proxmaster/clientsdb.py

# -*- coding: utf-8
#
# manage clientsdb.json

#import site packages
import json
import hmac
import bcrypt

#import local packages
import ioconfig
import utils

def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
    """ add new client with the requested vm to the clientsdb.json """
    clientsdb = readclientsdb()

    if str(clientid) in clientsdb:
        ioconfig.logger.info('client[{}]> already exist. merging.'.format(clientid))
    else:
        ioconfig.logger.info('client[{}]> does not exist. creating...'.format(clientid))
        #generate password and send it to the client
        newpass = utils.genpassword(30)
        ioconfig.logger.info('client[{}]> initial password is: {}'.format(clientid, newpass))
        salt = bcrypt.gensalt()
        b_newpass = newpass.encode('ascii')
        encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
        vcard = { 'name':str(clientname), 'email':str(clientemail), 'encpasswd':str(encpasswd), 'id':str(clientid) }
        newclient = { str(clientid):vcard }
        clientsdb.update(newclient)
        #Send initial email to the user as we will use the internal auth from now on.
        ###utils.sendmail(clientemail, '{} logged in.'.format)
        #TODO: Sync with proxmaster-admin database (shell command could be used for this one)
    ioconfig.logger.info('client[{}]> vmid {} is now owned by {} ({})'.format(clientid, vmid, clientemail, clientname))

    #create initial vm template
    vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid) }
    clientsdb[str(clientid)][str(vmid)] = vmdata
    writeclientsdb(clientsdb)


def setencpasswd(clientemail, newpass):
    """ setup a new management password """
    salt = bcrypt.gensalt()
    b_newpass = newpass.encode('ascii')
    encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')

    try:
        clientsdb = readclientsdb()
        path = utils.get_path(clientsdb, clientemail)
        c_id = str(path[0])
        #check the returned path with forward query
        query = clientsdb[c_id]['email']
        #ioconfig.logger.info('client[{}]> path={}'.format(c_id, str(path)))
    except:
        ioconfig.logger.critical('clients> client {} not found'.format(clientemail))
        raise

    if query != clientemail:
        ioconfig.logger.critical('clients> test query returns different vmname! check clients db for consistency!')
        raise
    else:
        clientsdb[c_id]['encpasswd'] = encpasswd
        ioconfig.logger.info('client[{}]> {} password changed!'.format(c_id, clientemail))
        writeclientsdb(clientsdb)
        #TODO: Send new email to the client to notify the password change. This time sending the password in plain text is not needed. 


def checkin(clientid):
    """ returns a list of owned vmids if client id matches the client database. (logged-in users)"""
    #1. search for the client
    try:
        clientsdb = readclientsdb()
        c_id = clientsdb[str(clientid)]
        #c_id.pop('encpasswd')
        email = c_id['email']
        ioconfig.logger.info('client[{}]> {} active'.format(clientid, email))
        return c_id
    except:
        ioconfig.logger.error('clients> user id: {} could not be checked.'.format(clientid))
        return None


def validate(clientemail, password):
    """ returns a list of owned vmids if credentials match an user from the database. (fresh logins)"""
    #1. search for the client
    try:
        clientsdb = readclientsdb()
        path = utils.get_path(clientsdb, clientemail) 
        c_id = str(path[0])
    except:
        ioconfig.logger.error('clients> {} was not found in the database!'.format(clientemail))
        #log bad ips here...
        return None

    #2. check the password
    encpass = clientsdb[c_id]['encpasswd']
    b_srvpass = password.encode('ascii', 'ignore')
    b_encpass = encpass.encode('ascii', 'ignore')

    if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
        #login successful
        ioconfig.logger.info('client[{}]> {} logged in successfully'.format(c_id, clientemail))
        #TODO: Notify admin    
        #3. generate vmlist to return the owned ids to the client.
        return clientvms(clientsdb[c_id])
    else:
        ioconfig.logger.warning('client[{}]> {} access denied!'.format(c_id, clientemail))
        #cant compare password
        #TODO: Log attempts and block.
        return None


def clientvms(vmlist):
    """ generate vmlist """
    response = {}
    for vmid,data in vmlist.items():
        response[vmid] = data
    return response


def vmowner(vmid, vmname, verbose):
    """ find the owner of the vm """
    clientsdb = readclientsdb()
    try:
        clientid = utils.find_rec(clientsdb, str(vmid))[0]['ownerid']
        clientname = clientsdb[str(clientid)]['name']
    except:
        raise
        clientid = '0' #unknown owner
        clientname = 'unknown'
    if verbose:
        ioconfig.logger.info('client[{}]> {} is the owner of {} ({})'.format(str(clientid), clientname, str(vmid), vmname))
    return clientid


def readclientsdb():
    """ read client db """
    try:
        with open('clients.json') as dbr:
            clientsdb = json.load(dbr)
        dbr.close()
    except:
        clientsdb = {}
        ioconfig.logger.warning('clients> initializing...')
        #writeclientsdb(clientsdb)
    return clientsdb


def writeclientsdb(clientsdb):
    """ write db """
    with open('clients.json', 'w') as dbw:
        json.dump(clientsdb, dbw)
    dbw.close()


if __name__ == '__main__':
    setencpasswd('fqdn', '123456')
First. 2016-02-15 05:30:43 -05:00			`# -*- coding: utf-8`
			`#`
			`# manage clientsdb.json`

			`#import site packages`
			`import json`
validating password functions 2016-03-03 20:51:54 -05:00			`import hmac`
			`import bcrypt`
First. 2016-02-15 05:30:43 -05:00
			`#import local packages`
			`import ioconfig`
			`import utils`

auth client email with machine password 2016-03-30 19:26:25 -04:00			`def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):`
			`""" add new client with the requested vm to the clientsdb.json """`
First. 2016-02-15 05:30:43 -05:00			`clientsdb = readclientsdb()`
dealing with passwords 2016-03-01 22:01:33 -05:00
First. 2016-02-15 05:30:43 -05:00			`if str(clientid) in clientsdb:`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`ioconfig.logger.info('client[{}]> already exist. merging.'.format(clientid))`
First. 2016-02-15 05:30:43 -05:00			`else:`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`ioconfig.logger.info('client[{}]> does not exist. creating...'.format(clientid))`
			`#generate password and send it to the client`
			`newpass = utils.genpassword(30)`
fixing various bugs 2016-03-31 19:37:21 -04:00			`ioconfig.logger.info('client[{}]> initial password is: {}'.format(clientid, newpass))`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`salt = bcrypt.gensalt()`
byte encoding changed to ASCII 2016-04-01 19:53:16 -04:00			`b_newpass = newpass.encode('ascii')`
			`encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')`
add check function for logged-in clients 2016-05-21 11:49:53 -04:00			`vcard = { 'name':str(clientname), 'email':str(clientemail), 'encpasswd':str(encpasswd), 'id':str(clientid) }`
First. 2016-02-15 05:30:43 -05:00			`newclient = { str(clientid):vcard }`
			`clientsdb.update(newclient)`
fixing various bugs 2016-03-31 19:37:21 -04:00			`#Send initial email to the user as we will use the internal auth from now on.`
add check function for logged-in clients 2016-05-21 11:49:53 -04:00			`###utils.sendmail(clientemail, '{} logged in.'.format)`
fixing various bugs 2016-03-31 19:37:21 -04:00			`#TODO: Sync with proxmaster-admin database (shell command could be used for this one)`
			`ioconfig.logger.info('client[{}]> vmid {} is now owned by {} ({})'.format(clientid, vmid, clientemail, clientname))`
write vmpass and email 2016-03-30 18:12:38 -04:00
auth client email with machine password 2016-03-30 19:26:25 -04:00			`#create initial vm template`
			`vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid) }`
First. 2016-02-15 05:30:43 -05:00			`clientsdb[str(clientid)][str(vmid)] = vmdata`
			`writeclientsdb(clientsdb)`
validating password functions 2016-03-03 20:51:54 -05:00

major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`def setencpasswd(clientemail, newpass):`
validating password functions 2016-03-03 20:51:54 -05:00			`""" setup a new management password """`
			`salt = bcrypt.gensalt()`
byte encoding changed to ASCII 2016-04-01 19:53:16 -04:00			`b_newpass = newpass.encode('ascii')`
			`encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')`
validating password functions 2016-03-03 20:51:54 -05:00
			`try:`
			`clientsdb = readclientsdb()`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`path = utils.get_path(clientsdb, clientemail)`
validating password functions 2016-03-03 20:51:54 -05:00			`c_id = str(path[0])`
			`#check the returned path with forward query`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`query = clientsdb[c_id]['email']`
fixing various bugs 2016-03-31 19:37:21 -04:00			`#ioconfig.logger.info('client[{}]> path={}'.format(c_id, str(path)))`
validating password functions 2016-03-03 20:51:54 -05:00			`except:`
json middleware 2016-04-08 10:48:18 -04:00			`ioconfig.logger.critical('clients> client {} not found'.format(clientemail))`
validating password functions 2016-03-03 20:51:54 -05:00			`raise`

major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`if query != clientemail:`
fixing various bugs 2016-03-31 19:37:21 -04:00			`ioconfig.logger.critical('clients> test query returns different vmname! check clients db for consistency!')`
validating password functions 2016-03-03 20:51:54 -05:00			`raise`
			`else:`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`clientsdb[c_id]['encpasswd'] = encpasswd`
fixing various bugs 2016-03-31 19:37:21 -04:00			`ioconfig.logger.info('client[{}]> {} password changed!'.format(c_id, clientemail))`
validating password functions 2016-03-03 20:51:54 -05:00			`writeclientsdb(clientsdb)`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`#TODO: Send new email to the client to notify the password change. This time sending the password in plain text is not needed.`
validating password functions 2016-03-03 20:51:54 -05:00

add check function for logged-in clients 2016-05-21 11:56:46 -04:00			`def checkin(clientid):`
add vm rrd generator 2016-06-26 11:09:22 -04:00			`""" returns a list of owned vmids if client id matches the client database. (logged-in users)"""`
add check function for logged-in clients 2016-05-21 11:49:53 -04:00			`#1. search for the client`
			`try:`
			`clientsdb = readclientsdb()`
			`c_id = clientsdb[str(clientid)]`
cosmetic changes 2016-05-25 17:56:14 -04:00			`#c_id.pop('encpasswd')`
			`email = c_id['email']`
			`ioconfig.logger.info('client[{}]> {} active'.format(clientid, email))`
add check function for logged-in clients 2016-05-21 11:59:57 -04:00			`return c_id`
add check function for logged-in clients 2016-05-21 11:49:53 -04:00			`except:`
			`ioconfig.logger.error('clients> user id: {} could not be checked.'.format(clientid))`
			`return None`


major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`def validate(clientemail, password):`
add vm rrd generator 2016-06-26 11:09:22 -04:00			`""" returns a list of owned vmids if credentials match an user from the database. (fresh logins)"""`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`#1. search for the client`
auth client email with machine password 2016-03-30 19:26:25 -04:00			`try:`
			`clientsdb = readclientsdb()`
			`path = utils.get_path(clientsdb, clientemail)`
			`c_id = str(path[0])`
			`except:`
add check function for logged-in clients 2016-05-21 11:49:53 -04:00			`ioconfig.logger.error('clients> {} was not found in the database!'.format(clientemail))`
auth client email with machine password 2016-03-30 19:26:25 -04:00			`#log bad ips here...`
add check function for logged-in clients 2016-05-21 11:49:53 -04:00			`return None`
auth client email with machine password 2016-03-30 19:26:25 -04:00
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`#2. check the password`
			`encpass = clientsdb[c_id]['encpasswd']`
ignore unknown ascii symbols with password check. to be rewritten 2016-07-02 19:50:00 -04:00			`b_srvpass = password.encode('ascii', 'ignore')`
			`b_encpass = encpass.encode('ascii', 'ignore')`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00
			`if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):`
			`#login successful`
fixing various bugs 2016-03-31 19:37:21 -04:00			`ioconfig.logger.info('client[{}]> {} logged in successfully'.format(c_id, clientemail))`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`#TODO: Notify admin`
			`#3. generate vmlist to return the owned ids to the client.`
			`return clientvms(clientsdb[c_id])`
			`else:`
cosmetic changes 2016-05-23 16:52:27 -04:00			`ioconfig.logger.warning('client[{}]> {} access denied!'.format(c_id, clientemail))`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00			`#cant compare password`
			`#TODO: Log attempts and block.`
add check function for logged-in clients 2016-05-21 11:49:53 -04:00			`return None`
major rewrite of the auth function 2016-03-31 10:40:40 -04:00

			`def clientvms(vmlist):`
			`""" generate vmlist """`
fixing various bugs 2016-03-31 19:37:21 -04:00			`response = {}`
auth client email with machine password 2016-03-30 19:26:25 -04:00			`for vmid,data in vmlist.items():`
fix validated id list 2016-05-16 08:56:40 -04:00			`response[vmid] = data`
auth client email with machine password 2016-03-30 19:26:25 -04:00			`return response`


First. 2016-02-15 05:30:43 -05:00			`def vmowner(vmid, vmname, verbose):`
			`""" find the owner of the vm """`
			`clientsdb = readclientsdb()`
			`try:`
simplifying stuff by removing the journal 2016-03-29 22:50:03 -04:00			`clientid = utils.find_rec(clientsdb, str(vmid))[0]['ownerid']`
First. 2016-02-15 05:30:43 -05:00			`clientname = clientsdb[str(clientid)]['name']`
			`except:`
			`raise`
			`clientid = '0' #unknown owner`
			`clientname = 'unknown'`
			`if verbose:`
json middleware 2016-04-08 10:48:18 -04:00			`ioconfig.logger.info('client[{}]> {} is the owner of {} ({})'.format(str(clientid), clientname, str(vmid), vmname))`
First. 2016-02-15 05:30:43 -05:00			`return clientid`


			`def readclientsdb():`
			`""" read client db """`
			`try:`
			`with open('clients.json') as dbr:`
			`clientsdb = json.load(dbr)`
			`dbr.close()`
			`except:`
			`clientsdb = {}`
			`ioconfig.logger.warning('clients> initializing...')`
			`#writeclientsdb(clientsdb)`
			`return clientsdb`


			`def writeclientsdb(clientsdb):`
			`""" write db """`
			`with open('clients.json', 'w') as dbw:`
			`json.dump(clientsdb, dbw)`
			`dbw.close()`

validating password functions 2016-03-03 20:51:54 -05:00
			`if __name__ == '__main__':`
change api commands names 2016-06-25 11:27:45 -04:00			`setencpasswd('fqdn', '123456')`
fixing various bugs 2016-03-31 19:37:21 -04:00