# (c) 2005 Ian Bicking and contributors; written for Paste (http://pythonpaste.org) # Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php # (c) 2005 Ian Bicking, Clark C. Evans and contributors # This module is part of the Python Paste Project and is released under # the MIT License: http://www.opensource.org/licenses/mit-license.php # Some of this code was funded by http://prometheusresearch.com """ HTTP Exception Middleware This module processes Python exceptions that relate to HTTP exceptions by defining a set of exceptions, all subclasses of HTTPException, and a request handler (`middleware`) that catches these exceptions and turns them into proper responses. This module defines exceptions according to RFC 2068 [1]_ : codes with 100-300 are not really errors; 400's are client errors, and 500's are server errors. According to the WSGI specification [2]_ , the application can call ``start_response`` more then once only under two conditions: (a) the response has not yet been sent, or (b) if the second and subsequent invocations of ``start_response`` have a valid ``exc_info`` argument obtained from ``sys.exc_info()``. The WSGI specification then requires the server or gateway to handle the case where content has been sent and then an exception was encountered. Exceptions in the 5xx range and those raised after ``start_response`` has been called are treated as serious errors and the ``exc_info`` is filled-in with information needed for a lower level module to generate a stack trace and log information. Exception HTTPException HTTPRedirection * 300 - HTTPMultipleChoices * 301 - HTTPMovedPermanently * 302 - HTTPFound * 303 - HTTPSeeOther * 304 - HTTPNotModified * 305 - HTTPUseProxy * 306 - Unused (not implemented, obviously) * 307 - HTTPTemporaryRedirect HTTPError HTTPClientError * 400 - HTTPBadRequest * 401 - HTTPUnauthorized * 402 - HTTPPaymentRequired * 403 - HTTPForbidden * 404 - HTTPNotFound * 405 - HTTPMethodNotAllowed * 406 - HTTPNotAcceptable * 407 - HTTPProxyAuthenticationRequired * 408 - HTTPRequestTimeout * 409 - HTTPConfict * 410 - HTTPGone * 411 - HTTPLengthRequired * 412 - HTTPPreconditionFailed * 413 - HTTPRequestEntityTooLarge * 414 - HTTPRequestURITooLong * 415 - HTTPUnsupportedMediaType * 416 - HTTPRequestRangeNotSatisfiable * 417 - HTTPExpectationFailed * 429 - HTTPTooManyRequests HTTPServerError * 500 - HTTPInternalServerError * 501 - HTTPNotImplemented * 502 - HTTPBadGateway * 503 - HTTPServiceUnavailable * 504 - HTTPGatewayTimeout * 505 - HTTPVersionNotSupported References: .. [1] http://www.python.org/peps/pep-0333.html#error-handling .. [2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.5 """ import six from paste.wsgilib import catch_errors_app from paste.response import has_header, header_value, replace_header from paste.request import resolve_relative_url from paste.util.quoting import strip_html, html_quote, no_quote, comment_quote SERVER_NAME = 'WSGI Server' TEMPLATE = """\ <html>\r <head><title>%(title)s</title></head>\r <body>\r <h1>%(title)s</h1>\r <p>%(body)s</p>\r <hr noshade>\r <div align="right">%(server)s</div>\r </body>\r </html>\r """ class HTTPException(Exception): """ the HTTP exception base class This encapsulates an HTTP response that interrupts normal application flow; but one which is not necessarly an error condition. For example, codes in the 300's are exceptions in that they interrupt normal processing; however, they are not considered errors. This class is complicated by 4 factors: 1. The content given to the exception may either be plain-text or as html-text. 2. The template may want to have string-substitutions taken from the current ``environ`` or values from incoming headers. This is especially troublesome due to case sensitivity. 3. The final output may either be text/plain or text/html mime-type as requested by the client application. 4. Each exception has a default explanation, but those who raise exceptions may want to provide additional detail. Attributes: ``code`` the HTTP status code for the exception ``title`` remainder of the status line (stuff after the code) ``explanation`` a plain-text explanation of the error message that is not subject to environment or header substitutions; it is accessible in the template via %(explanation)s ``detail`` a plain-text message customization that is not subject to environment or header substitutions; accessible in the template via %(detail)s ``template`` a content fragment (in HTML) used for environment and header substitution; the default template includes both the explanation and further detail provided in the message ``required_headers`` a sequence of headers which are required for proper construction of the exception Parameters: ``detail`` a plain-text override of the default ``detail`` ``headers`` a list of (k,v) header pairs ``comment`` a plain-text additional information which is usually stripped/hidden for end-users To override the template (which is HTML content) or the plain-text explanation, one must subclass the given exception; or customize it after it has been created. This particular breakdown of a message into explanation, detail and template allows both the creation of plain-text and html messages for various clients as well as error-free substitution of environment variables and headers. """ code = None title = None explanation = '' detail = '' comment = '' template = "%(explanation)s\r\n<br/>%(detail)s\r\n<!-- %(comment)s -->" required_headers = () def __init__(self, detail=None, headers=None, comment=None): assert self.code, "Do not directly instantiate abstract exceptions." assert isinstance(headers, (type(None), list)), ( "headers must be None or a list: %r" % headers) assert isinstance(detail, (type(None), six.binary_type, six.text_type)), ( "detail must be None or a string: %r" % detail) assert isinstance(comment, (type(None), six.binary_type, six.text_type)), ( "comment must be None or a string: %r" % comment) self.headers = headers or tuple() for req in self.required_headers: assert headers and has_header(headers, req), ( "Exception %s must be passed the header %r " "(got headers: %r)" % (self.__class__.__name__, req, headers)) if detail is not None: self.detail = detail if comment is not None: self.comment = comment Exception.__init__(self,"%s %s\n%s\n%s\n" % ( self.code, self.title, self.explanation, self.detail)) def make_body(self, environ, template, escfunc, comment_escfunc=None): comment_escfunc = comment_escfunc or escfunc args = {'explanation': escfunc(self.explanation), 'detail': escfunc(self.detail), 'comment': comment_escfunc(self.comment)} if HTTPException.template != self.template: for (k, v) in environ.items(): args[k] = escfunc(v) if self.headers: for (k, v) in self.headers: args[k.lower()] = escfunc(v) if six.PY2: for key, value in args.items(): if isinstance(value, six.text_type): args[key] = value.encode('utf8', 'xmlcharrefreplace') return template % args def plain(self, environ): """ text/plain representation of the exception """ body = self.make_body(environ, strip_html(self.template), no_quote, comment_quote) return ('%s %s\r\n%s\r\n' % (self.code, self.title, body)) def html(self, environ): """ text/html representation of the exception """ body = self.make_body(environ, self.template, html_quote, comment_quote) return TEMPLATE % { 'title': self.title, 'code': self.code, 'server': SERVER_NAME, 'body': body } def prepare_content(self, environ): if self.headers: headers = list(self.headers) else: headers = [] if 'html' in environ.get('HTTP_ACCEPT','') or \ '*/*' in environ.get('HTTP_ACCEPT',''): replace_header(headers, 'content-type', 'text/html') content = self.html(environ) else: replace_header(headers, 'content-type', 'text/plain') content = self.plain(environ) if isinstance(content, six.text_type): content = content.encode('utf8') cur_content_type = ( header_value(headers, 'content-type') or 'text/html') replace_header( headers, 'content-type', cur_content_type + '; charset=utf8') return headers, content def response(self, environ): from paste.wsgiwrappers import WSGIResponse headers, content = self.prepare_content(environ) resp = WSGIResponse(code=self.code, content=content) resp.headers = resp.headers.fromlist(headers) return resp def wsgi_application(self, environ, start_response, exc_info=None): """ This exception as a WSGI application """ headers, content = self.prepare_content(environ) start_response('%s %s' % (self.code, self.title), headers, exc_info) return [content] __call__ = wsgi_application def __repr__(self): return '<%s %s; code=%s>' % (self.__class__.__name__, self.title, self.code) class HTTPError(HTTPException): """ base class for status codes in the 400's and 500's This is an exception which indicates that an error has occurred, and that any work in progress should not be committed. These are typically results in the 400's and 500's. """ # # 3xx Redirection # # This class of status code indicates that further action needs to be # taken by the user agent in order to fulfill the request. The action # required MAY be carried out by the user agent without interaction with # the user if and only if the method used in the second request is GET or # HEAD. A client SHOULD detect infinite redirection loops, since such # loops generate network traffic for each redirection. # class HTTPRedirection(HTTPException): """ base class for 300's status code (redirections) This is an abstract base class for 3xx redirection. It indicates that further action needs to be taken by the user agent in order to fulfill the request. It does not necessarly signal an error condition. """ class _HTTPMove(HTTPRedirection): """ redirections which require a Location field Since a 'Location' header is a required attribute of 301, 302, 303, 305 and 307 (but not 304), this base class provides the mechanics to make this easy. While this has the same parameters as HTTPException, if a location is not provided in the headers; it is assumed that the detail _is_ the location (this for backward compatibility, otherwise we'd add a new attribute). """ required_headers = ('location',) explanation = 'The resource has been moved to' template = ( '%(explanation)s <a href="%(location)s">%(location)s</a>;\r\n' 'you should be redirected automatically.\r\n' '%(detail)s\r\n<!-- %(comment)s -->') def __init__(self, detail=None, headers=None, comment=None): assert isinstance(headers, (type(None), list)) headers = headers or [] location = header_value(headers,'location') if not location: location = detail detail = '' headers.append(('location', location)) assert location, ("HTTPRedirection specified neither a " "location in the headers nor did it " "provide a detail argument.") HTTPRedirection.__init__(self, location, headers, comment) if detail is not None: self.detail = detail def relative_redirect(cls, dest_uri, environ, detail=None, headers=None, comment=None): """ Create a redirect object with the dest_uri, which may be relative, considering it relative to the uri implied by the given environ. """ location = resolve_relative_url(dest_uri, environ) headers = headers or [] headers.append(('Location', location)) return cls(detail=detail, headers=headers, comment=comment) relative_redirect = classmethod(relative_redirect) def location(self): for name, value in self.headers: if name.lower() == 'location': return value else: raise KeyError("No location set for %s" % self) class HTTPMultipleChoices(_HTTPMove): code = 300 title = 'Multiple Choices' class HTTPMovedPermanently(_HTTPMove): code = 301 title = 'Moved Permanently' class HTTPFound(_HTTPMove): code = 302 title = 'Found' explanation = 'The resource was found at' # This one is safe after a POST (the redirected location will be # retrieved with GET): class HTTPSeeOther(_HTTPMove): code = 303 title = 'See Other' class HTTPNotModified(HTTPRedirection): # @@: but not always (HTTP section 14.18.1)...? # @@: Removed 'date' requirement, as its not required for an ETag # @@: FIXME: This should require either an ETag or a date header code = 304 title = 'Not Modified' message = '' # @@: should include date header, optionally other headers # @@: should not return a content body def plain(self, environ): return '' def html(self, environ): """ text/html representation of the exception """ return '' class HTTPUseProxy(_HTTPMove): # @@: OK, not a move, but looks a little like one code = 305 title = 'Use Proxy' explanation = ( 'The resource must be accessed through a proxy ' 'located at') class HTTPTemporaryRedirect(_HTTPMove): code = 307 title = 'Temporary Redirect' # # 4xx Client Error # # The 4xx class of status code is intended for cases in which the client # seems to have erred. Except when responding to a HEAD request, the # server SHOULD include an entity containing an explanation of the error # situation, and whether it is a temporary or permanent condition. These # status codes are applicable to any request method. User agents SHOULD # display any included entity to the user. # class HTTPClientError(HTTPError): """ base class for the 400's, where the client is in-error This is an error condition in which the client is presumed to be in-error. This is an expected problem, and thus is not considered a bug. A server-side traceback is not warranted. Unless specialized, this is a '400 Bad Request' """ code = 400 title = 'Bad Request' explanation = ('The server could not comply with the request since\r\n' 'it is either malformed or otherwise incorrect.\r\n') class HTTPBadRequest(HTTPClientError): pass class HTTPUnauthorized(HTTPClientError): code = 401 title = 'Unauthorized' explanation = ( 'This server could not verify that you are authorized to\r\n' 'access the document you requested. Either you supplied the\r\n' 'wrong credentials (e.g., bad password), or your browser\r\n' 'does not understand how to supply the credentials required.\r\n') class HTTPPaymentRequired(HTTPClientError): code = 402 title = 'Payment Required' explanation = ('Access was denied for financial reasons.') class HTTPForbidden(HTTPClientError): code = 403 title = 'Forbidden' explanation = ('Access was denied to this resource.') class HTTPNotFound(HTTPClientError): code = 404 title = 'Not Found' explanation = ('The resource could not be found.') class HTTPMethodNotAllowed(HTTPClientError): required_headers = ('allow',) code = 405 title = 'Method Not Allowed' # override template since we need an environment variable template = ('The method %(REQUEST_METHOD)s is not allowed for ' 'this resource.\r\n%(detail)s') class HTTPNotAcceptable(HTTPClientError): code = 406 title = 'Not Acceptable' # override template since we need an environment variable template = ('The resource could not be generated that was ' 'acceptable to your browser (content\r\nof type ' '%(HTTP_ACCEPT)s).\r\n%(detail)s') class HTTPProxyAuthenticationRequired(HTTPClientError): code = 407 title = 'Proxy Authentication Required' explanation = ('Authentication /w a local proxy is needed.') class HTTPRequestTimeout(HTTPClientError): code = 408 title = 'Request Timeout' explanation = ('The server has waited too long for the request to ' 'be sent by the client.') class HTTPConflict(HTTPClientError): code = 409 title = 'Conflict' explanation = ('There was a conflict when trying to complete ' 'your request.') class HTTPGone(HTTPClientError): code = 410 title = 'Gone' explanation = ('This resource is no longer available. No forwarding ' 'address is given.') class HTTPLengthRequired(HTTPClientError): code = 411 title = 'Length Required' explanation = ('Content-Length header required.') class HTTPPreconditionFailed(HTTPClientError): code = 412 title = 'Precondition Failed' explanation = ('Request precondition failed.') class HTTPRequestEntityTooLarge(HTTPClientError): code = 413 title = 'Request Entity Too Large' explanation = ('The body of your request was too large for this server.') class HTTPRequestURITooLong(HTTPClientError): code = 414 title = 'Request-URI Too Long' explanation = ('The request URI was too long for this server.') class HTTPUnsupportedMediaType(HTTPClientError): code = 415 title = 'Unsupported Media Type' # override template since we need an environment variable template = ('The request media type %(CONTENT_TYPE)s is not ' 'supported by this server.\r\n%(detail)s') class HTTPRequestRangeNotSatisfiable(HTTPClientError): code = 416 title = 'Request Range Not Satisfiable' explanation = ('The Range requested is not available.') class HTTPExpectationFailed(HTTPClientError): code = 417 title = 'Expectation Failed' explanation = ('Expectation failed.') class HTTPTooManyRequests(HTTPClientError): code = 429 title = 'Too Many Requests' explanation = ('The client has sent too many requests to the server.') # # 5xx Server Error # # Response status codes beginning with the digit "5" indicate cases in # which the server is aware that it has erred or is incapable of # performing the request. Except when responding to a HEAD request, the # server SHOULD include an entity containing an explanation of the error # situation, and whether it is a temporary or permanent condition. User # agents SHOULD display any included entity to the user. These response # codes are applicable to any request method. # class HTTPServerError(HTTPError): """ base class for the 500's, where the server is in-error This is an error condition in which the server is presumed to be in-error. This is usually unexpected, and thus requires a traceback; ideally, opening a support ticket for the customer. Unless specialized, this is a '500 Internal Server Error' """ code = 500 title = 'Internal Server Error' explanation = ( 'The server has either erred or is incapable of performing\r\n' 'the requested operation.\r\n') class HTTPInternalServerError(HTTPServerError): pass class HTTPNotImplemented(HTTPServerError): code = 501 title = 'Not Implemented' # override template since we need an environment variable template = ('The request method %(REQUEST_METHOD)s is not implemented ' 'for this server.\r\n%(detail)s') class HTTPBadGateway(HTTPServerError): code = 502 title = 'Bad Gateway' explanation = ('Bad gateway.') class HTTPServiceUnavailable(HTTPServerError): code = 503 title = 'Service Unavailable' explanation = ('The server is currently unavailable. ' 'Please try again at a later time.') class HTTPGatewayTimeout(HTTPServerError): code = 504 title = 'Gateway Timeout' explanation = ('The gateway has timed out.') class HTTPVersionNotSupported(HTTPServerError): code = 505 title = 'HTTP Version Not Supported' explanation = ('The HTTP version is not supported.') # abstract HTTP related exceptions __all__ = ['HTTPException', 'HTTPRedirection', 'HTTPError' ] _exceptions = {} for name, value in six.iteritems(dict(globals())): if (isinstance(value, (type, six.class_types)) and issubclass(value, HTTPException) and value.code): _exceptions[value.code] = value __all__.append(name) def get_exception(code): return _exceptions[code] ############################################################ ## Middleware implementation: ############################################################ class HTTPExceptionHandler(object): """ catches exceptions and turns them into proper HTTP responses This middleware catches any exceptions (which are subclasses of ``HTTPException``) and turns them into proper HTTP responses. Note if the headers have already been sent, the stack trace is always maintained as this indicates a programming error. Note that you must raise the exception before returning the app_iter, and you cannot use this with generator apps that don't raise an exception until after their app_iter is iterated over. """ def __init__(self, application, warning_level=None): assert not warning_level or ( warning_level > 99 and warning_level < 600) if warning_level is not None: import warnings warnings.warn('The warning_level parameter is not used or supported', DeprecationWarning, 2) self.warning_level = warning_level or 500 self.application = application def __call__(self, environ, start_response): environ['paste.httpexceptions'] = self environ.setdefault('paste.expected_exceptions', []).append(HTTPException) try: return self.application(environ, start_response) except HTTPException as exc: return exc(environ, start_response) def middleware(*args, **kw): import warnings # deprecated 13 dec 2005 warnings.warn('httpexceptions.middleware is deprecated; use ' 'make_middleware or HTTPExceptionHandler instead', DeprecationWarning, 2) return make_middleware(*args, **kw) def make_middleware(app, global_conf=None, warning_level=None): """ ``httpexceptions`` middleware; this catches any ``paste.httpexceptions.HTTPException`` exceptions (exceptions like ``HTTPNotFound``, ``HTTPMovedPermanently``, etc) and turns them into proper HTTP responses. ``warning_level`` can be an integer corresponding to an HTTP code. Any code over that value will be passed 'up' the chain, potentially reported on by another piece of middleware. """ if warning_level: warning_level = int(warning_level) return HTTPExceptionHandler(app, warning_level=warning_level) __all__.extend(['HTTPExceptionHandler', 'get_exception'])