From 4113fffc993b715629b484fe8f5a06d7efb9f644 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Tue, 15 Sep 2015 19:51:49 -0300 Subject: [feat] Validate and execute commands by subprocess This commit adds a way to validate and execute commands using an argument validator. Commands are executed via subprocess. --- common/src/leap/soledad/common/command.py | 54 +++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 common/src/leap/soledad/common/command.py diff --git a/common/src/leap/soledad/common/command.py b/common/src/leap/soledad/common/command.py new file mode 100644 index 00000000..978cec91 --- /dev/null +++ b/common/src/leap/soledad/common/command.py @@ -0,0 +1,54 @@ +# -*- coding: utf-8 -*- +# command.py +# Copyright (C) 2015 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + + +""" +Utility to sanitize and run shell commands. +""" + + +import subprocess + + +def exec_validated_cmd(cmd, args, validator=None): + """ + Executes cmd, validating args with validator. + + :param cmd: command. + :type dbname: str + :param args: arguments. + :type args: str + :param validator: optional function to validate args + :type validator: function + + :return: exit code and stdout or stderr (if code != 0) + :rtype: (int, str) + """ + if validator and not validator(args): + return 1, "invalid argument" + command = cmd.split(' ') + command.append(args) + try: + process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + except OSError, e: + return 1, e + (out, err) = process.communicate() + code = process.wait() + if code is not 0: + return code, err + else: + return code, out -- cgit v1.2.3 From 66baa09a1760e911a6e58c87bce4f0062bd95805 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Tue, 15 Sep 2015 19:53:25 -0300 Subject: [tests] Tests for command validation and execution Checks if arguments validation occurs properly and command execution brings back status code and stdout or stderr on some scenarios. --- .../src/leap/soledad/common/tests/test_command.py | 53 ++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 common/src/leap/soledad/common/tests/test_command.py diff --git a/common/src/leap/soledad/common/tests/test_command.py b/common/src/leap/soledad/common/tests/test_command.py new file mode 100644 index 00000000..af4903eb --- /dev/null +++ b/common/src/leap/soledad/common/tests/test_command.py @@ -0,0 +1,53 @@ +# -*- coding: utf-8 -*- +# test_command.py +# Copyright (C) 2015 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +""" +Tests for command execution using a validator function for arguments. +""" +from twisted.trial import unittest +from leap.soledad.common.command import exec_validated_cmd + + +class ExecuteValidatedCommandTest(unittest.TestCase): + + def test_argument_validation(self): + validator = lambda arg: True if arg is 'valid' else False + status, out = exec_validated_cmd("command", "invalid arg", validator) + self.assertEquals(status, 1) + self.assertEquals(out, "invalid argument") + status, out = exec_validated_cmd("echo", "valid", validator) + self.assertEquals(status, 0) + self.assertEquals(out, "valid\n") + + def test_return_status_code_success(self): + status, out = exec_validated_cmd("echo", "arg") + self.assertEquals(status, 0) + self.assertEquals(out, "arg\n") + + def test_handle_command_with_spaces(self): + status, out = exec_validated_cmd("echo I am", "an argument") + self.assertEquals(status, 0, out) + self.assertEquals(out, "I am an argument\n") + + def test_handle_oserror_on_invalid_command(self): + status, out = exec_validated_cmd("inexistent command with", "args") + self.assertEquals(status, 1) + self.assertIn("No such file or directory", out) + + def test_return_status_code_number_on_failure(self): + status, out = exec_validated_cmd("ls", "user-bebacafe") + self.assertEquals(status, 2) + self.assertIn('ls: cannot access user-bebacafe: No such file or directory\n', out) -- cgit v1.2.3 From eb6b66da6aa81ade4e61ef153ebbe8fba78cd335 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Tue, 15 Sep 2015 19:54:34 -0300 Subject: [feat] ensure_database is now able to call a cmd If CouchServerState is created with a create_cmd parameter, it can now use this parameter to invoke a command to create databases. A validator for database name is also used to ensure that command injection is not possible if user manages to manipulate database name argument. --- common/src/leap/soledad/common/couch.py | 46 +++++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/common/src/leap/soledad/common/couch.py b/common/src/leap/soledad/common/couch.py index 38041c09..cd5185eb 100644 --- a/common/src/leap/soledad/common/couch.py +++ b/common/src/leap/soledad/common/couch.py @@ -60,6 +60,7 @@ from u1db.remote.server_state import ServerState from leap.soledad.common import ddocs, errors +from leap.soledad.common.command import exec_validated_cmd from leap.soledad.common.document import SoledadDocument @@ -1374,13 +1375,29 @@ class CouchSyncTarget(CommonSyncTarget): source_replica_transaction_id) +DB_NAME_MASK = "^user-[a-f0-9]+$" + + +def is_db_name_valid(name): + """ + Validate a user database using DB_NAME_MASK. + + :param name: database name. + :type name: str + + :return: boolean for name vailidity + :rtype: bool + """ + return re.match(DB_NAME_MASK, name) is not None + + class CouchServerState(ServerState): """ Inteface of the WSGI server with the CouchDB backend. """ - def __init__(self, couch_url): + def __init__(self, couch_url, create_cmd=None): """ Initialize the couch server state. @@ -1388,6 +1405,7 @@ class CouchServerState(ServerState): :type couch_url: str """ self.couch_url = couch_url + self.create_cmd = create_cmd def open_database(self, dbname): """ @@ -1409,20 +1427,26 @@ class CouchServerState(ServerState): """ Ensure couch database exists. - Usually, this method is used by the server to ensure the existence of - a database. In our setup, the Soledad user that accesses the underlying - couch server should never have permission to create (or delete) - databases. But, in case it ever does, by raising an exception here we - have one more guarantee that no modified client will be able to - enforce creation of a database when syncing. - :param dbname: The name of the database to ensure. :type dbname: str - :raise Unauthorized: Always, because Soledad server is not allowed to - create databases. + :raise Unauthorized: If disabled or other error was raised. + + :return: The CouchDatabase object and its replica_uid. + :rtype: (CouchDatabase, str) """ - raise Unauthorized() + if not self.create_cmd: + raise Unauthorized() + else: + code, out = exec_validated_cmd(self.create_cmd, dbname, + validator=is_db_name_valid) + if code is not 0: + logger.error(""" + Error while creating database (%s) with (%s) command. + Output: %s + Exit code: %d + """ % (dbname, self.create_cmd, out, code)) + raise Unauthorized() def delete_database(self, dbname): """ -- cgit v1.2.3 From 7591c95951e4618f7775c52340f4d170a1bdd961 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Tue, 15 Sep 2015 19:56:43 -0300 Subject: [tests] CouchServerState tests for ensure_database Tests that Unauthorized is raised in any failure scenario, leaving user blind for tips on what happened during execution. This should lower chances of information disclosure on execution failure. --- common/src/leap/soledad/common/tests/test_couch.py | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/common/src/leap/soledad/common/tests/test_couch.py b/common/src/leap/soledad/common/tests/test_couch.py index c8d13667..d0a9dc3c 100644 --- a/common/src/leap/soledad/common/tests/test_couch.py +++ b/common/src/leap/soledad/common/tests/test_couch.py @@ -28,6 +28,7 @@ from couchdb.client import Server from uuid import uuid4 from testscenarios import TestWithScenarios +from twisted.trial import unittest from u1db import errors as u1db_errors from u1db import SyncTarget @@ -1498,3 +1499,27 @@ class CouchDatabaseExceptionsTests(CouchDBTestCase): self.db._get_transaction_log) self.create_db(ensure=True, dbname=self.db._dbname) self.db._get_transaction_log() + + +class DatabaseNameValidationTest(unittest.TestCase): + + def test_database_name_validation(self): + self.assertFalse(couch.is_db_name_valid("user-deadbeef | cat /secret")) + self.assertTrue(couch.is_db_name_valid("user-cafe1337")) + + +class CommandBasedDBCreationTest(unittest.TestCase): + + def test_ensure_db_using_custom_command(self): + state = couch.CouchServerState("url", create_cmd="echo") + state.ensure_database("user-1337") # works + + def test_raises_unauthorized_on_failure(self): + state = couch.CouchServerState("url", create_cmd="inexistent") + self.assertRaises(u1db_errors.Unauthorized, + state.ensure_database, "user-1337") + + def test_raises_unauthorized_by_default(self): + state = couch.CouchServerState("url") + self.assertRaises(u1db_errors.Unauthorized, + state.ensure_database, "user-1337") -- cgit v1.2.3 From e76ce03ad29b5582c4763d61a5acaed1aeba87e5 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Tue, 15 Sep 2015 19:59:14 -0300 Subject: [feat] conf for enabling db creation via custom sh We can now use a custom script to create databases by setting a parameter 'create_cmd' on soledad configuration. This will set CouchServerState to use it on ensure_database. --- server/src/leap/soledad/server/__init__.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/src/leap/soledad/server/__init__.py b/server/src/leap/soledad/server/__init__.py index 1b795016..bb1c6db0 100644 --- a/server/src/leap/soledad/server/__init__.py +++ b/server/src/leap/soledad/server/__init__.py @@ -285,6 +285,7 @@ def load_configuration(file_path): """ conf = { 'couch_url': 'http://localhost:5984', + 'create_cmd': None } config = configparser.ConfigParser() config.read(file_path) @@ -303,7 +304,7 @@ def load_configuration(file_path): def application(environ, start_response): conf = load_configuration('/etc/leap/soledad-server.conf') - state = CouchServerState(conf['couch_url']) + state = CouchServerState(conf['couch_url'], create_cmd=conf['create_cmd']) # WSGI application that may be used by `twistd -web` application = GzipMiddleware( SoledadTokenAuthMiddleware(SoledadApp(state))) -- cgit v1.2.3 From f7ff2e014e25b5c201f4e6209549518b53fc36b2 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Tue, 15 Sep 2015 20:12:01 -0300 Subject: [bug] ensure_database returns db and replica_uid ensure database needs to return a db and its replica_uid. Updated tests, doc and code to reflect that. --- common/src/leap/soledad/common/couch.py | 2 ++ common/src/leap/soledad/common/tests/test_couch.py | 8 +++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/common/src/leap/soledad/common/couch.py b/common/src/leap/soledad/common/couch.py index cd5185eb..36f6239e 100644 --- a/common/src/leap/soledad/common/couch.py +++ b/common/src/leap/soledad/common/couch.py @@ -1447,6 +1447,8 @@ class CouchServerState(ServerState): Exit code: %d """ % (dbname, self.create_cmd, out, code)) raise Unauthorized() + db = self.open_database(dbname) + return db, db.replica_uid def delete_database(self, dbname): """ diff --git a/common/src/leap/soledad/common/tests/test_couch.py b/common/src/leap/soledad/common/tests/test_couch.py index d0a9dc3c..a56cea21 100644 --- a/common/src/leap/soledad/common/tests/test_couch.py +++ b/common/src/leap/soledad/common/tests/test_couch.py @@ -29,6 +29,7 @@ from uuid import uuid4 from testscenarios import TestWithScenarios from twisted.trial import unittest +from mock import Mock from u1db import errors as u1db_errors from u1db import SyncTarget @@ -1512,7 +1513,12 @@ class CommandBasedDBCreationTest(unittest.TestCase): def test_ensure_db_using_custom_command(self): state = couch.CouchServerState("url", create_cmd="echo") - state.ensure_database("user-1337") # works + mock_db = Mock() + mock_db.replica_uid = 'replica_uid' + state.open_database = Mock(return_value=mock_db) + db, replica_uid = state.ensure_database("user-1337") # works + self.assertEquals(mock_db, db) + self.assertEquals(mock_db.replica_uid, replica_uid) def test_raises_unauthorized_on_failure(self): state = couch.CouchServerState("url", create_cmd="inexistent") -- cgit v1.2.3 From b065492f35006c3d108965b2b50144e080fbe678 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Thu, 17 Sep 2015 18:30:07 -0300 Subject: [feat] script for user db creation Added a simple script for user db creation and design docs creation. It uses a netrc from /etc/couchdb/couchdb-admin.netrc and same validator used on couch.py for database names. --- server/pkg/create-user-db | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100755 server/pkg/create-user-db diff --git a/server/pkg/create-user-db b/server/pkg/create-user-db new file mode 100755 index 00000000..edcb8a82 --- /dev/null +++ b/server/pkg/create-user-db @@ -0,0 +1,42 @@ +#!/usr/bin/env python +import os +import sys +import netrc +import argparse +from leap.soledad.common.couch import CouchDatabase +from leap.soledad.common.couch import is_db_name_valid + + +description = """ +Creates a user database. +This is meant to be used by Soledad Server. +""" +parser = argparse.ArgumentParser(description=description) +parser.add_argument('dbname', metavar='user-d34db33f', type=str, + help='database name on the format user-{uuid4}') +NETRC_PATH = '/etc/couchdb/couchdb-admin.netrc' + + +def url_for_db(dbname): + if not os.path.exists(NETRC_PATH): + print ('netrc not found in %s' % NETRC_PATH) + sys.exit(1) + parsed_netrc = netrc.netrc(NETRC_PATH) + host, (login, _, password) = parsed_netrc.hosts.items()[0] + url = ('http://%(login)s:%(password)s@%(host)s:5984/%(dbname)s' % { + 'login':login, + 'password':password, + 'host':host, + 'dbname':dbname}) + return url + + +if __name__ == '__main__': + args = parser.parse_args() + if not is_db_name_valid(args.dbname): + print ("Invalid name! %s" % args.dbname) + sys.exit(1) + url = url_for_db(args.dbname) + db = CouchDatabase.open_database(url=url, create=True, + replica_uid=None, ensure_ddocs=True) + print ('success! Created %s, replica_uid: %s' % (db._dbname, db.replica_uid)) -- cgit v1.2.3 From a660f60b9644836b0dbdf54cd04b15f4d4654d0f Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Fri, 18 Sep 2015 17:30:19 -0300 Subject: [feat] ensure security document Beyond ensuring ddocs, it is also necessary to ensure _security doc presence while creating a database. This document will tell couchdb to grant access to 'soledad' user as a member role and no one as admin. --- common/src/leap/soledad/common/couch.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/common/src/leap/soledad/common/couch.py b/common/src/leap/soledad/common/couch.py index 36f6239e..d9ed5026 100644 --- a/common/src/leap/soledad/common/couch.py +++ b/common/src/leap/soledad/common/couch.py @@ -435,6 +435,7 @@ class CouchDatabase(CommonBackend): self._set_replica_uid(replica_uid) if ensure_ddocs: self.ensure_ddocs_on_db() + self.ensure_security() self._cache = None @property @@ -467,6 +468,16 @@ class CouchDatabase(CommonBackend): getattr(ddocs, ddoc_name))) self._database.save(ddoc) + def ensure_security(self): + """ + Make sure that only soledad user is able to access this database as + a member. + """ + security = self._database.security + security['members'] = {'names': ['soledad'], 'roles': []} + security['admins'] = {'names': [], 'roles': []} + self._database.security = security + def get_sync_target(self): """ Return a SyncTarget object, for another u1db to synchronize with. -- cgit v1.2.3 From 7b1591e3d561aa6525318235e702eebeb6708560 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Fri, 18 Sep 2015 17:31:37 -0300 Subject: [tests] tests for ensure_security As the other tests does. Make sure that a fresh database gets proper security doc after calling ensure_security method. --- common/src/leap/soledad/common/tests/test_couch.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/common/src/leap/soledad/common/tests/test_couch.py b/common/src/leap/soledad/common/tests/test_couch.py index a56cea21..3622bb56 100644 --- a/common/src/leap/soledad/common/tests/test_couch.py +++ b/common/src/leap/soledad/common/tests/test_couch.py @@ -1501,6 +1501,20 @@ class CouchDatabaseExceptionsTests(CouchDBTestCase): self.create_db(ensure=True, dbname=self.db._dbname) self.db._get_transaction_log() + def test_ensure_security_doc(self): + """ + Ensure_security creates a _security ddoc to ensure that only soledad + will have member access to a db. + """ + self.create_db(ensure=False) + self.assertFalse(self.db._database.security) + self.db.ensure_security() + security_ddoc = self.db._database.security + self.assertIn('admins', security_ddoc) + self.assertFalse(security_ddoc['admins']['names']) + self.assertIn('members', security_ddoc) + self.assertIn('soledad', security_ddoc['members']['names']) + class DatabaseNameValidationTest(unittest.TestCase): -- cgit v1.2.3 From c4c280e12bf70dd41183d2d2ffbba200a45d0247 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Sat, 19 Sep 2015 14:25:30 -0300 Subject: [feat] handle DatabaseDoesNotExist during sync This error raises while getting info on target (or server) replica. On previous implementation there was nothing to do here, but now that we have db creation in place this error should be handled just like u1db original implementation. The reason is that db creation occurs during sync exchange, but before this we try to ask for info and the code that checks for info raises an error that will be used to signal the client that a database will be created and that it must save the replica uid returned by server, after sync exchange (where we send/fetch documents). --- client/src/leap/soledad/client/sync.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/client/src/leap/soledad/client/sync.py b/client/src/leap/soledad/client/sync.py index 110baa0a..225d3e2d 100644 --- a/client/src/leap/soledad/client/sync.py +++ b/client/src/leap/soledad/client/sync.py @@ -69,9 +69,15 @@ class SoledadSynchronizer(Synchronizer): # get target identifier, its current generation, # and its last-seen database generation for this source ensure_callback = None - (self.target_replica_uid, target_gen, target_trans_id, - target_my_gen, target_my_trans_id) = yield \ - sync_target.get_sync_info(self.source._replica_uid) + try: + (self.target_replica_uid, target_gen, target_trans_id, + target_my_gen, target_my_trans_id) = yield \ + sync_target.get_sync_info(self.source._replica_uid) + except errors.DatabaseDoesNotExist: + logger.debug("Database isn't ready on server. Will be created.") + self.target_replica_uid = None + target_gen, target_trans_id = 0, '' + target_my_gen, target_my_trans_id = 0, '' logger.debug( "Soledad target sync info:\n" -- cgit v1.2.3 From de0cf00b4412e253a481ff19803bab66ffc4443e Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Thu, 24 Sep 2015 21:57:26 -0300 Subject: [refactor] kaliy's review and pep8 fixes README with information about latest change, missing docs and licenses, variable naming and pep8. --- README.rst | 33 ++++++++++++++++++++++ common/changes/create_db_cmd | 2 ++ common/src/leap/soledad/common/command.py | 17 +++++------ common/src/leap/soledad/common/couch.py | 19 +++++++------ .../src/leap/soledad/common/tests/test_command.py | 4 ++- common/src/leap/soledad/common/tests/test_couch.py | 4 +-- server/changes/create_db_cmd | 3 ++ server/pkg/create-user-db | 16 +++++++++++ 8 files changed, 79 insertions(+), 19 deletions(-) create mode 100644 common/changes/create_db_cmd create mode 100644 server/changes/create_db_cmd diff --git a/README.rst b/README.rst index b98eec06..a2755f92 100644 --- a/README.rst +++ b/README.rst @@ -55,3 +55,36 @@ to run tests in development mode you must do the following:: Note that to run CouchDB tests, be sure you have ``CouchDB`` installed on your system. + + +Privileges +----- +In order to prevent privilege escalation, Soledad should not be run as a +database administrator. This implies the following side effects: + +----------------- +Database creation: +----------------- +Can be done via a script located in ``server/pkg/create-user-db`` +It reads a netrc file that should be placed on +``/etc/couchdb/couchdb-admin.netrc``. +That file holds the admin credentials in netrc format and should be accessible +only by 'soledad-admin' user. + +The debian package will do the following in order to automate this: + +* create a user ``soledad-admin`` +* make this script available as ``create-user-db`` in ``/usr/bin`` +* grant restricted sudo access, that only enables user ``soledad`` to call this + exact command via ``soledad-admin`` user. + +The server side process, configured via ``/etc/leap/soledad-server.conf``, will +then use a parameter called 'create_cmd' to know which command is used to +allocate new databases. All steps of creation process is then handled +automatically by the server, following the same logic as u1db server. + +------------------ +Database deletion: +------------------ +No code at all handles this and privilege to do so needs to be removed as +explained before. This can be automated via a simple cron job. diff --git a/common/changes/create_db_cmd b/common/changes/create_db_cmd new file mode 100644 index 00000000..00bbdf71 --- /dev/null +++ b/common/changes/create_db_cmd @@ -0,0 +1,2 @@ + o Add a sanitized command executor for database creation and re-enable + user database creation on CouchServerState via command line. diff --git a/common/src/leap/soledad/common/command.py b/common/src/leap/soledad/common/command.py index 978cec91..811bf135 100644 --- a/common/src/leap/soledad/common/command.py +++ b/common/src/leap/soledad/common/command.py @@ -24,26 +24,27 @@ Utility to sanitize and run shell commands. import subprocess -def exec_validated_cmd(cmd, args, validator=None): +def exec_validated_cmd(cmd, argument, validator=None): """ - Executes cmd, validating args with validator. + Executes cmd, validating argument with a validator function. :param cmd: command. :type dbname: str - :param args: arguments. - :type args: str - :param validator: optional function to validate args + :param argument: argument. + :type argument: str + :param validator: optional function to validate argument :type validator: function :return: exit code and stdout or stderr (if code != 0) :rtype: (int, str) """ - if validator and not validator(args): + if validator and not validator(argument): return 1, "invalid argument" command = cmd.split(' ') - command.append(args) + command.append(argument) try: - process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process = subprocess.Popen(command, stdout=subprocess.PIPE, + stderr=subprocess.PIPE) except OSError, e: return 1, e (out, err) = process.communicate() diff --git a/common/src/leap/soledad/common/couch.py b/common/src/leap/soledad/common/couch.py index d9ed5026..4c5f6400 100644 --- a/common/src/leap/soledad/common/couch.py +++ b/common/src/leap/soledad/common/couch.py @@ -435,7 +435,7 @@ class CouchDatabase(CommonBackend): self._set_replica_uid(replica_uid) if ensure_ddocs: self.ensure_ddocs_on_db() - self.ensure_security() + self.ensure_security_ddoc() self._cache = None @property @@ -468,10 +468,15 @@ class CouchDatabase(CommonBackend): getattr(ddocs, ddoc_name))) self._database.save(ddoc) - def ensure_security(self): + def ensure_security_ddoc(self): """ Make sure that only soledad user is able to access this database as - a member. + an unprivileged member, meaning that administration access will + be forbidden even inside an user database. + The goal is to make sure that only the lowest access level is given + to the unprivileged CouchDB user set on the server process. + This is achieved by creating a _security design document, see: + http://docs.couchdb.org/en/latest/api/database/security.html """ security = self._database.security security['members'] = {'names': ['soledad'], 'roles': []} @@ -1386,12 +1391,9 @@ class CouchSyncTarget(CommonSyncTarget): source_replica_transaction_id) -DB_NAME_MASK = "^user-[a-f0-9]+$" - - def is_db_name_valid(name): """ - Validate a user database using DB_NAME_MASK. + Validate a user database using a regular expression. :param name: database name. :type name: str @@ -1399,7 +1401,8 @@ def is_db_name_valid(name): :return: boolean for name vailidity :rtype: bool """ - return re.match(DB_NAME_MASK, name) is not None + db_name_regex = "^user-[a-f0-9]+$" + return re.match(db_name_regex, name) is not None class CouchServerState(ServerState): diff --git a/common/src/leap/soledad/common/tests/test_command.py b/common/src/leap/soledad/common/tests/test_command.py index af4903eb..420f91ae 100644 --- a/common/src/leap/soledad/common/tests/test_command.py +++ b/common/src/leap/soledad/common/tests/test_command.py @@ -50,4 +50,6 @@ class ExecuteValidatedCommandTest(unittest.TestCase): def test_return_status_code_number_on_failure(self): status, out = exec_validated_cmd("ls", "user-bebacafe") self.assertEquals(status, 2) - self.assertIn('ls: cannot access user-bebacafe: No such file or directory\n', out) + self.assertIn( + 'ls: cannot access user-bebacafe: No such file or directory\n', + out) diff --git a/common/src/leap/soledad/common/tests/test_couch.py b/common/src/leap/soledad/common/tests/test_couch.py index 3622bb56..d1a07a3a 100644 --- a/common/src/leap/soledad/common/tests/test_couch.py +++ b/common/src/leap/soledad/common/tests/test_couch.py @@ -1504,11 +1504,11 @@ class CouchDatabaseExceptionsTests(CouchDBTestCase): def test_ensure_security_doc(self): """ Ensure_security creates a _security ddoc to ensure that only soledad - will have member access to a db. + will have the lowest privileged access to an user db. """ self.create_db(ensure=False) self.assertFalse(self.db._database.security) - self.db.ensure_security() + self.db.ensure_security_ddoc() security_ddoc = self.db._database.security self.assertIn('admins', security_ddoc) self.assertFalse(security_ddoc['admins']['names']) diff --git a/server/changes/create_db_cmd b/server/changes/create_db_cmd new file mode 100644 index 00000000..cee0a935 --- /dev/null +++ b/server/changes/create_db_cmd @@ -0,0 +1,3 @@ + o Adds a new config parameter 'create_cmd', which allows sysadmin to specify + which command will create a database. That command was added in + pkg/create-user-db and debian package automates steps needed for sudo access. diff --git a/server/pkg/create-user-db b/server/pkg/create-user-db index edcb8a82..dd68f792 100755 --- a/server/pkg/create-user-db +++ b/server/pkg/create-user-db @@ -1,4 +1,20 @@ #!/usr/bin/env python +# -*- coding: utf-8 -*- +# create-user-db +# Copyright (C) 2015 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . import os import sys import netrc -- cgit v1.2.3 From 01314341c8ef1e947b8f921ba023ac67d89a9ce7 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Mon, 28 Sep 2015 15:43:49 -0300 Subject: [test] remove old mocks Those hardcoded mocks are leaking into other tests and are unnecessary. --- .../soledad/common/tests/test_couch_operations_atomicity.py | 6 ------ common/src/leap/soledad/common/tests/test_server.py | 12 ------------ 2 files changed, 18 deletions(-) diff --git a/common/src/leap/soledad/common/tests/test_couch_operations_atomicity.py b/common/src/leap/soledad/common/tests/test_couch_operations_atomicity.py index 3e8e8cce..507f2984 100644 --- a/common/src/leap/soledad/common/tests/test_couch_operations_atomicity.py +++ b/common/src/leap/soledad/common/tests/test_couch_operations_atomicity.py @@ -35,17 +35,11 @@ from leap.soledad.common.tests.util import ( ) from leap.soledad.common.tests.test_couch import CouchDBTestCase from leap.soledad.common.tests.u1db_tests import TestCaseWithServer -from leap.soledad.common.tests.test_server import _couch_ensure_database REPEAT_TIMES = 20 -# monkey path CouchServerState so it can ensure databases. - -CouchServerState.ensure_database = _couch_ensure_database - - class CouchAtomicityTestCase(CouchDBTestCase, TestCaseWithServer): @staticmethod diff --git a/common/src/leap/soledad/common/tests/test_server.py b/common/src/leap/soledad/common/tests/test_server.py index f512d6c1..19d2907d 100644 --- a/common/src/leap/soledad/common/tests/test_server.py +++ b/common/src/leap/soledad/common/tests/test_server.py @@ -46,18 +46,6 @@ from leap.soledad.server import LockResource from leap.soledad.server.auth import URLToAuthorization -# monkey path CouchServerState so it can ensure databases. - -def _couch_ensure_database(self, dbname): - db = CouchDatabase.open_database( - self.couch_url + '/' + dbname, - create=True, - ensure_ddocs=True) - return db, db._replica_uid - -CouchServerState.ensure_database = _couch_ensure_database - - class ServerAuthorizationTestCase(BaseSoledadTest): """ -- cgit v1.2.3 From 6427b73247e327c27d5f8e5c2036281fb77205b2 Mon Sep 17 00:00:00 2001 From: Gislene Pereira Date: Mon, 28 Sep 2015 16:04:46 -0300 Subject: [test] Making test_command pass on Mac OS X. --- common/src/leap/soledad/common/tests/test_command.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/common/src/leap/soledad/common/tests/test_command.py b/common/src/leap/soledad/common/tests/test_command.py index 420f91ae..c386bdd2 100644 --- a/common/src/leap/soledad/common/tests/test_command.py +++ b/common/src/leap/soledad/common/tests/test_command.py @@ -49,7 +49,5 @@ class ExecuteValidatedCommandTest(unittest.TestCase): def test_return_status_code_number_on_failure(self): status, out = exec_validated_cmd("ls", "user-bebacafe") - self.assertEquals(status, 2) - self.assertIn( - 'ls: cannot access user-bebacafe: No such file or directory\n', - out) + self.assertNotEquals(status, 0) + self.assertIn('No such file or directory\n', out) -- cgit v1.2.3 From 3c7a41574ed1a97ae168bbbc50b127d17694734a Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Mon, 28 Sep 2015 16:35:19 -0300 Subject: [style] pep8 --- server/pkg/create-user-db | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/server/pkg/create-user-db b/server/pkg/create-user-db index dd68f792..1a7e77a7 100755 --- a/server/pkg/create-user-db +++ b/server/pkg/create-user-db @@ -29,7 +29,7 @@ This is meant to be used by Soledad Server. """ parser = argparse.ArgumentParser(description=description) parser.add_argument('dbname', metavar='user-d34db33f', type=str, - help='database name on the format user-{uuid4}') + help='database name on the format user-{uuid4}') NETRC_PATH = '/etc/couchdb/couchdb-admin.netrc' @@ -40,10 +40,10 @@ def url_for_db(dbname): parsed_netrc = netrc.netrc(NETRC_PATH) host, (login, _, password) = parsed_netrc.hosts.items()[0] url = ('http://%(login)s:%(password)s@%(host)s:5984/%(dbname)s' % { - 'login':login, - 'password':password, - 'host':host, - 'dbname':dbname}) + 'login': login, + 'password': password, + 'host': host, + 'dbname': dbname}) return url @@ -55,4 +55,5 @@ if __name__ == '__main__': url = url_for_db(args.dbname) db = CouchDatabase.open_database(url=url, create=True, replica_uid=None, ensure_ddocs=True) - print ('success! Created %s, replica_uid: %s' % (db._dbname, db.replica_uid)) + print ('success! Created %s, replica_uid: %s' % + (db._dbname, db.replica_uid)) -- cgit v1.2.3