Changeset c004bc in indico

Timestamp:

11/25/11 09:26:26 (19 months ago)

Author:

Jose Benito <jose.benito.gonzalez@…>

Branches:

master, hello-world-walkthrough, ipv6, v0.98-series, v0.98.2, v0.98.3, v0.99, b8c30da8ebdbdcbd675a873997cc3e95f567de49, 4287315ec967a3da168d83963c14001db8487d53

Children:

dfa9c9

Parents:

71df20

git-author:

Adrian Moennich <jerome.ernst.monnich@…> (09/27/11 14:28:29)

git-committer:

Jose Benito <jose.benito.gonzalez@…> (11/25/11 09:26:26)

Message:

[IMP] Support persistent api requests (w/o tstamp)

Files:

• doc/guides/ExportAPI/access.rst (modified) (5 diffs)
• indico/MaKaC/webinterface/rh/api.py (modified) (1 diff)
• indico/MaKaC/webinterface/tpls/UserAPI.tpl (modified) (1 diff)
• indico/MaKaC/webinterface/urlHandlers.py (modified) (1 diff)
• indico/htdocs/userAPI.py (modified) (1 diff)
• indico/web/http_api/auth.py (modified) (2 diffs)
• indico/web/http_api/handlers.py (modified) (2 diffs)

doc/guides/ExportAPI/access.rst

@@ -80 +80 @@
 You can find example code for Python and PHP in the following sections.
 
+If persistent signatures are enabled, you can also omit the timestamp.
+In this case the URL is valid forever. When using this feature, please
+make sure to use these URLs only where necessary - use timestamped
+URLs whenever possible.
+
 Request Signing for Python
 ^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -91 +96 @@
 
 
-    def build_indico_request(path, params, api_key=None, secret_key=None, only_public=False):
+    def build_indico_request(path, params, api_key=None, secret_key=None, only_public=False, persistent=False):
         items = params.items() if hasattr(params, 'items') else list(params)
         if api_key:
@@ -98 +103 @@
             items.append(('onlypublic', 'yes'))
         if secret_key:
-            items.append(('timestamp', str(int(time.time()))))
+            if not persistent:
+                items.append(('timestamp', str(int(time.time()))))
             items = sorted(items, key=lambda x: x[0].lower())
             url = '%s?%s' % (path, urllib.urlencode(items))
@@ -125 +131 @@
     <?php
 
-    function build_indico_request($path, $params, $api_key = null, $secret_key = null, $only_public = false) {
+    function build_indico_request($path, $params, $api_key = null, $secret_key = null, $only_public = false, $persistent = false) {
         if($api_key) {
             $params['apikey'] = $api_key;
@@ -135 +141 @@
 
         if($secret_key) {
-            $params['timestamp'] = time();
+            if(!$persistent) {
+                $params['timestamp'] = time();
+            }
             uksort($params, 'strcasecmp');
             $url = $path . '?' . http_build_query($params);

indico/MaKaC/webinterface/rh/api.py

@@ -47 +47 @@
             ak.newKey()
             ak.newSignKey()
+        self._redirect(urlHandlers.UHUserAPI.getURL(self._avatar))
+
+class RHUserAPIPersistent(RHUserBase):
+    def _checkParams(self, params):
+        RHUserBase._checkParams(self, params)
+        self._ak = self._avatar.getAPIKey()
+
+    def _checkProtection(self):
+        RHUserBase._checkProtection(self)
+        ak = self._avatar.getAPIKey()
+        if ak and ak.isBlocked():
+            raise AccessError()
+
+    def _process(self):
+        self._ak.setPersistentAllowed(not self._ak.isPersistentAllowed())
         self._redirect(urlHandlers.UHUserAPI.getURL(self._avatar))
 

indico/MaKaC/webinterface/tpls/UserAPI.tpl

@@ -61 +61 @@
             <td>
                 % if not apiKey:
-                    <form action="${urlHandlers.UHUserAPICreate.getURL(avatar)}" method="POST" onsubmit="return confirm('${_("Please only create an API key if you actually need one. Unused API keys might be deleted after some time.")}');">
+                    <form action="${urlHandlers.UHUserAPICreate.getURL(avatar)}" method="POST" onsubmit="return confirm($T('Please only create an API key if you actually need one. Unused API keys might be deleted after some time.'));">
                         <input type="submit" value="${_('Create API key')}" />
                     </form>
                 % else:
-                    <form action="${urlHandlers.UHUserAPICreate.getURL(avatar)}" method="POST" onsubmit="return confirm('${_("Warning: When creating a new API key pair, your old key pair will stop working immediately!")}');">
+                    <form action="${urlHandlers.UHUserAPICreate.getURL(avatar)}" method="POST" onsubmit="return confirm($T('Warning: When creating a new API key pair, your old key pair will stop working immediately!'));">
                         <input type="submit" value="${_('Create a new API key pair')}" />
                     </form>
+                    % if apiKey.isPersistentAllowed():
+                        <form action="${urlHandlers.UHUserAPIPersistent.getURL(avatar)}" method="POST" onsubmit="return confirm($T('When disabling persistent signatures, all signed requests need a valid timestamp again. If you enable them again, old persistent links will start working again - if you need to to invalidate them, you need to create a new API key!'));">
+                            <input type="submit" value="${_('Disable persistent signatures')}" />
+                        </form>
+                    % else:
+                        <form action="${urlHandlers.UHUserAPIPersistent.getURL(avatar)}" method="POST" onsubmit="return confirm($T('With persistent signatures signed requests without a timestamp are allowed. By enabling them you agree to keep those links private and ensure that no unauthorized people will use them.'));">
+                            <input type="submit" value="${_('Enable persistent signatures')}" />
+                        </form>
+                    % endif
                 % endif
             </td>

indico/MaKaC/webinterface/urlHandlers.py

@@ -1977 +1977 @@
 class UHUserAPICreate( URLHandler ):
     _relativeURL = "userAPI.py/create"
+
+class UHUserAPIPersistent( URLHandler ):
+    _relativeURL = "userAPI.py/persistent"
 
 class UHUserAPIBlock( URLHandler ):

indico/htdocs/userAPI.py

@@ -8 +8 @@
     return api.RHUserAPICreate(req).process(params)
 
+def persistent(req, **params):
+    return api.RHUserAPIPersistent(req).process(params)
+
 def block(req, **params):
     return api.RHUserAPIBlock(req).process(params)

indico/web/http_api/auth.py

@@ -47 +47 @@
         self._lastUseAuthenticated = False
         self._oldKeys = PersistentList()
+        self._persistentAllowed = False
 
     def getUser(self):
@@ -100 +101 @@
         return self._oldKeys
 
+    def isPersistentAllowed(self):
+        return getattr(self, '_persistentAllowed', False)
+
+    def setPersistentAllowed(self, val):
+        self._persistentAllowed = val
+
     def used(self, ip, path, query, authenticated):
         self._lastUsedDT = datetime.datetime.now()

indico/web/http_api/handlers.py

@@ -75 +75 @@
 
 
-def validateSignature(key, signature, timestamp, path, query):
+def validateSignature(ak, signature, timestamp, path, query):
     ttl = HelperMaKaCInfo.getMaKaCInfoInstance().getAPISignatureTTL()
-    if not timestamp:
+    if not timestamp and not ak.isPersistentAllowed():
         raise HTTPAPIError('Signature invalid (no timestamp)', apache.HTTP_FORBIDDEN)
-    elif abs(timestamp - int(time.time())) > ttl:
+    elif timestamp and abs(timestamp - int(time.time())) > ttl:
         raise HTTPAPIError('Signature invalid (bad timestamp)', apache.HTTP_FORBIDDEN)
-    digest = hmac.new(key, normalizeQuery(path, query), hashlib.sha1).hexdigest()
+    digest = hmac.new(ak.getSignKey(), normalizeQuery(path, query), hashlib.sha1).hexdigest()
     if signature != digest:
         raise HTTPAPIError('Signature invalid', apache.HTTP_FORBIDDEN)
@@ -102 +102 @@
     onlyPublic = False
     if signature:
-        validateSignature(ak.getSignKey(), signature, timestamp, path, query)
+        validateSignature(ak, signature, timestamp, path, query)
     elif apiMode in (API_MODE_SIGNED, API_MODE_ALL_SIGNED):
         raise HTTPAPIError('Signature missing', apache.HTTP_FORBIDDEN)