confluent/confluent/sockapi.py

# Copyright 2013 IBM Corporation
# ALl rights reserved

# This is the socket api layer.
# It implement unix and tls sockets
# 
# TODO: SO_PEERCRED for unix socket
import confluent.auth as auth
import confluent.common.tlvdata as tlvdata
import confluent.consoleserver as consoleserver
import confluent.config.configmanager as configmanager
import confluent.exceptions as exc
import confluent.messages
import confluent.pluginapi as pluginapi
import eventlet.green.socket as socket
import eventlet.green.ssl as ssl
import eventlet
import json
import os
import struct

SO_PEERCRED = 17

class ClientConsole(object):
    def __init__(self, client):
        self.client = clientn

    def sendall(self, data):
        tlvdata.send_tlvdata(self.client, data)

def sessionhdl(connection, authname):
    # For now, trying to test the console stuff, so let's just do n4.
    authenticated = False
    if authname and isinstance(authname, bool):
        authenticated = True
        cfm = configmanager.ConfigManager(tenant=None)
    elif authname:
        authenticated = True
        authdata = auth.authorize(authname, element=None)
        cfm = authdata[1]
        authenticated = True
    tlvdata.send_tlvdata(connection,"Confluent -- v0 --")
    while not authenticated:  # prompt for name and passphrase
        tlvdata.send_tlvdata(connection, {'authpassed': 0})
        response = tlvdata.recv_tlvdata(connection)
        username = response['username']
        passphrase = response['passphrase']
        # note(jbjohnso): here, we need to authenticate, but not
        # authorize a user.  When authorization starts understanding
        # element path, that authorization will need to be called
        # per request the user makes
        authdata = auth.check_user_passphrase(username, passphrase)
        if authdata is not None:
            authenticated = True
            cfm = authdata[1]
    tlvdata.send_tlvdata(connection, {'authpassed': 1})
    request = tlvdata.recv_tlvdata(connection)
    while request is not None:
        process_request(connection, request, cfm, authdata)
        request = tlvdata.recv_tlvdata(connection)


def send_response(responses, connection):
    for rsp in responses:
        tlvdata.send_tlvdata(connection, json.dumps(rsp.json()))

def process_request(connection, request, cfm, authdata):
    #TODO(jbjohnso): authorize each request
    if type(request) == dict:
        operation = request['operation']
        path = request['path']
        params = request.get('parameters', None)
        try:
            hdlr = pluginapi.handle_path(path, operation, cfm, params)
        except exc.NotFoundException:
            tlvdata.send_tlvdata(connection, {"errorcode": 404,
                                 "error": "Target not found"})
            return
        except exc.InvalidArgumentException:
            tlvdata.send_tlvdata(connection, {"errorcode": 400,
                                 "error": "Bad Request"})
            return
        send_response(hdlr, connection)
    return
    ccons = ClientConsole(connection)
    consession = consoleserver.ConsoleSession(node='n4', configmanager=cfm,
                                        datacallback=ccons.sendall)
    while (1):
        data = tlvdata.recv_tlvdata(connection)
        if not data:
            consession.destroy()
            return
        consession.write(data)


def _tlshandler():
    plainsocket = socket.socket()
    plainsocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv = ssl.wrap_socket(plainsocket, keyfile="/etc/confluent/privkey.pem",
                    certfile="/etc/confluent/srvcert.pem",
                    ssl_version=ssl.PROTOCOL_TLSv1,
                    server_side=True)
    srv.bind(('0.0.0.0', 4001))
    srv.listen(5)
    authname = None
    while (1):  # TODO: exithook
        cnn, addr = srv.accept()
        eventlet.spawn_n(sessionhdl, cnn, authname)


def _unixdomainhandler():
    unixsocket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        os.remove("/var/run/confluent/api.sock")
    except OSError:  # if file does not exist, no big deal
        pass
    unixsocket.bind("/var/run/confluent/api.sock")
    unixsocket.listen(5)
    while (1):
        cnn, addr = unixsocket.accept()
        creds = cnn.getsockopt(socket.SOL_SOCKET, SO_PEERCRED,
                                struct.calcsize('3i'))
        pid, uid, gid = struct.unpack('3i',creds)
        if uid in (os.getuid(), 0):
            #this is where we happily accept the person
            #to do whatever.  This allows the server to
            #start with no configuration whatsoever
            #and yet still be configurable by some means
            authname = True
        else:
            try:
                authname = pwd.getpwuid(uid).pw_name
            except KeyError:
                cnn.close()
                return
        eventlet.spawn_n(sessionhdl, cnn, authname)


class SockApi(object):
    def start(self):
        self.tlsserver = eventlet.spawn(_tlshandler)
        self.unixdomainserver = eventlet.spawn(_unixdomainhandler)
Create a test socket api layer 2013-09-14 11:08:48 -04:00			`# Copyright 2013 IBM Corporation`
			`# ALl rights reserved`

			`# This is the socket api layer.`
			`# It implement unix and tls sockets`
-Have master console multiplexer not crash because a handler would have crashed -Have sockapi remove console session handler on client disconnect 2013-10-10 14:17:08 -04:00			`#`
Create a test socket api layer 2013-09-14 11:08:48 -04:00			`# TODO: SO_PEERCRED for unix socket`
Advance state of the socket interface Properly implement authentication and switch the protocol over to the tlv based protocol. Abandon all thought of the socket being directly accessible. Any CLI semantics will be in confetty and an appliance wishing to expose that CLI directly should use standard ssh stuff with a shell of confetty. The unix domain authentication support makes this feasible (requires user creation push name into confluent repository at the moment..) 2014-02-09 10:43:26 -05:00			`import confluent.auth as auth`
			`import confluent.common.tlvdata as tlvdata`
Renome current console to consoleserver and refactor 2013-11-02 13:25:56 -04:00			`import confluent.consoleserver as consoleserver`
Refactor configuration code into a distinct location 2013-11-02 16:58:38 -04:00			`import confluent.config.configmanager as configmanager`
Flesh out the confetty interactive console slightly 2014-02-09 17:35:49 -05:00			`import confluent.exceptions as exc`
			`import confluent.messages`
			`import confluent.pluginapi as pluginapi`
Create a test socket api layer 2013-09-14 11:08:48 -04:00			`import eventlet.green.socket as socket`
			`import eventlet.green.ssl as ssl`
Have sockapi properly run alongside httpapi Have sockapi force TLSv1 2013-09-14 20:21:58 -04:00			`import eventlet`
Flesh out the confetty interactive console slightly 2014-02-09 17:35:49 -05:00			`import json`
Implement unix domain socket in socket api 2013-10-14 09:21:55 -04:00			`import os`
			`import struct`

			`SO_PEERCRED = 17`
Create a test socket api layer 2013-09-14 11:08:48 -04:00
Advance state of the socket interface Properly implement authentication and switch the protocol over to the tlv based protocol. Abandon all thought of the socket being directly accessible. Any CLI semantics will be in confetty and an appliance wishing to expose that CLI directly should use standard ssh stuff with a shell of confetty. The unix domain authentication support makes this feasible (requires user creation push name into confluent repository at the moment..) 2014-02-09 10:43:26 -05:00			`class ClientConsole(object):`
			`def __init__(self, client):`
Flesh out the confetty interactive console slightly 2014-02-09 17:35:49 -05:00			`self.client = clientn`
Advance state of the socket interface Properly implement authentication and switch the protocol over to the tlv based protocol. Abandon all thought of the socket being directly accessible. Any CLI semantics will be in confetty and an appliance wishing to expose that CLI directly should use standard ssh stuff with a shell of confetty. The unix domain authentication support makes this feasible (requires user creation push name into confluent repository at the moment..) 2014-02-09 10:43:26 -05:00
			`def sendall(self, data):`
			`tlvdata.send_tlvdata(self.client, data)`

Begin work to do authentication and authorization on socket api 2013-10-14 11:28:07 -04:00			`def sessionhdl(connection, authname):`
Advance state of the socket interface Properly implement authentication and switch the protocol over to the tlv based protocol. Abandon all thought of the socket being directly accessible. Any CLI semantics will be in confetty and an appliance wishing to expose that CLI directly should use standard ssh stuff with a shell of confetty. The unix domain authentication support makes this feasible (requires user creation push name into confluent repository at the moment..) 2014-02-09 10:43:26 -05:00			`# For now, trying to test the console stuff, so let's just do n4.`
			`authenticated = False`
Begin work to do authentication and authorization on socket api 2013-10-14 11:28:07 -04:00			`if authname and isinstance(authname, bool):`
Advance state of the socket interface Properly implement authentication and switch the protocol over to the tlv based protocol. Abandon all thought of the socket being directly accessible. Any CLI semantics will be in confetty and an appliance wishing to expose that CLI directly should use standard ssh stuff with a shell of confetty. The unix domain authentication support makes this feasible (requires user creation push name into confluent repository at the moment..) 2014-02-09 10:43:26 -05:00			`authenticated = True`
			`cfm = configmanager.ConfigManager(tenant=None)`
			`elif authname:`
			`authenticated = True`
			`authdata = auth.authorize(authname, element=None)`
			`cfm = authdata[1]`
			`authenticated = True`
			`tlvdata.send_tlvdata(connection,"Confluent -- v0 --")`
			`while not authenticated: # prompt for name and passphrase`
			`tlvdata.send_tlvdata(connection, {'authpassed': 0})`
			`response = tlvdata.recv_tlvdata(connection)`
			`username = response['username']`
			`passphrase = response['passphrase']`
Flesh out the confetty interactive console slightly 2014-02-09 17:35:49 -05:00			`# note(jbjohnso): here, we need to authenticate, but not`
Advance state of the socket interface Properly implement authentication and switch the protocol over to the tlv based protocol. Abandon all thought of the socket being directly accessible. Any CLI semantics will be in confetty and an appliance wishing to expose that CLI directly should use standard ssh stuff with a shell of confetty. The unix domain authentication support makes this feasible (requires user creation push name into confluent repository at the moment..) 2014-02-09 10:43:26 -05:00			`# authorize a user. When authorization starts understanding`
			`# element path, that authorization will need to be called`
			`# per request the user makes`
			`authdata = auth.check_user_passphrase(username, passphrase)`
Fix socket api double send of auth failure notification The loop was sending failure back after an iteration of the loop that fails to authenticate and then again at the beginning of the next iteration. Remove the end iteration sending so that there is only one iteration of the message 2014-02-09 14:00:06 -05:00			`if authdata is not None:`
Advance state of the socket interface Properly implement authentication and switch the protocol over to the tlv based protocol. Abandon all thought of the socket being directly accessible. Any CLI semantics will be in confetty and an appliance wishing to expose that CLI directly should use standard ssh stuff with a shell of confetty. The unix domain authentication support makes this feasible (requires user creation push name into confluent repository at the moment..) 2014-02-09 10:43:26 -05:00			`authenticated = True`
			`cfm = authdata[1]`
			`tlvdata.send_tlvdata(connection, {'authpassed': 1})`
Flesh out the confetty interactive console slightly 2014-02-09 17:35:49 -05:00			`request = tlvdata.recv_tlvdata(connection)`
			`while request is not None:`
			`process_request(connection, request, cfm, authdata)`
			`request = tlvdata.recv_tlvdata(connection)`


			`def send_response(responses, connection):`
			`for rsp in responses:`
			`tlvdata.send_tlvdata(connection, json.dumps(rsp.json()))`

			`def process_request(connection, request, cfm, authdata):`
			`#TODO(jbjohnso): authorize each request`
			`if type(request) == dict:`
			`operation = request['operation']`
			`path = request['path']`
			`params = request.get('parameters', None)`
			`try:`
			`hdlr = pluginapi.handle_path(path, operation, cfm, params)`
			`except exc.NotFoundException:`
			`tlvdata.send_tlvdata(connection, {"errorcode": 404,`
			`"error": "Target not found"})`
			`return`
			`except exc.InvalidArgumentException:`
			`tlvdata.send_tlvdata(connection, {"errorcode": 400,`
			`"error": "Bad Request"})`
			`return`
			`send_response(hdlr, connection)`
			`return`
Advance state of the socket interface Properly implement authentication and switch the protocol over to the tlv based protocol. Abandon all thought of the socket being directly accessible. Any CLI semantics will be in confetty and an appliance wishing to expose that CLI directly should use standard ssh stuff with a shell of confetty. The unix domain authentication support makes this feasible (requires user creation push name into confluent repository at the moment..) 2014-02-09 10:43:26 -05:00			`ccons = ClientConsole(connection)`
			`consession = consoleserver.ConsoleSession(node='n4', configmanager=cfm,`
			`datacallback=ccons.sendall)`
Create a test socket api layer 2013-09-14 11:08:48 -04:00			`while (1):`
Advance state of the socket interface Properly implement authentication and switch the protocol over to the tlv based protocol. Abandon all thought of the socket being directly accessible. Any CLI semantics will be in confetty and an appliance wishing to expose that CLI directly should use standard ssh stuff with a shell of confetty. The unix domain authentication support makes this feasible (requires user creation push name into confluent repository at the moment..) 2014-02-09 10:43:26 -05:00			`data = tlvdata.recv_tlvdata(connection)`
Fix socket test case to work multiple times 2013-10-09 20:14:34 -04:00			`if not data:`
-Have master console multiplexer not crash because a handler would have crashed -Have sockapi remove console session handler on client disconnect 2013-10-10 14:17:08 -04:00			`consession.destroy()`
Fix socket test case to work multiple times 2013-10-09 20:14:34 -04:00			`return`
Create a test socket api layer 2013-09-14 11:08:48 -04:00			`consession.write(data)`


Implement unix domain socket in socket api 2013-10-14 09:21:55 -04:00			`def _tlshandler():`
Create a test socket api layer 2013-09-14 11:08:48 -04:00			`plainsocket = socket.socket()`
Fix socket test case to work multiple times 2013-10-09 20:14:34 -04:00			`plainsocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)`
Create a test socket api layer 2013-09-14 11:08:48 -04:00			`srv = ssl.wrap_socket(plainsocket, keyfile="/etc/confluent/privkey.pem",`
Have sockapi properly run alongside httpapi Have sockapi force TLSv1 2013-09-14 20:21:58 -04:00			`certfile="/etc/confluent/srvcert.pem",`
			`ssl_version=ssl.PROTOCOL_TLSv1,`
			`server_side=True)`
Create a test socket api layer 2013-09-14 11:08:48 -04:00			`srv.bind(('0.0.0.0', 4001))`
			`srv.listen(5)`
Begin work to do authentication and authorization on socket api 2013-10-14 11:28:07 -04:00			`authname = None`
Create a test socket api layer 2013-09-14 11:08:48 -04:00			`while (1): # TODO: exithook`
			`cnn, addr = srv.accept()`
Begin work to do authentication and authorization on socket api 2013-10-14 11:28:07 -04:00			`eventlet.spawn_n(sessionhdl, cnn, authname)`
Create a test socket api layer 2013-09-14 11:08:48 -04:00
Implement unix domain socket in socket api 2013-10-14 09:21:55 -04:00
			`def _unixdomainhandler():`
			`unixsocket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)`
			`try:`
			`os.remove("/var/run/confluent/api.sock")`
			`except OSError: # if file does not exist, no big deal`
			`pass`
			`unixsocket.bind("/var/run/confluent/api.sock")`
			`unixsocket.listen(5)`
			`while (1):`
			`cnn, addr = unixsocket.accept()`
			`creds = cnn.getsockopt(socket.SOL_SOCKET, SO_PEERCRED,`
			`struct.calcsize('3i'))`
Begin work to do authentication and authorization on socket api 2013-10-14 11:28:07 -04:00			`pid, uid, gid = struct.unpack('3i',creds)`
			`if uid in (os.getuid(), 0):`
			`#this is where we happily accept the person`
			`#to do whatever. This allows the server to`
			`#start with no configuration whatsoever`
			`#and yet still be configurable by some means`
			`authname = True`
			`else:`
			`try:`
			`authname = pwd.getpwuid(uid).pw_name`
			`except KeyError:`
			`cnn.close()`
			`return`
			`eventlet.spawn_n(sessionhdl, cnn, authname)`
Implement unix domain socket in socket api 2013-10-14 09:21:55 -04:00


Create a test socket api layer 2013-09-14 11:08:48 -04:00			`class SockApi(object):`
			`def start(self):`
Implement unix domain socket in socket api 2013-10-14 09:21:55 -04:00			`self.tlsserver = eventlet.spawn(_tlshandler)`
			`self.unixdomainserver = eventlet.spawn(_unixdomainhandler)`