To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 302
- compare with another revision
- download diff
- download tarball
- view history from revision 302
- Committer: Teddy Hogeborn
- Date: 2009-02-07 04:50:39 UTC
- Revision ID: teddy@fukt.bsnet.se-20090207045039-xkr6b80vtqwqrq8l
* Makefile (install-client-nokey): Move "initramfs-tools-script" from
"/scripts/local-top/mandos" to
"/scripts/init-premount/mandos".
(uninstall-client): - '' -
* debian/mandos-client.dirs: - '' -
* initramfs-tools-script (PREREQ): Added "udev".
"/scripts/local-top/mandos" to
"/scripts/init-premount/mandos".
(uninstall-client): - '' -
* debian/mandos-client.dirs: - '' -
* initramfs-tools-script (PREREQ): Added "udev".
- files removed:
- dbus-mandos.conf
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
55
56
import logging
56
57
import logging.handlers
57
58
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
59
from contextlib import closing
63
60
64
61
import dbus
65
62
import dbus.service
68
65
from dbus.mainloop.glib import DBusGMainLoop
69
66
import ctypes
70
67
import ctypes.util
71
import xml.dom.minidom
72
import inspect
73
74
try:
75
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
76
except AttributeError:
77
try:
78
from IN import SO_BINDTODEVICE
79
except ImportError:
80
SO_BINDTODEVICE = None
81
82
83
version = "1.0.14"
84
85
logger = logging.Logger(u'mandos')
68
69
version = "1.0.5"
70
71
logger = logging.Logger('mandos')
86
72
syslogger = (logging.handlers.SysLogHandler
87
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
88
74
address = "/dev/log"))
89
75
syslogger.setFormatter(logging.Formatter
90
(u'Mandos [%(process)d]: %(levelname)s:'
91
u' %(message)s'))
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
92
78
logger.addHandler(syslogger)
93
79
94
80
console = logging.StreamHandler()
95
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
96
u' %(levelname)s:'
97
u' %(message)s'))
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
98
83
logger.addHandler(console)
99
84
100
85
class AvahiError(Exception):
113
98
114
99
class AvahiService(object):
115
100
"""An Avahi (Zeroconf) service.
116
117
101
Attributes:
118
102
interface: integer; avahi.IF_UNSPEC or an interface index.
119
103
Used to optionally bind to the specified interface.
120
name: string; Example: u'Mandos'
121
type: string; Example: u'_mandos._tcp'.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
122
106
See <http://www.dns-sd.org/ServiceTypes.html>
123
107
port: integer; what port to announce
124
108
TXT: list of strings; TXT record for the service
127
111
max_renames: integer; maximum number of renames
128
112
rename_count: integer; counter so we only rename after collisions
129
113
a sensible number of times
130
group: D-Bus Entry Group
131
server: D-Bus Server
132
bus: dbus.SystemBus()
133
114
"""
134
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
135
116
servicetype = None, port = None, TXT = None,
136
domain = u"", host = u"", max_renames = 32768,
137
protocol = avahi.PROTO_UNSPEC, bus = None):
117
domain = "", host = "", max_renames = 32768):
138
118
self.interface = interface
139
119
self.name = name
140
120
self.type = servicetype
144
124
self.host = host
145
125
self.rename_count = 0
146
126
self.max_renames = max_renames
147
self.protocol = protocol
148
self.group = None # our entry group
149
self.server = None
150
self.bus = bus
151
127
def rename(self):
152
128
"""Derived from the Avahi example code"""
153
129
if self.rename_count >= self.max_renames:
155
131
u" after %i retries, exiting.",
156
132
self.rename_count)
157
133
raise AvahiServiceError(u"Too many renames")
158
self.name = self.server.GetAlternativeServiceName(self.name)
134
self.name = server.GetAlternativeServiceName(self.name)
159
135
logger.info(u"Changing Zeroconf service name to %r ...",
160
unicode(self.name))
136
str(self.name))
161
137
syslogger.setFormatter(logging.Formatter
162
(u'Mandos (%s) [%%(process)d]:'
163
u' %%(levelname)s: %%(message)s'
164
% self.name))
138
('Mandos (%s): %%(levelname)s:'
139
' %%(message)s' % self.name))
165
140
self.remove()
166
141
self.add()
167
142
self.rename_count += 1
168
143
def remove(self):
169
144
"""Derived from the Avahi example code"""
170
if self.group is not None:
171
self.group.Reset()
145
if group is not None:
146
group.Reset()
172
147
def add(self):
173
148
"""Derived from the Avahi example code"""
174
if self.group is None:
175
self.group = dbus.Interface(
176
self.bus.get_object(avahi.DBUS_NAME,
177
self.server.EntryGroupNew()),
178
avahi.DBUS_INTERFACE_ENTRY_GROUP)
179
self.group.connect_to_signal('StateChanged',
180
self
181
.entry_group_state_changed)
149
global group
150
if group is None:
151
group = dbus.Interface(bus.get_object
152
(avahi.DBUS_NAME,
153
server.EntryGroupNew()),
154
avahi.DBUS_INTERFACE_ENTRY_GROUP)
155
group.connect_to_signal('StateChanged',
156
entry_group_state_changed)
182
157
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
183
self.name, self.type)
184
self.group.AddService(
185
self.interface,
186
self.protocol,
187
dbus.UInt32(0), # flags
188
self.name, self.type,
189
self.domain, self.host,
190
dbus.UInt16(self.port),
191
avahi.string_array_to_txt_array(self.TXT))
192
self.group.Commit()
193
def entry_group_state_changed(self, state, error):
194
"""Derived from the Avahi example code"""
195
logger.debug(u"Avahi state change: %i", state)
196
197
if state == avahi.ENTRY_GROUP_ESTABLISHED:
198
logger.debug(u"Zeroconf service established.")
199
elif state == avahi.ENTRY_GROUP_COLLISION:
200
logger.warning(u"Zeroconf service name collision.")
201
self.rename()
202
elif state == avahi.ENTRY_GROUP_FAILURE:
203
logger.critical(u"Avahi: Error in group state changed %s",
204
unicode(error))
205
raise AvahiGroupError(u"State changed: %s"
206
% unicode(error))
207
def cleanup(self):
208
"""Derived from the Avahi example code"""
209
if self.group is not None:
210
self.group.Free()
211
self.group = None
212
def server_state_changed(self, state):
213
"""Derived from the Avahi example code"""
214
if state == avahi.SERVER_COLLISION:
215
logger.error(u"Zeroconf server name collision")
216
self.remove()
217
elif state == avahi.SERVER_RUNNING:
218
self.add()
219
def activate(self):
220
"""Derived from the Avahi example code"""
221
if self.server is None:
222
self.server = dbus.Interface(
223
self.bus.get_object(avahi.DBUS_NAME,
224
avahi.DBUS_PATH_SERVER),
225
avahi.DBUS_INTERFACE_SERVER)
226
self.server.connect_to_signal(u"StateChanged",
227
self.server_state_changed)
228
self.server_state_changed(self.server.GetState())
229
230
231
class Client(object):
158
service.name, service.type)
159
group.AddService(
160
self.interface, # interface
161
avahi.PROTO_INET6, # protocol
162
dbus.UInt32(0), # flags
163
self.name, self.type,
164
self.domain, self.host,
165
dbus.UInt16(self.port),
166
avahi.string_array_to_txt_array(self.TXT))
167
group.Commit()
168
169
# From the Avahi example code:
170
group = None # our entry group
171
# End of Avahi example code
172
173
174
def _datetime_to_dbus(dt, variant_level=0):
175
"""Convert a UTC datetime.datetime() to a D-Bus type."""
176
return dbus.String(dt.isoformat(), variant_level=variant_level)
177
178
179
class Client(dbus.service.Object):
232
180
"""A representation of a client host served by this server.
233
234
181
Attributes:
235
182
name: string; from the config file, used in log messages and
236
183
D-Bus identifiers
243
190
enabled: bool()
244
191
last_checked_ok: datetime.datetime(); (UTC) or None
245
192
timeout: datetime.timedelta(); How long from last_checked_ok
246
until this client is disabled
193
until this client is invalid
247
194
interval: datetime.timedelta(); How often to start a new checker
248
195
disable_hook: If set, called by disable() as disable_hook(self)
249
196
checker: subprocess.Popen(); a running checker process used
250
197
to see if the client lives.
251
198
'None' if no process is running.
252
199
checker_initiator_tag: a gobject event source tag, or None
253
disable_initiator_tag: - '' -
200
disable_initiator_tag: - '' -
254
201
checker_callback_tag: - '' -
255
202
checker_command: string; External command which is run to check if
256
203
client lives. %() expansions are done at
257
204
runtime with vars(self) as dict, so that for
258
205
instance %(name)s can be used in the command.
259
current_checker_command: string; current running checker_command
206
use_dbus: bool(); Whether to provide D-Bus interface and signals
207
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
260
208
"""
261
262
@staticmethod
263
def _timedelta_to_milliseconds(td):
264
"Convert a datetime.timedelta() to milliseconds"
265
return ((td.days * 24 * 60 * 60 * 1000)
266
+ (td.seconds * 1000)
267
+ (td.microseconds // 1000))
268
269
209
def timeout_milliseconds(self):
270
210
"Return the 'timeout' attribute in milliseconds"
271
return self._timedelta_to_milliseconds(self.timeout)
211
return ((self.timeout.days * 24 * 60 * 60 * 1000)
212
+ (self.timeout.seconds * 1000)
213
+ (self.timeout.microseconds // 1000))
272
214
273
215
def interval_milliseconds(self):
274
216
"Return the 'interval' attribute in milliseconds"
275
return self._timedelta_to_milliseconds(self.interval)
217
return ((self.interval.days * 24 * 60 * 60 * 1000)
218
+ (self.interval.seconds * 1000)
219
+ (self.interval.microseconds // 1000))
276
220
277
def __init__(self, name = None, disable_hook=None, config=None):
221
def __init__(self, name = None, disable_hook=None, config=None,
222
use_dbus=True):
278
223
"""Note: the 'checker' key in 'config' sets the
279
224
'checker_command' attribute and *not* the 'checker'
280
225
attribute."""
282
227
if config is None:
283
228
config = {}
284
229
logger.debug(u"Creating client %r", self.name)
230
self.use_dbus = False # During __init__
285
231
# Uppercase and remove spaces from fingerprint for later
286
232
# comparison purposes with return value from the fingerprint()
287
233
# function
288
self.fingerprint = (config[u"fingerprint"].upper()
234
self.fingerprint = (config["fingerprint"].upper()
289
235
.replace(u" ", u""))
290
236
logger.debug(u" Fingerprint: %s", self.fingerprint)
291
if u"secret" in config:
292
self.secret = config[u"secret"].decode(u"base64")
293
elif u"secfile" in config:
294
with open(os.path.expanduser(os.path.expandvars
295
(config[u"secfile"])),
296
"rb") as secfile:
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
240
with closing(open(os.path.expanduser
241
(os.path.expandvars
242
(config["secfile"])))) as secfile:
297
243
self.secret = secfile.read()
298
244
else:
299
245
raise TypeError(u"No secret or secfile for client %s"
300
246
% self.name)
301
self.host = config.get(u"host", u"")
247
self.host = config.get("host", "")
302
248
self.created = datetime.datetime.utcnow()
303
249
self.enabled = False
304
250
self.last_enabled = None
305
251
self.last_checked_ok = None
306
self.timeout = string_to_delta(config[u"timeout"])
307
self.interval = string_to_delta(config[u"interval"])
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
308
254
self.disable_hook = disable_hook
309
255
self.checker = None
310
256
self.checker_initiator_tag = None
311
257
self.disable_initiator_tag = None
312
258
self.checker_callback_tag = None
313
self.checker_command = config[u"checker"]
314
self.current_checker_command = None
259
self.checker_command = config["checker"]
315
260
self.last_connect = None
261
# Only now, when this client is initialized, can it show up on
262
# the D-Bus
263
self.use_dbus = use_dbus
264
if self.use_dbus:
265
self.dbus_object_path = (dbus.ObjectPath
266
("/clients/"
267
+ self.name.replace(".", "_")))
268
dbus.service.Object.__init__(self, bus,
269
self.dbus_object_path)
316
270
317
271
def enable(self):
318
272
"""Start this client's checker and timeout hooks"""
319
if getattr(self, u"enabled", False):
320
# Already enabled
321
return
322
273
self.last_enabled = datetime.datetime.utcnow()
323
274
# Schedule a new checker to be started an 'interval' from now,
324
275
# and every interval from then on.
325
276
self.checker_initiator_tag = (gobject.timeout_add
326
277
(self.interval_milliseconds(),
327
278
self.start_checker))
279
# Also start a new checker *right now*.
280
self.start_checker()
328
281
# Schedule a disable() when 'timeout' has passed
329
282
self.disable_initiator_tag = (gobject.timeout_add
330
283
(self.timeout_milliseconds(),
331
284
self.disable))
332
285
self.enabled = True
333
# Also start a new checker *right now*.
334
self.start_checker()
286
if self.use_dbus:
287
# Emit D-Bus signals
288
self.PropertyChanged(dbus.String(u"enabled"),
289
dbus.Boolean(True, variant_level=1))
290
self.PropertyChanged(dbus.String(u"last_enabled"),
291
(_datetime_to_dbus(self.last_enabled,
292
variant_level=1)))
335
293
336
def disable(self, quiet=True):
294
def disable(self):
337
295
"""Disable this client."""
338
296
if not getattr(self, "enabled", False):
339
297
return False
340
if not quiet:
341
logger.info(u"Disabling client %s", self.name)
342
if getattr(self, u"disable_initiator_tag", False):
298
logger.info(u"Disabling client %s", self.name)
299
if getattr(self, "disable_initiator_tag", False):
343
300
gobject.source_remove(self.disable_initiator_tag)
344
301
self.disable_initiator_tag = None
345
if getattr(self, u"checker_initiator_tag", False):
302
if getattr(self, "checker_initiator_tag", False):
346
303
gobject.source_remove(self.checker_initiator_tag)
347
304
self.checker_initiator_tag = None
348
305
self.stop_checker()
349
306
if self.disable_hook:
350
307
self.disable_hook(self)
351
308
self.enabled = False
309
if self.use_dbus:
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"enabled"),
312
dbus.Boolean(False, variant_level=1))
352
313
# Do not run this again if called by a gobject.timeout_add
353
314
return False
354
315
360
321
"""The checker has completed, so take appropriate actions."""
361
322
self.checker_callback_tag = None
362
323
self.checker = None
324
if self.use_dbus:
325
# Emit D-Bus signal
326
self.PropertyChanged(dbus.String(u"checker_running"),
327
dbus.Boolean(False, variant_level=1))
363
328
if os.WIFEXITED(condition):
364
329
exitstatus = os.WEXITSTATUS(condition)
365
330
if exitstatus == 0:
369
334
else:
370
335
logger.info(u"Checker for %(name)s failed",
371
336
vars(self))
337
if self.use_dbus:
338
# Emit D-Bus signal
339
self.CheckerCompleted(dbus.Int16(exitstatus),
340
dbus.Int64(condition),
341
dbus.String(command))
372
342
else:
373
343
logger.warning(u"Checker for %(name)s crashed?",
374
344
vars(self))
345
if self.use_dbus:
346
# Emit D-Bus signal
347
self.CheckerCompleted(dbus.Int16(-1),
348
dbus.Int64(condition),
349
dbus.String(command))
375
350
376
351
def checked_ok(self):
377
352
"""Bump up the timeout for this client.
378
379
353
This should only be called when the client has been seen,
380
354
alive and well.
381
355
"""
384
358
self.disable_initiator_tag = (gobject.timeout_add
385
359
(self.timeout_milliseconds(),
386
360
self.disable))
361
if self.use_dbus:
362
# Emit D-Bus signal
363
self.PropertyChanged(
364
dbus.String(u"last_checked_ok"),
365
(_datetime_to_dbus(self.last_checked_ok,
366
variant_level=1)))
387
367
388
368
def start_checker(self):
389
369
"""Start a new checker subprocess if one is not running.
390
391
370
If a checker already exists, leave it running and do
392
371
nothing."""
393
372
# The reason for not killing a running checker is that if we
396
375
# client would inevitably timeout, since no checker would get
397
376
# a chance to run to completion. If we instead leave running
398
377
# checkers alone, the checker would have to take more time
399
# than 'timeout' for the client to be disabled, which is as it
400
# should be.
401
402
# If a checker exists, make sure it is not a zombie
403
try:
404
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
405
except (AttributeError, OSError), error:
406
if (isinstance(error, OSError)
407
and error.errno != errno.ECHILD):
408
raise error
409
else:
410
if pid:
411
logger.warning(u"Checker was a zombie")
412
gobject.source_remove(self.checker_callback_tag)
413
self.checker_callback(pid, status,
414
self.current_checker_command)
415
# Start a new checker if needed
378
# than 'timeout' for the client to be declared invalid, which
379
# is as it should be.
416
380
if self.checker is None:
417
381
try:
418
382
# In case checker_command has exactly one % operator
419
383
command = self.checker_command % self.host
420
384
except TypeError:
421
385
# Escape attributes for the shell
422
escaped_attrs = dict((key,
423
re.escape(unicode(str(val),
424
errors=
425
u'replace')))
386
escaped_attrs = dict((key, re.escape(str(val)))
426
387
for key, val in
427
388
vars(self).iteritems())
428
389
try:
431
392
logger.error(u'Could not format string "%s":'
432
393
u' %s', self.checker_command, error)
433
394
return True # Try again later
434
self.current_checker_command = command
435
395
try:
436
396
logger.info(u"Starting checker %r for %s",
437
397
command, self.name)
441
401
# always replaced by /dev/null.)
442
402
self.checker = subprocess.Popen(command,
443
403
close_fds=True,
444
shell=True, cwd=u"/")
404
shell=True, cwd="/")
405
if self.use_dbus:
406
# Emit D-Bus signal
407
self.CheckerStarted(command)
408
self.PropertyChanged(
409
dbus.String("checker_running"),
410
dbus.Boolean(True, variant_level=1))
445
411
self.checker_callback_tag = (gobject.child_watch_add
446
412
(self.checker.pid,
447
413
self.checker_callback,
448
414
data=command))
449
# The checker may have completed before the gobject
450
# watch was added. Check for this.
451
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
452
if pid:
453
gobject.source_remove(self.checker_callback_tag)
454
self.checker_callback(pid, status, command)
455
415
except OSError, error:
456
416
logger.error(u"Failed to start subprocess: %s",
457
417
error)
463
423
if self.checker_callback_tag:
464
424
gobject.source_remove(self.checker_callback_tag)
465
425
self.checker_callback_tag = None
466
if getattr(self, u"checker", None) is None:
426
if getattr(self, "checker", None) is None:
467
427
return
468
428
logger.debug(u"Stopping checker for %(name)s", vars(self))
469
429
try:
470
430
os.kill(self.checker.pid, signal.SIGTERM)
471
#time.sleep(0.5)
431
#os.sleep(0.5)
472
432
#if self.checker.poll() is None:
473
433
# os.kill(self.checker.pid, signal.SIGKILL)
474
434
except OSError, error:
475
435
if error.errno != errno.ESRCH: # No such process
476
436
raise
477
437
self.checker = None
478
479
480
def dbus_service_property(dbus_interface, signature=u"v",
481
access=u"readwrite", byte_arrays=False):
482
"""Decorators for marking methods of a DBusObjectWithProperties to
483
become properties on the D-Bus.
484
485
The decorated method will be called with no arguments by "Get"
486
and with one argument by "Set".
487
488
The parameters, where they are supported, are the same as
489
dbus.service.method, except there is only "signature", since the
490
type from Get() and the type sent to Set() is the same.
491
"""
492
# Encoding deeply encoded byte arrays is not supported yet by the
493
# "Set" method, so we fail early here:
494
if byte_arrays and signature != u"ay":
495
raise ValueError(u"Byte arrays not supported for non-'ay'"
496
u" signature %r" % signature)
497
def decorator(func):
498
func._dbus_is_property = True
499
func._dbus_interface = dbus_interface
500
func._dbus_signature = signature
501
func._dbus_access = access
502
func._dbus_name = func.__name__
503
if func._dbus_name.endswith(u"_dbus_property"):
504
func._dbus_name = func._dbus_name[:-14]
505
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
506
return func
507
return decorator
508
509
510
class DBusPropertyException(dbus.exceptions.DBusException):
511
"""A base class for D-Bus property-related exceptions
512
"""
513
def __unicode__(self):
514
return unicode(str(self))
515
516
517
class DBusPropertyAccessException(DBusPropertyException):
518
"""A property's access permissions disallows an operation.
519
"""
520
pass
521
522
523
class DBusPropertyNotFound(DBusPropertyException):
524
"""An attempt was made to access a non-existing property.
525
"""
526
pass
527
528
529
class DBusObjectWithProperties(dbus.service.Object):
530
"""A D-Bus object with properties.
531
532
Classes inheriting from this can use the dbus_service_property
533
decorator to expose methods as D-Bus properties. It exposes the
534
standard Get(), Set(), and GetAll() methods on the D-Bus.
535
"""
536
537
@staticmethod
538
def _is_dbus_property(obj):
539
return getattr(obj, u"_dbus_is_property", False)
540
541
def _get_all_dbus_properties(self):
542
"""Returns a generator of (name, attribute) pairs
543
"""
544
return ((prop._dbus_name, prop)
545
for name, prop in
546
inspect.getmembers(self, self._is_dbus_property))
547
548
def _get_dbus_property(self, interface_name, property_name):
549
"""Returns a bound method if one exists which is a D-Bus
550
property with the specified name and interface.
551
"""
552
for name in (property_name,
553
property_name + u"_dbus_property"):
554
prop = getattr(self, name, None)
555
if (prop is None
556
or not self._is_dbus_property(prop)
557
or prop._dbus_name != property_name
558
or (interface_name and prop._dbus_interface
559
and interface_name != prop._dbus_interface)):
560
continue
561
return prop
562
# No such property
563
raise DBusPropertyNotFound(self.dbus_object_path + u":"
564
+ interface_name + u"."
565
+ property_name)
566
567
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
568
out_signature=u"v")
569
def Get(self, interface_name, property_name):
570
"""Standard D-Bus property Get() method, see D-Bus standard.
571
"""
572
prop = self._get_dbus_property(interface_name, property_name)
573
if prop._dbus_access == u"write":
574
raise DBusPropertyAccessException(property_name)
575
value = prop()
576
if not hasattr(value, u"variant_level"):
577
return value
578
return type(value)(value, variant_level=value.variant_level+1)
579
580
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
581
def Set(self, interface_name, property_name, value):
582
"""Standard D-Bus property Set() method, see D-Bus standard.
583
"""
584
prop = self._get_dbus_property(interface_name, property_name)
585
if prop._dbus_access == u"read":
586
raise DBusPropertyAccessException(property_name)
587
if prop._dbus_get_args_options[u"byte_arrays"]:
588
# The byte_arrays option is not supported yet on
589
# signatures other than "ay".
590
if prop._dbus_signature != u"ay":
591
raise ValueError
592
value = dbus.ByteArray(''.join(unichr(byte)
593
for byte in value))
594
prop(value)
595
596
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
597
out_signature=u"a{sv}")
598
def GetAll(self, interface_name):
599
"""Standard D-Bus property GetAll() method, see D-Bus
600
standard.
601
602
Note: Will not include properties with access="write".
603
"""
604
all = {}
605
for name, prop in self._get_all_dbus_properties():
606
if (interface_name
607
and interface_name != prop._dbus_interface):
608
# Interface non-empty but did not match
609
continue
610
# Ignore write-only properties
611
if prop._dbus_access == u"write":
612
continue
613
value = prop()
614
if not hasattr(value, u"variant_level"):
615
all[name] = value
616
continue
617
all[name] = type(value)(value, variant_level=
618
value.variant_level+1)
619
return dbus.Dictionary(all, signature=u"sv")
620
621
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
622
out_signature=u"s",
623
path_keyword='object_path',
624
connection_keyword='connection')
625
def Introspect(self, object_path, connection):
626
"""Standard D-Bus method, overloaded to insert property tags.
627
"""
628
xmlstring = dbus.service.Object.Introspect(self, object_path,
629
connection)
630
try:
631
document = xml.dom.minidom.parseString(xmlstring)
632
def make_tag(document, name, prop):
633
e = document.createElement(u"property")
634
e.setAttribute(u"name", name)
635
e.setAttribute(u"type", prop._dbus_signature)
636
e.setAttribute(u"access", prop._dbus_access)
637
return e
638
for if_tag in document.getElementsByTagName(u"interface"):
639
for tag in (make_tag(document, name, prop)
640
for name, prop
641
in self._get_all_dbus_properties()
642
if prop._dbus_interface
643
== if_tag.getAttribute(u"name")):
644
if_tag.appendChild(tag)
645
# Add the names to the return values for the
646
# "org.freedesktop.DBus.Properties" methods
647
if (if_tag.getAttribute(u"name")
648
== u"org.freedesktop.DBus.Properties"):
649
for cn in if_tag.getElementsByTagName(u"method"):
650
if cn.getAttribute(u"name") == u"Get":
651
for arg in cn.getElementsByTagName(u"arg"):
652
if (arg.getAttribute(u"direction")
653
== u"out"):
654
arg.setAttribute(u"name", u"value")
655
elif cn.getAttribute(u"name") == u"GetAll":
656
for arg in cn.getElementsByTagName(u"arg"):
657
if (arg.getAttribute(u"direction")
658
== u"out"):
659
arg.setAttribute(u"name", u"props")
660
xmlstring = document.toxml(u"utf-8")
661
document.unlink()
662
except (AttributeError, xml.dom.DOMException,
663
xml.parsers.expat.ExpatError), error:
664
logger.error(u"Failed to override Introspection method",
665
error)
666
return xmlstring
667
668
669
class ClientDBus(Client, DBusObjectWithProperties):
670
"""A Client class using D-Bus
671
672
Attributes:
673
dbus_object_path: dbus.ObjectPath
674
bus: dbus.SystemBus()
675
"""
676
# dbus.service.Object doesn't use super(), so we can't either.
677
678
def __init__(self, bus = None, *args, **kwargs):
679
self.bus = bus
680
Client.__init__(self, *args, **kwargs)
681
# Only now, when this client is initialized, can it show up on
682
# the D-Bus
683
self.dbus_object_path = (dbus.ObjectPath
684
(u"/clients/"
685
+ self.name.replace(u".", u"_")))
686
DBusObjectWithProperties.__init__(self, self.bus,
687
self.dbus_object_path)
688
689
@staticmethod
690
def _datetime_to_dbus(dt, variant_level=0):
691
"""Convert a UTC datetime.datetime() to a D-Bus type."""
692
return dbus.String(dt.isoformat(),
693
variant_level=variant_level)
694
695
def enable(self):
696
oldstate = getattr(self, u"enabled", False)
697
r = Client.enable(self)
698
if oldstate != self.enabled:
699
# Emit D-Bus signals
700
self.PropertyChanged(dbus.String(u"enabled"),
701
dbus.Boolean(True, variant_level=1))
702
self.PropertyChanged(
703
dbus.String(u"last_enabled"),
704
self._datetime_to_dbus(self.last_enabled,
705
variant_level=1))
706
return r
707
708
def disable(self, quiet = False):
709
oldstate = getattr(self, u"enabled", False)
710
r = Client.disable(self, quiet=quiet)
711
if not quiet and oldstate != self.enabled:
712
# Emit D-Bus signal
713
self.PropertyChanged(dbus.String(u"enabled"),
714
dbus.Boolean(False, variant_level=1))
715
return r
716
717
def __del__(self, *args, **kwargs):
718
try:
719
self.remove_from_connection()
720
except LookupError:
721
pass
722
if hasattr(DBusObjectWithProperties, u"__del__"):
723
DBusObjectWithProperties.__del__(self, *args, **kwargs)
724
Client.__del__(self, *args, **kwargs)
725
726
def checker_callback(self, pid, condition, command,
727
*args, **kwargs):
728
self.checker_callback_tag = None
729
self.checker = None
730
# Emit D-Bus signal
731
self.PropertyChanged(dbus.String(u"checker_running"),
732
dbus.Boolean(False, variant_level=1))
733
if os.WIFEXITED(condition):
734
exitstatus = os.WEXITSTATUS(condition)
735
# Emit D-Bus signal
736
self.CheckerCompleted(dbus.Int16(exitstatus),
737
dbus.Int64(condition),
738
dbus.String(command))
739
else:
740
# Emit D-Bus signal
741
self.CheckerCompleted(dbus.Int16(-1),
742
dbus.Int64(condition),
743
dbus.String(command))
744
745
return Client.checker_callback(self, pid, condition, command,
746
*args, **kwargs)
747
748
def checked_ok(self, *args, **kwargs):
749
r = Client.checked_ok(self, *args, **kwargs)
750
# Emit D-Bus signal
751
self.PropertyChanged(
752
dbus.String(u"last_checked_ok"),
753
(self._datetime_to_dbus(self.last_checked_ok,
754
variant_level=1)))
755
return r
756
757
def start_checker(self, *args, **kwargs):
758
old_checker = self.checker
759
if self.checker is not None:
760
old_checker_pid = self.checker.pid
761
else:
762
old_checker_pid = None
763
r = Client.start_checker(self, *args, **kwargs)
764
# Only if new checker process was started
765
if (self.checker is not None
766
and old_checker_pid != self.checker.pid):
767
# Emit D-Bus signal
768
self.CheckerStarted(self.current_checker_command)
769
self.PropertyChanged(
770
dbus.String(u"checker_running"),
771
dbus.Boolean(True, variant_level=1))
772
return r
773
774
def stop_checker(self, *args, **kwargs):
775
old_checker = getattr(self, u"checker", None)
776
r = Client.stop_checker(self, *args, **kwargs)
777
if (old_checker is not None
778
and getattr(self, u"checker", None) is None):
438
if self.use_dbus:
779
439
self.PropertyChanged(dbus.String(u"checker_running"),
780
440
dbus.Boolean(False, variant_level=1))
781
return r
441
442
def still_valid(self):
443
"""Has the timeout not yet passed for this client?"""
444
if not getattr(self, "enabled", False):
445
return False
446
now = datetime.datetime.utcnow()
447
if self.last_checked_ok is None:
448
return now < (self.created + self.timeout)
449
else:
450
return now < (self.last_checked_ok + self.timeout)
782
451
783
452
## D-Bus methods & signals
784
453
_interface = u"se.bsnet.fukt.Mandos.Client"
785
454
786
455
# CheckedOK - method
787
@dbus.service.method(_interface)
788
def CheckedOK(self):
789
return self.checked_ok()
456
CheckedOK = dbus.service.method(_interface)(checked_ok)
457
CheckedOK.__name__ = "CheckedOK"
790
458
791
459
# CheckerCompleted - signal
792
@dbus.service.signal(_interface, signature=u"nxs")
460
@dbus.service.signal(_interface, signature="nxs")
793
461
def CheckerCompleted(self, exitcode, waitstatus, command):
794
462
"D-Bus signal"
795
463
pass
796
464
797
465
# CheckerStarted - signal
798
@dbus.service.signal(_interface, signature=u"s")
466
@dbus.service.signal(_interface, signature="s")
799
467
def CheckerStarted(self, command):
800
468
"D-Bus signal"
801
469
pass
802
470
471
# GetAllProperties - method
472
@dbus.service.method(_interface, out_signature="a{sv}")
473
def GetAllProperties(self):
474
"D-Bus method"
475
return dbus.Dictionary({
476
dbus.String("name"):
477
dbus.String(self.name, variant_level=1),
478
dbus.String("fingerprint"):
479
dbus.String(self.fingerprint, variant_level=1),
480
dbus.String("host"):
481
dbus.String(self.host, variant_level=1),
482
dbus.String("created"):
483
_datetime_to_dbus(self.created, variant_level=1),
484
dbus.String("last_enabled"):
485
(_datetime_to_dbus(self.last_enabled,
486
variant_level=1)
487
if self.last_enabled is not None
488
else dbus.Boolean(False, variant_level=1)),
489
dbus.String("enabled"):
490
dbus.Boolean(self.enabled, variant_level=1),
491
dbus.String("last_checked_ok"):
492
(_datetime_to_dbus(self.last_checked_ok,
493
variant_level=1)
494
if self.last_checked_ok is not None
495
else dbus.Boolean (False, variant_level=1)),
496
dbus.String("timeout"):
497
dbus.UInt64(self.timeout_milliseconds(),
498
variant_level=1),
499
dbus.String("interval"):
500
dbus.UInt64(self.interval_milliseconds(),
501
variant_level=1),
502
dbus.String("checker"):
503
dbus.String(self.checker_command,
504
variant_level=1),
505
dbus.String("checker_running"):
506
dbus.Boolean(self.checker is not None,
507
variant_level=1),
508
dbus.String("object_path"):
509
dbus.ObjectPath(self.dbus_object_path,
510
variant_level=1)
511
}, signature="sv")
512
513
# IsStillValid - method
514
IsStillValid = (dbus.service.method(_interface, out_signature="b")
515
(still_valid))
516
IsStillValid.__name__ = "IsStillValid"
517
803
518
# PropertyChanged - signal
804
@dbus.service.signal(_interface, signature=u"sv")
519
@dbus.service.signal(_interface, signature="sv")
805
520
def PropertyChanged(self, property, value):
806
521
"D-Bus signal"
807
522
pass
808
523
809
# GotSecret - signal
810
@dbus.service.signal(_interface)
811
def GotSecret(self):
812
"D-Bus signal"
813
pass
814
815
# Rejected - signal
816
@dbus.service.signal(_interface)
817
def Rejected(self):
818
"D-Bus signal"
819
pass
524
# SetChecker - method
525
@dbus.service.method(_interface, in_signature="s")
526
def SetChecker(self, checker):
527
"D-Bus setter method"
528
self.checker_command = checker
529
# Emit D-Bus signal
530
self.PropertyChanged(dbus.String(u"checker"),
531
dbus.String(self.checker_command,
532
variant_level=1))
533
534
# SetHost - method
535
@dbus.service.method(_interface, in_signature="s")
536
def SetHost(self, host):
537
"D-Bus setter method"
538
self.host = host
539
# Emit D-Bus signal
540
self.PropertyChanged(dbus.String(u"host"),
541
dbus.String(self.host, variant_level=1))
542
543
# SetInterval - method
544
@dbus.service.method(_interface, in_signature="t")
545
def SetInterval(self, milliseconds):
546
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
547
# Emit D-Bus signal
548
self.PropertyChanged(dbus.String(u"interval"),
549
(dbus.UInt64(self.interval_milliseconds(),
550
variant_level=1)))
551
552
# SetSecret - method
553
@dbus.service.method(_interface, in_signature="ay",
554
byte_arrays=True)
555
def SetSecret(self, secret):
556
"D-Bus setter method"
557
self.secret = str(secret)
558
559
# SetTimeout - method
560
@dbus.service.method(_interface, in_signature="t")
561
def SetTimeout(self, milliseconds):
562
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
563
# Emit D-Bus signal
564
self.PropertyChanged(dbus.String(u"timeout"),
565
(dbus.UInt64(self.timeout_milliseconds(),
566
variant_level=1)))
820
567
821
568
# Enable - method
822
@dbus.service.method(_interface)
823
def Enable(self):
824
"D-Bus method"
825
self.enable()
569
Enable = dbus.service.method(_interface)(enable)
570
Enable.__name__ = "Enable"
826
571
827
572
# StartChecker - method
828
573
@dbus.service.method(_interface)
837
582
self.disable()
838
583
839
584
# StopChecker - method
840
@dbus.service.method(_interface)
841
def StopChecker(self):
842
self.stop_checker()
843
844
# name - property
845
@dbus_service_property(_interface, signature=u"s", access=u"read")
846
def name_dbus_property(self):
847
return dbus.String(self.name)
848
849
# fingerprint - property
850
@dbus_service_property(_interface, signature=u"s", access=u"read")
851
def fingerprint_dbus_property(self):
852
return dbus.String(self.fingerprint)
853
854
# host - property
855
@dbus_service_property(_interface, signature=u"s",
856
access=u"readwrite")
857
def host_dbus_property(self, value=None):
858
if value is None: # get
859
return dbus.String(self.host)
860
self.host = value
861
# Emit D-Bus signal
862
self.PropertyChanged(dbus.String(u"host"),
863
dbus.String(value, variant_level=1))
864
865
# created - property
866
@dbus_service_property(_interface, signature=u"s", access=u"read")
867
def created_dbus_property(self):
868
return dbus.String(self._datetime_to_dbus(self.created))
869
870
# last_enabled - property
871
@dbus_service_property(_interface, signature=u"s", access=u"read")
872
def last_enabled_dbus_property(self):
873
if self.last_enabled is None:
874
return dbus.String(u"")
875
return dbus.String(self._datetime_to_dbus(self.last_enabled))
876
877
# enabled - property
878
@dbus_service_property(_interface, signature=u"b",
879
access=u"readwrite")
880
def enabled_dbus_property(self, value=None):
881
if value is None: # get
882
return dbus.Boolean(self.enabled)
883
if value:
884
self.enable()
885
else:
886
self.disable()
887
888
# last_checked_ok - property
889
@dbus_service_property(_interface, signature=u"s",
890
access=u"readwrite")
891
def last_checked_ok_dbus_property(self, value=None):
892
if value is not None:
893
self.checked_ok()
894
return
895
if self.last_checked_ok is None:
896
return dbus.String(u"")
897
return dbus.String(self._datetime_to_dbus(self
898
.last_checked_ok))
899
900
# timeout - property
901
@dbus_service_property(_interface, signature=u"t",
902
access=u"readwrite")
903
def timeout_dbus_property(self, value=None):
904
if value is None: # get
905
return dbus.UInt64(self.timeout_milliseconds())
906
self.timeout = datetime.timedelta(0, 0, 0, value)
907
# Emit D-Bus signal
908
self.PropertyChanged(dbus.String(u"timeout"),
909
dbus.UInt64(value, variant_level=1))
910
if getattr(self, u"disable_initiator_tag", None) is None:
911
return
912
# Reschedule timeout
913
gobject.source_remove(self.disable_initiator_tag)
914
self.disable_initiator_tag = None
915
time_to_die = (self.
916
_timedelta_to_milliseconds((self
917
.last_checked_ok
918
+ self.timeout)
919
- datetime.datetime
920
.utcnow()))
921
if time_to_die <= 0:
922
# The timeout has passed
923
self.disable()
924
else:
925
self.disable_initiator_tag = (gobject.timeout_add
926
(time_to_die, self.disable))
927
928
# interval - property
929
@dbus_service_property(_interface, signature=u"t",
930
access=u"readwrite")
931
def interval_dbus_property(self, value=None):
932
if value is None: # get
933
return dbus.UInt64(self.interval_milliseconds())
934
self.interval = datetime.timedelta(0, 0, 0, value)
935
# Emit D-Bus signal
936
self.PropertyChanged(dbus.String(u"interval"),
937
dbus.UInt64(value, variant_level=1))
938
if getattr(self, u"checker_initiator_tag", None) is None:
939
return
940
# Reschedule checker run
941
gobject.source_remove(self.checker_initiator_tag)
942
self.checker_initiator_tag = (gobject.timeout_add
943
(value, self.start_checker))
944
self.start_checker() # Start one now, too
945
946
# checker - property
947
@dbus_service_property(_interface, signature=u"s",
948
access=u"readwrite")
949
def checker_dbus_property(self, value=None):
950
if value is None: # get
951
return dbus.String(self.checker_command)
952
self.checker_command = value
953
# Emit D-Bus signal
954
self.PropertyChanged(dbus.String(u"checker"),
955
dbus.String(self.checker_command,
956
variant_level=1))
957
958
# checker_running - property
959
@dbus_service_property(_interface, signature=u"b",
960
access=u"readwrite")
961
def checker_running_dbus_property(self, value=None):
962
if value is None: # get
963
return dbus.Boolean(self.checker is not None)
964
if value:
965
self.start_checker()
966
else:
967
self.stop_checker()
968
969
# object_path - property
970
@dbus_service_property(_interface, signature=u"o", access=u"read")
971
def object_path_dbus_property(self):
972
return self.dbus_object_path # is already a dbus.ObjectPath
973
974
# secret = property
975
@dbus_service_property(_interface, signature=u"ay",
976
access=u"write", byte_arrays=True)
977
def secret_dbus_property(self, value):
978
self.secret = str(value)
585
StopChecker = dbus.service.method(_interface)(stop_checker)
586
StopChecker.__name__ = "StopChecker"
979
587
980
588
del _interface
981
589
982
590
983
class ClientHandler(socketserver.BaseRequestHandler, object):
984
"""A class to handle client connections.
985
986
Instantiated once for each connection to handle it.
591
def peer_certificate(session):
592
"Return the peer's OpenPGP certificate as a bytestring"
593
# If not an OpenPGP certificate...
594
if (gnutls.library.functions
595
.gnutls_certificate_type_get(session._c_object)
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
597
# ...do the normal thing
598
return session.peer_certificate
599
list_size = ctypes.c_uint(1)
600
cert_list = (gnutls.library.functions
601
.gnutls_certificate_get_peers
602
(session._c_object, ctypes.byref(list_size)))
603
if not bool(cert_list) and list_size.value != 0:
604
raise gnutls.errors.GNUTLSError("error getting peer"
605
" certificate")
606
if list_size.value == 0:
607
return None
608
cert = cert_list[0]
609
return ctypes.string_at(cert.data, cert.size)
610
611
612
def fingerprint(openpgp):
613
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
614
# New GnuTLS "datum" with the OpenPGP public key
615
datum = (gnutls.library.types
616
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
617
ctypes.POINTER
618
(ctypes.c_ubyte)),
619
ctypes.c_uint(len(openpgp))))
620
# New empty GnuTLS certificate
621
crt = gnutls.library.types.gnutls_openpgp_crt_t()
622
(gnutls.library.functions
623
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
624
# Import the OpenPGP public key into the certificate
625
(gnutls.library.functions
626
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
627
gnutls.library.constants
628
.GNUTLS_OPENPGP_FMT_RAW))
629
# Verify the self signature in the key
630
crtverify = ctypes.c_uint()
631
(gnutls.library.functions
632
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
633
if crtverify.value != 0:
634
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
635
raise gnutls.errors.CertificateSecurityError("Verify failed")
636
# New buffer for the fingerprint
637
buf = ctypes.create_string_buffer(20)
638
buf_len = ctypes.c_size_t()
639
# Get the fingerprint from the certificate into the buffer
640
(gnutls.library.functions
641
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
642
ctypes.byref(buf_len)))
643
# Deinit the certificate
644
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
645
# Convert the buffer to a Python bytestring
646
fpr = ctypes.string_at(buf, buf_len.value)
647
# Convert the bytestring to hexadecimal notation
648
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
649
return hex_fpr
650
651
652
class TCP_handler(SocketServer.BaseRequestHandler, object):
653
"""A TCP request handler class.
654
Instantiated by IPv6_TCPServer for each request to handle it.
987
655
Note: This will run in its own forked process."""
988
656
989
657
def handle(self):
990
658
logger.info(u"TCP connection from: %s",
991
659
unicode(self.client_address))
992
logger.debug(u"IPC Pipe FD: %d", self.server.child_pipe[1])
993
# Open IPC pipe to parent process
994
with contextlib.nested(os.fdopen(self.server.child_pipe[1],
995
u"w", 1),
996
os.fdopen(self.server.parent_pipe[0],
997
u"r", 0)) as (ipc,
998
ipc_return):
999
session = (gnutls.connection
1000
.ClientSession(self.request,
1001
gnutls.connection
1002
.X509Credentials()))
1003
1004
line = self.request.makefile().readline()
1005
logger.debug(u"Protocol version: %r", line)
1006
try:
1007
if int(line.strip().split()[0]) > 1:
1008
raise RuntimeError
1009
except (ValueError, IndexError, RuntimeError), error:
1010
logger.error(u"Unknown protocol version: %s", error)
1011
return
1012
1013
# Note: gnutls.connection.X509Credentials is really a
1014
# generic GnuTLS certificate credentials object so long as
1015
# no X.509 keys are added to it. Therefore, we can use it
1016
# here despite using OpenPGP certificates.
1017
1018
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1019
# u"+AES-256-CBC", u"+SHA1",
1020
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1021
# u"+DHE-DSS"))
1022
# Use a fallback default, since this MUST be set.
1023
priority = self.server.gnutls_priority
1024
if priority is None:
1025
priority = u"NORMAL"
1026
(gnutls.library.functions
1027
.gnutls_priority_set_direct(session._c_object,
1028
priority, None))
1029
1030
try:
1031
session.handshake()
1032
except gnutls.errors.GNUTLSError, error:
1033
logger.warning(u"Handshake failed: %s", error)
1034
# Do not run session.bye() here: the session is not
1035
# established. Just abandon the request.
1036
return
1037
logger.debug(u"Handshake succeeded")
1038
try:
1039
try:
1040
fpr = self.fingerprint(self.peer_certificate
1041
(session))
1042
except (TypeError, gnutls.errors.GNUTLSError), error:
1043
logger.warning(u"Bad certificate: %s", error)
1044
return
1045
logger.debug(u"Fingerprint: %s", fpr)
1046
1047
for c in self.server.clients:
1048
if c.fingerprint == fpr:
1049
client = c
1050
break
1051
else:
1052
ipc.write(u"NOTFOUND %s %s\n"
1053
% (fpr, unicode(self.client_address)))
1054
return
1055
# Have to check if client.enabled, since it is
1056
# possible that the client was disabled since the
1057
# GnuTLS session was established.
1058
ipc.write(u"GETATTR enabled %s\n" % fpr)
1059
enabled = pickle.load(ipc_return)
1060
if not enabled:
1061
ipc.write(u"DISABLED %s\n" % client.name)
1062
return
1063
ipc.write(u"SENDING %s\n" % client.name)
1064
sent_size = 0
1065
while sent_size < len(client.secret):
1066
sent = session.send(client.secret[sent_size:])
1067
logger.debug(u"Sent: %d, remaining: %d",
1068
sent, len(client.secret)
1069
- (sent_size + sent))
1070
sent_size += sent
1071
finally:
1072
session.bye()
1073
1074
@staticmethod
1075
def peer_certificate(session):
1076
"Return the peer's OpenPGP certificate as a bytestring"
1077
# If not an OpenPGP certificate...
1078
if (gnutls.library.functions
1079
.gnutls_certificate_type_get(session._c_object)
1080
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1081
# ...do the normal thing
1082
return session.peer_certificate
1083
list_size = ctypes.c_uint(1)
1084
cert_list = (gnutls.library.functions
1085
.gnutls_certificate_get_peers
1086
(session._c_object, ctypes.byref(list_size)))
1087
if not bool(cert_list) and list_size.value != 0:
1088
raise gnutls.errors.GNUTLSError(u"error getting peer"
1089
u" certificate")
1090
if list_size.value == 0:
1091
return None
1092
cert = cert_list[0]
1093
return ctypes.string_at(cert.data, cert.size)
1094
1095
@staticmethod
1096
def fingerprint(openpgp):
1097
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1098
# New GnuTLS "datum" with the OpenPGP public key
1099
datum = (gnutls.library.types
1100
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1101
ctypes.POINTER
1102
(ctypes.c_ubyte)),
1103
ctypes.c_uint(len(openpgp))))
1104
# New empty GnuTLS certificate
1105
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1106
(gnutls.library.functions
1107
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1108
# Import the OpenPGP public key into the certificate
1109
(gnutls.library.functions
1110
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1111
gnutls.library.constants
1112
.GNUTLS_OPENPGP_FMT_RAW))
1113
# Verify the self signature in the key
1114
crtverify = ctypes.c_uint()
1115
(gnutls.library.functions
1116
.gnutls_openpgp_crt_verify_self(crt, 0,
1117
ctypes.byref(crtverify)))
1118
if crtverify.value != 0:
1119
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1120
raise (gnutls.errors.CertificateSecurityError
1121
(u"Verify failed"))
1122
# New buffer for the fingerprint
1123
buf = ctypes.create_string_buffer(20)
1124
buf_len = ctypes.c_size_t()
1125
# Get the fingerprint from the certificate into the buffer
1126
(gnutls.library.functions
1127
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1128
ctypes.byref(buf_len)))
1129
# Deinit the certificate
1130
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1131
# Convert the buffer to a Python bytestring
1132
fpr = ctypes.string_at(buf, buf_len.value)
1133
# Convert the bytestring to hexadecimal notation
1134
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1135
return hex_fpr
1136
1137
1138
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1139
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1140
def process_request(self, request, client_address):
1141
"""Overrides and wraps the original process_request().
1142
1143
This function creates a new pipe in self.pipe
1144
"""
1145
self.child_pipe = os.pipe() # Child writes here
1146
self.parent_pipe = os.pipe() # Parent writes here
1147
super(ForkingMixInWithPipes,
1148
self).process_request(request, client_address)
1149
# Close unused ends for parent
1150
os.close(self.parent_pipe[0]) # close read end
1151
os.close(self.child_pipe[1]) # close write end
1152
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1153
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1154
"""Dummy function; override as necessary"""
1155
os.close(child_pipe_fd)
1156
os.close(parent_pipe_fd)
1157
1158
1159
class IPv6_TCPServer(ForkingMixInWithPipes,
1160
socketserver.TCPServer, object):
1161
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1162
660
session = (gnutls.connection
661
.ClientSession(self.request,
662
gnutls.connection
663
.X509Credentials()))
664
665
line = self.request.makefile().readline()
666
logger.debug(u"Protocol version: %r", line)
667
try:
668
if int(line.strip().split()[0]) > 1:
669
raise RuntimeError
670
except (ValueError, IndexError, RuntimeError), error:
671
logger.error(u"Unknown protocol version: %s", error)
672
return
673
674
# Note: gnutls.connection.X509Credentials is really a generic
675
# GnuTLS certificate credentials object so long as no X.509
676
# keys are added to it. Therefore, we can use it here despite
677
# using OpenPGP certificates.
678
679
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
680
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
681
# "+DHE-DSS"))
682
# Use a fallback default, since this MUST be set.
683
priority = self.server.settings.get("priority", "NORMAL")
684
(gnutls.library.functions
685
.gnutls_priority_set_direct(session._c_object,
686
priority, None))
687
688
try:
689
session.handshake()
690
except gnutls.errors.GNUTLSError, error:
691
logger.warning(u"Handshake failed: %s", error)
692
# Do not run session.bye() here: the session is not
693
# established. Just abandon the request.
694
return
695
logger.debug(u"Handshake succeeded")
696
try:
697
fpr = fingerprint(peer_certificate(session))
698
except (TypeError, gnutls.errors.GNUTLSError), error:
699
logger.warning(u"Bad certificate: %s", error)
700
session.bye()
701
return
702
logger.debug(u"Fingerprint: %s", fpr)
703
704
for c in self.server.clients:
705
if c.fingerprint == fpr:
706
client = c
707
break
708
else:
709
logger.warning(u"Client not found for fingerprint: %s",
710
fpr)
711
session.bye()
712
return
713
# Have to check if client.still_valid(), since it is possible
714
# that the client timed out while establishing the GnuTLS
715
# session.
716
if not client.still_valid():
717
logger.warning(u"Client %(name)s is invalid",
718
vars(client))
719
session.bye()
720
return
721
## This won't work here, since we're in a fork.
722
# client.checked_ok()
723
sent_size = 0
724
while sent_size < len(client.secret):
725
sent = session.send(client.secret[sent_size:])
726
logger.debug(u"Sent: %d, remaining: %d",
727
sent, len(client.secret)
728
- (sent_size + sent))
729
sent_size += sent
730
session.bye()
731
732
733
class IPv6_TCPServer(SocketServer.ForkingMixIn,
734
SocketServer.TCPServer, object):
735
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1163
736
Attributes:
737
settings: Server settings
738
clients: Set() of Client objects
1164
739
enabled: Boolean; whether this server is activated yet
1165
interface: None or a network interface name (string)
1166
use_ipv6: Boolean; to use IPv6 or not
1167
740
"""
1168
def __init__(self, server_address, RequestHandlerClass,
1169
interface=None, use_ipv6=True):
1170
self.interface = interface
1171
if use_ipv6:
1172
self.address_family = socket.AF_INET6
1173
socketserver.TCPServer.__init__(self, server_address,
1174
RequestHandlerClass)
741
address_family = socket.AF_INET6
742
def __init__(self, *args, **kwargs):
743
if "settings" in kwargs:
744
self.settings = kwargs["settings"]
745
del kwargs["settings"]
746
if "clients" in kwargs:
747
self.clients = kwargs["clients"]
748
del kwargs["clients"]
749
self.enabled = False
750
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1175
751
def server_bind(self):
1176
752
"""This overrides the normal server_bind() function
1177
753
to bind to an interface if one was specified, and also NOT to
1178
754
bind to an address or port if they were not specified."""
1179
if self.interface is not None:
1180
if SO_BINDTODEVICE is None:
1181
logger.error(u"SO_BINDTODEVICE does not exist;"
1182
u" cannot bind to interface %s",
1183
self.interface)
1184
else:
1185
try:
1186
self.socket.setsockopt(socket.SOL_SOCKET,
1187
SO_BINDTODEVICE,
1188
str(self.interface
1189
+ u'\0'))
1190
except socket.error, error:
1191
if error[0] == errno.EPERM:
1192
logger.error(u"No permission to"
1193
u" bind to interface %s",
1194
self.interface)
1195
elif error[0] == errno.ENOPROTOOPT:
1196
logger.error(u"SO_BINDTODEVICE not available;"
1197
u" cannot bind to interface %s",
1198
self.interface)
1199
else:
1200
raise
755
if self.settings["interface"]:
756
# 25 is from /usr/include/asm-i486/socket.h
757
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
758
try:
759
self.socket.setsockopt(socket.SOL_SOCKET,
760
SO_BINDTODEVICE,
761
self.settings["interface"])
762
except socket.error, error:
763
if error[0] == errno.EPERM:
764
logger.error(u"No permission to"
765
u" bind to interface %s",
766
self.settings["interface"])
767
else:
768
raise
1201
769
# Only bind(2) the socket if we really need to.
1202
770
if self.server_address[0] or self.server_address[1]:
1203
771
if not self.server_address[0]:
1204
if self.address_family == socket.AF_INET6:
1205
any_address = u"::" # in6addr_any
1206
else:
1207
any_address = socket.INADDR_ANY
1208
self.server_address = (any_address,
772
in6addr_any = "::"
773
self.server_address = (in6addr_any,
1209
774
self.server_address[1])
1210
775
elif not self.server_address[1]:
1211
776
self.server_address = (self.server_address[0],
1212
777
0)
1213
# if self.interface:
778
# if self.settings["interface"]:
1214
779
# self.server_address = (self.server_address[0],
1215
780
# 0, # port
1216
781
# 0, # flowinfo
1217
782
# if_nametoindex
1218
# (self.interface))
1219
return socketserver.TCPServer.server_bind(self)
1220
1221
1222
class MandosServer(IPv6_TCPServer):
1223
"""Mandos server.
1224
1225
Attributes:
1226
clients: set of Client objects
1227
gnutls_priority GnuTLS priority string
1228
use_dbus: Boolean; to emit D-Bus signals or not
1229
1230
Assumes a gobject.MainLoop event loop.
1231
"""
1232
def __init__(self, server_address, RequestHandlerClass,
1233
interface=None, use_ipv6=True, clients=None,
1234
gnutls_priority=None, use_dbus=True):
1235
self.enabled = False
1236
self.clients = clients
1237
if self.clients is None:
1238
self.clients = set()
1239
self.use_dbus = use_dbus
1240
self.gnutls_priority = gnutls_priority
1241
IPv6_TCPServer.__init__(self, server_address,
1242
RequestHandlerClass,
1243
interface = interface,
1244
use_ipv6 = use_ipv6)
783
# (self.settings
784
# ["interface"]))
785
return super(IPv6_TCPServer, self).server_bind()
1245
786
def server_activate(self):
1246
787
if self.enabled:
1247
return socketserver.TCPServer.server_activate(self)
788
return super(IPv6_TCPServer, self).server_activate()
1248
789
def enable(self):
1249
790
self.enabled = True
1250
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1251
# Call "handle_ipc" for both data and EOF events
1252
gobject.io_add_watch(child_pipe_fd,
1253
gobject.IO_IN | gobject.IO_HUP,
1254
functools.partial(self.handle_ipc,
1255
reply_fd
1256
=parent_pipe_fd))
1257
def handle_ipc(self, source, condition, reply_fd=None,
1258
file_objects={}):
1259
condition_names = {
1260
gobject.IO_IN: u"IN", # There is data to read.
1261
gobject.IO_OUT: u"OUT", # Data can be written (without
1262
# blocking).
1263
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1264
gobject.IO_ERR: u"ERR", # Error condition.
1265
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1266
# broken, usually for pipes and
1267
# sockets).
1268
}
1269
conditions_string = ' | '.join(name
1270
for cond, name in
1271
condition_names.iteritems()
1272
if cond & condition)
1273
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1274
conditions_string)
1275
1276
# Turn the pipe file descriptors into Python file objects
1277
if source not in file_objects:
1278
file_objects[source] = os.fdopen(source, u"r", 1)
1279
if reply_fd not in file_objects:
1280
file_objects[reply_fd] = os.fdopen(reply_fd, u"w", 0)
1281
1282
# Read a line from the file object
1283
cmdline = file_objects[source].readline()
1284
if not cmdline: # Empty line means end of file
1285
# close the IPC pipes
1286
file_objects[source].close()
1287
del file_objects[source]
1288
file_objects[reply_fd].close()
1289
del file_objects[reply_fd]
1290
1291
# Stop calling this function
1292
return False
1293
1294
logger.debug(u"IPC command: %r", cmdline)
1295
1296
# Parse and act on command
1297
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1298
1299
if cmd == u"NOTFOUND":
1300
fpr, address = args.split(None, 1)
1301
logger.warning(u"Client not found for fingerprint: %s, ad"
1302
u"dress: %s", fpr, address)
1303
if self.use_dbus:
1304
# Emit D-Bus signal
1305
mandos_dbus_service.ClientNotFound(fpr, address)
1306
elif cmd == u"DISABLED":
1307
for client in self.clients:
1308
if client.name == args:
1309
logger.warning(u"Client %s is disabled", args)
1310
if self.use_dbus:
1311
# Emit D-Bus signal
1312
client.Rejected()
1313
break
1314
else:
1315
logger.error(u"Unknown client %s is disabled", args)
1316
elif cmd == u"SENDING":
1317
for client in self.clients:
1318
if client.name == args:
1319
logger.info(u"Sending secret to %s", client.name)
1320
client.checked_ok()
1321
if self.use_dbus:
1322
# Emit D-Bus signal
1323
client.GotSecret()
1324
break
1325
else:
1326
logger.error(u"Sending secret to unknown client %s",
1327
args)
1328
elif cmd == u"GETATTR":
1329
attr_name, fpr = args.split(None, 1)
1330
for client in self.clients:
1331
if client.fingerprint == fpr:
1332
attr_value = getattr(client, attr_name, None)
1333
logger.debug("IPC reply: %r", attr_value)
1334
pickle.dump(attr_value, file_objects[reply_fd])
1335
break
1336
else:
1337
logger.error(u"Client %s on address %s requesting "
1338
u"attribute %s not found", fpr, address,
1339
attr_name)
1340
pickle.dump(None, file_objects[reply_fd])
1341
else:
1342
logger.error(u"Unknown IPC command: %r", cmdline)
1343
1344
# Keep calling this function
1345
return True
1346
791
1347
792
1348
793
def string_to_delta(interval):
1349
794
"""Parse a string and return a datetime.timedelta
1350
795
1351
>>> string_to_delta(u'7d')
796
>>> string_to_delta('7d')
1352
797
datetime.timedelta(7)
1353
>>> string_to_delta(u'60s')
798
>>> string_to_delta('60s')
1354
799
datetime.timedelta(0, 60)
1355
>>> string_to_delta(u'60m')
800
>>> string_to_delta('60m')
1356
801
datetime.timedelta(0, 3600)
1357
>>> string_to_delta(u'24h')
802
>>> string_to_delta('24h')
1358
803
datetime.timedelta(1)
1359
804
>>> string_to_delta(u'1w')
1360
805
datetime.timedelta(7)
1361
>>> string_to_delta(u'5m 30s')
806
>>> string_to_delta('5m 30s')
1362
807
datetime.timedelta(0, 330)
1363
808
"""
1364
809
timevalue = datetime.timedelta(0)
1377
822
elif suffix == u"w":
1378
823
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1379
824
else:
1380
raise ValueError(u"Unknown suffix %r" % suffix)
1381
except (ValueError, IndexError), e:
1382
raise ValueError(e.message)
825
raise ValueError
826
except (ValueError, IndexError):
827
raise ValueError
1383
828
timevalue += delta
1384
829
return timevalue
1385
830
1386
831
832
def server_state_changed(state):
833
"""Derived from the Avahi example code"""
834
if state == avahi.SERVER_COLLISION:
835
logger.error(u"Zeroconf server name collision")
836
service.remove()
837
elif state == avahi.SERVER_RUNNING:
838
service.add()
839
840
841
def entry_group_state_changed(state, error):
842
"""Derived from the Avahi example code"""
843
logger.debug(u"Avahi state change: %i", state)
844
845
if state == avahi.ENTRY_GROUP_ESTABLISHED:
846
logger.debug(u"Zeroconf service established.")
847
elif state == avahi.ENTRY_GROUP_COLLISION:
848
logger.warning(u"Zeroconf service name collision.")
849
service.rename()
850
elif state == avahi.ENTRY_GROUP_FAILURE:
851
logger.critical(u"Avahi: Error in group state changed %s",
852
unicode(error))
853
raise AvahiGroupError(u"State changed: %s" % unicode(error))
854
1387
855
def if_nametoindex(interface):
1388
"""Call the C function if_nametoindex(), or equivalent
1389
1390
Note: This function cannot accept a unicode string."""
856
"""Call the C function if_nametoindex(), or equivalent"""
1391
857
global if_nametoindex
1392
858
try:
1393
859
if_nametoindex = (ctypes.cdll.LoadLibrary
1394
(ctypes.util.find_library(u"c"))
860
(ctypes.util.find_library("c"))
1395
861
.if_nametoindex)
1396
862
except (OSError, AttributeError):
1397
logger.warning(u"Doing if_nametoindex the hard way")
863
if "struct" not in sys.modules:
864
import struct
865
if "fcntl" not in sys.modules:
866
import fcntl
1398
867
def if_nametoindex(interface):
1399
868
"Get an interface index the hard way, i.e. using fcntl()"
1400
869
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1401
with contextlib.closing(socket.socket()) as s:
870
with closing(socket.socket()) as s:
1402
871
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1403
struct.pack(str(u"16s16x"),
1404
interface))
1405
interface_index = struct.unpack(str(u"I"),
1406
ifreq[16:20])[0]
872
struct.pack("16s16x", interface))
873
interface_index = struct.unpack("I", ifreq[16:20])[0]
1407
874
return interface_index
1408
875
return if_nametoindex(interface)
1409
876
1410
877
1411
878
def daemon(nochdir = False, noclose = False):
1412
879
"""See daemon(3). Standard BSD Unix function.
1413
1414
880
This should really exist as os.daemon, but it doesn't (yet)."""
1415
881
if os.fork():
1416
882
sys.exit()
1417
883
os.setsid()
1418
884
if not nochdir:
1419
os.chdir(u"/")
885
os.chdir("/")
1420
886
if os.fork():
1421
887
sys.exit()
1422
888
if not noclose:
1424
890
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1425
891
if not stat.S_ISCHR(os.fstat(null).st_mode):
1426
892
raise OSError(errno.ENODEV,
1427
u"%s not a character device"
1428
% os.path.devnull)
893
"/dev/null not a character device")
1429
894
os.dup2(null, sys.stdin.fileno())
1430
895
os.dup2(null, sys.stdout.fileno())
1431
896
os.dup2(null, sys.stderr.fileno())
1434
899
1435
900
1436
901
def main():
1437
1438
##################################################################
1439
# Parsing of options, both command line and config file
1440
1441
902
parser = optparse.OptionParser(version = "%%prog %s" % version)
1442
parser.add_option("-i", u"--interface", type=u"string",
1443
metavar="IF", help=u"Bind to interface IF")
1444
parser.add_option("-a", u"--address", type=u"string",
1445
help=u"Address to listen for requests on")
1446
parser.add_option("-p", u"--port", type=u"int",
1447
help=u"Port number to receive requests on")
1448
parser.add_option("--check", action=u"store_true",
1449
help=u"Run self-test")
1450
parser.add_option("--debug", action=u"store_true",
1451
help=u"Debug mode; run in foreground and log to"
1452
u" terminal")
1453
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1454
u" priority string (see GnuTLS documentation)")
1455
parser.add_option("--servicename", type=u"string",
1456
metavar=u"NAME", help=u"Zeroconf service name")
1457
parser.add_option("--configdir", type=u"string",
1458
default=u"/etc/mandos", metavar=u"DIR",
1459
help=u"Directory to search for configuration"
1460
u" files")
1461
parser.add_option("--no-dbus", action=u"store_false",
1462
dest=u"use_dbus", help=u"Do not provide D-Bus"
1463
u" system bus interface")
1464
parser.add_option("--no-ipv6", action=u"store_false",
1465
dest=u"use_ipv6", help=u"Do not use IPv6")
903
parser.add_option("-i", "--interface", type="string",
904
metavar="IF", help="Bind to interface IF")
905
parser.add_option("-a", "--address", type="string",
906
help="Address to listen for requests on")
907
parser.add_option("-p", "--port", type="int",
908
help="Port number to receive requests on")
909
parser.add_option("--check", action="store_true",
910
help="Run self-test")
911
parser.add_option("--debug", action="store_true",
912
help="Debug mode; run in foreground and log to"
913
" terminal")
914
parser.add_option("--priority", type="string", help="GnuTLS"
915
" priority string (see GnuTLS documentation)")
916
parser.add_option("--servicename", type="string", metavar="NAME",
917
help="Zeroconf service name")
918
parser.add_option("--configdir", type="string",
919
default="/etc/mandos", metavar="DIR",
920
help="Directory to search for configuration"
921
" files")
922
parser.add_option("--no-dbus", action="store_false",
923
dest="use_dbus",
924
help="Do not provide D-Bus system bus"
925
" interface")
1466
926
options = parser.parse_args()[0]
1467
927
1468
928
if options.check:
1471
931
sys.exit()
1472
932
1473
933
# Default values for config file for server-global settings
1474
server_defaults = { u"interface": u"",
1475
u"address": u"",
1476
u"port": u"",
1477
u"debug": u"False",
1478
u"priority":
1479
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1480
u"servicename": u"Mandos",
1481
u"use_dbus": u"True",
1482
u"use_ipv6": u"True",
934
server_defaults = { "interface": "",
935
"address": "",
936
"port": "",
937
"debug": "False",
938
"priority":
939
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
940
"servicename": "Mandos",
941
"use_dbus": "True",
1483
942
}
1484
943
1485
944
# Parse config file for server-global settings
1486
server_config = configparser.SafeConfigParser(server_defaults)
945
server_config = ConfigParser.SafeConfigParser(server_defaults)
1487
946
del server_defaults
1488
server_config.read(os.path.join(options.configdir,
1489
u"mandos.conf"))
947
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1490
948
# Convert the SafeConfigParser object to a dict
1491
949
server_settings = server_config.defaults()
1492
950
# Use the appropriate methods on the non-string config options
1493
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1494
server_settings[option] = server_config.getboolean(u"DEFAULT",
1495
option)
951
server_settings["debug"] = server_config.getboolean("DEFAULT",
952
"debug")
953
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
954
"use_dbus")
1496
955
if server_settings["port"]:
1497
server_settings["port"] = server_config.getint(u"DEFAULT",
1498
u"port")
956
server_settings["port"] = server_config.getint("DEFAULT",
957
"port")
1499
958
del server_config
1500
959
1501
960
# Override the settings from the config file with command line
1502
961
# options, if set.
1503
for option in (u"interface", u"address", u"port", u"debug",
1504
u"priority", u"servicename", u"configdir",
1505
u"use_dbus", u"use_ipv6"):
962
for option in ("interface", "address", "port", "debug",
963
"priority", "servicename", "configdir",
964
"use_dbus"):
1506
965
value = getattr(options, option)
1507
966
if value is not None:
1508
967
server_settings[option] = value
1509
968
del options
1510
# Force all strings to be unicode
1511
for option in server_settings.keys():
1512
if type(server_settings[option]) is str:
1513
server_settings[option] = unicode(server_settings[option])
1514
969
# Now we have our good server settings in "server_settings"
1515
970
1516
##################################################################
1517
1518
971
# For convenience
1519
debug = server_settings[u"debug"]
1520
use_dbus = server_settings[u"use_dbus"]
1521
use_ipv6 = server_settings[u"use_ipv6"]
972
debug = server_settings["debug"]
973
use_dbus = server_settings["use_dbus"]
1522
974
1523
975
if not debug:
1524
976
syslogger.setLevel(logging.WARNING)
1525
977
console.setLevel(logging.WARNING)
1526
978
1527
if server_settings[u"servicename"] != u"Mandos":
979
if server_settings["servicename"] != "Mandos":
1528
980
syslogger.setFormatter(logging.Formatter
1529
(u'Mandos (%s) [%%(process)d]:'
1530
u' %%(levelname)s: %%(message)s'
1531
% server_settings[u"servicename"]))
981
('Mandos (%s): %%(levelname)s:'
982
' %%(message)s'
983
% server_settings["servicename"]))
1532
984
1533
985
# Parse config file with clients
1534
client_defaults = { u"timeout": u"1h",
1535
u"interval": u"5m",
1536
u"checker": u"fping -q -- %%(host)s",
1537
u"host": u"",
986
client_defaults = { "timeout": "1h",
987
"interval": "5m",
988
"checker": "fping -q -- %%(host)s",
989
"host": "",
1538
990
}
1539
client_config = configparser.SafeConfigParser(client_defaults)
1540
client_config.read(os.path.join(server_settings[u"configdir"],
1541
u"clients.conf"))
1542
1543
global mandos_dbus_service
1544
mandos_dbus_service = None
1545
1546
tcp_server = MandosServer((server_settings[u"address"],
1547
server_settings[u"port"]),
1548
ClientHandler,
1549
interface=server_settings[u"interface"],
1550
use_ipv6=use_ipv6,
1551
gnutls_priority=
1552
server_settings[u"priority"],
1553
use_dbus=use_dbus)
1554
pidfilename = u"/var/run/mandos.pid"
991
client_config = ConfigParser.SafeConfigParser(client_defaults)
992
client_config.read(os.path.join(server_settings["configdir"],
993
"clients.conf"))
994
995
clients = Set()
996
tcp_server = IPv6_TCPServer((server_settings["address"],
997
server_settings["port"]),
998
TCP_handler,
999
settings=server_settings,
1000
clients=clients)
1001
pidfilename = "/var/run/mandos.pid"
1555
1002
try:
1556
pidfile = open(pidfilename, u"w")
1003
pidfile = open(pidfilename, "w")
1557
1004
except IOError:
1558
logger.error(u"Could not open file %r", pidfilename)
1005
logger.error("Could not open file %r", pidfilename)
1559
1006
1560
1007
try:
1561
uid = pwd.getpwnam(u"_mandos").pw_uid
1562
gid = pwd.getpwnam(u"_mandos").pw_gid
1008
uid = pwd.getpwnam("_mandos").pw_uid
1009
gid = pwd.getpwnam("_mandos").pw_gid
1563
1010
except KeyError:
1564
1011
try:
1565
uid = pwd.getpwnam(u"mandos").pw_uid
1566
gid = pwd.getpwnam(u"mandos").pw_gid
1012
uid = pwd.getpwnam("mandos").pw_uid
1013
gid = pwd.getpwnam("mandos").pw_gid
1567
1014
except KeyError:
1568
1015
try:
1569
uid = pwd.getpwnam(u"nobody").pw_uid
1570
gid = pwd.getpwnam(u"nobody").pw_gid
1016
uid = pwd.getpwnam("nobody").pw_uid
1017
gid = pwd.getpwnam("nogroup").pw_gid
1571
1018
except KeyError:
1572
1019
uid = 65534
1573
1020
gid = 65534
1586
1033
1587
1034
@gnutls.library.types.gnutls_log_func
1588
1035
def debug_gnutls(level, string):
1589
logger.debug(u"GnuTLS: %s", string[:-1])
1036
logger.debug("GnuTLS: %s", string[:-1])
1590
1037
1591
1038
(gnutls.library.functions
1592
1039
.gnutls_global_set_log_function(debug_gnutls))
1593
1040
1041
global service
1042
service = AvahiService(name = server_settings["servicename"],
1043
servicetype = "_mandos._tcp", )
1044
if server_settings["interface"]:
1045
service.interface = (if_nametoindex
1046
(server_settings["interface"]))
1047
1594
1048
global main_loop
1049
global bus
1050
global server
1595
1051
# From the Avahi example code
1596
1052
DBusGMainLoop(set_as_default=True )
1597
1053
main_loop = gobject.MainLoop()
1598
1054
bus = dbus.SystemBus()
1055
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1056
avahi.DBUS_PATH_SERVER),
1057
avahi.DBUS_INTERFACE_SERVER)
1599
1058
# End of Avahi example code
1600
1059
if use_dbus:
1601
try:
1602
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1603
bus, do_not_queue=True)
1604
except dbus.exceptions.NameExistsException, e:
1605
logger.error(unicode(e) + u", disabling D-Bus")
1606
use_dbus = False
1607
server_settings[u"use_dbus"] = False
1608
tcp_server.use_dbus = False
1609
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1610
service = AvahiService(name = server_settings[u"servicename"],
1611
servicetype = u"_mandos._tcp",
1612
protocol = protocol, bus = bus)
1613
if server_settings["interface"]:
1614
service.interface = (if_nametoindex
1615
(str(server_settings[u"interface"])))
1060
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1616
1061
1617
client_class = Client
1618
if use_dbus:
1619
client_class = functools.partial(ClientDBus, bus = bus)
1620
tcp_server.clients.update(set(
1621
client_class(name = section,
1622
config= dict(client_config.items(section)))
1623
for section in client_config.sections()))
1624
if not tcp_server.clients:
1062
clients.update(Set(Client(name = section,
1063
config
1064
= dict(client_config.items(section)),
1065
use_dbus = use_dbus)
1066
for section in client_config.sections()))
1067
if not clients:
1625
1068
logger.warning(u"No clients defined")
1626
1069
1627
1070
if debug:
1637
1080
daemon()
1638
1081
1639
1082
try:
1640
with pidfile:
1641
pid = os.getpid()
1642
pidfile.write(str(pid) + "\n")
1083
pid = os.getpid()
1084
pidfile.write(str(pid) + "\n")
1085
pidfile.close()
1643
1086
del pidfile
1644
1087
except IOError:
1645
1088
logger.error(u"Could not write to file %r with PID %d",
1649
1092
pass
1650
1093
del pidfilename
1651
1094
1095
def cleanup():
1096
"Cleanup function; run on exit"
1097
global group
1098
# From the Avahi example code
1099
if not group is None:
1100
group.Free()
1101
group = None
1102
# End of Avahi example code
1103
1104
while clients:
1105
client = clients.pop()
1106
client.disable_hook = None
1107
client.disable()
1108
1109
atexit.register(cleanup)
1110
1652
1111
if not debug:
1653
1112
signal.signal(signal.SIGINT, signal.SIG_IGN)
1654
1113
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1655
1114
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1656
1115
1657
1116
if use_dbus:
1658
class MandosDBusService(dbus.service.Object):
1117
class MandosServer(dbus.service.Object):
1659
1118
"""A D-Bus proxy object"""
1660
1119
def __init__(self):
1661
dbus.service.Object.__init__(self, bus, u"/")
1120
dbus.service.Object.__init__(self, bus, "/")
1662
1121
_interface = u"se.bsnet.fukt.Mandos"
1663
1122
1664
@dbus.service.signal(_interface, signature=u"o")
1665
def ClientAdded(self, objpath):
1666
"D-Bus signal"
1667
pass
1668
1669
@dbus.service.signal(_interface, signature=u"ss")
1670
def ClientNotFound(self, fingerprint, address):
1671
"D-Bus signal"
1672
pass
1673
1674
@dbus.service.signal(_interface, signature=u"os")
1123
@dbus.service.signal(_interface, signature="oa{sv}")
1124
def ClientAdded(self, objpath, properties):
1125
"D-Bus signal"
1126
pass
1127
1128
@dbus.service.signal(_interface, signature="os")
1675
1129
def ClientRemoved(self, objpath, name):
1676
1130
"D-Bus signal"
1677
1131
pass
1678
1132
1679
@dbus.service.method(_interface, out_signature=u"ao")
1133
@dbus.service.method(_interface, out_signature="ao")
1680
1134
def GetAllClients(self):
1681
1135
"D-Bus method"
1682
return dbus.Array(c.dbus_object_path
1683
for c in tcp_server.clients)
1136
return dbus.Array(c.dbus_object_path for c in clients)
1684
1137
1685
@dbus.service.method(_interface,
1686
out_signature=u"a{oa{sv}}")
1138
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1687
1139
def GetAllClientsWithProperties(self):
1688
1140
"D-Bus method"
1689
1141
return dbus.Dictionary(
1690
((c.dbus_object_path, c.GetAll(u""))
1691
for c in tcp_server.clients),
1692
signature=u"oa{sv}")
1142
((c.dbus_object_path, c.GetAllProperties())
1143
for c in clients),
1144
signature="oa{sv}")
1693
1145
1694
@dbus.service.method(_interface, in_signature=u"o")
1146
@dbus.service.method(_interface, in_signature="o")
1695
1147
def RemoveClient(self, object_path):
1696
1148
"D-Bus method"
1697
for c in tcp_server.clients:
1149
for c in clients:
1698
1150
if c.dbus_object_path == object_path:
1699
tcp_server.clients.remove(c)
1700
c.remove_from_connection()
1151
clients.remove(c)
1701
1152
# Don't signal anything except ClientRemoved
1702
c.disable(quiet=True)
1153
c.use_dbus = False
1154
c.disable()
1703
1155
# Emit D-Bus signal
1704
1156
self.ClientRemoved(object_path, c.name)
1705
1157
return
1706
raise KeyError(object_path)
1158
raise KeyError
1707
1159
1708
1160
del _interface
1709
1161
1710
mandos_dbus_service = MandosDBusService()
1711
1712
def cleanup():
1713
"Cleanup function; run on exit"
1714
service.cleanup()
1715
1716
while tcp_server.clients:
1717
client = tcp_server.clients.pop()
1718
if use_dbus:
1719
client.remove_from_connection()
1720
client.disable_hook = None
1721
# Don't signal anything except ClientRemoved
1722
client.disable(quiet=True)
1723
if use_dbus:
1724
# Emit D-Bus signal
1725
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1726
client.name)
1727
1728
atexit.register(cleanup)
1729
1730
for client in tcp_server.clients:
1162
mandos_server = MandosServer()
1163
1164
for client in clients:
1731
1165
if use_dbus:
1732
1166
# Emit D-Bus signal
1733
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1167
mandos_server.ClientAdded(client.dbus_object_path,
1168
client.GetAllProperties())
1734
1169
client.enable()
1735
1170
1736
1171
tcp_server.enable()
1738
1173
1739
1174
# Find out what port we got
1740
1175
service.port = tcp_server.socket.getsockname()[1]
1741
if use_ipv6:
1742
logger.info(u"Now listening on address %r, port %d,"
1743
" flowinfo %d, scope_id %d"
1744
% tcp_server.socket.getsockname())
1745
else: # IPv4
1746
logger.info(u"Now listening on address %r, port %d"
1747
% tcp_server.socket.getsockname())
1176
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1177
u" scope_id %d" % tcp_server.socket.getsockname())
1748
1178
1749
1179
#service.interface = tcp_server.socket.getsockname()[3]
1750
1180
1751
1181
try:
1752
1182
# From the Avahi example code
1183
server.connect_to_signal("StateChanged", server_state_changed)
1753
1184
try:
1754
service.activate()
1185
server_state_changed(server.GetState())
1755
1186
except dbus.exceptions.DBusException, error:
1756
1187
logger.critical(u"DBusException: %s", error)
1757
cleanup()
1758
1188
sys.exit(1)
1759
1189
# End of Avahi example code
1760
1190
1767
1197
main_loop.run()
1768
1198
except AvahiError, error:
1769
1199
logger.critical(u"AvahiError: %s", error)
1770
cleanup()
1771
1200
sys.exit(1)
1772
1201
except KeyboardInterrupt:
1773
1202
if debug:
1774
1203
print >> sys.stderr
1775
logger.debug(u"Server received KeyboardInterrupt")
1776
logger.debug(u"Server exiting")
1777
# Must run before the D-Bus bus name gets deregistered
1778
cleanup()
1204
logger.debug("Server received KeyboardInterrupt")
1205
logger.debug("Server exiting")
1779
1206
1780
1207
if __name__ == '__main__':
1781
1208
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0