To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to server.py
- browse files at revision 10
- compare with another revision
- download diff
- download tarball
- view history from revision 10
- Committer: Teddy Hogeborn
- Date: 2008-06-21 00:53:32 UTC
- Revision ID: teddy@fukt.bsnet.se-20080621005332-s4scjdpevuso4lsd
* server.py: Bug fix: Do "from __future__ import division".
(Client.__init__): Bug fix: parse interval string from config file.
(Client.check_action): Take no arguments. Print some debugging
output. Reset "checker" to None.
(Client.start_checker): Sleep 10 seconds before pinging to alleviate
debugging.
(Client.next_stop): Bug fix: check if "last_seen" and/or "checker"
is None.
(Client.still_valid): Bug fix: check if "last_seen" is None.
(Client.handle): When finding the right password to send, use a list
comprehension and an index lookup instead of a generator expression to
a dict.
(IPv6_TCPServer.request_queue_size): Removed.
(in6addr_any): Moved inside "main".
(main): Changed "clients" to be a Set instead of a list. Bug fix:
Exit when/if all clients are removed. Call "select" with all client
checkers and a suitable timeout. Add some debugging output. Start
new checkers when needed and delete clients which have timed out.
(Client.__init__): Bug fix: parse interval string from config file.
(Client.check_action): Take no arguments. Print some debugging
output. Reset "checker" to None.
(Client.start_checker): Sleep 10 seconds before pinging to alleviate
debugging.
(Client.next_stop): Bug fix: check if "last_seen" and/or "checker"
is None.
(Client.still_valid): Bug fix: check if "last_seen" is None.
(Client.handle): When finding the right password to send, use a list
comprehension and an index lookup instead of a generator expression to
a dict.
(IPv6_TCPServer.request_queue_size): Removed.
(in6addr_any): Moved inside "main".
(main): Changed "clients" to be a Set instead of a list. Bug fix:
Exit when/if all clients are removed. Call "select" with all client
checkers and a suitable timeout. Add some debugging output. Start
new checkers when needed and delete clients which have timed out.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- plugins.d
- files renamed:
- clients.conf => mandos-clients.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
server.py
1
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
# Mandos server - give out binary blobs to connecting clients.
5
#
6
# This program is partly derived from an example program for an Avahi
7
# service publisher, downloaded from
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
#
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
19
# the Free Software Foundation, either version 3 of the License, or
20
# (at your option) any later version.
21
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
# GNU General Public License for more details.
26
#
27
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
#
33
34
from __future__ import division, with_statement, absolute_import
35
36
import SocketServer as socketserver
2
3
from __future__ import division
4
5
import SocketServer
37
6
import socket
38
import optparse
7
import select
8
from optparse import OptionParser
39
9
import datetime
40
10
import errno
41
11
import gnutls.crypto
42
12
import gnutls.connection
43
13
import gnutls.errors
44
import gnutls.library.functions
45
import gnutls.library.constants
46
import gnutls.library.types
47
import ConfigParser as configparser
14
import ConfigParser
48
15
import sys
49
16
import re
50
17
import os
51
18
import signal
19
from sets import Set
52
20
import subprocess
53
import atexit
54
import stat
55
import logging
56
import logging.handlers
57
import pwd
58
from contextlib import closing
59
import struct
60
import fcntl
61
62
import dbus
63
import dbus.service
64
import gobject
65
import avahi
66
from dbus.mainloop.glib import DBusGMainLoop
67
import ctypes
68
import ctypes.util
69
70
try:
71
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
72
except AttributeError:
73
try:
74
from IN import SO_BINDTODEVICE
75
except ImportError:
76
# From /usr/include/asm/socket.h
77
SO_BINDTODEVICE = 25
78
79
80
version = "1.0.8"
81
82
logger = logging.Logger(u'mandos')
83
syslogger = (logging.handlers.SysLogHandler
84
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
89
logger.addHandler(syslogger)
90
91
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
95
logger.addHandler(console)
96
97
class AvahiError(Exception):
98
def __init__(self, value, *args, **kwargs):
99
self.value = value
100
super(AvahiError, self).__init__(value, *args, **kwargs)
101
def __unicode__(self):
102
return unicode(repr(self.value))
103
104
class AvahiServiceError(AvahiError):
105
pass
106
107
class AvahiGroupError(AvahiError):
108
pass
109
110
111
class AvahiService(object):
112
"""An Avahi (Zeroconf) service.
113
114
Attributes:
115
interface: integer; avahi.IF_UNSPEC or an interface index.
116
Used to optionally bind to the specified interface.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
119
See <http://www.dns-sd.org/ServiceTypes.html>
120
port: integer; what port to announce
121
TXT: list of strings; TXT record for the service
122
domain: string; Domain to publish on, default to .local if empty.
123
host: string; Host to publish records for, default is localhost
124
max_renames: integer; maximum number of renames
125
rename_count: integer; counter so we only rename after collisions
126
a sensible number of times
127
group: D-Bus Entry Group
128
server: D-Bus Server
129
"""
130
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
131
servicetype = None, port = None, TXT = None,
132
domain = u"", host = u"", max_renames = 32768,
133
protocol = avahi.PROTO_UNSPEC):
134
self.interface = interface
135
self.name = name
136
self.type = servicetype
137
self.port = port
138
self.TXT = TXT if TXT is not None else []
139
self.domain = domain
140
self.host = host
141
self.rename_count = 0
142
self.max_renames = max_renames
143
self.protocol = protocol
144
self.group = None # our entry group
145
self.server = None
146
def rename(self):
147
"""Derived from the Avahi example code"""
148
if self.rename_count >= self.max_renames:
149
logger.critical(u"No suitable Zeroconf service name found"
150
u" after %i retries, exiting.",
151
self.rename_count)
152
raise AvahiServiceError(u"Too many renames")
153
self.name = self.server.GetAlternativeServiceName(self.name)
154
logger.info(u"Changing Zeroconf service name to %r ...",
155
unicode(self.name))
156
syslogger.setFormatter(logging.Formatter
157
(u'Mandos (%s) [%%(process)d]:'
158
u' %%(levelname)s: %%(message)s'
159
% self.name))
160
self.remove()
161
self.add()
162
self.rename_count += 1
163
def remove(self):
164
"""Derived from the Avahi example code"""
165
if self.group is not None:
166
self.group.Reset()
167
def add(self):
168
"""Derived from the Avahi example code"""
169
if self.group is None:
170
self.group = dbus.Interface(
171
bus.get_object(avahi.DBUS_NAME,
172
self.server.EntryGroupNew()),
173
avahi.DBUS_INTERFACE_ENTRY_GROUP)
174
self.group.connect_to_signal('StateChanged',
175
self.entry_group_state_changed)
176
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
177
self.name, self.type)
178
self.group.AddService(
179
self.interface,
180
self.protocol,
181
dbus.UInt32(0), # flags
182
self.name, self.type,
183
self.domain, self.host,
184
dbus.UInt16(self.port),
185
avahi.string_array_to_txt_array(self.TXT))
186
self.group.Commit()
187
def entry_group_state_changed(self, state, error):
188
"""Derived from the Avahi example code"""
189
logger.debug(u"Avahi state change: %i", state)
190
191
if state == avahi.ENTRY_GROUP_ESTABLISHED:
192
logger.debug(u"Zeroconf service established.")
193
elif state == avahi.ENTRY_GROUP_COLLISION:
194
logger.warning(u"Zeroconf service name collision.")
195
self.rename()
196
elif state == avahi.ENTRY_GROUP_FAILURE:
197
logger.critical(u"Avahi: Error in group state changed %s",
198
unicode(error))
199
raise AvahiGroupError(u"State changed: %s"
200
% unicode(error))
201
def cleanup(self):
202
"""Derived from the Avahi example code"""
203
if self.group is not None:
204
self.group.Free()
205
self.group = None
206
def server_state_changed(self, state):
207
"""Derived from the Avahi example code"""
208
if state == avahi.SERVER_COLLISION:
209
logger.error(u"Zeroconf server name collision")
210
self.remove()
211
elif state == avahi.SERVER_RUNNING:
212
self.add()
213
def activate(self):
214
"""Derived from the Avahi example code"""
215
if self.server is None:
216
self.server = dbus.Interface(
217
bus.get_object(avahi.DBUS_NAME,
218
avahi.DBUS_PATH_SERVER),
219
avahi.DBUS_INTERFACE_SERVER)
220
self.server.connect_to_signal(u"StateChanged",
221
self.server_state_changed)
222
self.server_state_changed(self.server.GetState())
223
224
21
225
22
class Client(object):
226
"""A representation of a client host served by this server.
227
228
Attributes:
229
name: string; from the config file, used in log messages and
230
D-Bus identifiers
231
fingerprint: string (40 or 32 hexadecimal digits); used to
232
uniquely identify the client
233
secret: bytestring; sent verbatim (over TLS) to client
234
host: string; available for use by the checker command
235
created: datetime.datetime(); (UTC) object creation
236
last_enabled: datetime.datetime(); (UTC)
237
enabled: bool()
238
last_checked_ok: datetime.datetime(); (UTC) or None
239
timeout: datetime.timedelta(); How long from last_checked_ok
240
until this client is invalid
241
interval: datetime.timedelta(); How often to start a new checker
242
disable_hook: If set, called by disable() as disable_hook(self)
243
checker: subprocess.Popen(); a running checker process used
244
to see if the client lives.
245
'None' if no process is running.
246
checker_initiator_tag: a gobject event source tag, or None
247
disable_initiator_tag: - '' -
248
checker_callback_tag: - '' -
249
checker_command: string; External command which is run to check if
250
client lives. %() expansions are done at
251
runtime with vars(self) as dict, so that for
252
instance %(name)s can be used in the command.
253
current_checker_command: string; current running checker_command
254
"""
255
256
@staticmethod
257
def _datetime_to_milliseconds(dt):
258
"Convert a datetime.datetime() to milliseconds"
259
return ((dt.days * 24 * 60 * 60 * 1000)
260
+ (dt.seconds * 1000)
261
+ (dt.microseconds // 1000))
262
263
def timeout_milliseconds(self):
264
"Return the 'timeout' attribute in milliseconds"
265
return self._datetime_to_milliseconds(self.timeout)
266
267
def interval_milliseconds(self):
268
"Return the 'interval' attribute in milliseconds"
269
return self._datetime_to_milliseconds(self.interval)
270
271
def __init__(self, name = None, disable_hook=None, config=None):
272
"""Note: the 'checker' key in 'config' sets the
273
'checker_command' attribute and *not* the 'checker'
274
attribute."""
23
def __init__(self, name=None, options=None, dn=None,
24
password=None, passfile=None, fqdn=None,
25
timeout=None, interval=-1):
275
26
self.name = name
276
if config is None:
277
config = {}
278
logger.debug(u"Creating client %r", self.name)
279
# Uppercase and remove spaces from fingerprint for later
280
# comparison purposes with return value from the fingerprint()
281
# function
282
self.fingerprint = (config[u"fingerprint"].upper()
283
.replace(u" ", u""))
284
logger.debug(u" Fingerprint: %s", self.fingerprint)
285
if u"secret" in config:
286
self.secret = config[u"secret"].decode(u"base64")
287
elif u"secfile" in config:
288
with closing(open(os.path.expanduser
289
(os.path.expandvars
290
(config[u"secfile"])))) as secfile:
291
self.secret = secfile.read()
292
else:
293
raise TypeError(u"No secret or secfile for client %s"
294
% self.name)
295
self.host = config.get(u"host", u"")
296
self.created = datetime.datetime.utcnow()
297
self.enabled = False
298
self.last_enabled = None
299
self.last_checked_ok = None
300
self.timeout = string_to_delta(config[u"timeout"])
301
self.interval = string_to_delta(config[u"interval"])
302
self.disable_hook = disable_hook
303
self.checker = None
304
self.checker_initiator_tag = None
305
self.disable_initiator_tag = None
306
self.checker_callback_tag = None
307
self.checker_command = config[u"checker"]
308
self.current_checker_command = None
309
self.last_connect = None
310
311
def enable(self):
312
"""Start this client's checker and timeout hooks"""
313
self.last_enabled = datetime.datetime.utcnow()
314
# Schedule a new checker to be started an 'interval' from now,
315
# and every interval from then on.
316
self.checker_initiator_tag = (gobject.timeout_add
317
(self.interval_milliseconds(),
318
self.start_checker))
319
# Also start a new checker *right now*.
320
self.start_checker()
321
# Schedule a disable() when 'timeout' has passed
322
self.disable_initiator_tag = (gobject.timeout_add
323
(self.timeout_milliseconds(),
324
self.disable))
325
self.enabled = True
326
327
def disable(self):
328
"""Disable this client."""
329
if not getattr(self, "enabled", False):
330
return False
331
logger.info(u"Disabling client %s", self.name)
332
if getattr(self, u"disable_initiator_tag", False):
333
gobject.source_remove(self.disable_initiator_tag)
334
self.disable_initiator_tag = None
335
if getattr(self, u"checker_initiator_tag", False):
336
gobject.source_remove(self.checker_initiator_tag)
337
self.checker_initiator_tag = None
338
self.stop_checker()
339
if self.disable_hook:
340
self.disable_hook(self)
341
self.enabled = False
342
# Do not run this again if called by a gobject.timeout_add
343
return False
344
345
def __del__(self):
346
self.disable_hook = None
347
self.disable()
348
349
def checker_callback(self, pid, condition, command):
350
"""The checker has completed, so take appropriate actions."""
351
self.checker_callback_tag = None
352
self.checker = None
353
if os.WIFEXITED(condition):
354
exitstatus = os.WEXITSTATUS(condition)
355
if exitstatus == 0:
356
logger.info(u"Checker for %(name)s succeeded",
357
vars(self))
358
self.checked_ok()
359
else:
360
logger.info(u"Checker for %(name)s failed",
361
vars(self))
362
else:
363
logger.warning(u"Checker for %(name)s crashed?",
364
vars(self))
365
366
def checked_ok(self):
367
"""Bump up the timeout for this client.
368
369
This should only be called when the client has been seen,
370
alive and well.
371
"""
372
self.last_checked_ok = datetime.datetime.utcnow()
373
gobject.source_remove(self.disable_initiator_tag)
374
self.disable_initiator_tag = (gobject.timeout_add
375
(self.timeout_milliseconds(),
376
self.disable))
377
27
self.dn = dn
28
if password:
29
self.password = password
30
elif passfile:
31
self.password = open(passfile).readall()
32
else:
33
print "No Password or Passfile in client config file"
34
# raise RuntimeError XXX
35
self.password = "gazonk"
36
self.fqdn = fqdn # string
37
self.created = datetime.datetime.now()
38
self.last_seen = None # datetime.datetime()
39
if timeout is None:
40
timeout = options.timeout
41
self.timeout = timeout # datetime.timedelta()
42
if interval == -1:
43
interval = options.interval
44
else:
45
interval = string_to_delta(interval)
46
self.interval = interval # datetime.timedelta()
47
self.next_check = datetime.datetime.now() # datetime.datetime()
48
# Note: next_check may be in the past if checker is not None
49
self.checker = None # or a subprocess.Popen()
50
def check_action(self):
51
"""The checker said something and might have completed.
52
Check if is has, and take appropriate actions."""
53
if self.checker.poll() is None:
54
# False alarm, no result yet
55
#self.checker.read()
56
#print "Checker for %(name)s said nothing?" % vars(self)
57
return
58
now = datetime.datetime.now()
59
if self.checker.returncode == 0:
60
print "Checker for %(name)s succeeded" % vars(self)
61
self.last_seen = now
62
else:
63
print "Checker for %(name)s failed" % vars(self)
64
while self.next_check <= now:
65
self.next_check += self.interval
66
self.checker = None
67
handle_request = check_action
378
68
def start_checker(self):
379
"""Start a new checker subprocess if one is not running.
380
381
If a checker already exists, leave it running and do
382
nothing."""
383
# The reason for not killing a running checker is that if we
384
# did that, then if a checker (for some reason) started
385
# running slowly and taking more than 'interval' time, the
386
# client would inevitably timeout, since no checker would get
387
# a chance to run to completion. If we instead leave running
388
# checkers alone, the checker would have to take more time
389
# than 'timeout' for the client to be declared invalid, which
390
# is as it should be.
391
392
# If a checker exists, make sure it is not a zombie
393
if self.checker is not None:
394
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
395
if pid:
396
logger.warning(u"Checker was a zombie")
397
gobject.source_remove(self.checker_callback_tag)
398
self.checker_callback(pid, status,
399
self.current_checker_command)
400
# Start a new checker if needed
401
if self.checker is None:
402
try:
403
# In case checker_command has exactly one % operator
404
command = self.checker_command % self.host
405
except TypeError:
406
# Escape attributes for the shell
407
escaped_attrs = dict((key,
408
re.escape(unicode(str(val),
409
errors=
410
u'replace')))
411
for key, val in
412
vars(self).iteritems())
413
try:
414
command = self.checker_command % escaped_attrs
415
except TypeError, error:
416
logger.error(u'Could not format string "%s":'
417
u' %s', self.checker_command, error)
418
return True # Try again later
419
self.current_checker_command = command
420
try:
421
logger.info(u"Starting checker %r for %s",
422
command, self.name)
423
# We don't need to redirect stdout and stderr, since
424
# in normal mode, that is already done by daemon(),
425
# and in debug mode we don't want to. (Stdin is
426
# always replaced by /dev/null.)
427
self.checker = subprocess.Popen(command,
428
close_fds=True,
429
shell=True, cwd=u"/")
430
self.checker_callback_tag = (gobject.child_watch_add
431
(self.checker.pid,
432
self.checker_callback,
433
data=command))
434
# The checker may have completed before the gobject
435
# watch was added. Check for this.
436
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
437
if pid:
438
gobject.source_remove(self.checker_callback_tag)
439
self.checker_callback(pid, status, command)
440
except OSError, error:
441
logger.error(u"Failed to start subprocess: %s",
442
error)
443
# Re-run this periodically if run by gobject.timeout_add
444
return True
445
69
self.stop_checker()
70
try:
71
self.checker = subprocess.Popen("sleep 10; fping -q -- %s"
72
% re.escape(self.fqdn),
73
stdout=subprocess.PIPE,
74
close_fds=True,
75
shell=True, cwd="/")
76
except subprocess.OSError, e:
77
print "Failed to start subprocess:", e
446
78
def stop_checker(self):
447
"""Force the checker process, if any, to stop."""
448
if self.checker_callback_tag:
449
gobject.source_remove(self.checker_callback_tag)
450
self.checker_callback_tag = None
451
if getattr(self, u"checker", None) is None:
79
if self.checker is None:
452
80
return
453
logger.debug(u"Stopping checker for %(name)s", vars(self))
454
try:
455
os.kill(self.checker.pid, signal.SIGTERM)
456
#os.sleep(0.5)
457
#if self.checker.poll() is None:
458
# os.kill(self.checker.pid, signal.SIGKILL)
459
except OSError, error:
460
if error.errno != errno.ESRCH: # No such process
461
raise
81
os.kill(self.checker.pid, signal.SIGTERM)
82
if self.checker.poll() is None:
83
os.kill(self.checker.pid, signal.SIGKILL)
462
84
self.checker = None
463
464
def still_valid(self):
465
"""Has the timeout not yet passed for this client?"""
466
if not getattr(self, u"enabled", False):
467
return False
468
now = datetime.datetime.utcnow()
469
if self.last_checked_ok is None:
85
__del__ = stop_checker
86
def fileno(self):
87
if self.checker is None:
88
return None
89
return self.checker.stdout.fileno()
90
def next_stop(self):
91
"""The time when something must be done about this client
92
May be in the past."""
93
if self.last_seen is None:
94
# This client has never been seen
95
next_timeout = self.created + self.timeout
96
else:
97
next_timeout = self.last_seen + self.timeout
98
if self.checker is None:
99
return min(next_timeout, self.next_check)
100
else:
101
return next_timeout
102
def still_valid(self, now=None):
103
"""Has this client's timeout not passed?"""
104
if now is None:
105
now = datetime.datetime.now()
106
if self.last_seen is None:
470
107
return now < (self.created + self.timeout)
471
108
else:
472
return now < (self.last_checked_ok + self.timeout)
473
474
475
class ClientDBus(Client, dbus.service.Object):
476
"""A Client class using D-Bus
477
478
Attributes:
479
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
480
"""
481
# dbus.service.Object doesn't use super(), so we can't either.
482
483
def __init__(self, *args, **kwargs):
484
Client.__init__(self, *args, **kwargs)
485
# Only now, when this client is initialized, can it show up on
486
# the D-Bus
487
self.dbus_object_path = (dbus.ObjectPath
488
(u"/clients/"
489
+ self.name.replace(u".", u"_")))
490
dbus.service.Object.__init__(self, bus,
491
self.dbus_object_path)
492
493
@staticmethod
494
def _datetime_to_dbus(dt, variant_level=0):
495
"""Convert a UTC datetime.datetime() to a D-Bus type."""
496
return dbus.String(dt.isoformat(),
497
variant_level=variant_level)
498
499
def enable(self):
500
oldstate = getattr(self, u"enabled", False)
501
r = Client.enable(self)
502
if oldstate != self.enabled:
503
# Emit D-Bus signals
504
self.PropertyChanged(dbus.String(u"enabled"),
505
dbus.Boolean(True, variant_level=1))
506
self.PropertyChanged(
507
dbus.String(u"last_enabled"),
508
self._datetime_to_dbus(self.last_enabled,
509
variant_level=1))
510
return r
511
512
def disable(self, signal = True):
513
oldstate = getattr(self, u"enabled", False)
514
r = Client.disable(self)
515
if signal and oldstate != self.enabled:
516
# Emit D-Bus signal
517
self.PropertyChanged(dbus.String(u"enabled"),
518
dbus.Boolean(False, variant_level=1))
519
return r
520
521
def __del__(self, *args, **kwargs):
109
return now < (self.last_seen + self.timeout)
110
def it_is_time_to_check(self, now=None):
111
if now is None:
112
now = datetime.datetime.now()
113
return self.next_check <= now
114
115
116
class server_metaclass(type):
117
"Common behavior for the UDP and TCP server classes"
118
def __new__(cls, name, bases, attrs):
119
attrs["address_family"] = socket.AF_INET6
120
attrs["allow_reuse_address"] = True
121
def server_bind(self):
122
if self.options.interface:
123
if not hasattr(socket, "SO_BINDTODEVICE"):
124
# From /usr/include/asm-i486/socket.h
125
socket.SO_BINDTODEVICE = 25
126
try:
127
self.socket.setsockopt(socket.SOL_SOCKET,
128
socket.SO_BINDTODEVICE,
129
self.options.interface)
130
except socket.error, error:
131
if error[0] == errno.EPERM:
132
print "Warning: No permission to bind to interface", \
133
self.options.interface
134
else:
135
raise error
136
return super(type(self), self).server_bind()
137
attrs["server_bind"] = server_bind
138
def init(self, *args, **kwargs):
139
if "options" in kwargs:
140
self.options = kwargs["options"]
141
del kwargs["options"]
142
if "clients" in kwargs:
143
self.clients = kwargs["clients"]
144
del kwargs["clients"]
145
if "credentials" in kwargs:
146
self.credentials = kwargs["credentials"]
147
del kwargs["credentials"]
148
return super(type(self), self).__init__(*args, **kwargs)
149
attrs["__init__"] = init
150
return type.__new__(cls, name, bases, attrs)
151
152
153
class udp_handler(SocketServer.DatagramRequestHandler, object):
154
def handle(self):
155
self.wfile.write("Polo")
156
print "UDP request answered"
157
158
159
class IPv6_UDPServer(SocketServer.UDPServer, object):
160
__metaclass__ = server_metaclass
161
def verify_request(self, request, client_address):
162
print "UDP request came"
163
return request[0] == "Marco"
164
165
166
class tcp_handler(SocketServer.BaseRequestHandler, object):
167
def handle(self):
168
print "TCP request came"
169
print "Request:", self.request
170
print "Client Address:", self.client_address
171
print "Server:", self.server
172
session = gnutls.connection.ServerSession(self.request,
173
self.server.credentials)
174
session.handshake()
175
if session.peer_certificate:
176
print "DN:", session.peer_certificate.subject
522
177
try:
523
self.remove_from_connection()
524
except LookupError:
525
pass
526
if hasattr(dbus.service.Object, u"__del__"):
527
dbus.service.Object.__del__(self, *args, **kwargs)
528
Client.__del__(self, *args, **kwargs)
529
530
def checker_callback(self, pid, condition, command,
531
*args, **kwargs):
532
self.checker_callback_tag = None
533
self.checker = None
534
# Emit D-Bus signal
535
self.PropertyChanged(dbus.String(u"checker_running"),
536
dbus.Boolean(False, variant_level=1))
537
if os.WIFEXITED(condition):
538
exitstatus = os.WEXITSTATUS(condition)
539
# Emit D-Bus signal
540
self.CheckerCompleted(dbus.Int16(exitstatus),
541
dbus.Int64(condition),
542
dbus.String(command))
543
else:
544
# Emit D-Bus signal
545
self.CheckerCompleted(dbus.Int16(-1),
546
dbus.Int64(condition),
547
dbus.String(command))
548
549
return Client.checker_callback(self, pid, condition, command,
550
*args, **kwargs)
551
552
def checked_ok(self, *args, **kwargs):
553
r = Client.checked_ok(self, *args, **kwargs)
554
# Emit D-Bus signal
555
self.PropertyChanged(
556
dbus.String(u"last_checked_ok"),
557
(self._datetime_to_dbus(self.last_checked_ok,
558
variant_level=1)))
559
return r
560
561
def start_checker(self, *args, **kwargs):
562
old_checker = self.checker
563
if self.checker is not None:
564
old_checker_pid = self.checker.pid
565
else:
566
old_checker_pid = None
567
r = Client.start_checker(self, *args, **kwargs)
568
# Only if new checker process was started
569
if (self.checker is not None
570
and old_checker_pid != self.checker.pid):
571
# Emit D-Bus signal
572
self.CheckerStarted(self.current_checker_command)
573
self.PropertyChanged(
574
dbus.String(u"checker_running"),
575
dbus.Boolean(True, variant_level=1))
576
return r
577
578
def stop_checker(self, *args, **kwargs):
579
old_checker = getattr(self, u"checker", None)
580
r = Client.stop_checker(self, *args, **kwargs)
581
if (old_checker is not None
582
and getattr(self, u"checker", None) is None):
583
self.PropertyChanged(dbus.String(u"checker_running"),
584
dbus.Boolean(False, variant_level=1))
585
return r
586
587
## D-Bus methods & signals
588
_interface = u"se.bsnet.fukt.Mandos.Client"
589
590
# CheckedOK - method
591
@dbus.service.method(_interface)
592
def CheckedOK(self):
593
return self.checked_ok()
594
595
# CheckerCompleted - signal
596
@dbus.service.signal(_interface, signature=u"nxs")
597
def CheckerCompleted(self, exitcode, waitstatus, command):
598
"D-Bus signal"
599
pass
600
601
# CheckerStarted - signal
602
@dbus.service.signal(_interface, signature=u"s")
603
def CheckerStarted(self, command):
604
"D-Bus signal"
605
pass
606
607
# GetAllProperties - method
608
@dbus.service.method(_interface, out_signature=u"a{sv}")
609
def GetAllProperties(self):
610
"D-Bus method"
611
return dbus.Dictionary({
612
dbus.String(u"name"):
613
dbus.String(self.name, variant_level=1),
614
dbus.String(u"fingerprint"):
615
dbus.String(self.fingerprint, variant_level=1),
616
dbus.String(u"host"):
617
dbus.String(self.host, variant_level=1),
618
dbus.String(u"created"):
619
self._datetime_to_dbus(self.created,
620
variant_level=1),
621
dbus.String(u"last_enabled"):
622
(self._datetime_to_dbus(self.last_enabled,
623
variant_level=1)
624
if self.last_enabled is not None
625
else dbus.Boolean(False, variant_level=1)),
626
dbus.String(u"enabled"):
627
dbus.Boolean(self.enabled, variant_level=1),
628
dbus.String(u"last_checked_ok"):
629
(self._datetime_to_dbus(self.last_checked_ok,
630
variant_level=1)
631
if self.last_checked_ok is not None
632
else dbus.Boolean (False, variant_level=1)),
633
dbus.String(u"timeout"):
634
dbus.UInt64(self.timeout_milliseconds(),
635
variant_level=1),
636
dbus.String(u"interval"):
637
dbus.UInt64(self.interval_milliseconds(),
638
variant_level=1),
639
dbus.String(u"checker"):
640
dbus.String(self.checker_command,
641
variant_level=1),
642
dbus.String(u"checker_running"):
643
dbus.Boolean(self.checker is not None,
644
variant_level=1),
645
dbus.String(u"object_path"):
646
dbus.ObjectPath(self.dbus_object_path,
647
variant_level=1)
648
}, signature=u"sv")
649
650
# IsStillValid - method
651
@dbus.service.method(_interface, out_signature=u"b")
652
def IsStillValid(self):
653
return self.still_valid()
654
655
# PropertyChanged - signal
656
@dbus.service.signal(_interface, signature=u"sv")
657
def PropertyChanged(self, property, value):
658
"D-Bus signal"
659
pass
660
661
# ReceivedSecret - signal
662
@dbus.service.signal(_interface)
663
def ReceivedSecret(self):
664
"D-Bus signal"
665
pass
666
667
# Rejected - signal
668
@dbus.service.signal(_interface)
669
def Rejected(self):
670
"D-Bus signal"
671
pass
672
673
# SetChecker - method
674
@dbus.service.method(_interface, in_signature=u"s")
675
def SetChecker(self, checker):
676
"D-Bus setter method"
677
self.checker_command = checker
678
# Emit D-Bus signal
679
self.PropertyChanged(dbus.String(u"checker"),
680
dbus.String(self.checker_command,
681
variant_level=1))
682
683
# SetHost - method
684
@dbus.service.method(_interface, in_signature=u"s")
685
def SetHost(self, host):
686
"D-Bus setter method"
687
self.host = host
688
# Emit D-Bus signal
689
self.PropertyChanged(dbus.String(u"host"),
690
dbus.String(self.host, variant_level=1))
691
692
# SetInterval - method
693
@dbus.service.method(_interface, in_signature=u"t")
694
def SetInterval(self, milliseconds):
695
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
696
# Emit D-Bus signal
697
self.PropertyChanged(dbus.String(u"interval"),
698
(dbus.UInt64(self.interval_milliseconds(),
699
variant_level=1)))
700
701
# SetSecret - method
702
@dbus.service.method(_interface, in_signature=u"ay",
703
byte_arrays=True)
704
def SetSecret(self, secret):
705
"D-Bus setter method"
706
self.secret = str(secret)
707
708
# SetTimeout - method
709
@dbus.service.method(_interface, in_signature=u"t")
710
def SetTimeout(self, milliseconds):
711
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
712
# Emit D-Bus signal
713
self.PropertyChanged(dbus.String(u"timeout"),
714
(dbus.UInt64(self.timeout_milliseconds(),
715
variant_level=1)))
716
717
# Enable - method
718
@dbus.service.method(_interface)
719
def Enable(self):
720
"D-Bus method"
721
self.enable()
722
723
# StartChecker - method
724
@dbus.service.method(_interface)
725
def StartChecker(self):
726
"D-Bus method"
727
self.start_checker()
728
729
# Disable - method
730
@dbus.service.method(_interface)
731
def Disable(self):
732
"D-Bus method"
733
self.disable()
734
735
# StopChecker - method
736
@dbus.service.method(_interface)
737
def StopChecker(self):
738
self.stop_checker()
739
740
del _interface
741
742
743
class ClientHandler(socketserver.BaseRequestHandler, object):
744
"""A class to handle client connections.
745
746
Instantiated once for each connection to handle it.
747
Note: This will run in its own forked process."""
748
749
def handle(self):
750
logger.info(u"TCP connection from: %s",
751
unicode(self.client_address))
752
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
753
# Open IPC pipe to parent process
754
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
755
session = (gnutls.connection
756
.ClientSession(self.request,
757
gnutls.connection
758
.X509Credentials()))
759
760
line = self.request.makefile().readline()
761
logger.debug(u"Protocol version: %r", line)
762
try:
763
if int(line.strip().split()[0]) > 1:
764
raise RuntimeError
765
except (ValueError, IndexError, RuntimeError), error:
766
logger.error(u"Unknown protocol version: %s", error)
767
return
768
769
# Note: gnutls.connection.X509Credentials is really a
770
# generic GnuTLS certificate credentials object so long as
771
# no X.509 keys are added to it. Therefore, we can use it
772
# here despite using OpenPGP certificates.
773
774
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
775
# u"+AES-256-CBC", u"+SHA1",
776
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
777
# u"+DHE-DSS"))
778
# Use a fallback default, since this MUST be set.
779
priority = self.server.gnutls_priority
780
if priority is None:
781
priority = u"NORMAL"
782
(gnutls.library.functions
783
.gnutls_priority_set_direct(session._c_object,
784
priority, None))
785
786
try:
787
session.handshake()
788
except gnutls.errors.GNUTLSError, error:
789
logger.warning(u"Handshake failed: %s", error)
790
# Do not run session.bye() here: the session is not
791
# established. Just abandon the request.
792
return
793
logger.debug(u"Handshake succeeded")
794
try:
795
fpr = self.fingerprint(self.peer_certificate(session))
796
except (TypeError, gnutls.errors.GNUTLSError), error:
797
logger.warning(u"Bad certificate: %s", error)
798
session.bye()
799
return
800
logger.debug(u"Fingerprint: %s", fpr)
801
802
for c in self.server.clients:
803
if c.fingerprint == fpr:
804
client = c
805
break
806
else:
807
ipc.write(u"NOTFOUND %s\n" % fpr)
808
session.bye()
809
return
810
# Have to check if client.still_valid(), since it is
811
# possible that the client timed out while establishing
812
# the GnuTLS session.
813
if not client.still_valid():
814
ipc.write(u"INVALID %s\n" % client.name)
815
session.bye()
816
return
817
ipc.write(u"SENDING %s\n" % client.name)
818
sent_size = 0
819
while sent_size < len(client.secret):
820
sent = session.send(client.secret[sent_size:])
821
logger.debug(u"Sent: %d, remaining: %d",
822
sent, len(client.secret)
823
- (sent_size + sent))
824
sent_size += sent
178
session.verify_peer()
179
except gnutls.errors.CertificateError, error:
180
print "Verify failed", error
825
181
session.bye()
826
827
@staticmethod
828
def peer_certificate(session):
829
"Return the peer's OpenPGP certificate as a bytestring"
830
# If not an OpenPGP certificate...
831
if (gnutls.library.functions
832
.gnutls_certificate_type_get(session._c_object)
833
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
834
# ...do the normal thing
835
return session.peer_certificate
836
list_size = ctypes.c_uint(1)
837
cert_list = (gnutls.library.functions
838
.gnutls_certificate_get_peers
839
(session._c_object, ctypes.byref(list_size)))
840
if not bool(cert_list) and list_size.value != 0:
841
raise gnutls.errors.GNUTLSError(u"error getting peer"
842
u" certificate")
843
if list_size.value == 0:
844
return None
845
cert = cert_list[0]
846
return ctypes.string_at(cert.data, cert.size)
847
848
@staticmethod
849
def fingerprint(openpgp):
850
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
851
# New GnuTLS "datum" with the OpenPGP public key
852
datum = (gnutls.library.types
853
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
854
ctypes.POINTER
855
(ctypes.c_ubyte)),
856
ctypes.c_uint(len(openpgp))))
857
# New empty GnuTLS certificate
858
crt = gnutls.library.types.gnutls_openpgp_crt_t()
859
(gnutls.library.functions
860
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
861
# Import the OpenPGP public key into the certificate
862
(gnutls.library.functions
863
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
864
gnutls.library.constants
865
.GNUTLS_OPENPGP_FMT_RAW))
866
# Verify the self signature in the key
867
crtverify = ctypes.c_uint()
868
(gnutls.library.functions
869
.gnutls_openpgp_crt_verify_self(crt, 0,
870
ctypes.byref(crtverify)))
871
if crtverify.value != 0:
872
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
873
raise (gnutls.errors.CertificateSecurityError
874
(u"Verify failed"))
875
# New buffer for the fingerprint
876
buf = ctypes.create_string_buffer(20)
877
buf_len = ctypes.c_size_t()
878
# Get the fingerprint from the certificate into the buffer
879
(gnutls.library.functions
880
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
881
ctypes.byref(buf_len)))
882
# Deinit the certificate
883
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
884
# Convert the buffer to a Python bytestring
885
fpr = ctypes.string_at(buf, buf_len.value)
886
# Convert the bytestring to hexadecimal notation
887
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
888
return hex_fpr
889
890
891
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
892
"""Like socketserver.ForkingMixIn, but also pass a pipe.
893
894
Assumes a gobject.MainLoop event loop.
895
"""
896
def process_request(self, request, client_address):
897
"""Overrides and wraps the original process_request().
898
899
This function creates a new pipe in self.pipe
900
"""
901
self.pipe = os.pipe()
902
super(ForkingMixInWithPipe,
903
self).process_request(request, client_address)
904
os.close(self.pipe[1]) # close write end
905
# Call "handle_ipc" for both data and EOF events
906
gobject.io_add_watch(self.pipe[0],
907
gobject.IO_IN | gobject.IO_HUP,
908
self.handle_ipc)
909
def handle_ipc(source, condition):
910
"""Dummy function; override as necessary"""
911
os.close(source)
912
return False
913
914
915
class IPv6_TCPServer(ForkingMixInWithPipe,
916
socketserver.TCPServer, object):
917
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
918
919
Attributes:
920
enabled: Boolean; whether this server is activated yet
921
interface: None or a network interface name (string)
922
use_ipv6: Boolean; to use IPv6 or not
923
----
924
clients: set of Client objects
925
gnutls_priority GnuTLS priority string
926
use_dbus: Boolean; to emit D-Bus signals or not
927
"""
928
def __init__(self, server_address, RequestHandlerClass,
929
interface=None, use_ipv6=True, clients=None,
930
gnutls_priority=None, use_dbus=True):
931
self.enabled = False
932
self.interface = interface
933
if use_ipv6:
934
self.address_family = socket.AF_INET6
935
self.clients = clients
936
self.use_dbus = use_dbus
937
self.gnutls_priority = gnutls_priority
938
socketserver.TCPServer.__init__(self, server_address,
939
RequestHandlerClass)
940
def server_bind(self):
941
"""This overrides the normal server_bind() function
942
to bind to an interface if one was specified, and also NOT to
943
bind to an address or port if they were not specified."""
944
if self.interface is not None:
945
try:
946
self.socket.setsockopt(socket.SOL_SOCKET,
947
SO_BINDTODEVICE,
948
str(self.interface + u'\0'))
949
except socket.error, error:
950
if error[0] == errno.EPERM:
951
logger.error(u"No permission to"
952
u" bind to interface %s",
953
self.interface)
954
else:
955
raise
956
# Only bind(2) the socket if we really need to.
957
if self.server_address[0] or self.server_address[1]:
958
if not self.server_address[0]:
959
if self.address_family == socket.AF_INET6:
960
any_address = u"::" # in6addr_any
961
else:
962
any_address = socket.INADDR_ANY
963
self.server_address = (any_address,
964
self.server_address[1])
965
elif not self.server_address[1]:
966
self.server_address = (self.server_address[0],
967
0)
968
# if self.interface:
969
# self.server_address = (self.server_address[0],
970
# 0, # port
971
# 0, # flowinfo
972
# if_nametoindex
973
# (self.interface))
974
return socketserver.TCPServer.server_bind(self)
975
def server_activate(self):
976
if self.enabled:
977
return socketserver.TCPServer.server_activate(self)
978
def enable(self):
979
self.enabled = True
980
def handle_ipc(self, source, condition, file_objects={}):
981
condition_names = {
982
gobject.IO_IN: u"IN", # There is data to read.
983
gobject.IO_OUT: u"OUT", # Data can be written (without
984
# blocking).
985
gobject.IO_PRI: u"PRI", # There is urgent data to read.
986
gobject.IO_ERR: u"ERR", # Error condition.
987
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
988
# broken, usually for pipes and
989
# sockets).
990
}
991
conditions_string = ' | '.join(name
992
for cond, name in
993
condition_names.iteritems()
994
if cond & condition)
995
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
996
conditions_string)
997
998
# Turn the pipe file descriptor into a Python file object
999
if source not in file_objects:
1000
file_objects[source] = os.fdopen(source, u"r", 1)
1001
1002
# Read a line from the file object
1003
cmdline = file_objects[source].readline()
1004
if not cmdline: # Empty line means end of file
1005
# close the IPC pipe
1006
file_objects[source].close()
1007
del file_objects[source]
1008
1009
# Stop calling this function
1010
return False
1011
1012
logger.debug(u"IPC command: %r", cmdline)
1013
1014
# Parse and act on command
1015
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1016
1017
if cmd == u"NOTFOUND":
1018
logger.warning(u"Client not found for fingerprint: %s",
1019
args)
1020
if self.use_dbus:
1021
# Emit D-Bus signal
1022
mandos_dbus_service.ClientNotFound(args)
1023
elif cmd == u"INVALID":
1024
for client in self.clients:
1025
if client.name == args:
1026
logger.warning(u"Client %s is invalid", args)
1027
if self.use_dbus:
1028
# Emit D-Bus signal
1029
client.Rejected()
1030
break
1031
else:
1032
logger.error(u"Unknown client %s is invalid", args)
1033
elif cmd == u"SENDING":
1034
for client in self.clients:
1035
if client.name == args:
1036
logger.info(u"Sending secret to %s", client.name)
1037
client.checked_ok()
1038
if self.use_dbus:
1039
# Emit D-Bus signal
1040
client.ReceivedSecret()
1041
break
1042
else:
1043
logger.error(u"Sending secret to unknown client %s",
1044
args)
1045
else:
1046
logger.error(u"Unknown IPC command: %r", cmdline)
1047
1048
# Keep calling this function
1049
return True
182
return
183
try:
184
session.send([client.password
185
for client in self.server.clients
186
if (client.dn ==
187
session.peer_certificate.subject)][0])
188
except IndexError:
189
session.send("gazonk")
190
# Log maybe? XXX
191
session.bye()
192
193
194
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
195
__metaclass__ = server_metaclass
1050
196
1051
197
1052
198
def string_to_delta(interval):
1053
199
"""Parse a string and return a datetime.timedelta
1054
1055
>>> string_to_delta(u'7d')
200
201
>>> string_to_delta('7d')
1056
202
datetime.timedelta(7)
1057
>>> string_to_delta(u'60s')
203
>>> string_to_delta('60s')
1058
204
datetime.timedelta(0, 60)
1059
>>> string_to_delta(u'60m')
205
>>> string_to_delta('60m')
1060
206
datetime.timedelta(0, 3600)
1061
>>> string_to_delta(u'24h')
207
>>> string_to_delta('24h')
1062
208
datetime.timedelta(1)
1063
209
>>> string_to_delta(u'1w')
1064
210
datetime.timedelta(7)
1065
>>> string_to_delta(u'5m 30s')
1066
datetime.timedelta(0, 330)
1067
211
"""
1068
timevalue = datetime.timedelta(0)
1069
for s in interval.split():
1070
try:
1071
suffix = unicode(s[-1])
1072
value = int(s[:-1])
1073
if suffix == u"d":
1074
delta = datetime.timedelta(value)
1075
elif suffix == u"s":
1076
delta = datetime.timedelta(0, value)
1077
elif suffix == u"m":
1078
delta = datetime.timedelta(0, 0, 0, 0, value)
1079
elif suffix == u"h":
1080
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1081
elif suffix == u"w":
1082
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1083
else:
1084
raise ValueError
1085
except (ValueError, IndexError):
212
try:
213
suffix=unicode(interval[-1])
214
value=int(interval[:-1])
215
if suffix == u"d":
216
delta = datetime.timedelta(value)
217
elif suffix == u"s":
218
delta = datetime.timedelta(0, value)
219
elif suffix == u"m":
220
delta = datetime.timedelta(0, 0, 0, 0, value)
221
elif suffix == u"h":
222
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
223
elif suffix == u"w":
224
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
225
else:
1086
226
raise ValueError
1087
timevalue += delta
1088
return timevalue
1089
1090
1091
def if_nametoindex(interface):
1092
"""Call the C function if_nametoindex(), or equivalent
1093
1094
Note: This function cannot accept a unicode string."""
1095
global if_nametoindex
1096
try:
1097
if_nametoindex = (ctypes.cdll.LoadLibrary
1098
(ctypes.util.find_library(u"c"))
1099
.if_nametoindex)
1100
except (OSError, AttributeError):
1101
logger.warning(u"Doing if_nametoindex the hard way")
1102
def if_nametoindex(interface):
1103
"Get an interface index the hard way, i.e. using fcntl()"
1104
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1105
with closing(socket.socket()) as s:
1106
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1107
struct.pack(str(u"16s16x"),
1108
interface))
1109
interface_index = struct.unpack(str(u"I"),
1110
ifreq[16:20])[0]
1111
return interface_index
1112
return if_nametoindex(interface)
1113
1114
1115
def daemon(nochdir = False, noclose = False):
1116
"""See daemon(3). Standard BSD Unix function.
1117
1118
This should really exist as os.daemon, but it doesn't (yet)."""
1119
if os.fork():
1120
sys.exit()
1121
os.setsid()
1122
if not nochdir:
1123
os.chdir(u"/")
1124
if os.fork():
1125
sys.exit()
1126
if not noclose:
1127
# Close all standard open file descriptors
1128
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1129
if not stat.S_ISCHR(os.fstat(null).st_mode):
1130
raise OSError(errno.ENODEV,
1131
u"/dev/null not a character device")
1132
os.dup2(null, sys.stdin.fileno())
1133
os.dup2(null, sys.stdout.fileno())
1134
os.dup2(null, sys.stderr.fileno())
1135
if null > 2:
1136
os.close(null)
227
except (ValueError, IndexError):
228
raise ValueError
229
return delta
1137
230
1138
231
1139
232
def main():
1140
1141
######################################################################
1142
# Parsing of options, both command line and config file
1143
1144
parser = optparse.OptionParser(version = "%%prog %s" % version)
1145
parser.add_option("-i", u"--interface", type=u"string",
1146
metavar="IF", help=u"Bind to interface IF")
1147
parser.add_option("-a", u"--address", type=u"string",
1148
help=u"Address to listen for requests on")
1149
parser.add_option("-p", u"--port", type=u"int",
1150
help=u"Port number to receive requests on")
1151
parser.add_option("--check", action=u"store_true",
1152
help=u"Run self-test")
1153
parser.add_option("--debug", action=u"store_true",
1154
help=u"Debug mode; run in foreground and log to"
1155
u" terminal")
1156
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1157
u" priority string (see GnuTLS documentation)")
1158
parser.add_option("--servicename", type=u"string",
1159
metavar=u"NAME", help=u"Zeroconf service name")
1160
parser.add_option("--configdir", type=u"string",
1161
default=u"/etc/mandos", metavar=u"DIR",
1162
help=u"Directory to search for configuration"
1163
u" files")
1164
parser.add_option("--no-dbus", action=u"store_false",
1165
dest=u"use_dbus", help=u"Do not provide D-Bus"
1166
u" system bus interface")
1167
parser.add_option("--no-ipv6", action=u"store_false",
1168
dest=u"use_ipv6", help=u"Do not use IPv6")
1169
options = parser.parse_args()[0]
1170
233
parser = OptionParser()
234
parser.add_option("-i", "--interface", type="string",
235
default="eth0", metavar="IF",
236
help="Interface to bind to")
237
parser.add_option("--cert", type="string", default="cert.pem",
238
metavar="FILE",
239
help="Public key certificate to use")
240
parser.add_option("--key", type="string", default="key.pem",
241
metavar="FILE",
242
help="Private key to use")
243
parser.add_option("--ca", type="string", default="ca.pem",
244
metavar="FILE",
245
help="Certificate Authority certificate to use")
246
parser.add_option("--crl", type="string", default="crl.pem",
247
metavar="FILE",
248
help="Certificate Revokation List to use")
249
parser.add_option("-p", "--port", type="int", default=49001,
250
help="Port number to receive requests on")
251
parser.add_option("--dh", type="int", metavar="BITS",
252
help="DH group to use")
253
parser.add_option("-t", "--timeout", type="string", # Parsed later
254
default="15m",
255
help="Amount of downtime allowed for clients")
256
parser.add_option("--interval", type="string", # Parsed later
257
default="5m",
258
help="How often to check that a client is up")
259
parser.add_option("--check", action="store_true", default=False,
260
help="Run self-test")
261
(options, args) = parser.parse_args()
262
1171
263
if options.check:
1172
264
import doctest
1173
265
doctest.testmod()
1174
266
sys.exit()
1175
267
1176
# Default values for config file for server-global settings
1177
server_defaults = { u"interface": u"",
1178
u"address": u"",
1179
u"port": u"",
1180
u"debug": u"False",
1181
u"priority":
1182
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1183
u"servicename": u"Mandos",
1184
u"use_dbus": u"True",
1185
u"use_ipv6": u"True",
1186
}
1187
1188
# Parse config file for server-global settings
1189
server_config = configparser.SafeConfigParser(server_defaults)
1190
del server_defaults
1191
server_config.read(os.path.join(options.configdir,
1192
u"mandos.conf"))
1193
# Convert the SafeConfigParser object to a dict
1194
server_settings = server_config.defaults()
1195
# Use the appropriate methods on the non-string config options
1196
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1197
server_settings[option] = server_config.getboolean(u"DEFAULT",
1198
option)
1199
if server_settings["port"]:
1200
server_settings["port"] = server_config.getint(u"DEFAULT",
1201
u"port")
1202
del server_config
1203
1204
# Override the settings from the config file with command line
1205
# options, if set.
1206
for option in (u"interface", u"address", u"port", u"debug",
1207
u"priority", u"servicename", u"configdir",
1208
u"use_dbus", u"use_ipv6"):
1209
value = getattr(options, option)
1210
if value is not None:
1211
server_settings[option] = value
1212
del options
1213
# Force all strings to be unicode
1214
for option in server_settings.keys():
1215
if type(server_settings[option]) is str:
1216
server_settings[option] = unicode(server_settings[option])
1217
# Now we have our good server settings in "server_settings"
1218
1219
##################################################################
1220
1221
# For convenience
1222
debug = server_settings[u"debug"]
1223
use_dbus = server_settings[u"use_dbus"]
1224
use_ipv6 = server_settings[u"use_ipv6"]
1225
1226
if not debug:
1227
syslogger.setLevel(logging.WARNING)
1228
console.setLevel(logging.WARNING)
1229
1230
if server_settings[u"servicename"] != u"Mandos":
1231
syslogger.setFormatter(logging.Formatter
1232
(u'Mandos (%s) [%%(process)d]:'
1233
u' %%(levelname)s: %%(message)s'
1234
% server_settings[u"servicename"]))
1235
1236
# Parse config file with clients
1237
client_defaults = { u"timeout": u"1h",
1238
u"interval": u"5m",
1239
u"checker": u"fping -q -- %%(host)s",
1240
u"host": u"",
1241
}
1242
client_config = configparser.SafeConfigParser(client_defaults)
1243
client_config.read(os.path.join(server_settings[u"configdir"],
1244
u"clients.conf"))
1245
1246
global mandos_dbus_service
1247
mandos_dbus_service = None
1248
1249
clients = set()
1250
tcp_server = IPv6_TCPServer((server_settings[u"address"],
1251
server_settings[u"port"]),
1252
ClientHandler,
1253
interface=
1254
server_settings[u"interface"],
1255
use_ipv6=use_ipv6,
268
# Parse the time arguments
269
try:
270
options.timeout = string_to_delta(options.timeout)
271
except ValueError:
272
parser.error("option --timeout: Unparseable time")
273
274
try:
275
options.interval = string_to_delta(options.interval)
276
except ValueError:
277
parser.error("option --interval: Unparseable time")
278
279
cert = gnutls.crypto.X509Certificate(open(options.cert).read())
280
key = gnutls.crypto.X509PrivateKey(open(options.key).read())
281
ca = gnutls.crypto.X509Certificate(open(options.ca).read())
282
crl = gnutls.crypto.X509CRL(open(options.crl).read())
283
cred = gnutls.connection.X509Credentials(cert, key, [ca], [crl])
284
285
# Parse config file
286
defaults = {}
287
client_config_object = ConfigParser.SafeConfigParser(defaults)
288
client_config_object.read("mandos-clients.conf")
289
clients = Set(Client(name=section, options=options,
290
**(dict(client_config_object\
291
.items(section))))
292
for section in client_config_object.sections())
293
294
in6addr_any = "::"
295
udp_server = IPv6_UDPServer((in6addr_any, options.port),
296
udp_handler,
297
options=options)
298
299
tcp_server = IPv6_TCPServer((in6addr_any, options.port),
300
tcp_handler,
301
options=options,
1256
302
clients=clients,
1257
gnutls_priority=
1258
server_settings[u"priority"],
1259
use_dbus=use_dbus)
1260
pidfilename = u"/var/run/mandos.pid"
1261
try:
1262
pidfile = open(pidfilename, u"w")
1263
except IOError:
1264
logger.error(u"Could not open file %r", pidfilename)
303
credentials=cred)
1265
304
1266
try:
1267
uid = pwd.getpwnam(u"_mandos").pw_uid
1268
gid = pwd.getpwnam(u"_mandos").pw_gid
1269
except KeyError:
305
while True:
306
if not clients:
307
break
1270
308
try:
1271
uid = pwd.getpwnam(u"mandos").pw_uid
1272
gid = pwd.getpwnam(u"mandos").pw_gid
1273
except KeyError:
1274
try:
1275
uid = pwd.getpwnam(u"nobody").pw_uid
1276
gid = pwd.getpwnam(u"nobody").pw_gid
1277
except KeyError:
1278
uid = 65534
1279
gid = 65534
1280
try:
1281
os.setgid(gid)
1282
os.setuid(uid)
1283
except OSError, error:
1284
if error[0] != errno.EPERM:
1285
raise error
1286
1287
# Enable all possible GnuTLS debugging
1288
if debug:
1289
# "Use a log level over 10 to enable all debugging options."
1290
# - GnuTLS manual
1291
gnutls.library.functions.gnutls_global_set_log_level(11)
1292
1293
@gnutls.library.types.gnutls_log_func
1294
def debug_gnutls(level, string):
1295
logger.debug(u"GnuTLS: %s", string[:-1])
1296
1297
(gnutls.library.functions
1298
.gnutls_global_set_log_function(debug_gnutls))
1299
1300
global service
1301
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1302
service = AvahiService(name = server_settings[u"servicename"],
1303
servicetype = u"_mandos._tcp",
1304
protocol = protocol)
1305
if server_settings["interface"]:
1306
service.interface = (if_nametoindex
1307
(str(server_settings[u"interface"])))
1308
1309
global main_loop
1310
global bus
1311
# From the Avahi example code
1312
DBusGMainLoop(set_as_default=True )
1313
main_loop = gobject.MainLoop()
1314
bus = dbus.SystemBus()
1315
# End of Avahi example code
1316
if use_dbus:
1317
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1318
1319
client_class = Client
1320
if use_dbus:
1321
client_class = ClientDBus
1322
clients.update(set(
1323
client_class(name = section,
1324
config= dict(client_config.items(section)))
1325
for section in client_config.sections()))
1326
if not clients:
1327
logger.warning(u"No clients defined")
1328
1329
if debug:
1330
# Redirect stdin so all checkers get /dev/null
1331
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1332
os.dup2(null, sys.stdin.fileno())
1333
if null > 2:
1334
os.close(null)
1335
else:
1336
# No console logging
1337
logger.removeHandler(console)
1338
# Close all input and output, do double fork, etc.
1339
daemon()
1340
1341
try:
1342
with closing(pidfile):
1343
pid = os.getpid()
1344
pidfile.write(str(pid) + "\n")
1345
del pidfile
1346
except IOError:
1347
logger.error(u"Could not write to file %r with PID %d",
1348
pidfilename, pid)
1349
except NameError:
1350
# "pidfile" was never created
1351
pass
1352
del pidfilename
1353
1354
def cleanup():
1355
"Cleanup function; run on exit"
1356
service.cleanup()
1357
1358
while clients:
1359
client = clients.pop()
1360
client.disable_hook = None
1361
client.disable()
1362
1363
atexit.register(cleanup)
1364
1365
if not debug:
1366
signal.signal(signal.SIGINT, signal.SIG_IGN)
1367
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1368
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1369
1370
if use_dbus:
1371
class MandosDBusService(dbus.service.Object):
1372
"""A D-Bus proxy object"""
1373
def __init__(self):
1374
dbus.service.Object.__init__(self, bus, u"/")
1375
_interface = u"se.bsnet.fukt.Mandos"
1376
1377
@dbus.service.signal(_interface, signature=u"oa{sv}")
1378
def ClientAdded(self, objpath, properties):
1379
"D-Bus signal"
1380
pass
1381
1382
@dbus.service.signal(_interface, signature=u"s")
1383
def ClientNotFound(self, fingerprint):
1384
"D-Bus signal"
1385
pass
1386
1387
@dbus.service.signal(_interface, signature=u"os")
1388
def ClientRemoved(self, objpath, name):
1389
"D-Bus signal"
1390
pass
1391
1392
@dbus.service.method(_interface, out_signature=u"ao")
1393
def GetAllClients(self):
1394
"D-Bus method"
1395
return dbus.Array(c.dbus_object_path for c in clients)
1396
1397
@dbus.service.method(_interface,
1398
out_signature=u"a{oa{sv}}")
1399
def GetAllClientsWithProperties(self):
1400
"D-Bus method"
1401
return dbus.Dictionary(
1402
((c.dbus_object_path, c.GetAllProperties())
1403
for c in clients),
1404
signature=u"oa{sv}")
1405
1406
@dbus.service.method(_interface, in_signature=u"o")
1407
def RemoveClient(self, object_path):
1408
"D-Bus method"
1409
for c in clients:
1410
if c.dbus_object_path == object_path:
1411
clients.remove(c)
1412
c.remove_from_connection()
1413
# Don't signal anything except ClientRemoved
1414
c.disable(signal=False)
1415
# Emit D-Bus signal
1416
self.ClientRemoved(object_path, c.name)
1417
return
1418
raise KeyError
1419
1420
del _interface
1421
1422
mandos_dbus_service = MandosDBusService()
1423
309
next_stop = min(client.next_stop() for client in clients)
310
now = datetime.datetime.now()
311
if next_stop > now:
312
delay = next_stop - now
313
delay_seconds = (delay.days * 24 * 60 * 60
314
+ delay.seconds
315
+ delay.microseconds / 1000000)
316
clients_with_checkers = tuple(client for client in
317
clients
318
if client.checker
319
is not None)
320
input_checks = (udp_server, tcp_server) \
321
+ clients_with_checkers
322
print "Waiting for network",
323
if clients_with_checkers:
324
print "and checkers for:",
325
for client in clients_with_checkers:
326
print client.name,
327
print
328
input, out, err = select.select(input_checks, (), (),
329
delay_seconds)
330
for obj in input:
331
obj.handle_request()
332
# start new checkers
333
for client in clients:
334
if client.it_is_time_to_check(now=now) and \
335
client.checker is None:
336
print "Starting checker for client %(name)s" \
337
% vars(client)
338
client.start_checker()
339
# delete timed-out clients
340
for client in clients.copy():
341
if not client.still_valid(now=now):
342
# log xxx
343
print "Removing client %(name)s" % vars(client)
344
clients.remove(client)
345
except KeyboardInterrupt:
346
break
347
348
# Cleanup here
1424
349
for client in clients:
1425
if use_dbus:
1426
# Emit D-Bus signal
1427
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1428
client.GetAllProperties())
1429
client.enable()
1430
1431
tcp_server.enable()
1432
tcp_server.server_activate()
1433
1434
# Find out what port we got
1435
service.port = tcp_server.socket.getsockname()[1]
1436
if use_ipv6:
1437
logger.info(u"Now listening on address %r, port %d,"
1438
" flowinfo %d, scope_id %d"
1439
% tcp_server.socket.getsockname())
1440
else: # IPv4
1441
logger.info(u"Now listening on address %r, port %d"
1442
% tcp_server.socket.getsockname())
1443
1444
#service.interface = tcp_server.socket.getsockname()[3]
1445
1446
try:
1447
# From the Avahi example code
1448
try:
1449
service.activate()
1450
except dbus.exceptions.DBusException, error:
1451
logger.critical(u"DBusException: %s", error)
1452
sys.exit(1)
1453
# End of Avahi example code
1454
1455
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1456
lambda *args, **kwargs:
1457
(tcp_server.handle_request
1458
(*args[2:], **kwargs) or True))
1459
1460
logger.debug(u"Starting main loop")
1461
main_loop.run()
1462
except AvahiError, error:
1463
logger.critical(u"AvahiError: %s", error)
1464
sys.exit(1)
1465
except KeyboardInterrupt:
1466
if debug:
1467
print >> sys.stderr
1468
logger.debug(u"Server received KeyboardInterrupt")
1469
logger.debug(u"Server exiting")
1470
1471
if __name__ == '__main__':
350
client.stop_checker()
351
352
353
if __name__ == "__main__":
1472
354
main()
355
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0