Merge pull request #41 from ctreffe/release-v0.4.5

Release v0.4.5

Author: jobrachem

.gitignore

@@ -30,3 +30,4 @@ test.py
 test_copy.py
 test_copy2.py
 .vscode/.ropeproject/config.py
+.vscode/launch.json

NEWS.md

@@ -1,3 +1,20 @@
+# Mortimer v0.4.5
+
+## Security improvements
+
+* We further increased data protection and data security through an improved handling of access to the alfred database from inside experiments.
+
+## Bugfixes
+
+* Fixed a bug that caused JavaScript to crash on some pages.
+* Fixed a bug that caused an error during data encryption using the key introduced in v0.4.4
+* Fixed a bug that prevented the deletion of experiments with specific filenames 
+* Fixed the referrer after changing an experiments title
+
+## Small changes
+
+* Included line wrapping for the experiment log
+
 # Mortimer v0.4.4
 
 ## Encryption Keys
@@ -8,7 +25,7 @@
 
 ## Bugfixes
 
-* Fixed a bug that prevent the deletion of single files in the resources pane to work properly.
+* Fixed a bug that prevented the deletion of single files in the resources pane to work properly.
 
 # Mortimer v0.4.3
 

mortimer/__init__.py

@@ -9,7 +9,7 @@
 from flask_dropzone import Dropzone
 import pymongo
 
-__version__ = '0.4.4'
+__version__ = '0.4.5'
 
 # the EnvironSetter sets enviroment variables for the current session
 # It is not included in the GitHub repository, because it contains sensitive
@@ -45,17 +45,17 @@
 db = MongoEngine()   # mortimer database
 
 # database for querying alfred collections
-client = pymongo.MongoClient(host=Config.MONGODB_ALFRED_SETTINGS["host"],
-                             port=Config.MONGODB_ALFRED_SETTINGS["port"],
-                             username=Config.MONGODB_ALFRED_SETTINGS["username"],
-                             password=Config.MONGODB_ALFRED_SETTINGS["password"],
-                             authSource=Config.MONGODB_ALFRED_SETTINGS["authentication_source"],
+db_config = Config.MONGODB_ALFRED_SETTINGS
+client = pymongo.MongoClient(host=db_config["host"],
+                             port=db_config["port"],
+                             username=db_config["username"],
+                             password=db_config["password"],
+                             authSource=db_config["authentication_source"],
                              ssl=Config.mongodb_ssl,
                              ssl_ca_certs=Config.ssl_ca_path
                              )
 
-alfred_db = client.alfred           # checkin database
-alfred_web_db = alfred_db.web       # web collection
+alfred_db = client[db_config["db"]]           # checkin database
 alfred_local_db = alfred_db.local   # local collection
 
 

mortimer/config.py

@@ -71,7 +71,7 @@ class Config:
     DROPZONE_ALLOWED_FILE_TYPE = (
         ".pdf, image/*, .txt, .xml, .pem, .mp3, .mp4, .ogg, .csv"
     )
-    DROPZONE_MAX_FILE_SIZE = 10
+    DROPZONE_MAX_FILE_SIZE = 100
     DROPZONE_MAX_FILES = 100
     DROPZONE_UPLOAD_ON_CLICK = True
     DROPZONE_UPLOAD_BTN_ID = "upload"

mortimer/local_experiments/routes.py

@@ -1,16 +1,16 @@
-
 # -*- coding: utf-8 -*-
-
-from mortimer import export
-from flask import Blueprint, render_template, url_for, flash, redirect, abort, send_file, request
-from mortimer.forms import ExperimentExportForm, LocalExperimentForm
-from mortimer.models import User, LocalExperiment
-from mortimer import alfred_local_db
-from mortimer.config import Config
-from flask_login import current_user, login_required
 from datetime import datetime
 from uuid import uuid4
 
+from flask import (Blueprint, abort, flash, redirect, render_template, request,
+                   send_file, url_for)
+from flask_login import current_user, login_required
+
+from mortimer import alfred_local_db, export
+from mortimer.config import Config
+from mortimer.forms import ExperimentExportForm, LocalExperimentForm
+from mortimer.models import LocalExperiment, User
+
 local_experiments = Blueprint("local_experiments", __name__)
 
 
@@ -27,13 +27,13 @@ def new_local_experiment():
                                      description=form.description.data, exp_id=form.exp_id.data)
 
         experiment.save()
-        flash("New local experiment added. You can now download the corresponding data.", "success")
+        flash("New local experiment added.", "success")
         return redirect(url_for('local_experiments.local_experiment', username=current_user.username, experiment_title=experiment.title))
 
     return render_template("create_local_experiment.html", form=form, legend="New Local Experiment", id=id)
 
 
-@local_experiments.route("/<username>/local/<path:experiment_title>", methods=["POST", "GET"])
+@local_experiments.route("/local/<username>/<path:experiment_title>", methods=["POST", "GET"])
 @login_required
 def local_experiment(username, experiment_title):
 
@@ -76,8 +76,8 @@ def local_experiment(username, experiment_title):
         first_activity = "none"
         last_activity = "none"
 
-    if not versions:
-        flash('Experiment not found in database.', 'danger')
+    # if not versions:
+    #     flash('Experiment not found in database.', 'danger')
 
     return render_template("local_experiment.html",
                            experiment=experiment, expid=str(experiment.id), datasets=datasets,
@@ -112,7 +112,7 @@ def user_experiments(username):
     return render_template("user_local_experiments.html", experiments=experiments, user=user)
 
 
-@local_experiments.route("/<username>/<path:experiment_title>/local_export", methods=["POST", "GET"])
+@local_experiments.route("/local/<username>/<path:experiment_title>/export", methods=["POST", "GET"])
 @login_required
 def local_export(username, experiment_title):
     experiment = LocalExperiment.objects.get_or_404(
@@ -123,11 +123,12 @@ def local_export(username, experiment_title):
 
     form = ExperimentExportForm()
     cur = alfred_local_db.find(
-        {"exp_author": current_user.email, "exp_title": experiment.title})
-
+        {"exp_id": str(experiment.exp_id)})
+    
     available_versions = ["all versions"]
     for exp in cur:
-        available_versions.append(exp["exp_version"])
+        if exp["exp_version"] not in available_versions:
+            available_versions.append(exp["exp_version"])
     form.version.choices = [(version, version)
                             for version in available_versions]
     form.file_type.choices = [("csv", "csv")]
@@ -146,13 +147,28 @@ def local_export(username, experiment_title):
         else:
             for version in form.version.data:
                 results = []
-            results.append(alfred_local_db.count_documents(
-                {"exp_id": experiment.exp_id, "exp_version": form.version.data}))
+                results.append(
+                    alfred_local_db.count_documents(
+                        {"exp_id": experiment.exp_id, "exp_version": version}
+                    )
+                )
             if max(results) == 0:
                 flash("No data found for this experiment.", "warning")
-                return redirect(url_for('web_experiments.web_export', username=experiment.author, experiment_title=experiment.title))
+                return redirect(
+                    url_for(
+                        "web_experiments.web_export",
+                        username=experiment.author,
+                        experiment_title=experiment.title,
+                    )
+                )
+
+            cur = alfred_local_db.find(
+                {
+                    "exp_id": experiment.exp_id,
+                    "exp_version": {"$in": form.version.data},
+                }
+            )
 
-            cur = alfred_local_db.find({"exp_id": experiment.exp_id, "exp_version": {"$in": form.version.data}})
 
         none_value = None
         # if form.replace_none.data:

mortimer/models.py

@@ -1,12 +1,19 @@
 # -*- coding: utf-8 -*-
+import random
+import string
+from datetime import datetime
 
+from pymongo import MongoClient
+from cryptography.fernet import Fernet
 from flask import current_app
+from flask_login import UserMixin
+from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
+from alfred import settings as alfred_settings
+
 from mortimer import db, login_manager
 from mortimer.utils import create_fernet
-from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
-from datetime import datetime
-from flask_login import UserMixin
-from cryptography.fernet import Fernet
+
+# pylint: disable=no-member
 
 
 @login_manager.user_loader
@@ -22,17 +29,60 @@ class User(db.Document, UserMixin):
     password = db.StringField(required=True)
     experiments = db.ListField(db.ObjectIdField())
 
+    alfred_user = db.StringField()
+    alfred_pw = db.BinaryField()
+    alfred_col = db.StringField()
+
     def get_reset_token(self, expires_sec=1800):
         # methode for creating a token for password reset
         s = Serializer(current_app.config["SECRET_KEY"], expires_sec)
         return s.dumps({"user_id": str(self.id)}).decode("utf-8")
-    
+
     @staticmethod
-    def generate_encryption_key():
+    def generate_encryption_key() -> bytes:
+        """Generate a new fernet encryption key and encrypt it with the apps secret fernet key.
+        """
         key = Fernet.generate_key()
         f = create_fernet()
         encrypted_key = f.encrypt(key)
         return encrypted_key
+    
+    @staticmethod
+    def generate_password() -> bytes:
+        """Generate a random password and encrypt it with the apps secret fernet key.
+        """
+        f = create_fernet()
+        letters = string.ascii_lowercase
+        pw_raw = "".join(random.choice(letters) for i in range(20))
+        pw_enc = f.encrypt(pw_raw.encode())
+        return pw_enc
+
+    def create_db_user(self):
+        """Create a new user in the alfred database.
+        """
+        alfred_db = current_app.config["MONGODB_ALFRED_SETTINGS"]["db"]
+        user_lower = self.username.lower().replace(" ", "_")
+        rolename = "alfredAccess_{}".format(user_lower)
+        res = {"db": alfred_db, "collection": self.alfred_col}
+        act = ["find", "insert", "update"]
+        priv = [{"resource": res, "actions": act}]
+
+        cred = current_app.config["MONGODB_SETTINGS"]
+
+        client = MongoClient(
+            host=cred["host"],
+            port=cred["port"],
+            username=cred["username"],
+            password=cred["password"],
+            ssl=cred["ssl"],
+            ssl_ca_certs=cred["ssl_ca_certs"]
+        )
+
+        client.alfred.command("createRole", rolename, privileges=priv, roles=[])
+
+        client.alfred.command(
+            "createUser", self.alfred_user, pwd=self.alfred_pw, roles=[rolename]
+        )
 
     @staticmethod
     def verify_reset_token(token):
@@ -51,6 +101,7 @@ def __repr__(self):
 
 class WebExperiment(db.Document):
     author = db.StringField(required=True)
+    author_id = db.ObjectIdField()
     title = db.StringField(required=True, unique_with="author")
     version = db.StringField(required=True)
     available_versions = db.ListField(db.StringField())
@@ -75,6 +126,37 @@ class WebExperiment(db.Document):
     web = db.BooleanField()
     active = db.BooleanField(default=False)
 
+    def set_settings(self):
+        """Set experiment settings based on self and alfred.settings.
+        """
+        if not self.id:
+            raise AttributeError("The experiment needs to have an ID before settings can be set.")
+        
+        exp_specific_settings = alfred_settings.ExperimentSpecificSettings()
+
+        settings = {
+            'general': dict(alfred_settings.general),
+
+            'experiment': {
+                'title': self.title, 
+                'author': self.author, 
+                'version': self.version, 
+                'type': alfred_settings.experiment.type, 
+                'exp_id': str(self.id),
+                'qt_fullscreen': alfred_settings.experiment.qt_full_screen,
+                'web_layout': alfred_settings.experiment.web_layout            
+                },
+
+            'mortimer_specific': {'session_id': None, 'path': self.path},
+            'log': dict(alfred_settings.log),
+            'navigation': dict(exp_specific_settings.navigation),
+            'debug': dict(exp_specific_settings.debug), #pylint: disable=no-member
+            'hints': dict(exp_specific_settings.hints),
+            'messages': dict(exp_specific_settings.messages)
+            }
+        
+        self.settings = settings
+
     def __repr__(self):
         return "Experiment(Title: %s, Version: %s, Created: %s, Author: %s)" % (
             self.title,

mortimer/static/futurizing_alfred_scripts/06_custom_modifications.json

@@ -8,6 +8,6 @@
     "set_level": "setLevel",
     "pageGroup": "section",
     "WebCompositePage": "Page",
-    "PageGroup": "Section"
-
+    "PageGroup": "Section",
+    "appends": "append"
 }