#!/bin/env python

# -*- coding: utf-8 -*-

# ------------------------------------------------------------

# opensecurity_client_restful_server

# 

# the OpenSecurity client RESTful server

#

# Autor: Oliver Maurhart, <oliver.maurhart@ait.ac.at>

#

# Copyright (C) 2013 AIT Austrian Institute of Technology

# AIT Austrian Institute of Technology GmbH

# Donau-City-Strasse 1 | 1220 Vienna | Austria

# http://www.ait.ac.at

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation version 2.

# 

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

# 

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, 

# Boston, MA  02110-1301, USA.

# ------------------------------------------------------------

# ------------------------------------------------------------

# imports

import getpass

import json

import os

import os.path

import platform

import socket

import subprocess

import sys

import urllib

import urllib2

import web

import threading

import time

import string

from opensecurity_util import logger, setupLogger, OpenSecurityException

if sys.platform == 'win32' or sys.platform == 'cygwin':

    from cygwin import Cygwin

# local

import __init__ as opensecurity

# ------------------------------------------------------------

# const

"""All the URLs we know mapping to class handler"""

opensecurity_urls = (

    '/credentials',             'os_credentials',

    '/keyfile',                 'os_keyfile',

    '/log',                     'os_log',

    '/notification',            'os_notification',

    '/password',                'os_password',

    '/netmount',                'os_netmount',

    '/netumount',               'os_netumount',

    '/',                        'os_root'

)

# ------------------------------------------------------------

# vars

"""The REST server object"""

server = None

# ------------------------------------------------------------

# code

class os_credentials:

    """OpenSecurity '/credentials' handler.

    This is called on GET /credentials?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    credentials based the given TEXT.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'credentials', args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process, remote_ip, '/credentials')

        bouncer.start()

        return 'user queried for credentials'

class os_keyfile:

    """OpenSecurity '/keyfile' handler.

    This is called on GET /keyfile?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    password along with a keyfile.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'keyfile', args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process, remote_ip, '/keyfile')

        bouncer.start()

        return 'user queried for password and keyfile'

class os_log:

    """OpenSecurity '/log' handler.

    This is called on GET or POST on the log function /log

    """

    def GET(self):

        # pick the arguments

        self.POST()

    def POST(self):

        # pick the arguments

        args = web.input()

        args['user'] = getpass.getuser()

        args['system'] = platform.node() + " " + platform.system() + " " + platform.release()

        # bounce log data

        url_addr = 'http://GIMME-SERVER-TO-LOG-TO/log'

        # by provided a 'data' we turn this into a POST statement

        d = urllib.urlencode(args)

        req = urllib2.Request(url_addr, d)

        try:

            res = urllib2.urlopen(req)

        except:

            print('failed to contact: ' + url_addr)

            print('log data: ' + d)

            return "Failed"

        return "Ok"

class os_notification:

    """OpenSecurity '/notification' handler.

    This is called on GET /notification?msgtype=TYPE&text=TEXT.

    This will pop up an OpenSecurity notifcation window

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a type

        if not "msgtype" in args:

            raise web.badrequest('no msgtype given')

        if not args.msgtype in ['information', 'warning', 'critical']:

            raise web.badrequest('Unknown value for msgtype')

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # invoke the user dialog as a subprocess

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.py')

        process_command = [sys.executable, dlg_image, 'notification-' + args.msgtype, args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)

        return "Ok"

class os_password:

    """OpenSecurity '/password' handler.

    This is called on GET /password?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    password based device name.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'password', args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process, remote_ip, '/password')

        bouncer.start()

        return 'user queried for password'

# handles netumount request                    

class MountNetworkDriveHandler(threading.Thread): 

    drive = None

    resource = None

    def __init__(self, drv, net_path):

        threading.Thread.__init__(self)

        self.drive = drv

        self.networkPath = net_path

    def run(self):

        #Check for drive availability

        if os.path.exists(self.drive):

            logger.error("Drive letter is already in use: " + self.drive)

            return 1

        #Check for network resource availability

        retry = 5

        while not os.path.exists(self.networkPath):

            time.sleep(1)

            if retry == 0:

                return 1

            logger.info("Path not accessible: " + self.networkPath + " retrying")

            retry-=1

        command = 'USE ' + self.drive + ' ' + self.networkPath + ' /PERSISTENT:NO'

        result = Cygwin.checkResult(Cygwin.execute('C:\\Windows\\system32\\NET', command))

        if string.find(result[1], 'successfully',) == -1:

            logger.error("Failed: NET " + command)

            return 1

        return 0

class os_netmount:

    """OpenSecurity '/netmount' handler"""

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a net_resource

        if not "net_resource" in args:

            raise web.badrequest('no net_resource given')

        # we _need_ a drive_letter

        if not "drive_letter" in args:

            raise web.badrequest('no drive_letter given')

        driveHandler = MountNetworkDriveHandler(args['drive_letter'], args['net_resource'])

        driveHandler.start()

        return 'Ok'

# handles netumount request                    

class UmountNetworkDriveHandler(threading.Thread): 

    drive = None

    running = True

    def __init__(self, drv):

        threading.Thread.__init__(self)

        self.drive = drv

    def run(self):

        while self.running:

            result = Cygwin.checkResult(Cygwin.execute('C:\\Windows\\system32\\net.exe', 'USE'))

            mappedDrives = list()

            for line in result[1].splitlines():

                if 'USB' in line or 'Download' in line:

                    parts = line.split()

                    mappedDrives.append(parts[1])

            logger.info(mappedDrives)

            logger.info(self.drive)

            if self.drive not in mappedDrives:

                self.running = False

            else:

                command = 'USE ' + self.drive + ' /DELETE /YES' 

                result = Cygwin.checkResult(Cygwin.execute('C:\\Windows\\system32\\net.exe', command)) 

                if string.find(str(result[1]), 'successfully',) == -1:

                    logger.error(result[2])

                    continue

class os_netumount:

    """OpenSecurity '/netumount' handler"""

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a drive_letter

        if not "drive_letter" in args:

            raise web.badrequest('no drive_letter given')

        driveHandler = UmountNetworkDriveHandler(args['drive_letter'])

        driveHandler.start()

        return 'Ok'

class os_root:

    """OpenSecurity '/' handler"""

    def GET(self):

        res = "OpenSecurity-Client RESTFul Server { \"version\": \"%s\" }" % opensecurity.__version__

        # add some sample links

        res = res + """

USAGE EXAMPLES:

Request a password: 

    (copy paste this into your browser's address field after the host:port)

    /password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0)

    (eg.: http://127.0.0.1:8090/password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0))

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Request a combination of user and password:

    (copy paste this into your browser's address field after the host:port)

    /credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.

    (eg.: http://127.0.0.1:8090/credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.)

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Request a combination of password and keyfile:

    (copy paste this into your browser's address field after the host:port)

    /keyfile?text=Your%20private%20RSA%20Keyfile%3A

    (eg.: http://127.0.0.1:8090//keyfile?text=Your%20private%20RSA%20Keyfile%3A)

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Start a Browser:

    (copy paste this into your browser's address field after the host:port)

    /application?vm=Debian+7&app=Browser

    (e.g. http://127.0.0.1:8090/application?vm=Debian+7&app=Browser)

        """

        return res

class ProcessResultBouncer(threading.Thread):

    """A class to post the result of a given process - assuming it to be in JSON - to a REST Api."""

    def __init__(self, process, remote_ip, resource): 

        """ctor"""

        threading.Thread.__init__(self)

        self._process = process

        self._remote_ip = remote_ip

        self._resource = resource

    def stop(self):

        """stop thread"""

        self.running = False

    def run(self):

        """run the thread"""

        # invoke the user dialog as a subprocess

        result = self._process.communicate()[0]

        if self._process.returncode != 0:

            print 'user request has been aborted.'

            return

        # all ok, tell send request back appropriate destination

        try:

            j = json.loads(result)

        except:

            print 'error in password parsing'

            return

        # TODO: it would be WAY easier and secure if we just 

        #       add the result json to a HTTP-POST here.

        url_addr = 'http://' + self._remote_ip + ':58080' + self._resource

        # by provided a 'data' we turn this into a POST statement

        req = urllib2.Request(url_addr, urllib.urlencode(j))

        try:

            res = urllib2.urlopen(req)

        except:

            print 'failed to contact: ' + url_addr

            return 

class RESTServerThread(threading.Thread):

    """Thread for serving the REST API."""

    def __init__(self, port): 

        """ctor"""

        threading.Thread.__init__(self)

        self._port = port 

    def stop(self):

        """stop thread"""

        self.running = False

    def run(self):

        """run the thread"""

        _serve(self._port)

def is_already_running(port = 8090):

    """check if this is started twice"""

    try:

        s = socket.create_connection(('127.0.0.1', port), 0.5)

    except:

        return False

    return True

def _serve(port):

    """Start the REST server"""

    global server

    # trick the web.py server 

    sys.argv = [__file__, str(port)]

    server = web.application(opensecurity_urls, globals())

    server.run()

def serve(port = 8090, background = False):

    """Start serving the REST Api

    port ... port number to listen on

    background ... cease into background (spawn thread) and return immediately"""

    # start threaded or direct version

    if background == True:

        t = RESTServerThread(port)

        t.start()

    else:

        _serve(port)

def stop():

    """Stop serving the REST Api"""

    global server

    if server is None:

        return

    server.stop()

# start

if __name__ == "__main__":

    serve()