1 files changed, 135 insertions, 20 deletions
diff --git a/bitbake/bin/bitbake-hashserv b/bitbake/bin/bitbake-hashserv
index 153f65a378..01503736b9 100755
--- a/bitbake/bin/bitbake-hashserv
+++ b/bitbake/bin/bitbake-hashserv
@@ -10,55 +10,170 @@ import sys
 import logging
 import argparse
 import sqlite3
+import warnings
-sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), 'lib'))
+warnings.simplefilter("default")
+sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), "lib"))
 import hashserv
+from hashserv.server import DEFAULT_ANON_PERMS
 VERSION = "1.0.0"
-DEFAULT_BIND = 'unix://./hashserve.sock'
+DEFAULT_BIND = "unix://./hashserve.sock"
 def main():
-    parser = argparse.ArgumentParser(description='Hash Equivalence Reference Server. Version=%s' % VERSION,
+    parser = argparse.ArgumentParser(
-                                     epilog='''The bind address is the path to a unix domain socket if it is
+        description="Hash Equivalence Reference Server. Version=%s" % VERSION,
-                                               prefixed with "unix://". Otherwise, it is an IP address
+        formatter_class=argparse.RawTextHelpFormatter,
-                                               and port in form ADDRESS:PORT. To bind to all addresses, leave
+        epilog="""
-                                               the ADDRESS empty, e.g. "--bind :8686". To bind to a specific
+The bind address may take one of the following formats:
-                                               IPv6 address, enclose the address in "[]", e.g.
+    unix://PATH         - Bind to unix domain socket at PATH
-                                               "--bind [::1]:8686"'''
+    ws://ADDRESS:PORT   - Bind to websocket on ADDRESS:PORT
-                                     )
+    ADDRESS:PORT        - Bind to raw TCP socket on ADDRESS:PORT
-    parser.add_argument('-b', '--bind', default=DEFAULT_BIND, help='Bind address (default "%(default)s")')
+To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
-    parser.add_argument('-d', '--database', default='./hashserv.db', help='Database file (default "%(default)s")')
+"--bind ws://:8686". To bind to a specific IPv6 address, enclose the address in
-    parser.add_argument('-l', '--log', default='WARNING', help='Set logging level')
+"[]", e.g. "--bind [::1]:8686" or "--bind ws://[::1]:8686"
-    parser.add_argument('-u', '--upstream', help='Upstream hashserv to pull hashes from')
-    parser.add_argument('-r', '--read-only', action='store_true', help='Disallow write operations from clients')
+Note that the default Anonymous permissions are designed to not break existing
+server instances when upgrading, but are not particularly secure defaults. If
+you want to use authentication, it is recommended that you use "--anon-perms
+@read" to only give anonymous users read access, or "--anon-perms @none" to
+give un-authenticated users no access at all.
+Setting "--anon-perms @all" or "--anon-perms @user-admin" is not allowed, since
+this would allow anonymous users to manage all users accounts, which is a bad
+idea.
+If you are using user authentication, you should run your server in websockets
+mode with an SSL terminating load balancer in front of it (as this server does
+not implement SSL). Otherwise all usernames and passwords will be transmitted
+in the clear. When configured this way, clients can connect using a secure
+websocket, as in "wss://SERVER:PORT"
+The following permissions are supported by the server:
+    @none       - No permissions
+    @read       - The ability to read equivalent hashes from the server
+    @report     - The ability to report equivalent hashes to the server
+    @db-admin   - Manage the hash database(s). This includes cleaning the
+                  database, removing hashes, etc.
+    @user-admin - The ability to manage user accounts. This includes, creating
+                  users, deleting users, resetting login tokens, and assigning
+                  permissions.
+    @all        - All possible permissions, including any that may be added
+                  in the future
+        """,
+    )
+    parser.add_argument(
+        "-b",
+        "--bind",
+        default=os.environ.get("HASHSERVER_BIND", DEFAULT_BIND),
+        help='Bind address (default $HASHSERVER_BIND, "%(default)s")',
+    )
+    parser.add_argument(
+        "-d",
+        "--database",
+        default=os.environ.get("HASHSERVER_DB", "./hashserv.db"),
+        help='Database file (default $HASHSERVER_DB, "%(default)s")',
+    )
+    parser.add_argument(
+        "-l",
+        "--log",
+        default=os.environ.get("HASHSERVER_LOG_LEVEL", "WARNING"),
+        help='Set logging level (default $HASHSERVER_LOG_LEVEL, "%(default)s")',
+    )
+    parser.add_argument(
+        "-u",
+        "--upstream",
+        default=os.environ.get("HASHSERVER_UPSTREAM", None),
+        help="Upstream hashserv to pull hashes from ($HASHSERVER_UPSTREAM)",
+    )
+    parser.add_argument(
+        "-r",
+        "--read-only",
+        action="store_true",
+        help="Disallow write operations from clients ($HASHSERVER_READ_ONLY)",
+    )
+    parser.add_argument(
+        "--db-username",
+        default=os.environ.get("HASHSERVER_DB_USERNAME", None),
+        help="Database username ($HASHSERVER_DB_USERNAME)",
+    )
+    parser.add_argument(
+        "--db-password",
+        default=os.environ.get("HASHSERVER_DB_PASSWORD", None),
+        help="Database password ($HASHSERVER_DB_PASSWORD)",
+    )
+    parser.add_argument(
+        "--anon-perms",
+        metavar="PERM[,PERM[,...]]",
+        default=os.environ.get("HASHSERVER_ANON_PERMS", ",".join(DEFAULT_ANON_PERMS)),
+        help='Permissions to give anonymous users (default $HASHSERVER_ANON_PERMS, "%(default)s")',
+    )
+    parser.add_argument(
+        "--admin-user",
+        default=os.environ.get("HASHSERVER_ADMIN_USER", None),
+        help="Create default admin user with name ADMIN_USER ($HASHSERVER_ADMIN_USER)",
+    )
+    parser.add_argument(
+        "--admin-password",
+        default=os.environ.get("HASHSERVER_ADMIN_PASSWORD", None),
+        help="Create default admin user with password ADMIN_PASSWORD ($HASHSERVER_ADMIN_PASSWORD)",
+    )
+    parser.add_argument(
+        "--reuseport",
+        action="store_true",
+        help="Enable SO_REUSEPORT, allowing multiple servers to bind to the same port for load balancing",
+    )
    args = parser.parse_args()
-    logger = logging.getLogger('hashserv')
+    logger = logging.getLogger("hashserv")
    level = getattr(logging, args.log.upper(), None)
    if not isinstance(level, int):
-        raise ValueError('Invalid log level: %s' % args.log)
+        raise ValueError(
+            "Invalid log level: %s (Try ERROR/WARNING/INFO/DEBUG)" % args.log
+        )
    logger.setLevel(level)
    console = logging.StreamHandler()
    console.setLevel(level)
    logger.addHandler(console)
-    server = hashserv.create_server(args.bind, args.database, upstream=args.upstream, read_only=args.read_only)
+    read_only = (os.environ.get("HASHSERVER_READ_ONLY", "0") == "1") or args.read_only
+    if "," in args.anon_perms:
+        anon_perms = args.anon_perms.split(",")
+    else:
+        anon_perms = args.anon_perms.split()
+    server = hashserv.create_server(
+        args.bind,
+        args.database,
+        upstream=args.upstream,
+        read_only=read_only,
+        db_username=args.db_username,
+        db_password=args.db_password,
+        anon_perms=anon_perms,
+        admin_username=args.admin_user,
+        admin_password=args.admin_password,
+        reuseport=args.reuseport,
+    )
    server.serve_forever()
    return 0
-if __name__ == '__main__':
+if __name__ == "__main__":
    try:
        ret = main()
    except Exception:
        ret = 1
        import traceback
        traceback.print_exc()
    sys.exit(ret)

diff --git a/bitbake/bin/bitbake-hashserv b/bitbake/bin/bitbake-hashserv index 153f65a378..01503736b9 100755 --- a/bitbake/bin/bitbake-hashserv +++ b/bitbake/bin/bitbake-hashserv
@@ -10,55 +10,170 @@ import sys
10	import logging	10	import logging
11	import argparse	11	import argparse
12	import sqlite3	12	import sqlite3
		13	import warnings
13		14
14	sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), 'lib'))	15	warnings.simplefilter("default")
		16
		17	sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(__file__)), "lib"))
15		18
16	import hashserv	19	import hashserv
		20	from hashserv.server import DEFAULT_ANON_PERMS
17		21
18	VERSION = "1.0.0"	22	VERSION = "1.0.0"
19		23
20	DEFAULT_BIND = 'unix://./hashserve.sock'	24	DEFAULT_BIND = "unix://./hashserve.sock"
21		25
22		26
23	def main():	27	def main():
24	parser = argparse.ArgumentParser(description='Hash Equivalence Reference Server. Version=%s' % VERSION,	28	parser = argparse.ArgumentParser(
25	epilog='''The bind address is the path to a unix domain socket if it is	29	description="Hash Equivalence Reference Server. Version=%s" % VERSION,
26	prefixed with "unix://". Otherwise, it is an IP address	30	formatter_class=argparse.RawTextHelpFormatter,
27	and port in form ADDRESS:PORT. To bind to all addresses, leave	31	epilog="""
28	the ADDRESS empty, e.g. "--bind :8686". To bind to a specific	32	The bind address may take one of the following formats:
29	IPv6 address, enclose the address in "[]", e.g.	33	unix://PATH - Bind to unix domain socket at PATH
30	"--bind [::1]:8686"'''	34	ws://ADDRESS:PORT - Bind to websocket on ADDRESS:PORT
31	)	35	ADDRESS:PORT - Bind to raw TCP socket on ADDRESS:PORT
32		36
33	parser.add_argument('-b', '--bind', default=DEFAULT_BIND, help='Bind address (default "%(default)s")')	37	To bind to all addresses, leave the ADDRESS empty, e.g. "--bind :8686" or
34	parser.add_argument('-d', '--database', default='./hashserv.db', help='Database file (default "%(default)s")')	38	"--bind ws://:8686". To bind to a specific IPv6 address, enclose the address in
35	parser.add_argument('-l', '--log', default='WARNING', help='Set logging level')	39	"[]", e.g. "--bind [::1]:8686" or "--bind ws://[::1]:8686"
36	parser.add_argument('-u', '--upstream', help='Upstream hashserv to pull hashes from')	40
37	parser.add_argument('-r', '--read-only', action='store_true', help='Disallow write operations from clients')	41	Note that the default Anonymous permissions are designed to not break existing
		42	server instances when upgrading, but are not particularly secure defaults. If
		43	you want to use authentication, it is recommended that you use "--anon-perms
		44	@read" to only give anonymous users read access, or "--anon-perms @none" to
		45	give un-authenticated users no access at all.
		46
		47	Setting "--anon-perms @all" or "--anon-perms @user-admin" is not allowed, since
		48	this would allow anonymous users to manage all users accounts, which is a bad
		49	idea.
		50
		51	If you are using user authentication, you should run your server in websockets
		52	mode with an SSL terminating load balancer in front of it (as this server does
		53	not implement SSL). Otherwise all usernames and passwords will be transmitted
		54	in the clear. When configured this way, clients can connect using a secure
		55	websocket, as in "wss://SERVER:PORT"
		56
		57	The following permissions are supported by the server:
		58
		59	@none - No permissions
		60	@read - The ability to read equivalent hashes from the server
		61	@report - The ability to report equivalent hashes to the server
		62	@db-admin - Manage the hash database(s). This includes cleaning the
		63	database, removing hashes, etc.
		64	@user-admin - The ability to manage user accounts. This includes, creating
		65	users, deleting users, resetting login tokens, and assigning
		66	permissions.
		67	@all - All possible permissions, including any that may be added
		68	in the future
		69	""",
		70	)
		71
		72	parser.add_argument(
		73	"-b",
		74	"--bind",
		75	default=os.environ.get("HASHSERVER_BIND", DEFAULT_BIND),
		76	help='Bind address (default $HASHSERVER_BIND, "%(default)s")',
		77	)
		78	parser.add_argument(
		79	"-d",
		80	"--database",
		81	default=os.environ.get("HASHSERVER_DB", "./hashserv.db"),
		82	help='Database file (default $HASHSERVER_DB, "%(default)s")',
		83	)
		84	parser.add_argument(
		85	"-l",
		86	"--log",
		87	default=os.environ.get("HASHSERVER_LOG_LEVEL", "WARNING"),
		88	help='Set logging level (default $HASHSERVER_LOG_LEVEL, "%(default)s")',
		89	)
		90	parser.add_argument(
		91	"-u",
		92	"--upstream",
		93	default=os.environ.get("HASHSERVER_UPSTREAM", None),
		94	help="Upstream hashserv to pull hashes from ($HASHSERVER_UPSTREAM)",
		95	)
		96	parser.add_argument(
		97	"-r",
		98	"--read-only",
		99	action="store_true",
		100	help="Disallow write operations from clients ($HASHSERVER_READ_ONLY)",
		101	)
		102	parser.add_argument(
		103	"--db-username",
		104	default=os.environ.get("HASHSERVER_DB_USERNAME", None),
		105	help="Database username ($HASHSERVER_DB_USERNAME)",
		106	)
		107	parser.add_argument(
		108	"--db-password",
		109	default=os.environ.get("HASHSERVER_DB_PASSWORD", None),
		110	help="Database password ($HASHSERVER_DB_PASSWORD)",
		111	)
		112	parser.add_argument(
		113	"--anon-perms",
		114	metavar="PERM[,PERM[,...]]",
		115	default=os.environ.get("HASHSERVER_ANON_PERMS", ",".join(DEFAULT_ANON_PERMS)),
		116	help='Permissions to give anonymous users (default $HASHSERVER_ANON_PERMS, "%(default)s")',
		117	)
		118	parser.add_argument(
		119	"--admin-user",
		120	default=os.environ.get("HASHSERVER_ADMIN_USER", None),
		121	help="Create default admin user with name ADMIN_USER ($HASHSERVER_ADMIN_USER)",
		122	)
		123	parser.add_argument(
		124	"--admin-password",
		125	default=os.environ.get("HASHSERVER_ADMIN_PASSWORD", None),
		126	help="Create default admin user with password ADMIN_PASSWORD ($HASHSERVER_ADMIN_PASSWORD)",
		127	)
		128	parser.add_argument(
		129	"--reuseport",
		130	action="store_true",
		131	help="Enable SO_REUSEPORT, allowing multiple servers to bind to the same port for load balancing",
		132	)
38		133
39	args = parser.parse_args()	134	args = parser.parse_args()
40		135
41	logger = logging.getLogger('hashserv')	136	logger = logging.getLogger("hashserv")
42		137
43	level = getattr(logging, args.log.upper(), None)	138	level = getattr(logging, args.log.upper(), None)
44	if not isinstance(level, int):	139	if not isinstance(level, int):
45	raise ValueError('Invalid log level: %s' % args.log)	140	raise ValueError(
		141	"Invalid log level: %s (Try ERROR/WARNING/INFO/DEBUG)" % args.log
		142	)
46		143
47	logger.setLevel(level)	144	logger.setLevel(level)
48	console = logging.StreamHandler()	145	console = logging.StreamHandler()
49	console.setLevel(level)	146	console.setLevel(level)
50	logger.addHandler(console)	147	logger.addHandler(console)
51		148
52	server = hashserv.create_server(args.bind, args.database, upstream=args.upstream, read_only=args.read_only)	149	read_only = (os.environ.get("HASHSERVER_READ_ONLY", "0") == "1") or args.read_only
		150	if "," in args.anon_perms:
		151	anon_perms = args.anon_perms.split(",")
		152	else:
		153	anon_perms = args.anon_perms.split()
		154
		155	server = hashserv.create_server(
		156	args.bind,
		157	args.database,
		158	upstream=args.upstream,
		159	read_only=read_only,
		160	db_username=args.db_username,
		161	db_password=args.db_password,
		162	anon_perms=anon_perms,
		163	admin_username=args.admin_user,
		164	admin_password=args.admin_password,
		165	reuseport=args.reuseport,
		166	)
53	server.serve_forever()	167	server.serve_forever()
54	return 0	168	return 0
55		169
56		170
57	if __name__ == '__main__':	171	if __name__ == "__main__":
58	try:	172	try:
59	ret = main()	173	ret = main()
60	except Exception:	174	except Exception:
61	ret = 1	175	ret = 1
62	import traceback	176	import traceback
		177
63	traceback.print_exc()	178	traceback.print_exc()
64	sys.exit(ret)	179	sys.exit(ret)