zulip/zerver/views/zephyr.py

import base64
import logging
import re
import shlex
import subprocess
from email.headerregistry import Address
from typing import Optional

import orjson
from django.conf import settings
from django.http import HttpRequest, HttpResponse
from django.utils.translation import gettext as _

from zerver.decorator import authenticated_json_view
from zerver.lib.ccache import make_ccache
from zerver.lib.exceptions import JsonableError
from zerver.lib.pysa import mark_sanitized
from zerver.lib.request import REQ, has_request_variables
from zerver.lib.response import json_success
from zerver.lib.users import get_api_key
from zerver.models import UserProfile

# Hack for mit.edu users whose Kerberos usernames don't match what they zephyr
# as.  The key is for Kerberos and the value is for zephyr.
kerberos_alter_egos = {
    "golem": "ctl",
}


@authenticated_json_view
@has_request_variables
def webathena_kerberos_login(
    request: HttpRequest, user_profile: UserProfile, cred: Optional[str] = REQ(default=None)
) -> HttpResponse:
    if cred is None:
        raise JsonableError(_("Could not find Kerberos credential"))
    if not user_profile.realm.webathena_enabled:
        raise JsonableError(_("Webathena login not enabled"))

    try:
        parsed_cred = orjson.loads(cred)
        user = parsed_cred["cname"]["nameString"][0]
        if user in kerberos_alter_egos:
            user = kerberos_alter_egos[user]
        assert user == Address(addr_spec=user_profile.email).username
        # Limit characters in usernames to valid MIT usernames
        # This is important for security since DNS is not secure.
        assert re.match(r"^[a-z0-9_.-]+$", user) is not None
        ccache = make_ccache(parsed_cred)

        # 'user' has been verified to contain only benign characters that won't
        # help with shell injection.
        user = mark_sanitized(user)

        # 'ccache' is only written to disk by the script and used as a kerberos
        # credential cache file.
        ccache = mark_sanitized(ccache)
    except Exception:
        raise JsonableError(_("Invalid Kerberos cache"))

    if settings.PERSONAL_ZMIRROR_SERVER is None:
        logging.error("PERSONAL_ZMIRROR_SERVER is not properly configured", stack_info=True)
        raise JsonableError(_("We were unable to set up mirroring for you"))

    # TODO: Send these data via (say) RabbitMQ
    try:
        api_key = get_api_key(user_profile)
        command = [
            "/home/zulip/python-zulip-api/zulip/integrations/zephyr/process_ccache",
            user,
            api_key,
            base64.b64encode(ccache).decode(),
        ]
        subprocess.check_call(["ssh", settings.PERSONAL_ZMIRROR_SERVER, "--", shlex.join(command)])
    except subprocess.CalledProcessError:
        logging.exception("Error updating the user's ccache", stack_info=True)
        raise JsonableError(_("We were unable to set up mirroring for you"))

    return json_success(request)
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`import base64`
			`import logging`
			`import re`
zephyr: Use correct shell quoting for ssh. ssh always runs its command through a shell (after naïvely joining multiple arguments with spaces), so it needs an extra level of shell quoting. This should have no effect because we already validated user with a regex, but it’s better for escaping to be locally correct in case the context changes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-09 03:22:31 +02:00			`import shlex`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`import subprocess`
python: Use a real parser for email addresses. Now that we can assume Python 3.6+, we can use the email.headerregistry module to replace hacky manual email address parsing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-07-27 23:33:49 +02:00			`from email.headerregistry import Address`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`from typing import Optional`

python: Replace ujson with orjson. Fixes #6507. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-08-07 01:09:47 +02:00			`import orjson`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`from django.conf import settings`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`from django.http import HttpRequest, HttpResponse`
python: Convert deprecated Django ugettext alias to gettext. django.utils.translation.ugettext is a deprecated alias of django.utils.translation.gettext as of Django 3.0, and will be removed in Django 4.0. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-04-16 00:57:30 +02:00			`from django.utils.translation import gettext as _`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`from zerver.decorator import authenticated_json_view`
			`from zerver.lib.ccache import make_ccache`
python: Migrate most json_error => JsonableError. JsonableError has two major benefits over json_error: * It can be raised from anywhere in the codebase, rather than being a return value, which is much more convenient for refactoring, as one doesn't potentially need to change error handling style when extracting a bit of view code to a function. * It is guaranteed to contain the `code` property, which is helpful for API consistency. Various stragglers are not updated because JsonableError requires subclassing in order to specify custom data or HTTP status codes. 2021-06-30 18:35:50 +02:00			`from zerver.lib.exceptions import JsonableError`
pysa: Introduce sanitizers, models, and inline marking safe. This commit adds three `.pysa` model files: `false_positives.pysa` for ruling out false positive flows with `Sanitize` annotations, `req_lib.pysa` for educating pysa about Zulip's `REQ()` pattern for extracting user input, and `redirects.pysa` for capturing the risk of open redirects within Zulip code. Additionally, this commit introduces `mark_sanitized`, an identity function which can be used to selectively clear taint in cases where `Sanitize` models will not work. This commit also puts `mark_sanitized` to work removing known false postive flows. 2019-12-20 00:00:45 +01:00			`from zerver.lib.pysa import mark_sanitized`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`from zerver.lib.request import REQ, has_request_variables`
python: Migrate most json_error => JsonableError. JsonableError has two major benefits over json_error: * It can be raised from anywhere in the codebase, rather than being a return value, which is much more convenient for refactoring, as one doesn't potentially need to change error handling style when extracting a bit of view code to a function. * It is guaranteed to contain the `code` property, which is helpful for API consistency. Various stragglers are not updated because JsonableError requires subclassing in order to specify custom data or HTTP status codes. 2021-06-30 18:35:50 +02:00			`from zerver.lib.response import json_success`
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys. 2018-08-01 10:53:40 +02:00			`from zerver.lib.users import get_api_key`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`from zerver.models import UserProfile`

test-backend: Raise zerver/views/zephyr.py test coverage to 100%. 2017-02-27 05:18:58 +01:00			`# Hack for mit.edu users whose Kerberos usernames don't match what they zephyr`
			`# as. The key is for Kerberos and the value is for zephyr.`
			`kerberos_alter_egos = {`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`"golem": "ctl",`
test-backend: Raise zerver/views/zephyr.py test coverage to 100%. 2017-02-27 05:18:58 +01:00			`}`

python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`@authenticated_json_view`
			`@has_request_variables`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`def webathena_kerberos_login(`
			`request: HttpRequest, user_profile: UserProfile, cred: Optional[str] = REQ(default=None)`
			`) -> HttpResponse:`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`if cred is None:`
python: Migrate most json_error => JsonableError. JsonableError has two major benefits over json_error: * It can be raised from anywhere in the codebase, rather than being a return value, which is much more convenient for refactoring, as one doesn't potentially need to change error handling style when extracting a bit of view code to a function. * It is guaranteed to contain the `code` property, which is helpful for API consistency. Various stragglers are not updated because JsonableError requires subclassing in order to specify custom data or HTTP status codes. 2021-06-30 18:35:50 +02:00			`raise JsonableError(_("Could not find Kerberos credential"))`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`if not user_profile.realm.webathena_enabled:`
python: Migrate most json_error => JsonableError. JsonableError has two major benefits over json_error: * It can be raised from anywhere in the codebase, rather than being a return value, which is much more convenient for refactoring, as one doesn't potentially need to change error handling style when extracting a bit of view code to a function. * It is guaranteed to contain the `code` property, which is helpful for API consistency. Various stragglers are not updated because JsonableError requires subclassing in order to specify custom data or HTTP status codes. 2021-06-30 18:35:50 +02:00			`raise JsonableError(_("Webathena login not enabled"))`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00
			`try:`
python: Replace ujson with orjson. Fixes #6507. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-08-07 01:09:47 +02:00			`parsed_cred = orjson.loads(cred)`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`user = parsed_cred["cname"]["nameString"][0]`
test-backend: Raise zerver/views/zephyr.py test coverage to 100%. 2017-02-27 05:18:58 +01:00			`if user in kerberos_alter_egos:`
			`user = kerberos_alter_egos[user]`
python: Use a real parser for email addresses. Now that we can assume Python 3.6+, we can use the email.headerregistry module to replace hacky manual email address parsing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-07-27 23:33:49 +02:00			`assert user == Address(addr_spec=user_profile.email).username`
zephyr: Add strict assertion about username format. This ensures that even if it were possible to create an MIT Kerberos account with a malicious username and/or hack webathena to pretend that's the case, one couldn't do anything malicious. This security improvement only impacts a single installation of Zulip where Zephyr mirroring is in use that has already had the fix applied, so there's no reason to do a security notice for it. Found by Graham Bleaney using pysa. 2020-03-17 13:31:14 +01:00			`# Limit characters in usernames to valid MIT usernames`
			`# This is important for security since DNS is not secure.`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`assert re.match(r"^[a-z0-9_.-]+$", user) is not None`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`ccache = make_ccache(parsed_cred)`
pysa: Introduce sanitizers, models, and inline marking safe. This commit adds three `.pysa` model files: `false_positives.pysa` for ruling out false positive flows with `Sanitize` annotations, `req_lib.pysa` for educating pysa about Zulip's `REQ()` pattern for extracting user input, and `redirects.pysa` for capturing the risk of open redirects within Zulip code. Additionally, this commit introduces `mark_sanitized`, an identity function which can be used to selectively clear taint in cases where `Sanitize` models will not work. This commit also puts `mark_sanitized` to work removing known false postive flows. 2019-12-20 00:00:45 +01:00
			`# 'user' has been verified to contain only benign characters that won't`
			`# help with shell injection.`
			`user = mark_sanitized(user)`

			`# 'ccache' is only written to disk by the script and used as a kerberos`
			`# credential cache file.`
			`ccache = mark_sanitized(ccache)`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`except Exception:`
python: Migrate most json_error => JsonableError. JsonableError has two major benefits over json_error: * It can be raised from anywhere in the codebase, rather than being a return value, which is much more convenient for refactoring, as one doesn't potentially need to change error handling style when extracting a bit of view code to a function. * It is guaranteed to contain the `code` property, which is helpful for API consistency. Various stragglers are not updated because JsonableError requires subclassing in order to specify custom data or HTTP status codes. 2021-06-30 18:35:50 +02:00			`raise JsonableError(_("Invalid Kerberos cache"))`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00
zephyr: Check PERSONAL_ZMIRROR_SERVER before updating cache. Signed-off-by: Zixuan James Li <p359101898@gmail.com> 2022-07-28 21:16:40 +02:00			`if settings.PERSONAL_ZMIRROR_SERVER is None:`
			`logging.error("PERSONAL_ZMIRROR_SERVER is not properly configured", stack_info=True)`
			`raise JsonableError(_("We were unable to set up mirroring for you"))`

docs: Fix more capitalization issues. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-23 02:43:28 +02:00			`# TODO: Send these data via (say) RabbitMQ`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`try:`
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys. 2018-08-01 10:53:40 +02:00			`api_key = get_api_key(user_profile)`
zephyr: Use correct shell quoting for ssh. ssh always runs its command through a shell (after naïvely joining multiple arguments with spaces), so it needs an extra level of shell quoting. This should have no effect because we already validated user with a regex, but it’s better for escaping to be locally correct in case the context changes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-09 03:22:31 +02:00			`command = [`
			`"/home/zulip/python-zulip-api/zulip/integrations/zephyr/process_ccache",`
			`user,`
			`api_key,`
python: Remove default "utf8" argument for encode(), decode(). Partially generated by pyupgrade. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-08-02 23:20:39 +02:00			`base64.b64encode(ccache).decode(),`
zephyr: Use correct shell quoting for ssh. ssh always runs its command through a shell (after naïvely joining multiple arguments with spaces), so it needs an extra level of shell quoting. This should have no effect because we already validated user with a regex, but it’s better for escaping to be locally correct in case the context changes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-09 03:22:31 +02:00			`]`
python: Use Python 3.8 shlex.join function. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-04-27 02:10:28 +02:00			`subprocess.check_call(["ssh", settings.PERSONAL_ZMIRROR_SERVER, "--", shlex.join(command)])`
python: Catch specific exceptions from subprocess. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-09 03:32:00 +02:00			`except subprocess.CalledProcessError:`
logging: Report stack_info on logging.exception calls. The exception trace only goes from where the exception was thrown up to where the `logging.exception` call is; any context as to where _that_ was called from is lost, unless `stack_info` is passed as well. Having the stack is particularly useful for Sentry exceptions, which gain the full stack trace. Add `stack_info=True` on all `logging.exception` calls with a non-trivial stack; we omit `wsgi.py`. Adjusts tests to match. 2020-08-11 03:19:00 +02:00			`logging.exception("Error updating the user's ccache", stack_info=True)`
python: Migrate most json_error => JsonableError. JsonableError has two major benefits over json_error: * It can be raised from anywhere in the codebase, rather than being a return value, which is much more convenient for refactoring, as one doesn't potentially need to change error handling style when extracting a bit of view code to a function. * It is guaranteed to contain the `code` property, which is helpful for API consistency. Various stragglers are not updated because JsonableError requires subclassing in order to specify custom data or HTTP status codes. 2021-06-30 18:35:50 +02:00			`raise JsonableError(_("We were unable to set up mirroring for you"))`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00
backend: Add request as parameter to json_success. Adds request as a parameter to json_success as a refactor towards making `ignored_parameters_unsupported` functionality available for all API endpoints. Also, removes any data parameters that are an empty dict or a dict with the generic success response values. 2022-01-31 13:44:02 +01:00			`return json_success(request)`