catflap 0.0.2 → 1.0.1

data/ui/index.rhtml

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<script src="https://code.jquery.com/jquery-2.2.0.min.js"></script>
+<script src="/js/sha256.js"></script>
+<script src="/js/catflap.js"></script>
+<link rel="stylesheet" href="/css/catflap.css" />
+<title>Catflap | No dogs allowed!</title>
+</head>
+<body id="home">
+<div id="logo-wrapper"><img id="logo" class="centered" src="/images/catflap.png" /></div>
+<div id="passphrase-form-wrapper" class="centered">
+    <input id="passphrase" name="passphrase" type="text" class="default-value" value="Enter your pass phrase here." />
+    <div id="message-wrapper" class="centered">
+      <div id="locked-message" class="message centered">The site you are trying to access is locked. You must enter a valid pass phrase
+  to enter the site.</div>
+      <div id="failed-message" class="message centered hidden">Sorry, but we don't recognize that pass phrase. Please try again and if you
+        are still having trouble email your contact for further instructions.</div>
+    </div>
+</div>
+</body>
+</html>

data/ui/js/catflap.js

@@ -0,0 +1,85 @@
+(function($) { $(document).ready(function() {
+
+  // Hide default text
+  $('.default-value').each(function() {
+      var default_value = this.value;
+      $(this).focus(function() {
+          if(this.value === default_value) {
+              this.value = '';
+          }
+      });
+      $(this).blur(function() {
+          if(this.value === '') {
+              this.value = default_value;
+          }
+      });
+  });
+
+  // Bind token input field with 'enter' keypress.
+  $('input#passphrase').keypress(function(e) {
+    if(e.which == 13) {
+      var pass = $('input#passphrase').val();
+
+      // Get the first word to send as the key for the pass phrase.
+      // The first word is any part that comes before a special
+      // character (including spaces) other than the underscore.
+      var matches = pass.match(/^(\w+)\W+/);
+      // If there is nothing that looks like a key then don't make
+      // an authentication request.
+      if (matches === null) {
+        return;
+      }
+
+      // Handshake with the Catflap server by requesting a timestamp.
+      ts = 0;
+      $.ajax({
+        url: '/catflap/sync',
+        method: 'POST',
+        success: function(jsonData){
+          data = JSON.parse(jsonData);
+          ts = data.Timestamp;
+
+          // Construct our data packet to send to the server.
+          var data = {
+            "_key" : matches[1],
+            "ts" : ts
+          };
+          data.token = Sha256.hash(pass + ts);
+
+          $.ajax({
+            url: '/catflap/knock',
+            method: 'POST',
+            data: data,
+            success: function(jsonData){
+              data = JSON.parse(jsonData);
+
+              switch (data.StatusCode) {
+                case 200:
+                  if (data.RedirectUrl == "reload") {
+                    location.reload(true);
+                  } else {
+                    $(location).attr('href', data.RedirectUrl);
+                  }
+                  break;
+                default:
+                  $('#passphrase').addClass('failed');
+                  $('#locked-message').hide();
+                  $('#failed-message').show();
+                  break;
+              }
+            }
+          })
+          .fail(function(jsonData){
+            console.log('Unable to authenticate with the server: ' + jsonData);
+          });
+        }
+      })
+      .fail(function(jsonData){
+        console.log('Sync handshake failed: ' + jsonData);
+        return;
+      });
+
+    }
+  });
+});
+})(jQuery);

data/ui/js/sha256.js

@@ -0,0 +1,166 @@
+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
+/*  SHA-256 implementation in JavaScript                (c) Chris Veness 2002-2014 / MIT Licence  */
+/*                                                                                                */
+/*  - see http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html                              */
+/*        http://csrc.nist.gov/groups/ST/toolkit/examples.html                                    */
+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
+
+/* jshint node:true *//* global define, escape, unescape */
+'use strict';
+
+
+/**
+ * SHA-256 hash function reference implementation.
+ *
+ * @namespace
+ */
+var Sha256 = {};
+
+
+/**
+ * Generates SHA-256 hash of string.
+ *
+ * @param   {string} msg - String to be hashed
+ * @returns {string} Hash of msg as hex character string
+ */
+Sha256.hash = function(msg) {
+    // convert string to UTF-8, as SHA only deals with byte-streams
+    msg = msg.utf8Encode();
+
+    // constants [§4.2.2]
+    var K = [
+        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 ];
+    // initial hash value [§5.3.1]
+    var H = [
+        0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 ];
+
+    // PREPROCESSING
+
+    msg += String.fromCharCode(0x80);  // add trailing '1' bit (+ 0's padding) to string [§5.1.1]
+
+    // convert string msg into 512-bit/16-integer blocks arrays of ints [§5.2.1]
+    var l = msg.length/4 + 2; // length (in 32-bit integers) of msg + ‘1’ + appended length
+    var N = Math.ceil(l/16);  // number of 16-integer-blocks required to hold 'l' ints
+    var M = new Array(N);
+
+    for (var i=0; i<N; i++) {
+        M[i] = new Array(16);
+        for (var j=0; j<16; j++) {  // encode 4 chars per integer, big-endian encoding
+            M[i][j] = (msg.charCodeAt(i*64+j*4)<<24) | (msg.charCodeAt(i*64+j*4+1)<<16) |
+                      (msg.charCodeAt(i*64+j*4+2)<<8) | (msg.charCodeAt(i*64+j*4+3));
+        } // note running off the end of msg is ok 'cos bitwise ops on NaN return 0
+    }
+    // add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
+    // note: most significant word would be (len-1)*8 >>> 32, but since JS converts
+    // bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
+    M[N-1][14] = ((msg.length-1)*8) / Math.pow(2, 32); M[N-1][14] = Math.floor(M[N-1][14]);
+    M[N-1][15] = ((msg.length-1)*8) & 0xffffffff;
+
+
+    // HASH COMPUTATION [§6.1.2]
+
+    var W = new Array(64); var a, b, c, d, e, f, g, h;
+    for (var i=0; i<N; i++) {
+
+        // 1 - prepare message schedule 'W'
+        for (var t=0;  t<16; t++) W[t] = M[i][t];
+        for (var t=16; t<64; t++) W[t] = (Sha256.σ1(W[t-2]) + W[t-7] + Sha256.σ0(W[t-15]) + W[t-16]) & 0xffffffff;
+
+        // 2 - initialise working variables a, b, c, d, e, f, g, h with previous hash value
+        a = H[0]; b = H[1]; c = H[2]; d = H[3]; e = H[4]; f = H[5]; g = H[6]; h = H[7];
+
+        // 3 - main loop (note 'addition modulo 2^32')
+        for (var t=0; t<64; t++) {
+            var T1 = h + Sha256.Σ1(e) + Sha256.Ch(e, f, g) + K[t] + W[t];
+            var T2 =     Sha256.Σ0(a) + Sha256.Maj(a, b, c);
+            h = g;
+            g = f;
+            f = e;
+            e = (d + T1) & 0xffffffff;
+            d = c;
+            c = b;
+            b = a;
+            a = (T1 + T2) & 0xffffffff;
+        }
+         // 4 - compute the new intermediate hash value (note 'addition modulo 2^32')
+        H[0] = (H[0]+a) & 0xffffffff;
+        H[1] = (H[1]+b) & 0xffffffff;
+        H[2] = (H[2]+c) & 0xffffffff;
+        H[3] = (H[3]+d) & 0xffffffff;
+        H[4] = (H[4]+e) & 0xffffffff;
+        H[5] = (H[5]+f) & 0xffffffff;
+        H[6] = (H[6]+g) & 0xffffffff;
+        H[7] = (H[7]+h) & 0xffffffff;
+    }
+
+    return Sha256.toHexStr(H[0]) + Sha256.toHexStr(H[1]) + Sha256.toHexStr(H[2]) + Sha256.toHexStr(H[3]) +
+           Sha256.toHexStr(H[4]) + Sha256.toHexStr(H[5]) + Sha256.toHexStr(H[6]) + Sha256.toHexStr(H[7]);
+};
+
+
+/**
+ * Rotates right (circular right shift) value x by n positions [§3.2.4].
+ * @private
+ */
+Sha256.ROTR = function(n, x) {
+    return (x >>> n) | (x << (32-n));
+};
+
+/**
+ * Logical functions [§4.1.2].
+ * @private
+ */
+Sha256.Σ0  = function(x) { return Sha256.ROTR(2,  x) ^ Sha256.ROTR(13, x) ^ Sha256.ROTR(22, x); };
+Sha256.Σ1  = function(x) { return Sha256.ROTR(6,  x) ^ Sha256.ROTR(11, x) ^ Sha256.ROTR(25, x); };
+Sha256.σ0  = function(x) { return Sha256.ROTR(7,  x) ^ Sha256.ROTR(18, x) ^ (x>>>3);  };
+Sha256.σ1  = function(x) { return Sha256.ROTR(17, x) ^ Sha256.ROTR(19, x) ^ (x>>>10); };
+Sha256.Ch  = function(x, y, z) { return (x & y) ^ (~x & z); };
+Sha256.Maj = function(x, y, z) { return (x & y) ^ (x & z) ^ (y & z); };
+
+
+/**
+ * Hexadecimal representation of a number.
+ * @private
+ */
+Sha256.toHexStr = function(n) {
+    // note can't use toString(16) as it is implementation-dependant,
+    // and in IE returns signed numbers when used on full words
+    var s="", v;
+    for (var i=7; i>=0; i--) { v = (n>>>(i*4)) & 0xf; s += v.toString(16); }
+    return s;
+};
+
+
+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
+
+
+/** Extend String object with method to encode multi-byte string to utf8
+ *  - monsur.hossa.in/2012/07/20/utf-8-in-javascript.html */
+if (typeof String.prototype.utf8Encode == 'undefined') {
+    String.prototype.utf8Encode = function() {
+        return unescape( encodeURIComponent( this ) );
+    };
+}
+
+/** Extend String object with method to decode utf8 string to multi-byte */
+if (typeof String.prototype.utf8Decode == 'undefined') {
+    String.prototype.utf8Decode = function() {
+        try {
+            return decodeURIComponent( escape( this ) );
+        } catch (e) {
+            return this; // invalid UTF-8? return as-is
+        }
+    };
+}
+
+
+/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
+if (typeof module != 'undefined' && module.exports) module.exports = Sha256; // CommonJs export
+if (typeof define == 'function' && define.amd) define([], function() { return Sha256; }); // AMD

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: catflap
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 1.0.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,19 +9,116 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-08 00:00:00.000000000 Z
-dependencies: []
-description: A simple solution to provide on-demand service access (e.g. port 80 on
-  webserver), where a more robust and secure VPN solution is not available.
-email: nyk@demotix.com
+date: 2016-03-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.8.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.8.3
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.11'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: ! "A simple solution to provide on-demand service access (e.g.\n  port
+  80 on webserver), where a more robust and secure VPN solution is not\n  available.
+  Essentially, it is a more user-friendly form of \"port knocking\".\n  The original
+  proof-of-concept implementation was run for almost three years\n  by Demotix, to
+  protect development and staging servers from search engine\n  crawlers and other
+  unwanted traffic."
+email: nykcowham@gmail.com
 executables:
 - catflap
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/catflap.rb
-- lib/catflap-http.rb
+- .gitignore
+- .rspec
+- .rubocop.yml
+- .rubocop_todo.yml
+- CODE_OF_CONDUCT.md
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
 - bin/catflap
+- bin/console
+- bin/setup
+- catflap.gemspec
+- etc/config.yaml
+- etc/init.d/catflap
+- etc/passfile.yaml
+- lib/catflap.rb
+- lib/catflap/command.rb
+- lib/catflap/firewall.rb
+- lib/catflap/http.rb
+- lib/catflap/netfilter/writer.rb
+- lib/catflap/plugins/firewall/iptables.rb
+- lib/catflap/plugins/firewall/netfilter.rb
+- lib/catflap/plugins/firewall/plugin.rb
+- lib/catflap/version.rb
+- lib/netfilter/writer.rb
+- ui/css/catflap.css
+- ui/images/catflap.png
+- ui/index.rhtml
+- ui/js/catflap.js
+- ui/js/sha256.js
 homepage: https://github.com/nyk/catflap
 licenses:
 - MIT
@@ -44,9 +141,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - NetFilters (iptables) installed and working.
 rubyforge_project: 
-rubygems_version: 1.8.11
+rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
-summary: Manage NetFilter-based rules to grant port access on-demand via commandline
-  or REST API requests.
+summary: Manage NetFilter-based rules to grant port access on-demand commandline or
+  REST API requests.
 test_files: []
+has_rdoc: 

data/lib/catflap-http.rb

@@ -1,111 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'catflap'
-require 'webrick'
-include WEBrick
-
-module CatflapWebserver
-
-  def self.generate_server port
-    config = {:Port => port}
-    server = HTTPServer.new(config)
-    yield server if block_given?
-    ['INT', 'TERM'].each {|signal| 
-      trap(signal) {server.shutdown}
-    }
-    server.start
-  end
-
-  def self.start_server cf
-    generate_server cf.port do |server|
-      server.mount '/', Servlet, cf
-    end
-  end
-
-  class Servlet < HTTPServlet::AbstractServlet
-
-    def initialize server, cf
-      super server
-      @cf = cf
-    end
-
-    def do_GET req, resp
-      # Split the path into piece
-      path = req.path[1..-1].split('/')
-      raise HTTPStatus::OK if path[0] == 'favicon.ico'
-      response_class = CatflapRestService.const_get 'Service'
-       
-      if response_class and response_class.is_a? Class
-        # There was a method given
-        if path[0]
-          response_method = path[0].to_sym
-          # Make sure the method exists in the class
-          raise HTTPStatus::NotFound if !response_class.respond_to? response_method
-
-          if path[0] == "enter"
-            url = response_class.send response_method, req, resp, @cf
-            resp.set_redirect HTTPStatus::Redirect, url
-          end
-
-          # Remaining path segments get passed in as arguments to the method
-          if path.length > 1
-            resp.body = response_class.send response_method, req, resp, @cf, path[1..-1]
-          else
-            resp.body = response_class.send response_method, req, resp, @cf
-          end
-          raise HTTPStatus::OK
-
-        # No method was given, so check for an "index" method instead
-        else
-          raise HTTPStatus::NotFound if !response_class.respond_to? :index
-          resp.body = response_class.send :index
-          raise HTTPStatus::OK
-        end
-      else
-        raise HTTPStatus::NotFound
-      end
-    end
-  end
-end
-
-module CatflapRestService
-  class Service
-
-    def self.index
-      return "hello world"
-    end
- 
-    def self.enter req, resp, cf
-      ip = req.peeraddr.pop
-      host = req.addr[2]
-      cf.add_address! ip unless cf.check_address ip
-      return "http://" << host << ":80"
-    end
-
-    def self.add req, resp, cf, args
-      ip = args[0]
-      unless cf.check_address ip
-        cf.add_address! ip
-        return "#{ip} has been granted access"
-      else
-        return "#{ip} already has access"
-      end
-    end
-
-    def self.remove req, resp, cf, args
-      ip = args[0]
-      cf.delete_address! ip
-      return "Access granted to #{ip} has been removed"
-    end
-
-    def self.check req, resp, cf, args
-      ip = args[0]
-      
-      if cf.check_address ip
-        return "#{ip} has access to ports: #{cf.dports}"
-      else
-        return "#{ip} does not have access to ports: #{cf.dports}"
-      end
-    end
-  end
-end