Unquote necessary url parts during routing #85

Merged
merged 3 commits into from
May 25, 2016
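--- a/auslib/admin/base.py
+++ b/auslib/admin/base.py
@@ -1,3 +1,5 @@
+import urllib
+
 from flask import Flask, request
 from flask_compress import Compress
 
@@ -20,6 +22,21 @@
 create_dockerflow_endpoints(app)
 
 
+# When running under uwsgi, paths will not get decoded before hitting the app.
+# We need to handle this ourselves in certain fields, and adding converters
+# for them is the best way to do this.
+class UnquotingMiddleware(object):
+def __init__(self, app):
+self.app = app
+
+def __call__(self, environ, start_response):
+environ["PATH_INFO"] = urllib.unquote(environ["PATH_INFO"])
+return self.app(environ, start_response)
+
+
+app.wsgi_app = UnquotingMiddleware(app.wsgi_app)
+
+
 @app.errorhandler(500)
 def ise(error):
 log.error("Caught ISE 500 error.")
@@ -37,6 +54,7 @@ def add_security_headers(response):
 
 Compress(app)
 
+
 # Endpoints required for the Balrog 2.0 UI.
 # In the Mozilla deployments of Balrog, both the the admin API (these endpoints)
 # and the static admin UI are hosted on the same domain. This API wsgi app is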
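Review bot: `UnquotingMiddleware.__call__` percent-decodes the whole of `PATH_INFO` on every request regardless of which server is in front, so wherever the path arrives already decoded (the test file's comment says Werkzeug's test client does this) it is decoded a second time. A twice-decoded path lets the app route on something different from what a front-end proxy or path-based access rule evaluated, and a decoded `%2f` inside a segment moves the segment boundaries before URL matching. The comment above the class says converters for specific fields are the best approach, yet the code installs a global middleware; either scope the decoding to those fields or make the comment say what the code does, e.g. `# Decodes the entire path once; only correct when the server passes PATH_INFO still percent-encoded (uwsgi).` A request environ without `PATH_INFO` would also raise `KeyError` here, which `environ.get("PATH_INFO", "")` avoids.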
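--- a/auslib/test/admin/views/test_permissions.py
+++ b/auslib/test/admin/views/test_permissions.py
@@ -36,6 +36,37 @@ def testPermissionPut(self):
 query = query.where(dbo.permissions.permission == 'admin')
 self.assertEqual(query.execute().fetchone(), ('admin', 'bob', None, 1))
 
+def testPermissionPutWithEmail(self):
+ret = self._put('/users/[email protected]/permissions/admin')
+self.assertStatusCode(ret, 201)
+self.assertEqual(ret.data, json.dumps(dict(new_data_version=1)), "Data: %s" % ret.data)
+query = dbo.permissions.t.select()
+query = query.where(dbo.permissions.username == '[email protected]')
+query = query.where(dbo.permissions.permission == 'admin')
+self.assertEqual(query.execute().fetchone(), ('admin', '[email protected]', None, 1))
+
+# This test is meant to verify that the app properly unquotes URL parts
+# as part of routing, because it is required when running under uwsgi.
+# Unfortunately, Werkzeug's test Client will unquote URL parts before
+# the app sees them, so this test doesn't actually verify that case...
+def testPermissionPutWithQuotedEmail(self):
+ret = self._put('/users/bob%40bobsworld.com/permissions/admin')
+self.assertStatusCode(ret, 201)
+self.assertEqual(ret.data, json.dumps(dict(new_data_version=1)), "Data: %s" % ret.data)
+query = dbo.permissions.t.select()
+query = query.where(dbo.permissions.username == '[email protected]')
+query = query.where(dbo.permissions.permission == 'admin')
+self.assertEqual(query.execute().fetchone(), ('admin', '[email protected]', None, 1))
+
+def testPermissionPutWithQuotedUrl(self):
+ret = self._put('/users/bob/permissions/%2frules')
+self.assertStatusCode(ret, 201)
+self.assertEqual(ret.data, json.dumps(dict(new_data_version=1)), "Data: %s" % ret.data)
+query = dbo.permissions.t.select()
+query = query.where(dbo.permissions.username == 'bob')
+query = query.where(dbo.permissions.permission == '/rules')
+self.assertEqual(query.execute().fetchone(), ('/rules', 'bob', None, 1))
+
 def testPermissionsPostWithHttpRemoteUser(self):
 ret = self._httpRemoteUserPost('/users/bill/permissions/admin', username="bob", data=dict(options="", data_version=1))
 self.assertEqual(ret.status_code, 200, "Status Code: %d" % ret.status_code)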
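Review bot: None of the added tests hands `UnquotingMiddleware` a still-encoded `PATH_INFO`, as the comment above `testPermissionPutWithQuotedEmail` itself acknowledges, so the behaviour this change exists for is not verified. A direct test that calls the middleware with a hand-built environ and a stub app would cover it, for instance asserting that `{"PATH_INFO": "/users/bob%40bobsworld.com/permissions/admin"}` reaches the stub decoded. Because the middleware decodes unconditionally, it would also be worth pinning what it does with a path that is already decoded or is encoded twice. `testPermissionsPostWithHttpRemoteUser` continues outside the hunk.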