moat-kv 0.70.20__py3-none-any.whl → 0.70.23__py3-none-any.whl

moat/kv/auth/password.py

@@ -1,232 +0,0 @@
-#
-"""
-Password-based auth method.
-
-Does not limit anything, allows everything.
-"""
-
-import nacl.secret
-
-from ..client import Client, NoData
-from ..exceptions import AuthFailedError
-from ..model import Entry
-from ..server import StreamCommand
-from . import (
-    BaseClientAuth,
-    BaseClientAuthMaker,
-    BaseServerAuthMaker,
-    RootServerUser,
-    null_client_login,
-    null_server_login,
-)
-
-
-def load(typ: str, *, make: bool = False, server: bool):
-    if typ == "client":
-        if server:
-            return null_server_login
-        else:
-            return null_client_login
-    if typ != "user":
-        raise NotImplementedError("This module only handles users")
-    if server:
-        if make:
-            return ServerUserMaker
-        else:
-            return ServerUser
-    else:
-        if make:
-            return ClientUserMaker
-        else:
-            return ClientUser
-
-
-async def pack_pwd(client, password, length):
-    """Client side: encrypt password"""
-    secret = await client.dh_secret(length=length)
-    from hashlib import sha256
-
-    pwd = sha256(password).digest()
-    box = nacl.secret.SecretBox(secret)
-    pwd = box.encrypt(pwd)
-    return pwd
-
-
-async def unpack_pwd(client, password):
-    """Server side: extract password"""
-    box = nacl.secret.SecretBox(client.dh_key)
-    pwd = box.decrypt(password)
-    return pwd
-    # TODO check with Argon2
-
-
-class ServerUserMaker(BaseServerAuthMaker):
-    _name = None
-    _aux = None
-    password: str = None
-
-    @property
-    def ident(self):
-        return self._name
-
-    @classmethod
-    async def recv(cls, cmd, data):
-        self = cls()
-        self._name = data["ident"]
-        self._aux = data.get("aux")
-        pwd = data.get("password")
-        pwd = await unpack_pwd(cmd.client, pwd)
-
-        # TODO use Argon2 to re-hash this
-        self.password = pwd
-        return self
-
-    async def send(self, cmd):
-        return  # nothing to do, we don't share the hash
-
-    @classmethod
-    def load(cls, data):
-        self = super().load(data)
-        self._name = data.path[-1]
-        return self
-
-    def save(self):
-        res = super().save()
-        res["password"] = self.password
-        return res
-
-
-class ServerUser(RootServerUser):
-    @classmethod
-    def load(cls, data: Entry):
-        """Create a ServerUser object from existing stored data"""
-        self = super().load(data)
-        self._name = data.name
-        return self
-
-    async def auth(self, cmd: StreamCommand, data):
-        """Verify that @data authenticates this user."""
-        await super().auth(cmd, data)
-
-        pwd = await unpack_pwd(cmd.client, data.password)
-        if pwd != self.password:  # pylint: disable=no-member
-            # pylint: disable=no-member
-            raise AuthFailedError("Password hashes do not match", self._name)
-
-
-class ClientUserMaker(BaseClientAuthMaker):
-    gen_schema = dict(
-        type="object",
-        additionalProperties=True,
-        properties=dict(
-            name=dict(type="string", minLength=1, pattern="^[a-zA-Z][a-zA-Z0-9_]*$"),
-            password=dict(type="string", minLength=5),
-        ),
-        required=["name", "password"],
-    )
-    mod_schema = dict(
-        type="object",
-        additionalProperties=True,
-        properties=dict(password=dict(type="string", minLength=5)),
-        # required=[],
-    )
-    _name = None
-    _pass = None
-    _length = 1024
-
-    @property
-    def ident(self):
-        return self._name
-
-    # Overly-complicated methods of exchanging the user name
-
-    @classmethod
-    def build(cls, user, _initial=True):
-        self = super().build(user, _initial=_initial)
-        self._name = user["name"]
-        if "password" in user:
-            self._pass = user["password"].encode("utf-8")
-        return self
-
-    @classmethod
-    async def recv(cls, client: Client, ident: str, _kind: str = "user", _initial=True):
-        """Read a record representing a user from the server."""
-        m = await client._request(
-            action="auth_get",
-            typ=cls._auth_method,
-            kind=_kind,
-            ident=ident,
-            nchain=0 if _initial else 2,
-        )
-        # just to verify that the user exists
-        # There's no reason to send the password hash back
-        self = cls(_initial=_initial)
-        self._name = m.name
-        try:
-            self._chain = m.chain
-        except AttributeError:
-            pass
-        return self
-
-    async def send(self, client: Client, _kind="user", **msg):  # pylint: disable=unused-argument,arguments-differ
-        """Send a record representing this user to the server."""
-        if self._pass is not None:
-            msg["password"] = await pack_pwd(client, self._pass, self._length)
-
-        await client._request(
-            action="auth_set",
-            ident=self._name,
-            typ=type(self)._auth_method,
-            kind=_kind,
-            chain=self._chain,
-            **msg,
-        )
-
-    def export(self):
-        """Return the data required to re-create the user via :meth:`build`."""
-        res = super().export()
-        res["name"] = self._name
-        return res
-
-
-class ClientUser(BaseClientAuth):
-    schema = dict(
-        type="object",
-        additionalProperties=True,
-        properties=dict(
-            name=dict(type="string", minLength=1, pattern="^[a-zA-Z][a-zA-Z0-9_]*$"),
-            password=dict(type="string", minLength=5),
-        ),
-        required=["name", "password"],
-    )
-    _name = None
-    _pass = None
-    _length = 1024
-
-    @property
-    def ident(self):
-        return self._name
-
-    @classmethod
-    def build(cls, user):
-        self = super().build(user)
-        self._name = user["name"]
-        self._pass = user["password"].encode("utf-8")
-        return self
-
-    async def auth(self, client: Client, chroot=()):
-        """
-        Authorizes this user with the server.
-        """
-        try:
-            pw = await pack_pwd(client, self._pass, self._length)
-            await client._request(
-                action="auth",
-                typ=self._auth_method,
-                iter=False,
-                ident=self.ident,
-                password=pw,
-                **self.auth_data(),
-            )
-        except NoData:
-            pass

moat/kv/auth/root.py

@@ -1,56 +0,0 @@
-#
-"""
-Null auth method.
-
-Does not limit anything, allows everything.
-"""
-
-from . import (
-    BaseClientAuth,
-    BaseClientAuthMaker,
-    BaseServerAuthMaker,
-    RootServerUser,
-    null_client_login,
-    null_server_login,
-)
-
-
-def load(typ: str, *, make: bool = False, server: bool):
-    if typ == "client":
-        if server:
-            return null_server_login
-        else:
-            return null_client_login
-    if typ != "user":
-        raise NotImplementedError("This module only handles users")
-    if server:
-        if make:
-            return ServerUserMaker
-        else:
-            return ServerUser
-    else:
-        if make:
-            return ClientUserMaker
-        else:
-            return ClientUser
-
-
-class ServerUserMaker(BaseServerAuthMaker):
-    schema = {"type": "object", "additionalProperties": False}
-
-
-class ServerUser(RootServerUser):
-    schema = {"type": "object", "additionalProperties": False}
-
-
-class ClientUserMaker(BaseClientAuthMaker):
-    gen_schema = {"type": "object", "additionalProperties": False}
-    mod_schema = {"type": "object", "additionalProperties": False}
-
-    @property
-    def ident(self):
-        return "*"
-
-
-class ClientUser(BaseClientAuth):
-    schema = {"type": "object", "additionalProperties": False}

moat/kv/backend/__init__.py

@@ -1,66 +0,0 @@
-from abc import ABCMeta, abstractmethod
-from contextlib import asynccontextmanager
-
-import anyio
-
-__all__ = ["get_backend", "Backend"]
-
-
-class Backend(metaclass=ABCMeta):
-    def __init__(self, tg):
-        self._tg = tg
-        self._njobs = 0
-        self._ended = None
-
-    @abstractmethod
-    @asynccontextmanager
-    async def connect(self, *a, **k):
-        """
-        This async context manager returns a connection.
-        """
-
-    async def aclose(self):
-        """
-        Force-close the connection.
-        """
-        self._tg.cancel_scope.cancel()
-        if self._njobs > 0:
-            with anyio.move_on_after(2):
-                await self._ended.wait()
-
-    async def spawn(self, p, *a, **kw):
-        async def _run(p, a, kw, *, task_status):
-            if self._ended is None:
-                self._ended = anyio.Event()
-            self._njobs += 1
-            task_status.started()
-            try:
-                return await p(*a, **kw)
-            finally:
-                self._njobs -= 1
-                if not self._njobs:
-                    self._ended.set()
-                    self._ended = None
-
-        return await self._tg.start(_run, p, a, kw)
-
-    @abstractmethod
-    @asynccontextmanager
-    async def monitor(self, *topic):
-        """
-        Return an async iterator that listens to this topic.
-        """
-
-    @abstractmethod
-    async def send(self, *topic, payload):
-        """
-        Send this payload to this topic.
-        """
-
-
-def get_backend(name):
-    from importlib import import_module
-
-    if "." not in name:
-        name = "moat.kv.backend." + name
-    return import_module(name).connect

moat/kv/backend/mqtt.py

@@ -1,74 +0,0 @@
-import logging
-from contextlib import asynccontextmanager
-
-import anyio
-from moat.mqtt.client import MQTTClient
-from moat.mqtt.codecs import NoopCodec
-
-from . import Backend
-
-logger = logging.getLogger(__name__)
-
-# Simply setting connect=asyncserf.serf_client interferes with mocking
-# when testing.
-
-
-class MqttMessage:
-    def __init__(self, topic, payload):
-        self.topic = topic
-        self.payload = payload
-
-
-class MqttBackend(Backend):
-    client = None
-
-    @asynccontextmanager
-    async def connect(self, *a, **kw):
-        codec = kw.pop("codec", None)
-        if codec is None:
-            codec = NoopCodec()
-        C = MQTTClient(self._tg, codec=codec)
-        try:
-            await C.connect(*a, **kw)
-            self.client = C
-            yield self
-        finally:
-            self.client = None
-            with anyio.CancelScope(shield=True):
-                await self.aclose()
-                await C.disconnect()
-
-    @asynccontextmanager
-    async def monitor(self, *topic):
-        topic = "/".join(str(x) for x in topic)
-        logger.info("Monitor %s start", topic)
-        try:
-            async with self.client.subscription(topic) as sub:
-
-                async def sub_get(sub):
-                    async for msg in sub:
-                        yield MqttMessage(msg.topic.split("/"), msg.data)
-
-                yield sub_get(sub)
-        except anyio.get_cancelled_exc_class():
-            raise
-        except BaseException as exc:
-            logger.exception("Monitor %s end: %r", topic, exc)
-            raise
-        else:
-            logger.info("Monitor %s end", topic)
-
-    def send(self, *topic, payload):  # pylint: disable=invalid-overridden-method
-        """
-        Send this payload to this topic.
-        """
-        # client.publish is also async, pass-thru
-        return self.client.publish("/".join(str(x) for x in topic), message=payload)
-
-
-@asynccontextmanager
-async def connect(**kw):
-    async with anyio.create_task_group() as tg:
-        c = MqttBackend(tg)
-        async with c.connect(**kw):
-            yield c

moat/kv/backend/serf.py

@@ -1,44 +0,0 @@
-from contextlib import asynccontextmanager
-
-import anyio
-import asyncserf
-
-from . import Backend
-
-# Simply setting connect=asyncserf.serf_client interferes with mocking
-# when testing.
-
-
-class SerfBackend(Backend):
-    client = None
-
-    @asynccontextmanager
-    async def connect(self, *a, **k):
-        async with asyncserf.serf_client(*a, **k) as c:
-            self.client = c
-            try:
-                yield self
-            finally:
-                with anyio.CancelScope(shield=True):
-                    await self.aclose()
-                self.client = None
-
-    def monitor(self, *topic):  # pylint: disable=invalid-overridden-method
-        topic = "user:" + ".".join(topic)
-        # self.client.stream is also async, pass thru
-        return self.client.stream(topic)
-
-    def send(self, *topic, payload):  # pylint: disable=invalid-overridden-method
-        """
-        Send this payload to this topic.
-        """
-        # self.client.event is also async, pass thru
-        return self.client.event(".".join(topic), payload=payload, coalesce=False)
-
-
-@asynccontextmanager
-async def connect(*a, **kw):
-    async with anyio.create_task_group() as tg:
-        c = SerfBackend(tg)
-        async with c.connect(*a, **kw):
-            yield c

moat/kv/command/__init__.py

@@ -1 +0,0 @@
-# empty

moat/kv/command/acl.py

@@ -1,174 +0,0 @@
-# command line interface
-
-import sys
-
-import asyncclick as click
-from moat.util import P, Path, yprint
-
-from moat.kv.data import data_get
-
-ACL = set("rwdcxena")
-# read, write, delete, create, access, enumerate
-
-
-@click.group()  # pylint: disable=undefined-variable
-async def cli():
-    """Manage ACLs. Usage: … acl …"""
-    pass
-
-
-@cli.command("list")
-@click.pass_obj
-async def list_(obj):
-    """List ACLs."""
-    res = await obj.client._request(
-        action="enum_internal", path=("acl",), iter=False, nchain=obj.meta, empty=True
-    )
-    yprint(res if obj.meta else res.result, stream=obj.stdout)
-
-
-@cli.command()
-@click.option(
-    "-d",
-    "--as-dict",
-    default=None,
-    help="Structure as dictionary. The argument is the key to use "
-    "for values. Default: return as list",
-)
-@click.argument("name", nargs=1)
-@click.argument("path", nargs=1)
-@click.pass_obj
-async def dump(obj, name, path, as_dict):
-    """Dump a complete (or partial) ACL."""
-    path = P(path)
-    await data_get(obj, Path("acl", name, path), internal=True, as_dict=as_dict)
-
-
-@cli.command()
-@click.argument("name", nargs=1)
-@click.argument("path", nargs=1)
-@click.pass_obj
-async def get(obj, name, path):
-    """Read an ACL.
-
-    This command does not test a path. Use "… acl test …" for that.
-    """
-    path = P(path)
-    if not len(path):
-        raise click.UsageError("You need a non-empty path.")
-    res = await obj.client._request(
-        action="get_internal", path=("acl", name) + path, iter=False, nchain=obj.meta
-    )
-
-    if not obj.meta:
-        try:
-            res = res.value
-        except KeyError:
-            if obj.debug:
-                print("No value.", file=sys.stderr)
-            return
-    yprint(res, stream=obj.stdout)
-
-
-@cli.command(name="set")
-@click.option(
-    "-a",
-    "--acl",
-    default="+x",
-    help="The value to set. Start with '+' to add, '-' to remove rights.",
-)
-@click.argument("name", nargs=1)
-@click.argument("path", nargs=1)
-@click.pass_obj
-async def set_(obj, acl, name, path):
-    """Set or change an ACL."""
-
-    path = P(path)
-    if not len(path):
-        raise click.UsageError("You need a non-empty path.")
-    if len(acl) > 1 and acl[0] in "+-":
-        mode = acl[0]
-        acl = acl[1:]
-    else:
-        mode = "x"
-    acl = set(acl)
-
-    if acl - ACL:
-        raise click.UsageError(
-            f"You're trying to set an unknown ACL flag: {acl - ACL !r}"
-        )
-
-    res = await obj.client._request(
-        action="get_internal",
-        path=("acl", name) + path,
-        iter=False,
-        nchain=3 if obj.meta else 1,
-    )
-    ov = set(res.get("value", ""))
-    if ov - ACL:
-        print(f"Warning: original ACL contains unknown: {ov - acl !r}", file=sys.stderr)
-
-    if mode == "-" and not acl:
-        res = await obj.client._request(
-            action="delete_internal",
-            path=("acl", name) + path,
-            iter=False,
-            chain=res.chain,
-        )
-        v = "-"
-
-    else:
-        if mode == "+":
-            v = ov + acl
-        elif mode == "-":
-            v = ov - acl
-        else:
-            v = acl
-        res = await obj.client._request(
-            action="set_internal",
-            path=("acl", name) + path,
-            value="".join(v),
-            iter=False,
-            chain=res.get("chain", None),
-        )
-
-    if obj.meta:
-        res = {
-            "old": "".join(ov),
-            "new": "".join(v),
-            "chain": res.chain,
-            "tock": res.tock,
-        }
-        yprint(res, stream=obj.stdout)
-    else:
-        res = {"old": "".join(ov), "new": "".join(v)}
-        yprint(res, stream=obj.stdout)
-
-
-@cli.command()
-@click.option("-m", "--mode", default=None, help="Mode letter to test.")
-@click.option("-a", "--acl", default=None, help="ACL to test. Default: current")
-@click.argument("path", nargs=1)
-@click.pass_obj
-async def test(obj, path, acl, mode):
-    """Test which ACL entry matches a path"""
-    path = P(path)
-    if not len(path):
-        raise click.UsageError("You need a non-empty path.")
-
-    if mode is not None and len(mode) != 1:
-        raise click.UsageError("Mode must be one letter.")
-    res = await obj.client._request(
-        action="test_acl",
-        path=path,
-        iter=False,
-        nchain=obj.meta,
-        **({} if mode is None else {"mode": mode}),
-        **({} if acl is None else {"acl": acl}),
-    )
-    if obj.meta:
-        yprint(res, stream=obj.stdout)
-    elif isinstance(res.access, bool):
-        print("+" if res.access else "-", file=obj.stdout)
-    else:
-        print(res.access, file=obj.stdout)