/mandos/trunk : revision 3

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to server.py

Committer: Björn Påhlsson
Date: 2007-12-11 23:40:35 UTC
Revision ID: belorn@braxen-20071211234035-m1nsu41vuzkak69h

Python based server
Added client configfile

files added:
bad-ca.pem

bad-cert.pem

bad-client-cert.pem

bad-client-key.pem

bad-crl.pem

bad-key.pem

clients.conf

server.cpp

files modified:
Makefile

client.cpp

server.py

Show diffs side-by-side

added added

removed removed

server.py

import gnutls.connection

import gnutls.errors

import ConfigParser

import sys

import re

import os

import signal

class Client(object):

def __init__(self, name=None, options=None, dn=None,

password=None, passfile=None, fqdn=None,

timeout=None, interval=-1):

def __init__(self, name=None, dn=None, password=None,

passfile=None, fqdn=None, timeout=None,

interval=-1):

self.name = name

self.dn = dn

if password:

print "No Password or Passfile in client config file"

# raise RuntimeError XXX

self.password = "gazonk"

self.fqdn = fqdn # string

self.created = datetime.datetime.now()

self.last_seen = None # datetime.datetime()

self.fqdn = fqdn

# self.created = ...

self.last_seen = None

if timeout is None:

timeout = options.timeout

self.timeout = timeout # datetime.timedelta()

timeout = self.server.options.timeout

self.timeout = timeout

if interval == -1:

interval = options.interval

self.interval = interval # datetime.timedelta()

self.next_check = datetime.datetime.now() # datetime.datetime()

self.checker = None # or a subprocess.Popen()

def check_action(self, now=None):

"""The checker said something and might have completed.

Check if is has, and take appropriate actions."""

if self.checker.poll() is None:

# False alarm, no result yet

#self.checker.read()

return

if now is None:

now = datetime.datetime.now()

if self.checker.returncode == 0:

self.last_seen = now

while self.next_check <= now:

self.next_check += self.interval

handle_request = check_action

def start_checker(self):

self.stop_checker()

interval = self.server.options.interval

self.interval = interval

def server_bind(self):

if self.options.interface:

if not hasattr(socket, "SO_BINDTODEVICE"):

# From /usr/include/asm-i486/socket.h

socket.SO_BINDTODEVICE = 25

try:

self.checker = subprocess.Popen("sleep 1; fping -q -- %s"

% re.escape(self.fqdn),

stdout=subprocess.PIPE,

close_fds=True,

shell=True, cwd="/")

except subprocess.OSError, e:

print "Failed to start subprocess:", e

def stop_checker(self):

if self.checker is None:

return

os.kill(self.checker.pid, signal.SIGTERM)

if self.checker.poll() is None:

os.kill(self.checker.pid, signal.SIGKILL)

self.checker = None

__del__ = stop_checker

def fileno(self):

if self.checker is None:

return None

return self.checker.stdout.fileno()

def next_stop(self):

"""The time when something must be done about this client"""

return min(self.last_seen + self.timeout, self.next_check)

def still_valid(self, now=None):

"""Has this client's timeout not passed?"""

if now is None:

now = datetime.datetime.now()

return now < (self.last_seen + timeout)

def it_is_time_to_check(self, now=None):

if now is None:

now = datetime.datetime.now()

return self.next_check <= now

class server_metaclass(type):

"Common behavior for the UDP and TCP server classes"

def __new__(cls, name, bases, attrs):

attrs["address_family"] = socket.AF_INET6

attrs["allow_reuse_address"] = True

def server_bind(self):

if self.options.interface:

100

if not hasattr(socket, "SO_BINDTODEVICE"):

101

# From /usr/include/asm-i486/socket.h

102

socket.SO_BINDTODEVICE = 25

103

try:

104

self.socket.setsockopt(socket.SOL_SOCKET,

105

socket.SO_BINDTODEVICE,

106

self.options.interface)

107

except socket.error, error:

108

if error[0] == errno.EPERM:

109

print "Warning: No permission to bind to interface", \

110

self.options.interface

111

else:

112

raise error

113

return super(type(self), self).server_bind()

114

attrs["server_bind"] = server_bind

115

def init(self, *args, **kwargs):

116

if "options" in kwargs:

117

self.options = kwargs["options"]

118

del kwargs["options"]

119

if "clients" in kwargs:

120

self.clients = kwargs["clients"]

121

del kwargs["clients"]

122

if "credentials" in kwargs:

123

self.credentials = kwargs["credentials"]

124

del kwargs["credentials"]

125

return super(type(self), self).__init__(*args, **kwargs)

126

attrs["__init__"] = init

127

return type.__new__(cls, name, bases, attrs)

self.socket.setsockopt(socket.SOL_SOCKET,

socket.SO_BINDTODEVICE,

self.options.interface)

except socket.error, error:

if error[0] == errno.EPERM:

print "Warning: Denied permission to bind to interface", \

self.options.interface

else:

raise error

return super(type(self), self).server_bind()

def init_with_options(self, *args, **kwargs):

if "options" in kwargs:

self.options = kwargs["options"]

del kwargs["options"]

if "clients" in kwargs:

self.clients = kwargs["clients"]

del kwargs["clients"]

if "credentials" in kwargs:

self.credentials = kwargs["credentials"]

del kwargs["credentials"]

return super(type(self), self).__init__(*args, **kwargs)

128

129

130

class udp_handler(SocketServer.DatagramRequestHandler, object):

134

135

136

class IPv6_UDPServer(SocketServer.UDPServer, object):

137

__metaclass__ = server_metaclass

__init__ = init_with_options

address_family = socket.AF_INET6

allow_reuse_address = True

server_bind = server_bind

138

def verify_request(self, request, client_address):

139

print "UDP request came"

140

return request[0] == "Marco"

166

108

# Log maybe? XXX

167

109

session.bye()

168

110

169

170

111

class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):

171

__metaclass__ = server_metaclass

112

__init__ = init_with_options

113

address_family = socket.AF_INET6

114

allow_reuse_address = True

172

115

request_queue_size = 1024

116

server_bind = server_bind

173

117

174

118

175

119

in6addr_any = "::"

176

120

177

def string_to_delta(interval):

178

"""Parse a string and return a datetime.timedelta

179

180

>>> string_to_delta('7d')

181

datetime.timedelta(7)

182

>>> string_to_delta('60s')

183

datetime.timedelta(0, 60)

184

>>> string_to_delta('60m')

185

datetime.timedelta(0, 3600)

186

>>> string_to_delta('24h')

187

datetime.timedelta(1)

188

>>> string_to_delta(u'1w')

189

datetime.timedelta(7)

190

"""

191

try:

192

suffix=unicode(interval[-1])

193

value=int(interval[:-1])

194

if suffix == u"d":

195

delta = datetime.timedelta(value)

196

elif suffix == u"s":

197

delta = datetime.timedelta(0, value)

198

elif suffix == u"m":

199

delta = datetime.timedelta(0, 0, 0, 0, value)

200

elif suffix == u"h":

201

delta = datetime.timedelta(0, 0, 0, 0, 0, value)

202

elif suffix == u"w":

203

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

204

else:

205

raise ValueError

206

except (ValueError, IndexError):

207

raise ValueError

208

return delta

209

121

cred = None

210

122

211

123

def main():

212

124

parser = OptionParser()

232

144

parser.add_option("-t", "--timeout", type="string", # Parsed later

233

145

default="15m",

234

146

help="Amount of downtime allowed for clients")

235

parser.add_option("--interval", type="string", # Parsed later

236

default="5m",

237

help="How often to check that a client is up")

238

parser.add_option("--check", action="store_true", default=False,

239

help="Run self-test")

240

147

(options, args) = parser.parse_args()

241

242

if options.check:

243

import doctest

244

doctest.testmod()

245

sys.exit()

246

148

247

# Parse the time arguments

149

# Parse the time argument

248

150

try:

249

options.timeout = string_to_delta(options.timeout)

250

except ValueError:

151

suffix=options.timeout[-1]

152

value=int(options.timeout[:-1])

153

if suffix == "d":

154

options.timeout = datetime.timedelta(value)

155

elif suffix == "s":

156

options.timeout = datetime.timedelta(0, value)

157

elif suffix == "m":

158

options.timeout = datetime.timedelta(0, 0, 0, 0, value)

159

elif suffix == "h":

160

options.timeout = datetime.timedelta(0, 0, 0, 0, 0, value)

161

elif suffix == "w":

162

options.timeout = datetime.timedelta(0, 0, 0, 0, 0, 0,

163

value)

164

else:

165

raise ValueError

166

except (ValueError, IndexError):

251

167

parser.error("option --timeout: Unparseable time")

252

168

253

try:

254

options.interval = string_to_delta(options.interval)

255

except ValueError:

256

parser.error("option --interval: Unparseable time")

257

258

169

cert = gnutls.crypto.X509Certificate(open(options.cert).read())

259

170

key = gnutls.crypto.X509PrivateKey(open(options.key).read())

260

171

ca = gnutls.crypto.X509Certificate(open(options.ca).read())

265

176

defaults = {}

266

177

client_config_object = ConfigParser.SafeConfigParser(defaults)

267

178

client_config_object.read("mandos-clients.conf")

268

clients = [Client(name=section, options=options,

179

clients = [Client(name=section,

269

180

**(dict(client_config_object.items(section))))

270

181

for section in client_config_object.sections()]

271

182

280

191

credentials=cred)

281

192

282

193

while True:

283

try:

284

input, out, err = select.select((udp_server,

285

tcp_server), (), ())

286

if not input:

287

pass

288

else:

289

for obj in input:

290

obj.handle_request()

291

except KeyboardInterrupt:

292

break

293

294

# Cleanup here

295

for client in clients:

296

client.stop_checker()

194

in_, out, err = select.select((udp_server,

195

tcp_server), (), ())

196

for server in in_:

197

server.handle_request()

297

198

298

199

299

200

if __name__ == "__main__":

Older »