def aMessage(self,msg):
'''
handles incoming messages and delegates to corresponding methods
'''
try:
recv=json.loads(msg.decode())
except Exception as e:
Log.debug("invalid control command")
self.protocolError()
return
try:
if not self.authenticated:
if self.inObj(["cmd","user","password"],recv) and recv['cmd'] == Message.CMD_AUTHREQ:
if recv["user"] == StdConfig.getInstance().getCtrlUsername() and recv["password"] == StdConfig.getInstance().getCtrlPassword():
self.toClient(Message("", "", Message.STATUS_LOGINOK))
self.authenticated=True
Log.debug("logged in")
else:
Log.debug("log in rejected");
self.toClient(Message("", "", Message.STATUS_AUTHENTICATION_REJECTED))
self.wronglogins+=1
if self.wronglogins >= 3:
self.doDisconnect()
else:
self.toClient(Message("", "", Message.STATUS_NOT_AUTHENTICATED))
else:
#authenticated
if self.inObj(["cmd","user","password"],recv) and recv['cmd'] == Message.CMD_AUTHREQ:
#already autenticated
self.toClient(Message("", "", Message.STATUS_OK))
return
if self.inObj(["cmd","status"], recv) and recv["status"] == "cmd":
if recv['cmd'] in self._cmds:
body=""
if "body" in recv:
body=recv["body"]
self._cmds[recv['cmd']](body)
return
self.protocolError()
except Exception as e:
self.protocolError()
raise e
def _cmdDelete(self,args,update=True):
Log.debug("delete " + args)
self._policyControl.removeRule(args)
if update:
self._cmdList()
def hasAccess(self,type_,src_,destination,auth):
'''
checks if the script has access
@param type_: TCP,UDP,UNIX
@param src: the source url of the script [is null if local]
@param destination: the destination url/ip to connect to
@param auth:
'''
#Log.debug("checking policy: \n type: %s \n src: %s \n dest: %s \n auth: %s"%(type_,src_, destination,auth))
d_uri, d_port = Policies.splitURI(destination)
src = src_.decode()
if src == "null":
src = "localhost"
incomingRequestPolicy = Policy("", d_uri, d_port,src, type_)
#print(str(self.policies))
matchcount=0
matchaction = None
for k,rule in self.policies.specificRules.items():
if self.matches(rule,incomingRequestPolicy):
if matchcount != 0 and matchaction != rule.action:
Log.warning("multiple rules with conflicting actions detected: %s"%k)
matchcount += 1
matchaction = rule.action
if matchaction != None:
return self.__proceed(matchaction,incomingRequestPolicy)
Log.debug("passed specific")
#no specific rule found:
#testing for:
# trustedSource
# trustedDest
# localSource
# general rule
SALTLEN = 8
for authElem in auth:
# trustedSource
if chr(authElem[0]) == "S":
authString1 = Authentication.hash(b"", authElem[1:SALTLEN+1])[1].encode()
if authString1 == authElem[SALTLEN+1:]:
#trusted source detected
Log.policycontrol("Sourcekey detected")
return self.__proceed(self.policies.trustedSource,incomingRequestPolicy,"sourcekey")
Log.debug("passed srckey")
# trustedDest
if chr(authElem[0]) == "H":
deststr = d_uri+":"+str(d_port)
authString1 = Authentication.hash(deststr.encode(), authElem[1:SALTLEN+1])[1].encode()
authString2 = Authentication.hash(d_uri.encode(), authElem[1:SALTLEN+1])[1].encode()
if authString1 == authElem[SALTLEN+1:] or authString2 == authElem[SALTLEN+1:]:
Log.policycontrol("Hostkey detected")
return self.__proceed(self.policies.trustedDest,incomingRequestPolicy,"hostkey")
Log.debug("passed hostkey")
# localSource
if src == b"localhost":
return self.__proceed(self.policies.localSource,incomingRequestPolicy)
Log.debug("passed local")
# general rule
return self.__proceed(self.policies.unknownPolicyRule,incomingRequestPolicy)
Log.debug("passed general")
return False
