Diffstat (limited to 'kpov_judge/tasks/openvpn_simple_smb')
-rw-r--r-- | kpov_judge/tasks/openvpn_simple_smb/task.py | 306 |
1 files changed, 138 insertions, 168 deletions
diff --git a/kpov_judge/tasks/openvpn_simple_smb/task.py b/kpov_judge/tasks/openvpn_simple_smb/task.py
index bf39102..3304fb3 100644
--- a/kpov_judge/tasks/openvpn_simple_smb/task.py
+++ b/kpov_judge/tasks/openvpn_simple_smb/task.py
@@ -5,31 +5,26 @@ instructions = { 'si':u""" -Postavi tri navidezne racunalnike - SimpleArbiter z diska SimpleArbiterVPN ter -VPNClient1 in VPNClient2, ki jima nastavite pravilne mrežne nastavitve (medsebojna povezava in povezava na splet). -Na vse racunalnike namestite OpenVPN in program za nadzor nad virtualnimi napravami (s katerim kreirate napravo tap). +Postavi dva navidezna racunalnika - SimpleArbiter z diska SimpleArbiterVPN ter +VPNClient1. Nastavite jima nastavite pravilne mrežne nastavitve (medsebojna povezava in povezava na splet). +Na VPNClient1 namestite OpenVPN in program za nadzor nad virtualnimi napravami (s katerim kreirate napravo tap). -Na strežniku SimpleArbiterVPN že teče VPN strežnik, ki uporablja skrivnost, ki jo najdete tudi na VPNClient1. -Na VPNClient1 vzpostavite VPN tako, da napišete primerno konf. datoteko. +Na strežniku SimpleArbiterVPN že teče VPN strežnik, ki uporablja skrivnost, ki jo najdete tudi na VPNClient1 v domačem imeniku uporabnika student. +Na VPNClient1 vzpostavite VPN tako, da napišete primerno datoteko z nastavitvami. -Nato poskrbite, da bo VPNClient1 na navideznem omrežju prek NFS omogočil +Nato poskrbite, da bo na VPNClient1 na navideznem omrežju prek NFS omogočen dostop do imenika /home/tester/DIRNAME, pri čemer DIRNAME preberite na SimpleArbiter. V ta imenik skopirajte datoteke, ki so prek SMB dostopne na SimpleArbiter. """, 'en':u""" -Setup three virtual machines - SimpleArbiterVPN and two VPN clients (VPNClient1, VPNClient2). Set both -clients network cards so that they will have access to internal network and internet. Install OpenVPN to -all three machines and a program for supervising virtual devices (which you will use to create device tap). -Server SimpleArbiterVPN should generate a common secret (*.key), which you should save to /vpn directory -and use on VPNClient together with configuration file for OpenVPN connection. 
After that make sure that -VPNClient has enabled access to /home/test/DIRNAME over NFS on it's virtual connection. You will get -IME_IMENIKA from SimpleArbiter. Copy files that should be available from AimpleArbiter over SMB to IME_IMENIKA. +Setup two virtual machines - SimpleArbiterVPN and a VPN client (VPNClient1). +Set the client's network up so that it has access to the internal network and internet. On VPNClient1, install OpenVPN and a program for supervising virtual devices (which you will use to create device tap). +An OpenVPN server is already running on SimpleArbiterVPN. Use the secret available on VPNClient1 in the home directory of user student to connect to the VPN server on SimpleArbiterVPN. To do that, you will have to write your own OpenVPN configuration file. After you have set up the VPN, make the directory +/home/test/DIRNAME on VPNClient1 available over NFS from SimpleArbiter over your VPN. Copy files that are available from SimpleArbiter over SMB to DIRNAME. """ } computers = { - # SimpleArbiter needs to have the package nmap installed - # http://linux.die.net/man/1/nmap 'SimpleArbiter': { 'disks': [ { @@ -68,26 +63,7 @@ computers = { ], 'flavor': 'm1.tiny', 'config_drive': False - }, - 'VPNClient2': { - 'disks': [ - { 'name': 'VPNClient2', - }, - #{ 'name': 'CDROM', - # 'options':{'readonly': True}, - # 'parts': [],# no parts, no mounting. - #} - ], - 'network_interfaces': [ - { - 'network': 'net1' - } - ], - 'flavor': 'm1.tiny', - 'config_drive': False - - } } networks = { 
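Review bot: The two language versions of the instructions now name different export paths: the unchanged Slovenian text says `/home/tester/DIRNAME`, while the new English text says `/home/test/DIRNAME`, and the checks added later in this commit look for `/home/test/`. A student who follows the Slovenian text would export a directory the checker never matches. The Slovenian line should read `dostop do imenika /home/test/DIRNAME`. The new Slovenian sentence also repeats a word (`Nastavite jima nastavite`).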
@@ -101,19 +77,18 @@ networks = { } #Tukaj sem generiral tri parametre, prosil bi če se upoštevajo pri Tasku. params_meta = { - 'IP_SimpleArbiterVPN': {'descriptions':{'si':'IP za SimpleArbiter'}, 'w': False, 'public': True, 'type': 'IP', 'generated': True}, - 'IP_VPNArbiter': {'descriptions':{'si':'IP za SimpleArbiter na VPN'}, 'w': False, 'public': False, 'type': 'IP', 'generated': True}, - 'IP_VPNClient1': {'descriptions':{'si':'IP za 1. klienta'}, 'w': False, 'public': True, 'type': 'IP', 'generated': True}, - 'IP_VPNClient2': {'descriptions':{'si':'IP za 2. klienta'}, 'w': False, 'public': True, 'type': 'IP', 'generated': True}, + 'IP_SimpleArbiterVPN': {'descriptions':{'si':'IP za SimpleArbiter na VPN'}, 'w': False, 'public': True, 'type': 'IP', 'generated': True}, + 'IP_VPNClient1': {'descriptions':{'si':'IP klienta na VPN'}, 'w': False, 'public': True, 'type': 'IP', 'generated': True}, + 'IP_LANClient1': {'descriptions':{'si':'IP klienta na LAN'}, 'w': True, 'public': True, 'type': 'IP', 'generated': False}, 'DIRNAME': {'descriptions':{'si':'Imenik, dostopen prek NFS'}, 'w': False, 'public': True, 'type': 'IP', 'generated': True}, 'secret_random_seed': {'descriptions':{'si':'Seme za skrivnost'}, 'w': False, 'public': False, 'type': None, 'generated': True}, } -def task(IP_SimpleArbiterVPN, IP_VPNClient1, IP_VPNClient2, DIRNAME): - +def task(IP_SimpleArbiterVPN, IP_VPNClient1, IP_LANClient1, DIRNAME): + import pxssh # Used to set up an SSH connection to a remote machine - #import pexpect # Allows the script to spawn a child application and control it as if a human were typing commands + import pexpect # Allows the script to spawn a child application and control it as if a human were typing commands # The necessary things we need to check if the task was performed correctly 
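Review bot: `IP_LANClient1` is the only parameter declared `'w': True, 'generated': False`, and the new `task()` signature accepts it as-is; later in this commit it is handed straight to `sC1.login()`. Nothing visible checks that the value is an IPv4 literal before it becomes the SSH target, so a validation step at the top of `task()` is worth adding, for example `socket.inet_pton(socket.AF_INET, IP_LANClient1)`, which raises on malformed input. Separately, `DIRNAME` keeps `'type': 'IP'` on an unchanged line, which looks like a copy-paste leftover. The body of `task()` continues outside this hunk.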
@@ -126,135 +101,58 @@ def task(IP_SimpleArbiterVPN, IP_VPNClient1, IP_VPNClient2, DIRNAME): ### # Sets up the SSH connections to the machines ### - # SimpleArbiter - sA = pxssh.pxssh() # VPNClient1 sC1 = pxssh.pxssh() - # VPNClient2 - sC2 = pxssh.pxssh() # Logs in to the machines with the default login params - sA.login( - IP_SimpleArbiterVPN, - peer_user, - peer_passwd - ) sC1.login( - IP_VPNClient1, - peer_user, - peer_passwd - ) - - sC2.login( - IP_VPNClient2, + IP_LANClient1, peer_user, peer_passwd ) - - ###### # sA ###### - # Check if the VPN is set up - # Returns 1 if ok, else 0 - sA.sendline('ls /sys/class/net/ | grep -ci "tap0"') - sA.prompt() - output = sA.before - output.split('\n')[1] - results['SimpleArbiter_is_VPN_set_up'] = output + results['SimpleArbiter_ifconfig'] = pexpect.run( + '/sbin/ifconfig -a') - # Check if the VPN server is running - # Returns 1 if ok, else 0 - sA.sendline('ls /sys/class/net | grep -ci "tun0"') - sA.prompt() - output = sA.before - output.split('\n')[1] - results['SimpleArbiter_is_VPN_running'] = output + results['SimpleArbiter_route'] = pexpect.run( + '/sbin/route -n') # Pings each of the clients # 10.8.0.6 and 10.8.0.10 are the first two default addresses distributed by OpenVPN # Will output everything ping outputs (set to ping 3 times) - sA.sendLine('ping -c 3 10.8.0.6') - sA.prompt() - output = sA.before - results['SimpleArbiter_ping_C1'] = output - sA.sendLine('ping -c 3 10.8.0.10') - sA.prompt() - output = sA.before - results['SimpleArbiter_ping_C2'] = output - - ### - # Check if both clients are connected to the correct VPN - # (check if first 24 bits of IP addr are the same as the IP of the VPN server) - ### - # User must be root - sA.sendline('id -u') - sA.prompt() - uid = sA.before.split('\n') - uid = uid[1].rstrip() - # If it isn't root - if ( uid != "0" ): - print "SimpleArbiter user must be root to continue with this step" - # If it is, we continue - else: - # Check if nmap is installed - sA.sendline('dpkg-query 
-W nmap') - sA.prompt() - lines = sA.before.split('\n') - line = lines[1] - # If it isn't - if ( len(line.rstrip()) == 4 ): # returns "nmap\r\n" if package isn't installed - print "Computer SimpleArbiter must have nmap installed" - else: - sA.sendline('') - #sA.wait() # For some reason this hangs - sA.expect(".*#") # Expecting a new line prompt (root's prompt ends with a #) - - # Run nmap on the VPN network - sA.sendline('nmap -sP 10.8.0.0/24') - sA.prompt() - results['SimpleArbiter_nmap_results'] = sA.before - - # Checks if .key file is in the /vpn directory - sA.sendline('ls /vpn | egrep "\.key"') - sA.prompt() - output = sA.before - results['SimpleArbiter_dir_vpn_contents'] = output - - # Checks if NFS access control list allows directory /home/test/IME_IMENIKA - sA.sendline('cat /etc/exports') - sA.prompt() - output = sA.before - results['SimpleArbiter_nfs_access_control_list'] = output - - - ###### - # sC1 - ###### - - # Ping the VPN server - sC1.sendLine('ping -c 3 {0}'.format( IP_SimpleArbiterVPN )) + results['SimpleArbiter_ping_C1'] = pexpect.run( + 'ping -c 3 {}'.format(IP_VPNClient1)) + results['SimpleArbiter_traceroute'] = pexpect.run( + '/usr/bin/traceroute {}'.format(IP_VPNClient1)) + sC1.sendline('cat /etc/exports') sC1.prompt() output = sC1.before - results['VPNClient1_ping_VPN_server'] = output - - - ###### - # sC2 - ###### - + results['VPNClient1_nfs_access_control_list'] = output + results['SimpleArbiter_mount'] = pexpect.run( + 'sudo mount {}:/home/test/{} /mnt'.format(IP_VPNClient1, DIRNAME)) + results['SimpleArbiter_mount_result'] = pexpect.run( + 'sudo mount') + results['SimpleArbiter_ls'] = pexpect.run( + 'ls /mnt') + pexpect.run( + 'sudo umount /mnt') # Ping the VPN server - sC2.sendLine('ping -c 3 {0}'.format( IP_SimpleArbiterVPN )) - sC2.prompt() - output = sC2.before - results['VPNClient2_ping_VPN_server'] = output - - - sA.logout() + sC1.sendline('ping -c 3 {0}'.format( IP_SimpleArbiterVPN )) + sC1.prompt() + 
results['VPNClient1_ping_VPN_server'] = sC1.before + + sC1.sendline('/sbin/ifconfig -a') + sC1.prompt() + results['VPNClient1_ifconfig'] = sC1.before + + sC1.sendline('ps xa') + sC1.prompt() + results['VPNClient1_ps'] = sC1.before sC1.logout() - sC2.logout() return results @@ -268,7 +166,7 @@ def gen_params(user_id, params_meta): import random r = random.Random(user_id) net = kpov_random_helpers.IPv4_subnet_gen(r, '10.168.0.0/16', 24) - params['IP_VPNClient1'], params['IP_VPNClient2'], params['IP_VPNArbiter'] = kpov_random_helpers.IPv4_addr_gen(r, net, 3) + params['IP_VPNClient1'], params['IP_SimpleArbiterVPN'] = kpov_random_helpers.IPv4_addr_gen(r, net, 2) params['DIRNAME'] = kpov_random_helpers.fname_gen(r, extension=False) params['secret_random_seed']=str(r.random()) return params 
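Review bot: The new mount sequence never checks whether `sudo mount` succeeded, so when the NFS mount fails, `ls /mnt` records the arbiter's local `/mnt` and `sudo umount /mnt` runs against nothing. The file-name check in `task_check` would then grade a local directory listing instead of the student's export. Capturing the exit status with `withexitstatus=True` and listing and unmounting only on success closes that gap, as sketched below. The leftover `# sA` banner and the comment about 10.8.0.6 and 10.8.0.10 no longer describe the code and could be dropped. `task()` starts before this hunk.

```python
    # … unchanged: ifconfig, route, ping, traceroute and /etc/exports collection …
    mount_out, mount_status = pexpect.run(
        'sudo mount {}:/home/test/{} /mnt'.format(IP_VPNClient1, DIRNAME),
        withexitstatus=True)
    results['SimpleArbiter_mount'] = mount_out
    results['SimpleArbiter_mount_result'] = pexpect.run('sudo mount')
    if mount_status == 0:
        try:
            results['SimpleArbiter_ls'] = pexpect.run('ls /mnt')
        finally:
            pexpect.run('sudo umount /mnt')
    else:
        # Mount failed: do not report the local /mnt as the student's export.
        results['SimpleArbiter_ls'] = ''
    # … unchanged: VPNClient1 ping, ifconfig, ps, logout …
```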
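Review bot: `secret_random_seed` is drawn from `random.Random(user_id)` on the unchanged lines around this edit, and `task_check` in this commit reseeds from it to regenerate what appears to be the OpenVPN static key. That makes the key a deterministic function of `user_id`, so if user ids are guessable, one student's key could be recomputed by someone else. Because later code reseeds from the stored parameter rather than from `user_id`, the seed could come from the OS source without breaking the checker: `params['secret_random_seed'] = str(random.SystemRandom().random())`. This assumes `gen_params` is not required to return the same seed on repeated calls, which should be confirmed. The function starts before this hunk.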
@@ -277,26 +175,89 @@ def gen_params(user_id, params_meta): def task_check(results, params): import re - #nastavil score na 0 iz -9 score = 0 - if results['NM_nslookup'].find('Server:\t\t{0}\r'.format(params['DNS_NM'])) > -1: - score += 3 - if results['SimpleArbiter_VPN_is_set_up'] == 1: - score += 3 - if results['SimpleArbiter_VPN_is_running'] == 1: - score +=3 - #zal si se nisem prišla na jasno s pingi - #if results['SimpleArbiter_ping_C1'] .find(Server:\t\t{0}\r'.format(params[]) - if results['static_nslookup'].find('Server:\t\t{0}\r'.format(params['DNS_static'])) > -1: - score += 3 - if re.search(r'eth0 +802-.*connected', results['NM_nmcli']): - score += 2 - if not re.search(r'eth0 +802-.*connected', results['static_nmcli']): - score += 2 - # to stran - # score = 0 + # zal si se nisem prišla na jasno s pingi + IP_SA = params['IP_SimpleArbiterVPN'].replace('.', '\.') + IP_C1 = params['IP_VPNClient1'].replace('.', '\.') + rs = r"tap0 +Link encap:Ethernet +HWaddr [a-f0-9:]+ *\r\n +inet addr:{}".format( + IP_SA) + # print rs, re.match(rs, results['SimpleArbiter_ifconfig']) + if re.search(rs, + results['SimpleArbiter_ifconfig']): + score += 1 + # print "ifconfig OK" + else: + pass + # print ('SA_ifconfig', results['SimpleArbiter_ifconfig']) + # results['SimpleArbiter_route'] = pexpect.run( + if re.search( + "PING.*\r\n64 bytes from {}: icmp_req=[0-9]+ ttl=64 time=[0-9.]* ms".format( + IP_C1), + results['SimpleArbiter_ping_C1']): + # print "Server ping OK" + score += 1 + else: + pass + # print ("Server ping", results['SimpleArbiter_ping_C1']) + # ignore this + # print results['SimpleArbiter_mount'] + # print results['SimpleArbiter_traceroute'] + rs = "1 +{0} \({0}\)".format(IP_C1) + if re.search(rs, + results['SimpleArbiter_traceroute']): + score += 1 + else: + pass + # print ("fail!", rs, results['SimpleArbiter_traceroute']) + if results['VPNClient1_nfs_access_control_list'].find( + '/home/test/' + params['DIRNAME'] + ' ') >= 0: + score += 1 + if 
results['SimpleArbiter_mount_result'].find( + '{}:/home/test/{} on /mnt type nfs'.format( + params['IP_VPNClient1'], + params['DIRNAME'])): + # print "mount OK" + score += 1 + # get r into the correct state + r = random.Random(params['secret_random_seed']) + s = "\n".join([ + "".join([r.choice("0123456789abcdef") for i in xrange(16)]) + for i in xrange(16)]) + keyfile = kpov_random_helpers.fname_gen(r, extension=False) + # now check the filenames + fnames_ok = True + for i in xrange(3): + fname = kpov_random_helpers.fname_gen(r, False) + foo = kpov_random_helpers.fortune(r, 4096) + pos = results['SimpleArbiter_ls'].find(fname + '.txt') + fnames_ok = fnames_ok and pos >= 0 + if fnames_ok: + score += 2 + # Ping the VPN server + if re.search( + "PING.*\r\n64 bytes from {}: icmp_req=[0-9]+ ttl=64 time=[0-9.]* ms".format( + IP_SA), + results['VPNClient1_ping_VPN_server']): + # print "ping OK" + score += 1 + else: + pass + # print "Client ping", results['VPNClient1_ping_VPN_server'] + + rs = r"tap0 +Link encap:Ethernet +HWaddr [a-f0-9:]+ *\r\n +inet addr:{}".format( + IP_C1) + if re.search(rs, + results['VPNClient1_ifconfig']): + score += 1 + # print "ifconfig OK" + else: + pass + # print ('VPNClient1_ifconfig', results['VPNClient1_ifconfig']) + + if results['VPNClient1_ps'].find('openvpn') > 0: + score += 1 return score 
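Review bot: The mount check `if results['SimpleArbiter_mount_result'].find(...):` tests the return value of `find()` for truthiness, so it awards the point when the string is absent (`-1`) and withholds it only on a match at offset 0. A membership test says what is meant: `if '{}:/home/test/{} on /mnt type nfs'.format(params['IP_VPNClient1'], params['DIRNAME']) in results['SimpleArbiter_mount_result']:`. The `openvpn` check uses `> 0` where the `/etc/exports` check uses `>= 0`; `'openvpn' in results['VPNClient1_ps']` would be consistent. The function also calls `random.Random` and `kpov_random_helpers` while the only import visible inside it is `re`, so unless both are imported at module level outside this view they need to be imported next to `import re`.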
@@ -319,10 +280,19 @@ def prepare_disks(templates, params): templates['SimpleArbiterVPN'].write("/etc/openvpn/secret.key", s) netaddr_s = """auto tap0 iface tap0 inet static + openvpn server + pre-up tunctl -t tap0 address {} netmask 255.255.255.0 -""".format(params['IP_VPNArbiter']) +""".format(params['IP_SimpleArbiterVPN']) templates['SimpleArbiterVPN'].write_append("/etc/network/interfaces", netaddr_s) + for i in xrange(3): + fname = kpov_random_helpers.fname_gen(r, False) + templates['SimpleArbiterVPN'].write( + "/srv/smb/" + fname + '.txt', + kpov_random_helpers.fortune(r, 4096)) templates['VPNClient1'].write("/home/student/" + keyfile, s) - templates['VPNClient1'].chown("student", "student", "/home/student/" + keyfile) + templates['VPNClient1'].chown("student", "student", "/home/student/" + keyfile) + + |
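Review bot: The new `for i in xrange(3)` loop has to draw from `r` in exactly the order that `task_check` replays (key text, key file name, then `fname_gen` and `fortune` per file), and nothing in either place documents that coupling. A comment above the loop such as `# RNG draw order must match task_check(): key, keyfile, then (fname, fortune) x3`, or a shared helper that returns the three names, would keep the two from drifting apart. The hunk also writes the VPN key under `/home/student/` and only changes its ownership; whether `write()` sets a restrictive mode is not visible here, so it is worth confirming that the key file is not world-readable. `prepare_disks` starts before this hunk.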