#!/bin/env python

 # -*- coding: utf-8 -*-

 # ------------------------------------------------------------

 # opensecurity_client_restful_server

 # 

 # the OpenSecurity client RESTful server

 #

 # Autor: Oliver Maurhart, <oliver.maurhart@ait.ac.at>

 #

 # Copyright (C) 2013 AIT Austrian Institute of Technology

 # AIT Austrian Institute of Technology GmbH

 # Donau-City-Strasse 1 | 1220 Vienna | Austria

 # http://www.ait.ac.at

 #

 # This program is free software; you can redistribute it and/or

 # modify it under the terms of the GNU General Public License

 # as published by the Free Software Foundation version 2.

 # 

 # This program is distributed in the hope that it will be useful,

 # but WITHOUT ANY WARRANTY; without even the implied warranty of

 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 # GNU General Public License for more details.

 # 

 # You should have received a copy of the GNU General Public License

 # along with this program; if not, write to the Free Software

 # Foundation, Inc., 51 Franklin Street, Fifth Floor, 

 # Boston, MA  02110-1301, USA.

 # ------------------------------------------------------------

 # ------------------------------------------------------------

 # imports

 import getpass

 import json

 import os

 import os.path

 import platform

 import socket

 import subprocess

 import sys

 import urllib

 import urllib2

 import web

 import threading

 import time

 # local

 import __init__ as opensecurity

 # ------------------------------------------------------------

 # const

 """All the URLs we know mapping to class handler"""

 opensecurity_urls = (

     '/credentials',             'os_credentials',

     '/keyfile',                 'os_keyfile',

     '/log',                     'os_log',

     '/notification',            'os_notification',

     '/password',                'os_password',

     '/',                        'os_root'

 )

 # ------------------------------------------------------------

 # vars

 """The REST server object"""

 server = None

 # ------------------------------------------------------------

 # code

 class os_credentials:

     """OpenSecurity '/credentials' handler.

     This is called on GET /credentials?text=TEXT.

     Ideally this should pop up a user dialog to insert his

     credentials based the given TEXT.

     """

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a text

         if not "text" in args:

             raise web.badrequest('no text given')

         # remember remote ip

         remote_ip = web.ctx.environ['REMOTE_ADDR']

         # create the process which queries the user

         dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

         process_command = [sys.executable, dlg_image, 'credentials', args.text]

         process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

         # run process result handling in seprate thread (not to block main one)

         bouncer = ProcessResultBouncer(process, remote_ip, '/credentials')

         bouncer.start()

         return 'user queried for credentials'

 class os_keyfile:

     """OpenSecurity '/keyfile' handler.

     This is called on GET /keyfile?text=TEXT.

     Ideally this should pop up a user dialog to insert his

     password along with a keyfile.

     """

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a text

         if not "text" in args:

             raise web.badrequest('no text given')

         # remember remote ip

         remote_ip = web.ctx.environ['REMOTE_ADDR']

         # create the process which queries the user

         dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

         process_command = [sys.executable, dlg_image, 'keyfile', args.text]

         process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

         # run process result handling in seprate thread (not to block main one)

         bouncer = ProcessResultBouncer(process, remote_ip, '/keyfile')

         bouncer.start()

         return 'user queried for password and keyfile'

 class os_log:

     """OpenSecurity '/log' handler.

     This is called on GET or POST on the log function /log

     """

     def GET(self):

         # pick the arguments

         self.POST()

     def POST(self):

         # pick the arguments

         args = web.input()

         args['user'] = getpass.getuser()

         args['system'] = platform.node() + " " + platform.system() + " " + platform.release()

         # bounce log data

         url_addr = 'http://GIMME-SERVER-TO-LOG-TO/log'

         # by provided a 'data' we turn this into a POST statement

         d = urllib.urlencode(args)

         req = urllib2.Request(url_addr, d)

         try:

             res = urllib2.urlopen(req)

         except:

             print('failed to contact: ' + url_addr)

             print('log data: ' + d)

             return "Failed"

         return "Ok"

 class os_notification:

     """OpenSecurity '/notification' handler.

     This is called on GET /notification?msgtype=TYPE&text=TEXT.

     This will pop up an OpenSecurity notifcation window

     """

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a type

         if not "msgtype" in args:

             raise web.badrequest('no msgtype given')

         if not args.msgtype in ['information', 'warning', 'critical']:

             raise web.badrequest('Unknown value for msgtype')

         # we _need_ a text

         if not "text" in args:

             raise web.badrequest('no text given')

         # invoke the user dialog as a subprocess

         dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.py')

         process_command = [sys.executable, dlg_image, 'notification-' + args.msgtype, args.text]

         process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)

         return "Ok"

 class os_password:

     """OpenSecurity '/password' handler.

     This is called on GET /password?text=TEXT.

     Ideally this should pop up a user dialog to insert his

     password based device name.

     """

     def GET(self):

         # pick the arguments

         args = web.input()

         # we _need_ a text

         if not "text" in args:

             raise web.badrequest('no text given')

         # remember remote ip

         remote_ip = web.ctx.environ['REMOTE_ADDR']

         # create the process which queries the user

         dlg_image = os.path.join(sys.path[0], 'opensecurity_dialog.pyw')

         process_command = [sys.executable, dlg_image, 'password', args.text]

         process = subprocess.Popen(process_command, shell = False, stdout = subprocess.PIPE)        

         # run process result handling in seprate thread (not to block main one)

         bouncer = ProcessResultBouncer(process, remote_ip, '/password')

         bouncer.start()

         return 'user queried for password'

 class os_root:

     """OpenSecurity '/' handler"""

     def GET(self):

         res = "OpenSecurity-Client RESTFul Server { \"version\": \"%s\" }" % opensecurity.__version__

         # add some sample links

         res = res + """

 USAGE EXAMPLES:

 Request a password: 

     (copy paste this into your browser's address field after the host:port)

     /password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0)

     (eg.: http://127.0.0.1:8090/password?text=Give+me+a+password+for+device+%22My+USB+Drive%22+(ID%3A+32090-AAA-X0))

     NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

 Request a combination of user and password:

     (copy paste this into your browser's address field after the host:port)

     /credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.

     (eg.: http://127.0.0.1:8090/credentials?text=Tell+the+NSA+which+credentials+to+use+in+order+to+avoid+hacking+noise+on+wire.)

     NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

 Request a combination of password and keyfile:

     (copy paste this into your browser's address field after the host:port)

     /keyfile?text=Your%20private%20RSA%20Keyfile%3A

     (eg.: http://127.0.0.1:8090//keyfile?text=Your%20private%20RSA%20Keyfile%3A)

     NOTE: check yout taskbar, the dialog window may not pop up in front of your browser window.

 Start a Browser:

     (copy paste this into your browser's address field after the host:port)

     /application?vm=Debian+7&app=Browser

     (e.g. http://127.0.0.1:8090/application?vm=Debian+7&app=Browser)

         """

         return res

 class ProcessResultBouncer(threading.Thread):

     """A class to post the result of a given process - assuming it to be in JSON - to a REST Api."""

     def __init__(self, process, remote_ip, resource): 

         """ctor"""

         threading.Thread.__init__(self)

         self._process = process

         self._remote_ip = remote_ip

         self._resource = resource

     def stop(self):

         """stop thread"""

         self.running = False

     def run(self):

         """run the thread"""

         # invoke the user dialog as a subprocess

         result = self._process.communicate()[0]

         if self._process.returncode != 0:

             print 'user request has been aborted.'

             return

         # all ok, tell send request back appropriate destination

         try:

             j = json.loads(result)

         except:

             print 'error in password parsing'

             return

         # TODO: it would be WAY easier and secure if we just 

         #       add the result json to a HTTP-POST here.

         url_addr = 'http://' + self._remote_ip + ':58080' + self._resource

         # by provided a 'data' we turn this into a POST statement

         req = urllib2.Request(url_addr, urllib.urlencode(j))

         try:

             res = urllib2.urlopen(req)

         except:

             print 'failed to contact: ' + url_addr

             return 

 class RESTServerThread(threading.Thread):

     """Thread for serving the REST API."""

     def __init__(self, port): 

         """ctor"""

         threading.Thread.__init__(self)

         self._port = port 

     def stop(self):

         """stop thread"""

         self.running = False

     def run(self):

         """run the thread"""

         _serve(self._port)

 def is_already_running(port = 8090):

     """check if this is started twice"""

     try:

         s = socket.create_connection(('127.0.0.1', port), 0.5)

     except:

         return False

     return True

 def _serve(port):

     """Start the REST server"""

     global server

     # trick the web.py server 

     sys.argv = [__file__, str(port)]

     server = web.application(opensecurity_urls, globals())

     server.run()

 def serve(port = 8090, background = False):

     """Start serving the REST Api

     port ... port number to listen on

     background ... cease into background (spawn thread) and return immediately"""

     # start threaded or direct version

     if background == True:

         t = RESTServerThread(port)

         t.start()

     else:

         _serve(port)

 def stop():

     """Stop serving the REST Api"""

     global server

     if server is None:

         return

     server.stop()

 # start

 if __name__ == "__main__":

     serve()