|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
# Copyright 2010 - 2017 RhodeCode GmbH and the AppEnlight project authors
|
|
|
#
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
# You may obtain a copy of the License at
|
|
|
#
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
#
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
# See the License for the specific language governing permissions and
|
|
|
# limitations under the License.
|
|
|
|
|
|
import datetime
|
|
|
import logging
|
|
|
|
|
|
from pyramid.httpexceptions import HTTPForbidden, HTTPTooManyRequests
|
|
|
|
|
|
from appenlight.models.services.config import ConfigService
|
|
|
from appenlight.lib.redis_keys import REDIS_KEYS
|
|
|
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
def rate_limiting(request, resource, section, to_increment=1):
|
|
|
tsample = datetime.datetime.utcnow().replace(second=0, microsecond=0)
|
|
|
key = REDIS_KEYS["rate_limits"][section].format(tsample, resource.resource_id)
|
|
|
redis_pipeline = request.registry.redis_conn.pipeline()
|
|
|
redis_pipeline.incr(key, to_increment)
|
|
|
redis_pipeline.expire(key, 3600 * 24)
|
|
|
results = redis_pipeline.execute()
|
|
|
current_count = results[0]
|
|
|
config = ConfigService.by_key_and_section(section, "global")
|
|
|
limit = config.value if config else 1000
|
|
|
if current_count > int(limit):
|
|
|
log.info("RATE LIMITING: {}: {}, {}".format(section, resource, current_count))
|
|
|
abort_msg = "Rate limits are in effect for this application"
|
|
|
raise HTTPTooManyRequests(abort_msg, headers={"X-AppEnlight": abort_msg})
|
|
|
|
|
|
|
|
|
def check_cors(request, application, should_return=True):
|
|
|
"""
|
|
|
Performs a check and validation if request comes from authorized domain for
|
|
|
application, otherwise return 403
|
|
|
"""
|
|
|
origin_found = False
|
|
|
origin = request.headers.get("Origin")
|
|
|
if should_return:
|
|
|
log.info("CORS for %s" % origin)
|
|
|
if not origin:
|
|
|
return False
|
|
|
for domain in application.domains.split("\n"):
|
|
|
if domain in origin:
|
|
|
origin_found = True
|
|
|
if origin_found:
|
|
|
request.response.headers.add("Access-Control-Allow-Origin", origin)
|
|
|
request.response.headers.add("XDomainRequestAllowed", "1")
|
|
|
request.response.headers.add(
|
|
|
"Access-Control-Allow-Methods", "GET, POST, OPTIONS"
|
|
|
)
|
|
|
request.response.headers.add(
|
|
|
"Access-Control-Allow-Headers",
|
|
|
"Accept-Encoding, Accept-Language, "
|
|
|
"Content-Type, "
|
|
|
"Depth, User-Agent, X-File-Size, "
|
|
|
"X-Requested-With, If-Modified-Since, "
|
|
|
"X-File-Name, "
|
|
|
"Cache-Control, Host, Pragma, Accept, "
|
|
|
"Origin, Connection, "
|
|
|
"Referer, Cookie, "
|
|
|
"X-appenlight-public-api-key, "
|
|
|
"x-appenlight-public-api-key",
|
|
|
)
|
|
|
request.response.headers.add("Access-Control-Max-Age", "86400")
|
|
|
return request.response
|
|
|
else:
|
|
|
return HTTPForbidden()
|
|
|
|