def renderHTTP(self, ctx):
# XXX: refactor this to a helper??
def _xml_escape(x):
return helpers.xml_escape(x)
# XXX: simple base64 encoding does not seem to be enough
def _base64_encode(x):
# base64 produces a newline, strip it away; still not correct tho
return x.encode('base64').strip()
request = inevow.IRequest(ctx)
# figure parameters
server_address = ''
try:
server_address = str(request.getRequestHostname())
except:
_log.exception('cannot figure out server_address')
preshared_key = ''
try:
psk_seq = helpers.get_ui_config().getS(ns_ui.preSharedKeys, rdf.Seq(rdf.Type(ns_ui.PreSharedKey)))
preshared_key = str(psk_seq[0].getS(ns_ui.preSharedKey, rdf.String))
except:
_log.exception('cannot figure out preshared_key')
username = ''
try:
tmp = self.get_logged_in_username()
if tmp is not None:
username = str(tmp)
except:
_log.exception('cannot figure out username')
# Profile name
profile_prefix = 'VPNease'
try:
if os.path.exists(constants.AUTOCONFIG_PROFILE_PREFIX_FILE):
profile_prefix = helpers.read_and_strip_file(constants.AUTOCONFIG_PROFILE_PREFIX_FILE)
except:
_log.exception('failed when checking for alternative profile name')
profile_name = '%s (%s)' % (profile_prefix, server_address)
# Server behind port forward
server_portfw = False
try:
global_st = helpers.get_global_status()
if global_st.hasS(ns.behindNat):
if global_st.getS(ns.behindNat, rdf.Boolean):
server_portfw = True
else:
server_portfw = False
else:
# assume worst - reboot *MAY* be required
server_portfw = True
# markerfile for debugging
if helpers.check_marker_file(constants.FORCE_NATTREBOOT_MARKERFILE):
_log.warning('force nat-t reboot marker file exists, pretending server is behind port forward')
server_portfw = True
except:
_log.exception('cannot determine whether server is behind port forward, may be OK')
#
# Notes about OSX plist for networkConnect
#
# * There are settings for PPP redial counts etc. We don't use them
# because we want to minimize risks.
#
# * DisconnectOnXXX settings only seem to work when inside SystemConfig,
# not inside UserConfigs.
#
# * SystemConfig -> IPv4 -> OverridePrimary=1 should, based on PPP code,
# set 'default route' setting but doesn't seem to work.
#
# * UserConfigs -> IPsec -> ExportedSharedSecret contains the pre-shared
# key for IKE in some sort of encrypted format. The value is base64
# encoded but the pre-shared key is processed (encrypted or masked)
# prior to base64. Note that whatever the unknown (and seemingly
# undocumented transform is, it has to be reversible because IKE needs
# the PSK.
#
# * CCP / MPPC / MPPE are disabled now. They don't actually work in
# Leopard at least.
#
# create xml plist
textdata = textwrap.dedent("""\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>L2TP</key>
<dict>
<key>SystemConfig</key>
<dict>
<key>PPP</key>
<dict>
<key>DisconnectOnSleep</key>
<integer>1</integer>
<key>DisconnectOnFastUserSwitch</key>
<integer>1</integer>
<key>DisconnectOnLogout</key>
<integer>1</integer>
</dict>
</dict>
<key>UserConfigs</key>
<array>
<dict>
<key>EAP</key>
<dict/>
<key>IPSec</key>
<dict>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>LocalIdentifier</key>
<string></string>
<key>LocalIdentifierType</key>
<string>KeyID</string>
</dict>
<key>PPP</key>
<dict>
<key>AuthName</key>
<string>%(username)s</string>
<key>CommRemoteAddress</key>
<string>%(server_address)s</string>
<key>UserDefinedName</key>
<string>%(profile_name)s</string>
<key>CCPEnabled</key>
<integer>%(ccp_enabled)d</integer>
<key>CCPMPPE128Enabled</key>
<integer>%(ccp_mppe40_enabled)d</integer>
<key>CCPMPPE40Enabled</key>
<integer>%(ccp_mppe128_enabled)d</integer>
</dict>
</dict>
</array>
</dict>
</dict>
</plist>
""") % {
'preshared_key_base64': _xml_escape(_base64_encode(preshared_key)),
'username': _xml_escape(username),
'server_address': _xml_escape(server_address),
'profile_name': _xml_escape(profile_name),
'override_primary': 1, # XXX: force default route
'ccp_enabled': 0,
'ccp_mppe40_enabled': 0,
'ccp_mppe128_enabled': 0,
}
#
# Content-Type is interesting. If this is served as 'text/xml', Safari
# will display the file without offering a save option. Even if it is
# saved, Safari will *refuse* saving the file with '.networkConnect'
# extension.
#
# 'application/octet-stream' causes Safari to save the file, and use can
# double click to run it.
#
return uihelpers.UncachedData(textdata, 'application/octet-stream')
def renderHTTP(self, ctx):
# XXX: refactor this to a helper??
def _xml_escape(x):
return helpers.xml_escape(x)
# XXX: simple base64 encoding does not seem to be enough
def _base64_encode(x):
# base64 produces a newline, strip it away; still not correct tho
return x.encode('base64').strip()
request = inevow.IRequest(ctx)
# figure parameters
server_address = ''
try:
server_address = str(request.getRequestHostname())
except:
_log.exception('cannot figure out server_address')
preshared_key = ''
try:
psk_seq = helpers.get_ui_config().getS(
ns_ui.preSharedKeys, rdf.Seq(rdf.Type(ns_ui.PreSharedKey)))
preshared_key = str(psk_seq[0].getS(ns_ui.preSharedKey,
rdf.String))
except:
_log.exception('cannot figure out preshared_key')
username = ''
try:
tmp = self.get_logged_in_username()
if tmp is not None:
username = str(tmp)
except:
_log.exception('cannot figure out username')
# Profile name
profile_prefix = 'VPNease'
try:
if os.path.exists(constants.AUTOCONFIG_PROFILE_PREFIX_FILE):
profile_prefix = helpers.read_and_strip_file(
constants.AUTOCONFIG_PROFILE_PREFIX_FILE)
except:
_log.exception('failed when checking for alternative profile name')
profile_name = '%s (%s)' % (profile_prefix, server_address)
# Server behind port forward
server_portfw = False
try:
global_st = helpers.get_global_status()
if global_st.hasS(ns.behindNat):
if global_st.getS(ns.behindNat, rdf.Boolean):
server_portfw = True
else:
server_portfw = False
else:
# assume worst - reboot *MAY* be required
server_portfw = True
# markerfile for debugging
if helpers.check_marker_file(
constants.FORCE_NATTREBOOT_MARKERFILE):
_log.warning(
'force nat-t reboot marker file exists, pretending server is behind port forward'
)
server_portfw = True
except:
_log.exception(
'cannot determine whether server is behind port forward, may be OK'
)
#
# Notes about OSX plist for networkConnect
#
# * There are settings for PPP redial counts etc. We don't use them
# because we want to minimize risks.
#
# * DisconnectOnXXX settings only seem to work when inside SystemConfig,
# not inside UserConfigs.
#
# * SystemConfig -> IPv4 -> OverridePrimary=1 should, based on PPP code,
# set 'default route' setting but doesn't seem to work.
#
# * UserConfigs -> IPsec -> ExportedSharedSecret contains the pre-shared
# key for IKE in some sort of encrypted format. The value is base64
# encoded but the pre-shared key is processed (encrypted or masked)
# prior to base64. Note that whatever the unknown (and seemingly
# undocumented transform is, it has to be reversible because IKE needs
# the PSK.
#
# * CCP / MPPC / MPPE are disabled now. They don't actually work in
# Leopard at least.
#
# create xml plist
textdata = textwrap.dedent("""\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>L2TP</key>
<dict>
<key>SystemConfig</key>
<dict>
<key>PPP</key>
<dict>
<key>DisconnectOnSleep</key>
<integer>1</integer>
<key>DisconnectOnFastUserSwitch</key>
<integer>1</integer>
<key>DisconnectOnLogout</key>
<integer>1</integer>
</dict>
</dict>
<key>UserConfigs</key>
<array>
<dict>
<key>EAP</key>
<dict/>
<key>IPSec</key>
<dict>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>LocalIdentifier</key>
<string></string>
<key>LocalIdentifierType</key>
<string>KeyID</string>
</dict>
<key>PPP</key>
<dict>
<key>AuthName</key>
<string>%(username)s</string>
<key>CommRemoteAddress</key>
<string>%(server_address)s</string>
<key>UserDefinedName</key>
<string>%(profile_name)s</string>
<key>CCPEnabled</key>
<integer>%(ccp_enabled)d</integer>
<key>CCPMPPE128Enabled</key>
<integer>%(ccp_mppe40_enabled)d</integer>
<key>CCPMPPE40Enabled</key>
<integer>%(ccp_mppe128_enabled)d</integer>
</dict>
</dict>
</array>
</dict>
</dict>
</plist>
""") % {
'preshared_key_base64': _xml_escape(_base64_encode(preshared_key)),
'username': _xml_escape(username),
'server_address': _xml_escape(server_address),
'profile_name': _xml_escape(profile_name),
'override_primary': 1, # XXX: force default route
'ccp_enabled': 0,
'ccp_mppe40_enabled': 0,
'ccp_mppe128_enabled': 0,
}
#
# Content-Type is interesting. If this is served as 'text/xml', Safari
# will display the file without offering a save option. Even if it is
# saved, Safari will *refuse* saving the file with '.networkConnect'
# extension.
#
# 'application/octet-stream' causes Safari to save the file, and use can
# double click to run it.
#
return uihelpers.UncachedData(textdata, 'application/octet-stream')
def renderHTTP(self, ctx):
request = inevow.IRequest(ctx)
# read unpatched exe
f = None
exedata = ''
try:
f = open(self.autoconfig_exe_filename, 'rb')
exedata = f.read()
finally:
if f is not None:
f.close()
f = None
# figure parameters
server_address_in_uri = None
try:
server_address_in_uri = str(request.getRequestHostname())
except:
_log.exception('cannot figure out server_address_in_uri')
server_ip = None
try:
server_ip = self._get_server_ip_for_win2k(ctx)
except:
_log.exception('cannot figure out server_ip')
server_address = None
if self.force_server_address_to_ip:
server_address = server_ip
else:
server_address = server_address_in_uri
if (server_address_in_uri is None) or (server_address_in_uri == ''):
raise Exception('server_address_in_uri missing, failing')
if (server_address is None) or (server_address == ''):
raise Exception('server_address missing, failing')
if self.include_win2k_regdata and ((server_ip is None) or (server_ip == '')):
raise Exception('server_ip is needed and missing, failing')
preshared_key = ''
try:
psk_seq = helpers.get_ui_config().getS(ns_ui.preSharedKeys, rdf.Seq(rdf.Type(ns_ui.PreSharedKey)))
preshared_key = str(psk_seq[0].getS(ns_ui.preSharedKey, rdf.String))
except:
_log.exception('cannot figure out preshared_key')
username = ''
try:
tmp = self.get_logged_in_username()
if tmp is not None:
username = str(tmp)
except:
_log.exception('cannot figure out username')
# Profile name, always uses address in URI, even if server address itself forced to IP
profile_prefix = 'VPNease'
try:
if os.path.exists(constants.AUTOCONFIG_PROFILE_PREFIX_FILE):
profile_prefix = helpers.read_and_strip_file(constants.AUTOCONFIG_PROFILE_PREFIX_FILE)
except:
_log.exception('failed when checking for alternative profile name')
profile_name = '%s (%s)' % (profile_prefix, server_address_in_uri)
# Server behind port forward
server_portfw = False
try:
global_st = helpers.get_global_status()
if global_st.hasS(ns.behindNat):
if global_st.getS(ns.behindNat, rdf.Boolean):
server_portfw = True
else:
server_portfw = False
else:
# assume worst - reboot *MAY* be required
server_portfw = True
# markerfile for debugging
if helpers.check_marker_file(constants.FORCE_NATTREBOOT_MARKERFILE):
_log.warning('force nat-t reboot marker file exists, pretending server is behind port forward')
server_portfw = True
except:
_log.exception('cannot determine whether server is behind port forward, may be OK')
# Windows 2000 registry-based IPsec policy + prohibitIpsec
win2k_ipsec_policy_registry_file = ''
try:
if self.include_win2k_regdata:
# Registry data is HEX encoded UTF-16; HEX encoding is used to avoid problems
# with the parameters.cpp mechanism (null termination). The resulting data is
# large, around 50 kilobytes (!).
# Always uses server IP for IPsec policy, because that's what Windows 2000 IPsec wants
t = self._get_win2k_reg_file(server_ip, preshared_key)
t = self._encode_windows_reg_file(t) # UTF-16
win2k_ipsec_policy_registry_file = t.encode('hex') # hex-encoded UTF-16
except:
_log.exception('cannot create win2k registry file')
# Fill paramdict and return
paramdict = {}
paramdict['operation'] = 'configure_profile'
paramdict['profile_name'] = profile_name
paramdict['desktop_shortcut_name'] = '%s.LNK' % profile_name # xxx: for now the same
paramdict['server_address'] = server_address
paramdict['preshared_key'] = preshared_key
paramdict['username'] = username
paramdict['ppp_compression_enabled'] = '1'
paramdict['default_route_enabled'] = '1'
paramdict['create_desktop_shortcut'] = '1'
paramdict['open_profile_after_creation'] = '1'
if server_portfw:
paramdict['server_behind_port_forward'] = '1'
else:
paramdict['server_behind_port_forward'] = '0'
if self.include_win2k_regdata:
paramdict['win2k_registry_file'] = win2k_ipsec_policy_registry_file
return uihelpers.RewritingBinaryResource(exedata, paramdict)
