To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to server.py
- browse files at revision 24.1.19
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.19
- Committer: Björn Påhlsson
- Date: 2008-08-04 21:27:53 UTC
- mfrom: (45 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 46.
- Revision ID: belorn@braxen-20080804212753-rdghixnyfxb7w3u5
merge
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
server.py
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# following functions: "AvahiService.add", "AvahiService.remove",
10
# "server_state_changed", "entry_group_state_changed", and some lines
11
# in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
16
15
#
17
16
# This program is free software: you can redistribute it and/or modify
18
17
# it under the terms of the GNU General Public License as published by
25
24
# GNU General Public License for more details.
26
25
#
27
26
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
27
# along with this program. If not, see <http://www.gnu.org/licenses/>.
30
28
#
31
29
# Contact the authors at <mandos@fukt.bsnet.se>.
32
30
#
33
31
34
from __future__ import division, with_statement, absolute_import
32
from __future__ import division
35
33
36
34
import SocketServer
37
35
import socket
38
import optparse
36
import select
37
from optparse import OptionParser
39
38
import datetime
40
39
import errno
41
40
import gnutls.crypto
55
54
import stat
56
55
import logging
57
56
import logging.handlers
58
import pwd
59
from contextlib import closing
60
57
61
58
import dbus
62
import dbus.service
63
59
import gobject
64
60
import avahi
65
61
from dbus.mainloop.glib import DBusGMainLoop
66
62
import ctypes
67
import ctypes.util
68
69
try:
70
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
71
except AttributeError:
72
try:
73
from IN import SO_BINDTODEVICE
74
except ImportError:
75
# From /usr/include/asm/socket.h
76
SO_BINDTODEVICE = 25
77
78
79
version = "1.0.8"
63
64
# Brief description of the operation of this program:
65
#
66
# This server announces itself as a Zeroconf service. Connecting
67
# clients use the TLS protocol, with the unusual quirk that this
68
# server program acts as a TLS "client" while a connecting client acts
69
# as a TLS "server". The client (acting as a TLS "server") must
70
# supply an OpenPGP certificate, and the fingerprint of this
71
# certificate is used by this server to look up (in a list read from a
72
# file at start time) which binary blob to give the client. No other
73
# authentication or authorization is done by this server.
74
80
75
81
76
logger = logging.Logger('mandos')
82
syslogger = (logging.handlers.SysLogHandler
83
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
84
address = "/dev/log"))
85
syslogger.setFormatter(logging.Formatter
86
('Mandos [%(process)d]: %(levelname)s:'
87
' %(message)s'))
77
syslogger = logging.handlers.SysLogHandler\
78
(facility = logging.handlers.SysLogHandler.LOG_DAEMON)
79
syslogger.setFormatter(logging.Formatter\
80
('%(levelname)s: %(message)s'))
88
81
logger.addHandler(syslogger)
82
del syslogger
89
83
90
console = logging.StreamHandler()
91
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
92
' %(levelname)s: %(message)s'))
93
logger.addHandler(console)
94
84
95
85
class AvahiError(Exception):
96
def __init__(self, value, *args, **kwargs):
86
def __init__(self, value):
97
87
self.value = value
98
super(AvahiError, self).__init__(value, *args, **kwargs)
99
def __unicode__(self):
100
return unicode(repr(self.value))
88
def __str__(self):
89
return repr(self.value)
101
90
102
91
class AvahiServiceError(AvahiError):
103
92
pass
108
97
109
98
class AvahiService(object):
110
99
"""An Avahi (Zeroconf) service.
111
112
100
Attributes:
113
101
interface: integer; avahi.IF_UNSPEC or an interface index.
114
102
Used to optionally bind to the specified interface.
124
112
a sensible number of times
125
113
"""
126
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
127
servicetype = None, port = None, TXT = None,
128
domain = "", host = "", max_renames = 32768,
129
protocol = avahi.PROTO_UNSPEC):
115
type = None, port = None, TXT = None, domain = "",
116
host = "", max_renames = 12):
130
117
self.interface = interface
131
118
self.name = name
132
self.type = servicetype
119
self.type = type
133
120
self.port = port
134
self.TXT = TXT if TXT is not None else []
121
if TXT is None:
122
self.TXT = []
123
else:
124
self.TXT = TXT
135
125
self.domain = domain
136
126
self.host = host
137
127
self.rename_count = 0
138
self.max_renames = max_renames
139
self.protocol = protocol
140
128
def rename(self):
141
129
"""Derived from the Avahi example code"""
142
130
if self.rename_count >= self.max_renames:
143
logger.critical(u"No suitable Zeroconf service name found"
144
u" after %i retries, exiting.",
145
self.rename_count)
146
raise AvahiServiceError(u"Too many renames")
147
self.name = server.GetAlternativeServiceName(self.name)
148
logger.info(u"Changing Zeroconf service name to %r ...",
149
str(self.name))
150
syslogger.setFormatter(logging.Formatter
151
('Mandos (%s) [%%(process)d]:'
152
' %%(levelname)s: %%(message)s'
153
% self.name))
131
logger.critical(u"No suitable service name found after %i"
132
u" retries, exiting.", rename_count)
133
raise AvahiServiceError("Too many renames")
134
name = server.GetAlternativeServiceName(name)
135
logger.error(u"Changing name to %r ...", name)
154
136
self.remove()
155
137
self.add()
156
138
self.rename_count += 1
162
144
"""Derived from the Avahi example code"""
163
145
global group
164
146
if group is None:
165
group = dbus.Interface(bus.get_object
166
(avahi.DBUS_NAME,
147
group = dbus.Interface\
148
(bus.get_object(avahi.DBUS_NAME,
167
149
server.EntryGroupNew()),
168
avahi.DBUS_INTERFACE_ENTRY_GROUP)
150
avahi.DBUS_INTERFACE_ENTRY_GROUP)
169
151
group.connect_to_signal('StateChanged',
170
152
entry_group_state_changed)
171
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
153
logger.debug(u"Adding service '%s' of type '%s' ...",
172
154
service.name, service.type)
173
155
group.AddService(
174
156
self.interface, # interface
175
self.protocol, # protocol
157
avahi.PROTO_INET6, # protocol
176
158
dbus.UInt32(0), # flags
177
159
self.name, self.type,
178
160
self.domain, self.host,
185
167
# End of Avahi example code
186
168
187
169
188
def _datetime_to_dbus(dt, variant_level=0):
189
"""Convert a UTC datetime.datetime() to a D-Bus type."""
190
return dbus.String(dt.isoformat(), variant_level=variant_level)
191
192
193
170
class Client(object):
194
171
"""A representation of a client host served by this server.
195
196
172
Attributes:
197
name: string; from the config file, used in log messages and
198
D-Bus identifiers
173
name: string; from the config file, used in log messages
199
174
fingerprint: string (40 or 32 hexadecimal digits); used to
200
175
uniquely identify the client
201
secret: bytestring; sent verbatim (over TLS) to client
202
host: string; available for use by the checker command
203
created: datetime.datetime(); (UTC) object creation
204
last_enabled: datetime.datetime(); (UTC)
205
enabled: bool()
206
last_checked_ok: datetime.datetime(); (UTC) or None
207
timeout: datetime.timedelta(); How long from last_checked_ok
208
until this client is invalid
209
interval: datetime.timedelta(); How often to start a new checker
210
disable_hook: If set, called by disable() as disable_hook(self)
211
checker: subprocess.Popen(); a running checker process used
212
to see if the client lives.
213
'None' if no process is running.
176
secret: bytestring; sent verbatim (over TLS) to client
177
fqdn: string (FQDN); available for use by the checker command
178
created: datetime.datetime(); object creation, not client host
179
last_checked_ok: datetime.datetime() or None if not yet checked OK
180
timeout: datetime.timedelta(); How long from last_checked_ok
181
until this client is invalid
182
interval: datetime.timedelta(); How often to start a new checker
183
stop_hook: If set, called by stop() as stop_hook(self)
184
checker: subprocess.Popen(); a running checker process used
185
to see if the client lives.
186
'None' if no process is running.
214
187
checker_initiator_tag: a gobject event source tag, or None
215
disable_initiator_tag: - '' -
188
stop_initiator_tag: - '' -
216
189
checker_callback_tag: - '' -
217
190
checker_command: string; External command which is run to check if
218
191
client lives. %() expansions are done at
219
192
runtime with vars(self) as dict, so that for
220
193
instance %(name)s can be used in the command.
221
current_checker_command: string; current running checker_command
194
Private attibutes:
195
_timeout: Real variable for 'timeout'
196
_interval: Real variable for 'interval'
197
_timeout_milliseconds: Used when calling gobject.timeout_add()
198
_interval_milliseconds: - '' -
222
199
"""
223
def timeout_milliseconds(self):
224
"Return the 'timeout' attribute in milliseconds"
225
return ((self.timeout.days * 24 * 60 * 60 * 1000)
226
+ (self.timeout.seconds * 1000)
227
+ (self.timeout.microseconds // 1000))
228
229
def interval_milliseconds(self):
230
"Return the 'interval' attribute in milliseconds"
231
return ((self.interval.days * 24 * 60 * 60 * 1000)
232
+ (self.interval.seconds * 1000)
233
+ (self.interval.microseconds // 1000))
234
235
def __init__(self, name = None, disable_hook=None, config=None):
200
def _set_timeout(self, timeout):
201
"Setter function for 'timeout' attribute"
202
self._timeout = timeout
203
self._timeout_milliseconds = ((self.timeout.days
204
* 24 * 60 * 60 * 1000)
205
+ (self.timeout.seconds * 1000)
206
+ (self.timeout.microseconds
207
// 1000))
208
timeout = property(lambda self: self._timeout,
209
_set_timeout)
210
del _set_timeout
211
def _set_interval(self, interval):
212
"Setter function for 'interval' attribute"
213
self._interval = interval
214
self._interval_milliseconds = ((self.interval.days
215
* 24 * 60 * 60 * 1000)
216
+ (self.interval.seconds
217
* 1000)
218
+ (self.interval.microseconds
219
// 1000))
220
interval = property(lambda self: self._interval,
221
_set_interval)
222
del _set_interval
223
def __init__(self, name = None, stop_hook=None, config={}):
236
224
"""Note: the 'checker' key in 'config' sets the
237
225
'checker_command' attribute and *not* the 'checker'
238
226
attribute."""
239
227
self.name = name
240
if config is None:
241
config = {}
242
228
logger.debug(u"Creating client %r", self.name)
243
229
# Uppercase and remove spaces from fingerprint for later
244
230
# comparison purposes with return value from the fingerprint()
245
231
# function
246
self.fingerprint = (config["fingerprint"].upper()
247
.replace(u" ", u""))
232
self.fingerprint = config["fingerprint"].upper()\
233
.replace(u" ", u"")
248
234
logger.debug(u" Fingerprint: %s", self.fingerprint)
249
235
if "secret" in config:
250
236
self.secret = config["secret"].decode(u"base64")
251
237
elif "secfile" in config:
252
with closing(open(os.path.expanduser
253
(os.path.expandvars
254
(config["secfile"])))) as secfile:
255
self.secret = secfile.read()
238
sf = open(config["secfile"])
239
self.secret = sf.read()
240
sf.close()
256
241
else:
257
242
raise TypeError(u"No secret or secfile for client %s"
258
243
% self.name)
259
self.host = config.get("host", "")
260
self.created = datetime.datetime.utcnow()
261
self.enabled = False
262
self.last_enabled = None
244
self.fqdn = config.get("fqdn", "")
245
self.created = datetime.datetime.now()
263
246
self.last_checked_ok = None
264
247
self.timeout = string_to_delta(config["timeout"])
265
248
self.interval = string_to_delta(config["interval"])
266
self.disable_hook = disable_hook
249
self.stop_hook = stop_hook
267
250
self.checker = None
268
251
self.checker_initiator_tag = None
269
self.disable_initiator_tag = None
252
self.stop_initiator_tag = None
270
253
self.checker_callback_tag = None
271
self.checker_command = config["checker"]
272
self.current_checker_command = None
273
self.last_connect = None
274
275
def enable(self):
254
self.check_command = config["checker"]
255
def start(self):
276
256
"""Start this client's checker and timeout hooks"""
277
self.last_enabled = datetime.datetime.utcnow()
278
257
# Schedule a new checker to be started an 'interval' from now,
279
258
# and every interval from then on.
280
self.checker_initiator_tag = (gobject.timeout_add
281
(self.interval_milliseconds(),
282
self.start_checker))
259
self.checker_initiator_tag = gobject.timeout_add\
260
(self._interval_milliseconds,
261
self.start_checker)
283
262
# Also start a new checker *right now*.
284
263
self.start_checker()
285
# Schedule a disable() when 'timeout' has passed
286
self.disable_initiator_tag = (gobject.timeout_add
287
(self.timeout_milliseconds(),
288
self.disable))
289
self.enabled = True
290
291
def disable(self):
292
"""Disable this client."""
293
if not getattr(self, "enabled", False):
264
# Schedule a stop() when 'timeout' has passed
265
self.stop_initiator_tag = gobject.timeout_add\
266
(self._timeout_milliseconds,
267
self.stop)
268
def stop(self):
269
"""Stop this client.
270
The possibility that a client might be restarted is left open,
271
but not currently used."""
272
# If this client doesn't have a secret, it is already stopped.
273
if self.secret:
274
logger.info(u"Stopping client %s", self.name)
275
self.secret = None
276
else:
294
277
return False
295
logger.info(u"Disabling client %s", self.name)
296
if getattr(self, "disable_initiator_tag", False):
297
gobject.source_remove(self.disable_initiator_tag)
298
self.disable_initiator_tag = None
278
if getattr(self, "stop_initiator_tag", False):
279
gobject.source_remove(self.stop_initiator_tag)
280
self.stop_initiator_tag = None
299
281
if getattr(self, "checker_initiator_tag", False):
300
282
gobject.source_remove(self.checker_initiator_tag)
301
283
self.checker_initiator_tag = None
302
284
self.stop_checker()
303
if self.disable_hook:
304
self.disable_hook(self)
305
self.enabled = False
285
if self.stop_hook:
286
self.stop_hook(self)
306
287
# Do not run this again if called by a gobject.timeout_add
307
288
return False
308
309
289
def __del__(self):
310
self.disable_hook = None
311
self.disable()
312
313
def checker_callback(self, pid, condition, command):
290
self.stop_hook = None
291
self.stop()
292
def checker_callback(self, pid, condition):
314
293
"""The checker has completed, so take appropriate actions."""
294
now = datetime.datetime.now()
315
295
self.checker_callback_tag = None
316
296
self.checker = None
317
if os.WIFEXITED(condition):
318
exitstatus = os.WEXITSTATUS(condition)
319
if exitstatus == 0:
320
logger.info(u"Checker for %(name)s succeeded",
321
vars(self))
322
self.checked_ok()
323
else:
324
logger.info(u"Checker for %(name)s failed",
325
vars(self))
326
else:
297
if os.WIFEXITED(condition) \
298
and (os.WEXITSTATUS(condition) == 0):
299
logger.info(u"Checker for %(name)s succeeded",
300
vars(self))
301
self.last_checked_ok = now
302
gobject.source_remove(self.stop_initiator_tag)
303
self.stop_initiator_tag = gobject.timeout_add\
304
(self._timeout_milliseconds,
305
self.stop)
306
elif not os.WIFEXITED(condition):
327
307
logger.warning(u"Checker for %(name)s crashed?",
328
308
vars(self))
329
330
def checked_ok(self):
331
"""Bump up the timeout for this client.
332
333
This should only be called when the client has been seen,
334
alive and well.
335
"""
336
self.last_checked_ok = datetime.datetime.utcnow()
337
gobject.source_remove(self.disable_initiator_tag)
338
self.disable_initiator_tag = (gobject.timeout_add
339
(self.timeout_milliseconds(),
340
self.disable))
341
309
else:
310
logger.info(u"Checker for %(name)s failed",
311
vars(self))
342
312
def start_checker(self):
343
313
"""Start a new checker subprocess if one is not running.
344
345
314
If a checker already exists, leave it running and do
346
315
nothing."""
347
316
# The reason for not killing a running checker is that if we
352
321
# checkers alone, the checker would have to take more time
353
322
# than 'timeout' for the client to be declared invalid, which
354
323
# is as it should be.
355
356
# If a checker exists, make sure it is not a zombie
357
if self.checker is not None:
358
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
359
if pid:
360
logger.warning("Checker was a zombie")
361
gobject.source_remove(self.checker_callback_tag)
362
self.checker_callback(pid, status,
363
self.current_checker_command)
364
# Start a new checker if needed
365
324
if self.checker is None:
366
325
try:
367
# In case checker_command has exactly one % operator
368
command = self.checker_command % self.host
326
# In case check_command has exactly one % operator
327
command = self.check_command % self.fqdn
369
328
except TypeError:
370
329
# Escape attributes for the shell
371
330
escaped_attrs = dict((key, re.escape(str(val)))
372
331
for key, val in
373
332
vars(self).iteritems())
374
333
try:
375
command = self.checker_command % escaped_attrs
334
command = self.check_command % escaped_attrs
376
335
except TypeError, error:
377
336
logger.error(u'Could not format string "%s":'
378
u' %s', self.checker_command, error)
337
u' %s', self.check_command, error)
379
338
return True # Try again later
380
self.current_checker_command = command
381
339
try:
382
340
logger.info(u"Starting checker %r for %s",
383
341
command, self.name)
384
# We don't need to redirect stdout and stderr, since
385
# in normal mode, that is already done by daemon(),
386
# and in debug mode we don't want to. (Stdin is
387
# always replaced by /dev/null.)
388
342
self.checker = subprocess.Popen(command,
389
343
close_fds=True,
390
344
shell=True, cwd="/")
391
self.checker_callback_tag = (gobject.child_watch_add
392
(self.checker.pid,
393
self.checker_callback,
394
data=command))
395
# The checker may have completed before the gobject
396
# watch was added. Check for this.
397
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
398
if pid:
399
gobject.source_remove(self.checker_callback_tag)
400
self.checker_callback(pid, status, command)
401
except OSError, error:
345
self.checker_callback_tag = gobject.child_watch_add\
346
(self.checker.pid,
347
self.checker_callback)
348
except subprocess.OSError, error:
402
349
logger.error(u"Failed to start subprocess: %s",
403
350
error)
404
351
# Re-run this periodically if run by gobject.timeout_add
405
352
return True
406
407
353
def stop_checker(self):
408
354
"""Force the checker process, if any, to stop."""
409
355
if self.checker_callback_tag:
411
357
self.checker_callback_tag = None
412
358
if getattr(self, "checker", None) is None:
413
359
return
414
logger.debug(u"Stopping checker for %(name)s", vars(self))
360
logger.debug("Stopping checker for %(name)s", vars(self))
415
361
try:
416
362
os.kill(self.checker.pid, signal.SIGTERM)
417
363
#os.sleep(0.5)
421
367
if error.errno != errno.ESRCH: # No such process
422
368
raise
423
369
self.checker = None
424
425
370
def still_valid(self):
426
371
"""Has the timeout not yet passed for this client?"""
427
if not getattr(self, "enabled", False):
428
return False
429
now = datetime.datetime.utcnow()
372
now = datetime.datetime.now()
430
373
if self.last_checked_ok is None:
431
374
return now < (self.created + self.timeout)
432
375
else:
433
376
return now < (self.last_checked_ok + self.timeout)
434
377
435
378
436
class ClientDBus(Client, dbus.service.Object):
437
"""A Client class using D-Bus
438
439
Attributes:
440
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
441
"""
442
# dbus.service.Object doesn't use super(), so we can't either.
443
444
def __init__(self, *args, **kwargs):
445
Client.__init__(self, *args, **kwargs)
446
# Only now, when this client is initialized, can it show up on
447
# the D-Bus
448
self.dbus_object_path = (dbus.ObjectPath
449
("/clients/"
450
+ self.name.replace(".", "_")))
451
dbus.service.Object.__init__(self, bus,
452
self.dbus_object_path)
453
def enable(self):
454
oldstate = getattr(self, "enabled", False)
455
r = Client.enable(self)
456
if oldstate != self.enabled:
457
# Emit D-Bus signals
458
self.PropertyChanged(dbus.String(u"enabled"),
459
dbus.Boolean(True, variant_level=1))
460
self.PropertyChanged(dbus.String(u"last_enabled"),
461
(_datetime_to_dbus(self.last_enabled,
462
variant_level=1)))
463
return r
464
465
def disable(self, signal = True):
466
oldstate = getattr(self, "enabled", False)
467
r = Client.disable(self)
468
if signal and oldstate != self.enabled:
469
# Emit D-Bus signal
470
self.PropertyChanged(dbus.String(u"enabled"),
471
dbus.Boolean(False, variant_level=1))
472
return r
473
474
def __del__(self, *args, **kwargs):
475
try:
476
self.remove_from_connection()
477
except LookupError:
478
pass
479
if hasattr(dbus.service.Object, "__del__"):
480
dbus.service.Object.__del__(self, *args, **kwargs)
481
Client.__del__(self, *args, **kwargs)
482
483
def checker_callback(self, pid, condition, command,
484
*args, **kwargs):
485
self.checker_callback_tag = None
486
self.checker = None
487
# Emit D-Bus signal
488
self.PropertyChanged(dbus.String(u"checker_running"),
489
dbus.Boolean(False, variant_level=1))
490
if os.WIFEXITED(condition):
491
exitstatus = os.WEXITSTATUS(condition)
492
# Emit D-Bus signal
493
self.CheckerCompleted(dbus.Int16(exitstatus),
494
dbus.Int64(condition),
495
dbus.String(command))
496
else:
497
# Emit D-Bus signal
498
self.CheckerCompleted(dbus.Int16(-1),
499
dbus.Int64(condition),
500
dbus.String(command))
501
502
return Client.checker_callback(self, pid, condition, command,
503
*args, **kwargs)
504
505
def checked_ok(self, *args, **kwargs):
506
r = Client.checked_ok(self, *args, **kwargs)
507
# Emit D-Bus signal
508
self.PropertyChanged(
509
dbus.String(u"last_checked_ok"),
510
(_datetime_to_dbus(self.last_checked_ok,
511
variant_level=1)))
512
return r
513
514
def start_checker(self, *args, **kwargs):
515
old_checker = self.checker
516
if self.checker is not None:
517
old_checker_pid = self.checker.pid
518
else:
519
old_checker_pid = None
520
r = Client.start_checker(self, *args, **kwargs)
521
# Only if new checker process was started
522
if (self.checker is not None
523
and old_checker_pid != self.checker.pid):
524
# Emit D-Bus signal
525
self.CheckerStarted(self.current_checker_command)
526
self.PropertyChanged(
527
dbus.String("checker_running"),
528
dbus.Boolean(True, variant_level=1))
529
return r
530
531
def stop_checker(self, *args, **kwargs):
532
old_checker = getattr(self, "checker", None)
533
r = Client.stop_checker(self, *args, **kwargs)
534
if (old_checker is not None
535
and getattr(self, "checker", None) is None):
536
self.PropertyChanged(dbus.String(u"checker_running"),
537
dbus.Boolean(False, variant_level=1))
538
return r
539
540
## D-Bus methods & signals
541
_interface = u"se.bsnet.fukt.Mandos.Client"
542
543
# CheckedOK - method
544
CheckedOK = dbus.service.method(_interface)(checked_ok)
545
CheckedOK.__name__ = "CheckedOK"
546
547
# CheckerCompleted - signal
548
@dbus.service.signal(_interface, signature="nxs")
549
def CheckerCompleted(self, exitcode, waitstatus, command):
550
"D-Bus signal"
551
pass
552
553
# CheckerStarted - signal
554
@dbus.service.signal(_interface, signature="s")
555
def CheckerStarted(self, command):
556
"D-Bus signal"
557
pass
558
559
# GetAllProperties - method
560
@dbus.service.method(_interface, out_signature="a{sv}")
561
def GetAllProperties(self):
562
"D-Bus method"
563
return dbus.Dictionary({
564
dbus.String("name"):
565
dbus.String(self.name, variant_level=1),
566
dbus.String("fingerprint"):
567
dbus.String(self.fingerprint, variant_level=1),
568
dbus.String("host"):
569
dbus.String(self.host, variant_level=1),
570
dbus.String("created"):
571
_datetime_to_dbus(self.created, variant_level=1),
572
dbus.String("last_enabled"):
573
(_datetime_to_dbus(self.last_enabled,
574
variant_level=1)
575
if self.last_enabled is not None
576
else dbus.Boolean(False, variant_level=1)),
577
dbus.String("enabled"):
578
dbus.Boolean(self.enabled, variant_level=1),
579
dbus.String("last_checked_ok"):
580
(_datetime_to_dbus(self.last_checked_ok,
581
variant_level=1)
582
if self.last_checked_ok is not None
583
else dbus.Boolean (False, variant_level=1)),
584
dbus.String("timeout"):
585
dbus.UInt64(self.timeout_milliseconds(),
586
variant_level=1),
587
dbus.String("interval"):
588
dbus.UInt64(self.interval_milliseconds(),
589
variant_level=1),
590
dbus.String("checker"):
591
dbus.String(self.checker_command,
592
variant_level=1),
593
dbus.String("checker_running"):
594
dbus.Boolean(self.checker is not None,
595
variant_level=1),
596
dbus.String("object_path"):
597
dbus.ObjectPath(self.dbus_object_path,
598
variant_level=1)
599
}, signature="sv")
600
601
# IsStillValid - method
602
@dbus.service.method(_interface, out_signature="b")
603
def IsStillValid(self):
604
return self.still_valid()
605
606
# PropertyChanged - signal
607
@dbus.service.signal(_interface, signature="sv")
608
def PropertyChanged(self, property, value):
609
"D-Bus signal"
610
pass
611
612
# ReceivedSecret - signal
613
@dbus.service.signal(_interface)
614
def ReceivedSecret(self):
615
"D-Bus signal"
616
pass
617
618
# Rejected - signal
619
@dbus.service.signal(_interface)
620
def Rejected(self):
621
"D-Bus signal"
622
pass
623
624
# SetChecker - method
625
@dbus.service.method(_interface, in_signature="s")
626
def SetChecker(self, checker):
627
"D-Bus setter method"
628
self.checker_command = checker
629
# Emit D-Bus signal
630
self.PropertyChanged(dbus.String(u"checker"),
631
dbus.String(self.checker_command,
632
variant_level=1))
633
634
# SetHost - method
635
@dbus.service.method(_interface, in_signature="s")
636
def SetHost(self, host):
637
"D-Bus setter method"
638
self.host = host
639
# Emit D-Bus signal
640
self.PropertyChanged(dbus.String(u"host"),
641
dbus.String(self.host, variant_level=1))
642
643
# SetInterval - method
644
@dbus.service.method(_interface, in_signature="t")
645
def SetInterval(self, milliseconds):
646
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
647
# Emit D-Bus signal
648
self.PropertyChanged(dbus.String(u"interval"),
649
(dbus.UInt64(self.interval_milliseconds(),
650
variant_level=1)))
651
652
# SetSecret - method
653
@dbus.service.method(_interface, in_signature="ay",
654
byte_arrays=True)
655
def SetSecret(self, secret):
656
"D-Bus setter method"
657
self.secret = str(secret)
658
659
# SetTimeout - method
660
@dbus.service.method(_interface, in_signature="t")
661
def SetTimeout(self, milliseconds):
662
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
663
# Emit D-Bus signal
664
self.PropertyChanged(dbus.String(u"timeout"),
665
(dbus.UInt64(self.timeout_milliseconds(),
666
variant_level=1)))
667
668
# Enable - method
669
Enable = dbus.service.method(_interface)(enable)
670
Enable.__name__ = "Enable"
671
672
# StartChecker - method
673
@dbus.service.method(_interface)
674
def StartChecker(self):
675
"D-Bus method"
676
self.start_checker()
677
678
# Disable - method
679
@dbus.service.method(_interface)
680
def Disable(self):
681
"D-Bus method"
682
self.disable()
683
684
# StopChecker - method
685
StopChecker = dbus.service.method(_interface)(stop_checker)
686
StopChecker.__name__ = "StopChecker"
687
688
del _interface
689
690
691
class ClientHandler(SocketServer.BaseRequestHandler, object):
692
"""A class to handle client connections.
693
694
Instantiated once for each connection to handle it.
379
def peer_certificate(session):
380
"Return the peer's OpenPGP certificate as a bytestring"
381
# If not an OpenPGP certificate...
382
if gnutls.library.functions.gnutls_certificate_type_get\
383
(session._c_object) \
384
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
385
# ...do the normal thing
386
return session.peer_certificate
387
list_size = ctypes.c_uint()
388
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
389
(session._c_object, ctypes.byref(list_size))
390
if list_size.value == 0:
391
return None
392
cert = cert_list[0]
393
return ctypes.string_at(cert.data, cert.size)
394
395
396
def fingerprint(openpgp):
397
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
398
# New GnuTLS "datum" with the OpenPGP public key
399
datum = gnutls.library.types.gnutls_datum_t\
400
(ctypes.cast(ctypes.c_char_p(openpgp),
401
ctypes.POINTER(ctypes.c_ubyte)),
402
ctypes.c_uint(len(openpgp)))
403
# New empty GnuTLS certificate
404
crt = gnutls.library.types.gnutls_openpgp_crt_t()
405
gnutls.library.functions.gnutls_openpgp_crt_init\
406
(ctypes.byref(crt))
407
# Import the OpenPGP public key into the certificate
408
gnutls.library.functions.gnutls_openpgp_crt_import\
409
(crt, ctypes.byref(datum),
410
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
411
# New buffer for the fingerprint
412
buffer = ctypes.create_string_buffer(20)
413
buffer_length = ctypes.c_size_t()
414
# Get the fingerprint from the certificate into the buffer
415
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
416
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
417
# Deinit the certificate
418
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
419
# Convert the buffer to a Python bytestring
420
fpr = ctypes.string_at(buffer, buffer_length.value)
421
# Convert the bytestring to hexadecimal notation
422
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
423
return hex_fpr
424
425
426
class tcp_handler(SocketServer.BaseRequestHandler, object):
427
"""A TCP request handler class.
428
Instantiated by IPv6_TCPServer for each request to handle it.
695
429
Note: This will run in its own forked process."""
696
430
697
431
def handle(self):
698
432
logger.info(u"TCP connection from: %s",
699
unicode(self.client_address))
700
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
701
# Open IPC pipe to parent process
702
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
703
session = (gnutls.connection
704
.ClientSession(self.request,
705
gnutls.connection
706
.X509Credentials()))
707
708
line = self.request.makefile().readline()
709
logger.debug(u"Protocol version: %r", line)
710
try:
711
if int(line.strip().split()[0]) > 1:
712
raise RuntimeError
713
except (ValueError, IndexError, RuntimeError), error:
714
logger.error(u"Unknown protocol version: %s", error)
715
return
716
717
# Note: gnutls.connection.X509Credentials is really a
718
# generic GnuTLS certificate credentials object so long as
719
# no X.509 keys are added to it. Therefore, we can use it
720
# here despite using OpenPGP certificates.
721
722
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
723
# "+AES-256-CBC", "+SHA1",
724
# "+COMP-NULL", "+CTYPE-OPENPGP",
725
# "+DHE-DSS"))
726
# Use a fallback default, since this MUST be set.
727
priority = self.server.gnutls_priority
728
if priority is None:
729
priority = "NORMAL"
730
(gnutls.library.functions
731
.gnutls_priority_set_direct(session._c_object,
732
priority, None))
733
734
try:
735
session.handshake()
736
except gnutls.errors.GNUTLSError, error:
737
logger.warning(u"Handshake failed: %s", error)
738
# Do not run session.bye() here: the session is not
739
# established. Just abandon the request.
740
return
741
logger.debug(u"Handshake succeeded")
742
try:
743
fpr = self.fingerprint(self.peer_certificate(session))
744
except (TypeError, gnutls.errors.GNUTLSError), error:
745
logger.warning(u"Bad certificate: %s", error)
746
session.bye()
747
return
748
logger.debug(u"Fingerprint: %s", fpr)
749
750
for c in self.server.clients:
751
if c.fingerprint == fpr:
752
client = c
753
break
754
else:
755
ipc.write("NOTFOUND %s\n" % fpr)
756
session.bye()
757
return
758
# Have to check if client.still_valid(), since it is
759
# possible that the client timed out while establishing
760
# the GnuTLS session.
761
if not client.still_valid():
762
ipc.write("INVALID %s\n" % client.name)
763
session.bye()
764
return
765
ipc.write("SENDING %s\n" % client.name)
766
sent_size = 0
767
while sent_size < len(client.secret):
768
sent = session.send(client.secret[sent_size:])
769
logger.debug(u"Sent: %d, remaining: %d",
770
sent, len(client.secret)
771
- (sent_size + sent))
772
sent_size += sent
773
session.bye()
774
775
@staticmethod
776
def peer_certificate(session):
777
"Return the peer's OpenPGP certificate as a bytestring"
778
# If not an OpenPGP certificate...
779
if (gnutls.library.functions
780
.gnutls_certificate_type_get(session._c_object)
781
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
782
# ...do the normal thing
783
return session.peer_certificate
784
list_size = ctypes.c_uint(1)
785
cert_list = (gnutls.library.functions
786
.gnutls_certificate_get_peers
787
(session._c_object, ctypes.byref(list_size)))
788
if not bool(cert_list) and list_size.value != 0:
789
raise gnutls.errors.GNUTLSError("error getting peer"
790
" certificate")
791
if list_size.value == 0:
792
return None
793
cert = cert_list[0]
794
return ctypes.string_at(cert.data, cert.size)
795
796
@staticmethod
797
def fingerprint(openpgp):
798
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
799
# New GnuTLS "datum" with the OpenPGP public key
800
datum = (gnutls.library.types
801
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
802
ctypes.POINTER
803
(ctypes.c_ubyte)),
804
ctypes.c_uint(len(openpgp))))
805
# New empty GnuTLS certificate
806
crt = gnutls.library.types.gnutls_openpgp_crt_t()
807
(gnutls.library.functions
808
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
809
# Import the OpenPGP public key into the certificate
810
(gnutls.library.functions
811
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
812
gnutls.library.constants
813
.GNUTLS_OPENPGP_FMT_RAW))
814
# Verify the self signature in the key
815
crtverify = ctypes.c_uint()
816
(gnutls.library.functions
817
.gnutls_openpgp_crt_verify_self(crt, 0,
818
ctypes.byref(crtverify)))
819
if crtverify.value != 0:
820
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
821
raise (gnutls.errors.CertificateSecurityError
822
("Verify failed"))
823
# New buffer for the fingerprint
824
buf = ctypes.create_string_buffer(20)
825
buf_len = ctypes.c_size_t()
826
# Get the fingerprint from the certificate into the buffer
827
(gnutls.library.functions
828
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
829
ctypes.byref(buf_len)))
830
# Deinit the certificate
831
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
832
# Convert the buffer to a Python bytestring
833
fpr = ctypes.string_at(buf, buf_len.value)
834
# Convert the bytestring to hexadecimal notation
835
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
836
return hex_fpr
837
838
839
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
840
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
841
842
Assumes a gobject.MainLoop event loop.
843
"""
844
def process_request(self, request, client_address):
845
"""Overrides and wraps the original process_request().
846
847
This function creates a new pipe in self.pipe
848
"""
849
self.pipe = os.pipe()
850
super(ForkingMixInWithPipe,
851
self).process_request(request, client_address)
852
os.close(self.pipe[1]) # close write end
853
# Call "handle_ipc" for both data and EOF events
854
gobject.io_add_watch(self.pipe[0],
855
gobject.IO_IN | gobject.IO_HUP,
856
self.handle_ipc)
857
def handle_ipc(source, condition):
858
"""Dummy function; override as necessary"""
859
os.close(source)
860
return False
861
862
863
class IPv6_TCPServer(ForkingMixInWithPipe,
864
SocketServer.TCPServer, object):
865
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
866
433
unicode(self.client_address))
434
session = gnutls.connection.ClientSession\
435
(self.request, gnutls.connection.X509Credentials())
436
437
line = self.request.makefile().readline()
438
logger.debug(u"Protocol version: %r", line)
439
try:
440
if int(line.strip().split()[0]) > 1:
441
raise RuntimeError
442
except (ValueError, IndexError, RuntimeError), error:
443
logger.error(u"Unknown protocol version: %s", error)
444
return
445
446
# Note: gnutls.connection.X509Credentials is really a generic
447
# GnuTLS certificate credentials object so long as no X.509
448
# keys are added to it. Therefore, we can use it here despite
449
# using OpenPGP certificates.
450
451
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
452
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
453
# "+DHE-DSS"))
454
priority = "NORMAL" # Fallback default, since this
455
# MUST be set.
456
if self.server.settings["priority"]:
457
priority = self.server.settings["priority"]
458
gnutls.library.functions.gnutls_priority_set_direct\
459
(session._c_object, priority, None);
460
461
try:
462
session.handshake()
463
except gnutls.errors.GNUTLSError, error:
464
logger.warning(u"Handshake failed: %s", error)
465
# Do not run session.bye() here: the session is not
466
# established. Just abandon the request.
467
return
468
try:
469
fpr = fingerprint(peer_certificate(session))
470
except (TypeError, gnutls.errors.GNUTLSError), error:
471
logger.warning(u"Bad certificate: %s", error)
472
session.bye()
473
return
474
logger.debug(u"Fingerprint: %s", fpr)
475
client = None
476
for c in self.server.clients:
477
if c.fingerprint == fpr:
478
client = c
479
break
480
if not client:
481
logger.warning(u"Client not found for fingerprint: %s",
482
fpr)
483
session.bye()
484
return
485
# Have to check if client.still_valid(), since it is possible
486
# that the client timed out while establishing the GnuTLS
487
# session.
488
if not client.still_valid():
489
logger.warning(u"Client %(name)s is invalid",
490
vars(client))
491
session.bye()
492
return
493
sent_size = 0
494
while sent_size < len(client.secret):
495
sent = session.send(client.secret[sent_size:])
496
logger.debug(u"Sent: %d, remaining: %d",
497
sent, len(client.secret)
498
- (sent_size + sent))
499
sent_size += sent
500
session.bye()
501
502
503
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
504
"""IPv6 TCP server. Accepts 'None' as address and/or port.
867
505
Attributes:
868
enabled: Boolean; whether this server is activated yet
869
interface: None or a network interface name (string)
870
use_ipv6: Boolean; to use IPv6 or not
871
----
506
settings: Server settings
872
507
clients: Set() of Client objects
873
gnutls_priority GnuTLS priority string
874
use_dbus: Boolean; to emit D-Bus signals or not
875
508
"""
876
def __init__(self, server_address, RequestHandlerClass,
877
interface=None, use_ipv6=True, clients=None,
878
gnutls_priority=None, use_dbus=True):
879
self.enabled = False
880
self.interface = interface
881
if use_ipv6:
882
self.address_family = socket.AF_INET6
883
self.clients = clients
884
self.use_dbus = use_dbus
885
self.gnutls_priority = gnutls_priority
886
SocketServer.TCPServer.__init__(self, server_address,
887
RequestHandlerClass)
509
address_family = socket.AF_INET6
510
def __init__(self, *args, **kwargs):
511
if "settings" in kwargs:
512
self.settings = kwargs["settings"]
513
del kwargs["settings"]
514
if "clients" in kwargs:
515
self.clients = kwargs["clients"]
516
del kwargs["clients"]
517
return super(type(self), self).__init__(*args, **kwargs)
888
518
def server_bind(self):
889
519
"""This overrides the normal server_bind() function
890
520
to bind to an interface if one was specified, and also NOT to
891
521
bind to an address or port if they were not specified."""
892
if self.interface is not None:
522
if self.settings["interface"]:
523
# 25 is from /usr/include/asm-i486/socket.h
524
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
893
525
try:
894
526
self.socket.setsockopt(socket.SOL_SOCKET,
895
527
SO_BINDTODEVICE,
896
self.interface + '\0')
528
self.settings["interface"])
897
529
except socket.error, error:
898
530
if error[0] == errno.EPERM:
899
531
logger.error(u"No permission to"
900
532
u" bind to interface %s",
901
self.interface)
533
self.settings["interface"])
902
534
else:
903
raise
535
raise error
904
536
# Only bind(2) the socket if we really need to.
905
537
if self.server_address[0] or self.server_address[1]:
906
538
if not self.server_address[0]:
907
if self.address_family == socket.AF_INET6:
908
any_address = "::" # in6addr_any
909
else:
910
any_address = socket.INADDR_ANY
911
self.server_address = (any_address,
539
in6addr_any = "::"
540
self.server_address = (in6addr_any,
912
541
self.server_address[1])
913
elif not self.server_address[1]:
542
elif self.server_address[1] is None:
914
543
self.server_address = (self.server_address[0],
915
544
0)
916
# if self.interface:
917
# self.server_address = (self.server_address[0],
918
# 0, # port
919
# 0, # flowinfo
920
# if_nametoindex
921
# (self.interface))
922
return SocketServer.TCPServer.server_bind(self)
923
def server_activate(self):
924
if self.enabled:
925
return SocketServer.TCPServer.server_activate(self)
926
def enable(self):
927
self.enabled = True
928
def handle_ipc(self, source, condition, file_objects={}):
929
condition_names = {
930
gobject.IO_IN: "IN", # There is data to read.
931
gobject.IO_OUT: "OUT", # Data can be written (without
932
# blocking).
933
gobject.IO_PRI: "PRI", # There is urgent data to read.
934
gobject.IO_ERR: "ERR", # Error condition.
935
gobject.IO_HUP: "HUP" # Hung up (the connection has been
936
# broken, usually for pipes and
937
# sockets).
938
}
939
conditions_string = ' | '.join(name
940
for cond, name in
941
condition_names.iteritems()
942
if cond & condition)
943
logger.debug("Handling IPC: FD = %d, condition = %s", source,
944
conditions_string)
945
946
# Turn the pipe file descriptor into a Python file object
947
if source not in file_objects:
948
file_objects[source] = os.fdopen(source, "r", 1)
949
950
# Read a line from the file object
951
cmdline = file_objects[source].readline()
952
if not cmdline: # Empty line means end of file
953
# close the IPC pipe
954
file_objects[source].close()
955
del file_objects[source]
956
957
# Stop calling this function
958
return False
959
960
logger.debug("IPC command: %r", cmdline)
961
962
# Parse and act on command
963
cmd, args = cmdline.rstrip("\r\n").split(None, 1)
964
965
if cmd == "NOTFOUND":
966
logger.warning(u"Client not found for fingerprint: %s",
967
args)
968
if self.use_dbus:
969
# Emit D-Bus signal
970
mandos_dbus_service.ClientNotFound(args)
971
elif cmd == "INVALID":
972
for client in self.clients:
973
if client.name == args:
974
logger.warning(u"Client %s is invalid", args)
975
if self.use_dbus:
976
# Emit D-Bus signal
977
client.Rejected()
978
break
979
else:
980
logger.error(u"Unknown client %s is invalid", args)
981
elif cmd == "SENDING":
982
for client in self.clients:
983
if client.name == args:
984
logger.info(u"Sending secret to %s", client.name)
985
client.checked_ok()
986
if self.use_dbus:
987
# Emit D-Bus signal
988
client.ReceivedSecret()
989
break
990
else:
991
logger.error(u"Sending secret to unknown client %s",
992
args)
993
else:
994
logger.error("Unknown IPC command: %r", cmdline)
995
996
# Keep calling this function
997
return True
545
return super(type(self), self).server_bind()
998
546
999
547
1000
548
def string_to_delta(interval):
1001
549
"""Parse a string and return a datetime.timedelta
1002
550
1003
551
>>> string_to_delta('7d')
1004
552
datetime.timedelta(7)
1005
553
>>> string_to_delta('60s')
1010
558
datetime.timedelta(1)
1011
559
>>> string_to_delta(u'1w')
1012
560
datetime.timedelta(7)
1013
>>> string_to_delta('5m 30s')
1014
datetime.timedelta(0, 330)
1015
561
"""
1016
timevalue = datetime.timedelta(0)
1017
for s in interval.split():
1018
try:
1019
suffix = unicode(s[-1])
1020
value = int(s[:-1])
1021
if suffix == u"d":
1022
delta = datetime.timedelta(value)
1023
elif suffix == u"s":
1024
delta = datetime.timedelta(0, value)
1025
elif suffix == u"m":
1026
delta = datetime.timedelta(0, 0, 0, 0, value)
1027
elif suffix == u"h":
1028
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1029
elif suffix == u"w":
1030
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1031
else:
1032
raise ValueError
1033
except (ValueError, IndexError):
562
try:
563
suffix=unicode(interval[-1])
564
value=int(interval[:-1])
565
if suffix == u"d":
566
delta = datetime.timedelta(value)
567
elif suffix == u"s":
568
delta = datetime.timedelta(0, value)
569
elif suffix == u"m":
570
delta = datetime.timedelta(0, 0, 0, 0, value)
571
elif suffix == u"h":
572
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
573
elif suffix == u"w":
574
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
575
else:
1034
576
raise ValueError
1035
timevalue += delta
1036
return timevalue
577
except (ValueError, IndexError):
578
raise ValueError
579
return delta
1037
580
1038
581
1039
582
def server_state_changed(state):
1040
583
"""Derived from the Avahi example code"""
1041
584
if state == avahi.SERVER_COLLISION:
1042
logger.error(u"Zeroconf server name collision")
585
logger.error(u"Server name collision")
1043
586
service.remove()
1044
587
elif state == avahi.SERVER_RUNNING:
1045
588
service.add()
1047
590
1048
591
def entry_group_state_changed(state, error):
1049
592
"""Derived from the Avahi example code"""
1050
logger.debug(u"Avahi state change: %i", state)
593
logger.debug(u"state change: %i", state)
1051
594
1052
595
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1053
logger.debug(u"Zeroconf service established.")
596
logger.debug(u"Service established.")
1054
597
elif state == avahi.ENTRY_GROUP_COLLISION:
1055
logger.warning(u"Zeroconf service name collision.")
598
logger.warning(u"Service name collision.")
1056
599
service.rename()
1057
600
elif state == avahi.ENTRY_GROUP_FAILURE:
1058
logger.critical(u"Avahi: Error in group state changed %s",
601
logger.critical(u"Error in group state changed %s",
1059
602
unicode(error))
1060
raise AvahiGroupError(u"State changed: %s" % unicode(error))
603
raise AvahiGroupError("State changed: %s", str(error))
1061
604
1062
605
def if_nametoindex(interface):
1063
606
"""Call the C function if_nametoindex(), or equivalent"""
1064
607
global if_nametoindex
1065
608
try:
1066
if_nametoindex = (ctypes.cdll.LoadLibrary
1067
(ctypes.util.find_library("c"))
1068
.if_nametoindex)
609
if "ctypes.util" not in sys.modules:
610
import ctypes.util
611
if_nametoindex = ctypes.cdll.LoadLibrary\
612
(ctypes.util.find_library("c")).if_nametoindex
1069
613
except (OSError, AttributeError):
1070
614
if "struct" not in sys.modules:
1071
615
import struct
1074
618
def if_nametoindex(interface):
1075
619
"Get an interface index the hard way, i.e. using fcntl()"
1076
620
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1077
with closing(socket.socket()) as s:
1078
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1079
struct.pack("16s16x", interface))
621
s = socket.socket()
622
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
623
struct.pack("16s16x", interface))
624
s.close()
1080
625
interface_index = struct.unpack("I", ifreq[16:20])[0]
1081
626
return interface_index
1082
627
return if_nametoindex(interface)
1083
628
1084
629
1085
def daemon(nochdir = False, noclose = False):
630
def daemon(nochdir, noclose):
1086
631
"""See daemon(3). Standard BSD Unix function.
1087
1088
632
This should really exist as os.daemon, but it doesn't (yet)."""
1089
633
if os.fork():
1090
634
sys.exit()
1091
635
os.setsid()
1092
636
if not nochdir:
1093
637
os.chdir("/")
1094
if os.fork():
1095
sys.exit()
1096
638
if not noclose:
1097
639
# Close all standard open file descriptors
1098
640
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1107
649
1108
650
1109
651
def main():
1110
1111
######################################################################
1112
# Parsing of options, both command line and config file
1113
1114
parser = optparse.OptionParser(version = "%%prog %s" % version)
652
global main_loop_started
653
main_loop_started = False
654
655
parser = OptionParser()
1115
656
parser.add_option("-i", "--interface", type="string",
1116
657
metavar="IF", help="Bind to interface IF")
1117
658
parser.add_option("-a", "--address", type="string",
1118
659
help="Address to listen for requests on")
1119
660
parser.add_option("-p", "--port", type="int",
1120
661
help="Port number to receive requests on")
1121
parser.add_option("--check", action="store_true",
662
parser.add_option("--check", action="store_true", default=False,
1122
663
help="Run self-test")
1123
parser.add_option("--debug", action="store_true",
664
parser.add_option("--debug", action="store_true", default=False,
1124
665
help="Debug mode; run in foreground and log to"
1125
666
" terminal")
1126
667
parser.add_option("--priority", type="string", help="GnuTLS"
1131
672
default="/etc/mandos", metavar="DIR",
1132
673
help="Directory to search for configuration"
1133
674
" files")
1134
parser.add_option("--no-dbus", action="store_false",
1135
dest="use_dbus",
1136
help="Do not provide D-Bus system bus"
1137
" interface")
1138
parser.add_option("--no-ipv6", action="store_false",
1139
dest="use_ipv6", help="Do not use IPv6")
1140
options = parser.parse_args()[0]
675
(options, args) = parser.parse_args()
1141
676
1142
677
if options.check:
1143
678
import doctest
1152
687
"priority":
1153
688
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1154
689
"servicename": "Mandos",
1155
"use_dbus": "True",
1156
"use_ipv6": "True",
1157
690
}
1158
691
1159
692
# Parse config file for server-global settings
1160
693
server_config = ConfigParser.SafeConfigParser(server_defaults)
1161
694
del server_defaults
1162
server_config.read(os.path.join(options.configdir, "mandos.conf"))
695
server_config.read(os.path.join(options.configdir, "server.conf"))
696
server_section = "server"
1163
697
# Convert the SafeConfigParser object to a dict
1164
server_settings = server_config.defaults()
1165
# Use the appropriate methods on the non-string config options
1166
server_settings["debug"] = server_config.getboolean("DEFAULT",
1167
"debug")
1168
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1169
"use_dbus")
1170
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1171
"use_ipv6")
1172
if server_settings["port"]:
1173
server_settings["port"] = server_config.getint("DEFAULT",
1174
"port")
698
server_settings = dict(server_config.items(server_section))
699
# Use getboolean on the boolean config option
700
server_settings["debug"] = server_config.getboolean\
701
(server_section, "debug")
1175
702
del server_config
1176
703
1177
704
# Override the settings from the config file with command line
1178
705
# options, if set.
1179
706
for option in ("interface", "address", "port", "debug",
1180
"priority", "servicename", "configdir",
1181
"use_dbus", "use_ipv6"):
707
"priority", "servicename", "configdir"):
1182
708
value = getattr(options, option)
1183
709
if value is not None:
1184
710
server_settings[option] = value
1185
711
del options
1186
712
# Now we have our good server settings in "server_settings"
1187
713
1188
##################################################################
1189
1190
# For convenience
1191
debug = server_settings["debug"]
1192
use_dbus = server_settings["use_dbus"]
1193
use_ipv6 = server_settings["use_ipv6"]
1194
1195
if not debug:
1196
syslogger.setLevel(logging.WARNING)
1197
console.setLevel(logging.WARNING)
1198
1199
if server_settings["servicename"] != "Mandos":
1200
syslogger.setFormatter(logging.Formatter
1201
('Mandos (%s) [%%(process)d]:'
1202
' %%(levelname)s: %%(message)s'
1203
% server_settings["servicename"]))
1204
1205
714
# Parse config file with clients
1206
715
client_defaults = { "timeout": "1h",
1207
716
"interval": "5m",
1208
"checker": "fping -q -- %%(host)s",
1209
"host": "",
717
"checker": "fping -q -- %%(fqdn)s",
1210
718
}
1211
719
client_config = ConfigParser.SafeConfigParser(client_defaults)
1212
720
client_config.read(os.path.join(server_settings["configdir"],
1213
721
"clients.conf"))
1214
1215
global mandos_dbus_service
1216
mandos_dbus_service = None
1217
1218
clients = Set()
1219
tcp_server = IPv6_TCPServer((server_settings["address"],
1220
server_settings["port"]),
1221
ClientHandler,
1222
interface=
1223
server_settings["interface"],
1224
use_ipv6=use_ipv6,
1225
clients=clients,
1226
gnutls_priority=
1227
server_settings["priority"],
1228
use_dbus=use_dbus)
1229
pidfilename = "/var/run/mandos.pid"
1230
try:
1231
pidfile = open(pidfilename, "w")
1232
except IOError:
1233
logger.error("Could not open file %r", pidfilename)
1234
1235
try:
1236
uid = pwd.getpwnam("_mandos").pw_uid
1237
gid = pwd.getpwnam("_mandos").pw_gid
1238
except KeyError:
1239
try:
1240
uid = pwd.getpwnam("mandos").pw_uid
1241
gid = pwd.getpwnam("mandos").pw_gid
1242
except KeyError:
1243
try:
1244
uid = pwd.getpwnam("nobody").pw_uid
1245
gid = pwd.getpwnam("nogroup").pw_gid
1246
except KeyError:
1247
uid = 65534
1248
gid = 65534
1249
try:
1250
os.setgid(gid)
1251
os.setuid(uid)
1252
except OSError, error:
1253
if error[0] != errno.EPERM:
1254
raise error
1255
1256
# Enable all possible GnuTLS debugging
1257
if debug:
1258
# "Use a log level over 10 to enable all debugging options."
1259
# - GnuTLS manual
1260
gnutls.library.functions.gnutls_global_set_log_level(11)
1261
1262
@gnutls.library.types.gnutls_log_func
1263
def debug_gnutls(level, string):
1264
logger.debug("GnuTLS: %s", string[:-1])
1265
1266
(gnutls.library.functions
1267
.gnutls_global_set_log_function(debug_gnutls))
1268
722
1269
723
global service
1270
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1271
724
service = AvahiService(name = server_settings["servicename"],
1272
servicetype = "_mandos._tcp",
1273
protocol = protocol)
725
type = "_mandos._tcp", );
1274
726
if server_settings["interface"]:
1275
service.interface = (if_nametoindex
1276
(server_settings["interface"]))
727
service.interface = if_nametoindex(server_settings["interface"])
1277
728
1278
729
global main_loop
1279
730
global bus
1282
733
DBusGMainLoop(set_as_default=True )
1283
734
main_loop = gobject.MainLoop()
1284
735
bus = dbus.SystemBus()
1285
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1286
avahi.DBUS_PATH_SERVER),
1287
avahi.DBUS_INTERFACE_SERVER)
736
server = dbus.Interface(
737
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
738
avahi.DBUS_INTERFACE_SERVER )
1288
739
# End of Avahi example code
1289
if use_dbus:
1290
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1291
740
1292
client_class = Client
1293
if use_dbus:
1294
client_class = ClientDBus
1295
clients.update(Set(
1296
client_class(name = section,
1297
config= dict(client_config.items(section)))
1298
for section in client_config.sections()))
1299
if not clients:
1300
logger.warning(u"No clients defined")
741
debug = server_settings["debug"]
1301
742
1302
743
if debug:
1303
# Redirect stdin so all checkers get /dev/null
1304
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1305
os.dup2(null, sys.stdin.fileno())
1306
if null > 2:
1307
os.close(null)
1308
else:
1309
# No console logging
1310
logger.removeHandler(console)
1311
# Close all input and output, do double fork, etc.
1312
daemon()
1313
1314
try:
1315
with closing(pidfile):
1316
pid = os.getpid()
1317
pidfile.write(str(pid) + "\n")
1318
del pidfile
1319
except IOError:
1320
logger.error(u"Could not write to file %r with PID %d",
1321
pidfilename, pid)
1322
except NameError:
1323
# "pidfile" was never created
1324
pass
1325
del pidfilename
744
console = logging.StreamHandler()
745
# console.setLevel(logging.DEBUG)
746
console.setFormatter(logging.Formatter\
747
('%(levelname)s: %(message)s'))
748
logger.addHandler(console)
749
del console
750
751
clients = Set()
752
def remove_from_clients(client):
753
clients.remove(client)
754
if not clients:
755
logger.critical(u"No clients left, exiting")
756
sys.exit()
757
758
clients.update(Set(Client(name = section,
759
stop_hook = remove_from_clients,
760
config
761
= dict(client_config.items(section)))
762
for section in client_config.sections()))
763
764
if not debug:
765
daemon(False, False)
1326
766
1327
767
def cleanup():
1328
768
"Cleanup function; run on exit"
1335
775
1336
776
while clients:
1337
777
client = clients.pop()
1338
client.disable_hook = None
1339
client.disable()
778
client.stop_hook = None
779
client.stop()
1340
780
1341
781
atexit.register(cleanup)
1342
782
1345
785
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1346
786
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1347
787
1348
if use_dbus:
1349
class MandosDBusService(dbus.service.Object):
1350
"""A D-Bus proxy object"""
1351
def __init__(self):
1352
dbus.service.Object.__init__(self, bus, "/")
1353
_interface = u"se.bsnet.fukt.Mandos"
1354
1355
@dbus.service.signal(_interface, signature="oa{sv}")
1356
def ClientAdded(self, objpath, properties):
1357
"D-Bus signal"
1358
pass
1359
1360
@dbus.service.signal(_interface, signature="s")
1361
def ClientNotFound(self, fingerprint):
1362
"D-Bus signal"
1363
pass
1364
1365
@dbus.service.signal(_interface, signature="os")
1366
def ClientRemoved(self, objpath, name):
1367
"D-Bus signal"
1368
pass
1369
1370
@dbus.service.method(_interface, out_signature="ao")
1371
def GetAllClients(self):
1372
"D-Bus method"
1373
return dbus.Array(c.dbus_object_path for c in clients)
1374
1375
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1376
def GetAllClientsWithProperties(self):
1377
"D-Bus method"
1378
return dbus.Dictionary(
1379
((c.dbus_object_path, c.GetAllProperties())
1380
for c in clients),
1381
signature="oa{sv}")
1382
1383
@dbus.service.method(_interface, in_signature="o")
1384
def RemoveClient(self, object_path):
1385
"D-Bus method"
1386
for c in clients:
1387
if c.dbus_object_path == object_path:
1388
clients.remove(c)
1389
c.remove_from_connection()
1390
# Don't signal anything except ClientRemoved
1391
c.disable(signal=False)
1392
# Emit D-Bus signal
1393
self.ClientRemoved(object_path, c.name)
1394
return
1395
raise KeyError
1396
1397
del _interface
1398
1399
mandos_dbus_service = MandosDBusService()
1400
1401
788
for client in clients:
1402
if use_dbus:
1403
# Emit D-Bus signal
1404
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1405
client.GetAllProperties())
1406
client.enable()
1407
1408
tcp_server.enable()
1409
tcp_server.server_activate()
1410
789
client.start()
790
791
tcp_server = IPv6_TCPServer((server_settings["address"],
792
server_settings["port"]),
793
tcp_handler,
794
settings=server_settings,
795
clients=clients)
1411
796
# Find out what port we got
1412
797
service.port = tcp_server.socket.getsockname()[1]
1413
if use_ipv6:
1414
logger.info(u"Now listening on address %r, port %d,"
1415
" flowinfo %d, scope_id %d"
1416
% tcp_server.socket.getsockname())
1417
else: # IPv4
1418
logger.info(u"Now listening on address %r, port %d"
1419
% tcp_server.socket.getsockname())
798
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
799
u" scope_id %d" % tcp_server.socket.getsockname())
1420
800
1421
801
#service.interface = tcp_server.socket.getsockname()[3]
1422
802
1432
812
1433
813
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1434
814
lambda *args, **kwargs:
1435
(tcp_server.handle_request
1436
(*args[2:], **kwargs) or True))
815
tcp_server.handle_request\
816
(*args[2:], **kwargs) or True)
1437
817
1438
logger.debug(u"Starting main loop")
818
logger.debug("Starting main loop")
819
main_loop_started = True
1439
820
main_loop.run()
1440
821
except AvahiError, error:
1441
logger.critical(u"AvahiError: %s", error)
822
logger.critical(u"AvahiError: %s" + unicode(error))
1442
823
sys.exit(1)
1443
824
except KeyboardInterrupt:
1444
825
if debug:
1445
print >> sys.stderr
1446
logger.debug("Server received KeyboardInterrupt")
1447
logger.debug("Server exiting")
826
print
1448
827
1449
828
if __name__ == '__main__':
1450
829
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0