mirror of https://github.com/etesync/server
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
430 lines
17 KiB
430 lines
17 KiB
# Copyright © 2017 Tom Hacohen
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, version 3.
|
|
#
|
|
# This library is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import json
|
|
|
|
from django.conf import settings
|
|
from django.contrib.auth import get_user_model
|
|
from django.db import transaction, IntegrityError
|
|
from django.db.models import Max
|
|
from django.http import HttpResponseBadRequest, HttpResponse, Http404
|
|
from django.shortcuts import get_object_or_404
|
|
|
|
from rest_framework import status
|
|
from rest_framework import viewsets
|
|
from rest_framework import parsers
|
|
from rest_framework.decorators import action as action_decorator
|
|
from rest_framework.response import Response
|
|
from rest_framework.authtoken.models import Token
|
|
|
|
import nacl.encoding
|
|
import nacl.signing
|
|
import nacl.secret
|
|
import nacl.hash
|
|
|
|
from . import app_settings
|
|
from .models import Collection, CollectionItem, CollectionItemRevision
|
|
from .serializers import (
|
|
b64encode,
|
|
AuthenticationSignupSerializer,
|
|
AuthenticationLoginChallengeSerializer,
|
|
AuthenticationLoginSerializer,
|
|
CollectionSerializer,
|
|
CollectionItemSerializer,
|
|
CollectionItemRevisionSerializer,
|
|
CollectionItemChunkSerializer
|
|
)
|
|
|
|
|
|
User = get_user_model()
|
|
|
|
|
|
class BaseViewSet(viewsets.ModelViewSet):
|
|
authentication_classes = tuple(app_settings.API_AUTHENTICATORS)
|
|
permission_classes = tuple(app_settings.API_PERMISSIONS)
|
|
stoken_id_field = None
|
|
|
|
def get_serializer_class(self):
|
|
serializer_class = self.serializer_class
|
|
|
|
if self.request.method == 'PUT':
|
|
serializer_class = getattr(self, 'serializer_update_class', serializer_class)
|
|
|
|
return serializer_class
|
|
|
|
def get_collection_queryset(self, queryset=Collection.objects):
|
|
user = self.request.user
|
|
return queryset.filter(members__user=user)
|
|
|
|
def filter_by_stoken_and_limit(self, request, queryset):
|
|
stoken = request.GET.get('stoken', None)
|
|
limit = int(request.GET.get('limit', 50))
|
|
|
|
stoken_id_field = self.stoken_id_field + '__id'
|
|
|
|
if stoken is not None:
|
|
last_rev = get_object_or_404(CollectionItemRevision.objects.all(), uid=stoken)
|
|
filter_by = {stoken_id_field + '__gt': last_rev.id}
|
|
queryset = queryset.filter(**filter_by)
|
|
|
|
new_stoken_id = queryset.aggregate(stoken_id=Max(stoken_id_field))['stoken_id']
|
|
new_stoken = CollectionItemRevision.objects.get(id=new_stoken_id).uid if new_stoken_id is not None else stoken
|
|
|
|
return queryset[:limit], new_stoken
|
|
|
|
|
|
class CollectionViewSet(BaseViewSet):
|
|
allowed_methods = ['GET', 'POST', 'DELETE']
|
|
permission_classes = BaseViewSet.permission_classes
|
|
queryset = Collection.objects.all()
|
|
serializer_class = CollectionSerializer
|
|
lookup_field = 'uid'
|
|
stoken_id_field = 'items__revisions'
|
|
|
|
def get_queryset(self, queryset=None):
|
|
if queryset is None:
|
|
queryset = type(self).queryset
|
|
return self.get_collection_queryset(queryset)
|
|
|
|
def get_serializer_context(self):
|
|
context = super().get_serializer_context()
|
|
inline = 'inline' in self.request.query_params
|
|
context.update({'request': self.request, 'inline': inline})
|
|
return context
|
|
|
|
def destroy(self, request, uid=None):
|
|
# FIXME: implement
|
|
return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
|
|
|
|
def partial_update(self, request, uid=None):
|
|
return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
|
|
|
|
def create(self, request, *args, **kwargs):
|
|
serializer = self.serializer_class(data=request.data, context=self.get_serializer_context())
|
|
if serializer.is_valid():
|
|
try:
|
|
serializer.save(owner=self.request.user)
|
|
except IntegrityError:
|
|
content = {'code': 'integrity_error'}
|
|
return Response(content, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
return Response({}, status=status.HTTP_201_CREATED)
|
|
|
|
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
def list(self, request):
|
|
queryset = self.get_queryset()
|
|
queryset, new_stoken = self.filter_by_stoken_and_limit(request, queryset)
|
|
|
|
serializer = self.serializer_class(queryset, context=self.get_serializer_context(), many=True)
|
|
|
|
ret = {
|
|
'data': serializer.data,
|
|
}
|
|
return Response(ret, headers={'X-EteSync-SToken': new_stoken})
|
|
|
|
|
|
class CollectionItemViewSet(BaseViewSet):
|
|
allowed_methods = ['GET', 'POST', 'PUT']
|
|
permission_classes = BaseViewSet.permission_classes
|
|
queryset = CollectionItem.objects.all()
|
|
serializer_class = CollectionItemSerializer
|
|
lookup_field = 'uid'
|
|
stoken_id_field = 'revisions'
|
|
|
|
def get_queryset(self):
|
|
collection_uid = self.kwargs['collection_uid']
|
|
try:
|
|
collection = self.get_collection_queryset(Collection.objects).get(uid=collection_uid)
|
|
except Collection.DoesNotExist:
|
|
raise Http404("Collection does not exist")
|
|
# XXX Potentially add this for performance: .prefetch_related('revisions__chunks')
|
|
queryset = type(self).queryset.filter(collection__pk=collection.pk,
|
|
revisions__current=True,
|
|
revisions__deleted=False)
|
|
|
|
return queryset
|
|
|
|
def get_serializer_context(self):
|
|
context = super().get_serializer_context()
|
|
inline = 'inline' in self.request.query_params
|
|
context.update({'request': self.request, 'inline': inline})
|
|
return context
|
|
|
|
def create(self, request, collection_uid=None):
|
|
collection_object = get_object_or_404(self.get_collection_queryset(Collection.objects), uid=collection_uid)
|
|
|
|
# FIXME: change this to also support bulk update, or have another endpoint for that.
|
|
# See https://www.django-rest-framework.org/api-guide/serializers/#customizing-multiple-update
|
|
many = isinstance(request.data, list)
|
|
serializer = self.serializer_class(data=request.data, many=many)
|
|
if serializer.is_valid():
|
|
try:
|
|
serializer.save(collection=collection_object)
|
|
except IntegrityError:
|
|
content = {'code': 'integrity_error'}
|
|
return Response(content, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
return Response({}, status=status.HTTP_201_CREATED)
|
|
|
|
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
def destroy(self, request, collection_uid=None, uid=None):
|
|
# We can't have destroy because we need to get data from the user (in the body) such as hmac.
|
|
return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
|
|
|
|
def partial_update(self, request, collection_uid=None, uid=None):
|
|
# FIXME: implement, or should it be implemented elsewhere?
|
|
return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
|
|
|
|
def list(self, request, collection_uid=None):
|
|
queryset = self.get_queryset()
|
|
queryset, new_stoken = self.filter_by_stoken_and_limit(request, queryset)
|
|
|
|
serializer = self.serializer_class(queryset, context=self.get_serializer_context(), many=True)
|
|
|
|
ret = {
|
|
'data': serializer.data,
|
|
}
|
|
return Response(ret, headers={'X-EteSync-SToken': new_stoken})
|
|
|
|
@action_decorator(detail=True, methods=['GET'])
|
|
def revision(self, request, collection_uid=None, uid=None):
|
|
# FIXME: need pagination support
|
|
col = get_object_or_404(self.get_collection_queryset(Collection.objects), uid=collection_uid)
|
|
col_it = get_object_or_404(col.items, uid=uid)
|
|
|
|
serializer = CollectionItemRevisionSerializer(col_it.revisions.order_by('-id'), many=True)
|
|
ret = {
|
|
'data': serializer.data,
|
|
}
|
|
return Response(ret)
|
|
|
|
@action_decorator(detail=False, methods=['POST'])
|
|
def bulk_get(self, request, collection_uid=None):
|
|
queryset = self.get_queryset()
|
|
|
|
if isinstance(request.data, list):
|
|
queryset = queryset.filter(uid__in=request.data)
|
|
|
|
queryset, new_stoken = self.filter_by_stoken_and_limit(request, queryset)
|
|
|
|
serializer = self.get_serializer_class()(queryset, context=self.get_serializer_context(), many=True)
|
|
|
|
ret = {
|
|
'data': serializer.data,
|
|
}
|
|
return Response(ret, headers={'X-EteSync-SToken': new_stoken})
|
|
|
|
@action_decorator(detail=False, methods=['POST'])
|
|
def transaction(self, request, collection_uid=None):
|
|
collection_object = get_object_or_404(self.get_collection_queryset(Collection.objects), uid=collection_uid)
|
|
|
|
items = request.data.get('items')
|
|
# FIXME: deps should actually be just pairs of uid and stoken
|
|
deps = request.data.get('deps', None)
|
|
serializer = self.get_serializer_class()(data=items, context=self.get_serializer_context(), many=True)
|
|
deps_serializer = self.get_serializer_class()(data=deps, context=self.get_serializer_context(), many=True)
|
|
if serializer.is_valid() and (deps is None or deps_serializer.is_valid()):
|
|
try:
|
|
with transaction.atomic():
|
|
collections = serializer.save(collection=collection_object)
|
|
except IntegrityError:
|
|
content = {'code': 'integrity_error'}
|
|
return Response(content, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
ret = {
|
|
"data": [collection.stoken for collection in collections],
|
|
}
|
|
return Response(ret, status=status.HTTP_201_CREATED)
|
|
|
|
return Response(
|
|
{
|
|
"items": serializer.errors,
|
|
"deps": deps_serializer.errors if deps is not None else [],
|
|
},
|
|
status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
|
|
class CollectionItemChunkViewSet(viewsets.ViewSet):
|
|
allowed_methods = ['GET', 'POST']
|
|
parser_classes = (parsers.MultiPartParser, )
|
|
authentication_classes = BaseViewSet.authentication_classes
|
|
permission_classes = BaseViewSet.permission_classes
|
|
serializer_class = CollectionItemChunkSerializer
|
|
lookup_field = 'uid'
|
|
|
|
def get_collection_queryset(self, queryset=Collection.objects):
|
|
user = self.request.user
|
|
return queryset.filter(members__user=user)
|
|
|
|
def create(self, request, collection_uid=None, collection_item_uid=None):
|
|
col = get_object_or_404(self.get_collection_queryset(), uid=collection_uid)
|
|
col_it = get_object_or_404(col.items, uid=collection_item_uid)
|
|
|
|
serializer = self.serializer_class(data=request.data)
|
|
if serializer.is_valid():
|
|
try:
|
|
serializer.save(item=col_it)
|
|
except IntegrityError:
|
|
content = {'code': 'integrity_error'}
|
|
return Response(content, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
return Response({}, status=status.HTTP_201_CREATED)
|
|
|
|
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
@action_decorator(detail=True, methods=['GET'])
|
|
def download(self, request, collection_uid=None, collection_item_uid=None, uid=None):
|
|
import os
|
|
from django.views.static import serve
|
|
|
|
col = get_object_or_404(self.get_collection_queryset(), uid=collection_uid)
|
|
col_it = get_object_or_404(col.items, uid=collection_item_uid)
|
|
chunk = get_object_or_404(col_it.chunks, uid=uid)
|
|
|
|
filename = chunk.chunkFile.path
|
|
dirname = os.path.dirname(filename)
|
|
basename = os.path.basename(filename)
|
|
|
|
# FIXME: DO NOT USE! Use django-send file or etc instead.
|
|
return serve(request, basename, dirname)
|
|
|
|
|
|
class AuthenticationViewSet(viewsets.ViewSet):
|
|
allowed_methods = ['POST']
|
|
|
|
def get_encryption_key(self, salt):
|
|
key = nacl.hash.blake2b(settings.SECRET_KEY.encode(), encoder=nacl.encoding.RawEncoder)
|
|
return nacl.hash.blake2b(b'', key=key, salt=salt, person=b'etesync-auth', encoder=nacl.encoding.RawEncoder)
|
|
|
|
def get_queryset(self):
|
|
return User.objects.all()
|
|
|
|
def list(self, request):
|
|
return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
|
|
|
|
@action_decorator(detail=False, methods=['POST'])
|
|
def signup(self, request):
|
|
serializer = AuthenticationSignupSerializer(data=request.data)
|
|
if serializer.is_valid():
|
|
serializer.save()
|
|
|
|
return Response({}, status=status.HTTP_201_CREATED)
|
|
|
|
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
def get_login_user(self, serializer):
|
|
username = serializer.validated_data.get('username')
|
|
email = serializer.validated_data.get('email')
|
|
if username:
|
|
kwargs = {User.USERNAME_FIELD: username}
|
|
user = get_object_or_404(self.get_queryset(), **kwargs)
|
|
elif email:
|
|
kwargs = {User.EMAIL_FIELD: email}
|
|
user = get_object_or_404(self.get_queryset(), **kwargs)
|
|
|
|
return user
|
|
|
|
@action_decorator(detail=False, methods=['POST'])
|
|
def login_challenge(self, request):
|
|
from datetime import datetime
|
|
|
|
serializer = AuthenticationLoginChallengeSerializer(data=request.data)
|
|
if serializer.is_valid():
|
|
user = self.get_login_user(serializer)
|
|
|
|
salt = user.userinfo.salt
|
|
enc_key = self.get_encryption_key(salt)
|
|
box = nacl.secret.SecretBox(enc_key)
|
|
|
|
challenge_data = {
|
|
"timestamp": int(datetime.now().timestamp()),
|
|
"userId": user.id,
|
|
}
|
|
challenge = box.encrypt(json.dumps(
|
|
challenge_data, separators=(',', ':')).encode(), encoder=nacl.encoding.RawEncoder)
|
|
|
|
ret = {
|
|
"salt": b64encode(salt),
|
|
"challenge": b64encode(challenge),
|
|
}
|
|
return Response(ret, status=status.HTTP_200_OK)
|
|
|
|
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
@action_decorator(detail=False, methods=['POST'])
|
|
def login(self, request):
|
|
from datetime import datetime
|
|
|
|
serializer = AuthenticationLoginSerializer(
|
|
data=request.data, context={'host': request.get_host()})
|
|
if serializer.is_valid():
|
|
user = self.get_login_user(serializer)
|
|
challenge = serializer.validated_data['challenge']
|
|
signature = serializer.validated_data['signature']
|
|
|
|
salt = user.userinfo.salt
|
|
enc_key = self.get_encryption_key(salt)
|
|
box = nacl.secret.SecretBox(enc_key)
|
|
|
|
challenge_data = json.loads(box.decrypt(challenge).decode())
|
|
now = int(datetime.now().timestamp())
|
|
if now - challenge_data['timestamp'] > app_settings.CHALLENGE_VALID_SECONDS:
|
|
content = {'code': 'challenge_expired', 'detail': 'Login challange has expired'}
|
|
return Response(content, status=status.HTTP_400_BAD_REQUEST)
|
|
elif challenge_data['userId'] != user.id:
|
|
content = {'code': 'wrong_user', 'detail': 'This challenge is for the wrong user'}
|
|
return Response(content, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
host_hash = nacl.hash.blake2b(
|
|
serializer.validated_data['host'].encode(), encoder=nacl.encoding.RawEncoder)
|
|
verify_key = nacl.signing.VerifyKey(user.userinfo.pubkey, encoder=nacl.encoding.RawEncoder)
|
|
verify_key.verify(challenge + host_hash, signature)
|
|
|
|
data = {
|
|
'token': Token.objects.get_or_create(user=user)[0].key,
|
|
}
|
|
return Response(data, status=status.HTTP_200_OK)
|
|
|
|
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
@action_decorator(detail=False, methods=['POST'])
|
|
def logout(self, request):
|
|
# FIXME: expire the token - we need better token handling - using knox? Something else?
|
|
return Response({}, status=status.HTTP_400_BAD_REQUEST)
|
|
|
|
|
|
class ResetViewSet(BaseViewSet):
|
|
allowed_methods = ['POST']
|
|
|
|
def post(self, request, *args, **kwargs):
|
|
# Only run when in DEBUG mode! It's only used for tests
|
|
if not settings.DEBUG:
|
|
return HttpResponseBadRequest("Only allowed in debug mode.")
|
|
|
|
# Only allow local users, for extra safety
|
|
if not getattr(request.user, User.USERNAME_FIELD).endswith('@localhost'):
|
|
return HttpResponseBadRequest("Endpoint not allowed for user.")
|
|
|
|
# Delete all of the journal data for this user for a clear test env
|
|
request.user.collection_set.all().delete()
|
|
|
|
# FIXME: also delete chunk files!!!
|
|
|
|
return HttpResponse()
|
|
|
|
|
|
reset = ResetViewSet.as_view({'post': 'post'})
|