routes.py

try:
    from Cryptodome.Cipher import PKCS1_OAEP, AES
    from Cryptodome.PublicKey import RSA
except:
    from Crypto.Cipher import PKCS1_OAEP, AES
    from Crypto.PublicKey import RSA
from dateutil.tz import tzutc, gettz
from dateutil import parser, utils
from time import time
from .oauth2 import authorization, require_oauth, OAuth2Client
from .models import AccessCode, Color, ColorAllocation, OAuth2AuthorizationCode, OAuth2Token, db, User, Setting
from authlib.oauth2 import OAuth2Error
from authlib.integrations.flask_oauth2 import current_token
import base64
import hashlib
import uuid
import os
from werkzeug.security import gen_salt
from datetime import date, datetime
from flask import Blueprint, request, session, send_file, jsonify, redirect
import json


bp = Blueprint('home', __name__)

# init private key and decryptor for /check
if os.path.isfile("output/private_key.pem"):
    file = open("output/private_key.pem", "r")
    privateKey = RSA.import_key(extern_key=file.read())
    file.close()
    decryptor = PKCS1_OAEP.new(privateKey)

# init key for signing seeds
if os.path.isfile("output/seed_key.aes"):
    file = open("output/seed_key.aes", "rb")
    seedKey = file.read()
    file.close()

# init key for signing tickets
if os.path.isfile("output/signing_key.aes"):
    file = open("output/signing_key.aes", "rb")
    signKey = file.read()
    file.close()


def current_user():
    if 'id' in session:
        uid = session['id']
        return User.query.get(uid)
    return None


def split_by_crlf(s):
    return [v for v in s.splitlines() if v]


@bp.route('/health')
def health():
    return 'service is running', 200


@bp.route('/')
def home():
    return redirect('https://hilfe.uni-paderborn.de/Anleitung_zur_Nutzung_des_digitalen_3G-Nachweises', code=302)


@bp.route('/oauth/authorize', methods=['GET', 'POST'])
def authorize():
    user = current_user()
    if request.method == 'GET':
        try:
            grant = authorization.validate_consent_request(end_user=user)
            return 'ok', 200
        except OAuth2Error as error:
            return error.error
    if not user and 'username' in request.form:
        username = request.form.get('username')
        user = User.query.filter_by(username=username).first()
    if request.form['confirm']:
        grant_user = user
    else:
        grant_user = None
    return authorization.create_authorization_response(grant_user=grant_user)


@bp.route('/get_client', methods=['POST'])
def get_client():
    user = User.query.filter_by(username=request.json['username']).first()
    if user == None:
        return 'user not existent', 400
    if user.scope == request.json['scope']:
        old_client = db.session.query(OAuth2Client).filter(
            OAuth2Client.user_id == user.id).first()
        if old_client != None:
            return jsonify({'client_id': old_client.client_id, 'client_secret': old_client.client_secret})

        client_id = gen_salt(24)
        client_id_issued_at = int(time())
        client = OAuth2Client(
            client_id=client_id,
            client_id_issued_at=client_id_issued_at,
            user_id=user.id,
        )

        client_metadata = {
            "client_name": user.uuid,
            "client_uri": "*",
            "grant_types": [request.json['grant_type']],
            "redirect_uris": [],
            "response_types": ["code"],
            "scope": user.scope,
            "token_endpoint_auth_method": "client_secret_basic"
        }
        client.set_client_metadata(client_metadata)

        client_secret = gen_salt(48)
        client.client_secret = client_secret

        db.session.add(client)
        db.session.commit()

        return jsonify({'client_id': client_id, 'client_secret': client_secret})
    else:
        return 'wrong scope', 400


@bp.route('/oauth/token', methods=['POST'])
def issue_token():
    user = User.query.filter_by(username=request.form['username']).first()
    if user == None:
        return 'user not existent', 401
    if user.scope == request.form['scope']:
        response = authorization.create_token_response(request=request)
        print(response.response)
        return response
    else:
        return 'wrong scope', 401


@bp.route('/oauth/revoke', methods=['POST'])
def revoke_token():
    return authorization.create_endpoint_response('revocation')


@bp.route("/check", methods=['POST'])
def check():
    # decode signed ticket and split into parts for AES
    decoded = base64.b64decode(str(request.json))
    nonce = decoded[:16]
    tag = decoded[16:32]
    ciphertext = decoded[32:]

    # decrypt and verify parsed AES payload
    cipher = AES.new(signKey, AES.MODE_EAX, nonce)
    try:
        data = cipher.decrypt_and_verify(ciphertext, tag)
    except:
        return 'error: signing', 400

    # decrypt the ticket
    correct_key, decrypted = decrypt_ticket(data)
    if not correct_key:
        return 'error: encryption', 400

    # check if valid datetime
    valid = check_ticket(decrypted)

    # respond with color code according to current day
    if valid != None and valid:
        alloc = ColorAllocation.query.filter_by(day=date.today()).first()
        if alloc != None:
            return jsonify(
                verified=True,
                color=alloc.color.hex,
                inverse=alloc.color.inverse,
            )
        else:
            return jsonify(
                verified=True,
                color=None,
                inverse=None,
            )
    else:
        return jsonify(
            verified=False,
            color=None,
            inverse=None,
        )


def decrypt_ticket(ticket):
    try:
        # decode and parse request body into datetime object
        decrypted = decryptor.decrypt(ticket)
        return True, parser.isoparse(decrypted)
    except:
        return False, None


def check_ticket(decrypted):
    # compare current time with request's datetime in utc
    return decrypted > datetime.now(tzutc())


@bp.route("/genticket", methods=['POST'])
def generate_ticket():
    # decode signed ticket and split into parts for AES
    decoded = base64.b64decode(str(request.json))
    nonce = decoded[:16]
    tag = decoded[16:32]
    ciphertext = decoded[32:]

    # decrypt and verify parsed AES payload
    cipher = AES.new(seedKey, AES.MODE_EAX, nonce)
    try:
        data = cipher.decrypt_and_verify(ciphertext, tag)
    except:
        return 'error: signing', 400

    json_seed = json.loads(data.decode('utf-8'))
    epoch_timestamp = parser.isoparse(json_seed['timestamp']).timestamp()

    if datetime.now(tzutc()).timestamp() - epoch_timestamp > 60.0:
        return 'error: oldseed', 400

    # sign RSA ticket with AES encryption
    cipher = AES.new(signKey, AES.MODE_EAX)
    ciphertext, tag = cipher.encrypt_and_digest(
        base64.b64decode(json_seed['ticket']))
    combined = str(base64.b64encode(
        cipher.nonce + tag + ciphertext), encoding='utf-8')

    return jsonify(combined)


@bp.route('/makeseed', methods=['POST'])
@require_oauth('user')
def make_seed():
    # this is the same process as in the (soon to be deprecated) sign with some added security features
    # decode body to get raw RSA encrypted data
    body = base64.b64decode(str(request.json))

    # check validity of ticket to sign before proceeding
    # decrypt the ticket
    correct_key, decrypted = decrypt_ticket(body)
    if not correct_key:
        return 'error: encryption', 400

    # check if valid datetime
    valid = check_ticket(decrypted)

    if valid != None and valid:
        # save current timestamp
        timestamp = datetime.now(tzutc())
        seed = jsonify(timestamp=timestamp.isoformat(),
                       ticket=str(request.json)).data
        # sign seed with AES encryption
        cipher = AES.new(seedKey, AES.MODE_EAX)
        ciphertext, tag = cipher.encrypt_and_digest(seed)
        combined = str(base64.b64encode(
            cipher.nonce + tag + ciphertext), encoding='utf-8')
        return combined
    else:
        return 'error: expired', 400


@DeprecationWarning
@bp.route('/sign', methods=['POST'])
@require_oauth('user')
def sign_ticket():
    # decode body to get raw RSA encrypted data
    body = base64.b64decode(str(request.json))

    # check validity of ticket to sign before proceeding
    # decrypt the ticket
    correct_key, decrypted = decrypt_ticket(body)
    if not correct_key:
        return 'error: encryption', 400

    # check if valid datetime
    valid = check_ticket(decrypted)

    if valid != None and valid:
        # sign RSA ticket with AES encryption
        cipher = AES.new(signKey, AES.MODE_EAX)
        ciphertext, tag = cipher.encrypt_and_digest(body)
        combined = str(base64.b64encode(
            cipher.nonce + tag + ciphertext), encoding='utf-8')
        return jsonify(combined=combined)
    else:
        return 'error: expired', 400


@bp.route('/pubkey', methods=['GET'])
@require_oauth('user')
def public_key():
    try:
        return send_file('../output/public_key.pem', attachment_filename='public_key.pem')
    except Exception as e:
        return str(e)


@bp.route('/api/me')
@require_oauth(['admin', 'user'])
def api_me():
    user = current_token.user
    return jsonify(id=user.id, username=user.username)


@bp.route('/users', methods=['GET', 'POST'])
@require_oauth('admin')
def get_users():
    if request.method == 'GET':
        users = User.query.all()
        users_map = []
        for user in users:
            users_map.append({'id': user.id, 'username': user.username,
                              'name': user.name, 'surname': user.surname, 'uuid': user.uuid, 'scope': user.scope})
        return jsonify(users_map)
    elif request.method == 'POST':
        # create user object and insert to db
        password = request.json['password']
        if len(password) < 5:
            return 'minimum password length is 5 characters', 400
        salt = gen_salt(32).encode('utf-8')
        key = hashlib.pbkdf2_hmac(
            'sha256', request.json['password'].encode('utf-8'), salt, 100000)
        user = User(username=request.json['username'], password=key,
                    salt=salt, uuid=uuid.uuid4().urn[9:], scope=request.json['scope'], name=request.json['name'] if 'name' in request.json else None, surname=request.json['surname'] if 'surname' in request.json else None)
        db.session.add(user)
        db.session.commit()

        # read new user from db to validate and return with user id
        new_user = User.query.filter_by(username=user.username).first()
        return make_user_response(new_user)


def make_user_response(user):
    return jsonify(id=user.id, username=user.username,
                   name=user.name, surname=user.surname, uuid=user.uuid, scope=user.scope)


@bp.route('/users/<int:user_id>', methods=['GET', 'PUT', 'DELETE'])
@require_oauth('admin')
def get_user(user_id):
    if request.method == 'GET':
        user = User.query.filter_by(id=user_id).first()
        if (user == None):
            return 'not found', 404
        return make_user_response(user)
    elif request.method == 'PUT':
        if db.session.query(User).filter(User.id == user_id).update(request.json) < 1:
            return 'not found', 404
        db.session.commit()
        new_user = User.query.filter_by(id=user_id).first()
        return make_user_response(new_user)
    elif request.method == 'DELETE':
        # delete all corresponding entries in other tables
        db.session.query(AccessCode).filter(
            AccessCode.user_id == user_id).delete()
        db.session.query(OAuth2Client).filter(
            OAuth2Client.user_id == user_id).delete()
        db.session.query(OAuth2Token).filter(
            OAuth2Token.user_id == user_id).delete()
        db.session.query(OAuth2AuthorizationCode).filter(
            OAuth2AuthorizationCode.user_id == user_id).delete()
        # delete user
        if db.session.query(User).filter(User.id == user_id).delete() < 1:
            return 'not found', 404
        db.session.commit()
        return 'success', 200


def make_code_response(code):
    return jsonify(id=code.id, code=code.code, scope=code.scope, user_id=code.user_id)


@bp.route('/access_codes', methods=['GET', 'POST'])
@require_oauth('admin')
def get_access_codes():
    if request.method == 'GET':
        codes = AccessCode.query.all()
        codes_map = []
        for code in codes:
            codes_map.append({'id': code.id, 'code': code.code,
                              'scope': code.scope, 'user_id': code.user_id})
        return jsonify(codes_map)
    elif request.method == 'POST':
        if len(request.json['code']) >= 16:
            if AccessCode.query.filter_by(
                    code=request.json['code']).first() != None:
                return 'code exists already', 400

            db.session.add(AccessCode(
                code=request.json['code'], scope=request.json['scope']))
            db.session.commit()
            new_code = AccessCode.query.filter_by(
                code=request.json['code']).first()
            return make_code_response(new_code)
        else:
            return 'code not long enough', 400


@bp.route('/access_codes/<int:code_id>', methods=['GET', 'DELETE'])
@require_oauth('admin')
def get_code(code_id):
    if request.method == 'GET':
        code = AccessCode.query.filter_by(id=code_id).first()
        if (code == None):
            return 'not found', 404
        return make_code_response(code)
    elif request.method == 'DELETE':
        if db.session.query(AccessCode).filter(AccessCode.id == code_id).delete() < 1:
            return 'not found', 404
        db.session.commit()
        return 'success', 200


@bp.route('/register', methods=['POST'])
def register():
    code = AccessCode.query.filter_by(code=request.json['code']).first()
    if (code == None):
        return 'code does not exist', 404
    if (code.user_id != None):
        return 'code already consumed', 400
    if 'username' in request.json and 'password' in request.json:
        if User.query.filter_by(username=request.json['username']).first() != None:
            return 'username taken', 400
        salt = gen_salt(32).encode('utf-8')
        key = hashlib.pbkdf2_hmac(
            'sha256', request.json['password'].encode('utf-8'), salt, 100000)
        user = User(username=request.json['username'], password=key,
                    salt=salt, uuid=uuid.uuid4().urn[9:], scope=code.scope, name=request.json['name'] if 'name' in request.json else None, surname=request.json['surname'] if 'surname' in request.json else None)
        db.session.add(user)
        db.session.commit()
        new_user = User.query.filter_by(username=user.username).first()
        db.session.query(AccessCode).filter(
            AccessCode.id == code.id).update({AccessCode.user_id: new_user.id})
        db.session.commit()
        return make_user_response(new_user)
    else:
        return 'incomplete json', 400


def make_color_response(color):
    return jsonify(id=color.id, hex=color.hex, inverse=color.inverse, name=color.name)


@bp.route('/colors', methods=['GET', 'POST'])
@require_oauth('admin')
def get_colors():
    if request.method == 'GET':
        colors = Color.query.all()
        colors_map = []
        for color in colors:
            colors_map.append(
                {'id': color.id, 'hex': color.hex, 'inverse': color.inverse, 'name': color.name})
        return jsonify(colors_map)
    elif request.method == 'POST':
        if len(request.json['hex']) >= 6 and 'inverse' in request.json:
            test = db.session.query(Color).filter(
                Color.hex == request.json['hex']).first()
            if test != None and test.inverse == request.json['inverse']:
                print(str(test.hex), '\t', str(test.inverse))
                return 'color exists already', 400
            db.session.add(Color(
                hex=request.json['hex'], name=request.json['name'] if 'name' in request.json else None, inverse=request.json['inverse'] if 'inverse' in request.json else False))
            db.session.commit()
            new_color = db.session.query(Color).filter(
                Color.hex == request.json['hex'], Color.inverse == request.json['inverse']).first()
            return make_color_response(new_color)
        else:
            return 'no valid color', 400


@bp.route('/colors/<int:color_id>', methods=['GET', 'DELETE', 'PUT'])
@require_oauth('admin')
def get_color(color_id):
    if request.method == 'GET':
        color = AccessCode.query.filter_by(id=color_id).first()
        if (color == None):
            return 'not found', 404
        return make_color_response(color)
    elif request.method == 'PUT':
        if db.session.query(Color).filter(Color.id == color_id).update(request.json) < 1:
            return 'not found', 404
        db.session.commit()
        new_color = Color.query.filter_by(id=color_id).first()
        return make_color_response(new_color)
    elif request.method == 'DELETE':
        if db.session.query(Color).filter(Color.id == color_id).delete() < 1:
            return 'not found', 404
        db.session.query(ColorAllocation).filter(
            ColorAllocation.color_id == color_id).delete()
        db.session.commit()
        return 'success', 200


def make_color_allocation_response(alloc):
    return jsonify(id=alloc.id, day=alloc.day.isoformat(), color_id=alloc.color_id, color_hex=alloc.color.hex, color_name=alloc.color.name, color_inverse=alloc.color.inverse)


@bp.route('/color_allocations', methods=['GET', 'POST'])
@require_oauth('admin')
def get_color_allocations():
    if request.method == 'GET':
        allocs = ColorAllocation.query.all()
        allocs_map = []
        for alloc in allocs:
            allocs_map.append(
                {'id': alloc.id, 'day': alloc.day.isoformat(), 'color_id': alloc.color_id, 'color_hex': alloc.color.hex, 'color_name': alloc.color.name, 'color_inverse': alloc.color.inverse})
        return jsonify(allocs_map)
    elif request.method == 'POST':
        if Color.query.filter_by(
                id=request.json['color_id']).first() != None:
            if ColorAllocation.query.filter_by(
                    day=request.json['day']).first() != None:
                return 'color allocation for this day exists already', 400
            alloc = ColorAllocation(
                day=parser.parse(request.json['day']), color_id=request.json['color_id'])
            db.session.add(alloc)
            db.session.commit()
            new_alloc = ColorAllocation.query.filter_by(day=alloc.day).first()
            return make_color_allocation_response(new_alloc)
        else:
            return 'color does not exist', 400


@bp.route('/color_allocations/<int:alloc_id>', methods=['GET', 'DELETE', 'PUT'])
@require_oauth('admin')
def get_color_allocation(alloc_id):
    if request.method == 'GET':
        alloc = ColorAllocation.query.filter_by(id=alloc_id).first()
        if (alloc == None):
            return 'not found', 404
        return make_color_allocation_response(alloc)
    elif request.method == 'PUT':
        request.json['day'] = parser.parse(request.json['day'])
        if db.session.query(ColorAllocation).filter(ColorAllocation.id == alloc_id).update(request.json) < 1:
            return 'not found', 404
        db.session.commit()
        new_alloc = ColorAllocation.query.filter_by(id=alloc_id).first()
        return make_color_allocation_response(new_alloc)
    elif request.method == 'DELETE':
        if db.session.query(ColorAllocation).filter(ColorAllocation.id == alloc_id).delete() < 1:
            return 'not found', 404
        db.session.commit()
        return 'success', 200


@bp.route('/current_color_admin', methods=['GET'])
@require_oauth('admin')
def current_color_admin():
    alloc = ColorAllocation.query.filter_by(
        day=utils.today(tzinfo=gettz()).date()).first()
    if (alloc == None):
        return 'no color found for today', 404
    return make_color_allocation_response(alloc)


@bp.route('/current_color', methods=['GET'])
@require_oauth('user')
def current_color():
    alloc = ColorAllocation.query.filter_by(
        day=utils.today(tzinfo=gettz()).date()).first()
    if (alloc == None):
        return 'no color found for today', 404
    return jsonify(color=alloc.color.hex, inverse=alloc.color.inverse)


def get_settings():
    settings = Setting.query.all()
    settings_map = {}
    for setting in settings:
        settings_map[setting.key] = setting.value
    return jsonify(settings_map)


@bp.route('/admin/settings', methods=['GET', 'POST'])
@require_oauth('admin')
def admin_settings():
    if request.method == 'GET':
        return get_settings()
    if request.method == 'POST':
        setting = Setting(
            key=request.json['key'], value=request.json['value'])
        try:
            db.session.add(setting)
            db.session.commit()
            new_setting = Setting.query.filter_by(key=setting.key).first()
            return jsonify({new_setting.key: new_setting.value})
        except:
            return 'failed to add setting, check for duplicate key', 400


@bp.route('/admin/settings/<string:key>', methods=['GET', 'PUT', 'DELETE'])
@require_oauth('admin')
def single_setting(key):
    if request.method == 'GET':
        setting = Setting.query.filter_by(key=key).first()
        return jsonify({setting.key: setting.value})
    if request.method == 'PUT':
        if db.session.query(Setting).filter(Setting.key == key).update({Setting.value: request.json['value']}) < 1:
            return 'not found', 404
        db.session.commit()
        new_setting = Setting.query.filter_by(key=key).first()
        return jsonify({new_setting.key: new_setting.value})
    if request.method == 'DELETE':
        if db.session.query(Setting).filter(Setting.key == key).delete() < 1:
            return 'not found', 404
        db.session.commit()
        return 'success', 200


@bp.route('/settings', methods=['GET'])
@require_oauth('user')
def user_settings():
    return get_settings()


@bp.route('/motd', methods=['GET'])
def motd():
    setting = Setting.query.filter_by(key='motd_public').first()
    return setting.value