To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 24.1.149
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.149
- Committer: Björn Påhlsson
- Date: 2010-08-22 13:34:42 UTC
- mfrom: (416.1.2 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 421.
- Revision ID: belorn@fukt.bsnet.se-20100822133442-rbx6xls26j2sejky
Changed ForkingMixIn in favor of multiprocessing
Added approval functionallity
Added approval functionallity
- files added:
- dbus-mandos.conf
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer
36
import SocketServer as socketserver
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser
47
import ConfigParser as configparser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
53
52
import subprocess
54
53
import atexit
55
54
import stat
56
55
import logging
57
56
import logging.handlers
58
57
import pwd
59
from contextlib import closing
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import multiprocessing
60
64
61
65
import dbus
62
66
import dbus.service
65
69
from dbus.mainloop.glib import DBusGMainLoop
66
70
import ctypes
67
71
import ctypes.util
68
69
version = "1.0.5"
70
71
logger = logging.Logger('mandos')
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
logger = logging.Logger(u'mandos')
72
87
syslogger = (logging.handlers.SysLogHandler
73
88
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
89
address = "/dev/log"))
75
90
syslogger.setFormatter(logging.Formatter
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
91
(u'Mandos [%(process)d]: %(levelname)s:'
92
u' %(message)s'))
78
93
logger.addHandler(syslogger)
79
94
80
95
console = logging.StreamHandler()
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
96
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
97
u' %(levelname)s:'
98
u' %(message)s'))
83
99
logger.addHandler(console)
84
100
101
multiprocessing_manager = multiprocessing.Manager()
102
85
103
class AvahiError(Exception):
86
104
def __init__(self, value, *args, **kwargs):
87
105
self.value = value
98
116
99
117
class AvahiService(object):
100
118
"""An Avahi (Zeroconf) service.
119
101
120
Attributes:
102
121
interface: integer; avahi.IF_UNSPEC or an interface index.
103
122
Used to optionally bind to the specified interface.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
123
name: string; Example: u'Mandos'
124
type: string; Example: u'_mandos._tcp'.
106
125
See <http://www.dns-sd.org/ServiceTypes.html>
107
126
port: integer; what port to announce
108
127
TXT: list of strings; TXT record for the service
111
130
max_renames: integer; maximum number of renames
112
131
rename_count: integer; counter so we only rename after collisions
113
132
a sensible number of times
133
group: D-Bus Entry Group
134
server: D-Bus Server
135
bus: dbus.SystemBus()
114
136
"""
115
137
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
138
servicetype = None, port = None, TXT = None,
117
domain = "", host = "", max_renames = 32768):
139
domain = u"", host = u"", max_renames = 32768,
140
protocol = avahi.PROTO_UNSPEC, bus = None):
118
141
self.interface = interface
119
142
self.name = name
120
143
self.type = servicetype
124
147
self.host = host
125
148
self.rename_count = 0
126
149
self.max_renames = max_renames
150
self.protocol = protocol
151
self.group = None # our entry group
152
self.server = None
153
self.bus = bus
127
154
def rename(self):
128
155
"""Derived from the Avahi example code"""
129
156
if self.rename_count >= self.max_renames:
131
158
u" after %i retries, exiting.",
132
159
self.rename_count)
133
160
raise AvahiServiceError(u"Too many renames")
134
self.name = server.GetAlternativeServiceName(self.name)
161
self.name = self.server.GetAlternativeServiceName(self.name)
135
162
logger.info(u"Changing Zeroconf service name to %r ...",
136
str(self.name))
163
unicode(self.name))
137
164
syslogger.setFormatter(logging.Formatter
138
('Mandos (%s): %%(levelname)s:'
139
' %%(message)s' % self.name))
165
(u'Mandos (%s) [%%(process)d]:'
166
u' %%(levelname)s: %%(message)s'
167
% self.name))
140
168
self.remove()
141
169
self.add()
142
170
self.rename_count += 1
143
171
def remove(self):
144
172
"""Derived from the Avahi example code"""
145
if group is not None:
146
group.Reset()
173
if self.group is not None:
174
self.group.Reset()
147
175
def add(self):
148
176
"""Derived from the Avahi example code"""
149
global group
150
if group is None:
151
group = dbus.Interface(bus.get_object
152
(avahi.DBUS_NAME,
153
server.EntryGroupNew()),
154
avahi.DBUS_INTERFACE_ENTRY_GROUP)
155
group.connect_to_signal('StateChanged',
156
entry_group_state_changed)
177
if self.group is None:
178
self.group = dbus.Interface(
179
self.bus.get_object(avahi.DBUS_NAME,
180
self.server.EntryGroupNew()),
181
avahi.DBUS_INTERFACE_ENTRY_GROUP)
182
self.group.connect_to_signal('StateChanged',
183
self
184
.entry_group_state_changed)
157
185
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
158
service.name, service.type)
159
group.AddService(
160
self.interface, # interface
161
avahi.PROTO_INET6, # protocol
162
dbus.UInt32(0), # flags
163
self.name, self.type,
164
self.domain, self.host,
165
dbus.UInt16(self.port),
166
avahi.string_array_to_txt_array(self.TXT))
167
group.Commit()
168
169
# From the Avahi example code:
170
group = None # our entry group
171
# End of Avahi example code
172
173
174
def _datetime_to_dbus(dt, variant_level=0):
175
"""Convert a UTC datetime.datetime() to a D-Bus type."""
176
return dbus.String(dt.isoformat(), variant_level=variant_level)
177
178
179
class Client(dbus.service.Object):
186
self.name, self.type)
187
self.group.AddService(
188
self.interface,
189
self.protocol,
190
dbus.UInt32(0), # flags
191
self.name, self.type,
192
self.domain, self.host,
193
dbus.UInt16(self.port),
194
avahi.string_array_to_txt_array(self.TXT))
195
self.group.Commit()
196
def entry_group_state_changed(self, state, error):
197
"""Derived from the Avahi example code"""
198
logger.debug(u"Avahi state change: %i", state)
199
200
if state == avahi.ENTRY_GROUP_ESTABLISHED:
201
logger.debug(u"Zeroconf service established.")
202
elif state == avahi.ENTRY_GROUP_COLLISION:
203
logger.warning(u"Zeroconf service name collision.")
204
self.rename()
205
elif state == avahi.ENTRY_GROUP_FAILURE:
206
logger.critical(u"Avahi: Error in group state changed %s",
207
unicode(error))
208
raise AvahiGroupError(u"State changed: %s"
209
% unicode(error))
210
def cleanup(self):
211
"""Derived from the Avahi example code"""
212
if self.group is not None:
213
self.group.Free()
214
self.group = None
215
def server_state_changed(self, state):
216
"""Derived from the Avahi example code"""
217
if state == avahi.SERVER_COLLISION:
218
logger.error(u"Zeroconf server name collision")
219
self.remove()
220
elif state == avahi.SERVER_RUNNING:
221
self.add()
222
def activate(self):
223
"""Derived from the Avahi example code"""
224
if self.server is None:
225
self.server = dbus.Interface(
226
self.bus.get_object(avahi.DBUS_NAME,
227
avahi.DBUS_PATH_SERVER),
228
avahi.DBUS_INTERFACE_SERVER)
229
self.server.connect_to_signal(u"StateChanged",
230
self.server_state_changed)
231
self.server_state_changed(self.server.GetState())
232
233
234
# XXX Need to add:
235
# approved_by_default (Config option for each client)
236
# approved_delay (config option for each client)
237
# approved_duration (config option for each client)
238
class Client(object):
180
239
"""A representation of a client host served by this server.
240
181
241
Attributes:
182
242
name: string; from the config file, used in log messages and
183
243
D-Bus identifiers
190
250
enabled: bool()
191
251
last_checked_ok: datetime.datetime(); (UTC) or None
192
252
timeout: datetime.timedelta(); How long from last_checked_ok
193
until this client is invalid
253
until this client is disabled
194
254
interval: datetime.timedelta(); How often to start a new checker
195
255
disable_hook: If set, called by disable() as disable_hook(self)
196
256
checker: subprocess.Popen(); a running checker process used
197
257
to see if the client lives.
198
258
'None' if no process is running.
199
259
checker_initiator_tag: a gobject event source tag, or None
200
disable_initiator_tag: - '' -
260
disable_initiator_tag: - '' -
201
261
checker_callback_tag: - '' -
202
262
checker_command: string; External command which is run to check if
203
263
client lives. %() expansions are done at
204
264
runtime with vars(self) as dict, so that for
205
265
instance %(name)s can be used in the command.
206
use_dbus: bool(); Whether to provide D-Bus interface and signals
207
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
266
current_checker_command: string; current running checker_command
267
approved_delay: datetime.timedelta(); Time to wait for approval
268
_approved: bool(); 'None' if not yet approved/disapproved
269
approved_duration: datetime.timedelta(); Duration of one approval
208
270
"""
271
272
@staticmethod
273
def _timedelta_to_milliseconds(td):
274
"Convert a datetime.timedelta() to milliseconds"
275
return ((td.days * 24 * 60 * 60 * 1000)
276
+ (td.seconds * 1000)
277
+ (td.microseconds // 1000))
278
209
279
def timeout_milliseconds(self):
210
280
"Return the 'timeout' attribute in milliseconds"
211
return ((self.timeout.days * 24 * 60 * 60 * 1000)
212
+ (self.timeout.seconds * 1000)
213
+ (self.timeout.microseconds // 1000))
281
return self._timedelta_to_milliseconds(self.timeout)
214
282
215
283
def interval_milliseconds(self):
216
284
"Return the 'interval' attribute in milliseconds"
217
return ((self.interval.days * 24 * 60 * 60 * 1000)
218
+ (self.interval.seconds * 1000)
219
+ (self.interval.microseconds // 1000))
285
return self._timedelta_to_milliseconds(self.interval)
286
287
def approved_delay_milliseconds(self):
288
return self._timedelta_to_milliseconds(self.approved_delay)
220
289
221
def __init__(self, name = None, disable_hook=None, config=None,
222
use_dbus=True):
290
def __init__(self, name = None, disable_hook=None, config=None):
223
291
"""Note: the 'checker' key in 'config' sets the
224
292
'checker_command' attribute and *not* the 'checker'
225
293
attribute."""
227
295
if config is None:
228
296
config = {}
229
297
logger.debug(u"Creating client %r", self.name)
230
self.use_dbus = False # During __init__
231
298
# Uppercase and remove spaces from fingerprint for later
232
299
# comparison purposes with return value from the fingerprint()
233
300
# function
234
self.fingerprint = (config["fingerprint"].upper()
301
self.fingerprint = (config[u"fingerprint"].upper()
235
302
.replace(u" ", u""))
236
303
logger.debug(u" Fingerprint: %s", self.fingerprint)
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
240
with closing(open(os.path.expanduser
241
(os.path.expandvars
242
(config["secfile"])))) as secfile:
304
if u"secret" in config:
305
self.secret = config[u"secret"].decode(u"base64")
306
elif u"secfile" in config:
307
with open(os.path.expanduser(os.path.expandvars
308
(config[u"secfile"])),
309
"rb") as secfile:
243
310
self.secret = secfile.read()
244
311
else:
312
#XXX Need to allow secret on demand!
245
313
raise TypeError(u"No secret or secfile for client %s"
246
314
% self.name)
247
self.host = config.get("host", "")
315
self.host = config.get(u"host", u"")
248
316
self.created = datetime.datetime.utcnow()
249
317
self.enabled = False
250
318
self.last_enabled = None
251
319
self.last_checked_ok = None
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
320
self.timeout = string_to_delta(config[u"timeout"])
321
self.interval = string_to_delta(config[u"interval"])
254
322
self.disable_hook = disable_hook
255
323
self.checker = None
256
324
self.checker_initiator_tag = None
257
325
self.disable_initiator_tag = None
258
326
self.checker_callback_tag = None
259
self.checker_command = config["checker"]
327
self.checker_command = config[u"checker"]
328
self.current_checker_command = None
260
329
self.last_connect = None
261
# Only now, when this client is initialized, can it show up on
262
# the D-Bus
263
self.use_dbus = use_dbus
264
if self.use_dbus:
265
self.dbus_object_path = (dbus.ObjectPath
266
("/clients/"
267
+ self.name.replace(".", "_")))
268
dbus.service.Object.__init__(self, bus,
269
self.dbus_object_path)
270
330
self._approved = None
331
self.approved_by_default = config.get(u"approved_by_default",
332
False)
333
self.approved_delay = string_to_delta(
334
config[u"approved_delay"])
335
self.approved_duration = string_to_delta(
336
config[u"approved_duration"])
337
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
338
339
def send_changedstate(self):
340
self.changedstate.acquire()
341
self.changedstate.notify_all()
342
self.changedstate.release()
343
271
344
def enable(self):
272
345
"""Start this client's checker and timeout hooks"""
346
if getattr(self, u"enabled", False):
347
# Already enabled
348
return
349
self.send_changedstate()
273
350
self.last_enabled = datetime.datetime.utcnow()
274
351
# Schedule a new checker to be started an 'interval' from now,
275
352
# and every interval from then on.
276
353
self.checker_initiator_tag = (gobject.timeout_add
277
354
(self.interval_milliseconds(),
278
355
self.start_checker))
279
# Also start a new checker *right now*.
280
self.start_checker()
281
356
# Schedule a disable() when 'timeout' has passed
282
357
self.disable_initiator_tag = (gobject.timeout_add
283
358
(self.timeout_milliseconds(),
284
359
self.disable))
285
360
self.enabled = True
286
if self.use_dbus:
287
# Emit D-Bus signals
288
self.PropertyChanged(dbus.String(u"enabled"),
289
dbus.Boolean(True, variant_level=1))
290
self.PropertyChanged(dbus.String(u"last_enabled"),
291
(_datetime_to_dbus(self.last_enabled,
292
variant_level=1)))
361
# Also start a new checker *right now*.
362
self.start_checker()
293
363
294
def disable(self):
364
def disable(self, quiet=True):
295
365
"""Disable this client."""
296
366
if not getattr(self, "enabled", False):
297
367
return False
298
logger.info(u"Disabling client %s", self.name)
299
if getattr(self, "disable_initiator_tag", False):
368
if not quiet:
369
self.send_changedstate()
370
if not quiet:
371
logger.info(u"Disabling client %s", self.name)
372
if getattr(self, u"disable_initiator_tag", False):
300
373
gobject.source_remove(self.disable_initiator_tag)
301
374
self.disable_initiator_tag = None
302
if getattr(self, "checker_initiator_tag", False):
375
if getattr(self, u"checker_initiator_tag", False):
303
376
gobject.source_remove(self.checker_initiator_tag)
304
377
self.checker_initiator_tag = None
305
378
self.stop_checker()
306
379
if self.disable_hook:
307
380
self.disable_hook(self)
308
381
self.enabled = False
309
if self.use_dbus:
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"enabled"),
312
dbus.Boolean(False, variant_level=1))
313
382
# Do not run this again if called by a gobject.timeout_add
314
383
return False
315
384
321
390
"""The checker has completed, so take appropriate actions."""
322
391
self.checker_callback_tag = None
323
392
self.checker = None
324
if self.use_dbus:
325
# Emit D-Bus signal
326
self.PropertyChanged(dbus.String(u"checker_running"),
327
dbus.Boolean(False, variant_level=1))
328
393
if os.WIFEXITED(condition):
329
394
exitstatus = os.WEXITSTATUS(condition)
330
395
if exitstatus == 0:
334
399
else:
335
400
logger.info(u"Checker for %(name)s failed",
336
401
vars(self))
337
if self.use_dbus:
338
# Emit D-Bus signal
339
self.CheckerCompleted(dbus.Int16(exitstatus),
340
dbus.Int64(condition),
341
dbus.String(command))
342
402
else:
343
403
logger.warning(u"Checker for %(name)s crashed?",
344
404
vars(self))
345
if self.use_dbus:
346
# Emit D-Bus signal
347
self.CheckerCompleted(dbus.Int16(-1),
348
dbus.Int64(condition),
349
dbus.String(command))
350
405
351
406
def checked_ok(self):
352
407
"""Bump up the timeout for this client.
408
353
409
This should only be called when the client has been seen,
354
410
alive and well.
355
411
"""
358
414
self.disable_initiator_tag = (gobject.timeout_add
359
415
(self.timeout_milliseconds(),
360
416
self.disable))
361
if self.use_dbus:
362
# Emit D-Bus signal
363
self.PropertyChanged(
364
dbus.String(u"last_checked_ok"),
365
(_datetime_to_dbus(self.last_checked_ok,
366
variant_level=1)))
367
417
368
418
def start_checker(self):
369
419
"""Start a new checker subprocess if one is not running.
420
370
421
If a checker already exists, leave it running and do
371
422
nothing."""
372
423
# The reason for not killing a running checker is that if we
375
426
# client would inevitably timeout, since no checker would get
376
427
# a chance to run to completion. If we instead leave running
377
428
# checkers alone, the checker would have to take more time
378
# than 'timeout' for the client to be declared invalid, which
379
# is as it should be.
429
# than 'timeout' for the client to be disabled, which is as it
430
# should be.
431
432
# If a checker exists, make sure it is not a zombie
433
try:
434
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
435
except (AttributeError, OSError), error:
436
if (isinstance(error, OSError)
437
and error.errno != errno.ECHILD):
438
raise error
439
else:
440
if pid:
441
logger.warning(u"Checker was a zombie")
442
gobject.source_remove(self.checker_callback_tag)
443
self.checker_callback(pid, status,
444
self.current_checker_command)
445
# Start a new checker if needed
380
446
if self.checker is None:
381
447
try:
382
448
# In case checker_command has exactly one % operator
383
449
command = self.checker_command % self.host
384
450
except TypeError:
385
451
# Escape attributes for the shell
386
escaped_attrs = dict((key, re.escape(str(val)))
452
escaped_attrs = dict((key,
453
re.escape(unicode(str(val),
454
errors=
455
u'replace')))
387
456
for key, val in
388
457
vars(self).iteritems())
389
458
try:
392
461
logger.error(u'Could not format string "%s":'
393
462
u' %s', self.checker_command, error)
394
463
return True # Try again later
464
self.current_checker_command = command
395
465
try:
396
466
logger.info(u"Starting checker %r for %s",
397
467
command, self.name)
401
471
# always replaced by /dev/null.)
402
472
self.checker = subprocess.Popen(command,
403
473
close_fds=True,
404
shell=True, cwd="/")
405
if self.use_dbus:
406
# Emit D-Bus signal
407
self.CheckerStarted(command)
408
self.PropertyChanged(
409
dbus.String("checker_running"),
410
dbus.Boolean(True, variant_level=1))
474
shell=True, cwd=u"/")
411
475
self.checker_callback_tag = (gobject.child_watch_add
412
476
(self.checker.pid,
413
477
self.checker_callback,
414
478
data=command))
479
# The checker may have completed before the gobject
480
# watch was added. Check for this.
481
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
482
if pid:
483
gobject.source_remove(self.checker_callback_tag)
484
self.checker_callback(pid, status, command)
415
485
except OSError, error:
416
486
logger.error(u"Failed to start subprocess: %s",
417
487
error)
423
493
if self.checker_callback_tag:
424
494
gobject.source_remove(self.checker_callback_tag)
425
495
self.checker_callback_tag = None
426
if getattr(self, "checker", None) is None:
496
if getattr(self, u"checker", None) is None:
427
497
return
428
498
logger.debug(u"Stopping checker for %(name)s", vars(self))
429
499
try:
430
500
os.kill(self.checker.pid, signal.SIGTERM)
431
#os.sleep(0.5)
501
#time.sleep(0.5)
432
502
#if self.checker.poll() is None:
433
503
# os.kill(self.checker.pid, signal.SIGKILL)
434
504
except OSError, error:
435
505
if error.errno != errno.ESRCH: # No such process
436
506
raise
437
507
self.checker = None
438
if self.use_dbus:
508
509
def dbus_service_property(dbus_interface, signature=u"v",
510
access=u"readwrite", byte_arrays=False):
511
"""Decorators for marking methods of a DBusObjectWithProperties to
512
become properties on the D-Bus.
513
514
The decorated method will be called with no arguments by "Get"
515
and with one argument by "Set".
516
517
The parameters, where they are supported, are the same as
518
dbus.service.method, except there is only "signature", since the
519
type from Get() and the type sent to Set() is the same.
520
"""
521
# Encoding deeply encoded byte arrays is not supported yet by the
522
# "Set" method, so we fail early here:
523
if byte_arrays and signature != u"ay":
524
raise ValueError(u"Byte arrays not supported for non-'ay'"
525
u" signature %r" % signature)
526
def decorator(func):
527
func._dbus_is_property = True
528
func._dbus_interface = dbus_interface
529
func._dbus_signature = signature
530
func._dbus_access = access
531
func._dbus_name = func.__name__
532
if func._dbus_name.endswith(u"_dbus_property"):
533
func._dbus_name = func._dbus_name[:-14]
534
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
535
return func
536
return decorator
537
538
539
class DBusPropertyException(dbus.exceptions.DBusException):
540
"""A base class for D-Bus property-related exceptions
541
"""
542
def __unicode__(self):
543
return unicode(str(self))
544
545
546
class DBusPropertyAccessException(DBusPropertyException):
547
"""A property's access permissions disallows an operation.
548
"""
549
pass
550
551
552
class DBusPropertyNotFound(DBusPropertyException):
553
"""An attempt was made to access a non-existing property.
554
"""
555
pass
556
557
558
class DBusObjectWithProperties(dbus.service.Object):
559
"""A D-Bus object with properties.
560
561
Classes inheriting from this can use the dbus_service_property
562
decorator to expose methods as D-Bus properties. It exposes the
563
standard Get(), Set(), and GetAll() methods on the D-Bus.
564
"""
565
566
@staticmethod
567
def _is_dbus_property(obj):
568
return getattr(obj, u"_dbus_is_property", False)
569
570
def _get_all_dbus_properties(self):
571
"""Returns a generator of (name, attribute) pairs
572
"""
573
return ((prop._dbus_name, prop)
574
for name, prop in
575
inspect.getmembers(self, self._is_dbus_property))
576
577
def _get_dbus_property(self, interface_name, property_name):
578
"""Returns a bound method if one exists which is a D-Bus
579
property with the specified name and interface.
580
"""
581
for name in (property_name,
582
property_name + u"_dbus_property"):
583
prop = getattr(self, name, None)
584
if (prop is None
585
or not self._is_dbus_property(prop)
586
or prop._dbus_name != property_name
587
or (interface_name and prop._dbus_interface
588
and interface_name != prop._dbus_interface)):
589
continue
590
return prop
591
# No such property
592
raise DBusPropertyNotFound(self.dbus_object_path + u":"
593
+ interface_name + u"."
594
+ property_name)
595
596
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
597
out_signature=u"v")
598
def Get(self, interface_name, property_name):
599
"""Standard D-Bus property Get() method, see D-Bus standard.
600
"""
601
prop = self._get_dbus_property(interface_name, property_name)
602
if prop._dbus_access == u"write":
603
raise DBusPropertyAccessException(property_name)
604
value = prop()
605
if not hasattr(value, u"variant_level"):
606
return value
607
return type(value)(value, variant_level=value.variant_level+1)
608
609
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
610
def Set(self, interface_name, property_name, value):
611
"""Standard D-Bus property Set() method, see D-Bus standard.
612
"""
613
prop = self._get_dbus_property(interface_name, property_name)
614
if prop._dbus_access == u"read":
615
raise DBusPropertyAccessException(property_name)
616
if prop._dbus_get_args_options[u"byte_arrays"]:
617
# The byte_arrays option is not supported yet on
618
# signatures other than "ay".
619
if prop._dbus_signature != u"ay":
620
raise ValueError
621
value = dbus.ByteArray(''.join(unichr(byte)
622
for byte in value))
623
prop(value)
624
625
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
626
out_signature=u"a{sv}")
627
def GetAll(self, interface_name):
628
"""Standard D-Bus property GetAll() method, see D-Bus
629
standard.
630
631
Note: Will not include properties with access="write".
632
"""
633
all = {}
634
for name, prop in self._get_all_dbus_properties():
635
if (interface_name
636
and interface_name != prop._dbus_interface):
637
# Interface non-empty but did not match
638
continue
639
# Ignore write-only properties
640
if prop._dbus_access == u"write":
641
continue
642
value = prop()
643
if not hasattr(value, u"variant_level"):
644
all[name] = value
645
continue
646
all[name] = type(value)(value, variant_level=
647
value.variant_level+1)
648
return dbus.Dictionary(all, signature=u"sv")
649
650
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
651
out_signature=u"s",
652
path_keyword='object_path',
653
connection_keyword='connection')
654
def Introspect(self, object_path, connection):
655
"""Standard D-Bus method, overloaded to insert property tags.
656
"""
657
xmlstring = dbus.service.Object.Introspect(self, object_path,
658
connection)
659
try:
660
document = xml.dom.minidom.parseString(xmlstring)
661
def make_tag(document, name, prop):
662
e = document.createElement(u"property")
663
e.setAttribute(u"name", name)
664
e.setAttribute(u"type", prop._dbus_signature)
665
e.setAttribute(u"access", prop._dbus_access)
666
return e
667
for if_tag in document.getElementsByTagName(u"interface"):
668
for tag in (make_tag(document, name, prop)
669
for name, prop
670
in self._get_all_dbus_properties()
671
if prop._dbus_interface
672
== if_tag.getAttribute(u"name")):
673
if_tag.appendChild(tag)
674
# Add the names to the return values for the
675
# "org.freedesktop.DBus.Properties" methods
676
if (if_tag.getAttribute(u"name")
677
== u"org.freedesktop.DBus.Properties"):
678
for cn in if_tag.getElementsByTagName(u"method"):
679
if cn.getAttribute(u"name") == u"Get":
680
for arg in cn.getElementsByTagName(u"arg"):
681
if (arg.getAttribute(u"direction")
682
== u"out"):
683
arg.setAttribute(u"name", u"value")
684
elif cn.getAttribute(u"name") == u"GetAll":
685
for arg in cn.getElementsByTagName(u"arg"):
686
if (arg.getAttribute(u"direction")
687
== u"out"):
688
arg.setAttribute(u"name", u"props")
689
xmlstring = document.toxml(u"utf-8")
690
document.unlink()
691
except (AttributeError, xml.dom.DOMException,
692
xml.parsers.expat.ExpatError), error:
693
logger.error(u"Failed to override Introspection method",
694
error)
695
return xmlstring
696
697
698
class ClientDBus(Client, DBusObjectWithProperties):
699
"""A Client class using D-Bus
700
701
Attributes:
702
dbus_object_path: dbus.ObjectPath
703
bus: dbus.SystemBus()
704
"""
705
# dbus.service.Object doesn't use super(), so we can't either.
706
707
def __init__(self, bus = None, *args, **kwargs):
708
self.bus = bus
709
Client.__init__(self, *args, **kwargs)
710
# Only now, when this client is initialized, can it show up on
711
# the D-Bus
712
self.dbus_object_path = (dbus.ObjectPath
713
(u"/clients/"
714
+ self.name.replace(u".", u"_")))
715
DBusObjectWithProperties.__init__(self, self.bus,
716
self.dbus_object_path)
717
718
@staticmethod
719
def _datetime_to_dbus(dt, variant_level=0):
720
"""Convert a UTC datetime.datetime() to a D-Bus type."""
721
return dbus.String(dt.isoformat(),
722
variant_level=variant_level)
723
724
def enable(self):
725
oldstate = getattr(self, u"enabled", False)
726
r = Client.enable(self)
727
if oldstate != self.enabled:
728
# Emit D-Bus signals
729
self.PropertyChanged(dbus.String(u"enabled"),
730
dbus.Boolean(True, variant_level=1))
731
self.PropertyChanged(
732
dbus.String(u"last_enabled"),
733
self._datetime_to_dbus(self.last_enabled,
734
variant_level=1))
735
return r
736
737
def disable(self, quiet = False):
738
oldstate = getattr(self, u"enabled", False)
739
r = Client.disable(self, quiet=quiet)
740
if not quiet and oldstate != self.enabled:
741
# Emit D-Bus signal
742
self.PropertyChanged(dbus.String(u"enabled"),
743
dbus.Boolean(False, variant_level=1))
744
return r
745
746
def __del__(self, *args, **kwargs):
747
try:
748
self.remove_from_connection()
749
except LookupError:
750
pass
751
if hasattr(DBusObjectWithProperties, u"__del__"):
752
DBusObjectWithProperties.__del__(self, *args, **kwargs)
753
Client.__del__(self, *args, **kwargs)
754
755
def checker_callback(self, pid, condition, command,
756
*args, **kwargs):
757
self.checker_callback_tag = None
758
self.checker = None
759
# Emit D-Bus signal
760
self.PropertyChanged(dbus.String(u"checker_running"),
761
dbus.Boolean(False, variant_level=1))
762
if os.WIFEXITED(condition):
763
exitstatus = os.WEXITSTATUS(condition)
764
# Emit D-Bus signal
765
self.CheckerCompleted(dbus.Int16(exitstatus),
766
dbus.Int64(condition),
767
dbus.String(command))
768
else:
769
# Emit D-Bus signal
770
self.CheckerCompleted(dbus.Int16(-1),
771
dbus.Int64(condition),
772
dbus.String(command))
773
774
return Client.checker_callback(self, pid, condition, command,
775
*args, **kwargs)
776
777
def checked_ok(self, *args, **kwargs):
778
r = Client.checked_ok(self, *args, **kwargs)
779
# Emit D-Bus signal
780
self.PropertyChanged(
781
dbus.String(u"last_checked_ok"),
782
(self._datetime_to_dbus(self.last_checked_ok,
783
variant_level=1)))
784
return r
785
786
def start_checker(self, *args, **kwargs):
787
old_checker = self.checker
788
if self.checker is not None:
789
old_checker_pid = self.checker.pid
790
else:
791
old_checker_pid = None
792
r = Client.start_checker(self, *args, **kwargs)
793
# Only if new checker process was started
794
if (self.checker is not None
795
and old_checker_pid != self.checker.pid):
796
# Emit D-Bus signal
797
self.CheckerStarted(self.current_checker_command)
798
self.PropertyChanged(
799
dbus.String(u"checker_running"),
800
dbus.Boolean(True, variant_level=1))
801
return r
802
803
def stop_checker(self, *args, **kwargs):
804
old_checker = getattr(self, u"checker", None)
805
r = Client.stop_checker(self, *args, **kwargs)
806
if (old_checker is not None
807
and getattr(self, u"checker", None) is None):
439
808
self.PropertyChanged(dbus.String(u"checker_running"),
440
809
dbus.Boolean(False, variant_level=1))
441
442
def still_valid(self):
443
"""Has the timeout not yet passed for this client?"""
444
if not getattr(self, "enabled", False):
445
return False
446
now = datetime.datetime.utcnow()
447
if self.last_checked_ok is None:
448
return now < (self.created + self.timeout)
449
else:
450
return now < (self.last_checked_ok + self.timeout)
451
452
## D-Bus methods & signals
810
return r
811
812
def _reset_approved(self):
813
self._approved = None
814
return False
815
816
def approve(self, value=True):
817
self._approved = value
818
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration, self._reset_approved))
819
820
## D-Bus methods, signals & properties
453
821
_interface = u"se.bsnet.fukt.Mandos.Client"
454
822
455
# CheckedOK - method
456
CheckedOK = dbus.service.method(_interface)(checked_ok)
457
CheckedOK.__name__ = "CheckedOK"
823
## Signals
458
824
459
825
# CheckerCompleted - signal
460
@dbus.service.signal(_interface, signature="nxs")
826
@dbus.service.signal(_interface, signature=u"nxs")
461
827
def CheckerCompleted(self, exitcode, waitstatus, command):
462
828
"D-Bus signal"
463
829
pass
464
830
465
831
# CheckerStarted - signal
466
@dbus.service.signal(_interface, signature="s")
832
@dbus.service.signal(_interface, signature=u"s")
467
833
def CheckerStarted(self, command):
468
834
"D-Bus signal"
469
835
pass
470
836
471
# GetAllProperties - method
472
@dbus.service.method(_interface, out_signature="a{sv}")
473
def GetAllProperties(self):
474
"D-Bus method"
475
return dbus.Dictionary({
476
dbus.String("name"):
477
dbus.String(self.name, variant_level=1),
478
dbus.String("fingerprint"):
479
dbus.String(self.fingerprint, variant_level=1),
480
dbus.String("host"):
481
dbus.String(self.host, variant_level=1),
482
dbus.String("created"):
483
_datetime_to_dbus(self.created, variant_level=1),
484
dbus.String("last_enabled"):
485
(_datetime_to_dbus(self.last_enabled,
486
variant_level=1)
487
if self.last_enabled is not None
488
else dbus.Boolean(False, variant_level=1)),
489
dbus.String("enabled"):
490
dbus.Boolean(self.enabled, variant_level=1),
491
dbus.String("last_checked_ok"):
492
(_datetime_to_dbus(self.last_checked_ok,
493
variant_level=1)
494
if self.last_checked_ok is not None
495
else dbus.Boolean (False, variant_level=1)),
496
dbus.String("timeout"):
497
dbus.UInt64(self.timeout_milliseconds(),
498
variant_level=1),
499
dbus.String("interval"):
500
dbus.UInt64(self.interval_milliseconds(),
501
variant_level=1),
502
dbus.String("checker"):
503
dbus.String(self.checker_command,
504
variant_level=1),
505
dbus.String("checker_running"):
506
dbus.Boolean(self.checker is not None,
507
variant_level=1),
508
dbus.String("object_path"):
509
dbus.ObjectPath(self.dbus_object_path,
510
variant_level=1)
511
}, signature="sv")
512
513
# IsStillValid - method
514
IsStillValid = (dbus.service.method(_interface, out_signature="b")
515
(still_valid))
516
IsStillValid.__name__ = "IsStillValid"
517
518
837
# PropertyChanged - signal
519
@dbus.service.signal(_interface, signature="sv")
838
@dbus.service.signal(_interface, signature=u"sv")
520
839
def PropertyChanged(self, property, value):
521
840
"D-Bus signal"
522
841
pass
523
842
524
# SetChecker - method
525
@dbus.service.method(_interface, in_signature="s")
526
def SetChecker(self, checker):
527
"D-Bus setter method"
528
self.checker_command = checker
529
# Emit D-Bus signal
530
self.PropertyChanged(dbus.String(u"checker"),
531
dbus.String(self.checker_command,
532
variant_level=1))
533
534
# SetHost - method
535
@dbus.service.method(_interface, in_signature="s")
536
def SetHost(self, host):
537
"D-Bus setter method"
538
self.host = host
539
# Emit D-Bus signal
540
self.PropertyChanged(dbus.String(u"host"),
541
dbus.String(self.host, variant_level=1))
542
543
# SetInterval - method
544
@dbus.service.method(_interface, in_signature="t")
545
def SetInterval(self, milliseconds):
546
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
547
# Emit D-Bus signal
548
self.PropertyChanged(dbus.String(u"interval"),
549
(dbus.UInt64(self.interval_milliseconds(),
550
variant_level=1)))
551
552
# SetSecret - method
553
@dbus.service.method(_interface, in_signature="ay",
554
byte_arrays=True)
555
def SetSecret(self, secret):
556
"D-Bus setter method"
557
self.secret = str(secret)
558
559
# SetTimeout - method
560
@dbus.service.method(_interface, in_signature="t")
561
def SetTimeout(self, milliseconds):
562
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
563
# Emit D-Bus signal
564
self.PropertyChanged(dbus.String(u"timeout"),
565
(dbus.UInt64(self.timeout_milliseconds(),
566
variant_level=1)))
843
# GotSecret - signal
844
@dbus.service.signal(_interface)
845
def GotSecret(self):
846
"D-Bus signal"
847
pass
848
849
# Rejected - signal
850
@dbus.service.signal(_interface, signature=u"s")
851
def Rejected(self, reason):
852
"D-Bus signal"
853
pass
854
855
# NeedApproval - signal
856
@dbus.service.signal(_interface, signature=u"db")
857
def NeedApproval(self, timeout, default):
858
"D-Bus signal"
859
pass
860
861
## Methods
862
863
# Approve - method
864
@dbus.service.method(_interface, in_signature=u"b")
865
def Approve(self, value):
866
self.approve(value)
867
868
# CheckedOK - method
869
@dbus.service.method(_interface)
870
def CheckedOK(self):
871
return self.checked_ok()
567
872
568
873
# Enable - method
569
Enable = dbus.service.method(_interface)(enable)
570
Enable.__name__ = "Enable"
874
@dbus.service.method(_interface)
875
def Enable(self):
876
"D-Bus method"
877
self.enable()
571
878
572
879
# StartChecker - method
573
880
@dbus.service.method(_interface)
582
889
self.disable()
583
890
584
891
# StopChecker - method
585
StopChecker = dbus.service.method(_interface)(stop_checker)
586
StopChecker.__name__ = "StopChecker"
892
@dbus.service.method(_interface)
893
def StopChecker(self):
894
self.stop_checker()
895
896
## Properties
897
898
# xxx 3 new properties
899
900
# name - property
901
@dbus_service_property(_interface, signature=u"s", access=u"read")
902
def name_dbus_property(self):
903
return dbus.String(self.name)
904
905
# fingerprint - property
906
@dbus_service_property(_interface, signature=u"s", access=u"read")
907
def fingerprint_dbus_property(self):
908
return dbus.String(self.fingerprint)
909
910
# host - property
911
@dbus_service_property(_interface, signature=u"s",
912
access=u"readwrite")
913
def host_dbus_property(self, value=None):
914
if value is None: # get
915
return dbus.String(self.host)
916
self.host = value
917
# Emit D-Bus signal
918
self.PropertyChanged(dbus.String(u"host"),
919
dbus.String(value, variant_level=1))
920
921
# created - property
922
@dbus_service_property(_interface, signature=u"s", access=u"read")
923
def created_dbus_property(self):
924
return dbus.String(self._datetime_to_dbus(self.created))
925
926
# last_enabled - property
927
@dbus_service_property(_interface, signature=u"s", access=u"read")
928
def last_enabled_dbus_property(self):
929
if self.last_enabled is None:
930
return dbus.String(u"")
931
return dbus.String(self._datetime_to_dbus(self.last_enabled))
932
933
# enabled - property
934
@dbus_service_property(_interface, signature=u"b",
935
access=u"readwrite")
936
def enabled_dbus_property(self, value=None):
937
if value is None: # get
938
return dbus.Boolean(self.enabled)
939
if value:
940
self.enable()
941
else:
942
self.disable()
943
944
# last_checked_ok - property
945
@dbus_service_property(_interface, signature=u"s",
946
access=u"readwrite")
947
def last_checked_ok_dbus_property(self, value=None):
948
if value is not None:
949
self.checked_ok()
950
return
951
if self.last_checked_ok is None:
952
return dbus.String(u"")
953
return dbus.String(self._datetime_to_dbus(self
954
.last_checked_ok))
955
956
# timeout - property
957
@dbus_service_property(_interface, signature=u"t",
958
access=u"readwrite")
959
def timeout_dbus_property(self, value=None):
960
if value is None: # get
961
return dbus.UInt64(self.timeout_milliseconds())
962
self.timeout = datetime.timedelta(0, 0, 0, value)
963
# Emit D-Bus signal
964
self.PropertyChanged(dbus.String(u"timeout"),
965
dbus.UInt64(value, variant_level=1))
966
if getattr(self, u"disable_initiator_tag", None) is None:
967
return
968
# Reschedule timeout
969
gobject.source_remove(self.disable_initiator_tag)
970
self.disable_initiator_tag = None
971
time_to_die = (self.
972
_timedelta_to_milliseconds((self
973
.last_checked_ok
974
+ self.timeout)
975
- datetime.datetime
976
.utcnow()))
977
if time_to_die <= 0:
978
# The timeout has passed
979
self.disable()
980
else:
981
self.disable_initiator_tag = (gobject.timeout_add
982
(time_to_die, self.disable))
983
984
# interval - property
985
@dbus_service_property(_interface, signature=u"t",
986
access=u"readwrite")
987
def interval_dbus_property(self, value=None):
988
if value is None: # get
989
return dbus.UInt64(self.interval_milliseconds())
990
self.interval = datetime.timedelta(0, 0, 0, value)
991
# Emit D-Bus signal
992
self.PropertyChanged(dbus.String(u"interval"),
993
dbus.UInt64(value, variant_level=1))
994
if getattr(self, u"checker_initiator_tag", None) is None:
995
return
996
# Reschedule checker run
997
gobject.source_remove(self.checker_initiator_tag)
998
self.checker_initiator_tag = (gobject.timeout_add
999
(value, self.start_checker))
1000
self.start_checker() # Start one now, too
1001
1002
# checker - property
1003
@dbus_service_property(_interface, signature=u"s",
1004
access=u"readwrite")
1005
def checker_dbus_property(self, value=None):
1006
if value is None: # get
1007
return dbus.String(self.checker_command)
1008
self.checker_command = value
1009
# Emit D-Bus signal
1010
self.PropertyChanged(dbus.String(u"checker"),
1011
dbus.String(self.checker_command,
1012
variant_level=1))
1013
1014
# checker_running - property
1015
@dbus_service_property(_interface, signature=u"b",
1016
access=u"readwrite")
1017
def checker_running_dbus_property(self, value=None):
1018
if value is None: # get
1019
return dbus.Boolean(self.checker is not None)
1020
if value:
1021
self.start_checker()
1022
else:
1023
self.stop_checker()
1024
1025
# object_path - property
1026
@dbus_service_property(_interface, signature=u"o", access=u"read")
1027
def object_path_dbus_property(self):
1028
return self.dbus_object_path # is already a dbus.ObjectPath
1029
1030
# secret = property
1031
@dbus_service_property(_interface, signature=u"ay",
1032
access=u"write", byte_arrays=True)
1033
def secret_dbus_property(self, value):
1034
self.secret = str(value)
587
1035
588
1036
del _interface
589
1037
590
1038
591
def peer_certificate(session):
592
"Return the peer's OpenPGP certificate as a bytestring"
593
# If not an OpenPGP certificate...
594
if (gnutls.library.functions
595
.gnutls_certificate_type_get(session._c_object)
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
597
# ...do the normal thing
598
return session.peer_certificate
599
list_size = ctypes.c_uint(1)
600
cert_list = (gnutls.library.functions
601
.gnutls_certificate_get_peers
602
(session._c_object, ctypes.byref(list_size)))
603
if not bool(cert_list) and list_size.value != 0:
604
raise gnutls.errors.GNUTLSError("error getting peer"
605
" certificate")
606
if list_size.value == 0:
607
return None
608
cert = cert_list[0]
609
return ctypes.string_at(cert.data, cert.size)
610
611
612
def fingerprint(openpgp):
613
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
614
# New GnuTLS "datum" with the OpenPGP public key
615
datum = (gnutls.library.types
616
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
617
ctypes.POINTER
618
(ctypes.c_ubyte)),
619
ctypes.c_uint(len(openpgp))))
620
# New empty GnuTLS certificate
621
crt = gnutls.library.types.gnutls_openpgp_crt_t()
622
(gnutls.library.functions
623
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
624
# Import the OpenPGP public key into the certificate
625
(gnutls.library.functions
626
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
627
gnutls.library.constants
628
.GNUTLS_OPENPGP_FMT_RAW))
629
# Verify the self signature in the key
630
crtverify = ctypes.c_uint()
631
(gnutls.library.functions
632
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
633
if crtverify.value != 0:
634
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
635
raise gnutls.errors.CertificateSecurityError("Verify failed")
636
# New buffer for the fingerprint
637
buf = ctypes.create_string_buffer(20)
638
buf_len = ctypes.c_size_t()
639
# Get the fingerprint from the certificate into the buffer
640
(gnutls.library.functions
641
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
642
ctypes.byref(buf_len)))
643
# Deinit the certificate
644
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
645
# Convert the buffer to a Python bytestring
646
fpr = ctypes.string_at(buf, buf_len.value)
647
# Convert the bytestring to hexadecimal notation
648
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
649
return hex_fpr
650
651
652
class TCP_handler(SocketServer.BaseRequestHandler, object):
653
"""A TCP request handler class.
654
Instantiated by IPv6_TCPServer for each request to handle it.
1039
class ProxyClient(object):
1040
def __init__(self, child_pipe, fpr, address):
1041
self._pipe = child_pipe
1042
self._pipe.send(('init', fpr, address))
1043
if not self._pipe.recv():
1044
raise KeyError()
1045
1046
def __getattribute__(self, name):
1047
if(name == '_pipe'):
1048
return super(ProxyClient, self).__getattribute__(name)
1049
self._pipe.send(('getattr', name))
1050
data = self._pipe.recv()
1051
if data[0] == 'data':
1052
return data[1]
1053
if data[0] == 'function':
1054
def func(*args, **kwargs):
1055
self._pipe.send(('funcall', name, args, kwargs))
1056
return self._pipe.recv()[1]
1057
return func
1058
1059
def __setattr__(self, name, value):
1060
if(name == '_pipe'):
1061
return super(ProxyClient, self).__setattr__(name, value)
1062
self._pipe.send(('setattr', name, value))
1063
1064
1065
class ClientHandler(socketserver.BaseRequestHandler, object):
1066
"""A class to handle client connections.
1067
1068
Instantiated once for each connection to handle it.
655
1069
Note: This will run in its own forked process."""
656
1070
657
1071
def handle(self):
658
logger.info(u"TCP connection from: %s",
659
unicode(self.client_address))
660
session = (gnutls.connection
661
.ClientSession(self.request,
662
gnutls.connection
663
.X509Credentials()))
664
665
line = self.request.makefile().readline()
666
logger.debug(u"Protocol version: %r", line)
667
try:
668
if int(line.strip().split()[0]) > 1:
669
raise RuntimeError
670
except (ValueError, IndexError, RuntimeError), error:
671
logger.error(u"Unknown protocol version: %s", error)
672
return
673
674
# Note: gnutls.connection.X509Credentials is really a generic
675
# GnuTLS certificate credentials object so long as no X.509
676
# keys are added to it. Therefore, we can use it here despite
677
# using OpenPGP certificates.
678
679
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
680
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
681
# "+DHE-DSS"))
682
# Use a fallback default, since this MUST be set.
683
priority = self.server.settings.get("priority", "NORMAL")
684
(gnutls.library.functions
685
.gnutls_priority_set_direct(session._c_object,
686
priority, None))
687
688
try:
689
session.handshake()
690
except gnutls.errors.GNUTLSError, error:
691
logger.warning(u"Handshake failed: %s", error)
692
# Do not run session.bye() here: the session is not
693
# established. Just abandon the request.
694
return
695
logger.debug(u"Handshake succeeded")
696
try:
697
fpr = fingerprint(peer_certificate(session))
698
except (TypeError, gnutls.errors.GNUTLSError), error:
699
logger.warning(u"Bad certificate: %s", error)
700
session.bye()
701
return
702
logger.debug(u"Fingerprint: %s", fpr)
703
704
for c in self.server.clients:
705
if c.fingerprint == fpr:
706
client = c
707
break
708
else:
709
logger.warning(u"Client not found for fingerprint: %s",
710
fpr)
711
session.bye()
712
return
713
# Have to check if client.still_valid(), since it is possible
714
# that the client timed out while establishing the GnuTLS
715
# session.
716
if not client.still_valid():
717
logger.warning(u"Client %(name)s is invalid",
718
vars(client))
719
session.bye()
720
return
721
## This won't work here, since we're in a fork.
722
# client.checked_ok()
723
sent_size = 0
724
while sent_size < len(client.secret):
725
sent = session.send(client.secret[sent_size:])
726
logger.debug(u"Sent: %d, remaining: %d",
727
sent, len(client.secret)
728
- (sent_size + sent))
729
sent_size += sent
730
session.bye()
731
732
733
class IPv6_TCPServer(SocketServer.ForkingMixIn,
734
SocketServer.TCPServer, object):
735
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1072
with contextlib.closing(self.server.child_pipe) as child_pipe:
1073
logger.info(u"TCP connection from: %s",
1074
unicode(self.client_address))
1075
logger.debug(u"Pipe FD: %d",
1076
self.server.child_pipe.fileno())
1077
1078
session = (gnutls.connection
1079
.ClientSession(self.request,
1080
gnutls.connection
1081
.X509Credentials()))
1082
1083
# Note: gnutls.connection.X509Credentials is really a
1084
# generic GnuTLS certificate credentials object so long as
1085
# no X.509 keys are added to it. Therefore, we can use it
1086
# here despite using OpenPGP certificates.
1087
1088
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1089
# u"+AES-256-CBC", u"+SHA1",
1090
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1091
# u"+DHE-DSS"))
1092
# Use a fallback default, since this MUST be set.
1093
priority = self.server.gnutls_priority
1094
if priority is None:
1095
priority = u"NORMAL"
1096
(gnutls.library.functions
1097
.gnutls_priority_set_direct(session._c_object,
1098
priority, None))
1099
1100
# Start communication using the Mandos protocol
1101
# Get protocol number
1102
line = self.request.makefile().readline()
1103
logger.debug(u"Protocol version: %r", line)
1104
try:
1105
if int(line.strip().split()[0]) > 1:
1106
raise RuntimeError
1107
except (ValueError, IndexError, RuntimeError), error:
1108
logger.error(u"Unknown protocol version: %s", error)
1109
return
1110
1111
# Start GnuTLS connection
1112
try:
1113
session.handshake()
1114
except gnutls.errors.GNUTLSError, error:
1115
logger.warning(u"Handshake failed: %s", error)
1116
# Do not run session.bye() here: the session is not
1117
# established. Just abandon the request.
1118
return
1119
logger.debug(u"Handshake succeeded")
1120
try:
1121
try:
1122
fpr = self.fingerprint(self.peer_certificate
1123
(session))
1124
except (TypeError, gnutls.errors.GNUTLSError), error:
1125
logger.warning(u"Bad certificate: %s", error)
1126
return
1127
logger.debug(u"Fingerprint: %s", fpr)
1128
1129
try:
1130
client = ProxyClient(child_pipe, fpr,
1131
self.client_address)
1132
except KeyError:
1133
return
1134
1135
delay = client.approved_delay
1136
while True:
1137
if not client.enabled:
1138
logger.warning(u"Client %s is disabled",
1139
client.name)
1140
if self.server.use_dbus:
1141
# Emit D-Bus signal
1142
client.Rejected("Disabled")
1143
return
1144
if client._approved is None:
1145
logger.info(u"Client %s need approval",
1146
client.name)
1147
if self.server.use_dbus:
1148
# Emit D-Bus signal
1149
client.NeedApproval(
1150
client.approved_delay_milliseconds(),
1151
client.approved_by_default)
1152
elif client._approved:
1153
#We have a password and are approved
1154
break
1155
else:
1156
logger.warning(u"Client %s was not approved",
1157
client.name)
1158
if self.server.use_dbus:
1159
# Emit D-Bus signal
1160
client.Rejected("Disapproved")
1161
return
1162
1163
#wait until timeout or approved
1164
#x = float(client._timedelta_to_milliseconds(delay))
1165
time = datetime.datetime.now()
1166
client.changedstate.acquire()
1167
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1168
client.changedstate.release()
1169
time2 = datetime.datetime.now()
1170
if (time2 - time) >= delay:
1171
if not client.approved_by_default:
1172
logger.warning("Client %s timed out while"
1173
" waiting for approval",
1174
client.name)
1175
if self.server.use_dbus:
1176
# Emit D-Bus signal
1177
client.Rejected("Time out")
1178
return
1179
else:
1180
break
1181
else:
1182
delay -= time2 - time
1183
1184
sent_size = 0
1185
while sent_size < len(client.secret):
1186
# XXX handle session exception
1187
sent = session.send(client.secret[sent_size:])
1188
logger.debug(u"Sent: %d, remaining: %d",
1189
sent, len(client.secret)
1190
- (sent_size + sent))
1191
sent_size += sent
1192
1193
logger.info(u"Sending secret to %s", client.name)
1194
# bump the timeout as if seen
1195
client.checked_ok()
1196
if self.server.use_dbus:
1197
# Emit D-Bus signal
1198
client.GotSecret()
1199
1200
finally:
1201
session.bye()
1202
1203
@staticmethod
1204
def peer_certificate(session):
1205
"Return the peer's OpenPGP certificate as a bytestring"
1206
# If not an OpenPGP certificate...
1207
if (gnutls.library.functions
1208
.gnutls_certificate_type_get(session._c_object)
1209
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1210
# ...do the normal thing
1211
return session.peer_certificate
1212
list_size = ctypes.c_uint(1)
1213
cert_list = (gnutls.library.functions
1214
.gnutls_certificate_get_peers
1215
(session._c_object, ctypes.byref(list_size)))
1216
if not bool(cert_list) and list_size.value != 0:
1217
raise gnutls.errors.GNUTLSError(u"error getting peer"
1218
u" certificate")
1219
if list_size.value == 0:
1220
return None
1221
cert = cert_list[0]
1222
return ctypes.string_at(cert.data, cert.size)
1223
1224
@staticmethod
1225
def fingerprint(openpgp):
1226
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1227
# New GnuTLS "datum" with the OpenPGP public key
1228
datum = (gnutls.library.types
1229
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1230
ctypes.POINTER
1231
(ctypes.c_ubyte)),
1232
ctypes.c_uint(len(openpgp))))
1233
# New empty GnuTLS certificate
1234
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1235
(gnutls.library.functions
1236
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1237
# Import the OpenPGP public key into the certificate
1238
(gnutls.library.functions
1239
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1240
gnutls.library.constants
1241
.GNUTLS_OPENPGP_FMT_RAW))
1242
# Verify the self signature in the key
1243
crtverify = ctypes.c_uint()
1244
(gnutls.library.functions
1245
.gnutls_openpgp_crt_verify_self(crt, 0,
1246
ctypes.byref(crtverify)))
1247
if crtverify.value != 0:
1248
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1249
raise (gnutls.errors.CertificateSecurityError
1250
(u"Verify failed"))
1251
# New buffer for the fingerprint
1252
buf = ctypes.create_string_buffer(20)
1253
buf_len = ctypes.c_size_t()
1254
# Get the fingerprint from the certificate into the buffer
1255
(gnutls.library.functions
1256
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1257
ctypes.byref(buf_len)))
1258
# Deinit the certificate
1259
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1260
# Convert the buffer to a Python bytestring
1261
fpr = ctypes.string_at(buf, buf_len.value)
1262
# Convert the bytestring to hexadecimal notation
1263
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1264
return hex_fpr
1265
1266
1267
class MultiprocessingMixIn(object):
1268
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1269
def sub_process_main(self, request, address):
1270
try:
1271
self.finish_request(request, address)
1272
except:
1273
self.handle_error(request, address)
1274
self.close_request(request)
1275
1276
def process_request(self, request, address):
1277
"""Start a new process to process the request."""
1278
multiprocessing.Process(target = self.sub_process_main,
1279
args = (request, address)).start()
1280
1281
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1282
""" adds a pipe to the MixIn """
1283
def process_request(self, request, client_address):
1284
"""Overrides and wraps the original process_request().
1285
1286
This function creates a new pipe in self.pipe
1287
"""
1288
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1289
1290
super(MultiprocessingMixInWithPipe,
1291
self).process_request(request, client_address)
1292
self.add_pipe(parent_pipe)
1293
def add_pipe(self, parent_pipe):
1294
"""Dummy function; override as necessary"""
1295
pass
1296
1297
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1298
socketserver.TCPServer, object):
1299
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1300
736
1301
Attributes:
737
settings: Server settings
738
clients: Set() of Client objects
739
1302
enabled: Boolean; whether this server is activated yet
1303
interface: None or a network interface name (string)
1304
use_ipv6: Boolean; to use IPv6 or not
740
1305
"""
741
address_family = socket.AF_INET6
742
def __init__(self, *args, **kwargs):
743
if "settings" in kwargs:
744
self.settings = kwargs["settings"]
745
del kwargs["settings"]
746
if "clients" in kwargs:
747
self.clients = kwargs["clients"]
748
del kwargs["clients"]
749
self.enabled = False
750
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1306
def __init__(self, server_address, RequestHandlerClass,
1307
interface=None, use_ipv6=True):
1308
self.interface = interface
1309
if use_ipv6:
1310
self.address_family = socket.AF_INET6
1311
socketserver.TCPServer.__init__(self, server_address,
1312
RequestHandlerClass)
751
1313
def server_bind(self):
752
1314
"""This overrides the normal server_bind() function
753
1315
to bind to an interface if one was specified, and also NOT to
754
1316
bind to an address or port if they were not specified."""
755
if self.settings["interface"]:
756
# 25 is from /usr/include/asm-i486/socket.h
757
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
758
try:
759
self.socket.setsockopt(socket.SOL_SOCKET,
760
SO_BINDTODEVICE,
761
self.settings["interface"])
762
except socket.error, error:
763
if error[0] == errno.EPERM:
764
logger.error(u"No permission to"
765
u" bind to interface %s",
766
self.settings["interface"])
767
else:
768
raise
1317
if self.interface is not None:
1318
if SO_BINDTODEVICE is None:
1319
logger.error(u"SO_BINDTODEVICE does not exist;"
1320
u" cannot bind to interface %s",
1321
self.interface)
1322
else:
1323
try:
1324
self.socket.setsockopt(socket.SOL_SOCKET,
1325
SO_BINDTODEVICE,
1326
str(self.interface
1327
+ u'\0'))
1328
except socket.error, error:
1329
if error[0] == errno.EPERM:
1330
logger.error(u"No permission to"
1331
u" bind to interface %s",
1332
self.interface)
1333
elif error[0] == errno.ENOPROTOOPT:
1334
logger.error(u"SO_BINDTODEVICE not available;"
1335
u" cannot bind to interface %s",
1336
self.interface)
1337
else:
1338
raise
769
1339
# Only bind(2) the socket if we really need to.
770
1340
if self.server_address[0] or self.server_address[1]:
771
1341
if not self.server_address[0]:
772
in6addr_any = "::"
773
self.server_address = (in6addr_any,
1342
if self.address_family == socket.AF_INET6:
1343
any_address = u"::" # in6addr_any
1344
else:
1345
any_address = socket.INADDR_ANY
1346
self.server_address = (any_address,
774
1347
self.server_address[1])
775
1348
elif not self.server_address[1]:
776
1349
self.server_address = (self.server_address[0],
777
1350
0)
778
# if self.settings["interface"]:
1351
# if self.interface:
779
1352
# self.server_address = (self.server_address[0],
780
1353
# 0, # port
781
1354
# 0, # flowinfo
782
1355
# if_nametoindex
783
# (self.settings
784
# ["interface"]))
785
return super(IPv6_TCPServer, self).server_bind()
1356
# (self.interface))
1357
return socketserver.TCPServer.server_bind(self)
1358
1359
1360
class MandosServer(IPv6_TCPServer):
1361
"""Mandos server.
1362
1363
Attributes:
1364
clients: set of Client objects
1365
gnutls_priority GnuTLS priority string
1366
use_dbus: Boolean; to emit D-Bus signals or not
1367
1368
Assumes a gobject.MainLoop event loop.
1369
"""
1370
def __init__(self, server_address, RequestHandlerClass,
1371
interface=None, use_ipv6=True, clients=None,
1372
gnutls_priority=None, use_dbus=True):
1373
self.enabled = False
1374
self.clients = clients
1375
if self.clients is None:
1376
self.clients = set()
1377
self.use_dbus = use_dbus
1378
self.gnutls_priority = gnutls_priority
1379
IPv6_TCPServer.__init__(self, server_address,
1380
RequestHandlerClass,
1381
interface = interface,
1382
use_ipv6 = use_ipv6)
786
1383
def server_activate(self):
787
1384
if self.enabled:
788
return super(IPv6_TCPServer, self).server_activate()
1385
return socketserver.TCPServer.server_activate(self)
789
1386
def enable(self):
790
1387
self.enabled = True
1388
def add_pipe(self, parent_pipe):
1389
# Call "handle_ipc" for both data and EOF events
1390
gobject.io_add_watch(parent_pipe.fileno(),
1391
gobject.IO_IN | gobject.IO_HUP,
1392
functools.partial(self.handle_ipc,
1393
parent_pipe = parent_pipe))
1394
1395
def handle_ipc(self, source, condition, parent_pipe=None,
1396
client_object=None):
1397
condition_names = {
1398
gobject.IO_IN: u"IN", # There is data to read.
1399
gobject.IO_OUT: u"OUT", # Data can be written (without
1400
# blocking).
1401
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1402
gobject.IO_ERR: u"ERR", # Error condition.
1403
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1404
# broken, usually for pipes and
1405
# sockets).
1406
}
1407
conditions_string = ' | '.join(name
1408
for cond, name in
1409
condition_names.iteritems()
1410
if cond & condition)
1411
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1412
conditions_string)
1413
1414
# Read a request from the child
1415
request = parent_pipe.recv()
1416
command = request[0]
1417
1418
if command == 'init':
1419
fpr = request[1]
1420
address = request[2]
1421
1422
for c in self.clients:
1423
if c.fingerprint == fpr:
1424
client = c
1425
break
1426
else:
1427
logger.warning(u"Client not found for fingerprint: %s, ad"
1428
u"dress: %s", fpr, address)
1429
if self.use_dbus:
1430
# Emit D-Bus signal
1431
mandos_dbus_service.ClientNotFound(fpr, address)
1432
parent_pipe.send(False)
1433
return False
1434
1435
gobject.io_add_watch(parent_pipe.fileno(),
1436
gobject.IO_IN | gobject.IO_HUP,
1437
functools.partial(self.handle_ipc,
1438
parent_pipe = parent_pipe,
1439
client_object = client))
1440
parent_pipe.send(True)
1441
# remove the old hook in favor of the new above hook on same fileno
1442
return False
1443
if command == 'funcall':
1444
funcname = request[1]
1445
args = request[2]
1446
kwargs = request[3]
1447
1448
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1449
1450
if command == 'getattr':
1451
attrname = request[1]
1452
if callable(client_object.__getattribute__(attrname)):
1453
parent_pipe.send(('function',))
1454
else:
1455
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1456
1457
if command == 'setattr':
1458
attrname = request[1]
1459
value = request[2]
1460
setattr(client_object, attrname, value)
1461
1462
return True
791
1463
792
1464
793
1465
def string_to_delta(interval):
794
1466
"""Parse a string and return a datetime.timedelta
795
1467
796
>>> string_to_delta('7d')
1468
>>> string_to_delta(u'7d')
797
1469
datetime.timedelta(7)
798
>>> string_to_delta('60s')
1470
>>> string_to_delta(u'60s')
799
1471
datetime.timedelta(0, 60)
800
>>> string_to_delta('60m')
1472
>>> string_to_delta(u'60m')
801
1473
datetime.timedelta(0, 3600)
802
>>> string_to_delta('24h')
1474
>>> string_to_delta(u'24h')
803
1475
datetime.timedelta(1)
804
1476
>>> string_to_delta(u'1w')
805
1477
datetime.timedelta(7)
806
>>> string_to_delta('5m 30s')
1478
>>> string_to_delta(u'5m 30s')
807
1479
datetime.timedelta(0, 330)
808
1480
"""
809
1481
timevalue = datetime.timedelta(0)
822
1494
elif suffix == u"w":
823
1495
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
824
1496
else:
825
raise ValueError
826
except (ValueError, IndexError):
827
raise ValueError
1497
raise ValueError(u"Unknown suffix %r" % suffix)
1498
except (ValueError, IndexError), e:
1499
raise ValueError(e.message)
828
1500
timevalue += delta
829
1501
return timevalue
830
1502
831
1503
832
def server_state_changed(state):
833
"""Derived from the Avahi example code"""
834
if state == avahi.SERVER_COLLISION:
835
logger.error(u"Zeroconf server name collision")
836
service.remove()
837
elif state == avahi.SERVER_RUNNING:
838
service.add()
839
840
841
def entry_group_state_changed(state, error):
842
"""Derived from the Avahi example code"""
843
logger.debug(u"Avahi state change: %i", state)
844
845
if state == avahi.ENTRY_GROUP_ESTABLISHED:
846
logger.debug(u"Zeroconf service established.")
847
elif state == avahi.ENTRY_GROUP_COLLISION:
848
logger.warning(u"Zeroconf service name collision.")
849
service.rename()
850
elif state == avahi.ENTRY_GROUP_FAILURE:
851
logger.critical(u"Avahi: Error in group state changed %s",
852
unicode(error))
853
raise AvahiGroupError(u"State changed: %s" % unicode(error))
854
855
1504
def if_nametoindex(interface):
856
"""Call the C function if_nametoindex(), or equivalent"""
1505
"""Call the C function if_nametoindex(), or equivalent
1506
1507
Note: This function cannot accept a unicode string."""
857
1508
global if_nametoindex
858
1509
try:
859
1510
if_nametoindex = (ctypes.cdll.LoadLibrary
860
(ctypes.util.find_library("c"))
1511
(ctypes.util.find_library(u"c"))
861
1512
.if_nametoindex)
862
1513
except (OSError, AttributeError):
863
if "struct" not in sys.modules:
864
import struct
865
if "fcntl" not in sys.modules:
866
import fcntl
1514
logger.warning(u"Doing if_nametoindex the hard way")
867
1515
def if_nametoindex(interface):
868
1516
"Get an interface index the hard way, i.e. using fcntl()"
869
1517
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
870
with closing(socket.socket()) as s:
1518
with contextlib.closing(socket.socket()) as s:
871
1519
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
872
struct.pack("16s16x", interface))
873
interface_index = struct.unpack("I", ifreq[16:20])[0]
1520
struct.pack(str(u"16s16x"),
1521
interface))
1522
interface_index = struct.unpack(str(u"I"),
1523
ifreq[16:20])[0]
874
1524
return interface_index
875
1525
return if_nametoindex(interface)
876
1526
877
1527
878
1528
def daemon(nochdir = False, noclose = False):
879
1529
"""See daemon(3). Standard BSD Unix function.
1530
880
1531
This should really exist as os.daemon, but it doesn't (yet)."""
881
1532
if os.fork():
882
1533
sys.exit()
883
1534
os.setsid()
884
1535
if not nochdir:
885
os.chdir("/")
1536
os.chdir(u"/")
886
1537
if os.fork():
887
1538
sys.exit()
888
1539
if not noclose:
890
1541
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
891
1542
if not stat.S_ISCHR(os.fstat(null).st_mode):
892
1543
raise OSError(errno.ENODEV,
893
"/dev/null not a character device")
1544
u"%s not a character device"
1545
% os.path.devnull)
894
1546
os.dup2(null, sys.stdin.fileno())
895
1547
os.dup2(null, sys.stdout.fileno())
896
1548
os.dup2(null, sys.stderr.fileno())
899
1551
900
1552
901
1553
def main():
1554
1555
##################################################################
1556
# Parsing of options, both command line and config file
1557
902
1558
parser = optparse.OptionParser(version = "%%prog %s" % version)
903
parser.add_option("-i", "--interface", type="string",
904
metavar="IF", help="Bind to interface IF")
905
parser.add_option("-a", "--address", type="string",
906
help="Address to listen for requests on")
907
parser.add_option("-p", "--port", type="int",
908
help="Port number to receive requests on")
909
parser.add_option("--check", action="store_true",
910
help="Run self-test")
911
parser.add_option("--debug", action="store_true",
912
help="Debug mode; run in foreground and log to"
913
" terminal")
914
parser.add_option("--priority", type="string", help="GnuTLS"
915
" priority string (see GnuTLS documentation)")
916
parser.add_option("--servicename", type="string", metavar="NAME",
917
help="Zeroconf service name")
918
parser.add_option("--configdir", type="string",
919
default="/etc/mandos", metavar="DIR",
920
help="Directory to search for configuration"
921
" files")
922
parser.add_option("--no-dbus", action="store_false",
923
dest="use_dbus",
924
help="Do not provide D-Bus system bus"
925
" interface")
1559
parser.add_option("-i", u"--interface", type=u"string",
1560
metavar="IF", help=u"Bind to interface IF")
1561
parser.add_option("-a", u"--address", type=u"string",
1562
help=u"Address to listen for requests on")
1563
parser.add_option("-p", u"--port", type=u"int",
1564
help=u"Port number to receive requests on")
1565
parser.add_option("--check", action=u"store_true",
1566
help=u"Run self-test")
1567
parser.add_option("--debug", action=u"store_true",
1568
help=u"Debug mode; run in foreground and log to"
1569
u" terminal")
1570
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1571
u" priority string (see GnuTLS documentation)")
1572
parser.add_option("--servicename", type=u"string",
1573
metavar=u"NAME", help=u"Zeroconf service name")
1574
parser.add_option("--configdir", type=u"string",
1575
default=u"/etc/mandos", metavar=u"DIR",
1576
help=u"Directory to search for configuration"
1577
u" files")
1578
parser.add_option("--no-dbus", action=u"store_false",
1579
dest=u"use_dbus", help=u"Do not provide D-Bus"
1580
u" system bus interface")
1581
parser.add_option("--no-ipv6", action=u"store_false",
1582
dest=u"use_ipv6", help=u"Do not use IPv6")
926
1583
options = parser.parse_args()[0]
927
1584
928
1585
if options.check:
931
1588
sys.exit()
932
1589
933
1590
# Default values for config file for server-global settings
934
server_defaults = { "interface": "",
935
"address": "",
936
"port": "",
937
"debug": "False",
938
"priority":
939
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
940
"servicename": "Mandos",
941
"use_dbus": "True",
1591
server_defaults = { u"interface": u"",
1592
u"address": u"",
1593
u"port": u"",
1594
u"debug": u"False",
1595
u"priority":
1596
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1597
u"servicename": u"Mandos",
1598
u"use_dbus": u"True",
1599
u"use_ipv6": u"True",
942
1600
}
943
1601
944
1602
# Parse config file for server-global settings
945
server_config = ConfigParser.SafeConfigParser(server_defaults)
1603
server_config = configparser.SafeConfigParser(server_defaults)
946
1604
del server_defaults
947
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1605
server_config.read(os.path.join(options.configdir,
1606
u"mandos.conf"))
948
1607
# Convert the SafeConfigParser object to a dict
949
1608
server_settings = server_config.defaults()
950
1609
# Use the appropriate methods on the non-string config options
951
server_settings["debug"] = server_config.getboolean("DEFAULT",
952
"debug")
953
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
954
"use_dbus")
1610
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1611
server_settings[option] = server_config.getboolean(u"DEFAULT",
1612
option)
955
1613
if server_settings["port"]:
956
server_settings["port"] = server_config.getint("DEFAULT",
957
"port")
1614
server_settings["port"] = server_config.getint(u"DEFAULT",
1615
u"port")
958
1616
del server_config
959
1617
960
1618
# Override the settings from the config file with command line
961
1619
# options, if set.
962
for option in ("interface", "address", "port", "debug",
963
"priority", "servicename", "configdir",
964
"use_dbus"):
1620
for option in (u"interface", u"address", u"port", u"debug",
1621
u"priority", u"servicename", u"configdir",
1622
u"use_dbus", u"use_ipv6"):
965
1623
value = getattr(options, option)
966
1624
if value is not None:
967
1625
server_settings[option] = value
968
1626
del options
1627
# Force all strings to be unicode
1628
for option in server_settings.keys():
1629
if type(server_settings[option]) is str:
1630
server_settings[option] = unicode(server_settings[option])
969
1631
# Now we have our good server settings in "server_settings"
970
1632
1633
##################################################################
1634
971
1635
# For convenience
972
debug = server_settings["debug"]
973
use_dbus = server_settings["use_dbus"]
1636
debug = server_settings[u"debug"]
1637
use_dbus = server_settings[u"use_dbus"]
1638
use_ipv6 = server_settings[u"use_ipv6"]
974
1639
975
1640
if not debug:
976
1641
syslogger.setLevel(logging.WARNING)
977
1642
console.setLevel(logging.WARNING)
978
1643
979
if server_settings["servicename"] != "Mandos":
1644
if server_settings[u"servicename"] != u"Mandos":
980
1645
syslogger.setFormatter(logging.Formatter
981
('Mandos (%s): %%(levelname)s:'
982
' %%(message)s'
983
% server_settings["servicename"]))
1646
(u'Mandos (%s) [%%(process)d]:'
1647
u' %%(levelname)s: %%(message)s'
1648
% server_settings[u"servicename"]))
984
1649
985
1650
# Parse config file with clients
986
client_defaults = { "timeout": "1h",
987
"interval": "5m",
988
"checker": "fping -q -- %%(host)s",
989
"host": "",
1651
client_defaults = { u"timeout": u"1h",
1652
u"interval": u"5m",
1653
u"checker": u"fping -q -- %%(host)s",
1654
u"host": u"",
1655
u"approved_delay": u"5m",
1656
u"approved_duration": u"1s",
990
1657
}
991
client_config = ConfigParser.SafeConfigParser(client_defaults)
992
client_config.read(os.path.join(server_settings["configdir"],
993
"clients.conf"))
994
995
clients = Set()
996
tcp_server = IPv6_TCPServer((server_settings["address"],
997
server_settings["port"]),
998
TCP_handler,
999
settings=server_settings,
1000
clients=clients)
1001
pidfilename = "/var/run/mandos.pid"
1658
client_config = configparser.SafeConfigParser(client_defaults)
1659
client_config.read(os.path.join(server_settings[u"configdir"],
1660
u"clients.conf"))
1661
1662
global mandos_dbus_service
1663
mandos_dbus_service = None
1664
1665
tcp_server = MandosServer((server_settings[u"address"],
1666
server_settings[u"port"]),
1667
ClientHandler,
1668
interface=server_settings[u"interface"],
1669
use_ipv6=use_ipv6,
1670
gnutls_priority=
1671
server_settings[u"priority"],
1672
use_dbus=use_dbus)
1673
pidfilename = u"/var/run/mandos.pid"
1002
1674
try:
1003
pidfile = open(pidfilename, "w")
1675
pidfile = open(pidfilename, u"w")
1004
1676
except IOError:
1005
logger.error("Could not open file %r", pidfilename)
1677
logger.error(u"Could not open file %r", pidfilename)
1006
1678
1007
1679
try:
1008
uid = pwd.getpwnam("_mandos").pw_uid
1009
gid = pwd.getpwnam("_mandos").pw_gid
1680
uid = pwd.getpwnam(u"_mandos").pw_uid
1681
gid = pwd.getpwnam(u"_mandos").pw_gid
1010
1682
except KeyError:
1011
1683
try:
1012
uid = pwd.getpwnam("mandos").pw_uid
1013
gid = pwd.getpwnam("mandos").pw_gid
1684
uid = pwd.getpwnam(u"mandos").pw_uid
1685
gid = pwd.getpwnam(u"mandos").pw_gid
1014
1686
except KeyError:
1015
1687
try:
1016
uid = pwd.getpwnam("nobody").pw_uid
1017
gid = pwd.getpwnam("nogroup").pw_gid
1688
uid = pwd.getpwnam(u"nobody").pw_uid
1689
gid = pwd.getpwnam(u"nobody").pw_gid
1018
1690
except KeyError:
1019
1691
uid = 65534
1020
1692
gid = 65534
1033
1705
1034
1706
@gnutls.library.types.gnutls_log_func
1035
1707
def debug_gnutls(level, string):
1036
logger.debug("GnuTLS: %s", string[:-1])
1708
logger.debug(u"GnuTLS: %s", string[:-1])
1037
1709
1038
1710
(gnutls.library.functions
1039
1711
.gnutls_global_set_log_function(debug_gnutls))
1040
1712
1041
global service
1042
service = AvahiService(name = server_settings["servicename"],
1043
servicetype = "_mandos._tcp", )
1044
if server_settings["interface"]:
1045
service.interface = (if_nametoindex
1046
(server_settings["interface"]))
1047
1048
1713
global main_loop
1049
global bus
1050
global server
1051
1714
# From the Avahi example code
1052
1715
DBusGMainLoop(set_as_default=True )
1053
1716
main_loop = gobject.MainLoop()
1054
1717
bus = dbus.SystemBus()
1055
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1056
avahi.DBUS_PATH_SERVER),
1057
avahi.DBUS_INTERFACE_SERVER)
1058
1718
# End of Avahi example code
1059
1719
if use_dbus:
1060
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1061
1062
clients.update(Set(Client(name = section,
1063
config
1064
= dict(client_config.items(section)),
1065
use_dbus = use_dbus)
1066
for section in client_config.sections()))
1067
if not clients:
1720
try:
1721
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1722
bus, do_not_queue=True)
1723
except dbus.exceptions.NameExistsException, e:
1724
logger.error(unicode(e) + u", disabling D-Bus")
1725
use_dbus = False
1726
server_settings[u"use_dbus"] = False
1727
tcp_server.use_dbus = False
1728
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1729
service = AvahiService(name = server_settings[u"servicename"],
1730
servicetype = u"_mandos._tcp",
1731
protocol = protocol, bus = bus)
1732
if server_settings["interface"]:
1733
service.interface = (if_nametoindex
1734
(str(server_settings[u"interface"])))
1735
1736
client_class = Client
1737
if use_dbus:
1738
client_class = functools.partial(ClientDBus, bus = bus)
1739
def client_config_items(config, section):
1740
special_settings = {
1741
"approve_by_default":
1742
lambda: config.getboolean(section,
1743
"approve_by_default"),
1744
}
1745
for name, value in config.items(section):
1746
try:
1747
yield special_settings[name]()
1748
except KeyError:
1749
yield (name, value)
1750
1751
tcp_server.clients.update(set(
1752
client_class(name = section,
1753
config= dict(client_config_items(
1754
client_config, section)))
1755
for section in client_config.sections()))
1756
if not tcp_server.clients:
1068
1757
logger.warning(u"No clients defined")
1069
1758
1070
1759
if debug:
1080
1769
daemon()
1081
1770
1082
1771
try:
1083
pid = os.getpid()
1084
pidfile.write(str(pid) + "\n")
1085
pidfile.close()
1772
with pidfile:
1773
pid = os.getpid()
1774
pidfile.write(str(pid) + "\n")
1086
1775
del pidfile
1087
1776
except IOError:
1088
1777
logger.error(u"Could not write to file %r with PID %d",
1092
1781
pass
1093
1782
del pidfilename
1094
1783
1095
def cleanup():
1096
"Cleanup function; run on exit"
1097
global group
1098
# From the Avahi example code
1099
if not group is None:
1100
group.Free()
1101
group = None
1102
# End of Avahi example code
1103
1104
while clients:
1105
client = clients.pop()
1106
client.disable_hook = None
1107
client.disable()
1108
1109
atexit.register(cleanup)
1110
1111
1784
if not debug:
1112
1785
signal.signal(signal.SIGINT, signal.SIG_IGN)
1113
1786
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1114
1787
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1115
1788
1116
1789
if use_dbus:
1117
class MandosServer(dbus.service.Object):
1790
class MandosDBusService(dbus.service.Object):
1118
1791
"""A D-Bus proxy object"""
1119
1792
def __init__(self):
1120
dbus.service.Object.__init__(self, bus, "/")
1793
dbus.service.Object.__init__(self, bus, u"/")
1121
1794
_interface = u"se.bsnet.fukt.Mandos"
1122
1795
1123
@dbus.service.signal(_interface, signature="oa{sv}")
1124
def ClientAdded(self, objpath, properties):
1125
"D-Bus signal"
1126
pass
1127
1128
@dbus.service.signal(_interface, signature="os")
1796
@dbus.service.signal(_interface, signature=u"o")
1797
def ClientAdded(self, objpath):
1798
"D-Bus signal"
1799
pass
1800
1801
@dbus.service.signal(_interface, signature=u"ss")
1802
def ClientNotFound(self, fingerprint, address):
1803
"D-Bus signal"
1804
pass
1805
1806
@dbus.service.signal(_interface, signature=u"os")
1129
1807
def ClientRemoved(self, objpath, name):
1130
1808
"D-Bus signal"
1131
1809
pass
1132
1810
1133
@dbus.service.method(_interface, out_signature="ao")
1811
@dbus.service.method(_interface, out_signature=u"ao")
1134
1812
def GetAllClients(self):
1135
1813
"D-Bus method"
1136
return dbus.Array(c.dbus_object_path for c in clients)
1814
return dbus.Array(c.dbus_object_path
1815
for c in tcp_server.clients)
1137
1816
1138
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1817
@dbus.service.method(_interface,
1818
out_signature=u"a{oa{sv}}")
1139
1819
def GetAllClientsWithProperties(self):
1140
1820
"D-Bus method"
1141
1821
return dbus.Dictionary(
1142
((c.dbus_object_path, c.GetAllProperties())
1143
for c in clients),
1144
signature="oa{sv}")
1822
((c.dbus_object_path, c.GetAll(u""))
1823
for c in tcp_server.clients),
1824
signature=u"oa{sv}")
1145
1825
1146
@dbus.service.method(_interface, in_signature="o")
1826
@dbus.service.method(_interface, in_signature=u"o")
1147
1827
def RemoveClient(self, object_path):
1148
1828
"D-Bus method"
1149
for c in clients:
1829
for c in tcp_server.clients:
1150
1830
if c.dbus_object_path == object_path:
1151
clients.remove(c)
1831
tcp_server.clients.remove(c)
1832
c.remove_from_connection()
1152
1833
# Don't signal anything except ClientRemoved
1153
c.use_dbus = False
1154
c.disable()
1834
c.disable(quiet=True)
1155
1835
# Emit D-Bus signal
1156
1836
self.ClientRemoved(object_path, c.name)
1157
1837
return
1158
raise KeyError
1838
raise KeyError(object_path)
1159
1839
1160
1840
del _interface
1161
1841
1162
mandos_server = MandosServer()
1163
1164
for client in clients:
1842
mandos_dbus_service = MandosDBusService()
1843
1844
def cleanup():
1845
"Cleanup function; run on exit"
1846
service.cleanup()
1847
1848
while tcp_server.clients:
1849
client = tcp_server.clients.pop()
1850
if use_dbus:
1851
client.remove_from_connection()
1852
client.disable_hook = None
1853
# Don't signal anything except ClientRemoved
1854
client.disable(quiet=True)
1855
if use_dbus:
1856
# Emit D-Bus signal
1857
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1858
client.name)
1859
1860
atexit.register(cleanup)
1861
1862
for client in tcp_server.clients:
1165
1863
if use_dbus:
1166
1864
# Emit D-Bus signal
1167
mandos_server.ClientAdded(client.dbus_object_path,
1168
client.GetAllProperties())
1865
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1169
1866
client.enable()
1170
1867
1171
1868
tcp_server.enable()
1173
1870
1174
1871
# Find out what port we got
1175
1872
service.port = tcp_server.socket.getsockname()[1]
1176
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1177
u" scope_id %d" % tcp_server.socket.getsockname())
1873
if use_ipv6:
1874
logger.info(u"Now listening on address %r, port %d,"
1875
" flowinfo %d, scope_id %d"
1876
% tcp_server.socket.getsockname())
1877
else: # IPv4
1878
logger.info(u"Now listening on address %r, port %d"
1879
% tcp_server.socket.getsockname())
1178
1880
1179
1881
#service.interface = tcp_server.socket.getsockname()[3]
1180
1882
1181
1883
try:
1182
1884
# From the Avahi example code
1183
server.connect_to_signal("StateChanged", server_state_changed)
1184
1885
try:
1185
server_state_changed(server.GetState())
1886
service.activate()
1186
1887
except dbus.exceptions.DBusException, error:
1187
1888
logger.critical(u"DBusException: %s", error)
1889
cleanup()
1188
1890
sys.exit(1)
1189
1891
# End of Avahi example code
1190
1892
1197
1899
main_loop.run()
1198
1900
except AvahiError, error:
1199
1901
logger.critical(u"AvahiError: %s", error)
1902
cleanup()
1200
1903
sys.exit(1)
1201
1904
except KeyboardInterrupt:
1202
1905
if debug:
1203
1906
print >> sys.stderr
1204
logger.debug("Server received KeyboardInterrupt")
1205
logger.debug("Server exiting")
1907
logger.debug(u"Server received KeyboardInterrupt")
1908
logger.debug(u"Server exiting")
1909
# Must run before the D-Bus bus name gets deregistered
1910
cleanup()
1206
1911
1207
1912
if __name__ == '__main__':
1208
1913
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0