forked from ussjoin/reticle
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathclient.rb
executable file
·457 lines (390 loc) · 13.8 KB
/
client.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
#!/usr/bin/ruby
require 'rubygems'
require 'eventmachine'
require 'em-http'
require 'json'
require 'net/http'
require 'openssl'
require 'base64'
PIDPATH = File.dirname(__FILE__)+"/working/client/client.pid"
BASEURL = 'http://127.0.0.1:50121/reticle/'
FEEDURL = BASEURL+'_changes?feed=continuous'
MISSIONID = "mission"
CLIENTID = "client"
VIEWURL = BASEURL+"_design/utilities/"
NODEVIEWURL = VIEWURL+"_view/nodes"
REPLICATORURL = 'http://127.0.0.1:50121/_replicator/'
#This is the CA's public key, used to verify missions.
CACERTPATH = File.dirname(__FILE__)+"/certs/ca.pem"
MYCERTPATH = File.dirname(__FILE__)+"/certs/my.pem"
MYKEYPATH = File.dirname(__FILE__)+"/certs/my.key"
MISSIONPATH = File.dirname(__FILE__)+"/working/client/mission.rb"
ONIONPATH = File.dirname(__FILE__)+"/working/tor/hidden/hostname"
@runningthread = nil
@since = 0
@myaddress = nil
@mycert = nil
@mykey = nil
def spawn(script)
if (@runningthread)
@runningthread.kill
end
File.open(MISSIONPATH, 'w') {|f| f.write(script) }
@runningthread = Thread.new {system("ruby "+MISSIONPATH)}
end
def client_restart(script)
puts "I am going to restart.\n\n\n"
File.open(__FILE__, 'w') {|f| f.write(script) }
exec("ruby "+__FILE__)
end
def get_macs
ifcon = `ifconfig -a`
ans = []
lines = ifcon.split(/\n/)
lines.each do |l|
m = /wlan[0-9].+HWaddr\s([0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2})/.match(l)
ans.push(m[1].gsub(/:/,'')) unless m == nil
end
ans
end
def verify_mission(revision, script, signature)
begin
cert = OpenSSL::X509::Certificate.new File.read CACERTPATH
pkey = OpenSSL::PKey::EC.new cert.public_key
revm = revision.match(/([0-9]+)-.+/)
revnumber = revm[1]
puts "================"
puts "About to try to verify:"
puts "Item: #{revnumber+script}"
puts "Sig: #{signature}"
puts "================"
pkey.dsa_verify_asn1(revnumber+script, Base64.decode64(signature))
rescue => e
puts "Verification failed. Returning false."
return false
end
end
def handle_change(change)
seq = change['seq']
id = change['id']
rev = change['changes'][0]['rev']
@since = seq
if (id == MISSIONID or id == CLIENTID)
puts "#{seq}: #{id} at #{rev}"
uri = URI(BASEURL+id+"?rev="+rev)
req = Net::HTTP::Get.new(uri.path)
req["content-type"] = "application/json"
data = nil
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.request req # Net::HTTPResponse object
data = JSON.parse(response.body)
end
if verify_mission(data['_rev'], data['script'], data['signature'])
if (id == MISSIONID)
#We always spawn on client startup, because we always want the most recent mission running.
puts "Spawning script from #{data['_id']}."
spawn(data['script'])
elsif (id == CLIENTID)
currdigest = Base64.encode64(OpenSSL::Digest::SHA256.new.digest(File.read __FILE__)).strip
newdigest = Base64.encode64(OpenSSL::Digest::SHA256.new.digest(data['script'])).strip
#We don't respawn if it's the same, as that would cause an infinite loop.
if currdigest != newdigest
puts "Current digest = '#{currdigest}'"
puts "New digest = '#{newdigest}'"
client_restart(data['script'])
else
puts "Got new client in; same as current client, so ignoring it."
end
end
end
end
end
#BaseURL: of the form "http://hostname.onion:40120/reticle/"
#remote_certificate: an OpenSSL::X509::Certificate containing the certificate of who we think we're gonna talk to.
def insert_my_node_document(baseurl, remote_certificate)
#Node document has the following fields:
#cert - My PEM certificate
#address - My .onion address
#signature - signature over (rev+address+cert), signed by the cert in cert
puts "Asked to insert my ID document to #{baseurl}"
cert = File.read MYCERTPATH
cert.strip!
uri = URI(baseurl+"node_#{@myaddress}")
req = Net::HTTP::Get.new(uri.path)
req["content-type"] = "application/json"
data = nil
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https',
:ca_file => CACERTPATH,
:cert => @mycert,
:key => @mykey,
:read_timeout => 60,
:ssl_timeout => 60,
:open_timeout => 60,
:verify_mode => OpenSSL::SSL::VERIFY_NONE,
:verify_callback => proc do |p, c|
remote_certificate.public_key.to_s.strip == c.current_cert.public_key.to_s.strip
end,
:ssl_version => :TLSv1) do |http|
response = http.request req # Net::HTTPResponse object
data = JSON.parse(response.body)
end
newrev = 1
currentrevision = data['_rev']
if currentrevision
revm = data['_rev'].match(/([0-9]+)-.+/)
oldrev = revm[1]
#Wait... if _rev is here, is the whole document valid?
#Check it, and if so, just return immediately.
a = data['address']
c = data['cert']
s = data['signature']
pubkey = OpenSSL::PKey::EC.new (OpenSSL::X509::Certificate.new cert).public_key
if (pubkey.dsa_verify_asn1(oldrev+a+c, Base64.decode64(s)) and a == @myaddress and c == cert)
puts "Was asked to insert my ID to #{baseurl}, but it already had mine!"
return
end
#Well, guess that didn't work.
newrev = oldrev.to_i + 1
end
pkey = OpenSSL::PKey::EC.new File.read MYKEYPATH
signature = Base64.encode64(pkey.dsa_sign_asn1(newrev.to_s+@myaddress+cert)).strip
data = {"cert" => cert, "address" => @myaddress, "signature" => signature, "devices" => get_macs()}
if (currentrevision)
#This allows us to push on top of old data.
data["_rev"] = currentrevision
end
json = JSON.generate(data)
req = Net::HTTP::Put.new(uri.path)
req["content-type"] = "application/json"
req.body = json
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https',
:ca_file => CACERTPATH,
:cert => @mycert,
:key => @mykey,
:verify_mode => OpenSSL::SSL::VERIFY_NONE,
:verify_callback => proc do |p, c|
remote_certificate.public_key.to_s.strip == c.current_cert.public_key.to_s.strip
end,
:ssl_version => :TLSv1) do |http|
response = http.request req # Net::HTTPResponse object
puts "Response to inserting ID document at #{baseurl}: #{response.body}"
end
end
#Looks through the database for other nodes we've heard of,
#and checks that they have running replications.
def check_for_replications
uri = URI(NODEVIEWURL)
req = Net::HTTP::Get.new(uri.path)
req["content-type"] = "application/json"
data = nil
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.request req # Net::HTTPResponse object
data = JSON.parse(response.body)
end
data['rows'].each do |node|
begin
d = node['value']
puts "My address: #{@myaddress} Considering: #{d['address']}"
if (d['address'] == @myaddress)
#This is me-- don't try to replicate to myself, it'd be dumb.
puts "Won't replicate to myself."
next
else
puts "Proceeding with replication."
end
#signature over (rev+address+cert)
a = d['address']
c = d['cert']
s = d['signature']
revm = d['_rev'].match(/([0-9]+)-.+/)
rev = revm[1]
remote_certificate = OpenSSL::X509::Certificate.new c
pubkey = OpenSSL::PKey::EC.new (remote_certificate.public_key)
if pubkey.dsa_verify_asn1(rev+a+c, Base64.decode64(s))
#Then we've got a valid ID document.
puts "Replications: Found valid ID document for #{a}"
#Now do two things: 1) Push my ID doc to it, and 2) Make sure a replication is running *from* it.
#BaseURL: of the form "http://hostname.onion:34214/reticle/"
remoteaddress = "https://#{a}:34214/reticle/"
insert_my_node_document(remoteaddress, remote_certificate)
uri = URI(REPLICATORURL+"rep_#{a}")
req = Net::HTTP::Get.new(uri.path)
req["content-type"] = "application/json"
crepdata = nil
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.request req # Net::HTTPResponse object
crepdata = JSON.parse(response.body)
end
if (crepdata['_replication_state'] == "triggered")
#Then we've got a valid, working replication already.
puts "I already have a replication for #{remoteaddress}."
next
end
repdata = {
"source" => remoteaddress,
"continuous" => true,
"target" => "reticle"
}
if crepdata['_rev'] #And, importantly, if we're still here...
#This means that the replication isn't working.
repdata['_rev'] = crepdata['_rev'] #Make it rewrite correctly
end
uri = URI(REPLICATORURL+"rep_#{a}")
req = Net::HTTP::Put.new(uri.path)
req["content-type"] = "application/json"
req.body = JSON.generate(repdata)
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.request req # Net::HTTPResponse object
puts "Response to inserting replication document for #{remoteaddress}: #{response.body}"
end
else
puts "Replications: Invalid ID document for #{a}, disregarding."
end
rescue => e
#Have to use kernel.puts here... not entirely sure why, but otherwise I get the
#Error referenced in http://stackoverflow.com/questions/9911781/ruby-global-scope
puts "Was unable to do the replication to #{node['value']['address']} because:"
puts e.message
puts e.backtrace.join("\n")
end
puts "At the bottom of the replication loop for #{node['value']['address']}"
end
end
#Checks to see if the DB exists; if not, creates it.
def initialize_database
uri = URI(BASEURL)
data = nil
while data.nil?
begin
req = Net::HTTP::Get.new(uri.path)
req["content-type"] = "application/json"
puts "OK, going to try connecting to #{uri.host} : #{uri.port}"
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.request req # Net::HTTPResponse object
data = JSON.parse(response.body)
end
rescue => e
puts "Trying to connect to local database didn't work; I'll wait 2 seconds, then try again."
sleep 2
end
end
if data['error']
#Well then, the DB must not be there.
req = Net::HTTP::Put.new(uri.path)
req["content-type"] = "application/json"
data = nil
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.request req # Net::HTTPResponse object
data = JSON.parse(response.body)
end
if (data['ok'].nil?)
puts "ERROR: Tried to create database, but failed."
puts "Everything's probably going to crash."
return
end
uri = URI(BASEURL+CLIENTID)
req = Net::HTTP::Put.new(uri.path)
req["content-type"] = "application/json"
req.body = JSON.generate({"script" => "", "signature" => ""})
data = nil
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.request req # Net::HTTPResponse object
data = JSON.parse(response.body)
end
if (data['ok'].nil?)
puts "ERROR: Tried to create database, but failed to insert the CLIENT document."
puts "Everything's probably going to crash."
return
end
uri = URI(BASEURL+MISSIONID)
req = Net::HTTP::Put.new(uri.path)
req["content-type"] = "application/json"
req.body = JSON.generate({"script" => "", "signature" => ""})
data = nil
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.request req # Net::HTTPResponse object
data = JSON.parse(response.body)
end
if (data['ok'].nil?)
puts "ERROR: Tried to create database, but failed to insert the MISSION document."
puts "Everything's probably going to crash."
return
end
uri = URI(VIEWURL)
req = Net::HTTP::Put.new(uri.path)
req["content-type"] = "application/json"
req.body = JSON.generate({"language" => "javascript", "views" => {
"nodes" => {
"map" => "function(doc){
if (doc._id.match(/^node\_/))
{
emit(doc._id, doc);
}
}"
}
}})
data = nil
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.request req # Net::HTTPResponse object
data = JSON.parse(response.body)
end
if (data['ok'].nil?)
puts "ERROR: Tried to create database, but failed to insert the MISSION document."
puts "Everything's probably going to crash."
return
end
else
puts "Database exists."
end
end
def monitor_couch
EventMachine.run do
http = EventMachine::HttpRequest.new(FEEDURL+"&since=#{@since}").get :timeout => 0
buffer = ""
http.errback {
puts "Connection dropped (restarting; this is normal)"
monitor_couch
}
http.callback {
monitor_couch
}
http.stream do |chunk|
buffer += chunk
while line = buffer.slice!(/.+\r?\n/)
begin
handle_change JSON.parse(line)
rescue => e
puts "Caught exception when processing #{line}"
puts e.message
puts e.backtrace.join("\n")
end
end
end
end
end
puts "====================="
puts "=Client Starting Up ="
puts "====================="
#Write my PID to the assigned file, so the Overall script can read it
File.open(PIDPATH, 'w') {|f| f.write(Process.pid) }
@mycert = OpenSSL::X509::Certificate.new File.read MYCERTPATH
@mykey = OpenSSL::PKey::EC.new File.read MYKEYPATH
initialize_database
mainthread = Thread.new {monitor_couch}
@myaddress = File.read ONIONPATH
@myaddress.strip!
insert_my_node_document(BASEURL, @mycert)
secondthread = Thread.new {
while true
sleep 5
begin
check_for_replications
rescue => e
puts e.message
puts e.backtrace.join("\n")
end
sleep 15
end
}
mainthread.join
secondthread.join