#!/bin/env python

# -*- coding: utf-8 -*-

# ------------------------------------------------------------

# opensecurity_client_restful_server

# 

# the OpenSecurity client RESTful server

#

# Autor: Oliver Maurhart, <oliver.maurhart@ait.ac.at>

#

# Copyright (C) 2013 AIT Austrian Institute of Technology

# AIT Austrian Institute of Technology GmbH

# Donau-City-Strasse 1 | 1220 Vienna | Austria

# http://www.ait.ac.at

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation version 2.

# 

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

# 

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, 

# Boston, MA  02110-1301, USA.

# ------------------------------------------------------------

# ------------------------------------------------------------

# imports

import getpass

import json

import os

import os.path

import platform

import socket

import subprocess

import sys

import urllib

import urllib2

import web

import threading

import time

# local

import __init__ as opensecurity

# ------------------------------------------------------------

# const

"""All the URLs we know mapping to class handler"""

opensecurity_urls = (

    '/credentials',             'os_credentials',

    '/keyfile',                 'os_keyfile',

    '/log',                     'os_log',

    '/notification',            'os_notification',

    '/password',                'os_password',

    '/',                        'os_root'

)

# ------------------------------------------------------------

# vars

"""The REST server object"""

server = None

# ------------------------------------------------------------

# code

class os_credentials:

    """OpenSecurity '/credentials' handler.

    This is called on GET /credentials?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    credentials based the given TEXT.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'credentials', args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process, remote_ip, '/credentials')

        bouncer.start()

        return 'user queried for credentials'

class os_keyfile:

    """OpenSecurity '/keyfile' handler.

    This is called on GET /keyfile?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    password along with a keyfile.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'keyfile', args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process, remote_ip, '/keyfile')

        bouncer.start()

        return 'user queried for password and keyfile'

class os_log:

    """OpenSecurity '/log' handler.

    This is called on GET or POST on the log function /log

    """

    def GET(self):

        # pick the arguments

        self.POST()

    def POST(self):

        # pick the arguments

        args = web.input()

        args['user'] = getpass.getuser()

        args['system'] = platform.node() + " " + platform.system() + " " + platform.release()

        # bounce log data

        url_addr = 'http://GIMME-SERVER-TO-LOG-TO/log'

        # by provided a 'data' we turn this into a POST statement

        d = urllib.urlencode(args)

        req = urllib2.Request(url_addr, d)

        try:

            res = urllib2.urlopen(req)

        except:

            print('failed to contact: ' + url_addr)

            print('log data: ' + d)

            return "Failed"

        return "Ok"

class os_notification:

    """OpenSecurity '/notification' handler.

    This is called on GET /notification?msgtype=TYPE&text=TEXT.

    This will pop up an OpenSecurity notifcation window

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a type

        if not "msgtype" in args:

            raise web.badrequest('no msgtype given')

        if not args.msgtype in ['information', 'warning', 'critical']:

            raise web.badrequest('Unknown value for msgtype')

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # invoke the user dialog as a subprocess

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.py')

        process_command = [sys.executable, dlg_image, 'notification-' + args.msgtype, args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)

        return "Ok"

class os_password:

    """OpenSecurity '/password' handler.

    This is called on GET /password?text=TEXT.

    Ideally this should pop up a user dialog to insert his

    password based device name.

    """

    def GET(self):

        # pick the arguments

        args = web.input()

        # we _need_ a text

        if not "text" in args:

            raise web.badrequest('no text given')

        # remember remote ip

        remote_ip = web.ctx.environ['REMOTE_ADDR']

        # create the process which queries the user

        dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

        process_command = [sys.executable, dlg_image, 'password', args.text]

        process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

        # run process result handling in seprate thread (not to block main one)

        bouncer = ProcessResultBouncer(process, remote_ip, '/password')

        bouncer.start()

        return 'user queried for password'

class os_root:

    """OpenSecurity '/' handler"""

    def GET(self):

        res = "OpenSecurity-Client RESTFul Server { \"version\": \"%s\" }" % opensecurity.__version__

        # add some sample links

        res = res + """

USAGE EXAMPLES:

Request a password: 

    (copy paste this into your browser's address field after the host:port)

    /password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0)

    (eg.: http://127.0.0.1:8090/password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0))

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Request a combination of user and password:

    (copy paste this into your browser's address field after the host:port)

    /credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.

    (eg.: http://127.0.0.1:8090/credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.)

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Request a combination of password and keyfile:

    (copy paste this into your browser's address field after the host:port)

    /keyfile?text=Your%20private%20RSA%20Keyfile%3A

    (eg.: http://127.0.0.1:8090//keyfile?text=Your%20private%20RSA%20Keyfile%3A)

    NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

Start a Browser:

    (copy paste this into your browser's address field after the host:port)

    /application?vm=Debian+7&app=Browser

    (e.g. http://127.0.0.1:8090/application?vm=Debian+7&app=Browser)

        """

        return res

class ProcessResultBouncer(threading.Thread):

    """A class to post the result of a given process - assuming it to be in JSON - to a REST Api."""

    def __init__(self, process, remote_ip, resource): 

        """ctor"""

        threading.Thread.__init__(self)

        self._process = process

        self._remote_ip = remote_ip

        self._resource = resource

    def stop(self):

        """stop thread"""

        self.running = False

    def run(self):

        """run the thread"""

        # invoke the user dialog as a subprocess

        result = self._process.communicate()[0]

        if self._process.returncode != 0:

            print 'user request has been aborted.'

            return

        # all ok, tell send request back appropriate destination

        try:

            j = json.loads(result)

        except:

            print 'error in password parsing'

            return

        # TODO: it would be WAY easier and secure if we just 

        #       add the result json to a HTTP-POST here.

        url_addr = 'http://' + self._remote_ip + ':58080' + self._resource

        # by provided a 'data' we turn this into a POST statement

        req = urllib2.Request(url_addr, urllib.urlencode(j))

        try:

            res = urllib2.urlopen(req)

        except:

            print 'failed to contact: ' + url_addr

            return 

class RESTServerThread(threading.Thread):

    """Thread for serving the REST API."""

    def __init__(self, port): 

        """ctor"""

        threading.Thread.__init__(self)

        self._port = port 

    def stop(self):

        """stop thread"""

        self.running = False

    def run(self):

        """run the thread"""

        _serve(self._port)

def is_already_running(port = 8090):

    """check if this is started twice"""

    try:

        s = socket.create_connection(('127.0.0.1', port), 0.5)

    except:

        return False

    return True

def _serve(port):

    """Start the REST server"""

    global server

    # trick the web.py server 

    sys.argv = [__file__, str(port)]

    server = web.application(opensecurity_urls, globals())

    server.run()

def serve(port = 8090, background = False):

    """Start serving the REST Api

    port ... port number to listen on

    background ... cease into background (spawn thread) and return immediately"""

    # start threaded or direct version

    if background == True:

        t = RESTServerThread(port)

        t.start()

    else:

        _serve(port)

def stop():

    """Stop serving the REST Api"""

    global server

    if server is None:

        return

    server.stop()

# start

if __name__ == "__main__":

    serve()