moat-kv 0.70.23__py3-none-any.whl → 0.71.0__py3-none-any.whl

moat/kv/auth/password.py

@@ -0,0 +1,234 @@
+#
+"""
+Password-based auth method.
+
+Does not limit anything, allows everything.
+"""
+
+from __future__ import annotations
+
+import nacl.secret
+
+from ..client import Client, NoData
+from ..exceptions import AuthFailedError
+from ..model import Entry
+from ..server import StreamCommand
+from . import (
+    BaseClientAuth,
+    BaseClientAuthMaker,
+    BaseServerAuthMaker,
+    RootServerUser,
+    null_client_login,
+    null_server_login,
+)
+
+
+def load(typ: str, *, make: bool = False, server: bool):
+    if typ == "client":
+        if server:
+            return null_server_login
+        else:
+            return null_client_login
+    if typ != "user":
+        raise NotImplementedError("This module only handles users")
+    if server:
+        if make:
+            return ServerUserMaker
+        else:
+            return ServerUser
+    else:
+        if make:
+            return ClientUserMaker
+        else:
+            return ClientUser
+
+
+async def pack_pwd(client, password, length):
+    """Client side: encrypt password"""
+    secret = await client.dh_secret(length=length)
+    from hashlib import sha256
+
+    pwd = sha256(password).digest()
+    box = nacl.secret.SecretBox(secret)
+    pwd = box.encrypt(pwd)
+    return pwd
+
+
+async def unpack_pwd(client, password):
+    """Server side: extract password"""
+    box = nacl.secret.SecretBox(client.dh_key)
+    pwd = box.decrypt(password)
+    return pwd
+    # TODO check with Argon2
+
+
+class ServerUserMaker(BaseServerAuthMaker):
+    _name = None
+    _aux = None
+    password: str = None
+
+    @property
+    def ident(self):
+        return self._name
+
+    @classmethod
+    async def recv(cls, cmd, data):
+        self = cls()
+        self._name = data["ident"]
+        self._aux = data.get("aux")
+        pwd = data.get("password")
+        pwd = await unpack_pwd(cmd.client, pwd)
+
+        # TODO use Argon2 to re-hash this
+        self.password = pwd
+        return self
+
+    async def send(self, cmd):
+        return  # nothing to do, we don't share the hash
+
+    @classmethod
+    def load(cls, data):
+        self = super().load(data)
+        self._name = data.path[-1]
+        return self
+
+    def save(self):
+        res = super().save()
+        res["password"] = self.password
+        return res
+
+
+class ServerUser(RootServerUser):
+    @classmethod
+    def load(cls, data: Entry):
+        """Create a ServerUser object from existing stored data"""
+        self = super().load(data)
+        self._name = data.name
+        return self
+
+    async def auth(self, cmd: StreamCommand, data):
+        """Verify that @data authenticates this user."""
+        await super().auth(cmd, data)
+
+        pwd = await unpack_pwd(cmd.client, data.password)
+        if pwd != self.password:  # pylint: disable=no-member
+            # pylint: disable=no-member
+            raise AuthFailedError("Password hashes do not match", self._name)
+
+
+class ClientUserMaker(BaseClientAuthMaker):
+    gen_schema = dict(
+        type="object",
+        additionalProperties=True,
+        properties=dict(
+            name=dict(type="string", minLength=1, pattern="^[a-zA-Z][a-zA-Z0-9_]*$"),
+            password=dict(type="string", minLength=5),
+        ),
+        required=["name", "password"],
+    )
+    mod_schema = dict(
+        type="object",
+        additionalProperties=True,
+        properties=dict(password=dict(type="string", minLength=5)),
+        # required=[],
+    )
+    _name = None
+    _pass = None
+    _length = 1024
+
+    @property
+    def ident(self):
+        return self._name
+
+    # Overly-complicated methods of exchanging the user name
+
+    @classmethod
+    def build(cls, user, _initial=True):
+        self = super().build(user, _initial=_initial)
+        self._name = user["name"]
+        if "password" in user:
+            self._pass = user["password"].encode("utf-8")
+        return self
+
+    @classmethod
+    async def recv(cls, client: Client, ident: str, _kind: str = "user", _initial=True):
+        """Read a record representing a user from the server."""
+        m = await client._request(
+            action="auth_get",
+            typ=cls._auth_method,
+            kind=_kind,
+            ident=ident,
+            nchain=0 if _initial else 2,
+        )
+        # just to verify that the user exists
+        # There's no reason to send the password hash back
+        self = cls(_initial=_initial)
+        self._name = m.name
+        try:
+            self._chain = m.chain
+        except AttributeError:
+            pass
+        return self
+
+    async def send(self, client: Client, _kind="user", **msg):  # pylint: disable=unused-argument,arguments-differ
+        """Send a record representing this user to the server."""
+        if self._pass is not None:
+            msg["password"] = await pack_pwd(client, self._pass, self._length)
+
+        await client._request(
+            action="auth_set",
+            ident=self._name,
+            typ=type(self)._auth_method,
+            kind=_kind,
+            chain=self._chain,
+            **msg,
+        )
+
+    def export(self):
+        """Return the data required to re-create the user via :meth:`build`."""
+        res = super().export()
+        res["name"] = self._name
+        return res
+
+
+class ClientUser(BaseClientAuth):
+    schema = dict(
+        type="object",
+        additionalProperties=True,
+        properties=dict(
+            name=dict(type="string", minLength=1, pattern="^[a-zA-Z][a-zA-Z0-9_]*$"),
+            password=dict(type="string", minLength=5),
+        ),
+        required=["name", "password"],
+    )
+    _name = None
+    _pass = None
+    _length = 1024
+
+    @property
+    def ident(self):
+        return self._name
+
+    @classmethod
+    def build(cls, user):
+        self = super().build(user)
+        self._name = user["name"]
+        self._pass = user["password"].encode("utf-8")
+        return self
+
+    async def auth(self, client: Client, chroot=()):
+        """
+        Authorizes this user with the server.
+        """
+        try:
+            pw = await pack_pwd(client, self._pass, self._length)
+            await client._request(
+                action="auth",
+                typ=self._auth_method,
+                iter=False,
+                ident=self.ident,
+                password=pw,
+                **self.auth_data(),
+            )
+        except NoData:
+            pass

moat/kv/auth/root.py

@@ -0,0 +1,58 @@
+#
+"""
+Null auth method.
+
+Does not limit anything, allows everything.
+"""
+
+from __future__ import annotations
+
+from . import (
+    BaseClientAuth,
+    BaseClientAuthMaker,
+    BaseServerAuthMaker,
+    RootServerUser,
+    null_client_login,
+    null_server_login,
+)
+
+
+def load(typ: str, *, make: bool = False, server: bool):
+    if typ == "client":
+        if server:
+            return null_server_login
+        else:
+            return null_client_login
+    if typ != "user":
+        raise NotImplementedError("This module only handles users")
+    if server:
+        if make:
+            return ServerUserMaker
+        else:
+            return ServerUser
+    else:
+        if make:
+            return ClientUserMaker
+        else:
+            return ClientUser
+
+
+class ServerUserMaker(BaseServerAuthMaker):
+    schema = {"type": "object", "additionalProperties": False}
+
+
+class ServerUser(RootServerUser):
+    schema = {"type": "object", "additionalProperties": False}
+
+
+class ClientUserMaker(BaseClientAuthMaker):
+    gen_schema = {"type": "object", "additionalProperties": False}
+    mod_schema = {"type": "object", "additionalProperties": False}
+
+    @property
+    def ident(self):
+        return "*"
+
+
+class ClientUser(BaseClientAuth):
+    schema = {"type": "object", "additionalProperties": False}

moat/kv/backend/__init__.py

@@ -0,0 +1,67 @@
+from __future__ import annotations
+from abc import ABCMeta, abstractmethod
+from contextlib import asynccontextmanager
+
+import anyio
+
+__all__ = ["get_backend", "Backend"]
+
+
+class Backend(metaclass=ABCMeta):
+    def __init__(self, tg):
+        self._tg = tg
+        self._njobs = 0
+        self._ended = None
+
+    @abstractmethod
+    @asynccontextmanager
+    async def connect(self, *a, **k):
+        """
+        This async context manager returns a connection.
+        """
+
+    async def aclose(self):
+        """
+        Force-close the connection.
+        """
+        self._tg.cancel_scope.cancel()
+        if self._njobs > 0:
+            with anyio.move_on_after(2):
+                await self._ended.wait()
+
+    async def spawn(self, p, *a, **kw):
+        async def _run(p, a, kw, *, task_status):
+            if self._ended is None:
+                self._ended = anyio.Event()
+            self._njobs += 1
+            task_status.started()
+            try:
+                return await p(*a, **kw)
+            finally:
+                self._njobs -= 1
+                if not self._njobs:
+                    self._ended.set()
+                    self._ended = None
+
+        return await self._tg.start(_run, p, a, kw)
+
+    @abstractmethod
+    @asynccontextmanager
+    async def monitor(self, *topic):
+        """
+        Return an async iterator that listens to this topic.
+        """
+
+    @abstractmethod
+    async def send(self, *topic, payload):
+        """
+        Send this payload to this topic.
+        """
+
+
+def get_backend(name):
+    from importlib import import_module
+
+    if "." not in name:
+        name = "moat.kv.backend." + name
+    return import_module(name).connect

moat/kv/backend/mqtt.py

@@ -0,0 +1,71 @@
+from __future__ import annotations
+import logging
+from contextlib import asynccontextmanager
+
+import anyio
+from moat.mqtt.client import MQTTClient
+from moat.mqtt.codecs import NoopCodec
+from moat.util import NotGiven
+
+from . import Backend
+
+logger = logging.getLogger(__name__)
+
+
+class MqttMessage:
+    def __init__(self, topic, payload):
+        self.topic = topic
+        self.payload = payload
+
+
+class MqttBackend(Backend):
+    client = None
+
+    @asynccontextmanager
+    async def connect(self, *a, **kw):
+        codec = kw.pop("codec", NotGiven)
+        C = MQTTClient(self._tg, codec=codec)
+        try:
+            await C.connect(*a, **kw)
+            self.client = C
+            yield self
+        finally:
+            self.client = None
+            with anyio.CancelScope(shield=True):
+                await self.aclose()
+                await C.disconnect()
+
+    @asynccontextmanager
+    async def monitor(self, *topic):
+        topic = "/".join(str(x) for x in topic)
+        logger.info("Monitor %s start", topic)
+        try:
+            async with self.client.subscription(topic) as sub:
+
+                async def sub_get(sub):
+                    async for msg in sub:
+                        yield MqttMessage(msg.topic.split("/"), msg.data)
+
+                yield sub_get(sub)
+        except anyio.get_cancelled_exc_class():
+            raise
+        except BaseException as exc:
+            logger.exception("Monitor %s end: %r", topic, exc)
+            raise
+        else:
+            logger.info("Monitor %s end", topic)
+
+    def send(self, *topic, payload):  # pylint: disable=invalid-overridden-method
+        """
+        Send this payload to this topic.
+        """
+        # client.publish is also async, pass-thru
+        return self.client.publish("/".join(str(x) for x in topic), message=payload)
+
+
+@asynccontextmanager
+async def connect(**kw):
+    async with anyio.create_task_group() as tg:
+        c = MqttBackend(tg)
+        async with c.connect(**kw):
+            yield c

moat/kv/command/__init__.py

@@ -0,0 +1 @@
+# empty

moat/kv/command/acl.py

@@ -0,0 +1,180 @@
+# command line interface
+from __future__ import annotations
+
+import sys
+
+import asyncclick as click
+from moat.util import P, Path, yprint
+
+from moat.kv.data import data_get
+
+ACL = set("rwdcxena")
+# read, write, delete, create, access, enumerate
+
+
+@click.group()  # pylint: disable=undefined-variable
+async def cli():
+    """Manage ACLs. Usage: … acl …"""
+    pass
+
+
+@cli.command("list")
+@click.pass_obj
+async def list_(obj):
+    """List ACLs."""
+    res = await obj.client._request(
+        action="enum_internal",
+        path=("acl",),
+        iter=False,
+        nchain=obj.meta,
+        empty=True,
+    )
+    yprint(res if obj.meta else res.result, stream=obj.stdout)
+
+
+@cli.command()
+@click.option(
+    "-d",
+    "--as-dict",
+    default=None,
+    help="Structure as dictionary. The argument is the key to use "
+    "for values. Default: return as list",
+)
+@click.argument("name", nargs=1)
+@click.argument("path", nargs=1)
+@click.pass_obj
+async def dump(obj, name, path, as_dict):
+    """Dump a complete (or partial) ACL."""
+    path = P(path)
+    await data_get(obj, Path("acl", name, path), internal=True, as_dict=as_dict)
+
+
+@cli.command()
+@click.argument("name", nargs=1)
+@click.argument("path", nargs=1)
+@click.pass_obj
+async def get(obj, name, path):
+    """Read an ACL.
+
+    This command does not test a path. Use "… acl test …" for that.
+    """
+    path = P(path)
+    if not len(path):
+        raise click.UsageError("You need a non-empty path.")
+    res = await obj.client._request(
+        action="get_internal",
+        path=("acl", name) + path,
+        iter=False,
+        nchain=obj.meta,
+    )
+
+    if not obj.meta:
+        try:
+            res = res.value
+        except KeyError:
+            if obj.debug:
+                print("No value.", file=sys.stderr)
+            return
+    yprint(res, stream=obj.stdout)
+
+
+@cli.command(name="set")
+@click.option(
+    "-a",
+    "--acl",
+    default="+x",
+    help="The value to set. Start with '+' to add, '-' to remove rights.",
+)
+@click.argument("name", nargs=1)
+@click.argument("path", nargs=1)
+@click.pass_obj
+async def set_(obj, acl, name, path):
+    """Set or change an ACL."""
+
+    path = P(path)
+    if not len(path):
+        raise click.UsageError("You need a non-empty path.")
+    if len(acl) > 1 and acl[0] in "+-":
+        mode = acl[0]
+        acl = acl[1:]
+    else:
+        mode = "x"
+    acl = set(acl)
+
+    if acl - ACL:
+        raise click.UsageError(f"You're trying to set an unknown ACL flag: {acl - ACL!r}")
+
+    res = await obj.client._request(
+        action="get_internal",
+        path=("acl", name) + path,
+        iter=False,
+        nchain=3 if obj.meta else 1,
+    )
+    ov = set(res.get("value", ""))
+    if ov - ACL:
+        print(f"Warning: original ACL contains unknown: {ov - acl!r}", file=sys.stderr)
+
+    if mode == "-" and not acl:
+        res = await obj.client._request(
+            action="delete_internal",
+            path=("acl", name) + path,
+            iter=False,
+            chain=res.chain,
+        )
+        v = "-"
+
+    else:
+        if mode == "+":
+            v = ov + acl
+        elif mode == "-":
+            v = ov - acl
+        else:
+            v = acl
+        res = await obj.client._request(
+            action="set_internal",
+            path=("acl", name) + path,
+            value="".join(v),
+            iter=False,
+            chain=res.get("chain", None),
+        )
+
+    if obj.meta:
+        res = {
+            "old": "".join(ov),
+            "new": "".join(v),
+            "chain": res.chain,
+            "tock": res.tock,
+        }
+        yprint(res, stream=obj.stdout)
+    else:
+        res = {"old": "".join(ov), "new": "".join(v)}
+        yprint(res, stream=obj.stdout)
+
+
+@cli.command()
+@click.option("-m", "--mode", default=None, help="Mode letter to test.")
+@click.option("-a", "--acl", default=None, help="ACL to test. Default: current")
+@click.argument("path", nargs=1)
+@click.pass_obj
+async def test(obj, path, acl, mode):
+    """Test which ACL entry matches a path"""
+    path = P(path)
+    if not len(path):
+        raise click.UsageError("You need a non-empty path.")
+
+    if mode is not None and len(mode) != 1:
+        raise click.UsageError("Mode must be one letter.")
+    res = await obj.client._request(
+        action="test_acl",
+        path=path,
+        iter=False,
+        nchain=obj.meta,
+        **({} if mode is None else {"mode": mode}),
+        **({} if acl is None else {"acl": acl}),
+    )
+    if obj.meta:
+        yprint(res, stream=obj.stdout)
+    elif isinstance(res.access, bool):
+        print("+" if res.access else "-", file=obj.stdout)
+    else:
+        print(res.access, file=obj.stdout)