To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 291
- compare with another revision
- download diff
- download tarball
- view history from revision 291
- Committer: Teddy Hogeborn
- Date: 2009-01-31 10:33:17 UTC
- mfrom: (24.1.129 mandos)
- Revision ID: teddy@fukt.bsnet.se-20090131103317-wzqvyr532sjcjt7u
Merge from Björn:
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
56
57
import logging.handlers
57
58
import pwd
58
59
from contextlib import closing
59
import struct
60
import fcntl
61
import functools
62
60
63
61
import dbus
64
62
import dbus.service
67
65
from dbus.mainloop.glib import DBusGMainLoop
68
66
import ctypes
69
67
import ctypes.util
70
import xml.dom.minidom
71
import inspect
72
73
try:
74
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
75
except AttributeError:
76
try:
77
from IN import SO_BINDTODEVICE
78
except ImportError:
79
SO_BINDTODEVICE = None
80
81
82
version = "1.0.12"
83
84
logger = logging.Logger(u'mandos')
68
69
version = "1.0.5"
70
71
logger = logging.Logger('mandos')
85
72
syslogger = (logging.handlers.SysLogHandler
86
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
87
74
address = "/dev/log"))
88
75
syslogger.setFormatter(logging.Formatter
89
(u'Mandos [%(process)d]: %(levelname)s:'
90
u' %(message)s'))
76
('Mandos: %(levelname)s: %(message)s'))
91
77
logger.addHandler(syslogger)
92
78
93
79
console = logging.StreamHandler()
94
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
95
u' %(levelname)s:'
96
u' %(message)s'))
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
97
82
logger.addHandler(console)
98
83
99
84
class AvahiError(Exception):
112
97
113
98
class AvahiService(object):
114
99
"""An Avahi (Zeroconf) service.
115
116
100
Attributes:
117
101
interface: integer; avahi.IF_UNSPEC or an interface index.
118
102
Used to optionally bind to the specified interface.
119
name: string; Example: u'Mandos'
120
type: string; Example: u'_mandos._tcp'.
103
name: string; Example: 'Mandos'
104
type: string; Example: '_mandos._tcp'.
121
105
See <http://www.dns-sd.org/ServiceTypes.html>
122
106
port: integer; what port to announce
123
107
TXT: list of strings; TXT record for the service
126
110
max_renames: integer; maximum number of renames
127
111
rename_count: integer; counter so we only rename after collisions
128
112
a sensible number of times
129
group: D-Bus Entry Group
130
server: D-Bus Server
131
bus: dbus.SystemBus()
132
113
"""
133
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
134
115
servicetype = None, port = None, TXT = None,
135
domain = u"", host = u"", max_renames = 32768,
136
protocol = avahi.PROTO_UNSPEC, bus = None):
116
domain = "", host = "", max_renames = 32768):
137
117
self.interface = interface
138
118
self.name = name
139
119
self.type = servicetype
143
123
self.host = host
144
124
self.rename_count = 0
145
125
self.max_renames = max_renames
146
self.protocol = protocol
147
self.group = None # our entry group
148
self.server = None
149
self.bus = bus
150
126
def rename(self):
151
127
"""Derived from the Avahi example code"""
152
128
if self.rename_count >= self.max_renames:
154
130
u" after %i retries, exiting.",
155
131
self.rename_count)
156
132
raise AvahiServiceError(u"Too many renames")
157
self.name = self.server.GetAlternativeServiceName(self.name)
133
self.name = server.GetAlternativeServiceName(self.name)
158
134
logger.info(u"Changing Zeroconf service name to %r ...",
159
unicode(self.name))
135
str(self.name))
160
136
syslogger.setFormatter(logging.Formatter
161
(u'Mandos (%s) [%%(process)d]:'
162
u' %%(levelname)s: %%(message)s'
163
% self.name))
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
164
139
self.remove()
165
140
self.add()
166
141
self.rename_count += 1
167
142
def remove(self):
168
143
"""Derived from the Avahi example code"""
169
if self.group is not None:
170
self.group.Reset()
144
if group is not None:
145
group.Reset()
171
146
def add(self):
172
147
"""Derived from the Avahi example code"""
173
if self.group is None:
174
self.group = dbus.Interface(
175
self.bus.get_object(avahi.DBUS_NAME,
176
self.server.EntryGroupNew()),
177
avahi.DBUS_INTERFACE_ENTRY_GROUP)
178
self.group.connect_to_signal('StateChanged',
179
self
180
.entry_group_state_changed)
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
181
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
182
self.name, self.type)
183
self.group.AddService(
184
self.interface,
185
self.protocol,
186
dbus.UInt32(0), # flags
187
self.name, self.type,
188
self.domain, self.host,
189
dbus.UInt16(self.port),
190
avahi.string_array_to_txt_array(self.TXT))
191
self.group.Commit()
192
def entry_group_state_changed(self, state, error):
193
"""Derived from the Avahi example code"""
194
logger.debug(u"Avahi state change: %i", state)
195
196
if state == avahi.ENTRY_GROUP_ESTABLISHED:
197
logger.debug(u"Zeroconf service established.")
198
elif state == avahi.ENTRY_GROUP_COLLISION:
199
logger.warning(u"Zeroconf service name collision.")
200
self.rename()
201
elif state == avahi.ENTRY_GROUP_FAILURE:
202
logger.critical(u"Avahi: Error in group state changed %s",
203
unicode(error))
204
raise AvahiGroupError(u"State changed: %s"
205
% unicode(error))
206
def cleanup(self):
207
"""Derived from the Avahi example code"""
208
if self.group is not None:
209
self.group.Free()
210
self.group = None
211
def server_state_changed(self, state):
212
"""Derived from the Avahi example code"""
213
if state == avahi.SERVER_COLLISION:
214
logger.error(u"Zeroconf server name collision")
215
self.remove()
216
elif state == avahi.SERVER_RUNNING:
217
self.add()
218
def activate(self):
219
"""Derived from the Avahi example code"""
220
if self.server is None:
221
self.server = dbus.Interface(
222
self.bus.get_object(avahi.DBUS_NAME,
223
avahi.DBUS_PATH_SERVER),
224
avahi.DBUS_INTERFACE_SERVER)
225
self.server.connect_to_signal(u"StateChanged",
226
self.server_state_changed)
227
self.server_state_changed(self.server.GetState())
228
229
230
class Client(object):
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
170
# End of Avahi example code
171
172
173
def _datetime_to_dbus(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus type."""
175
return dbus.String(dt.isoformat(), variant_level=variant_level)
176
177
178
class Client(dbus.service.Object):
231
179
"""A representation of a client host served by this server.
232
233
180
Attributes:
234
181
name: string; from the config file, used in log messages and
235
182
D-Bus identifiers
249
196
to see if the client lives.
250
197
'None' if no process is running.
251
198
checker_initiator_tag: a gobject event source tag, or None
252
disable_initiator_tag: - '' -
199
disable_initiator_tag: - '' -
253
200
checker_callback_tag: - '' -
254
201
checker_command: string; External command which is run to check if
255
202
client lives. %() expansions are done at
256
203
runtime with vars(self) as dict, so that for
257
204
instance %(name)s can be used in the command.
258
current_checker_command: string; current running checker_command
205
use_dbus: bool(); Whether to provide D-Bus interface and signals
206
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
259
207
"""
260
261
@staticmethod
262
def _timedelta_to_milliseconds(td):
263
"Convert a datetime.timedelta() to milliseconds"
264
return ((td.days * 24 * 60 * 60 * 1000)
265
+ (td.seconds * 1000)
266
+ (td.microseconds // 1000))
267
268
208
def timeout_milliseconds(self):
269
209
"Return the 'timeout' attribute in milliseconds"
270
return self._timedelta_to_milliseconds(self.timeout)
210
return ((self.timeout.days * 24 * 60 * 60 * 1000)
211
+ (self.timeout.seconds * 1000)
212
+ (self.timeout.microseconds // 1000))
271
213
272
214
def interval_milliseconds(self):
273
215
"Return the 'interval' attribute in milliseconds"
274
return self._timedelta_to_milliseconds(self.interval)
216
return ((self.interval.days * 24 * 60 * 60 * 1000)
217
+ (self.interval.seconds * 1000)
218
+ (self.interval.microseconds // 1000))
275
219
276
def __init__(self, name = None, disable_hook=None, config=None):
220
def __init__(self, name = None, disable_hook=None, config=None,
221
use_dbus=True):
277
222
"""Note: the 'checker' key in 'config' sets the
278
223
'checker_command' attribute and *not* the 'checker'
279
224
attribute."""
281
226
if config is None:
282
227
config = {}
283
228
logger.debug(u"Creating client %r", self.name)
229
self.use_dbus = False # During __init__
284
230
# Uppercase and remove spaces from fingerprint for later
285
231
# comparison purposes with return value from the fingerprint()
286
232
# function
287
self.fingerprint = (config[u"fingerprint"].upper()
233
self.fingerprint = (config["fingerprint"].upper()
288
234
.replace(u" ", u""))
289
235
logger.debug(u" Fingerprint: %s", self.fingerprint)
290
if u"secret" in config:
291
self.secret = config[u"secret"].decode(u"base64")
292
elif u"secfile" in config:
236
if "secret" in config:
237
self.secret = config["secret"].decode(u"base64")
238
elif "secfile" in config:
293
239
with closing(open(os.path.expanduser
294
240
(os.path.expandvars
295
(config[u"secfile"])))) as secfile:
241
(config["secfile"])))) as secfile:
296
242
self.secret = secfile.read()
297
243
else:
298
244
raise TypeError(u"No secret or secfile for client %s"
299
245
% self.name)
300
self.host = config.get(u"host", u"")
246
self.host = config.get("host", "")
301
247
self.created = datetime.datetime.utcnow()
302
248
self.enabled = False
303
249
self.last_enabled = None
304
250
self.last_checked_ok = None
305
self.timeout = string_to_delta(config[u"timeout"])
306
self.interval = string_to_delta(config[u"interval"])
251
self.timeout = string_to_delta(config["timeout"])
252
self.interval = string_to_delta(config["interval"])
307
253
self.disable_hook = disable_hook
308
254
self.checker = None
309
255
self.checker_initiator_tag = None
310
256
self.disable_initiator_tag = None
311
257
self.checker_callback_tag = None
312
self.checker_command = config[u"checker"]
313
self.current_checker_command = None
258
self.checker_command = config["checker"]
314
259
self.last_connect = None
260
# Only now, when this client is initialized, can it show up on
261
# the D-Bus
262
self.use_dbus = use_dbus
263
if self.use_dbus:
264
self.dbus_object_path = (dbus.ObjectPath
265
("/clients/"
266
+ self.name.replace(".", "_")))
267
dbus.service.Object.__init__(self, bus,
268
self.dbus_object_path)
315
269
316
270
def enable(self):
317
271
"""Start this client's checker and timeout hooks"""
318
if getattr(self, u"enabled", False):
319
# Already enabled
320
return
321
272
self.last_enabled = datetime.datetime.utcnow()
322
273
# Schedule a new checker to be started an 'interval' from now,
323
274
# and every interval from then on.
331
282
(self.timeout_milliseconds(),
332
283
self.disable))
333
284
self.enabled = True
285
if self.use_dbus:
286
# Emit D-Bus signals
287
self.PropertyChanged(dbus.String(u"enabled"),
288
dbus.Boolean(True, variant_level=1))
289
self.PropertyChanged(dbus.String(u"last_enabled"),
290
(_datetime_to_dbus(self.last_enabled,
291
variant_level=1)))
334
292
335
293
def disable(self):
336
294
"""Disable this client."""
337
295
if not getattr(self, "enabled", False):
338
296
return False
339
297
logger.info(u"Disabling client %s", self.name)
340
if getattr(self, u"disable_initiator_tag", False):
298
if getattr(self, "disable_initiator_tag", False):
341
299
gobject.source_remove(self.disable_initiator_tag)
342
300
self.disable_initiator_tag = None
343
if getattr(self, u"checker_initiator_tag", False):
301
if getattr(self, "checker_initiator_tag", False):
344
302
gobject.source_remove(self.checker_initiator_tag)
345
303
self.checker_initiator_tag = None
346
304
self.stop_checker()
347
305
if self.disable_hook:
348
306
self.disable_hook(self)
349
307
self.enabled = False
308
if self.use_dbus:
309
# Emit D-Bus signal
310
self.PropertyChanged(dbus.String(u"enabled"),
311
dbus.Boolean(False, variant_level=1))
350
312
# Do not run this again if called by a gobject.timeout_add
351
313
return False
352
314
358
320
"""The checker has completed, so take appropriate actions."""
359
321
self.checker_callback_tag = None
360
322
self.checker = None
323
if self.use_dbus:
324
# Emit D-Bus signal
325
self.PropertyChanged(dbus.String(u"checker_running"),
326
dbus.Boolean(False, variant_level=1))
361
327
if os.WIFEXITED(condition):
362
328
exitstatus = os.WEXITSTATUS(condition)
363
329
if exitstatus == 0:
367
333
else:
368
334
logger.info(u"Checker for %(name)s failed",
369
335
vars(self))
336
if self.use_dbus:
337
# Emit D-Bus signal
338
self.CheckerCompleted(dbus.Int16(exitstatus),
339
dbus.Int64(condition),
340
dbus.String(command))
370
341
else:
371
342
logger.warning(u"Checker for %(name)s crashed?",
372
343
vars(self))
344
if self.use_dbus:
345
# Emit D-Bus signal
346
self.CheckerCompleted(dbus.Int16(-1),
347
dbus.Int64(condition),
348
dbus.String(command))
373
349
374
350
def checked_ok(self):
375
351
"""Bump up the timeout for this client.
376
377
352
This should only be called when the client has been seen,
378
353
alive and well.
379
354
"""
382
357
self.disable_initiator_tag = (gobject.timeout_add
383
358
(self.timeout_milliseconds(),
384
359
self.disable))
360
if self.use_dbus:
361
# Emit D-Bus signal
362
self.PropertyChanged(
363
dbus.String(u"last_checked_ok"),
364
(_datetime_to_dbus(self.last_checked_ok,
365
variant_level=1)))
385
366
386
367
def start_checker(self):
387
368
"""Start a new checker subprocess if one is not running.
388
389
369
If a checker already exists, leave it running and do
390
370
nothing."""
391
371
# The reason for not killing a running checker is that if we
396
376
# checkers alone, the checker would have to take more time
397
377
# than 'timeout' for the client to be declared invalid, which
398
378
# is as it should be.
399
400
# If a checker exists, make sure it is not a zombie
401
if self.checker is not None:
402
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
403
if pid:
404
logger.warning(u"Checker was a zombie")
405
gobject.source_remove(self.checker_callback_tag)
406
self.checker_callback(pid, status,
407
self.current_checker_command)
408
# Start a new checker if needed
409
379
if self.checker is None:
410
380
try:
411
381
# In case checker_command has exactly one % operator
412
382
command = self.checker_command % self.host
413
383
except TypeError:
414
384
# Escape attributes for the shell
415
escaped_attrs = dict((key,
416
re.escape(unicode(str(val),
417
errors=
418
u'replace')))
385
escaped_attrs = dict((key, re.escape(str(val)))
419
386
for key, val in
420
387
vars(self).iteritems())
421
388
try:
424
391
logger.error(u'Could not format string "%s":'
425
392
u' %s', self.checker_command, error)
426
393
return True # Try again later
427
self.current_checker_command = command
428
394
try:
429
395
logger.info(u"Starting checker %r for %s",
430
396
command, self.name)
434
400
# always replaced by /dev/null.)
435
401
self.checker = subprocess.Popen(command,
436
402
close_fds=True,
437
shell=True, cwd=u"/")
403
shell=True, cwd="/")
404
if self.use_dbus:
405
# Emit D-Bus signal
406
self.CheckerStarted(command)
407
self.PropertyChanged(
408
dbus.String("checker_running"),
409
dbus.Boolean(True, variant_level=1))
438
410
self.checker_callback_tag = (gobject.child_watch_add
439
411
(self.checker.pid,
440
412
self.checker_callback,
441
413
data=command))
442
# The checker may have completed before the gobject
443
# watch was added. Check for this.
444
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
445
if pid:
446
gobject.source_remove(self.checker_callback_tag)
447
self.checker_callback(pid, status, command)
448
414
except OSError, error:
449
415
logger.error(u"Failed to start subprocess: %s",
450
416
error)
456
422
if self.checker_callback_tag:
457
423
gobject.source_remove(self.checker_callback_tag)
458
424
self.checker_callback_tag = None
459
if getattr(self, u"checker", None) is None:
425
if getattr(self, "checker", None) is None:
460
426
return
461
427
logger.debug(u"Stopping checker for %(name)s", vars(self))
462
428
try:
468
434
if error.errno != errno.ESRCH: # No such process
469
435
raise
470
436
self.checker = None
437
if self.use_dbus:
438
self.PropertyChanged(dbus.String(u"checker_running"),
439
dbus.Boolean(False, variant_level=1))
471
440
472
441
def still_valid(self):
473
442
"""Has the timeout not yet passed for this client?"""
474
if not getattr(self, u"enabled", False):
443
if not getattr(self, "enabled", False):
475
444
return False
476
445
now = datetime.datetime.utcnow()
477
446
if self.last_checked_ok is None:
478
447
return now < (self.created + self.timeout)
479
448
else:
480
449
return now < (self.last_checked_ok + self.timeout)
481
482
483
def dbus_service_property(dbus_interface, signature=u"v",
484
access=u"readwrite", byte_arrays=False):
485
"""Decorators for marking methods of a DBusObjectWithProperties to
486
become properties on the D-Bus.
487
488
The decorated method will be called with no arguments by "Get"
489
and with one argument by "Set".
490
491
The parameters, where they are supported, are the same as
492
dbus.service.method, except there is only "signature", since the
493
type from Get() and the type sent to Set() is the same.
494
"""
495
def decorator(func):
496
func._dbus_is_property = True
497
func._dbus_interface = dbus_interface
498
func._dbus_signature = signature
499
func._dbus_access = access
500
func._dbus_name = func.__name__
501
if func._dbus_name.endswith(u"_dbus_property"):
502
func._dbus_name = func._dbus_name[:-14]
503
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
504
return func
505
return decorator
506
507
508
class DBusPropertyException(dbus.exceptions.DBusException):
509
"""A base class for D-Bus property-related exceptions
510
"""
511
def __unicode__(self):
512
return unicode(str(self))
513
514
515
class DBusPropertyAccessException(DBusPropertyException):
516
"""A property's access permissions disallows an operation.
517
"""
518
pass
519
520
521
class DBusPropertyNotFound(DBusPropertyException):
522
"""An attempt was made to access a non-existing property.
523
"""
524
pass
525
526
527
class DBusObjectWithProperties(dbus.service.Object):
528
"""A D-Bus object with properties.
529
530
Classes inheriting from this can use the dbus_service_property
531
decorator to expose methods as D-Bus properties. It exposes the
532
standard Get(), Set(), and GetAll() methods on the D-Bus.
533
"""
534
535
@staticmethod
536
def _is_dbus_property(obj):
537
return getattr(obj, u"_dbus_is_property", False)
538
539
def _get_all_dbus_properties(self):
540
"""Returns a generator of (name, attribute) pairs
541
"""
542
return ((prop._dbus_name, prop)
543
for name, prop in
544
inspect.getmembers(self, self._is_dbus_property))
545
546
def _get_dbus_property(self, interface_name, property_name):
547
"""Returns a bound method if one exists which is a D-Bus
548
property with the specified name and interface.
549
"""
550
for name in (property_name,
551
property_name + u"_dbus_property"):
552
prop = getattr(self, name, None)
553
if (prop is None
554
or not self._is_dbus_property(prop)
555
or prop._dbus_name != property_name
556
or (interface_name and prop._dbus_interface
557
and interface_name != prop._dbus_interface)):
558
continue
559
return prop
560
# No such property
561
raise DBusPropertyNotFound(self.dbus_object_path + u":"
562
+ interface_name + u"."
563
+ property_name)
564
565
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
566
out_signature=u"v")
567
def Get(self, interface_name, property_name):
568
"""Standard D-Bus property Get() method, see D-Bus standard.
569
"""
570
prop = self._get_dbus_property(interface_name, property_name)
571
if prop._dbus_access == u"write":
572
raise DBusPropertyAccessException(property_name)
573
value = prop()
574
if not hasattr(value, u"variant_level"):
575
return value
576
return type(value)(value, variant_level=value.variant_level+1)
577
578
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
579
def Set(self, interface_name, property_name, value):
580
"""Standard D-Bus property Set() method, see D-Bus standard.
581
"""
582
prop = self._get_dbus_property(interface_name, property_name)
583
if prop._dbus_access == u"read":
584
raise DBusPropertyAccessException(property_name)
585
if prop._dbus_get_args_options[u"byte_arrays"]:
586
value = dbus.ByteArray(''.join(unichr(byte)
587
for byte in value))
588
prop(value)
589
590
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
591
out_signature=u"a{sv}")
592
def GetAll(self, interface_name):
593
"""Standard D-Bus property GetAll() method, see D-Bus
594
standard.
595
596
Note: Will not include properties with access="write".
597
"""
598
all = {}
599
for name, prop in self._get_all_dbus_properties():
600
if (interface_name
601
and interface_name != prop._dbus_interface):
602
# Interface non-empty but did not match
603
continue
604
# Ignore write-only properties
605
if prop._dbus_access == u"write":
606
continue
607
value = prop()
608
if not hasattr(value, u"variant_level"):
609
all[name] = value
610
continue
611
all[name] = type(value)(value, variant_level=
612
value.variant_level+1)
613
return dbus.Dictionary(all, signature=u"sv")
614
615
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
616
out_signature=u"s",
617
path_keyword='object_path',
618
connection_keyword='connection')
619
def Introspect(self, object_path, connection):
620
"""Standard D-Bus method, overloaded to insert property tags.
621
"""
622
xmlstring = dbus.service.Object.Introspect(self, object_path,
623
connection)
624
document = xml.dom.minidom.parseString(xmlstring)
625
del xmlstring
626
def make_tag(document, name, prop):
627
e = document.createElement(u"property")
628
e.setAttribute(u"name", name)
629
e.setAttribute(u"type", prop._dbus_signature)
630
e.setAttribute(u"access", prop._dbus_access)
631
return e
632
for if_tag in document.getElementsByTagName(u"interface"):
633
for tag in (make_tag(document, name, prop)
634
for name, prop
635
in self._get_all_dbus_properties()
636
if prop._dbus_interface
637
== if_tag.getAttribute(u"name")):
638
if_tag.appendChild(tag)
639
xmlstring = document.toxml(u"utf-8")
640
document.unlink()
641
return xmlstring
642
643
644
class ClientDBus(Client, DBusObjectWithProperties):
645
"""A Client class using D-Bus
646
647
Attributes:
648
dbus_object_path: dbus.ObjectPath
649
bus: dbus.SystemBus()
650
"""
651
# dbus.service.Object doesn't use super(), so we can't either.
652
653
def __init__(self, bus = None, *args, **kwargs):
654
self.bus = bus
655
Client.__init__(self, *args, **kwargs)
656
# Only now, when this client is initialized, can it show up on
657
# the D-Bus
658
self.dbus_object_path = (dbus.ObjectPath
659
(u"/clients/"
660
+ self.name.replace(u".", u"_")))
661
DBusObjectWithProperties.__init__(self, self.bus,
662
self.dbus_object_path)
663
664
@staticmethod
665
def _datetime_to_dbus(dt, variant_level=0):
666
"""Convert a UTC datetime.datetime() to a D-Bus type."""
667
return dbus.String(dt.isoformat(),
668
variant_level=variant_level)
669
670
def enable(self):
671
oldstate = getattr(self, u"enabled", False)
672
r = Client.enable(self)
673
if oldstate != self.enabled:
674
# Emit D-Bus signals
675
self.PropertyChanged(dbus.String(u"enabled"),
676
dbus.Boolean(True, variant_level=1))
677
self.PropertyChanged(
678
dbus.String(u"last_enabled"),
679
self._datetime_to_dbus(self.last_enabled,
680
variant_level=1))
681
return r
682
683
def disable(self, signal = True):
684
oldstate = getattr(self, u"enabled", False)
685
r = Client.disable(self)
686
if signal and oldstate != self.enabled:
687
# Emit D-Bus signal
688
self.PropertyChanged(dbus.String(u"enabled"),
689
dbus.Boolean(False, variant_level=1))
690
return r
691
692
def __del__(self, *args, **kwargs):
693
try:
694
self.remove_from_connection()
695
except LookupError:
696
pass
697
if hasattr(DBusObjectWithProperties, u"__del__"):
698
DBusObjectWithProperties.__del__(self, *args, **kwargs)
699
Client.__del__(self, *args, **kwargs)
700
701
def checker_callback(self, pid, condition, command,
702
*args, **kwargs):
703
self.checker_callback_tag = None
704
self.checker = None
705
# Emit D-Bus signal
706
self.PropertyChanged(dbus.String(u"checker_running"),
707
dbus.Boolean(False, variant_level=1))
708
if os.WIFEXITED(condition):
709
exitstatus = os.WEXITSTATUS(condition)
710
# Emit D-Bus signal
711
self.CheckerCompleted(dbus.Int16(exitstatus),
712
dbus.Int64(condition),
713
dbus.String(command))
714
else:
715
# Emit D-Bus signal
716
self.CheckerCompleted(dbus.Int16(-1),
717
dbus.Int64(condition),
718
dbus.String(command))
719
720
return Client.checker_callback(self, pid, condition, command,
721
*args, **kwargs)
722
723
def checked_ok(self, *args, **kwargs):
724
r = Client.checked_ok(self, *args, **kwargs)
725
# Emit D-Bus signal
726
self.PropertyChanged(
727
dbus.String(u"last_checked_ok"),
728
(self._datetime_to_dbus(self.last_checked_ok,
729
variant_level=1)))
730
return r
731
732
def start_checker(self, *args, **kwargs):
733
old_checker = self.checker
734
if self.checker is not None:
735
old_checker_pid = self.checker.pid
736
else:
737
old_checker_pid = None
738
r = Client.start_checker(self, *args, **kwargs)
739
# Only if new checker process was started
740
if (self.checker is not None
741
and old_checker_pid != self.checker.pid):
742
# Emit D-Bus signal
743
self.CheckerStarted(self.current_checker_command)
744
self.PropertyChanged(
745
dbus.String(u"checker_running"),
746
dbus.Boolean(True, variant_level=1))
747
return r
748
749
def stop_checker(self, *args, **kwargs):
750
old_checker = getattr(self, u"checker", None)
751
r = Client.stop_checker(self, *args, **kwargs)
752
if (old_checker is not None
753
and getattr(self, u"checker", None) is None):
754
self.PropertyChanged(dbus.String(u"checker_running"),
755
dbus.Boolean(False, variant_level=1))
756
return r
757
450
758
451
## D-Bus methods & signals
759
452
_interface = u"se.bsnet.fukt.Mandos.Client"
760
453
761
454
# CheckedOK - method
762
@dbus.service.method(_interface)
763
def CheckedOK(self):
764
return self.checked_ok()
455
CheckedOK = dbus.service.method(_interface)(checked_ok)
456
CheckedOK.__name__ = "CheckedOK"
765
457
766
458
# CheckerCompleted - signal
767
@dbus.service.signal(_interface, signature=u"nxs")
459
@dbus.service.signal(_interface, signature="nxs")
768
460
def CheckerCompleted(self, exitcode, waitstatus, command):
769
461
"D-Bus signal"
770
462
pass
771
463
772
464
# CheckerStarted - signal
773
@dbus.service.signal(_interface, signature=u"s")
465
@dbus.service.signal(_interface, signature="s")
774
466
def CheckerStarted(self, command):
775
467
"D-Bus signal"
776
468
pass
777
469
470
# GetAllProperties - method
471
@dbus.service.method(_interface, out_signature="a{sv}")
472
def GetAllProperties(self):
473
"D-Bus method"
474
return dbus.Dictionary({
475
dbus.String("name"):
476
dbus.String(self.name, variant_level=1),
477
dbus.String("fingerprint"):
478
dbus.String(self.fingerprint, variant_level=1),
479
dbus.String("host"):
480
dbus.String(self.host, variant_level=1),
481
dbus.String("created"):
482
_datetime_to_dbus(self.created, variant_level=1),
483
dbus.String("last_enabled"):
484
(_datetime_to_dbus(self.last_enabled,
485
variant_level=1)
486
if self.last_enabled is not None
487
else dbus.Boolean(False, variant_level=1)),
488
dbus.String("enabled"):
489
dbus.Boolean(self.enabled, variant_level=1),
490
dbus.String("last_checked_ok"):
491
(_datetime_to_dbus(self.last_checked_ok,
492
variant_level=1)
493
if self.last_checked_ok is not None
494
else dbus.Boolean (False, variant_level=1)),
495
dbus.String("timeout"):
496
dbus.UInt64(self.timeout_milliseconds(),
497
variant_level=1),
498
dbus.String("interval"):
499
dbus.UInt64(self.interval_milliseconds(),
500
variant_level=1),
501
dbus.String("checker"):
502
dbus.String(self.checker_command,
503
variant_level=1),
504
dbus.String("checker_running"):
505
dbus.Boolean(self.checker is not None,
506
variant_level=1),
507
dbus.String("object_path"):
508
dbus.ObjectPath(self.dbus_object_path,
509
variant_level=1)
510
}, signature="sv")
511
512
# IsStillValid - method
513
IsStillValid = (dbus.service.method(_interface, out_signature="b")
514
(still_valid))
515
IsStillValid.__name__ = "IsStillValid"
516
778
517
# PropertyChanged - signal
779
@dbus.service.signal(_interface, signature=u"sv")
518
@dbus.service.signal(_interface, signature="sv")
780
519
def PropertyChanged(self, property, value):
781
520
"D-Bus signal"
782
521
pass
783
522
784
# ReceivedSecret - signal
785
@dbus.service.signal(_interface)
786
def ReceivedSecret(self):
787
"D-Bus signal"
788
pass
789
790
# Rejected - signal
791
@dbus.service.signal(_interface)
792
def Rejected(self):
793
"D-Bus signal"
794
pass
523
# SetChecker - method
524
@dbus.service.method(_interface, in_signature="s")
525
def SetChecker(self, checker):
526
"D-Bus setter method"
527
self.checker_command = checker
528
# Emit D-Bus signal
529
self.PropertyChanged(dbus.String(u"checker"),
530
dbus.String(self.checker_command,
531
variant_level=1))
532
533
# SetHost - method
534
@dbus.service.method(_interface, in_signature="s")
535
def SetHost(self, host):
536
"D-Bus setter method"
537
self.host = host
538
# Emit D-Bus signal
539
self.PropertyChanged(dbus.String(u"host"),
540
dbus.String(self.host, variant_level=1))
541
542
# SetInterval - method
543
@dbus.service.method(_interface, in_signature="t")
544
def SetInterval(self, milliseconds):
545
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
546
# Emit D-Bus signal
547
self.PropertyChanged(dbus.String(u"interval"),
548
(dbus.UInt64(self.interval_milliseconds(),
549
variant_level=1)))
550
551
# SetSecret - method
552
@dbus.service.method(_interface, in_signature="ay",
553
byte_arrays=True)
554
def SetSecret(self, secret):
555
"D-Bus setter method"
556
self.secret = str(secret)
557
558
# SetTimeout - method
559
@dbus.service.method(_interface, in_signature="t")
560
def SetTimeout(self, milliseconds):
561
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
562
# Emit D-Bus signal
563
self.PropertyChanged(dbus.String(u"timeout"),
564
(dbus.UInt64(self.timeout_milliseconds(),
565
variant_level=1)))
795
566
796
567
# Enable - method
797
@dbus.service.method(_interface)
798
def Enable(self):
799
"D-Bus method"
800
self.enable()
568
Enable = dbus.service.method(_interface)(enable)
569
Enable.__name__ = "Enable"
801
570
802
571
# StartChecker - method
803
572
@dbus.service.method(_interface)
812
581
self.disable()
813
582
814
583
# StopChecker - method
815
@dbus.service.method(_interface)
816
def StopChecker(self):
817
self.stop_checker()
818
819
# name - property
820
@dbus_service_property(_interface, signature=u"s", access=u"read")
821
def name_dbus_property(self):
822
return dbus.String(self.name)
823
824
# fingerprint - property
825
@dbus_service_property(_interface, signature=u"s", access=u"read")
826
def fingerprint_dbus_property(self):
827
return dbus.String(self.fingerprint)
828
829
# host - property
830
@dbus_service_property(_interface, signature=u"s",
831
access=u"readwrite")
832
def host_dbus_property(self, value=None):
833
if value is None: # get
834
return dbus.String(self.host)
835
self.host = value
836
# Emit D-Bus signal
837
self.PropertyChanged(dbus.String(u"host"),
838
dbus.String(value, variant_level=1))
839
840
# created - property
841
@dbus_service_property(_interface, signature=u"s", access=u"read")
842
def created_dbus_property(self):
843
return dbus.String(self._datetime_to_dbus(self.created))
844
845
# last_enabled - property
846
@dbus_service_property(_interface, signature=u"s", access=u"read")
847
def last_enabled_dbus_property(self):
848
if self.last_enabled is None:
849
return dbus.String(u"")
850
return dbus.String(self._datetime_to_dbus(self.last_enabled))
851
852
# enabled - property
853
@dbus_service_property(_interface, signature=u"b",
854
access=u"readwrite")
855
def enabled_dbus_property(self, value=None):
856
if value is None: # get
857
return dbus.Boolean(self.enabled)
858
if value:
859
self.enable()
860
else:
861
self.disable()
862
863
# last_checked_ok - property
864
@dbus_service_property(_interface, signature=u"s",
865
access=u"readwrite")
866
def last_checked_ok_dbus_property(self, value=None):
867
if value is not None:
868
self.checked_ok()
869
return
870
if self.last_checked_ok is None:
871
return dbus.String(u"")
872
return dbus.String(self._datetime_to_dbus(self
873
.last_checked_ok))
874
875
# timeout - property
876
@dbus_service_property(_interface, signature=u"t",
877
access=u"readwrite")
878
def timeout_dbus_property(self, value=None):
879
if value is None: # get
880
return dbus.UInt64(self.timeout_milliseconds())
881
self.timeout = datetime.timedelta(0, 0, 0, value)
882
# Emit D-Bus signal
883
self.PropertyChanged(dbus.String(u"timeout"),
884
dbus.UInt64(value, variant_level=1))
885
if getattr(self, u"disable_initiator_tag", None) is None:
886
return
887
# Reschedule timeout
888
gobject.source_remove(self.disable_initiator_tag)
889
self.disable_initiator_tag = None
890
time_to_die = (self.
891
_timedelta_to_milliseconds((self
892
.last_checked_ok
893
+ self.timeout)
894
- datetime.datetime
895
.utcnow()))
896
if time_to_die <= 0:
897
# The timeout has passed
898
self.disable()
899
else:
900
self.disable_initiator_tag = (gobject.timeout_add
901
(time_to_die, self.disable))
902
903
# interval - property
904
@dbus_service_property(_interface, signature=u"t",
905
access=u"readwrite")
906
def interval_dbus_property(self, value=None):
907
if value is None: # get
908
return dbus.UInt64(self.interval_milliseconds())
909
self.interval = datetime.timedelta(0, 0, 0, value)
910
# Emit D-Bus signal
911
self.PropertyChanged(dbus.String(u"interval"),
912
dbus.UInt64(value, variant_level=1))
913
if getattr(self, u"checker_initiator_tag", None) is None:
914
return
915
# Reschedule checker run
916
gobject.source_remove(self.checker_initiator_tag)
917
self.checker_initiator_tag = (gobject.timeout_add
918
(value, self.start_checker))
919
self.start_checker() # Start one now, too
920
921
# checker - property
922
@dbus_service_property(_interface, signature=u"s",
923
access=u"readwrite")
924
def checker_dbus_property(self, value=None):
925
if value is None: # get
926
return dbus.String(self.checker_command)
927
self.checker_command = value
928
# Emit D-Bus signal
929
self.PropertyChanged(dbus.String(u"checker"),
930
dbus.String(self.checker_command,
931
variant_level=1))
932
933
# checker_running - property
934
@dbus_service_property(_interface, signature=u"b",
935
access=u"readwrite")
936
def checker_running_dbus_property(self, value=None):
937
if value is None: # get
938
return dbus.Boolean(self.checker is not None)
939
if value:
940
self.start_checker()
941
else:
942
self.stop_checker()
943
944
# object_path - property
945
@dbus_service_property(_interface, signature=u"o", access=u"read")
946
def object_path_dbus_property(self):
947
return self.dbus_object_path # is already a dbus.ObjectPath
948
949
# secret = property
950
@dbus_service_property(_interface, signature=u"ay",
951
access=u"write", byte_arrays=True)
952
def secret_dbus_property(self, value):
953
self.secret = str(value)
584
StopChecker = dbus.service.method(_interface)(stop_checker)
585
StopChecker.__name__ = "StopChecker"
954
586
955
587
del _interface
956
588
957
589
958
class ClientHandler(socketserver.BaseRequestHandler, object):
959
"""A class to handle client connections.
960
961
Instantiated once for each connection to handle it.
590
def peer_certificate(session):
591
"Return the peer's OpenPGP certificate as a bytestring"
592
# If not an OpenPGP certificate...
593
if (gnutls.library.functions
594
.gnutls_certificate_type_get(session._c_object)
595
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
596
# ...do the normal thing
597
return session.peer_certificate
598
list_size = ctypes.c_uint(1)
599
cert_list = (gnutls.library.functions
600
.gnutls_certificate_get_peers
601
(session._c_object, ctypes.byref(list_size)))
602
if not bool(cert_list) and list_size.value != 0:
603
raise gnutls.errors.GNUTLSError("error getting peer"
604
" certificate")
605
if list_size.value == 0:
606
return None
607
cert = cert_list[0]
608
return ctypes.string_at(cert.data, cert.size)
609
610
611
def fingerprint(openpgp):
612
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
613
# New GnuTLS "datum" with the OpenPGP public key
614
datum = (gnutls.library.types
615
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
616
ctypes.POINTER
617
(ctypes.c_ubyte)),
618
ctypes.c_uint(len(openpgp))))
619
# New empty GnuTLS certificate
620
crt = gnutls.library.types.gnutls_openpgp_crt_t()
621
(gnutls.library.functions
622
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
623
# Import the OpenPGP public key into the certificate
624
(gnutls.library.functions
625
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
626
gnutls.library.constants
627
.GNUTLS_OPENPGP_FMT_RAW))
628
# Verify the self signature in the key
629
crtverify = ctypes.c_uint()
630
(gnutls.library.functions
631
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
632
if crtverify.value != 0:
633
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
634
raise gnutls.errors.CertificateSecurityError("Verify failed")
635
# New buffer for the fingerprint
636
buf = ctypes.create_string_buffer(20)
637
buf_len = ctypes.c_size_t()
638
# Get the fingerprint from the certificate into the buffer
639
(gnutls.library.functions
640
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
641
ctypes.byref(buf_len)))
642
# Deinit the certificate
643
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
644
# Convert the buffer to a Python bytestring
645
fpr = ctypes.string_at(buf, buf_len.value)
646
# Convert the bytestring to hexadecimal notation
647
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
648
return hex_fpr
649
650
651
class TCP_handler(SocketServer.BaseRequestHandler, object):
652
"""A TCP request handler class.
653
Instantiated by IPv6_TCPServer for each request to handle it.
962
654
Note: This will run in its own forked process."""
963
655
964
656
def handle(self):
965
657
logger.info(u"TCP connection from: %s",
966
658
unicode(self.client_address))
967
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
968
# Open IPC pipe to parent process
969
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
970
session = (gnutls.connection
971
.ClientSession(self.request,
972
gnutls.connection
973
.X509Credentials()))
974
975
line = self.request.makefile().readline()
976
logger.debug(u"Protocol version: %r", line)
977
try:
978
if int(line.strip().split()[0]) > 1:
979
raise RuntimeError
980
except (ValueError, IndexError, RuntimeError), error:
981
logger.error(u"Unknown protocol version: %s", error)
982
return
983
984
# Note: gnutls.connection.X509Credentials is really a
985
# generic GnuTLS certificate credentials object so long as
986
# no X.509 keys are added to it. Therefore, we can use it
987
# here despite using OpenPGP certificates.
988
989
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
990
# u"+AES-256-CBC", u"+SHA1",
991
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
992
# u"+DHE-DSS"))
993
# Use a fallback default, since this MUST be set.
994
priority = self.server.gnutls_priority
995
if priority is None:
996
priority = u"NORMAL"
997
(gnutls.library.functions
998
.gnutls_priority_set_direct(session._c_object,
999
priority, None))
1000
1001
try:
1002
session.handshake()
1003
except gnutls.errors.GNUTLSError, error:
1004
logger.warning(u"Handshake failed: %s", error)
1005
# Do not run session.bye() here: the session is not
1006
# established. Just abandon the request.
1007
return
1008
logger.debug(u"Handshake succeeded")
1009
try:
1010
fpr = self.fingerprint(self.peer_certificate(session))
1011
except (TypeError, gnutls.errors.GNUTLSError), error:
1012
logger.warning(u"Bad certificate: %s", error)
1013
session.bye()
1014
return
1015
logger.debug(u"Fingerprint: %s", fpr)
1016
1017
for c in self.server.clients:
1018
if c.fingerprint == fpr:
1019
client = c
1020
break
1021
else:
1022
ipc.write(u"NOTFOUND %s %s\n"
1023
% (fpr, unicode(self.client_address)))
1024
session.bye()
1025
return
1026
# Have to check if client.still_valid(), since it is
1027
# possible that the client timed out while establishing
1028
# the GnuTLS session.
1029
if not client.still_valid():
1030
ipc.write(u"INVALID %s\n" % client.name)
1031
session.bye()
1032
return
1033
ipc.write(u"SENDING %s\n" % client.name)
1034
sent_size = 0
1035
while sent_size < len(client.secret):
1036
sent = session.send(client.secret[sent_size:])
1037
logger.debug(u"Sent: %d, remaining: %d",
1038
sent, len(client.secret)
1039
- (sent_size + sent))
1040
sent_size += sent
1041
session.bye()
1042
1043
@staticmethod
1044
def peer_certificate(session):
1045
"Return the peer's OpenPGP certificate as a bytestring"
1046
# If not an OpenPGP certificate...
1047
if (gnutls.library.functions
1048
.gnutls_certificate_type_get(session._c_object)
1049
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1050
# ...do the normal thing
1051
return session.peer_certificate
1052
list_size = ctypes.c_uint(1)
1053
cert_list = (gnutls.library.functions
1054
.gnutls_certificate_get_peers
1055
(session._c_object, ctypes.byref(list_size)))
1056
if not bool(cert_list) and list_size.value != 0:
1057
raise gnutls.errors.GNUTLSError(u"error getting peer"
1058
u" certificate")
1059
if list_size.value == 0:
1060
return None
1061
cert = cert_list[0]
1062
return ctypes.string_at(cert.data, cert.size)
1063
1064
@staticmethod
1065
def fingerprint(openpgp):
1066
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1067
# New GnuTLS "datum" with the OpenPGP public key
1068
datum = (gnutls.library.types
1069
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1070
ctypes.POINTER
1071
(ctypes.c_ubyte)),
1072
ctypes.c_uint(len(openpgp))))
1073
# New empty GnuTLS certificate
1074
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1075
(gnutls.library.functions
1076
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1077
# Import the OpenPGP public key into the certificate
1078
(gnutls.library.functions
1079
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1080
gnutls.library.constants
1081
.GNUTLS_OPENPGP_FMT_RAW))
1082
# Verify the self signature in the key
1083
crtverify = ctypes.c_uint()
1084
(gnutls.library.functions
1085
.gnutls_openpgp_crt_verify_self(crt, 0,
1086
ctypes.byref(crtverify)))
1087
if crtverify.value != 0:
1088
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1089
raise (gnutls.errors.CertificateSecurityError
1090
(u"Verify failed"))
1091
# New buffer for the fingerprint
1092
buf = ctypes.create_string_buffer(20)
1093
buf_len = ctypes.c_size_t()
1094
# Get the fingerprint from the certificate into the buffer
1095
(gnutls.library.functions
1096
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1097
ctypes.byref(buf_len)))
1098
# Deinit the certificate
1099
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1100
# Convert the buffer to a Python bytestring
1101
fpr = ctypes.string_at(buf, buf_len.value)
1102
# Convert the bytestring to hexadecimal notation
1103
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1104
return hex_fpr
1105
1106
1107
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
1108
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1109
def process_request(self, request, client_address):
1110
"""Overrides and wraps the original process_request().
1111
1112
This function creates a new pipe in self.pipe
1113
"""
1114
self.pipe = os.pipe()
1115
super(ForkingMixInWithPipe,
1116
self).process_request(request, client_address)
1117
os.close(self.pipe[1]) # close write end
1118
self.add_pipe(self.pipe[0])
1119
def add_pipe(self, pipe):
1120
"""Dummy function; override as necessary"""
1121
os.close(pipe)
1122
1123
1124
class IPv6_TCPServer(ForkingMixInWithPipe,
1125
socketserver.TCPServer, object):
1126
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1127
659
session = (gnutls.connection
660
.ClientSession(self.request,
661
gnutls.connection
662
.X509Credentials()))
663
664
line = self.request.makefile().readline()
665
logger.debug(u"Protocol version: %r", line)
666
try:
667
if int(line.strip().split()[0]) > 1:
668
raise RuntimeError
669
except (ValueError, IndexError, RuntimeError), error:
670
logger.error(u"Unknown protocol version: %s", error)
671
return
672
673
# Note: gnutls.connection.X509Credentials is really a generic
674
# GnuTLS certificate credentials object so long as no X.509
675
# keys are added to it. Therefore, we can use it here despite
676
# using OpenPGP certificates.
677
678
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
679
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
680
# "+DHE-DSS"))
681
# Use a fallback default, since this MUST be set.
682
priority = self.server.settings.get("priority", "NORMAL")
683
(gnutls.library.functions
684
.gnutls_priority_set_direct(session._c_object,
685
priority, None))
686
687
try:
688
session.handshake()
689
except gnutls.errors.GNUTLSError, error:
690
logger.warning(u"Handshake failed: %s", error)
691
# Do not run session.bye() here: the session is not
692
# established. Just abandon the request.
693
return
694
logger.debug(u"Handshake succeeded")
695
try:
696
fpr = fingerprint(peer_certificate(session))
697
except (TypeError, gnutls.errors.GNUTLSError), error:
698
logger.warning(u"Bad certificate: %s", error)
699
session.bye()
700
return
701
logger.debug(u"Fingerprint: %s", fpr)
702
703
for c in self.server.clients:
704
if c.fingerprint == fpr:
705
client = c
706
break
707
else:
708
logger.warning(u"Client not found for fingerprint: %s",
709
fpr)
710
session.bye()
711
return
712
# Have to check if client.still_valid(), since it is possible
713
# that the client timed out while establishing the GnuTLS
714
# session.
715
if not client.still_valid():
716
logger.warning(u"Client %(name)s is invalid",
717
vars(client))
718
session.bye()
719
return
720
## This won't work here, since we're in a fork.
721
# client.checked_ok()
722
sent_size = 0
723
while sent_size < len(client.secret):
724
sent = session.send(client.secret[sent_size:])
725
logger.debug(u"Sent: %d, remaining: %d",
726
sent, len(client.secret)
727
- (sent_size + sent))
728
sent_size += sent
729
session.bye()
730
731
732
class IPv6_TCPServer(SocketServer.ForkingMixIn,
733
SocketServer.TCPServer, object):
734
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1128
735
Attributes:
736
settings: Server settings
737
clients: Set() of Client objects
1129
738
enabled: Boolean; whether this server is activated yet
1130
interface: None or a network interface name (string)
1131
use_ipv6: Boolean; to use IPv6 or not
1132
739
"""
1133
def __init__(self, server_address, RequestHandlerClass,
1134
interface=None, use_ipv6=True):
1135
self.interface = interface
1136
if use_ipv6:
1137
self.address_family = socket.AF_INET6
1138
socketserver.TCPServer.__init__(self, server_address,
1139
RequestHandlerClass)
740
address_family = socket.AF_INET6
741
def __init__(self, *args, **kwargs):
742
if "settings" in kwargs:
743
self.settings = kwargs["settings"]
744
del kwargs["settings"]
745
if "clients" in kwargs:
746
self.clients = kwargs["clients"]
747
del kwargs["clients"]
748
self.enabled = False
749
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1140
750
def server_bind(self):
1141
751
"""This overrides the normal server_bind() function
1142
752
to bind to an interface if one was specified, and also NOT to
1143
753
bind to an address or port if they were not specified."""
1144
if self.interface is not None:
1145
if SO_BINDTODEVICE is None:
1146
logger.error(u"SO_BINDTODEVICE does not exist;"
1147
u" cannot bind to interface %s",
1148
self.interface)
1149
else:
1150
try:
1151
self.socket.setsockopt(socket.SOL_SOCKET,
1152
SO_BINDTODEVICE,
1153
str(self.interface
1154
+ u'\0'))
1155
except socket.error, error:
1156
if error[0] == errno.EPERM:
1157
logger.error(u"No permission to"
1158
u" bind to interface %s",
1159
self.interface)
1160
elif error[0] == errno.ENOPROTOOPT:
1161
logger.error(u"SO_BINDTODEVICE not available;"
1162
u" cannot bind to interface %s",
1163
self.interface)
1164
else:
1165
raise
754
if self.settings["interface"]:
755
# 25 is from /usr/include/asm-i486/socket.h
756
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
757
try:
758
self.socket.setsockopt(socket.SOL_SOCKET,
759
SO_BINDTODEVICE,
760
self.settings["interface"])
761
except socket.error, error:
762
if error[0] == errno.EPERM:
763
logger.error(u"No permission to"
764
u" bind to interface %s",
765
self.settings["interface"])
766
else:
767
raise error
1166
768
# Only bind(2) the socket if we really need to.
1167
769
if self.server_address[0] or self.server_address[1]:
1168
770
if not self.server_address[0]:
1169
if self.address_family == socket.AF_INET6:
1170
any_address = u"::" # in6addr_any
1171
else:
1172
any_address = socket.INADDR_ANY
1173
self.server_address = (any_address,
771
in6addr_any = "::"
772
self.server_address = (in6addr_any,
1174
773
self.server_address[1])
1175
774
elif not self.server_address[1]:
1176
775
self.server_address = (self.server_address[0],
1177
776
0)
1178
# if self.interface:
777
# if self.settings["interface"]:
1179
778
# self.server_address = (self.server_address[0],
1180
779
# 0, # port
1181
780
# 0, # flowinfo
1182
781
# if_nametoindex
1183
# (self.interface))
1184
return socketserver.TCPServer.server_bind(self)
1185
1186
1187
class MandosServer(IPv6_TCPServer):
1188
"""Mandos server.
1189
1190
Attributes:
1191
clients: set of Client objects
1192
gnutls_priority GnuTLS priority string
1193
use_dbus: Boolean; to emit D-Bus signals or not
1194
1195
Assumes a gobject.MainLoop event loop.
1196
"""
1197
def __init__(self, server_address, RequestHandlerClass,
1198
interface=None, use_ipv6=True, clients=None,
1199
gnutls_priority=None, use_dbus=True):
1200
self.enabled = False
1201
self.clients = clients
1202
if self.clients is None:
1203
self.clients = set()
1204
self.use_dbus = use_dbus
1205
self.gnutls_priority = gnutls_priority
1206
IPv6_TCPServer.__init__(self, server_address,
1207
RequestHandlerClass,
1208
interface = interface,
1209
use_ipv6 = use_ipv6)
782
# (self.settings
783
# ["interface"]))
784
return super(IPv6_TCPServer, self).server_bind()
1210
785
def server_activate(self):
1211
786
if self.enabled:
1212
return socketserver.TCPServer.server_activate(self)
787
return super(IPv6_TCPServer, self).server_activate()
1213
788
def enable(self):
1214
789
self.enabled = True
1215
def add_pipe(self, pipe):
1216
# Call "handle_ipc" for both data and EOF events
1217
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1218
self.handle_ipc)
1219
def handle_ipc(self, source, condition, file_objects={}):
1220
condition_names = {
1221
gobject.IO_IN: u"IN", # There is data to read.
1222
gobject.IO_OUT: u"OUT", # Data can be written (without
1223
# blocking).
1224
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1225
gobject.IO_ERR: u"ERR", # Error condition.
1226
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1227
# broken, usually for pipes and
1228
# sockets).
1229
}
1230
conditions_string = ' | '.join(name
1231
for cond, name in
1232
condition_names.iteritems()
1233
if cond & condition)
1234
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1235
conditions_string)
1236
1237
# Turn the pipe file descriptor into a Python file object
1238
if source not in file_objects:
1239
file_objects[source] = os.fdopen(source, u"r", 1)
1240
1241
# Read a line from the file object
1242
cmdline = file_objects[source].readline()
1243
if not cmdline: # Empty line means end of file
1244
# close the IPC pipe
1245
file_objects[source].close()
1246
del file_objects[source]
1247
1248
# Stop calling this function
1249
return False
1250
1251
logger.debug(u"IPC command: %r", cmdline)
1252
1253
# Parse and act on command
1254
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1255
1256
if cmd == u"NOTFOUND":
1257
logger.warning(u"Client not found for fingerprint: %s",
1258
args)
1259
if self.use_dbus:
1260
# Emit D-Bus signal
1261
mandos_dbus_service.ClientNotFound(args)
1262
elif cmd == u"INVALID":
1263
for client in self.clients:
1264
if client.name == args:
1265
logger.warning(u"Client %s is invalid", args)
1266
if self.use_dbus:
1267
# Emit D-Bus signal
1268
client.Rejected()
1269
break
1270
else:
1271
logger.error(u"Unknown client %s is invalid", args)
1272
elif cmd == u"SENDING":
1273
for client in self.clients:
1274
if client.name == args:
1275
logger.info(u"Sending secret to %s", client.name)
1276
client.checked_ok()
1277
if self.use_dbus:
1278
# Emit D-Bus signal
1279
client.ReceivedSecret()
1280
break
1281
else:
1282
logger.error(u"Sending secret to unknown client %s",
1283
args)
1284
else:
1285
logger.error(u"Unknown IPC command: %r", cmdline)
1286
1287
# Keep calling this function
1288
return True
1289
790
1290
791
1291
792
def string_to_delta(interval):
1292
793
"""Parse a string and return a datetime.timedelta
1293
794
1294
>>> string_to_delta(u'7d')
795
>>> string_to_delta('7d')
1295
796
datetime.timedelta(7)
1296
>>> string_to_delta(u'60s')
797
>>> string_to_delta('60s')
1297
798
datetime.timedelta(0, 60)
1298
>>> string_to_delta(u'60m')
799
>>> string_to_delta('60m')
1299
800
datetime.timedelta(0, 3600)
1300
>>> string_to_delta(u'24h')
801
>>> string_to_delta('24h')
1301
802
datetime.timedelta(1)
1302
803
>>> string_to_delta(u'1w')
1303
804
datetime.timedelta(7)
1304
>>> string_to_delta(u'5m 30s')
805
>>> string_to_delta('5m 30s')
1305
806
datetime.timedelta(0, 330)
1306
807
"""
1307
808
timevalue = datetime.timedelta(0)
1327
828
return timevalue
1328
829
1329
830
831
def server_state_changed(state):
832
"""Derived from the Avahi example code"""
833
if state == avahi.SERVER_COLLISION:
834
logger.error(u"Zeroconf server name collision")
835
service.remove()
836
elif state == avahi.SERVER_RUNNING:
837
service.add()
838
839
840
def entry_group_state_changed(state, error):
841
"""Derived from the Avahi example code"""
842
logger.debug(u"Avahi state change: %i", state)
843
844
if state == avahi.ENTRY_GROUP_ESTABLISHED:
845
logger.debug(u"Zeroconf service established.")
846
elif state == avahi.ENTRY_GROUP_COLLISION:
847
logger.warning(u"Zeroconf service name collision.")
848
service.rename()
849
elif state == avahi.ENTRY_GROUP_FAILURE:
850
logger.critical(u"Avahi: Error in group state changed %s",
851
unicode(error))
852
raise AvahiGroupError(u"State changed: %s" % unicode(error))
853
1330
854
def if_nametoindex(interface):
1331
"""Call the C function if_nametoindex(), or equivalent
1332
1333
Note: This function cannot accept a unicode string."""
855
"""Call the C function if_nametoindex(), or equivalent"""
1334
856
global if_nametoindex
1335
857
try:
1336
858
if_nametoindex = (ctypes.cdll.LoadLibrary
1337
(ctypes.util.find_library(u"c"))
859
(ctypes.util.find_library("c"))
1338
860
.if_nametoindex)
1339
861
except (OSError, AttributeError):
1340
logger.warning(u"Doing if_nametoindex the hard way")
862
if "struct" not in sys.modules:
863
import struct
864
if "fcntl" not in sys.modules:
865
import fcntl
1341
866
def if_nametoindex(interface):
1342
867
"Get an interface index the hard way, i.e. using fcntl()"
1343
868
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1344
869
with closing(socket.socket()) as s:
1345
870
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1346
struct.pack(str(u"16s16x"),
1347
interface))
1348
interface_index = struct.unpack(str(u"I"),
1349
ifreq[16:20])[0]
871
struct.pack("16s16x", interface))
872
interface_index = struct.unpack("I", ifreq[16:20])[0]
1350
873
return interface_index
1351
874
return if_nametoindex(interface)
1352
875
1353
876
1354
877
def daemon(nochdir = False, noclose = False):
1355
878
"""See daemon(3). Standard BSD Unix function.
1356
1357
879
This should really exist as os.daemon, but it doesn't (yet)."""
1358
880
if os.fork():
1359
881
sys.exit()
1360
882
os.setsid()
1361
883
if not nochdir:
1362
os.chdir(u"/")
884
os.chdir("/")
1363
885
if os.fork():
1364
886
sys.exit()
1365
887
if not noclose:
1367
889
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1368
890
if not stat.S_ISCHR(os.fstat(null).st_mode):
1369
891
raise OSError(errno.ENODEV,
1370
u"/dev/null not a character device")
892
"/dev/null not a character device")
1371
893
os.dup2(null, sys.stdin.fileno())
1372
894
os.dup2(null, sys.stdout.fileno())
1373
895
os.dup2(null, sys.stderr.fileno())
1376
898
1377
899
1378
900
def main():
1379
1380
##################################################################
1381
# Parsing of options, both command line and config file
1382
1383
901
parser = optparse.OptionParser(version = "%%prog %s" % version)
1384
parser.add_option("-i", u"--interface", type=u"string",
1385
metavar="IF", help=u"Bind to interface IF")
1386
parser.add_option("-a", u"--address", type=u"string",
1387
help=u"Address to listen for requests on")
1388
parser.add_option("-p", u"--port", type=u"int",
1389
help=u"Port number to receive requests on")
1390
parser.add_option("--check", action=u"store_true",
1391
help=u"Run self-test")
1392
parser.add_option("--debug", action=u"store_true",
1393
help=u"Debug mode; run in foreground and log to"
1394
u" terminal")
1395
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1396
u" priority string (see GnuTLS documentation)")
1397
parser.add_option("--servicename", type=u"string",
1398
metavar=u"NAME", help=u"Zeroconf service name")
1399
parser.add_option("--configdir", type=u"string",
1400
default=u"/etc/mandos", metavar=u"DIR",
1401
help=u"Directory to search for configuration"
1402
u" files")
1403
parser.add_option("--no-dbus", action=u"store_false",
1404
dest=u"use_dbus", help=u"Do not provide D-Bus"
1405
u" system bus interface")
1406
parser.add_option("--no-ipv6", action=u"store_false",
1407
dest=u"use_ipv6", help=u"Do not use IPv6")
902
parser.add_option("-i", "--interface", type="string",
903
metavar="IF", help="Bind to interface IF")
904
parser.add_option("-a", "--address", type="string",
905
help="Address to listen for requests on")
906
parser.add_option("-p", "--port", type="int",
907
help="Port number to receive requests on")
908
parser.add_option("--check", action="store_true",
909
help="Run self-test")
910
parser.add_option("--debug", action="store_true",
911
help="Debug mode; run in foreground and log to"
912
" terminal")
913
parser.add_option("--priority", type="string", help="GnuTLS"
914
" priority string (see GnuTLS documentation)")
915
parser.add_option("--servicename", type="string", metavar="NAME",
916
help="Zeroconf service name")
917
parser.add_option("--configdir", type="string",
918
default="/etc/mandos", metavar="DIR",
919
help="Directory to search for configuration"
920
" files")
921
parser.add_option("--no-dbus", action="store_false",
922
dest="use_dbus",
923
help="Do not provide D-Bus system bus"
924
" interface")
1408
925
options = parser.parse_args()[0]
1409
926
1410
927
if options.check:
1413
930
sys.exit()
1414
931
1415
932
# Default values for config file for server-global settings
1416
server_defaults = { u"interface": u"",
1417
u"address": u"",
1418
u"port": u"",
1419
u"debug": u"False",
1420
u"priority":
1421
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1422
u"servicename": u"Mandos",
1423
u"use_dbus": u"True",
1424
u"use_ipv6": u"True",
933
server_defaults = { "interface": "",
934
"address": "",
935
"port": "",
936
"debug": "False",
937
"priority":
938
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
939
"servicename": "Mandos",
940
"use_dbus": "True",
1425
941
}
1426
942
1427
943
# Parse config file for server-global settings
1428
server_config = configparser.SafeConfigParser(server_defaults)
944
server_config = ConfigParser.SafeConfigParser(server_defaults)
1429
945
del server_defaults
1430
server_config.read(os.path.join(options.configdir,
1431
u"mandos.conf"))
946
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1432
947
# Convert the SafeConfigParser object to a dict
1433
948
server_settings = server_config.defaults()
1434
949
# Use the appropriate methods on the non-string config options
1435
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1436
server_settings[option] = server_config.getboolean(u"DEFAULT",
1437
option)
950
server_settings["debug"] = server_config.getboolean("DEFAULT",
951
"debug")
952
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
953
"use_dbus")
1438
954
if server_settings["port"]:
1439
server_settings["port"] = server_config.getint(u"DEFAULT",
1440
u"port")
955
server_settings["port"] = server_config.getint("DEFAULT",
956
"port")
1441
957
del server_config
1442
958
1443
959
# Override the settings from the config file with command line
1444
960
# options, if set.
1445
for option in (u"interface", u"address", u"port", u"debug",
1446
u"priority", u"servicename", u"configdir",
1447
u"use_dbus", u"use_ipv6"):
961
for option in ("interface", "address", "port", "debug",
962
"priority", "servicename", "configdir",
963
"use_dbus"):
1448
964
value = getattr(options, option)
1449
965
if value is not None:
1450
966
server_settings[option] = value
1451
967
del options
1452
# Force all strings to be unicode
1453
for option in server_settings.keys():
1454
if type(server_settings[option]) is str:
1455
server_settings[option] = unicode(server_settings[option])
1456
968
# Now we have our good server settings in "server_settings"
1457
969
1458
##################################################################
1459
1460
970
# For convenience
1461
debug = server_settings[u"debug"]
1462
use_dbus = server_settings[u"use_dbus"]
1463
use_ipv6 = server_settings[u"use_ipv6"]
971
debug = server_settings["debug"]
972
use_dbus = server_settings["use_dbus"]
973
974
def sigsegvhandler(signum, frame):
975
raise RuntimeError('Segmentation fault')
1464
976
1465
977
if not debug:
1466
978
syslogger.setLevel(logging.WARNING)
1467
979
console.setLevel(logging.WARNING)
980
else:
981
signal.signal(signal.SIGSEGV, sigsegvhandler)
1468
982
1469
if server_settings[u"servicename"] != u"Mandos":
983
if server_settings["servicename"] != "Mandos":
1470
984
syslogger.setFormatter(logging.Formatter
1471
(u'Mandos (%s) [%%(process)d]:'
1472
u' %%(levelname)s: %%(message)s'
1473
% server_settings[u"servicename"]))
985
('Mandos (%s): %%(levelname)s:'
986
' %%(message)s'
987
% server_settings["servicename"]))
1474
988
1475
989
# Parse config file with clients
1476
client_defaults = { u"timeout": u"1h",
1477
u"interval": u"5m",
1478
u"checker": u"fping -q -- %%(host)s",
1479
u"host": u"",
990
client_defaults = { "timeout": "1h",
991
"interval": "5m",
992
"checker": "fping -q -- %%(host)s",
993
"host": "",
1480
994
}
1481
client_config = configparser.SafeConfigParser(client_defaults)
1482
client_config.read(os.path.join(server_settings[u"configdir"],
1483
u"clients.conf"))
1484
1485
global mandos_dbus_service
1486
mandos_dbus_service = None
1487
1488
tcp_server = MandosServer((server_settings[u"address"],
1489
server_settings[u"port"]),
1490
ClientHandler,
1491
interface=server_settings[u"interface"],
1492
use_ipv6=use_ipv6,
1493
gnutls_priority=
1494
server_settings[u"priority"],
1495
use_dbus=use_dbus)
1496
pidfilename = u"/var/run/mandos.pid"
1497
try:
1498
pidfile = open(pidfilename, u"w")
1499
except IOError:
1500
logger.error(u"Could not open file %r", pidfilename)
1501
1502
try:
1503
uid = pwd.getpwnam(u"_mandos").pw_uid
1504
gid = pwd.getpwnam(u"_mandos").pw_gid
995
client_config = ConfigParser.SafeConfigParser(client_defaults)
996
client_config.read(os.path.join(server_settings["configdir"],
997
"clients.conf"))
998
999
clients = Set()
1000
tcp_server = IPv6_TCPServer((server_settings["address"],
1001
server_settings["port"]),
1002
TCP_handler,
1003
settings=server_settings,
1004
clients=clients)
1005
pidfilename = "/var/run/mandos.pid"
1006
try:
1007
pidfile = open(pidfilename, "w")
1008
except IOError, error:
1009
logger.error("Could not open file %r", pidfilename)
1010
1011
try:
1012
uid = pwd.getpwnam("_mandos").pw_uid
1013
gid = pwd.getpwnam("_mandos").pw_gid
1505
1014
except KeyError:
1506
1015
try:
1507
uid = pwd.getpwnam(u"mandos").pw_uid
1508
gid = pwd.getpwnam(u"mandos").pw_gid
1016
uid = pwd.getpwnam("mandos").pw_uid
1017
gid = pwd.getpwnam("mandos").pw_gid
1509
1018
except KeyError:
1510
1019
try:
1511
uid = pwd.getpwnam(u"nobody").pw_uid
1512
gid = pwd.getpwnam(u"nobody").pw_gid
1020
uid = pwd.getpwnam("nobody").pw_uid
1021
gid = pwd.getpwnam("nogroup").pw_gid
1513
1022
except KeyError:
1514
1023
uid = 65534
1515
1024
gid = 65534
1528
1037
1529
1038
@gnutls.library.types.gnutls_log_func
1530
1039
def debug_gnutls(level, string):
1531
logger.debug(u"GnuTLS: %s", string[:-1])
1040
logger.debug("GnuTLS: %s", string[:-1])
1532
1041
1533
1042
(gnutls.library.functions
1534
1043
.gnutls_global_set_log_function(debug_gnutls))
1535
1044
1045
global service
1046
service = AvahiService(name = server_settings["servicename"],
1047
servicetype = "_mandos._tcp", )
1048
if server_settings["interface"]:
1049
service.interface = (if_nametoindex
1050
(server_settings["interface"]))
1051
1536
1052
global main_loop
1053
global bus
1054
global server
1537
1055
# From the Avahi example code
1538
1056
DBusGMainLoop(set_as_default=True )
1539
1057
main_loop = gobject.MainLoop()
1540
1058
bus = dbus.SystemBus()
1059
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1060
avahi.DBUS_PATH_SERVER),
1061
avahi.DBUS_INTERFACE_SERVER)
1541
1062
# End of Avahi example code
1542
1063
if use_dbus:
1543
1064
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1544
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1545
service = AvahiService(name = server_settings[u"servicename"],
1546
servicetype = u"_mandos._tcp",
1547
protocol = protocol, bus = bus)
1548
if server_settings["interface"]:
1549
service.interface = (if_nametoindex
1550
(str(server_settings[u"interface"])))
1551
1065
1552
client_class = Client
1553
if use_dbus:
1554
client_class = functools.partial(ClientDBus, bus = bus)
1555
tcp_server.clients.update(set(
1556
client_class(name = section,
1557
config= dict(client_config.items(section)))
1558
for section in client_config.sections()))
1559
if not tcp_server.clients:
1066
clients.update(Set(Client(name = section,
1067
config
1068
= dict(client_config.items(section)),
1069
use_dbus = use_dbus)
1070
for section in client_config.sections()))
1071
if not clients:
1560
1072
logger.warning(u"No clients defined")
1561
1073
1562
1074
if debug:
1572
1084
daemon()
1573
1085
1574
1086
try:
1575
with closing(pidfile):
1576
pid = os.getpid()
1577
pidfile.write(str(pid) + "\n")
1087
pid = os.getpid()
1088
pidfile.write(str(pid) + "\n")
1089
pidfile.close()
1578
1090
del pidfile
1579
1091
except IOError:
1580
1092
logger.error(u"Could not write to file %r with PID %d",
1586
1098
1587
1099
def cleanup():
1588
1100
"Cleanup function; run on exit"
1589
service.cleanup()
1101
global group
1102
# From the Avahi example code
1103
if not group is None:
1104
group.Free()
1105
group = None
1106
# End of Avahi example code
1590
1107
1591
while tcp_server.clients:
1592
client = tcp_server.clients.pop()
1108
while clients:
1109
client = clients.pop()
1593
1110
client.disable_hook = None
1594
1111
client.disable()
1595
1112
1601
1118
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1602
1119
1603
1120
if use_dbus:
1604
class MandosDBusService(dbus.service.Object):
1121
class MandosServer(dbus.service.Object):
1605
1122
"""A D-Bus proxy object"""
1606
1123
def __init__(self):
1607
dbus.service.Object.__init__(self, bus, u"/")
1124
dbus.service.Object.__init__(self, bus, "/")
1608
1125
_interface = u"se.bsnet.fukt.Mandos"
1609
1126
1610
@dbus.service.signal(_interface, signature=u"oa{sv}")
1127
@dbus.service.signal(_interface, signature="oa{sv}")
1611
1128
def ClientAdded(self, objpath, properties):
1612
1129
"D-Bus signal"
1613
1130
pass
1614
1131
1615
@dbus.service.signal(_interface, signature=u"s")
1616
def ClientNotFound(self, fingerprint):
1617
"D-Bus signal"
1618
pass
1619
1620
@dbus.service.signal(_interface, signature=u"os")
1132
@dbus.service.signal(_interface, signature="os")
1621
1133
def ClientRemoved(self, objpath, name):
1622
1134
"D-Bus signal"
1623
1135
pass
1624
1136
1625
@dbus.service.method(_interface, out_signature=u"ao")
1137
@dbus.service.method(_interface, out_signature="ao")
1626
1138
def GetAllClients(self):
1627
1139
"D-Bus method"
1628
return dbus.Array(c.dbus_object_path
1629
for c in tcp_server.clients)
1140
return dbus.Array(c.dbus_object_path for c in clients)
1630
1141
1631
@dbus.service.method(_interface,
1632
out_signature=u"a{oa{sv}}")
1142
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1633
1143
def GetAllClientsWithProperties(self):
1634
1144
"D-Bus method"
1635
1145
return dbus.Dictionary(
1636
((c.dbus_object_path, c.GetAll(u""))
1637
for c in tcp_server.clients),
1638
signature=u"oa{sv}")
1146
((c.dbus_object_path, c.GetAllProperties())
1147
for c in clients),
1148
signature="oa{sv}")
1639
1149
1640
@dbus.service.method(_interface, in_signature=u"o")
1150
@dbus.service.method(_interface, in_signature="o")
1641
1151
def RemoveClient(self, object_path):
1642
1152
"D-Bus method"
1643
for c in tcp_server.clients:
1153
for c in clients:
1644
1154
if c.dbus_object_path == object_path:
1645
tcp_server.clients.remove(c)
1646
c.remove_from_connection()
1155
clients.remove(c)
1647
1156
# Don't signal anything except ClientRemoved
1648
c.disable(signal=False)
1157
c.use_dbus = False
1158
c.disable()
1649
1159
# Emit D-Bus signal
1650
1160
self.ClientRemoved(object_path, c.name)
1651
1161
return
1653
1163
1654
1164
del _interface
1655
1165
1656
mandos_dbus_service = MandosDBusService()
1166
mandos_server = MandosServer()
1657
1167
1658
for client in tcp_server.clients:
1168
for client in clients:
1659
1169
if use_dbus:
1660
1170
# Emit D-Bus signal
1661
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1662
client.GetAll(u""))
1171
mandos_server.ClientAdded(client.dbus_object_path,
1172
client.GetAllProperties())
1663
1173
client.enable()
1664
1174
1665
1175
tcp_server.enable()
1667
1177
1668
1178
# Find out what port we got
1669
1179
service.port = tcp_server.socket.getsockname()[1]
1670
if use_ipv6:
1671
logger.info(u"Now listening on address %r, port %d,"
1672
" flowinfo %d, scope_id %d"
1673
% tcp_server.socket.getsockname())
1674
else: # IPv4
1675
logger.info(u"Now listening on address %r, port %d"
1676
% tcp_server.socket.getsockname())
1180
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1181
u" scope_id %d" % tcp_server.socket.getsockname())
1677
1182
1678
1183
#service.interface = tcp_server.socket.getsockname()[3]
1679
1184
1680
1185
try:
1681
1186
# From the Avahi example code
1187
server.connect_to_signal("StateChanged", server_state_changed)
1682
1188
try:
1683
service.activate()
1189
server_state_changed(server.GetState())
1684
1190
except dbus.exceptions.DBusException, error:
1685
1191
logger.critical(u"DBusException: %s", error)
1686
1192
sys.exit(1)
1698
1204
sys.exit(1)
1699
1205
except KeyboardInterrupt:
1700
1206
if debug:
1701
print >> sys.stderr
1702
logger.debug(u"Server received KeyboardInterrupt")
1703
logger.debug(u"Server exiting")
1207
print
1704
1208
1705
1209
if __name__ == '__main__':
1706
1210
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0