diff options
author | Joel Martin <github@martintribe.org> | 2012-08-14 15:33:42 -0500 |
---|---|---|
committer | Joel Martin <github@martintribe.org> | 2012-08-14 15:35:48 -0500 |
commit | 4dd1bb1ecbd49c112c2f7ff4bd66016ebe38d063 (patch) | |
tree | 87ee60e333d3e3540af201ae9359c41266ddf5bc /utils | |
parent | af1527b27610da9339c27439886766b9e65da2b9 (diff) | |
download | novnc-4dd1bb1ecbd49c112c2f7ff4bd66016ebe38d063.tar.gz |
Pull in latest websockify.
Pull in version 376872d99.
Several changes including:
- binary/typed array support in websock.js
- unix socket support
- multiple target support via config file(s)
- prefer IPv6 option
Diffstat (limited to 'utils')
-rw-r--r-- | utils/websocket.py | 194 | ||||
-rwxr-xr-x | utils/websockify | 131 |
2 files changed, 218 insertions, 107 deletions
diff --git a/utils/websocket.py b/utils/websocket.py index d3bb48c..11f718c 100644 --- a/utils/websocket.py +++ b/utils/websocket.py @@ -18,7 +18,6 @@ as taken from http://docs.python.org/dev/library/ssl.html#certificates import os, sys, time, errno, signal, socket, traceback, select import array, struct -from cgi import parse_qsl from base64 import b64encode, b64decode # Imports that vary by python version @@ -36,8 +35,6 @@ try: from io import StringIO except: from cStringIO import StringIO try: from http.server import SimpleHTTPRequestHandler except: from SimpleHTTPServer import SimpleHTTPRequestHandler -try: from urllib.parse import urlsplit -except: from urlparse import urlsplit # python 2.6 differences try: from hashlib import md5, sha1 @@ -75,6 +72,7 @@ class WebSocketServer(object): buffer_size = 65536 + server_handshake_hixie = """HTTP/1.1 101 Web Socket Protocol Handshake\r Upgrade: WebSocket\r Connection: Upgrade\r @@ -109,11 +107,12 @@ Sec-WebSocket-Accept: %s\r self.verbose = verbose self.listen_host = listen_host self.listen_port = listen_port + self.prefer_ipv6 = source_is_ipv6 self.ssl_only = ssl_only self.daemon = daemon self.run_once = run_once self.timeout = timeout - + self.launch_time = time.time() self.ws_connection = False self.handler_id = 1 @@ -163,7 +162,7 @@ Sec-WebSocket-Accept: %s\r # @staticmethod - def socket(host, port=None, connect=False, prefer_ipv6=False): + def socket(host, port=None, connect=False, prefer_ipv6=False, unix_socket=None, use_ssl=False): """ Resolve a host (and optional port) to an IPv4 or IPv6 address. Create a socket. Bind to it if listen is set, otherwise connect to it. Return the socket. @@ -171,24 +170,36 @@ Sec-WebSocket-Accept: %s\r flags = 0 if host == '': host = None - if connect and not port: + if connect and not (port or unix_socket): raise Exception("Connect mode requires a port") + if use_ssl and not ssl: + raise Exception("SSL socket requested but Python SSL module not loaded."); + if not connect and use_ssl: + raise Exception("SSL only supported in connect mode (for now)") if not connect: flags = flags | socket.AI_PASSIVE - addrs = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM, - socket.IPPROTO_TCP, flags) - if not addrs: - raise Exception("Could resolve host '%s'" % host) - addrs.sort(key=lambda x: x[0]) - if prefer_ipv6: - addrs.reverse() - sock = socket.socket(addrs[0][0], addrs[0][1]) - if connect: - sock.connect(addrs[0][4]) - else: - sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - sock.bind(addrs[0][4]) - sock.listen(100) + + if not unix_socket: + addrs = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM, + socket.IPPROTO_TCP, flags) + if not addrs: + raise Exception("Could not resolve host '%s'" % host) + addrs.sort(key=lambda x: x[0]) + if prefer_ipv6: + addrs.reverse() + sock = socket.socket(addrs[0][0], addrs[0][1]) + if connect: + sock.connect(addrs[0][4]) + if use_ssl: + sock = ssl.wrap_socket(sock) + else: + sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + sock.bind(addrs[0][4]) + sock.listen(100) + else: + sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + sock.connect(unix_socket) + return sock @staticmethod @@ -552,6 +563,72 @@ Sec-WebSocket-Accept: %s\r # No orderly close for 75 + def do_websocket_handshake(self, headers, path): + h = self.headers = headers + self.path = path + + prot = 'WebSocket-Protocol' + protocols = h.get('Sec-'+prot, h.get(prot, '')).split(',') + + ver = h.get('Sec-WebSocket-Version') + if ver: + # HyBi/IETF version of the protocol + + # HyBi-07 report version 7 + # HyBi-08 - HyBi-12 report version 8 + # HyBi-13 reports version 13 + if ver in ['7', '8', '13']: + self.version = "hybi-%02d" % int(ver) + else: + raise self.EClose('Unsupported protocol version %s' % ver) + + key = h['Sec-WebSocket-Key'] + + # Choose binary if client supports it + if 'binary' in protocols: + self.base64 = False + elif 'base64' in protocols: + self.base64 = True + else: + raise self.EClose("Client must support 'binary' or 'base64' protocol") + + # Generate the hash value for the accept header + accept = b64encode(sha1(s2b(key + self.GUID)).digest()) + + response = self.server_handshake_hybi % b2s(accept) + if self.base64: + response += "Sec-WebSocket-Protocol: base64\r\n" + else: + response += "Sec-WebSocket-Protocol: binary\r\n" + response += "\r\n" + + else: + # Hixie version of the protocol (75 or 76) + + if h.get('key3'): + trailer = self.gen_md5(h) + pre = "Sec-" + self.version = "hixie-76" + else: + trailer = "" + pre = "" + self.version = "hixie-75" + + # We only support base64 in Hixie era + self.base64 = True + + response = self.server_handshake_hixie % (pre, + h['Origin'], pre, self.scheme, h['Host'], path) + + if 'base64' in protocols: + response += "%sWebSocket-Protocol: base64\r\n" % pre + else: + self.msg("Warning: client does not report 'base64' protocol support") + response += "\r\n" + trailer + + return response + + def do_handshake(self, sock, address): """ do_handshake does the following: @@ -569,10 +646,10 @@ Sec-WebSocket-Accept: %s\r - Send a WebSockets handshake server response. - Return the socket for this WebSocket client. """ - stype = "" - ready = select.select([sock], [], [], 3)[0] + + if not ready: raise self.EClose("ignoring socket not ready") # Peek, but do not read the data so that we have a opportunity @@ -613,7 +690,7 @@ Sec-WebSocket-Accept: %s\r else: raise - scheme = "wss" + self.scheme = "wss" stype = "SSL/TLS (wss://)" elif self.ssl_only: @@ -621,7 +698,7 @@ Sec-WebSocket-Accept: %s\r else: retsock = sock - scheme = "ws" + self.scheme = "ws" stype = "Plain non-SSL (ws://)" wsh = WSRequestHandler(retsock, address, not self.web) @@ -637,67 +714,7 @@ Sec-WebSocket-Accept: %s\r else: raise self.EClose("") - h = self.headers = wsh.headers - path = self.path = wsh.path - - prot = 'WebSocket-Protocol' - protocols = h.get('Sec-'+prot, h.get(prot, '')).split(',') - - ver = h.get('Sec-WebSocket-Version') - if ver: - # HyBi/IETF version of the protocol - - # HyBi-07 report version 7 - # HyBi-08 - HyBi-12 report version 8 - # HyBi-13 reports version 13 - if ver in ['7', '8', '13']: - self.version = "hybi-%02d" % int(ver) - else: - raise self.EClose('Unsupported protocol version %s' % ver) - - key = h['Sec-WebSocket-Key'] - - # Choose binary if client supports it - if 'binary' in protocols: - self.base64 = False - elif 'base64' in protocols: - self.base64 = True - else: - raise self.EClose("Client must support 'binary' or 'base64' protocol") - - # Generate the hash value for the accept header - accept = b64encode(sha1(s2b(key + self.GUID)).digest()) - - response = self.server_handshake_hybi % b2s(accept) - if self.base64: - response += "Sec-WebSocket-Protocol: base64\r\n" - else: - response += "Sec-WebSocket-Protocol: binary\r\n" - response += "\r\n" - - else: - # Hixie version of the protocol (75 or 76) - - if h.get('key3'): - trailer = self.gen_md5(h) - pre = "Sec-" - self.version = "hixie-76" - else: - trailer = "" - pre = "" - self.version = "hixie-75" - - # We only support base64 in Hixie era - self.base64 = True - - response = self.server_handshake_hixie % (pre, - h['Origin'], pre, scheme, h['Host'], path) - - if 'base64' in protocols: - response += "%sWebSocket-Protocol: base64\r\n" % pre - else: - self.msg("Warning: client does not report 'base64' protocol support") - response += "\r\n" + trailer + response = self.do_websocket_handshake(wsh.headers, wsh.path) self.msg("%s: %s WebSocket connection" % (address[0], stype)) self.msg("%s: Version %s, base64: '%s'" % (address[0], @@ -750,7 +767,7 @@ Sec-WebSocket-Accept: %s\r self.rec = None self.start_time = int(time.time()*1000) - # handler process + # handler process try: try: self.client = self.do_handshake(startsock, address) @@ -801,7 +818,7 @@ Sec-WebSocket-Accept: %s\r is a WebSockets client then call new_client() method (which must be overridden) for each new client connection. """ - lsock = self.socket(self.listen_host, self.listen_port) + lsock = self.socket(self.listen_host, self.listen_port, False, self.prefer_ipv6) if self.daemon: self.daemonize(keepfd=lsock.fileno(), chdir=self.web) @@ -848,7 +865,7 @@ Sec-WebSocket-Accept: %s\r continue else: raise - + if self.run_once: # Run in same process if run_once self.top_new_client(startsock, address) @@ -927,4 +944,3 @@ class WSRequestHandler(SimpleHTTPRequestHandler): def log_message(self, f, *args): # Save instead of printing self.last_message = f % args - diff --git a/utils/websockify b/utils/websockify index 550dff7..965ce13 100755 --- a/utils/websockify +++ b/utils/websockify @@ -13,9 +13,11 @@ as taken from http://docs.python.org/dev/library/ssl.html#certificates import socket, optparse, time, os, sys, subprocess from select import select -from websocket import WebSocketServer +import websocket +try: from urllib.parse import parse_qs, urlparse +except: from urlparse import parse_qs, urlparse -class WebSocketProxy(WebSocketServer): +class WebSocketProxy(websocket.WebSocketServer): """ Proxy traffic to and from a WebSockets client to a normal TCP socket server target. All traffic to/from the client is base64 @@ -43,6 +45,9 @@ Traffic Legend: self.target_port = kwargs.pop('target_port') self.wrap_cmd = kwargs.pop('wrap_cmd') self.wrap_mode = kwargs.pop('wrap_mode') + self.unix_target = kwargs.pop('unix_target') + self.ssl_target = kwargs.pop('ssl_target') + self.target_cfg = kwargs.pop('target_cfg') # Last 3 timestamps command was run self.wrap_times = [0, 0, 0] @@ -58,6 +63,7 @@ Traffic Legend: if not self.rebinder: raise Exception("rebind.so not found, perhaps you need to run make") + self.rebinder = os.path.abspath(self.rebinder) self.target_host = "127.0.0.1" # Loopback # Find a free high port @@ -71,7 +77,10 @@ Traffic Legend: "REBIND_OLD_PORT": str(kwargs['listen_port']), "REBIND_NEW_PORT": str(self.target_port)}) - WebSocketServer.__init__(self, *args, **kwargs) + if self.target_cfg: + self.target_cfg = os.path.abspath(self.target_cfg) + + websocket.WebSocketServer.__init__(self, *args, **kwargs) def run_wrap_cmd(self): print("Starting '%s'" % " ".join(self.wrap_cmd)) @@ -88,14 +97,26 @@ Traffic Legend: # Need to call wrapped command after daemonization so we can # know when the wrapped command exits if self.wrap_cmd: - print(" - proxying from %s:%s to '%s' (port %s)\n" % ( - self.listen_host, self.listen_port, - " ".join(self.wrap_cmd), self.target_port)) - self.run_wrap_cmd() + dst_string = "'%s' (port %s)" % (" ".join(self.wrap_cmd), self.target_port) + elif self.unix_target: + dst_string = self.unix_target else: - print(" - proxying from %s:%s to %s:%s\n" % ( - self.listen_host, self.listen_port, - self.target_host, self.target_port)) + dst_string = "%s:%s" % (self.target_host, self.target_port) + + if self.target_cfg: + msg = " - proxying from %s:%s to targets in %s" % ( + self.listen_host, self.listen_port, self.target_cfg) + else: + msg = " - proxying from %s:%s to %s" % ( + self.listen_host, self.listen_port, dst_string) + + if self.ssl_target: + msg += " (using SSL)" + + print(msg + "\n") + + if self.wrap_cmd: + self.run_wrap_cmd() def poll(self): # If we are wrapping a command, check it's status @@ -137,12 +158,26 @@ Traffic Legend: """ Called after a new WebSocket connection has been established. """ + # Checks if we receive a token, and look + # for a valid target for it then + if self.target_cfg: + (self.target_host, self.target_port) = self.get_target(self.target_cfg, self.path) # Connect to the target - self.msg("connecting to: %s:%s" % ( - self.target_host, self.target_port)) + if self.wrap_cmd: + msg = "connecting to command: %s" % (" ".join(self.wrap_cmd), self.target_port) + elif self.unix_target: + msg = "connecting to unix socket: %s" % self.unix_target + else: + msg = "connecting to: %s:%s" % ( + self.target_host, self.target_port) + + if self.ssl_target: + msg += " (using SSL)" + self.msg(msg) + tsock = self.socket(self.target_host, self.target_port, - connect=True) + connect=True, use_ssl=self.ssl_target, unix_socket=self.unix_target) if self.verbose and not self.daemon: print(self.traffic_legend) @@ -154,10 +189,49 @@ Traffic Legend: if tsock: tsock.shutdown(socket.SHUT_RDWR) tsock.close() - self.vmsg("%s:%s: Target closed" %( + self.vmsg("%s:%s: Closed target" %( self.target_host, self.target_port)) raise + def get_target(self, target_cfg, path): + """ + Parses the path, extracts a token, and looks for a valid + target for that token in the configuration file(s). Sets + target_host and target_port if successful + """ + # The files in targets contain the lines + # in the form of token: host:port + + # Extract the token parameter from url + args = parse_qs(urlparse(path)[4]) # 4 is the query from url + + if not len(args['token']): + raise self.EClose("Token not present") + + token = args['token'][0].rstrip('\n') + + # target_cfg can be a single config file or directory of + # config files + if os.path.isdir(target_cfg): + cfg_files = [os.path.join(target_cfg, f) + for f in os.listdir(target_cfg)] + else: + cfg_files = [target_cfg] + + targets = {} + for f in cfg_files: + for line in [l.strip() for l in file(f).readlines()]: + if line and not line.startswith('#'): + ttoken, target = line.split(': ') + targets[ttoken] = target.strip() + + self.vmsg("Target config: %s" % repr(targets)) + + if targets.has_key(token): + return targets[token].split(':') + else: + raise self.EClose("Token '%s' not found" % token) + def do_proxy(self, target): """ Proxy client WebSocket to normal target socket. @@ -191,6 +265,8 @@ Traffic Legend: # Receive target data, encode it and queue for client buf = target.recv(self.buffer_size) if len(buf) == 0: + self.vmsg("%s:%s: Target closed connection" %( + self.target_host, self.target_port)) raise self.CClose(1000, "Target closed") cqueue.append(buf) @@ -211,11 +287,13 @@ Traffic Legend: if closed: # TODO: What about blocking on client socket? + self.vmsg("%s:%s: Client closed connection" %( + self.target_host, self.target_port)) raise self.CClose(closed['code'], closed['reason']) def websockify_init(): usage = "\n %prog [options]" - usage += " [source_addr:]source_port target_addr:target_port" + usage += " [source_addr:]source_port [target_addr:target_port]" usage += "\n %prog [options]" usage += " [source_addr:]source_port -- WRAP_COMMAND_LINE" parser = optparse.OptionParser(usage=usage) @@ -235,17 +313,29 @@ def websockify_init(): parser.add_option("--key", default=None, help="SSL key file (if separate from cert)") parser.add_option("--ssl-only", action="store_true", - help="disallow non-encrypted connections") + help="disallow non-encrypted client connections") + parser.add_option("--ssl-target", action="store_true", + help="connect to SSL target as SSL client") + parser.add_option("--unix-target", + help="connect to unix socket target", metavar="FILE") parser.add_option("--web", default=None, metavar="DIR", help="run webserver on same port. Serve files from DIR.") parser.add_option("--wrap-mode", default="exit", metavar="MODE", choices=["exit", "ignore", "respawn"], help="action to take when the wrapped program exits " "or daemonizes: exit (default), ignore, respawn") + parser.add_option("--prefer-ipv6", "-6", + action="store_true", dest="source_is_ipv6", + help="prefer IPv6 when resolving source_addr") + parser.add_option("--target-config", metavar="FILE", + dest="target_cfg", + help="Configuration file containing valid targets " + "in the form 'token: host:port' or, alternatively, a " + "directory containing configuration files of this form") (opts, args) = parser.parse_args() # Sanity checks - if len(args) < 2: + if len(args) < 2 and not opts.target_cfg: parser.error("Too few arguments") if sys.argv.count('--'): opts.wrap_cmd = args[1:] @@ -254,24 +344,29 @@ def websockify_init(): if len(args) > 2: parser.error("Too many arguments") + if not websocket.ssl and opts.ssl_target: + parser.error("SSL target requested and Python SSL module not loaded."); + if opts.ssl_only and not os.path.exists(opts.cert): parser.error("SSL only and %s not found" % opts.cert) # Parse host:port and convert ports to numbers if args[0].count(':') > 0: opts.listen_host, opts.listen_port = args[0].rsplit(':', 1) + opts.listen_host = opts.listen_host.strip('[]') else: opts.listen_host, opts.listen_port = '', args[0] try: opts.listen_port = int(opts.listen_port) except: parser.error("Error parsing listen port") - if opts.wrap_cmd: + if opts.wrap_cmd or opts.unix_target or opts.target_cfg: opts.target_host = None opts.target_port = None else: if args[1].count(':') > 0: opts.target_host, opts.target_port = args[1].rsplit(':', 1) + opts.target_host = opts.target_host.strip('[]') else: parser.error("Error parsing target") try: opts.target_port = int(opts.target_port) |