#!/usr/bin/python
# encoding: utf-8
#
# Copyright 2017 Greg Neagle.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
authrestartd

Created by Greg Neagle on 2017-04-15.

Much code based on and adapted from autopkgserver by Per Olofsson

A helper tool for FileVault authorized restarts.  Allows non-privileged users
to get certain info about FileVault, and to store a password for authrestart.
Root user can trigger an authrestart, possibly using the password stored
earlier by a non-privileged user.

"""

import os
import sys
import time
import stat
import logging
import logging.handlers
import SocketServer
import socket
import plistlib
import struct

from munkilib import authrestart
from munkilib import launchd
from munkilib import prefs


APPNAME = 'authrestartd'
VERSION = '0.2'


class FDEUtilError(Exception):
    '''Exception to raise if there is any error in FDEUtil'''
    pass


class FDEUtil(object):
    '''Class for working with fdesetup'''
    def __init__(self, server, request, uid):
        '''Arguments:
        request A request in plist format.
        uid The uid of the requestor
        '''
        self.server = server
        self.log = server.log
        self.request = request
        self.uid = uid

    def verify_request(self):
        '''Make sure copy request has everything we need'''
        self.log.debug('Verifying request')
        for key in ['task']:
            if not key in self.request:
                raise FDEUtilError('No %s in request' % key)

    def store_password(self, password):
        '''Stores a password for later use for authrestart'''
        self.server.stored_password = password

    def handle(self):
        '''Handle our request'''
        self.verify_request()

        if self.request['task'] == 'restart':
            # Attempt to perform an authrestart, falling back to a regular
            # restart
            self.log.info('Restart request from uid %s', self.uid)
            if self.uid == 0:
                authrestart.do_authorized_or_normal_restart(
                    password=self.server.stored_password)
                return 'RESTARTING'
            else:
                self.log.info('Restart request denied')
                raise FDEUtilError('Restart may only be triggered by root')

        if self.request['task'] == 'store_password':
            # store a password for later fdesetup authrestart
            self.log.info('Store password request')
            username = self.request.get('username')
            # don't store the password if the user isn't enabled for FileVault
            if (username and
                    not authrestart.can_attempt_auth_restart_for(username)):
                self.log.info('User %s can\'t do auth restart', username)
                raise FDEUtilError(
                    'User %s can\'t do FileVault authrestart' % username)
            password = self.request.get('password')
            if not password:
                self.log.info('No password in request')
                raise FDEUtilError('No password provided')
            self.store_password(password)
            self.log.info('Password stored.')
            return 'DONE'

        if self.request['task'] == 'verify_can_attempt_auth_restart':
            # Check if we have all the required bits to attempt an auth
            # restart.
            self.log.info('Verify ready for auth restart')
            if authrestart.can_attempt_auth_restart(
                    have_password=bool(self.server.stored_password)):
                self.log.info('Ready for auth restart attempt')
                return 'READY'
            else:
                self.log.info('Not ready for auth restart attempt')
                raise FDEUtilError('Not ready for auth restart attempt')

        if self.request['task'] == 'verify_recovery_key_present':
            # Check if a plist containing a recovery key or password is
            # present.
            self.log.info('Verify recovery key request')
            if authrestart.get_auth_restart_key(quiet=True) == '':
                self.log.info('No valid recovery key plist')
                raise FDEUtilError('No recovery key plist')
            self.log.info('Valid recovery key plist found')
            return 'PRESENT'

        if self.request['task'] == 'verify_user':
            # Check to see if we can perform an authrestart for this user.
            # FileVault must be active, the hardware must support authrestart,
            # and the user must be enabled for FileVault.
            username = self.request.get('username')
            if not username:
                self.log.info('Verify user request with no username')
                raise FDEUtilError('No username provided')
            self.log.info('Verify user request for %s', username)
            if not authrestart.can_attempt_auth_restart_for(username):
                self.log.info(
                    'User %s can\'t do FileVault authrestart' % username)
                raise FDEUtilError('User not authorized for FileVault')
            self.log.info('User %s ok for auth restart', username)
            return 'USER VERIFIED'

        if self.request['task'] == 'verify_filevault':
            # check if FileVault is active
            self.log.info('Verify FileVault request')
            if not authrestart.filevault_is_active():
                self.log.info('FileVault is not active.')
                raise FDEUtilError('FileVault is not active')
            self.log.info('FileVault is active.')
            return 'FILEVAULT ON'

        # the task is not one we know how to handle
        self.log.info('Unknown task request: %s', self.request['task'])
        raise FDEUtilError('Unknown task')


class RunHandler(SocketServer.StreamRequestHandler):
    '''Handler for restarthelper run requests'''

    def verify_request_syntax(self, plist):
        '''Verify the basic syntax of request plist.'''
        # pylint: disable=no-self-use
        # Keep a list of error messages.
        errors = list()

        # Root should be a dictionary.
        if not isinstance(plist, dict):
            errors.append('Request root is not a dictionary')
            # Bail out early if it's not.
            return False, errors

        syntax_ok = True
        # TO-DO: Actual verification!
        return syntax_ok, errors

    def getpeerid(self):
        '''
        Get peer credentials on a UNIX domain socket.
        Returns uid, gids.
        '''

        # /usr/include/sys/ucred.h
        #
        # struct xucred {
        #         u_int   cr_version;           /* structure layout version */
        #         uid_t   cr_uid;               /* effective user id */
        #         short   cr_ngroups;           /* number of advisory groups */
        #         gid_t   cr_groups[NGROUPS];   /* advisory group list */
        # };

        # pylint: disable=invalid-name
        LOCAL_PEERCRED = 0x001
        XUCRED_VERSION = 0
        NGROUPS = 16
        # pylint: enable=invalid-name
        cr_version = 0
        cr_uid = 1
        cr_ngroups = 2
        cr_groups = 3

        xucred_fmt = 'IIh%dI' % NGROUPS
        res = struct.unpack(
            xucred_fmt,
            self.request.getsockopt(
                0, LOCAL_PEERCRED, struct.calcsize(xucred_fmt)))

        if res[cr_version] != XUCRED_VERSION:
            raise OSError('Incompatible struct xucred version')

        return res[cr_uid], res[cr_groups:cr_groups + res[cr_ngroups]]

    def handle(self):
        '''Handle an incoming run request.'''

        try:
            # Log through server parent.
            self.log = self.server.log
            self.log.debug('Handling request')

            # Get uid and primary gid of connecting peer.
            uid, gids = self.getpeerid()
            gid = gids[0]
            self.log.debug(
                'Got request from uid %d gid %d' % (uid, gid))

            # Receive a plist.
            plist_string = self.request.recv(8192)

            # Try to parse it.
            try:
                plist = plistlib.readPlistFromString(plist_string)
            except BaseException as err:
                self.log.error('Malformed request')
                self.request.send('ERROR:Malformed request\n')
                return
            self.log.debug('Parsed request plist')

            # Verify the plist syntax.
            syntax_ok, errors = self.verify_request_syntax(plist)
            if not syntax_ok:
                self.log.error('Plist syntax error')
                self.request.send(''.join(['ERROR:%s\n' % e for e in errors]))
                return

            self.log.info(
                'Dispatching worker to process request for user %d' % (uid))
            try:
                fdeutil = FDEUtil(self.server, plist, uid)
                result = fdeutil.handle()
                self.request.send(u'OK:%s\n' % result)
            except FDEUtilError as err:
                self.request.send(u'ERROR:%s\n' % unicode(err))
            except BaseException as err:
                self.log.error('Run failed: %s' % unicode(err))
                self.request.send(u'ERROR:%s\n' % unicode(err))

        except BaseException as err:
            self.log.error('Caught exception: %s' % repr(err))
            self.request.send('ERROR:Caught exception: %s' % repr(err))
            return


class RestartHelperDaemonError(Exception):
    '''Exception to raise for RestartHelperDaemon errors'''
    pass


class RestartHelperDaemon(SocketServer.UnixStreamServer):
    '''Daemon that runs as root,
    receiving requests for fdesetup tasks including authrestart.'''

    allow_reuse_address = True
    request_queue_size = 10
    timeout = 10

    def __init__(self, socket_fd, RequestHandlerClass):
        # Avoid initialization of UnixStreamServer as we need to open the
        # socket from a file descriptor instead of creating our own.
        self.socket = socket.fromfd(
            socket_fd, socket.AF_UNIX, socket.SOCK_STREAM)
        self.socket.listen(self.request_queue_size)
        SocketServer.BaseServer.__init__(
            self, self.socket.getsockname(), RequestHandlerClass)
        self.timed_out = False
        self.stored_password = None
        self.log = logging.getLogger(APPNAME)

    def setup_logging(self):
        '''Configure logging'''
        try:
            self.log.setLevel(logging.DEBUG)

            log_console = logging.StreamHandler()
            log_console.setLevel(logging.DEBUG)
            # store the log in the same directory as ManagedSoftwareUpdate.log
            logfilepath = os.path.join(
                os.path.dirname(prefs.pref('LogFile')), APPNAME + '.log')
            log_file = logging.handlers.RotatingFileHandler(
                logfilepath, 'a', 100000, 9, 'utf-8')
            log_file.setLevel(logging.DEBUG)

            console_formatter = logging.Formatter('%(message)s')
            file_formatter = logging.Formatter(
                '%(asctime)s %(module)s[%(process)d]: '
                '%(message)s   (%(funcName)s)')

            log_console.setFormatter(console_formatter)
            log_file.setFormatter(file_formatter)

            self.log.addHandler(log_console)
            self.log.addHandler(log_file)
        except (OSError, IOError) as err:
            raise RestartHelperDaemonError(
                'Can\'t open log: %s' % (err.strerror))

    def handle_timeout(self):
        self.timed_out = True


def main():
    '''Start our daemon, connect to socket and process requests'''
    # Make sure we're launched as root
    if os.geteuid() != 0:
        print >>sys.stderr, '%s must be run as root.' % APPNAME
        # Sleep to avoid respawn.
        time.sleep(10)
        return 1

    # Make sure that the executable and all containing directories are owned
    # by root:wheel or root:admin, and not writeable by other users.
    root_uid = 0
    wheel_gid = 0
    admin_gid = 80

    exepath = os.path.realpath(os.path.abspath(__file__))
    path_ok = True
    while True:
        info = os.stat(exepath)
        if info.st_uid != root_uid:
            print >> sys.stderr, '%s must be owned by root.' % exepath
            path_ok = False
        if info.st_gid not in (wheel_gid, admin_gid):
            print >> sys.stderr, '%s must have group wheel or admin.' % exepath
            path_ok = False
        if info.st_mode & stat.S_IWOTH:
            print >> sys.stderr, '%s mustn\'t be world writeable.' % exepath
            path_ok = False
        exepath = os.path.dirname(exepath)
        if exepath == '/':
            break

    if not path_ok:
        # Sleep to avoid immediate respawn.
        time.sleep(10)
        return 1

    # Keep track of time for launchd.
    start_time = time.time()

    # Get socket file descriptors from launchd.
    socket_fd = launchd.get_socket_fd('authrestartd')
    if not socket_fd:
        print >> sys.stderr, 'No socket provided to us by launchd'
        time.sleep(10)
        return 1

    # Create the daemon object.
    daemon = RestartHelperDaemon(socket_fd, RunHandler)
    daemon.setup_logging()

    daemon.log.info('%s v%s starting', APPNAME, VERSION)

    # Process incoming requests
    while True:
        daemon.handle_request()
        if not daemon.timed_out or daemon.stored_password:
            continue
        # we timed out and we don't have a stored password, so we can exit
        # Keep running for at least 10 seconds make launchd happy.
        run_time = time.time() - start_time
        daemon.log.info("run time: %fs", run_time)
        if run_time < 10.0:
            # Only sleep for a short while in case new requests pop up.
            sleep_time = min(1.0, 10.0 - run_time)
            daemon.log.debug(
                "sleeping for %f seconds to make launchd happy",
                sleep_time)
            time.sleep(sleep_time)
        else:
            daemon.log.info('Nothing to do: exiting')
            break


if __name__ == '__main__':
    sys.exit(main())
