cherrypy-foundation 1.0.0__py3-none-any.whl

cherrypy_foundation/passwd.py

@@ -0,0 +1,65 @@
+# Cherrypy-foundation
+# Copyright (C) 2026 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import hashlib
+import os
+from base64 import b64decode, b64encode
+
+try:
+    import argon2
+
+    _argon = argon2.PasswordHasher()
+
+    def hash_password(password):
+        assert password and isinstance(password, str)
+        return _argon.hash(password)
+
+except ImportError:
+    _argon = None
+
+    def hash_password(password):
+        assert password and isinstance(password, str)
+        password = password.encode(encoding='utf8')
+        salt = os.urandom(4)
+        h = hashlib.sha1(password)
+        h.update(salt)
+        return "{SSHA}" + b64encode(h.digest() + salt).decode('latin1')
+
+
+def check_password(password, challenge):
+    """
+    Check if the password matches the challenge.
+    The challenge is an encrypted password.
+    """
+    if not password or not challenge:
+        return False
+    assert isinstance(password, str)
+    assert isinstance(challenge, str)
+    if _argon and challenge.startswith('$argon2'):
+        try:
+            return _argon.verify(challenge, password)
+        except Exception:
+            return False
+    elif challenge.startswith('{SSHA}'):
+        digest_salt = b64decode(challenge[6:])
+        digest = digest_salt[:20]
+        sha = hashlib.sha1(password.encode(encoding='utf8'))
+        sha.update(digest_salt[20:])
+        return digest == sha.digest()
+    else:
+        # Fallback to previous SHA
+        sha = hashlib.sha1(password.encode('utf8'))
+        return challenge == sha.hexdigest()

cherrypy_foundation/plugins/db.py

@@ -0,0 +1,286 @@
+# SQLAlchemy plugins for cherrypy
+# Copyright (C) 2022-2026 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+import logging
+import re
+
+import cherrypy
+from cherrypy.process.plugins import SimplePlugin
+from sqlalchemy import create_engine, event, inspect
+from sqlalchemy.engine import Engine
+from sqlalchemy.exc import IntegrityError, SQLAlchemyError
+from sqlalchemy.orm import declarative_base, scoped_session, sessionmaker
+
+
+@event.listens_for(Engine, 'connect')
+def _set_sqlite_journal_mode_wal(connection, connection_record):
+    """
+    Enable WAL journaling for concurrent read and write operation.
+    """
+    if 'sqlite3' in str(connection.__class__):
+        cursor = connection.cursor()
+        cursor.execute('PRAGMA journal_mode=WAL;')
+        cursor.execute("PRAGMA foreign_keys=ON;")
+        cursor.close()
+
+
+@event.listens_for(Engine, "handle_error")
+def enhance_database_errors(exception_context):
+    """
+    Enhance SQLAlchemy error by adding more information.
+    """
+    if isinstance(exception_context.sqlalchemy_exception, IntegrityError):
+        constraint = _find_constraint(exception_context.sqlalchemy_exception)
+        exception_context.sqlalchemy_exception.constraint = constraint
+
+
+def _find_constraint(exception):
+    """
+    Search reference of constraint within the error message. Return None if not found.
+    """
+    # Extract the constraint name for Postgresql and SQLite
+    # Postgresql: duplicate key value violates unique constraint "subnet_name_key"\nDETAIL:  Key (name)=() already exists.\n
+    # Postgresql: violates check constraint "dnsrecord_value_domain_name"
+    # Postgresql: foreign key constraint "dnsrecord_dnszone_subnet_fk"
+    # SQLite: UNIQUE constrain: subnet.name
+    # SQLite: UNIQUE constraint failed: index 'dnszone_name_index'
+    # SQLite: CHECK constraint failed: dnsrecord_value_domain_name
+    error = exception._message()
+    constraint_match = (
+        re.search(r'unique constraint "([^"]+)"', error)
+        or re.search(r'check constraint "([^"]+)"', error)
+        or re.search(r"UNIQUE constraint failed: index '([^']+)'", error)
+        or re.search(r"UNIQUE constraint failed: (.+)$", error)
+        or re.search(r"CHECK constraint failed: (.+)", error)
+        or re.search(r'foreign key constraint "([^"]+)"', error)
+    )
+    if not constraint_match:
+        return None
+    name = constraint_match[1]
+
+    # Use a lookup cache to simplify the search of index and constraints.
+    if not getattr(_find_constraint, '_cache', False):
+        cache = {}
+        metadata = cherrypy.db.get_base().metadata
+        for table in metadata.tables.values():
+            for item in table.constraints:
+                if item.name:
+                    cache[item.name] = item
+            for item in table.indexes:
+                # Keep reference to unique index only.
+                if item.unique:
+                    if item.name:
+                        cache[item.name] = item
+                    # SQLite return <table>.<column>
+                    key = ', '.join([f'{table.name}.{c.name}' for c in item.columns])
+                    cache[key] = item
+        _find_constraint._cache = cache
+
+    return _find_constraint._cache.get(name, None)
+
+
+def _get_model_changes(model):
+    """
+    Return a dictionary containing changes made to the model since it was
+    fetched from the database.
+
+    The dictionary is of the form {'property_name': [old_value, new_value]}
+    """
+    state = inspect(model)
+    changes = {}
+    for attr in state.attrs:
+        hist = attr.history
+        if not hist.has_changes():
+            continue
+        if isinstance(attr.value, (list, tuple)) or len(hist.deleted) > 1 or len(hist.added) > 1:
+            # If array, store array
+            changes[attr.key] = [hist.deleted, hist.added]
+        else:
+            # If primitive, store primitive
+            changes[attr.key] = [
+                hist.deleted[0] if len(hist.deleted) >= 1 else None,
+                hist.added[0] if len(hist.added) >= 1 else None,
+            ]
+    return changes
+
+
+class Base:
+    '''
+    Extends declarative base to provide convenience methods to models similar to
+    functionality found in Elixir. Works in python3.
+
+    For example, given the model User:
+    # no need to write init methods for models, simply pass keyword arguments or
+    # override if needed.
+    User(name="daniel", email="daniel@dasa.cc").add()
+    User.query # returns session.query(User)
+    User.query.all() # instead of session.query(User).all()
+    changed = User.from_dict({}) # update record based on dict argument passed in and returns any keys changed
+    '''
+
+    def add(self):
+        """
+        Add current object to session.
+        """
+        self.__class__.session.add(self)
+        return self
+
+    def delete(self):
+        self.__class__.session.delete(self)
+        return self
+
+    def commit(self):
+        self.__class__.session.commit()
+        return self
+
+    def flush(self):
+        self.__class__.session.flush()
+        return self
+
+    def expire(self):
+        self.__class__.session.expire(self)
+        return self
+
+    def rollback(self):
+        self.__class__.session.rollback()
+        return self
+
+
+class SQLA(SimplePlugin):
+    uri = None
+    debug = False
+
+    _base = None
+    _session = None
+    _engine = None
+
+    @property
+    def engine(self):
+        return self._engine
+
+    def start(self):
+        if self.uri is None:
+            return
+        # Adjust debug level.
+        if self.debug:
+            logging.getLogger('sqlalchemy.engine').setLevel(logging.DEBUG)
+        # Create connection to database
+        self._engine = create_engine(self.uri)
+        # Clean-up previous session.
+        self.clear_sessions()
+        # Associate our session to our engine
+        self.get_session().configure(bind=self._engine)
+        self.bus.log("database session plugin started")
+
+    # This is slightly lower priority to get database started first.
+    start.priority = 45
+
+    def stop(self):
+        if self._session:
+            self.clear_sessions()
+        if self._engine:
+            self._engine.dispose()
+        self.bus.log("database session plugin stopped")
+
+    def graceful(self):
+        """Reload of subscribers."""
+        self.stop()
+        self.start()
+
+    def create_all(self):
+        try:
+            # Create tables
+            base = self.get_base()
+            conn = self.get_session().connection()
+            base.metadata.create_all(bind=conn)
+            self.get_session().commit()
+        finally:
+            # Release opened sessions.
+            self.clear_sessions()
+
+    def drop_all(self):
+        try:
+            # Drop all
+            base = self.get_base()
+            base.metadata.drop_all(bind=self._engine)
+            self.get_session().commit()
+        finally:
+            # Release opened sessions.
+            self.clear_sessions()
+
+    def get_base(self):
+        """
+        Return a singleton instance of the Base classe for ORM.
+        """
+        if self._base is None:
+            self._base = declarative_base(cls=Base)
+            # Provide a friendly ObjectName.query.
+            self._base.session = self.get_session()
+            self._base.query = self.get_session().query_property()
+        return self._base
+
+    def get_session(self):
+        """
+        Return a singleton database session.
+        """
+        if self._session is None:
+            self._session_factory = sessionmaker(autoflush=False, autocommit=False)
+            self._session = scoped_session(self._session_factory)
+        return self._session
+
+    def after_request(self):
+        self.clear_sessions()
+
+    def clear_sessions(self):
+        """
+        Used to clean-up session and raise error if session are not clean.
+        """
+        if self._session is None:
+            return
+        try:
+            # When terminating, raise an error if objects are not commit.
+            if self._session.dirty or self._session.new or self._session.deleted:
+                cherrypy.log(
+                    'database session dirty; uncommitted objects detected — potential application bug',
+                    context='DB',
+                    severity=logging.ERROR,
+                )
+                if self._session.dirty:
+                    changes = ', '.join([str(_get_model_changes(obj)) for obj in self._session.dirty])
+                    cherrypy.log(
+                        f'database session dirty_objects={self._session.dirty}', context='DB', severity=logging.ERROR
+                    )
+                    cherrypy.log(f'database session pending_changes={changes}', context='DB', severity=logging.ERROR)
+                if self._session.new:
+                    cherrypy.log(
+                        f'database session new_objects={self._session.new}', context='DB', severity=logging.ERROR
+                    )
+                if self._session.deleted:
+                    cherrypy.log(
+                        f'database session deleted_objects={self._session.deleted}',
+                        context='DB',
+                        severity=logging.ERROR,
+                    )
+                raise SQLAlchemyError('session is dirty')
+        finally:
+            self._session.rollback()
+            self._session.expunge_all()
+            self._session.remove()
+
+
+cherrypy.db = SQLA(cherrypy.engine)
+cherrypy.db.subscribe()
+
+cherrypy.config.namespaces['db'] = lambda key, value: setattr(cherrypy.db, key, value)

cherrypy_foundation/plugins/ldap.py

@@ -0,0 +1,257 @@
+# LDAP Plugins for cherrypy
+# Copyright (C) 2026 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import logging
+
+import cherrypy
+import ldap3
+from cherrypy.process.plugins import SimplePlugin
+from ldap3.core.exceptions import LDAPException, LDAPInvalidCredentialsResult
+
+_safe = ldap3.utils.conv.escape_filter_chars
+
+
+def all_attribute(attributes, keys, default=None):
+    """
+    Extract all values from LDAP attributes.
+    """
+    # Skip loopkup if key is not defined.
+    if not keys:
+        return default
+    # Convert key to a list.
+    keys = keys if isinstance(keys, list) else [keys]
+    # Loop on each attribute name.
+    values = []
+    for attr in keys:
+        try:
+            value = attributes[attr]
+            if isinstance(value, list) and len(value) > 0:
+                values.append(value[0])
+            else:
+                values.append(value)
+        except KeyError:
+            pass
+    # Default to None.
+    return values if values else default
+
+
+def first_attribute(attributes, keys, default=None):
+    """
+    Extract the first value from LDAP attributes.
+    """
+    # Skip loopkup if key is not defined.
+    if not keys:
+        return default
+    # Convert key to a list.
+    keys = keys if isinstance(keys, list) else [keys]
+    # Loop on each attribute name to find a value.
+    for attr in keys:
+        try:
+            value = attributes[attr]
+            if isinstance(value, list):
+                if len(value) == 0:
+                    continue
+                return value[0]
+            else:
+                return value
+        except KeyError:
+            pass
+    # Default to None.
+    return default
+
+
+class LdapPlugin(SimplePlugin):
+    """
+    Used this plugin to authenticate user against an LDAP server.
+
+    `authenticate(login, password)` return None if the credentials are not
+    valid. Otherwise it return a tuple or login and extra attributes.
+    The extra attribute may contains `_fullname` and `_email`.
+    """
+
+    uri = None
+    base_dn = None
+    bind_dn = ''
+    bind_password = ''
+    scope = 'subtree'
+    tls = False
+    user_filter = '(objectClass=*)'
+    login_attribute = ['uid']
+    required_group = None
+    group_attribute = 'member'
+    group_attribute_is_dn = False
+    group_filter = '(objectClass=*)'
+    version = 3
+    network_timeout = 10
+    timeout = 10
+    fullname_attribute = None
+    firstname_attribute = None
+    lastname_attribute = None
+    email_attribute = None
+    pool_size = 10
+
+    def start(self):
+        # Don't configure this plugin if the ldap URI is not provided.
+        if not self.uri:
+            return
+        self.bus.log('Start LDAP connection')
+        # Set up the LDAP server object
+        server = ldap3.Server(self.uri, connect_timeout=self.network_timeout, mode=ldap3.IP_V4_PREFERRED)
+        # Create a pool of reusable connections
+        self._pool = ldap3.Connection(
+            server,
+            user=self.bind_dn,
+            password=self.bind_password,
+            auto_bind=ldap3.AUTO_BIND_TLS_BEFORE_BIND if self.tls else ldap3.AUTO_BIND_NO_TLS,
+            version=self.version,
+            raise_exceptions=True,
+            client_strategy=ldap3.REUSABLE,
+            pool_size=self.pool_size,
+        )
+
+    def stop(self):
+        self.bus.log('Stop LDAP connection')
+        # Release the connection pool.
+        if hasattr(self, '_pool'):
+            self._pool.unbind()
+
+    def graceful(self):
+        """Reload of subscribers."""
+        self.stop()
+        self.start()
+
+    def authenticate(self, login, password):
+        """
+        Check if the given credential as valid according to LDAP.
+        Return False if invalid.
+        Return None if the plugin is unavailable to validate credentials or if the plugin is disabled.
+        Return tuple (<login>, <attributes>) if the credentials are valid.
+        """
+        assert isinstance(login, str)
+        assert isinstance(password, str)
+
+        if not hasattr(self, '_pool'):
+            return None
+
+        # Connect to LDAP Server.
+        with self._pool as conn:
+            try:
+                # Search the LDAP server for user's DN.
+                safe_login = _safe(login)
+                attr_filter = ''.join([f'({_safe(attr)}={safe_login})' for attr in self.login_attribute])
+                search_filter = f"(&{self.user_filter}(|{attr_filter}))"
+                response = self._search(conn, search_filter)
+                if not response:
+                    cherrypy.log(f"lookup failed login={login} reason=not_found", context='LDAP')
+                    return False
+                cherrypy.log(f"lookup successful login={login}", context='LDAP')
+                user_dn = response[0]['dn']
+
+                # Use a separate connection to validate credentials
+                login_conn = ldap3.Connection(
+                    self._pool.server,
+                    user=user_dn,
+                    password=password,
+                    version=self.version,
+                    raise_exceptions=True,
+                    client_strategy=ldap3.ASYNC,
+                )
+                if not login_conn.bind():
+                    cherrypy.log(
+                        f'ldap authentication failed login={login} reason=wrong_password',
+                        context='LDAP',
+                        severity=logging.WARNING,
+                    )
+                    return False
+
+                # Get user's login
+                attrs = response[0]['attributes']
+                new_login = first_attribute(attrs, self.login_attribute[0])
+                if not new_login:
+                    cherrypy.log(
+                        f"object missing login attribute user_dn={user_dn} attribute={self.login_attribute[0]}",
+                        context='LDAP',
+                        severity=logging.WARNING,
+                    )
+                    return False
+
+                # Verify if the user is member of the required group
+                if self.required_group:
+                    if not isinstance(self.required_group, list):
+                        self.required_group = [self.required_group]
+                    user_value = user_dn if self.group_attribute_is_dn else new_login
+                    group_filter = '(&(%s=%s)(|%s)%s)' % (
+                        _safe(self.group_attribute),
+                        _safe(user_value),
+                        ''.join(['(cn=%s)' % _safe(group) for group in self.required_group]),
+                        self.group_filter,
+                    )
+                    # Search LDAP Server for matching groups.
+                    cherrypy.log(
+                        f"group check start login={user_value} required_groups={' '.join(self.required_group)}",
+                        context='LDAP',
+                    )
+                    response = self._search(conn, group_filter, attributes=['cn'])
+                    if not response:
+                        cherrypy.log(
+                            f"group check failed login={user_value} required_groups={' '.join(self.required_group)}",
+                            context='LDAP',
+                        )
+                        return False
+
+                # Extract common attribute from LDAP
+                attrs['dn'] = user_dn
+                attrs['email'] = first_attribute(attrs, self.email_attribute)
+                attrs['fullname'] = fullname = first_attribute(attrs, self.fullname_attribute)
+                if not fullname:
+                    firstname = first_attribute(attrs, self.firstname_attribute, '')
+                    lastname = first_attribute(attrs, self.lastname_attribute, '')
+                    attrs['fullname'] = ' '.join([name for name in [firstname, lastname] if name])
+                return (new_login, attrs)
+            except LDAPInvalidCredentialsResult:
+                return False
+            except LDAPException:
+                cherrypy.log(f"unexpected error login={login}", context='LDAP', severity=logging.ERROR, traceback=True)
+            return None
+
+    def search(self, filter, attributes=ldap3.ALL_ATTRIBUTES, search_base=None, paged_size=None):
+        with self._pool as conn:
+            return self._search(
+                conn, filter=filter, attributes=attributes, search_base=search_base, paged_size=paged_size
+            )
+
+    def _search(self, conn, filter, attributes=ldap3.ALL_ATTRIBUTES, search_base=None, paged_size=None):
+        search_scope = {'base': ldap3.BASE, 'onelevel': ldap3.LEVEL, 'subtree': ldap3.SUBTREE}.get(
+            self.scope, ldap3.SUBTREE
+        )
+        search_base = search_base or self.base_dn
+        cherrypy.log(f"search {self.uri}/{search_base}?{search_scope}?{filter}", context='LDAP')
+        msg_id = conn.search(
+            search_base=search_base,
+            search_filter=filter,
+            search_scope=search_scope,
+            time_limit=self.timeout,
+            attributes=attributes,
+            paged_size=paged_size,
+        )
+        response, _result_unused = conn.get_response(msg_id)
+        return response
+
+
+cherrypy.ldap = LdapPlugin(cherrypy.engine)
+cherrypy.ldap.subscribe()
+
+cherrypy.config.namespaces['ldap'] = lambda key, value: setattr(cherrypy.ldap, key, value)

cherrypy_foundation/plugins/restapi.py

@@ -0,0 +1,74 @@
+# RestAPI plugin for cherrypy
+# Copyright (C) 2024-2026 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import cherrypy
+
+
+class Dispatcher(cherrypy.dispatch.Dispatcher):
+    """
+    Dispatcher using HTTP method to find the proper function to be called.
+
+    e.g.:
+    GET /api/users            -> list()
+    GET /api/users/3          -> get(3)
+    GET /api/users/my/path    -> get('my/path')
+    DELETE /api/users/3       -> delete(3)
+    DELETE /api/users/my/path -> delete('my/path')
+
+    POST /api/users     -> post(data)
+    POST /api/users/3   -> post(3, data)
+    PUT /api/users      -> post(data)
+    PUT /api/users/3    -> post(3, data)
+
+    """
+
+    supported_method = ['get', 'delete', 'post', 'put']
+
+    def __call__(self, path):
+        request = cherrypy.serving.request
+        # To simplify implementation reuse default dispatcher function.
+        # But strip the last segment
+        resource, vpath = self.find_handler(path)
+
+        if not resource:
+            request.handler = cherrypy.NotFound()
+            return
+
+        # Two scenario possible. Either we have found our GET handler.
+        # Or we need to look into the resource for it.
+        meth = request.method.lower()
+        if meth not in self.supported_method:
+            request.handler = cherrypy.HTTPError(405)
+        if meth == 'get' and not hasattr(resource, 'list') and not hasattr(resource, 'get'):
+            request.handler = cherrypy.dispatch.LateParamPageHandler(resource, *vpath)
+            return
+
+        # Call "list()" instead of "get()" when path doesn't have an id or name.
+        if meth == 'get' and not vpath and hasattr(resource, 'list'):
+            meth = 'list'
+        # Find the subhandler
+        func = getattr(resource, meth, None)
+        if func:
+            # Grab any _cp_config on the subhandler.
+            if hasattr(func, '_cp_config'):
+                request.config.update(func._cp_config)
+
+            # Decode any leftover %2F in the virtual_path atoms.
+            if vpath:
+                vpath = ['/'.join([x.replace('%2F', '/') for x in vpath])]
+            request.handler = cherrypy.dispatch.LateParamPageHandler(func, *vpath)
+        else:
+            request.handler = cherrypy.HTTPError(405)