TNL-782 each request should have valid ID Token

.coveragerc

@@ -0,0 +1,3 @@
+[run]
+omit = notesserver/settings*
+       *wsgi.py

.gitignore

@@ -0,0 +1,7 @@
+# Python artifacts
+*.pyc
+
+# Tests / Coverage reports
+.coverage
+.tox
+coverage/

.pep8

@@ -0,0 +1,3 @@
+[pep8]
+ignore=E501
+max_line_length=119

.travis.yml

@@ -0,0 +1,16 @@
+language: python
+python: 2.7
+
+services:
+    - elasticsearch
+
+install:
+    - pip install -r requirements/test.txt
+    - git fetch origin master:refs/remotes/origin/master # https://github.com/edx/diff-cover#troubleshooting
+    - pip install coveralls
+
+script:
+    - make validate
+
+after_success:
+    - coveralls

AUTHORS

@@ -0,0 +1 @@
+Oleg Marshev <oleg@edx.org>

CONTRIBUTING.rst

@@ -0,0 +1,9 @@
+How To Contribute
+=================
+
+Contributions are very welcome.
+
+Please read `How To Contribute <https://github.com/edx/edx-platform/blob/master/CONTRIBUTING.rst>`_ for details.
+
+Even though it was written with ``edx-platform`` in mind, the guidelines
+should be followed for Open edX code in general.

Makefile

@@ -0,0 +1,46 @@
+PACKAGES = notesserver notesapi
+.PHONY: requirements
+
+validate: test.requirements test coverage
+
+test: clean
+	./manage.py test --settings=notesserver.settings.test --with-coverage --with-ignore-docstrings \
+		--exclude-dir=notesserver/settings --cover-inclusive --cover-branches \
+		--cover-html --cover-html-dir=build/coverage/html/ \
+		--cover-xml --cover-xml-file=build/coverage/coverage.xml \
+		$(foreach package,$(PACKAGES),--cover-package=$(package)) \
+		$(PACKAGES)
+
+run:
+	./manage.py runserver 0.0.0.0:8042
+
+shell:
+	./manage.py shell
+
+clean:
+	coverage erase
+
+quality:
+	pep8 --config=.pep8 $(PACKAGES)
+	pylint $(PACKAGES)
+
+diff-coverage:
+	diff-cover build/coverage/coverage.xml --html-report build/coverage/diff_cover.html
+
+diff-quality:
+	diff-quality --violations=pep8 --html-report build/coverage/diff_quality_pep8.html
+	diff-quality --violations=pylint --html-report build/coverage/diff_quality_pylint.html
+
+coverage: diff-coverage diff-quality
+
+create-index:
+	python manage.py create_index
+
+requirements:
+	pip install -q -r requirements/base.txt --exists-action=w
+
+test.requirements: requirements
+	pip install -q -r requirements/test.txt --exists-action=w
+
+develop: test.requirements
+	pip install -q -r requirements/local.txt --exists-action=w

README.rst

@@ -0,0 +1,80 @@
+Part of `edX code`__.
+
+__ http://code.edx.org/
+
+edX Student Notes API |build-status| |coverage-status|
+======================================================
+
+This is a backend store for edX Student Notes.
+
+Overview
+--------
+
+The edX Notes API is designed to be compatible with the
+`Annotator <http://annotatorjs.org/>`__.
+
+Getting Started
+---------------
+
+1. You'll need a recent version `ElasticSearch <http://elasticsearch.org>`__ (>=1.0.0)
+installed.
+
+2. Install the requirements:
+
+   ::
+
+       $ make develop
+
+3. Create index and put mapping:
+
+   ::
+
+       $ make create-index
+
+4. Run the server:
+
+   ::
+
+       $ make run
+
+Running Tests
+-------------
+
+Run ``make validate`` install the requirements, run the tests, and run
+lint.
+
+License
+-------
+
+The code in this repository is licensed under version 3 of the AGPL unless
+otherwise noted.
+
+Please see ``LICENSE.txt`` for details.
+
+How To Contribute
+-----------------
+
+Contributions are very welcome.
+
+Please read `How To Contribute <https://github.com/edx/edx-platform/blob/master/CONTRIBUTING.rst>`_ for details.
+
+Even though it was written with ``edx-platform`` in mind, the guidelines
+should be followed for Open edX code in general.
+
+Reporting Security Issues
+-------------------------
+
+Please do not report security issues in public. Please email security@edx.org
+
+Mailing List and IRC Channel
+----------------------------
+
+You can discuss this code on the `edx-code Google Group`__ or in the
+``edx-code`` IRC channel on Freenode.
+
+__ https://groups.google.com/forum/#!forum/edx-code
+
+.. |build-status| image:: https://travis-ci.org/edx/edx-notes-api.svg?branch=master
+   :target: https://travis-ci.org/edx/edx-notes-api
+.. |coverage-status| image:: https://coveralls.io/repos/edx/edx-notes-api/badge.png?branch=master
+   :target: https://coveralls.io/r/edx/edx-notes-api?branch=master

manage.py

@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+import os
+import sys
+
+if __name__ == "__main__":
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "notesserver.settings.dev")
+
+    from django.core.management import execute_from_command_line
+
+    execute_from_command_line(sys.argv)

notesapi/management/commands/create_index.py

@@ -0,0 +1,9 @@
+from django.core.management.base import BaseCommand
+from annotator.annotation import Annotation
+
+
+class Command(BaseCommand):
+    help = 'Creates the mapping in the index.'
+
+    def handle(self, *args, **options):
+        Annotation.create_all()

notesapi/urls.py

@@ -0,0 +1,6 @@
+from django.conf.urls import patterns, url, include
+
+urlpatterns = patterns(
+    '',
+    url(r'^v1/', include('notesapi.v1.urls', namespace='v1')),
+)

notesapi/v1/permissions.py

@@ -0,0 +1,58 @@
+import jwt
+import logging
+from django.conf import settings
+from rest_framework.permissions import BasePermission
+
+logger = logging.getLogger(__name__)
+
+
+class TokenWrongIssuer(Exception):
+    pass
+
+
+class HasAccessToken(BasePermission):
+    """
+    Allow requests having valid ID Token.
+
+    https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-31
+    Expected Token:
+    Header {
+        "alg": "HS256",
+        "typ": "JWT"
+    }
+    Claims {
+        "sub": "<USER_ID>",
+        "exp": <EXPIRATION TIMESTAMP>,
+        "iat": <ISSUED TIMESTAMP>,
+        "aud": "<CLIENT ID"
+    }
+    Should be signed with CLIENT_SECRET
+    """
+    def has_permission(self, request, view):
+        if getattr(settings, 'DISABLE_TOKEN_CHECK', False):
+            return True
+        token = request.META.get('HTTP_X_ANNOTATOR_AUTH_TOKEN', '')
+        if not token:
+            logger.debug("No token found in headers")
+            return False
+        try:
+            data = jwt.decode(token, settings.CLIENT_SECRET)
+            auth_user = data['sub']
+            if data['aud'] != settings.CLIENT_ID:
+                raise TokenWrongIssuer
+            for request_field in ('GET', 'POST', 'DATA'):
+                if 'user' in getattr(request, request_field):
+                    req_user = getattr(request, request_field)['user']
+                    if req_user == auth_user:
+                        return True
+                    else:
+                        logger.debug("Token user {auth_user} did not match {field} user {req_user}".format(
+                            auth_user=auth_user, field=request_field, req_user=req_user
+                        ))
+            logger.info("No user was present to compare in GET, POST or DATA")
+        except jwt.ExpiredSignature:
+            logger.exception("Token was expired: {}".format(token))
+        except jwt.DecodeError:
+            logger.exception("Could not decode token {}".format(token))
+        except TokenWrongIssuer:
+            logger.exception("Token has wrong issuer {}".format(token))

notesapi/v1/tests/helpers.py

@@ -0,0 +1,14 @@
+import jwt
+from calendar import timegm
+from datetime import datetime, timedelta
+from django.conf import settings
+
+
+def get_id_token(user):
+    now = datetime.utcnow()
+    return jwt.encode({
+        'aud': settings.CLIENT_ID,
+        'sub': user,
+        'iat': timegm(now.utctimetuple()),
+        'exp': timegm((now + timedelta(seconds=300)).utctimetuple()),
+    }, settings.CLIENT_SECRET)