306 lines
8.7 KiB
Python
306 lines
8.7 KiB
Python
# Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors
|
|
# License: MIT. See LICENSE
|
|
import base64
|
|
import binascii
|
|
import json
|
|
from typing import Literal
|
|
from urllib.parse import urlencode, urlparse
|
|
|
|
import frappe
|
|
import frappe.client
|
|
import frappe.handler
|
|
from frappe import _
|
|
from frappe.utils.data import sbool
|
|
from frappe.utils.response import build_response
|
|
|
|
|
|
def handle():
|
|
"""
|
|
Handler for `/api` methods
|
|
|
|
### Examples:
|
|
|
|
`/api/method/{methodname}` will call a whitelisted method
|
|
|
|
`/api/resource/{doctype}` will query a table
|
|
examples:
|
|
- `?fields=["name", "owner"]`
|
|
- `?filters=[["Task", "name", "like", "%005"]]`
|
|
- `?limit_start=0`
|
|
- `?limit_page_length=20`
|
|
|
|
`/api/resource/{doctype}/{name}` will point to a resource
|
|
`GET` will return doclist
|
|
`POST` will insert
|
|
`PUT` will update
|
|
`DELETE` will delete
|
|
|
|
`/api/resource/{doctype}/{name}?run_method={method}` will run a whitelisted controller method
|
|
"""
|
|
|
|
parts = frappe.request.path[1:].split("/", 3)
|
|
call = doctype = name = None
|
|
|
|
if len(parts) > 1:
|
|
call = parts[1]
|
|
|
|
if len(parts) > 2:
|
|
doctype = parts[2]
|
|
|
|
if len(parts) > 3:
|
|
name = parts[3]
|
|
|
|
return _RESTAPIHandler(call, doctype, name).get_response()
|
|
|
|
|
|
class _RESTAPIHandler:
|
|
def __init__(self, call: Literal["method", "resource"], doctype: str | None, name: str | None):
|
|
self.call = call
|
|
self.doctype = doctype
|
|
self.name = name
|
|
|
|
def get_response(self):
|
|
"""Prepare and get response based on URL and form body.
|
|
|
|
Note: most methods of this class directly operate on the response local.
|
|
"""
|
|
match self.call:
|
|
case "method":
|
|
return self.handle_method()
|
|
case "resource":
|
|
self.handle_resource()
|
|
case _:
|
|
raise frappe.DoesNotExistError
|
|
|
|
return build_response("json")
|
|
|
|
def handle_method(self):
|
|
frappe.local.form_dict.cmd = self.doctype
|
|
return frappe.handler.handle()
|
|
|
|
def handle_resource(self):
|
|
if self.doctype and self.name:
|
|
self.handle_document_resource()
|
|
elif self.doctype:
|
|
self.handle_doctype_resource()
|
|
else:
|
|
raise frappe.DoesNotExistError
|
|
|
|
def handle_document_resource(self):
|
|
if "run_method" in frappe.local.form_dict:
|
|
self.execute_doc_method()
|
|
return
|
|
|
|
match frappe.local.request.method:
|
|
case "GET":
|
|
self.get_doc()
|
|
case "PUT":
|
|
self.update_doc()
|
|
case "DELETE":
|
|
self.delete_doc()
|
|
case _:
|
|
raise frappe.DoesNotExistError
|
|
|
|
def handle_doctype_resource(self):
|
|
match frappe.local.request.method:
|
|
case "GET":
|
|
self.get_doc_list()
|
|
case "POST":
|
|
self.create_doc()
|
|
case _:
|
|
raise frappe.DoesNotExistError
|
|
|
|
def execute_doc_method(self):
|
|
method = frappe.local.form_dict.pop("run_method")
|
|
doc = frappe.get_doc(self.doctype, self.name)
|
|
doc.is_whitelisted(method)
|
|
|
|
if frappe.local.request.method == "GET":
|
|
if not doc.has_permission("read"):
|
|
frappe.throw(_("Not permitted"), frappe.PermissionError)
|
|
frappe.local.response.update({"data": doc.run_method(method, **frappe.local.form_dict)})
|
|
|
|
elif frappe.local.request.method == "POST":
|
|
if not doc.has_permission("write"):
|
|
frappe.throw(_("Not permitted"), frappe.PermissionError)
|
|
|
|
frappe.local.response.update({"data": doc.run_method(method, **frappe.local.form_dict)})
|
|
frappe.db.commit()
|
|
|
|
def get_doc(self):
|
|
doc = frappe.get_doc(self.doctype, self.name)
|
|
if not doc.has_permission("read"):
|
|
raise frappe.PermissionError
|
|
doc.apply_fieldlevel_read_permissions()
|
|
frappe.local.response.update({"data": doc})
|
|
|
|
def update_doc(self):
|
|
data = get_request_form_data()
|
|
|
|
doc = frappe.get_doc(self.doctype, self.name, for_update=True)
|
|
|
|
if "flags" in data:
|
|
del data["flags"]
|
|
|
|
# Not checking permissions here because it's checked in doc.save
|
|
doc.update(data)
|
|
|
|
frappe.local.response.update({"data": doc.save().as_dict()})
|
|
|
|
# check for child table doctype
|
|
if doc.get("parenttype"):
|
|
frappe.get_doc(doc.parenttype, doc.parent).save()
|
|
frappe.db.commit()
|
|
|
|
def delete_doc(self):
|
|
# Not checking permissions here because it's checked in delete_doc
|
|
frappe.delete_doc(self.doctype, self.name, ignore_missing=False)
|
|
frappe.local.response.http_status_code = 202
|
|
frappe.local.response.message = "ok"
|
|
frappe.db.commit()
|
|
|
|
def get_doc_list(self):
|
|
if frappe.local.form_dict.get("fields"):
|
|
frappe.local.form_dict["fields"] = json.loads(frappe.local.form_dict["fields"])
|
|
|
|
# set limit of records for frappe.get_list
|
|
frappe.local.form_dict.setdefault(
|
|
"limit_page_length",
|
|
frappe.local.form_dict.limit or frappe.local.form_dict.limit_page_length or 20,
|
|
)
|
|
|
|
# convert strings to native types - only as_dict and debug accept bool
|
|
for param in ["as_dict", "debug"]:
|
|
param_val = frappe.local.form_dict.get(param)
|
|
if param_val is not None:
|
|
frappe.local.form_dict[param] = sbool(param_val)
|
|
|
|
# evaluate frappe.get_list
|
|
data = frappe.call(frappe.client.get_list, self.doctype, **frappe.local.form_dict)
|
|
|
|
# set frappe.get_list result to response
|
|
frappe.local.response.update({"data": data})
|
|
|
|
def create_doc(self):
|
|
data = get_request_form_data()
|
|
data.update({"doctype": self.doctype})
|
|
|
|
# insert document from request data
|
|
doc = frappe.get_doc(data).insert()
|
|
|
|
# set response data
|
|
frappe.local.response.update({"data": doc.as_dict()})
|
|
|
|
# commit for POST requests
|
|
frappe.db.commit()
|
|
|
|
|
|
def get_request_form_data():
|
|
if frappe.local.form_dict.data is None:
|
|
data = frappe.safe_decode(frappe.local.request.get_data())
|
|
else:
|
|
data = frappe.local.form_dict.data
|
|
|
|
try:
|
|
return frappe.parse_json(data)
|
|
except ValueError:
|
|
return frappe.local.form_dict
|
|
|
|
|
|
def validate_auth():
|
|
"""
|
|
Authenticate and sets user for the request.
|
|
"""
|
|
authorization_header = frappe.get_request_header("Authorization", "").split(" ")
|
|
|
|
if len(authorization_header) == 2:
|
|
validate_oauth(authorization_header)
|
|
validate_auth_via_api_keys(authorization_header)
|
|
|
|
validate_auth_via_hooks()
|
|
|
|
|
|
def validate_oauth(authorization_header):
|
|
"""
|
|
Authenticate request using OAuth and set session user
|
|
|
|
Args:
|
|
authorization_header (list of str): The 'Authorization' header containing the prefix and token
|
|
"""
|
|
|
|
from frappe.integrations.oauth2 import get_oauth_server
|
|
from frappe.oauth import get_url_delimiter
|
|
|
|
form_dict = frappe.local.form_dict
|
|
token = authorization_header[1]
|
|
req = frappe.request
|
|
parsed_url = urlparse(req.url)
|
|
access_token = {"access_token": token}
|
|
uri = (
|
|
parsed_url.scheme + "://" + parsed_url.netloc + parsed_url.path + "?" + urlencode(access_token)
|
|
)
|
|
http_method = req.method
|
|
headers = req.headers
|
|
body = req.get_data()
|
|
if req.content_type and "multipart/form-data" in req.content_type:
|
|
body = None
|
|
|
|
try:
|
|
required_scopes = frappe.db.get_value("OAuth Bearer Token", token, "scopes").split(
|
|
get_url_delimiter()
|
|
)
|
|
valid, oauthlib_request = get_oauth_server().verify_request(
|
|
uri, http_method, body, headers, required_scopes
|
|
)
|
|
if valid:
|
|
frappe.set_user(frappe.db.get_value("OAuth Bearer Token", token, "user"))
|
|
frappe.local.form_dict = form_dict
|
|
except AttributeError:
|
|
pass
|
|
|
|
|
|
def validate_auth_via_api_keys(authorization_header):
|
|
"""
|
|
Authenticate request using API keys and set session user
|
|
|
|
Args:
|
|
authorization_header (list of str): The 'Authorization' header containing the prefix and token
|
|
"""
|
|
|
|
try:
|
|
auth_type, auth_token = authorization_header
|
|
authorization_source = frappe.get_request_header("Frappe-Authorization-Source")
|
|
if auth_type.lower() == "basic":
|
|
api_key, api_secret = frappe.safe_decode(base64.b64decode(auth_token)).split(":")
|
|
validate_api_key_secret(api_key, api_secret, authorization_source)
|
|
elif auth_type.lower() == "token":
|
|
api_key, api_secret = auth_token.split(":")
|
|
validate_api_key_secret(api_key, api_secret, authorization_source)
|
|
except binascii.Error:
|
|
frappe.throw(
|
|
_("Failed to decode token, please provide a valid base64-encoded token."),
|
|
frappe.InvalidAuthorizationToken,
|
|
)
|
|
except (AttributeError, TypeError, ValueError):
|
|
pass
|
|
|
|
|
|
def validate_api_key_secret(api_key, api_secret, frappe_authorization_source=None):
|
|
"""frappe_authorization_source to provide api key and secret for a doctype apart from User"""
|
|
doctype = frappe_authorization_source or "User"
|
|
doc = frappe.db.get_value(doctype=doctype, filters={"api_key": api_key}, fieldname=["name"])
|
|
form_dict = frappe.local.form_dict
|
|
doc_secret = frappe.utils.password.get_decrypted_password(doctype, doc, fieldname="api_secret")
|
|
if api_secret == doc_secret:
|
|
if doctype == "User":
|
|
user = frappe.db.get_value(doctype="User", filters={"api_key": api_key}, fieldname=["name"])
|
|
else:
|
|
user = frappe.db.get_value(doctype, doc, "user")
|
|
if frappe.local.login_manager.user in ("", "Guest"):
|
|
frappe.set_user(user)
|
|
frappe.local.form_dict = form_dict
|
|
|
|
|
|
def validate_auth_via_hooks():
|
|
for auth_hook in frappe.get_hooks("auth_hooks", []):
|
|
frappe.get_attr(auth_hook)()
|