#!/usr/bin/env python

# -*- coding: utf-8 -*-

# ------------------------------------------------------------

# opensecurity_client_restful_server

# 

# the OpenSecurity client RESTful server

#

# Autor: Oliver Maurhart, <oliver.maurhart@ait.ac.at>

#

# Copyright (C) 2013 AIT Austrian Institute of Technology

# AIT Austrian Institute of Technology GmbH

# Donau-City-Strasse 1 | 1220 Vienna | Austria

# http://www.ait.ac.at

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation version 2.

# 

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

# 

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, 

# Boston, MA  02110-1301, USA.

# ------------------------------------------------------------

# ------------------------------------------------------------

# imports

import getpass

import glob

import json

import os

import os.path

import pickle

import platform

import socket

import subprocess

import sys

import threading

import time

import urllib

import urllib2

import web

import threading

import time

import string

import win32api

import win32con

import win32wnet

import win32netcon

import itertools

import ctypes

from PyQt4 import QtGui

from opensecurity_util import logger, setupLogger, OpenSecurityException

if sys.platform == 'win32' or sys.platform == 'cygwin':

    from cygwin import Cygwin

# local

import __init__ as opensecurity

from environment import Environment

# ------------------------------------------------------------

# const

"""All the URLs we know mapping to class handler"""

opensecurity_urls = (

    '/credentials',             'os_credentials',

    '/keyfile',                 'os_keyfile',

    '/log',                     'os_log',

    '/message',                 'os_message',

    '/notification',            'os_notification',

    '/password',                'os_password',

    '/netmount',                'os_netmount',

    '/netumount',               'os_netumount',

    '/netcleanup',              'os_netcleanup',

    '/',                        'os_root'

)

# ------------------------------------------------------------

# vars

"""lock for read/write log file"""

log_file_lock = threading.Lock()

"""timer for the log file bouncer"""

log_file_bouncer = None

"""The REST server object"""

server = None

"""The System Tray Icon instance"""

tray_icon = None

# ------------------------------------------------------------

# code

class os_credentials:

    """OpenSecurity '/credentials' handler.

    This is called on GET /credentials?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    credentials based the given TEXT.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'credentials', args.text]

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process_command, remote_ip, '/credentials')

        bouncer.start()

        return 'user queried for credentials'

class os_keyfile:

    """OpenSecurity '/keyfile' handler.

    This is called on GET /keyfile?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    password along with a keyfile.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'keyfile', args.text]

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process_command, remote_ip, '/keyfile')

        bouncer.start()

        return 'user queried for password and keyfile'

class os_log:

    """OpenSecurity '/log' handler.

    This is called on GET or POST on the log function /log

    """

    def GET(self):

        # pick the arguments

        self.POST()

    def POST(self):

        # pick the arguments

        args = web.input()

        args['user'] = getpass.getuser()

        args['system'] = platform.node() + " " + platform.system() + " " + platform.release()

        # add these to new data to log

        global log_file_lock

        log_file_name = os.path.join(Environment('OpenSecurity').log_path, 'vm_new.log')

        log_file_lock.acquire()

        pickle.dump(args,  open(log_file_name, 'ab'))

        log_file_lock.release()

        return "Ok"

class os_message:

    """OpenSecurity '/message' handler.

    This is called on GET /message?text=TEXTi&timeout=TIMEOUT.

    This pops up the typical tray message (like a ballon on windows).

    """

    def POST(self):

        return self.GET()

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        timeout = 5000

        if "timeout" in args:

            try:

                timeout=int(args.timeout)

            except:

                pass

        if tray_icon is None:

            raise web.badrequest('unable to access tray icon instance')

        tray_icon.showMessage('OpenSecurity', args.text, QtGui.QSystemTrayIcon.Information, timeout)

        return 'Shown: ' + args.text + ' timeout: ' + str(timeout) + ' ms'

class os_notification:

    """OpenSecurity '/notification' handler.

    This is called on GET /notification?msgtype=TYPE&text=TEXT.

    This will pop up an OpenSecurity notifcation window

    """

    def POST(self):

        return self.GET()

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a type

        if not "msgtype" in args:

            raise web.badrequest('no msgtype given')

        if not args.msgtype in ['information', 'warning', 'critical']:

            raise web.badrequest('Unknown value for msgtype')

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # invoke the user dialog as a subprocess

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'notification-' + args.msgtype, args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)

        return "Ok"

class os_password:

    """OpenSecurity '/password' handler.

    This is called on GET /password?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    password based device name.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'password', args.text]

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process_command, remote_ip, '/password')

        bouncer.start()

        return 'user queried for password'

def genNetworkDrive():

    logical_drives = getLogicalDrives()

    logger.info("Used logical drive letters: "+ str(logical_drives).strip('[]') )

    drives = list(map(chr, range(68, 91)))  

    for drive in drives:

        if drive not in logical_drives:

            return drive

    return None

def getLogicalDrives():

    drive_bitmask = ctypes.cdll.kernel32.GetLogicalDrives()

    drives = list(itertools.compress(string.ascii_uppercase,  map(lambda x:ord(x) - ord('0'), bin(drive_bitmask)[:1:-1])))

    return drives

def getNetworkPath(drive):

    return win32wnet.WNetGetConnection(drive+':')

def getDriveType(drive):

    return ctypes.cdll.kernel32.GetDriveTypeW(u"%s:\\"%drive)

def getNetworkDrive(path):

    for drive in getLogicalDrives():

        #if is a network drive

        if getDriveType(drive) == 4:

            network_path = getNetworkPath(drive)

            if path in network_path:

                return drive

    return None

def mapDrive(drive, networkPath, user, password):

    if (os.path.exists(networkPath)):

        logger.debug(networkPath + " is found...")

        logger.debug("Trying to map " + networkPath + " on to " + drive + " .....")

        try:

            win32wnet.WNetAddConnection2(win32netcon.RESOURCETYPE_DISK, drive, networkPath, None, user, password)

        except:

            logger.error("Unexpected error...")

            return 1

        logger.info("Mapping successful")

        return 0

    else:

        logger.error("Network path unreachable...")

        return 1    

mount_lock = threading.Lock()

# handles netumount request                    

class MountNetworkDriveHandler(threading.Thread): 

    networkPath = None

    def __init__(self, net_path):

        threading.Thread.__init__(self)

        self.networkPath = net_path

    def run(self):

        #Check for network resource availability

        retry = 20

        while not os.path.exists(self.networkPath):

            if retry == 0:

                break

            logger.info("Path not accessible: " + self.networkPath + " retrying")

            time.sleep(1)

            retry-=1

        with mount_lock:

            drive = genNetworkDrive()

            if not drive:

                logger.error("Failed to assign drive letter for: " + self.networkPath)

                return 1

            else:

                logger.info("Assigned drive " + drive + " to " + self.networkPath)

            #Check for drive availability

            drive = drive+':'

            if os.path.exists(drive):

                logger.error("Drive letter is already in use: " + drive)

                return 1

            return mapDrive(drive, self.networkPath, "", "")

class os_netmount:

    """OpenSecurity '/netmount' handler"""

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a net_resource

        if not "net_resource" in args:

            raise web.badrequest('no net_resource given')

        driveHandler = MountNetworkDriveHandler(args['net_resource'])

        driveHandler.start()

        driveHandler.join(None)

        return 'Ok'

def unmapDrive(drive, force=0):

    logger.debug("drive in use, trying to unmap...")

    if force == 0:

        logger.debug("Executing un-forced call...")

    try:

        win32wnet.WNetCancelConnection2(drive, 1, force)

        logger,info(drive + "successfully unmapped...")

        return 0

    except:

        logger.error("Unmap failed, try again...")

        return 1

# handles netumount request                    

class UmountNetworkDriveHandler(threading.Thread): 

    networkPath = None

    running = True

    def __init__(self, path):

        threading.Thread.__init__(self)

        self.networkPath = path

    def run(self):

        while self.running:

            drive = getNetworkDrive(self.networkPath)

            if not drive:

                logger.info("Failed to retrieve drive letter for: " + self.networkPath + ". Successfully deleted or missing.")

                self.running = False

            else:

                drive = drive+':'

                logger.info("Unmounting drive " + drive + " for " + self.networkPath)

                result = unmapDrive(drive, force=1) 

                if result != 0:

                    continue

class os_netumount:

    """OpenSecurity '/netumount' handler"""

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a net_resource

        if not "net_resource" in args:

            raise web.badrequest('no net_resource given')

        driveHandler = UmountNetworkDriveHandler(args['net_resource'])

        driveHandler.start()

        driveHandler.join(None)

        return 'Ok'

class os_netcleanup:

    """OpenSecurity '/netcleanup' handler"""

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a net_resource

        if not "hostonly_ip" in args:

            raise web.badrequest('no hostonly_ip given')

        ip = args['hostonly_ip']

        ip = ip[:ip.rindex('.')]

        drives = getLogicalDrives()

        for drive in drives:

            # found network drive

            if getDriveType(drive) == 4:

                path = getNetworkPath(drive)

                if ip in path:

                    driveHandler = UmountNetworkDriveHandler(path)

                    driveHandler.start()

                    driveHandler.join(None)

class os_root:

    """OpenSecurity '/' handler"""

    def GET(self):

        res = "OpenSecurity-Client RESTFul Server { \"version\": \"%s\" }" % opensecurity.__version__

        # add some sample links

        res = res + """

USAGE EXAMPLES:

Request a password: 

    (copy paste this into your browser's address field after the host:port)

    /password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0)

    (eg.: http://127.0.0.1:8090/password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0))

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Request a combination of user and password:

    (copy paste this into your browser's address field after the host:port)

    /credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.

    (eg.: http://127.0.0.1:8090/credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.)

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Request a combination of password and keyfile:

    (copy paste this into your browser's address field after the host:port)

    /keyfile?text=Your%20private%20RSA%20Keyfile%3A

    (eg.: http://127.0.0.1:8090//keyfile?text=Your%20private%20RSA%20Keyfile%3A)

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Start a Browser:

    (copy paste this into your browser's address field after the host:port)

    /application?vm=Debian+7&app=Browser

    (e.g. http://127.0.0.1:8090/application?vm=Debian+7&app=Browser)

        """

        return res

class ProcessResultBouncer(threading.Thread):

    """A class to post the result of a given process - assuming it to be in JSON - to a REST Api."""

    def __init__(self, process_command, remote_ip, resource): 

        """ctor"""

        threading.Thread.__init__(self)

        self._process_command = process_command

        self._remote_ip = remote_ip

        self._resource = resource

    def stop(self):

        """stop thread"""

        self.running = False

    def run(self):

        """run the thread"""

        while True:

            # invoke the user dialog as a subprocess

            process = subprocess.Popen(self._process_command, shell = False, stdout = subprocess.PIPE)        

            result = process.communicate()[0]

            if process.returncode != 0:

                print 'user request has been aborted.'

                return

            # all ok, tell send request back appropriate destination

            try:

                j = json.loads(result)

            except:

                print 'error in password parsing'

                return

            # by provided a 'data' we turn this into a POST statement

            url_addr = 'http://' + self._remote_ip + ':58080' + self._resource

            req = urllib2.Request(url_addr, urllib.urlencode(j))

            try:

                res = urllib2.urlopen(req)

                if res.getcode() == 200:

                    return

            except urllib2.HTTPError as e:

                # invoke the user dialog as a subprocess

                dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

                dlg_process_command = [sys.executable, dlg_image, 'notification-critical', 'Error is<br/>Code: {0!s}<br/>Reason: {1}<br/>{2}'.format(e.code, e.reason, e.read())]

                dlg_process = subprocess.Popen(dlg_process_command, shell = False, stdout = subprocess.PIPE)

                dlg_process.communicate()[0]

class RESTServerThread(threading.Thread):

    """Thread for serving the REST API."""

    def __init__(self, port): 

        """ctor"""

        threading.Thread.__init__(self)

        self._port = port 

    def stop(self):

        """stop thread"""

        self.running = False

    def run(self):

        """run the thread"""

        _serve(self._port)

def is_already_running(port = 8090):

    """check if this is started twice"""

    try:

        s = socket.create_connection(('127.0.0.1', port), 0.5)

    except:

        return False

    return True

def _bounce_vm_logs():

    """grab all logs from the VMs and push them to the log servers"""

    global log_file_lock

    # pick the highest current number

    cur = 0

    for f in glob.iglob(os.path.join(Environment('OpenSecurity').log_path, 'vm_cur.log.*')):

        try:

            n = f.split('.')[-1:][0]

            if cur < int(n):

                cur = int(n)

        except:

            pass

    cur = cur + 1

    # first add new vm logs to our existing one: rename the log file

    log_file_name_new = os.path.join(Environment('OpenSecurity').log_path, 'vm_new.log')

    log_file_name_cur = os.path.join(Environment('OpenSecurity').log_path, 'vm_cur.log.' + str(cur))

    log_file_lock.acquire()

    try:

        os.rename(log_file_name_new, log_file_name_cur)

        print('new log file: ' + log_file_name_cur)

    except:

        pass

    log_file_lock.release()

    # now we have a list of next log files to dump

    log_files = glob.glob(os.path.join(Environment('OpenSecurity').log_path, 'vm_cur.log.*'))

    log_files.sort()

    for log_file in log_files:

        try:

            f = open(log_file, 'rb')

            while True:

                l = pickle.load(f)

                _push_log(l)

        except EOFError:

            try:

                f.close()

                os.remove(log_file)

            except:

                logger.warning('tried to delete log file (pushed to EOF) "' + log_file + '" but failed')

        except:

            logger.warning('encountered error while pushing log file "' + log_file + '"')

            break

    # start bouncer again ...

    global log_file_bouncer

    log_file_bouncer = threading.Timer(5.0, _bounce_vm_logs)

    log_file_bouncer.start()

def _push_log(log):

    """POST a single log to log server

    @param  log     the log POST param

    """

    log_server_url = "http://extern.x-net.at/opensecurity/log"

    try:

        key = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, 'SOFTWARE\OpenSecurity')

        log_server_url = str(win32api.RegQueryValueEx(key, 'LogServerURL')[0])

        win32api.RegCloseKey(key)

    except:

        logger.warning('Cannot open Registry HKEY_LOCAL_MACHINE\SOFTWARE\OpenSecurity and get "LogServerURL" value, using default instead')

    # by provided a 'data' we turn this into a POST statement

    d = urllib.urlencode(log)

    req = urllib2.Request(log_server_url, d)

    urllib2.urlopen(req)

    logger.debug('pushed log to server: ' + str(log_server_url))

def _serve(port):

    """Start the REST server"""

    global server

    # start the VM-log bouncer timer

    global log_file_bouncer

    log_file_bouncer = threading.Timer(5.0, _bounce_vm_logs)

    log_file_bouncer.start()

    # trick the web.py server 

    sys.argv = [__file__, str(port)]

    server = web.application(opensecurity_urls, globals())

    server.run()

def serve(port = 8090, background = False):

    """Start serving the REST Api

    port ... port number to listen on

    background ... cease into background (spawn thread) and return immediately"""

    # start threaded or direct version

    if background == True:

        t = RESTServerThread(port)

        t.start()

    else:

        _serve(port)

def stop():

    """Stop serving the REST Api"""

    global server

    if server is None:

        return

    global log_file_bouncer

    if log_file_bouncer is not None:

        log_file_bouncer.cancel()

    server.stop()

# start

if __name__ == "__main__":

    serve()