From 2c2f7ebc5f2faab4e303f698fffe17440a6db765 Mon Sep 17 00:00:00 2001
From: Duncan Sommerville
Date: Wed, 21 Jan 2015 15:34:15 -0500
Subject: [PATCH 1/3] Initial commit for update to ACL for REST module; NEEDS TESTING
---
 airtime_mvc/application/configs/ACL.php | 7 ++++++-
 airtime_mvc/application/controllers/plugins/Acl_plugin.php | 5 -----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/airtime_mvc/application/configs/ACL.php b/airtime_mvc/application/configs/ACL.php
index 842778065..2dbb6f5cd 100644
--- a/airtime_mvc/application/configs/ACL.php
+++ b/airtime_mvc/application/configs/ACL.php
@@ -29,7 +29,10 @@ $ccAcl->add(new Zend_Acl_Resource('library'))
 ->add(new Zend_Acl_Resource('audiopreview'))
 ->add(new Zend_Acl_Resource('webstream'))
 ->add(new Zend_Acl_Resource('locale'))
- ->add(new Zend_Acl_Resource('upgrade'));
+ ->add(new Zend_Acl_Resource('upgrade'))
+ ->add(new Zend_Acl_Resource('downgrade'))
+ ->add(new Zend_Acl_Resource('rest:media'))
+ ->add(new Zend_Acl_Resource('billing'));
 /** Creating permissions */
 $ccAcl->allow('G', 'index')
@@ -44,6 +47,8 @@ $ccAcl->allow('G', 'index')
 ->allow('G', 'webstream')
 ->allow('G', 'locale')
 ->allow('G', 'upgrade')
+ ->allow('G', 'downgrade')
+ ->allow('G', 'rest:media')
 ->allow('H', 'preference', 'is-import-in-progress')
 ->allow('H', 'usersettings')
 ->allow('H', 'plupload')
diff --git a/airtime_mvc/application/controllers/plugins/Acl_plugin.php b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
index 9d0f9cdb3..32ddb157d 100644
--- a/airtime_mvc/application/controllers/plugins/Acl_plugin.php
+++ b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
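Review bot: Granting `'G'` (the role the plugin assigns to the api/auth/locale/upgrade controllers when there is no identity) access to `'rest:media'` and `'downgrade'` means the ACL itself no longer keeps those resources behind a login, and any role that inherits from `'G'` receives them too, so the only gate left for the REST module is whatever the Acl plugin enforces; a comment on these two lines should say so, e.g. `// open at the ACL level: REST callers are authenticated by API key / session in Zend_Controller_Plugin_Acl`. The `'billing'` resource registered in the previous hunk has no `allow()` rule in this diff, so unless one is added elsewhere no role can reach it. The `$ccAcl->allow(...)` chain starts and ends outside the hunk.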
@@ -113,11 +113,6 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
 //Ignore authentication for all access to the rest API. We do auth via API keys for this
 //and/or by OAuth.
- if (strtolower($request->getModuleName()) == "rest")
- {
- return;
- }
-
 if (in_array($controller, array("api", "auth", "locale", "upgrade"))) {
 $this->setRoleName("G");
 } elseif (!Zend_Auth::getInstance()->hasIdentity()) {
From a40067ca554d6c7ee9454ca0b30868e6d59e8488 Mon Sep 17 00:00:00 2001
From: Duncan Sommerville
Date: Wed, 21 Jan 2015 17:20:04 -0500
Subject: [PATCH 2/3] Moved REST authorization boilerplate to Zend Acl_plugin
---
 .../controllers/plugins/Acl_plugin.php | 54 ++++++++-
 .../rest/controllers/MediaController.php | 105 ------------------
 2 files changed, 50 insertions(+), 109 deletions(-)
diff --git a/airtime_mvc/application/controllers/plugins/Acl_plugin.php b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
index 32ddb157d..1918430ea 100644
--- a/airtime_mvc/application/controllers/plugins/Acl_plugin.php
+++ b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
@@ -110,12 +110,17 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
 {
 $controller = strtolower($request->getControllerName());
 Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
-
- //Ignore authentication for all access to the rest API. We do auth via API keys for this
- //and/or by OAuth.
+
 if (in_array($controller, array("api", "auth", "locale", "upgrade"))) {
 $this->setRoleName("G");
 } elseif (!Zend_Auth::getInstance()->hasIdentity()) {
+
+ // If we don't have an identity and we're making a RESTful request,
+ // we need to do API key verification
+ if ($request->getModuleName() == "rest") {
+ $this->verifyAuth();
+ return;
+ }
 if ($controller !== 'login') {
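Review bot: On the `rest` path the result of `$this->verifyAuth();` is thrown away and the method `return`s regardless, so a request with a wrong or missing API key gets a 401 status and error body appended but dispatch continues and the action still executes (the per-action `verifyAuth()` guards deleted from Rest_MediaController in this same patch used to stop it); the path also returns before any `setRoleName()` call, so whatever ACL check presumably follows runs with no role. Change it to `if (!$this->verifyAuth()) { /* stop dispatch here, e.g. forward to an error action; denyAccess redirects, which does not suit API clients */ return; }` and on success assign the role the REST resources are granted to (patch 1 allows `rest:media` to `G`). `$request->getModuleName() == "rest"` should also be a strict `===` and lower-cased as the removed check was, if module names can differ in case. preDispatch starts and ends outside the hunk.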
@@ -138,7 +143,12 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
 }
 }
 } else {
-
+ // If we have an identity and we're making a RESTful request,
+ // we need to check the CSRF token
+ if ($request->_action != "get" && $request->getModuleName() == "rest") {
+ $this->verifyCSRFToken($request->getParam("csrf_token"));
+ }
+
 $userInfo = Zend_Auth::getInstance()->getStorage()->read();
 $this->setRoleName($userInfo->type);
@@ -164,6 +174,42 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
 }
 }
+ private function verifyAuth() {
+ if ($this->verifyAPIKey()) {
+ return true;
+ }
+
+ $this->getResponse()
+ ->setHttpResponseCode(401)
+ ->appendBody("ERROR: Incorrect API key.");
+ return false;
+ }
+
+ private function verifyCSRFToken($token) {
+ $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+ $observed_csrf_token = $token;
+ $expected_csrf_token = $current_namespace->authtoken;
+
+ $this->getResponse()
+ ->setHttpResponseCode(401)
+ ->appendBody("ERROR: CSRF token mismatch.");
+
+ return ($observed_csrf_token == $expected_csrf_token);
+ }
+
+ private function verifyAPIKey() {
+ // The API key is passed in via HTTP "basic authentication":
+ // http://en.wikipedia.org/wiki/Basic_access_authentication
+ $CC_CONFIG = Config::getConfig();
+
+ // Decode the API key that was passed to us in the HTTP request.
+ $authHeader = $this->getRequest()->getHeader("Authorization");
+ $encodedRequestApiKey = substr($authHeader, strlen("Basic "));
+ $encodedStoredApiKey = base64_encode($CC_CONFIG["apiKey"][0] . ":");
+
+ return ($encodedRequestApiKey === $encodedStoredApiKey);
+ }
+
 /**
 * Deny Access Function
 * Redirects to errorPage, this can be called from an action using the action helper
diff --git a/airtime_mvc/application/modules/rest/controllers/MediaController.php b/airtime_mvc/application/modules/rest/controllers/MediaController.php
index 232ac3529..a5ee08fd9 100644
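Review bot: `$request->_action` reaches into a protected property of Zend_Controller_Request_Abstract from outside the request class, which PHP refuses; the accessor is `$request->getActionName()`. Even then, Zend_Rest_Route sends GET requests to `indexAction` and `getAction` (and this module's `downloadAction` is visible in the next file), so testing the name against only `"get"` would demand a CSRF token for list and download requests; `!$request->isGet()` matches the intent better. The return value of `verifyCSRFToken()` is also ignored, so a mismatch only decorates the response with a 401 while `$userInfo` is loaded and the action still runs; on `false` stop dispatch the same way a failed API key should. preDispatch's body continues outside the hunk.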
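Review bot: `verifyCSRFToken()` sets the 401 status and appends `ERROR: CSRF token mismatch.` before comparing anything, so a valid token still produces a 401 response; the response should only be touched on mismatch. The comparison is loose (`==`), so a request that omits `csrf_token` matches a session whose `authtoken` was never set (`null == null`), and both it and the `===` in `verifyAPIKey()` compare secrets with a non-constant-time operator — `hash_equals()` (PHP 5.6+; a polyfill on older runtimes) with both sides cast to string and an explicit empty-expected check addresses all of that. `verifyAPIKey()` also strips six characters from whatever `Authorization` header arrived without checking for the `Basic ` prefix, so an absent or non-Basic header is compared as a truncated string instead of being rejected outright. All three helpers are complete within the hunk.
```php
private function verifyCSRFToken($token) {
    $current_namespace = new Zend_Session_Namespace('csrf_namespace');
    $expected_csrf_token = (string) $current_namespace->authtoken;

    // Reject when no token was ever issued for this session, and compare in constant time.
    if ($expected_csrf_token === '' || !hash_equals($expected_csrf_token, (string) $token)) {
        $this->getResponse()
            ->setHttpResponseCode(401)
            ->appendBody("ERROR: CSRF token mismatch.");
        return false;
    }
    return true;
}

private function verifyAPIKey() {
    // … unchanged: basic-auth comment and Config::getConfig() …
    $authHeader = (string) $this->getRequest()->getHeader("Authorization");
    // Only a "Basic" credential carries the API key; anything else is not a match.
    if (strpos($authHeader, "Basic ") !== 0) {
        return false;
    }
    $encodedRequestApiKey = substr($authHeader, strlen("Basic "));
    $encodedStoredApiKey = base64_encode($CC_CONFIG["apiKey"][0] . ":");

    return hash_equals($encodedStoredApiKey, $encodedRequestApiKey);
}
```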
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@@ -30,11 +30,6 @@ class Rest_MediaController extends Zend_Rest_Controller
 public function indexAction()
 {
- if (!$this->verifyAuth(true, true))
- {
- return;
- }
-
 $files_array = array();
 foreach (CcFilesQuery::create()->find() as $file) {
@@ -54,11 +49,6 @@ class Rest_MediaController extends Zend_Rest_Controller
 public function downloadAction()
 {
- if (!$this->verifyAuth(true, true))
- {
- return;
- }
-
 $id = $this->getId();
 if (!$id) {
 return;
@@ -80,11 +70,6 @@ class Rest_MediaController extends Zend_Rest_Controller
 public function getAction()
 {
- if (!$this->verifyAuth(true, true))
- {
- return;
- }
-
 $id = $this->getId();
 if (!$id) {
 return;
@@ -103,11 +88,6 @@ class Rest_MediaController extends Zend_Rest_Controller
 public function postAction()
 {
- if (!$this->verifyAuth(true, true))
- {
- return;
- }
-
 //If we do get an ID on a POST, then that doesn't make any sense
 //since POST is only for creating.
 if ($id = $this->_getParam('id', false)) {
@@ -168,11 +148,6 @@ class Rest_MediaController extends Zend_Rest_Controller
 public function putAction()
 {
- if (!$this->verifyAuth(true, true))
- {
- return;
- }
-
 $id = $this->getId();
 if (!$id) {
 return;
@@ -236,11 +211,6 @@ class Rest_MediaController extends Zend_Rest_Controller
 public function deleteAction()
 {
- if (!$this->verifyAuth(true, true))
- {
- return;
- }
-
 $id = $this->getId();
 if (!$id) {
 return;
@@ -271,81 +241,6 @@ class Rest_MediaController extends Zend_Rest_Controller
 return $id;
 }
- private function verifyAuth($checkApiKey, $checkSession)
- {
- // Session takes precedence over API key for now:
- if ($checkSession && $this->verifySession()) {
- // CSRF token validation only applies to session based authorization.
- if(!$this->verifyCSRFToken($this->_getParam('csrf_token'))){
- $resp = $this->getResponse();
- $resp->setHttpResponseCode(401);
- $resp->appendBody("ERROR: Token Missmatch.");
- return false;
- }
- return true;
- }
-
- if ($checkApiKey && $this->verifyAPIKey())
- {
- return true;
- }
-
- $resp = $this->getResponse();
- $resp->setHttpResponseCode(401);
- $resp->appendBody("ERROR: Incorrect API key.");
-
- return false;
- }
-
- private function verifyCSRFToken($token){
- $current_namespace = new Zend_Session_Namespace('csrf_namespace');
- $observed_csrf_token = $token;
- $expected_csrf_token = $current_namespace->authtoken;
-
- if($observed_csrf_token == $expected_csrf_token){
- return true;
- }else{
- return false;
- }
- }
-
- private function verifyAPIKey()
- {
- //The API key is passed in via HTTP "basic authentication":
- // http://en.wikipedia.org/wiki/Basic_access_authentication
-
- $CC_CONFIG = Config::getConfig();
-
- //Decode the API key that was passed to us in the HTTP request.
- $authHeader = $this->getRequest()->getHeader("Authorization");
- $encodedRequestApiKey = substr($authHeader, strlen("Basic "));
- $encodedStoredApiKey = base64_encode($CC_CONFIG["apiKey"][0] . ":");
-
- if ($encodedRequestApiKey === $encodedStoredApiKey)
- {
- return true;
- } else {
- return false;
- }
-
- return false;
- }
-
- private function verifySession()
- {
- $auth = Zend_Auth::getInstance();
- if ($auth->hasIdentity())
- {
- return true;
- }
- return false;
-
- //Token checking stub code. We'd need to change LoginController.php to generate a token too, but
- //but luckily all the token code already exists and works.
- //$auth = new Application_Model_Auth();
- //$auth->checkToken(Application_Model_Preference::getUserId(), $token);
- }
-
 private function fileNotFoundResponse()
 {
 $resp = $this->getResponse();
From 38a2924849ff41d317afda173bce6ecfb2acdbe6 Mon Sep 17 00:00:00 2001
From: drigato
Date: Thu, 22 Jan 2015 11:08:34 -0500
Subject: [PATCH 3/3] SAAS-555: Analyzer calculates wrong cue out
---
 .../airtime_analyzer/airtime_analyzer/cuepoint_analyzer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python_apps/airtime_analyzer/airtime_analyzer/cuepoint_analyzer.py b/python_apps/airtime_analyzer/airtime_analyzer/cuepoint_analyzer.py
index 1e1dee6bd..8a99626c6 100644
--- a/python_apps/airtime_analyzer/airtime_analyzer/cuepoint_analyzer.py
+++ b/python_apps/airtime_analyzer/airtime_analyzer/cuepoint_analyzer.py
@@ -24,7 +24,7 @@ class CuePointAnalyzer(Analyzer):
 the unit test on the short m4a file fails. With the new setting, it gets the correct cue-in time and all the unit tests pass. '''
- command = [CuePointAnalyzer.SILAN_EXECUTABLE, '-b', '-F', '0.99', '-f', 'JSON', filename]
+ command = [CuePointAnalyzer.SILAN_EXECUTABLE, '-b', '-F', '0.99', '-f', 'JSON', '-t', '1.0', filename]
 try:
 results_json = subprocess.check_output(command, stderr=subprocess.STDOUT, close_fds=True)
 silan_results = json.loads(results_json)
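Review bot: The docstring directly above explains why `-F 0.99` is passed to silan, but nothing explains the new `-t 1.0` argument, so a reader cannot tell what it sets (presumably a silence threshold) or why `1.0` fixes the wrong cue-out reported in SAAS-555; extend that docstring with a sentence, or annotate the `command = [...]` line, e.g. `# '-t' <meaning from silan docs>: SAAS-555 — without it silan computed the wrong cue-out`. The enclosing method starts before the hunk.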