To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 24.1.36
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.36
- Committer: Björn Påhlsson
- Date: 2008-08-10 00:18:39 UTC
- mfrom: (58 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 59.
- Revision ID: belorn@braxen-20080810001839-sq9v1v0x996z7mna
merge
- files added:
- mandos-client.xml
- files removed:
- ca.pem
- files renamed:
- mandos-clients.conf => clients.conf
- server.py => mandos
- plugbasedclient.c => mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- plugins.d/mandosclient.c => plugins.d/password-request.c
- files modified:
- Makefile
added
removed
mandos
1
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
# Mandos server - give out binary blobs to connecting clients.
5
#
6
# This program is partly derived from an example program for an Avahi
7
# service publisher, downloaded from
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
#
13
# Everything else is
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
15
#
16
# This program is free software: you can redistribute it and/or modify
17
# it under the terms of the GNU General Public License as published by
18
# the Free Software Foundation, either version 3 of the License, or
19
# (at your option) any later version.
20
#
21
# This program is distributed in the hope that it will be useful,
22
# but WITHOUT ANY WARRANTY; without even the implied warranty of
23
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24
# GNU General Public License for more details.
25
#
26
# You should have received a copy of the GNU General Public License
27
# along with this program. If not, see <http://www.gnu.org/licenses/>.
28
#
29
# Contact the authors at <mandos@fukt.bsnet.se>.
30
#
3
31
4
32
from __future__ import division
5
33
24
52
import subprocess
25
53
import atexit
26
54
import stat
55
import logging
56
import logging.handlers
27
57
28
58
import dbus
29
59
import gobject
31
61
from dbus.mainloop.glib import DBusGMainLoop
32
62
import ctypes
33
63
34
import logging
35
import logging.handlers
64
version = "1.0"
36
65
37
66
logger = logging.Logger('mandos')
38
67
syslogger = logging.handlers.SysLogHandler\
39
(facility = logging.handlers.SysLogHandler.LOG_DAEMON)
68
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
69
address = "/dev/log")
40
70
syslogger.setFormatter(logging.Formatter\
41
('%(levelname)s: %(message)s'))
71
('Mandos: %(levelname)s: %(message)s'))
42
72
logger.addHandler(syslogger)
43
del syslogger
44
45
# This variable is used to optionally bind to a specified interface.
46
# It is a global variable to fit in with the other variables from the
47
# Avahi server example code.
48
serviceInterface = avahi.IF_UNSPEC
49
# From the Avahi server example code:
50
serviceName = "Mandos"
51
serviceType = "_mandos._tcp" # http://www.dns-sd.org/ServiceTypes.html
52
servicePort = None # Not known at startup
53
serviceTXT = [] # TXT record for the service
54
domain = "" # Domain to publish on, default to .local
55
host = "" # Host to publish records for, default to localhost
56
group = None #our entry group
57
rename_count = 12 # Counter so we only rename after collisions a
58
# sensible number of times
73
74
75
class AvahiError(Exception):
76
def __init__(self, value):
77
self.value = value
78
def __str__(self):
79
return repr(self.value)
80
81
class AvahiServiceError(AvahiError):
82
pass
83
84
class AvahiGroupError(AvahiError):
85
pass
86
87
88
class AvahiService(object):
89
"""An Avahi (Zeroconf) service.
90
Attributes:
91
interface: integer; avahi.IF_UNSPEC or an interface index.
92
Used to optionally bind to the specified interface.
93
name: string; Example: 'Mandos'
94
type: string; Example: '_mandos._tcp'.
95
See <http://www.dns-sd.org/ServiceTypes.html>
96
port: integer; what port to announce
97
TXT: list of strings; TXT record for the service
98
domain: string; Domain to publish on, default to .local if empty.
99
host: string; Host to publish records for, default is localhost
100
max_renames: integer; maximum number of renames
101
rename_count: integer; counter so we only rename after collisions
102
a sensible number of times
103
"""
104
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
105
type = None, port = None, TXT = None, domain = "",
106
host = "", max_renames = 32768):
107
self.interface = interface
108
self.name = name
109
self.type = type
110
self.port = port
111
if TXT is None:
112
self.TXT = []
113
else:
114
self.TXT = TXT
115
self.domain = domain
116
self.host = host
117
self.rename_count = 0
118
def rename(self):
119
"""Derived from the Avahi example code"""
120
if self.rename_count >= self.max_renames:
121
logger.critical(u"No suitable service name found after %i"
122
u" retries, exiting.", rename_count)
123
raise AvahiServiceError("Too many renames")
124
name = server.GetAlternativeServiceName(name)
125
logger.error(u"Changing name to %r ...", name)
126
syslogger.setFormatter(logging.Formatter\
127
('Mandos (%s): %%(levelname)s:'
128
' %%(message)s' % name))
129
self.remove()
130
self.add()
131
self.rename_count += 1
132
def remove(self):
133
"""Derived from the Avahi example code"""
134
if group is not None:
135
group.Reset()
136
def add(self):
137
"""Derived from the Avahi example code"""
138
global group
139
if group is None:
140
group = dbus.Interface\
141
(bus.get_object(avahi.DBUS_NAME,
142
server.EntryGroupNew()),
143
avahi.DBUS_INTERFACE_ENTRY_GROUP)
144
group.connect_to_signal('StateChanged',
145
entry_group_state_changed)
146
logger.debug(u"Adding service '%s' of type '%s' ...",
147
service.name, service.type)
148
group.AddService(
149
self.interface, # interface
150
avahi.PROTO_INET6, # protocol
151
dbus.UInt32(0), # flags
152
self.name, self.type,
153
self.domain, self.host,
154
dbus.UInt16(self.port),
155
avahi.string_array_to_txt_array(self.TXT))
156
group.Commit()
157
158
# From the Avahi example code:
159
group = None # our entry group
59
160
# End of Avahi example code
60
161
61
162
66
167
fingerprint: string (40 or 32 hexadecimal digits); used to
67
168
uniquely identify the client
68
169
secret: bytestring; sent verbatim (over TLS) to client
69
fqdn: string (FQDN); available for use by the checker command
70
created: datetime.datetime()
71
last_seen: datetime.datetime() or None if not yet seen
72
timeout: datetime.timedelta(); How long from last_seen until
73
this client is invalid
170
host: string; available for use by the checker command
171
created: datetime.datetime(); object creation, not client host
172
last_checked_ok: datetime.datetime() or None if not yet checked OK
173
timeout: datetime.timedelta(); How long from last_checked_ok
174
until this client is invalid
74
175
interval: datetime.timedelta(); How often to start a new checker
75
176
stop_hook: If set, called by stop() as stop_hook(self)
76
177
checker: subprocess.Popen(); a running checker process used
77
178
to see if the client lives.
78
Is None if no process is running.
179
'None' if no process is running.
79
180
checker_initiator_tag: a gobject event source tag, or None
80
181
stop_initiator_tag: - '' -
81
182
checker_callback_tag: - '' -
82
183
checker_command: string; External command which is run to check if
83
client lives. %()s expansions are done at
184
client lives. %() expansions are done at
84
185
runtime with vars(self) as dict, so that for
85
186
instance %(name)s can be used in the command.
86
187
Private attibutes:
87
188
_timeout: Real variable for 'timeout'
88
189
_interval: Real variable for 'interval'
89
_timeout_milliseconds: Used by gobject.timeout_add()
190
_timeout_milliseconds: Used when calling gobject.timeout_add()
90
191
_interval_milliseconds: - '' -
91
192
"""
92
193
def _set_timeout(self, timeout):
112
213
interval = property(lambda self: self._interval,
113
214
_set_interval)
114
215
del _set_interval
115
def __init__(self, name=None, options=None, stop_hook=None,
116
fingerprint=None, secret=None, secfile=None,
117
fqdn=None, timeout=None, interval=-1, checker=None):
216
def __init__(self, name = None, stop_hook=None, config={}):
217
"""Note: the 'checker' key in 'config' sets the
218
'checker_command' attribute and *not* the 'checker'
219
attribute."""
118
220
self.name = name
119
# Uppercase and remove spaces from fingerprint
120
# for later comparison purposes with return value of
121
# the fingerprint() function
122
self.fingerprint = fingerprint.upper().replace(u" ", u"")
123
if secret:
124
self.secret = secret.decode(u"base64")
125
elif secfile:
126
sf = open(secfile)
221
logger.debug(u"Creating client %r", self.name)
222
# Uppercase and remove spaces from fingerprint for later
223
# comparison purposes with return value from the fingerprint()
224
# function
225
self.fingerprint = config["fingerprint"].upper()\
226
.replace(u" ", u"")
227
logger.debug(u" Fingerprint: %s", self.fingerprint)
228
if "secret" in config:
229
self.secret = config["secret"].decode(u"base64")
230
elif "secfile" in config:
231
sf = open(config["secfile"])
127
232
self.secret = sf.read()
128
233
sf.close()
129
234
else:
130
raise RuntimeError(u"No secret or secfile for client %s"
131
% self.name)
132
self.fqdn = fqdn # string
235
raise TypeError(u"No secret or secfile for client %s"
236
% self.name)
237
self.host = config.get("host", "")
133
238
self.created = datetime.datetime.now()
134
self.last_seen = None
135
if timeout is None:
136
self.timeout = options.timeout
137
else:
138
self.timeout = string_to_delta(timeout)
139
if interval == -1:
140
self.interval = options.interval
141
else:
142
self.interval = string_to_delta(interval)
239
self.last_checked_ok = None
240
self.timeout = string_to_delta(config["timeout"])
241
self.interval = string_to_delta(config["interval"])
143
242
self.stop_hook = stop_hook
144
243
self.checker = None
145
244
self.checker_initiator_tag = None
146
245
self.stop_initiator_tag = None
147
246
self.checker_callback_tag = None
148
self.check_command = checker
247
self.check_command = config["checker"]
149
248
def start(self):
150
"""Start this clients checker and timeout hooks"""
249
"""Start this client's checker and timeout hooks"""
151
250
# Schedule a new checker to be started an 'interval' from now,
152
251
# and every interval from then on.
153
252
self.checker_initiator_tag = gobject.timeout_add\
161
260
self.stop)
162
261
def stop(self):
163
262
"""Stop this client.
164
The possibility that this client might be restarted is left
165
open, but not currently used."""
166
logger.debug(u"Stopping client %s", self.name)
167
self.secret = None
168
if self.stop_initiator_tag:
263
The possibility that a client might be restarted is left open,
264
but not currently used."""
265
# If this client doesn't have a secret, it is already stopped.
266
if hasattr(self, "secret") and self.secret:
267
logger.info(u"Stopping client %s", self.name)
268
self.secret = None
269
else:
270
return False
271
if getattr(self, "stop_initiator_tag", False):
169
272
gobject.source_remove(self.stop_initiator_tag)
170
273
self.stop_initiator_tag = None
171
if self.checker_initiator_tag:
274
if getattr(self, "checker_initiator_tag", False):
172
275
gobject.source_remove(self.checker_initiator_tag)
173
276
self.checker_initiator_tag = None
174
277
self.stop_checker()
177
280
# Do not run this again if called by a gobject.timeout_add
178
281
return False
179
282
def __del__(self):
180
# Some code duplication here and in stop()
181
if hasattr(self, "stop_initiator_tag") \
182
and self.stop_initiator_tag:
183
gobject.source_remove(self.stop_initiator_tag)
184
self.stop_initiator_tag = None
185
if hasattr(self, "checker_initiator_tag") \
186
and self.checker_initiator_tag:
187
gobject.source_remove(self.checker_initiator_tag)
188
self.checker_initiator_tag = None
189
self.stop_checker()
283
self.stop_hook = None
284
self.stop()
190
285
def checker_callback(self, pid, condition):
191
286
"""The checker has completed, so take appropriate actions."""
192
287
now = datetime.datetime.now()
288
self.checker_callback_tag = None
289
self.checker = None
193
290
if os.WIFEXITED(condition) \
194
291
and (os.WEXITSTATUS(condition) == 0):
195
logger.debug(u"Checker for %(name)s succeeded",
196
vars(self))
197
self.last_seen = now
292
logger.info(u"Checker for %(name)s succeeded",
293
vars(self))
294
self.last_checked_ok = now
198
295
gobject.source_remove(self.stop_initiator_tag)
199
296
self.stop_initiator_tag = gobject.timeout_add\
200
297
(self._timeout_milliseconds,
203
300
logger.warning(u"Checker for %(name)s crashed?",
204
301
vars(self))
205
302
else:
206
logger.debug(u"Checker for %(name)s failed",
207
vars(self))
208
self.checker = None
209
self.checker_callback_tag = None
303
logger.info(u"Checker for %(name)s failed",
304
vars(self))
210
305
def start_checker(self):
211
306
"""Start a new checker subprocess if one is not running.
212
307
If a checker already exists, leave it running and do
213
308
nothing."""
309
# The reason for not killing a running checker is that if we
310
# did that, then if a checker (for some reason) started
311
# running slowly and taking more than 'interval' time, the
312
# client would inevitably timeout, since no checker would get
313
# a chance to run to completion. If we instead leave running
314
# checkers alone, the checker would have to take more time
315
# than 'timeout' for the client to be declared invalid, which
316
# is as it should be.
214
317
if self.checker is None:
215
318
try:
216
command = self.check_command % self.fqdn
319
# In case check_command has exactly one % operator
320
command = self.check_command % self.host
217
321
except TypeError:
322
# Escape attributes for the shell
218
323
escaped_attrs = dict((key, re.escape(str(val)))
219
324
for key, val in
220
325
vars(self).iteritems())
221
326
try:
222
327
command = self.check_command % escaped_attrs
223
328
except TypeError, error:
224
logger.critical(u'Could not format string "%s":'
225
u' %s', self.check_command, error)
329
logger.error(u'Could not format string "%s":'
330
u' %s', self.check_command, error)
226
331
return True # Try again later
227
332
try:
228
logger.debug(u"Starting checker %r for %s",
229
command, self.name)
230
self.checker = subprocess.\
231
Popen(command,
232
close_fds=True, shell=True,
233
cwd="/")
333
logger.info(u"Starting checker %r for %s",
334
command, self.name)
335
self.checker = subprocess.Popen(command,
336
close_fds=True,
337
shell=True, cwd="/")
234
338
self.checker_callback_tag = gobject.child_watch_add\
235
339
(self.checker.pid,
236
340
self.checker_callback)
241
345
return True
242
346
def stop_checker(self):
243
347
"""Force the checker process, if any, to stop."""
244
if not hasattr(self, "checker") or self.checker is None:
348
if self.checker_callback_tag:
349
gobject.source_remove(self.checker_callback_tag)
350
self.checker_callback_tag = None
351
if getattr(self, "checker", None) is None:
245
352
return
246
gobject.source_remove(self.checker_callback_tag)
247
self.checker_callback_tag = None
248
os.kill(self.checker.pid, signal.SIGTERM)
249
if self.checker.poll() is None:
250
os.kill(self.checker.pid, signal.SIGKILL)
353
logger.debug(u"Stopping checker for %(name)s", vars(self))
354
try:
355
os.kill(self.checker.pid, signal.SIGTERM)
356
#os.sleep(0.5)
357
#if self.checker.poll() is None:
358
# os.kill(self.checker.pid, signal.SIGKILL)
359
except OSError, error:
360
if error.errno != errno.ESRCH: # No such process
361
raise
251
362
self.checker = None
252
def still_valid(self, now=None):
363
def still_valid(self):
253
364
"""Has the timeout not yet passed for this client?"""
254
if now is None:
255
now = datetime.datetime.now()
256
if self.last_seen is None:
365
now = datetime.datetime.now()
366
if self.last_checked_ok is None:
257
367
return now < (self.created + self.timeout)
258
368
else:
259
return now < (self.last_seen + self.timeout)
369
return now < (self.last_checked_ok + self.timeout)
260
370
261
371
262
372
def peer_certificate(session):
263
"Return an OpenPGP data packet string for the peer's certificate"
373
"Return the peer's OpenPGP certificate as a bytestring"
264
374
# If not an OpenPGP certificate...
265
375
if gnutls.library.functions.gnutls_certificate_type_get\
266
376
(session._c_object) \
277
387
278
388
279
389
def fingerprint(openpgp):
280
"Convert an OpenPGP data string to a hexdigit fingerprint string"
281
# New empty GnuTLS certificate
282
crt = gnutls.library.types.gnutls_openpgp_crt_t()
283
gnutls.library.functions.gnutls_openpgp_crt_init\
284
(ctypes.byref(crt))
390
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
285
391
# New GnuTLS "datum" with the OpenPGP public key
286
392
datum = gnutls.library.types.gnutls_datum_t\
287
393
(ctypes.cast(ctypes.c_char_p(openpgp),
288
394
ctypes.POINTER(ctypes.c_ubyte)),
289
395
ctypes.c_uint(len(openpgp)))
396
# New empty GnuTLS certificate
397
crt = gnutls.library.types.gnutls_openpgp_crt_t()
398
gnutls.library.functions.gnutls_openpgp_crt_init\
399
(ctypes.byref(crt))
290
400
# Import the OpenPGP public key into the certificate
291
ret = gnutls.library.functions.gnutls_openpgp_crt_import\
292
(crt,
293
ctypes.byref(datum),
294
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
401
gnutls.library.functions.gnutls_openpgp_crt_import\
402
(crt, ctypes.byref(datum),
403
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
295
404
# New buffer for the fingerprint
296
405
buffer = ctypes.create_string_buffer(20)
297
406
buffer_length = ctypes.c_size_t()
313
422
Note: This will run in its own forked process."""
314
423
315
424
def handle(self):
316
logger.debug(u"TCP connection from: %s",
425
logger.info(u"TCP connection from: %s",
317
426
unicode(self.client_address))
318
session = gnutls.connection.ClientSession(self.request,
319
gnutls.connection.\
320
X509Credentials())
427
session = gnutls.connection.ClientSession\
428
(self.request, gnutls.connection.X509Credentials())
429
430
line = self.request.makefile().readline()
431
logger.debug(u"Protocol version: %r", line)
432
try:
433
if int(line.strip().split()[0]) > 1:
434
raise RuntimeError
435
except (ValueError, IndexError, RuntimeError), error:
436
logger.error(u"Unknown protocol version: %s", error)
437
return
438
439
# Note: gnutls.connection.X509Credentials is really a generic
440
# GnuTLS certificate credentials object so long as no X.509
441
# keys are added to it. Therefore, we can use it here despite
442
# using OpenPGP certificates.
321
443
322
444
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
323
445
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
324
446
# "+DHE-DSS"))
325
priority = "SECURE256"
326
447
priority = "NORMAL" # Fallback default, since this
448
# MUST be set.
449
if self.server.settings["priority"]:
450
priority = self.server.settings["priority"]
327
451
gnutls.library.functions.gnutls_priority_set_direct\
328
452
(session._c_object, priority, None);
329
453
330
454
try:
331
455
session.handshake()
332
456
except gnutls.errors.GNUTLSError, error:
333
logger.debug(u"Handshake failed: %s", error)
457
logger.warning(u"Handshake failed: %s", error)
334
458
# Do not run session.bye() here: the session is not
335
459
# established. Just abandon the request.
336
460
return
337
461
try:
338
462
fpr = fingerprint(peer_certificate(session))
339
463
except (TypeError, gnutls.errors.GNUTLSError), error:
340
logger.debug(u"Bad certificate: %s", error)
464
logger.warning(u"Bad certificate: %s", error)
341
465
session.bye()
342
466
return
343
467
logger.debug(u"Fingerprint: %s", fpr)
344
468
client = None
345
for c in clients:
469
for c in self.server.clients:
346
470
if c.fingerprint == fpr:
347
471
client = c
348
472
break
473
if not client:
474
logger.warning(u"Client not found for fingerprint: %s",
475
fpr)
476
session.bye()
477
return
349
478
# Have to check if client.still_valid(), since it is possible
350
479
# that the client timed out while establishing the GnuTLS
351
480
# session.
352
if (not client) or (not client.still_valid()):
353
if client:
354
logger.debug(u"Client %(name)s is invalid",
355
vars(client))
356
else:
357
logger.debug(u"Client not found for fingerprint: %s",
358
fpr)
481
if not client.still_valid():
482
logger.warning(u"Client %(name)s is invalid",
483
vars(client))
359
484
session.bye()
360
485
return
361
486
sent_size = 0
371
496
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
372
497
"""IPv6 TCP server. Accepts 'None' as address and/or port.
373
498
Attributes:
374
options: Command line options
499
settings: Server settings
375
500
clients: Set() of Client objects
376
501
"""
377
502
address_family = socket.AF_INET6
378
503
def __init__(self, *args, **kwargs):
379
if "options" in kwargs:
380
self.options = kwargs["options"]
381
del kwargs["options"]
504
if "settings" in kwargs:
505
self.settings = kwargs["settings"]
506
del kwargs["settings"]
382
507
if "clients" in kwargs:
383
508
self.clients = kwargs["clients"]
384
509
del kwargs["clients"]
387
512
"""This overrides the normal server_bind() function
388
513
to bind to an interface if one was specified, and also NOT to
389
514
bind to an address or port if they were not specified."""
390
if self.options.interface:
391
if not hasattr(socket, "SO_BINDTODEVICE"):
392
# From /usr/include/asm-i486/socket.h
393
socket.SO_BINDTODEVICE = 25
515
if self.settings["interface"]:
516
# 25 is from /usr/include/asm-i486/socket.h
517
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
394
518
try:
395
519
self.socket.setsockopt(socket.SOL_SOCKET,
396
socket.SO_BINDTODEVICE,
397
self.options.interface)
520
SO_BINDTODEVICE,
521
self.settings["interface"])
398
522
except socket.error, error:
399
523
if error[0] == errno.EPERM:
400
logger.warning(u"No permission to"
401
u" bind to interface %s",
402
self.options.interface)
524
logger.error(u"No permission to"
525
u" bind to interface %s",
526
self.settings["interface"])
403
527
else:
404
528
raise error
405
529
# Only bind(2) the socket if we really need to.
408
532
in6addr_any = "::"
409
533
self.server_address = (in6addr_any,
410
534
self.server_address[1])
411
elif self.server_address[1] is None:
535
elif not self.server_address[1]:
412
536
self.server_address = (self.server_address[0],
413
537
0)
538
# if self.settings["interface"]:
539
# self.server_address = (self.server_address[0],
540
# 0, # port
541
# 0, # flowinfo
542
# if_nametoindex
543
# (self.settings
544
# ["interface"]))
414
545
return super(type(self), self).server_bind()
415
546
416
547
448
579
return delta
449
580
450
581
451
def add_service():
452
"""From the Avahi server example code"""
453
global group, serviceName, serviceType, servicePort, serviceTXT, \
454
domain, host
455
if group is None:
456
group = dbus.Interface(
457
bus.get_object( avahi.DBUS_NAME,
458
server.EntryGroupNew()),
459
avahi.DBUS_INTERFACE_ENTRY_GROUP)
460
group.connect_to_signal('StateChanged',
461
entry_group_state_changed)
462
logger.debug(u"Adding service '%s' of type '%s' ...",
463
serviceName, serviceType)
464
465
group.AddService(
466
serviceInterface, # interface
467
avahi.PROTO_INET6, # protocol
468
dbus.UInt32(0), # flags
469
serviceName, serviceType,
470
domain, host,
471
dbus.UInt16(servicePort),
472
avahi.string_array_to_txt_array(serviceTXT))
473
group.Commit()
474
475
476
def remove_service():
477
"""From the Avahi server example code"""
478
global group
479
480
if not group is None:
481
group.Reset()
482
483
484
582
def server_state_changed(state):
485
"""From the Avahi server example code"""
583
"""Derived from the Avahi example code"""
486
584
if state == avahi.SERVER_COLLISION:
487
logger.warning(u"Server name collision")
488
remove_service()
585
logger.error(u"Server name collision")
586
service.remove()
489
587
elif state == avahi.SERVER_RUNNING:
490
add_service()
588
service.add()
491
589
492
590
493
591
def entry_group_state_changed(state, error):
494
"""From the Avahi server example code"""
495
global serviceName, server, rename_count
496
592
"""Derived from the Avahi example code"""
497
593
logger.debug(u"state change: %i", state)
498
594
499
595
if state == avahi.ENTRY_GROUP_ESTABLISHED:
500
596
logger.debug(u"Service established.")
501
597
elif state == avahi.ENTRY_GROUP_COLLISION:
502
503
rename_count = rename_count - 1
504
if rename_count > 0:
505
name = server.GetAlternativeServiceName(name)
506
logger.warning(u"Service name collision, "
507
u"changing name to '%s' ...", name)
508
remove_service()
509
add_service()
510
511
else:
512
logger.error(u"No suitable service name found after %i"
513
u" retries, exiting.", n_rename)
514
killme(1)
598
logger.warning(u"Service name collision.")
599
service.rename()
515
600
elif state == avahi.ENTRY_GROUP_FAILURE:
516
logger.error(u"Error in group state changed %s",
517
unicode(error))
518
killme(1)
519
601
logger.critical(u"Error in group state changed %s",
602
unicode(error))
603
raise AvahiGroupError("State changed: %s", str(error))
520
604
521
605
def if_nametoindex(interface):
522
"""Call the C function if_nametoindex()"""
606
"""Call the C function if_nametoindex(), or equivalent"""
607
global if_nametoindex
523
608
try:
524
libc = ctypes.cdll.LoadLibrary("libc.so.6")
525
return libc.if_nametoindex(interface)
609
if "ctypes.util" not in sys.modules:
610
import ctypes.util
611
if_nametoindex = ctypes.cdll.LoadLibrary\
612
(ctypes.util.find_library("c")).if_nametoindex
526
613
except (OSError, AttributeError):
527
614
if "struct" not in sys.modules:
528
615
import struct
529
616
if "fcntl" not in sys.modules:
530
617
import fcntl
531
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
532
s = socket.socket()
533
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
534
struct.pack("16s16x", interface))
535
s.close()
536
interface_index = struct.unpack("I", ifreq[16:20])[0]
537
return interface_index
538
539
540
def daemon(nochdir, noclose):
618
def if_nametoindex(interface):
619
"Get an interface index the hard way, i.e. using fcntl()"
620
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
621
s = socket.socket()
622
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
623
struct.pack("16s16x", interface))
624
s.close()
625
interface_index = struct.unpack("I", ifreq[16:20])[0]
626
return interface_index
627
return if_nametoindex(interface)
628
629
630
def daemon(nochdir = False, noclose = False):
541
631
"""See daemon(3). Standard BSD Unix function.
542
632
This should really exist as os.daemon, but it doesn't (yet)."""
543
633
if os.fork():
545
635
os.setsid()
546
636
if not nochdir:
547
637
os.chdir("/")
638
if os.fork():
639
sys.exit()
548
640
if not noclose:
549
641
# Close all standard open file descriptors
550
null = os.open("/dev/null", os.O_NOCTTY | os.O_RDWR)
642
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
551
643
if not stat.S_ISCHR(os.fstat(null).st_mode):
552
644
raise OSError(errno.ENODEV,
553
645
"/dev/null not a character device")
558
650
os.close(null)
559
651
560
652
561
def killme(status = 0):
562
logger.debug("Stopping server with exit status %d", status)
563
exitstatus = status
564
if main_loop_started:
565
main_loop.quit()
566
else:
567
sys.exit(status)
568
569
570
if __name__ == '__main__':
571
exitstatus = 0
653
def main():
654
global main_loop_started
572
655
main_loop_started = False
573
parser = OptionParser()
656
657
parser = OptionParser(version = "Mandos server %s" % version)
574
658
parser.add_option("-i", "--interface", type="string",
575
default=None, metavar="IF",
576
help="Bind to interface IF")
577
parser.add_option("-p", "--port", type="int", default=None,
659
metavar="IF", help="Bind to interface IF")
660
parser.add_option("-a", "--address", type="string",
661
help="Address to listen for requests on")
662
parser.add_option("-p", "--port", type="int",
578
663
help="Port number to receive requests on")
579
parser.add_option("--timeout", type="string", # Parsed later
580
default="1h",
581
help="Amount of downtime allowed for clients")
582
parser.add_option("--interval", type="string", # Parsed later
583
default="5m",
584
help="How often to check that a client is up")
585
664
parser.add_option("--check", action="store_true", default=False,
586
665
help="Run self-test")
587
parser.add_option("--debug", action="store_true", default=False,
588
help="Debug mode")
666
parser.add_option("--debug", action="store_true",
667
help="Debug mode; run in foreground and log to"
668
" terminal")
669
parser.add_option("--priority", type="string", help="GnuTLS"
670
" priority string (see GnuTLS documentation)")
671
parser.add_option("--servicename", type="string", metavar="NAME",
672
help="Zeroconf service name")
673
parser.add_option("--configdir", type="string",
674
default="/etc/mandos", metavar="DIR",
675
help="Directory to search for configuration"
676
" files")
589
677
(options, args) = parser.parse_args()
590
678
591
679
if options.check:
593
681
doctest.testmod()
594
682
sys.exit()
595
683
596
# Parse the time arguments
597
try:
598
options.timeout = string_to_delta(options.timeout)
599
except ValueError:
600
parser.error("option --timeout: Unparseable time")
601
try:
602
options.interval = string_to_delta(options.interval)
603
except ValueError:
604
parser.error("option --interval: Unparseable time")
605
606
# Parse config file
607
defaults = { "checker": "fping -q -- %%(fqdn)s" }
608
client_config = ConfigParser.SafeConfigParser(defaults)
609
#client_config.readfp(open("secrets.conf"), "secrets.conf")
610
client_config.read("mandos-clients.conf")
611
612
# From the Avahi server example code
684
# Default values for config file for server-global settings
685
server_defaults = { "interface": "",
686
"address": "",
687
"port": "",
688
"debug": "False",
689
"priority":
690
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
691
"servicename": "Mandos",
692
}
693
694
# Parse config file for server-global settings
695
server_config = ConfigParser.SafeConfigParser(server_defaults)
696
del server_defaults
697
server_config.read(os.path.join(options.configdir, "mandos.conf"))
698
server_section = "server"
699
# Convert the SafeConfigParser object to a dict
700
server_settings = dict(server_config.items(server_section))
701
# Use getboolean on the boolean config option
702
server_settings["debug"] = server_config.getboolean\
703
(server_section, "debug")
704
del server_config
705
706
# Override the settings from the config file with command line
707
# options, if set.
708
for option in ("interface", "address", "port", "debug",
709
"priority", "servicename", "configdir"):
710
value = getattr(options, option)
711
if value is not None:
712
server_settings[option] = value
713
del options
714
# Now we have our good server settings in "server_settings"
715
716
debug = server_settings["debug"]
717
718
if not debug:
719
syslogger.setLevel(logging.WARNING)
720
721
if server_settings["servicename"] != "Mandos":
722
syslogger.setFormatter(logging.Formatter\
723
('Mandos (%s): %%(levelname)s:'
724
' %%(message)s'
725
% server_settings["servicename"]))
726
727
# Parse config file with clients
728
client_defaults = { "timeout": "1h",
729
"interval": "5m",
730
"checker": "fping -q -- %%(host)s",
731
}
732
client_config = ConfigParser.SafeConfigParser(client_defaults)
733
client_config.read(os.path.join(server_settings["configdir"],
734
"clients.conf"))
735
736
global service
737
service = AvahiService(name = server_settings["servicename"],
738
type = "_mandos._tcp", );
739
if server_settings["interface"]:
740
service.interface = if_nametoindex(server_settings["interface"])
741
742
global main_loop
743
global bus
744
global server
745
# From the Avahi example code
613
746
DBusGMainLoop(set_as_default=True )
614
747
main_loop = gobject.MainLoop()
615
748
bus = dbus.SystemBus()
618
751
avahi.DBUS_INTERFACE_SERVER )
619
752
# End of Avahi example code
620
753
621
debug = options.debug
622
623
754
if debug:
624
755
console = logging.StreamHandler()
625
756
# console.setLevel(logging.DEBUG)
632
763
def remove_from_clients(client):
633
764
clients.remove(client)
634
765
if not clients:
635
logger.debug(u"No clients left, exiting")
636
killme()
766
logger.critical(u"No clients left, exiting")
767
sys.exit()
637
768
638
clients.update(Set(Client(name=section, options=options,
769
clients.update(Set(Client(name = section,
639
770
stop_hook = remove_from_clients,
640
**(dict(client_config\
641
.items(section))))
771
config
772
= dict(client_config.items(section)))
642
773
for section in client_config.sections()))
774
if not clients:
775
logger.critical(u"No clients defined")
776
sys.exit(1)
643
777
644
778
if not debug:
645
daemon(False, False)
779
daemon()
780
781
pidfilename = "/var/run/mandos/mandos.pid"
782
pid = os.getpid()
783
try:
784
pidfile = open(pidfilename, "w")
785
pidfile.write(str(pid) + "\n")
786
pidfile.close()
787
del pidfile
788
except IOError, err:
789
logger.error(u"Could not write %s file with PID %d",
790
pidfilename, os.getpid())
646
791
647
792
def cleanup():
648
793
"Cleanup function; run on exit"
649
794
global group
650
# From the Avahi server example code
795
# From the Avahi example code
651
796
if not group is None:
652
797
group.Free()
653
798
group = None
654
799
# End of Avahi example code
655
800
656
for client in clients:
801
while clients:
802
client = clients.pop()
657
803
client.stop_hook = None
658
804
client.stop()
659
805
661
807
662
808
if not debug:
663
809
signal.signal(signal.SIGINT, signal.SIG_IGN)
664
signal.signal(signal.SIGHUP, lambda signum, frame: killme())
665
signal.signal(signal.SIGTERM, lambda signum, frame: killme())
810
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
811
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
666
812
667
813
for client in clients:
668
814
client.start()
669
815
670
tcp_server = IPv6_TCPServer((None, options.port),
816
tcp_server = IPv6_TCPServer((server_settings["address"],
817
server_settings["port"]),
671
818
tcp_handler,
672
options=options,
819
settings=server_settings,
673
820
clients=clients)
674
# Find out what random port we got
675
servicePort = tcp_server.socket.getsockname()[1]
676
logger.debug(u"Now listening on port %d", servicePort)
677
678
if options.interface is not None:
679
serviceInterface = if_nametoindex(options.interface)
680
681
# From the Avahi server example code
682
server.connect_to_signal("StateChanged", server_state_changed)
683
try:
684
server_state_changed(server.GetState())
685
except dbus.exceptions.DBusException, error:
686
logger.critical(u"DBusException: %s", error)
687
killme(1)
688
# End of Avahi example code
689
690
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
691
lambda *args, **kwargs:
692
tcp_server.handle_request(*args[2:],
693
**kwargs) or True)
694
try:
821
# Find out what port we got
822
service.port = tcp_server.socket.getsockname()[1]
823
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
824
u" scope_id %d" % tcp_server.socket.getsockname())
825
826
#service.interface = tcp_server.socket.getsockname()[3]
827
828
try:
829
# From the Avahi example code
830
server.connect_to_signal("StateChanged", server_state_changed)
831
try:
832
server_state_changed(server.GetState())
833
except dbus.exceptions.DBusException, error:
834
logger.critical(u"DBusException: %s", error)
835
sys.exit(1)
836
# End of Avahi example code
837
838
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
839
lambda *args, **kwargs:
840
tcp_server.handle_request\
841
(*args[2:], **kwargs) or True)
842
843
logger.debug(u"Starting main loop")
695
844
main_loop_started = True
696
845
main_loop.run()
846
except AvahiError, error:
847
logger.critical(u"AvahiError: %s" + unicode(error))
848
sys.exit(1)
697
849
except KeyboardInterrupt:
698
850
if debug:
699
851
print
700
701
sys.exit(exitstatus)
852
853
if __name__ == '__main__':
854
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0