certidude/certidude/decorators.py

import click
import ipaddress
import json
import logging
import os
import types
from datetime import date, time, datetime, timedelta
from urllib.parse import urlparse

logger = logging.getLogger("api")

def csrf_protection(func):
    """
    Protect resource from common CSRF attacks by checking user agent and referrer
    """
    import falcon
    def wrapped(self, req, resp, *args, **kwargs):
        # Assume curl and python-requests are used intentionally
        if req.user_agent.startswith("curl/") or req.user_agent.startswith("python-requests/"):
            return func(self, req, resp, *args, **kwargs)

        # For everything else assert referrer
        referrer = req.headers.get("REFERER")


        if referrer:
            scheme, netloc, path, params, query, fragment = urlparse(referrer)
            if ":" in netloc:
                host, port = netloc.split(":", 1)
            else:
                host, port = netloc, None
            if host == req.host:
                return func(self, req, resp, *args, **kwargs)

        # Kaboom!
        logger.warning("Prevented clickbait from '%s' with user agent '%s'",
            referrer or "-", req.user_agent)
        raise falcon.HTTPForbidden("Forbidden",
            "No suitable UA or referrer provided, cross-site scripting disabled")
    return wrapped


class MyEncoder(json.JSONEncoder):
    def default(self, obj):
        from certidude.user import User
        if isinstance(obj, ipaddress._IPAddressBase):
            return str(obj)
        if isinstance(obj, set):
            return tuple(obj)
        if isinstance(obj, datetime):
            return obj.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
        if isinstance(obj, date):
            return obj.strftime("%Y-%m-%d")
        if isinstance(obj, timedelta):
            return obj.total_seconds()
        if isinstance(obj, types.GeneratorType):
            return tuple(obj)
        if isinstance(obj, User):
            return dict(name=obj.name, given_name=obj.given_name,
                surname=obj.surname, mail=obj.mail)
        return json.JSONEncoder.default(self, obj)


def serialize(func):
    """
    Falcon response serialization
    """
    import falcon
    def wrapped(instance, req, resp, **kwargs):
        retval = func(instance, req, resp, **kwargs)
        if not resp.body and not resp.location:
            if not req.client_accepts("application/json"):
                logger.debug("Client did not accept application/json")
                raise falcon.HTTPUnsupportedMediaType(
                    "Client did not accept application/json")
            resp.set_header("Cache-Control", "no-cache, no-store, must-revalidate")
            resp.set_header("Pragma", "no-cache")
            resp.set_header("Expires", "0")
            resp.body = json.dumps(retval, cls=MyEncoder)
    return wrapped
Add dynamic package installation via decorators 2017-04-13 22:30:20 +00:00			`import click`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`import ipaddress`
			`import json`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`import logging`
Add dynamic package installation via decorators 2017-04-13 22:30:20 +00:00			`import os`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`import types`
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00			`from datetime import date, time, datetime, timedelta`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`from urllib.parse import urlparse`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00
			`logger = logging.getLogger("api")`

			`def csrf_protection(func):`
			`"""`
			`Protect resource from common CSRF attacks by checking user agent and referrer`
			`"""`
Add dynamic package installation via decorators 2017-04-13 22:30:20 +00:00			`import falcon`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`def wrapped(self, req, resp, args, *kwargs):`
			`# Assume curl and python-requests are used intentionally`
			`if req.user_agent.startswith("curl/") or req.user_agent.startswith("python-requests/"):`
			`return func(self, req, resp, args, *kwargs)`

			`# For everything else assert referrer`
			`referrer = req.headers.get("REFERER")`
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials 2016-09-17 21:00:14 +00:00

Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`if referrer:`
			`scheme, netloc, path, params, query, fragment = urlparse(referrer)`
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials 2016-09-17 21:00:14 +00:00			`if ":" in netloc:`
			`host, port = netloc.split(":", 1)`
			`else:`
			`host, port = netloc, None`
			`if host == req.host:`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`return func(self, req, resp, args, *kwargs)`

			`# Kaboom!`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`logger.warning("Prevented clickbait from '%s' with user agent '%s'",`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`referrer or "-", req.user_agent)`
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials 2016-09-17 21:00:14 +00:00			`raise falcon.HTTPForbidden("Forbidden",`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`"No suitable UA or referrer provided, cross-site scripting disabled")`
			`return wrapped`

Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
			`class MyEncoder(json.JSONEncoder):`
			`def default(self, obj):`
Several updates #2 * Reverse RDN components for all certs * Less side effects in unittests * Split help dialog shell snippets into separate files * Restore 'admin subnets' config option * Embedded subnets, IKE and ESP proposals now configurable in builder.conf * Use expr instead of bc for math operations in shell * Better frontend support for Let's Encrypt certificates 2018-05-02 08:11:01 +00:00			`from certidude.user import User`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`if isinstance(obj, ipaddress._IPAddressBase):`
			`return str(obj)`
			`if isinstance(obj, set):`
			`return tuple(obj)`
			`if isinstance(obj, datetime):`
			`return obj.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"`
			`if isinstance(obj, date):`
			`return obj.strftime("%Y-%m-%d")`
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00			`if isinstance(obj, timedelta):`
			`return obj.total_seconds()`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`if isinstance(obj, types.GeneratorType):`
			`return tuple(obj)`
Refactor users, add OpenVPN and mailing support * Add abstraction for user objects * Mail authority admins about pending, revoked and signed certificates * Add NetworkManager's OpenVPN plugin support * Improve CRL support * Refactor CSRF protection * Update documentation 2016-03-27 20:38:14 +00:00			`if isinstance(obj, User):`
			`return dict(name=obj.name, given_name=obj.given_name,`
			`surname=obj.surname, mail=obj.mail)`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`return json.JSONEncoder.default(self, obj)`


			`def serialize(func):`
			`"""`
			`Falcon response serialization`
			`"""`
Add dynamic package installation via decorators 2017-04-13 22:30:20 +00:00			`import falcon`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`def wrapped(instance, req, resp, **kwargs):`
api: Fix request submission form 2018-01-02 14:49:06 +00:00			`retval = func(instance, req, resp, **kwargs)`
			`if not resp.body and not resp.location:`
			`if not req.client_accepts("application/json"):`
			`logger.debug("Client did not accept application/json")`
			`raise falcon.HTTPUnsupportedMediaType(`
			`"Client did not accept application/json")`
			`resp.set_header("Cache-Control", "no-cache, no-store, must-revalidate")`
			`resp.set_header("Pragma", "no-cache")`
			`resp.set_header("Expires", "0")`
			`resp.body = json.dumps(retval, cls=MyEncoder)`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`return wrapped`