To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 302
- compare with another revision
- download diff
- download tarball
- view history from revision 302
- Committer: Teddy Hogeborn
- Date: 2009-02-07 04:50:39 UTC
- Revision ID: teddy@fukt.bsnet.se-20090207045039-xkr6b80vtqwqrq8l
* Makefile (install-client-nokey): Move "initramfs-tools-script" from
"/scripts/local-top/mandos" to
"/scripts/init-premount/mandos".
(uninstall-client): - '' -
* debian/mandos-client.dirs: - '' -
* initramfs-tools-script (PREREQ): Added "udev".
"/scripts/local-top/mandos" to
"/scripts/init-premount/mandos".
(uninstall-client): - '' -
* debian/mandos-client.dirs: - '' -
* initramfs-tools-script (PREREQ): Added "udev".
- files added:
- .bzr-builddeb
- debian
- debian/po
- plugins.d
- files removed:
- ca.pem
- files renamed:
- mandos-clients.conf => clients.conf
- server.py => mandos
- files modified:
- Makefile
added
removed
mandos
1
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
# Mandos server - give out binary blobs to connecting clients.
5
#
6
# This program is partly derived from an example program for an Avahi
7
# service publisher, downloaded from
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
#
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
19
# the Free Software Foundation, either version 3 of the License, or
20
# (at your option) any later version.
21
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
# GNU General Public License for more details.
26
#
27
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
#
2
33
3
from __future__ import division
34
from __future__ import division, with_statement, absolute_import
4
35
5
36
import SocketServer
6
37
import socket
7
import select
8
from optparse import OptionParser
38
import optparse
9
39
import datetime
10
40
import errno
11
41
import gnutls.crypto
21
51
import signal
22
52
from sets import Set
23
53
import subprocess
54
import atexit
55
import stat
56
import logging
57
import logging.handlers
58
import pwd
59
from contextlib import closing
24
60
25
61
import dbus
62
import dbus.service
26
63
import gobject
27
64
import avahi
28
65
from dbus.mainloop.glib import DBusGMainLoop
29
66
import ctypes
30
31
# This variable is used to optionally bind to a specified interface.
32
# It is a global variable to fit in with the other variables from the
33
# Avahi server example code.
34
serviceInterface = avahi.IF_UNSPEC
35
# From the Avahi server example code:
36
serviceName = "Mandos"
37
serviceType = "_mandos._tcp" # http://www.dns-sd.org/ServiceTypes.html
38
servicePort = None # Not known at startup
39
serviceTXT = [] # TXT record for the service
40
domain = "" # Domain to publish on, default to .local
41
host = "" # Host to publish records for, default to localhost
42
group = None #our entry group
43
rename_count = 12 # Counter so we only rename after collisions a
44
# sensible number of times
67
import ctypes.util
68
69
version = "1.0.5"
70
71
logger = logging.Logger('mandos')
72
syslogger = (logging.handlers.SysLogHandler
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
address = "/dev/log"))
75
syslogger.setFormatter(logging.Formatter
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
78
logger.addHandler(syslogger)
79
80
console = logging.StreamHandler()
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
83
logger.addHandler(console)
84
85
class AvahiError(Exception):
86
def __init__(self, value, *args, **kwargs):
87
self.value = value
88
super(AvahiError, self).__init__(value, *args, **kwargs)
89
def __unicode__(self):
90
return unicode(repr(self.value))
91
92
class AvahiServiceError(AvahiError):
93
pass
94
95
class AvahiGroupError(AvahiError):
96
pass
97
98
99
class AvahiService(object):
100
"""An Avahi (Zeroconf) service.
101
Attributes:
102
interface: integer; avahi.IF_UNSPEC or an interface index.
103
Used to optionally bind to the specified interface.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
106
See <http://www.dns-sd.org/ServiceTypes.html>
107
port: integer; what port to announce
108
TXT: list of strings; TXT record for the service
109
domain: string; Domain to publish on, default to .local if empty.
110
host: string; Host to publish records for, default is localhost
111
max_renames: integer; maximum number of renames
112
rename_count: integer; counter so we only rename after collisions
113
a sensible number of times
114
"""
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
servicetype = None, port = None, TXT = None,
117
domain = "", host = "", max_renames = 32768):
118
self.interface = interface
119
self.name = name
120
self.type = servicetype
121
self.port = port
122
self.TXT = TXT if TXT is not None else []
123
self.domain = domain
124
self.host = host
125
self.rename_count = 0
126
self.max_renames = max_renames
127
def rename(self):
128
"""Derived from the Avahi example code"""
129
if self.rename_count >= self.max_renames:
130
logger.critical(u"No suitable Zeroconf service name found"
131
u" after %i retries, exiting.",
132
self.rename_count)
133
raise AvahiServiceError(u"Too many renames")
134
self.name = server.GetAlternativeServiceName(self.name)
135
logger.info(u"Changing Zeroconf service name to %r ...",
136
str(self.name))
137
syslogger.setFormatter(logging.Formatter
138
('Mandos (%s): %%(levelname)s:'
139
' %%(message)s' % self.name))
140
self.remove()
141
self.add()
142
self.rename_count += 1
143
def remove(self):
144
"""Derived from the Avahi example code"""
145
if group is not None:
146
group.Reset()
147
def add(self):
148
"""Derived from the Avahi example code"""
149
global group
150
if group is None:
151
group = dbus.Interface(bus.get_object
152
(avahi.DBUS_NAME,
153
server.EntryGroupNew()),
154
avahi.DBUS_INTERFACE_ENTRY_GROUP)
155
group.connect_to_signal('StateChanged',
156
entry_group_state_changed)
157
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
158
service.name, service.type)
159
group.AddService(
160
self.interface, # interface
161
avahi.PROTO_INET6, # protocol
162
dbus.UInt32(0), # flags
163
self.name, self.type,
164
self.domain, self.host,
165
dbus.UInt16(self.port),
166
avahi.string_array_to_txt_array(self.TXT))
167
group.Commit()
168
169
# From the Avahi example code:
170
group = None # our entry group
45
171
# End of Avahi example code
46
172
47
173
48
class Client(object):
174
def _datetime_to_dbus(dt, variant_level=0):
175
"""Convert a UTC datetime.datetime() to a D-Bus type."""
176
return dbus.String(dt.isoformat(), variant_level=variant_level)
177
178
179
class Client(dbus.service.Object):
49
180
"""A representation of a client host served by this server.
50
181
Attributes:
51
name: string; from the config file, used in log messages
182
name: string; from the config file, used in log messages and
183
D-Bus identifiers
52
184
fingerprint: string (40 or 32 hexadecimal digits); used to
53
185
uniquely identify the client
54
secret: bytestring; sent verbatim (over TLS) to client
55
fqdn: string (FQDN); available for use by the checker command
56
created: datetime.datetime()
57
last_seen: datetime.datetime() or None if not yet seen
58
timeout: datetime.timedelta(); How long from last_seen until
59
this client is invalid
60
interval: datetime.timedelta(); How often to start a new checker
61
stop_hook: If set, called by stop() as stop_hook(self)
62
checker: subprocess.Popen(); a running checker process used
63
to see if the client lives.
64
Is None if no process is running.
186
secret: bytestring; sent verbatim (over TLS) to client
187
host: string; available for use by the checker command
188
created: datetime.datetime(); (UTC) object creation
189
last_enabled: datetime.datetime(); (UTC)
190
enabled: bool()
191
last_checked_ok: datetime.datetime(); (UTC) or None
192
timeout: datetime.timedelta(); How long from last_checked_ok
193
until this client is invalid
194
interval: datetime.timedelta(); How often to start a new checker
195
disable_hook: If set, called by disable() as disable_hook(self)
196
checker: subprocess.Popen(); a running checker process used
197
to see if the client lives.
198
'None' if no process is running.
65
199
checker_initiator_tag: a gobject event source tag, or None
66
stop_initiator_tag: - '' -
200
disable_initiator_tag: - '' -
67
201
checker_callback_tag: - '' -
68
202
checker_command: string; External command which is run to check if
69
client lives. %()s expansions are done at
203
client lives. %() expansions are done at
70
204
runtime with vars(self) as dict, so that for
71
205
instance %(name)s can be used in the command.
72
Private attibutes:
73
_timeout: Real variable for 'timeout'
74
_interval: Real variable for 'interval'
75
_timeout_milliseconds: Used by gobject.timeout_add()
76
_interval_milliseconds: - '' -
206
use_dbus: bool(); Whether to provide D-Bus interface and signals
207
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
77
208
"""
78
def _set_timeout(self, timeout):
79
"Setter function for 'timeout' attribute"
80
self._timeout = timeout
81
self._timeout_milliseconds = ((self.timeout.days
82
* 24 * 60 * 60 * 1000)
83
+ (self.timeout.seconds * 1000)
84
+ (self.timeout.microseconds
85
// 1000))
86
timeout = property(lambda self: self._timeout,
87
_set_timeout)
88
del _set_timeout
89
def _set_interval(self, interval):
90
"Setter function for 'interval' attribute"
91
self._interval = interval
92
self._interval_milliseconds = ((self.interval.days
93
* 24 * 60 * 60 * 1000)
94
+ (self.interval.seconds
95
* 1000)
96
+ (self.interval.microseconds
97
// 1000))
98
interval = property(lambda self: self._interval,
99
_set_interval)
100
del _set_interval
101
def __init__(self, name=None, options=None, stop_hook=None,
102
fingerprint=None, secret=None, secfile=None, fqdn=None,
103
timeout=None, interval=-1, checker=None):
209
def timeout_milliseconds(self):
210
"Return the 'timeout' attribute in milliseconds"
211
return ((self.timeout.days * 24 * 60 * 60 * 1000)
212
+ (self.timeout.seconds * 1000)
213
+ (self.timeout.microseconds // 1000))
214
215
def interval_milliseconds(self):
216
"Return the 'interval' attribute in milliseconds"
217
return ((self.interval.days * 24 * 60 * 60 * 1000)
218
+ (self.interval.seconds * 1000)
219
+ (self.interval.microseconds // 1000))
220
221
def __init__(self, name = None, disable_hook=None, config=None,
222
use_dbus=True):
223
"""Note: the 'checker' key in 'config' sets the
224
'checker_command' attribute and *not* the 'checker'
225
attribute."""
104
226
self.name = name
105
# Uppercase and remove spaces from fingerprint
106
# for later comparison purposes with return value of
107
# the fingerprint() function
108
self.fingerprint = fingerprint.upper().replace(u" ", u"")
109
if secret:
110
self.secret = secret.decode(u"base64")
111
elif secfile:
112
sf = open(secfile)
113
self.secret = sf.read()
114
sf.close()
115
else:
116
raise RuntimeError(u"No secret or secfile for client %s"
117
% self.name)
118
self.fqdn = fqdn # string
119
self.created = datetime.datetime.now()
120
self.last_seen = None
121
if timeout is None:
122
timeout = options.timeout
123
self.timeout = timeout
124
if interval == -1:
125
interval = options.interval
126
else:
127
interval = string_to_delta(interval)
128
self.interval = interval
129
self.stop_hook = stop_hook
227
if config is None:
228
config = {}
229
logger.debug(u"Creating client %r", self.name)
230
self.use_dbus = False # During __init__
231
# Uppercase and remove spaces from fingerprint for later
232
# comparison purposes with return value from the fingerprint()
233
# function
234
self.fingerprint = (config["fingerprint"].upper()
235
.replace(u" ", u""))
236
logger.debug(u" Fingerprint: %s", self.fingerprint)
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
240
with closing(open(os.path.expanduser
241
(os.path.expandvars
242
(config["secfile"])))) as secfile:
243
self.secret = secfile.read()
244
else:
245
raise TypeError(u"No secret or secfile for client %s"
246
% self.name)
247
self.host = config.get("host", "")
248
self.created = datetime.datetime.utcnow()
249
self.enabled = False
250
self.last_enabled = None
251
self.last_checked_ok = None
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
254
self.disable_hook = disable_hook
130
255
self.checker = None
131
256
self.checker_initiator_tag = None
132
self.stop_initiator_tag = None
257
self.disable_initiator_tag = None
133
258
self.checker_callback_tag = None
134
self.check_command = checker
135
def start(self):
136
"""Start this clients checker and timeout hooks"""
259
self.checker_command = config["checker"]
260
self.last_connect = None
261
# Only now, when this client is initialized, can it show up on
262
# the D-Bus
263
self.use_dbus = use_dbus
264
if self.use_dbus:
265
self.dbus_object_path = (dbus.ObjectPath
266
("/clients/"
267
+ self.name.replace(".", "_")))
268
dbus.service.Object.__init__(self, bus,
269
self.dbus_object_path)
270
271
def enable(self):
272
"""Start this client's checker and timeout hooks"""
273
self.last_enabled = datetime.datetime.utcnow()
137
274
# Schedule a new checker to be started an 'interval' from now,
138
275
# and every interval from then on.
139
self.checker_initiator_tag = gobject.timeout_add\
140
(self._interval_milliseconds,
141
self.start_checker)
276
self.checker_initiator_tag = (gobject.timeout_add
277
(self.interval_milliseconds(),
278
self.start_checker))
142
279
# Also start a new checker *right now*.
143
280
self.start_checker()
144
# Schedule a stop() when 'timeout' has passed
145
self.stop_initiator_tag = gobject.timeout_add\
146
(self._timeout_milliseconds,
147
self.stop)
148
def stop(self):
149
"""Stop this client.
150
The possibility that this client might be restarted is left
151
open, but not currently used."""
152
if debug:
153
sys.stderr.write(u"Stopping client %s\n" % self.name)
154
self.secret = None
155
if self.stop_initiator_tag:
156
gobject.source_remove(self.stop_initiator_tag)
157
self.stop_initiator_tag = None
158
if self.checker_initiator_tag:
281
# Schedule a disable() when 'timeout' has passed
282
self.disable_initiator_tag = (gobject.timeout_add
283
(self.timeout_milliseconds(),
284
self.disable))
285
self.enabled = True
286
if self.use_dbus:
287
# Emit D-Bus signals
288
self.PropertyChanged(dbus.String(u"enabled"),
289
dbus.Boolean(True, variant_level=1))
290
self.PropertyChanged(dbus.String(u"last_enabled"),
291
(_datetime_to_dbus(self.last_enabled,
292
variant_level=1)))
293
294
def disable(self):
295
"""Disable this client."""
296
if not getattr(self, "enabled", False):
297
return False
298
logger.info(u"Disabling client %s", self.name)
299
if getattr(self, "disable_initiator_tag", False):
300
gobject.source_remove(self.disable_initiator_tag)
301
self.disable_initiator_tag = None
302
if getattr(self, "checker_initiator_tag", False):
159
303
gobject.source_remove(self.checker_initiator_tag)
160
304
self.checker_initiator_tag = None
161
305
self.stop_checker()
162
if self.stop_hook:
163
self.stop_hook(self)
306
if self.disable_hook:
307
self.disable_hook(self)
308
self.enabled = False
309
if self.use_dbus:
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"enabled"),
312
dbus.Boolean(False, variant_level=1))
164
313
# Do not run this again if called by a gobject.timeout_add
165
314
return False
315
166
316
def __del__(self):
167
# Some code duplication here and in stop()
168
if hasattr(self, "stop_initiator_tag") \
169
and self.stop_initiator_tag:
170
gobject.source_remove(self.stop_initiator_tag)
171
self.stop_initiator_tag = None
172
if hasattr(self, "checker_initiator_tag") \
173
and self.checker_initiator_tag:
174
gobject.source_remove(self.checker_initiator_tag)
175
self.checker_initiator_tag = None
176
self.stop_checker()
177
def checker_callback(self, pid, condition):
317
self.disable_hook = None
318
self.disable()
319
320
def checker_callback(self, pid, condition, command):
178
321
"""The checker has completed, so take appropriate actions."""
179
now = datetime.datetime.now()
180
if os.WIFEXITED(condition) \
181
and (os.WEXITSTATUS(condition) == 0):
182
if debug:
183
sys.stderr.write(u"Checker for %(name)s succeeded\n"
184
% vars(self))
185
self.last_seen = now
186
gobject.source_remove(self.stop_initiator_tag)
187
self.stop_initiator_tag = gobject.timeout_add\
188
(self._timeout_milliseconds,
189
self.stop)
190
elif debug:
191
if not os.WIFEXITED(condition):
192
sys.stderr.write(u"Checker for %(name)s crashed?\n"
193
% vars(self))
322
self.checker_callback_tag = None
323
self.checker = None
324
if self.use_dbus:
325
# Emit D-Bus signal
326
self.PropertyChanged(dbus.String(u"checker_running"),
327
dbus.Boolean(False, variant_level=1))
328
if os.WIFEXITED(condition):
329
exitstatus = os.WEXITSTATUS(condition)
330
if exitstatus == 0:
331
logger.info(u"Checker for %(name)s succeeded",
332
vars(self))
333
self.checked_ok()
194
334
else:
195
sys.stderr.write(u"Checker for %(name)s failed\n"
196
% vars(self))
197
self.checker = None
198
self.checker_callback_tag = None
335
logger.info(u"Checker for %(name)s failed",
336
vars(self))
337
if self.use_dbus:
338
# Emit D-Bus signal
339
self.CheckerCompleted(dbus.Int16(exitstatus),
340
dbus.Int64(condition),
341
dbus.String(command))
342
else:
343
logger.warning(u"Checker for %(name)s crashed?",
344
vars(self))
345
if self.use_dbus:
346
# Emit D-Bus signal
347
self.CheckerCompleted(dbus.Int16(-1),
348
dbus.Int64(condition),
349
dbus.String(command))
350
351
def checked_ok(self):
352
"""Bump up the timeout for this client.
353
This should only be called when the client has been seen,
354
alive and well.
355
"""
356
self.last_checked_ok = datetime.datetime.utcnow()
357
gobject.source_remove(self.disable_initiator_tag)
358
self.disable_initiator_tag = (gobject.timeout_add
359
(self.timeout_milliseconds(),
360
self.disable))
361
if self.use_dbus:
362
# Emit D-Bus signal
363
self.PropertyChanged(
364
dbus.String(u"last_checked_ok"),
365
(_datetime_to_dbus(self.last_checked_ok,
366
variant_level=1)))
367
199
368
def start_checker(self):
200
369
"""Start a new checker subprocess if one is not running.
201
370
If a checker already exists, leave it running and do
202
371
nothing."""
372
# The reason for not killing a running checker is that if we
373
# did that, then if a checker (for some reason) started
374
# running slowly and taking more than 'interval' time, the
375
# client would inevitably timeout, since no checker would get
376
# a chance to run to completion. If we instead leave running
377
# checkers alone, the checker would have to take more time
378
# than 'timeout' for the client to be declared invalid, which
379
# is as it should be.
203
380
if self.checker is None:
204
if debug:
205
sys.stderr.write(u"Starting checker for %s\n"
206
% self.name)
207
381
try:
208
command = self.check_command % self.fqdn
382
# In case checker_command has exactly one % operator
383
command = self.checker_command % self.host
209
384
except TypeError:
385
# Escape attributes for the shell
210
386
escaped_attrs = dict((key, re.escape(str(val)))
211
387
for key, val in
212
388
vars(self).iteritems())
213
command = self.check_command % escaped_attrs
389
try:
390
command = self.checker_command % escaped_attrs
391
except TypeError, error:
392
logger.error(u'Could not format string "%s":'
393
u' %s', self.checker_command, error)
394
return True # Try again later
214
395
try:
215
self.checker = subprocess.\
216
Popen(command,
217
stdout=subprocess.PIPE,
218
close_fds=True, shell=True,
219
cwd="/")
220
self.checker_callback_tag = gobject.\
221
child_watch_add(self.checker.pid,
222
self.\
223
checker_callback)
224
except subprocess.OSError, error:
225
sys.stderr.write(u"Failed to start subprocess: %s\n"
226
% error)
396
logger.info(u"Starting checker %r for %s",
397
command, self.name)
398
# We don't need to redirect stdout and stderr, since
399
# in normal mode, that is already done by daemon(),
400
# and in debug mode we don't want to. (Stdin is
401
# always replaced by /dev/null.)
402
self.checker = subprocess.Popen(command,
403
close_fds=True,
404
shell=True, cwd="/")
405
if self.use_dbus:
406
# Emit D-Bus signal
407
self.CheckerStarted(command)
408
self.PropertyChanged(
409
dbus.String("checker_running"),
410
dbus.Boolean(True, variant_level=1))
411
self.checker_callback_tag = (gobject.child_watch_add
412
(self.checker.pid,
413
self.checker_callback,
414
data=command))
415
except OSError, error:
416
logger.error(u"Failed to start subprocess: %s",
417
error)
227
418
# Re-run this periodically if run by gobject.timeout_add
228
419
return True
420
229
421
def stop_checker(self):
230
422
"""Force the checker process, if any, to stop."""
231
if not hasattr(self, "checker") or self.checker is None:
423
if self.checker_callback_tag:
424
gobject.source_remove(self.checker_callback_tag)
425
self.checker_callback_tag = None
426
if getattr(self, "checker", None) is None:
232
427
return
233
gobject.source_remove(self.checker_callback_tag)
234
self.checker_callback_tag = None
235
os.kill(self.checker.pid, signal.SIGTERM)
236
if self.checker.poll() is None:
237
os.kill(self.checker.pid, signal.SIGKILL)
428
logger.debug(u"Stopping checker for %(name)s", vars(self))
429
try:
430
os.kill(self.checker.pid, signal.SIGTERM)
431
#os.sleep(0.5)
432
#if self.checker.poll() is None:
433
# os.kill(self.checker.pid, signal.SIGKILL)
434
except OSError, error:
435
if error.errno != errno.ESRCH: # No such process
436
raise
238
437
self.checker = None
239
def still_valid(self, now=None):
438
if self.use_dbus:
439
self.PropertyChanged(dbus.String(u"checker_running"),
440
dbus.Boolean(False, variant_level=1))
441
442
def still_valid(self):
240
443
"""Has the timeout not yet passed for this client?"""
241
if now is None:
242
now = datetime.datetime.now()
243
if self.last_seen is None:
444
if not getattr(self, "enabled", False):
445
return False
446
now = datetime.datetime.utcnow()
447
if self.last_checked_ok is None:
244
448
return now < (self.created + self.timeout)
245
449
else:
246
return now < (self.last_seen + self.timeout)
450
return now < (self.last_checked_ok + self.timeout)
451
452
## D-Bus methods & signals
453
_interface = u"se.bsnet.fukt.Mandos.Client"
454
455
# CheckedOK - method
456
CheckedOK = dbus.service.method(_interface)(checked_ok)
457
CheckedOK.__name__ = "CheckedOK"
458
459
# CheckerCompleted - signal
460
@dbus.service.signal(_interface, signature="nxs")
461
def CheckerCompleted(self, exitcode, waitstatus, command):
462
"D-Bus signal"
463
pass
464
465
# CheckerStarted - signal
466
@dbus.service.signal(_interface, signature="s")
467
def CheckerStarted(self, command):
468
"D-Bus signal"
469
pass
470
471
# GetAllProperties - method
472
@dbus.service.method(_interface, out_signature="a{sv}")
473
def GetAllProperties(self):
474
"D-Bus method"
475
return dbus.Dictionary({
476
dbus.String("name"):
477
dbus.String(self.name, variant_level=1),
478
dbus.String("fingerprint"):
479
dbus.String(self.fingerprint, variant_level=1),
480
dbus.String("host"):
481
dbus.String(self.host, variant_level=1),
482
dbus.String("created"):
483
_datetime_to_dbus(self.created, variant_level=1),
484
dbus.String("last_enabled"):
485
(_datetime_to_dbus(self.last_enabled,
486
variant_level=1)
487
if self.last_enabled is not None
488
else dbus.Boolean(False, variant_level=1)),
489
dbus.String("enabled"):
490
dbus.Boolean(self.enabled, variant_level=1),
491
dbus.String("last_checked_ok"):
492
(_datetime_to_dbus(self.last_checked_ok,
493
variant_level=1)
494
if self.last_checked_ok is not None
495
else dbus.Boolean (False, variant_level=1)),
496
dbus.String("timeout"):
497
dbus.UInt64(self.timeout_milliseconds(),
498
variant_level=1),
499
dbus.String("interval"):
500
dbus.UInt64(self.interval_milliseconds(),
501
variant_level=1),
502
dbus.String("checker"):
503
dbus.String(self.checker_command,
504
variant_level=1),
505
dbus.String("checker_running"):
506
dbus.Boolean(self.checker is not None,
507
variant_level=1),
508
dbus.String("object_path"):
509
dbus.ObjectPath(self.dbus_object_path,
510
variant_level=1)
511
}, signature="sv")
512
513
# IsStillValid - method
514
IsStillValid = (dbus.service.method(_interface, out_signature="b")
515
(still_valid))
516
IsStillValid.__name__ = "IsStillValid"
517
518
# PropertyChanged - signal
519
@dbus.service.signal(_interface, signature="sv")
520
def PropertyChanged(self, property, value):
521
"D-Bus signal"
522
pass
523
524
# SetChecker - method
525
@dbus.service.method(_interface, in_signature="s")
526
def SetChecker(self, checker):
527
"D-Bus setter method"
528
self.checker_command = checker
529
# Emit D-Bus signal
530
self.PropertyChanged(dbus.String(u"checker"),
531
dbus.String(self.checker_command,
532
variant_level=1))
533
534
# SetHost - method
535
@dbus.service.method(_interface, in_signature="s")
536
def SetHost(self, host):
537
"D-Bus setter method"
538
self.host = host
539
# Emit D-Bus signal
540
self.PropertyChanged(dbus.String(u"host"),
541
dbus.String(self.host, variant_level=1))
542
543
# SetInterval - method
544
@dbus.service.method(_interface, in_signature="t")
545
def SetInterval(self, milliseconds):
546
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
547
# Emit D-Bus signal
548
self.PropertyChanged(dbus.String(u"interval"),
549
(dbus.UInt64(self.interval_milliseconds(),
550
variant_level=1)))
551
552
# SetSecret - method
553
@dbus.service.method(_interface, in_signature="ay",
554
byte_arrays=True)
555
def SetSecret(self, secret):
556
"D-Bus setter method"
557
self.secret = str(secret)
558
559
# SetTimeout - method
560
@dbus.service.method(_interface, in_signature="t")
561
def SetTimeout(self, milliseconds):
562
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
563
# Emit D-Bus signal
564
self.PropertyChanged(dbus.String(u"timeout"),
565
(dbus.UInt64(self.timeout_milliseconds(),
566
variant_level=1)))
567
568
# Enable - method
569
Enable = dbus.service.method(_interface)(enable)
570
Enable.__name__ = "Enable"
571
572
# StartChecker - method
573
@dbus.service.method(_interface)
574
def StartChecker(self):
575
"D-Bus method"
576
self.start_checker()
577
578
# Disable - method
579
@dbus.service.method(_interface)
580
def Disable(self):
581
"D-Bus method"
582
self.disable()
583
584
# StopChecker - method
585
StopChecker = dbus.service.method(_interface)(stop_checker)
586
StopChecker.__name__ = "StopChecker"
587
588
del _interface
247
589
248
590
249
591
def peer_certificate(session):
592
"Return the peer's OpenPGP certificate as a bytestring"
250
593
# If not an OpenPGP certificate...
251
if gnutls.library.functions.gnutls_certificate_type_get\
252
(session._c_object) \
253
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
594
if (gnutls.library.functions
595
.gnutls_certificate_type_get(session._c_object)
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
254
597
# ...do the normal thing
255
598
return session.peer_certificate
256
list_size = ctypes.c_uint()
257
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
258
(session._c_object, ctypes.byref(list_size))
599
list_size = ctypes.c_uint(1)
600
cert_list = (gnutls.library.functions
601
.gnutls_certificate_get_peers
602
(session._c_object, ctypes.byref(list_size)))
603
if not bool(cert_list) and list_size.value != 0:
604
raise gnutls.errors.GNUTLSError("error getting peer"
605
" certificate")
259
606
if list_size.value == 0:
260
607
return None
261
608
cert = cert_list[0]
263
610
264
611
265
612
def fingerprint(openpgp):
613
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
614
# New GnuTLS "datum" with the OpenPGP public key
615
datum = (gnutls.library.types
616
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
617
ctypes.POINTER
618
(ctypes.c_ubyte)),
619
ctypes.c_uint(len(openpgp))))
266
620
# New empty GnuTLS certificate
267
621
crt = gnutls.library.types.gnutls_openpgp_crt_t()
268
gnutls.library.functions.gnutls_openpgp_crt_init\
269
(ctypes.byref(crt))
270
# New GnuTLS "datum" with the OpenPGP public key
271
datum = gnutls.library.types.gnutls_datum_t\
272
(ctypes.cast(ctypes.c_char_p(openpgp),
273
ctypes.POINTER(ctypes.c_ubyte)),
274
ctypes.c_uint(len(openpgp)))
622
(gnutls.library.functions
623
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
275
624
# Import the OpenPGP public key into the certificate
276
ret = gnutls.library.functions.gnutls_openpgp_crt_import\
277
(crt,
278
ctypes.byref(datum),
279
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
625
(gnutls.library.functions
626
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
627
gnutls.library.constants
628
.GNUTLS_OPENPGP_FMT_RAW))
629
# Verify the self signature in the key
630
crtverify = ctypes.c_uint()
631
(gnutls.library.functions
632
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
633
if crtverify.value != 0:
634
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
635
raise gnutls.errors.CertificateSecurityError("Verify failed")
280
636
# New buffer for the fingerprint
281
buffer = ctypes.create_string_buffer(20)
282
buffer_length = ctypes.c_size_t()
637
buf = ctypes.create_string_buffer(20)
638
buf_len = ctypes.c_size_t()
283
639
# Get the fingerprint from the certificate into the buffer
284
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
285
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
640
(gnutls.library.functions
641
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
642
ctypes.byref(buf_len)))
286
643
# Deinit the certificate
287
644
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
288
645
# Convert the buffer to a Python bytestring
289
fpr = ctypes.string_at(buffer, buffer_length.value)
646
fpr = ctypes.string_at(buf, buf_len.value)
290
647
# Convert the bytestring to hexadecimal notation
291
648
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
292
649
return hex_fpr
293
650
294
651
295
class tcp_handler(SocketServer.BaseRequestHandler, object):
652
class TCP_handler(SocketServer.BaseRequestHandler, object):
296
653
"""A TCP request handler class.
297
654
Instantiated by IPv6_TCPServer for each request to handle it.
298
655
Note: This will run in its own forked process."""
299
656
300
657
def handle(self):
301
if debug:
302
sys.stderr.write(u"TCP request came\n")
303
sys.stderr.write(u"Request: %s\n" % self.request)
304
sys.stderr.write(u"Client Address: %s\n"
305
% unicode(self.client_address))
306
sys.stderr.write(u"Server: %s\n" % self.server)
307
session = gnutls.connection.ClientSession(self.request,
308
gnutls.connection.\
309
X509Credentials())
658
logger.info(u"TCP connection from: %s",
659
unicode(self.client_address))
660
session = (gnutls.connection
661
.ClientSession(self.request,
662
gnutls.connection
663
.X509Credentials()))
664
665
line = self.request.makefile().readline()
666
logger.debug(u"Protocol version: %r", line)
667
try:
668
if int(line.strip().split()[0]) > 1:
669
raise RuntimeError
670
except (ValueError, IndexError, RuntimeError), error:
671
logger.error(u"Unknown protocol version: %s", error)
672
return
673
674
# Note: gnutls.connection.X509Credentials is really a generic
675
# GnuTLS certificate credentials object so long as no X.509
676
# keys are added to it. Therefore, we can use it here despite
677
# using OpenPGP certificates.
310
678
311
679
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
312
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
313
# "+DHE-DSS"))
314
priority = "SECURE256"
315
316
gnutls.library.functions.gnutls_priority_set_direct\
317
(session._c_object, priority, None);
680
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
681
# "+DHE-DSS"))
682
# Use a fallback default, since this MUST be set.
683
priority = self.server.settings.get("priority", "NORMAL")
684
(gnutls.library.functions
685
.gnutls_priority_set_direct(session._c_object,
686
priority, None))
318
687
319
688
try:
320
689
session.handshake()
321
690
except gnutls.errors.GNUTLSError, error:
322
if debug:
323
sys.stderr.write(u"Handshake failed: %s\n" % error)
691
logger.warning(u"Handshake failed: %s", error)
324
692
# Do not run session.bye() here: the session is not
325
693
# established. Just abandon the request.
326
694
return
695
logger.debug(u"Handshake succeeded")
327
696
try:
328
697
fpr = fingerprint(peer_certificate(session))
329
698
except (TypeError, gnutls.errors.GNUTLSError), error:
330
if debug:
331
sys.stderr.write(u"Bad certificate: %s\n" % error)
699
logger.warning(u"Bad certificate: %s", error)
332
700
session.bye()
333
701
return
334
if debug:
335
sys.stderr.write(u"Fingerprint: %s\n" % fpr)
336
client = None
337
for c in clients:
702
logger.debug(u"Fingerprint: %s", fpr)
703
704
for c in self.server.clients:
338
705
if c.fingerprint == fpr:
339
706
client = c
340
707
break
708
else:
709
logger.warning(u"Client not found for fingerprint: %s",
710
fpr)
711
session.bye()
712
return
341
713
# Have to check if client.still_valid(), since it is possible
342
714
# that the client timed out while establishing the GnuTLS
343
715
# session.
344
if (not client) or (not client.still_valid()):
345
if debug:
346
if client:
347
sys.stderr.write(u"Client %(name)s is invalid\n"
348
% vars(client))
349
else:
350
sys.stderr.write(u"Client not found for "
351
u"fingerprint: %s\n" % fpr)
716
if not client.still_valid():
717
logger.warning(u"Client %(name)s is invalid",
718
vars(client))
352
719
session.bye()
353
720
return
721
## This won't work here, since we're in a fork.
722
# client.checked_ok()
354
723
sent_size = 0
355
724
while sent_size < len(client.secret):
356
725
sent = session.send(client.secret[sent_size:])
357
if debug:
358
sys.stderr.write(u"Sent: %d, remaining: %d\n"
359
% (sent, len(client.secret)
360
- (sent_size + sent)))
726
logger.debug(u"Sent: %d, remaining: %d",
727
sent, len(client.secret)
728
- (sent_size + sent))
361
729
sent_size += sent
362
730
session.bye()
363
731
364
732
365
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
733
class IPv6_TCPServer(SocketServer.ForkingMixIn,
734
SocketServer.TCPServer, object):
366
735
"""IPv6 TCP server. Accepts 'None' as address and/or port.
367
736
Attributes:
368
options: Command line options
737
settings: Server settings
369
738
clients: Set() of Client objects
739
enabled: Boolean; whether this server is activated yet
370
740
"""
371
741
address_family = socket.AF_INET6
372
742
def __init__(self, *args, **kwargs):
373
if "options" in kwargs:
374
self.options = kwargs["options"]
375
del kwargs["options"]
743
if "settings" in kwargs:
744
self.settings = kwargs["settings"]
745
del kwargs["settings"]
376
746
if "clients" in kwargs:
377
747
self.clients = kwargs["clients"]
378
748
del kwargs["clients"]
379
return super(type(self), self).__init__(*args, **kwargs)
749
self.enabled = False
750
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
380
751
def server_bind(self):
381
752
"""This overrides the normal server_bind() function
382
753
to bind to an interface if one was specified, and also NOT to
383
754
bind to an address or port if they were not specified."""
384
if self.options.interface:
385
if not hasattr(socket, "SO_BINDTODEVICE"):
386
# From /usr/include/asm-i486/socket.h
387
socket.SO_BINDTODEVICE = 25
755
if self.settings["interface"]:
756
# 25 is from /usr/include/asm-i486/socket.h
757
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
388
758
try:
389
759
self.socket.setsockopt(socket.SOL_SOCKET,
390
socket.SO_BINDTODEVICE,
391
self.options.interface)
760
SO_BINDTODEVICE,
761
self.settings["interface"])
392
762
except socket.error, error:
393
763
if error[0] == errno.EPERM:
394
sys.stderr.write(u"Warning: No permission to" \
395
u" bind to interface %s\n"
396
% self.options.interface)
764
logger.error(u"No permission to"
765
u" bind to interface %s",
766
self.settings["interface"])
397
767
else:
398
raise error
768
raise
399
769
# Only bind(2) the socket if we really need to.
400
770
if self.server_address[0] or self.server_address[1]:
401
771
if not self.server_address[0]:
402
772
in6addr_any = "::"
403
773
self.server_address = (in6addr_any,
404
774
self.server_address[1])
405
elif self.server_address[1] is None:
775
elif not self.server_address[1]:
406
776
self.server_address = (self.server_address[0],
407
777
0)
408
return super(type(self), self).server_bind()
778
# if self.settings["interface"]:
779
# self.server_address = (self.server_address[0],
780
# 0, # port
781
# 0, # flowinfo
782
# if_nametoindex
783
# (self.settings
784
# ["interface"]))
785
return super(IPv6_TCPServer, self).server_bind()
786
def server_activate(self):
787
if self.enabled:
788
return super(IPv6_TCPServer, self).server_activate()
789
def enable(self):
790
self.enabled = True
409
791
410
792
411
793
def string_to_delta(interval):
412
794
"""Parse a string and return a datetime.timedelta
413
795
414
796
>>> string_to_delta('7d')
415
797
datetime.timedelta(7)
416
798
>>> string_to_delta('60s')
421
803
datetime.timedelta(1)
422
804
>>> string_to_delta(u'1w')
423
805
datetime.timedelta(7)
806
>>> string_to_delta('5m 30s')
807
datetime.timedelta(0, 330)
424
808
"""
425
try:
426
suffix=unicode(interval[-1])
427
value=int(interval[:-1])
428
if suffix == u"d":
429
delta = datetime.timedelta(value)
430
elif suffix == u"s":
431
delta = datetime.timedelta(0, value)
432
elif suffix == u"m":
433
delta = datetime.timedelta(0, 0, 0, 0, value)
434
elif suffix == u"h":
435
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
436
elif suffix == u"w":
437
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
438
else:
809
timevalue = datetime.timedelta(0)
810
for s in interval.split():
811
try:
812
suffix = unicode(s[-1])
813
value = int(s[:-1])
814
if suffix == u"d":
815
delta = datetime.timedelta(value)
816
elif suffix == u"s":
817
delta = datetime.timedelta(0, value)
818
elif suffix == u"m":
819
delta = datetime.timedelta(0, 0, 0, 0, value)
820
elif suffix == u"h":
821
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
822
elif suffix == u"w":
823
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
824
else:
825
raise ValueError
826
except (ValueError, IndexError):
439
827
raise ValueError
440
except (ValueError, IndexError):
441
raise ValueError
442
return delta
443
444
445
def add_service():
446
"""From the Avahi server example code"""
447
global group, serviceName, serviceType, servicePort, serviceTXT, \
448
domain, host
449
if group is None:
450
group = dbus.Interface(
451
bus.get_object( avahi.DBUS_NAME,
452
server.EntryGroupNew()),
453
avahi.DBUS_INTERFACE_ENTRY_GROUP)
454
group.connect_to_signal('StateChanged',
455
entry_group_state_changed)
456
if debug:
457
sys.stderr.write(u"Adding service '%s' of type '%s' ...\n"
458
% (serviceName, serviceType))
459
460
group.AddService(
461
serviceInterface, # interface
462
avahi.PROTO_INET6, # protocol
463
dbus.UInt32(0), # flags
464
serviceName, serviceType,
465
domain, host,
466
dbus.UInt16(servicePort),
467
avahi.string_array_to_txt_array(serviceTXT))
468
group.Commit()
469
470
471
def remove_service():
472
"""From the Avahi server example code"""
473
global group
474
475
if not group is None:
476
group.Reset()
828
timevalue += delta
829
return timevalue
477
830
478
831
479
832
def server_state_changed(state):
480
"""From the Avahi server example code"""
833
"""Derived from the Avahi example code"""
481
834
if state == avahi.SERVER_COLLISION:
482
sys.stderr.write(u"WARNING: Server name collision\n")
483
remove_service()
835
logger.error(u"Zeroconf server name collision")
836
service.remove()
484
837
elif state == avahi.SERVER_RUNNING:
485
add_service()
838
service.add()
486
839
487
840
488
841
def entry_group_state_changed(state, error):
489
"""From the Avahi server example code"""
490
global serviceName, server, rename_count
491
492
if debug:
493
sys.stderr.write(u"state change: %i\n" % state)
842
"""Derived from the Avahi example code"""
843
logger.debug(u"Avahi state change: %i", state)
494
844
495
845
if state == avahi.ENTRY_GROUP_ESTABLISHED:
496
if debug:
497
sys.stderr.write(u"Service established.\n")
846
logger.debug(u"Zeroconf service established.")
498
847
elif state == avahi.ENTRY_GROUP_COLLISION:
499
500
rename_count = rename_count - 1
501
if rename_count > 0:
502
name = server.GetAlternativeServiceName(name)
503
sys.stderr.write(u"WARNING: Service name collision, "
504
u"changing name to '%s' ...\n" % name)
505
remove_service()
506
add_service()
507
508
else:
509
sys.stderr.write(u"ERROR: No suitable service name found "
510
u"after %i retries, exiting.\n"
511
% n_rename)
512
main_loop.quit()
848
logger.warning(u"Zeroconf service name collision.")
849
service.rename()
513
850
elif state == avahi.ENTRY_GROUP_FAILURE:
514
sys.stderr.write(u"Error in group state changed %s\n"
515
% unicode(error))
516
main_loop.quit()
517
return
518
851
logger.critical(u"Avahi: Error in group state changed %s",
852
unicode(error))
853
raise AvahiGroupError(u"State changed: %s" % unicode(error))
519
854
520
855
def if_nametoindex(interface):
521
"""Call the C function if_nametoindex()"""
856
"""Call the C function if_nametoindex(), or equivalent"""
857
global if_nametoindex
522
858
try:
523
libc = ctypes.cdll.LoadLibrary("libc.so.6")
524
return libc.if_nametoindex(interface)
859
if_nametoindex = (ctypes.cdll.LoadLibrary
860
(ctypes.util.find_library("c"))
861
.if_nametoindex)
525
862
except (OSError, AttributeError):
526
863
if "struct" not in sys.modules:
527
864
import struct
528
865
if "fcntl" not in sys.modules:
529
866
import fcntl
530
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
531
s = socket.socket()
532
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
533
struct.pack("16s16x", interface))
534
s.close()
535
interface_index = struct.unpack("I", ifreq[16:20])[0]
536
return interface_index
537
538
539
if __name__ == '__main__':
540
parser = OptionParser()
867
def if_nametoindex(interface):
868
"Get an interface index the hard way, i.e. using fcntl()"
869
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
870
with closing(socket.socket()) as s:
871
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
872
struct.pack("16s16x", interface))
873
interface_index = struct.unpack("I", ifreq[16:20])[0]
874
return interface_index
875
return if_nametoindex(interface)
876
877
878
def daemon(nochdir = False, noclose = False):
879
"""See daemon(3). Standard BSD Unix function.
880
This should really exist as os.daemon, but it doesn't (yet)."""
881
if os.fork():
882
sys.exit()
883
os.setsid()
884
if not nochdir:
885
os.chdir("/")
886
if os.fork():
887
sys.exit()
888
if not noclose:
889
# Close all standard open file descriptors
890
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
891
if not stat.S_ISCHR(os.fstat(null).st_mode):
892
raise OSError(errno.ENODEV,
893
"/dev/null not a character device")
894
os.dup2(null, sys.stdin.fileno())
895
os.dup2(null, sys.stdout.fileno())
896
os.dup2(null, sys.stderr.fileno())
897
if null > 2:
898
os.close(null)
899
900
901
def main():
902
parser = optparse.OptionParser(version = "%%prog %s" % version)
541
903
parser.add_option("-i", "--interface", type="string",
542
default=None, metavar="IF",
543
help="Bind to interface IF")
544
parser.add_option("--cert", type="string", default="cert.pem",
545
metavar="FILE",
546
help="Public key certificate PEM file to use")
547
parser.add_option("--key", type="string", default="key.pem",
548
metavar="FILE",
549
help="Private key PEM file to use")
550
parser.add_option("--ca", type="string", default="ca.pem",
551
metavar="FILE",
552
help="Certificate Authority certificate PEM file to use")
553
parser.add_option("--crl", type="string", default="crl.pem",
554
metavar="FILE",
555
help="Certificate Revokation List PEM file to use")
556
parser.add_option("-p", "--port", type="int", default=None,
904
metavar="IF", help="Bind to interface IF")
905
parser.add_option("-a", "--address", type="string",
906
help="Address to listen for requests on")
907
parser.add_option("-p", "--port", type="int",
557
908
help="Port number to receive requests on")
558
parser.add_option("--timeout", type="string", # Parsed later
559
default="1h",
560
help="Amount of downtime allowed for clients")
561
parser.add_option("--interval", type="string", # Parsed later
562
default="5m",
563
help="How often to check that a client is up")
564
parser.add_option("--check", action="store_true", default=False,
909
parser.add_option("--check", action="store_true",
565
910
help="Run self-test")
566
parser.add_option("--debug", action="store_true", default=False,
567
help="Debug mode")
568
(options, args) = parser.parse_args()
911
parser.add_option("--debug", action="store_true",
912
help="Debug mode; run in foreground and log to"
913
" terminal")
914
parser.add_option("--priority", type="string", help="GnuTLS"
915
" priority string (see GnuTLS documentation)")
916
parser.add_option("--servicename", type="string", metavar="NAME",
917
help="Zeroconf service name")
918
parser.add_option("--configdir", type="string",
919
default="/etc/mandos", metavar="DIR",
920
help="Directory to search for configuration"
921
" files")
922
parser.add_option("--no-dbus", action="store_false",
923
dest="use_dbus",
924
help="Do not provide D-Bus system bus"
925
" interface")
926
options = parser.parse_args()[0]
569
927
570
928
if options.check:
571
929
import doctest
572
930
doctest.testmod()
573
931
sys.exit()
574
932
575
# Parse the time arguments
576
try:
577
options.timeout = string_to_delta(options.timeout)
578
except ValueError:
579
parser.error("option --timeout: Unparseable time")
580
try:
581
options.interval = string_to_delta(options.interval)
582
except ValueError:
583
parser.error("option --interval: Unparseable time")
584
585
# Parse config file
586
defaults = { "checker": "sleep 1; fping -q -- %%(fqdn)s" }
587
client_config = ConfigParser.SafeConfigParser(defaults)
588
#client_config.readfp(open("secrets.conf"), "secrets.conf")
589
client_config.read("mandos-clients.conf")
590
591
# From the Avahi server example code
933
# Default values for config file for server-global settings
934
server_defaults = { "interface": "",
935
"address": "",
936
"port": "",
937
"debug": "False",
938
"priority":
939
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
940
"servicename": "Mandos",
941
"use_dbus": "True",
942
}
943
944
# Parse config file for server-global settings
945
server_config = ConfigParser.SafeConfigParser(server_defaults)
946
del server_defaults
947
server_config.read(os.path.join(options.configdir, "mandos.conf"))
948
# Convert the SafeConfigParser object to a dict
949
server_settings = server_config.defaults()
950
# Use the appropriate methods on the non-string config options
951
server_settings["debug"] = server_config.getboolean("DEFAULT",
952
"debug")
953
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
954
"use_dbus")
955
if server_settings["port"]:
956
server_settings["port"] = server_config.getint("DEFAULT",
957
"port")
958
del server_config
959
960
# Override the settings from the config file with command line
961
# options, if set.
962
for option in ("interface", "address", "port", "debug",
963
"priority", "servicename", "configdir",
964
"use_dbus"):
965
value = getattr(options, option)
966
if value is not None:
967
server_settings[option] = value
968
del options
969
# Now we have our good server settings in "server_settings"
970
971
# For convenience
972
debug = server_settings["debug"]
973
use_dbus = server_settings["use_dbus"]
974
975
if not debug:
976
syslogger.setLevel(logging.WARNING)
977
console.setLevel(logging.WARNING)
978
979
if server_settings["servicename"] != "Mandos":
980
syslogger.setFormatter(logging.Formatter
981
('Mandos (%s): %%(levelname)s:'
982
' %%(message)s'
983
% server_settings["servicename"]))
984
985
# Parse config file with clients
986
client_defaults = { "timeout": "1h",
987
"interval": "5m",
988
"checker": "fping -q -- %%(host)s",
989
"host": "",
990
}
991
client_config = ConfigParser.SafeConfigParser(client_defaults)
992
client_config.read(os.path.join(server_settings["configdir"],
993
"clients.conf"))
994
995
clients = Set()
996
tcp_server = IPv6_TCPServer((server_settings["address"],
997
server_settings["port"]),
998
TCP_handler,
999
settings=server_settings,
1000
clients=clients)
1001
pidfilename = "/var/run/mandos.pid"
1002
try:
1003
pidfile = open(pidfilename, "w")
1004
except IOError:
1005
logger.error("Could not open file %r", pidfilename)
1006
1007
try:
1008
uid = pwd.getpwnam("_mandos").pw_uid
1009
gid = pwd.getpwnam("_mandos").pw_gid
1010
except KeyError:
1011
try:
1012
uid = pwd.getpwnam("mandos").pw_uid
1013
gid = pwd.getpwnam("mandos").pw_gid
1014
except KeyError:
1015
try:
1016
uid = pwd.getpwnam("nobody").pw_uid
1017
gid = pwd.getpwnam("nogroup").pw_gid
1018
except KeyError:
1019
uid = 65534
1020
gid = 65534
1021
try:
1022
os.setgid(gid)
1023
os.setuid(uid)
1024
except OSError, error:
1025
if error[0] != errno.EPERM:
1026
raise error
1027
1028
# Enable all possible GnuTLS debugging
1029
if debug:
1030
# "Use a log level over 10 to enable all debugging options."
1031
# - GnuTLS manual
1032
gnutls.library.functions.gnutls_global_set_log_level(11)
1033
1034
@gnutls.library.types.gnutls_log_func
1035
def debug_gnutls(level, string):
1036
logger.debug("GnuTLS: %s", string[:-1])
1037
1038
(gnutls.library.functions
1039
.gnutls_global_set_log_function(debug_gnutls))
1040
1041
global service
1042
service = AvahiService(name = server_settings["servicename"],
1043
servicetype = "_mandos._tcp", )
1044
if server_settings["interface"]:
1045
service.interface = (if_nametoindex
1046
(server_settings["interface"]))
1047
1048
global main_loop
1049
global bus
1050
global server
1051
# From the Avahi example code
592
1052
DBusGMainLoop(set_as_default=True )
593
1053
main_loop = gobject.MainLoop()
594
1054
bus = dbus.SystemBus()
595
server = dbus.Interface(
596
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
597
avahi.DBUS_INTERFACE_SERVER )
1055
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1056
avahi.DBUS_PATH_SERVER),
1057
avahi.DBUS_INTERFACE_SERVER)
598
1058
# End of Avahi example code
599
600
debug = options.debug
601
602
clients = Set()
603
def remove_from_clients(client):
604
clients.remove(client)
605
if not clients:
606
if debug:
607
sys.stderr.write(u"No clients left, exiting\n")
608
main_loop.quit()
609
610
clients.update(Set(Client(name=section, options=options,
611
stop_hook = remove_from_clients,
612
**(dict(client_config\
613
.items(section))))
1059
if use_dbus:
1060
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1061
1062
clients.update(Set(Client(name = section,
1063
config
1064
= dict(client_config.items(section)),
1065
use_dbus = use_dbus)
614
1066
for section in client_config.sections()))
1067
if not clients:
1068
logger.warning(u"No clients defined")
1069
1070
if debug:
1071
# Redirect stdin so all checkers get /dev/null
1072
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1073
os.dup2(null, sys.stdin.fileno())
1074
if null > 2:
1075
os.close(null)
1076
else:
1077
# No console logging
1078
logger.removeHandler(console)
1079
# Close all input and output, do double fork, etc.
1080
daemon()
1081
1082
try:
1083
pid = os.getpid()
1084
pidfile.write(str(pid) + "\n")
1085
pidfile.close()
1086
del pidfile
1087
except IOError:
1088
logger.error(u"Could not write to file %r with PID %d",
1089
pidfilename, pid)
1090
except NameError:
1091
# "pidfile" was never created
1092
pass
1093
del pidfilename
1094
1095
def cleanup():
1096
"Cleanup function; run on exit"
1097
global group
1098
# From the Avahi example code
1099
if not group is None:
1100
group.Free()
1101
group = None
1102
# End of Avahi example code
1103
1104
while clients:
1105
client = clients.pop()
1106
client.disable_hook = None
1107
client.disable()
1108
1109
atexit.register(cleanup)
1110
1111
if not debug:
1112
signal.signal(signal.SIGINT, signal.SIG_IGN)
1113
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1114
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1115
1116
if use_dbus:
1117
class MandosServer(dbus.service.Object):
1118
"""A D-Bus proxy object"""
1119
def __init__(self):
1120
dbus.service.Object.__init__(self, bus, "/")
1121
_interface = u"se.bsnet.fukt.Mandos"
1122
1123
@dbus.service.signal(_interface, signature="oa{sv}")
1124
def ClientAdded(self, objpath, properties):
1125
"D-Bus signal"
1126
pass
1127
1128
@dbus.service.signal(_interface, signature="os")
1129
def ClientRemoved(self, objpath, name):
1130
"D-Bus signal"
1131
pass
1132
1133
@dbus.service.method(_interface, out_signature="ao")
1134
def GetAllClients(self):
1135
"D-Bus method"
1136
return dbus.Array(c.dbus_object_path for c in clients)
1137
1138
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1139
def GetAllClientsWithProperties(self):
1140
"D-Bus method"
1141
return dbus.Dictionary(
1142
((c.dbus_object_path, c.GetAllProperties())
1143
for c in clients),
1144
signature="oa{sv}")
1145
1146
@dbus.service.method(_interface, in_signature="o")
1147
def RemoveClient(self, object_path):
1148
"D-Bus method"
1149
for c in clients:
1150
if c.dbus_object_path == object_path:
1151
clients.remove(c)
1152
# Don't signal anything except ClientRemoved
1153
c.use_dbus = False
1154
c.disable()
1155
# Emit D-Bus signal
1156
self.ClientRemoved(object_path, c.name)
1157
return
1158
raise KeyError
1159
1160
del _interface
1161
1162
mandos_server = MandosServer()
1163
615
1164
for client in clients:
616
client.start()
617
618
tcp_server = IPv6_TCPServer((None, options.port),
619
tcp_handler,
620
options=options,
621
clients=clients)
622
# Find out what random port we got
623
servicePort = tcp_server.socket.getsockname()[1]
624
if debug:
625
sys.stderr.write(u"Now listening on port %d\n" % servicePort)
626
627
if options.interface is not None:
628
serviceInterface = if_nametoindex(options.interface)
629
630
# From the Avahi server example code
631
server.connect_to_signal("StateChanged", server_state_changed)
632
server_state_changed(server.GetState())
633
# End of Avahi example code
634
635
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
636
lambda *args, **kwargs:
637
tcp_server.handle_request(*args[2:],
638
**kwargs) or True)
1165
if use_dbus:
1166
# Emit D-Bus signal
1167
mandos_server.ClientAdded(client.dbus_object_path,
1168
client.GetAllProperties())
1169
client.enable()
1170
1171
tcp_server.enable()
1172
tcp_server.server_activate()
1173
1174
# Find out what port we got
1175
service.port = tcp_server.socket.getsockname()[1]
1176
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1177
u" scope_id %d" % tcp_server.socket.getsockname())
1178
1179
#service.interface = tcp_server.socket.getsockname()[3]
1180
639
1181
try:
1182
# From the Avahi example code
1183
server.connect_to_signal("StateChanged", server_state_changed)
1184
try:
1185
server_state_changed(server.GetState())
1186
except dbus.exceptions.DBusException, error:
1187
logger.critical(u"DBusException: %s", error)
1188
sys.exit(1)
1189
# End of Avahi example code
1190
1191
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1192
lambda *args, **kwargs:
1193
(tcp_server.handle_request
1194
(*args[2:], **kwargs) or True))
1195
1196
logger.debug(u"Starting main loop")
640
1197
main_loop.run()
1198
except AvahiError, error:
1199
logger.critical(u"AvahiError: %s", error)
1200
sys.exit(1)
641
1201
except KeyboardInterrupt:
642
print
643
644
# Cleanup here
1202
if debug:
1203
print >> sys.stderr
1204
logger.debug("Server received KeyboardInterrupt")
1205
logger.debug("Server exiting")
645
1206
646
# From the Avahi server example code
647
if not group is None:
648
group.Free()
649
# End of Avahi example code
650
651
for client in clients:
652
client.stop_hook = None
653
client.stop()
1207
if __name__ == '__main__':
1208
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0