a&a

2021-01-27 14:13:49 +01:00 · 2021-01-27 14:13:49 +01:00 · d91cd9a3da
commit d91cd9a3da
parent e0f57e9de6
5 changed files with 51 additions and 17 deletions
--- a/Mieter.py
+++ b/Mieter.py
@ -1,6 +1,8 @@
 from dbpool import getConnection, getMany, getOne
+from auth import check_scope

-def get_mieters():
+def get_mieters(token_info):
+    check_scope(token_info, [ "mieter/read", "wohnung/read", "objekt/read" ])
    return getMany("""
 SELECT m.id as id, 
       o.id as objekt,
@ -21,7 +23,8 @@ SELECT m.id as id,
        w.id = m.wohnung
    """, [], "Mieter")

-def get_mieter(id=None):
+def get_mieter(id, token_info):
+    check_scope(token_info, [ "mieter/read", "wohnung/read", "objekt/read" ])
    return getOne("""
 SELECT m.id as id, 
       o.id as objekt,
--- a/Objekte.py
+++ b/Objekte.py
@ -1,8 +1,11 @@
 from dbpool import getConnection, getMany, getOne
+from auth import check_scope

-def get_objekte():
+def get_objekte(token_info):
+    check_scope(token_info, "objekt/read")
    return getMany("SELECT id, shortname, flaeche FROM objekt", [], "Objekt")

-def get_objekt(id=None):
+def get_objekt(id, token_info):
+    check_scope(token_info, "objekt/read")
    return getOne("SELECT id, shortname, flaeche FROM objekt WHERE id = ?", 
                  (id,), "Objekt")
--- a/Wohnungen.py
+++ b/Wohnungen.py
@ -1,6 +1,9 @@
 from dbpool import getConnection, getOne, getMany
+from auth import check_scope

-def get_wohnungen():
+
+def get_wohnungen(token_info):
+    check_scope(token_info, "wohnung/read")
    return getMany("""
 SELECT w.id as id, 
       w.objekt as objekt, 
@ -11,7 +14,8 @@ SELECT w.id as id,
  WHERE o.id = w.objekt
 """, [], "Wohnung")

-def get_wohnung(id=None):
+def get_wohnung(id, token_info):
+    check_scope(token_info, [ "wohnung/read", "objekt/read" ])
    return getOne("""
 SELECT w.id as id, 
       w.objekt as objekt, 
@ -23,7 +27,8 @@ SELECT w.id as id,
        w.id = ?
 """, (id, ), "Wohnung")

-def get_wohnungen_by_objekt(id):
+def get_wohnungen_by_objekt(id, token_info):
+    check_scope(token_info, [ "wohnung/read", "objekt/read" ])
    return getMany("""
 SELECT w.id as id, 
       w.objekt as objekt, 
--- a/ZahlungenForderungen.py
+++ b/ZahlungenForderungen.py
@ -2,8 +2,10 @@ from dbpool import getConnection, getOne, getMany, putOne
 import datetime
 import decimal
 import dateparser
+from auth import check_scope

-def get_zahlungen_by_mieter(mieter_id):
+def get_zahlungen_by_mieter(mieter_id, token_info):
+  check_scope(token_info, "zahlung/read")
  return getMany("""
 SELECT id, 
       mieter, 
@ -28,7 +30,8 @@ SELECT id,
 """, [ id ], "Zahlung")


-def get_forderungen_by_mieter(mieter_id):
+def get_forderungen_by_mieter(mieter_id, token_info):
+  check_scope(token_info, "forderung/read")
  return getMany("""
 SELECT id, 
       mieter,
@ -40,7 +43,8 @@ SELECT id,
  WHERE mieter = ?
 """, [ mieter_id ], "Forderung")

-def get_forderung(id):
+def get_forderung(id, token_info):
+  check_scope(token_info, "forderung/read")
  return getOne("""
 SELECT id, 
       mieter,
@ -52,7 +56,8 @@ SELECT id,
  WHERE id = ?
 """, [ id ], "Forderung")

-def get_zahlungforderung_by_mieter_and_year(mieter_id, year):
+def get_zahlungforderung_by_mieter_and_year(mieter_id, year, token_info):
+  check_scope(token_info, [ "forderung/read", "zahlung/read", "mieter/read" ])
  if year == 0:
    year = datetime.datetime.now().year
  start_date = "{}-01-01".format(year)
@ -72,7 +77,8 @@ WHERE mieter = ? AND
  datum_soll BETWEEN ? AND ?
 """, [mieter_id, start_date, end_date], "ZahlungForderung")

-def get_saldo_by_mieter_and_year(mieter_id, year):
+def get_saldo_by_mieter_and_year(mieter_id, year, token_info):
+  check_scope(token_info, [ "forderung/read", "zahlung/read", "mieter/read" ])
  if year == 0:
    year = datetime.datetime.now().year
  start_date = "{}-01-01".format(year)
@ -106,7 +112,8 @@ WHERE mieter = ? AND
    "zahlungen": float(sumZ)
  }

-def put_zahlung(zahlung):
+def put_zahlung(zahlung, token_info):
+  check_scope(token_info, "zahlung/write")
  print("Input of put_zahlung: {} {}".format(type(zahlung), zahlung))
  datum_soll = dateparser.parse(zahlung["datum_soll"], languages=["de"])
  datum_ist = dateparser.parse(zahlung["datum_ist"], languages=["de"])
--- a/auth.py
+++ b/auth.py
@ -1,7 +1,6 @@
 import time
 import connexion
-import six
-from werkzeug.exceptions import Unauthorized
+from werkzeug.exceptions import Unauthorized, Forbidden
 from jose import JWTError, jwt
 import os

@ -11,10 +10,26 @@ JWT_SECRET = os.environ['JWT_SECRET']

 def decode_token(token):
    try:
-        return jwt.decode(token, JWT_SECRET)
+        print("DEBUG decode_token: try to decode")
+        token_info = jwt.decode(token, JWT_SECRET)
+        print("DEBUG decode_token: token_info: {}".format(token_info))
+        return token_info
    except JWTError as e:
-        six.raise_from(Unauthorized, e)
+        print("ERROR decode_token: error when decoding token: {}".format(e))
+        raise Unauthorized()

+def check_token(token, key, value):
+    if (key in token) and ((token[key] == value) or (isinstance(token[key], list) and (value in token[key]))):
+        return True
+    print("WARN: check_token: {} -> {} required but not granted".format(key, value))
+    raise Forbidden()
+
+def check_scope(token, value):
+    if isinstance(value, list):
+        for v in value:
+            check_token(token, "x-scope", v)
+    else:
+        check_token(token, "x-scope", value)

 def get_secret(user, token_info) -> str:
    return '''
@ -23,6 +38,7 @@ def get_secret(user, token_info) -> str:
    '''.format(user=user, token_info=token_info)


+
 def _current_timestamp() -> int:
    return int(time.time())