diff options
| author | Jason Gunthorpe <jgg@mellanox.com> | 2020-05-28 10:13:37 -0300 |
|---|---|---|
| committer | Jason Gunthorpe <jgg@mellanox.com> | 2020-05-28 11:41:47 -0300 |
| commit | 192d633a13adf2d552f4257f4975b066204b9da9 (patch) | |
| tree | 544fd2e7ec777e2bbf123369fd3de064958425c6 /cloud_mdir_sync/credsrv.py | |
| parent | 72b3e5ff5d68d9f70257f9556068cc1e5de23e1c (diff) | |
| download | cloud_mdir_sync-192d633a13adf2d552f4257f4975b066204b9da9.tar.gz cloud_mdir_sync-192d633a13adf2d552f4257f4975b066204b9da9.tar.bz2 cloud_mdir_sync-192d633a13adf2d552f4257f4975b066204b9da9.zip | |
Add OAUTH Credential server
The OAUTH credential server allows CMS to ack as an OAUTH broker and
supply bearer tokens to other applications in the system. Currently this
only support SMTP tokens for outbound mail delivery.
A UNIX domain socket is used to communicate between the SMTP agent and CMS.
A simple one line protocol is used to specify the account requested and
CMS returns the plain XAOUTH2 response string. The agent is responsible to
base64 encode it.
This works for GMail and O365 mailboxes.
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to 'cloud_mdir_sync/credsrv.py')
| -rw-r--r-- | cloud_mdir_sync/credsrv.py | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/cloud_mdir_sync/credsrv.py b/cloud_mdir_sync/credsrv.py new file mode 100644 index 0000000..97357bc --- /dev/null +++ b/cloud_mdir_sync/credsrv.py @@ -0,0 +1,65 @@ +# SPDX-License-Identifier: GPL-2.0+ +import asyncio +import contextlib +import os +import re +from typing import List + +from . import config, oauth + + +class CredentialServer(object): + """Serve XOAUTH2 bearer tokens over a unix domain socket. The client + writes the user to obtain a token for and the server responds with the + token""" + def __init__(self, + cfg: config.Config, + path: str, + accounts: List[oauth.Account], + umask=0o600): + self.cfg = cfg + self.path = os.path.abspath(os.path.expanduser(path)) + self.umask = umask + self.accounts = {} + for I in accounts: + I.oauth_smtp = True + self.accounts[I.user] = I + + async def go(self): + old_umask = os.umask(self.umask) + try: + self.server = await asyncio.start_unix_server( + self.handle_client, self.path) + finally: + os.umask(old_umask) + os.chmod(self.path, self.umask) + + async def close(self): + pass + + async def handle_client(self, reader: asyncio.StreamReader, + writer: asyncio.StreamWriter) -> None: + with contextlib.closing(writer): + req = await reader.read() + g = re.match(r"([^ ,]+)(?:,(\S+))? (\S+@\S+)", req.decode()) + if g is None: + self.cfg.logger.error(f"Invalid credential request {req!r}") + return + proto, opts_str, user = g.groups() + if opts_str: + opts = opts_str.split(',') + else: + opts = [] + + self.cfg.logger.debug( + f"Credential request {proto!r} {opts} {user!r}") + + account = self.accounts.get(user) + if account is None: + return + + xoauth2 = await account.get_xoauth2_bytes("SMTP") + if xoauth2 is None: + return + writer.write(xoauth2) + await writer.drain() |