#!/usr/bin/python3
#
# chhoyhopper-server.py
#
# Copyright (C) 2021 by University of Southern California
# Written by ASM Rizvi<asmrizvi@usc.edu>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License,
# version 2, as published by the Free Software Foundation.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
#


import argparse
from datetime import datetime
import dns.resolver
import hashlib
import ipaddress
import logging
import math
import netifaces
import os
import socket
import subprocess
import sys
import time

DELTA_TIME = 10 # in second
NEXT_ADDRESS_CHANGE = 60 # in second

SERVER_INTERFACE = ""
SERVER_ADDRESS = ""

verbose = 0

class Program:
    def __init__(self):
        self.arg = self.parse_args()
        
    def parse_args(self):
        parser = argparse.ArgumentParser(description = 'Implement a moving target defense, where the server IPv6 address changes over time', epilog="""

With this program, an IPv6 service will be provided at a moving IPv6 address.
The service runs on another IP address and this program forwards 
traffic to that service IP from an IPv6 address
that depends on the current time, a shared secret, and a salt value.

By default the service address changes every minute.
We account for clock skew with a grace period of up to 60s.
       
By default, the service is ssh on prefix::f.
To overwrite, select the translated address with --to.

The key is provided in a file via --keyfile.
The key is arbitrary binary data.

By default we hop over the entire /64 on the given interface.

This daemon runs forever, changing the address regularly.

This program inserts ip6tables NAT and INPUT filter rules.
NAT rules will be inserted top of the table and will translate the temporary IPv6 address to the actual server address. The INPUT filter will be at the top of the INPUT chain and will drop packets that do not have the actual server address. A packet needs to go through both NAT and INPUT chain rule to get the service. No one can reach the IPv6 server without computing the current IPv6 address. Even targeting the actual server address won't be successful. This program will also insert rules to keep the already established connections. Also, it automatically assigns IPv6 address to the interface. When the life of an address is over, it stops the service at that address and deletes the NAT rules and interface addresses.

EXAMPLE: 

Running hopping for ssh on prefix::f, exporting service on
using vm18.ant.isi.edu's /64 prefix:

Opening service for hostname (default):

        chhoyhopper-server

Opening service for vm18.ant.isi.edu:

        chhoyhopper-server --address vm18.ant.isi.edu

or by IP address
        
        chhoyhopper-server --address 2001:1878:401::8009:1d15

(note that the hopping address will be anywhere in 2001:1878:401::/64,
not at this public IP address.)

changing key file (this should be shared with clients, default is file.bin):
        python3 chhoyhopper-server.py --keyfile "/tmp/key"
        """)
        
        parser.add_argument('--address', '-a', default='hostname', help='Enter the service address IPv6 address or domain name.')

        parser.add_argument('--to', '-t', help='Enter the internal IPv6 server address. NAT rule will translate the dummy to this address.')

        parser.add_argument('--keyfile', '-k', default='/usr/local/etc/chhoyhopper.key', help='Key file shared by the server')

        parser.add_argument('--salt', '-s', default='4750', help='Constant salt for generating key')
        
        parser.add_argument('--verbose', '-v', action='count', default=0)
        
        args = parser.parse_args()

        return args


def check_ipv6(n):
    try:
        socket.inet_pton(socket.AF_INET6, n)
        return True
    except socket.error:
        return False

def executeCommand(command, message):
    if verbose == 2:
        print(command)
    # exitCode = os.system(command)
    exitCode = subprocess.call(command, stderr=subprocess.DEVNULL, shell=True)
    if exitCode != 0 and verbose == 2:
         print("Command execution message: " + message)
    return exitCode

def find_interface(interface_address):
    interface_list = netifaces.interfaces()
    retIface = ""
    for iface in interface_list:
        address_entries = netifaces.ifaddresses(iface)
        for address in address_entries:
            for i in  range(len(address_entries[address])):
                addr = address_entries[address][i]['addr']
                if interface_address in addr:
                    retIface = iface
                    break
    return retIface

def sha1GetIp6Address (timeNowMin, key, constant, prefix):
    result = hashlib.sha1()
    result.update(str(timeNowMin).encode())
    result.update(key)
    result.update(str(constant).encode())
    
    hexaDeciNum = prefix

    i = 0
    while i < 13:
        hexaDeciNum = hexaDeciNum + result.hexdigest()[i : i + 4]
        if i < 12:
            hexaDeciNum = hexaDeciNum + ":"
        i = i + 4

    return hexaDeciNum

def createNatRule(address):
    command = "ip6tables -t nat -I PREROUTING -d " + address + " -j DNAT --to-destination " + SERVER_ADDRESS
    executeCommand(command, "NAT creation")

def createBlockRule(address, prefix):

    # Blocking everything other than the translated server address.
    if verbose == 2:
        print("Checking whether we already have the ip6tables rejection rule or not...")
    command = "ip6tables -C INPUT -p tcp --dport 22 ! -d " + address + " -j REJECT"
    exitCode = executeCommand(command, "no rejection rule, this program is adding it")
    
    if exitCode != 0: # check whether we already have that rule
        command = "ip6tables -I INPUT -p tcp --dport 22 ! -d " + address + " -j REJECT"
        executeCommand(command, "creating block rule")
    else:
        if verbose == 2:
            print("block rule exists, nothing adding")
         
    # Changing the destination address if client targets the real destination address.
    if verbose == 2:
        print("Checking whether we already have the destination change rule or not...")
    command = "ip6tables -t nat -C PREROUTING -d " + SERVER_ADDRESS + " -j DNAT --to-destination " + prefix + "e"
    exitCode = executeCommand(command, "no real destination change rule, this program is adding it")
    if exitCode != 0:
        command = "ip6tables -t nat -I PREROUTING -d " + SERVER_ADDRESS + " -j DNAT --to-destination " + prefix + "e"
        executeCommand(command, "change real destination using NAT")
    else:
        if verbose == 2:
            print("NAT rule already exists to translate the actual destination")

def createInterface(address):
    if verbose >= 1:
        dt_object = datetime.fromtimestamp(time.time())
        print("at " + str(dt_object) + " accepting " + address)
    command = "ip -6 addr add " + address + " dev " + SERVER_INTERFACE
    executeCommand(command, "create interface rule exists.")

def deleteInterfaceAndNat(address):
    command = "ip -6 addr del " + address + " dev " + SERVER_INTERFACE
    executeCommand(command, "delete interface rule does not exist")

    command = "ip6tables -t nat -D PREROUTING -d " + address + " -j DNAT --to-destination " + SERVER_ADDRESS
    executeCommand(command, "delete NAT rule does not exist")

def initRules(key, currentTime, constant, prefix):
    createInterface(SERVER_ADDRESS)
    createBlockRule(SERVER_ADDRESS, prefix)
    
    timeNowMin = math.floor((currentTime + DELTA_TIME) / NEXT_ADDRESS_CHANGE)

    exitCode = executeCommand("ip6tables -t nat -C PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT", "no rule for keeping established connections, this program is adding it.")
    if exitCode != 0:
        exitCode = executeCommand("ip6tables -t nat -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT", "inserting NAT rule for established connection did not work")
    else:
        if verbose == 2:
            print("rule for established connection exists, nothing adding")

    generatedIp6Address = sha1GetIp6Address(timeNowMin, key, constant, prefix)
    logging.info("TIME: " + str(timeNowMin) + ": initial rules " + generatedIp6Address)
    createNatRule(generatedIp6Address)
    createInterface(generatedIp6Address)

    generatedIp6Address = sha1GetIp6Address(timeNowMin - 1, key, constant, prefix)
    createNatRule(generatedIp6Address)
    createInterface(generatedIp6Address)

def addNewAddress(key, currentTime, constant, prefix):
    timeNowMin = math.floor((currentTime + DELTA_TIME) / NEXT_ADDRESS_CHANGE)

    generatedIp6Address = sha1GetIp6Address(timeNowMin, key, constant, prefix)
    logging.info("TIME: " + str(timeNowMin) + ": rules adding " + generatedIp6Address)

    createNatRule(generatedIp6Address)
    createInterface(generatedIp6Address)

def deleteOldAddress(key, currentTime, constant, prefix):
    timeNowMin = math.floor((currentTime + DELTA_TIME) / NEXT_ADDRESS_CHANGE)

    generatedIp6Address = sha1GetIp6Address(timeNowMin - 2, key, constant, prefix)
    if verbose >= 1:
        dt_object = datetime.fromtimestamp(time.time())
        print("at " + str(dt_object) + " dropping " + generatedIp6Address)
    logging.info("TIME: " + str(timeNowMin) + ": rules deleting " + generatedIp6Address)
    deleteInterfaceAndNat(generatedIp6Address)

def resolveDnsAndGettingAddress(domainName):
    try:
        result = dns.resolver.query(domainName, 'AAAA')
        if len(result) > 0:
            IP = result[0]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        exit("Domain name does not exist! Resolving DNS failed for \"" + domainName + "\". Please enter a valid domain name." )
    return IP

def readKey(keyFile):
    if os.path.exists(keyFile):
        f = open(keyFile, 'rb')
        key = f.read()
        f.close()
        return key
    else:
        exit("Key file not found! As a server admin, please generate a binary key file! This program searches for the key in the /usr/local/var/ directory or the directory you provided with the --keyfile option.")


def main():
    if os.geteuid() != 0:
        exit("You need to have root privileges to run this script.")

    logging.basicConfig(filename='/tmp/server.log',level=logging.DEBUG)
    
    global SERVER_INTERFACE
    global SERVER_ADDRESS
    global verbose
    
    args = Program()

    IP = args.arg.address
    serverAddress = args.arg.to
    keyFile = args.arg.keyfile
    constant = args.arg.salt
    verbose = args.arg.verbose
    
    if check_ipv6(IP) is False:
        if IP == "hostname":
            IP = os.uname()[1]
            # print("Hostname: " + IP)
        IP = str(resolveDnsAndGettingAddress(IP))

    try:
        ipaddress.ip_address(IP)
    except ValueError:
        exit("Please enter a valid IPv6 address or domain.")
    keyVal = readKey(keyFile)

    SERVER_INTERFACE = find_interface(IP)
    
    prefix = str(ipaddress.ip_network(IP).supernet(new_prefix=64))
    prefix = prefix[0:prefix.index('/')]

    if str(serverAddress) == "None":
        SERVER_ADDRESS = prefix + "f"
    else:
        SERVER_ADDRESS = serverAddress

    print("chhoyhopper-server on clear: " + IP)
    print("Internal server at: " + SERVER_ADDRESS)
    
    currentTime = time.time()
    initRules(keyVal, currentTime, constant, prefix)
    TIMER = NEXT_ADDRESS_CHANGE - ((currentTime + DELTA_TIME - 2) % NEXT_ADDRESS_CHANGE)
    logging.info(str(currentTime) + "\t" + str(TIMER) + ": timer set for the first time")

    while 1:
        time.sleep(TIMER)
        currentTime = time.time()
        logging.info(str(currentTime) + " sleep done, write new rules.")
        addNewAddress(keyVal, currentTime, constant, prefix)
        deleteOldAddress(keyVal, currentTime, constant, prefix)
        TIMER = NEXT_ADDRESS_CHANGE - ((currentTime + DELTA_TIME - 2) % NEXT_ADDRESS_CHANGE)


if __name__ == "__main__":
    main()
    sys.exit(0)
