From 07626fa7c817864f903541ee9afa5139a77adca8 Mon Sep 17 00:00:00 2001 
From: myve Date: Thu, 25 Jul 2024 02:07:59 +0000 Subject: [PATCH] Force add websockify --- .../websockify/.github/workflows/test.yml | 39 + base/app/novnc/utils/websockify/.gitignore | 12 + base/app/novnc/utils/websockify/.gitmodules | 0 base/app/novnc/utils/websockify/CHANGES.txt | 131 +++ base/app/novnc/utils/websockify/COPYING | 165 ++++ base/app/novnc/utils/websockify/MANIFEST.in | 1 + base/app/novnc/utils/websockify/Makefile | 11 + base/app/novnc/utils/websockify/README.md | 208 +++++ .../Windows/Windows Service Readme.md | 61 ++ .../novnc/utils/websockify/docker/Dockerfile | 16 + .../novnc/utils/websockify/docker/build.sh | 5 + .../utils/websockify/docs/latency_results.txt | 114 +++ base/app/novnc/utils/websockify/docs/notes | 6 + .../novnc/utils/websockify/docs/release.txt | 10 + .../novnc/utils/websockify/docs/websockify.1 | 110 +++ base/app/novnc/utils/websockify/rebind | 18 + base/app/novnc/utils/websockify/rebind.c | 94 ++ base/app/novnc/utils/websockify/run | 4 + base/app/novnc/utils/websockify/setup.py | 43 + .../utils/websockify/test-requirements.txt | 5 + .../novnc/utils/websockify/tests/echo.html | 139 +++ base/app/novnc/utils/websockify/tests/echo.py | 76 ++ .../utils/websockify/tests/echo_client.py | 69 ++ .../websockify/tests/fixtures/private.pem | 27 + .../websockify/tests/fixtures/public.pem | 9 + .../websockify/tests/fixtures/symmetric.key | 1 + .../novnc/utils/websockify/tests/latency.html | 261 ++++++ .../novnc/utils/websockify/tests/latency.py | 1 + .../novnc/utils/websockify/tests/load.html | 223 +++++ base/app/novnc/utils/websockify/tests/load.py | 168 ++++ .../utils/websockify/tests/plain_echo.html | 145 +++ .../novnc/utils/websockify/tests/simple.html | 65 ++ .../websockify/tests/test_auth_plugins.py | 28 + .../websockify/tests/test_token_plugins.py | 364 ++++++++ .../utils/websockify/tests/test_websocket.py | 212 +++++ .../websockify/tests/test_websocketproxy.py | 131 +++ .../websockify/tests/test_websocketserver.py | 69 ++ 
.../websockify/tests/test_websockifyserver.py | 400 ++++++++ base/app/novnc/utils/websockify/tox.ini | 17 + base/app/novnc/utils/websockify/websockify.py | 1 + .../utils/websockify/websockify/__init__.py | 2 + .../utils/websockify/websockify/__main__.py | 4 + .../websockify/websockify/auth_plugins.py | 102 ++ .../websockify/websockify/sysloghandler.py | 118 +++ .../websockify/websockify/token_plugins.py | 333 +++++++ .../utils/websockify/websockify/websocket.py | 874 ++++++++++++++++++ .../websockify/websockify/websocketproxy.py | 800 ++++++++++++++++ .../websockify/websockify/websocketserver.py | 110 +++ .../websockify/websockify/websockifyserver.py | 862 +++++++++++++++++ 49 files changed, 6664 insertions(+) create mode 100644 base/app/novnc/utils/websockify/.github/workflows/test.yml create mode 100644 base/app/novnc/utils/websockify/.gitignore create mode 100644 base/app/novnc/utils/websockify/.gitmodules create mode 100644 base/app/novnc/utils/websockify/CHANGES.txt create mode 100644 base/app/novnc/utils/websockify/COPYING create mode 100644 base/app/novnc/utils/websockify/MANIFEST.in create mode 100644 base/app/novnc/utils/websockify/Makefile create mode 100644 base/app/novnc/utils/websockify/README.md create mode 100644 base/app/novnc/utils/websockify/Windows/Windows Service Readme.md create mode 100644 base/app/novnc/utils/websockify/docker/Dockerfile create mode 100755 base/app/novnc/utils/websockify/docker/build.sh create mode 100644 base/app/novnc/utils/websockify/docs/latency_results.txt create mode 100644 base/app/novnc/utils/websockify/docs/notes create mode 100644 base/app/novnc/utils/websockify/docs/release.txt create mode 100644 base/app/novnc/utils/websockify/docs/websockify.1 create mode 100755 base/app/novnc/utils/websockify/rebind create mode 100644 base/app/novnc/utils/websockify/rebind.c create mode 100755 base/app/novnc/utils/websockify/run create mode 100644 base/app/novnc/utils/websockify/setup.py create mode 100644 
base/app/novnc/utils/websockify/test-requirements.txt create mode 100644 base/app/novnc/utils/websockify/tests/echo.html create mode 100755 base/app/novnc/utils/websockify/tests/echo.py create mode 100755 base/app/novnc/utils/websockify/tests/echo_client.py create mode 100644 base/app/novnc/utils/websockify/tests/fixtures/private.pem create mode 100644 base/app/novnc/utils/websockify/tests/fixtures/public.pem create mode 100644 base/app/novnc/utils/websockify/tests/fixtures/symmetric.key create mode 100644 base/app/novnc/utils/websockify/tests/latency.html create mode 120000 base/app/novnc/utils/websockify/tests/latency.py create mode 100644 base/app/novnc/utils/websockify/tests/load.html create mode 100755 base/app/novnc/utils/websockify/tests/load.py create mode 100644 base/app/novnc/utils/websockify/tests/plain_echo.html create mode 100644 base/app/novnc/utils/websockify/tests/simple.html create mode 100644 base/app/novnc/utils/websockify/tests/test_auth_plugins.py create mode 100644 base/app/novnc/utils/websockify/tests/test_token_plugins.py create mode 100644 base/app/novnc/utils/websockify/tests/test_websocket.py create mode 100644 base/app/novnc/utils/websockify/tests/test_websocketproxy.py create mode 100644 base/app/novnc/utils/websockify/tests/test_websocketserver.py create mode 100644 base/app/novnc/utils/websockify/tests/test_websockifyserver.py create mode 100644 base/app/novnc/utils/websockify/tox.ini create mode 120000 base/app/novnc/utils/websockify/websockify.py create mode 100644 base/app/novnc/utils/websockify/websockify/__init__.py create mode 100644 base/app/novnc/utils/websockify/websockify/__main__.py create mode 100644 base/app/novnc/utils/websockify/websockify/auth_plugins.py create mode 100644 base/app/novnc/utils/websockify/websockify/sysloghandler.py create mode 100644 base/app/novnc/utils/websockify/websockify/token_plugins.py create mode 100644 base/app/novnc/utils/websockify/websockify/websocket.py create mode 100644 
base/app/novnc/utils/websockify/websockify/websocketproxy.py
create mode 100644 base/app/novnc/utils/websockify/websockify/websocketserver.py
create mode 100644 base/app/novnc/utils/websockify/websockify/websockifyserver.py
diff --git a/base/app/novnc/utils/websockify/.github/workflows/test.yml b/base/app/novnc/utils/websockify/.github/workflows/test.yml
new file mode 100644
index 0000000..33b475f
--- /dev/null
+++ b/base/app/novnc/utils/websockify/.github/workflows/test.yml
@@ -0,0 +1,39 @@
+name: Test
+
+on: [push, pull_request]
+
+jobs:
+ test:
+ runs-on: ubuntu-20.04
+ strategy:
+ matrix:
+ python-version:
+ - 3.6
+ - 3.7
+ - 3.8
+ - 3.9
+ - "3.10"
+ - 3.11
+ - 3.12
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ matrix.python-version }}
+ - name: Update pip and setuptools
+ run: |
+ python -m pip install --upgrade pip
+ python -m pip install setuptools
+ - name: Install dependencies
+ run: |
+ python -m pip install -e .
+ python -m pip install -r test-requirements.txt
+ - name: Install old numpy
+ run: |
+ python -m pip install 'numpy<1.17'
+ if: ${{ matrix.python-version >= '3.4' && matrix.python-version < '3.7' }}
+ - name: Run tests
+ run: |
+ python -m nose2 --verbosity=3
diff --git a/base/app/novnc/utils/websockify/.gitignore b/base/app/novnc/utils/websockify/.gitignore
new file mode 100644
index 0000000..4ed77d8
--- /dev/null
+++ b/base/app/novnc/utils/websockify/.gitignore
@@ -0,0 +1,12 @@
+*.pyc
+*.o
+*.so
+.project
+.pydevproject
+target.cfg
+target.cfg.d
+.tox
+
+build/
+dist/
+*.egg-info
diff --git a/base/app/novnc/utils/websockify/.gitmodules b/base/app/novnc/utils/websockify/.gitmodules
new file mode 100644
index 0000000..e69de29
diff --git a/base/app/novnc/utils/websockify/CHANGES.txt b/base/app/novnc/utils/websockify/CHANGES.txt
new file mode 100644
index 0000000..29ac5ed
--- /dev/null
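Review bot: This workflow lives under base/app/novnc/utils/websockify/.github/workflows/, so GitHub Actions will never run it from this repository (only the repository-root .github/workflows directory is picked up); as committed it is inert config rather than test coverage for the vendored copy. If it is kept, `actions/checkout@v4` and `actions/setup-python@v5` are mutable tags, and pinning them to a full commit SHA (with the tag in a trailing comment) is the usual hardening for a job that runs `python -m pip install -e .` on every push. Separately, the subject "Force add websockify" together with the empty .gitmodules (blob e69de29) suggests a submodule was replaced by a flat copy, yet the upstream revision it was taken from is not recorded anywhere in the diff beyond the 0.12.0 heading at the top of CHANGES.txt; a one-line pin in the commit message or a VERSION file in the vendored tree would let later vulnerability triage map this copy back to an upstream release.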
+++ b/base/app/novnc/utils/websockify/CHANGES.txt 
@@ -0,0 +1,131 @@ +Changes +======= + +0.12.0 +------ + +* The simplejson module is no longer needed for redis token support +* redis tokens can now be either JSON or plain text +* websockify can now listen to a Unix socket for incoming connections + +0.11.0 +------ + +* Command line now supports disabling directory listings +* Basic Dockerfile included + +0.10.0 +------ + +* Python 3.4 or newer is now required +* Empty message frames are now supported +* Tokens can now specify a Unix domain socket file to connect to +* Time limits on JWT tokens are now respected +* Whitespace is better tolerated in token files +* Lots of minor fixes... + +0.9.0 +----- + +* Base64 support removed and binary mode is now required +* Low level WebSocket protocol handling now has its own class +* Authentication now optionally required for web server +* Server hostname can be used as the token +* JWT/JWS/JWE can be used for the token +* redis can be used for the token +* Can now log to syslog +* Improved latency by disabling Nagle for proxied connection +* Added client certificate authentication +* Support for password protected certificate key file +* TLS ciphers and options are now configurable +* Can be invoked via inetd +* Lots of minor fixes... 
+ +0.8.0 +----- + +* Make websockify properly terminate children on SIGTERM (#226) +* Remove logging in signal handlers (this can cause Python to hang under certain conditions) (#219) +* Make it easier to log to a file (#205) +* Add support for IPv6 addresses in tokens in the TokenFile token plugins (#197) +* Improve auth plugin framework to enable better support for HTTP auth (#194, #201) +* Fix bug in JSONTokenAPI token plugin (#192) +* Fix a missing variable in the exception handler (#178) + +0.7.0 +----- + +* Python 3 support fixes (#140, #155, #159) +* Generic token-parsing plugins support (#162) +* Generic authentication plugins support (#172) +* Fixed frame corruption on big-endian systems (#161) +* Support heartbeats (via PING) and automatic responses to PONG (#169) +* Automatically reject unmasked client frames by default (strict mode) (#174) +* Automatically restart interrupted select calls (#175) +* Make 'run' respect environment settings (including virtualenv) (#176) + +0.6.1 - May 11, 2015 +-------------------- + +* **PATCH RELEASE**: Fixes a bug causing file_only to not be passed properly + +0.6.0 - Feb 18, 2014 +-------------------- + +* **NOTE** : 0.6.0 will break existing code that sub-classes WebsocketProxy +* Refactor to use standard SocketServer RequestHandler design +* Fix zombie process bug on certain systems when using multiprocessing +* Add better unit tests +* Log information via python `logging` module + +0.5.1 - Jun 27, 2013 +-------------------- + + * use upstream einaros/ws (>=0.4.27) with websockify.js + * file_only and no_parent security options for WSRequestHandler + * Update build of web-socket-js (c0855c6cae) + * add include/web-socket-js-project submodule to gimite/web-socket-js + for DSFG compliance. + * drop Hixie protocol support + +0.4.1 - Mar 12, 2013 +-------------------- + + * ***NOTE*** : 0.5.0 will drop Hixie protocol support + * add include/ directory and remove some dev files from source + distribution. 
+ +0.4.0 - Mar 12, 2013 +-------------------- + + * ***NOTE*** : 0.5.0 will drop Hixie protocol support + * use Buffer base64 support in Node.js implementation + +0.3.0 - Jan 15, 2013 +-------------------- + + * refactor into modules: websocket, websocketproxy + * switch to web-socket-js that uses IETF 6455 + * change to MPL 2.0 license for include/*.js + * fix session recording + +0.2.1 - Oct 15, 2012 +-------------------- + + * re-released with updated version number + +0.2.0 - Sep 17, 2012 +-------------------- + + * Binary data support in websock.js + * Target config file/dir and multiple targets with token selector + * IPv6 fixes + * SSL target support + * Proxy to/from unix socket + + +0.1.0 - May 11, 2012 +-------------------- + + * Initial versioned release. + diff --git a/base/app/novnc/utils/websockify/COPYING b/base/app/novnc/utils/websockify/COPYING new file mode 100644 index 0000000..65c5ca8 --- /dev/null +++ b/base/app/novnc/utils/websockify/COPYING 
@@ -0,0 +1,165 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. 
+ + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. 
+ + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. 
+ + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. 
diff --git a/base/app/novnc/utils/websockify/MANIFEST.in b/base/app/novnc/utils/websockify/MANIFEST.in
new file mode 100644
index 0000000..e6139bc
--- /dev/null
+++ b/base/app/novnc/utils/websockify/MANIFEST.in
@@ -0,0 +1 @@
+include CHANGES.txt README.md COPYING
diff --git a/base/app/novnc/utils/websockify/Makefile b/base/app/novnc/utils/websockify/Makefile
new file mode 100644
index 0000000..7dc1bc4
--- /dev/null
+++ b/base/app/novnc/utils/websockify/Makefile
@@ -0,0 +1,11 @@
+TARGETS=rebind.so
+CFLAGS += -fPIC
+
+all: $(TARGETS)
+
+rebind.so: rebind.o
+ $(CC) $(LDFLAGS) $^ -shared -fPIC -ldl -o $@
+
+clean:
+ rm -f rebind.o rebind.so
+
diff --git a/base/app/novnc/utils/websockify/README.md b/base/app/novnc/utils/websockify/README.md
new file mode 100644
index 0000000..c5d14cc
--- /dev/null
+++ b/base/app/novnc/utils/websockify/README.md
@@ -0,0 +1,208 @@ +## websockify: WebSockets support for any application/server + +websockify was formerly named wsproxy and was part of the +[noVNC](https://github.com/novnc/noVNC) project. + +At the most basic level, websockify just translates WebSockets traffic +to normal socket traffic. Websockify accepts the WebSockets handshake, +parses it, and then begins forwarding traffic between the client and +the target in both directions. + +### News/help/contact + +Notable commits, announcements and news are posted to +@noVNC + +If you are a websockify developer/integrator/user (or want to be) +please join the noVNC/websockify +discussion group + +Bugs and feature requests can be submitted via [github +issues](https://github.com/novnc/websockify/issues). + +If you want to show appreciation for websockify you could donate to a great +non-profits such as: [Compassion +International](http://www.compassion.com/), [SIL](http://www.sil.org), +[Habitat for Humanity](http://www.habitat.org), [Electronic Frontier +Foundation](https://www.eff.org/), [Against Malaria +Foundation](http://www.againstmalaria.com/), [Nothing But +Nets](http://www.nothingbutnets.net/), etc. Please tweet @noVNC if you do. + +### WebSockets binary data + +Starting with websockify 0.5.0, only the HyBi / IETF +6455 WebSocket protocol is supported. There is no support for the older +Base64 encoded data format. + + +### Encrypted WebSocket connections (wss://) + +To encrypt the traffic using the WebSocket 'wss://' URI scheme you need to +generate a certificate and key for Websockify to load. By default, Websockify +loads a certificate file name `self.pem` but the `--cert=CERT` and `--key=KEY` +options can override the file name. You can generate a self-signed certificate +using openssl. 
When asked for the common name, use the hostname of the server +where the proxy will be running: + +``` +openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem +``` + +For a self-signed certificate to work, you need to make your client/browser +understand it. You can do this by installing it as accepted certificate, or by +using that same certificate for a HTTPS connection to which you navigate first +and approve. Browsers generally don't give you the "trust certificate?" prompt +by opening a WSS socket with invalid certificate, hence you need to have it +accept it by either of those two methods. + +The ports may be considered as distinguishing connections by the browser, +for example, if your website url is https://my.local:8443 and your WebSocket +url is wss://my.local:8001, first browse to https://my.local:8001, add the +exception, then browse to https://my.local:8443 and add another exception. +Then an html page served over :8443 will be able to open WSS to :8001 + +If you have a commercial/valid SSL certificate with one or more intermediate +certificates, concat them into one file, server certificate first, then the +intermediate(s) from the CA, etc. Point to this file with the `--cert` option +and then also to the key with `--key`. Finally, use `--ssl-only` as needed. + + +### Additional websockify features + +These are not necessary for the basic operation. + +* Daemonizing: When the `-D` option is specified, websockify runs + in the background as a daemon process. + +* SSL (the wss:// WebSockets URI): This is detected automatically by + websockify by sniffing the first byte sent from the client and then + wrapping the socket if the data starts with '\x16' or '\x80' + (indicating SSL). + +* Session recording: This feature that allows recording of the traffic + sent and received from the client to a file using the `--record` + option. 
+ +* Mini-webserver: websockify can detect and respond to normal web + requests on the same port as the WebSockets proxy. This functionality + is activated with the `--web DIR` option where DIR is the root of the + web directory to serve. + +* Wrap a program: see the "Wrap a Program" section below. + +* Log files: websockify can save all logging information in a file. + This functionality is activated with the `--log-file FILE` option + where FILE is the file where the logs should be saved. + +* Authentication plugins: websockify can demand authentication for + websocket connections and, if you use `--web-auth`, also for normal + web requests. This functionality is activated with the + `--auth-plugin CLASS` and `--auth-source ARG` options, where CLASS is + usually one from auth_plugins.py and ARG is the plugin's configuration. + +* Token plugins: a single instance of websockify can connect clients to + multiple different pre-configured targets, depending on the token sent + by the client using the `token` URL parameter, or the hostname used to + reach websockify, if you use `--host-token`. This functionality is + activated with the `--token-plugin CLASS` and `--token-source ARG` + options, where CLASS is usually one from token_plugins.py and ARG is + the plugin's configuration. + +### Other implementations of websockify + +The primary implementation of websockify is in python. There are +several alternate implementations in other languages available in +our sister repositories [websockify-js](https://github.com/novnc/websockify-js) +(JavaScript/Node.js) and [websockify-other](https://github.com/novnc/websockify-other) + (C, Clojure, Ruby). + +In addition there are several other external projects that implement +the websockify "protocol". See the alternate implementation [Feature +Matrix](https://github.com/novnc/websockify/wiki/Feature_Matrix) for +more information. 
+ + +### Wrap a Program + +In addition to proxying from a source address to a target address +(which may be on a different system), websockify has the ability to +launch a program on the local system and proxy WebSockets traffic to +a normal TCP port owned/bound by the program. + +This is accomplished by the LD_PRELOAD library (`rebind.so`) +which intercepts bind() system calls by the program. The specified +port is moved to a new localhost/loopback free high port. websockify +then proxies WebSockets traffic directed to the original port to the +new (moved) port of the program. + +The program wrap mode is invoked by replacing the target with `--` +followed by the program command line to wrap. + + `./run 2023 -- PROGRAM ARGS` + +The `--wrap-mode` option can be used to indicate what action to take +when the wrapped program exits or daemonizes. + +Here is an example of using websockify to wrap the vncserver command +(which backgrounds itself) for use with +[noVNC](https://github.com/novnc/noVNC): + + `./run 5901 --wrap-mode=ignore -- vncserver -geometry 1024x768 :1` + +Here is an example of wrapping telnetd (from krb5-telnetd). telnetd +exits after the connection closes so the wrap mode is set to respawn +the command: + + `sudo ./run 2023 --wrap-mode=respawn -- telnetd -debug 2023` + +The `wstelnet.html` page in the [websockify-js](https://github.com/novnc/websockify-js) +project demonstrates a simple WebSockets based telnet client (use +'localhost' and '2023' for the host and port respectively). + + +### Installing websockify + +Download one of the releases or the latest development version, extract +it and run `python3 setup.py install` as root in the directory where you +extracted the files. Normally, this will also install numpy for better +performance, if you don't have it installed already. However, numpy is +optional. 
If you don't want to install numpy or if you can't compile it, +you can edit setup.py and remove the `install_requires=['numpy'],` line +before running `python3 setup.py install`. + +Afterwards, websockify should be available in your path. Run +`websockify --help` to confirm it's installed correctly. + + +### Running with Docker/Podman +You can also run websockify using Docker, Podman, Singularity, udocker or +your favourite container runtime that support OCI container images. + +The entrypoint of the image is the `run` command. + +To build the image: +``` +./docker/build.sh +``` + +Once built you can just launch it with the same +arguments you would give to the `run` command and taking care of +assigning the port mappings: +``` +docker run -it --rm -p : novnc/websockify +``` + +For example to forward traffic from local port 7000 to 10.1.1.1:5902 +you can use: +``` +docker run -it --rm -p 7000:80 novnc/websockify 80 10.1.1.1:5902 +``` + +If you need to include files, like for example for the `--web` or `--cert` +options you can just mount the required files in the `/data` volume and then +you can reference them in the usual way: +``` +docker run -it --rm -p 443:443 -v websockify-data:/data novnc/websockify --cert /data/self.pem --web /data/noVNC :443 --token-plugin TokenRedis --token-source myredis.local:6379 --ssl-only --ssl-version tlsv1_2 +``` diff --git a/base/app/novnc/utils/websockify/Windows/Windows Service Readme.md b/base/app/novnc/utils/websockify/Windows/Windows Service Readme.md new file mode 100644 index 0000000..069692e --- /dev/null +++ b/base/app/novnc/utils/websockify/Windows/Windows Service Readme.md 
@@ -0,0 +1,61 @@ +Running Websockify as a Windows service +======================================= + +Installation and configuration +------------------------------ + +Download the following software: + + * Python, from https://www.python.org/downloads/windows/ + * SrvAny, from http://simpleauto.byethost8.com/Zip/SrvAny.zip + +Note that there is [a modern alternative for SrvAny](https://github.com/rwmjones/rhsrvany), +but that project does not provide binaries. + +Install Python for all users, not just the current one. Extract Websockify +into a directory, e.g. `C:\Program Files\websockify`, so that e.g. +`README.md` ends up there. Extract the `SrvAny.zip` archive, copy the +`WIN7\SrvAny.exe` file into `C:\Program Files\websockify`. + +Then create a batch file, `C:\Program Files\websockify\run.bat`, that runs +Websockify from its directory with the correct options under the correct +Python interpreter: + +``` +C: +cd "\Program Files\websockify" +"C:\Program Files\Python39\python.exe" -m websockify 5901 127.0.0.1:5900 +``` + +Run it by hand once so that Windows asks you about a firewall exception. +After confirming the exception, press `Ctrl+C` to terminate the script. + +Then create a Windows service for Websockify (use an Administrator command +prompt for that). For paths with spaces, like in this example, double-escaping +is needed: once for `cmd.exe` and once for `SrvAny.exe`. + +``` +C: +cd "\Program Files\websockify" +SrvAny.exe -install Websockify 10s \\\"C:\Program Files\websockify\run.bat\\\" +``` + +In the Windows Control Panel, under Services, a new "Websockify" service will +appear. In its properties dialog, you can change the startup type, e.g. make +it start automatically at boot. Or, you can start the service manually. + +Uninstallation +-------------- + +If you want to remove the service, first set its startup type to Manual, then +reboot the PC. 
Then run this command using the Administrator command prompt:
+
+```
+C:
+cd "\Program Files\websockify"
+SrvAny.exe -remove Websockify
+```
+
+After that, you will be able to remove the `C:\Program Files\websockify`
+directory completely.
+
diff --git a/base/app/novnc/utils/websockify/docker/Dockerfile b/base/app/novnc/utils/websockify/docker/Dockerfile
new file mode 100644
index 0000000..1ae078b
--- /dev/null
+++ b/base/app/novnc/utils/websockify/docker/Dockerfile
@@ -0,0 +1,16 @@
+FROM python
+
+COPY websockify-*.tar.gz /
+
+RUN python3 -m pip install websockify-*.tar.gz
+RUN rm -rf /websockify-* /root/.cache
+
+VOLUME /data
+
+EXPOSE 80
+EXPOSE 443
+
+WORKDIR /opt/websockify
+
+ENTRYPOINT ["/usr/local/bin/websockify"]
+CMD ["--help"]
diff --git a/base/app/novnc/utils/websockify/docker/build.sh b/base/app/novnc/utils/websockify/docker/build.sh
new file mode 100755
index 0000000..1f85626
--- /dev/null
+++ b/base/app/novnc/utils/websockify/docker/build.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+set -e -x
+cd "$(dirname "$0")"
+(cd .. && python3 setup.py sdist --dist-dir docker/)
+docker build -t novnc/websockify .
diff --git a/base/app/novnc/utils/websockify/docs/latency_results.txt b/base/app/novnc/utils/websockify/docs/latency_results.txt
new file mode 100644
index 0000000..454a590
--- /dev/null
+++ b/base/app/novnc/utils/websockify/docs/latency_results.txt
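Review bot: `FROM python` on the first line of the Dockerfile resolves to the floating latest tag, so two builds of this same commit can get different interpreter and base-library versions, which undoes the reproducibility that building the sdist locally in build.sh otherwise provides; a pinned tag such as `FROM python:3.12-slim` (or a digest pin) is the usual fix, and the major version should match one the vendored test matrix actually exercises. There is also no `USER` instruction, so unless the base image sets one the websockify entrypoint runs as root inside the container; the README's examples bind container ports 80 and 443, which is the one thing that needs root here, so dropping to a non-root user after the pip install would require either a high container port or granting only CAP_NET_BIND_SERVICE. Both points are in the vendored upstream Dockerfile rather than anything this commit authored, so they may belong upstream rather than as a local patch, but they are worth recording for whoever builds this image.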
@@ -0,0 +1,114 @@ +This data is raw copy from the latency tester set to send a frame with +a little over 2000 KB of data every 10ms. + +The number of packets sent and received is just a visual counter and +is just the total when I chose to stop the test (around 3000 or so +packets). + +The latency measure are from the point the packet was sent to when it +was received back again in milliseconds. One notable data point +missing from this is how long it actually took for the client to send +3000 packets because sending large packets can put load on the browser +and it may be a lot longer than 10ms before the timer event to +send the next packet fires. So even with low latency numbers, the +actual send rate may be fairly low because sending the WebSockets +frames is impacting the performance of the browser in general. + + +------------------------------------------------------------ + +Native WebSockets implementations, 2000 byte payload, 10ms delay + +Chrome 8.0.552 - native WebSockets + Packets sent: 2998 + Packets Received: 2998 + Average Latency: 1.84 + 40 Frame Running Average Latency: 1.90 + Minimum Latency: 1.00 + Maximum Latency: 10.00 + +firefox 4.0b9 - WebSockets enabled + Packets sent: 3011 + Packets Received: 3011 + Average Latency: 6.45 + 40 Frame Running Average Latency: 6.08 + Minimum Latency: 5.00 + Maximum Latency: 119.00 + +Opera 11 - WebSockets enabled + Packets sent: 3065 + Packets Received: 3064 + Average Latency: 9.56 + 40 Frame Running Average Latency: 8.15 + Minimum Latency: 4.00 + Maximum Latency: 53.00 + +------------------------------------------------------------ + +New web-socket-js (20f837425d4), 2000 byte payload, 10ms delay + +firefox 4.0b9 - no WebSockets + Packets sent: 3088 + Packets Received: 3087 + Average Latency: 16.71 + 40 Frame Running Average Latency: 16.80 + Minimum Latency: 7.00 + Maximum Latency: 75.00 + + - First 1000 sent in 13 seconds + - Second 1000 sent in 12 seconds + - Third 1000 sent in 12 seconds + +firefox 3.6.10 
- no WebSockets + Packets sent: 3100 + Packets Received: 3099 + Average Latency: 17.32 + 40 Frame Running Average Latency: 16.73 + Minimum Latency: 6.00 + Maximum Latency: 72.00 + +Opera 11 - no WebSockets + Packets sent: 3007 + Packets Received: 3007 + Average Latency: 465.91 + 40 Frame Running Average Latency: 147.95 + Minimum Latency: 12.00 + Maximum Latency: 9143.00 + + - average starts at around 28ms + - time for each 500 packets: 13s, 16s, 25s, 37s, 50s, 72s + - also start seeing sent, receive lags around 1200 packets + +--------------------------------------------------------------- + +Old web-socket-js (9e7663771), 2000 byte payload, 10ms delay + +firefox 4.0b9 - no WebSockets + Packets sent: 3024 + Packets Received: 3020 + Average Latency: 80.59 + 40 Frame Running Average Latency: 60.15 + Minimum Latency: 10.00 + Maximm Latency: 348.00 + + +firefox 3.6.10 - no WebSockets + Packets sent: 2777 + Packets Received: 2775 + Average Latency: 34.89 + 40 Frame Running Average Latency: 24.50 + Minimum Latency: 10.00 + Maximum Latency: 208.00 + + +Opera 11 - no Websockets + Packets sent: 3012 + Packets Received: 3011 + Average Latency: 380.87 + 40 Frame Running Average Latency: 341.90 + Minimum Latency: 28.00 + Maximum Latency: 2175.00 + + - average starts at around 290ms + - time for each 1000 packets: 23s, 38s, 65s + diff --git a/base/app/novnc/utils/websockify/docs/notes b/base/app/novnc/utils/websockify/docs/notes new file mode 100644 index 0000000..edb6b1d --- /dev/null +++ b/base/app/novnc/utils/websockify/docs/notes @@ -0,0 +1,6 @@ +Building release tarball: + - not really necessary since tagged revision can be downloaded + from github as tarballs + + git archive --format=tar --prefix=websockify-${WVER}/ v${WVER} > websockify-${WVER}.tar + gzip websockify-${WVER}.tar diff --git a/base/app/novnc/utils/websockify/docs/release.txt b/base/app/novnc/utils/websockify/docs/release.txt new file mode 100644 index 0000000..813af02 --- /dev/null 
+++ b/base/app/novnc/utils/websockify/docs/release.txt @@ -0,0 +1,10 @@ +- Update setup.py and CHANGES.txt and commit +- Create version tag and tarball from tag + WVER=0.1.0 + git tag v${WVER} + git push origin master + git push origin v${WVER} +- Create the source distribution + python3 setup.py sdist +- Upload the source distribution + python3 -m twine upload dist/websockify-${WVER}.tar.gz diff --git a/base/app/novnc/utils/websockify/docs/websockify.1 b/base/app/novnc/utils/websockify/docs/websockify.1 new file mode 100644 index 0000000..f2aa988 --- /dev/null +++ b/base/app/novnc/utils/websockify/docs/websockify.1 
@@ -0,0 +1,110 @@ +.TH websockify 1 "June 7, 2012" "version 0.3" "USER COMMANDS" + +.SH NAME + +websockify - WebSockets to TCP socket bridge + +.SH SYNOPSIS + + websockify [options] [source_addr:]source_port target_addr:target_port + websockify [options] [source_addr:]source_port \-\- WRAP_COMMAND_LINE + +.SH OPTIONS + + -h, --help show this help message and exit + -v, --verbose verbose messages and per frame traffic + --record=FILE record sessions to FILE.[session_number] + -D, --daemon become a daemon (background process) + --run-once handle a single WebSocket connection and exit + --timeout=TIMEOUT after TIMEOUT seconds exit when not connected + --cert=CERT SSL certificate file + --key=KEY SSL key file (if separate from cert) + --ssl-only disallow non-encrypted connections + --web=DIR run webserver on same port. Serve files from DIR. + --wrap-mode=MODE action to take when the wrapped program exits or + daemonizes: exit (default), ignore, respawn + +.SH DESCRIPTION + +At the most basic level, websockify just translates WebSockets traffic to normal TCP socket traffic. Websockify accepts the WebSockets handshake, parses it, and then begins forwarding traffic between the client and the target in both directions. + +websockify was formerly named wsproxy and was part of the noVNC project. + +.SH NOTES + +.SS WebSockets binary data + +Websockify supports all versions of the WebSockets protocol (Hixie and HyBI). The older Hixie versions of the protocol only support UTF-8 text payloads. In order to transport binary data over UTF-8 an encoding must used to encapsulate the data within UTF-8. Websockify uses base64 to encode all traffic to and from the client. This does not affect the data between websockify and the server. + +.SS Encrypted WebSocket connections (wss://) + +To encrypt the traffic using the WebSocket 'wss://' URI scheme you need to generate a certificate for websockify to load. 
By default websockify loads a certificate file name self.pem but the --cert=CERT option can override the file name. You can generate a self-signed certificate using openssl. When asked for the common name, use the hostname of the server where the proxy will be running: + +openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem + +.SS Additional websockify features + +These are not necessary for the basic operation. + +.IP * +Daemonizing: When the -D option is specified, websockify runs in the background as a daemon process. + +.IP * +SSL (the wss:// WebSockets URI): This is detected automatically by websockify by sniffing the first byte sent from the client and then wrapping the socket if the data starts with '\\x16' or '\\x80' (indicating SSL). + +.IP * +Session recording: This feature that allows recording of the traffic sent and received from the client to a file using the --record option. + +.IP * +Mini-webserver: websockify can detect and respond to normal web requests on the same port as the WebSockets proxy. This functionality is activate with the --web DIR option where DIR is the root of the web directory to serve. + +.IP * +Wrap a program: see the "Wrap a Program" section below. + +.SS Wrap a Program + +In addition to proxying from a source address to a target address (which may be on a different system), websockify has the ability to launch a program on the local system and proxy WebSockets traffic to a normal TCP port owned/bound by the program. + +The is accomplished with a small LD_PRELOAD library (rebind.so) which intercepts bind() system calls by the program. The specified port is moved to a new localhost/loopback free high port. websockify then proxies WebSockets traffic directed to the original port to the new (moved) port of the program. + +The program wrap mode is invoked by replacing the target with -- followed by the program command line to wrap. 
+ +`./websockify 2023 -- PROGRAM ARGS` + +The --wrap-mode option can be used to indicate what action to take when the wrapped program exits or daemonizes. + +Here is an example of using websockify to wrap the vncserver command (which backgrounds itself) for use with noVNC: + +`./websockify 5901 --wrap-mode=ignore -- vncserver -geometry 1024x768 :1` + +Here is an example of wrapping telnetd (from krb5-telnetd). telnetd exits after the connection closes so the wrap mode is set to respawn the command: + +`sudo ./websockify 2023 --wrap-mode=respawn -- telnetd -debug 2023` + +The wstelnet.html page demonstrates a simple WebSockets based telnet client. + +.SS Use client certificate verification + +This feature requires Python 2.7.9 or newer or Python 3.4 or newer. + +The --verify-client option makes the server ask the client for a SSL certificate. Presenting a valid (not expired and trusted by any supplied certificate authority) certificate is required for the client connection. With -auth-plugin=ClientCertCNAuth, the client certificate can be checked against a list of authorised certificate users. Non-encrypted connection attempts always fail during authentication. + +Here is an example of a vncsevrer with password-less, certificate-driven authentication: + +`./websockify 5901 --cert=fullchain.pem --key=privkey.pem --ssl-only --verify-client --cafile=ca-certificates.crt --auth-plugin=ClientCertCNAuth --auth-source='jane@example.com Joe User9824510' --web=noVNC/ --wrap-mode=ignore -- vncserver :1 -geometry 1024x768 -SecurityTypes=None` + +The --auth-source option takes a white-space separated list of common names. Depending on your clients certificates they can be verified email addresses, user-names or any other string used for identification. + +The --cafile option selects a file containing concatenated certificates of authorities trusted for validating clients. If this option is omitted, system default list of CAs is used. 
Upon connect, the client should supply the whole certificate chain. If your clients are known not to send intermediate certificates, they can be appended to the ca-file as well.
+
+Note: Most browsers ask the user to select a certificate only while connecting via HTTPS, not WebSockets. Connecting directly to the SSL secured WebSocket may cause the browser to abort the connection. If you want to connect via noVNC, the --web option should point to a copy of noVNC, so it is loaded from the same host.
+
+.SH AUTHOR
+Joel Martin (github@martintribe.org)
+
+.SH SEE ALSO
+
+https://github.com/novnc/websockify/
+
+https://github.com/novnc/websockify/wiki/
+
diff --git a/base/app/novnc/utils/websockify/rebind b/base/app/novnc/utils/websockify/rebind
new file mode 100755
index 0000000..2289aaa
--- /dev/null
+++ b/base/app/novnc/utils/websockify/rebind
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+usage() {
+ echo "Usage: $(basename $0) OLD_PORT NEW_PORT COMMAND_LINE"
+ echo
+ echo "Launch COMMAND_LINE, but intercept system calls to bind"
+ echo "to OLD_PORT and instead bind them to localhost:NEW_PORT"
+ exit 2
+}
+
+# Parameter defaults
+mydir=$(readlink -f $(dirname ${0}))
+
+export REBIND_PORT_OLD="${1}"; shift
+export REBIND_PORT_NEW="${1}"; shift
+
+LD_PRELOAD=${mydir}/rebind.so "${@}"
+
diff --git a/base/app/novnc/utils/websockify/rebind.c b/base/app/novnc/utils/websockify/rebind.c
new file mode 100644
index 0000000..811031c
--- /dev/null
+++ b/base/app/novnc/utils/websockify/rebind.c
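Review bot: The script exports `REBIND_PORT_OLD` and `REBIND_PORT_NEW`, but rebind.c in the next hunk reads `getenv("REBIND_OLD_PORT")` and `getenv("REBIND_NEW_PORT")`, so a program launched through this wrapper never has its bind() redirected; only the header comment in rebind.c agrees with the script. Which spelling websockify's wrap mode sets is not on the page, so fix whichever side is wrong, e.g. `export REBIND_OLD_PORT="${1}"; shift` and `export REBIND_NEW_PORT="${1}"; shift` here. `usage` is defined but never called, so with fewer than two arguments the script exports empty values and runs an empty command line; a guard such as `[ "$#" -ge 3 ] || usage` before the exports would make it reachable. `$(dirname ${0})` and `$(basename $0)` are unquoted and break on install paths containing spaces.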
@@ -0,0 +1,94 @@
+/*
+ * rebind: Intercept bind calls and bind to a different port
+ * Copyright 2010 Joel Martin
+ * Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3)
+ *
+ * Overload (LD_PRELOAD) bind system call. If REBIND_PORT_OLD and
+ * REBIND_PORT_NEW environment variables are set then bind on the new
+ * port (of localhost) instead of the old port.
+ *
+ * This allows a bridge/proxy (such as websockify) to run on the old port and
+ * translate traffic to/from the new port.
+ *
+ * Usage:
+ * LD_PRELOAD=./rebind.so \
+ * REBIND_PORT_OLD=23 \
+ * REBIND_PORT_NEW=2023 \
+ * program
+ */
+
+//#define DO_DEBUG 1
+
+#include
+#include
+
+#define __USE_GNU 1 // Pull in RTLD_NEXT
+#include
+
+#include
+#include
+
+
+#if defined(DO_DEBUG)
+#define DEBUG(...) \
+ fprintf(stderr, "rebind: "); \
+ fprintf(stderr, __VA_ARGS__);
+#else
+#define DEBUG(...)
+#endif
+
+
+int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
+{
+ static void * (*func)();
+ int do_move = 0;
+ struct sockaddr_in * addr_in = (struct sockaddr_in *)addr;
+ struct sockaddr_in addr_tmp;
+ socklen_t addrlen_tmp;
+ char * PORT_OLD, * PORT_NEW, * end1, * end2;
+ int ret, oldport, newport, askport = htons(addr_in->sin_port);
+ uint32_t askaddr = htons(addr_in->sin_addr.s_addr);
+ if (!func) func = (void *(*)()) dlsym(RTLD_NEXT, "bind");
+
+ DEBUG(">> bind(%d, _, %d), askaddr %d, askport %d\n",
+ sockfd, addrlen, askaddr, askport);
+
+ /* Determine if we should move this socket */
+ if (addr_in->sin_family == AF_INET) {
+ // TODO: support IPv6
+ PORT_OLD = getenv("REBIND_OLD_PORT");
+ PORT_NEW = getenv("REBIND_NEW_PORT");
+ if (PORT_OLD && (*PORT_OLD != '\0') &&
+ PORT_NEW && (*PORT_NEW != '\0')) {
+ oldport = strtol(PORT_OLD, &end1, 10);
+ newport = strtol(PORT_NEW, &end2, 10);
+ if (oldport && (*end1 == '\0') &&
+ newport && (*end2 == '\0') &&
+ (oldport == askport)) {
+ do_move = 1;
+ }
+ }
+ }
+
+ if (!
do_move) {
+ /* Just pass everything right through to the real bind */
+ ret = (long) func(sockfd, addr, addrlen);
+ DEBUG("<< bind(%d, _, %d) ret %d\n", sockfd, addrlen, ret);
+ return ret;
+ }
+
+ DEBUG("binding fd %d on localhost:%d instead of 0x%x:%d\n",
+ sockfd, newport, ntohl(addr_in->sin_addr.s_addr), oldport);
+
+ /* Use a temporary location for the new address information */
+ addrlen_tmp = sizeof(addr_tmp);
+ memcpy(&addr_tmp, addr, addrlen_tmp);
+
+ /* Bind to other port on the loopback instead */
+ addr_tmp.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ addr_tmp.sin_port = htons(newport);
+ ret = (long) func(sockfd, &addr_tmp, addrlen_tmp);
+
+ DEBUG("<< bind(%d, _, %d) ret %d\n", sockfd, addrlen, ret);
+ return ret;
+}
diff --git a/base/app/novnc/utils/websockify/run b/base/app/novnc/utils/websockify/run
new file mode 100755
index 0000000..8032dd2
--- /dev/null
+++ b/base/app/novnc/utils/websockify/run
@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+set -e
+cd "$(dirname "$0")"
+exec python3 -m websockify "$@"
diff --git a/base/app/novnc/utils/websockify/setup.py b/base/app/novnc/utils/websockify/setup.py
new file mode 100644
index 0000000..51adeaf
--- /dev/null
+++ b/base/app/novnc/utils/websockify/setup.py
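Review bot: `askport` and `askaddr` are read from `addr_in->sin_port` and `addr_in->sin_addr` in the declarations, before the `sin_family == AF_INET` test and without checking `addrlen >= sizeof(struct sockaddr_in)`, so a bind() of an AF_UNIX or otherwise short sockaddr reads past the caller's buffer — and every bind in the process goes through this hook. Move those reads under the family test and add the length check, e.g. `if (addrlen >= sizeof(struct sockaddr_in) && addr_in->sin_family == AF_INET) {`, which also makes the later `memcpy(&addr_tmp, addr, addrlen_tmp)` with `addrlen_tmp = sizeof(addr_tmp)` safe. `askaddr` is computed with `htons()` on the 32-bit `s_addr`, which truncates it; the debug line in the move path correctly uses `ntohl()`. `strtol` accepts values above 65535 for `newport`, which `htons(newport)` then silently wraps; a `newport <= 65535` condition next to the `*end2 == '\0'` test would close that.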
@@ -0,0 +1,43 @@ +from setuptools import setup, find_packages + +version = '0.12.0' +name = 'websockify' +long_description = open("README.md").read() + "\n" + \ + open("CHANGES.txt").read() + "\n" + +setup(name=name, + version=version, + description="Websockify.", + long_description=long_description, + long_description_content_type="text/markdown", + classifiers=[ + "Programming Language :: Python", + "Programming Language :: Python :: 3", + "Programming Language :: Python :: 3 :: Only", + "Programming Language :: Python :: 3.4", + "Programming Language :: Python :: 3.5", + "Programming Language :: Python :: 3.6", + "Programming Language :: Python :: 3.7", + "Programming Language :: Python :: 3.8", + "Programming Language :: Python :: 3.9", + ], + keywords='noVNC websockify', + license='LGPLv3', + url="https://github.com/novnc/websockify", + author="Joel Martin", + author_email="github@martintribe.org", + + packages=['websockify'], + include_package_data=True, + install_requires=[ + 'numpy', 'requests', + 'jwcrypto', + 'redis', + ], + zip_safe=False, + entry_points={ + 'console_scripts': [ + 'websockify = websockify.websocketproxy:websockify_init', + ] + }, + ) diff --git a/base/app/novnc/utils/websockify/test-requirements.txt b/base/app/novnc/utils/websockify/test-requirements.txt new file mode 100644 index 0000000..4eeff97 --- /dev/null +++ b/base/app/novnc/utils/websockify/test-requirements.txt @@ -0,0 +1,5 @@ +mock +nose2 +six +redis +wrapt<=1.12.1;python_version<="3.4" diff --git a/base/app/novnc/utils/websockify/tests/echo.html b/base/app/novnc/utils/websockify/tests/echo.html new file mode 100644 index 0000000..0e300b5 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/echo.html @@ -0,0 +1,139 @@ + + + + WebSockets Echo Test + + + + + Host:   + Port:   + Encrypt:   +   + + +
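Review bot: `long_description` reads README.md and CHANGES.txt with bare `open(...).read()`, so the files are decoded with the locale encoding (a non-UTF-8 locale fails on any non-ASCII character in the README) and the handles are never closed; read them as `with open("README.md", encoding="utf-8") as f: readme = f.read()` and likewise for CHANGES.txt. `install_requires` lists `numpy`, `requests`, `jwcrypto` and `redis` with no version bounds, so the Docker build in this same patch installs whatever those packages publish on the day of the build; at least lower bounds here, plus a pinned lockfile for the image build, make the artefact reproducible. The classifiers still advertise 3.4 and 3.5; confirm the unpinned dependencies actually install there or drop those entries.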
+ Log:
+ + + + + + + diff --git a/base/app/novnc/utils/websockify/tests/echo.py b/base/app/novnc/utils/websockify/tests/echo.py new file mode 100755 index 0000000..780891c --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/echo.py 
@@ -0,0 +1,76 @@ +#!/usr/bin/env python + +''' +A WebSocket server that echos back whatever it receives from the client. +Copyright 2010 Joel Martin +Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) + +You can make a cert/key with openssl using: +openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem +as taken from http://docs.python.org/dev/library/ssl.html#certificates +''' + +import os, sys, select, optparse, logging +sys.path.insert(0,os.path.join(os.path.dirname(__file__), "..")) +from websockify.websockifyserver import WebSockifyServer, WebSockifyRequestHandler + +class WebSocketEcho(WebSockifyRequestHandler): + """ + WebSockets server that echos back whatever is received from the + client. """ + buffer_size = 8096 + + def new_websocket_client(self): + """ + Echo back whatever is received. + """ + + cqueue = [] + c_pend = 0 + cpartial = "" + rlist = [self.request] + + while True: + wlist = [] + + if cqueue or c_pend: wlist.append(self.request) + ins, outs, excepts = select.select(rlist, wlist, [], 1) + if excepts: raise Exception("Socket exception") + + if self.request in outs: + # Send queued target data to the client + c_pend = self.send_frames(cqueue) + cqueue = [] + + if self.request in ins: + # Receive client data, decode it, and send it back + frames, closed = self.recv_frames() + cqueue.extend(frames) + + if closed: + break + +if __name__ == '__main__': + parser = optparse.OptionParser(usage="%prog [options] listen_port") + parser.add_option("--verbose", "-v", action="store_true", + help="verbose messages and per frame traffic") + parser.add_option("--cert", default="self.pem", + help="SSL certificate file") + parser.add_option("--key", default=None, + help="SSL key file (if separate from cert)") + parser.add_option("--ssl-only", action="store_true", + help="disallow non-encrypted connections") + (opts, args) = parser.parse_args() + + try: + if len(args) != 1: raise ValueError + opts.listen_port = int(args[0]) + except 
ValueError: + parser.error("Invalid arguments") + + logging.basicConfig(level=logging.INFO) + + opts.web = "." + server = WebSockifyServer(WebSocketEcho, **opts.__dict__) + server.start_server() + diff --git a/base/app/novnc/utils/websockify/tests/echo_client.py b/base/app/novnc/utils/websockify/tests/echo_client.py new file mode 100755 index 0000000..4f238f6 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/echo_client.py 
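Review bot: In `new_websocket_client`, `select.select(rlist, wlist, [], 1)` passes an empty exceptional list, so `excepts` is always `[]` and the `raise Exception("Socket exception")` guarding it can never fire; pass `rlist` as the third argument if the check is wanted, otherwise drop it. `cpartial = ""` is assigned and never read. The `#!/usr/bin/env python` shebang may resolve to Python 2 on hosts that still ship it, while setup.py in this patch declares the package Python 3 only; `#!/usr/bin/env python3` matches the `run` script in the same patch.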
@@ -0,0 +1,69 @@ +#!/usr/bin/env python + +import os +import sys +import optparse +import select + +sys.path.insert(0,os.path.join(os.path.dirname(__file__), "..")) +from websockify.websocket import WebSocket, \ + WebSocketWantReadError, WebSocketWantWriteError + +parser = optparse.OptionParser(usage="%prog URL") +(opts, args) = parser.parse_args() + +if len(args) == 1: + URL = args[0] +else: + parser.error("Invalid arguments") + +sock = WebSocket() +print("Connecting to %s..." % URL) +sock.connect(URL) +print("Connected.") + +def send(msg): + while True: + try: + sock.sendmsg(msg) + break + except WebSocketWantReadError: + msg = '' + ins, outs, excepts = select.select([sock], [], []) + if excepts: raise Exception("Socket exception") + except WebSocketWantWriteError: + msg = '' + ins, outs, excepts = select.select([], [sock], []) + if excepts: raise Exception("Socket exception") + +def read(): + while True: + try: + return sock.recvmsg() + except WebSocketWantReadError: + ins, outs, excepts = select.select([sock], [], []) + if excepts: raise Exception("Socket exception") + except WebSocketWantWriteError: + ins, outs, excepts = select.select([], [sock], []) + if excepts: raise Exception("Socket exception") + +counter = 1 +while True: + msg = "Message #%d" % counter + counter += 1 + send(msg) + print("Sent message: %r" % msg) + + while True: + ins, outs, excepts = select.select([sock], [], [], 1.0) + if excepts: raise Exception("Socket exception") + + if ins == []: + break + + while True: + msg = read() + print("Received message: %r" % msg) + + if not sock.pending(): + break diff --git a/base/app/novnc/utils/websockify/tests/fixtures/private.pem b/base/app/novnc/utils/websockify/tests/fixtures/private.pem new file mode 100644 index 0000000..413cee2 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/fixtures/private.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArwNQal2INbSfoVT50dZ0s8lQ+yMhu45TDc91iuwtDjlFBJ50 +E4m3/M6ESBW0S7UTP1bIOGkd/M+u38h0Aruo4qkngdguu9N3BnsU2kOeicdjxc+v +tqRc7/kbkTdT4SrpG8EFP6T2U9U1gtBpLnau02gPrzjaQzyYDLGOBq+Ozt/mN0YJ +UhJ3hlwi18dNKreTzWgJ6mmXQWS0eAmHx8TIs2Nz9x3EfRo9CIMuaaeUjRogIEg5 +Tg4xC00ZtDO0/EfgpFkeHJGVQA2DgdBJsr6rq69MjhMfFxRJItxJMJzP6an2HkJ8 +onUPBtjEBmk3/fnfiaflzRyEb5zdii6r2TD8TwIDAQABAoIBAGDrzu742WQUoYqx +CqDAyWR/is9px1adHTW6vHexD8qewLAsKFBhpnjkzbE2A+EhaIVdRAipfifxxAC+ +fDC/SGouD2kDFe6Cz5nRM90kMXpP59s2hzL4l1d2d2PWZid+ohXysTtr2dbXbokB +bh6DL5J4QKdjLsypk/MDqYneU5IQ1k9ezWzcRgM8/V3M+t+1dLRFLIWsSLbNUgbF +px81efNw8E0voV/d7kZ+6RwUThPHqR0eyLm6djPwHE7/FarZIx4AImwV+9ex44CH +OkrTFOVYenF6jEtYoUuqYCouaWtG7jNVM/f1fksoR8SD6PTq2vn7F4wTLXG1b+K7 +45PKMhECgYEA22NH8mK9ICFVd7S6caeAnki+K9cpwmiOUWEIuDInmPn5FOlv7awE +uBFN86v14PqDBtF7Aagyib0NUPo7rIw5+V5SCBZv8gQatjZUkT0vZvpxPU5jmB++ +w58yfK7zgdAWCepLxIPyTA7CAT1dmiVmuosz2pJjbo4fecVG222IE10CgYEAzDg+ +RVlvMYGy04UMmUoUNeeRlW6km/W6dqQ7EtcxfDv4O7boRDTBSRBzfIsRdXHZhcHN +gCeB2Uiz8IO3s0Yt0+y/6cTI60uJ4S7Mb2JvWJvDCKWhS3pE1BL+LJJC4Hn7khJH +yHYFOLOfnuCbOs8VA7IMmbdTPHirIKWTT5j5H5sCgYEAygK/KweUUlOfWVyHGUQ9 +gIJG6iNzhlm0QmbxGnrET25N1t2kfNsadUsp1igPfhvuLocRltMDxiTYcCoabKWq +dF5PdrcCWX1CA2o/sIUAcvhE8UiPGHKSu5qJaJnIC05KHNMq9UbyAurL5UxWNiwe +TcMD+k01VYV0ojHvLvnKhNkCgYArkoh+xXE7D+A2zzl771lWkvz19DB88jYBoFLW +V0HArw7str7h5pui2ja5yPZFp6/woQQWptdGpAN4erIUNxIKGIZt+0WfJnPZruGB +lnAJaNp5GtXKQ+ExmofOvLo2KPCrHulf9QZyLakN/gBA0PQ74J5docbJrTld8tX2 +cr4cpwKBgHqr2zybmywAmjn8wY0bUjRAyhdN8eiwYaGPtOSFt6IcWxEnNbAo5Jc2 +KsywpagjFsXZsi4Obn2XsqR7VX5bNbpNXIyLaMwBOy7MixyecgPF8tu7I4zo/CWm +7gewTKBhwVPTDAOzHqIpJGrOnUgzJM3ijkCWMn3eAh4ccOjsrKq9 +-----END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/base/app/novnc/utils/websockify/tests/fixtures/public.pem b/base/app/novnc/utils/websockify/tests/fixtures/public.pem new file mode 100644 index 0000000..7b1d284 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/fixtures/public.pem 
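Review bot: private.pem commits an RSA private key, and nothing in the patch marks it as a disposable test fixture; the only visible consumer is tests/test_token_plugins.py, which signs JWTs with it to exercise JWTTokenApi against public.pem. Add a tests/fixtures/README (or a comment at the top of the test module) stating that this key pair exists only for unit tests and must never be deployed, and point any secret-scanner allowlist at this exact path rather than disabling the rule. If the key has ever been used outside the tests it should be treated as exposed and regenerated.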
@@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArwNQal2INbSfoVT50dZ0 +s8lQ+yMhu45TDc91iuwtDjlFBJ50E4m3/M6ESBW0S7UTP1bIOGkd/M+u38h0Aruo +4qkngdguu9N3BnsU2kOeicdjxc+vtqRc7/kbkTdT4SrpG8EFP6T2U9U1gtBpLnau +02gPrzjaQzyYDLGOBq+Ozt/mN0YJUhJ3hlwi18dNKreTzWgJ6mmXQWS0eAmHx8TI +s2Nz9x3EfRo9CIMuaaeUjRogIEg5Tg4xC00ZtDO0/EfgpFkeHJGVQA2DgdBJsr6r +q69MjhMfFxRJItxJMJzP6an2HkJ8onUPBtjEBmk3/fnfiaflzRyEb5zdii6r2TD8 +TwIDAQAB +-----END PUBLIC KEY----- diff --git a/base/app/novnc/utils/websockify/tests/fixtures/symmetric.key b/base/app/novnc/utils/websockify/tests/fixtures/symmetric.key new file mode 100644 index 0000000..668b39c --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/fixtures/symmetric.key @@ -0,0 +1 @@ +secret_sauce \ No newline at end of file diff --git a/base/app/novnc/utils/websockify/tests/latency.html b/base/app/novnc/utils/websockify/tests/latency.html new file mode 100644 index 0000000..9904a02 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/latency.html @@ -0,0 +1,261 @@ + + + + WebSockets Latency Test + + + + + Host:   + Port:   + Encrypt: +
+ Payload Size:   + Send Delay (ms):   +   + +

+ + + + + + + + + + + + + + + + + + + + +
Packets sent:
Packets Received:
Average Latency:
40 Frame Running Average Latency:
Minimum Latency:
Maximum Latency:
+ +
+ Messages:
+ + + + + + + diff --git a/base/app/novnc/utils/websockify/tests/latency.py b/base/app/novnc/utils/websockify/tests/latency.py new file mode 120000 index 0000000..3ae4d96 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/latency.py @@ -0,0 +1 @@ +echo.py \ No newline at end of file diff --git a/base/app/novnc/utils/websockify/tests/load.html b/base/app/novnc/utils/websockify/tests/load.html new file mode 100644 index 0000000..cb55041 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/load.html @@ -0,0 +1,223 @@ + + + + WebSockets Load Test + + + + + Host:   + Port:   + Encrypt:   + Send Delay (ms):   +   + +

+ + + + + + + + + + + +
Packets sent:
0
Good Packets Received:
0
Errors (Bad Packets Received:)
0
+ +
+ Errors:
+ + + + + + + diff --git a/base/app/novnc/utils/websockify/tests/load.py b/base/app/novnc/utils/websockify/tests/load.py new file mode 100755 index 0000000..710b593 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/load.py 
@@ -0,0 +1,168 @@ +#!/usr/bin/env python + +''' +WebSocket server-side load test program. Sends and receives traffic +that has a random payload (length and content) that is checksummed and +given a sequence number. Any errors are reported and counted. +''' + +import sys, os, select, random, time, optparse, logging +sys.path.insert(0,os.path.join(os.path.dirname(__file__), "..")) +from websockify.websockifyserver import WebSockifyServer, WebSockifyRequestHandler + +class WebSocketLoadServer(WebSockifyServer): + + recv_cnt = 0 + send_cnt = 0 + + def __init__(self, *args, **kwargs): + self.delay = kwargs.pop('delay') + + WebSockifyServer.__init__(self, *args, **kwargs) + + +class WebSocketLoad(WebSockifyRequestHandler): + + max_packet_size = 10000 + + def new_websocket_client(self): + print "Prepopulating random array" + self.rand_array = [] + for i in range(0, self.max_packet_size): + self.rand_array.append(random.randint(0, 9)) + + self.errors = 0 + self.send_cnt = 0 + self.recv_cnt = 0 + + self.responder(self.request) + + print "accumulated errors:", self.errors + self.errors = 0 + + def responder(self, client): + c_pend = 0 + cqueue = [] + cpartial = "" + socks = [client] + last_send = time.time() * 1000 + + while True: + ins, outs, excepts = select.select(socks, socks, socks, 1) + if excepts: raise Exception("Socket exception") + + if client in ins: + frames, closed = self.recv_frames() + + err = self.check(frames) + if err: + self.errors = self.errors + 1 + print err + + if closed: + break + + now = time.time() * 1000 + if client in outs: + if c_pend: + last_send = now + c_pend = self.send_frames() + elif now > (last_send + self.server.delay): + last_send = now + c_pend = self.send_frames([self.generate()]) + + def generate(self): + length = random.randint(10, self.max_packet_size) + numlist = self.rand_array[self.max_packet_size-length:] + # Error in length + #numlist.append(5) + chksum = sum(numlist) + # Error in checksum + #numlist[0] = 5 + nums = "".join( 
[str(n) for n in numlist] ) + data = "^%d:%d:%d:%s$" % (self.send_cnt, length, chksum, nums) + self.send_cnt += 1 + + return data + + + def check(self, frames): + + err = "" + for data in frames: + if data.count('$') > 1: + raise Exception("Multiple parts within single packet") + if len(data) == 0: + self.traffic("_") + continue + + if data[0] != "^": + err += "buf did not start with '^'\n" + continue + + try: + cnt, length, chksum, nums = data[1:-1].split(':') + cnt = int(cnt) + length = int(length) + chksum = int(chksum) + except ValueError: + print "\n" + repr(data) + "" + err += "Invalid data format\n" + continue + + if self.recv_cnt != cnt: + err += "Expected count %d but got %d\n" % (self.recv_cnt, cnt) + self.recv_cnt = cnt + 1 + continue + + self.recv_cnt += 1 + + if len(nums) != length: + err += "Expected length %d but got %d\n" % (length, len(nums)) + continue + + inv = nums.translate(None, "0123456789") + if inv: + err += "Invalid characters found: %s\n" % inv + continue + + real_chksum = 0 + for num in nums: + real_chksum += int(num) + + if real_chksum != chksum: + err += "Expected checksum %d but real chksum is %d\n" % (chksum, real_chksum) + return err + + +if __name__ == '__main__': + parser = optparse.OptionParser(usage="%prog [options] listen_port") + parser.add_option("--verbose", "-v", action="store_true", + help="verbose messages and per frame traffic") + parser.add_option("--cert", default="self.pem", + help="SSL certificate file") + parser.add_option("--key", default=None, + help="SSL key file (if separate from cert)") + parser.add_option("--ssl-only", action="store_true", + help="disallow non-encrypted connections") + (opts, args) = parser.parse_args() + + try: + if len(args) != 1: raise ValueError + opts.listen_port = int(args[0]) + + if len(args) not in [1,2]: raise ValueError + opts.listen_port = int(args[0]) + if len(args) == 2: + opts.delay = int(args[1]) + else: + opts.delay = 10 + except ValueError: + parser.error("Invalid arguments") 
+ + logging.basicConfig(level=logging.INFO) + + opts.web = "." + server = WebSocketLoadServer(WebSocketLoad, **opts.__dict__) + server.start_server() + diff --git a/base/app/novnc/utils/websockify/tests/plain_echo.html b/base/app/novnc/utils/websockify/tests/plain_echo.html new file mode 100644 index 0000000..be35e54 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/plain_echo.html @@ -0,0 +1,145 @@ + + + + WebSockets Echo Test + + + + + Host:   + Port:   + Encrypt:   +   + + +
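Review bot: load.py is Python 2 code — the `print "Prepopulating random array"`, `print "accumulated errors:", self.errors`, `print err` and `print "\n" + repr(data) + ""` statements are syntax errors on Python 3 and `nums.translate(None, "0123456789")` raises TypeError there — while setup.py in this same patch declares the package Python 3 only, so this load server cannot start. In the `__main__` block the first two statements inside the `try`, `if len(args) != 1: raise ValueError` and the `opts.listen_port = int(args[0])` after it, reject the two-argument form that the `if len(args) not in [1,2]` block immediately below is written to accept, so `delay` can never be supplied on the command line; delete those two lines. `responder` calls `self.send_frames()` with no argument when `c_pend` is set, whereas echo.py in this patch always passes a list; confirm against WebSockifyRequestHandler.send_frames, whose signature is not on the page. `cpartial` is assigned and never read.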
+ Log:
+ + + + + + + diff --git a/base/app/novnc/utils/websockify/tests/simple.html b/base/app/novnc/utils/websockify/tests/simple.html new file mode 100644 index 0000000..8f6a73f --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/simple.html @@ -0,0 +1,65 @@ + + + + Websock Simple Client + + + + WebSocket/websockify URI:   + +

+   +   +

+ Log:
+ + + + + + diff --git a/base/app/novnc/utils/websockify/tests/test_auth_plugins.py b/base/app/novnc/utils/websockify/tests/test_auth_plugins.py new file mode 100644 index 0000000..4b3bfb5 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/test_auth_plugins.py @@ -0,0 +1,28 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +""" Unit tests for Authentication plugins""" + +from websockify.auth_plugins import BasicHTTPAuth, AuthenticationError +import unittest + + +class BasicHTTPAuthTestCase(unittest.TestCase): + + def setUp(self): + self.plugin = BasicHTTPAuth('Aladdin:open sesame') + + def test_no_auth(self): + headers = {} + self.assertRaises(AuthenticationError, self.plugin.authenticate, headers, 'localhost', '1234') + + def test_invalid_password(self): + headers = {'Authorization': 'Basic QWxhZGRpbjpzZXNhbWUgc3RyZWV0'} + self.assertRaises(AuthenticationError, self.plugin.authenticate, headers, 'localhost', '1234') + + def test_valid_password(self): + headers = {'Authorization': 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=='} + self.plugin.authenticate(headers, 'localhost', '1234') + + def test_garbage_auth(self): + headers = {'Authorization': 'Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxx'} + self.assertRaises(AuthenticationError, self.plugin.authenticate, headers, 'localhost', '1234') diff --git a/base/app/novnc/utils/websockify/tests/test_token_plugins.py b/base/app/novnc/utils/websockify/tests/test_token_plugins.py new file mode 100644 index 0000000..f09ae8a --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/test_token_plugins.py 
@@ -0,0 +1,364 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +""" Unit tests for Token plugins""" + +import sys +import unittest +from unittest.mock import patch, mock_open, MagicMock +from jwcrypto import jwt, jwk + +from websockify.token_plugins import ReadOnlyTokenFile, JWTTokenApi, TokenRedis + +class ReadOnlyTokenFileTestCase(unittest.TestCase): + patch('os.path.isdir', MagicMock(return_value=False)) + def test_empty(self): + plugin = ReadOnlyTokenFile('configfile') + + config = "" + pyopen = mock_open(read_data=config) + + with patch("websockify.token_plugins.open", pyopen, create=True): + result = plugin.lookup('testhost') + + pyopen.assert_called_once_with('configfile') + self.assertIsNone(result) + + patch('os.path.isdir', MagicMock(return_value=False)) + def test_simple(self): + plugin = ReadOnlyTokenFile('configfile') + + config = "testhost: remote_host:remote_port" + pyopen = mock_open(read_data=config) + + with patch("websockify.token_plugins.open", pyopen, create=True): + result = plugin.lookup('testhost') + + pyopen.assert_called_once_with('configfile') + self.assertIsNotNone(result) + self.assertEqual(result[0], "remote_host") + self.assertEqual(result[1], "remote_port") + + patch('os.path.isdir', MagicMock(return_value=False)) + def test_tabs(self): + plugin = ReadOnlyTokenFile('configfile') + + config = "testhost:\tremote_host:remote_port" + pyopen = mock_open(read_data=config) + + with patch("websockify.token_plugins.open", pyopen, create=True): + result = plugin.lookup('testhost') + + pyopen.assert_called_once_with('configfile') + self.assertIsNotNone(result) + self.assertEqual(result[0], "remote_host") + self.assertEqual(result[1], "remote_port") + +class JWSTokenTestCase(unittest.TestCase): + def test_asymmetric_jws_token_plugin(self): + plugin = JWTTokenApi("./tests/fixtures/public.pem") + + key = jwk.JWK() + private_key = open("./tests/fixtures/private.pem", "rb").read() + key.import_from_pem(private_key) + jwt_token = jwt.JWT({"alg": 
"RS256"}, {'host': "remote_host", 'port': "remote_port"}) + jwt_token.make_signed_token(key) + + result = plugin.lookup(jwt_token.serialize()) + + self.assertIsNotNone(result) + self.assertEqual(result[0], "remote_host") + self.assertEqual(result[1], "remote_port") + + def test_asymmetric_jws_token_plugin_with_illigal_key_exception(self): + plugin = JWTTokenApi("wrong.pub") + + key = jwk.JWK() + private_key = open("./tests/fixtures/private.pem", "rb").read() + key.import_from_pem(private_key) + jwt_token = jwt.JWT({"alg": "RS256"}, {'host': "remote_host", 'port': "remote_port"}) + jwt_token.make_signed_token(key) + + result = plugin.lookup(jwt_token.serialize()) + + self.assertIsNone(result) + + @patch('time.time') + def test_jwt_valid_time(self, mock_time): + plugin = JWTTokenApi("./tests/fixtures/public.pem") + + key = jwk.JWK() + private_key = open("./tests/fixtures/private.pem", "rb").read() + key.import_from_pem(private_key) + jwt_token = jwt.JWT({"alg": "RS256"}, {'host': "remote_host", 'port': "remote_port", 'nbf': 100, 'exp': 200 }) + jwt_token.make_signed_token(key) + mock_time.return_value = 150 + + result = plugin.lookup(jwt_token.serialize()) + + self.assertIsNotNone(result) + self.assertEqual(result[0], "remote_host") + self.assertEqual(result[1], "remote_port") + + @patch('time.time') + def test_jwt_early_time(self, mock_time): + plugin = JWTTokenApi("./tests/fixtures/public.pem") + + key = jwk.JWK() + private_key = open("./tests/fixtures/private.pem", "rb").read() + key.import_from_pem(private_key) + jwt_token = jwt.JWT({"alg": "RS256"}, {'host': "remote_host", 'port': "remote_port", 'nbf': 100, 'exp': 200 }) + jwt_token.make_signed_token(key) + mock_time.return_value = 50 + + result = plugin.lookup(jwt_token.serialize()) + + self.assertIsNone(result) + + @patch('time.time') + def test_jwt_late_time(self, mock_time): + plugin = JWTTokenApi("./tests/fixtures/public.pem") + + key = jwk.JWK() + private_key = open("./tests/fixtures/private.pem", 
"rb").read() + key.import_from_pem(private_key) + jwt_token = jwt.JWT({"alg": "RS256"}, {'host': "remote_host", 'port': "remote_port", 'nbf': 100, 'exp': 200 }) + jwt_token.make_signed_token(key) + mock_time.return_value = 250 + + result = plugin.lookup(jwt_token.serialize()) + + self.assertIsNone(result) + + def test_symmetric_jws_token_plugin(self): + plugin = JWTTokenApi("./tests/fixtures/symmetric.key") + + secret = open("./tests/fixtures/symmetric.key").read() + key = jwk.JWK() + key.import_key(kty="oct",k=secret) + jwt_token = jwt.JWT({"alg": "HS256"}, {'host': "remote_host", 'port': "remote_port"}) + jwt_token.make_signed_token(key) + + result = plugin.lookup(jwt_token.serialize()) + + self.assertIsNotNone(result) + self.assertEqual(result[0], "remote_host") + self.assertEqual(result[1], "remote_port") + + def test_symmetric_jws_token_plugin_with_illigal_key_exception(self): + plugin = JWTTokenApi("wrong_sauce") + + secret = open("./tests/fixtures/symmetric.key").read() + key = jwk.JWK() + key.import_key(kty="oct",k=secret) + jwt_token = jwt.JWT({"alg": "HS256"}, {'host': "remote_host", 'port': "remote_port"}) + jwt_token.make_signed_token(key) + + result = plugin.lookup(jwt_token.serialize()) + + self.assertIsNone(result) + + def test_asymmetric_jwe_token_plugin(self): + plugin = JWTTokenApi("./tests/fixtures/private.pem") + + private_key = jwk.JWK() + public_key = jwk.JWK() + private_key_data = open("./tests/fixtures/private.pem", "rb").read() + public_key_data = open("./tests/fixtures/public.pem", "rb").read() + private_key.import_from_pem(private_key_data) + public_key.import_from_pem(public_key_data) + jwt_token = jwt.JWT({"alg": "RS256"}, {'host': "remote_host", 'port': "remote_port"}) + jwt_token.make_signed_token(private_key) + jwe_token = jwt.JWT(header={"alg": "RSA-OAEP", "enc": "A256CBC-HS512"}, + claims=jwt_token.serialize()) + jwe_token.make_encrypted_token(public_key) + + result = plugin.lookup(jwt_token.serialize()) + + 
self.assertIsNotNone(result) + self.assertEqual(result[0], "remote_host") + self.assertEqual(result[1], "remote_port") + +class TokenRedisTestCase(unittest.TestCase): + def setUp(self): + try: + import redis + except ImportError: + patcher = patch.dict(sys.modules, {'redis': MagicMock()}) + patcher.start() + self.addCleanup(patcher.stop) + + @patch('redis.Redis') + def test_empty(self, mock_redis): + plugin = TokenRedis('127.0.0.1:1234') + + instance = mock_redis.return_value + instance.get.return_value = None + + result = plugin.lookup('testhost') + + instance.get.assert_called_once_with('testhost') + self.assertIsNone(result) + + @patch('redis.Redis') + def test_simple(self, mock_redis): + plugin = TokenRedis('127.0.0.1:1234') + + instance = mock_redis.return_value + instance.get.return_value = b'{"host": "remote_host:remote_port"}' + + result = plugin.lookup('testhost') + + instance.get.assert_called_once_with('testhost') + self.assertIsNotNone(result) + self.assertEqual(result[0], 'remote_host') + self.assertEqual(result[1], 'remote_port') + + @patch('redis.Redis') + def test_json_token_with_spaces(self, mock_redis): + plugin = TokenRedis('127.0.0.1:1234') + + instance = mock_redis.return_value + instance.get.return_value = b' {"host": "remote_host:remote_port"} ' + + result = plugin.lookup('testhost') + + instance.get.assert_called_once_with('testhost') + self.assertIsNotNone(result) + self.assertEqual(result[0], 'remote_host') + self.assertEqual(result[1], 'remote_port') + + @patch('redis.Redis') + def test_text_token(self, mock_redis): + plugin = TokenRedis('127.0.0.1:1234') + + instance = mock_redis.return_value + instance.get.return_value = b'remote_host:remote_port' + + result = plugin.lookup('testhost') + + instance.get.assert_called_once_with('testhost') + self.assertIsNotNone(result) + self.assertEqual(result[0], 'remote_host') + self.assertEqual(result[1], 'remote_port') + + @patch('redis.Redis') + def test_text_token_with_spaces(self, mock_redis): + 
plugin = TokenRedis('127.0.0.1:1234') + + instance = mock_redis.return_value + instance.get.return_value = b' remote_host:remote_port ' + + result = plugin.lookup('testhost') + + instance.get.assert_called_once_with('testhost') + self.assertIsNotNone(result) + self.assertEqual(result[0], 'remote_host') + self.assertEqual(result[1], 'remote_port') + + @patch('redis.Redis') + def test_invalid_token(self, mock_redis): + plugin = TokenRedis('127.0.0.1:1234') + + instance = mock_redis.return_value + instance.get.return_value = b'{"host": "remote_host:remote_port" ' + + result = plugin.lookup('testhost') + + instance.get.assert_called_once_with('testhost') + self.assertIsNone(result) + + def test_src_only_host(self): + plugin = TokenRedis('127.0.0.1') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 6379) + self.assertEqual(plugin._db, 0) + self.assertEqual(plugin._password, None) + + def test_src_with_host_port(self): + plugin = TokenRedis('127.0.0.1:1234') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 1234) + self.assertEqual(plugin._db, 0) + self.assertEqual(plugin._password, None) + + def test_src_with_host_port_db(self): + plugin = TokenRedis('127.0.0.1:1234:2') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 1234) + self.assertEqual(plugin._db, 2) + self.assertEqual(plugin._password, None) + + def test_src_with_host_port_db_pass(self): + plugin = TokenRedis('127.0.0.1:1234:2:verysecret') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 1234) + self.assertEqual(plugin._db, 2) + self.assertEqual(plugin._password, 'verysecret') + + def test_src_with_host_empty_port_empty_db_pass(self): + plugin = TokenRedis('127.0.0.1:::verysecret') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 6379) + self.assertEqual(plugin._db, 0) + self.assertEqual(plugin._password, 'verysecret') + + def 
test_src_with_host_empty_port_empty_db_empty_pass(self): + plugin = TokenRedis('127.0.0.1:::') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 6379) + self.assertEqual(plugin._db, 0) + self.assertEqual(plugin._password, None) + + def test_src_with_host_empty_port_empty_db_no_pass(self): + plugin = TokenRedis('127.0.0.1::') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 6379) + self.assertEqual(plugin._db, 0) + self.assertEqual(plugin._password, None) + + def test_src_with_host_empty_port_no_db_no_pass(self): + plugin = TokenRedis('127.0.0.1:') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 6379) + self.assertEqual(plugin._db, 0) + self.assertEqual(plugin._password, None) + + def test_src_with_host_empty_port_db_no_pass(self): + plugin = TokenRedis('127.0.0.1::2') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 6379) + self.assertEqual(plugin._db, 2) + self.assertEqual(plugin._password, None) + + def test_src_with_host_port_empty_db_pass(self): + plugin = TokenRedis('127.0.0.1:1234::verysecret') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 1234) + self.assertEqual(plugin._db, 0) + self.assertEqual(plugin._password, 'verysecret') + + def test_src_with_host_empty_port_db_pass(self): + plugin = TokenRedis('127.0.0.1::2:verysecret') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 6379) + self.assertEqual(plugin._db, 2) + self.assertEqual(plugin._password, 'verysecret') + + def test_src_with_host_empty_port_db_empty_pass(self): + plugin = TokenRedis('127.0.0.1::2:') + + self.assertEqual(plugin._server, '127.0.0.1') + self.assertEqual(plugin._port, 6379) + self.assertEqual(plugin._db, 2) + self.assertEqual(plugin._password, None) 
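Review bot: The three `patch('os.path.isdir', MagicMock(return_value=False))` lines above test_empty, test_simple and test_tabs in ReadOnlyTokenFileTestCase are missing the `@` decorator prefix, so each is a bare expression that builds a patcher and discards it; os.path.isdir is never patched and the constructor sees the real filesystem. They should read `@patch('os.path.isdir', MagicMock(return_value=False))`. Separately, test_asymmetric_jwe_token_plugin constructs `jwe_token` but then calls `result = plugin.lookup(jwt_token.serialize())`, so the encrypted-token path is never exercised; it should be `result = plugin.lookup(jwe_token.serialize())`. The `open("./tests/fixtures/…").read()` calls throughout JWSTokenTestCase also leave the fixture files unclosed, which a `with open(...) as f:` block would avoid.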
diff --git a/base/app/novnc/utils/websockify/tests/test_websocket.py b/base/app/novnc/utils/websockify/tests/test_websocket.py new file mode 100644 index 0000000..8ee44f9 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/test_websocket.py 
@@ -0,0 +1,212 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright(c)2013 NTT corp. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" Unit tests for websocket """ +import unittest +from websockify import websocket + +class FakeSocket: + def __init__(self): + self.data = b'' + + def send(self, buf): + self.data += buf + return len(buf) + +class AcceptTestCase(unittest.TestCase): + def test_success(self): + ws = websocket.WebSocket() + sock = FakeSocket() + ws.accept(sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Version': '13', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) + self.assertEqual(sock.data[:13], b'HTTP/1.1 101 ') + self.assertTrue(b'\r\nUpgrade: websocket\r\n' in sock.data) + self.assertTrue(b'\r\nConnection: Upgrade\r\n' in sock.data) + self.assertTrue(b'\r\nSec-WebSocket-Accept: pczpYSQsvE1vBpTQYjFQPcuoj6M=\r\n' in sock.data) + + def test_bad_version(self): + ws = websocket.WebSocket() + sock = FakeSocket() + self.assertRaises(Exception, ws.accept, + sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) + self.assertRaises(Exception, ws.accept, + sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Version': '5', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) + self.assertRaises(Exception, ws.accept, + sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Version': '20', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) + + def test_bad_upgrade(self): + ws = websocket.WebSocket() + sock = 
FakeSocket() + self.assertRaises(Exception, ws.accept, + sock, {'Sec-WebSocket-Version': '13', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) + self.assertRaises(Exception, ws.accept, + sock, {'upgrade': 'websocket2', + 'Sec-WebSocket-Version': '13', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) + + def test_missing_key(self): + ws = websocket.WebSocket() + sock = FakeSocket() + self.assertRaises(Exception, ws.accept, + sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Version': '13'}) + + def test_protocol(self): + class ProtoSocket(websocket.WebSocket): + def select_subprotocol(self, protocol): + return 'gazonk' + + ws = ProtoSocket() + sock = FakeSocket() + ws.accept(sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Version': '13', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q==', + 'Sec-WebSocket-Protocol': 'foobar gazonk'}) + self.assertEqual(sock.data[:13], b'HTTP/1.1 101 ') + self.assertTrue(b'\r\nSec-WebSocket-Protocol: gazonk\r\n' in sock.data) + + def test_no_protocol(self): + ws = websocket.WebSocket() + sock = FakeSocket() + ws.accept(sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Version': '13', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) + self.assertEqual(sock.data[:13], b'HTTP/1.1 101 ') + self.assertFalse(b'\r\nSec-WebSocket-Protocol:' in sock.data) + + def test_missing_protocol(self): + ws = websocket.WebSocket() + sock = FakeSocket() + self.assertRaises(Exception, ws.accept, + sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Version': '13', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q==', + 'Sec-WebSocket-Protocol': 'foobar gazonk'}) + + def test_protocol(self): + class ProtoSocket(websocket.WebSocket): + def select_subprotocol(self, protocol): + return 'oddball' + + ws = ProtoSocket() + sock = FakeSocket() + self.assertRaises(Exception, ws.accept, + sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Version': '13', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q==', + 'Sec-WebSocket-Protocol': 'foobar gazonk'}) + +class 
PingPongTest(unittest.TestCase): + def setUp(self): + self.ws = websocket.WebSocket() + self.sock = FakeSocket() + self.ws.accept(self.sock, {'upgrade': 'websocket', + 'Sec-WebSocket-Version': '13', + 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) + self.assertEqual(self.sock.data[:13], b'HTTP/1.1 101 ') + self.sock.data = b'' + + def test_ping(self): + self.ws.ping() + self.assertEqual(self.sock.data, b'\x89\x00') + + def test_pong(self): + self.ws.pong() + self.assertEqual(self.sock.data, b'\x8a\x00') + + def test_ping_data(self): + self.ws.ping(b'foo') + self.assertEqual(self.sock.data, b'\x89\x03foo') + + def test_pong_data(self): + self.ws.pong(b'foo') + self.assertEqual(self.sock.data, b'\x8a\x03foo') + +class HyBiEncodeDecodeTestCase(unittest.TestCase): + def test_decode_hybi_text(self): + buf = b'\x81\x85\x37\xfa\x21\x3d\x7f\x9f\x4d\x51\x58' + ws = websocket.WebSocket() + res = ws._decode_hybi(buf) + + self.assertEqual(res['fin'], 1) + self.assertEqual(res['opcode'], 0x1) + self.assertEqual(res['masked'], True) + self.assertEqual(res['length'], len(buf)) + self.assertEqual(res['payload'], b'Hello') + + def test_decode_hybi_binary(self): + buf = b'\x82\x04\x01\x02\x03\x04' + ws = websocket.WebSocket() + res = ws._decode_hybi(buf) + + self.assertEqual(res['fin'], 1) + self.assertEqual(res['opcode'], 0x2) + self.assertEqual(res['length'], len(buf)) + self.assertEqual(res['payload'], b'\x01\x02\x03\x04') + + def test_decode_hybi_extended_16bit_binary(self): + data = (b'\x01\x02\x03\x04' * 65) # len > 126 -- len == 260 + buf = b'\x82\x7e\x01\x04' + data + ws = websocket.WebSocket() + res = ws._decode_hybi(buf) + + self.assertEqual(res['fin'], 1) + self.assertEqual(res['opcode'], 0x2) + self.assertEqual(res['length'], len(buf)) + self.assertEqual(res['payload'], data) + + def test_decode_hybi_extended_64bit_binary(self): + data = (b'\x01\x02\x03\x04' * 65) # len > 126 -- len == 260 + buf = b'\x82\x7f\x00\x00\x00\x00\x00\x00\x01\x04' + data + ws = 
websocket.WebSocket() + res = ws._decode_hybi(buf) + + self.assertEqual(res['fin'], 1) + self.assertEqual(res['opcode'], 0x2) + self.assertEqual(res['length'], len(buf)) + self.assertEqual(res['payload'], data) + + def test_decode_hybi_multi(self): + buf1 = b'\x01\x03\x48\x65\x6c' + buf2 = b'\x80\x02\x6c\x6f' + + ws = websocket.WebSocket() + + res1 = ws._decode_hybi(buf1) + self.assertEqual(res1['fin'], 0) + self.assertEqual(res1['opcode'], 0x1) + self.assertEqual(res1['length'], len(buf1)) + self.assertEqual(res1['payload'], b'Hel') + + res2 = ws._decode_hybi(buf2) + self.assertEqual(res2['fin'], 1) + self.assertEqual(res2['opcode'], 0x0) + self.assertEqual(res2['length'], len(buf2)) + self.assertEqual(res2['payload'], b'lo') + + def test_encode_hybi_basic(self): + ws = websocket.WebSocket() + res = ws._encode_hybi(0x1, b'Hello') + expected = b'\x81\x05\x48\x65\x6c\x6c\x6f' + + self.assertEqual(res, expected) diff --git a/base/app/novnc/utils/websockify/tests/test_websocketproxy.py b/base/app/novnc/utils/websockify/tests/test_websocketproxy.py new file mode 100644 index 0000000..a05e3b1 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/test_websocketproxy.py 
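Review bot: `test_protocol` is defined twice in AcceptTestCase (first returning 'gazonk' and asserting a successful handshake, later returning 'oddball' and asserting an exception); the second definition replaces the first in the class namespace, so the success-path subprotocol negotiation is never tested. Rename the later one, e.g. `def test_unoffered_protocol(self):`. The `assertRaises(Exception, …)` calls in this class would also pass on an unrelated error such as a TypeError from a wrong call signature; if websocket.WebSocket raises a specific exception type on a bad handshake, asserting that type would make these tests meaningful, though the type cannot be confirmed from this hunk.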
@@ -0,0 +1,131 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright(c) 2015 Red Hat, Inc All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" Unit tests for websocketproxy """ + +import sys +import unittest +import unittest +import socket +from io import StringIO +from io import BytesIO +from unittest.mock import patch, MagicMock + +from websockify import websocketproxy +from websockify import token_plugins +from websockify import auth_plugins + + +class FakeSocket(object): + def __init__(self, data=b''): + self._data = data + + def recv(self, amt, flags=None): + res = self._data[0:amt] + if not (flags & socket.MSG_PEEK): + self._data = self._data[amt:] + + return res + + def makefile(self, mode='r', buffsize=None): + if 'b' in mode: + return BytesIO(self._data) + else: + return StringIO(self._data.decode('latin_1')) + + +class FakeServer(object): + class EClose(Exception): + pass + + def __init__(self): + self.token_plugin = None + self.auth_plugin = None + self.wrap_cmd = None + self.ssl_target = None + self.unix_target = None + +class ProxyRequestHandlerTestCase(unittest.TestCase): + def setUp(self): + super(ProxyRequestHandlerTestCase, self).setUp() + self.handler = websocketproxy.ProxyRequestHandler( + FakeSocket(), "127.0.0.1", FakeServer()) + self.handler.path = "https://localhost:6080/websockify?token=blah" + self.handler.headers = None + patch('websockify.websockifyserver.WebSockifyServer.socket').start() + + def 
tearDown(self): + patch.stopall() + super(ProxyRequestHandlerTestCase, self).tearDown() + + def test_get_target(self): + class TestPlugin(token_plugins.BasePlugin): + def lookup(self, token): + return ("some host", "some port") + + host, port = self.handler.get_target( + TestPlugin(None)) + + self.assertEqual(host, "some host") + self.assertEqual(port, "some port") + + def test_get_target_unix_socket(self): + class TestPlugin(token_plugins.BasePlugin): + def lookup(self, token): + return ("unix_socket", "/tmp/socket") + + _, socket = self.handler.get_target( + TestPlugin(None)) + + self.assertEqual(socket, "/tmp/socket") + + def test_get_target_raises_error_on_unknown_token(self): + class TestPlugin(token_plugins.BasePlugin): + def lookup(self, token): + return None + + with self.assertRaises(FakeServer.EClose): + self.handler.get_target(TestPlugin(None)) + + @patch('websockify.websocketproxy.ProxyRequestHandler.send_auth_error', MagicMock()) + def test_token_plugin(self): + class TestPlugin(token_plugins.BasePlugin): + def lookup(self, token): + return (self.source + token).split(',') + + self.handler.server.token_plugin = TestPlugin("somehost,") + self.handler.validate_connection() + + self.assertEqual(self.handler.server.target_host, "somehost") + self.assertEqual(self.handler.server.target_port, "blah") + + @patch('websockify.websocketproxy.ProxyRequestHandler.send_auth_error', MagicMock()) + def test_auth_plugin(self): + class TestPlugin(auth_plugins.BasePlugin): + def authenticate(self, headers, target_host, target_port): + if target_host == self.source: + raise auth_plugins.AuthenticationError(response_msg="some_error") + + self.handler.server.auth_plugin = TestPlugin("somehost") + self.handler.server.target_host = "somehost" + self.handler.server.target_port = "someport" + + with self.assertRaises(auth_plugins.AuthenticationError): + self.handler.auth_connection() + + self.handler.server.target_host = "someotherhost" + self.handler.auth_connection() + 
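Review bot: FakeSocket.recv declares `flags=None` and then evaluates `flags & socket.MSG_PEEK`, which raises TypeError whenever recv is called with the default; `def recv(self, amt, flags=0):` matches the real socket API and avoids the crash. The same FakeSocket definition is repeated in test_websockifyserver.py, whose hunk continues past this chunk. Two smaller points: `import unittest` appears twice in the import block, and `_, socket = self.handler.get_target(…)` in test_get_target_unix_socket shadows the `socket` module inside that test, so a name such as `sock_path` would be clearer.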
diff --git a/base/app/novnc/utils/websockify/tests/test_websocketserver.py b/base/app/novnc/utils/websockify/tests/test_websocketserver.py new file mode 100644 index 0000000..0e37e3d --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/test_websocketserver.py @@ -0,0 +1,69 @@ + +""" Unit tests for websocketserver """ +import unittest +from unittest.mock import patch, MagicMock + +from websockify.websocketserver import HttpWebSocket + + +class HttpWebSocketTest(unittest.TestCase): + @patch("websockify.websocketserver.WebSocket.__init__", autospec=True) + def test_constructor(self, websock): + # Given + req_obj = MagicMock() + + # When + sock = HttpWebSocket(req_obj) + + # Then + websock.assert_called_once_with(sock) + self.assertEqual(sock.request_handler, req_obj) + + @patch("websockify.websocketserver.WebSocket.__init__", MagicMock(autospec=True)) + def test_send_response(self): + # Given + req_obj = MagicMock() + sock = HttpWebSocket(req_obj) + + # When + sock.send_response(200, "message") + + # Then + req_obj.send_response.assert_called_once_with(200, "message") + + @patch("websockify.websocketserver.WebSocket.__init__", MagicMock(autospec=True)) + def test_send_response_default_message(self): + # Given + req_obj = MagicMock() + sock = HttpWebSocket(req_obj) + + # When + sock.send_response(200) + + # Then + req_obj.send_response.assert_called_once_with(200, None) + + @patch("websockify.websocketserver.WebSocket.__init__", MagicMock(autospec=True)) + def test_send_header(self): + # Given + req_obj = MagicMock() + sock = HttpWebSocket(req_obj) + + # When + sock.send_header("keyword", "value") + + # Then + req_obj.send_header.assert_called_once_with("keyword", "value") + + @patch("websockify.websocketserver.WebSocket.__init__", MagicMock(autospec=True)) + def test_end_headers(self): + # Given + req_obj = MagicMock() + sock = HttpWebSocket(req_obj) + + # When + sock.end_headers() + + # Then + req_obj.end_headers.assert_called_once_with() + 
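Review bot: `MagicMock(autospec=True)` in the four `@patch("websockify.websocketserver.WebSocket.__init__", …)` decorators does not spec the replacement; `autospec` is a keyword of `patch()`, not of MagicMock, so here it merely sets a spurious `autospec` attribute on the mock and the replaced `__init__` accepts any arguments. Either use `@patch("websockify.websocketserver.WebSocket.__init__", autospec=True)` and accept the mock as a parameter, as test_constructor already does, or drop the kwarg so the intent is not misread.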
diff --git a/base/app/novnc/utils/websockify/tests/test_websockifyserver.py b/base/app/novnc/utils/websockify/tests/test_websockifyserver.py new file mode 100644 index 0000000..79d1b25 --- /dev/null +++ b/base/app/novnc/utils/websockify/tests/test_websockifyserver.py 
@@ -0,0 +1,400 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright(c)2013 NTT corp. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" Unit tests for websockifyserver """ +import errno +import os +import logging +import select +import shutil +import socket +import ssl +from unittest.mock import patch, MagicMock, ANY +import sys +import tempfile +import unittest +import socket +import signal +from http.server import BaseHTTPRequestHandler +from io import StringIO +from io import BytesIO + +from websockify import websockifyserver + + +def raise_oserror(*args, **kwargs): + raise OSError('fake error') + + +class FakeSocket(object): + def __init__(self, data=b''): + self._data = data + + def recv(self, amt, flags=None): + res = self._data[0:amt] + if not (flags & socket.MSG_PEEK): + self._data = self._data[amt:] + + return res + + def makefile(self, mode='r', buffsize=None): + if 'b' in mode: + return BytesIO(self._data) + else: + return StringIO(self._data.decode('latin_1')) + + +class WebSockifyRequestHandlerTestCase(unittest.TestCase): + def setUp(self): + super(WebSockifyRequestHandlerTestCase, self).setUp() + self.tmpdir = tempfile.mkdtemp('-websockify-tests') + # Mock this out cause it screws tests up + patch('os.chdir').start() + + def tearDown(self): + """Called automatically after each test.""" + patch.stopall() + os.rmdir(self.tmpdir) + super(WebSockifyRequestHandlerTestCase, self).tearDown() + + def _get_server(self, 
handler_class=websockifyserver.WebSockifyRequestHandler, + **kwargs): + web = kwargs.pop('web', self.tmpdir) + return websockifyserver.WebSockifyServer( + handler_class, listen_host='localhost', + listen_port=80, key=self.tmpdir, web=web, + record=self.tmpdir, daemon=False, ssl_only=0, idle_timeout=1, + **kwargs) + + @patch('websockify.websockifyserver.WebSockifyRequestHandler.send_error') + def test_normal_get_with_only_upgrade_returns_error(self, send_error): + server = self._get_server(web=None) + handler = websockifyserver.WebSockifyRequestHandler( + FakeSocket(b'GET /tmp.txt HTTP/1.1'), '127.0.0.1', server) + + handler.do_GET() + send_error.assert_called_with(405) + + @patch('websockify.websockifyserver.WebSockifyRequestHandler.send_error') + def test_list_dir_with_file_only_returns_error(self, send_error): + server = self._get_server(file_only=True) + handler = websockifyserver.WebSockifyRequestHandler( + FakeSocket(b'GET / HTTP/1.1'), '127.0.0.1', server) + + handler.path = '/' + handler.do_GET() + send_error.assert_called_with(404) + + +class WebSockifyServerTestCase(unittest.TestCase): + def setUp(self): + super(WebSockifyServerTestCase, self).setUp() + self.tmpdir = tempfile.mkdtemp('-websockify-tests') + # Mock this out cause it screws tests up + patch('os.chdir').start() + + def tearDown(self): + """Called automatically after each test.""" + patch.stopall() + os.rmdir(self.tmpdir) + super(WebSockifyServerTestCase, self).tearDown() + + def _get_server(self, handler_class=websockifyserver.WebSockifyRequestHandler, + **kwargs): + return websockifyserver.WebSockifyServer( + handler_class, listen_host='localhost', + listen_port=80, key=self.tmpdir, web=self.tmpdir, + record=self.tmpdir, **kwargs) + + def test_daemonize_raises_error_while_closing_fds(self): + server = self._get_server(daemon=True, ssl_only=1, idle_timeout=1) + patch('os.fork').start().return_value = 0 + patch('signal.signal').start() + patch('os.setsid').start() + 
patch('os.close').start().side_effect = raise_oserror + self.assertRaises(OSError, server.daemonize, keepfd=None, chdir='./') + + def test_daemonize_ignores_ebadf_error_while_closing_fds(self): + def raise_oserror_ebadf(fd): + raise OSError(errno.EBADF, 'fake error') + + server = self._get_server(daemon=True, ssl_only=1, idle_timeout=1) + patch('os.fork').start().return_value = 0 + patch('signal.signal').start() + patch('os.setsid').start() + patch('os.close').start().side_effect = raise_oserror_ebadf + patch('os.open').start().side_effect = raise_oserror + self.assertRaises(OSError, server.daemonize, keepfd=None, chdir='./') + + def test_handshake_fails_on_not_ready(self): + server = self._get_server(daemon=True, ssl_only=0, idle_timeout=1) + + def fake_select(rlist, wlist, xlist, timeout=None): + return ([], [], []) + + patch('select.select').start().side_effect = fake_select + self.assertRaises( + websockifyserver.WebSockifyServer.EClose, server.do_handshake, + FakeSocket(), '127.0.0.1') + + def test_empty_handshake_fails(self): + server = self._get_server(daemon=True, ssl_only=0, idle_timeout=1) + + sock = FakeSocket('') + + def fake_select(rlist, wlist, xlist, timeout=None): + return ([sock], [], []) + + patch('select.select').start().side_effect = fake_select + self.assertRaises( + websockifyserver.WebSockifyServer.EClose, server.do_handshake, + sock, '127.0.0.1') + + def test_handshake_policy_request(self): + # TODO(directxman12): implement + pass + + def test_handshake_ssl_only_without_ssl_raises_error(self): + server = self._get_server(daemon=True, ssl_only=1, idle_timeout=1) + + sock = FakeSocket(b'some initial data') + + def fake_select(rlist, wlist, xlist, timeout=None): + return ([sock], [], []) + + patch('select.select').start().side_effect = fake_select + self.assertRaises( + websockifyserver.WebSockifyServer.EClose, server.do_handshake, + sock, '127.0.0.1') + + def test_do_handshake_no_ssl(self): + class FakeHandler(object): + CALLED = False + def 
__init__(self, *args, **kwargs): + type(self).CALLED = True + + FakeHandler.CALLED = False + + server = self._get_server( + handler_class=FakeHandler, daemon=True, + ssl_only=0, idle_timeout=1) + + sock = FakeSocket(b'some initial data') + + def fake_select(rlist, wlist, xlist, timeout=None): + return ([sock], [], []) + + patch('select.select').start().side_effect = fake_select + self.assertEqual(server.do_handshake(sock, '127.0.0.1'), sock) + self.assertTrue(FakeHandler.CALLED, True) + + def test_do_handshake_ssl(self): + # TODO(directxman12): implement this + pass + + def test_do_handshake_ssl_without_ssl_raises_error(self): + # TODO(directxman12): implement this + pass + + def test_do_handshake_ssl_without_cert_raises_error(self): + server = self._get_server(daemon=True, ssl_only=0, idle_timeout=1, + cert='afdsfasdafdsafdsafdsafdas') + + sock = FakeSocket(b"\x16some ssl data") + + def fake_select(rlist, wlist, xlist, timeout=None): + return ([sock], [], []) + + patch('select.select').start().side_effect = fake_select + self.assertRaises( + websockifyserver.WebSockifyServer.EClose, server.do_handshake, + sock, '127.0.0.1') + + def test_do_handshake_ssl_error_eof_raises_close_error(self): + server = self._get_server(daemon=True, ssl_only=0, idle_timeout=1) + + sock = FakeSocket(b"\x16some ssl data") + + def fake_select(rlist, wlist, xlist, timeout=None): + return ([sock], [], []) + + def fake_wrap_socket(*args, **kwargs): + raise ssl.SSLError(ssl.SSL_ERROR_EOF) + + class fake_create_default_context(): + def __init__(self, purpose): + self.verify_mode = None + self.options = 0 + def load_cert_chain(self, certfile, keyfile, password): + pass + def set_default_verify_paths(self): + pass + def load_verify_locations(self, cafile): + pass + def wrap_socket(self, *args, **kwargs): + raise ssl.SSLError(ssl.SSL_ERROR_EOF) + + patch('select.select').start().side_effect = fake_select + patch('ssl.create_default_context').start().side_effect = fake_create_default_context + 
self.assertRaises( + websockifyserver.WebSockifyServer.EClose, server.do_handshake, + sock, '127.0.0.1') + + def test_do_handshake_ssl_sets_ciphers(self): + test_ciphers = 'TEST-CIPHERS-1:TEST-CIPHER-2' + + class FakeHandler(object): + def __init__(self, *args, **kwargs): + pass + + server = self._get_server(handler_class=FakeHandler, daemon=True, + idle_timeout=1, ssl_ciphers=test_ciphers) + sock = FakeSocket(b"\x16some ssl data") + + def fake_select(rlist, wlist, xlist, timeout=None): + return ([sock], [], []) + + class fake_create_default_context(): + CIPHERS = '' + def __init__(self, purpose): + self.verify_mode = None + self.options = 0 + def load_cert_chain(self, certfile, keyfile, password): + pass + def set_default_verify_paths(self): + pass + def load_verify_locations(self, cafile): + pass + def wrap_socket(self, *args, **kwargs): + pass + def set_ciphers(self, ciphers_to_set): + fake_create_default_context.CIPHERS = ciphers_to_set + + patch('select.select').start().side_effect = fake_select + patch('ssl.create_default_context').start().side_effect = fake_create_default_context + server.do_handshake(sock, '127.0.0.1') + self.assertEqual(fake_create_default_context.CIPHERS, test_ciphers) + + def test_do_handshake_ssl_sets_opions(self): + test_options = 0xCAFEBEEF + + class FakeHandler(object): + def __init__(self, *args, **kwargs): + pass + + server = self._get_server(handler_class=FakeHandler, daemon=True, + idle_timeout=1, ssl_options=test_options) + sock = FakeSocket(b"\x16some ssl data") + + def fake_select(rlist, wlist, xlist, timeout=None): + return ([sock], [], []) + + class fake_create_default_context(object): + OPTIONS = 0 + def __init__(self, purpose): + self.verify_mode = None + self._options = 0 + def load_cert_chain(self, certfile, keyfile, password): + pass + def set_default_verify_paths(self): + pass + def load_verify_locations(self, cafile): + pass + def wrap_socket(self, *args, **kwargs): + pass + def get_options(self): + return 
self._options + def set_options(self, val): + fake_create_default_context.OPTIONS = val + options = property(get_options, set_options) + + patch('select.select').start().side_effect = fake_select + patch('ssl.create_default_context').start().side_effect = fake_create_default_context + server.do_handshake(sock, '127.0.0.1') + self.assertEqual(fake_create_default_context.OPTIONS, test_options) + + def test_fallback_sigchld_handler(self): + # TODO(directxman12): implement this + pass + + def test_start_server_error(self): + server = self._get_server(daemon=False, ssl_only=1, idle_timeout=1) + sock = server.socket('localhost') + + def fake_select(rlist, wlist, xlist, timeout=None): + raise Exception("fake error") + + patch('websockify.websockifyserver.WebSockifyServer.socket').start() + patch('websockify.websockifyserver.WebSockifyServer.daemonize').start() + patch('select.select').start().side_effect = fake_select + server.start_server() + + def test_start_server_keyboardinterrupt(self): + server = self._get_server(daemon=False, ssl_only=0, idle_timeout=1) + sock = server.socket('localhost') + + def fake_select(rlist, wlist, xlist, timeout=None): + raise KeyboardInterrupt + + patch('websockify.websockifyserver.WebSockifyServer.socket').start() + patch('websockify.websockifyserver.WebSockifyServer.daemonize').start() + patch('select.select').start().side_effect = fake_select + server.start_server() + + def test_start_server_systemexit(self): + server = self._get_server(daemon=False, ssl_only=0, idle_timeout=1) + sock = server.socket('localhost') + + def fake_select(rlist, wlist, xlist, timeout=None): + sys.exit() + + patch('websockify.websockifyserver.WebSockifyServer.socket').start() + patch('websockify.websockifyserver.WebSockifyServer.daemonize').start() + patch('select.select').start().side_effect = fake_select + server.start_server() + + def test_socket_set_keepalive_options(self): + keepcnt = 12 + keepidle = 34 + keepintvl = 56 + + server = 
self._get_server(daemon=False, ssl_only=0, idle_timeout=1)
+ sock = server.socket('localhost',
+ tcp_keepcnt=keepcnt,
+ tcp_keepidle=keepidle,
+ tcp_keepintvl=keepintvl)
+
+ if hasattr(socket, 'TCP_KEEPCNT'):
+ self.assertEqual(sock.getsockopt(socket.SOL_TCP,
+ socket.TCP_KEEPCNT), keepcnt)
+ self.assertEqual(sock.getsockopt(socket.SOL_TCP,
+ socket.TCP_KEEPIDLE), keepidle)
+ self.assertEqual(sock.getsockopt(socket.SOL_TCP,
+ socket.TCP_KEEPINTVL), keepintvl)
+
+ sock = server.socket('localhost',
+ tcp_keepalive=False,
+ tcp_keepcnt=keepcnt,
+ tcp_keepidle=keepidle,
+ tcp_keepintvl=keepintvl)
+
+ if hasattr(socket, 'TCP_KEEPCNT'):
+ self.assertNotEqual(sock.getsockopt(socket.SOL_TCP,
+ socket.TCP_KEEPCNT), keepcnt)
+ self.assertNotEqual(sock.getsockopt(socket.SOL_TCP,
+ socket.TCP_KEEPIDLE), keepidle)
+ self.assertNotEqual(sock.getsockopt(socket.SOL_TCP,
+ socket.TCP_KEEPINTVL), keepintvl)
diff --git a/base/app/novnc/utils/websockify/tox.ini b/base/app/novnc/utils/websockify/tox.ini
new file mode 100644
index 0000000..526eff6
--- /dev/null
+++ b/base/app/novnc/utils/websockify/tox.ini
@@ -0,0 +1,17 @@
+# Tox (http://tox.testrun.org/) is a tool for running tests
+# in multiple virtualenvs. This configuration file will run the
+# test suite on all supported python versions. To use it, "pip install tox"
+# and then run "tox" from this directory.
+
+[tox]
+envlist = py34
+
+[testenv]
+commands = nosetests {posargs}
+deps = -r{toxinidir}/test-requirements.txt
+
+# At some point we should enable this since tox expects it to exist but
+# the code will need pep8ising first.
+#[testenv:pep8]
+#commands = flake8
+#dep = flake8
diff --git a/base/app/novnc/utils/websockify/websockify.py b/base/app/novnc/utils/websockify/websockify.py
new file mode 120000
index 0000000..e5224d5
--- /dev/null
+++ b/base/app/novnc/utils/websockify/websockify.py
@@ -0,0 +1 @@
+run
\ No newline at end of file
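Review bot: In test_do_handshake_no_ssl, `self.assertTrue(FakeHandler.CALLED, True)` passes `True` as the failure *message*, not as an expected value; the assertion still checks `CALLED`, but the intent reads better as `self.assertTrue(FakeHandler.CALLED)`. The three test_start_server_* tests and test_socket_set_keepalive_options each create a real socket via `server.socket('localhost')` that is never closed, which surfaces as ResourceWarning under `-W error` and can leak descriptors across the suite — wrap them in `self.addCleanup(sock.close)` or a `with` block. The keepalive assertions use `socket.SOL_TCP`, which is not defined on every platform Python supports; `socket.IPPROTO_TCP` is the portable spelling for the same level, and the existing `hasattr(socket, 'TCP_KEEPCNT')` guard would then be the only platform condition.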
diff --git a/base/app/novnc/utils/websockify/websockify/__init__.py b/base/app/novnc/utils/websockify/websockify/__init__.py
new file mode 100644
index 0000000..37a6f47
--- /dev/null
+++ b/base/app/novnc/utils/websockify/websockify/__init__.py
@@ -0,0 +1,2 @@
+from websockify.websocket import *
+from websockify.websocketproxy import *
diff --git a/base/app/novnc/utils/websockify/websockify/__main__.py b/base/app/novnc/utils/websockify/websockify/__main__.py
new file mode 100644
index 0000000..8378d46
--- /dev/null
+++ b/base/app/novnc/utils/websockify/websockify/__main__.py
@@ -0,0 +1,4 @@
+import websockify
+
+if __name__ == '__main__':
+ websockify.websocketproxy.websockify_init()
diff --git a/base/app/novnc/utils/websockify/websockify/auth_plugins.py b/base/app/novnc/utils/websockify/websockify/auth_plugins.py
new file mode 100644
index 0000000..36fac52
--- /dev/null
+++ b/base/app/novnc/utils/websockify/websockify/auth_plugins.py
@@ -0,0 +1,102 @@
+class BasePlugin():
+ def __init__(self, src=None):
+ self.source = src
+
+ def authenticate(self, headers, target_host, target_port):
+ pass
+
+
+class AuthenticationError(Exception):
+ def __init__(self, log_msg=None, response_code=403, response_headers={}, response_msg=None):
+ self.code = response_code
+ self.headers = response_headers
+ self.msg = response_msg
+
+ if log_msg is None:
+ log_msg = response_msg
+
+ super().__init__('%s %s' % (self.code, log_msg))
+
+
+class InvalidOriginError(AuthenticationError):
+ def __init__(self, expected, actual):
+ self.expected_origin = expected
+ self.actual_origin = actual
+
+ super().__init__(
+ response_msg='Invalid Origin',
+ log_msg="Invalid Origin Header: Expected one of "
+ "%s, got '%s'" % (expected, actual))
+
+
+class BasicHTTPAuth():
+ """Verifies Basic Auth headers. Specify src as username:password"""
+
+ def __init__(self, src=None):
+ self.src = src
+
+ def authenticate(self, headers, target_host, target_port):
+ import base64
+ auth_header = headers.get('Authorization')
+ if auth_header:
+ if not auth_header.startswith('Basic '):
+ self.auth_error()
+
+ try:
+ user_pass_raw = base64.b64decode(auth_header[6:])
+ except TypeError:
+ self.auth_error()
+
+ try:
+ # http://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication
+ user_pass_as_text = user_pass_raw.decode('ISO-8859-1')
+ except UnicodeDecodeError:
+ self.auth_error()
+
+ user_pass = user_pass_as_text.split(':', 1)
+ if len(user_pass) != 2:
+ self.auth_error()
+
+ if not self.validate_creds(*user_pass):
+ self.demand_auth()
+
+ else:
+ self.demand_auth()
+
+ def validate_creds(self, username, password):
+ if '%s:%s' % (username, password) == self.src:
+ return True
+ else:
+ return False
+
+ def auth_error(self):
+ raise AuthenticationError(response_code=403)
+
+ def demand_auth(self):
+ raise AuthenticationError(response_code=401,
+ response_headers={'WWW-Authenticate': 'Basic 
realm="Websockify"'})
+
+class ExpectOrigin():
+ def __init__(self, src=None):
+ if src is None:
+ self.source = []
+ else:
+ self.source = src.split()
+
+ def authenticate(self, headers, target_host, target_port):
+ origin = headers.get('Origin', None)
+ if origin is None or origin not in self.source:
+ raise InvalidOriginError(expected=self.source, actual=origin)
+
+class ClientCertCNAuth():
+ """Verifies client by SSL certificate. Specify src as whitespace separated list of common names."""
+
+ def __init__(self, src=None):
+ if src is None:
+ self.source = []
+ else:
+ self.source = src.split()
+
+ def authenticate(self, headers, target_host, target_port):
+ if headers.get('SSL_CLIENT_S_DN_CN', None) not in self.source:
+ raise AuthenticationError(response_code=403)
diff --git a/base/app/novnc/utils/websockify/websockify/sysloghandler.py b/base/app/novnc/utils/websockify/websockify/sysloghandler.py
new file mode 100644
index 0000000..37ee9dd
--- /dev/null
+++ b/base/app/novnc/utils/websockify/websockify/sysloghandler.py
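Review bot: In BasicHTTPAuth.authenticate the `except TypeError:` around `base64.b64decode(auth_header[6:])` never fires on Python 3, where malformed input raises `binascii.Error` (a `ValueError` subclass); a garbage `Authorization: Basic` value therefore escapes authenticate() as an unhandled exception instead of the intended 403 — `except (TypeError, ValueError):` restores the behaviour the surrounding code expects. validate_creds compares the presented credentials with `==`, which short-circuits on the first differing character; since this is the accept/reject decision on untrusted input, a constant-time comparison is the usual practice: `import hmac` and `return hmac.compare_digest(('%s:%s' % (username, password)).encode('utf-8'), (self.src or '').encode('utf-8'))`. Also, `response_headers={}` in AuthenticationError.__init__ is a mutable default shared by every instance that does not pass headers; `response_headers=None` with `self.headers = response_headers or {}` avoids surprises if a caller ever mutates `err.headers`.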
@@ -0,0 +1,118 @@ +import logging.handlers as handlers, socket, os, time + + +class WebsockifySysLogHandler(handlers.SysLogHandler): + """ + A handler class that sends proper Syslog-formatted messages, + as defined by RFC 5424. + """ + + _legacy_head_fmt = '<{pri}>{ident}[{pid}]: ' + _rfc5424_head_fmt = '<{pri}>1 {timestamp} {hostname} {ident} {pid} - - ' + _head_fmt = _rfc5424_head_fmt + _legacy = False + _timestamp_fmt = '%Y-%m-%dT%H:%M:%SZ' + _max_hostname = 255 + _max_ident = 24 #safer for old daemons + _send_length = False + _tail = '\n' + + + ident = None + + + def __init__(self, address=('localhost', handlers.SYSLOG_UDP_PORT), + facility=handlers.SysLogHandler.LOG_USER, + socktype=None, ident=None, legacy=False): + """ + Initialize a handler. + + If address is specified as a string, a UNIX socket is used. To log to a + local syslogd, "WebsockifySysLogHandler(address="/dev/log")" can be + used. If facility is not specified, LOG_USER is used. If socktype is + specified as socket.SOCK_DGRAM or socket.SOCK_STREAM, that specific + socket type will be used. For Unix sockets, you can also specify a + socktype of None, in which case socket.SOCK_DGRAM will be used, falling + back to socket.SOCK_STREAM. If ident is specified, this string will be + used as the application name in all messages sent. Set legacy to True + to use the old version of the protocol. + """ + + self.ident = ident + + if legacy: + self._legacy = True + self._head_fmt = self._legacy_head_fmt + + super().__init__(address, facility, socktype) + + + def emit(self, record): + """ + Emit a record. + + The record is formatted, and then sent to the syslog server. If + exception information is present, it is NOT sent to the server. + """ + + try: + # Gather info. 
+ text = self.format(record).replace(self._tail, ' ') + if not text: # nothing to log + return + + pri = self.encodePriority(self.facility, + self.mapPriority(record.levelname)) + + timestamp = time.strftime(self._timestamp_fmt, time.gmtime()); + + hostname = socket.gethostname()[:self._max_hostname] + + if self.ident: + ident = self.ident[:self._max_ident] + else: + ident = '' + + pid = os.getpid() # shouldn't need truncation + + # Format the header. + head = { + 'pri': pri, + 'timestamp': timestamp, + 'hostname': hostname, + 'ident': ident, + 'pid': pid, + } + msg = self._head_fmt.format(**head).encode('ascii', 'ignore') + + # Encode text as plain ASCII if possible, else use UTF-8 with BOM. + try: + msg += text.encode('ascii') + except UnicodeEncodeError: + msg += text.encode('utf-8-sig') + + # Add length or tail character, if necessary. + if self.socktype != socket.SOCK_DGRAM: + if self._send_length: + msg = ('%d ' % len(msg)).encode('ascii') + msg + else: + msg += self._tail.encode('ascii') + + # Send the message. + if self.unixsocket: + try: + self.socket.send(msg) + except socket.error: + self._connect_unixsocket(self.address) + self.socket.send(msg) + + else: + if self.socktype == socket.SOCK_DGRAM: + self.socket.sendto(msg, self.address) + else: + self.socket.sendall(msg) + + except (KeyboardInterrupt, SystemExit): + raise + except: + self.handleError(record) diff --git a/base/app/novnc/utils/websockify/websockify/token_plugins.py b/base/app/novnc/utils/websockify/websockify/token_plugins.py new file mode 100644 index 0000000..36a1dbc --- /dev/null +++ b/base/app/novnc/utils/websockify/websockify/token_plugins.py 
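Review bot: The trailing bare `except:` in emit catches everything not already re-raised by the `(KeyboardInterrupt, SystemExit)` clause, including `GeneratorExit` and other non-`Exception` conditions; the logging convention (and what `handleError` is meant for) is `except Exception:`. The stray semicolon on `timestamp = time.strftime(self._timestamp_fmt, time.gmtime());` is harmless but reads as a typo and is worth dropping. The newline-to-space rewrite at the top of emit, `self.format(record).replace(self._tail, ' ')`, is the line that keeps a multi-line message from being delivered as several syslog records; a one-line comment such as `# collapse newlines so one record cannot be split into several syslog messages` would make that intent explicit for the next reader.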
@@ -0,0 +1,333 @@ +import logging +import os +import sys +import time +import re +import json + +logger = logging.getLogger(__name__) + + +class BasePlugin(): + def __init__(self, src): + self.source = src + + def lookup(self, token): + return None + + +class ReadOnlyTokenFile(BasePlugin): + # source is a token file with lines like + # token: host:port + # or a directory of such files + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self._targets = None + + def _load_targets(self): + if os.path.isdir(self.source): + cfg_files = [os.path.join(self.source, f) for + f in os.listdir(self.source)] + else: + cfg_files = [self.source] + + self._targets = {} + index = 1 + for f in cfg_files: + for line in [l.strip() for l in open(f).readlines()]: + if line and not line.startswith('#'): + try: + tok, target = re.split(':\s', line) + self._targets[tok] = target.strip().rsplit(':', 1) + except ValueError: + logger.error("Syntax error in %s on line %d" % (self.source, index)) + index += 1 + + def lookup(self, token): + if self._targets is None: + self._load_targets() + + if token in self._targets: + return self._targets[token] + else: + return None + + +# the above one is probably more efficient, but this one is +# more backwards compatible (although in most cases +# ReadOnlyTokenFile should suffice) +class TokenFile(ReadOnlyTokenFile): + # source is a token file with lines like + # token: host:port + # or a directory of such files + def lookup(self, token): + self._load_targets() + + return super().lookup(token) + +class TokenFileName(BasePlugin): + # source is a directory + # token is filename + # contents of file is host:port + def __init__(self, src): + super().__init__(src) + if not os.path.isdir(src): + raise Exception("TokenFileName plugin requires a directory") + + def lookup(self, token): + token = os.path.basename(token) + path = os.path.join(self.source, token) + if os.path.exists(path): + return open(path).read().strip().split(':') + 
else: + return None + + +class BaseTokenAPI(BasePlugin): + # source is a url with a '%s' in it where the token + # should go + + # we import things on demand so that other plugins + # in this file can be used w/o unnecessary dependencies + + def process_result(self, resp): + host, port = resp.text.split(':') + port = port.encode('ascii','ignore') + return [ host, port ] + + def lookup(self, token): + import requests + + resp = requests.get(self.source % token) + + if resp.ok: + return self.process_result(resp) + else: + return None + + +class JSONTokenApi(BaseTokenAPI): + # source is a url with a '%s' in it where the token + # should go + + def process_result(self, resp): + resp_json = resp.json() + return (resp_json['host'], resp_json['port']) + + +class JWTTokenApi(BasePlugin): + # source is a JWT-token, with hostname and port included + # Both JWS as JWE tokens are accepted. With regards to JWE tokens, the key is re-used for both validation and decryption. + + def lookup(self, token): + try: + from jwcrypto import jwt, jwk + import json + + key = jwk.JWK() + + try: + with open(self.source, 'rb') as key_file: + key_data = key_file.read() + except Exception as e: + logger.error("Error loading key file: %s" % str(e)) + return None + + try: + key.import_from_pem(key_data) + except: + try: + key.import_key(k=key_data.decode('utf-8'),kty='oct') + except: + logger.error('Failed to correctly parse key data!') + return None + + try: + token = jwt.JWT(key=key, jwt=token) + parsed_header = json.loads(token.header) + + if 'enc' in parsed_header: + # Token is encrypted, so we need to decrypt by passing the claims to a new instance + token = jwt.JWT(key=key, jwt=token.claims) + + parsed = json.loads(token.claims) + + if 'nbf' in parsed: + # Not Before is present, so we need to check it + if time.time() < parsed['nbf']: + logger.warning('Token can not be used yet!') + return None + + if 'exp' in parsed: + # Expiration time is present, so we need to check it + if time.time() > 
parsed['exp']: + logger.warning('Token has expired!') + return None + + return (parsed['host'], parsed['port']) + except Exception as e: + logger.error("Failed to parse token: %s" % str(e)) + return None + except ImportError: + logger.error("package jwcrypto not found, are you sure you've installed it correctly?") + return None + + +class TokenRedis(BasePlugin): + """Token plugin based on the Redis in-memory data store. + + The token source is in the format: + + host[:port[:db[:password]]] + + where port, db and password are optional. If port or db are left empty + they will take its default value, ie. 6379 and 0 respectively. + + If your redis server is using the default port (6379) then you can use: + + my-redis-host + + In case you need to authenticate with the redis server and you are using + the default database and port you can use: + + my-redis-host:::verysecretpass + + In the more general case you will use: + + my-redis-host:6380:1:verysecretpass + + The TokenRedis plugin expects the format of the target in one of these two + formats: + + - JSON + + {"host": "target-host:target-port"} + + - Plain text + + target-host:target-port + + Prepare data with: + + redis-cli set my-token '{"host": "127.0.0.1:5000"}' + + Verify with: + + redis-cli --raw get my-token + + Spawn a test "server" using netcat + + nc -l 5000 -v + + Note: This Token Plugin depends on the 'redis' module, so you have + to install it before using this plugin: + + pip install redis + """ + def __init__(self, src): + try: + import redis + except ImportError: + logger.error("Unable to load redis module") + sys.exit() + # Default values + self._port = 6379 + self._db = 0 + self._password = None + try: + fields = src.split(":") + if len(fields) == 1: + self._server = fields[0] + elif len(fields) == 2: + self._server, self._port = fields + if not self._port: + self._port = 6379 + elif len(fields) == 3: + self._server, self._port, self._db = fields + if not self._port: + self._port = 6379 + if not 
self._db: + self._db = 0 + elif len(fields) == 4: + self._server, self._port, self._db, self._password = fields + if not self._port: + self._port = 6379 + if not self._db: + self._db = 0 + if not self._password: + self._password = None + else: + raise ValueError + self._port = int(self._port) + self._db = int(self._db) + logger.info("TokenRedis backend initilized (%s:%s)" % + (self._server, self._port)) + except ValueError: + logger.error("The provided --token-source='%s' is not in the " + "expected format [:[:[:]]]" % + src) + sys.exit() + + def lookup(self, token): + try: + import redis + except ImportError: + logger.error("package redis not found, are you sure you've installed them correctly?") + sys.exit() + + logger.info("resolving token '%s'" % token) + client = redis.Redis(host=self._server, port=self._port, + db=self._db, password=self._password) + stuff = client.get(token) + if stuff is None: + return None + else: + responseStr = stuff.decode("utf-8").strip() + logger.debug("response from redis : %s" % responseStr) + if responseStr.startswith("{"): + try: + combo = json.loads(responseStr) + host, port = combo["host"].split(":") + except ValueError: + logger.error("Unable to decode JSON token: %s" % + responseStr) + return None + except KeyError: + logger.error("Unable to find 'host' key in JSON token: %s" % + responseStr) + return None + elif re.match(r'\S+:\S+', responseStr): + host, port = responseStr.split(":") + else: + logger.error("Unable to parse token: %s" % responseStr) + return None + logger.debug("host: %s, port: %s" % (host, port)) + return [host, port] + + +class UnixDomainSocketDirectory(BasePlugin): + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self._dir_path = os.path.abspath(self.source) + + def lookup(self, token): + try: + import stat + + if not os.path.isdir(self._dir_path): + return None + + uds_path = os.path.abspath(os.path.join(self._dir_path, token)) + if not uds_path.startswith(self._dir_path): + 
return None + + if not os.path.exists(uds_path): + return None + + if not stat.S_ISSOCK(os.stat(uds_path).st_mode): + return None + + return [ 'unix_socket', uds_path ] + except Exception as e: + logger.error("Error finding unix domain socket: %s" % str(e)) + return None diff --git a/base/app/novnc/utils/websockify/websockify/websocket.py b/base/app/novnc/utils/websockify/websockify/websocket.py new file mode 100644 index 0000000..af87d3e --- /dev/null +++ b/base/app/novnc/utils/websockify/websockify/websocket.py 
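Review bot: The containment check in UnixDomainSocketDirectory.lookup, `if not uds_path.startswith(self._dir_path)`, is a plain string-prefix test and so also accepts paths in a sibling directory whose name merely begins with the socket directory's name (a base of `/run/socks` accepts `/run/socks-other/x`); compare path components instead, `if os.path.commonpath([self._dir_path, uds_path]) != self._dir_path: return None`. In TokenRedis.lookup the plain-text branch does `host, port = responseStr.split(":")`, which raises an uncaught ValueError for any value containing more than one colon (an IPv6 literal also matches `\S+:\S+`), while the JSON branch just above catches that error; `responseStr.rsplit(":", 1)` as in ReadOnlyTokenFile._load_targets would be consistent and robust. In ReadOnlyTokenFile._load_targets, `re.split(':\s', line)` is not a raw string, so `\s` is an invalid escape that newer Python versions warn about — `r':\s'`; the same method and TokenFileName.lookup also open files without closing them, which a `with open(f) as fh:` block fixes.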
@@ -0,0 +1,874 @@ +#!/usr/bin/env python + +''' +Python WebSocket library +Copyright 2011 Joel Martin +Copyright 2016 Pierre Ossman +Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) + +Supports following protocol versions: + - http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-07 + - http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-10 + - http://tools.ietf.org/html/rfc6455 +''' + +import sys +import array +import email +import errno +import random +import socket +import ssl +import struct +from base64 import b64encode +from hashlib import sha1 +from urllib.parse import urlparse + +try: + import numpy +except ImportError: + import warnings + warnings.warn("no 'numpy' module, HyBi protocol will be slower") + numpy = None + +class WebSocketWantReadError(ssl.SSLWantReadError): + pass +class WebSocketWantWriteError(ssl.SSLWantWriteError): + pass + +class WebSocket(object): + """WebSocket protocol socket like class. + + This provides access to the WebSocket protocol by behaving much + like a real socket would. It shares many similarities with + ssl.SSLSocket. + + The WebSocket protocols requires extra data to be sent and received + compared to the application level data. This means that a socket + that is ready to be read may not hold enough data to decode any + application data, and a socket that is ready to be written to may + not have enough space for an entire WebSocket frame. This is + handled by the exceptions WebSocketWantReadError and + WebSocketWantWriteError. When these are raised the caller must wait + for the socket to become ready again and call the relevant function + again. + + A connection is established by using either connect() or accept(), + depending on if a client or server session is desired. See the + respective functions for details. 
+ + The following methods are passed on to the underlying socket: + + - fileno + - getpeername, getsockname + - getsockopt, setsockopt + - gettimeout, settimeout + - setblocking + """ + + GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" + + def __init__(self): + """Creates an unconnected WebSocket""" + + self._state = "new" + + self._partial_msg = b'' + + self._recv_buffer = b'' + self._recv_queue = [] + self._send_buffer = b'' + + self._previous_sendmsg = None + + self._sent_close = False + self._received_close = False + + self.close_code = None + self.close_reason = None + + self.socket = None + + def __getattr__(self, name): + # These methods are just redirected to the underlying socket + if name in ["fileno", + "getpeername", "getsockname", + "getsockopt", "setsockopt", + "gettimeout", "settimeout", + "setblocking"]: + assert self.socket is not None + return getattr(self.socket, name) + else: + raise AttributeError("%s instance has no attribute '%s'" % + (self.__class__.__name__, name)) + + def connect(self, uri, origin=None, protocols=[]): + """Establishes a new connection to a WebSocket server. + + This method connects to the host specified by uri and + negotiates a WebSocket connection. origin should be specified + in accordance with RFC 6454 if known. A list of valid + sub-protocols can be specified in the protocols argument. + + The data will be sent in the clear if the "ws" scheme is used, + and encrypted if the "wss" scheme is used. + + Both WebSocketWantReadError and WebSocketWantWriteError can be + raised whilst negotiating the connection. Repeated calls to + connect() must retain the same arguments. 
+ """ + + self.client = True; + + uri = urlparse(uri) + + port = uri.port + if uri.scheme in ("ws", "http"): + if not port: + port = 80 + elif uri.scheme in ("wss", "https"): + if not port: + port = 443 + else: + raise Exception("Unknown scheme '%s'" % uri.scheme) + + # This is a state machine in order to handle + # WantRead/WantWrite events + + if self._state == "new": + self.socket = socket.create_connection((uri.hostname, port)) + + if uri.scheme in ("wss", "https"): + self.socket = ssl.wrap_socket(self.socket) + self._state = "ssl_handshake" + else: + self._state = "headers" + + if self._state == "ssl_handshake": + self.socket.do_handshake() + self._state = "headers" + + if self._state == "headers": + self._key = '' + for i in range(16): + self._key += chr(random.randrange(256)) + self._key = b64encode(self._key.encode("latin-1")).decode("ascii") + + path = uri.path + if not path: + path = "/" + + self.send_request("GET", path) + self.send_header("Host", uri.hostname) + self.send_header("Upgrade", "websocket") + self.send_header("Connection", "upgrade") + self.send_header("Sec-WebSocket-Key", self._key) + self.send_header("Sec-WebSocket-Version", 13) + + if origin is not None: + self.send_header("Origin", origin) + if len(protocols) > 0: + self.send_header("Sec-WebSocket-Protocol", ", ".join(protocols)) + + self.end_headers() + + self._state = "send_headers" + + if self._state == "send_headers": + self._flush() + self._state = "response" + + if self._state == "response": + if not self._recv(): + raise Exception("Socket closed unexpectedly") + + if self._recv_buffer.find(b'\r\n\r\n') == -1: + raise WebSocketWantReadError + + (request, self._recv_buffer) = self._recv_buffer.split(b'\r\n', 1) + request = request.decode("latin-1") + + words = request.split() + if (len(words) < 2) or (words[0] != "HTTP/1.1"): + raise Exception("Invalid response") + if words[1] != "101": + raise Exception("WebSocket request denied: %s" % " ".join(words[1:])) + + (headers, 
self._recv_buffer) = self._recv_buffer.split(b'\r\n\r\n', 1) + headers = headers.decode('latin-1') + '\r\n' + headers = email.message_from_string(headers) + + if headers.get("Upgrade", "").lower() != "websocket": + print(type(headers)) + raise Exception("Missing or incorrect upgrade header") + + accept = headers.get('Sec-WebSocket-Accept') + if accept is None: + raise Exception("Missing Sec-WebSocket-Accept header"); + + expected = sha1((self._key + self.GUID).encode("ascii")).digest() + expected = b64encode(expected).decode("ascii") + + del self._key + + if accept != expected: + raise Exception("Invalid Sec-WebSocket-Accept header"); + + self.protocol = headers.get('Sec-WebSocket-Protocol') + if len(protocols) == 0: + if self.protocol is not None: + raise Exception("Unexpected Sec-WebSocket-Protocol header") + else: + if self.protocol not in protocols: + raise Exception("Invalid protocol chosen by server") + + self._state = "done" + + return + + raise Exception("WebSocket is in an invalid state") + + def accept(self, socket, headers): + """Establishes a new WebSocket session with a client. + + This method negotiates a WebSocket connection with an incoming + client. The caller must provide the client socket and the + headers from the HTTP request. + + A server can identify that a client is requesting a WebSocket + connection by looking at the "Upgrade" header. It will include + the value "websocket" in such cases. + + WebSocketWantWriteError can be raised if the response cannot be + sent right away. accept() must be called again once more space + is available using the same arguments. 
+ """ + + # This is a state machine in order to handle + # WantRead/WantWrite events + + if self._state == "new": + self.client = False + self.socket = socket + + if headers.get("upgrade", "").lower() != "websocket": + raise Exception("Missing or incorrect upgrade header") + + ver = headers.get('Sec-WebSocket-Version') + if ver is None: + raise Exception("Missing Sec-WebSocket-Version header"); + + # HyBi-07 report version 7 + # HyBi-08 - HyBi-12 report version 8 + # HyBi-13 reports version 13 + if ver in ['7', '8', '13']: + self.version = "hybi-%02d" % int(ver) + else: + raise Exception("Unsupported protocol version %s" % ver) + + key = headers.get('Sec-WebSocket-Key') + if key is None: + raise Exception("Missing Sec-WebSocket-Key header"); + + # Generate the hash value for the accept header + accept = sha1((key + self.GUID).encode("ascii")).digest() + accept = b64encode(accept).decode("ascii") + + self.protocol = '' + protocols = headers.get('Sec-WebSocket-Protocol', '').split(',') + if protocols: + self.protocol = self.select_subprotocol(protocols) + # We are required to choose one of the protocols + # presented by the client + if self.protocol not in protocols: + raise Exception('Invalid protocol selected') + + self.send_response(101, "Switching Protocols") + self.send_header("Upgrade", "websocket") + self.send_header("Connection", "Upgrade") + self.send_header("Sec-WebSocket-Accept", accept) + + if self.protocol: + self.send_header("Sec-WebSocket-Protocol", self.protocol) + + self.end_headers() + + self._state = "flush" + + if self._state == "flush": + self._flush() + self._state = "done" + + return + + raise Exception("WebSocket is in an invalid state") + + def select_subprotocol(self, protocols): + """Returns which sub-protocol should be used. + + This method does not select any sub-protocol by default and is + meant to be overridden by an implementation that wishes to make + use of sub-protocols. It will be called during handling of + accept(). 
+ """ + return "" + + def handle_ping(self, data): + """Called when a WebSocket ping message is received. + + This will be called whilst processing recv()/recvmsg(). The + default implementation sends a pong reply back.""" + self.pong(data) + + def handle_pong(self, data): + """Called when a WebSocket pong message is received. + + This will be called whilst processing recv()/recvmsg(). The + default implementation does nothing.""" + pass + + def recv(self): + """Read data from the WebSocket. + + This will return any available data on the socket (which may + be the empty string if the peer sent an empty message or + messages). If the socket is closed then None will be + returned. The reason for the close is found in the + 'close_code' and 'close_reason' properties. + + Unlike recvmsg() this method may return data from more than one + WebSocket message. It is however not guaranteed to return all + buffered data. Callers should continue calling recv() whilst + pending() returns True. + + Both WebSocketWantReadError and WebSocketWantWriteError can be + raised when calling recv(). + """ + return self.recvmsg() + + def recvmsg(self): + """Read a single message from the WebSocket. + + This will return a single WebSocket message from the socket + (which will be the empty string if the peer sent an empty + message). If the socket is closed then None will be + returned. The reason for the close is found in the + 'close_code' and 'close_reason' properties. + + Unlike recv() this method will not return data from more than + one WebSocket message. Callers should continue calling + recvmsg() whilst pending() returns True. + + Both WebSocketWantReadError and WebSocketWantWriteError can be + raised when calling recvmsg(). + """ + # May have been called to flush out a close + if self._received_close: + self._flush() + return None + + # Anything already queued? 
+ if self.pending(): + return self._recvmsg() + # Note: If self._recvmsg() raised WebSocketWantReadError, + # we cannot proceed to self._recv() here as we may + # have already called it once as part of the caller's + # "while websock.pending():" loop + + # Nope, let's try to read a bit + if not self._recv_frames(): + return None + + # Anything queued now? + return self._recvmsg() + + def pending(self): + """Check if any WebSocket data is pending. + + This method will return True as long as there are WebSocket + frames that have yet been processed. A single recv() from the + underlying socket may return multiple WebSocket frames and it + is therefore important that a caller continues calling recv() + or recvmsg() as long as pending() returns True. + + Note that this function merely tells if there are raw WebSocket + frames pending. Those frames may not contain any application + data. + """ + return len(self._recv_queue) > 0 + + def send(self, bytes): + """Write data to the WebSocket + + This will queue the given data and attempt to send it to the + peer. Unlike sendmsg() this method might coalesce the data with + data from other calls, or split it over multiple messages. + + WebSocketWantWriteError can be raised if there is insufficient + space in the underlying socket. send() must be called again + once more space is available using the same arguments. + """ + if len(bytes) == 0: + return 0 + + return self.sendmsg(bytes) + + def sendmsg(self, msg): + """Write a single message to the WebSocket + + This will queue the given message and attempt to send it to the + peer. Unlike send() this method will preserve the data as a + single WebSocket message. + + WebSocketWantWriteError can be raised if there is insufficient + space in the underlying socket. sendmsg() must be called again + once more space is available using the same arguments. 
+ """ + if not isinstance(msg, bytes): + raise TypeError + + if self._sent_close: + return 0 + + if self._previous_sendmsg is not None: + if self._previous_sendmsg != msg: + raise ValueError + + self._flush() + self._previous_sendmsg = None + + return len(msg) + + try: + self._sendmsg(0x2, msg) + except WebSocketWantWriteError: + self._previous_sendmsg = msg + raise + + return len(msg) + + def send_response(self, code, message): + self._queue_str("HTTP/1.1 %d %s\r\n" % (code, message)) + + def send_header(self, keyword, value): + self._queue_str("%s: %s\r\n" % (keyword, value)) + + def end_headers(self): + self._queue_str("\r\n") + + def send_request(self, type, path): + self._queue_str("%s %s HTTP/1.1\r\n" % (type.upper(), path)) + + def ping(self, data=b''): + """Write a ping message to the WebSocket + + WebSocketWantWriteError can be raised if there is insufficient + space in the underlying socket. ping() must be called again once + more space is available using the same arguments. + """ + if not isinstance(data, bytes): + raise TypeError + + if self._previous_sendmsg is not None: + if self._previous_sendmsg != data: + raise ValueError + + self._flush() + self._previous_sendmsg = None + + return + + try: + self._sendmsg(0x9, data) + except WebSocketWantWriteError: + self._previous_sendmsg = data + raise + + def pong(self, data=b''): + """Write a pong message to the WebSocket + + WebSocketWantWriteError can be raised if there is insufficient + space in the underlying socket. pong() must be called again once + more space is available using the same arguments. 
+ """ + if not isinstance(data, bytes): + raise TypeError + + if self._previous_sendmsg is not None: + if self._previous_sendmsg != data: + raise ValueError + + self._flush() + self._previous_sendmsg = None + + return + + try: + self._sendmsg(0xA, data) + except WebSocketWantWriteError: + self._previous_sendmsg = data + raise + + def shutdown(self, how, code=1000, reason=None): + """Gracefully terminate the WebSocket connection. + + This will start the process to terminate the WebSocket + connection. The caller must continue to calling recv() or + recvmsg() after this function in order to wait for the peer to + acknowledge the close. Calls to send() and sendmsg() will be + ignored. + + WebSocketWantWriteError can be raised if there is insufficient + space in the underlying socket for the close message. shutdown() + must be called again once more space is available using the same + arguments. + + The how argument is currently ignored. + """ + + # Already closing? + if self._sent_close: + self._flush() + return + + # Special code to indicate that we closed the connection + if not self._received_close: + self.close_code = 1000 + self.close_reason = "Locally initiated close" + + self._sent_close = True + + msg = b'' + if code is not None: + msg += struct.pack(">H", code) + if reason is not None: + msg += reason.encode("UTF-8") + + self._sendmsg(0x8, msg) + + def close(self, code=1000, reason=None): + """Terminate the WebSocket connection immediately. + + This will close the WebSocket connection directly after sending + a close message to the peer. + + WebSocketWantWriteError can be raised if there is insufficient + space in the underlying socket for the close message. close() + must be called again once more space is available using the same + arguments. 
+ """ + self.shutdown(socket.SHUT_RDWR, code, reason) + self._close() + + def _recv(self): + # Fetches more data from the socket to the buffer + assert self.socket is not None + + while True: + try: + data = self.socket.recv(4096) + except OSError as exc: + if exc.errno == errno.EWOULDBLOCK: + raise WebSocketWantReadError + raise + + if len(data) == 0: + return False + + self._recv_buffer += data + + # Support for SSLSocket like objects + if hasattr(self.socket, "pending"): + if not self.socket.pending(): + break + else: + break + + return True + + def _recv_frames(self): + # Fetches more data and decodes the frames + if not self._recv(): + if self.close_code is None: + self.close_code = 1006 + self.close_reason = "Connection closed abnormally" + self._sent_close = self._received_close = True + self._close() + return False + + while True: + frame = self._decode_hybi(self._recv_buffer) + if frame is None: + break + self._recv_buffer = self._recv_buffer[frame['length']:] + self._recv_queue.append(frame) + + return True + + def _recvmsg(self): + # Process pending frames and returns any application data + while self._recv_queue: + frame = self._recv_queue.pop(0) + + if not self.client and not frame['masked']: + self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Frame not masked") + continue + if self.client and frame['masked']: + self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Frame masked") + continue + + if frame["opcode"] == 0x0: + if not self._partial_msg: + self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Unexpected continuation frame") + continue + + self._partial_msg += frame["payload"] + + if frame["fin"]: + msg = self._partial_msg + self._partial_msg = b'' + return msg + elif frame["opcode"] == 0x1: + self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Text frames are not supported") + elif frame["opcode"] == 0x2: + if self._partial_msg: + self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Unexpected new frame") + continue + + if 
frame["fin"]: + return frame["payload"] + else: + self._partial_msg = frame["payload"] + elif frame["opcode"] == 0x8: + if self._received_close: + continue + + self._received_close = True + + if self._sent_close: + self._close() + return None + + if not frame["fin"]: + self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Fragmented close") + continue + + code = None + reason = None + if len(frame["payload"]) >= 2: + code = struct.unpack(">H", frame["payload"][:2])[0] + if len(frame["payload"]) > 2: + reason = frame["payload"][2:] + try: + reason = reason.decode("UTF-8") + except UnicodeDecodeError: + self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Invalid UTF-8 in close") + continue + + if code is None: + self.close_code = 1005 + self.close_reason = "No close status code specified by peer" + else: + self.close_code = code + if reason is not None: + self.close_reason = reason + + self.shutdown(None, code, reason) + return None + elif frame["opcode"] == 0x9: + if not frame["fin"]: + self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Fragmented ping") + continue + + self.handle_ping(frame["payload"]) + elif frame["opcode"] == 0xA: + if not frame["fin"]: + self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Fragmented pong") + continue + + self.handle_pong(frame["payload"]) + else: + self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Unknown opcode 0x%02x" % frame["opcode"]) + + raise WebSocketWantReadError + + def _flush(self): + # Writes pending data to the socket + if not self._send_buffer: + return + + assert self.socket is not None + + try: + sent = self.socket.send(self._send_buffer) + except OSError as exc: + if exc.errno == errno.EWOULDBLOCK: + raise WebSocketWantWriteError + raise + + self._send_buffer = self._send_buffer[sent:] + + if self._send_buffer: + raise WebSocketWantWriteError + + # We had a pending close and we've flushed the buffer, + # time to end things + if self._received_close and self._sent_close: + self._close() + + def _send(self, 
data): + # Queues data and attempts to send it + self._send_buffer += data + self._flush() + + def _queue_str(self, string): + # Queue some data to be sent later. + # Only used by the connecting methods. + self._send_buffer += string.encode("latin-1") + + def _sendmsg(self, opcode, msg): + # Sends a standard data message + if self.client: + mask = b'' + for i in range(4): + mask += random.randrange(256).to_bytes() + frame = self._encode_hybi(opcode, msg, mask) + else: + frame = self._encode_hybi(opcode, msg) + + return self._send(frame) + + def _close(self): + # Close the underlying socket + self.socket.close() + self.socket = None + + def _mask(self, buf, mask): + # Mask a frame + return self._unmask(buf, mask) + + def _unmask(self, buf, mask): + # Unmask a frame + if numpy: + plen = len(buf) + pstart = 0 + pend = plen + b = c = b'' + if plen >= 4: + dtype=numpy.dtype('') + mask = numpy.frombuffer(mask, dtype, count=1) + data = numpy.frombuffer(buf, dtype, count=int(plen / 4)) + #b = numpy.bitwise_xor(data, mask).data + b = numpy.bitwise_xor(data, mask).tobytes() + + if plen % 4: + dtype=numpy.dtype('B') + if sys.byteorder == 'big': + dtype = dtype.newbyteorder('>') + mask = numpy.frombuffer(mask, dtype, count=(plen % 4)) + data = numpy.frombuffer(buf, dtype, + offset=plen - (plen % 4), count=(plen % 4)) + c = numpy.bitwise_xor(data, mask).tobytes() + return b + c + else: + # Slower fallback + data = array.array('B') + data.frombytes(buf) + for i in range(len(data)): + data[i] ^= mask[i % 4] + return data.tobytes() + + def _encode_hybi(self, opcode, buf, mask_key=None, fin=True): + """ Encode a HyBi style WebSocket frame. 
+ Optional opcode: + 0x0 - continuation + 0x1 - text frame + 0x2 - binary frame + 0x8 - connection close + 0x9 - ping + 0xA - pong + """ + + b1 = opcode & 0x0f + if fin: + b1 |= 0x80 + + mask_bit = 0 + if mask_key is not None: + mask_bit = 0x80 + buf = self._mask(buf, mask_key) + + payload_len = len(buf) + if payload_len <= 125: + header = struct.pack('>BB', b1, payload_len | mask_bit) + elif payload_len > 125 and payload_len < 65536: + header = struct.pack('>BBH', b1, 126 | mask_bit, payload_len) + elif payload_len >= 65536: + header = struct.pack('>BBQ', b1, 127 | mask_bit, payload_len) + + if mask_key is not None: + return header + mask_key + buf + else: + return header + buf + + def _decode_hybi(self, buf): + """ Decode HyBi style WebSocket packets. + Returns: + {'fin' : boolean, + 'opcode' : number, + 'masked' : boolean, + 'length' : encoded_length, + 'payload' : decoded_buffer} + """ + + f = {'fin' : 0, + 'opcode' : 0, + 'masked' : False, + 'length' : 0, + 'payload' : None} + + blen = len(buf) + hlen = 2 + + if blen < hlen: + return None + + b1, b2 = struct.unpack(">BB", buf[:2]) + f['opcode'] = b1 & 0x0f + f['fin'] = not not (b1 & 0x80) + f['masked'] = not not (b2 & 0x80) + + if f['masked']: + hlen += 4 + if blen < hlen: + return None + + length = b2 & 0x7f + + if length == 126: + hlen += 2 + if blen < hlen: + return None + length, = struct.unpack('>H', buf[2:4]) + elif length == 127: + hlen += 8 + if blen < hlen: + return None + length, = struct.unpack('>Q', buf[2:10]) + + f['length'] = hlen + length + + if blen < f['length']: + return None + + if f['masked']: + # unmask payload + mask_key = buf[hlen-4:hlen] + f['payload'] = self._unmask(buf[hlen:(hlen+length)], mask_key) + else: + f['payload'] = buf[hlen:(hlen+length)] + + return f + diff --git a/base/app/novnc/utils/websockify/websockify/websocketproxy.py b/base/app/novnc/utils/websockify/websockify/websocketproxy.py new file mode 100644 index 0000000..b6f103c --- /dev/null 
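Review bot: In `connect()`, `self.socket = ssl.wrap_socket(self.socket)` establishes a `wss` session with no certificate or hostname verification (the module-level function defaults to `CERT_NONE`), and `ssl.wrap_socket` no longer exists in Python 3.12, so the `wss` branch fails outright there. Replace it with a verifying context: `ctx = ssl.create_default_context()` followed by `self.socket = ctx.wrap_socket(self.socket, server_hostname=uri.hostname)`, which checks the server certificate against the system trust store and validates the hostname. A related point in `_sendmsg`: the client masking key is built from `random.randrange(256).to_bytes()`, but RFC 6455 §5.3 requires the masking key to come from a strong entropy source, and the argument-less `int.to_bytes()` only works on Python 3.11+; `mask = os.urandom(4)` (with `import os` added to the module imports) addresses both. The stray debug `print(type(headers))` in the response handling of `connect()` should also be removed.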
+++ b/base/app/novnc/utils/websockify/websockify/websocketproxy.py 
@@ -0,0 +1,800 @@ +#!/usr/bin/env python + +''' +A WebSocket to TCP socket proxy with support for "wss://" encryption. +Copyright 2011 Joel Martin +Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) + +You can make a cert/key with openssl using: +openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem +as taken from http://docs.python.org/dev/library/ssl.html#certificates + +''' + +import signal, socket, optparse, time, os, sys, subprocess, logging, errno, ssl, stat +from socketserver import ThreadingMixIn +from http.server import HTTPServer + +import select +from websockify import websockifyserver +from websockify import auth_plugins as auth +from urllib.parse import parse_qs, urlparse + +class ProxyRequestHandler(websockifyserver.WebSockifyRequestHandler): + + buffer_size = 65536 + + traffic_legend = """ +Traffic Legend: + } - Client receive + }. - Client receive partial + { - Target receive + + > - Target send + >. - Target send partial + < - Client send + <. - Client send partial +""" + + def send_auth_error(self, ex): + self.send_response(ex.code, ex.msg) + self.send_header('Content-Type', 'text/html') + for name, val in ex.headers.items(): + self.send_header(name, val) + + self.end_headers() + + def validate_connection(self): + if not self.server.token_plugin: + return + + host, port = self.get_target(self.server.token_plugin) + if host == 'unix_socket': + self.server.unix_target = port + + else: + self.server.target_host = host + self.server.target_port = port + + def auth_connection(self): + if not self.server.auth_plugin: + return + + try: + # get client certificate data + client_cert_data = self.request.getpeercert() + # extract subject information + client_cert_subject = client_cert_data['subject'] + # flatten data structure + client_cert_subject = dict([x[0] for x in client_cert_subject]) + # add common name to headers (apache +StdEnvVars style) + self.headers['SSL_CLIENT_S_DN_CN'] = client_cert_subject['commonName'] + except 
(TypeError, AttributeError, KeyError): + # not a SSL connection or client presented no certificate with valid data + pass + + try: + self.server.auth_plugin.authenticate( + headers=self.headers, target_host=self.server.target_host, + target_port=self.server.target_port) + except auth.AuthenticationError: + ex = sys.exc_info()[1] + self.send_auth_error(ex) + raise + + def new_websocket_client(self): + """ + Called after a new WebSocket connection has been established. + """ + # Checking for a token is done in validate_connection() + + # Connect to the target + if self.server.wrap_cmd: + msg = "connecting to command: '%s' (port %s)" % (" ".join(self.server.wrap_cmd), self.server.target_port) + elif self.server.unix_target: + msg = "connecting to unix socket: %s" % self.server.unix_target + else: + msg = "connecting to: %s:%s" % ( + self.server.target_host, self.server.target_port) + + if self.server.ssl_target: + msg += " (using SSL)" + self.log_message(msg) + + try: + tsock = websockifyserver.WebSockifyServer.socket(self.server.target_host, + self.server.target_port, + connect=True, + use_ssl=self.server.ssl_target, + unix_socket=self.server.unix_target) + except Exception as e: + self.log_message("Failed to connect to %s:%s: %s", + self.server.target_host, self.server.target_port, e) + raise self.CClose(1011, "Failed to connect to downstream server") + + # Option unavailable when listening to unix socket + if not self.server.unix_listen: + self.request.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, 1) + if not self.server.wrap_cmd and not self.server.unix_target: + tsock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, 1) + + self.print_traffic(self.traffic_legend) + + # Start proxying + try: + self.do_proxy(tsock) + finally: + if tsock: + tsock.shutdown(socket.SHUT_RDWR) + tsock.close() + if self.verbose: + self.log_message("%s:%s: Closed target", + self.server.target_host, self.server.target_port) + + def get_target(self, target_plugin): + """ + Gets a token from 
either the path or the host, + depending on --host-token, and looks up a target + for that token using the token plugin. Used by + validate_connection() to set target_host and target_port. + """ + # The files in targets contain the lines + # in the form of token: host:port + + if self.host_token: + # Use hostname as token + token = self.headers.get('Host') + + # Remove port from hostname, as it'll always be the one where + # websockify listens (unless something between the client and + # websockify is redirecting traffic, but that's beside the point) + if token: + token = token.partition(':')[0] + + else: + # Extract the token parameter from url + args = parse_qs(urlparse(self.path)[4]) # 4 is the query from url + + if 'token' in args and len(args['token']): + token = args['token'][0].rstrip('\n') + else: + token = None + + if token is None: + raise self.server.EClose("Token not present") + + result_pair = target_plugin.lookup(token) + + if result_pair is not None: + return result_pair + else: + raise self.server.EClose("Token '%s' not found" % token) + + def do_proxy(self, target): + """ + Proxy client WebSocket to normal target socket. 
+ """ + cqueue = [] + c_pend = 0 + tqueue = [] + rlist = [self.request, target] + + if self.server.heartbeat: + now = time.time() + self.heartbeat = now + self.server.heartbeat + else: + self.heartbeat = None + + while True: + wlist = [] + + if self.heartbeat is not None: + now = time.time() + if now > self.heartbeat: + self.heartbeat = now + self.server.heartbeat + self.send_ping() + + if tqueue: wlist.append(target) + if cqueue or c_pend: wlist.append(self.request) + try: + ins, outs, excepts = select.select(rlist, wlist, [], 1) + except (select.error, OSError): + exc = sys.exc_info()[1] + if hasattr(exc, 'errno'): + err = exc.errno + else: + err = exc[0] + + if err != errno.EINTR: + raise + else: + continue + + if excepts: raise Exception("Socket exception") + + if self.request in outs: + # Send queued target data to the client + c_pend = self.send_frames(cqueue) + + cqueue = [] + + if self.request in ins: + # Receive client data, decode it, and queue for target + bufs, closed = self.recv_frames() + tqueue.extend(bufs) + + if closed: + + while (len(tqueue) != 0): + # Send queued client data to the target + dat = tqueue.pop(0) + sent = target.send(dat) + if sent == len(dat): + self.print_traffic(">") + else: + # requeue the remaining data + tqueue.insert(0, dat[sent:]) + self.print_traffic(".>") + + # TODO: What about blocking on client socket? 
+ if self.verbose: + self.log_message("%s:%s: Client closed connection", + self.server.target_host, self.server.target_port) + raise self.CClose(closed['code'], closed['reason']) + + + if target in outs: + # Send queued client data to the target + dat = tqueue.pop(0) + sent = target.send(dat) + if sent == len(dat): + self.print_traffic(">") + else: + # requeue the remaining data + tqueue.insert(0, dat[sent:]) + self.print_traffic(".>") + + + if target in ins: + # Receive target data, encode it and queue for client + buf = target.recv(self.buffer_size) + if len(buf) == 0: + + # Target socket closed, flushing queues and closing client-side websocket + # Send queued target data to the client + if len(cqueue) != 0: + c_pend = True + while(c_pend): + c_pend = self.send_frames(cqueue) + + cqueue = [] + + if self.verbose: + self.log_message("%s:%s: Target closed connection", + self.server.target_host, self.server.target_port) + raise self.CClose(1000, "Target closed") + + cqueue.append(buf) + self.print_traffic("{") + +class WebSocketProxy(websockifyserver.WebSockifyServer): + """ + Proxy traffic to and from a WebSockets client to a normal TCP + socket server target. 
+ """ + + buffer_size = 65536 + + def __init__(self, RequestHandlerClass=ProxyRequestHandler, *args, **kwargs): + # Save off proxy specific options + self.target_host = kwargs.pop('target_host', None) + self.target_port = kwargs.pop('target_port', None) + self.wrap_cmd = kwargs.pop('wrap_cmd', None) + self.wrap_mode = kwargs.pop('wrap_mode', None) + self.unix_target = kwargs.pop('unix_target', None) + self.ssl_target = kwargs.pop('ssl_target', None) + self.heartbeat = kwargs.pop('heartbeat', None) + + self.token_plugin = kwargs.pop('token_plugin', None) + self.host_token = kwargs.pop('host_token', None) + self.auth_plugin = kwargs.pop('auth_plugin', None) + + # Last 3 timestamps command was run + self.wrap_times = [0, 0, 0] + + if self.wrap_cmd: + wsdir = os.path.dirname(sys.argv[0]) + rebinder_path = [os.path.join(wsdir, "..", "lib"), + os.path.join(wsdir, "..", "lib", "websockify"), + os.path.join(wsdir, ".."), + wsdir] + self.rebinder = None + + for rdir in rebinder_path: + rpath = os.path.join(rdir, "rebind.so") + if os.path.exists(rpath): + self.rebinder = rpath + break + + if not self.rebinder: + raise Exception("rebind.so not found, perhaps you need to run make") + self.rebinder = os.path.abspath(self.rebinder) + + self.target_host = "127.0.0.1" # Loopback + # Find a free high port + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.bind(('', 0)) + self.target_port = sock.getsockname()[1] + sock.close() + + # Insert rebinder at the head of the (possibly empty) LD_PRELOAD pathlist + ld_preloads = filter(None, [ self.rebinder, os.environ.get("LD_PRELOAD", None) ]) + + os.environ.update({ + "LD_PRELOAD": os.pathsep.join(ld_preloads), + "REBIND_OLD_PORT": str(kwargs['listen_port']), + "REBIND_NEW_PORT": str(self.target_port)}) + + super().__init__(RequestHandlerClass, *args, **kwargs) + + def run_wrap_cmd(self): + self.msg("Starting '%s'", " ".join(self.wrap_cmd)) + self.wrap_times.append(time.time()) + self.wrap_times.pop(0) + self.cmd = 
subprocess.Popen( + self.wrap_cmd, env=os.environ, preexec_fn=_subprocess_setup) + self.spawn_message = True + + def started(self): + """ + Called after Websockets server startup (i.e. after daemonize) + """ + # Need to call wrapped command after daemonization so we can + # know when the wrapped command exits + if self.wrap_cmd: + dst_string = "'%s' (port %s)" % (" ".join(self.wrap_cmd), self.target_port) + elif self.unix_target: + dst_string = self.unix_target + else: + dst_string = "%s:%s" % (self.target_host, self.target_port) + + if self.listen_fd != None: + src_string = "inetd" + else: + src_string = "%s:%s" % (self.listen_host, self.listen_port) + + if self.token_plugin: + msg = " - proxying from %s to targets generated by %s" % ( + src_string, type(self.token_plugin).__name__) + else: + msg = " - proxying from %s to %s" % ( + src_string, dst_string) + + if self.ssl_target: + msg += " (using SSL)" + + self.msg("%s", msg) + + if self.wrap_cmd: + self.run_wrap_cmd() + + def poll(self): + # If we are wrapping a command, check it's status + + if self.wrap_cmd and self.cmd: + ret = self.cmd.poll() + if ret != None: + self.vmsg("Wrapped command exited (or daemon). Returned %s" % ret) + self.cmd = None + + if self.wrap_cmd and self.cmd == None: + # Response to wrapped command being gone + if self.wrap_mode == "ignore": + pass + elif self.wrap_mode == "exit": + sys.exit(ret) + elif self.wrap_mode == "respawn": + now = time.time() + avg = sum(self.wrap_times)/len(self.wrap_times) + if (now - avg) < 10: + # 3 times in the last 10 seconds + if self.spawn_message: + self.warn("Command respawning too fast") + self.spawn_message = False + else: + self.run_wrap_cmd() + + +def _subprocess_setup(): + # Python installs a SIGPIPE handler by default. This is usually not what + # non-Python successfulbprocesses expect. 
+ signal.signal(signal.SIGPIPE, signal.SIG_DFL) + + +SSL_OPTIONS = { + 'default': ssl.OP_ALL, + 'tlsv1_1': ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | + ssl.OP_NO_TLSv1, + 'tlsv1_2': ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | + ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1, + 'tlsv1_3': ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | + ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2, +} + +def select_ssl_version(version): + """Returns SSL options for the most secure TSL version available on this + Python version""" + if version in SSL_OPTIONS: + return SSL_OPTIONS[version] + else: + # It so happens that version names sorted lexicographically form a list + # from the least to the most secure + keys = list(SSL_OPTIONS.keys()) + keys.sort() + fallback = keys[-1] + logger = logging.getLogger(WebSocketProxy.log_prefix) + logger.warn("TLS version %s unsupported. Falling back to %s", + version, fallback) + + return SSL_OPTIONS[fallback] + +def websockify_init(): + # Setup basic logging to stderr. + stderr_handler = logging.StreamHandler() + stderr_handler.setLevel(logging.DEBUG) + log_formatter = logging.Formatter("%(message)s") + stderr_handler.setFormatter(log_formatter) + root = logging.getLogger() + root.addHandler(stderr_handler) + root.setLevel(logging.INFO) + + # Setup optparse. 
+ usage = "\n %prog [options]" + usage += " [source_addr:]source_port target_addr:target_port" + usage += "\n %prog [options]" + usage += " --token-plugin=CLASS [source_addr:]source_port" + usage += "\n %prog [options]" + usage += " --unix-target=FILE [source_addr:]source_port" + usage += "\n %prog [options]" + usage += " [source_addr:]source_port -- WRAP_COMMAND_LINE" + parser = optparse.OptionParser(usage=usage) + parser.add_option("--verbose", "-v", action="store_true", + help="verbose messages") + parser.add_option("--traffic", action="store_true", + help="per frame traffic") + parser.add_option("--record", + help="record sessions to FILE.[session_number]", metavar="FILE") + parser.add_option("--daemon", "-D", + dest="daemon", action="store_true", + help="become a daemon (background process)") + parser.add_option("--run-once", action="store_true", + help="handle a single WebSocket connection and exit") + parser.add_option("--timeout", type=int, default=0, + help="after TIMEOUT seconds exit when not connected") + parser.add_option("--idle-timeout", type=int, default=0, + help="server exits after TIMEOUT seconds if there are no " + "active connections") + parser.add_option("--cert", default="self.pem", + help="SSL certificate file") + parser.add_option("--key", default=None, + help="SSL key file (if separate from cert)") + parser.add_option("--key-password", default=None, + help="SSL key password") + parser.add_option("--ssl-only", action="store_true", + help="disallow non-encrypted client connections") + parser.add_option("--ssl-target", action="store_true", + help="connect to SSL target as SSL client") + parser.add_option("--verify-client", action="store_true", + help="require encrypted client to present a valid certificate " + "(needs Python 2.7.9 or newer or Python 3.4 or newer)") + parser.add_option("--cafile", metavar="FILE", + help="file of concatenated certificates of authorities trusted " + "for validating clients (only effective with --verify-client). 
" + "If omitted, system default list of CAs is used.") + parser.add_option("--ssl-version", type="choice", default="default", + choices=["default", "tlsv1_1", "tlsv1_2", "tlsv1_3"], action="store", + help="minimum TLS version to use (default, tlsv1_1, tlsv1_2, tlsv1_3)") + parser.add_option("--ssl-ciphers", action="store", + help="list of ciphers allowed for connection. For a list of " + "supported ciphers run `openssl ciphers`") + parser.add_option("--unix-listen", + help="listen to unix socket", metavar="FILE", default=None) + parser.add_option("--unix-listen-mode", default=None, + help="specify mode for unix socket (defaults to 0600)") + parser.add_option("--unix-target", + help="connect to unix socket target", metavar="FILE") + parser.add_option("--inetd", + help="inetd mode, receive listening socket from stdin", action="store_true") + parser.add_option("--web", default=None, metavar="DIR", + help="run webserver on same port. Serve files from DIR.") + parser.add_option("--web-auth", action="store_true", + help="require authentication to access webserver.") + parser.add_option("--wrap-mode", default="exit", metavar="MODE", + choices=["exit", "ignore", "respawn"], + help="action to take when the wrapped program exits " + "or daemonizes: exit (default), ignore, respawn") + parser.add_option("--prefer-ipv6", "-6", + action="store_true", dest="source_is_ipv6", + help="prefer IPv6 when resolving source_addr") + parser.add_option("--libserver", action="store_true", + help="use Python library SocketServer engine") + parser.add_option("--target-config", metavar="FILE", + dest="target_cfg", + help="Configuration file containing valid targets " + "in the form 'token: host:port' or, alternatively, a " + "directory containing configuration files of this form " + "(DEPRECATED: use `--token-plugin TokenFile --token-source " + " path/to/token/file` instead)") + parser.add_option("--token-plugin", default=None, metavar="CLASS", + help="use a Python class, usually one from 
websockify.token_plugins, " + "such as TokenFile, to process tokens into host:port pairs") + parser.add_option("--token-source", default=None, metavar="ARG", + help="an argument to be passed to the token plugin " + "on instantiation") + parser.add_option("--host-token", action="store_true", + help="use the host HTTP header as token instead of the " + "token URL query parameter") + parser.add_option("--auth-plugin", default=None, metavar="CLASS", + help="use a Python class, usually one from websockify.auth_plugins, " + "such as BasicHTTPAuth, to determine if a connection is allowed") + parser.add_option("--auth-source", default=None, metavar="ARG", + help="an argument to be passed to the auth plugin " + "on instantiation") + parser.add_option("--heartbeat", type=int, default=0, metavar="INTERVAL", + help="send a ping to the client every INTERVAL seconds") + parser.add_option("--log-file", metavar="FILE", + dest="log_file", + help="File where logs will be saved") + parser.add_option("--syslog", default=None, metavar="SERVER", + help="Log to syslog server. SERVER can be local socket, " + "such as /dev/log, or a UDP host:port pair.") + parser.add_option("--legacy-syslog", action="store_true", + help="Use the old syslog protocol instead of RFC 5424. " + "Use this if the messages produced by websockify seem abnormal.") + parser.add_option("--file-only", action="store_true", + help="use this to disable directory listings in web server.") + + (opts, args) = parser.parse_args() + + + # Validate options. 
+ + if opts.token_source and not opts.token_plugin: + parser.error("You must use --token-plugin to use --token-source") + + if opts.host_token and not opts.token_plugin: + parser.error("You must use --token-plugin to use --host-token") + + if opts.auth_source and not opts.auth_plugin: + parser.error("You must use --auth-plugin to use --auth-source") + + if opts.web_auth and not opts.auth_plugin: + parser.error("You must use --auth-plugin to use --web-auth") + + if opts.web_auth and not opts.web: + parser.error("You must use --web to use --web-auth") + + if opts.legacy_syslog and not opts.syslog: + parser.error("You must use --syslog to use --legacy-syslog") + + + opts.ssl_options = select_ssl_version(opts.ssl_version) + del opts.ssl_version + + + if opts.log_file: + # Setup logging to user-specified file. + opts.log_file = os.path.abspath(opts.log_file) + log_file_handler = logging.FileHandler(opts.log_file) + log_file_handler.setLevel(logging.DEBUG) + log_file_handler.setFormatter(log_formatter) + root = logging.getLogger() + root.addHandler(log_file_handler) + + del opts.log_file + + if opts.syslog: + # Determine how to connect to syslog... + if opts.syslog.count(':'): + # User supplied a host:port pair. + syslog_host, syslog_port = opts.syslog.rsplit(':', 1) + try: + syslog_port = int(syslog_port) + except ValueError: + parser.error("Error parsing syslog port") + syslog_dest = (syslog_host, syslog_port) + else: + # User supplied a local socket file. + syslog_dest = os.path.abspath(opts.syslog) + + from websockify.sysloghandler import WebsockifySysLogHandler + + # Determine syslog facility. + if opts.daemon: + syslog_facility = WebsockifySysLogHandler.LOG_DAEMON + else: + syslog_facility = WebsockifySysLogHandler.LOG_USER + + # Start logging to syslog. 
+ syslog_handler = WebsockifySysLogHandler(address=syslog_dest, + facility=syslog_facility, + ident='websockify', + legacy=opts.legacy_syslog) + syslog_handler.setLevel(logging.DEBUG) + syslog_handler.setFormatter(log_formatter) + root = logging.getLogger() + root.addHandler(syslog_handler) + + del opts.syslog + del opts.legacy_syslog + + if opts.verbose: + root = logging.getLogger() + root.setLevel(logging.DEBUG) + + + # Transform to absolute path as daemon may chdir + if opts.target_cfg: + opts.target_cfg = os.path.abspath(opts.target_cfg) + + if opts.target_cfg: + opts.token_plugin = 'TokenFile' + opts.token_source = opts.target_cfg + + del opts.target_cfg + + if sys.argv.count('--'): + opts.wrap_cmd = args[1:] + else: + opts.wrap_cmd = None + + if not websockifyserver.ssl and opts.ssl_target: + parser.error("SSL target requested and Python SSL module not loaded."); + + if opts.ssl_only and not os.path.exists(opts.cert): + parser.error("SSL only and %s not found" % opts.cert) + + if opts.inetd: + opts.listen_fd = sys.stdin.fileno() + elif opts.unix_listen: + if opts.unix_listen_mode: + try: + # Parse octal notation (like 750) + opts.unix_listen_mode = int(opts.unix_listen_mode, 8) + except ValueError: + parser.error("Error parsing listen unix socket mode") + else: + # Default to 0600 (Owner Read/Write) + opts.unix_listen_mode = stat.S_IREAD | stat.S_IWRITE + else: + if len(args) < 1: + parser.error("Too few arguments") + arg = args.pop(0) + # Parse host:port and convert ports to numbers + if arg.count(':') > 0: + opts.listen_host, opts.listen_port = arg.rsplit(':', 1) + opts.listen_host = opts.listen_host.strip('[]') + else: + opts.listen_host, opts.listen_port = '', arg + + try: + opts.listen_port = int(opts.listen_port) + except ValueError: + parser.error("Error parsing listen port") + + del opts.inetd + + if opts.wrap_cmd or opts.unix_target or opts.token_plugin: + opts.target_host = None + opts.target_port = None + else: + if len(args) < 1: + 
parser.error("Too few arguments") + arg = args.pop(0) + if arg.count(':') > 0: + opts.target_host, opts.target_port = arg.rsplit(':', 1) + opts.target_host = opts.target_host.strip('[]') + else: + parser.error("Error parsing target") + + try: + opts.target_port = int(opts.target_port) + except ValueError: + parser.error("Error parsing target port") + + if len(args) > 0 and opts.wrap_cmd == None: + parser.error("Too many arguments") + + if opts.token_plugin is not None: + if '.' not in opts.token_plugin: + opts.token_plugin = ( + 'websockify.token_plugins.%s' % opts.token_plugin) + + token_plugin_module, token_plugin_cls = opts.token_plugin.rsplit('.', 1) + + __import__(token_plugin_module) + token_plugin_cls = getattr(sys.modules[token_plugin_module], token_plugin_cls) + + opts.token_plugin = token_plugin_cls(opts.token_source) + + del opts.token_source + + if opts.auth_plugin is not None: + if '.' not in opts.auth_plugin: + opts.auth_plugin = 'websockify.auth_plugins.%s' % opts.auth_plugin + + auth_plugin_module, auth_plugin_cls = opts.auth_plugin.rsplit('.', 1) + + __import__(auth_plugin_module) + auth_plugin_cls = getattr(sys.modules[auth_plugin_module], auth_plugin_cls) + + opts.auth_plugin = auth_plugin_cls(opts.auth_source) + + del opts.auth_source + + # Create and start the WebSockets proxy + libserver = opts.libserver + del opts.libserver + if libserver: + # Use standard Python SocketServer framework + server = LibProxyServer(**opts.__dict__) + server.serve_forever() + else: + # Use internal service framework + server = WebSocketProxy(**opts.__dict__) + server.start_server() + + +class LibProxyServer(ThreadingMixIn, HTTPServer): + """ + Just like WebSocketProxy, but uses standard Python SocketServer + framework. 
+ """
+
+ def __init__(self, RequestHandlerClass=ProxyRequestHandler, **kwargs):
+ # Save off proxy specific options
+ self.target_host = kwargs.pop('target_host', None)
+ self.target_port = kwargs.pop('target_port', None)
+ self.wrap_cmd = kwargs.pop('wrap_cmd', None)
+ self.wrap_mode = kwargs.pop('wrap_mode', None)
+ self.unix_target = kwargs.pop('unix_target', None)
+ self.ssl_target = kwargs.pop('ssl_target', None)
+ self.token_plugin = kwargs.pop('token_plugin', None)
+ self.auth_plugin = kwargs.pop('auth_plugin', None)
+ self.heartbeat = kwargs.pop('heartbeat', None)
+
+ self.token_plugin = None
+ self.auth_plugin = None
+ self.daemon = False
+
+ # Server configuration
+ listen_host = kwargs.pop('listen_host', '')
+ listen_port = kwargs.pop('listen_port', None)
+ web = kwargs.pop('web', '')
+
+ # Configuration affecting base request handler
+ self.only_upgrade = not web
+ self.verbose = kwargs.pop('verbose', False)
+ record = kwargs.pop('record', '')
+ if record:
+ self.record = os.path.abspath(record)
+ self.run_once = kwargs.pop('run_once', False)
+ self.handler_id = 0
+
+ for arg in kwargs.keys():
+ print("warning: option %s ignored when using --libserver" % arg)
+
+ if web:
+ os.chdir(web)
+
+ super().__init__((listen_host, listen_port), RequestHandlerClass)
+
+
+ def process_request(self, request, client_address):
+ """Override process_request to implement a counter"""
+ self.handler_id += 1
+ super().process_request(request, client_address)
+
+
+if __name__ == '__main__':
+ websockify_init()
diff --git a/base/app/novnc/utils/websockify/websockify/websocketserver.py b/base/app/novnc/utils/websockify/websockify/websocketserver.py
new file mode 100644
index 0000000..4e62f2e
--- /dev/null
+++ b/base/app/novnc/utils/websockify/websockify/websocketserver.py
@@ -0,0 +1,110 @@
+#!/usr/bin/env python
+
+ '''
+Python WebSocket server base
+Copyright 2011 Joel Martin
+Copyright 2016-2018 Pierre Ossman
+Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3)
+'''
+
+import sys
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+from websockify.websocket import WebSocket, WebSocketWantReadError, WebSocketWantWriteError
+
+class HttpWebSocket(WebSocket):
+ """Class to glue websocket and http request functionality together"""
+ def __init__(self, request_handler):
+ super().__init__()
+
+ self.request_handler = request_handler
+
+ def send_response(self, code, message=None):
+ self.request_handler.send_response(code, message)
+
+ def send_header(self, keyword, value):
+ self.request_handler.send_header(keyword, value)
+
+ def end_headers(self):
+ self.request_handler.end_headers()
+
+
+class WebSocketRequestHandlerMixIn:
+ """WebSocket request handler mix-in class
+
+ This class modifies and existing request handler to handle
+ WebSocket requests. The request handler will continue to function
+ as before, except that WebSocket requests are intercepted and the
+ methods handle_upgrade() and handle_websocket() are called. The
+ standard do_GET() will be called for normal requests.
+
+ The class instance SocketClass can be overridden with the class to
+ use for the WebSocket connection.
+ """
+
+ SocketClass = HttpWebSocket
+
+ def handle_one_request(self):
+ """Extended request handler
+
+ This is where WebSocketRequestHandler redirects requests to the
+ new methods. Any sub-classes must call this method in order for
+ the calls to function.
+ """
+ self._real_do_GET = self.do_GET
+ self.do_GET = self._websocket_do_GET
+ try:
+ super().handle_one_request()
+ finally:
+ self.do_GET = self._real_do_GET
+
+ def _websocket_do_GET(self):
+ # Checks if it is a websocket request and redirects
+ self.do_GET = self._real_do_GET
+
+ if (self.headers.get('upgrade') and
+ self.headers.get('upgrade').lower() == 'websocket'):
+ self.handle_upgrade()
+ else:
+ self.do_GET()
+
+ def handle_upgrade(self):
+ """Initial handler for a WebSocket request
+
+ This method is called when a WebSocket is requested. By default
+ it will create a WebSocket object and perform the negotiation.
+ The WebSocket object will then replace the request object and
+ handle_websocket() will be called.
+ """
+ websocket = self.SocketClass(self)
+ try:
+ websocket.accept(self.request, self.headers)
+ except Exception:
+ exc = sys.exc_info()[1]
+ self.send_error(400, str(exc))
+ return
+
+ self.request = websocket
+
+ # Other requests cannot follow Websocket data
+ self.close_connection = True
+
+ self.handle_websocket()
+
+ def handle_websocket(self):
+ """Handle a WebSocket connection.
+
+ This is called when the WebSocket is ready to be used. A
+ sub-class should perform the necessary communication here and
+ return once done.
+ """
+ pass
+
+# Convenient ready made classes
+
+class WebSocketRequestHandler(WebSocketRequestHandlerMixIn,
+ BaseHTTPRequestHandler):
+ pass
+
+class WebSocketServer(HTTPServer):
+ pass
diff --git a/base/app/novnc/utils/websockify/websockify/websockifyserver.py b/base/app/novnc/utils/websockify/websockify/websockifyserver.py
new file mode 100644
index 0000000..74f9f53
--- /dev/null
+++ b/base/app/novnc/utils/websockify/websockify/websockifyserver.py
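Review bot: In `handle_upgrade`, the failed-handshake path hands the raw exception text to the remote client via `self.send_error(400, str(exc))`; whatever `accept()` raises (its body is outside this hunk) is echoed verbatim into the HTTP response, so library error strings and other internal detail can reach a peer that has not yet completed the upgrade. Logging the detail server-side and sending a fixed message keeps the diagnostic without the disclosure: `except Exception as exc:` / `self.log_error("WebSocket handshake failed: %s", exc)` / `self.send_error(400, "Bad WebSocket handshake")`. Writing `except Exception as exc:` also removes the `sys.exc_info()[1]` lookup, which is the only use of the `sys` import in this file. Separately, `_websocket_do_GET` routes on the `Upgrade` header alone; if `accept()` does not itself require `Connection: Upgrade`, that check belongs here as well.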
@@ -0,0 +1,862 @@ +#!/usr/bin/env python + +''' +Python WebSocket server base with support for "wss://" encryption. +Copyright 2011 Joel Martin +Copyright 2016 Pierre Ossman +Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) + +You can make a cert/key with openssl using: +openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem +as taken from http://docs.python.org/dev/library/ssl.html#certificates + +''' + +import os, sys, time, errno, signal, socket, select, logging +import multiprocessing +from http.server import SimpleHTTPRequestHandler + +# Degraded functionality if these imports are missing +for mod, msg in [('ssl', 'TLS/SSL/wss is disabled'), + ('resource', 'daemonizing is disabled')]: + try: + globals()[mod] = __import__(mod) + except ImportError: + globals()[mod] = None + print("WARNING: no '%s' module, %s" % (mod, msg)) + +if sys.platform == 'win32': + # make sockets pickle-able/inheritable + import multiprocessing.reduction + +from websockify.websocket import WebSocketWantReadError, WebSocketWantWriteError +from websockify.websocketserver import WebSocketRequestHandlerMixIn + +class CompatibleWebSocket(WebSocketRequestHandlerMixIn.SocketClass): + def select_subprotocol(self, protocols): + # Handle old websockify clients that still specify a sub-protocol + if 'binary' in protocols: + return 'binary' + else: + return '' + +# HTTP handler with WebSocket upgrade support +class WebSockifyRequestHandler(WebSocketRequestHandlerMixIn, SimpleHTTPRequestHandler): + """ + WebSocket Request Handler Class, derived from SimpleHTTPRequestHandler. + Must be sub-classed with new_websocket_client method definition. + The request handler can be configured by setting optional + attributes on the server object: + + * only_upgrade: If true, SimpleHTTPRequestHandler will not be enabled, + only websocket is allowed. + * verbose: If true, verbose logging is activated. 
+ * daemon: Running as daemon, do not write to console etc + * record: Record raw frame data as JavaScript array into specified filename + * run_once: Handle a single request + * handler_id: A sequence number for this connection, appended to record filename + """ + server_version = "WebSockify" + + protocol_version = "HTTP/1.1" + + SocketClass = CompatibleWebSocket + + # An exception while the WebSocket client was connected + class CClose(Exception): + pass + + def __init__(self, req, addr, server): + # Retrieve a few configuration variables from the server + self.only_upgrade = getattr(server, "only_upgrade", False) + self.verbose = getattr(server, "verbose", False) + self.daemon = getattr(server, "daemon", False) + self.record = getattr(server, "record", False) + self.run_once = getattr(server, "run_once", False) + self.rec = None + self.handler_id = getattr(server, "handler_id", False) + self.file_only = getattr(server, "file_only", False) + self.traffic = getattr(server, "traffic", False) + self.web_auth = getattr(server, "web_auth", False) + self.host_token = getattr(server, "host_token", False) + + self.logger = getattr(server, "logger", None) + if self.logger is None: + self.logger = WebSockifyServer.get_logger() + + super().__init__(req, addr, server) + + def log_message(self, format, *args): + self.logger.info("%s - - [%s] %s" % (self.client_address[0], self.log_date_time_string(), format % args)) + + # + # WebSocketRequestHandler logging/output functions + # + + def print_traffic(self, token="."): + """ Show traffic flow mode. """ + if self.traffic: + sys.stdout.write(token) + sys.stdout.flush() + + def msg(self, msg, *args, **kwargs): + """ Output message with handler_id prefix. """ + prefix = "% 3d: " % self.handler_id + self.logger.log(logging.INFO, "%s%s" % (prefix, msg), *args, **kwargs) + + def vmsg(self, msg, *args, **kwargs): + """ Same as msg() but as debug. 
""" + prefix = "% 3d: " % self.handler_id + self.logger.log(logging.DEBUG, "%s%s" % (prefix, msg), *args, **kwargs) + + def warn(self, msg, *args, **kwargs): + """ Same as msg() but as warning. """ + prefix = "% 3d: " % self.handler_id + self.logger.log(logging.WARN, "%s%s" % (prefix, msg), *args, **kwargs) + + # + # Main WebSocketRequestHandler methods + # + def send_frames(self, bufs=None): + """ Encode and send WebSocket frames. Any frames already + queued will be sent first. If buf is not set then only queued + frames will be sent. Returns True if any frames could not be + fully sent, in which case the caller should call again when + the socket is ready. """ + + tdelta = int(time.time()*1000) - self.start_time + + if bufs: + for buf in bufs: + if self.rec: + # Python 3 compatible conversion + bufstr = buf.decode('latin1').encode('unicode_escape').decode('ascii').replace("'", "\\'") + self.rec.write("'{{{0}{{{1}',\n".format(tdelta, bufstr)) + self.send_parts.append(buf) + + while self.send_parts: + # Send pending frames + try: + self.request.sendmsg(self.send_parts[0]) + except WebSocketWantWriteError: + self.print_traffic("<.") + return True + self.send_parts.pop(0) + self.print_traffic("<") + + return False + + def recv_frames(self): + """ Receive and decode WebSocket frames. 
+ + Returns: + (bufs_list, closed_string) + """ + + closed = False + bufs = [] + tdelta = int(time.time()*1000) - self.start_time + + while True: + try: + buf = self.request.recvmsg() + except WebSocketWantReadError: + self.print_traffic("}.") + break + + if buf is None: + closed = {'code': self.request.close_code, + 'reason': self.request.close_reason} + return bufs, closed + + self.print_traffic("}") + + if self.rec: + # Python 3 compatible conversion + bufstr = buf.decode('latin1').encode('unicode_escape').decode('ascii').replace("'", "\\'") + self.rec.write("'}}{0}}}{1}',\n".format(tdelta, bufstr)) + + bufs.append(buf) + + if not self.request.pending(): + break + + return bufs, closed + + def send_close(self, code=1000, reason=''): + """ Send a WebSocket orderly close frame. """ + self.request.shutdown(socket.SHUT_RDWR, code, reason) + + def send_pong(self, data=''.encode('ascii')): + """ Send a WebSocket pong frame. """ + self.request.pong(data) + + def send_ping(self, data=''.encode('ascii')): + """ Send a WebSocket ping frame. 
""" + self.request.ping(data) + + def handle_upgrade(self): + # ensure connection is authorized, and determine the target + self.validate_connection() + self.auth_connection() + + super().handle_upgrade() + + def handle_websocket(self): + # Indicate to server that a Websocket upgrade was done + self.server.ws_connection = True + # Initialize per client settings + self.send_parts = [] + self.recv_part = None + self.start_time = int(time.time()*1000) + + # client_address is empty with, say, UNIX domain sockets + client_addr = "" + is_ssl = False + try: + client_addr = self.client_address[0] + is_ssl = self.client_address[2] + except IndexError: + pass + + if is_ssl: + self.stype = "SSL/TLS (wss://)" + else: + self.stype = "Plain non-SSL (ws://)" + + self.log_message("%s: %s WebSocket connection", client_addr, + self.stype) + if self.path != '/': + self.log_message("%s: Path: '%s'", client_addr, self.path) + + if self.record: + # Record raw frame data as JavaScript array + fname = "%s.%s" % (self.record, + self.handler_id) + self.log_message("opening record file: %s", fname) + self.rec = open(fname, 'w+') + self.rec.write("var VNC_frame_data = [\n") + + try: + self.new_websocket_client() + except self.CClose: + # Close the client + _, exc, _ = sys.exc_info() + self.send_close(exc.args[0], exc.args[1]) + + def do_GET(self): + if self.web_auth: + # ensure connection is authorized, this seems to apply to list_directory() as well + self.auth_connection() + + if self.only_upgrade: + self.send_error(405) + else: + super().do_GET() + + def list_directory(self, path): + if self.file_only: + self.send_error(404) + else: + return super().list_directory(path) + + def new_websocket_client(self): + """ Do something with a WebSockets client connection. """ + raise Exception("WebSocketRequestHandler.new_websocket_client() must be overloaded") + + def validate_connection(self): + """ Ensure that the connection has a valid token, and set the target. 
""" + pass + + def auth_connection(self): + """ Ensure that the connection is authorized. """ + pass + + def do_HEAD(self): + if self.web_auth: + self.auth_connection() + + if self.only_upgrade: + self.send_error(405) + else: + super().do_HEAD() + + def finish(self): + if self.rec: + self.rec.write("'EOF'];\n") + self.rec.close() + super().finish() + + def handle(self): + # When using run_once, we have a single process, so + # we cannot loop in BaseHTTPRequestHandler.handle; we + # must return and handle new connections + if self.run_once: + self.handle_one_request() + else: + super().handle() + + def log_request(self, code='-', size='-'): + if self.verbose: + super().log_request(code, size) + + +class WebSockifyServer(): + """ + WebSockets server class. + As an alternative, the standard library SocketServer can be used + """ + + policy_response = """\n""" + log_prefix = "websocket" + + # An exception before the WebSocket connection was established + class EClose(Exception): + pass + + class Terminate(Exception): + pass + + def __init__(self, RequestHandlerClass, listen_fd=None, + listen_host='', listen_port=None, source_is_ipv6=False, + verbose=False, cert='', key='', key_password=None, ssl_only=None, + verify_client=False, cafile=None, + daemon=False, record='', web='', web_auth=False, + file_only=False, + run_once=False, timeout=0, idle_timeout=0, traffic=False, + tcp_keepalive=True, tcp_keepcnt=None, tcp_keepidle=None, + tcp_keepintvl=None, ssl_ciphers=None, ssl_options=0, + unix_listen=None, unix_listen_mode=None): + + # settings + self.RequestHandlerClass = RequestHandlerClass + self.verbose = verbose + self.listen_fd = listen_fd + self.unix_listen = unix_listen + self.unix_listen_mode = unix_listen_mode + self.listen_host = listen_host + self.listen_port = listen_port + self.prefer_ipv6 = source_is_ipv6 + self.ssl_only = ssl_only + self.ssl_ciphers = ssl_ciphers + self.ssl_options = ssl_options + self.verify_client = verify_client + self.daemon = daemon + 
self.run_once = run_once
+ self.timeout = timeout
+ self.idle_timeout = idle_timeout
+ self.traffic = traffic
+ self.file_only = file_only
+ self.web_auth = web_auth
+
+ self.launch_time = time.time()
+ self.ws_connection = False
+ self.handler_id = 1
+ self.terminating = False
+
+ self.logger = self.get_logger()
+ self.tcp_keepalive = tcp_keepalive
+ self.tcp_keepcnt = tcp_keepcnt
+ self.tcp_keepidle = tcp_keepidle
+ self.tcp_keepintvl = tcp_keepintvl
+
+ # keyfile path must be None if not specified
+ self.key = None
+ self.key_password = key_password
+
+ # Make paths settings absolute
+ self.cert = os.path.abspath(cert)
+ self.web = self.record = self.cafile = ''
+ if key:
+ self.key = os.path.abspath(key)
+ if web:
+ self.web = os.path.abspath(web)
+ if record:
+ self.record = os.path.abspath(record)
+ if cafile:
+ self.cafile = os.path.abspath(cafile)
+
+ if self.web:
+ os.chdir(self.web)
+ self.only_upgrade = not self.web
+
+ # Sanity checks
+ if not ssl and self.ssl_only:
+ raise Exception("No 'ssl' module and SSL-only specified")
+ if self.daemon and not resource:
+ raise Exception("Module 'resource' required to daemonize")
+
+ # Show configuration
+ self.msg("WebSocket server settings:")
+ if self.listen_fd != None:
+ self.msg(" - Listen for inetd connections")
+ elif self.unix_listen != None:
+ self.msg(" - Listen on unix socket %s", self.unix_listen)
+ else:
+ self.msg(" - Listen on %s:%s",
+ self.listen_host, self.listen_port)
+ if self.web:
+ if self.file_only:
+ self.msg(" - Web server (no directory listings). Web root: %s", self.web)
+ else:
+ self.msg(" - Web server. Web root: %s", self.web)
+ if ssl:
+ if os.path.exists(self.cert):
+ self.msg(" - SSL/TLS support")
+ if self.ssl_only:
+ self.msg(" - Deny non-SSL/TLS connections")
+ else:
+ self.msg(" - No SSL/TLS support (no cert file)")
+ else:
+ self.msg(" - No SSL/TLS support (no 'ssl' module)")
+ if self.daemon:
+ self.msg(" - Backgrounding (daemon)")
+ if self.record:
+ self.msg(" - Recording to '%s.*'", self.record)
+
+ #
+ # WebSockifyServer static methods
+ #
+
+ @staticmethod
+ def get_logger():
+ return logging.getLogger("%s.%s" % (
+ WebSockifyServer.log_prefix,
+ WebSockifyServer.__class__.__name__))
+
+ @staticmethod
+ def socket(host, port=None, connect=False, prefer_ipv6=False,
+ unix_socket=None, unix_socket_mode=None, unix_socket_listen=False,
+ use_ssl=False, tcp_keepalive=True, tcp_keepcnt=None,
+ tcp_keepidle=None, tcp_keepintvl=None):
+ """ Resolve a host (and optional port) to an IPv4 or IPv6
+ address. Create a socket. Bind to it if listen is set,
+ otherwise connect to it. Return the socket.
+ """
+ flags = 0
+ if host == '':
+ host = None
+ if connect and not (port or unix_socket):
+ raise Exception("Connect mode requires a port")
+ if use_ssl and not ssl:
+ raise Exception("SSL socket requested but Python SSL module not loaded.");
+ if not connect and use_ssl:
+ raise Exception("SSL only supported in connect mode (for now)")
+ if not connect:
+ flags = flags | socket.AI_PASSIVE
+
+ if not unix_socket:
+ addrs = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM,
+ socket.IPPROTO_TCP, flags)
+ if not addrs:
+ raise Exception("Could not resolve host '%s'" % host)
+ addrs.sort(key=lambda x: x[0])
+ if prefer_ipv6:
+ addrs.reverse()
+ sock = socket.socket(addrs[0][0], addrs[0][1])
+
+ if tcp_keepalive:
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
+ if tcp_keepcnt:
+ sock.setsockopt(socket.SOL_TCP, socket.TCP_KEEPCNT,
+ tcp_keepcnt)
+ if tcp_keepidle:
+ sock.setsockopt(socket.SOL_TCP, socket.TCP_KEEPIDLE,
+ tcp_keepidle)
+ if tcp_keepintvl:
+ sock.setsockopt(socket.SOL_TCP, socket.TCP_KEEPINTVL,
+ tcp_keepintvl)
+
+ if connect:
+ sock.connect(addrs[0][4])
+ if use_ssl:
+ sock = ssl.wrap_socket(sock)
+ else:
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ sock.bind(addrs[0][4])
+ sock.listen(100)
+ else:
+ if unix_socket_listen:
+ # Make sure the socket does not already exist
+ try:
+ os.unlink(unix_socket)
+ except FileNotFoundError:
+ pass
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ oldmask = os.umask(0o777 ^ unix_socket_mode)
+ try:
+ sock.bind(unix_socket)
+ finally:
+ os.umask(oldmask)
+ sock.listen(100)
+ else:
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.connect(unix_socket)
+
+ return sock
+
+ @staticmethod
+ def daemonize(keepfd=None, chdir='/'):
+
+ if keepfd is None:
+ keepfd = []
+
+ os.umask(0)
+ if chdir:
+ os.chdir(chdir)
+ else:
+ os.chdir('/')
+ os.setgid(os.getgid()) # relinquish elevations
+ os.setuid(os.getuid()) # relinquish elevations
+
+ # Double fork to daemonize
+ if os.fork() > 0: os._exit(0) # Parent exits
+ os.setsid() # Obtain new process group
+ if os.fork() > 0: os._exit(0) # Parent exits
+
+ # Signal handling
+ signal.signal(signal.SIGTERM, signal.SIG_IGN)
+ signal.signal(signal.SIGINT, signal.SIG_IGN)
+
+ # Close open files
+ maxfd = resource.getrlimit(resource.RLIMIT_NOFILE)[1]
+ if maxfd == resource.RLIM_INFINITY: maxfd = 256
+ for fd in reversed(range(maxfd)):
+ try:
+ if fd not in keepfd:
+ os.close(fd)
+ except OSError:
+ _, exc, _ = sys.exc_info()
+ if exc.errno != errno.EBADF: raise
+
+ # Redirect I/O to /dev/null
+ os.dup2(os.open(os.devnull, os.O_RDWR), sys.stdin.fileno())
+ os.dup2(os.open(os.devnull, os.O_RDWR), sys.stdout.fileno())
+ os.dup2(os.open(os.devnull, os.O_RDWR), sys.stderr.fileno())
+
+ def do_handshake(self, sock, address):
+ """
+ do_handshake does the following:
+ - Peek at the first few bytes from the socket.
+ - If the connection is an HTTPS/SSL/TLS connection then SSL
+ wrap the socket.
+ - Read from the (possibly wrapped) socket.
+ - If we have received a HTTP GET request and the webserver
+ functionality is enabled, answer it, close the socket and
+ return.
+ - Assume we have a WebSockets connection, parse the client
+ handshake data.
+ - Send a WebSockets handshake server response.
+ - Return the socket for this WebSocket client.
+ """
+ ready = select.select([sock], [], [], 3)[0]
+
+ if not ready:
+ raise self.EClose("")
+ # Peek, but do not read the data so that we have a opportunity
+ # to SSL wrap the socket first
+ handshake = sock.recv(1024, socket.MSG_PEEK)
+ #self.msg("Handshake [%s]" % handshake)
+
+ if not handshake:
+ raise self.EClose("")
+
+ elif handshake[0] in (22, 128):
+ # SSL wrap the connection
+ if not ssl:
+ raise self.EClose("SSL connection but no 'ssl' module")
+ if not os.path.exists(self.cert):
+ raise self.EClose("SSL connection but '%s' not found"
+ % self.cert)
+ retsock = None
+ try:
+ # create new-style SSL wrapping for extended features
+ context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+ if self.ssl_ciphers is not None:
+ context.set_ciphers(self.ssl_ciphers)
+ context.options = self.ssl_options
+ context.load_cert_chain(certfile=self.cert, keyfile=self.key, password=self.key_password)
+ if self.verify_client:
+ context.verify_mode = ssl.CERT_REQUIRED
+ if self.cafile:
+ context.load_verify_locations(cafile=self.cafile)
+ else:
+ context.set_default_verify_paths()
+ retsock = context.wrap_socket(
+ sock,
+ server_side=True)
+ except ssl.SSLError:
+ _, x, _ = sys.exc_info()
+ if x.args[0] == ssl.SSL_ERROR_EOF:
+ if len(x.args) > 1:
+ raise self.EClose(x.args[1])
+ else:
+ raise self.EClose("Got SSL_ERROR_EOF")
+ else:
+ raise
+
+ elif self.ssl_only:
+ raise self.EClose("non-SSL connection received but disallowed")
+
+ else:
+ retsock = sock
+
+ # If the address is like (host, port), we are extending it
+ # with a flag indicating SSL. Not many other options
+ # available...
+ if len(address) == 2:
+ address = (address[0], address[1], (retsock != sock))
+
+ self.RequestHandlerClass(retsock, address, self)
+
+ # Return the WebSockets socket which may be SSL wrapped
+ return retsock
+
+ #
+ # WebSockifyServer logging/output functions
+ #
+
+ def msg(self, *args, **kwargs):
+ """ Output message as info """
+ self.logger.log(logging.INFO, *args, **kwargs)
+
+ def vmsg(self, *args, **kwargs):
+ """ Same as msg() but as debug. """
+ self.logger.log(logging.DEBUG, *args, **kwargs)
+
+ def warn(self, *args, **kwargs):
+ """ Same as msg() but as warning. """
+ self.logger.log(logging.WARN, *args, **kwargs)
+
+
+ #
+ # Events that can/should be overridden in sub-classes
+ #
+ def started(self):
+ """ Called after WebSockets startup """
+ self.vmsg("WebSockets server started")
+
+ def poll(self):
+ """ Run periodically while waiting for connections. """
+ #self.vmsg("Running poll()")
+ pass
+
+ def terminate(self):
+ if not self.terminating:
+ self.terminating = True
+ raise self.Terminate()
+
+ def multiprocessing_SIGCHLD(self, sig, stack):
+ # TODO: figure out a way to actually log this information without
+ # calling `log` in the signal handlers
+ multiprocessing.active_children()
+
+ def fallback_SIGCHLD(self, sig, stack):
+ # Reap zombies when using os.fork() (python 2.4)
+ # TODO: figure out a way to actually log this information without
+ # calling `log` in the signal handlers
+ try:
+ result = os.waitpid(-1, os.WNOHANG)
+ while result[0]:
+ self.vmsg("Reaped child process %s" % result[0])
+ result = os.waitpid(-1, os.WNOHANG)
+ except (OSError):
+ pass
+
+ def do_SIGINT(self, sig, stack):
+ # TODO: figure out a way to actually log this information without
+ # calling `log` in the signal handlers
+ self.terminate()
+
+ def do_SIGTERM(self, sig, stack):
+ # TODO: figure out a way to actually log this information without
+ # calling `log` in the signal handlers
+ self.terminate()
+
+ def top_new_client(self, startsock, address):
+ """ Do something with a WebSockets client connection. """
+ # handler process
+ client = None
+ try:
+ try:
+ client = self.do_handshake(startsock, address)
+ except self.EClose:
+ _, exc, _ = sys.exc_info()
+ # Connection was not a WebSockets connection
+ if exc.args[0]:
+ self.msg("%s: %s" % (address[0], exc.args[0]))
+ except WebSockifyServer.Terminate:
+ raise
+ except Exception:
+ _, exc, _ = sys.exc_info()
+ self.msg("handler exception: %s" % str(exc))
+ self.vmsg("exception", exc_info=True)
+ finally:
+
+ if client and client != startsock:
+ # Close the SSL wrapped socket
+ # Original socket closed by caller
+ client.close()
+
+ def get_log_fd(self):
+ """
+ Get file descriptors for the loggers.
+ They should not be closed when the process is forked.
+ """
+ descriptors = []
+ for handler in self.logger.parent.handlers:
+ if isinstance(handler, logging.FileHandler):
+ descriptors.append(handler.stream.fileno())
+
+ return descriptors
+
+ def start_server(self):
+ """
+ Daemonize if requested. Listen for for connections. Run
+ do_handshake() method for each connection. If the connection
+ is a WebSockets client then call new_websocket_client() method (which must
+ be overridden) for each new client connection.
+ """
+
+ if self.listen_fd != None:
+ lsock = socket.fromfd(self.listen_fd, socket.AF_INET, socket.SOCK_STREAM)
+ elif self.unix_listen != None:
+ lsock = self.socket(host=None,
+ unix_socket=self.unix_listen,
+ unix_socket_mode=self.unix_listen_mode,
+ unix_socket_listen=True)
+ else:
+ lsock = self.socket(self.listen_host, self.listen_port, False,
+ self.prefer_ipv6,
+ tcp_keepalive=self.tcp_keepalive,
+ tcp_keepcnt=self.tcp_keepcnt,
+ tcp_keepidle=self.tcp_keepidle,
+ tcp_keepintvl=self.tcp_keepintvl)
+
+ if self.daemon:
+ keepfd = self.get_log_fd()
+ keepfd.append(lsock.fileno())
+ self.daemonize(keepfd=keepfd, chdir=self.web)
+
+ self.started() # Some things need to happen after daemonizing
+
+ # Allow override of signals
+ original_signals = {
+ signal.SIGINT: signal.getsignal(signal.SIGINT),
+ signal.SIGTERM: signal.getsignal(signal.SIGTERM),
+ }
+ if getattr(signal, 'SIGCHLD', None) is not None:
+ original_signals[signal.SIGCHLD] = signal.getsignal(signal.SIGCHLD)
+ signal.signal(signal.SIGINT, self.do_SIGINT)
+ signal.signal(signal.SIGTERM, self.do_SIGTERM)
+ # make sure that _cleanup is called when children die
+ # by calling active_children on SIGCHLD
+ if getattr(signal, 'SIGCHLD', None) is not None:
+ signal.signal(signal.SIGCHLD, self.multiprocessing_SIGCHLD)
+
+ last_active_time = self.launch_time
+ try:
+ while True:
+ try:
+ try:
+ startsock = None
+ pid = err = 0
+ child_count = 0
+
+ # Collect zombie child processes
+ child_count = len(multiprocessing.active_children())
+
+ time_elapsed = time.time() - self.launch_time
+ if self.timeout and time_elapsed > self.timeout:
+ self.msg('listener exit due to --timeout %s'
+ % self.timeout)
+ break
+
+ if self.idle_timeout:
+ idle_time = 0
+ if child_count == 0:
+ idle_time = time.time() - last_active_time
+ else:
+ idle_time = 0
+ last_active_time = time.time()
+
+ if idle_time > self.idle_timeout and child_count == 0:
+ self.msg('listener exit due to --idle-timeout %s'
+ % self.idle_timeout)
+ break
+
+ try:
+ self.poll()
+
+ ready = select.select([lsock], [], [], 1)[0]
+ if lsock in ready:
+ startsock, address = lsock.accept()
+ # Unix Socket will not report address (empty string), but address[0] is logged a bunch
+ if self.unix_listen != None:
+ address = [ self.unix_listen ]
+ else:
+ continue
+ except self.Terminate:
+ raise
+ except Exception:
+ _, exc, _ = sys.exc_info()
+ if hasattr(exc, 'errno'):
+ err = exc.errno
+ elif hasattr(exc, 'args'):
+ err = exc.args[0]
+ else:
+ err = exc[0]
+ if err == errno.EINTR:
+ self.vmsg("Ignoring interrupted syscall")
+ continue
+ else:
+ raise
+
+ if self.run_once:
+ # Run in same process if run_once
+ self.top_new_client(startsock, address)
+ if self.ws_connection :
+ self.msg('%s: exiting due to --run-once'
+ % address[0])
+ break
+ else:
+ self.vmsg('%s: new handler Process' % address[0])
+ p = multiprocessing.Process(
+ target=self.top_new_client,
+ args=(startsock, address))
+ p.start()
+ # child will not return
+
+ # parent process
+ self.handler_id += 1
+
+ except (self.Terminate, SystemExit, KeyboardInterrupt):
+ self.msg("In exit")
+ # terminate all child processes
+ if not self.run_once:
+ children = multiprocessing.active_children()
+
+ for child in children:
+ self.msg("Terminating child %s" % child.pid)
+ child.terminate()
+
+ break
+ except Exception:
+ exc = sys.exc_info()[1]
+ self.msg("handler exception: %s", str(exc))
+ self.vmsg("exception", exc_info=True)
+
+ finally:
+ if startsock:
+ startsock.close()
+ finally:
+ # Close listen port
+ self.vmsg("Closing socket listening at %s:%s",
+ self.listen_host, self.listen_port)
+ lsock.close()
+
+ # Restore signals
+ for sig, func in original_signals.items():
+ signal.signal(sig, func)
+
+