To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 120
- compare with another revision
- download diff
- download tarball
- view history from revision 120
- Committer: Teddy Hogeborn
- Date: 2008-08-30 19:05:15 UTC
- Revision ID: teddy@fukt.bsnet.se-20080830190515-l7e6vu81yyw5kcku
* mandos.xml (SYNOPSIS): Use <option> and <replaceable> tags. Unify
short and long options.
short and long options.
- files added:
- plugins.d/usplash
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
16
15
#
17
16
# This program is free software: you can redistribute it and/or modify
18
17
# it under the terms of the GNU General Public License as published by
31
30
# Contact the authors at <mandos@fukt.bsnet.se>.
32
31
#
33
32
34
from __future__ import division, with_statement, absolute_import
33
from __future__ import division
35
34
36
import SocketServer as socketserver
35
import SocketServer
37
36
import socket
38
import optparse
37
import select
38
from optparse import OptionParser
39
39
import datetime
40
40
import errno
41
41
import gnutls.crypto
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
55
56
import logging
56
57
import logging.handlers
57
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import select
64
58
65
59
import dbus
66
import dbus.service
67
60
import gobject
68
61
import avahi
69
62
from dbus.mainloop.glib import DBusGMainLoop
70
63
import ctypes
71
import ctypes.util
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
logger = logging.Logger(u'mandos')
87
syslogger = (logging.handlers.SysLogHandler
88
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
89
address = "/dev/log"))
90
syslogger.setFormatter(logging.Formatter
91
(u'Mandos [%(process)d]: %(levelname)s:'
92
u' %(message)s'))
64
65
version = "1.0"
66
67
logger = logging.Logger('mandos')
68
syslogger = logging.handlers.SysLogHandler\
69
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
70
address = "/dev/log")
71
syslogger.setFormatter(logging.Formatter\
72
('Mandos: %(levelname)s: %(message)s'))
93
73
logger.addHandler(syslogger)
94
74
95
75
console = logging.StreamHandler()
96
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
97
u' %(levelname)s:'
98
u' %(message)s'))
76
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
77
' %(message)s'))
99
78
logger.addHandler(console)
100
79
101
80
class AvahiError(Exception):
102
def __init__(self, value, *args, **kwargs):
81
def __init__(self, value):
103
82
self.value = value
104
super(AvahiError, self).__init__(value, *args, **kwargs)
105
def __unicode__(self):
106
return unicode(repr(self.value))
83
def __str__(self):
84
return repr(self.value)
107
85
108
86
class AvahiServiceError(AvahiError):
109
87
pass
114
92
115
93
class AvahiService(object):
116
94
"""An Avahi (Zeroconf) service.
117
118
95
Attributes:
119
96
interface: integer; avahi.IF_UNSPEC or an interface index.
120
97
Used to optionally bind to the specified interface.
121
name: string; Example: u'Mandos'
122
type: string; Example: u'_mandos._tcp'.
98
name: string; Example: 'Mandos'
99
type: string; Example: '_mandos._tcp'.
123
100
See <http://www.dns-sd.org/ServiceTypes.html>
124
101
port: integer; what port to announce
125
102
TXT: list of strings; TXT record for the service
128
105
max_renames: integer; maximum number of renames
129
106
rename_count: integer; counter so we only rename after collisions
130
107
a sensible number of times
131
group: D-Bus Entry Group
132
server: D-Bus Server
133
bus: dbus.SystemBus()
134
108
"""
135
109
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
136
servicetype = None, port = None, TXT = None,
137
domain = u"", host = u"", max_renames = 32768,
138
protocol = avahi.PROTO_UNSPEC, bus = None):
110
type = None, port = None, TXT = None, domain = "",
111
host = "", max_renames = 32768):
139
112
self.interface = interface
140
113
self.name = name
141
self.type = servicetype
114
self.type = type
142
115
self.port = port
143
self.TXT = TXT if TXT is not None else []
116
if TXT is None:
117
self.TXT = []
118
else:
119
self.TXT = TXT
144
120
self.domain = domain
145
121
self.host = host
146
122
self.rename_count = 0
147
123
self.max_renames = max_renames
148
self.protocol = protocol
149
self.group = None # our entry group
150
self.server = None
151
self.bus = bus
152
124
def rename(self):
153
125
"""Derived from the Avahi example code"""
154
126
if self.rename_count >= self.max_renames:
155
127
logger.critical(u"No suitable Zeroconf service name found"
156
128
u" after %i retries, exiting.",
157
self.rename_count)
158
raise AvahiServiceError(u"Too many renames")
159
self.name = self.server.GetAlternativeServiceName(self.name)
129
rename_count)
130
raise AvahiServiceError("Too many renames")
131
self.name = server.GetAlternativeServiceName(self.name)
160
132
logger.info(u"Changing Zeroconf service name to %r ...",
161
unicode(self.name))
162
syslogger.setFormatter(logging.Formatter
163
(u'Mandos (%s) [%%(process)d]:'
164
u' %%(levelname)s: %%(message)s'
165
% self.name))
133
str(self.name))
134
syslogger.setFormatter(logging.Formatter\
135
('Mandos (%s): %%(levelname)s:'
136
' %%(message)s' % self.name))
166
137
self.remove()
167
138
self.add()
168
139
self.rename_count += 1
169
140
def remove(self):
170
141
"""Derived from the Avahi example code"""
171
if self.group is not None:
172
self.group.Reset()
142
if group is not None:
143
group.Reset()
173
144
def add(self):
174
145
"""Derived from the Avahi example code"""
175
if self.group is None:
176
self.group = dbus.Interface(
177
self.bus.get_object(avahi.DBUS_NAME,
178
self.server.EntryGroupNew()),
179
avahi.DBUS_INTERFACE_ENTRY_GROUP)
180
self.group.connect_to_signal('StateChanged',
181
self
182
.entry_group_state_changed)
146
global group
147
if group is None:
148
group = dbus.Interface\
149
(bus.get_object(avahi.DBUS_NAME,
150
server.EntryGroupNew()),
151
avahi.DBUS_INTERFACE_ENTRY_GROUP)
152
group.connect_to_signal('StateChanged',
153
entry_group_state_changed)
183
154
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
184
self.name, self.type)
185
self.group.AddService(
186
self.interface,
187
self.protocol,
188
dbus.UInt32(0), # flags
189
self.name, self.type,
190
self.domain, self.host,
191
dbus.UInt16(self.port),
192
avahi.string_array_to_txt_array(self.TXT))
193
self.group.Commit()
194
def entry_group_state_changed(self, state, error):
195
"""Derived from the Avahi example code"""
196
logger.debug(u"Avahi state change: %i", state)
197
198
if state == avahi.ENTRY_GROUP_ESTABLISHED:
199
logger.debug(u"Zeroconf service established.")
200
elif state == avahi.ENTRY_GROUP_COLLISION:
201
logger.warning(u"Zeroconf service name collision.")
202
self.rename()
203
elif state == avahi.ENTRY_GROUP_FAILURE:
204
logger.critical(u"Avahi: Error in group state changed %s",
205
unicode(error))
206
raise AvahiGroupError(u"State changed: %s"
207
% unicode(error))
208
def cleanup(self):
209
"""Derived from the Avahi example code"""
210
if self.group is not None:
211
self.group.Free()
212
self.group = None
213
def server_state_changed(self, state):
214
"""Derived from the Avahi example code"""
215
if state == avahi.SERVER_COLLISION:
216
logger.error(u"Zeroconf server name collision")
217
self.remove()
218
elif state == avahi.SERVER_RUNNING:
219
self.add()
220
def activate(self):
221
"""Derived from the Avahi example code"""
222
if self.server is None:
223
self.server = dbus.Interface(
224
self.bus.get_object(avahi.DBUS_NAME,
225
avahi.DBUS_PATH_SERVER),
226
avahi.DBUS_INTERFACE_SERVER)
227
self.server.connect_to_signal(u"StateChanged",
228
self.server_state_changed)
229
self.server_state_changed(self.server.GetState())
155
service.name, service.type)
156
group.AddService(
157
self.interface, # interface
158
avahi.PROTO_INET6, # protocol
159
dbus.UInt32(0), # flags
160
self.name, self.type,
161
self.domain, self.host,
162
dbus.UInt16(self.port),
163
avahi.string_array_to_txt_array(self.TXT))
164
group.Commit()
165
166
# From the Avahi example code:
167
group = None # our entry group
168
# End of Avahi example code
230
169
231
170
232
171
class Client(object):
233
172
"""A representation of a client host served by this server.
234
235
173
Attributes:
236
name: string; from the config file, used in log messages and
237
D-Bus identifiers
174
name: string; from the config file, used in log messages
238
175
fingerprint: string (40 or 32 hexadecimal digits); used to
239
176
uniquely identify the client
240
secret: bytestring; sent verbatim (over TLS) to client
241
host: string; available for use by the checker command
242
created: datetime.datetime(); (UTC) object creation
243
last_enabled: datetime.datetime(); (UTC)
244
enabled: bool()
245
last_checked_ok: datetime.datetime(); (UTC) or None
246
timeout: datetime.timedelta(); How long from last_checked_ok
247
until this client is disabled
248
interval: datetime.timedelta(); How often to start a new checker
249
disable_hook: If set, called by disable() as disable_hook(self)
250
checker: subprocess.Popen(); a running checker process used
251
to see if the client lives.
252
'None' if no process is running.
177
secret: bytestring; sent verbatim (over TLS) to client
178
host: string; available for use by the checker command
179
created: datetime.datetime(); object creation, not client host
180
last_checked_ok: datetime.datetime() or None if not yet checked OK
181
timeout: datetime.timedelta(); How long from last_checked_ok
182
until this client is invalid
183
interval: datetime.timedelta(); How often to start a new checker
184
stop_hook: If set, called by stop() as stop_hook(self)
185
checker: subprocess.Popen(); a running checker process used
186
to see if the client lives.
187
'None' if no process is running.
253
188
checker_initiator_tag: a gobject event source tag, or None
254
disable_initiator_tag: - '' -
189
stop_initiator_tag: - '' -
255
190
checker_callback_tag: - '' -
256
191
checker_command: string; External command which is run to check if
257
192
client lives. %() expansions are done at
258
193
runtime with vars(self) as dict, so that for
259
194
instance %(name)s can be used in the command.
260
current_checker_command: string; current running checker_command
195
Private attibutes:
196
_timeout: Real variable for 'timeout'
197
_interval: Real variable for 'interval'
198
_timeout_milliseconds: Used when calling gobject.timeout_add()
199
_interval_milliseconds: - '' -
261
200
"""
262
263
@staticmethod
264
def _timedelta_to_milliseconds(td):
265
"Convert a datetime.timedelta() to milliseconds"
266
return ((td.days * 24 * 60 * 60 * 1000)
267
+ (td.seconds * 1000)
268
+ (td.microseconds // 1000))
269
270
def timeout_milliseconds(self):
271
"Return the 'timeout' attribute in milliseconds"
272
return self._timedelta_to_milliseconds(self.timeout)
273
274
def interval_milliseconds(self):
275
"Return the 'interval' attribute in milliseconds"
276
return self._timedelta_to_milliseconds(self.interval)
277
278
def __init__(self, name = None, disable_hook=None, config=None):
201
def _set_timeout(self, timeout):
202
"Setter function for 'timeout' attribute"
203
self._timeout = timeout
204
self._timeout_milliseconds = ((self.timeout.days
205
* 24 * 60 * 60 * 1000)
206
+ (self.timeout.seconds * 1000)
207
+ (self.timeout.microseconds
208
// 1000))
209
timeout = property(lambda self: self._timeout,
210
_set_timeout)
211
del _set_timeout
212
def _set_interval(self, interval):
213
"Setter function for 'interval' attribute"
214
self._interval = interval
215
self._interval_milliseconds = ((self.interval.days
216
* 24 * 60 * 60 * 1000)
217
+ (self.interval.seconds
218
* 1000)
219
+ (self.interval.microseconds
220
// 1000))
221
interval = property(lambda self: self._interval,
222
_set_interval)
223
del _set_interval
224
def __init__(self, name = None, stop_hook=None, config={}):
279
225
"""Note: the 'checker' key in 'config' sets the
280
226
'checker_command' attribute and *not* the 'checker'
281
227
attribute."""
282
228
self.name = name
283
if config is None:
284
config = {}
285
229
logger.debug(u"Creating client %r", self.name)
286
230
# Uppercase and remove spaces from fingerprint for later
287
231
# comparison purposes with return value from the fingerprint()
288
232
# function
289
self.fingerprint = (config[u"fingerprint"].upper()
290
.replace(u" ", u""))
233
self.fingerprint = config["fingerprint"].upper()\
234
.replace(u" ", u"")
291
235
logger.debug(u" Fingerprint: %s", self.fingerprint)
292
if u"secret" in config:
293
self.secret = config[u"secret"].decode(u"base64")
294
elif u"secfile" in config:
295
with open(os.path.expanduser(os.path.expandvars
296
(config[u"secfile"])),
297
"rb") as secfile:
298
self.secret = secfile.read()
236
if "secret" in config:
237
self.secret = config["secret"].decode(u"base64")
238
elif "secfile" in config:
239
sf = open(config["secfile"])
240
self.secret = sf.read()
241
sf.close()
299
242
else:
300
243
raise TypeError(u"No secret or secfile for client %s"
301
244
% self.name)
302
self.host = config.get(u"host", u"")
303
self.created = datetime.datetime.utcnow()
304
self.enabled = False
305
self.last_enabled = None
245
self.host = config.get("host", "")
246
self.created = datetime.datetime.now()
306
247
self.last_checked_ok = None
307
self.timeout = string_to_delta(config[u"timeout"])
308
self.interval = string_to_delta(config[u"interval"])
309
self.disable_hook = disable_hook
248
self.timeout = string_to_delta(config["timeout"])
249
self.interval = string_to_delta(config["interval"])
250
self.stop_hook = stop_hook
310
251
self.checker = None
311
252
self.checker_initiator_tag = None
312
self.disable_initiator_tag = None
253
self.stop_initiator_tag = None
313
254
self.checker_callback_tag = None
314
self.checker_command = config[u"checker"]
315
self.current_checker_command = None
316
self.last_connect = None
317
318
def enable(self):
255
self.check_command = config["checker"]
256
def start(self):
319
257
"""Start this client's checker and timeout hooks"""
320
if getattr(self, u"enabled", False):
321
# Already enabled
322
return
323
self.last_enabled = datetime.datetime.utcnow()
324
258
# Schedule a new checker to be started an 'interval' from now,
325
259
# and every interval from then on.
326
self.checker_initiator_tag = (gobject.timeout_add
327
(self.interval_milliseconds(),
328
self.start_checker))
329
# Schedule a disable() when 'timeout' has passed
330
self.disable_initiator_tag = (gobject.timeout_add
331
(self.timeout_milliseconds(),
332
self.disable))
333
self.enabled = True
260
self.checker_initiator_tag = gobject.timeout_add\
261
(self._interval_milliseconds,
262
self.start_checker)
334
263
# Also start a new checker *right now*.
335
264
self.start_checker()
336
337
def disable(self, quiet=True):
338
"""Disable this client."""
339
if not getattr(self, "enabled", False):
265
# Schedule a stop() when 'timeout' has passed
266
self.stop_initiator_tag = gobject.timeout_add\
267
(self._timeout_milliseconds,
268
self.stop)
269
def stop(self):
270
"""Stop this client.
271
The possibility that a client might be restarted is left open,
272
but not currently used."""
273
# If this client doesn't have a secret, it is already stopped.
274
if hasattr(self, "secret") and self.secret:
275
logger.info(u"Stopping client %s", self.name)
276
self.secret = None
277
else:
340
278
return False
341
if not quiet:
342
logger.info(u"Disabling client %s", self.name)
343
if getattr(self, u"disable_initiator_tag", False):
344
gobject.source_remove(self.disable_initiator_tag)
345
self.disable_initiator_tag = None
346
if getattr(self, u"checker_initiator_tag", False):
279
if getattr(self, "stop_initiator_tag", False):
280
gobject.source_remove(self.stop_initiator_tag)
281
self.stop_initiator_tag = None
282
if getattr(self, "checker_initiator_tag", False):
347
283
gobject.source_remove(self.checker_initiator_tag)
348
284
self.checker_initiator_tag = None
349
285
self.stop_checker()
350
if self.disable_hook:
351
self.disable_hook(self)
352
self.enabled = False
286
if self.stop_hook:
287
self.stop_hook(self)
353
288
# Do not run this again if called by a gobject.timeout_add
354
289
return False
355
356
290
def __del__(self):
357
self.disable_hook = None
358
self.disable()
359
360
def checker_callback(self, pid, condition, command):
291
self.stop_hook = None
292
self.stop()
293
def checker_callback(self, pid, condition):
361
294
"""The checker has completed, so take appropriate actions."""
295
now = datetime.datetime.now()
362
296
self.checker_callback_tag = None
363
297
self.checker = None
364
if os.WIFEXITED(condition):
365
exitstatus = os.WEXITSTATUS(condition)
366
if exitstatus == 0:
367
logger.info(u"Checker for %(name)s succeeded",
368
vars(self))
369
self.checked_ok()
370
else:
371
logger.info(u"Checker for %(name)s failed",
372
vars(self))
373
else:
298
if os.WIFEXITED(condition) \
299
and (os.WEXITSTATUS(condition) == 0):
300
logger.info(u"Checker for %(name)s succeeded",
301
vars(self))
302
self.last_checked_ok = now
303
gobject.source_remove(self.stop_initiator_tag)
304
self.stop_initiator_tag = gobject.timeout_add\
305
(self._timeout_milliseconds,
306
self.stop)
307
elif not os.WIFEXITED(condition):
374
308
logger.warning(u"Checker for %(name)s crashed?",
375
309
vars(self))
376
377
def checked_ok(self):
378
"""Bump up the timeout for this client.
379
380
This should only be called when the client has been seen,
381
alive and well.
382
"""
383
self.last_checked_ok = datetime.datetime.utcnow()
384
gobject.source_remove(self.disable_initiator_tag)
385
self.disable_initiator_tag = (gobject.timeout_add
386
(self.timeout_milliseconds(),
387
self.disable))
388
310
else:
311
logger.info(u"Checker for %(name)s failed",
312
vars(self))
389
313
def start_checker(self):
390
314
"""Start a new checker subprocess if one is not running.
391
392
315
If a checker already exists, leave it running and do
393
316
nothing."""
394
317
# The reason for not killing a running checker is that if we
397
320
# client would inevitably timeout, since no checker would get
398
321
# a chance to run to completion. If we instead leave running
399
322
# checkers alone, the checker would have to take more time
400
# than 'timeout' for the client to be disabled, which is as it
401
# should be.
402
403
# If a checker exists, make sure it is not a zombie
404
try:
405
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
406
except (AttributeError, OSError), error:
407
if (isinstance(error, OSError)
408
and error.errno != errno.ECHILD):
409
raise error
410
else:
411
if pid:
412
logger.warning(u"Checker was a zombie")
413
gobject.source_remove(self.checker_callback_tag)
414
self.checker_callback(pid, status,
415
self.current_checker_command)
416
# Start a new checker if needed
323
# than 'timeout' for the client to be declared invalid, which
324
# is as it should be.
417
325
if self.checker is None:
418
326
try:
419
# In case checker_command has exactly one % operator
420
command = self.checker_command % self.host
327
# In case check_command has exactly one % operator
328
command = self.check_command % self.host
421
329
except TypeError:
422
330
# Escape attributes for the shell
423
escaped_attrs = dict((key,
424
re.escape(unicode(str(val),
425
errors=
426
u'replace')))
331
escaped_attrs = dict((key, re.escape(str(val)))
427
332
for key, val in
428
333
vars(self).iteritems())
429
334
try:
430
command = self.checker_command % escaped_attrs
335
command = self.check_command % escaped_attrs
431
336
except TypeError, error:
432
337
logger.error(u'Could not format string "%s":'
433
u' %s', self.checker_command, error)
338
u' %s', self.check_command, error)
434
339
return True # Try again later
435
self.current_checker_command = command
436
340
try:
437
341
logger.info(u"Starting checker %r for %s",
438
342
command, self.name)
442
346
# always replaced by /dev/null.)
443
347
self.checker = subprocess.Popen(command,
444
348
close_fds=True,
445
shell=True, cwd=u"/")
446
self.checker_callback_tag = (gobject.child_watch_add
447
(self.checker.pid,
448
self.checker_callback,
449
data=command))
450
# The checker may have completed before the gobject
451
# watch was added. Check for this.
452
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
453
if pid:
454
gobject.source_remove(self.checker_callback_tag)
455
self.checker_callback(pid, status, command)
349
shell=True, cwd="/")
350
self.checker_callback_tag = gobject.child_watch_add\
351
(self.checker.pid,
352
self.checker_callback)
456
353
except OSError, error:
457
354
logger.error(u"Failed to start subprocess: %s",
458
355
error)
459
356
# Re-run this periodically if run by gobject.timeout_add
460
357
return True
461
462
358
def stop_checker(self):
463
359
"""Force the checker process, if any, to stop."""
464
360
if self.checker_callback_tag:
465
361
gobject.source_remove(self.checker_callback_tag)
466
362
self.checker_callback_tag = None
467
if getattr(self, u"checker", None) is None:
363
if getattr(self, "checker", None) is None:
468
364
return
469
365
logger.debug(u"Stopping checker for %(name)s", vars(self))
470
366
try:
471
367
os.kill(self.checker.pid, signal.SIGTERM)
472
#time.sleep(0.5)
368
#os.sleep(0.5)
473
369
#if self.checker.poll() is None:
474
370
# os.kill(self.checker.pid, signal.SIGKILL)
475
371
except OSError, error:
476
372
if error.errno != errno.ESRCH: # No such process
477
373
raise
478
374
self.checker = None
479
480
481
def dbus_service_property(dbus_interface, signature=u"v",
482
access=u"readwrite", byte_arrays=False):
483
"""Decorators for marking methods of a DBusObjectWithProperties to
484
become properties on the D-Bus.
485
486
The decorated method will be called with no arguments by "Get"
487
and with one argument by "Set".
488
489
The parameters, where they are supported, are the same as
490
dbus.service.method, except there is only "signature", since the
491
type from Get() and the type sent to Set() is the same.
492
"""
493
# Encoding deeply encoded byte arrays is not supported yet by the
494
# "Set" method, so we fail early here:
495
if byte_arrays and signature != u"ay":
496
raise ValueError(u"Byte arrays not supported for non-'ay'"
497
u" signature %r" % signature)
498
def decorator(func):
499
func._dbus_is_property = True
500
func._dbus_interface = dbus_interface
501
func._dbus_signature = signature
502
func._dbus_access = access
503
func._dbus_name = func.__name__
504
if func._dbus_name.endswith(u"_dbus_property"):
505
func._dbus_name = func._dbus_name[:-14]
506
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
507
return func
508
return decorator
509
510
511
class DBusPropertyException(dbus.exceptions.DBusException):
512
"""A base class for D-Bus property-related exceptions
513
"""
514
def __unicode__(self):
515
return unicode(str(self))
516
517
518
class DBusPropertyAccessException(DBusPropertyException):
519
"""A property's access permissions disallows an operation.
520
"""
521
pass
522
523
524
class DBusPropertyNotFound(DBusPropertyException):
525
"""An attempt was made to access a non-existing property.
526
"""
527
pass
528
529
530
class DBusObjectWithProperties(dbus.service.Object):
531
"""A D-Bus object with properties.
532
533
Classes inheriting from this can use the dbus_service_property
534
decorator to expose methods as D-Bus properties. It exposes the
535
standard Get(), Set(), and GetAll() methods on the D-Bus.
536
"""
537
538
@staticmethod
539
def _is_dbus_property(obj):
540
return getattr(obj, u"_dbus_is_property", False)
541
542
def _get_all_dbus_properties(self):
543
"""Returns a generator of (name, attribute) pairs
544
"""
545
return ((prop._dbus_name, prop)
546
for name, prop in
547
inspect.getmembers(self, self._is_dbus_property))
548
549
def _get_dbus_property(self, interface_name, property_name):
550
"""Returns a bound method if one exists which is a D-Bus
551
property with the specified name and interface.
552
"""
553
for name in (property_name,
554
property_name + u"_dbus_property"):
555
prop = getattr(self, name, None)
556
if (prop is None
557
or not self._is_dbus_property(prop)
558
or prop._dbus_name != property_name
559
or (interface_name and prop._dbus_interface
560
and interface_name != prop._dbus_interface)):
561
continue
562
return prop
563
# No such property
564
raise DBusPropertyNotFound(self.dbus_object_path + u":"
565
+ interface_name + u"."
566
+ property_name)
567
568
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
569
out_signature=u"v")
570
def Get(self, interface_name, property_name):
571
"""Standard D-Bus property Get() method, see D-Bus standard.
572
"""
573
prop = self._get_dbus_property(interface_name, property_name)
574
if prop._dbus_access == u"write":
575
raise DBusPropertyAccessException(property_name)
576
value = prop()
577
if not hasattr(value, u"variant_level"):
578
return value
579
return type(value)(value, variant_level=value.variant_level+1)
580
581
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
582
def Set(self, interface_name, property_name, value):
583
"""Standard D-Bus property Set() method, see D-Bus standard.
584
"""
585
prop = self._get_dbus_property(interface_name, property_name)
586
if prop._dbus_access == u"read":
587
raise DBusPropertyAccessException(property_name)
588
if prop._dbus_get_args_options[u"byte_arrays"]:
589
# The byte_arrays option is not supported yet on
590
# signatures other than "ay".
591
if prop._dbus_signature != u"ay":
592
raise ValueError
593
value = dbus.ByteArray(''.join(unichr(byte)
594
for byte in value))
595
prop(value)
596
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
598
out_signature=u"a{sv}")
599
def GetAll(self, interface_name):
600
"""Standard D-Bus property GetAll() method, see D-Bus
601
standard.
602
603
Note: Will not include properties with access="write".
604
"""
605
all = {}
606
for name, prop in self._get_all_dbus_properties():
607
if (interface_name
608
and interface_name != prop._dbus_interface):
609
# Interface non-empty but did not match
610
continue
611
# Ignore write-only properties
612
if prop._dbus_access == u"write":
613
continue
614
value = prop()
615
if not hasattr(value, u"variant_level"):
616
all[name] = value
617
continue
618
all[name] = type(value)(value, variant_level=
619
value.variant_level+1)
620
return dbus.Dictionary(all, signature=u"sv")
621
622
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
623
out_signature=u"s",
624
path_keyword='object_path',
625
connection_keyword='connection')
626
def Introspect(self, object_path, connection):
627
"""Standard D-Bus method, overloaded to insert property tags.
628
"""
629
xmlstring = dbus.service.Object.Introspect(self, object_path,
630
connection)
631
try:
632
document = xml.dom.minidom.parseString(xmlstring)
633
def make_tag(document, name, prop):
634
e = document.createElement(u"property")
635
e.setAttribute(u"name", name)
636
e.setAttribute(u"type", prop._dbus_signature)
637
e.setAttribute(u"access", prop._dbus_access)
638
return e
639
for if_tag in document.getElementsByTagName(u"interface"):
640
for tag in (make_tag(document, name, prop)
641
for name, prop
642
in self._get_all_dbus_properties()
643
if prop._dbus_interface
644
== if_tag.getAttribute(u"name")):
645
if_tag.appendChild(tag)
646
# Add the names to the return values for the
647
# "org.freedesktop.DBus.Properties" methods
648
if (if_tag.getAttribute(u"name")
649
== u"org.freedesktop.DBus.Properties"):
650
for cn in if_tag.getElementsByTagName(u"method"):
651
if cn.getAttribute(u"name") == u"Get":
652
for arg in cn.getElementsByTagName(u"arg"):
653
if (arg.getAttribute(u"direction")
654
== u"out"):
655
arg.setAttribute(u"name", u"value")
656
elif cn.getAttribute(u"name") == u"GetAll":
657
for arg in cn.getElementsByTagName(u"arg"):
658
if (arg.getAttribute(u"direction")
659
== u"out"):
660
arg.setAttribute(u"name", u"props")
661
xmlstring = document.toxml(u"utf-8")
662
document.unlink()
663
except (AttributeError, xml.dom.DOMException,
664
xml.parsers.expat.ExpatError), error:
665
logger.error(u"Failed to override Introspection method",
666
error)
667
return xmlstring
668
669
670
class ClientDBus(Client, DBusObjectWithProperties):
671
"""A Client class using D-Bus
672
673
Attributes:
674
dbus_object_path: dbus.ObjectPath
675
bus: dbus.SystemBus()
676
"""
677
# dbus.service.Object doesn't use super(), so we can't either.
678
679
def __init__(self, bus = None, *args, **kwargs):
680
self.bus = bus
681
Client.__init__(self, *args, **kwargs)
682
# Only now, when this client is initialized, can it show up on
683
# the D-Bus
684
self.dbus_object_path = (dbus.ObjectPath
685
(u"/clients/"
686
+ self.name.replace(u".", u"_")))
687
DBusObjectWithProperties.__init__(self, self.bus,
688
self.dbus_object_path)
689
690
@staticmethod
691
def _datetime_to_dbus(dt, variant_level=0):
692
"""Convert a UTC datetime.datetime() to a D-Bus type."""
693
return dbus.String(dt.isoformat(),
694
variant_level=variant_level)
695
696
def enable(self):
697
oldstate = getattr(self, u"enabled", False)
698
r = Client.enable(self)
699
if oldstate != self.enabled:
700
# Emit D-Bus signals
701
self.PropertyChanged(dbus.String(u"enabled"),
702
dbus.Boolean(True, variant_level=1))
703
self.PropertyChanged(
704
dbus.String(u"last_enabled"),
705
self._datetime_to_dbus(self.last_enabled,
706
variant_level=1))
707
return r
708
709
def disable(self, quiet = False):
710
oldstate = getattr(self, u"enabled", False)
711
r = Client.disable(self, quiet=quiet)
712
if not quiet and oldstate != self.enabled:
713
# Emit D-Bus signal
714
self.PropertyChanged(dbus.String(u"enabled"),
715
dbus.Boolean(False, variant_level=1))
716
return r
717
718
def __del__(self, *args, **kwargs):
719
try:
720
self.remove_from_connection()
721
except LookupError:
722
pass
723
if hasattr(DBusObjectWithProperties, u"__del__"):
724
DBusObjectWithProperties.__del__(self, *args, **kwargs)
725
Client.__del__(self, *args, **kwargs)
726
727
def checker_callback(self, pid, condition, command,
728
*args, **kwargs):
729
self.checker_callback_tag = None
730
self.checker = None
731
# Emit D-Bus signal
732
self.PropertyChanged(dbus.String(u"checker_running"),
733
dbus.Boolean(False, variant_level=1))
734
if os.WIFEXITED(condition):
735
exitstatus = os.WEXITSTATUS(condition)
736
# Emit D-Bus signal
737
self.CheckerCompleted(dbus.Int16(exitstatus),
738
dbus.Int64(condition),
739
dbus.String(command))
740
else:
741
# Emit D-Bus signal
742
self.CheckerCompleted(dbus.Int16(-1),
743
dbus.Int64(condition),
744
dbus.String(command))
745
746
return Client.checker_callback(self, pid, condition, command,
747
*args, **kwargs)
748
749
def checked_ok(self, *args, **kwargs):
750
r = Client.checked_ok(self, *args, **kwargs)
751
# Emit D-Bus signal
752
self.PropertyChanged(
753
dbus.String(u"last_checked_ok"),
754
(self._datetime_to_dbus(self.last_checked_ok,
755
variant_level=1)))
756
return r
757
758
def start_checker(self, *args, **kwargs):
759
old_checker = self.checker
760
if self.checker is not None:
761
old_checker_pid = self.checker.pid
762
else:
763
old_checker_pid = None
764
r = Client.start_checker(self, *args, **kwargs)
765
# Only if new checker process was started
766
if (self.checker is not None
767
and old_checker_pid != self.checker.pid):
768
# Emit D-Bus signal
769
self.CheckerStarted(self.current_checker_command)
770
self.PropertyChanged(
771
dbus.String(u"checker_running"),
772
dbus.Boolean(True, variant_level=1))
773
return r
774
775
def stop_checker(self, *args, **kwargs):
776
old_checker = getattr(self, u"checker", None)
777
r = Client.stop_checker(self, *args, **kwargs)
778
if (old_checker is not None
779
and getattr(self, u"checker", None) is None):
780
self.PropertyChanged(dbus.String(u"checker_running"),
781
dbus.Boolean(False, variant_level=1))
782
return r
783
784
## D-Bus methods, signals & properties
785
_interface = u"se.bsnet.fukt.Mandos.Client"
786
787
## Signals
788
789
# CheckerCompleted - signal
790
@dbus.service.signal(_interface, signature=u"nxs")
791
def CheckerCompleted(self, exitcode, waitstatus, command):
792
"D-Bus signal"
793
pass
794
795
# CheckerStarted - signal
796
@dbus.service.signal(_interface, signature=u"s")
797
def CheckerStarted(self, command):
798
"D-Bus signal"
799
pass
800
801
# PropertyChanged - signal
802
@dbus.service.signal(_interface, signature=u"sv")
803
def PropertyChanged(self, property, value):
804
"D-Bus signal"
805
pass
806
807
# GotSecret - signal
808
@dbus.service.signal(_interface)
809
def GotSecret(self):
810
"D-Bus signal"
811
pass
812
813
# Rejected - signal
814
@dbus.service.signal(_interface)
815
def Rejected(self):
816
"D-Bus signal"
817
pass
818
819
## Methods
820
821
# CheckedOK - method
822
@dbus.service.method(_interface)
823
def CheckedOK(self):
824
return self.checked_ok()
825
826
# Enable - method
827
@dbus.service.method(_interface)
828
def Enable(self):
829
"D-Bus method"
830
self.enable()
831
832
# StartChecker - method
833
@dbus.service.method(_interface)
834
def StartChecker(self):
835
"D-Bus method"
836
self.start_checker()
837
838
# Disable - method
839
@dbus.service.method(_interface)
840
def Disable(self):
841
"D-Bus method"
842
self.disable()
843
844
# StopChecker - method
845
@dbus.service.method(_interface)
846
def StopChecker(self):
847
self.stop_checker()
848
849
## Properties
850
851
# name - property
852
@dbus_service_property(_interface, signature=u"s", access=u"read")
853
def name_dbus_property(self):
854
return dbus.String(self.name)
855
856
# fingerprint - property
857
@dbus_service_property(_interface, signature=u"s", access=u"read")
858
def fingerprint_dbus_property(self):
859
return dbus.String(self.fingerprint)
860
861
# host - property
862
@dbus_service_property(_interface, signature=u"s",
863
access=u"readwrite")
864
def host_dbus_property(self, value=None):
865
if value is None: # get
866
return dbus.String(self.host)
867
self.host = value
868
# Emit D-Bus signal
869
self.PropertyChanged(dbus.String(u"host"),
870
dbus.String(value, variant_level=1))
871
872
# created - property
873
@dbus_service_property(_interface, signature=u"s", access=u"read")
874
def created_dbus_property(self):
875
return dbus.String(self._datetime_to_dbus(self.created))
876
877
# last_enabled - property
878
@dbus_service_property(_interface, signature=u"s", access=u"read")
879
def last_enabled_dbus_property(self):
880
if self.last_enabled is None:
881
return dbus.String(u"")
882
return dbus.String(self._datetime_to_dbus(self.last_enabled))
883
884
# enabled - property
885
@dbus_service_property(_interface, signature=u"b",
886
access=u"readwrite")
887
def enabled_dbus_property(self, value=None):
888
if value is None: # get
889
return dbus.Boolean(self.enabled)
890
if value:
891
self.enable()
892
else:
893
self.disable()
894
895
# last_checked_ok - property
896
@dbus_service_property(_interface, signature=u"s",
897
access=u"readwrite")
898
def last_checked_ok_dbus_property(self, value=None):
899
if value is not None:
900
self.checked_ok()
901
return
375
def still_valid(self):
376
"""Has the timeout not yet passed for this client?"""
377
now = datetime.datetime.now()
902
378
if self.last_checked_ok is None:
903
return dbus.String(u"")
904
return dbus.String(self._datetime_to_dbus(self
905
.last_checked_ok))
906
907
# timeout - property
908
@dbus_service_property(_interface, signature=u"t",
909
access=u"readwrite")
910
def timeout_dbus_property(self, value=None):
911
if value is None: # get
912
return dbus.UInt64(self.timeout_milliseconds())
913
self.timeout = datetime.timedelta(0, 0, 0, value)
914
# Emit D-Bus signal
915
self.PropertyChanged(dbus.String(u"timeout"),
916
dbus.UInt64(value, variant_level=1))
917
if getattr(self, u"disable_initiator_tag", None) is None:
918
return
919
# Reschedule timeout
920
gobject.source_remove(self.disable_initiator_tag)
921
self.disable_initiator_tag = None
922
time_to_die = (self.
923
_timedelta_to_milliseconds((self
924
.last_checked_ok
925
+ self.timeout)
926
- datetime.datetime
927
.utcnow()))
928
if time_to_die <= 0:
929
# The timeout has passed
930
self.disable()
931
else:
932
self.disable_initiator_tag = (gobject.timeout_add
933
(time_to_die, self.disable))
934
935
# interval - property
936
@dbus_service_property(_interface, signature=u"t",
937
access=u"readwrite")
938
def interval_dbus_property(self, value=None):
939
if value is None: # get
940
return dbus.UInt64(self.interval_milliseconds())
941
self.interval = datetime.timedelta(0, 0, 0, value)
942
# Emit D-Bus signal
943
self.PropertyChanged(dbus.String(u"interval"),
944
dbus.UInt64(value, variant_level=1))
945
if getattr(self, u"checker_initiator_tag", None) is None:
946
return
947
# Reschedule checker run
948
gobject.source_remove(self.checker_initiator_tag)
949
self.checker_initiator_tag = (gobject.timeout_add
950
(value, self.start_checker))
951
self.start_checker() # Start one now, too
952
953
# checker - property
954
@dbus_service_property(_interface, signature=u"s",
955
access=u"readwrite")
956
def checker_dbus_property(self, value=None):
957
if value is None: # get
958
return dbus.String(self.checker_command)
959
self.checker_command = value
960
# Emit D-Bus signal
961
self.PropertyChanged(dbus.String(u"checker"),
962
dbus.String(self.checker_command,
963
variant_level=1))
964
965
# checker_running - property
966
@dbus_service_property(_interface, signature=u"b",
967
access=u"readwrite")
968
def checker_running_dbus_property(self, value=None):
969
if value is None: # get
970
return dbus.Boolean(self.checker is not None)
971
if value:
972
self.start_checker()
973
else:
974
self.stop_checker()
975
976
# object_path - property
977
@dbus_service_property(_interface, signature=u"o", access=u"read")
978
def object_path_dbus_property(self):
979
return self.dbus_object_path # is already a dbus.ObjectPath
980
981
# secret = property
982
@dbus_service_property(_interface, signature=u"ay",
983
access=u"write", byte_arrays=True)
984
def secret_dbus_property(self, value):
985
self.secret = str(value)
986
987
del _interface
988
989
990
class ClientHandler(socketserver.BaseRequestHandler, object):
991
"""A class to handle client connections.
992
993
Instantiated once for each connection to handle it.
379
return now < (self.created + self.timeout)
380
else:
381
return now < (self.last_checked_ok + self.timeout)
382
383
384
def peer_certificate(session):
385
"Return the peer's OpenPGP certificate as a bytestring"
386
# If not an OpenPGP certificate...
387
if gnutls.library.functions.gnutls_certificate_type_get\
388
(session._c_object) \
389
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
390
# ...do the normal thing
391
return session.peer_certificate
392
list_size = ctypes.c_uint()
393
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
394
(session._c_object, ctypes.byref(list_size))
395
if list_size.value == 0:
396
return None
397
cert = cert_list[0]
398
return ctypes.string_at(cert.data, cert.size)
399
400
401
def fingerprint(openpgp):
402
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
403
# New GnuTLS "datum" with the OpenPGP public key
404
datum = gnutls.library.types.gnutls_datum_t\
405
(ctypes.cast(ctypes.c_char_p(openpgp),
406
ctypes.POINTER(ctypes.c_ubyte)),
407
ctypes.c_uint(len(openpgp)))
408
# New empty GnuTLS certificate
409
crt = gnutls.library.types.gnutls_openpgp_crt_t()
410
gnutls.library.functions.gnutls_openpgp_crt_init\
411
(ctypes.byref(crt))
412
# Import the OpenPGP public key into the certificate
413
gnutls.library.functions.gnutls_openpgp_crt_import\
414
(crt, ctypes.byref(datum),
415
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
416
# Verify the self signature in the key
417
crtverify = ctypes.c_uint();
418
gnutls.library.functions.gnutls_openpgp_crt_verify_self\
419
(crt, 0, ctypes.byref(crtverify))
420
if crtverify.value != 0:
421
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
422
raise gnutls.errors.CertificateSecurityError("Verify failed")
423
# New buffer for the fingerprint
424
buffer = ctypes.create_string_buffer(20)
425
buffer_length = ctypes.c_size_t()
426
# Get the fingerprint from the certificate into the buffer
427
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
428
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
429
# Deinit the certificate
430
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
431
# Convert the buffer to a Python bytestring
432
fpr = ctypes.string_at(buffer, buffer_length.value)
433
# Convert the bytestring to hexadecimal notation
434
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
435
return hex_fpr
436
437
438
class tcp_handler(SocketServer.BaseRequestHandler, object):
439
"""A TCP request handler class.
440
Instantiated by IPv6_TCPServer for each request to handle it.
994
441
Note: This will run in its own forked process."""
995
442
996
443
def handle(self):
997
444
logger.info(u"TCP connection from: %s",
998
unicode(self.client_address))
999
logger.debug(u"IPC Pipe FD: %d",
1000
self.server.child_pipe[1].fileno())
1001
# Open IPC pipe to parent process
1002
with contextlib.nested(self.server.child_pipe[1],
1003
self.server.parent_pipe[0]
1004
) as (ipc, ipc_return):
1005
session = (gnutls.connection
1006
.ClientSession(self.request,
1007
gnutls.connection
1008
.X509Credentials()))
1009
1010
# Note: gnutls.connection.X509Credentials is really a
1011
# generic GnuTLS certificate credentials object so long as
1012
# no X.509 keys are added to it. Therefore, we can use it
1013
# here despite using OpenPGP certificates.
1014
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1016
# u"+AES-256-CBC", u"+SHA1",
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1018
# u"+DHE-DSS"))
1019
# Use a fallback default, since this MUST be set.
1020
priority = self.server.gnutls_priority
1021
if priority is None:
1022
priority = u"NORMAL"
1023
(gnutls.library.functions
1024
.gnutls_priority_set_direct(session._c_object,
1025
priority, None))
1026
1027
# Start communication using the Mandos protocol
1028
# Get protocol number
1029
line = self.request.makefile().readline()
1030
logger.debug(u"Protocol version: %r", line)
1031
try:
1032
if int(line.strip().split()[0]) > 1:
1033
raise RuntimeError
1034
except (ValueError, IndexError, RuntimeError), error:
1035
logger.error(u"Unknown protocol version: %s", error)
1036
return
1037
1038
# Start GnuTLS connection
1039
try:
1040
session.handshake()
1041
except gnutls.errors.GNUTLSError, error:
1042
logger.warning(u"Handshake failed: %s", error)
1043
# Do not run session.bye() here: the session is not
1044
# established. Just abandon the request.
1045
return
1046
logger.debug(u"Handshake succeeded")
1047
try:
1048
try:
1049
fpr = self.fingerprint(self.peer_certificate
1050
(session))
1051
except (TypeError, gnutls.errors.GNUTLSError), error:
1052
logger.warning(u"Bad certificate: %s", error)
1053
return
1054
logger.debug(u"Fingerprint: %s", fpr)
1055
1056
for c in self.server.clients:
1057
if c.fingerprint == fpr:
1058
client = c
1059
break
1060
else:
1061
ipc.write(u"NOTFOUND %s %s\n"
1062
% (fpr, unicode(self.client_address)))
1063
return
1064
1065
class ClientProxy(object):
1066
"""Client proxy object. Not for calling methods."""
1067
def __init__(self, client):
1068
self.client = client
1069
def __getattr__(self, name):
1070
if name.startswith("ipc_"):
1071
def tempfunc():
1072
ipc.write("%s %s\n" % (name[4:].upper(),
1073
self.client.name))
1074
return tempfunc
1075
if not hasattr(self.client, name):
1076
raise AttributeError
1077
ipc.write(u"GETATTR %s %s\n"
1078
% (name, self.client.fingerprint))
1079
return pickle.load(ipc_return)
1080
clientproxy = ClientProxy(client)
1081
# Have to check if client.enabled, since it is
1082
# possible that the client was disabled since the
1083
# GnuTLS session was established.
1084
if not clientproxy.enabled:
1085
clientproxy.ipc_disabled()
1086
return
1087
1088
clientproxy.ipc_sending()
1089
sent_size = 0
1090
while sent_size < len(client.secret):
1091
sent = session.send(client.secret[sent_size:])
1092
logger.debug(u"Sent: %d, remaining: %d",
1093
sent, len(client.secret)
1094
- (sent_size + sent))
1095
sent_size += sent
1096
finally:
1097
session.bye()
1098
1099
@staticmethod
1100
def peer_certificate(session):
1101
"Return the peer's OpenPGP certificate as a bytestring"
1102
# If not an OpenPGP certificate...
1103
if (gnutls.library.functions
1104
.gnutls_certificate_type_get(session._c_object)
1105
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1106
# ...do the normal thing
1107
return session.peer_certificate
1108
list_size = ctypes.c_uint(1)
1109
cert_list = (gnutls.library.functions
1110
.gnutls_certificate_get_peers
1111
(session._c_object, ctypes.byref(list_size)))
1112
if not bool(cert_list) and list_size.value != 0:
1113
raise gnutls.errors.GNUTLSError(u"error getting peer"
1114
u" certificate")
1115
if list_size.value == 0:
1116
return None
1117
cert = cert_list[0]
1118
return ctypes.string_at(cert.data, cert.size)
1119
1120
@staticmethod
1121
def fingerprint(openpgp):
1122
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1123
# New GnuTLS "datum" with the OpenPGP public key
1124
datum = (gnutls.library.types
1125
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1126
ctypes.POINTER
1127
(ctypes.c_ubyte)),
1128
ctypes.c_uint(len(openpgp))))
1129
# New empty GnuTLS certificate
1130
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1131
(gnutls.library.functions
1132
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1133
# Import the OpenPGP public key into the certificate
1134
(gnutls.library.functions
1135
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1136
gnutls.library.constants
1137
.GNUTLS_OPENPGP_FMT_RAW))
1138
# Verify the self signature in the key
1139
crtverify = ctypes.c_uint()
1140
(gnutls.library.functions
1141
.gnutls_openpgp_crt_verify_self(crt, 0,
1142
ctypes.byref(crtverify)))
1143
if crtverify.value != 0:
1144
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1145
raise (gnutls.errors.CertificateSecurityError
1146
(u"Verify failed"))
1147
# New buffer for the fingerprint
1148
buf = ctypes.create_string_buffer(20)
1149
buf_len = ctypes.c_size_t()
1150
# Get the fingerprint from the certificate into the buffer
1151
(gnutls.library.functions
1152
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1153
ctypes.byref(buf_len)))
1154
# Deinit the certificate
1155
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1156
# Convert the buffer to a Python bytestring
1157
fpr = ctypes.string_at(buf, buf_len.value)
1158
# Convert the bytestring to hexadecimal notation
1159
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1160
return hex_fpr
1161
1162
1163
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1164
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1165
def process_request(self, request, client_address):
1166
"""Overrides and wraps the original process_request().
1167
1168
This function creates a new pipe in self.pipe
1169
"""
1170
# Child writes to child_pipe
1171
self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1172
# Parent writes to parent_pipe
1173
self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1174
super(ForkingMixInWithPipes,
1175
self).process_request(request, client_address)
1176
# Close unused ends for parent
1177
self.parent_pipe[0].close() # close read end
1178
self.child_pipe[1].close() # close write end
1179
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1180
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1181
"""Dummy function; override as necessary"""
1182
child_pipe_fd.close()
1183
parent_pipe_fd.close()
1184
1185
1186
class IPv6_TCPServer(ForkingMixInWithPipes,
1187
socketserver.TCPServer, object):
1188
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1189
445
unicode(self.client_address))
446
session = gnutls.connection.ClientSession\
447
(self.request, gnutls.connection.X509Credentials())
448
449
line = self.request.makefile().readline()
450
logger.debug(u"Protocol version: %r", line)
451
try:
452
if int(line.strip().split()[0]) > 1:
453
raise RuntimeError
454
except (ValueError, IndexError, RuntimeError), error:
455
logger.error(u"Unknown protocol version: %s", error)
456
return
457
458
# Note: gnutls.connection.X509Credentials is really a generic
459
# GnuTLS certificate credentials object so long as no X.509
460
# keys are added to it. Therefore, we can use it here despite
461
# using OpenPGP certificates.
462
463
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
464
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
465
# "+DHE-DSS"))
466
priority = "NORMAL" # Fallback default, since this
467
# MUST be set.
468
if self.server.settings["priority"]:
469
priority = self.server.settings["priority"]
470
gnutls.library.functions.gnutls_priority_set_direct\
471
(session._c_object, priority, None);
472
473
try:
474
session.handshake()
475
except gnutls.errors.GNUTLSError, error:
476
logger.warning(u"Handshake failed: %s", error)
477
# Do not run session.bye() here: the session is not
478
# established. Just abandon the request.
479
return
480
try:
481
fpr = fingerprint(peer_certificate(session))
482
except (TypeError, gnutls.errors.GNUTLSError), error:
483
logger.warning(u"Bad certificate: %s", error)
484
session.bye()
485
return
486
logger.debug(u"Fingerprint: %s", fpr)
487
client = None
488
for c in self.server.clients:
489
if c.fingerprint == fpr:
490
client = c
491
break
492
if not client:
493
logger.warning(u"Client not found for fingerprint: %s",
494
fpr)
495
session.bye()
496
return
497
# Have to check if client.still_valid(), since it is possible
498
# that the client timed out while establishing the GnuTLS
499
# session.
500
if not client.still_valid():
501
logger.warning(u"Client %(name)s is invalid",
502
vars(client))
503
session.bye()
504
return
505
sent_size = 0
506
while sent_size < len(client.secret):
507
sent = session.send(client.secret[sent_size:])
508
logger.debug(u"Sent: %d, remaining: %d",
509
sent, len(client.secret)
510
- (sent_size + sent))
511
sent_size += sent
512
session.bye()
513
514
515
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
516
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1190
517
Attributes:
1191
enabled: Boolean; whether this server is activated yet
1192
interface: None or a network interface name (string)
1193
use_ipv6: Boolean; to use IPv6 or not
518
settings: Server settings
519
clients: Set() of Client objects
1194
520
"""
1195
def __init__(self, server_address, RequestHandlerClass,
1196
interface=None, use_ipv6=True):
1197
self.interface = interface
1198
if use_ipv6:
1199
self.address_family = socket.AF_INET6
1200
socketserver.TCPServer.__init__(self, server_address,
1201
RequestHandlerClass)
521
address_family = socket.AF_INET6
522
def __init__(self, *args, **kwargs):
523
if "settings" in kwargs:
524
self.settings = kwargs["settings"]
525
del kwargs["settings"]
526
if "clients" in kwargs:
527
self.clients = kwargs["clients"]
528
del kwargs["clients"]
529
return super(type(self), self).__init__(*args, **kwargs)
1202
530
def server_bind(self):
1203
531
"""This overrides the normal server_bind() function
1204
532
to bind to an interface if one was specified, and also NOT to
1205
533
bind to an address or port if they were not specified."""
1206
if self.interface is not None:
1207
if SO_BINDTODEVICE is None:
1208
logger.error(u"SO_BINDTODEVICE does not exist;"
1209
u" cannot bind to interface %s",
1210
self.interface)
1211
else:
1212
try:
1213
self.socket.setsockopt(socket.SOL_SOCKET,
1214
SO_BINDTODEVICE,
1215
str(self.interface
1216
+ u'\0'))
1217
except socket.error, error:
1218
if error[0] == errno.EPERM:
1219
logger.error(u"No permission to"
1220
u" bind to interface %s",
1221
self.interface)
1222
elif error[0] == errno.ENOPROTOOPT:
1223
logger.error(u"SO_BINDTODEVICE not available;"
1224
u" cannot bind to interface %s",
1225
self.interface)
1226
else:
1227
raise
534
if self.settings["interface"]:
535
# 25 is from /usr/include/asm-i486/socket.h
536
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
537
try:
538
self.socket.setsockopt(socket.SOL_SOCKET,
539
SO_BINDTODEVICE,
540
self.settings["interface"])
541
except socket.error, error:
542
if error[0] == errno.EPERM:
543
logger.error(u"No permission to"
544
u" bind to interface %s",
545
self.settings["interface"])
546
else:
547
raise error
1228
548
# Only bind(2) the socket if we really need to.
1229
549
if self.server_address[0] or self.server_address[1]:
1230
550
if not self.server_address[0]:
1231
if self.address_family == socket.AF_INET6:
1232
any_address = u"::" # in6addr_any
1233
else:
1234
any_address = socket.INADDR_ANY
1235
self.server_address = (any_address,
551
in6addr_any = "::"
552
self.server_address = (in6addr_any,
1236
553
self.server_address[1])
1237
554
elif not self.server_address[1]:
1238
555
self.server_address = (self.server_address[0],
1239
556
0)
1240
# if self.interface:
557
# if self.settings["interface"]:
1241
558
# self.server_address = (self.server_address[0],
1242
559
# 0, # port
1243
560
# 0, # flowinfo
1244
561
# if_nametoindex
1245
# (self.interface))
1246
return socketserver.TCPServer.server_bind(self)
1247
1248
1249
class MandosServer(IPv6_TCPServer):
1250
"""Mandos server.
1251
1252
Attributes:
1253
clients: set of Client objects
1254
gnutls_priority GnuTLS priority string
1255
use_dbus: Boolean; to emit D-Bus signals or not
1256
1257
Assumes a gobject.MainLoop event loop.
1258
"""
1259
def __init__(self, server_address, RequestHandlerClass,
1260
interface=None, use_ipv6=True, clients=None,
1261
gnutls_priority=None, use_dbus=True):
1262
self.enabled = False
1263
self.clients = clients
1264
if self.clients is None:
1265
self.clients = set()
1266
self.use_dbus = use_dbus
1267
self.gnutls_priority = gnutls_priority
1268
IPv6_TCPServer.__init__(self, server_address,
1269
RequestHandlerClass,
1270
interface = interface,
1271
use_ipv6 = use_ipv6)
1272
def server_activate(self):
1273
if self.enabled:
1274
return socketserver.TCPServer.server_activate(self)
1275
def enable(self):
1276
self.enabled = True
1277
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1278
# Call "handle_ipc" for both data and EOF events
1279
gobject.io_add_watch(child_pipe_fd.fileno(),
1280
gobject.IO_IN | gobject.IO_HUP,
1281
functools.partial(self.handle_ipc,
1282
reply = parent_pipe_fd,
1283
sender= child_pipe_fd))
1284
def handle_ipc(self, source, condition, reply=None, sender=None):
1285
condition_names = {
1286
gobject.IO_IN: u"IN", # There is data to read.
1287
gobject.IO_OUT: u"OUT", # Data can be written (without
1288
# blocking).
1289
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1290
gobject.IO_ERR: u"ERR", # Error condition.
1291
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1292
# broken, usually for pipes and
1293
# sockets).
1294
}
1295
conditions_string = ' | '.join(name
1296
for cond, name in
1297
condition_names.iteritems()
1298
if cond & condition)
1299
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1300
conditions_string)
1301
1302
# Read a line from the file object
1303
cmdline = sender.readline()
1304
if not cmdline: # Empty line means end of file
1305
# close the IPC pipes
1306
sender.close()
1307
reply.close()
1308
1309
# Stop calling this function
1310
return False
1311
1312
logger.debug(u"IPC command: %r", cmdline)
1313
1314
# Parse and act on command
1315
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1316
1317
if cmd == u"NOTFOUND":
1318
fpr, address = args.split(None, 1)
1319
logger.warning(u"Client not found for fingerprint: %s, ad"
1320
u"dress: %s", fpr, address)
1321
if self.use_dbus:
1322
# Emit D-Bus signal
1323
mandos_dbus_service.ClientNotFound(fpr, address)
1324
elif cmd == u"DISABLED":
1325
for client in self.clients:
1326
if client.name == args:
1327
logger.warning(u"Client %s is disabled", args)
1328
if self.use_dbus:
1329
# Emit D-Bus signal
1330
client.Rejected()
1331
break
1332
else:
1333
logger.error(u"Unknown client %s is disabled", args)
1334
elif cmd == u"SENDING":
1335
for client in self.clients:
1336
if client.name == args:
1337
logger.info(u"Sending secret to %s", client.name)
1338
client.checked_ok()
1339
if self.use_dbus:
1340
# Emit D-Bus signal
1341
client.GotSecret()
1342
break
1343
else:
1344
logger.error(u"Sending secret to unknown client %s",
1345
args)
1346
elif cmd == u"GETATTR":
1347
attr_name, fpr = args.split(None, 1)
1348
for client in self.clients:
1349
if client.fingerprint == fpr:
1350
attr_value = getattr(client, attr_name, None)
1351
logger.debug("IPC reply: %r", attr_value)
1352
pickle.dump(attr_value, reply)
1353
break
1354
else:
1355
logger.error(u"Client %s on address %s requesting "
1356
u"attribute %s not found", fpr, address,
1357
attr_name)
1358
pickle.dump(None, reply)
1359
else:
1360
logger.error(u"Unknown IPC command: %r", cmdline)
1361
1362
# Keep calling this function
1363
return True
562
# (self.settings
563
# ["interface"]))
564
return super(type(self), self).server_bind()
1364
565
1365
566
1366
567
def string_to_delta(interval):
1367
568
"""Parse a string and return a datetime.timedelta
1368
1369
>>> string_to_delta(u'7d')
569
570
>>> string_to_delta('7d')
1370
571
datetime.timedelta(7)
1371
>>> string_to_delta(u'60s')
572
>>> string_to_delta('60s')
1372
573
datetime.timedelta(0, 60)
1373
>>> string_to_delta(u'60m')
574
>>> string_to_delta('60m')
1374
575
datetime.timedelta(0, 3600)
1375
>>> string_to_delta(u'24h')
576
>>> string_to_delta('24h')
1376
577
datetime.timedelta(1)
1377
578
>>> string_to_delta(u'1w')
1378
579
datetime.timedelta(7)
1379
>>> string_to_delta(u'5m 30s')
580
>>> string_to_delta('5m 30s')
1380
581
datetime.timedelta(0, 330)
1381
582
"""
1382
583
timevalue = datetime.timedelta(0)
1383
584
for s in interval.split():
1384
585
try:
1385
suffix = unicode(s[-1])
1386
value = int(s[:-1])
586
suffix=unicode(s[-1])
587
value=int(s[:-1])
1387
588
if suffix == u"d":
1388
589
delta = datetime.timedelta(value)
1389
590
elif suffix == u"s":
1395
596
elif suffix == u"w":
1396
597
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1397
598
else:
1398
raise ValueError(u"Unknown suffix %r" % suffix)
1399
except (ValueError, IndexError), e:
1400
raise ValueError(e.message)
599
raise ValueError
600
except (ValueError, IndexError):
601
raise ValueError
1401
602
timevalue += delta
1402
603
return timevalue
1403
604
1404
605
606
def server_state_changed(state):
607
"""Derived from the Avahi example code"""
608
if state == avahi.SERVER_COLLISION:
609
logger.error(u"Zeroconf server name collision")
610
service.remove()
611
elif state == avahi.SERVER_RUNNING:
612
service.add()
613
614
615
def entry_group_state_changed(state, error):
616
"""Derived from the Avahi example code"""
617
logger.debug(u"Avahi state change: %i", state)
618
619
if state == avahi.ENTRY_GROUP_ESTABLISHED:
620
logger.debug(u"Zeroconf service established.")
621
elif state == avahi.ENTRY_GROUP_COLLISION:
622
logger.warning(u"Zeroconf service name collision.")
623
service.rename()
624
elif state == avahi.ENTRY_GROUP_FAILURE:
625
logger.critical(u"Avahi: Error in group state changed %s",
626
unicode(error))
627
raise AvahiGroupError("State changed: %s", str(error))
628
1405
629
def if_nametoindex(interface):
1406
"""Call the C function if_nametoindex(), or equivalent
1407
1408
Note: This function cannot accept a unicode string."""
630
"""Call the C function if_nametoindex(), or equivalent"""
1409
631
global if_nametoindex
1410
632
try:
1411
if_nametoindex = (ctypes.cdll.LoadLibrary
1412
(ctypes.util.find_library(u"c"))
1413
.if_nametoindex)
633
if "ctypes.util" not in sys.modules:
634
import ctypes.util
635
if_nametoindex = ctypes.cdll.LoadLibrary\
636
(ctypes.util.find_library("c")).if_nametoindex
1414
637
except (OSError, AttributeError):
1415
logger.warning(u"Doing if_nametoindex the hard way")
638
if "struct" not in sys.modules:
639
import struct
640
if "fcntl" not in sys.modules:
641
import fcntl
1416
642
def if_nametoindex(interface):
1417
643
"Get an interface index the hard way, i.e. using fcntl()"
1418
644
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1419
with contextlib.closing(socket.socket()) as s:
1420
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1421
struct.pack(str(u"16s16x"),
1422
interface))
1423
interface_index = struct.unpack(str(u"I"),
1424
ifreq[16:20])[0]
645
s = socket.socket()
646
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
647
struct.pack("16s16x", interface))
648
s.close()
649
interface_index = struct.unpack("I", ifreq[16:20])[0]
1425
650
return interface_index
1426
651
return if_nametoindex(interface)
1427
652
1428
653
1429
654
def daemon(nochdir = False, noclose = False):
1430
655
"""See daemon(3). Standard BSD Unix function.
1431
1432
656
This should really exist as os.daemon, but it doesn't (yet)."""
1433
657
if os.fork():
1434
658
sys.exit()
1435
659
os.setsid()
1436
660
if not nochdir:
1437
os.chdir(u"/")
661
os.chdir("/")
1438
662
if os.fork():
1439
663
sys.exit()
1440
664
if not noclose:
1442
666
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1443
667
if not stat.S_ISCHR(os.fstat(null).st_mode):
1444
668
raise OSError(errno.ENODEV,
1445
u"%s not a character device"
1446
% os.path.devnull)
669
"/dev/null not a character device")
1447
670
os.dup2(null, sys.stdin.fileno())
1448
671
os.dup2(null, sys.stdout.fileno())
1449
672
os.dup2(null, sys.stderr.fileno())
1452
675
1453
676
1454
677
def main():
1455
1456
##################################################################
1457
# Parsing of options, both command line and config file
1458
1459
parser = optparse.OptionParser(version = "%%prog %s" % version)
1460
parser.add_option("-i", u"--interface", type=u"string",
1461
metavar="IF", help=u"Bind to interface IF")
1462
parser.add_option("-a", u"--address", type=u"string",
1463
help=u"Address to listen for requests on")
1464
parser.add_option("-p", u"--port", type=u"int",
1465
help=u"Port number to receive requests on")
1466
parser.add_option("--check", action=u"store_true",
1467
help=u"Run self-test")
1468
parser.add_option("--debug", action=u"store_true",
1469
help=u"Debug mode; run in foreground and log to"
1470
u" terminal")
1471
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1472
u" priority string (see GnuTLS documentation)")
1473
parser.add_option("--servicename", type=u"string",
1474
metavar=u"NAME", help=u"Zeroconf service name")
1475
parser.add_option("--configdir", type=u"string",
1476
default=u"/etc/mandos", metavar=u"DIR",
1477
help=u"Directory to search for configuration"
1478
u" files")
1479
parser.add_option("--no-dbus", action=u"store_false",
1480
dest=u"use_dbus", help=u"Do not provide D-Bus"
1481
u" system bus interface")
1482
parser.add_option("--no-ipv6", action=u"store_false",
1483
dest=u"use_ipv6", help=u"Do not use IPv6")
1484
options = parser.parse_args()[0]
678
global main_loop_started
679
main_loop_started = False
680
681
parser = OptionParser(version = "%%prog %s" % version)
682
parser.add_option("-i", "--interface", type="string",
683
metavar="IF", help="Bind to interface IF")
684
parser.add_option("-a", "--address", type="string",
685
help="Address to listen for requests on")
686
parser.add_option("-p", "--port", type="int",
687
help="Port number to receive requests on")
688
parser.add_option("--check", action="store_true", default=False,
689
help="Run self-test")
690
parser.add_option("--debug", action="store_true",
691
help="Debug mode; run in foreground and log to"
692
" terminal")
693
parser.add_option("--priority", type="string", help="GnuTLS"
694
" priority string (see GnuTLS documentation)")
695
parser.add_option("--servicename", type="string", metavar="NAME",
696
help="Zeroconf service name")
697
parser.add_option("--configdir", type="string",
698
default="/etc/mandos", metavar="DIR",
699
help="Directory to search for configuration"
700
" files")
701
(options, args) = parser.parse_args()
1485
702
1486
703
if options.check:
1487
704
import doctest
1489
706
sys.exit()
1490
707
1491
708
# Default values for config file for server-global settings
1492
server_defaults = { u"interface": u"",
1493
u"address": u"",
1494
u"port": u"",
1495
u"debug": u"False",
1496
u"priority":
1497
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1498
u"servicename": u"Mandos",
1499
u"use_dbus": u"True",
1500
u"use_ipv6": u"True",
709
server_defaults = { "interface": "",
710
"address": "",
711
"port": "",
712
"debug": "False",
713
"priority":
714
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
715
"servicename": "Mandos",
1501
716
}
1502
717
1503
718
# Parse config file for server-global settings
1504
server_config = configparser.SafeConfigParser(server_defaults)
719
server_config = ConfigParser.SafeConfigParser(server_defaults)
1505
720
del server_defaults
1506
server_config.read(os.path.join(options.configdir,
1507
u"mandos.conf"))
721
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1508
722
# Convert the SafeConfigParser object to a dict
1509
723
server_settings = server_config.defaults()
1510
# Use the appropriate methods on the non-string config options
1511
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1512
server_settings[option] = server_config.getboolean(u"DEFAULT",
1513
option)
1514
if server_settings["port"]:
1515
server_settings["port"] = server_config.getint(u"DEFAULT",
1516
u"port")
724
# Use getboolean on the boolean config option
725
server_settings["debug"] = server_config.getboolean\
726
("DEFAULT", "debug")
1517
727
del server_config
1518
728
1519
729
# Override the settings from the config file with command line
1520
730
# options, if set.
1521
for option in (u"interface", u"address", u"port", u"debug",
1522
u"priority", u"servicename", u"configdir",
1523
u"use_dbus", u"use_ipv6"):
731
for option in ("interface", "address", "port", "debug",
732
"priority", "servicename", "configdir"):
1524
733
value = getattr(options, option)
1525
734
if value is not None:
1526
735
server_settings[option] = value
1527
736
del options
1528
# Force all strings to be unicode
1529
for option in server_settings.keys():
1530
if type(server_settings[option]) is str:
1531
server_settings[option] = unicode(server_settings[option])
1532
737
# Now we have our good server settings in "server_settings"
1533
738
1534
##################################################################
1535
1536
# For convenience
1537
debug = server_settings[u"debug"]
1538
use_dbus = server_settings[u"use_dbus"]
1539
use_ipv6 = server_settings[u"use_ipv6"]
739
debug = server_settings["debug"]
1540
740
1541
741
if not debug:
1542
742
syslogger.setLevel(logging.WARNING)
1543
743
console.setLevel(logging.WARNING)
1544
744
1545
if server_settings[u"servicename"] != u"Mandos":
1546
syslogger.setFormatter(logging.Formatter
1547
(u'Mandos (%s) [%%(process)d]:'
1548
u' %%(levelname)s: %%(message)s'
1549
% server_settings[u"servicename"]))
745
if server_settings["servicename"] != "Mandos":
746
syslogger.setFormatter(logging.Formatter\
747
('Mandos (%s): %%(levelname)s:'
748
' %%(message)s'
749
% server_settings["servicename"]))
1550
750
1551
751
# Parse config file with clients
1552
client_defaults = { u"timeout": u"1h",
1553
u"interval": u"5m",
1554
u"checker": u"fping -q -- %%(host)s",
1555
u"host": u"",
752
client_defaults = { "timeout": "1h",
753
"interval": "5m",
754
"checker": "fping -q -- %(host)s",
755
"host": "",
1556
756
}
1557
client_config = configparser.SafeConfigParser(client_defaults)
1558
client_config.read(os.path.join(server_settings[u"configdir"],
1559
u"clients.conf"))
1560
1561
global mandos_dbus_service
1562
mandos_dbus_service = None
1563
1564
tcp_server = MandosServer((server_settings[u"address"],
1565
server_settings[u"port"]),
1566
ClientHandler,
1567
interface=server_settings[u"interface"],
1568
use_ipv6=use_ipv6,
1569
gnutls_priority=
1570
server_settings[u"priority"],
1571
use_dbus=use_dbus)
1572
pidfilename = u"/var/run/mandos.pid"
1573
try:
1574
pidfile = open(pidfilename, u"w")
1575
except IOError:
1576
logger.error(u"Could not open file %r", pidfilename)
1577
1578
try:
1579
uid = pwd.getpwnam(u"_mandos").pw_uid
1580
gid = pwd.getpwnam(u"_mandos").pw_gid
1581
except KeyError:
1582
try:
1583
uid = pwd.getpwnam(u"mandos").pw_uid
1584
gid = pwd.getpwnam(u"mandos").pw_gid
1585
except KeyError:
1586
try:
1587
uid = pwd.getpwnam(u"nobody").pw_uid
1588
gid = pwd.getpwnam(u"nobody").pw_gid
1589
except KeyError:
1590
uid = 65534
1591
gid = 65534
1592
try:
1593
os.setgid(gid)
1594
os.setuid(uid)
1595
except OSError, error:
1596
if error[0] != errno.EPERM:
1597
raise error
1598
1599
# Enable all possible GnuTLS debugging
1600
if debug:
1601
# "Use a log level over 10 to enable all debugging options."
1602
# - GnuTLS manual
1603
gnutls.library.functions.gnutls_global_set_log_level(11)
1604
1605
@gnutls.library.types.gnutls_log_func
1606
def debug_gnutls(level, string):
1607
logger.debug(u"GnuTLS: %s", string[:-1])
1608
1609
(gnutls.library.functions
1610
.gnutls_global_set_log_function(debug_gnutls))
757
client_config = ConfigParser.SafeConfigParser(client_defaults)
758
client_config.read(os.path.join(server_settings["configdir"],
759
"clients.conf"))
760
761
global service
762
service = AvahiService(name = server_settings["servicename"],
763
type = "_mandos._tcp", );
764
if server_settings["interface"]:
765
service.interface = if_nametoindex\
766
(server_settings["interface"])
1611
767
1612
768
global main_loop
769
global bus
770
global server
1613
771
# From the Avahi example code
1614
772
DBusGMainLoop(set_as_default=True )
1615
773
main_loop = gobject.MainLoop()
1616
774
bus = dbus.SystemBus()
775
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
776
avahi.DBUS_PATH_SERVER),
777
avahi.DBUS_INTERFACE_SERVER)
1617
778
# End of Avahi example code
1618
if use_dbus:
1619
try:
1620
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1621
bus, do_not_queue=True)
1622
except dbus.exceptions.NameExistsException, e:
1623
logger.error(unicode(e) + u", disabling D-Bus")
1624
use_dbus = False
1625
server_settings[u"use_dbus"] = False
1626
tcp_server.use_dbus = False
1627
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1628
service = AvahiService(name = server_settings[u"servicename"],
1629
servicetype = u"_mandos._tcp",
1630
protocol = protocol, bus = bus)
1631
if server_settings["interface"]:
1632
service.interface = (if_nametoindex
1633
(str(server_settings[u"interface"])))
1634
1635
client_class = Client
1636
if use_dbus:
1637
client_class = functools.partial(ClientDBus, bus = bus)
1638
tcp_server.clients.update(set(
1639
client_class(name = section,
1640
config= dict(client_config.items(section)))
1641
for section in client_config.sections()))
1642
if not tcp_server.clients:
1643
logger.warning(u"No clients defined")
779
780
clients = Set()
781
def remove_from_clients(client):
782
clients.remove(client)
783
if not clients:
784
logger.critical(u"No clients left, exiting")
785
sys.exit()
786
787
clients.update(Set(Client(name = section,
788
stop_hook = remove_from_clients,
789
config
790
= dict(client_config.items(section)))
791
for section in client_config.sections()))
792
if not clients:
793
logger.critical(u"No clients defined")
794
sys.exit(1)
1644
795
1645
796
if debug:
1646
797
# Redirect stdin so all checkers get /dev/null
1654
805
# Close all input and output, do double fork, etc.
1655
806
daemon()
1656
807
808
pidfilename = "/var/run/mandos/mandos.pid"
809
pid = os.getpid()
1657
810
try:
1658
with pidfile:
1659
pid = os.getpid()
1660
pidfile.write(str(pid) + "\n")
811
pidfile = open(pidfilename, "w")
812
pidfile.write(str(pid) + "\n")
813
pidfile.close()
1661
814
del pidfile
1662
except IOError:
1663
logger.error(u"Could not write to file %r with PID %d",
1664
pidfilename, pid)
1665
except NameError:
1666
# "pidfile" was never created
1667
pass
1668
del pidfilename
815
except IOError, err:
816
logger.error(u"Could not write %s file with PID %d",
817
pidfilename, os.getpid())
818
819
def cleanup():
820
"Cleanup function; run on exit"
821
global group
822
# From the Avahi example code
823
if not group is None:
824
group.Free()
825
group = None
826
# End of Avahi example code
827
828
while clients:
829
client = clients.pop()
830
client.stop_hook = None
831
client.stop()
832
833
atexit.register(cleanup)
1669
834
1670
835
if not debug:
1671
836
signal.signal(signal.SIGINT, signal.SIG_IGN)
1672
837
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1673
838
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1674
839
1675
if use_dbus:
1676
class MandosDBusService(dbus.service.Object):
1677
"""A D-Bus proxy object"""
1678
def __init__(self):
1679
dbus.service.Object.__init__(self, bus, u"/")
1680
_interface = u"se.bsnet.fukt.Mandos"
1681
1682
@dbus.service.signal(_interface, signature=u"o")
1683
def ClientAdded(self, objpath):
1684
"D-Bus signal"
1685
pass
1686
1687
@dbus.service.signal(_interface, signature=u"ss")
1688
def ClientNotFound(self, fingerprint, address):
1689
"D-Bus signal"
1690
pass
1691
1692
@dbus.service.signal(_interface, signature=u"os")
1693
def ClientRemoved(self, objpath, name):
1694
"D-Bus signal"
1695
pass
1696
1697
@dbus.service.method(_interface, out_signature=u"ao")
1698
def GetAllClients(self):
1699
"D-Bus method"
1700
return dbus.Array(c.dbus_object_path
1701
for c in tcp_server.clients)
1702
1703
@dbus.service.method(_interface,
1704
out_signature=u"a{oa{sv}}")
1705
def GetAllClientsWithProperties(self):
1706
"D-Bus method"
1707
return dbus.Dictionary(
1708
((c.dbus_object_path, c.GetAll(u""))
1709
for c in tcp_server.clients),
1710
signature=u"oa{sv}")
1711
1712
@dbus.service.method(_interface, in_signature=u"o")
1713
def RemoveClient(self, object_path):
1714
"D-Bus method"
1715
for c in tcp_server.clients:
1716
if c.dbus_object_path == object_path:
1717
tcp_server.clients.remove(c)
1718
c.remove_from_connection()
1719
# Don't signal anything except ClientRemoved
1720
c.disable(quiet=True)
1721
# Emit D-Bus signal
1722
self.ClientRemoved(object_path, c.name)
1723
return
1724
raise KeyError(object_path)
1725
1726
del _interface
1727
1728
mandos_dbus_service = MandosDBusService()
1729
1730
def cleanup():
1731
"Cleanup function; run on exit"
1732
service.cleanup()
1733
1734
while tcp_server.clients:
1735
client = tcp_server.clients.pop()
1736
if use_dbus:
1737
client.remove_from_connection()
1738
client.disable_hook = None
1739
# Don't signal anything except ClientRemoved
1740
client.disable(quiet=True)
1741
if use_dbus:
1742
# Emit D-Bus signal
1743
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1744
client.name)
1745
1746
atexit.register(cleanup)
1747
1748
for client in tcp_server.clients:
1749
if use_dbus:
1750
# Emit D-Bus signal
1751
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1752
client.enable()
1753
1754
tcp_server.enable()
1755
tcp_server.server_activate()
1756
840
for client in clients:
841
client.start()
842
843
tcp_server = IPv6_TCPServer((server_settings["address"],
844
server_settings["port"]),
845
tcp_handler,
846
settings=server_settings,
847
clients=clients)
1757
848
# Find out what port we got
1758
849
service.port = tcp_server.socket.getsockname()[1]
1759
if use_ipv6:
1760
logger.info(u"Now listening on address %r, port %d,"
1761
" flowinfo %d, scope_id %d"
1762
% tcp_server.socket.getsockname())
1763
else: # IPv4
1764
logger.info(u"Now listening on address %r, port %d"
1765
% tcp_server.socket.getsockname())
850
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
851
u" scope_id %d" % tcp_server.socket.getsockname())
1766
852
1767
853
#service.interface = tcp_server.socket.getsockname()[3]
1768
854
1769
855
try:
1770
856
# From the Avahi example code
857
server.connect_to_signal("StateChanged", server_state_changed)
1771
858
try:
1772
service.activate()
859
server_state_changed(server.GetState())
1773
860
except dbus.exceptions.DBusException, error:
1774
861
logger.critical(u"DBusException: %s", error)
1775
cleanup()
1776
862
sys.exit(1)
1777
863
# End of Avahi example code
1778
864
1779
865
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1780
866
lambda *args, **kwargs:
1781
(tcp_server.handle_request
1782
(*args[2:], **kwargs) or True))
867
tcp_server.handle_request\
868
(*args[2:], **kwargs) or True)
1783
869
1784
870
logger.debug(u"Starting main loop")
871
main_loop_started = True
1785
872
main_loop.run()
1786
873
except AvahiError, error:
1787
logger.critical(u"AvahiError: %s", error)
1788
cleanup()
874
logger.critical(u"AvahiError: %s" + unicode(error))
1789
875
sys.exit(1)
1790
876
except KeyboardInterrupt:
1791
877
if debug:
1792
print >> sys.stderr
1793
logger.debug(u"Server received KeyboardInterrupt")
1794
logger.debug(u"Server exiting")
1795
# Must run before the D-Bus bus name gets deregistered
1796
cleanup()
878
print
1797
879
1798
880
if __name__ == '__main__':
1799
881
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0