To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.2.9
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.9
- Committer: Teddy Hogeborn
- Date: 2009-01-04 21:54:55 UTC
- mto: (24.1.120 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 238.
- Revision ID: teddy@fukt.bsnet.se-20090104215455-o5q1zdrlxzr1wmn1
* README: Update copyright year; add "2009".
* debian/copyright: - '' -
* mandos: - '' -
* mandos-clients.conf.xml: - '' -
* mandos-keygen: - '' -
* mandos-keygen.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* plugin-runner.c: - '' -
* plugin-runner.xml: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/askpass-fifo.xml: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/mandos-client.xml: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/password-prompt.xml: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/splashy.xml: - '' -
* plugins.d/usplash.c: - '' -
* plugins.d/usplash.xml: - '' -
* debian/copyright: - '' -
* mandos: - '' -
* mandos-clients.conf.xml: - '' -
* mandos-keygen: - '' -
* mandos-keygen.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* plugin-runner.c: - '' -
* plugin-runner.xml: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/askpass-fifo.xml: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/mandos-client.xml: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/password-prompt.xml: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/splashy.xml: - '' -
* plugins.d/usplash.c: - '' -
* plugins.d/usplash.xml: - '' -
- files added:
- debian/mandos-client.config
- files removed:
- dbus-mandos.conf
- files renamed:
- mandos-ctl => mandos-list
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
import optparse
38
from optparse import OptionParser
39
39
import datetime
40
40
import errno
41
41
import gnutls.crypto
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
55
56
import logging
56
57
import logging.handlers
57
58
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import multiprocessing
59
from contextlib import closing
64
60
65
61
import dbus
66
62
import dbus.service
69
65
from dbus.mainloop.glib import DBusGMainLoop
70
66
import ctypes
71
67
import ctypes.util
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
logger = logging.Logger(u'mandos')
68
69
version = "1.0.2"
70
71
logger = logging.Logger('mandos')
87
72
syslogger = (logging.handlers.SysLogHandler
88
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
89
74
address = "/dev/log"))
90
75
syslogger.setFormatter(logging.Formatter
91
(u'Mandos [%(process)d]: %(levelname)s:'
92
u' %(message)s'))
76
('Mandos: %(levelname)s: %(message)s'))
93
77
logger.addHandler(syslogger)
94
78
95
79
console = logging.StreamHandler()
96
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
97
u' %(levelname)s:'
98
u' %(message)s'))
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
99
82
logger.addHandler(console)
100
83
101
multiprocessing_manager = multiprocessing.Manager()
102
103
84
class AvahiError(Exception):
104
85
def __init__(self, value, *args, **kwargs):
105
86
self.value = value
116
97
117
98
class AvahiService(object):
118
99
"""An Avahi (Zeroconf) service.
119
120
100
Attributes:
121
101
interface: integer; avahi.IF_UNSPEC or an interface index.
122
102
Used to optionally bind to the specified interface.
123
name: string; Example: u'Mandos'
124
type: string; Example: u'_mandos._tcp'.
103
name: string; Example: 'Mandos'
104
type: string; Example: '_mandos._tcp'.
125
105
See <http://www.dns-sd.org/ServiceTypes.html>
126
106
port: integer; what port to announce
127
107
TXT: list of strings; TXT record for the service
130
110
max_renames: integer; maximum number of renames
131
111
rename_count: integer; counter so we only rename after collisions
132
112
a sensible number of times
133
group: D-Bus Entry Group
134
server: D-Bus Server
135
bus: dbus.SystemBus()
136
113
"""
137
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
138
115
servicetype = None, port = None, TXT = None,
139
domain = u"", host = u"", max_renames = 32768,
140
protocol = avahi.PROTO_UNSPEC, bus = None):
116
domain = "", host = "", max_renames = 32768):
141
117
self.interface = interface
142
118
self.name = name
143
119
self.type = servicetype
147
123
self.host = host
148
124
self.rename_count = 0
149
125
self.max_renames = max_renames
150
self.protocol = protocol
151
self.group = None # our entry group
152
self.server = None
153
self.bus = bus
154
126
def rename(self):
155
127
"""Derived from the Avahi example code"""
156
128
if self.rename_count >= self.max_renames:
158
130
u" after %i retries, exiting.",
159
131
self.rename_count)
160
132
raise AvahiServiceError(u"Too many renames")
161
self.name = self.server.GetAlternativeServiceName(self.name)
133
self.name = server.GetAlternativeServiceName(self.name)
162
134
logger.info(u"Changing Zeroconf service name to %r ...",
163
unicode(self.name))
135
str(self.name))
164
136
syslogger.setFormatter(logging.Formatter
165
(u'Mandos (%s) [%%(process)d]:'
166
u' %%(levelname)s: %%(message)s'
167
% self.name))
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
168
139
self.remove()
169
140
self.add()
170
141
self.rename_count += 1
171
142
def remove(self):
172
143
"""Derived from the Avahi example code"""
173
if self.group is not None:
174
self.group.Reset()
144
if group is not None:
145
group.Reset()
175
146
def add(self):
176
147
"""Derived from the Avahi example code"""
177
if self.group is None:
178
self.group = dbus.Interface(
179
self.bus.get_object(avahi.DBUS_NAME,
180
self.server.EntryGroupNew()),
181
avahi.DBUS_INTERFACE_ENTRY_GROUP)
182
self.group.connect_to_signal('StateChanged',
183
self
184
.entry_group_state_changed)
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
185
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
186
self.name, self.type)
187
self.group.AddService(
188
self.interface,
189
self.protocol,
190
dbus.UInt32(0), # flags
191
self.name, self.type,
192
self.domain, self.host,
193
dbus.UInt16(self.port),
194
avahi.string_array_to_txt_array(self.TXT))
195
self.group.Commit()
196
def entry_group_state_changed(self, state, error):
197
"""Derived from the Avahi example code"""
198
logger.debug(u"Avahi state change: %i", state)
199
200
if state == avahi.ENTRY_GROUP_ESTABLISHED:
201
logger.debug(u"Zeroconf service established.")
202
elif state == avahi.ENTRY_GROUP_COLLISION:
203
logger.warning(u"Zeroconf service name collision.")
204
self.rename()
205
elif state == avahi.ENTRY_GROUP_FAILURE:
206
logger.critical(u"Avahi: Error in group state changed %s",
207
unicode(error))
208
raise AvahiGroupError(u"State changed: %s"
209
% unicode(error))
210
def cleanup(self):
211
"""Derived from the Avahi example code"""
212
if self.group is not None:
213
self.group.Free()
214
self.group = None
215
def server_state_changed(self, state):
216
"""Derived from the Avahi example code"""
217
if state == avahi.SERVER_COLLISION:
218
logger.error(u"Zeroconf server name collision")
219
self.remove()
220
elif state == avahi.SERVER_RUNNING:
221
self.add()
222
def activate(self):
223
"""Derived from the Avahi example code"""
224
if self.server is None:
225
self.server = dbus.Interface(
226
self.bus.get_object(avahi.DBUS_NAME,
227
avahi.DBUS_PATH_SERVER),
228
avahi.DBUS_INTERFACE_SERVER)
229
self.server.connect_to_signal(u"StateChanged",
230
self.server_state_changed)
231
self.server_state_changed(self.server.GetState())
232
233
234
# XXX Need to add:
235
# approved_by_default (Config option for each client)
236
# approved_delay (config option for each client)
237
# approved_duration (config option for each client)
238
class Client(object):
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
170
# End of Avahi example code
171
172
173
def _datetime_to_dbus(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus type."""
175
return dbus.String(dt.isoformat(), variant_level=variant_level)
176
177
178
class Client(dbus.service.Object):
239
179
"""A representation of a client host served by this server.
240
241
180
Attributes:
242
name: string; from the config file, used in log messages and
243
D-Bus identifiers
181
name: string; from the config file, used in log messages
244
182
fingerprint: string (40 or 32 hexadecimal digits); used to
245
183
uniquely identify the client
246
184
secret: bytestring; sent verbatim (over TLS) to client
250
188
enabled: bool()
251
189
last_checked_ok: datetime.datetime(); (UTC) or None
252
190
timeout: datetime.timedelta(); How long from last_checked_ok
253
until this client is disabled
191
until this client is invalid
254
192
interval: datetime.timedelta(); How often to start a new checker
255
193
disable_hook: If set, called by disable() as disable_hook(self)
256
194
checker: subprocess.Popen(); a running checker process used
257
195
to see if the client lives.
258
196
'None' if no process is running.
259
197
checker_initiator_tag: a gobject event source tag, or None
260
disable_initiator_tag: - '' -
198
disable_initiator_tag: - '' -
261
199
checker_callback_tag: - '' -
262
200
checker_command: string; External command which is run to check if
263
201
client lives. %() expansions are done at
264
202
runtime with vars(self) as dict, so that for
265
203
instance %(name)s can be used in the command.
266
current_checker_command: string; current running checker_command
267
approved_delay: datetime.timedelta(); Time to wait for approval
268
_approved: bool(); 'None' if not yet approved/disapproved
269
approved_duration: datetime.timedelta(); Duration of one approval
204
use_dbus: bool(); Whether to provide D-Bus interface and signals
205
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
270
206
"""
271
272
@staticmethod
273
def _timedelta_to_milliseconds(td):
274
"Convert a datetime.timedelta() to milliseconds"
275
return ((td.days * 24 * 60 * 60 * 1000)
276
+ (td.seconds * 1000)
277
+ (td.microseconds // 1000))
278
279
207
def timeout_milliseconds(self):
280
208
"Return the 'timeout' attribute in milliseconds"
281
return self._timedelta_to_milliseconds(self.timeout)
209
return ((self.timeout.days * 24 * 60 * 60 * 1000)
210
+ (self.timeout.seconds * 1000)
211
+ (self.timeout.microseconds // 1000))
282
212
283
213
def interval_milliseconds(self):
284
214
"Return the 'interval' attribute in milliseconds"
285
return self._timedelta_to_milliseconds(self.interval)
286
287
def approved_delay_milliseconds(self):
288
return self._timedelta_to_milliseconds(self.approved_delay)
215
return ((self.interval.days * 24 * 60 * 60 * 1000)
216
+ (self.interval.seconds * 1000)
217
+ (self.interval.microseconds // 1000))
289
218
290
def __init__(self, name = None, disable_hook=None, config=None):
219
def __init__(self, name = None, disable_hook=None, config=None,
220
use_dbus=True):
291
221
"""Note: the 'checker' key in 'config' sets the
292
222
'checker_command' attribute and *not* the 'checker'
293
223
attribute."""
295
225
if config is None:
296
226
config = {}
297
227
logger.debug(u"Creating client %r", self.name)
228
self.use_dbus = use_dbus
229
if self.use_dbus:
230
self.dbus_object_path = (dbus.ObjectPath
231
("/Mandos/clients/"
232
+ self.name.replace(".", "_")))
233
dbus.service.Object.__init__(self, bus,
234
self.dbus_object_path)
298
235
# Uppercase and remove spaces from fingerprint for later
299
236
# comparison purposes with return value from the fingerprint()
300
237
# function
301
self.fingerprint = (config[u"fingerprint"].upper()
238
self.fingerprint = (config["fingerprint"].upper()
302
239
.replace(u" ", u""))
303
240
logger.debug(u" Fingerprint: %s", self.fingerprint)
304
if u"secret" in config:
305
self.secret = config[u"secret"].decode(u"base64")
306
elif u"secfile" in config:
307
with open(os.path.expanduser(os.path.expandvars
308
(config[u"secfile"])),
309
"rb") as secfile:
241
if "secret" in config:
242
self.secret = config["secret"].decode(u"base64")
243
elif "secfile" in config:
244
with closing(open(os.path.expanduser
245
(os.path.expandvars
246
(config["secfile"])))) as secfile:
310
247
self.secret = secfile.read()
311
248
else:
312
#XXX Need to allow secret on demand!
313
249
raise TypeError(u"No secret or secfile for client %s"
314
250
% self.name)
315
self.host = config.get(u"host", u"")
251
self.host = config.get("host", "")
316
252
self.created = datetime.datetime.utcnow()
317
253
self.enabled = False
318
254
self.last_enabled = None
319
255
self.last_checked_ok = None
320
self.timeout = string_to_delta(config[u"timeout"])
321
self.interval = string_to_delta(config[u"interval"])
256
self.timeout = string_to_delta(config["timeout"])
257
self.interval = string_to_delta(config["interval"])
322
258
self.disable_hook = disable_hook
323
259
self.checker = None
324
260
self.checker_initiator_tag = None
325
261
self.disable_initiator_tag = None
326
262
self.checker_callback_tag = None
327
self.checker_command = config[u"checker"]
328
self.current_checker_command = None
329
self.last_connect = None
330
self._approved = None
331
self.approved_by_default = config.get(u"approved_by_default",
332
False)
333
self.approved_delay = string_to_delta(
334
config[u"approved_delay"])
335
self.approved_duration = string_to_delta(
336
config[u"approved_duration"])
337
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
338
339
def send_changedstate(self):
340
self.changedstate.acquire()
341
self.changedstate.notify_all()
342
self.changedstate.release()
343
263
self.checker_command = config["checker"]
264
344
265
def enable(self):
345
266
"""Start this client's checker and timeout hooks"""
346
if getattr(self, u"enabled", False):
347
# Already enabled
348
return
349
self.send_changedstate()
350
267
self.last_enabled = datetime.datetime.utcnow()
351
268
# Schedule a new checker to be started an 'interval' from now,
352
269
# and every interval from then on.
353
270
self.checker_initiator_tag = (gobject.timeout_add
354
271
(self.interval_milliseconds(),
355
272
self.start_checker))
273
# Also start a new checker *right now*.
274
self.start_checker()
356
275
# Schedule a disable() when 'timeout' has passed
357
276
self.disable_initiator_tag = (gobject.timeout_add
358
277
(self.timeout_milliseconds(),
359
278
self.disable))
360
279
self.enabled = True
361
# Also start a new checker *right now*.
362
self.start_checker()
280
if self.use_dbus:
281
# Emit D-Bus signals
282
self.PropertyChanged(dbus.String(u"enabled"),
283
dbus.Boolean(True, variant_level=1))
284
self.PropertyChanged(dbus.String(u"last_enabled"),
285
(_datetime_to_dbus(self.last_enabled,
286
variant_level=1)))
363
287
364
def disable(self, quiet=True):
288
def disable(self):
365
289
"""Disable this client."""
366
290
if not getattr(self, "enabled", False):
367
291
return False
368
if not quiet:
369
self.send_changedstate()
370
if not quiet:
371
logger.info(u"Disabling client %s", self.name)
372
if getattr(self, u"disable_initiator_tag", False):
292
logger.info(u"Disabling client %s", self.name)
293
if getattr(self, "disable_initiator_tag", False):
373
294
gobject.source_remove(self.disable_initiator_tag)
374
295
self.disable_initiator_tag = None
375
if getattr(self, u"checker_initiator_tag", False):
296
if getattr(self, "checker_initiator_tag", False):
376
297
gobject.source_remove(self.checker_initiator_tag)
377
298
self.checker_initiator_tag = None
378
299
self.stop_checker()
379
300
if self.disable_hook:
380
301
self.disable_hook(self)
381
302
self.enabled = False
303
if self.use_dbus:
304
# Emit D-Bus signal
305
self.PropertyChanged(dbus.String(u"enabled"),
306
dbus.Boolean(False, variant_level=1))
382
307
# Do not run this again if called by a gobject.timeout_add
383
308
return False
384
309
390
315
"""The checker has completed, so take appropriate actions."""
391
316
self.checker_callback_tag = None
392
317
self.checker = None
393
if os.WIFEXITED(condition):
394
exitstatus = os.WEXITSTATUS(condition)
395
if exitstatus == 0:
396
logger.info(u"Checker for %(name)s succeeded",
397
vars(self))
398
self.checked_ok()
399
else:
400
logger.info(u"Checker for %(name)s failed",
401
vars(self))
402
else:
318
if self.use_dbus:
319
# Emit D-Bus signal
320
self.PropertyChanged(dbus.String(u"checker_running"),
321
dbus.Boolean(False, variant_level=1))
322
if (os.WIFEXITED(condition)
323
and (os.WEXITSTATUS(condition) == 0)):
324
logger.info(u"Checker for %(name)s succeeded",
325
vars(self))
326
if self.use_dbus:
327
# Emit D-Bus signal
328
self.CheckerCompleted(dbus.Boolean(True),
329
dbus.UInt16(condition),
330
dbus.String(command))
331
self.bump_timeout()
332
elif not os.WIFEXITED(condition):
403
333
logger.warning(u"Checker for %(name)s crashed?",
404
334
vars(self))
335
if self.use_dbus:
336
# Emit D-Bus signal
337
self.CheckerCompleted(dbus.Boolean(False),
338
dbus.UInt16(condition),
339
dbus.String(command))
340
else:
341
logger.info(u"Checker for %(name)s failed",
342
vars(self))
343
if self.use_dbus:
344
# Emit D-Bus signal
345
self.CheckerCompleted(dbus.Boolean(False),
346
dbus.UInt16(condition),
347
dbus.String(command))
405
348
406
def checked_ok(self):
349
def bump_timeout(self):
407
350
"""Bump up the timeout for this client.
408
409
351
This should only be called when the client has been seen,
410
352
alive and well.
411
353
"""
414
356
self.disable_initiator_tag = (gobject.timeout_add
415
357
(self.timeout_milliseconds(),
416
358
self.disable))
359
if self.use_dbus:
360
# Emit D-Bus signal
361
self.PropertyChanged(
362
dbus.String(u"last_checked_ok"),
363
(_datetime_to_dbus(self.last_checked_ok,
364
variant_level=1)))
417
365
418
366
def start_checker(self):
419
367
"""Start a new checker subprocess if one is not running.
420
421
368
If a checker already exists, leave it running and do
422
369
nothing."""
423
370
# The reason for not killing a running checker is that if we
426
373
# client would inevitably timeout, since no checker would get
427
374
# a chance to run to completion. If we instead leave running
428
375
# checkers alone, the checker would have to take more time
429
# than 'timeout' for the client to be disabled, which is as it
430
# should be.
431
432
# If a checker exists, make sure it is not a zombie
433
try:
434
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
435
except (AttributeError, OSError), error:
436
if (isinstance(error, OSError)
437
and error.errno != errno.ECHILD):
438
raise error
439
else:
440
if pid:
441
logger.warning(u"Checker was a zombie")
442
gobject.source_remove(self.checker_callback_tag)
443
self.checker_callback(pid, status,
444
self.current_checker_command)
445
# Start a new checker if needed
376
# than 'timeout' for the client to be declared invalid, which
377
# is as it should be.
446
378
if self.checker is None:
447
379
try:
448
380
# In case checker_command has exactly one % operator
449
381
command = self.checker_command % self.host
450
382
except TypeError:
451
383
# Escape attributes for the shell
452
escaped_attrs = dict((key,
453
re.escape(unicode(str(val),
454
errors=
455
u'replace')))
384
escaped_attrs = dict((key, re.escape(str(val)))
456
385
for key, val in
457
386
vars(self).iteritems())
458
387
try:
461
390
logger.error(u'Could not format string "%s":'
462
391
u' %s', self.checker_command, error)
463
392
return True # Try again later
464
self.current_checker_command = command
465
393
try:
466
394
logger.info(u"Starting checker %r for %s",
467
395
command, self.name)
471
399
# always replaced by /dev/null.)
472
400
self.checker = subprocess.Popen(command,
473
401
close_fds=True,
474
shell=True, cwd=u"/")
402
shell=True, cwd="/")
403
if self.use_dbus:
404
# Emit D-Bus signal
405
self.CheckerStarted(command)
406
self.PropertyChanged(
407
dbus.String("checker_running"),
408
dbus.Boolean(True, variant_level=1))
475
409
self.checker_callback_tag = (gobject.child_watch_add
476
410
(self.checker.pid,
477
411
self.checker_callback,
478
412
data=command))
479
# The checker may have completed before the gobject
480
# watch was added. Check for this.
481
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
482
if pid:
483
gobject.source_remove(self.checker_callback_tag)
484
self.checker_callback(pid, status, command)
485
413
except OSError, error:
486
414
logger.error(u"Failed to start subprocess: %s",
487
415
error)
493
421
if self.checker_callback_tag:
494
422
gobject.source_remove(self.checker_callback_tag)
495
423
self.checker_callback_tag = None
496
if getattr(self, u"checker", None) is None:
424
if getattr(self, "checker", None) is None:
497
425
return
498
426
logger.debug(u"Stopping checker for %(name)s", vars(self))
499
427
try:
500
428
os.kill(self.checker.pid, signal.SIGTERM)
501
#time.sleep(0.5)
429
#os.sleep(0.5)
502
430
#if self.checker.poll() is None:
503
431
# os.kill(self.checker.pid, signal.SIGKILL)
504
432
except OSError, error:
505
433
if error.errno != errno.ESRCH: # No such process
506
434
raise
507
435
self.checker = None
508
509
def dbus_service_property(dbus_interface, signature=u"v",
510
access=u"readwrite", byte_arrays=False):
511
"""Decorators for marking methods of a DBusObjectWithProperties to
512
become properties on the D-Bus.
513
514
The decorated method will be called with no arguments by "Get"
515
and with one argument by "Set".
516
517
The parameters, where they are supported, are the same as
518
dbus.service.method, except there is only "signature", since the
519
type from Get() and the type sent to Set() is the same.
520
"""
521
# Encoding deeply encoded byte arrays is not supported yet by the
522
# "Set" method, so we fail early here:
523
if byte_arrays and signature != u"ay":
524
raise ValueError(u"Byte arrays not supported for non-'ay'"
525
u" signature %r" % signature)
526
def decorator(func):
527
func._dbus_is_property = True
528
func._dbus_interface = dbus_interface
529
func._dbus_signature = signature
530
func._dbus_access = access
531
func._dbus_name = func.__name__
532
if func._dbus_name.endswith(u"_dbus_property"):
533
func._dbus_name = func._dbus_name[:-14]
534
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
535
return func
536
return decorator
537
538
539
class DBusPropertyException(dbus.exceptions.DBusException):
540
"""A base class for D-Bus property-related exceptions
541
"""
542
def __unicode__(self):
543
return unicode(str(self))
544
545
546
class DBusPropertyAccessException(DBusPropertyException):
547
"""A property's access permissions disallows an operation.
548
"""
549
pass
550
551
552
class DBusPropertyNotFound(DBusPropertyException):
553
"""An attempt was made to access a non-existing property.
554
"""
555
pass
556
557
558
class DBusObjectWithProperties(dbus.service.Object):
559
"""A D-Bus object with properties.
560
561
Classes inheriting from this can use the dbus_service_property
562
decorator to expose methods as D-Bus properties. It exposes the
563
standard Get(), Set(), and GetAll() methods on the D-Bus.
564
"""
565
566
@staticmethod
567
def _is_dbus_property(obj):
568
return getattr(obj, u"_dbus_is_property", False)
569
570
def _get_all_dbus_properties(self):
571
"""Returns a generator of (name, attribute) pairs
572
"""
573
return ((prop._dbus_name, prop)
574
for name, prop in
575
inspect.getmembers(self, self._is_dbus_property))
576
577
def _get_dbus_property(self, interface_name, property_name):
578
"""Returns a bound method if one exists which is a D-Bus
579
property with the specified name and interface.
580
"""
581
for name in (property_name,
582
property_name + u"_dbus_property"):
583
prop = getattr(self, name, None)
584
if (prop is None
585
or not self._is_dbus_property(prop)
586
or prop._dbus_name != property_name
587
or (interface_name and prop._dbus_interface
588
and interface_name != prop._dbus_interface)):
589
continue
590
return prop
591
# No such property
592
raise DBusPropertyNotFound(self.dbus_object_path + u":"
593
+ interface_name + u"."
594
+ property_name)
595
596
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
597
out_signature=u"v")
598
def Get(self, interface_name, property_name):
599
"""Standard D-Bus property Get() method, see D-Bus standard.
600
"""
601
prop = self._get_dbus_property(interface_name, property_name)
602
if prop._dbus_access == u"write":
603
raise DBusPropertyAccessException(property_name)
604
value = prop()
605
if not hasattr(value, u"variant_level"):
606
return value
607
return type(value)(value, variant_level=value.variant_level+1)
608
609
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
610
def Set(self, interface_name, property_name, value):
611
"""Standard D-Bus property Set() method, see D-Bus standard.
612
"""
613
prop = self._get_dbus_property(interface_name, property_name)
614
if prop._dbus_access == u"read":
615
raise DBusPropertyAccessException(property_name)
616
if prop._dbus_get_args_options[u"byte_arrays"]:
617
# The byte_arrays option is not supported yet on
618
# signatures other than "ay".
619
if prop._dbus_signature != u"ay":
620
raise ValueError
621
value = dbus.ByteArray(''.join(unichr(byte)
622
for byte in value))
623
prop(value)
624
625
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
626
out_signature=u"a{sv}")
627
def GetAll(self, interface_name):
628
"""Standard D-Bus property GetAll() method, see D-Bus
629
standard.
630
631
Note: Will not include properties with access="write".
632
"""
633
all = {}
634
for name, prop in self._get_all_dbus_properties():
635
if (interface_name
636
and interface_name != prop._dbus_interface):
637
# Interface non-empty but did not match
638
continue
639
# Ignore write-only properties
640
if prop._dbus_access == u"write":
641
continue
642
value = prop()
643
if not hasattr(value, u"variant_level"):
644
all[name] = value
645
continue
646
all[name] = type(value)(value, variant_level=
647
value.variant_level+1)
648
return dbus.Dictionary(all, signature=u"sv")
649
650
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
651
out_signature=u"s",
652
path_keyword='object_path',
653
connection_keyword='connection')
654
def Introspect(self, object_path, connection):
655
"""Standard D-Bus method, overloaded to insert property tags.
656
"""
657
xmlstring = dbus.service.Object.Introspect(self, object_path,
658
connection)
659
try:
660
document = xml.dom.minidom.parseString(xmlstring)
661
def make_tag(document, name, prop):
662
e = document.createElement(u"property")
663
e.setAttribute(u"name", name)
664
e.setAttribute(u"type", prop._dbus_signature)
665
e.setAttribute(u"access", prop._dbus_access)
666
return e
667
for if_tag in document.getElementsByTagName(u"interface"):
668
for tag in (make_tag(document, name, prop)
669
for name, prop
670
in self._get_all_dbus_properties()
671
if prop._dbus_interface
672
== if_tag.getAttribute(u"name")):
673
if_tag.appendChild(tag)
674
# Add the names to the return values for the
675
# "org.freedesktop.DBus.Properties" methods
676
if (if_tag.getAttribute(u"name")
677
== u"org.freedesktop.DBus.Properties"):
678
for cn in if_tag.getElementsByTagName(u"method"):
679
if cn.getAttribute(u"name") == u"Get":
680
for arg in cn.getElementsByTagName(u"arg"):
681
if (arg.getAttribute(u"direction")
682
== u"out"):
683
arg.setAttribute(u"name", u"value")
684
elif cn.getAttribute(u"name") == u"GetAll":
685
for arg in cn.getElementsByTagName(u"arg"):
686
if (arg.getAttribute(u"direction")
687
== u"out"):
688
arg.setAttribute(u"name", u"props")
689
xmlstring = document.toxml(u"utf-8")
690
document.unlink()
691
except (AttributeError, xml.dom.DOMException,
692
xml.parsers.expat.ExpatError), error:
693
logger.error(u"Failed to override Introspection method",
694
error)
695
return xmlstring
696
697
698
class ClientDBus(Client, DBusObjectWithProperties):
699
"""A Client class using D-Bus
700
701
Attributes:
702
dbus_object_path: dbus.ObjectPath
703
bus: dbus.SystemBus()
704
"""
705
# dbus.service.Object doesn't use super(), so we can't either.
706
707
def __init__(self, bus = None, *args, **kwargs):
708
self.bus = bus
709
Client.__init__(self, *args, **kwargs)
710
# Only now, when this client is initialized, can it show up on
711
# the D-Bus
712
self.dbus_object_path = (dbus.ObjectPath
713
(u"/clients/"
714
+ self.name.replace(u".", u"_")))
715
DBusObjectWithProperties.__init__(self, self.bus,
716
self.dbus_object_path)
717
718
@staticmethod
719
def _datetime_to_dbus(dt, variant_level=0):
720
"""Convert a UTC datetime.datetime() to a D-Bus type."""
721
return dbus.String(dt.isoformat(),
722
variant_level=variant_level)
723
724
def enable(self):
725
oldstate = getattr(self, u"enabled", False)
726
r = Client.enable(self)
727
if oldstate != self.enabled:
728
# Emit D-Bus signals
729
self.PropertyChanged(dbus.String(u"enabled"),
730
dbus.Boolean(True, variant_level=1))
731
self.PropertyChanged(
732
dbus.String(u"last_enabled"),
733
self._datetime_to_dbus(self.last_enabled,
734
variant_level=1))
735
return r
736
737
def disable(self, quiet = False):
738
oldstate = getattr(self, u"enabled", False)
739
r = Client.disable(self, quiet=quiet)
740
if not quiet and oldstate != self.enabled:
741
# Emit D-Bus signal
742
self.PropertyChanged(dbus.String(u"enabled"),
743
dbus.Boolean(False, variant_level=1))
744
return r
745
746
def __del__(self, *args, **kwargs):
747
try:
748
self.remove_from_connection()
749
except LookupError:
750
pass
751
if hasattr(DBusObjectWithProperties, u"__del__"):
752
DBusObjectWithProperties.__del__(self, *args, **kwargs)
753
Client.__del__(self, *args, **kwargs)
754
755
def checker_callback(self, pid, condition, command,
756
*args, **kwargs):
757
self.checker_callback_tag = None
758
self.checker = None
759
# Emit D-Bus signal
760
self.PropertyChanged(dbus.String(u"checker_running"),
761
dbus.Boolean(False, variant_level=1))
762
if os.WIFEXITED(condition):
763
exitstatus = os.WEXITSTATUS(condition)
764
# Emit D-Bus signal
765
self.CheckerCompleted(dbus.Int16(exitstatus),
766
dbus.Int64(condition),
767
dbus.String(command))
768
else:
769
# Emit D-Bus signal
770
self.CheckerCompleted(dbus.Int16(-1),
771
dbus.Int64(condition),
772
dbus.String(command))
773
774
return Client.checker_callback(self, pid, condition, command,
775
*args, **kwargs)
776
777
def checked_ok(self, *args, **kwargs):
778
r = Client.checked_ok(self, *args, **kwargs)
779
# Emit D-Bus signal
780
self.PropertyChanged(
781
dbus.String(u"last_checked_ok"),
782
(self._datetime_to_dbus(self.last_checked_ok,
783
variant_level=1)))
784
return r
785
786
def start_checker(self, *args, **kwargs):
787
old_checker = self.checker
788
if self.checker is not None:
789
old_checker_pid = self.checker.pid
790
else:
791
old_checker_pid = None
792
r = Client.start_checker(self, *args, **kwargs)
793
# Only if new checker process was started
794
if (self.checker is not None
795
and old_checker_pid != self.checker.pid):
796
# Emit D-Bus signal
797
self.CheckerStarted(self.current_checker_command)
798
self.PropertyChanged(
799
dbus.String(u"checker_running"),
800
dbus.Boolean(True, variant_level=1))
801
return r
802
803
def stop_checker(self, *args, **kwargs):
804
old_checker = getattr(self, u"checker", None)
805
r = Client.stop_checker(self, *args, **kwargs)
806
if (old_checker is not None
807
and getattr(self, u"checker", None) is None):
436
if self.use_dbus:
808
437
self.PropertyChanged(dbus.String(u"checker_running"),
809
438
dbus.Boolean(False, variant_level=1))
810
return r
811
812
def _reset_approved(self):
813
self._approved = None
814
return False
815
816
def approve(self, value=True):
817
self._approved = value
818
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration, self._reset_approved))
819
820
## D-Bus methods, signals & properties
821
_interface = u"se.bsnet.fukt.Mandos.Client"
822
823
## Signals
439
440
def still_valid(self):
441
"""Has the timeout not yet passed for this client?"""
442
if not getattr(self, "enabled", False):
443
return False
444
now = datetime.datetime.utcnow()
445
if self.last_checked_ok is None:
446
return now < (self.created + self.timeout)
447
else:
448
return now < (self.last_checked_ok + self.timeout)
449
450
## D-Bus methods & signals
451
_interface = u"org.mandos_system.Mandos.Client"
452
453
# BumpTimeout - method
454
BumpTimeout = dbus.service.method(_interface)(bump_timeout)
455
BumpTimeout.__name__ = "BumpTimeout"
824
456
825
457
# CheckerCompleted - signal
826
@dbus.service.signal(_interface, signature=u"nxs")
827
def CheckerCompleted(self, exitcode, waitstatus, command):
458
@dbus.service.signal(_interface, signature="bqs")
459
def CheckerCompleted(self, success, condition, command):
828
460
"D-Bus signal"
829
461
pass
830
462
831
463
# CheckerStarted - signal
832
@dbus.service.signal(_interface, signature=u"s")
464
@dbus.service.signal(_interface, signature="s")
833
465
def CheckerStarted(self, command):
834
466
"D-Bus signal"
835
467
pass
836
468
469
# GetAllProperties - method
470
@dbus.service.method(_interface, out_signature="a{sv}")
471
def GetAllProperties(self):
472
"D-Bus method"
473
return dbus.Dictionary({
474
dbus.String("name"):
475
dbus.String(self.name, variant_level=1),
476
dbus.String("fingerprint"):
477
dbus.String(self.fingerprint, variant_level=1),
478
dbus.String("host"):
479
dbus.String(self.host, variant_level=1),
480
dbus.String("created"):
481
_datetime_to_dbus(self.created, variant_level=1),
482
dbus.String("last_enabled"):
483
(_datetime_to_dbus(self.last_enabled,
484
variant_level=1)
485
if self.last_enabled is not None
486
else dbus.Boolean(False, variant_level=1)),
487
dbus.String("enabled"):
488
dbus.Boolean(self.enabled, variant_level=1),
489
dbus.String("last_checked_ok"):
490
(_datetime_to_dbus(self.last_checked_ok,
491
variant_level=1)
492
if self.last_checked_ok is not None
493
else dbus.Boolean (False, variant_level=1)),
494
dbus.String("timeout"):
495
dbus.UInt64(self.timeout_milliseconds(),
496
variant_level=1),
497
dbus.String("interval"):
498
dbus.UInt64(self.interval_milliseconds(),
499
variant_level=1),
500
dbus.String("checker"):
501
dbus.String(self.checker_command,
502
variant_level=1),
503
dbus.String("checker_running"):
504
dbus.Boolean(self.checker is not None,
505
variant_level=1),
506
}, signature="sv")
507
508
# IsStillValid - method
509
IsStillValid = (dbus.service.method(_interface, out_signature="b")
510
(still_valid))
511
IsStillValid.__name__ = "IsStillValid"
512
837
513
# PropertyChanged - signal
838
@dbus.service.signal(_interface, signature=u"sv")
514
@dbus.service.signal(_interface, signature="sv")
839
515
def PropertyChanged(self, property, value):
840
516
"D-Bus signal"
841
517
pass
842
518
843
# GotSecret - signal
844
@dbus.service.signal(_interface)
845
def GotSecret(self):
846
"D-Bus signal"
847
pass
848
849
# Rejected - signal
850
@dbus.service.signal(_interface, signature=u"s")
851
def Rejected(self, reason):
852
"D-Bus signal"
853
pass
854
855
# NeedApproval - signal
856
@dbus.service.signal(_interface, signature=u"db")
857
def NeedApproval(self, timeout, default):
858
"D-Bus signal"
859
pass
860
861
## Methods
862
863
# Approve - method
864
@dbus.service.method(_interface, in_signature=u"b")
865
def Approve(self, value):
866
self.approve(value)
867
868
# CheckedOK - method
869
@dbus.service.method(_interface)
870
def CheckedOK(self):
871
return self.checked_ok()
519
# SetChecker - method
520
@dbus.service.method(_interface, in_signature="s")
521
def SetChecker(self, checker):
522
"D-Bus setter method"
523
self.checker_command = checker
524
# Emit D-Bus signal
525
self.PropertyChanged(dbus.String(u"checker"),
526
dbus.String(self.checker_command,
527
variant_level=1))
528
529
# SetHost - method
530
@dbus.service.method(_interface, in_signature="s")
531
def SetHost(self, host):
532
"D-Bus setter method"
533
self.host = host
534
# Emit D-Bus signal
535
self.PropertyChanged(dbus.String(u"host"),
536
dbus.String(self.host, variant_level=1))
537
538
# SetInterval - method
539
@dbus.service.method(_interface, in_signature="t")
540
def SetInterval(self, milliseconds):
541
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
542
# Emit D-Bus signal
543
self.PropertyChanged(dbus.String(u"interval"),
544
(dbus.UInt64(self.interval_milliseconds(),
545
variant_level=1)))
546
547
# SetSecret - method
548
@dbus.service.method(_interface, in_signature="ay",
549
byte_arrays=True)
550
def SetSecret(self, secret):
551
"D-Bus setter method"
552
self.secret = str(secret)
553
554
# SetTimeout - method
555
@dbus.service.method(_interface, in_signature="t")
556
def SetTimeout(self, milliseconds):
557
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
558
# Emit D-Bus signal
559
self.PropertyChanged(dbus.String(u"timeout"),
560
(dbus.UInt64(self.timeout_milliseconds(),
561
variant_level=1)))
872
562
873
563
# Enable - method
874
@dbus.service.method(_interface)
875
def Enable(self):
876
"D-Bus method"
877
self.enable()
564
Enable = dbus.service.method(_interface)(enable)
565
Enable.__name__ = "Enable"
878
566
879
567
# StartChecker - method
880
568
@dbus.service.method(_interface)
889
577
self.disable()
890
578
891
579
# StopChecker - method
892
@dbus.service.method(_interface)
893
def StopChecker(self):
894
self.stop_checker()
895
896
## Properties
897
898
# xxx 3 new properties
899
900
# name - property
901
@dbus_service_property(_interface, signature=u"s", access=u"read")
902
def name_dbus_property(self):
903
return dbus.String(self.name)
904
905
# fingerprint - property
906
@dbus_service_property(_interface, signature=u"s", access=u"read")
907
def fingerprint_dbus_property(self):
908
return dbus.String(self.fingerprint)
909
910
# host - property
911
@dbus_service_property(_interface, signature=u"s",
912
access=u"readwrite")
913
def host_dbus_property(self, value=None):
914
if value is None: # get
915
return dbus.String(self.host)
916
self.host = value
917
# Emit D-Bus signal
918
self.PropertyChanged(dbus.String(u"host"),
919
dbus.String(value, variant_level=1))
920
921
# created - property
922
@dbus_service_property(_interface, signature=u"s", access=u"read")
923
def created_dbus_property(self):
924
return dbus.String(self._datetime_to_dbus(self.created))
925
926
# last_enabled - property
927
@dbus_service_property(_interface, signature=u"s", access=u"read")
928
def last_enabled_dbus_property(self):
929
if self.last_enabled is None:
930
return dbus.String(u"")
931
return dbus.String(self._datetime_to_dbus(self.last_enabled))
932
933
# enabled - property
934
@dbus_service_property(_interface, signature=u"b",
935
access=u"readwrite")
936
def enabled_dbus_property(self, value=None):
937
if value is None: # get
938
return dbus.Boolean(self.enabled)
939
if value:
940
self.enable()
941
else:
942
self.disable()
943
944
# last_checked_ok - property
945
@dbus_service_property(_interface, signature=u"s",
946
access=u"readwrite")
947
def last_checked_ok_dbus_property(self, value=None):
948
if value is not None:
949
self.checked_ok()
950
return
951
if self.last_checked_ok is None:
952
return dbus.String(u"")
953
return dbus.String(self._datetime_to_dbus(self
954
.last_checked_ok))
955
956
# timeout - property
957
@dbus_service_property(_interface, signature=u"t",
958
access=u"readwrite")
959
def timeout_dbus_property(self, value=None):
960
if value is None: # get
961
return dbus.UInt64(self.timeout_milliseconds())
962
self.timeout = datetime.timedelta(0, 0, 0, value)
963
# Emit D-Bus signal
964
self.PropertyChanged(dbus.String(u"timeout"),
965
dbus.UInt64(value, variant_level=1))
966
if getattr(self, u"disable_initiator_tag", None) is None:
967
return
968
# Reschedule timeout
969
gobject.source_remove(self.disable_initiator_tag)
970
self.disable_initiator_tag = None
971
time_to_die = (self.
972
_timedelta_to_milliseconds((self
973
.last_checked_ok
974
+ self.timeout)
975
- datetime.datetime
976
.utcnow()))
977
if time_to_die <= 0:
978
# The timeout has passed
979
self.disable()
980
else:
981
self.disable_initiator_tag = (gobject.timeout_add
982
(time_to_die, self.disable))
983
984
# interval - property
985
@dbus_service_property(_interface, signature=u"t",
986
access=u"readwrite")
987
def interval_dbus_property(self, value=None):
988
if value is None: # get
989
return dbus.UInt64(self.interval_milliseconds())
990
self.interval = datetime.timedelta(0, 0, 0, value)
991
# Emit D-Bus signal
992
self.PropertyChanged(dbus.String(u"interval"),
993
dbus.UInt64(value, variant_level=1))
994
if getattr(self, u"checker_initiator_tag", None) is None:
995
return
996
# Reschedule checker run
997
gobject.source_remove(self.checker_initiator_tag)
998
self.checker_initiator_tag = (gobject.timeout_add
999
(value, self.start_checker))
1000
self.start_checker() # Start one now, too
1001
1002
# checker - property
1003
@dbus_service_property(_interface, signature=u"s",
1004
access=u"readwrite")
1005
def checker_dbus_property(self, value=None):
1006
if value is None: # get
1007
return dbus.String(self.checker_command)
1008
self.checker_command = value
1009
# Emit D-Bus signal
1010
self.PropertyChanged(dbus.String(u"checker"),
1011
dbus.String(self.checker_command,
1012
variant_level=1))
1013
1014
# checker_running - property
1015
@dbus_service_property(_interface, signature=u"b",
1016
access=u"readwrite")
1017
def checker_running_dbus_property(self, value=None):
1018
if value is None: # get
1019
return dbus.Boolean(self.checker is not None)
1020
if value:
1021
self.start_checker()
1022
else:
1023
self.stop_checker()
1024
1025
# object_path - property
1026
@dbus_service_property(_interface, signature=u"o", access=u"read")
1027
def object_path_dbus_property(self):
1028
return self.dbus_object_path # is already a dbus.ObjectPath
1029
1030
# secret = property
1031
@dbus_service_property(_interface, signature=u"ay",
1032
access=u"write", byte_arrays=True)
1033
def secret_dbus_property(self, value):
1034
self.secret = str(value)
580
StopChecker = dbus.service.method(_interface)(stop_checker)
581
StopChecker.__name__ = "StopChecker"
1035
582
1036
583
del _interface
1037
584
1038
585
1039
class ProxyClient(object):
1040
def __init__(self, child_pipe, fpr, address):
1041
self._pipe = child_pipe
1042
self._pipe.send(('init', fpr, address))
1043
if not self._pipe.recv():
1044
raise KeyError()
1045
1046
def __getattribute__(self, name):
1047
if(name == '_pipe'):
1048
return super(ProxyClient, self).__getattribute__(name)
1049
self._pipe.send(('getattr', name))
1050
data = self._pipe.recv()
1051
if data[0] == 'data':
1052
return data[1]
1053
if data[0] == 'function':
1054
def func(*args, **kwargs):
1055
self._pipe.send(('funcall', name, args, kwargs))
1056
return self._pipe.recv()[1]
1057
return func
1058
1059
def __setattr__(self, name, value):
1060
if(name == '_pipe'):
1061
return super(ProxyClient, self).__setattr__(name, value)
1062
self._pipe.send(('setattr', name, value))
1063
1064
1065
class ClientHandler(socketserver.BaseRequestHandler, object):
1066
"""A class to handle client connections.
1067
1068
Instantiated once for each connection to handle it.
586
def peer_certificate(session):
587
"Return the peer's OpenPGP certificate as a bytestring"
588
# If not an OpenPGP certificate...
589
if (gnutls.library.functions
590
.gnutls_certificate_type_get(session._c_object)
591
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
592
# ...do the normal thing
593
return session.peer_certificate
594
list_size = ctypes.c_uint()
595
cert_list = (gnutls.library.functions
596
.gnutls_certificate_get_peers
597
(session._c_object, ctypes.byref(list_size)))
598
if list_size.value == 0:
599
return None
600
cert = cert_list[0]
601
return ctypes.string_at(cert.data, cert.size)
602
603
604
def fingerprint(openpgp):
605
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
606
# New GnuTLS "datum" with the OpenPGP public key
607
datum = (gnutls.library.types
608
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
609
ctypes.POINTER
610
(ctypes.c_ubyte)),
611
ctypes.c_uint(len(openpgp))))
612
# New empty GnuTLS certificate
613
crt = gnutls.library.types.gnutls_openpgp_crt_t()
614
(gnutls.library.functions
615
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
616
# Import the OpenPGP public key into the certificate
617
(gnutls.library.functions
618
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
619
gnutls.library.constants
620
.GNUTLS_OPENPGP_FMT_RAW))
621
# Verify the self signature in the key
622
crtverify = ctypes.c_uint()
623
(gnutls.library.functions
624
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
625
if crtverify.value != 0:
626
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
627
raise gnutls.errors.CertificateSecurityError("Verify failed")
628
# New buffer for the fingerprint
629
buf = ctypes.create_string_buffer(20)
630
buf_len = ctypes.c_size_t()
631
# Get the fingerprint from the certificate into the buffer
632
(gnutls.library.functions
633
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
634
ctypes.byref(buf_len)))
635
# Deinit the certificate
636
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
637
# Convert the buffer to a Python bytestring
638
fpr = ctypes.string_at(buf, buf_len.value)
639
# Convert the bytestring to hexadecimal notation
640
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
641
return hex_fpr
642
643
644
class TCP_handler(SocketServer.BaseRequestHandler, object):
645
"""A TCP request handler class.
646
Instantiated by IPv6_TCPServer for each request to handle it.
1069
647
Note: This will run in its own forked process."""
1070
648
1071
649
def handle(self):
1072
with contextlib.closing(self.server.child_pipe) as child_pipe:
1073
logger.info(u"TCP connection from: %s",
1074
unicode(self.client_address))
1075
logger.debug(u"Pipe FD: %d",
1076
self.server.child_pipe.fileno())
1077
1078
session = (gnutls.connection
1079
.ClientSession(self.request,
1080
gnutls.connection
1081
.X509Credentials()))
1082
1083
# Note: gnutls.connection.X509Credentials is really a
1084
# generic GnuTLS certificate credentials object so long as
1085
# no X.509 keys are added to it. Therefore, we can use it
1086
# here despite using OpenPGP certificates.
1087
1088
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1089
# u"+AES-256-CBC", u"+SHA1",
1090
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1091
# u"+DHE-DSS"))
1092
# Use a fallback default, since this MUST be set.
1093
priority = self.server.gnutls_priority
1094
if priority is None:
1095
priority = u"NORMAL"
1096
(gnutls.library.functions
1097
.gnutls_priority_set_direct(session._c_object,
1098
priority, None))
1099
1100
# Start communication using the Mandos protocol
1101
# Get protocol number
1102
line = self.request.makefile().readline()
1103
logger.debug(u"Protocol version: %r", line)
1104
try:
1105
if int(line.strip().split()[0]) > 1:
1106
raise RuntimeError
1107
except (ValueError, IndexError, RuntimeError), error:
1108
logger.error(u"Unknown protocol version: %s", error)
1109
return
1110
1111
# Start GnuTLS connection
1112
try:
1113
session.handshake()
1114
except gnutls.errors.GNUTLSError, error:
1115
logger.warning(u"Handshake failed: %s", error)
1116
# Do not run session.bye() here: the session is not
1117
# established. Just abandon the request.
1118
return
1119
logger.debug(u"Handshake succeeded")
1120
try:
1121
try:
1122
fpr = self.fingerprint(self.peer_certificate
1123
(session))
1124
except (TypeError, gnutls.errors.GNUTLSError), error:
1125
logger.warning(u"Bad certificate: %s", error)
1126
return
1127
logger.debug(u"Fingerprint: %s", fpr)
1128
1129
try:
1130
client = ProxyClient(child_pipe, fpr,
1131
self.client_address)
1132
except KeyError:
1133
return
1134
1135
delay = client.approved_delay
1136
while True:
1137
if not client.enabled:
1138
logger.warning(u"Client %s is disabled",
1139
client.name)
1140
if self.server.use_dbus:
1141
# Emit D-Bus signal
1142
client.Rejected("Disabled")
1143
return
1144
if client._approved is None:
1145
logger.info(u"Client %s need approval",
1146
client.name)
1147
if self.server.use_dbus:
1148
# Emit D-Bus signal
1149
client.NeedApproval(
1150
client.approved_delay_milliseconds(),
1151
client.approved_by_default)
1152
elif client._approved:
1153
#We have a password and are approved
1154
break
1155
else:
1156
logger.warning(u"Client %s was not approved",
1157
client.name)
1158
if self.server.use_dbus:
1159
# Emit D-Bus signal
1160
client.Rejected("Disapproved")
1161
return
1162
1163
#wait until timeout or approved
1164
#x = float(client._timedelta_to_milliseconds(delay))
1165
time = datetime.datetime.now()
1166
client.changedstate.acquire()
1167
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1168
client.changedstate.release()
1169
time2 = datetime.datetime.now()
1170
if (time2 - time) >= delay:
1171
if not client.approved_by_default:
1172
logger.warning("Client %s timed out while"
1173
" waiting for approval",
1174
client.name)
1175
if self.server.use_dbus:
1176
# Emit D-Bus signal
1177
client.Rejected("Time out")
1178
return
1179
else:
1180
break
1181
else:
1182
delay -= time2 - time
1183
1184
sent_size = 0
1185
while sent_size < len(client.secret):
1186
# XXX handle session exception
1187
sent = session.send(client.secret[sent_size:])
1188
logger.debug(u"Sent: %d, remaining: %d",
1189
sent, len(client.secret)
1190
- (sent_size + sent))
1191
sent_size += sent
1192
1193
logger.info(u"Sending secret to %s", client.name)
1194
# bump the timeout as if seen
1195
client.checked_ok()
1196
if self.server.use_dbus:
1197
# Emit D-Bus signal
1198
client.GotSecret()
1199
1200
finally:
1201
session.bye()
1202
1203
@staticmethod
1204
def peer_certificate(session):
1205
"Return the peer's OpenPGP certificate as a bytestring"
1206
# If not an OpenPGP certificate...
1207
if (gnutls.library.functions
1208
.gnutls_certificate_type_get(session._c_object)
1209
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1210
# ...do the normal thing
1211
return session.peer_certificate
1212
list_size = ctypes.c_uint(1)
1213
cert_list = (gnutls.library.functions
1214
.gnutls_certificate_get_peers
1215
(session._c_object, ctypes.byref(list_size)))
1216
if not bool(cert_list) and list_size.value != 0:
1217
raise gnutls.errors.GNUTLSError(u"error getting peer"
1218
u" certificate")
1219
if list_size.value == 0:
1220
return None
1221
cert = cert_list[0]
1222
return ctypes.string_at(cert.data, cert.size)
1223
1224
@staticmethod
1225
def fingerprint(openpgp):
1226
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1227
# New GnuTLS "datum" with the OpenPGP public key
1228
datum = (gnutls.library.types
1229
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1230
ctypes.POINTER
1231
(ctypes.c_ubyte)),
1232
ctypes.c_uint(len(openpgp))))
1233
# New empty GnuTLS certificate
1234
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1235
(gnutls.library.functions
1236
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1237
# Import the OpenPGP public key into the certificate
1238
(gnutls.library.functions
1239
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1240
gnutls.library.constants
1241
.GNUTLS_OPENPGP_FMT_RAW))
1242
# Verify the self signature in the key
1243
crtverify = ctypes.c_uint()
1244
(gnutls.library.functions
1245
.gnutls_openpgp_crt_verify_self(crt, 0,
1246
ctypes.byref(crtverify)))
1247
if crtverify.value != 0:
1248
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1249
raise (gnutls.errors.CertificateSecurityError
1250
(u"Verify failed"))
1251
# New buffer for the fingerprint
1252
buf = ctypes.create_string_buffer(20)
1253
buf_len = ctypes.c_size_t()
1254
# Get the fingerprint from the certificate into the buffer
1255
(gnutls.library.functions
1256
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1257
ctypes.byref(buf_len)))
1258
# Deinit the certificate
1259
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1260
# Convert the buffer to a Python bytestring
1261
fpr = ctypes.string_at(buf, buf_len.value)
1262
# Convert the bytestring to hexadecimal notation
1263
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1264
return hex_fpr
1265
1266
1267
class MultiprocessingMixIn(object):
1268
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1269
def sub_process_main(self, request, address):
1270
try:
1271
self.finish_request(request, address)
1272
except:
1273
self.handle_error(request, address)
1274
self.close_request(request)
1275
1276
def process_request(self, request, address):
1277
"""Start a new process to process the request."""
1278
multiprocessing.Process(target = self.sub_process_main,
1279
args = (request, address)).start()
1280
1281
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1282
""" adds a pipe to the MixIn """
1283
def process_request(self, request, client_address):
1284
"""Overrides and wraps the original process_request().
1285
1286
This function creates a new pipe in self.pipe
1287
"""
1288
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1289
1290
super(MultiprocessingMixInWithPipe,
1291
self).process_request(request, client_address)
1292
self.add_pipe(parent_pipe)
1293
def add_pipe(self, parent_pipe):
1294
"""Dummy function; override as necessary"""
1295
pass
1296
1297
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1298
socketserver.TCPServer, object):
1299
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1300
650
logger.info(u"TCP connection from: %s",
651
unicode(self.client_address))
652
session = (gnutls.connection
653
.ClientSession(self.request,
654
gnutls.connection
655
.X509Credentials()))
656
657
line = self.request.makefile().readline()
658
logger.debug(u"Protocol version: %r", line)
659
try:
660
if int(line.strip().split()[0]) > 1:
661
raise RuntimeError
662
except (ValueError, IndexError, RuntimeError), error:
663
logger.error(u"Unknown protocol version: %s", error)
664
return
665
666
# Note: gnutls.connection.X509Credentials is really a generic
667
# GnuTLS certificate credentials object so long as no X.509
668
# keys are added to it. Therefore, we can use it here despite
669
# using OpenPGP certificates.
670
671
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
672
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
673
# "+DHE-DSS"))
674
# Use a fallback default, since this MUST be set.
675
priority = self.server.settings.get("priority", "NORMAL")
676
(gnutls.library.functions
677
.gnutls_priority_set_direct(session._c_object,
678
priority, None))
679
680
try:
681
session.handshake()
682
except gnutls.errors.GNUTLSError, error:
683
logger.warning(u"Handshake failed: %s", error)
684
# Do not run session.bye() here: the session is not
685
# established. Just abandon the request.
686
return
687
try:
688
fpr = fingerprint(peer_certificate(session))
689
except (TypeError, gnutls.errors.GNUTLSError), error:
690
logger.warning(u"Bad certificate: %s", error)
691
session.bye()
692
return
693
logger.debug(u"Fingerprint: %s", fpr)
694
for c in self.server.clients:
695
if c.fingerprint == fpr:
696
client = c
697
break
698
else:
699
logger.warning(u"Client not found for fingerprint: %s",
700
fpr)
701
session.bye()
702
return
703
# Have to check if client.still_valid(), since it is possible
704
# that the client timed out while establishing the GnuTLS
705
# session.
706
if not client.still_valid():
707
logger.warning(u"Client %(name)s is invalid",
708
vars(client))
709
session.bye()
710
return
711
## This won't work here, since we're in a fork.
712
# client.bump_timeout()
713
sent_size = 0
714
while sent_size < len(client.secret):
715
sent = session.send(client.secret[sent_size:])
716
logger.debug(u"Sent: %d, remaining: %d",
717
sent, len(client.secret)
718
- (sent_size + sent))
719
sent_size += sent
720
session.bye()
721
722
723
class IPv6_TCPServer(SocketServer.ForkingMixIn,
724
SocketServer.TCPServer, object):
725
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1301
726
Attributes:
727
settings: Server settings
728
clients: Set() of Client objects
1302
729
enabled: Boolean; whether this server is activated yet
1303
interface: None or a network interface name (string)
1304
use_ipv6: Boolean; to use IPv6 or not
1305
730
"""
1306
def __init__(self, server_address, RequestHandlerClass,
1307
interface=None, use_ipv6=True):
1308
self.interface = interface
1309
if use_ipv6:
1310
self.address_family = socket.AF_INET6
1311
socketserver.TCPServer.__init__(self, server_address,
1312
RequestHandlerClass)
731
address_family = socket.AF_INET6
732
def __init__(self, *args, **kwargs):
733
if "settings" in kwargs:
734
self.settings = kwargs["settings"]
735
del kwargs["settings"]
736
if "clients" in kwargs:
737
self.clients = kwargs["clients"]
738
del kwargs["clients"]
739
self.enabled = False
740
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1313
741
def server_bind(self):
1314
742
"""This overrides the normal server_bind() function
1315
743
to bind to an interface if one was specified, and also NOT to
1316
744
bind to an address or port if they were not specified."""
1317
if self.interface is not None:
1318
if SO_BINDTODEVICE is None:
1319
logger.error(u"SO_BINDTODEVICE does not exist;"
1320
u" cannot bind to interface %s",
1321
self.interface)
1322
else:
1323
try:
1324
self.socket.setsockopt(socket.SOL_SOCKET,
1325
SO_BINDTODEVICE,
1326
str(self.interface
1327
+ u'\0'))
1328
except socket.error, error:
1329
if error[0] == errno.EPERM:
1330
logger.error(u"No permission to"
1331
u" bind to interface %s",
1332
self.interface)
1333
elif error[0] == errno.ENOPROTOOPT:
1334
logger.error(u"SO_BINDTODEVICE not available;"
1335
u" cannot bind to interface %s",
1336
self.interface)
1337
else:
1338
raise
745
if self.settings["interface"]:
746
# 25 is from /usr/include/asm-i486/socket.h
747
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
748
try:
749
self.socket.setsockopt(socket.SOL_SOCKET,
750
SO_BINDTODEVICE,
751
self.settings["interface"])
752
except socket.error, error:
753
if error[0] == errno.EPERM:
754
logger.error(u"No permission to"
755
u" bind to interface %s",
756
self.settings["interface"])
757
else:
758
raise error
1339
759
# Only bind(2) the socket if we really need to.
1340
760
if self.server_address[0] or self.server_address[1]:
1341
761
if not self.server_address[0]:
1342
if self.address_family == socket.AF_INET6:
1343
any_address = u"::" # in6addr_any
1344
else:
1345
any_address = socket.INADDR_ANY
1346
self.server_address = (any_address,
762
in6addr_any = "::"
763
self.server_address = (in6addr_any,
1347
764
self.server_address[1])
1348
765
elif not self.server_address[1]:
1349
766
self.server_address = (self.server_address[0],
1350
767
0)
1351
# if self.interface:
768
# if self.settings["interface"]:
1352
769
# self.server_address = (self.server_address[0],
1353
770
# 0, # port
1354
771
# 0, # flowinfo
1355
772
# if_nametoindex
1356
# (self.interface))
1357
return socketserver.TCPServer.server_bind(self)
1358
1359
1360
class MandosServer(IPv6_TCPServer):
1361
"""Mandos server.
1362
1363
Attributes:
1364
clients: set of Client objects
1365
gnutls_priority GnuTLS priority string
1366
use_dbus: Boolean; to emit D-Bus signals or not
1367
1368
Assumes a gobject.MainLoop event loop.
1369
"""
1370
def __init__(self, server_address, RequestHandlerClass,
1371
interface=None, use_ipv6=True, clients=None,
1372
gnutls_priority=None, use_dbus=True):
1373
self.enabled = False
1374
self.clients = clients
1375
if self.clients is None:
1376
self.clients = set()
1377
self.use_dbus = use_dbus
1378
self.gnutls_priority = gnutls_priority
1379
IPv6_TCPServer.__init__(self, server_address,
1380
RequestHandlerClass,
1381
interface = interface,
1382
use_ipv6 = use_ipv6)
773
# (self.settings
774
# ["interface"]))
775
return super(IPv6_TCPServer, self).server_bind()
1383
776
def server_activate(self):
1384
777
if self.enabled:
1385
return socketserver.TCPServer.server_activate(self)
778
return super(IPv6_TCPServer, self).server_activate()
1386
779
def enable(self):
1387
780
self.enabled = True
1388
def add_pipe(self, parent_pipe):
1389
# Call "handle_ipc" for both data and EOF events
1390
gobject.io_add_watch(parent_pipe.fileno(),
1391
gobject.IO_IN | gobject.IO_HUP,
1392
functools.partial(self.handle_ipc,
1393
parent_pipe = parent_pipe))
1394
1395
def handle_ipc(self, source, condition, parent_pipe=None,
1396
client_object=None):
1397
condition_names = {
1398
gobject.IO_IN: u"IN", # There is data to read.
1399
gobject.IO_OUT: u"OUT", # Data can be written (without
1400
# blocking).
1401
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1402
gobject.IO_ERR: u"ERR", # Error condition.
1403
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1404
# broken, usually for pipes and
1405
# sockets).
1406
}
1407
conditions_string = ' | '.join(name
1408
for cond, name in
1409
condition_names.iteritems()
1410
if cond & condition)
1411
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1412
conditions_string)
1413
1414
# Read a request from the child
1415
request = parent_pipe.recv()
1416
command = request[0]
1417
1418
if command == 'init':
1419
fpr = request[1]
1420
address = request[2]
1421
1422
for c in self.clients:
1423
if c.fingerprint == fpr:
1424
client = c
1425
break
1426
else:
1427
logger.warning(u"Client not found for fingerprint: %s, ad"
1428
u"dress: %s", fpr, address)
1429
if self.use_dbus:
1430
# Emit D-Bus signal
1431
mandos_dbus_service.ClientNotFound(fpr, address)
1432
parent_pipe.send(False)
1433
return False
1434
1435
gobject.io_add_watch(parent_pipe.fileno(),
1436
gobject.IO_IN | gobject.IO_HUP,
1437
functools.partial(self.handle_ipc,
1438
parent_pipe = parent_pipe,
1439
client_object = client))
1440
parent_pipe.send(True)
1441
# remove the old hook in favor of the new above hook on same fileno
1442
return False
1443
if command == 'funcall':
1444
funcname = request[1]
1445
args = request[2]
1446
kwargs = request[3]
1447
1448
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1449
1450
if command == 'getattr':
1451
attrname = request[1]
1452
if callable(client_object.__getattribute__(attrname)):
1453
parent_pipe.send(('function',))
1454
else:
1455
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1456
1457
if command == 'setattr':
1458
attrname = request[1]
1459
value = request[2]
1460
setattr(client_object, attrname, value)
1461
1462
return True
1463
781
1464
782
1465
783
def string_to_delta(interval):
1466
784
"""Parse a string and return a datetime.timedelta
1467
1468
>>> string_to_delta(u'7d')
785
786
>>> string_to_delta('7d')
1469
787
datetime.timedelta(7)
1470
>>> string_to_delta(u'60s')
788
>>> string_to_delta('60s')
1471
789
datetime.timedelta(0, 60)
1472
>>> string_to_delta(u'60m')
790
>>> string_to_delta('60m')
1473
791
datetime.timedelta(0, 3600)
1474
>>> string_to_delta(u'24h')
792
>>> string_to_delta('24h')
1475
793
datetime.timedelta(1)
1476
794
>>> string_to_delta(u'1w')
1477
795
datetime.timedelta(7)
1478
>>> string_to_delta(u'5m 30s')
796
>>> string_to_delta('5m 30s')
1479
797
datetime.timedelta(0, 330)
1480
798
"""
1481
799
timevalue = datetime.timedelta(0)
1494
812
elif suffix == u"w":
1495
813
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1496
814
else:
1497
raise ValueError(u"Unknown suffix %r" % suffix)
1498
except (ValueError, IndexError), e:
1499
raise ValueError(e.message)
815
raise ValueError
816
except (ValueError, IndexError):
817
raise ValueError
1500
818
timevalue += delta
1501
819
return timevalue
1502
820
1503
821
822
def server_state_changed(state):
823
"""Derived from the Avahi example code"""
824
if state == avahi.SERVER_COLLISION:
825
logger.error(u"Zeroconf server name collision")
826
service.remove()
827
elif state == avahi.SERVER_RUNNING:
828
service.add()
829
830
831
def entry_group_state_changed(state, error):
832
"""Derived from the Avahi example code"""
833
logger.debug(u"Avahi state change: %i", state)
834
835
if state == avahi.ENTRY_GROUP_ESTABLISHED:
836
logger.debug(u"Zeroconf service established.")
837
elif state == avahi.ENTRY_GROUP_COLLISION:
838
logger.warning(u"Zeroconf service name collision.")
839
service.rename()
840
elif state == avahi.ENTRY_GROUP_FAILURE:
841
logger.critical(u"Avahi: Error in group state changed %s",
842
unicode(error))
843
raise AvahiGroupError(u"State changed: %s" % unicode(error))
844
1504
845
def if_nametoindex(interface):
1505
"""Call the C function if_nametoindex(), or equivalent
1506
1507
Note: This function cannot accept a unicode string."""
846
"""Call the C function if_nametoindex(), or equivalent"""
1508
847
global if_nametoindex
1509
848
try:
1510
849
if_nametoindex = (ctypes.cdll.LoadLibrary
1511
(ctypes.util.find_library(u"c"))
850
(ctypes.util.find_library("c"))
1512
851
.if_nametoindex)
1513
852
except (OSError, AttributeError):
1514
logger.warning(u"Doing if_nametoindex the hard way")
853
if "struct" not in sys.modules:
854
import struct
855
if "fcntl" not in sys.modules:
856
import fcntl
1515
857
def if_nametoindex(interface):
1516
858
"Get an interface index the hard way, i.e. using fcntl()"
1517
859
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1518
with contextlib.closing(socket.socket()) as s:
860
with closing(socket.socket()) as s:
1519
861
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1520
struct.pack(str(u"16s16x"),
1521
interface))
1522
interface_index = struct.unpack(str(u"I"),
1523
ifreq[16:20])[0]
862
struct.pack("16s16x", interface))
863
interface_index = struct.unpack("I", ifreq[16:20])[0]
1524
864
return interface_index
1525
865
return if_nametoindex(interface)
1526
866
1527
867
1528
868
def daemon(nochdir = False, noclose = False):
1529
869
"""See daemon(3). Standard BSD Unix function.
1530
1531
870
This should really exist as os.daemon, but it doesn't (yet)."""
1532
871
if os.fork():
1533
872
sys.exit()
1534
873
os.setsid()
1535
874
if not nochdir:
1536
os.chdir(u"/")
875
os.chdir("/")
1537
876
if os.fork():
1538
877
sys.exit()
1539
878
if not noclose:
1541
880
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1542
881
if not stat.S_ISCHR(os.fstat(null).st_mode):
1543
882
raise OSError(errno.ENODEV,
1544
u"%s not a character device"
1545
% os.path.devnull)
883
"/dev/null not a character device")
1546
884
os.dup2(null, sys.stdin.fileno())
1547
885
os.dup2(null, sys.stdout.fileno())
1548
886
os.dup2(null, sys.stderr.fileno())
1551
889
1552
890
1553
891
def main():
1554
1555
##################################################################
1556
# Parsing of options, both command line and config file
1557
1558
parser = optparse.OptionParser(version = "%%prog %s" % version)
1559
parser.add_option("-i", u"--interface", type=u"string",
1560
metavar="IF", help=u"Bind to interface IF")
1561
parser.add_option("-a", u"--address", type=u"string",
1562
help=u"Address to listen for requests on")
1563
parser.add_option("-p", u"--port", type=u"int",
1564
help=u"Port number to receive requests on")
1565
parser.add_option("--check", action=u"store_true",
1566
help=u"Run self-test")
1567
parser.add_option("--debug", action=u"store_true",
1568
help=u"Debug mode; run in foreground and log to"
1569
u" terminal")
1570
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1571
u" priority string (see GnuTLS documentation)")
1572
parser.add_option("--servicename", type=u"string",
1573
metavar=u"NAME", help=u"Zeroconf service name")
1574
parser.add_option("--configdir", type=u"string",
1575
default=u"/etc/mandos", metavar=u"DIR",
1576
help=u"Directory to search for configuration"
1577
u" files")
1578
parser.add_option("--no-dbus", action=u"store_false",
1579
dest=u"use_dbus", help=u"Do not provide D-Bus"
1580
u" system bus interface")
1581
parser.add_option("--no-ipv6", action=u"store_false",
1582
dest=u"use_ipv6", help=u"Do not use IPv6")
892
parser = OptionParser(version = "%%prog %s" % version)
893
parser.add_option("-i", "--interface", type="string",
894
metavar="IF", help="Bind to interface IF")
895
parser.add_option("-a", "--address", type="string",
896
help="Address to listen for requests on")
897
parser.add_option("-p", "--port", type="int",
898
help="Port number to receive requests on")
899
parser.add_option("--check", action="store_true",
900
help="Run self-test")
901
parser.add_option("--debug", action="store_true",
902
help="Debug mode; run in foreground and log to"
903
" terminal")
904
parser.add_option("--priority", type="string", help="GnuTLS"
905
" priority string (see GnuTLS documentation)")
906
parser.add_option("--servicename", type="string", metavar="NAME",
907
help="Zeroconf service name")
908
parser.add_option("--configdir", type="string",
909
default="/etc/mandos", metavar="DIR",
910
help="Directory to search for configuration"
911
" files")
912
parser.add_option("--no-dbus", action="store_false",
913
dest="use_dbus",
914
help="Do not provide D-Bus system bus"
915
" interface")
1583
916
options = parser.parse_args()[0]
1584
917
1585
918
if options.check:
1588
921
sys.exit()
1589
922
1590
923
# Default values for config file for server-global settings
1591
server_defaults = { u"interface": u"",
1592
u"address": u"",
1593
u"port": u"",
1594
u"debug": u"False",
1595
u"priority":
1596
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1597
u"servicename": u"Mandos",
1598
u"use_dbus": u"True",
1599
u"use_ipv6": u"True",
924
server_defaults = { "interface": "",
925
"address": "",
926
"port": "",
927
"debug": "False",
928
"priority":
929
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
930
"servicename": "Mandos",
931
"use_dbus": "True",
1600
932
}
1601
933
1602
934
# Parse config file for server-global settings
1603
server_config = configparser.SafeConfigParser(server_defaults)
935
server_config = ConfigParser.SafeConfigParser(server_defaults)
1604
936
del server_defaults
1605
server_config.read(os.path.join(options.configdir,
1606
u"mandos.conf"))
937
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1607
938
# Convert the SafeConfigParser object to a dict
1608
939
server_settings = server_config.defaults()
1609
# Use the appropriate methods on the non-string config options
1610
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1611
server_settings[option] = server_config.getboolean(u"DEFAULT",
1612
option)
1613
if server_settings["port"]:
1614
server_settings["port"] = server_config.getint(u"DEFAULT",
1615
u"port")
940
# Use getboolean on the boolean config options
941
server_settings["debug"] = (server_config.getboolean
942
("DEFAULT", "debug"))
943
server_settings["use_dbus"] = (server_config.getboolean
944
("DEFAULT", "use_dbus"))
1616
945
del server_config
1617
946
1618
947
# Override the settings from the config file with command line
1619
948
# options, if set.
1620
for option in (u"interface", u"address", u"port", u"debug",
1621
u"priority", u"servicename", u"configdir",
1622
u"use_dbus", u"use_ipv6"):
949
for option in ("interface", "address", "port", "debug",
950
"priority", "servicename", "configdir",
951
"use_dbus"):
1623
952
value = getattr(options, option)
1624
953
if value is not None:
1625
954
server_settings[option] = value
1626
955
del options
1627
# Force all strings to be unicode
1628
for option in server_settings.keys():
1629
if type(server_settings[option]) is str:
1630
server_settings[option] = unicode(server_settings[option])
1631
956
# Now we have our good server settings in "server_settings"
1632
957
1633
##################################################################
1634
1635
958
# For convenience
1636
debug = server_settings[u"debug"]
1637
use_dbus = server_settings[u"use_dbus"]
1638
use_ipv6 = server_settings[u"use_ipv6"]
959
debug = server_settings["debug"]
960
use_dbus = server_settings["use_dbus"]
1639
961
1640
962
if not debug:
1641
963
syslogger.setLevel(logging.WARNING)
1642
964
console.setLevel(logging.WARNING)
1643
965
1644
if server_settings[u"servicename"] != u"Mandos":
966
if server_settings["servicename"] != "Mandos":
1645
967
syslogger.setFormatter(logging.Formatter
1646
(u'Mandos (%s) [%%(process)d]:'
1647
u' %%(levelname)s: %%(message)s'
1648
% server_settings[u"servicename"]))
968
('Mandos (%s): %%(levelname)s:'
969
' %%(message)s'
970
% server_settings["servicename"]))
1649
971
1650
972
# Parse config file with clients
1651
client_defaults = { u"timeout": u"1h",
1652
u"interval": u"5m",
1653
u"checker": u"fping -q -- %%(host)s",
1654
u"host": u"",
1655
u"approved_delay": u"5m",
1656
u"approved_duration": u"1s",
973
client_defaults = { "timeout": "1h",
974
"interval": "5m",
975
"checker": "fping -q -- %(host)s",
976
"host": "",
1657
977
}
1658
client_config = configparser.SafeConfigParser(client_defaults)
1659
client_config.read(os.path.join(server_settings[u"configdir"],
1660
u"clients.conf"))
1661
1662
global mandos_dbus_service
1663
mandos_dbus_service = None
1664
1665
tcp_server = MandosServer((server_settings[u"address"],
1666
server_settings[u"port"]),
1667
ClientHandler,
1668
interface=server_settings[u"interface"],
1669
use_ipv6=use_ipv6,
1670
gnutls_priority=
1671
server_settings[u"priority"],
1672
use_dbus=use_dbus)
1673
pidfilename = u"/var/run/mandos.pid"
1674
try:
1675
pidfile = open(pidfilename, u"w")
1676
except IOError:
1677
logger.error(u"Could not open file %r", pidfilename)
1678
1679
try:
1680
uid = pwd.getpwnam(u"_mandos").pw_uid
1681
gid = pwd.getpwnam(u"_mandos").pw_gid
978
client_config = ConfigParser.SafeConfigParser(client_defaults)
979
client_config.read(os.path.join(server_settings["configdir"],
980
"clients.conf"))
981
982
clients = Set()
983
tcp_server = IPv6_TCPServer((server_settings["address"],
984
server_settings["port"]),
985
TCP_handler,
986
settings=server_settings,
987
clients=clients)
988
pidfilename = "/var/run/mandos.pid"
989
try:
990
pidfile = open(pidfilename, "w")
991
except IOError, error:
992
logger.error("Could not open file %r", pidfilename)
993
994
try:
995
uid = pwd.getpwnam("_mandos").pw_uid
1682
996
except KeyError:
1683
997
try:
1684
uid = pwd.getpwnam(u"mandos").pw_uid
1685
gid = pwd.getpwnam(u"mandos").pw_gid
998
uid = pwd.getpwnam("mandos").pw_uid
1686
999
except KeyError:
1687
1000
try:
1688
uid = pwd.getpwnam(u"nobody").pw_uid
1689
gid = pwd.getpwnam(u"nobody").pw_gid
1001
uid = pwd.getpwnam("nobody").pw_uid
1690
1002
except KeyError:
1691
1003
uid = 65534
1004
try:
1005
gid = pwd.getpwnam("_mandos").pw_gid
1006
except KeyError:
1007
try:
1008
gid = pwd.getpwnam("mandos").pw_gid
1009
except KeyError:
1010
try:
1011
gid = pwd.getpwnam("nogroup").pw_gid
1012
except KeyError:
1692
1013
gid = 65534
1693
1014
try:
1015
os.setuid(uid)
1694
1016
os.setgid(gid)
1695
os.setuid(uid)
1696
1017
except OSError, error:
1697
1018
if error[0] != errno.EPERM:
1698
1019
raise error
1699
1020
1700
# Enable all possible GnuTLS debugging
1701
if debug:
1702
# "Use a log level over 10 to enable all debugging options."
1703
# - GnuTLS manual
1704
gnutls.library.functions.gnutls_global_set_log_level(11)
1705
1706
@gnutls.library.types.gnutls_log_func
1707
def debug_gnutls(level, string):
1708
logger.debug(u"GnuTLS: %s", string[:-1])
1709
1710
(gnutls.library.functions
1711
.gnutls_global_set_log_function(debug_gnutls))
1021
global service
1022
service = AvahiService(name = server_settings["servicename"],
1023
servicetype = "_mandos._tcp", )
1024
if server_settings["interface"]:
1025
service.interface = (if_nametoindex
1026
(server_settings["interface"]))
1712
1027
1713
1028
global main_loop
1029
global bus
1030
global server
1714
1031
# From the Avahi example code
1715
1032
DBusGMainLoop(set_as_default=True )
1716
1033
main_loop = gobject.MainLoop()
1717
1034
bus = dbus.SystemBus()
1035
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1036
avahi.DBUS_PATH_SERVER),
1037
avahi.DBUS_INTERFACE_SERVER)
1718
1038
# End of Avahi example code
1719
1039
if use_dbus:
1720
try:
1721
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1722
bus, do_not_queue=True)
1723
except dbus.exceptions.NameExistsException, e:
1724
logger.error(unicode(e) + u", disabling D-Bus")
1725
use_dbus = False
1726
server_settings[u"use_dbus"] = False
1727
tcp_server.use_dbus = False
1728
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1729
service = AvahiService(name = server_settings[u"servicename"],
1730
servicetype = u"_mandos._tcp",
1731
protocol = protocol, bus = bus)
1732
if server_settings["interface"]:
1733
service.interface = (if_nametoindex
1734
(str(server_settings[u"interface"])))
1735
1736
client_class = Client
1737
if use_dbus:
1738
client_class = functools.partial(ClientDBus, bus = bus)
1739
def client_config_items(config, section):
1740
special_settings = {
1741
"approve_by_default":
1742
lambda: config.getboolean(section,
1743
"approve_by_default"),
1744
}
1745
for name, value in config.items(section):
1746
try:
1747
yield special_settings[name]()
1748
except KeyError:
1749
yield (name, value)
1750
1751
tcp_server.clients.update(set(
1752
client_class(name = section,
1753
config= dict(client_config_items(
1754
client_config, section)))
1755
for section in client_config.sections()))
1756
if not tcp_server.clients:
1040
bus_name = dbus.service.BusName(u"org.mandos-system.Mandos",
1041
bus)
1042
1043
clients.update(Set(Client(name = section,
1044
config
1045
= dict(client_config.items(section)),
1046
use_dbus = use_dbus)
1047
for section in client_config.sections()))
1048
if not clients:
1757
1049
logger.warning(u"No clients defined")
1758
1050
1759
1051
if debug:
1769
1061
daemon()
1770
1062
1771
1063
try:
1772
with pidfile:
1773
pid = os.getpid()
1774
pidfile.write(str(pid) + "\n")
1064
pid = os.getpid()
1065
pidfile.write(str(pid) + "\n")
1066
pidfile.close()
1775
1067
del pidfile
1776
1068
except IOError:
1777
1069
logger.error(u"Could not write to file %r with PID %d",
1781
1073
pass
1782
1074
del pidfilename
1783
1075
1076
def cleanup():
1077
"Cleanup function; run on exit"
1078
global group
1079
# From the Avahi example code
1080
if not group is None:
1081
group.Free()
1082
group = None
1083
# End of Avahi example code
1084
1085
while clients:
1086
client = clients.pop()
1087
client.disable_hook = None
1088
client.disable()
1089
1090
atexit.register(cleanup)
1091
1784
1092
if not debug:
1785
1093
signal.signal(signal.SIGINT, signal.SIG_IGN)
1786
1094
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1787
1095
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1788
1096
1789
1097
if use_dbus:
1790
class MandosDBusService(dbus.service.Object):
1098
class MandosServer(dbus.service.Object):
1791
1099
"""A D-Bus proxy object"""
1792
1100
def __init__(self):
1793
dbus.service.Object.__init__(self, bus, u"/")
1794
_interface = u"se.bsnet.fukt.Mandos"
1795
1796
@dbus.service.signal(_interface, signature=u"o")
1797
def ClientAdded(self, objpath):
1798
"D-Bus signal"
1799
pass
1800
1801
@dbus.service.signal(_interface, signature=u"ss")
1802
def ClientNotFound(self, fingerprint, address):
1803
"D-Bus signal"
1804
pass
1805
1806
@dbus.service.signal(_interface, signature=u"os")
1807
def ClientRemoved(self, objpath, name):
1808
"D-Bus signal"
1809
pass
1810
1811
@dbus.service.method(_interface, out_signature=u"ao")
1101
dbus.service.Object.__init__(self, bus,
1102
"/Mandos")
1103
_interface = u"org.mandos_system.Mandos"
1104
1105
@dbus.service.signal(_interface, signature="oa{sv}")
1106
def ClientAdded(self, objpath, properties):
1107
"D-Bus signal"
1108
pass
1109
1110
@dbus.service.signal(_interface, signature="o")
1111
def ClientRemoved(self, objpath):
1112
"D-Bus signal"
1113
pass
1114
1115
@dbus.service.method(_interface, out_signature="ao")
1812
1116
def GetAllClients(self):
1813
"D-Bus method"
1814
return dbus.Array(c.dbus_object_path
1815
for c in tcp_server.clients)
1816
1817
@dbus.service.method(_interface,
1818
out_signature=u"a{oa{sv}}")
1117
return dbus.Array(c.dbus_object_path for c in clients)
1118
1119
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1819
1120
def GetAllClientsWithProperties(self):
1820
"D-Bus method"
1821
1121
return dbus.Dictionary(
1822
((c.dbus_object_path, c.GetAll(u""))
1823
for c in tcp_server.clients),
1824
signature=u"oa{sv}")
1825
1826
@dbus.service.method(_interface, in_signature=u"o")
1122
((c.dbus_object_path, c.GetAllProperties())
1123
for c in clients),
1124
signature="oa{sv}")
1125
1126
@dbus.service.method(_interface, in_signature="o")
1827
1127
def RemoveClient(self, object_path):
1828
"D-Bus method"
1829
for c in tcp_server.clients:
1128
for c in clients:
1830
1129
if c.dbus_object_path == object_path:
1831
tcp_server.clients.remove(c)
1832
c.remove_from_connection()
1130
clients.remove(c)
1833
1131
# Don't signal anything except ClientRemoved
1834
c.disable(quiet=True)
1132
c.use_dbus = False
1133
c.disable()
1835
1134
# Emit D-Bus signal
1836
self.ClientRemoved(object_path, c.name)
1135
self.ClientRemoved(object_path)
1837
1136
return
1838
raise KeyError(object_path)
1839
1137
raise KeyError
1138
@dbus.service.method(_interface)
1139
def Quit(self):
1140
main_loop.quit()
1141
1840
1142
del _interface
1841
1842
mandos_dbus_service = MandosDBusService()
1843
1844
def cleanup():
1845
"Cleanup function; run on exit"
1846
service.cleanup()
1847
1848
while tcp_server.clients:
1849
client = tcp_server.clients.pop()
1850
if use_dbus:
1851
client.remove_from_connection()
1852
client.disable_hook = None
1853
# Don't signal anything except ClientRemoved
1854
client.disable(quiet=True)
1855
if use_dbus:
1856
# Emit D-Bus signal
1857
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1858
client.name)
1859
1860
atexit.register(cleanup)
1861
1862
for client in tcp_server.clients:
1143
1144
mandos_server = MandosServer()
1145
1146
for client in clients:
1863
1147
if use_dbus:
1864
1148
# Emit D-Bus signal
1865
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1149
mandos_server.ClientAdded(client.dbus_object_path,
1150
client.GetAllProperties())
1866
1151
client.enable()
1867
1152
1868
1153
tcp_server.enable()
1870
1155
1871
1156
# Find out what port we got
1872
1157
service.port = tcp_server.socket.getsockname()[1]
1873
if use_ipv6:
1874
logger.info(u"Now listening on address %r, port %d,"
1875
" flowinfo %d, scope_id %d"
1876
% tcp_server.socket.getsockname())
1877
else: # IPv4
1878
logger.info(u"Now listening on address %r, port %d"
1879
% tcp_server.socket.getsockname())
1158
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1159
u" scope_id %d" % tcp_server.socket.getsockname())
1880
1160
1881
1161
#service.interface = tcp_server.socket.getsockname()[3]
1882
1162
1883
1163
try:
1884
1164
# From the Avahi example code
1165
server.connect_to_signal("StateChanged", server_state_changed)
1885
1166
try:
1886
service.activate()
1167
server_state_changed(server.GetState())
1887
1168
except dbus.exceptions.DBusException, error:
1888
1169
logger.critical(u"DBusException: %s", error)
1889
cleanup()
1890
1170
sys.exit(1)
1891
1171
# End of Avahi example code
1892
1172
1899
1179
main_loop.run()
1900
1180
except AvahiError, error:
1901
1181
logger.critical(u"AvahiError: %s", error)
1902
cleanup()
1903
1182
sys.exit(1)
1904
1183
except KeyboardInterrupt:
1905
1184
if debug:
1906
print >> sys.stderr
1907
logger.debug(u"Server received KeyboardInterrupt")
1908
logger.debug(u"Server exiting")
1909
# Must run before the D-Bus bus name gets deregistered
1910
cleanup()
1185
print
1911
1186
1912
1187
if __name__ == '__main__':
1913
1188
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0