1 files changed, 40 insertions, 55 deletions

diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index 8df76c70..0788ffb1 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
@@ -13,12 +13,11 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
-import hashlib
 import json
 import os
-from string import Template
 from pixelated.resources.users import UsersResource
 
+import pixelated
 from pixelated.resources import BaseResource, UnAuthorizedResource, UnavailableResource
 from pixelated.resources import IPixelatedSession
 from pixelated.resources.attachments_resource import AttachmentsResource
@@ -33,43 +32,48 @@ from pixelated.resources.mail_resource import MailResource
 from pixelated.resources.mails_resource import MailsResource
 from pixelated.resources.tags_resource import TagsResource
 from pixelated.resources.keys_resource import KeysResource
+from pixelated.resources.inbox_resource import InboxResource, MODE_STARTUP, MODE_RUNNING
 from twisted.web.resource import NoResource
 from twisted.web.static import File
 
 from twisted.logger import Logger
 
-log = Logger()
+logger = Logger()
 
 
-CSRF_TOKEN_LENGTH = 32
+class PublicRootResource(BaseResource):
 
-MODE_STARTUP = 1
-MODE_RUNNING = 2
+    def __init__(self, services_factory):
+        BaseResource.__init__(self, services_factory)
 
 
-class RootResource(BaseResource):
+class RootResource(PublicRootResource):
+
     def __init__(self, services_factory):
-        BaseResource.__init__(self, services_factory)
+        PublicRootResource.__init__(self, services_factory)
+        self._assets_folder = self._get_assets_folder()
         self._startup_assets_folder = self._get_startup_folder()
         self._static_folder = self._get_static_folder()
         self._html_template = open(os.path.join(self._static_folder, 'index.html')).read()
         self._services_factory = services_factory
-        self._child_resources = ChildResourcesMap()
         with open(os.path.join(self._startup_assets_folder, 'Interstitial.html')) as f:
             self.interstitial = f.read()
+        self._inbox_resource = InboxResource(services_factory)
         self._startup_mode()
 
     def _startup_mode(self):
+        self.putChild('assets', File(self._assets_folder))
         self.putChild('startup-assets', File(self._startup_assets_folder))
         self._mode = MODE_STARTUP
+        logger.debug('Root in STARTUP mode. %s' % self)
 
-    def getChild(self, path, request):
+    def getChildWithDefault(self, path, request):
         if path == '':
-            return self
+            return self._inbox_resource
         if self._mode == MODE_STARTUP:
             return UnavailableResource()
         if self._is_xsrf_valid(request):
-            return self._child_resources.get(path)
+            return BaseResource.getChildWithDefault(self, path, request)
         return UnAuthorizedResource()
 
     def _is_xsrf_valid(self, request):
@@ -78,7 +82,9 @@ class RootResource(BaseResource):
             return True
 
         xsrf_token = request.getCookie('XSRF-TOKEN')
+        logger.debug('CSRF token: %s' % xsrf_token)
 
+        # TODO: how is comparing the cookie-csrf with the HTTP-header-csrf adding any csrf protection?
         ajax_request = (request.getHeader('x-requested-with') == 'XMLHttpRequest')
         if ajax_request:
             xsrf_header = request.getHeader('x-xsrf-token')
@@ -88,24 +94,30 @@ class RootResource(BaseResource):
         return csrf_input and csrf_input == xsrf_token
 
     def initialize(self, provider=None, disclaimer_banner=None, authenticator=None):
-        self._child_resources.add('sandbox', SandboxResource(self._static_folder))
-        self._child_resources.add('assets', File(self._static_folder))
-        self._child_resources.add('keys', KeysResource(self._services_factory))
-        self._child_resources.add(AttachmentsResource.BASE_URL, AttachmentsResource(self._services_factory))
-        self._child_resources.add('contacts', ContactsResource(self._services_factory))
-        self._child_resources.add('features', FeaturesResource(provider))
-        self._child_resources.add('tags', TagsResource(self._services_factory))
-        self._child_resources.add('mails', MailsResource(self._services_factory))
-        self._child_resources.add('mail', MailResource(self._services_factory))
-        self._child_resources.add('feedback', FeedbackResource(self._services_factory))
-        self._child_resources.add('user-settings', UserSettingsResource(self._services_factory))
-        self._child_resources.add('users', UsersResource(self._services_factory))
-        self._child_resources.add(LoginResource.BASE_URL,
-                                  LoginResource(self._services_factory, provider, disclaimer_banner=disclaimer_banner, authenticator=authenticator))
-        self._child_resources.add(LogoutResource.BASE_URL, LogoutResource(self._services_factory))
-
+        self.putChild('sandbox', SandboxResource(self._static_folder))
+        self.putChild('keys', KeysResource(self._services_factory))
+        self.putChild(AttachmentsResource.BASE_URL, AttachmentsResource(self._services_factory))
+        self.putChild('contacts', ContactsResource(self._services_factory))
+        self.putChild('features', FeaturesResource(provider))
+        self.putChild('tags', TagsResource(self._services_factory))
+        self.putChild('mails', MailsResource(self._services_factory))
+        self.putChild('mail', MailResource(self._services_factory))
+        self.putChild('feedback', FeedbackResource(self._services_factory))
+        self.putChild('user-settings', UserSettingsResource(self._services_factory))
+        self.putChild('users', UsersResource(self._services_factory))
+        self.putChild(LoginResource.BASE_URL,
+                      LoginResource(self._services_factory, provider, disclaimer_banner=disclaimer_banner, authenticator=authenticator))
+        self.putChild(LogoutResource.BASE_URL, LogoutResource(self._services_factory))
+
+        self._inbox_resource.initialize()
         self._mode = MODE_RUNNING
+        logger.debug('Root in RUNNING mode. %s' % self)
+
+    def _get_assets_folder(self):
+        pixelated_path = os.path.dirname(os.path.abspath(pixelated.__file__))
+        return os.path.join(pixelated_path, '..', '..', 'web-ui', 'public')
 
+    # TODO: use the public folder for this
     def _get_startup_folder(self):
         path = os.path.dirname(os.path.abspath(__file__))
         return os.path.join(path, '..', 'assets')
@@ -119,30 +131,3 @@ class RootResource(BaseResource):
         if not os.path.exists(static_folder):
             static_folder = os.path.join('/', 'usr', 'share', 'pixelated-user-agent')
         return static_folder
-
-    def _is_starting(self):
-        return self._mode == MODE_STARTUP
-
-    def _add_csrf_cookie(self, request):
-        csrf_token = hashlib.sha256(os.urandom(CSRF_TOKEN_LENGTH)).hexdigest()
-        request.addCookie('XSRF-TOKEN', csrf_token)
-
-    def render_GET(self, request):
-        self._add_csrf_cookie(request)
-        if self._is_starting():
-            return self.interstitial
-        else:
-            account_email = self.mail_service(request).account_email
-            response = Template(self._html_template).safe_substitute(account_email=account_email)
-            return str(response)
-
-
-class ChildResourcesMap(object):
-    def __init__(self):
-        self._registry = {}
-
-    def add(self, path, resource):
-        self._registry[path] = resource
-
-    def get(self, path):
-        return self._registry.get(path) or NoResource()