kinto 23.2.1__py3-none-any.whl

kinto/__init__.py

@@ -0,0 +1,92 @@
+import logging
+
+import pkg_resources
+from pyramid.authorization import Authenticated, Everyone
+from pyramid.config import Configurator
+from pyramid.settings import asbool
+
+import kinto.core
+from kinto.authorization import RouteFactory
+from kinto.core import utils
+
+
+# Module version, as defined in PEP-0396.
+__version__ = pkg_resources.get_distribution(__package__).version
+
+# Implemented HTTP API Version
+HTTP_API_VERSION = "1.23"
+
+# Main kinto logger
+logger = logging.getLogger(__name__)
+
+
+DEFAULT_SETTINGS = {
+    "retry_after_seconds": 3,
+    "cache_backend": "kinto.core.cache.memory",
+    "permission_backend": "kinto.core.permission.memory",
+    "storage_backend": "kinto.core.storage.memory",
+    "project_docs": "https://kinto.readthedocs.io/",
+    "bucket_create_principals": Authenticated,
+    "permissions_read_principals": Everyone,
+    "multiauth.authorization_policy": ("kinto.authorization.AuthorizationPolicy"),
+    "experimental_collection_schema_validation": False,
+    "experimental_permissions_endpoint": False,
+    "http_api_version": utils.json_serializer(HTTP_API_VERSION),
+    "bucket_id_generator": "kinto.views.NameGenerator",
+    "collection_id_generator": "kinto.views.NameGenerator",
+    "group_id_generator": "kinto.views.NameGenerator",
+    "record_id_generator": "kinto.views.RelaxedUUID",
+    "project_name": "kinto",
+    "admin_assets_path": None,
+    "metrics_matchdict_fields": ["bucket_id", "collection_id", "group_id", "record_id"],
+}
+
+
+def main(global_config, config=None, **settings):
+    if not config:
+        config = Configurator(settings=settings, root_factory=RouteFactory)
+
+    config.registry.command = global_config and global_config.get("command", None)
+
+    # Force settings prefix.
+    config.add_settings({"kinto.settings_prefix": "kinto"})
+
+    kinto.core.initialize(config, version=__version__, default_settings=DEFAULT_SETTINGS)
+
+    settings = config.get_settings()
+
+    # Expose capability
+    schema_enabled = asbool(settings["experimental_collection_schema_validation"])
+    if schema_enabled:
+        config.add_api_capability(
+            "schema",
+            description="Validates collection records with JSON schemas.",
+            url="https://kinto.readthedocs.io/en/latest/api/1.x/"
+            "collections.html#collection-json-schema",
+        )
+
+    # Scan Kinto views.
+    kwargs = {}
+
+    # Permissions endpoint enabled if permission backend is setup.
+    is_admin_enabled = "kinto.plugins.admin" in settings["includes"]
+    permissions_endpoint_enabled = (
+        is_admin_enabled or asbool(settings["experimental_permissions_endpoint"])
+    ) and hasattr(config.registry, "permission")
+    if permissions_endpoint_enabled:
+        config.add_api_capability(
+            "permissions_endpoint",
+            description="The permissions endpoint can be used to list all "
+            "user objects permissions.",
+            url="https://kinto.readthedocs.io/en/latest/configuration/"
+            "settings.html#activating-the-permissions-endpoint",
+        )
+    else:
+        kwargs.setdefault("ignore", []).append("kinto.views.permissions")
+
+    config.scan("kinto.views", **kwargs)
+
+    app = config.make_wsgi_app()
+
+    # Install middleware (no-op if disabled)
+    return kinto.core.install_middlewares(app, settings)

kinto/__main__.py

@@ -0,0 +1,249 @@
+import argparse
+import logging
+import logging.config
+import os
+import subprocess
+import sys
+
+from pyramid.paster import bootstrap
+from pyramid.scripts import pserve
+
+from kinto import __version__
+from kinto.config import init
+from kinto.core import scripts as core_scripts
+from kinto.plugins.accounts import scripts as accounts_scripts
+
+
+DEFAULT_CONFIG_FILE = os.getenv("KINTO_INI", "config/kinto.ini")
+DEFAULT_PORT = 8888
+DEFAULT_LOG_LEVEL = logging.INFO
+DEFAULT_LOG_FORMAT = "%(levelname)-5.5s  %(message)s"
+
+
+def main(args=None):
+    """The main routine."""
+    if args is None:
+        args = sys.argv[1:]
+
+    parser = argparse.ArgumentParser(description="Kinto Command-Line Interface")
+    commands = (
+        "init",
+        "start",
+        "migrate",
+        "flush-cache",
+        "version",
+        "create-user",
+        "purge-deleted",
+    )
+    subparsers = parser.add_subparsers(
+        title="subcommands",
+        description="Main Kinto CLI commands",
+        dest="subcommand",
+        help="Choose and run with --help",
+    )
+    subparsers.required = True
+
+    for command in commands:
+        subparser = subparsers.add_parser(command)
+        subparser.set_defaults(which=command)
+
+        subparser.add_argument(
+            "--ini",
+            help="Application configuration file",
+            dest="ini_file",
+            required=False,
+            default=DEFAULT_CONFIG_FILE,
+        )
+
+        subparser.add_argument(
+            "-q",
+            "--quiet",
+            action="store_const",
+            const=logging.CRITICAL,
+            dest="verbosity",
+            help="Show only critical errors.",
+        )
+
+        subparser.add_argument(
+            "-v",
+            "--debug",
+            action="store_const",
+            const=logging.DEBUG,
+            dest="verbosity",
+            help="Show all messages, including debug messages.",
+        )
+
+        if command == "init":
+            subparser.add_argument(
+                "--backend",
+                help="{memory,postgresql}",
+                dest="backend",
+                required=False,
+                default=None,
+            )
+            subparser.add_argument(
+                "--cache-backend",
+                help="{memory,postgresql,memcached}",
+                dest="cache-backend",
+                required=False,
+                default=None,
+            )
+            subparser.add_argument(
+                "--host",
+                help="Host to listen() on.",
+                dest="host",
+                required=False,
+                default="127.0.0.1",
+            )
+
+        elif command == "migrate":
+            subparser.add_argument(
+                "--dry-run",
+                action="store_true",
+                help="Simulate the migration operations and show information",
+                dest="dry_run",
+                required=False,
+                default=False,
+            )
+
+        elif command == "start":
+            subparser.add_argument(
+                "--reload",
+                action="store_true",
+                help="Restart when code or config changes",
+                required=False,
+                default=False,
+            )
+            subparser.add_argument(
+                "--port",
+                type=int,
+                help="Listening port number",
+                required=False,
+                default=DEFAULT_PORT,
+            )
+
+        elif command == "create-user":
+            subparser.add_argument(
+                "-u", "--username", help="Superuser username", required=False, default=None
+            )
+            subparser.add_argument(
+                "-p", "--password", help="Superuser password", required=False, default=None
+            )
+        elif command == "purge-deleted":
+            subparser.add_argument(
+                "resources",  # No '--' → positional
+                nargs="+",  # Accepts one or more
+                help="List of resources (e.g. record bucket group)",
+                default=["record"],
+            )
+            subparser.add_argument(
+                "max-retained",
+                help="The maximum number of tombstones to keep per resource and per parent",
+                type=int,
+            )
+
+    # Parse command-line arguments
+    parsed_args = vars(parser.parse_args(args))
+
+    config_file = parsed_args["ini_file"]
+    which_command = parsed_args["which"]
+
+    # Initialize logging from
+    level = parsed_args.get("verbosity") or DEFAULT_LOG_LEVEL
+    logging.basicConfig(level=level, format=DEFAULT_LOG_FORMAT)
+
+    if which_command == "init":
+        if os.path.exists(config_file):
+            print(f"{config_file} already exists.", file=sys.stderr)
+            return 1
+
+        backend = parsed_args["backend"]
+        cache_backend = parsed_args["cache-backend"]
+        if not backend:
+            while True:
+                prompt = (
+                    "Select the backend you would like to use: (1 - postgresql, default - memory) "
+                )
+                answer = input(prompt).strip()
+                try:
+                    backends = {"1": "postgresql", "": "memory"}
+                    backend = backends[answer]
+                    break
+                except KeyError:
+                    pass
+
+        if not cache_backend:
+            while True:
+                prompt = (
+                    "Select the cache backend you would like to use: "
+                    "(1 - postgresql, 2 - memcached, default - memory) "
+                )
+                answer = input(prompt).strip()
+                try:
+                    cache_backends = {
+                        "1": "postgresql",
+                        "2": "memcached",
+                        "": "memory",
+                    }
+                    cache_backend = cache_backends[answer]
+                    break
+                except KeyError:
+                    pass
+
+        init(config_file, backend, cache_backend, parsed_args["host"])
+
+        # Install postgresql libraries if necessary
+        if backend == "postgresql" or cache_backend == "postgresql":
+            try:
+                import psycopg2  # NOQA
+            except ImportError:
+                subprocess.check_call(
+                    [sys.executable, "-m", "pip", "install", "kinto[postgresql]"]
+                )
+        elif cache_backend == "memcached":
+            try:
+                import memcache  # NOQA
+            except ImportError:
+                subprocess.check_call([sys.executable, "-m", "pip", "install", "kinto[memcached]"])
+
+    elif which_command == "migrate":
+        dry_run = parsed_args["dry_run"]
+        env = bootstrap(config_file, options={"command": "migrate"})
+        core_scripts.migrate(env, dry_run=dry_run)
+
+    elif which_command == "flush-cache":
+        env = bootstrap(config_file, options={"command": "flush-cache"})
+        core_scripts.flush_cache(env)
+
+    elif which_command == "create-user":
+        username = parsed_args["username"]
+        password = parsed_args["password"]
+        env = bootstrap(config_file, options={"command": "create-user"})
+        return accounts_scripts.create_user(env, username=username, password=password)
+
+    elif which_command == "purge-deleted":
+        env = bootstrap(config_file)
+        return core_scripts.purge_deleted(
+            env, parsed_args["resources"], parsed_args["max-retained"]
+        )
+
+    elif which_command == "start":
+        pserve_argv = ["pserve"]
+
+        if parsed_args["reload"]:
+            pserve_argv.append("--reload")
+
+        if level == logging.DEBUG:
+            pserve_argv.append("-v")
+
+        if level == logging.CRITICAL:
+            pserve_argv.append("-q")
+
+        pserve_argv.append(config_file)
+        pserve_argv.append(f"http_port={parsed_args['port']}")
+        pserve.main(argv=pserve_argv)
+
+    else:
+        print(__version__)
+
+    return 0

kinto/authorization.py

@@ -0,0 +1,134 @@
+from pyramid.interfaces import IAuthorizationPolicy
+from zope.interface import implementer
+
+from kinto.core import authorization as core_authorization
+
+
+# Vocab really matters when you deal with permissions. Let's do a quick recap
+# of the terms used here:
+#
+# Object URI:
+#    An unique identifier for an object.
+#    for instance, /buckets/blog/collections/articles/records/article1
+#
+# Object:
+#    A common denomination of an object (e.g. "collection" or "record")
+#
+# Unbound permission:
+#    A permission not bound to an object (e.g. "create")
+#
+# Bound permission:
+#    A permission bound to an object (e.g. "collection:create")
+
+
+# Dictionary that associates single permissions to any other permission that
+# automatically provides it
+# Ex: bucket:read is granted by both bucket:write and bucket:read
+PERMISSIONS_INHERITANCE_TREE = {
+    "root": {"bucket:create": {}, "write": {}, "read": {}},  # Granted via settings only.
+    "bucket": {
+        "write": {"bucket": ["write"]},
+        "read": {"bucket": ["write", "read"]},
+        "read:attributes": {"bucket": ["write", "read", "collection:create", "group:create"]},
+        "group:create": {"bucket": ["write", "group:create"]},
+        "collection:create": {"bucket": ["write", "collection:create"]},
+    },
+    "group": {
+        "write": {"bucket": ["write"], "group": ["write"]},
+        "read": {"bucket": ["write", "read"], "group": ["write", "read"]},
+    },
+    "collection": {
+        "write": {"bucket": ["write"], "collection": ["write"]},
+        "read": {"bucket": ["write", "read"], "collection": ["write", "read"]},
+        "read:attributes": {
+            "bucket": ["write", "read"],
+            "collection": ["write", "read", "record:create"],
+        },
+        "record:create": {"bucket": ["write"], "collection": ["write", "record:create"]},
+    },
+    "record": {
+        "write": {"bucket": ["write"], "collection": ["write"], "record": ["write"]},
+        "read": {
+            "bucket": ["write", "read"],
+            "collection": ["write", "read"],
+            "record": ["write", "read"],
+        },
+    },
+}
+
+
+def _resource_endpoint(object_uri):
+    """Determine the resource name and whether it is the plural endpoint from
+    the specified `object_uri`. Returns `(None, None)` for the root URL plural
+    endpoint.
+    """
+    obj_parts = object_uri.split("/")
+    plural_endpoint = len(obj_parts) % 2 == 0
+    if plural_endpoint:
+        # /buckets/bid/collections -> /buckets/bid
+        obj_parts = obj_parts[:-1]
+
+    if len(obj_parts) <= 2:
+        # Root URL /buckets -> ('', False)
+        return "", False
+
+    # /buckets/bid -> buckets
+    resource_name = obj_parts[-2]
+    # buckets -> bucket
+    resource_name = resource_name.rstrip("s")
+    return resource_name, plural_endpoint
+
+
+def _relative_object_uri(resource_name, object_uri):
+    """Returns object_uri"""
+    obj_parts = object_uri.split("/")
+    for length in range(len(obj_parts) + 1):
+        parent_uri = "/".join(obj_parts[:length])
+        parent_resource_name, _ = _resource_endpoint(parent_uri)
+        if resource_name == parent_resource_name:
+            return parent_uri
+
+    error_msg = f"Cannot get URL of resource '{resource_name}' from parent '{object_uri}'."
+    raise ValueError(error_msg)
+
+
+def _inherited_permissions(object_uri, permission):
+    """Build the list of all permissions that can grant access to the given
+    object URI and permission.
+
+    >>> _inherited_permissions('/buckets/blog/collections/article', 'read')
+    [('/buckets/blog/collections/article', 'write'),
+     ('/buckets/blog/collections/article', 'read'),
+     ('/buckets/blog', 'write'),
+     ('/buckets/blog', 'read')]
+
+    """
+    resource_name, plural = _resource_endpoint(object_uri)
+    try:
+        object_perms_tree = PERMISSIONS_INHERITANCE_TREE[resource_name]
+    except KeyError:
+        return []  # URL that are not resources have no inherited perms.
+
+    # When requesting permissions for a single object, we check if they are any
+    # specific inherited permissions for the attributes.
+    attributes_permission = f"{permission}:attributes" if not plural else permission
+    inherited_perms = object_perms_tree.get(attributes_permission, object_perms_tree[permission])
+
+    granters = set()
+    for related_resource_name, implicit_permissions in inherited_perms.items():
+        for permission in implicit_permissions:
+            related_uri = _relative_object_uri(related_resource_name, object_uri)
+            granters.add((related_uri, permission))
+
+    # Sort by ascending URLs.
+    return sorted(granters, key=lambda uri_perm: len(uri_perm[0]), reverse=True)
+
+
+@implementer(IAuthorizationPolicy)
+class AuthorizationPolicy(core_authorization.AuthorizationPolicy):
+    def get_bound_permissions(self, *args, **kwargs):
+        return _inherited_permissions(*args, **kwargs)
+
+
+class RouteFactory(core_authorization.RouteFactory):
+    pass

kinto/config/__init__.py

@@ -0,0 +1,94 @@
+import codecs
+import logging
+import os
+from datetime import datetime
+from functools import lru_cache
+from hashlib import sha256
+from time import strftime
+
+from kinto import __version__
+from kinto.core import utils as core_utils
+
+
+logger = logging.getLogger(__name__)
+
+HERE = os.path.dirname(__file__)
+
+
+def render_template(template, destination, **kwargs):
+    template = os.path.join(HERE, template)
+    folder = os.path.dirname(destination)
+
+    if folder and not os.path.exists(folder):
+        os.makedirs(folder)
+
+    logger.info(f"Created config {os.path.abspath(destination)}")
+
+    with codecs.open(template, "r", encoding="utf-8") as f:
+        raw_template = f.read()
+        rendered = raw_template.format_map(kwargs)
+        with codecs.open(destination, "w+", encoding="utf-8") as output:
+            output.write(rendered)
+
+
+postgresql_url = "postgresql://postgres:postgres@localhost/postgres"
+
+backend_to_values = {
+    "postgresql": {
+        "storage_backend": "kinto.core.storage.postgresql",
+        "storage_url": postgresql_url,
+        "permission_backend": "kinto.core.permission.postgresql",
+        "permission_url": postgresql_url,
+    },
+    "memory": {
+        "storage_backend": "kinto.core.storage.memory",
+        "storage_url": "",
+        "permission_backend": "kinto.core.permission.memory",
+        "permission_url": "",
+    },
+}
+
+cache_backend_to_values = {
+    "postgresql": {"cache_backend": "kinto.core.cache.postgresql", "cache_url": postgresql_url},
+    "memcached": {
+        "cache_backend": "kinto.core.cache.memcached",
+        "cache_url": "127.0.0.1:11211 127.0.0.2:11211",
+    },
+    "memory": {"cache_backend": "kinto.core.cache.memory", "cache_url": ""},
+}
+
+
+def init(config_file, backend, cache_backend, host="127.0.0.1"):
+    values = {}
+
+    values["host"] = host
+    values["secret"] = core_utils.random_bytes_hex(32)
+    values["bucket_id_salt"] = core_utils.random_bytes_hex(32)
+
+    values["kinto_version"] = __version__
+    values["config_file_timestamp"] = str(strftime("%a, %d %b %Y %H:%M:%S %z"))
+
+    values.update(backend_to_values[backend])
+    values.update(cache_backend_to_values[cache_backend])
+
+    render_template("kinto.tpl", config_file, **values)
+
+
+@lru_cache(maxsize=1)
+def config_attributes():
+    """
+    Returns a hash of the config `.ini` file content.
+    The path is only known from `app.wsgi`, so we have to read
+    the environment variable again. Since tests are not run through
+    WSGI, then the variable is not set.
+    """
+    # WARNING: this default value should be the same as `app.wsgi`
+    ini_path = os.environ.get("KINTO_INI", os.path.join(".", "config", "kinto.ini"))
+    if not os.path.exists(ini_path):
+        logger.error(f"Could not find config file at {ini_path}")
+        return None
+    return {
+        "path": ini_path,
+        "hash": sha256(open(ini_path, "rb").read()).hexdigest(),
+        "modified": datetime.fromtimestamp(os.path.getmtime(ini_path)).isoformat(),
+    }