openwebrx-clone/owrx/controllers/admin.py

from owrx.controllers.session import SessionStorage
from owrx.users import UserList
from urllib import parse
from http.cookies import SimpleCookie

import logging

logger = logging.getLogger(__name__)


class Authentication(object):
    def getUser(self, request):
        if "owrx-session" not in request.cookies:
            return None
        session_id = request.cookies["owrx-session"].value
        storage = SessionStorage.getSharedInstance()
        session = storage.getSession(session_id)
        if session is None:
            return None
        if "user" not in session:
            return None
        userList = UserList.getSharedInstance()
        user = None
        try:
            user = userList[session["user"]]
            storage.prolongSession(session_id)
        except KeyError:
            pass
        return user


class AuthorizationMixin(object):
    def __init__(self, handler, request, options):
        self.authentication = Authentication()
        self.user = self.authentication.getUser(request)
        super().__init__(handler, request, options)

    def isAuthorized(self):
        return self.user is not None and self.user.is_enabled() and not self.user.must_change_password

    def handle_request(self):
        if self.isAuthorized():
            super().handle_request()
        else:
            cookie = SimpleCookie()
            cookie["owrx-session"] = ""
            cookie["owrx-session"]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
            self.set_response_cookies(cookie)
            if (
                "x-requested-with" in self.request.headers
                and self.request.headers["x-requested-with"] == "XMLHttpRequest"
            ):
                self.send_response("{}", code=403)
            else:
                target = "{}login?{}".format(self.get_document_root(), parse.urlencode({"ref": self.request.path[1:]}))
                self.send_redirect(target)
clear session cookie if invalid 2021-05-03 21:22:28 +00:00			`from owrx.controllers.session import SessionStorage`
thoroughly validate user 2021-02-08 16:09:22 +00:00			`from owrx.users import UserList`
implement redirect on login 2020-04-25 23:54:48 +00:00			`from urllib import parse`
clear session cookie if invalid 2021-05-03 21:22:28 +00:00			`from http.cookies import SimpleCookie`
implement redirect on login 2020-04-25 23:54:48 +00:00
			`import logging`

			`logger = logging.getLogger(__name__)`
prepare route protection 2020-02-23 18:23:18 +00:00

			`class Authentication(object):`
implement forced password change for generated passwords 2021-02-08 17:30:54 +00:00			`def getUser(self, request):`
thoroughly validate user 2021-02-08 16:09:22 +00:00			`if "owrx-session" not in request.cookies:`
implement forced password change for generated passwords 2021-02-08 17:30:54 +00:00			`return None`
implement session timeout 2021-05-03 21:07:27 +00:00			`session_id = request.cookies["owrx-session"].value`
			`storage = SessionStorage.getSharedInstance()`
			`session = storage.getSession(session_id)`
thoroughly validate user 2021-02-08 16:09:22 +00:00			`if session is None:`
implement forced password change for generated passwords 2021-02-08 17:30:54 +00:00			`return None`
thoroughly validate user 2021-02-08 16:09:22 +00:00			`if "user" not in session:`
implement forced password change for generated passwords 2021-02-08 17:30:54 +00:00			`return None`
thoroughly validate user 2021-02-08 16:09:22 +00:00			`userList = UserList.getSharedInstance()`
implement session timeout 2021-05-03 21:07:27 +00:00			`user = None`
thoroughly validate user 2021-02-08 16:09:22 +00:00			`try:`
implement session timeout 2021-05-03 21:07:27 +00:00			`user = userList[session["user"]]`
			`storage.prolongSession(session_id)`
thoroughly validate user 2021-02-08 16:09:22 +00:00			`except KeyError:`
implement session timeout 2021-05-03 21:07:27 +00:00			`pass`
			`return user`
prepare route protection 2020-02-23 18:23:18 +00:00

refactor authentication / authorization into a mixin 2021-02-10 19:21:45 +00:00			`class AuthorizationMixin(object):`
prepare route protection 2020-02-23 18:23:18 +00:00			`def __init__(self, handler, request, options):`
			`self.authentication = Authentication()`
implement forced password change for generated passwords 2021-02-08 17:30:54 +00:00			`self.user = self.authentication.getUser(request)`
prepare route protection 2020-02-23 18:23:18 +00:00			`super().__init__(handler, request, options)`

implement forced password change for generated passwords 2021-02-08 17:30:54 +00:00			`def isAuthorized(self):`
			`return self.user is not None and self.user.is_enabled() and not self.user.must_change_password`

prepare route protection 2020-02-23 18:23:18 +00:00			`def handle_request(self):`
implement forced password change for generated passwords 2021-02-08 17:30:54 +00:00			`if self.isAuthorized():`
prepare route protection 2020-02-23 18:23:18 +00:00			`super().handle_request()`
			`else:`
clear session cookie if invalid 2021-05-03 21:22:28 +00:00			`cookie = SimpleCookie()`
			`cookie["owrx-session"] = ""`
			`cookie["owrx-session"]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"`
			`self.set_response_cookies(cookie)`
don't redirect XHR calls to the login page, 403 instead 2021-03-27 22:45:21 +00:00			`if (`
			`"x-requested-with" in self.request.headers`
			`and self.request.headers["x-requested-with"] == "XMLHttpRequest"`
			`):`
			`self.send_response("{}", code=403)`
			`else:`
fix login for path routed environment 2021-04-18 13:59:05 +00:00			`target = "{}login?{}".format(self.get_document_root(), parse.urlencode({"ref": self.request.path[1:]}))`
don't redirect XHR calls to the login page, 403 instead 2021-03-27 22:45:21 +00:00			`self.send_redirect(target)`