Refactor network_from_str function to handle IPv6 addresses
Added a sample script that sets the trusted proxies list from Cloudflare's published IP ranges
This commit is contained in:
parent
093c7b3094
commit
81c5429f40
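--- /dev/null
+++ b/server/samples/set-proxies-from-cloudflare.py
@@ -0,0 +1,126 @@
+# -*- coding: utf-8 -*-
+
+#
+# Copyright (c) 2024 Virtual Cable S.L.U.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+# * Neither the name of Virtual Cable S.L.U. nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+'''
+Author: Adolfo Gómez, dkmaster at dkmon dot com
+'''
+import typing
+import asyncio
+import aiohttp
+
+AUTH_NAME: typing.Final[str] = 'interna'
+AUTH_USER: typing.Final[str] = 'admin'
+AUTH_PASS: typing.Final[str] = 'temporal'
+
+REST_URL: typing.Final[str] = 'http://172.27.0.1:8000/uds/rest/'
+
+
+class RESTException(Exception):
+    pass
+
+
+class AuthException(RESTException):
+    pass
+
+
+class LogoutException(RESTException):
+    pass
+
+
+# Hace login con el root, puede usarse cualquier autenticador y cualquier usuario, pero en la 1.5 solo está implementado poder hacer
+# este tipo de login con el usuario "root"
+async def login(session: aiohttp.ClientSession) -> None:
+    parameters = {
+        'auth': AUTH_NAME,
+        'username': AUTH_USER,
+        'password': AUTH_PASS,
+    }
+
+    response = await session.post(REST_URL + 'auth/login', json=parameters)
+
+    if not response.ok:
+        raise AuthException('Error logging in')
+
+    # resp contiene las cabeceras, content el contenido de la respuesta (que es json), pero aún está en formato texto
+    res = await response.json()
+    print(res)
+
+    if res['result'] != 'ok': # Authentication error
+        raise AuthException('Authentication error')
+
+    session.headers.update({'X-Auth-Token': res['token']})
+    session.headers.update({'Scrambler': res['scrambler']})
+
+    # Fix user agent, so we indicate we are on Linux
+    session.headers.update({'User-Agent': 'SampleClient/1.0 (Linux)'})
+
+
+async def logout(session: aiohttp.ClientSession) -> None:
+    response = await session.get(REST_URL + 'auth/logout')
+
+    if not response.ok:
+        raise LogoutException('Error logging out')
+
+
+async def set_config_var(section: str, name: str, value: str, session: aiohttp.ClientSession) -> None:
+    response = await session.put(
+        REST_URL + 'config',
+        json={
+            section: {
+                name: {
+                    'value': value,
+                }
+            }
+        },
+    )
+
+    if not response.ok:
+        raise RESTException('Error setting config var')
+
+
+async def main():
+    async with aiohttp.ClientSession() as session:
+        await login(session) # Will raise an exception if error
+
+        # Get ipv4 and ipv6 from cloudflare
+        ips: typing.List[str] = []
+        for url in ['https://www.cloudflare.com/ips-v4', 'https://www.cloudflare.com/ips-v6']:
+            response = await session.get(url)
+            if not response.ok:
+                raise RESTException('Error getting cloudflare ips')
+            ips += (await response.text()).strip().split('\n')
+
+        await set_config_var('Security', 'Allowed IP Forwarders', ','.join(ips), session)
+
+        await logout(session)
+
+
+if __name__ == "__main__":
+    loop = asyncio.new_event_loop()
+    loop.run_until_complete(main())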
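Review bot: The Cloudflare fetch in main() (`response = await session.get(url)`) runs on the same ClientSession after login(), and login() installed `X-Auth-Token` and `Scrambler` as session-wide default headers, so the UDS admin token is sent to www.cloudflare.com on every range request. Fetch the ranges with a separate, unauthenticated session before logging in (or pass `headers=` per request) so the credential never leaves the REST host. Separately, `print(res)` in login() echoes the full login response, token included, to stdout; print only `res['result']` or drop the line. The hard-coded `AUTH_PASS = 'temporal'` against a plain `http://` URL is acceptable for a sample but should carry a comment saying it is for lab use only, and note that set_config_var() sends the ranges joined by ',' while a failure after login() skips logout().

```python
async def main():
    # Fetch the published ranges with an anonymous session: after login() the
    # REST session carries X-Auth-Token/Scrambler as default headers and those
    # must never reach a third-party host.
    ips: typing.List[str] = []
    async with aiohttp.ClientSession() as public:
        for url in ['https://www.cloudflare.com/ips-v4', 'https://www.cloudflare.com/ips-v6']:
            response = await public.get(url)
            if not response.ok:
                raise RESTException('Error getting cloudflare ips')
            ips += (await response.text()).strip().split('\n')

    async with aiohttp.ClientSession() as session:
        await login(session)  # Will raise an exception if error
        # … unchanged: set_config_var('Security', 'Allowed IP Forwarders', ...) and logout …
```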
@ -127,18 +127,18 @@ class Login(Handler):
|
|||||||
):
|
):
|
||||||
raise exceptions.rest.RequestError('Invalid parameters (no auth)')
|
raise exceptions.rest.RequestError('Invalid parameters (no auth)')
|
||||||
|
|
||||||
authId: typing.Optional[str] = self._params.get(
|
auth_id: typing.Optional[str] = self._params.get(
|
||||||
'auth_id',
|
'auth_id',
|
||||||
self._params.get('authId', None), # Old compat, alias
|
self._params.get('authId', None), # Old compat, alias
|
||||||
)
|
)
|
||||||
authLabel: typing.Optional[str] = self._params.get(
|
auth_label: typing.Optional[str] = self._params.get(
|
||||||
'auth_label',
|
'auth_label',
|
||||||
self._params.get(
|
self._params.get(
|
||||||
'authSmallName', # Old compat name
|
'authSmallName', # Old compat name
|
||||||
self._params.get('authLabel', None), # Old compat name
|
self._params.get('authLabel', None), # Old compat name
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
authName: typing.Optional[str] = self._params.get('auth', None)
|
auth_name: typing.Optional[str] = self._params.get('auth', None)
|
||||||
platform: str = self._params.get('platform', self._request.os.os.value[0])
|
platform: str = self._params.get('platform', self._request.os.os.value[0])
|
||||||
|
|
||||||
username: str = self._params['username']
|
username: str = self._params['username']
|
||||||
@ -148,12 +148,12 @@ class Login(Handler):
|
|||||||
# Generate a random scrambler
|
# Generate a random scrambler
|
||||||
scrambler: str = CryptoManager.manager().random_string(32)
|
scrambler: str = CryptoManager.manager().random_string(32)
|
||||||
if (
|
if (
|
||||||
authName == 'admin'
|
auth_name == 'admin'
|
||||||
or authLabel == 'admin'
|
or auth_label == 'admin'
|
||||||
or authId == '00000000-0000-0000-0000-000000000000'
|
or auth_id == '00000000-0000-0000-0000-000000000000'
|
||||||
or (not authId and not authName and not authLabel)
|
or (not auth_id and not auth_name and not auth_label)
|
||||||
):
|
):
|
||||||
if GlobalConfig.SUPER_USER_LOGIN.get(True) == username and CryptoManager().check_hash(
|
if GlobalConfig.SUPER_USER_LOGIN.get(True) == username and CryptoManager.manager().check_hash(
|
||||||
password, GlobalConfig.SUPER_USER_PASS.get(True)
|
password, GlobalConfig.SUPER_USER_PASS.get(True)
|
||||||
):
|
):
|
||||||
self.gen_auth_token(-1, username, password, locale, platform, True, True, scrambler)
|
self.gen_auth_token(-1, username, password, locale, platform, True, True, scrambler)
|
||||||
@ -161,12 +161,12 @@ class Login(Handler):
|
|||||||
return Login.result(error='Invalid credentials')
|
return Login.result(error='Invalid credentials')
|
||||||
|
|
||||||
# Will raise an exception if no auth found
|
# Will raise an exception if no auth found
|
||||||
if authId:
|
if auth_id:
|
||||||
auth = Authenticator.objects.get(uuid=process_uuid(authId))
|
auth = Authenticator.objects.get(uuid=process_uuid(auth_id))
|
||||||
elif authName:
|
elif auth_name:
|
||||||
auth = Authenticator.objects.get(name=authName)
|
auth = Authenticator.objects.get(name__iexact=auth_name)
|
||||||
else:
|
else:
|
||||||
auth = Authenticator.objects.get(small_name=authLabel)
|
auth = Authenticator.objects.get(small_name__iexact=auth_label)
|
||||||
|
|
||||||
# No matter in fact the password, just not empty (so it can be encrypted, but will be invalid anyway)
|
# No matter in fact the password, just not empty (so it can be encrypted, but will be invalid anyway)
|
||||||
password = password or CryptoManager().random_string(32)
|
password = password or CryptoManager().random_string(32)
|
||||||
|
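Review bot: Switching the lookups to `Authenticator.objects.get(name__iexact=auth_name)` and `small_name__iexact=auth_label` makes `get()` able to raise `MultipleObjectsReturned` whenever two authenticators differ only in letter case, unless the model enforces case-insensitive uniqueness, which this hunk does not show; either catch it next to `DoesNotExist` where the "no auth found" comment says the exception is handled, or keep the exact match. The root-login special case a few lines above still compares `auth_name == 'admin'` and `auth_label == 'admin'` case-sensitively, so `auth=Admin` now skips the root branch and hits the case-insensitive DB lookup instead; if the keyword is meant to be reserved regardless of case, compare `(auth_name or '').lower() == 'admin'`. The commit also changes one call to `CryptoManager.manager().check_hash(...)` but leaves `password = password or CryptoManager().random_string(32)` below it on the old form; use the same accessor in both. The enclosing Login handler starts and ends outside these hunks.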
@ -180,7 +180,9 @@ def needs_trusted_source(
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
@wraps(view_func)
|
@wraps(view_func)
|
||||||
def _wrapped_view(request: 'types.requests.ExtendedHttpRequest', *args: typing.Any, **kwargs: typing.Any) -> HttpResponse:
|
def _wrapped_view(
|
||||||
|
request: 'types.requests.ExtendedHttpRequest', *args: typing.Any, **kwargs: typing.Any
|
||||||
|
) -> HttpResponse:
|
||||||
"""
|
"""
|
||||||
Wrapped function for decorator
|
Wrapped function for decorator
|
||||||
"""
|
"""
|
||||||
@ -202,7 +204,9 @@ def needs_trusted_source(
|
|||||||
# it's designed to be used in ajax calls mainly
|
# it's designed to be used in ajax calls mainly
|
||||||
def deny_non_authenticated(view_func: collections.abc.Callable[..., RT]) -> collections.abc.Callable[..., RT]:
|
def deny_non_authenticated(view_func: collections.abc.Callable[..., RT]) -> collections.abc.Callable[..., RT]:
|
||||||
@wraps(view_func)
|
@wraps(view_func)
|
||||||
def _wrapped_view(request: 'types.requests.ExtendedHttpRequest', *args: typing.Any, **kwargs: typing.Any) -> RT:
|
def _wrapped_view(
|
||||||
|
request: 'types.requests.ExtendedHttpRequest', *args: typing.Any, **kwargs: typing.Any
|
||||||
|
) -> RT:
|
||||||
if not request.user or not request.authorized:
|
if not request.user or not request.authorized:
|
||||||
return HttpResponseForbidden() # type: ignore
|
return HttpResponseForbidden() # type: ignore
|
||||||
return view_func(request, *args, **kwargs)
|
return view_func(request, *args, **kwargs)
|
||||||
@ -215,6 +219,7 @@ def register_user(
|
|||||||
auth_instance: AuthenticatorInstance,
|
auth_instance: AuthenticatorInstance,
|
||||||
username: str,
|
username: str,
|
||||||
request: 'types.requests.ExtendedHttpRequest',
|
request: 'types.requests.ExtendedHttpRequest',
|
||||||
|
skip_callbacks: bool = False,
|
||||||
) -> types.auth.LoginResult:
|
) -> types.auth.LoginResult:
|
||||||
"""
|
"""
|
||||||
Check if this user already exists on database with this authenticator, if don't, create it with defaults
|
Check if this user already exists on database with this authenticator, if don't, create it with defaults
|
||||||
@ -239,7 +244,7 @@ def register_user(
|
|||||||
browser=request.os.browser,
|
browser=request.os.browser,
|
||||||
version=request.os.version,
|
version=request.os.version,
|
||||||
)
|
)
|
||||||
# Try to notify callback if needed
|
if not skip_callbacks:
|
||||||
callbacks.weblogin(usr)
|
callbacks.weblogin(usr)
|
||||||
|
|
||||||
return types.auth.LoginResult(user=usr)
|
return types.auth.LoginResult(user=usr)
|
||||||
@ -252,19 +257,17 @@ def authenticate(
|
|||||||
password: str,
|
password: str,
|
||||||
authenticator: models.Authenticator,
|
authenticator: models.Authenticator,
|
||||||
request: 'types.requests.ExtendedHttpRequest',
|
request: 'types.requests.ExtendedHttpRequest',
|
||||||
|
skip_callbacks: bool = False,
|
||||||
) -> types.auth.LoginResult:
|
) -> types.auth.LoginResult:
|
||||||
"""
|
"""
|
||||||
Given an username, password and authenticator, try to authenticate user
|
Authenticate user with provided credentials
|
||||||
@param username: username to authenticate
|
|
||||||
@param password: password to authenticate this user
|
|
||||||
@param authenticator: Authenticator (database object) used to authenticate with provided credentials
|
|
||||||
@param request: Request object
|
|
||||||
|
|
||||||
@return:
|
|
||||||
An types.auth.LoginResult indicating:
|
|
||||||
user if success in logging in field user or None if not
|
|
||||||
url if not success in logging in field url so instead of error UDS will redirect to this url
|
|
||||||
|
|
||||||
|
Args:
|
||||||
|
username (str): username to authenticate
|
||||||
|
password (str): password to authenticate this user
|
||||||
|
authenticator (models.Authenticator): Authenticator (database object) used to authenticate with provided credentials
|
||||||
|
request (ExtendedHttpRequestWithUser): Request object
|
||||||
|
skip_callbacks (bool, optional): Skip callbacks. Defaults to False.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
logger.debug('Authenticating user %s with authenticator %s', username, authenticator)
|
logger.debug('Authenticating user %s with authenticator %s', username, authenticator)
|
||||||
@ -354,13 +357,12 @@ def authenticate_via_callback(
|
|||||||
if result.success == types.auth.AuthenticationState.REDIRECT:
|
if result.success == types.auth.AuthenticationState.REDIRECT:
|
||||||
return types.auth.LoginResult(url=result.url)
|
return types.auth.LoginResult(url=result.url)
|
||||||
|
|
||||||
if result.username:
|
if not result.username:
|
||||||
return register_user(authenticator, auth_instance, result.username or '', request)
|
|
||||||
else:
|
|
||||||
logger.warning('Authenticator %s returned empty username', authenticator.name)
|
logger.warning('Authenticator %s returned empty username', authenticator.name)
|
||||||
|
|
||||||
raise exceptions.auth.InvalidUserException('User doesn\'t has access to UDS')
|
raise exceptions.auth.InvalidUserException('User doesn\'t has access to UDS')
|
||||||
|
|
||||||
|
return register_user(authenticator, auth_instance, result.username, request)
|
||||||
|
|
||||||
|
|
||||||
def authenticate_callback_url(authenticator: models.Authenticator) -> str:
|
def authenticate_callback_url(authenticator: models.Authenticator) -> str:
|
||||||
"""
|
"""
|
||||||
@ -447,7 +449,9 @@ def web_password(request: HttpRequest) -> str:
|
|||||||
return CryptoManager().symmetric_decrypt(passkey, uds_cookie(request)) # recover as original unicode string
|
return CryptoManager().symmetric_decrypt(passkey, uds_cookie(request)) # recover as original unicode string
|
||||||
|
|
||||||
|
|
||||||
def web_logout(request: 'types.requests.ExtendedHttpRequest', exit_url: typing.Optional[str] = None) -> HttpResponse:
|
def web_logout(
|
||||||
|
request: 'types.requests.ExtendedHttpRequest', exit_url: typing.Optional[str] = None
|
||||||
|
) -> HttpResponse:
|
||||||
"""
|
"""
|
||||||
Helper function to clear user related data from session. If this method is not used, the session we be cleaned anyway
|
Helper function to clear user related data from session. If this method is not used, the session we be cleaned anyway
|
||||||
by django in regular basis.
|
by django in regular basis.
|
||||||
|
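Review bot: The rewritten docstring of authenticate() documents the new `skip_callbacks` argument but drops the return contract the old text carried, namely that the result is a `types.auth.LoginResult` with `user` set on success and `url` set when UDS should redirect instead of reporting an error; callers rely on that distinction, so add a `Returns:` paragraph stating it. The `request` entry also names `ExtendedHttpRequestWithUser` while the annotation on the parameter is `'types.requests.ExtendedHttpRequest'`; make the docstring match the annotation. It is not visible in this hunk whether authenticate() forwards `skip_callbacks` to register_user(), so that call site should be checked, otherwise the new flag is accepted but has no effect. The body of authenticate() continues outside the hunk.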
@ -30,6 +30,7 @@
|
|||||||
"""
|
"""
|
||||||
Author: Adolfo Gómez, dkmaster at dkmon dot com
|
Author: Adolfo Gómez, dkmaster at dkmon dot com
|
||||||
"""
|
"""
|
||||||
|
import functools
|
||||||
import ipaddress
|
import ipaddress
|
||||||
import logging
|
import logging
|
||||||
import re
|
import re
|
||||||
@ -210,29 +211,32 @@ def network_from_str_ipv6(strNets: str) -> NetworkType:
|
|||||||
|
|
||||||
|
|
||||||
def network_from_str(
|
def network_from_str(
|
||||||
strNets: str,
|
network_str: str,
|
||||||
version: typing.Literal[0, 4, 6] = 0,
|
version: typing.Literal[0, 4, 6] = 0,
|
||||||
) -> NetworkType:
|
) -> NetworkType:
|
||||||
if not ':' in strNets and version != 6:
|
try:
|
||||||
return network_from_str_ipv4(strNets)
|
if not ':' in network_str and version != 6:
|
||||||
|
return network_from_str_ipv4(network_str)
|
||||||
# ':' in strNets or version == 6:
|
# ':' in strNets or version == 6:
|
||||||
# If is in fact an IPv4 address, return None network, this will not be used
|
# If is in fact an IPv4 address, return None network, this will not be used
|
||||||
if '.' in strNets:
|
if '.' in network_str:
|
||||||
|
return NetworkType(0, 0, 0)
|
||||||
|
return network_from_str_ipv6(network_str)
|
||||||
|
except ValueError:
|
||||||
return NetworkType(0, 0, 0)
|
return NetworkType(0, 0, 0)
|
||||||
return network_from_str_ipv6(strNets)
|
|
||||||
|
|
||||||
|
|
||||||
|
@functools.lru_cache(maxsize=32)
|
||||||
def networks_from_str(
|
def networks_from_str(
|
||||||
nets: str,
|
networks_str: str,
|
||||||
version: typing.Literal[0, 4, 6] = 0,
|
version: typing.Literal[0, 4, 6] = 0,
|
||||||
) -> list[NetworkType]:
|
) -> list[NetworkType]:
|
||||||
"""
|
"""
|
||||||
If allowMultipleNetworks is True, it allows ',' and ';' separators (and, ofc, more than 1 network)
|
If allowMultipleNetworks is True, it allows ',' and ';' separators (and, ofc, more than 1 network)
|
||||||
Returns a list of networks tuples in the form [(start1, end1), (start2, end2) ...]
|
Returns a list of networks tuples in the form [(start1, end1), (start2, end2) ...]
|
||||||
"""
|
"""
|
||||||
return [network_from_str(str_net, version) for str_net in re.split('[;,]', nets) if str_net]
|
return [network_from_str(str_net, version) for str_net in re.split('[;,]', networks_str) if str_net]
|
||||||
|
|
||||||
|
|
||||||
|
@functools.lru_cache(maxsize=32)
|
||||||
def contains(
|
def contains(
|
||||||
networks: typing.Union[str, NetworkType, list[NetworkType]],
|
networks: typing.Union[str, NetworkType, list[NetworkType]],
|
||||||
ip: typing.Union[str, int],
|
ip: typing.Union[str, int],
|
||||||
|