
Commit 6bb2067

Merge pull request #46 from chrisjbillington/security-default-on
Make secure communication default
2 parents 2d12f33 + 76633d8 commit 6bb2067


3 files changed

+49
-4
lines changed


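--- a/labscript_profile/create.py
+++ b/labscript_profile/create.py
@@ -3,12 +3,21 @@
 import shutil
 import configparser
 from pathlib import Path
+from subprocess import check_output
 from labscript_profile import LABSCRIPT_SUITE_PROFILE, default_labconfig_path
 
 _here = os.path.dirname(os.path.abspath(__file__))
 DEFAULT_PROFILE_CONTENTS = os.path.join(_here, 'default_profile')
 
 
+def make_shared_secret(directory):
+"""Create a new zprocess shared secret file in the given directory and return its
+filepath"""
+cmd = [sys.executable, '-m', 'zprocess.makesecret']
+path = check_output(cmd, cwd=directory).decode('utf8').splitlines()[-1].strip()
+return Path(path)
+
+
 def make_labconfig_file():
 source_path = os.path.join(LABSCRIPT_SUITE_PROFILE, 'labconfig', 'example.ini')
 target_path = default_labconfig_path()
@@ -22,14 +31,19 @@ def make_labconfig_file():
 # Now change some things about it:
 config = configparser.ConfigParser(interpolation=None)
 config.read(target_path)
-if sys.platform in ['linux', 'linux2']:
+if sys.platform == 'linux':
 config.set('programs', 'text_editor', 'gedit')
 elif sys.platform == 'darwin':
 config.set('programs', 'text_editor', 'open')
 config.set('programs', 'text_editor_arguments', '-a TextEdit {file}')
 if sys.platform != 'win32':
 config.set('programs', 'hdf5_viewer', 'hdfview')
-config.set('DEFAULT', 'shared_drive', str(Path.home() / ' labscript_shared'))
+config.set('DEFAULT', 'shared_drive', '$HOME/labscript_shared')
+shared_secret = make_shared_secret(target_path.parent)
+shared_secret_entry = Path(
+'%(labscript_suite)s', shared_secret.relative_to(LABSCRIPT_SUITE_PROFILE)
+)
+config.set('security', 'shared_secret', str(shared_secret_entry))
 
 with open(target_path, 'w') as f:
 config.write(f)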
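Review bot: `make_shared_secret` returns the key path without checking or tightening the file's permissions, so on a multi-user machine the secret may be readable by other local accounts if `zprocess.makesecret` creates it under the default umask (not visible here, worth confirming). The error text this commit adds in `ls_zprocess.py` tells users to treat the file like a password, so restricting it right after creation would match that: `secret_path = Path(path)`, `if os.name == 'posix': secret_path.chmod(0o600)`, `return secret_path`. The function also trusts the last line of the subprocess's stdout to be the path; an `is_file()` check before returning would turn unexpected extra output into a clear error instead of a bad `shared_secret` entry in labconfig.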

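--- a/labscript_profile/default_profile/labconfig/example.ini
+++ b/labscript_profile/default_profile/labconfig/example.ini
@@ -52,3 +52,6 @@ integer_indexing = False
 autoload_config_file = %(app_saved_configs)s\runmanager\runmanager.ini
 output_folder_format = %%Y\%%m\%%d\{sequence_index:04d}
 filename_prefix_format = %%Y-%%m-%%d_{sequence_index:04d}_{script_basename}
+
+[security]
+shared_secret = %(labscript_suite)s\labconfig\zpsecret-b810f83f.key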
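Review bot: The new `shared_secret` entry names a specific key file, `zpsecret-b810f83f.key`, with nothing to say it is a placeholder. The `create.py` change in this commit overwrites the value with a freshly generated key, but a profile made by copying this example by hand would point at a file that does not exist. A comment line above the entry would make that clear, for instance `; placeholder: generate a key with "python -m zprocess.makesecret" and set its path here`.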

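--- a/labscript_utils/ls_zprocess.py
+++ b/labscript_utils/ls_zprocess.py
@@ -11,6 +11,7 @@
 # #
 #####################################################################
 import sys
+import os
 from socket import gethostbyname
 from distutils.version import LooseVersion
 import zmq
@@ -40,6 +41,32 @@
 
 _cached_config = None
 
+_ERR_NO_SHARED_SECRET = """
+
+--------
+
+Security has not been configured. To create a new shared secret, run:
+
+python -m zprocess.makesecret
+
+move the resulting file somewhere (for example the labconfig directory)
+and then add it to labconfig like:
+
+[security]
+shared_secret = %(labscript_suite)s/labconfig/zpsecret-09f6dfa0.key
+
+You will need to copy the same shared secret to all computers running
+the labscript suite that need to communicate with each other. Treat this
+file like a password: it allows anyone on the same network acess to
+labscript suite programs, most of of which are capable of remote code
+execution. If you are on a trusted network and don't want to use encrypted
+communication, you may instead set:
+
+[security]
+allow_insecure = True
+
+in your configuration, but this is not advised."""
+
 def get_config():
 """Get relevant options from LabConfig, substituting defaults where appropriate and
 return as a dict"""
@@ -78,8 +105,9 @@ def get_config():
 try:
 config['allow_insecure'] = labconfig.getboolean('security', 'allow_insecure')
 except (labconfig.NoOptionError, labconfig.NoSectionError):
-# Default will be set to False once the security rollout is complete:
-config['allow_insecure'] = True
+config['allow_insecure'] = False
+if config['shared_secret'] is None and not config['allow_insecure']:
+raise ValueError(_ERR_NO_SHARED_SECRET.replace('', os.sep))
 try:
 config['logging_maxBytes'] = labconfig.getint('logging', 'maxBytes')
 except (labconfig.NoOptionError, labconfig.NoSectionError):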
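Review bot: As shown on this page, the new `raise` in `get_config` calls `_ERR_NO_SHARED_SECRET.replace('', os.sep)` with an empty first argument, which inserts `os.sep` between every character of the message instead of localising the example path. If the file really contains that, the line should read `raise ValueError(_ERR_NO_SHARED_SECRET.replace('/', os.sep))`. The message also has two typos worth fixing while it is new: `acess` should be `access` and `of of` should be `of`. The guard only tests `config['shared_secret'] is None`, and how that value is read lies outside the hunk, so it is unclear whether an empty or non-existent path is also rejected. `get_config` continues beyond the lines shown.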
