tardis.apps.sftp package

Submodules

tardis.apps.sftp.admin module

tardis.apps.sftp.api module

class tardis.apps.sftp.api.SFTPACLAuthorization

Bases: tastypie.authorization.Authorization

create_detail(object_list, bundle)

Returns either True if the user is allowed to create the object in question or throw Unauthorized if they are not.

Returns True by default.

delete_detail(object_list, bundle)

Returns either True if the user is allowed to delete the object in question or throw Unauthorized if they are not.

Returns True by default.

read_detail(object_list, bundle)

Returns either True if the user is allowed to read the object in question or throw Unauthorized if they are not.

Returns True by default.

read_list(object_list, bundle)

Returns a list of all the objects a user is allowed to read.

Should return an empty list if none are allowed.

Returns the entire list by default.

class tardis.apps.sftp.api.SFTPPublicKeyAppResource(api_name=None)

Bases: tastypie.resources.ModelResource

Tastypie model resource for SFTPPublicKey model

class Meta

Bases: object

authentication = <tardis.tardis_portal.api.MyTardisAuthentication object>
authorization
detail_allowed_methods = ['get', 'delete']
filtering = {'id': ('exact',), 'name': ('exact',)}
list_allowed_methods = ['get', 'post']
object_class

alias of tardis.apps.sftp.models.SFTPPublicKey

queryset
resource_name = 'publickey'
validation = <tastypie.validation.FormValidation object>
base_fields = {'added': <tastypie.fields.DateField object>, 'id': <tastypie.fields.IntegerField object>, 'key_type': <tastypie.fields.CharField object>, 'name': <tastypie.fields.CharField object>, 'public_key': <tastypie.fields.CharField object>, 'resource_uri': <tastypie.fields.CharField object>}
declared_fields = {}
dehydrate(bundle)

A hook to allow a final manipulation of data once all fields/methods have built out the dehydrated data.

Useful if you need to access more than one dehydrated field or want to annotate on additional data.

Must return the modified bundle.

hydrate(bundle)

A hook to allow an initial manipulation of data before all methods/fields have built out the hydrated data.

Useful if you need to access more than one hydrated field or want to annotate on additional data.

Must return the modified bundle.

tardis.apps.sftp.apps module

class tardis.apps.sftp.apps.SFTPConfig(app_name, app_module)

Bases: tardis.app_config.AbstractTardisAppConfig

name = 'tardis.apps.sftp'
verbose_name = 'SFTP'

tardis.apps.sftp.default_settings module

tardis.apps.sftp.default_settings.REQUIRE_SSL_TO_GENERATE_KEY = True

Require a secure connection (i.e., HTTPS) to allow key generation.

tardis.apps.sftp.default_settings.SFTP_USERNAME_ATTRIBUTE = 'email'

The attribute from the User model (‘email’ or ‘username’) used to generate the SFTP login example on the sftp_access help page.

tardis.apps.sftp.forms module

class tardis.apps.sftp.forms.KeyAddForm(data=None, files=None, auto_id='id_%s', prefix=None, initial=None, error_class=<class 'django.forms.utils.ErrorList'>, label_suffix=None, empty_permitted=False, field_order=None, use_required_attribute=None, renderer=None)

Bases: django.forms.forms.Form

base_fields = {'key_type': <django.forms.fields.CharField object>, 'name': <django.forms.fields.CharField object>, 'public_key': <django.forms.fields.CharField object>}
clean()

Hook for doing any extra form-wide cleaning after Field.clean() has been called on every field. Any ValidationError raised by this method will not be associated with a particular field; it will have a special-case association with the field named ‘__all__’.

declared_fields = {'key_type': <django.forms.fields.CharField object>, 'name': <django.forms.fields.CharField object>, 'public_key': <django.forms.fields.CharField object>}
media
class tardis.apps.sftp.forms.KeyGenerateForm(data=None, files=None, auto_id='id_%s', prefix=None, initial=None, error_class=<class 'django.forms.utils.ErrorList'>, label_suffix=None, empty_permitted=False, field_order=None, use_required_attribute=None, renderer=None)

Bases: django.forms.forms.Form

base_fields = {'name': <django.forms.fields.CharField object>}
declared_fields = {'name': <django.forms.fields.CharField object>}
media

tardis.apps.sftp.models module

class tardis.apps.sftp.models.SFTPPublicKey(*args, **kwargs)

Bases: django.db.models.base.Model

Model for associated SFTP public keys with users

Parameters:
  • user (ForeignKey for User) – user who owns this public key
  • name (string) – name for this public key
  • public_key (string) – OpenSSH formatted public key
  • added (date) – date the public key was added (Optional)
exception DoesNotExist

Bases: django.core.exceptions.ObjectDoesNotExist

exception MultipleObjectsReturned

Bases: django.core.exceptions.MultipleObjectsReturned

added

A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

get_next_by_added(*, field=<django.db.models.fields.DateField: added>, is_next=True, **kwargs)
get_previous_by_added(*, field=<django.db.models.fields.DateField: added>, is_next=False, **kwargs)
id

A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

key_type

A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

name

A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>
public_key

A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

user

Accessor to the related object on the forward side of a many-to-one or one-to-one (via ForwardOneToOneDescriptor subclass) relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Child.parent is a ForwardManyToOneDescriptor instance.

user_id

tardis.apps.sftp.sftp module

SFTP Server

class tardis.apps.sftp.sftp.DynamicTree(host_obj=None)

Bases: object

add_child(name, obj=None)
add_path(path)
add_path_elems(elems)
clear_children()
get_leaf(path, update=False)
update_all_files()
update_dataset_files()
update_datasets()
update_experiments()
update_nothing()
class tardis.apps.sftp.sftp.MyTSFTPHandle(df, flags=0, optional_args=None)

Bases: paramiko.sftp_handle.SFTPHandle

SFTP File Handle

stat()

Return an L{SFTPAttributes} object referring to this open file, or an error code. This is equivalent to L{SFTPServerInterface.stat}, except it’s called on an open file instead of a path.

@return: an attributes object for the given file, or an SFTP error code (like L{SFTP_PERMISSION_DENIED}). @rtype: L{SFTPAttributes} I{or error code}

class tardis.apps.sftp.sftp.MyTSFTPRequestHandler(request, client_address, server)

Bases: socketserver.BaseRequestHandler

auth_timeout = 60
handle()
handle_timeout()
setup()
timeout = 60
class tardis.apps.sftp.sftp.MyTSFTPServer(*args, **kwargs)

Bases: paramiko.sftp_server.SFTPServer

override SFTPServer to provide channel information to the SFTP subsystem

class tardis.apps.sftp.sftp.MyTSFTPServerInterface(server, *args, **kwargs)

Bases: paramiko.sftp_si.SFTPServerInterface

MyTardis data via SFTP

canonicalize(path)

Return the canonical form of a path on the server.

experiments
list_folder(path)

Returns a list of files within a given folder. The C{path} will use posix notation (C{“/”} separates folder names) and may be an absolute or relative path.

The list of files is expected to be a list of L{SFTPAttributes} objects, which are similar in structure to the objects returned by C{os.stat}. In addition, each object should have its C{filename} field filled in, since this is important to a directory listing and not normally present in C{os.stat} results.

In case of an error, you should return one of the C{SFTP_*} error codes, such as L{SFTP_PERMISSION_DENIED}.

@param path: the requested path (relative or absolute) to be listed. @type path: str @return: a list of the files in the given folder, using L{SFTPAttributes} objects. @rtype: list of L{SFTPAttributes} I{or error code}

lstat(path)

symbolic links are not supported

open(path, flags, attr)

Open a file on the server and create a handle for future operations on that file. On success, a new object subclassed from L{SFTPHandle} should be returned. This handle will be used for future operations on the file (read, write, etc). On failure, an error code such as L{SFTP_PERMISSION_DENIED} should be returned.

C{flags} contains the requested mode for opening (read-only, write-append, etc) as a bitset of flags from the C{os} module:

  • C{os.O_RDONLY}
  • C{os.O_WRONLY}
  • C{os.O_RDWR}
  • C{os.O_APPEND}
  • C{os.O_CREAT}
  • C{os.O_TRUNC}
  • C{os.O_EXCL}

(One of C{os.O_RDONLY}, C{os.O_WRONLY}, or C{os.O_RDWR} will always be set.)

The C{attr} object contains requested attributes of the file if it has to be created. Some or all attribute fields may be missing if the client didn’t specify them.

@note: The SFTP protocol defines all files to be in “binary” mode. There is no equivalent to python’s “text” mode.

Parameters:
  • path (basestring) – the requested datafile path
  • flags (int) – flags or’d together from the C{os} module indicating the requested mode for opening the file.
  • attr (SFTPAttributes) – requested attributes of the file if it is newly created.
Returns:

a new L{SFTPHandle} I{or error code}.
Return type:

SFTPHandle
session_ended()

run cleanup on exceptions or disconnection. idea: collect stats and store them in this function

session_started()

run on connection initialisation

stat(path)

Return an L{SFTPAttributes} object for a path on the server, or an error code. If your server supports symbolic links (also known as “aliases”), you should follow them. (L{lstat} is the corresponding call that doesn’t follow symlinks/aliases.)

@param path: the requested path (relative or absolute) to fetch file statistics for. @type path: str

@return: an attributes object for the given file, or an SFTP error code (like L{SFTP_PERMISSION_DENIED}). @rtype: L{SFTPAttributes} I{or error code}

class tardis.apps.sftp.sftp.MyTSFTPTCPServer(address, host_key, RequestHandlerClass=None)

Bases: socketserver.TCPServer

allow_reuse_address = True
close_request(request)

Called to clean up an individual request.

shutdown_request(request)

Called to shutdown and close an individual request.

class tardis.apps.sftp.sftp.MyTServerInterface

Bases: paramiko.server.ServerInterface

check_auth_interactive(username, submethods)

Begin an interactive authentication challenge, if supported. You should override this method in server mode if you want to support the "keyboard-interactive" auth type, which requires you to send a series of questions for the client to answer.

Return AUTH_FAILED if this auth method isn’t supported. Otherwise, you should return an .InteractiveQuery object containing the prompts and instructions for the user. The response will be sent via a call to check_auth_interactive_response.

The default implementation always returns AUTH_FAILED.

Parameters:
  • username (str) – the username of the authenticating client
  • submethods (str) – a comma-separated list of methods preferred by the client (usually empty)
Returns:

AUTH_FAILED if this auth method isn’t supported; otherwise an object containing queries for the user
Return type:

int or .InteractiveQuery
check_auth_interactive_response(responses)

Continue or finish an interactive authentication challenge, if supported. You should override this method in server mode if you want to support the "keyboard-interactive" auth type.

Return AUTH_FAILED if the responses are not accepted, AUTH_SUCCESSFUL if the responses are accepted and complete the authentication, or AUTH_PARTIALLY_SUCCESSFUL if your authentication is stateful, and this set of responses is accepted for authentication, but more authentication is required. (In this latter case, get_allowed_auths will be called to report to the client what options it has for continuing the authentication.)

If you wish to continue interactive authentication with more questions, you may return an .InteractiveQuery object, which should cause the client to respond with more answers, calling this method again. This cycle can continue indefinitely.

The default implementation always returns AUTH_FAILED.

Parameters:responses – list of str responses from the client
Returns:AUTH_FAILED if the authentication fails; AUTH_SUCCESSFUL if it succeeds; AUTH_PARTIALLY_SUCCESSFUL if the interactive auth is successful, but authentication must continue; otherwise an object containing queries for the user
Return type:int or .InteractiveQuery
check_auth_password(username, password)

Determine if a given username and password supplied by the client is acceptable for use in authentication.

Return AUTH_FAILED if the password is not accepted, AUTH_SUCCESSFUL if the password is accepted and completes the authentication, or AUTH_PARTIALLY_SUCCESSFUL if your authentication is stateful, and this key is accepted for authentication, but more authentication is required. (In this latter case, get_allowed_auths will be called to report to the client what options it has for continuing the authentication.)

The default implementation always returns AUTH_FAILED.

Parameters:
  • username (str) – the username of the authenticating client.
  • password (str) – the password given by the client.
Returns:

AUTH_FAILED if the authentication fails; AUTH_SUCCESSFUL if it succeeds; AUTH_PARTIALLY_SUCCESSFUL if the password auth is successful, but authentication must continue.
Return type:

int
check_auth_publickey(username, key)

Determine if a given key supplied by the client is acceptable for use in authentication. You should override this method in server mode to check the username and key and decide if you would accept a signature made using this key.

Return AUTH_FAILED if the key is not accepted, AUTH_SUCCESSFUL if the key is accepted and completes the authentication, or AUTH_PARTIALLY_SUCCESSFUL if your authentication is stateful, and this password is accepted for authentication, but more authentication is required. (In this latter case, get_allowed_auths will be called to report to the client what options it has for continuing the authentication.)

Note that you don’t have to actually verify any key signtature here. If you’re willing to accept the key, Paramiko will do the work of verifying the client’s signature.

The default implementation always returns AUTH_FAILED.

Parameters:
  • username (str) – the username of the authenticating client
  • key (PKey) – the key object provided by the client
Returns:

AUTH_FAILED if the client can’t authenticate with this key; AUTH_SUCCESSFUL if it can; AUTH_PARTIALLY_SUCCESSFUL if it can authenticate with this key but must continue with authentication
Return type:

int
check_channel_request(kind, chanid)

Determine if a channel request of a given type will be granted, and return OPEN_SUCCEEDED or an error code. This method is called in server mode when the client requests a channel, after authentication is complete.

If you allow channel requests (and an ssh server that didn’t would be useless), you should also override some of the channel request methods below, which are used to determine which services will be allowed on a given channel:

  • check_channel_pty_request
  • check_channel_shell_request
  • check_channel_subsystem_request
  • check_channel_window_change_request
  • check_channel_x11_request
  • check_channel_forward_agent_request

The chanid parameter is a small number that uniquely identifies the channel within a .Transport. A .Channel object is not created unless this method returns OPEN_SUCCEEDED – once a .Channel object is created, you can call .Channel.get_id to retrieve the channel ID.

The return value should either be OPEN_SUCCEEDED (or 0) to allow the channel request, or one of the following error codes to reject it:

  • OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
  • OPEN_FAILED_CONNECT_FAILED
  • OPEN_FAILED_UNKNOWN_CHANNEL_TYPE
  • OPEN_FAILED_RESOURCE_SHORTAGE

The default implementation always returns OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED.

Parameters:
  • kind (str) – the kind of channel the client would like to open (usually "session").
  • chanid (int) – ID of the channel
Returns:

an int success or failure code (listed above)
get_allowed_auths(username)

Return a list of authentication methods supported by the server. This list is sent to clients attempting to authenticate, to inform them of authentication methods that might be successful.

The “list” is actually a string of comma-separated names of types of authentication. Possible values are "password", "publickey", and "none".

The default implementation always returns "password".

Parameters:username (str) – the username requesting authentication.
Returns:a comma-separated str of authentication types
myt_auth(username, password)
tardis.apps.sftp.sftp.start_server(host=None, port=None, keyfile=None)

The SFTP_HOST_KEY setting is required for configuring SFTP access. The SFTP_PORT setting defaults to 2200.

See: tardis/default_settings/sftp.py

tardis.apps.sftp.urls module

tardis.apps.sftp.user_menu_modifiers module

tardis.apps.sftp.user_menu_modifiers.add_ssh_keys_menu_item(request, user_menu)

Add a ‘Manage SSH Keys’ item to the user menu

Parameters:
Returns:

user_menu list
Return type:

list

tardis.apps.sftp.views module

tardis.apps.sftp.views.cybderduck_connection_window(request)
tardis.apps.sftp.views.sftp_access(request)

Show dynamically generated instructions on how to connect to SFTP :param Request request: HttpRequest :return: HttpResponse :rtype: HttpResponse

tardis.apps.sftp.views.sftp_keys(request)

Generate an RSA key pair for a user.

Generates a key pair, stores the public part of the key and provides a one time opportunity for the user to download the private part of the key.

Parameters:request (HttpRequest) – http request
Returns:either returns form on GET request or private key download on POST request
Return type:HttpResponse

Module contents