soledad/server.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

# -*- coding: utf-8 -*-
"""
A U1DB server that stores data using couchdb.

This should be run with:
    twistd -n web --wsgi=leap.soledad.server.application
"""

import configparser
from wsgiref.util import shift_path_info
import httplib
try:
    import simplejson as json
except ImportError:
    import json  # noqa
from urlparse import parse_qs

from twisted.web.wsgi import WSGIResource
from twisted.internet import reactor

from u1db.remote import http_app

from leap.soledad.backends.couch import CouchServerState


#-----------------------------------------------------------------------------
# Authentication
#-----------------------------------------------------------------------------

class Unauthorized(Exception):
    """
    User authentication failed.
    """


class SoledadAuthMiddleware(object):
    """
    Soledad Authentication WSGI middleware.

    In general, databases are accessed using a token provided by the LEAP API.
    Some special databases can be read without authentication.
    """

    def __init__(self, app, prefix, public_dbs=None):
        self.app = app
        self.prefix = prefix
        self.public_dbs = public_dbs

    def _error(self, start_response, status, description, message=None):
        start_response("%d %s" % (status, httplib.responses[status]),
                       [('content-type', 'application/json')])
        err = {"error": description}
        if message:
            err['message'] = message
        return [json.dumps(err)]

    def __call__(self, environ, start_response):
        if self.prefix and not environ['PATH_INFO'].startswith(self.prefix):
            return self._error(start_response, 400, "bad request")
        shift_path_info(environ)
        qs = parse_qs(environ.get('QUERY_STRING'), strict_parsing=True)
        if 'auth_token' not in qs:
            if self.need_auth(environ):
                return self._error(start_response, 401, "unauthorized",
                                   "Missing Authentication Token.")
        else:
            token = qs['auth_token'][0]
            try:
                self.verify_token(environ, token)
            except Unauthorized:
                return self._error(
                    start_response, 401, "unauthorized",
                    "Incorrect password or login.")
            # remove auth token from query string.
            del qs['auth_token']
            qs_str = ''
            if qs:
                qs_str = reduce(lambda x, y: '&'.join([x, y]),
                                map(lambda (x, y): '='.join([x, str(y)]),
                                    qs.iteritems()))
            environ['QUERY_STRING'] = qs_str
        return self.app(environ, start_response)

    def verify_token(self, environ, token):
        """
        Verify if token is valid for authenticating this action.
        """
        # TODO: implement token verification
        raise NotImplementedError(self.verify_token)

    def need_auth(self, environ):
        """
        Check if action can be performed on database without authentication.

        For now, just allow access to /shared/*.
        """
        # TODO: design unauth verification.
        return not environ.get('PATH_INFO').startswith('/shared/')


#-----------------------------------------------------------------------------
# Soledad WSGI application
#-----------------------------------------------------------------------------

class SoledadApp(http_app.HTTPApp):
    """
    Soledad WSGI application
    """

    def __call__(self, environ, start_response):
        return super(SoledadApp, self).__call__(environ, start_response)


#-----------------------------------------------------------------------------
# Auxiliary functions
#-----------------------------------------------------------------------------

def load_configuration(file_path):
    conf = {
        'couch_url': 'http://localhost:5984',
        'working_dir': '/tmp',
        'public_dbs': 'keys',
        'prefix': '/soledad/',
    }
    config = configparser.ConfigParser()
    config.read(file_path)
    if 'soledad-server' in config:
        for key in conf:
            if key in config['soledad-server']:
                conf[key] = config['soledad-server'][key]
    # TODO: implement basic parsing/sanitization of options comming from
    # config file.
    return conf


#-----------------------------------------------------------------------------
# Run as Twisted WSGI Resource
#-----------------------------------------------------------------------------

# TODO: create command-line option for choosing config file.
conf = load_configuration('/etc/leap/soledad-server.ini')
state = CouchServerState(conf['couch_url'])
# TODO: change working dir to something meaningful (maybe eliminate it)
state.set_workingdir(conf['working_dir'])

application = SoledadAuthMiddleware(
    SoledadApp(state),
    conf['prefix'],
    conf['public_dbs'].split(','))

resource = WSGIResource(reactor, reactor.getThreadPool(), application)