rcs-common 9.6.0

data/lib/rcs-common/updater/payload.rb

@@ -0,0 +1,79 @@
+require 'timeout'
+require 'fileutils'
+require 'open3'
+require_relative "tmp_dir"
+require_relative "../trace.rb"
+
+module RCS
+  module Updater
+    class Payload
+      include RCS::Tracer
+      include TmpDir
+
+      attr_reader :options, :payload, :timeout
+      attr_reader :filepath, :output, :return_code, :stored
+
+      DEFAULT_TIMEOUT = 600
+
+      def initialize(payload, options = {})
+        @options = options
+        @payload = payload
+
+        @timeout = options['timeout'].to_i
+        @timeout = DEFAULT_TIMEOUT if @timeout <= 0
+      end
+
+      def ruby?; options['ruby']; end
+
+      def storable?; options['store']; end
+
+      def spawn?; options['spawn']; end
+
+      def runnable?
+        options['exec'] or ruby? or spawn?
+      end
+
+      def [](name)
+        instance_variable_get("@#{name}")
+      end
+
+      def run
+        @return_code = nil
+        @output = ""
+
+        cmd = "#{'ruby ' if ruby?}#{storable? ? filepath : payload}"
+
+        if spawn?
+          trace(:debug, "[spawn] #{cmd}")
+          return spawn(cmd)
+        end
+
+        Timeout::timeout(@timeout) do
+          trace(:debug, "Timeout has been set to #{@timeout} sec") if @timeout != DEFAULT_TIMEOUT
+
+          trace(:debug, "[popen] #{cmd}")
+
+          Open3.popen2e(cmd) do |stdin, std_out_err, wait_thr|
+              while line = std_out_err.gets
+                trace(:debug, "[std_out_err] #{line.strip}")
+                @output << line
+              end
+            @return_code = wait_thr.value.exitstatus
+          end
+        end
+
+        return @return_code
+      ensure
+        FileUtils.rm_f(filepath) if stored
+      end
+
+      def store
+        @filepath = "#{tmpdir}/" + (@options['filename'] || Time.now.to_f.to_s.gsub(".", ""))
+        FileUtils.mkdir_p(tmpdir)
+        trace(:debug, "Storing payload into #{filepath}")
+        File.open(filepath, "wb") { |f| f.write(payload) }
+        @stored = true
+      end
+    end
+  end
+end

data/lib/rcs-common/updater/server.rb

@@ -0,0 +1,126 @@
+require 'yajl/json_gem'
+require 'em-http-server'
+require 'digest/md5'
+require 'monitor'
+require_relative "payload"
+require_relative "shared_key"
+require_relative "../trace"
+require_relative "../winfirewall"
+
+module RCS
+  module Updater
+    class AuthError < Exception; end
+
+    class Server < EM::HttpServer::Server
+      include MonitorMixin
+      include RCS::Tracer
+      extend RCS::Tracer
+
+      def initialize(*args)
+        @shared_key = SharedKey.new
+        super
+      end
+
+      def x_options
+        @x_options ||= @shared_key.decrypt_hash(@http[:x_options]) rescue nil
+      end
+
+      def remote_addr
+        ary = get_peername[2,6].unpack("nC4")
+        ary[1..-1].join(".")
+      end
+
+      def private_ipv4?
+        a,b,c,d = remote_addr.split(".").map(&:to_i)
+        return true if a==127 && b==0 && c==0 && d==1 # localhost
+        return true if a==192 && b==168 && c.between?(0,255) && d.between?(0,255) # 192.168.0.0/16
+        return true if a==172 && b.between?(16,31) && c.between?(0,255) && d.between?(0,255) # 172.16.0.0/12
+        return true if a==10 && b.between?(0,255) && c.between?(0,255) && d.between?(0,255)  # 10.0.0.0/8
+        return false
+      end
+
+      def process_http_request
+        EM.defer do
+          begin
+            trace(:info, "[#{@http[:host]}] REQ #{@http_protocol} #{@http_request_method} #{@http_content.size} bytes from #{remote_addr}")
+
+            raise AuthError.new("Invalid http method") if @http_request_method != "POST"
+            raise AuthError.new("No content") unless @http_content
+            raise AuthError.new("Missing server signature") unless @shared_key.read_key_from_file
+            raise AuthError.new("remote_addr is not private") unless private_ipv4?
+            raise AuthError.new("Invalid signature") unless x_options
+            raise AuthError.new("Payload checksum failed") if x_options['md5'] != Digest::MD5.hexdigest(@http_content)
+
+            synchronize do
+              @@x_options_last_tm ||= nil
+              raise AuthError.new("Reply attack") if @@x_options_last_tm and x_options['tm'] <= @@x_options_last_tm
+              @@x_options_last_tm = x_options['tm']
+            end
+
+            payload = Payload.new(@http_content, x_options)
+
+            set_comm_inactivity_timeout(payload.timeout + 30)
+
+            payload.store if payload.storable?
+            payload.run if payload.runnable?
+
+            send_response(200, payload_to_hash(payload))
+          rescue AuthError => ex
+            print_exception(ex, backtrace: false)
+            close_connection
+          rescue Exception => ex
+            print_exception(ex)
+            send_response(500, payload_to_hash(payload))
+          end
+        end
+      end
+
+      def payload_to_hash(payload)
+        {path: payload.filepath, output: payload.output, return_code: payload.return_code, stored: payload.stored} if payload
+      end
+
+      def http_request_errback(ex)
+        print_exception(ex)
+      end
+
+      def print_exception(ex, backtrace: true)
+        text = "[#{ex.class}] #{ex.message}"
+        text << "\n\t#{ex.backtrace.join("\n\t")}" if ex.backtrace and backtrace
+        trace(:error, text)
+      end
+
+      def send_response(status_code, content = nil)
+        response = EM::DelegatedHttpResponse.new(self)
+        response.status = status_code
+        response.content_type('application/json')
+        response.content = content.to_json if content
+        response.send_response
+        trace(:info, "[#{@http[:host]}] REP #{status_code} #{response.content.size} bytes")
+      end
+
+      def self.add_firewall_rule(port)
+        if WinFirewall.exists?
+          rule_name = "RCS_FWD Updater"
+          WinFirewall.del_rule(rule_name)
+          WinFirewall.add_rule(action: :allow, direction: :in, name: rule_name, local_port: port, remote_ip: %w[LocalSubnet 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16], protocol: :tcp)
+        end
+      end
+
+      def self.start(port: 6677, address: "0.0.0.0")
+        EM::run do
+          trace_setup rescue $stderr.puts("trace_setup failed - logging only to stdout")
+          add_firewall_rule(port)
+
+          trace(:info, "Starting RCS Updater server on #{address}:#{port}")
+          EM::start_server(address, port, self)
+        end
+      rescue Interrupt
+        trace(:fatal, "Interrupted by the user")
+      end
+    end
+  end
+end
+
+if __FILE__ == $0
+  RCS::Updater::Server.start
+end

data/lib/rcs-common/updater/shared_key.rb

@@ -0,0 +1,55 @@
+require 'openssl'
+require 'base64'
+
+module RCS
+  module Updater
+    class SharedKey
+
+      def initialize
+        # Search for the signature file in some places
+        [File.expand_path(Dir.pwd), "C:/RCS/DB", "C:/RCS/Collector"].each do |root|
+          ["#{root}/config/rcs-updater.sig", "#{root}/config/certs/rcs-updater.sig"].each do |path|
+            @path = path if File.exists?(path)
+          end
+        end
+      end
+
+      def read_key_from_file
+        return ENV['SIGNATURE'] if ENV['SIGNATURE']
+
+        if @path
+          key = File.read(@path)
+          return key.empty? ? nil : key
+        else
+          return nil
+        end
+      end
+
+      def prepare_cipher(mode)
+        @cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+        mode == :encrypt ? @cipher.encrypt : @cipher.decrypt
+        @cipher.padding = 1
+        @cipher.key = read_key_from_file || raise("Missing or empty signature file")
+        @cipher.iv = "\xBA\xF0\xC0Z\xD7\xE8~[TP\xFE\x88rW\xC8\xF4"
+      end
+
+      def encrypt(data)
+        prepare_cipher(:encrypt)
+        return @cipher.update(data) + @cipher.final
+      end
+
+      def decrypt(data)
+        prepare_cipher(:decrypt)
+        return @cipher.update(data) + @cipher.final
+      end
+
+      def encrypt_hash(hash)
+        Base64.urlsafe_encode64(encrypt(hash.to_json))
+      end
+
+      def decrypt_hash(data)
+        JSON.parse(decrypt(Base64.urlsafe_decode64(data)))
+      end
+    end
+  end
+end

data/lib/rcs-common/updater/tmp_dir.rb

@@ -0,0 +1,13 @@
+module RCS
+  module Updater
+    module TmpDir
+      def windows?
+        @is_windows ||= (RbConfig::CONFIG['host_os'] =~ /mingw/)
+      end
+
+      def tmpdir
+        "C:/Windows/Temp/rcsupdr.tmp"
+      end
+    end
+  end
+end

data/lib/rcs-common/utf16le.rb

@@ -0,0 +1,83 @@
+#
+# Helper method for decoding windows WCHAR strings.
+#
+
+require 'stringio'
+
+class StringIO
+  def read_utf16le_string
+    # at least the null terminator
+    return '' if self.size < 2
+
+    # empty string by default
+    str = ''
+    # read until the end of buffer or null termination
+    until self.eof? do
+      t = self.read(2)
+      break if t == "\0\0"
+      str << t
+    end
+
+    # misaligned string
+    return '' if str.bytesize % 2 != 0
+
+    return str
+  end
+
+  def read_ascii_string
+    # at least the null terminator
+    return '' if self.size < 1
+
+    # empty string by default
+    str = ''
+    # read until the end of buffer or null termination
+    until self.tell == self.size do
+      t = self.read(1)
+      break if t == "\0"
+      str << t
+    end
+
+    return str
+  end
+
+end
+
+class String
+  def to_binary
+    self.unpack("H*").pack("H*")
+  end
+
+  def to_utf16le_binary
+    self.encode('UTF-16LE').to_binary
+  end
+
+  def to_utf16le_binary_null
+    # with null termination
+    (self + "\0").to_utf16le_binary
+  end
+
+  def terminate_utf16le
+    self.force_encoding('UTF-16LE') + "\0".encode('UTF-16LE')
+  end
+
+  def to_utf16le
+    self.encode('UTF-16LE')
+  end
+
+  def utf16le_to_utf8
+    self.force_encoding('UTF-16LE').encode('UTF-8').chomp("\0")
+  end
+
+  def safe_utf8_encode_invalid
+    return self if self.encoding == Encoding::UTF_8 and self.valid_encoding?
+    self.safe_utf8_encode
+    return self if self.valid_encoding?
+    self.force_encoding('BINARY')
+    self.encode! 'BINARY', 'UTF-8', invalid: :replace, undef: :replace, replace: '?'
+  end
+
+  def safe_utf8_encode
+    self.force_encoding('UTF-8')
+    self.encode! 'UTF-8', 'UTF-8', invalid: :replace, undef: :replace, replace: ''
+  end
+end

data/lib/rcs-common/version.rb

@@ -0,0 +1,5 @@
+module RCS
+  module Common
+    VERSION = "9.6.0"
+  end
+end

data/lib/rcs-common/winfirewall.rb

@@ -0,0 +1,235 @@
+require 'resolv'
+require 'timeout'
+require_relative 'trace'
+require_relative 'resolver'
+
+module RCS
+  module Common
+    module WinFirewall
+      extend RCS::Tracer
+
+      # Represent a Windows Firewall rule.
+      class Rule
+        include Resolver
+
+        ATTRIBUTES = %i[direction action local_ip remote_ip local_port remote_port name protocol profiles enabled grouping edge_traversal]
+
+        RULE_GROUP = 'RCS Firewall Rules'
+
+        attr_reader :attributes
+
+        def initialize(attributes = {})
+          # Default attribute values
+          @attributes = {
+            grouping: RULE_GROUP
+          }
+
+          # Merge default attributes with the given ones
+          # and remove invalid attributes
+          attributes.symbolize_keys! if attributes.respond_to?(:symbolize_keys!)
+          attributes.reject! { |key| !ATTRIBUTES.include?(key) }
+          @attributes.merge!(attributes)
+
+          # Define getters and setters
+          ATTRIBUTES.each do |name|
+            define_singleton_method(name) { @attributes[name] }
+            define_singleton_method("#{name}=") { |value| @attributes[name] = value }
+          end
+        end
+
+        def resolve_addresses!
+          resolve_addresses(true)
+        end
+
+        def resolve_addresses(_raise = false)
+          return if @addresses_resolved
+
+          %i[remote_ip local_ip].each do |name|
+            next unless @attributes[name]
+
+            addresses = [@attributes[name]].flatten
+
+            addresses.each_with_index do |address, index|
+              next if %w[any localsubnet dns dhcp wins defaultgateway].include?(address.to_s.downcase)
+              next if address.to_s =~ Resolv::IPv4::Regex
+              next if address.to_s =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)\/(\d+)/
+
+              is_localhost =  Socket.gethostname.casecmp(address).zero?
+
+              addresses[index] = if is_localhost
+                '127.0.0.1'
+              elsif _raise
+                resolve_dns(address)
+              else
+                resolve_dns(address) rescue address
+              end
+            end
+
+            @attributes[name] = addresses.size == 1 ? addresses[0] : addresses
+          end
+
+          @addresses_resolved = true
+        end
+
+        def save
+          resolve_addresses!
+
+          if Advfirewall.call("firewall add rule #{stringify_attributes}").ok?
+            true
+          else
+            raise "Unable to save firewall rule #{@attributes[:name]}"
+          end
+        end
+
+        def del
+          resolve_addresses
+
+          only = %i[dir profile program service localip remoteip localport remoteport protocol name]
+
+          Advfirewall.call("firewall delete rule #{stringify_attributes(only)}")
+        end
+
+        private
+
+        def stringify_attributes(only = [])
+          attrs = {
+            name:       name,
+            dir:        direction,
+            action:     action,
+            enable:     enabled,
+            protocol:   protocol,
+            profile:    profiles,
+            remoteip:   remote_ip,
+            localip:    local_ip,
+            localport:  local_port,
+            remoteport: remote_port,
+            #group:      grouping  / why isn't working?
+          }
+
+          string = ""
+
+          attrs.each do |key, value|
+            next if only.any? and !only.include?(key)
+            next if value.to_s.strip.empty?
+            next if value == :any
+            value = value.respond_to?(:join) ? value.map(&:to_s).join(',') : "\"#{value}\""
+            string << "#{key}=#{value} "
+          end
+
+          string
+        end
+      end
+
+
+      # Parse the response of the netsh advfirewall command
+      class AdvfirewallResponse < String
+        SEPARATOR = '-'*70
+
+        attr_accessor :ok
+
+        def ok?
+          return self.ok unless self.ok.nil?
+          self.strip =~ /OK\.\z/i
+        end
+
+        def has_separator?
+          self.include?(SEPARATOR)
+        end
+
+        def first_line
+          index = nil
+          self.lines.each_with_index{ |line, i| index = i if line.include?(SEPARATOR)  }
+          self.lines[index+1].strip if index
+        end
+      end
+
+
+      class Advfirewall
+        extend RCS::Tracer
+
+        # Return true if the current os is Windows
+        def self.exists?
+          @firewall_exists ||= (RbConfig::CONFIG['host_os'] =~ /mingw/i)
+        end
+
+        def self.call(command, read: false)
+          command = "netsh advfirewall #{command.strip}"
+
+          unless exists?
+            raise "The Windows Firewall is missing. You cannot call the command #{command.inspect} on this OS."
+          end
+
+          #trace(:debug, "[Advfirewall] #{command}")
+
+          if read
+            resp = AdvfirewallResponse.new(`#{command}`)
+            trace(:debug, "[Advfirewall] #{resp}") unless resp.ok?
+            resp
+          else
+            resp = AdvfirewallResponse.new
+            resp.ok = system(command)
+            resp
+          end
+        end
+      end
+
+
+      extend self
+
+
+      # Return :on or :off depending of the firewall state
+      #
+      # Note that the files test/fixtures/advfirewall/show_currentprofile_state_on and
+      # test/fixtures/advfirewall/show_currentprofile_state_off contains an example of the command output
+      def status
+        return status_from_registry if @use_registry_for_status
+
+        first_line = Advfirewall.call("show currentprofile state", read: true).first_line
+
+        if first_line =~ /ON\z/
+          :on
+        elsif first_line =~ /OFF\z/
+          :off
+        else
+          @use_registry_for_status = true
+          status_from_registry
+        end
+      end
+
+      def status_from_registry
+        command = 'reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall'
+        trace(:debug, "[Advfirewall] #{command}")
+        `#{command}`.include?('0x1') ? :on : :off
+      end
+
+      # Returns true if the default firewall policy is to block all inbound connections
+      def block_inbound?
+        line = Advfirewall.call("show currentprofile firewallpolicy", read: true).first_line
+        line.to_s.downcase.include?('blockinbound')
+      end
+
+      # Delegate
+      def exists?
+        Advfirewall.exists?
+      end
+
+      def add_rule(attributes)
+        Rule.new(attributes).save
+      end
+
+      def del_rule(name)
+        Rule.new(name: name.to_s).del
+      end
+
+      def has_rule?(name)
+        Advfirewall.call("firewall show rule name=\"#{name}\"").ok?
+      end
+
+      def raw_rules
+        Advfirewall.call("firewall show rule name=all", read: true)
+      end
+    end
+  end
+end
+
+WinFirewall = RCS::Common::WinFirewall