watobo 0.9.9.pre3 → 0.9.9

data/lib/watobo/core/interceptor.rb

@@ -20,27 +20,124 @@
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 # .
 module Watobo
-  INTERCEPT_NONE = 0x00
-  INTERCEPT_REQUEST = 0x01
-  INTERCEPT_RESPONSE = 0x02
-  INTERCEPT_BOTH = 0x03
+  module Interceptor
+    INTERCEPT_NONE = 0x00
+    INTERCEPT_REQUEST = 0x01
+    INTERCEPT_RESPONSE = 0x02
+    INTERCEPT_BOTH = 0x03
+
+    REWRITE_NONE = 0x00
+    REWRITE_REQUEST = 0x01
+    REWRITE_RESPONSE = 0x02
+    REWRITE_BOTH = 0x04
+
+    INTERCEPT_DEFAULT_PORT = 8081
+
+    MODE_REGULAR = 0x01
+    MODE_TRANSPARENT = 0x02
+
+    @proxy_mode ||= MODE_REGULAR
+    @intercept_mode ||= INTERCEPT_NONE
+    @rewrite_mode ||= REWRITE_NONE
+
+    @proxy = nil
+    #@proxy_mode = Watobo::Conf::Interceptor.proxy_mode if Watobo::Conf::Interceptor.respond_to? :proxy_mode
+    def self.proxy_mode
+      @proxy_mode
+    end
+
+    def self.proxy_mode=(mode)
+      @proxy_mode = mode
+    end
+
+    def self.rewrite_mode
+      @rewrite_mode
+    end
+
+    def self.rewrite_mode=(mode)
+      @rewrite_mode = mode
+    end
+
+    def self.intercept_mode
+      @intercept_mode
+    end
+
+    def self.intercept_mode=(mode)
+      @intercept_mode = mode
+    end
+
+    def self.transparent?
+      return true if ( @proxy_mode & MODE_TRANSPARENT ) > 0
+      return false
+    end
+
+    def self.intercept_requests?
+      return true if ( @intercept_mode & INTERCEPT_REQUEST ) > 0
+      return false
+    end
+
+    def self.intercept_responses?
+      return true if ( @intercept_mode & INTERCEPT_RESPONSE ) > 0
+      return false
+    end
+
+    def self.rewrite_requests?
+      return true if ( @rewrite_mode & REWRITE_REQUEST ) > 0
+      return false
+    end
+
+    def self.rewrite_responses?
+      return true if ( @rewrite_mode & REWRITE_RESPONSE ) > 0
+      return false
+    end
+
+    def self.active?
+      return false if @proxy.nil?
+      return true
+    end
+
+    def self.start
+      @proxy = Watobo::InterceptProxy.new()
+
+      @proxy.subscribe(:new_interception) { |chat|
+        Thread.new(chat) { |c|
+          Watobo.project.addChat(c) unless Watobo.project.nil?
+        }
+      }
+
+      @proxy.start()
+      puts "DEBUG: Proxy running" if $DEBUG
+      #   puts "* set www_auth for interceptor"
+      #   puts YAML.dump(@project.settings[:www_auth])
+      #@proxy.www_auth = Watobo.project.settings[:www_auth] unless Watobo.project.nil?
+    end
+    
+    def self.proxy
+      @proxy
+    end
+
+    def self.stop
+      @proxy.stop
+      @proxy = nil
+    end
+    
+  end
 
-  INTERCEPT_DEFAULT_PORT = 8081
   #   I N T E R C E P T P R O X Y
   #
   class InterceptProxy
 
     include Watobo::Constants
-    #  include Watobo::Conf::Interceptor
+    # include Watobo::Interceptor
 
     attr :port
 
-    attr_accessor :mode
+    attr_accessor :proxy_mode
 
     attr_accessor :contentLength
     attr_accessor :contentTypes
     attr_accessor :target
-    attr_accessor :www_auth
+    attr :www_auth
     attr_accessor :client_certificates
     def server
       @bind_addr
@@ -68,7 +165,16 @@ module Watobo
 
     def setRequestFilter(new_settings)
       @request_filter_settings.update new_settings unless new_settings.nil?
-      puts @request_filter_settings.to_yaml
+    # puts @request_filter_settings.to_yaml
+    end
+
+    def clear_request_carvers
+      @request_carvers.clear unless @request_carvers.nil?
+
+    end
+
+    def clear_response_carvers
+      @response_carvers.clear unless @response_carvers.nil?
     end
 
     # def getRequestFilter
@@ -88,9 +194,11 @@ module Watobo
     def stop()
       begin
         puts "[#{self.class}] stop"
-        puts @t_server.status
+        if @t_server.respond_to? :status
+          puts @t_server.status
         @t_server.kill
         @intercept_srv.close
+        end
       rescue IOError => bang
         puts bang
         puts bang.backtrace if $DEBUG
@@ -101,16 +209,16 @@ module Watobo
     # R U N
     #
 
-    def run(settings={})
-      begin
-      # @server = '127.0.0.1'
-      # @port = settings[:port] if settings[:port]
-      # @server = settings[:server] if settings[:server]
-      # @contentLength = settings[:content_length] if settings[:content_length]
-      # @contentTypes = settings[:content_types] if settings[:content_types]
+    def start()
+
+      if transparent?
+        DRb.start_service
+        @connections = DRbObject.new nil, "druby://127.0.0.1:666"
+      end
 
+      begin
         @intercept_srv = TCPServer.new(@bind_addr, @port)
-        @intercept_srv.setsockopt( Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1)
+        @intercept_srv.setsockopt( Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1 )
 
       rescue => bang
         puts "\n!!!Could not start InterceptProxy"
@@ -119,28 +227,32 @@ module Watobo
       end
       puts "\n* Intercepor started on #{@bind_addr}:#{@port}"
       session_list = []
+      puts "!!! TRANSPARENT MODE ENABLED !!!" if transparent?
 
       @t_server = Thread.new(@intercept_srv) { |server|
         while (new_session = server.accept)
           #  new_session.sync = true
           Thread.new(new_session) { |session|
+            flags = []
             begin
+
               request, c_sock = read_request(session)
 
               if request.nil? or request.empty? then
                 #   puts "! empty request ? :("
-                c_sock.close
+                closeSocket(c_sock)
                 Thread.current.exit
               #return
               end
               puts "*[I] #{request.url}"
 
             rescue => bang
-             # puts "!!! Error reading client request "
-             # puts bang
+              puts "!!! Error reading client request "
+              puts bang
              # puts bang.backtrace
              # puts request
              # puts request
+             closeSocket(c_sock)
               Thread.current.exit
             #break
             end
@@ -160,17 +272,24 @@ module Watobo
                   closeSocket(c_sock)
                 end
               end
-            next
+            #next
+            Thread.current.exit
             end
+
             request_intercepted = false
             # no preview, check if interception request is turned on
-            if @target and @mode & INTERCEPT_REQUEST > 0 then
-
+            if Watobo::Interceptor.rewrite_requests? then
+              Interceptor::RequestCarver.shape(request, flags)
+              puts "FLAGS >>"
+              puts flags
+            end
+           
+            if @target and Watobo::Interceptor.intercept_requests? then
               if matchRequestFilter(request)
                 @awaiting_requests += 1
                 request_intercepted = true
 
-                if @target.respond_to? :modifyRequest
+                if @target.respond_to? :addRequest
                   #  puts "*INTERCEPT REQUEST"
                   #  puts @target
                   #notify(:modify_request, request, Thread.current)
@@ -190,12 +309,14 @@ module Watobo
             #p "getHTTPHeader"
             #s_sock, req, resp = @sender.getHTTPHeader(request, :update_sids => true, :update_session => false, :update_contentlength => true)
             begin
+
             s_sock, req, resp = @sender.sendHTTPRequest(request, :update_sids => true, :update_session => false, :update_contentlength => true, :www_auth => @www_auth, :client_certificates => @client_certificates)
             if s_sock.nil? then
               c_sock.print resp.join unless resp.nil?
               closeSocket(c_sock)
             next
             end
+
             rescue => bang
               puts bang
               puts bang.backtrace if $DEBUG
@@ -245,7 +366,10 @@ module Watobo
 
                 end
               else
+                # don't try to read body if request method is HEAD
+                unless req.method =~ /^head/i
                 @sender.readHTTPBody(s_sock, resp, req, :update_sids => true)
+                 end
               end
             rescue => bang
               puts "!!! could not send request !!!"
@@ -255,7 +379,17 @@ module Watobo
             end
 
             begin
-              if @target and @mode & INTERCEPT_RESPONSE > 0 then
+              Watobo::Response.create resp
+             # puts "* unchunk response ..."
+              resp.unchunk
+              # puts "* unzip response ..."
+              resp.unzip
+
+              if Watobo::Interceptor.rewrite_responses? then
+                 Interceptor::ResponseCarver.shape(resp, flags)
+              end
+
+              if @target and Watobo::Interceptor.intercept_responses? then
                 if matchResponseFilter(resp)
                   #  if resp.content_type =~ /text/ or resp.content_type =~ /application\/javascript/ then
                   if @target.respond_to? :modifyResponse
@@ -267,8 +401,12 @@ module Watobo
                 end
               end
 
+             # puts ">> SEND TO CLIENT"
               c_sock.write resp.join
-              closeSocket(c_sock)
+             # puts resp.join
+             # puts "-----"
+             # closeSocket(c_sock)
+
             rescue Errno::ECONNRESET
               print "x"
               #  puts "!!! ERROR (Reset): reading body"
@@ -285,8 +423,12 @@ module Watobo
             #return
             end
             #if req then # when req == nil an error occured -> no chat necessary
-            chat = Chat.new(request, resp, :source => CHAT_SOURCE_INTERCEPT)
+
+            rc = YAML.load(YAML.dump(request))
+            sc = YAML.load(YAML.dump(resp))
+            chat = Chat.new(rc, sc, :source => CHAT_SOURCE_INTERCEPT)
             notify(:new_interception, chat)
+            closeSocket(c_sock)
           # end
           #else
           #  puts "* got no response"
@@ -295,6 +437,10 @@ module Watobo
         end
       }
     end
+    
+    def refresh_www_auth
+       @www_auth = Watobo::Conf::Scanner.www_auth      
+    end
 
     def initialize(settings=nil)
       @event_dispatcher_listeners = Hash.new
@@ -307,22 +453,11 @@ module Watobo
         # @port = @settings[:intercept_port]
         #   puts settings.to_yaml
 
-        @mode = INTERCEPT_NONE
-        @www_auth = {}
-        @client_certificates = {}
-        @target = nil
-        @sender = Watobo::Session.new(@target)
+        #  @proxy_mode = Watobo::Interceptor.proxy_mode
 
-        @bind_addr = Watobo::Conf::Interceptor.server
-        puts "> Server: #{@bind_addr}"
-        @port = Watobo::Conf::Interceptor.port
-        puts "> Port: #{@port}"
+        #Watobo::Interceptor.proxy_mode = INTERCEPT_NONE
 
-        pt = Watobo::Conf::Interceptor.pass_through
-        @contentLength = pt[:content_length]
-        puts "> PT-ContentLength: #{@contentLength}"
-        @contentTypes = pt[:content_types]
-        puts "> PT-ContentTypes: #{@contentTypes}"
+        init_instance_vars
 
         @awaiting_requests = 0
         @awaiting_responses = 0
@@ -358,28 +493,20 @@ module Watobo
         # p @settings[:certificate_path]
         # p @settings[:cert_file]
         # p @settings[:key_file]
-        crt_path = Watobo::Conf::Interceptor.certificate_path
-        crt_file = Watobo::Conf::Interceptor.cert_file
-        key_file = Watobo::Conf::Interceptor.key_file
-        dh_key_file = Watobo::Conf::Interceptor.dh_key_file
-
-        crt_filename = File.join(Watobo.base_directory, crt_path, crt_file)
-        key_filename = File.join(Watobo.base_directory, crt_path, key_file)
-        dh_filename = File.join(Watobo.base_directory, crt_path, dh_key_file)
-        unless File.exist? dh_filename
-          #puts "* no dh key file found"
-          File.open(dh_filename,"w") do |fh|
-            puts "* creating SSL key (DH 1024) ... "
-            fh.write OpenSSL::PKey::DH.new(1024).to_pem
-            print " DONE\r\n"
-          end
-        end
+        # crt_path = Watobo::Conf::Interceptor.certificate_path
+        # crt_file = Watobo::Conf::Interceptor.cert_file
+        # key_file = Watobo::Conf::Interceptor.key_file
+        # dh_key_file = Watobo::Conf::Interceptor.dh_key_file
+
+        # crt_filename = File.join(Watobo.base_directory, crt_path, crt_file)
+        # key_filename = File.join(Watobo.base_directory, crt_path, key_file)
 
         #  @ctx = OpenSSL::SSL::SSLContext.new('SSLv23_server')
-        @cert = OpenSSL::X509::Certificate.new(File.read(crt_filename))
-        @key = OpenSSL::PKey::RSA.new(File.read(key_filename))
+        # @cert = OpenSSL::X509::Certificate.new(File.read(crt_filename))
+        # @key = OpenSSL::PKey::RSA.new(File.read(key_filename))
 
-        @dh_key = OpenSSL::PKey::DH.new(File.read(dh_filename))
+        #@dh_key = OpenSSL::PKey::DH.new(File.read(dh_filename))
+        @dh_key = Watobo::CA.dh_key
         #  @ctx.ciphers = nil # ['TLSv1/SSLv3', 56, 56 ]
 
       rescue => bang
@@ -391,6 +518,57 @@ module Watobo
     end
 
     private
+    
+    def init_instance_vars
+      @www_auth = Watobo::Conf::Scanner.www_auth
+        @fake_certs = {}
+        @client_certificates = {}
+        @target = nil
+        @sender = Watobo::Session.new(@target)
+
+        @bind_addr = Watobo::Conf::Interceptor.bind_addr
+        puts "> Server: #{@bind_addr}"
+        @port = Watobo::Conf::Interceptor.port
+        puts "> Port: #{@port}"
+        @proxy_mode = Watobo::Conf::Interceptor.proxy_mode
+
+        pt = Watobo::Conf::Interceptor.pass_through
+        @contentLength = pt[:content_length]
+        puts "> PT-ContentLength: #{@contentLength}"
+        @contentTypes = pt[:content_types]
+        puts "> PT-ContentTypes: #{@contentTypes}"
+    end
+
+    def get_ssl_cert_cn(host,port)
+      cn = ""
+      begin
+        tcp_socket = TCPSocket.new( host, port )
+        tcp_socket.setsockopt( Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1)
+        tcp_socket.sync = true
+        ctx = OpenSSL::SSL::SSLContext.new()
+
+        ctx.tmp_dh_callback = proc { |*args|
+          OpenSSL::PKey::DH.new(128)
+        }
+
+        socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ctx)
+
+        socket.connect
+        cert = socket.peer_cert
+
+        if cert.subject.to_s =~ /cn=([^\/]*)/i
+        cn = $1
+        end
+        puts "Peer-Cert CN: #{cn}"
+        socket.io.shutdown(2)
+      rescue => bang
+        puts bang
+        cn = host
+      ensure
+        socket.close if socket.respond_to? :close
+      end
+      cn
+    end
 
     #
     #
@@ -531,14 +709,15 @@ module Watobo
         #print "~]"
           return if buf.nil?
         rescue Errno::ECONNRESET
-          puts "!!! ERROR (Reset): reading body"
-          puts "* last data seen on socket: #{buf}"
+        # puts "!!! ERROR (Reset): reading body"
+        # puts "* last data seen on socket: #{buf}"
+          print "R"
           return if buf.nil?
         rescue Timeout::Error
-          puts "!!! ERROR (Timeout): reading body"
-          puts "* last data seen on socket:"
-          #client.write buf if buf
-          print "!~]"
+        #puts "!!! ERROR (Timeout): reading body"
+        #puts "* last data seen on socket:"
+        #client.write buf if buf
+          print "T"
           return if buf.nil?
         rescue => bang
           puts "!!! could not read body !!!"
@@ -583,16 +762,76 @@ module Watobo
       end
     end
 
+    def transparent?
+      return true if ( @proxy_mode & Watobo::Interceptor::MODE_TRANSPARENT ) > 0
+      return false
+    end
+
     def read_request(socket)
       request = []
       # read http header lines
       session = socket
-      # puts "* read header ..."
-      Watobo::HTTP.read_header(socket) do |line|
-       # puts line
+
+      ra = socket.remote_address
+      cport = ra.ip_port
+      caddr = ra.ip_address
+
+      if transparent?
+
+        ci = @connections.info({ 'host' => caddr, 'port' => cport } )
+        unless ci['target'].empty? or ci['cn'].empty?
+          puts "SSL-REQUEST FROM #{caddr}:#{cport}"
+
+          ctx = Watobo::CertStore.acquire_ssl_ctx ci['target'], ci['cn']
+
+          begin
+            ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ctx)
+            ssl_socket.setsockopt( Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1)
+            # ssl_socket.sync_close = true
+            ssl_socket.sync = true
+            # puts ssl_socket.methods.sort
+            session = ssl_socket.accept
+          rescue OpenSSL::SSL::SSLError => e
+            puts ">> SSLError"
+            puts e
+            return nil, session
+          rescue => bang
+            puts bang
+            puts bang.backtrace
+            return nil, session
+          end
+        else
+          puts ci['host']
+          puts ci['cn']
+        end
+      end
+
+      Watobo::HTTP.read_header(session) do |line|
+      # puts line
         request.push line
       end
 
+      if transparent?
+        #puts "> get hostname ..."
+        thn = nil
+        request.each do |l|
+          if l =~ /^Host: (.*)/
+          thn = $1.strip
+          #   puts ">> #{thn}"
+          end
+        end
+        # puts session.class
+        # puts "* fix request line ..."
+        # puts request.first
+        # puts ">>"
+        if session.is_a? OpenSSL::SSL::SSLSocket
+          request.first.gsub!(/(^[^[:space:]]{1,}) (.*) (HTTP.*)/i,"\\1 https://#{thn}\\2 \\3")
+        else
+          request.first.gsub!(/(^[^[:space:]]{1,}) (.*) (HTTP.*)/i,"\\1 http://#{thn}\\2 \\3")
+        end
+      #puts request.first
+      end
+
       if request.first =~ /^CONNECT (.*):(\d{1,5}) HTTP\/1\./ then
         target = $1
         tport = $2
@@ -606,13 +845,31 @@ module Watobo
         bscount = 0 # bad handshake counter
         #  puts "* wait for ssl handshake ..."
         begin
-
+          dst = "#{target}:#{tport}"
+          unless @fake_certs.has_key? dst
+            puts "NEW CERTIFICATE FOR >> #{dst} <<"
+            cn = get_ssl_cert_cn(target, tport)
+            puts "CN=#{cn}"
+
+            cert = {
+              :hostname => cn,
+              :type => 'server',
+              :user => 'watobo',
+              :email => 'a.schmidt@siberas.de',
+            }
+            cert_file, key_file = Watobo::CA.create_cert cert
+            @fake_certs[dst] = {
+              :cert => OpenSSL::X509::Certificate.new(File.read(cert_file)),
+              :key => OpenSSL::PKey::RSA.new(File.read(key_file))
+            }
+          end
           ctx = OpenSSL::SSL::SSLContext.new()
 
-          ctx.cert = @cert
+          #ctx.cert = @cert
+          ctx.cert = @fake_certs[dst][:cert]
           #  @ctx.key = OpenSSL::PKey::DSA.new(File.read(key_file))
-          ctx.key = @key
-
+          #ctx.key = @key
+          ctx.key = @fake_certs[dst][:key]
           ctx.tmp_dh_callback = proc { |*args|
             @dh_key
           }
@@ -622,7 +879,7 @@ module Watobo
 
           ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ctx)
           ssl_socket.setsockopt( Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1)
-          #ssl_socket.sync_close = true
+          #  ssl_socket.sync_close = true
           ssl_socket.sync = true
           # puts ssl_socket.methods.sort
 
@@ -652,9 +909,10 @@ module Watobo
         request.first.gsub!(/(^[^[:space:]]{1,})( )(\/.*)/, "\\1 https://#{target}:#{tport}\\3")
       end
       #puts request
-      request.extend Watobo::Mixin::Parser::Url
-      request.extend Watobo::Mixin::Parser::Web10
-      request.extend Watobo::Mixin::Shaper::Web10
+      # request.extend Watobo::Mixin::Parser::Url
+      # request.extend Watobo::Mixin::Parser::Web10
+      # request.extend Watobo::Mixin::Shaper::Web10
+      Watobo::Request.create request
 
       clen = request.content_length
       if  clen > 0 then
@@ -673,6 +931,8 @@ module Watobo
       begin
         reason = nil
         clen = response.content_length
+        # no pass-through necessary if request method is HEAD
+        return false if request.method =~ /^head/i
 
         if matchContentType?(response.content_type) then
           # first forward headers
@@ -718,17 +978,20 @@ module Watobo
 
     def closeSocket(socket)
       #puts socket.class
+      return false if socket.nil?
       begin
       #if socket.class.to_s =~ /SSLSocket/
         if socket.is_a? OpenSSL::SSL::SSLSocket
         socket.io.shutdown(2)
+        #socket.sysclose
         else
         socket.shutdown(2)
         end
-        socket.close
+        socket.close if socket.respond_to? :close
       rescue => bang
         puts bang
         puts bang.backtrace if $DEBUG
+
       end
     end