binproxy 1.0.0

data/lib/binproxy/class_loader.rb

@@ -0,0 +1,64 @@
+module BinProxy
+  class ClassLoader
+    include BinProxy::Logger
+
+    def initialize(root_path)
+      @root_path = root_path
+    end
+
+    def load_class(class_name, explicit_file_path = nil)
+      #unload top-level module for old class
+      #XXX This is a bit aggressive, maybe need a manual param to tune it?
+      top_level_name = class_name.split('::')[0]
+      old_const = Object.send(:remove_const, top_level_name) if Object.const_defined?(top_level_name)
+      try_load_class(class_name, explicit_file_path)
+    rescue StandardError
+      Object.const_set(top_level_name, old_const) if old_const
+      raise
+    end
+
+    private
+    def try_load_class(class_name, explicit_file_path)
+      file_path = explicit_file_path.presence || find_file_for_class(class_name)
+      log.info "Loading class file: #{File.absolute_path(file_path)}"
+      load File.absolute_path(file_path)
+      return class_name.constantize
+    rescue LoadError => e
+      log.error "Unexpected LoadError: #{e}" # This shouldn't happen except in weird cases like bad permissions or races
+      raise StandardError.new "Couldn't load class file '#{file_path}'"
+    rescue NameError => e
+      raise StandardError.new "Loaded file '#{file_path}' successfully, but class '#{class_name}' not found."
+    end
+
+    def unstack_path(p,arr)
+      arr << p
+    end
+
+    def find_file_for_class(class_name)
+      un = class_name.underscore + ".rb"
+      names = [un.dup]
+      loop do
+        m = un.match %r|^(.+)/[^/]+\.rb$|
+        break unless m
+        un = m[1] + ".rb"
+        names << un
+      end
+      # this does some extra work
+      fn = names.map {|n| find_file(n) }.find {|f| f }
+      unless fn
+        raise StandardError.new "Could not find any of #{names.inspect} for #{class_name}"
+      end
+      return fn
+    end
+
+    def find_file(fn)
+      [
+        "./#{fn}",
+        "./lib/#{fn}",
+        "#{@root_path}/lib/binproxy/parsers/#{fn}",
+        "#{@root_path}/test/#{fn}"
+      ].find {|f| File.exists? f}
+    end
+
+  end
+end

data/lib/binproxy/connection.rb

@@ -0,0 +1,105 @@
+require 'stringio'
+require 'observer'
+require 'eventmachine'
+require 'ipaddr'
+
+require_relative 'proxy_message'
+require_relative 'logger'
+require_relative 'connection/filters'
+
+module BinProxy
+  # This module is included in an anonymous subclass of EM::Connection; each
+  # instance represents a TCP connection between the proxy and the client or
+  # server, so each Session has two Connections.
+  module Connection
+    include BinProxy::Logger
+    include Observable
+
+    attr_accessor :parser
+    attr_reader :opts, :peer, :filters
+
+    def initialize(opts)
+      @opts = opts
+      @peer = opts[:peer] # :client or :server
+      @buffer = StringIO.new
+      @filters = opts[:filter_classes].map do |c| c.new(self) end
+    end
+
+    def post_init
+      @filters.each do |f|
+        log.debug "initializing filter #{f}"
+        f.init
+      end
+    end
+
+    # Used by filters to initiate upstream connection in response to
+    # inbound connection
+    def connect(host=nil, port=nil, &cb)
+      host ||= opts[:upstream_host] || raise('no upstream host')
+      port ||= opts[:upstream_port] || raise('no upstream port')
+      cb   ||= lambda { |conn| opts[:session_callback].call(self, conn) }
+      log.debug "Making upstream connection to #{host}:#{port}"
+      EM.connect(host, port, Connection, opts[:upstream_args], &cb)
+    end
+
+    # EM callback
+    def connection_completed
+      log.debug "connection_completed callback"
+      changed
+      notify_observers(:connection_completed, self)
+    end
+
+    # called by session
+    def upstream_connected(upstream_conn)
+      @filters.each do |f|
+        f.upstream_connected(upstream_conn)
+      end
+    end
+
+    def receive_data(data)
+      @filters.each do |f|
+        data = f.read data
+        return if data.nil? or data == ''
+      end
+
+      @buffer.string << data #does not update @buffer's pos
+
+      parser.parse @buffer, peer do |pm|
+        log.debug "parsed proxy message: #{pm.inspect}"
+        changed
+        notify_observers(:message_received, pm)
+      end
+
+      if (pos = @buffer.pos) > 0
+        @buffer.string = @buffer.string[pos .. -1] #resets pos to 0
+      end
+
+
+    rescue Exception => e
+      puts e, e.backtrace
+      raise e
+    end
+
+    # called with a ProxyMessage
+    def send_message(pm)
+      log.error "OOPS! message going the wrong way (to #{peer})" if pm.dest != peer
+
+      data = pm.to_binary_s
+      @filters.each do |f|
+        data = f.write data
+        return if data.nil? or data == ''
+      end
+      send_data(data)
+    end
+
+    def unbind(reason)
+      log.debug "unbind called"
+      changed
+      notify_observers(:connection_lost, peer, reason)
+    rescue Exception => e
+      puts e, e.backtrace
+      raise e
+    end
+
+  end
+end

data/lib/binproxy/connection/filters.rb

@@ -0,0 +1,190 @@
+module BinProxy::Connection; end
+module BinProxy::Connection::Filters
+  class Base
+    attr_reader :conn
+    def initialize(connection)
+      @conn = connection
+    end
+
+    def init; end
+    def upstream_connected(upstream_conn); end
+    def session_closing(reason); end
+
+    def read(data); data; end
+    def write(data); data; end
+  end
+
+  # Fortunately, we don't have to implement TLS ourself, just tell EM to
+  # use it on opening the connection.
+  #
+  # TODO: The "magical" nature of the start_tls connection upgrade doesn't play
+  # well with the filter concept, data might be buffered into filters before
+  # start_tls happens.  There's also no way to do STARTTLS-like protocols that
+  # pass plaintext data all the way through.
+  class InboundTLS < Base
+    include BinProxy::Logger
+    def init
+      @state = :new
+    end
+    def upstream_connected(upstream_conn)
+      #TODO no way to set tls_args for upstream connection currently
+      conn.start_tls(conn.opts[:tls_args]||{})
+      @state = :tls
+    end
+    def read(data)
+      if @state != :tls
+        #XXX we might want this in the case of STARTTLS?
+        log.fatal "DATA RECEIVED BY FILTER BEFORE START_TLS #{conn}"
+      end
+      data
+    end
+  end
+  class UpstreamTLS < Base
+    def init
+      #TODO no way to set tls_args for upstream connection currently
+      conn.start_tls(conn.opts[:tls_args]||{})
+    end
+  end
+
+  class Logger < Base
+    include BinProxy::Logger
+    def init
+      log.debug "CONNECTION CREATED #{conn}"
+    end
+    def read(data)
+      log.debug "READ #{conn}\n#{data.hexdump}"
+      data
+    end
+    def write(data)
+      log.debug "WRITE #{conn}\n#{data.hexdump}"
+      data
+    end
+  end
+
+  class StaticUpstream < Base
+    def init
+      conn.connect
+    end
+  end
+
+  class Socks < Base
+    SOCKS_OK =  "\x00\x5a" + "\x00" * 6
+    SOCKS_ERR = "\x00\x5b" + "\x00" * 6
+    include BinProxy::Logger
+    attr_reader :socks_state, :header
+    class ClientHeader < BinData::Record #TODO just handles v4/v4a for now
+      uint8 :version
+      uint8 :command_code
+      uint16be :port
+      uint32be :ip
+      stringz :user
+      stringz :host, onlyif: :bogus_ip?
+
+      def host_or_ip
+        if host? then host else IPAddr.new(ip, Socket::AF_INET).to_s end
+      end
+
+      def bogus_ip?
+        # an IP value of 0.0.0.x (x > 0) is a SOCKSv4a flag for server-side DNS.
+        ip > 0 && ip <= 255
+      end
+    end
+    def init
+      @buf = StringIO.new
+      @state = :new
+    end
+    def read(data)
+      return data unless @state == :new
+
+      @buf.string << data
+      @header = ClientHeader.read(@buf)
+
+      # no exception means we've read a full header...
+      log.debug "Read SOCKS header #{@header}"
+      @state = :connecting
+
+      conn.connect @header.host_or_ip, @header.port
+
+      # return any extra data
+      @buf.read
+    rescue EOFError, IOError
+      #partial read of header, reset to try again on next packet
+      @buf.pos = 0
+      nil
+    rescue EM::ConnectionError => e
+      #synchronous error when connecting upstream, e.g. bogus hostname
+      log.warn "Can't connect to '#{@header.host_or_ip}': #{e.message}"
+      #TODO -close the connection
+      nil
+    end
+    def upstream_connected(upstream_conn)
+      log.error "unexpected upstream_connected in state #{@state}" unless @state == :connecting
+      @state = :connected
+      conn.send_data SOCKS_OK
+    end
+    def session_closing(reason)
+      conn.send_data SOCKS_ERR if @state == :connecting
+    end
+  end
+
+  #TODO - lots of copy-paste from SOCKS, could stand to refactor
+  class HTTPConnect < Base
+    include BinProxy::Logger
+    def init
+      @buf = StringIO.new
+      @state = :new
+    end
+    def read(data)
+      log.debug "HTTPConnect read data #{data.inspect} in state #{@state}"
+      return data if @state == :connected
+      raise "unexpected data while connecting" if @state == :connecting
+
+      #append, but keep current position
+      p = @buf.pos
+      @buf << data
+      @buf.pos = p
+
+      while line = @buf.gets #XXX assumes we get whole lines
+        log.debug "processing line #{line}, state=#{@state}"
+        case @state
+        when :new
+          if m = line.match( %r<\ACONNECT ([\w.-]+):(\d+) HTTP/1.1\r\n\z> )
+            @host, @port = m[1], m[2]
+            @state = :headers
+            log.debug "Got CONNECT message to #{@host}:#{@port}"
+          else
+            log.warn "expected a CONNECT request, got #{line.inspect}"
+          end
+        when :headers
+          if line == "\r\n"
+            log.debug "End of CONNECT headers"
+            @state = :connecting
+            conn.connect @host, @port
+            return nil #XXX TODO confirm that @buf is empty
+          else
+            log.debug "Extra header on CONNECT: #{line.inspect}"
+          end
+        else
+          log.fatal "HTTPConnect filter in bad state: #{@state}"
+        end
+      end
+      log.debug "loop terminated with line #{line.inspect}"
+
+      #not done with CONNECT yet
+      nil
+    rescue EM::ConnectionError => e
+      #synchronous error when connecting upstream, e.g. bogus hostname
+      log.warn "Can't connect to '#{m[1]}:#{m[2]}': #{e.message}"
+      #TODO -close the connection
+      nil
+    end
+    def upstream_connected(upstream_conn)
+      log.error "unexpected upstream_connected in state #{@state}, conn=#{conn}" unless @state == :connecting
+      @state = :connected
+      conn.send_data "HTTP/1.1 200 BINPROXY OK\r\n\r\n"
+    end
+    def session_closing(reason)
+      conn.send_data "HTTP/1.1 502 BINPROXY FAIL\r\n\r\n" if @state == :connecting
+    end
+  end
+end

data/lib/binproxy/logger.rb

@@ -0,0 +1,17 @@
+require 'logger'
+module BinProxy; end
+module BinProxy::Logger
+  class BPLogger < Logger
+    def err_trace(e, context = nil, level = Logger::ERROR)
+      add level, "Error while #{context}:" if context
+      add level, "#{e.class}: #{e.message}\n#{(e.backtrace - caller).join "\n"}"
+    end
+  end
+
+  def log
+    @@logger ||= BPLogger.new(STDOUT).tap do |log|
+      log.level = Logger::WARN
+    end
+  end
+  module_function :log
+end

data/lib/binproxy/parser.rb

@@ -0,0 +1,76 @@
+require_relative 'logger'
+
+module BinProxy
+  class Parser
+    include BinProxy::Logger
+
+    class << self
+      attr_accessor :proxy, :message_class, :validate
+    end
+    def message_class; self.class.message_class; end
+    def validate; self.class.validate; end
+
+    def self.subclass(proxy, mc)
+      unless mc.class == Class
+        BinProxy::Logger::log.fatal "#{mc} is a #{mc.class}, not a Class."
+        exit!
+      end
+      c = Class.new(self) do
+        @proxy = proxy #XXX I don't love the tight coupling here; need a better way to pass messages up the chain
+        @message_class = mc
+      end
+    end
+
+    def initialize
+      @protocol_state = message_class.initial_state
+    rescue => e
+      log.warn "Exception while getting initial state for #{message_class}: e"
+      if e.message.match /undefined method `initial_state'/ then
+        log.warn "This is possibly not a subclass of BinData::Base"
+      end
+      # try to proceed with a default value
+      BinData::Base.initial_state
+    end
+
+    # Try to parse one or more messages from the buffer, and yield them
+    def parse(raw_buffer, peer)
+      start_pos = nil
+      loop do
+        break if raw_buffer.eof?
+
+        start_pos = raw_buffer.pos
+
+        log.debug "at #{start_pos} of #{raw_buffer.length} in buffer"
+
+        read_fn = lambda { message_class.new(src: peer.to_s, protocol_state: @protocol_state).read(raw_buffer) }
+
+        message = if log.debug?
+          BinData::trace_reading &read_fn
+        else
+          read_fn.call
+        end
+
+        bytes_read = raw_buffer.pos - start_pos
+        log.debug "read #{bytes_read} bytes"
+
+        # Go back and grab raw bytes for validation of serialization
+        raw_buffer.pos = start_pos
+        raw_m = raw_buffer.read bytes_read
+
+        @protocol_state = message.update_state
+        log.debug "protocol state is now #{@protocol_state.inspect}"
+
+        pm = ProxyMessage.new(raw_m, message)
+        pm.src = peer
+        yield pm
+      end
+    rescue EOFError, IOError
+      log.info "Hit end of buffer while parsing.  Consumed #{raw_buffer.pos - start_pos} bytes."
+      raw_buffer.pos = start_pos #rewind partial read
+      #todo, warn to client if validate flag set?
+    rescue Exception => e
+      log.err_trace(e, 'parsing message (probably an issue with user BinData class)', ::Logger::WARN)
+      self.class.proxy.on_bindata_error('parsing', e)
+    end
+  end
+end