From 68acde0220c3f895300b5491f941ca611212a206 Mon Sep 17 00:00:00 2001 From: Bruno Wagner Date: Fri, 5 Jun 2015 17:16:26 -0300 Subject: Moved extensions to their own folder, so support has more meaning --- service/pixelated/extensions/__init__.py | 0 .../pixelated/extensions/esmtp_sender_factory.py | 27 +++++++ .../extensions/incoming_decrypt_header.py | 35 +++++++++ .../pixelated/extensions/keymanager_fetch_key.py | 60 ++++++++++++++++ service/pixelated/extensions/protobuf_socket.py | 37 ++++++++++ service/pixelated/extensions/requests_urllib3.py | 82 ++++++++++++++++++++++ service/pixelated/extensions/shared_db.py | 16 +++++ .../pixelated/extensions/soledad_sync_exception.py | 22 ++++++ service/pixelated/extensions/sqlcipher_wal.py | 24 +++++++ 9 files changed, 303 insertions(+) create mode 100644 service/pixelated/extensions/__init__.py create mode 100644 service/pixelated/extensions/esmtp_sender_factory.py create mode 100644 service/pixelated/extensions/incoming_decrypt_header.py create mode 100644 service/pixelated/extensions/keymanager_fetch_key.py create mode 100644 service/pixelated/extensions/protobuf_socket.py create mode 100644 service/pixelated/extensions/requests_urllib3.py create mode 100644 service/pixelated/extensions/shared_db.py create mode 100644 service/pixelated/extensions/soledad_sync_exception.py create mode 100644 service/pixelated/extensions/sqlcipher_wal.py (limited to 'service/pixelated/extensions') diff --git a/service/pixelated/extensions/__init__.py b/service/pixelated/extensions/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/service/pixelated/extensions/esmtp_sender_factory.py b/service/pixelated/extensions/esmtp_sender_factory.py new file mode 100644 index 00000000..59aa90c8 --- /dev/null +++ b/service/pixelated/extensions/esmtp_sender_factory.py @@ -0,0 +1,27 @@ +# +# Copyright (c) 2014 ThoughtWorks, Inc. +# +# Pixelated is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Pixelated is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with Pixelated. If not, see . + +from twisted.mail import smtp + + +def no_require_transport_security(f): + def wrapper(*args, **kwargs): + kwargs['requireTransportSecurity'] = False + return f(*args, **kwargs) + return wrapper + + +smtp.ESMTPSenderFactory = no_require_transport_security(smtp.ESMTPSenderFactory) diff --git a/service/pixelated/extensions/incoming_decrypt_header.py b/service/pixelated/extensions/incoming_decrypt_header.py new file mode 100644 index 00000000..2db5dd1d --- /dev/null +++ b/service/pixelated/extensions/incoming_decrypt_header.py @@ -0,0 +1,35 @@ +import leap.mail.imap.fetch as fetch + + +def mark_as_encrypted_inline(f): + + def w(*args, **kwargs): + msg, valid_sign = f(*args) + is_encrypted = fetch.PGP_BEGIN in args[1].as_string() and fetch.PGP_END in args[1].as_string() + decrypted_successfully = fetch.PGP_BEGIN not in msg.as_string() and fetch.PGP_END not in msg.as_string() + + if not is_encrypted: + encrypted = 'false' + else: + if decrypted_successfully: + encrypted = 'true' + else: + encrypted = 'fail' + + msg.add_header('X-Pixelated-encryption-status', encrypted) + return msg, valid_sign + + return w + + +def mark_as_encrypted_multipart(f): + + def w(*args, **kwargs): + msg, valid_sign = f(*args) + msg.add_header('X-Pixelated-encryption-status', 'true') + return msg, valid_sign + return w + + +fetch.LeapIncomingMail._maybe_decrypt_inline_encrypted_msg = mark_as_encrypted_inline(fetch.LeapIncomingMail._maybe_decrypt_inline_encrypted_msg) +fetch.LeapIncomingMail._decrypt_multipart_encrypted_msg = mark_as_encrypted_multipart(fetch.LeapIncomingMail._decrypt_multipart_encrypted_msg) diff --git a/service/pixelated/extensions/keymanager_fetch_key.py b/service/pixelated/extensions/keymanager_fetch_key.py new file mode 100644 index 00000000..d39d1f96 --- /dev/null +++ b/service/pixelated/extensions/keymanager_fetch_key.py @@ -0,0 +1,60 @@ +# +# Copyright (c) 2014 ThoughtWorks, Inc. +# +# Pixelated is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Pixelated is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with Pixelated. If not, see . +import leap.keymanager +import requests +import logging +from leap.keymanager.errors import KeyNotFound +from leap.keymanager.openpgp import OpenPGPKey + + +logger = logging.getLogger(__name__) + + +def patched_fetch_keys_from_server(self, address): + """ + Fetch keys bound to C{address} from nickserver and insert them in + local database. + + Instead of raising a KeyNotFound only for 404 responses, this implementation + raises a KeyNotFound exception for all problems. + + For original see: https://github.com/leapcode/keymanager/blob/develop/src/leap/keymanager/__init__.py + + :param address: The address bound to the keys. + :type address: str + + :raise KeyNotFound: If the key was not found on nickserver. + """ + # request keys from the nickserver + res = None + try: + res = self._get(self._nickserver_uri, {'address': address}) + res.raise_for_status() + server_keys = res.json() + # insert keys in local database + if self.OPENPGP_KEY in server_keys: + self._wrapper_map[OpenPGPKey].put_ascii_key( + server_keys['openpgp']) + except requests.exceptions.HTTPError as e: + logger.warning("HTTP error retrieving key: %r" % (e,)) + logger.warning("%s" % (res.content,)) + raise KeyNotFound(address) + except Exception as e: + logger.warning("Error retrieving key: %r" % (e,)) + raise KeyNotFound(address) + + +leap.keymanager.KeyManager._fetch_keys_from_server = patched_fetch_keys_from_server diff --git a/service/pixelated/extensions/protobuf_socket.py b/service/pixelated/extensions/protobuf_socket.py new file mode 100644 index 00000000..548f5fd6 --- /dev/null +++ b/service/pixelated/extensions/protobuf_socket.py @@ -0,0 +1,37 @@ +# +# Copyright (c) 2014 ThoughtWorks, Inc. +# +# Pixelated is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Pixelated is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with Pixelated. If not, see . + +from __future__ import print_function +from sys import platform as _platform + +import protobuf.socketrpc.server + +# protobuf throws a lot of 'Socket is not connected' exceptions on OSX but they are not an issue. +# refer too https://code.google.com/p/protobuf-socket-rpc/issues/detail?id=10 and +# or https://leap.se/code/issues/2187 +if _platform == 'darwin': + def try_except_decorator(func): + def wrapper(*args, **kwargs): + try: + func(*args, **kwargs) + pass + except: + pass + + return wrapper + + protobuf.socketrpc.server.SocketHandler.handle = try_except_decorator( + protobuf.socketrpc.server.SocketHandler.handle) diff --git a/service/pixelated/extensions/requests_urllib3.py b/service/pixelated/extensions/requests_urllib3.py new file mode 100644 index 00000000..c4ec2438 --- /dev/null +++ b/service/pixelated/extensions/requests_urllib3.py @@ -0,0 +1,82 @@ +# +# Copyright (c) 2014 ThoughtWorks, Inc. +# +# Pixelated is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Pixelated is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with Pixelated. If not, see . + +import requests + + +if requests.__version__ == '2.0.0': + try: + import requests.packages.urllib3.connectionpool + from socket import error as SocketError, timeout as SocketTimeout + from requests.packages.urllib3.packages.ssl_match_hostname import CertificateError, match_hostname + import socket + import ssl + + from requests.packages.urllib3.exceptions import ( + ClosedPoolError, + ConnectTimeoutError, + EmptyPoolError, + HostChangedError, + MaxRetryError, + SSLError, + ReadTimeoutError, + ProxyError, + ) + + from requests.packages.urllib3.util import ( + assert_fingerprint, + get_host, + is_connection_dropped, + resolve_cert_reqs, + resolve_ssl_version, + ssl_wrap_socket, + Timeout, + ) + + def patched_connect(self): + # Add certificate verification + try: + sock = socket.create_connection(address=(self.host, self.port), timeout=self.timeout) + except SocketTimeout: + raise ConnectTimeoutError(self, "Connection to %s timed out. (connect timeout=%s)" % (self.host, self.timeout)) + + resolved_cert_reqs = resolve_cert_reqs(self.cert_reqs) + resolved_ssl_version = resolve_ssl_version(self.ssl_version) + + if self._tunnel_host: + self.sock = sock + # Calls self._set_hostport(), so self.host is + # self._tunnel_host below. + self._tunnel() + + # Wrap socket using verification with the root certs in + # trusted_root_certs + self.sock = ssl_wrap_socket(sock, self.key_file, self.cert_file, + cert_reqs=resolved_cert_reqs, + ca_certs=self.ca_certs, + server_hostname=self.host, + ssl_version=resolved_ssl_version) + + if self.assert_fingerprint: + assert_fingerprint(self.sock.getpeercert(binary_form=True), + self.assert_fingerprint) + elif resolved_cert_reqs != ssl.CERT_NONE and self.assert_hostname is not False: + match_hostname(self.sock.getpeercert(), + self.assert_hostname or self.host) + + requests.packages.urllib3.connectionpool.VerifiedHTTPSConnection.connect = patched_connect + except ImportError: + pass # The patch is specific for the debian package. Ignore it if it can't be found diff --git a/service/pixelated/extensions/shared_db.py b/service/pixelated/extensions/shared_db.py new file mode 100644 index 00000000..3e8a978e --- /dev/null +++ b/service/pixelated/extensions/shared_db.py @@ -0,0 +1,16 @@ +from leap.soledad.client.auth import TokenBasedAuth +import base64 +from u1db import errors + + +def patched_sign_request(self, method, url_query, params): + if 'token' in self._creds: + uuid, token = self._creds['token'] + auth = '%s:%s' % (uuid, token) + return [('Authorization', 'Token %s' % base64.b64encode(auth))] + else: + raise errors.UnknownAuthMethod( + 'Wrong credentials: %s' % self._creds) + + +TokenBasedAuth._sign_request = patched_sign_request diff --git a/service/pixelated/extensions/soledad_sync_exception.py b/service/pixelated/extensions/soledad_sync_exception.py new file mode 100644 index 00000000..cb3204ad --- /dev/null +++ b/service/pixelated/extensions/soledad_sync_exception.py @@ -0,0 +1,22 @@ +import leap.soledad.client as client +import urlparse +from leap.soledad.client.events import ( + SOLEDAD_DONE_DATA_SYNC, + signal +) + + +def patched_sync(self, defer_decryption=True): + if self._db: + try: + local_gen = self._db.sync( + urlparse.urljoin(self.server_url, 'user-%s' % self._uuid), + creds=self._creds, autocreate=False, + defer_decryption=defer_decryption) + signal(SOLEDAD_DONE_DATA_SYNC, self._uuid) + return local_gen + except Exception as e: + client.logger.error("Soledad exception when syncing: %s - %s" % (e.__class__.__name__, e.message)) + + +client.Soledad.sync = patched_sync diff --git a/service/pixelated/extensions/sqlcipher_wal.py b/service/pixelated/extensions/sqlcipher_wal.py new file mode 100644 index 00000000..776087bf --- /dev/null +++ b/service/pixelated/extensions/sqlcipher_wal.py @@ -0,0 +1,24 @@ +# +# Copyright (c) 2014 ThoughtWorks, Inc. +# +# Pixelated is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Pixelated is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with Pixelated. If not, see . + +from sys import platform as _platform + +import leap.soledad.client.sqlcipher + +# WAL is breaking for the debian sqlcipher package so we need to disable it +# refer to https://leap.se/code/issues/5562 +if _platform == 'linux2': + leap.soledad.client.sqlcipher.SQLCipherDatabase._pragma_write_ahead_logging = lambda x, y: None -- cgit v1.2.3