/mandos/release : revision 11

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to server.py

Committer: Teddy Hogeborn
Date: 2008-06-30 01:43:39 UTC
Revision ID: teddy@fukt.bsnet.se-20080630014339-rsuztydpl2w5ml83

* server.py: Rewritten to use Zeroconf (mDNS/DNS-SD) in place of the
old broadcast-UDP-to-port-49001 method.

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

client.cpp

crl.pem

key.pem

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

server.py

#!/usr/bin/python

# -*- mode: python; coding: utf-8 -*-

# Mandos server - give out binary blobs to connecting clients.

# This program is partly derived from an example program for an Avahi

# service publisher, downloaded from

# <http://avahi.org/wiki/PythonPublishExample>. This includes the

# methods "add" and "remove" in the "AvahiService" class, the

# "server_state_changed" and "entry_group_state_changed" functions,

# and some lines in "main".

# Everything else is

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see

# <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

from __future__ import division, with_statement, absolute_import

from __future__ import division

import SocketServer

import socket

import optparse

import select

from optparse import OptionParser

import datetime

import errno

import gnutls.crypto

import gnutls.connection

import gnutls.errors

import gnutls.library.functions

import gnutls.library.constants

import gnutls.library.types

import ConfigParser

import sys

import re

import signal

from sets import Set

import subprocess

import atexit

import stat

import logging

import logging.handlers

import pwd

from contextlib import closing

import dbus

import dbus.service

import gobject

import avahi

from dbus.mainloop.glib import DBusGMainLoop

import ctypes

import ctypes.util

version = "1.0.8"

logger = logging.Logger('mandos')

syslogger = (logging.handlers.SysLogHandler

(facility = logging.handlers.SysLogHandler.LOG_DAEMON,

address = "/dev/log"))

syslogger.setFormatter(logging.Formatter

('Mandos [%(process)d]: %(levelname)s:'

' %(message)s'))

logger.addHandler(syslogger)

console = logging.StreamHandler()

console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'

' %(levelname)s: %(message)s'))

logger.addHandler(console)

class AvahiError(Exception):

def __init__(self, value, *args, **kwargs):

self.value = value

super(AvahiError, self).__init__(value, *args, **kwargs)

def __unicode__(self):

return unicode(repr(self.value))

class AvahiServiceError(AvahiError):

pass

class AvahiGroupError(AvahiError):

pass

class AvahiService(object):

100

"""An Avahi (Zeroconf) service.

101

Attributes:

102

interface: integer; avahi.IF_UNSPEC or an interface index.

103

Used to optionally bind to the specified interface.

104

name: string; Example: 'Mandos'

105

type: string; Example: '_mandos._tcp'.

106

See <http://www.dns-sd.org/ServiceTypes.html>

107

port: integer; what port to announce

108

TXT: list of strings; TXT record for the service

109

domain: string; Domain to publish on, default to .local if empty.

110

host: string; Host to publish records for, default is localhost

111

max_renames: integer; maximum number of renames

112

rename_count: integer; counter so we only rename after collisions

113

a sensible number of times

114

"""

115

def __init__(self, interface = avahi.IF_UNSPEC, name = None,

116

servicetype = None, port = None, TXT = None,

117

domain = "", host = "", max_renames = 32768,

118

protocol = avahi.PROTO_UNSPEC):

119

self.interface = interface

120

self.name = name

121

self.type = servicetype

122

self.port = port

123

self.TXT = TXT if TXT is not None else []

124

self.domain = domain

125

self.host = host

126

self.rename_count = 0

127

self.max_renames = max_renames

128

self.protocol = protocol

129

def rename(self):

130

"""Derived from the Avahi example code"""

131

if self.rename_count >= self.max_renames:

132

logger.critical(u"No suitable Zeroconf service name found"

133

u" after %i retries, exiting.",

134

self.rename_count)

135

raise AvahiServiceError(u"Too many renames")

136

self.name = server.GetAlternativeServiceName(self.name)

137

logger.info(u"Changing Zeroconf service name to %r ...",

138

str(self.name))

139

syslogger.setFormatter(logging.Formatter

140

('Mandos (%s) [%%(process)d]:'

141

' %%(levelname)s: %%(message)s'

142

% self.name))

143

self.remove()

144

self.add()

145

self.rename_count += 1

146

def remove(self):

147

"""Derived from the Avahi example code"""

148

if group is not None:

149

group.Reset()

150

def add(self):

151

"""Derived from the Avahi example code"""

152

global group

153

if group is None:

154

group = dbus.Interface(bus.get_object

155

(avahi.DBUS_NAME,

156

server.EntryGroupNew()),

157

avahi.DBUS_INTERFACE_ENTRY_GROUP)

158

group.connect_to_signal('StateChanged',

159

entry_group_state_changed)

160

logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",

161

service.name, service.type)

162

group.AddService(

163

self.interface, # interface

164

self.protocol, # protocol

165

dbus.UInt32(0), # flags

166

self.name, self.type,

167

self.domain, self.host,

168

dbus.UInt16(self.port),

169

avahi.string_array_to_txt_array(self.TXT))

170

group.Commit()

171

172

# From the Avahi example code:

173

group = None # our entry group

# This variable is used to optionally bind to a specified

# interface.

serviceInterface = avahi.IF_UNSPEC

# It is a global variable to fit in with the rest of the

# variables from the Avahi server example code:

serviceName = "Mandos"

serviceType = "_mandos._tcp" # http://www.dns-sd.org/ServiceTypes.html

servicePort = None # Not known at startup

serviceTXT = [] # TXT record for the service

domain = "" # Domain to publish on, default to .local

host = "" # Host to publish records for, default to localhost

group = None #our entry group

rename_count = 12 # Counter so we only rename after collisions a

# sensible number of times

174

# End of Avahi example code

175

176

177

def _datetime_to_dbus(dt, variant_level=0):

178

"""Convert a UTC datetime.datetime() to a D-Bus type."""

179

return dbus.String(dt.isoformat(), variant_level=variant_level)

180

181

182

class Client(dbus.service.Object):

class Client(object):

183

"""A representation of a client host served by this server.

184

Attributes:

185

name: string; from the config file, used in log messages and

186

D-Bus identifiers

187

fingerprint: string (40 or 32 hexadecimal digits); used to

188

uniquely identify the client

189

secret: bytestring; sent verbatim (over TLS) to client

190

host: string; available for use by the checker command

191

created: datetime.datetime(); (UTC) object creation

192

last_enabled: datetime.datetime(); (UTC)

193

enabled: bool()

194

last_checked_ok: datetime.datetime(); (UTC) or None

195

timeout: datetime.timedelta(); How long from last_checked_ok

196

until this client is invalid

197

interval: datetime.timedelta(); How often to start a new checker

198

disable_hook: If set, called by disable() as disable_hook(self)

199

checker: subprocess.Popen(); a running checker process used

200

to see if the client lives.

201

'None' if no process is running.

password: string

fqdn: string, FQDN (used by the checker)

created: datetime.datetime()

last_seen: datetime.datetime() or None if not yet seen

timeout: datetime.timedelta(); How long from last_seen until

this client is invalid

interval: datetime.timedelta(); How often to start a new checker

timeout_milliseconds: Used by gobject.timeout_add()

interval_milliseconds: - '' -

stop_hook: If set, called by stop() as stop_hook(self)

checker: subprocess.Popen(); a running checker process used

to see if the client lives.

Is None if no process is running.

202

checker_initiator_tag: a gobject event source tag, or None

203

disable_initiator_tag: - '' -

stop_initiator_tag: - '' -

204

checker_callback_tag: - '' -

205

checker_command: string; External command which is run to check if

206

client lives. %() expansions are done at

207

runtime with vars(self) as dict, so that for

208

instance %(name)s can be used in the command.

209

current_checker_command: string; current running checker_command

210

use_dbus: bool(); Whether to provide D-Bus interface and signals

211

dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus

212

"""

213

def timeout_milliseconds(self):

214

"Return the 'timeout' attribute in milliseconds"

215

return ((self.timeout.days * 24 * 60 * 60 * 1000)

216

+ (self.timeout.seconds * 1000)

217

+ (self.timeout.microseconds // 1000))

218

219

def interval_milliseconds(self):

220

"Return the 'interval' attribute in milliseconds"

221

return ((self.interval.days * 24 * 60 * 60 * 1000)

222

+ (self.interval.seconds * 1000)

223

+ (self.interval.microseconds // 1000))

224

225

def __init__(self, name = None, disable_hook=None, config=None,

226

use_dbus=True):

227

"""Note: the 'checker' key in 'config' sets the

228

'checker_command' attribute and *not* the 'checker'

229

attribute."""

def __init__(self, name=None, options=None, stop_hook=None,

dn=None, password=None, passfile=None, fqdn=None,

timeout=None, interval=-1):

230

self.name = name

231

if config is None:

232

config = {}

233

logger.debug(u"Creating client %r", self.name)

234

self.use_dbus = False # During __init__

235

# Uppercase and remove spaces from fingerprint for later

236

# comparison purposes with return value from the fingerprint()

237

# function

238

self.fingerprint = (config["fingerprint"].upper()

239

.replace(u" ", u""))

240

logger.debug(u" Fingerprint: %s", self.fingerprint)

241

if "secret" in config:

242

self.secret = config["secret"].decode(u"base64")

243

elif "secfile" in config:

244

with closing(open(os.path.expanduser

245

(os.path.expandvars

246

(config["secfile"])))) as secfile:

247

self.secret = secfile.read()

248

else:

249

raise TypeError(u"No secret or secfile for client %s"

250

% self.name)

251

self.host = config.get("host", "")

252

self.created = datetime.datetime.utcnow()

253

self.enabled = False

254

self.last_enabled = None

255

self.last_checked_ok = None

256

self.timeout = string_to_delta(config["timeout"])

257

self.interval = string_to_delta(config["interval"])

258

self.disable_hook = disable_hook

self.dn = dn

if password:

self.password = password

elif passfile:

self.password = open(passfile).readall()

else:

raise RuntimeError(u"No Password or Passfile for client %s"

% self.name)

self.fqdn = fqdn # string

self.created = datetime.datetime.now()

self.last_seen = None

if timeout is None:

timeout = options.timeout

self.timeout = timeout

self.timeout_milliseconds = ((self.timeout.days

* 24 * 60 * 60 * 1000)

+ (self.timeout.seconds * 1000)

+ (self.timeout.microseconds

// 1000))

if interval == -1:

interval = options.interval

else:

interval = string_to_delta(interval)

self.interval = interval

self.interval_milliseconds = ((self.interval.days

* 24 * 60 * 60 * 1000)

+ (self.interval.seconds * 1000)

+ (self.interval.microseconds

// 1000))

self.stop_hook = stop_hook

259

self.checker = None

260

self.checker_initiator_tag = None

261

self.disable_initiator_tag = None

100

self.stop_initiator_tag = None

262

101

self.checker_callback_tag = None

263

self.checker_command = config["checker"]

264

self.current_checker_command = None

265

self.last_connect = None

266

# Only now, when this client is initialized, can it show up on

267

# the D-Bus

268

self.use_dbus = use_dbus

269

if self.use_dbus:

270

self.dbus_object_path = (dbus.ObjectPath

271

("/clients/"

272

+ self.name.replace(".", "_")))

273

dbus.service.Object.__init__(self, bus,

274

self.dbus_object_path)

275

276

def enable(self):

277

"""Start this client's checker and timeout hooks"""

278

self.last_enabled = datetime.datetime.utcnow()

102

def start(self):

103

"""Start this clients checker and timeout hooks"""

279

104

# Schedule a new checker to be started an 'interval' from now,

280

105

# and every interval from then on.

281

self.checker_initiator_tag = (gobject.timeout_add

282

(self.interval_milliseconds(),

283

self.start_checker))

106

self.checker_initiator_tag = gobject.\

107

timeout_add(self.interval_milliseconds,

108

self.start_checker)

284

109

# Also start a new checker *right now*.

285

110

self.start_checker()

286

# Schedule a disable() when 'timeout' has passed

287

self.disable_initiator_tag = (gobject.timeout_add

288

(self.timeout_milliseconds(),

289

self.disable))

290

self.enabled = True

291

if self.use_dbus:

292

# Emit D-Bus signals

293

self.PropertyChanged(dbus.String(u"enabled"),

294

dbus.Boolean(True, variant_level=1))

295

self.PropertyChanged(dbus.String(u"last_enabled"),

296

(_datetime_to_dbus(self.last_enabled,

297

variant_level=1)))

298

299

def disable(self):

300

"""Disable this client."""

301

if not getattr(self, "enabled", False):

302

return False

303

logger.info(u"Disabling client %s", self.name)

304

if getattr(self, "disable_initiator_tag", False):

305

gobject.source_remove(self.disable_initiator_tag)

306

self.disable_initiator_tag = None

307

if getattr(self, "checker_initiator_tag", False):

111

# Schedule a stop() when 'timeout' has passed

112

self.stop_initiator_tag = gobject.\

113

timeout_add(self.timeout_milliseconds,

114

self.stop)

115

def stop(self):

116

"""Stop this client.

117

The possibility that this client might be restarted is left

118

open, but not currently used."""

119

# print "Stopping client", self.name

120

self.password = None

121

if self.stop_initiator_tag:

122

gobject.source_remove(self.stop_initiator_tag)

123

self.stop_initiator_tag = None

124

if self.checker_initiator_tag:

308

125

gobject.source_remove(self.checker_initiator_tag)

309

126

self.checker_initiator_tag = None

310

127

self.stop_checker()

311

if self.disable_hook:

312

self.disable_hook(self)

313

self.enabled = False

314

if self.use_dbus:

315

# Emit D-Bus signal

316

self.PropertyChanged(dbus.String(u"enabled"),

317

dbus.Boolean(False, variant_level=1))

128

if self.stop_hook:

129

self.stop_hook(self)

318

130

# Do not run this again if called by a gobject.timeout_add

319

131

return False

320

321

132

def __del__(self):

322

self.disable_hook = None

323

self.disable()

324

325

def checker_callback(self, pid, condition, command):

133

# Some code duplication here and in stop()

134

if hasattr(self, "stop_initiator_tag") \

135

and self.stop_initiator_tag:

136

gobject.source_remove(self.stop_initiator_tag)

137

self.stop_initiator_tag = None

138

if hasattr(self, "checker_initiator_tag") \

139

and self.checker_initiator_tag:

140

gobject.source_remove(self.checker_initiator_tag)

141

self.checker_initiator_tag = None

142

self.stop_checker()

143

def checker_callback(self, pid, condition):

326

144

"""The checker has completed, so take appropriate actions."""

145

now = datetime.datetime.now()

146

if os.WIFEXITED(condition) \

147

and (os.WEXITSTATUS(condition) == 0):

148

#print "Checker for %(name)s succeeded" % vars(self)

149

self.last_seen = now

150

gobject.source_remove(self.stop_initiator_tag)

151

self.stop_initiator_tag = gobject.\

152

timeout_add(self.timeout_milliseconds,

153

self.stop)

154

#else:

155

# if not os.WIFEXITED(condition):

156

# print "Checker for %(name)s crashed?" % vars(self)

157

# else:

158

# print "Checker for %(name)s failed" % vars(self)

159

self.checker = None

327

160

self.checker_callback_tag = None

328

self.checker = None

329

if self.use_dbus:

330

# Emit D-Bus signal

331

self.PropertyChanged(dbus.String(u"checker_running"),

332

dbus.Boolean(False, variant_level=1))

333

if os.WIFEXITED(condition):

334

exitstatus = os.WEXITSTATUS(condition)

335

if exitstatus == 0:

336

logger.info(u"Checker for %(name)s succeeded",

337

vars(self))

338

self.checked_ok()

339

else:

340

logger.info(u"Checker for %(name)s failed",

341

vars(self))

342

if self.use_dbus:

343

# Emit D-Bus signal

344

self.CheckerCompleted(dbus.Int16(exitstatus),

345

dbus.Int64(condition),

346

dbus.String(command))

347

else:

348

logger.warning(u"Checker for %(name)s crashed?",

349

vars(self))

350

if self.use_dbus:

351

# Emit D-Bus signal

352

self.CheckerCompleted(dbus.Int16(-1),

353

dbus.Int64(condition),

354

dbus.String(command))

355

356

def checked_ok(self):

357

"""Bump up the timeout for this client.

358

This should only be called when the client has been seen,

359

alive and well.

360

"""

361

self.last_checked_ok = datetime.datetime.utcnow()

362

gobject.source_remove(self.disable_initiator_tag)

363

self.disable_initiator_tag = (gobject.timeout_add

364

(self.timeout_milliseconds(),

365

self.disable))

366

if self.use_dbus:

367

# Emit D-Bus signal

368

self.PropertyChanged(

369

dbus.String(u"last_checked_ok"),

370

(_datetime_to_dbus(self.last_checked_ok,

371

variant_level=1)))

372

373

161

def start_checker(self):

374

162

"""Start a new checker subprocess if one is not running.

375

163

If a checker already exists, leave it running and do

376

164

nothing."""

377

# The reason for not killing a running checker is that if we

378

# did that, then if a checker (for some reason) started

379

# running slowly and taking more than 'interval' time, the

380

# client would inevitably timeout, since no checker would get

381

# a chance to run to completion. If we instead leave running

382

# checkers alone, the checker would have to take more time

383

# than 'timeout' for the client to be declared invalid, which

384

# is as it should be.

385

386

# If a checker exists, make sure it is not a zombie

387

if self.checker is not None:

388

pid, status = os.waitpid(self.checker.pid, os.WNOHANG)

389

if pid:

390

logger.warning("Checker was a zombie")

391

gobject.source_remove(self.checker_callback_tag)

392

self.checker_callback(pid, status,

393

self.current_checker_command)

394

# Start a new checker if needed

395

165

if self.checker is None:

396

try:

397

# In case checker_command has exactly one % operator

398

command = self.checker_command % self.host

399

except TypeError:

400

# Escape attributes for the shell

401

escaped_attrs = dict((key, re.escape(str(val)))

402

for key, val in

403

vars(self).iteritems())

404

try:

405

command = self.checker_command % escaped_attrs

406

except TypeError, error:

407

logger.error(u'Could not format string "%s":'

408

u' %s', self.checker_command, error)

409

return True # Try again later

410

self.current_checker_command = command

411

try:

412

logger.info(u"Starting checker %r for %s",

413

command, self.name)

414

# We don't need to redirect stdout and stderr, since

415

# in normal mode, that is already done by daemon(),

416

# and in debug mode we don't want to. (Stdin is

417

# always replaced by /dev/null.)

418

self.checker = subprocess.Popen(command,

419

close_fds=True,

420

shell=True, cwd="/")

421

if self.use_dbus:

422

# Emit D-Bus signal

423

self.CheckerStarted(command)

424

self.PropertyChanged(

425

dbus.String("checker_running"),

426

dbus.Boolean(True, variant_level=1))

427

self.checker_callback_tag = (gobject.child_watch_add

428

(self.checker.pid,

429

self.checker_callback,

430

data=command))

431

# The checker may have completed before the gobject

432

# watch was added. Check for this.

433

pid, status = os.waitpid(self.checker.pid, os.WNOHANG)

434

if pid:

435

gobject.source_remove(self.checker_callback_tag)

436

self.checker_callback(pid, status, command)

437

except OSError, error:

438

logger.error(u"Failed to start subprocess: %s",

439

error)

166

#print "Starting checker for", self.name

167

try:

168

self.checker = subprocess.\

169

Popen("sleep 1; fping -q -- %s"

170

% re.escape(self.fqdn),

171

stdout=subprocess.PIPE,

172

close_fds=True, shell=True,

173

cwd="/")

174

self.checker_callback_tag = gobject.\

175

child_watch_add(self.checker.pid,

176

self.\

177

checker_callback)

178

except subprocess.OSError, error:

179

sys.stderr.write(u"Failed to start subprocess: %s\n"

180

% error)

440

181

# Re-run this periodically if run by gobject.timeout_add

441

182

return True

442

443

183

def stop_checker(self):

444

184

"""Force the checker process, if any, to stop."""

445

if self.checker_callback_tag:

446

gobject.source_remove(self.checker_callback_tag)

447

self.checker_callback_tag = None

448

if getattr(self, "checker", None) is None:

185

if not hasattr(self, "checker") or self.checker is None:

449

186

return

450

logger.debug(u"Stopping checker for %(name)s", vars(self))

451

try:

452

os.kill(self.checker.pid, signal.SIGTERM)

453

#os.sleep(0.5)

454

#if self.checker.poll() is None:

455

# os.kill(self.checker.pid, signal.SIGKILL)

456

except OSError, error:

457

if error.errno != errno.ESRCH: # No such process

458

raise

187

gobject.source_remove(self.checker_callback_tag)

188

self.checker_callback_tag = None

189

os.kill(self.checker.pid, signal.SIGTERM)

190

if self.checker.poll() is None:

191

os.kill(self.checker.pid, signal.SIGKILL)

459

192

self.checker = None

460

if self.use_dbus:

461

self.PropertyChanged(dbus.String(u"checker_running"),

462

dbus.Boolean(False, variant_level=1))

463

464

def still_valid(self):

193

def still_valid(self, now=None):

465

194

"""Has the timeout not yet passed for this client?"""

466

if not getattr(self, "enabled", False):

467

return False

468

now = datetime.datetime.utcnow()

469

if self.last_checked_ok is None:

195

if now is None:

196

now = datetime.datetime.now()

197

if self.last_seen is None:

470

198

return now < (self.created + self.timeout)

471

199

else:

472

return now < (self.last_checked_ok + self.timeout)

473

474

## D-Bus methods & signals

475

_interface = u"se.bsnet.fukt.Mandos.Client"

476

477

# CheckedOK - method

478

CheckedOK = dbus.service.method(_interface)(checked_ok)

479

CheckedOK.__name__ = "CheckedOK"

480

481

# CheckerCompleted - signal

482

@dbus.service.signal(_interface, signature="nxs")

483

def CheckerCompleted(self, exitcode, waitstatus, command):

484

"D-Bus signal"

485

pass

486

487

# CheckerStarted - signal

488

@dbus.service.signal(_interface, signature="s")

489

def CheckerStarted(self, command):

490

"D-Bus signal"

491

pass

492

493

# GetAllProperties - method

494

@dbus.service.method(_interface, out_signature="a{sv}")

495

def GetAllProperties(self):

496

"D-Bus method"

497

return dbus.Dictionary({

498

dbus.String("name"):

499

dbus.String(self.name, variant_level=1),

500

dbus.String("fingerprint"):

501

dbus.String(self.fingerprint, variant_level=1),

502

dbus.String("host"):

503

dbus.String(self.host, variant_level=1),

504

dbus.String("created"):

505

_datetime_to_dbus(self.created, variant_level=1),

506

dbus.String("last_enabled"):

507

(_datetime_to_dbus(self.last_enabled,

508

variant_level=1)

509

if self.last_enabled is not None

510

else dbus.Boolean(False, variant_level=1)),

511

dbus.String("enabled"):

512

dbus.Boolean(self.enabled, variant_level=1),

513

dbus.String("last_checked_ok"):

514

(_datetime_to_dbus(self.last_checked_ok,

515

variant_level=1)

516

if self.last_checked_ok is not None

517

else dbus.Boolean (False, variant_level=1)),

518

dbus.String("timeout"):

519

dbus.UInt64(self.timeout_milliseconds(),

520

variant_level=1),

521

dbus.String("interval"):

522

dbus.UInt64(self.interval_milliseconds(),

523

variant_level=1),

524

dbus.String("checker"):

525

dbus.String(self.checker_command,

526

variant_level=1),

527

dbus.String("checker_running"):

528

dbus.Boolean(self.checker is not None,

529

variant_level=1),

530

dbus.String("object_path"):

531

dbus.ObjectPath(self.dbus_object_path,

532

variant_level=1)

533

}, signature="sv")

534

535

# IsStillValid - method

536

IsStillValid = (dbus.service.method(_interface, out_signature="b")

537

(still_valid))

538

IsStillValid.__name__ = "IsStillValid"

539

540

# PropertyChanged - signal

541

@dbus.service.signal(_interface, signature="sv")

542

def PropertyChanged(self, property, value):

543

"D-Bus signal"

544

pass

545

546

# ReceivedSecret - signal

547

@dbus.service.signal(_interface)

548

def ReceivedSecret(self):

549

"D-Bus signal"

550

pass

551

552

# Rejected - signal

553

@dbus.service.signal(_interface)

554

def Rejected(self):

555

"D-Bus signal"

556

pass

557

558

# SetChecker - method

559

@dbus.service.method(_interface, in_signature="s")

560

def SetChecker(self, checker):

561

"D-Bus setter method"

562

self.checker_command = checker

563

# Emit D-Bus signal

564

self.PropertyChanged(dbus.String(u"checker"),

565

dbus.String(self.checker_command,

566

variant_level=1))

567

568

# SetHost - method

569

@dbus.service.method(_interface, in_signature="s")

570

def SetHost(self, host):

571

"D-Bus setter method"

572

self.host = host

573

# Emit D-Bus signal

574

self.PropertyChanged(dbus.String(u"host"),

575

dbus.String(self.host, variant_level=1))

576

577

# SetInterval - method

578

@dbus.service.method(_interface, in_signature="t")

579

def SetInterval(self, milliseconds):

580

self.interval = datetime.timedelta(0, 0, 0, milliseconds)

581

# Emit D-Bus signal

582

self.PropertyChanged(dbus.String(u"interval"),

583

(dbus.UInt64(self.interval_milliseconds(),

584

variant_level=1)))

585

586

# SetSecret - method

587

@dbus.service.method(_interface, in_signature="ay",

588

byte_arrays=True)

589

def SetSecret(self, secret):

590

"D-Bus setter method"

591

self.secret = str(secret)

592

593

# SetTimeout - method

594

@dbus.service.method(_interface, in_signature="t")

595

def SetTimeout(self, milliseconds):

596

self.timeout = datetime.timedelta(0, 0, 0, milliseconds)

597

# Emit D-Bus signal

598

self.PropertyChanged(dbus.String(u"timeout"),

599

(dbus.UInt64(self.timeout_milliseconds(),

600

variant_level=1)))

601

602

# Enable - method

603

Enable = dbus.service.method(_interface)(enable)

604

Enable.__name__ = "Enable"

605

606

# StartChecker - method

607

@dbus.service.method(_interface)

608

def StartChecker(self):

609

"D-Bus method"

610

self.start_checker()

611

612

# Disable - method

613

@dbus.service.method(_interface)

614

def Disable(self):

615

"D-Bus method"

616

self.disable()

617

618

# StopChecker - method

619

StopChecker = dbus.service.method(_interface)(stop_checker)

620

StopChecker.__name__ = "StopChecker"

621

622

del _interface

623

624

625

def peer_certificate(session):

626

"Return the peer's OpenPGP certificate as a bytestring"

627

# If not an OpenPGP certificate...

628

if (gnutls.library.functions

629

.gnutls_certificate_type_get(session._c_object)

630

!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):

631

# ...do the normal thing

632

return session.peer_certificate

633

list_size = ctypes.c_uint(1)

634

cert_list = (gnutls.library.functions

635

.gnutls_certificate_get_peers

636

(session._c_object, ctypes.byref(list_size)))

637

if not bool(cert_list) and list_size.value != 0:

638

raise gnutls.errors.GNUTLSError("error getting peer"

639

" certificate")

640

if list_size.value == 0:

641

return None

642

cert = cert_list[0]

643

return ctypes.string_at(cert.data, cert.size)

644

645

646

def fingerprint(openpgp):

647

"Convert an OpenPGP bytestring to a hexdigit fingerprint string"

648

# New GnuTLS "datum" with the OpenPGP public key

649

datum = (gnutls.library.types

650

.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),

651

ctypes.POINTER

652

(ctypes.c_ubyte)),

653

ctypes.c_uint(len(openpgp))))

654

# New empty GnuTLS certificate

655

crt = gnutls.library.types.gnutls_openpgp_crt_t()

656

(gnutls.library.functions

657

.gnutls_openpgp_crt_init(ctypes.byref(crt)))

658

# Import the OpenPGP public key into the certificate

659

(gnutls.library.functions

660

.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),

661

gnutls.library.constants

662

.GNUTLS_OPENPGP_FMT_RAW))

663

# Verify the self signature in the key

664

crtverify = ctypes.c_uint()

665

(gnutls.library.functions

666

.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))

667

if crtverify.value != 0:

668

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

669

raise gnutls.errors.CertificateSecurityError("Verify failed")

670

# New buffer for the fingerprint

671

buf = ctypes.create_string_buffer(20)

672

buf_len = ctypes.c_size_t()

673

# Get the fingerprint from the certificate into the buffer

674

(gnutls.library.functions

675

.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),

676

ctypes.byref(buf_len)))

677

# Deinit the certificate

678

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

679

# Convert the buffer to a Python bytestring

680

fpr = ctypes.string_at(buf, buf_len.value)

681

# Convert the bytestring to hexadecimal notation

682

hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)

683

return hex_fpr

684

685

686

class TCP_handler(SocketServer.BaseRequestHandler, object):

200

return now < (self.last_seen + self.timeout)

201

202

203

class tcp_handler(SocketServer.BaseRequestHandler, object):

687

204

"""A TCP request handler class.

688

205

Instantiated by IPv6_TCPServer for each request to handle it.

689

206

Note: This will run in its own forked process."""

690

691

207

def handle(self):

692

logger.info(u"TCP connection from: %s",

693

unicode(self.client_address))

694

logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])

695

# Open IPC pipe to parent process

696

with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:

697

session = (gnutls.connection

698

.ClientSession(self.request,

699

gnutls.connection

700

.X509Credentials()))

701

702

line = self.request.makefile().readline()

703

logger.debug(u"Protocol version: %r", line)

704

try:

705

if int(line.strip().split()[0]) > 1:

706

raise RuntimeError

707

except (ValueError, IndexError, RuntimeError), error:

708

logger.error(u"Unknown protocol version: %s", error)

709

return

710

711

# Note: gnutls.connection.X509Credentials is really a

712

# generic GnuTLS certificate credentials object so long as

713

# no X.509 keys are added to it. Therefore, we can use it

714

# here despite using OpenPGP certificates.

715

716

#priority = ':'.join(("NONE", "+VERS-TLS1.1",

717

# "+AES-256-CBC", "+SHA1",

718

# "+COMP-NULL", "+CTYPE-OPENPGP",

719

# "+DHE-DSS"))

720

# Use a fallback default, since this MUST be set.

721

priority = self.server.settings.get("priority", "NORMAL")

722

(gnutls.library.functions

723

.gnutls_priority_set_direct(session._c_object,

724

priority, None))

725

726

try:

727

session.handshake()

728

except gnutls.errors.GNUTLSError, error:

729

logger.warning(u"Handshake failed: %s", error)

730

# Do not run session.bye() here: the session is not

731

# established. Just abandon the request.

732

return

733

logger.debug(u"Handshake succeeded")

734

try:

735

fpr = fingerprint(peer_certificate(session))

736

except (TypeError, gnutls.errors.GNUTLSError), error:

737

logger.warning(u"Bad certificate: %s", error)

738

session.bye()

739

return

740

logger.debug(u"Fingerprint: %s", fpr)

741

742

for c in self.server.clients:

743

if c.fingerprint == fpr:

744

client = c

745

break

746

else:

747

logger.warning(u"Client not found for fingerprint: %s",

748

fpr)

749

ipc.write("NOTFOUND %s\n" % fpr)

750

session.bye()

751

return

752

# Have to check if client.still_valid(), since it is

753

# possible that the client timed out while establishing

754

# the GnuTLS session.

755

if not client.still_valid():

756

logger.warning(u"Client %(name)s is invalid",

757

vars(client))

758

ipc.write("INVALID %s\n" % client.name)

759

session.bye()

760

return

761

ipc.write("SENDING %s\n" % client.name)

762

sent_size = 0

763

while sent_size < len(client.secret):

764

sent = session.send(client.secret[sent_size:])

765

logger.debug(u"Sent: %d, remaining: %d",

766

sent, len(client.secret)

767

- (sent_size + sent))

768

sent_size += sent

208

#print u"TCP request came"

209

#print u"Request:", self.request

210

#print u"Client Address:", self.client_address

211

#print u"Server:", self.server

212

session = gnutls.connection.ServerSession(self.request,

213

self.server\

214

.credentials)

215

try:

216

session.handshake()

217

except gnutls.errors.GNUTLSError, error:

218

#sys.stderr.write(u"Handshake failed: %s\n" % error)

219

# Do not run session.bye() here: the session is not

220

# established. Just abandon the request.

221

return

222

#if session.peer_certificate:

223

# print "DN:", session.peer_certificate.subject

224

try:

225

session.verify_peer()

226

except gnutls.errors.CertificateError, error:

227

#sys.stderr.write(u"Verify failed: %s\n" % error)

769

228

session.bye()

770

771

772

class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):

773

"""Like SocketServer.ForkingMixIn, but also pass a pipe.

774

Assumes a gobject.MainLoop event loop.

775

"""

776

def process_request(self, request, client_address):

777

"""This overrides and wraps the original process_request().

778

This function creates a new pipe in self.pipe

779

"""

780

self.pipe = os.pipe()

781

super(ForkingMixInWithPipe,

782

self).process_request(request, client_address)

783

os.close(self.pipe[1]) # close write end

784

# Call "handle_ipc" for both data and EOF events

785

gobject.io_add_watch(self.pipe[0],

786

gobject.IO_IN | gobject.IO_HUP,

787

self.handle_ipc)

788

def handle_ipc(source, condition):

789

"""Dummy function; override as necessary"""

790

os.close(source)

791

return False

792

793

794

class IPv6_TCPServer(ForkingMixInWithPipe,

795

SocketServer.TCPServer, object):

796

"""IPv6-capable TCP server. Accepts 'None' as address and/or port

229

return

230

client = None

231

for c in clients:

232

if c.dn == session.peer_certificate.subject:

233

client = c

234

break

235

# Have to check if client.still_valid(), since it is possible

236

# that the client timed out while establishing the GnuTLS

237

# session.

238

if client and client.still_valid():

239

session.send(client.password)

240

else:

241

#if client:

242

# sys.stderr.write(u"Client %(name)s is invalid\n"

243

# % vars(client))

244

#else:

245

# sys.stderr.write(u"Client not found for DN: %s\n"

246

# % session.peer_certificate.subject)

247

#session.send("gazonk")

248

pass

249

session.bye()

250

251

252

class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):

253

"""IPv6 TCP server. Accepts 'None' as address and/or port.

797

254

Attributes:

798

settings: Server settings

255

options: Command line options

799

256

clients: Set() of Client objects

800

enabled: Boolean; whether this server is activated yet

257

credentials: GnuTLS X.509 credentials

801

258

"""

802

259

address_family = socket.AF_INET6

803

260

def __init__(self, *args, **kwargs):

804

if "settings" in kwargs:

805

self.settings = kwargs["settings"]

806

del kwargs["settings"]

261

if "options" in kwargs:

262

self.options = kwargs["options"]

263

del kwargs["options"]

807

264

if "clients" in kwargs:

808

265

self.clients = kwargs["clients"]

809

266

del kwargs["clients"]

810

if "use_ipv6" in kwargs:

811

if not kwargs["use_ipv6"]:

812

self.address_family = socket.AF_INET

813

del kwargs["use_ipv6"]

814

self.enabled = False

815

super(IPv6_TCPServer, self).__init__(*args, **kwargs)

267

if "credentials" in kwargs:

268

self.credentials = kwargs["credentials"]

269

del kwargs["credentials"]

270

return super(type(self), self).__init__(*args, **kwargs)

816

271

def server_bind(self):

817

272

"""This overrides the normal server_bind() function

818

273

to bind to an interface if one was specified, and also NOT to

819

274

bind to an address or port if they were not specified."""

820

if self.settings["interface"]:

821

# 25 is from /usr/include/asm-i486/socket.h

822

SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)

275

if self.options.interface:

276

if not hasattr(socket, "SO_BINDTODEVICE"):

277

# From /usr/include/asm-i486/socket.h

278

socket.SO_BINDTODEVICE = 25

823

279

try:

824

280

self.socket.setsockopt(socket.SOL_SOCKET,

825

SO_BINDTODEVICE,

826

self.settings["interface"])

281

socket.SO_BINDTODEVICE,

282

self.options.interface)

827

283

except socket.error, error:

828

284

if error[0] == errno.EPERM:

829

logger.error(u"No permission to"

830

u" bind to interface %s",

831

self.settings["interface"])

285

sys.stderr.write(u"Warning: No permission to bind to interface %s\n"

286

% self.options.interface)

832

287

else:

833

raise

288

raise error

834

289

# Only bind(2) the socket if we really need to.

835

290

if self.server_address[0] or self.server_address[1]:

836

291

if not self.server_address[0]:

837

if self.address_family == socket.AF_INET6:

838

any_address = "::" # in6addr_any

839

else:

840

any_address = socket.INADDR_ANY

841

self.server_address = (any_address,

292

in6addr_any = "::"

293

self.server_address = (in6addr_any,

842

294

self.server_address[1])

843

elif not self.server_address[1]:

295

elif self.server_address[1] is None:

844

296

self.server_address = (self.server_address[0],

845

297

846

# if self.settings["interface"]:

847

# self.server_address = (self.server_address[0],

848

# 0, # port

849

# 0, # flowinfo

850

# if_nametoindex

851

# (self.settings

852

# ["interface"]))

853

return super(IPv6_TCPServer, self).server_bind()

854

def server_activate(self):

855

if self.enabled:

856

return super(IPv6_TCPServer, self).server_activate()

857

def enable(self):

858

self.enabled = True

859

def handle_ipc(self, source, condition, file_objects={}):

860

condition_names = {

861

gobject.IO_IN: "IN", # There is data to read.

862

gobject.IO_OUT: "OUT", # Data can be written (without

863

# blocking).

864

gobject.IO_PRI: "PRI", # There is urgent data to read.

865

gobject.IO_ERR: "ERR", # Error condition.

866

gobject.IO_HUP: "HUP" # Hung up (the connection has been

867

# broken, usually for pipes and

868

# sockets).

869

}

870

conditions_string = ' | '.join(name

871

for cond, name in

872

condition_names.iteritems()

873

if cond & condition)

874

logger.debug("Handling IPC: FD = %d, condition = %s", source,

875

conditions_string)

876

877

# Turn the pipe file descriptor into a Python file object

878

if source not in file_objects:

879

file_objects[source] = os.fdopen(source, "r", 1)

880

881

# Read a line from the file object

882

cmdline = file_objects[source].readline()

883

if not cmdline: # Empty line means end of file

884

# close the IPC pipe

885

file_objects[source].close()

886

del file_objects[source]

887

888

# Stop calling this function

889

return False

890

891

logger.debug("IPC command: %r\n" % cmdline)

892

893

# Parse and act on command

894

cmd, args = cmdline.split(None, 1)

895

if cmd == "NOTFOUND":

896

if self.settings["use_dbus"]:

897

# Emit D-Bus signal

898

mandos_dbus_service.ClientNotFound(args)

899

elif cmd == "INVALID":

900

if self.settings["use_dbus"]:

901

for client in self.clients:

902

if client.name == args:

903

# Emit D-Bus signal

904

client.Rejected()

905

break

906

elif cmd == "SENDING":

907

for client in self.clients:

908

if client.name == args:

909

client.checked_ok()

910

if self.settings["use_dbus"]:

911

# Emit D-Bus signal

912

client.ReceivedSecret()

913

break

914

else:

915

logger.error("Unknown IPC command: %r", cmdline)

916

917

# Keep calling this function

918

return True

298

return super(type(self), self).server_bind()

919

299

920

300

921

301

def string_to_delta(interval):

922

302

"""Parse a string and return a datetime.timedelta

923

303

924

304

>>> string_to_delta('7d')

925

305

datetime.timedelta(7)

926

306

>>> string_to_delta('60s')

931

311

datetime.timedelta(1)

932

312

>>> string_to_delta(u'1w')

933

313

datetime.timedelta(7)

934

>>> string_to_delta('5m 30s')

935

datetime.timedelta(0, 330)

936

314

"""

937

timevalue = datetime.timedelta(0)

938

for s in interval.split():

939

try:

940

suffix = unicode(s[-1])

941

value = int(s[:-1])

942

if suffix == u"d":

943

delta = datetime.timedelta(value)

944

elif suffix == u"s":

945

delta = datetime.timedelta(0, value)

946

elif suffix == u"m":

947

delta = datetime.timedelta(0, 0, 0, 0, value)

948

elif suffix == u"h":

949

delta = datetime.timedelta(0, 0, 0, 0, 0, value)

950

elif suffix == u"w":

951

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

952

else:

953

raise ValueError

954

except (ValueError, IndexError):

315

try:

316

suffix=unicode(interval[-1])

317

value=int(interval[:-1])

318

if suffix == u"d":

319

delta = datetime.timedelta(value)

320

elif suffix == u"s":

321

delta = datetime.timedelta(0, value)

322

elif suffix == u"m":

323

delta = datetime.timedelta(0, 0, 0, 0, value)

324

elif suffix == u"h":

325

delta = datetime.timedelta(0, 0, 0, 0, 0, value)

326

elif suffix == u"w":

327

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

328

else:

955

329

raise ValueError

956

timevalue += delta

957

return timevalue

330

except (ValueError, IndexError):

331

raise ValueError

332

return delta

333

334

335

def add_service():

336

"""From the Avahi server example code"""

337

global group, serviceName, serviceType, servicePort, serviceTXT, \

338

domain, host

339

if group is None:

340

group = dbus.Interface(

341

bus.get_object( avahi.DBUS_NAME,

342

server.EntryGroupNew()),

343

avahi.DBUS_INTERFACE_ENTRY_GROUP)

344

group.connect_to_signal('StateChanged',

345

entry_group_state_changed)

346

347

# print "Adding service '%s' of type '%s' ..." % (serviceName,

348

# serviceType)

349

350

group.AddService(

351

serviceInterface, # interface

352

avahi.PROTO_INET6, # protocol

353

dbus.UInt32(0), # flags

354

serviceName, serviceType,

355

domain, host,

356

dbus.UInt16(servicePort),

357

avahi.string_array_to_txt_array(serviceTXT))

358

group.Commit()

359

360

361

def remove_service():

362

"""From the Avahi server example code"""

363

global group

364

365

if not group is None:

366

group.Reset()

958

367

959

368

960

369

def server_state_changed(state):

961

"""Derived from the Avahi example code"""

370

"""From the Avahi server example code"""

962

371

if state == avahi.SERVER_COLLISION:

963

logger.error(u"Zeroconf server name collision")

964

service.remove()

372

print "WARNING: Server name collision"

373

remove_service()

965

374

elif state == avahi.SERVER_RUNNING:

966

service.add()

375

add_service()

967

376

968

377

969

378

def entry_group_state_changed(state, error):

970

"""Derived from the Avahi example code"""

971

logger.debug(u"Avahi state change: %i", state)

379

"""From the Avahi server example code"""

380

global serviceName, server, rename_count

381

382

# print "state change: %i" % state

972

383

973

384

if state == avahi.ENTRY_GROUP_ESTABLISHED:

974

logger.debug(u"Zeroconf service established.")

385

pass

386

# print "Service established."

975

387

elif state == avahi.ENTRY_GROUP_COLLISION:

976

logger.warning(u"Zeroconf service name collision.")

977

service.rename()

388

389

rename_count = rename_count - 1

390

if rename_count > 0:

391

name = server.GetAlternativeServiceName(name)

392

print "WARNING: Service name collision, changing name to '%s' ..." % name

393

remove_service()

394

add_service()

395

396

else:

397

print "ERROR: No suitable service name found after %i retries, exiting." % n_rename

398

main_loop.quit()

978

399

elif state == avahi.ENTRY_GROUP_FAILURE:

979

logger.critical(u"Avahi: Error in group state changed %s",

980

unicode(error))

981

raise AvahiGroupError(u"State changed: %s" % unicode(error))

400

print "Error in group state changed", error

401

main_loop.quit()

402

return

403

982

404

983

405

def if_nametoindex(interface):

984

"""Call the C function if_nametoindex(), or equivalent"""

985

global if_nametoindex

406

"""Call the C function if_nametoindex()"""

986

407

try:

987

if_nametoindex = (ctypes.cdll.LoadLibrary

988

(ctypes.util.find_library("c"))

989

.if_nametoindex)

990

except (OSError, AttributeError):

408

if "ctypes" not in sys.modules:

409

import ctypes

410

libc = ctypes.cdll.LoadLibrary("libc.so.6")

411

return libc.if_nametoindex(interface)

412

except (ImportError, OSError, AttributeError):

991

413

if "struct" not in sys.modules:

992

414

import struct

993

415

if "fcntl" not in sys.modules:

994

416

import fcntl

995

def if_nametoindex(interface):

996

"Get an interface index the hard way, i.e. using fcntl()"

997

SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h

998

with closing(socket.socket()) as s:

999

ifreq = fcntl.ioctl(s, SIOCGIFINDEX,

1000

struct.pack("16s16x", interface))

1001

interface_index = struct.unpack("I", ifreq[16:20])[0]

1002

return interface_index

1003

return if_nametoindex(interface)

1004

1005

1006

def daemon(nochdir = False, noclose = False):

1007

"""See daemon(3). Standard BSD Unix function.

1008

This should really exist as os.daemon, but it doesn't (yet)."""

1009

if os.fork():

1010

sys.exit()

1011

os.setsid()

1012

if not nochdir:

1013

os.chdir("/")

1014

if os.fork():

1015

sys.exit()

1016

if not noclose:

1017

# Close all standard open file descriptors

1018

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

1019

if not stat.S_ISCHR(os.fstat(null).st_mode):

1020

raise OSError(errno.ENODEV,

1021

"/dev/null not a character device")

1022

os.dup2(null, sys.stdin.fileno())

1023

os.dup2(null, sys.stdout.fileno())

1024

os.dup2(null, sys.stderr.fileno())

1025

if null > 2:

1026

os.close(null)

1027

1028

1029

def main():

1030

1031

######################################################################

1032

# Parsing of options, both command line and config file

1033

1034

parser = optparse.OptionParser(version = "%%prog %s" % version)

417

SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h

418

s = socket.socket()

419

ifreq = fcntl.ioctl(s, SIOCGIFINDEX,

420

struct.pack("16s16x", interface))

421

s.close()

422

interface_index = struct.unpack("I", ifreq[16:20])[0]

423

return interface_index

424

425

426

if __name__ == '__main__':

427

parser = OptionParser()

1035

428

parser.add_option("-i", "--interface", type="string",

1036

metavar="IF", help="Bind to interface IF")

1037

parser.add_option("-a", "--address", type="string",

1038

help="Address to listen for requests on")

1039

parser.add_option("-p", "--port", type="int",

429

default=None, metavar="IF",

430

help="Bind to interface IF")

431

parser.add_option("--cert", type="string", default="cert.pem",

432

metavar="FILE",

433

help="Public key certificate PEM file to use")

434

parser.add_option("--key", type="string", default="key.pem",

435

metavar="FILE",

436

help="Private key PEM file to use")

437

parser.add_option("--ca", type="string", default="ca.pem",

438

metavar="FILE",

439

help="Certificate Authority certificate PEM file to use")

440

parser.add_option("--crl", type="string", default="crl.pem",

441

metavar="FILE",

442

help="Certificate Revokation List PEM file to use")

443

parser.add_option("-p", "--port", type="int", default=None,

1040

444

help="Port number to receive requests on")

1041

parser.add_option("--check", action="store_true",

445

parser.add_option("--timeout", type="string", # Parsed later

446

default="1h",

447

help="Amount of downtime allowed for clients")

448

parser.add_option("--interval", type="string", # Parsed later

449

default="5m",

450

help="How often to check that a client is up")

451

parser.add_option("--check", action="store_true", default=False,

1042

452

help="Run self-test")

1043

parser.add_option("--debug", action="store_true",

1044

help="Debug mode; run in foreground and log to"

1045

" terminal")

1046

parser.add_option("--priority", type="string", help="GnuTLS"

1047

" priority string (see GnuTLS documentation)")

1048

parser.add_option("--servicename", type="string", metavar="NAME",

1049

help="Zeroconf service name")

1050

parser.add_option("--configdir", type="string",

1051

default="/etc/mandos", metavar="DIR",

1052

help="Directory to search for configuration"

1053

" files")

1054

parser.add_option("--no-dbus", action="store_false",

1055

dest="use_dbus",

1056

help="Do not provide D-Bus system bus"

1057

" interface")

1058

parser.add_option("--no-ipv6", action="store_false",

1059

dest="use_ipv6", help="Do not use IPv6")

1060

options = parser.parse_args()[0]

453

(options, args) = parser.parse_args()

1061

454

1062

455

if options.check:

1063

456

import doctest

1064

457

doctest.testmod()

1065

458

sys.exit()

1066

459

1067

# Default values for config file for server-global settings

1068

server_defaults = { "interface": "",

1069

"address": "",

1070

"port": "",

1071

"debug": "False",

1072

"priority":

1073

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",

1074

"servicename": "Mandos",

1075

"use_dbus": "True",

1076

"use_ipv6": "True",

1077

}

1078

1079

# Parse config file for server-global settings

1080

server_config = ConfigParser.SafeConfigParser(server_defaults)

1081

del server_defaults

1082

server_config.read(os.path.join(options.configdir, "mandos.conf"))

1083

# Convert the SafeConfigParser object to a dict

1084

server_settings = server_config.defaults()

1085

# Use the appropriate methods on the non-string config options

1086

server_settings["debug"] = server_config.getboolean("DEFAULT",

1087

"debug")

1088

server_settings["use_dbus"] = server_config.getboolean("DEFAULT",

1089

"use_dbus")

1090

server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",

1091

"use_ipv6")

1092

if server_settings["port"]:

1093

server_settings["port"] = server_config.getint("DEFAULT",

1094

"port")

1095

del server_config

1096

1097

# Override the settings from the config file with command line

1098

# options, if set.

1099

for option in ("interface", "address", "port", "debug",

1100

"priority", "servicename", "configdir",

1101

"use_dbus", "use_ipv6"):

1102

value = getattr(options, option)

1103

if value is not None:

1104

server_settings[option] = value

1105

del options

1106

# Now we have our good server settings in "server_settings"

1107

1108

##################################################################

1109

1110

# For convenience

1111

debug = server_settings["debug"]

1112

use_dbus = server_settings["use_dbus"]

1113

use_ipv6 = server_settings["use_ipv6"]

1114

1115

if not debug:

1116

syslogger.setLevel(logging.WARNING)

1117

console.setLevel(logging.WARNING)

1118

1119

if server_settings["servicename"] != "Mandos":

1120

syslogger.setFormatter(logging.Formatter

1121

('Mandos (%s) [%%(process)d]:'

1122

' %%(levelname)s: %%(message)s'

1123

% server_settings["servicename"]))

1124

1125

# Parse config file with clients

1126

client_defaults = { "timeout": "1h",

1127

"interval": "5m",

1128

"checker": "fping -q -- %%(host)s",

1129

"host": "",

1130

}

1131

client_config = ConfigParser.SafeConfigParser(client_defaults)

1132

client_config.read(os.path.join(server_settings["configdir"],

1133

"clients.conf"))

1134

1135

global mandos_dbus_service

1136

mandos_dbus_service = None

1137

1138

clients = Set()

1139

tcp_server = IPv6_TCPServer((server_settings["address"],

1140

server_settings["port"]),

1141

TCP_handler,

1142

settings=server_settings,

1143

clients=clients, use_ipv6=use_ipv6)

1144

pidfilename = "/var/run/mandos.pid"

1145

try:

1146

pidfile = open(pidfilename, "w")

1147

except IOError:

1148

logger.error("Could not open file %r", pidfilename)

1149

1150

try:

1151

uid = pwd.getpwnam("_mandos").pw_uid

1152

gid = pwd.getpwnam("_mandos").pw_gid

1153

except KeyError:

1154

try:

1155

uid = pwd.getpwnam("mandos").pw_uid

1156

gid = pwd.getpwnam("mandos").pw_gid

1157

except KeyError:

1158

try:

1159

uid = pwd.getpwnam("nobody").pw_uid

1160

gid = pwd.getpwnam("nogroup").pw_gid

1161

except KeyError:

1162

uid = 65534

1163

gid = 65534

1164

try:

1165

os.setgid(gid)

1166

os.setuid(uid)

1167

except OSError, error:

1168

if error[0] != errno.EPERM:

1169

raise error

1170

1171

# Enable all possible GnuTLS debugging

1172

if debug:

1173

# "Use a log level over 10 to enable all debugging options."

1174

# - GnuTLS manual

1175

gnutls.library.functions.gnutls_global_set_log_level(11)

1176

1177

@gnutls.library.types.gnutls_log_func

1178

def debug_gnutls(level, string):

1179

logger.debug("GnuTLS: %s", string[:-1])

1180

1181

(gnutls.library.functions

1182

.gnutls_global_set_log_function(debug_gnutls))

1183

1184

global service

1185

protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET

1186

service = AvahiService(name = server_settings["servicename"],

1187

servicetype = "_mandos._tcp",

1188

protocol = protocol)

1189

if server_settings["interface"]:

1190

service.interface = (if_nametoindex

1191

(server_settings["interface"]))

1192

1193

global main_loop

1194

global bus

1195

global server

1196

# From the Avahi example code

460

# Parse the time arguments

461

try:

462

options.timeout = string_to_delta(options.timeout)

463

except ValueError:

464

parser.error("option --timeout: Unparseable time")

465

try:

466

options.interval = string_to_delta(options.interval)

467

except ValueError:

468

parser.error("option --interval: Unparseable time")

469

470

cert = gnutls.crypto.X509Certificate(open(options.cert).read())

471

key = gnutls.crypto.X509PrivateKey(open(options.key).read())

472

ca = gnutls.crypto.X509Certificate(open(options.ca).read())

473

crl = gnutls.crypto.X509CRL(open(options.crl).read())

474

cred = gnutls.connection.X509Credentials(cert, key, [ca], [crl])

475

476

# Parse config file

477

defaults = {}

478

client_config = ConfigParser.SafeConfigParser(defaults)

479

#client_config.readfp(open("secrets.conf"), "secrets.conf")

480

client_config.read("mandos-clients.conf")

481

482

# From the Avahi server example code

1197

483

DBusGMainLoop(set_as_default=True )

1198

484

main_loop = gobject.MainLoop()

1199

485

bus = dbus.SystemBus()

1200

server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,

1201

avahi.DBUS_PATH_SERVER),

1202

avahi.DBUS_INTERFACE_SERVER)

486

server = dbus.Interface(

487

bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),

488

avahi.DBUS_INTERFACE_SERVER )

1203

489

# End of Avahi example code

1204

if use_dbus:

1205

bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)

1206

1207

clients.update(Set(Client(name = section,

1208

config

1209

= dict(client_config.items(section)),

1210

use_dbus = use_dbus)

490

491

clients = Set()

492

def remove_from_clients(client):

493

clients.remove(client)

494

if not clients:

495

print "No clients left, exiting"

496

main_loop.quit()

497

498

clients.update(Set(Client(name=section, options=options,

499

stop_hook = remove_from_clients,

500

**(dict(client_config\

501

.items(section))))

1211

502

for section in client_config.sections()))

1212

if not clients:

1213

logger.warning(u"No clients defined")

1214

1215

if debug:

1216

# Redirect stdin so all checkers get /dev/null

1217

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

1218

os.dup2(null, sys.stdin.fileno())

1219

if null > 2:

1220

os.close(null)

1221

else:

1222

# No console logging

1223

logger.removeHandler(console)

1224

# Close all input and output, do double fork, etc.

1225

daemon()

1226

1227

try:

1228

with closing(pidfile):

1229

pid = os.getpid()

1230

pidfile.write(str(pid) + "\n")

1231

del pidfile

1232

except IOError:

1233

logger.error(u"Could not write to file %r with PID %d",

1234

pidfilename, pid)

1235

except NameError:

1236

# "pidfile" was never created

1237

pass

1238

del pidfilename

1239

1240

def cleanup():

1241

"Cleanup function; run on exit"

1242

global group

1243

# From the Avahi example code

1244

if not group is None:

1245

group.Free()

1246

group = None

1247

# End of Avahi example code

1248

1249

while clients:

1250

client = clients.pop()

1251

client.disable_hook = None

1252

client.disable()

1253

1254

atexit.register(cleanup)

1255

1256

if not debug:

1257

signal.signal(signal.SIGINT, signal.SIG_IGN)

1258

signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())

1259

signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())

1260

1261

if use_dbus:

1262

class MandosDBusService(dbus.service.Object):

1263

"""A D-Bus proxy object"""

1264

def __init__(self):

1265

dbus.service.Object.__init__(self, bus, "/")

1266

_interface = u"se.bsnet.fukt.Mandos"

1267

1268

@dbus.service.signal(_interface, signature="oa{sv}")

1269

def ClientAdded(self, objpath, properties):

1270

"D-Bus signal"

1271

pass

1272

1273

@dbus.service.signal(_interface, signature="s")

1274

def ClientNotFound(self, fingerprint):

1275

"D-Bus signal"

1276

pass

1277

1278

@dbus.service.signal(_interface, signature="os")

1279

def ClientRemoved(self, objpath, name):

1280

"D-Bus signal"

1281

pass

1282

1283

@dbus.service.method(_interface, out_signature="ao")

1284

def GetAllClients(self):

1285

"D-Bus method"

1286

return dbus.Array(c.dbus_object_path for c in clients)

1287

1288

@dbus.service.method(_interface, out_signature="a{oa{sv}}")

1289

def GetAllClientsWithProperties(self):

1290

"D-Bus method"

1291

return dbus.Dictionary(

1292

((c.dbus_object_path, c.GetAllProperties())

1293

for c in clients),

1294

signature="oa{sv}")

1295

1296

@dbus.service.method(_interface, in_signature="o")

1297

def RemoveClient(self, object_path):

1298

"D-Bus method"

1299

for c in clients:

1300

if c.dbus_object_path == object_path:

1301

clients.remove(c)

1302

# Don't signal anything except ClientRemoved

1303

c.use_dbus = False

1304

c.disable()

1305

# Emit D-Bus signal

1306

self.ClientRemoved(object_path, c.name)

1307

return

1308

raise KeyError

1309

1310

del _interface

1311

1312

mandos_dbus_service = MandosDBusService()

1313

1314

503

for client in clients:

1315

if use_dbus:

1316

# Emit D-Bus signal

1317

mandos_dbus_service.ClientAdded(client.dbus_object_path,

1318

client.GetAllProperties())

1319

client.enable()

1320

1321

tcp_server.enable()

1322

tcp_server.server_activate()

1323

1324

# Find out what port we got

1325

service.port = tcp_server.socket.getsockname()[1]

1326

if use_ipv6:

1327

logger.info(u"Now listening on address %r, port %d,"

1328

" flowinfo %d, scope_id %d"

1329

% tcp_server.socket.getsockname())

1330

else: # IPv4

1331

logger.info(u"Now listening on address %r, port %d"

1332

% tcp_server.socket.getsockname())

1333

1334

#service.interface = tcp_server.socket.getsockname()[3]

1335

504

client.start()

505

506

tcp_server = IPv6_TCPServer((None, options.port),

507

tcp_handler,

508

options=options,

509

clients=clients,

510

credentials=cred)

511

# Find out what random port we got

512

servicePort = tcp_server.socket.getsockname()[1]

513

#sys.stderr.write("Now listening on port %d\n" % servicePort)

514

515

if options.interface is not None:

516

serviceInterface = if_nametoindex(options.interface)

517

518

# From the Avahi server example code

519

server.connect_to_signal("StateChanged", server_state_changed)

520

server_state_changed(server.GetState())

521

# End of Avahi example code

522

523

gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,

524

lambda *args, **kwargs:

525

tcp_server.handle_request(*args[2:],

526

**kwargs) or True)

1336

527

try:

1337

# From the Avahi example code

1338

server.connect_to_signal("StateChanged", server_state_changed)

1339

try:

1340

server_state_changed(server.GetState())

1341

except dbus.exceptions.DBusException, error:

1342

logger.critical(u"DBusException: %s", error)

1343

sys.exit(1)

1344

# End of Avahi example code

1345

1346

gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,

1347

lambda *args, **kwargs:

1348

(tcp_server.handle_request

1349

(*args[2:], **kwargs) or True))

1350

1351

logger.debug(u"Starting main loop")

1352

528

main_loop.run()

1353

except AvahiError, error:

1354

logger.critical(u"AvahiError: %s", error)

1355

sys.exit(1)

1356

529

except KeyboardInterrupt:

1357

if debug:

1358

print >> sys.stderr

1359

logger.debug("Server received KeyboardInterrupt")

1360

logger.debug("Server exiting")

530

531

532

# Cleanup here

1361

533

1362

if __name__ == '__main__':

1363

main()

534

# From the Avahi server example code

535

if not group is None:

536

group.Free()

537

# End of Avahi example code

538

539

for client in clients:

540

client.stop_hook = None

541

client.stop()

Older »