Merge pull request #5 from CESNET/devel

Beta v0.2

Author: petrstehlik

api/README.md

@@ -1,8 +1,10 @@
 ## How to use API as WSGI (example configuration for Apache)
 
+This example is for Apache VirtualHost instance on https. You can of course use it without the virtualhost but remeber to include the whole Liberouter GUI part and if required, change paths accordingly.
+
 ```
 <VirtualHost *:443>
-    DocumentRoot "/var/www/dev"
+    DocumentRoot "/var/www/html"
     ServerName example.com
     SSLEngine on
     SSLCertificateFile "/etc/apache2/server.crt"
@@ -11,17 +13,18 @@
     ErrorLog "/var/log/apache2/secure-error_log"
     CustomLog "/var/log/apache2/secure-access_log" common
 
-	#Options Includes FollowSymLinks MultiViews
-
+	# Liberouter GUI WSGI
     WSGIDaemonProcess libapi user=liberouter group=liberouter threads=5
-	WSGIScriptAlias "/libapi" "/var/www/dev/liberouter-gui/wsgi.py"
+	WSGIScriptAlias "/libapi" "/var/www/html/liberouter-gui/api/wsgi.py"
+	WSGIPassAuthorization on
 
-	<directory "/var/www/dev/liberouter-gui">
+	<directory "/var/www/html/liberouter-gui/api">
         WSGIProcessGroup libapi
         WSGIApplicationGroup %{GLOBAL}
         WSGIScriptReloading On
         Order deny,allow
         Allow from all
     </directory>
+	# END Liberouter GUI WSGI
 </VirtualHost>
 ```

start_api.py renamed to api/__main__.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-from api import app, config
+from liberouterapi import app, config
 
 if __name__ == '__main__':
 	app.run(port = app.config["PORT"],

api/auth.py

@@ -0,0 +1,30 @@
+[api]
+debug = false
+secret_key = super-secret
+;host =
+port = 5555
+threaded = true
+version = 1.0
+modules = /modules
+;cors = false
+; timeout in seconds
+;session_timeout = 10
+
+[database]
+; possible values: sqlite, mysql, mongodb
+;	sqlite:	file must be specified, the server and port are ignored
+;	mysql:	server, port and database must be specified, user and password
+;			are for authentication to the db
+;	mongodb: server, port and database must be set
+provider = mongodb
+server = localhost
+port = 27017
+;user =
+;password =
+database = liberouter
+users = users
+
+[ssl]
+enabled = false
+;key =
+;certificate =

api/config-sample.ini

@@ -0,0 +1,107 @@
+import bcrypt
+from functools import wraps
+from flask import request
+from datetime import datetime, timedelta
+
+from .user import User
+from .role import Role
+from .session import SessionException
+from .error import ApiException
+
+class AuthException(ApiException):
+    status_code = 404
+
+class Auth(object):
+    errors = {
+        '0' : 'Username not found.',
+        '1' : 'Username and password doesn\'t match.',
+        '2' : 'Expired session.',
+        '3' : 'Authorization header is missing.'
+    }
+
+    def __init__(self, db, session_manager, secret_key):
+        self.db = db
+        self.session_manager = session_manager
+        self.secret_key = secret_key
+
+    @classmethod
+    def check_password(self, password, hash):
+        return bcrypt.checkpw(password.encode('utf8'), hash)
+
+    @classmethod
+    def create_hash(self, password):
+        return bcrypt.hashpw(password.encode('utf8'), bcrypt.gensalt())
+
+    def auth_error(self, code):
+        msg = {
+            'code' : code,
+            'description' : self.errors[str(code)]
+        }
+        res = json_util.dumps(msg)
+        return msg
+
+    def login(self, user):
+        query = {
+            'username' : user.username
+        }
+
+        res = self.db.users.find_one(query)
+
+        if not res:
+            raise AuthException("User not found")
+
+        if not self.check_password(user.password, res['password']):
+            raise AuthException("Password mismatch")
+
+        # Remove password field from the user
+        del res['password']
+
+        return(res)
+
+    def store_session(self, user):
+        session_id = self.session_manager.create(user)
+        return session_id
+
+    def lookup(self, session_id):
+        try:
+            session = self.session_manager.lookup(session_id)
+            return session
+        except SessionException:
+            print("Couldn't find given session")
+            raise
+
+    def delete(self, session_id):
+        try:
+            self.session_manager.delete(session_id)
+        except SessionException:
+            print("Couldn't find given session")
+            raise
+
+    def required(self, role=Role.undefined):
+        """
+        Decorator for required Authorization JWT token
+
+        Usage: (auth is the initialized Auth object instance)
+        @auth.required() -  Don't look for user's role.
+                            Only check if they have valid session.
+
+        @auth.required(Role.[admin|user|guest]) - check session validity and their role
+        """
+        def auth_decorator(f):
+            @wraps(f)
+            def verify(*args, **kwargs):
+                session_id = request.headers.get('Authorization', None)
+                if not session_id:
+                    raise SessionException("Header field 'Authorization' not found.")
+
+                try:
+                    session = self.lookup(session_id)
+                except SessionException:
+                    raise SessionException("Session not found")
+
+                if role != Role.undefined and role < session["user"].role:
+                    raise SessionException("Insufficient privileges.")
+
+                return f(*args, **kwargs)
+            return verify
+        return auth_decorator

api/dbConnector.py

@@ -0,0 +1,15 @@
+from flask import Response
+from bson import json_util
+
+class ResponseHandler(Response):
+	def __init__(self, content = None, *args, **kwargs):
+		if isinstance(content, (dict, list)):
+			content = json_util.dumps(content)
+		super(Response, self).__init__(content, *args, **kwargs)
+
+	@classmethod
+	def force_type(cls, rv, environ=None):
+		if isinstance(rv, (dict, list)):
+			return cls(rv)
+
+		return super(ResponseHandler, cls).force_type(rv, environ)

api/error.py

@@ -1,6 +1,9 @@
 from flask import Flask
+from .Response import ResponseHandler
 
 class Router(Flask):
+	response_class = ResponseHandler
+
 	def add_route(self, rule, view_func, **options):
 		"""
 		Encapsulate add_url_rule(self, rule, endpoint=None, view_func=None, **options)