5 ### (c) 2013 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This file is part of Chopwood: a password-changing service.
12 ### Chopwood is free software; you can redistribute it and/or modify
13 ### it under the terms of the GNU Affero General Public License as
14 ### published by the Free Software Foundation; either version 3 of the
15 ### License, or (at your option) any later version.
17 ### Chopwood is distributed in the hope that it will be useful,
18 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
19 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 ### GNU Affero General Public License for more details.
22 ### You should have received a copy of the GNU Affero General Public
23 ### License along with Chopwood; if not, see
24 ### <http://www.gnu.org/licenses/>.
26 from __future__ import with_statement
28 import contextlib as CTX
29 import os as OS; ENV = OS.environ
33 import traceback as TB
35 from auto import HOME, PACKAGE, VERSION
36 import config as CONF; CFG = CONF.CFG
38 import output as O; OUT = O.OUT; PRINT = O.PRINT
39 import subcommand as SC
42 ###--------------------------------------------------------------------------
43 ### Configuration tweaks.
45 _script_name = ENV.get('SCRIPT_NAME', '/cgi-bin/chpwd')
49 ## The URL of this program, when it's run through CGI.
50 SCRIPT_NAME = _script_name,
52 ## A (maybe relative) URL for static content. By default this comes from
53 ## the main script, but we hope that user agents cache it.
54 STATIC = _script_name + '/static')
56 ###--------------------------------------------------------------------------
57 ### Escaping and encoding.
59 ## Some handy regular expressions.
60 R_URLESC = RX.compile('%([0-9a-fA-F]{2})')
61 R_URLBAD = RX.compile('[^-\\w,.!]')
62 R_HTMLBAD = RX.compile('[&<>]')
65 """Decode a single form-url-encoded string S."""
66 return R_URLESC.sub(lambda m: chr(int(m.group(1), 16)),
71 """Encode a single string S using form-url-encoding."""
72 return R_URLBAD.sub(lambda m: '%%%02x' % ord(m.group(0)), s)
75 """Escape a literal string S so that HTML doesn't misinterpret it."""
76 return R_HTMLBAD.sub(lambda m: '&#x%02x;' % ord(m.group(0)), s)
78 ## Some standard character sequences, and HTML entity names for prettier
80 _quotify = U.StringSubst({
89 """Return a pretty HTML version of S."""
90 return _quotify(htmlescape(s))
92 ###--------------------------------------------------------------------------
95 class HTTPOutput (O.FileOutput):
97 Output driver providing an automatic HTTP header.
99 The `headerp' attribute is true if we've written a header. The `header'
100 method will print a custom header if this is wanted.
103 def __init__(me, *args, **kw):
104 """Constructor: initialize `headerp' flag."""
105 super(HTTPOutput, me).__init__(*args, **kw)
109 """Output protocol: print a header if we've not written one already."""
110 if not me.headerp: me.header('text/plain')
111 super(HTTPOutput, me).write(msg)
113 def header(me, content_type = 'text/plain', **kw):
115 Print a header, if none has yet been printed.
117 Keyword arguments can be passed to emit HTTP headers: see `http_header'
118 for the formatting rules.
120 if me.headerp: return
122 for h in O.http_headers(content_type = content_type, **kw):
126 def cookie(name, value, **kw):
128 Return a HTTP `Set-Cookie' header.
130 The NAME and VALUE give the name and value of the cookie; both are
131 form-url-encoded to prevent misinterpretation (fortunately, `cgiparse'
132 knows to undo this transformation). The KW are other attributes to
133 declare: the names are forced to lower-case and underscores `_' are
134 replaced by hyphens `-'; a `True' value is assumed to indicate that the
135 attribute is boolean, and omitted.
138 for k, v in kw.iteritems():
139 k = '-'.join(i.lower() for i in k.split('_'))
141 try: maxage = int(attr['max-age'])
142 except KeyError: pass
144 attr['expires'] = T.strftime('%a, %d %b %Y %H:%M:%S GMT',
145 T.gmtime(U.NOW + maxage))
146 return '; '.join(['%s=%s' % (urlencode(name), urlencode(value))] +
147 [v is not True and '%s=%s' % (k, v) or k
148 for k, v in attr.iteritems()])
150 def action(*v, **kw):
152 Build a URL invoking this script.
154 The positional arguments V are used to construct a path which is appended
155 to the (deduced or configured) script name (and presumably will be read
156 back as `PATH_INFO'). The keyword arguments are (form-url-encoded and)
157 appended as a query string, if present.
159 url = '/'.join([CFG.SCRIPT_NAME] + list(v))
161 url += '?' + ';'.join('%s=%s' % (urlencode(k), urlencode(kw[k]))
163 return htmlescape(url)
166 """Build a URL for the static file NAME."""
167 return htmlescape(CFG.STATIC + '/' + name)
169 def redirect(where, **kw):
171 Write a complete redirection to some other URL.
173 OUT.header(content_type = 'text/html',
174 status = 302, location = where,
178 <head><title>No, sorry, it's moved again.</title></head>
179 <body><p>I'm <a href="%s">over here</a> now.<body>
180 </html>""" % htmlescape(where))
182 ###--------------------------------------------------------------------------
185 ## Where we find our templates.
188 ## Keyword arguments for templates.
192 ## Set some basic keyword arguments.
194 def set_template_keywords():
198 script = CFG.SCRIPT_NAME,
201 class TemplateFinder (object):
203 A magical fake dictionary whose keys are templates.
205 def __init__(me, dir):
208 def __getitem__(me, key):
209 try: return me._cache[key]
210 except KeyError: pass
211 with open(OS.path.join(me._dir, key)) as f: tmpl = f.read()
212 me._cache[key] = tmpl
214 TMPL = TemplateFinder(TMPLDIR)
219 Context manager: execute the body with additional keyword arguments
224 with STATE.bind(kw = d): yield
228 class FormatHTML (F.SimpleFormatOperation):
230 ~H: escape output suitable for inclusion in HTML.
232 With `:', instead apply form-urlencoding.
234 def _convert(me, arg):
235 if me.colonp: return html_quotify(arg)
236 else: return htmlescape(arg)
237 FORMATOPS['H'] = FormatHTML
239 def format_tmpl(control, **kw):
240 with F.COMPILE.bind(opmaps = [FORMATOPS, F.BASEOPS]):
242 F.format(OUT, control, **STATE.kw)
244 def page(template, header = {}, title = 'Chopwood', **kw):
245 header = dict(header, content_type = 'text/html')
247 format_tmpl(TMPL['wrapper.fhtml'],
248 title = title, payload = TMPL[template], **kw)
250 ###--------------------------------------------------------------------------
254 def cgi_errors(hook = None):
256 Context manager: report errors in the body as useful HTML.
258 If HOOK is given, then call it before reporting errors. It may have set up
265 if isinstance(e, U.ExpectedError) and not OUT.headerp:
267 headers = dict(status = e.code),
268 title = 'Chopwood: error', error = e)
270 exty, exval, extb = SYS.exc_info()
271 with tmplkw(exception = TB.format_exception_only(exty, exval),
272 traceback = TB.extract_tb(extb),
273 PARAM = sorted(PARAM),
274 COOKIE = sorted(COOKIE.items()),
276 ENV = sorted(ENV.items())):
278 format_tmpl(TMPL['exception.fhtml'], toplevel = False)
280 page('exception.fhtml',
281 headers = dict(status = 500),
282 title = 'Chopwood: internal error',
285 ###--------------------------------------------------------------------------
288 ## Lots of global variables to be filled in by `cgiparse'.
295 ## Regular expressions for splitting apart query and cookie strings.
296 R_QSPLIT = RX.compile('[;&]')
297 R_CSPLIT = RX.compile(';')
299 def split_keyvalue(string, delim, default):
301 Split a STRING, and generate the resulting KEY=VALUE pairs.
303 The string is split at DELIM; the components are parsed into KEY[=VALUE]
304 pairs. The KEYs and VALUEs are stripped of leading and trailing
305 whitespace, and form-url-decoded. If the VALUE is omitted, then the
306 DEFAULT is used unless the DEFAULT is `None' in which case the component is
309 for kv in delim.split(string):
311 k, v = kv.split('=', 1)
313 if default is None: continue
314 else: k, v = kv, default
315 k, v = k.strip(), v.strip()
317 k, v = urldecode(k), urldecode(v)
322 Process all of the various exciting CGI environment variables.
324 We read environment variables and populate some tables left in global
325 variables: it's all rather old-school. Variables set are as follows.
328 A dictionary mapping cookie names to the values provided by the user
332 A dictionary holding some special query parameters which are of
333 interest at a global level, and should not be passed to a subcommand
334 handler. No new entries will be added to this dictionary, though
335 values will be modified to reflect the query parameters discovered.
336 Conventionally, such parameters have names beginning with `%'.
339 The query parameters as a list of (KEY, VALUE) pairs. Special
340 parameters are omitted.
343 The query parameters as a dictionary. Special parameters, and
344 parameters which appear more than once, are omitted.
347 The trailing `PATH_INFO' path, split at `/' markers, with any
348 trailing empty component removed.
353 except KeyError: raise U.ExpectedError, (500, "No `%s' supplied" % var)
355 ## Yes, we want the request method.
356 method = getenv('REQUEST_METHOD')
358 ## Acquire the query string.
360 q = getenv('QUERY_STRING')
362 elif method == 'POST':
364 ## We must read the query string from stdin.
365 n = getenv('CONTENT_LENGTH')
367 raise U.ExpectedError, (500, "Invalid CONTENT_LENGTH")
369 if getenv('CONTENT_TYPE') != 'application/x-www-form-urlencoded':
370 raise U.ExpectedError, (500, "Unexpected content type `%s'" % ct)
371 q = SYS.stdin.read(n)
373 raise U.ExpectedError, (500, "Failed to read correct length")
376 raise U.ExpectedError, (500, "Unexpected request method `%s'" % method)
378 ## Populate the `SPECIAL', `PARAM' and `PARAMDICT' tables.
380 for k, v in split_keyvalue(q, R_QSPLIT, 't'):
391 ## Parse out the cookies, if any.
392 try: c = ENV['HTTP_COOKIE']
393 except KeyError: pass
395 for k, v in split_keyvalue(c, R_CSPLIT, None): COOKIE[k] = v
397 ## Set up the `PATH'.
398 try: p = ENV['PATH_INFO']
399 except KeyError: pass
401 pp = p.lstrip('/').split('/')
402 if pp and not pp[-1]: pp.pop()
405 ###--------------------------------------------------------------------------
408 class Subcommand (SC.Subcommand):
410 A CGI subcommand object.
412 As for `subcommand.Subcommand', but with additional protocol for processing
416 def cgi(me, param, path):
418 Invoke the subcommand given a collection of CGI parameters.
420 PARAM is a list of (KEY, VALUE) pairs from the CGI query. The CGI query
421 parameters are checked against the subcommand's parameters (making sure
422 that mandatory parameters are supplied, that any switches are given
423 boolean values, and that only the `rest' parameter, if any, is
426 PATH is a list of trailing path components. They are used to satisfy the
427 `rest' parameter if there is one and there are no query parameters which
428 satisfy the `rest' parameter; otherwise, an `ExpectedError' is raised if
429 the list of path elements is non-empty.
432 ## We're going to make a pass over the supplied parameters, and we'll
433 ## check them off against the formal parameters as we go; so we'll need
434 ## to be able to look them up. We'll also keep track of the ones we've
435 ## seen so that we can make sure that all of the mandatory parameters
436 ## were actually supplied.
438 ## To that end: `want' is a dictionary mapping parameter names to
439 ## functions which will do something useful with the value; `seen' is a
440 ## set of the parameters which have been assigned; and `kw' is going to
441 ## be the keyword-argument dictionary we pass to the handler function.
446 """Set a simple value: we shouldn't see multiple values."""
448 raise U.ExpectedError, (400, "Repeated parameter `%s'" % k)
451 """Set a simple boolean value: for switches."""
452 set_value(k, v.lower() in ['true', 't', 'yes', 'y'])
454 """Append the value to a list: for the `rest' parameter."""
455 kw.setdefault(k, []).append(v)
457 ## Set up the `want' map.
459 if o.argname: want[o.name] = set_value
460 else: want[o.name] = set_bool
461 for p in me.params: want[p.name] = set_value
462 for p in me.oparams: want[p.name] = set_value
463 if me.rparam: want[me.rparam.name] = set_list
465 ## Work through the list of supplied parameters.
471 raise U.ExpectedError, (400, "Unexpected parameter `%s'" % k)
475 ## Deal with a path, if there is one.
477 if me.rparam and me.rparam.name not in kw:
478 kw[me.rparam.name] = path
480 raise U.ExpectedError, (404, "Superfluous path elements")
482 ## Make sure we saw all of the mandatory parameters.
485 raise U.ExpectedError, (400, "Missing parameter `%s'" % p.name)
487 ## Invoke the subcommand.
490 def subcommand(name, contexts, desc, cls = Subcommand, *args, **kw):
491 """Decorator for defining CGI subcommands."""
492 return SC.subcommand(name, contexts, desc, cls = cls, *args, **kw)
494 ###----- That's all, folks --------------------------------------------------