modules/rietveld/files/wrapper.py - Issue 6155422901731328: Run Rietveld using the AppEngine SDK

Delta Between Two Patch Sets: modules/rietveld/files/wrapper.py

Issue 6155422901731328: Run Rietveld using the AppEngine SDK (Closed)

Left Patch Set: Added missing file and a comment Created June 3, 2015, 4:32 p.m.

Right Patch Set: Addressed comments and added caching Created June 4, 2015, 9:19 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 #!/usr/bin/env python	1 #!/usr/bin/env python

2	2

3 from ConfigParser import SafeConfigParser	3 from ConfigParser import SafeConfigParser

4 import hashlib	4 import hashlib

5 import hmac	5 import hmac

6 import json	6 import json

7 import os	7 import os

8 import re	8 import re

9 import sys	9 import sys

10 import urllib	10 import urllib

11	11

12 OAUTH2_AUTHURL = 'https://accounts.google.com/o/oauth2/auth'	12 OAUTH2_AUTHURL = 'https://accounts.google.com/o/oauth2/auth'

13 OAUTH2_TOKENURL = 'https://accounts.google.com/o/oauth2/token'	13 OAUTH2_TOKENURL = 'https://accounts.google.com/o/oauth2/token'

14 OAUTH2_DATAURL = 'https://www.googleapis.com/plus/v1/people/me'	14 OAUTH2_DATAURL = 'https://www.googleapis.com/plus/v1/people/me'

15 OAUTH2_SCOPE = 'email'	15 OAUTH2_SCOPE = 'email'

16	16

	17 OAUTH2_TOKEN_EXPIRATION = 5 * 60

	18

17 def setup_paths(engine_dir):	19 def setup_paths(engine_dir):

18 sys.path.append(engine_dir)	20 sys.path.append(engine_dir)

19	21

20 import wrapper_util	22 import wrapper_util

21 paths = wrapper_util.Paths(engine_dir)	23 paths = wrapper_util.Paths(engine_dir)

22 script_name = os.path.basename(__file__)	24 script_name = os.path.basename(__file__)

23 sys.path[0:0] = paths.script_paths(script_name)	25 sys.path[0:0] = paths.script_paths(script_name)

24 return script_name, paths.script_file(script_name)	26 return script_name, paths.script_file(script_name)

25	27

26 def adjust_server_id():	28 def adjust_server_id():

(...skipping 41 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
68 orig_create_cookie_data = login._create_cookie_data	70 orig_create_cookie_data = login._create_cookie_data

69 def _create_cookie_data(email, admin):	71 def _create_cookie_data(email, admin):

70 result = orig_create_cookie_data(email, admin)	72 result = orig_create_cookie_data(email, admin)

71 result += ':' + calculate_signature(result)	73 result += ':' + calculate_signature(result)

72 return result	74 return result

73 login._create_cookie_data = _create_cookie_data	75 login._create_cookie_data = _create_cookie_data

74	76

75 def enable_oauth2(client_id, client_secret, admins):	77 def enable_oauth2(client_id, client_secret, admins):

76 from google.appengine.tools.devappserver2 import login	78 from google.appengine.tools.devappserver2 import login

77	79

	80 def request(method, url, data):

	81 if method != 'POST':

	82 url += '?' + urllib.urlencode(data)

	83 data = None

	84 else:

	85 data = urllib.urlencode(data)

	86 response = urllib.urlopen(url, data)

	87 try:

	88 return json.loads(response.read())

	89 finally:

	90 response.close()

	91

	92 token_cache = {}

	93 def get_user_info(access_token):

	94 email, is_admin, expiration = token_cache.get(access_token, (None, None, 0))

	95 now = time.mktime(time.gmtime())

	96 if now > expiration:

	97 get_params = {

	98 'access_token': access_token,

	99 }

	100 data = request('GET', OAUTH2_DATAURL, get_params)

	101 emails = [e for e in data.get('emails') if e['type'] == 'account']

	102 if not emails:

	103 return None, None

	104

	105 email = emails[0]['value']

	106 is_admin = email in admins

	107

	108 for token, (_, _, expiration) in token_cache.items():

	109 if now > expiration:

	110 del token_cache[token]

	111 token_cache[access_token] = (email, is_admin, now + OAUTH2_TOKEN_EXPIRATIO N)

	112 return email, is_admin

	113

78 def get(self):	114 def get(self):

79 def request(method, url, data):

80 if method != 'POST':

81 url += '?' + urllib.urlencode(data)

82 data = None

83 else:

84 data = urllib.urlencode(data)

85 response = urllib.urlopen(url, data)

86 try:

87 return json.loads(response.read())

88 finally:

89 response.close()

90

91 def error(text):	115 def error(text):

92 self.response.status = 200	116 self.response.status = 200

93 self.response.headers['Content-Type'] = 'text/plain'	117 self.response.headers['Content-Type'] = 'text/plain'

94 self.response.write(text.encode('utf-8'))	118 self.response.write(text.encode('utf-8'))

95	119

96 def redirect(url):	120 def redirect(url):

97 self.response.status = 302	121 self.response.status = 302

98 self.response.status_message = 'Found'	122 self.response.status_message = 'Found'

99 self.response.headers['Location'] = url.encode('utf-8')	123 self.response.headers['Location'] = url.encode('utf-8')

100	124

(...skipping 19 matching lines...) Expand all Loading...
120 'client_secret': client_secret,	144 'client_secret': client_secret,

121 'redirect_uri': base_url + login.LOGIN_URL_RELATIVE,	145 'redirect_uri': base_url + login.LOGIN_URL_RELATIVE,

122 'grant_type':'authorization_code',	146 'grant_type':'authorization_code',

123 }	147 }

124 data = request('POST', OAUTH2_TOKENURL, token_params)	148 data = request('POST', OAUTH2_TOKENURL, token_params)

125 token = data.get('access_token')	149 token = data.get('access_token')

126 if not token:	150 if not token:

127 error('No token in response: ' + str(data))	151 error('No token in response: ' + str(data))

128 return	152 return

129	153

130 get_params = {	154 email, is_admin = get_user_info(token)

131 'access_token': token,	155 if not email:

132 }

133 data = request('GET', OAUTH2_DATAURL, get_params)

134 emails = [e for e in data.get('emails') if e['type'] == 'account']

135 if not emails:

136 error('No email address in response: ' + str(data))	156 error('No email address in response: ' + str(data))

137 return	157 return

138

139 email = emails[0]['value']

140 is_admin = email in admins

141 self.response.headers['Set-Cookie'] = login._set_user_info_cookie(email, i s_admin)	158 self.response.headers['Set-Cookie'] = login._set_user_info_cookie(email, i s_admin)

142 redirect(continue_url)	159 redirect(continue_url)

143	160

144 action = self.request.get(login.ACTION_PARAM)	161 action = self.request.get(login.ACTION_PARAM)

145 continue_url = self.request.get(login.CONTINUE_PARAM)	162 continue_url = self.request.get(login.CONTINUE_PARAM)

146 continue_url = re.sub(r'^http:', 'https:', continue_url)	163 continue_url = re.sub(r'^http:', 'https:', continue_url)

147 base_url = 'https://%s/' % self.request.environ['HTTP_HOST']	164 base_url = 'https://%s/' % self.request.environ['HTTP_HOST']

148	165

149 if action.lower() == login.LOGOUT_ACTION.lower():	166 if action.lower() == login.LOGOUT_ACTION.lower():

150 logout(continue_url or base_url)	167 logout(continue_url or base_url)

151 elif self.request.get('error'):	168 elif self.request.get('error'):

152 error('Authorization failed: ' + self.request.get('error'))	169 error('Authorization failed: ' + self.request.get('error'))

153 else:	170 else:

154 code = self.request.get('code')	171 code = self.request.get('code')

155 if code:	172 if code:

156 login_step2(code, self.request.get('state') or base_url)	173 login_step2(code, self.request.get('state') or base_url)

157 else:	174 else:

158 login_step1(continue_url or base_url)	175 login_step1(continue_url or base_url)

159	176

160 login.Handler.get = get	177 login.Handler.get = get

161	178

	179 from google.appengine.api import user_service_stub, user_service_pb

	180 from google.appengine.runtime import apiproxy_errors

	181 def _Dynamic_GetOAuthUser(self, request, response, request_id):

	182 environ = self.request_data.get_request_environ(request_id)

	183 match = re.search(r'^OAuth (\S+)', environ.get('HTTP_AUTHORIZATION', ''))

	184 if not match:

	185 raise apiproxy_errors.ApplicationError(

	186 user_service_pb.UserServiceError.OAUTH_INVALID_REQUEST)

	187

	188 email, is_admin = get_user_info(match.group(1))

	189 if not email:

	190 raise apiproxy_errors.ApplicationError(

	191 user_service_pb.UserServiceError.OAUTH_INVALID_TOKEN)

	192

	193 # User ID is based on email address, see appengine.tools.devappserver2.login

	194 user_id_digest = hashlib.md5(email.lower()).digest()

	195 user_id = '1' + ''.join(['%02d' % ord(x) for x in user_id_digest])[:20]
	Sebastian Noack 2015/06/04 21:51:43 WTF this algorithm, but I suppose we have to use i WTF this algorithm, but I suppose we have to use it. Wladimir Palant 2015/06/04 23:19:54 Luckily, it doesn't seem to matter - Rietveld work Show quoted text On 2015/06/04 21:51:43, Sebastian Noack wrote: > WTF this algorithm, but I suppose we have to use it. Luckily, it doesn't seem to matter - Rietveld works only with email addresses, it doesn't care about user IDs. Otherwise this would be a security hole I think, generating a collision with user IDs shouldn't be hard.
	196

	197 response.set_email(email)

	198 response.set_user_id(user_id)

	199 response.set_auth_domain(user_service_stub._DEFAULT_AUTH_DOMAIN)

	200 response.set_is_admin(is_admin)

	201 response.set_client_id(client_id)

	202 response.add_scopes(OAUTH2_SCOPE)

	203

	204 user_service_stub.UserServiceStub._Dynamic_GetOAuthUser = _Dynamic_GetOAuthUse r

	205

162	206

163 if __name__ == '__main__':	207 if __name__ == '__main__':

164 engine_dir = '/opt/google_appengine'	208 engine_dir = '/opt/google_appengine'

165 storage_path = '/var/lib/rietveld'	209 storage_path = '/var/lib/rietveld'

166	210

167 script_name, script_file = setup_paths(engine_dir)	211 script_name, script_file = setup_paths(engine_dir)

168 adjust_server_id()	212 adjust_server_id()

169 fix_request_scheme()	213 fix_request_scheme()

170	214

171 if script_name == 'dev_appserver.py':	215 if script_name == 'dev_appserver.py':

172 config = read_config(os.path.join(storage_path, 'config.ini'))	216 config = read_config(os.path.join(storage_path, 'config.ini'))

173	217

174 set_storage_path(storage_path)	218 set_storage_path(storage_path)

175 replace_runtime()	219 replace_runtime()

176 protect_cookies(config.get('main', 'cookie_secret'))	220 protect_cookies(config.get('main', 'cookie_secret'))

177 enable_oauth2(	221 enable_oauth2(

178 config.get('oauth2', 'client_id'),	222 config.get('oauth2', 'client_id'),

179 config.get('oauth2', 'client_secret'),	223 config.get('oauth2', 'client_secret'),

180 config.get('main', 'admins').split()	224 config.get('main', 'admins').split()

181 )	225 )

182	226

183 execfile(script_file)	227 execfile(script_file)

LEFT	RIGHT