To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 305
- compare with another revision
- download diff
- download tarball
- view history from revision 305
- Committer: Teddy Hogeborn
- Date: 2009-02-09 02:13:58 UTC
- Revision ID: teddy@fukt.bsnet.se-20090209021358-6nrlc91oi08hn5hb
* initramfs-tools-hook: Whitespace change only.
- files removed:
- dbus-mandos.conf
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
55
56
import logging
56
57
import logging.handlers
57
58
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import multiprocessing
59
from contextlib import closing
64
60
65
61
import dbus
66
62
import dbus.service
69
65
from dbus.mainloop.glib import DBusGMainLoop
70
66
import ctypes
71
67
import ctypes.util
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
68
69
version = "1.0.5"
70
71
logger = logging.Logger('mandos')
88
72
syslogger = (logging.handlers.SysLogHandler
89
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
90
74
address = "/dev/log"))
91
75
syslogger.setFormatter(logging.Formatter
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
94
78
logger.addHandler(syslogger)
95
79
96
80
console = logging.StreamHandler()
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
100
83
logger.addHandler(console)
101
84
102
85
class AvahiError(Exception):
115
98
116
99
class AvahiService(object):
117
100
"""An Avahi (Zeroconf) service.
118
119
101
Attributes:
120
102
interface: integer; avahi.IF_UNSPEC or an interface index.
121
103
Used to optionally bind to the specified interface.
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
124
106
See <http://www.dns-sd.org/ServiceTypes.html>
125
107
port: integer; what port to announce
126
108
TXT: list of strings; TXT record for the service
129
111
max_renames: integer; maximum number of renames
130
112
rename_count: integer; counter so we only rename after collisions
131
113
a sensible number of times
132
group: D-Bus Entry Group
133
server: D-Bus Server
134
bus: dbus.SystemBus()
135
114
"""
136
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
137
116
servicetype = None, port = None, TXT = None,
138
domain = u"", host = u"", max_renames = 32768,
139
protocol = avahi.PROTO_UNSPEC, bus = None):
117
domain = "", host = "", max_renames = 32768):
140
118
self.interface = interface
141
119
self.name = name
142
120
self.type = servicetype
146
124
self.host = host
147
125
self.rename_count = 0
148
126
self.max_renames = max_renames
149
self.protocol = protocol
150
self.group = None # our entry group
151
self.server = None
152
self.bus = bus
153
127
def rename(self):
154
128
"""Derived from the Avahi example code"""
155
129
if self.rename_count >= self.max_renames:
157
131
u" after %i retries, exiting.",
158
132
self.rename_count)
159
133
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
134
self.name = server.GetAlternativeServiceName(self.name)
161
135
logger.info(u"Changing Zeroconf service name to %r ...",
162
self.name)
136
str(self.name))
163
137
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
166
% self.name))
138
('Mandos (%s): %%(levelname)s:'
139
' %%(message)s' % self.name))
167
140
self.remove()
168
141
self.add()
169
142
self.rename_count += 1
170
143
def remove(self):
171
144
"""Derived from the Avahi example code"""
172
if self.group is not None:
173
self.group.Reset()
145
if group is not None:
146
group.Reset()
174
147
def add(self):
175
148
"""Derived from the Avahi example code"""
176
if self.group is None:
177
self.group = dbus.Interface(
178
self.bus.get_object(avahi.DBUS_NAME,
179
self.server.EntryGroupNew()),
180
avahi.DBUS_INTERFACE_ENTRY_GROUP)
181
self.group.connect_to_signal('StateChanged',
182
self
183
.entry_group_state_changed)
149
global group
150
if group is None:
151
group = dbus.Interface(bus.get_object
152
(avahi.DBUS_NAME,
153
server.EntryGroupNew()),
154
avahi.DBUS_INTERFACE_ENTRY_GROUP)
155
group.connect_to_signal('StateChanged',
156
entry_group_state_changed)
184
157
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
185
self.name, self.type)
186
self.group.AddService(
187
self.interface,
188
self.protocol,
189
dbus.UInt32(0), # flags
190
self.name, self.type,
191
self.domain, self.host,
192
dbus.UInt16(self.port),
193
avahi.string_array_to_txt_array(self.TXT))
194
self.group.Commit()
195
def entry_group_state_changed(self, state, error):
196
"""Derived from the Avahi example code"""
197
logger.debug(u"Avahi state change: %i", state)
198
199
if state == avahi.ENTRY_GROUP_ESTABLISHED:
200
logger.debug(u"Zeroconf service established.")
201
elif state == avahi.ENTRY_GROUP_COLLISION:
202
logger.warning(u"Zeroconf service name collision.")
203
self.rename()
204
elif state == avahi.ENTRY_GROUP_FAILURE:
205
logger.critical(u"Avahi: Error in group state changed %s",
206
unicode(error))
207
raise AvahiGroupError(u"State changed: %s"
208
% unicode(error))
209
def cleanup(self):
210
"""Derived from the Avahi example code"""
211
if self.group is not None:
212
self.group.Free()
213
self.group = None
214
def server_state_changed(self, state):
215
"""Derived from the Avahi example code"""
216
if state == avahi.SERVER_COLLISION:
217
logger.error(u"Zeroconf server name collision")
218
self.remove()
219
elif state == avahi.SERVER_RUNNING:
220
self.add()
221
def activate(self):
222
"""Derived from the Avahi example code"""
223
if self.server is None:
224
self.server = dbus.Interface(
225
self.bus.get_object(avahi.DBUS_NAME,
226
avahi.DBUS_PATH_SERVER),
227
avahi.DBUS_INTERFACE_SERVER)
228
self.server.connect_to_signal(u"StateChanged",
229
self.server_state_changed)
230
self.server_state_changed(self.server.GetState())
231
232
233
class Client(object):
158
service.name, service.type)
159
group.AddService(
160
self.interface, # interface
161
avahi.PROTO_INET6, # protocol
162
dbus.UInt32(0), # flags
163
self.name, self.type,
164
self.domain, self.host,
165
dbus.UInt16(self.port),
166
avahi.string_array_to_txt_array(self.TXT))
167
group.Commit()
168
169
# From the Avahi example code:
170
group = None # our entry group
171
# End of Avahi example code
172
173
174
def _datetime_to_dbus(dt, variant_level=0):
175
"""Convert a UTC datetime.datetime() to a D-Bus type."""
176
return dbus.String(dt.isoformat(), variant_level=variant_level)
177
178
179
class Client(dbus.service.Object):
234
180
"""A representation of a client host served by this server.
235
236
181
Attributes:
237
182
name: string; from the config file, used in log messages and
238
183
D-Bus identifiers
245
190
enabled: bool()
246
191
last_checked_ok: datetime.datetime(); (UTC) or None
247
192
timeout: datetime.timedelta(); How long from last_checked_ok
248
until this client is disabled
193
until this client is invalid
249
194
interval: datetime.timedelta(); How often to start a new checker
250
195
disable_hook: If set, called by disable() as disable_hook(self)
251
196
checker: subprocess.Popen(); a running checker process used
252
197
to see if the client lives.
253
198
'None' if no process is running.
254
199
checker_initiator_tag: a gobject event source tag, or None
255
disable_initiator_tag: - '' -
200
disable_initiator_tag: - '' -
256
201
checker_callback_tag: - '' -
257
202
checker_command: string; External command which is run to check if
258
203
client lives. %() expansions are done at
259
204
runtime with vars(self) as dict, so that for
260
205
instance %(name)s can be used in the command.
261
current_checker_command: string; current running checker_command
262
approved_delay: datetime.timedelta(); Time to wait for approval
263
_approved: bool(); 'None' if not yet approved/disapproved
264
approved_duration: datetime.timedelta(); Duration of one approval
206
use_dbus: bool(); Whether to provide D-Bus interface and signals
207
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
265
208
"""
266
267
@staticmethod
268
def _timedelta_to_milliseconds(td):
269
"Convert a datetime.timedelta() to milliseconds"
270
return ((td.days * 24 * 60 * 60 * 1000)
271
+ (td.seconds * 1000)
272
+ (td.microseconds // 1000))
273
274
209
def timeout_milliseconds(self):
275
210
"Return the 'timeout' attribute in milliseconds"
276
return self._timedelta_to_milliseconds(self.timeout)
211
return ((self.timeout.days * 24 * 60 * 60 * 1000)
212
+ (self.timeout.seconds * 1000)
213
+ (self.timeout.microseconds // 1000))
277
214
278
215
def interval_milliseconds(self):
279
216
"Return the 'interval' attribute in milliseconds"
280
return self._timedelta_to_milliseconds(self.interval)
281
282
def approved_delay_milliseconds(self):
283
return self._timedelta_to_milliseconds(self.approved_delay)
217
return ((self.interval.days * 24 * 60 * 60 * 1000)
218
+ (self.interval.seconds * 1000)
219
+ (self.interval.microseconds // 1000))
284
220
285
def __init__(self, name = None, disable_hook=None, config=None):
221
def __init__(self, name = None, disable_hook=None, config=None,
222
use_dbus=True):
286
223
"""Note: the 'checker' key in 'config' sets the
287
224
'checker_command' attribute and *not* the 'checker'
288
225
attribute."""
290
227
if config is None:
291
228
config = {}
292
229
logger.debug(u"Creating client %r", self.name)
230
self.use_dbus = False # During __init__
293
231
# Uppercase and remove spaces from fingerprint for later
294
232
# comparison purposes with return value from the fingerprint()
295
233
# function
296
self.fingerprint = (config[u"fingerprint"].upper()
234
self.fingerprint = (config["fingerprint"].upper()
297
235
.replace(u" ", u""))
298
236
logger.debug(u" Fingerprint: %s", self.fingerprint)
299
if u"secret" in config:
300
self.secret = config[u"secret"].decode(u"base64")
301
elif u"secfile" in config:
302
with open(os.path.expanduser(os.path.expandvars
303
(config[u"secfile"])),
304
"rb") as secfile:
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
240
with closing(open(os.path.expanduser
241
(os.path.expandvars
242
(config["secfile"])))) as secfile:
305
243
self.secret = secfile.read()
306
244
else:
307
245
raise TypeError(u"No secret or secfile for client %s"
308
246
% self.name)
309
self.host = config.get(u"host", u"")
247
self.host = config.get("host", "")
310
248
self.created = datetime.datetime.utcnow()
311
249
self.enabled = False
312
250
self.last_enabled = None
313
251
self.last_checked_ok = None
314
self.timeout = string_to_delta(config[u"timeout"])
315
self.interval = string_to_delta(config[u"interval"])
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
316
254
self.disable_hook = disable_hook
317
255
self.checker = None
318
256
self.checker_initiator_tag = None
319
257
self.disable_initiator_tag = None
320
258
self.checker_callback_tag = None
321
self.checker_command = config[u"checker"]
322
self.current_checker_command = None
259
self.checker_command = config["checker"]
323
260
self.last_connect = None
324
self._approved = None
325
self.approved_by_default = config.get(u"approved_by_default",
326
True)
327
self.approvals_pending = 0
328
self.approved_delay = string_to_delta(
329
config[u"approved_delay"])
330
self.approved_duration = string_to_delta(
331
config[u"approved_duration"])
332
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
261
# Only now, when this client is initialized, can it show up on
262
# the D-Bus
263
self.use_dbus = use_dbus
264
if self.use_dbus:
265
self.dbus_object_path = (dbus.ObjectPath
266
("/clients/"
267
+ self.name.replace(".", "_")))
268
dbus.service.Object.__init__(self, bus,
269
self.dbus_object_path)
333
270
334
def send_changedstate(self):
335
self.changedstate.acquire()
336
self.changedstate.notify_all()
337
self.changedstate.release()
338
339
271
def enable(self):
340
272
"""Start this client's checker and timeout hooks"""
341
if getattr(self, u"enabled", False):
342
# Already enabled
343
return
344
self.send_changedstate()
345
273
self.last_enabled = datetime.datetime.utcnow()
346
274
# Schedule a new checker to be started an 'interval' from now,
347
275
# and every interval from then on.
348
276
self.checker_initiator_tag = (gobject.timeout_add
349
277
(self.interval_milliseconds(),
350
278
self.start_checker))
279
# Also start a new checker *right now*.
280
self.start_checker()
351
281
# Schedule a disable() when 'timeout' has passed
352
282
self.disable_initiator_tag = (gobject.timeout_add
353
283
(self.timeout_milliseconds(),
354
284
self.disable))
355
285
self.enabled = True
356
# Also start a new checker *right now*.
357
self.start_checker()
286
if self.use_dbus:
287
# Emit D-Bus signals
288
self.PropertyChanged(dbus.String(u"enabled"),
289
dbus.Boolean(True, variant_level=1))
290
self.PropertyChanged(dbus.String(u"last_enabled"),
291
(_datetime_to_dbus(self.last_enabled,
292
variant_level=1)))
358
293
359
def disable(self, quiet=True):
294
def disable(self):
360
295
"""Disable this client."""
361
296
if not getattr(self, "enabled", False):
362
297
return False
363
if not quiet:
364
self.send_changedstate()
365
if not quiet:
366
logger.info(u"Disabling client %s", self.name)
367
if getattr(self, u"disable_initiator_tag", False):
298
logger.info(u"Disabling client %s", self.name)
299
if getattr(self, "disable_initiator_tag", False):
368
300
gobject.source_remove(self.disable_initiator_tag)
369
301
self.disable_initiator_tag = None
370
if getattr(self, u"checker_initiator_tag", False):
302
if getattr(self, "checker_initiator_tag", False):
371
303
gobject.source_remove(self.checker_initiator_tag)
372
304
self.checker_initiator_tag = None
373
305
self.stop_checker()
374
306
if self.disable_hook:
375
307
self.disable_hook(self)
376
308
self.enabled = False
309
if self.use_dbus:
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"enabled"),
312
dbus.Boolean(False, variant_level=1))
377
313
# Do not run this again if called by a gobject.timeout_add
378
314
return False
379
315
385
321
"""The checker has completed, so take appropriate actions."""
386
322
self.checker_callback_tag = None
387
323
self.checker = None
324
if self.use_dbus:
325
# Emit D-Bus signal
326
self.PropertyChanged(dbus.String(u"checker_running"),
327
dbus.Boolean(False, variant_level=1))
388
328
if os.WIFEXITED(condition):
389
329
exitstatus = os.WEXITSTATUS(condition)
390
330
if exitstatus == 0:
394
334
else:
395
335
logger.info(u"Checker for %(name)s failed",
396
336
vars(self))
337
if self.use_dbus:
338
# Emit D-Bus signal
339
self.CheckerCompleted(dbus.Int16(exitstatus),
340
dbus.Int64(condition),
341
dbus.String(command))
397
342
else:
398
343
logger.warning(u"Checker for %(name)s crashed?",
399
344
vars(self))
345
if self.use_dbus:
346
# Emit D-Bus signal
347
self.CheckerCompleted(dbus.Int16(-1),
348
dbus.Int64(condition),
349
dbus.String(command))
400
350
401
351
def checked_ok(self):
402
352
"""Bump up the timeout for this client.
403
404
353
This should only be called when the client has been seen,
405
354
alive and well.
406
355
"""
409
358
self.disable_initiator_tag = (gobject.timeout_add
410
359
(self.timeout_milliseconds(),
411
360
self.disable))
361
if self.use_dbus:
362
# Emit D-Bus signal
363
self.PropertyChanged(
364
dbus.String(u"last_checked_ok"),
365
(_datetime_to_dbus(self.last_checked_ok,
366
variant_level=1)))
412
367
413
368
def start_checker(self):
414
369
"""Start a new checker subprocess if one is not running.
415
416
370
If a checker already exists, leave it running and do
417
371
nothing."""
418
372
# The reason for not killing a running checker is that if we
421
375
# client would inevitably timeout, since no checker would get
422
376
# a chance to run to completion. If we instead leave running
423
377
# checkers alone, the checker would have to take more time
424
# than 'timeout' for the client to be disabled, which is as it
425
# should be.
426
427
# If a checker exists, make sure it is not a zombie
428
try:
429
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
430
except (AttributeError, OSError), error:
431
if (isinstance(error, OSError)
432
and error.errno != errno.ECHILD):
433
raise error
434
else:
435
if pid:
436
logger.warning(u"Checker was a zombie")
437
gobject.source_remove(self.checker_callback_tag)
438
self.checker_callback(pid, status,
439
self.current_checker_command)
440
# Start a new checker if needed
378
# than 'timeout' for the client to be declared invalid, which
379
# is as it should be.
441
380
if self.checker is None:
442
381
try:
443
382
# In case checker_command has exactly one % operator
444
383
command = self.checker_command % self.host
445
384
except TypeError:
446
385
# Escape attributes for the shell
447
escaped_attrs = dict((key,
448
re.escape(unicode(str(val),
449
errors=
450
u'replace')))
386
escaped_attrs = dict((key, re.escape(str(val)))
451
387
for key, val in
452
388
vars(self).iteritems())
453
389
try:
456
392
logger.error(u'Could not format string "%s":'
457
393
u' %s', self.checker_command, error)
458
394
return True # Try again later
459
self.current_checker_command = command
460
395
try:
461
396
logger.info(u"Starting checker %r for %s",
462
397
command, self.name)
466
401
# always replaced by /dev/null.)
467
402
self.checker = subprocess.Popen(command,
468
403
close_fds=True,
469
shell=True, cwd=u"/")
404
shell=True, cwd="/")
405
if self.use_dbus:
406
# Emit D-Bus signal
407
self.CheckerStarted(command)
408
self.PropertyChanged(
409
dbus.String("checker_running"),
410
dbus.Boolean(True, variant_level=1))
470
411
self.checker_callback_tag = (gobject.child_watch_add
471
412
(self.checker.pid,
472
413
self.checker_callback,
473
414
data=command))
474
# The checker may have completed before the gobject
475
# watch was added. Check for this.
476
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
477
if pid:
478
gobject.source_remove(self.checker_callback_tag)
479
self.checker_callback(pid, status, command)
480
415
except OSError, error:
481
416
logger.error(u"Failed to start subprocess: %s",
482
417
error)
488
423
if self.checker_callback_tag:
489
424
gobject.source_remove(self.checker_callback_tag)
490
425
self.checker_callback_tag = None
491
if getattr(self, u"checker", None) is None:
426
if getattr(self, "checker", None) is None:
492
427
return
493
428
logger.debug(u"Stopping checker for %(name)s", vars(self))
494
429
try:
495
430
os.kill(self.checker.pid, signal.SIGTERM)
496
#time.sleep(0.5)
431
#os.sleep(0.5)
497
432
#if self.checker.poll() is None:
498
433
# os.kill(self.checker.pid, signal.SIGKILL)
499
434
except OSError, error:
500
435
if error.errno != errno.ESRCH: # No such process
501
436
raise
502
437
self.checker = None
503
504
def dbus_service_property(dbus_interface, signature=u"v",
505
access=u"readwrite", byte_arrays=False):
506
"""Decorators for marking methods of a DBusObjectWithProperties to
507
become properties on the D-Bus.
508
509
The decorated method will be called with no arguments by "Get"
510
and with one argument by "Set".
511
512
The parameters, where they are supported, are the same as
513
dbus.service.method, except there is only "signature", since the
514
type from Get() and the type sent to Set() is the same.
515
"""
516
# Encoding deeply encoded byte arrays is not supported yet by the
517
# "Set" method, so we fail early here:
518
if byte_arrays and signature != u"ay":
519
raise ValueError(u"Byte arrays not supported for non-'ay'"
520
u" signature %r" % signature)
521
def decorator(func):
522
func._dbus_is_property = True
523
func._dbus_interface = dbus_interface
524
func._dbus_signature = signature
525
func._dbus_access = access
526
func._dbus_name = func.__name__
527
if func._dbus_name.endswith(u"_dbus_property"):
528
func._dbus_name = func._dbus_name[:-14]
529
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
530
return func
531
return decorator
532
533
534
class DBusPropertyException(dbus.exceptions.DBusException):
535
"""A base class for D-Bus property-related exceptions
536
"""
537
def __unicode__(self):
538
return unicode(str(self))
539
540
541
class DBusPropertyAccessException(DBusPropertyException):
542
"""A property's access permissions disallows an operation.
543
"""
544
pass
545
546
547
class DBusPropertyNotFound(DBusPropertyException):
548
"""An attempt was made to access a non-existing property.
549
"""
550
pass
551
552
553
class DBusObjectWithProperties(dbus.service.Object):
554
"""A D-Bus object with properties.
555
556
Classes inheriting from this can use the dbus_service_property
557
decorator to expose methods as D-Bus properties. It exposes the
558
standard Get(), Set(), and GetAll() methods on the D-Bus.
559
"""
560
561
@staticmethod
562
def _is_dbus_property(obj):
563
return getattr(obj, u"_dbus_is_property", False)
564
565
def _get_all_dbus_properties(self):
566
"""Returns a generator of (name, attribute) pairs
567
"""
568
return ((prop._dbus_name, prop)
569
for name, prop in
570
inspect.getmembers(self, self._is_dbus_property))
571
572
def _get_dbus_property(self, interface_name, property_name):
573
"""Returns a bound method if one exists which is a D-Bus
574
property with the specified name and interface.
575
"""
576
for name in (property_name,
577
property_name + u"_dbus_property"):
578
prop = getattr(self, name, None)
579
if (prop is None
580
or not self._is_dbus_property(prop)
581
or prop._dbus_name != property_name
582
or (interface_name and prop._dbus_interface
583
and interface_name != prop._dbus_interface)):
584
continue
585
return prop
586
# No such property
587
raise DBusPropertyNotFound(self.dbus_object_path + u":"
588
+ interface_name + u"."
589
+ property_name)
590
591
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
592
out_signature=u"v")
593
def Get(self, interface_name, property_name):
594
"""Standard D-Bus property Get() method, see D-Bus standard.
595
"""
596
prop = self._get_dbus_property(interface_name, property_name)
597
if prop._dbus_access == u"write":
598
raise DBusPropertyAccessException(property_name)
599
value = prop()
600
if not hasattr(value, u"variant_level"):
601
return value
602
return type(value)(value, variant_level=value.variant_level+1)
603
604
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
605
def Set(self, interface_name, property_name, value):
606
"""Standard D-Bus property Set() method, see D-Bus standard.
607
"""
608
prop = self._get_dbus_property(interface_name, property_name)
609
if prop._dbus_access == u"read":
610
raise DBusPropertyAccessException(property_name)
611
if prop._dbus_get_args_options[u"byte_arrays"]:
612
# The byte_arrays option is not supported yet on
613
# signatures other than "ay".
614
if prop._dbus_signature != u"ay":
615
raise ValueError
616
value = dbus.ByteArray(''.join(unichr(byte)
617
for byte in value))
618
prop(value)
619
620
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
621
out_signature=u"a{sv}")
622
def GetAll(self, interface_name):
623
"""Standard D-Bus property GetAll() method, see D-Bus
624
standard.
625
626
Note: Will not include properties with access="write".
627
"""
628
all = {}
629
for name, prop in self._get_all_dbus_properties():
630
if (interface_name
631
and interface_name != prop._dbus_interface):
632
# Interface non-empty but did not match
633
continue
634
# Ignore write-only properties
635
if prop._dbus_access == u"write":
636
continue
637
value = prop()
638
if not hasattr(value, u"variant_level"):
639
all[name] = value
640
continue
641
all[name] = type(value)(value, variant_level=
642
value.variant_level+1)
643
return dbus.Dictionary(all, signature=u"sv")
644
645
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
646
out_signature=u"s",
647
path_keyword='object_path',
648
connection_keyword='connection')
649
def Introspect(self, object_path, connection):
650
"""Standard D-Bus method, overloaded to insert property tags.
651
"""
652
xmlstring = dbus.service.Object.Introspect(self, object_path,
653
connection)
654
try:
655
document = xml.dom.minidom.parseString(xmlstring)
656
def make_tag(document, name, prop):
657
e = document.createElement(u"property")
658
e.setAttribute(u"name", name)
659
e.setAttribute(u"type", prop._dbus_signature)
660
e.setAttribute(u"access", prop._dbus_access)
661
return e
662
for if_tag in document.getElementsByTagName(u"interface"):
663
for tag in (make_tag(document, name, prop)
664
for name, prop
665
in self._get_all_dbus_properties()
666
if prop._dbus_interface
667
== if_tag.getAttribute(u"name")):
668
if_tag.appendChild(tag)
669
# Add the names to the return values for the
670
# "org.freedesktop.DBus.Properties" methods
671
if (if_tag.getAttribute(u"name")
672
== u"org.freedesktop.DBus.Properties"):
673
for cn in if_tag.getElementsByTagName(u"method"):
674
if cn.getAttribute(u"name") == u"Get":
675
for arg in cn.getElementsByTagName(u"arg"):
676
if (arg.getAttribute(u"direction")
677
== u"out"):
678
arg.setAttribute(u"name", u"value")
679
elif cn.getAttribute(u"name") == u"GetAll":
680
for arg in cn.getElementsByTagName(u"arg"):
681
if (arg.getAttribute(u"direction")
682
== u"out"):
683
arg.setAttribute(u"name", u"props")
684
xmlstring = document.toxml(u"utf-8")
685
document.unlink()
686
except (AttributeError, xml.dom.DOMException,
687
xml.parsers.expat.ExpatError), error:
688
logger.error(u"Failed to override Introspection method",
689
error)
690
return xmlstring
691
692
693
class ClientDBus(Client, DBusObjectWithProperties):
694
"""A Client class using D-Bus
695
696
Attributes:
697
dbus_object_path: dbus.ObjectPath
698
bus: dbus.SystemBus()
699
"""
700
# dbus.service.Object doesn't use super(), so we can't either.
701
702
def __init__(self, bus = None, *args, **kwargs):
703
self._approvals_pending = 0
704
self.bus = bus
705
Client.__init__(self, *args, **kwargs)
706
# Only now, when this client is initialized, can it show up on
707
# the D-Bus
708
self.dbus_object_path = (dbus.ObjectPath
709
(u"/clients/"
710
+ self.name.replace(u".", u"_")))
711
DBusObjectWithProperties.__init__(self, self.bus,
712
self.dbus_object_path)
713
714
def _get_approvals_pending(self):
715
return self._approvals_pending
716
def _set_approvals_pending(self, value):
717
old_value = self._approvals_pending
718
self._approvals_pending = value
719
bval = bool(value)
720
if (hasattr(self, "dbus_object_path")
721
and bval is not bool(old_value)):
722
dbus_bool = dbus.Boolean(bval, variant_level=1)
723
self.PropertyChanged(dbus.String(u"approved_pending"),
724
dbus_bool)
725
726
approvals_pending = property(_get_approvals_pending,
727
_set_approvals_pending)
728
del _get_approvals_pending, _set_approvals_pending
729
730
@staticmethod
731
def _datetime_to_dbus(dt, variant_level=0):
732
"""Convert a UTC datetime.datetime() to a D-Bus type."""
733
return dbus.String(dt.isoformat(),
734
variant_level=variant_level)
735
736
def enable(self):
737
oldstate = getattr(self, u"enabled", False)
738
r = Client.enable(self)
739
if oldstate != self.enabled:
740
# Emit D-Bus signals
741
self.PropertyChanged(dbus.String(u"enabled"),
742
dbus.Boolean(True, variant_level=1))
743
self.PropertyChanged(
744
dbus.String(u"last_enabled"),
745
self._datetime_to_dbus(self.last_enabled,
746
variant_level=1))
747
return r
748
749
def disable(self, quiet = False):
750
oldstate = getattr(self, u"enabled", False)
751
r = Client.disable(self, quiet=quiet)
752
if not quiet and oldstate != self.enabled:
753
# Emit D-Bus signal
754
self.PropertyChanged(dbus.String(u"enabled"),
755
dbus.Boolean(False, variant_level=1))
756
return r
757
758
def __del__(self, *args, **kwargs):
759
try:
760
self.remove_from_connection()
761
except LookupError:
762
pass
763
if hasattr(DBusObjectWithProperties, u"__del__"):
764
DBusObjectWithProperties.__del__(self, *args, **kwargs)
765
Client.__del__(self, *args, **kwargs)
766
767
def checker_callback(self, pid, condition, command,
768
*args, **kwargs):
769
self.checker_callback_tag = None
770
self.checker = None
771
# Emit D-Bus signal
772
self.PropertyChanged(dbus.String(u"checker_running"),
773
dbus.Boolean(False, variant_level=1))
774
if os.WIFEXITED(condition):
775
exitstatus = os.WEXITSTATUS(condition)
776
# Emit D-Bus signal
777
self.CheckerCompleted(dbus.Int16(exitstatus),
778
dbus.Int64(condition),
779
dbus.String(command))
780
else:
781
# Emit D-Bus signal
782
self.CheckerCompleted(dbus.Int16(-1),
783
dbus.Int64(condition),
784
dbus.String(command))
785
786
return Client.checker_callback(self, pid, condition, command,
787
*args, **kwargs)
788
789
def checked_ok(self, *args, **kwargs):
790
r = Client.checked_ok(self, *args, **kwargs)
791
# Emit D-Bus signal
792
self.PropertyChanged(
793
dbus.String(u"last_checked_ok"),
794
(self._datetime_to_dbus(self.last_checked_ok,
795
variant_level=1)))
796
return r
797
798
def start_checker(self, *args, **kwargs):
799
old_checker = self.checker
800
if self.checker is not None:
801
old_checker_pid = self.checker.pid
802
else:
803
old_checker_pid = None
804
r = Client.start_checker(self, *args, **kwargs)
805
# Only if new checker process was started
806
if (self.checker is not None
807
and old_checker_pid != self.checker.pid):
808
# Emit D-Bus signal
809
self.CheckerStarted(self.current_checker_command)
810
self.PropertyChanged(
811
dbus.String(u"checker_running"),
812
dbus.Boolean(True, variant_level=1))
813
return r
814
815
def stop_checker(self, *args, **kwargs):
816
old_checker = getattr(self, u"checker", None)
817
r = Client.stop_checker(self, *args, **kwargs)
818
if (old_checker is not None
819
and getattr(self, u"checker", None) is None):
438
if self.use_dbus:
820
439
self.PropertyChanged(dbus.String(u"checker_running"),
821
440
dbus.Boolean(False, variant_level=1))
822
return r
823
824
def _reset_approved(self):
825
self._approved = None
826
return False
827
828
def approve(self, value=True):
829
self.send_changedstate()
830
self._approved = value
831
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
832
self._reset_approved)
833
834
835
## D-Bus methods, signals & properties
441
442
def still_valid(self):
443
"""Has the timeout not yet passed for this client?"""
444
if not getattr(self, "enabled", False):
445
return False
446
now = datetime.datetime.utcnow()
447
if self.last_checked_ok is None:
448
return now < (self.created + self.timeout)
449
else:
450
return now < (self.last_checked_ok + self.timeout)
451
452
## D-Bus methods & signals
836
453
_interface = u"se.bsnet.fukt.Mandos.Client"
837
454
838
## Signals
455
# CheckedOK - method
456
CheckedOK = dbus.service.method(_interface)(checked_ok)
457
CheckedOK.__name__ = "CheckedOK"
839
458
840
459
# CheckerCompleted - signal
841
@dbus.service.signal(_interface, signature=u"nxs")
460
@dbus.service.signal(_interface, signature="nxs")
842
461
def CheckerCompleted(self, exitcode, waitstatus, command):
843
462
"D-Bus signal"
844
463
pass
845
464
846
465
# CheckerStarted - signal
847
@dbus.service.signal(_interface, signature=u"s")
466
@dbus.service.signal(_interface, signature="s")
848
467
def CheckerStarted(self, command):
849
468
"D-Bus signal"
850
469
pass
851
470
471
# GetAllProperties - method
472
@dbus.service.method(_interface, out_signature="a{sv}")
473
def GetAllProperties(self):
474
"D-Bus method"
475
return dbus.Dictionary({
476
dbus.String("name"):
477
dbus.String(self.name, variant_level=1),
478
dbus.String("fingerprint"):
479
dbus.String(self.fingerprint, variant_level=1),
480
dbus.String("host"):
481
dbus.String(self.host, variant_level=1),
482
dbus.String("created"):
483
_datetime_to_dbus(self.created, variant_level=1),
484
dbus.String("last_enabled"):
485
(_datetime_to_dbus(self.last_enabled,
486
variant_level=1)
487
if self.last_enabled is not None
488
else dbus.Boolean(False, variant_level=1)),
489
dbus.String("enabled"):
490
dbus.Boolean(self.enabled, variant_level=1),
491
dbus.String("last_checked_ok"):
492
(_datetime_to_dbus(self.last_checked_ok,
493
variant_level=1)
494
if self.last_checked_ok is not None
495
else dbus.Boolean (False, variant_level=1)),
496
dbus.String("timeout"):
497
dbus.UInt64(self.timeout_milliseconds(),
498
variant_level=1),
499
dbus.String("interval"):
500
dbus.UInt64(self.interval_milliseconds(),
501
variant_level=1),
502
dbus.String("checker"):
503
dbus.String(self.checker_command,
504
variant_level=1),
505
dbus.String("checker_running"):
506
dbus.Boolean(self.checker is not None,
507
variant_level=1),
508
dbus.String("object_path"):
509
dbus.ObjectPath(self.dbus_object_path,
510
variant_level=1)
511
}, signature="sv")
512
513
# IsStillValid - method
514
IsStillValid = (dbus.service.method(_interface, out_signature="b")
515
(still_valid))
516
IsStillValid.__name__ = "IsStillValid"
517
852
518
# PropertyChanged - signal
853
@dbus.service.signal(_interface, signature=u"sv")
519
@dbus.service.signal(_interface, signature="sv")
854
520
def PropertyChanged(self, property, value):
855
521
"D-Bus signal"
856
522
pass
857
523
858
# GotSecret - signal
859
@dbus.service.signal(_interface)
860
def GotSecret(self):
861
"""D-Bus signal
862
Is sent after a successful transfer of secret from the Mandos
863
server to mandos-client
864
"""
865
pass
866
867
# Rejected - signal
868
@dbus.service.signal(_interface, signature=u"s")
869
def Rejected(self, reason):
870
"D-Bus signal"
871
pass
872
873
# NeedApproval - signal
874
@dbus.service.signal(_interface, signature=u"db")
875
def NeedApproval(self, timeout, default):
876
"D-Bus signal"
877
pass
878
879
## Methods
880
881
# Approve - method
882
@dbus.service.method(_interface, in_signature=u"b")
883
def Approve(self, value):
884
self.approve(value)
885
886
# CheckedOK - method
887
@dbus.service.method(_interface)
888
def CheckedOK(self):
889
return self.checked_ok()
524
# SetChecker - method
525
@dbus.service.method(_interface, in_signature="s")
526
def SetChecker(self, checker):
527
"D-Bus setter method"
528
self.checker_command = checker
529
# Emit D-Bus signal
530
self.PropertyChanged(dbus.String(u"checker"),
531
dbus.String(self.checker_command,
532
variant_level=1))
533
534
# SetHost - method
535
@dbus.service.method(_interface, in_signature="s")
536
def SetHost(self, host):
537
"D-Bus setter method"
538
self.host = host
539
# Emit D-Bus signal
540
self.PropertyChanged(dbus.String(u"host"),
541
dbus.String(self.host, variant_level=1))
542
543
# SetInterval - method
544
@dbus.service.method(_interface, in_signature="t")
545
def SetInterval(self, milliseconds):
546
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
547
# Emit D-Bus signal
548
self.PropertyChanged(dbus.String(u"interval"),
549
(dbus.UInt64(self.interval_milliseconds(),
550
variant_level=1)))
551
552
# SetSecret - method
553
@dbus.service.method(_interface, in_signature="ay",
554
byte_arrays=True)
555
def SetSecret(self, secret):
556
"D-Bus setter method"
557
self.secret = str(secret)
558
559
# SetTimeout - method
560
@dbus.service.method(_interface, in_signature="t")
561
def SetTimeout(self, milliseconds):
562
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
563
# Emit D-Bus signal
564
self.PropertyChanged(dbus.String(u"timeout"),
565
(dbus.UInt64(self.timeout_milliseconds(),
566
variant_level=1)))
890
567
891
568
# Enable - method
892
@dbus.service.method(_interface)
893
def Enable(self):
894
"D-Bus method"
895
self.enable()
569
Enable = dbus.service.method(_interface)(enable)
570
Enable.__name__ = "Enable"
896
571
897
572
# StartChecker - method
898
573
@dbus.service.method(_interface)
907
582
self.disable()
908
583
909
584
# StopChecker - method
910
@dbus.service.method(_interface)
911
def StopChecker(self):
912
self.stop_checker()
913
914
## Properties
915
916
# approved_pending - property
917
@dbus_service_property(_interface, signature=u"b", access=u"read")
918
def approved_pending_dbus_property(self):
919
return dbus.Boolean(bool(self.approvals_pending))
920
921
# approved_by_default - property
922
@dbus_service_property(_interface, signature=u"b",
923
access=u"readwrite")
924
def approved_by_default_dbus_property(self):
925
return dbus.Boolean(self.approved_by_default)
926
927
# approved_delay - property
928
@dbus_service_property(_interface, signature=u"t",
929
access=u"readwrite")
930
def approved_delay_dbus_property(self):
931
return dbus.UInt64(self.approved_delay_milliseconds())
932
933
# approved_duration - property
934
@dbus_service_property(_interface, signature=u"t",
935
access=u"readwrite")
936
def approved_duration_dbus_property(self):
937
return dbus.UInt64(self._timedelta_to_milliseconds(
938
self.approved_duration))
939
940
# name - property
941
@dbus_service_property(_interface, signature=u"s", access=u"read")
942
def name_dbus_property(self):
943
return dbus.String(self.name)
944
945
# fingerprint - property
946
@dbus_service_property(_interface, signature=u"s", access=u"read")
947
def fingerprint_dbus_property(self):
948
return dbus.String(self.fingerprint)
949
950
# host - property
951
@dbus_service_property(_interface, signature=u"s",
952
access=u"readwrite")
953
def host_dbus_property(self, value=None):
954
if value is None: # get
955
return dbus.String(self.host)
956
self.host = value
957
# Emit D-Bus signal
958
self.PropertyChanged(dbus.String(u"host"),
959
dbus.String(value, variant_level=1))
960
961
# created - property
962
@dbus_service_property(_interface, signature=u"s", access=u"read")
963
def created_dbus_property(self):
964
return dbus.String(self._datetime_to_dbus(self.created))
965
966
# last_enabled - property
967
@dbus_service_property(_interface, signature=u"s", access=u"read")
968
def last_enabled_dbus_property(self):
969
if self.last_enabled is None:
970
return dbus.String(u"")
971
return dbus.String(self._datetime_to_dbus(self.last_enabled))
972
973
# enabled - property
974
@dbus_service_property(_interface, signature=u"b",
975
access=u"readwrite")
976
def enabled_dbus_property(self, value=None):
977
if value is None: # get
978
return dbus.Boolean(self.enabled)
979
if value:
980
self.enable()
981
else:
982
self.disable()
983
984
# last_checked_ok - property
985
@dbus_service_property(_interface, signature=u"s",
986
access=u"readwrite")
987
def last_checked_ok_dbus_property(self, value=None):
988
if value is not None:
989
self.checked_ok()
990
return
991
if self.last_checked_ok is None:
992
return dbus.String(u"")
993
return dbus.String(self._datetime_to_dbus(self
994
.last_checked_ok))
995
996
# timeout - property
997
@dbus_service_property(_interface, signature=u"t",
998
access=u"readwrite")
999
def timeout_dbus_property(self, value=None):
1000
if value is None: # get
1001
return dbus.UInt64(self.timeout_milliseconds())
1002
self.timeout = datetime.timedelta(0, 0, 0, value)
1003
# Emit D-Bus signal
1004
self.PropertyChanged(dbus.String(u"timeout"),
1005
dbus.UInt64(value, variant_level=1))
1006
if getattr(self, u"disable_initiator_tag", None) is None:
1007
return
1008
# Reschedule timeout
1009
gobject.source_remove(self.disable_initiator_tag)
1010
self.disable_initiator_tag = None
1011
time_to_die = (self.
1012
_timedelta_to_milliseconds((self
1013
.last_checked_ok
1014
+ self.timeout)
1015
- datetime.datetime
1016
.utcnow()))
1017
if time_to_die <= 0:
1018
# The timeout has passed
1019
self.disable()
1020
else:
1021
self.disable_initiator_tag = (gobject.timeout_add
1022
(time_to_die, self.disable))
1023
1024
# interval - property
1025
@dbus_service_property(_interface, signature=u"t",
1026
access=u"readwrite")
1027
def interval_dbus_property(self, value=None):
1028
if value is None: # get
1029
return dbus.UInt64(self.interval_milliseconds())
1030
self.interval = datetime.timedelta(0, 0, 0, value)
1031
# Emit D-Bus signal
1032
self.PropertyChanged(dbus.String(u"interval"),
1033
dbus.UInt64(value, variant_level=1))
1034
if getattr(self, u"checker_initiator_tag", None) is None:
1035
return
1036
# Reschedule checker run
1037
gobject.source_remove(self.checker_initiator_tag)
1038
self.checker_initiator_tag = (gobject.timeout_add
1039
(value, self.start_checker))
1040
self.start_checker() # Start one now, too
1041
1042
# checker - property
1043
@dbus_service_property(_interface, signature=u"s",
1044
access=u"readwrite")
1045
def checker_dbus_property(self, value=None):
1046
if value is None: # get
1047
return dbus.String(self.checker_command)
1048
self.checker_command = value
1049
# Emit D-Bus signal
1050
self.PropertyChanged(dbus.String(u"checker"),
1051
dbus.String(self.checker_command,
1052
variant_level=1))
1053
1054
# checker_running - property
1055
@dbus_service_property(_interface, signature=u"b",
1056
access=u"readwrite")
1057
def checker_running_dbus_property(self, value=None):
1058
if value is None: # get
1059
return dbus.Boolean(self.checker is not None)
1060
if value:
1061
self.start_checker()
1062
else:
1063
self.stop_checker()
1064
1065
# object_path - property
1066
@dbus_service_property(_interface, signature=u"o", access=u"read")
1067
def object_path_dbus_property(self):
1068
return self.dbus_object_path # is already a dbus.ObjectPath
1069
1070
# secret = property
1071
@dbus_service_property(_interface, signature=u"ay",
1072
access=u"write", byte_arrays=True)
1073
def secret_dbus_property(self, value):
1074
self.secret = str(value)
585
StopChecker = dbus.service.method(_interface)(stop_checker)
586
StopChecker.__name__ = "StopChecker"
1075
587
1076
588
del _interface
1077
589
1078
590
1079
class ProxyClient(object):
1080
def __init__(self, child_pipe, fpr, address):
1081
self._pipe = child_pipe
1082
self._pipe.send(('init', fpr, address))
1083
if not self._pipe.recv():
1084
raise KeyError()
1085
1086
def __getattribute__(self, name):
1087
if(name == '_pipe'):
1088
return super(ProxyClient, self).__getattribute__(name)
1089
self._pipe.send(('getattr', name))
1090
data = self._pipe.recv()
1091
if data[0] == 'data':
1092
return data[1]
1093
if data[0] == 'function':
1094
def func(*args, **kwargs):
1095
self._pipe.send(('funcall', name, args, kwargs))
1096
return self._pipe.recv()[1]
1097
return func
1098
1099
def __setattr__(self, name, value):
1100
if(name == '_pipe'):
1101
return super(ProxyClient, self).__setattr__(name, value)
1102
self._pipe.send(('setattr', name, value))
1103
1104
1105
class ClientHandler(socketserver.BaseRequestHandler, object):
1106
"""A class to handle client connections.
1107
1108
Instantiated once for each connection to handle it.
591
def peer_certificate(session):
592
"Return the peer's OpenPGP certificate as a bytestring"
593
# If not an OpenPGP certificate...
594
if (gnutls.library.functions
595
.gnutls_certificate_type_get(session._c_object)
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
597
# ...do the normal thing
598
return session.peer_certificate
599
list_size = ctypes.c_uint(1)
600
cert_list = (gnutls.library.functions
601
.gnutls_certificate_get_peers
602
(session._c_object, ctypes.byref(list_size)))
603
if not bool(cert_list) and list_size.value != 0:
604
raise gnutls.errors.GNUTLSError("error getting peer"
605
" certificate")
606
if list_size.value == 0:
607
return None
608
cert = cert_list[0]
609
return ctypes.string_at(cert.data, cert.size)
610
611
612
def fingerprint(openpgp):
613
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
614
# New GnuTLS "datum" with the OpenPGP public key
615
datum = (gnutls.library.types
616
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
617
ctypes.POINTER
618
(ctypes.c_ubyte)),
619
ctypes.c_uint(len(openpgp))))
620
# New empty GnuTLS certificate
621
crt = gnutls.library.types.gnutls_openpgp_crt_t()
622
(gnutls.library.functions
623
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
624
# Import the OpenPGP public key into the certificate
625
(gnutls.library.functions
626
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
627
gnutls.library.constants
628
.GNUTLS_OPENPGP_FMT_RAW))
629
# Verify the self signature in the key
630
crtverify = ctypes.c_uint()
631
(gnutls.library.functions
632
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
633
if crtverify.value != 0:
634
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
635
raise gnutls.errors.CertificateSecurityError("Verify failed")
636
# New buffer for the fingerprint
637
buf = ctypes.create_string_buffer(20)
638
buf_len = ctypes.c_size_t()
639
# Get the fingerprint from the certificate into the buffer
640
(gnutls.library.functions
641
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
642
ctypes.byref(buf_len)))
643
# Deinit the certificate
644
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
645
# Convert the buffer to a Python bytestring
646
fpr = ctypes.string_at(buf, buf_len.value)
647
# Convert the bytestring to hexadecimal notation
648
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
649
return hex_fpr
650
651
652
class TCP_handler(SocketServer.BaseRequestHandler, object):
653
"""A TCP request handler class.
654
Instantiated by IPv6_TCPServer for each request to handle it.
1109
655
Note: This will run in its own forked process."""
1110
656
1111
657
def handle(self):
1112
with contextlib.closing(self.server.child_pipe) as child_pipe:
1113
logger.info(u"TCP connection from: %s",
1114
unicode(self.client_address))
1115
logger.debug(u"Pipe FD: %d",
1116
self.server.child_pipe.fileno())
1117
1118
session = (gnutls.connection
1119
.ClientSession(self.request,
1120
gnutls.connection
1121
.X509Credentials()))
1122
1123
# Note: gnutls.connection.X509Credentials is really a
1124
# generic GnuTLS certificate credentials object so long as
1125
# no X.509 keys are added to it. Therefore, we can use it
1126
# here despite using OpenPGP certificates.
1127
1128
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1129
# u"+AES-256-CBC", u"+SHA1",
1130
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1131
# u"+DHE-DSS"))
1132
# Use a fallback default, since this MUST be set.
1133
priority = self.server.gnutls_priority
1134
if priority is None:
1135
priority = u"NORMAL"
1136
(gnutls.library.functions
1137
.gnutls_priority_set_direct(session._c_object,
1138
priority, None))
1139
1140
# Start communication using the Mandos protocol
1141
# Get protocol number
1142
line = self.request.makefile().readline()
1143
logger.debug(u"Protocol version: %r", line)
1144
try:
1145
if int(line.strip().split()[0]) > 1:
1146
raise RuntimeError
1147
except (ValueError, IndexError, RuntimeError), error:
1148
logger.error(u"Unknown protocol version: %s", error)
1149
return
1150
1151
# Start GnuTLS connection
1152
try:
1153
session.handshake()
1154
except gnutls.errors.GNUTLSError, error:
1155
logger.warning(u"Handshake failed: %s", error)
1156
# Do not run session.bye() here: the session is not
1157
# established. Just abandon the request.
1158
return
1159
logger.debug(u"Handshake succeeded")
1160
1161
approval_required = False
1162
try:
1163
try:
1164
fpr = self.fingerprint(self.peer_certificate
1165
(session))
1166
except (TypeError, gnutls.errors.GNUTLSError), error:
1167
logger.warning(u"Bad certificate: %s", error)
1168
return
1169
logger.debug(u"Fingerprint: %s", fpr)
1170
1171
try:
1172
client = ProxyClient(child_pipe, fpr,
1173
self.client_address)
1174
except KeyError:
1175
return
1176
1177
if client.approved_delay:
1178
delay = client.approved_delay
1179
client.approvals_pending += 1
1180
approval_required = True
1181
1182
while True:
1183
if not client.enabled:
1184
logger.warning(u"Client %s is disabled",
1185
client.name)
1186
if self.server.use_dbus:
1187
# Emit D-Bus signal
1188
client.Rejected("Disabled")
1189
return
1190
1191
if client._approved or not client.approved_delay:
1192
#We are approved or approval is disabled
1193
break
1194
elif client._approved is None:
1195
logger.info(u"Client %s need approval",
1196
client.name)
1197
if self.server.use_dbus:
1198
# Emit D-Bus signal
1199
client.NeedApproval(
1200
client.approved_delay_milliseconds(),
1201
client.approved_by_default)
1202
else:
1203
logger.warning(u"Client %s was not approved",
1204
client.name)
1205
if self.server.use_dbus:
1206
# Emit D-Bus signal
1207
client.Rejected("Disapproved")
1208
return
1209
1210
#wait until timeout or approved
1211
#x = float(client._timedelta_to_milliseconds(delay))
1212
time = datetime.datetime.now()
1213
client.changedstate.acquire()
1214
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1215
client.changedstate.release()
1216
time2 = datetime.datetime.now()
1217
if (time2 - time) >= delay:
1218
if not client.approved_by_default:
1219
logger.warning("Client %s timed out while"
1220
" waiting for approval",
1221
client.name)
1222
if self.server.use_dbus:
1223
# Emit D-Bus signal
1224
client.Rejected("Time out")
1225
return
1226
else:
1227
break
1228
else:
1229
delay -= time2 - time
1230
1231
sent_size = 0
1232
while sent_size < len(client.secret):
1233
try:
1234
sent = session.send(client.secret[sent_size:])
1235
except (gnutls.errors.GNUTLSError), error:
1236
logger.warning("gnutls send failed")
1237
return
1238
logger.debug(u"Sent: %d, remaining: %d",
1239
sent, len(client.secret)
1240
- (sent_size + sent))
1241
sent_size += sent
1242
1243
logger.info(u"Sending secret to %s", client.name)
1244
# bump the timeout as if seen
1245
client.checked_ok()
1246
if self.server.use_dbus:
1247
# Emit D-Bus signal
1248
client.GotSecret()
1249
1250
finally:
1251
if approval_required:
1252
client.approvals_pending -= 1
1253
try:
1254
session.bye()
1255
except (gnutls.errors.GNUTLSError), error:
1256
logger.warning("gnutls bye failed")
1257
1258
@staticmethod
1259
def peer_certificate(session):
1260
"Return the peer's OpenPGP certificate as a bytestring"
1261
# If not an OpenPGP certificate...
1262
if (gnutls.library.functions
1263
.gnutls_certificate_type_get(session._c_object)
1264
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1265
# ...do the normal thing
1266
return session.peer_certificate
1267
list_size = ctypes.c_uint(1)
1268
cert_list = (gnutls.library.functions
1269
.gnutls_certificate_get_peers
1270
(session._c_object, ctypes.byref(list_size)))
1271
if not bool(cert_list) and list_size.value != 0:
1272
raise gnutls.errors.GNUTLSError(u"error getting peer"
1273
u" certificate")
1274
if list_size.value == 0:
1275
return None
1276
cert = cert_list[0]
1277
return ctypes.string_at(cert.data, cert.size)
1278
1279
@staticmethod
1280
def fingerprint(openpgp):
1281
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1282
# New GnuTLS "datum" with the OpenPGP public key
1283
datum = (gnutls.library.types
1284
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1285
ctypes.POINTER
1286
(ctypes.c_ubyte)),
1287
ctypes.c_uint(len(openpgp))))
1288
# New empty GnuTLS certificate
1289
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1290
(gnutls.library.functions
1291
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1292
# Import the OpenPGP public key into the certificate
1293
(gnutls.library.functions
1294
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1295
gnutls.library.constants
1296
.GNUTLS_OPENPGP_FMT_RAW))
1297
# Verify the self signature in the key
1298
crtverify = ctypes.c_uint()
1299
(gnutls.library.functions
1300
.gnutls_openpgp_crt_verify_self(crt, 0,
1301
ctypes.byref(crtverify)))
1302
if crtverify.value != 0:
1303
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1304
raise (gnutls.errors.CertificateSecurityError
1305
(u"Verify failed"))
1306
# New buffer for the fingerprint
1307
buf = ctypes.create_string_buffer(20)
1308
buf_len = ctypes.c_size_t()
1309
# Get the fingerprint from the certificate into the buffer
1310
(gnutls.library.functions
1311
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1312
ctypes.byref(buf_len)))
1313
# Deinit the certificate
1314
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1315
# Convert the buffer to a Python bytestring
1316
fpr = ctypes.string_at(buf, buf_len.value)
1317
# Convert the bytestring to hexadecimal notation
1318
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1319
return hex_fpr
1320
1321
1322
class MultiprocessingMixIn(object):
1323
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1324
def sub_process_main(self, request, address):
1325
try:
1326
self.finish_request(request, address)
1327
except:
1328
self.handle_error(request, address)
1329
self.close_request(request)
1330
1331
def process_request(self, request, address):
1332
"""Start a new process to process the request."""
1333
multiprocessing.Process(target = self.sub_process_main,
1334
args = (request, address)).start()
1335
1336
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1337
""" adds a pipe to the MixIn """
1338
def process_request(self, request, client_address):
1339
"""Overrides and wraps the original process_request().
1340
1341
This function creates a new pipe in self.pipe
1342
"""
1343
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1344
1345
super(MultiprocessingMixInWithPipe,
1346
self).process_request(request, client_address)
1347
self.child_pipe.close()
1348
self.add_pipe(parent_pipe)
1349
1350
def add_pipe(self, parent_pipe):
1351
"""Dummy function; override as necessary"""
1352
pass
1353
1354
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1355
socketserver.TCPServer, object):
1356
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1357
658
logger.info(u"TCP connection from: %s",
659
unicode(self.client_address))
660
session = (gnutls.connection
661
.ClientSession(self.request,
662
gnutls.connection
663
.X509Credentials()))
664
665
line = self.request.makefile().readline()
666
logger.debug(u"Protocol version: %r", line)
667
try:
668
if int(line.strip().split()[0]) > 1:
669
raise RuntimeError
670
except (ValueError, IndexError, RuntimeError), error:
671
logger.error(u"Unknown protocol version: %s", error)
672
return
673
674
# Note: gnutls.connection.X509Credentials is really a generic
675
# GnuTLS certificate credentials object so long as no X.509
676
# keys are added to it. Therefore, we can use it here despite
677
# using OpenPGP certificates.
678
679
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
680
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
681
# "+DHE-DSS"))
682
# Use a fallback default, since this MUST be set.
683
priority = self.server.settings.get("priority", "NORMAL")
684
(gnutls.library.functions
685
.gnutls_priority_set_direct(session._c_object,
686
priority, None))
687
688
try:
689
session.handshake()
690
except gnutls.errors.GNUTLSError, error:
691
logger.warning(u"Handshake failed: %s", error)
692
# Do not run session.bye() here: the session is not
693
# established. Just abandon the request.
694
return
695
logger.debug(u"Handshake succeeded")
696
try:
697
fpr = fingerprint(peer_certificate(session))
698
except (TypeError, gnutls.errors.GNUTLSError), error:
699
logger.warning(u"Bad certificate: %s", error)
700
session.bye()
701
return
702
logger.debug(u"Fingerprint: %s", fpr)
703
704
for c in self.server.clients:
705
if c.fingerprint == fpr:
706
client = c
707
break
708
else:
709
logger.warning(u"Client not found for fingerprint: %s",
710
fpr)
711
session.bye()
712
return
713
# Have to check if client.still_valid(), since it is possible
714
# that the client timed out while establishing the GnuTLS
715
# session.
716
if not client.still_valid():
717
logger.warning(u"Client %(name)s is invalid",
718
vars(client))
719
session.bye()
720
return
721
## This won't work here, since we're in a fork.
722
# client.checked_ok()
723
sent_size = 0
724
while sent_size < len(client.secret):
725
sent = session.send(client.secret[sent_size:])
726
logger.debug(u"Sent: %d, remaining: %d",
727
sent, len(client.secret)
728
- (sent_size + sent))
729
sent_size += sent
730
session.bye()
731
732
733
class IPv6_TCPServer(SocketServer.ForkingMixIn,
734
SocketServer.TCPServer, object):
735
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1358
736
Attributes:
737
settings: Server settings
738
clients: Set() of Client objects
1359
739
enabled: Boolean; whether this server is activated yet
1360
interface: None or a network interface name (string)
1361
use_ipv6: Boolean; to use IPv6 or not
1362
740
"""
1363
def __init__(self, server_address, RequestHandlerClass,
1364
interface=None, use_ipv6=True):
1365
self.interface = interface
1366
if use_ipv6:
1367
self.address_family = socket.AF_INET6
1368
socketserver.TCPServer.__init__(self, server_address,
1369
RequestHandlerClass)
741
address_family = socket.AF_INET6
742
def __init__(self, *args, **kwargs):
743
if "settings" in kwargs:
744
self.settings = kwargs["settings"]
745
del kwargs["settings"]
746
if "clients" in kwargs:
747
self.clients = kwargs["clients"]
748
del kwargs["clients"]
749
self.enabled = False
750
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1370
751
def server_bind(self):
1371
752
"""This overrides the normal server_bind() function
1372
753
to bind to an interface if one was specified, and also NOT to
1373
754
bind to an address or port if they were not specified."""
1374
if self.interface is not None:
1375
if SO_BINDTODEVICE is None:
1376
logger.error(u"SO_BINDTODEVICE does not exist;"
1377
u" cannot bind to interface %s",
1378
self.interface)
1379
else:
1380
try:
1381
self.socket.setsockopt(socket.SOL_SOCKET,
1382
SO_BINDTODEVICE,
1383
str(self.interface
1384
+ u'\0'))
1385
except socket.error, error:
1386
if error[0] == errno.EPERM:
1387
logger.error(u"No permission to"
1388
u" bind to interface %s",
1389
self.interface)
1390
elif error[0] == errno.ENOPROTOOPT:
1391
logger.error(u"SO_BINDTODEVICE not available;"
1392
u" cannot bind to interface %s",
1393
self.interface)
1394
else:
1395
raise
755
if self.settings["interface"]:
756
# 25 is from /usr/include/asm-i486/socket.h
757
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
758
try:
759
self.socket.setsockopt(socket.SOL_SOCKET,
760
SO_BINDTODEVICE,
761
self.settings["interface"])
762
except socket.error, error:
763
if error[0] == errno.EPERM:
764
logger.error(u"No permission to"
765
u" bind to interface %s",
766
self.settings["interface"])
767
else:
768
raise
1396
769
# Only bind(2) the socket if we really need to.
1397
770
if self.server_address[0] or self.server_address[1]:
1398
771
if not self.server_address[0]:
1399
if self.address_family == socket.AF_INET6:
1400
any_address = u"::" # in6addr_any
1401
else:
1402
any_address = socket.INADDR_ANY
1403
self.server_address = (any_address,
772
in6addr_any = "::"
773
self.server_address = (in6addr_any,
1404
774
self.server_address[1])
1405
775
elif not self.server_address[1]:
1406
776
self.server_address = (self.server_address[0],
1407
777
0)
1408
# if self.interface:
778
# if self.settings["interface"]:
1409
779
# self.server_address = (self.server_address[0],
1410
780
# 0, # port
1411
781
# 0, # flowinfo
1412
782
# if_nametoindex
1413
# (self.interface))
1414
return socketserver.TCPServer.server_bind(self)
1415
1416
1417
class MandosServer(IPv6_TCPServer):
1418
"""Mandos server.
1419
1420
Attributes:
1421
clients: set of Client objects
1422
gnutls_priority GnuTLS priority string
1423
use_dbus: Boolean; to emit D-Bus signals or not
1424
1425
Assumes a gobject.MainLoop event loop.
1426
"""
1427
def __init__(self, server_address, RequestHandlerClass,
1428
interface=None, use_ipv6=True, clients=None,
1429
gnutls_priority=None, use_dbus=True):
1430
self.enabled = False
1431
self.clients = clients
1432
if self.clients is None:
1433
self.clients = set()
1434
self.use_dbus = use_dbus
1435
self.gnutls_priority = gnutls_priority
1436
IPv6_TCPServer.__init__(self, server_address,
1437
RequestHandlerClass,
1438
interface = interface,
1439
use_ipv6 = use_ipv6)
783
# (self.settings
784
# ["interface"]))
785
return super(IPv6_TCPServer, self).server_bind()
1440
786
def server_activate(self):
1441
787
if self.enabled:
1442
return socketserver.TCPServer.server_activate(self)
788
return super(IPv6_TCPServer, self).server_activate()
1443
789
def enable(self):
1444
790
self.enabled = True
1445
def add_pipe(self, parent_pipe):
1446
# Call "handle_ipc" for both data and EOF events
1447
gobject.io_add_watch(parent_pipe.fileno(),
1448
gobject.IO_IN | gobject.IO_HUP,
1449
functools.partial(self.handle_ipc,
1450
parent_pipe = parent_pipe))
1451
1452
def handle_ipc(self, source, condition, parent_pipe=None,
1453
client_object=None):
1454
condition_names = {
1455
gobject.IO_IN: u"IN", # There is data to read.
1456
gobject.IO_OUT: u"OUT", # Data can be written (without
1457
# blocking).
1458
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1459
gobject.IO_ERR: u"ERR", # Error condition.
1460
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1461
# broken, usually for pipes and
1462
# sockets).
1463
}
1464
conditions_string = ' | '.join(name
1465
for cond, name in
1466
condition_names.iteritems()
1467
if cond & condition)
1468
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1469
conditions_string)
1470
1471
# error or the other end of multiprocessing.Pipe has closed
1472
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1473
return False
1474
1475
# Read a request from the child
1476
request = parent_pipe.recv()
1477
logger.debug(u"IPC request: %s", repr(request))
1478
command = request[0]
1479
1480
if command == 'init':
1481
fpr = request[1]
1482
address = request[2]
1483
1484
for c in self.clients:
1485
if c.fingerprint == fpr:
1486
client = c
1487
break
1488
else:
1489
logger.warning(u"Client not found for fingerprint: %s, ad"
1490
u"dress: %s", fpr, address)
1491
if self.use_dbus:
1492
# Emit D-Bus signal
1493
mandos_dbus_service.ClientNotFound(fpr, address)
1494
parent_pipe.send(False)
1495
return False
1496
1497
gobject.io_add_watch(parent_pipe.fileno(),
1498
gobject.IO_IN | gobject.IO_HUP,
1499
functools.partial(self.handle_ipc,
1500
parent_pipe = parent_pipe,
1501
client_object = client))
1502
parent_pipe.send(True)
1503
# remove the old hook in favor of the new above hook on same fileno
1504
return False
1505
if command == 'funcall':
1506
funcname = request[1]
1507
args = request[2]
1508
kwargs = request[3]
1509
1510
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1511
1512
if command == 'getattr':
1513
attrname = request[1]
1514
if callable(client_object.__getattribute__(attrname)):
1515
parent_pipe.send(('function',))
1516
else:
1517
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1518
1519
if command == 'setattr':
1520
attrname = request[1]
1521
value = request[2]
1522
setattr(client_object, attrname, value)
1523
1524
return True
1525
791
1526
792
1527
793
def string_to_delta(interval):
1528
794
"""Parse a string and return a datetime.timedelta
1529
795
1530
>>> string_to_delta(u'7d')
796
>>> string_to_delta('7d')
1531
797
datetime.timedelta(7)
1532
>>> string_to_delta(u'60s')
798
>>> string_to_delta('60s')
1533
799
datetime.timedelta(0, 60)
1534
>>> string_to_delta(u'60m')
800
>>> string_to_delta('60m')
1535
801
datetime.timedelta(0, 3600)
1536
>>> string_to_delta(u'24h')
802
>>> string_to_delta('24h')
1537
803
datetime.timedelta(1)
1538
804
>>> string_to_delta(u'1w')
1539
805
datetime.timedelta(7)
1540
>>> string_to_delta(u'5m 30s')
806
>>> string_to_delta('5m 30s')
1541
807
datetime.timedelta(0, 330)
1542
808
"""
1543
809
timevalue = datetime.timedelta(0)
1556
822
elif suffix == u"w":
1557
823
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1558
824
else:
1559
raise ValueError(u"Unknown suffix %r" % suffix)
1560
except (ValueError, IndexError), e:
1561
raise ValueError(e.message)
825
raise ValueError
826
except (ValueError, IndexError):
827
raise ValueError
1562
828
timevalue += delta
1563
829
return timevalue
1564
830
1565
831
832
def server_state_changed(state):
833
"""Derived from the Avahi example code"""
834
if state == avahi.SERVER_COLLISION:
835
logger.error(u"Zeroconf server name collision")
836
service.remove()
837
elif state == avahi.SERVER_RUNNING:
838
service.add()
839
840
841
def entry_group_state_changed(state, error):
842
"""Derived from the Avahi example code"""
843
logger.debug(u"Avahi state change: %i", state)
844
845
if state == avahi.ENTRY_GROUP_ESTABLISHED:
846
logger.debug(u"Zeroconf service established.")
847
elif state == avahi.ENTRY_GROUP_COLLISION:
848
logger.warning(u"Zeroconf service name collision.")
849
service.rename()
850
elif state == avahi.ENTRY_GROUP_FAILURE:
851
logger.critical(u"Avahi: Error in group state changed %s",
852
unicode(error))
853
raise AvahiGroupError(u"State changed: %s" % unicode(error))
854
1566
855
def if_nametoindex(interface):
1567
"""Call the C function if_nametoindex(), or equivalent
1568
1569
Note: This function cannot accept a unicode string."""
856
"""Call the C function if_nametoindex(), or equivalent"""
1570
857
global if_nametoindex
1571
858
try:
1572
859
if_nametoindex = (ctypes.cdll.LoadLibrary
1573
(ctypes.util.find_library(u"c"))
860
(ctypes.util.find_library("c"))
1574
861
.if_nametoindex)
1575
862
except (OSError, AttributeError):
1576
logger.warning(u"Doing if_nametoindex the hard way")
863
if "struct" not in sys.modules:
864
import struct
865
if "fcntl" not in sys.modules:
866
import fcntl
1577
867
def if_nametoindex(interface):
1578
868
"Get an interface index the hard way, i.e. using fcntl()"
1579
869
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1580
with contextlib.closing(socket.socket()) as s:
870
with closing(socket.socket()) as s:
1581
871
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1582
struct.pack(str(u"16s16x"),
1583
interface))
1584
interface_index = struct.unpack(str(u"I"),
1585
ifreq[16:20])[0]
872
struct.pack("16s16x", interface))
873
interface_index = struct.unpack("I", ifreq[16:20])[0]
1586
874
return interface_index
1587
875
return if_nametoindex(interface)
1588
876
1589
877
1590
878
def daemon(nochdir = False, noclose = False):
1591
879
"""See daemon(3). Standard BSD Unix function.
1592
1593
880
This should really exist as os.daemon, but it doesn't (yet)."""
1594
881
if os.fork():
1595
882
sys.exit()
1596
883
os.setsid()
1597
884
if not nochdir:
1598
os.chdir(u"/")
885
os.chdir("/")
1599
886
if os.fork():
1600
887
sys.exit()
1601
888
if not noclose:
1603
890
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1604
891
if not stat.S_ISCHR(os.fstat(null).st_mode):
1605
892
raise OSError(errno.ENODEV,
1606
u"%s not a character device"
1607
% os.path.devnull)
893
"/dev/null not a character device")
1608
894
os.dup2(null, sys.stdin.fileno())
1609
895
os.dup2(null, sys.stdout.fileno())
1610
896
os.dup2(null, sys.stderr.fileno())
1613
899
1614
900
1615
901
def main():
1616
1617
##################################################################
1618
# Parsing of options, both command line and config file
1619
1620
902
parser = optparse.OptionParser(version = "%%prog %s" % version)
1621
parser.add_option("-i", u"--interface", type=u"string",
1622
metavar="IF", help=u"Bind to interface IF")
1623
parser.add_option("-a", u"--address", type=u"string",
1624
help=u"Address to listen for requests on")
1625
parser.add_option("-p", u"--port", type=u"int",
1626
help=u"Port number to receive requests on")
1627
parser.add_option("--check", action=u"store_true",
1628
help=u"Run self-test")
1629
parser.add_option("--debug", action=u"store_true",
1630
help=u"Debug mode; run in foreground and log to"
1631
u" terminal")
1632
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1633
help=u"Debug level for stdout output")
1634
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1635
u" priority string (see GnuTLS documentation)")
1636
parser.add_option("--servicename", type=u"string",
1637
metavar=u"NAME", help=u"Zeroconf service name")
1638
parser.add_option("--configdir", type=u"string",
1639
default=u"/etc/mandos", metavar=u"DIR",
1640
help=u"Directory to search for configuration"
1641
u" files")
1642
parser.add_option("--no-dbus", action=u"store_false",
1643
dest=u"use_dbus", help=u"Do not provide D-Bus"
1644
u" system bus interface")
1645
parser.add_option("--no-ipv6", action=u"store_false",
1646
dest=u"use_ipv6", help=u"Do not use IPv6")
903
parser.add_option("-i", "--interface", type="string",
904
metavar="IF", help="Bind to interface IF")
905
parser.add_option("-a", "--address", type="string",
906
help="Address to listen for requests on")
907
parser.add_option("-p", "--port", type="int",
908
help="Port number to receive requests on")
909
parser.add_option("--check", action="store_true",
910
help="Run self-test")
911
parser.add_option("--debug", action="store_true",
912
help="Debug mode; run in foreground and log to"
913
" terminal")
914
parser.add_option("--priority", type="string", help="GnuTLS"
915
" priority string (see GnuTLS documentation)")
916
parser.add_option("--servicename", type="string", metavar="NAME",
917
help="Zeroconf service name")
918
parser.add_option("--configdir", type="string",
919
default="/etc/mandos", metavar="DIR",
920
help="Directory to search for configuration"
921
" files")
922
parser.add_option("--no-dbus", action="store_false",
923
dest="use_dbus",
924
help="Do not provide D-Bus system bus"
925
" interface")
1647
926
options = parser.parse_args()[0]
1648
927
1649
928
if options.check:
1652
931
sys.exit()
1653
932
1654
933
# Default values for config file for server-global settings
1655
server_defaults = { u"interface": u"",
1656
u"address": u"",
1657
u"port": u"",
1658
u"debug": u"False",
1659
u"priority":
1660
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1661
u"servicename": u"Mandos",
1662
u"use_dbus": u"True",
1663
u"use_ipv6": u"True",
1664
u"debuglevel": u"",
934
server_defaults = { "interface": "",
935
"address": "",
936
"port": "",
937
"debug": "False",
938
"priority":
939
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
940
"servicename": "Mandos",
941
"use_dbus": "True",
1665
942
}
1666
943
1667
944
# Parse config file for server-global settings
1668
server_config = configparser.SafeConfigParser(server_defaults)
945
server_config = ConfigParser.SafeConfigParser(server_defaults)
1669
946
del server_defaults
1670
server_config.read(os.path.join(options.configdir,
1671
u"mandos.conf"))
947
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1672
948
# Convert the SafeConfigParser object to a dict
1673
949
server_settings = server_config.defaults()
1674
950
# Use the appropriate methods on the non-string config options
1675
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1676
server_settings[option] = server_config.getboolean(u"DEFAULT",
1677
option)
951
server_settings["debug"] = server_config.getboolean("DEFAULT",
952
"debug")
953
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
954
"use_dbus")
1678
955
if server_settings["port"]:
1679
server_settings["port"] = server_config.getint(u"DEFAULT",
1680
u"port")
956
server_settings["port"] = server_config.getint("DEFAULT",
957
"port")
1681
958
del server_config
1682
959
1683
960
# Override the settings from the config file with command line
1684
961
# options, if set.
1685
for option in (u"interface", u"address", u"port", u"debug",
1686
u"priority", u"servicename", u"configdir",
1687
u"use_dbus", u"use_ipv6", u"debuglevel"):
962
for option in ("interface", "address", "port", "debug",
963
"priority", "servicename", "configdir",
964
"use_dbus"):
1688
965
value = getattr(options, option)
1689
966
if value is not None:
1690
967
server_settings[option] = value
1691
968
del options
1692
# Force all strings to be unicode
1693
for option in server_settings.keys():
1694
if type(server_settings[option]) is str:
1695
server_settings[option] = unicode(server_settings[option])
1696
969
# Now we have our good server settings in "server_settings"
1697
970
1698
##################################################################
1699
1700
971
# For convenience
1701
debug = server_settings[u"debug"]
1702
debuglevel = server_settings[u"debuglevel"]
1703
use_dbus = server_settings[u"use_dbus"]
1704
use_ipv6 = server_settings[u"use_ipv6"]
1705
1706
if server_settings[u"servicename"] != u"Mandos":
972
debug = server_settings["debug"]
973
use_dbus = server_settings["use_dbus"]
974
975
if not debug:
976
syslogger.setLevel(logging.WARNING)
977
console.setLevel(logging.WARNING)
978
979
if server_settings["servicename"] != "Mandos":
1707
980
syslogger.setFormatter(logging.Formatter
1708
(u'Mandos (%s) [%%(process)d]:'
1709
u' %%(levelname)s: %%(message)s'
1710
% server_settings[u"servicename"]))
981
('Mandos (%s): %%(levelname)s:'
982
' %%(message)s'
983
% server_settings["servicename"]))
1711
984
1712
985
# Parse config file with clients
1713
client_defaults = { u"timeout": u"1h",
1714
u"interval": u"5m",
1715
u"checker": u"fping -q -- %%(host)s",
1716
u"host": u"",
1717
u"approved_delay": u"0s",
1718
u"approved_duration": u"1s",
986
client_defaults = { "timeout": "1h",
987
"interval": "5m",
988
"checker": "fping -q -- %%(host)s",
989
"host": "",
1719
990
}
1720
client_config = configparser.SafeConfigParser(client_defaults)
1721
client_config.read(os.path.join(server_settings[u"configdir"],
1722
u"clients.conf"))
1723
1724
global mandos_dbus_service
1725
mandos_dbus_service = None
1726
1727
tcp_server = MandosServer((server_settings[u"address"],
1728
server_settings[u"port"]),
1729
ClientHandler,
1730
interface=server_settings[u"interface"],
1731
use_ipv6=use_ipv6,
1732
gnutls_priority=
1733
server_settings[u"priority"],
1734
use_dbus=use_dbus)
1735
pidfilename = u"/var/run/mandos.pid"
991
client_config = ConfigParser.SafeConfigParser(client_defaults)
992
client_config.read(os.path.join(server_settings["configdir"],
993
"clients.conf"))
994
995
clients = Set()
996
tcp_server = IPv6_TCPServer((server_settings["address"],
997
server_settings["port"]),
998
TCP_handler,
999
settings=server_settings,
1000
clients=clients)
1001
pidfilename = "/var/run/mandos.pid"
1736
1002
try:
1737
pidfile = open(pidfilename, u"w")
1003
pidfile = open(pidfilename, "w")
1738
1004
except IOError:
1739
logger.error(u"Could not open file %r", pidfilename)
1005
logger.error("Could not open file %r", pidfilename)
1740
1006
1741
1007
try:
1742
uid = pwd.getpwnam(u"_mandos").pw_uid
1743
gid = pwd.getpwnam(u"_mandos").pw_gid
1008
uid = pwd.getpwnam("_mandos").pw_uid
1009
gid = pwd.getpwnam("_mandos").pw_gid
1744
1010
except KeyError:
1745
1011
try:
1746
uid = pwd.getpwnam(u"mandos").pw_uid
1747
gid = pwd.getpwnam(u"mandos").pw_gid
1012
uid = pwd.getpwnam("mandos").pw_uid
1013
gid = pwd.getpwnam("mandos").pw_gid
1748
1014
except KeyError:
1749
1015
try:
1750
uid = pwd.getpwnam(u"nobody").pw_uid
1751
gid = pwd.getpwnam(u"nobody").pw_gid
1016
uid = pwd.getpwnam("nobody").pw_uid
1017
gid = pwd.getpwnam("nogroup").pw_gid
1752
1018
except KeyError:
1753
1019
uid = 65534
1754
1020
gid = 65534
1760
1026
raise error
1761
1027
1762
1028
# Enable all possible GnuTLS debugging
1763
1764
1765
if not debug and not debuglevel:
1766
syslogger.setLevel(logging.WARNING)
1767
console.setLevel(logging.WARNING)
1768
if debuglevel:
1769
level = getattr(logging, debuglevel.upper())
1770
syslogger.setLevel(level)
1771
console.setLevel(level)
1772
1773
1029
if debug:
1774
1030
# "Use a log level over 10 to enable all debugging options."
1775
1031
# - GnuTLS manual
1777
1033
1778
1034
@gnutls.library.types.gnutls_log_func
1779
1035
def debug_gnutls(level, string):
1780
logger.debug(u"GnuTLS: %s", string[:-1])
1036
logger.debug("GnuTLS: %s", string[:-1])
1781
1037
1782
1038
(gnutls.library.functions
1783
1039
.gnutls_global_set_log_function(debug_gnutls))
1784
1785
# Redirect stdin so all checkers get /dev/null
1786
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1787
os.dup2(null, sys.stdin.fileno())
1788
if null > 2:
1789
os.close(null)
1790
else:
1791
# No console logging
1792
logger.removeHandler(console)
1793
1040
1041
global service
1042
service = AvahiService(name = server_settings["servicename"],
1043
servicetype = "_mandos._tcp", )
1044
if server_settings["interface"]:
1045
service.interface = (if_nametoindex
1046
(server_settings["interface"]))
1794
1047
1795
1048
global main_loop
1049
global bus
1050
global server
1796
1051
# From the Avahi example code
1797
1052
DBusGMainLoop(set_as_default=True )
1798
1053
main_loop = gobject.MainLoop()
1799
1054
bus = dbus.SystemBus()
1055
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1056
avahi.DBUS_PATH_SERVER),
1057
avahi.DBUS_INTERFACE_SERVER)
1800
1058
# End of Avahi example code
1801
1059
if use_dbus:
1802
try:
1803
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1804
bus, do_not_queue=True)
1805
except dbus.exceptions.NameExistsException, e:
1806
logger.error(unicode(e) + u", disabling D-Bus")
1807
use_dbus = False
1808
server_settings[u"use_dbus"] = False
1809
tcp_server.use_dbus = False
1810
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1811
service = AvahiService(name = server_settings[u"servicename"],
1812
servicetype = u"_mandos._tcp",
1813
protocol = protocol, bus = bus)
1814
if server_settings["interface"]:
1815
service.interface = (if_nametoindex
1816
(str(server_settings[u"interface"])))
1817
1818
if not debug:
1060
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1061
1062
clients.update(Set(Client(name = section,
1063
config
1064
= dict(client_config.items(section)),
1065
use_dbus = use_dbus)
1066
for section in client_config.sections()))
1067
if not clients:
1068
logger.warning(u"No clients defined")
1069
1070
if debug:
1071
# Redirect stdin so all checkers get /dev/null
1072
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1073
os.dup2(null, sys.stdin.fileno())
1074
if null > 2:
1075
os.close(null)
1076
else:
1077
# No console logging
1078
logger.removeHandler(console)
1819
1079
# Close all input and output, do double fork, etc.
1820
1080
daemon()
1821
1822
global multiprocessing_manager
1823
multiprocessing_manager = multiprocessing.Manager()
1824
1825
client_class = Client
1826
if use_dbus:
1827
client_class = functools.partial(ClientDBus, bus = bus)
1828
def client_config_items(config, section):
1829
special_settings = {
1830
"approved_by_default":
1831
lambda: config.getboolean(section,
1832
"approved_by_default"),
1833
}
1834
for name, value in config.items(section):
1835
try:
1836
yield (name, special_settings[name]())
1837
except KeyError:
1838
yield (name, value)
1839
1840
tcp_server.clients.update(set(
1841
client_class(name = section,
1842
config= dict(client_config_items(
1843
client_config, section)))
1844
for section in client_config.sections()))
1845
if not tcp_server.clients:
1846
logger.warning(u"No clients defined")
1847
1081
1848
1082
try:
1849
with pidfile:
1850
pid = os.getpid()
1851
pidfile.write(str(pid) + "\n")
1083
pid = os.getpid()
1084
pidfile.write(str(pid) + "\n")
1085
pidfile.close()
1852
1086
del pidfile
1853
1087
except IOError:
1854
1088
logger.error(u"Could not write to file %r with PID %d",
1858
1092
pass
1859
1093
del pidfilename
1860
1094
1095
def cleanup():
1096
"Cleanup function; run on exit"
1097
global group
1098
# From the Avahi example code
1099
if not group is None:
1100
group.Free()
1101
group = None
1102
# End of Avahi example code
1103
1104
while clients:
1105
client = clients.pop()
1106
client.disable_hook = None
1107
client.disable()
1108
1109
atexit.register(cleanup)
1110
1861
1111
if not debug:
1862
1112
signal.signal(signal.SIGINT, signal.SIG_IGN)
1863
1113
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1864
1114
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1865
1115
1866
1116
if use_dbus:
1867
class MandosDBusService(dbus.service.Object):
1117
class MandosServer(dbus.service.Object):
1868
1118
"""A D-Bus proxy object"""
1869
1119
def __init__(self):
1870
dbus.service.Object.__init__(self, bus, u"/")
1120
dbus.service.Object.__init__(self, bus, "/")
1871
1121
_interface = u"se.bsnet.fukt.Mandos"
1872
1122
1873
@dbus.service.signal(_interface, signature=u"o")
1874
def ClientAdded(self, objpath):
1875
"D-Bus signal"
1876
pass
1877
1878
@dbus.service.signal(_interface, signature=u"ss")
1879
def ClientNotFound(self, fingerprint, address):
1880
"D-Bus signal"
1881
pass
1882
1883
@dbus.service.signal(_interface, signature=u"os")
1123
@dbus.service.signal(_interface, signature="oa{sv}")
1124
def ClientAdded(self, objpath, properties):
1125
"D-Bus signal"
1126
pass
1127
1128
@dbus.service.signal(_interface, signature="os")
1884
1129
def ClientRemoved(self, objpath, name):
1885
1130
"D-Bus signal"
1886
1131
pass
1887
1132
1888
@dbus.service.method(_interface, out_signature=u"ao")
1133
@dbus.service.method(_interface, out_signature="ao")
1889
1134
def GetAllClients(self):
1890
1135
"D-Bus method"
1891
return dbus.Array(c.dbus_object_path
1892
for c in tcp_server.clients)
1136
return dbus.Array(c.dbus_object_path for c in clients)
1893
1137
1894
@dbus.service.method(_interface,
1895
out_signature=u"a{oa{sv}}")
1138
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1896
1139
def GetAllClientsWithProperties(self):
1897
1140
"D-Bus method"
1898
1141
return dbus.Dictionary(
1899
((c.dbus_object_path, c.GetAll(u""))
1900
for c in tcp_server.clients),
1901
signature=u"oa{sv}")
1142
((c.dbus_object_path, c.GetAllProperties())
1143
for c in clients),
1144
signature="oa{sv}")
1902
1145
1903
@dbus.service.method(_interface, in_signature=u"o")
1146
@dbus.service.method(_interface, in_signature="o")
1904
1147
def RemoveClient(self, object_path):
1905
1148
"D-Bus method"
1906
for c in tcp_server.clients:
1149
for c in clients:
1907
1150
if c.dbus_object_path == object_path:
1908
tcp_server.clients.remove(c)
1909
c.remove_from_connection()
1151
clients.remove(c)
1910
1152
# Don't signal anything except ClientRemoved
1911
c.disable(quiet=True)
1153
c.use_dbus = False
1154
c.disable()
1912
1155
# Emit D-Bus signal
1913
1156
self.ClientRemoved(object_path, c.name)
1914
1157
return
1915
raise KeyError(object_path)
1158
raise KeyError
1916
1159
1917
1160
del _interface
1918
1161
1919
mandos_dbus_service = MandosDBusService()
1920
1921
def cleanup():
1922
"Cleanup function; run on exit"
1923
service.cleanup()
1924
1925
while tcp_server.clients:
1926
client = tcp_server.clients.pop()
1927
if use_dbus:
1928
client.remove_from_connection()
1929
client.disable_hook = None
1930
# Don't signal anything except ClientRemoved
1931
client.disable(quiet=True)
1932
if use_dbus:
1933
# Emit D-Bus signal
1934
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1935
client.name)
1936
1937
atexit.register(cleanup)
1938
1939
for client in tcp_server.clients:
1162
mandos_server = MandosServer()
1163
1164
for client in clients:
1940
1165
if use_dbus:
1941
1166
# Emit D-Bus signal
1942
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1167
mandos_server.ClientAdded(client.dbus_object_path,
1168
client.GetAllProperties())
1943
1169
client.enable()
1944
1170
1945
1171
tcp_server.enable()
1947
1173
1948
1174
# Find out what port we got
1949
1175
service.port = tcp_server.socket.getsockname()[1]
1950
if use_ipv6:
1951
logger.info(u"Now listening on address %r, port %d,"
1952
" flowinfo %d, scope_id %d"
1953
% tcp_server.socket.getsockname())
1954
else: # IPv4
1955
logger.info(u"Now listening on address %r, port %d"
1956
% tcp_server.socket.getsockname())
1176
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1177
u" scope_id %d" % tcp_server.socket.getsockname())
1957
1178
1958
1179
#service.interface = tcp_server.socket.getsockname()[3]
1959
1180
1960
1181
try:
1961
1182
# From the Avahi example code
1183
server.connect_to_signal("StateChanged", server_state_changed)
1962
1184
try:
1963
service.activate()
1185
server_state_changed(server.GetState())
1964
1186
except dbus.exceptions.DBusException, error:
1965
1187
logger.critical(u"DBusException: %s", error)
1966
cleanup()
1967
1188
sys.exit(1)
1968
1189
# End of Avahi example code
1969
1190
1976
1197
main_loop.run()
1977
1198
except AvahiError, error:
1978
1199
logger.critical(u"AvahiError: %s", error)
1979
cleanup()
1980
1200
sys.exit(1)
1981
1201
except KeyboardInterrupt:
1982
1202
if debug:
1983
1203
print >> sys.stderr
1984
logger.debug(u"Server received KeyboardInterrupt")
1985
logger.debug(u"Server exiting")
1986
# Must run before the D-Bus bus name gets deregistered
1987
cleanup()
1204
logger.debug("Server received KeyboardInterrupt")
1205
logger.debug("Server exiting")
1988
1206
1989
1207
if __name__ == '__main__':
1990
1208
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0