzeug.middleware.proxy_fix import ProxyFix
import pytz
import time
from PiAnoS import caseExistsInDB
import utils
from functions import redis_cache
from functions import dek_generate, do_encrypt_dek, do_decrypt_dek, dek_check
from functions import do_encrypt_user_session, do_decrypt_user_session
from functions import no_preview_image
################################################################################
from version import __version__, __branch__, __commit__, __commiturl__, __treeurl__
################################################################################
Marco De Donno
committed
Image.MAX_IMAGE_PIXELS = 1 * 1024 * 1024 * 1024
################################################################################
class RequestFormatter( logging.Formatter ):
def format( self, record ):
if has_request_context():
try:
username = session[ "username" ]
except:
username = "-"
record.msg = "{REMOTE_ADDR} (" + username + ") - " + record.msg
record.msg = record.msg.format( **request.headers.environ )
return super( RequestFormatter, self ).format( record )
dictConfig( {
'version': 1,
'formatters': {
'default': {
'()': 'module.RequestFormatter',
'format': '[%(asctime)s] %(levelname)s: \t%(message)s',
}
},
'handlers': {
'console': {
'class': 'logging.StreamHandler',
'formatter': 'default'
}
},
'root': {
'level': 'INFO',
'handlers': [ 'console' ]
}
} )
################################################################################
if config.PROXY:
app.wsgi_app = ProxyFix( app.wsgi_app )
baseurl = os.environ.get( "BASEURL", "" )
envtype = os.environ.get( "ENVTYPE", "" )
################################################################################
gnupg._parsers.Verify.TRUST_LEVELS[ "ENCRYPTION_COMPLIANCE_MODE" ] = 23
################################################################################
Marco De Donno
committed
# Decorators
Marco De Donno
committed
def session_field_required( field, value ):
def decorator( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
if not field in session:
return redirect( url_for( "login" ) )
elif not session.get( field ) == value:
return redirect( url_for( "login" ) )
return func( *args, **kwargs )
return wrapper_login_required
return decorator
def login_required( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
return redirect( url_for( "login" ) )
return func( *args, **kwargs )
return wrapper_login_required
def referer_required( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
if not request.headers.get( "Referer", False ):
return "referrer needed", 404
return func( *args, **kwargs )
return wrapper_login_required
def admin_required( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
if not session.get( "logged", False ) or not session.get( "account_type", None ) == 1:
return redirect( url_for( "login" ) )
return func( *args, **kwargs )
return wrapper_login_required
@redis_cache( 15 * 60 )
def check_correct_submitter( submission_id, submitter_id ):
sql = """
SELECT count( * )
FROM submissions
WHERE uuid = %s AND submitter_id = %s
"""
check = config.db.query_fetchone( sql, ( submission_id, submitter_id, ) )[ "count" ]
return check == 1
def submission_has_access( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
submission_id = request.view_args.get( "submission_id", None )
user_id = session.get( "user_id" )
if not session.get( "logged", False ) or not session.get( "account_type", None ) == 3:
return redirect( url_for( "login" ) )
elif submission_id != None and not check_correct_submitter( submission_id, user_id ):
return abort( 403 )
else:
return func( *args, **kwargs )
return wrapper_login_required
################################################################################
# Overloads
def my_render_template( *args, **kwargs ):
kwargs[ "baseurl" ] = baseurl
kwargs[ "envtype" ] = envtype
kwargs[ "js" ] = config.cdnjs
kwargs[ "css" ] = config.cdncss
kwargs[ "session_timeout" ] = config.session_timeout
kwargs[ "session_security_key" ] = session.get( "session_security_key" )
kwargs[ "account_type" ] = session.get( "account_type", None )
kwargs[ "nist_file_extensions" ] = json.dumps( config.NIST_file_extensions )
Marco De Donno
committed
if session.get( "account_type", False ):
at = account_type_id_name[ session.get( "account_type" ) ]
kwargs[ "navigation" ] = "navigations/{}.html".format( at.lower() )
kwargs[ "pianosendpoint" ] = config.pianosendpoint
return render_template( *args, **kwargs )
################################################################################
# Generic routing
@app.route( "/ping" )
@app.route( baseurl + "/ping" )
"""
Ping function to check if the web application is healthy.
This function need to check all important element of the web application, i.e. the flask app and the postgresql database.
If the application report a error 500, the healthcheck done by the container orchestrator will fail, hence re-scheduling the container as needed.
"""
config.db.connect() # Try to re-connect to the database to try to serve the requests before the rescheduling
return abort( 500 )
else:
return "pong"
"""
Function to report the version of the web app.
The version.py file is re-generated by the CI/CD for production.
"""
"error": False,
"version": __version__,
"branch": __branch__,
"commit": __commit__,
"commiturl": __commiturl__,
"treeurl": __treeurl__
} )
except:
return jsonify( {
"error": True
} )
################################################################################
# CDN serving
@app.route( baseurl + "/cdn/<path:subpath>" )
def send_cdn_files( subpath ):
"""
Serve the files from the cdn directory.
"""
return send_from_directory( "cdn", subpath )
################################################################################
# App serving
@app.route( baseurl + "/app/<path:subpath>" )
def send_app_files( subpath ):
"""
Serve the file from the app directory (all files related to the ICNML application).
"""
return send_from_directory( "app", subpath )
@app.route( baseurl + "/static/<path:subpath>" )
def send_static_files( subpath ):
"""
Serve static files from the static directory.
"""
return send_from_directory( "static", subpath )
################################################################################
# Sessions
@app.before_request
def renew_session():
"""
Reset the timer before the automatic-logout.
This function is called before every HTTP call.
"""
session.permanent = True
app.permanent_session_lifetime = timedelta( seconds = config.session_timeout )
"""
App route to know if the user is logged in the ICNML main application.
This route is used by nginx to protect some other locations, for example
the PiAnoS dedicated pages.
The session countdown timer is resetted to allow the user to use the protected
location for the rest of the timeout.
"""
app.logger.info( "Check if the user is connected" )
if session.get( "logged", False ):
return "ok"
else:
return abort( 403 )
"""
Logout the user, clear the session and redirect to the login page.
"""
app.logger.info( "Logout and clear session" )
session_clear_and_prepare()
def session_clear_and_prepare():
"""
Clear the session related to the user and initialize the login related variables.
"""
session[ "process" ] = "login"
session[ "need_to_check" ] = [ "password" ]
session[ "logged" ] = False
session[ "session_security_key" ] = str( uuid4() )
"""
Route to serve the login.html page.
"""
app.logger.info( "Login start" )
return my_render_template( "login.html" )
@app.route( baseurl + "/do/login", methods = [ "POST" ] )
"""
Function to manadge the login workflow and check the username, password and TOTP data.
This function is called multiple times because the check is done only for one data
type at the time.
If all the checks are OK, the user has provided all needed information, hence is logged in.
"""
#TODO: double-check this function with someone external
#TODO: combine the security key checks in this function
need_to_check = session.get( "need_to_check", [ "password" ] )
try:
current_check = need_to_check[ 0 ]
except:
current_check = None
session[ "need_to_check" ] = need_to_check
app.logger.info( "Current check: {}".format( current_check ) )
############################################################################
# Username and password check
q = config.db.query( "SELECT * FROM users WHERE username = %s", ( request.form.get( "username" ), ) )
app.logger.error( "Username not found in the database" )
} )
form_password = request.form.get( "password", None )
if form_password == None or not utils.hash.pbkdf2( form_password, user[ "password" ] ).verify():
app.logger.error( "Password not validated" )
app.logger.error( "User not active" )
return jsonify( {
"error": False,
"logged": False,
"message": "Your account is not activated. Please contact an administrator (icnml@unil.ch)."
} )
else:
session[ "username" ] = user[ "username" ]
session[ "user_id" ] = user[ "id" ]
session[ "password_check" ] = True
Loading
Loading full blame...