Vendor cornice and cornice.ext.swagger (#3497)

* Vendor cornice in kinto.core

* Remove cornice from dependencies

* Vendor cornice.ext.swagger

* from kinto.core.cornice

* Disable coverage for imported code

Author: leplatrem

constraints.in

@@ -1,8 +1,6 @@
 # main dependencies
 bcrypt
 colander
-cornice
-cornice_swagger
 dockerflow
 jsonschema
 jsonpatch

constraints.txt

@@ -25,17 +25,9 @@ certifi==2024.7.4
 charset-normalizer==3.3.2
     # via requests
 colander==2.0
-    # via
-    #   -r constraints.in
-    #   cornice-swagger
+    # via -r constraints.in
 colorama==0.4.6
     # via logging-color-formatter
-cornice==6.0.1
-    # via
-    #   -r constraints.in
-    #   cornice-swagger
-cornice-swagger==1.0.1
-    # via -r constraints.in
 coverage==7.6.4
     # via pytest-cov
 dockerflow==2024.4.2
@@ -45,9 +37,7 @@ execnet==2.0.2
 fqdn==1.5.1
     # via jsonschema
 greenlet==3.1.1
-    # via
-    #   playwright
-    #   sqlalchemy
+    # via playwright
 hupper==1.12
     # via pyramid
 idna==3.7
@@ -111,7 +101,6 @@ pyproject-hooks==1.0.0
 pyramid==2.0.2
     # via
     #   -r constraints.in
-    #   cornice
     #   pyramid-mailer
     #   pyramid-multiauth
     #   pyramid-tm
@@ -172,7 +161,6 @@ simplejson==3.19.2
 six==1.16.0
     # via
     #   bravado-core
-    #   cornice-swagger
     #   python-dateutil
     #   rfc3339-validator
 soupsieve==2.5
@@ -211,9 +199,7 @@ urllib3==2.2.2
     #   requests
     #   sentry-sdk
 venusian==3.1.0
-    # via
-    #   cornice
-    #   pyramid
+    # via pyramid
 waitress==3.0.2
     # via
     #   -r constraints.in

docs/conf.py

@@ -109,7 +109,7 @@
     ("py:class", "str"),
     ("py:class", "tuple"),
     ("py:class", "Exception"),
-    ("py:class", "cornice.Service"),
+    ("py:class", "kinto.core.cornice.Service"),
     # Member autodoc fails with those:
     # kinto.core.resource.schema
     ("py:class", "Integer"),
@@ -163,7 +163,6 @@ def setup(app):
 
 intersphinx_mapping = {
     "colander": ("https://colander.readthedocs.io/en/latest/", None),
-    "cornice": ("https://cornice.readthedocs.io/en/latest/", None),
     "pyramid": ("https://pyramid.readthedocs.io/en/latest/", None),
 }
 

docs/requirements.txt

@@ -6,7 +6,6 @@ sphinx-github-changelog==1.4.0
 kinto
 mock==5.1.0
 webtest==3.0.4
-cornice==6.1.0
 pyramid==2.0.2
 python-rapidjson==1.20
 SQLAlchemy==2.0.38

docs/troubleshooting.rst

@@ -104,7 +104,7 @@ You might get some error like::
     File "./kinto/__init__.py", line 4, in <module>
       import kinto.core
     File "./kinto/core/__init__.py", line 5, in <module>
-      from cornice import Service as CorniceService
+      from kinto.core.cornice import Service as CorniceService
   ImportError: No module named cornice
   unable to load app 0 (mountpoint='') (callable not found or import error)
 

kinto/core/__init__.py

@@ -4,11 +4,11 @@
 import tempfile
 
 import pkg_resources
-from cornice import Service as CorniceService
 from dockerflow import logging as dockerflow_logging
 from pyramid.settings import aslist
 
 from kinto.core import errors, events
+from kinto.core.cornice import Service as CorniceService
 from kinto.core.initialization import (  # NOQA
     initialize,
     install_middlewares,
@@ -186,10 +186,10 @@ def add_api_capability(config, identifier, description="", url="", **kw):
     config.add_request_method(events.notify_resource_event, name="notify_resource_event")
 
     # Setup cornice.
-    config.include("cornice")
+    config.include("kinto.core.cornice")
 
     # Setup cornice api documentation
-    config.include("cornice_swagger")
+    config.include("kinto.core.cornice_swagger")
 
     # Per-request transaction.
     config.include("pyramid_tm")

kinto/core/cornice/__init__.py

@@ -0,0 +1,93 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this file,
+# You can obtain one at http://mozilla.org/MPL/2.0/.
+import logging
+from functools import partial
+
+from pyramid.events import NewRequest
+from pyramid.httpexceptions import HTTPForbidden, HTTPNotFound
+from pyramid.security import NO_PERMISSION_REQUIRED
+from pyramid.settings import asbool, aslist
+
+from kinto.core.cornice.errors import Errors  # NOQA
+from kinto.core.cornice.pyramidhook import (
+    handle_exceptions,
+    register_resource_views,
+    register_service_views,
+    wrap_request,
+)
+from kinto.core.cornice.renderer import CorniceRenderer
+from kinto.core.cornice.service import Service  # NOQA
+from kinto.core.cornice.util import ContentTypePredicate, current_service
+
+
+logger = logging.getLogger("cornice")
+
+
+def set_localizer_for_languages(event, available_languages, default_locale_name):
+    """
+    Sets the current locale based on the incoming Accept-Language header, if
+    present, and sets a localizer attribute on the request object based on
+    the current locale.
+
+    To be used as an event handler, this function needs to be partially applied
+    with the available_languages and default_locale_name arguments. The
+    resulting function will be an event handler which takes an event object as
+    its only argument.
+    """
+    request = event.request
+    if request.accept_language:
+        accepted = request.accept_language.lookup(available_languages, default=default_locale_name)
+        request._LOCALE_ = accepted
+
+
+def setup_localization(config):
+    """
+    Setup localization based on the available_languages and
+    pyramid.default_locale_name settings.
+
+    These settings are named after suggestions from the "Internationalization
+    and Localization" section of the Pyramid documentation.
+    """
+    try:
+        config.add_translation_dirs("colander:locale/")
+        settings = config.get_settings()
+        available_languages = aslist(settings["available_languages"])
+        default_locale_name = settings.get("pyramid.default_locale_name", "en")
+        set_localizer = partial(
+            set_localizer_for_languages,
+            available_languages=available_languages,
+            default_locale_name=default_locale_name,
+        )
+        config.add_subscriber(set_localizer, NewRequest)
+    except ImportError:  # pragma: no cover
+        # add_translation_dirs raises an ImportError if colander is not
+        # installed
+        pass
+
+
+def includeme(config):
+    """Include the Cornice definitions"""
+    # attributes required to maintain services
+    config.registry.cornice_services = {}
+
+    settings = config.get_settings()
+
+    # localization request subscriber must be set before first call
+    # for request.localizer (in wrap_request)
+    if settings.get("available_languages"):
+        setup_localization(config)
+
+    config.add_directive("add_cornice_service", register_service_views)
+    config.add_directive("add_cornice_resource", register_resource_views)
+    config.add_subscriber(wrap_request, NewRequest)
+    config.add_renderer("cornicejson", CorniceRenderer())
+    config.add_view_predicate("content_type", ContentTypePredicate)
+    config.add_request_method(current_service, reify=True)
+
+    if asbool(settings.get("handle_exceptions", True)):
+        config.add_view(handle_exceptions, context=Exception, permission=NO_PERMISSION_REQUIRED)
+        config.add_view(handle_exceptions, context=HTTPNotFound, permission=NO_PERMISSION_REQUIRED)
+        config.add_view(
+            handle_exceptions, context=HTTPForbidden, permission=NO_PERMISSION_REQUIRED
+        )

kinto/core/cornice/cors.py

@@ -0,0 +1,144 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this file,
+# You can obtain one at http://mozilla.org/MPL/2.0/.
+import fnmatch
+import functools
+
+from pyramid.settings import asbool
+
+
+CORS_PARAMETERS = (
+    "cors_headers",
+    "cors_enabled",
+    "cors_origins",
+    "cors_credentials",
+    "cors_max_age",
+    "cors_expose_all_headers",
+)
+
+
+def get_cors_preflight_view(service):
+    """Return a view for the OPTION method.
+
+    Checks that the User-Agent is authorized to do a request to the server, and
+    to this particular service, and add the various checks that are specified
+    in http://www.w3.org/TR/cors/#resource-processing-model.
+    """
+
+    def _preflight_view(request):
+        response = request.response
+        origin = request.headers.get("Origin")
+        supported_headers = service.cors_supported_headers_for()
+
+        if not origin:
+            request.errors.add("header", "Origin", "this header is mandatory")
+
+        requested_method = request.headers.get("Access-Control-Request-Method")
+        if not requested_method:
+            request.errors.add(
+                "header", "Access-Control-Request-Method", "this header is mandatory"
+            )
+
+        if not (requested_method and origin):
+            return
+
+        requested_headers = request.headers.get("Access-Control-Request-Headers", ())
+
+        if requested_headers:
+            requested_headers = map(str.strip, requested_headers.split(","))
+
+        if requested_method not in service.cors_supported_methods:
+            request.errors.add("header", "Access-Control-Request-Method", "Method not allowed")
+
+        if not service.cors_expose_all_headers:
+            for h in requested_headers:
+                if h.lower() not in [s.lower() for s in supported_headers]:
+                    request.errors.add(
+                        "header", "Access-Control-Request-Headers", 'Header "%s" not allowed' % h
+                    )
+
+        supported_headers = set(supported_headers) | set(requested_headers)
+
+        response.headers["Access-Control-Allow-Headers"] = ",".join(supported_headers)
+
+        response.headers["Access-Control-Allow-Methods"] = ",".join(service.cors_supported_methods)
+
+        max_age = service.cors_max_age_for(requested_method)
+        if max_age is not None:
+            response.headers["Access-Control-Max-Age"] = str(max_age)
+
+        return None
+
+    return _preflight_view
+
+
+def _get_method(request):
+    """Return what's supposed to be the method for CORS operations.
+    (e.g if the verb is options, look at the A-C-Request-Method header,
+    otherwise return the HTTP verb).
+    """
+    if request.method == "OPTIONS":
+        method = request.headers.get("Access-Control-Request-Method", request.method)
+    else:
+        method = request.method
+    return method
+
+
+def ensure_origin(service, request, response=None, **kwargs):
+    """Ensure that the origin header is set and allowed."""
+    response = response or request.response
+
+    # Don't check this twice.
+    if not request.info.get("cors_checked", False):
+        method = _get_method(request)
+
+        origin = request.headers.get("Origin")
+
+        if not origin:
+            always_cors = asbool(request.registry.settings.get("cornice.always_cors"))
+            # With this setting, if the service origins has "*", then
+            # always return CORS headers.
+            origins = getattr(service, "cors_origins", [])
+            if always_cors and "*" in origins:
+                origin = "*"
+
+        if origin:
+            if not any([fnmatch.fnmatchcase(origin, o) for o in service.cors_origins_for(method)]):
+                request.errors.add("header", "Origin", "%s not allowed" % origin)
+            elif service.cors_support_credentials_for(method):
+                response.headers["Access-Control-Allow-Origin"] = origin
+            else:
+                if any([o == "*" for o in service.cors_origins_for(method)]):
+                    response.headers["Access-Control-Allow-Origin"] = "*"
+                else:
+                    response.headers["Access-Control-Allow-Origin"] = origin
+        request.info["cors_checked"] = True
+    return response
+
+
+def get_cors_validator(service):
+    return functools.partial(ensure_origin, service)
+
+
+def apply_cors_post_request(service, request, response):
+    """Handles CORS-related post-request things.
+
+    Add some response headers, such as the Expose-Headers and the
+    Allow-Credentials ones.
+    """
+    response = ensure_origin(service, request, response)
+    method = _get_method(request)
+
+    if (
+        service.cors_support_credentials_for(method)
+        and "Access-Control-Allow-Credentials" not in response.headers
+    ):
+        response.headers["Access-Control-Allow-Credentials"] = "true"
+
+    if request.method != "OPTIONS":
+        # Which headers are exposed?
+        supported_headers = service.cors_supported_headers_for(request.method)
+        if supported_headers:
+            response.headers["Access-Control-Expose-Headers"] = ", ".join(supported_headers)
+
+    return response