# <center> Tornado Server Example
## <center> <img src="https://www.engr.colostate.edu/~jdaily/Systems-EN-CSU-1-C357.svg" width="400" /> 

This notebook is a complete server. Once the program is running, you have to restart the Kernel to modify the code.

## HTTP Request Methods
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods

Most internet traffic is taken care of using GET and POST commands. We will write a small server to accomodate those commands. This server, using the tornado framework, will reply to post and get requests.

Also, we'll add an endpoint that will use the Fernet recipe to send encyrpted traffic. However, we don't want to send the key over the socket, so we'll have to use an ECDH key exchange to get the symmetric session key.

## Tornado Server
Use `pip install tornado` to get things going if your version of Python doesn't have the tornado site package. 

In [1]:
import tornado.ioloop
import tornado.web
import time
import json
import os

### Main Handler
The GET handler for the root of the endpoint will send back a time stamp. This could be used as a nonce.

The POST response will echo the data it receives with a time stamp.

In [2]:
class MainHandler(tornado.web.RequestHandler):
    def get(self):
        self.write(json.dumps(
            {'message': "The current time is {}".format(time.asctime())}
        ))
    def post(self):
        data = json.loads(self.request.body.decode('utf-8'))
        print('Got JSON data: ', data)
        self.write(json.dumps({ 'data': data, 'time': time.time()}))

### Encrypted Handler
We'll assume we have a closed ecosystem with some known users. Each known user will have a known public key.

To secure these communications, we'll need to have a user database (i.e. a dictionary), and some methods for key exchange.

In [3]:
#Use this to generate a private key
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives import serialization
private_key = X25519PrivateKey.generate()
pem_bytes = private_key.private_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PrivateFormat.PKCS8,
                encryption_algorithm=serialization.NoEncryption()
           )
with open('private_ed25519key.pem','wb') as f:
    f.write(pem_bytes) 
print(pem_bytes.decode('ascii'))

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VuBCIEIMBdKDC9yts/gh2Z2RPGcOeQi8KpoEF/fldVJtgsXEdK
-----END PRIVATE KEY-----



In [4]:
#use this to print out the public key
with open('private_ed25519key.pem','rb') as f:
    private_pem = f.read()
private_key = serialization.load_pem_private_key(private_pem, password=None)
pub_key  = private_key.public_key()
public_bytes = pub_key.public_bytes(
     encoding=serialization.Encoding.PEM,
     format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
print(public_bytes)

b'-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VuAyEAu9YeVw4X2iMQJKKqa7cch0XSSGdndpuvSIwJOsjBLkg=\n-----END PUBLIC KEY-----\n'


In [5]:
users = {
    1:{'name':'jeremy',
       'role':'instructor',
       'pub_key':b'-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VuAyEA7n07LnIGILC8CPV0uHVftIztbQ7R2339QGpwS6vBGxI=\n-----END PUBLIC KEY-----\n'},
    2:{'name':'tom',
       'role':'chairman',
       'pub_key':''},
    3:{'name':'steve',
       'role':'advisor',
       'pub_key':''}
}

In [6]:
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives import serialization
import base64 
import uuid

client_keys = {}  # Maps client_id → X25519PrivateKey
shared_secrets = {}  # Maps client to shared secret

class EncryptedHandler(tornado.web.RequestHandler):
    # Class-level setup: one key pair per handler instance
    def get(self):
        # Assign a client ID
        client_id = str(uuid.uuid4())
    
        # Generate and store private key
        private_key = X25519PrivateKey.generate()
        client_keys[client_id] = private_key
        #Note: If this was an IOT system, the private key would likely     
        # Generate public key to send back
        public_bytes = private_key.public_key().public_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PublicFormat.SubjectPublicKeyInfo
        )
    
        self.set_header("Content-Type", "application/json")
        self.write(json.dumps({
            "client_id": client_id,
            "pub": public_bytes.decode("utf-8")
        }))
        print("Sending our server public key. It is not signed.")
        # This is still subject to a middleperson attack. The key should be signed.
    
    def post(self):
        try:
            data = json.loads(self.request.body.decode('utf-8'))
        except json.JSONDecodeError:
            self.set_status(400)
            self.write(json.dumps({'error': 'Unable to parse JSON'}))
            return
        client_id = data.get("client_id")
        if not client_id or client_id not in client_keys:
            self.set_status(400)
            self.write(json.dumps({"error": "Missing or unknown client_id"}))
            return
        print(f"client_id: {client_id}")
        
        private_key = client_keys[client_id]
        
        if 'cipher_text' in data:
            #try:
                print(f"Using session key: {shared_secrets[client_id]}")
                cipher_text = data['cipher_text'].encode('utf-8')
                #This is critical to make sure the fernet key is base64
                fernet_key = base64.urlsafe_b64encode(shared_secrets[client_id])
                session_cipher = Fernet(fernet_key)
                decrypted_data = session_cipher.decrypt(cipher_text)
                print("Decrypted data:", decrypted_data.decode('utf-8'))
                self.write(json.dumps({'message': 'Successfully Decrypted Data'}))
           # except Exception as e:
           #     self.set_status(400)
            #    self.write(json.dumps({'error': 'Decryption failed', 'details': str(e)}))
        
        elif 'pub_key' in data:
            try:
                user_pub_key = serialization.load_pem_public_key(data['pub_key'].encode('utf-8'))
                shared_key = private_key.exchange(user_pub_key)
                #Cache the shared key. It will change with each client. 
                shared_secrets[client_id] = shared_key
                # Fernet requires 32-byte base64-encoded key
                self.write(json.dumps({'message': 'Shared secret successfully calculated'}))
            except Exception as e:
                self.set_status(400)
                self.write(json.dumps({'error': 'Key exchange failed', 'details': str(e)}))
        else:
            self.set_status(400)
            self.write(json.dumps({'error': 'Bad request. Expected cipher_text or pub_key'}))

## Questions for consideration


In [7]:
#try:
port = 8080
app = tornado.web.Application([
    (r"/", MainHandler),
    (r"/encrypted/", EncryptedHandler)
   ], debug = True) #turn off debugging for production

app.listen(port)
print("Listening on port {} on address {}".format(port,"localhost"))
    #Restart Kernel in Jupyter to stop
##except OSError:
#    os._exit(0)

#Be sure to run all cells in order for everything to work correctly. 

Listening on port 8080 on address localhost
Sending our server public key. It is not signed.
client_id: 9b6a676f-48b4-4180-8511-5cb89483d1fc
client_id: 9b6a676f-48b4-4180-8511-5cb89483d1fc
Sending our server public key. It is not signed.
client_id: 7a7f5b19-b77b-4b65-afd9-c1054f5ee849
shared_key (Do not print this normally) b'\xe1\tDn\xd7,\x05\xcc\xb2\x0c\xbb\x14:x\x08\nF\x13\x88m\xd58\xa4\x15\xd38\xa2\xa0\xe0\xff\x9a\x1a'
client_id: 7a7f5b19-b77b-4b65-afd9-c1054f5ee849
Using session key: b'\xe1\tDn\xd7,\x05\xcc\xb2\x0c\xbb\x14:x\x08\nF\x13\x88m\xd58\xa4\x15\xd38\xa2\xa0\xe0\xff\x9a\x1a'
Decrypted data: I have a dream that my four little children will one day live in a nation where they will not be judged by the color of their skin but by the content of their character.
