Merge branch 'main' into remove-codowners

Author: veluca93

cms/db/__init__.py

@@ -81,7 +81,7 @@
 
 # Instantiate or import these objects.
 
-version = 44
+version = 45
 
 engine = create_engine(config.database, echo=config.database_debug,
                        pool_timeout=60, pool_recycle=120)

cms/db/submission.py

@@ -27,6 +27,7 @@
 """
 
 from datetime import datetime
+import random
 from sqlalchemy import Boolean
 from sqlalchemy.dialects.postgresql import ARRAY, JSONB
 from sqlalchemy.orm import relationship
@@ -46,6 +47,15 @@ class Submission(Base):
 
     """
     __tablename__ = 'submissions'
+    __table_args__ = (
+        UniqueConstraint("participation_id", "opaque_id",
+                         name="participation_opaque_unique"),
+    )
+
+    # Opaque ID to be used to refer to this submission.
+    opaque_id: int = Column(
+        BigInteger,
+        nullable=False)
 
     # Auto increment primary key.
     id: int = Column(
@@ -177,6 +187,25 @@ def tokened(self) -> bool:
         """
         return self.token is not None
 
+    @classmethod
+    def generate_opaque_id(cls, session, participation_id):
+        randint_upper_bound = 2**63-1
+
+        opaque_id = random.randint(0, randint_upper_bound)
+
+        # Note that in theory this may cause the transaction to fail by
+        # generating a non-actually-unique ID. This is however extremely
+        # unlikely (prob. ~num_parallel_submissions_per_contestant^2/2**63).
+        while (session
+               .query(Submission)
+               .filter(Submission.participation_id == participation_id)
+               .filter(Submission.opaque_id == opaque_id)
+               .first()
+               is not None):
+            opaque_id = random.randint(0, randint_upper_bound)
+
+        return opaque_id
+
 
 class File(Base):
     """Class to store information about one file submitted within a

cms/server/contest/handlers/__init__.py

@@ -23,9 +23,24 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from .communication import \
-    CommunicationHandler, \
-    QuestionHandler
+from .taskusertest import \
+    UserTestInterfaceHandler, \
+    UserTestHandler, \
+    UserTestStatusHandler, \
+    UserTestDetailsHandler, \
+    UserTestIOHandler, \
+    UserTestFileHandler
+from .tasksubmission import \
+    SubmitHandler, \
+    TaskSubmissionsHandler, \
+    SubmissionStatusHandler, \
+    SubmissionDetailsHandler, \
+    SubmissionFileHandler, \
+    UseTokenHandler
+from .task import \
+    TaskDescriptionHandler, \
+    TaskStatementViewHandler, \
+    TaskAttachmentViewHandler
 from .main import \
     LoginHandler, \
     LogoutHandler, \
@@ -34,24 +49,14 @@
     NotificationsHandler, \
     PrintingHandler, \
     DocumentationHandler
-from .task import \
-    TaskDescriptionHandler, \
-    TaskStatementViewHandler, \
-    TaskAttachmentViewHandler
-from .tasksubmission import \
-    SubmitHandler, \
-    TaskSubmissionsHandler, \
-    SubmissionStatusHandler, \
-    SubmissionDetailsHandler, \
-    SubmissionFileHandler, \
-    UseTokenHandler
-from .taskusertest import \
-    UserTestInterfaceHandler, \
-    UserTestHandler, \
-    UserTestStatusHandler, \
-    UserTestDetailsHandler, \
-    UserTestIOHandler, \
-    UserTestFileHandler
+from .communication import \
+    CommunicationHandler, \
+    QuestionHandler
+from .api import \
+    ApiLoginHandler, \
+    ApiSubmissionListHandler, \
+    ApiSubmitHandler, \
+    ApiTaskListHandler
 
 
 HANDLERS = [
@@ -97,6 +102,12 @@
     (r"/communication", CommunicationHandler),
     (r"/question", QuestionHandler),
 
+    # API
+    (r"/api/login", ApiLoginHandler),
+    (r"/api/task_list", ApiTaskListHandler),
+    (r"/api/(.*)/submit", ApiSubmitHandler),
+    (r"/api/(.*)/submission_list", ApiSubmissionListHandler),
+
     # The following prefixes are handled by WSGI middlewares:
     # * /static, defined in cms/io/web_service.py
     # * /docs, defined in cms/server/contest/server.py

cms/server/contest/handlers/api.py

@@ -0,0 +1,148 @@
+#!/usr/bin/env python3
+
+# Contest Management System - http://cms-dev.github.io/
+# Copyright © 2025 Luca Versari <veluca93@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""API handlers for CMS.
+
+"""
+
+import ipaddress
+import logging
+
+try:
+    import tornado4.web as tornado_web
+except ImportError:
+    import tornado.web as tornado_web
+
+from cms.db.submission import Submission
+from cms.server import multi_contest
+from cms.server.contest.authentication import validate_login
+from cms.server.contest.submission import \
+    UnacceptableSubmission, accept_submission
+from .contest import ContestHandler
+from ..phase_management import actual_phase_required
+
+logger = logging.getLogger(__name__)
+
+
+class ApiLoginHandler(ContestHandler):
+    """Login handler.
+
+    """
+    @multi_contest
+    def post(self):
+        username = self.get_argument("username", "")
+        password = self.get_argument("password", "")
+
+        try:
+            ip_address = ipaddress.ip_address(self.request.remote_ip)
+        except ValueError:
+            logger.warning("Invalid IP address provided by Tornado: %s",
+                           self.request.remote_ip)
+            return None
+
+        participation, login_data = validate_login(
+            self.sql_session, self.contest, self.timestamp, username, password,
+            ip_address)
+
+        if participation is None:
+            self.json({"error": "Login failed"}, 403)
+        elif login_data is not None:
+            cookie_name = self.contest.name + "_login"
+            self.json({"login_data": self.create_signed_value(
+                cookie_name, login_data).decode()})
+        else:
+            self.json({})
+
+    def check_xsrf_cookie(self):
+        pass
+
+
+class ApiTaskListHandler(ContestHandler):
+    """Handler to list all tasks and their statements.
+
+    """
+    @tornado_web.authenticated
+    @actual_phase_required(0, 3)
+    @multi_contest
+    def get(self):
+        contest = self.contest
+        tasks = []
+        for task in contest.tasks:
+            name = task.name
+            statements = [s for s in task.statements]
+            sub_format = task.submission_format
+            tasks.append({"name": name,
+                          "statements": statements,
+                          "submission_format": sub_format})
+        self.json({"tasks": tasks})
+
+
+class ApiSubmitHandler(ContestHandler):
+    """Handles the received submissions.
+
+    """
+    @tornado_web.authenticated
+    @actual_phase_required(0, 3)
+    @multi_contest
+    def post(self, task_name: str):
+        task = self.get_task(task_name)
+        if task is None:
+            self.json({"error": "Not found"}, 404)
+            return
+
+        # Only set the official bit when the user can compete and we are not in
+        # analysis mode.
+        official = self.r_params["actual_phase"] == 0
+
+        try:
+            submission = accept_submission(
+                self.sql_session, self.service.file_cacher, self.current_user,
+                task, self.timestamp, self.request.files,
+                self.get_argument("language", None), official)
+            self.sql_session.commit()
+        except UnacceptableSubmission as e:
+            logger.info("API submission rejected: `%s' - `%s'",
+                        e.subject, e.formatted_text)
+            self.json({"error": e.subject, "details": e.formatted_text}, 400)
+        else:
+            logger.info(
+                f'API submission accepted: Submission ID {submission.id}')
+            self.service.evaluation_service.new_submission(
+                submission_id=submission.id)
+            self.json({'id': str(submission.opaque_id)})
+
+
+class ApiSubmissionListHandler(ContestHandler):
+    """Retrieves the list of submissions on a task.
+
+    """
+    @tornado_web.authenticated
+    @actual_phase_required(0, 3)
+    @multi_contest
+    def get(self, task_name: str):
+        task = self.get_task(task_name)
+        if task is None:
+            self.json({"error": "Not found"}, 404)
+            return
+        submissions: list[Submission] = (
+            self.sql_session.query(Submission)
+            .filter(Submission.participation == self.current_user)
+            .filter(Submission.task == task)
+            .all()
+        )
+        self.json({'list': [{"id": str(s.opaque_id)} for s in submissions]})

cms/server/contest/handlers/contest.py

@@ -30,6 +30,7 @@
 """
 
 import ipaddress
+import json
 import logging
 
 import collections
@@ -159,6 +160,11 @@ def get_current_user(self) -> Participation | None:
         """
         cookie_name = self.contest.name + "_login"
         cookie = self.get_secure_cookie(cookie_name)
+        authorization_header = self.request.headers.get(
+            "X-CMS-Authorization", None)
+        if authorization_header is not None:
+            authorization_header = tornado_web.decode_signed_value(self.application.settings["cookie_secret"],
+                                                                   cookie_name, authorization_header)
 
         try:
             ip_address = ipaddress.ip_address(self.request.remote_ip)
@@ -170,7 +176,7 @@ def get_current_user(self) -> Participation | None:
         participation, cookie = authenticate_request(
             self.sql_session, self.contest,
             self.timestamp, cookie,
-            self.request.headers.get("X-CMS-Authorization", None),
+            authorization_header,
             ip_address)
 
         if cookie is None:
@@ -250,7 +256,7 @@ def get_task(self, task_name: str) -> Task | None:
             .filter(Task.name == task_name) \
             .one_or_none()
 
-    def get_submission(self, task: Task, submission_num: str) -> Submission | None:
+    def get_submission(self, task: Task, opaque_id: str | int) -> Submission | None:
         """Return the num-th contestant's submission on the given task.
 
         task: a task for the contest that is being served.
@@ -265,8 +271,7 @@ def get_submission(self, task: Task, submission_num: str) -> Submission | None:
         return self.sql_session.query(Submission) \
             .filter(Submission.participation == self.current_user) \
             .filter(Submission.task == task) \
-            .order_by(Submission.timestamp) \
-            .offset(int(submission_num) - 1) \
+            .filter(Submission.opaque_id == int(opaque_id)) \
             .first()
 
     def get_user_test(self, task: Task, user_test_num: int) -> UserTest | None:
@@ -310,6 +315,19 @@ def notify_warning(
     def notify_error(self, subject: str, text: str, text_params: object | None = None):
         self.add_notification(subject, text, NOTIFICATION_ERROR, text_params)
 
+    def json(self, data, status_code=200):
+        self.set_header("Content-type", "application/json; charset=utf-8")
+        self.set_status(status_code)
+        self.write(json.dumps(data))
+
+    def check_xsrf_cookie(self):
+        # We don't need to check for xsrf if the request came with a custom
+        # header, as those are not set by the browser.
+        if "X-CMS-Authorization" in self.request.headers:
+            pass
+        else:
+            super().check_xsrf_cookie()
+
 
 class FileHandler(ContestHandler, FileHandlerMixin):
     pass