fix: make os header optional

..to prevent problems with mail internal hosts

.github/workflows/main.yaml

@@ -5,6 +5,8 @@ on:
     branches:
       - "master"
       - "ldap-ng-dev"
+  schedule:
+      - cron: "0 2 * * 0"
 
 jobs:
   docker:
@@ -29,10 +31,18 @@ jobs:
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASS }}
       -
-        name: Build and push signal-event-dispatcher
+        name: Build and push event-dispatcher
         uses: docker/build-push-action@v3
         with:
-          context: .
+          context: ./server/
           platforms: linux/amd64
           push: true
-          tags: "${{ secrets.REGISTRY }}/athq/event-dispatcher:latest"
+          tags: "${{ secrets.REGISTRY }}/atlantishq/event-dispatcher:latest"
+      -
+        name: Build and push event-dispatcher
+        uses: docker/build-push-action@v3
+        with:
+          context: ./client/
+          platforms: linux/amd64
+          push: true
+          tags: "${{ secrets.REGISTRY }}/atlantishq/event-dispatcher-worker:latest"

.gitignore

@@ -1,4 +1,9 @@
 *.swp
+*.sqlite
+sqlite.db
 instance/
 __pycache__/
 signal_targets.txt
+sqlite.db
+substitutions.yaml
+test.env

Dockerfile

@@ -1,25 +0,0 @@
-FROM python:3.9-slim-buster
-
-RUN apt update
-RUN apt install python3-pip -y
-RUN apt install libsasl2-dev python-dev libldap2-dev libssl-dev -y
-RUN python3 -m pip install --upgrade pip
-RUN apt install curl -y
-RUN apt autoremove -y
-RUN apt clean
-
-WORKDIR /app
-
-RUN python3 -m pip install waitress
-
-COPY req.txt .
-RUN python3 -m pip install --no-cache-dir -r req.txt
-
-# precreate database directory for mount (will otherwise be created at before_first_request)
-COPY ./ .
-RUN mkdir /app/instance/
-
-EXPOSE 5000/tcp
-
-ENTRYPOINT ["waitress-serve"]
-CMD ["--host", "0.0.0.0", "--port", "5000", "--call", "app:createApp" ]

client/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine
+
+WORKDIR /app/
+RUN apk --update --no-cache add python3 py3-requests
+
+COPY ./*.py ./
+
+ENTRYPOINT ["python"]
+CMD ["dispatch-query.py"]

client/dispatch-query.py

@@ -0,0 +1,212 @@
+#!/usr/bin/python3
+
+import sys
+import time
+import argparse
+import subprocess
+import os
+import requests
+import smtphelper
+import json
+
+HTTP_NOT_FOUND = 404
+
+DISPATCH_SERVER = None
+DISPATCH_ACCESS_TOKEN = None
+
+def debug_send(uuid, data, fail_it=False):
+    '''Dummy function to print and ack a dispatch for debugging'''
+
+    print(json.dumps(data, indent=2))
+    if fail_it:
+        report_failed_dispatch(uuid, "Dummy Error for Debugging")
+    else:
+        confirm_dispatch(uuid)
+
+
+def email_send(dispatch_uuid, email_address, message, smtp_target,
+                smtp_target_port, smtp_user, smtp_pass):
+    '''Send message via email'''
+  
+    if not email_address:
+        print("Missing E-Mail Address for STMP send", file=sys.stderr)
+        report_failed_dispatch(dispatch_uuid, "Missing email-field in dispatch infor")
+        return
+
+    subject = "Atlantis Dispatch"
+    smtphelper.smtp_send(smtp_target, smtp_target_port, smtp_user, smtp_pass, email_address,
+                            subject, message)
+    confirm_dispatch(dispatch_uuid)
+
+def ntfy_api_get_topic(ntfy_api_server, ntfy_api_token, username):
+    '''Get the topic of the user'''
+
+    params = {
+        "user" : username,
+        "token" : ntfy_api_token,
+    }
+
+    r = requests.get(ntfy_api_server + "/topic", params=params)
+    if r.status_code != 200:
+        print(r.text)
+        return None
+    else:
+        print(r.text)
+        return r.json().get("topic")
+
+def ntfy_send(dispatch_uuid, user_topic, title, message, ntfy_push_target, ntfy_user, ntfy_pass):
+    '''Send message via NTFY topic'''
+
+    if not user_topic:
+        report_failed_dispatch(dispatch_uuid, "No user topic")
+        return
+
+    try:
+
+        # build message #
+        payload = {
+            "topic" : user_topic,
+            "message" : message,
+            "title" : title or "Atlantis Notify",
+            #"tags" : [],
+            "priority" : 4,
+            #"attach" : None,
+            "click" : "https://vid.pr0gramm.com/2022/11/06/ed66c8c5a9cd1a3b.mp4",
+            #"actions" : []
+        }
+
+        # send #
+        r = requests.post(ntfy_push_target, auth=(ntfy_user, ntfy_pass), json=payload)
+        print(r.status_code, r.text, payload)
+        r.raise_for_status()
+
+        # talk to dispatch #
+        confirm_dispatch(dispatch_uuid)
+
+    except requests.exceptions.HTTPError as e:
+        report_failed_dispatch(dispatch_uuid, str(e))
+    except requests.exceptions.ConnectionError as e:
+        report_failed_dispatch(dispatch_uuid, str(e))
+
+def report_failed_dispatch(uuid, error):
+    '''Inform the server that the dispatch has failed'''
+
+    payload = [{ "uuid" : uuid, "error" : error }]
+    response = requests.post(DISPATCH_SERVER + "/report-dispatch-failed", json=payload)
+
+    if response.status_code not in [200, 204]:
+        print("Failed to report back failed dispatch for {} ({})".format(
+                    uuid, response.text), file=sys.stderr)
+
+def confirm_dispatch(uuid):
+    '''Confirm to server that message has been dispatched and can be removed'''
+
+    payload = [{ "uuid" : uuid }]
+    response = requests.post(DISPATCH_SERVER + "/confirm-dispatch", json=payload)
+
+    if response.status_code not in [200, 204]:
+        print("Failed to confirm dispatch with server for {} ({})".format(
+                    uuid, response.text), file=sys.stderr)
+
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='Query Atlantis Dispatch for Signal',
+                        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+
+    parser.add_argument('--dispatch-server')
+    parser.add_argument('--dispatch-access-token')
+
+    parser.add_argument('--ntfy-api-server')
+    parser.add_argument('--ntfy-api-token')
+
+    parser.add_argument('--ntfy-push-target')
+    parser.add_argument('--ntfy-user')
+    parser.add_argument('--ntfy-pass')
+
+    parser.add_argument('--smtp-target')
+    parser.add_argument('--smtp-user')
+    parser.add_argument('--smtp-pass')
+    parser.add_argument('--smtp-port', type=int)
+
+    parser.add_argument('--loop', default=True, action=argparse.BooleanOptionalAction)
+
+    args = parser.parse_args() 
+
+
+    dispatch_server = args.dispatch_server or os.environ.get("DISPATCH_SERVER")
+    dispatch_access_token = args.dispatch_access_token or os.environ.get("DISPATCH_ACCESS_TOKEN")
+
+    # set dispatch server & authentication global #
+    DISPATCH_SERVER = dispatch_server
+    DISPATCH_ACCESS_TOKEN = dispatch_access_token
+
+    ntfy_api_server = args.ntfy_api_server or os.environ.get("NTFY_API_SERVER")
+    ntfy_api_token = args.ntfy_api_token or os.environ.get("NTFY_API_TOKEN")
+
+    ntfy_push_target = args.ntfy_push_target or os.environ.get("NTFY_PUSH_TARGET")
+    ntfy_user = args.ntfy_user or os.environ.get("NTFY_USER")
+    ntfy_pass = args.ntfy_pass or os.environ.get("NTFY_PASS")
+
+    smtp_target = args.smtp_target or os.environ.get("SMTP_TARGET")
+    smtp_user = args.smtp_user or os.environ.get("SMTP_USER")
+    smtp_pass = args.smtp_pass or os.environ.get("SMTP_PASS")
+    smtp_port = args.smtp_port or os.environ.get("SMTP_PORT")
+
+    first_run = True
+    while args.loop or first_run:
+
+        # request dispatches #
+        response = requests.get(dispatch_server + 
+            "/get-dispatch?method=all&timeout=0&dispatch-access-token={}".format(DISPATCH_ACCESS_TOKEN))
+
+        # check status #
+        if response.status_code == HTTP_NOT_FOUND:
+            sys.exit(0)
+
+        # fallback check for status #
+        response.raise_for_status()
+
+        # track dispatches that were confirmed to avoid duplicate confirmation #
+        dispatch_confirmed = []
+
+        # track failed dispatches #
+        errors = dict()
+
+        # iterate over dispatch requests #
+        for entry in response.json():
+
+            user = entry["username"]
+            dispatch_uuid = entry["uuid"]
+            method = entry["method"]
+            message = entry["message"]
+            title = entry.get("title")
+
+            # method dependent fields #
+            phone = entry.get("phone")
+            email_address = entry.get("email")
+
+            # send message #
+            if method == "signal":
+                pass
+            elif method == "ntfy":
+                user_topic = ntfy_api_get_topic(ntfy_api_server, ntfy_api_token, user)
+                ntfy_send(dispatch_uuid, user_topic, title, message,
+                                ntfy_push_target, ntfy_user, ntfy_pass)
+            elif method == "email":
+                email_send(dispatch_uuid, email_address, message, smtp_target,
+                                smtp_port, smtp_user, smtp_pass)
+            elif method == "debug":
+                debug_send(dispatch_uuid, entry)
+            elif method == "debug-fail":
+                debug_send(dispatch_uuid, entry, fail_it=True)
+            else:
+                print("Unsupported dispatch method {}".format(entry["method"]), sys=sys.stderr)
+                continue
+
+        # wait a moment #
+        if args.loop:
+            time.sleep(5)
+        
+        # handle non-loop runs #
+        first_run = False

client/smtphelper.py

@@ -0,0 +1,37 @@
+import smtplib
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+
+def smtp_send(server, port, user, password, recipient, subject, body):
+
+    # Email and password for authentication
+    sender_email = user
+    sender_password = password
+    
+    # Recipient email address
+    recipient_email = recipient
+    
+    # SMTP server details
+    smtp_server = server
+    smtp_port = port or 25
+    
+    # Create a message
+    message = MIMEMultipart()
+    message['From'] = sender_email
+    message['To'] = recipient_email
+    message['Subject'] = subject
+    
+    # Add body to email
+    body = body
+    message.attach(MIMEText(body, 'plain'))
+    
+    # Establish a connection to the SMTP server
+    server = smtplib.SMTP(smtp_server, smtp_port)
+    server.starttls()  # Secure the connection
+    server.login(sender_email, sender_password)
+    
+    # Send the email
+    server.sendmail(sender_email, recipient_email, message.as_string())
+    
+    # Close the connection
+    server.quit()

interface.py

@@ -1,194 +0,0 @@
-#!/usr/bin/python3
-
-import argparse
-import flask
-import sys
-import subprocess
-import os
-import datetime
-import secrets
-
-import ldaptools
-import messagetools
-
-from sqlalchemy import Column, Integer, String, Boolean, or_, and_
-from sqlalchemy.orm import sessionmaker
-from sqlalchemy.exc import IntegrityError
-from sqlalchemy.sql import func
-import sqlalchemy
-from flask_sqlalchemy import SQLAlchemy
-from sqlalchemy.sql.expression import func
-
-
-HOST = "icinga.atlantishq.de"
-app = flask.Flask("Signal Notification Gateway")
-app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///sqlite.db"
-db = SQLAlchemy(app)
-
-class DispatchObject(db.Model):
-
-    __tablename__ = "dispatch_queue"
-
-    username = Column(String, primary_key=True)
-    timestamp = Column(Integer, primary_key=True)
-    phone = Column(String)
-    email = Column(String)
-    message = Column(String, primary_key=True)
-    method = Column(String)
-    dispatch_secret = Column(String)
-
-
-@app.route('/get-dispatch')
-def get_dispatch():
-    '''Retrive consolidated list of dispatched objects'''
-
-    method = flask.request.args.get("method")
-    if not method:
-        return (500, "Missing Dispatch Target (signal|email|phone)")
-
-    # prevent message floods #
-    timeout_cutoff = datetime.datetime.now() - datetime.timedelta(seconds=5)
-    timeout_cutoff_timestamp = timeout_cutoff.timestamp()
-
-    lines_unfiltered = db.session.query(DispatchObject)
-    lines_timeout = lines_unfiltered.filter(DispatchObject.timestamp < timeout_cutoff_timestamp)
-    dispatch_objects = lines_timeout.filter(DispatchObject.method == method).all()
-
-    # accumulate messages by person #
-    dispatch_by_person = dict()
-    dispatch_secrets = []
-    for dobj in dispatch_objects:
-        if dobj.username not in dispatch_by_person:
-            dispatch_by_person.update({ dobj.username : dobj.message })
-            dispatch_secrets.append(dobj.dispatch_secret)
-        else:
-            dispatch_by_person[dobj.username] += "\n{}".format(dobj.message)
-            dispatch_secrets.append(dobj.dispatch_secret)
-
-    response = [ { "person" : str(tupel[0]), "message" : tupel[1], "method" : method, "uids" : dispatch_secrets }
-                    for tupel in dispatch_by_person.items() ]
-
-    return flask.jsonify(response)
-
-
-@app.route('/confirm-dispatch', methods=["POST"])
-def confirm_dispatch():
-    '''Confirm that a message has been dispatched by replying with its dispatch secret/uid'''
-
-    confirms = flask.request.json
-
-    for c in confirms:
-
-        uid = c["uid"]
-        dpo = db.session.query(DispatchObject).filter(DispatchObject.dispatch_secret == uid).first()
-
-        if not dpo:
-            return ("No pending dispatch for this UID/Secret", 404)
-
-        db.session.delete(dpo)
-        db.session.commit()
-
-    return ("", 204)
-
-
-@app.route('/smart-send', methods=["POST"])
-def smart_send_to_clients():
-    '''Send to clients based on querying the LDAP
-        requests MAY include:
-            - list of usernames under key "users"
-            - list of groups    under key "groups"
-            - neither of the above to automatically target the configured administrators group"
-        retuest MUST include:
-            - message as STRING in field "msg"
-            OR
-            - supported struct of type "ICINGA|ZABBIX|GENERIC" (see docs) in field "data"
-    '''
-
-    instructions = flask.request.json
-
-    users = instructions.get("users")
-    groups = instructions.get("groups")
-    message = instructions.get("msg")
-
-    struct = instructions.get("data")
-    if struct:
-        try:
-            message = messagetools.load_struct(struct)
-        except messagetools.UnsupportedStruct as e:
-            return (e.response(), 408)
-
-
-    persons = ldaptools.select_targets(users, groups, app.config["LDAP_ARGS"])
-    save_in_dispatch_queue(persons, message)
-    return ("OK", 200)
-
-
-def save_in_dispatch_queue(persons, message):
-
-    for p in persons:
-
-        if not p:
-            continue
-
-        # this secret will be needed to confirm the message as dispatched #
-        dispatch_secret = secrets.token_urlsafe(32)
-
-        obj = DispatchObject(username=p.username,
-                        phone=p.phone,
-                        email=p.email,
-                        method="signal",
-                        timestamp=datetime.datetime.now().timestamp(),
-                        dispatch_secret=dispatch_secret,
-                        message=message)
-        db.session.merge(obj)
-        db.session.commit()
-
-def create_app():
-
-    db.create_all()
-
-    if not app.config.get("LDAP_NO_READ_ENV"):
-        ldap_args = {
-            "LDAP_SERVER"  : os.environ["LDAP_SERVER"],
-            "LDAP_BIND_DN" : os.environ["LDAP_BIND_DN"],
-            "LDAP_BIND_PW" : os.environ["LDAP_BIND_PW"],
-            "LDAP_BASE_DN" : os.environ["LDAP_BASE_DN"]
-        }
-        app.config["LDAP_ARGS"] = ldap_args
-        print("Setting LDAP_ARGS...")
-
-if __name__ == "__main__":
-
-    parser = argparse.ArgumentParser(description='Simple Telegram Notification Interface',
-                        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
-
-    parser.add_argument('--interface', default="localhost", help='Interface on which to listen')
-    parser.add_argument('--port', default="5000", help='Port on which to listen')
-    parser.add_argument("--signal-cli-bin", default=None, type=str,
-                            help="Path to signal-cli binary if no in $PATH")
-
-    parser.add_argument('--ldap-server')
-    parser.add_argument('--ldap-base-dn')
-    parser.add_argument('--ldap-manager-dn')
-    parser.add_argument('--ldap-manager-password')
-
-    args = parser.parse_args()
-
-    # define ldap args #
-    ldap_args = {
-        "LDAP_SERVER" : args.ldap_server,
-        "LDAP_BIND_DN" : args.ldap_manager_dn,
-        "LDAP_BIND_PW" : args.ldap_manager_password,
-        "LDAP_BASE_DN" : args.ldap_base_dn,
-    }
-    app.config["LDAP_NO_READ_ENV"] = True
-
-    if not any([value is None for value in ldap_args.values()]):
-        app.config["LDAP_ARGS"] = ldap_args
-    else:
-        app.config["LDAP_ARGS"] = None
-
-    with app.app_context():
-        create_app()
-
-    app.run(host=args.interface, port=args.port, debug=True)

messagetools.py

@@ -1,26 +0,0 @@
-class UnsupportedStruct(Exception):
-
-    def __init__(self, struct):
-
-        self.message = "{} is invalid struct and not a message".format(str(struct))
-        super().__init__(self.message)
-
-def make_icinga_message(struct):
-    pass
-
-def make_generic_message(struct):
-    pass
-
-def load_struct(struct):
-    
-    if type(struct) == str:
-        return struct
-    elif not struct.get("type"):
-        raise UnsupportedStruct(struct)
-
-    if struct.get("type") == "icinga":
-        return make_icinga_message(struct)
-    elif struct.get("type") == "generic":
-        return make_generic_message(struct)
-    else:
-        raise UnsupportedStruct(struct)

server/Dockerfile

@@ -0,0 +1,22 @@
+FROM alpine
+
+RUN apk add --update --no-cache python3 py3-pip py3-ldap
+
+WORKDIR /app
+
+RUN python3 -m pip install --no-cache-dir --break-system-packages waitress
+
+COPY req.txt .
+
+# remove python-ldap (installed via apk) #
+RUN sed -i '/^python-ldap.*$/d' req.txt
+RUN python3 -m pip install --no-cache-dir --break-system-packages -r req.txt
+
+# precreate database directory for mount (will otherwise be created at before_first_request)
+COPY ./ .
+RUN mkdir -p /app/instance/
+
+EXPOSE 5000/tcp
+
+ENTRYPOINT ["waitress-serve"]
+CMD ["--host", "0.0.0.0", "--port", "5000", "--call", "app:createApp" ]

server/interface.py

@@ -0,0 +1,526 @@
+#!/usr/bin/python3
+
+import argparse
+import flask
+import sys
+import subprocess
+import os
+import datetime
+import secrets
+import yaml
+
+import ldaptools
+import messagetools
+
+from sqlalchemy import Column, Integer, String, Boolean, or_, and_
+from sqlalchemy.orm import sessionmaker
+from sqlalchemy.exc import IntegrityError
+from sqlalchemy.sql import func
+import sqlalchemy
+from flask_sqlalchemy import SQLAlchemy
+from sqlalchemy.sql.expression import func
+
+OPENSEARCH_HEADER_SEPERATOR = ","
+HOST = "icinga.atlantishq.de"
+app = flask.Flask("Signal Notification Gateway")
+app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///sqlite.db"
+db = SQLAlchemy(app)
+
+BAD_DISPATCH_ACCESS_TOKEN = "Invalid or missing dispatch-access-token parameter in URL"
+
+def _apply_substitution(string):
+
+    if not string:
+        return string
+
+    for replace, match in app.config["SUBSTITUTIONS"].items():
+        string = string.replace(match, replace)
+
+    return string
+
+class WebHookPaths(db.Model):
+
+    __tablename__ = "webhook_paths"
+
+    username = Column(String, primary_key=True)
+    path = Column(String, primary_key=True)
+
+class UserSettings(db.Model):
+
+    __tablename__ = "user_settings"
+
+    username = Column(String, primary_key=True)
+    signal_priority = Column(Integer)
+    email_priority = Column(Integer)
+    ntfy_priority = Column(Integer)
+
+    def get_highest_prio_method(self):
+
+        if self.signal_priority >= max(self.email_priority, self.ntfy_priority):
+            return "signal"
+        elif self.email_priority >= max(self.signal_priority, self.ntfy_priority):
+            return "email"
+        else:
+            return "ntfy"
+
+    def serizalize(self):
+        return {
+            "username" : self.username,
+            "signal_priority" : self.signal_priority,
+            "email_priority" : self.email_priority,
+            "ntfy_priority" : self.ntfy_priority,
+        }
+        
+
+class DispatchObject(db.Model):
+
+    __tablename__ = "dispatch_queue"
+
+    username = Column(String, primary_key=True)
+    timestamp = Column(Integer, primary_key=True)
+    phone = Column(String)
+    email = Column(String)
+
+    title = Column(String)
+    message = Column(String, primary_key=True)
+    method = Column(String)
+
+    dispatch_secret = Column(String)
+    dispatch_error = Column(String)
+
+    def serialize(self):
+
+        ret = {
+            "person" : self.username, # legacy field TODO remove at some point
+            "username" : self.username,
+            "timestamp" : self.timestamp,
+            "phone" : self.phone,
+            "email" : self.email,
+            "title" : _apply_substitution(self.title),
+            "message" : _apply_substitution(self.message),
+            "uuid" : self.dispatch_secret,
+            "method" : self.method,
+            "error" : self.dispatch_error,
+        }
+
+        # fix bytes => string from LDAP #
+        for key, value in ret.items():
+            if type(value) == bytes:
+                ret[key] = value.decode("utf-8")
+
+        if ret["method"] == "any":
+            user_settings = db.session.query(UserSettings).filter(
+                                UserSettings.username == ret["username"]).first()
+
+            if not user_settings and self.phone:
+                ret["method"] = "signal"
+            elif not user_settings and self.email:
+                ret["method"] = "email"
+            elif user_settings:
+                ret["method"] = user_settings.get_highest_prio_method()
+            else:
+                ret["method"] = "ntfy"
+
+        return ret
+
+@app.route('/get-dispatch-status')
+def get_dispatch_status():
+    '''Retrive the status of a specific dispatch by it's secret'''
+
+    secret = flask.request.args.get("secret")
+    do = db.session.query(DispatchObject).filter(DispatchObject.dispatch_secret == secret).first()
+    if not do:
+        return ("Not in Queue",  200)
+    else:
+        return ("Waiting for dispatch", 200)
+
+
+@app.route('/webhooks', methods=["GET", "POST", "DELETE"])
+def webhooks():
+
+    # check static access token #
+    token = flask.request.args.get("token")
+    if token != app.config["SETTINGS_ACCESS_TOKEN"]:
+        return ("SETTINGS_ACCESS_TOKEN incorrect. Refusing to access webhooks", 401)
+
+    user = flask.request.args.get("user")
+    if not user:
+        return ("Missing user paramter in URL", 500)
+
+    if flask.request.method == "POST":
+        posted = WebHookPaths(username=user, path=secrets.token_urlsafe(20))
+        db.session.merge(posted)
+        db.session.commit()
+        return ("", 204)
+    elif flask.request.method == "GET":
+        webhooks = db.session.query(WebHookPaths).filter(WebHookPaths.username==user).all()
+        if not webhooks:
+            return flask.jsonify([])
+        else:
+            return flask.jsonify([ wh.path for wh in webhooks])
+    elif flask.request.method == "DELETE":
+        path = flask.request.json["path"]
+        webhook_to_be_deleted = db.session.query(WebHookPaths).filter(WebHookPaths.username==user,
+                                    WebHookPaths.path==path).first()
+        if not webhook_to_be_deleted:
+            return ("Webhook to be deleted was not found ({}, {})".format(user, path), 404)
+        else:
+            db.session.delete(webhook_to_be_deleted)
+            db.session.commit()
+            return ("", 204)
+
+@app.route('/downtime', methods=["GET", "DELETE","POST"])
+def downtime():
+
+    # check static access token #
+    token = flask.request.args.get("token")
+    if token != app.config["SETTINGS_ACCESS_TOKEN"]:
+        return ("SETTINGS_ACCESS_TOKEN incorrect. Refusing to access downtime settings", 401)
+
+    if flask.request.method == "DELETE":
+        app.config["DOWNTIME"] = datetime.datetime.now()
+        return ('Downtime successfully disabled', 200)
+    elif flask.request.method == "POST":
+        minutes = int(flask.request.args.get("minutes") or 5)
+        app.config["DOWNTIME"] = datetime.datetime.now() + datetime.timedelta(minutes=minutes)
+        return ('Downtime set to {}'.format(app.config["DOWNTIME"].isoformat(), 204))
+    elif flask.request.method == "GET":
+        dt = app.config["DOWNTIME"]
+        if dt < datetime.datetime.now():
+            return flask.jsonify({"title" : "No Downtime set at the moment", "message" : ""})
+        else:
+            delta = int((dt - datetime.datetime.now()).total_seconds()/60)
+            return flask.jsonify({"title" : "Downtime set for {}m until {}".format(delta, dt.isoformat()),
+                     "message" : ""})
+
+
+@app.route('/settings', methods=["GET", "POST"])
+def settings():
+
+    # check static access token #
+    token = flask.request.args.get("token")
+    if token != app.config["SETTINGS_ACCESS_TOKEN"]:
+        return ("SETTINGS_ACCESS_TOKEN incorrect. Refusing to access settings", 401)
+
+    user = flask.request.args.get("user")
+    if not user:
+        return ("Missing user paramter in URL", 500)
+
+    if flask.request.method == "POST":
+        posted = UserSettings(username=user,
+                        signal_priority=flask.request.json.get("signal_priority") or 0,
+                        email_priority=flask.request.json.get("email_priority") or 0,
+                        ntfy_priority=flask.request.json.get("ntfy_priority") or 0)
+        db.session.merge(posted)
+        db.session.commit()
+        return ('', 204)
+
+    if flask.request.method == "GET":
+        user_settings = db.session.query(UserSettings).filter(UserSettings.username==user).first()
+        if not user_settings:
+            posted = UserSettings(username=user, signal_priority=5, email_priority=7, ntfy_priority=3)
+            db.session.merge(posted)
+            db.session.commit()
+            user_settings = posted
+        return flask.jsonify(user_settings.serizalize())
+
+
+@app.route('/get-dispatch')
+def get_dispatch():
+    '''Retrive consolidated list of dispatched objects'''
+
+    method = flask.request.args.get("method")
+    timeout = flask.request.args.get("timeout") or 5 # timeout in seconds
+    timeout = int(timeout)
+
+    dispatch_acces_token = flask.request.args.get("dispatch-access-token") or ""
+    if dispatch_acces_token != app.config["DISPATCH_ACCESS_TOKEN"]:
+        return (BAD_DISPATCH_ACCESS_TOKEN, 401)
+
+    if not method:
+        return (500, "Missing Dispatch Target (signal|email|phone|ntfy|all|any)")
+
+    # prevent message floods #
+    timeout_cutoff = datetime.datetime.now() - datetime.timedelta(seconds=timeout)
+    timeout_cutoff_timestamp = timeout_cutoff.timestamp()
+
+    lines_unfiltered = db.session.query(DispatchObject)
+    lines_timeout = lines_unfiltered.filter(DispatchObject.timestamp < timeout_cutoff_timestamp)
+
+    if method != "all":
+
+        dispatch_objects = lines_timeout.filter(DispatchObject.method==method).all()
+
+        dispatch_objects_any = lines_timeout.filter(DispatchObject.method=="any").all()
+        for d in dispatch_objects_any:
+            user_str = str(d.username, "utf-8")
+            user_settings = db.session.query(UserSettings).filter(UserSettings.username==user_str).first()
+            if user_settings and user_settings.get_highest_prio_method() == method:
+                dispatch_objects += [d]
+    else:
+        dispatch_objects = lines_timeout.all()
+
+    # TODO THIS IS THE NEW MASTER PART
+    if method and method != "signal":
+        debug = [ d.serialize() for d in dispatch_objects]
+        if debug:
+            print(debug)
+        return flask.jsonify([ d.serialize() for d in dispatch_objects])
+    else:
+        # TODO THIS PART WILL BE REMOVED ##
+        # accumulate messages by person #
+        dispatch_by_person = dict()
+        dispatch_secrets = []
+        for dobj in dispatch_objects:
+            if dobj.username not in dispatch_by_person:
+                dispatch_by_person.update({ dobj.username : dobj.message })
+                dispatch_secrets.append(dobj.dispatch_secret)
+            else:
+                dispatch_by_person[dobj.username] += "\n{}".format(dobj.message)
+                dispatch_secrets.append(dobj.dispatch_secret)
+
+        # legacy hack #
+        if method == "any":
+            method = "signal"
+
+        response = [ { "person" : tupel[0].decode("utf-8"),
+                        "message" : tupel[1],
+                        "method" : method,
+                        "uids" : dispatch_secrets 
+                      } for tupel in dispatch_by_person.items() ]
+
+        # add phone numbers and emails #
+        for obj in response:
+            for person in dispatch_objects:
+                if obj["person"] == person.username.decode("utf-8"):
+                    if person.email:
+                        obj.update({ "email" : person.email.decode("utf-8") })
+                    if person.phone:
+                        obj.update({ "phone" : person.phone.decode("utf-8") })
+
+        return flask.jsonify(response)
+
+@app.route('/report-dispatch-failed', methods=["POST"])
+def reject_dispatch():
+    '''Inform the server that a dispatch has failed'''
+
+    rejects = flask.request.json
+
+    for r in rejects:
+
+        uuid = r["uuid"]
+        error = r["error"]
+        dpo = db.session.query(DispatchObject).filter(
+                        DispatchObject.dispatch_secret == uuid).first()
+
+        if not dpo:
+            return ("No pending dispatch for this UID/Secret", 404)
+
+        dpo.dispatch_error = error
+        db.session.merge(dpo)
+        db.session.commit()
+
+    return ("", 204)
+
+@app.route('/confirm-dispatch', methods=["POST"])
+def confirm_dispatch():
+    '''Confirm that a message has been dispatched by replying with its dispatch secret/uid'''
+
+    confirms = flask.request.json
+
+    for c in confirms:
+
+        uuid = c["uuid"]
+        dpo = db.session.query(DispatchObject).filter(
+                        DispatchObject.dispatch_secret == uuid).first()
+
+        if not dpo:
+            return ("No pending dispatch for this UID/Secret", 404)
+
+        db.session.delete(dpo)
+        db.session.commit()
+
+    return ("", 204)
+
+
+@app.route('/smart-send/<path:path>', methods=["POST"])
+@app.route('/smart-send', methods=["POST"])
+def smart_send_to_clients(path=None):
+    '''Send to clients based on querying the LDAP
+        requests MAY include:
+            - list of usernames under key "users"
+            - list of groups    under key "groups"
+            - neither of the above to automatically target the configured administrators group"
+        retuest MUST include:
+            - message as STRING in field "msg"
+            OR
+            - supported struct of type "ICINGA|ZABBIX|GENERIC" (see docs) in field "data"
+    '''
+
+    if flask.request.headers.get("opensearch"):
+
+        instructions = {}
+        users = flask.request.headers.get("opensearch-users")
+        groups = flask.request.headers.get("opensearch-groups")
+
+        if groups and OPENSEARCH_HEADER_SEPERATOR in groups:
+            groups = groups.split(OPENSEARCH_HEADER_SEPERATOR)
+
+        if users and OPENSEARCH_HEADER_SEPERATOR in users:
+            users = users.split(OPENSEARCH_HEADER_SEPERATOR)
+
+        message = flask.request.get_data(as_text=True)
+        title = "Opensearch Alert"
+        method = None
+
+    else:
+
+        instructions = flask.request.json
+        users = instructions.get("users")
+        groups = instructions.get("groups")
+        message = instructions.get("msg")
+        title = instructions.get("title")
+        method = instructions.get("method")
+
+    if app.config["DOWNTIME"] > datetime.datetime.now():
+        print("Ignoring because of Downtime:", title, message, users, file=sys.stderr)
+        print("Downtime until", app.config["DOWNTIME"].isoformat(), file=sys.stderr)
+        return ("Ignored because of Downtime", 200)
+
+    # authenticated by access token or webhook path #
+    dispatch_acces_token = flask.request.args.get("dispatch-access-token") or ""
+    print(path)
+    if path:
+        webhook_path = db.session.query(WebHookPaths).filter(WebHookPaths.path==path).first()
+        if webhook_path:
+            users = webhook_path.username
+            groups = None
+        else:
+            return ("Invalid Webhook path", 401)
+    elif dispatch_acces_token != app.config["DISPATCH_ACCESS_TOKEN"]:
+        return (BAD_DISPATCH_ACCESS_TOKEN, 401)
+
+    # allow single use string instead of array #
+    if type(users) == str:
+        users = [users]
+
+    struct = instructions.get("data")
+    if struct:
+        try:
+            message = messagetools.load_struct(struct)
+        except messagetools.UnsupportedStruct as e:
+            print(str(e), file=sys.stderr)
+            return (e.response(), 408)
+
+    if method in ["debug", "debug-fail"]:
+        persons = [ldaptools.Person(cn="none", username=users[0], name="Mr. Debug",
+                        email="invalid@nope.notld", phone="0")]
+    else:
+        persons = ldaptools.select_targets(users, groups, app.config["LDAP_ARGS"])
+
+    dispatch_secrets = save_in_dispatch_queue(persons, title, message, method)
+    return flask.jsonify(dispatch_secrets)
+
+
+def save_in_dispatch_queue(persons, title, message, method):
+
+
+    dispatch_secrets = []
+    for p in persons:
+
+        if not p:
+            continue
+
+        # this secret will be needed to confirm the message as dispatched #
+        dispatch_secret = secrets.token_urlsafe(32)
+
+        master_method = "any"
+        obj = DispatchObject(username=p.username,
+                        phone=p.phone,
+                        email=p.email,
+                        method=method or master_method,
+                        timestamp=datetime.datetime.now().timestamp(),
+                        dispatch_secret=dispatch_secret,
+                        title=title,
+                        message=message)
+
+        db.session.merge(obj)
+        db.session.commit()
+
+        dispatch_secrets.append(dispatch_secret)
+
+    return dispatch_secrets
+
+@app.route("/")
+@app.route("/health")
+def health():
+
+    return ("Not Iplemented, but at least it's running", 200)
+
+def create_app():
+
+    db.create_all()
+
+    if not app.config.get("LDAP_NO_READ_ENV"):
+        ldap_args = {
+            "LDAP_SERVER"  : os.environ["LDAP_SERVER"],
+            "LDAP_BIND_DN" : os.environ["LDAP_BIND_DN"],
+            "LDAP_BIND_PW" : os.environ["LDAP_BIND_PW"],
+            "LDAP_BASE_DN" : os.environ["LDAP_BASE_DN"]
+        }
+        app.config["LDAP_ARGS"] = ldap_args
+        app.config["SETTINGS_ACCESS_TOKEN"] = os.environ["SETTINGS_ACCESS_TOKEN"]
+        app.config["DISPATCH_ACCESS_TOKEN"] = os.environ["DISPATCH_ACCESS_TOKEN"]
+
+    substitution_config_file = os.environ.get("SUBSTITUTION_MAP") or "substitutions.yaml"
+    app.config["SUBSTITUTIONS"] = {}
+    if os.path.isfile(substitution_config_file):
+        with open(substitution_config_file) as f:
+            app.config["SUBSTITUTIONS"] = yaml.safe_load(f)
+
+    print("Loaded subs:", substitution_config_file, app.config["SUBSTITUTIONS"], file=sys.stderr)
+
+    # set small downtime #
+    app.config["DOWNTIME"] = datetime.datetime.now() + datetime.timedelta(minutes=1)
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='Simple Telegram Notification Interface',
+                        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+
+    parser.add_argument('--interface', default="localhost", help='Interface on which to listen')
+    parser.add_argument('--port', default="5000", help='Port on which to listen')
+    parser.add_argument("--signal-cli-bin", default=None, type=str,
+                            help="Path to signal-cli binary if no in $PATH")
+
+    parser.add_argument('--ldap-server')
+    parser.add_argument('--ldap-base-dn')
+    parser.add_argument('--ldap-manager-dn')
+    parser.add_argument('--ldap-manager-password')
+
+    parser.add_argument('--settings-access-token')
+    parser.add_argument('--dispatch-access-token')
+
+    args = parser.parse_args()
+
+    # define ldap args #
+    ldap_args = {
+        "LDAP_SERVER" : args.ldap_server,
+        "LDAP_BIND_DN" : args.ldap_manager_dn,
+        "LDAP_BIND_PW" : args.ldap_manager_password,
+        "LDAP_BASE_DN" : args.ldap_base_dn,
+    }
+    app.config["LDAP_NO_READ_ENV"] = True
+
+    app.config["SETTINGS_ACCESS_TOKEN"] = args.settings_access_token
+    app.config["DISPATCH_ACCESS_TOKEN"] = args.dispatch_access_token
+
+    if not any([value is None for value in ldap_args.values()]):
+        app.config["LDAP_ARGS"] = ldap_args
+    else:
+        app.config["LDAP_ARGS"] = None
+
+    with app.app_context():
+        create_app()
+
+    app.run(host=args.interface, port=args.port, debug=True)

server/ldaptools.py

@@ -1,12 +1,6 @@
 import ldap
 import sys
 
-# LDAP server details
-ldap_server = "ldap://localhost:5005"
-base_dn = "ou=People,dc=atlantishq,dc=de"
-manager_dn = "cn=Manager,dc=atlantishq,dc=de"
-manager_password = "flanigan"
-
 class Person:
 
     def __init__(self, cn, username, name, email, phone):
@@ -36,7 +30,7 @@ def ldap_query(search_filter, ldap_args, alt_base_dn=None):
 
     # estabilish connection
     conn = ldap.initialize(ldap_server)
-    conn.simple_bind_s(manager_dn, manager_password)
+    conn.simple_bind_s(manager_dn, manager_pw)
 
     # search in scope #
     search_scope = ldap.SCOPE_SUBTREE
@@ -50,7 +44,7 @@ def _person_from_search_result(cn, entry):
 
     username = entry.get("uid", [None])[0]
     name = entry.get("firstName", [None])[0]
-    email = entry.get("email", [None])[0]
+    email = entry.get("mail", [None])[0]
     phone = entry.get("telephoneNumber", [None])[0]
 
     return Person(cn, username, name, email, phone)
@@ -83,6 +77,7 @@ def get_members_of_group(group, ldap_args):
     search_filter = "(&(objectClass=groupOfNames)(cn={group_name}))".format(group_name=group)
 
     # TODO wtf is this btw??
+    base_dn = ldap_args["LDAP_BASE_DN"]
     groups_dn = ",".join([ s.replace("People","groups") for s in base_dn.split(",")])
     results = ldap_query(search_filter, ldap_args, alt_base_dn=groups_dn)
 
@@ -110,10 +105,11 @@ def select_targets(users, groups, ldap_args, admin_group="pki"):
     '''Returns a list of persons to send notifications to'''
 
     persons = []
-    if users:
+    # FIXME better handling of empty owner/groups
+    if users and not any([ not s for s in users]):
         for username in users:
             persons.append(get_user_by_uid(username, ldap_args))
-    elif groups:
+    elif groups and not any([ not s for s in groups ]):
         for group in groups:
             persons += get_members_of_group(group, ldap_args)
     else:

server/messagetools.py

@@ -0,0 +1,47 @@
+class UnsupportedStruct(Exception):
+
+    def __init__(self, struct):
+
+        self.message = "{} is invalid struct and not a message".format(str(struct))
+        super().__init__(self.message)
+
+def make_icinga_message(struct):
+
+    first_line  = "{state} - {service} ({host})".format(state=struct.get("service_state"),
+                    service=struct.get("service_name"), host=struct.get("service_host"))
+    second_line = struct.get("service_output") or ""
+    #third_line  = "Direkt-Link: {link}".format(link=struct.get("icingaweb_url"))
+
+    if not struct.get("owners") and not struct.get("owner-groups"):
+        fourth_line = "Notification to: admins (default)"
+    else:
+        owners = struct.get("owners") or []
+        groups = struct.get("owner-groups") or []
+        groups_strings = [ g + "-group" for g in groups ]
+        fourth_line = "Notification to: " + ", ".join(owners) + " " + ", ".join(groups_strings)
+
+    if struct.get("comment"):
+        fith_line = "Extra Comment: \n{}".format(struct.get("comment"))
+        return "\n".join([first_line, second_line, fourth_line, fith_line])
+    else:
+        return "\n".join([first_line, second_line, fourth_line])
+
+
+def make_generic_message(struct):
+
+    msg = struct.get("message") or struct.get("msg")
+    return msg
+
+def load_struct(struct):
+    
+    if type(struct) == str:
+        return struct
+    elif not struct.get("type"):
+        raise UnsupportedStruct(struct)
+
+    if struct.get("type") == "icinga":
+        return make_icinga_message(struct)
+    elif struct.get("type") == "generic":
+        return make_generic_message(struct)
+    else:
+        raise UnsupportedStruct(struct)

server/req.txt

@@ -1,4 +1,5 @@
 python-ldap
+pyyaml
 flask
 flask-sqlalchemy
 sqlalchemy

signal-query-dispatch.py

@@ -10,61 +10,98 @@ from functools import wraps
 
 HTTP_NOT_FOUND = 404
 
-def signal_send(user, message):
+def signal_send(phone, message):
     '''Send message via signal'''
-    cmd = [signal_cli_bin, "send", "-m", message, user]
+    cmd = [signal_cli_bin, "send", "-m", "'{}'".format(message.replace("'","")), phone]
     p = subprocess.run(cmd)
+    p.check_returncode()
+
+def report_dispatch_error(target, uid, error):
+    '''Report an error for a give dispatch'''
+
+    pass # TODO
 
 def confirm_dispatch(target, uid):
-
     '''Confirm to server that message has been dispatched and can be removed'''
-    response = requests.post(target + "/confirm-dispatch", json=[{ "uid" : uid }])
+
+    response = requests.post(target + "/confirm-dispatch", json=[{ "uuid" : uid }])
 
     if response.status_code not in [200, 204]:
-        print("Failed to confirm disptach with server for {} ({})".format(uid, response.text), file=sys.stderr)
+        print("Failed to confirm disptach with server for {} ({})".format(
+                    uid, response.text), file=sys.stderr)
 
 
 if __name__ == "__main__":
 
-    # set signal cli from env #
-    signal_cli_bin = os.environ["SIGNAL_CLI_BIN"]
-
     parser = argparse.ArgumentParser(description='Query Atlantis Dispatch for Signal',
                         formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+
     parser.add_argument('--target', required=True)
     parser.add_argument('--method', default="signal")
     parser.add_argument('--no-confirm', action="store_true")
+    parser.add_argument('--signal-cli-bin')
+
+    parser.add_argument('--user')
+    parser.add_argument('--password')
 
     args = parser.parse_args() 
 
+    if args.signal_cli_bin:
+        signal_cli_bin = args.signal_cli_bin
 
-    response = requests.get(args.target + "/get-dispatch?method={}".format(args.method))
+    # request dispatches #
+    response = requests.get(args.target +
+            "/get-dispatch?method={}&dispatch-access-token={}".format(args.method, args.password))
 
     # check status #
     if response.status_code == HTTP_NOT_FOUND:
         sys.exit(0)
 
+    # fallback check for status #
     response.raise_for_status()
 
+    # track dispatches that were confirmed to avoid duplicate confirmation #
     dispatch_confirmed = []
+    dispatch_failed = []
+    errors = {}
+
     for entry in response.json():
 
+        print(entry)
         user = entry["person"]
+        phone = entry.get("phone")
+        if not phone:
+            print("No phone number! Skipping...", file=sys.stderr)
+            continue
+
         message = entry["message"]
         uid_list = entry["uids"]
 
         # send message #
         if entry["method"] == "signal":
-            signal_send(user, message)
+            try:
+                signal_send(phone, message)
+            except subprocess.CalledProcessError as e:
+                for uid in uid_list:
+                    errors.update({uid:str(e)})
+
+                print("Dispatch failed {}".format(e))
+                continue
         else:
-            print("Unsupported dispatch method {}".format(entry["method"]), sys=sys.stderr)
+            print("Unsupported dispatch method {}".format(entry["method"]),
+                        sys=sys.stderr)
     
         # confirm dispatch
         if not args.no_confirm:
             for uid in uid_list:
                 if uid not in dispatch_confirmed:
-                    confirm_dispatch(args.target, uid)
+
-                    dispatch_confirmed.append(uid)
+                    # confirm or report fail #
+                    if errors.get(uid):
+                        report_dispatch_error(args.target, uid, errors[uid])
+                    else:
+                        confirm_dispatch(args.target, uid)
+                        dispatch_confirmed.append(uid)
                 else:
                     continue