Onionr/onionr/api.py

'''
    Onionr - Private P2P Communication

    This file handles all incoming http requests to the client, using Flask
'''
'''
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
'''
import threading, hmac, base64, time, os
from gevent.pywsgi import WSGIServer
import flask
from flask import request, Response, abort, send_from_directory
import core
import onionrexceptions, onionrcrypto, logger, config
import httpapi
from httpapi import friendsapi, profilesapi, configapi, miscpublicapi, miscclientapi, insertblock, onionrsitesapi
from onionrservices import httpheaders
import onionr
from onionrutils import bytesconverter, stringvalidators, epoch, mnemonickeys
from httpapi import apiutils, security, fdsafehandler

config.reload()

class PublicAPI:
    '''
        The new client api server, isolated from the public api
    '''
    def __init__(self, clientAPI):
        assert isinstance(clientAPI, API)
        app = flask.Flask('PublicAPI')
        app.config['MAX_CONTENT_LENGTH'] = 5 * 1024 * 1024
        self.i2pEnabled = config.get('i2p.host', False)
        self.hideBlocks = [] # Blocks to be denied sharing
        self.host = apiutils.setbindip.set_bind_IP(clientAPI._core.publicApiHostFile, clientAPI._core)
        self.torAdder = clientAPI._core.hsAddress
        self.i2pAdder = clientAPI._core.i2pAddress
        self.bindPort = config.get('client.public.port')
        self.lastRequest = 0
        self.hitCount = 0 # total rec requests to public api since server started
        self.config = config
        self.clientAPI = clientAPI
        self.API_VERSION = onionr.API_VERSION
        logger.info('Running public api on %s:%s' % (self.host, self.bindPort))

        # Set instances, then startup our public api server
        clientAPI.setPublicAPIInstance(self)
        while self.torAdder == '':
            clientAPI._core.refreshFirstStartVars()
            self.torAdder = clientAPI._core.hsAddress
            time.sleep(0.1)
        
        app.register_blueprint(security.public.PublicAPISecurity(self).public_api_security_bp)
        app.register_blueprint(miscpublicapi.endpoints.PublicEndpoints(self).public_endpoints_bp)
        self.httpServer = WSGIServer((self.host, self.bindPort), app, log=None, handler_class=fdsafehandler.FDSafeHandler)
        self.httpServer.serve_forever()

class API:
    '''
        Client HTTP api
    '''

    callbacks = {'public' : {}, 'private' : {}}

    def __init__(self, onionrInst, debug, API_VERSION):
        '''
            Initialize the api server, preping variables for later use

            This initialization defines all of the API entry points and handlers for the endpoints and errors
            This also saves the used host (random localhost IP address) to the data folder in host.txt
        '''

        self.debug = debug
        self._core = onionrInst.onionrCore
        self.startTime = epoch.get_epoch()
        self._crypto = onionrcrypto.OnionrCrypto(self._core)
        app = flask.Flask(__name__)
        bindPort = int(config.get('client.client.port', 59496))
        self.bindPort = bindPort

        self.clientToken = config.get('client.webpassword')
        self.timeBypassToken = base64.b16encode(os.urandom(32)).decode()

        self.publicAPI = None # gets set when the thread calls our setter... bad hack but kinda necessary with flask
        #threading.Thread(target=PublicAPI, args=(self,)).start()
        self.host = apiutils.setbindip.set_bind_IP(self._core.privateApiHostFile, self._core)
        logger.info('Running api on %s:%s' % (self.host, self.bindPort))
        self.httpServer = ''

        self.queueResponse = {}
        onionrInst.setClientAPIInst(self)
        app.register_blueprint(security.client.ClientAPISecurity(self).client_api_security_bp)
        app.register_blueprint(friendsapi.friends)
        app.register_blueprint(profilesapi.profile_BP)
        app.register_blueprint(configapi.config_BP)
        app.register_blueprint(insertblock.ib)
        app.register_blueprint(miscclientapi.getblocks.client_get_blocks)
        app.register_blueprint(miscclientapi.staticfiles.static_files_bp)
        app.register_blueprint(miscclientapi.endpoints.PrivateEndpoints(self).private_endpoints_bp)
        app.register_blueprint(onionrsitesapi.site_api)
        app.register_blueprint(apiutils.shutdown.shutdown_bp)
        httpapi.load_plugin_blueprints(app)
        self.get_block_data = apiutils.GetBlockData(self)

        self.httpServer = WSGIServer((self.host, bindPort), app, log=None, handler_class=fdsafehandler.FDSafeHandler)
        self.httpServer.serve_forever()

    def setPublicAPIInstance(self, inst):
        assert isinstance(inst, PublicAPI)
        self.publicAPI = inst

    def validateToken(self, token):
        '''
            Validate that the client token matches the given token. Used to prevent CSRF and data exfiltration
        '''
        if len(self.clientToken) == 0:
            logger.error("client password needs to be set")
            return False
        try:
            if not hmac.compare_digest(self.clientToken, token):
                return False
            else:
                return True
        except TypeError:
            return False

    def getUptime(self):
        while True:
            try:
                return epoch.get_epoch() - self.startTime
            except (AttributeError, NameError):
                # Don't error on race condition with startup
                pass

    def getBlockData(self, bHash, decrypt=False, raw=False, headerOnly=False):
        return self.get_block_data.get_block_data(bHash, decrypt=decrypt, raw=raw, headerOnly=headerOnly)
initial commit 2017-12-26 07:25:29 +00:00			`'''`
* Progress in adjust tagline in files, license boilerplate fixes * Import adjustments 2019-06-12 00:05:15 +00:00			`Onionr - Private P2P Communication`
work on adding peers, improved documentation, improved the way the daemon is run, daemon can now be killed from background 2018-01-14 08:48:23 +00:00
			`This file handles all incoming http requests to the client, using Flask`
			`'''`
			`'''`
initial commit 2017-12-26 07:25:29 +00:00			`This program is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with this program. If not, see <https://www.gnu.org/licenses/>.`
			`'''`
refactored api servers, especially the public server. Client server to recieve similar refactoring soon 2019-07-02 06:32:26 +00:00			`import threading, hmac, base64, time, os`
			`from gevent.pywsgi import WSGIServer`
Started reducing unnecessary disk i/o: * Spawn core.Core() much less 2019-06-15 18:56:57 +00:00			`import flask`
added static dir and serving for web ui 2018-07-27 05:48:22 +00:00			`from flask import request, Response, abort, send_from_directory`
Added API check in requests 2018-10-27 03:29:25 +00:00			`import core`
refactored api servers, especially the public server. Client server to recieve similar refactoring soon 2019-07-02 06:32:26 +00:00			`import onionrexceptions, onionrcrypto, logger, config`
work on plugins doing http endpoints 2019-03-02 06:22:59 +00:00			`import httpapi`
incomplete work on refactoring client api endpoints 2019-07-01 20:38:55 +00:00			`from httpapi import friendsapi, profilesapi, configapi, miscpublicapi, miscclientapi, insertblock, onionrsitesapi`
more work on direct connections 2019-03-26 04:25:46 +00:00			`from onionrservices import httpheaders`
work on UI friends manager 2019-02-21 20:25:45 +00:00			`import onionr`
OnionrUtils fully removed (but not fully bug free) flow now uses daemon thread for displaying output 2019-06-25 23:07:35 +00:00			`from onionrutils import bytesconverter, stringvalidators, epoch, mnemonickeys`
refactored api servers, especially the public server. Client server to recieve similar refactoring soon 2019-07-02 06:32:26 +00:00			`from httpapi import apiutils, security, fdsafehandler`
Started reducing unnecessary disk i/o: * Spawn core.Core() much less 2019-06-15 18:56:57 +00:00
+ added powchoice.py to use old pow on windows, temporary fix for subprocess method not working there * various bug fixes 2019-06-15 01:31:01 +00:00			`config.reload()`
API reformat 2019-01-08 05:51:39 +00:00
			`class PublicAPI:`
			`'''`
			`The new client api server, isolated from the public api`
			`'''`
			`def __init__(self, clientAPI):`
			`assert isinstance(clientAPI, API)`
			`app = flask.Flask('PublicAPI')`
reject large requests 2019-07-03 02:50:22 +00:00			`app.config['MAX_CONTENT_LENGTH'] = 5 * 1024 * 1024`
Refactor Onionr 2018-06-14 04:17:58 +00:00			`self.i2pEnabled = config.get('i2p.host', False)`
onionr now waits for a block to be uploaded to share it, unless the node exits 2018-11-13 17:07:46 +00:00			`self.hideBlocks = [] # Blocks to be denied sharing`
refactored api servers, especially the public server. Client server to recieve similar refactoring soon 2019-07-02 06:32:26 +00:00			`self.host = apiutils.setbindip.set_bind_IP(clientAPI._core.publicApiHostFile, clientAPI._core)`
API reformat 2019-01-08 05:51:39 +00:00			`self.torAdder = clientAPI._core.hsAddress`
			`self.i2pAdder = clientAPI._core.i2pAddress`
			`self.bindPort = config.get('client.public.port')`
work on tests and various fixes 2019-02-14 23:48:41 +00:00			`self.lastRequest = 0`
+ added hit count stat - removed bypass_tor_check as defunct config option * actually fixed connect stat in cli for real this time * improved ui stats more 2019-06-16 22:34:43 +00:00			`self.hitCount = 0 # total rec requests to public api since server started`
refactored api servers, especially the public server. Client server to recieve similar refactoring soon 2019-07-02 06:32:26 +00:00			`self.config = config`
			`self.clientAPI = clientAPI`
			`self.API_VERSION = onionr.API_VERSION`
API reformat 2019-01-08 05:51:39 +00:00			`logger.info('Running public api on %s:%s' % (self.host, self.bindPort))`
work on api, client, and added protection against HTTP metadata leaks (timebleed) 2017-12-27 01:13:19 +00:00
code cleanup, defunct code removal 2019-02-12 05:30:56 +00:00			`# Set instances, then startup our public api server`
API reformat 2019-01-08 05:51:39 +00:00			`clientAPI.setPublicAPIInstance(self)`
			`while self.torAdder == '':`
			`clientAPI._core.refreshFirstStartVars()`
			`self.torAdder = clientAPI._core.hsAddress`
fixed forward secrecy time conflicts, adjusted tests 2019-02-20 23:12:11 +00:00			`time.sleep(0.1)`
refactored api servers, especially the public server. Client server to recieve similar refactoring soon 2019-07-02 06:32:26 +00:00
			`app.register_blueprint(security.public.PublicAPISecurity(self).public_api_security_bp)`
			`app.register_blueprint(miscpublicapi.endpoints.PublicEndpoints(self).public_endpoints_bp)`
			`self.httpServer = WSGIServer((self.host, self.bindPort), app, log=None, handler_class=fdsafehandler.FDSafeHandler)`
API reformat 2019-01-08 05:51:39 +00:00			`self.httpServer.serve_forever()`
Code consistency updates - Improved formatting - Added comments - URL encoded values in netcontroller.performGET - Kept SQL statement case consistency 2018-02-04 03:44:29 +00:00
API reformat 2019-01-08 05:51:39 +00:00			`class API:`
			`'''`
			`Client HTTP api`
			`'''`
Code consistency updates - Improved formatting - Added comments - URL encoded values in netcontroller.performGET - Kept SQL statement case consistency 2018-02-04 03:44:29 +00:00
API reformat 2019-01-08 05:51:39 +00:00			`callbacks = {'public' : {}, 'private' : {}}`
Merge wot 2018-12-09 17:29:39 +00:00
API reformat 2019-01-08 05:51:39 +00:00			`def __init__(self, onionrInst, debug, API_VERSION):`
			`'''`
			`Initialize the api server, preping variables for later use`
work on api, client, and added protection against HTTP metadata leaks (timebleed) 2017-12-27 01:13:19 +00:00
fixed dumb print leftover spamming hashes 2019-04-23 02:02:09 +00:00			`This initialization defines all of the API entry points and handlers for the endpoints and errors`
API reformat 2019-01-08 05:51:39 +00:00			`This also saves the used host (random localhost IP address) to the data folder in host.txt`
Code consistency updates - Improved formatting - Added comments - URL encoded values in netcontroller.performGET - Kept SQL statement case consistency 2018-02-04 03:44:29 +00:00			`'''`
Add logger 2018-01-26 07:22:48 +00:00
API reformat 2019-01-08 05:51:39 +00:00			`self.debug = debug`
improved api-communicator integration, panel 2019-01-20 22:54:04 +00:00			`self._core = onionrInst.onionrCore`
OnionrUtils fully removed (but not fully bug free) flow now uses daemon thread for displaying output 2019-06-25 23:07:35 +00:00			`self.startTime = epoch.get_epoch()`
API reformat 2019-01-08 05:51:39 +00:00			`self._crypto = onionrcrypto.OnionrCrypto(self._core)`
			`app = flask.Flask(__name__)`
			`bindPort = int(config.get('client.client.port', 59496))`
			`self.bindPort = bindPort`
Merge I2P Branch (#19) * work on i2p support * work on i2p support * redid socks check * redid socks check * redid socks check * work on i2p and fixed broken block processing * fixed no newline delim on block list in api * fixed no newline delim on block list in api * fixed no newline delim on block list in api * use extend instead of append for blocklist after newline changes 2018-05-19 21:32:21 +00:00
API reformat 2019-01-08 05:51:39 +00:00			`self.clientToken = config.get('client.webpassword')`
			`self.timeBypassToken = base64.b16encode(os.urandom(32)).decode()`
Merge I2P Branch (#19) * work on i2p support * work on i2p support * redid socks check * redid socks check * redid socks check * work on i2p and fixed broken block processing * fixed no newline delim on block list in api * fixed no newline delim on block list in api * fixed no newline delim on block list in api * use extend instead of append for blocklist after newline changes 2018-05-19 21:32:21 +00:00
API reformat 2019-01-08 05:51:39 +00:00			`self.publicAPI = None # gets set when the thread calls our setter... bad hack but kinda necessary with flask`
			`#threading.Thread(target=PublicAPI, args=(self,)).start()`
refactored api servers, especially the public server. Client server to recieve similar refactoring soon 2019-07-02 06:32:26 +00:00			`self.host = apiutils.setbindip.set_bind_IP(self._core.privateApiHostFile, self._core)`
API reformat 2019-01-08 05:51:39 +00:00			`logger.info('Running api on %s:%s' % (self.host, self.bindPort))`
			`self.httpServer = ''`
work on gui, dbstorage, daemon queue responses 2019-01-07 05:50:20 +00:00
			`self.queueResponse = {}`
API reformat 2019-01-08 05:51:39 +00:00			`onionrInst.setClientAPIInst(self)`
refactored api servers, especially the public server. Client server to recieve similar refactoring soon 2019-07-02 06:32:26 +00:00			`app.register_blueprint(security.client.ClientAPISecurity(self).client_api_security_bp)`
work on UI friends manager 2019-02-21 20:25:45 +00:00			`app.register_blueprint(friendsapi.friends)`
fixes for mail, work on specs, and added files for profile viewer 2019-04-09 17:30:54 +00:00			`app.register_blueprint(profilesapi.profile_BP)`
work on ui 2019-04-27 15:43:16 +00:00			`app.register_blueprint(configapi.config_BP)`
* fixed fd handler probably * fixed security level in ui redesign * moved client api insertblock to its own blueprint 2019-06-29 20:17:48 +00:00			`app.register_blueprint(insertblock.ib)`
incomplete work on refactoring client api endpoints 2019-07-01 20:38:55 +00:00			`app.register_blueprint(miscclientapi.getblocks.client_get_blocks)`
			`app.register_blueprint(miscclientapi.staticfiles.static_files_bp)`
* refactored client api endpoints to their own file and class 2019-07-02 23:16:04 +00:00			`app.register_blueprint(miscclientapi.endpoints.PrivateEndpoints(self).private_endpoints_bp)`
incomplete work on refactoring client api endpoints 2019-07-01 20:38:55 +00:00			`app.register_blueprint(onionrsitesapi.site_api)`
			`app.register_blueprint(apiutils.shutdown.shutdown_bp)`
work on plugins doing http endpoints 2019-03-02 06:22:59 +00:00			`httpapi.load_plugin_blueprints(app)`
incomplete work on refactoring client api endpoints 2019-07-01 20:38:55 +00:00			`self.get_block_data = apiutils.GetBlockData(self)`
convert human readable keys back to base32, work on mail sending from web ui 2019-02-10 02:21:36 +00:00
refactored api servers, especially the public server. Client server to recieve similar refactoring soon 2019-07-02 06:32:26 +00:00			`self.httpServer = WSGIServer((self.host, bindPort), app, log=None, handler_class=fdsafehandler.FDSafeHandler)`
API reformat 2019-01-08 05:51:39 +00:00			`self.httpServer.serve_forever()`
Add web api callbacks 2018-07-30 00:37:12 +00:00
API reformat 2019-01-08 05:51:39 +00:00			`def setPublicAPIInstance(self, inst):`
			`assert isinstance(inst, PublicAPI)`
			`self.publicAPI = inst`
Add web api callbacks 2018-07-30 00:37:12 +00:00
API reformat 2019-01-08 05:51:39 +00:00			`def validateToken(self, token):`
			`'''`
code cleanup, defunct code removal 2019-02-12 05:30:56 +00:00			`Validate that the client token matches the given token. Used to prevent CSRF and data exfiltration`
API reformat 2019-01-08 05:51:39 +00:00			`'''`
			`if len(self.clientToken) == 0:`
			`logger.error("client password needs to be set")`
			`return False`
			`try:`
			`if not hmac.compare_digest(self.clientToken, token):`
			`return False`
			`else:`
			`return True`
			`except TypeError:`
			`return False`
work on serialization and communication, misc work on web, run files 2019-01-13 22:20:10 +00:00
			`def getUptime(self):`
improved uploading and fixed announce 2019-01-28 22:49:04 +00:00			`while True:`
			`try:`
OnionrUtils fully removed (but not fully bug free) flow now uses daemon thread for displaying output 2019-06-25 23:07:35 +00:00			`return epoch.get_epoch() - self.startTime`
updated docs and cleaned up api somewhat 2019-04-12 17:14:16 +00:00			`except (AttributeError, NameError):`
improved uploading and fixed announce 2019-01-28 22:49:04 +00:00			`# Don't error on race condition with startup`
moved a couple files, work on mail interface, improvements to web + blockapi for block decryption 2019-02-01 06:38:12 +00:00			`pass`
incomplete work on refactoring client api endpoints 2019-07-01 20:38:55 +00:00
more work on mail 2019-02-04 23:48:21 +00:00			`def getBlockData(self, bHash, decrypt=False, raw=False, headerOnly=False):`
* fixed some mail elements for bulma redesign * added dll, exe to .gitignore * fixed some miscpublicapi endpoints httpapi calls 2019-07-02 22:34:26 +00:00			`return self.get_block_data.get_block_data(bHash, decrypt=decrypt, raw=raw, headerOnly=headerOnly)`