kiwi-vpn/api/kiwi_vpn_api/routers/_common.py

"""
Common dependencies for routers.
"""


from fastapi import Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer

from ..config import Config, Settings
from ..db import Device, User, UserCapabilityType

oauth2_scheme = OAuth2PasswordBearer(
    tokenUrl=f"{Settings._.api_v1_prefix}/user/authenticate"
)


class Responses:
    """
    Just a namespace.

    Describes API response status codes.
    """

    OK = {
        "content": None,
    }
    INSTALLED = {
        "description": "kiwi-vpn already installed",
        "content": None,
    }
    NOT_INSTALLED = {
        "description": "kiwi-vpn not installed",
        "content": None,
    }
    NEEDS_USER = {
        "description": "Must be logged in",
        "content": None,
    }
    NEEDS_ADMIN = {
        "description": "Must be admin",
        "content": None,
    }
    NEEDS_REQUESTED_USER = {
        "description": "Must be the requested user",
        "content": None,
    }
    ENTRY_EXISTS = {
        "description": "Entry exists in database",
        "content": None,
    }
    ENTRY_DOESNT_EXIST = {
        "description": "Entry does not exist in database",
        "content": None,
    }
    CANT_TARGET_SELF = {
        "description": "Operation can't target yourself",
        "content": None,
    }


async def get_current_user(
    token: str = Depends(oauth2_scheme),
    current_config: Config | None = Depends(Config.load),
) -> User | None:
    """
    Get the currently logged-in user from the database.
    """

    # can't connect to an unconfigured database
    if current_config is None:
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)

    username = await current_config.jwt.decode_token(token)

    return User.get(username)


async def get_current_user_if_exists(
    current_user: User | None = Depends(get_current_user),
) -> User:
    """
    Get the currently logged-in user if it exists.
    """

    # fail if not requested by a user
    if current_user is None:
        # don't use error 404 here: possible user enumeration
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    return current_user


async def get_current_user_if_admin(
    current_user: User = Depends(get_current_user_if_exists),
) -> User:
    """
    Fail if the currently logged-in user is not an admin.
    """

    if not current_user.can(UserCapabilityType.admin):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    return current_user


async def get_user_by_name(
    user_name: str,
    current_config: Config | None = Depends(Config.load),
) -> User | None:
    """
    Get a user by name.
    """

    # can't connect to an unconfigured database
    if current_config is None:
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)

    return User.get(user_name)


async def get_user_by_name_if_editable(
    user: User | None = Depends(get_user_by_name),
    current_user: User = Depends(get_current_user_if_exists),
) -> User:
    """
    Get a user by name if it can be edited by the current user.
    """

    # fail if user doesn't exist
    if user is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)

    # fail if user isn't editable by the current user
    if not current_user.can_edit(user):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    return user


async def get_device_by_id(
    device_id: int,
    current_config: Config | None = Depends(Config.load),
) -> Device | None:

    # can't connect to an unconfigured database
    if current_config is None:
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)

    return Device.get(device_id)


async def get_device_by_id_if_editable(
    device: Device | None = Depends(get_device_by_id),
    current_user: User = Depends(get_current_user_if_exists),
) -> Device:

    # fail if device doesn't exist
    if device is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)

    # fail if device is not owned by current user
    if not current_user.owns(device):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    return device
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`"""`
			`Common dependencies for routers.`
			`"""`


add and remove capabilities 2022-03-23 00:39:19 +00:00			`from fastapi import Depends, HTTPException, status`
get_current_user into deps 2022-03-19 04:07:19 +00:00			`from fastapi.security import OAuth2PasswordBearer`

fix user router 2022-03-28 20:18:19 +00:00			`from ..config import Config, Settings`
deleting a device 2022-03-29 15:56:12 +00:00			`from ..db import Device, User, UserCapabilityType`
get_current_user into deps 2022-03-19 04:07:19 +00:00
fix user router 2022-03-28 20:18:19 +00:00			`oauth2_scheme = OAuth2PasswordBearer(`
			`tokenUrl=f"{Settings._.api_v1_prefix}/user/authenticate"`
			`)`
get_current_user into deps 2022-03-19 04:07:19 +00:00

"install" endpoint 2022-03-19 17:11:52 +00:00			`class Responses:`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`"""`
			`Just a namespace.`

			`Describes API response status codes.`
			`"""`

			`OK = {`
"install" endpoint 2022-03-19 17:11:52 +00:00			`"content": None,`
			`}`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`INSTALLED = {`
"install" endpoint 2022-03-19 17:11:52 +00:00			`"description": "kiwi-vpn already installed",`
			`"content": None,`
			`}`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`NOT_INSTALLED = {`
"install" endpoint 2022-03-19 17:11:52 +00:00			`"description": "kiwi-vpn not installed",`
			`"content": None,`
			`}`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`NEEDS_USER = {`
"install" endpoint 2022-03-19 17:11:52 +00:00			`"description": "Must be logged in",`
			`"content": None,`
			`}`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`NEEDS_ADMIN = {`
"install" endpoint 2022-03-19 17:11:52 +00:00			`"description": "Must be admin",`
			`"content": None,`
			`}`
POST /device route 2022-03-29 00:01:12 +00:00			`NEEDS_REQUESTED_USER = {`
Endpoint POST api/dn 2022-03-23 15:44:35 +00:00			`"description": "Must be the requested user",`
			`"content": None,`
			`}`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`ENTRY_EXISTS = {`
new user creation 2022-03-19 18:06:28 +00:00			`"description": "Entry exists in database",`
			`"content": None,`
			`}`
User creation/deletion 2022-03-23 13:25:00 +00:00			`ENTRY_DOESNT_EXIST = {`
			`"description": "Entry does not exist in database",`
			`"content": None,`
			`}`
don't delete yourself 2022-03-29 15:38:36 +00:00			`CANT_TARGET_SELF = {`
			`"description": "Operation can't target yourself",`
			`"content": None,`
			`}`
"install" endpoint 2022-03-19 17:11:52 +00:00

get_current_user into deps 2022-03-19 04:07:19 +00:00			`async def get_current_user(`
			`token: str = Depends(oauth2_scheme),`
			`current_config: Config \| None = Depends(Config.load),`
add and remove capabilities 2022-03-23 00:39:19 +00:00			`) -> User \| None:`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`"""`
			`Get the currently logged-in user from the database.`
			`"""`

			`# can't connect to an unconfigured database`
get_current_user into deps 2022-03-19 04:07:19 +00:00			`if current_config is None:`
fix common getters 2022-03-24 15:51:36 +00:00			`raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)`
get_current_user into deps 2022-03-19 04:07:19 +00:00
			`username = await current_config.jwt.decode_token(token)`

rework common and admin router for new db 2022-03-28 01:31:37 +00:00			`return User.get(username)`
add and remove capabilities 2022-03-23 00:39:19 +00:00

fix common getters 2022-03-24 15:51:36 +00:00			`async def get_current_user_if_exists(`
add and remove capabilities 2022-03-23 00:39:19 +00:00			`current_user: User \| None = Depends(get_current_user),`
			`) -> User:`
			`"""`
fix common getters 2022-03-24 15:51:36 +00:00			`Get the currently logged-in user if it exists.`
add and remove capabilities 2022-03-23 00:39:19 +00:00			`"""`

brevity 2022-03-23 01:14:02 +00:00			`# fail if not requested by a user`
			`if current_user is None:`
possible security flaw 2022-03-29 16:12:29 +00:00			`# don't use error 404 here: possible user enumeration`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`
brevity 2022-03-23 01:14:02 +00:00
fix common getters 2022-03-24 15:51:36 +00:00			`return current_user`


rename rollback 2022-03-29 15:39:02 +00:00			`async def get_current_user_if_admin(`
fix common getters 2022-03-24 15:51:36 +00:00			`current_user: User = Depends(get_current_user_if_exists),`
			`) -> User:`
			`"""`
cleanup in _common 2022-03-29 00:13:38 +00:00			`Fail if the currently logged-in user is not an admin.`
fix common getters 2022-03-24 15:51:36 +00:00			`"""`

Capability -> UserCapabilityType 2022-03-28 21:41:49 +00:00			`if not current_user.can(UserCapabilityType.admin):`
brevity 2022-03-23 01:14:02 +00:00			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`

rename rollback 2022-03-29 15:39:02 +00:00			`return current_user`

brevity 2022-03-23 01:14:02 +00:00
POST /device route 2022-03-29 00:01:12 +00:00			`async def get_user_by_name(`
brevity 2022-03-23 01:14:02 +00:00			`user_name: str,`
refactor get_user_by_name_if_editable 2022-03-29 16:12:55 +00:00			`current_config: Config \| None = Depends(Config.load),`
			`) -> User \| None:`
brevity 2022-03-23 01:14:02 +00:00			`"""`
POST /device route 2022-03-29 00:01:12 +00:00			`Get a user by name.`
brevity 2022-03-23 01:14:02 +00:00			`"""`

refactor get_user_by_name_if_editable 2022-03-29 16:12:55 +00:00			`# can't connect to an unconfigured database`
			`if current_config is None:`
			`raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)`

			`return User.get(user_name)`


			`async def get_user_by_name_if_editable(`
			`user: User \| None = Depends(get_user_by_name),`
			`current_user: User = Depends(get_current_user_if_exists),`
			`) -> User:`
			`"""`
			`Get a user by name if it can be edited by the current user.`
			`"""`
POST /device route 2022-03-29 00:01:12 +00:00
refactor get_user_by_name_if_editable 2022-03-29 16:12:55 +00:00			`# fail if user doesn't exist`
			`if user is None:`
			`raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)`
POST /device route 2022-03-29 00:01:12 +00:00
refactor get_user_by_name_if_editable 2022-03-29 16:12:55 +00:00			`# fail if user isn't editable by the current user`
			`if not current_user.can_edit(user):`
add and remove capabilities 2022-03-23 00:39:19 +00:00			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`
fix common getters 2022-03-24 15:51:36 +00:00
POST /device route 2022-03-29 00:01:12 +00:00			`return user`
deleting a device 2022-03-29 15:56:12 +00:00

			`async def get_device_by_id(`
			`device_id: int,`
			`current_config: Config \| None = Depends(Config.load),`
			`) -> Device \| None:`

			`# can't connect to an unconfigured database`
			`if current_config is None:`
			`raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)`

			`return Device.get(device_id)`


			`async def get_device_by_id_if_editable(`
			`device: Device \| None = Depends(get_device_by_id),`
			`current_user: User = Depends(get_current_user_if_exists),`
			`) -> Device:`

			`# fail if device doesn't exist`
			`if device is None:`
			`raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)`

			`# fail if device is not owned by current user`
			`if not current_user.owns(device):`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`

			`return device`