From cf3c5018820f982ae64c2e062391b0a3b6e52f21 Mon Sep 17 00:00:00 2001 From: drebs Date: Wed, 11 Mar 2015 14:33:10 -0300 Subject: [feat] use monthly tokens database Any solead release that includes this commit will be incompatible with LEAP Platform < 0.6.1 because only from that version on the platform implements the ephemeral monthly tokens databases. Closes: #6785. --- server/src/leap/soledad/server/auth.py | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) (limited to 'server/src/leap') diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py index 57f600a1..7af4e54b 100644 --- a/server/src/leap/soledad/server/auth.py +++ b/server/src/leap/soledad/server/auth.py @@ -21,10 +21,10 @@ Authentication facilities for Soledad Server. """ +import time import httplib import simplejson as json - from u1db import DBNAME_CONSTRAINTS, errors as u1db_errors from abc import ABCMeta, abstractmethod from routes.mapper import Mapper @@ -32,12 +32,8 @@ from couchdb.client import Server from twisted.python import log from hashlib import sha512 - -from leap.soledad.common import ( - SHARED_DB_NAME, - SHARED_DB_LOCK_DOC_ID_PREFIX, - USER_DB_PREFIX, -) +from leap.soledad.common import SHARED_DB_NAME +from leap.soledad.common import USER_DB_PREFIX from leap.soledad.common.errors import InvalidAuthTokenError @@ -354,7 +350,8 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware): Token based authentication. """ - TOKENS_DB = "tokens" + TOKENS_DB_PREFIX = "tokens_" + TOKENS_DB_EXPIRE = 30 * 24 * 3600 # 30 days in seconds TOKENS_TYPE_KEY = "type" TOKENS_TYPE_DEF = "Token" TOKENS_USER_ID_KEY = "user_id" @@ -414,7 +411,14 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware): invalid. """ server = Server(url=self._app.state.couch_url) - dbname = self.TOKENS_DB + # the tokens db rotates every 30 days, and the current db name is + # "tokens_NNN", where NNN is the number of seconds since epoch divided + # by the rotate period in seconds. When rotating, old and new tokens + # db coexist during a certain window of time and valid tokens are + # replicated from the old db to the new one. See: + # https://leap.se/code/issues/6785 + dbname = self.TOKENS_DB_PREFIX + \ + str(int(time.time() / self.TOKENS_DB_EXPIRE)) db = server[dbname] # lookup key is a hash of the token to prevent timing attacks. token = db.get(sha512(token).hexdigest()) -- cgit v1.2.3 From 5a9eac4ba0d4ddc419fdaaee4d08dbc7d8115294 Mon Sep 17 00:00:00 2001 From: drebs Date: Thu, 9 Apr 2015 12:20:19 -0300 Subject: [fix] remove unneded params to CouchServerState This commit removes some leftover code from a time when Soledad Server used to check for permissions on certain databases when starting (i.e. shared and tokens databases). This was later removed as correct permissions enforcement was relayed to tapicero. Closes: #6833. --- server/src/leap/soledad/server/__init__.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'server/src/leap') diff --git a/server/src/leap/soledad/server/__init__.py b/server/src/leap/soledad/server/__init__.py index cd006f51..adb5b561 100644 --- a/server/src/leap/soledad/server/__init__.py +++ b/server/src/leap/soledad/server/__init__.py @@ -296,10 +296,7 @@ def load_configuration(file_path): def application(environ, start_response): conf = load_configuration('/etc/leap/soledad-server.conf') - state = CouchServerState( - conf['couch_url'], - SoledadApp.SHARED_DB_NAME, - SoledadTokenAuthMiddleware.TOKENS_DB) + state = CouchServerState(conf['couch_url']) # WSGI application that may be used by `twistd -web` application = GzipMiddleware( SoledadTokenAuthMiddleware(SoledadApp(state))) -- cgit v1.2.3