a 0s/h&{ã@sddZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl m Z ddlmZddlZddlZddlZddlZddlmZmZGdd„dejƒZGdd „d ejƒZd d „Ze je je jBe j Be j!Be je jBe j Be j!Be j"Be je jBe j Be j!Be j"Be j#Bd œZ$d d„Z%dd„Z&Gdd„de eƒZ'e(dkr`e&ƒdS)aV A WebSocket to TCP socket proxy with support for "wss://" encryption. Copyright 2011 Joel Martin Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) You can make a cert/key with openssl using: openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem as taken from http://docs.python.org/dev/library/ssl.html#certificates éN)ÚThreadingMixIn)Ú HTTPServer)Úparse_qsÚurlparsec@sDeZdZdZdZdd„Zdd„Zdd„Zd d „Zd d „Z d d„Z dS)ÚProxyRequestHandlerézÆ Traffic Legend: } - Client receive }. - Client receive partial { - Target receive > - Target send >. - Target send partial < - Client send <. - Client send partial cCsH| |j|j¡| dd¡|j ¡D]\}}| ||¡q&| ¡dS)Nz Content-Typez text/html)Ú send_responseÚcodeÚmsgÚ send_headerÚheadersÚitemsÚ end_headers)ÚselfÚexÚnameÚval©rú3/opt/jumpscale7/apps/vncproxy/utils/./websockify.pyÚsend_auth_error(s  z#ProxyRequestHandler.send_auth_errorcCsD|jjs dS| |jj¡\}}|dkr0||j_n||j_||j_dS)NÚ unix_socket)ÚserverÚ token_pluginÚ get_targetÚ unix_targetÚ target_hostÚ target_port)rÚhostÚportrrrÚvalidate_connection0s z'ProxyRequestHandler.validate_connectionc CsÒ|jjs dSdd„|jDƒ}|D] }|j|=q z6|j ¡}|d}tdd„|Dƒƒ}|d|jd<Wntttfy|Yn0z"|jjj |j|jj |jj dWn,t j yÌt ¡d}| |¡‚Yn0dS) NcSsg|]}| d¡r|‘qS)ZSSL_)Ú startswith)Ú.0ÚhrrrÚ Bóz7ProxyRequestHandler.auth_connection..ÚsubjectcSsg|] }|d‘qS)rr)r!Úxrrrr#Lr$Ú commonNameZSSL_CLIENT_S_DN_CN)r rré)rÚ auth_pluginr ÚrequestÚ getpeercertÚdictÚ TypeErrorÚAttributeErrorÚKeyErrorZ authenticaterrÚauthZAuthenticationErrorÚsysÚexc_infor)rZ ssl_headersr"Zclient_cert_dataZclient_cert_subjectrrrrÚauth_connection<s*   þ   z#ProxyRequestHandler.auth_connectionc CsÚ|jjr&| |jj|j¡\|j_|j_|jjrJdd |jj¡|jjf}n*|jjr`d|jj}nd|jj|jjf}|jj r„|d7}|  |¡z*t j j |jj|jjd|jj |jjd}WnJty}z0|  d|jj|jj|¡| d d ¡‚WYd }~n d }~00|jjs"|j t jt jd ¡|jjsH|jjsH| t jt jd ¡| |j¡zF| |¡W|rÖ| t j¡| ¡|jrÖ|  d |jj|jj¡n:|rÔ| t j¡| ¡|jrÔ|  d |jj|jj¡0d S)zO Called after a new WebSocket connection has been established. z%connecting to command: '%s' (port %s)Ú zconnecting to unix socket: %szconnecting to: %s:%sú (using SSL)T)ÚconnectZuse_sslrzFailed to connect to %s:%s: %sióz&Failed to connect to downstream serverNr(z%s:%s: Closed target)rÚ target_cfgrÚpathrrÚwrap_cmdÚjoinrÚ ssl_targetÚ log_messageÚwebsockifyserverÚWebSockifyServerÚsocketÚ ExceptionÚCCloseÚ unix_listenr*Ú setsockoptÚSOL_TCPÚ TCP_NODELAYÚ print_trafficÚtraffic_legendÚdo_proxyÚshutdownÚ SHUT_RDWRÚcloseÚverbose)rr ZtsockÚerrrÚnew_websocket_client\sZ ÿ  ü ÿ"     ÿü  ÿz(ProxyRequestHandler.new_websocket_clientcCs¢|jr&|j d¡}|rd| d¡d}n>tt|jƒdƒ}d|vr`t|dƒr`|dd d¡}nd}|durx|j   d¡‚|  |¡}|durŽ|S|j   d |¡‚dS) zò Gets a token from either the path or the host, depending on --host-token, and looks up a target for that token using the token plugin. Used by validate_connection() to set target_host and target_port. ÚHostú:réÚtokenÚ NzToken not presentzToken '%s' not found) Ú host_tokenr ÚgetÚ partitionrrr8ÚlenÚrstriprÚECloseÚlookup)rZ target_pluginrRÚargsZ result_pairrrrrs    zProxyRequestHandler.get_targetcCsÀg}d}g}|j|g}|jjr6t ¡}||jj|_nd|_g}|jdurrt ¡}||jkrr||jj|_| ¡|r€| |¡|sˆ|r”| |j¡zt ||gd¡\}} } WnJtyøt  ¡d} t | dƒrÚ| j } n| d} | t j krð‚nYqz.>z%s:%s: Client closed connectionr ÚreasonTz%s:%s: Target closed connectionièz Target closedú{)r*rÚ heartbeatÚtimeZ send_pingÚappendÚselectÚOSErrorr1r2Úhasattrr\ZEINTRr@Z send_framesZ recv_framesÚextendrWÚpopÚsendrFÚinsertrLr<rrrAÚrecvÚ buffer_size)rÚtargetZcqueueZc_pendZtqueueZrlistÚnowZwlistZinsZoutsZexceptsÚexcÚerrZbufsÚclosedZdatÚsentÚbufrrrrH¶sˆ                 ÿ       ÿ  zProxyRequestHandler.do_proxyN) Ú__name__Ú __module__Ú __qualname__rkrGrrr3rNrrHrrrrrs   3'rcs@eZdZdZdZef‡fdd„ Zdd„Zdd„Zd d „Z ‡Z S) ÚWebSocketProxyza Proxy traffic to and from a WebSockets client to a normal TCP socket server target. rc sÜ| dd¡|_| dd¡|_| dd¡|_| dd¡|_| dd¡|_| dd¡|_| dd¡|_| dd¡|_| d d¡|_ | d d¡|_ | d d¡|_ gd ¢|_ |jr¾t j tjd ¡}t j |dd¡t j |ddd¡t j |d¡|g}d|_|D]*}t j |d¡}t j |¡rø||_q$qø|js4tdƒ‚t j |j¡|_d|_t tjtj¡}| d¡| ¡d|_| ¡td|jt j dd¡gƒ} t j  t j! | ¡t"|dƒt"|jƒdœ¡t#ƒj$|g|¢Ri|¤ŽdS)Nrrr9Ú wrap_moderr;r`rrTr)r7)rrrrz..ÚlibÚ websockifyz rebind.soz1rebind.so not found, perhaps you need to run makez 127.0.0.1)Úrr(Ú LD_PRELOADÚ listen_port)r{ZREBIND_OLD_PORTZREBIND_NEW_PORT)%rgrrr9rwrr;r`rrTr)r7Ú wrap_timesÚosr8Údirnamer1Úargvr:ZrebinderÚexistsr@Úabspathr?ÚAF_INETÚ SOCK_STREAMÚbindÚ getsocknamerKÚfilterÚenvironrUÚupdateÚpathsepÚstrÚsuperÚ__init__) rÚRequestHandlerClassr[ÚkwargsZwsdirZ rebinder_pathZrdirZrpathÚsockZ ld_preloads©Ú __class__rrr)sP  ý    ýzWebSocketProxy.__init__cCsP| dd |j¡¡|j t ¡¡|j d¡tj|jt j t d|_ d|_ dS)Nz Starting '%s'r4r)ÚenvZ preexec_fnT)r r:r9r}rbrargÚ subprocessÚPopenr~rˆÚ_subprocess_setupÚcmdÚ spawn_message)rrrrÚ run_wrap_cmd]s  ÿzWebSocketProxy.run_wrap_cmdcCs°|jrdd |j¡|jf}n|jr,|j}nd|j|jf}|jdkrLd}nd|j|jf}|jrxd|t |jƒj f}n d||f}|j r’|d7}|  d |¡|jr¬|  ¡dS) zO Called after Websockets server startup (i.e. after daemonize) z'%s' (port %s)r4z%s:%sNÚinetdz/ - proxying from %s to targets generated by %sz - proxying from %s to %sr5z%s)r9r:rrrÚ listen_fdÚ listen_hostr|rÚtypersr;r r™)rZ dst_stringZ src_stringr rrrÚstartedes(  ÿÿ zWebSocketProxy.startedcCsº|jr2|jr2|j ¡}|dkr2| d|¡d|_|jr¶|jdkr¶|jdkrNnh|jdkrdt |¡nR|jdkr¶t ¡}t|j ƒt |j ƒ}||dkr®|j r¶|  d¡d|_ n|  ¡dS)Nz/Wrapped command exited (or daemon). Returned %sÚignoreÚexitÚrespawné zCommand respawning too fastF)r9r—ÚpollZvmsgrwr1r raÚsumr}rWr˜Úwarnr™)rÚretrmZavgrrrr£†s$        zWebSocketProxy.poll) rsrtruÚ__doc__rkrrr™ržr£Ú __classcell__rrr‘rrv!s 4!rvcCst tjtj¡dS)N)ÚsignalÚSIGPIPEÚSIG_DFLrrrrr–¡sr–©ÚdefaultZtlsv1_1Ztlsv1_2Ztlsv1_3cCsR|tvrt|Stt ¡ƒ}| ¡|d}t tj¡}| d||¡t|SdS)zXReturns SSL options for the most secure TSL version available on this Python versionéÿÿÿÿz.TLS version %s unsupported. Falling back to %sN) Ú SSL_OPTIONSÚlistÚkeysÚsortÚloggingÚ getLoggerrvÚ log_prefixr¥)Úversionr±ÚfallbackÚloggerrrrÚselect_ssl_version±s  ÿr¹cCsnt ¡}| tj¡t d¡}| |¡t ¡}| |¡| tj¡d}|d7}|d7}|d7}|d7}|d7}|d7}|d7}t j |d}|j dd d d d |j d d dd |j dddd|j dddd dd|j dd dd |j dt ddd|j dt ddd|j d d!d"d#|j d$dd%d#|j d&dd'd#|j d(d d)d |j d*d d+d |j d,d d-d |j d.dd/d0|j d1d2d3gd4¢d5d6d7|j d8d5d9d |j d:d;ddd<|j d=dd>d#|j d?d@dd|j dAdBd dC|j dDddEdFdG|j dHd dId |j dJdKdLgdM¢dNdO|j dPdQd dRdSdT|j dUd dVd |j dWddXdYdZ|j d[dd\d]dG|j d^dd_d`dG|j dad dbd |j dcdd\dddG|j dedd_dfdG|j dgt ddhdidj|j dkddldmdZ|j dnddodpdG|j dqd drd |j dsd dtd |  ¡\}}|jr*|js*| du¡|jrD|jsD| dv¡|jr^|js^| dw¡|jrx|jsx| dx¡|jr’|js’| dy¡|jr¬|js¬| dz¡t|jƒ|_|`|jrtj |j¡|_t |j¡}| tj¡| |¡t ¡}| |¡|`|jrÔ|j  d{¡rj|j !d{d|¡\}} z t | ƒ} Wnt"y^| d}¡Yn0|| f} ntj |j¡} dd~l#m$} |j%r”| j&} n| j'} | | | d|jd€} |  tj¡|  |¡t ¡}| | ¡|`|`|j(røt ¡}| tj¡|j)rtj |j)¡|_)|j)r&d|_|j)|_|`)t*j+  d‚¡rH|d|d…|_,nd|_,t-j.sh|j/rh| dƒ¡|j0rtj 1|j2¡s| d„|j2¡|j3r¦t*j4 5¡|_6nè|j7rú|j8rêzt |j8d…ƒ|_8Wnt"yæ| d†¡Yn0nt9j:t9j;B|_8n”t<|ƒd|kr| d‡¡| =d¡}|  d{¡dkrP| !d{d|¡\|_>|_?|j> @dˆ¡|_>nd‰||_>|_?zt |j?ƒ|_?Wnt"yŒ| dŠ¡Yn0|`3|j,sª|jAsª|jr¸d|_Bd|_Cnt<|ƒd|krÐ| d‡¡| =d¡}|  d{¡dkr| !d{d|¡\|_B|_C|jB @dˆ¡|_Bn | d‹¡zt |jCƒ|_CWnt"yF| dŒ¡Yn0t<|ƒdkrl|j,dkrl| d¡|jdurÆdŽ|jvrd|j|_|j !dŽd|¡\}}tD|ƒtEt*jF||ƒ}||jƒ|_|`|jdur$dŽ|jvrîd|j|_|j !dŽd|¡\}}tD|ƒtEt*jF||ƒ}||jƒ|_|`|jG}|`G|rRtHfi|jI¤Ž}| J¡ntKfi|jI¤Ž}| L¡dS)‘Nz %(message)sz %prog [options]z2 [source_addr:]source_port target_addr:target_portz/ --token-plugin=CLASS [source_addr:]source_portz- --unix-target=FILE [source_addr:]source_portz/ [source_addr:]source_port -- WRAP_COMMAND_LINE)Úusagez --verbosez-vÚ store_truezverbose messages)ÚactionÚhelpz --trafficzper frame trafficz--recordz(record sessions to FILE.[session_number]ÚFILE)r½Úmetavarz--daemonz-DÚdaemonz$become a daemon (background process))Údestr¼r½z --run-oncez-handle a single WebSocket connection and exitz --timeoutrz-after TIMEOUT seconds exit when not connected)rr­r½z--idle-timeoutzEserver exits after TIMEOUT seconds if there are no active connectionsz--certzself.pemzSSL certificate file)r­r½z--keyz$SSL key file (if separate from cert)z--key-passwordzSSL key passwordz --ssl-onlyz)disallow non-encrypted client connectionsz --ssl-targetz#connect to SSL target as SSL clientz--verify-clientzlrequire encrypted client to present a valid certificate (needs Python 2.7.9 or newer or Python 3.4 or newer)z--cafilez¦file of concatenated certificates of authorities trusted for validating clients (only effective with --verify-client). If omitted, system default list of CAs is used.)r¿r½z --ssl-versionÚchoicer­r¬Ústorez?minimum TLS version to use (default, tlsv1_1, tlsv1_2, tlsv1_3))rr­Úchoicesr¼r½z --ssl-ciphersz]list of ciphers allowed for connection. For a list of supported ciphers run `openssl ciphers`z --unix-listenzlisten to unix socket)r½r¿r­z--unix-listen-modez/specify mode for unix socket (defaults to 0600)z --unix-targetzconnect to unix socket targetz--inetdz/inetd mode, receive listening socket from stdin)r½r¼z--webÚDIRz1run webserver on same port. Serve files from DIR.)r­r¿r½z --web-authz+require authentication to access webserver.z --wrap-moder ÚMODE)r rŸr¡z\action to take when the wrapped program exits or daemonizes: exit (default), ignore, respawn)r­r¿rÄr½z --prefer-ipv6z-6Úsource_is_ipv6z&prefer IPv6 when resolving source_addr)r¼rÁr½z --libserverz&use Python library SocketServer enginez--target-configr7zíConfiguration file containing valid targets in the form 'token: host:port' or, alternatively, a directory containing configuration files of this form (DEPRECATED: use `--token-plugin TokenFile --token-source path/to/token/file` instead))r¿rÁr½z--token-pluginZCLASSzxuse a Python class, usually one from websockify.token_plugins, such as TokenFile, to process tokens into host:port pairsz--token-sourceZARGz=an argument to be passed to the token plugin on instantiationz --host-tokenzJuse the host HTTP header as token instead of the token URL query parameterz --auth-pluginz|use a Python class, usually one from websockify.auth_plugins, such as BasicHTTPAuth, to determine if a connection is allowedz --auth-sourcezrvr–ÚOP_ALLÚPROTOCOL_SSLv23Ú OP_NO_SSLv2Ú OP_NO_SSLv3Ú OP_NO_TLSv1Ú OP_NO_TLSv1_1Ú OP_NO_TLSv1_2r¯r¹rörîrsrrrrÚsL X   ÿÿÿÿÿÿú 55