Commit | Line | Data |
---|---|---|
a2916c06 MW |
1 | ### -*-python-*- |
2 | ### | |
3 | ### Services | |
4 | ### | |
5 | ### (c) 2013 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This file is part of Chopwood: a password-changing service. | |
11 | ### | |
12 | ### Chopwood is free software; you can redistribute it and/or modify | |
13 | ### it under the terms of the GNU Affero General Public License as | |
14 | ### published by the Free Software Foundation; either version 3 of the | |
15 | ### License, or (at your option) any later version. | |
16 | ### | |
17 | ### Chopwood is distributed in the hope that it will be useful, | |
18 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
19 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
20 | ### GNU Affero General Public License for more details. | |
21 | ### | |
22 | ### You should have received a copy of the GNU Affero General Public | |
23 | ### License along with Chopwood; if not, see | |
24 | ### <http://www.gnu.org/licenses/>. | |
25 | ||
26 | from __future__ import with_statement | |
27 | ||
28 | import os as OS | |
29 | import re as RX | |
30 | import subprocess as SUB | |
31 | ||
32 | from auto import HOME | |
33 | import backend as B | |
ac377b4f | 34 | import cgi as CGI |
a2916c06 MW |
35 | import config as CONF; CFG = CONF.CFG |
36 | import hash as H | |
37 | import util as U | |
38 | ||
39 | ###-------------------------------------------------------------------------- | |
40 | ### Protocol. | |
41 | ### | |
42 | ### A service is a thing for which a user might have an account, with a login | |
43 | ### name and password. The service protocol is fairly straightforward: a | |
44 | ### password can be set to a particular value using `setpasswd' (which | |
45 | ### handles details of hashing and so on), or cleared (i.e., preventing | |
46 | ### logins using a password) using `clearpasswd'. Services also present | |
47 | ### `friendly' names, used by the user interface. | |
48 | ### | |
49 | ### A service may be local or remote. Local services are implemented in | |
50 | ### terms of a backend and hashing scheme. Information about a particular | |
51 | ### user of a service is maintained in an `account' object which keeps track | |
52 | ### of the backend record and hashing scheme; the service protocol operations | |
53 | ### are handed off to the account. Accounts provide additional protocol for | |
54 | ### clients which are willing to restrict themselves to the use of local | |
55 | ### services. | |
56 | ### | |
57 | ### A remote service doesn't have local knowledge of the password database: | |
58 | ### instead, it simply sends commands corresponding to the service protocol | |
59 | ### operations to some external service which is expected to act on them. | |
60 | ### The implementation here uses SSH, and the remote end is expected to be | |
61 | ### provided by another instance of `chpwd', but that needn't be the case: | |
62 | ### the protocol is very simple. | |
63 | ||
64 | UnknownUser = B.UnknownUser | |
65 | ||
66 | class IncorrectPassword (Exception): | |
67 | """ | |
68 | A failed password check is reported via an exception. | |
69 | ||
70 | This is /not/ an `ExpectedError', since we anticipate that whoever called | |
71 | `check' will have made their own arrangements to deal with the failure in | |
72 | some more useful way. | |
73 | """ | |
74 | pass | |
75 | ||
76 | class BasicService (object): | |
77 | """ | |
78 | A simple base class for services. | |
79 | """ | |
80 | ||
788a729c | 81 | def __init__(me, friendly, name = None, *args, **kw): |
a2916c06 | 82 | super(BasicService, me).__init__(*args) |
788a729c | 83 | me.name = name |
a2916c06 MW |
84 | me.friendly = friendly |
85 | me.meta = kw | |
86 | ||
87 | ###-------------------------------------------------------------------------- | |
88 | ### Local services. | |
89 | ||
90 | class Account (object): | |
91 | """ | |
92 | An account represents information about a user of a particular service. | |
93 | ||
94 | From here, we can implement the service protocol operations, and also check | |
95 | passwords. | |
96 | ||
97 | Users are expected to acquire account objects via the `lookup' method of a | |
98 | `LocalService' or similar. | |
99 | """ | |
100 | ||
101 | def __init__(me, svc, rec): | |
102 | """ | |
103 | Create a new account, for the service SVC, holding the user record REC. | |
104 | """ | |
105 | me._svc = svc | |
106 | me._rec = rec | |
107 | me._hash = svc.hash | |
108 | ||
109 | def check(me, passwd): | |
110 | """ | |
111 | Check the password PASSWD against the information we have. If the | |
112 | password is correct, return normally; otherwise, raise | |
113 | `IncorrectPassword'. | |
114 | """ | |
115 | if not me._hash.check(me._rec, me._rec.passwd, passwd): | |
116 | raise IncorrectPassword | |
117 | ||
118 | def clearpasswd(me): | |
119 | """Service protocol: clear the user's password.""" | |
120 | if me._hash.NULL is None: | |
121 | raise U.ExpectedError, (400, "Can't clear this password") | |
122 | me._rec.passwd = me._hash.NULL | |
123 | me._rec.write() | |
124 | ||
125 | def setpasswd(me, passwd): | |
126 | """Service protocol: set the user's password to PASSWD.""" | |
127 | passwd = me._hash.hash(me._rec, passwd) | |
128 | me._rec.passwd = passwd | |
129 | me._rec.write() | |
130 | ||
131 | class LocalService (BasicService): | |
132 | """ | |
133 | A local service has immediate knowledge of a hashing scheme and a password | |
134 | storage backend. (Knowing connection details for a remote database server | |
135 | is enough to qualify for being a `local' service. The important bit is | |
136 | that the hashed passwords are exposed to us.) | |
137 | ||
138 | The service protocol is implemented via an `Account', acquired through the | |
139 | `find' method. Mainly for the benefit of the `Account' class, the | |
140 | service's hashing scheme is exposed in the `hash' attribute. | |
141 | """ | |
142 | ||
143 | def __init__(me, backend, hash, *args, **kw): | |
144 | """ | |
145 | Create a new local service with a FRIENDLY name, using the given BACKEND | |
146 | and HASH scheme. | |
147 | """ | |
148 | super(LocalService, me).__init__(*args, **kw) | |
149 | me._be = backend | |
150 | me.hash = hash | |
151 | ||
152 | def find(me, user): | |
153 | """Find the named USER, returning an `Account' object.""" | |
154 | rec = me._be.lookup(user) | |
155 | return Account(me, rec) | |
156 | ||
157 | def setpasswd(me, user, passwd): | |
158 | """Service protcol: set USER's password to PASSWD.""" | |
159 | me.find(user).setpasswd(passwd) | |
160 | ||
161 | def clearpasswd(me, user): | |
162 | """Service protocol: clear USER's password, preventing logins.""" | |
163 | me.find(user).clearpasswd() | |
164 | ||
165 | CONF.export('LocalService') | |
166 | ||
167 | ###-------------------------------------------------------------------------- | |
168 | ### Remote services. | |
169 | ||
170 | class BasicRemoteService (BasicService): | |
171 | """ | |
172 | A remote service transmits the simple service protocol operations to some | |
173 | remote system, which presumably is better able to implement them than we | |
174 | are. This is useful if, for example, the password file isn't available to | |
175 | us, or we don't have (or can't be allowed to have) access to the database | |
176 | tables containing password hashes, or must synchronize updates with some | |
177 | remote process. It can also be useful to integrate with services which | |
178 | don't present a conventional password file. | |
179 | ||
180 | This class provides common machinery for communicating with various kinds | |
181 | of remote service. Specific subclasses are provided for transporting | |
182 | requests through SSH and GNU Userv; others can be added easily in local | |
183 | configuration. | |
184 | """ | |
185 | ||
186 | def _run(me, cmd, input = None): | |
187 | """ | |
188 | This is the core of the remote service machinery. It issues a command | |
189 | and parses the response. It will generate strings of informational | |
190 | output from the command; error responses cause appropriate exceptions to | |
191 | be raised. | |
192 | ||
193 | The command is determined by passing the CMD argument to the `_mkcmd' | |
194 | method, which a subclass must implement; it should return a list of | |
195 | command-line arguments suitable for `subprocess.Popen'. The INPUT is a | |
196 | string to make available on the command's stdin; if None, then no input | |
197 | is provided to the command. The `_describe' method must provide a | |
198 | description of the remote service for use in timeout messages. | |
199 | ||
200 | We expect output on stdout in a simple line-based format. The first | |
201 | whitespace-separated token on each line is a type code: `OK' means the | |
202 | command completed successfully; `INFO' means the rest of the line is some | |
203 | useful (and expected) information; and `ERR' means an error occurred: the | |
204 | next token is an HTTP integer status code, and the remainder is a | |
205 | human-readable message. | |
206 | """ | |
207 | ||
208 | ## Run the command and collect its output and status. | |
ac377b4f | 209 | with U.timeout(30, "waiting for remote service %s" % me._describe()): |
a2916c06 MW |
210 | proc = SUB.Popen(me._mkcmd(cmd), |
211 | stdin = input is not None and SUB.PIPE or None, | |
212 | stdout = SUB.PIPE, stderr = SUB.PIPE) | |
213 | out, err = proc.communicate(input) | |
214 | st = proc.wait() | |
215 | ||
216 | ## If the program failed then report this: it obviously didn't work | |
217 | ## properly. | |
218 | if st or err: | |
219 | raise U.ExpectedError, ( | |
220 | 500, 'Remote service error: %r (rc = %d)' % (err, st)) | |
221 | ||
222 | ## Split a word off the front of a string; return the word and the | |
223 | ## remaining string. | |
224 | def nextword(line): | |
225 | ww = line.split(None, 1) | |
226 | n = len(ww) | |
227 | if not n: return None | |
228 | elif n == 1: return ww[0], '' | |
229 | else: return ww | |
230 | ||
231 | ## Work through the lines, parsing them. | |
232 | win = False | |
233 | for line in out.splitlines(): | |
234 | type, rest = nextword(line) | |
235 | if type == 'ERR': | |
236 | code, msg = nextword(rest) | |
237 | raise U.ExpectedError, (int(code), msg) | |
238 | elif type == 'INFO': | |
239 | yield rest | |
240 | elif type == 'OK': | |
241 | win = True | |
242 | else: | |
243 | raise U.ExpectedError, \ | |
244 | (500, 'Incomprehensible reply from remote service: %r' % line) | |
245 | ||
246 | ## If we didn't get any kind of verdict then something weird has | |
247 | ## happened. | |
248 | if not win: | |
249 | raise U.ExpectedError, (500, 'No reply from remote service') | |
250 | ||
251 | def _run_noout(me, cmd, input = None): | |
252 | """Like `_run', but expect no output.""" | |
253 | for _ in me._run(cmd, input): | |
254 | raise U.ExpectedError, (500, 'Unexpected output from remote service') | |
255 | ||
256 | class SSHRemoteService (BasicRemoteService): | |
257 | """ | |
258 | A remote service transported over SSH. | |
259 | ||
260 | The remote service is given commands of the form | |
261 | ||
262 | `set SERVICE USER' | |
263 | Set USER's password for SERVICE to the password provided on the next | |
264 | line of standard input. | |
265 | ||
266 | `clear SERVICE USER' | |
267 | Clear the USER's password for SERVICE. | |
268 | ||
269 | Arguments are form-url-encoded, since SSH doesn't preserve token boundaries | |
270 | in its argument list. | |
271 | ||
272 | It is expected that the remote user has an `.ssh/authorized_keys' file | |
273 | entry for us specifying a program to be run; the above commands will be | |
274 | left available to this program in the environment variable | |
275 | `SSH_ORIGINAL_COMMAND'. | |
276 | """ | |
277 | ||
278 | def __init__(me, remote, name, *args, **kw): | |
279 | """ | |
280 | Initialize an SSH remote service, contacting the SSH user REMOTE | |
281 | (probably of the form `LOGIN@HOSTNAME') and referring to the service | |
282 | NAME. | |
283 | """ | |
284 | super(SSHRemoteService, me).__init__(*args, **kw) | |
285 | me._remote = remote | |
286 | me._name = name | |
287 | ||
288 | def _describe(me): | |
289 | """Description of the remote service.""" | |
290 | return "`%s' via SSH to `%s'" % (me._name, me._remote), | |
291 | ||
292 | def _mkcmd(me, cmd): | |
293 | """Format a command for SSH. Mainly escaping arguments.""" | |
ac377b4f | 294 | return ['ssh', me._remote, ' '.join(map(CGI.urlencode, cmd))] |
a2916c06 MW |
295 | |
296 | def setpasswd(me, user, passwd): | |
297 | """Service protocol: set the USER's password to PASSWD.""" | |
298 | me._run_noout(['set', me._name, user], passwd + '\n') | |
299 | ||
300 | def clearpasswd(me, user): | |
301 | """Service protocol: clear the USER's password.""" | |
302 | me._run_noout(['clear', me._name, user]) | |
303 | ||
304 | CONF.export('SSHRemoteService') | |
305 | ||
306 | class CommandRemoteService (BasicRemoteService): | |
307 | """ | |
308 | A remote service transported over a standard Unix command. | |
309 | ||
310 | This is left rather generic. We need to know some command lists SET and | |
311 | CLEAR containing the relevant service names and arguments. These are | |
312 | simply executed, after simple placeholder substitution. | |
313 | ||
314 | The SET command should read a password as its first line on stdin, and set | |
315 | that as the user's new password. The CLEAR command should simply prevent | |
316 | the user from logging in with a password. On success, the commands should | |
317 | print a line `OK' to standard output, and on any kind of anticipated | |
318 | failure, they should print `ERR' followed by an HTTP status code and a | |
319 | message; in either case, the program should exit with status zero. In | |
320 | disastrous cases, it's acceptable to print an error message to stderr | |
321 | and/or exit with a nonzero status. | |
322 | ||
323 | The placeholders are as follows. | |
324 | ||
325 | `%u' the user's name | |
326 | `%%' a single `%' character | |
327 | """ | |
328 | ||
329 | R_PAT = RX.compile('%(.)') | |
330 | ||
331 | def __init__(me, set, clear, *args, **kw): | |
74b87214 | 332 | """Initialize the command remote service.""" |
a2916c06 MW |
333 | super(CommandRemoteService, me).__init__(*args, **kw) |
334 | me._set = set | |
335 | me._clear = clear | |
336 | me._map = dict(u = user) | |
337 | ||
99968b29 MW |
338 | def _describe(me): |
339 | """Description of the remote service.""" | |
340 | return "`%s' command service (%s)" % (me.name, ' '.join(me._default)) | |
341 | ||
a2916c06 MW |
342 | def _subst(me, c): |
343 | """Return the substitution for the placeholder `%C'.""" | |
344 | return me._map.get(c, c) | |
345 | ||
346 | def _mkcmd(me, cmd): | |
347 | """Construct the command to be executed, by substituting placeholders.""" | |
348 | return [me.R_PAT.sub(lambda m: me._subst(m.group(1))) for arg in cmd] | |
349 | ||
350 | def setpasswd(me, user, passwd): | |
351 | """Service protocol: set the USER's password to PASSWD.""" | |
352 | me._run_noout(me._set, passwd + '\n') | |
353 | ||
354 | def clearpasswd(me, user): | |
355 | """Service protocol: clear the USER's password.""" | |
356 | me._run_noout(me._clear) | |
357 | ||
358 | CONF.export('CommandRemoteService') | |
359 | ||
360 | ###-------------------------------------------------------------------------- | |
361 | ### Services registry. | |
362 | ||
363 | ## The registry of services. | |
364 | SERVICES = {} | |
365 | CONF.export('SERVICES') | |
366 | ||
367 | ## Set some default configuration. | |
368 | CONF.DEFAULTS.update( | |
369 | ||
370 | ## The master database, as a pair (MODNAME, MODARGS). | |
371 | DB = ('sqlite3', [OS.path.join(HOME, 'chpwd.db')]), | |
372 | ||
373 | ## The hash to use for our master password database. | |
374 | HASH = H.CryptHash('md5')) | |
375 | ||
376 | ## Post-configuration hook: add the master service. | |
377 | @CONF.hook | |
378 | def add_master_service(): | |
379 | dbmod, dbargs = CFG.DB | |
380 | SERVICES['master'] = \ | |
381 | LocalService(B.DatabaseBackend(dbmod, dbargs, | |
382 | 'users', 'user', 'passwd'), | |
383 | CFG.HASH, | |
384 | friendly = 'Password changing service') | |
788a729c MW |
385 | for name, svc in SERVICES.iteritems(): |
386 | if svc.name is None: svc.name = name | |
a2916c06 MW |
387 | |
388 | ###----- That's all, folks -------------------------------------------------- |