3 from enigma import eConsoleAppContainer, eTPM
4 from Plugins.Plugin import PluginDescriptor
6 from Components.config import config, ConfigBoolean, ConfigSubsection, ConfigInteger, ConfigYesNo, ConfigText
7 from Components.Network import iNetwork
8 from Screens.MessageBox import MessageBox
9 from WebIfConfig import WebIfConfigScreen
10 from WebChilds.Toplevel import getToplevel
12 from Tools.Directories import copyfile, resolveFilename, SCOPE_PLUGINS, SCOPE_CONFIG
14 from twisted.internet import reactor, ssl
15 from twisted.web import server, http, util, static, resource
17 from zope.interface import Interface, implements
18 from socket import gethostname as socket_gethostname
19 from OpenSSL import SSL
21 from os.path import isfile as os_isfile
22 from __init__ import _, __version__, decrypt_block
23 from webif import get_random, validate_certificate
25 rootkey = ['\x9f', '|', '\xe4', 'G', '\xc9', '\xb4', '\xf4', '#', '&', '\xce', '\xb3', '\xfe', '\xda', '\xc9', 'U', '`', '\xd8', '\x8c', 's', 'o', '\x90', '\x9b', '\\', 'b', '\xc0', '\x89', '\xd1', '\x8c', '\x9e', 'J', 'T', '\xc5', 'X', '\xa1', '\xb8', '\x13', '5', 'E', '\x02', '\xc9', '\xb2', '\xe6', 't', '\x89', '\xde', '\xcd', '\x9d', '\x11', '\xdd', '\xc7', '\xf4', '\xe4', '\xe4', '\xbc', '\xdb', '\x9c', '\xea', '}', '\xad', '\xda', 't', 'r', '\x9b', '\xdc', '\xbc', '\x18', '3', '\xe7', '\xaf', '|', '\xae', '\x0c', '\xe3', '\xb5', '\x84', '\x8d', '\r', '\x8d', '\x9d', '2', '\xd0', '\xce', '\xd5', 'q', '\t', '\x84', 'c', '\xa8', ')', '\x99', '\xdc', '<', '"', 'x', '\xe8', '\x87', '\x8f', '\x02', ';', 'S', 'm', '\xd5', '\xf0', '\xa3', '_', '\xb7', 'T', '\t', '\xde', '\xa7', '\xf1', '\xc9', '\xae', '\x8a', '\xd7', '\xd2', '\xcf', '\xb2', '.', '\x13', '\xfb', '\xac', 'j', '\xdf', '\xb1', '\x1d', ':', '?']
29 config.plugins.Webinterface = ConfigSubsection()
30 config.plugins.Webinterface.enabled = ConfigYesNo(default=True)
31 config.plugins.Webinterface.allowzapping = ConfigYesNo(default=True)
32 config.plugins.Webinterface.includemedia = ConfigYesNo(default=False)
33 config.plugins.Webinterface.autowritetimer = ConfigYesNo(default=False)
34 config.plugins.Webinterface.loadmovielength = ConfigYesNo(default=True)
35 config.plugins.Webinterface.version = ConfigText(__version__) # used to make the versioninfo accessible enigma2-wide, not confgurable in GUI.
37 config.plugins.Webinterface.http = ConfigSubsection()
38 config.plugins.Webinterface.http.enabled = ConfigYesNo(default=True)
39 config.plugins.Webinterface.http.port = ConfigInteger(default = 80, limits=(1, 65535) )
40 config.plugins.Webinterface.http.auth = ConfigYesNo(default=False)
42 config.plugins.Webinterface.https = ConfigSubsection()
43 config.plugins.Webinterface.https.enabled = ConfigYesNo(default=True)
44 config.plugins.Webinterface.https.port = ConfigInteger(default = 443, limits=(1, 65535) )
45 config.plugins.Webinterface.https.auth = ConfigYesNo(default=True)
47 config.plugins.Webinterface.streamauth = ConfigYesNo(default=False)
49 global running_defered, waiting_shutdown, toplevel
54 server.VERSION = "Enigma2 WebInterface Server $Revision$".replace("$Revi", "").replace("sion: ", "").replace("$", "")
56 #===============================================================================
57 # Helperclass to close running Instances of the Webinterface
58 #===============================================================================
61 def __init__(self, session, callback=None):
62 self.callback = callback
63 self.session = session
65 #===============================================================================
66 # Closes all running Instances of the Webinterface
67 #===============================================================================
69 global running_defered
70 for d in running_defered:
71 print "[Webinterface] stopping interface on ", d.interface, " with port", d.port
75 x.addCallback(self.isDown)
77 except AttributeError:
81 if self.callback is not None:
82 self.callback(self.session)
84 #===============================================================================
85 # #Is it already down?
86 #===============================================================================
90 if self.callback is not None:
91 self.callback(self.session)
93 def checkCertificates():
94 print "[WebInterface] checking for SSL Certificates"
95 srvcert = '%sserver.pem' %resolveFilename(SCOPE_CONFIG)
96 cacert = '%scacert.pem' %resolveFilename(SCOPE_CONFIG)
98 # Check whether there are regular certificates, if not copy the default ones over
99 if not os_isfile(srvcert) or not os_isfile(cacert):
105 def installCertificates(session, callback = None):
106 print "[WebInterface] Installing SSL Certificates to %s" %resolveFilename(SCOPE_CONFIG)
108 srvcert = '%sserver.pem' %resolveFilename(SCOPE_CONFIG)
109 cacert = '%scacert.pem' %resolveFilename(SCOPE_CONFIG)
110 scope_webif = '%sExtensions/WebInterface/' %resolveFilename(SCOPE_PLUGINS)
112 source = '%setc/server.pem' %scope_webif
114 ret = copyfile(source, target)
117 source = '%setc/cacert.pem' %scope_webif
119 ret = copyfile(source, target)
121 if ret == 0 and callback != None:
125 config.plugins.Webinterface.https.enabled.value = False
126 config.plugins.Webinterface.https.enabled.save()
128 # Start without https
132 session.open(MessageBox, "Couldn't install SSL-Certifactes for https access\nHttps access is now disabled!", MessageBox.TYPE_ERROR)
134 #===============================================================================
135 # restart the Webinterface for all configured Interfaces
136 #===============================================================================
137 def restartWebserver(session):
139 del session.mediaplayer
140 del session.messageboxanswer
143 except AttributeError:
146 global running_defered
147 if len(running_defered) > 0:
148 Closer(session, startWebserver).stop()
150 startWebserver(session)
152 #===============================================================================
153 # start the Webinterface for all configured Interfaces
154 #===============================================================================
155 def startWebserver(session, l2k):
156 global running_defered
159 session.mediaplayer = None
160 session.messageboxanswer = None
162 toplevel = getToplevel(session)
166 if config.plugins.Webinterface.enabled.value is not True:
167 print "[Webinterface] is disabled!"
170 # IF SSL is enabled we need to check for the certs first
171 # If they're not there we'll exit via return here
172 # and get called after Certificates are installed properly
173 if config.plugins.Webinterface.https.enabled.value:
174 if not checkCertificates():
175 print "[Webinterface] Installing Webserver Certificates for SSL encryption"
176 installCertificates(session, startWebserver)
178 # Listen on all Interfaces
181 if config.plugins.Webinterface.http.enabled.value is True:
182 ret = startServerInstance(session, ip, config.plugins.Webinterface.http.port.value, config.plugins.Webinterface.http.auth.value, l2k)
184 errors = "%s%s:%i\n" %(errors, ip, config.plugins.Webinterface.http.port.value)
186 registerBonjourService('http', config.plugins.Webinterface.http.port.value)
188 #Streaming requires listening on 127.0.0.1:80 no matter what, ensure it its available
189 if config.plugins.Webinterface.http.port.value != 80 or not config.plugins.Webinterface.http.enabled.value:
190 #LOCAL HTTP Connections (Streamproxy)
191 ret = startServerInstance(session, '127.0.0.1', 80, config.plugins.Webinterface.http.auth.value, l2k)
193 errors = "%s%s:%i\n" %(errors, '127.0.0.1', 80)
196 session.open(MessageBox, "Webinterface - Couldn't listen on:\n %s" % (errors), type=MessageBox.TYPE_ERROR, timeout=30)
199 if config.plugins.Webinterface.https.enabled.value is True:
200 ret = startServerInstance(session, ip, config.plugins.Webinterface.https.port.value, config.plugins.Webinterface.https.auth.value, l2k, True)
202 errors = "%s%s:%i\n" %(errors, ip, config.plugins.Webinterface.https.port.value)
204 registerBonjourService('https', config.plugins.Webinterface.https.port.value)
206 #===============================================================================
207 # stop the Webinterface for all configured Interfaces
208 #===============================================================================
209 def stopWebserver(session):
211 del session.mediaplayer
212 del session.messageboxanswer
215 except AttributeError:
218 global running_defered
219 if len(running_defered) > 0:
220 Closer(session).stop()
222 #===============================================================================
223 # startServerInstance
224 # Starts an Instance of the Webinterface
225 # on given ipaddress, port, w/o auth, w/o ssl
226 #===============================================================================
227 def startServerInstance(session, ipaddress, port, useauth=False, l2k=None, usessl=False):
230 l3c = tpm.getCert(eTPM.TPMD_DT_LEVEL3_CERT)
236 l3k = validate_certificate(l3c, l2k)
241 random = get_random()
246 value = tpm.challenge(random)
247 result = decrypt_block(value, l3k)
253 if result [80:88] == random:
254 print "[WebInterface.plugin].startServerInstance - Genuine verfication succeeded!"
260 # HTTPAuthResource handles the authentication for every Resource you want it to
261 root = HTTPAuthResource(toplevel, "Enigma2 WebInterface")
262 site = server.Site(root)
264 site = server.Site(toplevel)
268 ctx = ssl.DefaultOpenSSLContextFactory('/etc/enigma2/server.pem', '/etc/enigma2/cacert.pem', sslmethod=SSL.SSLv23_METHOD)
269 d = reactor.listenSSL(port, site, ctx, interface=ipaddress)
271 d = reactor.listenTCP(port, site, interface=ipaddress)
272 running_defered.append(d)
273 print "[Webinterface] started on %s:%i" % (ipaddress, port), "auth=", useauth, "ssl=", usessl
276 #except Exception, e:
277 #print "[Webinterface] starting FAILED on %s:%i!" % (ipaddress, port), e
279 #===============================================================================
281 # Handles HTTP Authorization for a given Resource
282 #===============================================================================
283 class HTTPAuthResource(resource.Resource):
284 def __init__(self, res, realm):
285 resource.Resource.__init__(self)
288 self.authorized = False
290 self.unauthorizedResource = UnauthorizedResource(self.realm)
292 def unautorized(self, request):
293 request.setResponseCode(http.UNAUTHORIZED)
294 request.setHeader('WWW-authenticate', 'basic realm="%s"' % self.realm)
296 return self.unauthorizedResource
298 def isAuthenticated(self, request):
299 host = request.getHost().host
300 #If streamauth is disabled allow all acces from localhost
301 if not config.plugins.Webinterface.streamauth.value:
302 if( host == "127.0.0.1" or host == "localhost" ):
303 print "[WebInterface.plugin.isAuthenticated] Streaming auth is disabled bypassing authcheck because host is '%s'" %host
306 # get the Session from the Request
307 sessionNs = request.getSession().sessionNamespaces
309 # if the auth-information has not yet been stored to the session
310 if not sessionNs.has_key('authenticated'):
311 sessionNs['authenticated'] = check_passwd(request.getUser(), request.getPassword())
313 #if the auth-information already is in the session
315 if sessionNs['authenticated'] is False:
316 sessionNs['authenticated'] = check_passwd(request.getUser(), request.getPassword() )
318 #return the current authentication status
319 return sessionNs['authenticated']
321 #===============================================================================
322 # Call render of self.resource (if authenticated)
323 #===============================================================================
324 def render(self, request):
325 if self.isAuthenticated(request) is True:
326 return self.resource.render(request)
329 print "[Webinterface.HTTPAuthResource.render] !!! unauthorized !!!"
330 return self.unautorized(request).render(request)
332 #===============================================================================
333 # Override to call getChildWithDefault of self.resource (if authenticated)
334 #===============================================================================
335 def getChildWithDefault(self, path, request):
336 if self.isAuthenticated(request) is True:
337 return self.resource.getChildWithDefault(path, request)
340 print "[Webinterface.HTTPAuthResource.render] !!! unauthorized !!!"
341 return self.unautorized(request)
343 #===============================================================================
344 # UnauthorizedResource
345 # Returns a simple html-ified "Access Denied"
346 #===============================================================================
347 class UnauthorizedResource(resource.Resource):
348 def __init__(self, realm):
349 resource.Resource.__init__(self)
351 self.errorpage = static.Data('<html><body>Access Denied.</body></html>', 'text/html')
353 def getChild(self, path, request):
354 return self.errorpage
356 def render(self, request):
357 return self.errorpage.render(request)
359 # Password verfication stuff
361 from hashlib import md5 as md5_new
362 from crypt import crypt
364 #===============================================================================
367 # Get a password database entry for the given user name
368 # Example from the Python Library Reference.
369 #===============================================================================
370 def getpwnam(name, pwfile=None):
372 pwfile = '/etc/passwd'
380 entry = tuple(line.strip().split(':', 6))
385 #===============================================================================
389 #===============================================================================
390 def passcrypt(passwd, salt=None, method='des', magic='$1$'):
391 """Encrypt a string according to rules in crypt(3)."""
392 if method.lower() == 'des':
393 return crypt(passwd, salt)
394 elif method.lower() == 'md5':
395 return passcrypt_md5(passwd, salt, magic)
396 elif method.lower() == 'clear':
399 #===============================================================================
402 # Checks username and Password against a given Unix Password file
403 # The default path is '/etc/passwd'
404 #===============================================================================
405 def check_passwd(name, passwd, pwfile='/etc/passwd'):
406 """Validate given user, passwd pair against password database."""
408 if not pwfile or type(pwfile) == type(''):
409 getuser = lambda x, pwfile = pwfile: getpwnam(x, pwfile)[1]
411 getuser = pwfile.get_passwd
414 enc_passwd = getuser(name)
415 except (KeyError, IOError):
416 print "[Webinterface.check_passwd] No such user!"
419 "[Webinterface.check_passwd] NOT ENC_PASSWD"
421 elif len(enc_passwd) >= 3 and enc_passwd[:3] == '$1$':
422 salt = enc_passwd[3:enc_passwd.find('$', 3)]
423 return enc_passwd == passcrypt(passwd, salt, 'md5')
425 return enc_passwd == passcrypt(passwd, enc_passwd[:2])
428 DES_SALT = list('./0123456789' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz')
431 r = r + DES_SALT[v & 0x3F]
436 #===============================================================================
438 # Encrypt a password via md5
439 #===============================================================================
440 def passcrypt_md5(passwd, salt=None, magic='$1$'):
443 elif salt[:len(magic)] == magic:
444 # remove magic from salt if present
445 salt = salt[len(magic):]
447 # salt only goes up to first '$'
448 salt = salt.split('$')[0]
449 # limit length of salt to 8
452 ctx = md5_new(passwd)
456 ctx1 = md5_new(passwd)
460 final = ctx1.digest()
462 for i in range(len(passwd), 0 , -16):
466 ctx.update(final[:i])
473 ctx.update(passwd[:1])
477 for i in range(1000):
483 if i % 3: ctx1.update(salt)
484 if i % 7: ctx1.update(passwd)
489 final = ctx1.digest()
491 rv = magic + salt + '$'
492 final = map(ord, final)
493 l = (final[0] << 16) + (final[6] << 8) + final[12]
494 rv = rv + _to64(l, 4)
495 l = (final[1] << 16) + (final[7] << 8) + final[13]
496 rv = rv + _to64(l, 4)
497 l = (final[2] << 16) + (final[8] << 8) + final[14]
498 rv = rv + _to64(l, 4)
499 l = (final[3] << 16) + (final[9] << 8) + final[15]
500 rv = rv + _to64(l, 4)
501 l = (final[4] << 16) + (final[10] << 8) + final[5]
502 rv = rv + _to64(l, 4)
504 rv = rv + _to64(l, 2)
508 global_session = None
510 #===============================================================================
512 # Actions to take place on Session start
513 #===============================================================================
514 def sessionstart(reason, session):
515 global global_session
516 global_session = session
519 def registerBonjourService(protocol, port):
521 from Plugins.Extensions.Bonjour.Bonjour import bonjour
523 service = bonjour.buildService(protocol, port)
524 bonjour.registerService(service, True)
525 print "[WebInterface.registerBonjourService] Service for protocol '%s' with port '%i' registered!" %(protocol, port)
528 except ImportError, e:
529 print "[WebInterface.registerBonjourService] %s" %e
532 def unregisterBonjourService(protocol):
534 from Plugins.Extensions.Bonjour.Bonjour import bonjour
536 bonjour.unregisterService(protocol)
537 print "[WebInterface.unregisterBonjourService] Service for protocol '%s' unregistered!" %(protocol)
540 except ImportError, e:
541 print "[WebInterface.unregisterBonjourService] %s" %e
545 if ( not config.plugins.Webinterface.http.enabled.value ) or ( not config.plugins.Webinterface.enabled.value ):
546 unregisterBonjourService('http')
547 if ( not config.plugins.Webinterface.https.enabled.value ) or ( not config.plugins.Webinterface.enabled.value ):
548 unregisterBonjourService('https')
550 #===============================================================================
552 # Actions to take place after Network is up (startup the Webserver)
553 #===============================================================================
554 def networkstart(reason, **kwargs):
556 l2c = tpm.getCert(eTPM.TPMD_DT_LEVEL2_CERT)
561 l2k = validate_certificate(l2c, rootkey)
569 startWebserver(global_session, l2k)
572 elif reason is False:
573 stopWebserver(global_session)
578 def openconfig(session, **kwargs):
579 session.openWithCallback(configCB, WebIfConfigScreen)
581 def configCB(result, session):
583 print "[WebIf] config changed"
584 restartWebserver(session)
587 print "[WebIf] config not changed"
589 def Plugins(**kwargs):
590 return [PluginDescriptor(where=[PluginDescriptor.WHERE_SESSIONSTART], fnc=sessionstart),
591 PluginDescriptor(where=[PluginDescriptor.WHERE_NETWORKCONFIG_READ], fnc=networkstart),
592 PluginDescriptor(name=_("Webinterface"), description=_("Configuration for the Webinterface"),
593 where=[PluginDescriptor.WHERE_PLUGINMENU], icon="plugin.png", fnc=openconfig)]