2014-04-07 16:43:39 -04:00
|
|
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
|
|
|
|
|
|
# Copyright 2014 IBM Corporation
|
|
|
|
|
#
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
|
#
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
#
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
|
# limitations under the License.
|
2013-09-14 11:08:48 -04:00
|
|
|
# ALl rights reserved
|
|
|
|
|
|
|
|
|
|
# This is the socket api layer.
|
|
|
|
|
# It implement unix and tls sockets
|
2013-10-10 14:17:08 -04:00
|
|
|
#
|
2013-09-14 11:08:48 -04:00
|
|
|
# TODO: SO_PEERCRED for unix socket
|
2014-02-09 10:43:26 -05:00
|
|
|
import confluent.auth as auth
|
|
|
|
|
import confluent.common.tlvdata as tlvdata
|
2013-11-02 13:25:56 -04:00
|
|
|
import confluent.consoleserver as consoleserver
|
2013-11-02 16:58:38 -04:00
|
|
|
import confluent.config.configmanager as configmanager
|
2014-02-09 17:35:49 -05:00
|
|
|
import confluent.exceptions as exc
|
2014-04-18 10:36:51 -04:00
|
|
|
import confluent.log as log
|
2014-02-09 17:35:49 -05:00
|
|
|
import confluent.messages
|
|
|
|
|
import confluent.pluginapi as pluginapi
|
2013-09-14 11:08:48 -04:00
|
|
|
import eventlet.green.socket as socket
|
|
|
|
|
import eventlet.green.ssl as ssl
|
2013-09-14 20:21:58 -04:00
|
|
|
import eventlet
|
2014-02-09 17:35:49 -05:00
|
|
|
import json
|
2013-10-14 09:21:55 -04:00
|
|
|
import os
|
2014-02-10 09:41:08 -05:00
|
|
|
import pwd
|
|
|
|
|
import stat
|
2013-10-14 09:21:55 -04:00
|
|
|
import struct
|
2014-04-18 10:36:51 -04:00
|
|
|
import traceback
|
2013-10-14 09:21:55 -04:00
|
|
|
|
2014-04-18 10:36:51 -04:00
|
|
|
tracelog = None
|
|
|
|
|
auditlog = None
|
2013-10-14 09:21:55 -04:00
|
|
|
SO_PEERCRED = 17
|
2013-09-14 11:08:48 -04:00
|
|
|
|
2014-02-09 10:43:26 -05:00
|
|
|
class ClientConsole(object):
|
|
|
|
|
def __init__(self, client):
|
2014-02-10 09:16:29 -05:00
|
|
|
self.client = client
|
|
|
|
|
self.xmit = False
|
2014-04-02 15:48:31 -04:00
|
|
|
self.pendingdata = []
|
2014-02-09 10:43:26 -05:00
|
|
|
|
|
|
|
|
def sendall(self, data):
|
2014-02-10 09:16:29 -05:00
|
|
|
if not self.xmit:
|
2014-04-02 15:48:31 -04:00
|
|
|
self.pendingdata.append(data)
|
2014-02-10 09:16:29 -05:00
|
|
|
return
|
2014-03-04 17:12:19 -05:00
|
|
|
tlvdata.send(self.client, data)
|
2014-02-09 10:43:26 -05:00
|
|
|
|
2014-02-10 09:16:29 -05:00
|
|
|
def startsending(self):
|
|
|
|
|
self.xmit = True
|
2014-04-02 15:48:31 -04:00
|
|
|
for datum in self.pendingdata:
|
|
|
|
|
tlvdata.send(self.client, datum)
|
2014-02-10 09:16:29 -05:00
|
|
|
self.pendingdata = None
|
|
|
|
|
|
|
|
|
|
|
2014-03-10 13:15:31 -04:00
|
|
|
def sessionhdl(connection, authname, skipauth):
|
2014-02-09 10:43:26 -05:00
|
|
|
# For now, trying to test the console stuff, so let's just do n4.
|
|
|
|
|
authenticated = False
|
2014-02-10 09:19:22 -05:00
|
|
|
authdata = None
|
2014-03-10 13:15:31 -04:00
|
|
|
if skipauth:
|
2014-02-09 10:43:26 -05:00
|
|
|
authenticated = True
|
|
|
|
|
cfm = configmanager.ConfigManager(tenant=None)
|
|
|
|
|
elif authname:
|
|
|
|
|
authdata = auth.authorize(authname, element=None)
|
2014-02-10 09:41:08 -05:00
|
|
|
if authdata is not None:
|
|
|
|
|
cfm = authdata[1]
|
|
|
|
|
authenticated = True
|
2014-03-04 17:12:19 -05:00
|
|
|
tlvdata.send(connection,"Confluent -- v0 --")
|
2014-02-09 10:43:26 -05:00
|
|
|
while not authenticated: # prompt for name and passphrase
|
2014-03-04 17:12:19 -05:00
|
|
|
tlvdata.send(connection, {'authpassed': 0})
|
|
|
|
|
response = tlvdata.recv(connection)
|
2014-03-09 20:34:39 -04:00
|
|
|
authname = response['username']
|
2014-02-09 10:43:26 -05:00
|
|
|
passphrase = response['passphrase']
|
2014-02-09 17:35:49 -05:00
|
|
|
# note(jbjohnso): here, we need to authenticate, but not
|
2014-02-09 10:43:26 -05:00
|
|
|
# authorize a user. When authorization starts understanding
|
|
|
|
|
# element path, that authorization will need to be called
|
|
|
|
|
# per request the user makes
|
2014-03-09 20:34:39 -04:00
|
|
|
authdata = auth.check_user_passphrase(authname, passphrase)
|
2014-04-18 10:36:51 -04:00
|
|
|
if authdata is None:
|
|
|
|
|
auditlog.log(
|
|
|
|
|
{'operation': 'connect', 'user': authname, 'allowed': False})
|
|
|
|
|
else:
|
2014-02-09 10:43:26 -05:00
|
|
|
authenticated = True
|
|
|
|
|
cfm = authdata[1]
|
2014-03-04 17:12:19 -05:00
|
|
|
tlvdata.send(connection, {'authpassed': 1})
|
|
|
|
|
request = tlvdata.recv(connection)
|
2014-02-09 17:35:49 -05:00
|
|
|
while request is not None:
|
2014-03-03 15:52:12 -05:00
|
|
|
try:
|
2014-04-18 10:36:51 -04:00
|
|
|
process_request(
|
|
|
|
|
connection, request, cfm, authdata, authname, skipauth)
|
|
|
|
|
except exc.ForbiddenRequest as e:
|
|
|
|
|
tlvdata.send(connection, {'errorcode': 403,
|
|
|
|
|
'error': 'Forbidden'})
|
|
|
|
|
tlvdata.send(connection, {'_requestdone': 1})
|
2014-03-03 15:52:12 -05:00
|
|
|
except:
|
2014-04-18 10:36:51 -04:00
|
|
|
tracelog.log(traceback.format_exc(), ltype=log.DataTypes.event,
|
|
|
|
|
event=log.Events.stacktrace)
|
2014-03-04 17:12:19 -05:00
|
|
|
tlvdata.send(connection, {'errorcode': 500,
|
2014-03-03 15:52:12 -05:00
|
|
|
'error': 'Unexpected error'})
|
2014-03-04 17:12:19 -05:00
|
|
|
tlvdata.send(connection, {'_requestdone': 1})
|
|
|
|
|
request = tlvdata.recv(connection)
|
2014-02-09 17:35:49 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def send_response(responses, connection):
|
2014-02-09 19:26:48 -05:00
|
|
|
if responses is None:
|
|
|
|
|
return
|
2014-02-09 17:35:49 -05:00
|
|
|
for rsp in responses:
|
2014-03-04 17:12:19 -05:00
|
|
|
tlvdata.send(connection, rsp.raw())
|
|
|
|
|
tlvdata.send(connection, {'_requestdone': 1})
|
2014-02-09 19:26:48 -05:00
|
|
|
|
2014-02-09 17:35:49 -05:00
|
|
|
|
2014-04-18 10:36:51 -04:00
|
|
|
def process_request(connection, request, cfm, authdata, authname, skipauth):
|
2014-02-09 17:35:49 -05:00
|
|
|
#TODO(jbjohnso): authorize each request
|
2014-04-18 10:36:51 -04:00
|
|
|
if not isinstance(request, dict):
|
|
|
|
|
raise ValueError
|
|
|
|
|
operation = request['operation']
|
|
|
|
|
path = request['path']
|
|
|
|
|
params = request.get('parameters', None)
|
|
|
|
|
hdlr = None
|
|
|
|
|
if not skipauth:
|
|
|
|
|
authdata = auth.authorize(authdata[2], path, authdata[3], operation)
|
|
|
|
|
auditmsg = {
|
|
|
|
|
'operation': operation,
|
|
|
|
|
'user': authdata[2],
|
|
|
|
|
'target': path,
|
|
|
|
|
}
|
|
|
|
|
if authdata[3] is not None:
|
|
|
|
|
auditmsg['tenant'] = authdata[3]
|
|
|
|
|
if authdata is None:
|
|
|
|
|
auditmsg['allowed'] = False
|
|
|
|
|
auditlog.log(auditmsg)
|
|
|
|
|
raise exc.ForbiddenRequest()
|
|
|
|
|
auditmsg['allowed'] = True
|
|
|
|
|
auditlog.log(auditmsg)
|
|
|
|
|
try:
|
|
|
|
|
if operation == 'start':
|
|
|
|
|
elems = path.split('/')
|
|
|
|
|
if elems[3] != "console":
|
|
|
|
|
raise exc.InvalidArgumentException()
|
|
|
|
|
node = elems[2]
|
|
|
|
|
ccons = ClientConsole(connection)
|
|
|
|
|
consession = consoleserver.ConsoleSession(
|
|
|
|
|
node=node, configmanager=cfm, username=authname,
|
|
|
|
|
datacallback=ccons.sendall)
|
|
|
|
|
if consession is None:
|
|
|
|
|
raise Exception("TODO")
|
|
|
|
|
tlvdata.send(connection, {'started': 1})
|
|
|
|
|
ccons.startsending()
|
|
|
|
|
while consession is not None:
|
|
|
|
|
data = tlvdata.recv(connection)
|
|
|
|
|
if type(data) == dict:
|
|
|
|
|
if data['operation'] == 'stop':
|
2014-02-10 09:16:29 -05:00
|
|
|
consession.destroy()
|
|
|
|
|
return
|
2014-04-18 10:36:51 -04:00
|
|
|
elif data['operation'] == 'break':
|
|
|
|
|
consession.send_break()
|
|
|
|
|
continue
|
|
|
|
|
else:
|
|
|
|
|
raise Exception("TODO")
|
|
|
|
|
if not data:
|
|
|
|
|
consession.destroy()
|
|
|
|
|
return
|
|
|
|
|
consession.write(data)
|
|
|
|
|
else:
|
|
|
|
|
hdlr = pluginapi.handle_path(path, operation, cfm, params)
|
|
|
|
|
except exc.NotFoundException:
|
|
|
|
|
tlvdata.send(connection, {"errorcode": 404,
|
|
|
|
|
"error": "Target not found"})
|
|
|
|
|
tlvdata.send(connection, {"_requestdone": 1})
|
|
|
|
|
except exc.InvalidArgumentException:
|
|
|
|
|
tlvdata.send(connection, {"errorcode": 400,
|
|
|
|
|
"error": "Bad Request"})
|
|
|
|
|
tlvdata.send(connection, {"_requestdone": 1})
|
|
|
|
|
send_response(hdlr, connection)
|
2014-02-09 17:35:49 -05:00
|
|
|
return
|
2013-09-14 11:08:48 -04:00
|
|
|
|
|
|
|
|
|
2013-10-14 09:21:55 -04:00
|
|
|
def _tlshandler():
|
2013-09-14 11:08:48 -04:00
|
|
|
plainsocket = socket.socket()
|
2013-10-09 20:14:34 -04:00
|
|
|
plainsocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
2014-02-22 14:12:39 -05:00
|
|
|
plainsocket.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
|
2013-09-14 11:08:48 -04:00
|
|
|
srv = ssl.wrap_socket(plainsocket, keyfile="/etc/confluent/privkey.pem",
|
2013-09-14 20:21:58 -04:00
|
|
|
certfile="/etc/confluent/srvcert.pem",
|
|
|
|
|
ssl_version=ssl.PROTOCOL_TLSv1,
|
|
|
|
|
server_side=True)
|
2013-09-14 11:08:48 -04:00
|
|
|
srv.bind(('0.0.0.0', 4001))
|
|
|
|
|
srv.listen(5)
|
2013-10-14 11:28:07 -04:00
|
|
|
authname = None
|
2013-09-14 11:08:48 -04:00
|
|
|
while (1): # TODO: exithook
|
|
|
|
|
cnn, addr = srv.accept()
|
2013-10-14 11:28:07 -04:00
|
|
|
eventlet.spawn_n(sessionhdl, cnn, authname)
|
2013-09-14 11:08:48 -04:00
|
|
|
|
2013-10-14 09:21:55 -04:00
|
|
|
|
|
|
|
|
def _unixdomainhandler():
|
|
|
|
|
unixsocket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
|
|
|
|
try:
|
|
|
|
|
os.remove("/var/run/confluent/api.sock")
|
|
|
|
|
except OSError: # if file does not exist, no big deal
|
|
|
|
|
pass
|
|
|
|
|
unixsocket.bind("/var/run/confluent/api.sock")
|
2014-02-10 09:41:08 -05:00
|
|
|
os.chmod("/var/run/confluent/api.sock",
|
|
|
|
|
stat.S_IWOTH | stat.S_IROTH | stat.S_IWGRP |
|
|
|
|
|
stat.S_IRGRP | stat.S_IWUSR | stat.S_IRUSR)
|
2013-10-14 09:21:55 -04:00
|
|
|
unixsocket.listen(5)
|
|
|
|
|
while (1):
|
|
|
|
|
cnn, addr = unixsocket.accept()
|
|
|
|
|
creds = cnn.getsockopt(socket.SOL_SOCKET, SO_PEERCRED,
|
|
|
|
|
struct.calcsize('3i'))
|
2013-10-14 11:28:07 -04:00
|
|
|
pid, uid, gid = struct.unpack('3i',creds)
|
2014-03-10 13:15:31 -04:00
|
|
|
skipauth = False
|
2013-10-14 11:28:07 -04:00
|
|
|
if uid in (os.getuid(), 0):
|
|
|
|
|
#this is where we happily accept the person
|
|
|
|
|
#to do whatever. This allows the server to
|
|
|
|
|
#start with no configuration whatsoever
|
|
|
|
|
#and yet still be configurable by some means
|
2014-03-10 13:15:31 -04:00
|
|
|
skipauth = True
|
|
|
|
|
try:
|
|
|
|
|
authname = pwd.getpwuid(uid).pw_name
|
|
|
|
|
except:
|
|
|
|
|
authname = "UNKNOWN SUPERUSER"
|
2013-10-14 11:28:07 -04:00
|
|
|
else:
|
|
|
|
|
try:
|
|
|
|
|
authname = pwd.getpwuid(uid).pw_name
|
|
|
|
|
except KeyError:
|
|
|
|
|
cnn.close()
|
|
|
|
|
return
|
2014-03-10 13:15:31 -04:00
|
|
|
eventlet.spawn_n(sessionhdl, cnn, authname, skipauth)
|
2013-10-14 09:21:55 -04:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2013-09-14 11:08:48 -04:00
|
|
|
class SockApi(object):
|
|
|
|
|
def start(self):
|
2014-04-18 10:36:51 -04:00
|
|
|
global auditlog
|
|
|
|
|
global tracelog
|
|
|
|
|
tracelog = log.Logger('trace')
|
|
|
|
|
auditlog = log.Logger('audit')
|
2013-10-14 09:21:55 -04:00
|
|
|
self.tlsserver = eventlet.spawn(_tlshandler)
|
|
|
|
|
self.unixdomainserver = eventlet.spawn(_unixdomainhandler)
|
