xpra icon
Bug tracker and wiki

Ticket #1160: per-socket-auth.patch

File per-socket-auth.patch, 39.6 KB (added by Antoine Martin, 7 months ago)

work in progress patch

  • tests/xpra/servers/unrespondingserver.py

     
    7979    dotxpra = DotXpra(opts.socket_dir)
    8080    sockpath = dotxpra.socket_path(display_name)
    8181    socket, cleanup_socket = create_unix_domain_socket(sockpath)
    82     sockets = [socket]
     82    sockets = {socket : {}}
    8383    xvfb = start_Xvfb(opts.xvfb, display_name)
    8484    assert check_xvfb_process(xvfb), "xvfb error"
    8585
  • unittests/unit/server/mixins/servermixintest_util.py

     
    7272        return self.source
    7373
    7474    def create_test_sockets(self):
    75         return ()
     75        return {}
    7676
    7777    def _test_mixin_class(self, mclass, opts, caps=None, source_mixin_class=StubSourceMixin):
    7878        x = self.mixin = mclass()
  • xpra/net/bytestreams.py

     
    126126
    127127
    128128class Connection(object):
    129     def __init__(self, endpoint, socktype, info=None):
     129    def __init__(self, endpoint, socktype, info=None, options=None):
    130130        log("Connection%s", (endpoint, socktype, info))
    131131        self.endpoint = endpoint
    132132        try:
     
    137137        self.socktype_wrapped = socktype
    138138        self.socktype = socktype
    139139        self.info = info or {}
     140        self.options = options or {}
    140141        self.input_bytecount = 0
    141142        self.input_readcount = 0
    142143        self.output_bytecount = 0
     
    268269TCP_SOCKTYPES = ("tcp", "ssl", "ws", "wss")
    269270
    270271class SocketConnection(Connection):
    271     def __init__(self, sock, local, remote, target, socktype, info=None):
     272    def __init__(self, sock, local, remote, target, socktype, info=None, socket_options=None):
    272273        log("SocketConnection%s", (sock, local, remote, target, socktype, info))
    273         Connection.__init__(self, target, socktype, info)
     274        Connection.__init__(self, target, socktype, info, socket_options)
    274275        self._socket = sock
    275276        self.local = local
    276277        self.remote = remote
  • xpra/net/socket_util.py

     
    1414    path_permission_info, monotonic_time, umask_context, WIN32, OSX, POSIX,
    1515    )
    1616from xpra.util import (
    17     envint, envbool, csv,
     17    envint, envbool, csv, parse_simple_dict,
    1818    repr_ellipsized,
    1919    DEFAULT_PORT,
    2020    )
     
    142142        return None
    143143
    144144
    145 def accept_connection(socktype, listener, timeout=None):
     145def accept_connection(socktype, listener, timeout=None, socket_options=None):
    146146    log = get_network_logger()
    147147    try:
    148148        sock, address = listener.accept()
     
    159159    sock.settimeout(timeout)
    160160    sockname = sock.getsockname()
    161161    from xpra.net.bytestreams import SocketConnection
    162     conn = SocketConnection(sock, sockname, address, peername, socktype)
     162    conn = SocketConnection(sock, sockname, address, peername, socktype, None, socket_options)
    163163    log("accept_connection(%s, %s, %s)=%s", listener, socktype, timeout, conn)
    164164    return conn
    165165
     
    201201    bind_rfb = parse_bind_ip(opts.bind_rfb, 5900)
    202202    bind_vsock = parse_bind_vsock(opts.bind_vsock)
    203203
    204     sockets = []
     204    sockets = {}
    205205
    206206    min_port = int(opts.min_port)
    207     def add_tcp_socket(socktype, host_str, iport):
     207    def add_tcp_socket(socktype, host_str, iport, options):
    208208        if iport!=0 and iport<min_port:
    209209            error_cb("invalid %s port number %i (minimum value is %i)" % (socktype, iport, min_port))
    210210        for host in hosts(host_str):
    211211            sock = setup_tcp_socket(host, iport, socktype)
    212212            host, iport = sock[2]
    213             sockets.append(sock)
    214     def add_udp_socket(socktype, host_str, iport):
     213            sockets[sock] = options
     214    def add_udp_socket(socktype, host_str, iport, options):
    215215        if iport!=0 and iport<min_port:
    216216            error_cb("invalid %s port number %i (minimum value is %i)" % (socktype, iport, min_port))
    217217        for host in hosts(host_str):
    218218            sock = setup_udp_socket(host, iport, socktype)
    219219            host, iport = sock[2]
    220             sockets.append(sock)
     220            sockets[sock] = options
    221221    # Initialize the TCP sockets before the display,
    222222    # That way, errors won't make us kill the Xvfb
    223223    # (which may not be ours to kill at that point)
     
    234234            sshlog("import paramiko", exc_info=True)
    235235            sshlog.error("Error: cannot enable SSH socket upgrades:")
    236236            sshlog.error(" %s", e)
    237     log("setting up SSL sockets: %s", csv(bind_ssl))
    238     for host, iport in bind_ssl:
    239         add_tcp_socket("ssl", host, iport)
    240     log("setting up SSH sockets: %s", csv(bind_ssh))
    241     for host, iport in bind_ssh:
    242         add_tcp_socket("ssh", host, iport)
    243     log("setting up https / wss (secure websockets): %s", csv(bind_wss))
    244     for host, iport in bind_wss:
    245         add_tcp_socket("wss", host, iport)
    246     log("setting up TCP sockets: %s", csv(bind_tcp))
    247     for host, iport in bind_tcp:
    248         add_tcp_socket("tcp", host, iport)
     237    for socktype, defs in {
     238        "tcp"   : bind_tcp,
     239        "ssl"   : bind_ssl,
     240        "ssh"   : bind_ssh,
     241        "ws"    : bind_ws,
     242        "wss"   : bind_wss,
     243        "rfb"   : bind_rfb,
     244        }.items():
     245        log("setting up %s sockets: %s", socktype, defs)
     246        for (host, iport), options in defs.items():
     247            add_tcp_socket(socktype, host, iport, options)
    249248    log("setting up UDP sockets: %s", csv(bind_udp))
    250     for host, iport in bind_udp:
    251         add_udp_socket("udp", host, iport)
    252     log("setting up http / ws (websockets): %s", csv(bind_ws))
    253     for host, iport in bind_ws:
    254         add_tcp_socket("ws", host, iport)
    255     log("setting up rfb sockets: %s", csv(bind_rfb))
    256     for host, iport in bind_rfb:
    257         add_tcp_socket("rfb", host, iport)
     249    for (host, iport), options in bind_udp:
     250        add_udp_socket("udp", host, iport, options)
    258251    log("setting up vsock sockets: %s", csv(bind_vsock))
    259     for cid, iport in bind_vsock:
     252    for (cid, iport), options in bind_vsock:
    260253        sock = setup_vsock_socket(cid, iport)
    261         sockets.append(sock)
     254        sockets[sock] = options
    262255
    263256    # systemd socket activation:
    264257    if POSIX and not OSX:
     
    270263            sd_sockets = get_sd_listen_sockets()
    271264            log("systemd sockets: %s", sd_sockets)
    272265            for stype, sock, addr in sd_sockets:
    273                 sockets.append(setup_sd_listen_socket(stype, sock, addr))
     266                sock = setup_sd_listen_socket(stype, sock, addr)
     267                sockets[sock] = {}
    274268                log("%s : %s", (stype, [addr]), sock)
    275269    return sockets
    276270
     
    345339
    346340
    347341def parse_bind_ip(bind_ip, default_port=DEFAULT_PORT):
    348     ip_sockets = set()
     342    ip_sockets = {}
    349343    if bind_ip:
    350344        for spec in bind_ip:
     345            parts = spec.split(",", 1)
     346            ip_port = parts[0]
    351347            if ":" not in spec:
    352348                raise InitException("port must be specified as [HOST]:PORT")
    353             host, port = spec.rsplit(":", 1)
     349            host, port = ip_port.rsplit(":", 1)
    354350            if host == "":
    355351                host = "127.0.0.1"
    356352            if not port:
     
    363359                    assert 0<iport<2**16
    364360                except:
    365361                    raise InitException("invalid port number: %s" % port)
    366             ip_sockets.add((host, iport))
     362            options = {}
     363            if len(parts)==2:
     364                options = parse_simple_dict(parts[1])
     365            ip_sockets[(host, iport)] = options
    367366    return ip_sockets
    368367
    369368def setup_vsock_socket(cid, iport):
     
    382381    return "vsock", vsock_socket, (cid, iport), cleanup_vsock_socket
    383382
    384383def parse_bind_vsock(bind_vsock):
    385     vsock_sockets = set()
     384    vsock_sockets = {}
    386385    if bind_vsock:
    387386        from xpra.scripts.main import parse_vsock
    388387        for spec in bind_vsock:
    389             vsock_sockets.add(parse_vsock(spec))
     388            parts = spec.split(",", 1)
     389            cid, iport = parse_vsock(parts[0])
     390            options = {}
     391            if len(parts)==2:
     392                options = parse_simple_dict(parts[1])
     393            vsock_sockets[(cid, iport)] = options
    390394    return vsock_sockets
    391395
    392396def setup_sd_listen_socket(stype, sock, addr):
     
    417421def setup_local_sockets(bind, socket_dir, socket_dirs, display_name, clobber,
    418422                        mmap_group="auto", socket_permissions="600", username="", uid=0, gid=0):
    419423    if not bind:
    420         return []
     424        return {}
    421425    if not socket_dir and (not socket_dirs or (len(socket_dirs)==1 and not socket_dirs[0])):
    422426        if WIN32:
    423427            socket_dirs = [""]
     
    428432    if display_name is not None:
    429433        display_name = normalize_local_display_name(display_name)
    430434    log = get_network_logger()
    431     defs = []
     435    defs = {}
    432436    try:
    433         sockpaths = []
     437        sockpaths = {}
    434438        log("setup_local_sockets: bind=%s", bind)
    435439        for b in bind:
    436             sockpath = b
    437440            if b in ("none", ""):
    438441                continue
    439             elif b=="auto":
     442            parts = b.split(",")
     443            sockpath = parts[0]
     444            options = {}
     445            if len(parts)==2:
     446                options = parse_simple_dict(parts[1])
     447            if b=="auto":
    440448                assert display_name is not None
    441                 sockpaths += dotxpra.norm_socket_paths(display_name)
     449                for sockpath in dotxpra.norm_socket_paths(display_name):
     450                    sockpaths[sockpath] = options
    442451                log("sockpaths(%s)=%s (uid=%i, gid=%i)", display_name, sockpaths, uid, gid)
    443452            else:
    444                 sockpath = dotxpra.osexpand(b)
    445                 if b.endswith("/") or (os.path.exists(sockpath) and os.path.isdir(sockpath)):
     453                sockpath = dotxpra.osexpand(sockpath)
     454                if os.path.isabs(sockpath):
     455                    pass
     456                elif sockpath.endswith("/") or (os.path.exists(sockpath) and os.path.isdir(sockpath)):
    446457                    assert display_name is not None
    447458                    sockpath = os.path.abspath(sockpath)
    448459                    if not os.path.exists(sockpath):
    449460                        os.makedirs(sockpath)
    450461                    sockpath = norm_makepath(sockpath, display_name)
    451                 elif os.path.isabs(b):
    452                     sockpath = b
    453462                else:
    454                     sockpath = dotxpra.socket_path(b)
    455                 sockpaths += [sockpath]
     463                    sockpath = dotxpra.socket_path(sockpath)
     464                sockpaths[sockpath] = options
    456465            assert sockpaths, "no socket paths to try for %s" % b
    457466        #expand and remove duplicate paths:
    458         tmp = []
    459         for tsp in sockpaths:
     467        tmp = {}
     468        for tsp, options in sockpaths.items():
    460469            sockpath = dotxpra.osexpand(tsp)
    461470            if sockpath in tmp:
    462471                log.warn("Warning: skipping duplicate bind path %s", sockpath)
    463472                continue
    464             tmp.append(sockpath)
     473            tmp[sockpath] = options
    465474        sockpaths = tmp
    466475        #create listeners:
    467476        if WIN32:
    468477            from xpra.platform.win32.namedpipes.listener import NamedPipeListener
    469             for sockpath in sockpaths:
     478            for sockpath, options in sockpaths.items():
    470479                npl = NamedPipeListener(sockpath)
    471480                log.info("created named pipe '%s'", sockpath)
    472481                defs.append(("named-pipe", npl, sockpath, npl.stop))
     
    511520            log("sockets in unknown state: %s", unknown)
    512521            if unknown:
    513522                #re-probe them using threads so we can do them in parallel:
    514                 from time import sleep
    515523                from xpra.make_thread import start_thread
    516524                threads = []
    517525                def timeout_probe(sockpath):
     
    562570                        raise ValueError("invalid socket permissions "+
    563571                                         "(must be an octal number): '%s'" % socket_permissions) from None
    564572                #now try to create all the sockets:
    565                 for sockpath in sockpaths:
     573                for sockpath, options in sockpaths.items():
    566574                    #create it:
    567575                    try:
    568576                        sock, cleanup_socket = create_unix_domain_socket(sockpath, sperms)
    569577                        log.info("created unix domain socket '%s'", sockpath)
    570                         defs.append(("unix-domain", sock, sockpath, cleanup_socket))
     578                        defs[("unix-domain", sock, sockpath, cleanup_socket)] = options
    571579                    except Exception as e:
    572580                        handle_socket_error(sockpath, sperms, e)
    573581                        del e
     
    579587                log.error("Error cleaning up socket %s:", sock)
    580588                log.error(" %s", e)
    581589                del e
    582         defs = []
    583590        raise
    584591    return defs
    585592
  • xpra/platform/win32/namedpipes/connection.py

     
    5050
    5151
    5252class NamedPipeConnection(Connection):
    53     def __init__(self, name, pipe_handle):
    54         log("NamedPipeConnection(%s, %#x)", name, pipe_handle)
    55         Connection.__init__(self, name, "named-pipe")
     53    def __init__(self, name, pipe_handle, options):
     54        log("NamedPipeConnection(%s, %#x)", name, pipe_handle, options)
     55        Connection.__init__(self, name, "named-pipe", options=options)
    5656        self.pipe_handle = pipe_handle
    5757        self.read_buffer = (c_char*BUFSIZE)()
    5858        self.read_buffer_ptr = cast(addressof(self.read_buffer), c_void_p)
  • xpra/scripts/main.py

     
    15881588                                                    None, False,
    15891589                                                    opts.mmap_group, opts.socket_permissions,
    15901590                                                    get_username(), getuid, getgid)
    1591                 sockets += local_sockets
     1591                sockets.update(local_sockets)
    15921592                listen_cleanup = []
    15931593                socket_cleanup = []
    15941594                def new_connection(socktype, sock, handle=0):
  • xpra/scripts/server.py

     
    792792                                        opts.mmap_group, opts.socket_permissions,
    793793                                        username, uid, gid)
    794794    netlog("setting up local sockets: %s", local_sockets)
    795     sockets += local_sockets
     795    sockets.update(local_sockets)
    796796    if POSIX and (starting or upgrading or starting_desktop or upgrading_desktop):
    797797        #all unix domain sockets:
    798798        ud_paths = [sockpath for stype, _, sockpath, _ in local_sockets if stype=="unix-domain"]
  • xpra/server/auth/allow_auth.py

     
    11# This file is part of Xpra.
    2 # Copyright (C) 2013-2017 Antoine Martin <antoine@xpra.org>
     2# Copyright (C) 2013-2019 Antoine Martin <antoine@xpra.org>
    33# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    44# later version. See the file COPYING for details.
    55
    6 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
    7 assert init and log #tests will disable logging from here
     6from xpra.server.auth.sys_auth_base import SysAuthenticator
    87
    98
    109class Authenticator(SysAuthenticator):
  • xpra/server/auth/env_auth.py

     
    11# This file is part of Xpra.
    2 # Copyright (C) 2016-2017 Antoine Martin <antoine@xpra.org>
     2# Copyright (C) 2016-2019 Antoine Martin <antoine@xpra.org>
    33# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    44# later version. See the file COPYING for details.
    55
    66import os
    7 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
    8 assert init and log #tests will disable logging from here
     7from xpra.server.auth.sys_auth_base import SysAuthenticator
    98
    109
    1110class Authenticator(SysAuthenticator):
  • xpra/server/auth/exec_auth.py

     
    1010from xpra.util import envint
    1111from xpra.os_util import OSX
    1212from xpra.child_reaper import getChildReaper
    13 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
     13from xpra.server.auth.sys_auth_base import SysAuthenticator, log
    1414from xpra.platform.features import EXECUTABLE_EXTENSION
    1515
    16 #will be called when we init the module
    17 assert init
    18 
    1916TIMEOUT = envint("XPRA_EXEC_AUTH_TIMEOUT", 600)
    2017
    2118
  • xpra/server/auth/fail_auth.py

     
    11# This file is part of Xpra.
    2 # Copyright (C) 2014 Antoine Martin <antoine@xpra.org>
     2# Copyright (C) 2014-2019 Antoine Martin <antoine@xpra.org>
    33# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    44# later version. See the file COPYING for details.
    55
    66
    7 def init(_opts):
    8     pass
    9 
    107class Authenticator(object):
    118    def __init__(self, username="", **kwargs):
    129        raise Exception("failing")
  • xpra/server/auth/file_auth.py

     
    11# This file is part of Xpra.
    2 # Copyright (C) 2013-2018 Antoine Martin <antoine@xpra.org>
     2# Copyright (C) 2013-2019 Antoine Martin <antoine@xpra.org>
    33# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    44# later version. See the file COPYING for details.
    55
     
    66#authentication from a file containing just the password
    77
    88from xpra.net.digest import verify_digest
    9 from xpra.server.auth.file_auth_base import FileAuthenticatorBase, init, log
     9from xpra.server.auth.file_auth_base import FileAuthenticatorBase, log
    1010from xpra.util import obsc
    1111
    1212
    13 #will be called when we init the module
    14 assert init
    15 
    16 
    1713class Authenticator(FileAuthenticatorBase):
    1814
    1915    def authenticate_hmac(self, challenge_response, client_salt=None):
  • xpra/server/auth/file_auth_base.py

     
    11# This file is part of Xpra.
    2 # Copyright (C) 2013-2018 Antoine Martin <antoine@xpra.org>
     2# Copyright (C) 2013-2019 Antoine Martin <antoine@xpra.org>
    33# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    44# later version. See the file COPYING for details.
    55
     
    1414log = Logger("auth")
    1515
    1616
    17 #legacy interface: this is to inject the "--password-file=" option
    18 #this is shared by all instances
    19 password_file = None
    20 def init(opts):
    21     global password_file
    22     password_file = opts.password_file
    23 
    24 
    2517class FileAuthenticatorBase(SysAuthenticator):
    2618    def __init__(self, username, **kwargs):
    27         password_files = [kwargs.pop("filename", None)]+list(password_file or [])
    28         log("FileAuthenticatorBase password_files=%s", password_files)
    29         filename = None
    30         for filename in password_files:
    31             if not filename:
    32                 continue
    33             if not os.path.isabs(filename):
    34                 exec_cwd = kwargs.get("exec_cwd", os.getcwd())
    35                 filename = os.path.join(exec_cwd, filename)
    36             if os.path.exists(filename):
    37                 break
    38         log("FileAuthenticatorBase filename=%s", filename)
     19        password_file = kwargs.pop("filename", None)
     20        log("FileAuthenticatorBase password_file=%s", password_file)
     21        if not password_file:
     22            raise Exception("file authentication module is missing the password file option")
     23        if not os.path.isabs(password_file):
     24            exec_cwd = kwargs.get("exec_cwd", os.getcwd())
     25            password_file = os.path.join(exec_cwd, password_file)
     26        log("FileAuthenticatorBase filename=%s", password_file)
    3927        SysAuthenticator.__init__(self, username, **kwargs)
    40         self.password_filename = filename
     28        self.password_filename = password_file
    4129        self.password_filedata = None
    4230        self.password_filetime = None
    4331        self.authenticate = self.authenticate_hmac
  • xpra/server/auth/gss_auth.py

     
    11#!/usr/bin/env python
    22# This file is part of Xpra.
    3 # Copyright (C) 2018 Antoine Martin <antoine@xpra.org>
     3# Copyright (C) 2018-2019 Antoine Martin <antoine@xpra.org>
    44# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    55# later version. See the file COPYING for details.
    66
    77import sys
    88
    9 from xpra.server.auth.sys_auth_base import SysAuthenticatorBase, init, log, parse_uid, parse_gid
     9from xpra.server.auth.sys_auth_base import SysAuthenticatorBase, log, parse_uid, parse_gid
    1010from xpra.net.digest import get_salt, get_digests, gendigest
    1111from xpra.util import xor
    12 assert init and log #tests will disable logging from here
    1312
    1413
    1514class Authenticator(SysAuthenticatorBase):
  • xpra/server/auth/hosts_auth.py

     
    88from ctypes import CDLL, c_int, c_char_p
    99
    1010from xpra.os_util import POSIX, strtobytes
    11 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
    12 assert init and log #tests will disable logging from here
     11from xpra.server.auth.sys_auth_base import SysAuthenticator, log
    1312
    1413LIBWRAP = os.environ.get("XPRA_LIBWRAP", "libwrap.so.0")
    1514
  • xpra/server/auth/kerberos_password_auth.py

     
    66
    77import sys
    88
    9 from xpra.server.auth.sys_auth_base import SysAuthenticatorBase, init, log, parse_uid, parse_gid
     9from xpra.server.auth.sys_auth_base import SysAuthenticatorBase, log, parse_uid, parse_gid
    1010from xpra.net.digest import get_salt, get_digests, gendigest
    1111from xpra.util import xor
    1212from xpra.os_util import WIN32
    13 assert init and log #tests will disable logging from here
    1413
    1514
    1615class Authenticator(SysAuthenticatorBase):
  • xpra/server/auth/kerberos_token_auth.py

     
    66
    77import sys
    88
    9 from xpra.server.auth.sys_auth_base import SysAuthenticatorBase, init, log, parse_uid, parse_gid
     9from xpra.server.auth.sys_auth_base import SysAuthenticatorBase, log, parse_uid, parse_gid
    1010from xpra.net.digest import get_salt, get_digests, gendigest
    1111from xpra.util import xor
    1212from xpra.os_util import WIN32
    13 assert init and log #tests will disable logging from here
    1413
    1514
    1615class Authenticator(SysAuthenticatorBase):
    1716
    1817    def __init__(self, username, **kwargs):
    19         def ipop(k):
    20             try:
    21                 return int(kwargs.pop(k, 0))
    22             except ValueError:
    23                 return 0
    2418        self.service = kwargs.pop("service", "")
    2519        self.uid = parse_uid(kwargs.pop("uid", None))
    2620        self.gid = parse_gid(kwargs.pop("gid", None))
  • xpra/server/auth/ldap_auth.py

     
    1010
    1111from xpra.util import envint, obsc
    1212from xpra.os_util import bytestostr
    13 from xpra.server.auth.sys_auth_base import SysAuthenticatorBase, init, log, parse_uid, parse_gid
     13from xpra.server.auth.sys_auth_base import SysAuthenticatorBase, log, parse_uid, parse_gid
    1414from xpra.log import is_debug_enabled, enable_debug_for
    15 assert init and log #tests will disable logging from here
    1615
    1716LDAP_REFERRALS = envint("XPRA_LDAP_REFERRALS", 0)
    1817LDAP_PROTOCOL_VERSION = envint("XPRA_LDAP_PROTOCOL_VERSION", 3)
  • xpra/server/auth/multifile_auth.py

     
    77# username|password|uid|gid|displays|env_options|session_options
    88
    99from xpra.server.auth.sys_auth_base import parse_uid, parse_gid
    10 from xpra.server.auth.file_auth_base import log, FileAuthenticatorBase, init
     10from xpra.server.auth.file_auth_base import log, FileAuthenticatorBase
    1111from xpra.os_util import strtobytes, bytestostr, hexstr
    1212from xpra.util import parse_simple_dict
    1313from xpra.net.digest import verify_digest
    14 assert init and log #tests will disable logging from here
    1514
    1615
    1716def parse_auth_line(line):
  • xpra/server/auth/mysql_auth.py

     
    77import re
    88import sys
    99
    10 from xpra.server.auth.sys_auth_base import init, log
     10from xpra.server.auth.sys_auth_base import log
    1111from xpra.server.auth.sqlauthbase import SQLAuthenticator, DatabaseUtilBase, run_dbutil
    12 assert init and log #tests will disable logging from here
    1312
    1413
    1514def url_path_to_dict(path):
  • xpra/server/auth/none_auth.py

     
    11# This file is part of Xpra.
    2 # Copyright (C) 2014-2017 Antoine Martin <antoine@xpra.org>
     2# Copyright (C) 2014-2019 Antoine Martin <antoine@xpra.org>
    33# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    44# later version. See the file COPYING for details.
    55
    6 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
     6from xpra.server.auth.sys_auth_base import SysAuthenticator, log
    77from xpra.platform.info import get_username
    8 assert init and log #tests will disable logging from here
    98
    109
    1110class Authenticator(SysAuthenticator):
  • xpra/server/auth/pam_auth.py

     
    11# This file is part of Xpra.
    2 # Copyright (C) 2013-2018 Antoine Martin <antoine@xpra.org>
     2# Copyright (C) 2013-2019 Antoine Martin <antoine@xpra.org>
    33# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    44# later version. See the file COPYING for details.
    55
     
    88
    99from xpra.util import envbool
    1010from xpra.scripts.config import parse_bool
    11 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
    12 assert init and log #tests will disable logging from here
     11from xpra.server.auth.sys_auth_base import SysAuthenticator, log
    1312
    1413PAM_AUTH_SERVICE = os.environ.get("XPRA_PAM_AUTH_SERVICE", "login")
    1514PAM_CHECK_ACCOUNT = envbool("XPRA_PAM_CHECK_ACCOUNT", False)
  • xpra/server/auth/password_auth.py

     
    33# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    44# later version. See the file COPYING for details.
    55
    6 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
    7 assert init and log #tests will disable logging from here
     6from xpra.server.auth.sys_auth_base import SysAuthenticator
    87
    98
    109class Authenticator(SysAuthenticator):
  • xpra/server/auth/peercred_auth.py

     
    11# This file is part of Xpra.
    2 # Copyright (C) 2017 Antoine Martin <antoine@xpra.org>
     2# Copyright (C) 2017-2019 Antoine Martin <antoine@xpra.org>
    33# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
    44# later version. See the file COPYING for details.
    55
    66import os
    77
    8 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
     8from xpra.server.auth.sys_auth_base import SysAuthenticator, log
    99from xpra.os_util import get_peercred, get_group_id, osexpand, POSIX
    1010from xpra.util import csv
    11 assert init and log #tests will disable logging from here
    1211
    1312
    1413class Authenticator(SysAuthenticator):
  • xpra/server/auth/sql_auth.py

     
    77import os
    88import sys
    99
    10 from xpra.server.auth.sys_auth_base import init, log
    1110from xpra.server.auth.sqlauthbase import SQLAuthenticator, DatabaseUtilBase, run_dbutil
    12 assert init and log #tests will disable logging from here
    1311
    1412
    1513class Authenticator(SQLAuthenticator):
  • xpra/server/auth/sqlauthbase.py

     
    66
    77from xpra.util import csv, parse_simple_dict
    88from xpra.os_util import getuid, getgid
    9 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
    10 assert init and log #tests will disable logging from here
     9from xpra.server.auth.sys_auth_base import SysAuthenticator, log
    1110
    1211
    1312class SQLAuthenticator(SysAuthenticator):
  • xpra/server/auth/sqlite_auth.py

     
    88import sys
    99
    1010from xpra.util import parse_simple_dict
    11 from xpra.server.auth.sys_auth_base import init, log, parse_uid, parse_gid
     11from xpra.server.auth.sys_auth_base import log, parse_uid, parse_gid
    1212from xpra.server.auth.sqlauthbase import SQLAuthenticator, DatabaseUtilBase, run_dbutil
    13 assert init and log #tests will disable logging from here
    1413
    1514
    1615class Authenticator(SQLAuthenticator):
  • xpra/server/auth/sys_auth_base.py

     
    1818DEFAULT_GID = os.environ.get("XPRA_AUTHENTICATION_DEFAULT_GID", "nobody")
    1919
    2020
    21 socket_dir = None
    22 socket_dirs = None
    23 def init(opts):
    24     global socket_dir, socket_dirs
    25     socket_dir = opts.socket_dir
    26     socket_dirs = opts.socket_dirs
    27 
    28 
    2921def parse_uid(v):
    3022    if v:
    3123        try:
     
    6860        self.digest = None
    6961        self.salt_digest = None
    7062        self.prompt = kwargs.pop("prompt", "password")
     63        self.socket_dir = kwargs.pop("socket-dir", "")
    7164        self.challenge_sent = False
    7265        self.passed = False
    7366        self.password_used = None
     
    176169        gid = self.get_gid()
    177170        log("%s.get_sessions() uid=%i, gid=%i", self, uid, gid)
    178171        try:
    179             sockdir = DotXpra(socket_dir, socket_dirs, actual_username=self.username, uid=uid, gid=gid)
     172            sockdir = DotXpra(self.socket_dir, None, actual_username=self.username, uid=uid, gid=gid)
    180173            results = sockdir.sockets(check_uid=uid)
    181174            displays = []
    182175            for state, display in results:
  • xpra/server/auth/u2f_auth.py

     
    1515from xpra.util import csv, engs
    1616from xpra.os_util import hexstr, osexpand, load_binary_file, getuid, strtobytes, POSIX
    1717from xpra.net.digest import get_salt
    18 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
     18from xpra.server.auth.sys_auth_base import SysAuthenticator, log
    1919from xpra.platform.paths import get_user_conf_dirs
    20 assert init and log #tests will disable logging from here
    2120
    2221
    2322PUB_KEY_DER_PREFIX = binascii.a2b_hex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
  • xpra/server/auth/win32_auth.py

     
    66from ctypes import windll, byref, addressof, POINTER, FormatError, GetLastError
    77from ctypes.wintypes import LPCWSTR, DWORD, HANDLE, BOOL
    88
    9 from xpra.server.auth.sys_auth_base import SysAuthenticator, init, log
     9from xpra.server.auth.sys_auth_base import SysAuthenticator, log
    1010from xpra.util import envbool
    1111from xpra.os_util import bytestostr
    1212from xpra.platform.win32.common import CloseHandle
    13 assert init and log #tests will disable logging from here
    1413
    1514LOG_CREDENTIALS = envbool("XPRA_LOG_CREDENTIALS", False)
    1615
  • xpra/server/server_core.py

     
    217217        self._http_headers_dir = None
    218218        self._aliases = {}
    219219        self.socket_info = {}
     220        self.socket_options = {}
    220221        self.socket_cleanup = []
    221222        self.socket_verify_timer = WeakKeyDictionary()
    222223        self.socket_rfb_upgrade_timer = WeakKeyDictionary()
     
    601602    ######################################################################
    602603    # authentication:
    603604    def init_auth(self, opts):
    604         auth = self.get_auth_modules("local-auth", opts.auth, opts)
     605        auth = self.get_auth_modules("local-auth", opts.auth)
    605606        if WIN32:
    606607            self.auth_classes["named-pipe"] = auth
    607608        else:
     
    608609            self.auth_classes["unix-domain"] = auth
    609610        for x in SOCKET_TYPES:
    610611            opts_value = getattr(opts, "%s_auth" % x)
    611             self.auth_classes[x] = self.get_auth_modules(x, opts_value, opts)
     612            self.auth_classes[x] = self.get_auth_modules(x, opts_value)
    612613        authlog("init_auth(..) auth=%s", self.auth_classes)
    613614
    614     def get_auth_modules(self, socket_type, auth_strs, opts):
     615    def get_auth_modules(self, socket_type, auth_strs):
    615616        authlog("get_auth_modules(%s, %s, {..})", socket_type, auth_strs)
    616617        if not auth_strs:
    617618            return None
    618         return tuple(self.get_auth_module(socket_type, auth_str, opts) for auth_str in auth_strs)
     619        return tuple(self.get_auth_module(socket_type, auth_str) for auth_str in auth_strs)
    619620
    620     def get_auth_module(self, socket_type, auth_str, opts):
     621    def get_auth_module(self, socket_type, auth_str):
    621622        authlog("get_auth_module(%s, %s, {..})", socket_type, auth_str)
    622623        #separate options from the auth module name
    623624        #either with ":" or "," as separator
     
    627628            parts = auth_str.split(":", 1)
    628629        else:
    629630            parts = auth_str.split(",", 1)
    630         if len(parts)==1 and auth_str.find(",")>0:
    631             parts = auth_str.split(",", 1)
    632631        auth = parts[0]
    633632        auth_options = {}
    634633        if len(parts)>1:
     
    652651            raise InitException("cannot load authentication module '%s' for %s socket: %s" % (auth, socket_type, e)) from None
    653652        authlog("auth module for '%s': %s", auth, auth_module)
    654653        try:
    655             auth_module.init(opts)
    656654            auth_class = auth_module.Authenticator
    657655            auth_class.auth_name = auth.lower()
    658656            return auth, auth_class, auth_options
     
    848846
    849847    def start_listen_sockets(self):
    850848        ### All right, we're ready to accept customers:
    851         for socktype, sock, info, _ in self._socket_info:
     849        for sock_def, options in self._socket_info.items():
     850            socktype, sock, info, _ = sock_def
    852851            netlog("init_sockets(%s) will add %s socket %s (%s)", self._socket_info, socktype, sock, info)
    853852            self.socket_info[sock] = info
     853            self.socket_options[sock] = options
    854854            self.idle_add(self.add_listen_socket, socktype, sock)
    855855            if socktype=="unix-domain" and info:
    856856                try:
     
    950950        socket_info = self.socket_info.get(listener)
    951951        assert socktype, "cannot find socket type for %s" % listener
    952952        #TODO: just like add_listen_socket above, this needs refactoring
     953        socket_options = self.socket_options.get(listener)
    953954        if socktype=="named-pipe":
    954955            from xpra.platform.win32.namedpipes.connection import NamedPipeConnection
    955             conn = NamedPipeConnection(listener.pipe_name, handle)
     956            conn = NamedPipeConnection(listener.pipe_name, handle, socket_options)
    956957            netlog.info("New %s connection received on %s", socktype, conn.target)
    957958            return self.make_protocol(socktype, conn)
    958959
    959         conn = accept_connection(socktype, listener, self._socket_timeout)
     960        conn = accept_connection(socktype, listener, self._socket_timeout, socket_options)
    960961        if conn is None:
    961962            return True
    962963        #limit number of concurrent network connections:
     
    16151616    def make_authenticators(self, socktype, username, conn):
    16161617        authlog("make_authenticators%s", (socktype, username, conn))
    16171618        authenticators = []
    1618         auth_classes = self.auth_classes[socktype]
     1619        authlog.warn("make_authenticators%s socket options=%s", (socktype, username, conn), conn.options)
     1620        sock_auth = conn.options.get("auth", "").split(",")
     1621        if sock_auth:
     1622            #per socket authentication option:
     1623            #ie: --bind-tcp=0.0.0.0:10000,auth=hosts,auth=file:filename=pass.txt:foo=bar
     1624            # -> sock_auth = ["hosts", "file:filename=pass.txt:foo=bar"]
     1625            auth_classes = self.get_auth_modules(conn.socktype, sock_auth)
     1626        else:
     1627            auth_classes = self.auth_classes[socktype]
    16191628        i = 0
    16201629        if auth_classes:
    16211630            authlog("creating authenticators %s for %s, with username=%s, connection=%s",
    16221631                    csv(auth_classes), socktype, username, conn)
    1623             for auth_class in auth_classes:
    1624                 auth, aclass, options = auth_class
     1632            for auth, aclass, options in auth_classes:
    16251633                opts = dict(options)
    16261634                opts["connection"] = conn
    16271635                authenticator = aclass(username, **opts)
  • xpra/util.py

     
    704704        if not el:
    705705            continue
    706706        try:
    707             k,v = el.split("=", 1)
     707            k, v = el.split("=", 1)
     708            cur = d.get(k, "")
     709            if cur:
     710                v = cur+","+v
    708711            d[k] = v
    709712        except Exception as e:
    710713            log = get_util_logger()