To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 234
- compare with another revision
- download diff
- download tarball
- view history from revision 234
- Committer: Teddy Hogeborn
- Date: 2008-10-18 11:17:22 UTC
- Revision ID: teddy@fukt.bsnet.se-20081018111722-jtbz35c031lxuuc9
* debian/mandos-client.docs (NEWS): Added.
* debian/mandos.docs (NEWS): - '' -
* debian/mandos.docs (NEWS): - '' -
- files added:
- debian/mandos-client.config
- files removed:
- debian/watch
- files modified:
- INSTALL
added
removed
mandos
11
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008 Teddy Hogeborn & Björn Påhlsson
16
15
#
17
16
# This program is free software: you can redistribute it and/or modify
18
17
# it under the terms of the GNU General Public License as published by
31
30
# Contact the authors at <mandos@fukt.bsnet.se>.
32
31
#
33
32
34
from __future__ import division, with_statement, absolute_import
33
from __future__ import division
35
34
36
import SocketServer as socketserver
35
import SocketServer
37
36
import socket
38
import optparse
37
from optparse import OptionParser
39
38
import datetime
40
39
import errno
41
40
import gnutls.crypto
44
43
import gnutls.library.functions
45
44
import gnutls.library.constants
46
45
import gnutls.library.types
47
import ConfigParser as configparser
46
import ConfigParser
48
47
import sys
49
48
import re
50
49
import os
51
50
import signal
51
from sets import Set
52
52
import subprocess
53
53
import atexit
54
54
import stat
55
55
import logging
56
56
import logging.handlers
57
57
import pwd
58
from contextlib import closing
59
import struct
60
import fcntl
61
58
62
59
import dbus
63
import dbus.service
64
60
import gobject
65
61
import avahi
66
62
from dbus.mainloop.glib import DBusGMainLoop
67
63
import ctypes
68
64
import ctypes.util
69
65
70
try:
71
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
72
except AttributeError:
73
try:
74
from IN import SO_BINDTODEVICE
75
except ImportError:
76
# From /usr/include/asm/socket.h
77
SO_BINDTODEVICE = 25
78
79
80
version = "1.0.8"
81
82
logger = logging.Logger(u'mandos')
83
syslogger = (logging.handlers.SysLogHandler
84
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
66
version = "1.0.2"
67
68
logger = logging.Logger('mandos')
69
syslogger = logging.handlers.SysLogHandler\
70
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
71
address = "/dev/log")
72
syslogger.setFormatter(logging.Formatter\
73
('Mandos: %(levelname)s: %(message)s'))
89
74
logger.addHandler(syslogger)
90
75
91
76
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
77
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
78
' %(message)s'))
95
79
logger.addHandler(console)
96
80
97
81
class AvahiError(Exception):
98
def __init__(self, value, *args, **kwargs):
82
def __init__(self, value):
99
83
self.value = value
100
super(AvahiError, self).__init__(value, *args, **kwargs)
101
def __unicode__(self):
102
return unicode(repr(self.value))
84
super(AvahiError, self).__init__()
85
def __str__(self):
86
return repr(self.value)
103
87
104
88
class AvahiServiceError(AvahiError):
105
89
pass
110
94
111
95
class AvahiService(object):
112
96
"""An Avahi (Zeroconf) service.
113
114
97
Attributes:
115
98
interface: integer; avahi.IF_UNSPEC or an interface index.
116
99
Used to optionally bind to the specified interface.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
100
name: string; Example: 'Mandos'
101
type: string; Example: '_mandos._tcp'.
119
102
See <http://www.dns-sd.org/ServiceTypes.html>
120
103
port: integer; what port to announce
121
104
TXT: list of strings; TXT record for the service
126
109
a sensible number of times
127
110
"""
128
111
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
129
servicetype = None, port = None, TXT = None,
130
domain = u"", host = u"", max_renames = 32768,
131
protocol = avahi.PROTO_UNSPEC):
112
servicetype = None, port = None, TXT = None, domain = "",
113
host = "", max_renames = 32768):
132
114
self.interface = interface
133
115
self.name = name
134
116
self.type = servicetype
135
117
self.port = port
136
self.TXT = TXT if TXT is not None else []
118
if TXT is None:
119
self.TXT = []
120
else:
121
self.TXT = TXT
137
122
self.domain = domain
138
123
self.host = host
139
124
self.rename_count = 0
140
125
self.max_renames = max_renames
141
self.protocol = protocol
142
126
def rename(self):
143
127
"""Derived from the Avahi example code"""
144
128
if self.rename_count >= self.max_renames:
145
129
logger.critical(u"No suitable Zeroconf service name found"
146
130
u" after %i retries, exiting.",
147
131
self.rename_count)
148
raise AvahiServiceError(u"Too many renames")
132
raise AvahiServiceError("Too many renames")
149
133
self.name = server.GetAlternativeServiceName(self.name)
150
134
logger.info(u"Changing Zeroconf service name to %r ...",
151
self.name)
152
syslogger.setFormatter(logging.Formatter
153
(u'Mandos (%s) [%%(process)d]:'
154
u' %%(levelname)s: %%(message)s'
155
% self.name))
135
str(self.name))
136
syslogger.setFormatter(logging.Formatter\
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
156
139
self.remove()
157
140
self.add()
158
141
self.rename_count += 1
164
147
"""Derived from the Avahi example code"""
165
148
global group
166
149
if group is None:
167
group = dbus.Interface(bus.get_object
168
(avahi.DBUS_NAME,
150
group = dbus.Interface\
151
(bus.get_object(avahi.DBUS_NAME,
169
152
server.EntryGroupNew()),
170
avahi.DBUS_INTERFACE_ENTRY_GROUP)
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
171
154
group.connect_to_signal('StateChanged',
172
155
entry_group_state_changed)
173
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
174
157
service.name, service.type)
175
158
group.AddService(
176
159
self.interface, # interface
177
self.protocol, # protocol
160
avahi.PROTO_INET6, # protocol
178
161
dbus.UInt32(0), # flags
179
162
self.name, self.type,
180
163
self.domain, self.host,
187
170
# End of Avahi example code
188
171
189
172
190
def _datetime_to_dbus(dt, variant_level=0):
191
"""Convert a UTC datetime.datetime() to a D-Bus type."""
192
return dbus.String(dt.isoformat(), variant_level=variant_level)
193
194
195
173
class Client(object):
196
174
"""A representation of a client host served by this server.
197
198
175
Attributes:
199
name: string; from the config file, used in log messages and
200
D-Bus identifiers
176
name: string; from the config file, used in log messages
201
177
fingerprint: string (40 or 32 hexadecimal digits); used to
202
178
uniquely identify the client
203
secret: bytestring; sent verbatim (over TLS) to client
204
host: string; available for use by the checker command
205
created: datetime.datetime(); (UTC) object creation
206
last_enabled: datetime.datetime(); (UTC)
207
enabled: bool()
208
last_checked_ok: datetime.datetime(); (UTC) or None
209
timeout: datetime.timedelta(); How long from last_checked_ok
210
until this client is invalid
211
interval: datetime.timedelta(); How often to start a new checker
212
disable_hook: If set, called by disable() as disable_hook(self)
213
checker: subprocess.Popen(); a running checker process used
214
to see if the client lives.
215
'None' if no process is running.
179
secret: bytestring; sent verbatim (over TLS) to client
180
host: string; available for use by the checker command
181
created: datetime.datetime(); object creation, not client host
182
last_checked_ok: datetime.datetime() or None if not yet checked OK
183
timeout: datetime.timedelta(); How long from last_checked_ok
184
until this client is invalid
185
interval: datetime.timedelta(); How often to start a new checker
186
stop_hook: If set, called by stop() as stop_hook(self)
187
checker: subprocess.Popen(); a running checker process used
188
to see if the client lives.
189
'None' if no process is running.
216
190
checker_initiator_tag: a gobject event source tag, or None
217
disable_initiator_tag: - '' -
191
stop_initiator_tag: - '' -
218
192
checker_callback_tag: - '' -
219
193
checker_command: string; External command which is run to check if
220
194
client lives. %() expansions are done at
221
195
runtime with vars(self) as dict, so that for
222
196
instance %(name)s can be used in the command.
223
current_checker_command: string; current running checker_command
197
Private attibutes:
198
_timeout: Real variable for 'timeout'
199
_interval: Real variable for 'interval'
200
_timeout_milliseconds: Used when calling gobject.timeout_add()
201
_interval_milliseconds: - '' -
224
202
"""
225
226
@staticmethod
227
def _datetime_to_milliseconds(dt):
228
"Convert a datetime.datetime() to milliseconds"
229
return ((dt.days * 24 * 60 * 60 * 1000)
230
+ (dt.seconds * 1000)
231
+ (dt.microseconds // 1000))
232
233
def timeout_milliseconds(self):
234
"Return the 'timeout' attribute in milliseconds"
235
return self._datetime_to_milliseconds(self.timeout)
236
237
def interval_milliseconds(self):
238
"Return the 'interval' attribute in milliseconds"
239
return self._datetime_to_milliseconds(self.interval)
240
241
def __init__(self, name = None, disable_hook=None, config=None):
203
def _set_timeout(self, timeout):
204
"Setter function for 'timeout' attribute"
205
self._timeout = timeout
206
self._timeout_milliseconds = ((self.timeout.days
207
* 24 * 60 * 60 * 1000)
208
+ (self.timeout.seconds * 1000)
209
+ (self.timeout.microseconds
210
// 1000))
211
timeout = property(lambda self: self._timeout,
212
_set_timeout)
213
del _set_timeout
214
def _set_interval(self, interval):
215
"Setter function for 'interval' attribute"
216
self._interval = interval
217
self._interval_milliseconds = ((self.interval.days
218
* 24 * 60 * 60 * 1000)
219
+ (self.interval.seconds
220
* 1000)
221
+ (self.interval.microseconds
222
// 1000))
223
interval = property(lambda self: self._interval,
224
_set_interval)
225
del _set_interval
226
def __init__(self, name = None, stop_hook=None, config=None):
242
227
"""Note: the 'checker' key in 'config' sets the
243
228
'checker_command' attribute and *not* the 'checker'
244
229
attribute."""
245
self.name = name
246
230
if config is None:
247
231
config = {}
232
self.name = name
248
233
logger.debug(u"Creating client %r", self.name)
249
234
# Uppercase and remove spaces from fingerprint for later
250
235
# comparison purposes with return value from the fingerprint()
251
236
# function
252
self.fingerprint = (config[u"fingerprint"].upper()
253
.replace(u" ", u""))
237
self.fingerprint = config["fingerprint"].upper()\
238
.replace(u" ", u"")
254
239
logger.debug(u" Fingerprint: %s", self.fingerprint)
255
if u"secret" in config:
256
self.secret = config[u"secret"].decode(u"base64")
257
elif u"secfile" in config:
258
with closing(open(os.path.expanduser
259
(os.path.expandvars
260
(config[u"secfile"])))) as secfile:
261
self.secret = secfile.read()
240
if "secret" in config:
241
self.secret = config["secret"].decode(u"base64")
242
elif "secfile" in config:
243
secfile = open(os.path.expanduser(os.path.expandvars
244
(config["secfile"])))
245
self.secret = secfile.read()
246
secfile.close()
262
247
else:
263
248
raise TypeError(u"No secret or secfile for client %s"
264
249
% self.name)
265
self.host = config.get(u"host", u"")
266
self.created = datetime.datetime.utcnow()
267
self.enabled = False
268
self.last_enabled = None
250
self.host = config.get("host", "")
251
self.created = datetime.datetime.now()
269
252
self.last_checked_ok = None
270
self.timeout = string_to_delta(config[u"timeout"])
271
self.interval = string_to_delta(config[u"interval"])
272
self.disable_hook = disable_hook
253
self.timeout = string_to_delta(config["timeout"])
254
self.interval = string_to_delta(config["interval"])
255
self.stop_hook = stop_hook
273
256
self.checker = None
274
257
self.checker_initiator_tag = None
275
self.disable_initiator_tag = None
258
self.stop_initiator_tag = None
276
259
self.checker_callback_tag = None
277
self.checker_command = config[u"checker"]
278
self.current_checker_command = None
279
self.last_connect = None
280
281
def enable(self):
260
self.check_command = config["checker"]
261
def start(self):
282
262
"""Start this client's checker and timeout hooks"""
283
self.last_enabled = datetime.datetime.utcnow()
284
263
# Schedule a new checker to be started an 'interval' from now,
285
264
# and every interval from then on.
286
self.checker_initiator_tag = (gobject.timeout_add
287
(self.interval_milliseconds(),
288
self.start_checker))
265
self.checker_initiator_tag = gobject.timeout_add\
266
(self._interval_milliseconds,
267
self.start_checker)
289
268
# Also start a new checker *right now*.
290
269
self.start_checker()
291
# Schedule a disable() when 'timeout' has passed
292
self.disable_initiator_tag = (gobject.timeout_add
293
(self.timeout_milliseconds(),
294
self.disable))
295
self.enabled = True
296
297
def disable(self):
298
"""Disable this client."""
299
if not getattr(self, "enabled", False):
270
# Schedule a stop() when 'timeout' has passed
271
self.stop_initiator_tag = gobject.timeout_add\
272
(self._timeout_milliseconds,
273
self.stop)
274
def stop(self):
275
"""Stop this client.
276
The possibility that a client might be restarted is left open,
277
but not currently used."""
278
# If this client doesn't have a secret, it is already stopped.
279
if hasattr(self, "secret") and self.secret:
280
logger.info(u"Stopping client %s", self.name)
281
self.secret = None
282
else:
300
283
return False
301
logger.info(u"Disabling client %s", self.name)
302
if getattr(self, u"disable_initiator_tag", False):
303
gobject.source_remove(self.disable_initiator_tag)
304
self.disable_initiator_tag = None
305
if getattr(self, u"checker_initiator_tag", False):
284
if getattr(self, "stop_initiator_tag", False):
285
gobject.source_remove(self.stop_initiator_tag)
286
self.stop_initiator_tag = None
287
if getattr(self, "checker_initiator_tag", False):
306
288
gobject.source_remove(self.checker_initiator_tag)
307
289
self.checker_initiator_tag = None
308
290
self.stop_checker()
309
if self.disable_hook:
310
self.disable_hook(self)
311
self.enabled = False
291
if self.stop_hook:
292
self.stop_hook(self)
312
293
# Do not run this again if called by a gobject.timeout_add
313
294
return False
314
315
295
def __del__(self):
316
self.disable_hook = None
317
self.disable()
318
319
def checker_callback(self, pid, condition, command):
296
self.stop_hook = None
297
self.stop()
298
def checker_callback(self, pid, condition):
320
299
"""The checker has completed, so take appropriate actions."""
300
now = datetime.datetime.now()
321
301
self.checker_callback_tag = None
322
302
self.checker = None
323
if os.WIFEXITED(condition):
324
exitstatus = os.WEXITSTATUS(condition)
325
if exitstatus == 0:
326
logger.info(u"Checker for %(name)s succeeded",
327
vars(self))
328
self.checked_ok()
329
else:
330
logger.info(u"Checker for %(name)s failed",
331
vars(self))
332
else:
303
if os.WIFEXITED(condition) \
304
and (os.WEXITSTATUS(condition) == 0):
305
logger.info(u"Checker for %(name)s succeeded",
306
vars(self))
307
self.last_checked_ok = now
308
gobject.source_remove(self.stop_initiator_tag)
309
self.stop_initiator_tag = gobject.timeout_add\
310
(self._timeout_milliseconds,
311
self.stop)
312
elif not os.WIFEXITED(condition):
333
313
logger.warning(u"Checker for %(name)s crashed?",
334
314
vars(self))
335
336
def checked_ok(self):
337
"""Bump up the timeout for this client.
338
339
This should only be called when the client has been seen,
340
alive and well.
341
"""
342
self.last_checked_ok = datetime.datetime.utcnow()
343
gobject.source_remove(self.disable_initiator_tag)
344
self.disable_initiator_tag = (gobject.timeout_add
345
(self.timeout_milliseconds(),
346
self.disable))
347
315
else:
316
logger.info(u"Checker for %(name)s failed",
317
vars(self))
348
318
def start_checker(self):
349
319
"""Start a new checker subprocess if one is not running.
350
351
320
If a checker already exists, leave it running and do
352
321
nothing."""
353
322
# The reason for not killing a running checker is that if we
358
327
# checkers alone, the checker would have to take more time
359
328
# than 'timeout' for the client to be declared invalid, which
360
329
# is as it should be.
361
362
# If a checker exists, make sure it is not a zombie
363
if self.checker is not None:
364
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
365
if pid:
366
logger.warning(u"Checker was a zombie")
367
gobject.source_remove(self.checker_callback_tag)
368
self.checker_callback(pid, status,
369
self.current_checker_command)
370
# Start a new checker if needed
371
330
if self.checker is None:
372
331
try:
373
# In case checker_command has exactly one % operator
374
command = self.checker_command % self.host
332
# In case check_command has exactly one % operator
333
command = self.check_command % self.host
375
334
except TypeError:
376
335
# Escape attributes for the shell
377
escaped_attrs = dict((key,
378
re.escape(unicode(str(val),
379
errors=
380
u'replace')))
336
escaped_attrs = dict((key, re.escape(str(val)))
381
337
for key, val in
382
338
vars(self).iteritems())
383
339
try:
384
command = self.checker_command % escaped_attrs
340
command = self.check_command % escaped_attrs
385
341
except TypeError, error:
386
342
logger.error(u'Could not format string "%s":'
387
u' %s', self.checker_command, error)
343
u' %s', self.check_command, error)
388
344
return True # Try again later
389
self.current_checker_command = command
390
345
try:
391
346
logger.info(u"Starting checker %r for %s",
392
347
command, self.name)
396
351
# always replaced by /dev/null.)
397
352
self.checker = subprocess.Popen(command,
398
353
close_fds=True,
399
shell=True, cwd=u"/")
400
self.checker_callback_tag = (gobject.child_watch_add
401
(self.checker.pid,
402
self.checker_callback,
403
data=command))
404
# The checker may have completed before the gobject
405
# watch was added. Check for this.
406
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
407
if pid:
408
gobject.source_remove(self.checker_callback_tag)
409
self.checker_callback(pid, status, command)
354
shell=True, cwd="/")
355
self.checker_callback_tag = gobject.child_watch_add\
356
(self.checker.pid,
357
self.checker_callback)
410
358
except OSError, error:
411
359
logger.error(u"Failed to start subprocess: %s",
412
360
error)
413
361
# Re-run this periodically if run by gobject.timeout_add
414
362
return True
415
416
363
def stop_checker(self):
417
364
"""Force the checker process, if any, to stop."""
418
365
if self.checker_callback_tag:
419
366
gobject.source_remove(self.checker_callback_tag)
420
367
self.checker_callback_tag = None
421
if getattr(self, u"checker", None) is None:
368
if getattr(self, "checker", None) is None:
422
369
return
423
370
logger.debug(u"Stopping checker for %(name)s", vars(self))
424
371
try:
430
377
if error.errno != errno.ESRCH: # No such process
431
378
raise
432
379
self.checker = None
433
434
380
def still_valid(self):
435
381
"""Has the timeout not yet passed for this client?"""
436
if not getattr(self, u"enabled", False):
437
return False
438
now = datetime.datetime.utcnow()
382
now = datetime.datetime.now()
439
383
if self.last_checked_ok is None:
440
384
return now < (self.created + self.timeout)
441
385
else:
442
386
return now < (self.last_checked_ok + self.timeout)
443
387
444
388
445
class ClientDBus(Client, dbus.service.Object):
446
"""A Client class using D-Bus
447
448
Attributes:
449
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
450
"""
451
# dbus.service.Object doesn't use super(), so we can't either.
452
453
def __init__(self, *args, **kwargs):
454
Client.__init__(self, *args, **kwargs)
455
# Only now, when this client is initialized, can it show up on
456
# the D-Bus
457
self.dbus_object_path = (dbus.ObjectPath
458
(u"/clients/"
459
+ self.name.replace(u".", u"_")))
460
dbus.service.Object.__init__(self, bus,
461
self.dbus_object_path)
462
def enable(self):
463
oldstate = getattr(self, u"enabled", False)
464
r = Client.enable(self)
465
if oldstate != self.enabled:
466
# Emit D-Bus signals
467
self.PropertyChanged(dbus.String(u"enabled"),
468
dbus.Boolean(True, variant_level=1))
469
self.PropertyChanged(dbus.String(u"last_enabled"),
470
(_datetime_to_dbus(self.last_enabled,
471
variant_level=1)))
472
return r
473
474
def disable(self, signal = True):
475
oldstate = getattr(self, u"enabled", False)
476
r = Client.disable(self)
477
if signal and oldstate != self.enabled:
478
# Emit D-Bus signal
479
self.PropertyChanged(dbus.String(u"enabled"),
480
dbus.Boolean(False, variant_level=1))
481
return r
482
483
def __del__(self, *args, **kwargs):
484
try:
485
self.remove_from_connection()
486
except LookupError:
487
pass
488
if hasattr(dbus.service.Object, u"__del__"):
489
dbus.service.Object.__del__(self, *args, **kwargs)
490
Client.__del__(self, *args, **kwargs)
491
492
def checker_callback(self, pid, condition, command,
493
*args, **kwargs):
494
self.checker_callback_tag = None
495
self.checker = None
496
# Emit D-Bus signal
497
self.PropertyChanged(dbus.String(u"checker_running"),
498
dbus.Boolean(False, variant_level=1))
499
if os.WIFEXITED(condition):
500
exitstatus = os.WEXITSTATUS(condition)
501
# Emit D-Bus signal
502
self.CheckerCompleted(dbus.Int16(exitstatus),
503
dbus.Int64(condition),
504
dbus.String(command))
505
else:
506
# Emit D-Bus signal
507
self.CheckerCompleted(dbus.Int16(-1),
508
dbus.Int64(condition),
509
dbus.String(command))
510
511
return Client.checker_callback(self, pid, condition, command,
512
*args, **kwargs)
513
514
def checked_ok(self, *args, **kwargs):
515
r = Client.checked_ok(self, *args, **kwargs)
516
# Emit D-Bus signal
517
self.PropertyChanged(
518
dbus.String(u"last_checked_ok"),
519
(_datetime_to_dbus(self.last_checked_ok,
520
variant_level=1)))
521
return r
522
523
def start_checker(self, *args, **kwargs):
524
old_checker = self.checker
525
if self.checker is not None:
526
old_checker_pid = self.checker.pid
527
else:
528
old_checker_pid = None
529
r = Client.start_checker(self, *args, **kwargs)
530
# Only if new checker process was started
531
if (self.checker is not None
532
and old_checker_pid != self.checker.pid):
533
# Emit D-Bus signal
534
self.CheckerStarted(self.current_checker_command)
535
self.PropertyChanged(
536
dbus.String(u"checker_running"),
537
dbus.Boolean(True, variant_level=1))
538
return r
539
540
def stop_checker(self, *args, **kwargs):
541
old_checker = getattr(self, u"checker", None)
542
r = Client.stop_checker(self, *args, **kwargs)
543
if (old_checker is not None
544
and getattr(self, u"checker", None) is None):
545
self.PropertyChanged(dbus.String(u"checker_running"),
546
dbus.Boolean(False, variant_level=1))
547
return r
548
549
## D-Bus methods & signals
550
_interface = u"se.bsnet.fukt.Mandos.Client"
551
552
# CheckedOK - method
553
@dbus.service.method(_interface)
554
def CheckedOK(self):
555
return self.checked_ok()
556
557
# CheckerCompleted - signal
558
@dbus.service.signal(_interface, signature=u"nxs")
559
def CheckerCompleted(self, exitcode, waitstatus, command):
560
"D-Bus signal"
561
pass
562
563
# CheckerStarted - signal
564
@dbus.service.signal(_interface, signature=u"s")
565
def CheckerStarted(self, command):
566
"D-Bus signal"
567
pass
568
569
# GetAllProperties - method
570
@dbus.service.method(_interface, out_signature=u"a{sv}")
571
def GetAllProperties(self):
572
"D-Bus method"
573
return dbus.Dictionary({
574
dbus.String(u"name"):
575
dbus.String(self.name, variant_level=1),
576
dbus.String(u"fingerprint"):
577
dbus.String(self.fingerprint, variant_level=1),
578
dbus.String(u"host"):
579
dbus.String(self.host, variant_level=1),
580
dbus.String(u"created"):
581
_datetime_to_dbus(self.created, variant_level=1),
582
dbus.String(u"last_enabled"):
583
(_datetime_to_dbus(self.last_enabled,
584
variant_level=1)
585
if self.last_enabled is not None
586
else dbus.Boolean(False, variant_level=1)),
587
dbus.String(u"enabled"):
588
dbus.Boolean(self.enabled, variant_level=1),
589
dbus.String(u"last_checked_ok"):
590
(_datetime_to_dbus(self.last_checked_ok,
591
variant_level=1)
592
if self.last_checked_ok is not None
593
else dbus.Boolean (False, variant_level=1)),
594
dbus.String(u"timeout"):
595
dbus.UInt64(self.timeout_milliseconds(),
596
variant_level=1),
597
dbus.String(u"interval"):
598
dbus.UInt64(self.interval_milliseconds(),
599
variant_level=1),
600
dbus.String(u"checker"):
601
dbus.String(self.checker_command,
602
variant_level=1),
603
dbus.String(u"checker_running"):
604
dbus.Boolean(self.checker is not None,
605
variant_level=1),
606
dbus.String(u"object_path"):
607
dbus.ObjectPath(self.dbus_object_path,
608
variant_level=1)
609
}, signature=u"sv")
610
611
# IsStillValid - method
612
@dbus.service.method(_interface, out_signature=u"b")
613
def IsStillValid(self):
614
return self.still_valid()
615
616
# PropertyChanged - signal
617
@dbus.service.signal(_interface, signature=u"sv")
618
def PropertyChanged(self, property, value):
619
"D-Bus signal"
620
pass
621
622
# ReceivedSecret - signal
623
@dbus.service.signal(_interface)
624
def ReceivedSecret(self):
625
"D-Bus signal"
626
pass
627
628
# Rejected - signal
629
@dbus.service.signal(_interface)
630
def Rejected(self):
631
"D-Bus signal"
632
pass
633
634
# SetChecker - method
635
@dbus.service.method(_interface, in_signature=u"s")
636
def SetChecker(self, checker):
637
"D-Bus setter method"
638
self.checker_command = checker
639
# Emit D-Bus signal
640
self.PropertyChanged(dbus.String(u"checker"),
641
dbus.String(self.checker_command,
642
variant_level=1))
643
644
# SetHost - method
645
@dbus.service.method(_interface, in_signature=u"s")
646
def SetHost(self, host):
647
"D-Bus setter method"
648
self.host = host
649
# Emit D-Bus signal
650
self.PropertyChanged(dbus.String(u"host"),
651
dbus.String(self.host, variant_level=1))
652
653
# SetInterval - method
654
@dbus.service.method(_interface, in_signature=u"t")
655
def SetInterval(self, milliseconds):
656
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
657
# Emit D-Bus signal
658
self.PropertyChanged(dbus.String(u"interval"),
659
(dbus.UInt64(self.interval_milliseconds(),
660
variant_level=1)))
661
662
# SetSecret - method
663
@dbus.service.method(_interface, in_signature=u"ay",
664
byte_arrays=True)
665
def SetSecret(self, secret):
666
"D-Bus setter method"
667
self.secret = str(secret)
668
669
# SetTimeout - method
670
@dbus.service.method(_interface, in_signature=u"t")
671
def SetTimeout(self, milliseconds):
672
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
673
# Emit D-Bus signal
674
self.PropertyChanged(dbus.String(u"timeout"),
675
(dbus.UInt64(self.timeout_milliseconds(),
676
variant_level=1)))
677
678
# Enable - method
679
@dbus.service.method(_interface)
680
def Enable(self):
681
"D-Bus method"
682
self.enable()
683
684
# StartChecker - method
685
@dbus.service.method(_interface)
686
def StartChecker(self):
687
"D-Bus method"
688
self.start_checker()
689
690
# Disable - method
691
@dbus.service.method(_interface)
692
def Disable(self):
693
"D-Bus method"
694
self.disable()
695
696
# StopChecker - method
697
@dbus.service.method(_interface)
698
def StopChecker(self):
699
self.stop_checker()
700
701
del _interface
702
703
704
class ClientHandler(socketserver.BaseRequestHandler, object):
705
"""A class to handle client connections.
706
707
Instantiated once for each connection to handle it.
389
def peer_certificate(session):
390
"Return the peer's OpenPGP certificate as a bytestring"
391
# If not an OpenPGP certificate...
392
if gnutls.library.functions.gnutls_certificate_type_get\
393
(session._c_object) \
394
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
395
# ...do the normal thing
396
return session.peer_certificate
397
list_size = ctypes.c_uint()
398
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
399
(session._c_object, ctypes.byref(list_size))
400
if list_size.value == 0:
401
return None
402
cert = cert_list[0]
403
return ctypes.string_at(cert.data, cert.size)
404
405
406
def fingerprint(openpgp):
407
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
408
# New GnuTLS "datum" with the OpenPGP public key
409
datum = gnutls.library.types.gnutls_datum_t\
410
(ctypes.cast(ctypes.c_char_p(openpgp),
411
ctypes.POINTER(ctypes.c_ubyte)),
412
ctypes.c_uint(len(openpgp)))
413
# New empty GnuTLS certificate
414
crt = gnutls.library.types.gnutls_openpgp_crt_t()
415
gnutls.library.functions.gnutls_openpgp_crt_init\
416
(ctypes.byref(crt))
417
# Import the OpenPGP public key into the certificate
418
gnutls.library.functions.gnutls_openpgp_crt_import\
419
(crt, ctypes.byref(datum),
420
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
421
# Verify the self signature in the key
422
crtverify = ctypes.c_uint()
423
gnutls.library.functions.gnutls_openpgp_crt_verify_self\
424
(crt, 0, ctypes.byref(crtverify))
425
if crtverify.value != 0:
426
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
427
raise gnutls.errors.CertificateSecurityError("Verify failed")
428
# New buffer for the fingerprint
429
buf = ctypes.create_string_buffer(20)
430
buf_len = ctypes.c_size_t()
431
# Get the fingerprint from the certificate into the buffer
432
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
433
(crt, ctypes.byref(buf), ctypes.byref(buf_len))
434
# Deinit the certificate
435
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
436
# Convert the buffer to a Python bytestring
437
fpr = ctypes.string_at(buf, buf_len.value)
438
# Convert the bytestring to hexadecimal notation
439
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
440
return hex_fpr
441
442
443
class TCP_handler(SocketServer.BaseRequestHandler, object):
444
"""A TCP request handler class.
445
Instantiated by IPv6_TCPServer for each request to handle it.
708
446
Note: This will run in its own forked process."""
709
447
710
448
def handle(self):
711
449
logger.info(u"TCP connection from: %s",
712
unicode(self.client_address))
713
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
714
# Open IPC pipe to parent process
715
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
716
session = (gnutls.connection
717
.ClientSession(self.request,
718
gnutls.connection
719
.X509Credentials()))
720
721
line = self.request.makefile().readline()
722
logger.debug(u"Protocol version: %r", line)
723
try:
724
if int(line.strip().split()[0]) > 1:
725
raise RuntimeError
726
except (ValueError, IndexError, RuntimeError), error:
727
logger.error(u"Unknown protocol version: %s", error)
728
return
729
730
# Note: gnutls.connection.X509Credentials is really a
731
# generic GnuTLS certificate credentials object so long as
732
# no X.509 keys are added to it. Therefore, we can use it
733
# here despite using OpenPGP certificates.
734
735
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
736
# u"+AES-256-CBC", u"+SHA1",
737
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
738
# u"+DHE-DSS"))
739
# Use a fallback default, since this MUST be set.
740
priority = self.server.gnutls_priority
741
if priority is None:
742
priority = u"NORMAL"
743
(gnutls.library.functions
744
.gnutls_priority_set_direct(session._c_object,
745
priority, None))
746
747
try:
748
session.handshake()
749
except gnutls.errors.GNUTLSError, error:
750
logger.warning(u"Handshake failed: %s", error)
751
# Do not run session.bye() here: the session is not
752
# established. Just abandon the request.
753
return
754
logger.debug(u"Handshake succeeded")
755
try:
756
fpr = self.fingerprint(self.peer_certificate(session))
757
except (TypeError, gnutls.errors.GNUTLSError), error:
758
logger.warning(u"Bad certificate: %s", error)
759
session.bye()
760
return
761
logger.debug(u"Fingerprint: %s", fpr)
762
763
for c in self.server.clients:
764
if c.fingerprint == fpr:
765
client = c
766
break
767
else:
768
ipc.write(u"NOTFOUND %s\n" % fpr)
769
session.bye()
770
return
771
# Have to check if client.still_valid(), since it is
772
# possible that the client timed out while establishing
773
# the GnuTLS session.
774
if not client.still_valid():
775
ipc.write(u"INVALID %s\n" % client.name)
776
session.bye()
777
return
778
ipc.write(u"SENDING %s\n" % client.name)
779
sent_size = 0
780
while sent_size < len(client.secret):
781
sent = session.send(client.secret[sent_size:])
782
logger.debug(u"Sent: %d, remaining: %d",
783
sent, len(client.secret)
784
- (sent_size + sent))
785
sent_size += sent
786
session.bye()
787
788
@staticmethod
789
def peer_certificate(session):
790
"Return the peer's OpenPGP certificate as a bytestring"
791
# If not an OpenPGP certificate...
792
if (gnutls.library.functions
793
.gnutls_certificate_type_get(session._c_object)
794
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
795
# ...do the normal thing
796
return session.peer_certificate
797
list_size = ctypes.c_uint(1)
798
cert_list = (gnutls.library.functions
799
.gnutls_certificate_get_peers
800
(session._c_object, ctypes.byref(list_size)))
801
if not bool(cert_list) and list_size.value != 0:
802
raise gnutls.errors.GNUTLSError(u"error getting peer"
803
u" certificate")
804
if list_size.value == 0:
805
return None
806
cert = cert_list[0]
807
return ctypes.string_at(cert.data, cert.size)
808
809
@staticmethod
810
def fingerprint(openpgp):
811
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
812
# New GnuTLS "datum" with the OpenPGP public key
813
datum = (gnutls.library.types
814
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
815
ctypes.POINTER
816
(ctypes.c_ubyte)),
817
ctypes.c_uint(len(openpgp))))
818
# New empty GnuTLS certificate
819
crt = gnutls.library.types.gnutls_openpgp_crt_t()
820
(gnutls.library.functions
821
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
822
# Import the OpenPGP public key into the certificate
823
(gnutls.library.functions
824
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
825
gnutls.library.constants
826
.GNUTLS_OPENPGP_FMT_RAW))
827
# Verify the self signature in the key
828
crtverify = ctypes.c_uint()
829
(gnutls.library.functions
830
.gnutls_openpgp_crt_verify_self(crt, 0,
831
ctypes.byref(crtverify)))
832
if crtverify.value != 0:
833
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
834
raise (gnutls.errors.CertificateSecurityError
835
(u"Verify failed"))
836
# New buffer for the fingerprint
837
buf = ctypes.create_string_buffer(20)
838
buf_len = ctypes.c_size_t()
839
# Get the fingerprint from the certificate into the buffer
840
(gnutls.library.functions
841
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
842
ctypes.byref(buf_len)))
843
# Deinit the certificate
844
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
845
# Convert the buffer to a Python bytestring
846
fpr = ctypes.string_at(buf, buf_len.value)
847
# Convert the bytestring to hexadecimal notation
848
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
849
return hex_fpr
850
851
852
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
853
"""Like socketserver.ForkingMixIn, but also pass a pipe.
854
855
Assumes a gobject.MainLoop event loop.
856
"""
857
def process_request(self, request, client_address):
858
"""Overrides and wraps the original process_request().
859
860
This function creates a new pipe in self.pipe
861
"""
862
self.pipe = os.pipe()
863
super(ForkingMixInWithPipe,
864
self).process_request(request, client_address)
865
os.close(self.pipe[1]) # close write end
866
# Call "handle_ipc" for both data and EOF events
867
gobject.io_add_watch(self.pipe[0],
868
gobject.IO_IN | gobject.IO_HUP,
869
self.handle_ipc)
870
def handle_ipc(source, condition):
871
"""Dummy function; override as necessary"""
872
os.close(source)
873
return False
874
875
876
class IPv6_TCPServer(ForkingMixInWithPipe,
877
socketserver.TCPServer, object):
878
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
879
450
unicode(self.client_address))
451
session = gnutls.connection.ClientSession\
452
(self.request, gnutls.connection.X509Credentials())
453
454
line = self.request.makefile().readline()
455
logger.debug(u"Protocol version: %r", line)
456
try:
457
if int(line.strip().split()[0]) > 1:
458
raise RuntimeError
459
except (ValueError, IndexError, RuntimeError), error:
460
logger.error(u"Unknown protocol version: %s", error)
461
return
462
463
# Note: gnutls.connection.X509Credentials is really a generic
464
# GnuTLS certificate credentials object so long as no X.509
465
# keys are added to it. Therefore, we can use it here despite
466
# using OpenPGP certificates.
467
468
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
469
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
470
# "+DHE-DSS"))
471
priority = "NORMAL" # Fallback default, since this
472
# MUST be set.
473
if self.server.settings["priority"]:
474
priority = self.server.settings["priority"]
475
gnutls.library.functions.gnutls_priority_set_direct\
476
(session._c_object, priority, None)
477
478
try:
479
session.handshake()
480
except gnutls.errors.GNUTLSError, error:
481
logger.warning(u"Handshake failed: %s", error)
482
# Do not run session.bye() here: the session is not
483
# established. Just abandon the request.
484
return
485
try:
486
fpr = fingerprint(peer_certificate(session))
487
except (TypeError, gnutls.errors.GNUTLSError), error:
488
logger.warning(u"Bad certificate: %s", error)
489
session.bye()
490
return
491
logger.debug(u"Fingerprint: %s", fpr)
492
client = None
493
for c in self.server.clients:
494
if c.fingerprint == fpr:
495
client = c
496
break
497
if not client:
498
logger.warning(u"Client not found for fingerprint: %s",
499
fpr)
500
session.bye()
501
return
502
# Have to check if client.still_valid(), since it is possible
503
# that the client timed out while establishing the GnuTLS
504
# session.
505
if not client.still_valid():
506
logger.warning(u"Client %(name)s is invalid",
507
vars(client))
508
session.bye()
509
return
510
sent_size = 0
511
while sent_size < len(client.secret):
512
sent = session.send(client.secret[sent_size:])
513
logger.debug(u"Sent: %d, remaining: %d",
514
sent, len(client.secret)
515
- (sent_size + sent))
516
sent_size += sent
517
session.bye()
518
519
520
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
521
"""IPv6 TCP server. Accepts 'None' as address and/or port.
880
522
Attributes:
523
settings: Server settings
524
clients: Set() of Client objects
881
525
enabled: Boolean; whether this server is activated yet
882
interface: None or a network interface name (string)
883
use_ipv6: Boolean; to use IPv6 or not
884
----
885
clients: set of Client objects
886
gnutls_priority GnuTLS priority string
887
use_dbus: Boolean; to emit D-Bus signals or not
888
526
"""
889
def __init__(self, server_address, RequestHandlerClass,
890
interface=None, use_ipv6=True, clients=None,
891
gnutls_priority=None, use_dbus=True):
527
address_family = socket.AF_INET6
528
def __init__(self, *args, **kwargs):
529
if "settings" in kwargs:
530
self.settings = kwargs["settings"]
531
del kwargs["settings"]
532
if "clients" in kwargs:
533
self.clients = kwargs["clients"]
534
del kwargs["clients"]
892
535
self.enabled = False
893
self.interface = interface
894
if use_ipv6:
895
self.address_family = socket.AF_INET6
896
self.clients = clients
897
self.use_dbus = use_dbus
898
self.gnutls_priority = gnutls_priority
899
socketserver.TCPServer.__init__(self, server_address,
900
RequestHandlerClass)
536
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
901
537
def server_bind(self):
902
538
"""This overrides the normal server_bind() function
903
539
to bind to an interface if one was specified, and also NOT to
904
540
bind to an address or port if they were not specified."""
905
if self.interface is not None:
541
if self.settings["interface"]:
542
# 25 is from /usr/include/asm-i486/socket.h
543
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
906
544
try:
907
545
self.socket.setsockopt(socket.SOL_SOCKET,
908
546
SO_BINDTODEVICE,
909
str(self.interface + u'\0'))
547
self.settings["interface"])
910
548
except socket.error, error:
911
549
if error[0] == errno.EPERM:
912
550
logger.error(u"No permission to"
913
551
u" bind to interface %s",
914
self.interface)
552
self.settings["interface"])
915
553
else:
916
raise
554
raise error
917
555
# Only bind(2) the socket if we really need to.
918
556
if self.server_address[0] or self.server_address[1]:
919
557
if not self.server_address[0]:
920
if self.address_family == socket.AF_INET6:
921
any_address = u"::" # in6addr_any
922
else:
923
any_address = socket.INADDR_ANY
924
self.server_address = (any_address,
558
in6addr_any = "::"
559
self.server_address = (in6addr_any,
925
560
self.server_address[1])
926
561
elif not self.server_address[1]:
927
562
self.server_address = (self.server_address[0],
928
563
0)
929
# if self.interface:
564
# if self.settings["interface"]:
930
565
# self.server_address = (self.server_address[0],
931
566
# 0, # port
932
567
# 0, # flowinfo
933
568
# if_nametoindex
934
# (self.interface))
935
return socketserver.TCPServer.server_bind(self)
569
# (self.settings
570
# ["interface"]))
571
return super(IPv6_TCPServer, self).server_bind()
936
572
def server_activate(self):
937
573
if self.enabled:
938
return socketserver.TCPServer.server_activate(self)
574
return super(IPv6_TCPServer, self).server_activate()
939
575
def enable(self):
940
576
self.enabled = True
941
def handle_ipc(self, source, condition, file_objects={}):
942
condition_names = {
943
gobject.IO_IN: u"IN", # There is data to read.
944
gobject.IO_OUT: u"OUT", # Data can be written (without
945
# blocking).
946
gobject.IO_PRI: u"PRI", # There is urgent data to read.
947
gobject.IO_ERR: u"ERR", # Error condition.
948
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
949
# broken, usually for pipes and
950
# sockets).
951
}
952
conditions_string = ' | '.join(name
953
for cond, name in
954
condition_names.iteritems()
955
if cond & condition)
956
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
957
conditions_string)
958
959
# Turn the pipe file descriptor into a Python file object
960
if source not in file_objects:
961
file_objects[source] = os.fdopen(source, u"r", 1)
962
963
# Read a line from the file object
964
cmdline = file_objects[source].readline()
965
if not cmdline: # Empty line means end of file
966
# close the IPC pipe
967
file_objects[source].close()
968
del file_objects[source]
969
970
# Stop calling this function
971
return False
972
973
logger.debug(u"IPC command: %r", cmdline)
974
975
# Parse and act on command
976
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
977
978
if cmd == u"NOTFOUND":
979
logger.warning(u"Client not found for fingerprint: %s",
980
args)
981
if self.use_dbus:
982
# Emit D-Bus signal
983
mandos_dbus_service.ClientNotFound(args)
984
elif cmd == u"INVALID":
985
for client in self.clients:
986
if client.name == args:
987
logger.warning(u"Client %s is invalid", args)
988
if self.use_dbus:
989
# Emit D-Bus signal
990
client.Rejected()
991
break
992
else:
993
logger.error(u"Unknown client %s is invalid", args)
994
elif cmd == u"SENDING":
995
for client in self.clients:
996
if client.name == args:
997
logger.info(u"Sending secret to %s", client.name)
998
client.checked_ok()
999
if self.use_dbus:
1000
# Emit D-Bus signal
1001
client.ReceivedSecret()
1002
break
1003
else:
1004
logger.error(u"Sending secret to unknown client %s",
1005
args)
1006
else:
1007
logger.error(u"Unknown IPC command: %r", cmdline)
1008
1009
# Keep calling this function
1010
return True
1011
577
1012
578
1013
579
def string_to_delta(interval):
1014
580
"""Parse a string and return a datetime.timedelta
1015
1016
>>> string_to_delta(u'7d')
581
582
>>> string_to_delta('7d')
1017
583
datetime.timedelta(7)
1018
>>> string_to_delta(u'60s')
584
>>> string_to_delta('60s')
1019
585
datetime.timedelta(0, 60)
1020
>>> string_to_delta(u'60m')
586
>>> string_to_delta('60m')
1021
587
datetime.timedelta(0, 3600)
1022
>>> string_to_delta(u'24h')
588
>>> string_to_delta('24h')
1023
589
datetime.timedelta(1)
1024
590
>>> string_to_delta(u'1w')
1025
591
datetime.timedelta(7)
1026
>>> string_to_delta(u'5m 30s')
592
>>> string_to_delta('5m 30s')
1027
593
datetime.timedelta(0, 330)
1028
594
"""
1029
595
timevalue = datetime.timedelta(0)
1070
636
elif state == avahi.ENTRY_GROUP_FAILURE:
1071
637
logger.critical(u"Avahi: Error in group state changed %s",
1072
638
unicode(error))
1073
raise AvahiGroupError(u"State changed: %s" % unicode(error))
639
raise AvahiGroupError("State changed: %s", str(error))
1074
640
1075
641
def if_nametoindex(interface):
1076
"""Call the C function if_nametoindex(), or equivalent
1077
1078
Note: This function cannot accept a unicode string."""
642
"""Call the C function if_nametoindex(), or equivalent"""
1079
643
global if_nametoindex
1080
644
try:
1081
if_nametoindex = (ctypes.cdll.LoadLibrary
1082
(ctypes.util.find_library(u"c"))
1083
.if_nametoindex)
645
if_nametoindex = ctypes.cdll.LoadLibrary\
646
(ctypes.util.find_library("c")).if_nametoindex
1084
647
except (OSError, AttributeError):
1085
logger.warning(u"Doing if_nametoindex the hard way")
648
if "struct" not in sys.modules:
649
import struct
650
if "fcntl" not in sys.modules:
651
import fcntl
1086
652
def if_nametoindex(interface):
1087
653
"Get an interface index the hard way, i.e. using fcntl()"
1088
654
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1089
with closing(socket.socket()) as s:
1090
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1091
struct.pack(str(u"16s16x"),
1092
interface))
1093
interface_index = struct.unpack(str(u"I"),
1094
ifreq[16:20])[0]
655
s = socket.socket()
656
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
657
struct.pack("16s16x", interface))
658
s.close()
659
interface_index = struct.unpack("I", ifreq[16:20])[0]
1095
660
return interface_index
1096
661
return if_nametoindex(interface)
1097
662
1098
663
1099
664
def daemon(nochdir = False, noclose = False):
1100
665
"""See daemon(3). Standard BSD Unix function.
1101
1102
666
This should really exist as os.daemon, but it doesn't (yet)."""
1103
667
if os.fork():
1104
668
sys.exit()
1105
669
os.setsid()
1106
670
if not nochdir:
1107
os.chdir(u"/")
671
os.chdir("/")
1108
672
if os.fork():
1109
673
sys.exit()
1110
674
if not noclose:
1112
676
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1113
677
if not stat.S_ISCHR(os.fstat(null).st_mode):
1114
678
raise OSError(errno.ENODEV,
1115
u"/dev/null not a character device")
679
"/dev/null not a character device")
1116
680
os.dup2(null, sys.stdin.fileno())
1117
681
os.dup2(null, sys.stdout.fileno())
1118
682
os.dup2(null, sys.stderr.fileno())
1121
685
1122
686
1123
687
def main():
1124
1125
######################################################################
1126
# Parsing of options, both command line and config file
1127
1128
parser = optparse.OptionParser(version = "%%prog %s" % version)
1129
parser.add_option("-i", u"--interface", type=u"string",
1130
metavar="IF", help=u"Bind to interface IF")
1131
parser.add_option("-a", u"--address", type=u"string",
1132
help=u"Address to listen for requests on")
1133
parser.add_option("-p", u"--port", type=u"int",
1134
help=u"Port number to receive requests on")
1135
parser.add_option("--check", action=u"store_true",
1136
help=u"Run self-test")
1137
parser.add_option("--debug", action=u"store_true",
1138
help=u"Debug mode; run in foreground and log to"
1139
u" terminal")
1140
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1141
u" priority string (see GnuTLS documentation)")
1142
parser.add_option("--servicename", type=u"string",
1143
metavar=u"NAME", help=u"Zeroconf service name")
1144
parser.add_option("--configdir", type=u"string",
1145
default=u"/etc/mandos", metavar=u"DIR",
1146
help=u"Directory to search for configuration"
1147
u" files")
1148
parser.add_option("--no-dbus", action=u"store_false",
1149
dest=u"use_dbus", help=u"Do not provide D-Bus"
1150
u" system bus interface")
1151
parser.add_option("--no-ipv6", action=u"store_false",
1152
dest=u"use_ipv6", help=u"Do not use IPv6")
688
parser = OptionParser(version = "%%prog %s" % version)
689
parser.add_option("-i", "--interface", type="string",
690
metavar="IF", help="Bind to interface IF")
691
parser.add_option("-a", "--address", type="string",
692
help="Address to listen for requests on")
693
parser.add_option("-p", "--port", type="int",
694
help="Port number to receive requests on")
695
parser.add_option("--check", action="store_true", default=False,
696
help="Run self-test")
697
parser.add_option("--debug", action="store_true",
698
help="Debug mode; run in foreground and log to"
699
" terminal")
700
parser.add_option("--priority", type="string", help="GnuTLS"
701
" priority string (see GnuTLS documentation)")
702
parser.add_option("--servicename", type="string", metavar="NAME",
703
help="Zeroconf service name")
704
parser.add_option("--configdir", type="string",
705
default="/etc/mandos", metavar="DIR",
706
help="Directory to search for configuration"
707
" files")
1153
708
options = parser.parse_args()[0]
1154
709
1155
710
if options.check:
1158
713
sys.exit()
1159
714
1160
715
# Default values for config file for server-global settings
1161
server_defaults = { u"interface": u"",
1162
u"address": u"",
1163
u"port": u"",
1164
u"debug": u"False",
1165
u"priority":
1166
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1167
u"servicename": u"Mandos",
1168
u"use_dbus": u"True",
1169
u"use_ipv6": u"True",
716
server_defaults = { "interface": "",
717
"address": "",
718
"port": "",
719
"debug": "False",
720
"priority":
721
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
722
"servicename": "Mandos",
1170
723
}
1171
724
1172
725
# Parse config file for server-global settings
1173
server_config = configparser.SafeConfigParser(server_defaults)
726
server_config = ConfigParser.SafeConfigParser(server_defaults)
1174
727
del server_defaults
1175
server_config.read(os.path.join(options.configdir,
1176
u"mandos.conf"))
728
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1177
729
# Convert the SafeConfigParser object to a dict
1178
730
server_settings = server_config.defaults()
1179
# Use the appropriate methods on the non-string config options
1180
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1181
server_settings[option] = server_config.getboolean(u"DEFAULT",
1182
option)
1183
if server_settings["port"]:
1184
server_settings["port"] = server_config.getint(u"DEFAULT",
1185
u"port")
731
# Use getboolean on the boolean config option
732
server_settings["debug"] = server_config.getboolean\
733
("DEFAULT", "debug")
1186
734
del server_config
1187
735
1188
736
# Override the settings from the config file with command line
1189
737
# options, if set.
1190
for option in (u"interface", u"address", u"port", u"debug",
1191
u"priority", u"servicename", u"configdir",
1192
u"use_dbus", u"use_ipv6"):
738
for option in ("interface", "address", "port", "debug",
739
"priority", "servicename", "configdir"):
1193
740
value = getattr(options, option)
1194
741
if value is not None:
1195
742
server_settings[option] = value
1196
743
del options
1197
# Force all strings to be unicode
1198
for option in server_settings.keys():
1199
if type(server_settings[option]) is str:
1200
server_settings[option] = unicode(server_settings[option])
1201
744
# Now we have our good server settings in "server_settings"
1202
745
1203
##################################################################
1204
1205
# For convenience
1206
debug = server_settings[u"debug"]
1207
use_dbus = server_settings[u"use_dbus"]
1208
use_ipv6 = server_settings[u"use_ipv6"]
746
debug = server_settings["debug"]
1209
747
1210
748
if not debug:
1211
749
syslogger.setLevel(logging.WARNING)
1212
750
console.setLevel(logging.WARNING)
1213
751
1214
if server_settings[u"servicename"] != u"Mandos":
1215
syslogger.setFormatter(logging.Formatter
1216
(u'Mandos (%s) [%%(process)d]:'
1217
u' %%(levelname)s: %%(message)s'
1218
% server_settings[u"servicename"]))
752
if server_settings["servicename"] != "Mandos":
753
syslogger.setFormatter(logging.Formatter\
754
('Mandos (%s): %%(levelname)s:'
755
' %%(message)s'
756
% server_settings["servicename"]))
1219
757
1220
758
# Parse config file with clients
1221
client_defaults = { u"timeout": u"1h",
1222
u"interval": u"5m",
1223
u"checker": u"fping -q -- %%(host)s",
1224
u"host": u"",
759
client_defaults = { "timeout": "1h",
760
"interval": "5m",
761
"checker": "fping -q -- %(host)s",
762
"host": "",
1225
763
}
1226
client_config = configparser.SafeConfigParser(client_defaults)
1227
client_config.read(os.path.join(server_settings[u"configdir"],
1228
u"clients.conf"))
1229
1230
global mandos_dbus_service
1231
mandos_dbus_service = None
1232
1233
clients = set()
1234
tcp_server = IPv6_TCPServer((server_settings[u"address"],
1235
server_settings[u"port"]),
1236
ClientHandler,
1237
interface=
1238
server_settings[u"interface"],
1239
use_ipv6=use_ipv6,
1240
clients=clients,
1241
gnutls_priority=
1242
server_settings[u"priority"],
1243
use_dbus=use_dbus)
1244
pidfilename = u"/var/run/mandos.pid"
1245
try:
1246
pidfile = open(pidfilename, u"w")
1247
except IOError:
1248
logger.error(u"Could not open file %r", pidfilename)
1249
1250
try:
1251
uid = pwd.getpwnam(u"_mandos").pw_uid
1252
gid = pwd.getpwnam(u"_mandos").pw_gid
1253
except KeyError:
1254
try:
1255
uid = pwd.getpwnam(u"mandos").pw_uid
1256
gid = pwd.getpwnam(u"mandos").pw_gid
1257
except KeyError:
1258
try:
1259
uid = pwd.getpwnam(u"nobody").pw_uid
1260
gid = pwd.getpwnam(u"nobody").pw_gid
1261
except KeyError:
1262
uid = 65534
1263
gid = 65534
1264
try:
764
client_config = ConfigParser.SafeConfigParser(client_defaults)
765
client_config.read(os.path.join(server_settings["configdir"],
766
"clients.conf"))
767
768
clients = Set()
769
tcp_server = IPv6_TCPServer((server_settings["address"],
770
server_settings["port"]),
771
TCP_handler,
772
settings=server_settings,
773
clients=clients)
774
pidfilename = "/var/run/mandos.pid"
775
try:
776
pidfile = open(pidfilename, "w")
777
except IOError, error:
778
logger.error("Could not open file %r", pidfilename)
779
780
uid = 65534
781
gid = 65534
782
try:
783
uid = pwd.getpwnam("mandos").pw_uid
784
except KeyError:
785
try:
786
uid = pwd.getpwnam("nobody").pw_uid
787
except KeyError:
788
pass
789
try:
790
gid = pwd.getpwnam("mandos").pw_gid
791
except KeyError:
792
try:
793
gid = pwd.getpwnam("nogroup").pw_gid
794
except KeyError:
795
pass
796
try:
797
os.setuid(uid)
1265
798
os.setgid(gid)
1266
os.setuid(uid)
1267
799
except OSError, error:
1268
800
if error[0] != errno.EPERM:
1269
801
raise error
1270
802
1271
# Enable all possible GnuTLS debugging
1272
if debug:
1273
# "Use a log level over 10 to enable all debugging options."
1274
# - GnuTLS manual
1275
gnutls.library.functions.gnutls_global_set_log_level(11)
1276
1277
@gnutls.library.types.gnutls_log_func
1278
def debug_gnutls(level, string):
1279
logger.debug(u"GnuTLS: %s", string[:-1])
1280
1281
(gnutls.library.functions
1282
.gnutls_global_set_log_function(debug_gnutls))
1283
1284
803
global service
1285
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1286
service = AvahiService(name = server_settings[u"servicename"],
1287
servicetype = u"_mandos._tcp",
1288
protocol = protocol)
804
service = AvahiService(name = server_settings["servicename"],
805
servicetype = "_mandos._tcp", )
1289
806
if server_settings["interface"]:
1290
service.interface = (if_nametoindex
1291
(str(server_settings[u"interface"])))
807
service.interface = if_nametoindex\
808
(server_settings["interface"])
1292
809
1293
810
global main_loop
1294
811
global bus
1301
818
avahi.DBUS_PATH_SERVER),
1302
819
avahi.DBUS_INTERFACE_SERVER)
1303
820
# End of Avahi example code
1304
if use_dbus:
1305
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1306
1307
client_class = Client
1308
if use_dbus:
1309
client_class = ClientDBus
1310
clients.update(set(
1311
client_class(name = section,
1312
config= dict(client_config.items(section)))
1313
for section in client_config.sections()))
821
822
def remove_from_clients(client):
823
clients.remove(client)
824
if not clients:
825
logger.critical(u"No clients left, exiting")
826
sys.exit()
827
828
clients.update(Set(Client(name = section,
829
stop_hook = remove_from_clients,
830
config
831
= dict(client_config.items(section)))
832
for section in client_config.sections()))
1314
833
if not clients:
1315
logger.warning(u"No clients defined")
834
logger.critical(u"No clients defined")
835
sys.exit(1)
1316
836
1317
837
if debug:
1318
838
# Redirect stdin so all checkers get /dev/null
1327
847
daemon()
1328
848
1329
849
try:
1330
with closing(pidfile):
1331
pid = os.getpid()
1332
pidfile.write(str(pid) + "\n")
850
pid = os.getpid()
851
pidfile.write(str(pid) + "\n")
852
pidfile.close()
1333
853
del pidfile
1334
854
except IOError:
1335
855
logger.error(u"Could not write to file %r with PID %d",
1350
870
1351
871
while clients:
1352
872
client = clients.pop()
1353
client.disable_hook = None
1354
client.disable()
873
client.stop_hook = None
874
client.stop()
1355
875
1356
876
atexit.register(cleanup)
1357
877
1360
880
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1361
881
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1362
882
1363
if use_dbus:
1364
class MandosDBusService(dbus.service.Object):
1365
"""A D-Bus proxy object"""
1366
def __init__(self):
1367
dbus.service.Object.__init__(self, bus, u"/")
1368
_interface = u"se.bsnet.fukt.Mandos"
1369
1370
@dbus.service.signal(_interface, signature=u"oa{sv}")
1371
def ClientAdded(self, objpath, properties):
1372
"D-Bus signal"
1373
pass
1374
1375
@dbus.service.signal(_interface, signature=u"s")
1376
def ClientNotFound(self, fingerprint):
1377
"D-Bus signal"
1378
pass
1379
1380
@dbus.service.signal(_interface, signature=u"os")
1381
def ClientRemoved(self, objpath, name):
1382
"D-Bus signal"
1383
pass
1384
1385
@dbus.service.method(_interface, out_signature=u"ao")
1386
def GetAllClients(self):
1387
"D-Bus method"
1388
return dbus.Array(c.dbus_object_path for c in clients)
1389
1390
@dbus.service.method(_interface,
1391
out_signature=u"a{oa{sv}}")
1392
def GetAllClientsWithProperties(self):
1393
"D-Bus method"
1394
return dbus.Dictionary(
1395
((c.dbus_object_path, c.GetAllProperties())
1396
for c in clients),
1397
signature=u"oa{sv}")
1398
1399
@dbus.service.method(_interface, in_signature=u"o")
1400
def RemoveClient(self, object_path):
1401
"D-Bus method"
1402
for c in clients:
1403
if c.dbus_object_path == object_path:
1404
clients.remove(c)
1405
c.remove_from_connection()
1406
# Don't signal anything except ClientRemoved
1407
c.disable(signal=False)
1408
# Emit D-Bus signal
1409
self.ClientRemoved(object_path, c.name)
1410
return
1411
raise KeyError
1412
1413
del _interface
1414
1415
mandos_dbus_service = MandosDBusService()
1416
1417
883
for client in clients:
1418
if use_dbus:
1419
# Emit D-Bus signal
1420
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1421
client.GetAllProperties())
1422
client.enable()
884
client.start()
1423
885
1424
886
tcp_server.enable()
1425
887
tcp_server.server_activate()
1426
888
1427
889
# Find out what port we got
1428
890
service.port = tcp_server.socket.getsockname()[1]
1429
if use_ipv6:
1430
logger.info(u"Now listening on address %r, port %d,"
1431
" flowinfo %d, scope_id %d"
1432
% tcp_server.socket.getsockname())
1433
else: # IPv4
1434
logger.info(u"Now listening on address %r, port %d"
1435
% tcp_server.socket.getsockname())
891
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
892
u" scope_id %d" % tcp_server.socket.getsockname())
1436
893
1437
894
#service.interface = tcp_server.socket.getsockname()[3]
1438
895
1439
896
try:
1440
897
# From the Avahi example code
1441
server.connect_to_signal(u"StateChanged", server_state_changed)
898
server.connect_to_signal("StateChanged", server_state_changed)
1442
899
try:
1443
900
server_state_changed(server.GetState())
1444
901
except dbus.exceptions.DBusException, error:
1448
905
1449
906
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1450
907
lambda *args, **kwargs:
1451
(tcp_server.handle_request
1452
(*args[2:], **kwargs) or True))
908
tcp_server.handle_request\
909
(*args[2:], **kwargs) or True)
1453
910
1454
911
logger.debug(u"Starting main loop")
1455
912
main_loop.run()
1456
913
except AvahiError, error:
1457
logger.critical(u"AvahiError: %s", error)
914
logger.critical(u"AvahiError: %s" + unicode(error))
1458
915
sys.exit(1)
1459
916
except KeyboardInterrupt:
1460
917
if debug:
1461
print >> sys.stderr
1462
logger.debug(u"Server received KeyboardInterrupt")
1463
logger.debug(u"Server exiting")
918
print
1464
919
1465
920
if __name__ == '__main__':
1466
921
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0