Change abort() calls to JSON responses

This makes the responses more consistent. Now, all responses are JSON.
Deduplicate code in keyctl.py and add comments
2020-09-05 15:43:36 -05:00 · 2020-09-04 19:44:46 -05:00 · 2020-09-04 14:32:53 -07:00 · 2020-09-04 15:37:34 -05:00 · 2020-09-04 15:24:49 -05:00 · 2020-09-04 15:19:40 -05:00
8 changed files with 255 additions and 37 deletions
--- a/.gitignore
+++ b/.gitignore
@ -132,3 +132,5 @@ dmypy.json
 uploadkeys
 savelog.log
 uwsgi.log
+settings.py
+functions.py
--- a/README.md
+++ b/README.md
@ -1,4 +1,26 @@
 # imgupload
-Python Flask uWSGI application to receive and save images over POST requests.
+![CodeFactor Grade](https://img.shields.io/codefactor/grade/github/BBaoVanC/imgupload/master?color=purple) ![GitHub repo size](https://img.shields.io/github/repo-size/bbaovanc/imgupload?color=purple) ![GitHub All Releases](https://img.shields.io/github/downloads/bbaovanc/imgupload/total?color=purple) ![GitHub issues](https://img.shields.io/github/issues/bbaovanc/imgupload?color=purple) ![GitHub closed issues](https://img.shields.io/github/issues-closed/bbaovanc/imgupload?color=purple) ![GitHub](https://img.shields.io/github/license/bbaovanc/imgupload?color=purple)

-This project is still in development. Use at your own risk!
+### What is imgupload?
+imgupload is a Flask + uWSGI application to serve as an all-purpose image/file uploader over POST requests.
+
+### Installation
+1. Clone the repository: `git clone https://github.com/BBaoVanC/imgupload.git`
+2. Enter the imgupload directory: `cd imgupload`
+3. Create a virtualenv: `python3 -m venv env`
+4. Enter the virtualenv: `source env/bin/activate`
+5. Install dependencies: `python3 -m pip install -r requirements.txt`
+6. Run the Flask app
+
+## Running the Flask app
+### Using uWSGI
+[https://uwsgi-docs.readthedocs.io/en/latest/Configuration.html](https://uwsgi-docs.readthedocs.io/en/latest/Configuration.html)
+
+Instructions specific to imgupload are coming soon
+
+### Using Flask development server
+```shell
+$ source env/bin/activate  # if you haven't already entered the virtualenv
+$ export FLASK_APP=imgupload.py
+$ flask run
+```
--- a/configtest.py
+++ b/configtest.py
@ -1,3 +1,9 @@
+#!/usr/bin/env python3
+"""
+configtest.py
+
+Tests the validity of your configuration in settings.py.
+"""
 import os
 import settings as settings

@ -9,7 +15,6 @@ defaults = {
    "ROOTURL": "https://img.bbaovanc.com/",
    "SAVELOG": "savelog.log",
    "SAVELOG_CHMOD": "0o644",
-    "UPLOADKEYS_CHMOD": "0o400",
    "SAVELOG_KEYPREFIX": 4,
 }

@ -19,7 +24,6 @@ deftypes = {
    "ROOTURL": str,
    "SAVELOG": str,
    "SAVELOG_CHMOD": int,
-    "UPLOADKEYS_CHMOD": int,
    "SAVELOG_KEYPREFIX": int,
 }

--- a/functions.py.default
+++ b/functions.py.default
@ -0,0 +1,14 @@
+#!/usr/bin/env python3
+"""
+functions.py
+
+Functions used by imgupload which can be easily customized.
+"""
+import string
+import random
+
+
+def generate_name():
+    chars = string.ascii_letters + string.digits  # uppercase, lowercase, and numbers
+    name = ''.join((random.choice(chars) for i in range(8)))  # generate name
+    return name
--- a/imgupload.py
+++ b/imgupload.py
@ -1,15 +1,17 @@
-from flask import Flask, request, jsonify, abort, Response
+#!/usr/bin/env python3
+"""
+imgupload.py
+
+Flask application for processing images uploaded through POST requests.
+"""
+from flask import Flask, request, jsonify, Response
 from flask_api import status
 from pathlib import Path
-import string
-import random
 import os
 import datetime

 import settings  # app settings (such as allowed extensions)
-
-
-ALPHANUMERIC = string.ascii_letters + string.digits  # uppercase, lowercase, and numbers
+import functions  # custom functions

 app = Flask(__name__)  # app is the app

@ -21,15 +23,6 @@ def allowed_extension(testext):
        return False


-def generate_name(extension):
-    namefound = False
-    while not namefound:
-        fname = ''.join((random.choice(ALPHANUMERIC) for i in range(8))) + str(extension)
-        if not Path(fname).is_file():
-            namefound = True
-    return fname
-
-
 def log_savelog(key, ip, savedname):
    if settings.SAVELOG_KEYPREFIX > 0:
        with open(settings.SAVELOG, "a+") as slogf:
@ -40,21 +33,16 @@ def log_savelog(key, ip, savedname):
            slogf.write("[{0}] {1} - {2}\n".format(datetime.datetime.now(), ip, savedname))
        os.chmod(settings.SAVELOG, settings.SAVELOG_CHMOD)

-
@app.route("/upload", methods = ["POST"])
 def upload():
    if request.method == "POST":  # sanity check: make sure it's a POST request
        print("Request method was POST!")

-        os.chmod("uploadkeys", settings.UPLOADKEYS_CHMOD)
-        print("Changed permissions of `uploadkeys`")
        with open("uploadkeys", "r") as keyfile:  # load valid keys
            validkeys = keyfile.readlines()
        validkeys = [x.strip("\n") for x in validkeys]
        while "" in validkeys:
            validkeys.remove("")
-            print("removed blank key")
-        print("Valid keys: {0}".format(validkeys))
        print("Loaded validkeys")

        if "uploadKey" in request.form:  # if an uploadKey was provided
@ -63,7 +51,6 @@ def upload():

                if "imageUpload" in request.files:  # check if image to upload was provided
                    f = request.files["imageUpload"]  # f is the image to upload
-                    print("Found uploaded image")
                else:
                    print("No image upload was found!")
                    return jsonify({'status': 'error', 'error': 'NO_IMAGE_UPLOADED'}), status.HTTP_400_BAD_REQUEST
@ -73,42 +60,42 @@ def upload():
                    return jsonify({'status': 'error', 'error': 'FILENAME_BLANK'}), status.HTTP_400_BAD_REQUEST

                fext = Path(f.filename).suffix  # get the uploaded extension
-                print("Uploaded file extensions is {0}".format(fext))
                if allowed_extension(fext):  # if the extension is allowed
-                    fname = generate_name(fext)  # generate file name
+                    print("Generating file with extension {0}".format(fext))
+                    fname = functions.generate_name() + fext  # generate file name
                    print("Generated name: {0}".format(fname))

                    if f:  # if the uploaded image exists
-                        print("Uploaded image exists, obviously.")
+                        print("Uploaded image exists")
                        f.save(os.path.join(settings.UPLOAD_FOLDER, fname))  # save the image
                        print("Saved to {0}".format(fname))
                        url = settings.ROOTURL + fname  # construct the url to the image
                        if settings.SAVELOG != "/dev/null":
+                            print("Saving to savelog")
                            log_savelog(request.form["uploadKey"], request.remote_addr, fname)
-                            print("Logged message to savelog")
                        print("Returning json response")
                        return jsonify({'status': 'success', 'url': url, 'name': fname, 'uploadedName': f.filename}), status.HTTP_201_CREATED
                    else:  # this shouldn't happen
-                        print("Um... uploaded image is nonexistent..? Please report this error!")
+                        print("Um... uploaded image... is nonexistent? Please report this error!")
                        return jsonify({'status': 'error', 'error': 'UPLOADED_IMAGE_FAILED_SANITY_CHECK_1'}), status.HTTP_400_BAD_REQUEST

                else:  # if the extension was invalid
                    print("Uploaded extension is invalid!")
-                    abort(415)
+                    return jsonify({'status': 'error', 'error': 'INVALID_EXTENSION'}), status.HTTP_415_UNSUPPORTED_MEDIA_TYPE

            else:  # if the key was not valid
                print("Key is invalid!")
                print("Request key: {0}".format(request.form["uploadKey"]))
-                abort(401)
+                return jsonify({'status': 'error', 'error': 'UNAUTHORIZED'}), status.HTTP_401_UNAUTHORIZED

        else:  # if uploadKey was not found in request body
            print("No uploadKey found in request!")
-            abort(401)
+            return jsonify({'status': 'error', 'error': 'UNAUTHORIZED'}), status.HTTP_401_UNAUTHORIZED


    else:  # if the request method wasn't post
        print("Request method was not POST!")
-        abort(405)
+        return jsonify({'status': 'error', 'error': 'METHOD_NOT_ALLOWED'}), status.HTTP_405_METHOD_NOT_ALLOWED

 if __name__ == "__main__":
    print("Run with `flask` or a WSGI server!")
--- a/keyctl.py
+++ b/keyctl.py
@ -0,0 +1,181 @@
+#!/usr/bin/env python3
+"""
+keyctl.py
+
+Command-line utility for easy management of the uploadkeys file.
+"""
+
+from pathlib import Path
+import argparse
+import logging
+import secrets
+import string
+
+
+def read_keyfile():
+    with open("uploadkeys", "r") as keyfile:  # open uploadkeys
+        keys = keyfile.readlines()  # read all the keys
+        logging.debug("Read uploadkeys")
+    keys = [x.strip("\n") for x in keys]  # strip newlines from keys
+    logging.debug("Stripped newlines from keys")
+    return keys
+
+
+def genkey(length):
+    key = ''.join(secrets.choice(string.ascii_letters + string.digits) for x in range(length))
+    return key
+
+
+def savekey(key):
+    if not Path("uploadkeys").is_file():  # if uploadkeys doesn't exist, log an info message
+        logging.info("uploadkeys file doesn't exist, it will be created.")
+    with open("uploadkeys", "a+") as keyfile:
+        keyfile.write(str(key) + "\n")  # add the key
+    logging.debug("Saved a key to uploadkeys: {0}".format(key))
+
+
+def rmkey(delkey):
+    removedkey = False
+    allkeys = read_keyfile()
+    if delkey in allkeys:  # if the key to remove exists
+        allkeys.remove(delkey)  # remove the first instance of the key
+        removedkey = True
+        logging.debug("Removed one instance of the key")
+
+    with open("uploadkeys", "w") as keyfile:
+        for k in allkeys:
+            keyfile.write(k + "\n")  # write the remaining keys
+
+    if removedkey:
+        return True
+    else:
+        return False
+
+
+def find_duplicates():
+    allkeys = read_keyfile()
+
+    seen = set()
+    ukeys = []
+    dupkeys = []
+    for x in allkeys:
+        if x not in seen:
+            ukeys.append(x)
+            seen.add(x)
+        else:
+            dupkeys.append(x)
+    return dupkeys
+
+
+def get_keys():
+    validkeys = read_keyfile()
+    while "" in validkeys:
+        validkeys.remove("")
+    logging.debug("Removed blank keys")
+    return validkeys
+
+
+
+def cmd_list(args):
+    validkeys = get_keys()
+
+    print("List of upload keys:")
+    for i in range(len(validkeys)):
+        showkey = validkeys[i][:6]
+        if len(validkeys[i]) > 6:
+            showkey += "..."  # add ellipses since the key was shortened in list
+
+        print("    [{0}] {1}".format(i+1, showkey))
+
+
+def cmd_generate(args):
+    k = genkey(args.length)
+    logging.debug("Generated a new key: {0}".format(k))
+    savekey(k)
+    print("Your new key is: {0}".format(k))
+
+
+def cmd_add(args):
+    print("Please type/paste the key you would like to add.")
+    akr = input("> ")
+    ak = akr.strip()
+    print()
+    logging.debug("Ran strip() on key")
+    print(ak)
+    if input("Is the above key correct? [y/N] ").lower() == "y":
+        logging.debug("Interpreted as yes")
+        ask_for_key = False
+        savekey(ak)
+        logging.info("Added.")
+    else:
+        logging.debug("Interpreted as no")
+        print("No key has been saved.")
+
+
+def cmd_remove(args):
+    if rmkey(args.key):
+        logging.debug("Successfully removed the requested key")
+    else:
+        logging.info("No key was removed.")
+
+def cmd_dedupe(args):
+    dupes = find_duplicates()
+    if len(dupes) > 0:
+        for d in dupes:
+            r = rmkey(d)
+            logging.debug(r)
+            logging.info("Removed duplicate key: {0}".format(d))
+    else:
+        logging.info("[" + u"\u2713" + "] No duplicate keys found!")
+
+def cmd_show(args):
+    for k in get_keys():
+        if k[:6] == args.prefix:
+            print("Key: {0}".format(k))
+            break
+
+
+parser = argparse.ArgumentParser()  # create instance of argument parser class
+
+parlog = parser.add_mutually_exclusive_group()
+parlog.add_argument("-v", "--verbose", help="show debugging messages", action="store_true")
+parlog.add_argument("-q", "--quiet", help="show only warning messages and up", action="store_true")
+
+subparsers = parser.add_subparsers(help="sub-commands")
+parser_list = subparsers.add_parser("list", help="list the beginning of each key")
+parser_list.set_defaults(func=cmd_list)
+
+parser_gen = subparsers.add_parser("generate", help="generate a key and save it to uploadkeys")
+parser_gen.add_argument("length", help="length of key to generate", default=64, type=int, nargs="?")
+parser_gen.set_defaults(func=cmd_generate)
+
+parser_add = subparsers.add_parser("add", help="prompts for a key to add to uploadkeys")
+parser_add.set_defaults(func=cmd_add)
+
+parser_remove = subparsers.add_parser("remove", help="remove (one instance of) a key from uploadkeys")
+parser_remove.add_argument("key", help="key to remove")
+parser_remove.set_defaults(func=cmd_remove)
+
+parser_dedupe = subparsers.add_parser("dedupe", help="remove duplicate keys")
+parser_dedupe.set_defaults(func=cmd_dedupe)
+
+parser_show = subparsers.add_parser("show", help="show the full key based on the first 6 characters")
+parser_show.add_argument("prefix", help="first 6 characters of key (shown by `python3 keyctl.py list`)")
+parser_show.set_defaults(func=cmd_show)
+
+
+args = parser.parse_args()  # parse the arguments
+
+if args.verbose:
+    loglevel = logging.DEBUG
+elif args.quiet:
+    loglevel = logging.WARNING
+else:
+    loglevel = logging.INFO
+logging.basicConfig(level=loglevel, format="%(levelname)s: %(message)s")
+
+try:
+    args.func(args)
+except AttributeError:
+    logging.error("AttributeError")
+    parser.print_help()
--- a/requirements.txt
+++ b/requirements.txt
@ -0,0 +1,2 @@
+Flask_API==2.0
+Flask==1.1.2
--- a/settings.py.default
+++ b/settings.py.default
@ -1,7 +1,13 @@
-UPLOAD_FOLDER = "/var/www/img"
+#!/usr/bin/env python3
+"""
+settings.py
+
+User-defined settings used by imgupload.py.
+"""
+
+UPLOAD_FOLDER = "/path/to/images"
 ALLOWED_EXTENSIONS = [".png", ".jpg", ".jpeg", ".svg", ".bmp", ".gif", ".ico",  ".webp"]
-ROOTURL = "https://img.bbaovanc.com/"
+ROOTURL = "https://example.com/"
 SAVELOG = "savelog.log"
 SAVELOG_CHMOD = 0o644
-UPLOADKEYS_CHMOD = 0o600
 SAVELOG_KEYPREFIX = 4
Author	SHA1	Message	Date
BBaoVanC	b8b5a2518c	Change abort() calls to JSON responses This makes the responses more consistent. Now, all responses are JSON.	2020-09-05 15:43:36 -05:00
BBaoVanC	805e545b39	Deduplicate code in keyctl.py and add comments	2020-09-04 19:44:46 -05:00
ItHertzSoGood	9a117817f7	Changed random to secrets for cryptographic security	2020-09-04 14:32:53 -07:00
BBaoVanC	c9cd6469a9	Change a couple print statements to logging.info Quiet mode is now a little more useful!	2020-09-04 15:37:34 -05:00
BBaoVanC	6f64890e34	Remove unused imports from imgupload.py	2020-09-04 15:24:49 -05:00
BBaoVanC	91db522363	Add keyctl.py for easy management of uploadkeys	2020-09-04 15:19:40 -05:00
BBaoVanC	9d9b93a9ee	Add proper shebangs and block comments	2020-09-04 10:47:20 -05:00
BBaoVanC	565a91e4ec	Remove uploadkeys encryption features It doesn't really make sense to encrypt the keys, but store the secret literally in the same directory. uploadkeys will now be stored in plaintext. The branch `legacy` has the old code from before this commit.	2020-09-03 21:44:58 -05:00
BBaoVanC	3fcdaa2b10	Fix formatting of README.md	2020-09-02 21:52:13 -05:00
BBaoVanC	4309225185	Add Installation section to README.md - Added Installation section to README.md - Removed old Usage section	2020-09-02 21:43:31 -05:00
BBaoVanC	065296f84a	Rename functions.py to functions.py.default Since this is default settings and the user might want to customize them, functions.py has been renamed. This also will prevent conflicts if the user has updated their functions.py and then tries to pull.	2020-09-02 18:04:41 -05:00
BBaoVanC	841bb513d3	Allow easy customization of filename generation Added a new file called functions.py which contains user-customizable functions, instead of requiring the user to edit imgupload.py.	2020-09-02 17:14:28 -05:00
BBaoVanC	f0bb30a747	Change keygen.py to not require root keygen.py now recommends that you run it as the user you want to have ownership of secret.key and uploadkeys (such as www-data for nginx). Then, if uploadkeys or secret.key don't exist, they will be created with the correct ownership.	2020-09-02 14:26:57 -05:00
BBaoVanC	7fce3f57e9	Remove secrets from requirements.txt On macOS, a dependency of secrets fails to install using pip. After testing, it looks like the secrets module is not required.	2020-08-31 23:46:28 -05:00
dependabot-preview[bot]	a587040809	Bump cryptography from 2.8 to 3.1 (#2 )	2020-09-01 04:41:50 +00:00
BBaoVanC	8a95dbb0fa	Remove trailing whitespace from lines	2020-08-31 23:09:39 -05:00
BBaoVanC	a5a22b7c88	Remove UPLOADKEYS_CHMOD option due to keygen.py Since keygen.py is run as root, uploadkeys is owned by root. This causes issues when imgupload.py tries to chmod the uploadkeys file since it doesn't have permissions to chmod it. Solution: remove UPLOADKEYS_CHMOD option	2020-08-31 21:14:09 -05:00
BBaoVanC	7ccaafc6c6	Bugfixes in keygen.py - Handle if uploadkeys becomes corrupted - Disambiguate variable names - Handle case where the uploadkeys file doesn't already exist	2020-08-31 20:32:00 -05:00
BBaoVanC	797bebb1a1	Fix ENCKEY_PATH check in configtest.py	2020-08-31 20:29:07 -05:00
quiprr	08f9e13da0	Merge pull request #1 from BBaoVanC/dev added encryption to uploadkeys and added a key generator	2020-08-31 17:13:24 -07:00
ItHertzSoGood	3d1304b3b0	added encryption to uploadkeys and added a key generator	2020-08-31 17:12:39 -07:00
BBaoVanC	4b624f3fed	Ignore settings.py and add settings.py.default	2020-08-31 18:48:22 -05:00