+ """Added is_active to user model.

+ 

+ Revision ID: 2dce48cbfea6

+ Revises: cecf8298b202

+ Create Date: 2017-12-11 18:39:46.343369

+ 

+ """

+ from alembic import op

+ import sqlalchemy as sa

+ 

+ 

+ # revision identifiers, used by Alembic.

+ revision = '2dce48cbfea6'

+ down_revision = 'cecf8298b202'

+ branch_labels = None

+ depends_on = None

+ 

+ 

+ def upgrade():

+     """Add is_active to user table"""

+     # ### commands auto generated by Alembic - please adjust! ###

+     op.add_column('users', sa.Column('is_active', sa.Boolean(), nullable=True))

+     # ### end Alembic commands ###

+ 

+ 

+ def downgrade():

+     """Remove is_active from user table"""

+     # ### commands auto generated by Alembic - please adjust! ###

+     op.drop_column('users', 'is_active')

+     # ### end Alembic commands ###

+ """Added user table.

+ 

+ Revision ID: cecf8298b202

+ Revises: 9ee67bf38f1f

+ Create Date: 2017-11-09 16:50:47.759236

+ 

+ """

+ from alembic import op

+ import sqlalchemy as sa

+ 

+ 

+ # revision identifiers, used by Alembic.

+ revision = 'cecf8298b202'

+ down_revision = '9ee67bf38f1f'

+ branch_labels = None

+ depends_on = None

+ 

+ 

+ def upgrade():

+     """TODO: Add an upgrade description."""

+     # ### commands auto generated by Alembic - please adjust! ###

+     op.create_table('users',

+     sa.Column('id', sa.Integer(), nullable=False),

+     sa.Column('name', sa.Unicode(length=255), nullable=False),

+     sa.Column('email', sa.String(length=255), nullable=False),

+     sa.Column('password_hash', sa.String(length=128), nullable=True),

+     sa.PrimaryKeyConstraint('id'),

+     sa.UniqueConstraint('email')

+     )

+     # ### end Alembic commands ###

+ 

+ 

+ def downgrade():

+     """TODO: Add a downgrade description."""

+     # ### commands auto generated by Alembic - please adjust! ###

+     op.drop_table('users')

+     # ### end Alembic commands ###

+ from flask import Flask, jsonify, abort, make_response

+ from marshmallow.exceptions import ValidationError

+ from kiskadee.model import Package, Fetcher, Version, Analysis, User

+     AnalysisSchema, UserSchema

+ from kiskadee.api.token import token_required

+ from . import mail

+ 

+ @kiskadee.route('/login', methods=['POST'])

+ def login():

+     """Token based login

+ 

+     POST /login

+ 

+     Possible status code:

+         - 200 Ok -> User token

+         - 401 Unauthorized -> Unauthorized, invalid user credentials

+         - 403 Forbidden -> User email not confirmed

+     """

+     json_data = request.get_json()

+     email, password = [json_data.get('email'), json_data.get('password')]

+ 

+     if email and password:

+         db_session = kiskadee_db_session()

+         user = db_session.query(User).filter_by(email=email).first()

+ 

+         if user is not None and not user.is_active:

+             return make_response(jsonify({'error': 'User email not confirmed'}), 403)

+ 

+         if user is not None and user.verify_password(password):

+             token = user.generate_token()

+ 

+             response = {'token': token, 'user': UserSchema().dump(user).data}

+             return make_response(jsonify(response), 200)

+ 

+     return make_response(jsonify({'error': 'Unauthorized, invalid user credentials'}), 401)

+ 

+ 

+ @kiskadee.route('/users', methods=['GET'])

+ @token_required

+ def get_users(token_data):

+     """Get the list of users

+ 

+     GET /users

+ 

+     Possible status code:

+         - 200 Ok -> Users list

+     """

+     db_session = kiskadee_db_session()

+     users = db_session.query(User).all()

+     user_schema = UserSchema(many=True)

+     result = user_schema.dump(users)

+ 

+     return make_response(jsonify({'users': result.data}), 200)

+ 

+ 

+ @kiskadee.route('/users', methods=['POST'])

+ def create_user():

+     """Create a new user

+ 

+     POST /users

+ 

+     Possible status code:

+         - 201 Created -> User created

+         - 400 Bad Request -> Validation error

+         - 403 Forbidden -> User already exists

+     """

+     db_session = kiskadee_db_session()

+     data = request.get_json()

+ 

+     # Verify is user already exists

+     if data.get('email'):

+         user = db_session.query(User).filter_by(

+             email=data.get('email')).first()

+ 

+         if user is not None:

+             return make_response(

+                 jsonify({

+                     'error': 'user already exists'

+                 }), 403)

+ 

+     # Try to create user

+     try:

+         user = UserSchema.create(**data)

+     except ValidationError as error:

+         return make_response(

+             jsonify({

+                 'error': 'Validation error',

+                 'validations': error.args[0]

+             }), 400)

+ 

+     db_session.add(user)

+     db_session.commit()

+     mail.send_confirmation_email(user)

+ 

+     user_schema = UserSchema()

+     result = user_schema.dump(user)

+ 

+     token = user.generate_token()

+ 

+     return make_response(jsonify({'user': result.data, 'token': token}), 201)

+ 

+ 

+ @kiskadee.route('/users/<int:user_id>', methods=['GET'])

+ @token_required

+ def get_user_data(token_data, user_id):

+     """Get the user data

+ 

+     GET /users/:id

+ 

+     Possible status code:

+         - 200 Ok -> User data

+         - 404 Not Found -> User not found

+     """

+     db_session = kiskadee_db_session()

+     user = db_session.query(User).filter_by(id=user_id).first()

+ 

+     if user is None:

+         return make_response(jsonify({'error': 'user not found'}), 404)

+ 

+     user_schema = UserSchema()

+     result = user_schema.dump(user)

+ 

+     return make_response(jsonify({'user': result.data}), 200)

+ 

+ 

+ @kiskadee.route('/users/<int:user_id>', methods=['PUT'])

+ @token_required

+ def update_user(token_data, user_id):

+     """Updates a user

+ 

+     PUT /users/:id

+ 

+     Possible status code:

+         - 200 Ok -> User updated

+         - 400 Bad Request -> Validation error

+         - 403 Forbidden -> Token user does not match to requested user

+         - 404 Not Found -> User not found

+     """

+     db_session = kiskadee_db_session()

+     user = db_session.query(User).filter_by(id=user_id).first()

+ 

+     if user is None:

+         return make_response(jsonify({'error': 'user not found'}), 404)

+ 

+     if token_data['user_id'] != user_id:

+         return make_response(

+             jsonify({

+                 'error': 'token user does not match to requested user'

+             }), 403)

+ 

+     json_data = request.get_json()

+     user_data = UserSchema().dump(user).data

+     user_data.update(json_data)

+ 

+     validation = UserSchema().load(user_data)

+ 

+     if bool(validation.errors):

+         return make_response(

+             jsonify({

+                 'error': 'Validation error',

+                 'validations': validation.errors

+             }), 400)

+ 

+     password = validation.data.get('validation')

+     if password is not None:

+         user.hash_password(password)

+         del validation.data['password']

+ 

+     for (key, value) in validation.data.items():

+         setattr(user, key, value)

+ 

+     db_session.commit()

+ 

+     result = UserSchema().dump(user)

+     return make_response(jsonify({'user': result.data}), 200)

+ 

+ 

+ @kiskadee.route('/users/<int:user_id>', methods=['DELETE'])

+ @token_required

+ def delete_user(token_data, user_id):

+     """Deletes a user

+ 

+     DELETE /users/:id

+ 

+     Possible status code:

+         - 204 No Content -> User deleted

+         - 403 Forbidden -> Token user does not match to requested user

+         - 404 Not Found -> User not found

+     """

+     db_session = kiskadee_db_session()

+     user = db_session.query(User).filter_by(id=user_id).first()

+ 

+     if user is None:

+         return make_response(jsonify({'error': 'user not found'}), 404)

+ 

+     if token_data['user_id'] != user_id:

+         return make_response(

+             jsonify({

+                 'error': 'token user does not match to requested user'

+             }), 403)

+ 

+     db_session.delete(user)

+     db_session.commit()

+ 

+     return make_response(jsonify({}), 204)

+ 

+ 

+     cleaner = mail.UnconfirmedEmailsCleaner()

+     cleaner.start()

+ 

+ import os

+ import datetime

+ import jwt

+ 

+ from threading import Thread

+ from time import sleep

+ 

+ from flask import make_response, jsonify, url_for

+ from flask_mail import Mail, Message

+ 

+ from kiskadee import config

+ from kiskadee.database import Database

+ from kiskadee.model import User

+ from kiskadee.api.app import kiskadee

+ from kiskadee.api.token import token_vefirication

+ 

+ kiskadee.config.update({

+     'MAIL_ENABLED':

+     config['mail']['MAIL_ENABLED'] == 'True',

+     'MAIL_SERVER':

+     config['mail']['MAIL_SERVER'],

+     'MAIL_PORT':

+     config['mail']['MAIL_PORT'],

+     'MAIL_USERNAME':

+     os.environ.get('MAIL_USERNAME'),

+     'MAIL_PASSWORD':

+     os.environ.get('MAIL_PASSWORD'),

+     'MAIL_USE_TLS':

+     config['mail']['MAIL_USE_TLS'] == 'True',

+     'MAIL_USE_SSL':

+     config['mail']['MAIL_USE_SSL'] == 'True',

+     'EMAIL_TOKEN_SECRET_KEY':

+     os.environ.get('EMAIL_TOKEN_SECRET_KEY', 'dev email token'),

+     'MAIL_CONFIRM_REDIRECT':

+     config['mail']['MAIL_CONFIRM_REDIRECT'],

+     'MAIL_UNCONFIRMED_CLEANER_TIMER':

+     config['mail']['MAIL_UNCONFIRMED_CLEANER_TIMER']

+ })

+ 

+ mail = Mail(kiskadee)

+ 

+ 

+ def generate_activation_token(user):

+     """

+     Given a user it generates an activation token and returns it

+     """

+     token = jwt.encode(

+         {

+             'user_id': user.id,

+             'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=24)

+         },

+         kiskadee.config['EMAIL_TOKEN_SECRET_KEY'],

+         algorithm='HS256')

+ 

+     return token

+ 

+ 

+ def send_confirmation_email(user):

+     """

+     Given a user, it check MAIL_ENABLED and if it is True then sends an e-mail

+     to the given user email with a tokenized link to activate the user.

+     """

+     if not kiskadee.config['MAIL_ENABLED']:

+         user.is_active = True

+         return None

+ 

+     token = generate_activation_token(user)

+ 

+     msg = Message(

+         "Kiskadee email confirmation",

+         sender=kiskadee.config['MAIL_USERNAME'],

+         recipients=[user.email])

+ 

+     link = url_for("confirm_email", token=token, _external=True)

+ 

+     msg.body = '''

+     Thank you for registering on kiskadee. Now please confirm your e-mail

+     or your account will be deleted from our servers in a few hours.

+ 

+     Confirmation link: {}

+ 

+     Now if you are receiving this email by mistake, sorry for the

+     inconvenience and please just ignore this message and the account

+     refers to this message will be deleted.

+     '''.format(link)

+ 

+     mail.send(msg)

+ 

+ 

+ @kiskadee.route('/users/confirm_email/<token>', methods=['GET'])

+ def confirm_email(token):

+     """

+     Given an activation token generated by mail.send_confirmation_email

+     if its token is valid it activated the token user

+     or returns a validation error

+ 

+     GET /users/confirm_email/<token>

+ 

+     Possible status code:

+         - 200 Ok -> E-mail confirmed, go back to kiskadee: <Kiskadee link>

+         - 403 Forbidden -> Token expired or Invalid token

+     """

+     vefirication = token_vefirication(

+         token, kiskadee.config['EMAIL_TOKEN_SECRET_KEY'])

+ 

+     if 'error' in vefirication:

+         return make_response(jsonify(vefirication), 403)

+ 

+     db_session = Database().session

+ 

+     user = db_session.query(User).filter_by(

+         id=vefirication['data']['user_id']).first()

+     user.is_active = True

+ 

+     db_session.commit()

+ 

+     confirm_message = '''

+     E-mail confirmed, go back to kiskadee: <a href="{}">Kiskadee</a>

+     '''.format(kiskadee.config['MAIL_CONFIRM_REDIRECT'])

+ 

+     return make_response(confirm_message, 200)

+ 

+ 

+ class UnconfirmedEmailsCleaner(Thread):

+     """

+     If MAIL_ENABLED is True then for every MAIL_UNCONFIRMED_CLEANER_TIMER time

+     it will search for unactivated users and deletes it.

+     """

+ 

+     def run(self):

+         if not kiskadee.config['MAIL_ENABLED']:

+             return None

+ 

+         sleep_time = int(kiskadee.config['MAIL_UNCONFIRMED_CLEANER_TIMER'])

+ 

+         while True:

+             sleep(sleep_time)

+             db_session = Database().session

+             db_session.query(User).filter_by(is_active=False).delete()

+             db_session.commit()

+ from marshmallow import Schema, fields, validate, exceptions

+         Report, Analyzer, User

+ 

+ 

+ class UserSchema(Schema):

+     """Provide a serializer to the User model."""

+ 

+     id = fields.Int(dump_only=True)

+     name = fields.Str(required=True, validate=validate.Length(min=4, max=255))

+     email = fields.Str(

+         required=True,

+         validate=[validate.Email(error='Not a valid email address'),

+                   validate.Length(min=4, max=255)])

+     password = fields.Str(load_only=True,

+                           validate=validate.Length(min=4, max=255))

+     is_active = fields.Bool(default=False)

+ 

+     def make_object(self, data):

+         """Serialize a User object."""

+         print('MAKING OBJECT FROM', data)

+         return User(**data)

+ 

+     @classmethod

+     def create(cls, **data):

+         """User factory that creates a User object without saving it.

+ 

+         If the given data has errors it raises an

+         marshmallow.exceptions.ValidationError, else create an User model

+         and return it widthout saving.

+ 

+         :data: User model attributes

+         """

+         validation = UserSchema().load(data)

+ 

+         if bool(validation.errors):

+             raise exceptions.ValidationError(validation.errors)

+ 

+         password = validation.data.get('password')

+         if password is not None:

+             del validation.data['password']

+ 

+         user = User(**validation.data)

+ 

+         if password is not None:

+             user.hash_password(str(password))

+         else:

+             raise exceptions.ValidationError({

+                 'password': 'Missing data for required field.'

+             })

+ 

+         return user 

+ import jwt

+ import os

+ 

+ from functools import wraps

+ 

+ from flask import request, make_response, jsonify

+ 

+ TOKEN_SECRET_KEY = os.getenv('TOKEN_SECRET_KEY', 'default development key')

+ 

+ 

+ def token_vefirication(token, verification_key):

+     """

+     Token verification. Given a token and its key it will return the token data

+     or one of the following errors: Token expired, Invalid token.

+ 

+     returns:

+         {'data': ...}

+         or

+         {'error': 'Token expired'}

+         or

+         {'error': 'Invalid token'}

+     """

+     try:

+         data = jwt.decode(token, verification_key, algorithms=['HS256'])

+         return {'data': data}

+     except jwt.ExpiredSignatureError:

+         return {'error': 'Token expired'}

+     except jwt.InvalidTokenError:

+         return {'error': 'Invalid token'}

+ 

+ 

+ def token_required(fn):

+     """Token verification decorator. When applyed on a route it will

+     look for the x-access-token on the request header.

+ 

+     If it is valid, the the route is executed.

+     Else, the token is missing or is invalid or has expired, either way

+     the user receive a 403 status code when invalid.

+ 

+     Possible status code:

+         - 403 Forbidden ->

+             "Token is missing" or "Token expired" or "Invalid token"

+     """

+ 

+     @wraps(fn)

+     def decorated(*args, **kwargs):

+         token = None

+ 

+         if 'x-access-token' in request.headers:

+             token = request.headers['x-access-token']

+ 

+         if not token:

+             return make_response(jsonify({'error': 'Token is missing'}), 403)

+ 

+         vefirication = token_vefirication(token, TOKEN_SECRET_KEY)

+ 

+         if 'error' in vefirication:

+             return make_response(jsonify(vefirication), 403)

+         else:

+             params = dict(kwargs, token_data=vefirication['data'])

+             return fn(*args, **params)

+ 

+     return decorated 

+                        Sequence, Unicode, ForeignKey, orm, JSON, String,\

+                        Boolean

+ from passlib.apps import custom_app_context as pwd_context

+ import jwt

+ import os

+ import datetime

+ 

+ TOKEN_SECRET_KEY = os.getenv('TOKEN_SECRET_KEY', 'default development key')

+ 

+     id = Column(

+         Integer, Sequence('packages_id_seq', optional=True), primary_key=True)

+     __table_args__ = (UniqueConstraint('name', 'fetcher_id'), )

+     id = Column(

+         Integer, Sequence('fetchers_id_seq', optional=True), primary_key=True)

+     id = Column(

+         Integer, Sequence('versions_id_seq', optional=True), primary_key=True)

+     __table_args__ = (UniqueConstraint('number', 'package_id'), )

+     id = Column(

+         Integer, Sequence('analyzers_id_seq', optional=True), primary_key=True)

+     id = Column(

+         Integer, Sequence('analysis_id_seq', optional=True), primary_key=True)

+     report = orm.relationship(

+         'Report', uselist=False, back_populates='analysis')

+     id = Column(

+         Integer, Sequence('reports_id_seq', optional=True), primary_key=True)

+         if not (_session.query(Analyzer).filter(Analyzer.name == name).filter(

+                 Analyzer.version == version).first()):

+ 

+ 

+ class User(Base):

+     __tablename__ = 'users'

+     id = Column(

+         Integer, Sequence('users_id_seq', optional=True), primary_key=True)

+     name = Column(Unicode(255), nullable=False)

+     email = Column(String(255), nullable=False, unique=True)

+     password_hash = Column(String(128))

+     is_active = Column(Boolean, unique=False, default=False)

+ 

+     def hash_password(self, password):

+         """Takes a plain password as argument

+         and stores a hash of it with the user.

+         """

+         self.password_hash = pwd_context.hash(password)

+ 

+     def verify_password(self, password):

+         """Takes a plain password as argument and returns

+         True if the password is correct

+         False if not.

+         """

+         try:

+             return pwd_context.verify(password, self.password_hash)

+         except ValueError:

+             return False

+ 

+     def generate_token(self):

+         """Generates user auth token and returns it"""

+         token = jwt.encode(

+             {

+                 'user_id': self.id,

+                 'exp':

+                 datetime.datetime.utcnow() + datetime.timedelta(hours=48)

+             },

+             TOKEN_SECRET_KEY,

+             algorithm='HS256')

+ 

+         return token.decode('UTF-8')

+ import json

+ import unittest

+ from sqlalchemy.orm import sessionmaker

+ from unittest.mock import patch

+ 

+ import kiskadee

+ import kiskadee.api.app

+ 

+ from kiskadee.model import User

+ from kiskadee.api.serializers import UserSchema

+ 

+ 

+ def mock_hash_password(self, password):

+     """Mock for User model hash_password method.

+     It is too slow for the tests.

+     """

+     self.password_hash = str(password)

+ 

+ 

+ class ApiUsersTestCase(unittest.TestCase):

+     def setUp(self):

+         kiskadee.api.app.kiskadee.testing = True

+         self.engine = kiskadee.database.Database('db_test').engine

+         Session = sessionmaker(bind=self.engine)

+         self.session = Session()

+         self.app = kiskadee.api.app.kiskadee.test_client()

+ 

+         kiskadee.model.Base.metadata.create_all(self.engine)

+         self._setup_mock_users()

+ 

+     @patch.object(User, 'hash_password', mock_hash_password)

+     def _setup_mock_users(self):

+         mock_users_data = [{

+             'name': 'test 1',

+             'email': 'test@user1.com',

+             'password': 'test',

+             'is_active': True

+         }, {

+             'name': 'test 2',

+             'email': 'test@user2.com',

+             'password': 'test',

+             'is_active': True

+         }, {

+             'name': 'test 3',

+             'email': 'test@user3.com',

+             'password': 'test',

+             'is_active': True

+         }]

+ 

+         for mock_data in mock_users_data:

+             user = UserSchema.create(**mock_data)

+             self.session.add(user)

+ 

+         self.session.commit()

+ 

+     def tearDown(self):

+         self.session.close()

+         kiskadee.model.Base.metadata.drop_all()

+ 

+     # POST /login -> 200 Ok

+     def test_get_user_token_on_login(self):

+         kiskadee.api.app.kiskadee_db_session = lambda: self.session

+ 

+         user_data = {

+             'name': 'login',

+             'email': 'login@email.com',

+             'password': 'login',

+             'is_active': True

+         }

+ 

+         # Creating a user as user.verify_password inside login route

+         # gives ValueError with users created with mock_hash_password

+         user = UserSchema.create(**user_data)

+         self.session.add(user)

+         self.session.commit()

+ 

+         login_data = {

+             'email': user_data['email'],

+             'password': user_data['password']

+         }

+ 

+         response = self.app.post(

+             "/login",

+             data=json.dumps(login_data),

+             content_type='application/json')

+ 

+         data = json.loads(response.data.decode("utf-8"))

+ 

+         self.assertIn("token", data)

+         self.assertIn("user", data)

+         self.assertEqual(user.id, data['user']['id'])

+         self.assertEqual(200, response.status_code)

+ 

+     # POST /login -> 403 User email not confirmed

+     def test_unconfirmed_user_cant_login(self):

+         kiskadee.api.app.kiskadee_db_session = lambda: self.session

+ 

+         user_data = {