Kiwipycon command line

My talk at KiwiPyCon 2011 about securely giving your website a command line API


  1. Giving your website a command line interface
     Michael Hudson-Doyle
     michael.hudson@linaro.org

  2. Linaro and its mission
     Linaro aims to make Linux work better on ARM processors

  3. The Problem
     The ARM ecosystem is very fragmented, and the kernel has a lot of copy and paste code
     "Gaah. Guys, this whole ARM thing is a f*cking pain in the ass."
     — Linus Torvalds, 17 Mar 2011
     https://lwn.net/Articles/437170/

  4. Enter Linaro!
     "Linaro is a not-for-profit software engineering company investing in core Linux software and tools for ARM SoCs."
     Also about educating the members in how to do open source development...

  5. LAVA - Linaro Automated Validation
     A big part of Linaro is about automated validation:
       • Find regressions earlier
       • Also benchmark toolchain improvements
       • Maybe even power management changes too...

  6. LAVA
     We have a bunch of hardware

  7. LAVA
     Some scripts and tricks that can boot a board with a new kernel and run some tests.
     Quick Demo
     (ever the optimist)

  8. LAVA
     And a website that lets you see what's going on

  9. The Problem (finally!)
     We want to do things like trigger test runs when a kernel build finishes.
     This basically means some kind of Remote Procedure Call (RPC).

  10. Paranoia
     For a bunch of reasons, we need some kind of security in our system:
       • The boards in our lab are a limited resource
       • Some risk of mischief
       • Eventually may have test results from unreleased hardware or benchmarks with licenses that forbid publication of results

  11. Protocol Choices
       • We use XML-RPC
       • We didn't think about this very hard but it is well supported in most languages
       • Will probably add JSON-RPC support at some point for easier browser access

  12. First idea: OAuth
     An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.
     – http://oauth.net/

  13. The great thing about standards...
     <bob2> kennethreitz: oauth is a font of villainy and despair
     -- #python, Jun 09 11:55:08

  14. Also doesn't solve our problem
     OAuth specifies that various aspects of the request are signed, but not, crucially for us, the body of the request – an important detail, because in XML-RPC the body of the request is where all the important stuff is.

  15. Transport Layer Security, here we come
     If you're going as far as to cryptographically sign something, it's not much further to go to actually just encrypt it!

  16. And what does everyone know about encryption?
     Don't implement it yourself
     (i.e. use HTTPS)

  17. Back to Basic
     And if you're operating over HTTPS, you might as well just use good old RFC 2617 Basic Authentication...
     ... but with tokens rather than passwords

  18. Tokens > Passwords
     Because we expect the RPC to be invoked from build systems and so on, there is a moderate chance of the token being leaked – so it should not let you take over the owning user's account.
     In the future, a token might only let you access some APIs.

  19. Also, we use SSO...
     In addition we use Launchpad's SSO service for authentication, so most users don't have a LAVA password!

  20. Show me the code!
     On the server side, we've built a library that lets you add authenticating XML-RPC to a Django project:
     https://launchpad.net/linaro-django-xmlrpc
     It includes views and models (and very very simple templates) for creating and managing tokens.

  21. Server side code
     example/api.py:

         from linaro_django_xmlrpc.models import ExposedAPI
         from linaro_django_xmlrpc.globals import mapper

         class ExampleAPI(ExposedAPI):
             def whoami(self):
                 # self.user is the user the request's token belongs to, if any
                 if self.user:
                     return self.user.username
                 else:
                     return None

         mapper.register(ExampleAPI)

     in your urlconf:

         url(r'', include('linaro_django_xmlrpc.urls')),

  22. Client side library
     This isn't properly factored yet really (it's all mashed up with our toolkit for doing command line tools), but the code is in "lava-tool":
     https://launchpad.net/lava-tool
     It uses python-keyring for token management.

  23. Client-side code

         from lava_tool.authtoken import (
             AuthenticatingServerProxy, KeyringAuthBackend)

         # token: the token string created for "user" on the server
         auth_backend = KeyringAuthBackend()
         auth_backend.add_token(
             "user", "http://server/RPC2/", token)
         sp = AuthenticatingServerProxy(
             "http://user@server/RPC2/",
             auth_backend=auth_backend)
         print(sp.whoami())

  24. Demo
     (assuming the first one wasn't a disaster)

  25. Conclusion
     The lesson:
     Don't try to be clever – just use HTTPS and Basic auth.
     The code:
     lp:linaro-django-xmlrpc
     lp:lava-tool

  26. Thanks for listening!
     Any Questions?
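
The point of the "Also doesn't solve our problem" slide, as an added example (not code from the talk or from LAVA): the OAuth 1.0 HMAC-SHA1 signature base string (RFC 5849) takes in the request body only when it is form-encoded, so two different XML-RPC bodies produce the same signature. The host, keys, secrets and the `other_method` name are constructed placeholders, and the URL is assumed to be already normalised with no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

FORM = "application/x-www-form-urlencoded"

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters stay as they are
    return quote(s, safe="-._~")

def oauth1_signature(method, url, oauth_params, body, content_type,
                     consumer_secret, token_secret):
    params = list(oauth_params.items())
    # The body enters the signature only as a form-encoded parameter list.
    if content_type == FORM:
        params += parse_qsl(body, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string.encode("ascii"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

# Constructed sample request (placeholder values throughout).
OAUTH = {
    "oauth_consumer_key": "example-consumer",
    "oauth_token": "example-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1314400000",
    "oauth_nonce": "constructed-nonce",
}
URL = "https://lava.example/RPC2/"

def xmlrpc_call(method_name):
    return ("<?xml version='1.0'?><methodCall><methodName>%s</methodName>"
            "<params/></methodCall>" % method_name)

def sign(body, content_type):
    return oauth1_signature("POST", URL, OAUTH, body, content_type,
                            "consumer-secret", "token-secret")

def body_is_covered(body_a, body_b, content_type):
    # True if changing the body changes the signature
    return sign(body_a, content_type) != sign(body_b, content_type)
```

`body_is_covered(xmlrpc_call("whoami"), xmlrpc_call("other_method"), "text/xml")` is false, while the same comparison on two form-encoded bodies is true.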
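
One way to check "Basic Authentication, but with tokens rather than passwords" on the server, as an added example and not the code of linaro-django-xmlrpc: the token travels in the password field of the RFC 2617 header, only its SHA-256 digest is stored, and a leaked token can be revoked without touching the owning user's account. The in-memory store and all function names are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed in-memory store: username -> set of SHA-256 digests of tokens.
TOKENS = {}

def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_token(username):
    """Create a random token, keep only its digest, return the secret once."""
    token = secrets.token_urlsafe(32)
    TOKENS.setdefault(username, set()).add(_digest(token))
    return token

def revoke_token(username, token):
    TOKENS.get(username, set()).discard(_digest(token))

def basic_header(username, token):
    raw = f"{username}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def authenticate(authorization_header, is_https):
    """Return the username for a valid 'Basic user:token' header, else None."""
    if not is_https or not authorization_header:
        return None  # credentials are only accepted over HTTPS
    scheme, _, payload = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 2617: the user-id cannot contain ':', so split on the first one.
    username, sep, token = decoded.partition(":")
    if not sep:
        return None
    presented = _digest(token)
    ok = False
    for stored in TOKENS.get(username, ()):
        ok |= hmac.compare_digest(stored, presented)  # constant-time compare
    return username if ok else None
```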
