To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 329
- compare with another revision
- download diff
- download tarball
- view history from revision 329
- Committer: Teddy Hogeborn
- Date: 2009-04-01 03:37:45 UTC
- Revision ID: teddy@fukt.bsnet.se-20090401033745-c89k6bij5opdm1rk
* mandos (ClientDBus.__del__): Bug fix: Correct mispasted code, and do
not try to call
dbus.service.Object.__del__() if it
does not exist.
(ClientDBus.start_checker): Simplify logic.
not try to call
dbus.service.Object.__del__() if it
does not exist.
(ClientDBus.start_checker): Simplify logic.
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
56
57
import logging.handlers
57
58
import pwd
58
59
from contextlib import closing
59
import struct
60
import fcntl
61
import functools
62
60
63
61
import dbus
64
62
import dbus.service
68
66
import ctypes
69
67
import ctypes.util
70
68
71
try:
72
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
73
except AttributeError:
74
try:
75
from IN import SO_BINDTODEVICE
76
except ImportError:
77
SO_BINDTODEVICE = None
78
79
80
69
version = "1.0.8"
81
70
82
logger = logging.Logger(u'mandos')
71
logger = logging.Logger('mandos')
83
72
syslogger = (logging.handlers.SysLogHandler
84
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
74
address = "/dev/log"))
86
75
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
89
78
logger.addHandler(syslogger)
90
79
91
80
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
95
83
logger.addHandler(console)
96
84
97
85
class AvahiError(Exception):
110
98
111
99
class AvahiService(object):
112
100
"""An Avahi (Zeroconf) service.
113
114
101
Attributes:
115
102
interface: integer; avahi.IF_UNSPEC or an interface index.
116
103
Used to optionally bind to the specified interface.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
119
106
See <http://www.dns-sd.org/ServiceTypes.html>
120
107
port: integer; what port to announce
121
108
TXT: list of strings; TXT record for the service
124
111
max_renames: integer; maximum number of renames
125
112
rename_count: integer; counter so we only rename after collisions
126
113
a sensible number of times
127
group: D-Bus Entry Group
128
server: D-Bus Server
129
bus: dbus.SystemBus()
130
114
"""
131
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
132
116
servicetype = None, port = None, TXT = None,
133
domain = u"", host = u"", max_renames = 32768,
134
protocol = avahi.PROTO_UNSPEC, bus = None):
117
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
135
119
self.interface = interface
136
120
self.name = name
137
121
self.type = servicetype
142
126
self.rename_count = 0
143
127
self.max_renames = max_renames
144
128
self.protocol = protocol
145
self.group = None # our entry group
146
self.server = None
147
self.bus = bus
148
129
def rename(self):
149
130
"""Derived from the Avahi example code"""
150
131
if self.rename_count >= self.max_renames:
152
133
u" after %i retries, exiting.",
153
134
self.rename_count)
154
135
raise AvahiServiceError(u"Too many renames")
155
self.name = self.server.GetAlternativeServiceName(self.name)
136
self.name = server.GetAlternativeServiceName(self.name)
156
137
logger.info(u"Changing Zeroconf service name to %r ...",
157
unicode(self.name))
138
str(self.name))
158
139
syslogger.setFormatter(logging.Formatter
159
(u'Mandos (%s) [%%(process)d]:'
160
u' %%(levelname)s: %%(message)s'
140
('Mandos (%s) [%%(process)d]:'
141
' %%(levelname)s: %%(message)s'
161
142
% self.name))
162
143
self.remove()
163
144
self.add()
164
145
self.rename_count += 1
165
146
def remove(self):
166
147
"""Derived from the Avahi example code"""
167
if self.group is not None:
168
self.group.Reset()
148
if group is not None:
149
group.Reset()
169
150
def add(self):
170
151
"""Derived from the Avahi example code"""
171
if self.group is None:
172
self.group = dbus.Interface(
173
self.bus.get_object(avahi.DBUS_NAME,
174
self.server.EntryGroupNew()),
175
avahi.DBUS_INTERFACE_ENTRY_GROUP)
176
self.group.connect_to_signal('StateChanged',
177
self.entry_group_state_changed)
152
global group
153
if group is None:
154
group = dbus.Interface(bus.get_object
155
(avahi.DBUS_NAME,
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
178
160
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
179
self.name, self.type)
180
self.group.AddService(
181
self.interface,
182
self.protocol,
183
dbus.UInt32(0), # flags
184
self.name, self.type,
185
self.domain, self.host,
186
dbus.UInt16(self.port),
187
avahi.string_array_to_txt_array(self.TXT))
188
self.group.Commit()
189
def entry_group_state_changed(self, state, error):
190
"""Derived from the Avahi example code"""
191
logger.debug(u"Avahi state change: %i", state)
192
193
if state == avahi.ENTRY_GROUP_ESTABLISHED:
194
logger.debug(u"Zeroconf service established.")
195
elif state == avahi.ENTRY_GROUP_COLLISION:
196
logger.warning(u"Zeroconf service name collision.")
197
self.rename()
198
elif state == avahi.ENTRY_GROUP_FAILURE:
199
logger.critical(u"Avahi: Error in group state changed %s",
200
unicode(error))
201
raise AvahiGroupError(u"State changed: %s"
202
% unicode(error))
203
def cleanup(self):
204
"""Derived from the Avahi example code"""
205
if self.group is not None:
206
self.group.Free()
207
self.group = None
208
def server_state_changed(self, state):
209
"""Derived from the Avahi example code"""
210
if state == avahi.SERVER_COLLISION:
211
logger.error(u"Zeroconf server name collision")
212
self.remove()
213
elif state == avahi.SERVER_RUNNING:
214
self.add()
215
def activate(self):
216
"""Derived from the Avahi example code"""
217
if self.server is None:
218
self.server = dbus.Interface(
219
self.bus.get_object(avahi.DBUS_NAME,
220
avahi.DBUS_PATH_SERVER),
221
avahi.DBUS_INTERFACE_SERVER)
222
self.server.connect_to_signal(u"StateChanged",
223
self.server_state_changed)
224
self.server_state_changed(self.server.GetState())
161
service.name, service.type)
162
group.AddService(
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
170
group.Commit()
171
172
# From the Avahi example code:
173
group = None # our entry group
174
# End of Avahi example code
175
176
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
225
180
226
181
227
182
class Client(object):
228
183
"""A representation of a client host served by this server.
229
230
184
Attributes:
231
185
name: string; from the config file, used in log messages and
232
186
D-Bus identifiers
254
208
instance %(name)s can be used in the command.
255
209
current_checker_command: string; current running checker_command
256
210
"""
257
258
@staticmethod
259
def _datetime_to_milliseconds(dt):
260
"Convert a datetime.datetime() to milliseconds"
261
return ((dt.days * 24 * 60 * 60 * 1000)
262
+ (dt.seconds * 1000)
263
+ (dt.microseconds // 1000))
264
265
211
def timeout_milliseconds(self):
266
212
"Return the 'timeout' attribute in milliseconds"
267
return self._datetime_to_milliseconds(self.timeout)
213
return ((self.timeout.days * 24 * 60 * 60 * 1000)
214
+ (self.timeout.seconds * 1000)
215
+ (self.timeout.microseconds // 1000))
268
216
269
217
def interval_milliseconds(self):
270
218
"Return the 'interval' attribute in milliseconds"
271
return self._datetime_to_milliseconds(self.interval)
219
return ((self.interval.days * 24 * 60 * 60 * 1000)
220
+ (self.interval.seconds * 1000)
221
+ (self.interval.microseconds // 1000))
272
222
273
223
def __init__(self, name = None, disable_hook=None, config=None):
274
224
"""Note: the 'checker' key in 'config' sets the
281
231
# Uppercase and remove spaces from fingerprint for later
282
232
# comparison purposes with return value from the fingerprint()
283
233
# function
284
self.fingerprint = (config[u"fingerprint"].upper()
234
self.fingerprint = (config["fingerprint"].upper()
285
235
.replace(u" ", u""))
286
236
logger.debug(u" Fingerprint: %s", self.fingerprint)
287
if u"secret" in config:
288
self.secret = config[u"secret"].decode(u"base64")
289
elif u"secfile" in config:
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
290
240
with closing(open(os.path.expanduser
291
241
(os.path.expandvars
292
(config[u"secfile"])))) as secfile:
242
(config["secfile"])))) as secfile:
293
243
self.secret = secfile.read()
294
244
else:
295
245
raise TypeError(u"No secret or secfile for client %s"
296
246
% self.name)
297
self.host = config.get(u"host", u"")
247
self.host = config.get("host", "")
298
248
self.created = datetime.datetime.utcnow()
299
249
self.enabled = False
300
250
self.last_enabled = None
301
251
self.last_checked_ok = None
302
self.timeout = string_to_delta(config[u"timeout"])
303
self.interval = string_to_delta(config[u"interval"])
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
304
254
self.disable_hook = disable_hook
305
255
self.checker = None
306
256
self.checker_initiator_tag = None
307
257
self.disable_initiator_tag = None
308
258
self.checker_callback_tag = None
309
self.checker_command = config[u"checker"]
259
self.checker_command = config["checker"]
310
260
self.current_checker_command = None
311
261
self.last_connect = None
312
262
313
263
def enable(self):
314
264
"""Start this client's checker and timeout hooks"""
315
if getattr(self, u"enabled", False):
316
# Already enabled
317
return
318
265
self.last_enabled = datetime.datetime.utcnow()
319
266
# Schedule a new checker to be started an 'interval' from now,
320
267
# and every interval from then on.
334
281
if not getattr(self, "enabled", False):
335
282
return False
336
283
logger.info(u"Disabling client %s", self.name)
337
if getattr(self, u"disable_initiator_tag", False):
284
if getattr(self, "disable_initiator_tag", False):
338
285
gobject.source_remove(self.disable_initiator_tag)
339
286
self.disable_initiator_tag = None
340
if getattr(self, u"checker_initiator_tag", False):
287
if getattr(self, "checker_initiator_tag", False):
341
288
gobject.source_remove(self.checker_initiator_tag)
342
289
self.checker_initiator_tag = None
343
290
self.stop_checker()
370
317
371
318
def checked_ok(self):
372
319
"""Bump up the timeout for this client.
373
374
320
This should only be called when the client has been seen,
375
321
alive and well.
376
322
"""
382
328
383
329
def start_checker(self):
384
330
"""Start a new checker subprocess if one is not running.
385
386
331
If a checker already exists, leave it running and do
387
332
nothing."""
388
333
# The reason for not killing a running checker is that if we
398
343
if self.checker is not None:
399
344
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
400
345
if pid:
401
logger.warning(u"Checker was a zombie")
346
logger.warning("Checker was a zombie")
402
347
gobject.source_remove(self.checker_callback_tag)
403
348
self.checker_callback(pid, status,
404
349
self.current_checker_command)
409
354
command = self.checker_command % self.host
410
355
except TypeError:
411
356
# Escape attributes for the shell
412
escaped_attrs = dict((key,
413
re.escape(unicode(str(val),
414
errors=
415
u'replace')))
357
escaped_attrs = dict((key, re.escape(str(val)))
416
358
for key, val in
417
359
vars(self).iteritems())
418
360
try:
431
373
# always replaced by /dev/null.)
432
374
self.checker = subprocess.Popen(command,
433
375
close_fds=True,
434
shell=True, cwd=u"/")
376
shell=True, cwd="/")
435
377
self.checker_callback_tag = (gobject.child_watch_add
436
378
(self.checker.pid,
437
379
self.checker_callback,
453
395
if self.checker_callback_tag:
454
396
gobject.source_remove(self.checker_callback_tag)
455
397
self.checker_callback_tag = None
456
if getattr(self, u"checker", None) is None:
398
if getattr(self, "checker", None) is None:
457
399
return
458
400
logger.debug(u"Stopping checker for %(name)s", vars(self))
459
401
try:
468
410
469
411
def still_valid(self):
470
412
"""Has the timeout not yet passed for this client?"""
471
if not getattr(self, u"enabled", False):
413
if not getattr(self, "enabled", False):
472
414
return False
473
415
now = datetime.datetime.utcnow()
474
416
if self.last_checked_ok is None:
479
421
480
422
class ClientDBus(Client, dbus.service.Object):
481
423
"""A Client class using D-Bus
482
483
424
Attributes:
484
dbus_object_path: dbus.ObjectPath
485
bus: dbus.SystemBus()
425
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
486
426
"""
487
427
# dbus.service.Object doesn't use super(), so we can't either.
488
428
489
def __init__(self, bus = None, *args, **kwargs):
490
self.bus = bus
429
def __init__(self, *args, **kwargs):
491
430
Client.__init__(self, *args, **kwargs)
492
431
# Only now, when this client is initialized, can it show up on
493
432
# the D-Bus
494
433
self.dbus_object_path = (dbus.ObjectPath
495
(u"/clients/"
496
+ self.name.replace(u".", u"_")))
497
dbus.service.Object.__init__(self, self.bus,
434
("/clients/"
435
+ self.name.replace(".", "_")))
436
dbus.service.Object.__init__(self, bus,
498
437
self.dbus_object_path)
499
500
@staticmethod
501
def _datetime_to_dbus(dt, variant_level=0):
502
"""Convert a UTC datetime.datetime() to a D-Bus type."""
503
return dbus.String(dt.isoformat(),
504
variant_level=variant_level)
505
506
438
def enable(self):
507
oldstate = getattr(self, u"enabled", False)
439
oldstate = getattr(self, "enabled", False)
508
440
r = Client.enable(self)
509
441
if oldstate != self.enabled:
510
442
# Emit D-Bus signals
511
443
self.PropertyChanged(dbus.String(u"enabled"),
512
444
dbus.Boolean(True, variant_level=1))
513
self.PropertyChanged(
514
dbus.String(u"last_enabled"),
515
self._datetime_to_dbus(self.last_enabled,
516
variant_level=1))
445
self.PropertyChanged(dbus.String(u"last_enabled"),
446
(_datetime_to_dbus(self.last_enabled,
447
variant_level=1)))
517
448
return r
518
449
519
450
def disable(self, signal = True):
520
oldstate = getattr(self, u"enabled", False)
451
oldstate = getattr(self, "enabled", False)
521
452
r = Client.disable(self)
522
453
if signal and oldstate != self.enabled:
523
454
# Emit D-Bus signal
530
461
self.remove_from_connection()
531
462
except LookupError:
532
463
pass
533
if hasattr(dbus.service.Object, u"__del__"):
464
if hasattr(dbus.service.Object, "__del__"):
534
465
dbus.service.Object.__del__(self, *args, **kwargs)
535
466
Client.__del__(self, *args, **kwargs)
536
467
561
492
# Emit D-Bus signal
562
493
self.PropertyChanged(
563
494
dbus.String(u"last_checked_ok"),
564
(self._datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)))
495
(_datetime_to_dbus(self.last_checked_ok,
496
variant_level=1)))
566
497
return r
567
498
568
499
def start_checker(self, *args, **kwargs):
578
509
# Emit D-Bus signal
579
510
self.CheckerStarted(self.current_checker_command)
580
511
self.PropertyChanged(
581
dbus.String(u"checker_running"),
512
dbus.String("checker_running"),
582
513
dbus.Boolean(True, variant_level=1))
583
514
return r
584
515
585
516
def stop_checker(self, *args, **kwargs):
586
old_checker = getattr(self, u"checker", None)
517
old_checker = getattr(self, "checker", None)
587
518
r = Client.stop_checker(self, *args, **kwargs)
588
519
if (old_checker is not None
589
and getattr(self, u"checker", None) is None):
520
and getattr(self, "checker", None) is None):
590
521
self.PropertyChanged(dbus.String(u"checker_running"),
591
522
dbus.Boolean(False, variant_level=1))
592
523
return r
595
526
_interface = u"se.bsnet.fukt.Mandos.Client"
596
527
597
528
# CheckedOK - method
598
@dbus.service.method(_interface)
599
def CheckedOK(self):
600
return self.checked_ok()
529
CheckedOK = dbus.service.method(_interface)(checked_ok)
530
CheckedOK.__name__ = "CheckedOK"
601
531
602
532
# CheckerCompleted - signal
603
@dbus.service.signal(_interface, signature=u"nxs")
533
@dbus.service.signal(_interface, signature="nxs")
604
534
def CheckerCompleted(self, exitcode, waitstatus, command):
605
535
"D-Bus signal"
606
536
pass
607
537
608
538
# CheckerStarted - signal
609
@dbus.service.signal(_interface, signature=u"s")
539
@dbus.service.signal(_interface, signature="s")
610
540
def CheckerStarted(self, command):
611
541
"D-Bus signal"
612
542
pass
613
543
614
544
# GetAllProperties - method
615
@dbus.service.method(_interface, out_signature=u"a{sv}")
545
@dbus.service.method(_interface, out_signature="a{sv}")
616
546
def GetAllProperties(self):
617
547
"D-Bus method"
618
548
return dbus.Dictionary({
619
dbus.String(u"name"):
549
dbus.String("name"):
620
550
dbus.String(self.name, variant_level=1),
621
dbus.String(u"fingerprint"):
551
dbus.String("fingerprint"):
622
552
dbus.String(self.fingerprint, variant_level=1),
623
dbus.String(u"host"):
553
dbus.String("host"):
624
554
dbus.String(self.host, variant_level=1),
625
dbus.String(u"created"):
626
self._datetime_to_dbus(self.created,
627
variant_level=1),
628
dbus.String(u"last_enabled"):
629
(self._datetime_to_dbus(self.last_enabled,
630
variant_level=1)
555
dbus.String("created"):
556
_datetime_to_dbus(self.created, variant_level=1),
557
dbus.String("last_enabled"):
558
(_datetime_to_dbus(self.last_enabled,
559
variant_level=1)
631
560
if self.last_enabled is not None
632
561
else dbus.Boolean(False, variant_level=1)),
633
dbus.String(u"enabled"):
562
dbus.String("enabled"):
634
563
dbus.Boolean(self.enabled, variant_level=1),
635
dbus.String(u"last_checked_ok"):
636
(self._datetime_to_dbus(self.last_checked_ok,
637
variant_level=1)
564
dbus.String("last_checked_ok"):
565
(_datetime_to_dbus(self.last_checked_ok,
566
variant_level=1)
638
567
if self.last_checked_ok is not None
639
568
else dbus.Boolean (False, variant_level=1)),
640
dbus.String(u"timeout"):
569
dbus.String("timeout"):
641
570
dbus.UInt64(self.timeout_milliseconds(),
642
571
variant_level=1),
643
dbus.String(u"interval"):
572
dbus.String("interval"):
644
573
dbus.UInt64(self.interval_milliseconds(),
645
574
variant_level=1),
646
dbus.String(u"checker"):
575
dbus.String("checker"):
647
576
dbus.String(self.checker_command,
648
577
variant_level=1),
649
dbus.String(u"checker_running"):
578
dbus.String("checker_running"):
650
579
dbus.Boolean(self.checker is not None,
651
580
variant_level=1),
652
dbus.String(u"object_path"):
581
dbus.String("object_path"):
653
582
dbus.ObjectPath(self.dbus_object_path,
654
583
variant_level=1)
655
}, signature=u"sv")
584
}, signature="sv")
656
585
657
586
# IsStillValid - method
658
@dbus.service.method(_interface, out_signature=u"b")
587
@dbus.service.method(_interface, out_signature="b")
659
588
def IsStillValid(self):
660
589
return self.still_valid()
661
590
662
591
# PropertyChanged - signal
663
@dbus.service.signal(_interface, signature=u"sv")
592
@dbus.service.signal(_interface, signature="sv")
664
593
def PropertyChanged(self, property, value):
665
594
"D-Bus signal"
666
595
pass
678
607
pass
679
608
680
609
# SetChecker - method
681
@dbus.service.method(_interface, in_signature=u"s")
610
@dbus.service.method(_interface, in_signature="s")
682
611
def SetChecker(self, checker):
683
612
"D-Bus setter method"
684
613
self.checker_command = checker
688
617
variant_level=1))
689
618
690
619
# SetHost - method
691
@dbus.service.method(_interface, in_signature=u"s")
620
@dbus.service.method(_interface, in_signature="s")
692
621
def SetHost(self, host):
693
622
"D-Bus setter method"
694
623
self.host = host
697
626
dbus.String(self.host, variant_level=1))
698
627
699
628
# SetInterval - method
700
@dbus.service.method(_interface, in_signature=u"t")
629
@dbus.service.method(_interface, in_signature="t")
701
630
def SetInterval(self, milliseconds):
702
631
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
703
632
# Emit D-Bus signal
706
635
variant_level=1)))
707
636
708
637
# SetSecret - method
709
@dbus.service.method(_interface, in_signature=u"ay",
638
@dbus.service.method(_interface, in_signature="ay",
710
639
byte_arrays=True)
711
640
def SetSecret(self, secret):
712
641
"D-Bus setter method"
713
642
self.secret = str(secret)
714
643
715
644
# SetTimeout - method
716
@dbus.service.method(_interface, in_signature=u"t")
645
@dbus.service.method(_interface, in_signature="t")
717
646
def SetTimeout(self, milliseconds):
718
647
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
719
648
# Emit D-Bus signal
722
651
variant_level=1)))
723
652
724
653
# Enable - method
725
@dbus.service.method(_interface)
726
def Enable(self):
727
"D-Bus method"
728
self.enable()
654
Enable = dbus.service.method(_interface)(enable)
655
Enable.__name__ = "Enable"
729
656
730
657
# StartChecker - method
731
658
@dbus.service.method(_interface)
740
667
self.disable()
741
668
742
669
# StopChecker - method
743
@dbus.service.method(_interface)
744
def StopChecker(self):
745
self.stop_checker()
670
StopChecker = dbus.service.method(_interface)(stop_checker)
671
StopChecker.__name__ = "StopChecker"
746
672
747
673
del _interface
748
674
749
675
750
class ClientHandler(socketserver.BaseRequestHandler, object):
751
"""A class to handle client connections.
752
753
Instantiated once for each connection to handle it.
676
def peer_certificate(session):
677
"Return the peer's OpenPGP certificate as a bytestring"
678
# If not an OpenPGP certificate...
679
if (gnutls.library.functions
680
.gnutls_certificate_type_get(session._c_object)
681
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
682
# ...do the normal thing
683
return session.peer_certificate
684
list_size = ctypes.c_uint(1)
685
cert_list = (gnutls.library.functions
686
.gnutls_certificate_get_peers
687
(session._c_object, ctypes.byref(list_size)))
688
if not bool(cert_list) and list_size.value != 0:
689
raise gnutls.errors.GNUTLSError("error getting peer"
690
" certificate")
691
if list_size.value == 0:
692
return None
693
cert = cert_list[0]
694
return ctypes.string_at(cert.data, cert.size)
695
696
697
def fingerprint(openpgp):
698
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
699
# New GnuTLS "datum" with the OpenPGP public key
700
datum = (gnutls.library.types
701
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
702
ctypes.POINTER
703
(ctypes.c_ubyte)),
704
ctypes.c_uint(len(openpgp))))
705
# New empty GnuTLS certificate
706
crt = gnutls.library.types.gnutls_openpgp_crt_t()
707
(gnutls.library.functions
708
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
709
# Import the OpenPGP public key into the certificate
710
(gnutls.library.functions
711
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
712
gnutls.library.constants
713
.GNUTLS_OPENPGP_FMT_RAW))
714
# Verify the self signature in the key
715
crtverify = ctypes.c_uint()
716
(gnutls.library.functions
717
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
718
if crtverify.value != 0:
719
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
720
raise gnutls.errors.CertificateSecurityError("Verify failed")
721
# New buffer for the fingerprint
722
buf = ctypes.create_string_buffer(20)
723
buf_len = ctypes.c_size_t()
724
# Get the fingerprint from the certificate into the buffer
725
(gnutls.library.functions
726
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
727
ctypes.byref(buf_len)))
728
# Deinit the certificate
729
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
730
# Convert the buffer to a Python bytestring
731
fpr = ctypes.string_at(buf, buf_len.value)
732
# Convert the bytestring to hexadecimal notation
733
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
734
return hex_fpr
735
736
737
class TCP_handler(SocketServer.BaseRequestHandler, object):
738
"""A TCP request handler class.
739
Instantiated by IPv6_TCPServer for each request to handle it.
754
740
Note: This will run in its own forked process."""
755
741
756
742
def handle(self):
758
744
unicode(self.client_address))
759
745
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
760
746
# Open IPC pipe to parent process
761
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
747
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
762
748
session = (gnutls.connection
763
749
.ClientSession(self.request,
764
750
gnutls.connection
778
764
# no X.509 keys are added to it. Therefore, we can use it
779
765
# here despite using OpenPGP certificates.
780
766
781
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
782
# u"+AES-256-CBC", u"+SHA1",
783
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
784
# u"+DHE-DSS"))
767
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
768
# "+AES-256-CBC", "+SHA1",
769
# "+COMP-NULL", "+CTYPE-OPENPGP",
770
# "+DHE-DSS"))
785
771
# Use a fallback default, since this MUST be set.
786
priority = self.server.gnutls_priority
787
if priority is None:
788
priority = u"NORMAL"
772
priority = self.server.settings.get("priority", "NORMAL")
789
773
(gnutls.library.functions
790
774
.gnutls_priority_set_direct(session._c_object,
791
775
priority, None))
799
783
return
800
784
logger.debug(u"Handshake succeeded")
801
785
try:
802
fpr = self.fingerprint(self.peer_certificate(session))
786
fpr = fingerprint(peer_certificate(session))
803
787
except (TypeError, gnutls.errors.GNUTLSError), error:
804
788
logger.warning(u"Bad certificate: %s", error)
805
789
session.bye()
811
795
client = c
812
796
break
813
797
else:
814
ipc.write(u"NOTFOUND %s\n" % fpr)
798
logger.warning(u"Client not found for fingerprint: %s",
799
fpr)
800
ipc.write("NOTFOUND %s\n" % fpr)
815
801
session.bye()
816
802
return
817
803
# Have to check if client.still_valid(), since it is
818
804
# possible that the client timed out while establishing
819
805
# the GnuTLS session.
820
806
if not client.still_valid():
821
ipc.write(u"INVALID %s\n" % client.name)
807
logger.warning(u"Client %(name)s is invalid",
808
vars(client))
809
ipc.write("INVALID %s\n" % client.name)
822
810
session.bye()
823
811
return
824
ipc.write(u"SENDING %s\n" % client.name)
812
ipc.write("SENDING %s\n" % client.name)
825
813
sent_size = 0
826
814
while sent_size < len(client.secret):
827
815
sent = session.send(client.secret[sent_size:])
830
818
- (sent_size + sent))
831
819
sent_size += sent
832
820
session.bye()
833
834
@staticmethod
835
def peer_certificate(session):
836
"Return the peer's OpenPGP certificate as a bytestring"
837
# If not an OpenPGP certificate...
838
if (gnutls.library.functions
839
.gnutls_certificate_type_get(session._c_object)
840
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
841
# ...do the normal thing
842
return session.peer_certificate
843
list_size = ctypes.c_uint(1)
844
cert_list = (gnutls.library.functions
845
.gnutls_certificate_get_peers
846
(session._c_object, ctypes.byref(list_size)))
847
if not bool(cert_list) and list_size.value != 0:
848
raise gnutls.errors.GNUTLSError(u"error getting peer"
849
u" certificate")
850
if list_size.value == 0:
851
return None
852
cert = cert_list[0]
853
return ctypes.string_at(cert.data, cert.size)
854
855
@staticmethod
856
def fingerprint(openpgp):
857
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
858
# New GnuTLS "datum" with the OpenPGP public key
859
datum = (gnutls.library.types
860
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
861
ctypes.POINTER
862
(ctypes.c_ubyte)),
863
ctypes.c_uint(len(openpgp))))
864
# New empty GnuTLS certificate
865
crt = gnutls.library.types.gnutls_openpgp_crt_t()
866
(gnutls.library.functions
867
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
868
# Import the OpenPGP public key into the certificate
869
(gnutls.library.functions
870
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
871
gnutls.library.constants
872
.GNUTLS_OPENPGP_FMT_RAW))
873
# Verify the self signature in the key
874
crtverify = ctypes.c_uint()
875
(gnutls.library.functions
876
.gnutls_openpgp_crt_verify_self(crt, 0,
877
ctypes.byref(crtverify)))
878
if crtverify.value != 0:
879
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
880
raise (gnutls.errors.CertificateSecurityError
881
(u"Verify failed"))
882
# New buffer for the fingerprint
883
buf = ctypes.create_string_buffer(20)
884
buf_len = ctypes.c_size_t()
885
# Get the fingerprint from the certificate into the buffer
886
(gnutls.library.functions
887
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
888
ctypes.byref(buf_len)))
889
# Deinit the certificate
890
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
891
# Convert the buffer to a Python bytestring
892
fpr = ctypes.string_at(buf, buf_len.value)
893
# Convert the bytestring to hexadecimal notation
894
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
895
return hex_fpr
896
897
898
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
899
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
821
822
823
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
824
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
825
Assumes a gobject.MainLoop event loop.
826
"""
900
827
def process_request(self, request, client_address):
901
"""Overrides and wraps the original process_request().
902
828
"""This overrides and wraps the original process_request().
903
829
This function creates a new pipe in self.pipe
904
830
"""
905
831
self.pipe = os.pipe()
906
832
super(ForkingMixInWithPipe,
907
833
self).process_request(request, client_address)
908
834
os.close(self.pipe[1]) # close write end
909
self.add_pipe(self.pipe[0])
910
def add_pipe(self, pipe):
835
# Call "handle_ipc" for both data and EOF events
836
gobject.io_add_watch(self.pipe[0],
837
gobject.IO_IN | gobject.IO_HUP,
838
self.handle_ipc)
839
def handle_ipc(source, condition):
911
840
"""Dummy function; override as necessary"""
912
os.close(pipe)
841
os.close(source)
842
return False
913
843
914
844
915
845
class IPv6_TCPServer(ForkingMixInWithPipe,
916
socketserver.TCPServer, object):
846
SocketServer.TCPServer, object):
917
847
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
918
919
848
Attributes:
849
settings: Server settings
850
clients: Set() of Client objects
920
851
enabled: Boolean; whether this server is activated yet
921
interface: None or a network interface name (string)
922
use_ipv6: Boolean; to use IPv6 or not
923
852
"""
924
def __init__(self, server_address, RequestHandlerClass,
925
interface=None, use_ipv6=True):
926
self.interface = interface
927
if use_ipv6:
928
self.address_family = socket.AF_INET6
929
socketserver.TCPServer.__init__(self, server_address,
930
RequestHandlerClass)
853
address_family = socket.AF_INET6
854
def __init__(self, *args, **kwargs):
855
if "settings" in kwargs:
856
self.settings = kwargs["settings"]
857
del kwargs["settings"]
858
if "clients" in kwargs:
859
self.clients = kwargs["clients"]
860
del kwargs["clients"]
861
if "use_ipv6" in kwargs:
862
if not kwargs["use_ipv6"]:
863
self.address_family = socket.AF_INET
864
del kwargs["use_ipv6"]
865
self.enabled = False
866
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
931
867
def server_bind(self):
932
868
"""This overrides the normal server_bind() function
933
869
to bind to an interface if one was specified, and also NOT to
934
870
bind to an address or port if they were not specified."""
935
if self.interface is not None:
936
if SO_BINDTODEVICE is None:
937
logger.error(u"SO_BINDTODEVICE does not exist;"
938
u" cannot bind to interface %s",
939
self.interface)
940
else:
941
try:
942
self.socket.setsockopt(socket.SOL_SOCKET,
943
SO_BINDTODEVICE,
944
str(self.interface
945
+ u'\0'))
946
except socket.error, error:
947
if error[0] == errno.EPERM:
948
logger.error(u"No permission to"
949
u" bind to interface %s",
950
self.interface)
951
elif error[0] == errno.ENOPROTOOPT:
952
logger.error(u"SO_BINDTODEVICE not available;"
953
u" cannot bind to interface %s",
954
self.interface)
955
else:
956
raise
871
if self.settings["interface"]:
872
# 25 is from /usr/include/asm-i486/socket.h
873
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
874
try:
875
self.socket.setsockopt(socket.SOL_SOCKET,
876
SO_BINDTODEVICE,
877
self.settings["interface"])
878
except socket.error, error:
879
if error[0] == errno.EPERM:
880
logger.error(u"No permission to"
881
u" bind to interface %s",
882
self.settings["interface"])
883
else:
884
raise
957
885
# Only bind(2) the socket if we really need to.
958
886
if self.server_address[0] or self.server_address[1]:
959
887
if not self.server_address[0]:
960
888
if self.address_family == socket.AF_INET6:
961
any_address = u"::" # in6addr_any
889
any_address = "::" # in6addr_any
962
890
else:
963
891
any_address = socket.INADDR_ANY
964
892
self.server_address = (any_address,
966
894
elif not self.server_address[1]:
967
895
self.server_address = (self.server_address[0],
968
896
0)
969
# if self.interface:
897
# if self.settings["interface"]:
970
898
# self.server_address = (self.server_address[0],
971
899
# 0, # port
972
900
# 0, # flowinfo
973
901
# if_nametoindex
974
# (self.interface))
975
return socketserver.TCPServer.server_bind(self)
976
977
978
class MandosServer(IPv6_TCPServer):
979
"""Mandos server.
980
981
Attributes:
982
clients: set of Client objects
983
gnutls_priority GnuTLS priority string
984
use_dbus: Boolean; to emit D-Bus signals or not
985
clients: set of Client objects
986
gnutls_priority GnuTLS priority string
987
use_dbus: Boolean; to emit D-Bus signals or not
988
989
Assumes a gobject.MainLoop event loop.
990
"""
991
def __init__(self, server_address, RequestHandlerClass,
992
interface=None, use_ipv6=True, clients=None,
993
gnutls_priority=None, use_dbus=True):
994
self.enabled = False
995
self.clients = clients
996
if self.clients is None:
997
self.clients = set()
998
self.use_dbus = use_dbus
999
self.gnutls_priority = gnutls_priority
1000
IPv6_TCPServer.__init__(self, server_address,
1001
RequestHandlerClass,
1002
interface = interface,
1003
use_ipv6 = use_ipv6)
902
# (self.settings
903
# ["interface"]))
904
return super(IPv6_TCPServer, self).server_bind()
1004
905
def server_activate(self):
1005
906
if self.enabled:
1006
return socketserver.TCPServer.server_activate(self)
907
return super(IPv6_TCPServer, self).server_activate()
1007
908
def enable(self):
1008
909
self.enabled = True
1009
def add_pipe(self, pipe):
1010
# Call "handle_ipc" for both data and EOF events
1011
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1012
self.handle_ipc)
1013
910
def handle_ipc(self, source, condition, file_objects={}):
1014
911
condition_names = {
1015
gobject.IO_IN: u"IN", # There is data to read.
1016
gobject.IO_OUT: u"OUT", # Data can be written (without
1017
# blocking).
1018
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1019
gobject.IO_ERR: u"ERR", # Error condition.
1020
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1021
# broken, usually for pipes and
1022
# sockets).
912
gobject.IO_IN: "IN", # There is data to read.
913
gobject.IO_OUT: "OUT", # Data can be written (without
914
# blocking).
915
gobject.IO_PRI: "PRI", # There is urgent data to read.
916
gobject.IO_ERR: "ERR", # Error condition.
917
gobject.IO_HUP: "HUP" # Hung up (the connection has been
918
# broken, usually for pipes and
919
# sockets).
1023
920
}
1024
921
conditions_string = ' | '.join(name
1025
922
for cond, name in
1026
923
condition_names.iteritems()
1027
924
if cond & condition)
1028
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
925
logger.debug("Handling IPC: FD = %d, condition = %s", source,
1029
926
conditions_string)
1030
927
1031
928
# Turn the pipe file descriptor into a Python file object
1032
929
if source not in file_objects:
1033
file_objects[source] = os.fdopen(source, u"r", 1)
930
file_objects[source] = os.fdopen(source, "r", 1)
1034
931
1035
932
# Read a line from the file object
1036
933
cmdline = file_objects[source].readline()
1042
939
# Stop calling this function
1043
940
return False
1044
941
1045
logger.debug(u"IPC command: %r", cmdline)
942
logger.debug("IPC command: %r\n" % cmdline)
1046
943
1047
944
# Parse and act on command
1048
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1049
1050
if cmd == u"NOTFOUND":
1051
logger.warning(u"Client not found for fingerprint: %s",
1052
args)
1053
if self.use_dbus:
945
cmd, args = cmdline.split(None, 1)
946
if cmd == "NOTFOUND":
947
if self.settings["use_dbus"]:
1054
948
# Emit D-Bus signal
1055
949
mandos_dbus_service.ClientNotFound(args)
1056
elif cmd == u"INVALID":
1057
for client in self.clients:
1058
if client.name == args:
1059
logger.warning(u"Client %s is invalid", args)
1060
if self.use_dbus:
950
elif cmd == "INVALID":
951
if self.settings["use_dbus"]:
952
for client in self.clients:
953
if client.name == args:
1061
954
# Emit D-Bus signal
1062
955
client.Rejected()
1063
break
1064
else:
1065
logger.error(u"Unknown client %s is invalid", args)
1066
elif cmd == u"SENDING":
956
break
957
elif cmd == "SENDING":
1067
958
for client in self.clients:
1068
959
if client.name == args:
1069
logger.info(u"Sending secret to %s", client.name)
1070
960
client.checked_ok()
1071
if self.use_dbus:
961
if self.settings["use_dbus"]:
1072
962
# Emit D-Bus signal
1073
963
client.ReceivedSecret()
1074
964
break
1075
else:
1076
logger.error(u"Sending secret to unknown client %s",
1077
args)
1078
965
else:
1079
logger.error(u"Unknown IPC command: %r", cmdline)
966
logger.error("Unknown IPC command: %r", cmdline)
1080
967
1081
968
# Keep calling this function
1082
969
return True
1085
972
def string_to_delta(interval):
1086
973
"""Parse a string and return a datetime.timedelta
1087
974
1088
>>> string_to_delta(u'7d')
975
>>> string_to_delta('7d')
1089
976
datetime.timedelta(7)
1090
>>> string_to_delta(u'60s')
977
>>> string_to_delta('60s')
1091
978
datetime.timedelta(0, 60)
1092
>>> string_to_delta(u'60m')
979
>>> string_to_delta('60m')
1093
980
datetime.timedelta(0, 3600)
1094
>>> string_to_delta(u'24h')
981
>>> string_to_delta('24h')
1095
982
datetime.timedelta(1)
1096
983
>>> string_to_delta(u'1w')
1097
984
datetime.timedelta(7)
1098
>>> string_to_delta(u'5m 30s')
985
>>> string_to_delta('5m 30s')
1099
986
datetime.timedelta(0, 330)
1100
987
"""
1101
988
timevalue = datetime.timedelta(0)
1121
1008
return timevalue
1122
1009
1123
1010
1011
def server_state_changed(state):
1012
"""Derived from the Avahi example code"""
1013
if state == avahi.SERVER_COLLISION:
1014
logger.error(u"Zeroconf server name collision")
1015
service.remove()
1016
elif state == avahi.SERVER_RUNNING:
1017
service.add()
1018
1019
1020
def entry_group_state_changed(state, error):
1021
"""Derived from the Avahi example code"""
1022
logger.debug(u"Avahi state change: %i", state)
1023
1024
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1025
logger.debug(u"Zeroconf service established.")
1026
elif state == avahi.ENTRY_GROUP_COLLISION:
1027
logger.warning(u"Zeroconf service name collision.")
1028
service.rename()
1029
elif state == avahi.ENTRY_GROUP_FAILURE:
1030
logger.critical(u"Avahi: Error in group state changed %s",
1031
unicode(error))
1032
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1033
1124
1034
def if_nametoindex(interface):
1125
"""Call the C function if_nametoindex(), or equivalent
1126
1127
Note: This function cannot accept a unicode string."""
1035
"""Call the C function if_nametoindex(), or equivalent"""
1128
1036
global if_nametoindex
1129
1037
try:
1130
1038
if_nametoindex = (ctypes.cdll.LoadLibrary
1131
(ctypes.util.find_library(u"c"))
1039
(ctypes.util.find_library("c"))
1132
1040
.if_nametoindex)
1133
1041
except (OSError, AttributeError):
1134
logger.warning(u"Doing if_nametoindex the hard way")
1042
if "struct" not in sys.modules:
1043
import struct
1044
if "fcntl" not in sys.modules:
1045
import fcntl
1135
1046
def if_nametoindex(interface):
1136
1047
"Get an interface index the hard way, i.e. using fcntl()"
1137
1048
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1138
1049
with closing(socket.socket()) as s:
1139
1050
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1140
struct.pack(str(u"16s16x"),
1141
interface))
1142
interface_index = struct.unpack(str(u"I"),
1143
ifreq[16:20])[0]
1051
struct.pack("16s16x", interface))
1052
interface_index = struct.unpack("I", ifreq[16:20])[0]
1144
1053
return interface_index
1145
1054
return if_nametoindex(interface)
1146
1055
1147
1056
1148
1057
def daemon(nochdir = False, noclose = False):
1149
1058
"""See daemon(3). Standard BSD Unix function.
1150
1151
1059
This should really exist as os.daemon, but it doesn't (yet)."""
1152
1060
if os.fork():
1153
1061
sys.exit()
1154
1062
os.setsid()
1155
1063
if not nochdir:
1156
os.chdir(u"/")
1064
os.chdir("/")
1157
1065
if os.fork():
1158
1066
sys.exit()
1159
1067
if not noclose:
1161
1069
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1162
1070
if not stat.S_ISCHR(os.fstat(null).st_mode):
1163
1071
raise OSError(errno.ENODEV,
1164
u"/dev/null not a character device")
1072
"/dev/null not a character device")
1165
1073
os.dup2(null, sys.stdin.fileno())
1166
1074
os.dup2(null, sys.stdout.fileno())
1167
1075
os.dup2(null, sys.stderr.fileno())
1175
1083
# Parsing of options, both command line and config file
1176
1084
1177
1085
parser = optparse.OptionParser(version = "%%prog %s" % version)
1178
parser.add_option("-i", u"--interface", type=u"string",
1179
metavar="IF", help=u"Bind to interface IF")
1180
parser.add_option("-a", u"--address", type=u"string",
1181
help=u"Address to listen for requests on")
1182
parser.add_option("-p", u"--port", type=u"int",
1183
help=u"Port number to receive requests on")
1184
parser.add_option("--check", action=u"store_true",
1185
help=u"Run self-test")
1186
parser.add_option("--debug", action=u"store_true",
1187
help=u"Debug mode; run in foreground and log to"
1188
u" terminal")
1189
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1190
u" priority string (see GnuTLS documentation)")
1191
parser.add_option("--servicename", type=u"string",
1192
metavar=u"NAME", help=u"Zeroconf service name")
1193
parser.add_option("--configdir", type=u"string",
1194
default=u"/etc/mandos", metavar=u"DIR",
1195
help=u"Directory to search for configuration"
1196
u" files")
1197
parser.add_option("--no-dbus", action=u"store_false",
1198
dest=u"use_dbus", help=u"Do not provide D-Bus"
1199
u" system bus interface")
1200
parser.add_option("--no-ipv6", action=u"store_false",
1201
dest=u"use_ipv6", help=u"Do not use IPv6")
1086
parser.add_option("-i", "--interface", type="string",
1087
metavar="IF", help="Bind to interface IF")
1088
parser.add_option("-a", "--address", type="string",
1089
help="Address to listen for requests on")
1090
parser.add_option("-p", "--port", type="int",
1091
help="Port number to receive requests on")
1092
parser.add_option("--check", action="store_true",
1093
help="Run self-test")
1094
parser.add_option("--debug", action="store_true",
1095
help="Debug mode; run in foreground and log to"
1096
" terminal")
1097
parser.add_option("--priority", type="string", help="GnuTLS"
1098
" priority string (see GnuTLS documentation)")
1099
parser.add_option("--servicename", type="string", metavar="NAME",
1100
help="Zeroconf service name")
1101
parser.add_option("--configdir", type="string",
1102
default="/etc/mandos", metavar="DIR",
1103
help="Directory to search for configuration"
1104
" files")
1105
parser.add_option("--no-dbus", action="store_false",
1106
dest="use_dbus",
1107
help="Do not provide D-Bus system bus"
1108
" interface")
1109
parser.add_option("--no-ipv6", action="store_false",
1110
dest="use_ipv6", help="Do not use IPv6")
1202
1111
options = parser.parse_args()[0]
1203
1112
1204
1113
if options.check:
1207
1116
sys.exit()
1208
1117
1209
1118
# Default values for config file for server-global settings
1210
server_defaults = { u"interface": u"",
1211
u"address": u"",
1212
u"port": u"",
1213
u"debug": u"False",
1214
u"priority":
1215
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1216
u"servicename": u"Mandos",
1217
u"use_dbus": u"True",
1218
u"use_ipv6": u"True",
1119
server_defaults = { "interface": "",
1120
"address": "",
1121
"port": "",
1122
"debug": "False",
1123
"priority":
1124
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1125
"servicename": "Mandos",
1126
"use_dbus": "True",
1127
"use_ipv6": "True",
1219
1128
}
1220
1129
1221
1130
# Parse config file for server-global settings
1222
server_config = configparser.SafeConfigParser(server_defaults)
1131
server_config = ConfigParser.SafeConfigParser(server_defaults)
1223
1132
del server_defaults
1224
server_config.read(os.path.join(options.configdir,
1225
u"mandos.conf"))
1133
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1226
1134
# Convert the SafeConfigParser object to a dict
1227
1135
server_settings = server_config.defaults()
1228
1136
# Use the appropriate methods on the non-string config options
1229
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1230
server_settings[option] = server_config.getboolean(u"DEFAULT",
1231
option)
1137
server_settings["debug"] = server_config.getboolean("DEFAULT",
1138
"debug")
1139
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1140
"use_dbus")
1141
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1142
"use_ipv6")
1232
1143
if server_settings["port"]:
1233
server_settings["port"] = server_config.getint(u"DEFAULT",
1234
u"port")
1144
server_settings["port"] = server_config.getint("DEFAULT",
1145
"port")
1235
1146
del server_config
1236
1147
1237
1148
# Override the settings from the config file with command line
1238
1149
# options, if set.
1239
for option in (u"interface", u"address", u"port", u"debug",
1240
u"priority", u"servicename", u"configdir",
1241
u"use_dbus", u"use_ipv6"):
1150
for option in ("interface", "address", "port", "debug",
1151
"priority", "servicename", "configdir",
1152
"use_dbus", "use_ipv6"):
1242
1153
value = getattr(options, option)
1243
1154
if value is not None:
1244
1155
server_settings[option] = value
1245
1156
del options
1246
# Force all strings to be unicode
1247
for option in server_settings.keys():
1248
if type(server_settings[option]) is str:
1249
server_settings[option] = unicode(server_settings[option])
1250
1157
# Now we have our good server settings in "server_settings"
1251
1158
1252
1159
##################################################################
1253
1160
1254
1161
# For convenience
1255
debug = server_settings[u"debug"]
1256
use_dbus = server_settings[u"use_dbus"]
1257
use_ipv6 = server_settings[u"use_ipv6"]
1162
debug = server_settings["debug"]
1163
use_dbus = server_settings["use_dbus"]
1164
use_ipv6 = server_settings["use_ipv6"]
1258
1165
1259
1166
if not debug:
1260
1167
syslogger.setLevel(logging.WARNING)
1261
1168
console.setLevel(logging.WARNING)
1262
1169
1263
if server_settings[u"servicename"] != u"Mandos":
1170
if server_settings["servicename"] != "Mandos":
1264
1171
syslogger.setFormatter(logging.Formatter
1265
(u'Mandos (%s) [%%(process)d]:'
1266
u' %%(levelname)s: %%(message)s'
1267
% server_settings[u"servicename"]))
1172
('Mandos (%s) [%%(process)d]:'
1173
' %%(levelname)s: %%(message)s'
1174
% server_settings["servicename"]))
1268
1175
1269
1176
# Parse config file with clients
1270
client_defaults = { u"timeout": u"1h",
1271
u"interval": u"5m",
1272
u"checker": u"fping -q -- %%(host)s",
1273
u"host": u"",
1177
client_defaults = { "timeout": "1h",
1178
"interval": "5m",
1179
"checker": "fping -q -- %%(host)s",
1180
"host": "",
1274
1181
}
1275
client_config = configparser.SafeConfigParser(client_defaults)
1276
client_config.read(os.path.join(server_settings[u"configdir"],
1277
u"clients.conf"))
1278
1182
client_config = ConfigParser.SafeConfigParser(client_defaults)
1183
client_config.read(os.path.join(server_settings["configdir"],
1184
"clients.conf"))
1185
1279
1186
global mandos_dbus_service
1280
1187
mandos_dbus_service = None
1281
1188
1282
tcp_server = MandosServer((server_settings[u"address"],
1283
server_settings[u"port"]),
1284
ClientHandler,
1285
interface=server_settings[u"interface"],
1286
use_ipv6=use_ipv6,
1287
gnutls_priority=
1288
server_settings[u"priority"],
1289
use_dbus=use_dbus)
1290
pidfilename = u"/var/run/mandos.pid"
1189
clients = Set()
1190
tcp_server = IPv6_TCPServer((server_settings["address"],
1191
server_settings["port"]),
1192
TCP_handler,
1193
settings=server_settings,
1194
clients=clients, use_ipv6=use_ipv6)
1195
pidfilename = "/var/run/mandos.pid"
1291
1196
try:
1292
pidfile = open(pidfilename, u"w")
1197
pidfile = open(pidfilename, "w")
1293
1198
except IOError:
1294
logger.error(u"Could not open file %r", pidfilename)
1199
logger.error("Could not open file %r", pidfilename)
1295
1200
1296
1201
try:
1297
uid = pwd.getpwnam(u"_mandos").pw_uid
1298
gid = pwd.getpwnam(u"_mandos").pw_gid
1202
uid = pwd.getpwnam("_mandos").pw_uid
1203
gid = pwd.getpwnam("_mandos").pw_gid
1299
1204
except KeyError:
1300
1205
try:
1301
uid = pwd.getpwnam(u"mandos").pw_uid
1302
gid = pwd.getpwnam(u"mandos").pw_gid
1206
uid = pwd.getpwnam("mandos").pw_uid
1207
gid = pwd.getpwnam("mandos").pw_gid
1303
1208
except KeyError:
1304
1209
try:
1305
uid = pwd.getpwnam(u"nobody").pw_uid
1306
gid = pwd.getpwnam(u"nobody").pw_gid
1210
uid = pwd.getpwnam("nobody").pw_uid
1211
gid = pwd.getpwnam("nogroup").pw_gid
1307
1212
except KeyError:
1308
1213
uid = 65534
1309
1214
gid = 65534
1322
1227
1323
1228
@gnutls.library.types.gnutls_log_func
1324
1229
def debug_gnutls(level, string):
1325
logger.debug(u"GnuTLS: %s", string[:-1])
1230
logger.debug("GnuTLS: %s", string[:-1])
1326
1231
1327
1232
(gnutls.library.functions
1328
1233
.gnutls_global_set_log_function(debug_gnutls))
1329
1234
1235
global service
1236
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1237
service = AvahiService(name = server_settings["servicename"],
1238
servicetype = "_mandos._tcp",
1239
protocol = protocol)
1240
if server_settings["interface"]:
1241
service.interface = (if_nametoindex
1242
(server_settings["interface"]))
1243
1330
1244
global main_loop
1245
global bus
1246
global server
1331
1247
# From the Avahi example code
1332
1248
DBusGMainLoop(set_as_default=True )
1333
1249
main_loop = gobject.MainLoop()
1334
1250
bus = dbus.SystemBus()
1251
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1252
avahi.DBUS_PATH_SERVER),
1253
avahi.DBUS_INTERFACE_SERVER)
1335
1254
# End of Avahi example code
1336
1255
if use_dbus:
1337
1256
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1338
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1339
service = AvahiService(name = server_settings[u"servicename"],
1340
servicetype = u"_mandos._tcp",
1341
protocol = protocol, bus = bus)
1342
if server_settings["interface"]:
1343
service.interface = (if_nametoindex
1344
(str(server_settings[u"interface"])))
1345
1257
1346
1258
client_class = Client
1347
1259
if use_dbus:
1348
client_class = functools.partial(ClientDBus, bus = bus)
1349
tcp_server.clients.update(set(
1260
client_class = ClientDBus
1261
clients.update(Set(
1350
1262
client_class(name = section,
1351
1263
config= dict(client_config.items(section)))
1352
1264
for section in client_config.sections()))
1353
if not tcp_server.clients:
1265
if not clients:
1354
1266
logger.warning(u"No clients defined")
1355
1267
1356
1268
if debug:
1380
1292
1381
1293
def cleanup():
1382
1294
"Cleanup function; run on exit"
1383
service.cleanup()
1295
global group
1296
# From the Avahi example code
1297
if not group is None:
1298
group.Free()
1299
group = None
1300
# End of Avahi example code
1384
1301
1385
while tcp_server.clients:
1386
client = tcp_server.clients.pop()
1302
while clients:
1303
client = clients.pop()
1387
1304
client.disable_hook = None
1388
1305
client.disable()
1389
1306
1398
1315
class MandosDBusService(dbus.service.Object):
1399
1316
"""A D-Bus proxy object"""
1400
1317
def __init__(self):
1401
dbus.service.Object.__init__(self, bus, u"/")
1318
dbus.service.Object.__init__(self, bus, "/")
1402
1319
_interface = u"se.bsnet.fukt.Mandos"
1403
1320
1404
@dbus.service.signal(_interface, signature=u"oa{sv}")
1321
@dbus.service.signal(_interface, signature="oa{sv}")
1405
1322
def ClientAdded(self, objpath, properties):
1406
1323
"D-Bus signal"
1407
1324
pass
1408
1325
1409
@dbus.service.signal(_interface, signature=u"s")
1326
@dbus.service.signal(_interface, signature="s")
1410
1327
def ClientNotFound(self, fingerprint):
1411
1328
"D-Bus signal"
1412
1329
pass
1413
1330
1414
@dbus.service.signal(_interface, signature=u"os")
1331
@dbus.service.signal(_interface, signature="os")
1415
1332
def ClientRemoved(self, objpath, name):
1416
1333
"D-Bus signal"
1417
1334
pass
1418
1335
1419
@dbus.service.method(_interface, out_signature=u"ao")
1336
@dbus.service.method(_interface, out_signature="ao")
1420
1337
def GetAllClients(self):
1421
1338
"D-Bus method"
1422
return dbus.Array(c.dbus_object_path
1423
for c in tcp_server.clients)
1339
return dbus.Array(c.dbus_object_path for c in clients)
1424
1340
1425
@dbus.service.method(_interface,
1426
out_signature=u"a{oa{sv}}")
1341
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1427
1342
def GetAllClientsWithProperties(self):
1428
1343
"D-Bus method"
1429
1344
return dbus.Dictionary(
1430
1345
((c.dbus_object_path, c.GetAllProperties())
1431
for c in tcp_server.clients),
1432
signature=u"oa{sv}")
1346
for c in clients),
1347
signature="oa{sv}")
1433
1348
1434
@dbus.service.method(_interface, in_signature=u"o")
1349
@dbus.service.method(_interface, in_signature="o")
1435
1350
def RemoveClient(self, object_path):
1436
1351
"D-Bus method"
1437
for c in tcp_server.clients:
1352
for c in clients:
1438
1353
if c.dbus_object_path == object_path:
1439
tcp_server.clients.remove(c)
1354
clients.remove(c)
1440
1355
c.remove_from_connection()
1441
1356
# Don't signal anything except ClientRemoved
1442
1357
c.disable(signal=False)
1449
1364
1450
1365
mandos_dbus_service = MandosDBusService()
1451
1366
1452
for client in tcp_server.clients:
1367
for client in clients:
1453
1368
if use_dbus:
1454
1369
# Emit D-Bus signal
1455
1370
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1473
1388
1474
1389
try:
1475
1390
# From the Avahi example code
1391
server.connect_to_signal("StateChanged", server_state_changed)
1476
1392
try:
1477
service.activate()
1393
server_state_changed(server.GetState())
1478
1394
except dbus.exceptions.DBusException, error:
1479
1395
logger.critical(u"DBusException: %s", error)
1480
1396
sys.exit(1)
1493
1409
except KeyboardInterrupt:
1494
1410
if debug:
1495
1411
print >> sys.stderr
1496
logger.debug(u"Server received KeyboardInterrupt")
1497
logger.debug(u"Server exiting")
1412
logger.debug("Server received KeyboardInterrupt")
1413
logger.debug("Server exiting")
1498
1414
1499
1415
if __name__ == '__main__':
1500
1416
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0