To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 330
- compare with another revision
- download diff
- download tarball
- view history from revision 330
- Committer: Teddy Hogeborn
- Date: 2009-04-03 03:36:08 UTC
- Revision ID: teddy@fukt.bsnet.se-20090403033608-ftgzsnnuzo7gbvzc
* mandos (peer_certificate, fingerprint): Moved into "TCP_handler"
class.
(TCP_handler.peer_certificate, TCP_handler.fingerprint): Moved here.
(TCP_handler.handle): Do not log conditions also sent via IPC.
(IPv6_TCPServer.handle_ipc): Bug fix: Remove extra newline from IPC
command log message. Bug fix: Strip
CR and NL from IPC line. Log
conditions recieved via IPC. Log error
if IPC recieved about unknown client.
class.
(TCP_handler.peer_certificate, TCP_handler.fingerprint): Moved here.
(TCP_handler.handle): Do not log conditions also sent via IPC.
(IPv6_TCPServer.handle_ipc): Bug fix: Remove extra newline from IPC
command log message. Bug fix: Strip
CR and NL from IPC line. Log
conditions recieved via IPC. Log error
if IPC recieved about unknown client.
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
56
57
import logging.handlers
57
58
import pwd
58
59
from contextlib import closing
59
import struct
60
import fcntl
61
import functools
62
60
63
61
import dbus
64
62
import dbus.service
68
66
import ctypes
69
67
import ctypes.util
70
68
71
try:
72
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
73
except AttributeError:
74
try:
75
from IN import SO_BINDTODEVICE
76
except ImportError:
77
SO_BINDTODEVICE = None
78
79
80
69
version = "1.0.8"
81
70
82
logger = logging.Logger(u'mandos')
71
logger = logging.Logger('mandos')
83
72
syslogger = (logging.handlers.SysLogHandler
84
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
74
address = "/dev/log"))
86
75
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
89
78
logger.addHandler(syslogger)
90
79
91
80
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
95
83
logger.addHandler(console)
96
84
97
85
class AvahiError(Exception):
110
98
111
99
class AvahiService(object):
112
100
"""An Avahi (Zeroconf) service.
113
114
101
Attributes:
115
102
interface: integer; avahi.IF_UNSPEC or an interface index.
116
103
Used to optionally bind to the specified interface.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
119
106
See <http://www.dns-sd.org/ServiceTypes.html>
120
107
port: integer; what port to announce
121
108
TXT: list of strings; TXT record for the service
124
111
max_renames: integer; maximum number of renames
125
112
rename_count: integer; counter so we only rename after collisions
126
113
a sensible number of times
127
group: D-Bus Entry Group
128
server: D-Bus Server
129
bus: dbus.SystemBus()
130
114
"""
131
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
132
116
servicetype = None, port = None, TXT = None,
133
domain = u"", host = u"", max_renames = 32768,
134
protocol = avahi.PROTO_UNSPEC, bus = None):
117
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
135
119
self.interface = interface
136
120
self.name = name
137
121
self.type = servicetype
142
126
self.rename_count = 0
143
127
self.max_renames = max_renames
144
128
self.protocol = protocol
145
self.group = None # our entry group
146
self.server = None
147
self.bus = bus
148
129
def rename(self):
149
130
"""Derived from the Avahi example code"""
150
131
if self.rename_count >= self.max_renames:
152
133
u" after %i retries, exiting.",
153
134
self.rename_count)
154
135
raise AvahiServiceError(u"Too many renames")
155
self.name = self.server.GetAlternativeServiceName(self.name)
136
self.name = server.GetAlternativeServiceName(self.name)
156
137
logger.info(u"Changing Zeroconf service name to %r ...",
157
unicode(self.name))
138
str(self.name))
158
139
syslogger.setFormatter(logging.Formatter
159
(u'Mandos (%s) [%%(process)d]:'
160
u' %%(levelname)s: %%(message)s'
140
('Mandos (%s) [%%(process)d]:'
141
' %%(levelname)s: %%(message)s'
161
142
% self.name))
162
143
self.remove()
163
144
self.add()
164
145
self.rename_count += 1
165
146
def remove(self):
166
147
"""Derived from the Avahi example code"""
167
if self.group is not None:
168
self.group.Reset()
148
if group is not None:
149
group.Reset()
169
150
def add(self):
170
151
"""Derived from the Avahi example code"""
171
if self.group is None:
172
self.group = dbus.Interface(
173
self.bus.get_object(avahi.DBUS_NAME,
174
self.server.EntryGroupNew()),
175
avahi.DBUS_INTERFACE_ENTRY_GROUP)
176
self.group.connect_to_signal('StateChanged',
177
self.entry_group_state_changed)
152
global group
153
if group is None:
154
group = dbus.Interface(bus.get_object
155
(avahi.DBUS_NAME,
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
178
160
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
179
self.name, self.type)
180
self.group.AddService(
181
self.interface,
182
self.protocol,
183
dbus.UInt32(0), # flags
184
self.name, self.type,
185
self.domain, self.host,
186
dbus.UInt16(self.port),
187
avahi.string_array_to_txt_array(self.TXT))
188
self.group.Commit()
189
def entry_group_state_changed(self, state, error):
190
"""Derived from the Avahi example code"""
191
logger.debug(u"Avahi state change: %i", state)
192
193
if state == avahi.ENTRY_GROUP_ESTABLISHED:
194
logger.debug(u"Zeroconf service established.")
195
elif state == avahi.ENTRY_GROUP_COLLISION:
196
logger.warning(u"Zeroconf service name collision.")
197
self.rename()
198
elif state == avahi.ENTRY_GROUP_FAILURE:
199
logger.critical(u"Avahi: Error in group state changed %s",
200
unicode(error))
201
raise AvahiGroupError(u"State changed: %s"
202
% unicode(error))
203
def cleanup(self):
204
"""Derived from the Avahi example code"""
205
if self.group is not None:
206
self.group.Free()
207
self.group = None
208
def server_state_changed(self, state):
209
"""Derived from the Avahi example code"""
210
if state == avahi.SERVER_COLLISION:
211
logger.error(u"Zeroconf server name collision")
212
self.remove()
213
elif state == avahi.SERVER_RUNNING:
214
self.add()
215
def activate(self):
216
"""Derived from the Avahi example code"""
217
if self.server is None:
218
self.server = dbus.Interface(
219
self.bus.get_object(avahi.DBUS_NAME,
220
avahi.DBUS_PATH_SERVER),
221
avahi.DBUS_INTERFACE_SERVER)
222
self.server.connect_to_signal(u"StateChanged",
223
self.server_state_changed)
224
self.server_state_changed(self.server.GetState())
161
service.name, service.type)
162
group.AddService(
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
170
group.Commit()
171
172
# From the Avahi example code:
173
group = None # our entry group
174
# End of Avahi example code
175
176
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
225
180
226
181
227
182
class Client(object):
228
183
"""A representation of a client host served by this server.
229
230
184
Attributes:
231
185
name: string; from the config file, used in log messages and
232
186
D-Bus identifiers
254
208
instance %(name)s can be used in the command.
255
209
current_checker_command: string; current running checker_command
256
210
"""
257
258
@staticmethod
259
def _datetime_to_milliseconds(dt):
260
"Convert a datetime.datetime() to milliseconds"
261
return ((dt.days * 24 * 60 * 60 * 1000)
262
+ (dt.seconds * 1000)
263
+ (dt.microseconds // 1000))
264
265
211
def timeout_milliseconds(self):
266
212
"Return the 'timeout' attribute in milliseconds"
267
return self._datetime_to_milliseconds(self.timeout)
213
return ((self.timeout.days * 24 * 60 * 60 * 1000)
214
+ (self.timeout.seconds * 1000)
215
+ (self.timeout.microseconds // 1000))
268
216
269
217
def interval_milliseconds(self):
270
218
"Return the 'interval' attribute in milliseconds"
271
return self._datetime_to_milliseconds(self.interval)
219
return ((self.interval.days * 24 * 60 * 60 * 1000)
220
+ (self.interval.seconds * 1000)
221
+ (self.interval.microseconds // 1000))
272
222
273
223
def __init__(self, name = None, disable_hook=None, config=None):
274
224
"""Note: the 'checker' key in 'config' sets the
281
231
# Uppercase and remove spaces from fingerprint for later
282
232
# comparison purposes with return value from the fingerprint()
283
233
# function
284
self.fingerprint = (config[u"fingerprint"].upper()
234
self.fingerprint = (config["fingerprint"].upper()
285
235
.replace(u" ", u""))
286
236
logger.debug(u" Fingerprint: %s", self.fingerprint)
287
if u"secret" in config:
288
self.secret = config[u"secret"].decode(u"base64")
289
elif u"secfile" in config:
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
290
240
with closing(open(os.path.expanduser
291
241
(os.path.expandvars
292
(config[u"secfile"])))) as secfile:
242
(config["secfile"])))) as secfile:
293
243
self.secret = secfile.read()
294
244
else:
295
245
raise TypeError(u"No secret or secfile for client %s"
296
246
% self.name)
297
self.host = config.get(u"host", u"")
247
self.host = config.get("host", "")
298
248
self.created = datetime.datetime.utcnow()
299
249
self.enabled = False
300
250
self.last_enabled = None
301
251
self.last_checked_ok = None
302
self.timeout = string_to_delta(config[u"timeout"])
303
self.interval = string_to_delta(config[u"interval"])
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
304
254
self.disable_hook = disable_hook
305
255
self.checker = None
306
256
self.checker_initiator_tag = None
307
257
self.disable_initiator_tag = None
308
258
self.checker_callback_tag = None
309
self.checker_command = config[u"checker"]
259
self.checker_command = config["checker"]
310
260
self.current_checker_command = None
311
261
self.last_connect = None
312
262
313
263
def enable(self):
314
264
"""Start this client's checker and timeout hooks"""
315
if getattr(self, u"enabled", False):
316
# Already enabled
317
return
318
265
self.last_enabled = datetime.datetime.utcnow()
319
266
# Schedule a new checker to be started an 'interval' from now,
320
267
# and every interval from then on.
334
281
if not getattr(self, "enabled", False):
335
282
return False
336
283
logger.info(u"Disabling client %s", self.name)
337
if getattr(self, u"disable_initiator_tag", False):
284
if getattr(self, "disable_initiator_tag", False):
338
285
gobject.source_remove(self.disable_initiator_tag)
339
286
self.disable_initiator_tag = None
340
if getattr(self, u"checker_initiator_tag", False):
287
if getattr(self, "checker_initiator_tag", False):
341
288
gobject.source_remove(self.checker_initiator_tag)
342
289
self.checker_initiator_tag = None
343
290
self.stop_checker()
370
317
371
318
def checked_ok(self):
372
319
"""Bump up the timeout for this client.
373
374
320
This should only be called when the client has been seen,
375
321
alive and well.
376
322
"""
382
328
383
329
def start_checker(self):
384
330
"""Start a new checker subprocess if one is not running.
385
386
331
If a checker already exists, leave it running and do
387
332
nothing."""
388
333
# The reason for not killing a running checker is that if we
398
343
if self.checker is not None:
399
344
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
400
345
if pid:
401
logger.warning(u"Checker was a zombie")
346
logger.warning("Checker was a zombie")
402
347
gobject.source_remove(self.checker_callback_tag)
403
348
self.checker_callback(pid, status,
404
349
self.current_checker_command)
409
354
command = self.checker_command % self.host
410
355
except TypeError:
411
356
# Escape attributes for the shell
412
escaped_attrs = dict((key,
413
re.escape(unicode(str(val),
414
errors=
415
u'replace')))
357
escaped_attrs = dict((key, re.escape(str(val)))
416
358
for key, val in
417
359
vars(self).iteritems())
418
360
try:
431
373
# always replaced by /dev/null.)
432
374
self.checker = subprocess.Popen(command,
433
375
close_fds=True,
434
shell=True, cwd=u"/")
376
shell=True, cwd="/")
435
377
self.checker_callback_tag = (gobject.child_watch_add
436
378
(self.checker.pid,
437
379
self.checker_callback,
453
395
if self.checker_callback_tag:
454
396
gobject.source_remove(self.checker_callback_tag)
455
397
self.checker_callback_tag = None
456
if getattr(self, u"checker", None) is None:
398
if getattr(self, "checker", None) is None:
457
399
return
458
400
logger.debug(u"Stopping checker for %(name)s", vars(self))
459
401
try:
468
410
469
411
def still_valid(self):
470
412
"""Has the timeout not yet passed for this client?"""
471
if not getattr(self, u"enabled", False):
413
if not getattr(self, "enabled", False):
472
414
return False
473
415
now = datetime.datetime.utcnow()
474
416
if self.last_checked_ok is None:
479
421
480
422
class ClientDBus(Client, dbus.service.Object):
481
423
"""A Client class using D-Bus
482
483
424
Attributes:
484
dbus_object_path: dbus.ObjectPath
485
bus: dbus.SystemBus()
425
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
486
426
"""
487
427
# dbus.service.Object doesn't use super(), so we can't either.
488
428
489
def __init__(self, bus = None, *args, **kwargs):
490
self.bus = bus
429
def __init__(self, *args, **kwargs):
491
430
Client.__init__(self, *args, **kwargs)
492
431
# Only now, when this client is initialized, can it show up on
493
432
# the D-Bus
494
433
self.dbus_object_path = (dbus.ObjectPath
495
(u"/clients/"
496
+ self.name.replace(u".", u"_")))
497
dbus.service.Object.__init__(self, self.bus,
434
("/clients/"
435
+ self.name.replace(".", "_")))
436
dbus.service.Object.__init__(self, bus,
498
437
self.dbus_object_path)
499
500
@staticmethod
501
def _datetime_to_dbus(dt, variant_level=0):
502
"""Convert a UTC datetime.datetime() to a D-Bus type."""
503
return dbus.String(dt.isoformat(),
504
variant_level=variant_level)
505
506
438
def enable(self):
507
oldstate = getattr(self, u"enabled", False)
439
oldstate = getattr(self, "enabled", False)
508
440
r = Client.enable(self)
509
441
if oldstate != self.enabled:
510
442
# Emit D-Bus signals
511
443
self.PropertyChanged(dbus.String(u"enabled"),
512
444
dbus.Boolean(True, variant_level=1))
513
self.PropertyChanged(
514
dbus.String(u"last_enabled"),
515
self._datetime_to_dbus(self.last_enabled,
516
variant_level=1))
445
self.PropertyChanged(dbus.String(u"last_enabled"),
446
(_datetime_to_dbus(self.last_enabled,
447
variant_level=1)))
517
448
return r
518
449
519
450
def disable(self, signal = True):
520
oldstate = getattr(self, u"enabled", False)
451
oldstate = getattr(self, "enabled", False)
521
452
r = Client.disable(self)
522
453
if signal and oldstate != self.enabled:
523
454
# Emit D-Bus signal
530
461
self.remove_from_connection()
531
462
except LookupError:
532
463
pass
533
if hasattr(dbus.service.Object, u"__del__"):
464
if hasattr(dbus.service.Object, "__del__"):
534
465
dbus.service.Object.__del__(self, *args, **kwargs)
535
466
Client.__del__(self, *args, **kwargs)
536
467
561
492
# Emit D-Bus signal
562
493
self.PropertyChanged(
563
494
dbus.String(u"last_checked_ok"),
564
(self._datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)))
495
(_datetime_to_dbus(self.last_checked_ok,
496
variant_level=1)))
566
497
return r
567
498
568
499
def start_checker(self, *args, **kwargs):
578
509
# Emit D-Bus signal
579
510
self.CheckerStarted(self.current_checker_command)
580
511
self.PropertyChanged(
581
dbus.String(u"checker_running"),
512
dbus.String("checker_running"),
582
513
dbus.Boolean(True, variant_level=1))
583
514
return r
584
515
585
516
def stop_checker(self, *args, **kwargs):
586
old_checker = getattr(self, u"checker", None)
517
old_checker = getattr(self, "checker", None)
587
518
r = Client.stop_checker(self, *args, **kwargs)
588
519
if (old_checker is not None
589
and getattr(self, u"checker", None) is None):
520
and getattr(self, "checker", None) is None):
590
521
self.PropertyChanged(dbus.String(u"checker_running"),
591
522
dbus.Boolean(False, variant_level=1))
592
523
return r
595
526
_interface = u"se.bsnet.fukt.Mandos.Client"
596
527
597
528
# CheckedOK - method
598
@dbus.service.method(_interface)
599
def CheckedOK(self):
600
return self.checked_ok()
529
CheckedOK = dbus.service.method(_interface)(checked_ok)
530
CheckedOK.__name__ = "CheckedOK"
601
531
602
532
# CheckerCompleted - signal
603
@dbus.service.signal(_interface, signature=u"nxs")
533
@dbus.service.signal(_interface, signature="nxs")
604
534
def CheckerCompleted(self, exitcode, waitstatus, command):
605
535
"D-Bus signal"
606
536
pass
607
537
608
538
# CheckerStarted - signal
609
@dbus.service.signal(_interface, signature=u"s")
539
@dbus.service.signal(_interface, signature="s")
610
540
def CheckerStarted(self, command):
611
541
"D-Bus signal"
612
542
pass
613
543
614
544
# GetAllProperties - method
615
@dbus.service.method(_interface, out_signature=u"a{sv}")
545
@dbus.service.method(_interface, out_signature="a{sv}")
616
546
def GetAllProperties(self):
617
547
"D-Bus method"
618
548
return dbus.Dictionary({
619
dbus.String(u"name"):
549
dbus.String("name"):
620
550
dbus.String(self.name, variant_level=1),
621
dbus.String(u"fingerprint"):
551
dbus.String("fingerprint"):
622
552
dbus.String(self.fingerprint, variant_level=1),
623
dbus.String(u"host"):
553
dbus.String("host"):
624
554
dbus.String(self.host, variant_level=1),
625
dbus.String(u"created"):
626
self._datetime_to_dbus(self.created,
627
variant_level=1),
628
dbus.String(u"last_enabled"):
629
(self._datetime_to_dbus(self.last_enabled,
630
variant_level=1)
555
dbus.String("created"):
556
_datetime_to_dbus(self.created, variant_level=1),
557
dbus.String("last_enabled"):
558
(_datetime_to_dbus(self.last_enabled,
559
variant_level=1)
631
560
if self.last_enabled is not None
632
561
else dbus.Boolean(False, variant_level=1)),
633
dbus.String(u"enabled"):
562
dbus.String("enabled"):
634
563
dbus.Boolean(self.enabled, variant_level=1),
635
dbus.String(u"last_checked_ok"):
636
(self._datetime_to_dbus(self.last_checked_ok,
637
variant_level=1)
564
dbus.String("last_checked_ok"):
565
(_datetime_to_dbus(self.last_checked_ok,
566
variant_level=1)
638
567
if self.last_checked_ok is not None
639
568
else dbus.Boolean (False, variant_level=1)),
640
dbus.String(u"timeout"):
569
dbus.String("timeout"):
641
570
dbus.UInt64(self.timeout_milliseconds(),
642
571
variant_level=1),
643
dbus.String(u"interval"):
572
dbus.String("interval"):
644
573
dbus.UInt64(self.interval_milliseconds(),
645
574
variant_level=1),
646
dbus.String(u"checker"):
575
dbus.String("checker"):
647
576
dbus.String(self.checker_command,
648
577
variant_level=1),
649
dbus.String(u"checker_running"):
578
dbus.String("checker_running"):
650
579
dbus.Boolean(self.checker is not None,
651
580
variant_level=1),
652
dbus.String(u"object_path"):
581
dbus.String("object_path"):
653
582
dbus.ObjectPath(self.dbus_object_path,
654
583
variant_level=1)
655
}, signature=u"sv")
584
}, signature="sv")
656
585
657
586
# IsStillValid - method
658
@dbus.service.method(_interface, out_signature=u"b")
587
@dbus.service.method(_interface, out_signature="b")
659
588
def IsStillValid(self):
660
589
return self.still_valid()
661
590
662
591
# PropertyChanged - signal
663
@dbus.service.signal(_interface, signature=u"sv")
592
@dbus.service.signal(_interface, signature="sv")
664
593
def PropertyChanged(self, property, value):
665
594
"D-Bus signal"
666
595
pass
678
607
pass
679
608
680
609
# SetChecker - method
681
@dbus.service.method(_interface, in_signature=u"s")
610
@dbus.service.method(_interface, in_signature="s")
682
611
def SetChecker(self, checker):
683
612
"D-Bus setter method"
684
613
self.checker_command = checker
688
617
variant_level=1))
689
618
690
619
# SetHost - method
691
@dbus.service.method(_interface, in_signature=u"s")
620
@dbus.service.method(_interface, in_signature="s")
692
621
def SetHost(self, host):
693
622
"D-Bus setter method"
694
623
self.host = host
697
626
dbus.String(self.host, variant_level=1))
698
627
699
628
# SetInterval - method
700
@dbus.service.method(_interface, in_signature=u"t")
629
@dbus.service.method(_interface, in_signature="t")
701
630
def SetInterval(self, milliseconds):
702
631
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
703
632
# Emit D-Bus signal
706
635
variant_level=1)))
707
636
708
637
# SetSecret - method
709
@dbus.service.method(_interface, in_signature=u"ay",
638
@dbus.service.method(_interface, in_signature="ay",
710
639
byte_arrays=True)
711
640
def SetSecret(self, secret):
712
641
"D-Bus setter method"
713
642
self.secret = str(secret)
714
643
715
644
# SetTimeout - method
716
@dbus.service.method(_interface, in_signature=u"t")
645
@dbus.service.method(_interface, in_signature="t")
717
646
def SetTimeout(self, milliseconds):
718
647
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
719
648
# Emit D-Bus signal
722
651
variant_level=1)))
723
652
724
653
# Enable - method
725
@dbus.service.method(_interface)
726
def Enable(self):
727
"D-Bus method"
728
self.enable()
654
Enable = dbus.service.method(_interface)(enable)
655
Enable.__name__ = "Enable"
729
656
730
657
# StartChecker - method
731
658
@dbus.service.method(_interface)
740
667
self.disable()
741
668
742
669
# StopChecker - method
743
@dbus.service.method(_interface)
744
def StopChecker(self):
745
self.stop_checker()
670
StopChecker = dbus.service.method(_interface)(stop_checker)
671
StopChecker.__name__ = "StopChecker"
746
672
747
673
del _interface
748
674
749
675
750
class ClientHandler(socketserver.BaseRequestHandler, object):
751
"""A class to handle client connections.
752
753
Instantiated once for each connection to handle it.
676
class TCP_handler(SocketServer.BaseRequestHandler, object):
677
"""A TCP request handler class.
678
Instantiated by IPv6_TCPServer for each request to handle it.
754
679
Note: This will run in its own forked process."""
755
680
756
681
def handle(self):
758
683
unicode(self.client_address))
759
684
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
760
685
# Open IPC pipe to parent process
761
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
686
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
762
687
session = (gnutls.connection
763
688
.ClientSession(self.request,
764
689
gnutls.connection
778
703
# no X.509 keys are added to it. Therefore, we can use it
779
704
# here despite using OpenPGP certificates.
780
705
781
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
782
# u"+AES-256-CBC", u"+SHA1",
783
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
784
# u"+DHE-DSS"))
706
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
707
# "+AES-256-CBC", "+SHA1",
708
# "+COMP-NULL", "+CTYPE-OPENPGP",
709
# "+DHE-DSS"))
785
710
# Use a fallback default, since this MUST be set.
786
priority = self.server.gnutls_priority
787
if priority is None:
788
priority = u"NORMAL"
711
priority = self.server.settings.get("priority", "NORMAL")
789
712
(gnutls.library.functions
790
713
.gnutls_priority_set_direct(session._c_object,
791
714
priority, None))
811
734
client = c
812
735
break
813
736
else:
814
ipc.write(u"NOTFOUND %s\n" % fpr)
737
ipc.write("NOTFOUND %s\n" % fpr)
815
738
session.bye()
816
739
return
817
740
# Have to check if client.still_valid(), since it is
818
741
# possible that the client timed out while establishing
819
742
# the GnuTLS session.
820
743
if not client.still_valid():
821
ipc.write(u"INVALID %s\n" % client.name)
744
ipc.write("INVALID %s\n" % client.name)
822
745
session.bye()
823
746
return
824
ipc.write(u"SENDING %s\n" % client.name)
747
ipc.write("SENDING %s\n" % client.name)
825
748
sent_size = 0
826
749
while sent_size < len(client.secret):
827
750
sent = session.send(client.secret[sent_size:])
845
768
.gnutls_certificate_get_peers
846
769
(session._c_object, ctypes.byref(list_size)))
847
770
if not bool(cert_list) and list_size.value != 0:
848
raise gnutls.errors.GNUTLSError(u"error getting peer"
849
u" certificate")
771
raise gnutls.errors.GNUTLSError("error getting peer"
772
" certificate")
850
773
if list_size.value == 0:
851
774
return None
852
775
cert = cert_list[0]
878
801
if crtverify.value != 0:
879
802
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
880
803
raise (gnutls.errors.CertificateSecurityError
881
(u"Verify failed"))
804
("Verify failed"))
882
805
# New buffer for the fingerprint
883
806
buf = ctypes.create_string_buffer(20)
884
807
buf_len = ctypes.c_size_t()
895
818
return hex_fpr
896
819
897
820
898
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
899
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
821
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
822
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
823
Assumes a gobject.MainLoop event loop.
824
"""
900
825
def process_request(self, request, client_address):
901
"""Overrides and wraps the original process_request().
902
826
"""This overrides and wraps the original process_request().
903
827
This function creates a new pipe in self.pipe
904
828
"""
905
829
self.pipe = os.pipe()
906
830
super(ForkingMixInWithPipe,
907
831
self).process_request(request, client_address)
908
832
os.close(self.pipe[1]) # close write end
909
self.add_pipe(self.pipe[0])
910
def add_pipe(self, pipe):
833
# Call "handle_ipc" for both data and EOF events
834
gobject.io_add_watch(self.pipe[0],
835
gobject.IO_IN | gobject.IO_HUP,
836
self.handle_ipc)
837
def handle_ipc(source, condition):
911
838
"""Dummy function; override as necessary"""
912
os.close(pipe)
839
os.close(source)
840
return False
913
841
914
842
915
843
class IPv6_TCPServer(ForkingMixInWithPipe,
916
socketserver.TCPServer, object):
844
SocketServer.TCPServer, object):
917
845
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
918
919
846
Attributes:
847
settings: Server settings
848
clients: Set() of Client objects
920
849
enabled: Boolean; whether this server is activated yet
921
interface: None or a network interface name (string)
922
use_ipv6: Boolean; to use IPv6 or not
923
850
"""
924
def __init__(self, server_address, RequestHandlerClass,
925
interface=None, use_ipv6=True):
926
self.interface = interface
927
if use_ipv6:
928
self.address_family = socket.AF_INET6
929
socketserver.TCPServer.__init__(self, server_address,
930
RequestHandlerClass)
851
address_family = socket.AF_INET6
852
def __init__(self, *args, **kwargs):
853
if "settings" in kwargs:
854
self.settings = kwargs["settings"]
855
del kwargs["settings"]
856
if "clients" in kwargs:
857
self.clients = kwargs["clients"]
858
del kwargs["clients"]
859
if "use_ipv6" in kwargs:
860
if not kwargs["use_ipv6"]:
861
self.address_family = socket.AF_INET
862
del kwargs["use_ipv6"]
863
self.enabled = False
864
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
931
865
def server_bind(self):
932
866
"""This overrides the normal server_bind() function
933
867
to bind to an interface if one was specified, and also NOT to
934
868
bind to an address or port if they were not specified."""
935
if self.interface is not None:
936
if SO_BINDTODEVICE is None:
937
logger.error(u"SO_BINDTODEVICE does not exist;"
938
u" cannot bind to interface %s",
939
self.interface)
940
else:
941
try:
942
self.socket.setsockopt(socket.SOL_SOCKET,
943
SO_BINDTODEVICE,
944
str(self.interface
945
+ u'\0'))
946
except socket.error, error:
947
if error[0] == errno.EPERM:
948
logger.error(u"No permission to"
949
u" bind to interface %s",
950
self.interface)
951
elif error[0] == errno.ENOPROTOOPT:
952
logger.error(u"SO_BINDTODEVICE not available;"
953
u" cannot bind to interface %s",
954
self.interface)
955
else:
956
raise
869
if self.settings["interface"]:
870
# 25 is from /usr/include/asm-i486/socket.h
871
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
872
try:
873
self.socket.setsockopt(socket.SOL_SOCKET,
874
SO_BINDTODEVICE,
875
self.settings["interface"])
876
except socket.error, error:
877
if error[0] == errno.EPERM:
878
logger.error(u"No permission to"
879
u" bind to interface %s",
880
self.settings["interface"])
881
else:
882
raise
957
883
# Only bind(2) the socket if we really need to.
958
884
if self.server_address[0] or self.server_address[1]:
959
885
if not self.server_address[0]:
960
886
if self.address_family == socket.AF_INET6:
961
any_address = u"::" # in6addr_any
887
any_address = "::" # in6addr_any
962
888
else:
963
889
any_address = socket.INADDR_ANY
964
890
self.server_address = (any_address,
966
892
elif not self.server_address[1]:
967
893
self.server_address = (self.server_address[0],
968
894
0)
969
# if self.interface:
895
# if self.settings["interface"]:
970
896
# self.server_address = (self.server_address[0],
971
897
# 0, # port
972
898
# 0, # flowinfo
973
899
# if_nametoindex
974
# (self.interface))
975
return socketserver.TCPServer.server_bind(self)
976
977
978
class MandosServer(IPv6_TCPServer):
979
"""Mandos server.
980
981
Attributes:
982
clients: set of Client objects
983
gnutls_priority GnuTLS priority string
984
use_dbus: Boolean; to emit D-Bus signals or not
985
clients: set of Client objects
986
gnutls_priority GnuTLS priority string
987
use_dbus: Boolean; to emit D-Bus signals or not
988
989
Assumes a gobject.MainLoop event loop.
990
"""
991
def __init__(self, server_address, RequestHandlerClass,
992
interface=None, use_ipv6=True, clients=None,
993
gnutls_priority=None, use_dbus=True):
994
self.enabled = False
995
self.clients = clients
996
if self.clients is None:
997
self.clients = set()
998
self.use_dbus = use_dbus
999
self.gnutls_priority = gnutls_priority
1000
IPv6_TCPServer.__init__(self, server_address,
1001
RequestHandlerClass,
1002
interface = interface,
1003
use_ipv6 = use_ipv6)
900
# (self.settings
901
# ["interface"]))
902
return super(IPv6_TCPServer, self).server_bind()
1004
903
def server_activate(self):
1005
904
if self.enabled:
1006
return socketserver.TCPServer.server_activate(self)
905
return super(IPv6_TCPServer, self).server_activate()
1007
906
def enable(self):
1008
907
self.enabled = True
1009
def add_pipe(self, pipe):
1010
# Call "handle_ipc" for both data and EOF events
1011
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1012
self.handle_ipc)
1013
908
def handle_ipc(self, source, condition, file_objects={}):
1014
909
condition_names = {
1015
gobject.IO_IN: u"IN", # There is data to read.
1016
gobject.IO_OUT: u"OUT", # Data can be written (without
1017
# blocking).
1018
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1019
gobject.IO_ERR: u"ERR", # Error condition.
1020
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1021
# broken, usually for pipes and
1022
# sockets).
910
gobject.IO_IN: "IN", # There is data to read.
911
gobject.IO_OUT: "OUT", # Data can be written (without
912
# blocking).
913
gobject.IO_PRI: "PRI", # There is urgent data to read.
914
gobject.IO_ERR: "ERR", # Error condition.
915
gobject.IO_HUP: "HUP" # Hung up (the connection has been
916
# broken, usually for pipes and
917
# sockets).
1023
918
}
1024
919
conditions_string = ' | '.join(name
1025
920
for cond, name in
1026
921
condition_names.iteritems()
1027
922
if cond & condition)
1028
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
923
logger.debug("Handling IPC: FD = %d, condition = %s", source,
1029
924
conditions_string)
1030
925
1031
926
# Turn the pipe file descriptor into a Python file object
1032
927
if source not in file_objects:
1033
file_objects[source] = os.fdopen(source, u"r", 1)
928
file_objects[source] = os.fdopen(source, "r", 1)
1034
929
1035
930
# Read a line from the file object
1036
931
cmdline = file_objects[source].readline()
1042
937
# Stop calling this function
1043
938
return False
1044
939
1045
logger.debug(u"IPC command: %r", cmdline)
940
logger.debug("IPC command: %r", cmdline)
1046
941
1047
942
# Parse and act on command
1048
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
943
cmd, args = cmdline.rstrip("\r\n").split(None, 1)
1049
944
1050
if cmd == u"NOTFOUND":
945
if cmd == "NOTFOUND":
1051
946
logger.warning(u"Client not found for fingerprint: %s",
1052
947
args)
1053
if self.use_dbus:
948
if self.settings["use_dbus"]:
1054
949
# Emit D-Bus signal
1055
950
mandos_dbus_service.ClientNotFound(args)
1056
elif cmd == u"INVALID":
951
elif cmd == "INVALID":
1057
952
for client in self.clients:
1058
953
if client.name == args:
1059
954
logger.warning(u"Client %s is invalid", args)
1060
if self.use_dbus:
955
if self.settings["use_dbus"]:
1061
956
# Emit D-Bus signal
1062
957
client.Rejected()
1063
958
break
1064
959
else:
1065
960
logger.error(u"Unknown client %s is invalid", args)
1066
elif cmd == u"SENDING":
961
elif cmd == "SENDING":
1067
962
for client in self.clients:
1068
963
if client.name == args:
1069
964
logger.info(u"Sending secret to %s", client.name)
1070
965
client.checked_ok()
1071
if self.use_dbus:
966
if self.settings["use_dbus"]:
1072
967
# Emit D-Bus signal
1073
968
client.ReceivedSecret()
1074
969
break
1076
971
logger.error(u"Sending secret to unknown client %s",
1077
972
args)
1078
973
else:
1079
logger.error(u"Unknown IPC command: %r", cmdline)
974
logger.error("Unknown IPC command: %r", cmdline)
1080
975
1081
976
# Keep calling this function
1082
977
return True
1085
980
def string_to_delta(interval):
1086
981
"""Parse a string and return a datetime.timedelta
1087
982
1088
>>> string_to_delta(u'7d')
983
>>> string_to_delta('7d')
1089
984
datetime.timedelta(7)
1090
>>> string_to_delta(u'60s')
985
>>> string_to_delta('60s')
1091
986
datetime.timedelta(0, 60)
1092
>>> string_to_delta(u'60m')
987
>>> string_to_delta('60m')
1093
988
datetime.timedelta(0, 3600)
1094
>>> string_to_delta(u'24h')
989
>>> string_to_delta('24h')
1095
990
datetime.timedelta(1)
1096
991
>>> string_to_delta(u'1w')
1097
992
datetime.timedelta(7)
1098
>>> string_to_delta(u'5m 30s')
993
>>> string_to_delta('5m 30s')
1099
994
datetime.timedelta(0, 330)
1100
995
"""
1101
996
timevalue = datetime.timedelta(0)
1121
1016
return timevalue
1122
1017
1123
1018
1019
def server_state_changed(state):
1020
"""Derived from the Avahi example code"""
1021
if state == avahi.SERVER_COLLISION:
1022
logger.error(u"Zeroconf server name collision")
1023
service.remove()
1024
elif state == avahi.SERVER_RUNNING:
1025
service.add()
1026
1027
1028
def entry_group_state_changed(state, error):
1029
"""Derived from the Avahi example code"""
1030
logger.debug(u"Avahi state change: %i", state)
1031
1032
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1033
logger.debug(u"Zeroconf service established.")
1034
elif state == avahi.ENTRY_GROUP_COLLISION:
1035
logger.warning(u"Zeroconf service name collision.")
1036
service.rename()
1037
elif state == avahi.ENTRY_GROUP_FAILURE:
1038
logger.critical(u"Avahi: Error in group state changed %s",
1039
unicode(error))
1040
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1041
1124
1042
def if_nametoindex(interface):
1125
"""Call the C function if_nametoindex(), or equivalent
1126
1127
Note: This function cannot accept a unicode string."""
1043
"""Call the C function if_nametoindex(), or equivalent"""
1128
1044
global if_nametoindex
1129
1045
try:
1130
1046
if_nametoindex = (ctypes.cdll.LoadLibrary
1131
(ctypes.util.find_library(u"c"))
1047
(ctypes.util.find_library("c"))
1132
1048
.if_nametoindex)
1133
1049
except (OSError, AttributeError):
1134
logger.warning(u"Doing if_nametoindex the hard way")
1050
if "struct" not in sys.modules:
1051
import struct
1052
if "fcntl" not in sys.modules:
1053
import fcntl
1135
1054
def if_nametoindex(interface):
1136
1055
"Get an interface index the hard way, i.e. using fcntl()"
1137
1056
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1138
1057
with closing(socket.socket()) as s:
1139
1058
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1140
struct.pack(str(u"16s16x"),
1141
interface))
1142
interface_index = struct.unpack(str(u"I"),
1143
ifreq[16:20])[0]
1059
struct.pack("16s16x", interface))
1060
interface_index = struct.unpack("I", ifreq[16:20])[0]
1144
1061
return interface_index
1145
1062
return if_nametoindex(interface)
1146
1063
1147
1064
1148
1065
def daemon(nochdir = False, noclose = False):
1149
1066
"""See daemon(3). Standard BSD Unix function.
1150
1151
1067
This should really exist as os.daemon, but it doesn't (yet)."""
1152
1068
if os.fork():
1153
1069
sys.exit()
1154
1070
os.setsid()
1155
1071
if not nochdir:
1156
os.chdir(u"/")
1072
os.chdir("/")
1157
1073
if os.fork():
1158
1074
sys.exit()
1159
1075
if not noclose:
1161
1077
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1162
1078
if not stat.S_ISCHR(os.fstat(null).st_mode):
1163
1079
raise OSError(errno.ENODEV,
1164
u"/dev/null not a character device")
1080
"/dev/null not a character device")
1165
1081
os.dup2(null, sys.stdin.fileno())
1166
1082
os.dup2(null, sys.stdout.fileno())
1167
1083
os.dup2(null, sys.stderr.fileno())
1175
1091
# Parsing of options, both command line and config file
1176
1092
1177
1093
parser = optparse.OptionParser(version = "%%prog %s" % version)
1178
parser.add_option("-i", u"--interface", type=u"string",
1179
metavar="IF", help=u"Bind to interface IF")
1180
parser.add_option("-a", u"--address", type=u"string",
1181
help=u"Address to listen for requests on")
1182
parser.add_option("-p", u"--port", type=u"int",
1183
help=u"Port number to receive requests on")
1184
parser.add_option("--check", action=u"store_true",
1185
help=u"Run self-test")
1186
parser.add_option("--debug", action=u"store_true",
1187
help=u"Debug mode; run in foreground and log to"
1188
u" terminal")
1189
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1190
u" priority string (see GnuTLS documentation)")
1191
parser.add_option("--servicename", type=u"string",
1192
metavar=u"NAME", help=u"Zeroconf service name")
1193
parser.add_option("--configdir", type=u"string",
1194
default=u"/etc/mandos", metavar=u"DIR",
1195
help=u"Directory to search for configuration"
1196
u" files")
1197
parser.add_option("--no-dbus", action=u"store_false",
1198
dest=u"use_dbus", help=u"Do not provide D-Bus"
1199
u" system bus interface")
1200
parser.add_option("--no-ipv6", action=u"store_false",
1201
dest=u"use_ipv6", help=u"Do not use IPv6")
1094
parser.add_option("-i", "--interface", type="string",
1095
metavar="IF", help="Bind to interface IF")
1096
parser.add_option("-a", "--address", type="string",
1097
help="Address to listen for requests on")
1098
parser.add_option("-p", "--port", type="int",
1099
help="Port number to receive requests on")
1100
parser.add_option("--check", action="store_true",
1101
help="Run self-test")
1102
parser.add_option("--debug", action="store_true",
1103
help="Debug mode; run in foreground and log to"
1104
" terminal")
1105
parser.add_option("--priority", type="string", help="GnuTLS"
1106
" priority string (see GnuTLS documentation)")
1107
parser.add_option("--servicename", type="string", metavar="NAME",
1108
help="Zeroconf service name")
1109
parser.add_option("--configdir", type="string",
1110
default="/etc/mandos", metavar="DIR",
1111
help="Directory to search for configuration"
1112
" files")
1113
parser.add_option("--no-dbus", action="store_false",
1114
dest="use_dbus",
1115
help="Do not provide D-Bus system bus"
1116
" interface")
1117
parser.add_option("--no-ipv6", action="store_false",
1118
dest="use_ipv6", help="Do not use IPv6")
1202
1119
options = parser.parse_args()[0]
1203
1120
1204
1121
if options.check:
1207
1124
sys.exit()
1208
1125
1209
1126
# Default values for config file for server-global settings
1210
server_defaults = { u"interface": u"",
1211
u"address": u"",
1212
u"port": u"",
1213
u"debug": u"False",
1214
u"priority":
1215
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1216
u"servicename": u"Mandos",
1217
u"use_dbus": u"True",
1218
u"use_ipv6": u"True",
1127
server_defaults = { "interface": "",
1128
"address": "",
1129
"port": "",
1130
"debug": "False",
1131
"priority":
1132
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1133
"servicename": "Mandos",
1134
"use_dbus": "True",
1135
"use_ipv6": "True",
1219
1136
}
1220
1137
1221
1138
# Parse config file for server-global settings
1222
server_config = configparser.SafeConfigParser(server_defaults)
1139
server_config = ConfigParser.SafeConfigParser(server_defaults)
1223
1140
del server_defaults
1224
server_config.read(os.path.join(options.configdir,
1225
u"mandos.conf"))
1141
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1226
1142
# Convert the SafeConfigParser object to a dict
1227
1143
server_settings = server_config.defaults()
1228
1144
# Use the appropriate methods on the non-string config options
1229
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1230
server_settings[option] = server_config.getboolean(u"DEFAULT",
1231
option)
1145
server_settings["debug"] = server_config.getboolean("DEFAULT",
1146
"debug")
1147
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1148
"use_dbus")
1149
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1150
"use_ipv6")
1232
1151
if server_settings["port"]:
1233
server_settings["port"] = server_config.getint(u"DEFAULT",
1234
u"port")
1152
server_settings["port"] = server_config.getint("DEFAULT",
1153
"port")
1235
1154
del server_config
1236
1155
1237
1156
# Override the settings from the config file with command line
1238
1157
# options, if set.
1239
for option in (u"interface", u"address", u"port", u"debug",
1240
u"priority", u"servicename", u"configdir",
1241
u"use_dbus", u"use_ipv6"):
1158
for option in ("interface", "address", "port", "debug",
1159
"priority", "servicename", "configdir",
1160
"use_dbus", "use_ipv6"):
1242
1161
value = getattr(options, option)
1243
1162
if value is not None:
1244
1163
server_settings[option] = value
1245
1164
del options
1246
# Force all strings to be unicode
1247
for option in server_settings.keys():
1248
if type(server_settings[option]) is str:
1249
server_settings[option] = unicode(server_settings[option])
1250
1165
# Now we have our good server settings in "server_settings"
1251
1166
1252
1167
##################################################################
1253
1168
1254
1169
# For convenience
1255
debug = server_settings[u"debug"]
1256
use_dbus = server_settings[u"use_dbus"]
1257
use_ipv6 = server_settings[u"use_ipv6"]
1170
debug = server_settings["debug"]
1171
use_dbus = server_settings["use_dbus"]
1172
use_ipv6 = server_settings["use_ipv6"]
1258
1173
1259
1174
if not debug:
1260
1175
syslogger.setLevel(logging.WARNING)
1261
1176
console.setLevel(logging.WARNING)
1262
1177
1263
if server_settings[u"servicename"] != u"Mandos":
1178
if server_settings["servicename"] != "Mandos":
1264
1179
syslogger.setFormatter(logging.Formatter
1265
(u'Mandos (%s) [%%(process)d]:'
1266
u' %%(levelname)s: %%(message)s'
1267
% server_settings[u"servicename"]))
1180
('Mandos (%s) [%%(process)d]:'
1181
' %%(levelname)s: %%(message)s'
1182
% server_settings["servicename"]))
1268
1183
1269
1184
# Parse config file with clients
1270
client_defaults = { u"timeout": u"1h",
1271
u"interval": u"5m",
1272
u"checker": u"fping -q -- %%(host)s",
1273
u"host": u"",
1185
client_defaults = { "timeout": "1h",
1186
"interval": "5m",
1187
"checker": "fping -q -- %%(host)s",
1188
"host": "",
1274
1189
}
1275
client_config = configparser.SafeConfigParser(client_defaults)
1276
client_config.read(os.path.join(server_settings[u"configdir"],
1277
u"clients.conf"))
1278
1190
client_config = ConfigParser.SafeConfigParser(client_defaults)
1191
client_config.read(os.path.join(server_settings["configdir"],
1192
"clients.conf"))
1193
1279
1194
global mandos_dbus_service
1280
1195
mandos_dbus_service = None
1281
1196
1282
tcp_server = MandosServer((server_settings[u"address"],
1283
server_settings[u"port"]),
1284
ClientHandler,
1285
interface=server_settings[u"interface"],
1286
use_ipv6=use_ipv6,
1287
gnutls_priority=
1288
server_settings[u"priority"],
1289
use_dbus=use_dbus)
1290
pidfilename = u"/var/run/mandos.pid"
1197
clients = Set()
1198
tcp_server = IPv6_TCPServer((server_settings["address"],
1199
server_settings["port"]),
1200
TCP_handler,
1201
settings=server_settings,
1202
clients=clients, use_ipv6=use_ipv6)
1203
pidfilename = "/var/run/mandos.pid"
1291
1204
try:
1292
pidfile = open(pidfilename, u"w")
1205
pidfile = open(pidfilename, "w")
1293
1206
except IOError:
1294
logger.error(u"Could not open file %r", pidfilename)
1207
logger.error("Could not open file %r", pidfilename)
1295
1208
1296
1209
try:
1297
uid = pwd.getpwnam(u"_mandos").pw_uid
1298
gid = pwd.getpwnam(u"_mandos").pw_gid
1210
uid = pwd.getpwnam("_mandos").pw_uid
1211
gid = pwd.getpwnam("_mandos").pw_gid
1299
1212
except KeyError:
1300
1213
try:
1301
uid = pwd.getpwnam(u"mandos").pw_uid
1302
gid = pwd.getpwnam(u"mandos").pw_gid
1214
uid = pwd.getpwnam("mandos").pw_uid
1215
gid = pwd.getpwnam("mandos").pw_gid
1303
1216
except KeyError:
1304
1217
try:
1305
uid = pwd.getpwnam(u"nobody").pw_uid
1306
gid = pwd.getpwnam(u"nobody").pw_gid
1218
uid = pwd.getpwnam("nobody").pw_uid
1219
gid = pwd.getpwnam("nogroup").pw_gid
1307
1220
except KeyError:
1308
1221
uid = 65534
1309
1222
gid = 65534
1322
1235
1323
1236
@gnutls.library.types.gnutls_log_func
1324
1237
def debug_gnutls(level, string):
1325
logger.debug(u"GnuTLS: %s", string[:-1])
1238
logger.debug("GnuTLS: %s", string[:-1])
1326
1239
1327
1240
(gnutls.library.functions
1328
1241
.gnutls_global_set_log_function(debug_gnutls))
1329
1242
1243
global service
1244
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1245
service = AvahiService(name = server_settings["servicename"],
1246
servicetype = "_mandos._tcp",
1247
protocol = protocol)
1248
if server_settings["interface"]:
1249
service.interface = (if_nametoindex
1250
(server_settings["interface"]))
1251
1330
1252
global main_loop
1253
global bus
1254
global server
1331
1255
# From the Avahi example code
1332
1256
DBusGMainLoop(set_as_default=True )
1333
1257
main_loop = gobject.MainLoop()
1334
1258
bus = dbus.SystemBus()
1259
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1260
avahi.DBUS_PATH_SERVER),
1261
avahi.DBUS_INTERFACE_SERVER)
1335
1262
# End of Avahi example code
1336
1263
if use_dbus:
1337
1264
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1338
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1339
service = AvahiService(name = server_settings[u"servicename"],
1340
servicetype = u"_mandos._tcp",
1341
protocol = protocol, bus = bus)
1342
if server_settings["interface"]:
1343
service.interface = (if_nametoindex
1344
(str(server_settings[u"interface"])))
1345
1265
1346
1266
client_class = Client
1347
1267
if use_dbus:
1348
client_class = functools.partial(ClientDBus, bus = bus)
1349
tcp_server.clients.update(set(
1268
client_class = ClientDBus
1269
clients.update(Set(
1350
1270
client_class(name = section,
1351
1271
config= dict(client_config.items(section)))
1352
1272
for section in client_config.sections()))
1353
if not tcp_server.clients:
1273
if not clients:
1354
1274
logger.warning(u"No clients defined")
1355
1275
1356
1276
if debug:
1380
1300
1381
1301
def cleanup():
1382
1302
"Cleanup function; run on exit"
1383
service.cleanup()
1303
global group
1304
# From the Avahi example code
1305
if not group is None:
1306
group.Free()
1307
group = None
1308
# End of Avahi example code
1384
1309
1385
while tcp_server.clients:
1386
client = tcp_server.clients.pop()
1310
while clients:
1311
client = clients.pop()
1387
1312
client.disable_hook = None
1388
1313
client.disable()
1389
1314
1398
1323
class MandosDBusService(dbus.service.Object):
1399
1324
"""A D-Bus proxy object"""
1400
1325
def __init__(self):
1401
dbus.service.Object.__init__(self, bus, u"/")
1326
dbus.service.Object.__init__(self, bus, "/")
1402
1327
_interface = u"se.bsnet.fukt.Mandos"
1403
1328
1404
@dbus.service.signal(_interface, signature=u"oa{sv}")
1329
@dbus.service.signal(_interface, signature="oa{sv}")
1405
1330
def ClientAdded(self, objpath, properties):
1406
1331
"D-Bus signal"
1407
1332
pass
1408
1333
1409
@dbus.service.signal(_interface, signature=u"s")
1334
@dbus.service.signal(_interface, signature="s")
1410
1335
def ClientNotFound(self, fingerprint):
1411
1336
"D-Bus signal"
1412
1337
pass
1413
1338
1414
@dbus.service.signal(_interface, signature=u"os")
1339
@dbus.service.signal(_interface, signature="os")
1415
1340
def ClientRemoved(self, objpath, name):
1416
1341
"D-Bus signal"
1417
1342
pass
1418
1343
1419
@dbus.service.method(_interface, out_signature=u"ao")
1344
@dbus.service.method(_interface, out_signature="ao")
1420
1345
def GetAllClients(self):
1421
1346
"D-Bus method"
1422
return dbus.Array(c.dbus_object_path
1423
for c in tcp_server.clients)
1347
return dbus.Array(c.dbus_object_path for c in clients)
1424
1348
1425
@dbus.service.method(_interface,
1426
out_signature=u"a{oa{sv}}")
1349
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1427
1350
def GetAllClientsWithProperties(self):
1428
1351
"D-Bus method"
1429
1352
return dbus.Dictionary(
1430
1353
((c.dbus_object_path, c.GetAllProperties())
1431
for c in tcp_server.clients),
1432
signature=u"oa{sv}")
1354
for c in clients),
1355
signature="oa{sv}")
1433
1356
1434
@dbus.service.method(_interface, in_signature=u"o")
1357
@dbus.service.method(_interface, in_signature="o")
1435
1358
def RemoveClient(self, object_path):
1436
1359
"D-Bus method"
1437
for c in tcp_server.clients:
1360
for c in clients:
1438
1361
if c.dbus_object_path == object_path:
1439
tcp_server.clients.remove(c)
1362
clients.remove(c)
1440
1363
c.remove_from_connection()
1441
1364
# Don't signal anything except ClientRemoved
1442
1365
c.disable(signal=False)
1449
1372
1450
1373
mandos_dbus_service = MandosDBusService()
1451
1374
1452
for client in tcp_server.clients:
1375
for client in clients:
1453
1376
if use_dbus:
1454
1377
# Emit D-Bus signal
1455
1378
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1473
1396
1474
1397
try:
1475
1398
# From the Avahi example code
1399
server.connect_to_signal("StateChanged", server_state_changed)
1476
1400
try:
1477
service.activate()
1401
server_state_changed(server.GetState())
1478
1402
except dbus.exceptions.DBusException, error:
1479
1403
logger.critical(u"DBusException: %s", error)
1480
1404
sys.exit(1)
1493
1417
except KeyboardInterrupt:
1494
1418
if debug:
1495
1419
print >> sys.stderr
1496
logger.debug(u"Server received KeyboardInterrupt")
1497
logger.debug(u"Server exiting")
1420
logger.debug("Server received KeyboardInterrupt")
1421
logger.debug("Server exiting")
1498
1422
1499
1423
if __name__ == '__main__':
1500
1424
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0