summaryrefslogtreecommitdiff
path: root/service/pixelated/application.py
blob: ad13e7b608e1d4349eac76b7f16778710c76d9bf (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
#
# Copyright (c) 2015 ThoughtWorks, Inc.
#
# Pixelated is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Pixelated is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.

import os

from OpenSSL import SSL
from OpenSSL import crypto
from leap.common.events import (server as events_server,
                                register, catalog as events)
from leap.soledad.common.errors import InvalidAuthTokenError
from twisted.logger import Logger
from twisted.conch import manhole_tap
from twisted.cred import portal
from twisted.cred.checkers import AllowAnonymousAccess, FilePasswordDB
from twisted.internet import defer
from twisted.internet import reactor
from twisted.internet import ssl
from twisted.internet.task import LoopingCall
from twisted.plugin import getPlugins

from pixelated.adapter.welcome_mail import add_welcome_mail
from pixelated.config import arguments
from pixelated.config import logger
from pixelated.config import services
from pixelated.config.leap import initialize_leap_single_user, init_monkeypatches, initialize_leap_provider
from pixelated.config.services import ServicesFactory, SingleUserServicesFactory
from pixelated.config.site import PixelatedSite
from pixelated.resources.auth import LeapPasswordChecker, PixelatedRealm, PixelatedAuthSessionWrapper, SessionChecker
from pixelated.resources.login_resource import LoginResource
from pixelated.resources.root_resource import RootResource
from pixelated.support.loglinegenerator import ILogLineGenerator

log = Logger()


class UserAgentMode(object):
    def __init__(self, is_single_user):
        self.is_single_user = is_single_user


@defer.inlineCallbacks
def start_user_agent_in_single_user_mode(root_resource, services_factory, leap_home, leap_session):
    log.info('Bootstrap done, loading services for user %s' % leap_session.user_auth.username)

    _services = services.Services(leap_session)
    yield _services.setup()

    if leap_session.fresh_account:
        yield add_welcome_mail(leap_session.mail_store)

    services_factory.add_session(leap_session.user_auth.uuid, _services)

    root_resource.initialize()

    # soledad needs lots of threads
    reactor.getThreadPool().adjustPoolsize(5, 15)
    log.info('Done, the user agent is ready to be used')


def _ssl_options(sslkey, sslcert):
    with open(sslkey) as keyfile:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, keyfile.read())
    with open(sslcert) as certfile:
        cert = crypto.load_certificate(crypto.FILETYPE_PEM, certfile.read())

    acceptable = ssl.AcceptableCiphers.fromOpenSSLCipherString(
        u'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH')
    options = ssl.CertificateOptions(privateKey=pkey,
                                     certificate=cert,
                                     method=SSL.TLSv1_2_METHOD,
                                     acceptableCiphers=acceptable)
    return options


def _create_service_factory(args):
    if args.single_user:
        return SingleUserServicesFactory(UserAgentMode(is_single_user=True))
    else:
        return ServicesFactory(UserAgentMode(is_single_user=False))


def initialize():
    log.info('Starting the Pixelated user agent')
    args = arguments.parse_user_agent_args()
    logger.init(debug=args.debug)
    services_factory = _create_service_factory(args)
    resource = RootResource(services_factory)

    def start():
        start_async = _start_mode(args, resource, services_factory)
        add_top_level_system_callbacks(start_async, services_factory)

    log.info('Running the reactor')
    reactor.callWhenRunning(start)
    reactor.run()


def start_plugins():
    log.info('start_plugins')

    def logGeneratedLines():
        for p in getPlugins(ILogLineGenerator):
            logLine = p.getLogLine()
            if logLine is not None:
                log.debug(logLine)

    LoopingCall(logGeneratedLines).start(1)


def add_top_level_system_callbacks(deferred, services_factory):

    def _quit_on_error(failure):
        failure.printTraceback()
        reactor.stop()

    def _log_user_out(event, user_data):
        log.info('Invalid soledad token, logging out %s' % user_data)
        user_data = {'user_id': user_data['uuid']} if 'uuid' in user_data else {'user_id': user_data, 'using_email': True}
        services_factory.destroy_session(**user_data)

    def _log_user_out_on_token_expire(leap_session):
        register(events.SOLEDAD_INVALID_AUTH_TOKEN, _log_user_out)
        return leap_session

    deferred.addCallback(_log_user_out_on_token_expire)
    deferred.addErrback(_quit_on_error)


def _start_mode(args, resource, services_factory):
    log.debug('_start_mode')
    if services_factory.mode.is_single_user:
        deferred = _start_in_single_user_mode(args, resource, services_factory)
    else:
        deferred = _start_in_multi_user_mode(args, resource, services_factory)
    return deferred


def _start_in_multi_user_mode(args, root_resource, services_factory):
    try:
        protected_resources = _setup_multi_user(args, root_resource, services_factory)
        start_site(args, protected_resources)
        reactor.getThreadPool().adjustPoolsize(5, 15)
        return defer.succeed(None)
    except Exception as e:
        return defer.fail(e)


def _setup_multi_user(args, root_resource, services_factory):
    if args.provider is None:
        raise ValueError('Multi-user mode: provider name is required')
    init_monkeypatches()
    events_server.ensure_server()
    provider = initialize_leap_provider(args.provider, args.leap_provider_cert, args.leap_provider_cert_fingerprint, args.leap_home)
    protected_resource = set_up_protected_resources(root_resource, provider, services_factory, banner=args.banner)
    return protected_resource


def set_up_protected_resources(root_resource, provider, services_factory, checker=None, banner=None):
    if not checker:
        checker = LeapPasswordChecker(provider)
    session_checker = SessionChecker(services_factory)

    realm = PixelatedRealm()
    _portal = portal.Portal(realm, [checker, session_checker, AllowAnonymousAccess()])

    anonymous_resource = LoginResource(services_factory, _portal, disclaimer_banner=banner)
    protected_resource = PixelatedAuthSessionWrapper(_portal, root_resource, anonymous_resource, [])
    root_resource.initialize(_portal, disclaimer_banner=banner)
    return protected_resource


def _start_in_single_user_mode(args, resource, services_factory):
    start_site(args, resource)
    deferred = initialize_leap_single_user(args.leap_provider_cert,
                                           args.leap_provider_cert_fingerprint,
                                           args.credentials_file,
                                           args.leap_home)

    def _handle_error(exception):
        if(exception.type is InvalidAuthTokenError):
            log.critical('Got an invalid soledad token, the user agent can\'t synchronize data, exiting')
            os._exit(1)
        else:
            exception.raiseException()

    deferred.addCallbacks(
        lambda leap_session: start_user_agent_in_single_user_mode(
            resource,
            services_factory,
            args.leap_home,
            leap_session), _handle_error)
    return deferred


def start_site(config, resource):
    log.info('Starting the API on port %s' % config.port)

    if config.manhole:
        log.info('Starting the manhole on port 8008')

        start_plugins()

        multiService = manhole_tap.makeService(dict(namespace=globals(),
                                                    telnetPort='8008',
                                                    sshPort='8009',
                                                    sshKeyDir='sshKeyDir',
                                                    sshKeyName='id_rsa',
                                                    sshKeySize=4096,
                                                    passwd='passwd'))
        telnetService, sshService = multiService.services
        telnetFactory = telnetService.factory
        sshFactory = sshService.factory

        reactor.listenTCP(8008, telnetFactory, interface='localhost')
        reactor.listenTCP(8009, sshFactory, interface='localhost')

    if config.sslkey and config.sslcert:
        reactor.listenSSL(config.port, PixelatedSite(resource), _ssl_options(config.sslkey, config.sslcert),
                          interface=config.host)
    else:
        reactor.listenTCP(config.port, PixelatedSite(resource), interface=config.host)