To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to server.py
- browse files at revision 11
- compare with another revision
- download diff
- download tarball
- view history from revision 11
- Committer: Teddy Hogeborn
- Date: 2008-06-30 01:43:39 UTC
- Revision ID: teddy@fukt.bsnet.se-20080630014339-rsuztydpl2w5ml83
* server.py: Rewritten to use Zeroconf (mDNS/DNS-SD) in place of the
old broadcast-UDP-to-port-49001 method.
old broadcast-UDP-to-port-49001 method.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- plugins.d
- files renamed:
- clients.conf => mandos-clients.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
server.py
1
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
# Mandos server - give out binary blobs to connecting clients.
5
#
6
# This program is partly derived from an example program for an Avahi
7
# service publisher, downloaded from
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
#
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
19
# the Free Software Foundation, either version 3 of the License, or
20
# (at your option) any later version.
21
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
# GNU General Public License for more details.
26
#
27
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
#
33
2
34
from __future__ import division, with_statement, absolute_import
3
from __future__ import division
35
4
36
5
import SocketServer
37
6
import socket
7
import select
38
8
from optparse import OptionParser
39
9
import datetime
40
10
import errno
41
11
import gnutls.crypto
42
12
import gnutls.connection
43
13
import gnutls.errors
44
import gnutls.library.functions
45
import gnutls.library.constants
46
import gnutls.library.types
47
14
import ConfigParser
48
15
import sys
49
16
import re
51
18
import signal
52
19
from sets import Set
53
20
import subprocess
54
import atexit
55
import stat
56
import logging
57
import logging.handlers
58
import pwd
59
from contextlib import closing
60
21
61
22
import dbus
62
import dbus.service
63
23
import gobject
64
24
import avahi
65
25
from dbus.mainloop.glib import DBusGMainLoop
66
import ctypes
67
import ctypes.util
68
69
version = "1.0.3"
70
71
logger = logging.Logger('mandos')
72
syslogger = (logging.handlers.SysLogHandler
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
address = "/dev/log"))
75
syslogger.setFormatter(logging.Formatter
76
('Mandos: %(levelname)s: %(message)s'))
77
logger.addHandler(syslogger)
78
79
console = logging.StreamHandler()
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
82
logger.addHandler(console)
83
84
class AvahiError(Exception):
85
def __init__(self, value, *args, **kwargs):
86
self.value = value
87
super(AvahiError, self).__init__(value, *args, **kwargs)
88
def __unicode__(self):
89
return unicode(repr(self.value))
90
91
class AvahiServiceError(AvahiError):
92
pass
93
94
class AvahiGroupError(AvahiError):
95
pass
96
97
98
class AvahiService(object):
99
"""An Avahi (Zeroconf) service.
100
Attributes:
101
interface: integer; avahi.IF_UNSPEC or an interface index.
102
Used to optionally bind to the specified interface.
103
name: string; Example: 'Mandos'
104
type: string; Example: '_mandos._tcp'.
105
See <http://www.dns-sd.org/ServiceTypes.html>
106
port: integer; what port to announce
107
TXT: list of strings; TXT record for the service
108
domain: string; Domain to publish on, default to .local if empty.
109
host: string; Host to publish records for, default is localhost
110
max_renames: integer; maximum number of renames
111
rename_count: integer; counter so we only rename after collisions
112
a sensible number of times
113
"""
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
115
servicetype = None, port = None, TXT = None,
116
domain = "", host = "", max_renames = 32768):
117
self.interface = interface
118
self.name = name
119
self.type = servicetype
120
self.port = port
121
self.TXT = TXT if TXT is not None else []
122
self.domain = domain
123
self.host = host
124
self.rename_count = 0
125
self.max_renames = max_renames
126
def rename(self):
127
"""Derived from the Avahi example code"""
128
if self.rename_count >= self.max_renames:
129
logger.critical(u"No suitable Zeroconf service name found"
130
u" after %i retries, exiting.",
131
self.rename_count)
132
raise AvahiServiceError(u"Too many renames")
133
self.name = server.GetAlternativeServiceName(self.name)
134
logger.info(u"Changing Zeroconf service name to %r ...",
135
str(self.name))
136
syslogger.setFormatter(logging.Formatter
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
139
self.remove()
140
self.add()
141
self.rename_count += 1
142
def remove(self):
143
"""Derived from the Avahi example code"""
144
if group is not None:
145
group.Reset()
146
def add(self):
147
"""Derived from the Avahi example code"""
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
26
27
# This variable is used to optionally bind to a specified
28
# interface.
29
serviceInterface = avahi.IF_UNSPEC
30
# It is a global variable to fit in with the rest of the
31
# variables from the Avahi server example code:
32
serviceName = "Mandos"
33
serviceType = "_mandos._tcp" # http://www.dns-sd.org/ServiceTypes.html
34
servicePort = None # Not known at startup
35
serviceTXT = [] # TXT record for the service
36
domain = "" # Domain to publish on, default to .local
37
host = "" # Host to publish records for, default to localhost
38
group = None #our entry group
39
rename_count = 12 # Counter so we only rename after collisions a
40
# sensible number of times
170
41
# End of Avahi example code
171
42
172
43
173
def _datetime_to_dbus(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus type."""
175
return dbus.String(dt.isoformat(), variant_level=variant_level)
176
177
178
class Client(dbus.service.Object):
44
class Client(object):
179
45
"""A representation of a client host served by this server.
180
46
Attributes:
181
name: string; from the config file, used in log messages
182
fingerprint: string (40 or 32 hexadecimal digits); used to
183
uniquely identify the client
184
secret: bytestring; sent verbatim (over TLS) to client
185
host: string; available for use by the checker command
186
created: datetime.datetime(); (UTC) object creation
187
last_enabled: datetime.datetime(); (UTC)
188
enabled: bool()
189
last_checked_ok: datetime.datetime(); (UTC) or None
190
timeout: datetime.timedelta(); How long from last_checked_ok
191
until this client is invalid
192
interval: datetime.timedelta(); How often to start a new checker
193
disable_hook: If set, called by disable() as disable_hook(self)
194
checker: subprocess.Popen(); a running checker process used
195
to see if the client lives.
196
'None' if no process is running.
47
password: string
48
fqdn: string, FQDN (used by the checker)
49
created: datetime.datetime()
50
last_seen: datetime.datetime() or None if not yet seen
51
timeout: datetime.timedelta(); How long from last_seen until
52
this client is invalid
53
interval: datetime.timedelta(); How often to start a new checker
54
timeout_milliseconds: Used by gobject.timeout_add()
55
interval_milliseconds: - '' -
56
stop_hook: If set, called by stop() as stop_hook(self)
57
checker: subprocess.Popen(); a running checker process used
58
to see if the client lives.
59
Is None if no process is running.
197
60
checker_initiator_tag: a gobject event source tag, or None
198
disable_initiator_tag: - '' -
61
stop_initiator_tag: - '' -
199
62
checker_callback_tag: - '' -
200
checker_command: string; External command which is run to check if
201
client lives. %() expansions are done at
202
runtime with vars(self) as dict, so that for
203
instance %(name)s can be used in the command.
204
use_dbus: bool(); Whether to provide D-Bus interface and signals
205
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
206
63
"""
207
def timeout_milliseconds(self):
208
"Return the 'timeout' attribute in milliseconds"
209
return ((self.timeout.days * 24 * 60 * 60 * 1000)
210
+ (self.timeout.seconds * 1000)
211
+ (self.timeout.microseconds // 1000))
212
213
def interval_milliseconds(self):
214
"Return the 'interval' attribute in milliseconds"
215
return ((self.interval.days * 24 * 60 * 60 * 1000)
216
+ (self.interval.seconds * 1000)
217
+ (self.interval.microseconds // 1000))
218
219
def __init__(self, name = None, disable_hook=None, config=None,
220
use_dbus=True):
221
"""Note: the 'checker' key in 'config' sets the
222
'checker_command' attribute and *not* the 'checker'
223
attribute."""
64
def __init__(self, name=None, options=None, stop_hook=None,
65
dn=None, password=None, passfile=None, fqdn=None,
66
timeout=None, interval=-1):
224
67
self.name = name
225
if config is None:
226
config = {}
227
logger.debug(u"Creating client %r", self.name)
228
self.use_dbus = use_dbus
229
if self.use_dbus:
230
self.dbus_object_path = (dbus.ObjectPath
231
("/Mandos/clients/"
232
+ self.name.replace(".", "_")))
233
dbus.service.Object.__init__(self, bus,
234
self.dbus_object_path)
235
# Uppercase and remove spaces from fingerprint for later
236
# comparison purposes with return value from the fingerprint()
237
# function
238
self.fingerprint = (config["fingerprint"].upper()
239
.replace(u" ", u""))
240
logger.debug(u" Fingerprint: %s", self.fingerprint)
241
if "secret" in config:
242
self.secret = config["secret"].decode(u"base64")
243
elif "secfile" in config:
244
with closing(open(os.path.expanduser
245
(os.path.expandvars
246
(config["secfile"])))) as secfile:
247
self.secret = secfile.read()
248
else:
249
raise TypeError(u"No secret or secfile for client %s"
250
% self.name)
251
self.host = config.get("host", "")
252
self.created = datetime.datetime.utcnow()
253
self.enabled = False
254
self.last_enabled = None
255
self.last_checked_ok = None
256
self.timeout = string_to_delta(config["timeout"])
257
self.interval = string_to_delta(config["interval"])
258
self.disable_hook = disable_hook
68
self.dn = dn
69
if password:
70
self.password = password
71
elif passfile:
72
self.password = open(passfile).readall()
73
else:
74
raise RuntimeError(u"No Password or Passfile for client %s"
75
% self.name)
76
self.fqdn = fqdn # string
77
self.created = datetime.datetime.now()
78
self.last_seen = None
79
if timeout is None:
80
timeout = options.timeout
81
self.timeout = timeout
82
self.timeout_milliseconds = ((self.timeout.days
83
* 24 * 60 * 60 * 1000)
84
+ (self.timeout.seconds * 1000)
85
+ (self.timeout.microseconds
86
// 1000))
87
if interval == -1:
88
interval = options.interval
89
else:
90
interval = string_to_delta(interval)
91
self.interval = interval
92
self.interval_milliseconds = ((self.interval.days
93
* 24 * 60 * 60 * 1000)
94
+ (self.interval.seconds * 1000)
95
+ (self.interval.microseconds
96
// 1000))
97
self.stop_hook = stop_hook
259
98
self.checker = None
260
99
self.checker_initiator_tag = None
261
self.disable_initiator_tag = None
100
self.stop_initiator_tag = None
262
101
self.checker_callback_tag = None
263
self.checker_command = config["checker"]
264
265
def enable(self):
266
"""Start this client's checker and timeout hooks"""
267
self.last_enabled = datetime.datetime.utcnow()
102
def start(self):
103
"""Start this clients checker and timeout hooks"""
268
104
# Schedule a new checker to be started an 'interval' from now,
269
105
# and every interval from then on.
270
self.checker_initiator_tag = (gobject.timeout_add
271
(self.interval_milliseconds(),
272
self.start_checker))
106
self.checker_initiator_tag = gobject.\
107
timeout_add(self.interval_milliseconds,
108
self.start_checker)
273
109
# Also start a new checker *right now*.
274
110
self.start_checker()
275
# Schedule a disable() when 'timeout' has passed
276
self.disable_initiator_tag = (gobject.timeout_add
277
(self.timeout_milliseconds(),
278
self.disable))
279
self.enabled = True
280
if self.use_dbus:
281
# Emit D-Bus signals
282
self.PropertyChanged(dbus.String(u"enabled"),
283
dbus.Boolean(True, variant_level=1))
284
self.PropertyChanged(dbus.String(u"last_enabled"),
285
(_datetime_to_dbus(self.last_enabled,
286
variant_level=1)))
287
288
def disable(self):
289
"""Disable this client."""
290
if not getattr(self, "enabled", False):
291
return False
292
logger.info(u"Disabling client %s", self.name)
293
if getattr(self, "disable_initiator_tag", False):
294
gobject.source_remove(self.disable_initiator_tag)
295
self.disable_initiator_tag = None
296
if getattr(self, "checker_initiator_tag", False):
111
# Schedule a stop() when 'timeout' has passed
112
self.stop_initiator_tag = gobject.\
113
timeout_add(self.timeout_milliseconds,
114
self.stop)
115
def stop(self):
116
"""Stop this client.
117
The possibility that this client might be restarted is left
118
open, but not currently used."""
119
# print "Stopping client", self.name
120
self.password = None
121
if self.stop_initiator_tag:
122
gobject.source_remove(self.stop_initiator_tag)
123
self.stop_initiator_tag = None
124
if self.checker_initiator_tag:
297
125
gobject.source_remove(self.checker_initiator_tag)
298
126
self.checker_initiator_tag = None
299
127
self.stop_checker()
300
if self.disable_hook:
301
self.disable_hook(self)
302
self.enabled = False
303
if self.use_dbus:
304
# Emit D-Bus signal
305
self.PropertyChanged(dbus.String(u"enabled"),
306
dbus.Boolean(False, variant_level=1))
128
if self.stop_hook:
129
self.stop_hook(self)
307
130
# Do not run this again if called by a gobject.timeout_add
308
131
return False
309
310
132
def __del__(self):
311
self.disable_hook = None
312
self.disable()
313
314
def checker_callback(self, pid, condition, command):
133
# Some code duplication here and in stop()
134
if hasattr(self, "stop_initiator_tag") \
135
and self.stop_initiator_tag:
136
gobject.source_remove(self.stop_initiator_tag)
137
self.stop_initiator_tag = None
138
if hasattr(self, "checker_initiator_tag") \
139
and self.checker_initiator_tag:
140
gobject.source_remove(self.checker_initiator_tag)
141
self.checker_initiator_tag = None
142
self.stop_checker()
143
def checker_callback(self, pid, condition):
315
144
"""The checker has completed, so take appropriate actions."""
145
now = datetime.datetime.now()
146
if os.WIFEXITED(condition) \
147
and (os.WEXITSTATUS(condition) == 0):
148
#print "Checker for %(name)s succeeded" % vars(self)
149
self.last_seen = now
150
gobject.source_remove(self.stop_initiator_tag)
151
self.stop_initiator_tag = gobject.\
152
timeout_add(self.timeout_milliseconds,
153
self.stop)
154
#else:
155
# if not os.WIFEXITED(condition):
156
# print "Checker for %(name)s crashed?" % vars(self)
157
# else:
158
# print "Checker for %(name)s failed" % vars(self)
159
self.checker = None
316
160
self.checker_callback_tag = None
317
self.checker = None
318
if self.use_dbus:
319
# Emit D-Bus signal
320
self.PropertyChanged(dbus.String(u"checker_running"),
321
dbus.Boolean(False, variant_level=1))
322
if (os.WIFEXITED(condition)
323
and (os.WEXITSTATUS(condition) == 0)):
324
logger.info(u"Checker for %(name)s succeeded",
325
vars(self))
326
if self.use_dbus:
327
# Emit D-Bus signal
328
self.CheckerCompleted(dbus.Boolean(True),
329
dbus.UInt16(condition),
330
dbus.String(command))
331
self.bump_timeout()
332
elif not os.WIFEXITED(condition):
333
logger.warning(u"Checker for %(name)s crashed?",
334
vars(self))
335
if self.use_dbus:
336
# Emit D-Bus signal
337
self.CheckerCompleted(dbus.Boolean(False),
338
dbus.UInt16(condition),
339
dbus.String(command))
340
else:
341
logger.info(u"Checker for %(name)s failed",
342
vars(self))
343
if self.use_dbus:
344
# Emit D-Bus signal
345
self.CheckerCompleted(dbus.Boolean(False),
346
dbus.UInt16(condition),
347
dbus.String(command))
348
349
def bump_timeout(self):
350
"""Bump up the timeout for this client.
351
This should only be called when the client has been seen,
352
alive and well.
353
"""
354
self.last_checked_ok = datetime.datetime.utcnow()
355
gobject.source_remove(self.disable_initiator_tag)
356
self.disable_initiator_tag = (gobject.timeout_add
357
(self.timeout_milliseconds(),
358
self.disable))
359
if self.use_dbus:
360
# Emit D-Bus signal
361
self.PropertyChanged(
362
dbus.String(u"last_checked_ok"),
363
(_datetime_to_dbus(self.last_checked_ok,
364
variant_level=1)))
365
366
161
def start_checker(self):
367
162
"""Start a new checker subprocess if one is not running.
368
163
If a checker already exists, leave it running and do
369
164
nothing."""
370
# The reason for not killing a running checker is that if we
371
# did that, then if a checker (for some reason) started
372
# running slowly and taking more than 'interval' time, the
373
# client would inevitably timeout, since no checker would get
374
# a chance to run to completion. If we instead leave running
375
# checkers alone, the checker would have to take more time
376
# than 'timeout' for the client to be declared invalid, which
377
# is as it should be.
378
165
if self.checker is None:
379
try:
380
# In case checker_command has exactly one % operator
381
command = self.checker_command % self.host
382
except TypeError:
383
# Escape attributes for the shell
384
escaped_attrs = dict((key, re.escape(str(val)))
385
for key, val in
386
vars(self).iteritems())
387
try:
388
command = self.checker_command % escaped_attrs
389
except TypeError, error:
390
logger.error(u'Could not format string "%s":'
391
u' %s', self.checker_command, error)
392
return True # Try again later
393
try:
394
logger.info(u"Starting checker %r for %s",
395
command, self.name)
396
# We don't need to redirect stdout and stderr, since
397
# in normal mode, that is already done by daemon(),
398
# and in debug mode we don't want to. (Stdin is
399
# always replaced by /dev/null.)
400
self.checker = subprocess.Popen(command,
401
close_fds=True,
402
shell=True, cwd="/")
403
if self.use_dbus:
404
# Emit D-Bus signal
405
self.CheckerStarted(command)
406
self.PropertyChanged(
407
dbus.String("checker_running"),
408
dbus.Boolean(True, variant_level=1))
409
self.checker_callback_tag = (gobject.child_watch_add
410
(self.checker.pid,
411
self.checker_callback,
412
data=command))
413
except OSError, error:
414
logger.error(u"Failed to start subprocess: %s",
415
error)
166
#print "Starting checker for", self.name
167
try:
168
self.checker = subprocess.\
169
Popen("sleep 1; fping -q -- %s"
170
% re.escape(self.fqdn),
171
stdout=subprocess.PIPE,
172
close_fds=True, shell=True,
173
cwd="/")
174
self.checker_callback_tag = gobject.\
175
child_watch_add(self.checker.pid,
176
self.\
177
checker_callback)
178
except subprocess.OSError, error:
179
sys.stderr.write(u"Failed to start subprocess: %s\n"
180
% error)
416
181
# Re-run this periodically if run by gobject.timeout_add
417
182
return True
418
419
183
def stop_checker(self):
420
184
"""Force the checker process, if any, to stop."""
421
if self.checker_callback_tag:
422
gobject.source_remove(self.checker_callback_tag)
423
self.checker_callback_tag = None
424
if getattr(self, "checker", None) is None:
185
if not hasattr(self, "checker") or self.checker is None:
425
186
return
426
logger.debug(u"Stopping checker for %(name)s", vars(self))
427
try:
428
os.kill(self.checker.pid, signal.SIGTERM)
429
#os.sleep(0.5)
430
#if self.checker.poll() is None:
431
# os.kill(self.checker.pid, signal.SIGKILL)
432
except OSError, error:
433
if error.errno != errno.ESRCH: # No such process
434
raise
187
gobject.source_remove(self.checker_callback_tag)
188
self.checker_callback_tag = None
189
os.kill(self.checker.pid, signal.SIGTERM)
190
if self.checker.poll() is None:
191
os.kill(self.checker.pid, signal.SIGKILL)
435
192
self.checker = None
436
if self.use_dbus:
437
self.PropertyChanged(dbus.String(u"checker_running"),
438
dbus.Boolean(False, variant_level=1))
439
440
def still_valid(self):
193
def still_valid(self, now=None):
441
194
"""Has the timeout not yet passed for this client?"""
442
if not getattr(self, "enabled", False):
443
return False
444
now = datetime.datetime.utcnow()
445
if self.last_checked_ok is None:
195
if now is None:
196
now = datetime.datetime.now()
197
if self.last_seen is None:
446
198
return now < (self.created + self.timeout)
447
199
else:
448
return now < (self.last_checked_ok + self.timeout)
449
450
## D-Bus methods & signals
451
_interface = u"org.mandos_system.Mandos.Client"
452
453
# BumpTimeout - method
454
BumpTimeout = dbus.service.method(_interface)(bump_timeout)
455
BumpTimeout.__name__ = "BumpTimeout"
456
457
# CheckerCompleted - signal
458
@dbus.service.signal(_interface, signature="bqs")
459
def CheckerCompleted(self, success, condition, command):
460
"D-Bus signal"
461
pass
462
463
# CheckerStarted - signal
464
@dbus.service.signal(_interface, signature="s")
465
def CheckerStarted(self, command):
466
"D-Bus signal"
467
pass
468
469
# GetAllProperties - method
470
@dbus.service.method(_interface, out_signature="a{sv}")
471
def GetAllProperties(self):
472
"D-Bus method"
473
return dbus.Dictionary({
474
dbus.String("name"):
475
dbus.String(self.name, variant_level=1),
476
dbus.String("fingerprint"):
477
dbus.String(self.fingerprint, variant_level=1),
478
dbus.String("host"):
479
dbus.String(self.host, variant_level=1),
480
dbus.String("created"):
481
_datetime_to_dbus(self.created, variant_level=1),
482
dbus.String("last_enabled"):
483
(_datetime_to_dbus(self.last_enabled,
484
variant_level=1)
485
if self.last_enabled is not None
486
else dbus.Boolean(False, variant_level=1)),
487
dbus.String("enabled"):
488
dbus.Boolean(self.enabled, variant_level=1),
489
dbus.String("last_checked_ok"):
490
(_datetime_to_dbus(self.last_checked_ok,
491
variant_level=1)
492
if self.last_checked_ok is not None
493
else dbus.Boolean (False, variant_level=1)),
494
dbus.String("timeout"):
495
dbus.UInt64(self.timeout_milliseconds(),
496
variant_level=1),
497
dbus.String("interval"):
498
dbus.UInt64(self.interval_milliseconds(),
499
variant_level=1),
500
dbus.String("checker"):
501
dbus.String(self.checker_command,
502
variant_level=1),
503
dbus.String("checker_running"):
504
dbus.Boolean(self.checker is not None,
505
variant_level=1),
506
}, signature="sv")
507
508
# IsStillValid - method
509
IsStillValid = (dbus.service.method(_interface, out_signature="b")
510
(still_valid))
511
IsStillValid.__name__ = "IsStillValid"
512
513
# PropertyChanged - signal
514
@dbus.service.signal(_interface, signature="sv")
515
def PropertyChanged(self, property, value):
516
"D-Bus signal"
517
pass
518
519
# SetChecker - method
520
@dbus.service.method(_interface, in_signature="s")
521
def SetChecker(self, checker):
522
"D-Bus setter method"
523
self.checker_command = checker
524
# Emit D-Bus signal
525
self.PropertyChanged(dbus.String(u"checker"),
526
dbus.String(self.checker_command,
527
variant_level=1))
528
529
# SetHost - method
530
@dbus.service.method(_interface, in_signature="s")
531
def SetHost(self, host):
532
"D-Bus setter method"
533
self.host = host
534
# Emit D-Bus signal
535
self.PropertyChanged(dbus.String(u"host"),
536
dbus.String(self.host, variant_level=1))
537
538
# SetInterval - method
539
@dbus.service.method(_interface, in_signature="t")
540
def SetInterval(self, milliseconds):
541
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
542
# Emit D-Bus signal
543
self.PropertyChanged(dbus.String(u"interval"),
544
(dbus.UInt64(self.interval_milliseconds(),
545
variant_level=1)))
546
547
# SetSecret - method
548
@dbus.service.method(_interface, in_signature="ay",
549
byte_arrays=True)
550
def SetSecret(self, secret):
551
"D-Bus setter method"
552
self.secret = str(secret)
553
554
# SetTimeout - method
555
@dbus.service.method(_interface, in_signature="t")
556
def SetTimeout(self, milliseconds):
557
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
558
# Emit D-Bus signal
559
self.PropertyChanged(dbus.String(u"timeout"),
560
(dbus.UInt64(self.timeout_milliseconds(),
561
variant_level=1)))
562
563
# Enable - method
564
Enable = dbus.service.method(_interface)(enable)
565
Enable.__name__ = "Enable"
566
567
# StartChecker - method
568
@dbus.service.method(_interface)
569
def StartChecker(self):
570
"D-Bus method"
571
self.start_checker()
572
573
# Disable - method
574
@dbus.service.method(_interface)
575
def Disable(self):
576
"D-Bus method"
577
self.disable()
578
579
# StopChecker - method
580
StopChecker = dbus.service.method(_interface)(stop_checker)
581
StopChecker.__name__ = "StopChecker"
582
583
del _interface
584
585
586
def peer_certificate(session):
587
"Return the peer's OpenPGP certificate as a bytestring"
588
# If not an OpenPGP certificate...
589
if (gnutls.library.functions
590
.gnutls_certificate_type_get(session._c_object)
591
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
592
# ...do the normal thing
593
return session.peer_certificate
594
list_size = ctypes.c_uint()
595
cert_list = (gnutls.library.functions
596
.gnutls_certificate_get_peers
597
(session._c_object, ctypes.byref(list_size)))
598
if list_size.value == 0:
599
return None
600
cert = cert_list[0]
601
return ctypes.string_at(cert.data, cert.size)
602
603
604
def fingerprint(openpgp):
605
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
606
# New GnuTLS "datum" with the OpenPGP public key
607
datum = (gnutls.library.types
608
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
609
ctypes.POINTER
610
(ctypes.c_ubyte)),
611
ctypes.c_uint(len(openpgp))))
612
# New empty GnuTLS certificate
613
crt = gnutls.library.types.gnutls_openpgp_crt_t()
614
(gnutls.library.functions
615
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
616
# Import the OpenPGP public key into the certificate
617
(gnutls.library.functions
618
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
619
gnutls.library.constants
620
.GNUTLS_OPENPGP_FMT_RAW))
621
# Verify the self signature in the key
622
crtverify = ctypes.c_uint()
623
(gnutls.library.functions
624
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
625
if crtverify.value != 0:
626
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
627
raise gnutls.errors.CertificateSecurityError("Verify failed")
628
# New buffer for the fingerprint
629
buf = ctypes.create_string_buffer(20)
630
buf_len = ctypes.c_size_t()
631
# Get the fingerprint from the certificate into the buffer
632
(gnutls.library.functions
633
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
634
ctypes.byref(buf_len)))
635
# Deinit the certificate
636
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
637
# Convert the buffer to a Python bytestring
638
fpr = ctypes.string_at(buf, buf_len.value)
639
# Convert the bytestring to hexadecimal notation
640
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
641
return hex_fpr
642
643
644
class TCP_handler(SocketServer.BaseRequestHandler, object):
200
return now < (self.last_seen + self.timeout)
201
202
203
class tcp_handler(SocketServer.BaseRequestHandler, object):
645
204
"""A TCP request handler class.
646
205
Instantiated by IPv6_TCPServer for each request to handle it.
647
206
Note: This will run in its own forked process."""
648
649
207
def handle(self):
650
logger.info(u"TCP connection from: %s",
651
unicode(self.client_address))
652
session = (gnutls.connection
653
.ClientSession(self.request,
654
gnutls.connection
655
.X509Credentials()))
656
657
line = self.request.makefile().readline()
658
logger.debug(u"Protocol version: %r", line)
659
try:
660
if int(line.strip().split()[0]) > 1:
661
raise RuntimeError
662
except (ValueError, IndexError, RuntimeError), error:
663
logger.error(u"Unknown protocol version: %s", error)
664
return
665
666
# Note: gnutls.connection.X509Credentials is really a generic
667
# GnuTLS certificate credentials object so long as no X.509
668
# keys are added to it. Therefore, we can use it here despite
669
# using OpenPGP certificates.
670
671
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
672
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
673
# "+DHE-DSS"))
674
# Use a fallback default, since this MUST be set.
675
priority = self.server.settings.get("priority", "NORMAL")
676
(gnutls.library.functions
677
.gnutls_priority_set_direct(session._c_object,
678
priority, None))
679
208
#print u"TCP request came"
209
#print u"Request:", self.request
210
#print u"Client Address:", self.client_address
211
#print u"Server:", self.server
212
session = gnutls.connection.ServerSession(self.request,
213
self.server\
214
.credentials)
680
215
try:
681
216
session.handshake()
682
217
except gnutls.errors.GNUTLSError, error:
683
logger.warning(u"Handshake failed: %s", error)
218
#sys.stderr.write(u"Handshake failed: %s\n" % error)
684
219
# Do not run session.bye() here: the session is not
685
220
# established. Just abandon the request.
686
221
return
222
#if session.peer_certificate:
223
# print "DN:", session.peer_certificate.subject
687
224
try:
688
fpr = fingerprint(peer_certificate(session))
689
except (TypeError, gnutls.errors.GNUTLSError), error:
690
logger.warning(u"Bad certificate: %s", error)
225
session.verify_peer()
226
except gnutls.errors.CertificateError, error:
227
#sys.stderr.write(u"Verify failed: %s\n" % error)
691
228
session.bye()
692
229
return
693
logger.debug(u"Fingerprint: %s", fpr)
694
for c in self.server.clients:
695
if c.fingerprint == fpr:
230
client = None
231
for c in clients:
232
if c.dn == session.peer_certificate.subject:
696
233
client = c
697
234
break
698
else:
699
logger.warning(u"Client not found for fingerprint: %s",
700
fpr)
701
session.bye()
702
return
703
235
# Have to check if client.still_valid(), since it is possible
704
236
# that the client timed out while establishing the GnuTLS
705
237
# session.
706
if not client.still_valid():
707
logger.warning(u"Client %(name)s is invalid",
708
vars(client))
709
session.bye()
710
return
711
## This won't work here, since we're in a fork.
712
# client.bump_timeout()
713
sent_size = 0
714
while sent_size < len(client.secret):
715
sent = session.send(client.secret[sent_size:])
716
logger.debug(u"Sent: %d, remaining: %d",
717
sent, len(client.secret)
718
- (sent_size + sent))
719
sent_size += sent
238
if client and client.still_valid():
239
session.send(client.password)
240
else:
241
#if client:
242
# sys.stderr.write(u"Client %(name)s is invalid\n"
243
# % vars(client))
244
#else:
245
# sys.stderr.write(u"Client not found for DN: %s\n"
246
# % session.peer_certificate.subject)
247
#session.send("gazonk")
248
pass
720
249
session.bye()
721
250
722
251
723
class IPv6_TCPServer(SocketServer.ForkingMixIn,
724
SocketServer.TCPServer, object):
252
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
725
253
"""IPv6 TCP server. Accepts 'None' as address and/or port.
726
254
Attributes:
727
settings: Server settings
255
options: Command line options
728
256
clients: Set() of Client objects
729
enabled: Boolean; whether this server is activated yet
257
credentials: GnuTLS X.509 credentials
730
258
"""
731
259
address_family = socket.AF_INET6
732
260
def __init__(self, *args, **kwargs):
733
if "settings" in kwargs:
734
self.settings = kwargs["settings"]
735
del kwargs["settings"]
261
if "options" in kwargs:
262
self.options = kwargs["options"]
263
del kwargs["options"]
736
264
if "clients" in kwargs:
737
265
self.clients = kwargs["clients"]
738
266
del kwargs["clients"]
739
self.enabled = False
740
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
267
if "credentials" in kwargs:
268
self.credentials = kwargs["credentials"]
269
del kwargs["credentials"]
270
return super(type(self), self).__init__(*args, **kwargs)
741
271
def server_bind(self):
742
272
"""This overrides the normal server_bind() function
743
273
to bind to an interface if one was specified, and also NOT to
744
274
bind to an address or port if they were not specified."""
745
if self.settings["interface"]:
746
# 25 is from /usr/include/asm-i486/socket.h
747
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
275
if self.options.interface:
276
if not hasattr(socket, "SO_BINDTODEVICE"):
277
# From /usr/include/asm-i486/socket.h
278
socket.SO_BINDTODEVICE = 25
748
279
try:
749
280
self.socket.setsockopt(socket.SOL_SOCKET,
750
SO_BINDTODEVICE,
751
self.settings["interface"])
281
socket.SO_BINDTODEVICE,
282
self.options.interface)
752
283
except socket.error, error:
753
284
if error[0] == errno.EPERM:
754
logger.error(u"No permission to"
755
u" bind to interface %s",
756
self.settings["interface"])
285
sys.stderr.write(u"Warning: No permission to bind to interface %s\n"
286
% self.options.interface)
757
287
else:
758
288
raise error
759
289
# Only bind(2) the socket if we really need to.
762
292
in6addr_any = "::"
763
293
self.server_address = (in6addr_any,
764
294
self.server_address[1])
765
elif not self.server_address[1]:
295
elif self.server_address[1] is None:
766
296
self.server_address = (self.server_address[0],
767
297
0)
768
# if self.settings["interface"]:
769
# self.server_address = (self.server_address[0],
770
# 0, # port
771
# 0, # flowinfo
772
# if_nametoindex
773
# (self.settings
774
# ["interface"]))
775
return super(IPv6_TCPServer, self).server_bind()
776
def server_activate(self):
777
if self.enabled:
778
return super(IPv6_TCPServer, self).server_activate()
779
def enable(self):
780
self.enabled = True
298
return super(type(self), self).server_bind()
781
299
782
300
783
301
def string_to_delta(interval):
793
311
datetime.timedelta(1)
794
312
>>> string_to_delta(u'1w')
795
313
datetime.timedelta(7)
796
>>> string_to_delta('5m 30s')
797
datetime.timedelta(0, 330)
798
314
"""
799
timevalue = datetime.timedelta(0)
800
for s in interval.split():
801
try:
802
suffix = unicode(s[-1])
803
value = int(s[:-1])
804
if suffix == u"d":
805
delta = datetime.timedelta(value)
806
elif suffix == u"s":
807
delta = datetime.timedelta(0, value)
808
elif suffix == u"m":
809
delta = datetime.timedelta(0, 0, 0, 0, value)
810
elif suffix == u"h":
811
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
812
elif suffix == u"w":
813
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
814
else:
815
raise ValueError
816
except (ValueError, IndexError):
315
try:
316
suffix=unicode(interval[-1])
317
value=int(interval[:-1])
318
if suffix == u"d":
319
delta = datetime.timedelta(value)
320
elif suffix == u"s":
321
delta = datetime.timedelta(0, value)
322
elif suffix == u"m":
323
delta = datetime.timedelta(0, 0, 0, 0, value)
324
elif suffix == u"h":
325
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
326
elif suffix == u"w":
327
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
328
else:
817
329
raise ValueError
818
timevalue += delta
819
return timevalue
330
except (ValueError, IndexError):
331
raise ValueError
332
return delta
333
334
335
def add_service():
336
"""From the Avahi server example code"""
337
global group, serviceName, serviceType, servicePort, serviceTXT, \
338
domain, host
339
if group is None:
340
group = dbus.Interface(
341
bus.get_object( avahi.DBUS_NAME,
342
server.EntryGroupNew()),
343
avahi.DBUS_INTERFACE_ENTRY_GROUP)
344
group.connect_to_signal('StateChanged',
345
entry_group_state_changed)
346
347
# print "Adding service '%s' of type '%s' ..." % (serviceName,
348
# serviceType)
349
350
group.AddService(
351
serviceInterface, # interface
352
avahi.PROTO_INET6, # protocol
353
dbus.UInt32(0), # flags
354
serviceName, serviceType,
355
domain, host,
356
dbus.UInt16(servicePort),
357
avahi.string_array_to_txt_array(serviceTXT))
358
group.Commit()
359
360
361
def remove_service():
362
"""From the Avahi server example code"""
363
global group
364
365
if not group is None:
366
group.Reset()
820
367
821
368
822
369
def server_state_changed(state):
823
"""Derived from the Avahi example code"""
370
"""From the Avahi server example code"""
824
371
if state == avahi.SERVER_COLLISION:
825
logger.error(u"Zeroconf server name collision")
826
service.remove()
372
print "WARNING: Server name collision"
373
remove_service()
827
374
elif state == avahi.SERVER_RUNNING:
828
service.add()
375
add_service()
829
376
830
377
831
378
def entry_group_state_changed(state, error):
832
"""Derived from the Avahi example code"""
833
logger.debug(u"Avahi state change: %i", state)
379
"""From the Avahi server example code"""
380
global serviceName, server, rename_count
381
382
# print "state change: %i" % state
834
383
835
384
if state == avahi.ENTRY_GROUP_ESTABLISHED:
836
logger.debug(u"Zeroconf service established.")
385
pass
386
# print "Service established."
837
387
elif state == avahi.ENTRY_GROUP_COLLISION:
838
logger.warning(u"Zeroconf service name collision.")
839
service.rename()
388
389
rename_count = rename_count - 1
390
if rename_count > 0:
391
name = server.GetAlternativeServiceName(name)
392
print "WARNING: Service name collision, changing name to '%s' ..." % name
393
remove_service()
394
add_service()
395
396
else:
397
print "ERROR: No suitable service name found after %i retries, exiting." % n_rename
398
main_loop.quit()
840
399
elif state == avahi.ENTRY_GROUP_FAILURE:
841
logger.critical(u"Avahi: Error in group state changed %s",
842
unicode(error))
843
raise AvahiGroupError(u"State changed: %s" % unicode(error))
400
print "Error in group state changed", error
401
main_loop.quit()
402
return
403
844
404
845
405
def if_nametoindex(interface):
846
"""Call the C function if_nametoindex(), or equivalent"""
847
global if_nametoindex
406
"""Call the C function if_nametoindex()"""
848
407
try:
849
if_nametoindex = (ctypes.cdll.LoadLibrary
850
(ctypes.util.find_library("c"))
851
.if_nametoindex)
852
except (OSError, AttributeError):
408
if "ctypes" not in sys.modules:
409
import ctypes
410
libc = ctypes.cdll.LoadLibrary("libc.so.6")
411
return libc.if_nametoindex(interface)
412
except (ImportError, OSError, AttributeError):
853
413
if "struct" not in sys.modules:
854
414
import struct
855
415
if "fcntl" not in sys.modules:
856
416
import fcntl
857
def if_nametoindex(interface):
858
"Get an interface index the hard way, i.e. using fcntl()"
859
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
860
with closing(socket.socket()) as s:
861
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
862
struct.pack("16s16x", interface))
863
interface_index = struct.unpack("I", ifreq[16:20])[0]
864
return interface_index
865
return if_nametoindex(interface)
866
867
868
def daemon(nochdir = False, noclose = False):
869
"""See daemon(3). Standard BSD Unix function.
870
This should really exist as os.daemon, but it doesn't (yet)."""
871
if os.fork():
872
sys.exit()
873
os.setsid()
874
if not nochdir:
875
os.chdir("/")
876
if os.fork():
877
sys.exit()
878
if not noclose:
879
# Close all standard open file descriptors
880
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
881
if not stat.S_ISCHR(os.fstat(null).st_mode):
882
raise OSError(errno.ENODEV,
883
"/dev/null not a character device")
884
os.dup2(null, sys.stdin.fileno())
885
os.dup2(null, sys.stdout.fileno())
886
os.dup2(null, sys.stderr.fileno())
887
if null > 2:
888
os.close(null)
889
890
891
def main():
892
parser = OptionParser(version = "%%prog %s" % version)
417
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
418
s = socket.socket()
419
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
420
struct.pack("16s16x", interface))
421
s.close()
422
interface_index = struct.unpack("I", ifreq[16:20])[0]
423
return interface_index
424
425
426
if __name__ == '__main__':
427
parser = OptionParser()
893
428
parser.add_option("-i", "--interface", type="string",
894
metavar="IF", help="Bind to interface IF")
895
parser.add_option("-a", "--address", type="string",
896
help="Address to listen for requests on")
897
parser.add_option("-p", "--port", type="int",
429
default=None, metavar="IF",
430
help="Bind to interface IF")
431
parser.add_option("--cert", type="string", default="cert.pem",
432
metavar="FILE",
433
help="Public key certificate PEM file to use")
434
parser.add_option("--key", type="string", default="key.pem",
435
metavar="FILE",
436
help="Private key PEM file to use")
437
parser.add_option("--ca", type="string", default="ca.pem",
438
metavar="FILE",
439
help="Certificate Authority certificate PEM file to use")
440
parser.add_option("--crl", type="string", default="crl.pem",
441
metavar="FILE",
442
help="Certificate Revokation List PEM file to use")
443
parser.add_option("-p", "--port", type="int", default=None,
898
444
help="Port number to receive requests on")
899
parser.add_option("--check", action="store_true",
445
parser.add_option("--timeout", type="string", # Parsed later
446
default="1h",
447
help="Amount of downtime allowed for clients")
448
parser.add_option("--interval", type="string", # Parsed later
449
default="5m",
450
help="How often to check that a client is up")
451
parser.add_option("--check", action="store_true", default=False,
900
452
help="Run self-test")
901
parser.add_option("--debug", action="store_true",
902
help="Debug mode; run in foreground and log to"
903
" terminal")
904
parser.add_option("--priority", type="string", help="GnuTLS"
905
" priority string (see GnuTLS documentation)")
906
parser.add_option("--servicename", type="string", metavar="NAME",
907
help="Zeroconf service name")
908
parser.add_option("--configdir", type="string",
909
default="/etc/mandos", metavar="DIR",
910
help="Directory to search for configuration"
911
" files")
912
parser.add_option("--no-dbus", action="store_false",
913
dest="use_dbus",
914
help="Do not provide D-Bus system bus"
915
" interface")
916
options = parser.parse_args()[0]
453
(options, args) = parser.parse_args()
917
454
918
455
if options.check:
919
456
import doctest
920
457
doctest.testmod()
921
458
sys.exit()
922
459
923
# Default values for config file for server-global settings
924
server_defaults = { "interface": "",
925
"address": "",
926
"port": "",
927
"debug": "False",
928
"priority":
929
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
930
"servicename": "Mandos",
931
"use_dbus": "True",
932
}
933
934
# Parse config file for server-global settings
935
server_config = ConfigParser.SafeConfigParser(server_defaults)
936
del server_defaults
937
server_config.read(os.path.join(options.configdir, "mandos.conf"))
938
# Convert the SafeConfigParser object to a dict
939
server_settings = server_config.defaults()
940
# Use getboolean on the boolean config options
941
server_settings["debug"] = (server_config.getboolean
942
("DEFAULT", "debug"))
943
server_settings["use_dbus"] = (server_config.getboolean
944
("DEFAULT", "use_dbus"))
945
del server_config
946
947
# Override the settings from the config file with command line
948
# options, if set.
949
for option in ("interface", "address", "port", "debug",
950
"priority", "servicename", "configdir",
951
"use_dbus"):
952
value = getattr(options, option)
953
if value is not None:
954
server_settings[option] = value
955
del options
956
# Now we have our good server settings in "server_settings"
957
958
# For convenience
959
debug = server_settings["debug"]
960
use_dbus = server_settings["use_dbus"]
961
962
if not debug:
963
syslogger.setLevel(logging.WARNING)
964
console.setLevel(logging.WARNING)
965
966
if server_settings["servicename"] != "Mandos":
967
syslogger.setFormatter(logging.Formatter
968
('Mandos (%s): %%(levelname)s:'
969
' %%(message)s'
970
% server_settings["servicename"]))
971
972
# Parse config file with clients
973
client_defaults = { "timeout": "1h",
974
"interval": "5m",
975
"checker": "fping -q -- %%(host)s",
976
"host": "",
977
}
978
client_config = ConfigParser.SafeConfigParser(client_defaults)
979
client_config.read(os.path.join(server_settings["configdir"],
980
"clients.conf"))
981
982
clients = Set()
983
tcp_server = IPv6_TCPServer((server_settings["address"],
984
server_settings["port"]),
985
TCP_handler,
986
settings=server_settings,
987
clients=clients)
988
pidfilename = "/var/run/mandos.pid"
989
try:
990
pidfile = open(pidfilename, "w")
991
except IOError, error:
992
logger.error("Could not open file %r", pidfilename)
993
994
try:
995
uid = pwd.getpwnam("_mandos").pw_uid
996
gid = pwd.getpwnam("_mandos").pw_gid
997
except KeyError:
998
try:
999
uid = pwd.getpwnam("mandos").pw_uid
1000
gid = pwd.getpwnam("mandos").pw_gid
1001
except KeyError:
1002
try:
1003
uid = pwd.getpwnam("nobody").pw_uid
1004
gid = pwd.getpwnam("nogroup").pw_gid
1005
except KeyError:
1006
uid = 65534
1007
gid = 65534
1008
try:
1009
os.setuid(uid)
1010
os.setgid(gid)
1011
except OSError, error:
1012
if error[0] != errno.EPERM:
1013
raise error
1014
1015
global service
1016
service = AvahiService(name = server_settings["servicename"],
1017
servicetype = "_mandos._tcp", )
1018
if server_settings["interface"]:
1019
service.interface = (if_nametoindex
1020
(server_settings["interface"]))
1021
1022
global main_loop
1023
global bus
1024
global server
1025
# From the Avahi example code
460
# Parse the time arguments
461
try:
462
options.timeout = string_to_delta(options.timeout)
463
except ValueError:
464
parser.error("option --timeout: Unparseable time")
465
try:
466
options.interval = string_to_delta(options.interval)
467
except ValueError:
468
parser.error("option --interval: Unparseable time")
469
470
cert = gnutls.crypto.X509Certificate(open(options.cert).read())
471
key = gnutls.crypto.X509PrivateKey(open(options.key).read())
472
ca = gnutls.crypto.X509Certificate(open(options.ca).read())
473
crl = gnutls.crypto.X509CRL(open(options.crl).read())
474
cred = gnutls.connection.X509Credentials(cert, key, [ca], [crl])
475
476
# Parse config file
477
defaults = {}
478
client_config = ConfigParser.SafeConfigParser(defaults)
479
#client_config.readfp(open("secrets.conf"), "secrets.conf")
480
client_config.read("mandos-clients.conf")
481
482
# From the Avahi server example code
1026
483
DBusGMainLoop(set_as_default=True )
1027
484
main_loop = gobject.MainLoop()
1028
485
bus = dbus.SystemBus()
1029
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1030
avahi.DBUS_PATH_SERVER),
1031
avahi.DBUS_INTERFACE_SERVER)
486
server = dbus.Interface(
487
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
488
avahi.DBUS_INTERFACE_SERVER )
1032
489
# End of Avahi example code
1033
if use_dbus:
1034
bus_name = dbus.service.BusName(u"org.mandos-system.Mandos",
1035
bus)
1036
1037
clients.update(Set(Client(name = section,
1038
config
1039
= dict(client_config.items(section)),
1040
use_dbus = use_dbus)
490
491
clients = Set()
492
def remove_from_clients(client):
493
clients.remove(client)
494
if not clients:
495
print "No clients left, exiting"
496
main_loop.quit()
497
498
clients.update(Set(Client(name=section, options=options,
499
stop_hook = remove_from_clients,
500
**(dict(client_config\
501
.items(section))))
1041
502
for section in client_config.sections()))
1042
if not clients:
1043
logger.warning(u"No clients defined")
1044
1045
if debug:
1046
# Redirect stdin so all checkers get /dev/null
1047
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1048
os.dup2(null, sys.stdin.fileno())
1049
if null > 2:
1050
os.close(null)
1051
else:
1052
# No console logging
1053
logger.removeHandler(console)
1054
# Close all input and output, do double fork, etc.
1055
daemon()
1056
1057
try:
1058
pid = os.getpid()
1059
pidfile.write(str(pid) + "\n")
1060
pidfile.close()
1061
del pidfile
1062
except IOError:
1063
logger.error(u"Could not write to file %r with PID %d",
1064
pidfilename, pid)
1065
except NameError:
1066
# "pidfile" was never created
1067
pass
1068
del pidfilename
1069
1070
def cleanup():
1071
"Cleanup function; run on exit"
1072
global group
1073
# From the Avahi example code
1074
if not group is None:
1075
group.Free()
1076
group = None
1077
# End of Avahi example code
1078
1079
while clients:
1080
client = clients.pop()
1081
client.disable_hook = None
1082
client.disable()
1083
1084
atexit.register(cleanup)
1085
1086
if not debug:
1087
signal.signal(signal.SIGINT, signal.SIG_IGN)
1088
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1089
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1090
1091
if use_dbus:
1092
class MandosServer(dbus.service.Object):
1093
"""A D-Bus proxy object"""
1094
def __init__(self):
1095
dbus.service.Object.__init__(self, bus,
1096
"/Mandos")
1097
_interface = u"org.mandos_system.Mandos"
1098
1099
@dbus.service.signal(_interface, signature="oa{sv}")
1100
def ClientAdded(self, objpath, properties):
1101
"D-Bus signal"
1102
pass
1103
1104
@dbus.service.signal(_interface, signature="o")
1105
def ClientRemoved(self, objpath):
1106
"D-Bus signal"
1107
pass
1108
1109
@dbus.service.method(_interface, out_signature="ao")
1110
def GetAllClients(self):
1111
return dbus.Array(c.dbus_object_path for c in clients)
1112
1113
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1114
def GetAllClientsWithProperties(self):
1115
return dbus.Dictionary(
1116
((c.dbus_object_path, c.GetAllProperties())
1117
for c in clients),
1118
signature="oa{sv}")
1119
1120
@dbus.service.method(_interface, in_signature="o")
1121
def RemoveClient(self, object_path):
1122
for c in clients:
1123
if c.dbus_object_path == object_path:
1124
clients.remove(c)
1125
# Don't signal anything except ClientRemoved
1126
c.use_dbus = False
1127
c.disable()
1128
# Emit D-Bus signal
1129
self.ClientRemoved(object_path)
1130
return
1131
raise KeyError
1132
@dbus.service.method(_interface)
1133
def Quit(self):
1134
main_loop.quit()
1135
1136
del _interface
1137
1138
mandos_server = MandosServer()
1139
1140
503
for client in clients:
1141
if use_dbus:
1142
# Emit D-Bus signal
1143
mandos_server.ClientAdded(client.dbus_object_path,
1144
client.GetAllProperties())
1145
client.enable()
1146
1147
tcp_server.enable()
1148
tcp_server.server_activate()
1149
1150
# Find out what port we got
1151
service.port = tcp_server.socket.getsockname()[1]
1152
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1153
u" scope_id %d" % tcp_server.socket.getsockname())
1154
1155
#service.interface = tcp_server.socket.getsockname()[3]
1156
504
client.start()
505
506
tcp_server = IPv6_TCPServer((None, options.port),
507
tcp_handler,
508
options=options,
509
clients=clients,
510
credentials=cred)
511
# Find out what random port we got
512
servicePort = tcp_server.socket.getsockname()[1]
513
#sys.stderr.write("Now listening on port %d\n" % servicePort)
514
515
if options.interface is not None:
516
serviceInterface = if_nametoindex(options.interface)
517
518
# From the Avahi server example code
519
server.connect_to_signal("StateChanged", server_state_changed)
520
server_state_changed(server.GetState())
521
# End of Avahi example code
522
523
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
524
lambda *args, **kwargs:
525
tcp_server.handle_request(*args[2:],
526
**kwargs) or True)
1157
527
try:
1158
# From the Avahi example code
1159
server.connect_to_signal("StateChanged", server_state_changed)
1160
try:
1161
server_state_changed(server.GetState())
1162
except dbus.exceptions.DBusException, error:
1163
logger.critical(u"DBusException: %s", error)
1164
sys.exit(1)
1165
# End of Avahi example code
1166
1167
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1168
lambda *args, **kwargs:
1169
(tcp_server.handle_request
1170
(*args[2:], **kwargs) or True))
1171
1172
logger.debug(u"Starting main loop")
1173
528
main_loop.run()
1174
except AvahiError, error:
1175
logger.critical(u"AvahiError: %s", error)
1176
sys.exit(1)
1177
529
except KeyboardInterrupt:
1178
if debug:
1179
print
530
print
531
532
# Cleanup here
1180
533
1181
if __name__ == '__main__':
1182
main()
534
# From the Avahi server example code
535
if not group is None:
536
group.Free()
537
# End of Avahi example code
538
539
for client in clients:
540
client.stop_hook = None
541
client.stop()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0