2019-07-25 21:03:35 +02:00
|
|
|
from functools import wraps
|
|
|
|
from typing import Any, Callable, Dict
|
2016-06-01 14:39:58 +02:00
|
|
|
|
2016-06-24 02:26:09 +02:00
|
|
|
from django.utils.module_loading import import_string
|
2019-07-25 21:03:35 +02:00
|
|
|
from django.utils.cache import add_never_cache_headers
|
2013-10-17 19:21:18 +02:00
|
|
|
from django.views.decorators.csrf import csrf_exempt, csrf_protect
|
|
|
|
|
|
|
|
from zerver.decorator import authenticated_json_view, authenticated_rest_api_view, \
|
tornado: Rewrite Django integration to duplicate less code.
Since essentially the first use of Tornado in Zulip, we've been
maintaining our Tornado+Django system, AsyncDjangoHandler, with
several hundred lines of Django code copied into it.
The goal for that code was simple: We wanted a way to use our Django
middleware (for code sharing reasons) inside a Tornado process (since
we wanted to use Tornado for our async events system).
As part of the Django 2.2.x upgrade, I looked at upgrading this
implementation to be based off modern Django, and it's definitely
possible to do that:
* Continue forking load_middleware to save response middleware.
* Continue manually running the Django response middleware.
* Continue working out a hack involving copying all of _get_response
to change a couple lines allowing our Tornado code to not
actually return the Django HttpResponse so we can long-poll. The
previous hack of returning None stopped being viable with the Django 2.2
MiddlewareMixin.__call__ implementation.
But I decided to take this opportunity to look at trying to avoid
copying material Django code, and there is a way to do it:
* Replace RespondAsynchronously with a response.asynchronous attribute
on the HttpResponse; this allows Django to run its normal plumbing
happily in a way that should be stable over time, and then we
proceed to discard the response inside the Tornado `get()` method to
implement long-polling. (Better yet might be raising an
exception?). This lets us eliminate maintaining a patched copy of
_get_response.
* Removing the @asynchronous decorator, which didn't add anything now
that we only have one API endpoint backend (with two frontend call
points) that could call into this. Combined with the last bullet,
this lets us remove a significant hack from our
never_cache_responses function.
* Calling the normal Django `get_response` method from zulip_finish
after creating a duplicate request to process, rather than writing
totally custom code to do that. This lets us eliminate maintaining
a patched copy of Django's load_middleware.
* Adding detailed comments explaining how this is supposed to work,
what problems we encounter, and how we solve various problems, which
is critical to being able to modify this code in the future.
A key advantage of these changes is that the exact same code should
work on Django 1.11, Django 2.2, and Django 3.x, because we're no
longer copying large blocks of core Django code and thus should be
much less vulnerable to refactors.
There may be a modest performance downside, in that we now run both
request and response middleware twice when longpolling (once for the
request we discard). We may be able to avoid the expensive part of
it, Zulip's own request/response middleware, with a bit of additional
custom code to save work for requests where we're planning to discard
the response. Profiling will be important to understanding what's
worth doing here.
2020-02-06 22:09:10 +01:00
|
|
|
process_as_post, authenticated_uploads_api_view, \
|
2019-07-25 21:03:35 +02:00
|
|
|
ReturnT
|
2016-06-23 02:26:47 +02:00
|
|
|
from zerver.lib.response import json_method_not_allowed, json_unauthorized
|
2016-06-03 23:43:58 +02:00
|
|
|
from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
|
2013-10-30 16:33:08 +01:00
|
|
|
from django.conf import settings
|
|
|
|
|
2013-10-17 19:21:18 +02:00
|
|
|
# HTTP verbs that may appear as keyword arguments in a URL pattern to
# route that verb to a target view (see rest_dispatch).
METHODS = ('GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH')
# Known per-view flags.  The trailing comma is required: without it the
# parentheses are just grouping and FLAGS would be a plain string, so
# membership tests would silently do substring matching.
FLAGS = ('override_api_url_scheme',)
|
2013-10-17 19:21:18 +02:00
|
|
|
|
2019-10-02 00:10:30 +02:00
|
|
|
def default_never_cache_responses(
        view_func: Callable[..., HttpResponse]) -> Callable[..., HttpResponse]:
    """Decorator that marks a view's responses as never cacheable by default.

    Variant of Django's standard never_cache decorator: the never-cache
    headers are added to the response only when the view code has not
    already set a Cache-Control header itself, so a view can opt in to
    caching by setting that header explicitly.

    view_func is the view to wrap; it is called with the request and any
    extra positional/keyword arguments unchanged.  The returned wrapper
    hands back the very response object the view produced.
    """
    @wraps(view_func)
    def _wrapped_view_func(request: HttpRequest, *args: Any, **kwargs: Any) -> ReturnT:
        response = view_func(request, *args, **kwargs)
        # Respect an explicit caching policy chosen by the view.
        if not response.has_header("Cache-Control"):
            add_never_cache_headers(response)
        return response
    return _wrapped_view_func
|
|
|
|
|
2019-10-02 00:10:30 +02:00
|
|
|
@default_never_cache_responses
@csrf_exempt
def rest_dispatch(request: HttpRequest, **kwargs: Any) -> HttpResponse:
    """Dispatch to a REST API endpoint.

    Unauthenticated endpoints should not use this, as authentication is verified
    in the following ways:
        * for paths beginning with /api, HTTP Basic auth
        * for paths beginning with /json (used by the web client), the session token

    This calls the function named in kwargs[request.method], if that request
    method is supported, and after wrapping that function to:

        * protect against CSRF (if the user is already authenticated through
          a Django session)
        * authenticate via an API key (otherwise)
        * coerce PUT/PATCH/DELETE into having POST-like semantics for
          retrieving variables

    Any keyword args that are *not* HTTP methods are passed through to the
    target function.

    Each HTTP-method keyword arg is either a dotted import path to the view,
    or a (dotted import path, flags) tuple, where flags is a collection of
    strings such as 'override_api_url_scheme', 'allow_incoming_webhooks' or
    'allow_anonymous_user_web'.

    Returns the target view's response; a 204 response with an Allow header
    for OPTIONS requests; a redirect to the login page or a JSON
    "unauthorized" response when no authentication method applies; or a JSON
    "method not allowed" response when the HTTP method is not routed.

    Never make a urls.py pattern put user input into a variable called GET, POST,
    etc, as that is where we route HTTP verbs to target functions.
    """
    supported_methods: Dict[str, Any] = {}

    if hasattr(request, "saved_response"):
        # For completing long-polled Tornado requests, we skip the
        # view function logic and just return the response.
        return request.saved_response

    # Iterate over a copy of the keys so we can mutate kwargs as we go:
    # HTTP-method entries are moved into supported_methods, everything
    # else stays in kwargs and is passed through to the target view.
    for arg in list(kwargs):
        if arg in METHODS:
            supported_methods[arg] = kwargs[arg]
            del kwargs[arg]

    # A route that supports GET implicitly supports HEAD with the same
    # view, unless the URL pattern routed HEAD explicitly.
    if 'GET' in supported_methods:
        supported_methods.setdefault('HEAD', supported_methods['GET'])

    if request.method == 'OPTIONS':
        response = HttpResponse(status=204)  # No content
        response['Allow'] = ', '.join(sorted(supported_methods))
        return response

    # Override requested method if magic method=??? parameter exists
    method_to_use = request.method
    if request.POST and 'method' in request.POST:
        method_to_use = request.POST['method']

    if method_to_use in supported_methods:
        entry = supported_methods[method_to_use]
        if isinstance(entry, tuple):
            target_function, view_flags = entry
            target_function = import_string(target_function)
        else:
            target_function = import_string(entry)
            view_flags = set()

        # Set request._query for update_activity_user(), which is called
        # by some of the later wrappers.
        request._query = target_function.__name__

        # We want to support authentication by both cookies (web client)
        # and API keys (API clients). In the former case, we want to
        # do a check to ensure that CSRF etc is honored, but in the latter
        # we can skip all of that.
        #
        # Security implications of this portion of the code are minimal,
        # as we should worst-case fail closed if we miscategorise a request.

        # for some special views (e.g. serving a file that has been
        # uploaded), we support using the same url for web and API clients.
        if ('override_api_url_scheme' in view_flags and
                request.META.get('HTTP_AUTHORIZATION', None) is not None):
            # This request uses standard API based authentication.
            # For override_api_url_scheme views, we skip our normal
            # rate limiting, because there are good reasons clients
            # might need to (e.g.) request a large number of uploaded
            # files or avatars in quick succession.
            target_function = authenticated_rest_api_view(skip_rate_limiting=True)(target_function)
        elif ('override_api_url_scheme' in view_flags and
              request.GET.get('api_key') is not None):
            # This request uses legacy API authentication.  We
            # unfortunately need that in the React Native mobile apps,
            # because there's no way to set HTTP_AUTHORIZATION in
            # React Native.  See last block for rate limiting notes.
            target_function = authenticated_uploads_api_view(skip_rate_limiting=True)(target_function)
        # /json views (web client) validate with a session token (cookie)
        elif not request.path.startswith("/api") and request.user.is_authenticated:
            # Authenticated via sessions framework, only CSRF check needed
            auth_kwargs = {}
            if 'override_api_url_scheme' in view_flags:
                auth_kwargs["skip_rate_limiting"] = True
            target_function = csrf_protect(authenticated_json_view(target_function, **auth_kwargs))

        # most clients (mobile, bots, etc) use HTTP Basic Auth and REST calls, where instead of
        # username:password, we use email:apiKey
        elif request.META.get('HTTP_AUTHORIZATION', None):
            # Wrap function with decorator to authenticate the user before
            # proceeding
            view_kwargs = {}
            if 'allow_incoming_webhooks' in view_flags:
                view_kwargs['is_webhook'] = True
            target_function = authenticated_rest_api_view(**view_kwargs)(target_function)  # type: ignore[arg-type] # likely mypy bug
        # Pick a way to tell user they're not authed based on how the request was made
        else:
            # If this looks like a request from a top-level page in a
            # browser, send the user to the login page
            if 'text/html' in request.META.get('HTTP_ACCEPT', ''):
                # TODO: It seems like the `?next=` part is unlikely to be helpful
                return HttpResponseRedirect('%s?next=%s' % (settings.HOME_NOT_LOGGED_IN, request.path))
            # Ask for basic auth (email:apiKey)
            elif request.path.startswith("/api"):
                return json_unauthorized()
            # Logged out user accessing an endpoint with anonymous user access on JSON; proceed.
            elif request.path.startswith("/json") and 'allow_anonymous_user_web' in view_flags:
                auth_kwargs = dict(allow_unauthenticated=True)
                target_function = csrf_protect(authenticated_json_view(
                    target_function, **auth_kwargs))
            # Session cookie expired, notify the client
            else:
                return json_unauthorized(www_authenticate='session')

        # NOTE: this checks the real HTTP method (request.method), not the
        # possibly-overridden method_to_use.
        if request.method not in ["GET", "POST"]:
            # process_as_post needs to be the outer decorator, because
            # otherwise we might access and thus cache a value for
            # request.REQUEST.
            target_function = process_as_post(target_function)

        return target_function(request, **kwargs)

    return json_method_not_allowed(list(supported_methods))
|