#!/bin/env python

 # -*- coding: utf-8 -*-

 # ------------------------------------------------------------

 # opensecurity_client_restful_server

 # 

 # the OpenSecurity client RESTful server

 #

 # Autor: Oliver Maurhart, <oliver.maurhart@ait.ac.at>

 #

 # Copyright (C) 2013 AIT Austrian Institute of Technology

 # AIT Austrian Institute of Technology GmbH

 # Donau-City-Strasse 1 | 1220 Vienna | Austria

 # http://www.ait.ac.at

 #

 # This program is free software; you can redistribute it and/or

 # modify it under the terms of the GNU General Public License

 # as published by the Free Software Foundation version 2.

 # 

 # This program is distributed in the hope that it will be useful,

 # but WITHOUT ANY WARRANTY; without even the implied warranty of

 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 # GNU General Public License for more details.

 # 

 # You should have received a copy of the GNU General Public License

 # along with this program; if not, write to the Free Software

 # Foundation, Inc., 51 Franklin Street, Fifth Floor, 

 # Boston, MA  02110-1301, USA.

 # ------------------------------------------------------------

 # ------------------------------------------------------------

 # imports

 import getpass

 import glob

 import json

 import os

 import os.path

 import pickle

 import platform

 import socket

 import subprocess

 import sys

 import threading

 import time

 import urllib

 import urllib2

 import web

 from opensecurity_util import logger, setupLogger, OpenSecurityException

 if sys.platform == 'win32' or sys.platform == 'cygwin':

     from cygwin import Cygwin

 # local

 import __init__ as opensecurity

 from environment import Environment

 # ------------------------------------------------------------

 # const

 """All the URLs we know mapping to class handler"""

 opensecurity_urls = (

     '/credentials',             'os_credentials',

     '/keyfile',                 'os_keyfile',

     '/log',                     'os_log',

     '/notification',            'os_notification',

     '/password',                'os_password',

     '/netmount',                'os_netmount',

     '/netumount',               'os_netumount',

     '/',                        'os_root'

 )

 # ------------------------------------------------------------

 # vars

 """lock for read/write log file"""

 log_file_lock = threading.Lock()

 """timer for the log file bouncer"""

 log_file_bouncer = None

 """The REST server object"""

 server = None

 # ------------------------------------------------------------

 # code

 class os_credentials:

     """OpenSecurity '/credentials' handler.

     This is called on GET /credentials?text=TEXT.

     Ideally this should pop up a user dialog to insert his

     credentials based the given TEXT.

     """

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a text

         if not "text" in args:

             raise web.badrequest('no text given')

         # remember remote ip

         remote_ip = web.ctx.environ['REMOTE_ADDR']

         # create the process which queries the user

         dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

         process_command = [sys.executable, dlg_image, 'credentials', args.text]

         process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

         # run process result handling in seprate thread (not to block main one)

         bouncer = ProcessResultBouncer(process, remote_ip, '/credentials')

         bouncer.start()

         return 'user queried for credentials'

 class os_keyfile:

     """OpenSecurity '/keyfile' handler.

     This is called on GET /keyfile?text=TEXT.

     Ideally this should pop up a user dialog to insert his

     password along with a keyfile.

     """

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a text

         if not "text" in args:

             raise web.badrequest('no text given')

         # remember remote ip

         remote_ip = web.ctx.environ['REMOTE_ADDR']

         # create the process which queries the user

         dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

         process_command = [sys.executable, dlg_image, 'keyfile', args.text]

         process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

         # run process result handling in seprate thread (not to block main one)

         bouncer = ProcessResultBouncer(process, remote_ip, '/keyfile')

         bouncer.start()

         return 'user queried for password and keyfile'

 class os_log:

     """OpenSecurity '/log' handler.

     This is called on GET or POST on the log function /log

     """

     def GET(self):

         # pick the arguments

         self.POST()

     def POST(self):

         # pick the arguments

         args = web.input()

         args['user'] = getpass.getuser()

         args['system'] = platform.node() + " " + platform.system() + " " + platform.release()

         # add these to new data to log

         global log_file_lock

         log_file_name = os.path.join(Environment('OpenSecurity').log_path, 'vm_new.log')

         log_file_lock.acquire()

         pickle.dump(args,  open(log_file_name, 'ab'))

         log_file_lock.release()

         return "Ok"

 class os_notification:

     """OpenSecurity '/notification' handler.

     This is called on GET /notification?msgtype=TYPE&text=TEXT.

     This will pop up an OpenSecurity notifcation window

     """

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a type

         if not "msgtype" in args:

             raise web.badrequest('no msgtype given')

         if not args.msgtype in ['information', 'warning', 'critical']:

             raise web.badrequest('Unknown value for msgtype')

         # we _need_ a text

         if not "text" in args:

             raise web.badrequest('no text given')

         # invoke the user dialog as a subprocess

         dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.py')

         process_command = [sys.executable, dlg_image, 'notification-' + args.msgtype, args.text]

         process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)

         return "Ok"

 class os_password:

     """OpenSecurity '/password' handler.

     This is called on GET /password?text=TEXT.

     Ideally this should pop up a user dialog to insert his

     password based device name.

     """

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a text

         if not "text" in args:

             raise web.badrequest('no text given')

         # remember remote ip

         remote_ip = web.ctx.environ['REMOTE_ADDR']

         # create the process which queries the user

         dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

         process_command = [sys.executable, dlg_image, 'password', args.text]

         process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

         # run process result handling in seprate thread (not to block main one)

         bouncer = ProcessResultBouncer(process, remote_ip, '/password')

         bouncer.start()

         return 'user queried for password'

 # handles netumount request                    

 class MountNetworkDriveHandler(threading.Thread): 

     drive = None

     resource = None

     def __init__(self, drv, net_path):

         threading.Thread.__init__(self)

         self.drive = drv

         self.networkPath = net_path

     def run(self):

         #Check for drive availability

         if os.path.exists(self.drive):

             logger.error("Drive letter is already in use: " + self.drive)

             return 1

         #Check for network resource availability

         retry = 5

         while not os.path.exists(self.networkPath):

             time.sleep(1)

             if retry == 0:

                 return 1

             logger.info("Path not accessible: " + self.networkPath + " retrying")

             retry-=1

         command = 'USE ' + self.drive + ' ' + self.networkPath + ' /PERSISTENT:NO'

         result = Cygwin.checkResult(Cygwin.execute('C:\\Windows\\system32\\NET', command))

         if string.find(result[1], 'successfully',) == -1:

             logger.error("Failed: NET " + command)

             return 1

         return 0

 class os_netmount:

     """OpenSecurity '/netmount' handler"""

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a net_resource

         if not "net_resource" in args:

             raise web.badrequest('no net_resource given')

         # we _need_ a drive_letter

         if not "drive_letter" in args:

             raise web.badrequest('no drive_letter given')

         driveHandler = MountNetworkDriveHandler(args['drive_letter'], args['net_resource'])

         driveHandler.start()

         return 'Ok'

 # handles netumount request                    

 class UmountNetworkDriveHandler(threading.Thread): 

     drive = None

     running = True

     def __init__(self, drv):

         threading.Thread.__init__(self)

         self.drive = drv

     def run(self):

         while self.running:

             result = Cygwin.checkResult(Cygwin.execute('C:\\Windows\\system32\\net.exe', 'USE'))

             mappedDrives = list()

             for line in result[1].splitlines():

                 if 'USB' in line or 'Download' in line:

                     parts = line.split()

                     mappedDrives.append(parts[1])

             logger.info(mappedDrives)

             logger.info(self.drive)

             if self.drive not in mappedDrives:

                 self.running = False

             else:

                 command = 'USE ' + self.drive + ' /DELETE /YES' 

                 result = Cygwin.checkResult(Cygwin.execute('C:\\Windows\\system32\\net.exe', command)) 

                 if string.find(str(result[1]), 'successfully',) == -1:

                     logger.error(result[2])

                     continue

 class os_netumount:

     """OpenSecurity '/netumount' handler"""

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a drive_letter

         if not "drive_letter" in args:

             raise web.badrequest('no drive_letter given')

         driveHandler = UmountNetworkDriveHandler(args['drive_letter'])

         driveHandler.start()

         return 'Ok'

 class os_root:

     """OpenSecurity '/' handler"""

     def GET(self):

         res = "OpenSecurity-Client RESTFul Server { \"version\": \"%s\" }" % opensecurity.__version__

         # add some sample links

         res = res + """

 USAGE EXAMPLES:

 Request a password: 

     (copy paste this into your browser's address field after the host:port)

     /password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0)

     (eg.: http://127.0.0.1:8090/password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0))

     NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

 Request a combination of user and password:

     (copy paste this into your browser's address field after the host:port)

     /credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.

     (eg.: http://127.0.0.1:8090/credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.)

     NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

 Request a combination of password and keyfile:

     (copy paste this into your browser's address field after the host:port)

     /keyfile?text=Your%20private%20RSA%20Keyfile%3A

     (eg.: http://127.0.0.1:8090//keyfile?text=Your%20private%20RSA%20Keyfile%3A)

     NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

 Start a Browser:

     (copy paste this into your browser's address field after the host:port)

     /application?vm=Debian+7&app=Browser

     (e.g. http://127.0.0.1:8090/application?vm=Debian+7&app=Browser)

         """

         return res

 class ProcessResultBouncer(threading.Thread):

     """A class to post the result of a given process - assuming it to be in JSON - to a REST Api."""

     def __init__(self, process, remote_ip, resource): 

         """ctor"""

         threading.Thread.__init__(self)

         self._process = process

         self._remote_ip = remote_ip

         self._resource = resource

     def stop(self):

         """stop thread"""

         self.running = False

     def run(self):

         """run the thread"""

         # invoke the user dialog as a subprocess

         result = self._process.communicate()[0]

         if self._process.returncode != 0:

             print 'user request has been aborted.'

             return

         # all ok, tell send request back appropriate destination

         try:

             j = json.loads(result)

         except:

             print 'error in password parsing'

             return

         # TODO: it would be WAY easier and secure if we just 

         #       add the result json to a HTTP-POST here.

         url_addr = 'http://' + self._remote_ip + ':58080' + self._resource

         # by provided a 'data' we turn this into a POST statement

         req = urllib2.Request(url_addr, urllib.urlencode(j))

         try:

             res = urllib2.urlopen(req)

         except:

             print 'failed to contact: ' + url_addr

             return 

 class RESTServerThread(threading.Thread):

     """Thread for serving the REST API."""

     def __init__(self, port): 

         """ctor"""

         threading.Thread.__init__(self)

         self._port = port 

     def stop(self):

         """stop thread"""

         self.running = False

     def run(self):

         """run the thread"""

         _serve(self._port)

 def is_already_running(port = 8090):

     """check if this is started twice"""

     try:

         s = socket.create_connection(('127.0.0.1', port), 0.5)

     except:

         return False

     return True

 def _bounce_vm_logs():

     """grab all logs from the VMs and push them to the log servers"""

     global log_file_lock

     # pick the highest current number

     cur = 0

     for f in glob.iglob(os.path.join(Environment('OpenSecurity').log_path, 'vm_cur.log.*')):

         try:

             n = f.split('.')[-1:][0]

             if cur < int(n):

                 cur = int(n)

         except:

             pass

     cur = cur + 1

     # first add new vm logs to our existing one: rename the log file

     log_file_name_new = os.path.join(Environment('OpenSecurity').log_path, 'vm_new.log')

     log_file_name_cur = os.path.join(Environment('OpenSecurity').log_path, 'vm_cur.log.' + str(cur))

     log_file_lock.acquire()

     try:

         os.rename(log_file_name_new, log_file_name_cur)

         print('new log file: ' + log_file_name_cur)

     except:

         pass

     log_file_lock.release()

     # now we have a list of next log files to dump

     log_files = glob.glob(os.path.join(Environment('OpenSecurity').log_path, 'vm_cur.log.*'))

     log_files.sort()

     for log_file in log_files:

         try:

             f = open(log_file, 'rb')

             while True:

                 l = pickle.load(f)

                 _push_log(l)

         except EOFError:

             try:

                 os.remove(log_file)

             except:

                 logger.warning('tried to delete log file (pushed to EOF) "' + log_file + '" but failed')

         except:

             logger.warning('encountered error while pushing log file "' + log_file + '"')

     # start bouncer again ...

     global log_file_bouncer

     log_file_bouncer = threading.Timer(5.0, _bounce_vm_logs)

     log_file_bouncer.start()

 def _push_log(log):

     """POST a single log to log server

     @param  log     the log POST param

     """

     url_addr = 'http://GIMME-SERVER-TO-LOG-TO/log'

     # by provided a 'data' we turn this into a POST statement

     d = urllib.urlencode(log)

     req = urllib2.Request(url_addr, d)

     urllib2.urlopen(req)

     logger.debug('pushed log to server: ' + str(log))

 def _serve(port):

     """Start the REST server"""

     global server

     # start the VM-log bouncer timer

     global log_file_bouncer

     log_file_bouncer = threading.Timer(5.0, _bounce_vm_logs)

     log_file_bouncer.start()

     # trick the web.py server 

     sys.argv = [__file__, str(port)]

     server = web.application(opensecurity_urls, globals())

     server.run()

 def serve(port = 8090, background = False):

     """Start serving the REST Api

     port ... port number to listen on

     background ... cease into background (spawn thread) and return immediately"""

     # start threaded or direct version

     if background == True:

         t = RESTServerThread(port)

         t.start()

     else:

         _serve(port)

 def stop():

     """Stop serving the REST Api"""

     global server

     if server is None:

         return

     global log_file_bouncer

     if log_file_bouncer is not None:

         log_file_bouncer.cancel()

     server.stop()

 # start

 if __name__ == "__main__":

     serve()