Merge branch...

Merge branch '25-print-warning-if-token-containing-file-is-readable-to-someone-other-than-user' into 'master' Resolve "Print warning if token-containing file is readable to someone other than user" Closes #25 See merge request !23

Merge branch...
76e23ea1 · Eric · 8019820a · 597d8fdf · 76e23ea1 · 76e23ea1
Commit 76e23ea1 authored 4 years ago by Eric
--- a/pyiricdata/Client.py
+++ b/pyiricdata/Client.py
@@ -29,12 +29,25 @@ class Client:
    api_my_datasets = 'api/v1/my-datasets/list/json/'
    """ python client to IRICdata API"""
-    def __init__(self, username, password=None, token=None,
+    def __init__(self, username, password=None, token_file='.irdatatoken',
-                 url='https://thepond.bioinfo.iric.ca'):
+                 url='https://thepond.bioinfo.iric.ca', warnings=False):
        self.url = url
        self.user = username
        self.pwd = password
-        self.token = token
+        self.token = None
+        self.warnings = warnings
+        try:
+            self.token = open(token_file, 'r').read().strip()
+            if self.warnings:
+                if int(oct(os.stat(token_file).st_mode)[-3:][1:]):
+                    sys.stderr.write(
+                        'WARNING: PAT file permissions are ' +
+                        'potentially unsafe. Group and Other should not ' +
+                        'have read, write or execute permission.\n'
+                    )
+        except FileNotFoundError:
+            pass
        if self.token is None and self.pwd is None:
            self.pwd = getpass()
@@ -42,16 +55,16 @@ class Client:
        session = requests.session()
        if self.token is not None:
-            if self.pwd is not None:
+            if self.pwd is not None and self.warnings:
                sys.stderr.write(
-                    'WARNING: Amiguous authentification, ' +
+                    'WARNING: Ambiguous authentification, ' +
-                    'ignoring password in favor of PAT\n'
+                    'in the future please use either username/password ' +
+                    'combination or PAT.\n'
                )
-            self.token = self.token.strip()
            session.headers.update({'Iric-Auth-Token': F'{self.token}'})
-        elif self.user is not None and self.pwd is not None:
+        if self.user is not None and self.pwd is not None:
            login_url = os.path.join(self.url, 'login/')
            session.get(login_url)
            csrftoken = session.cookies['csrftoken']

--- a/pyiricdata/__main__.py
+++ b/pyiricdata/__main__.py
@@ -9,8 +9,8 @@ def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--username", help="Username", type=str, required=True)
    parser.add_argument("-p", "--password", help="Password", type=str, default=None)
-    parser.add_argument("-t", "--token-file-path", type=str, default=None,
+    parser.add_argument("-t", "--token-file-path", type=str, default='.irdatatoken',
-            help="File containing Personal Authentication Token (PAT)")
+            help="File containg Personal Authentication Token (PAT)")
    parser.add_argument("--url", help="URL", type=str, default='https://thepond.bioinfo.iric.ca')
    parser.add_argument("--dataset-id", help="Dataset ID", type=str, default=None)
    parser.add_argument("--datafile-id", help="Datafile ID", type=str, default=None)
@@ -21,12 +21,15 @@ def main():
    args = parser.parse_args().__dict__
-    if args['token_file_path'] is not None:
+    token = args['token_file_path']
-        token = open(args['token_file_path'], 'r').read().strip()
-    else:
-        token = None
-    client = Client(username=args['username'], password=args['password'], token=token, url=args['url'])
+    client = Client(
+        username=args['username'],
+        password=args['password'],
+        token_file=token,
+        url=args['url'],
+        warnings=True
+    )
    if args['download']:
        dsid = args['dataset_id']