# HG changeset patch # User ft # Date 1415121999 -3600 # Node ID 28b7682d547638ba4fef6a691f9e6c501809b63f initial commit of encryptionprovider-deb diff -r 000000000000 -r 28b7682d5476 Apache License, Version 2.0.txt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/Apache License, Version 2.0.txt Tue Nov 04 18:26:39 2014 +0100 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff -r 000000000000 -r 28b7682d5476 encryptionprovider-package --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/encryptionprovider-package Tue Nov 04 18:26:39 2014 +0100 
@@ -0,0 +1,34 @@
+### Commented entries have reasonable defaults.
+### Uncomment to edit them.
+# Source:
+Section: misc
+Priority: optional
+# Homepage:
+Standards-Version: 3.9.2
+
+Package: encryptionprovider
+Version: 0.0.26
+Maintainer: ft
+# Pre-Depends:
+Depends: python,python-requests,python-urllib3,python-netifaces,python-netaddr,python-webpy
+# Recommends:
+# Suggests:
+# Provides:
+# Replaces:
+Architecture: all
+# Copyright:
+# Changelog:
+# Readme:
+# Extra-Files:
+Files: encryptionprovider.py /usr/bin/
+ passwordreceiver.py /usr/bin/
+ encryptionprovider.cfg /etc/encryptionprovider/
+ truecrypt_getdevices.sh /usr/local/bin/
+ truecrypt_init.sh /usr/local/bin/
+ truecrypt_mount.sh /usr/local/bin/
+ truecrypt_umount.sh /usr/local/bin/
+ truecrypt_config.cfg /usr/local/bin/
+ pre_init.sh /usr/local/bin/
+ post_init.sh /usr/local/bin/
+Description: Encryption provider for opensecurity system
+ An extra layer that makes it possible to easy switch between encryption methodes
diff -r 000000000000 -r 28b7682d5476 encryptionprovider-package.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/encryptionprovider-package.conf Tue Nov 04 18:26:39 2014 +0100
@@ -0,0 +1,2 @@
+# Original main-package.conf file.
+# Do not touch it!! It belongs to dpkg.
diff -r 000000000000 -r 28b7682d5476 encryptionprovider.cfg
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/encryptionprovider.cfg Tue Nov 04 18:26:39 2014 +0100
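Review bot: The `Depends:` line declares only Python packages, but the shipped scripts invoke `chattr` (post_init.sh, pre_init.sh), `/usr/bin/truecrypt` (via truecrypt_config.cfg) and `/usr/bin/osecfs` (post_init.sh), none of which is declared, so the package installs cleanly onto a host where the init scripts then fail at runtime. Add the packages that provide those binaries (e2fsprogs for chattr, and whatever ships truecrypt and osecfs) to `Depends:`. truecrypt_config.cfg is installed into /usr/local/bin and is executed as shell code by `. "$BASEDIR/truecrypt_config.cfg"` in truecrypt_getdevices.sh, so it should be owned and permissioned like the scripts themselves; a comment in this file stating that the .cfg is sourced, not parsed, would keep a future maintainer from treating it as data.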
@@ -0,0 +1,20 @@
+[Main]
+# make sure this file is writeable
+LogFile: /var/log/encryptionprovider.log
+
+# DEBUG, INFO, WARNING, ERROR, CRITICAL
+LogLevel: debug
+
+# Path where the keyfile will be saved for temp usage
+Keyfile: /tmp/keyfile.key
+
+MountScript: /usr/local/bin/truecrypt_mount.sh
+UmountScript: /usr/local/bin/truecrypt_umount.sh
+InitScript: /usr/local/bin/truecrypt_init.sh
+GetDevicesScript: /usr/local/bin/truecrypt_getdevices.sh
+
+# Umount Stick, ....
+PreInitScript: /usr/local/bin/pre_init.sh
+
+# Mount create folders, mount osecfs, ...
+PostInitScript: /usr/local/bin/post_init.sh
\ No newline at end of file
diff -r 000000000000 -r 28b7682d5476 encryptionprovider.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/encryptionprovider.py Tue Nov 04 18:26:39 2014 +0100
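Review bot: `Keyfile: /tmp/keyfile.key` is a fixed, predictable name in a shared world-writable directory, and passwordreceiver.py opens it with `open(settings["keyfilepath"], "w+")` before writing the decoded key material, so a pre-existing file or symlink of that name controlled by another local user redirects or exposes the key. Point this at a directory only the service user can enter (a 0700 subdirectory under /run or /var/lib, for example) and have the writer create the file with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` rather than a plain `open`. The comment over `LogLevel` lists the accepted names, but the shipped value `debug` makes encryptionprovider.py log every external command line it runs; a comment noting that INFO or above is the intended production setting would help.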
@@ -0,0 +1,220 @@ +#!/usr/bin/python + +# ------------------------------------------------------------ +# opensecurity package file +# +# Autor: X-Net Services GmbH +# +# Copyright 2013-2014 X-Net and AIT Austrian Institute of Technology +# +# +# X-Net Technologies GmbH +# Elisabethstrasse 1 +# 4020 Linz +# AUSTRIA +# https://www.x-net.at +# +# AIT Austrian Institute of Technology +# Donau City Strasse 1 +# 1220 Wien +# AUSTRIA +# http://www.ait.ac.at +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+# ------------------------------------------------------------ + +import subprocess +import web +import netifaces +import argparse +import thread +import time +import os +import sys +import ConfigParser +import logging +from passwordreceiver import * + +MINOPTS = { "Main" : ["LogFile", "LogLevel", "MountScript", "UmountScript", "InitScript", "GetDevicesScript", "Keyfile"]} + +CONFIG_FILE="/etc/encryptionprovider/encryptionprovider.cfg" +CONFIG_NOT_READABLE = "Configfile is not readable" +CONFIG_WRONG = "Something is wrong with the config" +CONFIG_MISSING = "Section: \"%s\" Option: \"%s\" in configfile is missing" + +def checkMinimumOptions (config): + for section, options in MINOPTS.iteritems (): + for option in options: + if (config.has_option(section, option) == False): + print (CONFIG_MISSING % (section, option)) + exit (129) + + +def loadConfig (): + configfile = CONFIG_FILE + config = ConfigParser.SafeConfigParser () + + if ((os.path.exists (configfile) == False) or (os.path.isfile (configfile) == False) or (os.access (configfile, os.R_OK) == False)): + print (CONFIG_NOT_READABLE) + exit (1) + + try: + config.read (CONFIG_FILE) + except Exception, e: + print (CONFIG_WRONG) + print ("Error: %s" % (e)) + exit (1) + + checkMinimumOptions (config) + return config + +def initLog (config): + global LOG + logfile = config.get("Main", "LogFile") + + numeric_level = getattr(logging, config.get("Main", "LogLevel").upper(), None) + if not isinstance(numeric_level, int): + raise ValueError('Invalid log level: %s' % loglevel) + + # ToDo move log level and maybe other things to config file + logging.basicConfig( + level = numeric_level, + format = "%(asctime)s %(name)-12s %(funcName)-15s %(levelname)-8s %(message)s", + datefmt = "%Y-%m-%d %H:%M:%S", + filename = logfile, + filemode = "a+", + ) + LOG = logging.getLogger("encryptionprovicer") + + + + +def runExternalScripts (command): + LOG.debug ("Run external Script: %s" %(command,)) + + if (os.path.isfile (command[0]) == 
False): + LOG.error ("File does not exist: %s" %((command[0]),)) + sys.stderr.write("File does not exist: %s\n" %((command[0]),)) + exit (1) + + process = subprocess.Popen( command, stdout=subprocess.PIPE, stderr=subprocess.PIPE ) + retcode = process.wait() + ( stdout, stderr ) = process.communicate() + + return { "retcode" : retcode, "stdout" : stdout, "stderr" : stderr } + + +def getDevices (script): + command = [script]; + result = runExternalScripts (command); + + if (result["retcode"] != 0): + LOG.error ("Retcode: %s" %(result["retcode"],)) + LOG.error ("stdout: %s" %(result["stdout"],)) + LOG.error ("stderr: %s" %(result["stderr"],)) + sys.stderr.write("%s" %(result["stderr"],)) + exit (1) + + #print ("%s" %(result["stdout"],)) + # don't use print here, because of the extra newline + sys.stdout.write ("%s" %(result["stdout"],)) + + +def umountDevice (script, device): + command = [script, device]; + result = runExternalScripts (command); + + if (result["retcode"] != 0): + LOG.error ("Retcode: %s" %(result["retcode"],)) + LOG.error ("stdout: %s" %(result["stdout"],)) + LOG.error ("stderr: %s" %(result["stderr"],)) + sys.stderr.write("%s" %(result["stderr"],)) + exit (1) + + #print ("%s" %(result["stdout"],)) + # don't use print here, because of the extra newline + sys.stdout.write ("%s" %(result["stdout"],)) + + +def mountDevice (script, interface, port, device, mountpoint, keyfilepath): + listener = MyRestListener (opensecurity_urls, globals(), script = script, device = device, mountpoint = mountpoint, tries = 3, keyfilepath = keyfilepath) + thread.start_new_thread(listener.run, (interface, port,)) + + close = False + while (close == False): + time.sleep(1) + if (os.path.ismount(mountpoint) == True): + close = True + LOG.info ("Stick \"%s\" was mounted sucessfully to \"%s\"" %(device, mountpoint,)) + sys.exit(0) + + if (os.path.exists(device) == False): + close = True + LOG.error ("Stick \"%s\" removed -> exit" %(device,)) + sys.exit(1) + +def 
isDeviceMountedAtMountpoint (device, mountpoint): + command = ("/bin/df %s | /usr/bin/tail -1 | awk '{print $1}'" %(mountpoint,)) + pipe = os.popen(command) + result = pipe.read().rstrip() + + if (pipe.close() != None): + LOG.error ("error: %s" %(result,)) + exit (1) + + if (result == device): + LOG.debug ("Device: %s ### Result: %s ### Return: True" %(device, result,)) + return True + else: + LOG.debug ("Device: %s ### Result: %s ### Return: False" %(device, result,)) + return False + + +def initDevice (script, interface, port, device, mountpoint, keyfilepath, preinitscript, postinitscript): + listener = MyRestListener (opensecurity_urls, globals(), script = script, device = device, mountpoint = mountpoint, tries = 3, keyfilepath = keyfilepath, preinitscript = preinitscript, postinitscript = postinitscript) + thread.start_new_thread(listener.run, (interface, port,)) + + close = False + while (close == False): + time.sleep(1) + if (os.path.exists(device) == False): + close = True + LOG.info ("Stick \"%s\" removed -> exit" %(device,)) + sys.exit(1) + +if __name__ == "__main__": + + parser = argparse.ArgumentParser(epilog='--mount, --umount and --initialize are mutually exclusive') + group = parser.add_mutually_exclusive_group(required=True) + group.add_argument('-m', '--mount', action='store', nargs=4, dest='mount', help='Mounts an encrypted device.', metavar=("interface", "port", "device", "mountpoint")) + group.add_argument('-u', '--umount', action='store', nargs=1, dest='umount', help='Unmounts an encrypted device', metavar="device") + group.add_argument('-i', '--initialize', action='store', nargs=4, dest='initialize', help='Initialize an device.', metavar=("interface", "port", "device", "mountpoint")) + group.add_argument('-g', '--getdevices', action='store_true', dest="getdevices", help='Returns a list of all mounted encrypted devices') + arguments = parser.parse_args() + + + config = loadConfig () + initLog (config) + + if (arguments.getdevices): + getDevices 
(config.get ("Main", "GetDevicesScript")) + + if (arguments.umount): + umountDevice (config.get ("Main", "UmountScript"), arguments.umount[0]) + + if (arguments.mount): + mountDevice (config.get ("Main", "MountScript"), arguments.mount[0], int(arguments.mount[1]), arguments.mount[2], arguments.mount[3], config.get ("Main", "Keyfile")) + + if (arguments.initialize): + initDevice (config.get ("Main", "InitScript"), arguments.initialize[0], int(arguments.initialize[1]), arguments.initialize[2], arguments.initialize[3], config.get ("Main", "Keyfile"), config.get("Main", "PreInitScript"), config.get("Main", "PostInitScript")) diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.10_all.deb Binary file encryptionprovider_0.0.10_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.11_all.deb Binary file encryptionprovider_0.0.11_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.12_all.deb Binary file encryptionprovider_0.0.12_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.13_all.deb Binary file encryptionprovider_0.0.13_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.14_all.deb Binary file encryptionprovider_0.0.14_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.15_all.deb Binary file encryptionprovider_0.0.15_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.16_all.deb Binary file encryptionprovider_0.0.16_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.17_all.deb Binary file encryptionprovider_0.0.17_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.18_all.deb Binary file encryptionprovider_0.0.18_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.19_all.deb Binary file encryptionprovider_0.0.19_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.1_all.deb Binary 
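Review bot: `initLog` raises `ValueError('Invalid log level: %s' % loglevel)` but no `loglevel` name is bound in that function (the value is read inline as `config.get("Main", "LogLevel")`), so a bad level produces a NameError instead of the intended message; bind it once, `loglevel = config.get("Main", "LogLevel")`, and use it in both the `getattr` and the message. `isDeviceMountedAtMountpoint` interpolates `mountpoint` into `"/bin/df %s | /usr/bin/tail -1 | awk '{print $1}'"` and hands the string to `os.popen`, so a mountpoint containing shell metacharacters is executed as shell; `subprocess.check_output(["/bin/df", mountpoint])` with the last line split in Python does the same job without a shell. `runExternalScripts` (and the same pattern in passwordreceiver.py) calls `process.wait()` before `process.communicate()` with both streams on PIPE, which blocks indefinitely once a child fills a pipe buffer; call `communicate()` first and read `process.returncode`. The logger name `"encryptionprovicer"` looks like a typo for encryptionprovider.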
file encryptionprovider_0.0.1_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.20_all.deb Binary file encryptionprovider_0.0.20_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.21_all.deb Binary file encryptionprovider_0.0.21_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.22_all.deb Binary file encryptionprovider_0.0.22_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.23_all.deb Binary file encryptionprovider_0.0.23_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.24_all.deb Binary file encryptionprovider_0.0.24_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.25_all.deb Binary file encryptionprovider_0.0.25_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.26_all.deb Binary file encryptionprovider_0.0.26_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.2_all.deb Binary file encryptionprovider_0.0.2_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.3_all.deb Binary file encryptionprovider_0.0.3_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.4_all.deb Binary file encryptionprovider_0.0.4_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.5_all.deb Binary file encryptionprovider_0.0.5_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.6_all.deb Binary file encryptionprovider_0.0.6_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.7_all.deb Binary file encryptionprovider_0.0.7_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.8_all.deb Binary file encryptionprovider_0.0.8_all.deb has changed diff -r 000000000000 -r 28b7682d5476 encryptionprovider_0.0.9_all.deb Binary file encryptionprovider_0.0.9_all.deb has changed diff -r 000000000000 -r 
28b7682d5476 passwordreceiver.py --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/passwordreceiver.py Tue Nov 04 18:26:39 2014 +0100 
@@ -0,0 +1,196 @@ +#!/usr/bin/python + +# ------------------------------------------------------------ +# opensecurity package file +# +# Autor: X-Net Services GmbH +# +# Copyright 2013-2014 X-Net and AIT Austrian Institute of Technology +# +# +# X-Net Technologies GmbH +# Elisabethstrasse 1 +# 4020 Linz +# AUSTRIA +# https://www.x-net.at +# +# AIT Austrian Institute of Technology +# Donau City Strasse 1 +# 1220 Wien +# AUSTRIA +# http://www.ait.ac.at +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+# ------------------------------------------------------------ + + +import subprocess +import web +import netifaces +import os +import sys +import base64 +#import logging + +opensecurity_urls = ( + '/password', 'os_password', + '/init', 'os_init' +) + +#__LOG = logging.getLogger("passwordreceiver") + +class os_password: + + # delete the key file in a secure way (will not working on ssd's :/ ,but ram only vm -> should be ok) + def deleteKeyfile(self, keyfilepath): + filesize = os.path.getsize(keyfilepath) + keyfile = open (keyfilepath, "w+") + for i in range (0, 10): + keyfile.seek(0) + keyfile.write(os.urandom(filesize)) + keyfile.flush() + keyfile.close() + os.remove(keyfilepath) + + + def GET(self, settings): + return self.POST(settings) + + def POST(self, settings): + + # pick the arguments + args = web.input() + + if not "password" in args: + raise web.badrequest() + + if "keyfile" in args: + keyfile = open (settings["keyfilepath"], "w+") + keyfile.write(base64.b64decode(args["keyfile"])) + keyfile.close() + command = [settings["script"], settings["device"], settings["mountpoint"], args["password"], settings["keyfilepath"]] + else: + command = [settings["script"], settings["device"], settings["mountpoint"], args["password"]] + + process = subprocess.Popen( command, stdout=subprocess.PIPE, stderr=subprocess.PIPE ) + retval = process.wait() + ( stdout, stderr ) = process.communicate() + + if "keyfile" in args: + self.deleteKeyfile(settings["keyfilepath"]) + + if (retval != 0): + raise web.badrequest(stderr) + + return "Success: Encrypted Stick is mounted" + +class os_init: + # delete the key file in a secure way (will not working on ssd's :/ ,but ram only vm -> should be ok) + def deleteKeyfile(self, keyfilepath): + filesize = os.path.getsize(keyfilepath) + keyfile = open (keyfilepath, "w+") + for i in range (0, 10): + keyfile.seek(0) + keyfile.write(os.urandom(filesize)) + keyfile.flush() + keyfile.close() + os.remove(keyfilepath) + + def runPreInitScript(self, 
preinitscript, device): + #__LOG.debug("Start preinit Script") + + command = [preinitscript, device] + process = subprocess.Popen( command, stdout=subprocess.PIPE, stderr=subprocess.PIPE ) + retval = process.wait() + ( stdout, stderr ) = process.communicate() + + #__LOG.debug("preinit done result: %s" %(retval,)) + + if (retval != 0): + raise web.badrequest(stderr) + + def runPostInitScript(self, postinitscript): + #__LOG.debug("Start postinit Script") + + command = [postinitscript] + process = subprocess.Popen( command, stdout=subprocess.PIPE, stderr=subprocess.PIPE ) + retval = process.wait() + ( stdout, stderr ) = process.communicate() + + #__LOG.debug("postinit done result: %s" %(retval,)) + + if (retval != 0): + raise web.badrequest(stderr) + + def GET(self, settings): + return self.POST(settings) + + def POST(self, settings): + + # pick the arguments + args = web.input() + + if not "password" in args: + raise web.badrequest() + + # Do the preinit stuff + self.runPreInitScript(settings["preinitscript"], settings["device"]) + + if "keyfile" in args: + keyfile = open (settings["keyfilepath"], "w+") + keyfile.write(base64.b64decode(args["keyfile"])) + keyfile.close() + command = [settings["script"], settings["device"], settings["mountpoint"], args["password"], settings["keyfilepath"]] + else: + command = [settings["script"], settings["device"], settings["mountpoint"], args["password"]] + + #__LOG.debug("Start init script") + + process = subprocess.Popen( command, stdout=subprocess.PIPE, stderr=subprocess.PIPE ) + retval = process.wait() + ( stdout, stderr ) = process.communicate() + + if "keyfile" in args: + self.deleteKeyfile(settings["keyfilepath"]) + + #__LOG.debug("init done result: %s" %(retval,)) + + if (retval != 0): + raise web.badrequest(stderr) + + # Do the postinit stuff + self.runPostInitScript(settings["postinitscript"]) + + return "Success: Stick is initialized and mounted" + +class MyRestListener(web.application): + def __init__(self, mapping=(), 
fvars={}, autoreload=None, script=None, device=None, mountpoint=None, tries=None, keyfilepath=None, preinitscript=None, postinitscript=None): + web.application.__init__(self, mapping, fvars, autoreload) + self.device = device + self.mountpoint = mountpoint + self.script = script + self.tries = tries + self.keyfilepath = keyfilepath + self.preinitscript = preinitscript + self.postinitscript = postinitscript + + def run(self, interface, port, *middleware): + func = self.wsgifunc(*middleware) + ifaceip = netifaces.ifaddresses(interface)[2][0]["addr"] + return web.httpserver.runsimple(func, (ifaceip, port)) + + def handle(self): + fn, args = self._match(self.mapping, web.ctx.path) + args.append({"script": self.script, "device": self.device, "mountpoint": self.mountpoint, "tries": self.tries, "keyfilepath": self.keyfilepath, "preinitscript": self.preinitscript, "postinitscript": self.postinitscript}) + return self._delegate(fn, self.fvars, args) diff -r 000000000000 -r 28b7682d5476 post_init.sh --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/post_init.sh Tue Nov 04 18:26:39 2014 +0100 
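Review bot: In both `os_password.POST` and `os_init.POST` the submitted password is placed into `command` as an argv element of the mount/init script, so for the lifetime of that child it is readable by every local user through `ps` or /proc/<pid>/cmdline; hand it over on the child's stdin (`Popen(..., stdin=subprocess.PIPE)` and `communicate(input=...)`) or via the environment and adjust the truecrypt_*.sh scripts to read it from there. `GET` forwards to `POST`, so the password and base64 keyfile are also accepted from a URL query string, which web.py's access log and any proxy will record; drop the GET handler or answer it with 405. `deleteKeyfile` runs only after the script returns, so if `Popen` fails or raises the decoded keyfile stays on disk; wrap the run in `try/finally` so the scrub always executes. `web.badrequest(stderr)` returns the script's stderr verbatim to the HTTP client, exposing device and mount details; log it server-side and return a generic message. The wait-before-communicate deadlock noted on encryptionprovider.py applies to all four `Popen` call sites here as well.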
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# ------------------------------------------------------------
+# opensecurity package file
+#
+# Autor: X-Net Services GmbH
+#
+# Copyright 2013-2014 X-Net and AIT Austrian Institute of Technology
+#
+#
+# X-Net Technologies GmbH
+# Elisabethstrasse 1
+# 4020 Linz
+# AUSTRIA
+# https://www.x-net.at
+#
+# AIT Austrian Institute of Technology
+# Donau City Strasse 1
+# 1220 Wien
+# AUSTRIA
+# http://www.ait.ac.at
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------
+
+chattr -i "/tmp/usbmount"
+mkdir /tmp/usbmount/encrypted
+chattr +i "/tmp/usbmount"
+/usr/bin/osecfs /etc/osecfs/osecfs_usb.cfg "/tmp/usbmount/encrypted" rw
\ No newline at end of file
diff -r 000000000000 -r 28b7682d5476 pre_init.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/pre_init.sh Tue Nov 04 18:26:39 2014 +0100
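Review bot: None of the four commands checks its status and the script has no `set -e`, so when `chattr -i` or `mkdir /tmp/usbmount/encrypted` fails (directory left over from an earlier run, /tmp/usbmount absent) the script still re-sets the immutable bit and mounts osecfs onto a path that may not exist, and its exit status reflects only the last command. Add `set -eu` after the shebang and make the directory step idempotent, `mkdir -p -- /tmp/usbmount/encrypted || exit 1`. /tmp/usbmount is a fixed path inside a shared directory; the immutable bit only protects it once it is root-owned, so presumably it is created by the system earlier — a comment stating who creates it and why `chattr` is toggled would make the intent checkable.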
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# ------------------------------------------------------------
+# opensecurity package file
+#
+# Autor: X-Net Services GmbH
+#
+# Copyright 2013-2014 X-Net and AIT Austrian Institute of Technology
+#
+#
+# X-Net Technologies GmbH
+# Elisabethstrasse 1
+# 4020 Linz
+# AUSTRIA
+# https://www.x-net.at
+#
+# AIT Austrian Institute of Technology
+# Donau City Strasse 1
+# 1220 Wien
+# AUSTRIA
+# http://www.ait.ac.at
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------
+
+DEVICE="$1"
+
+# This script makes sure that the stick is unmounted and unused
+# Run this Script before the init process
+
+# make sure to have "/dev/sdb" (not "/dev/sdb1")
+#DEVICE="${DEVICE:0:8}" the bash way does not work in dash -.-
+DEVICE="$(echo "$DEVICE" | awk '{print substr($1,0,9)}')"
+
+# make sure the device is not mounted
+chattr -i "/tmp/usbmount"
+umount /tmp/usbmount/*
+sleep 1
+rmdir /tmp/usbmount/*
+umount /media/usb*
+
+# search for already encrypted volumes
+device=$(encryptionprovider.py -g)
+
+if [ "$?" = "0" ]
+then
+ encryptionprovider.py -u $device
+fi
\ No newline at end of file
diff -r 000000000000 -r 28b7682d5476 truecrypt_config.cfg
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/truecrypt_config.cfg Tue Nov 04 18:26:39 2014 +0100
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+tc_cmd="/usr/bin/truecrypt"
\ No newline at end of file
diff -r 000000000000 -r 28b7682d5476 truecrypt_getdevices.sh
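Review bot: The `DEVICE="$(echo "$DEVICE" | awk '{print substr($1,0,9)}')"` line depends on how the installed awk treats a start index of 0; that it yields the eight characters of `/dev/sdb` is a side effect of that handling, and `substr($1,1,8)` says what is meant without relying on it. The same expression is in truecrypt_init.sh. Either form still assumes `/dev/sdX` naming and would truncate a name like `/dev/sdaa1` or an NVMe partition wrongly, which is worth a comment next to the line. At the bottom, the output of `encryptionprovider.py -g` is passed unquoted; `encryptionprovider.py -u "$device"` keeps it as a single argument, and if `-g` can return more than one device that case needs handling explicitly rather than by word splitting.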
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/truecrypt_getdevices.sh Tue Nov 04 18:26:39 2014 +0100
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# ------------------------------------------------------------
+# opensecurity package file
+#
+# Autor: X-Net Services GmbH
+#
+# Copyright 2013-2014 X-Net and AIT Austrian Institute of Technology
+#
+#
+# X-Net Technologies GmbH
+# Elisabethstrasse 1
+# 4020 Linz
+# AUSTRIA
+# https://www.x-net.at
+#
+# AIT Austrian Institute of Technology
+# Donau City Strasse 1
+# 1220 Wien
+# AUSTRIA
+# http://www.ait.ac.at
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------
+
+BASEDIR="$(dirname $0)"
+
+if [ -r "$BASEDIR/truecrypt_config.cfg" ]
+then
+ . "$BASEDIR/truecrypt_config.cfg"
+else
+ echo "truecrypt_config.cfg not found" >&2
+ exit 1
+fi
+
+devicelist="$($tc_cmd -l)"
+result="$?"
+
+if [ "$result" != "0" ]
+then
+ exit 1
+fi
+
+# can't do this on the original command because of /bin/sh -> dash -> no PIPESTATUS -.-
+devicelist=$(echo $devicelist | awk '{ print $2}')
+
+echo "$devicelist"
+exit 0
\ No newline at end of file
diff -r 000000000000 -r 28b7682d5476 truecrypt_init.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/truecrypt_init.sh Tue Nov 04 18:26:39 2014 +0100
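Review bot: `devicelist=$(echo $devicelist | awk '{ print $2}')` loses the line structure of the `$tc_cmd -l` output, because the unquoted expansion joins all lines into one; awk then sees a single record and prints one field, so with more than one mounted volume only the first volume's path comes back. `devicelist=$(printf '%s\n' "$devicelist" | awk '{ print $2 }')` keeps one line per volume and still leaves the exit-status check on the original command intact. `BASEDIR="$(dirname $0)"` should quote `$0` (`dirname "$0"`); the same line appears in truecrypt_init.sh, truecrypt_mount.sh and truecrypt_umount.sh. Because `truecrypt_config.cfg` is sourced as shell code, the directory it is read from must not be writable by unprivileged users, and a comment saying so beside the `. "$BASEDIR/truecrypt_config.cfg"` line would tell the packager which permissions matter.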
@@ -0,0 +1,135 @@
+#!/bin/sh
+
+# ------------------------------------------------------------
+# opensecurity package file
+#
+# Autor: X-Net Services GmbH
+#
+# Copyright 2013-2014 X-Net and AIT Austrian Institute of Technology
+#
+#
+# X-Net Technologies GmbH
+# Elisabethstrasse 1
+# 4020 Linz
+# AUSTRIA
+# https://www.x-net.at
+#
+# AIT Austrian Institute of Technology
+# Donau City Strasse 1
+# 1220 Wien
+# AUSTRIA
+# http://www.ait.ac.at
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------
+
+BASEDIR="$(dirname $0)"
+DEVICE="$1"
+MOUNTPOINT="$2"
+PASSWORD="$3"
+KEYFILE="$4"
+
+
+getRemoteIp ()
+{
+ ip_address=$(ifconfig eth0 | grep "inet " | awk '{ print $2 }' | cut -d ":" -f 2)
+ ip_netmask=$(ifconfig eth0 | grep "inet " | awk '{ print $4 }' | cut -d ":" -f 2)
+ remote_ip=$(ipcalc $ip_address/$ip_netmask | grep HostMin | awk '{ print $2}')
+
+ echo $remote_ip
+}
+
+sendInfoNotification ()
+{
+ MESSAGE="$1"
+ wget -q -T 3 -t 1 -O /dev/null "http://$(getRemoteIp):8090/message?msgtype=information&text=$MESSAGE"
+}
+
+sendErrorNotification ()
+{
+ MESSAGE="$1"
+ wget -q -T 3 -t 1 -O /dev/null "http://$(getRemoteIp):8090/notification?msgtype=critical&text=$MESSAGE"
+}
+
+
+if [ -r "$BASEDIR/truecrypt_config.cfg" ]
+then
+ . "$BASEDIR/truecrypt_config.cfg"
+else
+ echo "truecrypt_config.cfg not found" >&2
+ exit 1
+fi
+
+# make sure to have "/dev/sdb" (not "/dev/sdb1")
+#DEVICE="${DEVICE:0:8}" the bash way does not work in dash -.-
+DEVICE="$(echo "$DEVICE" | awk '{print substr($1,0,9)}')"
+
+sendInfoNotification "Encrypt device"
+if [ -z "$KEYFILE" ]
+then
+ message="$($tc_cmd -c --non-interactive --quick --filesystem=none --encryption=AES --hash=RIPEMD-160 -p "$PASSWORD" "$DEVICE")"
+ result="$?"
+else
+ message="$($tc_cmd -c --non-interactive --quick --filesystem=none --encryption=AES --hash=RIPEMD-160 -p "$PASSWORD" -k "$KEYFILE" "$DEVICE")"
+ result="$?"
+fi
+
+
+if [ "$result" != "0" ]
+then
+ sendErrorNotification "Encryption failed"
+ exit 1
+fi
+
+sendInfoNotification "Device encrypted"
+
+
+
+if [ -z "$KEYFILE" ]
+then
+ message="$message\n$($tc_cmd --non-interactive --filesystem=none -p "$PASSWORD" "$DEVICE")"
+ result="$?"
+else
+ message="$message\n$($tc_cmd --non-interactive --filesystem=none -p "$PASSWORD" -k "$KEYFILE" "$DEVICE")"
+ result="$?"
+fi
+
+if [ "$result" != "0" ]
+then
+ exit 1
+fi
+
+
+
+sendInfoNotification "Create NTFS filesystem on encrypted device"
+
+TC_DEVICE=$(truecrypt -l | awk '{print $3}')
+
+message="$message\n$(mkfs.ntfs --quick "$TC_DEVICE")"
+result="$?"
+
+if [ "$result" != "0" ]
+then
+ sendErrorNotification "Filesystem creation failed"
+ exit 1
+fi
+
+sendInfoNotification "Filesystem successfully created"
+
+mount "$TC_DEVICE" "$MOUNTPOINT"
+
+sendInfoNotification "Stick is now initialized"
+
+echo "$message"
+exit 0
\ No newline at end of file
diff -r 000000000000 -r 28b7682d5476 truecrypt_mount.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/truecrypt_mount.sh Tue Nov 04 18:26:39 2014 +0100
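Review bot: `TC_DEVICE=$(truecrypt -l | awk '{print $3}')` takes the mapper device of every mounted TrueCrypt volume, not the one just created for `$DEVICE`, so with another volume already mounted the variable holds several lines and `mkfs.ntfs --quick "$TC_DEVICE"` either fails or, depending on listing order, formats a different volume; the line also calls `truecrypt` directly instead of the `$tc_cmd` the config file provides. If the installed build accepts a volume argument on `-l`, `TC_DEVICE=$($tc_cmd -l "$DEVICE" | awk '{print $3}')` narrows it to the expected volume, and `[ -b "$TC_DEVICE" ] || exit 1` before mkfs guards against an empty or multi-line result. The password arrives as `$3` and is passed as `-p "$PASSWORD"`, which leaves it visible in the process list to every local user for the duration of each truecrypt call; truecrypt_mount.sh has the same pattern, and handing it over through a file descriptor or file instead of argv would need the caller in encryptionprovider.py changed as well. `mount "$TC_DEVICE" "$MOUNTPOINT"` is never checked, so `Stick is now initialized` is reported even when that mount failed.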
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# ------------------------------------------------------------
+# opensecurity package file
+#
+# Autor: X-Net Services GmbH
+#
+# Copyright 2013-2014 X-Net and AIT Austrian Institute of Technology
+#
+#
+# X-Net Technologies GmbH
+# Elisabethstrasse 1
+# 4020 Linz
+# AUSTRIA
+# https://www.x-net.at
+#
+# AIT Austrian Institute of Technology
+# Donau City Strasse 1
+# 1220 Wien
+# AUSTRIA
+# http://www.ait.ac.at
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------
+
+BASEDIR="$(dirname $0)"
+DEVICE="$1"
+MOUNTPOINT="$2"
+PASSWORD="$3"
+KEYFILE="$4"
+
+if [ -r "$BASEDIR/truecrypt_config.cfg" ]
+then
+ . "$BASEDIR/truecrypt_config.cfg"
+else
+ echo "truecrypt_config.cfg not found" >&2
+ exit 1
+fi
+
+if [ -z "$KEYFILE" ]
+then
+ message="$($tc_cmd --non-interactive "$DEVICE" "$MOUNTPOINT" -p "$PASSWORD")"
+ result="$?"
+else
+ message="$($tc_cmd --non-interactive "$DEVICE" "$MOUNTPOINT" -p "$PASSWORD" -k "$KEYFILE")"
+ result="$?"
+fi
+
+
+
+if [ "$result" != "0" ]
+then
+ exit 1
+fi
+
+echo "$message"
+exit 0
\ No newline at end of file
diff -r 000000000000 -r 28b7682d5476 truecrypt_umount.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/truecrypt_umount.sh Tue Nov 04 18:26:39 2014 +0100
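Review bot: The positional interface of truecrypt_mount.sh is only implied by the four assignments at the top; a usage line such as `# usage: truecrypt_mount.sh DEVICE MOUNTPOINT PASSWORD [KEYFILE]` above `DEVICE="$1"` would state the contract the Python caller depends on. None of the required arguments is validated, so an empty `$1`, `$2` or `$3` goes straight into the truecrypt call; `: "${DEVICE:?}" "${MOUNTPOINT:?}" "${PASSWORD:?}"` after the assignments fails early with a message instead. The volume is a removable stick, so the filesystem mount should normally carry `nosuid,nodev`; if the installed build supports it, `--fs-options=nosuid,nodev` on both `$tc_cmd` invocations applies that, and otherwise a comment should record that the default mount options are being relied on.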
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# ------------------------------------------------------------
+# opensecurity package file
+#
+# Autor: X-Net Services GmbH
+#
+# Copyright 2013-2014 X-Net and AIT Austrian Institute of Technology
+#
+#
+# X-Net Technologies GmbH
+# Elisabethstrasse 1
+# 4020 Linz
+# AUSTRIA
+# https://www.x-net.at
+#
+# AIT Austrian Institute of Technology
+# Donau City Strasse 1
+# 1220 Wien
+# AUSTRIA
+# http://www.ait.ac.at
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------
+
+BASEDIR="$(dirname $0)"
+DEVICE="$1"
+
+if [ -r "$BASEDIR/truecrypt_config.cfg" ]
+then
+ . "$BASEDIR/truecrypt_config.cfg"
+else
+ echo "truecrypt_config.cfg not found" >&2
+ exit 1
+fi
+
+message="$($tc_cmd -d $DEVICE)"
+result="$?"
+
+if [ "$result" != "0" ]
+then
+ exit 1
+fi
+
+echo "$message"
+exit 0
\ No newline at end of file
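Review bot: `message="$($tc_cmd -d $DEVICE)"` passes the device unquoted, and when the script is called without `$1` it runs `truecrypt -d` with no volume at all, which the TrueCrypt CLI treats as a request to dismount every mounted volume rather than as an error. Requiring and quoting the argument, `: "${DEVICE:?device path required}"` after `DEVICE="$1"` and `message="$($tc_cmd -d "$DEVICE")"`, limits the script to the one volume the caller named. `$0` in `dirname $0` should be quoted as well.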