forked from canada-ca/tracker
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathserver.py
More file actions
230 lines (177 loc) · 7.23 KB
/
server.py
File metadata and controls
230 lines (177 loc) · 7.23 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
import os
import signal
import sys
import time
import requests
import logging
import json
import emoji
import traceback
import asyncio
import datetime as dt
import subprocess
from ctypes import c_char_p
from concurrent.futures import TimeoutError
from starlette.applications import Starlette
from starlette.routing import Route, Mount, WebSocketRoute
from starlette.responses import Response
from starlette.middleware.errors import ServerErrorMiddleware
from https_scanner import HTTPSScanner
logging.basicConfig(stream=sys.stdout, level=logging.INFO)
MIN_HSTS_AGE = 31536000 # one year
QUEUE_URL = os.getenv(
"RESULT_QUEUE_URL", "http://result-queue.scanners.svc.cluster.local"
)
OTS_QUEUE_URL = os.getenv(
"OTS_RESULT_QUEUE_URL", "http://ots-result-queue.scanners.svc.cluster.local"
)
DEST_URL = lambda ots : OTS_QUEUE_URL if ots else QUEUE_URL
def dispatch_results(payload, client, ots):
client.post(DEST_URL(ots) + "/https", json=payload)
logging.info("Scan results dispatched to result queue")
def process_results(results):
logging.info("Processing HTTPS scan results...")
report = {}
if results == {} or not results["Live"]:
report = {"error": "missing"}
else:
if results["Valid HTTPS"]:
https = "Valid HTTPS" # Yes
elif results["HTTPS Bad Chain"]:
https = "Bad Chain" # Yes
elif results["Downgrades HTTPS"]:
https = "Downgrades HTTPS" # No
else:
https = "No HTTPS"
report["implementation"] = https
# Is HTTPS enforced?
if https == "Downgrades HTTPS":
behavior = "Not Enforced" # N/A
else:
# "Strict" means HTTP immediately redirects to HTTPS,
# *and* that HTTP eventually redirects to HTTPS.
#
# Since a pure redirector domain can't "default" to HTTPS
# for itself, we'll say it "Enforces HTTPS" if it immediately
# redirects to an HTTPS URL.
if results["Strictly Forces HTTPS"] and (
results["Defaults to HTTPS"] or results["Redirect"]
):
behavior = "Strict" # Yes (Strict)
# "Moderate" means HTTP eventually redirects to HTTPS.
elif not results["Strictly Forces HTTPS"] and results["Defaults to HTTPS"]:
behavior = "Moderate" # Yes
# Either both are False, or just 'Strict Force' is True,
# which doesn't matter on its own.
# A "present" is better than a downgrade.
else:
behavior = "Weak" # Present (considered 'No')
report["enforced"] = behavior
###
# Characterize the presence and completeness of HSTS.
hsts_age = results.get("HSTS Max Age", None)
if hsts_age is not None:
hsts_age = int(hsts_age)
# Otherwise, without HTTPS there can be no HSTS for the domain directly.
if https == "Downgrades HTTPS":
hsts = "No HSTS" # N/A (considered 'No')
else:
# HSTS is present for the canonical endpoint.
if results["HSTS"] and hsts_age is not None:
# Say No for too-short max-age's, and note in the extended details.
if hsts_age >= MIN_HSTS_AGE:
hsts = "HSTS Fully Implemented" # Yes, directly
else:
hsts = "HSTS Max Age Too Short" # No
else:
hsts = "No HSTS" # No
# Separate preload status from HSTS status:
#
# * Domains can be preloaded through manual overrides.
# * Confusing to mix an endpoint-level decision with a domain-level decision.
if results["HSTS Preloaded"]:
preloaded = "HSTS Preloaded" # Yes
elif results["HSTS Preload Ready"]:
preloaded = "HSTS Preload Ready" # Ready for submission
else:
preloaded = "HSTS Not Preloaded" # No
# Certificate info
if results["HTTPS Expired Cert"]:
expired = True
else:
expired = False
if results["HTTPS Self Signed Cert"]:
self_signed = True
else:
self_signed = False
if results["HTTPS Cert Revoked"] is None:
revoked = "Unknown"
elif results["HTTPS Cert Revoked"]:
revoked = "Revoked"
else:
revoked = "Valid"
report["hsts"] = hsts
report["hsts_age"] = hsts_age
report["preload_status"] = preloaded
report["expired_cert"] = expired
report["self_signed_cert"] = self_signed
report["cert_revocation_status"] = revoked
report["cert_bad_hostname"] = results["HTTPS Bad Hostname"]
return report
def Server(server_client=requests):
async def scan(scan_request):
logging.info("Scan request received")
inbound_payload = await scan_request.json()
start_time = dt.datetime.now()
try:
domain = inbound_payload["domain"]
user_key = inbound_payload["user_key"]
domain_key = inbound_payload["domain_key"]
shared_id = inbound_payload["shared_id"]
except KeyError:
logging.error(f"Invalid scan request format received: {str(inbound_payload)}")
return Response("Invalid Format", status_code=400)
logging.info(f"Performing scan on {inbound_payload['domain']}...")
try:
scanner = HTTPSScanner(domain)
start = time.time()
future = scanner.run()
scan_results = future.result()
except TimeoutError:
logging.error(f"Timeout while scanning {domain} (Aborted after {round(time.time()-start, 2)} seconds)")
outbound_payload = {
"results": {"error": "unreachable"},
"scan_type": "https",
"user_key": user_key,
"domain_key": domain_key,
"shared_id": shared_id
}
dispatch_results(outbound_payload, server_client, (user_key is not None))
return Response("Timeout occurred while scanning", status_code=500)
logging.info(f"Unprocessed scan results: {str(scan_results)}")
processed_results = process_results(scan_results)
outbound_payload = {
"results": processed_results,
"scan_type": "https",
"user_key": user_key,
"domain_key": domain_key,
"shared_id": shared_id
}
logging.info(f"Processed scan results: {str(processed_results)}")
end_time = dt.datetime.now()
elapsed_time = end_time - start_time
dispatch_results(outbound_payload, server_client, (user_key is not None))
logging.info(f"HTTPS scan completed in {elapsed_time.total_seconds()} seconds.")
return Response("Scan completed")
async def startup():
logging.info(emoji.emojize("ASGI server started :rocket:"))
async def shutdown():
logging.info(emoji.emojize("ASGI server shutting down..."))
routes = [
Route("/", scan, methods=["POST"]),
]
starlette_app = Starlette(
debug=True, routes=routes, on_startup=[startup], on_shutdown=[shutdown]
)
return starlette_app
app = Server()