To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 328
- compare with another revision
- download diff
- download tarball
- view history from revision 328
- Committer: Teddy Hogeborn
- Date: 2009-03-31 01:32:12 UTC
- Revision ID: teddy@fukt.bsnet.se-20090331013212-yes2wy6njzlyniaa
* mandos (Client): Move all D-Bus code to new "ClientDBus" class.
(Client.start_checker): Bug fix: update "current_checker_command" in
all cases.
(ClientDBus): New class.
(main): Use Client or ClientDBus depending on "use_dbus".
(main/MandosDBusService.RemoveClient): Bug fix: make sure the client
is removed from the D-Bus.
(Client.start_checker): Bug fix: update "current_checker_command" in
all cases.
(ClientDBus): New class.
(main): Use Client or ClientDBus depending on "use_dbus".
(main/MandosDBusService.RemoveClient): Bug fix: make sure the client
is removed from the D-Bus.
- files modified:
- Makefile
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
56
57
import logging.handlers
57
58
import pwd
58
59
from contextlib import closing
59
import struct
60
import fcntl
61
import functools
62
60
63
61
import dbus
64
62
import dbus.service
68
66
import ctypes
69
67
import ctypes.util
70
68
71
try:
72
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
73
except AttributeError:
74
try:
75
from IN import SO_BINDTODEVICE
76
except ImportError:
77
SO_BINDTODEVICE = None
78
79
80
version = "1.0.11"
81
82
logger = logging.Logger(u'mandos')
69
version = "1.0.8"
70
71
logger = logging.Logger('mandos')
83
72
syslogger = (logging.handlers.SysLogHandler
84
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
74
address = "/dev/log"))
86
75
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
89
78
logger.addHandler(syslogger)
90
79
91
80
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
95
83
logger.addHandler(console)
96
84
97
85
class AvahiError(Exception):
110
98
111
99
class AvahiService(object):
112
100
"""An Avahi (Zeroconf) service.
113
114
101
Attributes:
115
102
interface: integer; avahi.IF_UNSPEC or an interface index.
116
103
Used to optionally bind to the specified interface.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
119
106
See <http://www.dns-sd.org/ServiceTypes.html>
120
107
port: integer; what port to announce
121
108
TXT: list of strings; TXT record for the service
124
111
max_renames: integer; maximum number of renames
125
112
rename_count: integer; counter so we only rename after collisions
126
113
a sensible number of times
127
group: D-Bus Entry Group
128
server: D-Bus Server
129
bus: dbus.SystemBus()
130
114
"""
131
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
132
116
servicetype = None, port = None, TXT = None,
133
domain = u"", host = u"", max_renames = 32768,
134
protocol = avahi.PROTO_UNSPEC, bus = None):
117
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
135
119
self.interface = interface
136
120
self.name = name
137
121
self.type = servicetype
142
126
self.rename_count = 0
143
127
self.max_renames = max_renames
144
128
self.protocol = protocol
145
self.group = None # our entry group
146
self.server = None
147
self.bus = bus
148
129
def rename(self):
149
130
"""Derived from the Avahi example code"""
150
131
if self.rename_count >= self.max_renames:
152
133
u" after %i retries, exiting.",
153
134
self.rename_count)
154
135
raise AvahiServiceError(u"Too many renames")
155
self.name = self.server.GetAlternativeServiceName(self.name)
136
self.name = server.GetAlternativeServiceName(self.name)
156
137
logger.info(u"Changing Zeroconf service name to %r ...",
157
unicode(self.name))
138
str(self.name))
158
139
syslogger.setFormatter(logging.Formatter
159
(u'Mandos (%s) [%%(process)d]:'
160
u' %%(levelname)s: %%(message)s'
140
('Mandos (%s) [%%(process)d]:'
141
' %%(levelname)s: %%(message)s'
161
142
% self.name))
162
143
self.remove()
163
144
self.add()
164
145
self.rename_count += 1
165
146
def remove(self):
166
147
"""Derived from the Avahi example code"""
167
if self.group is not None:
168
self.group.Reset()
148
if group is not None:
149
group.Reset()
169
150
def add(self):
170
151
"""Derived from the Avahi example code"""
171
if self.group is None:
172
self.group = dbus.Interface(
173
self.bus.get_object(avahi.DBUS_NAME,
174
self.server.EntryGroupNew()),
175
avahi.DBUS_INTERFACE_ENTRY_GROUP)
176
self.group.connect_to_signal('StateChanged',
177
self.entry_group_state_changed)
152
global group
153
if group is None:
154
group = dbus.Interface(bus.get_object
155
(avahi.DBUS_NAME,
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
178
160
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
179
self.name, self.type)
180
self.group.AddService(
181
self.interface,
182
self.protocol,
183
dbus.UInt32(0), # flags
184
self.name, self.type,
185
self.domain, self.host,
186
dbus.UInt16(self.port),
187
avahi.string_array_to_txt_array(self.TXT))
188
self.group.Commit()
189
def entry_group_state_changed(self, state, error):
190
"""Derived from the Avahi example code"""
191
logger.debug(u"Avahi state change: %i", state)
192
193
if state == avahi.ENTRY_GROUP_ESTABLISHED:
194
logger.debug(u"Zeroconf service established.")
195
elif state == avahi.ENTRY_GROUP_COLLISION:
196
logger.warning(u"Zeroconf service name collision.")
197
self.rename()
198
elif state == avahi.ENTRY_GROUP_FAILURE:
199
logger.critical(u"Avahi: Error in group state changed %s",
200
unicode(error))
201
raise AvahiGroupError(u"State changed: %s"
202
% unicode(error))
203
def cleanup(self):
204
"""Derived from the Avahi example code"""
205
if self.group is not None:
206
self.group.Free()
207
self.group = None
208
def server_state_changed(self, state):
209
"""Derived from the Avahi example code"""
210
if state == avahi.SERVER_COLLISION:
211
logger.error(u"Zeroconf server name collision")
212
self.remove()
213
elif state == avahi.SERVER_RUNNING:
214
self.add()
215
def activate(self):
216
"""Derived from the Avahi example code"""
217
if self.server is None:
218
self.server = dbus.Interface(
219
self.bus.get_object(avahi.DBUS_NAME,
220
avahi.DBUS_PATH_SERVER),
221
avahi.DBUS_INTERFACE_SERVER)
222
self.server.connect_to_signal(u"StateChanged",
223
self.server_state_changed)
224
self.server_state_changed(self.server.GetState())
161
service.name, service.type)
162
group.AddService(
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
170
group.Commit()
171
172
# From the Avahi example code:
173
group = None # our entry group
174
# End of Avahi example code
175
176
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
225
180
226
181
227
182
class Client(object):
228
183
"""A representation of a client host served by this server.
229
230
184
Attributes:
231
185
name: string; from the config file, used in log messages and
232
186
D-Bus identifiers
254
208
instance %(name)s can be used in the command.
255
209
current_checker_command: string; current running checker_command
256
210
"""
257
258
@staticmethod
259
def _datetime_to_milliseconds(dt):
260
"Convert a datetime.datetime() to milliseconds"
261
return ((dt.days * 24 * 60 * 60 * 1000)
262
+ (dt.seconds * 1000)
263
+ (dt.microseconds // 1000))
264
265
211
def timeout_milliseconds(self):
266
212
"Return the 'timeout' attribute in milliseconds"
267
return self._datetime_to_milliseconds(self.timeout)
213
return ((self.timeout.days * 24 * 60 * 60 * 1000)
214
+ (self.timeout.seconds * 1000)
215
+ (self.timeout.microseconds // 1000))
268
216
269
217
def interval_milliseconds(self):
270
218
"Return the 'interval' attribute in milliseconds"
271
return self._datetime_to_milliseconds(self.interval)
219
return ((self.interval.days * 24 * 60 * 60 * 1000)
220
+ (self.interval.seconds * 1000)
221
+ (self.interval.microseconds // 1000))
272
222
273
223
def __init__(self, name = None, disable_hook=None, config=None):
274
224
"""Note: the 'checker' key in 'config' sets the
281
231
# Uppercase and remove spaces from fingerprint for later
282
232
# comparison purposes with return value from the fingerprint()
283
233
# function
284
self.fingerprint = (config[u"fingerprint"].upper()
234
self.fingerprint = (config["fingerprint"].upper()
285
235
.replace(u" ", u""))
286
236
logger.debug(u" Fingerprint: %s", self.fingerprint)
287
if u"secret" in config:
288
self.secret = config[u"secret"].decode(u"base64")
289
elif u"secfile" in config:
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
290
240
with closing(open(os.path.expanduser
291
241
(os.path.expandvars
292
(config[u"secfile"])))) as secfile:
242
(config["secfile"])))) as secfile:
293
243
self.secret = secfile.read()
294
244
else:
295
245
raise TypeError(u"No secret or secfile for client %s"
296
246
% self.name)
297
self.host = config.get(u"host", u"")
247
self.host = config.get("host", "")
298
248
self.created = datetime.datetime.utcnow()
299
249
self.enabled = False
300
250
self.last_enabled = None
301
251
self.last_checked_ok = None
302
self.timeout = string_to_delta(config[u"timeout"])
303
self.interval = string_to_delta(config[u"interval"])
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
304
254
self.disable_hook = disable_hook
305
255
self.checker = None
306
256
self.checker_initiator_tag = None
307
257
self.disable_initiator_tag = None
308
258
self.checker_callback_tag = None
309
self.checker_command = config[u"checker"]
259
self.checker_command = config["checker"]
310
260
self.current_checker_command = None
311
261
self.last_connect = None
312
262
313
263
def enable(self):
314
264
"""Start this client's checker and timeout hooks"""
315
if getattr(self, u"enabled", False):
316
# Already enabled
317
return
318
265
self.last_enabled = datetime.datetime.utcnow()
319
266
# Schedule a new checker to be started an 'interval' from now,
320
267
# and every interval from then on.
334
281
if not getattr(self, "enabled", False):
335
282
return False
336
283
logger.info(u"Disabling client %s", self.name)
337
if getattr(self, u"disable_initiator_tag", False):
284
if getattr(self, "disable_initiator_tag", False):
338
285
gobject.source_remove(self.disable_initiator_tag)
339
286
self.disable_initiator_tag = None
340
if getattr(self, u"checker_initiator_tag", False):
287
if getattr(self, "checker_initiator_tag", False):
341
288
gobject.source_remove(self.checker_initiator_tag)
342
289
self.checker_initiator_tag = None
343
290
self.stop_checker()
370
317
371
318
def checked_ok(self):
372
319
"""Bump up the timeout for this client.
373
374
320
This should only be called when the client has been seen,
375
321
alive and well.
376
322
"""
382
328
383
329
def start_checker(self):
384
330
"""Start a new checker subprocess if one is not running.
385
386
331
If a checker already exists, leave it running and do
387
332
nothing."""
388
333
# The reason for not killing a running checker is that if we
398
343
if self.checker is not None:
399
344
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
400
345
if pid:
401
logger.warning(u"Checker was a zombie")
346
logger.warning("Checker was a zombie")
402
347
gobject.source_remove(self.checker_callback_tag)
403
348
self.checker_callback(pid, status,
404
349
self.current_checker_command)
409
354
command = self.checker_command % self.host
410
355
except TypeError:
411
356
# Escape attributes for the shell
412
escaped_attrs = dict((key,
413
re.escape(unicode(str(val),
414
errors=
415
u'replace')))
357
escaped_attrs = dict((key, re.escape(str(val)))
416
358
for key, val in
417
359
vars(self).iteritems())
418
360
try:
431
373
# always replaced by /dev/null.)
432
374
self.checker = subprocess.Popen(command,
433
375
close_fds=True,
434
shell=True, cwd=u"/")
376
shell=True, cwd="/")
435
377
self.checker_callback_tag = (gobject.child_watch_add
436
378
(self.checker.pid,
437
379
self.checker_callback,
453
395
if self.checker_callback_tag:
454
396
gobject.source_remove(self.checker_callback_tag)
455
397
self.checker_callback_tag = None
456
if getattr(self, u"checker", None) is None:
398
if getattr(self, "checker", None) is None:
457
399
return
458
400
logger.debug(u"Stopping checker for %(name)s", vars(self))
459
401
try:
468
410
469
411
def still_valid(self):
470
412
"""Has the timeout not yet passed for this client?"""
471
if not getattr(self, u"enabled", False):
413
if not getattr(self, "enabled", False):
472
414
return False
473
415
now = datetime.datetime.utcnow()
474
416
if self.last_checked_ok is None:
479
421
480
422
class ClientDBus(Client, dbus.service.Object):
481
423
"""A Client class using D-Bus
482
483
424
Attributes:
484
dbus_object_path: dbus.ObjectPath
485
bus: dbus.SystemBus()
425
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
486
426
"""
487
427
# dbus.service.Object doesn't use super(), so we can't either.
488
428
489
def __init__(self, bus = None, *args, **kwargs):
490
self.bus = bus
429
def __init__(self, *args, **kwargs):
491
430
Client.__init__(self, *args, **kwargs)
492
431
# Only now, when this client is initialized, can it show up on
493
432
# the D-Bus
494
433
self.dbus_object_path = (dbus.ObjectPath
495
(u"/clients/"
496
+ self.name.replace(u".", u"_")))
497
dbus.service.Object.__init__(self, self.bus,
434
("/clients/"
435
+ self.name.replace(".", "_")))
436
dbus.service.Object.__init__(self, bus,
498
437
self.dbus_object_path)
499
500
@staticmethod
501
def _datetime_to_dbus(dt, variant_level=0):
502
"""Convert a UTC datetime.datetime() to a D-Bus type."""
503
return dbus.String(dt.isoformat(),
504
variant_level=variant_level)
505
506
438
def enable(self):
507
oldstate = getattr(self, u"enabled", False)
439
oldstate = getattr(self, "enabled", False)
508
440
r = Client.enable(self)
509
441
if oldstate != self.enabled:
510
442
# Emit D-Bus signals
511
443
self.PropertyChanged(dbus.String(u"enabled"),
512
444
dbus.Boolean(True, variant_level=1))
513
self.PropertyChanged(
514
dbus.String(u"last_enabled"),
515
self._datetime_to_dbus(self.last_enabled,
516
variant_level=1))
445
self.PropertyChanged(dbus.String(u"last_enabled"),
446
(_datetime_to_dbus(self.last_enabled,
447
variant_level=1)))
517
448
return r
518
449
519
450
def disable(self, signal = True):
520
oldstate = getattr(self, u"enabled", False)
451
oldstate = getattr(self, "enabled", False)
521
452
r = Client.disable(self)
522
453
if signal and oldstate != self.enabled:
523
454
# Emit D-Bus signal
528
459
def __del__(self, *args, **kwargs):
529
460
try:
530
461
self.remove_from_connection()
531
except LookupError:
462
except org.freedesktop.DBus.Python.LookupError:
532
463
pass
533
if hasattr(dbus.service.Object, u"__del__"):
534
dbus.service.Object.__del__(self, *args, **kwargs)
464
dbus.service.Object.__del__(self, *args, **kwargs)
535
465
Client.__del__(self, *args, **kwargs)
536
466
537
467
def checker_callback(self, pid, condition, command,
561
491
# Emit D-Bus signal
562
492
self.PropertyChanged(
563
493
dbus.String(u"last_checked_ok"),
564
(self._datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)))
494
(_datetime_to_dbus(self.last_checked_ok,
495
variant_level=1)))
566
496
return r
567
497
568
498
def start_checker(self, *args, **kwargs):
572
502
else:
573
503
old_checker_pid = None
574
504
r = Client.start_checker(self, *args, **kwargs)
575
# Only if new checker process was started
576
if (self.checker is not None
577
and old_checker_pid != self.checker.pid):
578
# Emit D-Bus signal
505
# Only emit D-Bus signal if new checker process was started
506
if ((self.checker is not None)
507
and not (old_checker is not None
508
and old_checker_pid == self.checker.pid)):
579
509
self.CheckerStarted(self.current_checker_command)
580
510
self.PropertyChanged(
581
dbus.String(u"checker_running"),
511
dbus.String("checker_running"),
582
512
dbus.Boolean(True, variant_level=1))
583
513
return r
584
514
585
515
def stop_checker(self, *args, **kwargs):
586
old_checker = getattr(self, u"checker", None)
516
old_checker = getattr(self, "checker", None)
587
517
r = Client.stop_checker(self, *args, **kwargs)
588
518
if (old_checker is not None
589
and getattr(self, u"checker", None) is None):
519
and getattr(self, "checker", None) is None):
590
520
self.PropertyChanged(dbus.String(u"checker_running"),
591
521
dbus.Boolean(False, variant_level=1))
592
522
return r
595
525
_interface = u"se.bsnet.fukt.Mandos.Client"
596
526
597
527
# CheckedOK - method
598
@dbus.service.method(_interface)
599
def CheckedOK(self):
600
return self.checked_ok()
528
CheckedOK = dbus.service.method(_interface)(checked_ok)
529
CheckedOK.__name__ = "CheckedOK"
601
530
602
531
# CheckerCompleted - signal
603
@dbus.service.signal(_interface, signature=u"nxs")
532
@dbus.service.signal(_interface, signature="nxs")
604
533
def CheckerCompleted(self, exitcode, waitstatus, command):
605
534
"D-Bus signal"
606
535
pass
607
536
608
537
# CheckerStarted - signal
609
@dbus.service.signal(_interface, signature=u"s")
538
@dbus.service.signal(_interface, signature="s")
610
539
def CheckerStarted(self, command):
611
540
"D-Bus signal"
612
541
pass
613
542
614
543
# GetAllProperties - method
615
@dbus.service.method(_interface, out_signature=u"a{sv}")
544
@dbus.service.method(_interface, out_signature="a{sv}")
616
545
def GetAllProperties(self):
617
546
"D-Bus method"
618
547
return dbus.Dictionary({
619
dbus.String(u"name"):
548
dbus.String("name"):
620
549
dbus.String(self.name, variant_level=1),
621
dbus.String(u"fingerprint"):
550
dbus.String("fingerprint"):
622
551
dbus.String(self.fingerprint, variant_level=1),
623
dbus.String(u"host"):
552
dbus.String("host"):
624
553
dbus.String(self.host, variant_level=1),
625
dbus.String(u"created"):
626
self._datetime_to_dbus(self.created,
627
variant_level=1),
628
dbus.String(u"last_enabled"):
629
(self._datetime_to_dbus(self.last_enabled,
630
variant_level=1)
554
dbus.String("created"):
555
_datetime_to_dbus(self.created, variant_level=1),
556
dbus.String("last_enabled"):
557
(_datetime_to_dbus(self.last_enabled,
558
variant_level=1)
631
559
if self.last_enabled is not None
632
560
else dbus.Boolean(False, variant_level=1)),
633
dbus.String(u"enabled"):
561
dbus.String("enabled"):
634
562
dbus.Boolean(self.enabled, variant_level=1),
635
dbus.String(u"last_checked_ok"):
636
(self._datetime_to_dbus(self.last_checked_ok,
637
variant_level=1)
563
dbus.String("last_checked_ok"):
564
(_datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)
638
566
if self.last_checked_ok is not None
639
567
else dbus.Boolean (False, variant_level=1)),
640
dbus.String(u"timeout"):
568
dbus.String("timeout"):
641
569
dbus.UInt64(self.timeout_milliseconds(),
642
570
variant_level=1),
643
dbus.String(u"interval"):
571
dbus.String("interval"):
644
572
dbus.UInt64(self.interval_milliseconds(),
645
573
variant_level=1),
646
dbus.String(u"checker"):
574
dbus.String("checker"):
647
575
dbus.String(self.checker_command,
648
576
variant_level=1),
649
dbus.String(u"checker_running"):
577
dbus.String("checker_running"):
650
578
dbus.Boolean(self.checker is not None,
651
579
variant_level=1),
652
dbus.String(u"object_path"):
580
dbus.String("object_path"):
653
581
dbus.ObjectPath(self.dbus_object_path,
654
582
variant_level=1)
655
}, signature=u"sv")
583
}, signature="sv")
656
584
657
585
# IsStillValid - method
658
@dbus.service.method(_interface, out_signature=u"b")
586
@dbus.service.method(_interface, out_signature="b")
659
587
def IsStillValid(self):
660
588
return self.still_valid()
661
589
662
590
# PropertyChanged - signal
663
@dbus.service.signal(_interface, signature=u"sv")
591
@dbus.service.signal(_interface, signature="sv")
664
592
def PropertyChanged(self, property, value):
665
593
"D-Bus signal"
666
594
pass
678
606
pass
679
607
680
608
# SetChecker - method
681
@dbus.service.method(_interface, in_signature=u"s")
609
@dbus.service.method(_interface, in_signature="s")
682
610
def SetChecker(self, checker):
683
611
"D-Bus setter method"
684
612
self.checker_command = checker
688
616
variant_level=1))
689
617
690
618
# SetHost - method
691
@dbus.service.method(_interface, in_signature=u"s")
619
@dbus.service.method(_interface, in_signature="s")
692
620
def SetHost(self, host):
693
621
"D-Bus setter method"
694
622
self.host = host
697
625
dbus.String(self.host, variant_level=1))
698
626
699
627
# SetInterval - method
700
@dbus.service.method(_interface, in_signature=u"t")
628
@dbus.service.method(_interface, in_signature="t")
701
629
def SetInterval(self, milliseconds):
702
630
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
703
631
# Emit D-Bus signal
706
634
variant_level=1)))
707
635
708
636
# SetSecret - method
709
@dbus.service.method(_interface, in_signature=u"ay",
637
@dbus.service.method(_interface, in_signature="ay",
710
638
byte_arrays=True)
711
639
def SetSecret(self, secret):
712
640
"D-Bus setter method"
713
641
self.secret = str(secret)
714
642
715
643
# SetTimeout - method
716
@dbus.service.method(_interface, in_signature=u"t")
644
@dbus.service.method(_interface, in_signature="t")
717
645
def SetTimeout(self, milliseconds):
718
646
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
719
647
# Emit D-Bus signal
722
650
variant_level=1)))
723
651
724
652
# Enable - method
725
@dbus.service.method(_interface)
726
def Enable(self):
727
"D-Bus method"
728
self.enable()
653
Enable = dbus.service.method(_interface)(enable)
654
Enable.__name__ = "Enable"
729
655
730
656
# StartChecker - method
731
657
@dbus.service.method(_interface)
740
666
self.disable()
741
667
742
668
# StopChecker - method
743
@dbus.service.method(_interface)
744
def StopChecker(self):
745
self.stop_checker()
669
StopChecker = dbus.service.method(_interface)(stop_checker)
670
StopChecker.__name__ = "StopChecker"
746
671
747
672
del _interface
748
673
749
674
750
class ClientHandler(socketserver.BaseRequestHandler, object):
751
"""A class to handle client connections.
752
753
Instantiated once for each connection to handle it.
675
def peer_certificate(session):
676
"Return the peer's OpenPGP certificate as a bytestring"
677
# If not an OpenPGP certificate...
678
if (gnutls.library.functions
679
.gnutls_certificate_type_get(session._c_object)
680
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
681
# ...do the normal thing
682
return session.peer_certificate
683
list_size = ctypes.c_uint(1)
684
cert_list = (gnutls.library.functions
685
.gnutls_certificate_get_peers
686
(session._c_object, ctypes.byref(list_size)))
687
if not bool(cert_list) and list_size.value != 0:
688
raise gnutls.errors.GNUTLSError("error getting peer"
689
" certificate")
690
if list_size.value == 0:
691
return None
692
cert = cert_list[0]
693
return ctypes.string_at(cert.data, cert.size)
694
695
696
def fingerprint(openpgp):
697
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
698
# New GnuTLS "datum" with the OpenPGP public key
699
datum = (gnutls.library.types
700
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
701
ctypes.POINTER
702
(ctypes.c_ubyte)),
703
ctypes.c_uint(len(openpgp))))
704
# New empty GnuTLS certificate
705
crt = gnutls.library.types.gnutls_openpgp_crt_t()
706
(gnutls.library.functions
707
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
708
# Import the OpenPGP public key into the certificate
709
(gnutls.library.functions
710
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
711
gnutls.library.constants
712
.GNUTLS_OPENPGP_FMT_RAW))
713
# Verify the self signature in the key
714
crtverify = ctypes.c_uint()
715
(gnutls.library.functions
716
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
717
if crtverify.value != 0:
718
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
719
raise gnutls.errors.CertificateSecurityError("Verify failed")
720
# New buffer for the fingerprint
721
buf = ctypes.create_string_buffer(20)
722
buf_len = ctypes.c_size_t()
723
# Get the fingerprint from the certificate into the buffer
724
(gnutls.library.functions
725
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
726
ctypes.byref(buf_len)))
727
# Deinit the certificate
728
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
729
# Convert the buffer to a Python bytestring
730
fpr = ctypes.string_at(buf, buf_len.value)
731
# Convert the bytestring to hexadecimal notation
732
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
733
return hex_fpr
734
735
736
class TCP_handler(SocketServer.BaseRequestHandler, object):
737
"""A TCP request handler class.
738
Instantiated by IPv6_TCPServer for each request to handle it.
754
739
Note: This will run in its own forked process."""
755
740
756
741
def handle(self):
758
743
unicode(self.client_address))
759
744
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
760
745
# Open IPC pipe to parent process
761
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
746
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
762
747
session = (gnutls.connection
763
748
.ClientSession(self.request,
764
749
gnutls.connection
778
763
# no X.509 keys are added to it. Therefore, we can use it
779
764
# here despite using OpenPGP certificates.
780
765
781
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
782
# u"+AES-256-CBC", u"+SHA1",
783
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
784
# u"+DHE-DSS"))
766
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
767
# "+AES-256-CBC", "+SHA1",
768
# "+COMP-NULL", "+CTYPE-OPENPGP",
769
# "+DHE-DSS"))
785
770
# Use a fallback default, since this MUST be set.
786
priority = self.server.gnutls_priority
787
if priority is None:
788
priority = u"NORMAL"
771
priority = self.server.settings.get("priority", "NORMAL")
789
772
(gnutls.library.functions
790
773
.gnutls_priority_set_direct(session._c_object,
791
774
priority, None))
799
782
return
800
783
logger.debug(u"Handshake succeeded")
801
784
try:
802
fpr = self.fingerprint(self.peer_certificate(session))
785
fpr = fingerprint(peer_certificate(session))
803
786
except (TypeError, gnutls.errors.GNUTLSError), error:
804
787
logger.warning(u"Bad certificate: %s", error)
805
788
session.bye()
811
794
client = c
812
795
break
813
796
else:
814
ipc.write(u"NOTFOUND %s %s\n"
815
% (fpr, unicode(self.client_address)))
797
logger.warning(u"Client not found for fingerprint: %s",
798
fpr)
799
ipc.write("NOTFOUND %s\n" % fpr)
816
800
session.bye()
817
801
return
818
802
# Have to check if client.still_valid(), since it is
819
803
# possible that the client timed out while establishing
820
804
# the GnuTLS session.
821
805
if not client.still_valid():
822
ipc.write(u"INVALID %s\n" % client.name)
806
logger.warning(u"Client %(name)s is invalid",
807
vars(client))
808
ipc.write("INVALID %s\n" % client.name)
823
809
session.bye()
824
810
return
825
ipc.write(u"SENDING %s\n" % client.name)
811
ipc.write("SENDING %s\n" % client.name)
826
812
sent_size = 0
827
813
while sent_size < len(client.secret):
828
814
sent = session.send(client.secret[sent_size:])
831
817
- (sent_size + sent))
832
818
sent_size += sent
833
819
session.bye()
834
835
@staticmethod
836
def peer_certificate(session):
837
"Return the peer's OpenPGP certificate as a bytestring"
838
# If not an OpenPGP certificate...
839
if (gnutls.library.functions
840
.gnutls_certificate_type_get(session._c_object)
841
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
842
# ...do the normal thing
843
return session.peer_certificate
844
list_size = ctypes.c_uint(1)
845
cert_list = (gnutls.library.functions
846
.gnutls_certificate_get_peers
847
(session._c_object, ctypes.byref(list_size)))
848
if not bool(cert_list) and list_size.value != 0:
849
raise gnutls.errors.GNUTLSError(u"error getting peer"
850
u" certificate")
851
if list_size.value == 0:
852
return None
853
cert = cert_list[0]
854
return ctypes.string_at(cert.data, cert.size)
855
856
@staticmethod
857
def fingerprint(openpgp):
858
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
859
# New GnuTLS "datum" with the OpenPGP public key
860
datum = (gnutls.library.types
861
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
862
ctypes.POINTER
863
(ctypes.c_ubyte)),
864
ctypes.c_uint(len(openpgp))))
865
# New empty GnuTLS certificate
866
crt = gnutls.library.types.gnutls_openpgp_crt_t()
867
(gnutls.library.functions
868
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
869
# Import the OpenPGP public key into the certificate
870
(gnutls.library.functions
871
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
872
gnutls.library.constants
873
.GNUTLS_OPENPGP_FMT_RAW))
874
# Verify the self signature in the key
875
crtverify = ctypes.c_uint()
876
(gnutls.library.functions
877
.gnutls_openpgp_crt_verify_self(crt, 0,
878
ctypes.byref(crtverify)))
879
if crtverify.value != 0:
880
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
881
raise (gnutls.errors.CertificateSecurityError
882
(u"Verify failed"))
883
# New buffer for the fingerprint
884
buf = ctypes.create_string_buffer(20)
885
buf_len = ctypes.c_size_t()
886
# Get the fingerprint from the certificate into the buffer
887
(gnutls.library.functions
888
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
889
ctypes.byref(buf_len)))
890
# Deinit the certificate
891
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
892
# Convert the buffer to a Python bytestring
893
fpr = ctypes.string_at(buf, buf_len.value)
894
# Convert the bytestring to hexadecimal notation
895
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
896
return hex_fpr
897
898
899
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
900
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
820
821
822
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
823
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
824
Assumes a gobject.MainLoop event loop.
825
"""
901
826
def process_request(self, request, client_address):
902
"""Overrides and wraps the original process_request().
903
904
This function creates a new pipe in self.pipe
827
"""This overrides and wraps the original process_request().
828
This function creates a new pipe in self.pipe
905
829
"""
906
830
self.pipe = os.pipe()
907
831
super(ForkingMixInWithPipe,
908
832
self).process_request(request, client_address)
909
833
os.close(self.pipe[1]) # close write end
910
self.add_pipe(self.pipe[0])
911
def add_pipe(self, pipe):
834
# Call "handle_ipc" for both data and EOF events
835
gobject.io_add_watch(self.pipe[0],
836
gobject.IO_IN | gobject.IO_HUP,
837
self.handle_ipc)
838
def handle_ipc(source, condition):
912
839
"""Dummy function; override as necessary"""
913
os.close(pipe)
840
os.close(source)
841
return False
914
842
915
843
916
844
class IPv6_TCPServer(ForkingMixInWithPipe,
917
socketserver.TCPServer, object):
845
SocketServer.TCPServer, object):
918
846
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
919
920
847
Attributes:
848
settings: Server settings
849
clients: Set() of Client objects
921
850
enabled: Boolean; whether this server is activated yet
922
interface: None or a network interface name (string)
923
use_ipv6: Boolean; to use IPv6 or not
924
851
"""
925
def __init__(self, server_address, RequestHandlerClass,
926
interface=None, use_ipv6=True):
927
self.interface = interface
928
if use_ipv6:
929
self.address_family = socket.AF_INET6
930
socketserver.TCPServer.__init__(self, server_address,
931
RequestHandlerClass)
852
address_family = socket.AF_INET6
853
def __init__(self, *args, **kwargs):
854
if "settings" in kwargs:
855
self.settings = kwargs["settings"]
856
del kwargs["settings"]
857
if "clients" in kwargs:
858
self.clients = kwargs["clients"]
859
del kwargs["clients"]
860
if "use_ipv6" in kwargs:
861
if not kwargs["use_ipv6"]:
862
self.address_family = socket.AF_INET
863
del kwargs["use_ipv6"]
864
self.enabled = False
865
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
932
866
def server_bind(self):
933
867
"""This overrides the normal server_bind() function
934
868
to bind to an interface if one was specified, and also NOT to
935
869
bind to an address or port if they were not specified."""
936
if self.interface is not None:
937
if SO_BINDTODEVICE is None:
938
logger.error(u"SO_BINDTODEVICE does not exist;"
939
u" cannot bind to interface %s",
940
self.interface)
941
else:
942
try:
943
self.socket.setsockopt(socket.SOL_SOCKET,
944
SO_BINDTODEVICE,
945
str(self.interface
946
+ u'\0'))
947
except socket.error, error:
948
if error[0] == errno.EPERM:
949
logger.error(u"No permission to"
950
u" bind to interface %s",
951
self.interface)
952
elif error[0] == errno.ENOPROTOOPT:
953
logger.error(u"SO_BINDTODEVICE not available;"
954
u" cannot bind to interface %s",
955
self.interface)
956
else:
957
raise
870
if self.settings["interface"]:
871
# 25 is from /usr/include/asm-i486/socket.h
872
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
873
try:
874
self.socket.setsockopt(socket.SOL_SOCKET,
875
SO_BINDTODEVICE,
876
self.settings["interface"])
877
except socket.error, error:
878
if error[0] == errno.EPERM:
879
logger.error(u"No permission to"
880
u" bind to interface %s",
881
self.settings["interface"])
882
else:
883
raise
958
884
# Only bind(2) the socket if we really need to.
959
885
if self.server_address[0] or self.server_address[1]:
960
886
if not self.server_address[0]:
961
887
if self.address_family == socket.AF_INET6:
962
any_address = u"::" # in6addr_any
888
any_address = "::" # in6addr_any
963
889
else:
964
890
any_address = socket.INADDR_ANY
965
891
self.server_address = (any_address,
967
893
elif not self.server_address[1]:
968
894
self.server_address = (self.server_address[0],
969
895
0)
970
# if self.interface:
896
# if self.settings["interface"]:
971
897
# self.server_address = (self.server_address[0],
972
898
# 0, # port
973
899
# 0, # flowinfo
974
900
# if_nametoindex
975
# (self.interface))
976
return socketserver.TCPServer.server_bind(self)
977
978
979
class MandosServer(IPv6_TCPServer):
980
"""Mandos server.
981
982
Attributes:
983
clients: set of Client objects
984
gnutls_priority GnuTLS priority string
985
use_dbus: Boolean; to emit D-Bus signals or not
986
clients: set of Client objects
987
gnutls_priority GnuTLS priority string
988
use_dbus: Boolean; to emit D-Bus signals or not
989
990
Assumes a gobject.MainLoop event loop.
991
"""
992
def __init__(self, server_address, RequestHandlerClass,
993
interface=None, use_ipv6=True, clients=None,
994
gnutls_priority=None, use_dbus=True):
995
self.enabled = False
996
self.clients = clients
997
if self.clients is None:
998
self.clients = set()
999
self.use_dbus = use_dbus
1000
self.gnutls_priority = gnutls_priority
1001
IPv6_TCPServer.__init__(self, server_address,
1002
RequestHandlerClass,
1003
interface = interface,
1004
use_ipv6 = use_ipv6)
901
# (self.settings
902
# ["interface"]))
903
return super(IPv6_TCPServer, self).server_bind()
1005
904
def server_activate(self):
1006
905
if self.enabled:
1007
return socketserver.TCPServer.server_activate(self)
906
return super(IPv6_TCPServer, self).server_activate()
1008
907
def enable(self):
1009
908
self.enabled = True
1010
def add_pipe(self, pipe):
1011
# Call "handle_ipc" for both data and EOF events
1012
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1013
self.handle_ipc)
1014
909
def handle_ipc(self, source, condition, file_objects={}):
1015
910
condition_names = {
1016
gobject.IO_IN: u"IN", # There is data to read.
1017
gobject.IO_OUT: u"OUT", # Data can be written (without
1018
# blocking).
1019
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1020
gobject.IO_ERR: u"ERR", # Error condition.
1021
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1022
# broken, usually for pipes and
1023
# sockets).
911
gobject.IO_IN: "IN", # There is data to read.
912
gobject.IO_OUT: "OUT", # Data can be written (without
913
# blocking).
914
gobject.IO_PRI: "PRI", # There is urgent data to read.
915
gobject.IO_ERR: "ERR", # Error condition.
916
gobject.IO_HUP: "HUP" # Hung up (the connection has been
917
# broken, usually for pipes and
918
# sockets).
1024
919
}
1025
920
conditions_string = ' | '.join(name
1026
921
for cond, name in
1027
922
condition_names.iteritems()
1028
923
if cond & condition)
1029
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
924
logger.debug("Handling IPC: FD = %d, condition = %s", source,
1030
925
conditions_string)
1031
926
1032
927
# Turn the pipe file descriptor into a Python file object
1033
928
if source not in file_objects:
1034
file_objects[source] = os.fdopen(source, u"r", 1)
929
file_objects[source] = os.fdopen(source, "r", 1)
1035
930
1036
931
# Read a line from the file object
1037
932
cmdline = file_objects[source].readline()
1043
938
# Stop calling this function
1044
939
return False
1045
940
1046
logger.debug(u"IPC command: %r", cmdline)
941
logger.debug("IPC command: %r\n" % cmdline)
1047
942
1048
943
# Parse and act on command
1049
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1050
1051
if cmd == u"NOTFOUND":
1052
logger.warning(u"Client not found for fingerprint: %s",
1053
args)
1054
if self.use_dbus:
944
cmd, args = cmdline.split(None, 1)
945
if cmd == "NOTFOUND":
946
if self.settings["use_dbus"]:
1055
947
# Emit D-Bus signal
1056
948
mandos_dbus_service.ClientNotFound(args)
1057
elif cmd == u"INVALID":
1058
for client in self.clients:
1059
if client.name == args:
1060
logger.warning(u"Client %s is invalid", args)
1061
if self.use_dbus:
949
elif cmd == "INVALID":
950
if self.settings["use_dbus"]:
951
for client in self.clients:
952
if client.name == args:
1062
953
# Emit D-Bus signal
1063
954
client.Rejected()
1064
break
1065
else:
1066
logger.error(u"Unknown client %s is invalid", args)
1067
elif cmd == u"SENDING":
955
break
956
elif cmd == "SENDING":
1068
957
for client in self.clients:
1069
958
if client.name == args:
1070
logger.info(u"Sending secret to %s", client.name)
1071
959
client.checked_ok()
1072
if self.use_dbus:
960
if self.settings["use_dbus"]:
1073
961
# Emit D-Bus signal
1074
962
client.ReceivedSecret()
1075
963
break
1076
else:
1077
logger.error(u"Sending secret to unknown client %s",
1078
args)
1079
964
else:
1080
logger.error(u"Unknown IPC command: %r", cmdline)
965
logger.error("Unknown IPC command: %r", cmdline)
1081
966
1082
967
# Keep calling this function
1083
968
return True
1086
971
def string_to_delta(interval):
1087
972
"""Parse a string and return a datetime.timedelta
1088
973
1089
>>> string_to_delta(u'7d')
974
>>> string_to_delta('7d')
1090
975
datetime.timedelta(7)
1091
>>> string_to_delta(u'60s')
976
>>> string_to_delta('60s')
1092
977
datetime.timedelta(0, 60)
1093
>>> string_to_delta(u'60m')
978
>>> string_to_delta('60m')
1094
979
datetime.timedelta(0, 3600)
1095
>>> string_to_delta(u'24h')
980
>>> string_to_delta('24h')
1096
981
datetime.timedelta(1)
1097
982
>>> string_to_delta(u'1w')
1098
983
datetime.timedelta(7)
1099
>>> string_to_delta(u'5m 30s')
984
>>> string_to_delta('5m 30s')
1100
985
datetime.timedelta(0, 330)
1101
986
"""
1102
987
timevalue = datetime.timedelta(0)
1122
1007
return timevalue
1123
1008
1124
1009
1010
def server_state_changed(state):
1011
"""Derived from the Avahi example code"""
1012
if state == avahi.SERVER_COLLISION:
1013
logger.error(u"Zeroconf server name collision")
1014
service.remove()
1015
elif state == avahi.SERVER_RUNNING:
1016
service.add()
1017
1018
1019
def entry_group_state_changed(state, error):
1020
"""Derived from the Avahi example code"""
1021
logger.debug(u"Avahi state change: %i", state)
1022
1023
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1024
logger.debug(u"Zeroconf service established.")
1025
elif state == avahi.ENTRY_GROUP_COLLISION:
1026
logger.warning(u"Zeroconf service name collision.")
1027
service.rename()
1028
elif state == avahi.ENTRY_GROUP_FAILURE:
1029
logger.critical(u"Avahi: Error in group state changed %s",
1030
unicode(error))
1031
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1032
1125
1033
def if_nametoindex(interface):
1126
"""Call the C function if_nametoindex(), or equivalent
1127
1128
Note: This function cannot accept a unicode string."""
1034
"""Call the C function if_nametoindex(), or equivalent"""
1129
1035
global if_nametoindex
1130
1036
try:
1131
1037
if_nametoindex = (ctypes.cdll.LoadLibrary
1132
(ctypes.util.find_library(u"c"))
1038
(ctypes.util.find_library("c"))
1133
1039
.if_nametoindex)
1134
1040
except (OSError, AttributeError):
1135
logger.warning(u"Doing if_nametoindex the hard way")
1041
if "struct" not in sys.modules:
1042
import struct
1043
if "fcntl" not in sys.modules:
1044
import fcntl
1136
1045
def if_nametoindex(interface):
1137
1046
"Get an interface index the hard way, i.e. using fcntl()"
1138
1047
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1139
1048
with closing(socket.socket()) as s:
1140
1049
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1141
struct.pack(str(u"16s16x"),
1142
interface))
1143
interface_index = struct.unpack(str(u"I"),
1144
ifreq[16:20])[0]
1050
struct.pack("16s16x", interface))
1051
interface_index = struct.unpack("I", ifreq[16:20])[0]
1145
1052
return interface_index
1146
1053
return if_nametoindex(interface)
1147
1054
1148
1055
1149
1056
def daemon(nochdir = False, noclose = False):
1150
1057
"""See daemon(3). Standard BSD Unix function.
1151
1152
1058
This should really exist as os.daemon, but it doesn't (yet)."""
1153
1059
if os.fork():
1154
1060
sys.exit()
1155
1061
os.setsid()
1156
1062
if not nochdir:
1157
os.chdir(u"/")
1063
os.chdir("/")
1158
1064
if os.fork():
1159
1065
sys.exit()
1160
1066
if not noclose:
1162
1068
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1163
1069
if not stat.S_ISCHR(os.fstat(null).st_mode):
1164
1070
raise OSError(errno.ENODEV,
1165
u"/dev/null not a character device")
1071
"/dev/null not a character device")
1166
1072
os.dup2(null, sys.stdin.fileno())
1167
1073
os.dup2(null, sys.stdout.fileno())
1168
1074
os.dup2(null, sys.stderr.fileno())
1176
1082
# Parsing of options, both command line and config file
1177
1083
1178
1084
parser = optparse.OptionParser(version = "%%prog %s" % version)
1179
parser.add_option("-i", u"--interface", type=u"string",
1180
metavar="IF", help=u"Bind to interface IF")
1181
parser.add_option("-a", u"--address", type=u"string",
1182
help=u"Address to listen for requests on")
1183
parser.add_option("-p", u"--port", type=u"int",
1184
help=u"Port number to receive requests on")
1185
parser.add_option("--check", action=u"store_true",
1186
help=u"Run self-test")
1187
parser.add_option("--debug", action=u"store_true",
1188
help=u"Debug mode; run in foreground and log to"
1189
u" terminal")
1190
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1191
u" priority string (see GnuTLS documentation)")
1192
parser.add_option("--servicename", type=u"string",
1193
metavar=u"NAME", help=u"Zeroconf service name")
1194
parser.add_option("--configdir", type=u"string",
1195
default=u"/etc/mandos", metavar=u"DIR",
1196
help=u"Directory to search for configuration"
1197
u" files")
1198
parser.add_option("--no-dbus", action=u"store_false",
1199
dest=u"use_dbus", help=u"Do not provide D-Bus"
1200
u" system bus interface")
1201
parser.add_option("--no-ipv6", action=u"store_false",
1202
dest=u"use_ipv6", help=u"Do not use IPv6")
1085
parser.add_option("-i", "--interface", type="string",
1086
metavar="IF", help="Bind to interface IF")
1087
parser.add_option("-a", "--address", type="string",
1088
help="Address to listen for requests on")
1089
parser.add_option("-p", "--port", type="int",
1090
help="Port number to receive requests on")
1091
parser.add_option("--check", action="store_true",
1092
help="Run self-test")
1093
parser.add_option("--debug", action="store_true",
1094
help="Debug mode; run in foreground and log to"
1095
" terminal")
1096
parser.add_option("--priority", type="string", help="GnuTLS"
1097
" priority string (see GnuTLS documentation)")
1098
parser.add_option("--servicename", type="string", metavar="NAME",
1099
help="Zeroconf service name")
1100
parser.add_option("--configdir", type="string",
1101
default="/etc/mandos", metavar="DIR",
1102
help="Directory to search for configuration"
1103
" files")
1104
parser.add_option("--no-dbus", action="store_false",
1105
dest="use_dbus",
1106
help="Do not provide D-Bus system bus"
1107
" interface")
1108
parser.add_option("--no-ipv6", action="store_false",
1109
dest="use_ipv6", help="Do not use IPv6")
1203
1110
options = parser.parse_args()[0]
1204
1111
1205
1112
if options.check:
1208
1115
sys.exit()
1209
1116
1210
1117
# Default values for config file for server-global settings
1211
server_defaults = { u"interface": u"",
1212
u"address": u"",
1213
u"port": u"",
1214
u"debug": u"False",
1215
u"priority":
1216
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1217
u"servicename": u"Mandos",
1218
u"use_dbus": u"True",
1219
u"use_ipv6": u"True",
1118
server_defaults = { "interface": "",
1119
"address": "",
1120
"port": "",
1121
"debug": "False",
1122
"priority":
1123
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1124
"servicename": "Mandos",
1125
"use_dbus": "True",
1126
"use_ipv6": "True",
1220
1127
}
1221
1128
1222
1129
# Parse config file for server-global settings
1223
server_config = configparser.SafeConfigParser(server_defaults)
1130
server_config = ConfigParser.SafeConfigParser(server_defaults)
1224
1131
del server_defaults
1225
server_config.read(os.path.join(options.configdir,
1226
u"mandos.conf"))
1132
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1227
1133
# Convert the SafeConfigParser object to a dict
1228
1134
server_settings = server_config.defaults()
1229
1135
# Use the appropriate methods on the non-string config options
1230
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1231
server_settings[option] = server_config.getboolean(u"DEFAULT",
1232
option)
1136
server_settings["debug"] = server_config.getboolean("DEFAULT",
1137
"debug")
1138
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1139
"use_dbus")
1140
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1141
"use_ipv6")
1233
1142
if server_settings["port"]:
1234
server_settings["port"] = server_config.getint(u"DEFAULT",
1235
u"port")
1143
server_settings["port"] = server_config.getint("DEFAULT",
1144
"port")
1236
1145
del server_config
1237
1146
1238
1147
# Override the settings from the config file with command line
1239
1148
# options, if set.
1240
for option in (u"interface", u"address", u"port", u"debug",
1241
u"priority", u"servicename", u"configdir",
1242
u"use_dbus", u"use_ipv6"):
1149
for option in ("interface", "address", "port", "debug",
1150
"priority", "servicename", "configdir",
1151
"use_dbus", "use_ipv6"):
1243
1152
value = getattr(options, option)
1244
1153
if value is not None:
1245
1154
server_settings[option] = value
1246
1155
del options
1247
# Force all strings to be unicode
1248
for option in server_settings.keys():
1249
if type(server_settings[option]) is str:
1250
server_settings[option] = unicode(server_settings[option])
1251
1156
# Now we have our good server settings in "server_settings"
1252
1157
1253
1158
##################################################################
1254
1159
1255
1160
# For convenience
1256
debug = server_settings[u"debug"]
1257
use_dbus = server_settings[u"use_dbus"]
1258
use_ipv6 = server_settings[u"use_ipv6"]
1161
debug = server_settings["debug"]
1162
use_dbus = server_settings["use_dbus"]
1163
use_ipv6 = server_settings["use_ipv6"]
1259
1164
1260
1165
if not debug:
1261
1166
syslogger.setLevel(logging.WARNING)
1262
1167
console.setLevel(logging.WARNING)
1263
1168
1264
if server_settings[u"servicename"] != u"Mandos":
1169
if server_settings["servicename"] != "Mandos":
1265
1170
syslogger.setFormatter(logging.Formatter
1266
(u'Mandos (%s) [%%(process)d]:'
1267
u' %%(levelname)s: %%(message)s'
1268
% server_settings[u"servicename"]))
1171
('Mandos (%s) [%%(process)d]:'
1172
' %%(levelname)s: %%(message)s'
1173
% server_settings["servicename"]))
1269
1174
1270
1175
# Parse config file with clients
1271
client_defaults = { u"timeout": u"1h",
1272
u"interval": u"5m",
1273
u"checker": u"fping -q -- %%(host)s",
1274
u"host": u"",
1176
client_defaults = { "timeout": "1h",
1177
"interval": "5m",
1178
"checker": "fping -q -- %%(host)s",
1179
"host": "",
1275
1180
}
1276
client_config = configparser.SafeConfigParser(client_defaults)
1277
client_config.read(os.path.join(server_settings[u"configdir"],
1278
u"clients.conf"))
1279
1181
client_config = ConfigParser.SafeConfigParser(client_defaults)
1182
client_config.read(os.path.join(server_settings["configdir"],
1183
"clients.conf"))
1184
1280
1185
global mandos_dbus_service
1281
1186
mandos_dbus_service = None
1282
1187
1283
tcp_server = MandosServer((server_settings[u"address"],
1284
server_settings[u"port"]),
1285
ClientHandler,
1286
interface=server_settings[u"interface"],
1287
use_ipv6=use_ipv6,
1288
gnutls_priority=
1289
server_settings[u"priority"],
1290
use_dbus=use_dbus)
1291
pidfilename = u"/var/run/mandos.pid"
1188
clients = Set()
1189
tcp_server = IPv6_TCPServer((server_settings["address"],
1190
server_settings["port"]),
1191
TCP_handler,
1192
settings=server_settings,
1193
clients=clients, use_ipv6=use_ipv6)
1194
pidfilename = "/var/run/mandos.pid"
1292
1195
try:
1293
pidfile = open(pidfilename, u"w")
1196
pidfile = open(pidfilename, "w")
1294
1197
except IOError:
1295
logger.error(u"Could not open file %r", pidfilename)
1198
logger.error("Could not open file %r", pidfilename)
1296
1199
1297
1200
try:
1298
uid = pwd.getpwnam(u"_mandos").pw_uid
1299
gid = pwd.getpwnam(u"_mandos").pw_gid
1201
uid = pwd.getpwnam("_mandos").pw_uid
1202
gid = pwd.getpwnam("_mandos").pw_gid
1300
1203
except KeyError:
1301
1204
try:
1302
uid = pwd.getpwnam(u"mandos").pw_uid
1303
gid = pwd.getpwnam(u"mandos").pw_gid
1205
uid = pwd.getpwnam("mandos").pw_uid
1206
gid = pwd.getpwnam("mandos").pw_gid
1304
1207
except KeyError:
1305
1208
try:
1306
uid = pwd.getpwnam(u"nobody").pw_uid
1307
gid = pwd.getpwnam(u"nobody").pw_gid
1209
uid = pwd.getpwnam("nobody").pw_uid
1210
gid = pwd.getpwnam("nogroup").pw_gid
1308
1211
except KeyError:
1309
1212
uid = 65534
1310
1213
gid = 65534
1323
1226
1324
1227
@gnutls.library.types.gnutls_log_func
1325
1228
def debug_gnutls(level, string):
1326
logger.debug(u"GnuTLS: %s", string[:-1])
1229
logger.debug("GnuTLS: %s", string[:-1])
1327
1230
1328
1231
(gnutls.library.functions
1329
1232
.gnutls_global_set_log_function(debug_gnutls))
1330
1233
1234
global service
1235
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1236
service = AvahiService(name = server_settings["servicename"],
1237
servicetype = "_mandos._tcp",
1238
protocol = protocol)
1239
if server_settings["interface"]:
1240
service.interface = (if_nametoindex
1241
(server_settings["interface"]))
1242
1331
1243
global main_loop
1244
global bus
1245
global server
1332
1246
# From the Avahi example code
1333
1247
DBusGMainLoop(set_as_default=True )
1334
1248
main_loop = gobject.MainLoop()
1335
1249
bus = dbus.SystemBus()
1250
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1251
avahi.DBUS_PATH_SERVER),
1252
avahi.DBUS_INTERFACE_SERVER)
1336
1253
# End of Avahi example code
1337
1254
if use_dbus:
1338
1255
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1339
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1340
service = AvahiService(name = server_settings[u"servicename"],
1341
servicetype = u"_mandos._tcp",
1342
protocol = protocol, bus = bus)
1343
if server_settings["interface"]:
1344
service.interface = (if_nametoindex
1345
(str(server_settings[u"interface"])))
1346
1256
1347
1257
client_class = Client
1348
1258
if use_dbus:
1349
client_class = functools.partial(ClientDBus, bus = bus)
1350
tcp_server.clients.update(set(
1259
client_class = ClientDBus
1260
clients.update(Set(
1351
1261
client_class(name = section,
1352
1262
config= dict(client_config.items(section)))
1353
1263
for section in client_config.sections()))
1354
if not tcp_server.clients:
1264
if not clients:
1355
1265
logger.warning(u"No clients defined")
1356
1266
1357
1267
if debug:
1381
1291
1382
1292
def cleanup():
1383
1293
"Cleanup function; run on exit"
1384
service.cleanup()
1294
global group
1295
# From the Avahi example code
1296
if not group is None:
1297
group.Free()
1298
group = None
1299
# End of Avahi example code
1385
1300
1386
while tcp_server.clients:
1387
client = tcp_server.clients.pop()
1301
while clients:
1302
client = clients.pop()
1388
1303
client.disable_hook = None
1389
1304
client.disable()
1390
1305
1399
1314
class MandosDBusService(dbus.service.Object):
1400
1315
"""A D-Bus proxy object"""
1401
1316
def __init__(self):
1402
dbus.service.Object.__init__(self, bus, u"/")
1317
dbus.service.Object.__init__(self, bus, "/")
1403
1318
_interface = u"se.bsnet.fukt.Mandos"
1404
1319
1405
@dbus.service.signal(_interface, signature=u"oa{sv}")
1320
@dbus.service.signal(_interface, signature="oa{sv}")
1406
1321
def ClientAdded(self, objpath, properties):
1407
1322
"D-Bus signal"
1408
1323
pass
1409
1324
1410
@dbus.service.signal(_interface, signature=u"s")
1325
@dbus.service.signal(_interface, signature="s")
1411
1326
def ClientNotFound(self, fingerprint):
1412
1327
"D-Bus signal"
1413
1328
pass
1414
1329
1415
@dbus.service.signal(_interface, signature=u"os")
1330
@dbus.service.signal(_interface, signature="os")
1416
1331
def ClientRemoved(self, objpath, name):
1417
1332
"D-Bus signal"
1418
1333
pass
1419
1334
1420
@dbus.service.method(_interface, out_signature=u"ao")
1335
@dbus.service.method(_interface, out_signature="ao")
1421
1336
def GetAllClients(self):
1422
1337
"D-Bus method"
1423
return dbus.Array(c.dbus_object_path
1424
for c in tcp_server.clients)
1338
return dbus.Array(c.dbus_object_path for c in clients)
1425
1339
1426
@dbus.service.method(_interface,
1427
out_signature=u"a{oa{sv}}")
1340
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1428
1341
def GetAllClientsWithProperties(self):
1429
1342
"D-Bus method"
1430
1343
return dbus.Dictionary(
1431
1344
((c.dbus_object_path, c.GetAllProperties())
1432
for c in tcp_server.clients),
1433
signature=u"oa{sv}")
1345
for c in clients),
1346
signature="oa{sv}")
1434
1347
1435
@dbus.service.method(_interface, in_signature=u"o")
1348
@dbus.service.method(_interface, in_signature="o")
1436
1349
def RemoveClient(self, object_path):
1437
1350
"D-Bus method"
1438
for c in tcp_server.clients:
1351
for c in clients:
1439
1352
if c.dbus_object_path == object_path:
1440
tcp_server.clients.remove(c)
1353
clients.remove(c)
1441
1354
c.remove_from_connection()
1442
1355
# Don't signal anything except ClientRemoved
1443
1356
c.disable(signal=False)
1450
1363
1451
1364
mandos_dbus_service = MandosDBusService()
1452
1365
1453
for client in tcp_server.clients:
1366
for client in clients:
1454
1367
if use_dbus:
1455
1368
# Emit D-Bus signal
1456
1369
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1474
1387
1475
1388
try:
1476
1389
# From the Avahi example code
1390
server.connect_to_signal("StateChanged", server_state_changed)
1477
1391
try:
1478
service.activate()
1392
server_state_changed(server.GetState())
1479
1393
except dbus.exceptions.DBusException, error:
1480
1394
logger.critical(u"DBusException: %s", error)
1481
1395
sys.exit(1)
1494
1408
except KeyboardInterrupt:
1495
1409
if debug:
1496
1410
print >> sys.stderr
1497
logger.debug(u"Server received KeyboardInterrupt")
1498
logger.debug(u"Server exiting")
1411
logger.debug("Server received KeyboardInterrupt")
1412
logger.debug("Server exiting")
1499
1413
1500
1414
if __name__ == '__main__':
1501
1415
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0