To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to server.py
- browse files at revision 46
- compare with another revision
- download diff
- download tarball
- view history from revision 46
- Committer: Teddy Hogeborn
- Date: 2008-08-04 23:38:26 UTC
- mfrom: (24.1.20 mandos)
- Revision ID: teddy@fukt.bsnet.se-20080804233826-idy7v8x36llseue0
* network-protocol.txt: New.
* server.py (daemon): Do the double fork thing.
* server.py (daemon): Do the double fork thing.
- files added:
- network-protocol.txt
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
server.py
11
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
16
15
#
17
16
# This program is free software: you can redistribute it and/or modify
18
17
# it under the terms of the GNU General Public License as published by
25
24
# GNU General Public License for more details.
26
25
#
27
26
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
27
# along with this program. If not, see <http://www.gnu.org/licenses/>.
30
28
#
31
29
# Contact the authors at <mandos@fukt.bsnet.se>.
32
30
#
33
31
34
from __future__ import division, with_statement, absolute_import
32
from __future__ import division
35
33
36
34
import SocketServer
37
35
import socket
38
import optparse
36
import select
37
from optparse import OptionParser
39
38
import datetime
40
39
import errno
41
40
import gnutls.crypto
49
48
import re
50
49
import os
51
50
import signal
51
from sets import Set
52
52
import subprocess
53
53
import atexit
54
54
import stat
55
55
import logging
56
56
import logging.handlers
57
import pwd
58
from contextlib import closing
59
import struct
60
import fcntl
61
57
62
58
import dbus
63
import dbus.service
64
59
import gobject
65
60
import avahi
66
61
from dbus.mainloop.glib import DBusGMainLoop
67
62
import ctypes
68
import ctypes.util
69
70
try:
71
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
72
except AttributeError:
73
try:
74
from IN import SO_BINDTODEVICE
75
except ImportError:
76
# From /usr/include/asm/socket.h
77
SO_BINDTODEVICE = 25
78
79
80
version = "1.0.8"
81
82
logger = logging.Logger(u'mandos')
83
syslogger = (logging.handlers.SysLogHandler
84
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
63
64
65
logger = logging.Logger('mandos')
66
syslogger = logging.handlers.SysLogHandler\
67
(facility = logging.handlers.SysLogHandler.LOG_DAEMON)
68
syslogger.setFormatter(logging.Formatter\
69
('%(levelname)s: %(message)s'))
89
70
logger.addHandler(syslogger)
71
del syslogger
90
72
91
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
95
logger.addHandler(console)
96
73
97
74
class AvahiError(Exception):
98
def __init__(self, value, *args, **kwargs):
75
def __init__(self, value):
99
76
self.value = value
100
super(AvahiError, self).__init__(value, *args, **kwargs)
101
def __unicode__(self):
102
return unicode(repr(self.value))
77
def __str__(self):
78
return repr(self.value)
103
79
104
80
class AvahiServiceError(AvahiError):
105
81
pass
110
86
111
87
class AvahiService(object):
112
88
"""An Avahi (Zeroconf) service.
113
114
89
Attributes:
115
90
interface: integer; avahi.IF_UNSPEC or an interface index.
116
91
Used to optionally bind to the specified interface.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
92
name: string; Example: 'Mandos'
93
type: string; Example: '_mandos._tcp'.
119
94
See <http://www.dns-sd.org/ServiceTypes.html>
120
95
port: integer; what port to announce
121
96
TXT: list of strings; TXT record for the service
126
101
a sensible number of times
127
102
"""
128
103
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
129
servicetype = None, port = None, TXT = None,
130
domain = u"", host = u"", max_renames = 32768,
131
protocol = avahi.PROTO_UNSPEC):
104
type = None, port = None, TXT = None, domain = "",
105
host = "", max_renames = 12):
132
106
self.interface = interface
133
107
self.name = name
134
self.type = servicetype
108
self.type = type
135
109
self.port = port
136
self.TXT = TXT if TXT is not None else []
110
if TXT is None:
111
self.TXT = []
112
else:
113
self.TXT = TXT
137
114
self.domain = domain
138
115
self.host = host
139
116
self.rename_count = 0
140
self.max_renames = max_renames
141
self.protocol = protocol
142
117
def rename(self):
143
118
"""Derived from the Avahi example code"""
144
119
if self.rename_count >= self.max_renames:
145
logger.critical(u"No suitable Zeroconf service name found"
146
u" after %i retries, exiting.",
147
self.rename_count)
148
raise AvahiServiceError(u"Too many renames")
149
self.name = server.GetAlternativeServiceName(self.name)
150
logger.info(u"Changing Zeroconf service name to %r ...",
151
self.name)
152
syslogger.setFormatter(logging.Formatter
153
(u'Mandos (%s) [%%(process)d]:'
154
u' %%(levelname)s: %%(message)s'
155
% self.name))
120
logger.critical(u"No suitable service name found after %i"
121
u" retries, exiting.", rename_count)
122
raise AvahiServiceError("Too many renames")
123
name = server.GetAlternativeServiceName(name)
124
logger.error(u"Changing name to %r ...", name)
156
125
self.remove()
157
126
self.add()
158
127
self.rename_count += 1
164
133
"""Derived from the Avahi example code"""
165
134
global group
166
135
if group is None:
167
group = dbus.Interface(bus.get_object
168
(avahi.DBUS_NAME,
136
group = dbus.Interface\
137
(bus.get_object(avahi.DBUS_NAME,
169
138
server.EntryGroupNew()),
170
avahi.DBUS_INTERFACE_ENTRY_GROUP)
139
avahi.DBUS_INTERFACE_ENTRY_GROUP)
171
140
group.connect_to_signal('StateChanged',
172
141
entry_group_state_changed)
173
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
142
logger.debug(u"Adding service '%s' of type '%s' ...",
174
143
service.name, service.type)
175
144
group.AddService(
176
145
self.interface, # interface
177
self.protocol, # protocol
146
avahi.PROTO_INET6, # protocol
178
147
dbus.UInt32(0), # flags
179
148
self.name, self.type,
180
149
self.domain, self.host,
187
156
# End of Avahi example code
188
157
189
158
190
def _datetime_to_dbus(dt, variant_level=0):
191
"""Convert a UTC datetime.datetime() to a D-Bus type."""
192
return dbus.String(dt.isoformat(), variant_level=variant_level)
193
194
195
159
class Client(object):
196
160
"""A representation of a client host served by this server.
197
198
161
Attributes:
199
name: string; from the config file, used in log messages and
200
D-Bus identifiers
162
name: string; from the config file, used in log messages
201
163
fingerprint: string (40 or 32 hexadecimal digits); used to
202
164
uniquely identify the client
203
secret: bytestring; sent verbatim (over TLS) to client
204
host: string; available for use by the checker command
205
created: datetime.datetime(); (UTC) object creation
206
last_enabled: datetime.datetime(); (UTC)
207
enabled: bool()
208
last_checked_ok: datetime.datetime(); (UTC) or None
209
timeout: datetime.timedelta(); How long from last_checked_ok
210
until this client is invalid
211
interval: datetime.timedelta(); How often to start a new checker
212
disable_hook: If set, called by disable() as disable_hook(self)
213
checker: subprocess.Popen(); a running checker process used
214
to see if the client lives.
215
'None' if no process is running.
165
secret: bytestring; sent verbatim (over TLS) to client
166
fqdn: string (FQDN); available for use by the checker command
167
created: datetime.datetime(); object creation, not client host
168
last_checked_ok: datetime.datetime() or None if not yet checked OK
169
timeout: datetime.timedelta(); How long from last_checked_ok
170
until this client is invalid
171
interval: datetime.timedelta(); How often to start a new checker
172
stop_hook: If set, called by stop() as stop_hook(self)
173
checker: subprocess.Popen(); a running checker process used
174
to see if the client lives.
175
'None' if no process is running.
216
176
checker_initiator_tag: a gobject event source tag, or None
217
disable_initiator_tag: - '' -
177
stop_initiator_tag: - '' -
218
178
checker_callback_tag: - '' -
219
179
checker_command: string; External command which is run to check if
220
180
client lives. %() expansions are done at
221
181
runtime with vars(self) as dict, so that for
222
182
instance %(name)s can be used in the command.
223
current_checker_command: string; current running checker_command
183
Private attibutes:
184
_timeout: Real variable for 'timeout'
185
_interval: Real variable for 'interval'
186
_timeout_milliseconds: Used when calling gobject.timeout_add()
187
_interval_milliseconds: - '' -
224
188
"""
225
226
@staticmethod
227
def _datetime_to_milliseconds(dt):
228
"Convert a datetime.datetime() to milliseconds"
229
return ((dt.days * 24 * 60 * 60 * 1000)
230
+ (dt.seconds * 1000)
231
+ (dt.microseconds // 1000))
232
233
def timeout_milliseconds(self):
234
"Return the 'timeout' attribute in milliseconds"
235
return self._datetime_to_milliseconds(self.timeout)
236
237
def interval_milliseconds(self):
238
"Return the 'interval' attribute in milliseconds"
239
return self._datetime_to_milliseconds(self.interval)
240
241
def __init__(self, name = None, disable_hook=None, config=None):
189
def _set_timeout(self, timeout):
190
"Setter function for 'timeout' attribute"
191
self._timeout = timeout
192
self._timeout_milliseconds = ((self.timeout.days
193
* 24 * 60 * 60 * 1000)
194
+ (self.timeout.seconds * 1000)
195
+ (self.timeout.microseconds
196
// 1000))
197
timeout = property(lambda self: self._timeout,
198
_set_timeout)
199
del _set_timeout
200
def _set_interval(self, interval):
201
"Setter function for 'interval' attribute"
202
self._interval = interval
203
self._interval_milliseconds = ((self.interval.days
204
* 24 * 60 * 60 * 1000)
205
+ (self.interval.seconds
206
* 1000)
207
+ (self.interval.microseconds
208
// 1000))
209
interval = property(lambda self: self._interval,
210
_set_interval)
211
del _set_interval
212
def __init__(self, name = None, stop_hook=None, config={}):
242
213
"""Note: the 'checker' key in 'config' sets the
243
214
'checker_command' attribute and *not* the 'checker'
244
215
attribute."""
245
216
self.name = name
246
if config is None:
247
config = {}
248
217
logger.debug(u"Creating client %r", self.name)
249
218
# Uppercase and remove spaces from fingerprint for later
250
219
# comparison purposes with return value from the fingerprint()
251
220
# function
252
self.fingerprint = (config[u"fingerprint"].upper()
253
.replace(u" ", u""))
221
self.fingerprint = config["fingerprint"].upper()\
222
.replace(u" ", u"")
254
223
logger.debug(u" Fingerprint: %s", self.fingerprint)
255
if u"secret" in config:
256
self.secret = config[u"secret"].decode(u"base64")
257
elif u"secfile" in config:
258
with closing(open(os.path.expanduser
259
(os.path.expandvars
260
(config[u"secfile"])))) as secfile:
261
self.secret = secfile.read()
224
if "secret" in config:
225
self.secret = config["secret"].decode(u"base64")
226
elif "secfile" in config:
227
sf = open(config["secfile"])
228
self.secret = sf.read()
229
sf.close()
262
230
else:
263
231
raise TypeError(u"No secret or secfile for client %s"
264
232
% self.name)
265
self.host = config.get(u"host", u"")
266
self.created = datetime.datetime.utcnow()
267
self.enabled = False
268
self.last_enabled = None
233
self.fqdn = config.get("fqdn", "")
234
self.created = datetime.datetime.now()
269
235
self.last_checked_ok = None
270
self.timeout = string_to_delta(config[u"timeout"])
271
self.interval = string_to_delta(config[u"interval"])
272
self.disable_hook = disable_hook
236
self.timeout = string_to_delta(config["timeout"])
237
self.interval = string_to_delta(config["interval"])
238
self.stop_hook = stop_hook
273
239
self.checker = None
274
240
self.checker_initiator_tag = None
275
self.disable_initiator_tag = None
241
self.stop_initiator_tag = None
276
242
self.checker_callback_tag = None
277
self.checker_command = config[u"checker"]
278
self.current_checker_command = None
279
self.last_connect = None
280
281
def enable(self):
243
self.check_command = config["checker"]
244
def start(self):
282
245
"""Start this client's checker and timeout hooks"""
283
self.last_enabled = datetime.datetime.utcnow()
284
246
# Schedule a new checker to be started an 'interval' from now,
285
247
# and every interval from then on.
286
self.checker_initiator_tag = (gobject.timeout_add
287
(self.interval_milliseconds(),
288
self.start_checker))
248
self.checker_initiator_tag = gobject.timeout_add\
249
(self._interval_milliseconds,
250
self.start_checker)
289
251
# Also start a new checker *right now*.
290
252
self.start_checker()
291
# Schedule a disable() when 'timeout' has passed
292
self.disable_initiator_tag = (gobject.timeout_add
293
(self.timeout_milliseconds(),
294
self.disable))
295
self.enabled = True
296
297
def disable(self):
298
"""Disable this client."""
299
if not getattr(self, "enabled", False):
253
# Schedule a stop() when 'timeout' has passed
254
self.stop_initiator_tag = gobject.timeout_add\
255
(self._timeout_milliseconds,
256
self.stop)
257
def stop(self):
258
"""Stop this client.
259
The possibility that a client might be restarted is left open,
260
but not currently used."""
261
# If this client doesn't have a secret, it is already stopped.
262
if self.secret:
263
logger.info(u"Stopping client %s", self.name)
264
self.secret = None
265
else:
300
266
return False
301
logger.info(u"Disabling client %s", self.name)
302
if getattr(self, u"disable_initiator_tag", False):
303
gobject.source_remove(self.disable_initiator_tag)
304
self.disable_initiator_tag = None
305
if getattr(self, u"checker_initiator_tag", False):
267
if getattr(self, "stop_initiator_tag", False):
268
gobject.source_remove(self.stop_initiator_tag)
269
self.stop_initiator_tag = None
270
if getattr(self, "checker_initiator_tag", False):
306
271
gobject.source_remove(self.checker_initiator_tag)
307
272
self.checker_initiator_tag = None
308
273
self.stop_checker()
309
if self.disable_hook:
310
self.disable_hook(self)
311
self.enabled = False
274
if self.stop_hook:
275
self.stop_hook(self)
312
276
# Do not run this again if called by a gobject.timeout_add
313
277
return False
314
315
278
def __del__(self):
316
self.disable_hook = None
317
self.disable()
318
319
def checker_callback(self, pid, condition, command):
279
self.stop_hook = None
280
self.stop()
281
def checker_callback(self, pid, condition):
320
282
"""The checker has completed, so take appropriate actions."""
283
now = datetime.datetime.now()
321
284
self.checker_callback_tag = None
322
285
self.checker = None
323
if os.WIFEXITED(condition):
324
exitstatus = os.WEXITSTATUS(condition)
325
if exitstatus == 0:
326
logger.info(u"Checker for %(name)s succeeded",
327
vars(self))
328
self.checked_ok()
329
else:
330
logger.info(u"Checker for %(name)s failed",
331
vars(self))
332
else:
286
if os.WIFEXITED(condition) \
287
and (os.WEXITSTATUS(condition) == 0):
288
logger.info(u"Checker for %(name)s succeeded",
289
vars(self))
290
self.last_checked_ok = now
291
gobject.source_remove(self.stop_initiator_tag)
292
self.stop_initiator_tag = gobject.timeout_add\
293
(self._timeout_milliseconds,
294
self.stop)
295
elif not os.WIFEXITED(condition):
333
296
logger.warning(u"Checker for %(name)s crashed?",
334
297
vars(self))
335
336
def checked_ok(self):
337
"""Bump up the timeout for this client.
338
339
This should only be called when the client has been seen,
340
alive and well.
341
"""
342
self.last_checked_ok = datetime.datetime.utcnow()
343
gobject.source_remove(self.disable_initiator_tag)
344
self.disable_initiator_tag = (gobject.timeout_add
345
(self.timeout_milliseconds(),
346
self.disable))
347
298
else:
299
logger.info(u"Checker for %(name)s failed",
300
vars(self))
348
301
def start_checker(self):
349
302
"""Start a new checker subprocess if one is not running.
350
351
303
If a checker already exists, leave it running and do
352
304
nothing."""
353
305
# The reason for not killing a running checker is that if we
358
310
# checkers alone, the checker would have to take more time
359
311
# than 'timeout' for the client to be declared invalid, which
360
312
# is as it should be.
361
362
# If a checker exists, make sure it is not a zombie
363
if self.checker is not None:
364
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
365
if pid:
366
logger.warning(u"Checker was a zombie")
367
gobject.source_remove(self.checker_callback_tag)
368
self.checker_callback(pid, status,
369
self.current_checker_command)
370
# Start a new checker if needed
371
313
if self.checker is None:
372
314
try:
373
# In case checker_command has exactly one % operator
374
command = self.checker_command % self.host
315
# In case check_command has exactly one % operator
316
command = self.check_command % self.fqdn
375
317
except TypeError:
376
318
# Escape attributes for the shell
377
escaped_attrs = dict((key,
378
re.escape(unicode(str(val),
379
errors=
380
u'replace')))
319
escaped_attrs = dict((key, re.escape(str(val)))
381
320
for key, val in
382
321
vars(self).iteritems())
383
322
try:
384
command = self.checker_command % escaped_attrs
323
command = self.check_command % escaped_attrs
385
324
except TypeError, error:
386
325
logger.error(u'Could not format string "%s":'
387
u' %s', self.checker_command, error)
326
u' %s', self.check_command, error)
388
327
return True # Try again later
389
self.current_checker_command = command
390
328
try:
391
329
logger.info(u"Starting checker %r for %s",
392
330
command, self.name)
393
# We don't need to redirect stdout and stderr, since
394
# in normal mode, that is already done by daemon(),
395
# and in debug mode we don't want to. (Stdin is
396
# always replaced by /dev/null.)
397
331
self.checker = subprocess.Popen(command,
398
332
close_fds=True,
399
shell=True, cwd=u"/")
400
self.checker_callback_tag = (gobject.child_watch_add
401
(self.checker.pid,
402
self.checker_callback,
403
data=command))
404
# The checker may have completed before the gobject
405
# watch was added. Check for this.
406
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
407
if pid:
408
gobject.source_remove(self.checker_callback_tag)
409
self.checker_callback(pid, status, command)
410
except OSError, error:
333
shell=True, cwd="/")
334
self.checker_callback_tag = gobject.child_watch_add\
335
(self.checker.pid,
336
self.checker_callback)
337
except subprocess.OSError, error:
411
338
logger.error(u"Failed to start subprocess: %s",
412
339
error)
413
340
# Re-run this periodically if run by gobject.timeout_add
414
341
return True
415
416
342
def stop_checker(self):
417
343
"""Force the checker process, if any, to stop."""
418
344
if self.checker_callback_tag:
419
345
gobject.source_remove(self.checker_callback_tag)
420
346
self.checker_callback_tag = None
421
if getattr(self, u"checker", None) is None:
347
if getattr(self, "checker", None) is None:
422
348
return
423
logger.debug(u"Stopping checker for %(name)s", vars(self))
349
logger.debug("Stopping checker for %(name)s", vars(self))
424
350
try:
425
351
os.kill(self.checker.pid, signal.SIGTERM)
426
352
#os.sleep(0.5)
430
356
if error.errno != errno.ESRCH: # No such process
431
357
raise
432
358
self.checker = None
433
434
359
def still_valid(self):
435
360
"""Has the timeout not yet passed for this client?"""
436
if not getattr(self, u"enabled", False):
437
return False
438
now = datetime.datetime.utcnow()
361
now = datetime.datetime.now()
439
362
if self.last_checked_ok is None:
440
363
return now < (self.created + self.timeout)
441
364
else:
442
365
return now < (self.last_checked_ok + self.timeout)
443
366
444
367
445
class ClientDBus(Client, dbus.service.Object):
446
"""A Client class using D-Bus
447
448
Attributes:
449
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
450
"""
451
# dbus.service.Object doesn't use super(), so we can't either.
452
453
def __init__(self, *args, **kwargs):
454
Client.__init__(self, *args, **kwargs)
455
# Only now, when this client is initialized, can it show up on
456
# the D-Bus
457
self.dbus_object_path = (dbus.ObjectPath
458
(u"/clients/"
459
+ self.name.replace(u".", u"_")))
460
dbus.service.Object.__init__(self, bus,
461
self.dbus_object_path)
462
def enable(self):
463
oldstate = getattr(self, u"enabled", False)
464
r = Client.enable(self)
465
if oldstate != self.enabled:
466
# Emit D-Bus signals
467
self.PropertyChanged(dbus.String(u"enabled"),
468
dbus.Boolean(True, variant_level=1))
469
self.PropertyChanged(dbus.String(u"last_enabled"),
470
(_datetime_to_dbus(self.last_enabled,
471
variant_level=1)))
472
return r
473
474
def disable(self, signal = True):
475
oldstate = getattr(self, u"enabled", False)
476
r = Client.disable(self)
477
if signal and oldstate != self.enabled:
478
# Emit D-Bus signal
479
self.PropertyChanged(dbus.String(u"enabled"),
480
dbus.Boolean(False, variant_level=1))
481
return r
482
483
def __del__(self, *args, **kwargs):
484
try:
485
self.remove_from_connection()
486
except LookupError:
487
pass
488
if hasattr(dbus.service.Object, u"__del__"):
489
dbus.service.Object.__del__(self, *args, **kwargs)
490
Client.__del__(self, *args, **kwargs)
491
492
def checker_callback(self, pid, condition, command,
493
*args, **kwargs):
494
self.checker_callback_tag = None
495
self.checker = None
496
# Emit D-Bus signal
497
self.PropertyChanged(dbus.String(u"checker_running"),
498
dbus.Boolean(False, variant_level=1))
499
if os.WIFEXITED(condition):
500
exitstatus = os.WEXITSTATUS(condition)
501
# Emit D-Bus signal
502
self.CheckerCompleted(dbus.Int16(exitstatus),
503
dbus.Int64(condition),
504
dbus.String(command))
505
else:
506
# Emit D-Bus signal
507
self.CheckerCompleted(dbus.Int16(-1),
508
dbus.Int64(condition),
509
dbus.String(command))
510
511
return Client.checker_callback(self, pid, condition, command,
512
*args, **kwargs)
513
514
def checked_ok(self, *args, **kwargs):
515
r = Client.checked_ok(self, *args, **kwargs)
516
# Emit D-Bus signal
517
self.PropertyChanged(
518
dbus.String(u"last_checked_ok"),
519
(_datetime_to_dbus(self.last_checked_ok,
520
variant_level=1)))
521
return r
522
523
def start_checker(self, *args, **kwargs):
524
old_checker = self.checker
525
if self.checker is not None:
526
old_checker_pid = self.checker.pid
527
else:
528
old_checker_pid = None
529
r = Client.start_checker(self, *args, **kwargs)
530
# Only if new checker process was started
531
if (self.checker is not None
532
and old_checker_pid != self.checker.pid):
533
# Emit D-Bus signal
534
self.CheckerStarted(self.current_checker_command)
535
self.PropertyChanged(
536
dbus.String(u"checker_running"),
537
dbus.Boolean(True, variant_level=1))
538
return r
539
540
def stop_checker(self, *args, **kwargs):
541
old_checker = getattr(self, u"checker", None)
542
r = Client.stop_checker(self, *args, **kwargs)
543
if (old_checker is not None
544
and getattr(self, u"checker", None) is None):
545
self.PropertyChanged(dbus.String(u"checker_running"),
546
dbus.Boolean(False, variant_level=1))
547
return r
548
549
## D-Bus methods & signals
550
_interface = u"se.bsnet.fukt.Mandos.Client"
551
552
# CheckedOK - method
553
@dbus.service.method(_interface)
554
def CheckedOK(self):
555
return self.checked_ok()
556
557
# CheckerCompleted - signal
558
@dbus.service.signal(_interface, signature=u"nxs")
559
def CheckerCompleted(self, exitcode, waitstatus, command):
560
"D-Bus signal"
561
pass
562
563
# CheckerStarted - signal
564
@dbus.service.signal(_interface, signature=u"s")
565
def CheckerStarted(self, command):
566
"D-Bus signal"
567
pass
568
569
# GetAllProperties - method
570
@dbus.service.method(_interface, out_signature=u"a{sv}")
571
def GetAllProperties(self):
572
"D-Bus method"
573
return dbus.Dictionary({
574
dbus.String(u"name"):
575
dbus.String(self.name, variant_level=1),
576
dbus.String(u"fingerprint"):
577
dbus.String(self.fingerprint, variant_level=1),
578
dbus.String(u"host"):
579
dbus.String(self.host, variant_level=1),
580
dbus.String(u"created"):
581
_datetime_to_dbus(self.created, variant_level=1),
582
dbus.String(u"last_enabled"):
583
(_datetime_to_dbus(self.last_enabled,
584
variant_level=1)
585
if self.last_enabled is not None
586
else dbus.Boolean(False, variant_level=1)),
587
dbus.String(u"enabled"):
588
dbus.Boolean(self.enabled, variant_level=1),
589
dbus.String(u"last_checked_ok"):
590
(_datetime_to_dbus(self.last_checked_ok,
591
variant_level=1)
592
if self.last_checked_ok is not None
593
else dbus.Boolean (False, variant_level=1)),
594
dbus.String(u"timeout"):
595
dbus.UInt64(self.timeout_milliseconds(),
596
variant_level=1),
597
dbus.String(u"interval"):
598
dbus.UInt64(self.interval_milliseconds(),
599
variant_level=1),
600
dbus.String(u"checker"):
601
dbus.String(self.checker_command,
602
variant_level=1),
603
dbus.String(u"checker_running"):
604
dbus.Boolean(self.checker is not None,
605
variant_level=1),
606
dbus.String(u"object_path"):
607
dbus.ObjectPath(self.dbus_object_path,
608
variant_level=1)
609
}, signature=u"sv")
610
611
# IsStillValid - method
612
@dbus.service.method(_interface, out_signature=u"b")
613
def IsStillValid(self):
614
return self.still_valid()
615
616
# PropertyChanged - signal
617
@dbus.service.signal(_interface, signature=u"sv")
618
def PropertyChanged(self, property, value):
619
"D-Bus signal"
620
pass
621
622
# ReceivedSecret - signal
623
@dbus.service.signal(_interface)
624
def ReceivedSecret(self):
625
"D-Bus signal"
626
pass
627
628
# Rejected - signal
629
@dbus.service.signal(_interface)
630
def Rejected(self):
631
"D-Bus signal"
632
pass
633
634
# SetChecker - method
635
@dbus.service.method(_interface, in_signature=u"s")
636
def SetChecker(self, checker):
637
"D-Bus setter method"
638
self.checker_command = checker
639
# Emit D-Bus signal
640
self.PropertyChanged(dbus.String(u"checker"),
641
dbus.String(self.checker_command,
642
variant_level=1))
643
644
# SetHost - method
645
@dbus.service.method(_interface, in_signature=u"s")
646
def SetHost(self, host):
647
"D-Bus setter method"
648
self.host = host
649
# Emit D-Bus signal
650
self.PropertyChanged(dbus.String(u"host"),
651
dbus.String(self.host, variant_level=1))
652
653
# SetInterval - method
654
@dbus.service.method(_interface, in_signature=u"t")
655
def SetInterval(self, milliseconds):
656
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
657
# Emit D-Bus signal
658
self.PropertyChanged(dbus.String(u"interval"),
659
(dbus.UInt64(self.interval_milliseconds(),
660
variant_level=1)))
661
662
# SetSecret - method
663
@dbus.service.method(_interface, in_signature=u"ay",
664
byte_arrays=True)
665
def SetSecret(self, secret):
666
"D-Bus setter method"
667
self.secret = str(secret)
668
669
# SetTimeout - method
670
@dbus.service.method(_interface, in_signature=u"t")
671
def SetTimeout(self, milliseconds):
672
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
673
# Emit D-Bus signal
674
self.PropertyChanged(dbus.String(u"timeout"),
675
(dbus.UInt64(self.timeout_milliseconds(),
676
variant_level=1)))
677
678
# Enable - method
679
@dbus.service.method(_interface)
680
def Enable(self):
681
"D-Bus method"
682
self.enable()
683
684
# StartChecker - method
685
@dbus.service.method(_interface)
686
def StartChecker(self):
687
"D-Bus method"
688
self.start_checker()
689
690
# Disable - method
691
@dbus.service.method(_interface)
692
def Disable(self):
693
"D-Bus method"
694
self.disable()
695
696
# StopChecker - method
697
@dbus.service.method(_interface)
698
def StopChecker(self):
699
self.stop_checker()
700
701
del _interface
702
703
704
class ClientHandler(SocketServer.BaseRequestHandler, object):
705
"""A class to handle client connections.
706
707
Instantiated once for each connection to handle it.
368
def peer_certificate(session):
369
"Return the peer's OpenPGP certificate as a bytestring"
370
# If not an OpenPGP certificate...
371
if gnutls.library.functions.gnutls_certificate_type_get\
372
(session._c_object) \
373
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
374
# ...do the normal thing
375
return session.peer_certificate
376
list_size = ctypes.c_uint()
377
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
378
(session._c_object, ctypes.byref(list_size))
379
if list_size.value == 0:
380
return None
381
cert = cert_list[0]
382
return ctypes.string_at(cert.data, cert.size)
383
384
385
def fingerprint(openpgp):
386
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
387
# New GnuTLS "datum" with the OpenPGP public key
388
datum = gnutls.library.types.gnutls_datum_t\
389
(ctypes.cast(ctypes.c_char_p(openpgp),
390
ctypes.POINTER(ctypes.c_ubyte)),
391
ctypes.c_uint(len(openpgp)))
392
# New empty GnuTLS certificate
393
crt = gnutls.library.types.gnutls_openpgp_crt_t()
394
gnutls.library.functions.gnutls_openpgp_crt_init\
395
(ctypes.byref(crt))
396
# Import the OpenPGP public key into the certificate
397
gnutls.library.functions.gnutls_openpgp_crt_import\
398
(crt, ctypes.byref(datum),
399
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
400
# New buffer for the fingerprint
401
buffer = ctypes.create_string_buffer(20)
402
buffer_length = ctypes.c_size_t()
403
# Get the fingerprint from the certificate into the buffer
404
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
405
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
406
# Deinit the certificate
407
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
408
# Convert the buffer to a Python bytestring
409
fpr = ctypes.string_at(buffer, buffer_length.value)
410
# Convert the bytestring to hexadecimal notation
411
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
412
return hex_fpr
413
414
415
class tcp_handler(SocketServer.BaseRequestHandler, object):
416
"""A TCP request handler class.
417
Instantiated by IPv6_TCPServer for each request to handle it.
708
418
Note: This will run in its own forked process."""
709
419
710
420
def handle(self):
711
421
logger.info(u"TCP connection from: %s",
712
unicode(self.client_address))
713
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
714
# Open IPC pipe to parent process
715
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
716
session = (gnutls.connection
717
.ClientSession(self.request,
718
gnutls.connection
719
.X509Credentials()))
720
721
line = self.request.makefile().readline()
722
logger.debug(u"Protocol version: %r", line)
723
try:
724
if int(line.strip().split()[0]) > 1:
725
raise RuntimeError
726
except (ValueError, IndexError, RuntimeError), error:
727
logger.error(u"Unknown protocol version: %s", error)
728
return
729
730
# Note: gnutls.connection.X509Credentials is really a
731
# generic GnuTLS certificate credentials object so long as
732
# no X.509 keys are added to it. Therefore, we can use it
733
# here despite using OpenPGP certificates.
734
735
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
736
# u"+AES-256-CBC", u"+SHA1",
737
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
738
# u"+DHE-DSS"))
739
# Use a fallback default, since this MUST be set.
740
priority = self.server.gnutls_priority
741
if priority is None:
742
priority = u"NORMAL"
743
(gnutls.library.functions
744
.gnutls_priority_set_direct(session._c_object,
745
priority, None))
746
747
try:
748
session.handshake()
749
except gnutls.errors.GNUTLSError, error:
750
logger.warning(u"Handshake failed: %s", error)
751
# Do not run session.bye() here: the session is not
752
# established. Just abandon the request.
753
return
754
logger.debug(u"Handshake succeeded")
755
try:
756
fpr = self.fingerprint(self.peer_certificate(session))
757
except (TypeError, gnutls.errors.GNUTLSError), error:
758
logger.warning(u"Bad certificate: %s", error)
759
session.bye()
760
return
761
logger.debug(u"Fingerprint: %s", fpr)
762
763
for c in self.server.clients:
764
if c.fingerprint == fpr:
765
client = c
766
break
767
else:
768
ipc.write(u"NOTFOUND %s\n" % fpr)
769
session.bye()
770
return
771
# Have to check if client.still_valid(), since it is
772
# possible that the client timed out while establishing
773
# the GnuTLS session.
774
if not client.still_valid():
775
ipc.write(u"INVALID %s\n" % client.name)
776
session.bye()
777
return
778
ipc.write(u"SENDING %s\n" % client.name)
779
sent_size = 0
780
while sent_size < len(client.secret):
781
sent = session.send(client.secret[sent_size:])
782
logger.debug(u"Sent: %d, remaining: %d",
783
sent, len(client.secret)
784
- (sent_size + sent))
785
sent_size += sent
786
session.bye()
787
788
@staticmethod
789
def peer_certificate(session):
790
"Return the peer's OpenPGP certificate as a bytestring"
791
# If not an OpenPGP certificate...
792
if (gnutls.library.functions
793
.gnutls_certificate_type_get(session._c_object)
794
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
795
# ...do the normal thing
796
return session.peer_certificate
797
list_size = ctypes.c_uint(1)
798
cert_list = (gnutls.library.functions
799
.gnutls_certificate_get_peers
800
(session._c_object, ctypes.byref(list_size)))
801
if not bool(cert_list) and list_size.value != 0:
802
raise gnutls.errors.GNUTLSError(u"error getting peer"
803
u" certificate")
804
if list_size.value == 0:
805
return None
806
cert = cert_list[0]
807
return ctypes.string_at(cert.data, cert.size)
808
809
@staticmethod
810
def fingerprint(openpgp):
811
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
812
# New GnuTLS "datum" with the OpenPGP public key
813
datum = (gnutls.library.types
814
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
815
ctypes.POINTER
816
(ctypes.c_ubyte)),
817
ctypes.c_uint(len(openpgp))))
818
# New empty GnuTLS certificate
819
crt = gnutls.library.types.gnutls_openpgp_crt_t()
820
(gnutls.library.functions
821
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
822
# Import the OpenPGP public key into the certificate
823
(gnutls.library.functions
824
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
825
gnutls.library.constants
826
.GNUTLS_OPENPGP_FMT_RAW))
827
# Verify the self signature in the key
828
crtverify = ctypes.c_uint()
829
(gnutls.library.functions
830
.gnutls_openpgp_crt_verify_self(crt, 0,
831
ctypes.byref(crtverify)))
832
if crtverify.value != 0:
833
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
834
raise (gnutls.errors.CertificateSecurityError
835
(u"Verify failed"))
836
# New buffer for the fingerprint
837
buf = ctypes.create_string_buffer(20)
838
buf_len = ctypes.c_size_t()
839
# Get the fingerprint from the certificate into the buffer
840
(gnutls.library.functions
841
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
842
ctypes.byref(buf_len)))
843
# Deinit the certificate
844
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
845
# Convert the buffer to a Python bytestring
846
fpr = ctypes.string_at(buf, buf_len.value)
847
# Convert the bytestring to hexadecimal notation
848
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
849
return hex_fpr
850
851
852
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
853
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
854
855
Assumes a gobject.MainLoop event loop.
856
"""
857
def process_request(self, request, client_address):
858
"""Overrides and wraps the original process_request().
859
860
This function creates a new pipe in self.pipe
861
"""
862
self.pipe = os.pipe()
863
super(ForkingMixInWithPipe,
864
self).process_request(request, client_address)
865
os.close(self.pipe[1]) # close write end
866
# Call "handle_ipc" for both data and EOF events
867
gobject.io_add_watch(self.pipe[0],
868
gobject.IO_IN | gobject.IO_HUP,
869
self.handle_ipc)
870
def handle_ipc(source, condition):
871
"""Dummy function; override as necessary"""
872
os.close(source)
873
return False
874
875
876
class IPv6_TCPServer(ForkingMixInWithPipe,
877
SocketServer.TCPServer, object):
878
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
879
422
unicode(self.client_address))
423
session = gnutls.connection.ClientSession\
424
(self.request, gnutls.connection.X509Credentials())
425
426
line = self.request.makefile().readline()
427
logger.debug(u"Protocol version: %r", line)
428
try:
429
if int(line.strip().split()[0]) > 1:
430
raise RuntimeError
431
except (ValueError, IndexError, RuntimeError), error:
432
logger.error(u"Unknown protocol version: %s", error)
433
return
434
435
# Note: gnutls.connection.X509Credentials is really a generic
436
# GnuTLS certificate credentials object so long as no X.509
437
# keys are added to it. Therefore, we can use it here despite
438
# using OpenPGP certificates.
439
440
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
441
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
442
# "+DHE-DSS"))
443
priority = "NORMAL" # Fallback default, since this
444
# MUST be set.
445
if self.server.settings["priority"]:
446
priority = self.server.settings["priority"]
447
gnutls.library.functions.gnutls_priority_set_direct\
448
(session._c_object, priority, None);
449
450
try:
451
session.handshake()
452
except gnutls.errors.GNUTLSError, error:
453
logger.warning(u"Handshake failed: %s", error)
454
# Do not run session.bye() here: the session is not
455
# established. Just abandon the request.
456
return
457
try:
458
fpr = fingerprint(peer_certificate(session))
459
except (TypeError, gnutls.errors.GNUTLSError), error:
460
logger.warning(u"Bad certificate: %s", error)
461
session.bye()
462
return
463
logger.debug(u"Fingerprint: %s", fpr)
464
client = None
465
for c in self.server.clients:
466
if c.fingerprint == fpr:
467
client = c
468
break
469
if not client:
470
logger.warning(u"Client not found for fingerprint: %s",
471
fpr)
472
session.bye()
473
return
474
# Have to check if client.still_valid(), since it is possible
475
# that the client timed out while establishing the GnuTLS
476
# session.
477
if not client.still_valid():
478
logger.warning(u"Client %(name)s is invalid",
479
vars(client))
480
session.bye()
481
return
482
sent_size = 0
483
while sent_size < len(client.secret):
484
sent = session.send(client.secret[sent_size:])
485
logger.debug(u"Sent: %d, remaining: %d",
486
sent, len(client.secret)
487
- (sent_size + sent))
488
sent_size += sent
489
session.bye()
490
491
492
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
493
"""IPv6 TCP server. Accepts 'None' as address and/or port.
880
494
Attributes:
881
enabled: Boolean; whether this server is activated yet
882
interface: None or a network interface name (string)
883
use_ipv6: Boolean; to use IPv6 or not
884
----
885
clients: set of Client objects
886
gnutls_priority GnuTLS priority string
887
use_dbus: Boolean; to emit D-Bus signals or not
495
settings: Server settings
496
clients: Set() of Client objects
888
497
"""
889
def __init__(self, server_address, RequestHandlerClass,
890
interface=None, use_ipv6=True, clients=None,
891
gnutls_priority=None, use_dbus=True):
892
self.enabled = False
893
self.interface = interface
894
if use_ipv6:
895
self.address_family = socket.AF_INET6
896
self.clients = clients
897
self.use_dbus = use_dbus
898
self.gnutls_priority = gnutls_priority
899
SocketServer.TCPServer.__init__(self, server_address,
900
RequestHandlerClass)
498
address_family = socket.AF_INET6
499
def __init__(self, *args, **kwargs):
500
if "settings" in kwargs:
501
self.settings = kwargs["settings"]
502
del kwargs["settings"]
503
if "clients" in kwargs:
504
self.clients = kwargs["clients"]
505
del kwargs["clients"]
506
return super(type(self), self).__init__(*args, **kwargs)
901
507
def server_bind(self):
902
508
"""This overrides the normal server_bind() function
903
509
to bind to an interface if one was specified, and also NOT to
904
510
bind to an address or port if they were not specified."""
905
if self.interface is not None:
511
if self.settings["interface"]:
512
# 25 is from /usr/include/asm-i486/socket.h
513
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
906
514
try:
907
515
self.socket.setsockopt(socket.SOL_SOCKET,
908
516
SO_BINDTODEVICE,
909
str(self.interface + u'\0'))
517
self.settings["interface"])
910
518
except socket.error, error:
911
519
if error[0] == errno.EPERM:
912
520
logger.error(u"No permission to"
913
521
u" bind to interface %s",
914
self.interface)
522
self.settings["interface"])
915
523
else:
916
raise
524
raise error
917
525
# Only bind(2) the socket if we really need to.
918
526
if self.server_address[0] or self.server_address[1]:
919
527
if not self.server_address[0]:
920
if self.address_family == socket.AF_INET6:
921
any_address = u"::" # in6addr_any
922
else:
923
any_address = socket.INADDR_ANY
924
self.server_address = (any_address,
528
in6addr_any = "::"
529
self.server_address = (in6addr_any,
925
530
self.server_address[1])
926
elif not self.server_address[1]:
531
elif self.server_address[1] is None:
927
532
self.server_address = (self.server_address[0],
928
533
0)
929
# if self.interface:
930
# self.server_address = (self.server_address[0],
931
# 0, # port
932
# 0, # flowinfo
933
# if_nametoindex
934
# (self.interface))
935
return SocketServer.TCPServer.server_bind(self)
936
def server_activate(self):
937
if self.enabled:
938
return SocketServer.TCPServer.server_activate(self)
939
def enable(self):
940
self.enabled = True
941
def handle_ipc(self, source, condition, file_objects={}):
942
condition_names = {
943
gobject.IO_IN: u"IN", # There is data to read.
944
gobject.IO_OUT: u"OUT", # Data can be written (without
945
# blocking).
946
gobject.IO_PRI: u"PRI", # There is urgent data to read.
947
gobject.IO_ERR: u"ERR", # Error condition.
948
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
949
# broken, usually for pipes and
950
# sockets).
951
}
952
conditions_string = ' | '.join(name
953
for cond, name in
954
condition_names.iteritems()
955
if cond & condition)
956
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
957
conditions_string)
958
959
# Turn the pipe file descriptor into a Python file object
960
if source not in file_objects:
961
file_objects[source] = os.fdopen(source, u"r", 1)
962
963
# Read a line from the file object
964
cmdline = file_objects[source].readline()
965
if not cmdline: # Empty line means end of file
966
# close the IPC pipe
967
file_objects[source].close()
968
del file_objects[source]
969
970
# Stop calling this function
971
return False
972
973
logger.debug(u"IPC command: %r", cmdline)
974
975
# Parse and act on command
976
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
977
978
if cmd == u"NOTFOUND":
979
logger.warning(u"Client not found for fingerprint: %s",
980
args)
981
if self.use_dbus:
982
# Emit D-Bus signal
983
mandos_dbus_service.ClientNotFound(args)
984
elif cmd == u"INVALID":
985
for client in self.clients:
986
if client.name == args:
987
logger.warning(u"Client %s is invalid", args)
988
if self.use_dbus:
989
# Emit D-Bus signal
990
client.Rejected()
991
break
992
else:
993
logger.error(u"Unknown client %s is invalid", args)
994
elif cmd == u"SENDING":
995
for client in self.clients:
996
if client.name == args:
997
logger.info(u"Sending secret to %s", client.name)
998
client.checked_ok()
999
if self.use_dbus:
1000
# Emit D-Bus signal
1001
client.ReceivedSecret()
1002
break
1003
else:
1004
logger.error(u"Sending secret to unknown client %s",
1005
args)
1006
else:
1007
logger.error(u"Unknown IPC command: %r", cmdline)
1008
1009
# Keep calling this function
1010
return True
534
return super(type(self), self).server_bind()
1011
535
1012
536
1013
537
def string_to_delta(interval):
1014
538
"""Parse a string and return a datetime.timedelta
1015
1016
>>> string_to_delta(u'7d')
539
540
>>> string_to_delta('7d')
1017
541
datetime.timedelta(7)
1018
>>> string_to_delta(u'60s')
542
>>> string_to_delta('60s')
1019
543
datetime.timedelta(0, 60)
1020
>>> string_to_delta(u'60m')
544
>>> string_to_delta('60m')
1021
545
datetime.timedelta(0, 3600)
1022
>>> string_to_delta(u'24h')
546
>>> string_to_delta('24h')
1023
547
datetime.timedelta(1)
1024
548
>>> string_to_delta(u'1w')
1025
549
datetime.timedelta(7)
1026
>>> string_to_delta(u'5m 30s')
1027
datetime.timedelta(0, 330)
1028
550
"""
1029
timevalue = datetime.timedelta(0)
1030
for s in interval.split():
1031
try:
1032
suffix = unicode(s[-1])
1033
value = int(s[:-1])
1034
if suffix == u"d":
1035
delta = datetime.timedelta(value)
1036
elif suffix == u"s":
1037
delta = datetime.timedelta(0, value)
1038
elif suffix == u"m":
1039
delta = datetime.timedelta(0, 0, 0, 0, value)
1040
elif suffix == u"h":
1041
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1042
elif suffix == u"w":
1043
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1044
else:
1045
raise ValueError
1046
except (ValueError, IndexError):
551
try:
552
suffix=unicode(interval[-1])
553
value=int(interval[:-1])
554
if suffix == u"d":
555
delta = datetime.timedelta(value)
556
elif suffix == u"s":
557
delta = datetime.timedelta(0, value)
558
elif suffix == u"m":
559
delta = datetime.timedelta(0, 0, 0, 0, value)
560
elif suffix == u"h":
561
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
562
elif suffix == u"w":
563
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
564
else:
1047
565
raise ValueError
1048
timevalue += delta
1049
return timevalue
566
except (ValueError, IndexError):
567
raise ValueError
568
return delta
1050
569
1051
570
1052
571
def server_state_changed(state):
1053
572
"""Derived from the Avahi example code"""
1054
573
if state == avahi.SERVER_COLLISION:
1055
logger.error(u"Zeroconf server name collision")
574
logger.error(u"Server name collision")
1056
575
service.remove()
1057
576
elif state == avahi.SERVER_RUNNING:
1058
577
service.add()
1060
579
1061
580
def entry_group_state_changed(state, error):
1062
581
"""Derived from the Avahi example code"""
1063
logger.debug(u"Avahi state change: %i", state)
582
logger.debug(u"state change: %i", state)
1064
583
1065
584
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1066
logger.debug(u"Zeroconf service established.")
585
logger.debug(u"Service established.")
1067
586
elif state == avahi.ENTRY_GROUP_COLLISION:
1068
logger.warning(u"Zeroconf service name collision.")
587
logger.warning(u"Service name collision.")
1069
588
service.rename()
1070
589
elif state == avahi.ENTRY_GROUP_FAILURE:
1071
logger.critical(u"Avahi: Error in group state changed %s",
590
logger.critical(u"Error in group state changed %s",
1072
591
unicode(error))
1073
raise AvahiGroupError(u"State changed: %s" % unicode(error))
592
raise AvahiGroupError("State changed: %s", str(error))
1074
593
1075
594
def if_nametoindex(interface):
1076
"""Call the C function if_nametoindex(), or equivalent
1077
1078
Note: This function cannot accept a unicode string."""
595
"""Call the C function if_nametoindex(), or equivalent"""
1079
596
global if_nametoindex
1080
597
try:
1081
if_nametoindex = (ctypes.cdll.LoadLibrary
1082
(ctypes.util.find_library(u"c"))
1083
.if_nametoindex)
598
if "ctypes.util" not in sys.modules:
599
import ctypes.util
600
if_nametoindex = ctypes.cdll.LoadLibrary\
601
(ctypes.util.find_library("c")).if_nametoindex
1084
602
except (OSError, AttributeError):
1085
logger.warning(u"Doing if_nametoindex the hard way")
603
if "struct" not in sys.modules:
604
import struct
605
if "fcntl" not in sys.modules:
606
import fcntl
1086
607
def if_nametoindex(interface):
1087
608
"Get an interface index the hard way, i.e. using fcntl()"
1088
609
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1089
with closing(socket.socket()) as s:
1090
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1091
struct.pack(str(u"16s16x"),
1092
interface))
1093
interface_index = struct.unpack(str(u"I"),
1094
ifreq[16:20])[0]
610
s = socket.socket()
611
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
612
struct.pack("16s16x", interface))
613
s.close()
614
interface_index = struct.unpack("I", ifreq[16:20])[0]
1095
615
return interface_index
1096
616
return if_nametoindex(interface)
1097
617
1098
618
1099
def daemon(nochdir = False, noclose = False):
619
def daemon(nochdir, noclose):
1100
620
"""See daemon(3). Standard BSD Unix function.
1101
1102
621
This should really exist as os.daemon, but it doesn't (yet)."""
1103
622
if os.fork():
1104
623
sys.exit()
1105
624
os.setsid()
1106
625
if not nochdir:
1107
os.chdir(u"/")
626
os.chdir("/")
1108
627
if os.fork():
1109
628
sys.exit()
1110
629
if not noclose:
1112
631
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1113
632
if not stat.S_ISCHR(os.fstat(null).st_mode):
1114
633
raise OSError(errno.ENODEV,
1115
u"/dev/null not a character device")
634
"/dev/null not a character device")
1116
635
os.dup2(null, sys.stdin.fileno())
1117
636
os.dup2(null, sys.stdout.fileno())
1118
637
os.dup2(null, sys.stderr.fileno())
1121
640
1122
641
1123
642
def main():
1124
1125
######################################################################
1126
# Parsing of options, both command line and config file
1127
1128
parser = optparse.OptionParser(version = "%%prog %s" % version)
1129
parser.add_option("-i", u"--interface", type=u"string",
1130
metavar="IF", help=u"Bind to interface IF")
1131
parser.add_option("-a", u"--address", type=u"string",
1132
help=u"Address to listen for requests on")
1133
parser.add_option("-p", u"--port", type=u"int",
1134
help=u"Port number to receive requests on")
1135
parser.add_option("--check", action=u"store_true",
1136
help=u"Run self-test")
1137
parser.add_option("--debug", action=u"store_true",
1138
help=u"Debug mode; run in foreground and log to"
1139
u" terminal")
1140
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1141
u" priority string (see GnuTLS documentation)")
1142
parser.add_option("--servicename", type=u"string",
1143
metavar=u"NAME", help=u"Zeroconf service name")
1144
parser.add_option("--configdir", type=u"string",
1145
default=u"/etc/mandos", metavar=u"DIR",
1146
help=u"Directory to search for configuration"
1147
u" files")
1148
parser.add_option("--no-dbus", action=u"store_false",
1149
dest=u"use_dbus", help=u"Do not provide D-Bus"
1150
u" system bus interface")
1151
parser.add_option("--no-ipv6", action=u"store_false",
1152
dest=u"use_ipv6", help=u"Do not use IPv6")
1153
options = parser.parse_args()[0]
643
global main_loop_started
644
main_loop_started = False
645
646
parser = OptionParser()
647
parser.add_option("-i", "--interface", type="string",
648
metavar="IF", help="Bind to interface IF")
649
parser.add_option("-a", "--address", type="string",
650
help="Address to listen for requests on")
651
parser.add_option("-p", "--port", type="int",
652
help="Port number to receive requests on")
653
parser.add_option("--check", action="store_true", default=False,
654
help="Run self-test")
655
parser.add_option("--debug", action="store_true", default=False,
656
help="Debug mode; run in foreground and log to"
657
" terminal")
658
parser.add_option("--priority", type="string", help="GnuTLS"
659
" priority string (see GnuTLS documentation)")
660
parser.add_option("--servicename", type="string", metavar="NAME",
661
help="Zeroconf service name")
662
parser.add_option("--configdir", type="string",
663
default="/etc/mandos", metavar="DIR",
664
help="Directory to search for configuration"
665
" files")
666
(options, args) = parser.parse_args()
1154
667
1155
668
if options.check:
1156
669
import doctest
1158
671
sys.exit()
1159
672
1160
673
# Default values for config file for server-global settings
1161
server_defaults = { u"interface": u"",
1162
u"address": u"",
1163
u"port": u"",
1164
u"debug": u"False",
1165
u"priority":
1166
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1167
u"servicename": u"Mandos",
1168
u"use_dbus": u"True",
1169
u"use_ipv6": u"True",
674
server_defaults = { "interface": "",
675
"address": "",
676
"port": "",
677
"debug": "False",
678
"priority":
679
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
680
"servicename": "Mandos",
1170
681
}
1171
682
1172
683
# Parse config file for server-global settings
1173
684
server_config = ConfigParser.SafeConfigParser(server_defaults)
1174
685
del server_defaults
1175
server_config.read(os.path.join(options.configdir,
1176
u"mandos.conf"))
686
server_config.read(os.path.join(options.configdir, "server.conf"))
687
server_section = "server"
1177
688
# Convert the SafeConfigParser object to a dict
1178
server_settings = server_config.defaults()
1179
# Use the appropriate methods on the non-string config options
1180
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1181
server_settings[option] = server_config.getboolean(u"DEFAULT",
1182
option)
1183
if server_settings["port"]:
1184
server_settings["port"] = server_config.getint(u"DEFAULT",
1185
u"port")
689
server_settings = dict(server_config.items(server_section))
690
# Use getboolean on the boolean config option
691
server_settings["debug"] = server_config.getboolean\
692
(server_section, "debug")
1186
693
del server_config
1187
694
1188
695
# Override the settings from the config file with command line
1189
696
# options, if set.
1190
for option in (u"interface", u"address", u"port", u"debug",
1191
u"priority", u"servicename", u"configdir",
1192
u"use_dbus", u"use_ipv6"):
697
for option in ("interface", "address", "port", "debug",
698
"priority", "servicename", "configdir"):
1193
699
value = getattr(options, option)
1194
700
if value is not None:
1195
701
server_settings[option] = value
1196
702
del options
1197
# Force all strings to be unicode
1198
for option in server_settings.keys():
1199
if type(server_settings[option]) is str:
1200
server_settings[option] = unicode(server_settings[option])
1201
703
# Now we have our good server settings in "server_settings"
1202
704
1203
##################################################################
1204
1205
# For convenience
1206
debug = server_settings[u"debug"]
1207
use_dbus = server_settings[u"use_dbus"]
1208
use_ipv6 = server_settings[u"use_ipv6"]
1209
1210
if not debug:
1211
syslogger.setLevel(logging.WARNING)
1212
console.setLevel(logging.WARNING)
1213
1214
if server_settings[u"servicename"] != u"Mandos":
1215
syslogger.setFormatter(logging.Formatter
1216
(u'Mandos (%s) [%%(process)d]:'
1217
u' %%(levelname)s: %%(message)s'
1218
% server_settings[u"servicename"]))
1219
1220
705
# Parse config file with clients
1221
client_defaults = { u"timeout": u"1h",
1222
u"interval": u"5m",
1223
u"checker": u"fping -q -- %%(host)s",
1224
u"host": u"",
706
client_defaults = { "timeout": "1h",
707
"interval": "5m",
708
"checker": "fping -q -- %%(fqdn)s",
1225
709
}
1226
710
client_config = ConfigParser.SafeConfigParser(client_defaults)
1227
client_config.read(os.path.join(server_settings[u"configdir"],
1228
u"clients.conf"))
1229
1230
global mandos_dbus_service
1231
mandos_dbus_service = None
1232
1233
clients = set()
1234
tcp_server = IPv6_TCPServer((server_settings[u"address"],
1235
server_settings[u"port"]),
1236
ClientHandler,
1237
interface=
1238
server_settings[u"interface"],
1239
use_ipv6=use_ipv6,
1240
clients=clients,
1241
gnutls_priority=
1242
server_settings[u"priority"],
1243
use_dbus=use_dbus)
1244
pidfilename = u"/var/run/mandos.pid"
1245
try:
1246
pidfile = open(pidfilename, u"w")
1247
except IOError:
1248
logger.error(u"Could not open file %r", pidfilename)
1249
1250
try:
1251
uid = pwd.getpwnam(u"_mandos").pw_uid
1252
gid = pwd.getpwnam(u"_mandos").pw_gid
1253
except KeyError:
1254
try:
1255
uid = pwd.getpwnam(u"mandos").pw_uid
1256
gid = pwd.getpwnam(u"mandos").pw_gid
1257
except KeyError:
1258
try:
1259
uid = pwd.getpwnam(u"nobody").pw_uid
1260
gid = pwd.getpwnam(u"nobody").pw_gid
1261
except KeyError:
1262
uid = 65534
1263
gid = 65534
1264
try:
1265
os.setgid(gid)
1266
os.setuid(uid)
1267
except OSError, error:
1268
if error[0] != errno.EPERM:
1269
raise error
1270
1271
# Enable all possible GnuTLS debugging
1272
if debug:
1273
# "Use a log level over 10 to enable all debugging options."
1274
# - GnuTLS manual
1275
gnutls.library.functions.gnutls_global_set_log_level(11)
1276
1277
@gnutls.library.types.gnutls_log_func
1278
def debug_gnutls(level, string):
1279
logger.debug(u"GnuTLS: %s", string[:-1])
1280
1281
(gnutls.library.functions
1282
.gnutls_global_set_log_function(debug_gnutls))
711
client_config.read(os.path.join(server_settings["configdir"],
712
"clients.conf"))
1283
713
1284
714
global service
1285
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1286
service = AvahiService(name = server_settings[u"servicename"],
1287
servicetype = u"_mandos._tcp",
1288
protocol = protocol)
715
service = AvahiService(name = server_settings["servicename"],
716
type = "_mandos._tcp", );
1289
717
if server_settings["interface"]:
1290
service.interface = (if_nametoindex
1291
(str(server_settings[u"interface"])))
718
service.interface = if_nametoindex(server_settings["interface"])
1292
719
1293
720
global main_loop
1294
721
global bus
1297
724
DBusGMainLoop(set_as_default=True )
1298
725
main_loop = gobject.MainLoop()
1299
726
bus = dbus.SystemBus()
1300
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1301
avahi.DBUS_PATH_SERVER),
1302
avahi.DBUS_INTERFACE_SERVER)
727
server = dbus.Interface(
728
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
729
avahi.DBUS_INTERFACE_SERVER )
1303
730
# End of Avahi example code
1304
if use_dbus:
1305
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1306
731
1307
client_class = Client
1308
if use_dbus:
1309
client_class = ClientDBus
1310
clients.update(set(
1311
client_class(name = section,
1312
config= dict(client_config.items(section)))
1313
for section in client_config.sections()))
1314
if not clients:
1315
logger.warning(u"No clients defined")
732
debug = server_settings["debug"]
1316
733
1317
734
if debug:
1318
# Redirect stdin so all checkers get /dev/null
1319
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1320
os.dup2(null, sys.stdin.fileno())
1321
if null > 2:
1322
os.close(null)
1323
else:
1324
# No console logging
1325
logger.removeHandler(console)
1326
# Close all input and output, do double fork, etc.
1327
daemon()
1328
1329
try:
1330
with closing(pidfile):
1331
pid = os.getpid()
1332
pidfile.write(str(pid) + "\n")
1333
del pidfile
1334
except IOError:
1335
logger.error(u"Could not write to file %r with PID %d",
1336
pidfilename, pid)
1337
except NameError:
1338
# "pidfile" was never created
1339
pass
1340
del pidfilename
735
console = logging.StreamHandler()
736
# console.setLevel(logging.DEBUG)
737
console.setFormatter(logging.Formatter\
738
('%(levelname)s: %(message)s'))
739
logger.addHandler(console)
740
del console
741
742
clients = Set()
743
def remove_from_clients(client):
744
clients.remove(client)
745
if not clients:
746
logger.critical(u"No clients left, exiting")
747
sys.exit()
748
749
clients.update(Set(Client(name = section,
750
stop_hook = remove_from_clients,
751
config
752
= dict(client_config.items(section)))
753
for section in client_config.sections()))
754
755
if not debug:
756
daemon(False, False)
1341
757
1342
758
def cleanup():
1343
759
"Cleanup function; run on exit"
1350
766
1351
767
while clients:
1352
768
client = clients.pop()
1353
client.disable_hook = None
1354
client.disable()
769
client.stop_hook = None
770
client.stop()
1355
771
1356
772
atexit.register(cleanup)
1357
773
1360
776
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1361
777
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1362
778
1363
if use_dbus:
1364
class MandosDBusService(dbus.service.Object):
1365
"""A D-Bus proxy object"""
1366
def __init__(self):
1367
dbus.service.Object.__init__(self, bus, u"/")
1368
_interface = u"se.bsnet.fukt.Mandos"
1369
1370
@dbus.service.signal(_interface, signature=u"oa{sv}")
1371
def ClientAdded(self, objpath, properties):
1372
"D-Bus signal"
1373
pass
1374
1375
@dbus.service.signal(_interface, signature=u"s")
1376
def ClientNotFound(self, fingerprint):
1377
"D-Bus signal"
1378
pass
1379
1380
@dbus.service.signal(_interface, signature=u"os")
1381
def ClientRemoved(self, objpath, name):
1382
"D-Bus signal"
1383
pass
1384
1385
@dbus.service.method(_interface, out_signature=u"ao")
1386
def GetAllClients(self):
1387
"D-Bus method"
1388
return dbus.Array(c.dbus_object_path for c in clients)
1389
1390
@dbus.service.method(_interface,
1391
out_signature=u"a{oa{sv}}")
1392
def GetAllClientsWithProperties(self):
1393
"D-Bus method"
1394
return dbus.Dictionary(
1395
((c.dbus_object_path, c.GetAllProperties())
1396
for c in clients),
1397
signature=u"oa{sv}")
1398
1399
@dbus.service.method(_interface, in_signature=u"o")
1400
def RemoveClient(self, object_path):
1401
"D-Bus method"
1402
for c in clients:
1403
if c.dbus_object_path == object_path:
1404
clients.remove(c)
1405
c.remove_from_connection()
1406
# Don't signal anything except ClientRemoved
1407
c.disable(signal=False)
1408
# Emit D-Bus signal
1409
self.ClientRemoved(object_path, c.name)
1410
return
1411
raise KeyError
1412
1413
del _interface
1414
1415
mandos_dbus_service = MandosDBusService()
1416
1417
779
for client in clients:
1418
if use_dbus:
1419
# Emit D-Bus signal
1420
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1421
client.GetAllProperties())
1422
client.enable()
1423
1424
tcp_server.enable()
1425
tcp_server.server_activate()
1426
780
client.start()
781
782
tcp_server = IPv6_TCPServer((server_settings["address"],
783
server_settings["port"]),
784
tcp_handler,
785
settings=server_settings,
786
clients=clients)
1427
787
# Find out what port we got
1428
788
service.port = tcp_server.socket.getsockname()[1]
1429
if use_ipv6:
1430
logger.info(u"Now listening on address %r, port %d,"
1431
" flowinfo %d, scope_id %d"
1432
% tcp_server.socket.getsockname())
1433
else: # IPv4
1434
logger.info(u"Now listening on address %r, port %d"
1435
% tcp_server.socket.getsockname())
789
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
790
u" scope_id %d" % tcp_server.socket.getsockname())
1436
791
1437
792
#service.interface = tcp_server.socket.getsockname()[3]
1438
793
1439
794
try:
1440
795
# From the Avahi example code
1441
server.connect_to_signal(u"StateChanged", server_state_changed)
796
server.connect_to_signal("StateChanged", server_state_changed)
1442
797
try:
1443
798
server_state_changed(server.GetState())
1444
799
except dbus.exceptions.DBusException, error:
1448
803
1449
804
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1450
805
lambda *args, **kwargs:
1451
(tcp_server.handle_request
1452
(*args[2:], **kwargs) or True))
806
tcp_server.handle_request\
807
(*args[2:], **kwargs) or True)
1453
808
1454
logger.debug(u"Starting main loop")
809
logger.debug("Starting main loop")
810
main_loop_started = True
1455
811
main_loop.run()
1456
812
except AvahiError, error:
1457
logger.critical(u"AvahiError: %s", error)
813
logger.critical(u"AvahiError: %s" + unicode(error))
1458
814
sys.exit(1)
1459
815
except KeyboardInterrupt:
1460
816
if debug:
1461
print >> sys.stderr
1462
logger.debug(u"Server received KeyboardInterrupt")
1463
logger.debug(u"Server exiting")
817
print
1464
818
1465
819
if __name__ == '__main__':
1466
820
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0