Threaded context

KASM-2108 Update noVNC commit

.gitmodules

@@ -1,4 +1,4 @@
 [submodule "kasmweb"]
 	path = kasmweb
 	url = https://github.com/kasmtech/noVNC.git
-	branch = bugfix/KASM-2034_mobile_audio
+	branch = master

builder/README.md

@@ -79,6 +79,25 @@ packages installed with XFCE.
 ```
 builder/test-deb-barebones ubuntu focal
 ```
+
+# Preparing a release
+
+Deb and rpm packages need their versions bumped to the new release version. It
+can be done with:
+
+```
+builder/bump-package-version 0.9.4-beta
+```
+
+This will update corresponding package files, use `git diff` to see changes.
+
+If you've ran the command and curious about Debian version specifics, here's an
+explanation:
+Deb version will be `0.9.4~beta-1`. `~` (and not `-`) is required by packaging
+guidelines, and `-1` is Debian package revision for `0.9.4` upstream release. If
+a Debian-specific patch was later added on top of `0.9.4`, it'd be `-2` for the
+next Debian version. Rpm has a corresponding revision in its .spec file.
+
 # CI development
 
 S3 upload code is extracted to various files in `.ci`. It's possible to iterate

builder/bump-package-version

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+update_version_to_meet_packaging_standards() {
+  new_version=$(echo "$new_version" |
+    sed -e 's/\([0-9]\)-\([a-zA-Z]\)/\1~\2/')
+}
+
+add_debian_revision_to_new_version() {
+  echo "$new_version-1"
+}
+
+bump_rpm() {
+  sed -i "s/^Version:.\+/Version:        $new_version/" centos/kasmvncserver.spec
+}
+
+bump_deb() {
+  local image="debbump_package_version:dev"
+  local L_UID=$(id -u)
+  local L_GID=$(id -g)
+  local debian_version=$(add_debian_revision_to_new_version)
+
+  docker build -t "$image" -f builder/dockerfile.bump-package-version .
+  docker run --rm -v "$PWD":/src --user "$L_UID:$L_GID" \
+    "$image" /bin/bash -c \
+    "cd /src && builder/bump-package-version-inside-docker-deb $debian_version"
+}
+
+new_version="$1"
+
+if [[ -z "$new_version" ]]; then
+  echo >&2 "Usage: $(basename "$0") <new_version>"
+  exit 1
+fi
+
+cd "$(dirname "$0")/.."
+
+update_version_to_meet_packaging_standards
+bump_rpm
+bump_deb

builder/bump-package-version-inside-docker-deb

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+new_version="$1"
+
+update_version() {
+  dch --newversion $new_version 'New upstream release.'
+}
+
+mark_as_released() {
+  dch --release ""
+}
+
+update_version
+mark_as_released

builder/dockerfile.bump-package-version

@@ -0,0 +1,6 @@
+FROM debian:buster
+
+ENV DEBEMAIL="Kasm Technologies LLC <info@kasmweb.com>"
+
+RUN apt-get update && \
+      apt-get -y install vim devscripts

common/network/Blacklist.cxx

@@ -0,0 +1,82 @@
+/* Copyright (C) 2021 Kasm
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
+ * USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <arpa/inet.h>
+#include <errno.h>
+#include <netinet/tcp.h>
+#include <netdb.h>
+#include <pthread.h>
+#include <stdlib.h>
+#include <time.h>
+
+#include <map>
+#include <string>
+
+#include <network/Blacklist.h>
+#include <rfb/Blacklist.h>
+
+static std::map<std::string, unsigned> hits;
+static std::map<std::string, time_t> blacklist;
+
+static pthread_mutex_t hitmutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_mutex_t blmutex = PTHREAD_MUTEX_INITIALIZER;
+
+unsigned char bl_isBlacklisted(const char *addr) {
+	const unsigned char count = blacklist.count(addr);
+	if (!count)
+		return 0;
+
+	const time_t now = time(NULL);
+	const unsigned timeout = rfb::Blacklist::initialTimeout;
+
+	if (pthread_mutex_lock(&blmutex))
+		abort();
+
+	if (now - timeout > blacklist[addr]) {
+		blacklist.erase(addr);
+		pthread_mutex_unlock(&blmutex);
+
+		if (pthread_mutex_lock(&hitmutex))
+			abort();
+		hits.erase(addr);
+		pthread_mutex_unlock(&hitmutex);
+		return 0;
+	} else {
+		blacklist[addr] = now;
+		pthread_mutex_unlock(&blmutex);
+		return 1;
+	}
+}
+
+void bl_addFailure(const char *addr) {
+	if (pthread_mutex_lock(&hitmutex))
+		abort();
+	const unsigned num = ++hits[addr];
+	pthread_mutex_unlock(&hitmutex);
+
+	if (num >= (unsigned) rfb::Blacklist::threshold) {
+		if (pthread_mutex_lock(&blmutex))
+			abort();
+		blacklist[addr] = time(NULL);
+		pthread_mutex_unlock(&blmutex);
+	}
+}

common/network/Blacklist.h

@@ -0,0 +1,33 @@
+/* Copyright (C) 2021 Kasm
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
+ * USA.
+ */
+
+#ifndef __NETWORK_BLACKLIST_H__
+#define __NETWORK_BLACKLIST_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+unsigned char bl_isBlacklisted(const char *);
+void bl_addFailure(const char *);
+
+#ifdef __cplusplus
+} // extern C
+#endif
+
+#endif // __NETWORK_TCP_SOCKET_H__

common/network/CMakeLists.txt

@@ -2,6 +2,7 @@ include_directories(${CMAKE_SOURCE_DIR}/common ${CMAKE_SOURCE_DIR}/unix/kasmvncp
 
 set(NETWORK_SOURCES
   GetAPIMessager.cxx
+  Blacklist.cxx
   Socket.cxx
   TcpSocket.cxx
   websocket.c

common/network/websocket.c

@@ -32,6 +32,7 @@
 #include <openssl/sha.h> /* sha1 hash */
 #include "websocket.h"
 #include "kasmpasswd.h"
+#include <network/Blacklist.h>
 
 /*
  * Global state
@@ -1203,7 +1204,7 @@ nope:
     return 1;
 }
 
-ws_ctx_t *do_handshake(int sock) {
+ws_ctx_t *do_handshake(int sock, const char *ip) {
     char handshake[4096], response[4096], sha1[29], trailer[17];
     char *scheme, *pre;
     headers_t *headers;
@@ -1271,10 +1272,20 @@ ws_ctx_t *do_handshake(int sock) {
         usleep(10);
     }
 
+    if (bl_isBlacklisted(ip)) {
+        wserr("IP %s is blacklisted, dropping\n", ip);
+        sprintf(response, "HTTP/1.1 401 Forbidden\r\n"
+                          "\r\n");
+        ws_send(ws_ctx, response, strlen(response));
+        free_ws_ctx(ws_ctx);
+        return NULL;
+    }
+
     unsigned char owner = 0;
     if (!settings.disablebasicauth) {
         const char *hdr = strstr(handshake, "Authorization: Basic ");
         if (!hdr) {
+            bl_addFailure(ip);
             handler_emsg("BasicAuth required, but client didn't send any. 401 Unauth\n");
             sprintf(response, "HTTP/1.1 401 Unauthorized\r\n"
                               "WWW-Authenticate: Basic realm=\"Websockify\"\r\n"
@@ -1288,6 +1299,7 @@ ws_ctx_t *do_handshake(int sock) {
         const char *end = strchr(hdr, '\r');
         if (!end || end - hdr > 256) {
             handler_emsg("Client sent invalid BasicAuth, dropping connection\n");
+            bl_addFailure(ip);
             free_ws_ctx(ws_ctx);
             return NULL;
         }
@@ -1357,6 +1369,7 @@ ws_ctx_t *do_handshake(int sock) {
 
         if (len <= 0 || strcmp(authbuf, response)) {
             handler_emsg("BasicAuth user/pw did not match\n");
+            bl_addFailure(ip);
             sprintf(response, "HTTP/1.1 401 Forbidden\r\n"
                               "\r\n");
             ws_send(ws_ctx, response, strlen(response));
@@ -1445,7 +1458,7 @@ void *subthread(void *ptr) {
 
     ws_ctx_t *ws_ctx;
 
-    ws_ctx = do_handshake(csock);
+    ws_ctx = do_handshake(csock, pass->ip);
     if (ws_ctx == NULL) {
         handler_msg("No connection after handshake\n");
         goto out;   // Child process exits