To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.1.1
- compare with another revision
- download diff
- download tarball
- view history from revision 237.1.1
- Committer: Teddy Hogeborn
- Date: 2008-11-09 06:40:29 UTC
- mto: (24.1.113 mandos) (237.2.1 mandos)
- mto: This revision was merged to the branch mainline in revision 238.
- Revision ID: teddy@fukt.bsnet.se-20081109064029-df71jpoce308cq3v
First steps of a D-Bus interface to the server.
* mandos: Also import "dbus.service".
(Client): Inherit from "dbus.service.Object", which is a new-style
class, so inheriting from "object" is no longer necessary.
(Client.interface): New temporary variable which only exists during
class definition.
(Client.getName, Client.getFingerprint): New D-Bus getter methods.
(Client.setSecret): New D-Bus setter method.
(Client._set_timeout): Emit D-Bus signal "TimeoutChanged".
(Client.getTimeout): New D-Bus getter method.
(Client.TimeoutChanged): New D-Bus signal.
(Client._set_interval): Emit D-Bus signal "IntervalChanged".
(Client.getInterval): New D-Bus getter method.
(Client.intervalChanged): New D-Bus signal.
(Client.__init__): Also call "dbus.service.Object.__init__".
(Client.started): New boolean attribute.
(Client.start, Client.stop): Update "self.started", and emit D-Bus
signal "StateChanged".
(Client.StateChanged): New D-Bus signal.
(Client.stop): Use "self.started" instead of misusing "self.secret".
Also simplify code by using "getattr" instead of
"hasattr".
(Client.checker_callback): Emit D-Bus signal "CheckerCompleted".
(Client.CheckerCompleted): New D-Bus signal.
(Client.bumpTimeout): D-Bus method name for "bump_timeout".
(Client.start_checker): Emit D-Bus signal "CheckerStarted".
(Client.CheckerStarted): New D-Bus signal.
(Client.checkerIsRunning): New D-Bus method.
(Client.StopChecker): D-Bus method name for "stop_checker".
(Client.still_valid): First check "self.started".
(Client.stillValid): D-Bus method name for "still_valid".
* mandos: Also import "dbus.service".
(Client): Inherit from "dbus.service.Object", which is a new-style
class, so inheriting from "object" is no longer necessary.
(Client.interface): New temporary variable which only exists during
class definition.
(Client.getName, Client.getFingerprint): New D-Bus getter methods.
(Client.setSecret): New D-Bus setter method.
(Client._set_timeout): Emit D-Bus signal "TimeoutChanged".
(Client.getTimeout): New D-Bus getter method.
(Client.TimeoutChanged): New D-Bus signal.
(Client._set_interval): Emit D-Bus signal "IntervalChanged".
(Client.getInterval): New D-Bus getter method.
(Client.intervalChanged): New D-Bus signal.
(Client.__init__): Also call "dbus.service.Object.__init__".
(Client.started): New boolean attribute.
(Client.start, Client.stop): Update "self.started", and emit D-Bus
signal "StateChanged".
(Client.StateChanged): New D-Bus signal.
(Client.stop): Use "self.started" instead of misusing "self.secret".
Also simplify code by using "getattr" instead of
"hasattr".
(Client.checker_callback): Emit D-Bus signal "CheckerCompleted".
(Client.CheckerCompleted): New D-Bus signal.
(Client.bumpTimeout): D-Bus method name for "bump_timeout".
(Client.start_checker): Emit D-Bus signal "CheckerStarted".
(Client.CheckerStarted): New D-Bus signal.
(Client.checkerIsRunning): New D-Bus method.
(Client.StopChecker): D-Bus method name for "stop_checker".
(Client.still_valid): First check "self.started".
(Client.stillValid): D-Bus method name for "still_valid".
- files added:
- debian/mandos-client.config
- files removed:
- dbus-mandos.conf
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008 Teddy Hogeborn & Björn Påhlsson
16
15
#
17
16
# This program is free software: you can redistribute it and/or modify
18
17
# it under the terms of the GNU General Public License as published by
33
32
34
33
from __future__ import division, with_statement, absolute_import
35
34
36
import SocketServer as socketserver
35
import SocketServer
37
36
import socket
38
import optparse
37
from optparse import OptionParser
39
38
import datetime
40
39
import errno
41
40
import gnutls.crypto
44
43
import gnutls.library.functions
45
44
import gnutls.library.constants
46
45
import gnutls.library.types
47
import ConfigParser as configparser
46
import ConfigParser
48
47
import sys
49
48
import re
50
49
import os
51
50
import signal
51
from sets import Set
52
52
import subprocess
53
53
import atexit
54
54
import stat
55
55
import logging
56
56
import logging.handlers
57
57
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import multiprocessing
58
from contextlib import closing
64
59
65
60
import dbus
66
61
import dbus.service
69
64
from dbus.mainloop.glib import DBusGMainLoop
70
65
import ctypes
71
66
import ctypes.util
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
88
syslogger = (logging.handlers.SysLogHandler
89
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
90
address = "/dev/log"))
91
syslogger.setFormatter(logging.Formatter
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
67
68
version = "1.0.2"
69
70
logger = logging.Logger('mandos')
71
syslogger = logging.handlers.SysLogHandler\
72
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
73
address = "/dev/log")
74
syslogger.setFormatter(logging.Formatter\
75
('Mandos: %(levelname)s: %(message)s'))
94
76
logger.addHandler(syslogger)
95
77
96
78
console = logging.StreamHandler()
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
79
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
80
' %(message)s'))
100
81
logger.addHandler(console)
101
82
102
83
class AvahiError(Exception):
103
def __init__(self, value, *args, **kwargs):
84
def __init__(self, value):
104
85
self.value = value
105
super(AvahiError, self).__init__(value, *args, **kwargs)
106
def __unicode__(self):
107
return unicode(repr(self.value))
86
super(AvahiError, self).__init__()
87
def __str__(self):
88
return repr(self.value)
108
89
109
90
class AvahiServiceError(AvahiError):
110
91
pass
115
96
116
97
class AvahiService(object):
117
98
"""An Avahi (Zeroconf) service.
118
119
99
Attributes:
120
100
interface: integer; avahi.IF_UNSPEC or an interface index.
121
101
Used to optionally bind to the specified interface.
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
102
name: string; Example: 'Mandos'
103
type: string; Example: '_mandos._tcp'.
124
104
See <http://www.dns-sd.org/ServiceTypes.html>
125
105
port: integer; what port to announce
126
106
TXT: list of strings; TXT record for the service
129
109
max_renames: integer; maximum number of renames
130
110
rename_count: integer; counter so we only rename after collisions
131
111
a sensible number of times
132
group: D-Bus Entry Group
133
server: D-Bus Server
134
bus: dbus.SystemBus()
135
112
"""
136
113
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
137
servicetype = None, port = None, TXT = None,
138
domain = u"", host = u"", max_renames = 32768,
139
protocol = avahi.PROTO_UNSPEC, bus = None):
114
servicetype = None, port = None, TXT = None, domain = "",
115
host = "", max_renames = 32768):
140
116
self.interface = interface
141
117
self.name = name
142
118
self.type = servicetype
143
119
self.port = port
144
self.TXT = TXT if TXT is not None else []
120
if TXT is None:
121
self.TXT = []
122
else:
123
self.TXT = TXT
145
124
self.domain = domain
146
125
self.host = host
147
126
self.rename_count = 0
148
127
self.max_renames = max_renames
149
self.protocol = protocol
150
self.group = None # our entry group
151
self.server = None
152
self.bus = bus
153
128
def rename(self):
154
129
"""Derived from the Avahi example code"""
155
130
if self.rename_count >= self.max_renames:
156
131
logger.critical(u"No suitable Zeroconf service name found"
157
132
u" after %i retries, exiting.",
158
133
self.rename_count)
159
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
134
raise AvahiServiceError("Too many renames")
135
self.name = server.GetAlternativeServiceName(self.name)
161
136
logger.info(u"Changing Zeroconf service name to %r ...",
162
self.name)
163
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
166
% self.name))
137
str(self.name))
138
syslogger.setFormatter(logging.Formatter\
139
('Mandos (%s): %%(levelname)s:'
140
' %%(message)s' % self.name))
167
141
self.remove()
168
142
self.add()
169
143
self.rename_count += 1
170
144
def remove(self):
171
145
"""Derived from the Avahi example code"""
172
if self.group is not None:
173
self.group.Reset()
146
if group is not None:
147
group.Reset()
174
148
def add(self):
175
149
"""Derived from the Avahi example code"""
176
if self.group is None:
177
self.group = dbus.Interface(
178
self.bus.get_object(avahi.DBUS_NAME,
179
self.server.EntryGroupNew()),
180
avahi.DBUS_INTERFACE_ENTRY_GROUP)
181
self.group.connect_to_signal('StateChanged',
182
self
183
.entry_group_state_changed)
150
global group
151
if group is None:
152
group = dbus.Interface\
153
(bus.get_object(avahi.DBUS_NAME,
154
server.EntryGroupNew()),
155
avahi.DBUS_INTERFACE_ENTRY_GROUP)
156
group.connect_to_signal('StateChanged',
157
entry_group_state_changed)
184
158
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
185
self.name, self.type)
186
self.group.AddService(
187
self.interface,
188
self.protocol,
189
dbus.UInt32(0), # flags
190
self.name, self.type,
191
self.domain, self.host,
192
dbus.UInt16(self.port),
193
avahi.string_array_to_txt_array(self.TXT))
194
self.group.Commit()
195
def entry_group_state_changed(self, state, error):
196
"""Derived from the Avahi example code"""
197
logger.debug(u"Avahi state change: %i", state)
198
199
if state == avahi.ENTRY_GROUP_ESTABLISHED:
200
logger.debug(u"Zeroconf service established.")
201
elif state == avahi.ENTRY_GROUP_COLLISION:
202
logger.warning(u"Zeroconf service name collision.")
203
self.rename()
204
elif state == avahi.ENTRY_GROUP_FAILURE:
205
logger.critical(u"Avahi: Error in group state changed %s",
206
unicode(error))
207
raise AvahiGroupError(u"State changed: %s"
208
% unicode(error))
209
def cleanup(self):
210
"""Derived from the Avahi example code"""
211
if self.group is not None:
212
self.group.Free()
213
self.group = None
214
def server_state_changed(self, state):
215
"""Derived from the Avahi example code"""
216
if state == avahi.SERVER_COLLISION:
217
logger.error(u"Zeroconf server name collision")
218
self.remove()
219
elif state == avahi.SERVER_RUNNING:
220
self.add()
221
def activate(self):
222
"""Derived from the Avahi example code"""
223
if self.server is None:
224
self.server = dbus.Interface(
225
self.bus.get_object(avahi.DBUS_NAME,
226
avahi.DBUS_PATH_SERVER),
227
avahi.DBUS_INTERFACE_SERVER)
228
self.server.connect_to_signal(u"StateChanged",
229
self.server_state_changed)
230
self.server_state_changed(self.server.GetState())
231
232
233
class Client(object):
159
service.name, service.type)
160
group.AddService(
161
self.interface, # interface
162
avahi.PROTO_INET6, # protocol
163
dbus.UInt32(0), # flags
164
self.name, self.type,
165
self.domain, self.host,
166
dbus.UInt16(self.port),
167
avahi.string_array_to_txt_array(self.TXT))
168
group.Commit()
169
170
# From the Avahi example code:
171
group = None # our entry group
172
# End of Avahi example code
173
174
175
class Client(dbus.service.Object):
234
176
"""A representation of a client host served by this server.
235
236
177
Attributes:
237
name: string; from the config file, used in log messages and
238
D-Bus identifiers
178
name: string; from the config file, used in log messages
239
179
fingerprint: string (40 or 32 hexadecimal digits); used to
240
180
uniquely identify the client
241
secret: bytestring; sent verbatim (over TLS) to client
242
host: string; available for use by the checker command
243
created: datetime.datetime(); (UTC) object creation
244
last_enabled: datetime.datetime(); (UTC)
245
enabled: bool()
246
last_checked_ok: datetime.datetime(); (UTC) or None
247
timeout: datetime.timedelta(); How long from last_checked_ok
248
until this client is disabled
249
interval: datetime.timedelta(); How often to start a new checker
250
disable_hook: If set, called by disable() as disable_hook(self)
251
checker: subprocess.Popen(); a running checker process used
252
to see if the client lives.
253
'None' if no process is running.
181
secret: bytestring; sent verbatim (over TLS) to client
182
host: string; available for use by the checker command
183
created: datetime.datetime(); object creation, not client host
184
started: bool()
185
last_checked_ok: datetime.datetime() or None if not yet checked OK
186
timeout: datetime.timedelta(); How long from last_checked_ok
187
until this client is invalid
188
interval: datetime.timedelta(); How often to start a new checker
189
stop_hook: If set, called by stop() as stop_hook(self)
190
checker: subprocess.Popen(); a running checker process used
191
to see if the client lives.
192
'None' if no process is running.
254
193
checker_initiator_tag: a gobject event source tag, or None
255
disable_initiator_tag: - '' -
194
stop_initiator_tag: - '' -
256
195
checker_callback_tag: - '' -
257
196
checker_command: string; External command which is run to check if
258
197
client lives. %() expansions are done at
259
198
runtime with vars(self) as dict, so that for
260
199
instance %(name)s can be used in the command.
261
current_checker_command: string; current running checker_command
262
approved_delay: datetime.timedelta(); Time to wait for approval
263
_approved: bool(); 'None' if not yet approved/disapproved
264
approved_duration: datetime.timedelta(); Duration of one approval
200
Private attibutes:
201
_timeout: Real variable for 'timeout'
202
_interval: Real variable for 'interval'
203
_timeout_milliseconds: Used when calling gobject.timeout_add()
204
_interval_milliseconds: - '' -
265
205
"""
266
267
@staticmethod
268
def _timedelta_to_milliseconds(td):
269
"Convert a datetime.timedelta() to milliseconds"
270
return ((td.days * 24 * 60 * 60 * 1000)
271
+ (td.seconds * 1000)
272
+ (td.microseconds // 1000))
273
274
def timeout_milliseconds(self):
275
"Return the 'timeout' attribute in milliseconds"
276
return self._timedelta_to_milliseconds(self.timeout)
277
278
def interval_milliseconds(self):
279
"Return the 'interval' attribute in milliseconds"
280
return self._timedelta_to_milliseconds(self.interval)
281
282
def approved_delay_milliseconds(self):
283
return self._timedelta_to_milliseconds(self.approved_delay)
284
285
def __init__(self, name = None, disable_hook=None, config=None):
206
interface = u"org.mandos_system.Mandos.Clients"
207
208
@dbus.service.method(interface, out_signature="s")
209
def getName(self):
210
"D-Bus getter method"
211
return self.name
212
213
@dbus.service.method(interface, out_signature="s")
214
def getFingerprint(self):
215
"D-Bus getter method"
216
return self.fingerprint
217
218
@dbus.service.method(interface, in_signature="ay",
219
byte_arrays=True)
220
def setSecret(self, secret):
221
"D-Bus setter method"
222
self.secret = secret
223
224
def _set_timeout(self, timeout):
225
"Setter function for the 'timeout' attribute"
226
self._timeout = timeout
227
self._timeout_milliseconds = ((self.timeout.days
228
* 24 * 60 * 60 * 1000)
229
+ (self.timeout.seconds * 1000)
230
+ (self.timeout.microseconds
231
// 1000))
232
# Emit D-Bus signal
233
self.TimeoutChanged(self._timeout_milliseconds)
234
timeout = property(lambda self: self._timeout, _set_timeout)
235
del _set_timeout
236
237
@dbus.service.method(interface, out_signature="t")
238
def getTimeout(self):
239
"D-Bus getter method"
240
return self._timeout_milliseconds
241
242
@dbus.service.signal(interface, signature="t")
243
def TimeoutChanged(self, t):
244
"D-Bus signal"
245
pass
246
247
def _set_interval(self, interval):
248
"Setter function for the 'interval' attribute"
249
self._interval = interval
250
self._interval_milliseconds = ((self.interval.days
251
* 24 * 60 * 60 * 1000)
252
+ (self.interval.seconds
253
* 1000)
254
+ (self.interval.microseconds
255
// 1000))
256
# Emit D-Bus signal
257
self.IntervalChanged(self._interval_milliseconds)
258
interval = property(lambda self: self._interval, _set_interval)
259
del _set_interval
260
261
@dbus.service.method(interface, out_signature="t")
262
def getInterval(self):
263
"D-Bus getter method"
264
return self._interval_milliseconds
265
266
@dbus.service.signal(interface, signature="t")
267
def IntervalChanged(self, t):
268
"D-Bus signal"
269
pass
270
271
def __init__(self, name = None, stop_hook=None, config=None):
286
272
"""Note: the 'checker' key in 'config' sets the
287
273
'checker_command' attribute and *not* the 'checker'
288
274
attribute."""
289
self.name = name
275
dbus.service.Object.__init__(self, bus,
276
"/Mandos/Clients/%s"
277
% name.replace(".", "_"))
290
278
if config is None:
291
279
config = {}
280
self.name = name
292
281
logger.debug(u"Creating client %r", self.name)
293
282
# Uppercase and remove spaces from fingerprint for later
294
283
# comparison purposes with return value from the fingerprint()
295
284
# function
296
self.fingerprint = (config[u"fingerprint"].upper()
297
.replace(u" ", u""))
285
self.fingerprint = config["fingerprint"].upper()\
286
.replace(u" ", u"")
298
287
logger.debug(u" Fingerprint: %s", self.fingerprint)
299
if u"secret" in config:
300
self.secret = config[u"secret"].decode(u"base64")
301
elif u"secfile" in config:
302
with open(os.path.expanduser(os.path.expandvars
303
(config[u"secfile"])),
304
"rb") as secfile:
288
if "secret" in config:
289
self.secret = config["secret"].decode(u"base64")
290
elif "secfile" in config:
291
with closing(open(os.path.expanduser
292
(os.path.expandvars
293
(config["secfile"])))) \
294
as secfile:
305
295
self.secret = secfile.read()
306
296
else:
307
297
raise TypeError(u"No secret or secfile for client %s"
308
298
% self.name)
309
self.host = config.get(u"host", u"")
310
self.created = datetime.datetime.utcnow()
311
self.enabled = False
312
self.last_enabled = None
299
self.host = config.get("host", "")
300
self.created = datetime.datetime.now()
301
self.started = False
313
302
self.last_checked_ok = None
314
self.timeout = string_to_delta(config[u"timeout"])
315
self.interval = string_to_delta(config[u"interval"])
316
self.disable_hook = disable_hook
303
self.timeout = string_to_delta(config["timeout"])
304
self.interval = string_to_delta(config["interval"])
305
self.stop_hook = stop_hook
317
306
self.checker = None
318
307
self.checker_initiator_tag = None
319
self.disable_initiator_tag = None
308
self.stop_initiator_tag = None
320
309
self.checker_callback_tag = None
321
self.checker_command = config[u"checker"]
322
self.current_checker_command = None
323
self.last_connect = None
324
self._approved = None
325
self.approved_by_default = config.get(u"approved_by_default",
326
True)
327
self.approvals_pending = 0
328
self.approved_delay = string_to_delta(
329
config[u"approved_delay"])
330
self.approved_duration = string_to_delta(
331
config[u"approved_duration"])
332
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
310
self.check_command = config["checker"]
333
311
334
def send_changedstate(self):
335
self.changedstate.acquire()
336
self.changedstate.notify_all()
337
self.changedstate.release()
338
339
def enable(self):
312
def start(self):
340
313
"""Start this client's checker and timeout hooks"""
341
if getattr(self, u"enabled", False):
342
# Already enabled
343
return
344
self.send_changedstate()
345
self.last_enabled = datetime.datetime.utcnow()
314
self.started = True
346
315
# Schedule a new checker to be started an 'interval' from now,
347
316
# and every interval from then on.
348
self.checker_initiator_tag = (gobject.timeout_add
349
(self.interval_milliseconds(),
350
self.start_checker))
351
# Schedule a disable() when 'timeout' has passed
352
self.disable_initiator_tag = (gobject.timeout_add
353
(self.timeout_milliseconds(),
354
self.disable))
355
self.enabled = True
317
self.checker_initiator_tag = gobject.timeout_add\
318
(self._interval_milliseconds,
319
self.start_checker)
356
320
# Also start a new checker *right now*.
357
321
self.start_checker()
358
359
def disable(self, quiet=True):
360
"""Disable this client."""
361
if not getattr(self, "enabled", False):
322
# Schedule a stop() when 'timeout' has passed
323
self.stop_initiator_tag = gobject.timeout_add\
324
(self._timeout_milliseconds,
325
self.stop)
326
# Emit D-Bus signal
327
self.StateChanged(True)
328
329
@dbus.service.signal(interface, signature="b")
330
def StateChanged(self, started):
331
"D-Bus signal"
332
pass
333
334
def stop(self):
335
"""Stop this client."""
336
if getattr(self, "started", False):
337
logger.info(u"Stopping client %s", self.name)
338
else:
362
339
return False
363
if not quiet:
364
self.send_changedstate()
365
if not quiet:
366
logger.info(u"Disabling client %s", self.name)
367
if getattr(self, u"disable_initiator_tag", False):
368
gobject.source_remove(self.disable_initiator_tag)
369
self.disable_initiator_tag = None
370
if getattr(self, u"checker_initiator_tag", False):
340
if getattr(self, "stop_initiator_tag", False):
341
gobject.source_remove(self.stop_initiator_tag)
342
self.stop_initiator_tag = None
343
if getattr(self, "checker_initiator_tag", False):
371
344
gobject.source_remove(self.checker_initiator_tag)
372
345
self.checker_initiator_tag = None
373
346
self.stop_checker()
374
if self.disable_hook:
375
self.disable_hook(self)
376
self.enabled = False
347
if self.stop_hook:
348
self.stop_hook(self)
349
# Emit D-Bus signal
350
self.StateChanged(False)
377
351
# Do not run this again if called by a gobject.timeout_add
378
352
return False
353
# D-Bus variant
354
Stop = dbus.service.method(interface)(stop)
379
355
380
356
def __del__(self):
381
self.disable_hook = None
382
self.disable()
357
self.stop_hook = None
358
self.stop()
383
359
384
def checker_callback(self, pid, condition, command):
360
def checker_callback(self, pid, condition):
385
361
"""The checker has completed, so take appropriate actions."""
386
362
self.checker_callback_tag = None
387
363
self.checker = None
388
if os.WIFEXITED(condition):
389
exitstatus = os.WEXITSTATUS(condition)
390
if exitstatus == 0:
391
logger.info(u"Checker for %(name)s succeeded",
392
vars(self))
393
self.checked_ok()
394
else:
395
logger.info(u"Checker for %(name)s failed",
396
vars(self))
397
else:
364
if os.WIFEXITED(condition) \
365
and (os.WEXITSTATUS(condition) == 0):
366
logger.info(u"Checker for %(name)s succeeded",
367
vars(self))
368
# Emit D-Bus signal
369
self.CheckerCompleted(True)
370
self.bump_timeout()
371
elif not os.WIFEXITED(condition):
398
372
logger.warning(u"Checker for %(name)s crashed?",
399
373
vars(self))
400
401
def checked_ok(self):
374
# Emit D-Bus signal
375
self.CheckerCompleted(False)
376
else:
377
logger.info(u"Checker for %(name)s failed",
378
vars(self))
379
# Emit D-Bus signal
380
self.CheckerCompleted(False)
381
382
@dbus.service.signal(interface, signature="b")
383
def CheckerCompleted(self, success):
384
"D-Bus signal"
385
pass
386
387
def bump_timeout(self):
402
388
"""Bump up the timeout for this client.
403
404
389
This should only be called when the client has been seen,
405
390
alive and well.
406
391
"""
407
self.last_checked_ok = datetime.datetime.utcnow()
408
gobject.source_remove(self.disable_initiator_tag)
409
self.disable_initiator_tag = (gobject.timeout_add
410
(self.timeout_milliseconds(),
411
self.disable))
392
self.last_checked_ok = datetime.datetime.now()
393
gobject.source_remove(self.stop_initiator_tag)
394
self.stop_initiator_tag = gobject.timeout_add\
395
(self._timeout_milliseconds, self.stop)
396
# D-Bus variant
397
bumpTimeout = dbus.service.method(interface)(bump_timeout)
412
398
413
399
def start_checker(self):
414
400
"""Start a new checker subprocess if one is not running.
415
416
401
If a checker already exists, leave it running and do
417
402
nothing."""
418
403
# The reason for not killing a running checker is that if we
421
406
# client would inevitably timeout, since no checker would get
422
407
# a chance to run to completion. If we instead leave running
423
408
# checkers alone, the checker would have to take more time
424
# than 'timeout' for the client to be disabled, which is as it
425
# should be.
426
427
# If a checker exists, make sure it is not a zombie
428
try:
429
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
430
except (AttributeError, OSError), error:
431
if (isinstance(error, OSError)
432
and error.errno != errno.ECHILD):
433
raise error
434
else:
435
if pid:
436
logger.warning(u"Checker was a zombie")
437
gobject.source_remove(self.checker_callback_tag)
438
self.checker_callback(pid, status,
439
self.current_checker_command)
440
# Start a new checker if needed
409
# than 'timeout' for the client to be declared invalid, which
410
# is as it should be.
441
411
if self.checker is None:
442
412
try:
443
# In case checker_command has exactly one % operator
444
command = self.checker_command % self.host
413
# In case check_command has exactly one % operator
414
command = self.check_command % self.host
445
415
except TypeError:
446
416
# Escape attributes for the shell
447
escaped_attrs = dict((key,
448
re.escape(unicode(str(val),
449
errors=
450
u'replace')))
417
escaped_attrs = dict((key, re.escape(str(val)))
451
418
for key, val in
452
419
vars(self).iteritems())
453
420
try:
454
command = self.checker_command % escaped_attrs
421
command = self.check_command % escaped_attrs
455
422
except TypeError, error:
456
423
logger.error(u'Could not format string "%s":'
457
u' %s', self.checker_command, error)
424
u' %s', self.check_command, error)
458
425
return True # Try again later
459
self.current_checker_command = command
460
426
try:
461
427
logger.info(u"Starting checker %r for %s",
462
428
command, self.name)
466
432
# always replaced by /dev/null.)
467
433
self.checker = subprocess.Popen(command,
468
434
close_fds=True,
469
shell=True, cwd=u"/")
470
self.checker_callback_tag = (gobject.child_watch_add
471
(self.checker.pid,
472
self.checker_callback,
473
data=command))
474
# The checker may have completed before the gobject
475
# watch was added. Check for this.
476
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
477
if pid:
478
gobject.source_remove(self.checker_callback_tag)
479
self.checker_callback(pid, status, command)
435
shell=True, cwd="/")
436
self.checker_callback_tag = gobject.child_watch_add\
437
(self.checker.pid,
438
self.checker_callback)
439
# Emit D-Bus signal
440
self.CheckerStarted(command)
480
441
except OSError, error:
481
442
logger.error(u"Failed to start subprocess: %s",
482
443
error)
483
444
# Re-run this periodically if run by gobject.timeout_add
484
445
return True
485
446
447
@dbus.service.signal(interface, signature="s")
448
def CheckerStarted(self, command):
449
pass
450
451
@dbus.service.method(interface, out_signature="b")
452
def checkerIsRunning(self):
453
"D-Bus getter method"
454
return self.checker is not None
455
486
456
def stop_checker(self):
487
457
"""Force the checker process, if any, to stop."""
488
458
if self.checker_callback_tag:
489
459
gobject.source_remove(self.checker_callback_tag)
490
460
self.checker_callback_tag = None
491
if getattr(self, u"checker", None) is None:
461
if getattr(self, "checker", None) is None:
492
462
return
493
463
logger.debug(u"Stopping checker for %(name)s", vars(self))
494
464
try:
495
465
os.kill(self.checker.pid, signal.SIGTERM)
496
#time.sleep(0.5)
466
#os.sleep(0.5)
497
467
#if self.checker.poll() is None:
498
468
# os.kill(self.checker.pid, signal.SIGKILL)
499
469
except OSError, error:
500
470
if error.errno != errno.ESRCH: # No such process
501
471
raise
502
472
self.checker = None
503
504
def dbus_service_property(dbus_interface, signature=u"v",
505
access=u"readwrite", byte_arrays=False):
506
"""Decorators for marking methods of a DBusObjectWithProperties to
507
become properties on the D-Bus.
508
509
The decorated method will be called with no arguments by "Get"
510
and with one argument by "Set".
511
512
The parameters, where they are supported, are the same as
513
dbus.service.method, except there is only "signature", since the
514
type from Get() and the type sent to Set() is the same.
515
"""
516
# Encoding deeply encoded byte arrays is not supported yet by the
517
# "Set" method, so we fail early here:
518
if byte_arrays and signature != u"ay":
519
raise ValueError(u"Byte arrays not supported for non-'ay'"
520
u" signature %r" % signature)
521
def decorator(func):
522
func._dbus_is_property = True
523
func._dbus_interface = dbus_interface
524
func._dbus_signature = signature
525
func._dbus_access = access
526
func._dbus_name = func.__name__
527
if func._dbus_name.endswith(u"_dbus_property"):
528
func._dbus_name = func._dbus_name[:-14]
529
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
530
return func
531
return decorator
532
533
534
class DBusPropertyException(dbus.exceptions.DBusException):
535
"""A base class for D-Bus property-related exceptions
536
"""
537
def __unicode__(self):
538
return unicode(str(self))
539
540
541
class DBusPropertyAccessException(DBusPropertyException):
542
"""A property's access permissions disallows an operation.
543
"""
544
pass
545
546
547
class DBusPropertyNotFound(DBusPropertyException):
548
"""An attempt was made to access a non-existing property.
549
"""
550
pass
551
552
553
class DBusObjectWithProperties(dbus.service.Object):
554
"""A D-Bus object with properties.
555
556
Classes inheriting from this can use the dbus_service_property
557
decorator to expose methods as D-Bus properties. It exposes the
558
standard Get(), Set(), and GetAll() methods on the D-Bus.
559
"""
560
561
@staticmethod
562
def _is_dbus_property(obj):
563
return getattr(obj, u"_dbus_is_property", False)
564
565
def _get_all_dbus_properties(self):
566
"""Returns a generator of (name, attribute) pairs
567
"""
568
return ((prop._dbus_name, prop)
569
for name, prop in
570
inspect.getmembers(self, self._is_dbus_property))
571
572
def _get_dbus_property(self, interface_name, property_name):
573
"""Returns a bound method if one exists which is a D-Bus
574
property with the specified name and interface.
575
"""
576
for name in (property_name,
577
property_name + u"_dbus_property"):
578
prop = getattr(self, name, None)
579
if (prop is None
580
or not self._is_dbus_property(prop)
581
or prop._dbus_name != property_name
582
or (interface_name and prop._dbus_interface
583
and interface_name != prop._dbus_interface)):
584
continue
585
return prop
586
# No such property
587
raise DBusPropertyNotFound(self.dbus_object_path + u":"
588
+ interface_name + u"."
589
+ property_name)
590
591
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
592
out_signature=u"v")
593
def Get(self, interface_name, property_name):
594
"""Standard D-Bus property Get() method, see D-Bus standard.
595
"""
596
prop = self._get_dbus_property(interface_name, property_name)
597
if prop._dbus_access == u"write":
598
raise DBusPropertyAccessException(property_name)
599
value = prop()
600
if not hasattr(value, u"variant_level"):
601
return value
602
return type(value)(value, variant_level=value.variant_level+1)
603
604
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
605
def Set(self, interface_name, property_name, value):
606
"""Standard D-Bus property Set() method, see D-Bus standard.
607
"""
608
prop = self._get_dbus_property(interface_name, property_name)
609
if prop._dbus_access == u"read":
610
raise DBusPropertyAccessException(property_name)
611
if prop._dbus_get_args_options[u"byte_arrays"]:
612
# The byte_arrays option is not supported yet on
613
# signatures other than "ay".
614
if prop._dbus_signature != u"ay":
615
raise ValueError
616
value = dbus.ByteArray(''.join(unichr(byte)
617
for byte in value))
618
prop(value)
619
620
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
621
out_signature=u"a{sv}")
622
def GetAll(self, interface_name):
623
"""Standard D-Bus property GetAll() method, see D-Bus
624
standard.
625
626
Note: Will not include properties with access="write".
627
"""
628
all = {}
629
for name, prop in self._get_all_dbus_properties():
630
if (interface_name
631
and interface_name != prop._dbus_interface):
632
# Interface non-empty but did not match
633
continue
634
# Ignore write-only properties
635
if prop._dbus_access == u"write":
636
continue
637
value = prop()
638
if not hasattr(value, u"variant_level"):
639
all[name] = value
640
continue
641
all[name] = type(value)(value, variant_level=
642
value.variant_level+1)
643
return dbus.Dictionary(all, signature=u"sv")
644
645
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
646
out_signature=u"s",
647
path_keyword='object_path',
648
connection_keyword='connection')
649
def Introspect(self, object_path, connection):
650
"""Standard D-Bus method, overloaded to insert property tags.
651
"""
652
xmlstring = dbus.service.Object.Introspect(self, object_path,
653
connection)
654
try:
655
document = xml.dom.minidom.parseString(xmlstring)
656
def make_tag(document, name, prop):
657
e = document.createElement(u"property")
658
e.setAttribute(u"name", name)
659
e.setAttribute(u"type", prop._dbus_signature)
660
e.setAttribute(u"access", prop._dbus_access)
661
return e
662
for if_tag in document.getElementsByTagName(u"interface"):
663
for tag in (make_tag(document, name, prop)
664
for name, prop
665
in self._get_all_dbus_properties()
666
if prop._dbus_interface
667
== if_tag.getAttribute(u"name")):
668
if_tag.appendChild(tag)
669
# Add the names to the return values for the
670
# "org.freedesktop.DBus.Properties" methods
671
if (if_tag.getAttribute(u"name")
672
== u"org.freedesktop.DBus.Properties"):
673
for cn in if_tag.getElementsByTagName(u"method"):
674
if cn.getAttribute(u"name") == u"Get":
675
for arg in cn.getElementsByTagName(u"arg"):
676
if (arg.getAttribute(u"direction")
677
== u"out"):
678
arg.setAttribute(u"name", u"value")
679
elif cn.getAttribute(u"name") == u"GetAll":
680
for arg in cn.getElementsByTagName(u"arg"):
681
if (arg.getAttribute(u"direction")
682
== u"out"):
683
arg.setAttribute(u"name", u"props")
684
xmlstring = document.toxml(u"utf-8")
685
document.unlink()
686
except (AttributeError, xml.dom.DOMException,
687
xml.parsers.expat.ExpatError), error:
688
logger.error(u"Failed to override Introspection method",
689
error)
690
return xmlstring
691
692
693
class ClientDBus(Client, DBusObjectWithProperties):
694
"""A Client class using D-Bus
695
696
Attributes:
697
dbus_object_path: dbus.ObjectPath
698
bus: dbus.SystemBus()
699
"""
700
# dbus.service.Object doesn't use super(), so we can't either.
701
702
def __init__(self, bus = None, *args, **kwargs):
703
self._approvals_pending = 0
704
self.bus = bus
705
Client.__init__(self, *args, **kwargs)
706
# Only now, when this client is initialized, can it show up on
707
# the D-Bus
708
self.dbus_object_path = (dbus.ObjectPath
709
(u"/clients/"
710
+ self.name.replace(u".", u"_")))
711
DBusObjectWithProperties.__init__(self, self.bus,
712
self.dbus_object_path)
713
714
def _get_approvals_pending(self):
715
return self._approvals_pending
716
def _set_approvals_pending(self, value):
717
old_value = self._approvals_pending
718
self._approvals_pending = value
719
bval = bool(value)
720
if (hasattr(self, "dbus_object_path")
721
and bval is not bool(old_value)):
722
dbus_bool = dbus.Boolean(bval, variant_level=1)
723
self.PropertyChanged(dbus.String(u"approved_pending"),
724
dbus_bool)
725
726
approvals_pending = property(_get_approvals_pending,
727
_set_approvals_pending)
728
del _get_approvals_pending, _set_approvals_pending
729
730
@staticmethod
731
def _datetime_to_dbus(dt, variant_level=0):
732
"""Convert a UTC datetime.datetime() to a D-Bus type."""
733
return dbus.String(dt.isoformat(),
734
variant_level=variant_level)
735
736
def enable(self):
737
oldstate = getattr(self, u"enabled", False)
738
r = Client.enable(self)
739
if oldstate != self.enabled:
740
# Emit D-Bus signals
741
self.PropertyChanged(dbus.String(u"enabled"),
742
dbus.Boolean(True, variant_level=1))
743
self.PropertyChanged(
744
dbus.String(u"last_enabled"),
745
self._datetime_to_dbus(self.last_enabled,
746
variant_level=1))
747
return r
748
749
def disable(self, quiet = False):
750
oldstate = getattr(self, u"enabled", False)
751
r = Client.disable(self, quiet=quiet)
752
if not quiet and oldstate != self.enabled:
753
# Emit D-Bus signal
754
self.PropertyChanged(dbus.String(u"enabled"),
755
dbus.Boolean(False, variant_level=1))
756
return r
757
758
def __del__(self, *args, **kwargs):
759
try:
760
self.remove_from_connection()
761
except LookupError:
762
pass
763
if hasattr(DBusObjectWithProperties, u"__del__"):
764
DBusObjectWithProperties.__del__(self, *args, **kwargs)
765
Client.__del__(self, *args, **kwargs)
766
767
def checker_callback(self, pid, condition, command,
768
*args, **kwargs):
769
self.checker_callback_tag = None
770
self.checker = None
771
# Emit D-Bus signal
772
self.PropertyChanged(dbus.String(u"checker_running"),
773
dbus.Boolean(False, variant_level=1))
774
if os.WIFEXITED(condition):
775
exitstatus = os.WEXITSTATUS(condition)
776
# Emit D-Bus signal
777
self.CheckerCompleted(dbus.Int16(exitstatus),
778
dbus.Int64(condition),
779
dbus.String(command))
780
else:
781
# Emit D-Bus signal
782
self.CheckerCompleted(dbus.Int16(-1),
783
dbus.Int64(condition),
784
dbus.String(command))
785
786
return Client.checker_callback(self, pid, condition, command,
787
*args, **kwargs)
788
789
def checked_ok(self, *args, **kwargs):
790
r = Client.checked_ok(self, *args, **kwargs)
791
# Emit D-Bus signal
792
self.PropertyChanged(
793
dbus.String(u"last_checked_ok"),
794
(self._datetime_to_dbus(self.last_checked_ok,
795
variant_level=1)))
796
return r
797
798
def start_checker(self, *args, **kwargs):
799
old_checker = self.checker
800
if self.checker is not None:
801
old_checker_pid = self.checker.pid
802
else:
803
old_checker_pid = None
804
r = Client.start_checker(self, *args, **kwargs)
805
# Only if new checker process was started
806
if (self.checker is not None
807
and old_checker_pid != self.checker.pid):
808
# Emit D-Bus signal
809
self.CheckerStarted(self.current_checker_command)
810
self.PropertyChanged(
811
dbus.String(u"checker_running"),
812
dbus.Boolean(True, variant_level=1))
813
return r
814
815
def stop_checker(self, *args, **kwargs):
816
old_checker = getattr(self, u"checker", None)
817
r = Client.stop_checker(self, *args, **kwargs)
818
if (old_checker is not None
819
and getattr(self, u"checker", None) is None):
820
self.PropertyChanged(dbus.String(u"checker_running"),
821
dbus.Boolean(False, variant_level=1))
822
return r
823
824
def _reset_approved(self):
825
self._approved = None
826
return False
827
828
def approve(self, value=True):
829
self.send_changedstate()
830
self._approved = value
831
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
832
self._reset_approved)
833
834
835
## D-Bus methods, signals & properties
836
_interface = u"se.bsnet.fukt.Mandos.Client"
837
838
## Signals
839
840
# CheckerCompleted - signal
841
@dbus.service.signal(_interface, signature=u"nxs")
842
def CheckerCompleted(self, exitcode, waitstatus, command):
843
"D-Bus signal"
844
pass
845
846
# CheckerStarted - signal
847
@dbus.service.signal(_interface, signature=u"s")
848
def CheckerStarted(self, command):
849
"D-Bus signal"
850
pass
851
852
# PropertyChanged - signal
853
@dbus.service.signal(_interface, signature=u"sv")
854
def PropertyChanged(self, property, value):
855
"D-Bus signal"
856
pass
857
858
# GotSecret - signal
859
@dbus.service.signal(_interface)
860
def GotSecret(self):
861
"""D-Bus signal
862
Is sent after a successful transfer of secret from the Mandos
863
server to mandos-client
864
"""
865
pass
866
867
# Rejected - signal
868
@dbus.service.signal(_interface, signature=u"s")
869
def Rejected(self, reason):
870
"D-Bus signal"
871
pass
872
873
# NeedApproval - signal
874
@dbus.service.signal(_interface, signature=u"db")
875
def NeedApproval(self, timeout, default):
876
"D-Bus signal"
877
pass
878
879
## Methods
880
881
# Approve - method
882
@dbus.service.method(_interface, in_signature=u"b")
883
def Approve(self, value):
884
self.approve(value)
885
886
# CheckedOK - method
887
@dbus.service.method(_interface)
888
def CheckedOK(self):
889
return self.checked_ok()
890
891
# Enable - method
892
@dbus.service.method(_interface)
893
def Enable(self):
894
"D-Bus method"
895
self.enable()
896
897
# StartChecker - method
898
@dbus.service.method(_interface)
899
def StartChecker(self):
900
"D-Bus method"
901
self.start_checker()
902
903
# Disable - method
904
@dbus.service.method(_interface)
905
def Disable(self):
906
"D-Bus method"
907
self.disable()
908
909
# StopChecker - method
910
@dbus.service.method(_interface)
911
def StopChecker(self):
912
self.stop_checker()
913
914
## Properties
915
916
# approved_pending - property
917
@dbus_service_property(_interface, signature=u"b", access=u"read")
918
def approved_pending_dbus_property(self):
919
return dbus.Boolean(bool(self.approvals_pending))
920
921
# approved_by_default - property
922
@dbus_service_property(_interface, signature=u"b",
923
access=u"readwrite")
924
def approved_by_default_dbus_property(self):
925
return dbus.Boolean(self.approved_by_default)
926
927
# approved_delay - property
928
@dbus_service_property(_interface, signature=u"t",
929
access=u"readwrite")
930
def approved_delay_dbus_property(self):
931
return dbus.UInt64(self.approved_delay_milliseconds())
932
933
# approved_duration - property
934
@dbus_service_property(_interface, signature=u"t",
935
access=u"readwrite")
936
def approved_duration_dbus_property(self):
937
return dbus.UInt64(self._timedelta_to_milliseconds(
938
self.approved_duration))
939
940
# name - property
941
@dbus_service_property(_interface, signature=u"s", access=u"read")
942
def name_dbus_property(self):
943
return dbus.String(self.name)
944
945
# fingerprint - property
946
@dbus_service_property(_interface, signature=u"s", access=u"read")
947
def fingerprint_dbus_property(self):
948
return dbus.String(self.fingerprint)
949
950
# host - property
951
@dbus_service_property(_interface, signature=u"s",
952
access=u"readwrite")
953
def host_dbus_property(self, value=None):
954
if value is None: # get
955
return dbus.String(self.host)
956
self.host = value
957
# Emit D-Bus signal
958
self.PropertyChanged(dbus.String(u"host"),
959
dbus.String(value, variant_level=1))
960
961
# created - property
962
@dbus_service_property(_interface, signature=u"s", access=u"read")
963
def created_dbus_property(self):
964
return dbus.String(self._datetime_to_dbus(self.created))
965
966
# last_enabled - property
967
@dbus_service_property(_interface, signature=u"s", access=u"read")
968
def last_enabled_dbus_property(self):
969
if self.last_enabled is None:
970
return dbus.String(u"")
971
return dbus.String(self._datetime_to_dbus(self.last_enabled))
972
973
# enabled - property
974
@dbus_service_property(_interface, signature=u"b",
975
access=u"readwrite")
976
def enabled_dbus_property(self, value=None):
977
if value is None: # get
978
return dbus.Boolean(self.enabled)
979
if value:
980
self.enable()
981
else:
982
self.disable()
983
984
# last_checked_ok - property
985
@dbus_service_property(_interface, signature=u"s",
986
access=u"readwrite")
987
def last_checked_ok_dbus_property(self, value=None):
988
if value is not None:
989
self.checked_ok()
990
return
473
# D-Bus variant
474
StopChecker = dbus.service.method(interface)(stop_checker)
475
476
def still_valid(self):
477
"""Has the timeout not yet passed for this client?"""
478
if not self.started:
479
return False
480
now = datetime.datetime.now()
991
481
if self.last_checked_ok is None:
992
return dbus.String(u"")
993
return dbus.String(self._datetime_to_dbus(self
994
.last_checked_ok))
995
996
# timeout - property
997
@dbus_service_property(_interface, signature=u"t",
998
access=u"readwrite")
999
def timeout_dbus_property(self, value=None):
1000
if value is None: # get
1001
return dbus.UInt64(self.timeout_milliseconds())
1002
self.timeout = datetime.timedelta(0, 0, 0, value)
1003
# Emit D-Bus signal
1004
self.PropertyChanged(dbus.String(u"timeout"),
1005
dbus.UInt64(value, variant_level=1))
1006
if getattr(self, u"disable_initiator_tag", None) is None:
1007
return
1008
# Reschedule timeout
1009
gobject.source_remove(self.disable_initiator_tag)
1010
self.disable_initiator_tag = None
1011
time_to_die = (self.
1012
_timedelta_to_milliseconds((self
1013
.last_checked_ok
1014
+ self.timeout)
1015
- datetime.datetime
1016
.utcnow()))
1017
if time_to_die <= 0:
1018
# The timeout has passed
1019
self.disable()
1020
else:
1021
self.disable_initiator_tag = (gobject.timeout_add
1022
(time_to_die, self.disable))
1023
1024
# interval - property
1025
@dbus_service_property(_interface, signature=u"t",
1026
access=u"readwrite")
1027
def interval_dbus_property(self, value=None):
1028
if value is None: # get
1029
return dbus.UInt64(self.interval_milliseconds())
1030
self.interval = datetime.timedelta(0, 0, 0, value)
1031
# Emit D-Bus signal
1032
self.PropertyChanged(dbus.String(u"interval"),
1033
dbus.UInt64(value, variant_level=1))
1034
if getattr(self, u"checker_initiator_tag", None) is None:
1035
return
1036
# Reschedule checker run
1037
gobject.source_remove(self.checker_initiator_tag)
1038
self.checker_initiator_tag = (gobject.timeout_add
1039
(value, self.start_checker))
1040
self.start_checker() # Start one now, too
1041
1042
# checker - property
1043
@dbus_service_property(_interface, signature=u"s",
1044
access=u"readwrite")
1045
def checker_dbus_property(self, value=None):
1046
if value is None: # get
1047
return dbus.String(self.checker_command)
1048
self.checker_command = value
1049
# Emit D-Bus signal
1050
self.PropertyChanged(dbus.String(u"checker"),
1051
dbus.String(self.checker_command,
1052
variant_level=1))
1053
1054
# checker_running - property
1055
@dbus_service_property(_interface, signature=u"b",
1056
access=u"readwrite")
1057
def checker_running_dbus_property(self, value=None):
1058
if value is None: # get
1059
return dbus.Boolean(self.checker is not None)
1060
if value:
1061
self.start_checker()
1062
else:
1063
self.stop_checker()
1064
1065
# object_path - property
1066
@dbus_service_property(_interface, signature=u"o", access=u"read")
1067
def object_path_dbus_property(self):
1068
return self.dbus_object_path # is already a dbus.ObjectPath
1069
1070
# secret = property
1071
@dbus_service_property(_interface, signature=u"ay",
1072
access=u"write", byte_arrays=True)
1073
def secret_dbus_property(self, value):
1074
self.secret = str(value)
1075
1076
del _interface
1077
1078
1079
class ProxyClient(object):
1080
def __init__(self, child_pipe, fpr, address):
1081
self._pipe = child_pipe
1082
self._pipe.send(('init', fpr, address))
1083
if not self._pipe.recv():
1084
raise KeyError()
1085
1086
def __getattribute__(self, name):
1087
if(name == '_pipe'):
1088
return super(ProxyClient, self).__getattribute__(name)
1089
self._pipe.send(('getattr', name))
1090
data = self._pipe.recv()
1091
if data[0] == 'data':
1092
return data[1]
1093
if data[0] == 'function':
1094
def func(*args, **kwargs):
1095
self._pipe.send(('funcall', name, args, kwargs))
1096
return self._pipe.recv()[1]
1097
return func
1098
1099
def __setattr__(self, name, value):
1100
if(name == '_pipe'):
1101
return super(ProxyClient, self).__setattr__(name, value)
1102
self._pipe.send(('setattr', name, value))
1103
1104
1105
class ClientHandler(socketserver.BaseRequestHandler, object):
1106
"""A class to handle client connections.
1107
1108
Instantiated once for each connection to handle it.
482
return now < (self.created + self.timeout)
483
else:
484
return now < (self.last_checked_ok + self.timeout)
485
# D-Bus variant
486
stillValid = dbus.service.method(interface, out_signature="b")\
487
(still_valid)
488
489
del interface
490
491
492
def peer_certificate(session):
493
"Return the peer's OpenPGP certificate as a bytestring"
494
# If not an OpenPGP certificate...
495
if gnutls.library.functions.gnutls_certificate_type_get\
496
(session._c_object) \
497
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
498
# ...do the normal thing
499
return session.peer_certificate
500
list_size = ctypes.c_uint()
501
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
502
(session._c_object, ctypes.byref(list_size))
503
if list_size.value == 0:
504
return None
505
cert = cert_list[0]
506
return ctypes.string_at(cert.data, cert.size)
507
508
509
def fingerprint(openpgp):
510
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
511
# New GnuTLS "datum" with the OpenPGP public key
512
datum = gnutls.library.types.gnutls_datum_t\
513
(ctypes.cast(ctypes.c_char_p(openpgp),
514
ctypes.POINTER(ctypes.c_ubyte)),
515
ctypes.c_uint(len(openpgp)))
516
# New empty GnuTLS certificate
517
crt = gnutls.library.types.gnutls_openpgp_crt_t()
518
gnutls.library.functions.gnutls_openpgp_crt_init\
519
(ctypes.byref(crt))
520
# Import the OpenPGP public key into the certificate
521
gnutls.library.functions.gnutls_openpgp_crt_import\
522
(crt, ctypes.byref(datum),
523
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
524
# Verify the self signature in the key
525
crtverify = ctypes.c_uint()
526
gnutls.library.functions.gnutls_openpgp_crt_verify_self\
527
(crt, 0, ctypes.byref(crtverify))
528
if crtverify.value != 0:
529
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
530
raise gnutls.errors.CertificateSecurityError("Verify failed")
531
# New buffer for the fingerprint
532
buf = ctypes.create_string_buffer(20)
533
buf_len = ctypes.c_size_t()
534
# Get the fingerprint from the certificate into the buffer
535
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
536
(crt, ctypes.byref(buf), ctypes.byref(buf_len))
537
# Deinit the certificate
538
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
539
# Convert the buffer to a Python bytestring
540
fpr = ctypes.string_at(buf, buf_len.value)
541
# Convert the bytestring to hexadecimal notation
542
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
543
return hex_fpr
544
545
546
class TCP_handler(SocketServer.BaseRequestHandler, object):
547
"""A TCP request handler class.
548
Instantiated by IPv6_TCPServer for each request to handle it.
1109
549
Note: This will run in its own forked process."""
1110
550
1111
551
def handle(self):
1112
with contextlib.closing(self.server.child_pipe) as child_pipe:
1113
logger.info(u"TCP connection from: %s",
1114
unicode(self.client_address))
1115
logger.debug(u"Pipe FD: %d",
1116
self.server.child_pipe.fileno())
1117
1118
session = (gnutls.connection
1119
.ClientSession(self.request,
1120
gnutls.connection
1121
.X509Credentials()))
1122
1123
# Note: gnutls.connection.X509Credentials is really a
1124
# generic GnuTLS certificate credentials object so long as
1125
# no X.509 keys are added to it. Therefore, we can use it
1126
# here despite using OpenPGP certificates.
1127
1128
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1129
# u"+AES-256-CBC", u"+SHA1",
1130
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1131
# u"+DHE-DSS"))
1132
# Use a fallback default, since this MUST be set.
1133
priority = self.server.gnutls_priority
1134
if priority is None:
1135
priority = u"NORMAL"
1136
(gnutls.library.functions
1137
.gnutls_priority_set_direct(session._c_object,
1138
priority, None))
1139
1140
# Start communication using the Mandos protocol
1141
# Get protocol number
1142
line = self.request.makefile().readline()
1143
logger.debug(u"Protocol version: %r", line)
1144
try:
1145
if int(line.strip().split()[0]) > 1:
1146
raise RuntimeError
1147
except (ValueError, IndexError, RuntimeError), error:
1148
logger.error(u"Unknown protocol version: %s", error)
1149
return
1150
1151
# Start GnuTLS connection
1152
try:
1153
session.handshake()
1154
except gnutls.errors.GNUTLSError, error:
1155
logger.warning(u"Handshake failed: %s", error)
1156
# Do not run session.bye() here: the session is not
1157
# established. Just abandon the request.
1158
return
1159
logger.debug(u"Handshake succeeded")
1160
1161
approval_required = False
1162
try:
1163
try:
1164
fpr = self.fingerprint(self.peer_certificate
1165
(session))
1166
except (TypeError, gnutls.errors.GNUTLSError), error:
1167
logger.warning(u"Bad certificate: %s", error)
1168
return
1169
logger.debug(u"Fingerprint: %s", fpr)
1170
1171
try:
1172
client = ProxyClient(child_pipe, fpr,
1173
self.client_address)
1174
except KeyError:
1175
return
1176
1177
if client.approved_delay:
1178
delay = client.approved_delay
1179
client.approvals_pending += 1
1180
approval_required = True
1181
1182
while True:
1183
if not client.enabled:
1184
logger.warning(u"Client %s is disabled",
1185
client.name)
1186
if self.server.use_dbus:
1187
# Emit D-Bus signal
1188
client.Rejected("Disabled")
1189
return
1190
1191
if client._approved or not client.approved_delay:
1192
#We are approved or approval is disabled
1193
break
1194
elif client._approved is None:
1195
logger.info(u"Client %s need approval",
1196
client.name)
1197
if self.server.use_dbus:
1198
# Emit D-Bus signal
1199
client.NeedApproval(
1200
client.approved_delay_milliseconds(),
1201
client.approved_by_default)
1202
else:
1203
logger.warning(u"Client %s was not approved",
1204
client.name)
1205
if self.server.use_dbus:
1206
# Emit D-Bus signal
1207
client.Rejected("Disapproved")
1208
return
1209
1210
#wait until timeout or approved
1211
#x = float(client._timedelta_to_milliseconds(delay))
1212
time = datetime.datetime.now()
1213
client.changedstate.acquire()
1214
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1215
client.changedstate.release()
1216
time2 = datetime.datetime.now()
1217
if (time2 - time) >= delay:
1218
if not client.approved_by_default:
1219
logger.warning("Client %s timed out while"
1220
" waiting for approval",
1221
client.name)
1222
if self.server.use_dbus:
1223
# Emit D-Bus signal
1224
client.Rejected("Time out")
1225
return
1226
else:
1227
break
1228
else:
1229
delay -= time2 - time
1230
1231
sent_size = 0
1232
while sent_size < len(client.secret):
1233
try:
1234
sent = session.send(client.secret[sent_size:])
1235
except (gnutls.errors.GNUTLSError), error:
1236
logger.warning("gnutls send failed")
1237
return
1238
logger.debug(u"Sent: %d, remaining: %d",
1239
sent, len(client.secret)
1240
- (sent_size + sent))
1241
sent_size += sent
1242
1243
logger.info(u"Sending secret to %s", client.name)
1244
# bump the timeout as if seen
1245
client.checked_ok()
1246
if self.server.use_dbus:
1247
# Emit D-Bus signal
1248
client.GotSecret()
1249
1250
finally:
1251
if approval_required:
1252
client.approvals_pending -= 1
1253
try:
1254
session.bye()
1255
except (gnutls.errors.GNUTLSError), error:
1256
logger.warning("gnutls bye failed")
1257
1258
@staticmethod
1259
def peer_certificate(session):
1260
"Return the peer's OpenPGP certificate as a bytestring"
1261
# If not an OpenPGP certificate...
1262
if (gnutls.library.functions
1263
.gnutls_certificate_type_get(session._c_object)
1264
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1265
# ...do the normal thing
1266
return session.peer_certificate
1267
list_size = ctypes.c_uint(1)
1268
cert_list = (gnutls.library.functions
1269
.gnutls_certificate_get_peers
1270
(session._c_object, ctypes.byref(list_size)))
1271
if not bool(cert_list) and list_size.value != 0:
1272
raise gnutls.errors.GNUTLSError(u"error getting peer"
1273
u" certificate")
1274
if list_size.value == 0:
1275
return None
1276
cert = cert_list[0]
1277
return ctypes.string_at(cert.data, cert.size)
1278
1279
@staticmethod
1280
def fingerprint(openpgp):
1281
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1282
# New GnuTLS "datum" with the OpenPGP public key
1283
datum = (gnutls.library.types
1284
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1285
ctypes.POINTER
1286
(ctypes.c_ubyte)),
1287
ctypes.c_uint(len(openpgp))))
1288
# New empty GnuTLS certificate
1289
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1290
(gnutls.library.functions
1291
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1292
# Import the OpenPGP public key into the certificate
1293
(gnutls.library.functions
1294
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1295
gnutls.library.constants
1296
.GNUTLS_OPENPGP_FMT_RAW))
1297
# Verify the self signature in the key
1298
crtverify = ctypes.c_uint()
1299
(gnutls.library.functions
1300
.gnutls_openpgp_crt_verify_self(crt, 0,
1301
ctypes.byref(crtverify)))
1302
if crtverify.value != 0:
1303
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1304
raise (gnutls.errors.CertificateSecurityError
1305
(u"Verify failed"))
1306
# New buffer for the fingerprint
1307
buf = ctypes.create_string_buffer(20)
1308
buf_len = ctypes.c_size_t()
1309
# Get the fingerprint from the certificate into the buffer
1310
(gnutls.library.functions
1311
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1312
ctypes.byref(buf_len)))
1313
# Deinit the certificate
1314
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1315
# Convert the buffer to a Python bytestring
1316
fpr = ctypes.string_at(buf, buf_len.value)
1317
# Convert the bytestring to hexadecimal notation
1318
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1319
return hex_fpr
1320
1321
1322
class MultiprocessingMixIn(object):
1323
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1324
def sub_process_main(self, request, address):
1325
try:
1326
self.finish_request(request, address)
1327
except:
1328
self.handle_error(request, address)
1329
self.close_request(request)
1330
1331
def process_request(self, request, address):
1332
"""Start a new process to process the request."""
1333
multiprocessing.Process(target = self.sub_process_main,
1334
args = (request, address)).start()
1335
1336
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1337
""" adds a pipe to the MixIn """
1338
def process_request(self, request, client_address):
1339
"""Overrides and wraps the original process_request().
1340
1341
This function creates a new pipe in self.pipe
1342
"""
1343
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1344
1345
super(MultiprocessingMixInWithPipe,
1346
self).process_request(request, client_address)
1347
self.child_pipe.close()
1348
self.add_pipe(parent_pipe)
1349
1350
def add_pipe(self, parent_pipe):
1351
"""Dummy function; override as necessary"""
1352
pass
1353
1354
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1355
socketserver.TCPServer, object):
1356
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1357
552
logger.info(u"TCP connection from: %s",
553
unicode(self.client_address))
554
session = gnutls.connection.ClientSession\
555
(self.request, gnutls.connection.X509Credentials())
556
557
line = self.request.makefile().readline()
558
logger.debug(u"Protocol version: %r", line)
559
try:
560
if int(line.strip().split()[0]) > 1:
561
raise RuntimeError
562
except (ValueError, IndexError, RuntimeError), error:
563
logger.error(u"Unknown protocol version: %s", error)
564
return
565
566
# Note: gnutls.connection.X509Credentials is really a generic
567
# GnuTLS certificate credentials object so long as no X.509
568
# keys are added to it. Therefore, we can use it here despite
569
# using OpenPGP certificates.
570
571
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
572
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
573
# "+DHE-DSS"))
574
# Use a fallback default, since this MUST be set.
575
priority = self.server.settings.get("priority", "NORMAL")
576
gnutls.library.functions.gnutls_priority_set_direct\
577
(session._c_object, priority, None)
578
579
try:
580
session.handshake()
581
except gnutls.errors.GNUTLSError, error:
582
logger.warning(u"Handshake failed: %s", error)
583
# Do not run session.bye() here: the session is not
584
# established. Just abandon the request.
585
return
586
try:
587
fpr = fingerprint(peer_certificate(session))
588
except (TypeError, gnutls.errors.GNUTLSError), error:
589
logger.warning(u"Bad certificate: %s", error)
590
session.bye()
591
return
592
logger.debug(u"Fingerprint: %s", fpr)
593
client = None
594
for c in self.server.clients:
595
if c.fingerprint == fpr:
596
client = c
597
break
598
if not client:
599
logger.warning(u"Client not found for fingerprint: %s",
600
fpr)
601
session.bye()
602
return
603
# Have to check if client.still_valid(), since it is possible
604
# that the client timed out while establishing the GnuTLS
605
# session.
606
if not client.still_valid():
607
logger.warning(u"Client %(name)s is invalid",
608
vars(client))
609
session.bye()
610
return
611
## This won't work here, since we're in a fork.
612
# client.bump_timeout()
613
sent_size = 0
614
while sent_size < len(client.secret):
615
sent = session.send(client.secret[sent_size:])
616
logger.debug(u"Sent: %d, remaining: %d",
617
sent, len(client.secret)
618
- (sent_size + sent))
619
sent_size += sent
620
session.bye()
621
622
623
class IPv6_TCPServer(SocketServer.ForkingMixIn,
624
SocketServer.TCPServer, object):
625
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1358
626
Attributes:
627
settings: Server settings
628
clients: Set() of Client objects
1359
629
enabled: Boolean; whether this server is activated yet
1360
interface: None or a network interface name (string)
1361
use_ipv6: Boolean; to use IPv6 or not
1362
630
"""
1363
def __init__(self, server_address, RequestHandlerClass,
1364
interface=None, use_ipv6=True):
1365
self.interface = interface
1366
if use_ipv6:
1367
self.address_family = socket.AF_INET6
1368
socketserver.TCPServer.__init__(self, server_address,
1369
RequestHandlerClass)
631
address_family = socket.AF_INET6
632
def __init__(self, *args, **kwargs):
633
if "settings" in kwargs:
634
self.settings = kwargs["settings"]
635
del kwargs["settings"]
636
if "clients" in kwargs:
637
self.clients = kwargs["clients"]
638
del kwargs["clients"]
639
self.enabled = False
640
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1370
641
def server_bind(self):
1371
642
"""This overrides the normal server_bind() function
1372
643
to bind to an interface if one was specified, and also NOT to
1373
644
bind to an address or port if they were not specified."""
1374
if self.interface is not None:
1375
if SO_BINDTODEVICE is None:
1376
logger.error(u"SO_BINDTODEVICE does not exist;"
1377
u" cannot bind to interface %s",
1378
self.interface)
1379
else:
1380
try:
1381
self.socket.setsockopt(socket.SOL_SOCKET,
1382
SO_BINDTODEVICE,
1383
str(self.interface
1384
+ u'\0'))
1385
except socket.error, error:
1386
if error[0] == errno.EPERM:
1387
logger.error(u"No permission to"
1388
u" bind to interface %s",
1389
self.interface)
1390
elif error[0] == errno.ENOPROTOOPT:
1391
logger.error(u"SO_BINDTODEVICE not available;"
1392
u" cannot bind to interface %s",
1393
self.interface)
1394
else:
1395
raise
645
if self.settings["interface"]:
646
# 25 is from /usr/include/asm-i486/socket.h
647
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
648
try:
649
self.socket.setsockopt(socket.SOL_SOCKET,
650
SO_BINDTODEVICE,
651
self.settings["interface"])
652
except socket.error, error:
653
if error[0] == errno.EPERM:
654
logger.error(u"No permission to"
655
u" bind to interface %s",
656
self.settings["interface"])
657
else:
658
raise error
1396
659
# Only bind(2) the socket if we really need to.
1397
660
if self.server_address[0] or self.server_address[1]:
1398
661
if not self.server_address[0]:
1399
if self.address_family == socket.AF_INET6:
1400
any_address = u"::" # in6addr_any
1401
else:
1402
any_address = socket.INADDR_ANY
1403
self.server_address = (any_address,
662
in6addr_any = "::"
663
self.server_address = (in6addr_any,
1404
664
self.server_address[1])
1405
665
elif not self.server_address[1]:
1406
666
self.server_address = (self.server_address[0],
1407
667
0)
1408
# if self.interface:
668
# if self.settings["interface"]:
1409
669
# self.server_address = (self.server_address[0],
1410
670
# 0, # port
1411
671
# 0, # flowinfo
1412
672
# if_nametoindex
1413
# (self.interface))
1414
return socketserver.TCPServer.server_bind(self)
1415
1416
1417
class MandosServer(IPv6_TCPServer):
1418
"""Mandos server.
1419
1420
Attributes:
1421
clients: set of Client objects
1422
gnutls_priority GnuTLS priority string
1423
use_dbus: Boolean; to emit D-Bus signals or not
1424
1425
Assumes a gobject.MainLoop event loop.
1426
"""
1427
def __init__(self, server_address, RequestHandlerClass,
1428
interface=None, use_ipv6=True, clients=None,
1429
gnutls_priority=None, use_dbus=True):
1430
self.enabled = False
1431
self.clients = clients
1432
if self.clients is None:
1433
self.clients = set()
1434
self.use_dbus = use_dbus
1435
self.gnutls_priority = gnutls_priority
1436
IPv6_TCPServer.__init__(self, server_address,
1437
RequestHandlerClass,
1438
interface = interface,
1439
use_ipv6 = use_ipv6)
673
# (self.settings
674
# ["interface"]))
675
return super(IPv6_TCPServer, self).server_bind()
1440
676
def server_activate(self):
1441
677
if self.enabled:
1442
return socketserver.TCPServer.server_activate(self)
678
return super(IPv6_TCPServer, self).server_activate()
1443
679
def enable(self):
1444
680
self.enabled = True
1445
def add_pipe(self, parent_pipe):
1446
# Call "handle_ipc" for both data and EOF events
1447
gobject.io_add_watch(parent_pipe.fileno(),
1448
gobject.IO_IN | gobject.IO_HUP,
1449
functools.partial(self.handle_ipc,
1450
parent_pipe = parent_pipe))
1451
1452
def handle_ipc(self, source, condition, parent_pipe=None,
1453
client_object=None):
1454
condition_names = {
1455
gobject.IO_IN: u"IN", # There is data to read.
1456
gobject.IO_OUT: u"OUT", # Data can be written (without
1457
# blocking).
1458
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1459
gobject.IO_ERR: u"ERR", # Error condition.
1460
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1461
# broken, usually for pipes and
1462
# sockets).
1463
}
1464
conditions_string = ' | '.join(name
1465
for cond, name in
1466
condition_names.iteritems()
1467
if cond & condition)
1468
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1469
conditions_string)
1470
1471
# error or the other end of multiprocessing.Pipe has closed
1472
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1473
return False
1474
1475
# Read a request from the child
1476
request = parent_pipe.recv()
1477
logger.debug(u"IPC request: %s", repr(request))
1478
command = request[0]
1479
1480
if command == 'init':
1481
fpr = request[1]
1482
address = request[2]
1483
1484
for c in self.clients:
1485
if c.fingerprint == fpr:
1486
client = c
1487
break
1488
else:
1489
logger.warning(u"Client not found for fingerprint: %s, ad"
1490
u"dress: %s", fpr, address)
1491
if self.use_dbus:
1492
# Emit D-Bus signal
1493
mandos_dbus_service.ClientNotFound(fpr, address)
1494
parent_pipe.send(False)
1495
return False
1496
1497
gobject.io_add_watch(parent_pipe.fileno(),
1498
gobject.IO_IN | gobject.IO_HUP,
1499
functools.partial(self.handle_ipc,
1500
parent_pipe = parent_pipe,
1501
client_object = client))
1502
parent_pipe.send(True)
1503
# remove the old hook in favor of the new above hook on same fileno
1504
return False
1505
if command == 'funcall':
1506
funcname = request[1]
1507
args = request[2]
1508
kwargs = request[3]
1509
1510
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1511
1512
if command == 'getattr':
1513
attrname = request[1]
1514
if callable(client_object.__getattribute__(attrname)):
1515
parent_pipe.send(('function',))
1516
else:
1517
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1518
1519
if command == 'setattr':
1520
attrname = request[1]
1521
value = request[2]
1522
setattr(client_object, attrname, value)
1523
1524
return True
1525
681
1526
682
1527
683
def string_to_delta(interval):
1528
684
"""Parse a string and return a datetime.timedelta
1529
1530
>>> string_to_delta(u'7d')
685
686
>>> string_to_delta('7d')
1531
687
datetime.timedelta(7)
1532
>>> string_to_delta(u'60s')
688
>>> string_to_delta('60s')
1533
689
datetime.timedelta(0, 60)
1534
>>> string_to_delta(u'60m')
690
>>> string_to_delta('60m')
1535
691
datetime.timedelta(0, 3600)
1536
>>> string_to_delta(u'24h')
692
>>> string_to_delta('24h')
1537
693
datetime.timedelta(1)
1538
694
>>> string_to_delta(u'1w')
1539
695
datetime.timedelta(7)
1540
>>> string_to_delta(u'5m 30s')
696
>>> string_to_delta('5m 30s')
1541
697
datetime.timedelta(0, 330)
1542
698
"""
1543
699
timevalue = datetime.timedelta(0)
1556
712
elif suffix == u"w":
1557
713
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1558
714
else:
1559
raise ValueError(u"Unknown suffix %r" % suffix)
1560
except (ValueError, IndexError), e:
1561
raise ValueError(e.message)
715
raise ValueError
716
except (ValueError, IndexError):
717
raise ValueError
1562
718
timevalue += delta
1563
719
return timevalue
1564
720
1565
721
722
def server_state_changed(state):
723
"""Derived from the Avahi example code"""
724
if state == avahi.SERVER_COLLISION:
725
logger.error(u"Zeroconf server name collision")
726
service.remove()
727
elif state == avahi.SERVER_RUNNING:
728
service.add()
729
730
731
def entry_group_state_changed(state, error):
732
"""Derived from the Avahi example code"""
733
logger.debug(u"Avahi state change: %i", state)
734
735
if state == avahi.ENTRY_GROUP_ESTABLISHED:
736
logger.debug(u"Zeroconf service established.")
737
elif state == avahi.ENTRY_GROUP_COLLISION:
738
logger.warning(u"Zeroconf service name collision.")
739
service.rename()
740
elif state == avahi.ENTRY_GROUP_FAILURE:
741
logger.critical(u"Avahi: Error in group state changed %s",
742
unicode(error))
743
raise AvahiGroupError("State changed: %s", str(error))
744
1566
745
def if_nametoindex(interface):
1567
"""Call the C function if_nametoindex(), or equivalent
1568
1569
Note: This function cannot accept a unicode string."""
746
"""Call the C function if_nametoindex(), or equivalent"""
1570
747
global if_nametoindex
1571
748
try:
1572
if_nametoindex = (ctypes.cdll.LoadLibrary
1573
(ctypes.util.find_library(u"c"))
1574
.if_nametoindex)
749
if_nametoindex = ctypes.cdll.LoadLibrary\
750
(ctypes.util.find_library("c")).if_nametoindex
1575
751
except (OSError, AttributeError):
1576
logger.warning(u"Doing if_nametoindex the hard way")
752
if "struct" not in sys.modules:
753
import struct
754
if "fcntl" not in sys.modules:
755
import fcntl
1577
756
def if_nametoindex(interface):
1578
757
"Get an interface index the hard way, i.e. using fcntl()"
1579
758
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1580
with contextlib.closing(socket.socket()) as s:
759
with closing(socket.socket()) as s:
1581
760
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1582
struct.pack(str(u"16s16x"),
1583
interface))
1584
interface_index = struct.unpack(str(u"I"),
1585
ifreq[16:20])[0]
761
struct.pack("16s16x", interface))
762
interface_index = struct.unpack("I", ifreq[16:20])[0]
1586
763
return interface_index
1587
764
return if_nametoindex(interface)
1588
765
1589
766
1590
767
def daemon(nochdir = False, noclose = False):
1591
768
"""See daemon(3). Standard BSD Unix function.
1592
1593
769
This should really exist as os.daemon, but it doesn't (yet)."""
1594
770
if os.fork():
1595
771
sys.exit()
1596
772
os.setsid()
1597
773
if not nochdir:
1598
os.chdir(u"/")
774
os.chdir("/")
1599
775
if os.fork():
1600
776
sys.exit()
1601
777
if not noclose:
1603
779
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1604
780
if not stat.S_ISCHR(os.fstat(null).st_mode):
1605
781
raise OSError(errno.ENODEV,
1606
u"%s not a character device"
1607
% os.path.devnull)
782
"/dev/null not a character device")
1608
783
os.dup2(null, sys.stdin.fileno())
1609
784
os.dup2(null, sys.stdout.fileno())
1610
785
os.dup2(null, sys.stderr.fileno())
1613
788
1614
789
1615
790
def main():
1616
1617
##################################################################
1618
# Parsing of options, both command line and config file
1619
1620
parser = optparse.OptionParser(version = "%%prog %s" % version)
1621
parser.add_option("-i", u"--interface", type=u"string",
1622
metavar="IF", help=u"Bind to interface IF")
1623
parser.add_option("-a", u"--address", type=u"string",
1624
help=u"Address to listen for requests on")
1625
parser.add_option("-p", u"--port", type=u"int",
1626
help=u"Port number to receive requests on")
1627
parser.add_option("--check", action=u"store_true",
1628
help=u"Run self-test")
1629
parser.add_option("--debug", action=u"store_true",
1630
help=u"Debug mode; run in foreground and log to"
1631
u" terminal")
1632
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1633
help=u"Debug level for stdout output")
1634
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1635
u" priority string (see GnuTLS documentation)")
1636
parser.add_option("--servicename", type=u"string",
1637
metavar=u"NAME", help=u"Zeroconf service name")
1638
parser.add_option("--configdir", type=u"string",
1639
default=u"/etc/mandos", metavar=u"DIR",
1640
help=u"Directory to search for configuration"
1641
u" files")
1642
parser.add_option("--no-dbus", action=u"store_false",
1643
dest=u"use_dbus", help=u"Do not provide D-Bus"
1644
u" system bus interface")
1645
parser.add_option("--no-ipv6", action=u"store_false",
1646
dest=u"use_ipv6", help=u"Do not use IPv6")
791
parser = OptionParser(version = "%%prog %s" % version)
792
parser.add_option("-i", "--interface", type="string",
793
metavar="IF", help="Bind to interface IF")
794
parser.add_option("-a", "--address", type="string",
795
help="Address to listen for requests on")
796
parser.add_option("-p", "--port", type="int",
797
help="Port number to receive requests on")
798
parser.add_option("--check", action="store_true", default=False,
799
help="Run self-test")
800
parser.add_option("--debug", action="store_true",
801
help="Debug mode; run in foreground and log to"
802
" terminal")
803
parser.add_option("--priority", type="string", help="GnuTLS"
804
" priority string (see GnuTLS documentation)")
805
parser.add_option("--servicename", type="string", metavar="NAME",
806
help="Zeroconf service name")
807
parser.add_option("--configdir", type="string",
808
default="/etc/mandos", metavar="DIR",
809
help="Directory to search for configuration"
810
" files")
1647
811
options = parser.parse_args()[0]
1648
812
1649
813
if options.check:
1652
816
sys.exit()
1653
817
1654
818
# Default values for config file for server-global settings
1655
server_defaults = { u"interface": u"",
1656
u"address": u"",
1657
u"port": u"",
1658
u"debug": u"False",
1659
u"priority":
1660
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1661
u"servicename": u"Mandos",
1662
u"use_dbus": u"True",
1663
u"use_ipv6": u"True",
1664
u"debuglevel": u"",
819
server_defaults = { "interface": "",
820
"address": "",
821
"port": "",
822
"debug": "False",
823
"priority":
824
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
825
"servicename": "Mandos",
1665
826
}
1666
827
1667
828
# Parse config file for server-global settings
1668
server_config = configparser.SafeConfigParser(server_defaults)
829
server_config = ConfigParser.SafeConfigParser(server_defaults)
1669
830
del server_defaults
1670
server_config.read(os.path.join(options.configdir,
1671
u"mandos.conf"))
831
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1672
832
# Convert the SafeConfigParser object to a dict
1673
833
server_settings = server_config.defaults()
1674
# Use the appropriate methods on the non-string config options
1675
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1676
server_settings[option] = server_config.getboolean(u"DEFAULT",
1677
option)
1678
if server_settings["port"]:
1679
server_settings["port"] = server_config.getint(u"DEFAULT",
1680
u"port")
834
# Use getboolean on the boolean config option
835
server_settings["debug"] = server_config.getboolean\
836
("DEFAULT", "debug")
1681
837
del server_config
1682
838
1683
839
# Override the settings from the config file with command line
1684
840
# options, if set.
1685
for option in (u"interface", u"address", u"port", u"debug",
1686
u"priority", u"servicename", u"configdir",
1687
u"use_dbus", u"use_ipv6", u"debuglevel"):
841
for option in ("interface", "address", "port", "debug",
842
"priority", "servicename", "configdir"):
1688
843
value = getattr(options, option)
1689
844
if value is not None:
1690
845
server_settings[option] = value
1691
846
del options
1692
# Force all strings to be unicode
1693
for option in server_settings.keys():
1694
if type(server_settings[option]) is str:
1695
server_settings[option] = unicode(server_settings[option])
1696
847
# Now we have our good server settings in "server_settings"
1697
848
1698
##################################################################
1699
1700
# For convenience
1701
debug = server_settings[u"debug"]
1702
debuglevel = server_settings[u"debuglevel"]
1703
use_dbus = server_settings[u"use_dbus"]
1704
use_ipv6 = server_settings[u"use_ipv6"]
1705
1706
if server_settings[u"servicename"] != u"Mandos":
1707
syslogger.setFormatter(logging.Formatter
1708
(u'Mandos (%s) [%%(process)d]:'
1709
u' %%(levelname)s: %%(message)s'
1710
% server_settings[u"servicename"]))
849
debug = server_settings["debug"]
850
851
if not debug:
852
syslogger.setLevel(logging.WARNING)
853
console.setLevel(logging.WARNING)
854
855
if server_settings["servicename"] != "Mandos":
856
syslogger.setFormatter(logging.Formatter\
857
('Mandos (%s): %%(levelname)s:'
858
' %%(message)s'
859
% server_settings["servicename"]))
1711
860
1712
861
# Parse config file with clients
1713
client_defaults = { u"timeout": u"1h",
1714
u"interval": u"5m",
1715
u"checker": u"fping -q -- %%(host)s",
1716
u"host": u"",
1717
u"approved_delay": u"0s",
1718
u"approved_duration": u"1s",
862
client_defaults = { "timeout": "1h",
863
"interval": "5m",
864
"checker": "fping -q -- %(host)s",
865
"host": "",
1719
866
}
1720
client_config = configparser.SafeConfigParser(client_defaults)
1721
client_config.read(os.path.join(server_settings[u"configdir"],
1722
u"clients.conf"))
1723
1724
global mandos_dbus_service
1725
mandos_dbus_service = None
1726
1727
tcp_server = MandosServer((server_settings[u"address"],
1728
server_settings[u"port"]),
1729
ClientHandler,
1730
interface=server_settings[u"interface"],
1731
use_ipv6=use_ipv6,
1732
gnutls_priority=
1733
server_settings[u"priority"],
1734
use_dbus=use_dbus)
1735
pidfilename = u"/var/run/mandos.pid"
1736
try:
1737
pidfile = open(pidfilename, u"w")
1738
except IOError:
1739
logger.error(u"Could not open file %r", pidfilename)
1740
1741
try:
1742
uid = pwd.getpwnam(u"_mandos").pw_uid
1743
gid = pwd.getpwnam(u"_mandos").pw_gid
1744
except KeyError:
1745
try:
1746
uid = pwd.getpwnam(u"mandos").pw_uid
1747
gid = pwd.getpwnam(u"mandos").pw_gid
1748
except KeyError:
1749
try:
1750
uid = pwd.getpwnam(u"nobody").pw_uid
1751
gid = pwd.getpwnam(u"nobody").pw_gid
1752
except KeyError:
1753
uid = 65534
1754
gid = 65534
1755
try:
867
client_config = ConfigParser.SafeConfigParser(client_defaults)
868
client_config.read(os.path.join(server_settings["configdir"],
869
"clients.conf"))
870
871
clients = Set()
872
tcp_server = IPv6_TCPServer((server_settings["address"],
873
server_settings["port"]),
874
TCP_handler,
875
settings=server_settings,
876
clients=clients)
877
pidfilename = "/var/run/mandos.pid"
878
try:
879
pidfile = open(pidfilename, "w")
880
except IOError, error:
881
logger.error("Could not open file %r", pidfilename)
882
883
uid = 65534
884
gid = 65534
885
try:
886
uid = pwd.getpwnam("mandos").pw_uid
887
except KeyError:
888
try:
889
uid = pwd.getpwnam("nobody").pw_uid
890
except KeyError:
891
pass
892
try:
893
gid = pwd.getpwnam("mandos").pw_gid
894
except KeyError:
895
try:
896
gid = pwd.getpwnam("nogroup").pw_gid
897
except KeyError:
898
pass
899
try:
900
os.setuid(uid)
1756
901
os.setgid(gid)
1757
os.setuid(uid)
1758
902
except OSError, error:
1759
903
if error[0] != errno.EPERM:
1760
904
raise error
1761
905
1762
# Enable all possible GnuTLS debugging
1763
1764
1765
if not debug and not debuglevel:
1766
syslogger.setLevel(logging.WARNING)
1767
console.setLevel(logging.WARNING)
1768
if debuglevel:
1769
level = getattr(logging, debuglevel.upper())
1770
syslogger.setLevel(level)
1771
console.setLevel(level)
1772
1773
if debug:
1774
# "Use a log level over 10 to enable all debugging options."
1775
# - GnuTLS manual
1776
gnutls.library.functions.gnutls_global_set_log_level(11)
1777
1778
@gnutls.library.types.gnutls_log_func
1779
def debug_gnutls(level, string):
1780
logger.debug(u"GnuTLS: %s", string[:-1])
1781
1782
(gnutls.library.functions
1783
.gnutls_global_set_log_function(debug_gnutls))
1784
1785
# Redirect stdin so all checkers get /dev/null
1786
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1787
os.dup2(null, sys.stdin.fileno())
1788
if null > 2:
1789
os.close(null)
1790
else:
1791
# No console logging
1792
logger.removeHandler(console)
1793
906
global service
907
service = AvahiService(name = server_settings["servicename"],
908
servicetype = "_mandos._tcp", )
909
if server_settings["interface"]:
910
service.interface = if_nametoindex\
911
(server_settings["interface"])
1794
912
1795
913
global main_loop
914
global bus
915
global server
1796
916
# From the Avahi example code
1797
917
DBusGMainLoop(set_as_default=True )
1798
918
main_loop = gobject.MainLoop()
1799
919
bus = dbus.SystemBus()
920
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
921
avahi.DBUS_PATH_SERVER),
922
avahi.DBUS_INTERFACE_SERVER)
1800
923
# End of Avahi example code
1801
if use_dbus:
1802
try:
1803
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1804
bus, do_not_queue=True)
1805
except dbus.exceptions.NameExistsException, e:
1806
logger.error(unicode(e) + u", disabling D-Bus")
1807
use_dbus = False
1808
server_settings[u"use_dbus"] = False
1809
tcp_server.use_dbus = False
1810
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1811
service = AvahiService(name = server_settings[u"servicename"],
1812
servicetype = u"_mandos._tcp",
1813
protocol = protocol, bus = bus)
1814
if server_settings["interface"]:
1815
service.interface = (if_nametoindex
1816
(str(server_settings[u"interface"])))
1817
1818
if not debug:
924
925
def remove_from_clients(client):
926
clients.remove(client)
927
if not clients:
928
logger.critical(u"No clients left, exiting")
929
sys.exit()
930
931
clients.update(Set(Client(name = section,
932
stop_hook = remove_from_clients,
933
config
934
= dict(client_config.items(section)))
935
for section in client_config.sections()))
936
if not clients:
937
logger.critical(u"No clients defined")
938
sys.exit(1)
939
940
if debug:
941
# Redirect stdin so all checkers get /dev/null
942
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
943
os.dup2(null, sys.stdin.fileno())
944
if null > 2:
945
os.close(null)
946
else:
947
# No console logging
948
logger.removeHandler(console)
1819
949
# Close all input and output, do double fork, etc.
1820
950
daemon()
1821
1822
global multiprocessing_manager
1823
multiprocessing_manager = multiprocessing.Manager()
1824
1825
client_class = Client
1826
if use_dbus:
1827
client_class = functools.partial(ClientDBus, bus = bus)
1828
def client_config_items(config, section):
1829
special_settings = {
1830
"approved_by_default":
1831
lambda: config.getboolean(section,
1832
"approved_by_default"),
1833
}
1834
for name, value in config.items(section):
1835
try:
1836
yield (name, special_settings[name]())
1837
except KeyError:
1838
yield (name, value)
1839
1840
tcp_server.clients.update(set(
1841
client_class(name = section,
1842
config= dict(client_config_items(
1843
client_config, section)))
1844
for section in client_config.sections()))
1845
if not tcp_server.clients:
1846
logger.warning(u"No clients defined")
1847
951
1848
952
try:
1849
with pidfile:
1850
pid = os.getpid()
1851
pidfile.write(str(pid) + "\n")
953
pid = os.getpid()
954
pidfile.write(str(pid) + "\n")
955
pidfile.close()
1852
956
del pidfile
1853
957
except IOError:
1854
958
logger.error(u"Could not write to file %r with PID %d",
1858
962
pass
1859
963
del pidfilename
1860
964
965
def cleanup():
966
"Cleanup function; run on exit"
967
global group
968
# From the Avahi example code
969
if not group is None:
970
group.Free()
971
group = None
972
# End of Avahi example code
973
974
while clients:
975
client = clients.pop()
976
client.stop_hook = None
977
client.stop()
978
979
atexit.register(cleanup)
980
1861
981
if not debug:
1862
982
signal.signal(signal.SIGINT, signal.SIG_IGN)
1863
983
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1864
984
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1865
985
1866
if use_dbus:
1867
class MandosDBusService(dbus.service.Object):
1868
"""A D-Bus proxy object"""
1869
def __init__(self):
1870
dbus.service.Object.__init__(self, bus, u"/")
1871
_interface = u"se.bsnet.fukt.Mandos"
1872
1873
@dbus.service.signal(_interface, signature=u"o")
1874
def ClientAdded(self, objpath):
1875
"D-Bus signal"
1876
pass
1877
1878
@dbus.service.signal(_interface, signature=u"ss")
1879
def ClientNotFound(self, fingerprint, address):
1880
"D-Bus signal"
1881
pass
1882
1883
@dbus.service.signal(_interface, signature=u"os")
1884
def ClientRemoved(self, objpath, name):
1885
"D-Bus signal"
1886
pass
1887
1888
@dbus.service.method(_interface, out_signature=u"ao")
1889
def GetAllClients(self):
1890
"D-Bus method"
1891
return dbus.Array(c.dbus_object_path
1892
for c in tcp_server.clients)
1893
1894
@dbus.service.method(_interface,
1895
out_signature=u"a{oa{sv}}")
1896
def GetAllClientsWithProperties(self):
1897
"D-Bus method"
1898
return dbus.Dictionary(
1899
((c.dbus_object_path, c.GetAll(u""))
1900
for c in tcp_server.clients),
1901
signature=u"oa{sv}")
1902
1903
@dbus.service.method(_interface, in_signature=u"o")
1904
def RemoveClient(self, object_path):
1905
"D-Bus method"
1906
for c in tcp_server.clients:
1907
if c.dbus_object_path == object_path:
1908
tcp_server.clients.remove(c)
1909
c.remove_from_connection()
1910
# Don't signal anything except ClientRemoved
1911
c.disable(quiet=True)
1912
# Emit D-Bus signal
1913
self.ClientRemoved(object_path, c.name)
1914
return
1915
raise KeyError(object_path)
1916
1917
del _interface
1918
1919
mandos_dbus_service = MandosDBusService()
1920
1921
def cleanup():
1922
"Cleanup function; run on exit"
1923
service.cleanup()
1924
1925
while tcp_server.clients:
1926
client = tcp_server.clients.pop()
1927
if use_dbus:
1928
client.remove_from_connection()
1929
client.disable_hook = None
1930
# Don't signal anything except ClientRemoved
1931
client.disable(quiet=True)
1932
if use_dbus:
1933
# Emit D-Bus signal
1934
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1935
client.name)
1936
1937
atexit.register(cleanup)
1938
1939
for client in tcp_server.clients:
1940
if use_dbus:
1941
# Emit D-Bus signal
1942
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1943
client.enable()
986
for client in clients:
987
client.start()
1944
988
1945
989
tcp_server.enable()
1946
990
tcp_server.server_activate()
1947
991
1948
992
# Find out what port we got
1949
993
service.port = tcp_server.socket.getsockname()[1]
1950
if use_ipv6:
1951
logger.info(u"Now listening on address %r, port %d,"
1952
" flowinfo %d, scope_id %d"
1953
% tcp_server.socket.getsockname())
1954
else: # IPv4
1955
logger.info(u"Now listening on address %r, port %d"
1956
% tcp_server.socket.getsockname())
994
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
995
u" scope_id %d" % tcp_server.socket.getsockname())
1957
996
1958
997
#service.interface = tcp_server.socket.getsockname()[3]
1959
998
1960
999
try:
1961
1000
# From the Avahi example code
1001
server.connect_to_signal("StateChanged", server_state_changed)
1962
1002
try:
1963
service.activate()
1003
server_state_changed(server.GetState())
1964
1004
except dbus.exceptions.DBusException, error:
1965
1005
logger.critical(u"DBusException: %s", error)
1966
cleanup()
1967
1006
sys.exit(1)
1968
1007
# End of Avahi example code
1969
1008
1970
1009
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1971
1010
lambda *args, **kwargs:
1972
(tcp_server.handle_request
1973
(*args[2:], **kwargs) or True))
1011
tcp_server.handle_request\
1012
(*args[2:], **kwargs) or True)
1974
1013
1975
1014
logger.debug(u"Starting main loop")
1976
1015
main_loop.run()
1977
1016
except AvahiError, error:
1978
logger.critical(u"AvahiError: %s", error)
1979
cleanup()
1017
logger.critical(u"AvahiError: %s" + unicode(error))
1980
1018
sys.exit(1)
1981
1019
except KeyboardInterrupt:
1982
1020
if debug:
1983
print >> sys.stderr
1984
logger.debug(u"Server received KeyboardInterrupt")
1985
logger.debug(u"Server exiting")
1986
# Must run before the D-Bus bus name gets deregistered
1987
cleanup()
1021
print
1988
1022
1989
1023
if __name__ == '__main__':
1990
1024
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0