/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-ctl

  • Committer: Teddy Hogeborn
  • Date: 2019-02-10 03:50:20 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 370.
  • Revision ID: teddy@recompile.se-20190210035020-nttr1tybgwwixueu
Show debconf note about new TLS key IDs

If mandos-client did not see TLS keys and had to create them, or if
mandos sees GnuTLS version 3.6.6 or later, show an important notice on
package installation about the importance of adding the new key_id
options to clients.conf on the Mandos server.

* debian/control (Package: mandos, Package: mandos-client): Depend on
                                                            debconf.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.postinst (create_keys): Show notice if new TLS
                                               key files were created.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
                                      detected, show an important
                                      notice (once) about the new
                                      key_id option required in
                                      clients.conf.
* debian/mandos.templates: New.

Show diffs side-by-side

added added

removed removed

Lines of Context:
 
1
#!/usr/bin/python
 
2
# -*- mode: python; coding: utf-8 -*-
 
3
#
 
4
# Mandos Monitor - Control and monitor the Mandos server
 
5
#
 
6
# Copyright © 2008-2018 Teddy Hogeborn
 
7
# Copyright © 2008-2018 Björn Påhlsson
 
8
#
 
9
# This file is part of Mandos.
 
10
#
 
11
# Mandos is free software: you can redistribute it and/or modify it
 
12
# under the terms of the GNU General Public License as published by
 
13
# the Free Software Foundation, either version 3 of the License, or
 
14
# (at your option) any later version.
 
15
#
 
16
#     Mandos is distributed in the hope that it will be useful, but
 
17
#     WITHOUT ANY WARRANTY; without even the implied warranty of
 
18
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
19
#     GNU General Public License for more details.
 
20
#
 
21
# You should have received a copy of the GNU General Public License
 
22
# along with Mandos.  If not, see <http://www.gnu.org/licenses/>.
 
23
#
 
24
# Contact the authors at <mandos@recompile.se>.
 
25
#
 
26
 
 
27
from __future__ import (division, absolute_import, print_function,
 
28
                        unicode_literals)
 
29
 
 
30
try:
 
31
    from future_builtins import *
 
32
except ImportError:
 
33
    pass
 
34
 
 
35
import sys
 
36
import argparse
 
37
import locale
 
38
import datetime
 
39
import re
 
40
import os
 
41
import collections
 
42
import json
 
43
 
 
44
import dbus
 
45
 
 
46
if sys.version_info.major == 2:
 
47
    str = unicode
 
48
 
 
49
locale.setlocale(locale.LC_ALL, "")
 
50
 
 
51
tablewords = {
 
52
    "Name": "Name",
 
53
    "Enabled": "Enabled",
 
54
    "Timeout": "Timeout",
 
55
    "LastCheckedOK": "Last Successful Check",
 
56
    "LastApprovalRequest": "Last Approval Request",
 
57
    "Created": "Created",
 
58
    "Interval": "Interval",
 
59
    "Host": "Host",
 
60
    "Fingerprint": "Fingerprint",
 
61
    "KeyID": "Key ID",
 
62
    "CheckerRunning": "Check Is Running",
 
63
    "LastEnabled": "Last Enabled",
 
64
    "ApprovalPending": "Approval Is Pending",
 
65
    "ApprovedByDefault": "Approved By Default",
 
66
    "ApprovalDelay": "Approval Delay",
 
67
    "ApprovalDuration": "Approval Duration",
 
68
    "Checker": "Checker",
 
69
    "ExtendedTimeout": "Extended Timeout",
 
70
    "Expires": "Expires",
 
71
    "LastCheckerStatus": "Last Checker Status",
 
72
}
 
73
defaultkeywords = ("Name", "Enabled", "Timeout", "LastCheckedOK")
 
74
domain = "se.recompile"
 
75
busname = domain + ".Mandos"
 
76
server_path = "/"
 
77
server_interface = domain + ".Mandos"
 
78
client_interface = domain + ".Mandos.Client"
 
79
version = "1.7.20"
 
80
 
 
81
 
 
82
try:
 
83
    dbus.OBJECT_MANAGER_IFACE
 
84
except AttributeError:
 
85
    dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
 
86
 
 
87
 
 
88
def milliseconds_to_string(ms):
 
89
    td = datetime.timedelta(0, 0, 0, ms)
 
90
    return ("{days}{hours:02}:{minutes:02}:{seconds:02}"
 
91
            .format(days="{}T".format(td.days) if td.days else "",
 
92
                    hours=td.seconds // 3600,
 
93
                    minutes=(td.seconds % 3600) // 60,
 
94
                    seconds=td.seconds % 60))
 
95
 
 
96
 
 
97
def rfc3339_duration_to_delta(duration):
 
98
    """Parse an RFC 3339 "duration" and return a datetime.timedelta
 
99
 
 
100
    >>> rfc3339_duration_to_delta("P7D")
 
101
    datetime.timedelta(7)
 
102
    >>> rfc3339_duration_to_delta("PT60S")
 
103
    datetime.timedelta(0, 60)
 
104
    >>> rfc3339_duration_to_delta("PT60M")
 
105
    datetime.timedelta(0, 3600)
 
106
    >>> rfc3339_duration_to_delta("PT24H")
 
107
    datetime.timedelta(1)
 
108
    >>> rfc3339_duration_to_delta("P1W")
 
109
    datetime.timedelta(7)
 
110
    >>> rfc3339_duration_to_delta("PT5M30S")
 
111
    datetime.timedelta(0, 330)
 
112
    >>> rfc3339_duration_to_delta("P1DT3M20S")
 
113
    datetime.timedelta(1, 200)
 
114
    """
 
115
 
 
116
    # Parsing an RFC 3339 duration with regular expressions is not
 
117
    # possible - there would have to be multiple places for the same
 
118
    # values, like seconds.  The current code, while more esoteric, is
 
119
    # cleaner without depending on a parsing library.  If Python had a
 
120
    # built-in library for parsing we would use it, but we'd like to
 
121
    # avoid excessive use of external libraries.
 
122
 
 
123
    # New type for defining tokens, syntax, and semantics all-in-one
 
124
    Token = collections.namedtuple("Token", (
 
125
        "regexp",  # To match token; if "value" is not None, must have
 
126
                   # a "group" containing digits
 
127
        "value",   # datetime.timedelta or None
 
128
        "followers"))           # Tokens valid after this token
 
129
    # RFC 3339 "duration" tokens, syntax, and semantics; taken from
 
130
    # the "duration" ABNF definition in RFC 3339, Appendix A.
 
131
    token_end = Token(re.compile(r"$"), None, frozenset())
 
132
    token_second = Token(re.compile(r"(\d+)S"),
 
133
                         datetime.timedelta(seconds=1),
 
134
                         frozenset((token_end, )))
 
135
    token_minute = Token(re.compile(r"(\d+)M"),
 
136
                         datetime.timedelta(minutes=1),
 
137
                         frozenset((token_second, token_end)))
 
138
    token_hour = Token(re.compile(r"(\d+)H"),
 
139
                       datetime.timedelta(hours=1),
 
140
                       frozenset((token_minute, token_end)))
 
141
    token_time = Token(re.compile(r"T"),
 
142
                       None,
 
143
                       frozenset((token_hour, token_minute,
 
144
                                  token_second)))
 
145
    token_day = Token(re.compile(r"(\d+)D"),
 
146
                      datetime.timedelta(days=1),
 
147
                      frozenset((token_time, token_end)))
 
148
    token_month = Token(re.compile(r"(\d+)M"),
 
149
                        datetime.timedelta(weeks=4),
 
150
                        frozenset((token_day, token_end)))
 
151
    token_year = Token(re.compile(r"(\d+)Y"),
 
152
                       datetime.timedelta(weeks=52),
 
153
                       frozenset((token_month, token_end)))
 
154
    token_week = Token(re.compile(r"(\d+)W"),
 
155
                       datetime.timedelta(weeks=1),
 
156
                       frozenset((token_end, )))
 
157
    token_duration = Token(re.compile(r"P"), None,
 
158
                           frozenset((token_year, token_month,
 
159
                                      token_day, token_time,
 
160
                                      token_week)))
 
161
    # Define starting values:
 
162
    # Value so far
 
163
    value = datetime.timedelta()
 
164
    found_token = None
 
165
    # Following valid tokens
 
166
    followers = frozenset((token_duration, ))
 
167
    # String left to parse
 
168
    s = duration
 
169
    # Loop until end token is found
 
170
    while found_token is not token_end:
 
171
        # Search for any currently valid tokens
 
172
        for token in followers:
 
173
            match = token.regexp.match(s)
 
174
            if match is not None:
 
175
                # Token found
 
176
                if token.value is not None:
 
177
                    # Value found, parse digits
 
178
                    factor = int(match.group(1), 10)
 
179
                    # Add to value so far
 
180
                    value += factor * token.value
 
181
                # Strip token from string
 
182
                s = token.regexp.sub("", s, 1)
 
183
                # Go to found token
 
184
                found_token = token
 
185
                # Set valid next tokens
 
186
                followers = found_token.followers
 
187
                break
 
188
        else:
 
189
            # No currently valid tokens were found
 
190
            raise ValueError("Invalid RFC 3339 duration: {!r}"
 
191
                             .format(duration))
 
192
    # End token found
 
193
    return value
 
194
 
 
195
 
 
196
def string_to_delta(interval):
 
197
    """Parse a string and return a datetime.timedelta
 
198
 
 
199
    >>> string_to_delta('7d')
 
200
    datetime.timedelta(7)
 
201
    >>> string_to_delta('60s')
 
202
    datetime.timedelta(0, 60)
 
203
    >>> string_to_delta('60m')
 
204
    datetime.timedelta(0, 3600)
 
205
    >>> string_to_delta('24h')
 
206
    datetime.timedelta(1)
 
207
    >>> string_to_delta('1w')
 
208
    datetime.timedelta(7)
 
209
    >>> string_to_delta('5m 30s')
 
210
    datetime.timedelta(0, 330)
 
211
    """
 
212
 
 
213
    try:
 
214
        return rfc3339_duration_to_delta(interval)
 
215
    except ValueError:
 
216
        pass
 
217
 
 
218
    value = datetime.timedelta(0)
 
219
    regexp = re.compile(r"(\d+)([dsmhw]?)")
 
220
 
 
221
    for num, suffix in regexp.findall(interval):
 
222
        if suffix == "d":
 
223
            value += datetime.timedelta(int(num))
 
224
        elif suffix == "s":
 
225
            value += datetime.timedelta(0, int(num))
 
226
        elif suffix == "m":
 
227
            value += datetime.timedelta(0, 0, 0, 0, int(num))
 
228
        elif suffix == "h":
 
229
            value += datetime.timedelta(0, 0, 0, 0, 0, int(num))
 
230
        elif suffix == "w":
 
231
            value += datetime.timedelta(0, 0, 0, 0, 0, 0, int(num))
 
232
        elif suffix == "":
 
233
            value += datetime.timedelta(0, 0, 0, int(num))
 
234
    return value
 
235
 
 
236
 
 
237
def print_clients(clients, keywords):
 
238
    def valuetostring(value, keyword):
 
239
        if type(value) is dbus.Boolean:
 
240
            return "Yes" if value else "No"
 
241
        if keyword in ("Timeout", "Interval", "ApprovalDelay",
 
242
                       "ApprovalDuration", "ExtendedTimeout"):
 
243
            return milliseconds_to_string(value)
 
244
        return str(value)
 
245
 
 
246
    # Create format string to print table rows
 
247
    format_string = " ".join("{{{key}:{width}}}".format(
 
248
        width=max(len(tablewords[key]),
 
249
                  max(len(valuetostring(client[key], key))
 
250
                      for client in clients)),
 
251
        key=key)
 
252
                             for key in keywords)
 
253
    # Print header line
 
254
    print(format_string.format(**tablewords))
 
255
    for client in clients:
 
256
        print(format_string
 
257
              .format(**{key: valuetostring(client[key], key)
 
258
                         for key in keywords}))
 
259
 
 
260
 
 
261
def has_actions(options):
 
262
    return any((options.enable,
 
263
                options.disable,
 
264
                options.bump_timeout,
 
265
                options.start_checker,
 
266
                options.stop_checker,
 
267
                options.is_enabled,
 
268
                options.remove,
 
269
                options.checker is not None,
 
270
                options.timeout is not None,
 
271
                options.extended_timeout is not None,
 
272
                options.interval is not None,
 
273
                options.approved_by_default is not None,
 
274
                options.approval_delay is not None,
 
275
                options.approval_duration is not None,
 
276
                options.host is not None,
 
277
                options.secret is not None,
 
278
                options.approve,
 
279
                options.deny))
 
280
 
 
281
 
 
282
def main():
 
283
    parser = argparse.ArgumentParser()
 
284
    parser.add_argument("--version", action="version",
 
285
                        version="%(prog)s {}".format(version),
 
286
                        help="show version number and exit")
 
287
    parser.add_argument("-a", "--all", action="store_true",
 
288
                        help="Select all clients")
 
289
    parser.add_argument("-v", "--verbose", action="store_true",
 
290
                        help="Print all fields")
 
291
    parser.add_argument("-j", "--dump-json", action="store_true",
 
292
                        help="Dump client data in JSON format")
 
293
    parser.add_argument("-e", "--enable", action="store_true",
 
294
                        help="Enable client")
 
295
    parser.add_argument("-d", "--disable", action="store_true",
 
296
                        help="disable client")
 
297
    parser.add_argument("-b", "--bump-timeout", action="store_true",
 
298
                        help="Bump timeout for client")
 
299
    parser.add_argument("--start-checker", action="store_true",
 
300
                        help="Start checker for client")
 
301
    parser.add_argument("--stop-checker", action="store_true",
 
302
                        help="Stop checker for client")
 
303
    parser.add_argument("-V", "--is-enabled", action="store_true",
 
304
                        help="Check if client is enabled")
 
305
    parser.add_argument("-r", "--remove", action="store_true",
 
306
                        help="Remove client")
 
307
    parser.add_argument("-c", "--checker",
 
308
                        help="Set checker command for client")
 
309
    parser.add_argument("-t", "--timeout",
 
310
                        help="Set timeout for client")
 
311
    parser.add_argument("--extended-timeout",
 
312
                        help="Set extended timeout for client")
 
313
    parser.add_argument("-i", "--interval",
 
314
                        help="Set checker interval for client")
 
315
    parser.add_argument("--approve-by-default", action="store_true",
 
316
                        default=None, dest="approved_by_default",
 
317
                        help="Set client to be approved by default")
 
318
    parser.add_argument("--deny-by-default", action="store_false",
 
319
                        dest="approved_by_default",
 
320
                        help="Set client to be denied by default")
 
321
    parser.add_argument("--approval-delay",
 
322
                        help="Set delay before client approve/deny")
 
323
    parser.add_argument("--approval-duration",
 
324
                        help="Set duration of one client approval")
 
325
    parser.add_argument("-H", "--host", help="Set host for client")
 
326
    parser.add_argument("-s", "--secret",
 
327
                        type=argparse.FileType(mode="rb"),
 
328
                        help="Set password blob (file) for client")
 
329
    parser.add_argument("-A", "--approve", action="store_true",
 
330
                        help="Approve any current client request")
 
331
    parser.add_argument("-D", "--deny", action="store_true",
 
332
                        help="Deny any current client request")
 
333
    parser.add_argument("--check", action="store_true",
 
334
                        help="Run self-test")
 
335
    parser.add_argument("client", nargs="*", help="Client name")
 
336
    options = parser.parse_args()
 
337
 
 
338
    if has_actions(options) and not (options.client or options.all):
 
339
        parser.error("Options require clients names or --all.")
 
340
    if options.verbose and has_actions(options):
 
341
        parser.error("--verbose can only be used alone.")
 
342
    if options.dump_json and (options.verbose
 
343
                              or has_actions(options)):
 
344
        parser.error("--dump-json can only be used alone.")
 
345
    if options.all and not has_actions(options):
 
346
        parser.error("--all requires an action.")
 
347
 
 
348
    if options.check:
 
349
        import doctest
 
350
        fail_count, test_count = doctest.testmod()
 
351
        sys.exit(os.EX_OK if fail_count == 0 else 1)
 
352
 
 
353
    try:
 
354
        bus = dbus.SystemBus()
 
355
        mandos_dbus_objc = bus.get_object(busname, server_path)
 
356
    except dbus.exceptions.DBusException:
 
357
        print("Could not connect to Mandos server", file=sys.stderr)
 
358
        sys.exit(1)
 
359
 
 
360
    mandos_serv = dbus.Interface(mandos_dbus_objc,
 
361
                                 dbus_interface=server_interface)
 
362
    mandos_serv_object_manager = dbus.Interface(
 
363
        mandos_dbus_objc, dbus_interface=dbus.OBJECT_MANAGER_IFACE)
 
364
 
 
365
    # block stderr since dbus library prints to stderr
 
366
    null = os.open(os.path.devnull, os.O_RDWR)
 
367
    stderrcopy = os.dup(sys.stderr.fileno())
 
368
    os.dup2(null, sys.stderr.fileno())
 
369
    os.close(null)
 
370
    try:
 
371
        try:
 
372
            mandos_clients = {path: ifs_and_props[client_interface]
 
373
                              for path, ifs_and_props in
 
374
                              mandos_serv_object_manager
 
375
                              .GetManagedObjects().items()
 
376
                              if client_interface in ifs_and_props}
 
377
        finally:
 
378
            # restore stderr
 
379
            os.dup2(stderrcopy, sys.stderr.fileno())
 
380
            os.close(stderrcopy)
 
381
    except dbus.exceptions.DBusException as e:
 
382
        print("Access denied: "
 
383
              "Accessing mandos server through D-Bus: {}".format(e),
 
384
              file=sys.stderr)
 
385
        sys.exit(1)
 
386
 
 
387
    # Compile dict of (clients: properties) to process
 
388
    clients = {}
 
389
 
 
390
    if options.all or not options.client:
 
391
        clients = {bus.get_object(busname, path): properties
 
392
                   for path, properties in mandos_clients.items()}
 
393
    else:
 
394
        for name in options.client:
 
395
            for path, client in mandos_clients.items():
 
396
                if client["Name"] == name:
 
397
                    client_objc = bus.get_object(busname, path)
 
398
                    clients[client_objc] = client
 
399
                    break
 
400
            else:
 
401
                print("Client not found on server: {!r}"
 
402
                      .format(name), file=sys.stderr)
 
403
                sys.exit(1)
 
404
 
 
405
    if not has_actions(options) and clients:
 
406
        if options.verbose or options.dump_json:
 
407
            keywords = ("Name", "Enabled", "Timeout", "LastCheckedOK",
 
408
                        "Created", "Interval", "Host", "KeyID",
 
409
                        "Fingerprint", "CheckerRunning",
 
410
                        "LastEnabled", "ApprovalPending",
 
411
                        "ApprovedByDefault", "LastApprovalRequest",
 
412
                        "ApprovalDelay", "ApprovalDuration",
 
413
                        "Checker", "ExtendedTimeout", "Expires",
 
414
                        "LastCheckerStatus")
 
415
        else:
 
416
            keywords = defaultkeywords
 
417
 
 
418
        if options.dump_json:
 
419
            json.dump({client["Name"]: {key:
 
420
                                        bool(client[key])
 
421
                                        if isinstance(client[key],
 
422
                                                      dbus.Boolean)
 
423
                                        else client[key]
 
424
                                        for key in keywords}
 
425
                       for client in clients.values()},
 
426
                      fp=sys.stdout, indent=4,
 
427
                      separators=(',', ': '))
 
428
            print()
 
429
        else:
 
430
            print_clients(clients.values(), keywords)
 
431
    else:
 
432
        # Process each client in the list by all selected options
 
433
        for client in clients:
 
434
 
 
435
            def set_client_prop(prop, value):
 
436
                """Set a Client D-Bus property"""
 
437
                client.Set(client_interface, prop, value,
 
438
                           dbus_interface=dbus.PROPERTIES_IFACE)
 
439
 
 
440
            def set_client_prop_ms(prop, value):
 
441
                """Set a Client D-Bus property, converted
 
442
                from a string to milliseconds."""
 
443
                set_client_prop(prop,
 
444
                                string_to_delta(value).total_seconds()
 
445
                                * 1000)
 
446
 
 
447
            if options.remove:
 
448
                mandos_serv.RemoveClient(client.__dbus_object_path__)
 
449
            if options.enable:
 
450
                set_client_prop("Enabled", dbus.Boolean(True))
 
451
            if options.disable:
 
452
                set_client_prop("Enabled", dbus.Boolean(False))
 
453
            if options.bump_timeout:
 
454
                set_client_prop("LastCheckedOK", "")
 
455
            if options.start_checker:
 
456
                set_client_prop("CheckerRunning", dbus.Boolean(True))
 
457
            if options.stop_checker:
 
458
                set_client_prop("CheckerRunning", dbus.Boolean(False))
 
459
            if options.is_enabled:
 
460
                if client.Get(client_interface, "Enabled",
 
461
                              dbus_interface=dbus.PROPERTIES_IFACE):
 
462
                    sys.exit(0)
 
463
                else:
 
464
                    sys.exit(1)
 
465
            if options.checker is not None:
 
466
                set_client_prop("Checker", options.checker)
 
467
            if options.host is not None:
 
468
                set_client_prop("Host", options.host)
 
469
            if options.interval is not None:
 
470
                set_client_prop_ms("Interval", options.interval)
 
471
            if options.approval_delay is not None:
 
472
                set_client_prop_ms("ApprovalDelay",
 
473
                                   options.approval_delay)
 
474
            if options.approval_duration is not None:
 
475
                set_client_prop_ms("ApprovalDuration",
 
476
                                   options.approval_duration)
 
477
            if options.timeout is not None:
 
478
                set_client_prop_ms("Timeout", options.timeout)
 
479
            if options.extended_timeout is not None:
 
480
                set_client_prop_ms("ExtendedTimeout",
 
481
                                   options.extended_timeout)
 
482
            if options.secret is not None:
 
483
                set_client_prop("Secret",
 
484
                                dbus.ByteArray(options.secret.read()))
 
485
            if options.approved_by_default is not None:
 
486
                set_client_prop("ApprovedByDefault",
 
487
                                dbus.Boolean(options
 
488
                                             .approved_by_default))
 
489
            if options.approve:
 
490
                client.Approve(dbus.Boolean(True),
 
491
                               dbus_interface=client_interface)
 
492
            elif options.deny:
 
493
                client.Approve(dbus.Boolean(False),
 
494
                               dbus_interface=client_interface)
 
495
 
 
496
 
 
497
if __name__ == "__main__":
 
498
    main()