From cf3c5018820f982ae64c2e062391b0a3b6e52f21 Mon Sep 17 00:00:00 2001 From: drebs Date: Wed, 11 Mar 2015 14:33:10 -0300 Subject: [feat] use monthly tokens database Any solead release that includes this commit will be incompatible with LEAP Platform < 0.6.1 because only from that version on the platform implements the ephemeral monthly tokens databases. Closes: #6785. --- server/src/leap/soledad/server/auth.py | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) (limited to 'server/src') diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py index 57f600a1..7af4e54b 100644 --- a/server/src/leap/soledad/server/auth.py +++ b/server/src/leap/soledad/server/auth.py @@ -21,10 +21,10 @@ Authentication facilities for Soledad Server. """ +import time import httplib import simplejson as json - from u1db import DBNAME_CONSTRAINTS, errors as u1db_errors from abc import ABCMeta, abstractmethod from routes.mapper import Mapper @@ -32,12 +32,8 @@ from couchdb.client import Server from twisted.python import log from hashlib import sha512 - -from leap.soledad.common import ( - SHARED_DB_NAME, - SHARED_DB_LOCK_DOC_ID_PREFIX, - USER_DB_PREFIX, -) +from leap.soledad.common import SHARED_DB_NAME +from leap.soledad.common import USER_DB_PREFIX from leap.soledad.common.errors import InvalidAuthTokenError @@ -354,7 +350,8 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware): Token based authentication. """ - TOKENS_DB = "tokens" + TOKENS_DB_PREFIX = "tokens_" + TOKENS_DB_EXPIRE = 30 * 24 * 3600 # 30 days in seconds TOKENS_TYPE_KEY = "type" TOKENS_TYPE_DEF = "Token" TOKENS_USER_ID_KEY = "user_id" 
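Review bot: `TOKENS_DB_EXPIRE` in the `SoledadTokenAuthMiddleware` constants is documented only as "30 days in seconds", but the value also determines the database name the token lookup derives, so it has to match the rotation period used by whatever creates the `tokens_NNN` databases. I would say so on the constant, e.g. `# rotation period of the tokens db; must equal the period the platform uses to name "tokens_NNN"`. The name also reads like a token lifetime rather than a rotation period, which the comment should rule out. The class body starts before and continues after this hunk.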
@@ -414,7 +411,14 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware): invalid. """ server = Server(url=self._app.state.couch_url) - dbname = self.TOKENS_DB + # the tokens db rotates every 30 days, and the current db name is + # "tokens_NNN", where NNN is the number of seconds since epoch divided + # by the rotate period in seconds. When rotating, old and new tokens + # db coexist during a certain window of time and valid tokens are + # replicated from the old db to the new one. See: + # https://leap.se/code/issues/6785 + dbname = self.TOKENS_DB_PREFIX + \ + str(int(time.time() / self.TOKENS_DB_EXPIRE)) db = server[dbname] # lookup key is a hash of the token to prevent timing attacks. token = db.get(sha512(token).hexdigest()) -- cgit v1.2.3 From 5a9eac4ba0d4ddc419fdaaee4d08dbc7d8115294 Mon Sep 17 00:00:00 2001 From: drebs Date: Thu, 9 Apr 2015 12:20:19 -0300 Subject: [fix] remove unneded params to CouchServerState This commit removes some leftover code from a time when Soledad Server used to check for permissions on certain databases when starting (i.e. shared and tokens databases). This was later removed as correct permissions enforcement was relayed to tapicero. Closes: #6833. --- server/src/leap/soledad/server/__init__.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'server/src') diff --git a/server/src/leap/soledad/server/__init__.py b/server/src/leap/soledad/server/__init__.py index cd006f51..adb5b561 100644 --- a/server/src/leap/soledad/server/__init__.py +++ b/server/src/leap/soledad/server/__init__.py 
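Review bot: The `db = server[dbname]` lookup now depends on this host's wall clock agreeing with the component that creates the monthly database: around a rotation boundary the computed `tokens_NNN` may not exist yet, or may not yet hold a token that is still valid in the previous database. As far as I know couchdb-python raises `couchdb.http.ResourceNotFound` for a missing database; if nothing outside the hunk catches it, the request would end in a server error instead of a clean authentication failure. I would catch that exception around the lookup, log the missing database name through the already imported `log` so that a rotation problem is visible to operators, and treat it as an invalid token. Separately, `int(time.time()) // self.TOKENS_DB_EXPIRE` states the period arithmetic without going through a float. The enclosing method starts before and continues after this hunk.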
@@ -296,10 +296,7 @@ def load_configuration(file_path): def application(environ, start_response): conf = load_configuration('/etc/leap/soledad-server.conf') - state = CouchServerState( - conf['couch_url'], - SoledadApp.SHARED_DB_NAME, - SoledadTokenAuthMiddleware.TOKENS_DB) + state = CouchServerState(conf['couch_url']) # WSGI application that may be used by `twistd -web` application = GzipMiddleware( SoledadTokenAuthMiddleware(SoledadApp(state))) -- cgit v1.2.3 From 19166618cef9cb03501d91df83a6919c3c4eda80 Mon Sep 17 00:00:00 2001 From: Bruno Wagner Date: Thu, 23 Jul 2015 15:08:13 -0300 Subject: [style] fixed pep8 warnings on the soledad server code --- server/src/leap/soledad/server/__init__.py | 16 +++++++++------- server/src/leap/soledad/server/_version.py | 17 ++++++++--------- server/src/leap/soledad/server/sync.py | 9 +++++---- 3 files changed, 22 insertions(+), 20 deletions(-) (limited to 'server/src') diff --git a/server/src/leap/soledad/server/__init__.py b/server/src/leap/soledad/server/__init__.py index adb5b561..7a03f6fb 100644 --- a/server/src/leap/soledad/server/__init__.py +++ b/server/src/leap/soledad/server/__init__.py @@ -92,16 +92,13 @@ import sys from u1db.remote import http_app, utils +from ._version import get_versions + # Keep OpenSSL's tsafe before importing Twisted submodules so we can put # it back if Twisted==12.0.0 messes with it. from OpenSSL import tsafe -old_tsafe = tsafe from twisted import version -if version.base() == "12.0.0": - # Put OpenSSL's tsafe back into place. This can probably be removed if we - # come to use Twisted>=12.3.0. - sys.modules['OpenSSL.tsafe'] = old_tsafe from leap.soledad.server.auth import SoledadTokenAuthMiddleware from leap.soledad.server.gzip_middleware import GzipMiddleware 
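Review bot: The new `CouchServerState(conf['couch_url'])` call in `application` leaves no trace in the code that this server no longer checks permissions on the shared and tokens databases; that is stated only in the commit description. Since the tokens databases hold the records used to authenticate requests, I would record the assumption at the call site, e.g. `# db permissions are not verified here; they must be enforced when the databases are provisioned`. `application` also has no docstring; one sentence saying that it reads the configuration and builds the middleware stack on each call would help.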
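Review bot: Moving `old_tsafe = tsafe` and the `if version.base() == "12.0.0":` restore below the `leap.soledad.server.*` and `leap.soledad.common.*` imports (removed in the `@@ -92,16 +92,13 @@` hunk, re-added in the `@@ -115,11 +112,18 @@` hunk) changes when the workaround runs, which is more than a style fix. The comment kept above `from OpenSSL import tsafe` says the module is saved before Twisted submodules are imported so it can be put back; after this change the project modules are imported before `sys.modules['OpenSSL.tsafe']` is restored, and at least `auth.py` imports `twisted.python.log`. If the ordering matters on Twisted 12.0.0, I would keep the two statements where they were and silence the import-order warning on the later imports with `# noqa` instead. If it no longer matters, dropping the workaround would be clearer than relocating it.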
@@ -115,11 +112,18 @@ from leap.soledad.server.sync import ( from leap.soledad.common import SHARED_DB_NAME from leap.soledad.common.couch import CouchServerState +old_tsafe = tsafe + +if version.base() == "12.0.0": + # Put OpenSSL's tsafe back into place. This can probably be removed if we + # come to use Twisted>=12.3.0. + sys.modules['OpenSSL.tsafe'] = old_tsafe # ---------------------------------------------------------------------------- # Soledad WSGI application # ---------------------------------------------------------------------------- + class SoledadApp(http_app.HTTPApp): """ Soledad WSGI application @@ -303,7 +307,5 @@ def application(environ, start_response): return application(environ, start_response) - -from ._version import get_versions __version__ = get_versions()['version'] del get_versions diff --git a/server/src/leap/soledad/server/_version.py b/server/src/leap/soledad/server/_version.py index ec611c39..61bb57d9 100644 --- a/server/src/leap/soledad/server/_version.py +++ b/server/src/leap/soledad/server/_version.py @@ -1,5 +1,3 @@ - -IN_LONG_VERSION_PY = True # This file helps to compute a version number in source trees obtained from # git-archive tarball (such as those provided by githubs download-from-tag # feature). Distribution tarballs (build by setup.py sdist) and build @@ -10,12 +8,16 @@ IN_LONG_VERSION_PY = True # versioneer-0.7+ (https://github.com/warner/python-versioneer) # these strings will be replaced by git during git-archive -git_refnames = "$Format:%d$" -git_full = "$Format:%H$" - import subprocess import sys +import re +import os.path + +IN_LONG_VERSION_PY = True + +git_refnames = "$Format:%d$" +git_full = "$Format:%H$" def run_command(args, cwd=None, verbose=False): @@ -37,9 +39,6 @@ def run_command(args, cwd=None, verbose=False): return None return stdout -import re -import os.path - def get_expanded_variables(versionfile_source): # the code embedded in _version.py can just fetch the value of these 
@@ -85,7 +84,7 @@ def versions_from_expanded_variables(variables, tag_prefix, verbose=False): # "stabilization", as well as "HEAD" and "master". tags = set([r for r in refs if re.search(r'\d', r)]) if verbose: - print("discarding '%s', no digits" % ",".join(refs-tags)) + print("discarding '%s', no digits" % ",".join(refs - tags)) if verbose: print("likely tags: %s" % ",".join(sorted(tags))) for ref in sorted(tags): diff --git a/server/src/leap/soledad/server/sync.py b/server/src/leap/soledad/server/sync.py index 6dc99b5a..d2db9055 100644 --- a/server/src/leap/soledad/server/sync.py +++ b/server/src/leap/soledad/server/sync.py @@ -224,7 +224,6 @@ class SyncExchange(sync.SyncExchange): self._sync_state = ServerSyncState( self._db, self.source_replica_uid, sync_id) - def find_changes_to_return(self, received): """ Find changes to return. @@ -286,7 +285,8 @@ class SyncExchange(sync.SyncExchange): doc = self._db.get_doc(changed_doc_id, include_deleted=True) return_doc_cb(doc, gen, trans_id) - def insert_doc_from_source(self, doc, source_gen, trans_id, + def insert_doc_from_source( + self, doc, source_gen, trans_id, number_of_docs=None, doc_idx=None, sync_id=None): """Try to insert synced document from source. @@ -371,8 +371,9 @@ class SyncResource(http_app.SyncResource): self._sync_id = sync_id @http_app.http_method(content_as_args=True) - def post_put(self, id, rev, content, gen, trans_id, number_of_docs, - doc_idx): + def post_put( + self, id, rev, content, gen, + trans_id, number_of_docs, doc_idx): """ Put one incoming document into the server replica. -- cgit v1.2.3 From 0b1e55d3142d7012cd7fef39b6ed77be69d5ee11 Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Tue, 4 Aug 2015 17:56:35 -0400 Subject: [style] pep8 cleanup --- server/src/leap/soledad/server/sync.py | 5 ----- 1 file changed, 5 deletions(-) (limited to 'server/src') diff --git a/server/src/leap/soledad/server/sync.py b/server/src/leap/soledad/server/sync.py index d2db9055..18c4ee40 100644 
--- a/server/src/leap/soledad/server/sync.py +++ b/server/src/leap/soledad/server/sync.py @@ -14,17 +14,12 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . - - """ Server side synchronization infrastructure. """ - import json - from leap.soledad.common.couch import CouchDatabase -from itertools import izip from u1db import sync, Document from u1db.remote import http_app -- cgit v1.2.3 From 7e72cafacd1fd12217a734b0d86de983264924f3 Mon Sep 17 00:00:00 2001 From: drebs Date: Mon, 17 Aug 2015 12:18:13 -0300 Subject: [bug] add missing parameter to unauthorized error --- server/src/leap/soledad/server/auth.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'server/src') diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py index 7af4e54b..425758f5 100644 --- a/server/src/leap/soledad/server/auth.py +++ b/server/src/leap/soledad/server/auth.py @@ -264,7 +264,8 @@ class SoledadAuthMiddleware(object): scheme, encoded = auth.split(None, 1) uuid, auth_data = encoded.decode('base64').split(':', 1) if not self._verify_authentication_scheme(scheme): - return self._unauthorized_error("Wrong authentication scheme") + return self._unauthorized_error( + start_response, "Wrong authentication scheme") # verify if user is athenticated try: -- cgit v1.2.3 From 66b58d3222e86916431f5c9cd534619537de5359 Mon Sep 17 00:00:00 2001 From: drebs Date: Mon, 24 Aug 2015 14:38:46 -0300 Subject: [refactor] remove simplejson dep on server --- server/src/leap/soledad/server/auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'server/src') diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py index 425758f5..02b54cca 100644 --- a/server/src/leap/soledad/server/auth.py +++ b/server/src/leap/soledad/server/auth.py 
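Review bot: The two lines just above the fixed call, `auth.split(None, 1)` and `encoded.decode('base64').split(':', 1)`, run before the scheme check and will raise on an `Authorization` value with no space, invalid base64 or no colon. Unless a handler outside the hunk catches that, a malformed header from an unauthenticated client ends in an unhandled exception rather than the unauthorized response this path is meant to return. I would check the scheme first and route any parsing failure through `self._unauthorized_error(start_response, ...)` as sketched below; under Python 2 `binascii.Error` is not a `ValueError`, so the module needs `import binascii`. The enclosing method starts before and continues after this hunk.

```python
try:
    scheme, encoded = auth.split(None, 1)
    if not self._verify_authentication_scheme(scheme):
        return self._unauthorized_error(
            start_response, "Wrong authentication scheme")
    uuid, auth_data = encoded.decode('base64').split(':', 1)
except (ValueError, binascii.Error):
    # header without a space, bad base64, or no "uuid:data" separator
    return self._unauthorized_error(
        start_response, "Malformed authorization header")
# … unchanged: verification that the user is authenticated …
```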
@@ -23,7 +23,7 @@ Authentication facilities for Soledad Server. import time import httplib -import simplejson as json +import json from u1db import DBNAME_CONSTRAINTS, errors as u1db_errors from abc import ABCMeta, abstractmethod -- cgit v1.2.3