def update_logins(self, username): """Update login DB""" # We don't have a handle_request for server so expire here instead if self.last_expire + self.min_expire_delay < time.time(): self.last_expire = time.time() expired = expire_rate_limit(configuration, "ftps") logger.debug("expired rate limit entries: %s" % expired) # TODO: only refresh for username? daemon_conf = configuration.daemon_conf logger.debug("update user list") # automatic reload of users if more than refresh_delay seconds old refresh_delay = 5 if daemon_conf['time_stamp'] + refresh_delay < time.time(): daemon_conf = refresh_users(configuration, 'ftps') logger.debug("update usermap") usermap = {} for user_obj in daemon_conf['users']: if not usermap.has_key(user_obj.username): usermap[user_obj.username] = [] usermap[user_obj.username].append(user_obj) self.users = usermap logger.info("updated usermap: %s" % self.users) logger.debug("update user_table") # Fill users in dictionary for fast lookup. We create a list of # matching User objects since each user may have multiple logins (e.g. # public keys) for (username, user_obj_list) in self.users.items(): if self.has_user(username): self.remove_user(username) # We prefer last entry with password but fall back to any entry # to assure at least a hit user_obj = (user_obj_list + [i for i in user_obj_list \ if i.password is not None])[-1] home_path = os.path.join(daemon_conf['root_dir'], user_obj.home) logger.debug("add user to user_table: %s" % user_obj) # The add_user format and perm string meaning is explained at: # http://code.google.com/p/pyftpdlib/wiki/Tutorial#2.2_-_Users self.add_user(username, user_obj.password, home_path, perm='elradfmwM') logger.debug("updated user_table: %s" % self.user_table)
def start_service(configuration): """Service launcher""" host = configuration.user_openid_address port = configuration.user_openid_port data_path = configuration.openid_store daemon_conf = configuration.daemon_conf nossl = daemon_conf['nossl'] addr = (host, port) # TODO: is this threaded version robust enough (thread safety)? #OpenIDServer = OpenIDHTTPServer OpenIDServer = ThreadedOpenIDHTTPServer httpserver = OpenIDServer(addr, ServerHandler) # Instantiate OpenID consumer store and OpenID consumer. If you # were connecting to a database, you would create the database # connection and instantiate an appropriate store here. store = FileOpenIDStore(data_path) oidserver = server.Server(store, httpserver.base_url + 'openidserver') httpserver.setOpenIDServer(oidserver) # Wrap in SSL if enabled if nossl: logger.warning('Not wrapping connections in SSL - only for testing!') else: cert_path = configuration.user_openid_key if not os.path.isfile(cert_path): logger.error('No such server key: %s' % cert_path) sys.exit(1) logger.info('Wrapping connections in SSL') httpserver.socket = ssl.wrap_socket(httpserver.socket, certfile=cert_path, server_side=True) print 'Server running at:' print httpserver.base_url min_expire_delay = 300 last_expire = time.time() while True: httpserver.handle_request() if last_expire + min_expire_delay < time.time(): last_expire = time.time() expired = expire_rate_limit(configuration, "openid") logger.debug("expired: %s" % expired)
def run(configuration): """SSL wrap HTTP server for secure DAV access""" handler = MiGDAVAuthHandler # Force AuthRequestHandler to HTTP/1.1 to allow persistent connections handler.protocol_version = 'HTTP/1.1' # Extract server address for daemon and DAV URIs host = configuration.user_davs_address.strip() port = configuration.user_davs_port # Pass conf options to DAV handler in required object format. # Server accepts empty address to mean all available IPs but URIs need # a real FQDN dav_conf_dict = configuration.dav_cfg if host: dav_conf_dict['host'] = host else: from socket import getfqdn dav_conf_dict['host'] = getfqdn() dav_conf_dict['port'] = port dav_conf = setup_dummy_config(**dav_conf_dict) # inject options handler.server_conf = configuration handler._config = dav_conf server = ThreadedHTTPServer directory = dav_conf_dict['directory'].strip().rstrip('/') verbose = dav_conf.DAV.getboolean('verbose') noauth = dav_conf.DAV.getboolean('noauth') nossl = dav_conf.DAV.getboolean('nossl') if not os.path.isdir(directory): logger.error('%s is not a valid directory!' % directory) return sys.exit(233) # basic checks against wrong hosts if host.find('/') != -1 or host.find(':') != -1: logger.error('Malformed host %s' % host) return sys.exit(233) # no root directory if directory == '/': logger.error('Root directory not allowed!') sys.exit(233) # put some extra vars handler.verbose = verbose if noauth: logger.warning('Authentication disabled!') handler.DO_AUTH = False logger.info('Serving data from %s' % directory) init_filesystem_handler(handler, directory, host, port, verbose) # initialize server on specified address and port runner = server((host, port), handler) # Wrap in SSL if enabled if nossl: logger.warning('Not wrapping connections in SSL - only for testing!') else: cert_path = configuration.user_davs_key if not os.path.isfile(cert_path): logger.error('No such server key: %s' % cert_path) sys.exit(1) logger.info('Wrapping connections in SSL') runner.socket = ssl.wrap_socket(runner.socket, certfile=cert_path, server_side=True) print('Listening on %s (%i)' % (host, port)) min_expire_delay = 300 last_expire = time.time() try: while True: runner.handle_request() if last_expire + min_expire_delay < time.time(): last_expire = time.time() expired = expire_rate_limit(configuration, "davs") logger.debug("Expired rate limit entries: %s" % expired) except KeyboardInterrupt: # forward KeyboardInterrupt to main thread raise
# automatic reload of users if more than refresh_delay seconds old refresh_delay = 5 if daemon_conf['time_stamp'] + refresh_delay < time.time(): daemon_conf = refresh_users(configuration, 'sftp') daemon_conf = refresh_jobs(configuration, 'sftp') logger.info("Handling session from %s %s" % (client, addr)) worker = threading.Thread(target=accept_client, args=[client, addr, daemon_conf['root_dir'], daemon_conf['users'], daemon_conf['jobs'], daemon_conf['host_rsa_key'], daemon_conf,]) worker.start() if last_expire + min_expire_delay < time.time(): last_expire = time.time() expired = expire_rate_limit(configuration, "sftp-*") logger.debug("Expired rate limit entries: %s" % expired) if __name__ == "__main__": configuration = get_configuration_object() # Use separate logger logger = daemon_logger("sftp", configuration.user_sftp_log, "info") # Allow configuration overrides on command line if sys.argv[1:]: configuration.user_sftp_address = sys.argv[1] if sys.argv[2:]:
def _expire_rate_limit(self): """Expire old entries in the rate limit dictionary""" expired = expire_rate_limit(configuration, "davs") logger.debug("Expired rate limit entries: %s" % expired)