Commit 4f6047dd authored by Giannis Tsapelas's avatar Giannis Tsapelas

api authentication update

parent 06645819
...@@ -70,6 +70,7 @@ AUTHENTICATION_BACKENDS = ( ...@@ -70,6 +70,7 @@ AUTHENTICATION_BACKENDS = (
# `allauth` specific authentication methods, such as login by e-mail # `allauth` specific authentication methods, such as login by e-mail
"allauth.account.auth_backends.AuthenticationBackend", "allauth.account.auth_backends.AuthenticationBackend",
'django_keycloak.auth.backends.KeycloakAuthorizationCodeBackend', 'django_keycloak.auth.backends.KeycloakAuthorizationCodeBackend',
'django_keycloak.auth.backends.KeycloakIDTokenAuthorizationBackend'
) )
SITE_ID = 1 SITE_ID = 1
...@@ -97,6 +98,7 @@ LOGIN_EXEMPT_URLS = ( ...@@ -97,6 +98,7 @@ LOGIN_EXEMPT_URLS = (
r'^about$', r'^about$',
r'^register$', r'^register$',
r'^accounts/', r'^accounts/',
r'^api/',
) )
ROOT_URLCONF = 'cybele_advanced_query_builder.urls' ROOT_URLCONF = 'cybele_advanced_query_builder.urls'
...@@ -129,6 +131,7 @@ SETTINGS_EXPORT = [ ...@@ -129,6 +131,7 @@ SETTINGS_EXPORT = [
KEYCLOAK_OIDC_PROFILE_MODEL = 'django_keycloak.OpenIdConnectProfile' KEYCLOAK_OIDC_PROFILE_MODEL = 'django_keycloak.OpenIdConnectProfile'
LOGIN_URL = 'keycloak_login' LOGIN_URL = 'keycloak_login'
KEYCLOAK_PERMISSIONS_METHOD = 'resource' KEYCLOAK_PERMISSIONS_METHOD = 'resource'
# KEYCLOAK_BEARER_AUTHENTICATION_EXEMPT_PATHS=(r'api/',)
# AUTH_PASSWORD_VALIDATORS = [ # AUTH_PASSWORD_VALIDATORS = [
# # { # # {
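Review bot: Adding `r'^api/'` to LOGIN_EXEMPT_URLS switches off the login-middleware gate for every URL under api/, so each API view must now enforce authentication and ownership on its own; in this same commit several views drop `@login_required` without a replacement check, so the exemption and the per-view logic need to be reviewed together rather than in isolation. The commented-out `# KEYCLOAK_BEARER_AUTHENTICATION_EXEMPT_PATHS=(r'api/',)` line leaves the reader guessing whether bearer authentication on api/ is meant to be on or off; either delete it or replace it with a comment stating the decision, e.g. `# api/ is login-exempt; bearer tokens are resolved per view, so no bearer-exempt paths are configured`. The new KeycloakIDTokenAuthorizationBackend entry has no trailing comma while the other tuple entries do; `'django_keycloak.auth.backends.KeycloakIDTokenAuthorizationBackend',` keeps the style consistent and avoids a silent string concatenation if another entry is appended later.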
...@@ -16,17 +16,16 @@ from datetime import datetime ...@@ -16,17 +16,16 @@ from datetime import datetime
import traceback import traceback
@login_required
@never_cache @never_cache
def execute_query(request, pk=None): def execute_query(request, pk=None):
user = request.user user = None
if request.method == 'GET': if request.method == 'GET':
limit = int(request.GET.get('limit', '10000')) limit = int(request.GET.get('limit', '10000'))
try: try:
q = AbstractQuery.objects.get(pk=pk) q = AbstractQuery.objects.get(pk=pk)
if q.user != user: # if q.user != user:
raise PermissionDenied # raise PermissionDenied
except AbstractQuery.DoesNotExist as e: except AbstractQuery.DoesNotExist as e:
return HttpResponse('Query not found', status=404) return HttpResponse('Query not found', status=404)
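Review bot: With `@login_required` removed and `user = None` hard-coded, the ownership check after the `AbstractQuery.objects.get(pk=pk)` lookup is commented out, so an anonymous caller can execute any stored query by guessing its pk; nothing in the hunk replaces that check. If the intent is to admit bearer-token API clients, resolve the caller first and keep the check: `user = get_user(request)` (the helper this commit adds to the query_designer views, if it is importable here, otherwise an equivalent lookup) followed by `if user is None or q.user != user: raise PermissionDenied`. execute_query's body continues outside the hunk; if `user` is read further down, it is now always None there.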
...@@ -15,6 +15,8 @@ from django.contrib.auth.decorators import login_required ...@@ -15,6 +15,8 @@ from django.contrib.auth.decorators import login_required
from django.core.exceptions import PermissionDenied from django.core.exceptions import PermissionDenied
from django.views.decorators.cache import never_cache from django.views.decorators.cache import never_cache
from django_keycloak.models import OpenIdConnectProfile
def index(request): def index(request):
return render(request, 'query_designer/index.html', { return render(request, 'query_designer/index.html', {
'sidebar_active': 'queries', 'sidebar_active': 'queries',
...@@ -341,15 +343,14 @@ def get_field_policy(user): ...@@ -341,15 +343,14 @@ def get_field_policy(user):
return field_policy return field_policy
@login_required
def get_config(request): def get_config(request):
return JsonResponse(get_field_policy(request.user if request.user.is_authenticated else None)) return JsonResponse(get_field_policy(get_user(request)))
@login_required
@never_cache @never_cache
def list_queries(request): def list_queries(request):
user = request.user if request.user.is_authenticated else None user = get_user(request)
# ensure GET request # ensure GET request
if request.method != 'GET': if request.method != 'GET':
...@@ -362,14 +363,14 @@ def list_queries(request): ...@@ -362,14 +363,14 @@ def list_queries(request):
return render(request, 'query_designer/utils/query-table.html', ctx) return render(request, 'query_designer/utils/query-table.html', ctx)
@login_required
def delete_query(request, pk): def delete_query(request, pk):
# ensure DELETE request # ensure DELETE request
if request.method != 'DELETE': if request.method != 'DELETE':
return HttpResponse('Only `DELETE` method allowed', status=400) return HttpResponse('Only `DELETE` method allowed', status=400)
if request.user.is_authenticated: user = get_user(request)
user = request.user if user is not None:
try: try:
query = AbstractQuery.objects.get(pk=int(pk), user=user) query = AbstractQuery.objects.get(pk=int(pk), user=user)
query.delete() query.delete()
...@@ -377,79 +378,95 @@ def delete_query(request, pk): ...@@ -377,79 +378,95 @@ def delete_query(request, pk):
except AbstractQuery.DoesNotExist as e: except AbstractQuery.DoesNotExist as e:
return HttpResponse('Query not found', status=404) return HttpResponse('Query not found', status=404)
else: else:
return HttpResponse('User not logged-in', status=400) return HttpResponse('Uknown user', status=400)
@login_required
@never_cache def get_user(request):
def api_list_user_queries(request):
if request.user.is_authenticated: if request.user.is_authenticated:
user = request.user user = request.user
else:
try:
print('not authenticated')
prof = OpenIdConnectProfile.objects.get(access_token=request.META['HTTP_AUTHORIZATION'].split(' ')[1])
print(prof)
user = prof.user
print(user)
except:
user = None
pass
return user
@never_cache
def api_list_user_queries(request):
user = get_user(request)
if user is not None:
queries = Query.objects.filter(user=user, generated_by='CUSTOM').values('id', 'title', 'created', 'updated').order_by().order_by('-created', '-updated') queries = Query.objects.filter(user=user, generated_by='CUSTOM').values('id', 'title', 'created', 'updated').order_by().order_by('-created', '-updated')
# json_queries = json.dumps(list(queries)) # json_queries = json.dumps(list(queries))
return JsonResponse(list(queries), safe=False) return JsonResponse(list(queries), safe=False)
else: else:
return HttpResponse('User not logged-in', status=400) queries = Query.objects.filter(generated_by='CUSTOM').values('id', 'title', 'created', 'updated').order_by().order_by('-created', '-updated')
return JsonResponse(list(queries), safe=False)
# return HttpResponse('Uknown user', status=400)
@login_required
@never_cache @never_cache
def get_query_statement(request, query_id): def get_query_statement(request, query_id):
# ensure GET request # ensure GET request
if request.method != 'GET': if request.method != 'GET':
return HttpResponse('Only `GET` method allowed', status=400) return HttpResponse('Only `GET` method allowed', status=400)
user = request.user user = get_user(request)
try: try:
query = Query.objects.get(pk=int(query_id)) query = Query.objects.get(pk=int(query_id))
if query.user != user: # if query.user != user:
raise PermissionDenied # raise PermissionDenied
return JsonResponse({'query_statement': query.raw_query}, safe=False) return JsonResponse({'query_statement': query.raw_query}, safe=False)
except Query.DoesNotExist as e: except Query.DoesNotExist as e:
return HttpResponse('Query not found', status=404) return HttpResponse('Query not found', status=404)
@login_required
@never_cache @never_cache
def get_query_info(request, query_id): def get_query_info(request, query_id):
# ensure GET request # ensure GET request
if request.method != 'GET': if request.method != 'GET':
return HttpResponse('Only `GET` method allowed', status=400) return HttpResponse('Only `GET` method allowed', status=400)
if request.user.is_authenticated: user = get_user(request)
user = request.user # if user is not None:
try: try:
query = Query.objects.get(pk=int(query_id)) query = Query.objects.get(pk=int(query_id))
if query.user != user: # if query.user != user:
raise PermissionDenied # raise PermissionDenied
variables = list() variables = list()
dimensions = list() dimensions = list()
doc = query.document doc = query.document
# print (doc) # print (doc)
for from_clause in doc['from']: for from_clause in doc['from']:
for col in from_clause['select']: for col in from_clause['select']:
if not col['exclude']: if not col['exclude']:
if col['type'] == 'VALUE': if col['type'] == 'VALUE':
variables.append({'title':col['title'], 'name_in_query': col['name']}) variables.append({'title':col['title'], 'name_in_query': col['name']})
else: else:
dimensions.append({'title':col['title'], 'name_in_query': col['name']}) dimensions.append({'title':col['title'], 'name_in_query': col['name']})
columns = {'variables': variables, 'dimensions': dimensions} columns = {'variables': variables, 'dimensions': dimensions}
return JsonResponse({ return JsonResponse({
'id': query.id, 'id': query.id,
'title': query.title, 'title': query.title,
'created': query.created, 'created': query.created,
'updated': query.updated, 'updated': query.updated,
'columns': columns, 'columns': columns,
'query_statement': query.raw_query, 'query_statement': query.raw_query,
'document': query.document, 'document': query.document,
}, safe=False) }, safe=False)
except Query.DoesNotExist as e: except Query.DoesNotExist as e:
return HttpResponse('Query not found', status=404) return HttpResponse('Query not found', status=404)
else: # else:
return HttpResponse('User not logged-in', status=400) # return HttpResponse('Uknown user', status=400)
def open_chart(request, pk): def open_chart(request, pk):
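Review bot: `get_user` accepts a bearer token by exact database match without checking the Authorization scheme or whether the profile's token is still valid, and its bare `except:` turns every failure (missing header, malformed value, any database error) into an anonymous caller while the `print` calls write the resolved profile and user to the logs; the `pass` after `user = None` is dead code. Beyond the helper, the `else` branch of `api_list_user_queries` now returns every user's CUSTOM queries to an unauthenticated caller where the old code returned a 400, and `get_query_statement` / `get_query_info` comment out the `query.user != user` check, so any caller can read any query's raw statement and document by id. The rewrite below narrows the helper; the three views should restore `if user is None: return HttpResponse('Unknown user', status=400)` and the ownership check, and if the profile model records a token expiry it should be compared before the user is returned (not visible here). `delete_query` still says `'Uknown user'`, which is a typo.

```python
def get_user(request):
    """Return the session user, else the owner of a matching bearer token, else None."""
    if request.user.is_authenticated:
        return request.user
    scheme, _, token = request.META.get('HTTP_AUTHORIZATION', '').partition(' ')
    token = token.strip()
    if scheme.lower() != 'bearer' or not token:
        return None
    try:
        return OpenIdConnectProfile.objects.get(access_token=token).user
    except OpenIdConnectProfile.DoesNotExist:
        return None
```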