Package flumotion :: Package common :: Module manhole
[hide private]

Source Code for Module flumotion.common.manhole

  1  # -*- Mode: Python -*- 
  2  # vi:si:et:sw=4:sts=4:ts=4 
  3  # 
  4  # Flumotion - a streaming media server 
  5  # Copyright (C) 2004,2005,2006,2007 Fluendo, S.L. (www.fluendo.com). 
  6  # All rights reserved. 
  7   
  8  # This file may be distributed and/or modified under the terms of 
  9  # the GNU General Public License version 2 as published by 
 10  # the Free Software Foundation. 
 11  # This file is distributed without any warranty; without even the implied 
 12  # warranty of merchantability or fitness for a particular purpose. 
 13  # See "LICENSE.GPL" in the source distribution for more information. 
 14   
 15  # Licensees having purchased or holding a valid Flumotion Advanced 
 16  # Streaming Server license may use this file in accordance with the 
 17  # Flumotion Advanced Streaming Server Commercial License Agreement. 
 18  # See "LICENSE.Flumotion" in the source distribution for more information. 
 19   
 20  # Headers in this file shall remain intact. 
 21   
 22  import os 
 23  import base64 
 24  import binascii 
 25   
 26  from twisted.conch import error, manhole 
 27  from twisted.conch.insults import insults 
 28  from twisted.conch.ssh import keys 
 29  from twisted.cred import credentials 
 30  from twisted.cred.checkers import ICredentialsChecker 
 31  from twisted.cred.error import UnauthorizedLogin 
 32  from twisted.internet import defer, reactor 
 33  from twisted.cred import portal 
 34  from twisted.python import failure 
 35  from zope import interface 
 36   
 37  from flumotion.common import log 
 38   
 39   
 40  # This class is from twisted.conch.checkers, copyright 2001-2007 Paul 
 41  # Swartz, Jp Calderone, and others. Original license: 
 42  # 
 43  # Permission is hereby granted, free of charge, to any person obtaining 
 44  # a copy of this software and associated documentation files (the 
 45  # "Software"), to deal in the Software without restriction, including 
 46  # without limitation the rights to use, copy, modify, merge, publish, 
 47  # distribute, sublicense, and/or sell copies of the Software, and to 
 48  # permit persons to whom the Software is furnished to do so, subject to 
 49  # the following conditions: 
 50   
 51  # The above copyright notice and this permission notice shall be 
 52  # included in all copies or substantial portions of the Software. 
 53   
 54  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
 55  # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 
 56  # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
 57  # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 
 58  # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 
 59  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 
 60  # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
 61   
 62  # It has been modified to check a particular authorized_keys file 
 63  # instead of poking in users' ~/.ssh directories. 
64 -class SSHPublicKeyChecker(log.Loggable):
65 try: 66 credentialInterfaces = credentials.ISSHPrivateKey, 67 except AttributeError: 68 log.warning('manhole', 'ssh manhole unavailable (old twisted)') 69 # you won't be able to log anything in 70 credentialInterfaces = () 71 72 interface.implements(ICredentialsChecker) 73
74 - def __init__(self, authorizedKeysFile):
75 self.authorizedKeysFile = authorizedKeysFile
76
77 - def requestAvatarId(self, credentials):
78 d = defer.maybeDeferred(self.checkKey, credentials) 79 d.addCallback(self._cbRequestAvatarId, credentials) 80 d.addErrback(self._ebRequestAvatarId) 81 return d
82
83 - def _cbRequestAvatarId(self, validKey, credentials):
84 if not validKey: 85 return failure.Failure(UnauthorizedLogin()) 86 if not credentials.signature: 87 return failure.Failure(error.ValidPublicKey()) 88 else: 89 try: 90 pubKey = keys.getPublicKeyObject(data = credentials.blob) 91 if keys.verifySignature(pubKey, credentials.signature, 92 credentials.sigData): 93 return credentials.username 94 except: # any error should be treated as a failed login 95 f = failure.Failure() 96 log.warning('error checking signature: %r', credentials) 97 return f 98 return failure.Failure(UnauthorizedLogin())
99
100 - def checkKey(self, credentials):
101 filename = self.authorizedKeysFile 102 if not os.path.exists(filename): 103 return 0 104 lines = open(filename).xreadlines() 105 for l in lines: 106 l2 = l.split() 107 if len(l2) < 2: 108 continue 109 try: 110 if base64.decodestring(l2[1]) == credentials.blob: 111 return 1 112 except binascii.Error: 113 continue 114 return 0
115
116 - def _ebRequestAvatarId(self, f):
117 if not f.check(UnauthorizedLogin, error.ValidPublicKey): 118 log.warning('failed login %r', f) 119 return failure.Failure(UnauthorizedLogin()) 120 return f
121
122 -def openSSHManhole(authorizedKeysFile, namespace, portNum=-1):
123 from twisted.conch import manhole_ssh 124 125 def makeProtocol(): 126 return insults.ServerProtocol(manhole.Manhole, namespace)
127 checker = SSHPublicKeyChecker(authorizedKeysFile) 128 sshRealm = manhole_ssh.TerminalRealm() 129 sshRealm.chainedProtocolFactory = makeProtocol 130 sshPortal = portal.Portal(sshRealm, [checker]) 131 sshFactory = manhole_ssh.ConchFactory(sshPortal) 132 port = reactor.listenTCP(portNum, sshFactory, interface='localhost') 133 return port 134
135 -def openAnonymousTelnetManhole(namespace, portNum=-1):
136 from twisted.conch import telnet 137 from twisted.internet import protocol 138 139 def makeProtocol(): 140 return telnet.TelnetTransport(telnet.TelnetBootstrapProtocol, 141 insults.ServerProtocol, 142 manhole.Manhole, namespace)
143 144 telnetFactory = protocol.ServerFactory() 145 telnetFactory.protocol = makeProtocol 146 port = reactor.listenTCP(portNum, telnetFactory, 147 interface='localhost') 148 return port 149