/mandos/release : revision 10

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to server.py

Committer: Teddy Hogeborn
Date: 2008-06-21 00:53:32 UTC
Revision ID: teddy@fukt.bsnet.se-20080621005332-s4scjdpevuso4lsd

* server.py: Bug fix: Do "from __future__ import division".
  (Client.__init__): Bug fix: parse interval string from config file.
  (Client.check_action): Take no arguments.  Print some debugging
  output.  Reset "checker" to None.
  (Client.start_checker): Sleep 10 seconds before pinging to alleviate
  debugging.
  (Client.next_stop): Bug fix: check if "last_seen" and/or "checker"
  is None.
  (Client.still_valid): Bug fix: check if "last_seen" is None.
  (Client.handle): When finding the right password to send, use a list
  comprehension and an index lookup instead of a generator expression to
  a dict.
  (IPv6_TCPServer.request_queue_size): Removed.
  (in6addr_any): Moved inside "main".
  (main): Changed "clients" to be a Set instead of a list.  Bug fix:
  Exit when/if all clients are removed.  Call "select" with all client
  checkers and a suitable timeout.  Add some debugging output.  Start
  new checkers when needed and delete clients which have timed out.

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

client.cpp

crl.pem

key.pem

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

server.py

#!/usr/bin/python

# -*- mode: python; coding: utf-8 -*-

# Mandos server - give out binary blobs to connecting clients.

# This program is partly derived from an example program for an Avahi

# service publisher, downloaded from

# <http://avahi.org/wiki/PythonPublishExample>. This includes the

# methods "add" and "remove" in the "AvahiService" class, the

# "server_state_changed" and "entry_group_state_changed" functions,

# and some lines in "main".

# Everything else is

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see

# <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

from __future__ import division, with_statement, absolute_import

from __future__ import division

import SocketServer

import socket

import select

from optparse import OptionParser

import datetime

import errno

import gnutls.crypto

import gnutls.connection

import gnutls.errors

import gnutls.library.functions

import gnutls.library.constants

import gnutls.library.types

import ConfigParser

import sys

import re

import signal

from sets import Set

import subprocess

import atexit

import stat

import logging

import logging.handlers

import pwd

from contextlib import closing

import dbus

import dbus.service

import gobject

import avahi

from dbus.mainloop.glib import DBusGMainLoop

import ctypes

import ctypes.util

version = "1.0.2"

logger = logging.Logger('mandos')

syslogger = (logging.handlers.SysLogHandler

(facility = logging.handlers.SysLogHandler.LOG_DAEMON,

address = "/dev/log"))

syslogger.setFormatter(logging.Formatter

('Mandos: %(levelname)s: %(message)s'))

logger.addHandler(syslogger)

console = logging.StreamHandler()

console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'

' %(message)s'))

logger.addHandler(console)

class AvahiError(Exception):

def __init__(self, value):

self.value = value

super(AvahiError, self).__init__()

def __str__(self):

return repr(self.value)

class AvahiServiceError(AvahiError):

pass

class AvahiGroupError(AvahiError):

pass

class AvahiService(object):

"""An Avahi (Zeroconf) service.

100

Attributes:

101

interface: integer; avahi.IF_UNSPEC or an interface index.

102

Used to optionally bind to the specified interface.

103

name: string; Example: 'Mandos'

104

type: string; Example: '_mandos._tcp'.

105

See <http://www.dns-sd.org/ServiceTypes.html>

106

port: integer; what port to announce

107

TXT: list of strings; TXT record for the service

108

domain: string; Domain to publish on, default to .local if empty.

109

host: string; Host to publish records for, default is localhost

110

max_renames: integer; maximum number of renames

111

rename_count: integer; counter so we only rename after collisions

112

a sensible number of times

113

"""

114

def __init__(self, interface = avahi.IF_UNSPEC, name = None,

115

servicetype = None, port = None, TXT = None,

116

domain = "", host = "", max_renames = 32768):

117

self.interface = interface

118

self.name = name

119

self.type = servicetype

120

self.port = port

121

self.TXT = TXT if TXT is not None else []

122

self.domain = domain

123

self.host = host

124

self.rename_count = 0

125

self.max_renames = max_renames

126

def rename(self):

127

"""Derived from the Avahi example code"""

128

if self.rename_count >= self.max_renames:

129

logger.critical(u"No suitable Zeroconf service name found"

130

u" after %i retries, exiting.",

131

self.rename_count)

132

raise AvahiServiceError("Too many renames")

133

self.name = server.GetAlternativeServiceName(self.name)

134

logger.info(u"Changing Zeroconf service name to %r ...",

135

str(self.name))

136

syslogger.setFormatter(logging.Formatter

137

('Mandos (%s): %%(levelname)s:'

138

' %%(message)s' % self.name))

139

self.remove()

140

self.add()

141

self.rename_count += 1

142

def remove(self):

143

"""Derived from the Avahi example code"""

144

if group is not None:

145

group.Reset()

146

def add(self):

147

"""Derived from the Avahi example code"""

148

global group

149

if group is None:

150

group = dbus.Interface(bus.get_object

151

(avahi.DBUS_NAME,

152

server.EntryGroupNew()),

153

avahi.DBUS_INTERFACE_ENTRY_GROUP)

154

group.connect_to_signal('StateChanged',

155

entry_group_state_changed)

156

logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",

157

service.name, service.type)

158

group.AddService(

159

self.interface, # interface

160

avahi.PROTO_INET6, # protocol

161

dbus.UInt32(0), # flags

162

self.name, self.type,

163

self.domain, self.host,

164

dbus.UInt16(self.port),

165

avahi.string_array_to_txt_array(self.TXT))

166

group.Commit()

167

168

# From the Avahi example code:

169

group = None # our entry group

170

# End of Avahi example code

171

172

173

def _datetime_to_dbus_struct(dt, variant_level=0):

174

"""Convert a UTC datetime.datetime() to a D-Bus struct.

175

The format is special to this application, since we could not find

176

any other standard way."""

177

return dbus.Struct((dbus.Int16(dt.year),

178

dbus.Byte(dt.month),

179

dbus.Byte(dt.day),

180

dbus.Byte(dt.hour),

181

dbus.Byte(dt.minute),

182

dbus.Byte(dt.second),

183

dbus.UInt32(dt.microsecond)),

184

signature="nyyyyyu",

185

variant_level=variant_level)

186

187

188

class Client(dbus.service.Object):

189

"""A representation of a client host served by this server.

190

Attributes:

191

name: string; from the config file, used in log messages

192

fingerprint: string (40 or 32 hexadecimal digits); used to

193

uniquely identify the client

194

secret: bytestring; sent verbatim (over TLS) to client

195

host: string; available for use by the checker command

196

created: datetime.datetime(); (UTC) object creation

197

last_started: datetime.datetime(); (UTC)

198

started: bool()

199

last_checked_ok: datetime.datetime(); (UTC) or None

200

timeout: datetime.timedelta(); How long from last_checked_ok

201

until this client is invalid

202

interval: datetime.timedelta(); How often to start a new checker

203

stop_hook: If set, called by stop() as stop_hook(self)

204

checker: subprocess.Popen(); a running checker process used

205

to see if the client lives.

206

'None' if no process is running.

207

checker_initiator_tag: a gobject event source tag, or None

208

stop_initiator_tag: - '' -

209

checker_callback_tag: - '' -

210

checker_command: string; External command which is run to check if

211

client lives. %() expansions are done at

212

runtime with vars(self) as dict, so that for

213

instance %(name)s can be used in the command.

214

dbus_object_path: dbus.ObjectPath

215

Private attibutes:

216

_timeout: Real variable for 'timeout'

217

_interval: Real variable for 'interval'

218

_timeout_milliseconds: Used when calling gobject.timeout_add()

219

_interval_milliseconds: - '' -

220

"""

221

def _set_timeout(self, timeout):

222

"Setter function for the 'timeout' attribute"

223

self._timeout = timeout

224

self._timeout_milliseconds = ((self.timeout.days

225

* 24 * 60 * 60 * 1000)

226

+ (self.timeout.seconds * 1000)

227

+ (self.timeout.microseconds

228

// 1000))

229

# Emit D-Bus signal

230

self.PropertyChanged(dbus.String(u"timeout"),

231

(dbus.UInt64(self._timeout_milliseconds,

232

variant_level=1)))

233

timeout = property(lambda self: self._timeout, _set_timeout)

234

del _set_timeout

235

236

def _set_interval(self, interval):

237

"Setter function for the 'interval' attribute"

238

self._interval = interval

239

self._interval_milliseconds = ((self.interval.days

240

* 24 * 60 * 60 * 1000)

241

+ (self.interval.seconds

242

* 1000)

243

+ (self.interval.microseconds

244

// 1000))

245

# Emit D-Bus signal

246

self.PropertyChanged(dbus.String(u"interval"),

247

(dbus.UInt64(self._interval_milliseconds,

248

variant_level=1)))

249

interval = property(lambda self: self._interval, _set_interval)

250

del _set_interval

251

252

def __init__(self, name = None, stop_hook=None, config=None):

253

"""Note: the 'checker' key in 'config' sets the

254

'checker_command' attribute and *not* the 'checker'

255

attribute."""

256

self.dbus_object_path = (dbus.ObjectPath

257

("/Mandos/clients/"

258

+ name.replace(".", "_")))

259

dbus.service.Object.__init__(self, bus,

260

self.dbus_object_path)

261

if config is None:

262

config = {}

263

self.name = name

264

logger.debug(u"Creating client %r", self.name)

265

# Uppercase and remove spaces from fingerprint for later

266

# comparison purposes with return value from the fingerprint()

267

# function

268

self.fingerprint = (config["fingerprint"].upper()

269

.replace(u" ", u""))

270

logger.debug(u" Fingerprint: %s", self.fingerprint)

271

if "secret" in config:

272

self.secret = config["secret"].decode(u"base64")

273

elif "secfile" in config:

274

with closing(open(os.path.expanduser

275

(os.path.expandvars

276

(config["secfile"])))) as secfile:

277

self.secret = secfile.read()

278

else:

279

raise TypeError(u"No secret or secfile for client %s"

280

% self.name)

281

self.host = config.get("host", "")

282

self.created = datetime.datetime.utcnow()

283

self.started = False

284

self.last_started = None

285

self.last_checked_ok = None

286

self.timeout = string_to_delta(config["timeout"])

287

self.interval = string_to_delta(config["interval"])

288

self.stop_hook = stop_hook

class Client(object):

def __init__(self, name=None, options=None, dn=None,

password=None, passfile=None, fqdn=None,

timeout=None, interval=-1):

self.name = name

self.dn = dn

if password:

self.password = password

elif passfile:

self.password = open(passfile).readall()

else:

print "No Password or Passfile in client config file"

# raise RuntimeError XXX

self.password = "gazonk"

self.fqdn = fqdn # string

self.created = datetime.datetime.now()

self.last_seen = None # datetime.datetime()

if timeout is None:

timeout = options.timeout

self.timeout = timeout # datetime.timedelta()

if interval == -1:

interval = options.interval

else:

interval = string_to_delta(interval)

self.interval = interval # datetime.timedelta()

self.next_check = datetime.datetime.now() # datetime.datetime()

# Note: next_check may be in the past if checker is not None

self.checker = None # or a subprocess.Popen()

def check_action(self):

"""The checker said something and might have completed.

Check if is has, and take appropriate actions."""

if self.checker.poll() is None:

# False alarm, no result yet

#self.checker.read()

#print "Checker for %(name)s said nothing?" % vars(self)

return

now = datetime.datetime.now()

if self.checker.returncode == 0:

print "Checker for %(name)s succeeded" % vars(self)

self.last_seen = now

else:

print "Checker for %(name)s failed" % vars(self)

while self.next_check <= now:

self.next_check += self.interval

289

self.checker = None

290

self.checker_initiator_tag = None

291

self.stop_initiator_tag = None

292

self.checker_callback_tag = None

293

self.checker_command = config["checker"]

294

295

def start(self):

296

"""Start this client's checker and timeout hooks"""

297

self.last_started = datetime.datetime.utcnow()

298

# Schedule a new checker to be started an 'interval' from now,

299

# and every interval from then on.

300

self.checker_initiator_tag = (gobject.timeout_add

301

(self._interval_milliseconds,

302

self.start_checker))

303

# Also start a new checker *right now*.

304

self.start_checker()

305

# Schedule a stop() when 'timeout' has passed

306

self.stop_initiator_tag = (gobject.timeout_add

307

(self._timeout_milliseconds,

308

self.stop))

309

self.started = True

310

# Emit D-Bus signal

311

self.PropertyChanged(dbus.String(u"started"),

312

dbus.Boolean(True, variant_level=1))

313

self.PropertyChanged(dbus.String(u"last_started"),

314

(_datetime_to_dbus_struct

315

(self.last_started, variant_level=1)))

316

317

def stop(self):

318

"""Stop this client."""

319

if not getattr(self, "started", False):

320

return False

321

logger.info(u"Stopping client %s", self.name)

322

if getattr(self, "stop_initiator_tag", False):

323

gobject.source_remove(self.stop_initiator_tag)

324

self.stop_initiator_tag = None

325

if getattr(self, "checker_initiator_tag", False):

326

gobject.source_remove(self.checker_initiator_tag)

327

self.checker_initiator_tag = None

handle_request = check_action

def start_checker(self):

328

self.stop_checker()

329

if self.stop_hook:

330

self.stop_hook(self)

331

self.started = False

332

# Emit D-Bus signal

333

self.PropertyChanged(dbus.String(u"started"),

334

dbus.Boolean(False, variant_level=1))

335

# Do not run this again if called by a gobject.timeout_add

336

return False

337

338

def __del__(self):

339

self.stop_hook = None

340

self.stop()

341

342

def checker_callback(self, pid, condition, command):

343

"""The checker has completed, so take appropriate actions."""

344

self.checker_callback_tag = None

345

self.checker = None

346

# Emit D-Bus signal

347

self.PropertyChanged(dbus.String(u"checker_running"),

348

dbus.Boolean(False, variant_level=1))

349

if (os.WIFEXITED(condition)

350

and (os.WEXITSTATUS(condition) == 0)):

351

logger.info(u"Checker for %(name)s succeeded",

352

vars(self))

353

# Emit D-Bus signal

354

self.CheckerCompleted(dbus.Boolean(True),

355

dbus.UInt16(condition),

356

dbus.String(command))

357

self.bump_timeout()

358

elif not os.WIFEXITED(condition):

359

logger.warning(u"Checker for %(name)s crashed?",

360

vars(self))

361

# Emit D-Bus signal

362

self.CheckerCompleted(dbus.Boolean(False),

363

dbus.UInt16(condition),

364

dbus.String(command))

365

else:

366

logger.info(u"Checker for %(name)s failed",

367

vars(self))

368

# Emit D-Bus signal

369

self.CheckerCompleted(dbus.Boolean(False),

370

dbus.UInt16(condition),

371

dbus.String(command))

372

373

def bump_timeout(self):

374

"""Bump up the timeout for this client.

375

This should only be called when the client has been seen,

376

alive and well.

377

"""

378

self.last_checked_ok = datetime.datetime.utcnow()

379

gobject.source_remove(self.stop_initiator_tag)

380

self.stop_initiator_tag = (gobject.timeout_add

381

(self._timeout_milliseconds,

382

self.stop))

383

self.PropertyChanged(dbus.String(u"last_checked_ok"),

384

(_datetime_to_dbus_struct

385

(self.last_checked_ok,

386

variant_level=1)))

387

388

def start_checker(self):

389

"""Start a new checker subprocess if one is not running.

390

If a checker already exists, leave it running and do

391

nothing."""

392

# The reason for not killing a running checker is that if we

393

# did that, then if a checker (for some reason) started

394

# running slowly and taking more than 'interval' time, the

395

# client would inevitably timeout, since no checker would get

396

# a chance to run to completion. If we instead leave running

397

# checkers alone, the checker would have to take more time

398

# than 'timeout' for the client to be declared invalid, which

399

# is as it should be.

400

if self.checker is None:

401

try:

402

# In case checker_command has exactly one % operator

403

command = self.checker_command % self.host

404

except TypeError:

405

# Escape attributes for the shell

406

escaped_attrs = dict((key, re.escape(str(val)))

407

for key, val in

408

vars(self).iteritems())

409

try:

410

command = self.checker_command % escaped_attrs

411

except TypeError, error:

412

logger.error(u'Could not format string "%s":'

413

u' %s', self.checker_command, error)

414

return True # Try again later

415

try:

416

logger.info(u"Starting checker %r for %s",

417

command, self.name)

418

# We don't need to redirect stdout and stderr, since

419

# in normal mode, that is already done by daemon(),

420

# and in debug mode we don't want to. (Stdin is

421

# always replaced by /dev/null.)

422

self.checker = subprocess.Popen(command,

423

close_fds=True,

424

shell=True, cwd="/")

425

# Emit D-Bus signal

426

self.CheckerStarted(command)

427

self.PropertyChanged(dbus.String("checker_running"),

428

dbus.Boolean(True, variant_level=1))

429

self.checker_callback_tag = (gobject.child_watch_add

430

(self.checker.pid,

431

self.checker_callback,

432

data=command))

433

except OSError, error:

434

logger.error(u"Failed to start subprocess: %s",

435

error)

436

# Re-run this periodically if run by gobject.timeout_add

437

return True

438

try:

self.checker = subprocess.Popen("sleep 10; fping -q -- %s"

% re.escape(self.fqdn),

stdout=subprocess.PIPE,

close_fds=True,

shell=True, cwd="/")

except subprocess.OSError, e:

print "Failed to start subprocess:", e

439

def stop_checker(self):

440

"""Force the checker process, if any, to stop."""

441

if self.checker_callback_tag:

442

gobject.source_remove(self.checker_callback_tag)

443

self.checker_callback_tag = None

444

if getattr(self, "checker", None) is None:

if self.checker is None:

445

return

446

logger.debug(u"Stopping checker for %(name)s", vars(self))

447

try:

448

os.kill(self.checker.pid, signal.SIGTERM)

449

#os.sleep(0.5)

450

#if self.checker.poll() is None:

451

# os.kill(self.checker.pid, signal.SIGKILL)

452

except OSError, error:

453

if error.errno != errno.ESRCH: # No such process

454

raise

os.kill(self.checker.pid, signal.SIGTERM)

if self.checker.poll() is None:

os.kill(self.checker.pid, signal.SIGKILL)

455

self.checker = None

456

self.PropertyChanged(dbus.String(u"checker_running"),

457

dbus.Boolean(False, variant_level=1))

458

459

def still_valid(self):

460

"""Has the timeout not yet passed for this client?"""

461

if not getattr(self, "started", False):

462

return False

463

now = datetime.datetime.utcnow()

464

if self.last_checked_ok is None:

__del__ = stop_checker

def fileno(self):

if self.checker is None:

return None

return self.checker.stdout.fileno()

def next_stop(self):

"""The time when something must be done about this client

May be in the past."""

if self.last_seen is None:

# This client has never been seen

next_timeout = self.created + self.timeout

else:

next_timeout = self.last_seen + self.timeout

if self.checker is None:

return min(next_timeout, self.next_check)

100

else:

101

return next_timeout

102

def still_valid(self, now=None):

103

"""Has this client's timeout not passed?"""

104

if now is None:

105

now = datetime.datetime.now()

106

if self.last_seen is None:

465

107

return now < (self.created + self.timeout)

466

108

else:

467

return now < (self.last_checked_ok + self.timeout)

468

469

## D-Bus methods & signals

470

_interface = u"org.mandos_system.Mandos.Client"

471

472

# BumpTimeout - method

473

BumpTimeout = dbus.service.method(_interface)(bump_timeout)

474

BumpTimeout.__name__ = "BumpTimeout"

475

476

# CheckerCompleted - signal

477

@dbus.service.signal(_interface, signature="bqs")

478

def CheckerCompleted(self, success, condition, command):

479

"D-Bus signal"

480

pass

481

482

# CheckerStarted - signal

483

@dbus.service.signal(_interface, signature="s")

484

def CheckerStarted(self, command):

485

"D-Bus signal"

486

pass

487

488

# GetAllProperties - method

489

@dbus.service.method(_interface, out_signature="a{sv}")

490

def GetAllProperties(self):

491

"D-Bus method"

492

return dbus.Dictionary({

493

dbus.String("name"):

494

dbus.String(self.name, variant_level=1),

495

dbus.String("fingerprint"):

496

dbus.String(self.fingerprint, variant_level=1),

497

dbus.String("host"):

498

dbus.String(self.host, variant_level=1),

499

dbus.String("created"):

500

_datetime_to_dbus_struct(self.created,

501

variant_level=1),

502

dbus.String("last_started"):

503

(_datetime_to_dbus_struct(self.last_started,

504

variant_level=1)

505

if self.last_started is not None

506

else dbus.Boolean(False, variant_level=1)),

507

dbus.String("started"):

508

dbus.Boolean(self.started, variant_level=1),

509

dbus.String("last_checked_ok"):

510

(_datetime_to_dbus_struct(self.last_checked_ok,

511

variant_level=1)

512

if self.last_checked_ok is not None

513

else dbus.Boolean (False, variant_level=1)),

514

dbus.String("timeout"):

515

dbus.UInt64(self._timeout_milliseconds,

516

variant_level=1),

517

dbus.String("interval"):

518

dbus.UInt64(self._interval_milliseconds,

519

variant_level=1),

520

dbus.String("checker"):

521

dbus.String(self.checker_command,

522

variant_level=1),

523

dbus.String("checker_running"):

524

dbus.Boolean(self.checker is not None,

525

variant_level=1),

526

}, signature="sv")

527

528

# IsStillValid - method

529

IsStillValid = (dbus.service.method(_interface, out_signature="b")

530

(still_valid))

531

IsStillValid.__name__ = "IsStillValid"

532

533

# PropertyChanged - signal

534

@dbus.service.signal(_interface, signature="sv")

535

def PropertyChanged(self, property, value):

536

"D-Bus signal"

537

pass

538

539

# SetChecker - method

540

@dbus.service.method(_interface, in_signature="s")

541

def SetChecker(self, checker):

542

"D-Bus setter method"

543

self.checker_command = checker

544

545

# SetHost - method

546

@dbus.service.method(_interface, in_signature="s")

547

def SetHost(self, host):

548

"D-Bus setter method"

549

self.host = host

550

551

# SetInterval - method

552

@dbus.service.method(_interface, in_signature="t")

553

def SetInterval(self, milliseconds):

554

self.interval = datetime.timdeelta(0, 0, 0, milliseconds)

555

556

# SetSecret - method

557

@dbus.service.method(_interface, in_signature="ay",

558

byte_arrays=True)

559

def SetSecret(self, secret):

560

"D-Bus setter method"

561

self.secret = str(secret)

562

563

# SetTimeout - method

564

@dbus.service.method(_interface, in_signature="t")

565

def SetTimeout(self, milliseconds):

566

self.timeout = datetime.timedelta(0, 0, 0, milliseconds)

567

568

# Start - method

569

Start = dbus.service.method(_interface)(start)

570

Start.__name__ = "Start"

571

572

# StartChecker - method

573

@dbus.service.method(_interface)

574

def StartChecker(self):

575

"D-Bus method"

576

self.start_checker()

577

578

# Stop - method

579

@dbus.service.method(_interface)

580

def Stop(self):

581

"D-Bus method"

582

self.stop()

583

584

# StopChecker - method

585

StopChecker = dbus.service.method(_interface)(stop_checker)

586

StopChecker.__name__ = "StopChecker"

587

588

del _interface

589

590

591

def peer_certificate(session):

592

"Return the peer's OpenPGP certificate as a bytestring"

593

# If not an OpenPGP certificate...

594

if (gnutls.library.functions

595

.gnutls_certificate_type_get(session._c_object)

596

!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):

597

# ...do the normal thing

598

return session.peer_certificate

599

list_size = ctypes.c_uint()

600

cert_list = (gnutls.library.functions

601

.gnutls_certificate_get_peers

602

(session._c_object, ctypes.byref(list_size)))

603

if list_size.value == 0:

604

return None

605

cert = cert_list[0]

606

return ctypes.string_at(cert.data, cert.size)

607

608

609

def fingerprint(openpgp):

610

"Convert an OpenPGP bytestring to a hexdigit fingerprint string"

611

# New GnuTLS "datum" with the OpenPGP public key

612

datum = (gnutls.library.types

613

.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),

614

ctypes.POINTER

615

(ctypes.c_ubyte)),

616

ctypes.c_uint(len(openpgp))))

617

# New empty GnuTLS certificate

618

crt = gnutls.library.types.gnutls_openpgp_crt_t()

619

(gnutls.library.functions

620

.gnutls_openpgp_crt_init(ctypes.byref(crt)))

621

# Import the OpenPGP public key into the certificate

622

(gnutls.library.functions

623

.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),

624

gnutls.library.constants

625

.GNUTLS_OPENPGP_FMT_RAW))

626

# Verify the self signature in the key

627

crtverify = ctypes.c_uint()

628

(gnutls.library.functions

629

.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))

630

if crtverify.value != 0:

631

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

632

raise gnutls.errors.CertificateSecurityError("Verify failed")

633

# New buffer for the fingerprint

634

buf = ctypes.create_string_buffer(20)

635

buf_len = ctypes.c_size_t()

636

# Get the fingerprint from the certificate into the buffer

637

(gnutls.library.functions

638

.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),

639

ctypes.byref(buf_len)))

640

# Deinit the certificate

641

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

642

# Convert the buffer to a Python bytestring

643

fpr = ctypes.string_at(buf, buf_len.value)

644

# Convert the bytestring to hexadecimal notation

645

hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)

646

return hex_fpr

647

648

649

class TCP_handler(SocketServer.BaseRequestHandler, object):

650

"""A TCP request handler class.

651

Instantiated by IPv6_TCPServer for each request to handle it.

652

Note: This will run in its own forked process."""

653

654

def handle(self):

655

logger.info(u"TCP connection from: %s",

656

unicode(self.client_address))

657

session = (gnutls.connection

658

.ClientSession(self.request,

659

gnutls.connection

660

.X509Credentials()))

661

662

line = self.request.makefile().readline()

663

logger.debug(u"Protocol version: %r", line)

664

try:

665

if int(line.strip().split()[0]) > 1:

666

raise RuntimeError

667

except (ValueError, IndexError, RuntimeError), error:

668

logger.error(u"Unknown protocol version: %s", error)

669

return

670

671

# Note: gnutls.connection.X509Credentials is really a generic

672

# GnuTLS certificate credentials object so long as no X.509

673

# keys are added to it. Therefore, we can use it here despite

674

# using OpenPGP certificates.

675

676

#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",

677

# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",

678

# "+DHE-DSS"))

679

# Use a fallback default, since this MUST be set.

680

priority = self.server.settings.get("priority", "NORMAL")

681

(gnutls.library.functions

682

.gnutls_priority_set_direct(session._c_object,

683

priority, None))

684

685

try:

686

session.handshake()

687

except gnutls.errors.GNUTLSError, error:

688

logger.warning(u"Handshake failed: %s", error)

689

# Do not run session.bye() here: the session is not

690

# established. Just abandon the request.

691

return

692

try:

693

fpr = fingerprint(peer_certificate(session))

694

except (TypeError, gnutls.errors.GNUTLSError), error:

695

logger.warning(u"Bad certificate: %s", error)

696

session.bye()

697

return

698

logger.debug(u"Fingerprint: %s", fpr)

699

for c in self.server.clients:

700

if c.fingerprint == fpr:

701

client = c

702

break

703

else:

704

logger.warning(u"Client not found for fingerprint: %s",

705

fpr)

706

session.bye()

707

return

708

# Have to check if client.still_valid(), since it is possible

709

# that the client timed out while establishing the GnuTLS

710

# session.

711

if not client.still_valid():

712

logger.warning(u"Client %(name)s is invalid",

713

vars(client))

714

session.bye()

715

return

716

## This won't work here, since we're in a fork.

717

# client.bump_timeout()

718

sent_size = 0

719

while sent_size < len(client.secret):

720

sent = session.send(client.secret[sent_size:])

721

logger.debug(u"Sent: %d, remaining: %d",

722

sent, len(client.secret)

723

- (sent_size + sent))

724

sent_size += sent

109

return now < (self.last_seen + self.timeout)

110

def it_is_time_to_check(self, now=None):

111

if now is None:

112

now = datetime.datetime.now()

113

return self.next_check <= now

114

115

116

class server_metaclass(type):

117

"Common behavior for the UDP and TCP server classes"

118

def __new__(cls, name, bases, attrs):

119

attrs["address_family"] = socket.AF_INET6

120

attrs["allow_reuse_address"] = True

121

def server_bind(self):

122

if self.options.interface:

123

if not hasattr(socket, "SO_BINDTODEVICE"):

124

# From /usr/include/asm-i486/socket.h

125

socket.SO_BINDTODEVICE = 25

126

try:

127

self.socket.setsockopt(socket.SOL_SOCKET,

128

socket.SO_BINDTODEVICE,

129

self.options.interface)

130

except socket.error, error:

131

if error[0] == errno.EPERM:

132

print "Warning: No permission to bind to interface", \

133

self.options.interface

134

else:

135

raise error

136

return super(type(self), self).server_bind()

137

attrs["server_bind"] = server_bind

138

def init(self, *args, **kwargs):

139

if "options" in kwargs:

140

self.options = kwargs["options"]

141

del kwargs["options"]

142

if "clients" in kwargs:

143

self.clients = kwargs["clients"]

144

del kwargs["clients"]

145

if "credentials" in kwargs:

146

self.credentials = kwargs["credentials"]

147

del kwargs["credentials"]

148

return super(type(self), self).__init__(*args, **kwargs)

149

attrs["__init__"] = init

150

return type.__new__(cls, name, bases, attrs)

151

152

153

class udp_handler(SocketServer.DatagramRequestHandler, object):

154

def handle(self):

155

self.wfile.write("Polo")

156

print "UDP request answered"

157

158

159

class IPv6_UDPServer(SocketServer.UDPServer, object):

160

__metaclass__ = server_metaclass

161

def verify_request(self, request, client_address):

162

print "UDP request came"

163

return request[0] == "Marco"

164

165

166

class tcp_handler(SocketServer.BaseRequestHandler, object):

167

def handle(self):

168

print "TCP request came"

169

print "Request:", self.request

170

print "Client Address:", self.client_address

171

print "Server:", self.server

172

session = gnutls.connection.ServerSession(self.request,

173

self.server.credentials)

174

session.handshake()

175

if session.peer_certificate:

176

print "DN:", session.peer_certificate.subject

177

try:

178

session.verify_peer()

179

except gnutls.errors.CertificateError, error:

180

print "Verify failed", error

181

session.bye()

182

return

183

try:

184

session.send([client.password

185

for client in self.server.clients

186

if (client.dn ==

187

session.peer_certificate.subject)][0])

188

except IndexError:

189

session.send("gazonk")

190

# Log maybe? XXX

725

191

session.bye()

726

192

727

193

728

class IPv6_TCPServer(SocketServer.ForkingMixIn,

729

SocketServer.TCPServer, object):

730

"""IPv6 TCP server. Accepts 'None' as address and/or port.

731

Attributes:

732

settings: Server settings

733

clients: Set() of Client objects

734

enabled: Boolean; whether this server is activated yet

735

"""

736

address_family = socket.AF_INET6

737

def __init__(self, *args, **kwargs):

738

if "settings" in kwargs:

739

self.settings = kwargs["settings"]

740

del kwargs["settings"]

741

if "clients" in kwargs:

742

self.clients = kwargs["clients"]

743

del kwargs["clients"]

744

self.enabled = False

745

super(IPv6_TCPServer, self).__init__(*args, **kwargs)

746

def server_bind(self):

747

"""This overrides the normal server_bind() function

748

to bind to an interface if one was specified, and also NOT to

749

bind to an address or port if they were not specified."""

750

if self.settings["interface"]:

751

# 25 is from /usr/include/asm-i486/socket.h

752

SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)

753

try:

754

self.socket.setsockopt(socket.SOL_SOCKET,

755

SO_BINDTODEVICE,

756

self.settings["interface"])

757

except socket.error, error:

758

if error[0] == errno.EPERM:

759

logger.error(u"No permission to"

760

u" bind to interface %s",

761

self.settings["interface"])

762

else:

763

raise error

764

# Only bind(2) the socket if we really need to.

765

if self.server_address[0] or self.server_address[1]:

766

if not self.server_address[0]:

767

in6addr_any = "::"

768

self.server_address = (in6addr_any,

769

self.server_address[1])

770

elif not self.server_address[1]:

771

self.server_address = (self.server_address[0],

772

773

# if self.settings["interface"]:

774

# self.server_address = (self.server_address[0],

775

# 0, # port

776

# 0, # flowinfo

777

# if_nametoindex

778

# (self.settings

779

# ["interface"]))

780

return super(IPv6_TCPServer, self).server_bind()

781

def server_activate(self):

782

if self.enabled:

783

return super(IPv6_TCPServer, self).server_activate()

784

def enable(self):

785

self.enabled = True

194

class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):

195

__metaclass__ = server_metaclass

786

196

787

197

788

198

def string_to_delta(interval):

798

208

datetime.timedelta(1)

799

209

>>> string_to_delta(u'1w')

800

210

datetime.timedelta(7)

801

>>> string_to_delta('5m 30s')

802

datetime.timedelta(0, 330)

803

211

"""

804

timevalue = datetime.timedelta(0)

805

for s in interval.split():

806

try:

807

suffix = unicode(s[-1])

808

value = int(s[:-1])

809

if suffix == u"d":

810

delta = datetime.timedelta(value)

811

elif suffix == u"s":

812

delta = datetime.timedelta(0, value)

813

elif suffix == u"m":

814

delta = datetime.timedelta(0, 0, 0, 0, value)

815

elif suffix == u"h":

816

delta = datetime.timedelta(0, 0, 0, 0, 0, value)

817

elif suffix == u"w":

818

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

819

else:

820

raise ValueError

821

except (ValueError, IndexError):

212

try:

213

suffix=unicode(interval[-1])

214

value=int(interval[:-1])

215

if suffix == u"d":

216

delta = datetime.timedelta(value)

217

elif suffix == u"s":

218

delta = datetime.timedelta(0, value)

219

elif suffix == u"m":

220

delta = datetime.timedelta(0, 0, 0, 0, value)

221

elif suffix == u"h":

222

delta = datetime.timedelta(0, 0, 0, 0, 0, value)

223

elif suffix == u"w":

224

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

225

else:

822

226

raise ValueError

823

timevalue += delta

824

return timevalue

825

826

827

def server_state_changed(state):

828

"""Derived from the Avahi example code"""

829

if state == avahi.SERVER_COLLISION:

830

logger.error(u"Zeroconf server name collision")

831

service.remove()

832

elif state == avahi.SERVER_RUNNING:

833

service.add()

834

835

836

def entry_group_state_changed(state, error):

837

"""Derived from the Avahi example code"""

838

logger.debug(u"Avahi state change: %i", state)

839

840

if state == avahi.ENTRY_GROUP_ESTABLISHED:

841

logger.debug(u"Zeroconf service established.")

842

elif state == avahi.ENTRY_GROUP_COLLISION:

843

logger.warning(u"Zeroconf service name collision.")

844

service.rename()

845

elif state == avahi.ENTRY_GROUP_FAILURE:

846

logger.critical(u"Avahi: Error in group state changed %s",

847

unicode(error))

848

raise AvahiGroupError("State changed: %s", str(error))

849

850

def if_nametoindex(interface):

851

"""Call the C function if_nametoindex(), or equivalent"""

852

global if_nametoindex

853

try:

854

if_nametoindex = (ctypes.cdll.LoadLibrary

855

(ctypes.util.find_library("c"))

856

.if_nametoindex)

857

except (OSError, AttributeError):

858

if "struct" not in sys.modules:

859

import struct

860

if "fcntl" not in sys.modules:

861

import fcntl

862

def if_nametoindex(interface):

863

"Get an interface index the hard way, i.e. using fcntl()"

864

SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h

865

with closing(socket.socket()) as s:

866

ifreq = fcntl.ioctl(s, SIOCGIFINDEX,

867

struct.pack("16s16x", interface))

868

interface_index = struct.unpack("I", ifreq[16:20])[0]

869

return interface_index

870

return if_nametoindex(interface)

871

872

873

def daemon(nochdir = False, noclose = False):

874

"""See daemon(3). Standard BSD Unix function.

875

This should really exist as os.daemon, but it doesn't (yet)."""

876

if os.fork():

877

sys.exit()

878

os.setsid()

879

if not nochdir:

880

os.chdir("/")

881

if os.fork():

882

sys.exit()

883

if not noclose:

884

# Close all standard open file descriptors

885

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

886

if not stat.S_ISCHR(os.fstat(null).st_mode):

887

raise OSError(errno.ENODEV,

888

"/dev/null not a character device")

889

os.dup2(null, sys.stdin.fileno())

890

os.dup2(null, sys.stdout.fileno())

891

os.dup2(null, sys.stderr.fileno())

892

if null > 2:

893

os.close(null)

227

except (ValueError, IndexError):

228

raise ValueError

229

return delta

894

230

895

231

896

232

def main():

897

parser = OptionParser(version = "%%prog %s" % version)

233

parser = OptionParser()

898

234

parser.add_option("-i", "--interface", type="string",

899

metavar="IF", help="Bind to interface IF")

900

parser.add_option("-a", "--address", type="string",

901

help="Address to listen for requests on")

902

parser.add_option("-p", "--port", type="int",

235

default="eth0", metavar="IF",

236

help="Interface to bind to")

237

parser.add_option("--cert", type="string", default="cert.pem",

238

metavar="FILE",

239

help="Public key certificate to use")

240

parser.add_option("--key", type="string", default="key.pem",

241

metavar="FILE",

242

help="Private key to use")

243

parser.add_option("--ca", type="string", default="ca.pem",

244

metavar="FILE",

245

help="Certificate Authority certificate to use")

246

parser.add_option("--crl", type="string", default="crl.pem",

247

metavar="FILE",

248

help="Certificate Revokation List to use")

249

parser.add_option("-p", "--port", type="int", default=49001,

903

250

help="Port number to receive requests on")

251

parser.add_option("--dh", type="int", metavar="BITS",

252

help="DH group to use")

253

parser.add_option("-t", "--timeout", type="string", # Parsed later

254

default="15m",

255

help="Amount of downtime allowed for clients")

256

parser.add_option("--interval", type="string", # Parsed later

257

default="5m",

258

help="How often to check that a client is up")

904

259

parser.add_option("--check", action="store_true", default=False,

905

260

help="Run self-test")

906

parser.add_option("--debug", action="store_true",

907

help="Debug mode; run in foreground and log to"

908

" terminal")

909

parser.add_option("--priority", type="string", help="GnuTLS"

910

" priority string (see GnuTLS documentation)")

911

parser.add_option("--servicename", type="string", metavar="NAME",

912

help="Zeroconf service name")

913

parser.add_option("--configdir", type="string",

914

default="/etc/mandos", metavar="DIR",

915

help="Directory to search for configuration"

916

" files")

917

options = parser.parse_args()[0]

918

261

(options, args) = parser.parse_args()

262

919

263

if options.check:

920

264

import doctest

921

265

doctest.testmod()

922

266

sys.exit()

923

267

924

# Default values for config file for server-global settings

925

server_defaults = { "interface": "",

926

"address": "",

927

"port": "",

928

"debug": "False",

929

"priority":

930

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",

931

"servicename": "Mandos",

932

}

933

934

# Parse config file for server-global settings

935

server_config = ConfigParser.SafeConfigParser(server_defaults)

936

del server_defaults

937

server_config.read(os.path.join(options.configdir, "mandos.conf"))

938

# Convert the SafeConfigParser object to a dict

939

server_settings = server_config.defaults()

940

# Use getboolean on the boolean config option

941

server_settings["debug"] = (server_config.getboolean

942

("DEFAULT", "debug"))

943

del server_config

944

945

# Override the settings from the config file with command line

946

# options, if set.

947

for option in ("interface", "address", "port", "debug",

948

"priority", "servicename", "configdir"):

949

value = getattr(options, option)

950

if value is not None:

951

server_settings[option] = value

952

del options

953

# Now we have our good server settings in "server_settings"

954

955

debug = server_settings["debug"]

956

957

if not debug:

958

syslogger.setLevel(logging.WARNING)

959

console.setLevel(logging.WARNING)

960

961

if server_settings["servicename"] != "Mandos":

962

syslogger.setFormatter(logging.Formatter

963

('Mandos (%s): %%(levelname)s:'

964

' %%(message)s'

965

% server_settings["servicename"]))

966

967

# Parse config file with clients

968

client_defaults = { "timeout": "1h",

969

"interval": "5m",

970

"checker": "fping -q -- %(host)s",

971

"host": "",

972

}

973

client_config = ConfigParser.SafeConfigParser(client_defaults)

974

client_config.read(os.path.join(server_settings["configdir"],

975

"clients.conf"))

976

977

clients = Set()

978

tcp_server = IPv6_TCPServer((server_settings["address"],

979

server_settings["port"]),

980

TCP_handler,

981

settings=server_settings,

982

clients=clients)

983

pidfilename = "/var/run/mandos.pid"

984

try:

985

pidfile = open(pidfilename, "w")

986

except IOError, error:

987

logger.error("Could not open file %r", pidfilename)

988

989

try:

990

uid = pwd.getpwnam("_mandos").pw_uid

991

except KeyError:

992

try:

993

uid = pwd.getpwnam("mandos").pw_uid

994

except KeyError:

995

try:

996

uid = pwd.getpwnam("nobody").pw_uid

997

except KeyError:

998

uid = 65534

999

try:

1000

gid = pwd.getpwnam("_mandos").pw_gid

1001

except KeyError:

1002

try:

1003

gid = pwd.getpwnam("mandos").pw_gid

1004

except KeyError:

1005

try:

1006

gid = pwd.getpwnam("nogroup").pw_gid

1007

except KeyError:

1008

gid = 65534

1009

try:

1010

os.setuid(uid)

1011

os.setgid(gid)

1012

except OSError, error:

1013

if error[0] != errno.EPERM:

1014

raise error

1015

1016

global service

1017

service = AvahiService(name = server_settings["servicename"],

1018

servicetype = "_mandos._tcp", )

1019

if server_settings["interface"]:

1020

service.interface = (if_nametoindex

1021

(server_settings["interface"]))

1022

1023

global main_loop

1024

global bus

1025

global server

1026

# From the Avahi example code

1027

DBusGMainLoop(set_as_default=True )

1028

main_loop = gobject.MainLoop()

1029

bus = dbus.SystemBus()

1030

server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,

1031

avahi.DBUS_PATH_SERVER),

1032

avahi.DBUS_INTERFACE_SERVER)

1033

# End of Avahi example code

1034

bus_name = dbus.service.BusName(u"org.mandos-system.Mandos", bus)

1035

1036

clients.update(Set(Client(name = section,

1037

config

1038

= dict(client_config.items(section)))

1039

for section in client_config.sections()))

1040

if not clients:

1041

logger.critical(u"No clients defined")

1042

sys.exit(1)

1043

1044

if debug:

1045

# Redirect stdin so all checkers get /dev/null

1046

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

1047

os.dup2(null, sys.stdin.fileno())

1048

if null > 2:

1049

os.close(null)

1050

else:

1051

# No console logging

1052

logger.removeHandler(console)

1053

# Close all input and output, do double fork, etc.

1054

daemon()

1055

1056

try:

1057

pid = os.getpid()

1058

pidfile.write(str(pid) + "\n")

1059

pidfile.close()

1060

del pidfile

1061

except IOError:

1062

logger.error(u"Could not write to file %r with PID %d",

1063

pidfilename, pid)

1064

except NameError:

1065

# "pidfile" was never created

1066

pass

1067

del pidfilename

1068

1069

def cleanup():

1070

"Cleanup function; run on exit"

1071

global group

1072

# From the Avahi example code

1073

if not group is None:

1074

group.Free()

1075

group = None

1076

# End of Avahi example code

1077

1078

while clients:

1079

client = clients.pop()

1080

client.stop_hook = None

1081

client.stop()

1082

1083

atexit.register(cleanup)

1084

1085

if not debug:

1086

signal.signal(signal.SIGINT, signal.SIG_IGN)

1087

signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())

1088

signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())

1089

1090

class MandosServer(dbus.service.Object):

1091

"""A D-Bus proxy object"""

1092

def __init__(self):

1093

dbus.service.Object.__init__(self, bus,

1094

"/Mandos")

1095

_interface = u"org.mandos_system.Mandos"

1096

1097

@dbus.service.signal(_interface, signature="oa{sv}")

1098

def ClientAdded(self, objpath, properties):

1099

"D-Bus signal"

1100

pass

1101

1102

@dbus.service.signal(_interface, signature="o")

1103

def ClientRemoved(self, objpath):

1104

"D-Bus signal"

1105

pass

1106

1107

@dbus.service.method(_interface, out_signature="ao")

1108

def GetAllClients(self):

1109

return dbus.Array(c.dbus_object_path for c in clients)

1110

1111

@dbus.service.method(_interface, out_signature="a{oa{sv}}")

1112

def GetAllClientsWithProperties(self):

1113

return dbus.Dictionary(

1114

((c.dbus_object_path, c.GetAllProperties())

1115

for c in clients),

1116

signature="oa{sv}")

1117

1118

@dbus.service.method(_interface, in_signature="o")

1119

def RemoveClient(self, object_path):

1120

for c in clients:

1121

if c.dbus_object_path == object_path:

1122

c.stop()

1123

clients.remove(c)

1124

return

1125

raise KeyError

1126

1127

del _interface

1128

1129

mandos_server = MandosServer()

1130

268

# Parse the time arguments

269

try:

270

options.timeout = string_to_delta(options.timeout)

271

except ValueError:

272

parser.error("option --timeout: Unparseable time")

273

274

try:

275

options.interval = string_to_delta(options.interval)

276

except ValueError:

277

parser.error("option --interval: Unparseable time")

278

279

cert = gnutls.crypto.X509Certificate(open(options.cert).read())

280

key = gnutls.crypto.X509PrivateKey(open(options.key).read())

281

ca = gnutls.crypto.X509Certificate(open(options.ca).read())

282

crl = gnutls.crypto.X509CRL(open(options.crl).read())

283

cred = gnutls.connection.X509Credentials(cert, key, [ca], [crl])

284

285

# Parse config file

286

defaults = {}

287

client_config_object = ConfigParser.SafeConfigParser(defaults)

288

client_config_object.read("mandos-clients.conf")

289

clients = Set(Client(name=section, options=options,

290

**(dict(client_config_object\

291

.items(section))))

292

for section in client_config_object.sections())

293

294

in6addr_any = "::"

295

udp_server = IPv6_UDPServer((in6addr_any, options.port),

296

udp_handler,

297

options=options)

298

299

tcp_server = IPv6_TCPServer((in6addr_any, options.port),

300

tcp_handler,

301

options=options,

302

clients=clients,

303

credentials=cred)

304

305

while True:

306

if not clients:

307

break

308

try:

309

next_stop = min(client.next_stop() for client in clients)

310

now = datetime.datetime.now()

311

if next_stop > now:

312

delay = next_stop - now

313

delay_seconds = (delay.days * 24 * 60 * 60

314

+ delay.seconds

315

+ delay.microseconds / 1000000)

316

clients_with_checkers = tuple(client for client in

317

clients

318

if client.checker

319

is not None)

320

input_checks = (udp_server, tcp_server) \

321

+ clients_with_checkers

322

print "Waiting for network",

323

if clients_with_checkers:

324

print "and checkers for:",

325

for client in clients_with_checkers:

326

print client.name,

327

328

input, out, err = select.select(input_checks, (), (),

329

delay_seconds)

330

for obj in input:

331

obj.handle_request()

332

# start new checkers

333

for client in clients:

334

if client.it_is_time_to_check(now=now) and \

335

client.checker is None:

336

print "Starting checker for client %(name)s" \

337

% vars(client)

338

client.start_checker()

339

# delete timed-out clients

340

for client in clients.copy():

341

if not client.still_valid(now=now):

342

# log xxx

343

print "Removing client %(name)s" % vars(client)

344

clients.remove(client)

345

except KeyboardInterrupt:

346

break

347

348

# Cleanup here

1131

349

for client in clients:

1132

# Emit D-Bus signal

1133

mandos_server.ClientAdded(client.dbus_object_path,

1134

client.GetAllProperties())

1135

client.start()

1136

1137

tcp_server.enable()

1138

tcp_server.server_activate()

1139

1140

# Find out what port we got

1141

service.port = tcp_server.socket.getsockname()[1]

1142

logger.info(u"Now listening on address %r, port %d, flowinfo %d,"

1143

u" scope_id %d" % tcp_server.socket.getsockname())

1144

1145

#service.interface = tcp_server.socket.getsockname()[3]

1146

1147

try:

1148

# From the Avahi example code

1149

server.connect_to_signal("StateChanged", server_state_changed)

1150

try:

1151

server_state_changed(server.GetState())

1152

except dbus.exceptions.DBusException, error:

1153

logger.critical(u"DBusException: %s", error)

1154

sys.exit(1)

1155

# End of Avahi example code

1156

1157

gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,

1158

lambda *args, **kwargs:

1159

(tcp_server.handle_request

1160

(*args[2:], **kwargs) or True))

1161

1162

logger.debug(u"Starting main loop")

1163

main_loop.run()

1164

except AvahiError, error:

1165

logger.critical(u"AvahiError: %s" + unicode(error))

1166

sys.exit(1)

1167

except KeyboardInterrupt:

1168

if debug:

1169

1170

1171

if __name__ == '__main__':

350

client.stop_checker()

351

352

353

if __name__ == "__main__":

1172

354

main()

355

Older »