forked from Krautspace/doorstatus
merge with ssl branch
branch ssl merged into master. new files statusd.conf, statusd.conf.template, statusd.service. statusd.py conflicts resolved.
This commit is contained in:
commit
c8814f322b
5 changed files with 170 additions and 48 deletions
29
setstatus.py
29
setstatus.py
|
@ -10,6 +10,7 @@
|
||||||
# input is 0 or 1.
|
# input is 0 or 1.
|
||||||
|
|
||||||
import socket
|
import socket
|
||||||
|
import ssl
|
||||||
from sys import exit, argv, byteorder
|
from sys import exit, argv, byteorder
|
||||||
|
|
||||||
|
|
||||||
|
@ -51,8 +52,12 @@ def read_argument():
|
||||||
|
|
||||||
def main(*status):
|
def main(*status):
|
||||||
|
|
||||||
HOST = 'nr18.space'
|
HOST = 'localhost'
|
||||||
PORT = 10001
|
PORT = 10001
|
||||||
|
SERVER_NAME = 'server.status.kraut.space'
|
||||||
|
CLIENT_CERT = './certs/client.crt'
|
||||||
|
CLIENT_KEY = './certs/client.key'
|
||||||
|
SERVER_CERT = './certs/server.crt'
|
||||||
BOM = byteorder
|
BOM = byteorder
|
||||||
STATUS = None
|
STATUS = None
|
||||||
RESPONSE = None
|
RESPONSE = None
|
||||||
|
@ -69,21 +74,35 @@ def main(*status):
|
||||||
if STATUS == None:
|
if STATUS == None:
|
||||||
STATUS = read_argument()
|
STATUS = read_argument()
|
||||||
|
|
||||||
|
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile = SERVER_CERT)
|
||||||
|
context.options &= ~ssl.PROTOCOL_TLS
|
||||||
|
context.verify_mode = ssl.CERT_OPTIONAL
|
||||||
|
# context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
|
||||||
|
context.load_cert_chain(certfile = CLIENT_CERT, keyfile = CLIENT_KEY)
|
||||||
|
print('SSL context created')
|
||||||
|
|
||||||
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
|
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
|
||||||
print('Socket created')
|
print('Socket created')
|
||||||
try:
|
try:
|
||||||
mySocket.connect((HOST, PORT))
|
conn = context.wrap_socket(mySocket, server_side = False, \
|
||||||
|
server_hostname = SERVER_NAME)
|
||||||
|
print('Connection wrapped with ssl.context')
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print('{}'.format(e))
|
print('Context wrapper failed: [}'.format(e))
|
||||||
|
try:
|
||||||
|
conn.connect((HOST, PORT))
|
||||||
|
print('SSL established: {}'.format(conn.getpeercert()))
|
||||||
|
except Exception as e:
|
||||||
|
print('SSL handshake failed: {}'.format(e))
|
||||||
exit(1)
|
exit(1)
|
||||||
try:
|
try:
|
||||||
print('Send new status: {}'.format(STATUS))
|
print('Send new status: {}'.format(STATUS))
|
||||||
mySocket.send(STATUS)
|
conn.send(STATUS)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print('Error: {}'.format(e))
|
print('Error: {}'.format(e))
|
||||||
exit(2)
|
exit(2)
|
||||||
try:
|
try:
|
||||||
RESPONSE = mySocket.recv(1)
|
RESPONSE = conn.recv(1)
|
||||||
print('Server returns: {}'.format(RESPONSE))
|
print('Server returns: {}'.format(RESPONSE))
|
||||||
if RESPONSE == STATUS:
|
if RESPONSE == STATUS:
|
||||||
print('Status sucessfull updated')
|
print('Status sucessfull updated')
|
||||||
|
|
19
statusd.conf
19
statusd.conf
|
@ -5,17 +5,22 @@
|
||||||
|
|
||||||
# host, where server lives (string with fqdn or ipv4). default ist
|
# host, where server lives (string with fqdn or ipv4). default ist
|
||||||
# localhost.
|
# localhost.
|
||||||
HOST = 127.0.0.1
|
HOST = '127.0.0.1'
|
||||||
|
|
||||||
# port, where the server is listen. default is 100001
|
# port, where the server is listen. default is 100001
|
||||||
PORT = 10001
|
PORT = 10001
|
||||||
|
|
||||||
# path for ssl key and certificate. default ist current directory.
|
# timeout for connection
|
||||||
# CERT = './certs/certificate.pem'
|
TIMEOUT = 5
|
||||||
KEY = ./certs/key.pem
|
|
||||||
|
|
||||||
# path to api file
|
# path for ssl keys and certificates. default is the current directory.
|
||||||
API = ./api
|
SERVER_CERT = './certs/server.crt'
|
||||||
|
SERVER_KEY = './certs/server.key'
|
||||||
|
CLIENT_CERT = './certs/client.crt'
|
||||||
|
|
||||||
|
# path to api files
|
||||||
|
API_TEMPLATE = './api_template'
|
||||||
|
API = './api'
|
||||||
|
|
||||||
# loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment.
|
# loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment.
|
||||||
# VERBOSITY = 'debug'
|
VERBOSITY = 'error'
|
||||||
|
|
26
statusd.conf.template
Normal file
26
statusd.conf.template
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
# file: statusd.conf
|
||||||
|
|
||||||
|
# Configuration file for the server, who is manage the api for door status
|
||||||
|
# from krautspace jena.
|
||||||
|
|
||||||
|
# host, where server lives (string with fqdn or ipv4). default ist
|
||||||
|
# localhost.
|
||||||
|
HOST = 'localhost'
|
||||||
|
|
||||||
|
# port, where the server is listen. default is 100001
|
||||||
|
PORT = 10001
|
||||||
|
|
||||||
|
# timeout for connection
|
||||||
|
TIMEOUT = 5
|
||||||
|
|
||||||
|
# path for ssl keys and certificates. default is the current directory.
|
||||||
|
SERVER_CERT = './server.crt'
|
||||||
|
SERVER_KEY = './server.key'
|
||||||
|
CLIENT_CERT = './client.crt'
|
||||||
|
|
||||||
|
# path to api files
|
||||||
|
API_TEMPLATE = './api_template'
|
||||||
|
API = '/path/to//api'
|
||||||
|
|
||||||
|
# loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment.
|
||||||
|
VERBOSITY = 'info'
|
130
statusd.py
130
statusd.py
|
@ -4,9 +4,11 @@
|
||||||
# date: 26.07.2019
|
# date: 26.07.2019
|
||||||
# email: berhsi@web.de
|
# email: berhsi@web.de
|
||||||
|
|
||||||
# server, who listen for ipv4 connections at port 10001.
|
# server, who listen for ipv4 connections at port 10001. now with ssl
|
||||||
|
# encrypted connection and client side authentication.
|
||||||
|
|
||||||
import socket
|
import socket
|
||||||
|
import ssl
|
||||||
import os
|
import os
|
||||||
import logging
|
import logging
|
||||||
import json
|
import json
|
||||||
|
@ -28,10 +30,11 @@ def read_config(CONFIGFILE, CONFIG):
|
||||||
logging.debug('Configfile successfull read')
|
logging.debug('Configfile successfull read')
|
||||||
for line in config.readlines():
|
for line in config.readlines():
|
||||||
if not line[0] in ('#', ';', '\n', '\r'):
|
if not line[0] in ('#', ';', '\n', '\r'):
|
||||||
logging.debug('Read entry')
|
|
||||||
key, value = (line.strip().split('='))
|
key, value = (line.strip().split('='))
|
||||||
CONFIG[key.upper().strip()] = value.strip()
|
key = strip_argument(key).upper()
|
||||||
logging.debug('Set {} to {}'.format(key.upper().strip(), value.strip()))
|
value = strip_argument(value)
|
||||||
|
CONFIG[key] = value
|
||||||
|
logging.debug('Set {} to {}'.format(key, value))
|
||||||
else:
|
else:
|
||||||
logging.error('Failed to read {}'.format(CONFIGFILE))
|
logging.error('Failed to read {}'.format(CONFIGFILE))
|
||||||
logging.error('Using default values')
|
logging.error('Using default values')
|
||||||
|
@ -39,6 +42,32 @@ def read_config(CONFIGFILE, CONFIG):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
def certs_readable(config):
|
||||||
|
'''
|
||||||
|
checks at start, if the needed certificates defined (no nullstring) and readable.
|
||||||
|
param 1: dictionary
|
||||||
|
return: boolean
|
||||||
|
'''
|
||||||
|
for i in (config['SERVER_KEY'], config['SERVER_CERT'], config['CLIENT_CERT']):
|
||||||
|
if i == '' or os.access(i, os.R_OK) == False:
|
||||||
|
logging.error('Cant read {}'.format(i))
|
||||||
|
return False
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
def strip_argument(argument):
|
||||||
|
'''
|
||||||
|
Becomes a string and strips at first whitespaces, second apostrops and
|
||||||
|
returns the clear string.
|
||||||
|
param 1: string
|
||||||
|
return: string
|
||||||
|
'''
|
||||||
|
argument = argument.strip()
|
||||||
|
argument = argument.strip('"')
|
||||||
|
argument = argument.strip("'")
|
||||||
|
return argument
|
||||||
|
|
||||||
|
|
||||||
def print_config(CONFIG):
|
def print_config(CONFIG):
|
||||||
'''
|
'''
|
||||||
Prints the used configuration, if loglevel ist debug.
|
Prints the used configuration, if loglevel ist debug.
|
||||||
|
@ -51,14 +80,21 @@ def print_config(CONFIG):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
def display_peercert(cert):
|
||||||
|
for i in cert.keys():
|
||||||
|
print(i)
|
||||||
|
for j in cert[i]:
|
||||||
|
print('\t{}'.format(j))
|
||||||
|
return
|
||||||
|
|
||||||
|
|
||||||
def receive_buffer_is_valid(raw_data):
|
def receive_buffer_is_valid(raw_data):
|
||||||
'''
|
'''
|
||||||
checks, if the received buffer from the connection is valid or not.
|
checks, if the received buffer from the connection is valid or not.
|
||||||
param 1: byte
|
param 1: byte
|
||||||
return: boolean
|
return: boolean
|
||||||
'''
|
'''
|
||||||
data = bytes2int(raw_data)
|
if raw_data == b'\x00' or raw_data == b'\x01':
|
||||||
if data == 0 or data == 1:
|
|
||||||
logging.debug('Argument is valid: {}'.format(raw_data))
|
logging.debug('Argument is valid: {}'.format(raw_data))
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
|
@ -66,23 +102,6 @@ def receive_buffer_is_valid(raw_data):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
def bytes2int(raw_data):
|
|
||||||
'''
|
|
||||||
Convert a given byte value into a integer. If it is possible, it returns
|
|
||||||
the integer, otherwise false.
|
|
||||||
param 1: byte
|
|
||||||
return: integer or false
|
|
||||||
'''
|
|
||||||
bom = byteorder
|
|
||||||
|
|
||||||
try:
|
|
||||||
data = int.from_bytes(raw_data, bom)
|
|
||||||
except Exception as e:
|
|
||||||
logging.error('Unabele to convert raw data to int: {}'.format(raw_data))
|
|
||||||
return False
|
|
||||||
return data
|
|
||||||
|
|
||||||
|
|
||||||
def change_status(raw_data, api):
|
def change_status(raw_data, api):
|
||||||
'''
|
'''
|
||||||
Becomes the received byte and the path to API file. Grabs the content of
|
Becomes the received byte and the path to API file. Grabs the content of
|
||||||
|
@ -149,33 +168,62 @@ def set_values(raw_data):
|
||||||
return: tuple
|
return: tuple
|
||||||
'''
|
'''
|
||||||
timestamp = str(time()).split('.')[0]
|
timestamp = str(time()).split('.')[0]
|
||||||
callback = bytes2int(raw_data)
|
if raw_data == b'\x01':
|
||||||
if callback == 1:
|
|
||||||
status = "true"
|
status = "true"
|
||||||
else:
|
else:
|
||||||
status = "false"
|
status = "false"
|
||||||
|
logging.debug('Set values for timestamp: {} and status: {}'.format(timestamp, status))
|
||||||
return (status, timestamp)
|
return (status, timestamp)
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
'''
|
'''
|
||||||
The main function - opens a socket und listen for connections.
|
The main function - opens a socket, create a ssl context, load certs and
|
||||||
|
listen for connections. at ssl context we set some security options like
|
||||||
|
OP_NO_SSLv2 (SSLv3): they are insecure
|
||||||
|
PROTOCOL_TLS: only use tls
|
||||||
|
OP_NO_COMPRESSION: prevention against crime attack
|
||||||
|
OP_DONT_ISERT_EMPTY_FRAGMENTS: prevention agains cbc 4 attack (cve-2011-3389)
|
||||||
|
|
||||||
'''
|
'''
|
||||||
CONFIG = {
|
CONFIG = {
|
||||||
'HOST': 'localhost',
|
'HOST': 'localhost',
|
||||||
'PORT': 10001,
|
'PORT': 10001,
|
||||||
'CERT': None,
|
'SERVER_CERT': './server.crt',
|
||||||
'KEY' : None,
|
'SERVER_KEY' : './server.key',
|
||||||
|
'CLIENT_CERT': './client.crt',
|
||||||
'TIMEOUT': 3.0,
|
'TIMEOUT': 3.0,
|
||||||
'API': './api'
|
'API': './api',
|
||||||
|
'API_TEMPLATE': './api_template',
|
||||||
|
'VERBOSITY': 'info'
|
||||||
}
|
}
|
||||||
CONFIG_FILE = './statusd.conf'
|
CONFIG_FILE = './statusd.conf'
|
||||||
|
FINGERPRINT = \
|
||||||
|
'35:8E:35:FA:58:0A:DD:2B:C8:6A:F9:EA:A3:7B:10:F5:62:89:AB:D0:AB:53:3E:B5:8B:AB:E1:23:CF:93:F5:F9'
|
||||||
|
|
||||||
loglevel = logging.DEBUG
|
loglevel = logging.DEBUG
|
||||||
logging.basicConfig(format='%(levelname)s: %(asctime)s: %(message)s', level=loglevel)
|
logging.basicConfig(format='%(levelname)s: %(message)s', level=loglevel)
|
||||||
read_config(CONFIG_FILE, CONFIG)
|
read_config(CONFIG_FILE, CONFIG)
|
||||||
print_config(CONFIG)
|
print_config(CONFIG)
|
||||||
|
|
||||||
|
if certs_readable(CONFIG) == False:
|
||||||
|
logging.error('Cert check failed\nExit')
|
||||||
|
exit()
|
||||||
|
|
||||||
|
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
||||||
|
context.options &= ~ssl.OP_NO_SSLv2
|
||||||
|
context.options &= ~ssl.OP_NO_SSLv3
|
||||||
|
context.options &= ~ssl.PROTOCOL_TLS
|
||||||
|
context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||||
|
# context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
|
||||||
|
context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
|
||||||
|
# context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
|
||||||
|
context.verify_mode = ssl.CERT_REQUIRED
|
||||||
|
context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
|
||||||
|
keyfile = CONFIG['SERVER_KEY'])
|
||||||
|
context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
|
||||||
|
logging.debug('SSL context created')
|
||||||
|
|
||||||
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
|
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
|
||||||
logging.debug('Socket created')
|
logging.debug('Socket created')
|
||||||
try:
|
try:
|
||||||
|
@ -188,15 +236,21 @@ def main():
|
||||||
exit()
|
exit()
|
||||||
while True:
|
while True:
|
||||||
try:
|
try:
|
||||||
conn, addr = mySocket.accept()
|
fromSocket, fromAddr = mySocket.accept()
|
||||||
logging.info('Connection from {}:{}'.format(addr[0], addr[1]))
|
logging.info('Client connected: {}:{}'.format(fromAddr[0], fromAddr[1]))
|
||||||
try:
|
try:
|
||||||
conn.settimeout(float(CONFIG['TIMEOUT']))
|
fromSocket.settimeout(float(CONFIG['TIMEOUT']))
|
||||||
logging.debug('Connection timeout set to {}'.format(CONFIG['TIMEOUT']))
|
logging.debug('Connection timeout set to {}'.format(CONFIG['TIMEOUT']))
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
logging.error('Canot set timeout to {}'.format(CONFIG['TIMEOUT']))
|
logging.error('Canot set timeout to {}'.format(CONFIG['TIMEOUT']))
|
||||||
logging.error('Use default value: 3.0')
|
logging.error('Use default value: 3.0')
|
||||||
conn.settimeout(3.0)
|
fromSocket.settimeout(3.0)
|
||||||
|
try:
|
||||||
|
conn = context.wrap_socket(fromSocket, server_side = True)
|
||||||
|
# display_peercert(conn.getpeercert())
|
||||||
|
logging.debug('SSL established. Peer: {}'.format(conn.getpeercert()))
|
||||||
|
except Exception as e:
|
||||||
|
logging.error('SSL handshake failed: {}'.format(e))
|
||||||
raw_data = conn.recv(1)
|
raw_data = conn.recv(1)
|
||||||
if receive_buffer_is_valid(raw_data) == True:
|
if receive_buffer_is_valid(raw_data) == True:
|
||||||
if change_status(raw_data, CONFIG['API']) == True:
|
if change_status(raw_data, CONFIG['API']) == True:
|
||||||
|
@ -205,12 +259,14 @@ def main():
|
||||||
# change_status returns false:
|
# change_status returns false:
|
||||||
else:
|
else:
|
||||||
logging.info('Failed to change status')
|
logging.info('Failed to change status')
|
||||||
conn.send(b'\x03')
|
if conn:
|
||||||
|
conn.send(b'\x03')
|
||||||
# recive_handle returns false:
|
# recive_handle returns false:
|
||||||
else:
|
else:
|
||||||
logging.info('Inalid argument recived: {}'.format(raw_data))
|
logging.info('Inalid argument recived: {}'.format(raw_data))
|
||||||
logging.debug('Send {} back'.format(b'\x03'))
|
logging.debug('Send {} back'.format(b'\x03'))
|
||||||
conn.send(b'\x03')
|
if conn:
|
||||||
|
conn.send(b'\x03')
|
||||||
sleep(0.1) # protection against dos
|
sleep(0.1) # protection against dos
|
||||||
except KeyboardInterrupt:
|
except KeyboardInterrupt:
|
||||||
print('\rExit')
|
print('\rExit')
|
||||||
|
@ -218,6 +274,8 @@ def main():
|
||||||
exit()
|
exit()
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
logging.error('{}'.format(e))
|
logging.error('{}'.format(e))
|
||||||
|
continue
|
||||||
|
return 0
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
|
|
14
statusd.service
Normal file
14
statusd.service
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Deamon for setting status API
|
||||||
|
After=systemd-network.service network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
WorkingDirectory=/opt/doorstatus/
|
||||||
|
ExecStart=/opt/doorstatus/statusd.py
|
||||||
|
SyslogIdentifier=statusd
|
||||||
|
User=status
|
||||||
|
Group=status
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
Loading…
Reference in a new issue