zokor 0.2.1

data/double-proxy.rb

@@ -0,0 +1,58 @@
+#!/usr/bin/env ruby
+require 'uri'
+require 'webrick'
+require 'webrick/httpproxy'
+
+def usage
+  STDERR.puts <<-EOM
+usage: #{File.basename($0)} PORT [PROXY_URL]
+  EOM
+end
+
+def serve(port, proxy_url=nil)
+  puts 'Starting up double proxy server!'
+
+  puts "Listening on port #{port.inspect}"
+  opts = {Port: port}
+
+  if proxy_url
+    puts "Forwarding through proxy #{proxy_url.inspect}"
+    opts[:ProxyURI] = URI.parse(proxy_url)
+  end
+
+  proxy = WEBrick::HTTPProxyServer.new(opts)
+
+  Signal.trap('INT') { proxy.shutdown }
+  Signal.trap('QUIT') { proxy.shutdown }
+  Signal.trap('TERM') { proxy.shutdown }
+
+  proxy.start
+end
+
+def main(args)
+  begin
+    port = args.fetch(0)
+  rescue IndexError
+    usage
+    exit 1
+  end
+
+  begin
+    port = Integer(port)
+  rescue ArgumentError => err
+    usage
+    STDERR.puts err
+    exit 1
+  end
+
+  proxy_url = args[1]
+  if proxy_url && proxy_url.empty?
+    proxy_url = nil
+  end
+
+  serve(port, proxy_url)
+end
+
+if $0 == __FILE__
+  main(ARGV)
+end

data/lib/zokor.rb

@@ -0,0 +1,18 @@
+require 'openssl'
+
+require_relative 'zokor/version'
+require_relative 'zokor/logger'
+
+require_relative 'zokor/config'
+require_relative 'zokor/proxy_connection'
+require_relative 'zokor/proxy_magic'
+
+module Zokor
+  unless defined?(self::SafeOpenSSLSettings)
+    SafeOpenSSLSettings = true
+    OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_COMPRESSION
+    OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2
+    OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv3
+    OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] = 'HIGH:!TLSv1:!SSLv3:!aNULL:!eNULL'
+  end
+end

data/lib/zokor/config.rb

@@ -0,0 +1,178 @@
+require 'etc'
+require 'fileutils'
+require 'openssl'
+require 'socket'
+require 'yaml'
+
+module Zokor
+  class Config
+    DEFAULT_CONFIG_DIR = File.join(File.expand_path('~'), '.config', 'zokor')
+
+    attr_reader :config_dir
+
+    # @param config_dir [String] (DEFAULT_CONFIG_DIR)
+    def initialize(config_dir=nil)
+      @config_dir = config_dir || DEFAULT_CONFIG_DIR
+    end
+
+    def load_config(filename=nil)
+      filename ||= config_yaml_file
+      YAML.load_file(filename)
+    end
+
+    def config_yaml_file
+      config_file('zokor.yaml')
+    end
+
+    def config_file(name)
+      File.join(config_dir, name)
+    end
+
+    def interactive_install_cert(filename='client.crt')
+      path = config_file(filename)
+      log.debug('Will install certificate to ' + path.inspect)
+      puts 'Please paste your certificate now from -----BEGIN CERTIFICATE-----'
+
+      cert_data = ''
+
+      in_cert = false
+      while line = STDIN.gets
+        next if line.strip.empty?
+
+        # check for begin marker
+        if !in_cert
+          if line.strip == '-----BEGIN CERTIFICATE-----'
+            in_cert = true
+          else
+            log.warn "Certificate should start with: -----BEGIN CERTIFICATE-----"
+            return false
+          end
+        end
+
+        cert_data << line
+
+        # end
+        break if line.strip == '-----END CERTIFICATE-----'
+      end
+
+      File.open(path, File::WRONLY|File::CREAT|File::EXCL, 0644) do |f|
+        f.write(cert_data)
+      end
+
+      log.info("Saved certificate to #{path.inspect}")
+
+      path
+    end
+
+    def interactive_init(opts)
+      unless opts[:remote_host]
+        log.error('Please pass --ext-host')
+        return false
+      end
+      unless opts[:remote_port]
+        log.error('Please pass --ext-port')
+        return false
+      end
+
+      init_config(opts.fetch(:remote_host), opts.fetch(:remote_port))
+    end
+
+    def init_config(remote_host, remote_port,
+                    local_host: '127.0.0.1', local_port: 8080)
+      unless Dir.exist?(config_dir)
+        log.info("mkdir #{config_dir}")
+        FileUtils.mkdir_p(config_dir)
+      end
+
+      path = config_yaml_file
+
+      if File.exist?(path)
+        log.warn('Config file already exists: ' + path)
+        return false
+      end
+
+      data = {
+        use_ssl: true,
+        ssl_opts: {
+          ca_file: :builtin,
+          cert_file: config_file('client.crt'),
+          key_file: config_file('client.key'),
+        },
+        local_host: local_host,
+        local_port: local_port,
+        remote_host: remote_host,
+        remote_port: remote_port,
+      }
+
+      log.info('Initializing config: ' + YAML.dump(data))
+
+      File.write(path, YAML.dump(data))
+
+      create_client_keypair(config_file('client.key'),
+                            config_file('client.csr'))
+    end
+
+    # @param key_file [String] Key filename
+    # @param csr_file [String] CSR filename
+    def create_client_keypair(key_file, csr_file)
+      log.info('Generating SSL/TLS key and certificate request')
+
+      key = generate_rsa_key
+      File.open(key_file, File::WRONLY|File::CREAT|File::EXCL, 0600) do |f|
+        f.write(key.to_s)
+      end
+
+      log.info("Wrote key to #{key_file.inspect}")
+
+      csr = generate_csr(key, user_address)
+      csr.to_s
+
+      File.write(csr_file, csr.to_s)
+
+      log.info("Wrote request to #{csr_file.inspect}")
+
+      log.warn('Certificate request follows:')
+
+      puts csr.to_s
+
+      log.warn('Please send the above certificate request.')
+
+      return true
+    end
+
+    private
+
+    def generate_rsa_key(bits=2048)
+      OpenSSL::PKey::RSA.generate(bits)
+    end
+
+    def generate_csr(key, common_name)
+      request = OpenSSL::X509::Request.new
+      request.version = 0
+
+      # don't bother including much of anything in the subject
+      request.subject = OpenSSL::X509::Name.new([
+        # ['C',  options[:country],         OpenSSL::ASN1::PRINTABLESTRING],
+        # ['ST', options[:state],           OpenSSL::ASN1::UTF8STRING],
+        # ['L',  options[:city],            OpenSSL::ASN1::UTF8STRING],
+        # ['O',  options[:organization],    OpenSSL::ASN1::UTF8STRING],
+        # ['OU', options[:department],      OpenSSL::ASN1::UTF8STRING],
+        ['CN', common_name,               OpenSSL::ASN1::UTF8STRING],
+        # ['emailAddress', options[:email], OpenSSL::ASN1::UTF8STRING]
+      ])
+
+      request.public_key = key.public_key
+      request.sign(key, OpenSSL::Digest::SHA256.new)
+
+      request
+    end
+
+    def user_address
+      "#{Etc.getlogin}@#{Socket.gethostname}"
+    end
+
+    def log
+      @log ||= Zokor::ProgLogger.new('config')
+    end
+  end
+end

data/lib/zokor/logger.rb

@@ -0,0 +1,97 @@
+require 'logger'
+
+module Zokor
+  def self.log_level
+    @log_level ||= log_level!
+  end
+  def self.log_level=(level)
+    @log_level = Integer(level)
+  end
+  def self.log_level!
+    level = ENV['LOG_LEVEL']
+    return Integer(level) if level && !level.empty?
+
+    Logger::INFO
+  end
+
+  module TermColors
+    NOTHING      = '0;0'
+    BLACK        = '0;30'
+    RED          = '0;31'
+    GREEN        = '0;32'
+    BROWN        = '0;33'
+    BLUE         = '0;34'
+    PURPLE       = '0;35'
+    CYAN         = '0;36'
+    LIGHT_GRAY   = '0;37'
+    DARK_GRAY    = '1;30'
+    LIGHT_RED    = '1;31'
+    LIGHT_GREEN  = '1;32'
+    YELLOW       = '1;33'
+    LIGHT_BLUE   = '1;34'
+    LIGHT_PURPLE = '1;35'
+    LIGHT_CYAN   = '1;36'
+    WHITE        = '1;37'
+    BG_BLACK     = '1;40'
+    BG_RED       = '1;41'
+    BG_GREEN     = '1;42'
+    BG_YELLOW    = '1;43'
+    BG_BLUE      = '1;44'
+    BG_PURPLE    = '1;45'
+    BG_CYAN      = '1;46'
+    BG_WHITE     = '1;47'
+    RED_ON_WHITE = '1;31;47'
+
+    SCHEMA = {
+      STDOUT => %w[nothing green brown red purple cyan],
+      STDERR => %w[dark_gray nothing yellow light_red bg_red light_cyan],
+    }
+  end
+
+  class ColoredLogger < Logger
+    def format_message(level, *args)
+      if TermColors::SCHEMA[@logdev.dev] && @logdev.dev.tty?
+        begin
+          index = self.class.const_get(level.sub('ANY', 'UNKNOWN'))
+          color_name = TermColors::SCHEMA[@logdev.dev][index]
+          color = TermColors.const_get(color_name.to_s.upcase)
+        rescue NameError
+          color = '0;0'
+        end
+        message = super(level, *args)
+        if message.end_with?("\n")
+          # make sure color is turned off before any trailing newline
+          "\e[#{color}m#{message[0...-1]}\e[0;0m\n"
+        else
+          "\e[#{color}m#{message}\e[0;0m"
+        end
+      else
+        super(level, *args)
+      end
+    end
+
+    def rainbow(*args)
+      SEV_LABEL.each_with_index do |level, i|
+        add(i, *args)
+      end
+    end
+  end
+
+  class ProgLogger < ColoredLogger
+    def initialize(name, opts={})
+      opts[:stream] ||= STDERR
+
+      @chunder = !!ENV['LOG_CHUNDER']
+
+      super(opts.fetch(:stream))
+      self.level = Zokor.log_level
+      self.progname = name
+    end
+
+    def chunder(*args, &blk)
+      return unless @chunder
+      debug(*args, &blk)
+    end
+  end
+end
+

data/lib/zokor/proxy_connection.rb

@@ -0,0 +1,329 @@
+require 'openssl'
+require 'socket'
+
+require 'proxifier'
+
+module Zokor
+  class ProxyConnection
+    BlockSize = 1024 * 4
+
+    BUILTIN_CA_FILE = File.join(File.dirname(__FILE__), '..', '..',
+                                'ca-certs-small.crt')
+
+    # Create a new connection object to wrap a local client connection and
+    # ferry packets through the proxies.
+    #
+    # @param local_socket [TCPSocket] The local inbound connection.
+    # @param remote_host [String]
+    # @param remote_port [Integer]
+    # @param opts [Hash]
+    #
+    # @option opts [String] :proxy_url Intermediate proxy URL to connect
+    #   through.
+    # @option opts [Boolean] :use_ssl Whether to use SSL/TLS for the external
+    #   proxy connection
+    # @option opts [Hash] :ssl_opts A hash of SSL options to pass to
+    #   {ProxyConnection#create_ssl_socket}. Supports some custom options like
+    #   :key_file and :cert_file (override :key and :cert). Pass
+    #   :ca_file => :builtin to use the CA bundle that ships with this library.
+    #
+    def initialize(local_socket, remote_host, remote_port, opts={})
+      @local_socket = local_socket
+      @remote_host = remote_host
+      @remote_port = remote_port
+
+      @proxy_url = opts[:proxy_url]
+      @use_ssl = opts[:use_ssl]
+      @ssl_opts = opts.fetch(:ssl_opts, {})
+
+      # process ssl_opts
+      if @ssl_opts[:ca_file] == :builtin || @ssl_opts[:ca_file] == ':builtin'
+        log.debug('Using built-in CA file')
+        @ssl_opts[:ca_file] = BUILTIN_CA_FILE
+      end
+
+      key_file = @ssl_opts.delete(:key_file)
+      if key_file
+        # TODO: support other keys besides RSA
+        @ssl_opts[:key] = OpenSSL::PKey::RSA.new(File.open(key_file))
+      end
+
+      cert_file = @ssl_opts.delete(:cert_file)
+      if cert_file
+        @ssl_opts[:cert] = OpenSSL::X509::Certificate.new(File.open(cert_file))
+      end
+
+      log.info('new local connection')
+    end
+
+    # Connect to the proxies and begin ferrying packets. This method will loop
+    # indefinitely until the connection is closed by client or server.
+    def connect
+
+      local = @local_socket
+
+      # open connection to remote server
+      remote = create_outbound_tcp_socket
+
+      # SSL remote main loop
+      loop do
+        log.debug('IO.select()')
+        read_set = [local, remote]
+        if remote.is_a?(OpenSSL::SSL::SSLSocket)
+          # TODO: determine whether this is needed
+          read_set << remote.io
+        end
+
+        rd_ready, _, _ = IO.select(read_set, nil, nil, 2)
+
+        if rd_ready.nil?
+          log.chunder('select TIMEOUT')
+          next
+        end
+
+        log.chunder {'read ready: ' + rd_ready.inspect}
+
+        if rd_ready.include?(local)
+          data = local.recv(BlockSize)
+          if data.empty?
+            log.info('Local end closed connection')
+            return
+          end
+          log.debug("=> #{data.length} bytes to remote")
+          socket_write(remote, data)
+          log.chunder('writen')
+        end
+        if rd_ready.include?(remote)
+          while true
+            data = socket_read(remote, BlockSize)
+            if data.empty?
+              log.info('Remote end closed connection')
+              return
+            end
+            log.debug("<= #{data.length} bytes from remote")
+            local.write(data)
+            log.chunder('written')
+
+            if data.length < BlockSize
+              log.chunder("data.length < blocksize, done")
+              break
+            else
+              log.chunder("data.length >= blocksize, continuing")
+            end
+          end
+        end
+      end
+
+    rescue Errno::ECONNRESET, Errno::ENETUNREACH, Errno::EPIPE, EOFError => err
+      log.warn(err.inspect)
+
+    ensure
+      local.close if local && !local.closed?
+      remote.close if remote && !remote.closed?
+
+      log.info('Connection closed')
+    end
+
+    def to_s
+      "<#{self.class.name} to #{label}>"
+    end
+
+    private
+
+    # Initiate a TCP connection to our configured remote host.
+    #
+    # If @proxy_url is set, create a fake connection object that goes
+    # through the proxy.
+    #
+    # If @use_ssl is set, open an SSL socket on this connection.
+    #
+    # @return [TCPSocket, OpenSSL::SSL::SSLSocket]
+    #
+    def create_outbound_tcp_socket
+      label = "#{@remote_host}:#{@remote_port}"
+      if @proxy_url
+        log.info("Connecting to #{label} through proxy #{@proxy_url}")
+        @proxy = Proxifier::Proxy(@proxy_url)
+        tcp_socket = @proxy.open(@remote_host, @remote_port)
+      else
+        log.info("Connecting to #{label}")
+        tcp_socket = TCPSocket.new(@remote_host, @remote_port)
+      end
+
+      if @use_ssl
+        create_ssl_socket(tcp_socket, @ssl_opts)
+      else
+        tcp_socket
+      end
+    end
+
+    # @param [TCPSocket] tcp_socket
+    # @param [Hash] opts
+    #
+    # @option opts [String] :ca_file
+    # @option opts [String] :ca_path
+    # @option opts [OpenSSL::X509::Certificate] :cert
+    # @option opts [OpenSSL::PKey::PKey] :key
+    #
+    # @return [OpenSSL::SSL::SSLSocket]
+    def create_ssl_socket(tcp_socket, opts)
+      log.info('Beginning SSL handshake')
+      ssl_context = OpenSSL::SSL::SSLContext.new()
+      ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+      # by default, use default cert store
+      if !opts[:ca_file] && !opts[:ca_path]
+        ssl_context.cert_store = default_cert_store
+      end
+
+      ssl_context.set_params(opts)
+
+      # ssl_context.cert = File.open(opts[:cert]) if opts[:cert]
+      # ssl_context.key = File.open(opts[:key]) if opts[:key]
+      # ssl_context.ca_file = opts[:ca_file] if opts[:ca_file]
+      # ssl_context.ca_path = opts[:ca_path] if opts[:ca_path]
+
+      ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
+      ssl_socket.sync_close = true
+
+      begin
+        ssl_socket.connect
+      rescue StandardError => err
+        log.warn(err.message)
+        raise
+      end
+
+      log.info('Connected!')
+
+      ssl_socket
+    end
+
+    # Abstract over SSL and TCP socket read().
+    #
+    # @param [TCPSocket, OpenSSL::SSL::SSLSocket] socket
+    # @param [Integer] bytes
+    #
+    # @return [String] data
+    #
+    def socket_read(socket, bytes, until_blocked=false)
+      case socket
+      when TCPSocket
+        socket.recv(bytes)
+      when OpenSSL::SSL::SSLSocket
+        ssl_socket_read(socket, bytes)
+      else
+        raise ArgumentError.new("Unexpected socket type: #{socket.inspect}")
+      end
+    end
+
+    # Abstract over SSL ant TCP socket write().
+    #
+    # @param [TCPSocket, OpenSSL::SSL::SSLSocket] socket
+    # @param [String] data
+    #
+    # @return [Integer] bytes written
+    #
+    def socket_write(socket, data)
+      case socket
+      when TCPSocket
+        socket.write(data)
+      when OpenSSL::SSL::SSLSocket
+        ssl_socket_write(socket, data)
+      else
+        raise ArgumentError.new("Unexpected socket type: #{socket.inspect}")
+      end
+    end
+
+    # Write in a blocking fashion to the given SSLSocket.
+    # This handles the appropriate subtleties of waiting for necessary
+    # reads/writes with the underlying IO, which makes a simple IO.select and
+    # normal blocking write impossible.
+    # https://bugs.ruby-lang.org/issues/8875
+    #
+    # @param [OpenSSL::SSL::SSLSocket] ssl_socket
+    # @param [String] data
+    #
+    # @return [Integer] number of bytes written
+    #
+    # @see [OpenSSL::Buffering#write_nonblock]
+    #
+    def ssl_socket_write(ssl_socket, data)
+      log.chunder('ssl_socket_write')
+
+      begin
+        return ssl_socket.write_nonblock(data)
+      rescue IO::WaitReadable
+        log.chunder('WaitReadable') # XXX
+        IO.select([ssl_socket.io])
+        log.chunder('WaitReadable retry') # XXX
+        retry
+      rescue IO::WaitWritable
+        log.chunder('WaitWritable') # XXX
+        IO.select(nil, [ssl_socket.io])
+        log.chunder('WaitWritable retry') # XXX
+        retry
+      end
+    ensure
+      log.chunder('done ssl_socket_write')
+    end
+
+    # Read in a blocking fashion from the given SSLSocket.
+    # This handles the appropriate subtleties of waiting for necessary
+    # reads/writes with the underlying IO, which makes a simple IO.select and
+    # normal blocking read impossible.
+    # https://bugs.ruby-lang.org/issues/8875
+    #
+    # @param [OpenSSL::SSL::SSLSocket] ssl_socket
+    # @param [Integer] bytes Maximum number of bytes to read
+    #
+    # @return [String] data read
+    #
+    # @see [OpenSSL::Buffering#write_nonblock]
+    #
+    def ssl_socket_read(ssl_socket, bytes)
+      log.chunder('ssl_socket_read')
+
+      begin
+        return ssl_socket.read_nonblock(bytes)
+      rescue IO::WaitReadable
+        log.chunder('WaitReadable') # XXX
+        IO.select([ssl_socket.io])
+        log.chunder('WaitReadable retry') # XXX
+        retry
+      rescue IO::WaitWritable
+        log.chunder('WaitWritable') # XXX
+        IO.select(nil, [ssl_socket.io])
+        log.chunder('WaitWritable retry') # XXX
+        retry
+      end
+
+    ensure
+      log.chunder('done ssl_socket_read')
+    end
+
+    # Return an OpenSSL X509 CA certificate store wrapping the system default
+    # certificate authorities.
+    #
+    # TODO: make this work on Windows
+    #
+    # @return [OpenSSL::X509::Store]
+    def default_cert_store
+      store = OpenSSL::X509::Store.new
+      store.set_default_paths
+
+      store
+    end
+
+    def label
+      @label ||= label!
+    end
+    def label!
+      port, name = @local_socket.peeraddr[1..2]
+      "#{name}:#{port}"
+    end
+
+    def log
+      @log ||= Zokor::ProgLogger.new("<#{label}>")
+    end
+  end
+end