To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to server.py
- browse files at revision 11
- compare with another revision
- download diff
- download tarball
- view history from revision 11
- Committer: Teddy Hogeborn
- Date: 2008-06-30 01:43:39 UTC
- Revision ID: teddy@fukt.bsnet.se-20080630014339-rsuztydpl2w5ml83
* server.py: Rewritten to use Zeroconf (mDNS/DNS-SD) in place of the
old broadcast-UDP-to-port-49001 method.
old broadcast-UDP-to-port-49001 method.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- plugins.d
- files renamed:
- clients.conf => mandos-clients.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
server.py
1
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
# Mandos server - give out binary blobs to connecting clients.
5
#
6
# This program is partly derived from an example program for an Avahi
7
# service publisher, downloaded from
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
#
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
19
# the Free Software Foundation, either version 3 of the License, or
20
# (at your option) any later version.
21
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
# GNU General Public License for more details.
26
#
27
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
#
33
2
34
from __future__ import division, with_statement, absolute_import
3
from __future__ import division
35
4
36
5
import SocketServer
37
6
import socket
38
import optparse
7
import select
8
from optparse import OptionParser
39
9
import datetime
40
10
import errno
41
11
import gnutls.crypto
42
12
import gnutls.connection
43
13
import gnutls.errors
44
import gnutls.library.functions
45
import gnutls.library.constants
46
import gnutls.library.types
47
14
import ConfigParser
48
15
import sys
49
16
import re
51
18
import signal
52
19
from sets import Set
53
20
import subprocess
54
import atexit
55
import stat
56
import logging
57
import logging.handlers
58
import pwd
59
from contextlib import closing
60
21
61
22
import dbus
62
import dbus.service
63
23
import gobject
64
24
import avahi
65
25
from dbus.mainloop.glib import DBusGMainLoop
66
import ctypes
67
import ctypes.util
68
69
version = "1.0.5"
70
71
logger = logging.Logger('mandos')
72
syslogger = (logging.handlers.SysLogHandler
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
address = "/dev/log"))
75
syslogger.setFormatter(logging.Formatter
76
('Mandos: %(levelname)s: %(message)s'))
77
logger.addHandler(syslogger)
78
79
console = logging.StreamHandler()
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
82
logger.addHandler(console)
83
84
class AvahiError(Exception):
85
def __init__(self, value, *args, **kwargs):
86
self.value = value
87
super(AvahiError, self).__init__(value, *args, **kwargs)
88
def __unicode__(self):
89
return unicode(repr(self.value))
90
91
class AvahiServiceError(AvahiError):
92
pass
93
94
class AvahiGroupError(AvahiError):
95
pass
96
97
98
class AvahiService(object):
99
"""An Avahi (Zeroconf) service.
100
Attributes:
101
interface: integer; avahi.IF_UNSPEC or an interface index.
102
Used to optionally bind to the specified interface.
103
name: string; Example: 'Mandos'
104
type: string; Example: '_mandos._tcp'.
105
See <http://www.dns-sd.org/ServiceTypes.html>
106
port: integer; what port to announce
107
TXT: list of strings; TXT record for the service
108
domain: string; Domain to publish on, default to .local if empty.
109
host: string; Host to publish records for, default is localhost
110
max_renames: integer; maximum number of renames
111
rename_count: integer; counter so we only rename after collisions
112
a sensible number of times
113
"""
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
115
servicetype = None, port = None, TXT = None,
116
domain = "", host = "", max_renames = 32768):
117
self.interface = interface
118
self.name = name
119
self.type = servicetype
120
self.port = port
121
self.TXT = TXT if TXT is not None else []
122
self.domain = domain
123
self.host = host
124
self.rename_count = 0
125
self.max_renames = max_renames
126
def rename(self):
127
"""Derived from the Avahi example code"""
128
if self.rename_count >= self.max_renames:
129
logger.critical(u"No suitable Zeroconf service name found"
130
u" after %i retries, exiting.",
131
self.rename_count)
132
raise AvahiServiceError(u"Too many renames")
133
self.name = server.GetAlternativeServiceName(self.name)
134
logger.info(u"Changing Zeroconf service name to %r ...",
135
str(self.name))
136
syslogger.setFormatter(logging.Formatter
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
139
self.remove()
140
self.add()
141
self.rename_count += 1
142
def remove(self):
143
"""Derived from the Avahi example code"""
144
if group is not None:
145
group.Reset()
146
def add(self):
147
"""Derived from the Avahi example code"""
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
26
27
# This variable is used to optionally bind to a specified
28
# interface.
29
serviceInterface = avahi.IF_UNSPEC
30
# It is a global variable to fit in with the rest of the
31
# variables from the Avahi server example code:
32
serviceName = "Mandos"
33
serviceType = "_mandos._tcp" # http://www.dns-sd.org/ServiceTypes.html
34
servicePort = None # Not known at startup
35
serviceTXT = [] # TXT record for the service
36
domain = "" # Domain to publish on, default to .local
37
host = "" # Host to publish records for, default to localhost
38
group = None #our entry group
39
rename_count = 12 # Counter so we only rename after collisions a
40
# sensible number of times
170
41
# End of Avahi example code
171
42
172
43
173
def _datetime_to_dbus(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus type."""
175
return dbus.String(dt.isoformat(), variant_level=variant_level)
176
177
178
class Client(dbus.service.Object):
44
class Client(object):
179
45
"""A representation of a client host served by this server.
180
46
Attributes:
181
name: string; from the config file, used in log messages and
182
D-Bus identifiers
183
fingerprint: string (40 or 32 hexadecimal digits); used to
184
uniquely identify the client
185
secret: bytestring; sent verbatim (over TLS) to client
186
host: string; available for use by the checker command
187
created: datetime.datetime(); (UTC) object creation
188
last_enabled: datetime.datetime(); (UTC)
189
enabled: bool()
190
last_checked_ok: datetime.datetime(); (UTC) or None
191
timeout: datetime.timedelta(); How long from last_checked_ok
192
until this client is invalid
193
interval: datetime.timedelta(); How often to start a new checker
194
disable_hook: If set, called by disable() as disable_hook(self)
195
checker: subprocess.Popen(); a running checker process used
196
to see if the client lives.
197
'None' if no process is running.
47
password: string
48
fqdn: string, FQDN (used by the checker)
49
created: datetime.datetime()
50
last_seen: datetime.datetime() or None if not yet seen
51
timeout: datetime.timedelta(); How long from last_seen until
52
this client is invalid
53
interval: datetime.timedelta(); How often to start a new checker
54
timeout_milliseconds: Used by gobject.timeout_add()
55
interval_milliseconds: - '' -
56
stop_hook: If set, called by stop() as stop_hook(self)
57
checker: subprocess.Popen(); a running checker process used
58
to see if the client lives.
59
Is None if no process is running.
198
60
checker_initiator_tag: a gobject event source tag, or None
199
disable_initiator_tag: - '' -
61
stop_initiator_tag: - '' -
200
62
checker_callback_tag: - '' -
201
checker_command: string; External command which is run to check if
202
client lives. %() expansions are done at
203
runtime with vars(self) as dict, so that for
204
instance %(name)s can be used in the command.
205
use_dbus: bool(); Whether to provide D-Bus interface and signals
206
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
207
63
"""
208
def timeout_milliseconds(self):
209
"Return the 'timeout' attribute in milliseconds"
210
return ((self.timeout.days * 24 * 60 * 60 * 1000)
211
+ (self.timeout.seconds * 1000)
212
+ (self.timeout.microseconds // 1000))
213
214
def interval_milliseconds(self):
215
"Return the 'interval' attribute in milliseconds"
216
return ((self.interval.days * 24 * 60 * 60 * 1000)
217
+ (self.interval.seconds * 1000)
218
+ (self.interval.microseconds // 1000))
219
220
def __init__(self, name = None, disable_hook=None, config=None,
221
use_dbus=True):
222
"""Note: the 'checker' key in 'config' sets the
223
'checker_command' attribute and *not* the 'checker'
224
attribute."""
64
def __init__(self, name=None, options=None, stop_hook=None,
65
dn=None, password=None, passfile=None, fqdn=None,
66
timeout=None, interval=-1):
225
67
self.name = name
226
if config is None:
227
config = {}
228
logger.debug(u"Creating client %r", self.name)
229
self.use_dbus = False # During __init__
230
# Uppercase and remove spaces from fingerprint for later
231
# comparison purposes with return value from the fingerprint()
232
# function
233
self.fingerprint = (config["fingerprint"].upper()
234
.replace(u" ", u""))
235
logger.debug(u" Fingerprint: %s", self.fingerprint)
236
if "secret" in config:
237
self.secret = config["secret"].decode(u"base64")
238
elif "secfile" in config:
239
with closing(open(os.path.expanduser
240
(os.path.expandvars
241
(config["secfile"])))) as secfile:
242
self.secret = secfile.read()
243
else:
244
raise TypeError(u"No secret or secfile for client %s"
245
% self.name)
246
self.host = config.get("host", "")
247
self.created = datetime.datetime.utcnow()
248
self.enabled = False
249
self.last_enabled = None
250
self.last_checked_ok = None
251
self.timeout = string_to_delta(config["timeout"])
252
self.interval = string_to_delta(config["interval"])
253
self.disable_hook = disable_hook
68
self.dn = dn
69
if password:
70
self.password = password
71
elif passfile:
72
self.password = open(passfile).readall()
73
else:
74
raise RuntimeError(u"No Password or Passfile for client %s"
75
% self.name)
76
self.fqdn = fqdn # string
77
self.created = datetime.datetime.now()
78
self.last_seen = None
79
if timeout is None:
80
timeout = options.timeout
81
self.timeout = timeout
82
self.timeout_milliseconds = ((self.timeout.days
83
* 24 * 60 * 60 * 1000)
84
+ (self.timeout.seconds * 1000)
85
+ (self.timeout.microseconds
86
// 1000))
87
if interval == -1:
88
interval = options.interval
89
else:
90
interval = string_to_delta(interval)
91
self.interval = interval
92
self.interval_milliseconds = ((self.interval.days
93
* 24 * 60 * 60 * 1000)
94
+ (self.interval.seconds * 1000)
95
+ (self.interval.microseconds
96
// 1000))
97
self.stop_hook = stop_hook
254
98
self.checker = None
255
99
self.checker_initiator_tag = None
256
self.disable_initiator_tag = None
100
self.stop_initiator_tag = None
257
101
self.checker_callback_tag = None
258
self.checker_command = config["checker"]
259
self.last_connect = None
260
# Only now, when this client is initialized, can it show up on
261
# the D-Bus
262
self.use_dbus = use_dbus
263
if self.use_dbus:
264
self.dbus_object_path = (dbus.ObjectPath
265
("/clients/"
266
+ self.name.replace(".", "_")))
267
dbus.service.Object.__init__(self, bus,
268
self.dbus_object_path)
269
270
def enable(self):
271
"""Start this client's checker and timeout hooks"""
272
self.last_enabled = datetime.datetime.utcnow()
102
def start(self):
103
"""Start this clients checker and timeout hooks"""
273
104
# Schedule a new checker to be started an 'interval' from now,
274
105
# and every interval from then on.
275
self.checker_initiator_tag = (gobject.timeout_add
276
(self.interval_milliseconds(),
277
self.start_checker))
106
self.checker_initiator_tag = gobject.\
107
timeout_add(self.interval_milliseconds,
108
self.start_checker)
278
109
# Also start a new checker *right now*.
279
110
self.start_checker()
280
# Schedule a disable() when 'timeout' has passed
281
self.disable_initiator_tag = (gobject.timeout_add
282
(self.timeout_milliseconds(),
283
self.disable))
284
self.enabled = True
285
if self.use_dbus:
286
# Emit D-Bus signals
287
self.PropertyChanged(dbus.String(u"enabled"),
288
dbus.Boolean(True, variant_level=1))
289
self.PropertyChanged(dbus.String(u"last_enabled"),
290
(_datetime_to_dbus(self.last_enabled,
291
variant_level=1)))
292
293
def disable(self):
294
"""Disable this client."""
295
if not getattr(self, "enabled", False):
296
return False
297
logger.info(u"Disabling client %s", self.name)
298
if getattr(self, "disable_initiator_tag", False):
299
gobject.source_remove(self.disable_initiator_tag)
300
self.disable_initiator_tag = None
301
if getattr(self, "checker_initiator_tag", False):
111
# Schedule a stop() when 'timeout' has passed
112
self.stop_initiator_tag = gobject.\
113
timeout_add(self.timeout_milliseconds,
114
self.stop)
115
def stop(self):
116
"""Stop this client.
117
The possibility that this client might be restarted is left
118
open, but not currently used."""
119
# print "Stopping client", self.name
120
self.password = None
121
if self.stop_initiator_tag:
122
gobject.source_remove(self.stop_initiator_tag)
123
self.stop_initiator_tag = None
124
if self.checker_initiator_tag:
302
125
gobject.source_remove(self.checker_initiator_tag)
303
126
self.checker_initiator_tag = None
304
127
self.stop_checker()
305
if self.disable_hook:
306
self.disable_hook(self)
307
self.enabled = False
308
if self.use_dbus:
309
# Emit D-Bus signal
310
self.PropertyChanged(dbus.String(u"enabled"),
311
dbus.Boolean(False, variant_level=1))
128
if self.stop_hook:
129
self.stop_hook(self)
312
130
# Do not run this again if called by a gobject.timeout_add
313
131
return False
314
315
132
def __del__(self):
316
self.disable_hook = None
317
self.disable()
318
319
def checker_callback(self, pid, condition, command):
133
# Some code duplication here and in stop()
134
if hasattr(self, "stop_initiator_tag") \
135
and self.stop_initiator_tag:
136
gobject.source_remove(self.stop_initiator_tag)
137
self.stop_initiator_tag = None
138
if hasattr(self, "checker_initiator_tag") \
139
and self.checker_initiator_tag:
140
gobject.source_remove(self.checker_initiator_tag)
141
self.checker_initiator_tag = None
142
self.stop_checker()
143
def checker_callback(self, pid, condition):
320
144
"""The checker has completed, so take appropriate actions."""
145
now = datetime.datetime.now()
146
if os.WIFEXITED(condition) \
147
and (os.WEXITSTATUS(condition) == 0):
148
#print "Checker for %(name)s succeeded" % vars(self)
149
self.last_seen = now
150
gobject.source_remove(self.stop_initiator_tag)
151
self.stop_initiator_tag = gobject.\
152
timeout_add(self.timeout_milliseconds,
153
self.stop)
154
#else:
155
# if not os.WIFEXITED(condition):
156
# print "Checker for %(name)s crashed?" % vars(self)
157
# else:
158
# print "Checker for %(name)s failed" % vars(self)
159
self.checker = None
321
160
self.checker_callback_tag = None
322
self.checker = None
323
if self.use_dbus:
324
# Emit D-Bus signal
325
self.PropertyChanged(dbus.String(u"checker_running"),
326
dbus.Boolean(False, variant_level=1))
327
if os.WIFEXITED(condition):
328
exitstatus = os.WEXITSTATUS(condition)
329
if exitstatus == 0:
330
logger.info(u"Checker for %(name)s succeeded",
331
vars(self))
332
self.checked_ok()
333
else:
334
logger.info(u"Checker for %(name)s failed",
335
vars(self))
336
if self.use_dbus:
337
# Emit D-Bus signal
338
self.CheckerCompleted(dbus.Int16(exitstatus),
339
dbus.Int64(condition),
340
dbus.String(command))
341
else:
342
logger.warning(u"Checker for %(name)s crashed?",
343
vars(self))
344
if self.use_dbus:
345
# Emit D-Bus signal
346
self.CheckerCompleted(dbus.Int16(-1),
347
dbus.Int64(condition),
348
dbus.String(command))
349
350
def checked_ok(self):
351
"""Bump up the timeout for this client.
352
This should only be called when the client has been seen,
353
alive and well.
354
"""
355
self.last_checked_ok = datetime.datetime.utcnow()
356
gobject.source_remove(self.disable_initiator_tag)
357
self.disable_initiator_tag = (gobject.timeout_add
358
(self.timeout_milliseconds(),
359
self.disable))
360
if self.use_dbus:
361
# Emit D-Bus signal
362
self.PropertyChanged(
363
dbus.String(u"last_checked_ok"),
364
(_datetime_to_dbus(self.last_checked_ok,
365
variant_level=1)))
366
367
161
def start_checker(self):
368
162
"""Start a new checker subprocess if one is not running.
369
163
If a checker already exists, leave it running and do
370
164
nothing."""
371
# The reason for not killing a running checker is that if we
372
# did that, then if a checker (for some reason) started
373
# running slowly and taking more than 'interval' time, the
374
# client would inevitably timeout, since no checker would get
375
# a chance to run to completion. If we instead leave running
376
# checkers alone, the checker would have to take more time
377
# than 'timeout' for the client to be declared invalid, which
378
# is as it should be.
379
165
if self.checker is None:
380
try:
381
# In case checker_command has exactly one % operator
382
command = self.checker_command % self.host
383
except TypeError:
384
# Escape attributes for the shell
385
escaped_attrs = dict((key, re.escape(str(val)))
386
for key, val in
387
vars(self).iteritems())
388
try:
389
command = self.checker_command % escaped_attrs
390
except TypeError, error:
391
logger.error(u'Could not format string "%s":'
392
u' %s', self.checker_command, error)
393
return True # Try again later
394
try:
395
logger.info(u"Starting checker %r for %s",
396
command, self.name)
397
# We don't need to redirect stdout and stderr, since
398
# in normal mode, that is already done by daemon(),
399
# and in debug mode we don't want to. (Stdin is
400
# always replaced by /dev/null.)
401
self.checker = subprocess.Popen(command,
402
close_fds=True,
403
shell=True, cwd="/")
404
if self.use_dbus:
405
# Emit D-Bus signal
406
self.CheckerStarted(command)
407
self.PropertyChanged(
408
dbus.String("checker_running"),
409
dbus.Boolean(True, variant_level=1))
410
self.checker_callback_tag = (gobject.child_watch_add
411
(self.checker.pid,
412
self.checker_callback,
413
data=command))
414
except OSError, error:
415
logger.error(u"Failed to start subprocess: %s",
416
error)
166
#print "Starting checker for", self.name
167
try:
168
self.checker = subprocess.\
169
Popen("sleep 1; fping -q -- %s"
170
% re.escape(self.fqdn),
171
stdout=subprocess.PIPE,
172
close_fds=True, shell=True,
173
cwd="/")
174
self.checker_callback_tag = gobject.\
175
child_watch_add(self.checker.pid,
176
self.\
177
checker_callback)
178
except subprocess.OSError, error:
179
sys.stderr.write(u"Failed to start subprocess: %s\n"
180
% error)
417
181
# Re-run this periodically if run by gobject.timeout_add
418
182
return True
419
420
183
def stop_checker(self):
421
184
"""Force the checker process, if any, to stop."""
422
if self.checker_callback_tag:
423
gobject.source_remove(self.checker_callback_tag)
424
self.checker_callback_tag = None
425
if getattr(self, "checker", None) is None:
185
if not hasattr(self, "checker") or self.checker is None:
426
186
return
427
logger.debug(u"Stopping checker for %(name)s", vars(self))
428
try:
429
os.kill(self.checker.pid, signal.SIGTERM)
430
#os.sleep(0.5)
431
#if self.checker.poll() is None:
432
# os.kill(self.checker.pid, signal.SIGKILL)
433
except OSError, error:
434
if error.errno != errno.ESRCH: # No such process
435
raise
187
gobject.source_remove(self.checker_callback_tag)
188
self.checker_callback_tag = None
189
os.kill(self.checker.pid, signal.SIGTERM)
190
if self.checker.poll() is None:
191
os.kill(self.checker.pid, signal.SIGKILL)
436
192
self.checker = None
437
if self.use_dbus:
438
self.PropertyChanged(dbus.String(u"checker_running"),
439
dbus.Boolean(False, variant_level=1))
440
441
def still_valid(self):
193
def still_valid(self, now=None):
442
194
"""Has the timeout not yet passed for this client?"""
443
if not getattr(self, "enabled", False):
444
return False
445
now = datetime.datetime.utcnow()
446
if self.last_checked_ok is None:
195
if now is None:
196
now = datetime.datetime.now()
197
if self.last_seen is None:
447
198
return now < (self.created + self.timeout)
448
199
else:
449
return now < (self.last_checked_ok + self.timeout)
450
451
## D-Bus methods & signals
452
_interface = u"se.bsnet.fukt.Mandos.Client"
453
454
# CheckedOK - method
455
CheckedOK = dbus.service.method(_interface)(checked_ok)
456
CheckedOK.__name__ = "CheckedOK"
457
458
# CheckerCompleted - signal
459
@dbus.service.signal(_interface, signature="nxs")
460
def CheckerCompleted(self, exitcode, waitstatus, command):
461
"D-Bus signal"
462
pass
463
464
# CheckerStarted - signal
465
@dbus.service.signal(_interface, signature="s")
466
def CheckerStarted(self, command):
467
"D-Bus signal"
468
pass
469
470
# GetAllProperties - method
471
@dbus.service.method(_interface, out_signature="a{sv}")
472
def GetAllProperties(self):
473
"D-Bus method"
474
return dbus.Dictionary({
475
dbus.String("name"):
476
dbus.String(self.name, variant_level=1),
477
dbus.String("fingerprint"):
478
dbus.String(self.fingerprint, variant_level=1),
479
dbus.String("host"):
480
dbus.String(self.host, variant_level=1),
481
dbus.String("created"):
482
_datetime_to_dbus(self.created, variant_level=1),
483
dbus.String("last_enabled"):
484
(_datetime_to_dbus(self.last_enabled,
485
variant_level=1)
486
if self.last_enabled is not None
487
else dbus.Boolean(False, variant_level=1)),
488
dbus.String("enabled"):
489
dbus.Boolean(self.enabled, variant_level=1),
490
dbus.String("last_checked_ok"):
491
(_datetime_to_dbus(self.last_checked_ok,
492
variant_level=1)
493
if self.last_checked_ok is not None
494
else dbus.Boolean (False, variant_level=1)),
495
dbus.String("timeout"):
496
dbus.UInt64(self.timeout_milliseconds(),
497
variant_level=1),
498
dbus.String("interval"):
499
dbus.UInt64(self.interval_milliseconds(),
500
variant_level=1),
501
dbus.String("checker"):
502
dbus.String(self.checker_command,
503
variant_level=1),
504
dbus.String("checker_running"):
505
dbus.Boolean(self.checker is not None,
506
variant_level=1),
507
dbus.String("object_path"):
508
dbus.ObjectPath(self.dbus_object_path,
509
variant_level=1)
510
}, signature="sv")
511
512
# IsStillValid - method
513
IsStillValid = (dbus.service.method(_interface, out_signature="b")
514
(still_valid))
515
IsStillValid.__name__ = "IsStillValid"
516
517
# PropertyChanged - signal
518
@dbus.service.signal(_interface, signature="sv")
519
def PropertyChanged(self, property, value):
520
"D-Bus signal"
521
pass
522
523
# SetChecker - method
524
@dbus.service.method(_interface, in_signature="s")
525
def SetChecker(self, checker):
526
"D-Bus setter method"
527
self.checker_command = checker
528
# Emit D-Bus signal
529
self.PropertyChanged(dbus.String(u"checker"),
530
dbus.String(self.checker_command,
531
variant_level=1))
532
533
# SetHost - method
534
@dbus.service.method(_interface, in_signature="s")
535
def SetHost(self, host):
536
"D-Bus setter method"
537
self.host = host
538
# Emit D-Bus signal
539
self.PropertyChanged(dbus.String(u"host"),
540
dbus.String(self.host, variant_level=1))
541
542
# SetInterval - method
543
@dbus.service.method(_interface, in_signature="t")
544
def SetInterval(self, milliseconds):
545
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
546
# Emit D-Bus signal
547
self.PropertyChanged(dbus.String(u"interval"),
548
(dbus.UInt64(self.interval_milliseconds(),
549
variant_level=1)))
550
551
# SetSecret - method
552
@dbus.service.method(_interface, in_signature="ay",
553
byte_arrays=True)
554
def SetSecret(self, secret):
555
"D-Bus setter method"
556
self.secret = str(secret)
557
558
# SetTimeout - method
559
@dbus.service.method(_interface, in_signature="t")
560
def SetTimeout(self, milliseconds):
561
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
562
# Emit D-Bus signal
563
self.PropertyChanged(dbus.String(u"timeout"),
564
(dbus.UInt64(self.timeout_milliseconds(),
565
variant_level=1)))
566
567
# Enable - method
568
Enable = dbus.service.method(_interface)(enable)
569
Enable.__name__ = "Enable"
570
571
# StartChecker - method
572
@dbus.service.method(_interface)
573
def StartChecker(self):
574
"D-Bus method"
575
self.start_checker()
576
577
# Disable - method
578
@dbus.service.method(_interface)
579
def Disable(self):
580
"D-Bus method"
581
self.disable()
582
583
# StopChecker - method
584
StopChecker = dbus.service.method(_interface)(stop_checker)
585
StopChecker.__name__ = "StopChecker"
586
587
del _interface
588
589
590
def peer_certificate(session):
591
"Return the peer's OpenPGP certificate as a bytestring"
592
# If not an OpenPGP certificate...
593
if (gnutls.library.functions
594
.gnutls_certificate_type_get(session._c_object)
595
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
596
# ...do the normal thing
597
return session.peer_certificate
598
list_size = ctypes.c_uint(1)
599
cert_list = (gnutls.library.functions
600
.gnutls_certificate_get_peers
601
(session._c_object, ctypes.byref(list_size)))
602
if not bool(cert_list) and list_size.value != 0:
603
raise gnutls.errors.GNUTLSError("error getting peer"
604
" certificate")
605
if list_size.value == 0:
606
return None
607
cert = cert_list[0]
608
return ctypes.string_at(cert.data, cert.size)
609
610
611
def fingerprint(openpgp):
612
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
613
# New GnuTLS "datum" with the OpenPGP public key
614
datum = (gnutls.library.types
615
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
616
ctypes.POINTER
617
(ctypes.c_ubyte)),
618
ctypes.c_uint(len(openpgp))))
619
# New empty GnuTLS certificate
620
crt = gnutls.library.types.gnutls_openpgp_crt_t()
621
(gnutls.library.functions
622
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
623
# Import the OpenPGP public key into the certificate
624
(gnutls.library.functions
625
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
626
gnutls.library.constants
627
.GNUTLS_OPENPGP_FMT_RAW))
628
# Verify the self signature in the key
629
crtverify = ctypes.c_uint()
630
(gnutls.library.functions
631
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
632
if crtverify.value != 0:
633
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
634
raise gnutls.errors.CertificateSecurityError("Verify failed")
635
# New buffer for the fingerprint
636
buf = ctypes.create_string_buffer(20)
637
buf_len = ctypes.c_size_t()
638
# Get the fingerprint from the certificate into the buffer
639
(gnutls.library.functions
640
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
641
ctypes.byref(buf_len)))
642
# Deinit the certificate
643
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
644
# Convert the buffer to a Python bytestring
645
fpr = ctypes.string_at(buf, buf_len.value)
646
# Convert the bytestring to hexadecimal notation
647
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
648
return hex_fpr
649
650
651
class TCP_handler(SocketServer.BaseRequestHandler, object):
200
return now < (self.last_seen + self.timeout)
201
202
203
class tcp_handler(SocketServer.BaseRequestHandler, object):
652
204
"""A TCP request handler class.
653
205
Instantiated by IPv6_TCPServer for each request to handle it.
654
206
Note: This will run in its own forked process."""
655
656
207
def handle(self):
657
logger.info(u"TCP connection from: %s",
658
unicode(self.client_address))
659
session = (gnutls.connection
660
.ClientSession(self.request,
661
gnutls.connection
662
.X509Credentials()))
663
664
line = self.request.makefile().readline()
665
logger.debug(u"Protocol version: %r", line)
666
try:
667
if int(line.strip().split()[0]) > 1:
668
raise RuntimeError
669
except (ValueError, IndexError, RuntimeError), error:
670
logger.error(u"Unknown protocol version: %s", error)
671
return
672
673
# Note: gnutls.connection.X509Credentials is really a generic
674
# GnuTLS certificate credentials object so long as no X.509
675
# keys are added to it. Therefore, we can use it here despite
676
# using OpenPGP certificates.
677
678
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
679
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
680
# "+DHE-DSS"))
681
# Use a fallback default, since this MUST be set.
682
priority = self.server.settings.get("priority", "NORMAL")
683
(gnutls.library.functions
684
.gnutls_priority_set_direct(session._c_object,
685
priority, None))
686
208
#print u"TCP request came"
209
#print u"Request:", self.request
210
#print u"Client Address:", self.client_address
211
#print u"Server:", self.server
212
session = gnutls.connection.ServerSession(self.request,
213
self.server\
214
.credentials)
687
215
try:
688
216
session.handshake()
689
217
except gnutls.errors.GNUTLSError, error:
690
logger.warning(u"Handshake failed: %s", error)
218
#sys.stderr.write(u"Handshake failed: %s\n" % error)
691
219
# Do not run session.bye() here: the session is not
692
220
# established. Just abandon the request.
693
221
return
694
logger.debug(u"Handshake succeeded")
222
#if session.peer_certificate:
223
# print "DN:", session.peer_certificate.subject
695
224
try:
696
fpr = fingerprint(peer_certificate(session))
697
except (TypeError, gnutls.errors.GNUTLSError), error:
698
logger.warning(u"Bad certificate: %s", error)
225
session.verify_peer()
226
except gnutls.errors.CertificateError, error:
227
#sys.stderr.write(u"Verify failed: %s\n" % error)
699
228
session.bye()
700
229
return
701
logger.debug(u"Fingerprint: %s", fpr)
702
for c in self.server.clients:
703
if c.fingerprint == fpr:
230
client = None
231
for c in clients:
232
if c.dn == session.peer_certificate.subject:
704
233
client = c
705
234
break
706
else:
707
logger.warning(u"Client not found for fingerprint: %s",
708
fpr)
709
session.bye()
710
return
711
235
# Have to check if client.still_valid(), since it is possible
712
236
# that the client timed out while establishing the GnuTLS
713
237
# session.
714
if not client.still_valid():
715
logger.warning(u"Client %(name)s is invalid",
716
vars(client))
717
session.bye()
718
return
719
## This won't work here, since we're in a fork.
720
# client.checked_ok()
721
sent_size = 0
722
while sent_size < len(client.secret):
723
sent = session.send(client.secret[sent_size:])
724
logger.debug(u"Sent: %d, remaining: %d",
725
sent, len(client.secret)
726
- (sent_size + sent))
727
sent_size += sent
238
if client and client.still_valid():
239
session.send(client.password)
240
else:
241
#if client:
242
# sys.stderr.write(u"Client %(name)s is invalid\n"
243
# % vars(client))
244
#else:
245
# sys.stderr.write(u"Client not found for DN: %s\n"
246
# % session.peer_certificate.subject)
247
#session.send("gazonk")
248
pass
728
249
session.bye()
729
250
730
251
731
class IPv6_TCPServer(SocketServer.ForkingMixIn,
732
SocketServer.TCPServer, object):
252
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
733
253
"""IPv6 TCP server. Accepts 'None' as address and/or port.
734
254
Attributes:
735
settings: Server settings
255
options: Command line options
736
256
clients: Set() of Client objects
737
enabled: Boolean; whether this server is activated yet
257
credentials: GnuTLS X.509 credentials
738
258
"""
739
259
address_family = socket.AF_INET6
740
260
def __init__(self, *args, **kwargs):
741
if "settings" in kwargs:
742
self.settings = kwargs["settings"]
743
del kwargs["settings"]
261
if "options" in kwargs:
262
self.options = kwargs["options"]
263
del kwargs["options"]
744
264
if "clients" in kwargs:
745
265
self.clients = kwargs["clients"]
746
266
del kwargs["clients"]
747
self.enabled = False
748
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
267
if "credentials" in kwargs:
268
self.credentials = kwargs["credentials"]
269
del kwargs["credentials"]
270
return super(type(self), self).__init__(*args, **kwargs)
749
271
def server_bind(self):
750
272
"""This overrides the normal server_bind() function
751
273
to bind to an interface if one was specified, and also NOT to
752
274
bind to an address or port if they were not specified."""
753
if self.settings["interface"]:
754
# 25 is from /usr/include/asm-i486/socket.h
755
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
275
if self.options.interface:
276
if not hasattr(socket, "SO_BINDTODEVICE"):
277
# From /usr/include/asm-i486/socket.h
278
socket.SO_BINDTODEVICE = 25
756
279
try:
757
280
self.socket.setsockopt(socket.SOL_SOCKET,
758
SO_BINDTODEVICE,
759
self.settings["interface"])
281
socket.SO_BINDTODEVICE,
282
self.options.interface)
760
283
except socket.error, error:
761
284
if error[0] == errno.EPERM:
762
logger.error(u"No permission to"
763
u" bind to interface %s",
764
self.settings["interface"])
285
sys.stderr.write(u"Warning: No permission to bind to interface %s\n"
286
% self.options.interface)
765
287
else:
766
288
raise error
767
289
# Only bind(2) the socket if we really need to.
770
292
in6addr_any = "::"
771
293
self.server_address = (in6addr_any,
772
294
self.server_address[1])
773
elif not self.server_address[1]:
295
elif self.server_address[1] is None:
774
296
self.server_address = (self.server_address[0],
775
297
0)
776
# if self.settings["interface"]:
777
# self.server_address = (self.server_address[0],
778
# 0, # port
779
# 0, # flowinfo
780
# if_nametoindex
781
# (self.settings
782
# ["interface"]))
783
return super(IPv6_TCPServer, self).server_bind()
784
def server_activate(self):
785
if self.enabled:
786
return super(IPv6_TCPServer, self).server_activate()
787
def enable(self):
788
self.enabled = True
298
return super(type(self), self).server_bind()
789
299
790
300
791
301
def string_to_delta(interval):
801
311
datetime.timedelta(1)
802
312
>>> string_to_delta(u'1w')
803
313
datetime.timedelta(7)
804
>>> string_to_delta('5m 30s')
805
datetime.timedelta(0, 330)
806
314
"""
807
timevalue = datetime.timedelta(0)
808
for s in interval.split():
809
try:
810
suffix = unicode(s[-1])
811
value = int(s[:-1])
812
if suffix == u"d":
813
delta = datetime.timedelta(value)
814
elif suffix == u"s":
815
delta = datetime.timedelta(0, value)
816
elif suffix == u"m":
817
delta = datetime.timedelta(0, 0, 0, 0, value)
818
elif suffix == u"h":
819
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
820
elif suffix == u"w":
821
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
822
else:
823
raise ValueError
824
except (ValueError, IndexError):
315
try:
316
suffix=unicode(interval[-1])
317
value=int(interval[:-1])
318
if suffix == u"d":
319
delta = datetime.timedelta(value)
320
elif suffix == u"s":
321
delta = datetime.timedelta(0, value)
322
elif suffix == u"m":
323
delta = datetime.timedelta(0, 0, 0, 0, value)
324
elif suffix == u"h":
325
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
326
elif suffix == u"w":
327
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
328
else:
825
329
raise ValueError
826
timevalue += delta
827
return timevalue
330
except (ValueError, IndexError):
331
raise ValueError
332
return delta
333
334
335
def add_service():
336
"""From the Avahi server example code"""
337
global group, serviceName, serviceType, servicePort, serviceTXT, \
338
domain, host
339
if group is None:
340
group = dbus.Interface(
341
bus.get_object( avahi.DBUS_NAME,
342
server.EntryGroupNew()),
343
avahi.DBUS_INTERFACE_ENTRY_GROUP)
344
group.connect_to_signal('StateChanged',
345
entry_group_state_changed)
346
347
# print "Adding service '%s' of type '%s' ..." % (serviceName,
348
# serviceType)
349
350
group.AddService(
351
serviceInterface, # interface
352
avahi.PROTO_INET6, # protocol
353
dbus.UInt32(0), # flags
354
serviceName, serviceType,
355
domain, host,
356
dbus.UInt16(servicePort),
357
avahi.string_array_to_txt_array(serviceTXT))
358
group.Commit()
359
360
361
def remove_service():
362
"""From the Avahi server example code"""
363
global group
364
365
if not group is None:
366
group.Reset()
828
367
829
368
830
369
def server_state_changed(state):
831
"""Derived from the Avahi example code"""
370
"""From the Avahi server example code"""
832
371
if state == avahi.SERVER_COLLISION:
833
logger.error(u"Zeroconf server name collision")
834
service.remove()
372
print "WARNING: Server name collision"
373
remove_service()
835
374
elif state == avahi.SERVER_RUNNING:
836
service.add()
375
add_service()
837
376
838
377
839
378
def entry_group_state_changed(state, error):
840
"""Derived from the Avahi example code"""
841
logger.debug(u"Avahi state change: %i", state)
379
"""From the Avahi server example code"""
380
global serviceName, server, rename_count
381
382
# print "state change: %i" % state
842
383
843
384
if state == avahi.ENTRY_GROUP_ESTABLISHED:
844
logger.debug(u"Zeroconf service established.")
385
pass
386
# print "Service established."
845
387
elif state == avahi.ENTRY_GROUP_COLLISION:
846
logger.warning(u"Zeroconf service name collision.")
847
service.rename()
388
389
rename_count = rename_count - 1
390
if rename_count > 0:
391
name = server.GetAlternativeServiceName(name)
392
print "WARNING: Service name collision, changing name to '%s' ..." % name
393
remove_service()
394
add_service()
395
396
else:
397
print "ERROR: No suitable service name found after %i retries, exiting." % n_rename
398
main_loop.quit()
848
399
elif state == avahi.ENTRY_GROUP_FAILURE:
849
logger.critical(u"Avahi: Error in group state changed %s",
850
unicode(error))
851
raise AvahiGroupError(u"State changed: %s" % unicode(error))
400
print "Error in group state changed", error
401
main_loop.quit()
402
return
403
852
404
853
405
def if_nametoindex(interface):
854
"""Call the C function if_nametoindex(), or equivalent"""
855
global if_nametoindex
406
"""Call the C function if_nametoindex()"""
856
407
try:
857
if_nametoindex = (ctypes.cdll.LoadLibrary
858
(ctypes.util.find_library("c"))
859
.if_nametoindex)
860
except (OSError, AttributeError):
408
if "ctypes" not in sys.modules:
409
import ctypes
410
libc = ctypes.cdll.LoadLibrary("libc.so.6")
411
return libc.if_nametoindex(interface)
412
except (ImportError, OSError, AttributeError):
861
413
if "struct" not in sys.modules:
862
414
import struct
863
415
if "fcntl" not in sys.modules:
864
416
import fcntl
865
def if_nametoindex(interface):
866
"Get an interface index the hard way, i.e. using fcntl()"
867
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
868
with closing(socket.socket()) as s:
869
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
870
struct.pack("16s16x", interface))
871
interface_index = struct.unpack("I", ifreq[16:20])[0]
872
return interface_index
873
return if_nametoindex(interface)
874
875
876
def daemon(nochdir = False, noclose = False):
877
"""See daemon(3). Standard BSD Unix function.
878
This should really exist as os.daemon, but it doesn't (yet)."""
879
if os.fork():
880
sys.exit()
881
os.setsid()
882
if not nochdir:
883
os.chdir("/")
884
if os.fork():
885
sys.exit()
886
if not noclose:
887
# Close all standard open file descriptors
888
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
889
if not stat.S_ISCHR(os.fstat(null).st_mode):
890
raise OSError(errno.ENODEV,
891
"/dev/null not a character device")
892
os.dup2(null, sys.stdin.fileno())
893
os.dup2(null, sys.stdout.fileno())
894
os.dup2(null, sys.stderr.fileno())
895
if null > 2:
896
os.close(null)
897
898
899
def main():
900
parser = optparse.OptionParser(version = "%%prog %s" % version)
417
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
418
s = socket.socket()
419
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
420
struct.pack("16s16x", interface))
421
s.close()
422
interface_index = struct.unpack("I", ifreq[16:20])[0]
423
return interface_index
424
425
426
if __name__ == '__main__':
427
parser = OptionParser()
901
428
parser.add_option("-i", "--interface", type="string",
902
metavar="IF", help="Bind to interface IF")
903
parser.add_option("-a", "--address", type="string",
904
help="Address to listen for requests on")
905
parser.add_option("-p", "--port", type="int",
429
default=None, metavar="IF",
430
help="Bind to interface IF")
431
parser.add_option("--cert", type="string", default="cert.pem",
432
metavar="FILE",
433
help="Public key certificate PEM file to use")
434
parser.add_option("--key", type="string", default="key.pem",
435
metavar="FILE",
436
help="Private key PEM file to use")
437
parser.add_option("--ca", type="string", default="ca.pem",
438
metavar="FILE",
439
help="Certificate Authority certificate PEM file to use")
440
parser.add_option("--crl", type="string", default="crl.pem",
441
metavar="FILE",
442
help="Certificate Revokation List PEM file to use")
443
parser.add_option("-p", "--port", type="int", default=None,
906
444
help="Port number to receive requests on")
907
parser.add_option("--check", action="store_true",
445
parser.add_option("--timeout", type="string", # Parsed later
446
default="1h",
447
help="Amount of downtime allowed for clients")
448
parser.add_option("--interval", type="string", # Parsed later
449
default="5m",
450
help="How often to check that a client is up")
451
parser.add_option("--check", action="store_true", default=False,
908
452
help="Run self-test")
909
parser.add_option("--debug", action="store_true",
910
help="Debug mode; run in foreground and log to"
911
" terminal")
912
parser.add_option("--priority", type="string", help="GnuTLS"
913
" priority string (see GnuTLS documentation)")
914
parser.add_option("--servicename", type="string", metavar="NAME",
915
help="Zeroconf service name")
916
parser.add_option("--configdir", type="string",
917
default="/etc/mandos", metavar="DIR",
918
help="Directory to search for configuration"
919
" files")
920
parser.add_option("--no-dbus", action="store_false",
921
dest="use_dbus",
922
help="Do not provide D-Bus system bus"
923
" interface")
924
options = parser.parse_args()[0]
453
(options, args) = parser.parse_args()
925
454
926
455
if options.check:
927
456
import doctest
928
457
doctest.testmod()
929
458
sys.exit()
930
459
931
# Default values for config file for server-global settings
932
server_defaults = { "interface": "",
933
"address": "",
934
"port": "",
935
"debug": "False",
936
"priority":
937
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
938
"servicename": "Mandos",
939
"use_dbus": "True",
940
}
941
942
# Parse config file for server-global settings
943
server_config = ConfigParser.SafeConfigParser(server_defaults)
944
del server_defaults
945
server_config.read(os.path.join(options.configdir, "mandos.conf"))
946
# Convert the SafeConfigParser object to a dict
947
server_settings = server_config.defaults()
948
# Use the appropriate methods on the non-string config options
949
server_settings["debug"] = server_config.getboolean("DEFAULT",
950
"debug")
951
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
952
"use_dbus")
953
if server_settings["port"]:
954
server_settings["port"] = server_config.getint("DEFAULT",
955
"port")
956
del server_config
957
958
# Override the settings from the config file with command line
959
# options, if set.
960
for option in ("interface", "address", "port", "debug",
961
"priority", "servicename", "configdir",
962
"use_dbus"):
963
value = getattr(options, option)
964
if value is not None:
965
server_settings[option] = value
966
del options
967
# Now we have our good server settings in "server_settings"
968
969
# For convenience
970
debug = server_settings["debug"]
971
use_dbus = server_settings["use_dbus"]
972
973
if not debug:
974
syslogger.setLevel(logging.WARNING)
975
console.setLevel(logging.WARNING)
976
977
if server_settings["servicename"] != "Mandos":
978
syslogger.setFormatter(logging.Formatter
979
('Mandos (%s): %%(levelname)s:'
980
' %%(message)s'
981
% server_settings["servicename"]))
982
983
# Parse config file with clients
984
client_defaults = { "timeout": "1h",
985
"interval": "5m",
986
"checker": "fping -q -- %%(host)s",
987
"host": "",
988
}
989
client_config = ConfigParser.SafeConfigParser(client_defaults)
990
client_config.read(os.path.join(server_settings["configdir"],
991
"clients.conf"))
992
993
clients = Set()
994
tcp_server = IPv6_TCPServer((server_settings["address"],
995
server_settings["port"]),
996
TCP_handler,
997
settings=server_settings,
998
clients=clients)
999
pidfilename = "/var/run/mandos.pid"
1000
try:
1001
pidfile = open(pidfilename, "w")
1002
except IOError, error:
1003
logger.error("Could not open file %r", pidfilename)
1004
1005
try:
1006
uid = pwd.getpwnam("_mandos").pw_uid
1007
gid = pwd.getpwnam("_mandos").pw_gid
1008
except KeyError:
1009
try:
1010
uid = pwd.getpwnam("mandos").pw_uid
1011
gid = pwd.getpwnam("mandos").pw_gid
1012
except KeyError:
1013
try:
1014
uid = pwd.getpwnam("nobody").pw_uid
1015
gid = pwd.getpwnam("nogroup").pw_gid
1016
except KeyError:
1017
uid = 65534
1018
gid = 65534
1019
try:
1020
os.setuid(uid)
1021
os.setgid(gid)
1022
except OSError, error:
1023
if error[0] != errno.EPERM:
1024
raise error
1025
1026
global service
1027
service = AvahiService(name = server_settings["servicename"],
1028
servicetype = "_mandos._tcp", )
1029
if server_settings["interface"]:
1030
service.interface = (if_nametoindex
1031
(server_settings["interface"]))
1032
1033
global main_loop
1034
global bus
1035
global server
1036
# From the Avahi example code
460
# Parse the time arguments
461
try:
462
options.timeout = string_to_delta(options.timeout)
463
except ValueError:
464
parser.error("option --timeout: Unparseable time")
465
try:
466
options.interval = string_to_delta(options.interval)
467
except ValueError:
468
parser.error("option --interval: Unparseable time")
469
470
cert = gnutls.crypto.X509Certificate(open(options.cert).read())
471
key = gnutls.crypto.X509PrivateKey(open(options.key).read())
472
ca = gnutls.crypto.X509Certificate(open(options.ca).read())
473
crl = gnutls.crypto.X509CRL(open(options.crl).read())
474
cred = gnutls.connection.X509Credentials(cert, key, [ca], [crl])
475
476
# Parse config file
477
defaults = {}
478
client_config = ConfigParser.SafeConfigParser(defaults)
479
#client_config.readfp(open("secrets.conf"), "secrets.conf")
480
client_config.read("mandos-clients.conf")
481
482
# From the Avahi server example code
1037
483
DBusGMainLoop(set_as_default=True )
1038
484
main_loop = gobject.MainLoop()
1039
485
bus = dbus.SystemBus()
1040
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1041
avahi.DBUS_PATH_SERVER),
1042
avahi.DBUS_INTERFACE_SERVER)
486
server = dbus.Interface(
487
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
488
avahi.DBUS_INTERFACE_SERVER )
1043
489
# End of Avahi example code
1044
if use_dbus:
1045
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1046
1047
clients.update(Set(Client(name = section,
1048
config
1049
= dict(client_config.items(section)),
1050
use_dbus = use_dbus)
490
491
clients = Set()
492
def remove_from_clients(client):
493
clients.remove(client)
494
if not clients:
495
print "No clients left, exiting"
496
main_loop.quit()
497
498
clients.update(Set(Client(name=section, options=options,
499
stop_hook = remove_from_clients,
500
**(dict(client_config\
501
.items(section))))
1051
502
for section in client_config.sections()))
1052
if not clients:
1053
logger.warning(u"No clients defined")
1054
1055
if debug:
1056
# Redirect stdin so all checkers get /dev/null
1057
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1058
os.dup2(null, sys.stdin.fileno())
1059
if null > 2:
1060
os.close(null)
1061
else:
1062
# No console logging
1063
logger.removeHandler(console)
1064
# Close all input and output, do double fork, etc.
1065
daemon()
1066
1067
try:
1068
pid = os.getpid()
1069
pidfile.write(str(pid) + "\n")
1070
pidfile.close()
1071
del pidfile
1072
except IOError:
1073
logger.error(u"Could not write to file %r with PID %d",
1074
pidfilename, pid)
1075
except NameError:
1076
# "pidfile" was never created
1077
pass
1078
del pidfilename
1079
1080
def cleanup():
1081
"Cleanup function; run on exit"
1082
global group
1083
# From the Avahi example code
1084
if not group is None:
1085
group.Free()
1086
group = None
1087
# End of Avahi example code
1088
1089
while clients:
1090
client = clients.pop()
1091
client.disable_hook = None
1092
client.disable()
1093
1094
atexit.register(cleanup)
1095
1096
if not debug:
1097
signal.signal(signal.SIGINT, signal.SIG_IGN)
1098
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1099
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1100
1101
if use_dbus:
1102
class MandosServer(dbus.service.Object):
1103
"""A D-Bus proxy object"""
1104
def __init__(self):
1105
dbus.service.Object.__init__(self, bus, "/")
1106
_interface = u"se.bsnet.fukt.Mandos"
1107
1108
@dbus.service.signal(_interface, signature="oa{sv}")
1109
def ClientAdded(self, objpath, properties):
1110
"D-Bus signal"
1111
pass
1112
1113
@dbus.service.signal(_interface, signature="os")
1114
def ClientRemoved(self, objpath, name):
1115
"D-Bus signal"
1116
pass
1117
1118
@dbus.service.method(_interface, out_signature="ao")
1119
def GetAllClients(self):
1120
"D-Bus method"
1121
return dbus.Array(c.dbus_object_path for c in clients)
1122
1123
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1124
def GetAllClientsWithProperties(self):
1125
"D-Bus method"
1126
return dbus.Dictionary(
1127
((c.dbus_object_path, c.GetAllProperties())
1128
for c in clients),
1129
signature="oa{sv}")
1130
1131
@dbus.service.method(_interface, in_signature="o")
1132
def RemoveClient(self, object_path):
1133
"D-Bus method"
1134
for c in clients:
1135
if c.dbus_object_path == object_path:
1136
clients.remove(c)
1137
# Don't signal anything except ClientRemoved
1138
c.use_dbus = False
1139
c.disable()
1140
# Emit D-Bus signal
1141
self.ClientRemoved(object_path, c.name)
1142
return
1143
raise KeyError
1144
1145
del _interface
1146
1147
mandos_server = MandosServer()
1148
1149
503
for client in clients:
1150
if use_dbus:
1151
# Emit D-Bus signal
1152
mandos_server.ClientAdded(client.dbus_object_path,
1153
client.GetAllProperties())
1154
client.enable()
1155
1156
tcp_server.enable()
1157
tcp_server.server_activate()
1158
1159
# Find out what port we got
1160
service.port = tcp_server.socket.getsockname()[1]
1161
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1162
u" scope_id %d" % tcp_server.socket.getsockname())
1163
1164
#service.interface = tcp_server.socket.getsockname()[3]
1165
504
client.start()
505
506
tcp_server = IPv6_TCPServer((None, options.port),
507
tcp_handler,
508
options=options,
509
clients=clients,
510
credentials=cred)
511
# Find out what random port we got
512
servicePort = tcp_server.socket.getsockname()[1]
513
#sys.stderr.write("Now listening on port %d\n" % servicePort)
514
515
if options.interface is not None:
516
serviceInterface = if_nametoindex(options.interface)
517
518
# From the Avahi server example code
519
server.connect_to_signal("StateChanged", server_state_changed)
520
server_state_changed(server.GetState())
521
# End of Avahi example code
522
523
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
524
lambda *args, **kwargs:
525
tcp_server.handle_request(*args[2:],
526
**kwargs) or True)
1166
527
try:
1167
# From the Avahi example code
1168
server.connect_to_signal("StateChanged", server_state_changed)
1169
try:
1170
server_state_changed(server.GetState())
1171
except dbus.exceptions.DBusException, error:
1172
logger.critical(u"DBusException: %s", error)
1173
sys.exit(1)
1174
# End of Avahi example code
1175
1176
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1177
lambda *args, **kwargs:
1178
(tcp_server.handle_request
1179
(*args[2:], **kwargs) or True))
1180
1181
logger.debug(u"Starting main loop")
1182
528
main_loop.run()
1183
except AvahiError, error:
1184
logger.critical(u"AvahiError: %s", error)
1185
sys.exit(1)
1186
529
except KeyboardInterrupt:
1187
if debug:
1188
print
530
print
531
532
# Cleanup here
1189
533
1190
if __name__ == '__main__':
1191
main()
534
# From the Avahi server example code
535
if not group is None:
536
group.Free()
537
# End of Avahi example code
538
539
for client in clients:
540
client.stop_hook = None
541
client.stop()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0