
Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2012-01-01 05:06:20 UTC
  • mto: (237.4.29 release)
  • mto: This revision was merged to the branch mainline in revision 548.
  • Revision ID: teddy@recompile.se-20120101050620-mpqzg5l19gppibhf
Tags: version-1.5.0-1
* Makefile (version): Changed to "1.5.0".
* NEWS (Version 1.5.0): New entry.
* debian/changelog (1.5.0-1): - '' -

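--- a/mandos
+++ b/mandos
@@ -85,7 +85,7 @@
     except ImportError:
         SO_BINDTODEVICE = None
 
-version = "1.5.3"
+version = "1.5.0"
 stored_state_file = "clients.pickle"
 
 logger = logging.getLogger()
@@ -415,14 +415,14 @@
     last_checked_ok: datetime.datetime(); (UTC) or None
     last_checker_status: integer between 0 and 255 reflecting exit
                          status of last checker. -1 reflects crashed
-                         checker, -2 means no checker completed yet.
+                         checker, or None.
     last_enabled: datetime.datetime(); (UTC) or None
     name:       string; from the config file, used in log messages and
                         D-Bus identifiers
     secret:     bytestring; sent verbatim (over TLS) to client
     timeout:    datetime.timedelta(); How long from last_checked_ok
                                       until this client is disabled
-    extended_timeout:   extra long timeout when secret has been sent
+    extended_timeout:   extra long timeout when password has been sent
     runtime_expansions: Allowed attributes for runtime expansion.
     expires:    datetime.datetime(); time (UTC) when a client will be
                 disabled, or None
@@ -501,7 +501,7 @@
             client["checker_command"] = section["checker"]
             client["last_approval_request"] = None
             client["last_checked_ok"] = None
-            client["last_checker_status"] = -2
+            client["last_checker_status"] = None
         
         return settings
         
@@ -626,16 +626,15 @@
             logger.warning("Checker for %(name)s crashed?",
                            vars(self))
     
-    def checked_ok(self):
-        """Assert that the client has been seen, alive and well."""
-        self.last_checked_ok = datetime.datetime.utcnow()
-        self.last_checker_status = 0
-        self.bump_timeout()
-    
-    def bump_timeout(self, timeout=None):
-        """Bump up the timeout for this client."""
+    def checked_ok(self, timeout=None):
+        """Bump up the timeout for this client.
+        
+        This should only be called when the client has been seen,
+        alive and well.
+        """
         if timeout is None:
             timeout = self.timeout
+        self.last_checked_ok = datetime.datetime.utcnow()
         if self.disable_initiator_tag is not None:
             gobject.source_remove(self.disable_initiator_tag)
         if getattr(self, "enabled", False):
@@ -1050,6 +1049,9 @@
     def __init__(self, bus = None, *args, **kwargs):
         self.bus = bus
         Client.__init__(self, *args, **kwargs)
+        self._approvals_pending = 0
+        
+        self._approvals_pending = 0
         # Only now, when this client is initialized, can it show up on
         # the D-Bus
         client_object_name = unicode(self.name).translate(
@@ -1101,8 +1103,6 @@
                                        checker is not None)
     last_checked_ok = notifychangeproperty(datetime_to_dbus,
                                            "LastCheckedOK")
-    last_checker_status = notifychangeproperty(dbus.Int16,
-                                               "LastCheckerStatus")
     last_approval_request = notifychangeproperty(
         datetime_to_dbus, "LastApprovalRequest")
     approved_by_default = notifychangeproperty(dbus.Boolean,
@@ -1227,6 +1227,14 @@
         "D-Bus signal"
         return self.need_approval()
     
+    # NeRwequest - signal
+    @dbus.service.signal(_interface, signature="s")
+    def NewRequest(self, ip):
+        """D-Bus signal
+        Is sent after a client request a password.
+        """
+        pass
+    
     ## Methods
     
     # Approve - method
@@ -1342,12 +1350,6 @@
             return
         return datetime_to_dbus(self.last_checked_ok)
     
-    # LastCheckerStatus - property
-    @dbus_service_property(_interface, signature="n",
-                           access="read")
-    def LastCheckerStatus_dbus_property(self):
-        return dbus.Int16(self.last_checker_status)
-    
     # Expires - property
     @dbus_service_property(_interface, signature="s", access="read")
     def Expires_dbus_property(self):
@@ -1545,6 +1547,10 @@
                 except KeyError:
                     return
                 
+                if self.server.use_dbus:
+                    # Emit D-Bus signal
+                    client.NewRequest(str(self.client_address))
+                
                 if client.approval_delay:
                     delay = client.approval_delay
                     client.approvals_pending += 1
@@ -1614,7 +1620,7 @@
                 
                 logger.info("Sending secret to %s", client.name)
                 # bump the timeout using extended_timeout
-                client.bump_timeout(client.extended_timeout)
+                client.checked_ok(client.extended_timeout)
                 if self.server.use_dbus:
                     # Emit D-Bus signal
                     client.GotSecret()
@@ -2244,22 +2250,21 @@
             
             # Clients who has passed its expire date can still be
             # enabled if its last checker was successful.  Clients
-            # whose checker succeeded before we stored its state is
-            # assumed to have successfully run all checkers during
-            # downtime.
+            # whose checker failed before we stored its state is
+            # assumed to have failed all checkers during downtime.
             if client["enabled"]:
                 if datetime.datetime.utcnow() >= client["expires"]:
                     if not client["last_checked_ok"]:
                         logger.warning(
                             "disabling client {0} - Client never "
-                            "performed a successful checker"
-                            .format(client_name))
+                            "performed a successfull checker"
+                            .format(client["name"]))
                         client["enabled"] = False
                     elif client["last_checker_status"] != 0:
                         logger.warning(
                             "disabling client {0} - Client "
                             "last checker failed with error code {1}"
-                            .format(client_name,
+                            .format(client["name"],
                                     client["last_checker_status"]))
                         client["enabled"] = False
                     else:
@@ -2268,7 +2273,7 @@
                                              + client["timeout"])
                         logger.debug("Last checker succeeded,"
                                      " keeping {0} enabled"
-                                     .format(client_name))
+                                     .format(client["name"]))
             try:
                 client["secret"] = (
                     pgp.decrypt(client["encrypted_secret"],
@@ -2290,7 +2295,7 @@
                         - set(old_client_settings)):
         clients_data[client_name] = client_settings[client_name]
 
-    # Create all client objects
+    # Create clients all clients
     for client_name, client in clients_data.iteritems():
         tcp_server.clients[client_name] = client_class(
             name = client_name, settings = client)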
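Review bot: On the new side `last_checker_status` defaults to `None` (new line 504) and, within the visible lines of the merged `checked_ok` (new lines 629-637), nothing records a status of 0 any more, yet the restore path at new line 2263 still tests `client["last_checker_status"] != 0`, so a client whose `last_checked_ok` was set only through `checked_ok` — for instance from the secret-sending path at new line 1623 — and that never completed a checker would, once past its expiry, be disabled with the warning "last checker failed with error code None". Unless the checker callback outside these hunks always stores a numeric status first, that branch should handle `None` explicitly, e.g. an `elif client["last_checker_status"] is None:` arm ahead of the `!= 0` comparison logging `"disabling client {0} - no checker status recorded"`, so the log never reports a value that is not an exit status. The same section also reintroduces the `successfull` spelling in the warning at new line 2260, the `# NeRwequest - signal` comment at new line 1230, and assigns `self._approvals_pending = 0` twice at new lines 1052 and 1054. The functions containing these hunks (`checked_ok`, the request handler and the client-restore loop) all start and end outside the shown lines.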