manage permissions for keyring files and directories INDY-323

plenum/cli/cli.py

@@ -26,7 +26,7 @@
 from plenum.cli.helper import getUtilGrams, getNodeGrams, getClientGrams, \
     getAllGrams
 from plenum.cli.phrase_word_completer import PhraseWordCompleter
-from plenum.client.wallet import Wallet
+from plenum.client.wallet import Wallet, WalletStorageHelper
 from plenum.common.exceptions import NameAlreadyExists, KeysNotFoundException
 from plenum.common.keygen_utils import learnKeysFromOthers, tellKeysToOthers, areKeysSetup
 from plenum.common.plugin_helper import loadPlugins
@@ -75,8 +75,8 @@
 from plenum.client.client import Client
 from plenum.common.util import getMaxFailures, \
     firstValue, randomString, bootstrapClientKeys, \
-    getFriendlyIdentifier, saveGivenWallet, \
-    normalizedWalletFileName, getWalletFilePath, getWalletByPath, \
+    getFriendlyIdentifier, \
+    normalizedWalletFileName, getWalletFilePath, \
     getLastSavedWalletFileName
 from stp_core.common.log import \
     getlogger, Logger, getRAETLogFilePath, getRAETLogLevelFromConfig
@@ -179,6 +179,9 @@ def __init__(self, looper, basedirpath, nodeReg=None, cliNodeReg=None,
         self._wallets = {}  # type: Dict[str, Wallet]
         self._activeWallet = None  # type: Wallet
         self.keyPairs = {}
+
+        self._walletSaver = None
+
         '''
         examples:
         status
@@ -344,6 +347,16 @@ def config(self):
             self._config = getConfig()
             return self._config
 
+
+    @property
+    def walletSaver(self):
+        if self._walletSaver is None:
+            self._walletSaver = WalletStorageHelper(
+                    self.getKeyringsBaseDir(),
+                    dmode=self.config.KEYRING_DIR_MODE,
+                    fmode=self.config.KEYRING_FILE_MODE)
+        return self._walletSaver
+
     @property
     def allGrams(self):
         if not self._allGrams:
@@ -1375,6 +1388,7 @@ def _newWallet(self, walletName=None):
 
     def _listKeyringsAction(self, matchedVars):
         if matchedVars.get('list_krs') == 'list keyrings':
+            # TODO move file system related routine to WalletStorageHelper
             keyringBaseDir = self.getKeyringsBaseDir()
             contextDirPath = self.getContextBasedKeyringsBaseDir()
             dirs_to_scan = self.getAllSubDirNamesForKeyrings()
@@ -1735,7 +1749,7 @@ def performValidationCheck(self, wallet, walletFilePath, override=False):
 
     def restoreWalletByPath(self, walletFilePath, copyAs=None, override=False):
         try:
-            wallet = getWalletByPath(walletFilePath)
+            wallet = self.walletSaver.loadWallet(walletFilePath)
 
             if copyAs:
                 wallet.name=copyAs
@@ -1838,6 +1852,7 @@ def isAnyWalletFileExistsForGivenEnv(self, env):
         return self.isAnyWalletFileExistsForGivenContext(pattern)
 
     def isAnyWalletFileExistsForGivenContext(self, pattern):
+        # TODO move that to WalletStorageHelper
         files = glob.glob(pattern)
         if files:
             return True
@@ -1871,8 +1886,9 @@ def performCompatibilityCheckBeforeSave(self):
 
     def _saveActiveWalletInDir(self, contextDir, printMsgs=True):
         try:
-            walletFilePath = saveGivenWallet(self._activeWallet,
-                                             self.walletFileName, contextDir)
+            walletFilePath = self.walletSaver.saveWallet(
+                self._activeWallet,
+                getWalletFilePath(contextDir, self.walletFileName))
             if printMsgs:
                 self.print('Active keyring "{}" saved'.format(
                     self._activeWallet.name), newline=False)

plenum/client/wallet.py

@@ -1,4 +1,8 @@
 from typing import Optional, Dict, NamedTuple
+import os
+import sys
+import stat
+from pathlib import Path
 
 import jsonpickle
 from libnacl import crypto_secretbox_open, randombytes, \
@@ -265,3 +269,131 @@ def _getIdData(self,
         signer = self.idsToSigners.get(idr)
         idData = self.ids.get(idr)
         return IdData(signer, idData.lastReqId if idData else None)
+
+
+class WalletStorageHelper:
+    """Manages wallets
+
+    :param ``keyringsBaseDir``: keyrings base directory
+    :param dmode: (optional) permissions for directories inside
+        including the base one, default is 0700
+    :param fmode: (optional) permissions for files inside,
+        default is 0600
+    """
+    def __init__(self, keyringsBaseDir, dmode=0o700, fmode=0o600):
+        self.dmode = dmode
+        self.fmode = fmode
+        self.keyringsBaseDir = keyringsBaseDir
+
+    @property
+    def keyringsBaseDir(self):
+        return str(self._baseDir)
+
+    @keyringsBaseDir.setter
+    def keyringsBaseDir(self, path):
+        self._baseDir = self._resolve(Path(path))
+
+        self._createDirIfNotExists(self._baseDir)
+        self._ensurePermissions(self._baseDir, self.dmode)
+
+    def _ensurePermissions(self, path, mode):
+        if stat.S_IMODE(path.stat().st_mode) != mode:
+            path.chmod(mode)
+
+    def _createDirIfNotExists(self, dpath):
+        if dpath.exists():
+            if not dpath.is_dir():
+                raise NotADirectoryError("{}".format(dpath))
+        else:
+            dpath.mkdir(parents=True, exist_ok=True)
+
+    def _resolve(self, path):
+        # ``strict`` argument appeared only version 3.6 of python
+        if sys.version_info < (3, 6, 0):
+            return Path(os.path.realpath(str(path)))
+        else:
+            return path.resolve(strict=False)
+
+    def _normalize(self, fpath):
+        return self._resolve(self._baseDir / fpath)
+
+    def encode(self, data):
+        return jsonpickle.encode(data, keys=True)
+
+    def decode(self, data):
+        return jsonpickle.decode(data, keys=True)
+
+    def saveWallet(self, wallet, fpath):
+        """Save wallet into specified localtion.
+
+        Returns the canonical path for the ``fpath`` where ``wallet``
+        has been stored.
+
+        Error cases:
+            - ``fpath`` is not inside the keyrings base dir - ValueError raised
+            - directory part of ``fpath`` exists and it's not a directory -
+              NotADirectoryError raised
+            - ``fpath`` exists and it's a directory - IsADirectoryError raised
+
+        :param wallet: wallet to save
+        :param fpath: wallet file path, absolute or relative to
+            keyrings base dir
+        """
+        if not fpath:
+            raise ValueError("empty path")
+
+        _fpath = self._normalize(fpath)
+        _dpath = _fpath.parent
+
+        try:
+            _dpath.relative_to(self._baseDir)
+        except ValueError:
+            raise ValueError(
+                "path {} is not is not relative to the keyrings {}".format(
+                    fpath, self._baseDir))
+
+        self._createDirIfNotExists(_dpath)
+
+        # ensure permissions from the bottom of the directory hierarchy
+        while _dpath != self._baseDir:
+            self._ensurePermissions(_dpath, self.dmode)
+            _dpath = _dpath.parent
+
+        with _fpath.open("w") as wf:
+            self._ensurePermissions(_fpath, self.fmode)
+            encodedWallet = self.encode(wallet)
+            wf.write(encodedWallet)
+            logger.debug("stored wallet '{}' in {}".format(
+                wallet.name, _fpath))
+
+        return str(_fpath)
+
+    def loadWallet(self, fpath):
+        """Load wallet from specified localtion.
+
+        Returns loaded wallet.
+
+        Error cases:
+            - ``fpath`` is not inside the keyrings base dir - ValueError raised
+            - ``fpath`` exists and it's a directory - IsADirectoryError raised
+
+        :param fpath: wallet file path, absolute or relative to
+            keyrings base dir
+        """
+        if not fpath:
+            raise ValueError("empty path")
+
+        _fpath = self._normalize(fpath)
+        _dpath = _fpath.parent
+
+        try:
+            _dpath.relative_to(self._baseDir)
+        except ValueError:
+            raise ValueError(
+                "path {} is not is not relative to the keyrings {}".format(
+                    fpath, self._baseDir))
+
+        with _fpath.open() as wf:
+            wallet = self.decode(wf.read())
+
+        return wallet

plenum/common/util.py

@@ -506,23 +506,8 @@ def getWalletFilePath(basedir, walletFileName):
     return os.path.join(basedir, walletFileName)
 
 
-def saveGivenWallet(wallet, fileName, contextDir):
-    createDirIfNotExists(contextDir)
-    walletFilePath = getWalletFilePath(
-        contextDir, fileName)
-    with open(walletFilePath, "w+") as walletFile:
-        encodedWallet = encode(wallet, keys=True)
-        walletFile.write(encodedWallet)
-    return walletFilePath
-
-
-def getWalletByPath(walletFilePath):
-    with open(walletFilePath) as walletFile:
-        wallet = decode(walletFile.read(), keys=True)
-        return wallet
-
-
 def getLastSavedWalletFileName(dir):
+    # TODO move that to WalletStorageHelper
     def getLastModifiedTime(file):
         return os.stat(file).st_mtime_ns
 

plenum/config.py

@@ -187,6 +187,9 @@
 CLIENT_MAX_RETRY_ACK = 5
 CLIENT_MAX_RETRY_REPLY = 5
 
-
 VIEW_CHANGE_TIMEOUT = 60  # seconds
 MAX_CATCHUPS_DONE_DURING_VIEW_CHANGE = 5
+
+# permissions for keyring dirs/files
+KEYRING_DIR_MODE = 0o700  # drwx------ 
+KEYRING_FILE_MODE = 0o600  # -rw-------

plenum/test/cli/helper.py

@@ -1,5 +1,6 @@
 import ast
 import os
+import stat
 import re
 import traceback
 from tempfile import gettempdir, mkdtemp
@@ -586,6 +587,10 @@ def checkWalletFilePersisted(filePath):
     assert os.path.exists(filePath)
 
 
+def checkPermissions(path, mode):
+    assert stat.S_IMODE(os.stat(path).st_mode) == mode
+
+
 def checkWalletRestored(cli, expectedWalletKeyName,
                        expectedIdentifiers):
 
@@ -627,6 +632,15 @@ def useAndAssertKeyring(do, name, expectedName=None, expectedMsgs=None):
     )
 
 
+def saveAndAssertKeyring(do, name, expectedName=None, expectedMsgs=None):
+    keyringName = expectedName or name
+    finalExpectedMsgs = expectedMsgs or \
+                        ['Active keyring "{}" saved'.format(keyringName)]
+    do('save keyring'.format(name),
+       expect=finalExpectedMsgs
+    )
+
+
 def exitFromCli(do):
     import pytest
     with pytest.raises(cli.Exit):

plenum/test/cli/test_save_wallet.py

@@ -0,0 +1,25 @@
+import pytest
+
+from plenum.common.util import getWalletFilePath
+from plenum.test.cli.helper import createAndAssertNewCreation, \
+    checkWalletFilePersisted, checkPermissions, saveAndAssertKeyring
+
+
+def createNewKey(do, cli, keyringName):
+    createAndAssertNewCreation(do, cli, keyringName)
+
+
+def testSaveWallet(do, be, cli):
+    be(cli)
+    assert cli._activeWallet is None
+    createNewKey(do, cli, keyringName="Default")
+    saveAndAssertKeyring(do, "Default")
+    filePath = getWalletFilePath(
+        cli.getContextBasedKeyringsBaseDir(),
+        cli.walletFileName)
+
+    checkPermissions(cli.getKeyringsBaseDir(), cli.config.KEYRING_DIR_MODE)
+    checkPermissions(cli.getContextBasedKeyringsBaseDir(),
+                     cli.config.KEYRING_DIR_MODE)
+    checkWalletFilePersisted(filePath)
+    checkPermissions(filePath, cli.config.KEYRING_FILE_MODE)