libervia-backend: sat/plugins/plugin_xep

comparison sat/plugins/plugin_xep_0384.py @ 3237:b0c57c9a4bd8

plugin XEP-0384: OMEMO trust policy: OMEMO trust policy can now be specified. For now there are 2 policies: - `manual`: each new device fingerprint must be explicitly trusted or not before the device can be used, and the message sent - `BTBV` (Blind Trust Before Verification): each new device fingerprint is automically trusted, until user manually trust or not a device, in which case the behaviour becomes the same as for `manual` for the entity. When using the Trust UI, user can put the entity back to blind trust if they wish. A message is send as feedback to user when a new device is/must be trusted, trying to explain clearly what's happening to the user. Devices which have been automically trusted are marked, so user can know which ones may cause security issue.

author	Goffi <goffi@goffi.org>
date	Fri, 27 Mar 2020 10:02:14 +0100
parents	9477f3197981
children	d85b68e44297

comparison

equal deleted inserted replaced

-:9477f3197981
+:b0c57c9a4bd8
 # GNU Affero General Public License for more details.
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import logging
+import random
+import base64
+from functools import partial
+from xml.sax.saxutils import quoteattr
 from sat.core.i18n import _, D_
 from sat.core.constants import Const as C
 from sat.core.log import getLogger
 from sat.core import exceptions
 from twisted.internet import defer, reactor
 from twisted.words.xish import domish
 from twisted.words.protocols.jabber import jid
 from twisted.words.protocols.jabber import error as jabber_error
 from sat.memory import persistent
-from functools import partial
 from sat.tools import xml_tools
-import logging
-import random
-import base64
 try:
 import omemo
 from omemo import exceptions as omemo_excpt
 from omemo.extendedpublicbundle import ExtendedPublicBundle
 except ImportError:
 NS_OMEMO_BUNDLE = NS_OMEMO + ".bundles:{device_id}"
 KEY_STATE = "STATE"
 KEY_DEVICE_ID = "DEVICE_ID"
 KEY_SESSION = "SESSION"
 KEY_TRUST = "TRUST"
+# devices which have been automatically trusted by policy like BTBV
+KEY_AUTO_TRUST = "AUTO_TRUST"
+# list of peer bare jids where trust UI has been used at least once
+# this is useful to activate manual trust with BTBV policy
+KEY_MANUAL_TRUST = "MANUAL_TRUST"
 KEY_ACTIVE_DEVICES = "DEVICES"
 KEY_INACTIVE_DEVICES = "INACTIVE_DEVICES"
 KEY_ALL_JIDS = "ALL_JIDS"
 # time before plaintext cache for MUC is expired
 # expressed in seconds, reset on each new MUC message
 MUC_CACHE_TTL = 60 * 5
+PARAM_CATEGORY = "Security"
+PARAM_NAME = "omemo_policy"
 # we want to manage log emitted by omemo module ourselves
 class SatHandler(logging.Handler):
 return d
 class OmemoStorage(omemo.Storage):
-def __init__(self, client, device_id, all_jids, persistent_dict):
+def __init__(self, client, device_id, all_jids):
-"""
-@param persistent_dict(persistent.LazyPersistentBinaryDict): object which will
-store data in SàT database
-"""
 self.own_bare_jid_s = client.jid.userhost()
 self.device_id = device_id
 self.all_jids = all_jids
-self.data = persistent_dict
+self.data = client._xep_0384_data
 @property
 def is_async(self):
 return True
 d = defer.DeferredList(d_list)
 d.addCallback(self._deleteJID_logResults)
 return d
 def deleteJID(self, callback, bare_jid):
-"""Retrieve all (in)actives of bare_jid, and delete all related keys"""
+"""Retrieve all (in)actives devices of bare_jid, and delete all related keys"""
 d_list = []
 key = '\n'.join([KEY_ACTIVE_DEVICES, bare_jid])
 d_list.append(self.data.get(key, []))
 return promise2Deferred(get_trust_p)
 class OMEMO:
+params = """
+<params>
+<individual>
+<category name="{category_name}" label="{category_label}">
+<param name="{param_name}" label={param_label} type="list" security="3">
+<option value="manual" label={opt_manual_lbl} />
+<option value="btbv" label={opt_btbv_lbl} selected="true" />
+</param>
+</category>
+</individual>
+</params>
+""".format(
+category_name=PARAM_CATEGORY,
+category_label=D_("Security"),
+param_name=PARAM_NAME,
+param_label=quoteattr(D_("OMEMO default trust policy")),
+opt_manual_lbl=quoteattr(D_("Manual trust (more secure)")),
+opt_btbv_lbl=quoteattr(
+D_("Blind Trust Before Verification (more user friendly)")),
+)
 def __init__(self, host):
 log.info(_("OMEMO plugin initialization (omemo module v{version})").format(
 version=omemo.__version__))
 version = tuple(map(int, omemo.__version__.split('.')[:3]))
 if version < OMEMO_MIN_VER:
 log.warning(_(
 "Your version of omemo module is too old: {v[0]}.{v[1]}.{v[2]} is "
 "minimum required, please update.").format(v=OMEMO_MIN_VER))
 raise exceptions.CancelError("module is too old")
 self.host = host
+host.memory.updateParams(self.params)
 self._p_hints = host.plugins["XEP-0334"]
 self._p_carbons = host.plugins["XEP-0280"]
 self._p = host.plugins["XEP-0060"]
 self._m = host.plugins.get("XEP-0045")
 self._sid = host.plugins.get("XEP-0359")
 feedback = _("OMEMO session has been reset")
 self.text_cmds.feedBack(client, feedback, mess_data)
 return False
-@defer.inlineCallbacks
+async def trustUICb(
-def trustUICb(self, xmlui_data, trust_data, expect_problems=None,
+self, xmlui_data, trust_data, expect_problems=None, profile=C.PROF_KEY_NONE):
-profile=C.PROF_KEY_NONE):
 if C.bool(xmlui_data.get('cancelled', 'false')):
-defer.returnValue({})
+return {}
 client = self.host.getClient(profile)
 session = client._xep_0384_session
+stored_data = client._xep_0384_data
+manual_trust = await stored_data.get(KEY_MANUAL_TRUST, set())
+auto_trusted_cache = {}
 answer = xml_tools.XMLUIResult2DataFormResult(xmlui_data)
+blind_trust = C.bool(answer.get('blind_trust', C.BOOL_FALSE))
 for key, value in answer.items():
 if key.startswith('trust_'):
 trust_id = key[6:]
 else:
 continue
 data = trust_data[trust_id]
+if blind_trust:
+# user request to restore blind trust for this entity
+# so if the entity is present in manual trust, we remove it
+if data["jid"].full() in manual_trust:
+manual_trust.remove(data["jid"].full())
+await stored_data.aset(KEY_MANUAL_TRUST, manual_trust)
+elif data["jid"].full() not in manual_trust:
+# validating this trust UI implies that we activate manual mode for
+# this entity (used for BTBV policy)
+manual_trust.add(data["jid"].full())
+await stored_data.aset(KEY_MANUAL_TRUST, manual_trust)
 trust = C.bool(value)
-yield session.setTrust(
+if not trust:
+# if device is not trusted, we check if it must be removed from auto
+# trusted devices list
+bare_jid_s = data['jid'].userhost()
+key = f"{KEY_AUTO_TRUST}\n{bare_jid_s}"
+if bare_jid_s not in auto_trusted_cache:
+auto_trusted_cache[bare_jid_s] = await stored_data.get(
+key, default=set())
+auto_trusted = auto_trusted_cache[bare_jid_s]
+if data['device'] in auto_trusted:
+# as we don't trust this device anymore, we can remove it from the
+# list of automatically trusted devices
+auto_trusted.remove(data['device'])
+await stored_data.aset(key, auto_trusted)
+log.info(D_(
+"device {device} from {peer_jid} is not an auto-trusted device "
+"anymore").format(device=data['device'], peer_jid=bare_jid_s))
+await session.setTrust(
 data["jid"],
 data["device"],
 data["ik"],
 trusted=trust,
 )
 if not trust and expect_problems is not None:
 expect_problems.setdefault(data['jid'].userhost(), set()).add(
 data['device']
 )
-defer.returnValue({})
+return {}
-@defer.inlineCallbacks
+async def getTrustUI(self, client, entity_jid=None, trust_data=None, submit_id=None):
-def getTrustUI(self, client, entity_jid=None, trust_data=None, submit_id=None):
 """Generate a XMLUI to manage trust
 @param entity_jid(None, jid.JID): jid of entity to manage
 None to use trust_data
 @param trust_data(None, dict): devices data:
 assert entity_jid and not trust_data or not entity_jid and trust_data
 if entity_jid and entity_jid.resource:
 raise ValueError("A bare jid is expected")
 session = client._xep_0384_session
+stored_data = client._xep_0384_data
 if trust_data is None:
 cache = client._xep_0384_cache.setdefault(entity_jid, {})
 trust_data = {}
 if self._m is not None and self._m.isJoinedRoom(client, entity_jid):
 trust_jids = self.getJIDsForRoom(client, entity_jid)
 else:
 trust_jids = [entity_jid]
 for trust_jid in trust_jids:
-trust_session_data = yield session.getTrustForJID(trust_jid)
+trust_session_data = await session.getTrustForJID(trust_jid)
 bare_jid_s = trust_jid.userhost()
 for device_id, trust_info in trust_session_data['active'].items():
 if trust_info is None:
 # device has never been (un)trusted, we have to retrieve its
 # fingerprint (i.e. identity key or "ik") through public bundle
 if device_id not in cache:
-bundles, missing = yield self.getBundles(client,
+bundles, missing = await self.getBundles(client,
 trust_jid,
 [device_id])
 if device_id not in bundles:
 log.warning(_(
 "Can't find bundle for device {device_id} of user "
 "ik": ik,
 "trusted": trust_info["trusted"],
 }
 if submit_id is None:
-submit_id = self.host.registerCallback(partial(self.trustUICb,
+submit_id = self.host.registerCallback(
-trust_data=trust_data),
+lambda data, profile: defer.ensureDeferred(
-with_data=True,
+self.trustUICb(data, trust_data=trust_data, profile=profile)),
-one_shot=True)
+with_data=True,
+one_shot=True)
 xmlui = xml_tools.XMLUI(
 panel_type = C.XMLUI_FORM,
 title = D_("OMEMO trust management"),
 submit_id = submit_id
 )
 fp_human = ' '.join([ik_hex[i:i+8] for i in range(0, len(ik_hex), 8)])
 xmlui.addText(fp_human)
 xmlui.addEmpty()
 xmlui.addEmpty()
+if entity_jid is not None:
+omemo_policy = self.host.memory.getParamA(
+PARAM_NAME, PARAM_CATEGORY, profile_key=client.profile
+)
+if omemo_policy == 'btbv':
+xmlui.addLabel(D_("Automatically trust new devices?"))
+# blind trust is always disabled when UI is requested
+# as submitting UI is a verification which should disable it.
+xmlui.addBool("blind_trust", value=C.BOOL_FALSE)
+xmlui.addEmpty()
+xmlui.addEmpty()
+auto_trust_cache = {}
 for trust_id, data in trust_data.items():
+bare_jid_s = data['jid'].userhost()
+if bare_jid_s not in auto_trust_cache:
+key = f"{KEY_AUTO_TRUST}\n{bare_jid_s}"
+auto_trust_cache[bare_jid_s] = await stored_data.get(key, set())
 xmlui.addLabel(D_("Contact"))
 xmlui.addJid(data['jid'])
 xmlui.addLabel(D_("Device ID"))
 xmlui.addText(str(data['device']))
 xmlui.addLabel(D_("Fingerprint"))
 fp_human = ' '.join([ik_hex[i:i+8] for i in range(0, len(ik_hex), 8)])
 xmlui.addText(fp_human)
 xmlui.addLabel(D_("Trust this device?"))
 xmlui.addBool("trust_{}".format(trust_id),
 value=C.boolConst(data.get('trusted', False)))
+if data['device'] in auto_trust_cache[bare_jid_s]:
+xmlui.addEmpty()
+xmlui.addLabel(D_("(automatically trusted)"))
 xmlui.addEmpty()
 xmlui.addEmpty()
-defer.returnValue(xmlui)
+return xmlui
 @defer.inlineCallbacks
 def profileConnected(self, client):
 if self._m is not None:
 # we keep plain text message for MUC messages we send
 # FIXME: is _xep_0384_ready needed? can we use profileConnecting?
 #        Workflow should be checked
 client._xep_0384_ready = defer.Deferred()
 # we first need to get devices ids (including our own)
 persistent_dict = persistent.LazyPersistentBinaryDict("XEP-0384", client.profile)
+client._xep_0384_data = persistent_dict
 # all known devices of profile
 devices = yield self.getDevices(client)
 # and our own device id
 device_id = yield persistent_dict.get(KEY_DEVICE_ID)
 if device_id is None:
 devices.add(device_id)
 yield defer.ensureDeferred(self.setDevices(client, devices))
 all_jids = yield persistent_dict.get(KEY_ALL_JIDS, set())
-omemo_storage = OmemoStorage(client, device_id, all_jids, persistent_dict)
+omemo_storage = OmemoStorage(client, device_id, all_jids)
 omemo_session = yield OmemoSession.create(client, omemo_storage, device_id)
 client._xep_0384_cache = {}
 client._xep_0384_session = omemo_session
 client._xep_0384_device_id = device_id
 yield omemo_session.newDeviceList(client.jid, devices)
 devices.add(own_device)
 await self.setDevices(client, devices)
 ## triggers
-@defer.inlineCallbacks
+async def policyBTBV(self, client, feedback_jid, expect_problems, undecided):
-def handleProblems(self, client, feedback_jid, bundles, expect_problems, problems):
+session = client._xep_0384_session
+stored_data = client._xep_0384_data
+for pb in undecided.values():
+peer_jid = jid.JID(pb.bare_jid)
+device = pb.device
+ik = pb.ik
+key = f"{KEY_AUTO_TRUST}\n{pb.bare_jid}"
+auto_trusted = await stored_data.get(key, default=set())
+auto_trusted.add(device)
+await stored_data.aset(key, auto_trusted)
+await session.setTrust(peer_jid, device, ik, True)
+user_msg =  D_(
+"Not all destination devices are trusted, unknown devices will be blind "
+"trusted due to the OMEMO Blind Trust Before Verification policy. If you "
+"want a more secure workflow, please activate \"manual\" OMEMO policy in "
+"settings' \"Security\" tab.\nFollowing fingerprint have been automatically "
+"trusted:\n{devices}"
+).format(
+devices = ', '.join(
+f"- {pb.device} ({pb.bare_jid}): {pb.ik.hex().upper()}"
+for pb in undecided.values()
+)
+)
+client.feedback(feedback_jid, user_msg)
+async def policyManual(self, client, feedback_jid, expect_problems, undecided):
+trust_data = {}
+for trust_id, data in undecided.items():
+trust_data[trust_id] = {
+'jid': jid.JID(data.bare_jid),
+'device':  data.device,
+'ik': data.ik}
+user_msg =  D_("Not all destination devices are trusted, we can't encrypt "
+"message in such a situation. Please indicate if you trust "
+"those devices or not in the trust manager before we can "
+"send this message")
+client.feedback(feedback_jid, user_msg)
+xmlui = await self.getTrustUI(client, trust_data=trust_data, submit_id="")
+answer = await xml_tools.deferXMLUI(
+self.host,
+xmlui,
+action_extra={
+"meta_encryption_trust": NS_OMEMO,
+},
+profile=client.profile)
+await self.trustUICb(answer, trust_data, expect_problems, client.profile)
+async def handleProblems(
+self, client, feedback_jid, bundles, expect_problems, problems):
 """Try to solve problems found by EncryptMessage
 @param feedback_jid(jid.JID): bare jid where the feedback message must be sent
 @param bundles(dict): bundles data as used in EncryptMessage
 already filled with known bundles, missing bundles
 entity_cache = cache.setdefault(pb_entity, {})
 entity_bundles = bundles.setdefault(pb_entity, {})
 if problem.device in entity_cache:
 entity_bundles[problem.device] = entity_cache[problem.device]
 else:
-found_bundles, missing = yield self.getBundles(
+found_bundles, missing = await self.getBundles(
 client, pb_entity, [problem.device])
 entity_cache.update(bundles)
 entity_bundles.update(found_bundles)
 if problem.device in missing:
 missing_bundles.setdefault(pb_entity, set()).add(
 "his/her device(s) (bundle on device {devices}), the message won't  "
 "be readable on this/those device.").format(
 peer=peer_jid.full(), devices=", ".join(devices_s)))
 if undecided:
-trust_data = {}
+omemo_policy = self.host.memory.getParamA(
-for trust_id, data in undecided.items():
+PARAM_NAME, PARAM_CATEGORY, profile_key=client.profile
-trust_data[trust_id] = {
+)
-'jid': jid.JID(data.bare_jid),
+if omemo_policy == 'btbv':
-'device':  data.device,
+# we first separate entities which have been trusted manually
-'ik': data.ik}
+manual_trust = await client._xep_0384_data.get(KEY_MANUAL_TRUST)
+if manual_trust:
-user_msg =  D_("Not all destination devices are trusted, we can't encrypt "
+manual_undecided = {}
-"message in such a situation. Please indicate if you trust "
+for hash_, pb in undecided.items():
-"those devices or not in the trust manager before we can "
+if pb.bare_jid in manual_trust:
-"send this message")
+manual_undecided[hash_] = pb
-client.feedback(feedback_jid, user_msg)
+for hash_ in manual_undecided:
-xmlui = yield self.getTrustUI(client, trust_data=trust_data, submit_id="")
+del undecided[hash_]
+else:
-answer = yield xml_tools.deferXMLUI(
+manual_undecided = None
-self.host,
-xmlui,
+if undecided:
-action_extra={
+# we do the automatic trust here
-"meta_encryption_trust": NS_OMEMO,
+await self.policyBTBV(
-},
+client, feedback_jid, expect_problems, undecided)
-profile=client.profile)
+if manual_undecided:
-yield self.trustUICb(answer, trust_data, expect_problems, client.profile)
+# here user has to manually trust new devices from entities already
+# verified
-@defer.inlineCallbacks
+await self.policyManual(
-def encryptMessage(self, client, entity_bare_jids, message, feedback_jid=None):
+client, feedback_jid, expect_problems, manual_undecided)
+elif omemo_policy == 'manual':
+await self.policyManual(
+client, feedback_jid, expect_problems, undecided)
+else:
+raise exceptions.InternalError(f"Unexpected OMEMO policy: {omemo_policy}")
+async def encryptMessage(self, client, entity_bare_jids, message, feedback_jid=None):
 if feedback_jid is None:
 if len(entity_bare_jids) != 1:
 log.error(
 "feedback_jid must be provided when message is encrypted for more "
 "than one entities")
 msg = _("Too many iterations in encryption loop")
 log.error(msg)
 raise exceptions.InternalError(msg)
 # encryptMessage may fail, in case of e.g. trust issue or missing bundle
 try:
-encrypted = yield omemo_session.encryptMessage(
+encrypted = await omemo_session.encryptMessage(
 entity_bare_jids,
 message,
 bundles,
 expect_problems = expect_problems)
 except omemo_excpt.EncryptionProblemsException as e:
 # we know the problem to solve, we can try to fix them
-yield self.handleProblems(
+await self.handleProblems(
 client,
 feedback_jid=feedback_jid,
 bundles=bundles,
 expect_problems=expect_problems,
 problems=e.problems)
 timer.reset(MUC_CACHE_TTL)
 # we use origin-id when possible, to identifiy the message in a stable way
 if self._sid is not None:
 self._sid.addOriginId(message_elt, mess_data['uid'])
-encryption_data = yield self.encryptMessage(
+encryption_data = yield defer.ensureDeferred(self.encryptMessage(
-client, to_jids, body, feedback_jid=feedback_jid)
+client, to_jids, body, feedback_jid=feedback_jid))
 encrypted_elt = message_elt.addElement((NS_OMEMO, 'encrypted'))
 header_elt = encrypted_elt.addElement('header')
 header_elt['sid'] = str(encryption_data['sid'])

Mercurial > libervia-backend

comparison sat/plugins/plugin_xep_0384.py @ 3237:b0c57c9a4bd8