Current File : //opt/imunify360/venv/lib64/python3.11/site-packages/defence360agent/internals/iaid.py
import asyncio
import grp
import json
import os
import random
import time
from contextlib import suppress
from dataclasses import dataclass
from logging import getLogger
from pathlib import Path
from typing import Callable
from urllib.parse import urljoin
from urllib.request import Request

from defence360agent.api.server import API, APIError
from defence360agent.contracts.license import LicenseCLN
from defence360agent.utils import atomic_rewrite
from defence360agent.utils.common import DAY
from defence360agent.internals.global_scope import g

logger = getLogger(__name__)


_MAX_TRIES = 10
_TIMEOUT_MULTIPLICATOR = 0.5
"""
>>> _MAX_TRIES_FOR_DOWNLOAD = 10
>>> _TIMEOUT_MULTIPLICATOR = 0.5
>>> [(1 << i) * _TIMEOUT_MULTIPLICATOR for i in range(1, _MAX_TRIES_FOR_DOWNLOAD)]  # noqa
[1.0, 2.0, 4.0, 8.0, 16.0, 32.0, 64.0, 128.0, 256.0]
"""
_ACTIVATE_MINIMUM_TIMEOUT = 60


class IAIDTokenError(RuntimeError):
    """Can't get iaid token for any reason."""


class IndependentAgentIDAPI(API):
    API_PATH = "/api/auth/agent/{}"
    REGISTER_URL = urljoin(API._BASE_URL, API_PATH.format("register"))
    ACTIVATE_URL = urljoin(API._BASE_URL, API_PATH.format("activate"))
    LOGIN_URL = urljoin(API._BASE_URL, API_PATH.format("login"))
    TOKEN_INFO = urljoin(API._BASE_URL, API_PATH.format("token-info"))

    IAID_DIR = Path("/var/imunify360")
    IAID_FILE = IAID_DIR / "iaid"
    IAID_PASSWORD_FILE = IAID_DIR / "iaid-password"
    IAID_TOKEN_FILE = IAID_DIR / "iaid-token"
    IAID_ACTIVATED_FILE = IAID_DIR / "iaid-activated"
    _tasks = {
        "register": [],
        "activate": [],
        "login": [],
    }
    _register_lock = asyncio.Lock()
    _activate_lock = asyncio.Lock()

    @dataclass(frozen=True)
    class TokenInfo:
        __slots__ = [
            "valid",
            "iaid",
            "license_status",
            "server_id",
            "need_renew",
        ]
        valid: bool
        iaid: str
        license_status: str  # "ok", "ok-av", "ok-avp", "ok-trial"
        server_id: str
        need_renew: bool

    @staticmethod
    async def _retry_on_error(coro: Callable, *args, attempt, timeout=0):
        # Exponential backoff retry
        await asyncio.sleep(
            timeout + random.randrange(1 << attempt) * _TIMEOUT_MULTIPLICATOR
        )
        await coro(*args)

    @classmethod
    def _add_task(cls, type, coro: Callable, *args, attempt, timeout=0):
        cls._tasks[type] = [
            task for task in cls._tasks[type] if not task.done()
        ]
        if len(cls._tasks[type]) <= 1:
            loop = asyncio.get_event_loop()
            cls._tasks[type].append(
                loop.create_task(
                    cls._retry_on_error(
                        coro, *args, attempt=attempt, timeout=timeout
                    )
                )
            )
        else:
            logger.info("Task %s already in retry queue", type)

    @classmethod
    def add_initial_task(cls):
        cls._add_task("activate", cls.activate, attempt=0)

    @classmethod
    async def shutdown(cls):
        for type, tasks in cls._tasks.items():
            for task in tasks:
                if not task.done():
                    task.cancel()
                    with suppress(asyncio.CancelledError):
                        await task
                    logger.info("Retry task %s was canceled.", type)

    @staticmethod
    def _gid():
        return grp.getgrnam("_imunify").gr_gid

    @classmethod
    def get_iaid(cls):
        if cls.IAID_FILE.exists():
            return cls.IAID_FILE.read_text()
        return None

    @staticmethod
    def _request(url, headers=None, method="POST", **kwargs):
        _headers = {"Content-Type": "application/json"}
        if headers is not None:
            _headers.update(headers)
        return Request(
            url,
            method=method,
            headers=_headers,
            data=json.dumps(kwargs).encode() if kwargs else None,
        )

    @classmethod
    def is_registered(cls):
        return all(
            iaid_file.exists()
            for iaid_file in (cls.IAID_FILE, cls.IAID_PASSWORD_FILE)
        )

    @classmethod
    async def get_token(cls):
        """Ensure that iaid token is up to date
        Return iaid token or raise IAIDTokenError."""
        if IndependentAgentIDAPI.is_token_expired():
            await IndependentAgentIDAPI.login()
            if IndependentAgentIDAPI.is_token_expired():
                raise IAIDTokenError("IAID token is expired")
        try:
            token = cls.IAID_TOKEN_FILE.read_text(encoding="ascii")
            if not token:
                raise IAIDTokenError(f"IAID_TOKEN_FILE is empty")
            return token
        except Exception as e:
            raise IAIDTokenError(f"Can't get iaid token, reason: {e}") from e

    @classmethod
    async def _get_token_info(cls) -> TokenInfo:
        iaid_token = await cls.get_token()
        headers = {"X-Auth": iaid_token}
        request = cls._request(cls.TOKEN_INFO, headers=headers, method="GET")
        result = await cls.async_request(request)
        token = result.get("token_info")
        if token is None:
            raise APIError("wrong response %r", result)
        return cls.TokenInfo(**token)

    @classmethod
    def is_token_expired(cls):
        try:
            stat = os.stat(cls.IAID_TOKEN_FILE)
        except FileNotFoundError:
            st_mtime = 0.0
        else:
            st_mtime = stat.st_mtime
        return time.time() - st_mtime > DAY

    @classmethod
    async def register(cls, force=False, attempt=1):
        async with cls._register_lock:
            if not force and cls.is_registered():
                return

            payload = dict()
            server_id = LicenseCLN.get_server_id()
            if server_id:
                payload["server_id"] = server_id

            request = cls._request(cls.REGISTER_URL, **payload)
            try:
                result = await cls.async_request(request)
                cls.IAID_ACTIVATED_FILE.unlink(missing_ok=True)
            except APIError as e:
                logger.warning(
                    "Something went wrong on register %r - attempt %s",
                    e,
                    attempt,
                )
                if (
                    e.status_code is None
                    or e.status_code >= 500
                    or e.status_code == 402
                ) and attempt < _MAX_TRIES:
                    # internal error we may try again
                    cls._add_task(
                        "register",
                        cls.register,
                        force,
                        attempt + 1,
                        attempt=attempt,
                    )
                else:
                    logger.error(
                        "Failed to register (%s) after %s attempts: %r",
                        request.full_url,
                        attempt,
                        e,
                    )
                return
            else:
                atomic_rewrite(
                    str(cls.IAID_FILE),
                    result["iaid"],
                    backup=cls.IAID_FILE.exists(),
                    uid=-1,
                    gid=cls._gid(),
                    permissions=0o640,
                )
                atomic_rewrite(
                    str(cls.IAID_PASSWORD_FILE),
                    result["password"],
                    backup=cls.IAID_PASSWORD_FILE.exists(),
                    permissions=0o600,
                )
                await cls.activate()

    @classmethod
    async def ensure_is_activated_and_valid(cls):
        """Check whether the agent activated"""

        if not cls.IAID_ACTIVATED_FILE.exists():
            await cls.activate()
            return
        lic = LicenseCLN.get_token()
        token = await cls._get_token_info()
        if token.license_status != lic.get(
            "status"
        ) or token.server_id != lic.get("id"):
            logger.error("Got a corrupted token: %r", token)
            await cls.reactivate()
            return
        iaid = cls.IAID_FILE.read_text()
        if not token.valid or token.iaid != iaid or token.need_renew:
            await cls.login()

    @classmethod
    async def activate(cls, attempt=1):
        if cls.IAID_ACTIVATED_FILE.exists():
            g["iaid"] = cls.get_iaid()
            return
        if not cls.is_registered():
            logger.warning("need to register first before activate")
            await cls.register()
            return
        if LicenseCLN.is_free():
            g["iaid"] = cls.get_iaid()
            if cls.is_token_expired():
                await cls.login()
            return
        lic = LicenseCLN.get_token()
        if not lic:
            logger.warning(
                "Can't continue iaid activation: no valid license is found"
            )
            return
        async with cls._activate_lock:
            iaid = cls.IAID_FILE.read_text()
            password = cls.IAID_PASSWORD_FILE.read_text()
            request = cls._request(
                cls.ACTIVATE_URL, iaid=iaid, password=password, license=lic
            )
            g["iaid"] = iaid
            need_to_register = False
            try:
                await cls.async_request(request)
                cls.IAID_ACTIVATED_FILE.touch()
            except APIError as e:
                logger.warning(
                    "Something went wrong on activate %r attempt %s",
                    e,
                    attempt,
                )
                if e.status_code and e.status_code == 401:
                    # need to register again, do it outside of lock
                    need_to_register = True
                elif (
                    e.status_code
                    and (e.status_code >= 500 or e.status_code == 402)
                    and attempt < _MAX_TRIES
                ):
                    # internal error we may try again
                    # 402 - if it is fresh registration it may take
                    # time to sync CLN db
                    cls._add_task(
                        "activate",
                        cls.activate,
                        attempt + 1,
                        attempt=attempt,
                        timeout=_ACTIVATE_MINIMUM_TIMEOUT,
                    )
                else:
                    logger.error(
                        "Failed to activate (%s) after %s attempts: %r",
                        request.full_url,
                        attempt,
                        e,
                    )
            else:
                cls.IAID_TOKEN_FILE.unlink(missing_ok=True)
                await cls.login()
        if need_to_register:
            await cls.register(force=True)

    @classmethod
    async def reactivate(cls):
        cls.IAID_ACTIVATED_FILE.unlink(missing_ok=True)
        await cls.activate()

    @classmethod
    async def login(cls, attempt=1):
        if not cls.is_registered():
            logger.error("need to register first before login")
            return
        iaid = cls.IAID_FILE.read_text()
        password = cls.IAID_PASSWORD_FILE.read_text()

        request = cls._request(cls.LOGIN_URL, iaid=iaid, password=password)
        try:
            result = await cls.async_request(request)
        except APIError as e:
            logger.warning(
                "Something wrong happened on login %r attempt %s", e, attempt
            )
            if attempt < _MAX_TRIES:
                if e.status_code is None or e.status_code >= 500:
                    # internal error we may try again
                    cls._add_task(
                        "login", cls.login, attempt + 1, attempt=attempt
                    )
                elif e.status_code == 401:
                    await cls.register(force=True)
            else:
                logger.error(
                    "Failed to login (%s) after %s attempts: %r",
                    request.full_url,
                    attempt,
                    e,
                )
        else:
            atomic_rewrite(
                str(cls.IAID_TOKEN_FILE),
                result["token"],
                backup=cls.IAID_TOKEN_FILE.exists(),
                uid=-1,
                gid=cls._gid(),
                permissions=0o640,
            )