To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 328
- compare with another revision
- download diff
- download tarball
- view history from revision 328
- Committer: Teddy Hogeborn
- Date: 2009-03-31 01:32:12 UTC
- Revision ID: teddy@fukt.bsnet.se-20090331013212-yes2wy6njzlyniaa
* mandos (Client): Move all D-Bus code to new "ClientDBus" class.
(Client.start_checker): Bug fix: update "current_checker_command" in
all cases.
(ClientDBus): New class.
(main): Use Client or ClientDBus depending on "use_dbus".
(main/MandosDBusService.RemoveClient): Bug fix: make sure the client
is removed from the D-Bus.
(Client.start_checker): Bug fix: update "current_checker_command" in
all cases.
(ClientDBus): New class.
(main): Use Client or ClientDBus depending on "use_dbus".
(main/MandosDBusService.RemoveClient): Bug fix: make sure the client
is removed from the D-Bus.
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
56
57
import logging.handlers
57
58
import pwd
58
59
from contextlib import closing
59
import struct
60
import fcntl
61
import functools
62
60
63
61
import dbus
64
62
import dbus.service
68
66
import ctypes
69
67
import ctypes.util
70
68
71
try:
72
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
73
except AttributeError:
74
try:
75
from IN import SO_BINDTODEVICE
76
except ImportError:
77
SO_BINDTODEVICE = None
78
79
80
69
version = "1.0.8"
81
70
82
logger = logging.Logger(u'mandos')
71
logger = logging.Logger('mandos')
83
72
syslogger = (logging.handlers.SysLogHandler
84
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
74
address = "/dev/log"))
86
75
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
89
78
logger.addHandler(syslogger)
90
79
91
80
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
95
83
logger.addHandler(console)
96
84
97
85
class AvahiError(Exception):
110
98
111
99
class AvahiService(object):
112
100
"""An Avahi (Zeroconf) service.
113
114
101
Attributes:
115
102
interface: integer; avahi.IF_UNSPEC or an interface index.
116
103
Used to optionally bind to the specified interface.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
119
106
See <http://www.dns-sd.org/ServiceTypes.html>
120
107
port: integer; what port to announce
121
108
TXT: list of strings; TXT record for the service
124
111
max_renames: integer; maximum number of renames
125
112
rename_count: integer; counter so we only rename after collisions
126
113
a sensible number of times
127
group: D-Bus Entry Group
128
server: D-Bus Server
129
bus: dbus.SystemBus()
130
114
"""
131
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
132
116
servicetype = None, port = None, TXT = None,
133
domain = u"", host = u"", max_renames = 32768,
134
protocol = avahi.PROTO_UNSPEC, bus = None):
117
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
135
119
self.interface = interface
136
120
self.name = name
137
121
self.type = servicetype
142
126
self.rename_count = 0
143
127
self.max_renames = max_renames
144
128
self.protocol = protocol
145
self.group = None # our entry group
146
self.server = None
147
self.bus = bus
148
129
def rename(self):
149
130
"""Derived from the Avahi example code"""
150
131
if self.rename_count >= self.max_renames:
152
133
u" after %i retries, exiting.",
153
134
self.rename_count)
154
135
raise AvahiServiceError(u"Too many renames")
155
self.name = self.server.GetAlternativeServiceName(self.name)
136
self.name = server.GetAlternativeServiceName(self.name)
156
137
logger.info(u"Changing Zeroconf service name to %r ...",
157
unicode(self.name))
138
str(self.name))
158
139
syslogger.setFormatter(logging.Formatter
159
(u'Mandos (%s) [%%(process)d]:'
160
u' %%(levelname)s: %%(message)s'
140
('Mandos (%s) [%%(process)d]:'
141
' %%(levelname)s: %%(message)s'
161
142
% self.name))
162
143
self.remove()
163
144
self.add()
164
145
self.rename_count += 1
165
146
def remove(self):
166
147
"""Derived from the Avahi example code"""
167
if self.group is not None:
168
self.group.Reset()
148
if group is not None:
149
group.Reset()
169
150
def add(self):
170
151
"""Derived from the Avahi example code"""
171
if self.group is None:
172
self.group = dbus.Interface(
173
self.bus.get_object(avahi.DBUS_NAME,
174
self.server.EntryGroupNew()),
175
avahi.DBUS_INTERFACE_ENTRY_GROUP)
176
self.group.connect_to_signal('StateChanged',
177
self.entry_group_state_changed)
152
global group
153
if group is None:
154
group = dbus.Interface(bus.get_object
155
(avahi.DBUS_NAME,
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
178
160
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
179
self.name, self.type)
180
self.group.AddService(
181
self.interface,
182
self.protocol,
183
dbus.UInt32(0), # flags
184
self.name, self.type,
185
self.domain, self.host,
186
dbus.UInt16(self.port),
187
avahi.string_array_to_txt_array(self.TXT))
188
self.group.Commit()
189
def entry_group_state_changed(self, state, error):
190
"""Derived from the Avahi example code"""
191
logger.debug(u"Avahi state change: %i", state)
192
193
if state == avahi.ENTRY_GROUP_ESTABLISHED:
194
logger.debug(u"Zeroconf service established.")
195
elif state == avahi.ENTRY_GROUP_COLLISION:
196
logger.warning(u"Zeroconf service name collision.")
197
self.rename()
198
elif state == avahi.ENTRY_GROUP_FAILURE:
199
logger.critical(u"Avahi: Error in group state changed %s",
200
unicode(error))
201
raise AvahiGroupError(u"State changed: %s"
202
% unicode(error))
203
def cleanup(self):
204
"""Derived from the Avahi example code"""
205
if self.group is not None:
206
self.group.Free()
207
self.group = None
208
def server_state_changed(self, state):
209
"""Derived from the Avahi example code"""
210
if state == avahi.SERVER_COLLISION:
211
logger.error(u"Zeroconf server name collision")
212
self.remove()
213
elif state == avahi.SERVER_RUNNING:
214
self.add()
215
def activate(self):
216
"""Derived from the Avahi example code"""
217
if self.server is None:
218
self.server = dbus.Interface(
219
self.bus.get_object(avahi.DBUS_NAME,
220
avahi.DBUS_PATH_SERVER),
221
avahi.DBUS_INTERFACE_SERVER)
222
self.server.connect_to_signal(u"StateChanged",
223
self.server_state_changed)
224
self.server_state_changed(self.server.GetState())
161
service.name, service.type)
162
group.AddService(
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
170
group.Commit()
171
172
# From the Avahi example code:
173
group = None # our entry group
174
# End of Avahi example code
175
176
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
225
180
226
181
227
182
class Client(object):
228
183
"""A representation of a client host served by this server.
229
230
184
Attributes:
231
185
name: string; from the config file, used in log messages and
232
186
D-Bus identifiers
254
208
instance %(name)s can be used in the command.
255
209
current_checker_command: string; current running checker_command
256
210
"""
257
258
@staticmethod
259
def _datetime_to_milliseconds(dt):
260
"Convert a datetime.datetime() to milliseconds"
261
return ((dt.days * 24 * 60 * 60 * 1000)
262
+ (dt.seconds * 1000)
263
+ (dt.microseconds // 1000))
264
265
211
def timeout_milliseconds(self):
266
212
"Return the 'timeout' attribute in milliseconds"
267
return self._datetime_to_milliseconds(self.timeout)
213
return ((self.timeout.days * 24 * 60 * 60 * 1000)
214
+ (self.timeout.seconds * 1000)
215
+ (self.timeout.microseconds // 1000))
268
216
269
217
def interval_milliseconds(self):
270
218
"Return the 'interval' attribute in milliseconds"
271
return self._datetime_to_milliseconds(self.interval)
219
return ((self.interval.days * 24 * 60 * 60 * 1000)
220
+ (self.interval.seconds * 1000)
221
+ (self.interval.microseconds // 1000))
272
222
273
223
def __init__(self, name = None, disable_hook=None, config=None):
274
224
"""Note: the 'checker' key in 'config' sets the
281
231
# Uppercase and remove spaces from fingerprint for later
282
232
# comparison purposes with return value from the fingerprint()
283
233
# function
284
self.fingerprint = (config[u"fingerprint"].upper()
234
self.fingerprint = (config["fingerprint"].upper()
285
235
.replace(u" ", u""))
286
236
logger.debug(u" Fingerprint: %s", self.fingerprint)
287
if u"secret" in config:
288
self.secret = config[u"secret"].decode(u"base64")
289
elif u"secfile" in config:
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
290
240
with closing(open(os.path.expanduser
291
241
(os.path.expandvars
292
(config[u"secfile"])))) as secfile:
242
(config["secfile"])))) as secfile:
293
243
self.secret = secfile.read()
294
244
else:
295
245
raise TypeError(u"No secret or secfile for client %s"
296
246
% self.name)
297
self.host = config.get(u"host", u"")
247
self.host = config.get("host", "")
298
248
self.created = datetime.datetime.utcnow()
299
249
self.enabled = False
300
250
self.last_enabled = None
301
251
self.last_checked_ok = None
302
self.timeout = string_to_delta(config[u"timeout"])
303
self.interval = string_to_delta(config[u"interval"])
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
304
254
self.disable_hook = disable_hook
305
255
self.checker = None
306
256
self.checker_initiator_tag = None
307
257
self.disable_initiator_tag = None
308
258
self.checker_callback_tag = None
309
self.checker_command = config[u"checker"]
259
self.checker_command = config["checker"]
310
260
self.current_checker_command = None
311
261
self.last_connect = None
312
262
313
263
def enable(self):
314
264
"""Start this client's checker and timeout hooks"""
315
if getattr(self, u"enabled", False):
316
# Already enabled
317
return
318
265
self.last_enabled = datetime.datetime.utcnow()
319
266
# Schedule a new checker to be started an 'interval' from now,
320
267
# and every interval from then on.
334
281
if not getattr(self, "enabled", False):
335
282
return False
336
283
logger.info(u"Disabling client %s", self.name)
337
if getattr(self, u"disable_initiator_tag", False):
284
if getattr(self, "disable_initiator_tag", False):
338
285
gobject.source_remove(self.disable_initiator_tag)
339
286
self.disable_initiator_tag = None
340
if getattr(self, u"checker_initiator_tag", False):
287
if getattr(self, "checker_initiator_tag", False):
341
288
gobject.source_remove(self.checker_initiator_tag)
342
289
self.checker_initiator_tag = None
343
290
self.stop_checker()
370
317
371
318
def checked_ok(self):
372
319
"""Bump up the timeout for this client.
373
374
320
This should only be called when the client has been seen,
375
321
alive and well.
376
322
"""
382
328
383
329
def start_checker(self):
384
330
"""Start a new checker subprocess if one is not running.
385
386
331
If a checker already exists, leave it running and do
387
332
nothing."""
388
333
# The reason for not killing a running checker is that if we
398
343
if self.checker is not None:
399
344
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
400
345
if pid:
401
logger.warning(u"Checker was a zombie")
346
logger.warning("Checker was a zombie")
402
347
gobject.source_remove(self.checker_callback_tag)
403
348
self.checker_callback(pid, status,
404
349
self.current_checker_command)
409
354
command = self.checker_command % self.host
410
355
except TypeError:
411
356
# Escape attributes for the shell
412
escaped_attrs = dict((key,
413
re.escape(unicode(str(val),
414
errors=
415
u'replace')))
357
escaped_attrs = dict((key, re.escape(str(val)))
416
358
for key, val in
417
359
vars(self).iteritems())
418
360
try:
431
373
# always replaced by /dev/null.)
432
374
self.checker = subprocess.Popen(command,
433
375
close_fds=True,
434
shell=True, cwd=u"/")
376
shell=True, cwd="/")
435
377
self.checker_callback_tag = (gobject.child_watch_add
436
378
(self.checker.pid,
437
379
self.checker_callback,
453
395
if self.checker_callback_tag:
454
396
gobject.source_remove(self.checker_callback_tag)
455
397
self.checker_callback_tag = None
456
if getattr(self, u"checker", None) is None:
398
if getattr(self, "checker", None) is None:
457
399
return
458
400
logger.debug(u"Stopping checker for %(name)s", vars(self))
459
401
try:
468
410
469
411
def still_valid(self):
470
412
"""Has the timeout not yet passed for this client?"""
471
if not getattr(self, u"enabled", False):
413
if not getattr(self, "enabled", False):
472
414
return False
473
415
now = datetime.datetime.utcnow()
474
416
if self.last_checked_ok is None:
479
421
480
422
class ClientDBus(Client, dbus.service.Object):
481
423
"""A Client class using D-Bus
482
483
424
Attributes:
484
dbus_object_path: dbus.ObjectPath
485
bus: dbus.SystemBus()
425
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
486
426
"""
487
427
# dbus.service.Object doesn't use super(), so we can't either.
488
428
489
def __init__(self, bus = None, *args, **kwargs):
490
self.bus = bus
429
def __init__(self, *args, **kwargs):
491
430
Client.__init__(self, *args, **kwargs)
492
431
# Only now, when this client is initialized, can it show up on
493
432
# the D-Bus
494
433
self.dbus_object_path = (dbus.ObjectPath
495
(u"/clients/"
496
+ self.name.replace(u".", u"_")))
497
dbus.service.Object.__init__(self, self.bus,
434
("/clients/"
435
+ self.name.replace(".", "_")))
436
dbus.service.Object.__init__(self, bus,
498
437
self.dbus_object_path)
499
500
@staticmethod
501
def _datetime_to_dbus(dt, variant_level=0):
502
"""Convert a UTC datetime.datetime() to a D-Bus type."""
503
return dbus.String(dt.isoformat(),
504
variant_level=variant_level)
505
506
438
def enable(self):
507
oldstate = getattr(self, u"enabled", False)
439
oldstate = getattr(self, "enabled", False)
508
440
r = Client.enable(self)
509
441
if oldstate != self.enabled:
510
442
# Emit D-Bus signals
511
443
self.PropertyChanged(dbus.String(u"enabled"),
512
444
dbus.Boolean(True, variant_level=1))
513
self.PropertyChanged(
514
dbus.String(u"last_enabled"),
515
self._datetime_to_dbus(self.last_enabled,
516
variant_level=1))
445
self.PropertyChanged(dbus.String(u"last_enabled"),
446
(_datetime_to_dbus(self.last_enabled,
447
variant_level=1)))
517
448
return r
518
449
519
450
def disable(self, signal = True):
520
oldstate = getattr(self, u"enabled", False)
451
oldstate = getattr(self, "enabled", False)
521
452
r = Client.disable(self)
522
453
if signal and oldstate != self.enabled:
523
454
# Emit D-Bus signal
528
459
def __del__(self, *args, **kwargs):
529
460
try:
530
461
self.remove_from_connection()
531
except LookupError:
462
except org.freedesktop.DBus.Python.LookupError:
532
463
pass
533
if hasattr(dbus.service.Object, u"__del__"):
534
dbus.service.Object.__del__(self, *args, **kwargs)
464
dbus.service.Object.__del__(self, *args, **kwargs)
535
465
Client.__del__(self, *args, **kwargs)
536
466
537
467
def checker_callback(self, pid, condition, command,
561
491
# Emit D-Bus signal
562
492
self.PropertyChanged(
563
493
dbus.String(u"last_checked_ok"),
564
(self._datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)))
494
(_datetime_to_dbus(self.last_checked_ok,
495
variant_level=1)))
566
496
return r
567
497
568
498
def start_checker(self, *args, **kwargs):
572
502
else:
573
503
old_checker_pid = None
574
504
r = Client.start_checker(self, *args, **kwargs)
575
# Only if new checker process was started
576
if (self.checker is not None
577
and old_checker_pid != self.checker.pid):
578
# Emit D-Bus signal
505
# Only emit D-Bus signal if new checker process was started
506
if ((self.checker is not None)
507
and not (old_checker is not None
508
and old_checker_pid == self.checker.pid)):
579
509
self.CheckerStarted(self.current_checker_command)
580
510
self.PropertyChanged(
581
dbus.String(u"checker_running"),
511
dbus.String("checker_running"),
582
512
dbus.Boolean(True, variant_level=1))
583
513
return r
584
514
585
515
def stop_checker(self, *args, **kwargs):
586
old_checker = getattr(self, u"checker", None)
516
old_checker = getattr(self, "checker", None)
587
517
r = Client.stop_checker(self, *args, **kwargs)
588
518
if (old_checker is not None
589
and getattr(self, u"checker", None) is None):
519
and getattr(self, "checker", None) is None):
590
520
self.PropertyChanged(dbus.String(u"checker_running"),
591
521
dbus.Boolean(False, variant_level=1))
592
522
return r
595
525
_interface = u"se.bsnet.fukt.Mandos.Client"
596
526
597
527
# CheckedOK - method
598
@dbus.service.method(_interface)
599
def CheckedOK(self):
600
return self.checked_ok()
528
CheckedOK = dbus.service.method(_interface)(checked_ok)
529
CheckedOK.__name__ = "CheckedOK"
601
530
602
531
# CheckerCompleted - signal
603
@dbus.service.signal(_interface, signature=u"nxs")
532
@dbus.service.signal(_interface, signature="nxs")
604
533
def CheckerCompleted(self, exitcode, waitstatus, command):
605
534
"D-Bus signal"
606
535
pass
607
536
608
537
# CheckerStarted - signal
609
@dbus.service.signal(_interface, signature=u"s")
538
@dbus.service.signal(_interface, signature="s")
610
539
def CheckerStarted(self, command):
611
540
"D-Bus signal"
612
541
pass
613
542
614
543
# GetAllProperties - method
615
@dbus.service.method(_interface, out_signature=u"a{sv}")
544
@dbus.service.method(_interface, out_signature="a{sv}")
616
545
def GetAllProperties(self):
617
546
"D-Bus method"
618
547
return dbus.Dictionary({
619
dbus.String(u"name"):
548
dbus.String("name"):
620
549
dbus.String(self.name, variant_level=1),
621
dbus.String(u"fingerprint"):
550
dbus.String("fingerprint"):
622
551
dbus.String(self.fingerprint, variant_level=1),
623
dbus.String(u"host"):
552
dbus.String("host"):
624
553
dbus.String(self.host, variant_level=1),
625
dbus.String(u"created"):
626
self._datetime_to_dbus(self.created,
627
variant_level=1),
628
dbus.String(u"last_enabled"):
629
(self._datetime_to_dbus(self.last_enabled,
630
variant_level=1)
554
dbus.String("created"):
555
_datetime_to_dbus(self.created, variant_level=1),
556
dbus.String("last_enabled"):
557
(_datetime_to_dbus(self.last_enabled,
558
variant_level=1)
631
559
if self.last_enabled is not None
632
560
else dbus.Boolean(False, variant_level=1)),
633
dbus.String(u"enabled"):
561
dbus.String("enabled"):
634
562
dbus.Boolean(self.enabled, variant_level=1),
635
dbus.String(u"last_checked_ok"):
636
(self._datetime_to_dbus(self.last_checked_ok,
637
variant_level=1)
563
dbus.String("last_checked_ok"):
564
(_datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)
638
566
if self.last_checked_ok is not None
639
567
else dbus.Boolean (False, variant_level=1)),
640
dbus.String(u"timeout"):
568
dbus.String("timeout"):
641
569
dbus.UInt64(self.timeout_milliseconds(),
642
570
variant_level=1),
643
dbus.String(u"interval"):
571
dbus.String("interval"):
644
572
dbus.UInt64(self.interval_milliseconds(),
645
573
variant_level=1),
646
dbus.String(u"checker"):
574
dbus.String("checker"):
647
575
dbus.String(self.checker_command,
648
576
variant_level=1),
649
dbus.String(u"checker_running"):
577
dbus.String("checker_running"):
650
578
dbus.Boolean(self.checker is not None,
651
579
variant_level=1),
652
dbus.String(u"object_path"):
580
dbus.String("object_path"):
653
581
dbus.ObjectPath(self.dbus_object_path,
654
582
variant_level=1)
655
}, signature=u"sv")
583
}, signature="sv")
656
584
657
585
# IsStillValid - method
658
@dbus.service.method(_interface, out_signature=u"b")
586
@dbus.service.method(_interface, out_signature="b")
659
587
def IsStillValid(self):
660
588
return self.still_valid()
661
589
662
590
# PropertyChanged - signal
663
@dbus.service.signal(_interface, signature=u"sv")
591
@dbus.service.signal(_interface, signature="sv")
664
592
def PropertyChanged(self, property, value):
665
593
"D-Bus signal"
666
594
pass
678
606
pass
679
607
680
608
# SetChecker - method
681
@dbus.service.method(_interface, in_signature=u"s")
609
@dbus.service.method(_interface, in_signature="s")
682
610
def SetChecker(self, checker):
683
611
"D-Bus setter method"
684
612
self.checker_command = checker
688
616
variant_level=1))
689
617
690
618
# SetHost - method
691
@dbus.service.method(_interface, in_signature=u"s")
619
@dbus.service.method(_interface, in_signature="s")
692
620
def SetHost(self, host):
693
621
"D-Bus setter method"
694
622
self.host = host
697
625
dbus.String(self.host, variant_level=1))
698
626
699
627
# SetInterval - method
700
@dbus.service.method(_interface, in_signature=u"t")
628
@dbus.service.method(_interface, in_signature="t")
701
629
def SetInterval(self, milliseconds):
702
630
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
703
631
# Emit D-Bus signal
706
634
variant_level=1)))
707
635
708
636
# SetSecret - method
709
@dbus.service.method(_interface, in_signature=u"ay",
637
@dbus.service.method(_interface, in_signature="ay",
710
638
byte_arrays=True)
711
639
def SetSecret(self, secret):
712
640
"D-Bus setter method"
713
641
self.secret = str(secret)
714
642
715
643
# SetTimeout - method
716
@dbus.service.method(_interface, in_signature=u"t")
644
@dbus.service.method(_interface, in_signature="t")
717
645
def SetTimeout(self, milliseconds):
718
646
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
719
647
# Emit D-Bus signal
722
650
variant_level=1)))
723
651
724
652
# Enable - method
725
@dbus.service.method(_interface)
726
def Enable(self):
727
"D-Bus method"
728
self.enable()
653
Enable = dbus.service.method(_interface)(enable)
654
Enable.__name__ = "Enable"
729
655
730
656
# StartChecker - method
731
657
@dbus.service.method(_interface)
740
666
self.disable()
741
667
742
668
# StopChecker - method
743
@dbus.service.method(_interface)
744
def StopChecker(self):
745
self.stop_checker()
669
StopChecker = dbus.service.method(_interface)(stop_checker)
670
StopChecker.__name__ = "StopChecker"
746
671
747
672
del _interface
748
673
749
674
750
class ClientHandler(socketserver.BaseRequestHandler, object):
751
"""A class to handle client connections.
752
753
Instantiated once for each connection to handle it.
675
def peer_certificate(session):
676
"Return the peer's OpenPGP certificate as a bytestring"
677
# If not an OpenPGP certificate...
678
if (gnutls.library.functions
679
.gnutls_certificate_type_get(session._c_object)
680
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
681
# ...do the normal thing
682
return session.peer_certificate
683
list_size = ctypes.c_uint(1)
684
cert_list = (gnutls.library.functions
685
.gnutls_certificate_get_peers
686
(session._c_object, ctypes.byref(list_size)))
687
if not bool(cert_list) and list_size.value != 0:
688
raise gnutls.errors.GNUTLSError("error getting peer"
689
" certificate")
690
if list_size.value == 0:
691
return None
692
cert = cert_list[0]
693
return ctypes.string_at(cert.data, cert.size)
694
695
696
def fingerprint(openpgp):
697
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
698
# New GnuTLS "datum" with the OpenPGP public key
699
datum = (gnutls.library.types
700
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
701
ctypes.POINTER
702
(ctypes.c_ubyte)),
703
ctypes.c_uint(len(openpgp))))
704
# New empty GnuTLS certificate
705
crt = gnutls.library.types.gnutls_openpgp_crt_t()
706
(gnutls.library.functions
707
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
708
# Import the OpenPGP public key into the certificate
709
(gnutls.library.functions
710
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
711
gnutls.library.constants
712
.GNUTLS_OPENPGP_FMT_RAW))
713
# Verify the self signature in the key
714
crtverify = ctypes.c_uint()
715
(gnutls.library.functions
716
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
717
if crtverify.value != 0:
718
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
719
raise gnutls.errors.CertificateSecurityError("Verify failed")
720
# New buffer for the fingerprint
721
buf = ctypes.create_string_buffer(20)
722
buf_len = ctypes.c_size_t()
723
# Get the fingerprint from the certificate into the buffer
724
(gnutls.library.functions
725
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
726
ctypes.byref(buf_len)))
727
# Deinit the certificate
728
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
729
# Convert the buffer to a Python bytestring
730
fpr = ctypes.string_at(buf, buf_len.value)
731
# Convert the bytestring to hexadecimal notation
732
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
733
return hex_fpr
734
735
736
class TCP_handler(SocketServer.BaseRequestHandler, object):
737
"""A TCP request handler class.
738
Instantiated by IPv6_TCPServer for each request to handle it.
754
739
Note: This will run in its own forked process."""
755
740
756
741
def handle(self):
758
743
unicode(self.client_address))
759
744
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
760
745
# Open IPC pipe to parent process
761
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
746
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
762
747
session = (gnutls.connection
763
748
.ClientSession(self.request,
764
749
gnutls.connection
778
763
# no X.509 keys are added to it. Therefore, we can use it
779
764
# here despite using OpenPGP certificates.
780
765
781
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
782
# u"+AES-256-CBC", u"+SHA1",
783
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
784
# u"+DHE-DSS"))
766
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
767
# "+AES-256-CBC", "+SHA1",
768
# "+COMP-NULL", "+CTYPE-OPENPGP",
769
# "+DHE-DSS"))
785
770
# Use a fallback default, since this MUST be set.
786
priority = self.server.gnutls_priority
787
if priority is None:
788
priority = u"NORMAL"
771
priority = self.server.settings.get("priority", "NORMAL")
789
772
(gnutls.library.functions
790
773
.gnutls_priority_set_direct(session._c_object,
791
774
priority, None))
799
782
return
800
783
logger.debug(u"Handshake succeeded")
801
784
try:
802
fpr = self.fingerprint(self.peer_certificate(session))
785
fpr = fingerprint(peer_certificate(session))
803
786
except (TypeError, gnutls.errors.GNUTLSError), error:
804
787
logger.warning(u"Bad certificate: %s", error)
805
788
session.bye()
811
794
client = c
812
795
break
813
796
else:
814
ipc.write(u"NOTFOUND %s\n" % fpr)
797
logger.warning(u"Client not found for fingerprint: %s",
798
fpr)
799
ipc.write("NOTFOUND %s\n" % fpr)
815
800
session.bye()
816
801
return
817
802
# Have to check if client.still_valid(), since it is
818
803
# possible that the client timed out while establishing
819
804
# the GnuTLS session.
820
805
if not client.still_valid():
821
ipc.write(u"INVALID %s\n" % client.name)
806
logger.warning(u"Client %(name)s is invalid",
807
vars(client))
808
ipc.write("INVALID %s\n" % client.name)
822
809
session.bye()
823
810
return
824
ipc.write(u"SENDING %s\n" % client.name)
811
ipc.write("SENDING %s\n" % client.name)
825
812
sent_size = 0
826
813
while sent_size < len(client.secret):
827
814
sent = session.send(client.secret[sent_size:])
830
817
- (sent_size + sent))
831
818
sent_size += sent
832
819
session.bye()
833
834
@staticmethod
835
def peer_certificate(session):
836
"Return the peer's OpenPGP certificate as a bytestring"
837
# If not an OpenPGP certificate...
838
if (gnutls.library.functions
839
.gnutls_certificate_type_get(session._c_object)
840
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
841
# ...do the normal thing
842
return session.peer_certificate
843
list_size = ctypes.c_uint(1)
844
cert_list = (gnutls.library.functions
845
.gnutls_certificate_get_peers
846
(session._c_object, ctypes.byref(list_size)))
847
if not bool(cert_list) and list_size.value != 0:
848
raise gnutls.errors.GNUTLSError(u"error getting peer"
849
u" certificate")
850
if list_size.value == 0:
851
return None
852
cert = cert_list[0]
853
return ctypes.string_at(cert.data, cert.size)
854
855
@staticmethod
856
def fingerprint(openpgp):
857
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
858
# New GnuTLS "datum" with the OpenPGP public key
859
datum = (gnutls.library.types
860
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
861
ctypes.POINTER
862
(ctypes.c_ubyte)),
863
ctypes.c_uint(len(openpgp))))
864
# New empty GnuTLS certificate
865
crt = gnutls.library.types.gnutls_openpgp_crt_t()
866
(gnutls.library.functions
867
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
868
# Import the OpenPGP public key into the certificate
869
(gnutls.library.functions
870
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
871
gnutls.library.constants
872
.GNUTLS_OPENPGP_FMT_RAW))
873
# Verify the self signature in the key
874
crtverify = ctypes.c_uint()
875
(gnutls.library.functions
876
.gnutls_openpgp_crt_verify_self(crt, 0,
877
ctypes.byref(crtverify)))
878
if crtverify.value != 0:
879
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
880
raise (gnutls.errors.CertificateSecurityError
881
(u"Verify failed"))
882
# New buffer for the fingerprint
883
buf = ctypes.create_string_buffer(20)
884
buf_len = ctypes.c_size_t()
885
# Get the fingerprint from the certificate into the buffer
886
(gnutls.library.functions
887
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
888
ctypes.byref(buf_len)))
889
# Deinit the certificate
890
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
891
# Convert the buffer to a Python bytestring
892
fpr = ctypes.string_at(buf, buf_len.value)
893
# Convert the bytestring to hexadecimal notation
894
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
895
return hex_fpr
896
897
898
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
899
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
820
821
822
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
823
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
824
Assumes a gobject.MainLoop event loop.
825
"""
900
826
def process_request(self, request, client_address):
901
"""Overrides and wraps the original process_request().
902
827
"""This overrides and wraps the original process_request().
903
828
This function creates a new pipe in self.pipe
904
829
"""
905
830
self.pipe = os.pipe()
906
831
super(ForkingMixInWithPipe,
907
832
self).process_request(request, client_address)
908
833
os.close(self.pipe[1]) # close write end
909
self.add_pipe(self.pipe[0])
910
def add_pipe(self, pipe):
834
# Call "handle_ipc" for both data and EOF events
835
gobject.io_add_watch(self.pipe[0],
836
gobject.IO_IN | gobject.IO_HUP,
837
self.handle_ipc)
838
def handle_ipc(source, condition):
911
839
"""Dummy function; override as necessary"""
912
os.close(pipe)
840
os.close(source)
841
return False
913
842
914
843
915
844
class IPv6_TCPServer(ForkingMixInWithPipe,
916
socketserver.TCPServer, object):
845
SocketServer.TCPServer, object):
917
846
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
918
919
847
Attributes:
848
settings: Server settings
849
clients: Set() of Client objects
920
850
enabled: Boolean; whether this server is activated yet
921
interface: None or a network interface name (string)
922
use_ipv6: Boolean; to use IPv6 or not
923
851
"""
924
def __init__(self, server_address, RequestHandlerClass,
925
interface=None, use_ipv6=True):
926
self.interface = interface
927
if use_ipv6:
928
self.address_family = socket.AF_INET6
929
socketserver.TCPServer.__init__(self, server_address,
930
RequestHandlerClass)
852
address_family = socket.AF_INET6
853
def __init__(self, *args, **kwargs):
854
if "settings" in kwargs:
855
self.settings = kwargs["settings"]
856
del kwargs["settings"]
857
if "clients" in kwargs:
858
self.clients = kwargs["clients"]
859
del kwargs["clients"]
860
if "use_ipv6" in kwargs:
861
if not kwargs["use_ipv6"]:
862
self.address_family = socket.AF_INET
863
del kwargs["use_ipv6"]
864
self.enabled = False
865
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
931
866
def server_bind(self):
932
867
"""This overrides the normal server_bind() function
933
868
to bind to an interface if one was specified, and also NOT to
934
869
bind to an address or port if they were not specified."""
935
if self.interface is not None:
936
if SO_BINDTODEVICE is None:
937
logger.error(u"SO_BINDTODEVICE does not exist;"
938
u" cannot bind to interface %s",
939
self.interface)
940
else:
941
try:
942
self.socket.setsockopt(socket.SOL_SOCKET,
943
SO_BINDTODEVICE,
944
str(self.interface
945
+ u'\0'))
946
except socket.error, error:
947
if error[0] == errno.EPERM:
948
logger.error(u"No permission to"
949
u" bind to interface %s",
950
self.interface)
951
elif error[0] == errno.ENOPROTOOPT:
952
logger.error(u"SO_BINDTODEVICE not available;"
953
u" cannot bind to interface %s",
954
self.interface)
955
else:
956
raise
870
if self.settings["interface"]:
871
# 25 is from /usr/include/asm-i486/socket.h
872
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
873
try:
874
self.socket.setsockopt(socket.SOL_SOCKET,
875
SO_BINDTODEVICE,
876
self.settings["interface"])
877
except socket.error, error:
878
if error[0] == errno.EPERM:
879
logger.error(u"No permission to"
880
u" bind to interface %s",
881
self.settings["interface"])
882
else:
883
raise
957
884
# Only bind(2) the socket if we really need to.
958
885
if self.server_address[0] or self.server_address[1]:
959
886
if not self.server_address[0]:
960
887
if self.address_family == socket.AF_INET6:
961
any_address = u"::" # in6addr_any
888
any_address = "::" # in6addr_any
962
889
else:
963
890
any_address = socket.INADDR_ANY
964
891
self.server_address = (any_address,
966
893
elif not self.server_address[1]:
967
894
self.server_address = (self.server_address[0],
968
895
0)
969
# if self.interface:
896
# if self.settings["interface"]:
970
897
# self.server_address = (self.server_address[0],
971
898
# 0, # port
972
899
# 0, # flowinfo
973
900
# if_nametoindex
974
# (self.interface))
975
return socketserver.TCPServer.server_bind(self)
976
977
978
class MandosServer(IPv6_TCPServer):
979
"""Mandos server.
980
981
Attributes:
982
clients: set of Client objects
983
gnutls_priority GnuTLS priority string
984
use_dbus: Boolean; to emit D-Bus signals or not
985
clients: set of Client objects
986
gnutls_priority GnuTLS priority string
987
use_dbus: Boolean; to emit D-Bus signals or not
988
989
Assumes a gobject.MainLoop event loop.
990
"""
991
def __init__(self, server_address, RequestHandlerClass,
992
interface=None, use_ipv6=True, clients=None,
993
gnutls_priority=None, use_dbus=True):
994
self.enabled = False
995
self.clients = clients
996
if self.clients is None:
997
self.clients = set()
998
self.use_dbus = use_dbus
999
self.gnutls_priority = gnutls_priority
1000
IPv6_TCPServer.__init__(self, server_address,
1001
RequestHandlerClass,
1002
interface = interface,
1003
use_ipv6 = use_ipv6)
901
# (self.settings
902
# ["interface"]))
903
return super(IPv6_TCPServer, self).server_bind()
1004
904
def server_activate(self):
1005
905
if self.enabled:
1006
return socketserver.TCPServer.server_activate(self)
906
return super(IPv6_TCPServer, self).server_activate()
1007
907
def enable(self):
1008
908
self.enabled = True
1009
def add_pipe(self, pipe):
1010
# Call "handle_ipc" for both data and EOF events
1011
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1012
self.handle_ipc)
1013
909
def handle_ipc(self, source, condition, file_objects={}):
1014
910
condition_names = {
1015
gobject.IO_IN: u"IN", # There is data to read.
1016
gobject.IO_OUT: u"OUT", # Data can be written (without
1017
# blocking).
1018
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1019
gobject.IO_ERR: u"ERR", # Error condition.
1020
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1021
# broken, usually for pipes and
1022
# sockets).
911
gobject.IO_IN: "IN", # There is data to read.
912
gobject.IO_OUT: "OUT", # Data can be written (without
913
# blocking).
914
gobject.IO_PRI: "PRI", # There is urgent data to read.
915
gobject.IO_ERR: "ERR", # Error condition.
916
gobject.IO_HUP: "HUP" # Hung up (the connection has been
917
# broken, usually for pipes and
918
# sockets).
1023
919
}
1024
920
conditions_string = ' | '.join(name
1025
921
for cond, name in
1026
922
condition_names.iteritems()
1027
923
if cond & condition)
1028
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
924
logger.debug("Handling IPC: FD = %d, condition = %s", source,
1029
925
conditions_string)
1030
926
1031
927
# Turn the pipe file descriptor into a Python file object
1032
928
if source not in file_objects:
1033
file_objects[source] = os.fdopen(source, u"r", 1)
929
file_objects[source] = os.fdopen(source, "r", 1)
1034
930
1035
931
# Read a line from the file object
1036
932
cmdline = file_objects[source].readline()
1042
938
# Stop calling this function
1043
939
return False
1044
940
1045
logger.debug(u"IPC command: %r", cmdline)
941
logger.debug("IPC command: %r\n" % cmdline)
1046
942
1047
943
# Parse and act on command
1048
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1049
1050
if cmd == u"NOTFOUND":
1051
logger.warning(u"Client not found for fingerprint: %s",
1052
args)
1053
if self.use_dbus:
944
cmd, args = cmdline.split(None, 1)
945
if cmd == "NOTFOUND":
946
if self.settings["use_dbus"]:
1054
947
# Emit D-Bus signal
1055
948
mandos_dbus_service.ClientNotFound(args)
1056
elif cmd == u"INVALID":
1057
for client in self.clients:
1058
if client.name == args:
1059
logger.warning(u"Client %s is invalid", args)
1060
if self.use_dbus:
949
elif cmd == "INVALID":
950
if self.settings["use_dbus"]:
951
for client in self.clients:
952
if client.name == args:
1061
953
# Emit D-Bus signal
1062
954
client.Rejected()
1063
break
1064
else:
1065
logger.error(u"Unknown client %s is invalid", args)
1066
elif cmd == u"SENDING":
955
break
956
elif cmd == "SENDING":
1067
957
for client in self.clients:
1068
958
if client.name == args:
1069
logger.info(u"Sending secret to %s", client.name)
1070
959
client.checked_ok()
1071
if self.use_dbus:
960
if self.settings["use_dbus"]:
1072
961
# Emit D-Bus signal
1073
962
client.ReceivedSecret()
1074
963
break
1075
else:
1076
logger.error(u"Sending secret to unknown client %s",
1077
args)
1078
964
else:
1079
logger.error(u"Unknown IPC command: %r", cmdline)
965
logger.error("Unknown IPC command: %r", cmdline)
1080
966
1081
967
# Keep calling this function
1082
968
return True
1085
971
def string_to_delta(interval):
1086
972
"""Parse a string and return a datetime.timedelta
1087
973
1088
>>> string_to_delta(u'7d')
974
>>> string_to_delta('7d')
1089
975
datetime.timedelta(7)
1090
>>> string_to_delta(u'60s')
976
>>> string_to_delta('60s')
1091
977
datetime.timedelta(0, 60)
1092
>>> string_to_delta(u'60m')
978
>>> string_to_delta('60m')
1093
979
datetime.timedelta(0, 3600)
1094
>>> string_to_delta(u'24h')
980
>>> string_to_delta('24h')
1095
981
datetime.timedelta(1)
1096
982
>>> string_to_delta(u'1w')
1097
983
datetime.timedelta(7)
1098
>>> string_to_delta(u'5m 30s')
984
>>> string_to_delta('5m 30s')
1099
985
datetime.timedelta(0, 330)
1100
986
"""
1101
987
timevalue = datetime.timedelta(0)
1121
1007
return timevalue
1122
1008
1123
1009
1010
def server_state_changed(state):
1011
"""Derived from the Avahi example code"""
1012
if state == avahi.SERVER_COLLISION:
1013
logger.error(u"Zeroconf server name collision")
1014
service.remove()
1015
elif state == avahi.SERVER_RUNNING:
1016
service.add()
1017
1018
1019
def entry_group_state_changed(state, error):
1020
"""Derived from the Avahi example code"""
1021
logger.debug(u"Avahi state change: %i", state)
1022
1023
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1024
logger.debug(u"Zeroconf service established.")
1025
elif state == avahi.ENTRY_GROUP_COLLISION:
1026
logger.warning(u"Zeroconf service name collision.")
1027
service.rename()
1028
elif state == avahi.ENTRY_GROUP_FAILURE:
1029
logger.critical(u"Avahi: Error in group state changed %s",
1030
unicode(error))
1031
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1032
1124
1033
def if_nametoindex(interface):
1125
"""Call the C function if_nametoindex(), or equivalent
1126
1127
Note: This function cannot accept a unicode string."""
1034
"""Call the C function if_nametoindex(), or equivalent"""
1128
1035
global if_nametoindex
1129
1036
try:
1130
1037
if_nametoindex = (ctypes.cdll.LoadLibrary
1131
(ctypes.util.find_library(u"c"))
1038
(ctypes.util.find_library("c"))
1132
1039
.if_nametoindex)
1133
1040
except (OSError, AttributeError):
1134
logger.warning(u"Doing if_nametoindex the hard way")
1041
if "struct" not in sys.modules:
1042
import struct
1043
if "fcntl" not in sys.modules:
1044
import fcntl
1135
1045
def if_nametoindex(interface):
1136
1046
"Get an interface index the hard way, i.e. using fcntl()"
1137
1047
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1138
1048
with closing(socket.socket()) as s:
1139
1049
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1140
struct.pack(str(u"16s16x"),
1141
interface))
1142
interface_index = struct.unpack(str(u"I"),
1143
ifreq[16:20])[0]
1050
struct.pack("16s16x", interface))
1051
interface_index = struct.unpack("I", ifreq[16:20])[0]
1144
1052
return interface_index
1145
1053
return if_nametoindex(interface)
1146
1054
1147
1055
1148
1056
def daemon(nochdir = False, noclose = False):
1149
1057
"""See daemon(3). Standard BSD Unix function.
1150
1151
1058
This should really exist as os.daemon, but it doesn't (yet)."""
1152
1059
if os.fork():
1153
1060
sys.exit()
1154
1061
os.setsid()
1155
1062
if not nochdir:
1156
os.chdir(u"/")
1063
os.chdir("/")
1157
1064
if os.fork():
1158
1065
sys.exit()
1159
1066
if not noclose:
1161
1068
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1162
1069
if not stat.S_ISCHR(os.fstat(null).st_mode):
1163
1070
raise OSError(errno.ENODEV,
1164
u"/dev/null not a character device")
1071
"/dev/null not a character device")
1165
1072
os.dup2(null, sys.stdin.fileno())
1166
1073
os.dup2(null, sys.stdout.fileno())
1167
1074
os.dup2(null, sys.stderr.fileno())
1175
1082
# Parsing of options, both command line and config file
1176
1083
1177
1084
parser = optparse.OptionParser(version = "%%prog %s" % version)
1178
parser.add_option("-i", u"--interface", type=u"string",
1179
metavar="IF", help=u"Bind to interface IF")
1180
parser.add_option("-a", u"--address", type=u"string",
1181
help=u"Address to listen for requests on")
1182
parser.add_option("-p", u"--port", type=u"int",
1183
help=u"Port number to receive requests on")
1184
parser.add_option("--check", action=u"store_true",
1185
help=u"Run self-test")
1186
parser.add_option("--debug", action=u"store_true",
1187
help=u"Debug mode; run in foreground and log to"
1188
u" terminal")
1189
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1190
u" priority string (see GnuTLS documentation)")
1191
parser.add_option("--servicename", type=u"string",
1192
metavar=u"NAME", help=u"Zeroconf service name")
1193
parser.add_option("--configdir", type=u"string",
1194
default=u"/etc/mandos", metavar=u"DIR",
1195
help=u"Directory to search for configuration"
1196
u" files")
1197
parser.add_option("--no-dbus", action=u"store_false",
1198
dest=u"use_dbus", help=u"Do not provide D-Bus"
1199
u" system bus interface")
1200
parser.add_option("--no-ipv6", action=u"store_false",
1201
dest=u"use_ipv6", help=u"Do not use IPv6")
1085
parser.add_option("-i", "--interface", type="string",
1086
metavar="IF", help="Bind to interface IF")
1087
parser.add_option("-a", "--address", type="string",
1088
help="Address to listen for requests on")
1089
parser.add_option("-p", "--port", type="int",
1090
help="Port number to receive requests on")
1091
parser.add_option("--check", action="store_true",
1092
help="Run self-test")
1093
parser.add_option("--debug", action="store_true",
1094
help="Debug mode; run in foreground and log to"
1095
" terminal")
1096
parser.add_option("--priority", type="string", help="GnuTLS"
1097
" priority string (see GnuTLS documentation)")
1098
parser.add_option("--servicename", type="string", metavar="NAME",
1099
help="Zeroconf service name")
1100
parser.add_option("--configdir", type="string",
1101
default="/etc/mandos", metavar="DIR",
1102
help="Directory to search for configuration"
1103
" files")
1104
parser.add_option("--no-dbus", action="store_false",
1105
dest="use_dbus",
1106
help="Do not provide D-Bus system bus"
1107
" interface")
1108
parser.add_option("--no-ipv6", action="store_false",
1109
dest="use_ipv6", help="Do not use IPv6")
1202
1110
options = parser.parse_args()[0]
1203
1111
1204
1112
if options.check:
1207
1115
sys.exit()
1208
1116
1209
1117
# Default values for config file for server-global settings
1210
server_defaults = { u"interface": u"",
1211
u"address": u"",
1212
u"port": u"",
1213
u"debug": u"False",
1214
u"priority":
1215
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1216
u"servicename": u"Mandos",
1217
u"use_dbus": u"True",
1218
u"use_ipv6": u"True",
1118
server_defaults = { "interface": "",
1119
"address": "",
1120
"port": "",
1121
"debug": "False",
1122
"priority":
1123
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1124
"servicename": "Mandos",
1125
"use_dbus": "True",
1126
"use_ipv6": "True",
1219
1127
}
1220
1128
1221
1129
# Parse config file for server-global settings
1222
server_config = configparser.SafeConfigParser(server_defaults)
1130
server_config = ConfigParser.SafeConfigParser(server_defaults)
1223
1131
del server_defaults
1224
server_config.read(os.path.join(options.configdir,
1225
u"mandos.conf"))
1132
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1226
1133
# Convert the SafeConfigParser object to a dict
1227
1134
server_settings = server_config.defaults()
1228
1135
# Use the appropriate methods on the non-string config options
1229
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1230
server_settings[option] = server_config.getboolean(u"DEFAULT",
1231
option)
1136
server_settings["debug"] = server_config.getboolean("DEFAULT",
1137
"debug")
1138
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1139
"use_dbus")
1140
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1141
"use_ipv6")
1232
1142
if server_settings["port"]:
1233
server_settings["port"] = server_config.getint(u"DEFAULT",
1234
u"port")
1143
server_settings["port"] = server_config.getint("DEFAULT",
1144
"port")
1235
1145
del server_config
1236
1146
1237
1147
# Override the settings from the config file with command line
1238
1148
# options, if set.
1239
for option in (u"interface", u"address", u"port", u"debug",
1240
u"priority", u"servicename", u"configdir",
1241
u"use_dbus", u"use_ipv6"):
1149
for option in ("interface", "address", "port", "debug",
1150
"priority", "servicename", "configdir",
1151
"use_dbus", "use_ipv6"):
1242
1152
value = getattr(options, option)
1243
1153
if value is not None:
1244
1154
server_settings[option] = value
1245
1155
del options
1246
# Force all strings to be unicode
1247
for option in server_settings.keys():
1248
if type(server_settings[option]) is str:
1249
server_settings[option] = unicode(server_settings[option])
1250
1156
# Now we have our good server settings in "server_settings"
1251
1157
1252
1158
##################################################################
1253
1159
1254
1160
# For convenience
1255
debug = server_settings[u"debug"]
1256
use_dbus = server_settings[u"use_dbus"]
1257
use_ipv6 = server_settings[u"use_ipv6"]
1161
debug = server_settings["debug"]
1162
use_dbus = server_settings["use_dbus"]
1163
use_ipv6 = server_settings["use_ipv6"]
1258
1164
1259
1165
if not debug:
1260
1166
syslogger.setLevel(logging.WARNING)
1261
1167
console.setLevel(logging.WARNING)
1262
1168
1263
if server_settings[u"servicename"] != u"Mandos":
1169
if server_settings["servicename"] != "Mandos":
1264
1170
syslogger.setFormatter(logging.Formatter
1265
(u'Mandos (%s) [%%(process)d]:'
1266
u' %%(levelname)s: %%(message)s'
1267
% server_settings[u"servicename"]))
1171
('Mandos (%s) [%%(process)d]:'
1172
' %%(levelname)s: %%(message)s'
1173
% server_settings["servicename"]))
1268
1174
1269
1175
# Parse config file with clients
1270
client_defaults = { u"timeout": u"1h",
1271
u"interval": u"5m",
1272
u"checker": u"fping -q -- %%(host)s",
1273
u"host": u"",
1176
client_defaults = { "timeout": "1h",
1177
"interval": "5m",
1178
"checker": "fping -q -- %%(host)s",
1179
"host": "",
1274
1180
}
1275
client_config = configparser.SafeConfigParser(client_defaults)
1276
client_config.read(os.path.join(server_settings[u"configdir"],
1277
u"clients.conf"))
1278
1181
client_config = ConfigParser.SafeConfigParser(client_defaults)
1182
client_config.read(os.path.join(server_settings["configdir"],
1183
"clients.conf"))
1184
1279
1185
global mandos_dbus_service
1280
1186
mandos_dbus_service = None
1281
1187
1282
tcp_server = MandosServer((server_settings[u"address"],
1283
server_settings[u"port"]),
1284
ClientHandler,
1285
interface=server_settings[u"interface"],
1286
use_ipv6=use_ipv6,
1287
gnutls_priority=
1288
server_settings[u"priority"],
1289
use_dbus=use_dbus)
1290
pidfilename = u"/var/run/mandos.pid"
1188
clients = Set()
1189
tcp_server = IPv6_TCPServer((server_settings["address"],
1190
server_settings["port"]),
1191
TCP_handler,
1192
settings=server_settings,
1193
clients=clients, use_ipv6=use_ipv6)
1194
pidfilename = "/var/run/mandos.pid"
1291
1195
try:
1292
pidfile = open(pidfilename, u"w")
1196
pidfile = open(pidfilename, "w")
1293
1197
except IOError:
1294
logger.error(u"Could not open file %r", pidfilename)
1198
logger.error("Could not open file %r", pidfilename)
1295
1199
1296
1200
try:
1297
uid = pwd.getpwnam(u"_mandos").pw_uid
1298
gid = pwd.getpwnam(u"_mandos").pw_gid
1201
uid = pwd.getpwnam("_mandos").pw_uid
1202
gid = pwd.getpwnam("_mandos").pw_gid
1299
1203
except KeyError:
1300
1204
try:
1301
uid = pwd.getpwnam(u"mandos").pw_uid
1302
gid = pwd.getpwnam(u"mandos").pw_gid
1205
uid = pwd.getpwnam("mandos").pw_uid
1206
gid = pwd.getpwnam("mandos").pw_gid
1303
1207
except KeyError:
1304
1208
try:
1305
uid = pwd.getpwnam(u"nobody").pw_uid
1306
gid = pwd.getpwnam(u"nobody").pw_gid
1209
uid = pwd.getpwnam("nobody").pw_uid
1210
gid = pwd.getpwnam("nogroup").pw_gid
1307
1211
except KeyError:
1308
1212
uid = 65534
1309
1213
gid = 65534
1322
1226
1323
1227
@gnutls.library.types.gnutls_log_func
1324
1228
def debug_gnutls(level, string):
1325
logger.debug(u"GnuTLS: %s", string[:-1])
1229
logger.debug("GnuTLS: %s", string[:-1])
1326
1230
1327
1231
(gnutls.library.functions
1328
1232
.gnutls_global_set_log_function(debug_gnutls))
1329
1233
1234
global service
1235
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1236
service = AvahiService(name = server_settings["servicename"],
1237
servicetype = "_mandos._tcp",
1238
protocol = protocol)
1239
if server_settings["interface"]:
1240
service.interface = (if_nametoindex
1241
(server_settings["interface"]))
1242
1330
1243
global main_loop
1244
global bus
1245
global server
1331
1246
# From the Avahi example code
1332
1247
DBusGMainLoop(set_as_default=True )
1333
1248
main_loop = gobject.MainLoop()
1334
1249
bus = dbus.SystemBus()
1250
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1251
avahi.DBUS_PATH_SERVER),
1252
avahi.DBUS_INTERFACE_SERVER)
1335
1253
# End of Avahi example code
1336
1254
if use_dbus:
1337
1255
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1338
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1339
service = AvahiService(name = server_settings[u"servicename"],
1340
servicetype = u"_mandos._tcp",
1341
protocol = protocol, bus = bus)
1342
if server_settings["interface"]:
1343
service.interface = (if_nametoindex
1344
(str(server_settings[u"interface"])))
1345
1256
1346
1257
client_class = Client
1347
1258
if use_dbus:
1348
client_class = functools.partial(ClientDBus, bus = bus)
1349
tcp_server.clients.update(set(
1259
client_class = ClientDBus
1260
clients.update(Set(
1350
1261
client_class(name = section,
1351
1262
config= dict(client_config.items(section)))
1352
1263
for section in client_config.sections()))
1353
if not tcp_server.clients:
1264
if not clients:
1354
1265
logger.warning(u"No clients defined")
1355
1266
1356
1267
if debug:
1380
1291
1381
1292
def cleanup():
1382
1293
"Cleanup function; run on exit"
1383
service.cleanup()
1294
global group
1295
# From the Avahi example code
1296
if not group is None:
1297
group.Free()
1298
group = None
1299
# End of Avahi example code
1384
1300
1385
while tcp_server.clients:
1386
client = tcp_server.clients.pop()
1301
while clients:
1302
client = clients.pop()
1387
1303
client.disable_hook = None
1388
1304
client.disable()
1389
1305
1398
1314
class MandosDBusService(dbus.service.Object):
1399
1315
"""A D-Bus proxy object"""
1400
1316
def __init__(self):
1401
dbus.service.Object.__init__(self, bus, u"/")
1317
dbus.service.Object.__init__(self, bus, "/")
1402
1318
_interface = u"se.bsnet.fukt.Mandos"
1403
1319
1404
@dbus.service.signal(_interface, signature=u"oa{sv}")
1320
@dbus.service.signal(_interface, signature="oa{sv}")
1405
1321
def ClientAdded(self, objpath, properties):
1406
1322
"D-Bus signal"
1407
1323
pass
1408
1324
1409
@dbus.service.signal(_interface, signature=u"s")
1325
@dbus.service.signal(_interface, signature="s")
1410
1326
def ClientNotFound(self, fingerprint):
1411
1327
"D-Bus signal"
1412
1328
pass
1413
1329
1414
@dbus.service.signal(_interface, signature=u"os")
1330
@dbus.service.signal(_interface, signature="os")
1415
1331
def ClientRemoved(self, objpath, name):
1416
1332
"D-Bus signal"
1417
1333
pass
1418
1334
1419
@dbus.service.method(_interface, out_signature=u"ao")
1335
@dbus.service.method(_interface, out_signature="ao")
1420
1336
def GetAllClients(self):
1421
1337
"D-Bus method"
1422
return dbus.Array(c.dbus_object_path
1423
for c in tcp_server.clients)
1338
return dbus.Array(c.dbus_object_path for c in clients)
1424
1339
1425
@dbus.service.method(_interface,
1426
out_signature=u"a{oa{sv}}")
1340
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1427
1341
def GetAllClientsWithProperties(self):
1428
1342
"D-Bus method"
1429
1343
return dbus.Dictionary(
1430
1344
((c.dbus_object_path, c.GetAllProperties())
1431
for c in tcp_server.clients),
1432
signature=u"oa{sv}")
1345
for c in clients),
1346
signature="oa{sv}")
1433
1347
1434
@dbus.service.method(_interface, in_signature=u"o")
1348
@dbus.service.method(_interface, in_signature="o")
1435
1349
def RemoveClient(self, object_path):
1436
1350
"D-Bus method"
1437
for c in tcp_server.clients:
1351
for c in clients:
1438
1352
if c.dbus_object_path == object_path:
1439
tcp_server.clients.remove(c)
1353
clients.remove(c)
1440
1354
c.remove_from_connection()
1441
1355
# Don't signal anything except ClientRemoved
1442
1356
c.disable(signal=False)
1449
1363
1450
1364
mandos_dbus_service = MandosDBusService()
1451
1365
1452
for client in tcp_server.clients:
1366
for client in clients:
1453
1367
if use_dbus:
1454
1368
# Emit D-Bus signal
1455
1369
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1473
1387
1474
1388
try:
1475
1389
# From the Avahi example code
1390
server.connect_to_signal("StateChanged", server_state_changed)
1476
1391
try:
1477
service.activate()
1392
server_state_changed(server.GetState())
1478
1393
except dbus.exceptions.DBusException, error:
1479
1394
logger.critical(u"DBusException: %s", error)
1480
1395
sys.exit(1)
1493
1408
except KeyboardInterrupt:
1494
1409
if debug:
1495
1410
print >> sys.stderr
1496
logger.debug(u"Server received KeyboardInterrupt")
1497
logger.debug(u"Server exiting")
1411
logger.debug("Server received KeyboardInterrupt")
1412
logger.debug("Server exiting")
1498
1413
1499
1414
if __name__ == '__main__':
1500
1415
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0