/mandos/release : revision 27

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to server.py

Committer: Teddy Hogeborn
Date: 2008-07-22 06:25:35 UTC
mfrom: (24.1.2 mandos)
Revision ID: teddy@fukt.bsnet.se-20080722062535-whz5do0b3dzw6m08

Merge.

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

server.py

# This program is partly derived from an example program for an Avahi

# service publisher, downloaded from

# <http://avahi.org/wiki/PythonPublishExample>. This includes the

# methods "add" and "remove" in the "AvahiService" class, the

# "server_state_changed" and "entry_group_state_changed" functions,

# and some lines in "main".

# following functions: "add_service", "remove_service",

# "server_state_changed", "entry_group_state_changed", and some lines

# in "main".

# Everything else is

# Påhlsson.

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see

# <http://www.gnu.org/licenses/>.

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

# Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

# <https://www.fukt.bsnet.se/~teddy/>.

from __future__ import division, with_statement, absolute_import

from __future__ import division

import SocketServer

import socket

import optparse

import select

from optparse import OptionParser

import datetime

import errno

import gnutls.crypto

import stat

import logging

import logging.handlers

import pwd

from contextlib import closing

import dbus

import dbus.service

import gobject

import avahi

from dbus.mainloop.glib import DBusGMainLoop

import ctypes

import ctypes.util

version = "1.0.6"

# Brief description of the operation of this program:

# This server announces itself as a Zeroconf service. Connecting

# clients use the TLS protocol, with the unusual quirk that this

# server program acts as a TLS "client" while the connecting clients

# acts as a TLS "server". The clients (acting as a TLS "server") must

# supply an OpenPGP certificate, and the fingerprint of this

# certificate is used by this server to look up (in a list read from a

# file at start time) which binary blob to give the client. No other

# authentication or authorization is done by this server.

logger = logging.Logger('mandos')

syslogger = (logging.handlers.SysLogHandler

(facility = logging.handlers.SysLogHandler.LOG_DAEMON,

address = "/dev/log"))

syslogger.setFormatter(logging.Formatter

('Mandos [%(process)d]: %(levelname)s:'

' %(message)s'))

syslogger = logging.handlers.SysLogHandler\

(facility = logging.handlers.SysLogHandler.LOG_DAEMON)

syslogger.setFormatter(logging.Formatter\

('%(levelname)s: %(message)s'))

logger.addHandler(syslogger)

console = logging.StreamHandler()

console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'

' %(levelname)s: %(message)s'))

logger.addHandler(console)

class AvahiError(Exception):

def __init__(self, value, *args, **kwargs):

self.value = value

super(AvahiError, self).__init__(value, *args, **kwargs)

def __unicode__(self):

return unicode(repr(self.value))

class AvahiServiceError(AvahiError):

pass

class AvahiGroupError(AvahiError):

pass

class AvahiService(object):

100

"""An Avahi (Zeroconf) service.

101

Attributes:

102

interface: integer; avahi.IF_UNSPEC or an interface index.

103

Used to optionally bind to the specified interface.

104

105

type: string; Example: '_mandos._tcp'.

106

See <http://www.dns-sd.org/ServiceTypes.html>

107

port: integer; what port to announce

108

TXT: list of strings; TXT record for the service

109

domain: string; Domain to publish on, default to .local if empty.

110

host: string; Host to publish records for, default is localhost

111

max_renames: integer; maximum number of renames

112

rename_count: integer; counter so we only rename after collisions

113

a sensible number of times

114

"""

115

def __init__(self, interface = avahi.IF_UNSPEC, name = None,

116

servicetype = None, port = None, TXT = None,

117

domain = "", host = "", max_renames = 32768,

118

protocol = avahi.PROTO_UNSPEC):

119

self.interface = interface

120

self.name = name

121

self.type = servicetype

122

self.port = port

123

self.TXT = TXT if TXT is not None else []

124

self.domain = domain

125

self.host = host

126

self.rename_count = 0

127

self.max_renames = max_renames

128

self.protocol = protocol

129

def rename(self):

130

"""Derived from the Avahi example code"""

131

if self.rename_count >= self.max_renames:

132

logger.critical(u"No suitable Zeroconf service name found"

133

u" after %i retries, exiting.",

134

self.rename_count)

135

raise AvahiServiceError(u"Too many renames")

136

self.name = server.GetAlternativeServiceName(self.name)

137

logger.info(u"Changing Zeroconf service name to %r ...",

138

str(self.name))

139

syslogger.setFormatter(logging.Formatter

140

('Mandos (%s): %%(levelname)s:'

141

' %%(message)s' % self.name))

142

self.remove()

143

self.add()

144

self.rename_count += 1

145

def remove(self):

146

"""Derived from the Avahi example code"""

147

if group is not None:

148

group.Reset()

149

def add(self):

150

"""Derived from the Avahi example code"""

151

global group

152

if group is None:

153

group = dbus.Interface(bus.get_object

154

(avahi.DBUS_NAME,

155

server.EntryGroupNew()),

156

avahi.DBUS_INTERFACE_ENTRY_GROUP)

157

group.connect_to_signal('StateChanged',

158

entry_group_state_changed)

159

logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",

160

service.name, service.type)

161

group.AddService(

162

self.interface, # interface

163

self.protocol, # protocol

164

dbus.UInt32(0), # flags

165

self.name, self.type,

166

self.domain, self.host,

167

dbus.UInt16(self.port),

168

avahi.string_array_to_txt_array(self.TXT))

169

group.Commit()

170

del syslogger

# This variable is used to optionally bind to a specified interface.

# It is a global variable to fit in with the other variables from the

# Avahi example code.

serviceInterface = avahi.IF_UNSPEC

171

# From the Avahi example code:

172

group = None # our entry group

serviceName = None

serviceType = "_mandos._tcp" # http://www.dns-sd.org/ServiceTypes.html

servicePort = None # Not known at startup

serviceTXT = [] # TXT record for the service

domain = "" # Domain to publish on, default to .local

host = "" # Host to publish records for, default to localhost

group = None #our entry group

rename_count = 12 # Counter so we only rename after collisions a

# sensible number of times

173

# End of Avahi example code

174

100

175

101

176

def _datetime_to_dbus(dt, variant_level=0):

177

"""Convert a UTC datetime.datetime() to a D-Bus type."""

178

return dbus.String(dt.isoformat(), variant_level=variant_level)

179

180

181

class Client(dbus.service.Object):

102

class Client(object):

182

103

"""A representation of a client host served by this server.

183

104

Attributes:

184

185

D-Bus identifiers

105

186

106

fingerprint: string (40 or 32 hexadecimal digits); used to

187

107

uniquely identify the client

188

secret: bytestring; sent verbatim (over TLS) to client

189

host: string; available for use by the checker command

190

created: datetime.datetime(); (UTC) object creation

191

last_enabled: datetime.datetime(); (UTC)

192

enabled: bool()

193

last_checked_ok: datetime.datetime(); (UTC) or None

194

timeout: datetime.timedelta(); How long from last_checked_ok

195

until this client is invalid

196

interval: datetime.timedelta(); How often to start a new checker

197

disable_hook: If set, called by disable() as disable_hook(self)

198

checker: subprocess.Popen(); a running checker process used

199

to see if the client lives.

200

'None' if no process is running.

108

secret: bytestring; sent verbatim (over TLS) to client

109

fqdn: string (FQDN); available for use by the checker command

110

created: datetime.datetime()

111

last_seen: datetime.datetime() or None if not yet seen

112

timeout: datetime.timedelta(); How long from last_seen until

113

this client is invalid

114

interval: datetime.timedelta(); How often to start a new checker

115

stop_hook: If set, called by stop() as stop_hook(self)

116

checker: subprocess.Popen(); a running checker process used

117

to see if the client lives.

118

Is None if no process is running.

201

119

checker_initiator_tag: a gobject event source tag, or None

202

disable_initiator_tag: - '' -

120

stop_initiator_tag: - '' -

203

121

checker_callback_tag: - '' -

204

122

checker_command: string; External command which is run to check if

205

client lives. %() expansions are done at

123

client lives. %()s expansions are done at

206

124

runtime with vars(self) as dict, so that for

207

125

instance %(name)s can be used in the command.

208

current_checker_command: string; current running checker_command

209

use_dbus: bool(); Whether to provide D-Bus interface and signals

210

dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus

126

Private attibutes:

127

_timeout: Real variable for 'timeout'

128

_interval: Real variable for 'interval'

129

_timeout_milliseconds: Used by gobject.timeout_add()

130

_interval_milliseconds: - '' -

211

131

"""

212

def timeout_milliseconds(self):

213

"Return the 'timeout' attribute in milliseconds"

214

return ((self.timeout.days * 24 * 60 * 60 * 1000)

215

+ (self.timeout.seconds * 1000)

216

+ (self.timeout.microseconds // 1000))

217

218

def interval_milliseconds(self):

219

"Return the 'interval' attribute in milliseconds"

220

return ((self.interval.days * 24 * 60 * 60 * 1000)

221

+ (self.interval.seconds * 1000)

222

+ (self.interval.microseconds // 1000))

223

224

def __init__(self, name = None, disable_hook=None, config=None,

225

use_dbus=True):

226

"""Note: the 'checker' key in 'config' sets the

227

'checker_command' attribute and *not* the 'checker'

228

attribute."""

132

def _set_timeout(self, timeout):

133

"Setter function for 'timeout' attribute"

134

self._timeout = timeout

135

self._timeout_milliseconds = ((self.timeout.days

136

* 24 * 60 * 60 * 1000)

137

+ (self.timeout.seconds * 1000)

138

+ (self.timeout.microseconds

139

// 1000))

140

timeout = property(lambda self: self._timeout,

141

_set_timeout)

142

del _set_timeout

143

def _set_interval(self, interval):

144

"Setter function for 'interval' attribute"

145

self._interval = interval

146

self._interval_milliseconds = ((self.interval.days

147

* 24 * 60 * 60 * 1000)

148

+ (self.interval.seconds

149

* 1000)

150

+ (self.interval.microseconds

151

// 1000))

152

interval = property(lambda self: self._interval,

153

_set_interval)

154

del _set_interval

155

def __init__(self, name=None, stop_hook=None, fingerprint=None,

156

secret=None, secfile=None, fqdn=None, timeout=None,

157

interval=-1, checker=None):

158

"""Note: the 'checker' argument sets the 'checker_command'

159

attribute and not the 'checker' attribute.."""

229

160

self.name = name

230

if config is None:

231

config = {}

232

161

logger.debug(u"Creating client %r", self.name)

233

self.use_dbus = False # During __init__

234

# Uppercase and remove spaces from fingerprint for later

235

# comparison purposes with return value from the fingerprint()

236

# function

237

self.fingerprint = (config["fingerprint"].upper()

238

.replace(u" ", u""))

162

# Uppercase and remove spaces from fingerprint

163

# for later comparison purposes with return value of

164

# the fingerprint() function

165

self.fingerprint = fingerprint.upper().replace(u" ", u"")

239

166

logger.debug(u" Fingerprint: %s", self.fingerprint)

240

if "secret" in config:

241

self.secret = config["secret"].decode(u"base64")

242

elif "secfile" in config:

243

with closing(open(os.path.expanduser

244

(os.path.expandvars

245

(config["secfile"])))) as secfile:

246

self.secret = secfile.read()

167

if secret:

168

self.secret = secret.decode(u"base64")

169

elif secfile:

170

sf = open(secfile)

171

self.secret = sf.read()

172

sf.close()

247

173

else:

248

raise TypeError(u"No secret or secfile for client %s"

249

% self.name)

250

self.host = config.get("host", "")

251

self.created = datetime.datetime.utcnow()

252

self.enabled = False

253

self.last_enabled = None

254

self.last_checked_ok = None

255

self.timeout = string_to_delta(config["timeout"])

256

self.interval = string_to_delta(config["interval"])

257

self.disable_hook = disable_hook

174

raise RuntimeError(u"No secret or secfile for client %s"

175

% self.name)

176

self.fqdn = fqdn # string

177

self.created = datetime.datetime.now()

178

self.last_seen = None

179

self.timeout = string_to_delta(timeout)

180

self.interval = string_to_delta(interval)

181

self.stop_hook = stop_hook

258

182

self.checker = None

259

183

self.checker_initiator_tag = None

260

self.disable_initiator_tag = None

184

self.stop_initiator_tag = None

261

185

self.checker_callback_tag = None

262

self.checker_command = config["checker"]

263

self.current_checker_command = None

264

self.last_connect = None

265

# Only now, when this client is initialized, can it show up on

266

# the D-Bus

267

self.use_dbus = use_dbus

268

if self.use_dbus:

269

self.dbus_object_path = (dbus.ObjectPath

270

("/clients/"

271

+ self.name.replace(".", "_")))

272

dbus.service.Object.__init__(self, bus,

273

self.dbus_object_path)

274

275

def enable(self):

186

self.check_command = checker

187

def start(self):

276

188

"""Start this client's checker and timeout hooks"""

277

self.last_enabled = datetime.datetime.utcnow()

278

189

# Schedule a new checker to be started an 'interval' from now,

279

190

# and every interval from then on.

280

self.checker_initiator_tag = (gobject.timeout_add

281

(self.interval_milliseconds(),

282

self.start_checker))

191

self.checker_initiator_tag = gobject.timeout_add\

192

(self._interval_milliseconds,

193

self.start_checker)

283

194

# Also start a new checker *right now*.

284

195

self.start_checker()

285

# Schedule a disable() when 'timeout' has passed

286

self.disable_initiator_tag = (gobject.timeout_add

287

(self.timeout_milliseconds(),

288

self.disable))

289

self.enabled = True

290

if self.use_dbus:

291

# Emit D-Bus signals

292

self.PropertyChanged(dbus.String(u"enabled"),

293

dbus.Boolean(True, variant_level=1))

294

self.PropertyChanged(dbus.String(u"last_enabled"),

295

(_datetime_to_dbus(self.last_enabled,

296

variant_level=1)))

297

298

def disable(self):

299

"""Disable this client."""

300

if not getattr(self, "enabled", False):

196

# Schedule a stop() when 'timeout' has passed

197

self.stop_initiator_tag = gobject.timeout_add\

198

(self._timeout_milliseconds,

199

self.stop)

200

def stop(self):

201

"""Stop this client.

202

The possibility that this client might be restarted is left

203

open, but not currently used."""

204

# If this client doesn't have a secret, it is already stopped.

205

if self.secret:

206

logger.debug(u"Stopping client %s", self.name)

207

self.secret = None

208

else:

301

209

return False

302

logger.info(u"Disabling client %s", self.name)

303

if getattr(self, "disable_initiator_tag", False):

304

gobject.source_remove(self.disable_initiator_tag)

305

self.disable_initiator_tag = None

306

if getattr(self, "checker_initiator_tag", False):

210

if hasattr(self, "stop_initiator_tag") \

211

and self.stop_initiator_tag:

212

gobject.source_remove(self.stop_initiator_tag)

213

self.stop_initiator_tag = None

214

if hasattr(self, "checker_initiator_tag") \

215

and self.checker_initiator_tag:

307

216

gobject.source_remove(self.checker_initiator_tag)

308

217

self.checker_initiator_tag = None

309

218

self.stop_checker()

310

if self.disable_hook:

311

self.disable_hook(self)

312

self.enabled = False

313

if self.use_dbus:

314

# Emit D-Bus signal

315

self.PropertyChanged(dbus.String(u"enabled"),

316

dbus.Boolean(False, variant_level=1))

219

if self.stop_hook:

220

self.stop_hook(self)

317

221

# Do not run this again if called by a gobject.timeout_add

318

222

return False

319

320

223

def __del__(self):

321

self.disable_hook = None

322

self.disable()

323

324

def checker_callback(self, pid, condition, command):

224

self.stop_hook = None

225

self.stop()

226

def checker_callback(self, pid, condition):

325

227

"""The checker has completed, so take appropriate actions."""

228

now = datetime.datetime.now()

326

229

self.checker_callback_tag = None

327

230

self.checker = None

328

if self.use_dbus:

329

# Emit D-Bus signal

330

self.PropertyChanged(dbus.String(u"checker_running"),

331

dbus.Boolean(False, variant_level=1))

332

if os.WIFEXITED(condition):

333

exitstatus = os.WEXITSTATUS(condition)

334

if exitstatus == 0:

335

logger.info(u"Checker for %(name)s succeeded",

336

vars(self))

337

self.checked_ok()

338

else:

339

logger.info(u"Checker for %(name)s failed",

340

vars(self))

341

if self.use_dbus:

342

# Emit D-Bus signal

343

self.CheckerCompleted(dbus.Int16(exitstatus),

344

dbus.Int64(condition),

345

dbus.String(command))

346

else:

231

if os.WIFEXITED(condition) \

232

and (os.WEXITSTATUS(condition) == 0):

233

logger.debug(u"Checker for %(name)s succeeded",

234

vars(self))

235

self.last_seen = now

236

gobject.source_remove(self.stop_initiator_tag)

237

self.stop_initiator_tag = gobject.timeout_add\

238

(self._timeout_milliseconds,

239

self.stop)

240

elif not os.WIFEXITED(condition):

347

241

logger.warning(u"Checker for %(name)s crashed?",

348

242

vars(self))

349

if self.use_dbus:

350

# Emit D-Bus signal

351

self.CheckerCompleted(dbus.Int16(-1),

352

dbus.Int64(condition),

353

dbus.String(command))

354

355

def checked_ok(self):

356

"""Bump up the timeout for this client.

357

This should only be called when the client has been seen,

358

alive and well.

359

"""

360

self.last_checked_ok = datetime.datetime.utcnow()

361

gobject.source_remove(self.disable_initiator_tag)

362

self.disable_initiator_tag = (gobject.timeout_add

363

(self.timeout_milliseconds(),

364

self.disable))

365

if self.use_dbus:

366

# Emit D-Bus signal

367

self.PropertyChanged(

368

dbus.String(u"last_checked_ok"),

369

(_datetime_to_dbus(self.last_checked_ok,

370

variant_level=1)))

371

243

else:

244

logger.debug(u"Checker for %(name)s failed",

245

vars(self))

372

246

def start_checker(self):

373

247

"""Start a new checker subprocess if one is not running.

374

248

If a checker already exists, leave it running and do

381

255

# checkers alone, the checker would have to take more time

382

256

# than 'timeout' for the client to be declared invalid, which

383

257

# is as it should be.

384

385

# If a checker exists, make sure it is not a zombie

386

if self.checker is not None:

387

pid, status = os.waitpid(self.checker.pid, os.WNOHANG)

388

if pid:

389

logger.warning("Checker was a zombie")

390

gobject.source_remove(self.checker_callback_tag)

391

self.checker_callback(pid, status,

392

self.current_checker_command)

393

# Start a new checker if needed

394

258

if self.checker is None:

395

259

try:

396

# In case checker_command has exactly one % operator

397

command = self.checker_command % self.host

260

command = self.check_command % self.fqdn

398

261

except TypeError:

399

# Escape attributes for the shell

400

262

escaped_attrs = dict((key, re.escape(str(val)))

401

263

for key, val in

402

264

vars(self).iteritems())

403

265

try:

404

command = self.checker_command % escaped_attrs

266

command = self.check_command % escaped_attrs

405

267

except TypeError, error:

406

logger.error(u'Could not format string "%s":'

407

u' %s', self.checker_command, error)

268

logger.critical(u'Could not format string "%s":'

269

u' %s', self.check_command, error)

408

270

return True # Try again later

409

self.current_checker_command = command

410

271

try:

411

logger.info(u"Starting checker %r for %s",

412

command, self.name)

413

# We don't need to redirect stdout and stderr, since

414

# in normal mode, that is already done by daemon(),

415

# and in debug mode we don't want to. (Stdin is

416

# always replaced by /dev/null.)

417

self.checker = subprocess.Popen(command,

418

close_fds=True,

419

shell=True, cwd="/")

420

if self.use_dbus:

421

# Emit D-Bus signal

422

self.CheckerStarted(command)

423

self.PropertyChanged(

424

dbus.String("checker_running"),

425

dbus.Boolean(True, variant_level=1))

426

self.checker_callback_tag = (gobject.child_watch_add

427

(self.checker.pid,

428

self.checker_callback,

429

data=command))

430

# The checker may have completed before the gobject

431

# watch was added. Check for this.

432

pid, status = os.waitpid(self.checker.pid, os.WNOHANG)

433

if pid:

434

gobject.source_remove(self.checker_callback_tag)

435

self.checker_callback(pid, status, command)

436

except OSError, error:

272

logger.debug(u"Starting checker %r for %s",

273

command, self.name)

274

self.checker = subprocess.\

275

Popen(command,

276

close_fds=True, shell=True,

277

cwd="/")

278

self.checker_callback_tag = gobject.child_watch_add\

279

(self.checker.pid,

280

self.checker_callback)

281

except subprocess.OSError, error:

437

282

logger.error(u"Failed to start subprocess: %s",

438

283

error)

439

284

# Re-run this periodically if run by gobject.timeout_add

440

285

return True

441

442

286

def stop_checker(self):

443

287

"""Force the checker process, if any, to stop."""

444

288

if self.checker_callback_tag:

445

289

gobject.source_remove(self.checker_callback_tag)

446

290

self.checker_callback_tag = None

447

if getattr(self, "checker", None) is None:

291

if not hasattr(self, "checker") or self.checker is None:

448

292

return

449

logger.debug(u"Stopping checker for %(name)s", vars(self))

293

logger.debug("Stopping checker for %(name)s", vars(self))

450

294

try:

451

295

os.kill(self.checker.pid, signal.SIGTERM)

452

296

#os.sleep(0.5)

453

297

#if self.checker.poll() is None:

454

298

# os.kill(self.checker.pid, signal.SIGKILL)

455

299

except OSError, error:

456

if error.errno != errno.ESRCH: # No such process

300

if error.errno != errno.ESRCH:

457

301

raise

458

302

self.checker = None

459

if self.use_dbus:

460

self.PropertyChanged(dbus.String(u"checker_running"),

461

dbus.Boolean(False, variant_level=1))

462

463

def still_valid(self):

303

def still_valid(self, now=None):

464

304

"""Has the timeout not yet passed for this client?"""

465

if not getattr(self, "enabled", False):

466

return False

467

now = datetime.datetime.utcnow()

468

if self.last_checked_ok is None:

305

if now is None:

306

now = datetime.datetime.now()

307

if self.last_seen is None:

469

308

return now < (self.created + self.timeout)

470

309

else:

471

return now < (self.last_checked_ok + self.timeout)

472

473

## D-Bus methods & signals

474

_interface = u"se.bsnet.fukt.Mandos.Client"

475

476

# CheckedOK - method

477

CheckedOK = dbus.service.method(_interface)(checked_ok)

478

CheckedOK.__name__ = "CheckedOK"

479

480

# CheckerCompleted - signal

481

@dbus.service.signal(_interface, signature="nxs")

482

def CheckerCompleted(self, exitcode, waitstatus, command):

483

"D-Bus signal"

484

pass

485

486

# CheckerStarted - signal

487

@dbus.service.signal(_interface, signature="s")

488

def CheckerStarted(self, command):

489

"D-Bus signal"

490

pass

491

492

# GetAllProperties - method

493

@dbus.service.method(_interface, out_signature="a{sv}")

494

def GetAllProperties(self):

495

"D-Bus method"

496

return dbus.Dictionary({

497

dbus.String("name"):

498

dbus.String(self.name, variant_level=1),

499

dbus.String("fingerprint"):

500

dbus.String(self.fingerprint, variant_level=1),

501

dbus.String("host"):

502

dbus.String(self.host, variant_level=1),

503

dbus.String("created"):

504

_datetime_to_dbus(self.created, variant_level=1),

505

dbus.String("last_enabled"):

506

(_datetime_to_dbus(self.last_enabled,

507

variant_level=1)

508

if self.last_enabled is not None

509

else dbus.Boolean(False, variant_level=1)),

510

dbus.String("enabled"):

511

dbus.Boolean(self.enabled, variant_level=1),

512

dbus.String("last_checked_ok"):

513

(_datetime_to_dbus(self.last_checked_ok,

514

variant_level=1)

515

if self.last_checked_ok is not None

516

else dbus.Boolean (False, variant_level=1)),

517

dbus.String("timeout"):

518

dbus.UInt64(self.timeout_milliseconds(),

519

variant_level=1),

520

dbus.String("interval"):

521

dbus.UInt64(self.interval_milliseconds(),

522

variant_level=1),

523

dbus.String("checker"):

524

dbus.String(self.checker_command,

525

variant_level=1),

526

dbus.String("checker_running"):

527

dbus.Boolean(self.checker is not None,

528

variant_level=1),

529

dbus.String("object_path"):

530

dbus.ObjectPath(self.dbus_object_path,

531

variant_level=1)

532

}, signature="sv")

533

534

# IsStillValid - method

535

IsStillValid = (dbus.service.method(_interface, out_signature="b")

536

(still_valid))

537

IsStillValid.__name__ = "IsStillValid"

538

539

# PropertyChanged - signal

540

@dbus.service.signal(_interface, signature="sv")

541

def PropertyChanged(self, property, value):

542

"D-Bus signal"

543

pass

544

545

# SetChecker - method

546

@dbus.service.method(_interface, in_signature="s")

547

def SetChecker(self, checker):

548

"D-Bus setter method"

549

self.checker_command = checker

550

# Emit D-Bus signal

551

self.PropertyChanged(dbus.String(u"checker"),

552

dbus.String(self.checker_command,

553

variant_level=1))

554

555

# SetHost - method

556

@dbus.service.method(_interface, in_signature="s")

557

def SetHost(self, host):

558

"D-Bus setter method"

559

self.host = host

560

# Emit D-Bus signal

561

self.PropertyChanged(dbus.String(u"host"),

562

dbus.String(self.host, variant_level=1))

563

564

# SetInterval - method

565

@dbus.service.method(_interface, in_signature="t")

566

def SetInterval(self, milliseconds):

567

self.interval = datetime.timedelta(0, 0, 0, milliseconds)

568

# Emit D-Bus signal

569

self.PropertyChanged(dbus.String(u"interval"),

570

(dbus.UInt64(self.interval_milliseconds(),

571

variant_level=1)))

572

573

# SetSecret - method

574

@dbus.service.method(_interface, in_signature="ay",

575

byte_arrays=True)

576

def SetSecret(self, secret):

577

"D-Bus setter method"

578

self.secret = str(secret)

579

580

# SetTimeout - method

581

@dbus.service.method(_interface, in_signature="t")

582

def SetTimeout(self, milliseconds):

583

self.timeout = datetime.timedelta(0, 0, 0, milliseconds)

584

# Emit D-Bus signal

585

self.PropertyChanged(dbus.String(u"timeout"),

586

(dbus.UInt64(self.timeout_milliseconds(),

587

variant_level=1)))

588

589

# Enable - method

590

Enable = dbus.service.method(_interface)(enable)

591

Enable.__name__ = "Enable"

592

593

# StartChecker - method

594

@dbus.service.method(_interface)

595

def StartChecker(self):

596

"D-Bus method"

597

self.start_checker()

598

599

# Disable - method

600

@dbus.service.method(_interface)

601

def Disable(self):

602

"D-Bus method"

603

self.disable()

604

605

# StopChecker - method

606

StopChecker = dbus.service.method(_interface)(stop_checker)

607

StopChecker.__name__ = "StopChecker"

608

609

del _interface

310

return now < (self.last_seen + self.timeout)

610

311

611

312

612

313

def peer_certificate(session):

613

314

"Return the peer's OpenPGP certificate as a bytestring"

614

315

# If not an OpenPGP certificate...

615

if (gnutls.library.functions

616

.gnutls_certificate_type_get(session._c_object)

617

!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):

316

if gnutls.library.functions.gnutls_certificate_type_get\

317

(session._c_object) \

318

!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:

618

319

# ...do the normal thing

619

320

return session.peer_certificate

620

list_size = ctypes.c_uint(1)

621

cert_list = (gnutls.library.functions

622

.gnutls_certificate_get_peers

623

(session._c_object, ctypes.byref(list_size)))

624

if not bool(cert_list) and list_size.value != 0:

625

raise gnutls.errors.GNUTLSError("error getting peer"

626

" certificate")

321

list_size = ctypes.c_uint()

322

cert_list = gnutls.library.functions.gnutls_certificate_get_peers\

323

(session._c_object, ctypes.byref(list_size))

627

324

if list_size.value == 0:

628

325

return None

629

326

cert = cert_list[0]

632

329

633

330

def fingerprint(openpgp):

634

331

"Convert an OpenPGP bytestring to a hexdigit fingerprint string"

635

# New GnuTLS "datum" with the OpenPGP public key

636

datum = (gnutls.library.types

637

.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),

638

ctypes.POINTER

639

(ctypes.c_ubyte)),

640

ctypes.c_uint(len(openpgp))))

641

332

# New empty GnuTLS certificate

642

333

crt = gnutls.library.types.gnutls_openpgp_crt_t()

643

(gnutls.library.functions

644

.gnutls_openpgp_crt_init(ctypes.byref(crt)))

334

gnutls.library.functions.gnutls_openpgp_crt_init\

335

(ctypes.byref(crt))

336

# New GnuTLS "datum" with the OpenPGP public key

337

datum = gnutls.library.types.gnutls_datum_t\

338

(ctypes.cast(ctypes.c_char_p(openpgp),

339

ctypes.POINTER(ctypes.c_ubyte)),

340

ctypes.c_uint(len(openpgp)))

645

341

# Import the OpenPGP public key into the certificate

646

(gnutls.library.functions

647

.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),

648

gnutls.library.constants

649

.GNUTLS_OPENPGP_FMT_RAW))

650

# Verify the self signature in the key

651

crtverify = ctypes.c_uint()

652

(gnutls.library.functions

653

.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))

654

if crtverify.value != 0:

655

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

656

raise gnutls.errors.CertificateSecurityError("Verify failed")

342

ret = gnutls.library.functions.gnutls_openpgp_crt_import\

343

(crt,

344

ctypes.byref(datum),

345

gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)

657

346

# New buffer for the fingerprint

658

buf = ctypes.create_string_buffer(20)

659

buf_len = ctypes.c_size_t()

347

buffer = ctypes.create_string_buffer(20)

348

buffer_length = ctypes.c_size_t()

660

349

# Get the fingerprint from the certificate into the buffer

661

(gnutls.library.functions

662

.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),

663

ctypes.byref(buf_len)))

350

gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\

351

(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))

664

352

# Deinit the certificate

665

353

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

666

354

# Convert the buffer to a Python bytestring

667

fpr = ctypes.string_at(buf, buf_len.value)

355

fpr = ctypes.string_at(buffer, buffer_length.value)

668

356

# Convert the bytestring to hexadecimal notation

669

357

hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)

670

358

return hex_fpr

671

359

672

360

673

class TCP_handler(SocketServer.BaseRequestHandler, object):

361

class tcp_handler(SocketServer.BaseRequestHandler, object):

674

362

"""A TCP request handler class.

675

363

Instantiated by IPv6_TCPServer for each request to handle it.

676

364

Note: This will run in its own forked process."""

677

365

678

366

def handle(self):

679

logger.info(u"TCP connection from: %s",

680

unicode(self.client_address))

681

session = (gnutls.connection

682

.ClientSession(self.request,

683

gnutls.connection

684

.X509Credentials()))

685

686

line = self.request.makefile().readline()

687

logger.debug(u"Protocol version: %r", line)

688

try:

689

if int(line.strip().split()[0]) > 1:

690

raise RuntimeError

691

except (ValueError, IndexError, RuntimeError), error:

692

logger.error(u"Unknown protocol version: %s", error)

693

return

694

695

# Note: gnutls.connection.X509Credentials is really a generic

696

# GnuTLS certificate credentials object so long as no X.509

697

# keys are added to it. Therefore, we can use it here despite

698

# using OpenPGP certificates.

367

logger.debug(u"TCP connection from: %s",

368

unicode(self.client_address))

369

session = gnutls.connection.ClientSession(self.request,

370

gnutls.connection.\

371

X509Credentials())

699

372

700

373

#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",

701

# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",

702

# "+DHE-DSS"))

703

# Use a fallback default, since this MUST be set.

704

priority = self.server.settings.get("priority", "NORMAL")

705

(gnutls.library.functions

706

.gnutls_priority_set_direct(session._c_object,

707

priority, None))

374

# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",

375

# "+DHE-DSS"))

376

priority = "NORMAL"

377

if self.server.options.priority:

378

priority = self.server.options.priority

379

gnutls.library.functions.gnutls_priority_set_direct\

380

(session._c_object, priority, None);

708

381

709

382

try:

710

383

session.handshake()

711

384

except gnutls.errors.GNUTLSError, error:

712

logger.warning(u"Handshake failed: %s", error)

385

logger.debug(u"Handshake failed: %s", error)

713

386

# Do not run session.bye() here: the session is not

714

387

# established. Just abandon the request.

715

388

return

716

logger.debug(u"Handshake succeeded")

717

389

try:

718

390

fpr = fingerprint(peer_certificate(session))

719

391

except (TypeError, gnutls.errors.GNUTLSError), error:

720

logger.warning(u"Bad certificate: %s", error)

392

logger.debug(u"Bad certificate: %s", error)

721

393

session.bye()

722

394

return

723

395

logger.debug(u"Fingerprint: %s", fpr)

724

396

client = None

725

397

for c in self.server.clients:

726

398

if c.fingerprint == fpr:

727

399

client = c

728

400

break

729

else:

730

logger.warning(u"Client not found for fingerprint: %s",

731

fpr)

732

session.bye()

733

return

734

401

# Have to check if client.still_valid(), since it is possible

735

402

# that the client timed out while establishing the GnuTLS

736

403

# session.

737

if not client.still_valid():

738

logger.warning(u"Client %(name)s is invalid",

739

vars(client))

404

if (not client) or (not client.still_valid()):

405

if client:

406

logger.debug(u"Client %(name)s is invalid",

407

vars(client))

408

else:

409

logger.debug(u"Client not found for fingerprint: %s",

410

fpr)

740

411

session.bye()

741

412

return

742

## This won't work here, since we're in a fork.

743

# client.checked_ok()

744

413

sent_size = 0

745

414

while sent_size < len(client.secret):

746

415

sent = session.send(client.secret[sent_size:])

751

420

session.bye()

752

421

753

422

754

class IPv6_TCPServer(SocketServer.ForkingMixIn,

755

SocketServer.TCPServer, object):

756

"""IPv6-capable TCP server. Accepts 'None' as address and/or port

423

class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):

424

"""IPv6 TCP server. Accepts 'None' as address and/or port.

757

425

Attributes:

758

settings: Server settings

426

options: Command line options

759

427

clients: Set() of Client objects

760

enabled: Boolean; whether this server is activated yet

761

428

"""

762

429

address_family = socket.AF_INET6

763

430

def __init__(self, *args, **kwargs):

764

if "settings" in kwargs:

765

self.settings = kwargs["settings"]

766

del kwargs["settings"]

431

if "options" in kwargs:

432

self.options = kwargs["options"]

433

del kwargs["options"]

767

434

if "clients" in kwargs:

768

435

self.clients = kwargs["clients"]

769

436

del kwargs["clients"]

770

if "use_ipv6" in kwargs:

771

if not kwargs["use_ipv6"]:

772

self.address_family = socket.AF_INET

773

del kwargs["use_ipv6"]

774

self.enabled = False

775

super(IPv6_TCPServer, self).__init__(*args, **kwargs)

437

return super(type(self), self).__init__(*args, **kwargs)

776

438

def server_bind(self):

777

439

"""This overrides the normal server_bind() function

778

440

to bind to an interface if one was specified, and also NOT to

779

441

bind to an address or port if they were not specified."""

780

if self.settings["interface"]:

781

# 25 is from /usr/include/asm-i486/socket.h

782

SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)

442

if self.options.interface:

443

if not hasattr(socket, "SO_BINDTODEVICE"):

444

# From /usr/include/asm-i486/socket.h

445

socket.SO_BINDTODEVICE = 25

783

446

try:

784

447

self.socket.setsockopt(socket.SOL_SOCKET,

785

SO_BINDTODEVICE,

786

self.settings["interface"])

448

socket.SO_BINDTODEVICE,

449

self.options.interface)

787

450

except socket.error, error:

788

451

if error[0] == errno.EPERM:

789

logger.error(u"No permission to"

790

u" bind to interface %s",

791

self.settings["interface"])

452

logger.warning(u"No permission to"

453

u" bind to interface %s",

454

self.options.interface)

792

455

else:

793

raise

456

raise error

794

457

# Only bind(2) the socket if we really need to.

795

458

if self.server_address[0] or self.server_address[1]:

796

459

if not self.server_address[0]:

797

if self.address_family == socket.AF_INET6:

798

any_address = "::" # in6addr_any

799

else:

800

any_address = socket.INADDR_ANY

801

self.server_address = (any_address,

460

in6addr_any = "::"

461

self.server_address = (in6addr_any,

802

462

self.server_address[1])

803

elif not self.server_address[1]:

463

elif self.server_address[1] is None:

804

464

self.server_address = (self.server_address[0],

805

465

806

# if self.settings["interface"]:

807

# self.server_address = (self.server_address[0],

808

# 0, # port

809

# 0, # flowinfo

810

# if_nametoindex

811

# (self.settings

812

# ["interface"]))

813

return super(IPv6_TCPServer, self).server_bind()

814

def server_activate(self):

815

if self.enabled:

816

return super(IPv6_TCPServer, self).server_activate()

817

def enable(self):

818

self.enabled = True

466

return super(type(self), self).server_bind()

819

467

820

468

821

469

def string_to_delta(interval):

822

470

"""Parse a string and return a datetime.timedelta

823

471

824

472

>>> string_to_delta('7d')

825

473

datetime.timedelta(7)

826

474

>>> string_to_delta('60s')

831

479

datetime.timedelta(1)

832

480

>>> string_to_delta(u'1w')

833

481

datetime.timedelta(7)

834

>>> string_to_delta('5m 30s')

835

datetime.timedelta(0, 330)

836

482

"""

837

timevalue = datetime.timedelta(0)

838

for s in interval.split():

839

try:

840

suffix = unicode(s[-1])

841

value = int(s[:-1])

842

if suffix == u"d":

843

delta = datetime.timedelta(value)

844

elif suffix == u"s":

845

delta = datetime.timedelta(0, value)

846

elif suffix == u"m":

847

delta = datetime.timedelta(0, 0, 0, 0, value)

848

elif suffix == u"h":

849

delta = datetime.timedelta(0, 0, 0, 0, 0, value)

850

elif suffix == u"w":

851

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

852

else:

853

raise ValueError

854

except (ValueError, IndexError):

483

try:

484

suffix=unicode(interval[-1])

485

value=int(interval[:-1])

486

if suffix == u"d":

487

delta = datetime.timedelta(value)

488

elif suffix == u"s":

489

delta = datetime.timedelta(0, value)

490

elif suffix == u"m":

491

delta = datetime.timedelta(0, 0, 0, 0, value)

492

elif suffix == u"h":

493

delta = datetime.timedelta(0, 0, 0, 0, 0, value)

494

elif suffix == u"w":

495

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

496

else:

855

497

raise ValueError

856

timevalue += delta

857

return timevalue

498

except (ValueError, IndexError):

499

raise ValueError

500

return delta

501

502

503

def add_service():

504

"""Derived from the Avahi example code"""

505

global group, serviceName, serviceType, servicePort, serviceTXT, \

506

domain, host

507

if group is None:

508

group = dbus.Interface(

509

bus.get_object( avahi.DBUS_NAME,

510

server.EntryGroupNew()),

511

avahi.DBUS_INTERFACE_ENTRY_GROUP)

512

group.connect_to_signal('StateChanged',

513

entry_group_state_changed)

514

logger.debug(u"Adding service '%s' of type '%s' ...",

515

serviceName, serviceType)

516

517

group.AddService(

518

serviceInterface, # interface

519

avahi.PROTO_INET6, # protocol

520

dbus.UInt32(0), # flags

521

serviceName, serviceType,

522

domain, host,

523

dbus.UInt16(servicePort),

524

avahi.string_array_to_txt_array(serviceTXT))

525

group.Commit()

526

527

528

def remove_service():

529

"""From the Avahi example code"""

530

global group

531

532

if not group is None:

533

group.Reset()

858

534

859

535

860

536

def server_state_changed(state):

861

537

"""Derived from the Avahi example code"""

862

538

if state == avahi.SERVER_COLLISION:

863

logger.error(u"Zeroconf server name collision")

864

service.remove()

539

logger.warning(u"Server name collision")

540

remove_service()

865

541

elif state == avahi.SERVER_RUNNING:

866

service.add()

542

add_service()

867

543

868

544

869

545

def entry_group_state_changed(state, error):

870

546

"""Derived from the Avahi example code"""

871

logger.debug(u"Avahi state change: %i", state)

547

global serviceName, server, rename_count

548

549

logger.debug(u"state change: %i", state)

872

550

873

551

if state == avahi.ENTRY_GROUP_ESTABLISHED:

874

logger.debug(u"Zeroconf service established.")

552

logger.debug(u"Service established.")

875

553

elif state == avahi.ENTRY_GROUP_COLLISION:

876

logger.warning(u"Zeroconf service name collision.")

877

service.rename()

554

555

rename_count = rename_count - 1

556

if rename_count > 0:

557

name = server.GetAlternativeServiceName(name)

558

logger.warning(u"Service name collision, "

559

u"changing name to '%s' ...", name)

560

remove_service()

561

add_service()

562

563

else:

564

logger.error(u"No suitable service name found after %i"

565

u" retries, exiting.", n_rename)

566

killme(1)

878

567

elif state == avahi.ENTRY_GROUP_FAILURE:

879

logger.critical(u"Avahi: Error in group state changed %s",

880

unicode(error))

881

raise AvahiGroupError(u"State changed: %s" % unicode(error))

568

logger.error(u"Error in group state changed %s",

569

unicode(error))

570

killme(1)

571

882

572

883

573

def if_nametoindex(interface):

884

"""Call the C function if_nametoindex(), or equivalent"""

885

global if_nametoindex

574

"""Call the C function if_nametoindex()"""

886

575

try:

887

if_nametoindex = (ctypes.cdll.LoadLibrary

888

(ctypes.util.find_library("c"))

889

.if_nametoindex)

576

libc = ctypes.cdll.LoadLibrary("libc.so.6")

577

return libc.if_nametoindex(interface)

890

578

except (OSError, AttributeError):

891

579

if "struct" not in sys.modules:

892

580

import struct

893

581

if "fcntl" not in sys.modules:

894

582

import fcntl

895

def if_nametoindex(interface):

896

"Get an interface index the hard way, i.e. using fcntl()"

897

SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h

898

with closing(socket.socket()) as s:

899

ifreq = fcntl.ioctl(s, SIOCGIFINDEX,

900

struct.pack("16s16x", interface))

901

interface_index = struct.unpack("I", ifreq[16:20])[0]

902

return interface_index

903

return if_nametoindex(interface)

904

905

906

def daemon(nochdir = False, noclose = False):

583

SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h

584

s = socket.socket()

585

ifreq = fcntl.ioctl(s, SIOCGIFINDEX,

586

struct.pack("16s16x", interface))

587

s.close()

588

interface_index = struct.unpack("I", ifreq[16:20])[0]

589

return interface_index

590

591

592

def daemon(nochdir, noclose):

907

593

"""See daemon(3). Standard BSD Unix function.

908

594

This should really exist as os.daemon, but it doesn't (yet)."""

909

595

if os.fork():

911

597

os.setsid()

912

598

if not nochdir:

913

599

os.chdir("/")

914

if os.fork():

915

sys.exit()

916

600

if not noclose:

917

601

# Close all standard open file descriptors

918

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

602

null = os.open("/dev/null", os.O_NOCTTY | os.O_RDWR)

919

603

if not stat.S_ISCHR(os.fstat(null).st_mode):

920

604

raise OSError(errno.ENODEV,

921

605

"/dev/null not a character device")

926

610

os.close(null)

927

611

928

612

613

def killme(status = 0):

614

logger.debug("Stopping server with exit status %d", status)

615

exitstatus = status

616

if main_loop_started:

617

main_loop.quit()

618

else:

619

sys.exit(status)

620

621

929

622

def main():

930

parser = optparse.OptionParser(version = "%%prog %s" % version)

623

global exitstatus

624

exitstatus = 0

625

global main_loop_started

626

main_loop_started = False

627

628

parser = OptionParser()

931

629

parser.add_option("-i", "--interface", type="string",

932

metavar="IF", help="Bind to interface IF")

933

parser.add_option("-a", "--address", type="string",

630

default=None, metavar="IF",

631

help="Bind to interface IF")

632

parser.add_option("-a", "--address", type="string", default=None,

934

633

help="Address to listen for requests on")

935

parser.add_option("-p", "--port", type="int",

634

parser.add_option("-p", "--port", type="int", default=None,

936

635

help="Port number to receive requests on")

937

parser.add_option("--check", action="store_true",

636

parser.add_option("--check", action="store_true", default=False,

938

637

help="Run self-test")

939

parser.add_option("--debug", action="store_true",

940

help="Debug mode; run in foreground and log to"

941

" terminal")

942

parser.add_option("--priority", type="string", help="GnuTLS"

943

" priority string (see GnuTLS documentation)")

944

parser.add_option("--servicename", type="string", metavar="NAME",

945

help="Zeroconf service name")

946

parser.add_option("--configdir", type="string",

947

default="/etc/mandos", metavar="DIR",

948

help="Directory to search for configuration"

949

" files")

950

parser.add_option("--no-dbus", action="store_false",

951

dest="use_dbus",

952

help="Do not provide D-Bus system bus"

953

" interface")

954

parser.add_option("--no-ipv6", action="store_false",

955

dest="use_ipv6", help="Do not use IPv6")

956

options = parser.parse_args()[0]

638

parser.add_option("--debug", action="store_true", default=False,

639

help="Debug mode")

640

parser.add_option("--priority", type="string",

641

default="SECURE256",

642

help="GnuTLS priority string"

643

" (see GnuTLS documentation)")

644

parser.add_option("--servicename", type="string",

645

default="Mandos", help="Zeroconf service name")

646

(options, args) = parser.parse_args()

957

647

958

648

if options.check:

959

649

import doctest

960

650

doctest.testmod()

961

651

sys.exit()

962

652

963

# Default values for config file for server-global settings

964

server_defaults = { "interface": "",

965

"address": "",

966

"port": "",

967

"debug": "False",

968

"priority":

969

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",

970

"servicename": "Mandos",

971

"use_dbus": "True",

972

"use_ipv6": "True",

973

}

974

975

# Parse config file for server-global settings

976

server_config = ConfigParser.SafeConfigParser(server_defaults)

977

del server_defaults

978

server_config.read(os.path.join(options.configdir, "mandos.conf"))

979

# Convert the SafeConfigParser object to a dict

980

server_settings = server_config.defaults()

981

# Use the appropriate methods on the non-string config options

982

server_settings["debug"] = server_config.getboolean("DEFAULT",

983

"debug")

984

server_settings["use_dbus"] = server_config.getboolean("DEFAULT",

985

"use_dbus")

986

server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",

987

"use_ipv6")

988

if server_settings["port"]:

989

server_settings["port"] = server_config.getint("DEFAULT",

990

"port")

991

del server_config

992

993

# Override the settings from the config file with command line

994

# options, if set.

995

for option in ("interface", "address", "port", "debug",

996

"priority", "servicename", "configdir",

997

"use_dbus", "use_ipv6"):

998

value = getattr(options, option)

999

if value is not None:

1000

server_settings[option] = value

1001

del options

1002

# Now we have our good server settings in "server_settings"

1003

1004

# For convenience

1005

debug = server_settings["debug"]

1006

use_dbus = server_settings["use_dbus"]

1007

use_ipv6 = server_settings["use_ipv6"]

1008

1009

if not debug:

1010

syslogger.setLevel(logging.WARNING)

1011

console.setLevel(logging.WARNING)

1012

1013

if server_settings["servicename"] != "Mandos":

1014

syslogger.setFormatter(logging.Formatter

1015

('Mandos (%s): %%(levelname)s:'

1016

' %%(message)s'

1017

% server_settings["servicename"]))

1018

1019

# Parse config file with clients

1020

client_defaults = { "timeout": "1h",

1021

"interval": "5m",

1022

"checker": "fping -q -- %%(host)s",

1023

"host": "",

1024

}

1025

client_config = ConfigParser.SafeConfigParser(client_defaults)

1026

client_config.read(os.path.join(server_settings["configdir"],

1027

"clients.conf"))

1028

1029

clients = Set()

1030

tcp_server = IPv6_TCPServer((server_settings["address"],

1031

server_settings["port"]),

1032

TCP_handler,

1033

settings=server_settings,

1034

clients=clients, use_ipv6=use_ipv6)

1035

pidfilename = "/var/run/mandos.pid"

1036

try:

1037

pidfile = open(pidfilename, "w")

1038

except IOError:

1039

logger.error("Could not open file %r", pidfilename)

1040

1041

try:

1042

uid = pwd.getpwnam("_mandos").pw_uid

1043

gid = pwd.getpwnam("_mandos").pw_gid

1044

except KeyError:

1045

try:

1046

uid = pwd.getpwnam("mandos").pw_uid

1047

gid = pwd.getpwnam("mandos").pw_gid

1048

except KeyError:

1049

try:

1050

uid = pwd.getpwnam("nobody").pw_uid

1051

gid = pwd.getpwnam("nogroup").pw_gid

1052

except KeyError:

1053

uid = 65534

1054

gid = 65534

1055

try:

1056

os.setgid(gid)

1057

os.setuid(uid)

1058

except OSError, error:

1059

if error[0] != errno.EPERM:

1060

raise error

1061

1062

# Enable all possible GnuTLS debugging

1063

if debug:

1064

# "Use a log level over 10 to enable all debugging options."

1065

# - GnuTLS manual

1066

gnutls.library.functions.gnutls_global_set_log_level(11)

1067

1068

@gnutls.library.types.gnutls_log_func

1069

def debug_gnutls(level, string):

1070

logger.debug("GnuTLS: %s", string[:-1])

1071

1072

(gnutls.library.functions

1073

.gnutls_global_set_log_function(debug_gnutls))

1074

1075

global service

1076

protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET

1077

service = AvahiService(name = server_settings["servicename"],

1078

servicetype = "_mandos._tcp",

1079

protocol = protocol)

1080

if server_settings["interface"]:

1081

service.interface = (if_nametoindex

1082

(server_settings["interface"]))

653

# Parse config file

654

defaults = { "timeout": "1h",

655

"interval": "5m",

656

"checker": "fping -q -- %%(fqdn)s",

657

}

658

client_config = ConfigParser.SafeConfigParser(defaults)

659

#client_config.readfp(open("global.conf"), "global.conf")

660

client_config.read("mandos-clients.conf")

661

662

global serviceName

663

serviceName = options.servicename;

1083

664

1084

665

global main_loop

1085

666

global bus

1088

669

DBusGMainLoop(set_as_default=True )

1089

670

main_loop = gobject.MainLoop()

1090

671

bus = dbus.SystemBus()

1091

server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,

1092

avahi.DBUS_PATH_SERVER),

1093

avahi.DBUS_INTERFACE_SERVER)

672

server = dbus.Interface(

673

bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),

674

avahi.DBUS_INTERFACE_SERVER )

1094

675

# End of Avahi example code

1095

if use_dbus:

1096

bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)

1097

1098

clients.update(Set(Client(name = section,

1099

config

1100

= dict(client_config.items(section)),

1101

use_dbus = use_dbus)

676

677

debug = options.debug

678

679

if debug:

680

console = logging.StreamHandler()

681

# console.setLevel(logging.DEBUG)

682

console.setFormatter(logging.Formatter\

683

('%(levelname)s: %(message)s'))

684

logger.addHandler(console)

685

del console

686

687

clients = Set()

688

def remove_from_clients(client):

689

clients.remove(client)

690

if not clients:

691

logger.debug(u"No clients left, exiting")

692

killme()

693

694

clients.update(Set(Client(name=section,

695

stop_hook = remove_from_clients,

696

**(dict(client_config\

697

.items(section))))

1102

698

for section in client_config.sections()))

1103

if not clients:

1104

logger.warning(u"No clients defined")

1105

1106

if debug:

1107

# Redirect stdin so all checkers get /dev/null

1108

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

1109

os.dup2(null, sys.stdin.fileno())

1110

if null > 2:

1111

os.close(null)

1112

else:

1113

# No console logging

1114

logger.removeHandler(console)

1115

# Close all input and output, do double fork, etc.

1116

daemon()

1117

1118

try:

1119

pid = os.getpid()

1120

pidfile.write(str(pid) + "\n")

1121

pidfile.close()

1122

del pidfile

1123

except IOError:

1124

logger.error(u"Could not write to file %r with PID %d",

1125

pidfilename, pid)

1126

except NameError:

1127

# "pidfile" was never created

1128

pass

1129

del pidfilename

699

700

if not debug:

701

daemon(False, False)

1130

702

1131

703

def cleanup():

1132

704

"Cleanup function; run on exit"

1139

711

1140

712

while clients:

1141

713

client = clients.pop()

1142

client.disable_hook = None

1143

client.disable()

714

client.stop_hook = None

715

client.stop()

1144

716

1145

717

atexit.register(cleanup)

1146

718

1147

719

if not debug:

1148

720

signal.signal(signal.SIGINT, signal.SIG_IGN)

1149

signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())

1150

signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())

1151

1152

if use_dbus:

1153

class MandosServer(dbus.service.Object):

1154

"""A D-Bus proxy object"""

1155

def __init__(self):

1156

dbus.service.Object.__init__(self, bus, "/")

1157

_interface = u"se.bsnet.fukt.Mandos"

1158

1159

@dbus.service.signal(_interface, signature="oa{sv}")

1160

def ClientAdded(self, objpath, properties):

1161

"D-Bus signal"

1162

pass

1163

1164

@dbus.service.signal(_interface, signature="os")

1165

def ClientRemoved(self, objpath, name):

1166

"D-Bus signal"

1167

pass

1168

1169

@dbus.service.method(_interface, out_signature="ao")

1170

def GetAllClients(self):

1171

"D-Bus method"

1172

return dbus.Array(c.dbus_object_path for c in clients)

1173

1174

@dbus.service.method(_interface, out_signature="a{oa{sv}}")

1175

def GetAllClientsWithProperties(self):

1176

"D-Bus method"

1177

return dbus.Dictionary(

1178

((c.dbus_object_path, c.GetAllProperties())

1179

for c in clients),

1180

signature="oa{sv}")

1181

1182

@dbus.service.method(_interface, in_signature="o")

1183

def RemoveClient(self, object_path):

1184

"D-Bus method"

1185

for c in clients:

1186

if c.dbus_object_path == object_path:

1187

clients.remove(c)

1188

# Don't signal anything except ClientRemoved

1189

c.use_dbus = False

1190

c.disable()

1191

# Emit D-Bus signal

1192

self.ClientRemoved(object_path, c.name)

1193

return

1194

raise KeyError

1195

1196

del _interface

1197

1198

mandos_server = MandosServer()

721

signal.signal(signal.SIGHUP, lambda signum, frame: killme())

722

signal.signal(signal.SIGTERM, lambda signum, frame: killme())

1199

723

1200

724

for client in clients:

1201

if use_dbus:

1202

# Emit D-Bus signal

1203

mandos_server.ClientAdded(client.dbus_object_path,

1204

client.GetAllProperties())

1205

client.enable()

1206

1207

tcp_server.enable()

1208

tcp_server.server_activate()

1209

1210

# Find out what port we got

1211

service.port = tcp_server.socket.getsockname()[1]

1212

if use_ipv6:

1213

logger.info(u"Now listening on address %r, port %d,"

1214

" flowinfo %d, scope_id %d"

1215

% tcp_server.socket.getsockname())

1216

else: # IPv4

1217

logger.info(u"Now listening on address %r, port %d"

1218

% tcp_server.socket.getsockname())

1219

1220

#service.interface = tcp_server.socket.getsockname()[3]

1221

1222

try:

1223

# From the Avahi example code

1224

server.connect_to_signal("StateChanged", server_state_changed)

1225

try:

1226

server_state_changed(server.GetState())

1227

except dbus.exceptions.DBusException, error:

1228

logger.critical(u"DBusException: %s", error)

1229

sys.exit(1)

1230

# End of Avahi example code

1231

1232

gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,

1233

lambda *args, **kwargs:

1234

(tcp_server.handle_request

1235

(*args[2:], **kwargs) or True))

1236

1237

logger.debug(u"Starting main loop")

725

client.start()

726

727

tcp_server = IPv6_TCPServer((options.address, options.port),

728

tcp_handler,

729

options=options,

730

clients=clients)

731

# Find out what random port we got

732

global servicePort

733

servicePort = tcp_server.socket.getsockname()[1]

734

logger.debug(u"Now listening on port %d", servicePort)

735

736

if options.interface is not None:

737

global serviceInterface

738

serviceInterface = if_nametoindex(options.interface)

739

740

# From the Avahi example code

741

server.connect_to_signal("StateChanged", server_state_changed)

742

try:

743

server_state_changed(server.GetState())

744

except dbus.exceptions.DBusException, error:

745

logger.critical(u"DBusException: %s", error)

746

killme(1)

747

# End of Avahi example code

748

749

gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,

750

lambda *args, **kwargs:

751

tcp_server.handle_request(*args[2:],

752

**kwargs) or True)

753

try:

754

logger.debug("Starting main loop")

755

main_loop_started = True

1238

756

main_loop.run()

1239

except AvahiError, error:

1240

logger.critical(u"AvahiError: %s", error)

1241

sys.exit(1)

1242

757

except KeyboardInterrupt:

1243

758

if debug:

1244

print >> sys.stderr

1245

logger.debug("Server received KeyboardInterrupt")

1246

logger.debug("Server exiting")

759

760

761

sys.exit(exitstatus)

1247

762

1248

763

if __name__ == '__main__':

1249

764

main()

Older »