PyPI - cmdbox - Versions diffs - 0.6.0.3__py3-none-any.whl → 0.6.1__py3-none-any.whl - Mend

cmdbox 0.6.0.3py3-none-any.whl → 0.6.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of cmdbox might be problematic. Click here for more details.

Files changed (233) hide show

cmdbox/app/app.py CHANGED Viewed

@@ -9,9 +9,9 @@ import time
 import sys
-def main(args_list:list=None):
+def main(args_list:list=None, webcall:bool=False):
     app = CmdBoxApp.getInstance(appcls=CmdBoxApp, ver=version)
-    return app.main(args_list)[0]
+    return app.main(args_list, webcall=webcall)[0]
 class CmdBoxApp:
     _instance = None

cmdbox/app/auth/signin.py CHANGED Viewed

@@ -1,11 +1,16 @@
 from cmdbox.app import common, options
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.backends import default_backend
 from fastapi import Request, Response, HTTPException, WebSocket
 from fastapi.responses import RedirectResponse
 from pathlib import Path
 from typing import Dict, Any, Tuple, List, Union
+import argparse
 import copy
 import contextvars
 import logging
+import jwt
 import string
@@ -87,7 +92,7 @@ class Signin(object):
         if self.signin_file_data is None:
             return None
         if 'signin' in req.session:
-            self.signin_file_data = Signin.load_signin_file(self.signin_file, self.signin_file_data) # サインインファイルの更新をチェック
+            self.signin_file_data = Signin.load_signin_file(self.signin_file, self.signin_file_data, self=self) # サインインファイルの更新をチェック
         return Signin._check_signin(req, res, self.signin_file_data, self.logger)
     @classmethod
@@ -157,17 +162,37 @@ class Signin(object):
         if not auth.startswith('Bearer '):
             #self.logger.warning(f"Bearer not found. headers={req.headers}")
             return RedirectResponse(url=f'/signin{req.url.path}?error=apikeyfail')
-        bearer, apikey = auth.split(' ')
-        apikey = common.hash_password(apikey.strip(), 'sha1')
+        bearer, apikey = auth.split(' ').strip()
         if logger.level == logging.DEBUG:
-            logger.debug(f"hashed apikey: {apikey}")
+            logger.debug(f"received apikey: {apikey}")
         find_user = None
+        jwt_enabled = signin_file_data['apikey']['verify_jwt']['enabled']
         for user in signin_file_data['users']:
             if 'apikeys' not in user:
                 continue
             for ak, key in user['apikeys'].items():
                 if apikey == key:
-                    find_user = user
+                    if jwt_enabled:
+                        publickey = None
+                        if hasattr(cls, 'verify_jwt_certificate') and cls.verify_jwt_certificate is not None:
+                            publickey = cls.verify_jwt_certificate.public_key()
+                        if hasattr(cls, 'verify_jwt_publickey') and cls.verify_jwt_publickey is not None:
+                            publickey = cls.verify_jwt_publickey
+                        algorithm = signin_file_data['apikey']['verify_jwt']['algorithm']
+                        issuer = signin_file_data['apikey']['verify_jwt']['issuer']
+                        audience = signin_file_data['apikey']['verify_jwt']['audience']
+                        claims = jwt.decode(apikey, publickey, algorithms=[algorithm],
+                                            issuer=issuer, audience=audience,
+                                            options={'verify_iss': issuer is not None,
+                                                     'verify_aud': audience is not None},)
+                        find_user = dict(**claims, **user)
+                        find_user['uid'] = find_user['uid'] if 'uid' in find_user else -1
+                        find_user['name'] = find_user['name'] if 'name' in find_user else None
+                        find_user['groups'] = find_user['groups'] if 'groups' in find_user else None
+                        find_user['email'] = find_user['email'] if 'email' in find_user else None
+                        find_user['apikey_name'] = find_user['apikey_name'] if 'apikey_name' in find_user else None
+                    else:
+                        find_user = user
         if find_user is None:
             logger.warning(f"No matching user found for apikey.")
             return RedirectResponse(url=f'/signin{req.url.path}?error=apikeyfail')
@@ -196,7 +221,22 @@ class Signin(object):
         return RedirectResponse(url=f'/signin{req.url.path}?error=unauthorizedsite')
     @classmethod
-    def load_signin_file(cls, signin_file:Path, signin_file_data:Dict[str, Any]=None) -> Dict[str, Any]:
+    def load_pem_private_key(cls, data:bytes, passphrase:str=None):
+        return serialization.load_pem_private_key(
+            data,
+            password=passphrase.encode('utf-8') if passphrase else None,
+            backend=default_backend())
+    @classmethod
+    def load_pem_public_key(cls, data:bytes):
+        return serialization.load_pem_public_key(data, backend=default_backend())
+    @classmethod
+    def load_pem_x509_certificate(cls, data:bytes):
+        return x509.load_pem_x509_certificate(data, backend=default_backend())
+    @classmethod
+    def load_signin_file(cls, signin_file:Path, signin_file_data:Dict[str, Any]=None, self=None) -> Dict[str, Any]:
         """
         サインインファイルを読み込む
@@ -390,6 +430,90 @@ class Signin(object):
                 raise HTTPException(status_code=500, detail=f'signin_file format error. "reset" not found in "password.lockout". ({signin_file})')
             if type(yml['password']['lockout']['reset']) is not int:
                 raise HTTPException(status_code=500, detail=f'signin_file format error. "reset" not int type in "password.lockout". ({signin_file})')
+        # apikeyのフォーマットチェック
+        if 'apikey' not in yml:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "apikey" not found. ({signin_file})')
+        if 'gen_cert' not in yml['apikey']:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "gen_cert" not found in "apikey". ({signin_file})')
+        if 'enabled' not in yml['apikey']['gen_cert']:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "enabled" not found in "apikey.gen_cert". ({signin_file})')
+        if type(yml['apikey']['gen_cert']['enabled']) is not bool:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "enabled" not bool type in "apikey.gen_cert". ({signin_file})')
+        if yml['apikey']['gen_cert']['enabled']:
+            if 'privatekey' not in yml['apikey']['gen_cert']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "privatekey" not found in "apikey.gen_cert". ({signin_file})')
+            if 'certificate' not in yml['apikey']['gen_cert']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "certificate" not found in "apikey.gen_cert". ({signin_file})')
+            if 'publickey' not in yml['apikey']['gen_cert']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "publickey" not found in "apikey.gen_cert". ({signin_file})')
+            if not Path(yml['apikey']['gen_cert']['certificate']).is_file():
+                from cmdbox.app.features.cli.cmdbox_web_gencert import WebGencert
+                gencert = WebGencert(self.appcls, self.ver)
+                opt = dict(webhost=self.ver.__appid__, overwrite=True,
+                           output_cert=yml['apikey']['gen_cert']['certificate'], output_cert_format='PEM',
+                           output_pkey=yml['apikey']['gen_cert']['publickey'], output_pkey_format='PEM',
+                           output_key=yml['apikey']['gen_cert']['privatekey'], output_key_format='PEM',)
+                args = argparse.Namespace(**opt)
+                status, res, _ = gencert.apprun(self.logger, args, 0, [])
+                if status != 0:
+                    raise HTTPException(status_code=500, detail=f'signin_file format error. "gen_cert" generate error in "apikey.gen_cert". ({signin_file}) {res}')
+        if 'gen_jwt' not in yml['apikey']:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "gen_jwt" not found in "apikey". ({signin_file})')
+        if 'enabled' not in yml['apikey']['gen_jwt']:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "enabled" not found in "apikey.gen_jwt". ({signin_file})')
+        if type(yml['apikey']['gen_jwt']['enabled']) is not bool:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "enabled" not bool type in "apikey.gen_jwt". ({signin_file})')
+        if yml['apikey']['gen_jwt']['enabled']:
+            if 'privatekey' not in yml['apikey']['gen_jwt']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "privatekey" not found in "apikey.gen_jwt". ({signin_file})')
+            if 'privatekey_passphrase' not in yml['apikey']['gen_jwt']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "privatekey_passphrase" not found in "apikey.gen_jwt". ({signin_file})')
+            if not Path(yml['apikey']['gen_jwt']['privatekey']).is_file():
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "privatekey" file not found in "apikey.gen_jwt". ({signin_file})')
+            with open(yml['apikey']['gen_jwt']['privatekey'], 'rb') as f:
+                cls.gen_jwt_privatekey = cls.load_pem_private_key(f.read(), yml['apikey']['gen_jwt'].get('privatekey_passphrase', None))
+            if 'algorithm' not in yml['apikey']['gen_jwt']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "algorithm" not found in "apikey.gen_jwt". ({signin_file})')
+            cls.gen_jwt_algorithm = yml['apikey']['gen_jwt']['algorithm']
+            if 'claims' not in yml['apikey']['gen_jwt']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "claims" not found in "apikey.gen_jwt". ({signin_file})')
+            cls.gen_jwt_claims = yml['apikey']['gen_jwt']['claims'].copy()
+            if type(yml['apikey']['gen_jwt']['claims']) is not dict:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "claims" not dict type in "apikey.gen_jwt". ({signin_file})')
+        if 'verify_jwt' not in yml['apikey']:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "verify_jwt" not found in "apikey". ({signin_file})')
+        if 'enabled' not in yml['apikey']['verify_jwt']:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "enabled" not found in "apikey.verify_jwt". ({signin_file})')
+        if type(yml['apikey']['verify_jwt']['enabled']) is not bool:
+            raise HTTPException(status_code=500, detail=f'signin_file format error. "enabled" not bool type in "apikey.verify_jwt". ({signin_file})')
+        if yml['apikey']['verify_jwt']['enabled']:
+            if 'certificate' not in yml['apikey']['verify_jwt']:
+                if 'publickey' not in yml['apikey']['verify_jwt']:
+                    raise HTTPException(status_code=500, detail=f'signin_file format error. "certificate" or "publickey" not found in "apikey.verify_jwt". ({signin_file})')
+                if not Path(yml['apikey']['verify_jwt']['publickey']).is_file():
+                    raise HTTPException(status_code=500, detail=f'signin_file format error. "publickey" file not found in "apikey.verify_jwt". ({signin_file})')
+                with open(yml['apikey']['verify_jwt']['publickey'], 'rb') as f:
+                    cls.verify_jwt_publickey_str = f.read()
+                    cls.verify_jwt_publickey = cls.load_pem_public_key(cls.verify_jwt_publickey_str)
+                    cls.verify_jwt_publickey_str = cls.verify_jwt_publickey_str.decode('utf-8')
+            else:
+                if not Path(yml['apikey']['verify_jwt']['certificate']).is_file():
+                    raise HTTPException(status_code=500, detail=f'signin_file format error. "certificate" file not found in "apikey.verify_jwt". ({signin_file})')
+                with open(yml['apikey']['verify_jwt']['certificate'], 'rb') as f:
+                    cls.verify_jwt_certificate = cls.load_pem_x509_certificate(f.read())
+                    cls.verify_jwt_publickey = cls.verify_jwt_certificate.public_key()
+                    cls.verify_jwt_publickey_str = cls.verify_jwt_publickey.public_bytes(
+                        encoding=serialization.Encoding.PEM,
+                        format=serialization.PublicFormat.SubjectPublicKeyInfo).decode('utf-8')
+            if 'issuer' not in yml['apikey']['verify_jwt']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "issuer" not found in "apikey.verify_jwt". ({signin_file})')
+            cls.verify_jwt_issuer = yml['apikey']['verify_jwt']['issuer']
+            if 'audience' not in yml['apikey']['verify_jwt']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "audience" not found in "apikey.verify_jwt". ({signin_file})')
+            cls.verify_jwt_audience = yml['apikey']['verify_jwt']['audience']
+            if 'algorithm' not in yml['apikey']['verify_jwt']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "algorithm" not found in "apikey.verify_jwt". ({signin_file})')
+            cls.verify_jwt_algorithm = yml['apikey']['verify_jwt']['algorithm']
         # oauth2のフォーマットチェック
         if 'oauth2' not in yml:
             raise HTTPException(status_code=500, detail=f'signin_file format error. "oauth2" not found. ({signin_file})')
@@ -485,7 +609,7 @@ class Signin(object):
             group_names (List[str]): グループ名リスト
             master_groups (List[Dict[str, Any]], optional): 親グループ名. Defaults to None.
         """
-        copy_signin_data = copy.deepcopy(signin_file_data)
+        copy_signin_data = copy.deepcopy(dict(groups=signin_file_data['groups']))
         master_groups = copy_signin_data['groups'] if master_groups is None else master_groups
         gns = []
         for gn in group_names.copy():
@@ -788,16 +912,12 @@ async def create_request_scope(req:Request=None, res:Response=None, websocket:We
     これは、FastAPIのDependsで使用されることを意図しています。
     次のように使用します。
-    Example:
-        ::
+    from cmdbox.app.auth import signin
+    from fastapi import Depends, Request, Response
-        from cmdbox.app.auth import signin
-        from fastapi import Depends, Request, Response
-        @app.get("/some-endpoint")
-        async def some_endpoint(req: Request, res: Response, scope=Depends(signin.create_request_scope)):
-            # 何らかの処理
+    @app.get("/some-endpoint")
+    async def some_endpoint(req: Request, res: Response, scope=Depends(signin.create_request_scope)):
+        pass
     Args:
         req (Request): リクエスト
@@ -818,18 +938,14 @@ def get_request_scope() -> Dict[str, Any]:
     """
     FastAPIのDepends用に、ContextVarからリクエストスコープを取得します。
-    Example:
-        ::
-        from cmdbox.app.auth import signin
-        from fastapi import Request, Response
-        scope = signin.get_request_scope()
-        scope['req']  # Requestオブジェクト
-        scope['res']  # Responseオブジェクト
-        scope['session']  # sessionを表す辞書
-        scope['websocket']  # WebSocket接続
-        scope['logger']  # loggerオブジェクト
+    from cmdbox.app.auth import signin
+    from fastapi import Request, Response
+    scope = signin.get_request_scope()
+    scope['req']  # Requestオブジェクト
+    scope['res']  # Responseオブジェクト
+    scope['session']  # sessionを表す辞書
+    scope['websocket']  # WebSocket接続
+    scope['logger']  # loggerオブジェクト
     Returns:
         Dict[str, Any]: リクエストとレスポンスとWebSocket接続

cmdbox/app/common.py CHANGED Viewed

@@ -93,7 +93,33 @@ def save_yml(yml_path:Path, data:dict) -> None:
     with open(yml_path, 'w') as f:
         yaml.dump(data, f, default_flow_style=False, sort_keys=False)
-def reset_logger(name:str, stderr:bool=False, fmt:str='[%(asctime)s] %(levelname)s - %(message)s', datefmt:str='%Y-%m-%d %H:%M:%S') -> None:
+class CommonValue:
+    _map = dict()
+def set_common_value(key:str, value:Any) -> None:
+    """
+    共通の値を設定します。
+    Args:
+        key (str): キー
+        value (Any): 値
+    """
+    CommonValue._map[key] = value
+def get_common_value(key:str, default:Any=None) -> Any:
+    """
+    共通の値を取得します。
+    Args:
+        key (str): キー
+        default (Any, optional): デフォルト値. Defaults to None.
+    Returns:
+        Any: 取得した値。存在しない場合はdefault値を返します。
+    """
+    return CommonValue._map.get(key, default)
+def reset_logger(name:str, stderr:bool=False, fmt:str='[%(asctime)s] %(levelname)s - %(message)s', datefmt:str='%Y-%m-%d %H:%M:%S', level:int=logging.INFO) -> None:
     """
     指定されたロガーのハンドラをクリアし、新しいハンドラを追加します。
     Args:
@@ -101,13 +127,21 @@ def reset_logger(name:str, stderr:bool=False, fmt:str='[%(asctime)s] %(levelname
         stderr (bool, optional): 標準エラー出力を使用するかどうか. Defaults to False.
         fmt (str, optional): ログフォーマット. Defaults to '[%(asctime)s] %(levelname)s - %(message)s'.
         datefmt (str, optional): 日時フォーマット. Defaults to '%Y-%m-%d %H:%M:%S'.
+        level (int, optional): ログレベル. Defaults to logging.INFO.
     """
     logger = logging.getLogger(name)
     logger.handlers.clear()
     logger.propagate = False
-    logger.addHandler(create_log_handler(stderr, fmt, datefmt))
+    logger.setLevel(level)
+    logger.addHandler(create_log_handler(stderr, fmt, datefmt, level))
+    if get_common_value('webcall', False):
+        # webcallの場合はStreamHandlerを削除
+        for handler in logger.handlers:
+            hc = handler.__class__
+            if issubclass(hc, logging.StreamHandler) and not issubclass(hc, logging.FileHandler):
+                logger.removeHandler(handler)
-def create_log_handler(stderr:bool=False, fmt:str='[%(asctime)s] %(levelname)s - %(message)s', datefmt:str='%Y-%m-%d %H:%M:%S') -> logging.Handler:
+def create_log_handler(stderr:bool=False, fmt:str='[%(asctime)s] %(levelname)s - %(message)s', datefmt:str='%Y-%m-%d %H:%M:%S', level:int=logging.INFO) -> logging.Handler:
     """
     ログハンドラを生成します。
@@ -123,6 +157,7 @@ def create_log_handler(stderr:bool=False, fmt:str='[%(asctime)s] %(levelname)s -
     #                      tracebacks_word_wrap=False, log_time_format='[%Y-%m-%d %H:%M]')
     handler = loghandler.ColorfulStreamHandler(sys.stdout if not stderr else sys.stderr)
     handler.setFormatter(formatter)
+    handler.setLevel(level)
     return handler
 def create_console(stderr:bool=False, file=None) -> Console:
@@ -135,8 +170,10 @@ def create_console(stderr:bool=False, file=None) -> Console:
     Returns:
         Console: コンソール
     """
-    console = Console(height=False,
-                      soft_wrap=False, stderr=stderr, file=file, log_time=True, log_path=False, log_time_format='[%Y-%m-%d %H:%M:%S]')
+    #console = Console(soft_wrap=True, height=True, highlighter=loghandler.LogLevelHighlighter(), theme=loghandler.theme,
+    #                  stderr=stderr, file=file)
+    console = Console(height=True, highlighter=loghandler.LogLevelHighlighter(), theme=loghandler.theme,
+                      soft_wrap=True, stderr=stderr, file=file, log_time=True, log_path=False, log_time_format='[%Y-%m-%d %H:%M:%S]')
     #console = Console(soft_wrap=True, stderr=stderr, file=file, log_time=True, log_path=False, log_time_format='[%Y-%m-%d %H:%M:%S]')
     return console
@@ -153,6 +190,7 @@ def default_logger(debug:bool=False, ver=version, webcall:bool=False) -> logging
         logging.Logger: ロガー
     """
     logger = logging.getLogger(ver.__appid__)
+    set_common_value('webcall', webcall)
     if not webcall:
         handler = create_log_handler()
         handler.setLevel(logging.DEBUG if debug else logging.INFO)
@@ -197,6 +235,7 @@ def load_config(mode:str, debug:bool=False, data=HOME_DIR, webcall:bool=False, v
     with open(log_conf_path) as f:
         log_config = yaml.safe_load(f)
     std_key = None
+    set_common_value('webcall', webcall)
     for k, h in log_config['handlers'].items():
         if 'filename' in h:
             h['filename'] = data / h['filename']

cmdbox/app/edge.py CHANGED Viewed

@@ -450,7 +450,7 @@ class Edge(object):
             status, res, headers = self.site_request(self.session.post, "/dosignin/gui", data=dict(name=user, password=password), ok_status=[200, 307])
             if status != 0 or headers.get('signin') is None:
-                return 1, dict(warn=f"Signin failed.")
+                return 1, dict(warn=f"Signin failed.", headers=headers)
             status, self.user_info = self.load_user_info()
             self.user_info['auth_type'] = auth_type
             self.user_info['password'] = password

cmdbox/app/edge_tool.py CHANGED Viewed

@@ -56,7 +56,7 @@ class Tool(object):
         """
         self.session = session
         self.svcert_no_verify = svcert_no_verify
-        self.endpoint = endpoint
+        self.endpoint = endpoint.rstrip('/')
         self.icon_path = icon_path
         self.user = user_info
         self.oauth2 = oauth2

cmdbox 0.6.0.3__py3-none-any.whl → 0.6.1__py3-none-any.whl

Potentially problematic release.

cmdbox 0.6.0.3py3-none-any.whl → 0.6.1py3-none-any.whl