{ "info": { "author": "UNKNOWN", "author_email": "UNKNOWN", "bugtrack_url": null, "classifiers": [], "description": "# bdfu: a \"brain dead\"-simple file upload server\n\n[![Build Status](https://travis-ci.org/rjw57/bdfu.svg?branch=master)](https://travis-ci.org/rjw57/bdfu)\n\nBDFU is designed to solve the single problem of letting one or more users\nupload files to some server in an authenticated manner. Specifically, the\nfollowing simplifications are made:\n\n* The users may not choose the filename of the uploaded file; each file is\n named with a\n [UUID](http://en.wikipedia.org/wiki/Universally_unique_identifier).\n\n* Users may not access the files once uploaded. Allowing users read-access to\n the uploaded files is an orthogonal problem.\n\n* Users are authenticated with finite-lifetime [JWT](http://jwt.io/) tokens\n which may be issued manually or automatically.\n\n* The server requires nothing more than Python and a CGI-capable web-server\n although it is also available as a\n [WSGI](http://en.wikipedia.org/wiki/Web_Server_Gateway_Interface)\n application for greater performance.\n\n## Installation\n\nInstallation is done via ``pip`` or ``easy_install``:\n\n```console\n$ pip install bdfu\n```\n\nThe development version may be installed directly from this repository:\n\n```console\n$ pip install -e git+https://github.com/rjw57/bdfu#egg=bdfu\n```\n\n## Configuration\n\nThere is an [example configuration](examples/simple-server.cfg) shipped with\nthe source code to bdfu. 
A simplified version is below:\n\n```python\n# Save this as simple-server.cfg\nJWT_SECRET_KEY = 'supersecret'\nSTORAGE_DIR = '/tmp/bdfu-storage-example'\n```\n\nThe configuration file is itself a Python script and so one may calculate the\nvalues of any of these options.\n\nIn production, one can tell BDFU about this file by setting the environment\nvariable ``BDFU_SETTINGS`` to the *absolute* path of the configuration file.\n\n## Getting started\n\nFirstly, run the example server with the example configuration:\n\n```console\n$ bdfu server /path/to/simple-server.cfg\n```\n\nThis will cause the server to run on http://localhost:8080/. Now, generate a\ntoken for the \"sally\" user:\n\n```console\n$ bdfu gen-token sally supersecret >token-sally.txt\n```\n\nThis token is, by default, set to expire one minute after generation. The\nexpiry time can be set via the ``--expires-in`` option to ``bdfu gen-token``.\n\nTry uploading a 1K file of random data:\n\n```console\n$ dd if=/dev/urandom of=test-file.bin bs=1024 count=1\n$ bdfu upload http://localhost:8080/ `cat token-sally.txt` test-file.bin\necbfb21578ad49548472d955b38ac65b\n```\n\nThe string output by the ``bdfu upload`` is a unique ID for that file. The file\nis uploaded to ``$STORAGE_DIR/$USER/$FILE_ID`` which we can check:\n\n```console\n$ ls /tmp/bdfu-storage-example/sally/\necbfb21578ad49548472d955b38ac65b\n$ diff -qs /tmp/bdfu-storage-example/sally/ecbfb21578ad49548472d955b38ac65b test-file.bin\nFiles /tmp/bdfu-storage-example/sally/ecbfb21578ad49548472d955b38ac65b and test-file.bin are identical\n```\n\n## Token generation\n\nIn addition to the ``bdfu gen-token`` command, there is a [standalone\nexample](examples/make-token.py) shipped with the source. Token generation can\nbe performed by anyone in possession of the server secret. Tokens are standard\n[JWT](http://jwt.io) tokens. 
Indeed, you can paste the tokens generated by\n``bdfu gen-token`` into the JWT website to see their structure yourself.\n\nTokens may either be generated manually by server administrators and given to\nusers or they may be generated automatically by some gateway in possession of\nthe secret. For example, a particular institution may wrap a token-generator in\na web application which is protected by an existing identity provider.\nSimilarly, administrators are free to choose the expiry time for the tokens on a\nper-user basis using whichever policy they see fit.\n\n## Server Deployment\n\n### WSGI\n\nThe BDFU web application is exposed as a standard WSGI application suitable for\nrunning via ``mod_wsgi`` in Apache or similar. There is a [standalone\nserver](examples/simple-server.py) example shipped with the source code.\n\nThe application requires that the HTTP ``Authorization`` header be passed on by\nthe web server. This may not be the default configuration of your server. For\nexample, the Apache web server will require the following directive:\n\n```\nWSGIPassAuthorization On\n```\n\n### CGI\n\nThere is an example [CGI wrapper script](examples/cgi-bin/bdfu) shipped with\nthe source.\n\nThe application requires that the HTTP ``Authorization`` header be passed on by\nthe web server to the CGI script. This may not be the default configuration of\nyour server. For example, the Apache web server will require the following\ndirectives:\n\n```\nRewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule .* - [e=HTTP_AUTHORIZATION:%1]\n```\n\n## Security considerations\n\nAs a \"brain dead\" solution, BDFU aims to be very simple in its security model;\nanyone with access to the server secret can generate tokens and *must* be\ntrusted. For example, no attempt is made to sanitise usernames with respect to\npath separators, etc. A foolish server administrator is free to create a user\ncalled ``../../../../etc/passwd`` if they wish. 
BDFU assumes the server\nadministrator knows what they're doing.\n\nIn general, BDFU aims to be secure up to the point where the token has been\nvalidated but assumes that the claims within the token have not been generated\nby an adversary.", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "UNKNOWN", "keywords": null, "license": "UNKNOWN", "maintainer": null, "maintainer_email": null, "name": "bdfu", "package_url": "https://pypi.org/project/bdfu/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/bdfu/", "project_urls": { "Download": "UNKNOWN", "Homepage": "UNKNOWN" }, "release_url": "https://pypi.org/project/bdfu/1.0.3/", "requires_dist": null, "requires_python": null, "summary": "A \"brain dead\"-simple file upload server", "version": "1.0.3" }, "last_serial": 1439244, "releases": { "1.0.0": [ { "comment_text": "", "digests": { "md5": "ebc9a21fdad763453fe478cdf2aea1fb", "sha256": "b81b668a46dc3c6059883d659357e7c712443bedcbe8aac4496f7926b82e5f09" }, "downloads": -1, "filename": "bdfu-1.0.0.tar.gz", "has_sig": false, "md5_digest": "ebc9a21fdad763453fe478cdf2aea1fb", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6448, "upload_time": "2015-02-26T13:20:16", "url": "https://files.pythonhosted.org/packages/27/67/5590a91860c126c7d67642a8289232e16bbb4a024a63979ae18642b6b373/bdfu-1.0.0.tar.gz" } ], "1.0.1": [ { "comment_text": "", "digests": { "md5": "a90e05e2e84ddf2337130dd89349d4d2", "sha256": "bafd83a24c887b02fd8c61cfadae412802234e355b52728d5550c1767fd5f364" }, "downloads": -1, "filename": "bdfu-1.0.1.tar.gz", "has_sig": false, "md5_digest": "a90e05e2e84ddf2337130dd89349d4d2", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8137, "upload_time": "2015-02-26T13:22:28", "url": 
"https://files.pythonhosted.org/packages/82/20/fd2260dc02e2eba39c7c0633d1ca555482e09cabd5c2e5888cfd54dfd998/bdfu-1.0.1.tar.gz" } ], "1.0.2": [ { "comment_text": "", "digests": { "md5": "70ac65a5751cf98134f9d99f66b748fd", "sha256": "fc07acaddc4e31f25a5ac39e7c6a82fa3487589a7f07d0b092deef82b351ecb0" }, "downloads": -1, "filename": "bdfu-1.0.2.tar.gz", "has_sig": false, "md5_digest": "70ac65a5751cf98134f9d99f66b748fd", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8202, "upload_time": "2015-02-26T13:25:43", "url": "https://files.pythonhosted.org/packages/af/34/51328dab7234b8644cbd3a24ba2f610f77a1806281ca6ec1ab3cbb754997/bdfu-1.0.2.tar.gz" } ], "1.0.3": [ { "comment_text": "", "digests": { "md5": "bdfde38386594219f4c83b08c5c745ae", "sha256": "e061d9e05f4d9b7808ad9b936f8e802301a990e4431c46a0236d85ff78756926" }, "downloads": -1, "filename": "bdfu-1.0.3.tar.gz", "has_sig": false, "md5_digest": "bdfde38386594219f4c83b08c5c745ae", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8967, "upload_time": "2015-02-26T13:29:13", "url": "https://files.pythonhosted.org/packages/46/d3/780ebd03cebd7f9cfc8821e961d136ef1e68ebce8e6234c0579102ddcb0a/bdfu-1.0.3.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "bdfde38386594219f4c83b08c5c745ae", "sha256": "e061d9e05f4d9b7808ad9b936f8e802301a990e4431c46a0236d85ff78756926" }, "downloads": -1, "filename": "bdfu-1.0.3.tar.gz", "has_sig": false, "md5_digest": "bdfde38386594219f4c83b08c5c745ae", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8967, "upload_time": "2015-02-26T13:29:13", "url": "https://files.pythonhosted.org/packages/46/d3/780ebd03cebd7f9cfc8821e961d136ef1e68ebce8e6234c0579102ddcb0a/bdfu-1.0.3.tar.gz" } ] }