Merge branch 'release/0.4.7'

Author: timsavage

README.rst

@@ -171,3 +171,32 @@ Start the flask app and you can browse to the swagger UI to try out the API::
 
     http://localhost:5000/api/v1/swagger/ui
 
+
+
+CORS
+====
+
+To enable CORS your API Interface (for Flask this is `ApiBlueprint`) needs to
+be wrapped with the CORS wrapper eg::
+
+    from flask import Flask
+    from odinweb.flask import ApiBlueprint
+    from odinweb.cors import CORS, AnyOrigin
+
+    app = flask.Flask(__name__)
+
+    app.register_blueprint(
+        CORS(
+            ApiBlueprint(
+                api.ApiVersion(
+                    UserApi()
+                )
+            ),
+            origins=AnyOrigin
+        )
+    )
+
+For customisation the CORS class can easily be inherited to customise how the
+origin is determined (handy if your application is behind a reverse proxy).
+The CORS wrapper also accepts `max_age`, `allow_credentials`, `expose_headers`
+and `allow_headers` options.

odinweb/api.py

@@ -9,9 +9,36 @@
 __author_email__ = "tim@savage.company"
 __copyright__ = "Copyright (C) 2016-2017 Tim Savage"
 
-from .constants import *  # noqa
-from .containers import *  # noqa
-from .decorators import *  # noqa
-from .exceptions import *  # noqa
-from .helpers import *  # noqa
-from .data_structures import UrlPath, PathParam  # noqa
+from .constants import (
+    HTTPStatus,
+    Method,
+    PathType,
+    In,
+    Type,
+)  # noqa
+from .containers import (
+    ResourceApi,
+    ApiCollection,
+    ApiVersion,
+)  # noqa
+from .decorators import (
+    Operation, ListOperation, ResourceOperation, security,
+    # Basic routes
+    collection, collection_action, action, operation,
+    # Shortcuts
+    listing, create, detail, update, patch, delete,
+)  # noqa
+from .exceptions import (
+    ImmediateHttpResponse,
+    HttpError,
+    PermissionDenied,
+    AccessDenied,
+)  # noqa
+from .helpers import (
+    get_resource,
+    create_response,
+)  # noqa
+from .data_structures import (
+    UrlPath,
+    PathParam,
+)  # noqa

odinweb/constants.py

@@ -3,8 +3,6 @@
 
 from odin import fields
 
-__all__ = ('HTTPStatus', 'Method', 'PathType', 'In', 'Type')
-
 try:
     from http import HTTPStatus
 except ImportError:

odinweb/containers.py

@@ -7,27 +7,26 @@
 """
 from __future__ import absolute_import
 
-import logging
-
-# Imports for typing support
 import collections
-from typing import Union, Tuple, Any, Generator, Dict, Type  # noqa
-from odin import Resource  # noqa
+import logging
 
 from odin.codecs import json_codec
 from odin.exceptions import ValidationError
 from odin.utils import getmeta
 
+# Imports for typing support
+from typing import Union, Tuple, Any, Generator, Dict, Type  # noqa
+from odin import Resource  # noqa
+
 from . import _compat
 from . import content_type_resolvers
 from .constants import Method, HTTPStatus
 from .data_structures import UrlPath, NoPath, HttpResponse, MiddlewareList
-from .decorators import Operation
+from .decorators import Operation, Tags
 from .exceptions import ImmediateHttpResponse
 from .helpers import resolve_content_type, create_response
 from .resources import Error
 
-__all__ = ('ResourceApi', 'ApiCollection', 'ApiVersion')
 
 logger = logging.getLogger(__name__)
 
@@ -157,7 +156,7 @@ def __init__(self, *containers, **options):
         for container in self.containers:
             container.parent = self
 
-        # Having options at the end is  work around until support for
+        # Having options at the end is work around until support for
         # Python < 3.5 is dropped, at that point keyword only args will
         # be used in place of the options kwargs. eg:
         #   (*containers:Union[Operation, ApiContainer], name:str=None, path_prefix:Union[str, UrlPath]=None) -> None
@@ -382,14 +381,17 @@ def _dispatch(self, operation, request, path_args):
 
     def dispatch(self, operation, request, **path_args):
         """
-        Dispatch incoming request and capture top level exeptions.
+        Dispatch incoming request and capture top level exceptions.
         """
         # Add current operation to the request (for convenience in middleware methods)
         request.current_operation = operation
 
         try:
             for middleware in self.middleware.pre_request:
-                middleware(request, path_args)
+                response = middleware(request, path_args)
+                # Return HttpResponse if one is returned.
+                if isinstance(response, HttpResponse):
+                    return response
 
             response = self._dispatch(operation, request, path_args)
 

odinweb/cors.py

@@ -0,0 +1,139 @@
+from __future__ import absolute_import
+
+from . import api
+from .data_structures import HttpResponse, UrlPath
+from .utils import dict_filter
+
+# Imports for typing support
+from typing import Optional, Any, Sequence, Tuple, Dict, Union, List, Type  # noqa
+from .containers import ApiInterfaceBase  # noqa
+
+
+class AnyOrigin(object):
+    pass
+
+
+Origins = Union[Sequence[str], Type[AnyOrigin]]
+
+
+class CORS(object):
+    """
+    CORS (Cross-Origin Request Sharing) support for OdinWeb APIs.
+
+    See `MDN documentation <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>`_
+    for a technical description of CORS.
+
+    :param origins: List of whitelisted origins or use `AnyOrigin` to return a
+        '*' or allow all.
+    :param max_age: Max length of time access control headers can be cached
+        in seconds. `None`, disables this header; a value of -1 will disable
+        caching, requiring a pre-flight *OPTIONS* check for all calls.
+    :param allow_credentials: Indicate that credentials can be submitted to
+        this API.
+    :param expose_headers: Request headers can be access by a client beyond
+        the simple headers, *Cache-Control*, *Content-Language*,
+        *Content-Type*, *Expires*, *Last-Modified*, *Pragma*.
+    :param allow_headers: Headers that are allowed to be sent by the browser
+        beyond the simple headers, *Accept*, *Accept-Language*,
+        *Content-Language*, *Content-Type*.
+
+    """
+    priority = 1
+
+    def __new__(cls, api_interface, *args, **kwargs):
+        # type: (CORS, ApiInterfaceBase, *Any, **Any) -> ApiInterfaceBase
+        instance = object.__new__(cls)
+        instance.__init__(api_interface, *args, **kwargs)
+
+        # Add instance as middleware
+        api_interface.middleware.append(instance)
+
+        return api_interface
+
+    def __init__(self, api_interface, origins, max_age=None, allow_credentials=None,
+                 expose_headers=None, allow_headers=None):
+        # type: (ApiInterfaceBase, Origins, Optional[int], Optional[bool], Sequence[str], Sequence[str]) -> None
+        self.origins = origins if origins is AnyOrigin else set(origins)
+        self.max_age = max_age
+        self.expose_headers = expose_headers
+        self.allow_headers = allow_headers
+        self.allow_credentials = allow_credentials
+
+        self._register_options(api_interface)
+
+    def _register_options(self, api_interface):
+        # type: (ApiInterfaceBase) -> None
+        """
+        Register CORS options endpoints.
+        """
+        op_paths = api_interface.op_paths(collate_methods=True)
+        for path, operations in op_paths.items():
+            if api.Method.OPTIONS not in operations:
+                self._options_operation(api_interface, path, operations.keys())
+
+    def _options_operation(self, api_interface, path, methods):
+        # type: (ApiInterfaceBase, UrlPath, List[api.Method]) -> None
+        """
+        Generate an options operation for the specified path
+        """
+        # Trim off path prefix.
+        if path.startswith(api_interface.path_prefix):
+            path = path[len(api_interface.path_prefix):]
+
+        methods = set(methods)
+        methods.add(api.Method.OPTIONS)
+
+        @api_interface.operation(path, api.Method.OPTIONS)
+        def _cors_options(request, **_):
+            return HttpResponse(None, headers=self.option_headers(request, methods))
+
+        _cors_options.operation_id = path.format(separator='.') + '.cors_options'
+
+    def origin_components(self, request):
+        # type: (Any) -> Tuple[str, str]
+        """
+        Return URL components that make up the origin.
+
+        This allows for customisation in the case or custom headers/proxy
+        configurations.
+
+        :return: Tuple consisting of Scheme, Host/Port
+
+        """
+        return request.scheme, request.host
+
+    def allow_origin(self, request):
+        # type: (Any) -> str
+        """
+        Generate allow origin header
+        """
+        origins = self.origins
+        if origins is AnyOrigin:
+            return '*'
+        else:
+            origin = "{}://{}".format(*self.origin_components(request))
+            return origin if origin in origins else ''
+
+    def option_headers(self, request, methods):
+        # type: (Any, Sequence[api.Method]) -> Dict[str, str]
+        """
+        Generate option headers.
+        """
+        return dict_filter({
+            'Access-Control-Allow-Origin': self.allow_origin(request),
+            'Access-Control-Allow-Methods': ', '.join(m.value for m in methods),
+            'Access-Control-Allow-Credentials': {True: 'true', False: 'false'}.get(self.allow_credentials),
+            'Access-Control-Allow-Headers': ', '.join(self.allow_headers) if self.allow_headers else None,
+            'Access-Control-Expose-Headers': ', '.join(self.expose_headers) if self.expose_headers else None,
+            'Access-Control-Max-Age': str(self.max_age) if self.max_age else None,
+            'Cache-Control': 'no-cache, no-store'
+        })
+
+    def post_request(self, request, response):
+        # type: (Any, HttpResponse) -> HttpResponse
+        """
+        Post-request hook to allow CORS headers to responses.
+        """
+        if request.method != api.Method.OPTIONS:
+            response.headers['Access-Control-Allow-Origin'] = self.allow_origin(request)
+        return response

odinweb/data_structures.py

@@ -12,8 +12,6 @@
 from .constants import HTTPStatus, In, Type
 from .utils import dict_filter, sort_by_priority
 
-__all__ = ('DefaultResource', 'HttpResponse', 'UrlPath', 'PathParam', 'NoPath', 'Param', 'Response')
-
 
 class DefaultResource(object):
     """
@@ -98,7 +96,7 @@ def _to_swagger(base=None, description=None, resource=None, options=None):
 
 
 # Naming scheme that follows standard python naming rules for variables/methods
-PATH_NODE_RE = re.compile(r'^{([a-zA-Z]\w*)(?::([a-zA-Z]\w*))?(?::([-^$+*:\w\\\[\]\|]+))?}$')
+PATH_NODE_RE = re.compile(r'^{([a-zA-Z]\w*)(?::([a-zA-Z]\w*))?(?::([-^$+*:\w\\\[\]|]+))?}$')
 
 
 class UrlPath(object):
@@ -167,6 +165,9 @@ def __hash__(self):
     def __str__(self):
         return self.format()
 
+    def __len__(self):
+        return len(self._nodes)
+
     def __repr__(self):
         return "{}({})".format(
             self.__class__.__name__,
@@ -201,6 +202,18 @@ def __getitem__(self, item):
         # type: (Union[int, slice]) -> UrlPath
         return UrlPath(*force_tuple(self._nodes[item]))
 
+    def startswith(self, other):
+        # type: (UrlPath) -> bool
+        """
+        Return True if this path starts with the other path.
+        """
+        try:
+            other = UrlPath.from_object(other)
+        except ValueError:
+            raise TypeError('startswith first arg must be UrlPath, str, PathParam, not {}'.format(type(other)))
+        else:
+            return self._nodes[:len(other._nodes)] == other._nodes
+
     def apply_args(self, **kwargs):
         # type: (**str) -> UrlPath
         """
@@ -249,7 +262,7 @@ def odinweb_node_formatter(path_node):
             args.append(path_node.type_args)
         return "{{{}}}".format(':'.join(args))
 
-    def format(self, node_formatter=None):
+    def format(self, node_formatter=None, separator='/'):
         # type: (Optional[Callable[[PathParam], str]]) -> str
         """
         Format a URL path.
@@ -259,10 +272,10 @@ def format(self, node_formatter=None):
         
         """
         if self._nodes == ('',):
-            return '/'
+            return separator
         else:
             node_formatter = node_formatter or self.odinweb_node_formatter
-            return '/'.join(node_formatter(n) if isinstance(n, PathParam) else n for n in self._nodes)
+            return separator.join(node_formatter(n) if isinstance(n, PathParam) else n for n in self._nodes)
 
 
 NoPath = UrlPath()
@@ -759,7 +772,7 @@ def values(self, multi=False):
     itervalues = values
 
     def valuelists(self):
-        # type: (bool) -> Iterator[List[Any]]
+        # type: () -> Iterator[List[Any]]
         """
         Return an iterator of all values associated with a key.  Zipping
         :meth:`keys` and this is the same as calling :meth:`lists`: