diff options
Diffstat (limited to 'bonafide/src/leap/bonafide/session.py')
-rw-r--r-- | bonafide/src/leap/bonafide/session.py | 219 |
1 files changed, 0 insertions, 219 deletions
diff --git a/bonafide/src/leap/bonafide/session.py b/bonafide/src/leap/bonafide/session.py deleted file mode 100644 index 4180041a..00000000 --- a/bonafide/src/leap/bonafide/session.py +++ /dev/null @@ -1,219 +0,0 @@ -# -*- coding: utf-8 -*- -# session.py -# Copyright (C) 2015 LEAP -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -""" -LEAP Session management. -""" -from twisted.internet import defer, reactor -from twisted.python import log - -from leap.bonafide import _srp -from leap.bonafide import provider -from leap.bonafide._http import httpRequest, cookieAgentFactory - -OK = 'ok' - - -def _auth_required(func): - """ - Decorate a method so that it will not be called if the instance - attribute `is_authenticated` does not evaluate to True. - """ - def decorated(*args, **kwargs): - instance = args[0] - allowed = getattr(instance, 'is_authenticated') - if not allowed: - raise RuntimeError('This method requires authentication') - return func(*args, **kwargs) - return decorated - - -class Session(object): - - def __init__(self, credentials, api, provider_cert): - # TODO check if an anonymous credentials is passed. - # TODO move provider_cert to api object. - # On creation, it should be able to retrieve all the info it needs - # (calling bootstrap). - # TODO could get a "provider" object instead. - # this provider can have an api attribute, - # and a "autoconfig" attribute passed on initialization. - # TODO get a file-descriptor for password if not in credentials - # TODO merge self._request with config.Provider._http_request ? - - self.username = credentials.username - self.password = credentials.password - self._provider_cert = provider_cert - self._api = api - self._initialize_session() - - def _initialize_session(self): - self._agent = cookieAgentFactory(self._provider_cert) - username = self.username or '' - password = self.password or '' - self._srp_auth = _srp.SRPAuthMechanism(username, password) - self._srp_signup = _srp.SRPSignupMechanism() - self._token = None - self._uuid = None - - # Session - - @property - def token(self): - return self._token - - @property - def uuid(self): - return self._uuid - - @property - def is_authenticated(self): - return self._srp_auth.srp_user.authenticated() - - @defer.inlineCallbacks - def authenticate(self): - uri = self._api.get_handshake_uri() - met = self._api.get_handshake_method() - log.msg("%s to %s" % (met, uri)) - params = self._srp_auth.get_handshake_params() - - handshake = yield self._request(self._agent, uri, values=params, - method=met) - - self._srp_auth.process_handshake(handshake) - uri = self._api.get_authenticate_uri(login=self.username) - met = self._api.get_authenticate_method() - - log.msg("%s to %s" % (met, uri)) - params = self._srp_auth.get_authentication_params() - - auth = yield self._request(self._agent, uri, values=params, - method=met) - - uuid, token = self._srp_auth.process_authentication(auth) - self._srp_auth.verify_authentication() - - self._uuid = uuid - self._token = token - defer.returnValue(OK) - - @_auth_required - @defer.inlineCallbacks - def logout(self): - uri = self._api.get_logout_uri() - met = self._api.get_logout_method() - auth = yield self._request(self._agent, uri, method=met) - print 'AUTH', auth - print 'resetting user/pass' - self.username = None - self.password = None - self._initialize_session() - defer.returnValue(OK) - - # User certificates - - def get_vpn_cert(self): - # TODO pass it to the provider object so that it can save it in the - # right path. - uri = self._api.get_vpn_cert_uri() - met = self._api.get_vpn_cert_method() - return self._request(self._agent, uri, method=met) - - @_auth_required - def get_smtp_cert(self): - # TODO pass it to the provider object so that it can save it in the - # right path. - uri = self._api.get_smtp_cert_uri() - met = self._api.get_smtp_cert_method() - print met, "to", uri - return self._request(self._agent, uri, method=met) - - def _request(self, *args, **kw): - kw['token'] = self._token - return httpRequest(*args, **kw) - - # User management - - @defer.inlineCallbacks - def signup(self, username, password): - # XXX should check that it_IS_NOT_authenticated - provider.validate_username(username) - uri = self._api.get_signup_uri() - met = self._api.get_signup_method() - params = self._srp_signup.get_signup_params( - username, password) - - signup = yield self._request(self._agent, uri, values=params, - method=met) - registered_user = self._srp_signup.process_signup(signup) - self.username = username - self.password = password - defer.returnValue((OK, registered_user)) - - @_auth_required - def update_user_record(self): - # FIXME to be implemented - pass - - # Authentication-protected configuration - - @defer.inlineCallbacks - def fetch_provider_configs(self, uri, path): - config = yield self._request(self._agent, uri) - with open(path, 'w') as cf: - cf.write(config) - defer.returnValue('ok') - - -if __name__ == "__main__": - import os - import sys - from twisted.cred.credentials import UsernamePassword - - if len(sys.argv) != 4: - print "Usage:", sys.argv[0], "provider", "username", "password" - sys.exit() - _provider, username, password = sys.argv[1], sys.argv[2], sys.argv[3] - api = provider.Api('https://api.%s:4430' % _provider) - credentials = UsernamePassword(username, password) - cdev_pem = os.path.expanduser( - '~/.config/leap/providers/%s/keys/ca/cacert.pem' % _provider) - session = Session(credentials, api, cdev_pem) - - def print_result(result): - print result - return result - - def cbShutDown(ignored): - reactor.stop() - - def auth_eb(failure): - print "[ERROR!]", failure.getErrorMessage() - log.err(failure) - - d = session.authenticate() - d.addCallback(print_result) - d.addErrback(auth_eb) - - d.addCallback(lambda _: session.get_smtp_cert()) - #d.addCallback(lambda _: session.get_vpn_cert()) - d.addCallback(print_result) - d.addErrback(auth_eb) - - d.addCallback(lambda _: session.logout()) - d.addErrback(auth_eb) - d.addBoth(cbShutDown) - reactor.run() |