To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.2.145
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.145
- Committer: Teddy Hogeborn
- Date: 2009-09-22 12:48:07 UTC
- mto: (24.1.146 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 270.
- Revision ID: teddy@fukt.bsnet.se-20090922124807-i2cr0zv4vxjv38g4
* mandos-ctl: Made work again after D-Bus API changes.
(datetime_to_milliseconds): Renamed to "timedelta_to_milliseconds".
All callers changed.
(milliseconds_to_string): Use clearer mapping string format.
(string_to_delta): Add some comments.
(datetime_to_milliseconds): Renamed to "timedelta_to_milliseconds".
All callers changed.
(milliseconds_to_string): Use clearer mapping string format.
(string_to_delta): Add some comments.
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer
36
import SocketServer as socketserver
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser
47
import ConfigParser as configparser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
53
52
import subprocess
54
53
import atexit
55
54
import stat
57
56
import logging.handlers
58
57
import pwd
59
58
from contextlib import closing
59
import struct
60
import fcntl
61
import functools
60
62
61
63
import dbus
62
64
import dbus.service
65
67
from dbus.mainloop.glib import DBusGMainLoop
66
68
import ctypes
67
69
import ctypes.util
68
69
version = "1.0.5"
70
71
logger = logging.Logger('mandos')
70
import xml.dom.minidom
71
import inspect
72
73
try:
74
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
75
except AttributeError:
76
try:
77
from IN import SO_BINDTODEVICE
78
except ImportError:
79
SO_BINDTODEVICE = None
80
81
82
version = "1.0.12"
83
84
logger = logging.Logger(u'mandos')
72
85
syslogger = (logging.handlers.SysLogHandler
73
86
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
87
address = "/dev/log"))
75
88
syslogger.setFormatter(logging.Formatter
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
89
(u'Mandos [%(process)d]: %(levelname)s:'
90
u' %(message)s'))
78
91
logger.addHandler(syslogger)
79
92
80
93
console = logging.StreamHandler()
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
94
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
95
u' %(levelname)s:'
96
u' %(message)s'))
83
97
logger.addHandler(console)
84
98
85
99
class AvahiError(Exception):
98
112
99
113
class AvahiService(object):
100
114
"""An Avahi (Zeroconf) service.
115
101
116
Attributes:
102
117
interface: integer; avahi.IF_UNSPEC or an interface index.
103
118
Used to optionally bind to the specified interface.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
119
name: string; Example: u'Mandos'
120
type: string; Example: u'_mandos._tcp'.
106
121
See <http://www.dns-sd.org/ServiceTypes.html>
107
122
port: integer; what port to announce
108
123
TXT: list of strings; TXT record for the service
111
126
max_renames: integer; maximum number of renames
112
127
rename_count: integer; counter so we only rename after collisions
113
128
a sensible number of times
129
group: D-Bus Entry Group
130
server: D-Bus Server
131
bus: dbus.SystemBus()
114
132
"""
115
133
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
134
servicetype = None, port = None, TXT = None,
117
domain = "", host = "", max_renames = 32768):
135
domain = u"", host = u"", max_renames = 32768,
136
protocol = avahi.PROTO_UNSPEC, bus = None):
118
137
self.interface = interface
119
138
self.name = name
120
139
self.type = servicetype
124
143
self.host = host
125
144
self.rename_count = 0
126
145
self.max_renames = max_renames
146
self.protocol = protocol
147
self.group = None # our entry group
148
self.server = None
149
self.bus = bus
127
150
def rename(self):
128
151
"""Derived from the Avahi example code"""
129
152
if self.rename_count >= self.max_renames:
131
154
u" after %i retries, exiting.",
132
155
self.rename_count)
133
156
raise AvahiServiceError(u"Too many renames")
134
self.name = server.GetAlternativeServiceName(self.name)
157
self.name = self.server.GetAlternativeServiceName(self.name)
135
158
logger.info(u"Changing Zeroconf service name to %r ...",
136
str(self.name))
159
unicode(self.name))
137
160
syslogger.setFormatter(logging.Formatter
138
('Mandos (%s): %%(levelname)s:'
139
' %%(message)s' % self.name))
161
(u'Mandos (%s) [%%(process)d]:'
162
u' %%(levelname)s: %%(message)s'
163
% self.name))
140
164
self.remove()
141
165
self.add()
142
166
self.rename_count += 1
143
167
def remove(self):
144
168
"""Derived from the Avahi example code"""
145
if group is not None:
146
group.Reset()
169
if self.group is not None:
170
self.group.Reset()
147
171
def add(self):
148
172
"""Derived from the Avahi example code"""
149
global group
150
if group is None:
151
group = dbus.Interface(bus.get_object
152
(avahi.DBUS_NAME,
153
server.EntryGroupNew()),
154
avahi.DBUS_INTERFACE_ENTRY_GROUP)
155
group.connect_to_signal('StateChanged',
156
entry_group_state_changed)
173
if self.group is None:
174
self.group = dbus.Interface(
175
self.bus.get_object(avahi.DBUS_NAME,
176
self.server.EntryGroupNew()),
177
avahi.DBUS_INTERFACE_ENTRY_GROUP)
178
self.group.connect_to_signal('StateChanged',
179
self
180
.entry_group_state_changed)
157
181
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
158
service.name, service.type)
159
group.AddService(
160
self.interface, # interface
161
avahi.PROTO_INET6, # protocol
162
dbus.UInt32(0), # flags
163
self.name, self.type,
164
self.domain, self.host,
165
dbus.UInt16(self.port),
166
avahi.string_array_to_txt_array(self.TXT))
167
group.Commit()
168
169
# From the Avahi example code:
170
group = None # our entry group
171
# End of Avahi example code
172
173
174
def _datetime_to_dbus(dt, variant_level=0):
175
"""Convert a UTC datetime.datetime() to a D-Bus type."""
176
return dbus.String(dt.isoformat(), variant_level=variant_level)
177
178
179
class Client(dbus.service.Object):
182
self.name, self.type)
183
self.group.AddService(
184
self.interface,
185
self.protocol,
186
dbus.UInt32(0), # flags
187
self.name, self.type,
188
self.domain, self.host,
189
dbus.UInt16(self.port),
190
avahi.string_array_to_txt_array(self.TXT))
191
self.group.Commit()
192
def entry_group_state_changed(self, state, error):
193
"""Derived from the Avahi example code"""
194
logger.debug(u"Avahi state change: %i", state)
195
196
if state == avahi.ENTRY_GROUP_ESTABLISHED:
197
logger.debug(u"Zeroconf service established.")
198
elif state == avahi.ENTRY_GROUP_COLLISION:
199
logger.warning(u"Zeroconf service name collision.")
200
self.rename()
201
elif state == avahi.ENTRY_GROUP_FAILURE:
202
logger.critical(u"Avahi: Error in group state changed %s",
203
unicode(error))
204
raise AvahiGroupError(u"State changed: %s"
205
% unicode(error))
206
def cleanup(self):
207
"""Derived from the Avahi example code"""
208
if self.group is not None:
209
self.group.Free()
210
self.group = None
211
def server_state_changed(self, state):
212
"""Derived from the Avahi example code"""
213
if state == avahi.SERVER_COLLISION:
214
logger.error(u"Zeroconf server name collision")
215
self.remove()
216
elif state == avahi.SERVER_RUNNING:
217
self.add()
218
def activate(self):
219
"""Derived from the Avahi example code"""
220
if self.server is None:
221
self.server = dbus.Interface(
222
self.bus.get_object(avahi.DBUS_NAME,
223
avahi.DBUS_PATH_SERVER),
224
avahi.DBUS_INTERFACE_SERVER)
225
self.server.connect_to_signal(u"StateChanged",
226
self.server_state_changed)
227
self.server_state_changed(self.server.GetState())
228
229
230
class Client(object):
180
231
"""A representation of a client host served by this server.
232
181
233
Attributes:
182
234
name: string; from the config file, used in log messages and
183
235
D-Bus identifiers
197
249
to see if the client lives.
198
250
'None' if no process is running.
199
251
checker_initiator_tag: a gobject event source tag, or None
200
disable_initiator_tag: - '' -
252
disable_initiator_tag: - '' -
201
253
checker_callback_tag: - '' -
202
254
checker_command: string; External command which is run to check if
203
255
client lives. %() expansions are done at
204
256
runtime with vars(self) as dict, so that for
205
257
instance %(name)s can be used in the command.
206
use_dbus: bool(); Whether to provide D-Bus interface and signals
207
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
258
current_checker_command: string; current running checker_command
208
259
"""
260
261
@staticmethod
262
def _timedelta_to_milliseconds(td):
263
"Convert a datetime.timedelta() to milliseconds"
264
return ((td.days * 24 * 60 * 60 * 1000)
265
+ (td.seconds * 1000)
266
+ (td.microseconds // 1000))
267
209
268
def timeout_milliseconds(self):
210
269
"Return the 'timeout' attribute in milliseconds"
211
return ((self.timeout.days * 24 * 60 * 60 * 1000)
212
+ (self.timeout.seconds * 1000)
213
+ (self.timeout.microseconds // 1000))
270
return self._timedelta_to_milliseconds(self.timeout)
214
271
215
272
def interval_milliseconds(self):
216
273
"Return the 'interval' attribute in milliseconds"
217
return ((self.interval.days * 24 * 60 * 60 * 1000)
218
+ (self.interval.seconds * 1000)
219
+ (self.interval.microseconds // 1000))
274
return self._timedelta_to_milliseconds(self.interval)
220
275
221
def __init__(self, name = None, disable_hook=None, config=None,
222
use_dbus=True):
276
def __init__(self, name = None, disable_hook=None, config=None):
223
277
"""Note: the 'checker' key in 'config' sets the
224
278
'checker_command' attribute and *not* the 'checker'
225
279
attribute."""
227
281
if config is None:
228
282
config = {}
229
283
logger.debug(u"Creating client %r", self.name)
230
self.use_dbus = False # During __init__
231
284
# Uppercase and remove spaces from fingerprint for later
232
285
# comparison purposes with return value from the fingerprint()
233
286
# function
234
self.fingerprint = (config["fingerprint"].upper()
287
self.fingerprint = (config[u"fingerprint"].upper()
235
288
.replace(u" ", u""))
236
289
logger.debug(u" Fingerprint: %s", self.fingerprint)
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
290
if u"secret" in config:
291
self.secret = config[u"secret"].decode(u"base64")
292
elif u"secfile" in config:
240
293
with closing(open(os.path.expanduser
241
294
(os.path.expandvars
242
(config["secfile"])))) as secfile:
295
(config[u"secfile"])))) as secfile:
243
296
self.secret = secfile.read()
244
297
else:
245
298
raise TypeError(u"No secret or secfile for client %s"
246
299
% self.name)
247
self.host = config.get("host", "")
300
self.host = config.get(u"host", u"")
248
301
self.created = datetime.datetime.utcnow()
249
302
self.enabled = False
250
303
self.last_enabled = None
251
304
self.last_checked_ok = None
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
305
self.timeout = string_to_delta(config[u"timeout"])
306
self.interval = string_to_delta(config[u"interval"])
254
307
self.disable_hook = disable_hook
255
308
self.checker = None
256
309
self.checker_initiator_tag = None
257
310
self.disable_initiator_tag = None
258
311
self.checker_callback_tag = None
259
self.checker_command = config["checker"]
312
self.checker_command = config[u"checker"]
313
self.current_checker_command = None
260
314
self.last_connect = None
261
# Only now, when this client is initialized, can it show up on
262
# the D-Bus
263
self.use_dbus = use_dbus
264
if self.use_dbus:
265
self.dbus_object_path = (dbus.ObjectPath
266
("/clients/"
267
+ self.name.replace(".", "_")))
268
dbus.service.Object.__init__(self, bus,
269
self.dbus_object_path)
270
315
271
316
def enable(self):
272
317
"""Start this client's checker and timeout hooks"""
318
if getattr(self, u"enabled", False):
319
# Already enabled
320
return
273
321
self.last_enabled = datetime.datetime.utcnow()
274
322
# Schedule a new checker to be started an 'interval' from now,
275
323
# and every interval from then on.
283
331
(self.timeout_milliseconds(),
284
332
self.disable))
285
333
self.enabled = True
286
if self.use_dbus:
287
# Emit D-Bus signals
288
self.PropertyChanged(dbus.String(u"enabled"),
289
dbus.Boolean(True, variant_level=1))
290
self.PropertyChanged(dbus.String(u"last_enabled"),
291
(_datetime_to_dbus(self.last_enabled,
292
variant_level=1)))
293
334
294
335
def disable(self):
295
336
"""Disable this client."""
296
337
if not getattr(self, "enabled", False):
297
338
return False
298
339
logger.info(u"Disabling client %s", self.name)
299
if getattr(self, "disable_initiator_tag", False):
340
if getattr(self, u"disable_initiator_tag", False):
300
341
gobject.source_remove(self.disable_initiator_tag)
301
342
self.disable_initiator_tag = None
302
if getattr(self, "checker_initiator_tag", False):
343
if getattr(self, u"checker_initiator_tag", False):
303
344
gobject.source_remove(self.checker_initiator_tag)
304
345
self.checker_initiator_tag = None
305
346
self.stop_checker()
306
347
if self.disable_hook:
307
348
self.disable_hook(self)
308
349
self.enabled = False
309
if self.use_dbus:
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"enabled"),
312
dbus.Boolean(False, variant_level=1))
313
350
# Do not run this again if called by a gobject.timeout_add
314
351
return False
315
352
321
358
"""The checker has completed, so take appropriate actions."""
322
359
self.checker_callback_tag = None
323
360
self.checker = None
324
if self.use_dbus:
325
# Emit D-Bus signal
326
self.PropertyChanged(dbus.String(u"checker_running"),
327
dbus.Boolean(False, variant_level=1))
328
361
if os.WIFEXITED(condition):
329
362
exitstatus = os.WEXITSTATUS(condition)
330
363
if exitstatus == 0:
334
367
else:
335
368
logger.info(u"Checker for %(name)s failed",
336
369
vars(self))
337
if self.use_dbus:
338
# Emit D-Bus signal
339
self.CheckerCompleted(dbus.Int16(exitstatus),
340
dbus.Int64(condition),
341
dbus.String(command))
342
370
else:
343
371
logger.warning(u"Checker for %(name)s crashed?",
344
372
vars(self))
345
if self.use_dbus:
346
# Emit D-Bus signal
347
self.CheckerCompleted(dbus.Int16(-1),
348
dbus.Int64(condition),
349
dbus.String(command))
350
373
351
374
def checked_ok(self):
352
375
"""Bump up the timeout for this client.
376
353
377
This should only be called when the client has been seen,
354
378
alive and well.
355
379
"""
358
382
self.disable_initiator_tag = (gobject.timeout_add
359
383
(self.timeout_milliseconds(),
360
384
self.disable))
361
if self.use_dbus:
362
# Emit D-Bus signal
363
self.PropertyChanged(
364
dbus.String(u"last_checked_ok"),
365
(_datetime_to_dbus(self.last_checked_ok,
366
variant_level=1)))
367
385
368
386
def start_checker(self):
369
387
"""Start a new checker subprocess if one is not running.
388
370
389
If a checker already exists, leave it running and do
371
390
nothing."""
372
391
# The reason for not killing a running checker is that if we
377
396
# checkers alone, the checker would have to take more time
378
397
# than 'timeout' for the client to be declared invalid, which
379
398
# is as it should be.
399
400
# If a checker exists, make sure it is not a zombie
401
if self.checker is not None:
402
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
403
if pid:
404
logger.warning(u"Checker was a zombie")
405
gobject.source_remove(self.checker_callback_tag)
406
self.checker_callback(pid, status,
407
self.current_checker_command)
408
# Start a new checker if needed
380
409
if self.checker is None:
381
410
try:
382
411
# In case checker_command has exactly one % operator
383
412
command = self.checker_command % self.host
384
413
except TypeError:
385
414
# Escape attributes for the shell
386
escaped_attrs = dict((key, re.escape(str(val)))
415
escaped_attrs = dict((key,
416
re.escape(unicode(str(val),
417
errors=
418
u'replace')))
387
419
for key, val in
388
420
vars(self).iteritems())
389
421
try:
392
424
logger.error(u'Could not format string "%s":'
393
425
u' %s', self.checker_command, error)
394
426
return True # Try again later
427
self.current_checker_command = command
395
428
try:
396
429
logger.info(u"Starting checker %r for %s",
397
430
command, self.name)
401
434
# always replaced by /dev/null.)
402
435
self.checker = subprocess.Popen(command,
403
436
close_fds=True,
404
shell=True, cwd="/")
405
if self.use_dbus:
406
# Emit D-Bus signal
407
self.CheckerStarted(command)
408
self.PropertyChanged(
409
dbus.String("checker_running"),
410
dbus.Boolean(True, variant_level=1))
437
shell=True, cwd=u"/")
411
438
self.checker_callback_tag = (gobject.child_watch_add
412
439
(self.checker.pid,
413
440
self.checker_callback,
429
456
if self.checker_callback_tag:
430
457
gobject.source_remove(self.checker_callback_tag)
431
458
self.checker_callback_tag = None
432
if getattr(self, "checker", None) is None:
459
if getattr(self, u"checker", None) is None:
433
460
return
434
461
logger.debug(u"Stopping checker for %(name)s", vars(self))
435
462
try:
441
468
if error.errno != errno.ESRCH: # No such process
442
469
raise
443
470
self.checker = None
444
if self.use_dbus:
445
self.PropertyChanged(dbus.String(u"checker_running"),
446
dbus.Boolean(False, variant_level=1))
447
471
448
472
def still_valid(self):
449
473
"""Has the timeout not yet passed for this client?"""
450
if not getattr(self, "enabled", False):
474
if not getattr(self, u"enabled", False):
451
475
return False
452
476
now = datetime.datetime.utcnow()
453
477
if self.last_checked_ok is None:
454
478
return now < (self.created + self.timeout)
455
479
else:
456
480
return now < (self.last_checked_ok + self.timeout)
481
482
483
def dbus_service_property(dbus_interface, signature=u"v",
484
access=u"readwrite", byte_arrays=False):
485
"""Decorators for marking methods of a DBusObjectWithProperties to
486
become properties on the D-Bus.
487
488
The decorated method will be called with no arguments by "Get"
489
and with one argument by "Set".
490
491
The parameters, where they are supported, are the same as
492
dbus.service.method, except there is only "signature", since the
493
type from Get() and the type sent to Set() is the same.
494
"""
495
def decorator(func):
496
func._dbus_is_property = True
497
func._dbus_interface = dbus_interface
498
func._dbus_signature = signature
499
func._dbus_access = access
500
func._dbus_name = func.__name__
501
if func._dbus_name.endswith(u"_dbus_property"):
502
func._dbus_name = func._dbus_name[:-14]
503
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
504
return func
505
return decorator
506
507
508
class DBusPropertyException(dbus.exceptions.DBusException):
509
"""A base class for D-Bus property-related exceptions
510
"""
511
def __unicode__(self):
512
return unicode(str(self))
513
514
515
class DBusPropertyAccessException(DBusPropertyException):
516
"""A property's access permissions disallows an operation.
517
"""
518
pass
519
520
521
class DBusPropertyNotFound(DBusPropertyException):
522
"""An attempt was made to access a non-existing property.
523
"""
524
pass
525
526
527
class DBusObjectWithProperties(dbus.service.Object):
528
"""A D-Bus object with properties.
529
530
Classes inheriting from this can use the dbus_service_property
531
decorator to expose methods as D-Bus properties. It exposes the
532
standard Get(), Set(), and GetAll() methods on the D-Bus.
533
"""
534
535
@staticmethod
536
def _is_dbus_property(obj):
537
return getattr(obj, u"_dbus_is_property", False)
538
539
def _get_all_dbus_properties(self):
540
"""Returns a generator of (name, attribute) pairs
541
"""
542
return ((prop._dbus_name, prop)
543
for name, prop in
544
inspect.getmembers(self, self._is_dbus_property))
545
546
def _get_dbus_property(self, interface_name, property_name):
547
"""Returns a bound method if one exists which is a D-Bus
548
property with the specified name and interface.
549
"""
550
for name in (property_name,
551
property_name + u"_dbus_property"):
552
prop = getattr(self, name, None)
553
if (prop is None
554
or not self._is_dbus_property(prop)
555
or prop._dbus_name != property_name
556
or (interface_name and prop._dbus_interface
557
and interface_name != prop._dbus_interface)):
558
continue
559
return prop
560
# No such property
561
raise DBusPropertyNotFound(self.dbus_object_path + u":"
562
+ interface_name + u"."
563
+ property_name)
564
565
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
566
out_signature=u"v")
567
def Get(self, interface_name, property_name):
568
"""Standard D-Bus property Get() method, see D-Bus standard.
569
"""
570
prop = self._get_dbus_property(interface_name, property_name)
571
if prop._dbus_access == u"write":
572
raise DBusPropertyAccessException(property_name)
573
value = prop()
574
if not hasattr(value, u"variant_level"):
575
return value
576
return type(value)(value, variant_level=value.variant_level+1)
577
578
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
579
def Set(self, interface_name, property_name, value):
580
"""Standard D-Bus property Set() method, see D-Bus standard.
581
"""
582
prop = self._get_dbus_property(interface_name, property_name)
583
if prop._dbus_access == u"read":
584
raise DBusPropertyAccessException(property_name)
585
if prop._dbus_get_args_options[u"byte_arrays"]:
586
value = dbus.ByteArray(''.join(unichr(byte)
587
for byte in value))
588
prop(value)
589
590
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
591
out_signature=u"a{sv}")
592
def GetAll(self, interface_name):
593
"""Standard D-Bus property GetAll() method, see D-Bus
594
standard.
595
596
Note: Will not include properties with access="write".
597
"""
598
all = {}
599
for name, prop in self._get_all_dbus_properties():
600
if (interface_name
601
and interface_name != prop._dbus_interface):
602
# Interface non-empty but did not match
603
continue
604
# Ignore write-only properties
605
if prop._dbus_access == u"write":
606
continue
607
value = prop()
608
if not hasattr(value, u"variant_level"):
609
all[name] = value
610
continue
611
all[name] = type(value)(value, variant_level=
612
value.variant_level+1)
613
return dbus.Dictionary(all, signature=u"sv")
614
615
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
616
out_signature=u"s",
617
path_keyword='object_path',
618
connection_keyword='connection')
619
def Introspect(self, object_path, connection):
620
"""Standard D-Bus method, overloaded to insert property tags.
621
"""
622
xmlstring = dbus.service.Object.Introspect(self, object_path,
623
connection)
624
document = xml.dom.minidom.parseString(xmlstring)
625
del xmlstring
626
def make_tag(document, name, prop):
627
e = document.createElement(u"property")
628
e.setAttribute(u"name", name)
629
e.setAttribute(u"type", prop._dbus_signature)
630
e.setAttribute(u"access", prop._dbus_access)
631
return e
632
for if_tag in document.getElementsByTagName(u"interface"):
633
for tag in (make_tag(document, name, prop)
634
for name, prop
635
in self._get_all_dbus_properties()
636
if prop._dbus_interface
637
== if_tag.getAttribute(u"name")):
638
if_tag.appendChild(tag)
639
xmlstring = document.toxml(u"utf-8")
640
document.unlink()
641
return xmlstring
642
643
644
class ClientDBus(Client, DBusObjectWithProperties):
645
"""A Client class using D-Bus
646
647
Attributes:
648
dbus_object_path: dbus.ObjectPath
649
bus: dbus.SystemBus()
650
"""
651
# dbus.service.Object doesn't use super(), so we can't either.
652
653
def __init__(self, bus = None, *args, **kwargs):
654
self.bus = bus
655
Client.__init__(self, *args, **kwargs)
656
# Only now, when this client is initialized, can it show up on
657
# the D-Bus
658
self.dbus_object_path = (dbus.ObjectPath
659
(u"/clients/"
660
+ self.name.replace(u".", u"_")))
661
DBusObjectWithProperties.__init__(self, self.bus,
662
self.dbus_object_path)
663
664
@staticmethod
665
def _datetime_to_dbus(dt, variant_level=0):
666
"""Convert a UTC datetime.datetime() to a D-Bus type."""
667
return dbus.String(dt.isoformat(),
668
variant_level=variant_level)
669
670
def enable(self):
671
oldstate = getattr(self, u"enabled", False)
672
r = Client.enable(self)
673
if oldstate != self.enabled:
674
# Emit D-Bus signals
675
self.PropertyChanged(dbus.String(u"enabled"),
676
dbus.Boolean(True, variant_level=1))
677
self.PropertyChanged(
678
dbus.String(u"last_enabled"),
679
self._datetime_to_dbus(self.last_enabled,
680
variant_level=1))
681
return r
682
683
def disable(self, signal = True):
684
oldstate = getattr(self, u"enabled", False)
685
r = Client.disable(self)
686
if signal and oldstate != self.enabled:
687
# Emit D-Bus signal
688
self.PropertyChanged(dbus.String(u"enabled"),
689
dbus.Boolean(False, variant_level=1))
690
return r
691
692
def __del__(self, *args, **kwargs):
693
try:
694
self.remove_from_connection()
695
except LookupError:
696
pass
697
if hasattr(DBusObjectWithProperties, u"__del__"):
698
DBusObjectWithProperties.__del__(self, *args, **kwargs)
699
Client.__del__(self, *args, **kwargs)
700
701
def checker_callback(self, pid, condition, command,
702
*args, **kwargs):
703
self.checker_callback_tag = None
704
self.checker = None
705
# Emit D-Bus signal
706
self.PropertyChanged(dbus.String(u"checker_running"),
707
dbus.Boolean(False, variant_level=1))
708
if os.WIFEXITED(condition):
709
exitstatus = os.WEXITSTATUS(condition)
710
# Emit D-Bus signal
711
self.CheckerCompleted(dbus.Int16(exitstatus),
712
dbus.Int64(condition),
713
dbus.String(command))
714
else:
715
# Emit D-Bus signal
716
self.CheckerCompleted(dbus.Int16(-1),
717
dbus.Int64(condition),
718
dbus.String(command))
719
720
return Client.checker_callback(self, pid, condition, command,
721
*args, **kwargs)
722
723
def checked_ok(self, *args, **kwargs):
724
r = Client.checked_ok(self, *args, **kwargs)
725
# Emit D-Bus signal
726
self.PropertyChanged(
727
dbus.String(u"last_checked_ok"),
728
(self._datetime_to_dbus(self.last_checked_ok,
729
variant_level=1)))
730
return r
731
732
def start_checker(self, *args, **kwargs):
733
old_checker = self.checker
734
if self.checker is not None:
735
old_checker_pid = self.checker.pid
736
else:
737
old_checker_pid = None
738
r = Client.start_checker(self, *args, **kwargs)
739
# Only if new checker process was started
740
if (self.checker is not None
741
and old_checker_pid != self.checker.pid):
742
# Emit D-Bus signal
743
self.CheckerStarted(self.current_checker_command)
744
self.PropertyChanged(
745
dbus.String(u"checker_running"),
746
dbus.Boolean(True, variant_level=1))
747
return r
748
749
def stop_checker(self, *args, **kwargs):
750
old_checker = getattr(self, u"checker", None)
751
r = Client.stop_checker(self, *args, **kwargs)
752
if (old_checker is not None
753
and getattr(self, u"checker", None) is None):
754
self.PropertyChanged(dbus.String(u"checker_running"),
755
dbus.Boolean(False, variant_level=1))
756
return r
457
757
458
758
## D-Bus methods & signals
459
759
_interface = u"se.bsnet.fukt.Mandos.Client"
460
760
461
761
# CheckedOK - method
462
CheckedOK = dbus.service.method(_interface)(checked_ok)
463
CheckedOK.__name__ = "CheckedOK"
762
@dbus.service.method(_interface)
763
def CheckedOK(self):
764
return self.checked_ok()
464
765
465
766
# CheckerCompleted - signal
466
@dbus.service.signal(_interface, signature="nxs")
767
@dbus.service.signal(_interface, signature=u"nxs")
467
768
def CheckerCompleted(self, exitcode, waitstatus, command):
468
769
"D-Bus signal"
469
770
pass
470
771
471
772
# CheckerStarted - signal
472
@dbus.service.signal(_interface, signature="s")
773
@dbus.service.signal(_interface, signature=u"s")
473
774
def CheckerStarted(self, command):
474
775
"D-Bus signal"
475
776
pass
476
777
477
# GetAllProperties - method
478
@dbus.service.method(_interface, out_signature="a{sv}")
479
def GetAllProperties(self):
480
"D-Bus method"
481
return dbus.Dictionary({
482
dbus.String("name"):
483
dbus.String(self.name, variant_level=1),
484
dbus.String("fingerprint"):
485
dbus.String(self.fingerprint, variant_level=1),
486
dbus.String("host"):
487
dbus.String(self.host, variant_level=1),
488
dbus.String("created"):
489
_datetime_to_dbus(self.created, variant_level=1),
490
dbus.String("last_enabled"):
491
(_datetime_to_dbus(self.last_enabled,
492
variant_level=1)
493
if self.last_enabled is not None
494
else dbus.Boolean(False, variant_level=1)),
495
dbus.String("enabled"):
496
dbus.Boolean(self.enabled, variant_level=1),
497
dbus.String("last_checked_ok"):
498
(_datetime_to_dbus(self.last_checked_ok,
499
variant_level=1)
500
if self.last_checked_ok is not None
501
else dbus.Boolean (False, variant_level=1)),
502
dbus.String("timeout"):
503
dbus.UInt64(self.timeout_milliseconds(),
504
variant_level=1),
505
dbus.String("interval"):
506
dbus.UInt64(self.interval_milliseconds(),
507
variant_level=1),
508
dbus.String("checker"):
509
dbus.String(self.checker_command,
510
variant_level=1),
511
dbus.String("checker_running"):
512
dbus.Boolean(self.checker is not None,
513
variant_level=1),
514
dbus.String("object_path"):
515
dbus.ObjectPath(self.dbus_object_path,
516
variant_level=1)
517
}, signature="sv")
518
519
# IsStillValid - method
520
IsStillValid = (dbus.service.method(_interface, out_signature="b")
521
(still_valid))
522
IsStillValid.__name__ = "IsStillValid"
523
524
778
# PropertyChanged - signal
525
@dbus.service.signal(_interface, signature="sv")
779
@dbus.service.signal(_interface, signature=u"sv")
526
780
def PropertyChanged(self, property, value):
527
781
"D-Bus signal"
528
782
pass
529
783
530
# SetChecker - method
531
@dbus.service.method(_interface, in_signature="s")
532
def SetChecker(self, checker):
533
"D-Bus setter method"
534
self.checker_command = checker
535
# Emit D-Bus signal
536
self.PropertyChanged(dbus.String(u"checker"),
537
dbus.String(self.checker_command,
538
variant_level=1))
539
540
# SetHost - method
541
@dbus.service.method(_interface, in_signature="s")
542
def SetHost(self, host):
543
"D-Bus setter method"
544
self.host = host
545
# Emit D-Bus signal
546
self.PropertyChanged(dbus.String(u"host"),
547
dbus.String(self.host, variant_level=1))
548
549
# SetInterval - method
550
@dbus.service.method(_interface, in_signature="t")
551
def SetInterval(self, milliseconds):
552
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
553
# Emit D-Bus signal
554
self.PropertyChanged(dbus.String(u"interval"),
555
(dbus.UInt64(self.interval_milliseconds(),
556
variant_level=1)))
557
558
# SetSecret - method
559
@dbus.service.method(_interface, in_signature="ay",
560
byte_arrays=True)
561
def SetSecret(self, secret):
562
"D-Bus setter method"
563
self.secret = str(secret)
564
565
# SetTimeout - method
566
@dbus.service.method(_interface, in_signature="t")
567
def SetTimeout(self, milliseconds):
568
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
569
# Emit D-Bus signal
570
self.PropertyChanged(dbus.String(u"timeout"),
571
(dbus.UInt64(self.timeout_milliseconds(),
572
variant_level=1)))
784
# ReceivedSecret - signal
785
@dbus.service.signal(_interface)
786
def ReceivedSecret(self):
787
"D-Bus signal"
788
pass
789
790
# Rejected - signal
791
@dbus.service.signal(_interface)
792
def Rejected(self):
793
"D-Bus signal"
794
pass
573
795
574
796
# Enable - method
575
Enable = dbus.service.method(_interface)(enable)
576
Enable.__name__ = "Enable"
797
@dbus.service.method(_interface)
798
def Enable(self):
799
"D-Bus method"
800
self.enable()
577
801
578
802
# StartChecker - method
579
803
@dbus.service.method(_interface)
588
812
self.disable()
589
813
590
814
# StopChecker - method
591
StopChecker = dbus.service.method(_interface)(stop_checker)
592
StopChecker.__name__ = "StopChecker"
815
@dbus.service.method(_interface)
816
def StopChecker(self):
817
self.stop_checker()
818
819
# name - property
820
@dbus_service_property(_interface, signature=u"s", access=u"read")
821
def name_dbus_property(self):
822
return dbus.String(self.name)
823
824
# fingerprint - property
825
@dbus_service_property(_interface, signature=u"s", access=u"read")
826
def fingerprint_dbus_property(self):
827
return dbus.String(self.fingerprint)
828
829
# host - property
830
@dbus_service_property(_interface, signature=u"s",
831
access=u"readwrite")
832
def host_dbus_property(self, value=None):
833
if value is None: # get
834
return dbus.String(self.host)
835
self.host = value
836
# Emit D-Bus signal
837
self.PropertyChanged(dbus.String(u"host"),
838
dbus.String(value, variant_level=1))
839
840
# created - property
841
@dbus_service_property(_interface, signature=u"s", access=u"read")
842
def created_dbus_property(self):
843
return dbus.String(self._datetime_to_dbus(self.created))
844
845
# last_enabled - property
846
@dbus_service_property(_interface, signature=u"s", access=u"read")
847
def last_enabled_dbus_property(self):
848
if self.last_enabled is None:
849
return dbus.String(u"")
850
return dbus.String(self._datetime_to_dbus(self.last_enabled))
851
852
# enabled - property
853
@dbus_service_property(_interface, signature=u"b",
854
access=u"readwrite")
855
def enabled_dbus_property(self, value=None):
856
if value is None: # get
857
return dbus.Boolean(self.enabled)
858
if value:
859
self.enable()
860
else:
861
self.disable()
862
863
# last_checked_ok - property
864
@dbus_service_property(_interface, signature=u"s",
865
access=u"readwrite")
866
def last_checked_ok_dbus_property(self, value=None):
867
if value is not None:
868
self.checked_ok()
869
return
870
if self.last_checked_ok is None:
871
return dbus.String(u"")
872
return dbus.String(self._datetime_to_dbus(self
873
.last_checked_ok))
874
875
# timeout - property
876
@dbus_service_property(_interface, signature=u"t",
877
access=u"readwrite")
878
def timeout_dbus_property(self, value=None):
879
if value is None: # get
880
return dbus.UInt64(self.timeout_milliseconds())
881
self.timeout = datetime.timedelta(0, 0, 0, value)
882
# Emit D-Bus signal
883
self.PropertyChanged(dbus.String(u"timeout"),
884
dbus.UInt64(value, variant_level=1))
885
if getattr(self, u"disable_initiator_tag", None) is None:
886
return
887
# Reschedule timeout
888
gobject.source_remove(self.disable_initiator_tag)
889
self.disable_initiator_tag = None
890
time_to_die = (self.
891
_timedelta_to_milliseconds((self
892
.last_checked_ok
893
+ self.timeout)
894
- datetime.datetime
895
.utcnow()))
896
if time_to_die <= 0:
897
# The timeout has passed
898
self.disable()
899
else:
900
self.disable_initiator_tag = (gobject.timeout_add
901
(time_to_die, self.disable))
902
903
# interval - property
904
@dbus_service_property(_interface, signature=u"t",
905
access=u"readwrite")
906
def interval_dbus_property(self, value=None):
907
if value is None: # get
908
return dbus.UInt64(self.interval_milliseconds())
909
self.interval = datetime.timedelta(0, 0, 0, value)
910
# Emit D-Bus signal
911
self.PropertyChanged(dbus.String(u"interval"),
912
dbus.UInt64(value, variant_level=1))
913
if getattr(self, u"checker_initiator_tag", None) is None:
914
return
915
# Reschedule checker run
916
gobject.source_remove(self.checker_initiator_tag)
917
self.checker_initiator_tag = (gobject.timeout_add
918
(value, self.start_checker))
919
self.start_checker() # Start one now, too
920
921
# checker - property
922
@dbus_service_property(_interface, signature=u"s",
923
access=u"readwrite")
924
def checker_dbus_property(self, value=None):
925
if value is None: # get
926
return dbus.String(self.checker_command)
927
self.checker_command = value
928
# Emit D-Bus signal
929
self.PropertyChanged(dbus.String(u"checker"),
930
dbus.String(self.checker_command,
931
variant_level=1))
932
933
# checker_running - property
934
@dbus_service_property(_interface, signature=u"b",
935
access=u"readwrite")
936
def checker_running_dbus_property(self, value=None):
937
if value is None: # get
938
return dbus.Boolean(self.checker is not None)
939
if value:
940
self.start_checker()
941
else:
942
self.stop_checker()
943
944
# object_path - property
945
@dbus_service_property(_interface, signature=u"o", access=u"read")
946
def object_path_dbus_property(self):
947
return self.dbus_object_path # is already a dbus.ObjectPath
948
949
# secret = property
950
@dbus_service_property(_interface, signature=u"ay",
951
access=u"write", byte_arrays=True)
952
def secret_dbus_property(self, value):
953
self.secret = str(value)
593
954
594
955
del _interface
595
956
596
957
597
def peer_certificate(session):
598
"Return the peer's OpenPGP certificate as a bytestring"
599
# If not an OpenPGP certificate...
600
if (gnutls.library.functions
601
.gnutls_certificate_type_get(session._c_object)
602
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
603
# ...do the normal thing
604
return session.peer_certificate
605
list_size = ctypes.c_uint(1)
606
cert_list = (gnutls.library.functions
607
.gnutls_certificate_get_peers
608
(session._c_object, ctypes.byref(list_size)))
609
if not bool(cert_list) and list_size.value != 0:
610
raise gnutls.errors.GNUTLSError("error getting peer"
611
" certificate")
612
if list_size.value == 0:
613
return None
614
cert = cert_list[0]
615
return ctypes.string_at(cert.data, cert.size)
616
617
618
def fingerprint(openpgp):
619
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
620
# New GnuTLS "datum" with the OpenPGP public key
621
datum = (gnutls.library.types
622
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
623
ctypes.POINTER
624
(ctypes.c_ubyte)),
625
ctypes.c_uint(len(openpgp))))
626
# New empty GnuTLS certificate
627
crt = gnutls.library.types.gnutls_openpgp_crt_t()
628
(gnutls.library.functions
629
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
630
# Import the OpenPGP public key into the certificate
631
(gnutls.library.functions
632
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
633
gnutls.library.constants
634
.GNUTLS_OPENPGP_FMT_RAW))
635
# Verify the self signature in the key
636
crtverify = ctypes.c_uint()
637
(gnutls.library.functions
638
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
639
if crtverify.value != 0:
640
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
641
raise gnutls.errors.CertificateSecurityError("Verify failed")
642
# New buffer for the fingerprint
643
buf = ctypes.create_string_buffer(20)
644
buf_len = ctypes.c_size_t()
645
# Get the fingerprint from the certificate into the buffer
646
(gnutls.library.functions
647
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
648
ctypes.byref(buf_len)))
649
# Deinit the certificate
650
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
651
# Convert the buffer to a Python bytestring
652
fpr = ctypes.string_at(buf, buf_len.value)
653
# Convert the bytestring to hexadecimal notation
654
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
655
return hex_fpr
656
657
658
class TCP_handler(SocketServer.BaseRequestHandler, object):
659
"""A TCP request handler class.
660
Instantiated by IPv6_TCPServer for each request to handle it.
958
class ClientHandler(socketserver.BaseRequestHandler, object):
959
"""A class to handle client connections.
960
961
Instantiated once for each connection to handle it.
661
962
Note: This will run in its own forked process."""
662
963
663
964
def handle(self):
664
965
logger.info(u"TCP connection from: %s",
665
966
unicode(self.client_address))
666
session = (gnutls.connection
667
.ClientSession(self.request,
668
gnutls.connection
669
.X509Credentials()))
670
671
line = self.request.makefile().readline()
672
logger.debug(u"Protocol version: %r", line)
673
try:
674
if int(line.strip().split()[0]) > 1:
675
raise RuntimeError
676
except (ValueError, IndexError, RuntimeError), error:
677
logger.error(u"Unknown protocol version: %s", error)
678
return
679
680
# Note: gnutls.connection.X509Credentials is really a generic
681
# GnuTLS certificate credentials object so long as no X.509
682
# keys are added to it. Therefore, we can use it here despite
683
# using OpenPGP certificates.
684
685
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
686
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
687
# "+DHE-DSS"))
688
# Use a fallback default, since this MUST be set.
689
priority = self.server.settings.get("priority", "NORMAL")
690
(gnutls.library.functions
691
.gnutls_priority_set_direct(session._c_object,
692
priority, None))
693
694
try:
695
session.handshake()
696
except gnutls.errors.GNUTLSError, error:
697
logger.warning(u"Handshake failed: %s", error)
698
# Do not run session.bye() here: the session is not
699
# established. Just abandon the request.
700
return
701
logger.debug(u"Handshake succeeded")
702
try:
703
fpr = fingerprint(peer_certificate(session))
704
except (TypeError, gnutls.errors.GNUTLSError), error:
705
logger.warning(u"Bad certificate: %s", error)
706
session.bye()
707
return
708
logger.debug(u"Fingerprint: %s", fpr)
709
710
for c in self.server.clients:
711
if c.fingerprint == fpr:
712
client = c
713
break
714
else:
715
logger.warning(u"Client not found for fingerprint: %s",
716
fpr)
717
session.bye()
718
return
719
# Have to check if client.still_valid(), since it is possible
720
# that the client timed out while establishing the GnuTLS
721
# session.
722
if not client.still_valid():
723
logger.warning(u"Client %(name)s is invalid",
724
vars(client))
725
session.bye()
726
return
727
## This won't work here, since we're in a fork.
728
# client.checked_ok()
729
sent_size = 0
730
while sent_size < len(client.secret):
731
sent = session.send(client.secret[sent_size:])
732
logger.debug(u"Sent: %d, remaining: %d",
733
sent, len(client.secret)
734
- (sent_size + sent))
735
sent_size += sent
736
session.bye()
737
738
739
class IPv6_TCPServer(SocketServer.ForkingMixIn,
740
SocketServer.TCPServer, object):
741
"""IPv6 TCP server. Accepts 'None' as address and/or port.
967
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
968
# Open IPC pipe to parent process
969
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
970
session = (gnutls.connection
971
.ClientSession(self.request,
972
gnutls.connection
973
.X509Credentials()))
974
975
line = self.request.makefile().readline()
976
logger.debug(u"Protocol version: %r", line)
977
try:
978
if int(line.strip().split()[0]) > 1:
979
raise RuntimeError
980
except (ValueError, IndexError, RuntimeError), error:
981
logger.error(u"Unknown protocol version: %s", error)
982
return
983
984
# Note: gnutls.connection.X509Credentials is really a
985
# generic GnuTLS certificate credentials object so long as
986
# no X.509 keys are added to it. Therefore, we can use it
987
# here despite using OpenPGP certificates.
988
989
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
990
# u"+AES-256-CBC", u"+SHA1",
991
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
992
# u"+DHE-DSS"))
993
# Use a fallback default, since this MUST be set.
994
priority = self.server.gnutls_priority
995
if priority is None:
996
priority = u"NORMAL"
997
(gnutls.library.functions
998
.gnutls_priority_set_direct(session._c_object,
999
priority, None))
1000
1001
try:
1002
session.handshake()
1003
except gnutls.errors.GNUTLSError, error:
1004
logger.warning(u"Handshake failed: %s", error)
1005
# Do not run session.bye() here: the session is not
1006
# established. Just abandon the request.
1007
return
1008
logger.debug(u"Handshake succeeded")
1009
try:
1010
fpr = self.fingerprint(self.peer_certificate(session))
1011
except (TypeError, gnutls.errors.GNUTLSError), error:
1012
logger.warning(u"Bad certificate: %s", error)
1013
session.bye()
1014
return
1015
logger.debug(u"Fingerprint: %s", fpr)
1016
1017
for c in self.server.clients:
1018
if c.fingerprint == fpr:
1019
client = c
1020
break
1021
else:
1022
ipc.write(u"NOTFOUND %s %s\n"
1023
% (fpr, unicode(self.client_address)))
1024
session.bye()
1025
return
1026
# Have to check if client.still_valid(), since it is
1027
# possible that the client timed out while establishing
1028
# the GnuTLS session.
1029
if not client.still_valid():
1030
ipc.write(u"INVALID %s\n" % client.name)
1031
session.bye()
1032
return
1033
ipc.write(u"SENDING %s\n" % client.name)
1034
sent_size = 0
1035
while sent_size < len(client.secret):
1036
sent = session.send(client.secret[sent_size:])
1037
logger.debug(u"Sent: %d, remaining: %d",
1038
sent, len(client.secret)
1039
- (sent_size + sent))
1040
sent_size += sent
1041
session.bye()
1042
1043
@staticmethod
1044
def peer_certificate(session):
1045
"Return the peer's OpenPGP certificate as a bytestring"
1046
# If not an OpenPGP certificate...
1047
if (gnutls.library.functions
1048
.gnutls_certificate_type_get(session._c_object)
1049
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1050
# ...do the normal thing
1051
return session.peer_certificate
1052
list_size = ctypes.c_uint(1)
1053
cert_list = (gnutls.library.functions
1054
.gnutls_certificate_get_peers
1055
(session._c_object, ctypes.byref(list_size)))
1056
if not bool(cert_list) and list_size.value != 0:
1057
raise gnutls.errors.GNUTLSError(u"error getting peer"
1058
u" certificate")
1059
if list_size.value == 0:
1060
return None
1061
cert = cert_list[0]
1062
return ctypes.string_at(cert.data, cert.size)
1063
1064
@staticmethod
1065
def fingerprint(openpgp):
1066
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1067
# New GnuTLS "datum" with the OpenPGP public key
1068
datum = (gnutls.library.types
1069
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1070
ctypes.POINTER
1071
(ctypes.c_ubyte)),
1072
ctypes.c_uint(len(openpgp))))
1073
# New empty GnuTLS certificate
1074
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1075
(gnutls.library.functions
1076
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1077
# Import the OpenPGP public key into the certificate
1078
(gnutls.library.functions
1079
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1080
gnutls.library.constants
1081
.GNUTLS_OPENPGP_FMT_RAW))
1082
# Verify the self signature in the key
1083
crtverify = ctypes.c_uint()
1084
(gnutls.library.functions
1085
.gnutls_openpgp_crt_verify_self(crt, 0,
1086
ctypes.byref(crtverify)))
1087
if crtverify.value != 0:
1088
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1089
raise (gnutls.errors.CertificateSecurityError
1090
(u"Verify failed"))
1091
# New buffer for the fingerprint
1092
buf = ctypes.create_string_buffer(20)
1093
buf_len = ctypes.c_size_t()
1094
# Get the fingerprint from the certificate into the buffer
1095
(gnutls.library.functions
1096
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1097
ctypes.byref(buf_len)))
1098
# Deinit the certificate
1099
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1100
# Convert the buffer to a Python bytestring
1101
fpr = ctypes.string_at(buf, buf_len.value)
1102
# Convert the bytestring to hexadecimal notation
1103
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1104
return hex_fpr
1105
1106
1107
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
1108
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1109
def process_request(self, request, client_address):
1110
"""Overrides and wraps the original process_request().
1111
1112
This function creates a new pipe in self.pipe
1113
"""
1114
self.pipe = os.pipe()
1115
super(ForkingMixInWithPipe,
1116
self).process_request(request, client_address)
1117
os.close(self.pipe[1]) # close write end
1118
self.add_pipe(self.pipe[0])
1119
def add_pipe(self, pipe):
1120
"""Dummy function; override as necessary"""
1121
os.close(pipe)
1122
1123
1124
class IPv6_TCPServer(ForkingMixInWithPipe,
1125
socketserver.TCPServer, object):
1126
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1127
742
1128
Attributes:
743
settings: Server settings
744
clients: Set() of Client objects
745
1129
enabled: Boolean; whether this server is activated yet
1130
interface: None or a network interface name (string)
1131
use_ipv6: Boolean; to use IPv6 or not
746
1132
"""
747
address_family = socket.AF_INET6
748
def __init__(self, *args, **kwargs):
749
if "settings" in kwargs:
750
self.settings = kwargs["settings"]
751
del kwargs["settings"]
752
if "clients" in kwargs:
753
self.clients = kwargs["clients"]
754
del kwargs["clients"]
755
self.enabled = False
756
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1133
def __init__(self, server_address, RequestHandlerClass,
1134
interface=None, use_ipv6=True):
1135
self.interface = interface
1136
if use_ipv6:
1137
self.address_family = socket.AF_INET6
1138
socketserver.TCPServer.__init__(self, server_address,
1139
RequestHandlerClass)
757
1140
def server_bind(self):
758
1141
"""This overrides the normal server_bind() function
759
1142
to bind to an interface if one was specified, and also NOT to
760
1143
bind to an address or port if they were not specified."""
761
if self.settings["interface"]:
762
# 25 is from /usr/include/asm-i486/socket.h
763
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
764
try:
765
self.socket.setsockopt(socket.SOL_SOCKET,
766
SO_BINDTODEVICE,
767
self.settings["interface"])
768
except socket.error, error:
769
if error[0] == errno.EPERM:
770
logger.error(u"No permission to"
771
u" bind to interface %s",
772
self.settings["interface"])
773
else:
774
raise
1144
if self.interface is not None:
1145
if SO_BINDTODEVICE is None:
1146
logger.error(u"SO_BINDTODEVICE does not exist;"
1147
u" cannot bind to interface %s",
1148
self.interface)
1149
else:
1150
try:
1151
self.socket.setsockopt(socket.SOL_SOCKET,
1152
SO_BINDTODEVICE,
1153
str(self.interface
1154
+ u'\0'))
1155
except socket.error, error:
1156
if error[0] == errno.EPERM:
1157
logger.error(u"No permission to"
1158
u" bind to interface %s",
1159
self.interface)
1160
elif error[0] == errno.ENOPROTOOPT:
1161
logger.error(u"SO_BINDTODEVICE not available;"
1162
u" cannot bind to interface %s",
1163
self.interface)
1164
else:
1165
raise
775
1166
# Only bind(2) the socket if we really need to.
776
1167
if self.server_address[0] or self.server_address[1]:
777
1168
if not self.server_address[0]:
778
in6addr_any = "::"
779
self.server_address = (in6addr_any,
1169
if self.address_family == socket.AF_INET6:
1170
any_address = u"::" # in6addr_any
1171
else:
1172
any_address = socket.INADDR_ANY
1173
self.server_address = (any_address,
780
1174
self.server_address[1])
781
1175
elif not self.server_address[1]:
782
1176
self.server_address = (self.server_address[0],
783
1177
0)
784
# if self.settings["interface"]:
1178
# if self.interface:
785
1179
# self.server_address = (self.server_address[0],
786
1180
# 0, # port
787
1181
# 0, # flowinfo
788
1182
# if_nametoindex
789
# (self.settings
790
# ["interface"]))
791
return super(IPv6_TCPServer, self).server_bind()
1183
# (self.interface))
1184
return socketserver.TCPServer.server_bind(self)
1185
1186
1187
class MandosServer(IPv6_TCPServer):
1188
"""Mandos server.
1189
1190
Attributes:
1191
clients: set of Client objects
1192
gnutls_priority GnuTLS priority string
1193
use_dbus: Boolean; to emit D-Bus signals or not
1194
1195
Assumes a gobject.MainLoop event loop.
1196
"""
1197
def __init__(self, server_address, RequestHandlerClass,
1198
interface=None, use_ipv6=True, clients=None,
1199
gnutls_priority=None, use_dbus=True):
1200
self.enabled = False
1201
self.clients = clients
1202
if self.clients is None:
1203
self.clients = set()
1204
self.use_dbus = use_dbus
1205
self.gnutls_priority = gnutls_priority
1206
IPv6_TCPServer.__init__(self, server_address,
1207
RequestHandlerClass,
1208
interface = interface,
1209
use_ipv6 = use_ipv6)
792
1210
def server_activate(self):
793
1211
if self.enabled:
794
return super(IPv6_TCPServer, self).server_activate()
1212
return socketserver.TCPServer.server_activate(self)
795
1213
def enable(self):
796
1214
self.enabled = True
1215
def add_pipe(self, pipe):
1216
# Call "handle_ipc" for both data and EOF events
1217
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1218
self.handle_ipc)
1219
def handle_ipc(self, source, condition, file_objects={}):
1220
condition_names = {
1221
gobject.IO_IN: u"IN", # There is data to read.
1222
gobject.IO_OUT: u"OUT", # Data can be written (without
1223
# blocking).
1224
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1225
gobject.IO_ERR: u"ERR", # Error condition.
1226
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1227
# broken, usually for pipes and
1228
# sockets).
1229
}
1230
conditions_string = ' | '.join(name
1231
for cond, name in
1232
condition_names.iteritems()
1233
if cond & condition)
1234
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1235
conditions_string)
1236
1237
# Turn the pipe file descriptor into a Python file object
1238
if source not in file_objects:
1239
file_objects[source] = os.fdopen(source, u"r", 1)
1240
1241
# Read a line from the file object
1242
cmdline = file_objects[source].readline()
1243
if not cmdline: # Empty line means end of file
1244
# close the IPC pipe
1245
file_objects[source].close()
1246
del file_objects[source]
1247
1248
# Stop calling this function
1249
return False
1250
1251
logger.debug(u"IPC command: %r", cmdline)
1252
1253
# Parse and act on command
1254
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1255
1256
if cmd == u"NOTFOUND":
1257
logger.warning(u"Client not found for fingerprint: %s",
1258
args)
1259
if self.use_dbus:
1260
# Emit D-Bus signal
1261
mandos_dbus_service.ClientNotFound(args)
1262
elif cmd == u"INVALID":
1263
for client in self.clients:
1264
if client.name == args:
1265
logger.warning(u"Client %s is invalid", args)
1266
if self.use_dbus:
1267
# Emit D-Bus signal
1268
client.Rejected()
1269
break
1270
else:
1271
logger.error(u"Unknown client %s is invalid", args)
1272
elif cmd == u"SENDING":
1273
for client in self.clients:
1274
if client.name == args:
1275
logger.info(u"Sending secret to %s", client.name)
1276
client.checked_ok()
1277
if self.use_dbus:
1278
# Emit D-Bus signal
1279
client.ReceivedSecret()
1280
break
1281
else:
1282
logger.error(u"Sending secret to unknown client %s",
1283
args)
1284
else:
1285
logger.error(u"Unknown IPC command: %r", cmdline)
1286
1287
# Keep calling this function
1288
return True
797
1289
798
1290
799
1291
def string_to_delta(interval):
800
1292
"""Parse a string and return a datetime.timedelta
801
1293
802
>>> string_to_delta('7d')
1294
>>> string_to_delta(u'7d')
803
1295
datetime.timedelta(7)
804
>>> string_to_delta('60s')
1296
>>> string_to_delta(u'60s')
805
1297
datetime.timedelta(0, 60)
806
>>> string_to_delta('60m')
1298
>>> string_to_delta(u'60m')
807
1299
datetime.timedelta(0, 3600)
808
>>> string_to_delta('24h')
1300
>>> string_to_delta(u'24h')
809
1301
datetime.timedelta(1)
810
1302
>>> string_to_delta(u'1w')
811
1303
datetime.timedelta(7)
812
>>> string_to_delta('5m 30s')
1304
>>> string_to_delta(u'5m 30s')
813
1305
datetime.timedelta(0, 330)
814
1306
"""
815
1307
timevalue = datetime.timedelta(0)
835
1327
return timevalue
836
1328
837
1329
838
def server_state_changed(state):
839
"""Derived from the Avahi example code"""
840
if state == avahi.SERVER_COLLISION:
841
logger.error(u"Zeroconf server name collision")
842
service.remove()
843
elif state == avahi.SERVER_RUNNING:
844
service.add()
845
846
847
def entry_group_state_changed(state, error):
848
"""Derived from the Avahi example code"""
849
logger.debug(u"Avahi state change: %i", state)
850
851
if state == avahi.ENTRY_GROUP_ESTABLISHED:
852
logger.debug(u"Zeroconf service established.")
853
elif state == avahi.ENTRY_GROUP_COLLISION:
854
logger.warning(u"Zeroconf service name collision.")
855
service.rename()
856
elif state == avahi.ENTRY_GROUP_FAILURE:
857
logger.critical(u"Avahi: Error in group state changed %s",
858
unicode(error))
859
raise AvahiGroupError(u"State changed: %s" % unicode(error))
860
861
1330
def if_nametoindex(interface):
862
"""Call the C function if_nametoindex(), or equivalent"""
1331
"""Call the C function if_nametoindex(), or equivalent
1332
1333
Note: This function cannot accept a unicode string."""
863
1334
global if_nametoindex
864
1335
try:
865
1336
if_nametoindex = (ctypes.cdll.LoadLibrary
866
(ctypes.util.find_library("c"))
1337
(ctypes.util.find_library(u"c"))
867
1338
.if_nametoindex)
868
1339
except (OSError, AttributeError):
869
if "struct" not in sys.modules:
870
import struct
871
if "fcntl" not in sys.modules:
872
import fcntl
1340
logger.warning(u"Doing if_nametoindex the hard way")
873
1341
def if_nametoindex(interface):
874
1342
"Get an interface index the hard way, i.e. using fcntl()"
875
1343
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
876
1344
with closing(socket.socket()) as s:
877
1345
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
878
struct.pack("16s16x", interface))
879
interface_index = struct.unpack("I", ifreq[16:20])[0]
1346
struct.pack(str(u"16s16x"),
1347
interface))
1348
interface_index = struct.unpack(str(u"I"),
1349
ifreq[16:20])[0]
880
1350
return interface_index
881
1351
return if_nametoindex(interface)
882
1352
883
1353
884
1354
def daemon(nochdir = False, noclose = False):
885
1355
"""See daemon(3). Standard BSD Unix function.
1356
886
1357
This should really exist as os.daemon, but it doesn't (yet)."""
887
1358
if os.fork():
888
1359
sys.exit()
889
1360
os.setsid()
890
1361
if not nochdir:
891
os.chdir("/")
1362
os.chdir(u"/")
892
1363
if os.fork():
893
1364
sys.exit()
894
1365
if not noclose:
896
1367
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
897
1368
if not stat.S_ISCHR(os.fstat(null).st_mode):
898
1369
raise OSError(errno.ENODEV,
899
"/dev/null not a character device")
1370
u"/dev/null not a character device")
900
1371
os.dup2(null, sys.stdin.fileno())
901
1372
os.dup2(null, sys.stdout.fileno())
902
1373
os.dup2(null, sys.stderr.fileno())
905
1376
906
1377
907
1378
def main():
1379
1380
##################################################################
1381
# Parsing of options, both command line and config file
1382
908
1383
parser = optparse.OptionParser(version = "%%prog %s" % version)
909
parser.add_option("-i", "--interface", type="string",
910
metavar="IF", help="Bind to interface IF")
911
parser.add_option("-a", "--address", type="string",
912
help="Address to listen for requests on")
913
parser.add_option("-p", "--port", type="int",
914
help="Port number to receive requests on")
915
parser.add_option("--check", action="store_true",
916
help="Run self-test")
917
parser.add_option("--debug", action="store_true",
918
help="Debug mode; run in foreground and log to"
919
" terminal")
920
parser.add_option("--priority", type="string", help="GnuTLS"
921
" priority string (see GnuTLS documentation)")
922
parser.add_option("--servicename", type="string", metavar="NAME",
923
help="Zeroconf service name")
924
parser.add_option("--configdir", type="string",
925
default="/etc/mandos", metavar="DIR",
926
help="Directory to search for configuration"
927
" files")
928
parser.add_option("--no-dbus", action="store_false",
929
dest="use_dbus",
930
help="Do not provide D-Bus system bus"
931
" interface")
1384
parser.add_option("-i", u"--interface", type=u"string",
1385
metavar="IF", help=u"Bind to interface IF")
1386
parser.add_option("-a", u"--address", type=u"string",
1387
help=u"Address to listen for requests on")
1388
parser.add_option("-p", u"--port", type=u"int",
1389
help=u"Port number to receive requests on")
1390
parser.add_option("--check", action=u"store_true",
1391
help=u"Run self-test")
1392
parser.add_option("--debug", action=u"store_true",
1393
help=u"Debug mode; run in foreground and log to"
1394
u" terminal")
1395
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1396
u" priority string (see GnuTLS documentation)")
1397
parser.add_option("--servicename", type=u"string",
1398
metavar=u"NAME", help=u"Zeroconf service name")
1399
parser.add_option("--configdir", type=u"string",
1400
default=u"/etc/mandos", metavar=u"DIR",
1401
help=u"Directory to search for configuration"
1402
u" files")
1403
parser.add_option("--no-dbus", action=u"store_false",
1404
dest=u"use_dbus", help=u"Do not provide D-Bus"
1405
u" system bus interface")
1406
parser.add_option("--no-ipv6", action=u"store_false",
1407
dest=u"use_ipv6", help=u"Do not use IPv6")
932
1408
options = parser.parse_args()[0]
933
1409
934
1410
if options.check:
937
1413
sys.exit()
938
1414
939
1415
# Default values for config file for server-global settings
940
server_defaults = { "interface": "",
941
"address": "",
942
"port": "",
943
"debug": "False",
944
"priority":
945
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
946
"servicename": "Mandos",
947
"use_dbus": "True",
1416
server_defaults = { u"interface": u"",
1417
u"address": u"",
1418
u"port": u"",
1419
u"debug": u"False",
1420
u"priority":
1421
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1422
u"servicename": u"Mandos",
1423
u"use_dbus": u"True",
1424
u"use_ipv6": u"True",
948
1425
}
949
1426
950
1427
# Parse config file for server-global settings
951
server_config = ConfigParser.SafeConfigParser(server_defaults)
1428
server_config = configparser.SafeConfigParser(server_defaults)
952
1429
del server_defaults
953
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1430
server_config.read(os.path.join(options.configdir,
1431
u"mandos.conf"))
954
1432
# Convert the SafeConfigParser object to a dict
955
1433
server_settings = server_config.defaults()
956
1434
# Use the appropriate methods on the non-string config options
957
server_settings["debug"] = server_config.getboolean("DEFAULT",
958
"debug")
959
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
960
"use_dbus")
1435
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1436
server_settings[option] = server_config.getboolean(u"DEFAULT",
1437
option)
961
1438
if server_settings["port"]:
962
server_settings["port"] = server_config.getint("DEFAULT",
963
"port")
1439
server_settings["port"] = server_config.getint(u"DEFAULT",
1440
u"port")
964
1441
del server_config
965
1442
966
1443
# Override the settings from the config file with command line
967
1444
# options, if set.
968
for option in ("interface", "address", "port", "debug",
969
"priority", "servicename", "configdir",
970
"use_dbus"):
1445
for option in (u"interface", u"address", u"port", u"debug",
1446
u"priority", u"servicename", u"configdir",
1447
u"use_dbus", u"use_ipv6"):
971
1448
value = getattr(options, option)
972
1449
if value is not None:
973
1450
server_settings[option] = value
974
1451
del options
1452
# Force all strings to be unicode
1453
for option in server_settings.keys():
1454
if type(server_settings[option]) is str:
1455
server_settings[option] = unicode(server_settings[option])
975
1456
# Now we have our good server settings in "server_settings"
976
1457
1458
##################################################################
1459
977
1460
# For convenience
978
debug = server_settings["debug"]
979
use_dbus = server_settings["use_dbus"]
1461
debug = server_settings[u"debug"]
1462
use_dbus = server_settings[u"use_dbus"]
1463
use_ipv6 = server_settings[u"use_ipv6"]
980
1464
981
1465
if not debug:
982
1466
syslogger.setLevel(logging.WARNING)
983
1467
console.setLevel(logging.WARNING)
984
1468
985
if server_settings["servicename"] != "Mandos":
1469
if server_settings[u"servicename"] != u"Mandos":
986
1470
syslogger.setFormatter(logging.Formatter
987
('Mandos (%s): %%(levelname)s:'
988
' %%(message)s'
989
% server_settings["servicename"]))
1471
(u'Mandos (%s) [%%(process)d]:'
1472
u' %%(levelname)s: %%(message)s'
1473
% server_settings[u"servicename"]))
990
1474
991
1475
# Parse config file with clients
992
client_defaults = { "timeout": "1h",
993
"interval": "5m",
994
"checker": "fping -q -- %%(host)s",
995
"host": "",
1476
client_defaults = { u"timeout": u"1h",
1477
u"interval": u"5m",
1478
u"checker": u"fping -q -- %%(host)s",
1479
u"host": u"",
996
1480
}
997
client_config = ConfigParser.SafeConfigParser(client_defaults)
998
client_config.read(os.path.join(server_settings["configdir"],
999
"clients.conf"))
1000
1001
clients = Set()
1002
tcp_server = IPv6_TCPServer((server_settings["address"],
1003
server_settings["port"]),
1004
TCP_handler,
1005
settings=server_settings,
1006
clients=clients)
1007
pidfilename = "/var/run/mandos.pid"
1481
client_config = configparser.SafeConfigParser(client_defaults)
1482
client_config.read(os.path.join(server_settings[u"configdir"],
1483
u"clients.conf"))
1484
1485
global mandos_dbus_service
1486
mandos_dbus_service = None
1487
1488
tcp_server = MandosServer((server_settings[u"address"],
1489
server_settings[u"port"]),
1490
ClientHandler,
1491
interface=server_settings[u"interface"],
1492
use_ipv6=use_ipv6,
1493
gnutls_priority=
1494
server_settings[u"priority"],
1495
use_dbus=use_dbus)
1496
pidfilename = u"/var/run/mandos.pid"
1008
1497
try:
1009
pidfile = open(pidfilename, "w")
1498
pidfile = open(pidfilename, u"w")
1010
1499
except IOError:
1011
logger.error("Could not open file %r", pidfilename)
1500
logger.error(u"Could not open file %r", pidfilename)
1012
1501
1013
1502
try:
1014
uid = pwd.getpwnam("_mandos").pw_uid
1015
gid = pwd.getpwnam("_mandos").pw_gid
1503
uid = pwd.getpwnam(u"_mandos").pw_uid
1504
gid = pwd.getpwnam(u"_mandos").pw_gid
1016
1505
except KeyError:
1017
1506
try:
1018
uid = pwd.getpwnam("mandos").pw_uid
1019
gid = pwd.getpwnam("mandos").pw_gid
1507
uid = pwd.getpwnam(u"mandos").pw_uid
1508
gid = pwd.getpwnam(u"mandos").pw_gid
1020
1509
except KeyError:
1021
1510
try:
1022
uid = pwd.getpwnam("nobody").pw_uid
1023
gid = pwd.getpwnam("nogroup").pw_gid
1511
uid = pwd.getpwnam(u"nobody").pw_uid
1512
gid = pwd.getpwnam(u"nobody").pw_gid
1024
1513
except KeyError:
1025
1514
uid = 65534
1026
1515
gid = 65534
1039
1528
1040
1529
@gnutls.library.types.gnutls_log_func
1041
1530
def debug_gnutls(level, string):
1042
logger.debug("GnuTLS: %s", string[:-1])
1531
logger.debug(u"GnuTLS: %s", string[:-1])
1043
1532
1044
1533
(gnutls.library.functions
1045
1534
.gnutls_global_set_log_function(debug_gnutls))
1046
1535
1047
global service
1048
service = AvahiService(name = server_settings["servicename"],
1049
servicetype = "_mandos._tcp", )
1050
if server_settings["interface"]:
1051
service.interface = (if_nametoindex
1052
(server_settings["interface"]))
1053
1054
1536
global main_loop
1055
global bus
1056
global server
1057
1537
# From the Avahi example code
1058
1538
DBusGMainLoop(set_as_default=True )
1059
1539
main_loop = gobject.MainLoop()
1060
1540
bus = dbus.SystemBus()
1061
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1062
avahi.DBUS_PATH_SERVER),
1063
avahi.DBUS_INTERFACE_SERVER)
1064
1541
# End of Avahi example code
1065
1542
if use_dbus:
1066
1543
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1544
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1545
service = AvahiService(name = server_settings[u"servicename"],
1546
servicetype = u"_mandos._tcp",
1547
protocol = protocol, bus = bus)
1548
if server_settings["interface"]:
1549
service.interface = (if_nametoindex
1550
(str(server_settings[u"interface"])))
1067
1551
1068
clients.update(Set(Client(name = section,
1069
config
1070
= dict(client_config.items(section)),
1071
use_dbus = use_dbus)
1072
for section in client_config.sections()))
1073
if not clients:
1552
client_class = Client
1553
if use_dbus:
1554
client_class = functools.partial(ClientDBus, bus = bus)
1555
tcp_server.clients.update(set(
1556
client_class(name = section,
1557
config= dict(client_config.items(section)))
1558
for section in client_config.sections()))
1559
if not tcp_server.clients:
1074
1560
logger.warning(u"No clients defined")
1075
1561
1076
1562
if debug:
1086
1572
daemon()
1087
1573
1088
1574
try:
1089
pid = os.getpid()
1090
pidfile.write(str(pid) + "\n")
1091
pidfile.close()
1575
with closing(pidfile):
1576
pid = os.getpid()
1577
pidfile.write(str(pid) + "\n")
1092
1578
del pidfile
1093
1579
except IOError:
1094
1580
logger.error(u"Could not write to file %r with PID %d",
1100
1586
1101
1587
def cleanup():
1102
1588
"Cleanup function; run on exit"
1103
global group
1104
# From the Avahi example code
1105
if not group is None:
1106
group.Free()
1107
group = None
1108
# End of Avahi example code
1589
service.cleanup()
1109
1590
1110
while clients:
1111
client = clients.pop()
1591
while tcp_server.clients:
1592
client = tcp_server.clients.pop()
1112
1593
client.disable_hook = None
1113
1594
client.disable()
1114
1595
1120
1601
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1121
1602
1122
1603
if use_dbus:
1123
class MandosServer(dbus.service.Object):
1604
class MandosDBusService(dbus.service.Object):
1124
1605
"""A D-Bus proxy object"""
1125
1606
def __init__(self):
1126
dbus.service.Object.__init__(self, bus, "/")
1607
dbus.service.Object.__init__(self, bus, u"/")
1127
1608
_interface = u"se.bsnet.fukt.Mandos"
1128
1609
1129
@dbus.service.signal(_interface, signature="oa{sv}")
1610
@dbus.service.signal(_interface, signature=u"oa{sv}")
1130
1611
def ClientAdded(self, objpath, properties):
1131
1612
"D-Bus signal"
1132
1613
pass
1133
1614
1134
@dbus.service.signal(_interface, signature="os")
1615
@dbus.service.signal(_interface, signature=u"s")
1616
def ClientNotFound(self, fingerprint):
1617
"D-Bus signal"
1618
pass
1619
1620
@dbus.service.signal(_interface, signature=u"os")
1135
1621
def ClientRemoved(self, objpath, name):
1136
1622
"D-Bus signal"
1137
1623
pass
1138
1624
1139
@dbus.service.method(_interface, out_signature="ao")
1625
@dbus.service.method(_interface, out_signature=u"ao")
1140
1626
def GetAllClients(self):
1141
1627
"D-Bus method"
1142
return dbus.Array(c.dbus_object_path for c in clients)
1628
return dbus.Array(c.dbus_object_path
1629
for c in tcp_server.clients)
1143
1630
1144
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1631
@dbus.service.method(_interface,
1632
out_signature=u"a{oa{sv}}")
1145
1633
def GetAllClientsWithProperties(self):
1146
1634
"D-Bus method"
1147
1635
return dbus.Dictionary(
1148
((c.dbus_object_path, c.GetAllProperties())
1149
for c in clients),
1150
signature="oa{sv}")
1636
((c.dbus_object_path, c.GetAll(u""))
1637
for c in tcp_server.clients),
1638
signature=u"oa{sv}")
1151
1639
1152
@dbus.service.method(_interface, in_signature="o")
1640
@dbus.service.method(_interface, in_signature=u"o")
1153
1641
def RemoveClient(self, object_path):
1154
1642
"D-Bus method"
1155
for c in clients:
1643
for c in tcp_server.clients:
1156
1644
if c.dbus_object_path == object_path:
1157
clients.remove(c)
1645
tcp_server.clients.remove(c)
1646
c.remove_from_connection()
1158
1647
# Don't signal anything except ClientRemoved
1159
c.use_dbus = False
1160
c.disable()
1648
c.disable(signal=False)
1161
1649
# Emit D-Bus signal
1162
1650
self.ClientRemoved(object_path, c.name)
1163
1651
return
1165
1653
1166
1654
del _interface
1167
1655
1168
mandos_server = MandosServer()
1656
mandos_dbus_service = MandosDBusService()
1169
1657
1170
for client in clients:
1658
for client in tcp_server.clients:
1171
1659
if use_dbus:
1172
1660
# Emit D-Bus signal
1173
mandos_server.ClientAdded(client.dbus_object_path,
1174
client.GetAllProperties())
1661
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1662
client.GetAll(u""))
1175
1663
client.enable()
1176
1664
1177
1665
tcp_server.enable()
1179
1667
1180
1668
# Find out what port we got
1181
1669
service.port = tcp_server.socket.getsockname()[1]
1182
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1183
u" scope_id %d" % tcp_server.socket.getsockname())
1670
if use_ipv6:
1671
logger.info(u"Now listening on address %r, port %d,"
1672
" flowinfo %d, scope_id %d"
1673
% tcp_server.socket.getsockname())
1674
else: # IPv4
1675
logger.info(u"Now listening on address %r, port %d"
1676
% tcp_server.socket.getsockname())
1184
1677
1185
1678
#service.interface = tcp_server.socket.getsockname()[3]
1186
1679
1187
1680
try:
1188
1681
# From the Avahi example code
1189
server.connect_to_signal("StateChanged", server_state_changed)
1190
1682
try:
1191
server_state_changed(server.GetState())
1683
service.activate()
1192
1684
except dbus.exceptions.DBusException, error:
1193
1685
logger.critical(u"DBusException: %s", error)
1194
1686
sys.exit(1)
1207
1699
except KeyboardInterrupt:
1208
1700
if debug:
1209
1701
print >> sys.stderr
1210
logger.debug("Server received KeyboardInterrupt")
1211
logger.debug("Server exiting")
1702
logger.debug(u"Server received KeyboardInterrupt")
1703
logger.debug(u"Server exiting")
1212
1704
1213
1705
if __name__ == '__main__':
1214
1706
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0