To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 288.1.1
- compare with another revision
- download diff
- download tarball
- view history from revision 288.1.1
- Committer: Teddy Hogeborn
- Date: 2009-01-28 11:23:12 UTC
- mto: This revision was merged to the branch mainline in revision 327.
- Revision ID: teddy@fukt.bsnet.se-20090128112312-fccq15ef11z330u3
Start of new pipe-based IPC mechanism.
* mandos (TCP_handler.handle): Open the IPC pipe, write messages to it
and close it when done.
(ForkingMixInWithPipe): New.
(IPv6_TCPServer): Inherit from "ForkingMixInWithPipe" instead of
"SocketServer.ForkingMixIn".
(IPv6_TCPServer.handle_ipc): New.
* mandos (TCP_handler.handle): Open the IPC pipe, write messages to it
and close it when done.
(ForkingMixInWithPipe): New.
(IPv6_TCPServer): Inherit from "ForkingMixInWithPipe" instead of
"SocketServer.ForkingMixIn".
(IPv6_TCPServer.handle_ipc): New.
- files modified:
- INSTALL
added
removed
mandos
66
66
import ctypes
67
67
import ctypes.util
68
68
69
version = "1.0.8"
69
version = "1.0.5"
70
70
71
71
logger = logging.Logger('mandos')
72
72
syslogger = (logging.handlers.SysLogHandler
73
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
74
address = "/dev/log"))
75
75
syslogger.setFormatter(logging.Formatter
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
76
('Mandos: %(levelname)s: %(message)s'))
78
77
logger.addHandler(syslogger)
79
78
80
79
console = logging.StreamHandler()
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
83
82
logger.addHandler(console)
84
83
85
84
class AvahiError(Exception):
114
113
"""
115
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
115
servicetype = None, port = None, TXT = None,
117
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
116
domain = "", host = "", max_renames = 32768):
119
117
self.interface = interface
120
118
self.name = name
121
119
self.type = servicetype
125
123
self.host = host
126
124
self.rename_count = 0
127
125
self.max_renames = max_renames
128
self.protocol = protocol
129
126
def rename(self):
130
127
"""Derived from the Avahi example code"""
131
128
if self.rename_count >= self.max_renames:
137
134
logger.info(u"Changing Zeroconf service name to %r ...",
138
135
str(self.name))
139
136
syslogger.setFormatter(logging.Formatter
140
('Mandos (%s) [%%(process)d]:'
141
' %%(levelname)s: %%(message)s'
142
% self.name))
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
143
139
self.remove()
144
140
self.add()
145
141
self.rename_count += 1
161
157
service.name, service.type)
162
158
group.AddService(
163
159
self.interface, # interface
164
self.protocol, # protocol
160
avahi.PROTO_INET6, # protocol
165
161
dbus.UInt32(0), # flags
166
162
self.name, self.type,
167
163
self.domain, self.host,
206
202
client lives. %() expansions are done at
207
203
runtime with vars(self) as dict, so that for
208
204
instance %(name)s can be used in the command.
209
current_checker_command: string; current running checker_command
210
205
use_dbus: bool(); Whether to provide D-Bus interface and signals
211
206
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
212
207
"""
261
256
self.disable_initiator_tag = None
262
257
self.checker_callback_tag = None
263
258
self.checker_command = config["checker"]
264
self.current_checker_command = None
265
259
self.last_connect = None
266
260
# Only now, when this client is initialized, can it show up on
267
261
# the D-Bus
382
376
# checkers alone, the checker would have to take more time
383
377
# than 'timeout' for the client to be declared invalid, which
384
378
# is as it should be.
385
386
# If a checker exists, make sure it is not a zombie
387
if self.checker is not None:
388
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
389
if pid:
390
logger.warning("Checker was a zombie")
391
gobject.source_remove(self.checker_callback_tag)
392
self.checker_callback(pid, status,
393
self.current_checker_command)
394
# Start a new checker if needed
395
379
if self.checker is None:
396
380
try:
397
381
# In case checker_command has exactly one % operator
407
391
logger.error(u'Could not format string "%s":'
408
392
u' %s', self.checker_command, error)
409
393
return True # Try again later
410
self.current_checker_command = command
411
394
try:
412
395
logger.info(u"Starting checker %r for %s",
413
396
command, self.name)
428
411
(self.checker.pid,
429
412
self.checker_callback,
430
413
data=command))
431
# The checker may have completed before the gobject
432
# watch was added. Check for this.
433
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
434
if pid:
435
gobject.source_remove(self.checker_callback_tag)
436
self.checker_callback(pid, status, command)
437
414
except OSError, error:
438
415
logger.error(u"Failed to start subprocess: %s",
439
416
error)
543
520
"D-Bus signal"
544
521
pass
545
522
546
# ReceivedSecret - signal
547
@dbus.service.signal(_interface)
548
def ReceivedSecret(self):
549
"D-Bus signal"
550
pass
551
552
# Rejected - signal
553
@dbus.service.signal(_interface)
554
def Rejected(self):
555
"D-Bus signal"
556
pass
557
558
523
# SetChecker - method
559
524
@dbus.service.method(_interface, in_signature="s")
560
525
def SetChecker(self, checker):
691
656
def handle(self):
692
657
logger.info(u"TCP connection from: %s",
693
658
unicode(self.client_address))
694
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
659
logger.debug(u"Pipe: %d", self.server.pipe[1])
695
660
# Open IPC pipe to parent process
696
661
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
697
662
session = (gnutls.connection
722
687
(gnutls.library.functions
723
688
.gnutls_priority_set_direct(session._c_object,
724
689
priority, None))
725
690
726
691
try:
727
692
session.handshake()
728
693
except gnutls.errors.GNUTLSError, error:
738
703
session.bye()
739
704
return
740
705
logger.debug(u"Fingerprint: %s", fpr)
741
742
706
for c in self.server.clients:
743
707
if c.fingerprint == fpr:
744
708
client = c
759
723
session.bye()
760
724
return
761
725
ipc.write("SENDING %s\n" % client.name)
726
## This won't work here, since we're in a fork.
727
# client.checked_ok()
762
728
sent_size = 0
763
729
while sent_size < len(client.secret):
764
730
sent = session.send(client.secret[sent_size:])
793
759
794
760
class IPv6_TCPServer(ForkingMixInWithPipe,
795
761
SocketServer.TCPServer, object):
796
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
762
"""IPv6 TCP server. Accepts 'None' as address and/or port.
797
763
Attributes:
798
764
settings: Server settings
799
765
clients: Set() of Client objects
807
773
if "clients" in kwargs:
808
774
self.clients = kwargs["clients"]
809
775
del kwargs["clients"]
810
if "use_ipv6" in kwargs:
811
if not kwargs["use_ipv6"]:
812
self.address_family = socket.AF_INET
813
del kwargs["use_ipv6"]
814
776
self.enabled = False
815
777
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
816
778
def server_bind(self):
830
792
u" bind to interface %s",
831
793
self.settings["interface"])
832
794
else:
833
raise
795
raise error
834
796
# Only bind(2) the socket if we really need to.
835
797
if self.server_address[0] or self.server_address[1]:
836
798
if not self.server_address[0]:
837
if self.address_family == socket.AF_INET6:
838
any_address = "::" # in6addr_any
839
else:
840
any_address = socket.INADDR_ANY
841
self.server_address = (any_address,
799
in6addr_any = "::"
800
self.server_address = (in6addr_any,
842
801
self.server_address[1])
843
802
elif not self.server_address[1]:
844
803
self.server_address = (self.server_address[0],
857
816
def enable(self):
858
817
self.enabled = True
859
818
def handle_ipc(self, source, condition, file_objects={}):
860
condition_names = {
861
gobject.IO_IN: "IN", # There is data to read.
862
gobject.IO_OUT: "OUT", # Data can be written (without
863
# blocking).
864
gobject.IO_PRI: "PRI", # There is urgent data to read.
865
gobject.IO_ERR: "ERR", # Error condition.
866
gobject.IO_HUP: "HUP" # Hung up (the connection has been
867
# broken, usually for pipes and
868
# sockets).
869
}
870
conditions_string = ' | '.join(name
871
for cond, name in
872
condition_names.iteritems()
873
if cond & condition)
874
logger.debug("Handling IPC: FD = %d, condition = %s", source,
875
conditions_string)
819
logger.debug("Handling IPC: %r : %r", source, condition)
876
820
877
# Turn the pipe file descriptor into a Python file object
821
# Turn a file descriptor into a Python file object
878
822
if source not in file_objects:
879
823
file_objects[source] = os.fdopen(source, "r", 1)
880
824
882
826
cmdline = file_objects[source].readline()
883
827
if not cmdline: # Empty line means end of file
884
828
# close the IPC pipe
829
logger.debug("Closing: %r", source)
885
830
file_objects[source].close()
886
831
del file_objects[source]
887
832
888
833
# Stop calling this function
889
834
return False
890
835
893
838
# Parse and act on command
894
839
cmd, args = cmdline.split(None, 1)
895
840
if cmd == "NOTFOUND":
896
if self.settings["use_dbus"]:
897
# Emit D-Bus signal
898
mandos_dbus_service.ClientNotFound(args)
841
pass # xxx
899
842
elif cmd == "INVALID":
900
if self.settings["use_dbus"]:
901
for client in self.clients:
902
if client.name == args:
903
# Emit D-Bus signal
904
client.Rejected()
905
break
843
pass # xxx
906
844
elif cmd == "SENDING":
907
for client in self.clients:
908
if client.name == args:
909
client.checked_ok()
910
if self.settings["use_dbus"]:
911
# Emit D-Bus signal
912
client.ReceivedSecret()
913
break
845
pass # xxx
914
846
else:
915
847
logger.error("Unknown IPC command: %r", cmdline)
916
848
920
852
921
853
def string_to_delta(interval):
922
854
"""Parse a string and return a datetime.timedelta
923
855
924
856
>>> string_to_delta('7d')
925
857
datetime.timedelta(7)
926
858
>>> string_to_delta('60s')
1027
959
1028
960
1029
961
def main():
1030
1031
######################################################################
1032
# Parsing of options, both command line and config file
1033
1034
962
parser = optparse.OptionParser(version = "%%prog %s" % version)
1035
963
parser.add_option("-i", "--interface", type="string",
1036
964
metavar="IF", help="Bind to interface IF")
1055
983
dest="use_dbus",
1056
984
help="Do not provide D-Bus system bus"
1057
985
" interface")
1058
parser.add_option("--no-ipv6", action="store_false",
1059
dest="use_ipv6", help="Do not use IPv6")
1060
986
options = parser.parse_args()[0]
1061
987
1062
988
if options.check:
1073
999
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1074
1000
"servicename": "Mandos",
1075
1001
"use_dbus": "True",
1076
"use_ipv6": "True",
1077
1002
}
1078
1003
1079
1004
# Parse config file for server-global settings
1087
1012
"debug")
1088
1013
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1089
1014
"use_dbus")
1090
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1091
"use_ipv6")
1092
1015
if server_settings["port"]:
1093
1016
server_settings["port"] = server_config.getint("DEFAULT",
1094
1017
"port")
1098
1021
# options, if set.
1099
1022
for option in ("interface", "address", "port", "debug",
1100
1023
"priority", "servicename", "configdir",
1101
"use_dbus", "use_ipv6"):
1024
"use_dbus"):
1102
1025
value = getattr(options, option)
1103
1026
if value is not None:
1104
1027
server_settings[option] = value
1105
1028
del options
1106
1029
# Now we have our good server settings in "server_settings"
1107
1030
1108
##################################################################
1109
1110
1031
# For convenience
1111
1032
debug = server_settings["debug"]
1112
1033
use_dbus = server_settings["use_dbus"]
1113
use_ipv6 = server_settings["use_ipv6"]
1114
1034
1115
1035
if not debug:
1116
1036
syslogger.setLevel(logging.WARNING)
1118
1038
1119
1039
if server_settings["servicename"] != "Mandos":
1120
1040
syslogger.setFormatter(logging.Formatter
1121
('Mandos (%s) [%%(process)d]:'
1122
' %%(levelname)s: %%(message)s'
1041
('Mandos (%s): %%(levelname)s:'
1042
' %%(message)s'
1123
1043
% server_settings["servicename"]))
1124
1044
1125
1045
# Parse config file with clients
1131
1051
client_config = ConfigParser.SafeConfigParser(client_defaults)
1132
1052
client_config.read(os.path.join(server_settings["configdir"],
1133
1053
"clients.conf"))
1134
1135
global mandos_dbus_service
1136
mandos_dbus_service = None
1137
1054
1138
1055
clients = Set()
1139
1056
tcp_server = IPv6_TCPServer((server_settings["address"],
1140
1057
server_settings["port"]),
1141
1058
TCP_handler,
1142
1059
settings=server_settings,
1143
clients=clients, use_ipv6=use_ipv6)
1060
clients=clients)
1144
1061
pidfilename = "/var/run/mandos.pid"
1145
1062
try:
1146
1063
pidfile = open(pidfilename, "w")
1147
except IOError:
1064
except IOError, error:
1148
1065
logger.error("Could not open file %r", pidfilename)
1149
1066
1150
1067
try:
1162
1079
uid = 65534
1163
1080
gid = 65534
1164
1081
try:
1082
os.setuid(uid)
1165
1083
os.setgid(gid)
1166
os.setuid(uid)
1167
1084
except OSError, error:
1168
1085
if error[0] != errno.EPERM:
1169
1086
raise error
1170
1087
1171
# Enable all possible GnuTLS debugging
1172
if debug:
1173
# "Use a log level over 10 to enable all debugging options."
1174
# - GnuTLS manual
1175
gnutls.library.functions.gnutls_global_set_log_level(11)
1176
1177
@gnutls.library.types.gnutls_log_func
1178
def debug_gnutls(level, string):
1179
logger.debug("GnuTLS: %s", string[:-1])
1180
1181
(gnutls.library.functions
1182
.gnutls_global_set_log_function(debug_gnutls))
1183
1184
1088
global service
1185
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1186
1089
service = AvahiService(name = server_settings["servicename"],
1187
servicetype = "_mandos._tcp",
1188
protocol = protocol)
1090
servicetype = "_mandos._tcp", )
1189
1091
if server_settings["interface"]:
1190
1092
service.interface = (if_nametoindex
1191
1093
(server_settings["interface"]))
1225
1127
daemon()
1226
1128
1227
1129
try:
1228
with closing(pidfile):
1229
pid = os.getpid()
1230
pidfile.write(str(pid) + "\n")
1130
pid = os.getpid()
1131
pidfile.write(str(pid) + "\n")
1132
pidfile.close()
1231
1133
del pidfile
1232
1134
except IOError:
1233
1135
logger.error(u"Could not write to file %r with PID %d",
1259
1161
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1260
1162
1261
1163
if use_dbus:
1262
class MandosDBusService(dbus.service.Object):
1164
class MandosServer(dbus.service.Object):
1263
1165
"""A D-Bus proxy object"""
1264
1166
def __init__(self):
1265
1167
dbus.service.Object.__init__(self, bus, "/")
1270
1172
"D-Bus signal"
1271
1173
pass
1272
1174
1273
@dbus.service.signal(_interface, signature="s")
1274
def ClientNotFound(self, fingerprint):
1275
"D-Bus signal"
1276
pass
1277
1278
1175
@dbus.service.signal(_interface, signature="os")
1279
1176
def ClientRemoved(self, objpath, name):
1280
1177
"D-Bus signal"
1309
1206
1310
1207
del _interface
1311
1208
1312
mandos_dbus_service = MandosDBusService()
1209
mandos_server = MandosServer()
1313
1210
1314
1211
for client in clients:
1315
1212
if use_dbus:
1316
1213
# Emit D-Bus signal
1317
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1318
client.GetAllProperties())
1214
mandos_server.ClientAdded(client.dbus_object_path,
1215
client.GetAllProperties())
1319
1216
client.enable()
1320
1217
1321
1218
tcp_server.enable()
1323
1220
1324
1221
# Find out what port we got
1325
1222
service.port = tcp_server.socket.getsockname()[1]
1326
if use_ipv6:
1327
logger.info(u"Now listening on address %r, port %d,"
1328
" flowinfo %d, scope_id %d"
1329
% tcp_server.socket.getsockname())
1330
else: # IPv4
1331
logger.info(u"Now listening on address %r, port %d"
1332
% tcp_server.socket.getsockname())
1223
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1224
u" scope_id %d" % tcp_server.socket.getsockname())
1333
1225
1334
1226
#service.interface = tcp_server.socket.getsockname()[3]
1335
1227
1355
1247
sys.exit(1)
1356
1248
except KeyboardInterrupt:
1357
1249
if debug:
1358
print >> sys.stderr
1359
logger.debug("Server received KeyboardInterrupt")
1360
logger.debug("Server exiting")
1250
print
1361
1251
1362
1252
if __name__ == '__main__':
1363
1253
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0