Implementation for:

   http://issues.roundup-tracker.org/issue2550731

Add mechanism for the detectors to be able to tell the source of the
data changes.

  Support for tx_Source property on database handle. Can be
  used by detectors to find out the source of a change in an auditor to
  block changes arriving by unauthenticated mechanisms (e.g. plain email
  where headers can be faked). The property db.tx_Source has the
  following values:
  * None - Default value set to None. May be valid if it's a script
    that is created by the user. Otherwise it's an error and indicates
    that some code path is not properly setting the tx_Source property.
  * "cli" - this string value is set when using roundup-admin and
    supplied scripts.
  * "web" - this string value is set when using any web based
    technique: html interface, xmlrpc ....
  * "email" - this string value is set when using an unauthenticated
    email based technique.
  * "email-sig-openpgp" - this string value is set when email with a
    valid pgp signature is used. (*NOTE* the testing for this mode
    is incomplete. If you have a pgp infrastructure you should test
    and verify that this is properly set.)

This also includes some (possibly incomplete) tests cases for the
modes above and an example of using ts_Source in the customization.txt
document.

Author: rouilj

CHANGES.txt

@@ -7,6 +7,24 @@ Entries without name were done by Richard Jones.
 
 Features:
 
+- Support for tx_Source property on database handle. Can be used by
+  detectors to find out the source of a change in an auditor to block
+  changes arriving by unauthenticated mechanisms (e.g. plain email
+  where headers can be faked). The property db.tx_Source has the
+  following values:
+  * None - Default value set to None. May be valid if it's a script
+    that is created by the user. Otherwise it's an error and indicates
+    that some code path is not properly setting the tx_Source property.
+  * "cli" - this string value is set when using roundup-admin and
+    supplied scripts.
+  * "web" - this string value is set when using any web based
+    technique: html interface, xmlrpc ....
+  * "email" - this string value is set when using an unauthenticated
+    email based technique.
+  * "email-sig-openpgp" - this string value is set when email with a
+    valid pgp signature is used. (*NOTE* the testing for this mode
+    is incomplete. If you have a pgp infrastructure you should test
+    and verify that this is properly set.)
 - Introducing Template Loader API (anatoly techtonik)
 - Experimental support for Jinja2, try 'jinja2' for template_engine
   in config (anatoly techtonik)

doc/customizing.txt

@@ -4539,6 +4539,73 @@ Scalability
     selected these keywords as nosy keywords. This will eliminate the
     loop over all users.
 
+Restricting updates that arrive by email
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Roundup supports multiple update methods:
+
+1. command line
+2. plain email
+3. pgp signed email
+4. web access
+
+in some cases you may need to prevent changes to properties by some of
+these methods. For example you can set up issues that are viewable
+only by people on the nosy list. So you must prevent unauthenticated
+changes to the nosy list.
+
+Since plain email can be easily forged, it does not provide sufficient
+authentication in this senario.
+
+To prevent this we can add a detector that audits the source of the
+transaction and rejects the update if it changes the nosy list.
+
+Create the detector (auditor) module and add it to the detectors
+directory of your tracker::
+
+   from roundup import roundupdb, hyperdb
+   
+   from roundup.mailgw import Unauthorized
+
+   def restrict_nosy_changes(db, cl, nodeid, newvalues):
+       '''Do not permit changes to nosy via email.'''
+
+       if not (newvalues.has_key('nosy')):
+           # the nosy field has not changed so no need to check.
+           return
+
+       if db.tx_Source in ['web', 'email-sig-openpgp', 'cli' ]:
+	   # if the source of the transaction is from an authenticated
+	   # source or a privileged process allow the transaction.
+	   # Other possible sources: 'email'
+	   return
+
+       # otherwise raise an error
+       raise Unauthorized, \
+	   'Changes to nosy property not allowed via %s for this issue.'%\
+           tx_Source
+	
+   def init(db):
+      ''' Install restrict_nosy_changes to run after other auditors. 
+
+          Allow initial creation email to set nosy.
+          So don't execute: db.issue.audit('create', requestedbyauditor)
+
+          Set priority to 110 to run this auditor after other auditors
+          that can cause nosy to change.
+      '''
+      db.issue.audit('set', restrict_nosy_changes, 110)
+
+This detector (auditor) will prevent updates to the nosy field if it
+arrives by email. Since it runs after other auditors (due to the
+priority of 110), it will also prevent changes to the nosy field that
+are done by other auditors if triggered by an email.
+
+Note that db.tx_Source was not present in roundup versions before
+1.4.21, so you must be running a newer version to use this detector.
+Read the CHANGES.txt document in the roundup source code for further
+details on tx_Source.
+
 Changes to Security and Permissions
 -----------------------------------
 

roundup/admin.py

@@ -1475,6 +1475,8 @@ def run_command(self, args):
         if not self.db:
             self.db = tracker.open('admin')
 
+        self.db.tx_Source = 'cli'
+
         # do the command
         ret = 0
         try:

roundup/cgi/client.py

@@ -792,12 +792,15 @@ def opendb(self, username):
         # open the database or only set the user
         if not hasattr(self, 'db'):
             self.db = self.instance.open(username)
+            self.db.tx_Source = "web"
         else:
             if self.instance.optimize:
                 self.db.setCurrentUser(username)
+                self.db.tx_Source = "web"
             else:
                 self.db.close()
                 self.db = self.instance.open(username)
+                self.db.tx_Source = "web"
                 # The old session API refers to the closed database;
                 # we can no longer use it.
                 self.session_api = Session(self)

roundup/instance.py

@@ -121,6 +121,8 @@ def open(self, name=None):
                 extension(self)
             detectors = self.get_extensions('detectors')
         db = env['db']
+        db.tx_Source = None
+
         # apply the detectors
         for detector in detectors:
             detector(db)

roundup/mailgw.py

@@ -1010,6 +1010,9 @@ def pgp_role():
                     "be PGP encrypted.")
             if self.message.pgp_signed():
                 self.message.verify_signature(author_address)
+                # signature has been verified
+                self.db.tx_Source = "email-sig-openpgp"
+
             elif self.message.pgp_encrypted():
                 # Replace message with the contents of the decrypted
                 # message for content extraction
@@ -1019,8 +1022,26 @@ def pgp_role():
                 encr_only = self.config.PGP_REQUIRE_INCOMING == 'encrypted'
                 encr_only = encr_only or not pgp_role()
                 self.crypt = True
-                self.message = self.message.decrypt(author_address,
-                    may_be_unsigned = encr_only)
+                try:
+                    # see if the message has a valid signature
+                    message = self.message.decrypt(author_address,
+                                                   may_be_unsigned = False)
+                    # only set if MailUsageError is not raised
+                    # indicating that we have a valid signature
+                    self.db.tx_Source = "email-sig-openpgp"
+                except MailUsageError:
+                    # if there is no signature or an error in the message
+                    # we get here. Try decrypting it again if we don't
+                    # need signatures.
+                    if encr_only:
+                        message = self.message.decrypt(author_address,
+                                               may_be_unsigned = encr_only)
+                    else:
+                        # something failed with the message decryption/sig
+                        # chain. Pass the error up.
+                        raise
+                # store the decrypted message      
+                self.message = message
             elif pgp_role():
                 raise MailUsageError, _("""
 This tracker has been configured to require all email be PGP signed or
@@ -1537,6 +1558,9 @@ def handle_message(self, message):
         '''
         # get database handle for handling one email
         self.db = self.instance.open ('admin')
+
+        self.db.tx_Source = "email"
+
         try:
             return self._handle_message(message)
         finally:

scripts/add-issue

@@ -28,6 +28,7 @@ message_text = sys.stdin.read().strip()
 # open the tracker
 tracker = instance.open(tracker_home)
 db = tracker.open('admin')
+db.tx_Source = "cli"
 uid = db.user.lookup('admin')
 try:
     # try to open the tracker as the current user

scripts/copy-user.py

@@ -42,6 +42,9 @@ def copy_user(home1, home2, *userids):
     db1 = instance1.open('admin')
     db2 = instance2.open('admin')
 
+    db1.tx_Source = "cli"
+    db2.tx_Source = "cli"
+
     userlist = db1.user.list()
     for userid in userids:
         try:

scripts/spam-remover

@@ -93,6 +93,8 @@ def main():
         cmd.show_help()
     tracker = instance.open(opt.instance)
     db = tracker.open('admin')
+    db.tx_Source = "cli"
+
     users = dict.fromkeys (db.user.lookup(u) for u in opt.users)
     files_to_remove = {}
     for fn in opt.filenames:

test/memorydb.py

@@ -50,6 +50,10 @@ def create(journaltag, create=True, debug=False):
         execfile(os.path.join(dirname, fn), vars)
         vars['init'](db)
 
+    vars = {}
+    execfile("test/tx_Source_detector.py", vars)
+    vars['init'](db)
+
     '''
     status = Class(db, "status", name=String())
     status.setkey("name")
@@ -194,6 +198,7 @@ def __init__(self, config, journaltag=None):
         self.newnodes = {}      # keep track of the new nodes by class
         self.destroyednodes = {}# keep track of the destroyed nodes by class
         self.transactions = []
+        self.tx_Source = None
 
     def filename(self, classname, nodeid, property=None, create=0):
         shutil.copyfile(__file__, __file__+'.dummy')