# -*- coding: utf-8 -*-
# _session.py
# Copyright (C) 2016 LEAP Encryption Access Project
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Service for handling the local sessions.
"""
import binascii
import os
from twisted.application import service
from twisted.logger import Logger
from leap.bitmask.hooks import HookableService
# Module-level Twisted logger used by SessionService for lifecycle messages.
# Session token values must never be passed to it.
logger = Logger()
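class SessionService(HookableService):
    """
    Hold the random local-session tokens that protect access to the API
    resources.

    These tokens are different from the (remote) SRP session tokens: the
    local-session tokens are also ephemeral, but they are generated by the
    local Bitmask daemon.

    Right now, a token is generated when a soledad instance is successfully
    created. This might be subject to further discussion, but it is the
    earliest moment at which we can decide whether a user should be
    authenticated locally: it means that the entered password is able to
    decrypt the local store. In this way, we can protect the API resources
    even when we don't have connectivity.

    Security notes:

    * Tokens are drawn from ``os.urandom`` (the operating system CSPRNG) and
      hex-encoded; each token carries 10 random bytes (80 bits).
    * The token mapping is the object handed in by the caller and is shared
      by reference; this service only ever writes to it and never removes
      entries.
    * This class does not log token values; keep it that way.
    * NOTE(review): the code that checks a presented token against this
      mapping lives outside this file -- confirm it uses a constant-time
      comparison such as ``hmac.compare_digest``.
    """

    name = 'sessions'

    def __init__(self, basedir, tokens):
        """
        :param basedir: base directory handed to the service; it is stored
                        but not used by the code visible in this class.
        :param tokens: mutable mapping of user -> local-session token. It is
                       kept by reference, so whoever else holds the same
                       object sees every token written here.
        """
        service.Service.__init__(self)
        self._basedir = basedir
        self._tokens = tokens

    def startService(self):
        """
        Log the start-up and delegate to the parent implementation.
        """
        logger.info('starting Session Service')
        super(SessionService, self).startService()

    def stopService(self):
        """
        Delegate to the parent implementation so the service is actually
        marked as stopped, mirroring what startService does.

        The previous body was a bare ``pass``, which skipped the base-class
        bookkeeping entirely.

        NOTE(review): tokens already issued are left in the shared mapping
        on stop. Whether they should be revoked here depends on who owns
        that mapping -- confirm against the caller.
        """
        return super(SessionService, self).stopService()

    def hook_on_new_soledad_instance(self, **kw):
        """
        Issue a fresh local-session token for the user whose soledad
        instance has just been created.

        Any token previously stored for the same user is replaced, so the
        old value stops being present in the mapping.

        :param kw: hook keyword arguments; ``user`` is required.
        :raises KeyError: if ``user`` is missing from the hook arguments.
        """
        user = kw['user']
        # os.urandom reads from the OS CSPRNG; never swap this for the
        # ``random`` module. 10 bytes gives 80 bits of randomness.
        # NOTE(review): many session-management guidelines suggest 128 bits;
        # consider 16 bytes if no consumer depends on the 20-character
        # token length.
        session_token = binascii.hexlify(os.urandom(10))
        self._tokens[user] = session_token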