To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.2.19
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.19
- Committer: Teddy Hogeborn
- Date: 2009-05-17 00:50:09 UTC
- mto: (24.1.170 mandos) (237.4.29 release)
- mto: This revision was merged to the branch mainline in revision 343.
- Revision ID: teddy@fukt.bsnet.se-20090517005009-c0iptxampo6nf177
* initramfs-tools-hook-conf: Security bug fix: Add code to handle
being called by "mkinitramfs-kpkg"
instead of "update-initramfs".
being called by "mkinitramfs-kpkg"
instead of "update-initramfs".
- files removed:
- dbus-mandos.conf
- files modified:
- Makefile
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
55
56
import logging
56
57
import logging.handlers
57
58
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
59
from contextlib import closing
63
60
64
61
import dbus
65
62
import dbus.service
68
65
from dbus.mainloop.glib import DBusGMainLoop
69
66
import ctypes
70
67
import ctypes.util
71
import xml.dom.minidom
72
import inspect
73
74
try:
75
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
76
except AttributeError:
77
try:
78
from IN import SO_BINDTODEVICE
79
except ImportError:
80
SO_BINDTODEVICE = None
81
82
83
version = "1.0.14"
84
85
logger = logging.Logger(u'mandos')
68
69
version = "1.0.8"
70
71
logger = logging.Logger('mandos')
86
72
syslogger = (logging.handlers.SysLogHandler
87
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
88
74
address = "/dev/log"))
89
75
syslogger.setFormatter(logging.Formatter
90
(u'Mandos [%(process)d]: %(levelname)s:'
91
u' %(message)s'))
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
92
78
logger.addHandler(syslogger)
93
79
94
80
console = logging.StreamHandler()
95
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
96
u' %(levelname)s:'
97
u' %(message)s'))
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
98
83
logger.addHandler(console)
99
84
100
85
class AvahiError(Exception):
113
98
114
99
class AvahiService(object):
115
100
"""An Avahi (Zeroconf) service.
116
117
101
Attributes:
118
102
interface: integer; avahi.IF_UNSPEC or an interface index.
119
103
Used to optionally bind to the specified interface.
120
name: string; Example: u'Mandos'
121
type: string; Example: u'_mandos._tcp'.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
122
106
See <http://www.dns-sd.org/ServiceTypes.html>
123
107
port: integer; what port to announce
124
108
TXT: list of strings; TXT record for the service
127
111
max_renames: integer; maximum number of renames
128
112
rename_count: integer; counter so we only rename after collisions
129
113
a sensible number of times
130
group: D-Bus Entry Group
131
server: D-Bus Server
132
bus: dbus.SystemBus()
133
114
"""
134
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
135
116
servicetype = None, port = None, TXT = None,
136
domain = u"", host = u"", max_renames = 32768,
137
protocol = avahi.PROTO_UNSPEC, bus = None):
117
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
138
119
self.interface = interface
139
120
self.name = name
140
121
self.type = servicetype
145
126
self.rename_count = 0
146
127
self.max_renames = max_renames
147
128
self.protocol = protocol
148
self.group = None # our entry group
149
self.server = None
150
self.bus = bus
151
129
def rename(self):
152
130
"""Derived from the Avahi example code"""
153
131
if self.rename_count >= self.max_renames:
155
133
u" after %i retries, exiting.",
156
134
self.rename_count)
157
135
raise AvahiServiceError(u"Too many renames")
158
self.name = self.server.GetAlternativeServiceName(self.name)
136
self.name = server.GetAlternativeServiceName(self.name)
159
137
logger.info(u"Changing Zeroconf service name to %r ...",
160
unicode(self.name))
138
str(self.name))
161
139
syslogger.setFormatter(logging.Formatter
162
(u'Mandos (%s) [%%(process)d]:'
163
u' %%(levelname)s: %%(message)s'
164
% self.name))
140
('Mandos (%s): %%(levelname)s:'
141
' %%(message)s' % self.name))
165
142
self.remove()
166
143
self.add()
167
144
self.rename_count += 1
168
145
def remove(self):
169
146
"""Derived from the Avahi example code"""
170
if self.group is not None:
171
self.group.Reset()
147
if group is not None:
148
group.Reset()
172
149
def add(self):
173
150
"""Derived from the Avahi example code"""
174
if self.group is None:
175
self.group = dbus.Interface(
176
self.bus.get_object(avahi.DBUS_NAME,
177
self.server.EntryGroupNew()),
178
avahi.DBUS_INTERFACE_ENTRY_GROUP)
179
self.group.connect_to_signal('StateChanged',
180
self
181
.entry_group_state_changed)
151
global group
152
if group is None:
153
group = dbus.Interface(bus.get_object
154
(avahi.DBUS_NAME,
155
server.EntryGroupNew()),
156
avahi.DBUS_INTERFACE_ENTRY_GROUP)
157
group.connect_to_signal('StateChanged',
158
entry_group_state_changed)
182
159
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
183
self.name, self.type)
184
self.group.AddService(
185
self.interface,
186
self.protocol,
187
dbus.UInt32(0), # flags
188
self.name, self.type,
189
self.domain, self.host,
190
dbus.UInt16(self.port),
191
avahi.string_array_to_txt_array(self.TXT))
192
self.group.Commit()
193
def entry_group_state_changed(self, state, error):
194
"""Derived from the Avahi example code"""
195
logger.debug(u"Avahi state change: %i", state)
196
197
if state == avahi.ENTRY_GROUP_ESTABLISHED:
198
logger.debug(u"Zeroconf service established.")
199
elif state == avahi.ENTRY_GROUP_COLLISION:
200
logger.warning(u"Zeroconf service name collision.")
201
self.rename()
202
elif state == avahi.ENTRY_GROUP_FAILURE:
203
logger.critical(u"Avahi: Error in group state changed %s",
204
unicode(error))
205
raise AvahiGroupError(u"State changed: %s"
206
% unicode(error))
207
def cleanup(self):
208
"""Derived from the Avahi example code"""
209
if self.group is not None:
210
self.group.Free()
211
self.group = None
212
def server_state_changed(self, state):
213
"""Derived from the Avahi example code"""
214
if state == avahi.SERVER_COLLISION:
215
logger.error(u"Zeroconf server name collision")
216
self.remove()
217
elif state == avahi.SERVER_RUNNING:
218
self.add()
219
def activate(self):
220
"""Derived from the Avahi example code"""
221
if self.server is None:
222
self.server = dbus.Interface(
223
self.bus.get_object(avahi.DBUS_NAME,
224
avahi.DBUS_PATH_SERVER),
225
avahi.DBUS_INTERFACE_SERVER)
226
self.server.connect_to_signal(u"StateChanged",
227
self.server_state_changed)
228
self.server_state_changed(self.server.GetState())
229
230
231
class Client(object):
160
service.name, service.type)
161
group.AddService(
162
self.interface, # interface
163
self.protocol, # protocol
164
dbus.UInt32(0), # flags
165
self.name, self.type,
166
self.domain, self.host,
167
dbus.UInt16(self.port),
168
avahi.string_array_to_txt_array(self.TXT))
169
group.Commit()
170
171
# From the Avahi example code:
172
group = None # our entry group
173
# End of Avahi example code
174
175
176
def _datetime_to_dbus(dt, variant_level=0):
177
"""Convert a UTC datetime.datetime() to a D-Bus type."""
178
return dbus.String(dt.isoformat(), variant_level=variant_level)
179
180
181
class Client(dbus.service.Object):
232
182
"""A representation of a client host served by this server.
233
234
183
Attributes:
235
184
name: string; from the config file, used in log messages and
236
185
D-Bus identifiers
243
192
enabled: bool()
244
193
last_checked_ok: datetime.datetime(); (UTC) or None
245
194
timeout: datetime.timedelta(); How long from last_checked_ok
246
until this client is disabled
195
until this client is invalid
247
196
interval: datetime.timedelta(); How often to start a new checker
248
197
disable_hook: If set, called by disable() as disable_hook(self)
249
198
checker: subprocess.Popen(); a running checker process used
250
199
to see if the client lives.
251
200
'None' if no process is running.
252
201
checker_initiator_tag: a gobject event source tag, or None
253
disable_initiator_tag: - '' -
202
disable_initiator_tag: - '' -
254
203
checker_callback_tag: - '' -
255
204
checker_command: string; External command which is run to check if
256
205
client lives. %() expansions are done at
257
206
runtime with vars(self) as dict, so that for
258
207
instance %(name)s can be used in the command.
259
208
current_checker_command: string; current running checker_command
209
use_dbus: bool(); Whether to provide D-Bus interface and signals
210
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
260
211
"""
261
262
@staticmethod
263
def _timedelta_to_milliseconds(td):
264
"Convert a datetime.timedelta() to milliseconds"
265
return ((td.days * 24 * 60 * 60 * 1000)
266
+ (td.seconds * 1000)
267
+ (td.microseconds // 1000))
268
269
212
def timeout_milliseconds(self):
270
213
"Return the 'timeout' attribute in milliseconds"
271
return self._timedelta_to_milliseconds(self.timeout)
214
return ((self.timeout.days * 24 * 60 * 60 * 1000)
215
+ (self.timeout.seconds * 1000)
216
+ (self.timeout.microseconds // 1000))
272
217
273
218
def interval_milliseconds(self):
274
219
"Return the 'interval' attribute in milliseconds"
275
return self._timedelta_to_milliseconds(self.interval)
220
return ((self.interval.days * 24 * 60 * 60 * 1000)
221
+ (self.interval.seconds * 1000)
222
+ (self.interval.microseconds // 1000))
276
223
277
def __init__(self, name = None, disable_hook=None, config=None):
224
def __init__(self, name = None, disable_hook=None, config=None,
225
use_dbus=True):
278
226
"""Note: the 'checker' key in 'config' sets the
279
227
'checker_command' attribute and *not* the 'checker'
280
228
attribute."""
282
230
if config is None:
283
231
config = {}
284
232
logger.debug(u"Creating client %r", self.name)
233
self.use_dbus = False # During __init__
285
234
# Uppercase and remove spaces from fingerprint for later
286
235
# comparison purposes with return value from the fingerprint()
287
236
# function
288
self.fingerprint = (config[u"fingerprint"].upper()
237
self.fingerprint = (config["fingerprint"].upper()
289
238
.replace(u" ", u""))
290
239
logger.debug(u" Fingerprint: %s", self.fingerprint)
291
if u"secret" in config:
292
self.secret = config[u"secret"].decode(u"base64")
293
elif u"secfile" in config:
294
with open(os.path.expanduser(os.path.expandvars
295
(config[u"secfile"])),
296
"rb") as secfile:
240
if "secret" in config:
241
self.secret = config["secret"].decode(u"base64")
242
elif "secfile" in config:
243
with closing(open(os.path.expanduser
244
(os.path.expandvars
245
(config["secfile"])))) as secfile:
297
246
self.secret = secfile.read()
298
247
else:
299
248
raise TypeError(u"No secret or secfile for client %s"
300
249
% self.name)
301
self.host = config.get(u"host", u"")
250
self.host = config.get("host", "")
302
251
self.created = datetime.datetime.utcnow()
303
252
self.enabled = False
304
253
self.last_enabled = None
305
254
self.last_checked_ok = None
306
self.timeout = string_to_delta(config[u"timeout"])
307
self.interval = string_to_delta(config[u"interval"])
255
self.timeout = string_to_delta(config["timeout"])
256
self.interval = string_to_delta(config["interval"])
308
257
self.disable_hook = disable_hook
309
258
self.checker = None
310
259
self.checker_initiator_tag = None
311
260
self.disable_initiator_tag = None
312
261
self.checker_callback_tag = None
313
self.checker_command = config[u"checker"]
262
self.checker_command = config["checker"]
314
263
self.current_checker_command = None
315
264
self.last_connect = None
265
# Only now, when this client is initialized, can it show up on
266
# the D-Bus
267
self.use_dbus = use_dbus
268
if self.use_dbus:
269
self.dbus_object_path = (dbus.ObjectPath
270
("/clients/"
271
+ self.name.replace(".", "_")))
272
dbus.service.Object.__init__(self, bus,
273
self.dbus_object_path)
316
274
317
275
def enable(self):
318
276
"""Start this client's checker and timeout hooks"""
319
if getattr(self, u"enabled", False):
320
# Already enabled
321
return
322
277
self.last_enabled = datetime.datetime.utcnow()
323
278
# Schedule a new checker to be started an 'interval' from now,
324
279
# and every interval from then on.
325
280
self.checker_initiator_tag = (gobject.timeout_add
326
281
(self.interval_milliseconds(),
327
282
self.start_checker))
283
# Also start a new checker *right now*.
284
self.start_checker()
328
285
# Schedule a disable() when 'timeout' has passed
329
286
self.disable_initiator_tag = (gobject.timeout_add
330
287
(self.timeout_milliseconds(),
331
288
self.disable))
332
289
self.enabled = True
333
# Also start a new checker *right now*.
334
self.start_checker()
290
if self.use_dbus:
291
# Emit D-Bus signals
292
self.PropertyChanged(dbus.String(u"enabled"),
293
dbus.Boolean(True, variant_level=1))
294
self.PropertyChanged(dbus.String(u"last_enabled"),
295
(_datetime_to_dbus(self.last_enabled,
296
variant_level=1)))
335
297
336
def disable(self, quiet=True):
298
def disable(self):
337
299
"""Disable this client."""
338
300
if not getattr(self, "enabled", False):
339
301
return False
340
if not quiet:
341
logger.info(u"Disabling client %s", self.name)
342
if getattr(self, u"disable_initiator_tag", False):
302
logger.info(u"Disabling client %s", self.name)
303
if getattr(self, "disable_initiator_tag", False):
343
304
gobject.source_remove(self.disable_initiator_tag)
344
305
self.disable_initiator_tag = None
345
if getattr(self, u"checker_initiator_tag", False):
306
if getattr(self, "checker_initiator_tag", False):
346
307
gobject.source_remove(self.checker_initiator_tag)
347
308
self.checker_initiator_tag = None
348
309
self.stop_checker()
349
310
if self.disable_hook:
350
311
self.disable_hook(self)
351
312
self.enabled = False
313
if self.use_dbus:
314
# Emit D-Bus signal
315
self.PropertyChanged(dbus.String(u"enabled"),
316
dbus.Boolean(False, variant_level=1))
352
317
# Do not run this again if called by a gobject.timeout_add
353
318
return False
354
319
360
325
"""The checker has completed, so take appropriate actions."""
361
326
self.checker_callback_tag = None
362
327
self.checker = None
328
if self.use_dbus:
329
# Emit D-Bus signal
330
self.PropertyChanged(dbus.String(u"checker_running"),
331
dbus.Boolean(False, variant_level=1))
363
332
if os.WIFEXITED(condition):
364
333
exitstatus = os.WEXITSTATUS(condition)
365
334
if exitstatus == 0:
369
338
else:
370
339
logger.info(u"Checker for %(name)s failed",
371
340
vars(self))
341
if self.use_dbus:
342
# Emit D-Bus signal
343
self.CheckerCompleted(dbus.Int16(exitstatus),
344
dbus.Int64(condition),
345
dbus.String(command))
372
346
else:
373
347
logger.warning(u"Checker for %(name)s crashed?",
374
348
vars(self))
349
if self.use_dbus:
350
# Emit D-Bus signal
351
self.CheckerCompleted(dbus.Int16(-1),
352
dbus.Int64(condition),
353
dbus.String(command))
375
354
376
355
def checked_ok(self):
377
356
"""Bump up the timeout for this client.
378
379
357
This should only be called when the client has been seen,
380
358
alive and well.
381
359
"""
384
362
self.disable_initiator_tag = (gobject.timeout_add
385
363
(self.timeout_milliseconds(),
386
364
self.disable))
365
if self.use_dbus:
366
# Emit D-Bus signal
367
self.PropertyChanged(
368
dbus.String(u"last_checked_ok"),
369
(_datetime_to_dbus(self.last_checked_ok,
370
variant_level=1)))
387
371
388
372
def start_checker(self):
389
373
"""Start a new checker subprocess if one is not running.
390
391
374
If a checker already exists, leave it running and do
392
375
nothing."""
393
376
# The reason for not killing a running checker is that if we
396
379
# client would inevitably timeout, since no checker would get
397
380
# a chance to run to completion. If we instead leave running
398
381
# checkers alone, the checker would have to take more time
399
# than 'timeout' for the client to be disabled, which is as it
400
# should be.
382
# than 'timeout' for the client to be declared invalid, which
383
# is as it should be.
401
384
402
385
# If a checker exists, make sure it is not a zombie
403
try:
386
if self.checker is not None:
404
387
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
405
except (AttributeError, OSError), error:
406
if (isinstance(error, OSError)
407
and error.errno != errno.ECHILD):
408
raise error
409
else:
410
388
if pid:
411
logger.warning(u"Checker was a zombie")
389
logger.warning("Checker was a zombie")
412
390
gobject.source_remove(self.checker_callback_tag)
413
391
self.checker_callback(pid, status,
414
392
self.current_checker_command)
419
397
command = self.checker_command % self.host
420
398
except TypeError:
421
399
# Escape attributes for the shell
422
escaped_attrs = dict((key,
423
re.escape(unicode(str(val),
424
errors=
425
u'replace')))
400
escaped_attrs = dict((key, re.escape(str(val)))
426
401
for key, val in
427
402
vars(self).iteritems())
428
403
try:
431
406
logger.error(u'Could not format string "%s":'
432
407
u' %s', self.checker_command, error)
433
408
return True # Try again later
434
self.current_checker_command = command
409
self.current_checker_command = command
435
410
try:
436
411
logger.info(u"Starting checker %r for %s",
437
412
command, self.name)
441
416
# always replaced by /dev/null.)
442
417
self.checker = subprocess.Popen(command,
443
418
close_fds=True,
444
shell=True, cwd=u"/")
419
shell=True, cwd="/")
420
if self.use_dbus:
421
# Emit D-Bus signal
422
self.CheckerStarted(command)
423
self.PropertyChanged(
424
dbus.String("checker_running"),
425
dbus.Boolean(True, variant_level=1))
445
426
self.checker_callback_tag = (gobject.child_watch_add
446
427
(self.checker.pid,
447
428
self.checker_callback,
463
444
if self.checker_callback_tag:
464
445
gobject.source_remove(self.checker_callback_tag)
465
446
self.checker_callback_tag = None
466
if getattr(self, u"checker", None) is None:
447
if getattr(self, "checker", None) is None:
467
448
return
468
449
logger.debug(u"Stopping checker for %(name)s", vars(self))
469
450
try:
470
451
os.kill(self.checker.pid, signal.SIGTERM)
471
#time.sleep(0.5)
452
#os.sleep(0.5)
472
453
#if self.checker.poll() is None:
473
454
# os.kill(self.checker.pid, signal.SIGKILL)
474
455
except OSError, error:
475
456
if error.errno != errno.ESRCH: # No such process
476
457
raise
477
458
self.checker = None
478
479
480
def dbus_service_property(dbus_interface, signature=u"v",
481
access=u"readwrite", byte_arrays=False):
482
"""Decorators for marking methods of a DBusObjectWithProperties to
483
become properties on the D-Bus.
484
485
The decorated method will be called with no arguments by "Get"
486
and with one argument by "Set".
487
488
The parameters, where they are supported, are the same as
489
dbus.service.method, except there is only "signature", since the
490
type from Get() and the type sent to Set() is the same.
491
"""
492
# Encoding deeply encoded byte arrays is not supported yet by the
493
# "Set" method, so we fail early here:
494
if byte_arrays and signature != u"ay":
495
raise ValueError(u"Byte arrays not supported for non-'ay'"
496
u" signature %r" % signature)
497
def decorator(func):
498
func._dbus_is_property = True
499
func._dbus_interface = dbus_interface
500
func._dbus_signature = signature
501
func._dbus_access = access
502
func._dbus_name = func.__name__
503
if func._dbus_name.endswith(u"_dbus_property"):
504
func._dbus_name = func._dbus_name[:-14]
505
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
506
return func
507
return decorator
508
509
510
class DBusPropertyException(dbus.exceptions.DBusException):
511
"""A base class for D-Bus property-related exceptions
512
"""
513
def __unicode__(self):
514
return unicode(str(self))
515
516
517
class DBusPropertyAccessException(DBusPropertyException):
518
"""A property's access permissions disallows an operation.
519
"""
520
pass
521
522
523
class DBusPropertyNotFound(DBusPropertyException):
524
"""An attempt was made to access a non-existing property.
525
"""
526
pass
527
528
529
class DBusObjectWithProperties(dbus.service.Object):
530
"""A D-Bus object with properties.
531
532
Classes inheriting from this can use the dbus_service_property
533
decorator to expose methods as D-Bus properties. It exposes the
534
standard Get(), Set(), and GetAll() methods on the D-Bus.
535
"""
536
537
@staticmethod
538
def _is_dbus_property(obj):
539
return getattr(obj, u"_dbus_is_property", False)
540
541
def _get_all_dbus_properties(self):
542
"""Returns a generator of (name, attribute) pairs
543
"""
544
return ((prop._dbus_name, prop)
545
for name, prop in
546
inspect.getmembers(self, self._is_dbus_property))
547
548
def _get_dbus_property(self, interface_name, property_name):
549
"""Returns a bound method if one exists which is a D-Bus
550
property with the specified name and interface.
551
"""
552
for name in (property_name,
553
property_name + u"_dbus_property"):
554
prop = getattr(self, name, None)
555
if (prop is None
556
or not self._is_dbus_property(prop)
557
or prop._dbus_name != property_name
558
or (interface_name and prop._dbus_interface
559
and interface_name != prop._dbus_interface)):
560
continue
561
return prop
562
# No such property
563
raise DBusPropertyNotFound(self.dbus_object_path + u":"
564
+ interface_name + u"."
565
+ property_name)
566
567
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
568
out_signature=u"v")
569
def Get(self, interface_name, property_name):
570
"""Standard D-Bus property Get() method, see D-Bus standard.
571
"""
572
prop = self._get_dbus_property(interface_name, property_name)
573
if prop._dbus_access == u"write":
574
raise DBusPropertyAccessException(property_name)
575
value = prop()
576
if not hasattr(value, u"variant_level"):
577
return value
578
return type(value)(value, variant_level=value.variant_level+1)
579
580
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
581
def Set(self, interface_name, property_name, value):
582
"""Standard D-Bus property Set() method, see D-Bus standard.
583
"""
584
prop = self._get_dbus_property(interface_name, property_name)
585
if prop._dbus_access == u"read":
586
raise DBusPropertyAccessException(property_name)
587
if prop._dbus_get_args_options[u"byte_arrays"]:
588
# The byte_arrays option is not supported yet on
589
# signatures other than "ay".
590
if prop._dbus_signature != u"ay":
591
raise ValueError
592
value = dbus.ByteArray(''.join(unichr(byte)
593
for byte in value))
594
prop(value)
595
596
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
597
out_signature=u"a{sv}")
598
def GetAll(self, interface_name):
599
"""Standard D-Bus property GetAll() method, see D-Bus
600
standard.
601
602
Note: Will not include properties with access="write".
603
"""
604
all = {}
605
for name, prop in self._get_all_dbus_properties():
606
if (interface_name
607
and interface_name != prop._dbus_interface):
608
# Interface non-empty but did not match
609
continue
610
# Ignore write-only properties
611
if prop._dbus_access == u"write":
612
continue
613
value = prop()
614
if not hasattr(value, u"variant_level"):
615
all[name] = value
616
continue
617
all[name] = type(value)(value, variant_level=
618
value.variant_level+1)
619
return dbus.Dictionary(all, signature=u"sv")
620
621
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
622
out_signature=u"s",
623
path_keyword='object_path',
624
connection_keyword='connection')
625
def Introspect(self, object_path, connection):
626
"""Standard D-Bus method, overloaded to insert property tags.
627
"""
628
xmlstring = dbus.service.Object.Introspect(self, object_path,
629
connection)
630
try:
631
document = xml.dom.minidom.parseString(xmlstring)
632
def make_tag(document, name, prop):
633
e = document.createElement(u"property")
634
e.setAttribute(u"name", name)
635
e.setAttribute(u"type", prop._dbus_signature)
636
e.setAttribute(u"access", prop._dbus_access)
637
return e
638
for if_tag in document.getElementsByTagName(u"interface"):
639
for tag in (make_tag(document, name, prop)
640
for name, prop
641
in self._get_all_dbus_properties()
642
if prop._dbus_interface
643
== if_tag.getAttribute(u"name")):
644
if_tag.appendChild(tag)
645
# Add the names to the return values for the
646
# "org.freedesktop.DBus.Properties" methods
647
if (if_tag.getAttribute(u"name")
648
== u"org.freedesktop.DBus.Properties"):
649
for cn in if_tag.getElementsByTagName(u"method"):
650
if cn.getAttribute(u"name") == u"Get":
651
for arg in cn.getElementsByTagName(u"arg"):
652
if (arg.getAttribute(u"direction")
653
== u"out"):
654
arg.setAttribute(u"name", u"value")
655
elif cn.getAttribute(u"name") == u"GetAll":
656
for arg in cn.getElementsByTagName(u"arg"):
657
if (arg.getAttribute(u"direction")
658
== u"out"):
659
arg.setAttribute(u"name", u"props")
660
xmlstring = document.toxml(u"utf-8")
661
document.unlink()
662
except (AttributeError, xml.dom.DOMException,
663
xml.parsers.expat.ExpatError), error:
664
logger.error(u"Failed to override Introspection method",
665
error)
666
return xmlstring
667
668
669
class ClientDBus(Client, DBusObjectWithProperties):
670
"""A Client class using D-Bus
671
672
Attributes:
673
dbus_object_path: dbus.ObjectPath
674
bus: dbus.SystemBus()
675
"""
676
# dbus.service.Object doesn't use super(), so we can't either.
677
678
def __init__(self, bus = None, *args, **kwargs):
679
self.bus = bus
680
Client.__init__(self, *args, **kwargs)
681
# Only now, when this client is initialized, can it show up on
682
# the D-Bus
683
self.dbus_object_path = (dbus.ObjectPath
684
(u"/clients/"
685
+ self.name.replace(u".", u"_")))
686
DBusObjectWithProperties.__init__(self, self.bus,
687
self.dbus_object_path)
688
689
@staticmethod
690
def _datetime_to_dbus(dt, variant_level=0):
691
"""Convert a UTC datetime.datetime() to a D-Bus type."""
692
return dbus.String(dt.isoformat(),
693
variant_level=variant_level)
694
695
def enable(self):
696
oldstate = getattr(self, u"enabled", False)
697
r = Client.enable(self)
698
if oldstate != self.enabled:
699
# Emit D-Bus signals
700
self.PropertyChanged(dbus.String(u"enabled"),
701
dbus.Boolean(True, variant_level=1))
702
self.PropertyChanged(
703
dbus.String(u"last_enabled"),
704
self._datetime_to_dbus(self.last_enabled,
705
variant_level=1))
706
return r
707
708
def disable(self, quiet = False):
709
oldstate = getattr(self, u"enabled", False)
710
r = Client.disable(self, quiet=quiet)
711
if not quiet and oldstate != self.enabled:
712
# Emit D-Bus signal
713
self.PropertyChanged(dbus.String(u"enabled"),
714
dbus.Boolean(False, variant_level=1))
715
return r
716
717
def __del__(self, *args, **kwargs):
718
try:
719
self.remove_from_connection()
720
except LookupError:
721
pass
722
if hasattr(DBusObjectWithProperties, u"__del__"):
723
DBusObjectWithProperties.__del__(self, *args, **kwargs)
724
Client.__del__(self, *args, **kwargs)
725
726
def checker_callback(self, pid, condition, command,
727
*args, **kwargs):
728
self.checker_callback_tag = None
729
self.checker = None
730
# Emit D-Bus signal
731
self.PropertyChanged(dbus.String(u"checker_running"),
732
dbus.Boolean(False, variant_level=1))
733
if os.WIFEXITED(condition):
734
exitstatus = os.WEXITSTATUS(condition)
735
# Emit D-Bus signal
736
self.CheckerCompleted(dbus.Int16(exitstatus),
737
dbus.Int64(condition),
738
dbus.String(command))
739
else:
740
# Emit D-Bus signal
741
self.CheckerCompleted(dbus.Int16(-1),
742
dbus.Int64(condition),
743
dbus.String(command))
744
745
return Client.checker_callback(self, pid, condition, command,
746
*args, **kwargs)
747
748
def checked_ok(self, *args, **kwargs):
749
r = Client.checked_ok(self, *args, **kwargs)
750
# Emit D-Bus signal
751
self.PropertyChanged(
752
dbus.String(u"last_checked_ok"),
753
(self._datetime_to_dbus(self.last_checked_ok,
754
variant_level=1)))
755
return r
756
757
def start_checker(self, *args, **kwargs):
758
old_checker = self.checker
759
if self.checker is not None:
760
old_checker_pid = self.checker.pid
761
else:
762
old_checker_pid = None
763
r = Client.start_checker(self, *args, **kwargs)
764
# Only if new checker process was started
765
if (self.checker is not None
766
and old_checker_pid != self.checker.pid):
767
# Emit D-Bus signal
768
self.CheckerStarted(self.current_checker_command)
769
self.PropertyChanged(
770
dbus.String(u"checker_running"),
771
dbus.Boolean(True, variant_level=1))
772
return r
773
774
def stop_checker(self, *args, **kwargs):
775
old_checker = getattr(self, u"checker", None)
776
r = Client.stop_checker(self, *args, **kwargs)
777
if (old_checker is not None
778
and getattr(self, u"checker", None) is None):
459
if self.use_dbus:
779
460
self.PropertyChanged(dbus.String(u"checker_running"),
780
461
dbus.Boolean(False, variant_level=1))
781
return r
782
783
## D-Bus methods, signals & properties
462
463
def still_valid(self):
464
"""Has the timeout not yet passed for this client?"""
465
if not getattr(self, "enabled", False):
466
return False
467
now = datetime.datetime.utcnow()
468
if self.last_checked_ok is None:
469
return now < (self.created + self.timeout)
470
else:
471
return now < (self.last_checked_ok + self.timeout)
472
473
## D-Bus methods & signals
784
474
_interface = u"se.bsnet.fukt.Mandos.Client"
785
475
786
## Signals
476
# CheckedOK - method
477
CheckedOK = dbus.service.method(_interface)(checked_ok)
478
CheckedOK.__name__ = "CheckedOK"
787
479
788
480
# CheckerCompleted - signal
789
@dbus.service.signal(_interface, signature=u"nxs")
481
@dbus.service.signal(_interface, signature="nxs")
790
482
def CheckerCompleted(self, exitcode, waitstatus, command):
791
483
"D-Bus signal"
792
484
pass
793
485
794
486
# CheckerStarted - signal
795
@dbus.service.signal(_interface, signature=u"s")
487
@dbus.service.signal(_interface, signature="s")
796
488
def CheckerStarted(self, command):
797
489
"D-Bus signal"
798
490
pass
799
491
492
# GetAllProperties - method
493
@dbus.service.method(_interface, out_signature="a{sv}")
494
def GetAllProperties(self):
495
"D-Bus method"
496
return dbus.Dictionary({
497
dbus.String("name"):
498
dbus.String(self.name, variant_level=1),
499
dbus.String("fingerprint"):
500
dbus.String(self.fingerprint, variant_level=1),
501
dbus.String("host"):
502
dbus.String(self.host, variant_level=1),
503
dbus.String("created"):
504
_datetime_to_dbus(self.created, variant_level=1),
505
dbus.String("last_enabled"):
506
(_datetime_to_dbus(self.last_enabled,
507
variant_level=1)
508
if self.last_enabled is not None
509
else dbus.Boolean(False, variant_level=1)),
510
dbus.String("enabled"):
511
dbus.Boolean(self.enabled, variant_level=1),
512
dbus.String("last_checked_ok"):
513
(_datetime_to_dbus(self.last_checked_ok,
514
variant_level=1)
515
if self.last_checked_ok is not None
516
else dbus.Boolean (False, variant_level=1)),
517
dbus.String("timeout"):
518
dbus.UInt64(self.timeout_milliseconds(),
519
variant_level=1),
520
dbus.String("interval"):
521
dbus.UInt64(self.interval_milliseconds(),
522
variant_level=1),
523
dbus.String("checker"):
524
dbus.String(self.checker_command,
525
variant_level=1),
526
dbus.String("checker_running"):
527
dbus.Boolean(self.checker is not None,
528
variant_level=1),
529
dbus.String("object_path"):
530
dbus.ObjectPath(self.dbus_object_path,
531
variant_level=1)
532
}, signature="sv")
533
534
# IsStillValid - method
535
IsStillValid = (dbus.service.method(_interface, out_signature="b")
536
(still_valid))
537
IsStillValid.__name__ = "IsStillValid"
538
800
539
# PropertyChanged - signal
801
@dbus.service.signal(_interface, signature=u"sv")
540
@dbus.service.signal(_interface, signature="sv")
802
541
def PropertyChanged(self, property, value):
803
542
"D-Bus signal"
804
543
pass
805
544
806
# GotSecret - signal
807
@dbus.service.signal(_interface)
808
def GotSecret(self):
809
"D-Bus signal"
810
pass
811
812
# Rejected - signal
813
@dbus.service.signal(_interface)
814
def Rejected(self):
815
"D-Bus signal"
816
pass
817
818
## Methods
819
820
# CheckedOK - method
821
@dbus.service.method(_interface)
822
def CheckedOK(self):
823
return self.checked_ok()
545
# SetChecker - method
546
@dbus.service.method(_interface, in_signature="s")
547
def SetChecker(self, checker):
548
"D-Bus setter method"
549
self.checker_command = checker
550
# Emit D-Bus signal
551
self.PropertyChanged(dbus.String(u"checker"),
552
dbus.String(self.checker_command,
553
variant_level=1))
554
555
# SetHost - method
556
@dbus.service.method(_interface, in_signature="s")
557
def SetHost(self, host):
558
"D-Bus setter method"
559
self.host = host
560
# Emit D-Bus signal
561
self.PropertyChanged(dbus.String(u"host"),
562
dbus.String(self.host, variant_level=1))
563
564
# SetInterval - method
565
@dbus.service.method(_interface, in_signature="t")
566
def SetInterval(self, milliseconds):
567
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
568
# Emit D-Bus signal
569
self.PropertyChanged(dbus.String(u"interval"),
570
(dbus.UInt64(self.interval_milliseconds(),
571
variant_level=1)))
572
573
# SetSecret - method
574
@dbus.service.method(_interface, in_signature="ay",
575
byte_arrays=True)
576
def SetSecret(self, secret):
577
"D-Bus setter method"
578
self.secret = str(secret)
579
580
# SetTimeout - method
581
@dbus.service.method(_interface, in_signature="t")
582
def SetTimeout(self, milliseconds):
583
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
584
# Emit D-Bus signal
585
self.PropertyChanged(dbus.String(u"timeout"),
586
(dbus.UInt64(self.timeout_milliseconds(),
587
variant_level=1)))
824
588
825
589
# Enable - method
826
@dbus.service.method(_interface)
827
def Enable(self):
828
"D-Bus method"
829
self.enable()
590
Enable = dbus.service.method(_interface)(enable)
591
Enable.__name__ = "Enable"
830
592
831
593
# StartChecker - method
832
594
@dbus.service.method(_interface)
841
603
self.disable()
842
604
843
605
# StopChecker - method
844
@dbus.service.method(_interface)
845
def StopChecker(self):
846
self.stop_checker()
847
848
## Properties
849
850
# name - property
851
@dbus_service_property(_interface, signature=u"s", access=u"read")
852
def name_dbus_property(self):
853
return dbus.String(self.name)
854
855
# fingerprint - property
856
@dbus_service_property(_interface, signature=u"s", access=u"read")
857
def fingerprint_dbus_property(self):
858
return dbus.String(self.fingerprint)
859
860
# host - property
861
@dbus_service_property(_interface, signature=u"s",
862
access=u"readwrite")
863
def host_dbus_property(self, value=None):
864
if value is None: # get
865
return dbus.String(self.host)
866
self.host = value
867
# Emit D-Bus signal
868
self.PropertyChanged(dbus.String(u"host"),
869
dbus.String(value, variant_level=1))
870
871
# created - property
872
@dbus_service_property(_interface, signature=u"s", access=u"read")
873
def created_dbus_property(self):
874
return dbus.String(self._datetime_to_dbus(self.created))
875
876
# last_enabled - property
877
@dbus_service_property(_interface, signature=u"s", access=u"read")
878
def last_enabled_dbus_property(self):
879
if self.last_enabled is None:
880
return dbus.String(u"")
881
return dbus.String(self._datetime_to_dbus(self.last_enabled))
882
883
# enabled - property
884
@dbus_service_property(_interface, signature=u"b",
885
access=u"readwrite")
886
def enabled_dbus_property(self, value=None):
887
if value is None: # get
888
return dbus.Boolean(self.enabled)
889
if value:
890
self.enable()
891
else:
892
self.disable()
893
894
# last_checked_ok - property
895
@dbus_service_property(_interface, signature=u"s",
896
access=u"readwrite")
897
def last_checked_ok_dbus_property(self, value=None):
898
if value is not None:
899
self.checked_ok()
900
return
901
if self.last_checked_ok is None:
902
return dbus.String(u"")
903
return dbus.String(self._datetime_to_dbus(self
904
.last_checked_ok))
905
906
# timeout - property
907
@dbus_service_property(_interface, signature=u"t",
908
access=u"readwrite")
909
def timeout_dbus_property(self, value=None):
910
if value is None: # get
911
return dbus.UInt64(self.timeout_milliseconds())
912
self.timeout = datetime.timedelta(0, 0, 0, value)
913
# Emit D-Bus signal
914
self.PropertyChanged(dbus.String(u"timeout"),
915
dbus.UInt64(value, variant_level=1))
916
if getattr(self, u"disable_initiator_tag", None) is None:
917
return
918
# Reschedule timeout
919
gobject.source_remove(self.disable_initiator_tag)
920
self.disable_initiator_tag = None
921
time_to_die = (self.
922
_timedelta_to_milliseconds((self
923
.last_checked_ok
924
+ self.timeout)
925
- datetime.datetime
926
.utcnow()))
927
if time_to_die <= 0:
928
# The timeout has passed
929
self.disable()
930
else:
931
self.disable_initiator_tag = (gobject.timeout_add
932
(time_to_die, self.disable))
933
934
# interval - property
935
@dbus_service_property(_interface, signature=u"t",
936
access=u"readwrite")
937
def interval_dbus_property(self, value=None):
938
if value is None: # get
939
return dbus.UInt64(self.interval_milliseconds())
940
self.interval = datetime.timedelta(0, 0, 0, value)
941
# Emit D-Bus signal
942
self.PropertyChanged(dbus.String(u"interval"),
943
dbus.UInt64(value, variant_level=1))
944
if getattr(self, u"checker_initiator_tag", None) is None:
945
return
946
# Reschedule checker run
947
gobject.source_remove(self.checker_initiator_tag)
948
self.checker_initiator_tag = (gobject.timeout_add
949
(value, self.start_checker))
950
self.start_checker() # Start one now, too
951
952
# checker - property
953
@dbus_service_property(_interface, signature=u"s",
954
access=u"readwrite")
955
def checker_dbus_property(self, value=None):
956
if value is None: # get
957
return dbus.String(self.checker_command)
958
self.checker_command = value
959
# Emit D-Bus signal
960
self.PropertyChanged(dbus.String(u"checker"),
961
dbus.String(self.checker_command,
962
variant_level=1))
963
964
# checker_running - property
965
@dbus_service_property(_interface, signature=u"b",
966
access=u"readwrite")
967
def checker_running_dbus_property(self, value=None):
968
if value is None: # get
969
return dbus.Boolean(self.checker is not None)
970
if value:
971
self.start_checker()
972
else:
973
self.stop_checker()
974
975
# object_path - property
976
@dbus_service_property(_interface, signature=u"o", access=u"read")
977
def object_path_dbus_property(self):
978
return self.dbus_object_path # is already a dbus.ObjectPath
979
980
# secret = property
981
@dbus_service_property(_interface, signature=u"ay",
982
access=u"write", byte_arrays=True)
983
def secret_dbus_property(self, value):
984
self.secret = str(value)
606
StopChecker = dbus.service.method(_interface)(stop_checker)
607
StopChecker.__name__ = "StopChecker"
985
608
986
609
del _interface
987
610
988
611
989
class ClientHandler(socketserver.BaseRequestHandler, object):
990
"""A class to handle client connections.
991
992
Instantiated once for each connection to handle it.
612
def peer_certificate(session):
613
"Return the peer's OpenPGP certificate as a bytestring"
614
# If not an OpenPGP certificate...
615
if (gnutls.library.functions
616
.gnutls_certificate_type_get(session._c_object)
617
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
618
# ...do the normal thing
619
return session.peer_certificate
620
list_size = ctypes.c_uint(1)
621
cert_list = (gnutls.library.functions
622
.gnutls_certificate_get_peers
623
(session._c_object, ctypes.byref(list_size)))
624
if not bool(cert_list) and list_size.value != 0:
625
raise gnutls.errors.GNUTLSError("error getting peer"
626
" certificate")
627
if list_size.value == 0:
628
return None
629
cert = cert_list[0]
630
return ctypes.string_at(cert.data, cert.size)
631
632
633
def fingerprint(openpgp):
634
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
635
# New GnuTLS "datum" with the OpenPGP public key
636
datum = (gnutls.library.types
637
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
638
ctypes.POINTER
639
(ctypes.c_ubyte)),
640
ctypes.c_uint(len(openpgp))))
641
# New empty GnuTLS certificate
642
crt = gnutls.library.types.gnutls_openpgp_crt_t()
643
(gnutls.library.functions
644
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
645
# Import the OpenPGP public key into the certificate
646
(gnutls.library.functions
647
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
648
gnutls.library.constants
649
.GNUTLS_OPENPGP_FMT_RAW))
650
# Verify the self signature in the key
651
crtverify = ctypes.c_uint()
652
(gnutls.library.functions
653
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
654
if crtverify.value != 0:
655
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
656
raise gnutls.errors.CertificateSecurityError("Verify failed")
657
# New buffer for the fingerprint
658
buf = ctypes.create_string_buffer(20)
659
buf_len = ctypes.c_size_t()
660
# Get the fingerprint from the certificate into the buffer
661
(gnutls.library.functions
662
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
663
ctypes.byref(buf_len)))
664
# Deinit the certificate
665
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
666
# Convert the buffer to a Python bytestring
667
fpr = ctypes.string_at(buf, buf_len.value)
668
# Convert the bytestring to hexadecimal notation
669
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
670
return hex_fpr
671
672
673
class TCP_handler(SocketServer.BaseRequestHandler, object):
674
"""A TCP request handler class.
675
Instantiated by IPv6_TCPServer for each request to handle it.
993
676
Note: This will run in its own forked process."""
994
677
995
678
def handle(self):
996
679
logger.info(u"TCP connection from: %s",
997
680
unicode(self.client_address))
998
logger.debug(u"IPC Pipe FD: %d",
999
self.server.child_pipe[1].fileno())
1000
# Open IPC pipe to parent process
1001
with contextlib.nested(self.server.child_pipe[1],
1002
self.server.parent_pipe[0]
1003
) as (ipc, ipc_return):
1004
session = (gnutls.connection
1005
.ClientSession(self.request,
1006
gnutls.connection
1007
.X509Credentials()))
1008
1009
line = self.request.makefile().readline()
1010
logger.debug(u"Protocol version: %r", line)
1011
try:
1012
if int(line.strip().split()[0]) > 1:
1013
raise RuntimeError
1014
except (ValueError, IndexError, RuntimeError), error:
1015
logger.error(u"Unknown protocol version: %s", error)
1016
return
1017
1018
# Note: gnutls.connection.X509Credentials is really a
1019
# generic GnuTLS certificate credentials object so long as
1020
# no X.509 keys are added to it. Therefore, we can use it
1021
# here despite using OpenPGP certificates.
1022
1023
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1024
# u"+AES-256-CBC", u"+SHA1",
1025
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1026
# u"+DHE-DSS"))
1027
# Use a fallback default, since this MUST be set.
1028
priority = self.server.gnutls_priority
1029
if priority is None:
1030
priority = u"NORMAL"
1031
(gnutls.library.functions
1032
.gnutls_priority_set_direct(session._c_object,
1033
priority, None))
1034
1035
try:
1036
session.handshake()
1037
except gnutls.errors.GNUTLSError, error:
1038
logger.warning(u"Handshake failed: %s", error)
1039
# Do not run session.bye() here: the session is not
1040
# established. Just abandon the request.
1041
return
1042
logger.debug(u"Handshake succeeded")
1043
try:
1044
try:
1045
fpr = self.fingerprint(self.peer_certificate
1046
(session))
1047
except (TypeError, gnutls.errors.GNUTLSError), error:
1048
logger.warning(u"Bad certificate: %s", error)
1049
return
1050
logger.debug(u"Fingerprint: %s", fpr)
1051
1052
for c in self.server.clients:
1053
if c.fingerprint == fpr:
1054
client = c
1055
break
1056
else:
1057
ipc.write(u"NOTFOUND %s %s\n"
1058
% (fpr, unicode(self.client_address)))
1059
return
1060
# Have to check if client.enabled, since it is
1061
# possible that the client was disabled since the
1062
# GnuTLS session was established.
1063
ipc.write(u"GETATTR enabled %s\n" % fpr)
1064
enabled = pickle.load(ipc_return)
1065
if not enabled:
1066
ipc.write(u"DISABLED %s\n" % client.name)
1067
return
1068
# Send "NEED_APPROVAL" here and hang waiting
1069
# for response? Leave timeout to parent process?
1070
ipc.write(u"SENDING %s\n" % client.name)
1071
sent_size = 0
1072
while sent_size < len(client.secret):
1073
sent = session.send(client.secret[sent_size:])
1074
logger.debug(u"Sent: %d, remaining: %d",
1075
sent, len(client.secret)
1076
- (sent_size + sent))
1077
sent_size += sent
1078
finally:
1079
session.bye()
1080
1081
@staticmethod
1082
def peer_certificate(session):
1083
"Return the peer's OpenPGP certificate as a bytestring"
1084
# If not an OpenPGP certificate...
1085
if (gnutls.library.functions
1086
.gnutls_certificate_type_get(session._c_object)
1087
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1088
# ...do the normal thing
1089
return session.peer_certificate
1090
list_size = ctypes.c_uint(1)
1091
cert_list = (gnutls.library.functions
1092
.gnutls_certificate_get_peers
1093
(session._c_object, ctypes.byref(list_size)))
1094
if not bool(cert_list) and list_size.value != 0:
1095
raise gnutls.errors.GNUTLSError(u"error getting peer"
1096
u" certificate")
1097
if list_size.value == 0:
1098
return None
1099
cert = cert_list[0]
1100
return ctypes.string_at(cert.data, cert.size)
1101
1102
@staticmethod
1103
def fingerprint(openpgp):
1104
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1105
# New GnuTLS "datum" with the OpenPGP public key
1106
datum = (gnutls.library.types
1107
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1108
ctypes.POINTER
1109
(ctypes.c_ubyte)),
1110
ctypes.c_uint(len(openpgp))))
1111
# New empty GnuTLS certificate
1112
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1113
(gnutls.library.functions
1114
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1115
# Import the OpenPGP public key into the certificate
1116
(gnutls.library.functions
1117
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1118
gnutls.library.constants
1119
.GNUTLS_OPENPGP_FMT_RAW))
1120
# Verify the self signature in the key
1121
crtverify = ctypes.c_uint()
1122
(gnutls.library.functions
1123
.gnutls_openpgp_crt_verify_self(crt, 0,
1124
ctypes.byref(crtverify)))
1125
if crtverify.value != 0:
1126
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1127
raise (gnutls.errors.CertificateSecurityError
1128
(u"Verify failed"))
1129
# New buffer for the fingerprint
1130
buf = ctypes.create_string_buffer(20)
1131
buf_len = ctypes.c_size_t()
1132
# Get the fingerprint from the certificate into the buffer
1133
(gnutls.library.functions
1134
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1135
ctypes.byref(buf_len)))
1136
# Deinit the certificate
1137
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1138
# Convert the buffer to a Python bytestring
1139
fpr = ctypes.string_at(buf, buf_len.value)
1140
# Convert the bytestring to hexadecimal notation
1141
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1142
return hex_fpr
1143
1144
1145
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1146
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1147
def process_request(self, request, client_address):
1148
"""Overrides and wraps the original process_request().
1149
1150
This function creates a new pipe in self.pipe
1151
"""
1152
# Child writes to child_pipe
1153
self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1154
# Parent writes to parent_pipe
1155
self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1156
super(ForkingMixInWithPipes,
1157
self).process_request(request, client_address)
1158
# Close unused ends for parent
1159
self.parent_pipe[0].close() # close read end
1160
self.child_pipe[1].close() # close write end
1161
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1162
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1163
"""Dummy function; override as necessary"""
1164
child_pipe_fd.close()
1165
parent_pipe_fd.close()
1166
1167
1168
class IPv6_TCPServer(ForkingMixInWithPipes,
1169
socketserver.TCPServer, object):
681
session = (gnutls.connection
682
.ClientSession(self.request,
683
gnutls.connection
684
.X509Credentials()))
685
686
line = self.request.makefile().readline()
687
logger.debug(u"Protocol version: %r", line)
688
try:
689
if int(line.strip().split()[0]) > 1:
690
raise RuntimeError
691
except (ValueError, IndexError, RuntimeError), error:
692
logger.error(u"Unknown protocol version: %s", error)
693
return
694
695
# Note: gnutls.connection.X509Credentials is really a generic
696
# GnuTLS certificate credentials object so long as no X.509
697
# keys are added to it. Therefore, we can use it here despite
698
# using OpenPGP certificates.
699
700
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
701
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
702
# "+DHE-DSS"))
703
# Use a fallback default, since this MUST be set.
704
priority = self.server.settings.get("priority", "NORMAL")
705
(gnutls.library.functions
706
.gnutls_priority_set_direct(session._c_object,
707
priority, None))
708
709
try:
710
session.handshake()
711
except gnutls.errors.GNUTLSError, error:
712
logger.warning(u"Handshake failed: %s", error)
713
# Do not run session.bye() here: the session is not
714
# established. Just abandon the request.
715
return
716
logger.debug(u"Handshake succeeded")
717
try:
718
fpr = fingerprint(peer_certificate(session))
719
except (TypeError, gnutls.errors.GNUTLSError), error:
720
logger.warning(u"Bad certificate: %s", error)
721
session.bye()
722
return
723
logger.debug(u"Fingerprint: %s", fpr)
724
725
for c in self.server.clients:
726
if c.fingerprint == fpr:
727
client = c
728
break
729
else:
730
logger.warning(u"Client not found for fingerprint: %s",
731
fpr)
732
session.bye()
733
return
734
# Have to check if client.still_valid(), since it is possible
735
# that the client timed out while establishing the GnuTLS
736
# session.
737
if not client.still_valid():
738
logger.warning(u"Client %(name)s is invalid",
739
vars(client))
740
session.bye()
741
return
742
## This won't work here, since we're in a fork.
743
# client.checked_ok()
744
sent_size = 0
745
while sent_size < len(client.secret):
746
sent = session.send(client.secret[sent_size:])
747
logger.debug(u"Sent: %d, remaining: %d",
748
sent, len(client.secret)
749
- (sent_size + sent))
750
sent_size += sent
751
session.bye()
752
753
754
class IPv6_TCPServer(SocketServer.ForkingMixIn,
755
SocketServer.TCPServer, object):
1170
756
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1171
1172
757
Attributes:
758
settings: Server settings
759
clients: Set() of Client objects
1173
760
enabled: Boolean; whether this server is activated yet
1174
interface: None or a network interface name (string)
1175
use_ipv6: Boolean; to use IPv6 or not
1176
761
"""
1177
def __init__(self, server_address, RequestHandlerClass,
1178
interface=None, use_ipv6=True):
1179
self.interface = interface
1180
if use_ipv6:
1181
self.address_family = socket.AF_INET6
1182
socketserver.TCPServer.__init__(self, server_address,
1183
RequestHandlerClass)
762
address_family = socket.AF_INET6
763
def __init__(self, *args, **kwargs):
764
if "settings" in kwargs:
765
self.settings = kwargs["settings"]
766
del kwargs["settings"]
767
if "clients" in kwargs:
768
self.clients = kwargs["clients"]
769
del kwargs["clients"]
770
if "use_ipv6" in kwargs:
771
if not kwargs["use_ipv6"]:
772
self.address_family = socket.AF_INET
773
del kwargs["use_ipv6"]
774
self.enabled = False
775
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1184
776
def server_bind(self):
1185
777
"""This overrides the normal server_bind() function
1186
778
to bind to an interface if one was specified, and also NOT to
1187
779
bind to an address or port if they were not specified."""
1188
if self.interface is not None:
1189
if SO_BINDTODEVICE is None:
1190
logger.error(u"SO_BINDTODEVICE does not exist;"
1191
u" cannot bind to interface %s",
1192
self.interface)
1193
else:
1194
try:
1195
self.socket.setsockopt(socket.SOL_SOCKET,
1196
SO_BINDTODEVICE,
1197
str(self.interface
1198
+ u'\0'))
1199
except socket.error, error:
1200
if error[0] == errno.EPERM:
1201
logger.error(u"No permission to"
1202
u" bind to interface %s",
1203
self.interface)
1204
elif error[0] == errno.ENOPROTOOPT:
1205
logger.error(u"SO_BINDTODEVICE not available;"
1206
u" cannot bind to interface %s",
1207
self.interface)
1208
else:
1209
raise
780
if self.settings["interface"]:
781
# 25 is from /usr/include/asm-i486/socket.h
782
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
783
try:
784
self.socket.setsockopt(socket.SOL_SOCKET,
785
SO_BINDTODEVICE,
786
self.settings["interface"])
787
except socket.error, error:
788
if error[0] == errno.EPERM:
789
logger.error(u"No permission to"
790
u" bind to interface %s",
791
self.settings["interface"])
792
else:
793
raise
1210
794
# Only bind(2) the socket if we really need to.
1211
795
if self.server_address[0] or self.server_address[1]:
1212
796
if not self.server_address[0]:
1213
797
if self.address_family == socket.AF_INET6:
1214
any_address = u"::" # in6addr_any
798
any_address = "::" # in6addr_any
1215
799
else:
1216
800
any_address = socket.INADDR_ANY
1217
801
self.server_address = (any_address,
1219
803
elif not self.server_address[1]:
1220
804
self.server_address = (self.server_address[0],
1221
805
0)
1222
# if self.interface:
806
# if self.settings["interface"]:
1223
807
# self.server_address = (self.server_address[0],
1224
808
# 0, # port
1225
809
# 0, # flowinfo
1226
810
# if_nametoindex
1227
# (self.interface))
1228
return socketserver.TCPServer.server_bind(self)
1229
1230
1231
class MandosServer(IPv6_TCPServer):
1232
"""Mandos server.
1233
1234
Attributes:
1235
clients: set of Client objects
1236
gnutls_priority GnuTLS priority string
1237
use_dbus: Boolean; to emit D-Bus signals or not
1238
1239
Assumes a gobject.MainLoop event loop.
1240
"""
1241
def __init__(self, server_address, RequestHandlerClass,
1242
interface=None, use_ipv6=True, clients=None,
1243
gnutls_priority=None, use_dbus=True):
1244
self.enabled = False
1245
self.clients = clients
1246
if self.clients is None:
1247
self.clients = set()
1248
self.use_dbus = use_dbus
1249
self.gnutls_priority = gnutls_priority
1250
IPv6_TCPServer.__init__(self, server_address,
1251
RequestHandlerClass,
1252
interface = interface,
1253
use_ipv6 = use_ipv6)
811
# (self.settings
812
# ["interface"]))
813
return super(IPv6_TCPServer, self).server_bind()
1254
814
def server_activate(self):
1255
815
if self.enabled:
1256
return socketserver.TCPServer.server_activate(self)
816
return super(IPv6_TCPServer, self).server_activate()
1257
817
def enable(self):
1258
818
self.enabled = True
1259
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1260
# Call "handle_ipc" for both data and EOF events
1261
gobject.io_add_watch(child_pipe_fd.fileno(),
1262
gobject.IO_IN | gobject.IO_HUP,
1263
functools.partial(self.handle_ipc,
1264
reply = parent_pipe_fd,
1265
sender= child_pipe_fd))
1266
def handle_ipc(self, source, condition, reply=None, sender=None):
1267
condition_names = {
1268
gobject.IO_IN: u"IN", # There is data to read.
1269
gobject.IO_OUT: u"OUT", # Data can be written (without
1270
# blocking).
1271
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1272
gobject.IO_ERR: u"ERR", # Error condition.
1273
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1274
# broken, usually for pipes and
1275
# sockets).
1276
}
1277
conditions_string = ' | '.join(name
1278
for cond, name in
1279
condition_names.iteritems()
1280
if cond & condition)
1281
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1282
conditions_string)
1283
1284
# Read a line from the file object
1285
cmdline = sender.readline()
1286
if not cmdline: # Empty line means end of file
1287
# close the IPC pipes
1288
sender.close()
1289
reply.close()
1290
1291
# Stop calling this function
1292
return False
1293
1294
logger.debug(u"IPC command: %r", cmdline)
1295
1296
# Parse and act on command
1297
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1298
1299
if cmd == u"NOTFOUND":
1300
fpr, address = args.split(None, 1)
1301
logger.warning(u"Client not found for fingerprint: %s, ad"
1302
u"dress: %s", fpr, address)
1303
if self.use_dbus:
1304
# Emit D-Bus signal
1305
mandos_dbus_service.ClientNotFound(fpr, address)
1306
elif cmd == u"DISABLED":
1307
for client in self.clients:
1308
if client.name == args:
1309
logger.warning(u"Client %s is disabled", args)
1310
if self.use_dbus:
1311
# Emit D-Bus signal
1312
client.Rejected()
1313
break
1314
else:
1315
logger.error(u"Unknown client %s is disabled", args)
1316
elif cmd == u"SENDING":
1317
for client in self.clients:
1318
if client.name == args:
1319
logger.info(u"Sending secret to %s", client.name)
1320
client.checked_ok()
1321
if self.use_dbus:
1322
# Emit D-Bus signal
1323
client.GotSecret()
1324
break
1325
else:
1326
logger.error(u"Sending secret to unknown client %s",
1327
args)
1328
elif cmd == u"GETATTR":
1329
attr_name, fpr = args.split(None, 1)
1330
for client in self.clients:
1331
if client.fingerprint == fpr:
1332
attr_value = getattr(client, attr_name, None)
1333
logger.debug("IPC reply: %r", attr_value)
1334
pickle.dump(attr_value, reply)
1335
break
1336
else:
1337
logger.error(u"Client %s on address %s requesting "
1338
u"attribute %s not found", fpr, address,
1339
attr_name)
1340
pickle.dump(None, reply)
1341
else:
1342
logger.error(u"Unknown IPC command: %r", cmdline)
1343
1344
# Keep calling this function
1345
return True
1346
819
1347
820
1348
821
def string_to_delta(interval):
1349
822
"""Parse a string and return a datetime.timedelta
1350
823
1351
>>> string_to_delta(u'7d')
824
>>> string_to_delta('7d')
1352
825
datetime.timedelta(7)
1353
>>> string_to_delta(u'60s')
826
>>> string_to_delta('60s')
1354
827
datetime.timedelta(0, 60)
1355
>>> string_to_delta(u'60m')
828
>>> string_to_delta('60m')
1356
829
datetime.timedelta(0, 3600)
1357
>>> string_to_delta(u'24h')
830
>>> string_to_delta('24h')
1358
831
datetime.timedelta(1)
1359
832
>>> string_to_delta(u'1w')
1360
833
datetime.timedelta(7)
1361
>>> string_to_delta(u'5m 30s')
834
>>> string_to_delta('5m 30s')
1362
835
datetime.timedelta(0, 330)
1363
836
"""
1364
837
timevalue = datetime.timedelta(0)
1377
850
elif suffix == u"w":
1378
851
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1379
852
else:
1380
raise ValueError(u"Unknown suffix %r" % suffix)
1381
except (ValueError, IndexError), e:
1382
raise ValueError(e.message)
853
raise ValueError
854
except (ValueError, IndexError):
855
raise ValueError
1383
856
timevalue += delta
1384
857
return timevalue
1385
858
1386
859
860
def server_state_changed(state):
861
"""Derived from the Avahi example code"""
862
if state == avahi.SERVER_COLLISION:
863
logger.error(u"Zeroconf server name collision")
864
service.remove()
865
elif state == avahi.SERVER_RUNNING:
866
service.add()
867
868
869
def entry_group_state_changed(state, error):
870
"""Derived from the Avahi example code"""
871
logger.debug(u"Avahi state change: %i", state)
872
873
if state == avahi.ENTRY_GROUP_ESTABLISHED:
874
logger.debug(u"Zeroconf service established.")
875
elif state == avahi.ENTRY_GROUP_COLLISION:
876
logger.warning(u"Zeroconf service name collision.")
877
service.rename()
878
elif state == avahi.ENTRY_GROUP_FAILURE:
879
logger.critical(u"Avahi: Error in group state changed %s",
880
unicode(error))
881
raise AvahiGroupError(u"State changed: %s" % unicode(error))
882
1387
883
def if_nametoindex(interface):
1388
"""Call the C function if_nametoindex(), or equivalent
1389
1390
Note: This function cannot accept a unicode string."""
884
"""Call the C function if_nametoindex(), or equivalent"""
1391
885
global if_nametoindex
1392
886
try:
1393
887
if_nametoindex = (ctypes.cdll.LoadLibrary
1394
(ctypes.util.find_library(u"c"))
888
(ctypes.util.find_library("c"))
1395
889
.if_nametoindex)
1396
890
except (OSError, AttributeError):
1397
logger.warning(u"Doing if_nametoindex the hard way")
891
if "struct" not in sys.modules:
892
import struct
893
if "fcntl" not in sys.modules:
894
import fcntl
1398
895
def if_nametoindex(interface):
1399
896
"Get an interface index the hard way, i.e. using fcntl()"
1400
897
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1401
with contextlib.closing(socket.socket()) as s:
898
with closing(socket.socket()) as s:
1402
899
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1403
struct.pack(str(u"16s16x"),
1404
interface))
1405
interface_index = struct.unpack(str(u"I"),
1406
ifreq[16:20])[0]
900
struct.pack("16s16x", interface))
901
interface_index = struct.unpack("I", ifreq[16:20])[0]
1407
902
return interface_index
1408
903
return if_nametoindex(interface)
1409
904
1410
905
1411
906
def daemon(nochdir = False, noclose = False):
1412
907
"""See daemon(3). Standard BSD Unix function.
1413
1414
908
This should really exist as os.daemon, but it doesn't (yet)."""
1415
909
if os.fork():
1416
910
sys.exit()
1417
911
os.setsid()
1418
912
if not nochdir:
1419
os.chdir(u"/")
913
os.chdir("/")
1420
914
if os.fork():
1421
915
sys.exit()
1422
916
if not noclose:
1424
918
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1425
919
if not stat.S_ISCHR(os.fstat(null).st_mode):
1426
920
raise OSError(errno.ENODEV,
1427
u"%s not a character device"
1428
% os.path.devnull)
921
"/dev/null not a character device")
1429
922
os.dup2(null, sys.stdin.fileno())
1430
923
os.dup2(null, sys.stdout.fileno())
1431
924
os.dup2(null, sys.stderr.fileno())
1434
927
1435
928
1436
929
def main():
1437
1438
##################################################################
1439
# Parsing of options, both command line and config file
1440
1441
930
parser = optparse.OptionParser(version = "%%prog %s" % version)
1442
parser.add_option("-i", u"--interface", type=u"string",
1443
metavar="IF", help=u"Bind to interface IF")
1444
parser.add_option("-a", u"--address", type=u"string",
1445
help=u"Address to listen for requests on")
1446
parser.add_option("-p", u"--port", type=u"int",
1447
help=u"Port number to receive requests on")
1448
parser.add_option("--check", action=u"store_true",
1449
help=u"Run self-test")
1450
parser.add_option("--debug", action=u"store_true",
1451
help=u"Debug mode; run in foreground and log to"
1452
u" terminal")
1453
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1454
u" priority string (see GnuTLS documentation)")
1455
parser.add_option("--servicename", type=u"string",
1456
metavar=u"NAME", help=u"Zeroconf service name")
1457
parser.add_option("--configdir", type=u"string",
1458
default=u"/etc/mandos", metavar=u"DIR",
1459
help=u"Directory to search for configuration"
1460
u" files")
1461
parser.add_option("--no-dbus", action=u"store_false",
1462
dest=u"use_dbus", help=u"Do not provide D-Bus"
1463
u" system bus interface")
1464
parser.add_option("--no-ipv6", action=u"store_false",
1465
dest=u"use_ipv6", help=u"Do not use IPv6")
931
parser.add_option("-i", "--interface", type="string",
932
metavar="IF", help="Bind to interface IF")
933
parser.add_option("-a", "--address", type="string",
934
help="Address to listen for requests on")
935
parser.add_option("-p", "--port", type="int",
936
help="Port number to receive requests on")
937
parser.add_option("--check", action="store_true",
938
help="Run self-test")
939
parser.add_option("--debug", action="store_true",
940
help="Debug mode; run in foreground and log to"
941
" terminal")
942
parser.add_option("--priority", type="string", help="GnuTLS"
943
" priority string (see GnuTLS documentation)")
944
parser.add_option("--servicename", type="string", metavar="NAME",
945
help="Zeroconf service name")
946
parser.add_option("--configdir", type="string",
947
default="/etc/mandos", metavar="DIR",
948
help="Directory to search for configuration"
949
" files")
950
parser.add_option("--no-dbus", action="store_false",
951
dest="use_dbus",
952
help=optparse.SUPPRESS_HELP) # XXX: Not done yet
953
parser.add_option("--no-ipv6", action="store_false",
954
dest="use_ipv6", help="Do not use IPv6")
1466
955
options = parser.parse_args()[0]
1467
956
1468
957
if options.check:
1471
960
sys.exit()
1472
961
1473
962
# Default values for config file for server-global settings
1474
server_defaults = { u"interface": u"",
1475
u"address": u"",
1476
u"port": u"",
1477
u"debug": u"False",
1478
u"priority":
1479
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1480
u"servicename": u"Mandos",
1481
u"use_dbus": u"True",
1482
u"use_ipv6": u"True",
963
server_defaults = { "interface": "",
964
"address": "",
965
"port": "",
966
"debug": "False",
967
"priority":
968
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
969
"servicename": "Mandos",
970
"use_dbus": "True",
971
"use_ipv6": "True",
1483
972
}
1484
973
1485
974
# Parse config file for server-global settings
1486
server_config = configparser.SafeConfigParser(server_defaults)
975
server_config = ConfigParser.SafeConfigParser(server_defaults)
1487
976
del server_defaults
1488
server_config.read(os.path.join(options.configdir,
1489
u"mandos.conf"))
977
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1490
978
# Convert the SafeConfigParser object to a dict
1491
979
server_settings = server_config.defaults()
1492
980
# Use the appropriate methods on the non-string config options
1493
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1494
server_settings[option] = server_config.getboolean(u"DEFAULT",
1495
option)
981
server_settings["debug"] = server_config.getboolean("DEFAULT",
982
"debug")
983
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
984
"use_dbus")
985
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
986
"use_ipv6")
1496
987
if server_settings["port"]:
1497
server_settings["port"] = server_config.getint(u"DEFAULT",
1498
u"port")
988
server_settings["port"] = server_config.getint("DEFAULT",
989
"port")
1499
990
del server_config
1500
991
1501
992
# Override the settings from the config file with command line
1502
993
# options, if set.
1503
for option in (u"interface", u"address", u"port", u"debug",
1504
u"priority", u"servicename", u"configdir",
1505
u"use_dbus", u"use_ipv6"):
994
for option in ("interface", "address", "port", "debug",
995
"priority", "servicename", "configdir",
996
"use_dbus", "use_ipv6"):
1506
997
value = getattr(options, option)
1507
998
if value is not None:
1508
999
server_settings[option] = value
1509
1000
del options
1510
# Force all strings to be unicode
1511
for option in server_settings.keys():
1512
if type(server_settings[option]) is str:
1513
server_settings[option] = unicode(server_settings[option])
1514
1001
# Now we have our good server settings in "server_settings"
1515
1002
1516
##################################################################
1517
1518
1003
# For convenience
1519
debug = server_settings[u"debug"]
1520
use_dbus = server_settings[u"use_dbus"]
1521
use_ipv6 = server_settings[u"use_ipv6"]
1004
debug = server_settings["debug"]
1005
use_dbus = server_settings["use_dbus"]
1006
use_dbus = False # XXX: Not done yet
1007
use_ipv6 = server_settings["use_ipv6"]
1522
1008
1523
1009
if not debug:
1524
1010
syslogger.setLevel(logging.WARNING)
1525
1011
console.setLevel(logging.WARNING)
1526
1012
1527
if server_settings[u"servicename"] != u"Mandos":
1013
if server_settings["servicename"] != "Mandos":
1528
1014
syslogger.setFormatter(logging.Formatter
1529
(u'Mandos (%s) [%%(process)d]:'
1530
u' %%(levelname)s: %%(message)s'
1531
% server_settings[u"servicename"]))
1015
('Mandos (%s): %%(levelname)s:'
1016
' %%(message)s'
1017
% server_settings["servicename"]))
1532
1018
1533
1019
# Parse config file with clients
1534
client_defaults = { u"timeout": u"1h",
1535
u"interval": u"5m",
1536
u"checker": u"fping -q -- %%(host)s",
1537
u"host": u"",
1020
client_defaults = { "timeout": "1h",
1021
"interval": "5m",
1022
"checker": "fping -q -- %%(host)s",
1023
"host": "",
1538
1024
}
1539
client_config = configparser.SafeConfigParser(client_defaults)
1540
client_config.read(os.path.join(server_settings[u"configdir"],
1541
u"clients.conf"))
1542
1543
global mandos_dbus_service
1544
mandos_dbus_service = None
1545
1546
tcp_server = MandosServer((server_settings[u"address"],
1547
server_settings[u"port"]),
1548
ClientHandler,
1549
interface=server_settings[u"interface"],
1550
use_ipv6=use_ipv6,
1551
gnutls_priority=
1552
server_settings[u"priority"],
1553
use_dbus=use_dbus)
1554
pidfilename = u"/var/run/mandos.pid"
1025
client_config = ConfigParser.SafeConfigParser(client_defaults)
1026
client_config.read(os.path.join(server_settings["configdir"],
1027
"clients.conf"))
1028
1029
clients = Set()
1030
tcp_server = IPv6_TCPServer((server_settings["address"],
1031
server_settings["port"]),
1032
TCP_handler,
1033
settings=server_settings,
1034
clients=clients, use_ipv6=use_ipv6)
1035
pidfilename = "/var/run/mandos.pid"
1555
1036
try:
1556
pidfile = open(pidfilename, u"w")
1037
pidfile = open(pidfilename, "w")
1557
1038
except IOError:
1558
logger.error(u"Could not open file %r", pidfilename)
1039
logger.error("Could not open file %r", pidfilename)
1559
1040
1560
1041
try:
1561
uid = pwd.getpwnam(u"_mandos").pw_uid
1562
gid = pwd.getpwnam(u"_mandos").pw_gid
1042
uid = pwd.getpwnam("_mandos").pw_uid
1043
gid = pwd.getpwnam("_mandos").pw_gid
1563
1044
except KeyError:
1564
1045
try:
1565
uid = pwd.getpwnam(u"mandos").pw_uid
1566
gid = pwd.getpwnam(u"mandos").pw_gid
1046
uid = pwd.getpwnam("mandos").pw_uid
1047
gid = pwd.getpwnam("mandos").pw_gid
1567
1048
except KeyError:
1568
1049
try:
1569
uid = pwd.getpwnam(u"nobody").pw_uid
1570
gid = pwd.getpwnam(u"nobody").pw_gid
1050
uid = pwd.getpwnam("nobody").pw_uid
1051
gid = pwd.getpwnam("nogroup").pw_gid
1571
1052
except KeyError:
1572
1053
uid = 65534
1573
1054
gid = 65534
1586
1067
1587
1068
@gnutls.library.types.gnutls_log_func
1588
1069
def debug_gnutls(level, string):
1589
logger.debug(u"GnuTLS: %s", string[:-1])
1070
logger.debug("GnuTLS: %s", string[:-1])
1590
1071
1591
1072
(gnutls.library.functions
1592
1073
.gnutls_global_set_log_function(debug_gnutls))
1593
1074
1075
global service
1076
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1077
service = AvahiService(name = server_settings["servicename"],
1078
servicetype = "_mandos._tcp",
1079
protocol = protocol)
1080
if server_settings["interface"]:
1081
service.interface = (if_nametoindex
1082
(server_settings["interface"]))
1083
1594
1084
global main_loop
1085
global bus
1086
global server
1595
1087
# From the Avahi example code
1596
1088
DBusGMainLoop(set_as_default=True )
1597
1089
main_loop = gobject.MainLoop()
1598
1090
bus = dbus.SystemBus()
1091
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1092
avahi.DBUS_PATH_SERVER),
1093
avahi.DBUS_INTERFACE_SERVER)
1599
1094
# End of Avahi example code
1600
1095
if use_dbus:
1601
try:
1602
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1603
bus, do_not_queue=True)
1604
except dbus.exceptions.NameExistsException, e:
1605
logger.error(unicode(e) + u", disabling D-Bus")
1606
use_dbus = False
1607
server_settings[u"use_dbus"] = False
1608
tcp_server.use_dbus = False
1609
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1610
service = AvahiService(name = server_settings[u"servicename"],
1611
servicetype = u"_mandos._tcp",
1612
protocol = protocol, bus = bus)
1613
if server_settings["interface"]:
1614
service.interface = (if_nametoindex
1615
(str(server_settings[u"interface"])))
1096
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1616
1097
1617
client_class = Client
1618
if use_dbus:
1619
client_class = functools.partial(ClientDBus, bus = bus)
1620
tcp_server.clients.update(set(
1621
client_class(name = section,
1622
config= dict(client_config.items(section)))
1623
for section in client_config.sections()))
1624
if not tcp_server.clients:
1098
clients.update(Set(Client(name = section,
1099
config
1100
= dict(client_config.items(section)),
1101
use_dbus = use_dbus)
1102
for section in client_config.sections()))
1103
if not clients:
1625
1104
logger.warning(u"No clients defined")
1626
1105
1627
1106
if debug:
1637
1116
daemon()
1638
1117
1639
1118
try:
1640
with pidfile:
1641
pid = os.getpid()
1642
pidfile.write(str(pid) + "\n")
1119
pid = os.getpid()
1120
pidfile.write(str(pid) + "\n")
1121
pidfile.close()
1643
1122
del pidfile
1644
1123
except IOError:
1645
1124
logger.error(u"Could not write to file %r with PID %d",
1649
1128
pass
1650
1129
del pidfilename
1651
1130
1131
def cleanup():
1132
"Cleanup function; run on exit"
1133
global group
1134
# From the Avahi example code
1135
if not group is None:
1136
group.Free()
1137
group = None
1138
# End of Avahi example code
1139
1140
while clients:
1141
client = clients.pop()
1142
client.disable_hook = None
1143
client.disable()
1144
1145
atexit.register(cleanup)
1146
1652
1147
if not debug:
1653
1148
signal.signal(signal.SIGINT, signal.SIG_IGN)
1654
1149
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1655
1150
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1656
1151
1657
1152
if use_dbus:
1658
class MandosDBusService(dbus.service.Object):
1153
class MandosServer(dbus.service.Object):
1659
1154
"""A D-Bus proxy object"""
1660
1155
def __init__(self):
1661
dbus.service.Object.__init__(self, bus, u"/")
1156
dbus.service.Object.__init__(self, bus, "/")
1662
1157
_interface = u"se.bsnet.fukt.Mandos"
1663
1158
1664
@dbus.service.signal(_interface, signature=u"o")
1665
def ClientAdded(self, objpath):
1666
"D-Bus signal"
1667
pass
1668
1669
@dbus.service.signal(_interface, signature=u"ss")
1670
def ClientNotFound(self, fingerprint, address):
1671
"D-Bus signal"
1672
pass
1673
1674
@dbus.service.signal(_interface, signature=u"os")
1159
@dbus.service.signal(_interface, signature="oa{sv}")
1160
def ClientAdded(self, objpath, properties):
1161
"D-Bus signal"
1162
pass
1163
1164
@dbus.service.signal(_interface, signature="os")
1675
1165
def ClientRemoved(self, objpath, name):
1676
1166
"D-Bus signal"
1677
1167
pass
1678
1168
1679
@dbus.service.method(_interface, out_signature=u"ao")
1169
@dbus.service.method(_interface, out_signature="ao")
1680
1170
def GetAllClients(self):
1681
1171
"D-Bus method"
1682
return dbus.Array(c.dbus_object_path
1683
for c in tcp_server.clients)
1172
return dbus.Array(c.dbus_object_path for c in clients)
1684
1173
1685
@dbus.service.method(_interface,
1686
out_signature=u"a{oa{sv}}")
1174
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1687
1175
def GetAllClientsWithProperties(self):
1688
1176
"D-Bus method"
1689
1177
return dbus.Dictionary(
1690
((c.dbus_object_path, c.GetAll(u""))
1691
for c in tcp_server.clients),
1692
signature=u"oa{sv}")
1178
((c.dbus_object_path, c.GetAllProperties())
1179
for c in clients),
1180
signature="oa{sv}")
1693
1181
1694
@dbus.service.method(_interface, in_signature=u"o")
1182
@dbus.service.method(_interface, in_signature="o")
1695
1183
def RemoveClient(self, object_path):
1696
1184
"D-Bus method"
1697
for c in tcp_server.clients:
1185
for c in clients:
1698
1186
if c.dbus_object_path == object_path:
1699
tcp_server.clients.remove(c)
1700
c.remove_from_connection()
1187
clients.remove(c)
1701
1188
# Don't signal anything except ClientRemoved
1702
c.disable(quiet=True)
1189
c.use_dbus = False
1190
c.disable()
1703
1191
# Emit D-Bus signal
1704
1192
self.ClientRemoved(object_path, c.name)
1705
1193
return
1706
raise KeyError(object_path)
1194
raise KeyError
1707
1195
1708
1196
del _interface
1709
1197
1710
mandos_dbus_service = MandosDBusService()
1711
1712
def cleanup():
1713
"Cleanup function; run on exit"
1714
service.cleanup()
1715
1716
while tcp_server.clients:
1717
client = tcp_server.clients.pop()
1718
if use_dbus:
1719
client.remove_from_connection()
1720
client.disable_hook = None
1721
# Don't signal anything except ClientRemoved
1722
client.disable(quiet=True)
1723
if use_dbus:
1724
# Emit D-Bus signal
1725
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1726
client.name)
1727
1728
atexit.register(cleanup)
1729
1730
for client in tcp_server.clients:
1198
mandos_server = MandosServer()
1199
1200
for client in clients:
1731
1201
if use_dbus:
1732
1202
# Emit D-Bus signal
1733
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1203
mandos_server.ClientAdded(client.dbus_object_path,
1204
client.GetAllProperties())
1734
1205
client.enable()
1735
1206
1736
1207
tcp_server.enable()
1750
1221
1751
1222
try:
1752
1223
# From the Avahi example code
1224
server.connect_to_signal("StateChanged", server_state_changed)
1753
1225
try:
1754
service.activate()
1226
server_state_changed(server.GetState())
1755
1227
except dbus.exceptions.DBusException, error:
1756
1228
logger.critical(u"DBusException: %s", error)
1757
cleanup()
1758
1229
sys.exit(1)
1759
1230
# End of Avahi example code
1760
1231
1767
1238
main_loop.run()
1768
1239
except AvahiError, error:
1769
1240
logger.critical(u"AvahiError: %s", error)
1770
cleanup()
1771
1241
sys.exit(1)
1772
1242
except KeyboardInterrupt:
1773
1243
if debug:
1774
1244
print >> sys.stderr
1775
logger.debug(u"Server received KeyboardInterrupt")
1776
logger.debug(u"Server exiting")
1777
# Must run before the D-Bus bus name gets deregistered
1778
cleanup()
1245
logger.debug("Server received KeyboardInterrupt")
1246
logger.debug("Server exiting")
1779
1247
1780
1248
if __name__ == '__main__':
1781
1249
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0