Created separate handler for disabled evaluate api

docs/security.md

@@ -14,5 +14,6 @@ you may want to consider the following as you use TabPy:
   - Install new Python packages which can contain binary code.
   - Execute operating system commands.
   - Open network connections to other servers and download files.
-- Evaluate endpoint can be disabled by setting "TABPY_EVALUATE_ENABLE" to
-  false in config file
+- Execution of ad-hoc Python scripts can be disabled by turning off the 
+  /evaluate endpoint. To disable /evaluate endpoint, set "TABPY_EVALUATE_ENABLE"
+  to false in config file.

docs/server-config.md

@@ -87,8 +87,8 @@ at [`logging.config` documentation page](https://docs.python.org/3.6/library/log
 - `TABPY_MAX_REQUEST_SIZE_MB` - maximal request size supported by TabPy server
   in Megabytes. All requests of exceeding size are rejected. Default value is
   100 Mb.
-- `TABPY_EVALUATE_ENABLE` - enable evaluate api. Default
-  value - `true`.
+- `TABPY_EVALUATE_ENABLE` - enable evaluate api to execute ad-hoc Python scripts
+  Default value - `true`.
 - `TABPY_EVALUATE_TIMEOUT` - script evaluation timeout in seconds. Default
   value - `30`. This timeout does not apply when evaluating models either
   through the `/query` method, or using the `tabpy.query(...)` syntax with
@@ -127,8 +127,8 @@ settings._
 # Default value is 100 Mb.
 # TABPY_MAX_REQUEST_SIZE_MB = 100
 
-# Toggle for evaluate API
-# Enabled by default. Disabling it will result in 400 error.
+# Enable evaluate api to execute ad-hoc Python scripts
+# Enabled by default. Disabling it will result in 404 error.
 # TABPY_EVALUATE_ENABLE = true
 
 # Configure how long a custom script provided to the /evaluate method

tabpy/tabpy_server/app/app.py

@@ -18,6 +18,7 @@
     EndpointHandler,
     EndpointsHandler,
     EvaluationPlaneHandler,
+    EvaluationPlaneDisabledHandler,
     QueryPlaneHandler,
     ServiceInfoHandler,
     StatusHandler,
@@ -150,7 +151,8 @@ def try_exit(self):
                 ),
                 (
                     self.subdirectory + r"/evaluate",
-                    EvaluationPlaneHandler,
+                    EvaluationPlaneHandler if self.settings[SettingsParameters.EvaluateEnabled]
+                    else EvaluationPlaneDisabledHandler,
                     dict(executor=executor, app=self),
                 ),
                 (

tabpy/tabpy_server/common/default.conf

@@ -25,8 +25,8 @@
 # Default value is 100 Mb.
 # TABPY_MAX_REQUEST_SIZE_MB = 100
 
-# Toggle for evaluate API
-# Enabled by default. Disabling it will result in 400 error.
+# Enable evaluate api to execute ad-hoc Python scripts
+# Enabled by default. Disabling it will result in 404 error.
 # TABPY_EVALUATE_ENABLE = true
 
 # Configure how long a custom script provided to the /evaluate method

tabpy/tabpy_server/handlers/__init__.py

@@ -3,6 +3,7 @@
 
 from tabpy.tabpy_server.handlers.endpoint_handler import EndpointHandler
 from tabpy.tabpy_server.handlers.endpoints_handler import EndpointsHandler
+from tabpy.tabpy_server.handlers.evaluation_plane_handler import EvaluationPlaneDisabledHandler
 from tabpy.tabpy_server.handlers.evaluation_plane_handler import EvaluationPlaneHandler
 from tabpy.tabpy_server.handlers.query_plane_handler import QueryPlaneHandler
 from tabpy.tabpy_server.handlers.service_info_handler import ServiceInfoHandler

tabpy/tabpy_server/handlers/base_handler.py

@@ -126,7 +126,6 @@ def initialize(self, app):
         self.credentials = app.credentials
         self.username = None
         self.password = None
-        self.eval_enabled = self.settings[SettingsParameters.EvaluateEnabled]
         self.eval_timeout = self.settings[SettingsParameters.EvaluateTimeout]
 
         self.logger = ContextLoggerWrapper(self.request)

tabpy/tabpy_server/handlers/evaluation_plane_handler.py

@@ -29,6 +29,21 @@ def query(self, name, *args, **kwargs):
         return response.json()
 
 
+class EvaluationPlaneDisabledHandler(BaseHandler):
+    """
+    EvaluationPlaneDisabledHandler responds with error message when ad-hoc scripts have been disabled.
+    """
+
+    def initialize(self, executor, app):
+        super(EvaluationPlaneDisabledHandler, self).initialize(app)
+        self.executor = executor
+
+    @gen.coroutine
+    def post(self):
+        self.error_out(404, "Ad-hoc scripts have been disabled on this analytics extension, please contact your "
+                            "administrator.")
+
+
 class EvaluationPlaneHandler(BaseHandler):
     """
     EvaluationPlaneHandler is responsible for running arbitrary python scripts.
@@ -44,11 +59,6 @@ def initialize(self, executor, app):
 
     @gen.coroutine
     def _post_impl(self):
-        if not self.eval_enabled:
-            self.error_out(400, "Ad-hoc scripts have been disabled on this analytics extension, please contact your "
-                                "administrator.")
-            return
-
         body = json.loads(self.request.body.decode("utf-8"))
         self.logger.log(logging.DEBUG, f"Processing POST request '{body}'...")
         if "script" not in body:

tests/unit/server_tests/test_evaluation_plane_handler.py

@@ -323,7 +323,7 @@ def test_evaluation_disabled_fails(self):
             method="POST",
             body=self.script
         )
-        self.assertEqual(400, response.code)
+        self.assertEqual(404, response.code)
 
 
 class TestEvaluationPlainHandlerEnabled(AsyncHTTPTestCase):