#!/bin/env python

# -*- coding: utf-8 -*-

# ------------------------------------------------------------

# opensecurity_client_restful_server

# 

# the OpenSecurity client RESTful server

#

# Autor: Oliver Maurhart, <oliver.maurhart@ait.ac.at>

#

# Copyright (C) 2013 AIT Austrian Institute of Technology

# AIT Austrian Institute of Technology GmbH

# Donau-City-Strasse 1 | 1220 Vienna | Austria

# http://www.ait.ac.at

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation version 2.

# 

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

# 

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, 

# Boston, MA  02110-1301, USA.

# ------------------------------------------------------------

# ------------------------------------------------------------

# imports

import getpass

import glob

import json

import os

import os.path

import pickle

import platform

import socket

import subprocess

import sys

import threading

import time

import urllib

import urllib2

import web

import threading

import time

import string

import win32api

import win32con

from opensecurity_util import logger, setupLogger, OpenSecurityException

if sys.platform == 'win32' or sys.platform == 'cygwin':

    from cygwin import Cygwin

# local

import __init__ as opensecurity

from environment import Environment

# ------------------------------------------------------------

# const

"""All the URLs we know mapping to class handler"""

opensecurity_urls = (

    '/credentials',             'os_credentials',

    '/keyfile',                 'os_keyfile',

    '/log',                     'os_log',

    '/notification',            'os_notification',

    '/password',                'os_password',

    '/netmount',                'os_netmount',

    '/netumount',               'os_netumount',

    '/',                        'os_root'

)

# ------------------------------------------------------------

# vars

"""lock for read/write log file"""

log_file_lock = threading.Lock()

"""timer for the log file bouncer"""

log_file_bouncer = None

"""The REST server object"""

server = None

# ------------------------------------------------------------

# code

class os_credentials:

    """OpenSecurity '/credentials' handler.

    This is called on GET /credentials?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    credentials based the given TEXT.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'credentials', args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process, remote_ip, '/credentials')

        bouncer.start()

        return 'user queried for credentials'

class os_keyfile:

    """OpenSecurity '/keyfile' handler.

    This is called on GET /keyfile?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    password along with a keyfile.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'keyfile', args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process, remote_ip, '/keyfile')

        bouncer.start()

        return 'user queried for password and keyfile'

class os_log:

    """OpenSecurity '/log' handler.

    This is called on GET or POST on the log function /log

    """

    def GET(self):

        # pick the arguments

        self.POST()

    def POST(self):

        # pick the arguments

        args = web.input()

        args['user'] = getpass.getuser()

        args['system'] = platform.node() + " " + platform.system() + " " + platform.release()

        # add these to new data to log

        global log_file_lock

        log_file_name = os.path.join(Environment('OpenSecurity').log_path, 'vm_new.log')

        log_file_lock.acquire()

        pickle.dump(args,  open(log_file_name, 'ab'))

        log_file_lock.release()

        return "Ok"

class os_notification:

    """OpenSecurity '/notification' handler.

    This is called on GET /notification?msgtype=TYPE&text=TEXT.

    This will pop up an OpenSecurity notifcation window

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a type

        if not "msgtype" in args:

            raise web.badrequest('no msgtype given')

        if not args.msgtype in ['information', 'warning', 'critical']:

            raise web.badrequest('Unknown value for msgtype')

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # invoke the user dialog as a subprocess

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.py')

        process_command = [sys.executable, dlg_image, 'notification-' + args.msgtype, args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)

        return "Ok"

class os_password:

    """OpenSecurity '/password' handler.

    This is called on GET /password?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    password based device name.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'password', args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process, remote_ip, '/password')

        bouncer.start()

        return 'user queried for password'

# handles netumount request                    

class MountNetworkDriveHandler(threading.Thread): 

    drive = None

    resource = None

    def __init__(self, drv, net_path):

        threading.Thread.__init__(self)

        self.drive = drv

        self.networkPath = net_path

    def run(self):

        #Check for drive availability

        if os.path.exists(self.drive):

            logger.error("Drive letter is already in use: " + self.drive)

            return 1

        #Check for network resource availability

        retry = 5

        while not os.path.exists(self.networkPath):

            time.sleep(1)

            if retry == 0:

                return 1

            logger.info("Path not accessible: " + self.networkPath + " retrying")

            retry-=1

        command = 'USE ' + self.drive + ' ' + self.networkPath + ' /PERSISTENT:NO'

        result = Cygwin.checkResult(Cygwin.execute('C:\\Windows\\system32\\NET', command))

        if string.find(result[1], 'successfully',) == -1:

            logger.error("Failed: NET " + command)

            return 1

        return 0

class os_netmount:

    """OpenSecurity '/netmount' handler"""

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a net_resource

        if not "net_resource" in args:

            raise web.badrequest('no net_resource given')

        # we _need_ a drive_letter

        if not "drive_letter" in args:

            raise web.badrequest('no drive_letter given')

        driveHandler = MountNetworkDriveHandler(args['drive_letter'], args['net_resource'])

        driveHandler.start()

        return 'Ok'

# handles netumount request                    

class UmountNetworkDriveHandler(threading.Thread): 

    drive = None

    running = True

    def __init__(self, drv):

        threading.Thread.__init__(self)

        self.drive = drv

    def run(self):

        while self.running:

            result = Cygwin.checkResult(Cygwin.execute('C:\\Windows\\system32\\net.exe', 'USE'))

            mappedDrives = list()

            for line in result[1].splitlines():

                if 'USB' in line or 'Download' in line:

                    parts = line.split()

                    mappedDrives.append(parts[1])

            logger.info(mappedDrives)

            logger.info(self.drive)

            if self.drive not in mappedDrives:

                self.running = False

            else:

                command = 'USE ' + self.drive + ' /DELETE /YES' 

                result = Cygwin.checkResult(Cygwin.execute('C:\\Windows\\system32\\net.exe', command)) 

                if string.find(str(result[1]), 'successfully',) == -1:

                    logger.error(result[2])

                    continue

class os_netumount:

    """OpenSecurity '/netumount' handler"""

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a drive_letter

        if not "drive_letter" in args:

            raise web.badrequest('no drive_letter given')

        driveHandler = UmountNetworkDriveHandler(args['drive_letter'])

        driveHandler.start()

        return 'Ok'

class os_root:

    """OpenSecurity '/' handler"""

    def GET(self):

        res = "OpenSecurity-Client RESTFul Server { \"version\": \"%s\" }" % opensecurity.__version__

        # add some sample links

        res = res + """

USAGE EXAMPLES:

Request a password: 

    (copy paste this into your browser's address field after the host:port)

    /password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0)

    (eg.: http://127.0.0.1:8090/password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0))

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Request a combination of user and password:

    (copy paste this into your browser's address field after the host:port)

    /credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.

    (eg.: http://127.0.0.1:8090/credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.)

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Request a combination of password and keyfile:

    (copy paste this into your browser's address field after the host:port)

    /keyfile?text=Your%20private%20RSA%20Keyfile%3A

    (eg.: http://127.0.0.1:8090//keyfile?text=Your%20private%20RSA%20Keyfile%3A)

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Start a Browser:

    (copy paste this into your browser's address field after the host:port)

    /application?vm=Debian+7&app=Browser

    (e.g. http://127.0.0.1:8090/application?vm=Debian+7&app=Browser)

        """

        return res

class ProcessResultBouncer(threading.Thread):

    """A class to post the result of a given process - assuming it to be in JSON - to a REST Api."""

    def __init__(self, process, remote_ip, resource): 

        """ctor"""

        threading.Thread.__init__(self)

        self._process = process

        self._remote_ip = remote_ip

        self._resource = resource

    def stop(self):

        """stop thread"""

        self.running = False

    def run(self):

        """run the thread"""

        # invoke the user dialog as a subprocess

        result = self._process.communicate()[0]

        if self._process.returncode != 0:

            print 'user request has been aborted.'

            return

        # all ok, tell send request back appropriate destination

        try:

            j = json.loads(result)

        except:

            print 'error in password parsing'

            return

        # by provided a 'data' we turn this into a POST statement

        url_addr = 'http://' + self._remote_ip + ':58080' + self._resource

        req = urllib2.Request(url_addr, urllib.urlencode(j))

        try:

            res = urllib2.urlopen(req)

        except:

            print 'failed to contact: ' + url_addr

            return 

class RESTServerThread(threading.Thread):

    """Thread for serving the REST API."""

    def __init__(self, port): 

        """ctor"""

        threading.Thread.__init__(self)

        self._port = port 

    def stop(self):

        """stop thread"""

        self.running = False

    def run(self):

        """run the thread"""

        _serve(self._port)

def is_already_running(port = 8090):

    """check if this is started twice"""

    try:

        s = socket.create_connection(('127.0.0.1', port), 0.5)

    except:

        return False

    return True

def _bounce_vm_logs():

    """grab all logs from the VMs and push them to the log servers"""

    global log_file_lock

    # pick the highest current number

    cur = 0

    for f in glob.iglob(os.path.join(Environment('OpenSecurity').log_path, 'vm_cur.log.*')):

        try:

            n = f.split('.')[-1:][0]

            if cur < int(n):

                cur = int(n)

        except:

            pass

    cur = cur + 1

    # first add new vm logs to our existing one: rename the log file

    log_file_name_new = os.path.join(Environment('OpenSecurity').log_path, 'vm_new.log')

    log_file_name_cur = os.path.join(Environment('OpenSecurity').log_path, 'vm_cur.log.' + str(cur))

    log_file_lock.acquire()

    try:

        os.rename(log_file_name_new, log_file_name_cur)

        print('new log file: ' + log_file_name_cur)

    except:

        pass

    log_file_lock.release()

    # now we have a list of next log files to dump

    log_files = glob.glob(os.path.join(Environment('OpenSecurity').log_path, 'vm_cur.log.*'))

    log_files.sort()

    for log_file in log_files:

        try:

            f = open(log_file, 'rb')

            while True:

                l = pickle.load(f)

                _push_log(l)

        except EOFError:

            try:

                os.remove(log_file)

            except:

                logger.warning('tried to delete log file (pushed to EOF) "' + log_file + '" but failed')

        except:

            logger.warning('encountered error while pushing log file "' + log_file + '"')

            break

    # start bouncer again ...

    global log_file_bouncer

    log_file_bouncer = threading.Timer(5.0, _bounce_vm_logs)

    log_file_bouncer.start()

def _push_log(log):

    """POST a single log to log server

    @param  log     the log POST param

    """

    try:

        key = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, 'SOFTWARE\OpenSecurity')

        log_server_url = str(win32api.RegQueryValueEx(key, 'LogServerURL')[0])

        win32api.RegCloseKey(key)

    except:

        logger.critical('Cannot open Registry HKEY_LOCAL_MACHINE\SOFTWARE\OpenSecurity and get LogServerURL value')

        raise

    # by provided a 'data' we turn this into a POST statement

    d = urllib.urlencode(log)

    req = urllib2.Request(log_server_url, d)

    urllib2.urlopen(req)

    logger.debug('pushed log to server: ' + str(log_server_url))

def _serve(port):

    """Start the REST server"""

    global server

    # start the VM-log bouncer timer

    global log_file_bouncer

    log_file_bouncer = threading.Timer(5.0, _bounce_vm_logs)

    log_file_bouncer.start()

    # trick the web.py server 

    sys.argv = [__file__, str(port)]

    server = web.application(opensecurity_urls, globals())

    server.run()

def serve(port = 8090, background = False):

    """Start serving the REST Api

    port ... port number to listen on

    background ... cease into background (spawn thread) and return immediately"""

    # start threaded or direct version

    if background == True:

        t = RESTServerThread(port)

        t.start()

    else:

        _serve(port)

def stop():

    """Stop serving the REST Api"""

    global server

    if server is None:

        return

    global log_file_bouncer

    if log_file_bouncer is not None:

        log_file_bouncer.cancel()

    server.stop()

# start

if __name__ == "__main__":

    serve()