示例#1
0
 def addRule(self,policy):
     
     if policy in self.specificRules:
         raise PolicyAlreadyExistsException
     
     Log.policycontrol("rule added %s"%str(policy))
     self.specificRules[str(policy)]=policy
示例#2
0
    def handshakeSuccessful(self, respHeader,c):
        c=list(map(lambda s: s.lstrip(),c.split(b",")))
        
        self._socketType = None
        if b"proxy" not in c:
            Log.error("An incoming connection has no proxy field",False)
            self.doDisconnect()
            return 
            
        self.uri=base64.b64decode(self.uri)
        if(b"TCP" in c):

            if self._policyControl.tcpAllowed():
                self._socket=SocketModeFactory.TCP.generateSocket()
                self._socketType="TCP"
            else:
                Log.policycontrol("An incoming tcp connection was rejected: TCP socket types disabled")
                self.doDisconnect()
                return
        
        if(b"UNIX" in c):
            if self._policyControl.unixAllowed():
                self._socket=SocketModeFactory.UNIX.generateSocket()
                self._socketType="UNIX"
            else:
                Log.policycontrol("An incoming unix connection was rejected: UNIX socket types disabled")
                self.doDisconnect()
                return
            
        if(b"UDP" in c):
            if self._policyControl.udpAllowed():
                self._socketType="UDP"
                self._socket=SocketModeFactory.UDP.generateSocket()
            else:
                Log.policycontrol("An incoming udp connection was rejected: UDP socket types disabled")
                self.doDisconnect()
                return
        
        if self._socketType is None:
            Log.warning("Incoming request has no socket specified")
            self.doDisconnect()
            return
        
        if self._socketType=="UNIX":
            uri=self.uri
            destination=uri
        else:
            port=self.uri[self.uri.rfind(b":")+1:]
            uri=self.uri[:self.uri.rfind(b":")]    
            destination=(uri,int(port))
        
        #policy control
        authStrings = list( filter(lambda elem: len(elem)>10 and ( chr(elem[0])=="H" or chr(elem[0])=="S") ,c)) 
        
        if self._policyControl.hasAccess(self._socketType,self.requestHeader[b'Origin'],destination, authStrings):
            self.connectRemote(destination,respHeader,c)
        else:
            Log.policycontrol("Access denied for: %s connection to %s"%(self._socketType,destination))
            self.doDisconnect(False)
示例#3
0
 def removeRule(self,rule):
     if type(rule)==type(""):
         del self.specificRules[rule]
     elif type(rule)==type(Policy()):
         del self.specificRules[str(rule)]
     Log.policycontrol("rule removed %s"%str(rule))
示例#4
0
    def hasAccess(self,type_,src_,destination,auth):
        '''
        checks if the script has access 
        @param type_: TCP,UDP,UNIX
        @param src: the source url of the script [is null if local]
        @param destination: the destination url/ip to connect to   
        @param auth:
        '''
        #Log.debug("checking policy: \n type: %s \n  src: %s \n dest: %s \n auth: %s"%(type_,src_, destination,auth))
        d_uri, d_port = Policies.splitURI(destination)
        src = src_.decode() 
        if src == "null":
            src = "localhost"
        incomingRequestPolicy = Policy("", d_uri, d_port,src, type_)
        

        #print(str(self.policies))
        matchcount=0
        matchaction = None
        for k,rule in self.policies.specificRules.items():
            if self.matches(rule,incomingRequestPolicy):
                if matchcount != 0 and matchaction != rule.action:
                    Log.warning("multiple rules with conflicting actions detected: %s"%k)
                    
                matchcount += 1
                matchaction = rule.action
                
        
        if matchaction != None:
            return self.__proceed(matchaction,incomingRequestPolicy)
        Log.debug("passed specific")    
                        
        
        #no specific rule found:
        #testing for:
        #    trustedSource
        #    trustedDest
        #    localSource
        #    general rule
        
        SALTLEN = 8 
        for authElem in auth:
            
            
            #    trustedSource
            if chr(authElem[0]) == "S":
                authString1 = Authentication.hash(b"", authElem[1:SALTLEN+1])[1].encode()
                if authString1 == authElem[SALTLEN+1:]:
                    #trusted source detected
                    Log.policycontrol("Sourcekey detected")
                    return self.__proceed(self.policies.trustedSource,incomingRequestPolicy,"sourcekey")
                    
            Log.debug("passed srckey")
            #    trustedDest
            if chr(authElem[0]) == "H":
                deststr = d_uri+":"+str(d_port)
                authString1 = Authentication.hash(deststr.encode(), authElem[1:SALTLEN+1])[1].encode()
                authString2 = Authentication.hash(d_uri.encode(), authElem[1:SALTLEN+1])[1].encode()
                if authString1 == authElem[SALTLEN+1:] or authString2 == authElem[SALTLEN+1:]:
                    Log.policycontrol("Hostkey detected")
                    return self.__proceed(self.policies.trustedDest,incomingRequestPolicy,"hostkey")
                    
        
        Log.debug("passed hostkey")    
        #    localSource
        if src == b"localhost":
            return self.__proceed(self.policies.localSource,incomingRequestPolicy)
        Log.debug("passed local")            
            
        #    general rule
        return self.__proceed(self.policies.unknownPolicyRule,incomingRequestPolicy)
        Log.debug("passed general")
        return False