From 3c9b4d0e434d536c471d225e01723a61af544cb1 Mon Sep 17 00:00:00 2001 From: Tony Mack Date: Wed, 2 Mar 2011 16:26:03 -0500 Subject: [PATCH] add support for flash clients using flashpolicy --- config/default_config.xml | 25 ++++++ flashpolicy/.sfa_flashpolicy.py.swp | Bin 0 -> 20480 bytes flashpolicy/sfa_flashpolicy.py | 115 +++++++++++++++++++++++++ flashpolicy/sfa_flashpolicy_config.xml | 8 ++ setup.py | 3 + sfa.spec | 12 +++ sfa/init.d/sfa | 4 + 7 files changed, 167 insertions(+) create mode 100644 flashpolicy/.sfa_flashpolicy.py.swp create mode 100644 flashpolicy/sfa_flashpolicy.py create mode 100644 flashpolicy/sfa_flashpolicy_config.xml diff --git a/config/default_config.xml b/config/default_config.xml index aa8a3482..3eecf98e 100644 --- a/config/default_config.xml +++ b/config/default_config.xml @@ -265,6 +265,31 @@ Thierry Parmentelat + + SFA Flash Policy + The settings that affect the flash policy server that will run + as part of this SFA instance. + + + + Enable Flash Policy Server + false + Allows this local SFA instance to run a + flash policy server. + + + Flash policy config file + /etc/sfa/sfa_flashpolicy_config.xml + The path to where the flash policy config file can be reached. + + + Flash policy port + 843 + The flash policy server port. + + + + 
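Review bot: The config-file default here is `/etc/sfa/sfa_flashpolicy_config.xml`, but the same file is installed under a different name elsewhere in this commit: setup.py's data_files hunk lists `'flash_policy/flashpolicy_config.xml'` (the directory this commit creates is `flashpolicy/` and the file is `sfa_flashpolicy_config.xml`, so that source path does not exist), and sfa.spec's `%files flashpolicy` packages `/etc/sfa/flashpolicy_config.xml`. With the defaults as written, the init script passes a `--file` path that the package never installs, so an enabled server fails at startup. Use one name in all three places, e.g. `'flashpolicy/sfa_flashpolicy_config.xml'` in setup.py and `/etc/sfa/sfa_flashpolicy_config.xml` in the spec. The XML element names in this hunk are not legible in this view, so the variable names are inferred from the defaults and the init-script usage.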
diff --git a/flashpolicy/.sfa_flashpolicy.py.swp b/flashpolicy/.sfa_flashpolicy.py.swp new file mode 100644 index 0000000000000000000000000000000000000000..cf37d73c61f2c38c4dda9fb3b44be137ddbbdd1b GIT binary patch literal 20480 zcmeI2ZEPGz8ON8DKwHum(EvpPG_e)!S-m@-6E|rM7ZJs_WRlpf&j}J~*zVoV*<0`J z9y_zPuR!@!A%sAHXjLQxqJ^M-K!6IWM4QkGB#L+u;zQDcc#(LE@&VLJL4|&R|1-0D zyXTjtYRd>1W?9Mzh^UO1^&opZ%XO6Rj)iDdtjh6M5?}x{azJITEpJ!RJiKXuxQ|XuxQ|XuxQ|XuxQ|XuxQ|XuxQ|XuxRT z|3m{W{QSSdCV%%0C@}p0bOvw^AZzXnf& zAA;|K?|_Fu51a(kU>Mv4{(7Bd{StJ*wct4v;2CfM`~W-vJ`Ox^5bOjmyv4G<1wISr zz)o=STFd%2;Nach-`7~y@4;E{C9nz>z~!qg>nZRVFbQr1|9rD${Rx~0=Rg8ZfZgEv zH(Az?!DHYPU=i#B&+N3UGavwO2QT8lEk5_rj^lb^&_5;qQXO2zTW!B-+U3KHSt->Qp3T|Z}LDls< zC+bQ+3QKmSjktEDLP_zL$AzrhT~{vK<(JGj@P*_di$dfbOEy2ZuvpAgg}2YNt23pf zd8RrbdtF}lLrG<6yGbDHw~g=Lt}FwZfg%LzRJZqb<7kQ5>=q_uTsk?m(3qK<9VwQE z)fp6^)KQ&NnwVFrDJ8;P;`o}%I8~`o8S7M?(@blrt`%&dc&y|4VQFL{Z=-IEqO(JX zL{C(O^mrVXsSrw)lpu(fN`eP%^%e<>6`=Q3ieOL0aTK#IVrC;eVc)h*~RLR#E4O3N)A>6)LY_ zgF{P2qm|Ld8Wk!-Y3U(7R0R(`Hwcs#t6GF^Ssh3JpXYSa4SbKq{38i08^0~?uW~Qb zVHAv#(L{d*uh%Wd1nN+WEMq2KPO-UBOqpRS zQY@yKrrQj9Ohyq4+!!+l#<3z!( zuRMz2l1vcuX(_ep#@sQdF?ZzX)FMn&PYR7WXJP6@W9snaOw8imxXSc#@9cY zz{Atd%)jdBD6CAwqS*AP6nzU;Au{637zewXjtnbC)6*AA ziO8j3X^9UoJ@tVM+j0ERmyVNJHNL?(Y0#OlTDUn(lM@XCj$Rs{}5Q(an zboZ57G42?nT4lCRThQhYsgY(eQ4Yk3y6C(1C>GYENWJNLGTx!9ARf$p@`DTPWBTvI z^Yc@)lUe8p>=r$vc3^y5=RM5U*VnOlU+-{M!363HhJSY_Sg>F`>9{MLi3Ibhnrt!F zEmI?4t`%5XCSBjd2!ttABCUYk1RhH;)_Qz3OoCvb*6BOstus!;g{qMnbizV4`Wi|) zu2?Chi7^@@b{jXhOCt=6mD&V_9lq|%EDFLjI{03?`gj>hhK7bFUEYakC8gF9tt5`s zYB7#lT!<rrm7wWSPW^2hiC@nU#Yyqnutbznf`}V%-tqiOB08wImJ{BzrYF@od zu!iyK1Z_ShSmD0AhYRm4+l0&x>_AkC26D$lqzj%JzTO3<8$&b?o2L8p5Whh#3D`55 zhdu=r9KxZ~RFoI#oKK)~63tPkIob* zf&QS2s!p)_F;cImIub0|>g2XVXDc|U6SFsI2z?Z-d`Cfe)JY z|8(d7GWPm^0T;ke!DHYX;OpQ4a6kAY_%L`cxCLAdUcmnUXW&t=0RDk}|9Nm0JORE6 zJ_?#(2D}SgfQ=GkSZmeueP3E zC{FIYP=3bO;zmX4pHh>_z;u>1RGz1~V3MVMN%s{!VcL(xjjB?oou!CZ1M zmmIXi-du7pmmK1J=hdInX%@!DDV>b<&xXq)=8}WC 10000: + raise exceptions.RuntimeError('File 
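Review bot: `flashpolicy/.sfa_flashpolicy.py.swp` is a vim swap file and should not be part of the commit; it is an editor artifact that typically holds a recovery copy of the buffer being edited, so it can leak unsaved content and will drift from the real source. Drop it from the patch and add `*.swp` to the repository's ignore list so it cannot return.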
probably too large to be a policy file', + path) + if 'cross-domain-policy' not in policy: + raise exceptions.RuntimeError('Not a valid policy file', + path) + return policy + def run(self): + try: + while True: + thread.start_new_thread(self.handle, self.sock.accept()) + except socket.error, e: + self.log('Error accepting connection: %s' % (e[1],)) + def handle(self, conn, addr): + addrstr = '%s:%s' % (addr[0],addr[1]) + try: + self.log('Connection from %s' % (addrstr,)) + with contextlib.closing(conn): + # It's possible that we won't get the entire request in + # a single recv, but very unlikely. + request = conn.recv(1024).strip() + if request != '\0': + self.log('Unrecognized request from %s: %s' % (addrstr, request)) + return + self.log('Valid request received from %s' % (addrstr,)) + conn.sendall(self.policy) + self.log('Sent policy file to %s' % (addrstr,)) + except socket.error, e: + self.log('Error handling connection from %s: %s' % (addrstr, e[1])) + except Exception, e: + self.log('Error handling connection from %s: %s' % (addrstr, e[1])) + def log(self, str): + print >>sys.stderr, str + +def main(): + parser = optparse.OptionParser(usage = '%prog [--port=PORT] --file=FILE', + version='%prog ' + str(VERSION)) + parser.add_option('-p', '--port', dest='port', type=int, default=843, + help='listen on port PORT', metavar='PORT') + parser.add_option('-f', '--file', dest='path', + help='server policy file FILE', metavar='FILE') + parser.add_option("-d", "--daemon", dest="daemon", action="store_true", + help="Run as daemon.", default=False) + opts, args = parser.parse_args() + if args: + parser.error('No arguments are needed. See help.') + if not opts.path: + parser.error('File must be specified. See help.') + + try: + if opts.daemon: + daemon() + policy_server(opts.port, opts.path).run() + except Exception, e: + print >> sys.stderr, e + sys.exit(1) + except KeyboardInterrupt: + pass + +if __name__ == '__main__': + main() 
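Review bot: Both `except` clauses in `handle` (and the one in `run`) format `e[1]`, but an exception with fewer than two args is not indexable at `[1]` — a plain `Exception('msg')` or a `socket.timeout` both have a single arg — so the error path itself raises and the connection thread dies with a traceback instead of the intended log line; use `self.log('Error handling connection from %s: %s' % (addrstr, e))` in both clauses of `handle` and `'Error accepting connection: %s' % (e,)` in `run`. The accepted socket also has no timeout: `request = conn.recv(1024).strip()` blocks its thread until the peer sends something, and `run` starts a new thread per accept with no cap, so idle connections accumulate threads indefinitely; a `conn.settimeout(...)` with a small value before the recv bounds that, and the resulting `socket.timeout` would be logged by the existing `socket.error` clause once `str(e)` is used. The beginning of this hunk — the imports, `daemon()`, the class header, `__init__` and the first part of `read_policy` — is not legible in this view, so these points are limited to the visible lines. Minor: `def log(self, str)` shadows the builtin `str`; `msg` is a better name.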
diff --git a/flashpolicy/sfa_flashpolicy_config.xml b/flashpolicy/sfa_flashpolicy_config.xml new file mode 100644 index 00000000..757022b0 --- /dev/null +++ b/flashpolicy/sfa_flashpolicy_config.xml @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/setup.py b/setup.py index ffa138e8..87a45297 100755 --- a/setup.py +++ b/setup.py @@ -31,6 +31,7 @@ bins = [ 'sfa/client/sfiDeleteAttribute.py', 'sfatables/sfatables', 'keyconvert/keyconvert.py' + 'flashpolicy/sfa_flashpolicy.py', ] package_dirs = [ @@ -47,6 +48,7 @@ package_dirs = [ 'sfatables', 'sfatables/commands', 'sfatables/processors', + 'flashpolicy', ] @@ -60,6 +62,7 @@ data_files = [('/etc/sfa/', [ 'config/aggregates.xml', 'sfa/trust/sig.xsd', 'sfa/trust/xml.xsd', 'sfa/trust/protogeni-rspec-common.xsd', + 'flash_policy/flashpolicy_config.xml', ]), ('/etc/sfatables/matches/', glob('sfatables/matches/*.xml')), ('/etc/sfatables/targets/', glob('sfatables/targets/*.xml')), diff --git a/sfa.spec b/sfa.spec index 27364039..94904c3c 100644 --- a/sfa.spec +++ b/sfa.spec @@ -70,6 +70,11 @@ Summary: sfatables policy tool for SFA Group: Applications/System Requires: sfa +%package flashpolicy +Summary: SFA support for flash clients +Group: Applications/System +Requires: sfa + %Package tests Summary: unit tests suite for SFA Group: Applications/System @@ -95,6 +100,9 @@ sfatables is a tool for defining access and admission control policies in an SFA network, in much the same way as iptables is for ip networks. This is the command line interface to manage sfatables +%description flashpolicy +This package provides support for adobe flash client applications. + %description tests Provides some binary unit tests in /usr/share/sfa/tests @@ -154,6 +162,10 @@ rm -rf $RPM_BUILD_ROOT %files sfatables %{_bindir}/sfatables +%files flashpolicy +%{_bindir}/sfa_flashpolicy.py +/etc/sfa/flashpolicy_config.xml + %files tests %{_datadir}/sfa/tests diff --git a/sfa/init.d/sfa b/sfa/init.d/sfa index 5e579ee5..e4b8fecd 100755 --- a/sfa/init.d/sfa 
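Review bot: The new `bins` entry is added after the context line `'keyconvert/keyconvert.py'`, which has no trailing comma, so Python joins the two adjacent literals into the single string `'keyconvert/keyconvert.pyflashpolicy/sfa_flashpolicy.py'`; that path does not exist, so the build most likely fails on it and in any case neither script is installed, after which the spec's `%files flashpolicy` cannot find `%{_bindir}/sfa_flashpolicy.py`. Change the context line to `'keyconvert/keyconvert.py',` and keep `'flashpolicy/sfa_flashpolicy.py',` as added.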
+++ b/sfa/init.d/sfa @@ -75,6 +75,10 @@ start() { action "SFA SliceMgr" daemon /usr/bin/sfa-server.py -s -d $OPTIONS fi + if [ "$SFA_FLASHPOLICY_ENABLED" -eq 1 ]; then + action "Flash Policy Server" daemon /usr/bin/sfa_flashpolicy.py --file="$SFA_FLASHPOLICY_CONFIG_FILE" --port=$SFA_FLASHPOLICY_PORT -d + fi + RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sfa-server.py -- 2.43.0
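Review bot: The flash policy daemon is started here but nothing in this commit stops it: the diffstat shows only these four lines changed in `sfa/init.d/sfa`, so `service sfa stop` leaves `sfa_flashpolicy.py` listening on `$SFA_FLASHPOLICY_PORT` after the rest of SFA is down. Add a matching stop step for it in `stop()` the same way the other SFA daemons are handled there (that function is outside this hunk, so confirm the pattern before copying it). The enclosing `start()` function begins before this hunk.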