certidude/certidude/api/attrib.py

import falcon
import logging
import re
from xattr import setxattr, listxattr, removexattr
from certidude import push
from certidude.decorators import serialize, csrf_protection
from certidude.firewall import whitelist_subject
from certidude.auth import login_required, authorize_admin

logger = logging.getLogger(__name__)

class AttributeResource(object):
    def __init__(self, authority, namespace):
        self.authority = authority
        self.namespace = namespace

    @serialize
    @login_required
    @authorize_admin
    def on_get(self, req, resp, cn):
        """
        Return extended attributes stored on the server.
        This not only contains tags and lease information,
        but might also contain some other sensitive information.
        Results made available only to lease IP address.
        """
        try:
            path, buf, cert, attribs = self.authority.get_attributes(cn, namespace=self.namespace)
        except IOError:
            raise falcon.HTTPNotFound()
        else:
            return attribs

    @csrf_protection
    @whitelist_subject # TODO: sign instead
    def on_post(self, req, resp, cn):
        namespace = ("user.%s." % self.namespace).encode("ascii")
        try:
            path, buf, cert, signed, expires = self.authority.get_signed(cn)
        except IOError:
            raise falcon.HTTPNotFound()
        else:
            for key in req.params:
                if not re.match("[a-z0-9_\.]+$", key):
                    raise falcon.HTTPBadRequest("Invalid key")
            valid = set()
            for key, value in req.params.items():
                identifier = ("user.%s.%s" % (self.namespace, key)).encode("ascii")
                setxattr(path, identifier, value.encode("utf-8"))
                valid.add(identifier)
            for key in listxattr(path):
                if not key.startswith(namespace):
                    continue
                if key not in valid:
                    removexattr(path, key)
            push.publish("attribute-update", cn)
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00			`import falcon`
			`import logging`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`import re`
			`from xattr import setxattr, listxattr, removexattr`
api: attrib: drop usage of global authority import 2018-02-03 10:37:06 +00:00			`from certidude import push`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`from certidude.decorators import serialize, csrf_protection`
			`from certidude.firewall import whitelist_subject`
api: attrib: Drop unused imports 2018-02-03 11:13:46 +00:00			`from certidude.auth import login_required, authorize_admin`
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00
Add file based rotating log handler 2017-04-04 05:02:08 +00:00			`logger = logging.getLogger(__name__)`
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00
			`class AttributeResource(object):`
api: attrib: drop usage of global authority import 2018-02-03 10:37:06 +00:00			`def __init__(self, authority, namespace):`
			`self.authority = authority`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`self.namespace = namespace`

Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00			`@serialize`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`@login_required`
			`@authorize_admin`
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00			`def on_get(self, req, resp, cn):`
			`"""`
			`Return extended attributes stored on the server.`
			`This not only contains tags and lease information,`
			`but might also contain some other sensitive information.`
tests: Lease and attribute API call fixes 2017-05-04 10:02:14 +00:00			`Results made available only to lease IP address.`
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00			`"""`
Fix attribute API call whitelist handling 2017-03-26 16:58:29 +00:00			`try:`
api: attrib: drop usage of global authority import 2018-02-03 10:37:06 +00:00			`path, buf, cert, attribs = self.authority.get_attributes(cn, namespace=self.namespace)`
Fix attribute API call whitelist handling 2017-03-26 16:58:29 +00:00			`except IOError:`
			`raise falcon.HTTPNotFound()`
			`else:`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`return attribs`
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`@csrf_protection`
			`@whitelist_subject # TODO: sign instead`
			`def on_post(self, req, resp, cn):`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`namespace = ("user.%s." % self.namespace).encode("ascii")`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`try:`
api: attrib: drop usage of global authority import 2018-02-03 10:37:06 +00:00			`path, buf, cert, signed, expires = self.authority.get_signed(cn)`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`except IOError:`
			`raise falcon.HTTPNotFound()`
			`else:`
			`for key in req.params:`
			`if not re.match("[a-z0-9_\.]+$", key):`
			`raise falcon.HTTPBadRequest("Invalid key")`
			`valid = set()`
			`for key, value in req.params.items():`
			`identifier = ("user.%s.%s" % (self.namespace, key)).encode("ascii")`
			`setxattr(path, identifier, value.encode("utf-8"))`
			`valid.add(identifier)`
			`for key in listxattr(path):`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`if not key.startswith(namespace):`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`continue`
			`if key not in valid:`
			`removexattr(path, key)`
			`push.publish("attribute-update", cn)`
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00