Diffstat (limited to 'src/leap')
-rw-r--r-- | src/leap/soledad/server/_config.py | 2 | ||||
-rw-r--r-- | src/leap/soledad/server/_resource.py | 4 | ||||
-rw-r--r-- | src/leap/soledad/server/auth.py | 32 | ||||
-rw-r--r-- | src/leap/soledad/server/entrypoints.py (renamed from src/leap/soledad/server/entrypoint.py) | 6 | ||||
-rw-r--r-- | src/leap/soledad/server/server.tac | 14 |
5 files changed, 34 insertions, 24 deletions
diff --git a/src/leap/soledad/server/_config.py b/src/leap/soledad/server/_config.py
index 3f3d7640..12c286f5 100644
--- a/src/leap/soledad/server/_config.py
+++ b/src/leap/soledad/server/_config.py
@@ -31,7 +31,7 @@ CONFIG_DEFAULTS = {
 'batching': True,
 'blobs': False,
 'blobs_path': '/srv/leap/soledad/blobs',
- 'services_tokens_file': '/dev/null',
+ 'services_tokens_file': '/etc/soledad/incoming.tokens',
 },
 'database-security': {
 'members': ['soledad'],
diff --git a/src/leap/soledad/server/_resource.py b/src/leap/soledad/server/_resource.py
index a9f854b6..7b326fef 100644
--- a/src/leap/soledad/server/_resource.py
+++ b/src/leap/soledad/server/_resource.py
@@ -24,7 +24,7 @@ from ._incoming import IncomingResource
 from ._wsgi import get_sync_resource
-__all__ = ['SoledadResource', 'SoledadAnonResource']
+__all__ = ['PublicResource', 'SoledadAnonResource']
 class _Robots(Resource):
@@ -60,7 +60,7 @@ class LocalResource(Resource):
 self.putChild('incoming', IncomingResource())
-class SoledadResource(Resource):
+class PublicResource(Resource):
 """
 This is a dummy twisted resource, used only to allow different entry points for the Soledad Server.
diff --git a/src/leap/soledad/server/auth.py b/src/leap/soledad/server/auth.py
index 4dbe9a6d..89626ead 100644
--- a/src/leap/soledad/server/auth.py
+++ b/src/leap/soledad/server/auth.py
@@ -17,6 +17,7 @@
 """
 Twisted http token auth.
 """
+import os
 import binascii
 import time
@@ -38,7 +39,7 @@ from twisted.web.resource import IResource
 from leap.soledad.common.couch import couch_server
-from ._resource import SoledadResource, SoledadAnonResource
+from ._resource import PublicResource, SoledadAnonResource
 from ._resource import LocalResource
 from ._blobs import BlobsResource
 from ._config import get_config
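Review bot: The new default `'services_tokens_file': '/etc/soledad/incoming.tokens'` points at a file of shared secrets, but CONFIG_DEFAULTS gives the operator no hint of what goes in it, and elsewhere in this commit FileTokenChecker._reload_tokens only warns when the path is absent, so a path typo in a deployment silently leaves the local-services portal with an empty token table. A comment above the key would make that contract visible where the default lives, e.g. `# service tokens for the local-services port, parsed by FileTokenChecker._reload_tokens in auth.py; optional at startup (missing file => no service can authenticate); keep it readable by the soledad user only`. The exact line format is parsed outside this hunk, so word that part to match _reload_tokens.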
@@ -59,7 +60,7 @@ class SoledadRealm(object):
 conf['blobs_path']) if blobs else None
 self.anon_resource = SoledadAnonResource(
 enable_blobs=blobs)
- self.auth_resource = SoledadResource(
+ self.auth_resource = PublicResource(
 blobs_resource=blobs_resource,
 sync_pool=sync_pool)
@@ -81,9 +82,8 @@ class SoledadRealm(object):
 @implementer(IRealm)
 class LocalServicesRealm(object):
- def __init__(self, conf=None):
- if conf is None:
- conf = get_config()
+ def __init__(self):
+ conf = get_config()
 self.anon_resource = SoledadAnonResource(
 enable_blobs=conf['blobs'])
 self.auth_resource = LocalResource()
@@ -108,12 +108,16 @@ class FileTokenChecker(object):
 credentialInterfaces = [IUsernamePassword, IAnonymous]
 def __init__(self, conf=None):
+ # conf parameter is only used during tests
 conf = conf or get_config()
 self._trusted_services_tokens = {}
 self._tokens_file_path = conf['services_tokens_file']
 self._reload_tokens()
 def _reload_tokens(self):
+ if not os.path.isfile(self._tokens_file_path):
+ log.warn("No local token auth file at %s" % self._tokens_file_path)
+ return
 with open(self._tokens_file_path) as tokens_file:
 for line in tokens_file.readlines():
 line = line.strip()
@@ -128,6 +132,7 @@ class FileTokenChecker(object):
 service = credentials.username
 token = credentials.password
+ # TODO: Use constant time comparison
 if self._trusted_services_tokens[service] != token:
 return defer.fail(error.UnauthorizedLogin())
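Review bot: `LocalServicesRealm.__init__(self)` drops the `conf` override while `FileTokenChecker.__init__` in the same file keeps `conf=None` and gains the comment that it exists for tests; the two local-services classes now disagree on how configuration is injected, which makes the realm harder to unit-test without patching get_config. Either keep `def __init__(self, conf=None):` / `conf = conf or get_config()` here for symmetry, or state in a one-line comment why the realm must always read the live config.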
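Review bot: The new `os.path.isfile` guard in `_reload_tokens` downgrades a missing token file to a warning, but a file that exists and is unreadable (wrong owner or mode, the likely failure for a secrets file under /etc) still raises a bare IOError out of `__init__` and hence out of `localPortal()`, so the two deployment mistakes get very different behaviour. Opening the file and catching the error covers both cases with one log line that names the path and the reason, and the method should document that an empty table makes every file-token login fail closed; the per-line parsing below the `with` is unchanged.
```python
    def _reload_tokens(self):
        """Load service tokens from the configured file.

        A missing or unreadable file leaves the table empty, so every
        file-token login on the local-services port fails closed.
        """
        try:
            tokens_file = open(self._tokens_file_path)
        except (IOError, OSError) as e:
            log.warn("Cannot read local token auth file %s: %s"
                     % (self._tokens_file_path, e))
            return
        with tokens_file:
            # … unchanged: per-line parsing of service tokens …
```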
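Review bot: The line the new TODO flags, `if self._trusted_services_tokens[service] != token:`, has two problems in one: the comparison is not constant-time, and it indexes the table with the caller-supplied service name, so — unless a membership check precedes the hunk (requestAvatarId starts outside it) — an unknown service raises KeyError instead of yielding `UnauthorizedLogin`, which matters more now that `_reload_tokens` may leave the table empty. The stdlib already provides the constant-time compare: `expected = self._trusted_services_tokens.get(service)` / `if expected is None or not hmac.compare_digest(expected, token):` / `return defer.fail(error.UnauthorizedLogin())`, with `import hmac` added beside the `import os` this commit introduces. `hmac.compare_digest` requires both operands to be the same type (both str or both bytes); the hunk does not show what `credentials.password` is, so confirm before switching.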
@@ -221,16 +226,17 @@ class TokenCredentialFactory(object):
 raise error.LoginFailed('Invalid credentials')
-def portalFactory(public=True, sync_pool=None):
+def publicPortal(sync_pool):
 database_checker = CouchDBTokenChecker()
+ realm = SoledadRealm(sync_pool=sync_pool)
+ auth_checkers = [database_checker]
+ return Portal(realm, auth_checkers)
+
+
+def localPortal():
 file_checker = FileTokenChecker()
- if public:
- assert sync_pool
- realm = SoledadRealm(sync_pool=sync_pool)
- auth_checkers = [database_checker]
- else:
- realm = LocalServicesRealm()
- auth_checkers = [file_checker, database_checker]
+ realm = LocalServicesRealm()
+ auth_checkers = [file_checker]
 return Portal(realm, auth_checkers)
diff --git a/src/leap/soledad/server/entrypoint.py b/src/leap/soledad/server/entrypoints.py
index 7115007b..ff2f333a 100644
--- a/src/leap/soledad/server/entrypoint.py
+++ b/src/leap/soledad/server/entrypoints.py
@@ -24,7 +24,7 @@ or the systemd script.
 from twisted.internet import reactor
 from twisted.python import threadpool
-from .auth import portalFactory
+from .auth import localPortal, publicPortal
 from .session import SoledadSession
 from ._config import get_config
 from ._wsgi import init_couch_state
@@ -40,14 +40,14 @@ class SoledadEntrypoint(SoledadSession):
 pool = threadpool.ThreadPool(name='wsgi')
 reactor.callWhenRunning(pool.start)
 reactor.addSystemEventTrigger('after', 'shutdown', pool.stop)
- portal = portalFactory(public=True, sync_pool=pool)
+ portal = publicPortal(sync_pool=pool)
 SoledadSession.__init__(self, portal)
 class LocalServicesEntrypoint(SoledadSession):
 def __init__(self):
- portal = portalFactory(public=False)
+ portal = localPortal()
 SoledadSession.__init__(self, portal)
 # see the comments in application.py recarding why couch state has to be
diff --git a/src/leap/soledad/server/server.tac b/src/leap/soledad/server/server.tac
index b443e632..1a4e53ee 100644
--- a/src/leap/soledad/server/server.tac
+++ b/src/leap/soledad/server/server.tac
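Review bot: `publicPortal` and `localPortal` carry no docstring, yet they are where the trust split of this commit is decided: the public portal now accepts only CouchDB tokens and the local portal only file tokens, whereas the old local path also accepted database tokens. A docstring on each stating which checker set it installs and which listener is expected to use it (publicPortal for the TLS public port, localPortal for the 127.0.0.1 local-services port per server.tac) would stop a future "just add the database checker back" from silently widening who can reach the local resources. `publicPortal(sync_pool)` also drops the old `assert sync_pool`; if SoledadRealm cannot work without a pool, say so in the docstring or raise `ValueError` explicitly rather than letting `None` flow through.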
@@ -5,14 +5,14 @@ from twisted.application import service, strports
 from twisted.web import server
 from twisted.python import log
-from leap.soledad.server import entrypoint
+from leap.soledad.server import entrypoints
 application = service.Application('soledad-server')
 # local entrypoint
-local_port = os.getenv('LOCAL_SERVICES_PORT', 2323)
+local_port = os.getenv('LOCAL_SERVICES_PORT', 2525)
 local_description = 'tcp:%s:interface=127.0.0.1' % local_port
-local_site = server.Site(entrypoint.LocalServicesEntrypoint())
+local_site = server.Site(entrypoints.LocalServicesEntrypoint())
 local_server = strports.service(local_description, local_site)
 local_server.setServiceParent(application)
@@ -33,9 +33,13 @@ if port:
 'privateKey=' + privateKey, 'certKey=' + certKey, 'sslmethod=' + sslmethod])
-else:
+elif os.getenv('DEBUG_SERVER', False):
 public_description = 'tcp:port=2424:interface=0.0.0.0'
-public_site = server.Site(entrypoint.SoledadEntrypoint())
+else:
+ log.err("HTTPS_PORT env var is required to be set!")
+ sys.exit(20)
+
+public_site = server.Site(entrypoints.SoledadEntrypoint())
 public_server = strports.service(public_description, public_site)
 public_server.setServiceParent(application)
|
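Review bot: `elif os.getenv('DEBUG_SERVER', False):` treats any non-empty value as enabled, so `DEBUG_SERVER=0` or `DEBUG_SERVER=false` still starts the cleartext listener on `0.0.0.0:2424` that the following context line keeps; since this is the switch between TLS and plaintext for the public port it should accept only explicit values, e.g. `elif os.getenv('DEBUG_SERVER', '').lower() in ('1', 'true', 'yes'):`, and the branch should log that a cleartext debug listener is being opened on all interfaces. `sys.exit(20)` needs `import sys` near the top of server.tac, which neither hunk shows (only `os` is visibly used), so confirm it is there or the error path itself raises NameError. `log.err` with a plain string is accepted but recorded via `repr()`; `log.msg("HTTPS_PORT env var is required to be set!", isError=True)` gives a cleaner line.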