/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2008-11-09 06:40:29 UTC
  • mto: (24.1.113 mandos) (237.2.1 mandos)
  • mto: This revision was merged to the branch mainline in revision 238.
  • Revision ID: teddy@fukt.bsnet.se-20081109064029-df71jpoce308cq3v
First steps of a D-Bus interface to the server.

* mandos: Also import "dbus.service".
  (Client): Inherit from "dbus.service.Object", which is a new-style
            class, so inheriting from "object" is no longer necessary.
  (Client.interface): New temporary variable which only exists during
                     class definition.

  (Client.getName, Client.getFingerprint): New D-Bus getter methods.
  (Client.setSecret): New D-Bus setter method.
  (Client._set_timeout): Emit D-Bus signal "TimeoutChanged".
  (Client.getTimeout): New D-Bus getter method.
  (Client.TimeoutChanged): New D-Bus signal.
  (Client._set_interval): Emit D-Bus signal "IntervalChanged".
  (Client.getInterval): New D-Bus getter method.
  (Client.intervalChanged): New D-Bus signal.
  (Client.__init__): Also call "dbus.service.Object.__init__".
  (Client.started): New boolean attribute.
  (Client.start, Client.stop): Update "self.started", and emit D-Bus
                               signal "StateChanged".
  (Client.StateChanged): New D-Bus signal.
  (Client.stop): Use "self.started" instead of misusing "self.secret".
                 Also simplify code by using "getattr" instead of
                 "hasattr".
  (Client.checker_callback): Emit D-Bus signal "CheckerCompleted".
  (Client.CheckerCompleted): New D-Bus signal.
  (Client.bumpTimeout): D-Bus method name for "bump_timeout".
  (Client.start_checker): Emit D-Bus signal "CheckerStarted".
  (Client.CheckerStarted): New D-Bus signal.
  (Client.checkerIsRunning): New D-Bus method.
  (Client.StopChecker): D-Bus method name for "stop_checker".
  (Client.still_valid): First check "self.started".
  (Client.stillValid): D-Bus method name for "still_valid".

Show diffs side-by-side

added added

removed removed

Lines of Context:
11
11
# and some lines in "main".
12
12
13
13
# Everything else is
14
 
# Copyright © 2008,2009 Teddy Hogeborn
15
 
# Copyright © 2008,2009 Björn Påhlsson
 
14
# Copyright © 2008 Teddy Hogeborn & Björn Påhlsson
16
15
17
16
# This program is free software: you can redistribute it and/or modify
18
17
# it under the terms of the GNU General Public License as published by
66
65
import ctypes
67
66
import ctypes.util
68
67
 
69
 
version = "1.0.3"
 
68
version = "1.0.2"
70
69
 
71
70
logger = logging.Logger('mandos')
72
 
syslogger = (logging.handlers.SysLogHandler
73
 
             (facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
 
              address = "/dev/log"))
75
 
syslogger.setFormatter(logging.Formatter
76
 
                       ('Mandos: %(levelname)s: %(message)s'))
 
71
syslogger = logging.handlers.SysLogHandler\
 
72
            (facility = logging.handlers.SysLogHandler.LOG_DAEMON,
 
73
             address = "/dev/log")
 
74
syslogger.setFormatter(logging.Formatter\
 
75
                        ('Mandos: %(levelname)s: %(message)s'))
77
76
logger.addHandler(syslogger)
78
77
 
79
78
console = logging.StreamHandler()
82
81
logger.addHandler(console)
83
82
 
84
83
class AvahiError(Exception):
85
 
    def __init__(self, value, *args, **kwargs):
 
84
    def __init__(self, value):
86
85
        self.value = value
87
 
        super(AvahiError, self).__init__(value, *args, **kwargs)
88
 
    def __unicode__(self):
89
 
        return unicode(repr(self.value))
 
86
        super(AvahiError, self).__init__()
 
87
    def __str__(self):
 
88
        return repr(self.value)
90
89
 
91
90
class AvahiServiceError(AvahiError):
92
91
    pass
112
111
                  a sensible number of times
113
112
    """
114
113
    def __init__(self, interface = avahi.IF_UNSPEC, name = None,
115
 
                 servicetype = None, port = None, TXT = None,
116
 
                 domain = "", host = "", max_renames = 32768):
 
114
                 servicetype = None, port = None, TXT = None, domain = "",
 
115
                 host = "", max_renames = 32768):
117
116
        self.interface = interface
118
117
        self.name = name
119
118
        self.type = servicetype
120
119
        self.port = port
121
 
        self.TXT = TXT if TXT is not None else []
 
120
        if TXT is None:
 
121
            self.TXT = []
 
122
        else:
 
123
            self.TXT = TXT
122
124
        self.domain = domain
123
125
        self.host = host
124
126
        self.rename_count = 0
129
131
            logger.critical(u"No suitable Zeroconf service name found"
130
132
                            u" after %i retries, exiting.",
131
133
                            self.rename_count)
132
 
            raise AvahiServiceError(u"Too many renames")
 
134
            raise AvahiServiceError("Too many renames")
133
135
        self.name = server.GetAlternativeServiceName(self.name)
134
136
        logger.info(u"Changing Zeroconf service name to %r ...",
135
137
                    str(self.name))
136
 
        syslogger.setFormatter(logging.Formatter
 
138
        syslogger.setFormatter(logging.Formatter\
137
139
                               ('Mandos (%s): %%(levelname)s:'
138
 
                                ' %%(message)s' % self.name))
 
140
                               ' %%(message)s' % self.name))
139
141
        self.remove()
140
142
        self.add()
141
143
        self.rename_count += 1
147
149
        """Derived from the Avahi example code"""
148
150
        global group
149
151
        if group is None:
150
 
            group = dbus.Interface(bus.get_object
151
 
                                   (avahi.DBUS_NAME,
 
152
            group = dbus.Interface\
 
153
                    (bus.get_object(avahi.DBUS_NAME,
152
154
                                    server.EntryGroupNew()),
153
 
                                   avahi.DBUS_INTERFACE_ENTRY_GROUP)
 
155
                     avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
156
            group.connect_to_signal('StateChanged',
155
157
                                    entry_group_state_changed)
156
158
        logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
170
172
# End of Avahi example code
171
173
 
172
174
 
173
 
def _datetime_to_dbus(dt, variant_level=0):
174
 
    """Convert a UTC datetime.datetime() to a D-Bus type."""
175
 
    return dbus.String(dt.isoformat(), variant_level=variant_level)
176
 
 
177
 
 
178
175
class Client(dbus.service.Object):
179
176
    """A representation of a client host served by this server.
180
177
    Attributes:
181
 
    name:       string; from the config file, used in log messages
 
178
    name:      string; from the config file, used in log messages
182
179
    fingerprint: string (40 or 32 hexadecimal digits); used to
183
180
                 uniquely identify the client
184
 
    secret:     bytestring; sent verbatim (over TLS) to client
185
 
    host:       string; available for use by the checker command
186
 
    created:    datetime.datetime(); (UTC) object creation
187
 
    last_enabled: datetime.datetime(); (UTC)
188
 
    enabled:    bool()
189
 
    last_checked_ok: datetime.datetime(); (UTC) or None
190
 
    timeout:    datetime.timedelta(); How long from last_checked_ok
191
 
                                      until this client is invalid
192
 
    interval:   datetime.timedelta(); How often to start a new checker
193
 
    disable_hook:  If set, called by disable() as disable_hook(self)
194
 
    checker:    subprocess.Popen(); a running checker process used
195
 
                                    to see if the client lives.
196
 
                                    'None' if no process is running.
 
181
    secret:    bytestring; sent verbatim (over TLS) to client
 
182
    host:      string; available for use by the checker command
 
183
    created:   datetime.datetime(); object creation, not client host
 
184
    started:   bool()
 
185
    last_checked_ok: datetime.datetime() or None if not yet checked OK
 
186
    timeout:   datetime.timedelta(); How long from last_checked_ok
 
187
                                     until this client is invalid
 
188
    interval:  datetime.timedelta(); How often to start a new checker
 
189
    stop_hook: If set, called by stop() as stop_hook(self)
 
190
    checker:   subprocess.Popen(); a running checker process used
 
191
                                   to see if the client lives.
 
192
                                   'None' if no process is running.
197
193
    checker_initiator_tag: a gobject event source tag, or None
198
 
    disable_initiator_tag:    - '' -
 
194
    stop_initiator_tag:    - '' -
199
195
    checker_callback_tag:  - '' -
200
196
    checker_command: string; External command which is run to check if
201
197
                     client lives.  %() expansions are done at
202
198
                     runtime with vars(self) as dict, so that for
203
199
                     instance %(name)s can be used in the command.
204
 
    use_dbus: bool(); Whether to provide D-Bus interface and signals
205
 
    dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
 
200
    Private attibutes:
 
201
    _timeout: Real variable for 'timeout'
 
202
    _interval: Real variable for 'interval'
 
203
    _timeout_milliseconds: Used when calling gobject.timeout_add()
 
204
    _interval_milliseconds: - '' -
206
205
    """
207
 
    def timeout_milliseconds(self):
208
 
        "Return the 'timeout' attribute in milliseconds"
209
 
        return ((self.timeout.days * 24 * 60 * 60 * 1000)
210
 
                + (self.timeout.seconds * 1000)
211
 
                + (self.timeout.microseconds // 1000))
212
 
    
213
 
    def interval_milliseconds(self):
214
 
        "Return the 'interval' attribute in milliseconds"
215
 
        return ((self.interval.days * 24 * 60 * 60 * 1000)
216
 
                + (self.interval.seconds * 1000)
217
 
                + (self.interval.microseconds // 1000))
218
 
    
219
 
    def __init__(self, name = None, disable_hook=None, config=None,
220
 
                 use_dbus=True):
 
206
    interface = u"org.mandos_system.Mandos.Clients"
 
207
    
 
208
    @dbus.service.method(interface, out_signature="s")
 
209
    def getName(self):
 
210
        "D-Bus getter method"
 
211
        return self.name
 
212
    
 
213
    @dbus.service.method(interface, out_signature="s")
 
214
    def getFingerprint(self):
 
215
        "D-Bus getter method"
 
216
        return self.fingerprint
 
217
    
 
218
    @dbus.service.method(interface, in_signature="ay",
 
219
                         byte_arrays=True)
 
220
    def setSecret(self, secret):
 
221
        "D-Bus setter method"
 
222
        self.secret = secret
 
223
    
 
224
    def _set_timeout(self, timeout):
 
225
        "Setter function for the 'timeout' attribute"
 
226
        self._timeout = timeout
 
227
        self._timeout_milliseconds = ((self.timeout.days
 
228
                                       * 24 * 60 * 60 * 1000)
 
229
                                      + (self.timeout.seconds * 1000)
 
230
                                      + (self.timeout.microseconds
 
231
                                         // 1000))
 
232
        # Emit D-Bus signal
 
233
        self.TimeoutChanged(self._timeout_milliseconds)
 
234
    timeout = property(lambda self: self._timeout, _set_timeout)
 
235
    del _set_timeout
 
236
    
 
237
    @dbus.service.method(interface, out_signature="t")
 
238
    def getTimeout(self):
 
239
        "D-Bus getter method"
 
240
        return self._timeout_milliseconds
 
241
    
 
242
    @dbus.service.signal(interface, signature="t")
 
243
    def TimeoutChanged(self, t):
 
244
        "D-Bus signal"
 
245
        pass
 
246
    
 
247
    def _set_interval(self, interval):
 
248
        "Setter function for the 'interval' attribute"
 
249
        self._interval = interval
 
250
        self._interval_milliseconds = ((self.interval.days
 
251
                                        * 24 * 60 * 60 * 1000)
 
252
                                       + (self.interval.seconds
 
253
                                          * 1000)
 
254
                                       + (self.interval.microseconds
 
255
                                          // 1000))
 
256
        # Emit D-Bus signal
 
257
        self.IntervalChanged(self._interval_milliseconds)
 
258
    interval = property(lambda self: self._interval, _set_interval)
 
259
    del _set_interval
 
260
    
 
261
    @dbus.service.method(interface, out_signature="t")
 
262
    def getInterval(self):
 
263
        "D-Bus getter method"
 
264
        return self._interval_milliseconds
 
265
    
 
266
    @dbus.service.signal(interface, signature="t")
 
267
    def IntervalChanged(self, t):
 
268
        "D-Bus signal"
 
269
        pass
 
270
    
 
271
    def __init__(self, name = None, stop_hook=None, config=None):
221
272
        """Note: the 'checker' key in 'config' sets the
222
273
        'checker_command' attribute and *not* the 'checker'
223
274
        attribute."""
224
 
        self.name = name
 
275
        dbus.service.Object.__init__(self, bus,
 
276
                                     "/Mandos/Clients/%s"
 
277
                                     % name.replace(".", "_"))
225
278
        if config is None:
226
279
            config = {}
 
280
        self.name = name
227
281
        logger.debug(u"Creating client %r", self.name)
228
 
        self.use_dbus = use_dbus
229
 
        if self.use_dbus:
230
 
            self.dbus_object_path = (dbus.ObjectPath
231
 
                                     ("/Mandos/clients/"
232
 
                                      + self.name.replace(".", "_")))
233
 
            dbus.service.Object.__init__(self, bus,
234
 
                                         self.dbus_object_path)
235
282
        # Uppercase and remove spaces from fingerprint for later
236
283
        # comparison purposes with return value from the fingerprint()
237
284
        # function
238
 
        self.fingerprint = (config["fingerprint"].upper()
239
 
                            .replace(u" ", u""))
 
285
        self.fingerprint = config["fingerprint"].upper()\
 
286
                           .replace(u" ", u"")
240
287
        logger.debug(u"  Fingerprint: %s", self.fingerprint)
241
288
        if "secret" in config:
242
289
            self.secret = config["secret"].decode(u"base64")
243
290
        elif "secfile" in config:
244
291
            with closing(open(os.path.expanduser
245
292
                              (os.path.expandvars
246
 
                               (config["secfile"])))) as secfile:
 
293
                               (config["secfile"])))) \
 
294
                               as secfile:
247
295
                self.secret = secfile.read()
248
296
        else:
249
297
            raise TypeError(u"No secret or secfile for client %s"
250
298
                            % self.name)
251
299
        self.host = config.get("host", "")
252
 
        self.created = datetime.datetime.utcnow()
253
 
        self.enabled = False
254
 
        self.last_enabled = None
 
300
        self.created = datetime.datetime.now()
 
301
        self.started = False
255
302
        self.last_checked_ok = None
256
303
        self.timeout = string_to_delta(config["timeout"])
257
304
        self.interval = string_to_delta(config["interval"])
258
 
        self.disable_hook = disable_hook
 
305
        self.stop_hook = stop_hook
259
306
        self.checker = None
260
307
        self.checker_initiator_tag = None
261
 
        self.disable_initiator_tag = None
 
308
        self.stop_initiator_tag = None
262
309
        self.checker_callback_tag = None
263
 
        self.checker_command = config["checker"]
 
310
        self.check_command = config["checker"]
264
311
    
265
 
    def enable(self):
 
312
    def start(self):
266
313
        """Start this client's checker and timeout hooks"""
267
 
        self.last_enabled = datetime.datetime.utcnow()
 
314
        self.started = True
268
315
        # Schedule a new checker to be started an 'interval' from now,
269
316
        # and every interval from then on.
270
 
        self.checker_initiator_tag = (gobject.timeout_add
271
 
                                      (self.interval_milliseconds(),
272
 
                                       self.start_checker))
 
317
        self.checker_initiator_tag = gobject.timeout_add\
 
318
                                     (self._interval_milliseconds,
 
319
                                      self.start_checker)
273
320
        # Also start a new checker *right now*.
274
321
        self.start_checker()
275
 
        # Schedule a disable() when 'timeout' has passed
276
 
        self.disable_initiator_tag = (gobject.timeout_add
277
 
                                   (self.timeout_milliseconds(),
278
 
                                    self.disable))
279
 
        self.enabled = True
280
 
        if self.use_dbus:
281
 
            # Emit D-Bus signals
282
 
            self.PropertyChanged(dbus.String(u"enabled"),
283
 
                                 dbus.Boolean(True, variant_level=1))
284
 
            self.PropertyChanged(dbus.String(u"last_enabled"),
285
 
                                 (_datetime_to_dbus(self.last_enabled,
286
 
                                                    variant_level=1)))
287
 
    
288
 
    def disable(self):
289
 
        """Disable this client."""
290
 
        if not getattr(self, "enabled", False):
 
322
        # Schedule a stop() when 'timeout' has passed
 
323
        self.stop_initiator_tag = gobject.timeout_add\
 
324
                                  (self._timeout_milliseconds,
 
325
                                   self.stop)
 
326
        # Emit D-Bus signal
 
327
        self.StateChanged(True)
 
328
    
 
329
    @dbus.service.signal(interface, signature="b")
 
330
    def StateChanged(self, started):
 
331
        "D-Bus signal"
 
332
        pass
 
333
    
 
334
    def stop(self):
 
335
        """Stop this client."""
 
336
        if getattr(self, "started", False):
 
337
            logger.info(u"Stopping client %s", self.name)
 
338
        else:
291
339
            return False
292
 
        logger.info(u"Disabling client %s", self.name)
293
 
        if getattr(self, "disable_initiator_tag", False):
294
 
            gobject.source_remove(self.disable_initiator_tag)
295
 
            self.disable_initiator_tag = None
 
340
        if getattr(self, "stop_initiator_tag", False):
 
341
            gobject.source_remove(self.stop_initiator_tag)
 
342
            self.stop_initiator_tag = None
296
343
        if getattr(self, "checker_initiator_tag", False):
297
344
            gobject.source_remove(self.checker_initiator_tag)
298
345
            self.checker_initiator_tag = None
299
346
        self.stop_checker()
300
 
        if self.disable_hook:
301
 
            self.disable_hook(self)
302
 
        self.enabled = False
303
 
        if self.use_dbus:
304
 
            # Emit D-Bus signal
305
 
            self.PropertyChanged(dbus.String(u"enabled"),
306
 
                                 dbus.Boolean(False, variant_level=1))
 
347
        if self.stop_hook:
 
348
            self.stop_hook(self)
 
349
        # Emit D-Bus signal
 
350
        self.StateChanged(False)
307
351
        # Do not run this again if called by a gobject.timeout_add
308
352
        return False
 
353
    # D-Bus variant
 
354
    Stop = dbus.service.method(interface)(stop)
309
355
    
310
356
    def __del__(self):
311
 
        self.disable_hook = None
312
 
        self.disable()
 
357
        self.stop_hook = None
 
358
        self.stop()
313
359
    
314
 
    def checker_callback(self, pid, condition, command):
 
360
    def checker_callback(self, pid, condition):
315
361
        """The checker has completed, so take appropriate actions."""
316
362
        self.checker_callback_tag = None
317
363
        self.checker = None
318
 
        if self.use_dbus:
319
 
            # Emit D-Bus signal
320
 
            self.PropertyChanged(dbus.String(u"checker_running"),
321
 
                                 dbus.Boolean(False, variant_level=1))
322
 
        if (os.WIFEXITED(condition)
323
 
            and (os.WEXITSTATUS(condition) == 0)):
 
364
        if os.WIFEXITED(condition) \
 
365
               and (os.WEXITSTATUS(condition) == 0):
324
366
            logger.info(u"Checker for %(name)s succeeded",
325
367
                        vars(self))
326
 
            if self.use_dbus:
327
 
                # Emit D-Bus signal
328
 
                self.CheckerCompleted(dbus.Boolean(True),
329
 
                                      dbus.UInt16(condition),
330
 
                                      dbus.String(command))
 
368
            # Emit D-Bus signal
 
369
            self.CheckerCompleted(True)
331
370
            self.bump_timeout()
332
371
        elif not os.WIFEXITED(condition):
333
372
            logger.warning(u"Checker for %(name)s crashed?",
334
373
                           vars(self))
335
 
            if self.use_dbus:
336
 
                # Emit D-Bus signal
337
 
                self.CheckerCompleted(dbus.Boolean(False),
338
 
                                      dbus.UInt16(condition),
339
 
                                      dbus.String(command))
 
374
            # Emit D-Bus signal
 
375
            self.CheckerCompleted(False)
340
376
        else:
341
377
            logger.info(u"Checker for %(name)s failed",
342
378
                        vars(self))
343
 
            if self.use_dbus:
344
 
                # Emit D-Bus signal
345
 
                self.CheckerCompleted(dbus.Boolean(False),
346
 
                                      dbus.UInt16(condition),
347
 
                                      dbus.String(command))
 
379
            # Emit D-Bus signal
 
380
            self.CheckerCompleted(False)
 
381
    
 
382
    @dbus.service.signal(interface, signature="b")
 
383
    def CheckerCompleted(self, success):
 
384
        "D-Bus signal"
 
385
        pass
348
386
    
349
387
    def bump_timeout(self):
350
388
        """Bump up the timeout for this client.
351
389
        This should only be called when the client has been seen,
352
390
        alive and well.
353
391
        """
354
 
        self.last_checked_ok = datetime.datetime.utcnow()
355
 
        gobject.source_remove(self.disable_initiator_tag)
356
 
        self.disable_initiator_tag = (gobject.timeout_add
357
 
                                      (self.timeout_milliseconds(),
358
 
                                       self.disable))
359
 
        if self.use_dbus:
360
 
            # Emit D-Bus signal
361
 
            self.PropertyChanged(
362
 
                dbus.String(u"last_checked_ok"),
363
 
                (_datetime_to_dbus(self.last_checked_ok,
364
 
                                   variant_level=1)))
 
392
        self.last_checked_ok = datetime.datetime.now()
 
393
        gobject.source_remove(self.stop_initiator_tag)
 
394
        self.stop_initiator_tag = gobject.timeout_add\
 
395
            (self._timeout_milliseconds, self.stop)
 
396
    # D-Bus variant
 
397
    bumpTimeout = dbus.service.method(interface)(bump_timeout)
365
398
    
366
399
    def start_checker(self):
367
400
        """Start a new checker subprocess if one is not running.
377
410
        # is as it should be.
378
411
        if self.checker is None:
379
412
            try:
380
 
                # In case checker_command has exactly one % operator
381
 
                command = self.checker_command % self.host
 
413
                # In case check_command has exactly one % operator
 
414
                command = self.check_command % self.host
382
415
            except TypeError:
383
416
                # Escape attributes for the shell
384
417
                escaped_attrs = dict((key, re.escape(str(val)))
385
418
                                     for key, val in
386
419
                                     vars(self).iteritems())
387
420
                try:
388
 
                    command = self.checker_command % escaped_attrs
 
421
                    command = self.check_command % escaped_attrs
389
422
                except TypeError, error:
390
423
                    logger.error(u'Could not format string "%s":'
391
 
                                 u' %s', self.checker_command, error)
 
424
                                 u' %s', self.check_command, error)
392
425
                    return True # Try again later
393
426
            try:
394
427
                logger.info(u"Starting checker %r for %s",
400
433
                self.checker = subprocess.Popen(command,
401
434
                                                close_fds=True,
402
435
                                                shell=True, cwd="/")
403
 
                if self.use_dbus:
404
 
                    # Emit D-Bus signal
405
 
                    self.CheckerStarted(command)
406
 
                    self.PropertyChanged(
407
 
                        dbus.String("checker_running"),
408
 
                        dbus.Boolean(True, variant_level=1))
409
 
                self.checker_callback_tag = (gobject.child_watch_add
410
 
                                             (self.checker.pid,
411
 
                                              self.checker_callback,
412
 
                                              data=command))
 
436
                self.checker_callback_tag = gobject.child_watch_add\
 
437
                                            (self.checker.pid,
 
438
                                             self.checker_callback)
 
439
                # Emit D-Bus signal
 
440
                self.CheckerStarted(command)
413
441
            except OSError, error:
414
442
                logger.error(u"Failed to start subprocess: %s",
415
443
                             error)
416
444
        # Re-run this periodically if run by gobject.timeout_add
417
445
        return True
418
446
    
 
447
    @dbus.service.signal(interface, signature="s")
 
448
    def CheckerStarted(self, command):
 
449
        pass
 
450
    
 
451
    @dbus.service.method(interface, out_signature="b")
 
452
    def checkerIsRunning(self):
 
453
        "D-Bus getter method"
 
454
        return self.checker is not None
 
455
    
419
456
    def stop_checker(self):
420
457
        """Force the checker process, if any, to stop."""
421
458
        if self.checker_callback_tag:
433
470
            if error.errno != errno.ESRCH: # No such process
434
471
                raise
435
472
        self.checker = None
436
 
        if self.use_dbus:
437
 
            self.PropertyChanged(dbus.String(u"checker_running"),
438
 
                                 dbus.Boolean(False, variant_level=1))
 
473
    # D-Bus variant
 
474
    StopChecker = dbus.service.method(interface)(stop_checker)
439
475
    
440
476
    def still_valid(self):
441
477
        """Has the timeout not yet passed for this client?"""
442
 
        if not getattr(self, "enabled", False):
 
478
        if not self.started:
443
479
            return False
444
 
        now = datetime.datetime.utcnow()
 
480
        now = datetime.datetime.now()
445
481
        if self.last_checked_ok is None:
446
482
            return now < (self.created + self.timeout)
447
483
        else:
448
484
            return now < (self.last_checked_ok + self.timeout)
449
 
    
450
 
    ## D-Bus methods & signals
451
 
    _interface = u"org.mandos_system.Mandos.Client"
452
 
    
453
 
    # BumpTimeout - method
454
 
    BumpTimeout = dbus.service.method(_interface)(bump_timeout)
455
 
    BumpTimeout.__name__ = "BumpTimeout"
456
 
    
457
 
    # CheckerCompleted - signal
458
 
    @dbus.service.signal(_interface, signature="bqs")
459
 
    def CheckerCompleted(self, success, condition, command):
460
 
        "D-Bus signal"
461
 
        pass
462
 
    
463
 
    # CheckerStarted - signal
464
 
    @dbus.service.signal(_interface, signature="s")
465
 
    def CheckerStarted(self, command):
466
 
        "D-Bus signal"
467
 
        pass
468
 
    
469
 
    # GetAllProperties - method
470
 
    @dbus.service.method(_interface, out_signature="a{sv}")
471
 
    def GetAllProperties(self):
472
 
        "D-Bus method"
473
 
        return dbus.Dictionary({
474
 
                dbus.String("name"):
475
 
                    dbus.String(self.name, variant_level=1),
476
 
                dbus.String("fingerprint"):
477
 
                    dbus.String(self.fingerprint, variant_level=1),
478
 
                dbus.String("host"):
479
 
                    dbus.String(self.host, variant_level=1),
480
 
                dbus.String("created"):
481
 
                    _datetime_to_dbus(self.created, variant_level=1),
482
 
                dbus.String("last_enabled"):
483
 
                    (_datetime_to_dbus(self.last_enabled,
484
 
                                       variant_level=1)
485
 
                     if self.last_enabled is not None
486
 
                     else dbus.Boolean(False, variant_level=1)),
487
 
                dbus.String("enabled"):
488
 
                    dbus.Boolean(self.enabled, variant_level=1),
489
 
                dbus.String("last_checked_ok"):
490
 
                    (_datetime_to_dbus(self.last_checked_ok,
491
 
                                       variant_level=1)
492
 
                     if self.last_checked_ok is not None
493
 
                     else dbus.Boolean (False, variant_level=1)),
494
 
                dbus.String("timeout"):
495
 
                    dbus.UInt64(self.timeout_milliseconds(),
496
 
                                variant_level=1),
497
 
                dbus.String("interval"):
498
 
                    dbus.UInt64(self.interval_milliseconds(),
499
 
                                variant_level=1),
500
 
                dbus.String("checker"):
501
 
                    dbus.String(self.checker_command,
502
 
                                variant_level=1),
503
 
                dbus.String("checker_running"):
504
 
                    dbus.Boolean(self.checker is not None,
505
 
                                 variant_level=1),
506
 
                }, signature="sv")
507
 
    
508
 
    # IsStillValid - method
509
 
    IsStillValid = (dbus.service.method(_interface, out_signature="b")
510
 
                    (still_valid))
511
 
    IsStillValid.__name__ = "IsStillValid"
512
 
    
513
 
    # PropertyChanged - signal
514
 
    @dbus.service.signal(_interface, signature="sv")
515
 
    def PropertyChanged(self, property, value):
516
 
        "D-Bus signal"
517
 
        pass
518
 
    
519
 
    # SetChecker - method
520
 
    @dbus.service.method(_interface, in_signature="s")
521
 
    def SetChecker(self, checker):
522
 
        "D-Bus setter method"
523
 
        self.checker_command = checker
524
 
        # Emit D-Bus signal
525
 
        self.PropertyChanged(dbus.String(u"checker"),
526
 
                             dbus.String(self.checker_command,
527
 
                                         variant_level=1))
528
 
    
529
 
    # SetHost - method
530
 
    @dbus.service.method(_interface, in_signature="s")
531
 
    def SetHost(self, host):
532
 
        "D-Bus setter method"
533
 
        self.host = host
534
 
        # Emit D-Bus signal
535
 
        self.PropertyChanged(dbus.String(u"host"),
536
 
                             dbus.String(self.host, variant_level=1))
537
 
    
538
 
    # SetInterval - method
539
 
    @dbus.service.method(_interface, in_signature="t")
540
 
    def SetInterval(self, milliseconds):
541
 
        self.interval = datetime.timedelta(0, 0, 0, milliseconds)
542
 
        # Emit D-Bus signal
543
 
        self.PropertyChanged(dbus.String(u"interval"),
544
 
                             (dbus.UInt64(self.interval_milliseconds(),
545
 
                                          variant_level=1)))
546
 
    
547
 
    # SetSecret - method
548
 
    @dbus.service.method(_interface, in_signature="ay",
549
 
                         byte_arrays=True)
550
 
    def SetSecret(self, secret):
551
 
        "D-Bus setter method"
552
 
        self.secret = str(secret)
553
 
    
554
 
    # SetTimeout - method
555
 
    @dbus.service.method(_interface, in_signature="t")
556
 
    def SetTimeout(self, milliseconds):
557
 
        self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
558
 
        # Emit D-Bus signal
559
 
        self.PropertyChanged(dbus.String(u"timeout"),
560
 
                             (dbus.UInt64(self.timeout_milliseconds(),
561
 
                                          variant_level=1)))
562
 
    
563
 
    # Enable - method
564
 
    Enable = dbus.service.method(_interface)(enable)
565
 
    Enable.__name__ = "Enable"
566
 
    
567
 
    # StartChecker - method
568
 
    @dbus.service.method(_interface)
569
 
    def StartChecker(self):
570
 
        "D-Bus method"
571
 
        self.start_checker()
572
 
    
573
 
    # Disable - method
574
 
    @dbus.service.method(_interface)
575
 
    def Disable(self):
576
 
        "D-Bus method"
577
 
        self.disable()
578
 
    
579
 
    # StopChecker - method
580
 
    StopChecker = dbus.service.method(_interface)(stop_checker)
581
 
    StopChecker.__name__ = "StopChecker"
582
 
    
583
 
    del _interface
 
485
    # D-Bus variant
 
486
    stillValid = dbus.service.method(interface, out_signature="b")\
 
487
        (still_valid)
 
488
    
 
489
    del interface
584
490
 
585
491
 
586
492
def peer_certificate(session):
587
493
    "Return the peer's OpenPGP certificate as a bytestring"
588
494
    # If not an OpenPGP certificate...
589
 
    if (gnutls.library.functions
590
 
        .gnutls_certificate_type_get(session._c_object)
591
 
        != gnutls.library.constants.GNUTLS_CRT_OPENPGP):
 
495
    if gnutls.library.functions.gnutls_certificate_type_get\
 
496
            (session._c_object) \
 
497
           != gnutls.library.constants.GNUTLS_CRT_OPENPGP:
592
498
        # ...do the normal thing
593
499
        return session.peer_certificate
594
500
    list_size = ctypes.c_uint()
595
 
    cert_list = (gnutls.library.functions
596
 
                 .gnutls_certificate_get_peers
597
 
                 (session._c_object, ctypes.byref(list_size)))
 
501
    cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
 
502
        (session._c_object, ctypes.byref(list_size))
598
503
    if list_size.value == 0:
599
504
        return None
600
505
    cert = cert_list[0]
604
509
def fingerprint(openpgp):
605
510
    "Convert an OpenPGP bytestring to a hexdigit fingerprint string"
606
511
    # New GnuTLS "datum" with the OpenPGP public key
607
 
    datum = (gnutls.library.types
608
 
             .gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
609
 
                                         ctypes.POINTER
610
 
                                         (ctypes.c_ubyte)),
611
 
                             ctypes.c_uint(len(openpgp))))
 
512
    datum = gnutls.library.types.gnutls_datum_t\
 
513
        (ctypes.cast(ctypes.c_char_p(openpgp),
 
514
                     ctypes.POINTER(ctypes.c_ubyte)),
 
515
         ctypes.c_uint(len(openpgp)))
612
516
    # New empty GnuTLS certificate
613
517
    crt = gnutls.library.types.gnutls_openpgp_crt_t()
614
 
    (gnutls.library.functions
615
 
     .gnutls_openpgp_crt_init(ctypes.byref(crt)))
 
518
    gnutls.library.functions.gnutls_openpgp_crt_init\
 
519
        (ctypes.byref(crt))
616
520
    # Import the OpenPGP public key into the certificate
617
 
    (gnutls.library.functions
618
 
     .gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
619
 
                                gnutls.library.constants
620
 
                                .GNUTLS_OPENPGP_FMT_RAW))
 
521
    gnutls.library.functions.gnutls_openpgp_crt_import\
 
522
                    (crt, ctypes.byref(datum),
 
523
                     gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
621
524
    # Verify the self signature in the key
622
525
    crtverify = ctypes.c_uint()
623
 
    (gnutls.library.functions
624
 
     .gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
 
526
    gnutls.library.functions.gnutls_openpgp_crt_verify_self\
 
527
        (crt, 0, ctypes.byref(crtverify))
625
528
    if crtverify.value != 0:
626
529
        gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
627
530
        raise gnutls.errors.CertificateSecurityError("Verify failed")
629
532
    buf = ctypes.create_string_buffer(20)
630
533
    buf_len = ctypes.c_size_t()
631
534
    # Get the fingerprint from the certificate into the buffer
632
 
    (gnutls.library.functions
633
 
     .gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
634
 
                                         ctypes.byref(buf_len)))
 
535
    gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
 
536
        (crt, ctypes.byref(buf), ctypes.byref(buf_len))
635
537
    # Deinit the certificate
636
538
    gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
637
539
    # Convert the buffer to a Python bytestring
649
551
    def handle(self):
650
552
        logger.info(u"TCP connection from: %s",
651
553
                    unicode(self.client_address))
652
 
        session = (gnutls.connection
653
 
                   .ClientSession(self.request,
654
 
                                  gnutls.connection
655
 
                                  .X509Credentials()))
 
554
        session = gnutls.connection.ClientSession\
 
555
                  (self.request, gnutls.connection.X509Credentials())
656
556
        
657
557
        line = self.request.makefile().readline()
658
558
        logger.debug(u"Protocol version: %r", line)
673
573
        #                "+DHE-DSS"))
674
574
        # Use a fallback default, since this MUST be set.
675
575
        priority = self.server.settings.get("priority", "NORMAL")
676
 
        (gnutls.library.functions
677
 
         .gnutls_priority_set_direct(session._c_object,
678
 
                                     priority, None))
 
576
        gnutls.library.functions.gnutls_priority_set_direct\
 
577
            (session._c_object, priority, None)
679
578
        
680
579
        try:
681
580
            session.handshake()
691
590
            session.bye()
692
591
            return
693
592
        logger.debug(u"Fingerprint: %s", fpr)
 
593
        client = None
694
594
        for c in self.server.clients:
695
595
            if c.fingerprint == fpr:
696
596
                client = c
697
597
                break
698
 
        else:
 
598
        if not client:
699
599
            logger.warning(u"Client not found for fingerprint: %s",
700
600
                           fpr)
701
601
            session.bye()
840
740
    elif state == avahi.ENTRY_GROUP_FAILURE:
841
741
        logger.critical(u"Avahi: Error in group state changed %s",
842
742
                        unicode(error))
843
 
        raise AvahiGroupError(u"State changed: %s" % unicode(error))
 
743
        raise AvahiGroupError("State changed: %s", str(error))
844
744
 
845
745
def if_nametoindex(interface):
846
746
    """Call the C function if_nametoindex(), or equivalent"""
847
747
    global if_nametoindex
848
748
    try:
849
 
        if_nametoindex = (ctypes.cdll.LoadLibrary
850
 
                          (ctypes.util.find_library("c"))
851
 
                          .if_nametoindex)
 
749
        if_nametoindex = ctypes.cdll.LoadLibrary\
 
750
            (ctypes.util.find_library("c")).if_nametoindex
852
751
    except (OSError, AttributeError):
853
752
        if "struct" not in sys.modules:
854
753
            import struct
896
795
                      help="Address to listen for requests on")
897
796
    parser.add_option("-p", "--port", type="int",
898
797
                      help="Port number to receive requests on")
899
 
    parser.add_option("--check", action="store_true",
 
798
    parser.add_option("--check", action="store_true", default=False,
900
799
                      help="Run self-test")
901
800
    parser.add_option("--debug", action="store_true",
902
801
                      help="Debug mode; run in foreground and log to"
909
808
                      default="/etc/mandos", metavar="DIR",
910
809
                      help="Directory to search for configuration"
911
810
                      " files")
912
 
    parser.add_option("--no-dbus", action="store_false",
913
 
                      dest="use_dbus",
914
 
                      help="Do not provide D-Bus system bus"
915
 
                      " interface")
916
811
    options = parser.parse_args()[0]
917
812
    
918
813
    if options.check:
928
823
                        "priority":
929
824
                        "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
930
825
                        "servicename": "Mandos",
931
 
                        "use_dbus": "True",
932
826
                        }
933
827
    
934
828
    # Parse config file for server-global settings
937
831
    server_config.read(os.path.join(options.configdir, "mandos.conf"))
938
832
    # Convert the SafeConfigParser object to a dict
939
833
    server_settings = server_config.defaults()
940
 
    # Use getboolean on the boolean config options
941
 
    server_settings["debug"] = (server_config.getboolean
942
 
                                ("DEFAULT", "debug"))
943
 
    server_settings["use_dbus"] = (server_config.getboolean
944
 
                                   ("DEFAULT", "use_dbus"))
 
834
    # Use getboolean on the boolean config option
 
835
    server_settings["debug"] = server_config.getboolean\
 
836
                               ("DEFAULT", "debug")
945
837
    del server_config
946
838
    
947
839
    # Override the settings from the config file with command line
948
840
    # options, if set.
949
841
    for option in ("interface", "address", "port", "debug",
950
 
                   "priority", "servicename", "configdir",
951
 
                   "use_dbus"):
 
842
                   "priority", "servicename", "configdir"):
952
843
        value = getattr(options, option)
953
844
        if value is not None:
954
845
            server_settings[option] = value
955
846
    del options
956
847
    # Now we have our good server settings in "server_settings"
957
848
    
958
 
    # For convenience
959
849
    debug = server_settings["debug"]
960
 
    use_dbus = server_settings["use_dbus"]
961
850
    
962
851
    if not debug:
963
852
        syslogger.setLevel(logging.WARNING)
964
853
        console.setLevel(logging.WARNING)
965
854
    
966
855
    if server_settings["servicename"] != "Mandos":
967
 
        syslogger.setFormatter(logging.Formatter
 
856
        syslogger.setFormatter(logging.Formatter\
968
857
                               ('Mandos (%s): %%(levelname)s:'
969
858
                                ' %%(message)s'
970
859
                                % server_settings["servicename"]))
972
861
    # Parse config file with clients
973
862
    client_defaults = { "timeout": "1h",
974
863
                        "interval": "5m",
975
 
                        "checker": "fping -q -- %%(host)s",
 
864
                        "checker": "fping -q -- %(host)s",
976
865
                        "host": "",
977
866
                        }
978
867
    client_config = ConfigParser.SafeConfigParser(client_defaults)
991
880
    except IOError, error:
992
881
        logger.error("Could not open file %r", pidfilename)
993
882
    
994
 
    try:
995
 
        uid = pwd.getpwnam("_mandos").pw_uid
996
 
        gid = pwd.getpwnam("_mandos").pw_gid
997
 
    except KeyError:
998
 
        try:
999
 
            uid = pwd.getpwnam("mandos").pw_uid
1000
 
            gid = pwd.getpwnam("mandos").pw_gid
1001
 
        except KeyError:
1002
 
            try:
1003
 
                uid = pwd.getpwnam("nobody").pw_uid
1004
 
                gid = pwd.getpwnam("nogroup").pw_gid
1005
 
            except KeyError:
1006
 
                uid = 65534
1007
 
                gid = 65534
 
883
    uid = 65534
 
884
    gid = 65534
 
885
    try:
 
886
        uid = pwd.getpwnam("mandos").pw_uid
 
887
    except KeyError:
 
888
        try:
 
889
            uid = pwd.getpwnam("nobody").pw_uid
 
890
        except KeyError:
 
891
            pass
 
892
    try:
 
893
        gid = pwd.getpwnam("mandos").pw_gid
 
894
    except KeyError:
 
895
        try:
 
896
            gid = pwd.getpwnam("nogroup").pw_gid
 
897
        except KeyError:
 
898
            pass
1008
899
    try:
1009
900
        os.setuid(uid)
1010
901
        os.setgid(gid)
1016
907
    service = AvahiService(name = server_settings["servicename"],
1017
908
                           servicetype = "_mandos._tcp", )
1018
909
    if server_settings["interface"]:
1019
 
        service.interface = (if_nametoindex
1020
 
                             (server_settings["interface"]))
 
910
        service.interface = if_nametoindex\
 
911
                            (server_settings["interface"])
1021
912
    
1022
913
    global main_loop
1023
914
    global bus
1030
921
                                           avahi.DBUS_PATH_SERVER),
1031
922
                            avahi.DBUS_INTERFACE_SERVER)
1032
923
    # End of Avahi example code
1033
 
    if use_dbus:
1034
 
        bus_name = dbus.service.BusName(u"org.mandos-system.Mandos",
1035
 
                                        bus)
 
924
    
 
925
    def remove_from_clients(client):
 
926
        clients.remove(client)
 
927
        if not clients:
 
928
            logger.critical(u"No clients left, exiting")
 
929
            sys.exit()
1036
930
    
1037
931
    clients.update(Set(Client(name = section,
 
932
                              stop_hook = remove_from_clients,
1038
933
                              config
1039
 
                              = dict(client_config.items(section)),
1040
 
                              use_dbus = use_dbus)
 
934
                              = dict(client_config.items(section)))
1041
935
                       for section in client_config.sections()))
1042
936
    if not clients:
1043
 
        logger.warning(u"No clients defined")
 
937
        logger.critical(u"No clients defined")
 
938
        sys.exit(1)
1044
939
    
1045
940
    if debug:
1046
941
        # Redirect stdin so all checkers get /dev/null
1078
973
        
1079
974
        while clients:
1080
975
            client = clients.pop()
1081
 
            client.disable_hook = None
1082
 
            client.disable()
 
976
            client.stop_hook = None
 
977
            client.stop()
1083
978
    
1084
979
    atexit.register(cleanup)
1085
980
    
1088
983
    signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1089
984
    signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1090
985
    
1091
 
    if use_dbus:
1092
 
        class MandosServer(dbus.service.Object):
1093
 
            """A D-Bus proxy object"""
1094
 
            def __init__(self):
1095
 
                dbus.service.Object.__init__(self, bus,
1096
 
                                             "/Mandos")
1097
 
            _interface = u"org.mandos_system.Mandos"
1098
 
 
1099
 
            @dbus.service.signal(_interface, signature="oa{sv}")
1100
 
            def ClientAdded(self, objpath, properties):
1101
 
                "D-Bus signal"
1102
 
                pass
1103
 
 
1104
 
            @dbus.service.signal(_interface, signature="o")
1105
 
            def ClientRemoved(self, objpath):
1106
 
                "D-Bus signal"
1107
 
                pass
1108
 
 
1109
 
            @dbus.service.method(_interface, out_signature="ao")
1110
 
            def GetAllClients(self):
1111
 
                return dbus.Array(c.dbus_object_path for c in clients)
1112
 
 
1113
 
            @dbus.service.method(_interface, out_signature="a{oa{sv}}")
1114
 
            def GetAllClientsWithProperties(self):
1115
 
                return dbus.Dictionary(
1116
 
                    ((c.dbus_object_path, c.GetAllProperties())
1117
 
                     for c in clients),
1118
 
                    signature="oa{sv}")
1119
 
 
1120
 
            @dbus.service.method(_interface, in_signature="o")
1121
 
            def RemoveClient(self, object_path):
1122
 
                for c in clients:
1123
 
                    if c.dbus_object_path == object_path:
1124
 
                        clients.remove(c)
1125
 
                        # Don't signal anything except ClientRemoved
1126
 
                        c.use_dbus = False
1127
 
                        c.disable()
1128
 
                        # Emit D-Bus signal
1129
 
                        self.ClientRemoved(object_path)
1130
 
                        return
1131
 
                raise KeyError
1132
 
            @dbus.service.method(_interface)
1133
 
            def Quit(self):
1134
 
                main_loop.quit()
1135
 
 
1136
 
            del _interface
1137
 
    
1138
 
        mandos_server = MandosServer()
1139
 
    
1140
986
    for client in clients:
1141
 
        if use_dbus:
1142
 
            # Emit D-Bus signal
1143
 
            mandos_server.ClientAdded(client.dbus_object_path,
1144
 
                                      client.GetAllProperties())
1145
 
        client.enable()
 
987
        client.start()
1146
988
    
1147
989
    tcp_server.enable()
1148
990
    tcp_server.server_activate()
1166
1008
        
1167
1009
        gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1168
1010
                             lambda *args, **kwargs:
1169
 
                             (tcp_server.handle_request
1170
 
                              (*args[2:], **kwargs) or True))
 
1011
                             tcp_server.handle_request\
 
1012
                             (*args[2:], **kwargs) or True)
1171
1013
        
1172
1014
        logger.debug(u"Starting main loop")
1173
1015
        main_loop.run()
1174
1016
    except AvahiError, error:
1175
 
        logger.critical(u"AvahiError: %s", error)
 
1017
        logger.critical(u"AvahiError: %s" + unicode(error))
1176
1018
        sys.exit(1)
1177
1019
    except KeyboardInterrupt:
1178
1020
        if debug: