Change abort() calls to JSON responses

This makes the responses more consistent. Now, all responses are JSON.
Deduplicate code in keyctl.py and add comments
2020-09-05 15:43:36 -05:00 · 2020-09-04 19:44:46 -05:00 · 2020-09-04 14:32:53 -07:00 · 2020-09-04 15:37:34 -05:00 · 2020-09-04 15:24:49 -05:00 · 2020-09-04 15:19:40 -05:00
8 changed files with 255 additions and 37 deletions
--- a/.gitignore
+++ b/.gitignore
@ -132,3 +132,5 @@ dmypy.json
 uploadkeys
 savelog.log
 uwsgi.log
 settings.py
 functions.py
--- a/README.md
+++ b/README.md
@ -1,4 +1,26 @@
 # imgupload
-Python Flask uWSGI application to receive and save images over POST requests.
+![CodeFactor Grade](https://img.shields.io/codefactor/grade/github/BBaoVanC/imgupload/master?color=purple) ![GitHub repo size](https://img.shields.io/github/repo-size/bbaovanc/imgupload?color=purple) ![GitHub All Releases](https://img.shields.io/github/downloads/bbaovanc/imgupload/total?color=purple) ![GitHub issues](https://img.shields.io/github/issues/bbaovanc/imgupload?color=purple) ![GitHub closed issues](https://img.shields.io/github/issues-closed/bbaovanc/imgupload?color=purple) ![GitHub](https://img.shields.io/github/license/bbaovanc/imgupload?color=purple)
-This project is still in development. Use at your own risk!
+### What is imgupload?
 imgupload is a Flask + uWSGI application to serve as an all-purpose image/file uploader over POST requests.
 ### Installation
 1. Clone the repository: `git clone https://github.com/BBaoVanC/imgupload.git`
 2. Enter the imgupload directory: `cd imgupload`
 3. Create a virtualenv: `python3 -m venv env`
 4. Enter the virtualenv: `source env/bin/activate`
 5. Install dependencies: `python3 -m pip install -r requirements.txt`
 6. Run the Flask app
 ## Running the Flask app
 ### Using uWSGI
 [https://uwsgi-docs.readthedocs.io/en/latest/Configuration.html](https://uwsgi-docs.readthedocs.io/en/latest/Configuration.html)
 Instructions specific to imgupload are coming soon
 ### Using Flask development server
 ```shell
 $ source env/bin/activate  # if you haven't already entered the virtualenv
 $ export FLASK_APP=imgupload.py
 $ flask run
 ```
--- a/configtest.py
+++ b/configtest.py
@ -1,3 +1,9 @@
 #!/usr/bin/env python3
 """
 configtest.py
 Tests the validity of your configuration in settings.py.
 """
 import os
 import settings as settings
@ -9,7 +15,6 @@ defaults = {
    "ROOTURL": "https://img.bbaovanc.com/",
    "SAVELOG": "savelog.log",
    "SAVELOG_CHMOD": "0o644",
    "UPLOADKEYS_CHMOD": "0o400",
    "SAVELOG_KEYPREFIX": 4,
 }
@ -19,7 +24,6 @@ deftypes = {
    "ROOTURL": str,
    "SAVELOG": str,
    "SAVELOG_CHMOD": int,
    "UPLOADKEYS_CHMOD": int,
    "SAVELOG_KEYPREFIX": int,
 }
--- a/functions.py.default
+++ b/functions.py.default
@ -0,0 +1,14 @@
 #!/usr/bin/env python3
 """
 functions.py
 Functions used by imgupload which can be easily customized.
 """
 import string
 import random
 def generate_name():
    chars = string.ascii_letters + string.digits  # uppercase, lowercase, and numbers
    name = ''.join((random.choice(chars) for i in range(8)))  # generate name
    return name
--- a/imgupload.py
+++ b/imgupload.py
@ -1,15 +1,17 @@
-from flask import Flask, request, jsonify, abort, Response
+#!/usr/bin/env python3
 """
 imgupload.py
 Flask application for processing images uploaded through POST requests.
 """
 from flask import Flask, request, jsonify, Response
 from flask_api import status
 from pathlib import Path
 import string
 import random
 import os
 import datetime
 import settings  # app settings (such as allowed extensions)
-
+import functions  # custom functions
 ALPHANUMERIC = string.ascii_letters + string.digits  # uppercase, lowercase, and numbers
 app = Flask(__name__)  # app is the app
@ -21,15 +23,6 @@ def allowed_extension(testext):
        return False
 def generate_name(extension):
    namefound = False
    while not namefound:
        fname = ''.join((random.choice(ALPHANUMERIC) for i in range(8))) + str(extension)
        if not Path(fname).is_file():
            namefound = True
    return fname
 def log_savelog(key, ip, savedname):
    if settings.SAVELOG_KEYPREFIX > 0:
        with open(settings.SAVELOG, "a+") as slogf:
@ -40,21 +33,16 @@ def log_savelog(key, ip, savedname):
            slogf.write("[{0}] {1} - {2}\n".format(datetime.datetime.now(), ip, savedname))
        os.chmod(settings.SAVELOG, settings.SAVELOG_CHMOD)
@app.route("/upload", methods = ["POST"])
 def upload():
    if request.method == "POST":  # sanity check: make sure it's a POST request
        print("Request method was POST!")
        os.chmod("uploadkeys", settings.UPLOADKEYS_CHMOD)
        print("Changed permissions of `uploadkeys`")
        with open("uploadkeys", "r") as keyfile:  # load valid keys
            validkeys = keyfile.readlines()
        validkeys = [x.strip("\n") for x in validkeys]
        while "" in validkeys:
            validkeys.remove("")
            print("removed blank key")
        print("Valid keys: {0}".format(validkeys))
        print("Loaded validkeys")
        if "uploadKey" in request.form:  # if an uploadKey was provided
@ -63,7 +51,6 @@ def upload():
                if "imageUpload" in request.files:  # check if image to upload was provided
                    f = request.files["imageUpload"]  # f is the image to upload
                    print("Found uploaded image")
                else:
                    print("No image upload was found!")
                    return jsonify({'status': 'error', 'error': 'NO_IMAGE_UPLOADED'}), status.HTTP_400_BAD_REQUEST
@ -73,42 +60,42 @@ def upload():
                    return jsonify({'status': 'error', 'error': 'FILENAME_BLANK'}), status.HTTP_400_BAD_REQUEST
                fext = Path(f.filename).suffix  # get the uploaded extension
                print("Uploaded file extensions is {0}".format(fext))
                if allowed_extension(fext):  # if the extension is allowed
-                    fname = generate_name(fext)  # generate file name
+                    print("Generating file with extension {0}".format(fext))
                    fname = functions.generate_name() + fext  # generate file name
                    print("Generated name: {0}".format(fname))
                    if f:  # if the uploaded image exists
-                        print("Uploaded image exists, obviously.")
+                        print("Uploaded image exists")
                        f.save(os.path.join(settings.UPLOAD_FOLDER, fname))  # save the image
                        print("Saved to {0}".format(fname))
                        url = settings.ROOTURL + fname  # construct the url to the image
                        if settings.SAVELOG != "/dev/null":
                            print("Saving to savelog")
                            log_savelog(request.form["uploadKey"], request.remote_addr, fname)
                            print("Logged message to savelog")
                        print("Returning json response")
                        return jsonify({'status': 'success', 'url': url, 'name': fname, 'uploadedName': f.filename}), status.HTTP_201_CREATED
                    else:  # this shouldn't happen
-                        print("Um... uploaded image is nonexistent..? Please report this error!")
+                        print("Um... uploaded image... is nonexistent? Please report this error!")
                        return jsonify({'status': 'error', 'error': 'UPLOADED_IMAGE_FAILED_SANITY_CHECK_1'}), status.HTTP_400_BAD_REQUEST
                else:  # if the extension was invalid
                    print("Uploaded extension is invalid!")
-                    abort(415)
+                    return jsonify({'status': 'error', 'error': 'INVALID_EXTENSION'}), status.HTTP_415_UNSUPPORTED_MEDIA_TYPE
            else:  # if the key was not valid
                print("Key is invalid!")
                print("Request key: {0}".format(request.form["uploadKey"]))
-                abort(401)
+                return jsonify({'status': 'error', 'error': 'UNAUTHORIZED'}), status.HTTP_401_UNAUTHORIZED
        else:  # if uploadKey was not found in request body
            print("No uploadKey found in request!")
-            abort(401)
+            return jsonify({'status': 'error', 'error': 'UNAUTHORIZED'}), status.HTTP_401_UNAUTHORIZED
    else:  # if the request method wasn't post
        print("Request method was not POST!")
-        abort(405)
+        return jsonify({'status': 'error', 'error': 'METHOD_NOT_ALLOWED'}), status.HTTP_405_METHOD_NOT_ALLOWED
 if __name__ == "__main__":
    print("Run with `flask` or a WSGI server!")
--- a/keyctl.py
+++ b/keyctl.py
@ -0,0 +1,181 @@
 #!/usr/bin/env python3
 """
 keyctl.py
 Command-line utility for easy management of the uploadkeys file.
 """
 from pathlib import Path
 import argparse
 import logging
 import secrets
 import string
 def read_keyfile():
    with open("uploadkeys", "r") as keyfile:  # open uploadkeys
        keys = keyfile.readlines()  # read all the keys
        logging.debug("Read uploadkeys")
    keys = [x.strip("\n") for x in keys]  # strip newlines from keys
    logging.debug("Stripped newlines from keys")
    return keys
 def genkey(length):
    key = ''.join(secrets.choice(string.ascii_letters + string.digits) for x in range(length))
    return key
 def savekey(key):
    if not Path("uploadkeys").is_file():  # if uploadkeys doesn't exist, log an info message
        logging.info("uploadkeys file doesn't exist, it will be created.")
    with open("uploadkeys", "a+") as keyfile:
        keyfile.write(str(key) + "\n")  # add the key
    logging.debug("Saved a key to uploadkeys: {0}".format(key))
 def rmkey(delkey):
    removedkey = False
    allkeys = read_keyfile()
    if delkey in allkeys:  # if the key to remove exists
        allkeys.remove(delkey)  # remove the first instance of the key
        removedkey = True
        logging.debug("Removed one instance of the key")
    with open("uploadkeys", "w") as keyfile:
        for k in allkeys:
            keyfile.write(k + "\n")  # write the remaining keys
    if removedkey:
        return True
    else:
        return False
 def find_duplicates():
    allkeys = read_keyfile()
    seen = set()
    ukeys = []
    dupkeys = []
    for x in allkeys:
        if x not in seen:
            ukeys.append(x)
            seen.add(x)
        else:
            dupkeys.append(x)
    return dupkeys
 def get_keys():
    validkeys = read_keyfile()
    while "" in validkeys:
        validkeys.remove("")
    logging.debug("Removed blank keys")
    return validkeys
 def cmd_list(args):
    validkeys = get_keys()
    print("List of upload keys:")
    for i in range(len(validkeys)):
        showkey = validkeys[i][:6]
        if len(validkeys[i]) > 6:
            showkey += "..."  # add ellipses since the key was shortened in list
        print("    [{0}] {1}".format(i+1, showkey))
 def cmd_generate(args):
    k = genkey(args.length)
    logging.debug("Generated a new key: {0}".format(k))
    savekey(k)
    print("Your new key is: {0}".format(k))
 def cmd_add(args):
    print("Please type/paste the key you would like to add.")
    akr = input("> ")
    ak = akr.strip()
    print()
    logging.debug("Ran strip() on key")
    print(ak)
    if input("Is the above key correct? [y/N] ").lower() == "y":
        logging.debug("Interpreted as yes")
        ask_for_key = False
        savekey(ak)
        logging.info("Added.")
    else:
        logging.debug("Interpreted as no")
        print("No key has been saved.")
 def cmd_remove(args):
    if rmkey(args.key):
        logging.debug("Successfully removed the requested key")
    else:
        logging.info("No key was removed.")
 def cmd_dedupe(args):
    dupes = find_duplicates()
    if len(dupes) > 0:
        for d in dupes:
            r = rmkey(d)
            logging.debug(r)
            logging.info("Removed duplicate key: {0}".format(d))
    else:
        logging.info("[" + u"\u2713" + "] No duplicate keys found!")
 def cmd_show(args):
    for k in get_keys():
        if k[:6] == args.prefix:
            print("Key: {0}".format(k))
            break
 parser = argparse.ArgumentParser()  # create instance of argument parser class
 parlog = parser.add_mutually_exclusive_group()
 parlog.add_argument("-v", "--verbose", help="show debugging messages", action="store_true")
 parlog.add_argument("-q", "--quiet", help="show only warning messages and up", action="store_true")
 subparsers = parser.add_subparsers(help="sub-commands")
 parser_list = subparsers.add_parser("list", help="list the beginning of each key")
 parser_list.set_defaults(func=cmd_list)
 parser_gen = subparsers.add_parser("generate", help="generate a key and save it to uploadkeys")
 parser_gen.add_argument("length", help="length of key to generate", default=64, type=int, nargs="?")
 parser_gen.set_defaults(func=cmd_generate)
 parser_add = subparsers.add_parser("add", help="prompts for a key to add to uploadkeys")
 parser_add.set_defaults(func=cmd_add)
 parser_remove = subparsers.add_parser("remove", help="remove (one instance of) a key from uploadkeys")
 parser_remove.add_argument("key", help="key to remove")
 parser_remove.set_defaults(func=cmd_remove)
 parser_dedupe = subparsers.add_parser("dedupe", help="remove duplicate keys")
 parser_dedupe.set_defaults(func=cmd_dedupe)
 parser_show = subparsers.add_parser("show", help="show the full key based on the first 6 characters")
 parser_show.add_argument("prefix", help="first 6 characters of key (shown by `python3 keyctl.py list`)")
 parser_show.set_defaults(func=cmd_show)
 args = parser.parse_args()  # parse the arguments
 if args.verbose:
    loglevel = logging.DEBUG
 elif args.quiet:
    loglevel = logging.WARNING
 else:
    loglevel = logging.INFO
 logging.basicConfig(level=loglevel, format="%(levelname)s: %(message)s")
 try:
    args.func(args)
 except AttributeError:
    logging.error("AttributeError")
    parser.print_help()
--- a/requirements.txt
+++ b/requirements.txt
@ -0,0 +1,2 @@
 Flask_API==2.0
 Flask==1.1.2
--- a/settings.py.default
+++ b/settings.py.default
@ -1,7 +1,13 @@
-UPLOAD_FOLDER = "/var/www/img"
+#!/usr/bin/env python3
 """
 settings.py
 User-defined settings used by imgupload.py.
 """
 UPLOAD_FOLDER = "/path/to/images"
 ALLOWED_EXTENSIONS = [".png", ".jpg", ".jpeg", ".svg", ".bmp", ".gif", ".ico",  ".webp"]
-ROOTURL = "https://img.bbaovanc.com/"
+ROOTURL = "https://example.com/"
 SAVELOG = "savelog.log"
 SAVELOG_CHMOD = 0o644
 UPLOADKEYS_CHMOD = 0o600
 SAVELOG_KEYPREFIX = 4
Author	SHA1	Message	Date
BBaoVanC	b8b5a2518c	Change abort() calls to JSON responses This makes the responses more consistent. Now, all responses are JSON.	2020-09-05 15:43:36 -05:00
BBaoVanC	805e545b39	Deduplicate code in keyctl.py and add comments	2020-09-04 19:44:46 -05:00
ItHertzSoGood	9a117817f7	Changed random to secrets for cryptographic security	2020-09-04 14:32:53 -07:00
BBaoVanC	c9cd6469a9	Change a couple print statements to logging.info Quiet mode is now a little more useful!	2020-09-04 15:37:34 -05:00
BBaoVanC	6f64890e34	Remove unused imports from imgupload.py	2020-09-04 15:24:49 -05:00
BBaoVanC	91db522363	Add keyctl.py for easy management of uploadkeys	2020-09-04 15:19:40 -05:00
BBaoVanC	9d9b93a9ee	Add proper shebangs and block comments	2020-09-04 10:47:20 -05:00
BBaoVanC	565a91e4ec	Remove uploadkeys encryption features It doesn't really make sense to encrypt the keys, but store the secret literally in the same directory. uploadkeys will now be stored in plaintext. The branch `legacy` has the old code from before this commit.	2020-09-03 21:44:58 -05:00
BBaoVanC	3fcdaa2b10	Fix formatting of README.md	2020-09-02 21:52:13 -05:00
BBaoVanC	4309225185	Add Installation section to README.md - Added Installation section to README.md - Removed old Usage section	2020-09-02 21:43:31 -05:00
BBaoVanC	065296f84a	Rename functions.py to functions.py.default Since this is default settings and the user might want to customize them, functions.py has been renamed. This also will prevent conflicts if the user has updated their functions.py and then tries to pull.	2020-09-02 18:04:41 -05:00
BBaoVanC	841bb513d3	Allow easy customization of filename generation Added a new file called functions.py which contains user-customizable functions, instead of requiring the user to edit imgupload.py.	2020-09-02 17:14:28 -05:00
BBaoVanC	f0bb30a747	Change keygen.py to not require root keygen.py now recommends that you run it as the user you want to have ownership of secret.key and uploadkeys (such as www-data for nginx). Then, if uploadkeys or secret.key don't exist, they will be created with the correct ownership.	2020-09-02 14:26:57 -05:00
BBaoVanC	7fce3f57e9	Remove secrets from requirements.txt On macOS, a dependency of secrets fails to install using pip. After testing, it looks like the secrets module is not required.	2020-08-31 23:46:28 -05:00
dependabot-preview[bot]	a587040809	Bump cryptography from 2.8 to 3.1 (#2 )	2020-09-01 04:41:50 +00:00
BBaoVanC	8a95dbb0fa	Remove trailing whitespace from lines	2020-08-31 23:09:39 -05:00
BBaoVanC	a5a22b7c88	Remove UPLOADKEYS_CHMOD option due to keygen.py Since keygen.py is run as root, uploadkeys is owned by root. This causes issues when imgupload.py tries to chmod the uploadkeys file since it doesn't have permissions to chmod it. Solution: remove UPLOADKEYS_CHMOD option	2020-08-31 21:14:09 -05:00
BBaoVanC	7ccaafc6c6	Bugfixes in keygen.py - Handle if uploadkeys becomes corrupted - Disambiguate variable names - Handle case where the uploadkeys file doesn't already exist	2020-08-31 20:32:00 -05:00
BBaoVanC	797bebb1a1	Fix ENCKEY_PATH check in configtest.py	2020-08-31 20:29:07 -05:00
quiprr	08f9e13da0	Merge pull request #1 from BBaoVanC/dev added encryption to uploadkeys and added a key generator	2020-08-31 17:13:24 -07:00
ItHertzSoGood	3d1304b3b0	added encryption to uploadkeys and added a key generator	2020-08-31 17:12:39 -07:00
BBaoVanC	4b624f3fed	Ignore settings.py and add settings.py.default	2020-08-31 18:48:22 -05:00