diff options
author | Kali Kaneko <kali@leap.se> | 2015-11-18 19:27:47 -0400 |
---|---|---|
committer | Kali Kaneko <kali@leap.se> | 2015-11-18 19:55:19 -0400 |
commit | aa50bcfddfa16847e4d49d3c6611b0f9bb9fa394 (patch) | |
tree | 200239f3b063aaebbd90595a22230a2274d2ac78 | |
parent | 74a293f5c26ee5a4ab1b254b326809ef8f87602f (diff) |
[feat] bonafide zmq service
-rw-r--r-- | bonafide/README.rst | 2 | ||||
-rwxr-xr-x | bonafide/src/leap/bonafide/bonafide_cli2 | 112 | ||||
-rw-r--r-- | bonafide/src/leap/bonafide/config.py | 152 | ||||
-rw-r--r-- | bonafide/src/leap/bonafide/cred_srp.py | 9 | ||||
-rw-r--r-- | bonafide/src/leap/bonafide/provider.py | 1 | ||||
-rw-r--r-- | bonafide/src/leap/bonafide/service.py | 120 | ||||
-rw-r--r-- | bonafide/src/leap/bonafide/zmq_service.py | 97 |
7 files changed, 487 insertions, 6 deletions
diff --git a/bonafide/README.rst b/bonafide/README.rst index ffcf2ff..044ac71 100644 --- a/bonafide/README.rst +++ b/bonafide/README.rst @@ -17,4 +17,4 @@ the package in development mode by running:: from the parent folder. -Then you can use `bonafide_cli -h` to see the available commands. +Then you can use `bonafide_cli2 -h` to see the available commands. diff --git a/bonafide/src/leap/bonafide/bonafide_cli2 b/bonafide/src/leap/bonafide/bonafide_cli2 new file mode 100755 index 0000000..18506d9 --- /dev/null +++ b/bonafide/src/leap/bonafide/bonafide_cli2 @@ -0,0 +1,112 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# bonafide_cli2.py +# Copyright (C) 2015 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +""" +Bonafide command line interface: zmq client. +""" +import sys +import getpass +import argparse + +from colorama import init as color_init +from colorama import Fore +from twisted.internet import reactor +from txzmq import ZmqEndpoint, ZmqFactory, ZmqREQConnection +import zmq + +from leap.bonafide import config + +description = (Fore.YELLOW + 'Manage and configure a LEAP Account ' + 'using the bonafide protocol. This client connects to ' + 'a running Bonafide service.' + Fore.RESET) + +parser = argparse.ArgumentParser(description=description) +parser.add_argument("--stats", dest="do_stats", action="store_true", + help="print service stats") +parser.add_argument("--signup", action="store_true", dest="do_signup", + help="signup new user") +parser.add_argument("--auth", dest="do_auth", action="store_true", + help="authenticate the passed user") +parser.add_argument("--logout", dest="do_logout", action="store_true", + help="logout this user") +parser.add_argument("--username", dest="username", + help="user to operate with") +parser.add_argument("--shutdown", dest="do_shutdown", action="store_true", + help="shutdown the bonafide service.") +ns = parser.parse_args() + + +def get_zmq_connection(): + zf = ZmqFactory() + e = ZmqEndpoint('connect', config.ENDPOINT) + return ZmqREQConnection(zf, e) + + +def error(msg): + print Fore.RED + "[!] %s" % msg + Fore.RESET + sys.exit(1) + +if len(sys.argv) < 2: + error("Too few arguments. Try %s --help" % sys.argv[0]) + + +if (ns.do_signup or ns.do_auth or ns.do_logout) and not ns.username: + error(Fore.RED + "Need to pass a username for signup/auth/logout" + + Fore.RESET) + +if ns.username and '@' not in ns.username: + error(Fore.RED + "Username must be in the form user@provider" + Fore.RESET) + + +def do_print(stuff): + print Fore.GREEN + stuff[0] + Fore.RESET + + +def send_command(): + + cb = do_print + if ns.do_shutdown: + data = ("shutdown",) + + elif ns.do_stats: + data = ("stats",) + + elif ns.do_signup: + passwd = getpass.getpass() + data = ("signup", ns.username, passwd) + + elif ns.do_auth: + passwd = getpass.getpass() + data = ("authenticate", ns.username, passwd) + + elif ns.do_logout: + passwd = getpass.getpass() + data = ("logout", ns.username, passwd) + + s = get_zmq_connection() + try: + d = s.sendMsg(*data) + except zmq.error.Again: + print Fore.RED + "[ERROR] Server is down :(" + Fore.RESET + d.addCallback(cb) + d.addCallback(lambda x: reactor.stop()) + + +if __name__ == "__main__": + color_init() + reactor.callWhenRunning(reactor.callLater, 0, send_command) + reactor.run() diff --git a/bonafide/src/leap/bonafide/config.py b/bonafide/src/leap/bonafide/config.py new file mode 100644 index 0000000..9490f55 --- /dev/null +++ b/bonafide/src/leap/bonafide/config.py @@ -0,0 +1,152 @@ +# -*- coding: utf-8 -*- +# config.py +# Copyright (C) 2015 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +""" +Configuration for a LEAP provider. +""" +import datetime +import os +import sys + +from leap.bonafide._http import httpRequest + +from leap.common.check import leap_assert +from leap.common.config import get_path_prefix as common_get_path_prefix +from leap.common.files import check_and_fix_urw_only, get_mtime, mkdir_p + + +APPNAME = "bonafide" +ENDPOINT = "ipc:///tmp/%s.sock" % APPNAME + + +def get_path_prefix(standalone=False): + return common_get_path_prefix(standalone) + + +def get_provider_path(domain): + """ + Returns relative path for provider config. + + :param domain: the domain to which this providerconfig belongs to. + :type domain: str + :returns: the path + :rtype: str + """ + leap_assert(domain is not None, "get_provider_path: We need a domain") + return os.path.join("leap", "providers", domain, "provider.json") + + +def get_modification_ts(path): + """ + Gets modification time of a file. + + :param path: the path to get ts from + :type path: str + :returns: modification time + :rtype: datetime object + """ + ts = os.path.getmtime(path) + return datetime.datetime.fromtimestamp(ts) + + +def update_modification_ts(path): + """ + Sets modification time of a file to current time. + + :param path: the path to set ts to. + :type path: str + :returns: modification time + :rtype: datetime object + """ + os.utime(path, None) + return get_modification_ts(path) + + +def is_file(path): + """ + Returns True if the path exists and is a file. + """ + return os.path.isfile(path) + + +def is_empty_file(path): + """ + Returns True if the file at path is empty. + """ + return os.stat(path).st_size is 0 + + +def make_address(user, provider): + """ + Return a full identifier for an user, as a email-like + identifier. + + :param user: the username + :type user: basestring + :param provider: the provider domain + :type provider: basestring + """ + return "%s@%s" % (user, provider) + + +def get_username_and_provider(full_id): + return full_id.split('@') + + +class ProviderConfig(object): + # TODO add file config for enabled services + + def __init__(self, domain): + self._api_base = None + self._domain = domain + + def is_configured(self): + provider_json = self._get_provider_json_path() + # XXX check if all the services are there + if is_file(provider_json): + return True + return False + + def download_provider_info(self): + """ + Download the provider.json info from the main domain. + This SHOULD only be used once with the DOMAIN url. + """ + # TODO handle pre-seeded providers? + # or let client handle that? We could move them to bonafide. + provider_json = self._get_provider_json_path() + if is_file(provider_json): + raise RuntimeError('File already exists') + + def update_provider_info(self): + """ + Get more recent copy of provider.json from the api URL. + """ + pass + + def _http_request(self, *args, **kw): + # XXX pass if-modified-since header + return httpRequest(*args, **kw) + + def _get_provider_json_path(self): + domain = self._domain.encode(sys.getfilesystemencoding()) + provider_json = os.path.join(get_path_prefix(), get_provider_path(domain)) + return provider_json + +if __name__ == '__main__': + config = ProviderConfig('cdev.bitmask.net') + config.is_configured() + config.download_provider_info() diff --git a/bonafide/src/leap/bonafide/cred_srp.py b/bonafide/src/leap/bonafide/cred_srp.py index 5188830..9fcb97b 100644 --- a/bonafide/src/leap/bonafide/cred_srp.py +++ b/bonafide/src/leap/bonafide/cred_srp.py @@ -31,7 +31,7 @@ from twisted.cred import portal, credentials, error as credError from twisted.cred.checkers import ICredentialsChecker from twisted.internet import defer, reactor -from leap.bonafide.session import LeapSession +from leap.bonafide.session import Session @implementer(ICredentialsChecker) @@ -63,7 +63,7 @@ class SRPCredentialsChecker(object): self._check_srp_auth) def _check_srp_auth(session, username): - if session.authenticated: + if session.is_authenticated: # is ok! --- should add it to some global cache? return defer.succeed(username) else: @@ -72,9 +72,8 @@ class SRPCredentialsChecker(object): def _get_leap_session(credentials): - session = LeapSession(credentials) - d = session.handshake() - d.addCallback(lambda _: session.authenticate()) + session = Session(credentials) + d = session.authenticate() d.addCallback(lambda _: session) return d diff --git a/bonafide/src/leap/bonafide/provider.py b/bonafide/src/leap/bonafide/provider.py index c22be3c..1d0b5b7 100644 --- a/bonafide/src/leap/bonafide/provider.py +++ b/bonafide/src/leap/bonafide/provider.py @@ -93,6 +93,7 @@ class Api(object): # TODO when should the provider-api object be created? # TODO pass a Provider object to constructor, with autoconf flag. # TODO make the actions attribute depend on the api version + # TODO missing UPDATE USER RECORD __metaclass__ = _MetaActionDispatcher _actions = { diff --git a/bonafide/src/leap/bonafide/service.py b/bonafide/src/leap/bonafide/service.py new file mode 100644 index 0000000..1f7295a --- /dev/null +++ b/bonafide/src/leap/bonafide/service.py @@ -0,0 +1,120 @@ +# -*- coding: utf-8 -*- +# service.py +# Copyright (C) 2014 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +""" +Bonafide service. +""" +import os +import resource +from collections import defaultdict + +from leap.bonafide import config +from leap.bonafide import provider +from leap.bonafide.session import Session, OK + +from twisted.cred.credentials import UsernamePassword +from twisted.internet.defer import fail +from twisted.python import log + + +# TODO [ ] enable-disable services +# TODO [ ] read provider info + +COMMANDS = 'signup', 'authenticate', 'logout', 'stats' + + +class BonafideService(object): + """ + Expose the Bonafide Service API. + """ + + _apis = defaultdict(None) + _sessions = defaultdict(None) + + def _get_api(self, provider_id): + if provider_id in self._apis: + return self._apis[provider_id] + + # XXX lookup the provider config instead + # TODO defer the autoconfig for the provider if needed... + api = provider.Api('https://api.%s:4430' % provider_id) + self._apis[provider_id] = api + return api + + def _get_session(self, full_id, password=""): + if full_id in self._sessions: + return self._sessions[full_id] + + # TODO if password/username null, then pass AnonymousCreds + # TODO use twisted.cred instead + username, provider_id = config.get_username_and_provider(full_id) + credentials = UsernamePassword(username, password) + api = self._get_api(provider_id) + cdev_pem = os.path.expanduser( + '~/.config/leap/providers/%s/keys/ca/cacert.pem' % + provider_id) + session = Session(credentials, api, cdev_pem) + self._sessions[full_id] = session + return session + + # Service public methods + + def do_signup(self, full_id, password): + # XXX check it's unauthenticated + def return_user(result, _session): + return_code, user = result + if return_code == OK: + return user + + log.msg('SIGNUP for %s' % full_id) + session = self._get_session(full_id, password) + username, provider_id = config.get_username_and_provider(full_id) + + d = session.signup(username, password) + d.addCallback(return_user, session) + return d + + def do_authenticate(self, full_id, password): + def return_token(result, _session): + if result == OK: + return str(_session.token) + + log.msg('AUTH for %s' % full_id) + session = self._get_session(full_id, password) + d = session.authenticate() + d.addCallback(return_token, session) + return d + + def do_logout(self, full_id, password): + # XXX use the AVATAR here + log.msg('LOGOUT for %s' % full_id) + session = self._get_session(full_id) + if not session.is_authenticated: + return fail(RuntimeError("There is no session for such user")) + try: + d = session.logout() + except Exception as exc: + log.err(exc) + return fail(exc) + + d.addCallback(lambda _: self._sessions.pop(full_id)) + d.addCallback(lambda _: '%s logged out' % full_id) + return d + + def do_stats(self): + mem = resource.getrusage(resource.RUSAGE_SELF).ru_maxrss + return '[+] Bonafide service: [%s sessions] [Mem usage: %s KB]' % ( + len(self._sessions), mem / 1024) diff --git a/bonafide/src/leap/bonafide/zmq_service.py b/bonafide/src/leap/bonafide/zmq_service.py new file mode 100644 index 0000000..e33df3d --- /dev/null +++ b/bonafide/src/leap/bonafide/zmq_service.py @@ -0,0 +1,97 @@ +# -*- coding: utf-8 -*- +# zmq_service.py +# Copyright (C) 2015 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +""" +Bonafide ZMQ Service +""" +from leap.bonafide import config +from leap.bonafide.service import BonafideService, COMMANDS + +from txzmq import ZmqEndpoint, ZmqFactory, ZmqREPConnection + +from twisted.python import log + + +class BonafideZmqREPConnection(ZmqREPConnection): + + def initialize(self): + self._service = BonafideService() + + def do_greet(self): + print "[+] Bonafide service running..." + + def do_bye(self): + print "[+] Bonafide service stopped. Have a nice day." + reactor.stop() + + def gotMessage(self, msgId, *parts): + def defer_reply(response): + reactor.callLater(0, self.reply, msgId, str(response)) + + def log_err(failure): + log.err(failure) + print "FAILURE", failure + defer_reply("ERROR: %r" % failure) + + cmd = parts[0] + + if cmd == "shutdown": + defer_reply('ok, shutting down') + reactor.callLater(1, self.do_bye) + + if cmd not in COMMANDS: + response = 'INVALID COMMAND' + defer_reply(response) + + elif cmd == 'signup': + username, password = parts[1], parts[2] + d = self._service.do_signup(username, password) + d.addCallback(lambda response: defer_reply( + 'REGISTERED -> %s' % response)) + d.addErrback(log_err) + + elif cmd == 'authenticate': + username, password = parts[1], parts[2] + d = self._service.do_authenticate(username, password) + d.addCallback(lambda response: defer_reply( + 'TOKEN -> %s' % response)) + d.addErrback(log_err) + + elif cmd == 'logout': + username, password = parts[1], parts[2] + d = self._service.do_logout(username, password) + d.addCallback(lambda response: defer_reply( + 'LOGOUT -> ok')) + d.addErrback(log_err) + + elif cmd == 'stats': + response = self._service.do_stats() + defer_reply(response) + + +def get_zmq_connection(): + zf = ZmqFactory() + e = ZmqEndpoint("bind", config.ENDPOINT) + return BonafideZmqREPConnection(zf, e) + + +if __name__ == "__main__": + from twisted.internet import reactor + + s = get_zmq_connection() + reactor.callWhenRunning(s.initialize) + reactor.callWhenRunning(s.do_greet) + reactor.run() |