Merge branch 'py38-app-engine' of https://github.com/vpython/glowscript into py38-app-engine

Author: stevespicklemire

ide/auth.py

@@ -31,12 +31,56 @@
 
 authNamespace = {} # we need to create the oauth object lazily, this is a "cache" that let's us build the oauth object only when needed.
 
+def getSetting(name, default=None, returnObject=False):
+    """
+    Grab some setting from the datastore. If it's not a string, it should be stored as a JSON representation.
+    Set returnObject to True to force a JSON load. Otherwise use the type of the default to trigger JSON conversion
+    """
+    app.logger.info("Getting setting for:" + str(name))
+    result = models.Setting.get(name).value
+    if result == 'NOT SET':
+        result = default
+    elif ((default is not None) and (type(default) != type(''))) or returnObject:
+        # assume it's a JSON representation of an object, decode it and return that.
+        try:
+            result = json.loads(result)
+        except json.decoder.JSONDecodeError:
+            pass # maybe not?
+
+    app.logger.info("Got result:" + str(result))
+    return result
+
+def get_preview_users():
+    """
+    Get the email addresses of users who are permitted to authenticate with a preview version of the app.
+    """
+    return getSetting('preview_users', ['[email protected]','[email protected]'])
+
+def get_preview_suffixes():
+    """
+    Get the last domain parts of domains permitted for testing.
+    """
+    return getSetting('preview_domain_suffixes',['appspot.com'])
+
+def check_auth_host_for_preview(auth_host):
+    """
+    Check to see of the current auth_host has one of the preview domains as a "suffix".
+    """
+
+    parts = auth_host.split('.')
+    auth_host = '.'.join(parts[-2:]) # just keep last two components
+
+    for phost in get_preview_suffixes():
+        if auth_host.endswith(phost):
+            return True
+    
+    return False
+
 def get_project_name():
     """
     Get the project name from the Datastore.
     """
-    web_setting = models.Setting.get('google_project_name')
-    return web_setting.value
+    return getSetting('google_project_name','glowscript') 
 
 def get_redirect_uri():
     return get_base_url() + '/google/auth'  # get the valid redirect URL from the datastore setting
@@ -45,7 +89,7 @@ def get_base_url():
     """
     Get the base_url from the datastore
     """
-    return models.Setting.get('auth_base_url').value
+    return getSetting('auth_base_url')
 #
 # Robust way to check for running locally. Also easy to modify.
 #
@@ -175,8 +219,8 @@ def auth():
     token = oauth.google.authorize_access_token()
     user = oauth.google.parse_id_token(token)
 
-    if auth_host.endswith('uc.r.appspot.com'): # it's a test server, no sandbox!
-        if user.get('email') not in ['[email protected]','[email protected]']:  # only finish login for these guys
+    if check_auth_host_for_preview(auth_host): # are we in a preview version?
+        if user.get('email') not in get_preview_users():  # only finish login for these guys
             return redirect('/')
 
     session['user'] = user

ide/routes.py

@@ -28,12 +28,7 @@
 # python_version 2.7 works and can be deployed with Google App Engine Launcher 1.7.6
 
 localport = '8080'     # normally 8080
-website = 'glowscript' # normally glowscript
-
-weblocs = ["www."+website+".org", website+".org", "localhost:"+localport,"127.0.0.1:"+localport, 
-           "glowscriptdev.spvi.net","uc.r.appspot.com","www.devbasherwo.org","devbasherwo.org"]
-
-local_hosts = ['http://localhost','http://127.0.0.1']
+weblocs_safe = ["localhost:"+localport, "127.0.0.1:"+localport,] # only need these for local development
 
 import json
 from io import BytesIO
@@ -44,6 +39,7 @@
 import flask
 import traceback
 import functools
+import urllib.parse
 
 from google.cloud import ndb
 from google.auth.transport import requests
@@ -67,10 +63,12 @@ def chrange(b,e): return set(chr(x) for x in range(ord(b), ord(e)+1))
 
 def ndb_wsgi_middleware(wsgi_app):
     """
-    This is helpful for Flask and DNB to play nice together.
+    This is helpful for Flask and NDB to play nice together.
     
     https://cloud.google.com/appengine/docs/standard/python3/migrating-to-cloud-ndb
-    
+
+    We need to be able to access NDB in the application context.
+    If we're running a local datastore, make up a dummy project name.
     """
 
     project = emulator and 'glowscript-dev' or None
@@ -93,10 +91,30 @@ def middleware(environ, start_response):
 
     return middleware
 
+#
+# Now let's deal with the app
+#
+
 from . import app, auth
 
 app.wsgi_app = ndb_wsgi_middleware(app.wsgi_app)  # Wrap the app in middleware.
 
+#
+# set up logging
+#
+
+import logging
+import google.cloud.logging # Don't conflict with standard logging
+from google.cloud.logging.handlers import CloudLoggingHandler
+
+client = google.cloud.logging.Client()
+handler = CloudLoggingHandler(client)
+handler.setLevel(logging.INFO)
+app.logger.addHandler(handler)
+
+def get_weblocs():
+    return auth.getSetting('weblocs', weblocs_safe)
+
 #
 # These next few routes are to serve static files in dev mode. GAE will handle these
 # in production
@@ -161,10 +179,9 @@ def idejs_static():
         ide_js = load_idejs()
 
     host_name = get_auth_host_name()
-    if host_name.endswith('uc.r.appspot.com'): # no sandbox for uc.r.appspot.com test instances
-                                               # since we can't authenticate these instances anyway, no sanbox is needed
-        ide_js = ide_js.replace('WEBSERVER_NAME_TEMPLATE',host_name)
-        ide_js = ide_js.replace('SANDBOX_PREFIX_TEMPLATE','https://')
+    if auth.check_auth_host_for_preview(host_name): # are we running in a preview?
+        ide_js = ide_js.replace('WEBSERVER_NAME_TEMPLATE',host_name) 
+        ide_js = ide_js.replace('SANDBOX_PREFIX_TEMPLATE','https://') # no sandbox
     elif host_name.startswith('www.'):
         ide_js = ide_js.replace('WEBSERVER_NAME_TEMPLATE',host_name[4:])
         ide_js = ide_js.replace('SANDBOX_PREFIX_TEMPLATE','https://sandbox.')
@@ -196,14 +213,10 @@ def favicon_static():
 @app.route('/untrusted/<path:filename>')
 @no_cache
 def untrusted_static(filename):
-    app.logger.info("serving untrusted")
     if filename == 'run.js':
         run_js = module_cache.get('run.js')
         if not run_js:
-            app.logger.info("not found in cache")
             run_js = load_runjs()
-        else:
-            app.logger.info("found in cache")
 
         host_name = get_auth_host_name()
         if host_name.startswith('sandbox.'):
@@ -239,21 +252,22 @@ def get_auth_host_name():
 
 def trim_auth_host_name():
     #
-    # if the host name has more than four parts, trim off the first part.
-    # this allows appspot version to be tested that are not in production
-    # e.g., 20201227t175543-dot-py38-glowscript.uc.r.appspot.com
+    # if the host name has more than two parts, return the last two parts only.
+    # This allows appspot version to be tested that are not in production 
+    # e.g., 20201227t175543-dot-glowscript.appspot.com
     #
+
     host_header = get_auth_host_name()
     parts = host_header.split('.')
-    host_header = '.'.join(parts[1:]) if len(parts)>4 else host_header
+    host_header = '.'.join(parts[-2:]) if len(parts)>2 else host_header
     return host_header
 
 def authorize_host():
     host_header = trim_auth_host_name()
-    result =  host_header in weblocs
+    result =  host_header in get_weblocs()
 
     if not result:
-        print("Host failed to authorize:", host_header)
+        app.logger.info("Host failed to authorize:" + host_header + ":" + str(get_weblocs()))
 
     return result
 
@@ -328,7 +342,13 @@ def parseUrlPath(theRegexp, numGroups):
         for i in range(numGroups):
             value = m.group(i+1)
             if value:
-                names[i] = value
+                newValue = []
+                for char in value:
+                    if char == '%' or char in unreserved:
+                        newValue.append(char)
+                    else:
+                        newValue.append(urllib.parse.quote(char))
+                names[i] = ''.join(newValue)
     except:
         raise ParseUrlPathException('Parsing URL failed', 400)
 

requirements.txt

@@ -11,8 +11,9 @@ google-api-core==1.22.0
 google-api-python-client==1.10.0
 google-auth==1.20.0
 google-auth-httplib2==0.0.4
-google-cloud-core==1.3.0
+google-cloud-core==1.5.0
 google-cloud-datastore==1.13.2
+google-cloud-logging==2.0.2
 google-cloud-ndb==1.4.2
 google-cloud-secret-manager==1.0.0
 googleapis-common-protos==1.52.0
@@ -26,6 +27,7 @@ Jinja2==2.11.2
 lazy-object-proxy==1.4.3
 MarkupSafe==1.1.1
 mccabe==0.6.1
+proto-plus==1.13.0
 protobuf==3.12.4
 pyasn1==0.4.8
 pyasn1-modules==0.2.8