Skip to content

Commit

Permalink
Store token in protected file (intel#1585)
Browse files Browse the repository at this point in the history
Signed-off-by: bmyrcha <[email protected]>
  • Loading branch information
bmyrcha authored Feb 2, 2024
1 parent b8d98eb commit c6f9cca
Showing 1 changed file with 49 additions and 26 deletions.
75 changes: 49 additions & 26 deletions neural_insights/web/configuration.py
Original file line number Diff line number Diff line change
Expand Up @@ -226,36 +226,59 @@ def dump_token_to_file(self) -> None:
"""Dump token to file."""
token_filepath = os.path.join(WORKDIR_LOCATION, "token")
os.makedirs(os.path.dirname(token_filepath), exist_ok=True)
with open(token_filepath, "w") as token_file:
token_file.write(self.token)

if sys.platform == "win32":
import ntsecuritycon as con # pylint: disable=import-error
import win32api # pylint: disable=import-error
import win32security # pylint: disable=import-error

user, _, _ = win32security.LookupAccountName("", win32api.GetUserName())
security_descriptor = win32security.GetFileSecurity(
token_filepath,
win32security.DACL_SECURITY_INFORMATION,
)
dacl = win32security.ACL()
dacl.AddAccessAllowedAce(
win32security.ACL_REVISION,
con.FILE_GENERIC_READ | con.FILE_GENERIC_WRITE,
user,
)
security_descriptor.SetSecurityDescriptorDacl(1, dacl, 0)
win32security.SetFileSecurity(
token_filepath,
win32security.DACL_SECURITY_INFORMATION,
security_descriptor,
)
else:
os.chown(token_filepath, uid=os.geteuid(), gid=os.getgid())
os.chmod(token_filepath, 0o600)
self.create_secured_token_file_win(token_filepath)

try:
token_file = os.open(token_filepath, flags=os.O_WRONLY | os.O_CREAT, mode=0o600)
os.write(token_file, self.token.encode())
except Exception as err:
raise err
finally:
os.close(token_file)

log.debug(f"Token has been dumped to {token_filepath}.")

@staticmethod
def create_secured_token_file_win(token_filepath: str):
"""Create secured file on Windows OS."""
import ntsecuritycon as con # pylint: disable=import-error
import win32api # pylint: disable=import-error
import win32file # pylint: disable=import-error
import win32security # pylint: disable=import-error

username = win32api.GetUserName()
os.makedirs(os.path.dirname(token_filepath), exist_ok=True)

if os.path.exists(token_filepath):
os.remove(token_filepath)

security_descriptor = win32security.SECURITY_DESCRIPTOR()
user_sid, _, _ = win32security.LookupAccountName("", username)

access_rights = con.FILE_ALL_ACCESS

dacl = win32security.ACL()
dacl.AddAccessAllowedAce(win32security.ACL_REVISION, access_rights, user_sid)

security_descriptor.SetSecurityDescriptorDacl(1, dacl, 0)

security_attributes = win32security.SECURITY_ATTRIBUTES()
security_attributes.SECURITY_DESCRIPTOR = security_descriptor

handle = win32file.CreateFile(
token_filepath,
win32file.GENERIC_WRITE,
win32file.FILE_SHARE_READ,
security_attributes,
win32file.CREATE_NEW,
win32file.FILE_ATTRIBUTE_NORMAL,
None,
)

win32file.CloseHandle(handle)

def _ensure_valid_port(self, port: int) -> None:
"""Validate if proposed port number is allowed by TCP/IP."""
if port < 1:
Expand Down

0 comments on commit c6f9cca

Please sign in to comment.