pax_global_header00006660000000000000000000000064135245225570014524gustar00rootroot0000000000000052 comment=654cbac77ea07819ed3bcf1ce6410be0211c0f1a websockify-0.9.0/000077500000000000000000000000001352452255700136775ustar00rootroot00000000000000websockify-0.9.0/.gitignore000066400000000000000000000001161352452255700156650ustar00rootroot00000000000000*.pyc *.o *.so .project .pydevproject target.cfg target.cfg.d .tox *.egg-info websockify-0.9.0/.gitmodules000066400000000000000000000000001352452255700160420ustar00rootroot00000000000000websockify-0.9.0/.travis.yml000066400000000000000000000004711352452255700160120ustar00rootroot00000000000000language: python python: - 2.6 - 2.7 - 3.3 - 3.4 # We need trusty for Python 2.6. We can raise this when we no longer # care about 2.6. dist: trusty install: - pip install 'setuptools>=18.5,<=39.0.0' - pip install -r test-requirements.txt script: python setup.py nosetests --verbosity=3 websockify-0.9.0/CHANGES.txt000066400000000000000000000063171352452255700155170ustar00rootroot00000000000000Changes ======= 0.9.0 ----- * Base64 support removed and binary mode is now required * Low level WebSocket protocol handling now has its own class * Authentication now optionally required for web server * Server hostname can be used as the token * JWT/JWS/JWE can be used for the token * redis can be used for the token * Can now log to syslog * Improved latency by disabling Nagle for proxied connection * Added client certificate authentication * Support for password protected certificate key file * TLS ciphers and options are now configurable * Can be invoked via inetd * Lots of minor fixes... 0.8.0 ----- * Make websockify properly terminate children on SIGTERM (#226) * Remove logging in signal handlers (this can cause Python to hang under certain conditions) (#219) * Make it easier to log to a file (#205) * Add support for IPv6 addresses in tokens in the TokenFile token plugins (#197) * Improve auth plugin framework to enable better support for HTTP auth (#194, #201) * Fix bug in JSONTokenAPI token plugin (#192) * Fix a missing variable in the exception handler (#178) 0.7.0 ----- * Python 3 support fixes (#140, #155, #159) * Generic token-parsing plugins support (#162) * Generic authentication plugins support (#172) * Fixed frame corruption on big-endian systems (#161) * Support heartbeats (via PING) and automatic responses to PONG (#169) * Automatically reject unmasked client frames by default (strict mode) (#174) * Automatically restart interrupted select calls (#175) * Make 'run' respect environment settings (including virtualenv) (#176) 0.6.1 - May 11, 2015 -------------------- * **PATCH RELEASE**: Fixes a bug causing file_only to not be passed properly 0.6.0 - Feb 18, 2014 -------------------- * **NOTE** : 0.6.0 will break existing code that sub-classes WebsocketProxy * Refactor to use standard SocketServer RequestHandler design * Fix zombie process bug on certain systems when using multiprocessing * Add better unit tests * Log information via python `logging` module 0.5.1 - Jun 27, 2013 -------------------- * use upstream einaros/ws (>=0.4.27) with websockify.js * file_only and no_parent security options for WSRequestHandler * Update build of web-socket-js (c0855c6cae) * add include/web-socket-js-project submodule to gimite/web-socket-js for DSFG compliance. * drop Hixie protocol support 0.4.1 - Mar 12, 2013 -------------------- * ***NOTE*** : 0.5.0 will drop Hixie protocol support * add include/ directory and remove some dev files from source distribution. 0.4.0 - Mar 12, 2013 -------------------- * ***NOTE*** : 0.5.0 will drop Hixie protocol support * use Buffer base64 support in Node.js implementation 0.3.0 - Jan 15, 2013 -------------------- * refactor into modules: websocket, websocketproxy * switch to web-socket-js that uses IETF 6455 * change to MPL 2.0 license for include/*.js * fix session recording 0.2.1 - Oct 15, 2012 -------------------- * re-released with updated version number 0.2.0 - Sep 17, 2012 -------------------- * Binary data support in websock.js * Target config file/dir and multiple targets with token selector * IPv6 fixes * SSL target support * Proxy to/from unix socket 0.1.0 - May 11, 2012 -------------------- * Initial versioned release. websockify-0.9.0/COPYING000066400000000000000000000167431352452255700147450ustar00rootroot00000000000000 GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below. 0. Additional Definitions. As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License. "The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below. An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library. A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version". The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version. The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work. 1. Exception to Section 3 of the GNU GPL. You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL. 2. Conveying Modified Versions. If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version: a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy. 3. Object Code Incorporating Material from Library Header Files. The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following: a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the object code with a copy of the GNU GPL and this license document. 4. Combined Works. You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following: a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the Combined Work with a copy of the GNU GPL and this license document. c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document. d) Do one of the following: 0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source. 1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version. e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.) 5. Combined Libraries. You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License. b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 6. Revised Versions of the GNU Lesser General Public License. The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation. If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library. websockify-0.9.0/MANIFEST.in000066400000000000000000000000701352452255700154320ustar00rootroot00000000000000include CHANGES.txt README.md LICENSE.txt graft include websockify-0.9.0/Makefile000066400000000000000000000002311352452255700153330ustar00rootroot00000000000000TARGETS=rebind.so CFLAGS += -fPIC all: $(TARGETS) rebind.so: rebind.o $(CC) $(LDFLAGS) $^ -shared -fPIC -ldl -o $@ clean: rm -f rebind.o rebind.so websockify-0.9.0/README.md000066400000000000000000000162641352452255700151670ustar00rootroot00000000000000## websockify: WebSockets support for any application/server websockify was formerly named wsproxy and was part of the [noVNC](https://github.com/novnc/noVNC) project. At the most basic level, websockify just translates WebSockets traffic to normal socket traffic. Websockify accepts the WebSockets handshake, parses it, and then begins forwarding traffic between the client and the target in both directions. ### News/help/contact Notable commits, announcements and news are posted to @noVNC If you are a websockify developer/integrator/user (or want to be) please join the noVNC/websockify discussion group Bugs and feature requests can be submitted via [github issues](https://github.com/novnc/websockify/issues). If you want to show appreciation for websockify you could donate to a great non-profits such as: [Compassion International](http://www.compassion.com/), [SIL](http://www.sil.org), [Habitat for Humanity](http://www.habitat.org), [Electronic Frontier Foundation](https://www.eff.org/), [Against Malaria Foundation](http://www.againstmalaria.com/), [Nothing But Nets](http://www.nothingbutnets.net/), etc. Please tweet @noVNC if you do. ### WebSockets binary data Starting with websockify 0.5.0, only the HyBi / IETF 6455 WebSocket protocol is supported. There is no support for the older Base64 encoded data format. ### Encrypted WebSocket connections (wss://) To encrypt the traffic using the WebSocket 'wss://' URI scheme you need to generate a certificate and key for Websockify to load. By default, Websockify loads a certificate file name `self.pem` but the `--cert=CERT` and `--key=KEY` options can override the file name. You can generate a self-signed certificate using openssl. When asked for the common name, use the hostname of the server where the proxy will be running: ``` openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem ``` For a self-signed certificate to work, you need to make your client/browser understand it. You can do this by installing it as accepted certificate, or by using that same certificate for a HTTPS connection to which you navigate first and approve. Browsers generally don't give you the "trust certificate?" prompt by opening a WSS socket with invalid certificate, hence you need to have it acccept it by either of those two methods. If you have a commercial/valid SSL certificate with one ore more intermediate certificates, concat them into one file, server certificate first, then the intermediate(s) from the CA, etc. Point to this file with the `--cert` option and then also to the key with `--key`. Finally, use `--ssl-only` as needed. ### Additional websockify features These are not necessary for the basic operation. * Daemonizing: When the `-D` option is specified, websockify runs in the background as a daemon process. * SSL (the wss:// WebSockets URI): This is detected automatically by websockify by sniffing the first byte sent from the client and then wrapping the socket if the data starts with '\x16' or '\x80' (indicating SSL). * Session recording: This feature that allows recording of the traffic sent and received from the client to a file using the `--record` option. * Mini-webserver: websockify can detect and respond to normal web requests on the same port as the WebSockets proxy. This functionality is activated with the `--web DIR` option where DIR is the root of the web directory to serve. * Wrap a program: see the "Wrap a Program" section below. * Log files: websockify can save all logging information in a file. This functionality is activated with the `--log-file FILE` option where FILE is the file where the logs should be saved. * Authentication plugins: websockify can demand authentication for websocket connections and, if you use `--web-auth`, also for normal web requests. This functionality is activated with the `--auth-plugin CLASS` and `--auth-source ARG` options, where CLASS is usually one from auth_plugins.py and ARG is the plugin's configuration. * Token plugins: a single instance of websockify can connect clients to multiple different pre-configured targets, depending on the token sent by the client using the `token` URL parameter, or the hostname used to reach websockify, if you use `--host-token`. This functionality is activated with the `--token-plugin CLASS` and `--token-source ARG` options, where CLASS is usually one from token_plugins.py and ARG is the plugin's configuration. ### Other implementations of websockify The primary implementation of websockify is in python. There are several alternate implementations in other languages available in our sister repositories [websockify-js](https://github.com/novnc/websockify-js) (JavaScript/Node.js) and [websockify-other](https://github.com/novnc/websockify-other) (C, Clojure, Ruby). In addition there are several other external projects that implement the websockify "protocol". See the alternate implementation [Feature Matrix](https://github.com/novnc/websockify/wiki/Feature_Matrix) for more information. ### Wrap a Program In addition to proxying from a source address to a target address (which may be on a different system), websockify has the ability to launch a program on the local system and proxy WebSockets traffic to a normal TCP port owned/bound by the program. The is accomplished with a small LD_PRELOAD library (`rebind.so`) which intercepts bind() system calls by the program. The specified port is moved to a new localhost/loopback free high port. websockify then proxies WebSockets traffic directed to the original port to the new (moved) port of the program. The program wrap mode is invoked by replacing the target with `--` followed by the program command line to wrap. `./run 2023 -- PROGRAM ARGS` The `--wrap-mode` option can be used to indicate what action to take when the wrapped program exits or daemonizes. Here is an example of using websockify to wrap the vncserver command (which backgrounds itself) for use with [noVNC](https://github.com/novnc/noVNC): `./run 5901 --wrap-mode=ignore -- vncserver -geometry 1024x768 :1` Here is an example of wrapping telnetd (from krb5-telnetd). telnetd exits after the connection closes so the wrap mode is set to respawn the command: `sudo ./run 2023 --wrap-mode=respawn -- telnetd -debug 2023` The `wstelnet.html` page in the [websockify-js](https://github.com/novnc/websockify-js) project demonstrates a simple WebSockets based telnet client (use 'localhost' and '2023' for the host and port respectively). ### Installing websockify Download one of the releases or the latest development version, extract it and run `python setup.py install` as root in the directory where you extracted the files. Normally, this will also install numpy for better performance, if you don't have it installed already. However, numpy is optional. If you don't want to install numpy or if you can't compile it, you can edit setup.py and remove the `install_requires=['numpy'],` line before running `python setup.py install`. Afterwards, websockify should be available in your path. Run `websockify --help` to confirm it's installed correctly. websockify-0.9.0/Windows/000077500000000000000000000000001352452255700153315ustar00rootroot00000000000000websockify-0.9.0/Windows/Windows Service Readme.txt000066400000000000000000000035041352452255700222650ustar00rootroot00000000000000----------------------------------- Windows noVNC Websockify Service ----------------------------------- The "noVNC Websocket Service.exe" file is a windows service wrapper created with Visual Studio 2010 to create a windows service to start stop the noVNC Websocket Server. All files used to create the wrapper can be found in 'noVNC Websocket Service Project' folder. To download the precompiled executables please grab the zip in the downloads section of websockify project: https://github.com/novnc/websockify --------------------------- Installation --------------------------- 1. This service requires websockify.exe be in the same directory. Instructions on how to compile websockify python script as a windows executable can be found here: https://github.com/novnc/websockify/wiki/Compiling-Websockify-as-Windows-Executable 2.To add this service to a Windows PC you need to run the commandline as administrator and then run this line: sc create "noVNC Websocket Server" binPath= "PATH TO noVNC eg C:\noVNC\utils\Windows\Websocket Service.exe" DisplayName= "noVNC Websocket Server" 3 .Once this is run you will be able to access the service via Control Panel > Admin Tools > Services. In here you can specify whether you want the service to run automatically and start at stop the service. --------------------------- Configuration --------------------------- The file noVNCConfig.ini must be in the same directory as "noVNC Websocket Service.exe". This file contains a single line which is the websockify.exe statup arguements. An example is: 192.168.0.1:5901 192.168.0.1:5900 All websockify supported arguements will work if added here. --------------------------- Deletion --------------------------- You can delete the service at any time by running the commandline as admin and using this command: sc delete "noVNC Websocket Server". websockify-0.9.0/Windows/noVNC Websocket Service Project/000077500000000000000000000000001352452255700231735ustar00rootroot00000000000000websockify-0.9.0/Windows/noVNC Websocket Service Project/Program.cs000066400000000000000000000007671352452255700251430ustar00rootroot00000000000000using System; using System.Collections.Generic; using System.Linq; using System.ServiceProcess; using System.Text; namespace MELT_Command_Websocket { static class Program { /// /// The main entry point for the application. /// static void Main() { ServiceBase[] ServicesToRun; ServicesToRun = new ServiceBase[] { new Service1() }; ServiceBase.Run(ServicesToRun); } } } websockify-0.9.0/Windows/noVNC Websocket Service Project/ProjectInstaller.Designer.cs000066400000000000000000000044531352452255700305530ustar00rootroot00000000000000namespace MELT_Command_Websocket { partial class ProjectInstaller { /// /// Required designer variable. /// private System.ComponentModel.IContainer components = null; /// /// Clean up any resources being used. /// /// true if managed resources should be disposed; otherwise, false. protected override void Dispose(bool disposing) { if (disposing && (components != null)) { components.Dispose(); } base.Dispose(disposing); } #region Component Designer generated code /// /// Required method for Designer support - do not modify /// the contents of this method with the code editor. /// private void InitializeComponent() { this.serviceProcessInstaller1 = new System.ServiceProcess.ServiceProcessInstaller(); this.serviceInstaller1 = new System.ServiceProcess.ServiceInstaller(); // // serviceProcessInstaller1 // this.serviceProcessInstaller1.Account = System.ServiceProcess.ServiceAccount.NetworkService; this.serviceProcessInstaller1.Installers.AddRange(new System.Configuration.Install.Installer[] { this.serviceInstaller1}); this.serviceProcessInstaller1.Password = null; this.serviceProcessInstaller1.Username = null; // // serviceInstaller1 // this.serviceInstaller1.Description = "noVNC Websocket Service"; this.serviceInstaller1.DisplayName = "noVNC Websocket Service"; this.serviceInstaller1.ServiceName = "noVNC Websocket Service"; this.serviceInstaller1.StartType = System.ServiceProcess.ServiceStartMode.Automatic; // // ProjectInstaller // this.Installers.AddRange(new System.Configuration.Install.Installer[] { this.serviceProcessInstaller1}); } #endregion private System.ServiceProcess.ServiceProcessInstaller serviceProcessInstaller1; private System.ServiceProcess.ServiceInstaller serviceInstaller1; } }websockify-0.9.0/Windows/noVNC Websocket Service Project/ProjectInstaller.cs000066400000000000000000000006311352452255700270060ustar00rootroot00000000000000using System; using System.Collections; using System.Collections.Generic; using System.ComponentModel; using System.Configuration.Install; using System.Linq; namespace MELT_Command_Websocket { [RunInstaller(true)] public partial class ProjectInstaller : System.Configuration.Install.Installer { public ProjectInstaller() { InitializeComponent(); } } } websockify-0.9.0/Windows/noVNC Websocket Service Project/ProjectInstaller.resx000066400000000000000000000142201352452255700273610ustar00rootroot00000000000000 text/microsoft-resx 2.0 System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 17, 56 196, 17 False websockify-0.9.0/Windows/noVNC Websocket Service Project/Properties/000077500000000000000000000000001352452255700253275ustar00rootroot00000000000000websockify-0.9.0/Windows/noVNC Websocket Service Project/Properties/AssemblyInfo.cs000066400000000000000000000026361352452255700302600ustar00rootroot00000000000000using System.Reflection; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; // General Information about an assembly is controlled through the following // set of attributes. Change these attribute values to modify the information // associated with an assembly. [assembly: AssemblyTitle("MELT Command Websocket")] [assembly: AssemblyDescription("")] [assembly: AssemblyConfiguration("")] [assembly: AssemblyCompany("Microsoft")] [assembly: AssemblyProduct("MELT Command Websocket")] [assembly: AssemblyCopyright("Copyright © Microsoft 2011")] [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] // Setting ComVisible to false makes the types in this assembly not visible // to COM components. If you need to access a type in this assembly from // COM, set the ComVisible attribute to true on that type. [assembly: ComVisible(false)] // The following GUID is for the ID of the typelib if this project is exposed to COM [assembly: Guid("5ab831cb-6852-4ce1-849c-b26725b0e10b")] // Version information for an assembly consists of the following four values: // // Major Version // Minor Version // Build Number // Revision // // You can specify all the values or you can default the Build and Revision Numbers // by using the '*' as shown below: // [assembly: AssemblyVersion("1.0.*")] [assembly: AssemblyVersion("1.0.0.0")] [assembly: AssemblyFileVersion("1.0.0.0")] websockify-0.9.0/Windows/noVNC Websocket Service Project/Service1.Designer.cs000066400000000000000000000020701352452255700267410ustar00rootroot00000000000000namespace MELT_Command_Websocket { partial class Service1 { /// /// Required designer variable. /// private System.ComponentModel.IContainer components = null; /// /// Clean up any resources being used. /// /// true if managed resources should be disposed; otherwise, false. protected override void Dispose(bool disposing) { if (disposing && (components != null)) { components.Dispose(); } base.Dispose(disposing); } #region Component Designer generated code /// /// Required method for Designer support - do not modify /// the contents of this method with the code editor. /// private void InitializeComponent() { components = new System.ComponentModel.Container(); this.ServiceName = "Service1"; } #endregion } } websockify-0.9.0/Windows/noVNC Websocket Service Project/Service1.cs000066400000000000000000000022221352452255700252010ustar00rootroot00000000000000using System; using System.Collections.Generic; using System.ComponentModel; using System.Data; using System.Diagnostics; using System.Linq; using System.ServiceProcess; using System.Text; using System.IO; namespace MELT_Command_Websocket { public partial class Service1 : ServiceBase { Process websockify; public Service1() { InitializeComponent(); } protected override void OnStart(string[] args) { string configpath = AppDomain.CurrentDomain.BaseDirectory + "\\noVNCConfig.ini"; string sockifypath = AppDomain.CurrentDomain.BaseDirectory + "\\websockify.exe"; //Load commandline arguements from config file. StreamReader streamReader = new StreamReader(configpath); string arguements = streamReader.ReadLine(); streamReader.Close(); //Start websockify. websockify = System.Diagnostics.Process.Start(sockifypath, arguements); } protected override void OnStop() { //Service stopped. Close websockify. websockify.Kill(); } } } websockify-0.9.0/Windows/noVNC Websocket Service Project/noVNC Websocket.csproj000066400000000000000000000057411352452255700273160ustar00rootroot00000000000000 Debug x86 8.0.30703 2.0 {6B86AE7B-6BBD-4E74-8802-5995E8B6D27D} WinExe Properties noVNC_Websocket_Service noVNC Websocket Service v3.5 512 x86 true full false bin\Debug\ DEBUG;TRACE prompt 4 x86 pdbonly true bin\Release\ TRACE prompt 4 Component ProjectInstaller.cs Component Service1.cs ProjectInstaller.cs websockify-0.9.0/Windows/noVNC Websocket Service Project/noVNC Websocket.sln000066400000000000000000000015231352452255700266040ustar00rootroot00000000000000 Microsoft Visual Studio Solution File, Format Version 11.00 # Visual Studio 2010 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "noVNC Websocket", "noVNC Websocket.csproj", "{6B86AE7B-6BBD-4E74-8802-5995E8B6D27D}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x86 = Debug|x86 Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {6B86AE7B-6BBD-4E74-8802-5995E8B6D27D}.Debug|x86.ActiveCfg = Debug|x86 {6B86AE7B-6BBD-4E74-8802-5995E8B6D27D}.Debug|x86.Build.0 = Debug|x86 {6B86AE7B-6BBD-4E74-8802-5995E8B6D27D}.Release|x86.ActiveCfg = Release|x86 {6B86AE7B-6BBD-4E74-8802-5995E8B6D27D}.Release|x86.Build.0 = Release|x86 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection EndGlobal websockify-0.9.0/docs/000077500000000000000000000000001352452255700146275ustar00rootroot00000000000000websockify-0.9.0/docs/latency_results.txt000066400000000000000000000101211352452255700206030ustar00rootroot00000000000000This data is raw copy from the latency tester set to send a frame with a little over 2000 KB of data every 10ms. The number of packets sent and received is just a visual counter and is just the total when I chose to stop the test (around 3000 or so packets). The latency measure are from the point the packet was sent to when it was received back again in milliseconds. One notable data point missing from this is how long it actually took for the client to send 3000 packets because sending large packets can put load on the browser and it may be a lot longer than 10ms before the timer event to send the next packet fires. So even with low latency numbers, the actual send rate may be fairly low because sending the WebSockets frames is impacting the performance of the browser in general. ------------------------------------------------------------ Native WebSockets implementations, 2000 byte payload, 10ms delay Chrome 8.0.552 - native WebSockets Packets sent: 2998 Packets Received: 2998 Average Latency: 1.84 40 Frame Running Average Latency: 1.90 Minimum Latency: 1.00 Maximum Latency: 10.00 firefox 4.0b9 - WebSockets enabled Packets sent: 3011 Packets Received: 3011 Average Latency: 6.45 40 Frame Running Average Latency: 6.08 Minimum Latency: 5.00 Maximum Latency: 119.00 Opera 11 - WebSockets enabled Packets sent: 3065 Packets Received: 3064 Average Latency: 9.56 40 Frame Running Average Latency: 8.15 Minimum Latency: 4.00 Maximum Latency: 53.00 ------------------------------------------------------------ New web-socket-js (20f837425d4), 2000 byte payload, 10ms delay firefox 4.0b9 - no WebSockets Packets sent: 3088 Packets Received: 3087 Average Latency: 16.71 40 Frame Running Average Latency: 16.80 Minimum Latency: 7.00 Maximum Latency: 75.00 - First 1000 sent in 13 seconds - Second 1000 sent in 12 seconds - Third 1000 sent in 12 seconds firefox 3.6.10 - no WebSockets Packets sent: 3100 Packets Received: 3099 Average Latency: 17.32 40 Frame Running Average Latency: 16.73 Minimum Latency: 6.00 Maximum Latency: 72.00 Opera 11 - no WebSockets Packets sent: 3007 Packets Received: 3007 Average Latency: 465.91 40 Frame Running Average Latency: 147.95 Minimum Latency: 12.00 Maximum Latency: 9143.00 - average starts at around 28ms - time for each 500 packets: 13s, 16s, 25s, 37s, 50s, 72s - also start seeing sent, receive lags around 1200 packets --------------------------------------------------------------- Old web-socket-js (9e7663771), 2000 byte payload, 10ms delay firefox 4.0b9 - no WebSockets Packets sent: 3024 Packets Received: 3020 Average Latency: 80.59 40 Frame Running Average Latency: 60.15 Minimum Latency: 10.00 Maximm Latency: 348.00 firefox 3.6.10 - no WebSockets Packets sent: 2777 Packets Received: 2775 Average Latency: 34.89 40 Frame Running Average Latency: 24.50 Minimum Latency: 10.00 Maximum Latency: 208.00 Opera 11 - no Websockets Packets sent: 3012 Packets Received: 3011 Average Latency: 380.87 40 Frame Running Average Latency: 341.90 Minimum Latency: 28.00 Maximum Latency: 2175.00 - average starts at around 290ms - time for each 1000 packets: 23s, 38s, 65s websockify-0.9.0/docs/notes000066400000000000000000000003701352452255700157020ustar00rootroot00000000000000Building release tarball: - not really necessary since tagged revision can be downloaded from github as tarballs git archive --format=tar --prefix=websockify-${WVER}/ v${WVER} > websockify-${WVER}.tar gzip websockify-${WVER}.tar websockify-0.9.0/docs/release.txt000066400000000000000000000005131352452255700170070ustar00rootroot00000000000000- Update setup.py and CHANGES.txt and commit - Create version tag and tarball from tag WVER=0.1.0 git tag v${WVER} git push origin master git push origin v${WVER} - Create the source distribution python3 setup.py sdist - Upload the source distribution python3 -m twine upload dist/websockify-${WVER}.tar.gz websockify-0.9.0/docs/websockify.1000066400000000000000000000144231352452255700170620ustar00rootroot00000000000000.TH websockify 1 "June 7, 2012" "version 0.3" "USER COMMANDS" .SH NAME websockify - WebSockets to TCP socket bridge .SH SYNOPSIS websockify [options] [source_addr:]source_port target_addr:target_port websockify [options] [source_addr:]source_port \-\- WRAP_COMMAND_LINE .SH OPTIONS -h, --help show this help message and exit -v, --verbose verbose messages and per frame traffic --record=FILE record sessions to FILE.[session_number] -D, --daemon become a daemon (background process) --run-once handle a single WebSocket connection and exit --timeout=TIMEOUT after TIMEOUT seconds exit when not connected --cert=CERT SSL certificate file --key=KEY SSL key file (if separate from cert) --ssl-only disallow non-encrypted connections --web=DIR run webserver on same port. Serve files from DIR. --wrap-mode=MODE action to take when the wrapped program exits or daemonizes: exit (default), ignore, respawn .SH DESCRIPTION At the most basic level, websockify just translates WebSockets traffic to normal TCP socket traffic. Websockify accepts the WebSockets handshake, parses it, and then begins forwarding traffic between the client and the target in both directions. websockify was formerly named wsproxy and was part of the noVNC project. .SH NOTES .SS WebSockets binary data Websockify supports all versions of the WebSockets protocol (Hixie and HyBI). The older Hixie versions of the protocol only support UTF-8 text payloads. In order to transport binary data over UTF-8 an encoding must used to encapsulate the data within UTF-8. Websockify uses base64 to encode all traffic to and from the client. This does not affect the data between websockify and the server. .SS Encrypted WebSocket connections (wss://) To encrypt the traffic using the WebSocket 'wss://' URI scheme you need to generate a certificate for websockify to load. By default websockify loads a certificate file name self.pem but the --cert=CERT option can override the file name. You can generate a self-signed certificate using openssl. When asked for the common name, use the hostname of the server where the proxy will be running: openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem .SS Additional websockify features These are not necessary for the basic operation. .IP * Daemonizing: When the -D option is specified, websockify runs in the background as a daemon process. .IP * SSL (the wss:// WebSockets URI): This is detected automatically by websockify by sniffing the first byte sent from the client and then wrapping the socket if the data starts with '\\x16' or '\\x80' (indicating SSL). .IP * Session recording: This feature that allows recording of the traffic sent and received from the client to a file using the --record option. .IP * Mini-webserver: websockify can detect and respond to normal web requests on the same port as the WebSockets proxy. This functionality is activate with the --web DIR option where DIR is the root of the web directory to serve. .IP * Wrap a program: see the "Wrap a Program" section below. .SS Wrap a Program In addition to proxying from a source address to a target address (which may be on a different system), websockify has the ability to launch a program on the local system and proxy WebSockets traffic to a normal TCP port owned/bound by the program. The is accomplished with a small LD_PRELOAD library (rebind.so) which intercepts bind() system calls by the program. The specified port is moved to a new localhost/loopback free high port. websockify then proxies WebSockets traffic directed to the original port to the new (moved) port of the program. The program wrap mode is invoked by replacing the target with -- followed by the program command line to wrap. `./websockify 2023 -- PROGRAM ARGS` The --wrap-mode option can be used to indicate what action to take when the wrapped program exits or daemonizes. Here is an example of using websockify to wrap the vncserver command (which backgrounds itself) for use with noVNC: `./websockify 5901 --wrap-mode=ignore -- vncserver -geometry 1024x768 :1` Here is an example of wrapping telnetd (from krb5-telnetd). telnetd exits after the connection closes so the wrap mode is set to respawn the command: `sudo ./websockify 2023 --wrap-mode=respawn -- telnetd -debug 2023` The wstelnet.html page demonstrates a simple WebSockets based telnet client. .SS Use client certificate verification This feature requires Python 2.7.9 or newer or Python 3.4 or newer. The --verify-client option makes the server ask the client for a SSL certificate. Presenting a valid (not expired and trusted by any supplied certificate authority) certificate is required for the client connection. With -auth-plugin=ClientCertCNAuth, the client certificate can be checked against a list of authorised certificate users. Non-encrypted connection attempts always fail during authentication. Here is an example of a vncsevrer with password-less, certificate-driven authentication: `./websockify 5901 --cert=fullchain.pem --key=privkey.pem --ssl-only --verify-client --cafile=ca-certificates.crt --auth-plugin=ClientCertCNAuth --auth-source='jane@example.com Joe User9824510' --web=noVNC/ --wrap-mode=ignore -- vncserver :1 -geometry 1024x768 -SecurityTypes=None` The --auth-source option takes a white-space separated list of common names. Depending on your clients certificates they can be verified email addresses, user-names or any other string used for identification. The --cafile option selects a file containing concatenated certificates of authorities trusted for validating clients. If this option is omitted, system default list of CAs is used. Upon connect, the client should supply the whole certificate chain. If your clients are known not to send intermediate certificates, they can be appended to the ca-file as well. Note: Most browsers ask the user to select a certificate only while connecting via HTTPS, not WebSockets. Connecting directly to the SSL secured WebSocket may cause the browser to abort the connection. If you want to connect via noVNC, the --web option should point to a copy of noVNC, so it is loaded from the same host. .SH AUTHOR Joel Martin (github@martintribe.org) .SH SEE ALSO https://github.com/novnc/websockify/ https://github.com/novnc/websockify/wiki/ websockify-0.9.0/rebind000077500000000000000000000006501352452255700150710ustar00rootroot00000000000000#!/usr/bin/env bash usage() { echo "Usage: $(basename $0) OLD_PORT NEW_PORT COMMAND_LINE" echo echo "Launch COMMAND_LINE, but intercept system calls to bind" echo "to OLD_PORT and instead bind them to localhost:NEW_PORT" exit 2 } # Parameter defaults mydir=$(readlink -f $(dirname ${0})) export REBIND_PORT_OLD="${1}"; shift export REBIND_PORT_NEW="${1}"; shift LD_PRELOAD=${mydir}/rebind.so "${@}" websockify-0.9.0/rebind.c000066400000000000000000000055071352452255700153150ustar00rootroot00000000000000/* * rebind: Intercept bind calls and bind to a different port * Copyright 2010 Joel Martin * Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) * * Overload (LD_PRELOAD) bind system call. If REBIND_PORT_OLD and * REBIND_PORT_NEW environment variables are set then bind on the new * port (of localhost) instead of the old port. * * This allows a bridge/proxy (such as websockify) to run on the old port and * translate traffic to/from the new port. * * Usage: * LD_PRELOAD=./rebind.so \ * REBIND_PORT_OLD=23 \ * REBIND_PORT_NEW=2023 \ * program */ //#define DO_DEBUG 1 #include #include #define __USE_GNU 1 // Pull in RTLD_NEXT #include #include #include #if defined(DO_DEBUG) #define DEBUG(...) \ fprintf(stderr, "rebind: "); \ fprintf(stderr, __VA_ARGS__); #else #define DEBUG(...) #endif int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { static void * (*func)(); int do_move = 0; struct sockaddr_in * addr_in = (struct sockaddr_in *)addr; struct sockaddr_in addr_tmp; socklen_t addrlen_tmp; char * PORT_OLD, * PORT_NEW, * end1, * end2; int ret, oldport, newport, askport = htons(addr_in->sin_port); uint32_t askaddr = htons(addr_in->sin_addr.s_addr); if (!func) func = (void *(*)()) dlsym(RTLD_NEXT, "bind"); DEBUG(">> bind(%d, _, %d), askaddr %d, askport %d\n", sockfd, addrlen, askaddr, askport); /* Determine if we should move this socket */ if (addr_in->sin_family == AF_INET) { // TODO: support IPv6 PORT_OLD = getenv("REBIND_OLD_PORT"); PORT_NEW = getenv("REBIND_NEW_PORT"); if (PORT_OLD && (*PORT_OLD != '\0') && PORT_NEW && (*PORT_NEW != '\0')) { oldport = strtol(PORT_OLD, &end1, 10); newport = strtol(PORT_NEW, &end2, 10); if (oldport && (*end1 == '\0') && newport && (*end2 == '\0') && (oldport == askport)) { do_move = 1; } } } if (! do_move) { /* Just pass everything right through to the real bind */ ret = (long) func(sockfd, addr, addrlen); DEBUG("<< bind(%d, _, %d) ret %d\n", sockfd, addrlen, ret); return ret; } DEBUG("binding fd %d on localhost:%d instead of 0x%x:%d\n", sockfd, newport, ntohl(addr_in->sin_addr.s_addr), oldport); /* Use a temporary location for the new address information */ addrlen_tmp = sizeof(addr_tmp); memcpy(&addr_tmp, addr, addrlen_tmp); /* Bind to other port on the loopback instead */ addr_tmp.sin_addr.s_addr = htonl(INADDR_LOOPBACK); addr_tmp.sin_port = htons(newport); ret = (long) func(sockfd, &addr_tmp, addrlen_tmp); DEBUG("<< bind(%d, _, %d) ret %d\n", sockfd, addrlen, ret); return ret; } websockify-0.9.0/run000077500000000000000000000001421352452255700144260ustar00rootroot00000000000000#!/usr/bin/env sh BASE_DIR="$(cd $(dirname "$0"); pwd)" cd "$BASE_DIR" python -m websockify $@ websockify-0.9.0/setup.py000066400000000000000000000022171352452255700154130ustar00rootroot00000000000000from setuptools import setup, find_packages version = '0.9.0' name = 'websockify' long_description = open("README.md").read() + "\n" + \ open("CHANGES.txt").read() + "\n" setup(name=name, version=version, description="Websockify.", long_description=long_description, long_description_content_type="text/markdown", classifiers=[ "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.6", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4" ], keywords='noVNC websockify', license='LGPLv3', url="https://github.com/novnc/websockify", author="Joel Martin", author_email="github@martintribe.org", packages=['websockify'], include_package_data=True, install_requires=['numpy'], zip_safe=False, entry_points={ 'console_scripts': [ 'websockify = websockify.websocketproxy:websockify_init', ] }, ) websockify-0.9.0/test-requirements.txt000066400000000000000000000002031352452255700201330ustar00rootroot00000000000000mox3 nose jwcrypto;python_version>="2.7" enum34;python_version=="3.3" redis;python_version>="2.7" simplejson;python_version>="2.7" websockify-0.9.0/tests/000077500000000000000000000000001352452255700150415ustar00rootroot00000000000000websockify-0.9.0/tests/echo.html000066400000000000000000000106411352452255700166470ustar00rootroot00000000000000 WebSockets Echo Test Host:   Port:   Encrypt:    
Log:
websockify-0.9.0/tests/echo.py000077500000000000000000000046301352452255700163370ustar00rootroot00000000000000#!/usr/bin/env python ''' A WebSocket server that echos back whatever it receives from the client. Copyright 2010 Joel Martin Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) You can make a cert/key with openssl using: openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem as taken from http://docs.python.org/dev/library/ssl.html#certificates ''' import os, sys, select, optparse, logging sys.path.insert(0,os.path.join(os.path.dirname(__file__), "..")) from websockify.websockifyserver import WebSockifyServer, WebSockifyRequestHandler class WebSocketEcho(WebSockifyRequestHandler): """ WebSockets server that echos back whatever is received from the client. """ buffer_size = 8096 def new_websocket_client(self): """ Echo back whatever is received. """ cqueue = [] c_pend = 0 cpartial = "" rlist = [self.request] while True: wlist = [] if cqueue or c_pend: wlist.append(self.request) ins, outs, excepts = select.select(rlist, wlist, [], 1) if excepts: raise Exception("Socket exception") if self.request in outs: # Send queued target data to the client c_pend = self.send_frames(cqueue) cqueue = [] if self.request in ins: # Receive client data, decode it, and send it back frames, closed = self.recv_frames() cqueue.extend(frames) if closed: break if __name__ == '__main__': parser = optparse.OptionParser(usage="%prog [options] listen_port") parser.add_option("--verbose", "-v", action="store_true", help="verbose messages and per frame traffic") parser.add_option("--cert", default="self.pem", help="SSL certificate file") parser.add_option("--key", default=None, help="SSL key file (if separate from cert)") parser.add_option("--ssl-only", action="store_true", help="disallow non-encrypted connections") (opts, args) = parser.parse_args() try: if len(args) != 1: raise ValueError opts.listen_port = int(args[0]) except ValueError: parser.error("Invalid arguments") logging.basicConfig(level=logging.INFO) opts.web = "." server = WebSockifyServer(WebSocketEcho, **opts.__dict__) server.start_server() websockify-0.9.0/tests/echo_client.py000077500000000000000000000034301352452255700176720ustar00rootroot00000000000000#!/usr/bin/env python import os import sys import optparse import select sys.path.insert(0,os.path.join(os.path.dirname(__file__), "..")) from websockify.websocket import WebSocket, \ WebSocketWantReadError, WebSocketWantWriteError parser = optparse.OptionParser(usage="%prog URL") (opts, args) = parser.parse_args() if len(args) == 1: URL = args[0] else: parser.error("Invalid arguments") sock = WebSocket() print("Connecting to %s..." % URL) sock.connect(URL) print("Connected.") def send(msg): while True: try: sock.sendmsg(msg) break except WebSocketWantReadError: msg = '' ins, outs, excepts = select.select([sock], [], []) if excepts: raise Exception("Socket exception") except WebSocketWantWriteError: msg = '' ins, outs, excepts = select.select([], [sock], []) if excepts: raise Exception("Socket exception") def read(): while True: try: return sock.recvmsg() except WebSocketWantReadError: ins, outs, excepts = select.select([sock], [], []) if excepts: raise Exception("Socket exception") except WebSocketWantWriteError: ins, outs, excepts = select.select([], [sock], []) if excepts: raise Exception("Socket exception") counter = 1 while True: msg = "Message #%d" % counter counter += 1 send(msg) print("Sent message: %r" % msg) while True: ins, outs, excepts = select.select([sock], [], [], 1.0) if excepts: raise Exception("Socket exception") if ins == []: break while True: msg = read() print("Received message: %r" % msg) if not sock.pending(): break websockify-0.9.0/tests/fixtures/000077500000000000000000000000001352452255700167125ustar00rootroot00000000000000websockify-0.9.0/tests/fixtures/private.pem000066400000000000000000000032121352452255700210650ustar00rootroot00000000000000-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEArwNQal2INbSfoVT50dZ0s8lQ+yMhu45TDc91iuwtDjlFBJ50 E4m3/M6ESBW0S7UTP1bIOGkd/M+u38h0Aruo4qkngdguu9N3BnsU2kOeicdjxc+v tqRc7/kbkTdT4SrpG8EFP6T2U9U1gtBpLnau02gPrzjaQzyYDLGOBq+Ozt/mN0YJ UhJ3hlwi18dNKreTzWgJ6mmXQWS0eAmHx8TIs2Nz9x3EfRo9CIMuaaeUjRogIEg5 Tg4xC00ZtDO0/EfgpFkeHJGVQA2DgdBJsr6rq69MjhMfFxRJItxJMJzP6an2HkJ8 onUPBtjEBmk3/fnfiaflzRyEb5zdii6r2TD8TwIDAQABAoIBAGDrzu742WQUoYqx CqDAyWR/is9px1adHTW6vHexD8qewLAsKFBhpnjkzbE2A+EhaIVdRAipfifxxAC+ fDC/SGouD2kDFe6Cz5nRM90kMXpP59s2hzL4l1d2d2PWZid+ohXysTtr2dbXbokB bh6DL5J4QKdjLsypk/MDqYneU5IQ1k9ezWzcRgM8/V3M+t+1dLRFLIWsSLbNUgbF px81efNw8E0voV/d7kZ+6RwUThPHqR0eyLm6djPwHE7/FarZIx4AImwV+9ex44CH OkrTFOVYenF6jEtYoUuqYCouaWtG7jNVM/f1fksoR8SD6PTq2vn7F4wTLXG1b+K7 45PKMhECgYEA22NH8mK9ICFVd7S6caeAnki+K9cpwmiOUWEIuDInmPn5FOlv7awE uBFN86v14PqDBtF7Aagyib0NUPo7rIw5+V5SCBZv8gQatjZUkT0vZvpxPU5jmB++ w58yfK7zgdAWCepLxIPyTA7CAT1dmiVmuosz2pJjbo4fecVG222IE10CgYEAzDg+ RVlvMYGy04UMmUoUNeeRlW6km/W6dqQ7EtcxfDv4O7boRDTBSRBzfIsRdXHZhcHN gCeB2Uiz8IO3s0Yt0+y/6cTI60uJ4S7Mb2JvWJvDCKWhS3pE1BL+LJJC4Hn7khJH yHYFOLOfnuCbOs8VA7IMmbdTPHirIKWTT5j5H5sCgYEAygK/KweUUlOfWVyHGUQ9 gIJG6iNzhlm0QmbxGnrET25N1t2kfNsadUsp1igPfhvuLocRltMDxiTYcCoabKWq dF5PdrcCWX1CA2o/sIUAcvhE8UiPGHKSu5qJaJnIC05KHNMq9UbyAurL5UxWNiwe TcMD+k01VYV0ojHvLvnKhNkCgYArkoh+xXE7D+A2zzl771lWkvz19DB88jYBoFLW V0HArw7str7h5pui2ja5yPZFp6/woQQWptdGpAN4erIUNxIKGIZt+0WfJnPZruGB lnAJaNp5GtXKQ+ExmofOvLo2KPCrHulf9QZyLakN/gBA0PQ74J5docbJrTld8tX2 cr4cpwKBgHqr2zybmywAmjn8wY0bUjRAyhdN8eiwYaGPtOSFt6IcWxEnNbAo5Jc2 KsywpagjFsXZsi4Obn2XsqR7VX5bNbpNXIyLaMwBOy7MixyecgPF8tu7I4zo/CWm 7gewTKBhwVPTDAOzHqIpJGrOnUgzJM3ijkCWMn3eAh4ccOjsrKq9 -----END RSA PRIVATE KEY-----websockify-0.9.0/tests/fixtures/public.pem000066400000000000000000000007031352452255700206730ustar00rootroot00000000000000-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArwNQal2INbSfoVT50dZ0 s8lQ+yMhu45TDc91iuwtDjlFBJ50E4m3/M6ESBW0S7UTP1bIOGkd/M+u38h0Aruo 4qkngdguu9N3BnsU2kOeicdjxc+vtqRc7/kbkTdT4SrpG8EFP6T2U9U1gtBpLnau 02gPrzjaQzyYDLGOBq+Ozt/mN0YJUhJ3hlwi18dNKreTzWgJ6mmXQWS0eAmHx8TI s2Nz9x3EfRo9CIMuaaeUjRogIEg5Tg4xC00ZtDO0/EfgpFkeHJGVQA2DgdBJsr6r q69MjhMfFxRJItxJMJzP6an2HkJ8onUPBtjEBmk3/fnfiaflzRyEb5zdii6r2TD8 TwIDAQAB -----END PUBLIC KEY----- websockify-0.9.0/tests/fixtures/symmetric.key000066400000000000000000000000141352452255700214330ustar00rootroot00000000000000secret_saucewebsockify-0.9.0/tests/latency.html000066400000000000000000000205501352452255700173700ustar00rootroot00000000000000 WebSockets Latency Test Host:   Port:   Encrypt:
Payload Size:   Send Delay (ms):    

Packets sent:
Packets Received:
Average Latency:
40 Frame Running Average Latency:
Minimum Latency:
Maximum Latency:

Messages:
websockify-0.9.0/tests/latency.py000077700000000000000000000000001352452255700203352echo.pyustar00rootroot00000000000000websockify-0.9.0/tests/load.html000066400000000000000000000170711352452255700166540ustar00rootroot00000000000000 WebSockets Load Test Host:   Port:   Encrypt:   Send Delay (ms):    

Packets sent:
0
Good Packets Received:
0
Errors (Bad Packets Received:)
0

Errors:
websockify-0.9.0/tests/load.py000077500000000000000000000117721352452255700163450ustar00rootroot00000000000000#!/usr/bin/env python ''' WebSocket server-side load test program. Sends and receives traffic that has a random payload (length and content) that is checksummed and given a sequence number. Any errors are reported and counted. ''' import sys, os, select, random, time, optparse, logging sys.path.insert(0,os.path.join(os.path.dirname(__file__), "..")) from websockify.websockifyserver import WebSockifyServer, WebSockifyRequestHandler class WebSocketLoadServer(WebSockifyServer): recv_cnt = 0 send_cnt = 0 def __init__(self, *args, **kwargs): self.delay = kwargs.pop('delay') WebSockifyServer.__init__(self, *args, **kwargs) class WebSocketLoad(WebSockifyRequestHandler): max_packet_size = 10000 def new_websocket_client(self): print "Prepopulating random array" self.rand_array = [] for i in range(0, self.max_packet_size): self.rand_array.append(random.randint(0, 9)) self.errors = 0 self.send_cnt = 0 self.recv_cnt = 0 self.responder(self.request) print "accumulated errors:", self.errors self.errors = 0 def responder(self, client): c_pend = 0 cqueue = [] cpartial = "" socks = [client] last_send = time.time() * 1000 while True: ins, outs, excepts = select.select(socks, socks, socks, 1) if excepts: raise Exception("Socket exception") if client in ins: frames, closed = self.recv_frames() err = self.check(frames) if err: self.errors = self.errors + 1 print err if closed: break now = time.time() * 1000 if client in outs: if c_pend: last_send = now c_pend = self.send_frames() elif now > (last_send + self.server.delay): last_send = now c_pend = self.send_frames([self.generate()]) def generate(self): length = random.randint(10, self.max_packet_size) numlist = self.rand_array[self.max_packet_size-length:] # Error in length #numlist.append(5) chksum = sum(numlist) # Error in checksum #numlist[0] = 5 nums = "".join( [str(n) for n in numlist] ) data = "^%d:%d:%d:%s$" % (self.send_cnt, length, chksum, nums) self.send_cnt += 1 return data def check(self, frames): err = "" for data in frames: if data.count('$') > 1: raise Exception("Multiple parts within single packet") if len(data) == 0: self.traffic("_") continue if data[0] != "^": err += "buf did not start with '^'\n" continue try: cnt, length, chksum, nums = data[1:-1].split(':') cnt = int(cnt) length = int(length) chksum = int(chksum) except ValueError: print "\n" + repr(data) + "" err += "Invalid data format\n" continue if self.recv_cnt != cnt: err += "Expected count %d but got %d\n" % (self.recv_cnt, cnt) self.recv_cnt = cnt + 1 continue self.recv_cnt += 1 if len(nums) != length: err += "Expected length %d but got %d\n" % (length, len(nums)) continue inv = nums.translate(None, "0123456789") if inv: err += "Invalid characters found: %s\n" % inv continue real_chksum = 0 for num in nums: real_chksum += int(num) if real_chksum != chksum: err += "Expected checksum %d but real chksum is %d\n" % (chksum, real_chksum) return err if __name__ == '__main__': parser = optparse.OptionParser(usage="%prog [options] listen_port") parser.add_option("--verbose", "-v", action="store_true", help="verbose messages and per frame traffic") parser.add_option("--cert", default="self.pem", help="SSL certificate file") parser.add_option("--key", default=None, help="SSL key file (if separate from cert)") parser.add_option("--ssl-only", action="store_true", help="disallow non-encrypted connections") (opts, args) = parser.parse_args() try: if len(args) != 1: raise ValueError opts.listen_port = int(args[0]) if len(args) not in [1,2]: raise ValueError opts.listen_port = int(args[0]) if len(args) == 2: opts.delay = int(args[1]) else: opts.delay = 10 except ValueError: parser.error("Invalid arguments") logging.basicConfig(level=logging.INFO) opts.web = "." server = WebSocketLoadServer(WebSocketLoad, **opts.__dict__) server.start_server() websockify-0.9.0/tests/plain_echo.html000066400000000000000000000112331352452255700200300ustar00rootroot00000000000000 WebSockets Echo Test Host:   Port:   Encrypt:    
Log:
websockify-0.9.0/tests/simple.html000066400000000000000000000041211352452255700172160ustar00rootroot00000000000000 Websock Simple Client WebSocket/websockify URI:  

   

Log:
websockify-0.9.0/tests/test_auth_plugins.py000066400000000000000000000020451352452255700211550ustar00rootroot00000000000000# vim: tabstop=4 shiftwidth=4 softtabstop=4 """ Unit tests for Authentication plugins""" from websockify.auth_plugins import BasicHTTPAuth, AuthenticationError import unittest class BasicHTTPAuthTestCase(unittest.TestCase): def setUp(self): self.plugin = BasicHTTPAuth('Aladdin:open sesame') def test_no_auth(self): headers = {} self.assertRaises(AuthenticationError, self.plugin.authenticate, headers, 'localhost', '1234') def test_invalid_password(self): headers = {'Authorization': 'Basic QWxhZGRpbjpzZXNhbWUgc3RyZWV0'} self.assertRaises(AuthenticationError, self.plugin.authenticate, headers, 'localhost', '1234') def test_valid_password(self): headers = {'Authorization': 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=='} self.plugin.authenticate(headers, 'localhost', '1234') def test_garbage_auth(self): headers = {'Authorization': 'Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxx'} self.assertRaises(AuthenticationError, self.plugin.authenticate, headers, 'localhost', '1234') websockify-0.9.0/tests/test_websocket.py000066400000000000000000000203701352452255700204420ustar00rootroot00000000000000# vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright(c)2013 NTT corp. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. """ Unit tests for websocket """ import unittest from websockify import websocket class FakeSocket: def __init__(self): self.data = b'' def send(self, buf): self.data += buf return len(buf) class AcceptTestCase(unittest.TestCase): def test_success(self): ws = websocket.WebSocket() sock = FakeSocket() ws.accept(sock, {'upgrade': 'websocket', 'Sec-WebSocket-Version': '13', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) self.assertEqual(sock.data[:13], b'HTTP/1.1 101 ') self.assertTrue(b'\r\nUpgrade: websocket\r\n' in sock.data) self.assertTrue(b'\r\nConnection: Upgrade\r\n' in sock.data) self.assertTrue(b'\r\nSec-WebSocket-Accept: pczpYSQsvE1vBpTQYjFQPcuoj6M=\r\n' in sock.data) def test_bad_version(self): ws = websocket.WebSocket() sock = FakeSocket() self.assertRaises(Exception, ws.accept, sock, {'upgrade': 'websocket', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) self.assertRaises(Exception, ws.accept, sock, {'upgrade': 'websocket', 'Sec-WebSocket-Version': '5', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) self.assertRaises(Exception, ws.accept, sock, {'upgrade': 'websocket', 'Sec-WebSocket-Version': '20', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) def test_bad_upgrade(self): ws = websocket.WebSocket() sock = FakeSocket() self.assertRaises(Exception, ws.accept, sock, {'Sec-WebSocket-Version': '13', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) self.assertRaises(Exception, ws.accept, sock, {'upgrade': 'websocket2', 'Sec-WebSocket-Version': '13', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) def test_missing_key(self): ws = websocket.WebSocket() sock = FakeSocket() self.assertRaises(Exception, ws.accept, sock, {'upgrade': 'websocket', 'Sec-WebSocket-Version': '13'}) def test_protocol(self): class ProtoSocket(websocket.WebSocket): def select_subprotocol(self, protocol): return 'gazonk' ws = ProtoSocket() sock = FakeSocket() ws.accept(sock, {'upgrade': 'websocket', 'Sec-WebSocket-Version': '13', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q==', 'Sec-WebSocket-Protocol': 'foobar gazonk'}) self.assertEqual(sock.data[:13], b'HTTP/1.1 101 ') self.assertTrue(b'\r\nSec-WebSocket-Protocol: gazonk\r\n' in sock.data) def test_no_protocol(self): ws = websocket.WebSocket() sock = FakeSocket() ws.accept(sock, {'upgrade': 'websocket', 'Sec-WebSocket-Version': '13', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) self.assertEqual(sock.data[:13], b'HTTP/1.1 101 ') self.assertFalse(b'\r\nSec-WebSocket-Protocol:' in sock.data) def test_missing_protocol(self): ws = websocket.WebSocket() sock = FakeSocket() self.assertRaises(Exception, ws.accept, sock, {'upgrade': 'websocket', 'Sec-WebSocket-Version': '13', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q==', 'Sec-WebSocket-Protocol': 'foobar gazonk'}) def test_protocol(self): class ProtoSocket(websocket.WebSocket): def select_subprotocol(self, protocol): return 'oddball' ws = ProtoSocket() sock = FakeSocket() self.assertRaises(Exception, ws.accept, sock, {'upgrade': 'websocket', 'Sec-WebSocket-Version': '13', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q==', 'Sec-WebSocket-Protocol': 'foobar gazonk'}) class PingPongTest(unittest.TestCase): def setUp(self): self.ws = websocket.WebSocket() self.sock = FakeSocket() self.ws.accept(self.sock, {'upgrade': 'websocket', 'Sec-WebSocket-Version': '13', 'Sec-WebSocket-Key': 'DKURYVK9cRFul1vOZVA56Q=='}) self.assertEqual(self.sock.data[:13], b'HTTP/1.1 101 ') self.sock.data = b'' def test_ping(self): self.ws.ping() self.assertEqual(self.sock.data, b'\x89\x00') def test_pong(self): self.ws.pong() self.assertEqual(self.sock.data, b'\x8a\x00') def test_ping_data(self): self.ws.ping(b'foo') self.assertEqual(self.sock.data, b'\x89\x03foo') def test_pong_data(self): self.ws.pong(b'foo') self.assertEqual(self.sock.data, b'\x8a\x03foo') class HyBiEncodeDecodeTestCase(unittest.TestCase): def test_decode_hybi_text(self): buf = b'\x81\x85\x37\xfa\x21\x3d\x7f\x9f\x4d\x51\x58' ws = websocket.WebSocket() res = ws._decode_hybi(buf) self.assertEqual(res['fin'], 1) self.assertEqual(res['opcode'], 0x1) self.assertEqual(res['masked'], True) self.assertEqual(res['length'], len(buf)) self.assertEqual(res['payload'], b'Hello') def test_decode_hybi_binary(self): buf = b'\x82\x04\x01\x02\x03\x04' ws = websocket.WebSocket() res = ws._decode_hybi(buf) self.assertEqual(res['fin'], 1) self.assertEqual(res['opcode'], 0x2) self.assertEqual(res['length'], len(buf)) self.assertEqual(res['payload'], b'\x01\x02\x03\x04') def test_decode_hybi_extended_16bit_binary(self): data = (b'\x01\x02\x03\x04' * 65) # len > 126 -- len == 260 buf = b'\x82\x7e\x01\x04' + data ws = websocket.WebSocket() res = ws._decode_hybi(buf) self.assertEqual(res['fin'], 1) self.assertEqual(res['opcode'], 0x2) self.assertEqual(res['length'], len(buf)) self.assertEqual(res['payload'], data) def test_decode_hybi_extended_64bit_binary(self): data = (b'\x01\x02\x03\x04' * 65) # len > 126 -- len == 260 buf = b'\x82\x7f\x00\x00\x00\x00\x00\x00\x01\x04' + data ws = websocket.WebSocket() res = ws._decode_hybi(buf) self.assertEqual(res['fin'], 1) self.assertEqual(res['opcode'], 0x2) self.assertEqual(res['length'], len(buf)) self.assertEqual(res['payload'], data) def test_decode_hybi_multi(self): buf1 = b'\x01\x03\x48\x65\x6c' buf2 = b'\x80\x02\x6c\x6f' ws = websocket.WebSocket() res1 = ws._decode_hybi(buf1) self.assertEqual(res1['fin'], 0) self.assertEqual(res1['opcode'], 0x1) self.assertEqual(res1['length'], len(buf1)) self.assertEqual(res1['payload'], b'Hel') res2 = ws._decode_hybi(buf2) self.assertEqual(res2['fin'], 1) self.assertEqual(res2['opcode'], 0x0) self.assertEqual(res2['length'], len(buf2)) self.assertEqual(res2['payload'], b'lo') def test_encode_hybi_basic(self): ws = websocket.WebSocket() res = ws._encode_hybi(0x1, b'Hello') expected = b'\x81\x05\x48\x65\x6c\x6c\x6f' self.assertEqual(res, expected) websockify-0.9.0/tests/test_websocketproxy.py000066400000000000000000000232111352452255700215410ustar00rootroot00000000000000# vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright(c) 2015 Red Hat, Inc All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. """ Unit tests for websocketproxy """ import sys import unittest import unittest import socket from mox3 import stubout from websockify import websockifyserver from websockify import websocketproxy from websockify import token_plugins from websockify import auth_plugins if sys.version_info >= (2,7): from jwcrypto import jwt try: from StringIO import StringIO BytesIO = StringIO except ImportError: from io import StringIO from io import BytesIO class FakeSocket(object): def __init__(self, data=''): if isinstance(data, bytes): self._data = data else: self._data = data.encode('latin_1') def recv(self, amt, flags=None): res = self._data[0:amt] if not (flags & socket.MSG_PEEK): self._data = self._data[amt:] return res def makefile(self, mode='r', buffsize=None): if 'b' in mode: return BytesIO(self._data) else: return StringIO(self._data.decode('latin_1')) class FakeServer(object): class EClose(Exception): pass def __init__(self): self.token_plugin = None self.auth_plugin = None self.wrap_cmd = None self.ssl_target = None self.unix_target = None class ProxyRequestHandlerTestCase(unittest.TestCase): def setUp(self): super(ProxyRequestHandlerTestCase, self).setUp() self.stubs = stubout.StubOutForTesting() self.handler = websocketproxy.ProxyRequestHandler( FakeSocket(''), "127.0.0.1", FakeServer()) self.handler.path = "https://localhost:6080/websockify?token=blah" self.handler.headers = None self.stubs.Set(websockifyserver.WebSockifyServer, 'socket', staticmethod(lambda *args, **kwargs: None)) def tearDown(self): self.stubs.UnsetAll() super(ProxyRequestHandlerTestCase, self).tearDown() def test_get_target(self): class TestPlugin(token_plugins.BasePlugin): def lookup(self, token): return ("some host", "some port") host, port = self.handler.get_target( TestPlugin(None)) self.assertEqual(host, "some host") self.assertEqual(port, "some port") def test_get_target_unix_socket(self): class TestPlugin(token_plugins.BasePlugin): def lookup(self, token): return ("unix_socket", "/tmp/socket") _, socket = self.handler.get_target( TestPlugin(None)) self.assertEqual(socket, "/tmp/socket") def test_get_target_raises_error_on_unknown_token(self): class TestPlugin(token_plugins.BasePlugin): def lookup(self, token): return None self.assertRaises(FakeServer.EClose, self.handler.get_target, TestPlugin(None)) def test_token_plugin(self): class TestPlugin(token_plugins.BasePlugin): def lookup(self, token): return (self.source + token).split(',') self.stubs.Set(websocketproxy.ProxyRequestHandler, 'send_auth_error', staticmethod(lambda *args, **kwargs: None)) self.handler.server.token_plugin = TestPlugin("somehost,") self.handler.validate_connection() self.assertEqual(self.handler.server.target_host, "somehost") self.assertEqual(self.handler.server.target_port, "blah") if sys.version_info >= (2,7): def test_asymmetric_jws_token_plugin(self): key = jwt.JWK() private_key = open("./tests/fixtures/private.pem", "rb").read() key.import_from_pem(private_key) jwt_token = jwt.JWT({"alg": "RS256"}, {'host': "remote_host", 'port': "remote_port"}) jwt_token.make_signed_token(key) self.handler.path = "https://localhost:6080/websockify?token={jwt_token}".format(jwt_token=jwt_token.serialize()) self.stubs.Set(websocketproxy.ProxyRequestHandler, 'send_auth_error', staticmethod(lambda *args, **kwargs: None)) self.handler.server.token_plugin = token_plugins.JWTTokenApi("./tests/fixtures/public.pem") self.handler.validate_connection() self.assertEqual(self.handler.server.target_host, "remote_host") self.assertEqual(self.handler.server.target_port, "remote_port") def test_asymmetric_jws_token_plugin_with_illigal_key_exception(self): key = jwt.JWK() private_key = open("./tests/fixtures/private.pem", "rb").read() key.import_from_pem(private_key) jwt_token = jwt.JWT({"alg": "RS256"}, {'host': "remote_host", 'port': "remote_port"}) jwt_token.make_signed_token(key) self.handler.path = "https://localhost:6080/websockify?token={jwt_token}".format(jwt_token=jwt_token.serialize()) self.stubs.Set(websocketproxy.ProxyRequestHandler, 'send_auth_error', staticmethod(lambda *args, **kwargs: None)) self.handler.server.token_plugin = token_plugins.JWTTokenApi("wrong.pub") self.assertRaises(self.handler.server.EClose, self.handler.validate_connection) def test_symmetric_jws_token_plugin(self): secret = open("./tests/fixtures/symmetric.key").read() key = jwt.JWK() key.import_key(kty="oct",k=secret) jwt_token = jwt.JWT({"alg": "HS256"}, {'host': "remote_host", 'port': "remote_port"}) jwt_token.make_signed_token(key) self.handler.path = "https://localhost:6080/websockify?token={jwt_token}".format(jwt_token=jwt_token.serialize()) self.stubs.Set(websocketproxy.ProxyRequestHandler, 'send_auth_error', staticmethod(lambda *args, **kwargs: None)) self.handler.server.token_plugin = token_plugins.JWTTokenApi("./tests/fixtures/symmetric.key") self.handler.validate_connection() self.assertEqual(self.handler.server.target_host, "remote_host") self.assertEqual(self.handler.server.target_port, "remote_port") def test_symmetric_jws_token_plugin_with_illigal_key_exception(self): secret = open("./tests/fixtures/symmetric.key").read() key = jwt.JWK() key.import_key(kty="oct",k=secret) jwt_token = jwt.JWT({"alg": "HS256"}, {'host': "remote_host", 'port': "remote_port"}) jwt_token.make_signed_token(key) self.handler.path = "https://localhost:6080/websockify?token={jwt_token}".format(jwt_token=jwt_token.serialize()) self.stubs.Set(websocketproxy.ProxyRequestHandler, 'send_auth_error', staticmethod(lambda *args, **kwargs: None)) self.handler.server.token_plugin = token_plugins.JWTTokenApi("wrong_sauce") self.assertRaises(self.handler.server.EClose, self.handler.validate_connection) def test_asymmetric_jwe_token_plugin(self): private_key = jwt.JWK() public_key = jwt.JWK() private_key_data = open("./tests/fixtures/private.pem", "rb").read() public_key_data = open("./tests/fixtures/public.pem", "rb").read() private_key.import_from_pem(private_key_data) public_key.import_from_pem(public_key_data) jwt_token = jwt.JWT({"alg": "RS256"}, {'host': "remote_host", 'port': "remote_port"}) jwt_token.make_signed_token(private_key) jwe_token = jwt.JWT(header={"alg": "RSA1_5", "enc": "A256CBC-HS512"}, claims=jwt_token.serialize()) jwe_token.make_encrypted_token(public_key) self.handler.path = "https://localhost:6080/websockify?token={jwt_token}".format(jwt_token=jwe_token.serialize()) self.stubs.Set(websocketproxy.ProxyRequestHandler, 'send_auth_error', staticmethod(lambda *args, **kwargs: None)) self.handler.server.token_plugin = token_plugins.JWTTokenApi("./tests/fixtures/private.pem") self.handler.validate_connection() self.assertEqual(self.handler.server.target_host, "remote_host") self.assertEqual(self.handler.server.target_port, "remote_port") def test_auth_plugin(self): class TestPlugin(auth_plugins.BasePlugin): def authenticate(self, headers, target_host, target_port): if target_host == self.source: raise auth_plugins.AuthenticationError(response_msg="some_error") self.stubs.Set(websocketproxy.ProxyRequestHandler, 'send_auth_error', staticmethod(lambda *args, **kwargs: None)) self.handler.server.auth_plugin = TestPlugin("somehost") self.handler.server.target_host = "somehost" self.handler.server.target_port = "someport" self.assertRaises(auth_plugins.AuthenticationError, self.handler.auth_connection) self.handler.server.target_host = "someotherhost" self.handler.auth_connection() websockify-0.9.0/tests/test_websockifyserver.py000066400000000000000000000412371352452255700220550ustar00rootroot00000000000000# vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright(c)2013 NTT corp. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. """ Unit tests for websockifyserver """ import errno import os import logging import select import shutil import socket import ssl from mox3 import stubout import sys import tempfile import unittest import socket import signal from websockify import websockifyserver try: from BaseHTTPServer import BaseHTTPRequestHandler except ImportError: from http.server import BaseHTTPRequestHandler try: from StringIO import StringIO BytesIO = StringIO except ImportError: from io import StringIO from io import BytesIO def raise_oserror(*args, **kwargs): raise OSError('fake error') class FakeSocket(object): def __init__(self, data=''): if isinstance(data, bytes): self._data = data else: self._data = data.encode('latin_1') def recv(self, amt, flags=None): res = self._data[0:amt] if not (flags & socket.MSG_PEEK): self._data = self._data[amt:] return res def makefile(self, mode='r', buffsize=None): if 'b' in mode: return BytesIO(self._data) else: return StringIO(self._data.decode('latin_1')) class WebSockifyRequestHandlerTestCase(unittest.TestCase): def setUp(self): super(WebSockifyRequestHandlerTestCase, self).setUp() self.stubs = stubout.StubOutForTesting() self.tmpdir = tempfile.mkdtemp('-websockify-tests') # Mock this out cause it screws tests up self.stubs.Set(os, 'chdir', lambda *args, **kwargs: None) self.stubs.Set(BaseHTTPRequestHandler, 'send_response', lambda *args, **kwargs: None) def fake_send_error(self, code, message=None, explain=None): self.last_code = code self.stubs.Set(BaseHTTPRequestHandler, 'send_error', fake_send_error) def tearDown(self): """Called automatically after each test.""" self.stubs.UnsetAll() os.rmdir(self.tmpdir) super(WebSockifyRequestHandlerTestCase, self).tearDown() def _get_server(self, handler_class=websockifyserver.WebSockifyRequestHandler, **kwargs): web = kwargs.pop('web', self.tmpdir) return websockifyserver.WebSockifyServer( handler_class, listen_host='localhost', listen_port=80, key=self.tmpdir, web=web, record=self.tmpdir, daemon=False, ssl_only=0, idle_timeout=1, **kwargs) def test_normal_get_with_only_upgrade_returns_error(self): server = self._get_server(web=None) handler = websockifyserver.WebSockifyRequestHandler( FakeSocket('GET /tmp.txt HTTP/1.1'), '127.0.0.1', server) def fake_send_response(self, code, message=None): self.last_code = code self.stubs.Set(BaseHTTPRequestHandler, 'send_response', fake_send_response) handler.do_GET() self.assertEqual(handler.last_code, 405) def test_list_dir_with_file_only_returns_error(self): server = self._get_server(file_only=True) handler = websockifyserver.WebSockifyRequestHandler( FakeSocket('GET / HTTP/1.1'), '127.0.0.1', server) def fake_send_response(self, code, message=None): self.last_code = code self.stubs.Set(BaseHTTPRequestHandler, 'send_response', fake_send_response) handler.path = '/' handler.do_GET() self.assertEqual(handler.last_code, 404) class WebSockifyServerTestCase(unittest.TestCase): def setUp(self): super(WebSockifyServerTestCase, self).setUp() self.stubs = stubout.StubOutForTesting() self.tmpdir = tempfile.mkdtemp('-websockify-tests') # Mock this out cause it screws tests up self.stubs.Set(os, 'chdir', lambda *args, **kwargs: None) def tearDown(self): """Called automatically after each test.""" self.stubs.UnsetAll() os.rmdir(self.tmpdir) super(WebSockifyServerTestCase, self).tearDown() def _get_server(self, handler_class=websockifyserver.WebSockifyRequestHandler, **kwargs): return websockifyserver.WebSockifyServer( handler_class, listen_host='localhost', listen_port=80, key=self.tmpdir, web=self.tmpdir, record=self.tmpdir, **kwargs) def test_daemonize_raises_error_while_closing_fds(self): server = self._get_server(daemon=True, ssl_only=1, idle_timeout=1) self.stubs.Set(os, 'fork', lambda *args: 0) self.stubs.Set(signal, 'signal', lambda *args: None) self.stubs.Set(os, 'setsid', lambda *args: None) self.stubs.Set(os, 'close', raise_oserror) self.assertRaises(OSError, server.daemonize, keepfd=None, chdir='./') def test_daemonize_ignores_ebadf_error_while_closing_fds(self): def raise_oserror_ebadf(fd): raise OSError(errno.EBADF, 'fake error') server = self._get_server(daemon=True, ssl_only=1, idle_timeout=1) self.stubs.Set(os, 'fork', lambda *args: 0) self.stubs.Set(os, 'setsid', lambda *args: None) self.stubs.Set(signal, 'signal', lambda *args: None) self.stubs.Set(os, 'close', raise_oserror_ebadf) self.stubs.Set(os, 'open', raise_oserror) self.assertRaises(OSError, server.daemonize, keepfd=None, chdir='./') def test_handshake_fails_on_not_ready(self): server = self._get_server(daemon=True, ssl_only=0, idle_timeout=1) def fake_select(rlist, wlist, xlist, timeout=None): return ([], [], []) self.stubs.Set(select, 'select', fake_select) self.assertRaises( websockifyserver.WebSockifyServer.EClose, server.do_handshake, FakeSocket(), '127.0.0.1') def test_empty_handshake_fails(self): server = self._get_server(daemon=True, ssl_only=0, idle_timeout=1) sock = FakeSocket('') def fake_select(rlist, wlist, xlist, timeout=None): return ([sock], [], []) self.stubs.Set(select, 'select', fake_select) self.assertRaises( websockifyserver.WebSockifyServer.EClose, server.do_handshake, sock, '127.0.0.1') def test_handshake_policy_request(self): # TODO(directxman12): implement pass def test_handshake_ssl_only_without_ssl_raises_error(self): server = self._get_server(daemon=True, ssl_only=1, idle_timeout=1) sock = FakeSocket('some initial data') def fake_select(rlist, wlist, xlist, timeout=None): return ([sock], [], []) self.stubs.Set(select, 'select', fake_select) self.assertRaises( websockifyserver.WebSockifyServer.EClose, server.do_handshake, sock, '127.0.0.1') def test_do_handshake_no_ssl(self): class FakeHandler(object): CALLED = False def __init__(self, *args, **kwargs): type(self).CALLED = True FakeHandler.CALLED = False server = self._get_server( handler_class=FakeHandler, daemon=True, ssl_only=0, idle_timeout=1) sock = FakeSocket('some initial data') def fake_select(rlist, wlist, xlist, timeout=None): return ([sock], [], []) self.stubs.Set(select, 'select', fake_select) self.assertEqual(server.do_handshake(sock, '127.0.0.1'), sock) self.assertTrue(FakeHandler.CALLED, True) def test_do_handshake_ssl(self): # TODO(directxman12): implement this pass def test_do_handshake_ssl_without_ssl_raises_error(self): # TODO(directxman12): implement this pass def test_do_handshake_ssl_without_cert_raises_error(self): server = self._get_server(daemon=True, ssl_only=0, idle_timeout=1, cert='afdsfasdafdsafdsafdsafdas') sock = FakeSocket("\x16some ssl data") def fake_select(rlist, wlist, xlist, timeout=None): return ([sock], [], []) self.stubs.Set(select, 'select', fake_select) self.assertRaises( websockifyserver.WebSockifyServer.EClose, server.do_handshake, sock, '127.0.0.1') def test_do_handshake_ssl_error_eof_raises_close_error(self): server = self._get_server(daemon=True, ssl_only=0, idle_timeout=1) sock = FakeSocket("\x16some ssl data") def fake_select(rlist, wlist, xlist, timeout=None): return ([sock], [], []) def fake_wrap_socket(*args, **kwargs): raise ssl.SSLError(ssl.SSL_ERROR_EOF) class fake_create_default_context(): def __init__(self, purpose): self.verify_mode = None self.options = 0 def load_cert_chain(self, certfile, keyfile, password): pass def set_default_verify_paths(self): pass def load_verify_locations(self, cafile): pass def wrap_socket(self, *args, **kwargs): raise ssl.SSLError(ssl.SSL_ERROR_EOF) self.stubs.Set(select, 'select', fake_select) if (hasattr(ssl, 'create_default_context')): # for recent versions of python self.stubs.Set(ssl, 'create_default_context', fake_create_default_context) else: # for fallback for old versions of python self.stubs.Set(ssl, 'wrap_socket', fake_wrap_socket) self.assertRaises( websockifyserver.WebSockifyServer.EClose, server.do_handshake, sock, '127.0.0.1') def test_do_handshake_ssl_sets_ciphers(self): test_ciphers = 'TEST-CIPHERS-1:TEST-CIPHER-2' class FakeHandler(object): def __init__(self, *args, **kwargs): pass server = self._get_server(handler_class=FakeHandler, daemon=True, idle_timeout=1, ssl_ciphers=test_ciphers) sock = FakeSocket("\x16some ssl data") def fake_select(rlist, wlist, xlist, timeout=None): return ([sock], [], []) class fake_create_default_context(): CIPHERS = '' def __init__(self, purpose): self.verify_mode = None self.options = 0 def load_cert_chain(self, certfile, keyfile, password): pass def set_default_verify_paths(self): pass def load_verify_locations(self, cafile): pass def wrap_socket(self, *args, **kwargs): pass def set_ciphers(self, ciphers_to_set): fake_create_default_context.CIPHERS = ciphers_to_set self.stubs.Set(select, 'select', fake_select) if (hasattr(ssl, 'create_default_context')): # for recent versions of python self.stubs.Set(ssl, 'create_default_context', fake_create_default_context) server.do_handshake(sock, '127.0.0.1') self.assertEqual(fake_create_default_context.CIPHERS, test_ciphers) else: # for fallback for old versions of python # not supperted, nothing to test pass def test_do_handshake_ssl_sets_opions(self): test_options = 0xCAFEBEEF class FakeHandler(object): def __init__(self, *args, **kwargs): pass server = self._get_server(handler_class=FakeHandler, daemon=True, idle_timeout=1, ssl_options=test_options) sock = FakeSocket("\x16some ssl data") def fake_select(rlist, wlist, xlist, timeout=None): return ([sock], [], []) class fake_create_default_context(object): OPTIONS = 0 def __init__(self, purpose): self.verify_mode = None self._options = 0 def load_cert_chain(self, certfile, keyfile, password): pass def set_default_verify_paths(self): pass def load_verify_locations(self, cafile): pass def wrap_socket(self, *args, **kwargs): pass def get_options(self): return self._options def set_options(self, val): fake_create_default_context.OPTIONS = val options = property(get_options, set_options) self.stubs.Set(select, 'select', fake_select) if (hasattr(ssl, 'create_default_context')): # for recent versions of python self.stubs.Set(ssl, 'create_default_context', fake_create_default_context) server.do_handshake(sock, '127.0.0.1') self.assertEqual(fake_create_default_context.OPTIONS, test_options) else: # for fallback for old versions of python # not supperted, nothing to test pass def test_fallback_sigchld_handler(self): # TODO(directxman12): implement this pass def test_start_server_error(self): server = self._get_server(daemon=False, ssl_only=1, idle_timeout=1) sock = server.socket('localhost') def fake_select(rlist, wlist, xlist, timeout=None): raise Exception("fake error") self.stubs.Set(websockifyserver.WebSockifyServer, 'socket', lambda *args, **kwargs: sock) self.stubs.Set(websockifyserver.WebSockifyServer, 'daemonize', lambda *args, **kwargs: None) self.stubs.Set(select, 'select', fake_select) server.start_server() def test_start_server_keyboardinterrupt(self): server = self._get_server(daemon=False, ssl_only=0, idle_timeout=1) sock = server.socket('localhost') def fake_select(rlist, wlist, xlist, timeout=None): raise KeyboardInterrupt self.stubs.Set(websockifyserver.WebSockifyServer, 'socket', lambda *args, **kwargs: sock) self.stubs.Set(websockifyserver.WebSockifyServer, 'daemonize', lambda *args, **kwargs: None) self.stubs.Set(select, 'select', fake_select) server.start_server() def test_start_server_systemexit(self): server = self._get_server(daemon=False, ssl_only=0, idle_timeout=1) sock = server.socket('localhost') def fake_select(rlist, wlist, xlist, timeout=None): sys.exit() self.stubs.Set(websockifyserver.WebSockifyServer, 'socket', lambda *args, **kwargs: sock) self.stubs.Set(websockifyserver.WebSockifyServer, 'daemonize', lambda *args, **kwargs: None) self.stubs.Set(select, 'select', fake_select) server.start_server() def test_socket_set_keepalive_options(self): keepcnt = 12 keepidle = 34 keepintvl = 56 server = self._get_server(daemon=False, ssl_only=0, idle_timeout=1) sock = server.socket('localhost', tcp_keepcnt=keepcnt, tcp_keepidle=keepidle, tcp_keepintvl=keepintvl) if hasattr(socket, 'TCP_KEEPCNT'): self.assertEqual(sock.getsockopt(socket.SOL_TCP, socket.TCP_KEEPCNT), keepcnt) self.assertEqual(sock.getsockopt(socket.SOL_TCP, socket.TCP_KEEPIDLE), keepidle) self.assertEqual(sock.getsockopt(socket.SOL_TCP, socket.TCP_KEEPINTVL), keepintvl) sock = server.socket('localhost', tcp_keepalive=False, tcp_keepcnt=keepcnt, tcp_keepidle=keepidle, tcp_keepintvl=keepintvl) if hasattr(socket, 'TCP_KEEPCNT'): self.assertNotEqual(sock.getsockopt(socket.SOL_TCP, socket.TCP_KEEPCNT), keepcnt) self.assertNotEqual(sock.getsockopt(socket.SOL_TCP, socket.TCP_KEEPIDLE), keepidle) self.assertNotEqual(sock.getsockopt(socket.SOL_TCP, socket.TCP_KEEPINTVL), keepintvl) websockify-0.9.0/tox.ini000066400000000000000000000010211352452255700152040ustar00rootroot00000000000000# Tox (http://tox.testrun.org/) is a tool for running tests # in multiple virtualenvs. This configuration file will run the # test suite on all supported python versions. To use it, "pip install tox" # and then run "tox" from this directory. [tox] envlist = py24,py26,py27,py33,py34 [testenv] commands = nosetests {posargs} deps = -r{toxinidir}/test-requirements.txt # At some point we should enable this since tox expects it to exist but # the code will need pep8ising first. #[testenv:pep8] #commands = flake8 #dep = flake8 websockify-0.9.0/websockify.py000077700000000000000000000000001352452255700171402runustar00rootroot00000000000000websockify-0.9.0/websockify/000077500000000000000000000000001352452255700160445ustar00rootroot00000000000000websockify-0.9.0/websockify/__init__.py000066400000000000000000000001131352452255700201500ustar00rootroot00000000000000from websockify.websocket import * from websockify.websocketproxy import * websockify-0.9.0/websockify/__main__.py000066400000000000000000000001361352452255700201360ustar00rootroot00000000000000import websockify if __name__ == '__main__': websockify.websocketproxy.websockify_init() websockify-0.9.0/websockify/auth_plugins.py000066400000000000000000000064121352452255700211230ustar00rootroot00000000000000class BasePlugin(object): def __init__(self, src=None): self.source = src def authenticate(self, headers, target_host, target_port): pass class AuthenticationError(Exception): def __init__(self, log_msg=None, response_code=403, response_headers={}, response_msg=None): self.code = response_code self.headers = response_headers self.msg = response_msg if log_msg is None: log_msg = response_msg super(AuthenticationError, self).__init__('%s %s' % (self.code, log_msg)) class InvalidOriginError(AuthenticationError): def __init__(self, expected, actual): self.expected_origin = expected self.actual_origin = actual super(InvalidOriginError, self).__init__( response_msg='Invalid Origin', log_msg="Invalid Origin Header: Expected one of " "%s, got '%s'" % (expected, actual)) class BasicHTTPAuth(object): """Verifies Basic Auth headers. Specify src as username:password""" def __init__(self, src=None): self.src = src def authenticate(self, headers, target_host, target_port): import base64 auth_header = headers.get('Authorization') if auth_header: if not auth_header.startswith('Basic '): self.auth_error() try: user_pass_raw = base64.b64decode(auth_header[6:]) except TypeError: self.auth_error() try: # http://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication user_pass_as_text = user_pass_raw.decode('ISO-8859-1') except UnicodeDecodeError: self.auth_error() user_pass = user_pass_as_text.split(':', 1) if len(user_pass) != 2: self.auth_error() if not self.validate_creds(*user_pass): self.demand_auth() else: self.demand_auth() def validate_creds(self, username, password): if '%s:%s' % (username, password) == self.src: return True else: return False def auth_error(self): raise AuthenticationError(response_code=403) def demand_auth(self): raise AuthenticationError(response_code=401, response_headers={'WWW-Authenticate': 'Basic realm="Websockify"'}) class ExpectOrigin(object): def __init__(self, src=None): if src is None: self.source = [] else: self.source = src.split() def authenticate(self, headers, target_host, target_port): origin = headers.get('Origin', None) if origin is None or origin not in self.source: raise InvalidOriginError(expected=self.source, actual=origin) class ClientCertCNAuth(object): """Verifies client by SSL certificate. Specify src as whitespace separated list of common names.""" def __init__(self, src=None): if src is None: self.source = [] else: self.source = src.split() def authenticate(self, headers, target_host, target_port): if headers.get('SSL_CLIENT_S_DN_CN', None) not in self.source: raise AuthenticationError(response_code=403) websockify-0.9.0/websockify/sysloghandler.py000066400000000000000000000077501352452255700213050ustar00rootroot00000000000000import logging.handlers as handlers, socket, os, time class WebsockifySysLogHandler(handlers.SysLogHandler): """ A handler class that sends proper Syslog-formatted messages, as defined by RFC 5424. """ _legacy_head_fmt = '<{pri}>{ident}[{pid}]: ' _rfc5424_head_fmt = '<{pri}>1 {timestamp} {hostname} {ident} {pid} - - ' _head_fmt = _rfc5424_head_fmt _legacy = False _timestamp_fmt = '%Y-%m-%dT%H:%M:%SZ' _max_hostname = 255 _max_ident = 24 #safer for old daemons _send_length = False _tail = '\n' ident = None def __init__(self, address=('localhost', handlers.SYSLOG_UDP_PORT), facility=handlers.SysLogHandler.LOG_USER, socktype=None, ident=None, legacy=False): """ Initialize a handler. If address is specified as a string, a UNIX socket is used. To log to a local syslogd, "WebsockifySysLogHandler(address="/dev/log")" can be used. If facility is not specified, LOG_USER is used. If socktype is specified as socket.SOCK_DGRAM or socket.SOCK_STREAM, that specific socket type will be used. For Unix sockets, you can also specify a socktype of None, in which case socket.SOCK_DGRAM will be used, falling back to socket.SOCK_STREAM. If ident is specified, this string will be used as the application name in all messages sent. Set legacy to True to use the old version of the protocol. """ self.ident = ident if legacy: self._legacy = True self._head_fmt = self._legacy_head_fmt handlers.SysLogHandler.__init__(self, address, facility, socktype) def emit(self, record): """ Emit a record. The record is formatted, and then sent to the syslog server. If exception information is present, it is NOT sent to the server. """ try: # Gather info. text = self.format(record).replace(self._tail, ' ') if not text: # nothing to log return pri = self.encodePriority(self.facility, self.mapPriority(record.levelname)) timestamp = time.strftime(self._timestamp_fmt, time.gmtime()); hostname = socket.gethostname()[:self._max_hostname] if self.ident: ident = self.ident[:self._max_ident] else: ident = '' pid = os.getpid() # shouldn't need truncation # Format the header. head = { 'pri': pri, 'timestamp': timestamp, 'hostname': hostname, 'ident': ident, 'pid': pid, } msg = self._head_fmt.format(**head).encode('ascii', 'ignore') # Encode text as plain ASCII if possible, else use UTF-8 with BOM. try: msg += text.encode('ascii') except UnicodeEncodeError: msg += text.encode('utf-8-sig') # Add length or tail character, if necessary. if self.socktype != socket.SOCK_DGRAM: if self._send_length: msg = ('%d ' % len(msg)).encode('ascii') + msg else: msg += self._tail.encode('ascii') # Send the message. if self.unixsocket: try: self.socket.send(msg) except socket.error: self._connect_unixsocket(self.address) self.socket.send(msg) else: if self.socktype == socket.SOCK_DGRAM: self.socket.sendto(msg, self.address) else: self.socket.sendall(msg) except (KeyboardInterrupt, SystemExit): raise except: self.handleError(record) websockify-0.9.0/websockify/token_plugins.py000066400000000000000000000116331352452255700213030ustar00rootroot00000000000000from __future__ import print_function import os import sys class BasePlugin(object): def __init__(self, src): self.source = src def lookup(self, token): return None class ReadOnlyTokenFile(BasePlugin): # source is a token file with lines like # token: host:port # or a directory of such files def __init__(self, *args, **kwargs): super(ReadOnlyTokenFile, self).__init__(*args, **kwargs) self._targets = None def _load_targets(self): if os.path.isdir(self.source): cfg_files = [os.path.join(self.source, f) for f in os.listdir(self.source)] else: cfg_files = [self.source] self._targets = {} index = 1 for f in cfg_files: for line in [l.strip() for l in open(f).readlines()]: if line and not line.startswith('#'): try: tok, target = line.split(': ') self._targets[tok] = target.strip().rsplit(':', 1) except ValueError: print >>sys.stderr, "Syntax error in %s on line %d" % (self.source, index) index += 1 def lookup(self, token): if self._targets is None: self._load_targets() if token in self._targets: return self._targets[token] else: return None # the above one is probably more efficient, but this one is # more backwards compatible (although in most cases # ReadOnlyTokenFile should suffice) class TokenFile(ReadOnlyTokenFile): # source is a token file with lines like # token: host:port # or a directory of such files def lookup(self, token): self._load_targets() return super(TokenFile, self).lookup(token) class BaseTokenAPI(BasePlugin): # source is a url with a '%s' in it where the token # should go # we import things on demand so that other plugins # in this file can be used w/o unnecessary dependencies def process_result(self, resp): host, port = resp.text.split(':') port = port.encode('ascii','ignore') return [ host, port ] def lookup(self, token): import requests resp = requests.get(self.source % token) if resp.ok: return self.process_result(resp) else: return None class JSONTokenApi(BaseTokenAPI): # source is a url with a '%s' in it where the token # should go def process_result(self, resp): resp_json = resp.json() return (resp_json['host'], resp_json['port']) class JWTTokenApi(BasePlugin): # source is a JWT-token, with hostname and port included # Both JWS as JWE tokens are accepted. With regards to JWE tokens, the key is re-used for both validation and decryption. def lookup(self, token): try: from jwcrypto import jwt import json key = jwt.JWK() try: with open(self.source, 'rb') as key_file: key_data = key_file.read() except Exception as e: print("Error loading key file: %s" % str(e), file=sys.stderr) return None try: key.import_from_pem(key_data) except: try: key.import_key(k=key_data.decode('utf-8'),kty='oct') except: print('Failed to correctly parse key data!', file=sys.stderr) return None try: token = jwt.JWT(key=key, jwt=token) parsed_header = json.loads(token.header) if 'enc' in parsed_header: # Token is encrypted, so we need to decrypt by passing the claims to a new instance token = jwt.JWT(key=key, jwt=token.claims) parsed = json.loads(token.claims) return (parsed['host'], parsed['port']) except Exception as e: print("Failed to parse token: %s" % str(e), file=sys.stderr) return None except ImportError as e: print("package jwcrypto not found, are you sure you've installed it correctly?", file=sys.stderr) return None class TokenRedis(object): def __init__(self, src): self._server, self._port = src.split(":") def lookup(self, token): try: import redis import simplejson except ImportError as e: print("package redis or simplejson not found, are you sure you've installed them correctly?", file=sys.stderr) return None client = redis.Redis(host=self._server,port=self._port) stuff = client.get(token) if stuff is None: return None else: combo = simplejson.loads(stuff.decode("utf-8")) pair = combo["host"] return pair.split(':') websockify-0.9.0/websockify/websocket.py000066400000000000000000000667271352452255700204260ustar00rootroot00000000000000#!/usr/bin/env python ''' Python WebSocket library Copyright 2011 Joel Martin Copyright 2016 Pierre Ossman Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) Supports following protocol versions: - http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-07 - http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-10 - http://tools.ietf.org/html/rfc6455 ''' import sys import array import email import errno import random import socket import ssl import struct from base64 import b64encode from hashlib import sha1 try: import numpy except ImportError: import warnings warnings.warn("no 'numpy' module, HyBi protocol will be slower") numpy = None # python 3.0 differences try: from urllib.parse import urlparse except ImportError: from urlparse import urlparse # SSLWant*Error is 2.7.9+ try: class WebSocketWantReadError(ssl.SSLWantReadError): pass class WebSocketWantWriteError(ssl.SSLWantWriteError): pass except AttributeError: class WebSocketWantReadError(OSError): def __init__(self): OSError.__init__(self, errno.EWOULDBLOCK) class WebSocketWantWriteError(OSError): def __init__(self): OSError.__init__(self, errno.EWOULDBLOCK) class WebSocket(object): """WebSocket protocol socket like class. This provides access to the WebSocket protocol by behaving much like a real socket would. It shares many similarities with ssl.SSLSocket. The WebSocket protocols requires extra data to be sent and received compared to the application level data. This means that a socket that is ready to be read may not hold enough data to decode any application data, and a socket that is ready to be written to may not have enough space for an entire WebSocket frame. This is handled by the exceptions WebSocketWantReadError and WebSocketWantWriteError. When these are raised the caller must wait for the socket to become ready again and call the relevant function again. A connection is established by using either connect() or accept(), depending on if a client or server session is desired. See the respective functions for details. The following methods are passed on to the underlying socket: - fileno - getpeername, getsockname - getsockopt, setsockopt - gettimeout, settimeout - setblocking """ GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" def __init__(self): """Creates an unconnected WebSocket""" self._state = "new" self._partial_msg = ''.encode("ascii") self._recv_buffer = ''.encode("ascii") self._recv_queue = [] self._send_buffer = ''.encode("ascii") self._sent_close = False self._received_close = False self.close_code = None self.close_reason = None self.socket = None def __getattr__(self, name): # These methods are just redirected to the underlying socket if name in ["fileno", "getpeername", "getsockname", "getsockopt", "setsockopt", "gettimeout", "settimeout", "setblocking"]: assert self.socket is not None return getattr(self.socket, name) else: raise AttributeError("%s instance has no attribute '%s'" % (self.__class__.__name__, name)) def connect(self, uri, origin=None, protocols=[]): """Establishes a new connection to a WebSocket server. This method connects to the host specified by uri and negotiates a WebSocket connection. origin should be specified in accordance with RFC 6454 if known. A list of valid sub-protocols can be specified in the protocols argument. The data will be sent in the clear if the "ws" scheme is used, and encrypted if the "wss" scheme is used. Both WebSocketWantReadError and WebSocketWantWriteError can be raised whilst negotiating the connection. Repeated calls to connect() must retain the same arguments. """ self.client = True; uri = urlparse(uri) port = uri.port if uri.scheme in ("ws", "http"): if not port: port = 80 elif uri.scheme in ("wss", "https"): if not port: port = 443 else: raise Exception("Unknown scheme '%s'" % uri.scheme) # This is a state machine in order to handle # WantRead/WantWrite events if self._state == "new": self.socket = socket.create_connection((uri.hostname, port)) if uri.scheme in ("wss", "https"): self.socket = ssl.wrap_socket(self.socket) self._state = "ssl_handshake" else: self._state = "headers" if self._state == "ssl_handshake": self.socket.do_handshake() self._state = "headers" if self._state == "headers": self._key = '' for i in range(16): self._key += chr(random.randrange(256)) if sys.hexversion >= 0x3000000: self._key = bytes(self._key, "latin-1") self._key = b64encode(self._key).decode("ascii") path = uri.path if not path: path = "/" self._queue_str("GET %s HTTP/1.1\r\n" % path) self._queue_str("Host: %s\r\n" % uri.hostname) self._queue_str("Upgrade: websocket\r\n") self._queue_str("Connection: upgrade\r\n") self._queue_str("Sec-WebSocket-Key: %s\r\n" % self._key) self._queue_str("Sec-WebSocket-Version: 13\r\n") if origin is not None: self._queue_str("Origin: %s\r\n" % origin) if len(protocols) > 0: self._queue_str("Sec-WebSocket-Protocol: %s\r\n" % ", ".join(protocols)) self._queue_str("\r\n") self._state = "send_headers" if self._state == "send_headers": self._flush() self._state = "response" if self._state == "response": if not self._recv(): raise Exception("Socket closed unexpectedly") if self._recv_buffer.find('\r\n\r\n'.encode("ascii")) == -1: raise WebSocketWantReadError (request, self._recv_buffer) = self._recv_buffer.split('\r\n'.encode("ascii"), 1) request = request.decode("latin-1") words = request.split() if (len(words) < 2) or (words[0] != "HTTP/1.1"): raise Exception("Invalid response") if words[1] != "101": raise Exception("WebSocket request denied: %s" % " ".join(words[1:])) (headers, self._recv_buffer) = self._recv_buffer.split('\r\n\r\n'.encode("ascii"), 1) headers = headers.decode('latin-1') + '\r\n' headers = email.message_from_string(headers) if headers.get("Upgrade", "").lower() != "websocket": print(type(headers)) raise Exception("Missing or incorrect upgrade header") accept = headers.get('Sec-WebSocket-Accept') if accept is None: raise Exception("Missing Sec-WebSocket-Accept header"); expected = sha1((self._key + self.GUID).encode("ascii")).digest() expected = b64encode(expected).decode("ascii") del self._key if accept != expected: raise Exception("Invalid Sec-WebSocket-Accept header"); self.protocol = headers.get('Sec-WebSocket-Protocol') if len(protocols) == 0: if self.protocol is not None: raise Exception("Unexpected Sec-WebSocket-Protocol header") else: if self.protocol not in protocols: raise Exception("Invalid protocol chosen by server") self._state = "done" return raise Exception("WebSocket is in an invalid state") def accept(self, socket, headers): """Establishes a new WebSocket session with a client. This method negotiates a WebSocket connection with an incoming client. The caller must provide the client socket and the headers from the HTTP request. A server can identify that a client is requesting a WebSocket connection by looking at the "Upgrade" header. It will include the value "websocket" in such cases. WebSocketWantWriteError can be raised if the response cannot be sent right away. Repeated calls to accept() does not need to retain the arguments. """ # This is a state machine in order to handle # WantRead/WantWrite events if self._state == "new": self.client = False self.socket = socket if headers.get("upgrade", "").lower() != "websocket": raise Exception("Missing or incorrect upgrade header") ver = headers.get('Sec-WebSocket-Version') if ver is None: raise Exception("Missing Sec-WebSocket-Version header"); # HyBi-07 report version 7 # HyBi-08 - HyBi-12 report version 8 # HyBi-13 reports version 13 if ver in ['7', '8', '13']: self.version = "hybi-%02d" % int(ver) else: raise Exception("Unsupported protocol version %s" % ver) key = headers.get('Sec-WebSocket-Key') if key is None: raise Exception("Missing Sec-WebSocket-Key header"); # Generate the hash value for the accept header accept = sha1((key + self.GUID).encode("ascii")).digest() accept = b64encode(accept).decode("ascii") self.protocol = '' protocols = headers.get('Sec-WebSocket-Protocol', '').split(',') if protocols: self.protocol = self.select_subprotocol(protocols) # We are required to choose one of the protocols # presented by the client if self.protocol not in protocols: raise Exception('Invalid protocol selected') self._queue_str("HTTP/1.1 101 Switching Protocols\r\n") self._queue_str("Upgrade: websocket\r\n") self._queue_str("Connection: Upgrade\r\n") self._queue_str("Sec-WebSocket-Accept: %s\r\n" % accept) if self.protocol: self._queue_str("Sec-WebSocket-Protocol: %s\r\n" % self.protocol) self._queue_str("\r\n") self._state = "flush" if self._state == "flush": self._flush() self._state = "done" return raise Exception("WebSocket is in an invalid state") def select_subprotocol(self, protocols): """Returns which sub-protocol should be used. This method does not select any sub-protocol by default and is meant to be overridden by an implementation that wishes to make use of sub-protocols. It will be called during handling of accept(). """ return "" def handle_ping(self, data): """Called when a WebSocket ping message is received. This will be called whilst processing recv()/recvmsg(). The default implementation sends a pong reply back.""" self.pong(data) def handle_pong(self, data): """Called when a WebSocket pong message is received. This will be called whilst processing recv()/recvmsg(). The default implementation does nothing.""" pass def recv(self): """Read data from the WebSocket. This will return any available data on the socket (which may be the empty string if the peer sent an empty message or messages). If the socket is closed then None will be returned. The reason for the close is found in the 'close_code' and 'close_reason' properties. Unlike recvmsg() this method may return data from more than one WebSocket message. It is however not guaranteed to return all buffered data. Callers should continue calling recv() whilst pending() returns True. Both WebSocketWantReadError and WebSocketWantWriteError can be raised when calling recv(). """ return self.recvmsg() def recvmsg(self): """Read a single message from the WebSocket. This will return a single WebSocket message from the socket (which will be the empty string if the peer sent an empty message). If the socket is closed then None will be returned. The reason for the close is found in the 'close_code' and 'close_reason' properties. Unlike recv() this method will not return data from more than one WebSocket message. Callers should continue calling recvmsg() whilst pending() returns True. Both WebSocketWantReadError and WebSocketWantWriteError can be raised when calling recvmsg(). """ # May have been called to flush out a close if self._received_close: self._flush() return None # Anything already queued? if self.pending(): return self._recvmsg() # Note: If self._recvmsg() raised WebSocketWantReadError, # we cannot proceed to self._recv() here as we may # have already called it once as part of the caller's # "while websock.pending():" loop # Nope, let's try to read a bit if not self._recv_frames(): return None # Anything queued now? return self._recvmsg() def pending(self): """Check if any WebSocket data is pending. This method will return True as long as there are WebSocket frames that have yet been processed. A single recv() from the underlying socket may return multiple WebSocket frames and it is therefore important that a caller continues calling recv() or recvmsg() as long as pending() returns True. Note that this function merely tells if there are raw WebSocket frames pending. Those frames may not contain any application data. """ return len(self._recv_queue) > 0 def send(self, bytes): """Write data to the WebSocket This will queue the given data and attempt to send it to the peer. Unlike sendmsg() this method might coalesce the data with data from other calls, or split it over multiple messages. WebSocketWantWriteError can be raised if there is insufficient space in the underlying socket. """ return self.sendmsg(bytes) def sendmsg(self, msg): """Write a single message to the WebSocket This will queue the given message and attempt to send it to the peer. Unlike send() this method will preserve the data as a single WebSocket message. WebSocketWantWriteError can be raised if there is insufficient space in the underlying socket. """ if not self._sent_close: # Only called to flush? if msg: self._sendmsg(0x2, msg) self._flush() return len(msg) def ping(self, data=''.encode('ascii')): """Write a ping message to the WebSocket.""" self._sendmsg(0x9, data) def pong(self, data=''.encode('ascii')): """Write a pong message to the WebSocket.""" self._sendmsg(0xA, data) def shutdown(self, how, code=1000, reason=None): """Gracefully terminate the WebSocket connection. This will start the process to terminate the WebSocket connection. The caller must continue to calling recv() or recvmsg() after this function in order to wait for the peer to acknowledge the close. Calls to send() and sendmsg() will be ignored. WebSocketWantWriteError can be raised if there is insufficient space in the underlying socket for the close message. The how argument is currently ignored. """ # Already closing? if self._sent_close: self._flush() return # Special code to indicate that we closed the connection if not self._received_close: self.close_code = 1000 self.close_reason = "Locally initiated close" self._sent_close = True msg = ''.encode('ascii') if code is not None: msg += struct.pack(">H", code) if reason is not None: msg += reason.encode("UTF-8") self._sendmsg(0x8, msg) def close(self, code=1000, reason=None): """Terminate the WebSocket connection immediately. This will close the WebSocket connection directly after sending a close message to the peer. WebSocketWantWriteError can be raised if there is insufficient space in the underlying socket for the close message. """ self.shutdown(socket.SHUT_RDWR, code, reason) self._close() def _recv(self): # Fetches more data from the socket to the buffer assert self.socket is not None while True: try: data = self.socket.recv(4096) except (socket.error, OSError): exc = sys.exc_info()[1] if hasattr(exc, 'errno'): err = exc.errno else: err = exc[0] if err == errno.EWOULDBLOCK: raise WebSocketWantReadError raise if len(data) == 0: return False self._recv_buffer += data # Support for SSLSocket like objects if hasattr(self.socket, "pending"): if not self.socket.pending(): break else: break return True def _recv_frames(self): # Fetches more data and decodes the frames if not self._recv(): if self.close_code is None: self.close_code = 1006 self.close_reason = "Connection closed abnormally" self._sent_close = self._received_close = True self._close() return False while True: frame = self._decode_hybi(self._recv_buffer) if frame is None: break self._recv_buffer = self._recv_buffer[frame['length']:] self._recv_queue.append(frame) return True def _recvmsg(self): # Process pending frames and returns any application data while self._recv_queue: frame = self._recv_queue.pop(0) if not self.client and not frame['masked']: self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Frame not masked") continue if self.client and frame['masked']: self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Frame masked") continue if frame["opcode"] == 0x0: if not self._partial_msg: self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Unexpected continuation frame") continue self._partial_msg += frame["payload"] if frame["fin"]: msg = self._partial_msg self._partial_msg = ''.decode("ascii") return msg elif frame["opcode"] == 0x1: self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Text frames are not supported") elif frame["opcode"] == 0x2: if self._partial_msg: self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Unexpected new frame") continue if frame["fin"]: return frame["payload"] else: self._partial_msg = frame["payload"] elif frame["opcode"] == 0x8: if self._received_close: continue self._received_close = True if self._sent_close: self._close() return None if not frame["fin"]: self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Fragmented close") continue code = None reason = None if len(frame["payload"]) >= 2: code = struct.unpack(">H", frame["payload"][:2])[0] if len(frame["payload"]) > 2: reason = frame["payload"][2:] try: reason = reason.decode("UTF-8") except UnicodeDecodeError: self.shutdown(socket.SHUT_RDWR, 1002, "Procotol error: Invalid UTF-8 in close") continue if code is None: self.close_code = code = 1005 self.close_reason = "No close status code specified by peer" else: self.close_code = code if reason is not None: self.close_reason = reason self.shutdown(None, code, reason) return None elif frame["opcode"] == 0x9: if not frame["fin"]: self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Fragmented ping") continue self.handle_ping(frame["payload"]) elif frame["opcode"] == 0xA: if not frame["fin"]: self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Fragmented pong") continue self.handle_pong(frame["payload"]) else: self.shutdown(socket.SHUT_RDWR, 1003, "Unsupported: Unknown opcode 0x%02x" % frame["opcode"]) raise WebSocketWantReadError def _flush(self): # Writes pending data to the socket if not self._send_buffer: return assert self.socket is not None try: sent = self.socket.send(self._send_buffer) except (socket.error, OSError): exc = sys.exc_info()[1] if hasattr(exc, 'errno'): err = exc.errno else: err = exc[0] if err == errno.EWOULDBLOCK: raise WebSocketWantWriteError raise self._send_buffer = self._send_buffer[sent:] if self._send_buffer: raise WebSocketWantWriteError # We had a pending close and we've flushed the buffer, # time to end things if self._received_close and self._sent_close: self._close() def _send(self, data): # Queues data and attempts to send it self._send_buffer += data self._flush() def _queue_str(self, string): # Queue some data to be sent later. # Only used by the connecting methods. self._send_buffer += string.encode("latin-1") def _sendmsg(self, opcode, msg): # Sends a standard data message if self.client: mask = '' for i in range(4): mask += chr(random.randrange(256)) if sys.hexversion >= 0x3000000: mask = bytes(mask, "latin-1") frame = self._encode_hybi(opcode, msg, mask) else: frame = self._encode_hybi(opcode, msg) return self._send(frame) def _close(self): # Close the underlying socket self.socket.close() self.socket = None def _mask(self, buf, mask): # Mask a frame return self._unmask(buf, mask) def _unmask(self, buf, mask): # Unmask a frame if numpy: plen = len(buf) pstart = 0 pend = plen b = c = ''.encode('ascii') if plen >= 4: dtype=numpy.dtype('') mask = numpy.frombuffer(mask, dtype, count=1) data = numpy.frombuffer(buf, dtype, count=int(plen / 4)) #b = numpy.bitwise_xor(data, mask).data b = numpy.bitwise_xor(data, mask).tostring() if plen % 4: dtype=numpy.dtype('B') if sys.byteorder == 'big': dtype = dtype.newbyteorder('>') mask = numpy.frombuffer(mask, dtype, count=(plen % 4)) data = numpy.frombuffer(buf, dtype, offset=plen - (plen % 4), count=(plen % 4)) c = numpy.bitwise_xor(data, mask).tostring() return b + c else: # Slower fallback if sys.hexversion < 0x3000000: mask = [ ord(c) for c in mask ] data = array.array('B') data.fromstring(buf) for i in range(len(data)): data[i] ^= mask[i % 4] return data.tostring() def _encode_hybi(self, opcode, buf, mask_key=None, fin=True): """ Encode a HyBi style WebSocket frame. Optional opcode: 0x0 - continuation 0x1 - text frame 0x2 - binary frame 0x8 - connection close 0x9 - ping 0xA - pong """ b1 = opcode & 0x0f if fin: b1 |= 0x80 mask_bit = 0 if mask_key is not None: mask_bit = 0x80 buf = self._mask(buf, mask_key) payload_len = len(buf) if payload_len <= 125: header = struct.pack('>BB', b1, payload_len | mask_bit) elif payload_len > 125 and payload_len < 65536: header = struct.pack('>BBH', b1, 126 | mask_bit, payload_len) elif payload_len >= 65536: header = struct.pack('>BBQ', b1, 127 | mask_bit, payload_len) if mask_key is not None: return header + mask_key + buf else: return header + buf def _decode_hybi(self, buf): """ Decode HyBi style WebSocket packets. Returns: {'fin' : boolean, 'opcode' : number, 'masked' : boolean, 'length' : encoded_length, 'payload' : decoded_buffer} """ f = {'fin' : 0, 'opcode' : 0, 'masked' : False, 'length' : 0, 'payload' : None} blen = len(buf) hlen = 2 if blen < hlen: return None b1, b2 = struct.unpack(">BB", buf[:2]) f['opcode'] = b1 & 0x0f f['fin'] = not not (b1 & 0x80) f['masked'] = not not (b2 & 0x80) if f['masked']: hlen += 4 if blen < hlen: return None length = b2 & 0x7f if length == 126: hlen += 2 if blen < hlen: return None length, = struct.unpack('>H', buf[2:4]) elif length == 127: hlen += 8 if blen < hlen: return None length, = struct.unpack('>Q', buf[2:10]) f['length'] = hlen + length if blen < f['length']: return None if f['masked']: # unmask payload mask_key = buf[hlen-4:hlen] f['payload'] = self._unmask(buf[hlen:(hlen+length)], mask_key) else: f['payload'] = buf[hlen:(hlen+length)] return f websockify-0.9.0/websockify/websocketproxy.py000066400000000000000000000722651352452255700215220ustar00rootroot00000000000000#!/usr/bin/env python ''' A WebSocket to TCP socket proxy with support for "wss://" encryption. Copyright 2011 Joel Martin Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) You can make a cert/key with openssl using: openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem as taken from http://docs.python.org/dev/library/ssl.html#certificates ''' import signal, socket, optparse, time, os, sys, subprocess, logging, errno, ssl try: from socketserver import ThreadingMixIn except ImportError: from SocketServer import ThreadingMixIn try: from http.server import HTTPServer except ImportError: from BaseHTTPServer import HTTPServer import select from websockify import websockifyserver from websockify import auth_plugins as auth try: from urllib.parse import parse_qs, urlparse except ImportError: from cgi import parse_qs from urlparse import urlparse class ProxyRequestHandler(websockifyserver.WebSockifyRequestHandler): buffer_size = 65536 traffic_legend = """ Traffic Legend: } - Client receive }. - Client receive partial { - Target receive > - Target send >. - Target send partial < - Client send <. - Client send partial """ def send_auth_error(self, ex): self.send_response(ex.code, ex.msg) self.send_header('Content-Type', 'text/html') for name, val in ex.headers.items(): self.send_header(name, val) self.end_headers() def validate_connection(self): if not self.server.token_plugin: return host, port = self.get_target(self.server.token_plugin) if host == 'unix_socket': self.server.unix_target = port else: self.server.target_host = host self.server.target_port = port def auth_connection(self): if not self.server.auth_plugin: return try: # get client certificate data client_cert_data = self.request.getpeercert() # extract subject information client_cert_subject = client_cert_data['subject'] # flatten data structure client_cert_subject = dict([x[0] for x in client_cert_subject]) # add common name to headers (apache +StdEnvVars style) self.headers['SSL_CLIENT_S_DN_CN'] = client_cert_subject['commonName'] except (TypeError, AttributeError, KeyError): # not a SSL connection or client presented no certificate with valid data pass try: self.server.auth_plugin.authenticate( headers=self.headers, target_host=self.server.target_host, target_port=self.server.target_port) except auth.AuthenticationError: ex = sys.exc_info()[1] self.send_auth_error(ex) raise def new_websocket_client(self): """ Called after a new WebSocket connection has been established. """ # Checking for a token is done in validate_connection() # Connect to the target if self.server.wrap_cmd: msg = "connecting to command: '%s' (port %s)" % (" ".join(self.server.wrap_cmd), self.server.target_port) elif self.server.unix_target: msg = "connecting to unix socket: %s" % self.server.unix_target else: msg = "connecting to: %s:%s" % ( self.server.target_host, self.server.target_port) if self.server.ssl_target: msg += " (using SSL)" self.log_message(msg) try: tsock = websockifyserver.WebSockifyServer.socket(self.server.target_host, self.server.target_port, connect=True, use_ssl=self.server.ssl_target, unix_socket=self.server.unix_target) except Exception: self.log_message("Failed to connect to %s:%s", self.server.target_host, self.server.target_port) raise self.CClose(1011, "Failed to connect to downstream server") self.request.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, 1) if not self.server.wrap_cmd and not self.server.unix_target: tsock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, 1) self.print_traffic(self.traffic_legend) # Start proxying try: self.do_proxy(tsock) finally: if tsock: tsock.shutdown(socket.SHUT_RDWR) tsock.close() if self.verbose: self.log_message("%s:%s: Closed target", self.server.target_host, self.server.target_port) def get_target(self, target_plugin): """ Gets a token from either the path or the host, depending on --host-token, and looks up a target for that token using the token plugin. Used by validate_connection() to set target_host and target_port. """ # The files in targets contain the lines # in the form of token: host:port if self.host_token: # Use hostname as token token = self.headers.get('Host') # Remove port from hostname, as it'll always be the one where # websockify listens (unless something between the client and # websockify is redirecting traffic, but that's beside the point) if token: token = token.partition(':')[0] else: # Extract the token parameter from url args = parse_qs(urlparse(self.path)[4]) # 4 is the query from url if 'token' in args and len(args['token']): token = args['token'][0].rstrip('\n') else: token = None if token is None: raise self.server.EClose("Token not present") result_pair = target_plugin.lookup(token) if result_pair is not None: return result_pair else: raise self.server.EClose("Token '%s' not found" % token) def do_proxy(self, target): """ Proxy client WebSocket to normal target socket. """ cqueue = [] c_pend = 0 tqueue = [] rlist = [self.request, target] if self.server.heartbeat: now = time.time() self.heartbeat = now + self.server.heartbeat else: self.heartbeat = None while True: wlist = [] if self.heartbeat is not None: now = time.time() if now > self.heartbeat: self.heartbeat = now + self.server.heartbeat self.send_ping() if tqueue: wlist.append(target) if cqueue or c_pend: wlist.append(self.request) try: ins, outs, excepts = select.select(rlist, wlist, [], 1) except (select.error, OSError): exc = sys.exc_info()[1] if hasattr(exc, 'errno'): err = exc.errno else: err = exc[0] if err != errno.EINTR: raise else: continue if excepts: raise Exception("Socket exception") if self.request in outs: # Send queued target data to the client c_pend = self.send_frames(cqueue) cqueue = [] if self.request in ins: # Receive client data, decode it, and queue for target bufs, closed = self.recv_frames() tqueue.extend(bufs) if closed: # TODO: What about blocking on client socket? if self.verbose: self.log_message("%s:%s: Client closed connection", self.server.target_host, self.server.target_port) raise self.CClose(closed['code'], closed['reason']) if target in outs: # Send queued client data to the target dat = tqueue.pop(0) sent = target.send(dat) if sent == len(dat): self.print_traffic(">") else: # requeue the remaining data tqueue.insert(0, dat[sent:]) self.print_traffic(".>") if target in ins: # Receive target data, encode it and queue for client buf = target.recv(self.buffer_size) if len(buf) == 0: if self.verbose: self.log_message("%s:%s: Target closed connection", self.server.target_host, self.server.target_port) raise self.CClose(1000, "Target closed") cqueue.append(buf) self.print_traffic("{") class WebSocketProxy(websockifyserver.WebSockifyServer): """ Proxy traffic to and from a WebSockets client to a normal TCP socket server target. """ buffer_size = 65536 def __init__(self, RequestHandlerClass=ProxyRequestHandler, *args, **kwargs): # Save off proxy specific options self.target_host = kwargs.pop('target_host', None) self.target_port = kwargs.pop('target_port', None) self.wrap_cmd = kwargs.pop('wrap_cmd', None) self.wrap_mode = kwargs.pop('wrap_mode', None) self.unix_target = kwargs.pop('unix_target', None) self.ssl_target = kwargs.pop('ssl_target', None) self.heartbeat = kwargs.pop('heartbeat', None) self.token_plugin = kwargs.pop('token_plugin', None) self.host_token = kwargs.pop('host_token', None) self.auth_plugin = kwargs.pop('auth_plugin', None) # Last 3 timestamps command was run self.wrap_times = [0, 0, 0] if self.wrap_cmd: wsdir = os.path.dirname(sys.argv[0]) rebinder_path = [os.path.join(wsdir, "..", "lib"), os.path.join(wsdir, "..", "lib", "websockify"), wsdir] self.rebinder = None for rdir in rebinder_path: rpath = os.path.join(rdir, "rebind.so") if os.path.exists(rpath): self.rebinder = rpath break if not self.rebinder: raise Exception("rebind.so not found, perhaps you need to run make") self.rebinder = os.path.abspath(self.rebinder) self.target_host = "127.0.0.1" # Loopback # Find a free high port sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.bind(('', 0)) self.target_port = sock.getsockname()[1] sock.close() os.environ.update({ "LD_PRELOAD": self.rebinder, "REBIND_OLD_PORT": str(kwargs['listen_port']), "REBIND_NEW_PORT": str(self.target_port)}) websockifyserver.WebSockifyServer.__init__(self, RequestHandlerClass, *args, **kwargs) def run_wrap_cmd(self): self.msg("Starting '%s'", " ".join(self.wrap_cmd)) self.wrap_times.append(time.time()) self.wrap_times.pop(0) self.cmd = subprocess.Popen( self.wrap_cmd, env=os.environ, preexec_fn=_subprocess_setup) self.spawn_message = True def started(self): """ Called after Websockets server startup (i.e. after daemonize) """ # Need to call wrapped command after daemonization so we can # know when the wrapped command exits if self.wrap_cmd: dst_string = "'%s' (port %s)" % (" ".join(self.wrap_cmd), self.target_port) elif self.unix_target: dst_string = self.unix_target else: dst_string = "%s:%s" % (self.target_host, self.target_port) if self.listen_fd != None: src_string = "inetd" else: src_string = "%s:%s" % (self.listen_host, self.listen_port) if self.token_plugin: msg = " - proxying from %s to targets generated by %s" % ( src_string, type(self.token_plugin).__name__) else: msg = " - proxying from %s to %s" % ( src_string, dst_string) if self.ssl_target: msg += " (using SSL)" self.msg("%s", msg) if self.wrap_cmd: self.run_wrap_cmd() def poll(self): # If we are wrapping a command, check it's status if self.wrap_cmd and self.cmd: ret = self.cmd.poll() if ret != None: self.vmsg("Wrapped command exited (or daemon). Returned %s" % ret) self.cmd = None if self.wrap_cmd and self.cmd == None: # Response to wrapped command being gone if self.wrap_mode == "ignore": pass elif self.wrap_mode == "exit": sys.exit(ret) elif self.wrap_mode == "respawn": now = time.time() avg = sum(self.wrap_times)/len(self.wrap_times) if (now - avg) < 10: # 3 times in the last 10 seconds if self.spawn_message: self.warn("Command respawning too fast") self.spawn_message = False else: self.run_wrap_cmd() def _subprocess_setup(): # Python installs a SIGPIPE handler by default. This is usually not what # non-Python successfulbprocesses expect. signal.signal(signal.SIGPIPE, signal.SIG_DFL) try : # First try SSL options for Python 3.4 and above SSL_OPTIONS = { 'default': ssl.OP_ALL, 'tlsv1_1': ssl.PROTOCOL_TLS | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1, 'tlsv1_2': ssl.PROTOCOL_TLS | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1, 'tlsv1_3': ssl.PROTOCOL_TLS | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2, } except AttributeError: try: # Python 3.3 uses a different scheme for SSL options # tlsv1_3 is not supported on older Python versions SSL_OPTIONS = { 'default': ssl.OP_ALL, 'tlsv1_1': ssl.PROTOCOL_TLSv1 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1, 'tlsv1_2': ssl.PROTOCOL_TLSv1 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1, } except AttributeError: # Python 2.6 does not support TLS v1.2, and uses a different scheme # for SSL options SSL_OPTIONS = { 'default': ssl.PROTOCOL_SSLv23, 'tlsv1_1': ssl.PROTOCOL_TLSv1, } def select_ssl_version(version): """Returns SSL options for the most secure TSL version available on this Python version""" if version in SSL_OPTIONS: return SSL_OPTIONS[version] else: # It so happens that version names sorted lexicographically form a list # from the least to the most secure keys = list(SSL_OPTIONS.keys()) keys.sort() fallback = keys[-1] logger = logging.getLogger(WebSocketProxy.log_prefix) logger.warn("TLS version %s unsupported. Falling back to %s", version, fallback) return SSL_OPTIONS[fallback] def websockify_init(): # Setup basic logging to stderr. logger = logging.getLogger(WebSocketProxy.log_prefix) logger.propagate = False logger.setLevel(logging.INFO) stderr_handler = logging.StreamHandler() stderr_handler.setLevel(logging.DEBUG) log_formatter = logging.Formatter("%(message)s") stderr_handler.setFormatter(log_formatter) logger.addHandler(stderr_handler) # Setup optparse. usage = "\n %prog [options]" usage += " [source_addr:]source_port [target_addr:target_port]" usage += "\n %prog [options]" usage += " [source_addr:]source_port -- WRAP_COMMAND_LINE" parser = optparse.OptionParser(usage=usage) parser.add_option("--verbose", "-v", action="store_true", help="verbose messages") parser.add_option("--traffic", action="store_true", help="per frame traffic") parser.add_option("--record", help="record sessions to FILE.[session_number]", metavar="FILE") parser.add_option("--daemon", "-D", dest="daemon", action="store_true", help="become a daemon (background process)") parser.add_option("--run-once", action="store_true", help="handle a single WebSocket connection and exit") parser.add_option("--timeout", type=int, default=0, help="after TIMEOUT seconds exit when not connected") parser.add_option("--idle-timeout", type=int, default=0, help="server exits after TIMEOUT seconds if there are no " "active connections") parser.add_option("--cert", default="self.pem", help="SSL certificate file") parser.add_option("--key", default=None, help="SSL key file (if separate from cert)") parser.add_option("--key-password", default=None, help="SSL key password") parser.add_option("--ssl-only", action="store_true", help="disallow non-encrypted client connections") parser.add_option("--ssl-target", action="store_true", help="connect to SSL target as SSL client") parser.add_option("--verify-client", action="store_true", help="require encrypted client to present a valid certificate " "(needs Python 2.7.9 or newer or Python 3.4 or newer)") parser.add_option("--cafile", metavar="FILE", help="file of concatenated certificates of authorities trusted " "for validating clients (only effective with --verify-client). " "If omitted, system default list of CAs is used.") parser.add_option("--ssl-version", type="choice", default="default", choices=["default", "tlsv1_1", "tlsv1_2", "tlsv1_3"], action="store", help="minimum TLS version to use (default, tlsv1_1, tlsv1_2, tlsv1_3)") parser.add_option("--ssl-ciphers", action="store", help="list of ciphers allowed for connection. For a list of " "supported ciphers run `openssl ciphers`") parser.add_option("--unix-target", help="connect to unix socket target", metavar="FILE") parser.add_option("--inetd", help="inetd mode, receive listening socket from stdin", action="store_true") parser.add_option("--web", default=None, metavar="DIR", help="run webserver on same port. Serve files from DIR.") parser.add_option("--web-auth", action="store_true", help="require authentication to access webserver.") parser.add_option("--wrap-mode", default="exit", metavar="MODE", choices=["exit", "ignore", "respawn"], help="action to take when the wrapped program exits " "or daemonizes: exit (default), ignore, respawn") parser.add_option("--prefer-ipv6", "-6", action="store_true", dest="source_is_ipv6", help="prefer IPv6 when resolving source_addr") parser.add_option("--libserver", action="store_true", help="use Python library SocketServer engine") parser.add_option("--target-config", metavar="FILE", dest="target_cfg", help="Configuration file containing valid targets " "in the form 'token: host:port' or, alternatively, a " "directory containing configuration files of this form " "(DEPRECATED: use `--token-plugin TokenFile --token-source " " path/to/token/file` instead)") parser.add_option("--token-plugin", default=None, metavar="CLASS", help="use a Python class, usually one from websockify.token_plugins, " "such as TokenFile, to process tokens into host:port pairs") parser.add_option("--token-source", default=None, metavar="ARG", help="an argument to be passed to the token plugin " "on instantiation") parser.add_option("--host-token", action="store_true", help="use the host HTTP header as token instead of the " "token URL query parameter") parser.add_option("--auth-plugin", default=None, metavar="CLASS", help="use a Python class, usually one from websockify.auth_plugins, " "such as BasicHTTPAuth, to determine if a connection is allowed") parser.add_option("--auth-source", default=None, metavar="ARG", help="an argument to be passed to the auth plugin " "on instantiation") parser.add_option("--heartbeat", type=int, default=0, metavar="INTERVAL", help="send a ping to the client every INTERVAL seconds") parser.add_option("--log-file", metavar="FILE", dest="log_file", help="File where logs will be saved") parser.add_option("--syslog", default=None, metavar="SERVER", help="Log to syslog server. SERVER can be local socket, " "such as /dev/log, or a UDP host:port pair.") parser.add_option("--legacy-syslog", action="store_true", help="Use the old syslog protocol instead of RFC 5424. " "Use this if the messages produced by websockify seem abnormal.") (opts, args) = parser.parse_args() # Validate options. if opts.token_source and not opts.token_plugin: parser.error("You must use --token-plugin to use --token-source") if opts.host_token and not opts.token_plugin: parser.error("You must use --token-plugin to use --host-token") if opts.auth_source and not opts.auth_plugin: parser.error("You must use --auth-plugin to use --auth-source") if opts.web_auth and not opts.auth_plugin: parser.error("You must use --auth-plugin to use --web-auth") if opts.web_auth and not opts.web: parser.error("You must use --web to use --web-auth") if opts.legacy_syslog and not opts.syslog: parser.error("You must use --syslog to use --legacy-syslog") opts.ssl_options = select_ssl_version(opts.ssl_version) del opts.ssl_version if opts.log_file: # Setup logging to user-specified file. opts.log_file = os.path.abspath(opts.log_file) log_file_handler = logging.FileHandler(opts.log_file) log_file_handler.setLevel(logging.DEBUG) log_file_handler.setFormatter(log_formatter) logger.addHandler(log_file_handler) del opts.log_file if opts.syslog: # Determine how to connect to syslog... if opts.syslog.count(':'): # User supplied a host:port pair. syslog_host, syslog_port = opts.syslog.rsplit(':', 1) try: syslog_port = int(syslog_port) except ValueError: parser.error("Error parsing syslog port") syslog_dest = (syslog_host, syslog_port) else: # User supplied a local socket file. syslog_dest = os.path.abspath(opts.syslog) from websockify.sysloghandler import WebsockifySysLogHandler # Determine syslog facility. if opts.daemon: syslog_facility = WebsockifySysLogHandler.LOG_DAEMON else: syslog_facility = WebsockifySysLogHandler.LOG_USER # Start logging to syslog. syslog_handler = WebsockifySysLogHandler(address=syslog_dest, facility=syslog_facility, ident='websockify', legacy=opts.legacy_syslog) syslog_handler.setLevel(logging.DEBUG) syslog_handler.setFormatter(log_formatter) logger.addHandler(syslog_handler) del opts.syslog del opts.legacy_syslog if opts.verbose: logger.setLevel(logging.DEBUG) # Transform to absolute path as daemon may chdir if opts.target_cfg: opts.target_cfg = os.path.abspath(opts.target_cfg) if opts.target_cfg: opts.token_plugin = 'TokenFile' opts.token_source = opts.target_cfg del opts.target_cfg if sys.argv.count('--'): opts.wrap_cmd = args[1:] else: opts.wrap_cmd = None if not websockifyserver.ssl and opts.ssl_target: parser.error("SSL target requested and Python SSL module not loaded."); if opts.ssl_only and not os.path.exists(opts.cert): parser.error("SSL only and %s not found" % opts.cert) if opts.inetd: opts.listen_fd = sys.stdin.fileno() else: if len(args) < 1: parser.error("Too few arguments") arg = args.pop(0) # Parse host:port and convert ports to numbers if arg.count(':') > 0: opts.listen_host, opts.listen_port = arg.rsplit(':', 1) opts.listen_host = opts.listen_host.strip('[]') else: opts.listen_host, opts.listen_port = '', arg try: opts.listen_port = int(opts.listen_port) except ValueError: parser.error("Error parsing listen port") del opts.inetd if opts.wrap_cmd or opts.unix_target or opts.token_plugin: opts.target_host = None opts.target_port = None else: if len(args) < 1: parser.error("Too few arguments") arg = args.pop(0) if arg.count(':') > 0: opts.target_host, opts.target_port = arg.rsplit(':', 1) opts.target_host = opts.target_host.strip('[]') else: parser.error("Error parsing target") try: opts.target_port = int(opts.target_port) except ValueError: parser.error("Error parsing target port") if len(args) > 0 and opts.wrap_cmd == None: parser.error("Too many arguments") if opts.token_plugin is not None: if '.' not in opts.token_plugin: opts.token_plugin = ( 'websockify.token_plugins.%s' % opts.token_plugin) token_plugin_module, token_plugin_cls = opts.token_plugin.rsplit('.', 1) __import__(token_plugin_module) token_plugin_cls = getattr(sys.modules[token_plugin_module], token_plugin_cls) opts.token_plugin = token_plugin_cls(opts.token_source) del opts.token_source if opts.auth_plugin is not None: if '.' not in opts.auth_plugin: opts.auth_plugin = 'websockify.auth_plugins.%s' % opts.auth_plugin auth_plugin_module, auth_plugin_cls = opts.auth_plugin.rsplit('.', 1) __import__(auth_plugin_module) auth_plugin_cls = getattr(sys.modules[auth_plugin_module], auth_plugin_cls) opts.auth_plugin = auth_plugin_cls(opts.auth_source) del opts.auth_source # Create and start the WebSockets proxy libserver = opts.libserver del opts.libserver if libserver: # Use standard Python SocketServer framework server = LibProxyServer(**opts.__dict__) server.serve_forever() else: # Use internal service framework server = WebSocketProxy(**opts.__dict__) server.start_server() class LibProxyServer(ThreadingMixIn, HTTPServer): """ Just like WebSocketProxy, but uses standard Python SocketServer framework. """ def __init__(self, RequestHandlerClass=ProxyRequestHandler, **kwargs): # Save off proxy specific options self.target_host = kwargs.pop('target_host', None) self.target_port = kwargs.pop('target_port', None) self.wrap_cmd = kwargs.pop('wrap_cmd', None) self.wrap_mode = kwargs.pop('wrap_mode', None) self.unix_target = kwargs.pop('unix_target', None) self.ssl_target = kwargs.pop('ssl_target', None) self.token_plugin = kwargs.pop('token_plugin', None) self.auth_plugin = kwargs.pop('auth_plugin', None) self.heartbeat = kwargs.pop('heartbeat', None) self.token_plugin = None self.auth_plugin = None self.daemon = False # Server configuration listen_host = kwargs.pop('listen_host', '') listen_port = kwargs.pop('listen_port', None) web = kwargs.pop('web', '') # Configuration affecting base request handler self.only_upgrade = not web self.verbose = kwargs.pop('verbose', False) record = kwargs.pop('record', '') if record: self.record = os.path.abspath(record) self.run_once = kwargs.pop('run_once', False) self.handler_id = 0 for arg in kwargs.keys(): print("warning: option %s ignored when using --libserver" % arg) if web: os.chdir(web) HTTPServer.__init__(self, (listen_host, listen_port), RequestHandlerClass) def process_request(self, request, client_address): """Override process_request to implement a counter""" self.handler_id += 1 ThreadingMixIn.process_request(self, request, client_address) if __name__ == '__main__': websockify_init() websockify-0.9.0/websockify/websocketserver.py000066400000000000000000000064321352452255700216400ustar00rootroot00000000000000#!/usr/bin/env python ''' Python WebSocket server base Copyright 2011 Joel Martin Copyright 2016-2018 Pierre Ossman Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) ''' import sys # python 3.0 differences try: from http.server import BaseHTTPRequestHandler, HTTPServer except ImportError: from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer from websockify.websocket import WebSocket, WebSocketWantReadError, WebSocketWantWriteError class WebSocketRequestHandlerMixIn: """WebSocket request handler mix-in class This class modifies and existing request handler to handle WebSocket requests. The request handler will continue to function as before, except that WebSocket requests are intercepted and the methods handle_upgrade() and handle_websocket() are called. The standard do_GET() will be called for normal requests. The class instance SocketClass can be overridden with the class to use for the WebSocket connection. """ SocketClass = WebSocket def handle_one_request(self): """Extended request handler This is where WebSocketRequestHandler redirects requests to the new methods. Any sub-classes must call this method in order for the calls to function. """ self._real_do_GET = self.do_GET self.do_GET = self._websocket_do_GET try: # super() only works for new style classes if issubclass(WebSocketRequestHandlerMixIn, object): super(WebSocketRequestHandlerMixIn, self).handle_one_request() else: # Assume handle_one_request() hasn't been overriden BaseHTTPRequestHandler.handle_one_request(self) finally: self.do_GET = self._real_do_GET def _websocket_do_GET(self): # Checks if it is a websocket request and redirects self.do_GET = self._real_do_GET if (self.headers.get('upgrade') and self.headers.get('upgrade').lower() == 'websocket'): self.handle_upgrade() else: self.do_GET() def handle_upgrade(self): """Initial handler for a WebSocket request This method is called when a WebSocket is requested. By default it will create a WebSocket object and perform the negotiation. The WebSocket object will then replace the request object and handle_websocket() will be called. """ websocket = self.SocketClass() try: websocket.accept(self.request, self.headers) except Exception: exc = sys.exc_info()[1] self.send_error(400, str(exc)) return self.log_request(101) self.request = websocket # Other requests cannot follow Websocket data self.close_connection = True self.handle_websocket() def handle_websocket(self): """Handle a WebSocket connection. This is called when the WebSocket is ready to be used. A sub-class should perform the necessary communication here and return once done. """ pass # Convenient ready made classes class WebSocketRequestHandler(WebSocketRequestHandlerMixIn, BaseHTTPRequestHandler): pass class WebSocketServer(HTTPServer): pass websockify-0.9.0/websockify/websockifyserver.py000066400000000000000000000770271352452255700220270ustar00rootroot00000000000000#!/usr/bin/env python ''' Python WebSocket server base with support for "wss://" encryption. Copyright 2011 Joel Martin Copyright 2016 Pierre Ossman Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) You can make a cert/key with openssl using: openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem as taken from http://docs.python.org/dev/library/ssl.html#certificates ''' import os, sys, time, errno, signal, socket, select, logging import multiprocessing # Imports that vary by python version # python 3.0 differences if sys.hexversion > 0x3000000: s2b = lambda s: s.encode('latin_1') else: s2b = lambda s: s # No-op try: from http.server import SimpleHTTPRequestHandler except ImportError: from SimpleHTTPServer import SimpleHTTPRequestHandler # Degraded functionality if these imports are missing for mod, msg in [('ssl', 'TLS/SSL/wss is disabled'), ('resource', 'daemonizing is disabled')]: try: globals()[mod] = __import__(mod) except ImportError: globals()[mod] = None print("WARNING: no '%s' module, %s" % (mod, msg)) if sys.platform == 'win32': # make sockets pickle-able/inheritable import multiprocessing.reduction from websockify.websocket import WebSocket, WebSocketWantReadError, WebSocketWantWriteError from websockify.websocketserver import WebSocketRequestHandlerMixIn class CompatibleWebSocket(WebSocket): def select_subprotocol(self, protocols): # Handle old websockify clients that still specifiy a sub-protocol if 'binary' in protocols: return 'binary' else: return '' # HTTP handler with WebSocket upgrade support class WebSockifyRequestHandler(WebSocketRequestHandlerMixIn, SimpleHTTPRequestHandler): """ WebSocket Request Handler Class, derived from SimpleHTTPRequestHandler. Must be sub-classed with new_websocket_client method definition. The request handler can be configured by setting optional attributes on the server object: * only_upgrade: If true, SimpleHTTPRequestHandler will not be enabled, only websocket is allowed. * verbose: If true, verbose logging is activated. * daemon: Running as daemon, do not write to console etc * record: Record raw frame data as JavaScript array into specified filename * run_once: Handle a single request * handler_id: A sequence number for this connection, appended to record filename """ server_version = "WebSockify" protocol_version = "HTTP/1.1" SocketClass = CompatibleWebSocket # An exception while the WebSocket client was connected class CClose(Exception): pass def __init__(self, req, addr, server): # Retrieve a few configuration variables from the server self.only_upgrade = getattr(server, "only_upgrade", False) self.verbose = getattr(server, "verbose", False) self.daemon = getattr(server, "daemon", False) self.record = getattr(server, "record", False) self.run_once = getattr(server, "run_once", False) self.rec = None self.handler_id = getattr(server, "handler_id", False) self.file_only = getattr(server, "file_only", False) self.traffic = getattr(server, "traffic", False) self.web_auth = getattr(server, "web_auth", False) self.host_token = getattr(server, "host_token", False) self.logger = getattr(server, "logger", None) if self.logger is None: self.logger = WebSockifyServer.get_logger() SimpleHTTPRequestHandler.__init__(self, req, addr, server) def log_message(self, format, *args): self.logger.info("%s - - [%s] %s" % (self.client_address[0], self.log_date_time_string(), format % args)) # # WebSocketRequestHandler logging/output functions # def print_traffic(self, token="."): """ Show traffic flow mode. """ if self.traffic: sys.stdout.write(token) sys.stdout.flush() def msg(self, msg, *args, **kwargs): """ Output message with handler_id prefix. """ prefix = "% 3d: " % self.handler_id self.logger.log(logging.INFO, "%s%s" % (prefix, msg), *args, **kwargs) def vmsg(self, msg, *args, **kwargs): """ Same as msg() but as debug. """ prefix = "% 3d: " % self.handler_id self.logger.log(logging.DEBUG, "%s%s" % (prefix, msg), *args, **kwargs) def warn(self, msg, *args, **kwargs): """ Same as msg() but as warning. """ prefix = "% 3d: " % self.handler_id self.logger.log(logging.WARN, "%s%s" % (prefix, msg), *args, **kwargs) # # Main WebSocketRequestHandler methods # def send_frames(self, bufs=None): """ Encode and send WebSocket frames. Any frames already queued will be sent first. If buf is not set then only queued frames will be sent. Returns True if any frames could not be fully sent, in which case the caller should call again when the socket is ready. """ tdelta = int(time.time()*1000) - self.start_time if bufs: for buf in bufs: if self.rec: # Python 3 compatible conversion bufstr = buf.decode('latin1').encode('unicode_escape').decode('ascii').replace("'", "\\'") self.rec.write("'{{{0}{{{1}',\n".format(tdelta, bufstr)) self.send_parts.append(buf) # Flush any previously queued data try: self.request.sendmsg('') except WebSocketWantWriteError: return True while self.send_parts: # Send pending frames buf = self.send_parts.pop(0) try: self.request.sendmsg(buf) except WebSocketWantWriteError: self.print_traffic("<.") return True self.print_traffic("<") return False def recv_frames(self): """ Receive and decode WebSocket frames. Returns: (bufs_list, closed_string) """ closed = False bufs = [] tdelta = int(time.time()*1000) - self.start_time while True: try: buf = self.request.recvmsg() except WebSocketWantReadError: self.print_traffic("}.") break if buf is None: closed = {'code': self.request.close_code, 'reason': self.request.close_reason} return bufs, closed self.print_traffic("}") if self.rec: # Python 3 compatible conversion bufstr = buf.decode('latin1').encode('unicode_escape').decode('ascii').replace("'", "\\'") self.rec.write("'}}{0}}}{1}',\n".format(tdelta, bufstr)) bufs.append(buf) if not self.request.pending(): break return bufs, closed def send_close(self, code=1000, reason=''): """ Send a WebSocket orderly close frame. """ self.request.shutdown(socket.SHUT_RDWR, code, reason) def send_pong(self, data=''.encode('ascii')): """ Send a WebSocket pong frame. """ self.request.pong(data) def send_ping(self, data=''.encode('ascii')): """ Send a WebSocket ping frame. """ self.request.ping(data) def handle_upgrade(self): # ensure connection is authorized, and determine the target self.validate_connection() self.auth_connection() WebSocketRequestHandlerMixIn.handle_upgrade(self) def handle_websocket(self): # Indicate to server that a Websocket upgrade was done self.server.ws_connection = True # Initialize per client settings self.send_parts = [] self.recv_part = None self.start_time = int(time.time()*1000) # client_address is empty with, say, UNIX domain sockets client_addr = "" is_ssl = False try: client_addr = self.client_address[0] is_ssl = self.client_address[2] except IndexError: pass if is_ssl: self.stype = "SSL/TLS (wss://)" else: self.stype = "Plain non-SSL (ws://)" self.log_message("%s: %s WebSocket connection", client_addr, self.stype) if self.path != '/': self.log_message("%s: Path: '%s'", client_addr, self.path) if self.record: # Record raw frame data as JavaScript array fname = "%s.%s" % (self.record, self.handler_id) self.log_message("opening record file: %s", fname) self.rec = open(fname, 'w+') self.rec.write("var VNC_frame_data = [\n") try: self.new_websocket_client() except self.CClose: # Close the client _, exc, _ = sys.exc_info() self.send_close(exc.args[0], exc.args[1]) def do_GET(self): if self.web_auth: # ensure connection is authorized, this seems to apply to list_directory() as well self.auth_connection() if self.only_upgrade: self.send_error(405, "Method Not Allowed") else: SimpleHTTPRequestHandler.do_GET(self) def list_directory(self, path): if self.file_only: self.send_error(404, "No such file") else: return SimpleHTTPRequestHandler.list_directory(self, path) def new_websocket_client(self): """ Do something with a WebSockets client connection. """ raise Exception("WebSocketRequestHandler.new_websocket_client() must be overloaded") def validate_connection(self): """ Ensure that the connection has a valid token, and set the target. """ pass def auth_connection(self): """ Ensure that the connection is authorized. """ pass def do_HEAD(self): if self.web_auth: self.auth_connection() if self.only_upgrade: self.send_error(405, "Method Not Allowed") else: SimpleHTTPRequestHandler.do_HEAD(self) def finish(self): if self.rec: self.rec.write("'EOF'];\n") self.rec.close() SimpleHTTPRequestHandler.finish(self) def handle(self): # When using run_once, we have a single process, so # we cannot loop in BaseHTTPRequestHandler.handle; we # must return and handle new connections if self.run_once: self.handle_one_request() else: SimpleHTTPRequestHandler.handle(self) def log_request(self, code='-', size='-'): if self.verbose: SimpleHTTPRequestHandler.log_request(self, code, size) class WebSockifyServer(object): """ WebSockets server class. As an alternative, the standard library SocketServer can be used """ policy_response = """\n""" log_prefix = "websocket" # An exception before the WebSocket connection was established class EClose(Exception): pass class Terminate(Exception): pass def __init__(self, RequestHandlerClass, listen_fd=None, listen_host='', listen_port=None, source_is_ipv6=False, verbose=False, cert='', key='', key_password=None, ssl_only=None, verify_client=False, cafile=None, daemon=False, record='', web='', web_auth=False, file_only=False, run_once=False, timeout=0, idle_timeout=0, traffic=False, tcp_keepalive=True, tcp_keepcnt=None, tcp_keepidle=None, tcp_keepintvl=None, ssl_ciphers=None, ssl_options=0): # settings self.RequestHandlerClass = RequestHandlerClass self.verbose = verbose self.listen_fd = listen_fd self.listen_host = listen_host self.listen_port = listen_port self.prefer_ipv6 = source_is_ipv6 self.ssl_only = ssl_only self.ssl_ciphers = ssl_ciphers self.ssl_options = ssl_options self.verify_client = verify_client self.daemon = daemon self.run_once = run_once self.timeout = timeout self.idle_timeout = idle_timeout self.traffic = traffic self.file_only = file_only self.web_auth = web_auth self.launch_time = time.time() self.ws_connection = False self.handler_id = 1 self.terminating = False self.logger = self.get_logger() self.tcp_keepalive = tcp_keepalive self.tcp_keepcnt = tcp_keepcnt self.tcp_keepidle = tcp_keepidle self.tcp_keepintvl = tcp_keepintvl # keyfile path must be None if not specified self.key = None self.key_password = key_password # Make paths settings absolute self.cert = os.path.abspath(cert) self.web = self.record = self.cafile = '' if key: self.key = os.path.abspath(key) if web: self.web = os.path.abspath(web) if record: self.record = os.path.abspath(record) if cafile: self.cafile = os.path.abspath(cafile) if self.web: os.chdir(self.web) self.only_upgrade = not self.web # Sanity checks if not ssl and self.ssl_only: raise Exception("No 'ssl' module and SSL-only specified") if self.daemon and not resource: raise Exception("Module 'resource' required to daemonize") # Show configuration self.msg("WebSocket server settings:") if self.listen_fd != None: self.msg(" - Listen for inetd connections") else: self.msg(" - Listen on %s:%s", self.listen_host, self.listen_port) if self.web: if self.file_only: self.msg(" - Web server (no directory listings). Web root: %s", self.web) else: self.msg(" - Web server. Web root: %s", self.web) if ssl: if os.path.exists(self.cert): self.msg(" - SSL/TLS support") if self.ssl_only: self.msg(" - Deny non-SSL/TLS connections") else: self.msg(" - No SSL/TLS support (no cert file)") else: self.msg(" - No SSL/TLS support (no 'ssl' module)") if self.daemon: self.msg(" - Backgrounding (daemon)") if self.record: self.msg(" - Recording to '%s.*'", self.record) # # WebSockifyServer static methods # @staticmethod def get_logger(): return logging.getLogger("%s.%s" % ( WebSockifyServer.log_prefix, WebSockifyServer.__class__.__name__)) @staticmethod def socket(host, port=None, connect=False, prefer_ipv6=False, unix_socket=None, use_ssl=False, tcp_keepalive=True, tcp_keepcnt=None, tcp_keepidle=None, tcp_keepintvl=None): """ Resolve a host (and optional port) to an IPv4 or IPv6 address. Create a socket. Bind to it if listen is set, otherwise connect to it. Return the socket. """ flags = 0 if host == '': host = None if connect and not (port or unix_socket): raise Exception("Connect mode requires a port") if use_ssl and not ssl: raise Exception("SSL socket requested but Python SSL module not loaded."); if not connect and use_ssl: raise Exception("SSL only supported in connect mode (for now)") if not connect: flags = flags | socket.AI_PASSIVE if not unix_socket: addrs = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM, socket.IPPROTO_TCP, flags) if not addrs: raise Exception("Could not resolve host '%s'" % host) addrs.sort(key=lambda x: x[0]) if prefer_ipv6: addrs.reverse() sock = socket.socket(addrs[0][0], addrs[0][1]) if tcp_keepalive: sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1) if tcp_keepcnt: sock.setsockopt(socket.SOL_TCP, socket.TCP_KEEPCNT, tcp_keepcnt) if tcp_keepidle: sock.setsockopt(socket.SOL_TCP, socket.TCP_KEEPIDLE, tcp_keepidle) if tcp_keepintvl: sock.setsockopt(socket.SOL_TCP, socket.TCP_KEEPINTVL, tcp_keepintvl) if connect: sock.connect(addrs[0][4]) if use_ssl: sock = ssl.wrap_socket(sock) else: sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.bind(addrs[0][4]) sock.listen(100) else: sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock.connect(unix_socket) return sock @staticmethod def daemonize(keepfd=None, chdir='/'): if keepfd is None: keepfd = [] os.umask(0) if chdir: os.chdir(chdir) else: os.chdir('/') os.setgid(os.getgid()) # relinquish elevations os.setuid(os.getuid()) # relinquish elevations # Double fork to daemonize if os.fork() > 0: os._exit(0) # Parent exits os.setsid() # Obtain new process group if os.fork() > 0: os._exit(0) # Parent exits # Signal handling signal.signal(signal.SIGTERM, signal.SIG_IGN) signal.signal(signal.SIGINT, signal.SIG_IGN) # Close open files maxfd = resource.getrlimit(resource.RLIMIT_NOFILE)[1] if maxfd == resource.RLIM_INFINITY: maxfd = 256 for fd in reversed(range(maxfd)): try: if fd not in keepfd: os.close(fd) except OSError: _, exc, _ = sys.exc_info() if exc.errno != errno.EBADF: raise # Redirect I/O to /dev/null os.dup2(os.open(os.devnull, os.O_RDWR), sys.stdin.fileno()) os.dup2(os.open(os.devnull, os.O_RDWR), sys.stdout.fileno()) os.dup2(os.open(os.devnull, os.O_RDWR), sys.stderr.fileno()) def do_handshake(self, sock, address): """ do_handshake does the following: - Peek at the first few bytes from the socket. - If the connection is an HTTPS/SSL/TLS connection then SSL wrap the socket. - Read from the (possibly wrapped) socket. - If we have received a HTTP GET request and the webserver functionality is enabled, answer it, close the socket and return. - Assume we have a WebSockets connection, parse the client handshake data. - Send a WebSockets handshake server response. - Return the socket for this WebSocket client. """ ready = select.select([sock], [], [], 3)[0] if not ready: raise self.EClose("") # Peek, but do not read the data so that we have a opportunity # to SSL wrap the socket first handshake = sock.recv(1024, socket.MSG_PEEK) #self.msg("Handshake [%s]" % handshake) if not handshake: raise self.EClose("") elif handshake[0] in ("\x16", "\x80", 22, 128): # SSL wrap the connection if not ssl: raise self.EClose("SSL connection but no 'ssl' module") if not os.path.exists(self.cert): raise self.EClose("SSL connection but '%s' not found" % self.cert) retsock = None try: if (hasattr(ssl, 'create_default_context') and callable(ssl.create_default_context)): # create new-style SSL wrapping for extended features context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) if self.ssl_ciphers is not None: context.set_ciphers(self.ssl_ciphers) context.options = self.ssl_options context.load_cert_chain(certfile=self.cert, keyfile=self.key, password=self.key_password) if self.verify_client: context.verify_mode = ssl.CERT_REQUIRED if self.cafile: context.load_verify_locations(cafile=self.cafile) else: context.set_default_verify_paths() retsock = context.wrap_socket( sock, server_side=True) else: if self.verify_client: raise self.EClose("Client certificate verification requested, but this Python is too old.") # new-style SSL wrapping is not needed, using to old style retsock = ssl.wrap_socket( sock, server_side=True, certfile=self.cert, keyfile=self.key) except ssl.SSLError: _, x, _ = sys.exc_info() if x.args[0] == ssl.SSL_ERROR_EOF: if len(x.args) > 1: raise self.EClose(x.args[1]) else: raise self.EClose("Got SSL_ERROR_EOF") else: raise elif self.ssl_only: raise self.EClose("non-SSL connection received but disallowed") else: retsock = sock # If the address is like (host, port), we are extending it # with a flag indicating SSL. Not many other options # available... if len(address) == 2: address = (address[0], address[1], (retsock != sock)) self.RequestHandlerClass(retsock, address, self) # Return the WebSockets socket which may be SSL wrapped return retsock # # WebSockifyServer logging/output functions # def msg(self, *args, **kwargs): """ Output message as info """ self.logger.log(logging.INFO, *args, **kwargs) def vmsg(self, *args, **kwargs): """ Same as msg() but as debug. """ self.logger.log(logging.DEBUG, *args, **kwargs) def warn(self, *args, **kwargs): """ Same as msg() but as warning. """ self.logger.log(logging.WARN, *args, **kwargs) # # Events that can/should be overridden in sub-classes # def started(self): """ Called after WebSockets startup """ self.vmsg("WebSockets server started") def poll(self): """ Run periodically while waiting for connections. """ #self.vmsg("Running poll()") pass def terminate(self): if not self.terminating: self.terminating = True raise self.Terminate() def multiprocessing_SIGCHLD(self, sig, stack): # TODO: figure out a way to actually log this information without # calling `log` in the signal handlers multiprocessing.active_children() def fallback_SIGCHLD(self, sig, stack): # Reap zombies when using os.fork() (python 2.4) # TODO: figure out a way to actually log this information without # calling `log` in the signal handlers try: result = os.waitpid(-1, os.WNOHANG) while result[0]: self.vmsg("Reaped child process %s" % result[0]) result = os.waitpid(-1, os.WNOHANG) except (OSError): pass def do_SIGINT(self, sig, stack): # TODO: figure out a way to actually log this information without # calling `log` in the signal handlers self.terminate() def do_SIGTERM(self, sig, stack): # TODO: figure out a way to actually log this information without # calling `log` in the signal handlers self.terminate() def top_new_client(self, startsock, address): """ Do something with a WebSockets client connection. """ # handler process client = None try: try: client = self.do_handshake(startsock, address) except self.EClose: _, exc, _ = sys.exc_info() # Connection was not a WebSockets connection if exc.args[0]: self.msg("%s: %s" % (address[0], exc.args[0])) except WebSockifyServer.Terminate: raise except Exception: _, exc, _ = sys.exc_info() self.msg("handler exception: %s" % str(exc)) self.vmsg("exception", exc_info=True) finally: if client and client != startsock: # Close the SSL wrapped socket # Original socket closed by caller client.close() def get_log_fd(self): """ Get file descriptors for the loggers. They should not be closed when the process is forked. """ descriptors = [] for handler in self.logger.parent.handlers: if isinstance(handler, logging.FileHandler): descriptors.append(handler.stream.fileno()) return descriptors def start_server(self): """ Daemonize if requested. Listen for for connections. Run do_handshake() method for each connection. If the connection is a WebSockets client then call new_websocket_client() method (which must be overridden) for each new client connection. """ if self.listen_fd != None: lsock = socket.fromfd(self.listen_fd, socket.AF_INET, socket.SOCK_STREAM) if sys.hexversion < 0x3000000: # For python 2 we have to wrap the "raw" socket into a socket object, # otherwise ssl wrap_socket doesn't work. lsock = socket.socket(_sock=lsock) else: lsock = self.socket(self.listen_host, self.listen_port, False, self.prefer_ipv6, tcp_keepalive=self.tcp_keepalive, tcp_keepcnt=self.tcp_keepcnt, tcp_keepidle=self.tcp_keepidle, tcp_keepintvl=self.tcp_keepintvl) if self.daemon: keepfd = self.get_log_fd() keepfd.append(lsock.fileno()) self.daemonize(keepfd=keepfd, chdir=self.web) self.started() # Some things need to happen after daemonizing # Allow override of signals original_signals = { signal.SIGINT: signal.getsignal(signal.SIGINT), signal.SIGTERM: signal.getsignal(signal.SIGTERM), } if getattr(signal, 'SIGCHLD', None) is not None: original_signals[signal.SIGCHLD] = signal.getsignal(signal.SIGCHLD) signal.signal(signal.SIGINT, self.do_SIGINT) signal.signal(signal.SIGTERM, self.do_SIGTERM) # make sure that _cleanup is called when children die # by calling active_children on SIGCHLD if getattr(signal, 'SIGCHLD', None) is not None: signal.signal(signal.SIGCHLD, self.multiprocessing_SIGCHLD) last_active_time = self.launch_time try: while True: try: try: startsock = None pid = err = 0 child_count = 0 # Collect zombie child processes child_count = len(multiprocessing.active_children()) time_elapsed = time.time() - self.launch_time if self.timeout and time_elapsed > self.timeout: self.msg('listener exit due to --timeout %s' % self.timeout) break if self.idle_timeout: idle_time = 0 if child_count == 0: idle_time = time.time() - last_active_time else: idle_time = 0 last_active_time = time.time() if idle_time > self.idle_timeout and child_count == 0: self.msg('listener exit due to --idle-timeout %s' % self.idle_timeout) break try: self.poll() ready = select.select([lsock], [], [], 1)[0] if lsock in ready: startsock, address = lsock.accept() else: continue except self.Terminate: raise except Exception: _, exc, _ = sys.exc_info() if hasattr(exc, 'errno'): err = exc.errno elif hasattr(exc, 'args'): err = exc.args[0] else: err = exc[0] if err == errno.EINTR: self.vmsg("Ignoring interrupted syscall") continue else: raise if self.run_once: # Run in same process if run_once self.top_new_client(startsock, address) if self.ws_connection : self.msg('%s: exiting due to --run-once' % address[0]) break else: self.vmsg('%s: new handler Process' % address[0]) p = multiprocessing.Process( target=self.top_new_client, args=(startsock, address)) p.start() # child will not return # parent process self.handler_id += 1 except (self.Terminate, SystemExit, KeyboardInterrupt): self.msg("In exit") # terminate all child processes if not self.run_once: children = multiprocessing.active_children() for child in children: self.msg("Terminating child %s" % child.pid) child.terminate() break except Exception: exc = sys.exc_info()[1] self.msg("handler exception: %s", str(exc)) self.vmsg("exception", exc_info=True) finally: if startsock: startsock.close() finally: # Close listen port self.vmsg("Closing socket listening at %s:%s", self.listen_host, self.listen_port) lsock.close() # Restore signals for sig, func in original_signals.items(): signal.signal(sig, func)