普通文本  |  310行  |  11.72 KB

# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import logging

from autotest_lib.client.bin import utils
from autotest_lib.client.cros import network_chroot
from autotest_lib.client.common_lib.cros import site_eap_certs

class VPNServer(object):
    """Context enclosing the use of a VPN server instance."""

    def __enter__(self):
        self.start_server()
        return self


    def __exit__(self, exception, value, traceback):
        logging.info('Log contents: %s', self.get_log_contents())
        self.stop_server()


class L2TPIPSecVPNServer(VPNServer):
    """Implementation of an L2TP/IPSec VPN.  Uses ipsec starter and xl2tpd."""
    ROOT_DIRECTORIES = ('etc/ipsec.d', 'etc/ipsec.d/cacerts',
                        'etc/ipsec.d/certs', 'etc/ipsec.d/crls',
                        'etc/ipsec.d/private', 'etc/ppp', 'etc/xl2tpd')
    CHAP_USER = 'chapuser'
    CHAP_SECRET = 'chapsecret'
    IPSEC_COMMAND = '/usr/sbin/ipsec'
    IPSEC_LOGFILE = 'var/log/charon.log'
    IPSEC_PRESHARED_KEY = 'preshared-key'
    IPSEC_CA_CERTIFICATE = 'etc/ipsec.d/cacerts/ca.cert'
    IPSEC_SERVER_CERTIFICATE = 'etc/ipsec.d/certs/server.cert'
    PPPD_PID_FILE = 'run/ppp0.pid'
    XAUTH_USER = 'xauth_user'
    XAUTH_PASSWORD = 'xauth_password'
    XAUTH_SECONDARY_AUTHENTICATION_STANZA = 'rightauth2=xauth'
    XL2TPD_COMMAND = '/usr/sbin/xl2tpd'
    XL2TPD_CONFIG_FILE = 'etc/xl2tpd/xl2tpd.conf'
    XL2TPD_PID_FILE = 'run/xl2tpd.pid'
    SERVER_IP_ADDRESS = '192.168.1.99'
    IPSEC_COMMON_CONFIGS = {
        'etc/strongswan.conf' :
            'charon {\n'
            '  filelog {\n'
            '    %(charon-logfile)s {\n'
            '      time_format = %%b %%e %%T\n'
            '      default = 3\n'
            '    }\n'
            '  }\n'
            '  install_routes = no\n'
            '  ignore_routing_tables = 0\n'
            '  routing_table = 0\n'
            '}\n',

        'etc/passwd' :
            'root:x:0:0:root:/root:/bin/bash\n'
            'ipsec:*:212:212::/dev/null:/bin/false\n',

        'etc/group' :
            'ipsec:x:212:\n',

        XL2TPD_CONFIG_FILE :
            '[global]\n'
            '\n'
            '[lns default]\n'
            '  ip range = 192.168.1.128-192.168.1.254\n'
            '  local ip = 192.168.1.99\n'
            '  require chap = yes\n'
            '  refuse pap = yes\n'
            '  require authentication = yes\n'
            '  name = LinuxVPNserver\n'
            '  ppp debug = yes\n'
            '  pppoptfile = /etc/ppp/options.xl2tpd\n'
            '  length bit = yes\n',

        'etc/xl2tpd/l2tp-secrets' :
            '*      them    l2tp-secret',

        'etc/ppp/chap-secrets' :
            '%(chap-user)s        *       %(chap-secret)s      *',

        'etc/ppp/options.xl2tpd' :
            'ipcp-accept-local\n'
            'ipcp-accept-remote\n'
            'noccp\n'
            'auth\n'
            'crtscts\n'
            'idle 1800\n'
            'mtu 1410\n'
            'mru 1410\n'
            'nodefaultroute\n'
            'debug\n'
            'lock\n'
            'proxyarp\n'
    }
    IPSEC_TYPED_CONFIGS = {
        'psk': {
            'etc/ipsec.conf' :
                'config setup\n'
                '  charondebug="%(charon-debug-flags)s"\n'
                'conn L2TP\n'
                '  keyexchange=ikev1\n'
                '  ike=aes128-sha1-modp2048!\n'
                '  esp=3des-sha1!\n'
                '  type=transport\n'
                '  authby=psk\n'
                '  %(xauth-stanza)s\n'
                '  rekey=no\n'
                '  left=%(local-ip)s\n'
                '  leftprotoport=17/1701\n'
                '  right=%%any\n'
                '  rightprotoport=17/%%any\n'
                '  auto=add\n',

            'etc/ipsec.secrets' :
              '%(local-ip)s %%any : PSK "%(preshared-key)s"\n'
              '%(xauth-user)s : XAUTH "%(xauth-password)s"\n',
        },
        'cert': {
            'etc/ipsec.conf' :
                'config setup\n'
                '  charondebug="%(charon-debug-flags)s"\n'
                'conn L2TP\n'
                '  keyexchange=ikev1\n'
                '  ike=aes128-sha1-modp2048!\n'
                '  esp=3des-sha1!\n'
                '  type=transport\n'
                '  left=%(local-ip)s\n'
                '  leftcert=server.cert\n'
                '  leftid="C=US, ST=California, L=Mountain View, '
                'CN=chromelab-wifi-testbed-server.mtv.google.com"\n'
                '  leftprotoport=17/1701\n'
                '  right=%%any\n'
                '  rightca="C=US, ST=California, L=Mountain View, '
                'CN=chromelab-wifi-testbed-root.mtv.google.com"\n'
                '  rightprotoport=17/%%any\n'
                '  auto=add\n',

            'etc/ipsec.secrets' : ': RSA server.key ""\n',

            IPSEC_SERVER_CERTIFICATE : site_eap_certs.server_cert_1,
            IPSEC_CA_CERTIFICATE : site_eap_certs.ca_cert_1,
            'etc/ipsec.d/private/server.key' :
                site_eap_certs.server_private_key_1,
        },
    }

    """Implementation of an L2TP/IPSec server instance."""
    def __init__(self, auth_type, interface_name, address, network_prefix,
                 perform_xauth_authentication=False,
                 local_ip_is_public_ip=False):
        self._auth_type = auth_type
        self._chroot = network_chroot.NetworkChroot(interface_name,
                                                    address, network_prefix)
        self._perform_xauth_authentication = perform_xauth_authentication

        if local_ip_is_public_ip:
            self.IPSEC_COMMON_CONFIGS[self.XL2TPD_CONFIG_FILE] = \
                self.IPSEC_COMMON_CONFIGS[self.XL2TPD_CONFIG_FILE].replace(
                    self.SERVER_IP_ADDRESS, address)
            self.SERVER_IP_ADDRESS = address


    def start_server(self):
        """Start VPN server instance"""
        if self._auth_type not in self.IPSEC_TYPED_CONFIGS:
            raise RuntimeError('L2TP/IPSec type %s is not define' %
                               self._auth_type)
        chroot = self._chroot
        chroot.add_root_directories(self.ROOT_DIRECTORIES)
        chroot.add_config_templates(self.IPSEC_COMMON_CONFIGS)
        chroot.add_config_templates(self.IPSEC_TYPED_CONFIGS[self._auth_type])
        chroot.add_config_values({
            'chap-user': self.CHAP_USER,
            'chap-secret': self.CHAP_SECRET,
            'charon-debug-flags': 'dmn 2, mgr 2, ike 2, net 2',
            'charon-logfile': self.IPSEC_LOGFILE,
            'preshared-key': self.IPSEC_PRESHARED_KEY,
            'xauth-user': self.XAUTH_USER,
            'xauth-password': self.XAUTH_PASSWORD,
            'xauth-stanza': self.XAUTH_SECONDARY_AUTHENTICATION_STANZA
                    if self._perform_xauth_authentication else '',
        })
        chroot.add_startup_command('%s start' % self.IPSEC_COMMAND)
        chroot.add_startup_command('%s -c /%s -C /tmp/l2tpd.control' %
                                   (self.XL2TPD_COMMAND,
                                    self.XL2TPD_CONFIG_FILE))
        chroot.startup()


    def stop_server(self):
        """Start VPN server instance"""
        chroot = self._chroot
        chroot.run([self.IPSEC_COMMAND, 'stop'], ignore_status=True)
        chroot.kill_pid_file(self.XL2TPD_PID_FILE, missing_ok=True)
        chroot.kill_pid_file(self.PPPD_PID_FILE, missing_ok=True)
        chroot.shutdown()


    def get_log_contents(self):
        """Return all logs related to the chroot."""
        return self._chroot.get_log_contents()


class OpenVPNServer(VPNServer):
    """Implementation of an OpenVPN service."""
    PRELOAD_MODULES = ('tun',)
    ROOT_DIRECTORIES = ('etc/openvpn', 'etc/ssl')
    CA_CERTIFICATE_FILE = 'etc/openvpn/ca.crt'
    SERVER_CERTIFICATE_FILE = 'etc/openvpn/server.crt'
    SERVER_KEY_FILE = 'etc/openvpn/server.key'
    DIFFIE_HELLMAN_FILE = 'etc/openvpn/diffie-hellman.pem'
    OPENVPN_COMMAND = '/usr/sbin/openvpn'
    OPENVPN_CONFIG_FILE = 'etc/openvpn/openvpn.conf'
    OPENVPN_PID_FILE = 'run/openvpn.pid'
    OPENVPN_STATUS_FILE = 'tmp/openvpn.status'
    AUTHENTICATION_SCRIPT = 'etc/openvpn_authentication_script.sh'
    EXPECTED_AUTHENTICATION_FILE = 'etc/openvpn_expected_authentication.txt'
    PASSWORD = 'password'
    USERNAME = 'username'
    SERVER_IP_ADDRESS = '10.11.12.1'
    CONFIGURATION = {
        'etc/ssl/blacklist' : '',
        CA_CERTIFICATE_FILE : site_eap_certs.ca_cert_1,
        SERVER_CERTIFICATE_FILE : site_eap_certs.server_cert_1,
        SERVER_KEY_FILE : site_eap_certs.server_private_key_1,
        DIFFIE_HELLMAN_FILE : site_eap_certs.dh1024_pem_key_1,
        AUTHENTICATION_SCRIPT :
            '#!/bin/bash\n'
            'diff -q $1 %(expected-authentication-file)s\n',
        EXPECTED_AUTHENTICATION_FILE : '%(username)s\n%(password)s\n',
        OPENVPN_CONFIG_FILE :
            'ca /%(ca-cert)s\n'
            'cert /%(server-cert)s\n'
            'dev tun\n'
            'dh /%(diffie-hellman-params-file)s\n'
            'keepalive 10 120\n'
            'local %(local-ip)s\n'
            'log /var/log/openvpn.log\n'
            'ifconfig-pool-persist /tmp/ipp.txt\n'
            'key /%(server-key)s\n'
            'persist-key\n'
            'persist-tun\n'
            'port 1194\n'
            'proto udp\n'
            'server 10.11.12.0 255.255.255.0\n'
            'status /%(status-file)s\n'
            'verb 5\n'
            'writepid /%(pid-file)s\n'
            '%(optional-user-verification)s\n'
    }

    def __init__(self, interface_name, address, network_prefix,
                 perform_username_authentication=False):
        self._chroot = network_chroot.NetworkChroot(interface_name,
                                                    address, network_prefix)
        self._perform_username_authentication = perform_username_authentication


    def start_server(self):
        """Start VPN server instance"""
        chroot = self._chroot
        chroot.add_root_directories(self.ROOT_DIRECTORIES)
        # Create a configuration template from the key-value pairs.
        chroot.add_config_templates(self.CONFIGURATION)
        config_values = {
            'ca-cert': self.CA_CERTIFICATE_FILE,
            'diffie-hellman-params-file': self.DIFFIE_HELLMAN_FILE,
            'expected-authentication-file': self.EXPECTED_AUTHENTICATION_FILE,
            'optional-user-verification': '',
            'password': self.PASSWORD,
            'pid-file': self.OPENVPN_PID_FILE,
            'server-cert': self.SERVER_CERTIFICATE_FILE,
            'server-key': self.SERVER_KEY_FILE,
            'status-file': self.OPENVPN_STATUS_FILE,
            'username': self.USERNAME,
        }
        if self._perform_username_authentication:
            config_values['optional-user-verification'] = (
                    'auth-user-pass-verify /%s via-file\nscript-security 2' %
                    self.AUTHENTICATION_SCRIPT)
        chroot.add_config_values(config_values)
        chroot.add_startup_command('chmod 755 %s' % self.AUTHENTICATION_SCRIPT)
        chroot.add_startup_command('%s --config /%s &' %
                                   (self.OPENVPN_COMMAND,
                                    self.OPENVPN_CONFIG_FILE))
        self.preload_modules()
        chroot.startup()


    def preload_modules(self):
        """Pre-load modules since they can't be loaded from chroot."""
        for module in self.PRELOAD_MODULES:
            utils.system('modprobe %s' % module)


    def get_log_contents(self):
        """Return all logs related to the chroot."""
        return self._chroot.get_log_contents()


    def stop_server(self):
        """Start VPN server instance"""
        chroot = self._chroot
        chroot.kill_pid_file(self.OPENVPN_PID_FILE, missing_ok=True)
        chroot.shutdown()