def _execute(params):
print 'Bee %i is joining the swarm.' % params['i']
Random.atfork()
try:
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(
params['instance_name'],
username = params['username'],
key_filename = _get_pem_path(params['key_name']))
print 'Bee %i is firing his machine gun. Bang bang!' % params['i']
stdin, stdout, stderr = client.exec_command(params['command'])
response = {}
outres = stdout.read()
errres = stderr.read()
print 'Bee %i is out of ammo.' % params['i']
client.close()
return (outres, errres)
except socket.error, e:
return e
def _prepare_instances(params):
print "Seting up bee %s @ %s." % (params['instance_id'], params['instance_ip'])
time.sleep(20)
Random.atfork()
try:
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(
params['instance_ip'],
username=params['username'],
key_filename=_get_pem_path(params['key_name']))
install_ab_stdin, install_ab_stdout, install_ab_stderr = client.exec_command('sudo apt-get install -y %s' % PACKAGES_TO_INSTALL)
ab_installation = install_ab_stdout.read()
time.sleep(5)
verify_ab_stdin, verify_ab_stdout, verify_ab_stderr = client.exec_command('sudo ab')
verify_ab_stderr = verify_ab_stderr.read()
client.close()
if re.search("Usage: ab \[options\] \[http\[s\]\:\/\/\]hostname\[\:port\]\/path", verify_ab_stderr):
_append_server_list(params['instance_id'])
print 'Bee %s is ready for the attack.' % params['instance_id']
return True
except Exception, e:
print "Exception: %s" % e
def get_random_bytes(size):
try:
return Random.get_random_bytes(size)
except AssertionError, ae:
if len(ae.args) == 1 and ae.args[0] == 'PID check failed. RNG must be re-initialized after fork(). Hint: Try Random.atfork()':
Random.atfork()
return Random.get_random_bytes(size)
def generate_key_pair(self):
Random.atfork()
key = RSA.generate(app_settings.RSA_KEY_LENGTH)
self.private_key = key.exportKey()
# This magic is from
# http://stackoverflow.com/questions/2466401/how-to-generate-ssh-key-pairs-with-python
exponent = '%x' % (key.e, )
if len(exponent) % 2:
exponent = '0' + exponent
ssh_rsa = '00000007' + base64.b16encode('ssh-rsa')
ssh_rsa += '%08x' % (len(exponent) / 2, )
ssh_rsa += exponent
modulus = '%x' % (key.n, )
if len(modulus) % 2:
modulus = '0' + modulus
if modulus[0] in '89abcdef':
modulus = '00' + modulus
ssh_rsa += '%08x' % (len(modulus) / 2, )
ssh_rsa += modulus
self.public_key = 'ssh-rsa %s' % (
base64.b64encode(base64.b16decode(ssh_rsa.upper())),
)
def __init__(self, user=None):
Random.atfork()
self.ADMIN_USER = config["google_apps"]["admin_user"]
self.DOMAIN = config["google_apps"]["domain"]
self.use_proxy = config["defaults"]["http_proxy"]["use_proxy"]
self.user = user
self.admin_email = "%s@%s" % (self.ADMIN_USER, self.DOMAIN)
self.user_email = "%s@%s" % (user, self.DOMAIN)
self.google_oauth = GoogleOAuthApi(config=config)
self.oauth_admin = self.google_oauth.get_oauth_token(self.admin_email)
self.oauth_user = self.google_oauth.get_oauth_token(self.user_email)
self.admin_api = GoogleAdminApi(self.oauth_admin, config=config["google_apps"])
self.gmail_api = GoogleGmailApi(self.oauth_user)
self.drive_api = GoogleDriveApi(self.oauth_user)
self.calendar_api = GoogleCalendarApi(self.oauth_user)
self.ldap_client = LDAPClient(config=config["ldap"])
self.is_valid_user = self._is_valid_user()
self.is_suspended_user = self._is_suspended_user()
self.pagerduty_api = PagerDutyApi(config=config["pagerduty"],
use_proxy=self.use_proxy,
proxy_config=config["defaults"]["http_proxy"])
self.duo_api = DuoAdminApi(config=config["duo"],
use_proxy=self.use_proxy,
proxy_config=config["defaults"]["http_proxy"])
def encrypt(self, raw):
raw = self._pad(raw)
random = Random.new()
Random.atfork()
iv = random.read(AES.block_size)
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return base64.b64encode(iv + cipher.encrypt(raw))
def election_compute_tally(election_id, election_contract_abi):
Random.atfork()
election = Election.objects.get(id=election_id)
election.compute_tally(election_contract_abi)
if election.encrypted_tally:
election_notify_admin.delay(election_id=election_id,
subject="encrypted tally computed",
body="""
The encrypted tally for election %s has been computed.
--
Helios
""" % election.name)
if election.has_helios_trustee():
tally_helios_decrypt.delay(election_id=election.id)
else:
election_notify_admin.delay(election_id=election_id,
subject="election has been hacked",
body="""
The encrypted tally for election %s has not been computed.
The database has been hacked. Check the log!
--
Helios
""" % election.name)
def generate(self):
"""Generates a new RSA keypair and assignes to self."""
from Crypto import Random
Random.atfork()
key = RSA.generate(2048)
self.private = key.exportKey()
self.public = key.exportKey('OpenSSH')
def enc_all(msg, num_layer):
Random.atfork()
blob = wrap_message(msg)
for _ in range(num_layer - 1):
new_blob = wrap_message(blob)
blob = new_blob
return blob
def signal_handler(): # pragma: no cover
"""Signal handler for all worker processes, allowing clean CTRL-C"""
signal.signal(signal.SIGINT, signal.SIG_IGN)
signal.signal(signal.SIGHUP, signal.SIG_IGN)
# when forking using multiprocessing, this is required to re-init random seed
Random.atfork()
def contextualize(self, context_command):
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Re-initialize RNG after fork to avoid connectivity problems with Paramiko
Random.atfork()
client.connect(self.vm_address, username=self.vm_user, port=22, password=self.vm_user_password)
a,b,c = client.exec_command(context_command)
def create_client(self):
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Re-initialize RNG after fork to avoid connectivity problems with Paramiko
Random.atfork()
client.connect(self.vm_address, username=self.vm_user, port=22, password=self.vm_user_password)
return client
def encrypt(self, msg, key):
""" Encrypt a message
:param msg: Message to encrypt
:param key: Key to protect the message
:return: The encrypted message
:rtype: bytes
"""
# Creating a key by hashing the password
key = hashlib.sha256(key.encode("utf-8")).digest()
# New seed for PyCrypto
Random.atfork()
# Generating initialization vector
iv = Random.new().read(AES.block_size)
crypto = AES.new(key, AES.MODE_CBC, iv)
plain = msg.encode("utf-8")
# Adding some data at the end to match the block size required by AES
padding_length = AES.block_size - len(plain) % AES.block_size
plain += bytes((padding_length,)) * padding_length
# Finally creating the crypted data
return iv + crypto.encrypt(plain)
def generate(self):
"""Generates a new RSA keypair and assignes to self."""
from Crypto import Random
Random.atfork()
key = RSA.generate(2048)
self.private = key.exportKey()
self.public = key.exportKey('OpenSSH')
def ready(self):
"""
Code run on startup of django.
"""
# Call atfork because on heroku everything is a fork
Random.atfork()
# Patch all the forms to strip whitespace from field input
local_installed_apps = [
app for app in settings.INSTALLED_APPS
if app.startswith('%s.' % __name__)
]
for app in local_installed_apps:
try:
__import__('%s.forms' % app)
except ImportError:
continue
else:
forms_module = sys.modules['%s.forms' % app]
form_classes = inspect.getmembers(
forms_module, lambda member: is_form(member))
for form_name, form in form_classes:
# Wrap the reference to this form with a function that strips the input from whitespace.
if hasattr(form, 'base_fields'):
form_class = autostrip(form)
setattr(forms_module, form_name, form_class)
def _run(self):
# try to fix pycrypto
try:
from Crypto import Random
Random.atfork()
except:
pass
while True:
LOG.info('Start iteration')
try:
g = self.do_iteration()
if CONFIG['interval']:
timeout = self.iteration_timestamp + CONFIG['interval'] - time.time()
else:
timeout = 600
try:
g.get(timeout=timeout)
except gevent.Timeout:
raise IterationTimeoutError()
finally:
if not g.ready():
g.kill()
except KeyboardInterrupt:
raise KeyboardInterrupt
except:
LOG.error('Iteration failed, reason: %s' % helper.exc_info())
POOL.kill()
finally:
LOG.info('End iteration: %s' % (time.time() - self.iteration_timestamp))
if CONFIG['interval']:
sleep_time = self.iteration_timestamp + CONFIG['interval'] - time.time()
time.sleep(sleep_time)
else:
break
def generate_key_pair(self):
Random.atfork()
key = RSA.generate(app_settings.RSA_KEY_LENGTH)
self.private_key = key.exportKey()
# This magic is from
# http://stackoverflow.com/questions/2466401/how-to-generate-ssh-key-pairs-with-python
exponent = '%x' % (key.e, )
if len(exponent) % 2:
exponent = '0' + exponent
ssh_rsa = '00000007' + base64.b16encode('ssh-rsa')
ssh_rsa += '%08x' % (len(exponent) / 2, )
ssh_rsa += exponent
modulus = '%x' % (key.n, )
if len(modulus) % 2:
modulus = '0' + modulus
if modulus[0] in '89abcdef':
modulus = '00' + modulus
ssh_rsa += '%08x' % (len(modulus) / 2, )
ssh_rsa += modulus
self.public_key = 'ssh-rsa %s' % (base64.b64encode(
base64.b16decode(ssh_rsa.upper())), )
def fsinit(self):
# daemon mode RNG hack for PyCrypto
try:
from Crypto import Random
Random.atfork()
except:
pass
def copy_from_old_parallel(args):
Random.atfork()
odte, ndte, i, S = args
ret = []
pw = odte.decode_pw(S)
if not pw: return (i, [])
return (i, ndte.encode_pw(pw))
def start(self):
use_epoll_on_linux()
from twisted.internet import reactor
self.reactor = reactor
logging.debug("Starting the uploader")
Random.atfork()
r = random.Random()
r.seed("start_lbry_uploader")
wallet = FakeWallet()
peer_manager = PeerManager()
peer_finder = FakePeerFinder(5553, peer_manager, 1)
hash_announcer = FakeAnnouncer()
rate_limiter = RateLimiter()
self.sd_identifier = StreamDescriptorIdentifier()
db_dir = "server"
os.mkdir(db_dir)
self.session = Session(
settings.data_rate, db_dir=db_dir, lbryid="abcd",
peer_finder=peer_finder, hash_announcer=hash_announcer, peer_port=5553,
use_upnp=False, rate_limiter=rate_limiter, wallet=wallet,
blob_tracker_class=DummyBlobAvailabilityTracker,
dht_node_class=Node, is_generous=self.is_generous)
stream_info_manager = TempEncryptedFileMetadataManager()
self.lbry_file_manager = EncryptedFileManager(
self.session, stream_info_manager, self.sd_identifier)
if self.ul_rate_limit is not None:
self.session.rate_limiter.set_ul_limit(self.ul_rate_limit)
reactor.callLater(1, self.start_all)
if not reactor.running:
reactor.run()
def start(self):
use_epoll_on_linux()
init_conf_windows()
from twisted.internet import reactor
self.reactor = reactor
logging.debug("Starting the uploader")
Random.atfork()
r = random.Random()
r.seed("start_lbry_uploader")
wallet = FakeWallet()
peer_manager = PeerManager()
peer_finder = FakePeerFinder(5553, peer_manager, 1)
hash_announcer = FakeAnnouncer()
rate_limiter = RateLimiter()
self.sd_identifier = StreamDescriptorIdentifier()
self.db_dir, self.blob_dir = mk_db_and_blob_dir()
self.session = Session(
conf.ADJUSTABLE_SETTINGS['data_rate'][1], db_dir=self.db_dir, blob_dir=self.blob_dir,
node_id="abcd", peer_finder=peer_finder, hash_announcer=hash_announcer,
peer_port=5553, use_upnp=False, rate_limiter=rate_limiter, wallet=wallet,
blob_tracker_class=DummyBlobAvailabilityTracker,
dht_node_class=Node, is_generous=self.is_generous, external_ip="127.0.0.1")
stream_info_manager = DBEncryptedFileMetadataManager(self.db_dir)
self.lbry_file_manager = EncryptedFileManager(
self.session, stream_info_manager, self.sd_identifier)
if self.ul_rate_limit is not None:
self.session.rate_limiter.set_ul_limit(self.ul_rate_limit)
reactor.callLater(1, self.start_all)
if not reactor.running:
reactor.run()
def start_journalist_server():
Random.atfork()
journalist.app.run(
port=journalist_port,
debug=True,
use_reloader=False,
threaded=True)
def _run(self):
# It is necessary to seed random in forked process,
# otherwise - Crypto would throw an error.
Random.atfork()
# It is necessary to init socket in the same process, that would use it,
# to prevent data races.
self.socket = socket.socket(
socket.AF_INET, # Internet
socket.SOCK_DGRAM) # UDP
# To prevent concurrent redis pool usage - centrifuge init's it's own clients handler.
clients = ClientsHandler(self._settings)
while True:
sleep(self.timeout)
for client_id in clients.get_all_clients_ids():
client = clients.get_by_id(client_id)
if not client:
pass
addresses_and_ports = clients.get_ipv4_addresses_and_ports(client.id)
if not addresses_and_ports:
pass
for address, port in addresses_and_ports:
ping = PingResponse()
enc = EncryptedResponse(ping.serialize())
self.socket.sendto(enc.data, (address, port))
if DEBUG:
logging.info(f'PING sent to {address}:{port}')
def start(self):
use_epoll_on_linux()
from twisted.internet import reactor
self.reactor = reactor
logging.debug("Starting the uploader")
Random.atfork()
r = random.Random()
r.seed("start_lbry_uploader")
wallet = FakeWallet()
peer_manager = PeerManager()
peer_finder = FakePeerFinder(5553, peer_manager, 1)
hash_announcer = FakeAnnouncer()
rate_limiter = RateLimiter()
self.sd_identifier = StreamDescriptorIdentifier()
db_dir = "server"
os.mkdir(db_dir)
self.session = Session(
conf.ADJUSTABLE_SETTINGS['data_rate'][1], db_dir=db_dir, lbryid="abcd",
peer_finder=peer_finder, hash_announcer=hash_announcer, peer_port=5553,
use_upnp=False, rate_limiter=rate_limiter, wallet=wallet,
blob_tracker_class=DummyBlobAvailabilityTracker,
dht_node_class=Node, is_generous=self.is_generous)
stream_info_manager = TempEncryptedFileMetadataManager()
self.lbry_file_manager = EncryptedFileManager(
self.session, stream_info_manager, self.sd_identifier)
if self.ul_rate_limit is not None:
self.session.rate_limiter.set_ul_limit(self.ul_rate_limit)
reactor.callLater(1, self.start_all)
if not reactor.running:
reactor.run()
def run(self):
Random.atfork()
#self.start_time = time.process_time()
for i in range(self.loops):
self.ns_client()
#print(json.dumps(['ns-sk', 'RoleA', self.start_time, time.process_time(), self.loops]))
self.socket_a.close()
def mp_setup(ctx):
buckets = ctx.buckets # save buckets before setup resets them
s3setup(ctx)
if len(buckets):
for bucket in buckets:
s3bucket_named(ctx, bucket)
Random.atfork()
def parse_response(self, form, success=True):
"""Parse and return payment response."""
fields = {
# Successful payment
'1101': ('SERVICE', 'VERSION', 'SND_ID', 'REC_ID', 'STAMP', # 1..5
'T_NO', 'AMOUNT', 'CURR', 'REC_ACC', 'REC_NAME', # 6..10
'SND_ACC', 'SND_NAME', 'REF', 'MSG', 'T_DATE'), # 11..15
# Unsuccessful payment
'1901': ('SERVICE', 'VERSION', 'SND_ID', 'REC_ID', 'STAMP', # 1..5
'REF', 'MSG') # 6..7
}
# See which response we got
resp = form.get('VK_SERVICE', None)
if not resp and resp not in fields:
raise InvalidResponseError
success = resp == '1101'
Random.atfork()
# Parse and validate MAC
m = self._build_mac(fields[resp], form)
f = lambda x: form.get('VK_%s' % x)
if not PKCS1_v1_5.new(self.keychain.public_key) \
.verify(SHA.new(m), b64decode(f('MAC'))):
raise InvalidResponseError
# Save payment data
data = {}
if success:
for item in ('T_NO', 'AMOUNT', 'CURR', 'REC_ACC', 'REC_NAME',
'SND_ACC', 'SND_NAME', 'REF', 'MSG', 'T_DATE'):
data[item] = f(item)
return PaymentResponse(self, data, success)
def generate_key_pair(request):
"""
Response to generate private/public RSA key pair
"""
get_user(request, settings.ASTAKOS_AUTH_URL)
if request.method != "POST":
return http.HttpResponseNotAllowed(["POST"])
if not SUPPORT_GENERATE_KEYS:
raise Exception("Application does not support ssh keys generation")
if PublicKeyPair.user_limit_exceeded(request.user_uniq):
return http.HttpResponseServerError("SSH keys limit exceeded")
# generate RSA key
from Crypto import Random
Random.atfork()
key = rsakey.RSA.generate(SSH_KEY_LENGTH)
# get PEM string
pem = exportKey(key, 'PEM')
public_data = Message()
public_data.add_string('ssh-rsa')
public_data.add_mpint(key.key.e)
public_data.add_mpint(key.key.n)
# generate public content
public = str("ssh-rsa %s" % base64.b64encode(str(public_data)))
data = {'private': pem, 'public': public}
return http.HttpResponse(json.dumps(data), mimetype="application/json")
def copy_from_old_parallel( args ):
Random.atfork()
odte, ndte, i, S = args
ret = []
pw = odte.decode_pw(S)
if not pw: return (i,[])
return (i,ndte.encode_pw(pw))
def __init__(self, nr_parallel, worker_func):
master_queue = Queue()
self.master_queue = master_queue
self.worker_queues = [master_queue
] + [Queue() for _ in range(nr_parallel)]
worker_pids = []
self.worker_pids = worker_pids
append = worker_pids.append
for i in range(nr_parallel):
pid = fork()
Random.atfork()
CheapQueue.atfork()
if not pid:
try:
worker_link = AsyncWorkerLink(self, i + 1)
worker_func(worker_link)
finally:
try:
kill(getpid(), SIGKILL)
except:
pass
while 1:
print("PLEASE KILL ME")
sleep(1)
append(pid)
def inner(*args, **kwargs):
# Required for ssh/PyCrypto to be happy in multiprocessing
# (as far as we can tell, this is needed even with the extra such
# calls in newer versions of paramiko.)
if Random:
Random.atfork()
return func(*args, **kwargs)
def create_entry(self, group = None, title = "", image = 1, url = "",
username = "", password = "", comment = "",
y = 2999, mon = 12, d = 28, h = 23, min_ = 59,
s = 59):
"""This method creates a new entry.
The group which should hold the entry is needed.
image must be an unsigned int >0, group a v1Group.
It is possible to give an expire date in the following way:
- y is the year between 1 and 9999 inclusive
- mon is the month between 1 and 12
- d is a day in the given month
- h is a hour between 0 and 23
- min_ is a minute between 0 and 59
- s is a second between 0 and 59
The special date 2999-12-28 23:59:59 means that entry expires never.
"""
if (type(title) is not str or
type(image) is not int or image < 0 or
type(url) is not str or
type(username) is not str or
type(password) is not str or
type(comment) is not str or
type(y) is not int or
type(mon) is not int or
type(d) is not int or
type(h) is not int or
type(min_) is not int
or type(s) is not int or
type(group) is not v1Group):
raise KPError("One argument has not a valid type.")
elif group not in self.groups:
raise KPError("Group doesn't exist.")
elif (y > 9999 or y < 1 or mon > 12 or mon < 1 or d > 31 or d < 1 or
h > 23 or h < 0 or min_ > 59 or min_ < 0 or s > 59 or s < 0):
raise KPError("No legal date")
elif (((mon == 1 or mon == 3 or mon == 5 or mon == 7 or mon == 8 or
mon == 10 or mon == 12) and d > 31) or
((mon == 4 or mon == 6 or mon == 9 or mon == 11) and d > 30) or
(mon == 2 and d > 28)):
raise KPError("Given day doesn't exist in given month")
Random.atfork()
uuid = Random.get_random_bytes(16)
entry = v1Entry(group.id_, group, image, title, url, username,
password, comment,
datetime.now().replace(microsecond = 0),
datetime.now().replace(microsecond = 0),
datetime.now().replace(microsecond = 0),
datetime(y, mon, d, h, min_, s),
uuid)
self.entries.append(entry)
group.entries.append(entry)
self._num_entries += 1
return True
def rsa_base64_decrypt(self, data, key):
'''
1. base64 decrypt
2. rsa decrypt
示例代码
key = RSA.importKey(open('privkey.der').read())
>>>
>>> dsize = SHA.digest_size
>>> sentinel = Random.new().read(15+dsize) # Let's assume that average data length is 15
>>>
>>> cipher = PKCS1_v1_5.new(key)
>>> message = cipher.decrypt(ciphertext, sentinel)
>>>
>>> digest = SHA.new(message[:-dsize]).digest()
>>> if digest==message[-dsize:]: # Note how we DO NOT look for the sentinel
>>> print "Encryption was correct."
>>> else:
>>> print "Encryption was not correct."
'''
cipher = PKCS1_v1_5.new(key)
try:
rng_file = Random.new()
Random.atfork()
return cipher.decrypt(base64.b64decode(data),
rng_file.read(15 + SHA.digest_size))
except Exception, ex:
return ''
def __init__(self, filepath=None, password=None, keyfile=None,
read_only=False, new = False):
""" Initialize a new or an existing database.
If a 'filepath' and a 'masterkey' is passed 'load' will try to open
a database. If 'True' is passed to 'read_only' the database will open
read-only. It's also possible to create a new one, just pass 'True' to
new. This will be ignored if a filepath and a masterkey is given this
will be ignored.
"""
if filepath is not None and password is None and keyfile is None:
raise KPError('Missing argument: Password or keyfile '
'needed additionally to open an existing database!')
elif type(read_only) is not bool or type(new) is not bool:
raise KPError('read_only and new must be bool')
elif ((filepath is not None and type(filepath) is not str) or
(type(password) is not str and password is not None) or
(type(keyfile) is not str and keyfile is not None)):
raise KPError('filepath, masterkey and keyfile must be a string')
elif (filepath is None and password is None and keyfile is None and
new is False):
raise KPError('Either an existing database should be opened or '
'a new should be created.')
self.groups = []
self.entries = []
self.root_group = v1Group()
self.read_only = read_only
self.filepath = filepath
self.password = password
self.keyfile = keyfile
# This are attributes that are needed internally. You should not
# change them directly, it could damage the database!
self._group_order = []
self._entry_order = []
self._signature1 = 0x9AA2D903
self._signature2 = 0xB54BFB65
self._enc_flag = 2
self._version = 0x00030002
self._final_randomseed = ''
self._enc_iv = ''
self._num_groups = 1
self._num_entries = 0
self._contents_hash = ''
Random.atfork()
self._transf_randomseed = Random.get_random_bytes(32)
self._key_transf_rounds = 150000
# Due to the design of KeePass, at least one group is needed.
if new is True:
self._group_order = [("id", 1), (1, 4), (2, 9), (7, 4), (8, 2),
(0xFFFF, 0)]
group = v1Group(1, 'Internet', 1, self, parent = self.root_group)
self.root_group.children.append(group)
self.groups.append(group)
def gen_lbl():
'''
Generate a new Label.
'''
rpool = Random.new()
Random.atfork()
return rpool.read(16).encode("hex")
def load_async_key(key_def, use_pkcs=False):
key = RSA.importKey(key_def)
if use_pkcs:
Random.atfork()
return PKCS1_v1_5.new(key)
return key
def __init__(self, task=None):
"""
Allocates the taskwrapper class with the given task
@param task: task to wrap
"""
Random.atfork()
AbstractTaskWrapper.__init__(self, task)
def __init__(self, task=None):
"""
Allocates the taskwrapper class with the given task
@param task: task to wrap
"""
Random.atfork()
AbstractTaskWrapper.__init__(self, task)
def gen_key():
'''
Generates a new label or shared key.
'''
rpool = Random.new()
Random.atfork()
return rpool.read(16).encode("hex")
def gen_lbl():
'''
Generate a new Label.
'''
rpool = Random.new()
Random.atfork()
return rpool.read(16).encode("hex")
def generate_csrf_token():
if '_csrf_token' not in session:
try:
session['_csrf_token'] = base64.b64encode(Random.new().read(32))
except AssertionError:
Random.atfork()
session['_csrf_token'] = base64.b64encode(Random.new().read(32))
return session['_csrf_token']
def gen_key():
"""
Generates a new label or shared key.
"""
rpool = Random.new()
Random.atfork()
return rpool.read(16).encode("hex")
def post_fork(server, worker):
"""
Called just after a worker has been forked.
A callable that takes a server and worker instance as arguments.
"""
# Random needs to know when it's being run inside a fork, otherwise it throws exceptions.
Random.atfork()
def run(self):
"""Run the server."""
server = ObjectStorageSFTPServer(
(self.options.bind_address, self.options.port),
host_key=self.host_key,
authurl=self.options.authurl,
max_children=self.options.max_children,
keystone=self.options.keystone,
no_scp=self.options.no_scp,
split_size=self.options.split_size,
hide_part_dir=self.options.hide_part_dir,
auth_timeout=self.options.auth_timeout,
negotiation_timeout=self.options.negotiation_timeout,
keepalive=self.options.keepalive,
insecure=self.options.insecure,
secopts=self.options.secopts,
server_ident=self.options.server_ident,
storage_policy=self.options.storage_policy,
)
dc = daemon.DaemonContext()
dc.pidfile = self.pidfile
if self.options.uid:
dc.uid = self.options.uid
if self.options.gid:
dc.gid = self.options.gid
# FIXME: we don't know the fileno for Random open files, but they're < 16
dc.files_preserve = range(server.fileno(), 16)
if self.options.foreground:
dc.detach_process = False
dc.stderr = sys.stderr
with dc:
Random.atfork()
self.setup_log()
try:
if os.getuid() == 0:
self.log.warning(
"UID is 0, running as root is not recommended")
self.log.info("Listening on %s:%s" %
(self.options.bind_address, self.options.port))
server.serve_forever()
except (SystemExit, KeyboardInterrupt):
self.log.info("Terminating...")
if server.active_children:
for pid in server.active_children:
os.kill(pid, signal.SIGTERM)
server.server_close()
if self.pidfile and self.pidfile.i_am_locking():
self.pidfile.release()
return 0
def handle(self):
Random.atfork()
paramiko.util.get_logger("paramiko.transport").setLevel(logging.CRITICAL)
self.log = paramiko.util.get_logger("paramiko")
self.log.debug("%s: start transport" % self.__class__.__name__)
self.server.client_address = self.client_address
t = paramiko.Transport(self.request)
if self.secopts:
secopt = t.get_security_options()
for op, val in self.secopts.items():
try:
setattr(secopt, op, val)
except ValueError as ex:
self.log.error("Failed to setup %s (%r): %s" % (op, val, ex))
else:
self.log.debug("%s set to %r" % (op, val))
t.add_server_key(self.server.host_key)
if self.keepalive:
self.log.debug("%s: setting keepalive to %d" % (self.__class__.__name__, self.keepalive))
t.set_keepalive(self.keepalive)
t.set_subsystem_handler("sftp", paramiko.SFTPServer, SFTPServerInterface, self.server.fs)
if self.server_ident:
# expected format SSH-0.0-string; eg. SSH-2.0-paramiko_1.18
local_version = t.local_version.split("-")[:2]
local_version.append(self.server_ident)
t.local_version = '-'.join(local_version)
# asynchronous negotiation with optional time limit; paramiko has a banner timeout already (15 secs)
start = time()
event = threading.Event()
try:
t.start_server(server=self.server, event=event)
while True:
if event.wait(0.1):
if not t.is_active():
ex = t.get_exception() or "Negotiation failed."
self.log.warning("%r, disconnecting: %s" % (self.client_address, ex))
return
self.log.debug("negotiation was OK")
break
if self.negotiation_timeout > 0 and time()-start > self.negotiation_timeout:
self.log.warning("%r, disconnecting: Negotiation timed out." % (self.client_address,))
return
chan = t.accept(self.auth_timeout)
if chan is None:
self.log.warning("%r, disconnecting: auth failed, channel is None." % (self.client_address,))
return
while t.isAlive():
t.join(timeout=10)
finally:
self.log.info("%r, cleaning up connection: bye." % (self.client_address,))
if self.server.fs.conn:
self.server.fs.conn.close()
t.close()
return
def generateSecureRandom(try_again=True):
try:
return Random.new().read(AES.block_size).encode('hex')
except AssertionError as e:
if try_again:
Random.atfork()
return generateSecureRandom(try_again=False)
return None
def validate_create(self):
e = self._select_for_update(self.election)
Random.atfork()
self.zeus.validate_creating()
self.frozen_at = datetime.datetime.now()
self.save()
e.save()
if e.polls_feature_frozen:
e.frozen_at = datetime.datetime.now()
e.save()
def validate_create(self):
e = self.election.__class__.objects.select_for_update().get(pk=self.election.pk)
Random.atfork()
self.zeus.validate_creating()
self.frozen_at = datetime.datetime.now()
self.save()
e.save()
if e.polls_feature_frozen:
e.frozen_at = datetime.datetime.now()
e.save()
def generate_key(cls):
"""Generate a 256 bits key to be used to encrypt data.
Return a string hex representation of this key.
"""
try:
return binascii.hexlify(Random.new().read(32)).decode()
except AssertionError:
Random.atfork()
return cls.generate_key()
def validate_create(self):
e = self._select_for_update(self.election)
Random.atfork()
self.zeus.validate_creating()
self.frozen_at = datetime.datetime.now()
self.save()
e.save()
if e.polls_feature_frozen:
e.frozen_at = datetime.datetime.now()
e.save()
def _encrypt(self, plain):
"""Encrypt a plaintext string using self.key as the key"""
if not crypto_installed:
sys.exit("Error: PyCrypto is not installed.")
Random.atfork() # A seed for PyCrypto
iv = Random.new().read(AES.block_size)
crypto = AES.new(self.key, AES.MODE_CBC, iv)
plain = plain.encode("utf-8")
plain += b" " * (AES.block_size - len(plain) % AES.block_size)
return iv + crypto.encrypt(plain)
def run(self):
"""Run the server."""
server = ObjectStorageSFTPServer(
(self.options.bind_address, self.options.port),
host_key=self.host_key,
authurl=self.options.authurl,
max_children=self.options.max_children,
keystone=self.options.keystone,
no_scp=self.options.no_scp,
split_size=self.options.split_size,
hide_part_dir=self.options.hide_part_dir,
auth_timeout=self.options.auth_timeout,
negotiation_timeout=self.options.negotiation_timeout,
keepalive=self.options.keepalive,
insecure=self.options.insecure,
secopts=self.options.secopts,
server_ident=self.options.server_ident,
)
dc = daemon.DaemonContext()
dc.pidfile = self.pidfile
if self.options.uid:
dc.uid = self.options.uid
if self.options.gid:
dc.gid = self.options.gid
# FIXME: we don't know the fileno for Random open files, but they're < 16
dc.files_preserve = range(server.fileno(), 16)
if self.options.foreground:
dc.detach_process = False
dc.stderr = sys.stderr
with dc:
Random.atfork()
self.setup_log()
try:
if os.getuid() == 0:
self.log.warning("UID is 0, running as root is not recommended")
self.log.info("Listening on %s:%s" % (self.options.bind_address, self.options.port))
server.serve_forever()
except (SystemExit, KeyboardInterrupt):
self.log.info("Terminating...")
if server.active_children:
for pid in server.active_children:
os.kill(pid, signal.SIGTERM)
server.server_close()
if self.pidfile and self.pidfile.i_am_locking():
self.pidfile.release()
return 0
def validate_create(self):
e = self.election.__class__.objects.select_for_update().get(
pk=self.election.pk)
Random.atfork()
self.zeus.validate_creating()
self.frozen_at = datetime.datetime.now()
self.save()
e.save()
if e.polls_feature_frozen:
e.frozen_at = datetime.datetime.now()
e.save()
def _encrypt(self, plain):
"""Encrypt a plaintext string using self.key as the key"""
if not crypto_installed:
sys.exit("Error: PyCrypto is not installed.")
Random.atfork() # A seed for PyCrypto
iv = Random.new().read(AES.block_size)
crypto = AES.new(self.key, AES.MODE_CBC, iv)
plain = plain.encode("utf-8")
padding_length = AES.block_size - len(plain) % AES.block_size
plain += util.int2byte(padding_length) * padding_length
return iv + crypto.encrypt(plain)
def encrypt(self, raw):
"""Encrypt the provided password and return the encoded password
hash
:param raw: The raw password string to encode
"""
raw = self._pad(raw)
Random.atfork()
iv = Random.new().read(AES.block_size)
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return base64.b64encode(iv + cipher.encrypt(raw))
