selfprivacy-rest-api/selfprivacy_api/utils/__init__.py

#!/usr/bin/env python3
"""Various utility functions"""
import datetime
from enum import Enum
import json
import os
import subprocess
import portalocker
import typing


USERDATA_FILE = "/etc/nixos/userdata.json"
SECRETS_FILE = "/etc/selfprivacy/secrets.json"
DKIM_DIR = "/var/dkim/"


class UserDataFiles(Enum):
    """Enum for userdata files"""

    USERDATA = 0
    SECRETS = 3


def get_domain():
    """Get domain from userdata.json"""
    with ReadUserData() as user_data:
        return user_data["domain"]


class WriteUserData(object):
    """Write userdata.json with lock"""

    def __init__(self, file_type=UserDataFiles.USERDATA):
        if file_type == UserDataFiles.USERDATA:
            self.userdata_file = open(USERDATA_FILE, "r+", encoding="utf-8")
        elif file_type == UserDataFiles.SECRETS:
            # Make sure file exists
            if not os.path.exists(SECRETS_FILE):
                with open(SECRETS_FILE, "w", encoding="utf-8") as secrets_file:
                    secrets_file.write("{}")
            self.userdata_file = open(SECRETS_FILE, "r+", encoding="utf-8")
        else:
            raise ValueError("Unknown file type")
        portalocker.lock(self.userdata_file, portalocker.LOCK_EX)
        self.data = json.load(self.userdata_file)

    def __enter__(self):
        return self.data

    def __exit__(self, exc_type, exc_value, traceback):
        if exc_type is None:
            self.userdata_file.seek(0)
            json.dump(self.data, self.userdata_file, indent=4)
            self.userdata_file.truncate()
        portalocker.unlock(self.userdata_file)
        self.userdata_file.close()


class ReadUserData(object):
    """Read userdata.json with lock"""

    def __init__(self, file_type=UserDataFiles.USERDATA):
        if file_type == UserDataFiles.USERDATA:
            self.userdata_file = open(USERDATA_FILE, "r", encoding="utf-8")
        elif file_type == UserDataFiles.SECRETS:
            if not os.path.exists(SECRETS_FILE):
                with open(SECRETS_FILE, "w", encoding="utf-8") as secrets_file:
                    secrets_file.write("{}")
            self.userdata_file = open(SECRETS_FILE, "r", encoding="utf-8")
        else:
            raise ValueError("Unknown file type")
        portalocker.lock(self.userdata_file, portalocker.LOCK_SH)
        self.data = json.load(self.userdata_file)

    def __enter__(self) -> dict:
        return self.data

    def __exit__(self, *args):
        portalocker.unlock(self.userdata_file)
        self.userdata_file.close()


def validate_ssh_public_key(key):
    """Validate SSH public key.
    It may be ssh-ed25519, ssh-rsa or ecdsa-sha2-nistp256."""
    if not key.startswith("ssh-ed25519"):
        if not key.startswith("ssh-rsa"):
            if not key.startswith("ecdsa-sha2-nistp256"):
                return False
    return True


def is_username_forbidden(username):
    forbidden_prefixes = ["systemd", "nixbld"]

    forbidden_usernames = [
        "root",
        "messagebus",
        "postfix",
        "polkituser",
        "dovecot2",
        "dovenull",
        "nginx",
        "postgres",
        "prosody",
        "opendkim",
        "rspamd",
        "sshd",
        "selfprivacy-api",
        "restic",
        "redis",
        "pleroma",
        "ocserv",
        "nextcloud",
        "memcached",
        "knot-resolver",
        "gitea",
        "bitwarden_rs",
        "vaultwarden",
        "acme",
        "virtualMail",
        "nobody",
    ]

    for prefix in forbidden_prefixes:
        if username.startswith(prefix):
            return True

    for forbidden_username in forbidden_usernames:
        if username == forbidden_username:
            return True

    return False


def parse_date(date_str: str) -> datetime.datetime:
    """Parse date string which can be in one of these formats:
    - %Y-%m-%dT%H:%M:%S.%fZ
    - %Y-%m-%dT%H:%M:%S.%f
    - %Y-%m-%d %H:%M:%S.%fZ
    - %Y-%m-%d %H:%M:%S.%f
    """
    try:
        return datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S.%fZ")
    except ValueError:
        pass
    try:
        return datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        pass
    try:
        return datetime.datetime.strptime(date_str, "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:
        pass
    try:
        return datetime.datetime.strptime(date_str, "%Y-%m-%dT%H:%M:%S.%f")
    except ValueError:
        pass
    raise ValueError("Invalid date string")


def parse_dkim(dkim: str) -> str:
    # extract key from file
    dkim = dkim.split("(")[1]
    dkim = dkim.split(")")[0]
    # replace all quotes with nothing
    dkim = dkim.replace('"', "")
    # trim whitespace, remove newlines and tabs
    dkim = dkim.strip()
    dkim = dkim.replace("\n", "")
    dkim = dkim.replace("\t", "")
    # remove all redundant spaces
    dkim = " ".join(dkim.split())
    return dkim


def get_dkim_key(domain: str, parse: bool = True) -> typing.Optional[str]:
    """Get DKIM key from /var/dkim/<domain>.selector.txt"""

    dkim_path = os.path.join(DKIM_DIR, domain + ".selector.txt")
    if os.path.exists(dkim_path):
        with open(dkim_path, encoding="utf-8") as dkim_file:
            dkim = dkim_file.read()
            if parse:
                dkim = parse_dkim(dkim)
        return dkim
    return None


def hash_password(password):
    hashing_command = ["mkpasswd", "-m", "sha-512", password]
    password_hash_process_descriptor = subprocess.Popen(
        hashing_command,
        shell=False,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
    )
    hashed_password = password_hash_process_descriptor.communicate()[0]
    hashed_password = hashed_password.decode("ascii")
    hashed_password = hashed_password.rstrip()
    return hashed_password
Decomposition 2021-11-11 18:31:28 +00:00			`#!/usr/bin/env python3`
Input sanitization, added swagger 2021-11-16 16:14:01 +00:00			`"""Various utility functions"""`
add auth check 2022-06-24 17:08:58 +00:00			`import datetime`
Inital auth work, untested 2022-01-14 05:38:53 +00:00			`from enum import Enum`
Add SSH and system settings endpoints 2021-11-22 16:50:50 +00:00			`import json`
Add more tests 2022-07-05 05:14:37 +00:00			`import os`
			`import subprocess`
Add SSH and system settings endpoints 2021-11-22 16:50:50 +00:00			`import portalocker`
test(services, system): untie dkim tests from rest 2023-11-24 11:26:13 +00:00			`import typing`
Input sanitization, added swagger 2021-11-16 16:14:01 +00:00
Decomposition 2021-11-11 18:31:28 +00:00
refactor: Adapt API to the NixOS configuration changes 2024-01-09 18:58:09 +00:00			`USERDATA_FILE = "/etc/nixos/userdata.json"`
			`SECRETS_FILE = "/etc/selfprivacy/secrets.json"`
refactor(dkim): do not use popen 2023-12-25 13:49:36 +00:00			`DKIM_DIR = "/var/dkim/"`
First wave of unit tests, and bugfixes caused by them 2021-11-29 19:16:08 +00:00
Reformat code with Black 2021-11-30 21:53:39 +00:00
Inital auth work, untested 2022-01-14 05:38:53 +00:00			`class UserDataFiles(Enum):`
			`"""Enum for userdata files"""`

			`USERDATA = 0`
refactor: Adapt API to the NixOS configuration changes 2024-01-09 18:58:09 +00:00			`SECRETS = 3`
Inital auth work, untested 2022-01-14 05:38:53 +00:00

Decomposition 2021-11-11 18:31:28 +00:00			`def get_domain():`
refactor: Adapt API to the NixOS configuration changes 2024-01-09 18:58:09 +00:00			`"""Get domain from userdata.json"""`
			`with ReadUserData() as user_data:`
			`return user_data["domain"]`
Add SSH and system settings endpoints 2021-11-22 16:50:50 +00:00

			`class WriteUserData(object):`
			`"""Write userdata.json with lock"""`

Inital auth work, untested 2022-01-14 05:38:53 +00:00			`def __init__(self, file_type=UserDataFiles.USERDATA):`
			`if file_type == UserDataFiles.USERDATA:`
			`self.userdata_file = open(USERDATA_FILE, "r+", encoding="utf-8")`
refactor: Adapt API to the NixOS configuration changes 2024-01-09 18:58:09 +00:00			`elif file_type == UserDataFiles.SECRETS:`
Migrate to FastAPI (#13) Co-authored-by: inexcode <inex.code@selfprivacy.org> Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api/pulls/13 2022-08-25 17:03:56 +00:00			`# Make sure file exists`
refactor: Adapt API to the NixOS configuration changes 2024-01-09 18:58:09 +00:00			`if not os.path.exists(SECRETS_FILE):`
			`with open(SECRETS_FILE, "w", encoding="utf-8") as secrets_file:`
			`secrets_file.write("{}")`
			`self.userdata_file = open(SECRETS_FILE, "r+", encoding="utf-8")`
Inital auth work, untested 2022-01-14 05:38:53 +00:00			`else:`
			`raise ValueError("Unknown file type")`
Add SSH and system settings endpoints 2021-11-22 16:50:50 +00:00			`portalocker.lock(self.userdata_file, portalocker.LOCK_EX)`
			`self.data = json.load(self.userdata_file)`

			`def __enter__(self):`
			`return self.data`

			`def __exit__(self, exc_type, exc_value, traceback):`
			`if exc_type is None:`
			`self.userdata_file.seek(0)`
			`json.dump(self.data, self.userdata_file, indent=4)`
			`self.userdata_file.truncate()`
			`portalocker.unlock(self.userdata_file)`
			`self.userdata_file.close()`


			`class ReadUserData(object):`
			`"""Read userdata.json with lock"""`

Inital auth work, untested 2022-01-14 05:38:53 +00:00			`def __init__(self, file_type=UserDataFiles.USERDATA):`
			`if file_type == UserDataFiles.USERDATA:`
			`self.userdata_file = open(USERDATA_FILE, "r", encoding="utf-8")`
refactor: Adapt API to the NixOS configuration changes 2024-01-09 18:58:09 +00:00			`elif file_type == UserDataFiles.SECRETS:`
			`if not os.path.exists(SECRETS_FILE):`
			`with open(SECRETS_FILE, "w", encoding="utf-8") as secrets_file:`
			`secrets_file.write("{}")`
			`self.userdata_file = open(SECRETS_FILE, "r", encoding="utf-8")`
Inital auth work, untested 2022-01-14 05:38:53 +00:00			`else:`
			`raise ValueError("Unknown file type")`
Add SSH and system settings endpoints 2021-11-22 16:50:50 +00:00			`portalocker.lock(self.userdata_file, portalocker.LOCK_SH)`
			`self.data = json.load(self.userdata_file)`

Add volume management 2022-07-25 14:08:31 +00:00			`def __enter__(self) -> dict:`
Add SSH and system settings endpoints 2021-11-22 16:50:50 +00:00			`return self.data`

			`def __exit__(self, *args):`
			`portalocker.unlock(self.userdata_file)`
			`self.userdata_file.close()`
Move SSH key validation to utils 2021-11-23 18:32:51 +00:00

			`def validate_ssh_public_key(key):`
feat(ssh): Add support for ecdsa keys 2023-10-03 13:51:06 +00:00			`"""Validate SSH public key.`
			`It may be ssh-ed25519, ssh-rsa or ecdsa-sha2-nistp256."""`
Move SSH key validation to utils 2021-11-23 18:32:51 +00:00			`if not key.startswith("ssh-ed25519"):`
			`if not key.startswith("ssh-rsa"):`
feat(ssh): Add support for ecdsa keys 2023-10-03 13:51:06 +00:00			`if not key.startswith("ecdsa-sha2-nistp256"):`
			`return False`
Move SSH key validation to utils 2021-11-23 18:32:51 +00:00			`return True`
More unit tests and bugfixes (#7) Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api/pulls/7 Co-authored-by: Inex Code <inex.code@selfprivacy.org> Co-committed-by: Inex Code <inex.code@selfprivacy.org> 2022-01-10 20:35:00 +00:00

			`def is_username_forbidden(username):`
			`forbidden_prefixes = ["systemd", "nixbld"]`

			`forbidden_usernames = [`
			`"root",`
			`"messagebus",`
			`"postfix",`
			`"polkituser",`
			`"dovecot2",`
			`"dovenull",`
			`"nginx",`
			`"postgres",`
			`"prosody",`
			`"opendkim",`
			`"rspamd",`
			`"sshd",`
			`"selfprivacy-api",`
			`"restic",`
			`"redis",`
			`"pleroma",`
			`"ocserv",`
			`"nextcloud",`
			`"memcached",`
			`"knot-resolver",`
			`"gitea",`
			`"bitwarden_rs",`
			`"vaultwarden",`
			`"acme",`
			`"virtualMail",`
			`"nobody",`
			`]`

			`for prefix in forbidden_prefixes:`
			`if username.startswith(prefix):`
			`return True`

			`for forbidden_username in forbidden_usernames:`
			`if username == forbidden_username:`
			`return True`

			`return False`
add auth check 2022-06-24 17:08:58 +00:00
add basic system getters 2022-06-24 18:14:20 +00:00
add auth check 2022-06-24 17:08:58 +00:00			`def parse_date(date_str: str) -> datetime.datetime:`
Change datetime formats, more tests 2022-07-08 15:28:08 +00:00			`"""Parse date string which can be in one of these formats:`
			`- %Y-%m-%dT%H:%M:%S.%fZ`
			`- %Y-%m-%dT%H:%M:%S.%f`
			`- %Y-%m-%d %H:%M:%S.%fZ`
			`- %Y-%m-%d %H:%M:%S.%f`
			`"""`
			`try:`
			`return datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S.%fZ")`
			`except ValueError:`
			`pass`
			`try:`
			`return datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S.%f")`
			`except ValueError:`
			`pass`
			`try:`
			`return datetime.datetime.strptime(date_str, "%Y-%m-%dT%H:%M:%S.%fZ")`
			`except ValueError:`
			`pass`
			`try:`
			`return datetime.datetime.strptime(date_str, "%Y-%m-%dT%H:%M:%S.%f")`
			`except ValueError:`
			`pass`
			`raise ValueError("Invalid date string")`
Add more tests 2022-07-05 05:14:37 +00:00
fix recovery tests 2022-07-07 13:53:19 +00:00
refactor(dkim): do not use popen 2023-12-25 13:49:36 +00:00			`def parse_dkim(dkim: str) -> str:`
			`# extract key from file`
			`dkim = dkim.split("(")[1]`
			`dkim = dkim.split(")")[0]`
			`# replace all quotes with nothing`
			`dkim = dkim.replace('"', "")`
			`# trim whitespace, remove newlines and tabs`
			`dkim = dkim.strip()`
			`dkim = dkim.replace("\n", "")`
			`dkim = dkim.replace("\t", "")`
			`# remove all redundant spaces`
			`dkim = " ".join(dkim.split())`
			`return dkim`


test(services, system): untie dkim tests from rest 2023-11-24 11:26:13 +00:00			`def get_dkim_key(domain: str, parse: bool = True) -> typing.Optional[str]:`
Add more tests 2022-07-05 05:14:37 +00:00			`"""Get DKIM key from /var/dkim/<domain>.selector.txt"""`
refactor(dkim): do not use popen 2023-12-25 13:49:36 +00:00
			`dkim_path = os.path.join(DKIM_DIR, domain + ".selector.txt")`
			`if os.path.exists(dkim_path):`
			`with open(dkim_path, encoding="utf-8") as dkim_file:`
			`dkim = dkim_file.read()`
			`if parse:`
			`dkim = parse_dkim(dkim)`
			`return dkim`
Add more tests 2022-07-05 05:14:37 +00:00			`return None`
Add GraphQJ user and ssh management (#12) Co-authored-by: Inex Code <inex.code@selfprivacy.org> Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api/pulls/12 Co-authored-by: def <dettlaff@riseup.net> Co-committed-by: def <dettlaff@riseup.net> 2022-08-01 10:40:40 +00:00

			`def hash_password(password):`
			`hashing_command = ["mkpasswd", "-m", "sha-512", password]`
			`password_hash_process_descriptor = subprocess.Popen(`
			`hashing_command,`
			`shell=False,`
			`stdout=subprocess.PIPE,`
			`stderr=subprocess.STDOUT,`
			`)`
			`hashed_password = password_hash_process_descriptor.communicate()[0]`
			`hashed_password = hashed_password.decode("ascii")`
			`hashed_password = hashed_password.rstrip()`
			`return hashed_password`