To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.2.1
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.1
- Committer: Teddy Hogeborn
- Date: 2008-12-10 01:26:02 UTC
- mfrom: (237.1.2 mandos)
- mto: (24.1.114 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 238.
- Revision ID: teddy@fukt.bsnet.se-20081210012602-vhz3h75xkj24t340
First version of a somewhat complete D-Bus server interface. Also
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
- files added:
- debian/mandos-client.config
- files removed:
- debian/watch
- files modified:
- INSTALL
added
removed
mandos
11
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008 Teddy Hogeborn
15
# Copyright © 2008 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
35
35
36
36
import SocketServer
37
37
import socket
38
import optparse
38
from optparse import OptionParser
39
39
import datetime
40
40
import errno
41
41
import gnutls.crypto
66
66
import ctypes
67
67
import ctypes.util
68
68
69
version = "1.0.8"
69
version = "1.0.2"
70
70
71
71
logger = logging.Logger('mandos')
72
72
syslogger = (logging.handlers.SysLogHandler
73
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
74
address = "/dev/log"))
75
75
syslogger.setFormatter(logging.Formatter
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
76
('Mandos: %(levelname)s: %(message)s'))
78
77
logger.addHandler(syslogger)
79
78
80
79
console = logging.StreamHandler()
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
83
82
logger.addHandler(console)
84
83
85
84
class AvahiError(Exception):
86
def __init__(self, value, *args, **kwargs):
85
def __init__(self, value):
87
86
self.value = value
88
super(AvahiError, self).__init__(value, *args, **kwargs)
89
def __unicode__(self):
90
return unicode(repr(self.value))
87
super(AvahiError, self).__init__()
88
def __str__(self):
89
return repr(self.value)
91
90
92
91
class AvahiServiceError(AvahiError):
93
92
pass
114
113
"""
115
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
115
servicetype = None, port = None, TXT = None,
117
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
116
domain = "", host = "", max_renames = 32768):
119
117
self.interface = interface
120
118
self.name = name
121
119
self.type = servicetype
125
123
self.host = host
126
124
self.rename_count = 0
127
125
self.max_renames = max_renames
128
self.protocol = protocol
129
126
def rename(self):
130
127
"""Derived from the Avahi example code"""
131
128
if self.rename_count >= self.max_renames:
132
129
logger.critical(u"No suitable Zeroconf service name found"
133
130
u" after %i retries, exiting.",
134
131
self.rename_count)
135
raise AvahiServiceError(u"Too many renames")
132
raise AvahiServiceError("Too many renames")
136
133
self.name = server.GetAlternativeServiceName(self.name)
137
134
logger.info(u"Changing Zeroconf service name to %r ...",
138
135
str(self.name))
160
157
service.name, service.type)
161
158
group.AddService(
162
159
self.interface, # interface
163
self.protocol, # protocol
160
avahi.PROTO_INET6, # protocol
164
161
dbus.UInt32(0), # flags
165
162
self.name, self.type,
166
163
self.domain, self.host,
173
170
# End of Avahi example code
174
171
175
172
176
def _datetime_to_dbus(dt, variant_level=0):
177
"""Convert a UTC datetime.datetime() to a D-Bus type."""
178
return dbus.String(dt.isoformat(), variant_level=variant_level)
173
def _datetime_to_dbus_struct(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus struct.
175
The format is special to this application, since we could not find
176
any other standard way."""
177
return dbus.Struct((dbus.Int16(dt.year),
178
dbus.Byte(dt.month),
179
dbus.Byte(dt.day),
180
dbus.Byte(dt.hour),
181
dbus.Byte(dt.minute),
182
dbus.Byte(dt.second),
183
dbus.UInt32(dt.microsecond)),
184
signature="nyyyyyu",
185
variant_level=variant_level)
179
186
180
187
181
188
class Client(dbus.service.Object):
182
189
"""A representation of a client host served by this server.
183
190
Attributes:
184
name: string; from the config file, used in log messages and
185
D-Bus identifiers
191
name: string; from the config file, used in log messages
186
192
fingerprint: string (40 or 32 hexadecimal digits); used to
187
193
uniquely identify the client
188
194
secret: bytestring; sent verbatim (over TLS) to client
189
195
host: string; available for use by the checker command
190
196
created: datetime.datetime(); (UTC) object creation
191
last_enabled: datetime.datetime(); (UTC)
192
enabled: bool()
197
last_started: datetime.datetime(); (UTC)
198
started: bool()
193
199
last_checked_ok: datetime.datetime(); (UTC) or None
194
200
timeout: datetime.timedelta(); How long from last_checked_ok
195
201
until this client is invalid
196
202
interval: datetime.timedelta(); How often to start a new checker
197
disable_hook: If set, called by disable() as disable_hook(self)
203
stop_hook: If set, called by stop() as stop_hook(self)
198
204
checker: subprocess.Popen(); a running checker process used
199
205
to see if the client lives.
200
206
'None' if no process is running.
201
207
checker_initiator_tag: a gobject event source tag, or None
202
disable_initiator_tag: - '' -
208
stop_initiator_tag: - '' -
203
209
checker_callback_tag: - '' -
204
210
checker_command: string; External command which is run to check if
205
211
client lives. %() expansions are done at
206
212
runtime with vars(self) as dict, so that for
207
213
instance %(name)s can be used in the command.
208
current_checker_command: string; current running checker_command
209
use_dbus: bool(); Whether to provide D-Bus interface and signals
210
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
214
dbus_object_path: dbus.ObjectPath
215
Private attibutes:
216
_timeout: Real variable for 'timeout'
217
_interval: Real variable for 'interval'
218
_timeout_milliseconds: Used when calling gobject.timeout_add()
219
_interval_milliseconds: - '' -
211
220
"""
212
def timeout_milliseconds(self):
213
"Return the 'timeout' attribute in milliseconds"
214
return ((self.timeout.days * 24 * 60 * 60 * 1000)
215
+ (self.timeout.seconds * 1000)
216
+ (self.timeout.microseconds // 1000))
217
218
def interval_milliseconds(self):
219
"Return the 'interval' attribute in milliseconds"
220
return ((self.interval.days * 24 * 60 * 60 * 1000)
221
+ (self.interval.seconds * 1000)
222
+ (self.interval.microseconds // 1000))
223
224
def __init__(self, name = None, disable_hook=None, config=None,
225
use_dbus=True):
221
def _set_timeout(self, timeout):
222
"Setter function for the 'timeout' attribute"
223
self._timeout = timeout
224
self._timeout_milliseconds = ((self.timeout.days
225
* 24 * 60 * 60 * 1000)
226
+ (self.timeout.seconds * 1000)
227
+ (self.timeout.microseconds
228
// 1000))
229
# Emit D-Bus signal
230
self.PropertyChanged(dbus.String(u"timeout"),
231
(dbus.UInt64(self._timeout_milliseconds,
232
variant_level=1)))
233
timeout = property(lambda self: self._timeout, _set_timeout)
234
del _set_timeout
235
236
def _set_interval(self, interval):
237
"Setter function for the 'interval' attribute"
238
self._interval = interval
239
self._interval_milliseconds = ((self.interval.days
240
* 24 * 60 * 60 * 1000)
241
+ (self.interval.seconds
242
* 1000)
243
+ (self.interval.microseconds
244
// 1000))
245
# Emit D-Bus signal
246
self.PropertyChanged(dbus.String(u"interval"),
247
(dbus.UInt64(self._interval_milliseconds,
248
variant_level=1)))
249
interval = property(lambda self: self._interval, _set_interval)
250
del _set_interval
251
252
def __init__(self, name = None, stop_hook=None, config=None):
226
253
"""Note: the 'checker' key in 'config' sets the
227
254
'checker_command' attribute and *not* the 'checker'
228
255
attribute."""
229
self.name = name
256
self.dbus_object_path = (dbus.ObjectPath
257
("/Mandos/clients/"
258
+ name.replace(".", "_")))
259
dbus.service.Object.__init__(self, bus,
260
self.dbus_object_path)
230
261
if config is None:
231
262
config = {}
263
self.name = name
232
264
logger.debug(u"Creating client %r", self.name)
233
self.use_dbus = False # During __init__
234
265
# Uppercase and remove spaces from fingerprint for later
235
266
# comparison purposes with return value from the fingerprint()
236
267
# function
249
280
% self.name)
250
281
self.host = config.get("host", "")
251
282
self.created = datetime.datetime.utcnow()
252
self.enabled = False
253
self.last_enabled = None
283
self.started = False
284
self.last_started = None
254
285
self.last_checked_ok = None
255
286
self.timeout = string_to_delta(config["timeout"])
256
287
self.interval = string_to_delta(config["interval"])
257
self.disable_hook = disable_hook
288
self.stop_hook = stop_hook
258
289
self.checker = None
259
290
self.checker_initiator_tag = None
260
self.disable_initiator_tag = None
291
self.stop_initiator_tag = None
261
292
self.checker_callback_tag = None
262
293
self.checker_command = config["checker"]
263
self.current_checker_command = None
264
self.last_connect = None
265
# Only now, when this client is initialized, can it show up on
266
# the D-Bus
267
self.use_dbus = use_dbus
268
if self.use_dbus:
269
self.dbus_object_path = (dbus.ObjectPath
270
("/clients/"
271
+ self.name.replace(".", "_")))
272
dbus.service.Object.__init__(self, bus,
273
self.dbus_object_path)
274
294
275
def enable(self):
295
def start(self):
276
296
"""Start this client's checker and timeout hooks"""
277
self.last_enabled = datetime.datetime.utcnow()
297
self.last_started = datetime.datetime.utcnow()
278
298
# Schedule a new checker to be started an 'interval' from now,
279
299
# and every interval from then on.
280
300
self.checker_initiator_tag = (gobject.timeout_add
281
(self.interval_milliseconds(),
301
(self._interval_milliseconds,
282
302
self.start_checker))
283
303
# Also start a new checker *right now*.
284
304
self.start_checker()
285
# Schedule a disable() when 'timeout' has passed
286
self.disable_initiator_tag = (gobject.timeout_add
287
(self.timeout_milliseconds(),
288
self.disable))
289
self.enabled = True
290
if self.use_dbus:
291
# Emit D-Bus signals
292
self.PropertyChanged(dbus.String(u"enabled"),
293
dbus.Boolean(True, variant_level=1))
294
self.PropertyChanged(dbus.String(u"last_enabled"),
295
(_datetime_to_dbus(self.last_enabled,
296
variant_level=1)))
305
# Schedule a stop() when 'timeout' has passed
306
self.stop_initiator_tag = (gobject.timeout_add
307
(self._timeout_milliseconds,
308
self.stop))
309
self.started = True
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"started"),
312
dbus.Boolean(True, variant_level=1))
313
self.PropertyChanged(dbus.String(u"last_started"),
314
(_datetime_to_dbus_struct
315
(self.last_started, variant_level=1)))
297
316
298
def disable(self):
299
"""Disable this client."""
300
if not getattr(self, "enabled", False):
317
def stop(self):
318
"""Stop this client."""
319
if not getattr(self, "started", False):
301
320
return False
302
logger.info(u"Disabling client %s", self.name)
303
if getattr(self, "disable_initiator_tag", False):
304
gobject.source_remove(self.disable_initiator_tag)
305
self.disable_initiator_tag = None
321
logger.info(u"Stopping client %s", self.name)
322
if getattr(self, "stop_initiator_tag", False):
323
gobject.source_remove(self.stop_initiator_tag)
324
self.stop_initiator_tag = None
306
325
if getattr(self, "checker_initiator_tag", False):
307
326
gobject.source_remove(self.checker_initiator_tag)
308
327
self.checker_initiator_tag = None
309
328
self.stop_checker()
310
if self.disable_hook:
311
self.disable_hook(self)
312
self.enabled = False
313
if self.use_dbus:
314
# Emit D-Bus signal
315
self.PropertyChanged(dbus.String(u"enabled"),
316
dbus.Boolean(False, variant_level=1))
329
if self.stop_hook:
330
self.stop_hook(self)
331
self.started = False
332
# Emit D-Bus signal
333
self.PropertyChanged(dbus.String(u"started"),
334
dbus.Boolean(False, variant_level=1))
317
335
# Do not run this again if called by a gobject.timeout_add
318
336
return False
319
337
320
338
def __del__(self):
321
self.disable_hook = None
322
self.disable()
339
self.stop_hook = None
340
self.stop()
323
341
324
342
def checker_callback(self, pid, condition, command):
325
343
"""The checker has completed, so take appropriate actions."""
326
344
self.checker_callback_tag = None
327
345
self.checker = None
328
if self.use_dbus:
346
# Emit D-Bus signal
347
self.PropertyChanged(dbus.String(u"checker_running"),
348
dbus.Boolean(False, variant_level=1))
349
if (os.WIFEXITED(condition)
350
and (os.WEXITSTATUS(condition) == 0)):
351
logger.info(u"Checker for %(name)s succeeded",
352
vars(self))
329
353
# Emit D-Bus signal
330
self.PropertyChanged(dbus.String(u"checker_running"),
331
dbus.Boolean(False, variant_level=1))
332
if os.WIFEXITED(condition):
333
exitstatus = os.WEXITSTATUS(condition)
334
if exitstatus == 0:
335
logger.info(u"Checker for %(name)s succeeded",
336
vars(self))
337
self.checked_ok()
338
else:
339
logger.info(u"Checker for %(name)s failed",
340
vars(self))
341
if self.use_dbus:
342
# Emit D-Bus signal
343
self.CheckerCompleted(dbus.Int16(exitstatus),
344
dbus.Int64(condition),
345
dbus.String(command))
346
else:
354
self.CheckerCompleted(dbus.Boolean(True),
355
dbus.UInt16(condition),
356
dbus.String(command))
357
self.bump_timeout()
358
elif not os.WIFEXITED(condition):
347
359
logger.warning(u"Checker for %(name)s crashed?",
348
360
vars(self))
349
if self.use_dbus:
350
# Emit D-Bus signal
351
self.CheckerCompleted(dbus.Int16(-1),
352
dbus.Int64(condition),
353
dbus.String(command))
361
# Emit D-Bus signal
362
self.CheckerCompleted(dbus.Boolean(False),
363
dbus.UInt16(condition),
364
dbus.String(command))
365
else:
366
logger.info(u"Checker for %(name)s failed",
367
vars(self))
368
# Emit D-Bus signal
369
self.CheckerCompleted(dbus.Boolean(False),
370
dbus.UInt16(condition),
371
dbus.String(command))
354
372
355
def checked_ok(self):
373
def bump_timeout(self):
356
374
"""Bump up the timeout for this client.
357
375
This should only be called when the client has been seen,
358
376
alive and well.
359
377
"""
360
378
self.last_checked_ok = datetime.datetime.utcnow()
361
gobject.source_remove(self.disable_initiator_tag)
362
self.disable_initiator_tag = (gobject.timeout_add
363
(self.timeout_milliseconds(),
364
self.disable))
365
if self.use_dbus:
366
# Emit D-Bus signal
367
self.PropertyChanged(
368
dbus.String(u"last_checked_ok"),
369
(_datetime_to_dbus(self.last_checked_ok,
370
variant_level=1)))
379
gobject.source_remove(self.stop_initiator_tag)
380
self.stop_initiator_tag = (gobject.timeout_add
381
(self._timeout_milliseconds,
382
self.stop))
383
self.PropertyChanged(dbus.String(u"last_checked_ok"),
384
(_datetime_to_dbus_struct
385
(self.last_checked_ok,
386
variant_level=1)))
371
387
372
388
def start_checker(self):
373
389
"""Start a new checker subprocess if one is not running.
381
397
# checkers alone, the checker would have to take more time
382
398
# than 'timeout' for the client to be declared invalid, which
383
399
# is as it should be.
384
385
# If a checker exists, make sure it is not a zombie
386
if self.checker is not None:
387
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
388
if pid:
389
logger.warning("Checker was a zombie")
390
gobject.source_remove(self.checker_callback_tag)
391
self.checker_callback(pid, status,
392
self.current_checker_command)
393
# Start a new checker if needed
394
400
if self.checker is None:
395
401
try:
396
402
# In case checker_command has exactly one % operator
406
412
logger.error(u'Could not format string "%s":'
407
413
u' %s', self.checker_command, error)
408
414
return True # Try again later
409
self.current_checker_command = command
410
415
try:
411
416
logger.info(u"Starting checker %r for %s",
412
417
command, self.name)
417
422
self.checker = subprocess.Popen(command,
418
423
close_fds=True,
419
424
shell=True, cwd="/")
420
if self.use_dbus:
421
# Emit D-Bus signal
422
self.CheckerStarted(command)
423
self.PropertyChanged(
424
dbus.String("checker_running"),
425
dbus.Boolean(True, variant_level=1))
425
# Emit D-Bus signal
426
self.CheckerStarted(command)
427
self.PropertyChanged(dbus.String("checker_running"),
428
dbus.Boolean(True, variant_level=1))
426
429
self.checker_callback_tag = (gobject.child_watch_add
427
430
(self.checker.pid,
428
431
self.checker_callback,
429
432
data=command))
430
# The checker may have completed before the gobject
431
# watch was added. Check for this.
432
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
433
if pid:
434
gobject.source_remove(self.checker_callback_tag)
435
self.checker_callback(pid, status, command)
436
433
except OSError, error:
437
434
logger.error(u"Failed to start subprocess: %s",
438
435
error)
456
453
if error.errno != errno.ESRCH: # No such process
457
454
raise
458
455
self.checker = None
459
if self.use_dbus:
460
self.PropertyChanged(dbus.String(u"checker_running"),
461
dbus.Boolean(False, variant_level=1))
456
self.PropertyChanged(dbus.String(u"checker_running"),
457
dbus.Boolean(False, variant_level=1))
462
458
463
459
def still_valid(self):
464
460
"""Has the timeout not yet passed for this client?"""
465
if not getattr(self, "enabled", False):
461
if not getattr(self, "started", False):
466
462
return False
467
463
now = datetime.datetime.utcnow()
468
464
if self.last_checked_ok is None:
471
467
return now < (self.last_checked_ok + self.timeout)
472
468
473
469
## D-Bus methods & signals
474
_interface = u"se.bsnet.fukt.Mandos.Client"
470
_interface = u"org.mandos_system.Mandos.Client"
475
471
476
# CheckedOK - method
477
CheckedOK = dbus.service.method(_interface)(checked_ok)
478
CheckedOK.__name__ = "CheckedOK"
472
# BumpTimeout - method
473
BumpTimeout = dbus.service.method(_interface)(bump_timeout)
474
BumpTimeout.__name__ = "BumpTimeout"
479
475
480
476
# CheckerCompleted - signal
481
@dbus.service.signal(_interface, signature="nxs")
482
def CheckerCompleted(self, exitcode, waitstatus, command):
477
@dbus.service.signal(_interface, signature="bqs")
478
def CheckerCompleted(self, success, condition, command):
483
479
"D-Bus signal"
484
480
pass
485
481
501
497
dbus.String("host"):
502
498
dbus.String(self.host, variant_level=1),
503
499
dbus.String("created"):
504
_datetime_to_dbus(self.created, variant_level=1),
505
dbus.String("last_enabled"):
506
(_datetime_to_dbus(self.last_enabled,
507
variant_level=1)
508
if self.last_enabled is not None
500
_datetime_to_dbus_struct(self.created,
501
variant_level=1),
502
dbus.String("last_started"):
503
(_datetime_to_dbus_struct(self.last_started,
504
variant_level=1)
505
if self.last_started is not None
509
506
else dbus.Boolean(False, variant_level=1)),
510
dbus.String("enabled"):
511
dbus.Boolean(self.enabled, variant_level=1),
507
dbus.String("started"):
508
dbus.Boolean(self.started, variant_level=1),
512
509
dbus.String("last_checked_ok"):
513
(_datetime_to_dbus(self.last_checked_ok,
514
variant_level=1)
510
(_datetime_to_dbus_struct(self.last_checked_ok,
511
variant_level=1)
515
512
if self.last_checked_ok is not None
516
513
else dbus.Boolean (False, variant_level=1)),
517
514
dbus.String("timeout"):
518
dbus.UInt64(self.timeout_milliseconds(),
515
dbus.UInt64(self._timeout_milliseconds,
519
516
variant_level=1),
520
517
dbus.String("interval"):
521
dbus.UInt64(self.interval_milliseconds(),
518
dbus.UInt64(self._interval_milliseconds,
522
519
variant_level=1),
523
520
dbus.String("checker"):
524
521
dbus.String(self.checker_command,
526
523
dbus.String("checker_running"):
527
524
dbus.Boolean(self.checker is not None,
528
525
variant_level=1),
529
dbus.String("object_path"):
530
dbus.ObjectPath(self.dbus_object_path,
531
variant_level=1)
532
526
}, signature="sv")
533
527
534
528
# IsStillValid - method
547
541
def SetChecker(self, checker):
548
542
"D-Bus setter method"
549
543
self.checker_command = checker
550
# Emit D-Bus signal
551
self.PropertyChanged(dbus.String(u"checker"),
552
dbus.String(self.checker_command,
553
variant_level=1))
554
544
555
545
# SetHost - method
556
546
@dbus.service.method(_interface, in_signature="s")
557
547
def SetHost(self, host):
558
548
"D-Bus setter method"
559
549
self.host = host
560
# Emit D-Bus signal
561
self.PropertyChanged(dbus.String(u"host"),
562
dbus.String(self.host, variant_level=1))
563
550
564
551
# SetInterval - method
565
552
@dbus.service.method(_interface, in_signature="t")
566
553
def SetInterval(self, milliseconds):
567
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
568
# Emit D-Bus signal
569
self.PropertyChanged(dbus.String(u"interval"),
570
(dbus.UInt64(self.interval_milliseconds(),
571
variant_level=1)))
554
self.interval = datetime.timdeelta(0, 0, 0, milliseconds)
572
555
573
556
# SetSecret - method
574
557
@dbus.service.method(_interface, in_signature="ay",
581
564
@dbus.service.method(_interface, in_signature="t")
582
565
def SetTimeout(self, milliseconds):
583
566
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
584
# Emit D-Bus signal
585
self.PropertyChanged(dbus.String(u"timeout"),
586
(dbus.UInt64(self.timeout_milliseconds(),
587
variant_level=1)))
588
567
589
# Enable - method
590
Enable = dbus.service.method(_interface)(enable)
591
Enable.__name__ = "Enable"
568
# Start - method
569
Start = dbus.service.method(_interface)(start)
570
Start.__name__ = "Start"
592
571
593
572
# StartChecker - method
594
573
@dbus.service.method(_interface)
596
575
"D-Bus method"
597
576
self.start_checker()
598
577
599
# Disable - method
578
# Stop - method
600
579
@dbus.service.method(_interface)
601
def Disable(self):
580
def Stop(self):
602
581
"D-Bus method"
603
self.disable()
582
self.stop()
604
583
605
584
# StopChecker - method
606
585
StopChecker = dbus.service.method(_interface)(stop_checker)
617
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
618
597
# ...do the normal thing
619
598
return session.peer_certificate
620
list_size = ctypes.c_uint(1)
599
list_size = ctypes.c_uint()
621
600
cert_list = (gnutls.library.functions
622
601
.gnutls_certificate_get_peers
623
602
(session._c_object, ctypes.byref(list_size)))
624
if not bool(cert_list) and list_size.value != 0:
625
raise gnutls.errors.GNUTLSError("error getting peer"
626
" certificate")
627
603
if list_size.value == 0:
628
604
return None
629
605
cert = cert_list[0]
698
674
# using OpenPGP certificates.
699
675
700
676
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
701
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
702
# "+DHE-DSS"))
677
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
678
# "+DHE-DSS"))
703
679
# Use a fallback default, since this MUST be set.
704
680
priority = self.server.settings.get("priority", "NORMAL")
705
681
(gnutls.library.functions
713
689
# Do not run session.bye() here: the session is not
714
690
# established. Just abandon the request.
715
691
return
716
logger.debug(u"Handshake succeeded")
717
692
try:
718
693
fpr = fingerprint(peer_certificate(session))
719
694
except (TypeError, gnutls.errors.GNUTLSError), error:
721
696
session.bye()
722
697
return
723
698
logger.debug(u"Fingerprint: %s", fpr)
724
725
699
for c in self.server.clients:
726
700
if c.fingerprint == fpr:
727
701
client = c
740
714
session.bye()
741
715
return
742
716
## This won't work here, since we're in a fork.
743
# client.checked_ok()
717
# client.bump_timeout()
744
718
sent_size = 0
745
719
while sent_size < len(client.secret):
746
720
sent = session.send(client.secret[sent_size:])
753
727
754
728
class IPv6_TCPServer(SocketServer.ForkingMixIn,
755
729
SocketServer.TCPServer, object):
756
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
730
"""IPv6 TCP server. Accepts 'None' as address and/or port.
757
731
Attributes:
758
732
settings: Server settings
759
733
clients: Set() of Client objects
767
741
if "clients" in kwargs:
768
742
self.clients = kwargs["clients"]
769
743
del kwargs["clients"]
770
if "use_ipv6" in kwargs:
771
if not kwargs["use_ipv6"]:
772
self.address_family = socket.AF_INET
773
del kwargs["use_ipv6"]
774
744
self.enabled = False
775
745
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
776
746
def server_bind(self):
790
760
u" bind to interface %s",
791
761
self.settings["interface"])
792
762
else:
793
raise
763
raise error
794
764
# Only bind(2) the socket if we really need to.
795
765
if self.server_address[0] or self.server_address[1]:
796
766
if not self.server_address[0]:
797
if self.address_family == socket.AF_INET6:
798
any_address = "::" # in6addr_any
799
else:
800
any_address = socket.INADDR_ANY
801
self.server_address = (any_address,
767
in6addr_any = "::"
768
self.server_address = (in6addr_any,
802
769
self.server_address[1])
803
770
elif not self.server_address[1]:
804
771
self.server_address = (self.server_address[0],
820
787
821
788
def string_to_delta(interval):
822
789
"""Parse a string and return a datetime.timedelta
823
790
824
791
>>> string_to_delta('7d')
825
792
datetime.timedelta(7)
826
793
>>> string_to_delta('60s')
878
845
elif state == avahi.ENTRY_GROUP_FAILURE:
879
846
logger.critical(u"Avahi: Error in group state changed %s",
880
847
unicode(error))
881
raise AvahiGroupError(u"State changed: %s" % unicode(error))
848
raise AvahiGroupError("State changed: %s", str(error))
882
849
883
850
def if_nametoindex(interface):
884
851
"""Call the C function if_nametoindex(), or equivalent"""
927
894
928
895
929
896
def main():
930
parser = optparse.OptionParser(version = "%%prog %s" % version)
897
parser = OptionParser(version = "%%prog %s" % version)
931
898
parser.add_option("-i", "--interface", type="string",
932
899
metavar="IF", help="Bind to interface IF")
933
900
parser.add_option("-a", "--address", type="string",
934
901
help="Address to listen for requests on")
935
902
parser.add_option("-p", "--port", type="int",
936
903
help="Port number to receive requests on")
937
parser.add_option("--check", action="store_true",
904
parser.add_option("--check", action="store_true", default=False,
938
905
help="Run self-test")
939
906
parser.add_option("--debug", action="store_true",
940
907
help="Debug mode; run in foreground and log to"
947
914
default="/etc/mandos", metavar="DIR",
948
915
help="Directory to search for configuration"
949
916
" files")
950
parser.add_option("--no-dbus", action="store_false",
951
dest="use_dbus",
952
help="Do not provide D-Bus system bus"
953
" interface")
954
parser.add_option("--no-ipv6", action="store_false",
955
dest="use_ipv6", help="Do not use IPv6")
956
917
options = parser.parse_args()[0]
957
918
958
919
if options.check:
968
929
"priority":
969
930
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
970
931
"servicename": "Mandos",
971
"use_dbus": "True",
972
"use_ipv6": "True",
973
932
}
974
933
975
934
# Parse config file for server-global settings
978
937
server_config.read(os.path.join(options.configdir, "mandos.conf"))
979
938
# Convert the SafeConfigParser object to a dict
980
939
server_settings = server_config.defaults()
981
# Use the appropriate methods on the non-string config options
982
server_settings["debug"] = server_config.getboolean("DEFAULT",
983
"debug")
984
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
985
"use_dbus")
986
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
987
"use_ipv6")
988
if server_settings["port"]:
989
server_settings["port"] = server_config.getint("DEFAULT",
990
"port")
940
# Use getboolean on the boolean config option
941
server_settings["debug"] = (server_config.getboolean
942
("DEFAULT", "debug"))
991
943
del server_config
992
944
993
945
# Override the settings from the config file with command line
994
946
# options, if set.
995
947
for option in ("interface", "address", "port", "debug",
996
"priority", "servicename", "configdir",
997
"use_dbus", "use_ipv6"):
948
"priority", "servicename", "configdir"):
998
949
value = getattr(options, option)
999
950
if value is not None:
1000
951
server_settings[option] = value
1001
952
del options
1002
953
# Now we have our good server settings in "server_settings"
1003
954
1004
# For convenience
1005
955
debug = server_settings["debug"]
1006
use_dbus = server_settings["use_dbus"]
1007
use_ipv6 = server_settings["use_ipv6"]
1008
956
1009
957
if not debug:
1010
958
syslogger.setLevel(logging.WARNING)
1019
967
# Parse config file with clients
1020
968
client_defaults = { "timeout": "1h",
1021
969
"interval": "5m",
1022
"checker": "fping -q -- %%(host)s",
970
"checker": "fping -q -- %(host)s",
1023
971
"host": "",
1024
972
}
1025
973
client_config = ConfigParser.SafeConfigParser(client_defaults)
1031
979
server_settings["port"]),
1032
980
TCP_handler,
1033
981
settings=server_settings,
1034
clients=clients, use_ipv6=use_ipv6)
982
clients=clients)
1035
983
pidfilename = "/var/run/mandos.pid"
1036
984
try:
1037
985
pidfile = open(pidfilename, "w")
1038
except IOError:
986
except IOError, error:
1039
987
logger.error("Could not open file %r", pidfilename)
1040
988
1041
989
try:
1042
990
uid = pwd.getpwnam("_mandos").pw_uid
991
except KeyError:
992
try:
993
uid = pwd.getpwnam("mandos").pw_uid
994
except KeyError:
995
try:
996
uid = pwd.getpwnam("nobody").pw_uid
997
except KeyError:
998
uid = 65534
999
try:
1043
1000
gid = pwd.getpwnam("_mandos").pw_gid
1044
1001
except KeyError:
1045
1002
try:
1046
uid = pwd.getpwnam("mandos").pw_uid
1047
1003
gid = pwd.getpwnam("mandos").pw_gid
1048
1004
except KeyError:
1049
1005
try:
1050
uid = pwd.getpwnam("nobody").pw_uid
1051
1006
gid = pwd.getpwnam("nogroup").pw_gid
1052
1007
except KeyError:
1053
uid = 65534
1054
1008
gid = 65534
1055
1009
try:
1010
os.setuid(uid)
1056
1011
os.setgid(gid)
1057
os.setuid(uid)
1058
1012
except OSError, error:
1059
1013
if error[0] != errno.EPERM:
1060
1014
raise error
1061
1015
1062
# Enable all possible GnuTLS debugging
1063
if debug:
1064
# "Use a log level over 10 to enable all debugging options."
1065
# - GnuTLS manual
1066
gnutls.library.functions.gnutls_global_set_log_level(11)
1067
1068
@gnutls.library.types.gnutls_log_func
1069
def debug_gnutls(level, string):
1070
logger.debug("GnuTLS: %s", string[:-1])
1071
1072
(gnutls.library.functions
1073
.gnutls_global_set_log_function(debug_gnutls))
1074
1075
1016
global service
1076
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1077
1017
service = AvahiService(name = server_settings["servicename"],
1078
servicetype = "_mandos._tcp",
1079
protocol = protocol)
1018
servicetype = "_mandos._tcp", )
1080
1019
if server_settings["interface"]:
1081
1020
service.interface = (if_nametoindex
1082
1021
(server_settings["interface"]))
1092
1031
avahi.DBUS_PATH_SERVER),
1093
1032
avahi.DBUS_INTERFACE_SERVER)
1094
1033
# End of Avahi example code
1095
if use_dbus:
1096
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1034
bus_name = dbus.service.BusName(u"org.mandos-system.Mandos", bus)
1097
1035
1098
1036
clients.update(Set(Client(name = section,
1099
1037
config
1100
= dict(client_config.items(section)),
1101
use_dbus = use_dbus)
1038
= dict(client_config.items(section)))
1102
1039
for section in client_config.sections()))
1103
1040
if not clients:
1104
logger.warning(u"No clients defined")
1041
logger.critical(u"No clients defined")
1042
sys.exit(1)
1105
1043
1106
1044
if debug:
1107
1045
# Redirect stdin so all checkers get /dev/null
1139
1077
1140
1078
while clients:
1141
1079
client = clients.pop()
1142
client.disable_hook = None
1143
client.disable()
1080
client.stop_hook = None
1081
client.stop()
1144
1082
1145
1083
atexit.register(cleanup)
1146
1084
1149
1087
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1150
1088
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1151
1089
1152
if use_dbus:
1153
class MandosServer(dbus.service.Object):
1154
"""A D-Bus proxy object"""
1155
def __init__(self):
1156
dbus.service.Object.__init__(self, bus, "/")
1157
_interface = u"se.bsnet.fukt.Mandos"
1158
1159
@dbus.service.signal(_interface, signature="oa{sv}")
1160
def ClientAdded(self, objpath, properties):
1161
"D-Bus signal"
1162
pass
1163
1164
@dbus.service.signal(_interface, signature="os")
1165
def ClientRemoved(self, objpath, name):
1166
"D-Bus signal"
1167
pass
1168
1169
@dbus.service.method(_interface, out_signature="ao")
1170
def GetAllClients(self):
1171
"D-Bus method"
1172
return dbus.Array(c.dbus_object_path for c in clients)
1173
1174
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1175
def GetAllClientsWithProperties(self):
1176
"D-Bus method"
1177
return dbus.Dictionary(
1178
((c.dbus_object_path, c.GetAllProperties())
1179
for c in clients),
1180
signature="oa{sv}")
1181
1182
@dbus.service.method(_interface, in_signature="o")
1183
def RemoveClient(self, object_path):
1184
"D-Bus method"
1185
for c in clients:
1186
if c.dbus_object_path == object_path:
1187
clients.remove(c)
1188
# Don't signal anything except ClientRemoved
1189
c.use_dbus = False
1190
c.disable()
1191
# Emit D-Bus signal
1192
self.ClientRemoved(object_path, c.name)
1193
return
1194
raise KeyError
1195
1196
del _interface
1197
1198
mandos_server = MandosServer()
1090
class MandosServer(dbus.service.Object):
1091
"""A D-Bus proxy object"""
1092
def __init__(self):
1093
dbus.service.Object.__init__(self, bus,
1094
"/Mandos")
1095
_interface = u"org.mandos_system.Mandos"
1096
1097
@dbus.service.signal(_interface, signature="oa{sv}")
1098
def ClientAdded(self, objpath, properties):
1099
"D-Bus signal"
1100
pass
1101
1102
@dbus.service.signal(_interface, signature="o")
1103
def ClientRemoved(self, objpath):
1104
"D-Bus signal"
1105
pass
1106
1107
@dbus.service.method(_interface, out_signature="ao")
1108
def GetAllClients(self):
1109
return dbus.Array(c.dbus_object_path for c in clients)
1110
1111
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1112
def GetAllClientsWithProperties(self):
1113
return dbus.Dictionary(
1114
((c.dbus_object_path, c.GetAllProperties())
1115
for c in clients),
1116
signature="oa{sv}")
1117
1118
@dbus.service.method(_interface, in_signature="o")
1119
def RemoveClient(self, object_path):
1120
for c in clients:
1121
if c.dbus_object_path == object_path:
1122
c.stop()
1123
clients.remove(c)
1124
return
1125
raise KeyError
1126
1127
del _interface
1128
1129
mandos_server = MandosServer()
1199
1130
1200
1131
for client in clients:
1201
if use_dbus:
1202
# Emit D-Bus signal
1203
mandos_server.ClientAdded(client.dbus_object_path,
1204
client.GetAllProperties())
1205
client.enable()
1132
# Emit D-Bus signal
1133
mandos_server.ClientAdded(client.dbus_object_path,
1134
client.GetAllProperties())
1135
client.start()
1206
1136
1207
1137
tcp_server.enable()
1208
1138
tcp_server.server_activate()
1209
1139
1210
1140
# Find out what port we got
1211
1141
service.port = tcp_server.socket.getsockname()[1]
1212
if use_ipv6:
1213
logger.info(u"Now listening on address %r, port %d,"
1214
" flowinfo %d, scope_id %d"
1215
% tcp_server.socket.getsockname())
1216
else: # IPv4
1217
logger.info(u"Now listening on address %r, port %d"
1218
% tcp_server.socket.getsockname())
1142
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1143
u" scope_id %d" % tcp_server.socket.getsockname())
1219
1144
1220
1145
#service.interface = tcp_server.socket.getsockname()[3]
1221
1146
1237
1162
logger.debug(u"Starting main loop")
1238
1163
main_loop.run()
1239
1164
except AvahiError, error:
1240
logger.critical(u"AvahiError: %s", error)
1165
logger.critical(u"AvahiError: %s" + unicode(error))
1241
1166
sys.exit(1)
1242
1167
except KeyboardInterrupt:
1243
1168
if debug:
1244
print >> sys.stderr
1245
logger.debug("Server received KeyboardInterrupt")
1246
logger.debug("Server exiting")
1169
print
1247
1170
1248
1171
if __name__ == '__main__':
1249
1172
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0