Initial snapshot.

lib/auth.py

@@ -0,0 +1,69 @@
+# Copyright 2014, Ian Gulliver
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import hashlib
+import hmac
+import random
+import string
+
+from google.appengine.api import memcache
+from google.appengine.ext import db
+
+
+class BadSignature(Exception):
+  pass
+
+
+class AuthKey(db.Model):
+  auth_key = db.ByteStringProperty(required=True)
+  live = db.BooleanProperty(required=True, default=True)
+
+
+_KEY_CHARS = string.ascii_letters + string.digits
+_KEY_LENGTH = 64
+
+def GetAuthKey():
+  auth_key = memcache.get('auth_key')
+  if auth_key:
+    return auth_key
+
+  for key in AuthKey.all().filter('live =', True):
+    auth_key = key.auth_key
+
+  if not auth_key:
+    auth_key = ''.join(random.choice(_KEY_CHARS) for _ in xrange(_KEY_LENGTH))
+    AuthKey(auth_key=auth_key).put()
+
+  memcache.set('auth_key', auth_key)
+  return auth_key
+
+
+def Sign(value):
+  sig = hmac.new(GetAuthKey(), str(value), hashlib.sha512) 
+  return '%s:%s' % (value, sig.hexdigest())
+
+
+def Parse(token):
+  if not token:
+    return None
+  value, sig_digest = token.split(':', 1)
+  if token != Sign(value):
+    raise BadSignature
+  return value
+
+
+def ParseKey(token):
+  if not token:
+    return None
+  return db.Key(encoded=Parse(token))

lib/models.py

@@ -0,0 +1,111 @@
+# -*- coding: utf-8 -*-
+# Copyright 2014, Ian Gulliver
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import json
+import logging
+
+from google.appengine.api import channel
+from google.appengine.ext import db
+
+
+# Profile
+# ↳ Client
+# ↳ StateEntry
+#
+# Subject
+# ↳ Subscription (⤴︎ Client)
+
+
+class Profile(db.Model):
+  google_user = db.UserProperty()
+
+  @classmethod
+  def FromGoogleUser(cls, google_user):
+    if not google_user:
+      profile = Profile()
+      profile.put()
+      return profile
+
+    profiles = Profile.all().filter('google_user =', google_user).fetch(1)
+    if profiles:
+      return profiles[0]
+    else:
+      # TODO(flamingcow): Fetch-then-store uniqueness is a race.
+      profile = Profile(google_user=google_user)
+      profile.put()
+      return profile
+
+  @db.transactional(xg=True)
+  def MergeFrom(self, source_profile):
+    # Merge from another profile into this one, using last_set time as the
+    # arbiter.
+    my_states = {}
+    for state_entry in (StateEntry.all()
+                        .ancestor(self)
+                        .run()):
+      my_states[state_entry.entry_key] = state_entry
+
+    for state_entry in (StateEntry.all()
+                        .ancestor(source_profile)
+                        .run()):
+      my_state_entry = my_states.get(state_entry.entry_key, None)
+      if my_state_entry:
+        if state_entry.last_set > my_state_entry.last_set:
+          # newer, merge in
+          my_state_entry.entry_value = state_entry.entry_value
+          my_state_entry.put()
+      else:
+        # entirely new, add
+        StateEntry(parent=self,
+            entry_key=state_entry.entry_key,
+            entry_value=state_entry.entry_value
+            ).put()
+
+
+class Client(db.Model):
+  first_seen = db.DateTimeProperty(required=True, auto_now_add=True)
+  channel_active = db.BooleanProperty(required=True, default=False)
+
+  @classmethod
+  def FromProfile(cls, profile):
+    client = cls(parent=profile)
+    client.put()
+    return client
+
+  @classmethod
+  def FromGoogleUser(cls, google_user):
+    profile = Profile.FromGoogleUser(google_user)
+    return cls.FromProfile(profile)
+
+
+class StateEntry(db.Model):
+  last_set = db.DateTimeProperty(required=True, auto_now=True)
+  entry_key = db.StringProperty(required=True)
+  entry_value = db.StringProperty(required=True)
+
+  def SendToClient(self, client_id):
+    channel.send_message(str(client_id), json.dumps({
+        'message_type': 'state',
+        'key': self.entry_key,
+        'value': self.entry_value,
+    }))
+
+
+class Subject(db.Model):
+  name = db.StringProperty(required=True)
+
+
+class Subscription(db.Model):
+  client = db.ReferenceProperty(reference_class=Client)

lib/security.py

@@ -0,0 +1,70 @@
+# Copyright 2014, Ian Gulliver
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import functools
+
+from google.appengine.api import users
+
+from cosmopolite.lib import auth
+
+
+def google_user_xsrf_protection(handler):
+  """Validate google user cookie.
+
+  We can't trust that the action being requested is being made by this user due
+  to XSRF concerns (since google user is stored in a cookie). We have to make
+  sure that this user can actually receive responses, so we ask them to pass a
+  second token about their user that we can validate.
+  """
+
+  @functools.wraps(handler)
+  def ValidateGoogleUser(self):
+    self.verified_google_user = None
+
+    google_user = users.get_current_user()
+    if not google_user:
+      return handler(self)
+
+    google_user_id = auth.Parse(self.request.get('google_user_id', None))
+    if (not google_user_id or 
+        google_user_id != google_user.user_id()):
+      return {
+        'status': 'retry',
+        'google_user_id': auth.Sign(google_user.user_id()),
+      }
+
+    self.verified_google_user = google_user
+    return handler(self)
+
+  return ValidateGoogleUser
+
+
+def weak_security_checks(handler):
+
+  @functools.wraps(handler)
+  def CheckOriginHeader(self):
+    origin = self.request.headers.get('Origin')
+    if origin:
+      host = self.request.headers.get('Host')
+      possible_origins = {
+        'http://%s' % host,
+        'https://%s' % host,
+      }
+      if origin not in possible_origins:
+        self.error(403)
+        self.response.out.write('Origin/Host header mismatch')
+        return
+    return handler(self)
+
+  return CheckOriginHeader

lib/session.py

@@ -0,0 +1,88 @@
+# Copyright 2014, Ian Gulliver
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import functools
+
+from google.appengine.api import users
+
+from cosmopolite.lib import auth
+from cosmopolite.lib import models
+
+
+def _CheckClientAndGoogleUser(client, google_user):
+  if not google_user:
+    # Nothing to check. If there's a user on the profile, it can stay there.
+    return client
+
+  client_profile_google_user = client.parent().google_user
+  if client_profile_google_user:
+    if client_profile_google_user == google_user:
+      return client
+    else:
+      # Shared computer? Google account wins.
+      return models.Client.FromGoogleUser(google_user)
+
+  # User just signed in. Their anonymous profile gets permanently
+  # associated with this Google account.
+  profiles = (models.Profile.all()
+              .filter('google_user =', google_user)
+              .fetch(1))
+  if profiles:
+    # We can't convert the anonymous profile because there's already
+    # a profile for this Google user. Create a new client_id pointing to that
+    # profile.
+    # TODO(flamingcow): Fetch-then-store uniqueness is a race.
+    google_profile = profiles[0]
+    google_profile.MergeFrom(client.parent_key())
+    return models.Client.FromProfile(google_profile)
+
+  # First time signin.
+  client_profile = client.parent()
+  client_profile.google_user = google_user
+  client_profile.put()
+  return client
+
+
+def session_required(handler):
+  """Find or create a session for this user.
+
+  Find or create a Client and Profile for this user. Muck with the return value
+  to wrap it in an object that contains session info for the client.
+
+  Make sure to wrap this in google_user_xsrf_protection.
+  """
+
+  @functools.wraps(handler)
+  def FindOrCreateSession(self):
+    client_key = auth.ParseKey(self.request.get('client_id', None))
+
+    # The hunt for a Profile begins.
+    if client_key:
+      self.client = _CheckClientAndGoogleUser(
+          models.Client.get(client_key),
+          self.verified_google_user)
+    else:
+      self.client = models.Client.FromGoogleUser(self.verified_google_user)
+
+    ret = {
+        'status': 'ok',
+        'response': handler(self),
+    }
+    if client_key != self.client.key():
+      # Tell the client that this changed
+      ret['client_id'] = auth.Sign(self.client.key())
+
+    return ret
+
+  return FindOrCreateSession

lib/utils.py

@@ -0,0 +1,56 @@
+# Copyright 2014, Ian Gulliver
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import functools
+import json
+import random
+
+from google.appengine.api import namespace_manager
+
+from cosmopolite import config
+
+from cosmopolite.lib import auth
+
+
+def returns_json(handler):
+
+  @functools.wraps(handler)
+  def SerializeResult(self):
+    json.dump(handler(self), self.response.out)
+
+  return SerializeResult
+
+
+def chaos_monkey(handler):
+
+  @functools.wraps(handler)
+  def IntroduceFailures(self):
+    if random.random() < config.CHAOS_PROBABILITY:
+      self.response.headers['Retry-After'] = '0'
+      self.error(503)
+      return
+    return handler(self)
+
+  return IntroduceFailures
+
+
+def local_namespace(handler):
+
+  @functools.wraps(handler)
+  def SetNamespace(self):
+    import logging
+    namespace_manager.set_namespace(config.NAMESPACE)
+    return handler(self)
+
+  return SetNamespace