zulip/zerver/views/zephyr.py

import base64
import logging
import re
import subprocess
from typing import Optional

import ujson
from django.conf import settings
from django.http import HttpRequest, HttpResponse
from django.utils.translation import ugettext as _

from zerver.decorator import authenticated_json_view
from zerver.lib.ccache import make_ccache
from zerver.lib.pysa import mark_sanitized
from zerver.lib.request import REQ, has_request_variables
from zerver.lib.response import json_error, json_success
from zerver.lib.users import get_api_key
from zerver.models import UserProfile

# Hack for mit.edu users whose Kerberos usernames don't match what they zephyr
# as.  The key is for Kerberos and the value is for zephyr.
kerberos_alter_egos = {
    'golem': 'ctl',
}

@authenticated_json_view
@has_request_variables
def webathena_kerberos_login(request: HttpRequest, user_profile: UserProfile,
                             cred: Optional[str]=REQ(default=None)) -> HttpResponse:
    global kerberos_alter_egos
    if cred is None:
        return json_error(_("Could not find Kerberos credential"))
    if not user_profile.realm.webathena_enabled:
        return json_error(_("Webathena login not enabled"))

    try:
        parsed_cred = ujson.loads(cred)
        user = parsed_cred["cname"]["nameString"][0]
        if user in kerberos_alter_egos:
            user = kerberos_alter_egos[user]
        assert(user == user_profile.email.split("@")[0])
        # Limit characters in usernames to valid MIT usernames
        # This is important for security since DNS is not secure.
        assert(re.match(r'^[a-z0-9_.-]+$', user) is not None)
        ccache = make_ccache(parsed_cred)

        # 'user' has been verified to contain only benign characters that won't
        # help with shell injection.
        user = mark_sanitized(user)

        # 'ccache' is only written to disk by the script and used as a kerberos
        # credential cache file.
        ccache = mark_sanitized(ccache)
    except Exception:
        return json_error(_("Invalid Kerberos cache"))

    # TODO: Send these data via (say) rabbitmq
    try:
        api_key = get_api_key(user_profile)
        subprocess.check_call(["ssh", settings.PERSONAL_ZMIRROR_SERVER, "--",
                               "/home/zulip/python-zulip-api/zulip/integrations/zephyr/process_ccache",
                               user,
                               api_key,
                               base64.b64encode(ccache).decode("utf-8")])
    except Exception:
        logging.exception("Error updating the user's ccache")
        return json_error(_("We were unable to setup mirroring for you"))

    return json_success()
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`import base64`
			`import logging`
			`import re`
			`import subprocess`
			`from typing import Optional`

			`import ujson`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`from django.conf import settings`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`from django.http import HttpRequest, HttpResponse`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`from django.utils.translation import ugettext as _`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`from zerver.decorator import authenticated_json_view`
			`from zerver.lib.ccache import make_ccache`
pysa: Introduce sanitizers, models, and inline marking safe. This commit adds three `.pysa` model files: `false_positives.pysa` for ruling out false positive flows with `Sanitize` annotations, `req_lib.pysa` for educating pysa about Zulip's `REQ()` pattern for extracting user input, and `redirects.pysa` for capturing the risk of open redirects within Zulip code. Additionally, this commit introduces `mark_sanitized`, an identity function which can be used to selectively clear taint in cases where `Sanitize` models will not work. This commit also puts `mark_sanitized` to work removing known false postive flows. 2019-12-20 00:00:45 +01:00			`from zerver.lib.pysa import mark_sanitized`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`from zerver.lib.request import REQ, has_request_variables`
			`from zerver.lib.response import json_error, json_success`
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys. 2018-08-01 10:53:40 +02:00			`from zerver.lib.users import get_api_key`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`from zerver.models import UserProfile`

test-backend: Raise zerver/views/zephyr.py test coverage to 100%. 2017-02-27 05:18:58 +01:00			`# Hack for mit.edu users whose Kerberos usernames don't match what they zephyr`
			`# as. The key is for Kerberos and the value is for zephyr.`
			`kerberos_alter_egos = {`
			`'golem': 'ctl',`
			`}`

Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`@authenticated_json_view`
			`@has_request_variables`
mypy: Use Python 3 type syntax in zerver/views. 2017-12-29 14:34:49 +01:00			`def webathena_kerberos_login(request: HttpRequest, user_profile: UserProfile,`
zephyr: Fix typing for cred parameter. 2019-07-28 22:45:04 +02:00			`cred: Optional[str]=REQ(default=None)) -> HttpResponse:`
test-backend: Raise zerver/views/zephyr.py test coverage to 100%. 2017-02-27 05:18:58 +01:00			`global kerberos_alter_egos`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`if cred is None:`
			`return json_error(_("Could not find Kerberos credential"))`
			`if not user_profile.realm.webathena_enabled:`
			`return json_error(_("Webathena login not enabled"))`

			`try:`
			`parsed_cred = ujson.loads(cred)`
			`user = parsed_cred["cname"]["nameString"][0]`
test-backend: Raise zerver/views/zephyr.py test coverage to 100%. 2017-02-27 05:18:58 +01:00			`if user in kerberos_alter_egos:`
			`user = kerberos_alter_egos[user]`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`assert(user == user_profile.email.split("@")[0])`
zephyr: Add strict assertion about username format. This ensures that even if it were possible to create an MIT Kerberos account with a malicious username and/or hack webathena to pretend that's the case, one couldn't do anything malicious. This security improvement only impacts a single installation of Zulip where Zephyr mirroring is in use that has already had the fix applied, so there's no reason to do a security notice for it. Found by Graham Bleaney using pysa. 2020-03-17 13:31:14 +01:00			`# Limit characters in usernames to valid MIT usernames`
			`# This is important for security since DNS is not secure.`
			`assert(re.match(r'^[a-z0-9_.-]+$', user) is not None)`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`ccache = make_ccache(parsed_cred)`
pysa: Introduce sanitizers, models, and inline marking safe. This commit adds three `.pysa` model files: `false_positives.pysa` for ruling out false positive flows with `Sanitize` annotations, `req_lib.pysa` for educating pysa about Zulip's `REQ()` pattern for extracting user input, and `redirects.pysa` for capturing the risk of open redirects within Zulip code. Additionally, this commit introduces `mark_sanitized`, an identity function which can be used to selectively clear taint in cases where `Sanitize` models will not work. This commit also puts `mark_sanitized` to work removing known false postive flows. 2019-12-20 00:00:45 +01:00
			`# 'user' has been verified to contain only benign characters that won't`
			`# help with shell injection.`
			`user = mark_sanitized(user)`

			`# 'ccache' is only written to disk by the script and used as a kerberos`
			`# credential cache file.`
			`ccache = mark_sanitized(ccache)`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`except Exception:`
			`return json_error(_("Invalid Kerberos cache"))`

			`# TODO: Send these data via (say) rabbitmq`
			`try:`
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys. 2018-08-01 10:53:40 +02:00			`api_key = get_api_key(user_profile)`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`subprocess.check_call(["ssh", settings.PERSONAL_ZMIRROR_SERVER, "--",`
zephyr: Update path to process_cache for repository split. This should have been done long ago, but better late than never. 2017-10-05 21:26:54 +02:00			`"/home/zulip/python-zulip-api/zulip/integrations/zephyr/process_ccache",`
python: Remove now-unnecessary str_utils library. This library was absolutely essential as part of our Python 2->3 migration process, but all of its calls should be either no-ops or encode/decode operations. Note also that the library has been wrong since the incorrect refactoring in 1f9244e060895dbc1a752a23e157f25ebcc92a7f. Fixes #10807. 2018-11-27 20:24:23 +01:00			`user,`
			`api_key,`
			`base64.b64encode(ccache).decode("utf-8")])`
Move webathena views to its own file. 2016-08-19 03:26:49 +02:00			`except Exception:`
			`logging.exception("Error updating the user's ccache")`
			`return json_error(_("We were unable to setup mirroring for you"))`

			`return json_success()`