client/fetcher.py

#!/usr/bin/python3

import argparse
import codecs
import json
import hashlib
import os
import re
import requests
import shutil
import socket
import struct
import subprocess
import tempfile
from OpenSSL import crypto


parser = argparse.ArgumentParser(description='iconograph fetcher')
parser.add_argument(
    '--base-url',
    dest='base_url',
    action='store',
    required=True)
parser.add_argument(
    '--ca-cert',
    dest='ca_cert',
    action='store',
    required=True)
parser.add_argument(
    '--https-ca-cert',
    dest='https_ca_cert',
    action='store')
parser.add_argument(
    '--https-client-cert',
    dest='https_client_cert',
    action='store')
parser.add_argument(
    '--https-client-key',
    dest='https_client_key',
    action='store')
parser.add_argument(
    '--image-dir',
    dest='image_dir',
    action='store',
    required=True)
parser.add_argument(
    '--max-images',
    dest='max_images',
    action='store',
    type=int,
    default=5)
FLAGS = parser.parse_args()


class Error(Exception):
  pass


class InvalidHash(Error):
  pass


class NoValidImage(Error):
  pass


class ManifestTimeRegressed(Error):
  pass


class Fetcher(object):

  _BUF_SIZE = 2 ** 16
  _MAX_BP = 10000
  _FILE_REGEX = re.compile('^(?P<timestamp>\d+)\.iso$')

  def __init__(self, base_url, ca_cert, image_dir, https_ca_cert, https_client_cert, https_client_key):
    self._base_url = base_url
    self._ca_cert_path = ca_cert
    self._image_dir = image_dir
    self._session = requests.Session()
    if https_ca_cert:
      self._session.verify = https_ca_cert
    if https_client_cert and https_client_key:
      self._session.cert = (https_client_cert, https_client_key)

  def _VerifyChain(self, untrusted_certs, cert):
    tempdir = tempfile.mkdtemp()

    try:
      untrusted_path = os.path.join(tempdir, 'untrusted.pem')
      with open(untrusted_path, 'w') as fh:
        for cert_str in untrusted_certs:
          fh.write(cert_str)

      cert_path = os.path.join(tempdir, 'cert.pem')
      with open(cert_path, 'w') as fh:
        fh.write(cert)

      # Rely on pipe buffering to eat the stdout junk
      subprocess.check_call([
          'openssl', 'verify',
          '-CAfile', self._ca_cert_path,
          '-untrusted', untrusted_path,
          cert_path,
      ], stdout=subprocess.PIPE)
    finally:
      shutil.rmtree(tempdir)

  def _Unwrap(self, wrapped):
    self._VerifyChain(wrapped.get('other_certs', []), wrapped['cert'])

    cert = crypto.load_certificate(crypto.FILETYPE_PEM, wrapped['cert'])
    sig = codecs.decode(wrapped['sig'], 'hex')
    crypto.verify(
        cert,
        sig,
        wrapped['inner'].encode('utf8'),
        'sha256')

    return json.loads(wrapped['inner'])

  def _GetManifest(self):
    url = '%s/manifest.json' % (self._base_url)
    resp = self._session.get(url)
    unwrapped = self._Unwrap(resp.json())
    self._ValidateManifest(unwrapped)
    return unwrapped

  def _ValidateManifest(self, new_manifest):
    path = os.path.join(self._image_dir, 'manifest.json')
    try:
      with open(path, 'r') as fh:
        old_manifest = json.load(fh)

      # This checks for replay of an old manifest. Injecting an older manifest
      # could allow an attacker to cause us to revert to an older image with
      # security issues. Manifest timestamps are therefor required to always
      # increase.
      if old_manifest['timestamp'] > new_manifest['timestamp']:
        raise ManifestTimeRegressed
    except FileNotFoundError:
      pass

    with open(path, 'w') as fh:
      json.dump(new_manifest, fh, indent=4)

  def _ChooseImage(self, manifest):
    hostname = socket.gethostname()
    hash_base = hashlib.sha256(hostname.encode('ascii'))
    for image in manifest['images']:
      hashobj = hash_base.copy()
      hashobj.update(struct.pack('!L', image['timestamp']))
      my_bp = struct.unpack('!I', hashobj.digest()[-4:])[0] % self._MAX_BP
      if my_bp < image['rollout_‱']:
        return image
    raise NoValidImage

  def _FetchImage(self, image):
    filename = '%d.iso' % (image['timestamp'])
    path = os.path.join(self._image_dir, filename)

    if os.path.exists(path):
      return

    url = '%s/%s' % (self._base_url, filename)
    print('Fetching:', url)
    resp = self._session.get(url, stream=True)

    hash_obj = hashlib.sha256()
    try:
      fh = tempfile.NamedTemporaryFile(dir=self._image_dir, delete=False)
      for data in resp.iter_content(self._BUF_SIZE):
        hash_obj.update(data)
        fh.write(data)
      if hash_obj.hexdigest() != image['hash']:
        raise InvalidHash
      os.rename(fh.name, path)
    except:
      os.unlink(fh.name)
      raise

  def _SetCurrent(self, image):
    filename = '%d.iso' % (image['timestamp'])
    path = os.path.join(self._image_dir, filename)
    current_path = os.path.join(self._image_dir, 'current')

    try:
      link = os.readlink(current_path)
      link_path = os.path.join(self._image_dir, link)
      if link_path == path:
        return
    except FileNotFoundError:
      pass

    print('Changing current link to:', filename)
    temp_path = tempfile.mktemp(dir=self._image_dir)
    os.symlink(filename, temp_path)
    os.rename(temp_path, current_path)

  def Fetch(self):
    manifest = self._GetManifest()
    image = self._ChooseImage(manifest)
    self._FetchImage(image)
    self._SetCurrent(image)

  def DeleteOldImages(self, max_images):
    if not max_images:
      return
    images = []
    for filename in os.listdir(self._image_dir):
      match = self._FILE_REGEX.match(filename)
      if not match:
        continue
      images.append((int(match.group('timestamp')), filename))
    images.sort(reverse=True)
    for timestamp, filename in images[max_images:]:
      print('Deleting old image:', filename)
      path = os.path.join(self._image_dir, filename)
      os.unlink(path)


def main():
  fetcher = Fetcher(
      FLAGS.base_url,
      FLAGS.ca_cert,
      FLAGS.image_dir,
      FLAGS.https_ca_cert,
      FLAGS.https_client_cert,
      FLAGS.https_client_key)
  fetcher.Fetch()
  fetcher.DeleteOldImages(FLAGS.max_images)


if __name__ == '__main__':
  main()
Initial manifest parsing 2016-03-28 22:06:04 -07:00			`#!/usr/bin/python3`

			`import argparse`
Cert chain verification 2016-03-29 17:43:21 -07:00			`import codecs`
Initial manifest parsing 2016-03-28 22:06:04 -07:00			`import json`
			`import hashlib`
Cert chain verification 2016-03-29 17:43:21 -07:00			`import os`
Client-side image lifetime management. 2016-04-02 13:22:24 -07:00			`import re`
Add fetcher and imager support for HTTPS client/server auth. 2016-04-05 17:39:16 -07:00			`import requests`
Cert chain verification 2016-03-29 17:43:21 -07:00			`import shutil`
Initial manifest parsing 2016-03-28 22:06:04 -07:00			`import socket`
			`import struct`
Cert chain verification 2016-03-29 17:43:21 -07:00			`import subprocess`
			`import tempfile`
			`from OpenSSL import crypto`
Initial manifest parsing 2016-03-28 22:06:04 -07:00

			`parser = argparse.ArgumentParser(description='iconograph fetcher')`
			`parser.add_argument(`
Style cleanup. 2016-03-29 10:24:22 -07:00			`'--base-url',`
			`dest='base_url',`
			`action='store',`
			`required=True)`
File wrapping framework. 2016-03-29 11:27:10 -07:00			`parser.add_argument(`
			`'--ca-cert',`
			`dest='ca_cert',`
			`action='store',`
			`required=True)`
Add fetcher and imager support for HTTPS client/server auth. 2016-04-05 17:39:16 -07:00			`parser.add_argument(`
			`'--https-ca-cert',`
			`dest='https_ca_cert',`
			`action='store')`
			`parser.add_argument(`
			`'--https-client-cert',`
			`dest='https_client_cert',`
			`action='store')`
			`parser.add_argument(`
			`'--https-client-key',`
			`dest='https_client_key',`
			`action='store')`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`parser.add_argument(`
			`'--image-dir',`
			`dest='image_dir',`
			`action='store',`
			`required=True)`
Client-side image lifetime management. 2016-04-02 13:22:24 -07:00			`parser.add_argument(`
			`'--max-images',`
			`dest='max_images',`
			`action='store',`
			`type=int,`
			`default=5)`
Initial manifest parsing 2016-03-28 22:06:04 -07:00			`FLAGS = parser.parse_args()`


Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`class Error(Exception):`
			`pass`


			`class InvalidHash(Error):`
			`pass`


			`class NoValidImage(Error):`
			`pass`


Check for time regression in manifest that could indicate a replay attack. 2016-04-02 13:30:04 -07:00			`class ManifestTimeRegressed(Error):`
			`pass`


Initial manifest parsing 2016-03-28 22:06:04 -07:00			`class Fetcher(object):`

Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`_BUF_SIZE = 2 ** 16`
Initial manifest parsing 2016-03-28 22:06:04 -07:00			`_MAX_BP = 10000`
Client-side image lifetime management. 2016-04-02 13:22:24 -07:00			`_FILE_REGEX = re.compile('^(?P<timestamp>\d+)\.iso$')`
Initial manifest parsing 2016-03-28 22:06:04 -07:00
Add fetcher and imager support for HTTPS client/server auth. 2016-04-05 17:39:16 -07:00			`def __init__(self, base_url, ca_cert, image_dir, https_ca_cert, https_client_cert, https_client_key):`
Initial manifest parsing 2016-03-28 22:06:04 -07:00			`self._base_url = base_url`
Cert chain verification 2016-03-29 17:43:21 -07:00			`self._ca_cert_path = ca_cert`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`self._image_dir = image_dir`
Add fetcher and imager support for HTTPS client/server auth. 2016-04-05 17:39:16 -07:00			`self._session = requests.Session()`
			`if https_ca_cert:`
			`self._session.verify = https_ca_cert`
			`if https_client_cert and https_client_key:`
			`self._session.cert = (https_client_cert, https_client_key)`
Cert chain verification 2016-03-29 17:43:21 -07:00
			`def _VerifyChain(self, untrusted_certs, cert):`
			`tempdir = tempfile.mkdtemp()`

			`try:`
			`untrusted_path = os.path.join(tempdir, 'untrusted.pem')`
			`with open(untrusted_path, 'w') as fh:`
			`for cert_str in untrusted_certs:`
			`fh.write(cert_str)`

			`cert_path = os.path.join(tempdir, 'cert.pem')`
			`with open(cert_path, 'w') as fh:`
			`fh.write(cert)`

			`# Rely on pipe buffering to eat the stdout junk`
			`subprocess.check_call([`
			`'openssl', 'verify',`
			`'-CAfile', self._ca_cert_path,`
			`'-untrusted', untrusted_path,`
			`cert_path,`
			`], stdout=subprocess.PIPE)`
			`finally:`
			`shutil.rmtree(tempdir)`
File wrapping framework. 2016-03-29 11:27:10 -07:00
			`def _Unwrap(self, wrapped):`
Cert chain verification 2016-03-29 17:43:21 -07:00			`self._VerifyChain(wrapped.get('other_certs', []), wrapped['cert'])`

File wrapping framework. 2016-03-29 11:27:10 -07:00			`cert = crypto.load_certificate(crypto.FILETYPE_PEM, wrapped['cert'])`
Cert chain verification 2016-03-29 17:43:21 -07:00			`sig = codecs.decode(wrapped['sig'], 'hex')`
File wrapping framework. 2016-03-29 11:27:10 -07:00			`crypto.verify(`
			`cert,`
Cert chain verification 2016-03-29 17:43:21 -07:00			`sig,`
			`wrapped['inner'].encode('utf8'),`
File wrapping framework. 2016-03-29 11:27:10 -07:00			`'sha256')`
Initial manifest parsing 2016-03-28 22:06:04 -07:00
Cert chain verification 2016-03-29 17:43:21 -07:00			`return json.loads(wrapped['inner'])`

Initial manifest parsing 2016-03-28 22:06:04 -07:00			`def _GetManifest(self):`
Drop image-type across the board 2016-03-31 17:28:25 -07:00			`url = '%s/manifest.json' % (self._base_url)`
Add fetcher and imager support for HTTPS client/server auth. 2016-04-05 17:39:16 -07:00			`resp = self._session.get(url)`
			`unwrapped = self._Unwrap(resp.json())`
Check for time regression in manifest that could indicate a replay attack. 2016-04-02 13:30:04 -07:00			`self._ValidateManifest(unwrapped)`
			`return unwrapped`

			`def _ValidateManifest(self, new_manifest):`
			`path = os.path.join(self._image_dir, 'manifest.json')`
			`try:`
			`with open(path, 'r') as fh:`
			`old_manifest = json.load(fh)`

			`# This checks for replay of an old manifest. Injecting an older manifest`
			`# could allow an attacker to cause us to revert to an older image with`
			`# security issues. Manifest timestamps are therefor required to always`
			`# increase.`
			`if old_manifest['timestamp'] > new_manifest['timestamp']:`
			`raise ManifestTimeRegressed`
			`except FileNotFoundError:`
			`pass`

			`with open(path, 'w') as fh:`
			`json.dump(new_manifest, fh, indent=4)`
Initial manifest parsing 2016-03-28 22:06:04 -07:00
			`def _ChooseImage(self, manifest):`
			`hostname = socket.gethostname()`
			`hash_base = hashlib.sha256(hostname.encode('ascii'))`
Move code into main() 2016-03-29 20:11:37 -07:00			`for image in manifest['images']:`
Initial manifest parsing 2016-03-28 22:06:04 -07:00			`hashobj = hash_base.copy()`
			`hashobj.update(struct.pack('!L', image['timestamp']))`
			`my_bp = struct.unpack('!I', hashobj.digest()[-4:])[0] % self._MAX_BP`
			`if my_bp < image['rollout_‱']:`
			`return image`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`raise NoValidImage`

			`def _FetchImage(self, image):`
Drop image-type across the board 2016-03-31 17:28:25 -07:00			`filename = '%d.iso' % (image['timestamp'])`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`path = os.path.join(self._image_dir, filename)`

			`if os.path.exists(path):`
			`return`

			`url = '%s/%s' % (self._base_url, filename)`
			`print('Fetching:', url)`
Add fetcher and imager support for HTTPS client/server auth. 2016-04-05 17:39:16 -07:00			`resp = self._session.get(url, stream=True)`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00
			`hash_obj = hashlib.sha256()`
			`try:`
			`fh = tempfile.NamedTemporaryFile(dir=self._image_dir, delete=False)`
Add fetcher and imager support for HTTPS client/server auth. 2016-04-05 17:39:16 -07:00			`for data in resp.iter_content(self._BUF_SIZE):`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`hash_obj.update(data)`
			`fh.write(data)`
			`if hash_obj.hexdigest() != image['hash']:`
			`raise InvalidHash`
			`os.rename(fh.name, path)`
			`except:`
			`os.unlink(fh.name)`
			`raise`

			`def _SetCurrent(self, image):`
Drop image-type across the board 2016-03-31 17:28:25 -07:00			`filename = '%d.iso' % (image['timestamp'])`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`path = os.path.join(self._image_dir, filename)`
			`current_path = os.path.join(self._image_dir, 'current')`

			`try:`
			`link = os.readlink(current_path)`
			`link_path = os.path.join(self._image_dir, link)`
			`if link_path == path:`
			`return`
			`except FileNotFoundError:`
			`pass`

Slightly cleaner logging 2016-03-31 17:40:26 -07:00			`print('Changing current link to:', filename)`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`temp_path = tempfile.mktemp(dir=self._image_dir)`
Add image 2016-03-31 14:46:29 -07:00			`os.symlink(filename, temp_path)`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`os.rename(temp_path, current_path)`
Initial manifest parsing 2016-03-28 22:06:04 -07:00
			`def Fetch(self):`
			`manifest = self._GetManifest()`
Cert chain verification 2016-03-29 17:43:21 -07:00			`image = self._ChooseImage(manifest)`
Download images, verify hashes, set current link. 2016-03-29 20:54:45 -07:00			`self._FetchImage(image)`
			`self._SetCurrent(image)`
Initial manifest parsing 2016-03-28 22:06:04 -07:00
Client-side image lifetime management. 2016-04-02 13:22:24 -07:00			`def DeleteOldImages(self, max_images):`
			`if not max_images:`
			`return`
			`images = []`
			`for filename in os.listdir(self._image_dir):`
			`match = self._FILE_REGEX.match(filename)`
			`if not match:`
			`continue`
			`images.append((int(match.group('timestamp')), filename))`
			`images.sort(reverse=True)`
			`for timestamp, filename in images[max_images:]:`
			`print('Deleting old image:', filename)`
			`path = os.path.join(self._image_dir, filename)`
			`os.unlink(path)`

Initial manifest parsing 2016-03-28 22:06:04 -07:00
Move code into main() 2016-03-29 20:11:37 -07:00			`def main():`
Add fetcher and imager support for HTTPS client/server auth. 2016-04-05 17:39:16 -07:00			`fetcher = Fetcher(`
			`FLAGS.base_url,`
			`FLAGS.ca_cert,`
			`FLAGS.image_dir,`
			`FLAGS.https_ca_cert,`
			`FLAGS.https_client_cert,`
			`FLAGS.https_client_key)`
Move code into main() 2016-03-29 20:11:37 -07:00			`fetcher.Fetch()`
Client-side image lifetime management. 2016-04-02 13:22:24 -07:00			`fetcher.DeleteOldImages(FLAGS.max_images)`
Move code into main() 2016-03-29 20:11:37 -07:00

			`if __name__ == '__main__':`
			`main()`