moat-kv 0.70.23__py3-none-any.whl → 0.71.0__py3-none-any.whl

debian/moat-kv/usr/lib/python3/dist-packages/moat/kv/auth/_test.py

@@ -0,0 +1,166 @@
+#
+"""
+Test auth method.
+
+Does not limit anything, allows everything.
+"""
+
+from __future__ import annotations
+
+import logging
+
+log = logging.getLogger(__name__)
+
+from ..client import Client
+from . import (
+    BaseClientAuth,
+    BaseClientAuthMaker,
+    BaseServerAuthMaker,
+    RootServerUser,
+    null_client_login,
+    null_server_login,
+)
+
+
+def load(typ: str, *, make: bool = False, server: bool):
+    if typ == "client":
+        if server:
+            return null_server_login
+        else:
+            return null_client_login
+    if typ != "user":
+        raise NotImplementedError("This module only handles users")
+    if server:
+        if make:
+            return ServerUserMaker
+        else:
+            return ServerUser
+    else:
+        if make:
+            return ClientUserMaker
+        else:
+            return ClientUser
+
+
+class ServerUserMaker(BaseServerAuthMaker):
+    name = None
+
+    @property
+    def ident(self):
+        return self.name
+
+    # Overly-complicated methods of exchanging the user name
+
+    @classmethod
+    async def recv(cls, cmd, data):
+        await cmd.send(step="GiveName")
+        msg = await cmd.recv()
+        assert msg.step == "HasName"
+        self = cls()
+        self.name = msg.name
+        return self
+
+    async def send(self, cmd):
+        await cmd.send(step="SendWant")
+        msg = await cmd.recv()
+        assert msg.step == "WantName"
+        await cmd.send(step="SendName", name=self.name, chain=self._chain.serialize(nchain=3))
+        msg = await cmd.recv()
+
+    # Annoying methods to read+save the user name from/to KV
+
+    @classmethod
+    def load(cls, data):
+        self = super().load(data)
+        self.name = data.name
+        return self
+
+
+class ServerUser(RootServerUser):
+    pass
+
+
+class ClientUserMaker(BaseClientAuthMaker):
+    gen_schema = dict(
+        type="object",
+        additionalProperties=False,
+        properties=dict(name=dict(type="string", minLength=1, pattern="^[a-zA-Z][a-zA-Z0-9_]*$")),
+        required=["name"],
+    )
+    mod_schema = dict(
+        type="object",
+        additionalProperties=False,
+        properties=dict(name=dict(type="string", minLength=1, pattern="^[a-zA-Z][a-zA-Z0-9_]*$")),
+        # required=[],
+    )
+    name = None
+
+    @property
+    def ident(self):
+        return self.name
+
+    # Overly-complicated methods of exchanging the user name
+
+    @classmethod
+    async def recv(cls, client: Client, ident: str, _kind: str = "user", _initial=True):
+        """Read a record representing a user from the server."""
+        async with client._stream(
+            action="auth_get",
+            typ=cls._auth_method,
+            kind=_kind,
+            ident=ident,
+            stream=True,
+            nchain=0 if _initial else 2,
+        ) as s:
+            m = await s.recv()
+            assert m.step == "SendWant", m
+            await s.send(step="WantName")
+            m = await s.recv()
+            assert m.step == "SendName", m
+            assert m.name == ident
+
+            self = cls(name=m.name, _initial=_initial)
+            self._chain = m.chain
+            return self
+
+    async def send(self, client: Client, _kind="user"):
+        """Send a record representing this user to the server."""
+        async with client._stream(
+            action="auth_set",
+            typ=type(self)._auth_method,
+            kind=_kind,
+            ident=self.ident,
+            stream=True,
+        ) as s:
+            # we could initially send the ident but don't here, for testing
+            m = await s.recv()
+            assert m.step == "GiveName", m
+            await s.send(step="HasName", name=self.name, chain=self._chain)
+            m = await s.recv()
+            assert m.chain.prev is None
+
+    def export(self):
+        """Return the data required to re-create the user via :meth:`build`."""
+        return {"name": self.name}
+
+
+class ClientUser(BaseClientAuth):
+    name = None
+
+    schema = dict(
+        type="object",
+        additionalProperties=False,
+        properties=dict(name=dict(type="string", minLength=1, pattern="^[a-zA-Z][a-zA-Z0-9_]*$")),
+        required=["name"],
+    )
+    _name = None
+
+    @property
+    def ident(self):
+        return self.name
+
+    @classmethod
+    def build(cls, user):
+        self = super().build(user)
+        self.name = user["name"]
+        return self

debian/moat-kv/usr/lib/python3/dist-packages/moat/kv/auth/password.py

@@ -0,0 +1,234 @@
+#
+"""
+Password-based auth method.
+
+Does not limit anything, allows everything.
+"""
+
+from __future__ import annotations
+
+import nacl.secret
+
+from ..client import Client, NoData
+from ..exceptions import AuthFailedError
+from ..model import Entry
+from ..server import StreamCommand
+from . import (
+    BaseClientAuth,
+    BaseClientAuthMaker,
+    BaseServerAuthMaker,
+    RootServerUser,
+    null_client_login,
+    null_server_login,
+)
+
+
+def load(typ: str, *, make: bool = False, server: bool):
+    if typ == "client":
+        if server:
+            return null_server_login
+        else:
+            return null_client_login
+    if typ != "user":
+        raise NotImplementedError("This module only handles users")
+    if server:
+        if make:
+            return ServerUserMaker
+        else:
+            return ServerUser
+    else:
+        if make:
+            return ClientUserMaker
+        else:
+            return ClientUser
+
+
+async def pack_pwd(client, password, length):
+    """Client side: encrypt password"""
+    secret = await client.dh_secret(length=length)
+    from hashlib import sha256
+
+    pwd = sha256(password).digest()
+    box = nacl.secret.SecretBox(secret)
+    pwd = box.encrypt(pwd)
+    return pwd
+
+
+async def unpack_pwd(client, password):
+    """Server side: extract password"""
+    box = nacl.secret.SecretBox(client.dh_key)
+    pwd = box.decrypt(password)
+    return pwd
+    # TODO check with Argon2
+
+
+class ServerUserMaker(BaseServerAuthMaker):
+    _name = None
+    _aux = None
+    password: str = None
+
+    @property
+    def ident(self):
+        return self._name
+
+    @classmethod
+    async def recv(cls, cmd, data):
+        self = cls()
+        self._name = data["ident"]
+        self._aux = data.get("aux")
+        pwd = data.get("password")
+        pwd = await unpack_pwd(cmd.client, pwd)
+
+        # TODO use Argon2 to re-hash this
+        self.password = pwd
+        return self
+
+    async def send(self, cmd):
+        return  # nothing to do, we don't share the hash
+
+    @classmethod
+    def load(cls, data):
+        self = super().load(data)
+        self._name = data.path[-1]
+        return self
+
+    def save(self):
+        res = super().save()
+        res["password"] = self.password
+        return res
+
+
+class ServerUser(RootServerUser):
+    @classmethod
+    def load(cls, data: Entry):
+        """Create a ServerUser object from existing stored data"""
+        self = super().load(data)
+        self._name = data.name
+        return self
+
+    async def auth(self, cmd: StreamCommand, data):
+        """Verify that @data authenticates this user."""
+        await super().auth(cmd, data)
+
+        pwd = await unpack_pwd(cmd.client, data.password)
+        if pwd != self.password:  # pylint: disable=no-member
+            # pylint: disable=no-member
+            raise AuthFailedError("Password hashes do not match", self._name)
+
+
+class ClientUserMaker(BaseClientAuthMaker):
+    gen_schema = dict(
+        type="object",
+        additionalProperties=True,
+        properties=dict(
+            name=dict(type="string", minLength=1, pattern="^[a-zA-Z][a-zA-Z0-9_]*$"),
+            password=dict(type="string", minLength=5),
+        ),
+        required=["name", "password"],
+    )
+    mod_schema = dict(
+        type="object",
+        additionalProperties=True,
+        properties=dict(password=dict(type="string", minLength=5)),
+        # required=[],
+    )
+    _name = None
+    _pass = None
+    _length = 1024
+
+    @property
+    def ident(self):
+        return self._name
+
+    # Overly-complicated methods of exchanging the user name
+
+    @classmethod
+    def build(cls, user, _initial=True):
+        self = super().build(user, _initial=_initial)
+        self._name = user["name"]
+        if "password" in user:
+            self._pass = user["password"].encode("utf-8")
+        return self
+
+    @classmethod
+    async def recv(cls, client: Client, ident: str, _kind: str = "user", _initial=True):
+        """Read a record representing a user from the server."""
+        m = await client._request(
+            action="auth_get",
+            typ=cls._auth_method,
+            kind=_kind,
+            ident=ident,
+            nchain=0 if _initial else 2,
+        )
+        # just to verify that the user exists
+        # There's no reason to send the password hash back
+        self = cls(_initial=_initial)
+        self._name = m.name
+        try:
+            self._chain = m.chain
+        except AttributeError:
+            pass
+        return self
+
+    async def send(self, client: Client, _kind="user", **msg):  # pylint: disable=unused-argument,arguments-differ
+        """Send a record representing this user to the server."""
+        if self._pass is not None:
+            msg["password"] = await pack_pwd(client, self._pass, self._length)
+
+        await client._request(
+            action="auth_set",
+            ident=self._name,
+            typ=type(self)._auth_method,
+            kind=_kind,
+            chain=self._chain,
+            **msg,
+        )
+
+    def export(self):
+        """Return the data required to re-create the user via :meth:`build`."""
+        res = super().export()
+        res["name"] = self._name
+        return res
+
+
+class ClientUser(BaseClientAuth):
+    schema = dict(
+        type="object",
+        additionalProperties=True,
+        properties=dict(
+            name=dict(type="string", minLength=1, pattern="^[a-zA-Z][a-zA-Z0-9_]*$"),
+            password=dict(type="string", minLength=5),
+        ),
+        required=["name", "password"],
+    )
+    _name = None
+    _pass = None
+    _length = 1024
+
+    @property
+    def ident(self):
+        return self._name
+
+    @classmethod
+    def build(cls, user):
+        self = super().build(user)
+        self._name = user["name"]
+        self._pass = user["password"].encode("utf-8")
+        return self
+
+    async def auth(self, client: Client, chroot=()):
+        """
+        Authorizes this user with the server.
+        """
+        try:
+            pw = await pack_pwd(client, self._pass, self._length)
+            await client._request(
+                action="auth",
+                typ=self._auth_method,
+                iter=False,
+                ident=self.ident,
+                password=pw,
+                **self.auth_data(),
+            )
+        except NoData:
+            pass

debian/moat-kv/usr/lib/python3/dist-packages/moat/kv/auth/root.py

@@ -0,0 +1,58 @@
+#
+"""
+Null auth method.
+
+Does not limit anything, allows everything.
+"""
+
+from __future__ import annotations
+
+from . import (
+    BaseClientAuth,
+    BaseClientAuthMaker,
+    BaseServerAuthMaker,
+    RootServerUser,
+    null_client_login,
+    null_server_login,
+)
+
+
+def load(typ: str, *, make: bool = False, server: bool):
+    if typ == "client":
+        if server:
+            return null_server_login
+        else:
+            return null_client_login
+    if typ != "user":
+        raise NotImplementedError("This module only handles users")
+    if server:
+        if make:
+            return ServerUserMaker
+        else:
+            return ServerUser
+    else:
+        if make:
+            return ClientUserMaker
+        else:
+            return ClientUser
+
+
+class ServerUserMaker(BaseServerAuthMaker):
+    schema = {"type": "object", "additionalProperties": False}
+
+
+class ServerUser(RootServerUser):
+    schema = {"type": "object", "additionalProperties": False}
+
+
+class ClientUserMaker(BaseClientAuthMaker):
+    gen_schema = {"type": "object", "additionalProperties": False}
+    mod_schema = {"type": "object", "additionalProperties": False}
+
+    @property
+    def ident(self):
+        return "*"
+
+
+class ClientUser(BaseClientAuth):
+    schema = {"type": "object", "additionalProperties": False}

debian/moat-kv/usr/lib/python3/dist-packages/moat/kv/backend/__init__.py

@@ -0,0 +1,67 @@
+from __future__ import annotations
+from abc import ABCMeta, abstractmethod
+from contextlib import asynccontextmanager
+
+import anyio
+
+__all__ = ["get_backend", "Backend"]
+
+
+class Backend(metaclass=ABCMeta):
+    def __init__(self, tg):
+        self._tg = tg
+        self._njobs = 0
+        self._ended = None
+
+    @abstractmethod
+    @asynccontextmanager
+    async def connect(self, *a, **k):
+        """
+        This async context manager returns a connection.
+        """
+
+    async def aclose(self):
+        """
+        Force-close the connection.
+        """
+        self._tg.cancel_scope.cancel()
+        if self._njobs > 0:
+            with anyio.move_on_after(2):
+                await self._ended.wait()
+
+    async def spawn(self, p, *a, **kw):
+        async def _run(p, a, kw, *, task_status):
+            if self._ended is None:
+                self._ended = anyio.Event()
+            self._njobs += 1
+            task_status.started()
+            try:
+                return await p(*a, **kw)
+            finally:
+                self._njobs -= 1
+                if not self._njobs:
+                    self._ended.set()
+                    self._ended = None
+
+        return await self._tg.start(_run, p, a, kw)
+
+    @abstractmethod
+    @asynccontextmanager
+    async def monitor(self, *topic):
+        """
+        Return an async iterator that listens to this topic.
+        """
+
+    @abstractmethod
+    async def send(self, *topic, payload):
+        """
+        Send this payload to this topic.
+        """
+
+
+def get_backend(name):
+    from importlib import import_module
+
+    if "." not in name:
+        name = "moat.kv.backend." + name
+    return import_module(name).connect

debian/moat-kv/usr/lib/python3/dist-packages/moat/kv/backend/mqtt.py

@@ -0,0 +1,71 @@
+from __future__ import annotations
+import logging
+from contextlib import asynccontextmanager
+
+import anyio
+from moat.mqtt.client import MQTTClient
+from moat.mqtt.codecs import NoopCodec
+from moat.util import NotGiven
+
+from . import Backend
+
+logger = logging.getLogger(__name__)
+
+
+class MqttMessage:
+    def __init__(self, topic, payload):
+        self.topic = topic
+        self.payload = payload
+
+
+class MqttBackend(Backend):
+    client = None
+
+    @asynccontextmanager
+    async def connect(self, *a, **kw):
+        codec = kw.pop("codec", NotGiven)
+        C = MQTTClient(self._tg, codec=codec)
+        try:
+            await C.connect(*a, **kw)
+            self.client = C
+            yield self
+        finally:
+            self.client = None
+            with anyio.CancelScope(shield=True):
+                await self.aclose()
+                await C.disconnect()
+
+    @asynccontextmanager
+    async def monitor(self, *topic):
+        topic = "/".join(str(x) for x in topic)
+        logger.info("Monitor %s start", topic)
+        try:
+            async with self.client.subscription(topic) as sub:
+
+                async def sub_get(sub):
+                    async for msg in sub:
+                        yield MqttMessage(msg.topic.split("/"), msg.data)
+
+                yield sub_get(sub)
+        except anyio.get_cancelled_exc_class():
+            raise
+        except BaseException as exc:
+            logger.exception("Monitor %s end: %r", topic, exc)
+            raise
+        else:
+            logger.info("Monitor %s end", topic)
+
+    def send(self, *topic, payload):  # pylint: disable=invalid-overridden-method
+        """
+        Send this payload to this topic.
+        """
+        # client.publish is also async, pass-thru
+        return self.client.publish("/".join(str(x) for x in topic), message=payload)
+
+
+@asynccontextmanager
+async def connect(**kw):
+    async with anyio.create_task_group() as tg:
+        c = MqttBackend(tg)
+        async with c.connect(**kw):
+            yield c