#718: Aproximación para incluir seguridad en la comunicación OGAgent-OpenGnsys, incluyendo una clave de seguridad aleatoria en la operación de inicio de OGAgent que deberá ser utilizada posteriormente por el servidor OpenGnsys.

git-svn-id: https://opengnsys.es/svn/branches/version1.1@4978 a21b9725-9963-47de-94b9-378ad31fedc9

src/opengnsys/httpserver.py

@@ -90,7 +90,7 @@ class HTTPServerHandler(BaseHTTPRequestHandler):
         Locates witch module will process the message based on path (first folder on url path)
         '''
         try:
-            data = module.processServerMessage(path, getParams, postParams)
+            data = module.processServerMessage(path, getParams, postParams, self)
             self.sendJsonResponse(data)
         except Exception as e:
             logger.exception()

src/opengnsys/modules/server/OpenGnSys/__init__.py

@@ -43,6 +43,8 @@ import thread
 import os
 import platform
 import time
+import random
+import string
 
 # Error handler decorator.
 def catchBackgroundError(fnc):
@@ -57,11 +59,14 @@ def catchBackgroundError(fnc):
 class OpenGnSysWorker(ServerWorker):
     name = 'opengnsys'
     interface = None  # Binded interface for OpenGnsys
-    loggedin = False  #
+    loggedin = False  # User session flag
     locked = {}
+    random = None     # Random string for secure connections
+    length = 32       # Random string length
     
     def onActivation(self):
         self.cmd = None
+        self.random = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(self.length))
         # Ensure cfg has required configuration variables or an exception will be thrown
         
         self.REST = REST(self.service.config.get('opengnsys', 'remote'))
@@ -73,7 +78,7 @@ class OpenGnSysWorker(ServerWorker):
         #self.REST.sendMessage('initialize/{}/{}'.format(self.interface.mac, self.interface.ip))
         
         # Send an POST message
-        self.REST.sendMessage('ogagent/started', {'mac': self.interface.mac, 'ip': self.interface.ip})
+        self.REST.sendMessage('ogagent/started', {'mac': self.interface.mac, 'ip': self.interface.ip, 'secret': self.random})
         
     def onDeactivation(self):
         #self.REST.sendMessage('deinitialize/{}/{}'.format(self.interface.mac, self.interface.ip))
@@ -87,12 +92,16 @@ class OpenGnSysWorker(ServerWorker):
     #   self.sendClientMessage('doit', {'param1': 'test', 'param2': 'test2'})
     #   return 'Processed message for {}, {}, {}'.format(path, getParams, postParams)
     
-    def process_script(self, path, getParams, postParams):
+    def process_script(self, path, getParams, postParams, server):
         '''
         Processes an script execution (script is encoded in base64)
         '''
         logger.debug('Processing script request')
         script = postParams.get('script')
+        secret = getParams.get('secret')
+        if secret != self.random:
+            logger.error('Unauthorized operation.')
+            raise Exception('Unauthorized operation')
         if postParams.get('client', 'false') == 'false':
             thr = ScriptExecutorThread(script=script.decode('base64'))
             thr.start()
@@ -110,14 +119,14 @@ class OpenGnSysWorker(ServerWorker):
     def onLogin(self, user):
         logger.debug('Received login for {}'.format(user))
         self.loggedin = True
-        self.REST.sendMessage('ogagent/loggedin', {'ip': self.interface.ip, 'user': user, 'ostype': operations.osType, 'osversion': operations.osVersion})
-        
+        self.REST.sendMessage('ogagent/loggedin', {'ip': self.interface.ip, 'user': user, 'ostype': operations.osType, 'osversion': operations.osVersion})        
+
     def onLogout(self, user):
         logger.debug('Received logout for {}'.format(user))
         self.loggedin = False
-        self.REST.sendMessage('ogagent/loggedout', {'ip': self.interface.ip, 'user': user, 'ostype': operations.osType, 'osversion': operations.osVersion})
+        self.REST.sendMessage('ogagent/loggedout', {'ip': self.interface.ip, 'user': user, 'ostype': operations.osType, 'osversion': operations.osVersion})        
 
-    def process_ogclient(self, path, getParams, postParams):
+    def process_ogclient(self, path, getParams, postParams, server):
         '''
         This method can be overriden to provide your own message proccessor, or better you can
         implement a method that is called exactly as "process_" + path[0] (module name has been removed from path array) and this default processMessage will invoke it
@@ -144,7 +153,7 @@ class OpenGnSysWorker(ServerWorker):
         return operation(path[1:], getParams, postParams)
        
     ###### EN PRUEBAS ###### 
-    def process_status(self, path, getParams, postParams):
+    def process_status(self, path, getParams, postParams, server):
         '''
         Returns client status.
         '''
@@ -167,7 +176,7 @@ class OpenGnSysWorker(ServerWorker):
             res['status'] = 'OSX'
         return res
     
-    def process_reboot(self, path, getParams, postParams):
+    def process_reboot(self, path, getParams, postParams, server):
         '''
         Launches a system reboot operation.
         '''
@@ -177,7 +186,7 @@ class OpenGnSysWorker(ServerWorker):
         threading.Thread(target=rebt).start()
         return {'op': 'launched'}
 
-    def process_poweroff(self, path, getParams, postParams):
+    def process_poweroff(self, path, getParams, postParams, server):
         '''
         Launches a system power off operation.
         '''
@@ -188,7 +197,7 @@ class OpenGnSysWorker(ServerWorker):
         threading.Thread(target=pwoff).start()
         return {'op': 'launched'}
 
-    def process_logoff(self, path, getParams, postParams):
+    def process_logoff(self, path, getParams, postParams, server):
         '''
         Closes user session.
         '''

src/opengnsys/workers/server_worker.py

@@ -63,7 +63,7 @@ class ServerWorker(object):
         '''
         self.onDeactivation()
         
-    def process(self, getParams, postParams):
+    def process(self, getParams, postParams, server):
         '''
         This method is invoked on a message received with an empty path (that means a message with only the module name, like in "http://example.com/Sample"
         Override it if you expect messages with that pattern
@@ -72,7 +72,7 @@ class ServerWorker(object):
         '''
         raise NotImplementedError('Generic message processor is not supported')
         
-    def processServerMessage(self, path, getParams, postParams):
+    def processServerMessage(self, path, getParams, postParams, server):
         '''
         This method can be overriden to provide your own message proccessor, or better you can
         implement a method that is called exactly as "process_" + path[0] (module name has been removed from path array) and this default processMessage will invoke it
@@ -93,13 +93,13 @@ class ServerWorker(object):
             raise Exception('system is busy')
         
         if len(path) == 0:
-            return self.process(getParams, postParams)
+            return self.process(getParams, postParams, server)
         try:
             operation = getattr(self, 'process_' + path[0])
         except Exception:
             raise Exception('Message processor for "{}" not found'.format(path[0]))
         
-        return operation(path[1:], getParams, postParams)
+        return operation(path[1:], getParams, postParams, server)
         
         
     def processClientMessage(self, message, data):