def update_logins(self, username):
"""Update login DB"""
# We don't have a handle_request for server so expire here instead
if self.last_expire + self.min_expire_delay < time.time():
self.last_expire = time.time()
expired = expire_rate_limit(configuration, "ftps")
logger.debug("expired rate limit entries: %s" % expired)
# TODO: only refresh for username?
daemon_conf = configuration.daemon_conf
logger.debug("update user list")
# automatic reload of users if more than refresh_delay seconds old
refresh_delay = 5
if daemon_conf['time_stamp'] + refresh_delay < time.time():
daemon_conf = refresh_users(configuration, 'ftps')
logger.debug("update usermap")
usermap = {}
for user_obj in daemon_conf['users']:
if not usermap.has_key(user_obj.username):
usermap[user_obj.username] = []
usermap[user_obj.username].append(user_obj)
self.users = usermap
logger.info("updated usermap: %s" % self.users)
logger.debug("update user_table")
# Fill users in dictionary for fast lookup. We create a list of
# matching User objects since each user may have multiple logins (e.g.
# public keys)
for (username, user_obj_list) in self.users.items():
if self.has_user(username):
self.remove_user(username)
# We prefer last entry with password but fall back to any entry
# to assure at least a hit
user_obj = (user_obj_list + [i for i in user_obj_list \
if i.password is not None])[-1]
home_path = os.path.join(daemon_conf['root_dir'], user_obj.home)
logger.debug("add user to user_table: %s" % user_obj)
# The add_user format and perm string meaning is explained at:
# http://code.google.com/p/pyftpdlib/wiki/Tutorial#2.2_-_Users
self.add_user(username, user_obj.password,
home_path, perm='elradfmwM')
logger.debug("updated user_table: %s" % self.user_table)
def start_service(configuration):
"""Service launcher"""
host = configuration.user_openid_address
port = configuration.user_openid_port
data_path = configuration.openid_store
daemon_conf = configuration.daemon_conf
nossl = daemon_conf['nossl']
addr = (host, port)
# TODO: is this threaded version robust enough (thread safety)?
#OpenIDServer = OpenIDHTTPServer
OpenIDServer = ThreadedOpenIDHTTPServer
httpserver = OpenIDServer(addr, ServerHandler)
# Instantiate OpenID consumer store and OpenID consumer. If you
# were connecting to a database, you would create the database
# connection and instantiate an appropriate store here.
store = FileOpenIDStore(data_path)
oidserver = server.Server(store, httpserver.base_url + 'openidserver')
httpserver.setOpenIDServer(oidserver)
# Wrap in SSL if enabled
if nossl:
logger.warning('Not wrapping connections in SSL - only for testing!')
else:
cert_path = configuration.user_openid_key
if not os.path.isfile(cert_path):
logger.error('No such server key: %s' % cert_path)
sys.exit(1)
logger.info('Wrapping connections in SSL')
httpserver.socket = ssl.wrap_socket(httpserver.socket,
certfile=cert_path,
server_side=True)
print 'Server running at:'
print httpserver.base_url
min_expire_delay = 300
last_expire = time.time()
while True:
httpserver.handle_request()
if last_expire + min_expire_delay < time.time():
last_expire = time.time()
expired = expire_rate_limit(configuration, "openid")
logger.debug("expired: %s" % expired)
def run(configuration):
"""SSL wrap HTTP server for secure DAV access"""
handler = MiGDAVAuthHandler
# Force AuthRequestHandler to HTTP/1.1 to allow persistent connections
handler.protocol_version = 'HTTP/1.1'
# Extract server address for daemon and DAV URIs
host = configuration.user_davs_address.strip()
port = configuration.user_davs_port
# Pass conf options to DAV handler in required object format.
# Server accepts empty address to mean all available IPs but URIs need
# a real FQDN
dav_conf_dict = configuration.dav_cfg
if host:
dav_conf_dict['host'] = host
else:
from socket import getfqdn
dav_conf_dict['host'] = getfqdn()
dav_conf_dict['port'] = port
dav_conf = setup_dummy_config(**dav_conf_dict)
# inject options
handler.server_conf = configuration
handler._config = dav_conf
server = ThreadedHTTPServer
directory = dav_conf_dict['directory'].strip().rstrip('/')
verbose = dav_conf.DAV.getboolean('verbose')
noauth = dav_conf.DAV.getboolean('noauth')
nossl = dav_conf.DAV.getboolean('nossl')
if not os.path.isdir(directory):
logger.error('%s is not a valid directory!' % directory)
return sys.exit(233)
# basic checks against wrong hosts
if host.find('/') != -1 or host.find(':') != -1:
logger.error('Malformed host %s' % host)
return sys.exit(233)
# no root directory
if directory == '/':
logger.error('Root directory not allowed!')
sys.exit(233)
# put some extra vars
handler.verbose = verbose
if noauth:
logger.warning('Authentication disabled!')
handler.DO_AUTH = False
logger.info('Serving data from %s' % directory)
init_filesystem_handler(handler, directory, host, port, verbose)
# initialize server on specified address and port
runner = server((host, port), handler)
# Wrap in SSL if enabled
if nossl:
logger.warning('Not wrapping connections in SSL - only for testing!')
else:
cert_path = configuration.user_davs_key
if not os.path.isfile(cert_path):
logger.error('No such server key: %s' % cert_path)
sys.exit(1)
logger.info('Wrapping connections in SSL')
runner.socket = ssl.wrap_socket(runner.socket,
certfile=cert_path,
server_side=True)
print('Listening on %s (%i)' % (host, port))
min_expire_delay = 300
last_expire = time.time()
try:
while True:
runner.handle_request()
if last_expire + min_expire_delay < time.time():
last_expire = time.time()
expired = expire_rate_limit(configuration, "davs")
logger.debug("Expired rate limit entries: %s" % expired)
except KeyboardInterrupt:
# forward KeyboardInterrupt to main thread
raise
# automatic reload of users if more than refresh_delay seconds old
refresh_delay = 5
if daemon_conf['time_stamp'] + refresh_delay < time.time():
daemon_conf = refresh_users(configuration, 'sftp')
daemon_conf = refresh_jobs(configuration, 'sftp')
logger.info("Handling session from %s %s" % (client, addr))
worker = threading.Thread(target=accept_client,
args=[client, addr, daemon_conf['root_dir'],
daemon_conf['users'],
daemon_conf['jobs'],
daemon_conf['host_rsa_key'],
daemon_conf,])
worker.start()
if last_expire + min_expire_delay < time.time():
last_expire = time.time()
expired = expire_rate_limit(configuration, "sftp-*")
logger.debug("Expired rate limit entries: %s" % expired)
if __name__ == "__main__":
configuration = get_configuration_object()
# Use separate logger
logger = daemon_logger("sftp", configuration.user_sftp_log, "info")
# Allow configuration overrides on command line
if sys.argv[1:]:
configuration.user_sftp_address = sys.argv[1]
if sys.argv[2:]:
def _expire_rate_limit(self):
"""Expire old entries in the rate limit dictionary"""
expired = expire_rate_limit(configuration, "davs")
logger.debug("Expired rate limit entries: %s" % expired)