fh_tool-cli 0.2.2__tar.gz → 0.2.3__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (60) hide show
  1. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/PKG-INFO +18 -2
  2. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/README.md +17 -1
  3. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/pyproject.toml +1 -1
  4. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/account.py +62 -1
  5. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/backends/cfg_cmd.py +15 -3
  6. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/backends/fh_tool.py +25 -1
  7. fh_tool_cli-0.2.3/src/fh_tool_cli/backends/telnet.py +138 -0
  8. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/backends/web_ajax.py +60 -1
  9. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/backup.py +17 -0
  10. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/cli.py +38 -8
  11. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/click_cli.py +28 -11
  12. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/client.py +18 -1
  13. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/commands/web.py +44 -13
  14. fh_tool_cli-0.2.3/src/fh_tool_cli/output.py +100 -0
  15. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/parser.py +2 -0
  16. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/remote.py +25 -4
  17. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli.egg-info/PKG-INFO +18 -2
  18. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli.egg-info/SOURCES.txt +1 -0
  19. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_account.py +19 -12
  20. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_backup.py +26 -0
  21. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_click_cli.py +21 -0
  22. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_remote.py +25 -3
  23. fh_tool_cli-0.2.3/tests/test_telnet_backend.py +73 -0
  24. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_web_ajax.py +172 -10
  25. fh_tool_cli-0.2.3/tests/test_web_ajax_post.py +234 -0
  26. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_web_write_payloads.py +75 -1
  27. fh_tool_cli-0.2.2/src/fh_tool_cli/backends/telnet.py +0 -66
  28. fh_tool_cli-0.2.2/src/fh_tool_cli/output.py +0 -48
  29. fh_tool_cli-0.2.2/tests/test_web_ajax_post.py +0 -128
  30. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/setup.cfg +0 -0
  31. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/__init__.py +0 -0
  32. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/argparse_utils.py +0 -0
  33. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/backends/__init__.py +0 -0
  34. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/backends/local_vm.py +0 -0
  35. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/commands/__init__.py +0 -0
  36. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/config_decrypt.py +0 -0
  37. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/config_store.py +0 -0
  38. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/credential_sources.py +0 -0
  39. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/credentials.py +0 -0
  40. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/crypto.py +0 -0
  41. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/diagnostics.py +0 -0
  42. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/errors.py +0 -0
  43. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/risk.py +0 -0
  44. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/upload.py +0 -0
  45. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/web_discovery.py +0 -0
  46. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli/web_writes.py +0 -0
  47. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli.egg-info/dependency_links.txt +0 -0
  48. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli.egg-info/entry_points.txt +0 -0
  49. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli.egg-info/requires.txt +0 -0
  50. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/src/fh_tool_cli.egg-info/top_level.txt +0 -0
  51. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_cfg_cmd.py +0 -0
  52. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_cli_risk.py +0 -0
  53. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_config_decrypt.py +0 -0
  54. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_credentials.py +0 -0
  55. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_diagnostics.py +0 -0
  56. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_extracted_helpers.py +0 -0
  57. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_local_vm_integration.py +0 -0
  58. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_parser_registration.py +0 -0
  59. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_upload.py +0 -0
  60. {fh_tool_cli-0.2.2 → fh_tool_cli-0.2.3}/tests/test_web_discovery.py +0 -0
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: fh_tool-cli
3
- Version: 0.2.2
3
+ Version: 0.2.3
4
4
  Summary: 用于本地管理 FiberHome fh_tool 接口的 Python CLI
5
5
  Author: Gxxk
6
6
  License-Expression: AGPL-3.0-or-later
@@ -52,6 +52,8 @@ fh-tool --log-file fh-tool.log dev-info
52
52
 
53
53
  `--json` 输出稳定的 machine-readable JSON,不混入日志或样式。当前默认人类输出仍保持 pretty JSON,以兼容已有脚本;后续可以在不影响 `--json` 的前提下逐步增加表格化输出。
54
54
 
55
+ `--log-file` 写入 JSON lines 结构化日志;`-v/-vv` 控制 info/debug 事件,`-q` 只保留 error 级别。日志只记录 command、HTTP method、状态码、cfg path、风险等级等元数据,密码、session、token、LOID、PPPoE 等字段会脱敏。
56
+
55
57
  ## 快速配置
56
58
 
57
59
  保存默认 IP/MAC:
@@ -149,7 +151,7 @@ fh-tool wan list --backend local-vm
149
151
 
150
152
  `local-vm` 只是在本机 proot VM 内执行厂商 `cfg_cmd`。`--vm-root` 必须指向 VM 工作区目录,也就是包含 `bin/proot-shell` 和 `rootfs-vm/fhrom/bin/cfg_cmd` 的目录;默认是 `/mnt/dev-cold/HG5143F-ONU-vm`。不要把它指到里面的 `rootfs-vm/`。
151
153
 
152
- Web AJAX 读取命令只读。需要复用已有 Web session 时加 `--sessionid`;需要登录时可显式传 `--password-stdin` 或 `--password`。未显式提供密码时默认 `--username useradmin --password-source auto`,会依次尝试 `GetAdminAccount` 和 cfg 路径读取 Web superadmin 密码;cfg 来源需要 Telnet 时会默认使用 HG5143F 派生 Telnet 凭据 fallback,可用 `--no-derived-credentials` 关闭。失败不会阻塞只读抓取。sessionid、密码、LOID、PPPoE 等敏感字段默认会脱敏;只有显式加 `--reveal-secrets` 才输出明文。
154
+ Web AJAX 读取命令只读。需要复用已有 Web session 时加 `--sessionid`;需要登录时可显式传 `--password-stdin` 或 `--password`。未显式提供密码时默认 `--username useradmin --password-source auto`,会依次尝试 `GetAdminAccount` 和 cfg 路径读取 Web superadmin 密码;cfg 来源需要 Telnet 时会默认使用 HG5143F 派生 Telnet 凭据 fallback,可用 `--no-derived-credentials` 关闭。失败不会阻塞只读抓取,并会在结果里返回脱敏 login summary。sessionid、密码、LOID、PPPoE 等敏感字段默认会脱敏;只有显式加 `--reveal-secrets` 才输出明文。
153
155
 
154
156
  后台 AJAX 接口发现以 live discovery 为主路径,不需要 HAR,也不需要 rootfs:
155
157
 
@@ -174,6 +176,8 @@ fh-tool web services set --service telnet --enabled 0 --confirm
174
176
 
175
177
  常规 Web 写接口优先使用 typed 参数。`web ajax post` 和 `web ajax replay` 支持任意已知或未知 AJAX method,默认只输出计划,不发 POST;执行必须加 `--confirm`,且默认拒绝空 payload。`--json-payload` 和可重复的 `--param k=v` 仍保留为固件差异逃生口,合并顺序是 typed 参数、JSON、最后 `--param` 覆盖。旧的确认参数会直接报弃用错误。
176
178
 
179
+ Web AJAX 写命令 dry-run 不会登录;加 `--confirm` 后,如果没有显式 `--sessionid`,会要求自动登录成功后才发 POST。
180
+
177
181
  Telnet/cfg/诊断命令在未显式传 Telnet 密码时,会默认使用 HG5143F 派生 Telnet 凭据 fallback;显式传入的用户名/密码始终优先。如果设备不是该规则,或需要保留空凭据/自定义认证,可加 `--no-derived-credentials` 关闭。`--use-derived-credentials` 仍作为兼容参数接受:
178
182
 
179
183
  ```bash
@@ -182,6 +186,8 @@ fh-tool wan list
182
186
  fh-tool cfg get InternetGatewayDevice.DeviceInfo.Manufacturer --no-derived-credentials
183
187
  ```
184
188
 
189
+ 需要 root shell 的 Telnet 操作会自动执行 `su root`,当前 su 密码默认按 HG5143F 规则从 MAC 派生;如果 runtime su 密码已经被你改过,可显式传 `--su-password` 或 `--su-password-stdin`。例如 device restore、`cloud disable-cloudclt --confirm`、`account set-su-runtime-password --confirm` 会走 root runner。`account set-su-runtime-password` 写入的是 `/var/telsu` 的 passwd 格式 md5-crypt 行,不会把明文密码写入远端命令。
190
+
185
191
  诊断命令保持只读;`ip status` 这类依赖 VM/userspace 工具的命令会分别标记每个 probe 的 `ok/output/error`,工具缺失时输出 `partial_failure=true`,不会吞掉其它已成功字段。
186
192
 
187
193
  本地 VM 集成测试默认会跳过;需要显式指定 VM 目录才会运行:
@@ -226,6 +232,8 @@ fh-tool restore backup.tgz \
226
232
 
227
233
  当前 restore 只恢复 allowlist 内的配置文件,且会拒绝路径穿越、绝对路径逃逸和未知文件写入。`/proc/mtd`、runtime password 文件、restore/factory reset flag 等备份内容不会被恢复。恢复后会 read-back/hash verify;不会自动 reboot,也不会自动 factory reset。
228
234
 
235
+ 默认备份清单包含调研确认的 `/fhconf`、`/fhdata`、runtime password、CloudPlat/appframework 状态和 boot/app 信息等只读路径;这些新增调研路径不会自动加入 restore allowlist。
236
+
229
237
  ## CloudPlat / SmartSwitch
230
238
 
231
239
  CloudPlat 默认先做只读审计和计划:
@@ -244,6 +252,14 @@ fh-tool cloud disable-smartswitch --confirm
244
252
 
245
253
  该命令不会修改 LOID、PON、WAN VLAN、ServiceList 或 TR-069 VLAN。
246
254
 
255
+ 只停 CloudPlat 连接优先使用 SAF container 内的 `cloudclt` init 脚本:
256
+
257
+ ```bash
258
+ fh-tool cloud disable-cloudclt --confirm
259
+ ```
260
+
261
+ 该命令通过 `lxc-attach -n saf -- /etc/init.d/cloudclt stop/disable` 执行,需要 root runner;仍然不会 patch 启动脚本或删除 package。
262
+
247
263
  ## 22 个 `/fh_tool/api` method 覆盖
248
264
 
249
265
  已提供 typed command:
@@ -36,6 +36,8 @@ fh-tool --log-file fh-tool.log dev-info
36
36
 
37
37
  `--json` 输出稳定的 machine-readable JSON,不混入日志或样式。当前默认人类输出仍保持 pretty JSON,以兼容已有脚本;后续可以在不影响 `--json` 的前提下逐步增加表格化输出。
38
38
 
39
+ `--log-file` 写入 JSON lines 结构化日志;`-v/-vv` 控制 info/debug 事件,`-q` 只保留 error 级别。日志只记录 command、HTTP method、状态码、cfg path、风险等级等元数据,密码、session、token、LOID、PPPoE 等字段会脱敏。
40
+
39
41
  ## 快速配置
40
42
 
41
43
  保存默认 IP/MAC:
@@ -133,7 +135,7 @@ fh-tool wan list --backend local-vm
133
135
 
134
136
  `local-vm` 只是在本机 proot VM 内执行厂商 `cfg_cmd`。`--vm-root` 必须指向 VM 工作区目录,也就是包含 `bin/proot-shell` 和 `rootfs-vm/fhrom/bin/cfg_cmd` 的目录;默认是 `/mnt/dev-cold/HG5143F-ONU-vm`。不要把它指到里面的 `rootfs-vm/`。
135
137
 
136
- Web AJAX 读取命令只读。需要复用已有 Web session 时加 `--sessionid`;需要登录时可显式传 `--password-stdin` 或 `--password`。未显式提供密码时默认 `--username useradmin --password-source auto`,会依次尝试 `GetAdminAccount` 和 cfg 路径读取 Web superadmin 密码;cfg 来源需要 Telnet 时会默认使用 HG5143F 派生 Telnet 凭据 fallback,可用 `--no-derived-credentials` 关闭。失败不会阻塞只读抓取。sessionid、密码、LOID、PPPoE 等敏感字段默认会脱敏;只有显式加 `--reveal-secrets` 才输出明文。
138
+ Web AJAX 读取命令只读。需要复用已有 Web session 时加 `--sessionid`;需要登录时可显式传 `--password-stdin` 或 `--password`。未显式提供密码时默认 `--username useradmin --password-source auto`,会依次尝试 `GetAdminAccount` 和 cfg 路径读取 Web superadmin 密码;cfg 来源需要 Telnet 时会默认使用 HG5143F 派生 Telnet 凭据 fallback,可用 `--no-derived-credentials` 关闭。失败不会阻塞只读抓取,并会在结果里返回脱敏 login summary。sessionid、密码、LOID、PPPoE 等敏感字段默认会脱敏;只有显式加 `--reveal-secrets` 才输出明文。
137
139
 
138
140
  后台 AJAX 接口发现以 live discovery 为主路径,不需要 HAR,也不需要 rootfs:
139
141
 
@@ -158,6 +160,8 @@ fh-tool web services set --service telnet --enabled 0 --confirm
158
160
 
159
161
  常规 Web 写接口优先使用 typed 参数。`web ajax post` 和 `web ajax replay` 支持任意已知或未知 AJAX method,默认只输出计划,不发 POST;执行必须加 `--confirm`,且默认拒绝空 payload。`--json-payload` 和可重复的 `--param k=v` 仍保留为固件差异逃生口,合并顺序是 typed 参数、JSON、最后 `--param` 覆盖。旧的确认参数会直接报弃用错误。
160
162
 
163
+ Web AJAX 写命令 dry-run 不会登录;加 `--confirm` 后,如果没有显式 `--sessionid`,会要求自动登录成功后才发 POST。
164
+
161
165
  Telnet/cfg/诊断命令在未显式传 Telnet 密码时,会默认使用 HG5143F 派生 Telnet 凭据 fallback;显式传入的用户名/密码始终优先。如果设备不是该规则,或需要保留空凭据/自定义认证,可加 `--no-derived-credentials` 关闭。`--use-derived-credentials` 仍作为兼容参数接受:
162
166
 
163
167
  ```bash
@@ -166,6 +170,8 @@ fh-tool wan list
166
170
  fh-tool cfg get InternetGatewayDevice.DeviceInfo.Manufacturer --no-derived-credentials
167
171
  ```
168
172
 
173
+ 需要 root shell 的 Telnet 操作会自动执行 `su root`,当前 su 密码默认按 HG5143F 规则从 MAC 派生;如果 runtime su 密码已经被你改过,可显式传 `--su-password` 或 `--su-password-stdin`。例如 device restore、`cloud disable-cloudclt --confirm`、`account set-su-runtime-password --confirm` 会走 root runner。`account set-su-runtime-password` 写入的是 `/var/telsu` 的 passwd 格式 md5-crypt 行,不会把明文密码写入远端命令。
174
+
169
175
  诊断命令保持只读;`ip status` 这类依赖 VM/userspace 工具的命令会分别标记每个 probe 的 `ok/output/error`,工具缺失时输出 `partial_failure=true`,不会吞掉其它已成功字段。
170
176
 
171
177
  本地 VM 集成测试默认会跳过;需要显式指定 VM 目录才会运行:
@@ -210,6 +216,8 @@ fh-tool restore backup.tgz \
210
216
 
211
217
  当前 restore 只恢复 allowlist 内的配置文件,且会拒绝路径穿越、绝对路径逃逸和未知文件写入。`/proc/mtd`、runtime password 文件、restore/factory reset flag 等备份内容不会被恢复。恢复后会 read-back/hash verify;不会自动 reboot,也不会自动 factory reset。
212
218
 
219
+ 默认备份清单包含调研确认的 `/fhconf`、`/fhdata`、runtime password、CloudPlat/appframework 状态和 boot/app 信息等只读路径;这些新增调研路径不会自动加入 restore allowlist。
220
+
213
221
  ## CloudPlat / SmartSwitch
214
222
 
215
223
  CloudPlat 默认先做只读审计和计划:
@@ -228,6 +236,14 @@ fh-tool cloud disable-smartswitch --confirm
228
236
 
229
237
  该命令不会修改 LOID、PON、WAN VLAN、ServiceList 或 TR-069 VLAN。
230
238
 
239
+ 只停 CloudPlat 连接优先使用 SAF container 内的 `cloudclt` init 脚本:
240
+
241
+ ```bash
242
+ fh-tool cloud disable-cloudclt --confirm
243
+ ```
244
+
245
+ 该命令通过 `lxc-attach -n saf -- /etc/init.d/cloudclt stop/disable` 执行,需要 root runner;仍然不会 patch 启动脚本或删除 package。
246
+
231
247
  ## 22 个 `/fh_tool/api` method 覆盖
232
248
 
233
249
  已提供 typed command:
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
4
4
 
5
5
  [project]
6
6
  name = "fh_tool-cli"
7
- version = "0.2.2"
7
+ version = "0.2.3"
8
8
  description = "用于本地管理 FiberHome fh_tool 接口的 Python CLI"
9
9
  readme = "README.md"
10
10
  requires-python = ">=3.11"
@@ -3,6 +3,7 @@ from __future__ import annotations
3
3
  import shlex
4
4
  import sys
5
5
  from dataclasses import dataclass
6
+ from hashlib import md5
6
7
  from secrets import token_urlsafe
7
8
  from typing import Any
8
9
 
@@ -13,6 +14,8 @@ WEB_ADMIN_PASSWORD_PATH = "InternetGatewayDevice.DeviceInfo.X_CT-COM_TeleComAcco
13
14
  TELNET_PASSWORD_PATH = "InternetGatewayDevice.DeviceInfo.X_CT-COM_ServiceManage.TelnetPassword"
14
15
  TELNET_USERNAME_PATH = "InternetGatewayDevice.DeviceInfo.X_CT-COM_ServiceManage.TelnetUserName"
15
16
  SU_RUNTIME_PASSWORD_FILE = "/var/telsu"
17
+ _MD5_CRYPT_MAGIC = b"$1$"
18
+ _MD5_CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
16
19
 
17
20
 
18
21
  @dataclass(frozen=True)
@@ -69,7 +72,9 @@ def set_telnet_username(backend: CfgCmdBackend, name: str) -> dict[str, Any]:
69
72
 
70
73
 
71
74
  def set_su_runtime_password(shell_runner: Any, password: str) -> dict[str, Any]:
72
- command = f"printf %s {shlex.quote(password)} > {shlex.quote(SU_RUNTIME_PASSWORD_FILE)}"
75
+ hashed_password = _md5_crypt_empty_salt(password)
76
+ passwd_entry = f"root:{hashed_password}:0:0:Telnet user:/:/bin/ash"
77
+ command = f"printf '%s\\n' {shlex.quote(passwd_entry)} > {shlex.quote(SU_RUNTIME_PASSWORD_FILE)}"
73
78
  shell_runner(command)
74
79
  return {
75
80
  "path": SU_RUNTIME_PASSWORD_FILE,
@@ -80,6 +85,62 @@ def set_su_runtime_password(shell_runner: Any, password: str) -> dict[str, Any]:
80
85
  }
81
86
 
82
87
 
88
+ def _md5_crypt_empty_salt(password: str) -> str:
89
+ return _md5_crypt(password.encode(), b"")
90
+
91
+
92
+ def _md5_crypt(password: bytes, salt: bytes) -> str:
93
+ if len(salt) > 8:
94
+ salt = salt[:8]
95
+
96
+ digest = md5(password + _MD5_CRYPT_MAGIC + salt)
97
+ alternate = md5(password + salt + password).digest()
98
+ password_len = len(password)
99
+
100
+ remaining = password_len
101
+ while remaining > 0:
102
+ digest.update(alternate[: min(16, remaining)])
103
+ remaining -= 16
104
+
105
+ remaining = password_len
106
+ while remaining > 0:
107
+ if remaining & 1:
108
+ digest.update(b"\x00")
109
+ else:
110
+ digest.update(password[:1])
111
+ remaining >>= 1
112
+
113
+ final = digest.digest()
114
+ for index in range(1000):
115
+ digest = md5()
116
+ digest.update(password if index & 1 else final)
117
+ if index % 3:
118
+ digest.update(salt)
119
+ if index % 7:
120
+ digest.update(password)
121
+ digest.update(final if index & 1 else password)
122
+ final = digest.digest()
123
+
124
+ encoded = (
125
+ _md5_crypt_base64(final[0], final[6], final[12], 4)
126
+ + _md5_crypt_base64(final[1], final[7], final[13], 4)
127
+ + _md5_crypt_base64(final[2], final[8], final[14], 4)
128
+ + _md5_crypt_base64(final[3], final[9], final[15], 4)
129
+ + _md5_crypt_base64(final[4], final[10], final[5], 4)
130
+ + _md5_crypt_base64(0, 0, final[11], 2)
131
+ )
132
+ return f"$1${salt.decode()}${encoded}"
133
+
134
+
135
+ def _md5_crypt_base64(byte2: int, byte1: int, byte0: int, length: int) -> str:
136
+ value = (byte2 << 16) | (byte1 << 8) | byte0
137
+ encoded = []
138
+ for _ in range(length):
139
+ encoded.append(_MD5_CRYPT_ALPHABET[value & 0x3F])
140
+ value >>= 6
141
+ return "".join(encoded)
142
+
143
+
83
144
  def _redact_write_result(result: dict[str, Any]) -> dict[str, Any]:
84
145
  redacted = dict(result)
85
146
  redacted["value"] = "[REDACTED]"
@@ -1,6 +1,7 @@
1
1
  from __future__ import annotations
2
2
 
3
3
  import json
4
+ import logging
4
5
  import re
5
6
  import shlex
6
7
  from collections.abc import Callable
@@ -8,6 +9,7 @@ from pathlib import Path
8
9
  from typing import Any
9
10
 
10
11
  from ..errors import CliError
12
+ from ..output import log_event
11
13
 
12
14
  DANGER_CFG_PATH_RE = re.compile(
13
15
  r"(tr-?069|wan|pon|loid|vlan|preconfig|servicelist|smartswitch|cloudplat)",
@@ -57,13 +59,23 @@ class CfgCmdBackend:
57
59
  self.expensive_missing_paths = expensive_missing_paths
58
60
 
59
61
  def get(self, path: str) -> str:
60
- return parse_cfg_get_output(path, self._runner(_cfg_command("get", path)))
62
+ log_event(logging.DEBUG, "cfg.get.start", path=path, risk=cfg_read_risk(path))
63
+ output = self._runner(_cfg_command("get", path))
64
+ value = parse_cfg_get_output(path, output)
65
+ log_event(logging.DEBUG, "cfg.get.success", path=path, risk=cfg_read_risk(path), empty=not bool(value))
66
+ return value
61
67
 
62
68
  def set(self, path: str, value: str) -> str:
63
- return self._runner(_cfg_command("set", path, value))
69
+ log_event(logging.INFO, "cfg.set.start", path=path, risk=cfg_path_risk(path))
70
+ result = self._runner(_cfg_command("set", path, value))
71
+ log_event(logging.INFO, "cfg.set.success", path=path, risk=cfg_path_risk(path))
72
+ return result
64
73
 
65
74
  def attr(self, path: str) -> str:
66
- return self._runner(_cfg_command("attr", path)).strip()
75
+ log_event(logging.DEBUG, "cfg.attr.start", path=path, risk=cfg_read_risk(path))
76
+ result = self._runner(_cfg_command("attr", path)).strip()
77
+ log_event(logging.DEBUG, "cfg.attr.success", path=path, risk=cfg_read_risk(path), empty=not bool(result))
78
+ return result
67
79
 
68
80
 
69
81
  def cfg_set_with_verify(backend: CfgCmdBackend, path: str, value: str) -> dict[str, Any]:
@@ -1,6 +1,7 @@
1
1
  from __future__ import annotations
2
2
 
3
3
  import argparse
4
+ import logging
4
5
  from typing import Any
5
6
 
6
7
  import requests
@@ -8,6 +9,7 @@ import requests
8
9
  from ..config_store import format_mac, resolve_ip, resolve_mac
9
10
  from ..crypto import decrypt_payload, derive_crypto, encrypt_payload
10
11
  from ..errors import FHToolError
12
+ from ..output import log_event
11
13
 
12
14
  FH_TOOL_API_PATH = "/fh_tool/api"
13
15
  FH_TOOL_UPLOAD_PATH = "/fh_tool/upload"
@@ -22,6 +24,8 @@ def fh_tool_call(
22
24
  crypto = derive_crypto(mac)
23
25
  encrypted = encrypt_payload(payload, crypto)
24
26
  url = f"http://{ip}:8080{FH_TOOL_API_PATH}"
27
+ func = str(payload.get("func", "unknown"))
28
+ log_event(logging.INFO, "fh_tool.api.request", ip=ip, path=FH_TOOL_API_PATH, func=func)
25
29
  try:
26
30
  response = requests.post(
27
31
  url,
@@ -34,15 +38,35 @@ def fh_tool_call(
34
38
  allow_redirects=False,
35
39
  )
36
40
  except requests.RequestException as exc:
41
+ log_event(logging.INFO, "fh_tool.api.error", ip=ip, path=FH_TOOL_API_PATH, func=func, error=str(exc))
37
42
  raise FHToolError(f"无法连接 {url}: {exc}") from exc
38
43
 
39
44
  if response.status_code != 200:
45
+ log_event(
46
+ logging.INFO,
47
+ "fh_tool.api.http_error",
48
+ ip=ip,
49
+ path=FH_TOOL_API_PATH,
50
+ func=func,
51
+ status_code=response.status_code,
52
+ )
40
53
  raise FHToolError(f"{FH_TOOL_API_PATH} 返回 HTTP {response.status_code}")
41
54
 
42
55
  try:
43
- return decrypt_payload(response.text, crypto)
56
+ result = decrypt_payload(response.text, crypto)
44
57
  except Exception as exc:
58
+ log_event(logging.INFO, "fh_tool.api.decrypt_error", ip=ip, path=FH_TOOL_API_PATH, func=func)
45
59
  raise FHToolError("响应解密失败,MAC 可能不匹配或固件协议不同") from exc
60
+ log_event(
61
+ logging.INFO,
62
+ "fh_tool.api.response",
63
+ ip=ip,
64
+ path=FH_TOOL_API_PATH,
65
+ func=func,
66
+ status_code=response.status_code,
67
+ result=result.get("result") if isinstance(result, dict) else None,
68
+ )
69
+ return result
46
70
 
47
71
 
48
72
  def api_payload(func: str, params: dict[str, Any] | None = None, index: str = "1") -> dict[str, Any]:
@@ -0,0 +1,138 @@
1
+ from __future__ import annotations
2
+
3
+ import socket
4
+ import logging
5
+ from dataclasses import dataclass
6
+
7
+ from ..config_store import decode_text
8
+ from ..errors import FHToolError
9
+ from ..output import log_event
10
+
11
+
12
+ @dataclass(frozen=True)
13
+ class TelnetCredentials:
14
+ host: str
15
+ port: int = 23
16
+ username: str | None = None
17
+ password: str | None = None
18
+ timeout: float = 5.0
19
+
20
+
21
+ class TelnetShell:
22
+ def __init__(self, credentials: TelnetCredentials):
23
+ self.credentials = credentials
24
+
25
+ def run(self, command: str) -> str:
26
+ log_event(
27
+ logging.INFO,
28
+ "telnet.command.start",
29
+ host=self.credentials.host,
30
+ port=self.credentials.port,
31
+ username_present=bool(self.credentials.username),
32
+ password_present=bool(self.credentials.password),
33
+ )
34
+ try:
35
+ with socket.create_connection(
36
+ (self.credentials.host, self.credentials.port),
37
+ timeout=self.credentials.timeout,
38
+ ) as sock:
39
+ sock.settimeout(self.credentials.timeout)
40
+ if self.credentials.username:
41
+ _read_until(sock, b"login:")
42
+ sock.sendall(self.credentials.username.encode("utf-8") + b"\n")
43
+ if self.credentials.password:
44
+ _read_until(sock, b"Password:")
45
+ sock.sendall(self.credentials.password.encode("utf-8") + b"\n")
46
+ sock.sendall(command.encode("utf-8") + b"\n")
47
+ sock.sendall(b"exit\n")
48
+ output = decode_text(_read_all(sock))
49
+ log_event(
50
+ logging.INFO,
51
+ "telnet.command.success",
52
+ host=self.credentials.host,
53
+ port=self.credentials.port,
54
+ output_bytes=len(output.encode("utf-8")),
55
+ )
56
+ return output
57
+ except OSError as exc:
58
+ log_event(
59
+ logging.INFO,
60
+ "telnet.command.error",
61
+ host=self.credentials.host,
62
+ port=self.credentials.port,
63
+ error=str(exc),
64
+ )
65
+ raise FHToolError(f"Telnet command failed: {exc}") from exc
66
+
67
+ def run_as_root(self, command: str, *, su_password: str) -> str:
68
+ log_event(
69
+ logging.INFO,
70
+ "telnet.root_command.start",
71
+ host=self.credentials.host,
72
+ port=self.credentials.port,
73
+ username_present=bool(self.credentials.username),
74
+ telnet_password_present=bool(self.credentials.password),
75
+ su_password_present=bool(su_password),
76
+ )
77
+ try:
78
+ with socket.create_connection(
79
+ (self.credentials.host, self.credentials.port),
80
+ timeout=self.credentials.timeout,
81
+ ) as sock:
82
+ sock.settimeout(self.credentials.timeout)
83
+ if self.credentials.username:
84
+ _read_until(sock, b"login:")
85
+ sock.sendall(self.credentials.username.encode("utf-8") + b"\n")
86
+ if self.credentials.password:
87
+ _read_until(sock, b"Password:")
88
+ sock.sendall(self.credentials.password.encode("utf-8") + b"\n")
89
+ sock.sendall(b"su root\n")
90
+ _read_until(sock, b"Password:")
91
+ sock.sendall(su_password.encode("utf-8") + b"\n")
92
+ sock.sendall(command.encode("utf-8") + b"\n")
93
+ sock.sendall(b"exit\n")
94
+ sock.sendall(b"exit\n")
95
+ output = decode_text(_read_all(sock))
96
+ log_event(
97
+ logging.INFO,
98
+ "telnet.root_command.success",
99
+ host=self.credentials.host,
100
+ port=self.credentials.port,
101
+ output_bytes=len(output.encode("utf-8")),
102
+ )
103
+ return output
104
+ except OSError as exc:
105
+ log_event(
106
+ logging.INFO,
107
+ "telnet.root_command.error",
108
+ host=self.credentials.host,
109
+ port=self.credentials.port,
110
+ error=str(exc),
111
+ )
112
+ raise FHToolError(f"Telnet root command failed: {exc}") from exc
113
+
114
+
115
+ def _read_until(sock: socket.socket, marker: bytes) -> bytes:
116
+ data = bytearray()
117
+ while marker not in data:
118
+ try:
119
+ chunk = sock.recv(4096)
120
+ except TimeoutError:
121
+ break
122
+ if not chunk:
123
+ break
124
+ data.extend(chunk)
125
+ return bytes(data)
126
+
127
+
128
+ def _read_all(sock: socket.socket) -> bytes:
129
+ data = bytearray()
130
+ while True:
131
+ try:
132
+ chunk = sock.recv(4096)
133
+ except TimeoutError:
134
+ break
135
+ if not chunk:
136
+ break
137
+ data.extend(chunk)
138
+ return bytes(data)
@@ -2,6 +2,7 @@ from __future__ import annotations
2
2
 
3
3
  import base64
4
4
  import hashlib
5
+ import logging
5
6
  import re
6
7
  from typing import Any
7
8
  from urllib.parse import urljoin
@@ -11,6 +12,7 @@ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
11
12
  from cryptography.hazmat.primitives.padding import PKCS7
12
13
 
13
14
  from ..errors import FHToolError
15
+ from ..output import log_event
14
16
 
15
17
  DEFAULT_AJAX_PATH = "/cgi-bin/ajax"
16
18
  DEFAULT_WEB_LOGIN_PORT = "0"
@@ -65,10 +67,13 @@ class WebAjaxClient:
65
67
 
66
68
  def login_check(self) -> dict[str, Any]:
67
69
  url = self.base_url
70
+ log_event(logging.INFO, "web.login_check.start", base_url=self.base_url)
68
71
  try:
69
72
  response = self.session.get(url, timeout=self.timeout, allow_redirects=False)
70
73
  except requests.RequestException as exc:
74
+ log_event(logging.INFO, "web.login_check.error", base_url=self.base_url, error=str(exc))
71
75
  raise FHToolError(f"Web login-check failed {url}: {exc}") from exc
76
+ log_event(logging.INFO, "web.login_check.response", base_url=self.base_url, status_code=response.status_code)
72
77
  result = {
73
78
  "url": url,
74
79
  "status_code": response.status_code,
@@ -112,6 +117,7 @@ class WebAjaxClient:
112
117
  *,
113
118
  port: str = DEFAULT_WEB_LOGIN_PORT,
114
119
  ) -> dict[str, Any]:
120
+ log_event(logging.INFO, "web.login.start", base_url=self.base_url, username=username)
115
121
  brmad = self._fetch_brmad()
116
122
  self.ajax_get("get_operator", use_session=False)
117
123
  loginpd = fiberhome_web_encrypt(
@@ -128,10 +134,21 @@ class WebAjaxClient:
128
134
  )
129
135
  response = result.get("response")
130
136
  login_result = response.get("login_result") if isinstance(response, dict) else None
137
+ ok = result["ok"] and str(login_result) == "0"
138
+ log_event(
139
+ logging.INFO,
140
+ "web.login.response",
141
+ base_url=self.base_url,
142
+ username=username,
143
+ status_code=result["status_code"],
144
+ ok=ok,
145
+ login_result=login_result,
146
+ sessionid_present=bool(self.sessionid),
147
+ )
131
148
  return {
132
149
  "method": "do_login",
133
150
  "status_code": result["status_code"],
134
- "ok": result["ok"] and str(login_result) == "0",
151
+ "ok": ok,
135
152
  "login_result": login_result,
136
153
  "username": username,
137
154
  "sessionid_present": bool(self.sessionid),
@@ -151,6 +168,14 @@ class WebAjaxClient:
151
168
  request_params.update(params)
152
169
  if use_session and self.sessionid:
153
170
  request_params.setdefault("sessionid", self.sessionid)
171
+ log_event(
172
+ logging.DEBUG,
173
+ "web.ajax.request",
174
+ base_url=self.base_url,
175
+ http_method="GET",
176
+ method=method,
177
+ sessionid_present=bool(request_params.get("sessionid")),
178
+ )
154
179
  try:
155
180
  response = self.session.get(
156
181
  url,
@@ -159,6 +184,14 @@ class WebAjaxClient:
159
184
  allow_redirects=False,
160
185
  )
161
186
  except requests.RequestException as exc:
187
+ log_event(
188
+ logging.INFO,
189
+ "web.ajax.error",
190
+ base_url=self.base_url,
191
+ http_method="GET",
192
+ method=method,
193
+ error=str(exc),
194
+ )
162
195
  raise FHToolError(f"Web AJAX GET failed {url}: {exc}") from exc
163
196
  return self._response_result("GET", url, method, response)
164
197
 
@@ -168,6 +201,14 @@ class WebAjaxClient:
168
201
  request_data["ajaxmethod"] = method
169
202
  if self.sessionid:
170
203
  request_data.setdefault("sessionid", self.sessionid)
204
+ log_event(
205
+ logging.DEBUG,
206
+ "web.ajax.request",
207
+ base_url=self.base_url,
208
+ http_method="POST",
209
+ method=method,
210
+ sessionid_present=bool(request_data.get("sessionid")),
211
+ )
171
212
  try:
172
213
  response = self.session.post(
173
214
  url,
@@ -176,6 +217,14 @@ class WebAjaxClient:
176
217
  allow_redirects=False,
177
218
  )
178
219
  except requests.RequestException as exc:
220
+ log_event(
221
+ logging.INFO,
222
+ "web.ajax.error",
223
+ base_url=self.base_url,
224
+ http_method="POST",
225
+ method=method,
226
+ error=str(exc),
227
+ )
179
228
  raise FHToolError(f"Web AJAX POST failed {url}: {exc}") from exc
180
229
  return self._response_result("POST", url, method, response)
181
230
 
@@ -319,6 +368,16 @@ class WebAjaxClient:
319
368
  "content_type": response.headers.get("Content-Type"),
320
369
  "sessionid_present": bool(self.sessionid),
321
370
  }
371
+ log_event(
372
+ logging.DEBUG,
373
+ "web.ajax.response",
374
+ base_url=self.base_url,
375
+ http_method=http_method,
376
+ method=method,
377
+ status_code=response.status_code,
378
+ ok=result["ok"],
379
+ sessionid_present=bool(self.sessionid),
380
+ )
322
381
  try:
323
382
  payload = response.json()
324
383
  except ValueError:
@@ -23,13 +23,30 @@ BACKUP_PATHS = [
23
23
  "/fhconf/status_version_flag",
24
24
  "/fhconf/cfgmgr_restore_flag_conf",
25
25
  "/fhconf/factory_reset_conf",
26
+ "/fhconf/fhcfgmonitor.conf",
27
+ "/fhconf/fac_process_start_list",
28
+ "/fhconf/u_config_conf",
26
29
  "/fhconf/process_start_list",
30
+ "/fhconf/process_monitor_list",
31
+ "/fhconf/normal_reboot_flag",
32
+ "/fhconf/crc_file",
33
+ "/fhconf/usrconfig_dl_conf",
34
+ "/fhconf/usrconfig_dl_flag",
35
+ "/fhconf/gdecms/gdecms_conf",
27
36
  "/fhconf/tr069_control_conf",
28
37
  "/fhconf/xpon_tr069cfg_conf",
29
38
  "/fhdata/factory_conf",
30
39
  "/fhdata/sysinfo_conf",
31
40
  "/fhdata/pre_usrconfig_conf",
32
41
  "/fhdata/pre_attrconfig_conf",
42
+ "/fhdata/tr069_control_conf",
43
+ "/fhdata/voice_digitmap_conf",
44
+ "/fhdata/factorymodeflag",
45
+ "/opt/upt/apps/info/reboot_info",
46
+ "/opt/upt/apps/info/crash_info",
47
+ "/opt/upt/apps/mtd.booting",
48
+ "/opt/upt/apps/upt.mtd",
49
+ "/opt/upt/apps/saf-upgradeinfo",
33
50
  "/var/tel_passwd",
34
51
  "/var/telWan_passwd",
35
52
  "/var/telsu",