To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 291
- compare with another revision
- download diff
- download tarball
- view history from revision 291
- Committer: Teddy Hogeborn
- Date: 2009-01-31 10:33:17 UTC
- mfrom: (24.1.129 mandos)
- Revision ID: teddy@fukt.bsnet.se-20090131103317-wzqvyr532sjcjt7u
Merge from Björn:
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
- files removed:
- dbus-mandos.conf
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
55
56
import logging
56
57
import logging.handlers
57
58
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import multiprocessing
59
from contextlib import closing
64
60
65
61
import dbus
66
62
import dbus.service
69
65
from dbus.mainloop.glib import DBusGMainLoop
70
66
import ctypes
71
67
import ctypes.util
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
68
69
version = "1.0.5"
70
71
logger = logging.Logger('mandos')
88
72
syslogger = (logging.handlers.SysLogHandler
89
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
90
74
address = "/dev/log"))
91
75
syslogger.setFormatter(logging.Formatter
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
76
('Mandos: %(levelname)s: %(message)s'))
94
77
logger.addHandler(syslogger)
95
78
96
79
console = logging.StreamHandler()
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
100
82
logger.addHandler(console)
101
83
102
84
class AvahiError(Exception):
115
97
116
98
class AvahiService(object):
117
99
"""An Avahi (Zeroconf) service.
118
119
100
Attributes:
120
101
interface: integer; avahi.IF_UNSPEC or an interface index.
121
102
Used to optionally bind to the specified interface.
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
103
name: string; Example: 'Mandos'
104
type: string; Example: '_mandos._tcp'.
124
105
See <http://www.dns-sd.org/ServiceTypes.html>
125
106
port: integer; what port to announce
126
107
TXT: list of strings; TXT record for the service
129
110
max_renames: integer; maximum number of renames
130
111
rename_count: integer; counter so we only rename after collisions
131
112
a sensible number of times
132
group: D-Bus Entry Group
133
server: D-Bus Server
134
bus: dbus.SystemBus()
135
113
"""
136
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
137
115
servicetype = None, port = None, TXT = None,
138
domain = u"", host = u"", max_renames = 32768,
139
protocol = avahi.PROTO_UNSPEC, bus = None):
116
domain = "", host = "", max_renames = 32768):
140
117
self.interface = interface
141
118
self.name = name
142
119
self.type = servicetype
146
123
self.host = host
147
124
self.rename_count = 0
148
125
self.max_renames = max_renames
149
self.protocol = protocol
150
self.group = None # our entry group
151
self.server = None
152
self.bus = bus
153
126
def rename(self):
154
127
"""Derived from the Avahi example code"""
155
128
if self.rename_count >= self.max_renames:
157
130
u" after %i retries, exiting.",
158
131
self.rename_count)
159
132
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
133
self.name = server.GetAlternativeServiceName(self.name)
161
134
logger.info(u"Changing Zeroconf service name to %r ...",
162
self.name)
135
str(self.name))
163
136
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
166
% self.name))
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
167
139
self.remove()
168
try:
169
self.add()
170
except dbus.exceptions.DBusException, error:
171
logger.critical(u"DBusException: %s", error)
172
self.cleanup()
173
os._exit(1)
140
self.add()
174
141
self.rename_count += 1
175
142
def remove(self):
176
143
"""Derived from the Avahi example code"""
177
if self.group is not None:
178
self.group.Reset()
144
if group is not None:
145
group.Reset()
179
146
def add(self):
180
147
"""Derived from the Avahi example code"""
181
if self.group is None:
182
self.group = dbus.Interface(
183
self.bus.get_object(avahi.DBUS_NAME,
184
self.server.EntryGroupNew()),
185
avahi.DBUS_INTERFACE_ENTRY_GROUP)
186
self.group.connect_to_signal('StateChanged',
187
self
188
.entry_group_state_changed)
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
189
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
190
self.name, self.type)
191
self.group.AddService(
192
self.interface,
193
self.protocol,
194
dbus.UInt32(0), # flags
195
self.name, self.type,
196
self.domain, self.host,
197
dbus.UInt16(self.port),
198
avahi.string_array_to_txt_array(self.TXT))
199
self.group.Commit()
200
def entry_group_state_changed(self, state, error):
201
"""Derived from the Avahi example code"""
202
logger.debug(u"Avahi entry group state change: %i", state)
203
204
if state == avahi.ENTRY_GROUP_ESTABLISHED:
205
logger.debug(u"Zeroconf service established.")
206
elif state == avahi.ENTRY_GROUP_COLLISION:
207
logger.warning(u"Zeroconf service name collision.")
208
self.rename()
209
elif state == avahi.ENTRY_GROUP_FAILURE:
210
logger.critical(u"Avahi: Error in group state changed %s",
211
unicode(error))
212
raise AvahiGroupError(u"State changed: %s"
213
% unicode(error))
214
def cleanup(self):
215
"""Derived from the Avahi example code"""
216
if self.group is not None:
217
self.group.Free()
218
self.group = None
219
def server_state_changed(self, state):
220
"""Derived from the Avahi example code"""
221
logger.debug(u"Avahi server state change: %i", state)
222
if state == avahi.SERVER_COLLISION:
223
logger.error(u"Zeroconf server name collision")
224
self.remove()
225
elif state == avahi.SERVER_RUNNING:
226
self.add()
227
def activate(self):
228
"""Derived from the Avahi example code"""
229
if self.server is None:
230
self.server = dbus.Interface(
231
self.bus.get_object(avahi.DBUS_NAME,
232
avahi.DBUS_PATH_SERVER),
233
avahi.DBUS_INTERFACE_SERVER)
234
self.server.connect_to_signal(u"StateChanged",
235
self.server_state_changed)
236
self.server_state_changed(self.server.GetState())
237
238
239
class Client(object):
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
170
# End of Avahi example code
171
172
173
def _datetime_to_dbus(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus type."""
175
return dbus.String(dt.isoformat(), variant_level=variant_level)
176
177
178
class Client(dbus.service.Object):
240
179
"""A representation of a client host served by this server.
241
242
180
Attributes:
243
181
name: string; from the config file, used in log messages and
244
182
D-Bus identifiers
251
189
enabled: bool()
252
190
last_checked_ok: datetime.datetime(); (UTC) or None
253
191
timeout: datetime.timedelta(); How long from last_checked_ok
254
until this client is disabled
192
until this client is invalid
255
193
interval: datetime.timedelta(); How often to start a new checker
256
194
disable_hook: If set, called by disable() as disable_hook(self)
257
195
checker: subprocess.Popen(); a running checker process used
258
196
to see if the client lives.
259
197
'None' if no process is running.
260
198
checker_initiator_tag: a gobject event source tag, or None
261
disable_initiator_tag: - '' -
199
disable_initiator_tag: - '' -
262
200
checker_callback_tag: - '' -
263
201
checker_command: string; External command which is run to check if
264
202
client lives. %() expansions are done at
265
203
runtime with vars(self) as dict, so that for
266
204
instance %(name)s can be used in the command.
267
current_checker_command: string; current running checker_command
268
approved_delay: datetime.timedelta(); Time to wait for approval
269
_approved: bool(); 'None' if not yet approved/disapproved
270
approved_duration: datetime.timedelta(); Duration of one approval
205
use_dbus: bool(); Whether to provide D-Bus interface and signals
206
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
271
207
"""
272
273
@staticmethod
274
def _timedelta_to_milliseconds(td):
275
"Convert a datetime.timedelta() to milliseconds"
276
return ((td.days * 24 * 60 * 60 * 1000)
277
+ (td.seconds * 1000)
278
+ (td.microseconds // 1000))
279
280
208
def timeout_milliseconds(self):
281
209
"Return the 'timeout' attribute in milliseconds"
282
return self._timedelta_to_milliseconds(self.timeout)
210
return ((self.timeout.days * 24 * 60 * 60 * 1000)
211
+ (self.timeout.seconds * 1000)
212
+ (self.timeout.microseconds // 1000))
283
213
284
214
def interval_milliseconds(self):
285
215
"Return the 'interval' attribute in milliseconds"
286
return self._timedelta_to_milliseconds(self.interval)
287
288
def approved_delay_milliseconds(self):
289
return self._timedelta_to_milliseconds(self.approved_delay)
216
return ((self.interval.days * 24 * 60 * 60 * 1000)
217
+ (self.interval.seconds * 1000)
218
+ (self.interval.microseconds // 1000))
290
219
291
def __init__(self, name = None, disable_hook=None, config=None):
220
def __init__(self, name = None, disable_hook=None, config=None,
221
use_dbus=True):
292
222
"""Note: the 'checker' key in 'config' sets the
293
223
'checker_command' attribute and *not* the 'checker'
294
224
attribute."""
296
226
if config is None:
297
227
config = {}
298
228
logger.debug(u"Creating client %r", self.name)
229
self.use_dbus = False # During __init__
299
230
# Uppercase and remove spaces from fingerprint for later
300
231
# comparison purposes with return value from the fingerprint()
301
232
# function
302
self.fingerprint = (config[u"fingerprint"].upper()
233
self.fingerprint = (config["fingerprint"].upper()
303
234
.replace(u" ", u""))
304
235
logger.debug(u" Fingerprint: %s", self.fingerprint)
305
if u"secret" in config:
306
self.secret = config[u"secret"].decode(u"base64")
307
elif u"secfile" in config:
308
with open(os.path.expanduser(os.path.expandvars
309
(config[u"secfile"])),
310
"rb") as secfile:
236
if "secret" in config:
237
self.secret = config["secret"].decode(u"base64")
238
elif "secfile" in config:
239
with closing(open(os.path.expanduser
240
(os.path.expandvars
241
(config["secfile"])))) as secfile:
311
242
self.secret = secfile.read()
312
243
else:
313
244
raise TypeError(u"No secret or secfile for client %s"
314
245
% self.name)
315
self.host = config.get(u"host", u"")
246
self.host = config.get("host", "")
316
247
self.created = datetime.datetime.utcnow()
317
248
self.enabled = False
318
249
self.last_enabled = None
319
250
self.last_checked_ok = None
320
self.timeout = string_to_delta(config[u"timeout"])
321
self.interval = string_to_delta(config[u"interval"])
251
self.timeout = string_to_delta(config["timeout"])
252
self.interval = string_to_delta(config["interval"])
322
253
self.disable_hook = disable_hook
323
254
self.checker = None
324
255
self.checker_initiator_tag = None
325
256
self.disable_initiator_tag = None
326
257
self.checker_callback_tag = None
327
self.checker_command = config[u"checker"]
328
self.current_checker_command = None
258
self.checker_command = config["checker"]
329
259
self.last_connect = None
330
self._approved = None
331
self.approved_by_default = config.get(u"approved_by_default",
332
True)
333
self.approvals_pending = 0
334
self.approved_delay = string_to_delta(
335
config[u"approved_delay"])
336
self.approved_duration = string_to_delta(
337
config[u"approved_duration"])
338
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
260
# Only now, when this client is initialized, can it show up on
261
# the D-Bus
262
self.use_dbus = use_dbus
263
if self.use_dbus:
264
self.dbus_object_path = (dbus.ObjectPath
265
("/clients/"
266
+ self.name.replace(".", "_")))
267
dbus.service.Object.__init__(self, bus,
268
self.dbus_object_path)
339
269
340
def send_changedstate(self):
341
self.changedstate.acquire()
342
self.changedstate.notify_all()
343
self.changedstate.release()
344
345
270
def enable(self):
346
271
"""Start this client's checker and timeout hooks"""
347
if getattr(self, u"enabled", False):
348
# Already enabled
349
return
350
self.send_changedstate()
351
272
self.last_enabled = datetime.datetime.utcnow()
352
273
# Schedule a new checker to be started an 'interval' from now,
353
274
# and every interval from then on.
354
275
self.checker_initiator_tag = (gobject.timeout_add
355
276
(self.interval_milliseconds(),
356
277
self.start_checker))
278
# Also start a new checker *right now*.
279
self.start_checker()
357
280
# Schedule a disable() when 'timeout' has passed
358
281
self.disable_initiator_tag = (gobject.timeout_add
359
282
(self.timeout_milliseconds(),
360
283
self.disable))
361
284
self.enabled = True
362
# Also start a new checker *right now*.
363
self.start_checker()
285
if self.use_dbus:
286
# Emit D-Bus signals
287
self.PropertyChanged(dbus.String(u"enabled"),
288
dbus.Boolean(True, variant_level=1))
289
self.PropertyChanged(dbus.String(u"last_enabled"),
290
(_datetime_to_dbus(self.last_enabled,
291
variant_level=1)))
364
292
365
def disable(self, quiet=True):
293
def disable(self):
366
294
"""Disable this client."""
367
295
if not getattr(self, "enabled", False):
368
296
return False
369
if not quiet:
370
self.send_changedstate()
371
if not quiet:
372
logger.info(u"Disabling client %s", self.name)
373
if getattr(self, u"disable_initiator_tag", False):
297
logger.info(u"Disabling client %s", self.name)
298
if getattr(self, "disable_initiator_tag", False):
374
299
gobject.source_remove(self.disable_initiator_tag)
375
300
self.disable_initiator_tag = None
376
if getattr(self, u"checker_initiator_tag", False):
301
if getattr(self, "checker_initiator_tag", False):
377
302
gobject.source_remove(self.checker_initiator_tag)
378
303
self.checker_initiator_tag = None
379
304
self.stop_checker()
380
305
if self.disable_hook:
381
306
self.disable_hook(self)
382
307
self.enabled = False
308
if self.use_dbus:
309
# Emit D-Bus signal
310
self.PropertyChanged(dbus.String(u"enabled"),
311
dbus.Boolean(False, variant_level=1))
383
312
# Do not run this again if called by a gobject.timeout_add
384
313
return False
385
314
391
320
"""The checker has completed, so take appropriate actions."""
392
321
self.checker_callback_tag = None
393
322
self.checker = None
323
if self.use_dbus:
324
# Emit D-Bus signal
325
self.PropertyChanged(dbus.String(u"checker_running"),
326
dbus.Boolean(False, variant_level=1))
394
327
if os.WIFEXITED(condition):
395
328
exitstatus = os.WEXITSTATUS(condition)
396
329
if exitstatus == 0:
400
333
else:
401
334
logger.info(u"Checker for %(name)s failed",
402
335
vars(self))
336
if self.use_dbus:
337
# Emit D-Bus signal
338
self.CheckerCompleted(dbus.Int16(exitstatus),
339
dbus.Int64(condition),
340
dbus.String(command))
403
341
else:
404
342
logger.warning(u"Checker for %(name)s crashed?",
405
343
vars(self))
344
if self.use_dbus:
345
# Emit D-Bus signal
346
self.CheckerCompleted(dbus.Int16(-1),
347
dbus.Int64(condition),
348
dbus.String(command))
406
349
407
350
def checked_ok(self):
408
351
"""Bump up the timeout for this client.
409
410
352
This should only be called when the client has been seen,
411
353
alive and well.
412
354
"""
415
357
self.disable_initiator_tag = (gobject.timeout_add
416
358
(self.timeout_milliseconds(),
417
359
self.disable))
360
if self.use_dbus:
361
# Emit D-Bus signal
362
self.PropertyChanged(
363
dbus.String(u"last_checked_ok"),
364
(_datetime_to_dbus(self.last_checked_ok,
365
variant_level=1)))
418
366
419
367
def start_checker(self):
420
368
"""Start a new checker subprocess if one is not running.
421
422
369
If a checker already exists, leave it running and do
423
370
nothing."""
424
371
# The reason for not killing a running checker is that if we
427
374
# client would inevitably timeout, since no checker would get
428
375
# a chance to run to completion. If we instead leave running
429
376
# checkers alone, the checker would have to take more time
430
# than 'timeout' for the client to be disabled, which is as it
431
# should be.
432
433
# If a checker exists, make sure it is not a zombie
434
try:
435
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
436
except (AttributeError, OSError), error:
437
if (isinstance(error, OSError)
438
and error.errno != errno.ECHILD):
439
raise error
440
else:
441
if pid:
442
logger.warning(u"Checker was a zombie")
443
gobject.source_remove(self.checker_callback_tag)
444
self.checker_callback(pid, status,
445
self.current_checker_command)
446
# Start a new checker if needed
377
# than 'timeout' for the client to be declared invalid, which
378
# is as it should be.
447
379
if self.checker is None:
448
380
try:
449
381
# In case checker_command has exactly one % operator
450
382
command = self.checker_command % self.host
451
383
except TypeError:
452
384
# Escape attributes for the shell
453
escaped_attrs = dict((key,
454
re.escape(unicode(str(val),
455
errors=
456
u'replace')))
385
escaped_attrs = dict((key, re.escape(str(val)))
457
386
for key, val in
458
387
vars(self).iteritems())
459
388
try:
462
391
logger.error(u'Could not format string "%s":'
463
392
u' %s', self.checker_command, error)
464
393
return True # Try again later
465
self.current_checker_command = command
466
394
try:
467
395
logger.info(u"Starting checker %r for %s",
468
396
command, self.name)
472
400
# always replaced by /dev/null.)
473
401
self.checker = subprocess.Popen(command,
474
402
close_fds=True,
475
shell=True, cwd=u"/")
403
shell=True, cwd="/")
404
if self.use_dbus:
405
# Emit D-Bus signal
406
self.CheckerStarted(command)
407
self.PropertyChanged(
408
dbus.String("checker_running"),
409
dbus.Boolean(True, variant_level=1))
476
410
self.checker_callback_tag = (gobject.child_watch_add
477
411
(self.checker.pid,
478
412
self.checker_callback,
479
413
data=command))
480
# The checker may have completed before the gobject
481
# watch was added. Check for this.
482
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
483
if pid:
484
gobject.source_remove(self.checker_callback_tag)
485
self.checker_callback(pid, status, command)
486
414
except OSError, error:
487
415
logger.error(u"Failed to start subprocess: %s",
488
416
error)
494
422
if self.checker_callback_tag:
495
423
gobject.source_remove(self.checker_callback_tag)
496
424
self.checker_callback_tag = None
497
if getattr(self, u"checker", None) is None:
425
if getattr(self, "checker", None) is None:
498
426
return
499
427
logger.debug(u"Stopping checker for %(name)s", vars(self))
500
428
try:
501
429
os.kill(self.checker.pid, signal.SIGTERM)
502
#time.sleep(0.5)
430
#os.sleep(0.5)
503
431
#if self.checker.poll() is None:
504
432
# os.kill(self.checker.pid, signal.SIGKILL)
505
433
except OSError, error:
506
434
if error.errno != errno.ESRCH: # No such process
507
435
raise
508
436
self.checker = None
509
510
def dbus_service_property(dbus_interface, signature=u"v",
511
access=u"readwrite", byte_arrays=False):
512
"""Decorators for marking methods of a DBusObjectWithProperties to
513
become properties on the D-Bus.
514
515
The decorated method will be called with no arguments by "Get"
516
and with one argument by "Set".
517
518
The parameters, where they are supported, are the same as
519
dbus.service.method, except there is only "signature", since the
520
type from Get() and the type sent to Set() is the same.
521
"""
522
# Encoding deeply encoded byte arrays is not supported yet by the
523
# "Set" method, so we fail early here:
524
if byte_arrays and signature != u"ay":
525
raise ValueError(u"Byte arrays not supported for non-'ay'"
526
u" signature %r" % signature)
527
def decorator(func):
528
func._dbus_is_property = True
529
func._dbus_interface = dbus_interface
530
func._dbus_signature = signature
531
func._dbus_access = access
532
func._dbus_name = func.__name__
533
if func._dbus_name.endswith(u"_dbus_property"):
534
func._dbus_name = func._dbus_name[:-14]
535
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
536
return func
537
return decorator
538
539
540
class DBusPropertyException(dbus.exceptions.DBusException):
541
"""A base class for D-Bus property-related exceptions
542
"""
543
def __unicode__(self):
544
return unicode(str(self))
545
546
547
class DBusPropertyAccessException(DBusPropertyException):
548
"""A property's access permissions disallows an operation.
549
"""
550
pass
551
552
553
class DBusPropertyNotFound(DBusPropertyException):
554
"""An attempt was made to access a non-existing property.
555
"""
556
pass
557
558
559
class DBusObjectWithProperties(dbus.service.Object):
560
"""A D-Bus object with properties.
561
562
Classes inheriting from this can use the dbus_service_property
563
decorator to expose methods as D-Bus properties. It exposes the
564
standard Get(), Set(), and GetAll() methods on the D-Bus.
565
"""
566
567
@staticmethod
568
def _is_dbus_property(obj):
569
return getattr(obj, u"_dbus_is_property", False)
570
571
def _get_all_dbus_properties(self):
572
"""Returns a generator of (name, attribute) pairs
573
"""
574
return ((prop._dbus_name, prop)
575
for name, prop in
576
inspect.getmembers(self, self._is_dbus_property))
577
578
def _get_dbus_property(self, interface_name, property_name):
579
"""Returns a bound method if one exists which is a D-Bus
580
property with the specified name and interface.
581
"""
582
for name in (property_name,
583
property_name + u"_dbus_property"):
584
prop = getattr(self, name, None)
585
if (prop is None
586
or not self._is_dbus_property(prop)
587
or prop._dbus_name != property_name
588
or (interface_name and prop._dbus_interface
589
and interface_name != prop._dbus_interface)):
590
continue
591
return prop
592
# No such property
593
raise DBusPropertyNotFound(self.dbus_object_path + u":"
594
+ interface_name + u"."
595
+ property_name)
596
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
598
out_signature=u"v")
599
def Get(self, interface_name, property_name):
600
"""Standard D-Bus property Get() method, see D-Bus standard.
601
"""
602
prop = self._get_dbus_property(interface_name, property_name)
603
if prop._dbus_access == u"write":
604
raise DBusPropertyAccessException(property_name)
605
value = prop()
606
if not hasattr(value, u"variant_level"):
607
return value
608
return type(value)(value, variant_level=value.variant_level+1)
609
610
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
611
def Set(self, interface_name, property_name, value):
612
"""Standard D-Bus property Set() method, see D-Bus standard.
613
"""
614
prop = self._get_dbus_property(interface_name, property_name)
615
if prop._dbus_access == u"read":
616
raise DBusPropertyAccessException(property_name)
617
if prop._dbus_get_args_options[u"byte_arrays"]:
618
# The byte_arrays option is not supported yet on
619
# signatures other than "ay".
620
if prop._dbus_signature != u"ay":
621
raise ValueError
622
value = dbus.ByteArray(''.join(unichr(byte)
623
for byte in value))
624
prop(value)
625
626
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
627
out_signature=u"a{sv}")
628
def GetAll(self, interface_name):
629
"""Standard D-Bus property GetAll() method, see D-Bus
630
standard.
631
632
Note: Will not include properties with access="write".
633
"""
634
all = {}
635
for name, prop in self._get_all_dbus_properties():
636
if (interface_name
637
and interface_name != prop._dbus_interface):
638
# Interface non-empty but did not match
639
continue
640
# Ignore write-only properties
641
if prop._dbus_access == u"write":
642
continue
643
value = prop()
644
if not hasattr(value, u"variant_level"):
645
all[name] = value
646
continue
647
all[name] = type(value)(value, variant_level=
648
value.variant_level+1)
649
return dbus.Dictionary(all, signature=u"sv")
650
651
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
652
out_signature=u"s",
653
path_keyword='object_path',
654
connection_keyword='connection')
655
def Introspect(self, object_path, connection):
656
"""Standard D-Bus method, overloaded to insert property tags.
657
"""
658
xmlstring = dbus.service.Object.Introspect(self, object_path,
659
connection)
660
try:
661
document = xml.dom.minidom.parseString(xmlstring)
662
def make_tag(document, name, prop):
663
e = document.createElement(u"property")
664
e.setAttribute(u"name", name)
665
e.setAttribute(u"type", prop._dbus_signature)
666
e.setAttribute(u"access", prop._dbus_access)
667
return e
668
for if_tag in document.getElementsByTagName(u"interface"):
669
for tag in (make_tag(document, name, prop)
670
for name, prop
671
in self._get_all_dbus_properties()
672
if prop._dbus_interface
673
== if_tag.getAttribute(u"name")):
674
if_tag.appendChild(tag)
675
# Add the names to the return values for the
676
# "org.freedesktop.DBus.Properties" methods
677
if (if_tag.getAttribute(u"name")
678
== u"org.freedesktop.DBus.Properties"):
679
for cn in if_tag.getElementsByTagName(u"method"):
680
if cn.getAttribute(u"name") == u"Get":
681
for arg in cn.getElementsByTagName(u"arg"):
682
if (arg.getAttribute(u"direction")
683
== u"out"):
684
arg.setAttribute(u"name", u"value")
685
elif cn.getAttribute(u"name") == u"GetAll":
686
for arg in cn.getElementsByTagName(u"arg"):
687
if (arg.getAttribute(u"direction")
688
== u"out"):
689
arg.setAttribute(u"name", u"props")
690
xmlstring = document.toxml(u"utf-8")
691
document.unlink()
692
except (AttributeError, xml.dom.DOMException,
693
xml.parsers.expat.ExpatError), error:
694
logger.error(u"Failed to override Introspection method",
695
error)
696
return xmlstring
697
698
699
class ClientDBus(Client, DBusObjectWithProperties):
700
"""A Client class using D-Bus
701
702
Attributes:
703
dbus_object_path: dbus.ObjectPath
704
bus: dbus.SystemBus()
705
"""
706
# dbus.service.Object doesn't use super(), so we can't either.
707
708
def __init__(self, bus = None, *args, **kwargs):
709
self._approvals_pending = 0
710
self.bus = bus
711
Client.__init__(self, *args, **kwargs)
712
# Only now, when this client is initialized, can it show up on
713
# the D-Bus
714
self.dbus_object_path = (dbus.ObjectPath
715
(u"/clients/"
716
+ self.name.replace(u".", u"_")))
717
DBusObjectWithProperties.__init__(self, self.bus,
718
self.dbus_object_path)
719
720
def _get_approvals_pending(self):
721
return self._approvals_pending
722
def _set_approvals_pending(self, value):
723
old_value = self._approvals_pending
724
self._approvals_pending = value
725
bval = bool(value)
726
if (hasattr(self, "dbus_object_path")
727
and bval is not bool(old_value)):
728
dbus_bool = dbus.Boolean(bval, variant_level=1)
729
self.PropertyChanged(dbus.String(u"approved_pending"),
730
dbus_bool)
731
732
approvals_pending = property(_get_approvals_pending,
733
_set_approvals_pending)
734
del _get_approvals_pending, _set_approvals_pending
735
736
@staticmethod
737
def _datetime_to_dbus(dt, variant_level=0):
738
"""Convert a UTC datetime.datetime() to a D-Bus type."""
739
return dbus.String(dt.isoformat(),
740
variant_level=variant_level)
741
742
def enable(self):
743
oldstate = getattr(self, u"enabled", False)
744
r = Client.enable(self)
745
if oldstate != self.enabled:
746
# Emit D-Bus signals
747
self.PropertyChanged(dbus.String(u"enabled"),
748
dbus.Boolean(True, variant_level=1))
749
self.PropertyChanged(
750
dbus.String(u"last_enabled"),
751
self._datetime_to_dbus(self.last_enabled,
752
variant_level=1))
753
return r
754
755
def disable(self, quiet = False):
756
oldstate = getattr(self, u"enabled", False)
757
r = Client.disable(self, quiet=quiet)
758
if not quiet and oldstate != self.enabled:
759
# Emit D-Bus signal
760
self.PropertyChanged(dbus.String(u"enabled"),
761
dbus.Boolean(False, variant_level=1))
762
return r
763
764
def __del__(self, *args, **kwargs):
765
try:
766
self.remove_from_connection()
767
except LookupError:
768
pass
769
if hasattr(DBusObjectWithProperties, u"__del__"):
770
DBusObjectWithProperties.__del__(self, *args, **kwargs)
771
Client.__del__(self, *args, **kwargs)
772
773
def checker_callback(self, pid, condition, command,
774
*args, **kwargs):
775
self.checker_callback_tag = None
776
self.checker = None
777
# Emit D-Bus signal
778
self.PropertyChanged(dbus.String(u"checker_running"),
779
dbus.Boolean(False, variant_level=1))
780
if os.WIFEXITED(condition):
781
exitstatus = os.WEXITSTATUS(condition)
782
# Emit D-Bus signal
783
self.CheckerCompleted(dbus.Int16(exitstatus),
784
dbus.Int64(condition),
785
dbus.String(command))
786
else:
787
# Emit D-Bus signal
788
self.CheckerCompleted(dbus.Int16(-1),
789
dbus.Int64(condition),
790
dbus.String(command))
791
792
return Client.checker_callback(self, pid, condition, command,
793
*args, **kwargs)
794
795
def checked_ok(self, *args, **kwargs):
796
r = Client.checked_ok(self, *args, **kwargs)
797
# Emit D-Bus signal
798
self.PropertyChanged(
799
dbus.String(u"last_checked_ok"),
800
(self._datetime_to_dbus(self.last_checked_ok,
801
variant_level=1)))
802
return r
803
804
def start_checker(self, *args, **kwargs):
805
old_checker = self.checker
806
if self.checker is not None:
807
old_checker_pid = self.checker.pid
808
else:
809
old_checker_pid = None
810
r = Client.start_checker(self, *args, **kwargs)
811
# Only if new checker process was started
812
if (self.checker is not None
813
and old_checker_pid != self.checker.pid):
814
# Emit D-Bus signal
815
self.CheckerStarted(self.current_checker_command)
816
self.PropertyChanged(
817
dbus.String(u"checker_running"),
818
dbus.Boolean(True, variant_level=1))
819
return r
820
821
def stop_checker(self, *args, **kwargs):
822
old_checker = getattr(self, u"checker", None)
823
r = Client.stop_checker(self, *args, **kwargs)
824
if (old_checker is not None
825
and getattr(self, u"checker", None) is None):
437
if self.use_dbus:
826
438
self.PropertyChanged(dbus.String(u"checker_running"),
827
439
dbus.Boolean(False, variant_level=1))
828
return r
829
830
def _reset_approved(self):
831
self._approved = None
832
return False
833
834
def approve(self, value=True):
835
self.send_changedstate()
836
self._approved = value
837
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
838
self._reset_approved)
839
840
841
## D-Bus methods, signals & properties
440
441
def still_valid(self):
442
"""Has the timeout not yet passed for this client?"""
443
if not getattr(self, "enabled", False):
444
return False
445
now = datetime.datetime.utcnow()
446
if self.last_checked_ok is None:
447
return now < (self.created + self.timeout)
448
else:
449
return now < (self.last_checked_ok + self.timeout)
450
451
## D-Bus methods & signals
842
452
_interface = u"se.bsnet.fukt.Mandos.Client"
843
453
844
## Signals
454
# CheckedOK - method
455
CheckedOK = dbus.service.method(_interface)(checked_ok)
456
CheckedOK.__name__ = "CheckedOK"
845
457
846
458
# CheckerCompleted - signal
847
@dbus.service.signal(_interface, signature=u"nxs")
459
@dbus.service.signal(_interface, signature="nxs")
848
460
def CheckerCompleted(self, exitcode, waitstatus, command):
849
461
"D-Bus signal"
850
462
pass
851
463
852
464
# CheckerStarted - signal
853
@dbus.service.signal(_interface, signature=u"s")
465
@dbus.service.signal(_interface, signature="s")
854
466
def CheckerStarted(self, command):
855
467
"D-Bus signal"
856
468
pass
857
469
470
# GetAllProperties - method
471
@dbus.service.method(_interface, out_signature="a{sv}")
472
def GetAllProperties(self):
473
"D-Bus method"
474
return dbus.Dictionary({
475
dbus.String("name"):
476
dbus.String(self.name, variant_level=1),
477
dbus.String("fingerprint"):
478
dbus.String(self.fingerprint, variant_level=1),
479
dbus.String("host"):
480
dbus.String(self.host, variant_level=1),
481
dbus.String("created"):
482
_datetime_to_dbus(self.created, variant_level=1),
483
dbus.String("last_enabled"):
484
(_datetime_to_dbus(self.last_enabled,
485
variant_level=1)
486
if self.last_enabled is not None
487
else dbus.Boolean(False, variant_level=1)),
488
dbus.String("enabled"):
489
dbus.Boolean(self.enabled, variant_level=1),
490
dbus.String("last_checked_ok"):
491
(_datetime_to_dbus(self.last_checked_ok,
492
variant_level=1)
493
if self.last_checked_ok is not None
494
else dbus.Boolean (False, variant_level=1)),
495
dbus.String("timeout"):
496
dbus.UInt64(self.timeout_milliseconds(),
497
variant_level=1),
498
dbus.String("interval"):
499
dbus.UInt64(self.interval_milliseconds(),
500
variant_level=1),
501
dbus.String("checker"):
502
dbus.String(self.checker_command,
503
variant_level=1),
504
dbus.String("checker_running"):
505
dbus.Boolean(self.checker is not None,
506
variant_level=1),
507
dbus.String("object_path"):
508
dbus.ObjectPath(self.dbus_object_path,
509
variant_level=1)
510
}, signature="sv")
511
512
# IsStillValid - method
513
IsStillValid = (dbus.service.method(_interface, out_signature="b")
514
(still_valid))
515
IsStillValid.__name__ = "IsStillValid"
516
858
517
# PropertyChanged - signal
859
@dbus.service.signal(_interface, signature=u"sv")
518
@dbus.service.signal(_interface, signature="sv")
860
519
def PropertyChanged(self, property, value):
861
520
"D-Bus signal"
862
521
pass
863
522
864
# GotSecret - signal
865
@dbus.service.signal(_interface)
866
def GotSecret(self):
867
"""D-Bus signal
868
Is sent after a successful transfer of secret from the Mandos
869
server to mandos-client
870
"""
871
pass
872
873
# Rejected - signal
874
@dbus.service.signal(_interface, signature=u"s")
875
def Rejected(self, reason):
876
"D-Bus signal"
877
pass
878
879
# NeedApproval - signal
880
@dbus.service.signal(_interface, signature=u"db")
881
def NeedApproval(self, timeout, default):
882
"D-Bus signal"
883
pass
884
885
## Methods
886
887
# Approve - method
888
@dbus.service.method(_interface, in_signature=u"b")
889
def Approve(self, value):
890
self.approve(value)
891
892
# CheckedOK - method
893
@dbus.service.method(_interface)
894
def CheckedOK(self):
895
return self.checked_ok()
523
# SetChecker - method
524
@dbus.service.method(_interface, in_signature="s")
525
def SetChecker(self, checker):
526
"D-Bus setter method"
527
self.checker_command = checker
528
# Emit D-Bus signal
529
self.PropertyChanged(dbus.String(u"checker"),
530
dbus.String(self.checker_command,
531
variant_level=1))
532
533
# SetHost - method
534
@dbus.service.method(_interface, in_signature="s")
535
def SetHost(self, host):
536
"D-Bus setter method"
537
self.host = host
538
# Emit D-Bus signal
539
self.PropertyChanged(dbus.String(u"host"),
540
dbus.String(self.host, variant_level=1))
541
542
# SetInterval - method
543
@dbus.service.method(_interface, in_signature="t")
544
def SetInterval(self, milliseconds):
545
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
546
# Emit D-Bus signal
547
self.PropertyChanged(dbus.String(u"interval"),
548
(dbus.UInt64(self.interval_milliseconds(),
549
variant_level=1)))
550
551
# SetSecret - method
552
@dbus.service.method(_interface, in_signature="ay",
553
byte_arrays=True)
554
def SetSecret(self, secret):
555
"D-Bus setter method"
556
self.secret = str(secret)
557
558
# SetTimeout - method
559
@dbus.service.method(_interface, in_signature="t")
560
def SetTimeout(self, milliseconds):
561
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
562
# Emit D-Bus signal
563
self.PropertyChanged(dbus.String(u"timeout"),
564
(dbus.UInt64(self.timeout_milliseconds(),
565
variant_level=1)))
896
566
897
567
# Enable - method
898
@dbus.service.method(_interface)
899
def Enable(self):
900
"D-Bus method"
901
self.enable()
568
Enable = dbus.service.method(_interface)(enable)
569
Enable.__name__ = "Enable"
902
570
903
571
# StartChecker - method
904
572
@dbus.service.method(_interface)
913
581
self.disable()
914
582
915
583
# StopChecker - method
916
@dbus.service.method(_interface)
917
def StopChecker(self):
918
self.stop_checker()
919
920
## Properties
921
922
# approved_pending - property
923
@dbus_service_property(_interface, signature=u"b", access=u"read")
924
def approved_pending_dbus_property(self):
925
return dbus.Boolean(bool(self.approvals_pending))
926
927
# approved_by_default - property
928
@dbus_service_property(_interface, signature=u"b",
929
access=u"readwrite")
930
def approved_by_default_dbus_property(self):
931
return dbus.Boolean(self.approved_by_default)
932
933
# approved_delay - property
934
@dbus_service_property(_interface, signature=u"t",
935
access=u"readwrite")
936
def approved_delay_dbus_property(self):
937
return dbus.UInt64(self.approved_delay_milliseconds())
938
939
# approved_duration - property
940
@dbus_service_property(_interface, signature=u"t",
941
access=u"readwrite")
942
def approved_duration_dbus_property(self):
943
return dbus.UInt64(self._timedelta_to_milliseconds(
944
self.approved_duration))
945
946
# name - property
947
@dbus_service_property(_interface, signature=u"s", access=u"read")
948
def name_dbus_property(self):
949
return dbus.String(self.name)
950
951
# fingerprint - property
952
@dbus_service_property(_interface, signature=u"s", access=u"read")
953
def fingerprint_dbus_property(self):
954
return dbus.String(self.fingerprint)
955
956
# host - property
957
@dbus_service_property(_interface, signature=u"s",
958
access=u"readwrite")
959
def host_dbus_property(self, value=None):
960
if value is None: # get
961
return dbus.String(self.host)
962
self.host = value
963
# Emit D-Bus signal
964
self.PropertyChanged(dbus.String(u"host"),
965
dbus.String(value, variant_level=1))
966
967
# created - property
968
@dbus_service_property(_interface, signature=u"s", access=u"read")
969
def created_dbus_property(self):
970
return dbus.String(self._datetime_to_dbus(self.created))
971
972
# last_enabled - property
973
@dbus_service_property(_interface, signature=u"s", access=u"read")
974
def last_enabled_dbus_property(self):
975
if self.last_enabled is None:
976
return dbus.String(u"")
977
return dbus.String(self._datetime_to_dbus(self.last_enabled))
978
979
# enabled - property
980
@dbus_service_property(_interface, signature=u"b",
981
access=u"readwrite")
982
def enabled_dbus_property(self, value=None):
983
if value is None: # get
984
return dbus.Boolean(self.enabled)
985
if value:
986
self.enable()
987
else:
988
self.disable()
989
990
# last_checked_ok - property
991
@dbus_service_property(_interface, signature=u"s",
992
access=u"readwrite")
993
def last_checked_ok_dbus_property(self, value=None):
994
if value is not None:
995
self.checked_ok()
996
return
997
if self.last_checked_ok is None:
998
return dbus.String(u"")
999
return dbus.String(self._datetime_to_dbus(self
1000
.last_checked_ok))
1001
1002
# timeout - property
1003
@dbus_service_property(_interface, signature=u"t",
1004
access=u"readwrite")
1005
def timeout_dbus_property(self, value=None):
1006
if value is None: # get
1007
return dbus.UInt64(self.timeout_milliseconds())
1008
self.timeout = datetime.timedelta(0, 0, 0, value)
1009
# Emit D-Bus signal
1010
self.PropertyChanged(dbus.String(u"timeout"),
1011
dbus.UInt64(value, variant_level=1))
1012
if getattr(self, u"disable_initiator_tag", None) is None:
1013
return
1014
# Reschedule timeout
1015
gobject.source_remove(self.disable_initiator_tag)
1016
self.disable_initiator_tag = None
1017
time_to_die = (self.
1018
_timedelta_to_milliseconds((self
1019
.last_checked_ok
1020
+ self.timeout)
1021
- datetime.datetime
1022
.utcnow()))
1023
if time_to_die <= 0:
1024
# The timeout has passed
1025
self.disable()
1026
else:
1027
self.disable_initiator_tag = (gobject.timeout_add
1028
(time_to_die, self.disable))
1029
1030
# interval - property
1031
@dbus_service_property(_interface, signature=u"t",
1032
access=u"readwrite")
1033
def interval_dbus_property(self, value=None):
1034
if value is None: # get
1035
return dbus.UInt64(self.interval_milliseconds())
1036
self.interval = datetime.timedelta(0, 0, 0, value)
1037
# Emit D-Bus signal
1038
self.PropertyChanged(dbus.String(u"interval"),
1039
dbus.UInt64(value, variant_level=1))
1040
if getattr(self, u"checker_initiator_tag", None) is None:
1041
return
1042
# Reschedule checker run
1043
gobject.source_remove(self.checker_initiator_tag)
1044
self.checker_initiator_tag = (gobject.timeout_add
1045
(value, self.start_checker))
1046
self.start_checker() # Start one now, too
1047
1048
# checker - property
1049
@dbus_service_property(_interface, signature=u"s",
1050
access=u"readwrite")
1051
def checker_dbus_property(self, value=None):
1052
if value is None: # get
1053
return dbus.String(self.checker_command)
1054
self.checker_command = value
1055
# Emit D-Bus signal
1056
self.PropertyChanged(dbus.String(u"checker"),
1057
dbus.String(self.checker_command,
1058
variant_level=1))
1059
1060
# checker_running - property
1061
@dbus_service_property(_interface, signature=u"b",
1062
access=u"readwrite")
1063
def checker_running_dbus_property(self, value=None):
1064
if value is None: # get
1065
return dbus.Boolean(self.checker is not None)
1066
if value:
1067
self.start_checker()
1068
else:
1069
self.stop_checker()
1070
1071
# object_path - property
1072
@dbus_service_property(_interface, signature=u"o", access=u"read")
1073
def object_path_dbus_property(self):
1074
return self.dbus_object_path # is already a dbus.ObjectPath
1075
1076
# secret = property
1077
@dbus_service_property(_interface, signature=u"ay",
1078
access=u"write", byte_arrays=True)
1079
def secret_dbus_property(self, value):
1080
self.secret = str(value)
584
StopChecker = dbus.service.method(_interface)(stop_checker)
585
StopChecker.__name__ = "StopChecker"
1081
586
1082
587
del _interface
1083
588
1084
589
1085
class ProxyClient(object):
1086
def __init__(self, child_pipe, fpr, address):
1087
self._pipe = child_pipe
1088
self._pipe.send(('init', fpr, address))
1089
if not self._pipe.recv():
1090
raise KeyError()
1091
1092
def __getattribute__(self, name):
1093
if(name == '_pipe'):
1094
return super(ProxyClient, self).__getattribute__(name)
1095
self._pipe.send(('getattr', name))
1096
data = self._pipe.recv()
1097
if data[0] == 'data':
1098
return data[1]
1099
if data[0] == 'function':
1100
def func(*args, **kwargs):
1101
self._pipe.send(('funcall', name, args, kwargs))
1102
return self._pipe.recv()[1]
1103
return func
1104
1105
def __setattr__(self, name, value):
1106
if(name == '_pipe'):
1107
return super(ProxyClient, self).__setattr__(name, value)
1108
self._pipe.send(('setattr', name, value))
1109
1110
1111
class ClientHandler(socketserver.BaseRequestHandler, object):
1112
"""A class to handle client connections.
1113
1114
Instantiated once for each connection to handle it.
590
def peer_certificate(session):
591
"Return the peer's OpenPGP certificate as a bytestring"
592
# If not an OpenPGP certificate...
593
if (gnutls.library.functions
594
.gnutls_certificate_type_get(session._c_object)
595
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
596
# ...do the normal thing
597
return session.peer_certificate
598
list_size = ctypes.c_uint(1)
599
cert_list = (gnutls.library.functions
600
.gnutls_certificate_get_peers
601
(session._c_object, ctypes.byref(list_size)))
602
if not bool(cert_list) and list_size.value != 0:
603
raise gnutls.errors.GNUTLSError("error getting peer"
604
" certificate")
605
if list_size.value == 0:
606
return None
607
cert = cert_list[0]
608
return ctypes.string_at(cert.data, cert.size)
609
610
611
def fingerprint(openpgp):
612
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
613
# New GnuTLS "datum" with the OpenPGP public key
614
datum = (gnutls.library.types
615
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
616
ctypes.POINTER
617
(ctypes.c_ubyte)),
618
ctypes.c_uint(len(openpgp))))
619
# New empty GnuTLS certificate
620
crt = gnutls.library.types.gnutls_openpgp_crt_t()
621
(gnutls.library.functions
622
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
623
# Import the OpenPGP public key into the certificate
624
(gnutls.library.functions
625
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
626
gnutls.library.constants
627
.GNUTLS_OPENPGP_FMT_RAW))
628
# Verify the self signature in the key
629
crtverify = ctypes.c_uint()
630
(gnutls.library.functions
631
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
632
if crtverify.value != 0:
633
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
634
raise gnutls.errors.CertificateSecurityError("Verify failed")
635
# New buffer for the fingerprint
636
buf = ctypes.create_string_buffer(20)
637
buf_len = ctypes.c_size_t()
638
# Get the fingerprint from the certificate into the buffer
639
(gnutls.library.functions
640
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
641
ctypes.byref(buf_len)))
642
# Deinit the certificate
643
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
644
# Convert the buffer to a Python bytestring
645
fpr = ctypes.string_at(buf, buf_len.value)
646
# Convert the bytestring to hexadecimal notation
647
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
648
return hex_fpr
649
650
651
class TCP_handler(SocketServer.BaseRequestHandler, object):
652
"""A TCP request handler class.
653
Instantiated by IPv6_TCPServer for each request to handle it.
1115
654
Note: This will run in its own forked process."""
1116
655
1117
656
def handle(self):
1118
with contextlib.closing(self.server.child_pipe) as child_pipe:
1119
logger.info(u"TCP connection from: %s",
1120
unicode(self.client_address))
1121
logger.debug(u"Pipe FD: %d",
1122
self.server.child_pipe.fileno())
1123
1124
session = (gnutls.connection
1125
.ClientSession(self.request,
1126
gnutls.connection
1127
.X509Credentials()))
1128
1129
# Note: gnutls.connection.X509Credentials is really a
1130
# generic GnuTLS certificate credentials object so long as
1131
# no X.509 keys are added to it. Therefore, we can use it
1132
# here despite using OpenPGP certificates.
1133
1134
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1135
# u"+AES-256-CBC", u"+SHA1",
1136
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1137
# u"+DHE-DSS"))
1138
# Use a fallback default, since this MUST be set.
1139
priority = self.server.gnutls_priority
1140
if priority is None:
1141
priority = u"NORMAL"
1142
(gnutls.library.functions
1143
.gnutls_priority_set_direct(session._c_object,
1144
priority, None))
1145
1146
# Start communication using the Mandos protocol
1147
# Get protocol number
1148
line = self.request.makefile().readline()
1149
logger.debug(u"Protocol version: %r", line)
1150
try:
1151
if int(line.strip().split()[0]) > 1:
1152
raise RuntimeError
1153
except (ValueError, IndexError, RuntimeError), error:
1154
logger.error(u"Unknown protocol version: %s", error)
1155
return
1156
1157
# Start GnuTLS connection
1158
try:
1159
session.handshake()
1160
except gnutls.errors.GNUTLSError, error:
1161
logger.warning(u"Handshake failed: %s", error)
1162
# Do not run session.bye() here: the session is not
1163
# established. Just abandon the request.
1164
return
1165
logger.debug(u"Handshake succeeded")
1166
1167
approval_required = False
1168
try:
1169
try:
1170
fpr = self.fingerprint(self.peer_certificate
1171
(session))
1172
except (TypeError, gnutls.errors.GNUTLSError), error:
1173
logger.warning(u"Bad certificate: %s", error)
1174
return
1175
logger.debug(u"Fingerprint: %s", fpr)
1176
1177
try:
1178
client = ProxyClient(child_pipe, fpr,
1179
self.client_address)
1180
except KeyError:
1181
return
1182
1183
if client.approved_delay:
1184
delay = client.approved_delay
1185
client.approvals_pending += 1
1186
approval_required = True
1187
1188
while True:
1189
if not client.enabled:
1190
logger.warning(u"Client %s is disabled",
1191
client.name)
1192
if self.server.use_dbus:
1193
# Emit D-Bus signal
1194
client.Rejected("Disabled")
1195
return
1196
1197
if client._approved or not client.approved_delay:
1198
#We are approved or approval is disabled
1199
break
1200
elif client._approved is None:
1201
logger.info(u"Client %s need approval",
1202
client.name)
1203
if self.server.use_dbus:
1204
# Emit D-Bus signal
1205
client.NeedApproval(
1206
client.approved_delay_milliseconds(),
1207
client.approved_by_default)
1208
else:
1209
logger.warning(u"Client %s was not approved",
1210
client.name)
1211
if self.server.use_dbus:
1212
# Emit D-Bus signal
1213
client.Rejected("Disapproved")
1214
return
1215
1216
#wait until timeout or approved
1217
#x = float(client._timedelta_to_milliseconds(delay))
1218
time = datetime.datetime.now()
1219
client.changedstate.acquire()
1220
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1221
client.changedstate.release()
1222
time2 = datetime.datetime.now()
1223
if (time2 - time) >= delay:
1224
if not client.approved_by_default:
1225
logger.warning("Client %s timed out while"
1226
" waiting for approval",
1227
client.name)
1228
if self.server.use_dbus:
1229
# Emit D-Bus signal
1230
client.Rejected("Approval timed out")
1231
return
1232
else:
1233
break
1234
else:
1235
delay -= time2 - time
1236
1237
sent_size = 0
1238
while sent_size < len(client.secret):
1239
try:
1240
sent = session.send(client.secret[sent_size:])
1241
except (gnutls.errors.GNUTLSError), error:
1242
logger.warning("gnutls send failed")
1243
return
1244
logger.debug(u"Sent: %d, remaining: %d",
1245
sent, len(client.secret)
1246
- (sent_size + sent))
1247
sent_size += sent
1248
1249
logger.info(u"Sending secret to %s", client.name)
1250
# bump the timeout as if seen
1251
client.checked_ok()
1252
if self.server.use_dbus:
1253
# Emit D-Bus signal
1254
client.GotSecret()
1255
1256
finally:
1257
if approval_required:
1258
client.approvals_pending -= 1
1259
try:
1260
session.bye()
1261
except (gnutls.errors.GNUTLSError), error:
1262
logger.warning("gnutls bye failed")
1263
1264
@staticmethod
1265
def peer_certificate(session):
1266
"Return the peer's OpenPGP certificate as a bytestring"
1267
# If not an OpenPGP certificate...
1268
if (gnutls.library.functions
1269
.gnutls_certificate_type_get(session._c_object)
1270
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1271
# ...do the normal thing
1272
return session.peer_certificate
1273
list_size = ctypes.c_uint(1)
1274
cert_list = (gnutls.library.functions
1275
.gnutls_certificate_get_peers
1276
(session._c_object, ctypes.byref(list_size)))
1277
if not bool(cert_list) and list_size.value != 0:
1278
raise gnutls.errors.GNUTLSError(u"error getting peer"
1279
u" certificate")
1280
if list_size.value == 0:
1281
return None
1282
cert = cert_list[0]
1283
return ctypes.string_at(cert.data, cert.size)
1284
1285
@staticmethod
1286
def fingerprint(openpgp):
1287
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1288
# New GnuTLS "datum" with the OpenPGP public key
1289
datum = (gnutls.library.types
1290
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1291
ctypes.POINTER
1292
(ctypes.c_ubyte)),
1293
ctypes.c_uint(len(openpgp))))
1294
# New empty GnuTLS certificate
1295
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1296
(gnutls.library.functions
1297
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1298
# Import the OpenPGP public key into the certificate
1299
(gnutls.library.functions
1300
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1301
gnutls.library.constants
1302
.GNUTLS_OPENPGP_FMT_RAW))
1303
# Verify the self signature in the key
1304
crtverify = ctypes.c_uint()
1305
(gnutls.library.functions
1306
.gnutls_openpgp_crt_verify_self(crt, 0,
1307
ctypes.byref(crtverify)))
1308
if crtverify.value != 0:
1309
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1310
raise (gnutls.errors.CertificateSecurityError
1311
(u"Verify failed"))
1312
# New buffer for the fingerprint
1313
buf = ctypes.create_string_buffer(20)
1314
buf_len = ctypes.c_size_t()
1315
# Get the fingerprint from the certificate into the buffer
1316
(gnutls.library.functions
1317
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1318
ctypes.byref(buf_len)))
1319
# Deinit the certificate
1320
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1321
# Convert the buffer to a Python bytestring
1322
fpr = ctypes.string_at(buf, buf_len.value)
1323
# Convert the bytestring to hexadecimal notation
1324
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1325
return hex_fpr
1326
1327
1328
class MultiprocessingMixIn(object):
1329
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1330
def sub_process_main(self, request, address):
1331
try:
1332
self.finish_request(request, address)
1333
except:
1334
self.handle_error(request, address)
1335
self.close_request(request)
1336
1337
def process_request(self, request, address):
1338
"""Start a new process to process the request."""
1339
multiprocessing.Process(target = self.sub_process_main,
1340
args = (request, address)).start()
1341
1342
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1343
""" adds a pipe to the MixIn """
1344
def process_request(self, request, client_address):
1345
"""Overrides and wraps the original process_request().
1346
1347
This function creates a new pipe in self.pipe
1348
"""
1349
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1350
1351
super(MultiprocessingMixInWithPipe,
1352
self).process_request(request, client_address)
1353
self.child_pipe.close()
1354
self.add_pipe(parent_pipe)
1355
1356
def add_pipe(self, parent_pipe):
1357
"""Dummy function; override as necessary"""
1358
pass
1359
1360
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1361
socketserver.TCPServer, object):
1362
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1363
657
logger.info(u"TCP connection from: %s",
658
unicode(self.client_address))
659
session = (gnutls.connection
660
.ClientSession(self.request,
661
gnutls.connection
662
.X509Credentials()))
663
664
line = self.request.makefile().readline()
665
logger.debug(u"Protocol version: %r", line)
666
try:
667
if int(line.strip().split()[0]) > 1:
668
raise RuntimeError
669
except (ValueError, IndexError, RuntimeError), error:
670
logger.error(u"Unknown protocol version: %s", error)
671
return
672
673
# Note: gnutls.connection.X509Credentials is really a generic
674
# GnuTLS certificate credentials object so long as no X.509
675
# keys are added to it. Therefore, we can use it here despite
676
# using OpenPGP certificates.
677
678
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
679
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
680
# "+DHE-DSS"))
681
# Use a fallback default, since this MUST be set.
682
priority = self.server.settings.get("priority", "NORMAL")
683
(gnutls.library.functions
684
.gnutls_priority_set_direct(session._c_object,
685
priority, None))
686
687
try:
688
session.handshake()
689
except gnutls.errors.GNUTLSError, error:
690
logger.warning(u"Handshake failed: %s", error)
691
# Do not run session.bye() here: the session is not
692
# established. Just abandon the request.
693
return
694
logger.debug(u"Handshake succeeded")
695
try:
696
fpr = fingerprint(peer_certificate(session))
697
except (TypeError, gnutls.errors.GNUTLSError), error:
698
logger.warning(u"Bad certificate: %s", error)
699
session.bye()
700
return
701
logger.debug(u"Fingerprint: %s", fpr)
702
703
for c in self.server.clients:
704
if c.fingerprint == fpr:
705
client = c
706
break
707
else:
708
logger.warning(u"Client not found for fingerprint: %s",
709
fpr)
710
session.bye()
711
return
712
# Have to check if client.still_valid(), since it is possible
713
# that the client timed out while establishing the GnuTLS
714
# session.
715
if not client.still_valid():
716
logger.warning(u"Client %(name)s is invalid",
717
vars(client))
718
session.bye()
719
return
720
## This won't work here, since we're in a fork.
721
# client.checked_ok()
722
sent_size = 0
723
while sent_size < len(client.secret):
724
sent = session.send(client.secret[sent_size:])
725
logger.debug(u"Sent: %d, remaining: %d",
726
sent, len(client.secret)
727
- (sent_size + sent))
728
sent_size += sent
729
session.bye()
730
731
732
class IPv6_TCPServer(SocketServer.ForkingMixIn,
733
SocketServer.TCPServer, object):
734
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1364
735
Attributes:
736
settings: Server settings
737
clients: Set() of Client objects
1365
738
enabled: Boolean; whether this server is activated yet
1366
interface: None or a network interface name (string)
1367
use_ipv6: Boolean; to use IPv6 or not
1368
739
"""
1369
def __init__(self, server_address, RequestHandlerClass,
1370
interface=None, use_ipv6=True):
1371
self.interface = interface
1372
if use_ipv6:
1373
self.address_family = socket.AF_INET6
1374
socketserver.TCPServer.__init__(self, server_address,
1375
RequestHandlerClass)
740
address_family = socket.AF_INET6
741
def __init__(self, *args, **kwargs):
742
if "settings" in kwargs:
743
self.settings = kwargs["settings"]
744
del kwargs["settings"]
745
if "clients" in kwargs:
746
self.clients = kwargs["clients"]
747
del kwargs["clients"]
748
self.enabled = False
749
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1376
750
def server_bind(self):
1377
751
"""This overrides the normal server_bind() function
1378
752
to bind to an interface if one was specified, and also NOT to
1379
753
bind to an address or port if they were not specified."""
1380
if self.interface is not None:
1381
if SO_BINDTODEVICE is None:
1382
logger.error(u"SO_BINDTODEVICE does not exist;"
1383
u" cannot bind to interface %s",
1384
self.interface)
1385
else:
1386
try:
1387
self.socket.setsockopt(socket.SOL_SOCKET,
1388
SO_BINDTODEVICE,
1389
str(self.interface
1390
+ u'\0'))
1391
except socket.error, error:
1392
if error[0] == errno.EPERM:
1393
logger.error(u"No permission to"
1394
u" bind to interface %s",
1395
self.interface)
1396
elif error[0] == errno.ENOPROTOOPT:
1397
logger.error(u"SO_BINDTODEVICE not available;"
1398
u" cannot bind to interface %s",
1399
self.interface)
1400
else:
1401
raise
754
if self.settings["interface"]:
755
# 25 is from /usr/include/asm-i486/socket.h
756
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
757
try:
758
self.socket.setsockopt(socket.SOL_SOCKET,
759
SO_BINDTODEVICE,
760
self.settings["interface"])
761
except socket.error, error:
762
if error[0] == errno.EPERM:
763
logger.error(u"No permission to"
764
u" bind to interface %s",
765
self.settings["interface"])
766
else:
767
raise error
1402
768
# Only bind(2) the socket if we really need to.
1403
769
if self.server_address[0] or self.server_address[1]:
1404
770
if not self.server_address[0]:
1405
if self.address_family == socket.AF_INET6:
1406
any_address = u"::" # in6addr_any
1407
else:
1408
any_address = socket.INADDR_ANY
1409
self.server_address = (any_address,
771
in6addr_any = "::"
772
self.server_address = (in6addr_any,
1410
773
self.server_address[1])
1411
774
elif not self.server_address[1]:
1412
775
self.server_address = (self.server_address[0],
1413
776
0)
1414
# if self.interface:
777
# if self.settings["interface"]:
1415
778
# self.server_address = (self.server_address[0],
1416
779
# 0, # port
1417
780
# 0, # flowinfo
1418
781
# if_nametoindex
1419
# (self.interface))
1420
return socketserver.TCPServer.server_bind(self)
1421
1422
1423
class MandosServer(IPv6_TCPServer):
1424
"""Mandos server.
1425
1426
Attributes:
1427
clients: set of Client objects
1428
gnutls_priority GnuTLS priority string
1429
use_dbus: Boolean; to emit D-Bus signals or not
1430
1431
Assumes a gobject.MainLoop event loop.
1432
"""
1433
def __init__(self, server_address, RequestHandlerClass,
1434
interface=None, use_ipv6=True, clients=None,
1435
gnutls_priority=None, use_dbus=True):
1436
self.enabled = False
1437
self.clients = clients
1438
if self.clients is None:
1439
self.clients = set()
1440
self.use_dbus = use_dbus
1441
self.gnutls_priority = gnutls_priority
1442
IPv6_TCPServer.__init__(self, server_address,
1443
RequestHandlerClass,
1444
interface = interface,
1445
use_ipv6 = use_ipv6)
782
# (self.settings
783
# ["interface"]))
784
return super(IPv6_TCPServer, self).server_bind()
1446
785
def server_activate(self):
1447
786
if self.enabled:
1448
return socketserver.TCPServer.server_activate(self)
787
return super(IPv6_TCPServer, self).server_activate()
1449
788
def enable(self):
1450
789
self.enabled = True
1451
def add_pipe(self, parent_pipe):
1452
# Call "handle_ipc" for both data and EOF events
1453
gobject.io_add_watch(parent_pipe.fileno(),
1454
gobject.IO_IN | gobject.IO_HUP,
1455
functools.partial(self.handle_ipc,
1456
parent_pipe = parent_pipe))
1457
1458
def handle_ipc(self, source, condition, parent_pipe=None,
1459
client_object=None):
1460
condition_names = {
1461
gobject.IO_IN: u"IN", # There is data to read.
1462
gobject.IO_OUT: u"OUT", # Data can be written (without
1463
# blocking).
1464
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1465
gobject.IO_ERR: u"ERR", # Error condition.
1466
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1467
# broken, usually for pipes and
1468
# sockets).
1469
}
1470
conditions_string = ' | '.join(name
1471
for cond, name in
1472
condition_names.iteritems()
1473
if cond & condition)
1474
# error or the other end of multiprocessing.Pipe has closed
1475
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1476
return False
1477
1478
# Read a request from the child
1479
request = parent_pipe.recv()
1480
command = request[0]
1481
1482
if command == 'init':
1483
fpr = request[1]
1484
address = request[2]
1485
1486
for c in self.clients:
1487
if c.fingerprint == fpr:
1488
client = c
1489
break
1490
else:
1491
logger.warning(u"Client not found for fingerprint: %s, ad"
1492
u"dress: %s", fpr, address)
1493
if self.use_dbus:
1494
# Emit D-Bus signal
1495
mandos_dbus_service.ClientNotFound(fpr, address)
1496
parent_pipe.send(False)
1497
return False
1498
1499
gobject.io_add_watch(parent_pipe.fileno(),
1500
gobject.IO_IN | gobject.IO_HUP,
1501
functools.partial(self.handle_ipc,
1502
parent_pipe = parent_pipe,
1503
client_object = client))
1504
parent_pipe.send(True)
1505
# remove the old hook in favor of the new above hook on same fileno
1506
return False
1507
if command == 'funcall':
1508
funcname = request[1]
1509
args = request[2]
1510
kwargs = request[3]
1511
1512
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1513
1514
if command == 'getattr':
1515
attrname = request[1]
1516
if callable(client_object.__getattribute__(attrname)):
1517
parent_pipe.send(('function',))
1518
else:
1519
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1520
1521
if command == 'setattr':
1522
attrname = request[1]
1523
value = request[2]
1524
setattr(client_object, attrname, value)
1525
1526
return True
1527
790
1528
791
1529
792
def string_to_delta(interval):
1530
793
"""Parse a string and return a datetime.timedelta
1531
794
1532
>>> string_to_delta(u'7d')
795
>>> string_to_delta('7d')
1533
796
datetime.timedelta(7)
1534
>>> string_to_delta(u'60s')
797
>>> string_to_delta('60s')
1535
798
datetime.timedelta(0, 60)
1536
>>> string_to_delta(u'60m')
799
>>> string_to_delta('60m')
1537
800
datetime.timedelta(0, 3600)
1538
>>> string_to_delta(u'24h')
801
>>> string_to_delta('24h')
1539
802
datetime.timedelta(1)
1540
803
>>> string_to_delta(u'1w')
1541
804
datetime.timedelta(7)
1542
>>> string_to_delta(u'5m 30s')
805
>>> string_to_delta('5m 30s')
1543
806
datetime.timedelta(0, 330)
1544
807
"""
1545
808
timevalue = datetime.timedelta(0)
1558
821
elif suffix == u"w":
1559
822
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1560
823
else:
1561
raise ValueError(u"Unknown suffix %r" % suffix)
1562
except (ValueError, IndexError), e:
1563
raise ValueError(e.message)
824
raise ValueError
825
except (ValueError, IndexError):
826
raise ValueError
1564
827
timevalue += delta
1565
828
return timevalue
1566
829
1567
830
831
def server_state_changed(state):
832
"""Derived from the Avahi example code"""
833
if state == avahi.SERVER_COLLISION:
834
logger.error(u"Zeroconf server name collision")
835
service.remove()
836
elif state == avahi.SERVER_RUNNING:
837
service.add()
838
839
840
def entry_group_state_changed(state, error):
841
"""Derived from the Avahi example code"""
842
logger.debug(u"Avahi state change: %i", state)
843
844
if state == avahi.ENTRY_GROUP_ESTABLISHED:
845
logger.debug(u"Zeroconf service established.")
846
elif state == avahi.ENTRY_GROUP_COLLISION:
847
logger.warning(u"Zeroconf service name collision.")
848
service.rename()
849
elif state == avahi.ENTRY_GROUP_FAILURE:
850
logger.critical(u"Avahi: Error in group state changed %s",
851
unicode(error))
852
raise AvahiGroupError(u"State changed: %s" % unicode(error))
853
1568
854
def if_nametoindex(interface):
1569
"""Call the C function if_nametoindex(), or equivalent
1570
1571
Note: This function cannot accept a unicode string."""
855
"""Call the C function if_nametoindex(), or equivalent"""
1572
856
global if_nametoindex
1573
857
try:
1574
858
if_nametoindex = (ctypes.cdll.LoadLibrary
1575
(ctypes.util.find_library(u"c"))
859
(ctypes.util.find_library("c"))
1576
860
.if_nametoindex)
1577
861
except (OSError, AttributeError):
1578
logger.warning(u"Doing if_nametoindex the hard way")
862
if "struct" not in sys.modules:
863
import struct
864
if "fcntl" not in sys.modules:
865
import fcntl
1579
866
def if_nametoindex(interface):
1580
867
"Get an interface index the hard way, i.e. using fcntl()"
1581
868
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1582
with contextlib.closing(socket.socket()) as s:
869
with closing(socket.socket()) as s:
1583
870
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1584
struct.pack(str(u"16s16x"),
1585
interface))
1586
interface_index = struct.unpack(str(u"I"),
1587
ifreq[16:20])[0]
871
struct.pack("16s16x", interface))
872
interface_index = struct.unpack("I", ifreq[16:20])[0]
1588
873
return interface_index
1589
874
return if_nametoindex(interface)
1590
875
1591
876
1592
877
def daemon(nochdir = False, noclose = False):
1593
878
"""See daemon(3). Standard BSD Unix function.
1594
1595
879
This should really exist as os.daemon, but it doesn't (yet)."""
1596
880
if os.fork():
1597
881
sys.exit()
1598
882
os.setsid()
1599
883
if not nochdir:
1600
os.chdir(u"/")
884
os.chdir("/")
1601
885
if os.fork():
1602
886
sys.exit()
1603
887
if not noclose:
1605
889
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1606
890
if not stat.S_ISCHR(os.fstat(null).st_mode):
1607
891
raise OSError(errno.ENODEV,
1608
u"%s not a character device"
1609
% os.path.devnull)
892
"/dev/null not a character device")
1610
893
os.dup2(null, sys.stdin.fileno())
1611
894
os.dup2(null, sys.stdout.fileno())
1612
895
os.dup2(null, sys.stderr.fileno())
1615
898
1616
899
1617
900
def main():
1618
1619
##################################################################
1620
# Parsing of options, both command line and config file
1621
1622
901
parser = optparse.OptionParser(version = "%%prog %s" % version)
1623
parser.add_option("-i", u"--interface", type=u"string",
1624
metavar="IF", help=u"Bind to interface IF")
1625
parser.add_option("-a", u"--address", type=u"string",
1626
help=u"Address to listen for requests on")
1627
parser.add_option("-p", u"--port", type=u"int",
1628
help=u"Port number to receive requests on")
1629
parser.add_option("--check", action=u"store_true",
1630
help=u"Run self-test")
1631
parser.add_option("--debug", action=u"store_true",
1632
help=u"Debug mode; run in foreground and log to"
1633
u" terminal")
1634
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1635
help=u"Debug level for stdout output")
1636
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1637
u" priority string (see GnuTLS documentation)")
1638
parser.add_option("--servicename", type=u"string",
1639
metavar=u"NAME", help=u"Zeroconf service name")
1640
parser.add_option("--configdir", type=u"string",
1641
default=u"/etc/mandos", metavar=u"DIR",
1642
help=u"Directory to search for configuration"
1643
u" files")
1644
parser.add_option("--no-dbus", action=u"store_false",
1645
dest=u"use_dbus", help=u"Do not provide D-Bus"
1646
u" system bus interface")
1647
parser.add_option("--no-ipv6", action=u"store_false",
1648
dest=u"use_ipv6", help=u"Do not use IPv6")
902
parser.add_option("-i", "--interface", type="string",
903
metavar="IF", help="Bind to interface IF")
904
parser.add_option("-a", "--address", type="string",
905
help="Address to listen for requests on")
906
parser.add_option("-p", "--port", type="int",
907
help="Port number to receive requests on")
908
parser.add_option("--check", action="store_true",
909
help="Run self-test")
910
parser.add_option("--debug", action="store_true",
911
help="Debug mode; run in foreground and log to"
912
" terminal")
913
parser.add_option("--priority", type="string", help="GnuTLS"
914
" priority string (see GnuTLS documentation)")
915
parser.add_option("--servicename", type="string", metavar="NAME",
916
help="Zeroconf service name")
917
parser.add_option("--configdir", type="string",
918
default="/etc/mandos", metavar="DIR",
919
help="Directory to search for configuration"
920
" files")
921
parser.add_option("--no-dbus", action="store_false",
922
dest="use_dbus",
923
help="Do not provide D-Bus system bus"
924
" interface")
1649
925
options = parser.parse_args()[0]
1650
926
1651
927
if options.check:
1654
930
sys.exit()
1655
931
1656
932
# Default values for config file for server-global settings
1657
server_defaults = { u"interface": u"",
1658
u"address": u"",
1659
u"port": u"",
1660
u"debug": u"False",
1661
u"priority":
1662
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1663
u"servicename": u"Mandos",
1664
u"use_dbus": u"True",
1665
u"use_ipv6": u"True",
1666
u"debuglevel": u"",
933
server_defaults = { "interface": "",
934
"address": "",
935
"port": "",
936
"debug": "False",
937
"priority":
938
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
939
"servicename": "Mandos",
940
"use_dbus": "True",
1667
941
}
1668
942
1669
943
# Parse config file for server-global settings
1670
server_config = configparser.SafeConfigParser(server_defaults)
944
server_config = ConfigParser.SafeConfigParser(server_defaults)
1671
945
del server_defaults
1672
server_config.read(os.path.join(options.configdir,
1673
u"mandos.conf"))
946
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1674
947
# Convert the SafeConfigParser object to a dict
1675
948
server_settings = server_config.defaults()
1676
949
# Use the appropriate methods on the non-string config options
1677
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1678
server_settings[option] = server_config.getboolean(u"DEFAULT",
1679
option)
950
server_settings["debug"] = server_config.getboolean("DEFAULT",
951
"debug")
952
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
953
"use_dbus")
1680
954
if server_settings["port"]:
1681
server_settings["port"] = server_config.getint(u"DEFAULT",
1682
u"port")
955
server_settings["port"] = server_config.getint("DEFAULT",
956
"port")
1683
957
del server_config
1684
958
1685
959
# Override the settings from the config file with command line
1686
960
# options, if set.
1687
for option in (u"interface", u"address", u"port", u"debug",
1688
u"priority", u"servicename", u"configdir",
1689
u"use_dbus", u"use_ipv6", u"debuglevel"):
961
for option in ("interface", "address", "port", "debug",
962
"priority", "servicename", "configdir",
963
"use_dbus"):
1690
964
value = getattr(options, option)
1691
965
if value is not None:
1692
966
server_settings[option] = value
1693
967
del options
1694
# Force all strings to be unicode
1695
for option in server_settings.keys():
1696
if type(server_settings[option]) is str:
1697
server_settings[option] = unicode(server_settings[option])
1698
968
# Now we have our good server settings in "server_settings"
1699
969
1700
##################################################################
1701
1702
970
# For convenience
1703
debug = server_settings[u"debug"]
1704
debuglevel = server_settings[u"debuglevel"]
1705
use_dbus = server_settings[u"use_dbus"]
1706
use_ipv6 = server_settings[u"use_ipv6"]
971
debug = server_settings["debug"]
972
use_dbus = server_settings["use_dbus"]
1707
973
1708
if server_settings[u"servicename"] != u"Mandos":
974
def sigsegvhandler(signum, frame):
975
raise RuntimeError('Segmentation fault')
976
977
if not debug:
978
syslogger.setLevel(logging.WARNING)
979
console.setLevel(logging.WARNING)
980
else:
981
signal.signal(signal.SIGSEGV, sigsegvhandler)
982
983
if server_settings["servicename"] != "Mandos":
1709
984
syslogger.setFormatter(logging.Formatter
1710
(u'Mandos (%s) [%%(process)d]:'
1711
u' %%(levelname)s: %%(message)s'
1712
% server_settings[u"servicename"]))
985
('Mandos (%s): %%(levelname)s:'
986
' %%(message)s'
987
% server_settings["servicename"]))
1713
988
1714
989
# Parse config file with clients
1715
client_defaults = { u"timeout": u"1h",
1716
u"interval": u"5m",
1717
u"checker": u"fping -q -- %%(host)s",
1718
u"host": u"",
1719
u"approved_delay": u"0s",
1720
u"approved_duration": u"1s",
990
client_defaults = { "timeout": "1h",
991
"interval": "5m",
992
"checker": "fping -q -- %%(host)s",
993
"host": "",
1721
994
}
1722
client_config = configparser.SafeConfigParser(client_defaults)
1723
client_config.read(os.path.join(server_settings[u"configdir"],
1724
u"clients.conf"))
1725
1726
global mandos_dbus_service
1727
mandos_dbus_service = None
1728
1729
tcp_server = MandosServer((server_settings[u"address"],
1730
server_settings[u"port"]),
1731
ClientHandler,
1732
interface=(server_settings[u"interface"]
1733
or None),
1734
use_ipv6=use_ipv6,
1735
gnutls_priority=
1736
server_settings[u"priority"],
1737
use_dbus=use_dbus)
1738
pidfilename = u"/var/run/mandos.pid"
1739
try:
1740
pidfile = open(pidfilename, u"w")
1741
except IOError:
1742
logger.error(u"Could not open file %r", pidfilename)
1743
1744
try:
1745
uid = pwd.getpwnam(u"_mandos").pw_uid
1746
gid = pwd.getpwnam(u"_mandos").pw_gid
995
client_config = ConfigParser.SafeConfigParser(client_defaults)
996
client_config.read(os.path.join(server_settings["configdir"],
997
"clients.conf"))
998
999
clients = Set()
1000
tcp_server = IPv6_TCPServer((server_settings["address"],
1001
server_settings["port"]),
1002
TCP_handler,
1003
settings=server_settings,
1004
clients=clients)
1005
pidfilename = "/var/run/mandos.pid"
1006
try:
1007
pidfile = open(pidfilename, "w")
1008
except IOError, error:
1009
logger.error("Could not open file %r", pidfilename)
1010
1011
try:
1012
uid = pwd.getpwnam("_mandos").pw_uid
1013
gid = pwd.getpwnam("_mandos").pw_gid
1747
1014
except KeyError:
1748
1015
try:
1749
uid = pwd.getpwnam(u"mandos").pw_uid
1750
gid = pwd.getpwnam(u"mandos").pw_gid
1016
uid = pwd.getpwnam("mandos").pw_uid
1017
gid = pwd.getpwnam("mandos").pw_gid
1751
1018
except KeyError:
1752
1019
try:
1753
uid = pwd.getpwnam(u"nobody").pw_uid
1754
gid = pwd.getpwnam(u"nobody").pw_gid
1020
uid = pwd.getpwnam("nobody").pw_uid
1021
gid = pwd.getpwnam("nogroup").pw_gid
1755
1022
except KeyError:
1756
1023
uid = 65534
1757
1024
gid = 65534
1763
1030
raise error
1764
1031
1765
1032
# Enable all possible GnuTLS debugging
1766
1767
1768
if not debug and not debuglevel:
1769
syslogger.setLevel(logging.WARNING)
1770
console.setLevel(logging.WARNING)
1771
if debuglevel:
1772
level = getattr(logging, debuglevel.upper())
1773
syslogger.setLevel(level)
1774
console.setLevel(level)
1775
1776
1033
if debug:
1777
1034
# "Use a log level over 10 to enable all debugging options."
1778
1035
# - GnuTLS manual
1780
1037
1781
1038
@gnutls.library.types.gnutls_log_func
1782
1039
def debug_gnutls(level, string):
1783
logger.debug(u"GnuTLS: %s", string[:-1])
1040
logger.debug("GnuTLS: %s", string[:-1])
1784
1041
1785
1042
(gnutls.library.functions
1786
1043
.gnutls_global_set_log_function(debug_gnutls))
1787
1788
# Redirect stdin so all checkers get /dev/null
1789
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1790
os.dup2(null, sys.stdin.fileno())
1791
if null > 2:
1792
os.close(null)
1793
else:
1794
# No console logging
1795
logger.removeHandler(console)
1796
1044
1045
global service
1046
service = AvahiService(name = server_settings["servicename"],
1047
servicetype = "_mandos._tcp", )
1048
if server_settings["interface"]:
1049
service.interface = (if_nametoindex
1050
(server_settings["interface"]))
1797
1051
1798
1052
global main_loop
1053
global bus
1054
global server
1799
1055
# From the Avahi example code
1800
1056
DBusGMainLoop(set_as_default=True )
1801
1057
main_loop = gobject.MainLoop()
1802
1058
bus = dbus.SystemBus()
1059
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1060
avahi.DBUS_PATH_SERVER),
1061
avahi.DBUS_INTERFACE_SERVER)
1803
1062
# End of Avahi example code
1804
1063
if use_dbus:
1805
try:
1806
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1807
bus, do_not_queue=True)
1808
except dbus.exceptions.NameExistsException, e:
1809
logger.error(unicode(e) + u", disabling D-Bus")
1810
use_dbus = False
1811
server_settings[u"use_dbus"] = False
1812
tcp_server.use_dbus = False
1813
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1814
service = AvahiService(name = server_settings[u"servicename"],
1815
servicetype = u"_mandos._tcp",
1816
protocol = protocol, bus = bus)
1817
if server_settings["interface"]:
1818
service.interface = (if_nametoindex
1819
(str(server_settings[u"interface"])))
1820
1821
if not debug:
1064
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1065
1066
clients.update(Set(Client(name = section,
1067
config
1068
= dict(client_config.items(section)),
1069
use_dbus = use_dbus)
1070
for section in client_config.sections()))
1071
if not clients:
1072
logger.warning(u"No clients defined")
1073
1074
if debug:
1075
# Redirect stdin so all checkers get /dev/null
1076
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1077
os.dup2(null, sys.stdin.fileno())
1078
if null > 2:
1079
os.close(null)
1080
else:
1081
# No console logging
1082
logger.removeHandler(console)
1822
1083
# Close all input and output, do double fork, etc.
1823
1084
daemon()
1824
1825
global multiprocessing_manager
1826
multiprocessing_manager = multiprocessing.Manager()
1827
1828
client_class = Client
1829
if use_dbus:
1830
client_class = functools.partial(ClientDBus, bus = bus)
1831
def client_config_items(config, section):
1832
special_settings = {
1833
"approved_by_default":
1834
lambda: config.getboolean(section,
1835
"approved_by_default"),
1836
}
1837
for name, value in config.items(section):
1838
try:
1839
yield (name, special_settings[name]())
1840
except KeyError:
1841
yield (name, value)
1842
1843
tcp_server.clients.update(set(
1844
client_class(name = section,
1845
config= dict(client_config_items(
1846
client_config, section)))
1847
for section in client_config.sections()))
1848
if not tcp_server.clients:
1849
logger.warning(u"No clients defined")
1850
1085
1851
1086
try:
1852
with pidfile:
1853
pid = os.getpid()
1854
pidfile.write(str(pid) + "\n")
1087
pid = os.getpid()
1088
pidfile.write(str(pid) + "\n")
1089
pidfile.close()
1855
1090
del pidfile
1856
1091
except IOError:
1857
1092
logger.error(u"Could not write to file %r with PID %d",
1861
1096
pass
1862
1097
del pidfilename
1863
1098
1099
def cleanup():
1100
"Cleanup function; run on exit"
1101
global group
1102
# From the Avahi example code
1103
if not group is None:
1104
group.Free()
1105
group = None
1106
# End of Avahi example code
1107
1108
while clients:
1109
client = clients.pop()
1110
client.disable_hook = None
1111
client.disable()
1112
1113
atexit.register(cleanup)
1114
1864
1115
if not debug:
1865
1116
signal.signal(signal.SIGINT, signal.SIG_IGN)
1866
1117
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1867
1118
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1868
1119
1869
1120
if use_dbus:
1870
class MandosDBusService(dbus.service.Object):
1121
class MandosServer(dbus.service.Object):
1871
1122
"""A D-Bus proxy object"""
1872
1123
def __init__(self):
1873
dbus.service.Object.__init__(self, bus, u"/")
1124
dbus.service.Object.__init__(self, bus, "/")
1874
1125
_interface = u"se.bsnet.fukt.Mandos"
1875
1126
1876
@dbus.service.signal(_interface, signature=u"o")
1877
def ClientAdded(self, objpath):
1878
"D-Bus signal"
1879
pass
1880
1881
@dbus.service.signal(_interface, signature=u"ss")
1882
def ClientNotFound(self, fingerprint, address):
1883
"D-Bus signal"
1884
pass
1885
1886
@dbus.service.signal(_interface, signature=u"os")
1127
@dbus.service.signal(_interface, signature="oa{sv}")
1128
def ClientAdded(self, objpath, properties):
1129
"D-Bus signal"
1130
pass
1131
1132
@dbus.service.signal(_interface, signature="os")
1887
1133
def ClientRemoved(self, objpath, name):
1888
1134
"D-Bus signal"
1889
1135
pass
1890
1136
1891
@dbus.service.method(_interface, out_signature=u"ao")
1137
@dbus.service.method(_interface, out_signature="ao")
1892
1138
def GetAllClients(self):
1893
1139
"D-Bus method"
1894
return dbus.Array(c.dbus_object_path
1895
for c in tcp_server.clients)
1140
return dbus.Array(c.dbus_object_path for c in clients)
1896
1141
1897
@dbus.service.method(_interface,
1898
out_signature=u"a{oa{sv}}")
1142
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1899
1143
def GetAllClientsWithProperties(self):
1900
1144
"D-Bus method"
1901
1145
return dbus.Dictionary(
1902
((c.dbus_object_path, c.GetAll(u""))
1903
for c in tcp_server.clients),
1904
signature=u"oa{sv}")
1146
((c.dbus_object_path, c.GetAllProperties())
1147
for c in clients),
1148
signature="oa{sv}")
1905
1149
1906
@dbus.service.method(_interface, in_signature=u"o")
1150
@dbus.service.method(_interface, in_signature="o")
1907
1151
def RemoveClient(self, object_path):
1908
1152
"D-Bus method"
1909
for c in tcp_server.clients:
1153
for c in clients:
1910
1154
if c.dbus_object_path == object_path:
1911
tcp_server.clients.remove(c)
1912
c.remove_from_connection()
1155
clients.remove(c)
1913
1156
# Don't signal anything except ClientRemoved
1914
c.disable(quiet=True)
1157
c.use_dbus = False
1158
c.disable()
1915
1159
# Emit D-Bus signal
1916
1160
self.ClientRemoved(object_path, c.name)
1917
1161
return
1918
raise KeyError(object_path)
1162
raise KeyError
1919
1163
1920
1164
del _interface
1921
1165
1922
mandos_dbus_service = MandosDBusService()
1923
1924
def cleanup():
1925
"Cleanup function; run on exit"
1926
service.cleanup()
1927
1928
while tcp_server.clients:
1929
client = tcp_server.clients.pop()
1930
if use_dbus:
1931
client.remove_from_connection()
1932
client.disable_hook = None
1933
# Don't signal anything except ClientRemoved
1934
client.disable(quiet=True)
1935
if use_dbus:
1936
# Emit D-Bus signal
1937
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1938
client.name)
1939
1940
atexit.register(cleanup)
1941
1942
for client in tcp_server.clients:
1166
mandos_server = MandosServer()
1167
1168
for client in clients:
1943
1169
if use_dbus:
1944
1170
# Emit D-Bus signal
1945
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1171
mandos_server.ClientAdded(client.dbus_object_path,
1172
client.GetAllProperties())
1946
1173
client.enable()
1947
1174
1948
1175
tcp_server.enable()
1950
1177
1951
1178
# Find out what port we got
1952
1179
service.port = tcp_server.socket.getsockname()[1]
1953
if use_ipv6:
1954
logger.info(u"Now listening on address %r, port %d,"
1955
" flowinfo %d, scope_id %d"
1956
% tcp_server.socket.getsockname())
1957
else: # IPv4
1958
logger.info(u"Now listening on address %r, port %d"
1959
% tcp_server.socket.getsockname())
1180
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1181
u" scope_id %d" % tcp_server.socket.getsockname())
1960
1182
1961
1183
#service.interface = tcp_server.socket.getsockname()[3]
1962
1184
1963
1185
try:
1964
1186
# From the Avahi example code
1187
server.connect_to_signal("StateChanged", server_state_changed)
1965
1188
try:
1966
service.activate()
1189
server_state_changed(server.GetState())
1967
1190
except dbus.exceptions.DBusException, error:
1968
1191
logger.critical(u"DBusException: %s", error)
1969
cleanup()
1970
1192
sys.exit(1)
1971
1193
# End of Avahi example code
1972
1194
1979
1201
main_loop.run()
1980
1202
except AvahiError, error:
1981
1203
logger.critical(u"AvahiError: %s", error)
1982
cleanup()
1983
1204
sys.exit(1)
1984
1205
except KeyboardInterrupt:
1985
1206
if debug:
1986
print >> sys.stderr
1987
logger.debug(u"Server received KeyboardInterrupt")
1988
logger.debug(u"Server exiting")
1989
# Must run before the D-Bus bus name gets deregistered
1990
cleanup()
1207
print
1991
1208
1992
1209
if __name__ == '__main__':
1993
1210
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0