Initial commit

.gitignore

@@ -0,0 +1,8 @@
+*.pyc
+*.log
+*.req
+*.state
+*.sublime*
+tmp
+*.original
+*.directory

M2LPlugin/Readme.md

@@ -0,0 +1 @@
+PSA M2LPlugin placeholder 

MSPL/Readme.md

@@ -0,0 +1 @@
+PSA MSPL placeholder

NED_files/TVDM/PSAManifest/strongswan

@@ -0,0 +1,22 @@
+{
+	"PSA_id":"strongswan",
+	"disk": "corporate-vpnPSA.qcow2",
+	"interface": [
+			{
+			"network":"data", 
+			"type":"data_in"
+			},
+			{
+			"network":"data", 
+			"type":"data_out"
+			},
+			{
+			"network":"control", 
+			"type":"manage"
+			}
+		],
+	"memory": "1024",
+	"IP": true,
+	"os-architecture": "x86_64",
+	"vcpu": "1"
+}

NED_files/TVDM/psaConfigs/strongswan/strongswan_user8

@@ -0,0 +1,20 @@
+{
+  "default": {
+    "keyexchange": "ikev2",
+    "rekeymargin": "3m",
+    "keyingtries": "3",
+    "ikelifetime": "60m"
+  },
+  "psa": {
+    "rightsubnet": "0.0.0.0/0",
+    "leftfirewall": "yes",
+    "leftsourceip": "%config",
+    "auto": "add",
+    "left": "%any",
+    "leftsubnet": "10.2.2.0/16",
+    "leftcert": "ClientCert.pem",
+    "rightid": "@vpn.secured.eu",
+    "leftid": "[email protected]",
+    "right": "147.83.42.191"
+  }
+}

NED_files/TVDM/userGraph/user8

@@ -0,0 +1,26 @@
+{
+	"name": "user_profile_type",
+	"user_token": "",
+	"profile_type": "AD",			
+
+	"PSASet": [
+
+		{
+			"id": "strongswan",
+			"security_controls": [
+
+				{
+					"imgName": "strongswan.img",
+					"conf_id":"strongswan_user8"
+				}
+
+			] 
+
+		}
+
+	], 
+
+	"ingress_flow": ["strongswan"],
+	"egress_flow": ["strongswan"]
+
+}

PSA/Config.py

@@ -0,0 +1,91 @@
+import ConfigParser
+import os
+import copy
+
+
+class Configuration(object):
+
+    _instance = None
+    #(fmignini) Not too meaningful use this var, I should change his name with something else like inizialized = False 
+    _AUTH_SERVER = None
+
+    def __new__(cls, *args, **kwargs):
+
+        if not cls._instance:
+            cls._instance = super(Configuration, cls).__new__(
+                                cls, *args, **kwargs)
+        return cls._instance 
+
+    def __init__(self):
+        #print 'Configuration - PATH : '+os.getcwd()
+        path = copy.copy(os.getcwd())
+        path_dirs = path.split("/")
+        for path_dir in path_dirs:
+            if path_dir == 'tests':
+                self.test = True
+            else:
+                self.test = False
+        #print self.test
+        if self._AUTH_SERVER is None:
+            self.inizialize()
+
+    def inizialize(self): 
+        config = ConfigParser.RawConfigParser()
+        config.read('psaEE.conf')
+        self._LOG_FILE = 'PSA.log'
+        self._VERBOSE = 'true'
+        self._DEBUG = 'true'
+        self._PSC_ADDRESS = config.get('configuration', 'psc_address')
+        self._PSA_CONFIG_PATH = config.get('configuration', 'psa_config_path')
+        self._PSA_ID = config.get('configuration', 'psa_id')
+        self._PSA_SCRIPTS_PATH = config.get('configuration', 'scripts_path')
+        self._PSA_API_VERSION = config.get('configuration', 'psa_api_version')
+        self._PSA_VERSION = config.get('configuration', 'psa_version')
+        self._PSA_NAME = config.get('configuration', 'psa_name')
+        self._PSA_LOG_LOCATION = config.get('configuration', 'psa_log_location')
+
+        #self._CONF_ID = config.get('configuration', 'conf_id')
+
+    @property
+    def LOG_FILE(self):
+        return self._LOG_FILE
+
+    @property
+    def VERBOSE(self):
+        return self._VERBOSE
+
+    @property
+    def PSC_ADDRESS(self):
+        return self._PSC_ADDRESS
+
+    @property
+    def PSA_CONFIG_PATH(self):
+        return self._PSA_CONFIG_PATH
+
+    @property
+    def PSA_SCRIPTS_PATH(self):
+        return self._PSA_SCRIPTS_PATH
+
+    @property
+    def PSA_ID(self):
+        return self._PSA_ID
+
+    @property
+    def PSA_NAME(self):
+        return self._PSA_NAME
+
+    @property
+    def PSA_API_VERSION(self):
+        return self._PSA_API_VERSION
+
+    @property
+    def PSA_VERSION(self):
+        return self._PSA_VERSION
+
+    @property
+    def PSA_LOG_LOCATION(self):
+        return self._PSA_LOG_LOCATION
+
+    # @property
+    # def CONF_ID(self):
+    #     return self._CONF_ID

PSA/Readme.md

@@ -0,0 +1,4 @@
+# Software for PSA Execution Environment (*ctrlmgmtd* agent)
+
+These files or functionality need to be a part of the PSA Execution Environment template.
+

PSA/boot_script_psa

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Place this in /etc/network/if-up.d/
+
+[ "$IFACE" = 'eth2' ] || exit 0
+
+ifconfig eth2 mtu 1496
+dhclient -1 eth2
+cd /home/psa/pythonScript
+ip=$(ifconfig eth2 | grep "inet addr" | awk '{print $2}' | cut -d: -f2)
+gunicorn -b $ip:8080 --log-file /home/psa/GUNICORN.log --log-level debug psaEE:app &

PSA/defaultIpsecConf

@@ -0,0 +1,13 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+config setup
+
+conn my_lan
+    left=%any
+    leftsubnet=192.168.2.0/24 #,10.2.0.0/16
+    rightsubnet=192.168.2.0/24 #,10.2.0.0/16
+    authby=never
+    type=passthrough
+    auto=route
+
+
+

PSA/dumpLogFile.py

@@ -0,0 +1,25 @@
+'''   
+    File:       dumpLogFile.py
+    Description:
+        REST resource to dump content of the log file from the PSC
+        For development purpose only! Disable this in production (TBD)
+
+'''
+import falcon
+import json
+
+
+class dumpLogFile():
+	def __init__(self):
+		pass
+
+	def on_get(self, req, resp):
+		try:
+			in_file = open("PSA.log","r")
+			log = in_file.read()
+			in_file.close()
+			resp.status = falcon.HTTP_200
+			resp.body = log
+		except Exception as e:
+			logging.exception(sys.exc_info()[0])
+			resp.status = falcon.HTTP_501

PSA/execInterface.py

@@ -0,0 +1,149 @@
+#   
+#   File: 		execInterface.py
+#	Created:    27/08/2014
+#   Author:     BSC, VTT
+#   
+#   Description:
+#       Web service running on the PSA receiving the configuration for the PSA from the PSC
+#
+#
+
+import falcon
+import logging
+import json
+import sys
+import subprocess
+import os
+import stat
+
+class execInterface():
+    def __init__(self, configsPath, scriptsPath, psaLogLocation, psaID):
+        self.confsPath = configsPath
+        self.scripts_path = scriptsPath
+        self.log_location = psaLogLocation
+        self.psaID = psaID
+
+    def on_post(self, request, response, command):
+        print "onPost"
+        try:
+            res = {}
+            res["command"] = command
+            if command == "init":
+                # receiev the configuration, or init package
+                script_file = self.confsPath + "/psaconf"
+                fp=open(script_file, 'wb')
+                while True:
+                    chunk = request.stream.read(4096)
+                    fp.write(chunk)
+                    if not chunk:
+                        break
+                fp.close()
+
+                # Make script executable for current user
+                # hazardous.. we're root
+                #st = os.stat(script_file)
+                #os.chmod(script_file, st.st_mode | stat.S_IEXEC)
+
+                # Run the init.sh and return it's return value
+                res["ret_code"] = str(self.callInitScript())
+                logging.info("PSA "+self.psaID+" configuration registered")
+            elif command == "start":
+                res["ret_code"] = str(self.callStartScript())
+            elif command == "stop":
+                res["ret_code"] = str(self.callStopScript())
+            else:
+                logging.info("POST: unknown command: " + command)
+                response.status = falcon.HTTP_404
+                return
+
+            response.body = json.dumps(res)
+            response.status = falcon.HTTP_200
+            response.set_header("Content-Type", "application/json")
+        except Exception as e:
+            logging.exception(sys.exc_info()[0])
+            response.status = falcon.HTTP_501
+
+    def on_get(self, request, response, command):
+        try:
+            res = {}
+            res["command"] = command
+            if command == "status":
+                res["ret_code"] = self.callStatusScript().replace("\n", "")
+            elif command == "configuration":
+                res["ret_code"] = self.callGetConfigurationScript()
+            elif command == "internet":
+                res["ret_code"] = self.callGetInternetScript()
+            elif command == "log":
+                # Return PSA log or 501
+                log = self.callGetLogScript()
+                if log != None:
+                    response.body = log
+                    response.status = falcon.HTTP_200
+                    response.set_header("Content-Type", "text/plain; charset=UTF-8")
+                else:
+                    #res["ret_code"] = "not_available"
+                    #response.body = json.dumps(res)
+                    #response.set_header("Accept", "application/json")
+                    response.status = falcon.HTTP_501
+                return
+            else:
+                logging.info("GET: unknown command: " + command)
+                response.status = falcon.HTTP_404
+                return
+
+            response.body = json.dumps(res)
+            response.status = falcon.HTTP_200
+            response.set_header("Content-Type", "application/json")
+        except Exception as e:
+            logging.exception(sys.exc_info()[0])
+            response.status = falcon.HTTP_501
+
+    def callInitScript(self):
+        logging.info("callInitScript()")
+        ret = subprocess.call(['.' + self.scripts_path + 'init.sh'])
+        return ret
+
+    def callStartScript(self):
+        logging.info("callStartScript()")
+        ret = subprocess.call(['.' + self.scripts_path + 'start.sh'])
+        return ret
+
+    def callStopScript(self):
+        logging.info("callStopScript()")
+        ret = subprocess.call(['.' + self.scripts_path + 'stop.sh'])
+        return ret
+
+    def callStatusScript(self):
+        proc = subprocess.Popen(['.' + self.scripts_path + 'status.sh'], stdout=subprocess.PIPE, shell=True)
+        (out, err) = proc.communicate()
+        return out
+
+    def callGetConfigurationScript(self):
+        logging.info("callGetConfigurationScript()")
+        proc = subprocess.Popen(['.' + self.scripts_path + 'current_config.sh'], stdout=subprocess.PIPE, shell=True)
+        (out, err) = proc.communicate()
+        return out
+
+    def callGetInternetScript(self):
+        logging.info("callGetInternetScript()")
+        proc = subprocess.Popen(['.' + self.scripts_path + 'ping.sh'], stdout=subprocess.PIPE, shell=True)
+        (out, err) = proc.communicate()
+        return out
+
+    def callGetLogScript(self):
+        logging.info("callGetLogScript()")
+        ret = None
+        try:
+            with open(self.log_location, "r") as f:
+                ret = f.read()
+        except Exception as e:
+            logging.exception(sys.exc_info()[0])
+
+        return ret
+
+    def get_client_address(self,environ):
+        try:
+            return environ['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip()
+        except KeyError:
+            return environ['REMOTE_ADDR']
+