From e9beffc799390c4a6f61d1b6e83fda610dc4b14c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Fri, 14 Nov 2014 17:58:42 +0100
Subject: [PATCH] Properly recognize app session keys everywhere. Also fixed a bug where the ApiUser was not properly provisioned with his roles.
---
 src/octoprint/server/__init__.py | 3 +++
 src/octoprint/server/util/__init__.py | 9 ++++-----
 src/octoprint/server/util/flask.py | 24 +-----------------------
 src/octoprint/users.py | 2 +-
 4 files changed, 9 insertions(+), 29 deletions(-)
diff --git a/src/octoprint/server/__init__.py b/src/octoprint/server/__init__.py
index 0de8e70f..b1e75cee 100644
--- a/src/octoprint/server/__init__.py
+++ b/src/octoprint/server/__init__.py
@@ -165,6 +165,9 @@ def on_identity_loaded(sender, identity):
 def load_user(id):
+ if id == "_api":
+ return users.ApiUser()
+
 if session and "usersession.id" in session:
 sessionid = session["usersession.id"]
 else:
diff --git a/src/octoprint/server/util/__init__.py b/src/octoprint/server/util/__init__.py
index 4e964e3f..e840fca2 100644
--- a/src/octoprint/server/util/__init__.py
+++ b/src/octoprint/server/util/__init__.py
@@ -18,14 +18,13 @@ from . import watchdog
 def get_user_for_apikey(apikey):
 if settings().get(["api", "enabled"]) and apikey is not None:
- if apikey == settings().get(["api", "key"]):
- # master key was used
+ if apikey == settings().get(["api", "key"]) or octoprint.server.appSessionManager.validate(apikey):
+ # master key or an app session key was used
 return ApiUser()
- else:
+ elif octoprint.server.userManager is not None:
 # user key might have been used
 return octoprint.server.userManager.findUser(apikey=apikey)
- else:
- return None
+ return None
 def get_api_key(request):
diff --git a/src/octoprint/server/util/flask.py b/src/octoprint/server/util/flask.py
index ed664fb5..8a275bcd 100644
--- a/src/octoprint/server/util/flask.py
+++ b/src/octoprint/server/util/flask.py
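Review bot: `load_user` now returns an all-roles `users.ApiUser()` for the id `"_api"` before the session is even consulted, so anything that ends up stored as a Flask-Login user id with that value is loaded as the API principal, and nothing in this diff prevents an ordinary account from being created under the name `_api` (the hunk does not show where, if anywhere, the user manager rejects it). Either reserve the name at user-creation time (outside this diff) or at least document the invariant on the new branch: `# "_api" is reserved for ApiUser (users.py); the user manager must never create an account with this name`. load_user's body continues past the hunk, so I cannot see whether the session-id path below handles this id differently.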
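Review bot: `get_user_for_apikey` hands out the all-roles `ApiUser` whenever `apikey == settings().get(["api", "key"])`, but the new condition never checks that a master key is actually configured; if that setting is empty and `get_api_key` can return an empty string, the comparison succeeds and the caller's `apikey is not None` check does not catch it. I would read the key once and require it to be non-empty: `master_key = settings().get(["api", "key"])` followed by `if (master_key and apikey == master_key) or octoprint.server.appSessionManager.validate(apikey):`. The same line calls `appSessionManager.validate` unconditionally while the new `elif` guards against `userManager is None`; if `appSessionManager` can likewise be unset at this point in startup, the call raises instead of falling through to `return None`. The plain `==` on the key is not constant-time; `hmac.compare_digest` (Python 2.7.7+/3.3+) is the drop-in if the project's interpreter floor allows it.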
@@ -123,15 +123,7 @@ def restricted_access(func, api_enabled=True):
 # if API is globally enabled, enabled for this request and an api key is provided that is not the current UI API key, try to use that
 apikey = octoprint.server.util.get_api_key(flask.request)
 if settings().get(["api", "enabled"]) and api_enabled and apikey is not None and apikey != octoprint.server.UI_API_KEY:
- if apikey == settings().get(["api", "key"]):
- # master key was used
- user = octoprint.users.ApiUser()
- elif octoprint.server.appSessionManager.validate(apikey):
- # valid app session key was used
- user = octoprint.users.ApiUser()
- else:
- # user key might have been used
- user = octoprint.server.userManager.findUser(apikey=apikey)
+ user = octoprint.server.util.get_user_for_apikey(apikey)
 if user is None:
 return flask.make_response("Invalid API key", 401)
@@ -144,20 +136,6 @@ def restricted_access(func, api_enabled=True):
 return decorated_view
-def api_access(func):
- @functools.wraps(func)
- def decorated_view(*args, **kwargs):
- if not settings().get(["api", "enabled"]):
- flask.make_response("API disabled", 401)
- apikey = octoprint.server.util.get_api_key(flask.request)
- if apikey is None:
- flask.make_response("No API key provided", 401)
- if apikey != settings().get(["api", "key"]):
- flask.make_response("Invalid API key", 403)
- return func(*args, **kwargs)
- return decorated_view
-
-
 class AppSessionManager(object):
 VALIDITY_UNVERIFIED = 1 * 60 # 1 minute
diff --git a/src/octoprint/users.py b/src/octoprint/users.py
index 2d01a53e..be5b36d5 100644
--- a/src/octoprint/users.py
+++ b/src/octoprint/users.py
@@ -411,4 +411,4 @@ def dummy_identity_loader():
 class ApiUser(User):
 def __init__(self):
- User.__init__(self, "api", "", True, UserManager.valid_roles)
+ User.__init__(self, "_api", "", True, UserManager.valid_roles)
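Review bot: With the three branches collapsed into one `get_user_for_apikey` call, nothing at this call site says any more that a master key and a validated app session key both come back as an all-roles `ApiUser` while a user key comes back as the owning user; that is the privilege decision for every request passing through `restricted_access`, so it deserves a comment on the new line: `# master key and app session keys yield ApiUser (all roles), a user key yields that user, None means reject`. The `if user is None` reply now also covers the case where the helper returns `None` because the user manager is not initialised yet, so "Invalid API key" is sent for a server-side condition as well as a bad key; if those should be told apart, the helper would have to signal them differently. restricted_access begins and ends outside this hunk.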