#!/usr/bin/env python3
# Simple access checking program for OpenVPN server (OVPN-Access)
#
# Magnetic-Fox, 28.07.2023 - 14.10.2025
#
# (C)2023-2025 Bartłomiej "Magnetic-Fox" Węgrzyn
import sys
import os
import hashlib
import logging
import logging.handlers
import mysql.connector
import sqlConfig
import stringTableConfig
# Function for gathering environment variables
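def getEnvironmentVariables():
    """Read the credentials OpenVPN passes to this script through the environment.

    Returns:
        tuple[str, str, str]: ``(username, common_name, untrusted_ip)``, or three
        empty strings when any of the variables is absent so the caller treats
        the request as an error rather than as a user (fail closed).
    """
    try:
        username = os.environ["username"]
        common_name = os.environ["common_name"]
        untrusted_ip = os.environ["untrusted_ip"]
    except KeyError:
        # Only a missing variable is expected here; any other exception is a
        # genuine bug and must surface instead of being masked as "not set".
        return "", "", ""
    return username, common_name, untrusted_ip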
# Simple logger preparation function
def prepareLogger(loggerName = __name__, loggerAddress = stringTableConfig.DEFAULT_LOGGER_ADDRESS):
    """Return a logger named *loggerName* that sends INFO records to syslog.

    A new SysLogHandler bound to *loggerAddress* is attached on every call,
    so calling this twice for the same name duplicates every message.
    """
    configuredLogger = logging.getLogger(loggerName)
    syslogHandler = logging.handlers.SysLogHandler(address = loggerAddress)
    configuredLogger.addHandler(syslogHandler)
    configuredLogger.setLevel(logging.INFO)
    return configuredLogger
# Simple logging utility
# prepareLogger() will be executed once on the script start
def logInfo(message, logger = prepareLogger(), prefix = stringTableConfig.LOG_PREFIX):
    """Emit *message* at INFO level, prepended with *prefix*.

    The default *logger* is built once, when this definition is evaluated at
    import time, and shared by every subsequent call.
    """
    fullMessage = prefix + message
    logger.info(fullMessage)
# Very simple hashing function (SHA-256)
def sha256hash(string):
    """Return the lowercase hex SHA-256 digest of *string* encoded as UTF-8."""
    digest = hashlib.sha256()
    digest.update(string.encode("utf-8"))
    return digest.hexdigest()
# Check user access rights (according to the values set in the database)
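def checkUserAccess(userName, commonName, sqlConfiguration):
    """Look up the (username, certificate common name) pair in the database.

    Both values are hashed with SHA-256 and compared against the ``UserHash``
    and ``CertificateHash`` columns of the ``user-cn`` table with a
    parameterised query; ``BINARY`` makes the comparison case-sensitive.

    Args:
        userName: username presented by the client.
        commonName: certificate common name presented by the client.
        sqlConfiguration: keyword arguments for ``mysql.connector.connect``.

    Returns:
        int: 0 when the first matching row has ``AccessGranted == 1``,
        1 when a row matched but access is not granted,
        2 when no row matched,
        3 when the connection or query failed.
        Only 0 means "allow"; every other outcome is a denial (fail closed).
    """
    mydb = None
    cur = None
    try:
        mydb = mysql.connector.connect(**sqlConfiguration)
        cur = mydb.cursor(buffered = True)
        sql = "SELECT AccessGranted FROM `user-cn` uc WHERE BINARY uc.UserHash=%s AND BINARY uc.CertificateHash=%s"
        cur.execute(sql, (sha256hash(userName), sha256hash(commonName)))
        for responseLine in cur.fetchall():
            # The first matching row decides; any further rows are ignored
            if responseLine[0] == 1:
                return 0
            return 1
        # Username and common name not found in database - access not allowed
        return 2
    except Exception:
        # Connection/query failure: deny rather than guess. `Exception` rather
        # than a bare except so SystemExit/KeyboardInterrupt still propagate.
        return 3
    finally:
        # Release the cursor and the connection on every path (the original
        # leaked both on the early returns and on the error path)
        for resource in (cur, mydb):
            if resource is not None:
                try:
                    resource.close()
                except Exception:
                    # A failed close must not turn a computed verdict into a crash
                    pass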
# Main string preparation function
def prepareMainString(untrusted_ip, username, common_name, prefix = "", postfix = ""):
    """Build the log line "<prefix><IP label><ip><user label><user><CN label><cn><postfix>".

    The labels come from ``stringTableConfig``; *prefix* and *postfix* let the
    callers wrap the same core text in a verdict and an optional reason.
    """
    parts = (
        prefix,
        stringTableConfig.IP_STRING,
        untrusted_ip,
        stringTableConfig.USERNAME_STRING,
        username,
        stringTableConfig.COMMON_NAME_STRING,
        common_name,
        postfix,
    )
    return "".join(parts)
# "Access granted" string preparation function
def prepareAccessGrantedString(untrusted_ip, username, common_name, prefix = stringTableConfig.ACCESS_GRANTED_STRING, postfix = ""):
    """Return the "access granted" log line for the given connection details."""
    return prepareMainString(
        untrusted_ip,
        username,
        common_name,
        prefix = prefix,
        postfix = postfix,
    )
# "Access denied" string preparation function
def prepareAccessDeniedString(untrusted_ip, username, common_name, prefix = stringTableConfig.ACCESS_DENIED_STRING, postfix = ""):
    """Return the "access denied" log line; *postfix* may carry the reason."""
    return prepareMainString(
        untrusted_ip,
        username,
        common_name,
        prefix = prefix,
        postfix = postfix,
    )
# Autorun part
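if __name__ == "__main__":
    # Entry point: exit status 0 allows the connection, anything else denies it.
    username, common_name, untrusted_ip = getEnvironmentVariables()
    # getEnvironmentVariables() returns three empty strings when any variable
    # is missing, so this branch means "not invoked with the expected environment"
    if (username == "") and (common_name == "") and (untrusted_ip == ""):
        logInfo(stringTableConfig.SOMETHING_WRONG_1)
    else:
        result = checkUserAccess(username, common_name, sqlConfig.config)
        if result == 0:
            # The only point where access is allowed
            logInfo(prepareAccessGrantedString(untrusted_ip, username, common_name))
            # sys.exit (not os._exit) so logging.shutdown() still runs at exit and
            # the syslog handler is flushed and closed; the exit status is the same
            sys.exit(0)
        elif result == 1:
            logInfo(prepareAccessDeniedString(untrusted_ip, username, common_name))
        elif result == 2:
            logInfo(prepareAccessDeniedString(untrusted_ip, username, common_name, postfix = stringTableConfig.USERNAME_AND_CN_NOT_FOUND))
        else:
            logInfo(stringTableConfig.SOMETHING_WRONG_2)
    # Every path except result == 0 ends here: access is not allowed
    sys.exit(1)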