tahoe-lafs/src/allmydata/web/logs.py

from __future__ import (
    print_function,
    unicode_literals,
    absolute_import,
    division,
)

import json

from autobahn.twisted.resource import WebSocketResource
from autobahn.twisted.websocket import (
    WebSocketServerFactory,
    WebSocketServerProtocol,
)
from autobahn.websocket.types import ConnectionDeny

import eliot

from twisted.web.resource import (
    Resource,
)

from allmydata.util.hashutil import (
    timing_safe_compare,
)


class TokenAuthenticatedWebSocketServerProtocol(WebSocketServerProtocol):
    """
    A WebSocket protocol that looks for an `Authorization:` header
    with a `tahoe-lafs` scheme and a token matching our private config
    for `api_auth_token`.
    """

    def onConnect(self, req):
        """
        WebSocket callback
        """
        if b'authorization' in req.headers:
            auth = req.headers[b'authorization'].encode('ascii').split(b' ', 1)
            if len(auth) == 2:
                tag, token = auth
                if tag == b"tahoe-lafs":
                    if timing_safe_compare(token, self.factory.tahoe_client.get_auth_token()):
                        # we don't care what WebSocket sub-protocol is
                        # negotiated, nor do we need to send headers to the
                        # client, so we ask Autobahn to just allow this
                        # connection with the defaults. We could return a
                        # (headers, protocol) pair here instead if required.
                        return None

        # everything else -- i.e. no Authorization header, or it's
        # wrong -- means we deny the websocket connection
        raise ConnectionDeny(
            code=ConnectionDeny.NOT_ACCEPTABLE,
            reason=u"Invalid or missing token"
        )

    def _received_eliot_log(self, message):
        """
        While this WebSocket connection is open, this function is
        registered as an eliot destination
        """
        # probably want a try/except around here? what do we do if
        # transmission fails or anything else bad happens?
        self.sendMessage(json.dumps(message))

    def onOpen(self):
        """
        WebSocket callback
        """
        eliot.add_destination(self._received_eliot_log)

    def onClose(self, wasClean, code, reason):
        """
        WebSocket callback
        """
        try:
            eliot.remove_destination(self._received_eliot_log)
        except ValueError:
            pass


def create_log_streaming_resource(client):
    """
    Create a new resource that accepts WebSocket connections if they
    include a correct `Authorization: tahoe-lafs <api_auth_token>`
    header (where `api_auth_token` matches the private configuration
    value).
    """
    factory = WebSocketServerFactory()
    factory.tahoe_client = client
    factory.protocol = TokenAuthenticatedWebSocketServerProtocol
    return WebSocketResource(factory)


def create_log_resources(client):
    logs = Resource()
    logs.putChild(b"v1", create_log_streaming_resource(client))
    return logs
futurize 2019-03-21 19:01:14 +00:00			`from __future__ import (`
			`print_function,`
			`unicode_literals,`
			`absolute_import,`
			`division,`
			`)`

make more things work 2019-03-21 07:37:47 +00:00			`import json`

prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00			`from autobahn.twisted.resource import WebSocketResource`
import cleanups 2019-03-21 19:01:25 +00:00			`from autobahn.twisted.websocket import (`
			`WebSocketServerFactory,`
			`WebSocketServerProtocol,`
			`)`
prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00			`from autobahn.websocket.types import ConnectionDeny`

make more things work 2019-03-21 07:37:47 +00:00			`import eliot`

Create the /private hierarchy 2019-03-21 19:00:57 +00:00			`from twisted.web.resource import (`
			`Resource,`
			`)`
prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00
import cleanups 2019-03-21 19:01:25 +00:00			`from allmydata.util.hashutil import (`
			`timing_safe_compare,`
			`)`

prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00
			`class TokenAuthenticatedWebSocketServerProtocol(WebSocketServerProtocol):`
			`"""`
refactor 2019-03-21 07:52:45 +00:00			A WebSocket protocol that looks for an `Authorization:` header
			with a `tahoe-lafs` scheme and a token matching our private config
			for `api_auth_token`.
prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00			`"""`

			`def onConnect(self, req):`
refactor 2019-03-21 07:52:45 +00:00			`"""`
			`WebSocket callback`
			`"""`
futurize 2019-03-21 19:01:14 +00:00			`if b'authorization' in req.headers:`
			`auth = req.headers[b'authorization'].encode('ascii').split(b' ', 1)`
make more things work 2019-03-21 07:37:47 +00:00			`if len(auth) == 2:`
			`tag, token = auth`
futurize 2019-03-21 19:01:14 +00:00			`if tag == b"tahoe-lafs":`
make more things work 2019-03-21 07:37:47 +00:00			`if timing_safe_compare(token, self.factory.tahoe_client.get_auth_token()):`
			`# we don't care what WebSocket sub-protocol is`
			`# negotiated, nor do we need to send headers to the`
			`# client, so we ask Autobahn to just allow this`
			`# connection with the defaults. We could return a`
			`# (headers, protocol) pair here instead if required.`
			`return None`
prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00
			`# everything else -- i.e. no Authorization header, or it's`
			`# wrong -- means we deny the websocket connection`
			`raise ConnectionDeny(`
make more things work 2019-03-21 07:37:47 +00:00			`code=ConnectionDeny.NOT_ACCEPTABLE,`
prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00			`reason=u"Invalid or missing token"`
			`)`

make more things work 2019-03-21 07:37:47 +00:00			`def _received_eliot_log(self, message):`
refactor 2019-03-21 07:52:45 +00:00			`"""`
			`While this WebSocket connection is open, this function is`
			`registered as an eliot destination`
			`"""`
make more things work 2019-03-21 07:37:47 +00:00			`# probably want a try/except around here? what do we do if`
refactor 2019-03-21 07:52:45 +00:00			`# transmission fails or anything else bad happens?`
make more things work 2019-03-21 07:37:47 +00:00			`self.sendMessage(json.dumps(message))`
prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00
make more things work 2019-03-21 07:37:47 +00:00			`def onOpen(self):`
refactor 2019-03-21 07:52:45 +00:00			`"""`
			`WebSocket callback`
			`"""`
make more things work 2019-03-21 07:37:47 +00:00			`eliot.add_destination(self._received_eliot_log)`
prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00
make more things work 2019-03-21 07:37:47 +00:00			`def onClose(self, wasClean, code, reason):`
refactor 2019-03-21 07:52:45 +00:00			`"""`
			`WebSocket callback`
			`"""`
make more things work 2019-03-21 07:37:47 +00:00			`try:`
			`eliot.remove_destination(self._received_eliot_log)`
			`except ValueError:`
			`pass`
prototype token-authenticated WebSocket stream 2019-03-21 00:14:47 +00:00

don't compute the url, it doesn't seem to be necessary 2019-03-21 17:58:46 +00:00			`def create_log_streaming_resource(client):`
make more things work 2019-03-21 07:37:47 +00:00			`"""`
			`Create a new resource that accepts WebSocket connections if they`
			include a correct `Authorization: tahoe-lafs <api_auth_token>`
			header (where `api_auth_token` matches the private configuration
			`value).`
			`"""`
don't compute the url, it doesn't seem to be necessary 2019-03-21 17:58:46 +00:00			`factory = WebSocketServerFactory()`
make more things work 2019-03-21 07:37:47 +00:00			`factory.tahoe_client = client`
			`factory.protocol = TokenAuthenticatedWebSocketServerProtocol`
			`return WebSocketResource(factory)`
Create the /private hierarchy 2019-03-21 19:00:57 +00:00

			`def create_log_resources(client):`
			`logs = Resource()`
			`logs.putChild(b"v1", create_log_streaming_resource(client))`
			`return logs`