To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to server.py
- browse files at revision 24.1.2
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.2
- Committer: Björn Påhlsson
- Date: 2008-07-22 06:26:12 UTC
- mfrom: (26 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 27.
- Revision ID: belorn@braxen-20080722062612-0om9eb3fpsso8xc4
merge
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- clients.conf => mandos-clients.conf
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos => server.py
- files modified:
- Makefile
added
removed
server.py
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# following functions: "add_service", "remove_service",
10
# "server_state_changed", "entry_group_state_changed", and some lines
11
# in "main".
12
12
#
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
13
# Everything else is Copyright © 2007-2008 Teddy Hogeborn and Björn
14
# Påhlsson.
16
15
#
17
16
# This program is free software: you can redistribute it and/or modify
18
17
# it under the terms of the GNU General Public License as published by
25
24
# GNU General Public License for more details.
26
25
#
27
26
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
27
# along with this program. If not, see <http://www.gnu.org/licenses/>.
30
28
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
29
# Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
30
# <https://www.fukt.bsnet.se/~teddy/>.
32
31
#
33
32
34
from __future__ import division, with_statement, absolute_import
33
from __future__ import division
35
34
36
35
import SocketServer
37
36
import socket
38
import optparse
37
import select
38
from optparse import OptionParser
39
39
import datetime
40
40
import errno
41
41
import gnutls.crypto
55
55
import stat
56
56
import logging
57
57
import logging.handlers
58
import pwd
59
from contextlib import closing
60
58
61
59
import dbus
62
import dbus.service
63
60
import gobject
64
61
import avahi
65
62
from dbus.mainloop.glib import DBusGMainLoop
66
63
import ctypes
67
import ctypes.util
68
69
version = "1.0.8"
64
65
# Brief description of the operation of this program:
66
#
67
# This server announces itself as a Zeroconf service. Connecting
68
# clients use the TLS protocol, with the unusual quirk that this
69
# server program acts as a TLS "client" while the connecting clients
70
# acts as a TLS "server". The clients (acting as a TLS "server") must
71
# supply an OpenPGP certificate, and the fingerprint of this
72
# certificate is used by this server to look up (in a list read from a
73
# file at start time) which binary blob to give the client. No other
74
# authentication or authorization is done by this server.
75
70
76
71
77
logger = logging.Logger('mandos')
72
syslogger = (logging.handlers.SysLogHandler
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
address = "/dev/log"))
75
syslogger.setFormatter(logging.Formatter
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
78
syslogger = logging.handlers.SysLogHandler\
79
(facility = logging.handlers.SysLogHandler.LOG_DAEMON)
80
syslogger.setFormatter(logging.Formatter\
81
('%(levelname)s: %(message)s'))
78
82
logger.addHandler(syslogger)
79
80
console = logging.StreamHandler()
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
83
logger.addHandler(console)
84
85
class AvahiError(Exception):
86
def __init__(self, value, *args, **kwargs):
87
self.value = value
88
super(AvahiError, self).__init__(value, *args, **kwargs)
89
def __unicode__(self):
90
return unicode(repr(self.value))
91
92
class AvahiServiceError(AvahiError):
93
pass
94
95
class AvahiGroupError(AvahiError):
96
pass
97
98
99
class AvahiService(object):
100
"""An Avahi (Zeroconf) service.
101
Attributes:
102
interface: integer; avahi.IF_UNSPEC or an interface index.
103
Used to optionally bind to the specified interface.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
106
See <http://www.dns-sd.org/ServiceTypes.html>
107
port: integer; what port to announce
108
TXT: list of strings; TXT record for the service
109
domain: string; Domain to publish on, default to .local if empty.
110
host: string; Host to publish records for, default is localhost
111
max_renames: integer; maximum number of renames
112
rename_count: integer; counter so we only rename after collisions
113
a sensible number of times
114
"""
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
servicetype = None, port = None, TXT = None,
117
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
119
self.interface = interface
120
self.name = name
121
self.type = servicetype
122
self.port = port
123
self.TXT = TXT if TXT is not None else []
124
self.domain = domain
125
self.host = host
126
self.rename_count = 0
127
self.max_renames = max_renames
128
self.protocol = protocol
129
def rename(self):
130
"""Derived from the Avahi example code"""
131
if self.rename_count >= self.max_renames:
132
logger.critical(u"No suitable Zeroconf service name found"
133
u" after %i retries, exiting.",
134
self.rename_count)
135
raise AvahiServiceError(u"Too many renames")
136
self.name = server.GetAlternativeServiceName(self.name)
137
logger.info(u"Changing Zeroconf service name to %r ...",
138
str(self.name))
139
syslogger.setFormatter(logging.Formatter
140
('Mandos (%s) [%%(process)d]:'
141
' %%(levelname)s: %%(message)s'
142
% self.name))
143
self.remove()
144
self.add()
145
self.rename_count += 1
146
def remove(self):
147
"""Derived from the Avahi example code"""
148
if group is not None:
149
group.Reset()
150
def add(self):
151
"""Derived from the Avahi example code"""
152
global group
153
if group is None:
154
group = dbus.Interface(bus.get_object
155
(avahi.DBUS_NAME,
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
160
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
161
service.name, service.type)
162
group.AddService(
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
170
group.Commit()
171
83
del syslogger
84
85
# This variable is used to optionally bind to a specified interface.
86
# It is a global variable to fit in with the other variables from the
87
# Avahi example code.
88
serviceInterface = avahi.IF_UNSPEC
172
89
# From the Avahi example code:
173
group = None # our entry group
90
serviceName = None
91
serviceType = "_mandos._tcp" # http://www.dns-sd.org/ServiceTypes.html
92
servicePort = None # Not known at startup
93
serviceTXT = [] # TXT record for the service
94
domain = "" # Domain to publish on, default to .local
95
host = "" # Host to publish records for, default to localhost
96
group = None #our entry group
97
rename_count = 12 # Counter so we only rename after collisions a
98
# sensible number of times
174
99
# End of Avahi example code
175
100
176
101
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
180
181
182
class Client(dbus.service.Object):
102
class Client(object):
183
103
"""A representation of a client host served by this server.
184
104
Attributes:
185
name: string; from the config file, used in log messages and
186
D-Bus identifiers
105
name: string; from the config file, used in log messages
187
106
fingerprint: string (40 or 32 hexadecimal digits); used to
188
107
uniquely identify the client
189
secret: bytestring; sent verbatim (over TLS) to client
190
host: string; available for use by the checker command
191
created: datetime.datetime(); (UTC) object creation
192
last_enabled: datetime.datetime(); (UTC)
193
enabled: bool()
194
last_checked_ok: datetime.datetime(); (UTC) or None
195
timeout: datetime.timedelta(); How long from last_checked_ok
196
until this client is invalid
197
interval: datetime.timedelta(); How often to start a new checker
198
disable_hook: If set, called by disable() as disable_hook(self)
199
checker: subprocess.Popen(); a running checker process used
200
to see if the client lives.
201
'None' if no process is running.
108
secret: bytestring; sent verbatim (over TLS) to client
109
fqdn: string (FQDN); available for use by the checker command
110
created: datetime.datetime()
111
last_seen: datetime.datetime() or None if not yet seen
112
timeout: datetime.timedelta(); How long from last_seen until
113
this client is invalid
114
interval: datetime.timedelta(); How often to start a new checker
115
stop_hook: If set, called by stop() as stop_hook(self)
116
checker: subprocess.Popen(); a running checker process used
117
to see if the client lives.
118
Is None if no process is running.
202
119
checker_initiator_tag: a gobject event source tag, or None
203
disable_initiator_tag: - '' -
120
stop_initiator_tag: - '' -
204
121
checker_callback_tag: - '' -
205
122
checker_command: string; External command which is run to check if
206
client lives. %() expansions are done at
123
client lives. %()s expansions are done at
207
124
runtime with vars(self) as dict, so that for
208
125
instance %(name)s can be used in the command.
209
current_checker_command: string; current running checker_command
210
use_dbus: bool(); Whether to provide D-Bus interface and signals
211
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
126
Private attibutes:
127
_timeout: Real variable for 'timeout'
128
_interval: Real variable for 'interval'
129
_timeout_milliseconds: Used by gobject.timeout_add()
130
_interval_milliseconds: - '' -
212
131
"""
213
def timeout_milliseconds(self):
214
"Return the 'timeout' attribute in milliseconds"
215
return ((self.timeout.days * 24 * 60 * 60 * 1000)
216
+ (self.timeout.seconds * 1000)
217
+ (self.timeout.microseconds // 1000))
218
219
def interval_milliseconds(self):
220
"Return the 'interval' attribute in milliseconds"
221
return ((self.interval.days * 24 * 60 * 60 * 1000)
222
+ (self.interval.seconds * 1000)
223
+ (self.interval.microseconds // 1000))
224
225
def __init__(self, name = None, disable_hook=None, config=None,
226
use_dbus=True):
227
"""Note: the 'checker' key in 'config' sets the
228
'checker_command' attribute and *not* the 'checker'
229
attribute."""
132
def _set_timeout(self, timeout):
133
"Setter function for 'timeout' attribute"
134
self._timeout = timeout
135
self._timeout_milliseconds = ((self.timeout.days
136
* 24 * 60 * 60 * 1000)
137
+ (self.timeout.seconds * 1000)
138
+ (self.timeout.microseconds
139
// 1000))
140
timeout = property(lambda self: self._timeout,
141
_set_timeout)
142
del _set_timeout
143
def _set_interval(self, interval):
144
"Setter function for 'interval' attribute"
145
self._interval = interval
146
self._interval_milliseconds = ((self.interval.days
147
* 24 * 60 * 60 * 1000)
148
+ (self.interval.seconds
149
* 1000)
150
+ (self.interval.microseconds
151
// 1000))
152
interval = property(lambda self: self._interval,
153
_set_interval)
154
del _set_interval
155
def __init__(self, name=None, stop_hook=None, fingerprint=None,
156
secret=None, secfile=None, fqdn=None, timeout=None,
157
interval=-1, checker=None):
158
"""Note: the 'checker' argument sets the 'checker_command'
159
attribute and not the 'checker' attribute.."""
230
160
self.name = name
231
if config is None:
232
config = {}
233
161
logger.debug(u"Creating client %r", self.name)
234
self.use_dbus = False # During __init__
235
# Uppercase and remove spaces from fingerprint for later
236
# comparison purposes with return value from the fingerprint()
237
# function
238
self.fingerprint = (config["fingerprint"].upper()
239
.replace(u" ", u""))
162
# Uppercase and remove spaces from fingerprint
163
# for later comparison purposes with return value of
164
# the fingerprint() function
165
self.fingerprint = fingerprint.upper().replace(u" ", u"")
240
166
logger.debug(u" Fingerprint: %s", self.fingerprint)
241
if "secret" in config:
242
self.secret = config["secret"].decode(u"base64")
243
elif "secfile" in config:
244
with closing(open(os.path.expanduser
245
(os.path.expandvars
246
(config["secfile"])))) as secfile:
247
self.secret = secfile.read()
167
if secret:
168
self.secret = secret.decode(u"base64")
169
elif secfile:
170
sf = open(secfile)
171
self.secret = sf.read()
172
sf.close()
248
173
else:
249
raise TypeError(u"No secret or secfile for client %s"
250
% self.name)
251
self.host = config.get("host", "")
252
self.created = datetime.datetime.utcnow()
253
self.enabled = False
254
self.last_enabled = None
255
self.last_checked_ok = None
256
self.timeout = string_to_delta(config["timeout"])
257
self.interval = string_to_delta(config["interval"])
258
self.disable_hook = disable_hook
174
raise RuntimeError(u"No secret or secfile for client %s"
175
% self.name)
176
self.fqdn = fqdn # string
177
self.created = datetime.datetime.now()
178
self.last_seen = None
179
self.timeout = string_to_delta(timeout)
180
self.interval = string_to_delta(interval)
181
self.stop_hook = stop_hook
259
182
self.checker = None
260
183
self.checker_initiator_tag = None
261
self.disable_initiator_tag = None
184
self.stop_initiator_tag = None
262
185
self.checker_callback_tag = None
263
self.checker_command = config["checker"]
264
self.current_checker_command = None
265
self.last_connect = None
266
# Only now, when this client is initialized, can it show up on
267
# the D-Bus
268
self.use_dbus = use_dbus
269
if self.use_dbus:
270
self.dbus_object_path = (dbus.ObjectPath
271
("/clients/"
272
+ self.name.replace(".", "_")))
273
dbus.service.Object.__init__(self, bus,
274
self.dbus_object_path)
275
276
def enable(self):
186
self.check_command = checker
187
def start(self):
277
188
"""Start this client's checker and timeout hooks"""
278
self.last_enabled = datetime.datetime.utcnow()
279
189
# Schedule a new checker to be started an 'interval' from now,
280
190
# and every interval from then on.
281
self.checker_initiator_tag = (gobject.timeout_add
282
(self.interval_milliseconds(),
283
self.start_checker))
191
self.checker_initiator_tag = gobject.timeout_add\
192
(self._interval_milliseconds,
193
self.start_checker)
284
194
# Also start a new checker *right now*.
285
195
self.start_checker()
286
# Schedule a disable() when 'timeout' has passed
287
self.disable_initiator_tag = (gobject.timeout_add
288
(self.timeout_milliseconds(),
289
self.disable))
290
self.enabled = True
291
if self.use_dbus:
292
# Emit D-Bus signals
293
self.PropertyChanged(dbus.String(u"enabled"),
294
dbus.Boolean(True, variant_level=1))
295
self.PropertyChanged(dbus.String(u"last_enabled"),
296
(_datetime_to_dbus(self.last_enabled,
297
variant_level=1)))
298
299
def disable(self):
300
"""Disable this client."""
301
if not getattr(self, "enabled", False):
196
# Schedule a stop() when 'timeout' has passed
197
self.stop_initiator_tag = gobject.timeout_add\
198
(self._timeout_milliseconds,
199
self.stop)
200
def stop(self):
201
"""Stop this client.
202
The possibility that this client might be restarted is left
203
open, but not currently used."""
204
# If this client doesn't have a secret, it is already stopped.
205
if self.secret:
206
logger.debug(u"Stopping client %s", self.name)
207
self.secret = None
208
else:
302
209
return False
303
logger.info(u"Disabling client %s", self.name)
304
if getattr(self, "disable_initiator_tag", False):
305
gobject.source_remove(self.disable_initiator_tag)
306
self.disable_initiator_tag = None
307
if getattr(self, "checker_initiator_tag", False):
210
if hasattr(self, "stop_initiator_tag") \
211
and self.stop_initiator_tag:
212
gobject.source_remove(self.stop_initiator_tag)
213
self.stop_initiator_tag = None
214
if hasattr(self, "checker_initiator_tag") \
215
and self.checker_initiator_tag:
308
216
gobject.source_remove(self.checker_initiator_tag)
309
217
self.checker_initiator_tag = None
310
218
self.stop_checker()
311
if self.disable_hook:
312
self.disable_hook(self)
313
self.enabled = False
314
if self.use_dbus:
315
# Emit D-Bus signal
316
self.PropertyChanged(dbus.String(u"enabled"),
317
dbus.Boolean(False, variant_level=1))
219
if self.stop_hook:
220
self.stop_hook(self)
318
221
# Do not run this again if called by a gobject.timeout_add
319
222
return False
320
321
223
def __del__(self):
322
self.disable_hook = None
323
self.disable()
324
325
def checker_callback(self, pid, condition, command):
224
self.stop_hook = None
225
self.stop()
226
def checker_callback(self, pid, condition):
326
227
"""The checker has completed, so take appropriate actions."""
228
now = datetime.datetime.now()
327
229
self.checker_callback_tag = None
328
230
self.checker = None
329
if self.use_dbus:
330
# Emit D-Bus signal
331
self.PropertyChanged(dbus.String(u"checker_running"),
332
dbus.Boolean(False, variant_level=1))
333
if os.WIFEXITED(condition):
334
exitstatus = os.WEXITSTATUS(condition)
335
if exitstatus == 0:
336
logger.info(u"Checker for %(name)s succeeded",
337
vars(self))
338
self.checked_ok()
339
else:
340
logger.info(u"Checker for %(name)s failed",
341
vars(self))
342
if self.use_dbus:
343
# Emit D-Bus signal
344
self.CheckerCompleted(dbus.Int16(exitstatus),
345
dbus.Int64(condition),
346
dbus.String(command))
347
else:
231
if os.WIFEXITED(condition) \
232
and (os.WEXITSTATUS(condition) == 0):
233
logger.debug(u"Checker for %(name)s succeeded",
234
vars(self))
235
self.last_seen = now
236
gobject.source_remove(self.stop_initiator_tag)
237
self.stop_initiator_tag = gobject.timeout_add\
238
(self._timeout_milliseconds,
239
self.stop)
240
elif not os.WIFEXITED(condition):
348
241
logger.warning(u"Checker for %(name)s crashed?",
349
242
vars(self))
350
if self.use_dbus:
351
# Emit D-Bus signal
352
self.CheckerCompleted(dbus.Int16(-1),
353
dbus.Int64(condition),
354
dbus.String(command))
355
356
def checked_ok(self):
357
"""Bump up the timeout for this client.
358
This should only be called when the client has been seen,
359
alive and well.
360
"""
361
self.last_checked_ok = datetime.datetime.utcnow()
362
gobject.source_remove(self.disable_initiator_tag)
363
self.disable_initiator_tag = (gobject.timeout_add
364
(self.timeout_milliseconds(),
365
self.disable))
366
if self.use_dbus:
367
# Emit D-Bus signal
368
self.PropertyChanged(
369
dbus.String(u"last_checked_ok"),
370
(_datetime_to_dbus(self.last_checked_ok,
371
variant_level=1)))
372
243
else:
244
logger.debug(u"Checker for %(name)s failed",
245
vars(self))
373
246
def start_checker(self):
374
247
"""Start a new checker subprocess if one is not running.
375
248
If a checker already exists, leave it running and do
382
255
# checkers alone, the checker would have to take more time
383
256
# than 'timeout' for the client to be declared invalid, which
384
257
# is as it should be.
385
386
# If a checker exists, make sure it is not a zombie
387
if self.checker is not None:
388
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
389
if pid:
390
logger.warning("Checker was a zombie")
391
gobject.source_remove(self.checker_callback_tag)
392
self.checker_callback(pid, status,
393
self.current_checker_command)
394
# Start a new checker if needed
395
258
if self.checker is None:
396
259
try:
397
# In case checker_command has exactly one % operator
398
command = self.checker_command % self.host
260
command = self.check_command % self.fqdn
399
261
except TypeError:
400
# Escape attributes for the shell
401
262
escaped_attrs = dict((key, re.escape(str(val)))
402
263
for key, val in
403
264
vars(self).iteritems())
404
265
try:
405
command = self.checker_command % escaped_attrs
266
command = self.check_command % escaped_attrs
406
267
except TypeError, error:
407
logger.error(u'Could not format string "%s":'
408
u' %s', self.checker_command, error)
268
logger.critical(u'Could not format string "%s":'
269
u' %s', self.check_command, error)
409
270
return True # Try again later
410
self.current_checker_command = command
411
271
try:
412
logger.info(u"Starting checker %r for %s",
413
command, self.name)
414
# We don't need to redirect stdout and stderr, since
415
# in normal mode, that is already done by daemon(),
416
# and in debug mode we don't want to. (Stdin is
417
# always replaced by /dev/null.)
418
self.checker = subprocess.Popen(command,
419
close_fds=True,
420
shell=True, cwd="/")
421
if self.use_dbus:
422
# Emit D-Bus signal
423
self.CheckerStarted(command)
424
self.PropertyChanged(
425
dbus.String("checker_running"),
426
dbus.Boolean(True, variant_level=1))
427
self.checker_callback_tag = (gobject.child_watch_add
428
(self.checker.pid,
429
self.checker_callback,
430
data=command))
431
# The checker may have completed before the gobject
432
# watch was added. Check for this.
433
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
434
if pid:
435
gobject.source_remove(self.checker_callback_tag)
436
self.checker_callback(pid, status, command)
437
except OSError, error:
272
logger.debug(u"Starting checker %r for %s",
273
command, self.name)
274
self.checker = subprocess.\
275
Popen(command,
276
close_fds=True, shell=True,
277
cwd="/")
278
self.checker_callback_tag = gobject.child_watch_add\
279
(self.checker.pid,
280
self.checker_callback)
281
except subprocess.OSError, error:
438
282
logger.error(u"Failed to start subprocess: %s",
439
283
error)
440
284
# Re-run this periodically if run by gobject.timeout_add
441
285
return True
442
443
286
def stop_checker(self):
444
287
"""Force the checker process, if any, to stop."""
445
288
if self.checker_callback_tag:
446
289
gobject.source_remove(self.checker_callback_tag)
447
290
self.checker_callback_tag = None
448
if getattr(self, "checker", None) is None:
291
if not hasattr(self, "checker") or self.checker is None:
449
292
return
450
logger.debug(u"Stopping checker for %(name)s", vars(self))
293
logger.debug("Stopping checker for %(name)s", vars(self))
451
294
try:
452
295
os.kill(self.checker.pid, signal.SIGTERM)
453
296
#os.sleep(0.5)
454
297
#if self.checker.poll() is None:
455
298
# os.kill(self.checker.pid, signal.SIGKILL)
456
299
except OSError, error:
457
if error.errno != errno.ESRCH: # No such process
300
if error.errno != errno.ESRCH:
458
301
raise
459
302
self.checker = None
460
if self.use_dbus:
461
self.PropertyChanged(dbus.String(u"checker_running"),
462
dbus.Boolean(False, variant_level=1))
463
464
def still_valid(self):
303
def still_valid(self, now=None):
465
304
"""Has the timeout not yet passed for this client?"""
466
if not getattr(self, "enabled", False):
467
return False
468
now = datetime.datetime.utcnow()
469
if self.last_checked_ok is None:
305
if now is None:
306
now = datetime.datetime.now()
307
if self.last_seen is None:
470
308
return now < (self.created + self.timeout)
471
309
else:
472
return now < (self.last_checked_ok + self.timeout)
473
474
## D-Bus methods & signals
475
_interface = u"se.bsnet.fukt.Mandos.Client"
476
477
# CheckedOK - method
478
CheckedOK = dbus.service.method(_interface)(checked_ok)
479
CheckedOK.__name__ = "CheckedOK"
480
481
# CheckerCompleted - signal
482
@dbus.service.signal(_interface, signature="nxs")
483
def CheckerCompleted(self, exitcode, waitstatus, command):
484
"D-Bus signal"
485
pass
486
487
# CheckerStarted - signal
488
@dbus.service.signal(_interface, signature="s")
489
def CheckerStarted(self, command):
490
"D-Bus signal"
491
pass
492
493
# GetAllProperties - method
494
@dbus.service.method(_interface, out_signature="a{sv}")
495
def GetAllProperties(self):
496
"D-Bus method"
497
return dbus.Dictionary({
498
dbus.String("name"):
499
dbus.String(self.name, variant_level=1),
500
dbus.String("fingerprint"):
501
dbus.String(self.fingerprint, variant_level=1),
502
dbus.String("host"):
503
dbus.String(self.host, variant_level=1),
504
dbus.String("created"):
505
_datetime_to_dbus(self.created, variant_level=1),
506
dbus.String("last_enabled"):
507
(_datetime_to_dbus(self.last_enabled,
508
variant_level=1)
509
if self.last_enabled is not None
510
else dbus.Boolean(False, variant_level=1)),
511
dbus.String("enabled"):
512
dbus.Boolean(self.enabled, variant_level=1),
513
dbus.String("last_checked_ok"):
514
(_datetime_to_dbus(self.last_checked_ok,
515
variant_level=1)
516
if self.last_checked_ok is not None
517
else dbus.Boolean (False, variant_level=1)),
518
dbus.String("timeout"):
519
dbus.UInt64(self.timeout_milliseconds(),
520
variant_level=1),
521
dbus.String("interval"):
522
dbus.UInt64(self.interval_milliseconds(),
523
variant_level=1),
524
dbus.String("checker"):
525
dbus.String(self.checker_command,
526
variant_level=1),
527
dbus.String("checker_running"):
528
dbus.Boolean(self.checker is not None,
529
variant_level=1),
530
dbus.String("object_path"):
531
dbus.ObjectPath(self.dbus_object_path,
532
variant_level=1)
533
}, signature="sv")
534
535
# IsStillValid - method
536
IsStillValid = (dbus.service.method(_interface, out_signature="b")
537
(still_valid))
538
IsStillValid.__name__ = "IsStillValid"
539
540
# PropertyChanged - signal
541
@dbus.service.signal(_interface, signature="sv")
542
def PropertyChanged(self, property, value):
543
"D-Bus signal"
544
pass
545
546
# ReceivedSecret - signal
547
@dbus.service.signal(_interface)
548
def ReceivedSecret(self):
549
"D-Bus signal"
550
pass
551
552
# Rejected - signal
553
@dbus.service.signal(_interface)
554
def Rejected(self):
555
"D-Bus signal"
556
pass
557
558
# SetChecker - method
559
@dbus.service.method(_interface, in_signature="s")
560
def SetChecker(self, checker):
561
"D-Bus setter method"
562
self.checker_command = checker
563
# Emit D-Bus signal
564
self.PropertyChanged(dbus.String(u"checker"),
565
dbus.String(self.checker_command,
566
variant_level=1))
567
568
# SetHost - method
569
@dbus.service.method(_interface, in_signature="s")
570
def SetHost(self, host):
571
"D-Bus setter method"
572
self.host = host
573
# Emit D-Bus signal
574
self.PropertyChanged(dbus.String(u"host"),
575
dbus.String(self.host, variant_level=1))
576
577
# SetInterval - method
578
@dbus.service.method(_interface, in_signature="t")
579
def SetInterval(self, milliseconds):
580
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
581
# Emit D-Bus signal
582
self.PropertyChanged(dbus.String(u"interval"),
583
(dbus.UInt64(self.interval_milliseconds(),
584
variant_level=1)))
585
586
# SetSecret - method
587
@dbus.service.method(_interface, in_signature="ay",
588
byte_arrays=True)
589
def SetSecret(self, secret):
590
"D-Bus setter method"
591
self.secret = str(secret)
592
593
# SetTimeout - method
594
@dbus.service.method(_interface, in_signature="t")
595
def SetTimeout(self, milliseconds):
596
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
597
# Emit D-Bus signal
598
self.PropertyChanged(dbus.String(u"timeout"),
599
(dbus.UInt64(self.timeout_milliseconds(),
600
variant_level=1)))
601
602
# Enable - method
603
Enable = dbus.service.method(_interface)(enable)
604
Enable.__name__ = "Enable"
605
606
# StartChecker - method
607
@dbus.service.method(_interface)
608
def StartChecker(self):
609
"D-Bus method"
610
self.start_checker()
611
612
# Disable - method
613
@dbus.service.method(_interface)
614
def Disable(self):
615
"D-Bus method"
616
self.disable()
617
618
# StopChecker - method
619
StopChecker = dbus.service.method(_interface)(stop_checker)
620
StopChecker.__name__ = "StopChecker"
621
622
del _interface
310
return now < (self.last_seen + self.timeout)
623
311
624
312
625
313
def peer_certificate(session):
626
314
"Return the peer's OpenPGP certificate as a bytestring"
627
315
# If not an OpenPGP certificate...
628
if (gnutls.library.functions
629
.gnutls_certificate_type_get(session._c_object)
630
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
316
if gnutls.library.functions.gnutls_certificate_type_get\
317
(session._c_object) \
318
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
631
319
# ...do the normal thing
632
320
return session.peer_certificate
633
list_size = ctypes.c_uint(1)
634
cert_list = (gnutls.library.functions
635
.gnutls_certificate_get_peers
636
(session._c_object, ctypes.byref(list_size)))
637
if not bool(cert_list) and list_size.value != 0:
638
raise gnutls.errors.GNUTLSError("error getting peer"
639
" certificate")
321
list_size = ctypes.c_uint()
322
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
323
(session._c_object, ctypes.byref(list_size))
640
324
if list_size.value == 0:
641
325
return None
642
326
cert = cert_list[0]
645
329
646
330
def fingerprint(openpgp):
647
331
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
648
# New GnuTLS "datum" with the OpenPGP public key
649
datum = (gnutls.library.types
650
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
651
ctypes.POINTER
652
(ctypes.c_ubyte)),
653
ctypes.c_uint(len(openpgp))))
654
332
# New empty GnuTLS certificate
655
333
crt = gnutls.library.types.gnutls_openpgp_crt_t()
656
(gnutls.library.functions
657
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
334
gnutls.library.functions.gnutls_openpgp_crt_init\
335
(ctypes.byref(crt))
336
# New GnuTLS "datum" with the OpenPGP public key
337
datum = gnutls.library.types.gnutls_datum_t\
338
(ctypes.cast(ctypes.c_char_p(openpgp),
339
ctypes.POINTER(ctypes.c_ubyte)),
340
ctypes.c_uint(len(openpgp)))
658
341
# Import the OpenPGP public key into the certificate
659
(gnutls.library.functions
660
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
661
gnutls.library.constants
662
.GNUTLS_OPENPGP_FMT_RAW))
663
# Verify the self signature in the key
664
crtverify = ctypes.c_uint()
665
(gnutls.library.functions
666
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
667
if crtverify.value != 0:
668
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
669
raise gnutls.errors.CertificateSecurityError("Verify failed")
342
ret = gnutls.library.functions.gnutls_openpgp_crt_import\
343
(crt,
344
ctypes.byref(datum),
345
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
670
346
# New buffer for the fingerprint
671
buf = ctypes.create_string_buffer(20)
672
buf_len = ctypes.c_size_t()
347
buffer = ctypes.create_string_buffer(20)
348
buffer_length = ctypes.c_size_t()
673
349
# Get the fingerprint from the certificate into the buffer
674
(gnutls.library.functions
675
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
676
ctypes.byref(buf_len)))
350
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
351
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
677
352
# Deinit the certificate
678
353
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
679
354
# Convert the buffer to a Python bytestring
680
fpr = ctypes.string_at(buf, buf_len.value)
355
fpr = ctypes.string_at(buffer, buffer_length.value)
681
356
# Convert the bytestring to hexadecimal notation
682
357
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
683
358
return hex_fpr
684
359
685
360
686
class TCP_handler(SocketServer.BaseRequestHandler, object):
361
class tcp_handler(SocketServer.BaseRequestHandler, object):
687
362
"""A TCP request handler class.
688
363
Instantiated by IPv6_TCPServer for each request to handle it.
689
364
Note: This will run in its own forked process."""
690
365
691
366
def handle(self):
692
logger.info(u"TCP connection from: %s",
693
unicode(self.client_address))
694
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
695
# Open IPC pipe to parent process
696
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
697
session = (gnutls.connection
698
.ClientSession(self.request,
699
gnutls.connection
700
.X509Credentials()))
701
702
line = self.request.makefile().readline()
703
logger.debug(u"Protocol version: %r", line)
704
try:
705
if int(line.strip().split()[0]) > 1:
706
raise RuntimeError
707
except (ValueError, IndexError, RuntimeError), error:
708
logger.error(u"Unknown protocol version: %s", error)
709
return
710
711
# Note: gnutls.connection.X509Credentials is really a
712
# generic GnuTLS certificate credentials object so long as
713
# no X.509 keys are added to it. Therefore, we can use it
714
# here despite using OpenPGP certificates.
715
716
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
717
# "+AES-256-CBC", "+SHA1",
718
# "+COMP-NULL", "+CTYPE-OPENPGP",
719
# "+DHE-DSS"))
720
# Use a fallback default, since this MUST be set.
721
priority = self.server.settings.get("priority", "NORMAL")
722
(gnutls.library.functions
723
.gnutls_priority_set_direct(session._c_object,
724
priority, None))
725
726
try:
727
session.handshake()
728
except gnutls.errors.GNUTLSError, error:
729
logger.warning(u"Handshake failed: %s", error)
730
# Do not run session.bye() here: the session is not
731
# established. Just abandon the request.
732
return
733
logger.debug(u"Handshake succeeded")
734
try:
735
fpr = fingerprint(peer_certificate(session))
736
except (TypeError, gnutls.errors.GNUTLSError), error:
737
logger.warning(u"Bad certificate: %s", error)
738
session.bye()
739
return
740
logger.debug(u"Fingerprint: %s", fpr)
741
742
for c in self.server.clients:
743
if c.fingerprint == fpr:
744
client = c
745
break
367
logger.debug(u"TCP connection from: %s",
368
unicode(self.client_address))
369
session = gnutls.connection.ClientSession(self.request,
370
gnutls.connection.\
371
X509Credentials())
372
373
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
374
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
375
# "+DHE-DSS"))
376
priority = "NORMAL"
377
if self.server.options.priority:
378
priority = self.server.options.priority
379
gnutls.library.functions.gnutls_priority_set_direct\
380
(session._c_object, priority, None);
381
382
try:
383
session.handshake()
384
except gnutls.errors.GNUTLSError, error:
385
logger.debug(u"Handshake failed: %s", error)
386
# Do not run session.bye() here: the session is not
387
# established. Just abandon the request.
388
return
389
try:
390
fpr = fingerprint(peer_certificate(session))
391
except (TypeError, gnutls.errors.GNUTLSError), error:
392
logger.debug(u"Bad certificate: %s", error)
393
session.bye()
394
return
395
logger.debug(u"Fingerprint: %s", fpr)
396
client = None
397
for c in self.server.clients:
398
if c.fingerprint == fpr:
399
client = c
400
break
401
# Have to check if client.still_valid(), since it is possible
402
# that the client timed out while establishing the GnuTLS
403
# session.
404
if (not client) or (not client.still_valid()):
405
if client:
406
logger.debug(u"Client %(name)s is invalid",
407
vars(client))
746
408
else:
747
logger.warning(u"Client not found for fingerprint: %s",
748
fpr)
749
ipc.write("NOTFOUND %s\n" % fpr)
750
session.bye()
751
return
752
# Have to check if client.still_valid(), since it is
753
# possible that the client timed out while establishing
754
# the GnuTLS session.
755
if not client.still_valid():
756
logger.warning(u"Client %(name)s is invalid",
757
vars(client))
758
ipc.write("INVALID %s\n" % client.name)
759
session.bye()
760
return
761
ipc.write("SENDING %s\n" % client.name)
762
sent_size = 0
763
while sent_size < len(client.secret):
764
sent = session.send(client.secret[sent_size:])
765
logger.debug(u"Sent: %d, remaining: %d",
766
sent, len(client.secret)
767
- (sent_size + sent))
768
sent_size += sent
409
logger.debug(u"Client not found for fingerprint: %s",
410
fpr)
769
411
session.bye()
770
771
772
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
773
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
774
Assumes a gobject.MainLoop event loop.
775
"""
776
def process_request(self, request, client_address):
777
"""This overrides and wraps the original process_request().
778
This function creates a new pipe in self.pipe
779
"""
780
self.pipe = os.pipe()
781
super(ForkingMixInWithPipe,
782
self).process_request(request, client_address)
783
os.close(self.pipe[1]) # close write end
784
# Call "handle_ipc" for both data and EOF events
785
gobject.io_add_watch(self.pipe[0],
786
gobject.IO_IN | gobject.IO_HUP,
787
self.handle_ipc)
788
def handle_ipc(source, condition):
789
"""Dummy function; override as necessary"""
790
os.close(source)
791
return False
792
793
794
class IPv6_TCPServer(ForkingMixInWithPipe,
795
SocketServer.TCPServer, object):
796
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
412
return
413
sent_size = 0
414
while sent_size < len(client.secret):
415
sent = session.send(client.secret[sent_size:])
416
logger.debug(u"Sent: %d, remaining: %d",
417
sent, len(client.secret)
418
- (sent_size + sent))
419
sent_size += sent
420
session.bye()
421
422
423
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
424
"""IPv6 TCP server. Accepts 'None' as address and/or port.
797
425
Attributes:
798
settings: Server settings
426
options: Command line options
799
427
clients: Set() of Client objects
800
enabled: Boolean; whether this server is activated yet
801
428
"""
802
429
address_family = socket.AF_INET6
803
430
def __init__(self, *args, **kwargs):
804
if "settings" in kwargs:
805
self.settings = kwargs["settings"]
806
del kwargs["settings"]
431
if "options" in kwargs:
432
self.options = kwargs["options"]
433
del kwargs["options"]
807
434
if "clients" in kwargs:
808
435
self.clients = kwargs["clients"]
809
436
del kwargs["clients"]
810
if "use_ipv6" in kwargs:
811
if not kwargs["use_ipv6"]:
812
self.address_family = socket.AF_INET
813
del kwargs["use_ipv6"]
814
self.enabled = False
815
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
437
return super(type(self), self).__init__(*args, **kwargs)
816
438
def server_bind(self):
817
439
"""This overrides the normal server_bind() function
818
440
to bind to an interface if one was specified, and also NOT to
819
441
bind to an address or port if they were not specified."""
820
if self.settings["interface"]:
821
# 25 is from /usr/include/asm-i486/socket.h
822
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
442
if self.options.interface:
443
if not hasattr(socket, "SO_BINDTODEVICE"):
444
# From /usr/include/asm-i486/socket.h
445
socket.SO_BINDTODEVICE = 25
823
446
try:
824
447
self.socket.setsockopt(socket.SOL_SOCKET,
825
SO_BINDTODEVICE,
826
self.settings["interface"])
448
socket.SO_BINDTODEVICE,
449
self.options.interface)
827
450
except socket.error, error:
828
451
if error[0] == errno.EPERM:
829
logger.error(u"No permission to"
830
u" bind to interface %s",
831
self.settings["interface"])
452
logger.warning(u"No permission to"
453
u" bind to interface %s",
454
self.options.interface)
832
455
else:
833
raise
456
raise error
834
457
# Only bind(2) the socket if we really need to.
835
458
if self.server_address[0] or self.server_address[1]:
836
459
if not self.server_address[0]:
837
if self.address_family == socket.AF_INET6:
838
any_address = "::" # in6addr_any
839
else:
840
any_address = socket.INADDR_ANY
841
self.server_address = (any_address,
460
in6addr_any = "::"
461
self.server_address = (in6addr_any,
842
462
self.server_address[1])
843
elif not self.server_address[1]:
463
elif self.server_address[1] is None:
844
464
self.server_address = (self.server_address[0],
845
465
0)
846
# if self.settings["interface"]:
847
# self.server_address = (self.server_address[0],
848
# 0, # port
849
# 0, # flowinfo
850
# if_nametoindex
851
# (self.settings
852
# ["interface"]))
853
return super(IPv6_TCPServer, self).server_bind()
854
def server_activate(self):
855
if self.enabled:
856
return super(IPv6_TCPServer, self).server_activate()
857
def enable(self):
858
self.enabled = True
859
def handle_ipc(self, source, condition, file_objects={}):
860
condition_names = {
861
gobject.IO_IN: "IN", # There is data to read.
862
gobject.IO_OUT: "OUT", # Data can be written (without
863
# blocking).
864
gobject.IO_PRI: "PRI", # There is urgent data to read.
865
gobject.IO_ERR: "ERR", # Error condition.
866
gobject.IO_HUP: "HUP" # Hung up (the connection has been
867
# broken, usually for pipes and
868
# sockets).
869
}
870
conditions_string = ' | '.join(name
871
for cond, name in
872
condition_names.iteritems()
873
if cond & condition)
874
logger.debug("Handling IPC: FD = %d, condition = %s", source,
875
conditions_string)
876
877
# Turn the pipe file descriptor into a Python file object
878
if source not in file_objects:
879
file_objects[source] = os.fdopen(source, "r", 1)
880
881
# Read a line from the file object
882
cmdline = file_objects[source].readline()
883
if not cmdline: # Empty line means end of file
884
# close the IPC pipe
885
file_objects[source].close()
886
del file_objects[source]
887
888
# Stop calling this function
889
return False
890
891
logger.debug("IPC command: %r\n" % cmdline)
892
893
# Parse and act on command
894
cmd, args = cmdline.split(None, 1)
895
if cmd == "NOTFOUND":
896
if self.settings["use_dbus"]:
897
# Emit D-Bus signal
898
mandos_dbus_service.ClientNotFound(args)
899
elif cmd == "INVALID":
900
if self.settings["use_dbus"]:
901
for client in self.clients:
902
if client.name == args:
903
# Emit D-Bus signal
904
client.Rejected()
905
break
906
elif cmd == "SENDING":
907
for client in self.clients:
908
if client.name == args:
909
client.checked_ok()
910
if self.settings["use_dbus"]:
911
# Emit D-Bus signal
912
client.ReceivedSecret()
913
break
914
else:
915
logger.error("Unknown IPC command: %r", cmdline)
916
917
# Keep calling this function
918
return True
466
return super(type(self), self).server_bind()
919
467
920
468
921
469
def string_to_delta(interval):
922
470
"""Parse a string and return a datetime.timedelta
923
471
924
472
>>> string_to_delta('7d')
925
473
datetime.timedelta(7)
926
474
>>> string_to_delta('60s')
931
479
datetime.timedelta(1)
932
480
>>> string_to_delta(u'1w')
933
481
datetime.timedelta(7)
934
>>> string_to_delta('5m 30s')
935
datetime.timedelta(0, 330)
936
482
"""
937
timevalue = datetime.timedelta(0)
938
for s in interval.split():
939
try:
940
suffix = unicode(s[-1])
941
value = int(s[:-1])
942
if suffix == u"d":
943
delta = datetime.timedelta(value)
944
elif suffix == u"s":
945
delta = datetime.timedelta(0, value)
946
elif suffix == u"m":
947
delta = datetime.timedelta(0, 0, 0, 0, value)
948
elif suffix == u"h":
949
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
950
elif suffix == u"w":
951
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
952
else:
953
raise ValueError
954
except (ValueError, IndexError):
483
try:
484
suffix=unicode(interval[-1])
485
value=int(interval[:-1])
486
if suffix == u"d":
487
delta = datetime.timedelta(value)
488
elif suffix == u"s":
489
delta = datetime.timedelta(0, value)
490
elif suffix == u"m":
491
delta = datetime.timedelta(0, 0, 0, 0, value)
492
elif suffix == u"h":
493
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
494
elif suffix == u"w":
495
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
496
else:
955
497
raise ValueError
956
timevalue += delta
957
return timevalue
498
except (ValueError, IndexError):
499
raise ValueError
500
return delta
501
502
503
def add_service():
504
"""Derived from the Avahi example code"""
505
global group, serviceName, serviceType, servicePort, serviceTXT, \
506
domain, host
507
if group is None:
508
group = dbus.Interface(
509
bus.get_object( avahi.DBUS_NAME,
510
server.EntryGroupNew()),
511
avahi.DBUS_INTERFACE_ENTRY_GROUP)
512
group.connect_to_signal('StateChanged',
513
entry_group_state_changed)
514
logger.debug(u"Adding service '%s' of type '%s' ...",
515
serviceName, serviceType)
516
517
group.AddService(
518
serviceInterface, # interface
519
avahi.PROTO_INET6, # protocol
520
dbus.UInt32(0), # flags
521
serviceName, serviceType,
522
domain, host,
523
dbus.UInt16(servicePort),
524
avahi.string_array_to_txt_array(serviceTXT))
525
group.Commit()
526
527
528
def remove_service():
529
"""From the Avahi example code"""
530
global group
531
532
if not group is None:
533
group.Reset()
958
534
959
535
960
536
def server_state_changed(state):
961
537
"""Derived from the Avahi example code"""
962
538
if state == avahi.SERVER_COLLISION:
963
logger.error(u"Zeroconf server name collision")
964
service.remove()
539
logger.warning(u"Server name collision")
540
remove_service()
965
541
elif state == avahi.SERVER_RUNNING:
966
service.add()
542
add_service()
967
543
968
544
969
545
def entry_group_state_changed(state, error):
970
546
"""Derived from the Avahi example code"""
971
logger.debug(u"Avahi state change: %i", state)
547
global serviceName, server, rename_count
548
549
logger.debug(u"state change: %i", state)
972
550
973
551
if state == avahi.ENTRY_GROUP_ESTABLISHED:
974
logger.debug(u"Zeroconf service established.")
552
logger.debug(u"Service established.")
975
553
elif state == avahi.ENTRY_GROUP_COLLISION:
976
logger.warning(u"Zeroconf service name collision.")
977
service.rename()
554
555
rename_count = rename_count - 1
556
if rename_count > 0:
557
name = server.GetAlternativeServiceName(name)
558
logger.warning(u"Service name collision, "
559
u"changing name to '%s' ...", name)
560
remove_service()
561
add_service()
562
563
else:
564
logger.error(u"No suitable service name found after %i"
565
u" retries, exiting.", n_rename)
566
killme(1)
978
567
elif state == avahi.ENTRY_GROUP_FAILURE:
979
logger.critical(u"Avahi: Error in group state changed %s",
980
unicode(error))
981
raise AvahiGroupError(u"State changed: %s" % unicode(error))
568
logger.error(u"Error in group state changed %s",
569
unicode(error))
570
killme(1)
571
982
572
983
573
def if_nametoindex(interface):
984
"""Call the C function if_nametoindex(), or equivalent"""
985
global if_nametoindex
574
"""Call the C function if_nametoindex()"""
986
575
try:
987
if_nametoindex = (ctypes.cdll.LoadLibrary
988
(ctypes.util.find_library("c"))
989
.if_nametoindex)
576
libc = ctypes.cdll.LoadLibrary("libc.so.6")
577
return libc.if_nametoindex(interface)
990
578
except (OSError, AttributeError):
991
579
if "struct" not in sys.modules:
992
580
import struct
993
581
if "fcntl" not in sys.modules:
994
582
import fcntl
995
def if_nametoindex(interface):
996
"Get an interface index the hard way, i.e. using fcntl()"
997
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
998
with closing(socket.socket()) as s:
999
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1000
struct.pack("16s16x", interface))
1001
interface_index = struct.unpack("I", ifreq[16:20])[0]
1002
return interface_index
1003
return if_nametoindex(interface)
1004
1005
1006
def daemon(nochdir = False, noclose = False):
583
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
584
s = socket.socket()
585
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
586
struct.pack("16s16x", interface))
587
s.close()
588
interface_index = struct.unpack("I", ifreq[16:20])[0]
589
return interface_index
590
591
592
def daemon(nochdir, noclose):
1007
593
"""See daemon(3). Standard BSD Unix function.
1008
594
This should really exist as os.daemon, but it doesn't (yet)."""
1009
595
if os.fork():
1011
597
os.setsid()
1012
598
if not nochdir:
1013
599
os.chdir("/")
1014
if os.fork():
1015
sys.exit()
1016
600
if not noclose:
1017
601
# Close all standard open file descriptors
1018
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
602
null = os.open("/dev/null", os.O_NOCTTY | os.O_RDWR)
1019
603
if not stat.S_ISCHR(os.fstat(null).st_mode):
1020
604
raise OSError(errno.ENODEV,
1021
605
"/dev/null not a character device")
1026
610
os.close(null)
1027
611
1028
612
613
def killme(status = 0):
614
logger.debug("Stopping server with exit status %d", status)
615
exitstatus = status
616
if main_loop_started:
617
main_loop.quit()
618
else:
619
sys.exit(status)
620
621
1029
622
def main():
1030
1031
######################################################################
1032
# Parsing of options, both command line and config file
1033
1034
parser = optparse.OptionParser(version = "%%prog %s" % version)
623
global exitstatus
624
exitstatus = 0
625
global main_loop_started
626
main_loop_started = False
627
628
parser = OptionParser()
1035
629
parser.add_option("-i", "--interface", type="string",
1036
metavar="IF", help="Bind to interface IF")
1037
parser.add_option("-a", "--address", type="string",
630
default=None, metavar="IF",
631
help="Bind to interface IF")
632
parser.add_option("-a", "--address", type="string", default=None,
1038
633
help="Address to listen for requests on")
1039
parser.add_option("-p", "--port", type="int",
634
parser.add_option("-p", "--port", type="int", default=None,
1040
635
help="Port number to receive requests on")
1041
parser.add_option("--check", action="store_true",
636
parser.add_option("--check", action="store_true", default=False,
1042
637
help="Run self-test")
1043
parser.add_option("--debug", action="store_true",
1044
help="Debug mode; run in foreground and log to"
1045
" terminal")
1046
parser.add_option("--priority", type="string", help="GnuTLS"
1047
" priority string (see GnuTLS documentation)")
1048
parser.add_option("--servicename", type="string", metavar="NAME",
1049
help="Zeroconf service name")
1050
parser.add_option("--configdir", type="string",
1051
default="/etc/mandos", metavar="DIR",
1052
help="Directory to search for configuration"
1053
" files")
1054
parser.add_option("--no-dbus", action="store_false",
1055
dest="use_dbus",
1056
help="Do not provide D-Bus system bus"
1057
" interface")
1058
parser.add_option("--no-ipv6", action="store_false",
1059
dest="use_ipv6", help="Do not use IPv6")
1060
options = parser.parse_args()[0]
638
parser.add_option("--debug", action="store_true", default=False,
639
help="Debug mode")
640
parser.add_option("--priority", type="string",
641
default="SECURE256",
642
help="GnuTLS priority string"
643
" (see GnuTLS documentation)")
644
parser.add_option("--servicename", type="string",
645
default="Mandos", help="Zeroconf service name")
646
(options, args) = parser.parse_args()
1061
647
1062
648
if options.check:
1063
649
import doctest
1064
650
doctest.testmod()
1065
651
sys.exit()
1066
652
1067
# Default values for config file for server-global settings
1068
server_defaults = { "interface": "",
1069
"address": "",
1070
"port": "",
1071
"debug": "False",
1072
"priority":
1073
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1074
"servicename": "Mandos",
1075
"use_dbus": "True",
1076
"use_ipv6": "True",
1077
}
1078
1079
# Parse config file for server-global settings
1080
server_config = ConfigParser.SafeConfigParser(server_defaults)
1081
del server_defaults
1082
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1083
# Convert the SafeConfigParser object to a dict
1084
server_settings = server_config.defaults()
1085
# Use the appropriate methods on the non-string config options
1086
server_settings["debug"] = server_config.getboolean("DEFAULT",
1087
"debug")
1088
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1089
"use_dbus")
1090
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1091
"use_ipv6")
1092
if server_settings["port"]:
1093
server_settings["port"] = server_config.getint("DEFAULT",
1094
"port")
1095
del server_config
1096
1097
# Override the settings from the config file with command line
1098
# options, if set.
1099
for option in ("interface", "address", "port", "debug",
1100
"priority", "servicename", "configdir",
1101
"use_dbus", "use_ipv6"):
1102
value = getattr(options, option)
1103
if value is not None:
1104
server_settings[option] = value
1105
del options
1106
# Now we have our good server settings in "server_settings"
1107
1108
##################################################################
1109
1110
# For convenience
1111
debug = server_settings["debug"]
1112
use_dbus = server_settings["use_dbus"]
1113
use_ipv6 = server_settings["use_ipv6"]
1114
1115
if not debug:
1116
syslogger.setLevel(logging.WARNING)
1117
console.setLevel(logging.WARNING)
1118
1119
if server_settings["servicename"] != "Mandos":
1120
syslogger.setFormatter(logging.Formatter
1121
('Mandos (%s) [%%(process)d]:'
1122
' %%(levelname)s: %%(message)s'
1123
% server_settings["servicename"]))
1124
1125
# Parse config file with clients
1126
client_defaults = { "timeout": "1h",
1127
"interval": "5m",
1128
"checker": "fping -q -- %%(host)s",
1129
"host": "",
1130
}
1131
client_config = ConfigParser.SafeConfigParser(client_defaults)
1132
client_config.read(os.path.join(server_settings["configdir"],
1133
"clients.conf"))
1134
1135
global mandos_dbus_service
1136
mandos_dbus_service = None
1137
1138
clients = Set()
1139
tcp_server = IPv6_TCPServer((server_settings["address"],
1140
server_settings["port"]),
1141
TCP_handler,
1142
settings=server_settings,
1143
clients=clients, use_ipv6=use_ipv6)
1144
pidfilename = "/var/run/mandos.pid"
1145
try:
1146
pidfile = open(pidfilename, "w")
1147
except IOError:
1148
logger.error("Could not open file %r", pidfilename)
1149
1150
try:
1151
uid = pwd.getpwnam("_mandos").pw_uid
1152
gid = pwd.getpwnam("_mandos").pw_gid
1153
except KeyError:
1154
try:
1155
uid = pwd.getpwnam("mandos").pw_uid
1156
gid = pwd.getpwnam("mandos").pw_gid
1157
except KeyError:
1158
try:
1159
uid = pwd.getpwnam("nobody").pw_uid
1160
gid = pwd.getpwnam("nogroup").pw_gid
1161
except KeyError:
1162
uid = 65534
1163
gid = 65534
1164
try:
1165
os.setgid(gid)
1166
os.setuid(uid)
1167
except OSError, error:
1168
if error[0] != errno.EPERM:
1169
raise error
1170
1171
# Enable all possible GnuTLS debugging
1172
if debug:
1173
# "Use a log level over 10 to enable all debugging options."
1174
# - GnuTLS manual
1175
gnutls.library.functions.gnutls_global_set_log_level(11)
1176
1177
@gnutls.library.types.gnutls_log_func
1178
def debug_gnutls(level, string):
1179
logger.debug("GnuTLS: %s", string[:-1])
1180
1181
(gnutls.library.functions
1182
.gnutls_global_set_log_function(debug_gnutls))
1183
1184
global service
1185
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1186
service = AvahiService(name = server_settings["servicename"],
1187
servicetype = "_mandos._tcp",
1188
protocol = protocol)
1189
if server_settings["interface"]:
1190
service.interface = (if_nametoindex
1191
(server_settings["interface"]))
653
# Parse config file
654
defaults = { "timeout": "1h",
655
"interval": "5m",
656
"checker": "fping -q -- %%(fqdn)s",
657
}
658
client_config = ConfigParser.SafeConfigParser(defaults)
659
#client_config.readfp(open("global.conf"), "global.conf")
660
client_config.read("mandos-clients.conf")
661
662
global serviceName
663
serviceName = options.servicename;
1192
664
1193
665
global main_loop
1194
666
global bus
1197
669
DBusGMainLoop(set_as_default=True )
1198
670
main_loop = gobject.MainLoop()
1199
671
bus = dbus.SystemBus()
1200
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1201
avahi.DBUS_PATH_SERVER),
1202
avahi.DBUS_INTERFACE_SERVER)
672
server = dbus.Interface(
673
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
674
avahi.DBUS_INTERFACE_SERVER )
1203
675
# End of Avahi example code
1204
if use_dbus:
1205
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1206
1207
clients.update(Set(Client(name = section,
1208
config
1209
= dict(client_config.items(section)),
1210
use_dbus = use_dbus)
676
677
debug = options.debug
678
679
if debug:
680
console = logging.StreamHandler()
681
# console.setLevel(logging.DEBUG)
682
console.setFormatter(logging.Formatter\
683
('%(levelname)s: %(message)s'))
684
logger.addHandler(console)
685
del console
686
687
clients = Set()
688
def remove_from_clients(client):
689
clients.remove(client)
690
if not clients:
691
logger.debug(u"No clients left, exiting")
692
killme()
693
694
clients.update(Set(Client(name=section,
695
stop_hook = remove_from_clients,
696
**(dict(client_config\
697
.items(section))))
1211
698
for section in client_config.sections()))
1212
if not clients:
1213
logger.warning(u"No clients defined")
1214
1215
if debug:
1216
# Redirect stdin so all checkers get /dev/null
1217
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1218
os.dup2(null, sys.stdin.fileno())
1219
if null > 2:
1220
os.close(null)
1221
else:
1222
# No console logging
1223
logger.removeHandler(console)
1224
# Close all input and output, do double fork, etc.
1225
daemon()
1226
1227
try:
1228
with closing(pidfile):
1229
pid = os.getpid()
1230
pidfile.write(str(pid) + "\n")
1231
del pidfile
1232
except IOError:
1233
logger.error(u"Could not write to file %r with PID %d",
1234
pidfilename, pid)
1235
except NameError:
1236
# "pidfile" was never created
1237
pass
1238
del pidfilename
699
700
if not debug:
701
daemon(False, False)
1239
702
1240
703
def cleanup():
1241
704
"Cleanup function; run on exit"
1248
711
1249
712
while clients:
1250
713
client = clients.pop()
1251
client.disable_hook = None
1252
client.disable()
714
client.stop_hook = None
715
client.stop()
1253
716
1254
717
atexit.register(cleanup)
1255
718
1256
719
if not debug:
1257
720
signal.signal(signal.SIGINT, signal.SIG_IGN)
1258
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1259
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1260
1261
if use_dbus:
1262
class MandosDBusService(dbus.service.Object):
1263
"""A D-Bus proxy object"""
1264
def __init__(self):
1265
dbus.service.Object.__init__(self, bus, "/")
1266
_interface = u"se.bsnet.fukt.Mandos"
1267
1268
@dbus.service.signal(_interface, signature="oa{sv}")
1269
def ClientAdded(self, objpath, properties):
1270
"D-Bus signal"
1271
pass
1272
1273
@dbus.service.signal(_interface, signature="s")
1274
def ClientNotFound(self, fingerprint):
1275
"D-Bus signal"
1276
pass
1277
1278
@dbus.service.signal(_interface, signature="os")
1279
def ClientRemoved(self, objpath, name):
1280
"D-Bus signal"
1281
pass
1282
1283
@dbus.service.method(_interface, out_signature="ao")
1284
def GetAllClients(self):
1285
"D-Bus method"
1286
return dbus.Array(c.dbus_object_path for c in clients)
1287
1288
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1289
def GetAllClientsWithProperties(self):
1290
"D-Bus method"
1291
return dbus.Dictionary(
1292
((c.dbus_object_path, c.GetAllProperties())
1293
for c in clients),
1294
signature="oa{sv}")
1295
1296
@dbus.service.method(_interface, in_signature="o")
1297
def RemoveClient(self, object_path):
1298
"D-Bus method"
1299
for c in clients:
1300
if c.dbus_object_path == object_path:
1301
clients.remove(c)
1302
# Don't signal anything except ClientRemoved
1303
c.use_dbus = False
1304
c.disable()
1305
# Emit D-Bus signal
1306
self.ClientRemoved(object_path, c.name)
1307
return
1308
raise KeyError
1309
1310
del _interface
1311
1312
mandos_dbus_service = MandosDBusService()
721
signal.signal(signal.SIGHUP, lambda signum, frame: killme())
722
signal.signal(signal.SIGTERM, lambda signum, frame: killme())
1313
723
1314
724
for client in clients:
1315
if use_dbus:
1316
# Emit D-Bus signal
1317
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1318
client.GetAllProperties())
1319
client.enable()
1320
1321
tcp_server.enable()
1322
tcp_server.server_activate()
1323
1324
# Find out what port we got
1325
service.port = tcp_server.socket.getsockname()[1]
1326
if use_ipv6:
1327
logger.info(u"Now listening on address %r, port %d,"
1328
" flowinfo %d, scope_id %d"
1329
% tcp_server.socket.getsockname())
1330
else: # IPv4
1331
logger.info(u"Now listening on address %r, port %d"
1332
% tcp_server.socket.getsockname())
1333
1334
#service.interface = tcp_server.socket.getsockname()[3]
1335
1336
try:
1337
# From the Avahi example code
1338
server.connect_to_signal("StateChanged", server_state_changed)
1339
try:
1340
server_state_changed(server.GetState())
1341
except dbus.exceptions.DBusException, error:
1342
logger.critical(u"DBusException: %s", error)
1343
sys.exit(1)
1344
# End of Avahi example code
1345
1346
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1347
lambda *args, **kwargs:
1348
(tcp_server.handle_request
1349
(*args[2:], **kwargs) or True))
1350
1351
logger.debug(u"Starting main loop")
725
client.start()
726
727
tcp_server = IPv6_TCPServer((options.address, options.port),
728
tcp_handler,
729
options=options,
730
clients=clients)
731
# Find out what random port we got
732
global servicePort
733
servicePort = tcp_server.socket.getsockname()[1]
734
logger.debug(u"Now listening on port %d", servicePort)
735
736
if options.interface is not None:
737
global serviceInterface
738
serviceInterface = if_nametoindex(options.interface)
739
740
# From the Avahi example code
741
server.connect_to_signal("StateChanged", server_state_changed)
742
try:
743
server_state_changed(server.GetState())
744
except dbus.exceptions.DBusException, error:
745
logger.critical(u"DBusException: %s", error)
746
killme(1)
747
# End of Avahi example code
748
749
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
750
lambda *args, **kwargs:
751
tcp_server.handle_request(*args[2:],
752
**kwargs) or True)
753
try:
754
logger.debug("Starting main loop")
755
main_loop_started = True
1352
756
main_loop.run()
1353
except AvahiError, error:
1354
logger.critical(u"AvahiError: %s", error)
1355
sys.exit(1)
1356
757
except KeyboardInterrupt:
1357
758
if debug:
1358
print >> sys.stderr
1359
logger.debug("Server received KeyboardInterrupt")
1360
logger.debug("Server exiting")
759
print
760
761
sys.exit(exitstatus)
1361
762
1362
763
if __name__ == '__main__':
1363
764
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0