Diffstat (limited to 'src')
-rw-r--r--src/leap/soledad/server/_config.py2
-rw-r--r--src/leap/soledad/server/_resource.py4
-rw-r--r--src/leap/soledad/server/auth.py32
-rw-r--r--src/leap/soledad/server/entrypoints.py (renamed from src/leap/soledad/server/entrypoint.py)6
-rw-r--r--src/leap/soledad/server/server.tac14
5 files changed, 34 insertions, 24 deletions
diff --git a/src/leap/soledad/server/_config.py b/src/leap/soledad/server/_config.py
index 3f3d7640..12c286f5 100644
--- a/src/leap/soledad/server/_config.py
+++ b/src/leap/soledad/server/_config.py
@@ -31,7 +31,7 @@ CONFIG_DEFAULTS = {
'batching': True,
'blobs': False,
'blobs_path': '/srv/leap/soledad/blobs',
- 'services_tokens_file': '/dev/null',
+ 'services_tokens_file': '/etc/soledad/incoming.tokens',
},
'database-security': {
'members': ['soledad'],
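Review bot: The new default `/etc/soledad/incoming.tokens` points at a file of shared secrets, yet nothing next to the entry says what goes in it or who may read it. I would add a comment on the new line, e.g. `# local-services auth tokens; format is parsed by FileTokenChecker._reload_tokens in auth.py; keep the file readable by the server user only`. Since FileTokenChecker now tolerates a missing file (see the auth.py hunk in this commit), a deployment that forgets to create it will only see a warning in the log, so the comment is the one place an operator will learn the file is expected.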
diff --git a/src/leap/soledad/server/_resource.py b/src/leap/soledad/server/_resource.py
index a9f854b6..7b326fef 100644
--- a/src/leap/soledad/server/_resource.py
+++ b/src/leap/soledad/server/_resource.py
@@ -24,7 +24,7 @@ from ._incoming import IncomingResource
from ._wsgi import get_sync_resource
-__all__ = ['SoledadResource', 'SoledadAnonResource']
+__all__ = ['PublicResource', 'SoledadAnonResource']
class _Robots(Resource):
@@ -60,7 +60,7 @@ class LocalResource(Resource):
self.putChild('incoming', IncomingResource())
-class SoledadResource(Resource):
+class PublicResource(Resource):
"""
This is a dummy twisted resource, used only to allow different entry points
for the Soledad Server.
diff --git a/src/leap/soledad/server/auth.py b/src/leap/soledad/server/auth.py
index 4dbe9a6d..89626ead 100644
--- a/src/leap/soledad/server/auth.py
+++ b/src/leap/soledad/server/auth.py
@@ -17,6 +17,7 @@
"""
Twisted http token auth.
"""
+import os
import binascii
import time
@@ -38,7 +39,7 @@ from twisted.web.resource import IResource
from leap.soledad.common.couch import couch_server
-from ._resource import SoledadResource, SoledadAnonResource
+from ._resource import PublicResource, SoledadAnonResource
from ._resource import LocalResource
from ._blobs import BlobsResource
from ._config import get_config
@@ -59,7 +60,7 @@ class SoledadRealm(object):
conf['blobs_path']) if blobs else None
self.anon_resource = SoledadAnonResource(
enable_blobs=blobs)
- self.auth_resource = SoledadResource(
+ self.auth_resource = PublicResource(
blobs_resource=blobs_resource,
sync_pool=sync_pool)
@@ -81,9 +82,8 @@ class SoledadRealm(object):
@implementer(IRealm)
class LocalServicesRealm(object):
- def __init__(self, conf=None):
- if conf is None:
- conf = get_config()
+ def __init__(self):
+ conf = get_config()
self.anon_resource = SoledadAnonResource(
enable_blobs=conf['blobs'])
self.auth_resource = LocalResource()
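Review bot: Dropping the `conf` parameter from `LocalServicesRealm.__init__` is inconsistent with `FileTokenChecker.__init__` in the same file, which this commit keeps with `conf=None` and annotates as a test hook. Either both classes accept an injectable config or neither should; if the test hook is wanted, keep `def __init__(self, conf=None):` followed by `conf = conf or get_config()` here as well. The class body continues past the hunk.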
@@ -108,12 +108,16 @@ class FileTokenChecker(object):
credentialInterfaces = [IUsernamePassword, IAnonymous]
def __init__(self, conf=None):
+ # conf parameter is only used during tests
conf = conf or get_config()
self._trusted_services_tokens = {}
self._tokens_file_path = conf['services_tokens_file']
self._reload_tokens()
def _reload_tokens(self):
+ if not os.path.isfile(self._tokens_file_path):
+ log.warn("No local token auth file at %s" % self._tokens_file_path)
+ return
with open(self._tokens_file_path) as tokens_file:
for line in tokens_file.readlines():
line = line.strip()
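Review bot: The `os.path.isfile` guard in `_reload_tokens` only covers the missing-file case: a file that exists but is unreadable (wrong owner or mode, which is exactly what a secrets file tends to have) still raises from `open` on the next line and takes the checker's constructor down with it, and the check-then-open pair also races with the file being replaced. Catching `IOError` around the `open` handles both cases with one warning path and lets the loop read the file object directly instead of via `readlines()`. The method body continues past the hunk, so the per-line parsing is elided below.
```python
    def _reload_tokens(self):
        try:
            tokens_file = open(self._tokens_file_path)
        except IOError as e:
            log.warn("Cannot read local token auth file at %s: %s"
                     % (self._tokens_file_path, e))
            return
        with tokens_file:
            for line in tokens_file:
                line = line.strip()
                # ... unchanged: per-line token parsing ...
```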
@@ -128,6 +132,7 @@ class FileTokenChecker(object):
service = credentials.username
token = credentials.password
+ # TODO: Use constant time comparison
if self._trusted_services_tokens[service] != token:
return defer.fail(error.UnauthorizedLogin())
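Review bot: `self._trusted_services_tokens[service]` raises `KeyError` for any service name not present in the file, and after this commit's change to `_reload_tokens` that is every name when the file is absent, so an unknown client produces an unhandled exception instead of the `UnauthorizedLogin` the next line intends. The added TODO can be closed at the same time with the standard library: `expected = self._trusted_services_tokens.get(service)` / `if expected is None or not hmac.compare_digest(expected, token):` / `return defer.fail(error.UnauthorizedLogin())`, with `import hmac` added next to the `import os` this commit introduces. `compare_digest` requires both operands to be the same string type; I cannot see from the hunk whether `credentials.password` and the parsed file values are both text or both bytes, so confirm that before switching. The enclosing method starts outside the hunk.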
@@ -221,16 +226,17 @@ class TokenCredentialFactory(object):
raise error.LoginFailed('Invalid credentials')
-def portalFactory(public=True, sync_pool=None):
+def publicPortal(sync_pool):
database_checker = CouchDBTokenChecker()
+ realm = SoledadRealm(sync_pool=sync_pool)
+ auth_checkers = [database_checker]
+ return Portal(realm, auth_checkers)
+
+
+def localPortal():
file_checker = FileTokenChecker()
- if public:
- assert sync_pool
- realm = SoledadRealm(sync_pool=sync_pool)
- auth_checkers = [database_checker]
- else:
- realm = LocalServicesRealm()
- auth_checkers = [file_checker, database_checker]
+ realm = LocalServicesRealm()
+ auth_checkers = [file_checker]
return Portal(realm, auth_checkers)
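Review bot: `publicPortal` drops the `assert sync_pool` that `portalFactory` had, so a `None` pool now flows into `SoledadRealm` with no early diagnosis; an assert was the wrong tool anyway (stripped under `-O`), so replace it with `if sync_pool is None:` / `    raise ValueError('publicPortal requires a sync_pool')` at the top of the function. Both new functions also lack docstrings; a one-liner each, stating that `publicPortal` uses only `CouchDBTokenChecker` and `localPortal` only `FileTokenChecker`, would record the split in authentication backends this commit makes.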
diff --git a/src/leap/soledad/server/entrypoint.py b/src/leap/soledad/server/entrypoints.py
index 7115007b..ff2f333a 100644
--- a/src/leap/soledad/server/entrypoint.py
+++ b/src/leap/soledad/server/entrypoints.py
@@ -24,7 +24,7 @@ or the systemd script.
from twisted.internet import reactor
from twisted.python import threadpool
-from .auth import portalFactory
+from .auth import localPortal, publicPortal
from .session import SoledadSession
from ._config import get_config
from ._wsgi import init_couch_state
@@ -40,14 +40,14 @@ class SoledadEntrypoint(SoledadSession):
pool = threadpool.ThreadPool(name='wsgi')
reactor.callWhenRunning(pool.start)
reactor.addSystemEventTrigger('after', 'shutdown', pool.stop)
- portal = portalFactory(public=True, sync_pool=pool)
+ portal = publicPortal(sync_pool=pool)
SoledadSession.__init__(self, portal)
class LocalServicesEntrypoint(SoledadSession):
def __init__(self):
- portal = portalFactory(public=False)
+ portal = localPortal()
SoledadSession.__init__(self, portal)
# see the comments in application.py recarding why couch state has to be
diff --git a/src/leap/soledad/server/server.tac b/src/leap/soledad/server/server.tac
index b443e632..1a4e53ee 100644
--- a/src/leap/soledad/server/server.tac
+++ b/src/leap/soledad/server/server.tac
@@ -5,14 +5,14 @@ from twisted.application import service, strports
from twisted.web import server
from twisted.python import log
-from leap.soledad.server import entrypoint
+from leap.soledad.server import entrypoints
application = service.Application('soledad-server')
# local entrypoint
-local_port = os.getenv('LOCAL_SERVICES_PORT', 2323)
+local_port = os.getenv('LOCAL_SERVICES_PORT', 2525)
local_description = 'tcp:%s:interface=127.0.0.1' % local_port
-local_site = server.Site(entrypoint.LocalServicesEntrypoint())
+local_site = server.Site(entrypoints.LocalServicesEntrypoint())
local_server = strports.service(local_description, local_site)
local_server.setServiceParent(application)
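Review bot: The default local port changes from 2323 to 2525 with no comment explaining the move, and nothing else in the diffstat shows a matching update elsewhere (I can't tell from this page whether other components pin the old value). A short comment on the changed line, e.g. `# default must match the port local services are configured to call`, would help operators who set nothing in the environment and wonder why the listener moved.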
@@ -33,9 +33,13 @@ if port:
'privateKey=' + privateKey,
'certKey=' + certKey,
'sslmethod=' + sslmethod])
-else:
+elif os.getenv('DEBUG_SERVER', False):
public_description = 'tcp:port=2424:interface=0.0.0.0'
-public_site = server.Site(entrypoint.SoledadEntrypoint())
+else:
+ log.err("HTTPS_PORT env var is required to be set!")
+ sys.exit(20)
+
+public_site = server.Site(entrypoints.SoledadEntrypoint())
public_server = strports.service(public_description, public_site)
public_server.setServiceParent(application)
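Review bot: `os.getenv('DEBUG_SERVER', False)` is truthy for any non-empty string, so `DEBUG_SERVER=0` or `DEBUG_SERVER=false` still takes the debug branch and starts a plaintext listener on `0.0.0.0:2424`; parse the flag explicitly, e.g. `elif os.getenv('DEBUG_SERVER', '').lower() in ('1', 'true', 'yes'):`, and consider whether the debug listener needs to bind beyond loopback at all. The new `else` branch calls `sys.exit(20)` but no `import sys` is visible in this hunk; if the module does not import it above the shown lines, the branch fails with a `NameError` rather than a clean exit. `log.err` is meant for a Failure or exception and logs a plain string by its repr, so `log.msg` fits this message better.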