-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathcloudburst.py
218 lines (189 loc) · 6.82 KB
/
cloudburst.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
import json
import os
import subprocess
import time
import toml
from bottle import request, response, route, run, template
from bottle import static_file, TEMPLATE_PATH, abort
from ipaddress import ip_address, ip_network
try:
with open("cloudburst.toml", "r") as f:
config = toml.load(f)
ui_config = config.get('cb-ui', {})
clouds = config.get('clouds', {})
# update globals
IPTABLES = ui_config.get('iptables','/sbin/iptables')
IP6TABLES = ui_config.get('ip6tables','/sbin/ip6tables')
LISTEN = ui_config.get('listen', '127.0.0.1')
LOOPBACK_IP_ADDRS = ui_config.get('loopback_addrs', [LISTEN])
INTERNAL_NETS = ui_config.get('internal_networks', ["127.0.0.1", "::1"])
BURSTABLE_CLOUDS = {c['ipset']: {'name': c['name']} for c in clouds.values()}
CLOUDS_FILTER = ui_config.get('shortlist', [])
except Exception as e:
raise e
TEMPLATE_PATH.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "static/internal")))
class Blocklist(object):
def __init__(self, ip):
parsed_ip = ip_address(ip)
self.ip = ip
self.version = parsed_ip.version
self.chain_name = self.chain_name(ip)
self._exists = False
@staticmethod
def chain_name(ip):
'''constructs a chain from an ip'''
if ':' in ip:
# Some IPv6 addresses are too long (must be **under 29 chars**)
# We need to split on after /64
# otoh is better to remove the : and truncate such that we have the last 28 chars
ip = ip_address(ip).compressed # compress if possible
ip = ip.replace(':', '') # drop colons
if len(ip) == 0:
return 0
elif len(ip) > 28:
return ip[-28:]
else:
return ip
return ip
@staticmethod
def run_iptables(cmd, version, silence=False):
if version == 4:
cmd = [IPTABLES, *cmd ]
elif version == 6:
cmd = [IP6TABLES, *cmd ]
else:
raise ValueError(f'Unknown ip version: {version}')
try:
result = subprocess.run(cmd, check=True, capture_output=True)
ret = False, result.stdout
except subprocess.CalledProcessError as e:
ret = True, e
except Exception as e:
raise e
error, message = ret
if error and not silence:
print(f"running {' '.join(cmd)} failed: {message}")
return ret
def _create(self):
""" Create a chain and the forwarding rule """
ip = self.ip
chain = self.chain_name
cmd = f'-N {chain}'.split()
self.run_iptables(cmd, self.version)
cmd = f'-A FORWARD -s {ip} -j {chain}'.split()
self.run_iptables(cmd, self.version)
def destroy(self):
""" Destroys the chain and the forwarding rule """
self.clear() # chain needs to be empty before removal
time.sleep(.1) # clearing takes time and has to be done for removal
chain = self.chain_name
cmd = f'-D FORWARD -s {self.ip} -j {chain}'.split()
self.run_iptables(cmd, self.version)
cmd = f'-X {chain}'.split()
self.run_iptables(cmd, self.version)
def clear(self):
""" Removes rules from the chain """
chain = self.chain_name
cmd = ['-F', chain]
self.run_iptables(cmd, self.version)
def system_exists(self):
""" Checks whether the chain exists on the system """
chain = self.chain_name
cmd = f'-L {chain}'.split()
error, message = self.run_iptables(cmd, self.version, silence=True)
return not error
def exists(self):
""" Checks whether the chain exists """
if not self._exists:
self._exists = self.system_exists()
return self._exists
def block_cloud(self, cloud):
chain = self.chain_name
version = self.version
print(f'bursting {cloud} for {self.ip}')
cmd = ['-A', chain, '-m','set','--match-set', f'{cloud}-v{version}','dst','-j','REJECT']
self.run_iptables(cmd, version)
def __enter__(self):
if not self.exists():
self._create()
return self
def __exit__(self, type, value, traceback):
pass
def get_clouds(shortlist=True):
""" Returns lists of clouds """
clouds = BURSTABLE_CLOUDS
if shortlist:
clouds = {k: v for k, v in BURSTABLE_CLOUDS.items() if k in CLOUDS_FILTER}
return clouds
def get_ip():
""" Try to get the IP from http headers """
headers_by_priority = ['HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR']
for header in headers_by_priority:
ip = request.environ.get(header)
if ip:
return ip
return None
def burst(clouds):
ip = get_ip()
with Blocklist(ip) as blocklist:
blocklist.clear()
#blocklist.destroy()
friendly_names = []
for cloud in clouds:
valid_cloud = BURSTABLE_CLOUDS.get(cloud)
if valid_cloud:
with Blocklist(ip) as blocklist:
blocklist.block_cloud(cloud)
friendly_names.append(valid_cloud['name'])
return template('blocked.html', clouds=', '.join(friendly_names))
def is_internal(ip):
if ip is None:
return False
address = ip_address(ip)
internal = any([address in ip_network(net) for net in INTERNAL_NETS])
return internal
@route('/')
def index(filename='index.html'):
ip = get_ip()
if is_internal(ip):
return static_file(filename, root='static/internal')
else:
resp = static_file(filename, root='static/external')
wguser = request.get_cookie("wguser")
if not wguser or wguser == "anonymous":
wguser = request.environ.get('HTTP_X_REQUEST_ID')
if (wguser):
resp.set_cookie("wguser", wguser)
else:
resp.set_cookie("wguser", "anonymous")
return resp
@route('/faq')
def faq():
return static_file('faq.html', root='static/external')
@route('/full')
def full():
ip = get_ip()
if is_internal(ip):
return static_file('full.html', root='static/internal')
abort(404, 'Not found.')
@route('/static/<filename>')
def static(filename):
""" Serve static files """
return static_file(filename, root='static/other/')
@route('/burst', method="ANY")
def burst_post():
clouds = []
for c in BURSTABLE_CLOUDS.keys():
if request.forms.get(c) == 'on':
clouds.append(c)
response.set_cookie("blocked", '-'.join(clouds))
return burst(clouds)
@route('/clouds')
def get_supported_clouds():
""" Obtains shortlist of supported cloudproviders """
return json.dumps(get_clouds())
@route('/allclouds')
def get_all_clouds():
""" Obtains list of supported cloudproviders """
return json.dumps(get_clouds(shortlist=False))
run(host=LISTEN, port=8080)