def aMessage(self,msg): ''' handles incoming messages and delegates to corresponding methods ''' try: recv=json.loads(msg.decode()) except Exception as e: Log.debug("invalid control command") self.protocolError() return try: if not self.authenticated: if self.inObj(["cmd","user","password"],recv) and recv['cmd'] == Message.CMD_AUTHREQ: if recv["user"] == StdConfig.getInstance().getCtrlUsername() and recv["password"] == StdConfig.getInstance().getCtrlPassword(): self.toClient(Message("", "", Message.STATUS_LOGINOK)) self.authenticated=True Log.debug("logged in") else: Log.debug("log in rejected"); self.toClient(Message("", "", Message.STATUS_AUTHENTICATION_REJECTED)) self.wronglogins+=1 if self.wronglogins >= 3: self.doDisconnect() else: self.toClient(Message("", "", Message.STATUS_NOT_AUTHENTICATED)) else: #authenticated if self.inObj(["cmd","user","password"],recv) and recv['cmd'] == Message.CMD_AUTHREQ: #already autenticated self.toClient(Message("", "", Message.STATUS_OK)) return if self.inObj(["cmd","status"], recv) and recv["status"] == "cmd": if recv['cmd'] in self._cmds: body="" if "body" in recv: body=recv["body"] self._cmds[recv['cmd']](body) return self.protocolError() except Exception as e: self.protocolError() raise e
def _cmdDelete(self,args,update=True): Log.debug("delete " + args) self._policyControl.removeRule(args) if update: self._cmdList()
def hasAccess(self,type_,src_,destination,auth): ''' checks if the script has access @param type_: TCP,UDP,UNIX @param src: the source url of the script [is null if local] @param destination: the destination url/ip to connect to @param auth: ''' #Log.debug("checking policy: \n type: %s \n src: %s \n dest: %s \n auth: %s"%(type_,src_, destination,auth)) d_uri, d_port = Policies.splitURI(destination) src = src_.decode() if src == "null": src = "localhost" incomingRequestPolicy = Policy("", d_uri, d_port,src, type_) #print(str(self.policies)) matchcount=0 matchaction = None for k,rule in self.policies.specificRules.items(): if self.matches(rule,incomingRequestPolicy): if matchcount != 0 and matchaction != rule.action: Log.warning("multiple rules with conflicting actions detected: %s"%k) matchcount += 1 matchaction = rule.action if matchaction != None: return self.__proceed(matchaction,incomingRequestPolicy) Log.debug("passed specific") #no specific rule found: #testing for: # trustedSource # trustedDest # localSource # general rule SALTLEN = 8 for authElem in auth: # trustedSource if chr(authElem[0]) == "S": authString1 = Authentication.hash(b"", authElem[1:SALTLEN+1])[1].encode() if authString1 == authElem[SALTLEN+1:]: #trusted source detected Log.policycontrol("Sourcekey detected") return self.__proceed(self.policies.trustedSource,incomingRequestPolicy,"sourcekey") Log.debug("passed srckey") # trustedDest if chr(authElem[0]) == "H": deststr = d_uri+":"+str(d_port) authString1 = Authentication.hash(deststr.encode(), authElem[1:SALTLEN+1])[1].encode() authString2 = Authentication.hash(d_uri.encode(), authElem[1:SALTLEN+1])[1].encode() if authString1 == authElem[SALTLEN+1:] or authString2 == authElem[SALTLEN+1:]: Log.policycontrol("Hostkey detected") return self.__proceed(self.policies.trustedDest,incomingRequestPolicy,"hostkey") Log.debug("passed hostkey") # localSource if src == b"localhost": return self.__proceed(self.policies.localSource,incomingRequestPolicy) Log.debug("passed local") # general rule return self.__proceed(self.policies.unknownPolicyRule,incomingRequestPolicy) Log.debug("passed general") return False