quantopian · alex-davis-bird · Aug 17, 2020 · Aug 17, 2020 · Aug 17, 2020 · Aug 25, 2020
diff --git a/client/ubuntu-packages.txt b/client/ubuntu-packages.txt
@@ -20,11 +20,11 @@ gnupg
 iptables
 login
 lvm2
+python3-virtualenv
 python3
 python3-dev
 systemd
 tar
 ubuntu-release-upgrader-core
 update-notifier-common
-virtualenv
 wireless-tools
diff --git a/penguindome/client.py b/penguindome/client.py
@@ -31,7 +31,8 @@
     top_dir,
 )
 
-gpg_command = partial(main_gpg_command, with_user_id=True,
+gpg_user_id = 'penguindome-client'
+gpg_command = partial(main_gpg_command, '-u', gpg_user_id,
                       minimum_version=client_gpg_version)
 session = None
 
@@ -79,7 +80,7 @@ def server_request(cmd, data=None, data_path=None,
                    exit_on_connection_error=False, logger=None,
                    # Clients should never need to use these. They are for
                    # internal use on the server.
-                   local_port=None, signed=True):
+                   local_port=None, signed=True, useServerKeychain=False):
     global session
     if session is None:
         session = requests.Session()
@@ -98,10 +99,21 @@ def server_request(cmd, data=None, data_path=None,
             data_path = temp_data_file.name
         post_data = {'data': data}
         if signed:
-            gpg_command('--armor', '--detach-sign', '-o', signature_file.name,
-                        data_path, log=logger)
-            signature_file.seek(0)
-            post_data['signature'] = signature_file.read()
+            if useServerKeychain:
+                main_gpg_command(
+                    '-u', 'penguindome-server',
+                    '--armor', '--detach-sign', '-o', signature_file.name,
+                    data_path, log=logger, minimum_version=client_gpg_version
+                )
+                signature_file.seek(0)
+                post_data['signature'] = signature_file.read()
+            else:
+                gpg_command(
+                    '--armor', '--detach-sign', '-o', signature_file.name,
+                    data_path, log=logger
+                )
+                signature_file.seek(0)
+                post_data['signature'] = signature_file.read()
 
     kwargs = {
         'data': post_data,

diff --git a/penguindome/penguindome.py b/penguindome/penguindome.py
@@ -21,6 +21,8 @@
 from itertools import chain
 import logbook
 import os
+import pwd
+import sys
 import pickle
 import re
 import socket
@@ -52,10 +54,6 @@
 client_gpg_version = '2.1.11'
 server_pipe_log_filter_re = re.compile(
     r'POST.*/server_pipe/.*/(?:send|receive).* 200 ')
-gpg_user_ids = {
-    'client': 'penguindome-client',
-    'server': 'penguindome-server',
-}
 
 SelectorVariants = namedtuple(
     'SelectorVariants', ['plain_mongo', 'plain_mem', 'enc_mongo', 'enc_mem'])
@@ -105,14 +103,21 @@ def set_gpg(mode):
             mode))
 
     os.environ['GNUPGHOME'] = home
-    os.chmod(home, 0o0700)
+    try:
+        os.chmod(home, 0o0700)
+    except PermissionError:
+        print("It looks like you are trying to run the debug server as " +
+              "your user, please run with `sudo -u " +
+              pwd.getpwuid(os.stat(top_dir).st_uid).pw_name + "`"
+              )
+        sys.exit(1)
     # random seed gets corrupted sometimes because we're copying keyring from
     # server to client
     list(map(os.unlink, glob.glob(os.path.join(home, "random_seed*"))))
     gpg_mode = mode
 
 
-def gpg_command(*cmd, with_user_id=False, with_trustdb=False, quiet=True,
+def gpg_command(*cmd, with_trustdb=False, quiet=True,
                 minimum_version='2.1.15', log=None):
     global gpg_exe, gpg_exe
 
@@ -124,12 +129,28 @@ def gpg_command(*cmd, with_user_id=False, with_trustdb=False, quiet=True,
                 ('gpg2', '--version'),
                 stderr=subprocess.STDOUT).decode('utf8')
         except Exception:
-            output = subprocess.check_output(
-                ('gpg', '--version'),
-                stderr=subprocess.STDOUT).decode('utf8')
-            gpg_exe = 'gpg'
+            try:
+                output = subprocess.check_output(
+                    ('gpg', '--version'),
+                    stderr=subprocess.STDOUT).decode('utf8')
+            except Exception:
+                try:
+                    # We know we installed gpg during the server install
+                    # so chances are the user running this just doent have
+                    # PATH configured right
+                    output = subprocess.check_output(
+                        ('/usr/bin/gpg', '--version'),
+                        stderr=subprocess.STDOUT).decode('utf8')
+                except Exception:
+                    raise Exception("No gpg application found. " +
+                                    "verify gpg or gpg2 is installed!")
+                else:
+                    gpg_exe = '/usr/bin/gpg'
+            else:
+                gpg_exe = "gpg"
         else:
-            gpg_exe = 'gpg2'
+            gpg_exe = "gpg2"
+
         match = re.search(r'^gpg \(GnuPG\) (\d+(?:\.\d+(?:\.\d+)?)?)', output,
                           re.MULTILINE)
         if not match:
@@ -145,18 +166,13 @@ def gpg_command(*cmd, with_user_id=False, with_trustdb=False, quiet=True,
     else:
         trustdb_args = ('--trust-model', 'always')
 
-    if with_user_id:
-        user_id_args = ('-u', gpg_user_ids[gpg_mode])
-    else:
-        user_id_args = ()
-
     if quiet:
         quiet_args = ('--quiet',)
     else:
         quiet_args = ()
 
     cmd = tuple(chain((gpg_exe, '--batch', '--yes'), quiet_args, trustdb_args,
-                      user_id_args, cmd))
+                      cmd))
     try:
         return subprocess.check_output(cmd, stderr=subprocess.STDOUT).\
             decode('utf8')

diff --git a/penguindome/server.py b/penguindome/server.py
@@ -32,7 +32,8 @@
     top_dir,
 )
 
-gpg_command = partial(main_gpg_command, with_user_id=True)
+gpg_user_id = 'penguindome-server'
+gpg_command = partial(main_gpg_command, '-u', gpg_user_id)
 
 valid_client_parameters = (
     # This is a list of other client which should be treated as the same as the
@@ -121,6 +122,10 @@ def get_db(force_db=None):
         replicaset = get_setting('database:replicaset')
         if replicaset:
             kwargs['replicaset'] = replicaset
+        db_ssl_ca = get_setting('database:ssl_ca')
+        if db_ssl_ca:
+            kwargs['ssl'] = True
+            kwargs['ssl_ca_certs'] = db_ssl_ca
         connection = MongoClient(host, **kwargs)
 
     newdb = connection[database_name]

diff --git a/penguindome/shell/__init__.py b/penguindome/shell/__init__.py
@@ -150,9 +150,10 @@ def close(self):
 
 class PenguinDomeServerPeer(InteractionPeer):
     def __init__(self, peer_type, pipe_id=None, local_port=None, logger=None,
-                 client_hostname=None):
+                 client_hostname=None, useServerKeychain=False):
         if peer_type not in ('client', 'server'):
             raise Exception('Invalid peer type "{}"'.format(peer_type))
+        self.useServerKeychain = useServerKeychain
         self.type = peer_type
         self.pipe_id = pipe_id
         self.pending_data = b''
@@ -173,8 +174,16 @@ def __init__(self, peer_type, pipe_id=None, local_port=None, logger=None,
         else:
             response = self._request('open', data=data)
         self.encryptors = {
-            'send': Encryptor(data['encryption_key'], data['encryption_iv']),
-            'receive': Encryptor(data['encryption_key'], data['encryption_iv'])
+            'send':
+                {
+                    'k': data['encryption_key'],
+                    'i': data['encryption_iv']
+                },
+            'receive':
+                {
+                    'k': data['encryption_key'],
+                    'i': data['encryption_iv']
+                }
         }
 
     def _request(self, request, data=None):
@@ -187,7 +196,8 @@ def _request(self, request, data=None):
         response = server_request(
             '/penguindome/v1/server_pipe/{}/{}'.format(self.type, request),
             data=data, local_port=self.local_port, logger=self.logger,
-            signed=request not in ('send', 'receive'))
+            signed=request not in ('send', 'receive'),
+            useServerKeychain=self.useServerKeychain)
         if response.status_code == 404:
             raise FileNotFoundError('Pipe ID {} not found'.format(
                 self.pipe_id))
@@ -203,7 +213,11 @@ def receive(self, timeout=None):
     def send(self, data):
         if self.done:
             raise EOFError()
-        encrypted_data = self.encryptors['send'].encrypt(data)
+        encrypted_data = Encryptor(
+            self.encryptors['send']['k'],
+            self.encryptors['send']['i']
+        ).encrypt(data)
+
         encoded_data = b64encode(encrypted_data).decode('utf8')
         data = self._request('send', {'data': encoded_data})
         if 'eof' in data and data['eof']:
@@ -229,7 +243,12 @@ def poll(self, timeout=None):
         if 'data' in data and data['data']:
             encoded_data = data['data']
             encrypted_data = b64decode(encoded_data)
-            decrypted_data = self.encryptors['receive'].decrypt(encrypted_data)
+
+            decrypted_data = Encryptor(
+                self.encryptors['receive']['k'],
+                self.encryptors['receive']['i']
+            ).decrypt(encrypted_data)
+
             self.pending_data += decrypted_data
         if 'eof' in data and data['eof']:
             self.done = True

diff --git a/server/client_shell.py b/server/client_shell.py
@@ -39,8 +39,8 @@ def main():
     log.info('Requesting remote shell from {}', args.hostname)
     with PenguinDomeServerPeer(
             'server', local_port=get_setting('local_port'),
-            logger=log, client_hostname=args.hostname) as remote, \
-            TerminalPeer() as terminal:
+            logger=log, client_hostname=args.hostname,
+            useServerKeychain=True) as remote, TerminalPeer() as terminal:
         host = args.hostname
         script = '#!/bin/bash\npython client/endpoints/shell.py {}\n'.format(
             remote.pipe_id)