Clients are now authorized by client= argument in URL, schema and client lib...

Clients are now authorized by client= argument in URL, schema and client lib is updated accordingly. Method authentication defined in "expose" decorator. Added Client container class for deterministic logging. Schema update to consistent InnoDB and utf8mb4 everywhere.

warden3/warden_client/warden_client.py

@@ -211,7 +211,7 @@ class Client(object):
                 Error("Unable to setup syslog logging", self.logger, exc=exc_info())
 
         if not (errlog or filelog or syslog):
-            # User wants explicitly no logging, so let him shoot its socks off.
+            # User wants explicitly no logging, so let him shoot his socks off.
             # This silences complaining of logging module about no suitable
             # handler.
             self.logger.addHandler(logging.NullHandler())
@@ -252,6 +252,8 @@ class Client(object):
 
     def sendRequest(self, func="", payload=None, **kwargs):
 
+        kwargs["client"] = self.name
+
         if kwargs:
             for k in kwargs.keys():
                 if kwargs[k] is None:

warden3/warden_client/warden_curl_test.sh

@@ -6,7 +6,8 @@
 keyfile='key.pem'
 certfile='cert.pem'
 cafile='tcs-ca-bundle.pem'
-url='https://warden.example.com/warden3'
+url="$1"
+client="$2"
 
 #    --fail \
 #    --show-error \
@@ -19,7 +20,7 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    $url/blefub
+    "$url/blefub?client=$2"
 echo
 
 echo "Test  404"
@@ -29,7 +30,27 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    $url/
+    "$url/?client=$2"
+echo
+
+echo "Test  403 - no client"
+curl \
+    --key $keyfile \
+    --cert $certfile \
+    --cacert $cafile \
+    --connect-timeout 3 \
+    --request POST \
+    "$url/getEvents"
+echo
+
+echo "Test  403 - wrong client"
+curl \
+    --key $keyfile \
+    --cert $certfile \
+    --cacert $cafile \
+    --connect-timeout 3 \
+    --request POST \
+    "$url/getEvents?client=asdf.blefub"
 echo
 
 echo "Test  Deserialization"
@@ -40,7 +61,7 @@ curl \
     --connect-timeout 3 \
     --request POST \
     --data '{#$%^' \
-    $url/getEvents
+    "$url/getEvents?client=$2"
 echo
 
 echo "Test  Called with unknown category"
@@ -50,7 +71,7 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    $url/getEvents?cat=bflm
+    "$url/getEvents?client=$2&cat=bflm"
 echo
 
 echo "Test  Called with both cat and nocat"
@@ -60,7 +81,7 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    "$url/getEvents?cat=Other&nocat=Test"
+    "$url/getEvents?client=$2&cat=Other&nocat=Test"
 echo
 
 echo "Test  Invalid data for getEvents - silently discarded"
@@ -71,7 +92,7 @@ curl \
     --connect-timeout 3 \
     --request POST \
     --data '[1]' \
-    $url/getEvents
+    "$url/getEvents?client=$2"
 echo
 
 echo "Test  Called with internal args - just in log"
@@ -81,7 +102,7 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    $url/getEvents?self=test
+    "$url/getEvents?client=$2&self=test"
 echo
 
 echo "Test  Called with superfluous args - just in log"
@@ -91,7 +112,7 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    $url/getEvents?bad=guy
+    "$url/getEvents?client=$2&bad=guy"
 echo
 
 echo "Test  getEvents with no args - should be OK"
@@ -101,7 +122,7 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    $url/getEvents
+    "$url/getEvents?client=$2"
 echo
 
 echo "Test  getEvents - should be OK"
@@ -111,7 +132,7 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    "$url/getEvents?count=3&id=10"
+    "$url/getEvents?client=$2&count=3&id=10"
 echo
 
 echo "Test  getDebug"
@@ -121,7 +142,7 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    $url/getDebug
+    "$url/getDebug?client=$2"
 echo
 
 echo "Test  getInfo"
@@ -131,7 +152,7 @@ curl \
     --cacert $cafile \
     --connect-timeout 3 \
     --request POST \
-    $url/getInfo
+    "$url/getInfo?client=$2"
 echo
 
 #curl \

warden3/warden_server/warden3.0-alpha.sql

@@ -32,7 +32,7 @@ CREATE TABLE IF NOT EXISTS `categories` (
   `subcategory` varchar(64) DEFAULT NULL,
   `cat_subcat` varchar(129) NOT NULL,
   KEY `cat_sub` (`cat_subcat`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
 --
 -- Dumping data for table `categories`
@@ -90,37 +90,56 @@ INSERT INTO `categories` (`id`, `category`, `subcategory`, `cat_subcat`) VALUES
 
 CREATE TABLE IF NOT EXISTS `clients` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
-  `hostname` varchar(256) NOT NULL,
   `registered` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
   `requestor` varchar(256) NOT NULL,
+  `hostname` varchar(256) NOT NULL,
+  `service` varchar(256) NOT NULL,
   `note` text NOT NULL,
   `valid` tinyint(1) NOT NULL DEFAULT '1',
-  `read` tinyint(1) NOT NULL DEFAULT '0',
+  `identity` varchar(64) NOT NULL,
+  `read` tinyint(1) NOT NULL DEFAULT '1',
   `debug` tinyint(1) NOT NULL DEFAULT '0',
+  `write` tinyint(1) NOT NULL DEFAULT '0',
+  `test` int(11) NOT NULL DEFAULT '0',
   PRIMARY KEY (`id`)
-) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=29 ;
+) ENGINE=InnoDB  DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci AUTO_INCREMENT=31 ;
 
 --
 -- Dumping data for table `clients`
 --
 
-INSERT INTO `clients` (`id`, `hostname`, `registered`, `requestor`, `note`, `valid`, `read`, `debug`) VALUES
-(1, 'afrodita.civ.zcu.cz', '0000-00-00 00:00:00', '', '', 1, 1, 1),
-(3, 'au1.cesnet.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(12, 'au2.cesnet.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(13, 'bee.net.vutbr.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(14, 'buldog.vsb.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(15, 'collector-nemea.liberouter.org', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(17, 'collector.liberouter.org', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(18, 'holly.cesnet.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(19, 'kryten.cesnet.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(20, 'mentat.cesnet.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(21, 'miel.opf.slu.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(23, 'nfsen.ics.muni.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(25, 'vinovago.cesnet.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(26, 'ward.tul.cz', '0000-00-00 00:00:00', '', '', 1, 1, 0),
-(28, 'kostik.zcu.cz', '0000-00-00 00:00:00', 'kostenec@civ.zcu.cz', '', 1, 1, 1),
-(29, 'grey.cesnet.cz', '2014-12-11 13:51:14', 'ph@cesnet.cz', '', 1, 1, 1);
+INSERT INTO `clients` (`id`, `registered`, `requestor`, `hostname`, `service`, `note`, `valid`, `identity`, `read`, `debug`, `write`, `test`) VALUES
+(1, '0000-00-00 00:00:00', '', 'afrodita.civ.zcu.cz', 'hihat', '', 1, 'cz.zcu.civ.afrodita.hihat', 1, 0, 1, 0),
+(2, '0000-00-00 00:00:00', '', 'afrodita.civ.zcu.cz', 'labrea', '', 1, 'cz.zcu.civ.afrodita.labrea', 1, 0, 1, 0),
+(3, '0000-00-00 00:00:00', '', 'au1.cesnet.cz', 'cesnet_ids', '', 1, 'cz.cesnet.au1.cesnet_ids', 1, 0, 1, 0),
+(4, '0000-00-00 00:00:00', '', 'au1.cesnet.cz', 'cesnet_sserv', '', 1, 'cz.cesnet.au1.cesnet_sserv', 1, 0, 1, 0),
+(5, '0000-00-00 00:00:00', '', 'au1.cesnet.cz', 'n6d-dorkbot', '', 1, 'cz.cesnet.au1.n6d-dorkbot', 1, 0, 1, 0),
+(6, '0000-00-00 00:00:00', '', 'au1.cesnet.cz', 'n6e-certplsinkhole', '', 1, 'cz.cesnet.au1.n6e-certplsinkhole', 1, 0, 1, 0),
+(7, '0000-00-00 00:00:00', '', 'au1.cesnet.cz', 'n6i-citadelsinkhole', '', 1, 'cz.cesnet.au1.n6i-citadelsinkhole', 1, 0, 1, 0),
+(8, '0000-00-00 00:00:00', '', 'au1.cesnet.cz', 'n6i-citadelsinkholeqd', '', 1, 'cz.cesnet.au1.n6i-citadelsinkholeqd', 1, 0, 1, 0),
+(9, '0000-00-00 00:00:00', '', 'au1.cesnet.cz', 'n6n-openntp', '', 1, 'cz.cesnet.au1.n6n-openntp', 1, 0, 1, 0),
+(10, '0000-00-00 00:00:00', '', 'au1.cesnet.cz', 'n6o-botszeroaccess', '', 1, 'cz.cesnet.au1.n6o-botszeroaccess', 1, 0, 1, 0),
+(11, '0000-00-00 00:00:00', '', 'au1.cesnet.cz', 'report_n6v-virut', '', 1, 'cz.cesnet.au1.report_n6v-virut', 1, 0, 1, 0),
+(12, '0000-00-00 00:00:00', '', 'au2.cesnet.cz', 'ids-cz', '', 1, 'cz.cesnet.au2.ids-cz', 1, 0, 1, 0),
+(13, '0000-00-00 00:00:00', '', 'bee.net.vutbr.cz', 'hpscan', '', 1, 'cz.vutbr.net.bee.hpscan', 1, 0, 1, 0),
+(14, '0000-00-00 00:00:00', '', 'buldog.vsb.cz', 'kippo', '', 1, 'cz.vsb.buldog.kippo', 1, 0, 1, 0),
+(15, '0000-00-00 00:00:00', '', 'collector-nemea.liberouter.org', 'nemea', '', 1, 'org.liberouter.collector-nemea.nemea', 1, 0, 1, 0),
+(16, '0000-00-00 00:00:00', '', 'collector.liberouter.org', 'hoststats', '', 1, 'org.liberouter.collector.hoststats', 1, 0, 1, 0),
+(17, '0000-00-00 00:00:00', '', 'collector.liberouter.org', 'synscandetector_1_0', '', 1, 'org.liberouter.collector.synscandetector_1_0', 1, 0, 1, 0),
+(18, '0000-00-00 00:00:00', '', 'holly.cesnet.cz', 'kippohoneypot', '', 1, 'cz.cesnet.holly.kippohoneypot', 1, 0, 1, 0),
+(19, '0000-00-00 00:00:00', '', 'kryten.cesnet.cz', 'dionaeahoneypot', '', 1, 'cz.cesnet.kryten.dionaeahoneypot', 1, 0, 1, 0),
+(20, '0000-00-00 00:00:00', '', 'mentat.cesnet.cz', 'mentat', '', 1, 'cz.cesnet.mentat.mentat', 1, 0, 1, 0),
+(21, '0000-00-00 00:00:00', '', 'miel.opf.slu.cz', 'kippo', '', 1, 'cz.slu.opf.miel.kippo', 1, 0, 1, 0),
+(22, '0000-00-00 00:00:00', '', 'nfsen.ics.muni.cz', 'honeyscan', '', 1, 'cz.muni.ics.nfsen.honeyscan', 1, 0, 1, 0),
+(23, '0000-00-00 00:00:00', '', 'nfsen.ics.muni.cz', 'scandetector_1_0', '', 1, 'cz.muni.ics.nfsen.scandetector_1_0', 1, 0, 1, 0),
+(24, '0000-00-00 00:00:00', '', 'nfsen.ics.muni.cz', 'sshbruteforce-1_n', '', 1, 'cz.muni.ics.nfsen.sshbruteforce-1_n', 1, 0, 1, 0),
+(25, '0000-00-00 00:00:00', '', 'vinovago.cesnet.cz', 'fail2ban', '', 1, 'cz.cesnet.vinovago.fail2ban', 1, 0, 1, 0),
+(26, '0000-00-00 00:00:00', '', 'ward.tul.cz', 'dionaeatul', '', 1, 'cz.tul.ward.dionaeatul', 1, 0, 1, 0),
+(27, '0000-00-00 00:00:00', '', 'ward.tul.cz', 'kippo', '', 1, 'cz.tul.ward.kippo', 1, 0, 1, 0),
+(28, '0000-00-00 00:00:00', 'kostenec@civ.zcu.cz', 'kostik.zcu.cz', 'com.example.test-node', '', 1, 'com.example.test-node', 1, 0, 0, 0),
+(29, '0000-00-00 00:00:00', 'kostenec@civ.zcu.cz', 'kostik.zcu.cz', 'com.example.test-node2', '', 1, 'com.example.test-node2', 1, 0, 0, 0),
+(30, '0000-00-00 00:00:00', 'kostenec@civ.zcu.cz', 'kostik.zcu.cz', 'Test', '', 1, 'com.example.test-node3', 1, 0, 0, 0),
+(31, '2014-12-11 13:51:18', 'ph@cesnet.cz', 'grey.cesnet.cz', 'Test', '', 1, 'cz.cesnet.grey.test', 1, 1, 1, 0);
 
 -- --------------------------------------------------------
 
@@ -131,13 +150,12 @@ INSERT INTO `clients` (`id`, `hostname`, `registered`, `requestor`, `note`, `val
 CREATE TABLE IF NOT EXISTS `events` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `received` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
-  `service_id` int(11) NOT NULL,
+  `client_id` int(11) NOT NULL,
   `data` text NOT NULL,
   `valid` tinyint(1) NOT NULL DEFAULT '1',
   PRIMARY KEY (`id`),
-  KEY `detected` (`detected`),
-  KEY `id` (`id`,`service_id`)
-) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
+  KEY `id` (`id`,`client_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4  DEFAULT COLLATE utf8mb4_unicode_ci AUTO_INCREMENT=1 ;
 
 -- --------------------------------------------------------
 
@@ -149,7 +167,7 @@ CREATE TABLE IF NOT EXISTS `event_category_mapping` (
   `event_id` int(11) NOT NULL,
   `category_id` int(11) NOT NULL,
   KEY `event_id_2` (`event_id`,`category_id`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
 -- --------------------------------------------------------
 
@@ -161,7 +179,7 @@ CREATE TABLE IF NOT EXISTS `event_tag_mapping` (
   `event_id` int(11) NOT NULL,
   `tag_id` int(11) NOT NULL,
   KEY `event_id_2` (`event_id`,`tag_id`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
 -- --------------------------------------------------------
 
@@ -176,64 +194,7 @@ CREATE TABLE IF NOT EXISTS `last_events` (
   `timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
   PRIMARY KEY (`id`),
   KEY `client_id` (`client_id`,`event_id`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
-
--- --------------------------------------------------------
-
---
--- Table structure for table `services`
---
-
-CREATE TABLE IF NOT EXISTS `services` (
-  `service_id` int(11) NOT NULL AUTO_INCREMENT,
-  `client_id` int(11) NOT NULL,
-  `registered` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
-  `requestor` varchar(256) NOT NULL,
-  `service` varchar(256) NOT NULL,
-  `note` text NOT NULL,
-  `valid` tinyint(1) NOT NULL DEFAULT '1',
-  `identity` varchar(64) NOT NULL,
-  `write` tinyint(1) NOT NULL DEFAULT '0',
-  `test` int(11) NOT NULL DEFAULT '0',
-  PRIMARY KEY (`service_id`)
-) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=31 ;
-
---
--- Dumping data for table `services`
---
-
-INSERT INTO `services` (`service_id`, `client_id`, `registered`, `requestor`, `service`, `note`, `valid`, `identity`, `write`, `test`) VALUES
-(1, 1, '0000-00-00 00:00:00', '', 'hihat', '', 1, 'cz.zcu.civ.afrodita.hihat', 1, 0),
-(2, 1, '0000-00-00 00:00:00', '', 'labrea', '', 1, 'cz.zcu.civ.afrodita.labrea', 1, 0),
-(3, 3, '0000-00-00 00:00:00', '', 'cesnet_ids', '', 1, 'cz.cesnet.au1.cesnet_ids', 1, 0),
-(4, 3, '0000-00-00 00:00:00', '', 'cesnet_sserv', '', 1, 'cz.cesnet.au1.cesnet_sserv', 1, 0),
-(5, 3, '0000-00-00 00:00:00', '', 'n6d-dorkbot', '', 1, 'cz.cesnet.au1.n6d-dorkbot', 1, 0),
-(6, 3, '0000-00-00 00:00:00', '', 'n6e-certplsinkhole', '', 1, 'cz.cesnet.au1.n6e-certplsinkhole', 1, 0),
-(7, 3, '0000-00-00 00:00:00', '', 'n6i-citadelsinkhole', '', 1, 'cz.cesnet.au1.n6i-citadelsinkhole', 1, 0),
-(8, 3, '0000-00-00 00:00:00', '', 'n6i-citadelsinkholeqd', '', 1, 'cz.cesnet.au1.n6i-citadelsinkholeqd', 1, 0),
-(9, 3, '0000-00-00 00:00:00', '', 'n6n-openntp', '', 1, 'cz.cesnet.au1.n6n-openntp', 1, 0),
-(10, 3, '0000-00-00 00:00:00', '', 'n6o-botszeroaccess', '', 1, 'cz.cesnet.au1.n6o-botszeroaccess', 1, 0),
-(11, 3, '0000-00-00 00:00:00', '', 'report_n6v-virut', '', 1, 'cz.cesnet.au1.report_n6v-virut', 1, 0),
-(12, 12, '0000-00-00 00:00:00', '', 'ids-cz', '', 1, 'cz.cesnet.au2.ids-cz', 1, 0),
-(13, 13, '0000-00-00 00:00:00', '', 'hpscan', '', 1, 'cz.vutbr.net.bee.hpscan', 1, 0),
-(14, 14, '0000-00-00 00:00:00', '', 'kippo', '', 1, 'cz.vsb.buldog.kippo', 1, 0),
-(15, 15, '0000-00-00 00:00:00', '', 'nemea', '', 1, 'org.liberouter.collector-nemea.nemea', 1, 0),
-(16, 16, '0000-00-00 00:00:00', '', 'hoststats', '', 1, 'org.liberouter.collector.hoststats', 1, 0),
-(17, 17, '0000-00-00 00:00:00', '', 'synscandetector_1_0', '', 1, 'org.liberouter.collector.synscandetector_1_0', 1, 0),
-(18, 18, '0000-00-00 00:00:00', '', 'kippohoneypot', '', 1, 'cz.cesnet.holly.kippohoneypot', 1, 0),
-(19, 19, '0000-00-00 00:00:00', '', 'dionaeahoneypot', '', 1, 'cz.cesnet.kryten.dionaeahoneypot', 1, 0),
-(20, 20, '0000-00-00 00:00:00', '', 'mentat', '', 1, 'cz.cesnet.mentat.mentat', 1, 0),
-(21, 21, '0000-00-00 00:00:00', '', 'kippo', '', 1, 'cz.slu.opf.miel.kippo', 1, 0),
-(22, 23, '0000-00-00 00:00:00', '', 'honeyscan', '', 1, 'cz.muni.ics.nfsen.honeyscan', 1, 0),
-(23, 23, '0000-00-00 00:00:00', '', 'scandetector_1_0', '', 1, 'cz.muni.ics.nfsen.scandetector_1_0', 1, 0),
-(24, 23, '0000-00-00 00:00:00', '', 'sshbruteforce-1_n', '', 1, 'cz.muni.ics.nfsen.sshbruteforce-1_n', 1, 0),
-(25, 25, '0000-00-00 00:00:00', '', 'fail2ban', '', 1, 'cz.cesnet.vinovago.fail2ban', 1, 0),
-(26, 26, '0000-00-00 00:00:00', '', 'dionaeatul', '', 1, 'cz.tul.ward.dionaeatul', 1, 0),
-(27, 26, '0000-00-00 00:00:00', '', 'kippo', '', 1, 'cz.tul.ward.kippo', 1, 0),
-(28, 28, '0000-00-00 00:00:00', 'kostenec@civ.zcu.cz', 'com.example.test-node', '', 1, 'com.example.test-node', 0, 0),
-(29, 28, '0000-00-00 00:00:00', 'kostenec@civ.zcu.cz', 'com.example.test-node2', '', 1, 'com.example.test-node2', 0, 0),
-(30, 28, '0000-00-00 00:00:00', 'kostenec@civ.zcu.cz', 'Test', '', 1, 'com.example.test-node3', 0, 0),
-(31, 29, '2014-12-11 13:51:18', 'ph@cesnet.cz', 'Test', '', 1, 'cz.cesnet.grey.test', 1, 0);
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci AUTO_INCREMENT=1 ;
 
 -- --------------------------------------------------------
 
@@ -246,7 +207,7 @@ CREATE TABLE IF NOT EXISTS `tags` (
   `tag` varchar(64) NOT NULL,
   KEY `id_tag_name` (`id`,`tag`),
   KEY `tag_name` (`tag`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
 --
 -- Dumping data for table `tags`

warden3/warden_server/warden_server.py

@@ -14,6 +14,7 @@ import M2Crypto.X509
 import json
 import MySQLdb as my
 import MySQLdb.cursors as mycursors
+from collections import namedtuple
 from uuid import uuid4
 from time import time, gmtime
 from math import trunc
@@ -57,7 +58,7 @@ class Error(Exception):
 
 
     def info_str(self):
-        return ("Detail: %s" % self.detail) or ""
+        return ("Detail: %s" % self.detail) if self.detail else ""
 
 
     def debug_str(self):
@@ -173,6 +174,13 @@ class Object(object):
 
 
 
+# Simple container class definition shortcut
+Client = namedtuple("Client",
+    ["id", "registered", "requestor", "hostname", "service", "note",
+    "identity", "read", "debug", "write", "test"])
+
+
+
 class Request(Object):
     """ Simple container for info about ongoing request.
         One instance gets created before server startup, and all other
@@ -200,9 +208,9 @@ class Request(Object):
 
 
     def reset(self, env=None, client=None, path=None, req_id=None):
-        self.env = {} if env is None else env
-        self.client = {} if client is None else client
-        self.path = "" if path is None else path
+        self.env = env
+        self.client = client
+        self.path = path or ""
         if req_id is not None:
             self.req_id = req_id
         else:
@@ -214,7 +222,6 @@ class Request(Object):
 
 
 
-
 class ObjectReq(Object):
 
     def __init__(self, req):
@@ -226,17 +233,18 @@ class ObjectReq(Object):
         return "%s(req=%s)" % (type(self).__name__, type(self.req).__name__)
 
 
+
 class NoAuthenticator(ObjectReq):
 
     def __init__(self, req):
         ObjectReq.__init__(self, req)
 
 
-    def authenticate (self, env):
+    def authenticate (self, env, args):
         return "anybody"    # or None
 
 
-    def authorize(self, env, client, path, event):
+    def authorize(self, env, client, path, method):
         return (client is not None)
 
 
@@ -268,49 +276,44 @@ class X509Authenticator(NoAuthenticator):
         return [firstcommon] + list(set(altnames+commons) - set([firstcommon]))
 
 
-    def authenticate (self, env):
-        names = self.get_cert_dns_names(env["SSL_CLIENT_CERT"])
-        return self.db.get_client_by_name(names)
-
+    def authenticate (self, env, args):
+        try:
+            identity = args["client"][0]
+        except KeyError:
+            logging.info("authenticate: bad or missing client argument")
+            return None
 
-    def authorize(self, env, client, path, event):
-        # Authorize for debug
-        if (path == 'getDebug'):
-            if not client["debug"]:
-                logging.info("Auth failed: client does not have debug enabled")
+        try:
+            cert_names = self.get_cert_dns_names(env["SSL_CLIENT_CERT"])
+        except:
+            logging.info("authenticate: cannot get or parse certificate from env")
             return None
-            return client
             
-        if path in ['getInfo', 'getEvents']:
+        client = self.db.get_client_by_name(identity, cert_names)
+
+        if not client:
+            logging.info("authenticate: client not found")
+        
+        logging.info("authenticate: ok, client=%s" % str(client))
         return client
 
-        try:
-            identity = event['Node'][0]['Name'].lower()
-        except (KeyError, TypeError):
-            # Event does not bear valid Node attribute
-            logging.info("Auth failed: event does not bear valid Node attribute")
-            return None
 
-        try:
-            service = client["services"][identity]
-        except KeyError:
-            # We are unable to pair service in message to service in db
-            logging.info("authorize: failed, '%s' from event not found in services for client %i" % (identity, client["id"]))
+    def authorize(self, env, client, path, method):
+        if method.debug:
+            if not client.debug:
+                logging.info("authorize: failed, client does not have debug enabled")
                 return None
+            return client
 
-        client["service"] = service
-        
-        # Authorize for sending events
-        if (path == "sendEvents"):
-            if not (service["write"] or service["test"]):
-                logging.info("authorize: failed, service %i (%s) is not allowed to write or test" % (service["service_id"], identity))
+        if method.read:
+            if not client.read:
+                logging.info("authorize: failed, client does not have read enabled")
                 return None
+            return client
 
-            test = 'Test' in event.get('Category', [])
-            # if not test:
-            #     logging.info("authorize: failed, service %i (%s) does not send Test category in event" % (service["service_id"], identity))
-            if test and not service['test']:
-                logging.info("authorize: failed, service %i (%s) is not allowed to send Test category in event" % (service["service_id"], identity))
+        if method.write:
+            if not (client.write or client.test):
+                logging.info("authorize: failed, client is not allowed to write or test")
                 return None
 
         return client
@@ -393,27 +396,18 @@ class MySQL(ObjectReq):
             type(self).__name__, type(self.req).__name__, self.host, self.user, self.dbname, self.port, self.catmap_filename, self.tagmap_filename)
 
 
-    def get_client_by_name(self, name):
-        format_strings = ','.join(['%s'] * len(name))
-        self.crs.execute("SELECT cl.`id`, cl.`hostname`, s.`service`, s.`service_id`, s.`identity`, cl.`read`, s.`write`, s.`test`, cl.`debug` FROM `clients` cl LEFT JOIN `services` s ON cl.`id` = s.`client_id` WHERE cl.`valid` = 1 AND s.`valid` = 1 AND `hostname` IN (%s)" % format_strings, tuple(name))
+    def get_client_by_name(self, identity, cert_names):
+        format_strings = ','.join(['%s'] * len(cert_names))
+        query = "SELECT id, registered, requestor, hostname, service, note, identity, `read`, debug, `write`, test FROM clients WHERE valid = 1 AND identity = %%s AND hostname IN (%s)" % format_strings
+        self.crs.execute(query, [identity] + cert_names)
         rows = self.crs.fetchall()
-        if not rows:
-            return None
-
-        client = {}
-        for n in ["id", "hostname", "read", "debug"]:
-            client[n] = rows[0][n]
 
-        services = {}
-        for row in rows:
-            service = {}
-            for n in ["service", "service_id", "identity", "write", "test"]:
-                service[n] = row[n]
-            services[row["identity"]] = service
+        if len(rows)>1:
+            logging.warn("get_client_by_name: query returned more than one result: %s" % str(rows))
+            return None
 
-        client["services"] = services
+        client = Client(**rows[0]) if rows else None
 
-        logging.debug("get_client_by_name: %s", str(client))
         return client
 
 
@@ -475,7 +469,7 @@ class MySQL(ObjectReq):
         sqlwhere = []
         sqlparams = []
 
-        sqlwhere.append("SELECT e.id, e.data FROM services s RIGHT JOIN events e ON s.service_id = e.service_id WHERE e.id > %s")
+        sqlwhere.append("SELECT e.id, e.data FROM clients c RIGHT JOIN events e ON c.id = e.client_id WHERE e.id > %s")
         sqlparams.append(id or 0)
 
         if cat or nocat:
@@ -497,7 +491,7 @@ class MySQL(ObjectReq):
             not_op = "" if group else "NOT"
             
             for identity in (group or nogroup):
-                sqlwhere.append(" AND s.identity %s LIKE %%s" % not_op)
+                sqlwhere.append(" AND c.identity %s LIKE %%s" % not_op)
                 sqlparams.append(identity + "%")
 
         sqlwhere.append(" AND e.valid = 1 LIMIT %s")
@@ -525,7 +519,7 @@ class MySQL(ObjectReq):
 
     def store_event(self, client, event):
         try:
-            self.crs.execute("INSERT INTO events (received,service_id,data) VALUES (NOW(), %s, %s)", (client["service"]["service_id"], json.dumps(event)))
+            self.crs.execute("INSERT INTO events (received,client_id,data) VALUES (NOW(), %s, %s)", (client.id, json.dumps(event)))
             lastid = self.crs.lastrowid
             logging.debug("store_event: Last ID in events - %i" % lastid)
 
@@ -552,8 +546,8 @@ class MySQL(ObjectReq):
 
 
     def insertLastReceivedId(self, client, id):
-        logging.debug("insertLastReceivedId: id %i for client %i(%s)" % (id, client["id"], client["hostname"]))
-        self.crs.execute("INSERT INTO last_events(client_id, event_id, timestamp) VALUES(%s, %s, NOW())", (client["id"], id))
+        logging.debug("insertLastReceivedId: id %i for client %i(%s)" % (id, client.id, client.hostname))
+        self.crs.execute("INSERT INTO last_events(client_id, event_id, timestamp) VALUES(%s, %s, NOW())", (client.id, id))
 
     def getLastEventId(self):
         self.crs.execute("SELECT MAX(id) as id FROM events")
@@ -562,20 +556,27 @@ class MySQL(ObjectReq):
         return row['id'] if row['id'] is not None else 0
 
     def getLastReceivedId(self, client):
-        self.crs.execute("SELECT MAX(event_id) as id FROM last_events WHERE client_id = %s", client["id"])
+        self.crs.execute("SELECT MAX(event_id) as id FROM last_events WHERE client_id = %s", client.id)
         row = self.crs.fetchone()
 
         id = row['id'] if row is not None else 0
-        logging.debug("getLastReceivedId: id %i for client %i(%s)" % (id, client["id"], client["hostname"]))
+        logging.debug("getLastReceivedId: id %i for client %i(%s)" % (id, client.id, client.hostname))
 
         return id
 
 
 
-def expose(meth):
+def expose(read=1, write=0, debug=0):
+
+    def expose_deco(meth):
         meth.exposed = True
+        meth.read = read
+        meth.write = write
+        meth.debug = debug
         return meth
 
+    return expose_deco
+
 
 class Server(ObjectReq):
 
@@ -629,21 +630,26 @@ class Server(ObjectReq):
             except Exception:
                 raise self.req.error("You've fallen of the cliff.", 404)
 
-            self.req.client = client = self.auth.authenticate(environ)
+            self.req.args = args = parse_qs(environ.get('QUERY_STRING', ""))
+            logging.debug("arguments: %s" % str(args))
+
+            self.req.client = client = self.auth.authenticate(environ, args)
             if not client:
                 raise self.req.error("I'm watching. Authenticate.", 403)
 
             try:
                 events = json.loads(injson) if injson else None
             except Exception as e:
-                raise self.req.error("Deserialization error", 400,
+                raise self.req.error("Deserialization error.", 400,
                     sys.exc_info(), detail={"args": injson, "parser": str(e)})
-
-            args = parse_qs(environ.get('QUERY_STRING', ""))
-            logging.debug("calling handler with %s" % str(args))
             if events:
                 args["events"] = events
 
+            auth = self.auth.authorize(self.req.env, self.req.client, self.req.path, method)
+            if not auth:
+                raise self.req.error("I'm watching. Not authorized.", 403, detail={"client": client.identity})
+
+            args.pop("client", None)
             args = self.sanitize_args(path, method, args)
             result = method(**args)   # call requested method
 
@@ -709,15 +715,11 @@ class WardenHandler(ObjectReq):
             self.get_events_limit, self.send_events_limit, self.description)
 
 
-    @expose
+    @expose(read=1, debug=1)
     def getDebug(self):
-        auth = self.auth.authorize(self.req.env, self.req.client, self.req.path, None)
-        if not auth:
-            raise self.req.error("I'm watching. Authorize.", 403, detail={"client": self.req.client["hostname"]})
-
         return {
             "environment": self.req.env,
-            "client": self.req.client,
+            "client": self.req.client.__dict__,
             "database": self.db.get_debug(),
             "system": {
                 "uname": os.uname()
@@ -736,12 +738,8 @@ class WardenHandler(ObjectReq):
         }
 
 
-    @expose
+    @expose(read=1)
     def getInfo(self):
-        auth = self.auth.authorize(self.req.env, self.req.client, self.req.path, None)
-        if not auth:
-            raise self.req.error("I'm watching. Authorize.", 403, detail={"client": self.req.client["hostname"]})
-
         info = {
             "version": VERSION,
             "send_events_limit": self.send_events_limit,
@@ -752,16 +750,12 @@ class WardenHandler(ObjectReq):
         return info
 
 
-    @expose
+    @expose(read=1)
     def getEvents(self, id=None, count=None,
             cat=None, nocat=None,
             tag=None, notag=None,
             group=None, nogroup=None):
 
-        auth = self.auth.authorize(self.req.env, self.req.client, self.req.path, None)
-        if not auth:
-            raise self.req.error("I'm watching. Authorize.", 403, detail={"client": self.req.client["hostname"]})
-
         try:
             id = int(id[0])
         except (ValueError, TypeError, IndexError):
@@ -799,7 +793,18 @@ class WardenHandler(ObjectReq):
         return res
 
 
-    @expose
+    def checkNode(self, event, identity):
+        try:
+            ev_id = event['Node'][0]['Name'].lower()
+        except (KeyError, TypeError):
+            # Event does not bear valid Node attribute
+            return ["Event does not bear valid Node attribute"]
+        if ev_id != identity:
+            return ["Node does not correspond with saving client"]
+        return []
+
+
+    @expose(write=1)
     def sendEvents(self, events=[]):
         if not isinstance(events, list):
             raise self.req.error("List of events expected.", 400)
@@ -811,19 +816,20 @@ class WardenHandler(ObjectReq):
         saved = 0
         errs = {}
         for i, event in enumerate(events):
-            ev_errs = []
-            
-            auth_cl = self.auth.authorize(self.req.env, self.req.client, self.req.path, event)
-            if not auth_cl:
-                errs[i] = ["Client %i(%s) does not correspond with event Node info or is not allowed to write" % (self.req.client["service"]["service_id"], self.req.client["service"]["identity"])]
-                continue
-
             v_errs = self.validator.check(event)
             if v_errs:
                 errs[i] = v_errs
                 continue
 
-            db_errs = self.db.store_event(auth_cl, event)
+            node_errs = self.checkNode(event, self.req.client.identity)
+            if node_errs:
+                errs[i] = node_errs
+                continue
+
+            if self.req.client.test and not 'Test' in event.get('Category', []):
+                errs[i] = ["You're allowed to send only messages, containing \"Test\" among categories."]
+
+            db_errs = self.db.store_event(self.req.client, event)
             if db_errs:
                 errs[i] = db_errs
                 continue