To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 332
- compare with another revision
- download diff
- download tarball
- view history from revision 332
- Committer: Teddy Hogeborn
- Date: 2009-04-14 14:56:46 UTC
- Revision ID: teddy@fukt.bsnet.se-20090414145646-i6x4knw2f6cde3td
* debian/mandos-client.README.Debian: Added text about non-usability
of pseudo-network interfaces.
of pseudo-network interfaces.
- files removed:
- dbus-mandos.conf
- files modified:
- Makefile
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
55
56
import logging
56
57
import logging.handlers
57
58
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import multiprocessing
59
from contextlib import closing
64
60
65
61
import dbus
66
62
import dbus.service
69
65
from dbus.mainloop.glib import DBusGMainLoop
70
66
import ctypes
71
67
import ctypes.util
72
import xml.dom.minidom
73
import inspect
74
68
75
69
try:
76
70
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
78
72
try:
79
73
from IN import SO_BINDTODEVICE
80
74
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
75
# From /usr/include/asm/socket.h
76
SO_BINDTODEVICE = 25
77
78
79
version = "1.0.8"
80
81
logger = logging.Logger('mandos')
88
82
syslogger = (logging.handlers.SysLogHandler
89
83
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
90
84
address = "/dev/log"))
91
85
syslogger.setFormatter(logging.Formatter
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
86
('Mandos [%(process)d]: %(levelname)s:'
87
' %(message)s'))
94
88
logger.addHandler(syslogger)
95
89
96
90
console = logging.StreamHandler()
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
91
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
92
' %(levelname)s: %(message)s'))
100
93
logger.addHandler(console)
101
94
102
95
class AvahiError(Exception):
119
112
Attributes:
120
113
interface: integer; avahi.IF_UNSPEC or an interface index.
121
114
Used to optionally bind to the specified interface.
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
115
name: string; Example: 'Mandos'
116
type: string; Example: '_mandos._tcp'.
124
117
See <http://www.dns-sd.org/ServiceTypes.html>
125
118
port: integer; what port to announce
126
119
TXT: list of strings; TXT record for the service
129
122
max_renames: integer; maximum number of renames
130
123
rename_count: integer; counter so we only rename after collisions
131
124
a sensible number of times
132
group: D-Bus Entry Group
133
server: D-Bus Server
134
bus: dbus.SystemBus()
135
125
"""
136
126
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
137
127
servicetype = None, port = None, TXT = None,
138
domain = u"", host = u"", max_renames = 32768,
139
protocol = avahi.PROTO_UNSPEC, bus = None):
128
domain = "", host = "", max_renames = 32768,
129
protocol = avahi.PROTO_UNSPEC):
140
130
self.interface = interface
141
131
self.name = name
142
132
self.type = servicetype
147
137
self.rename_count = 0
148
138
self.max_renames = max_renames
149
139
self.protocol = protocol
150
self.group = None # our entry group
151
self.server = None
152
self.bus = bus
153
140
def rename(self):
154
141
"""Derived from the Avahi example code"""
155
142
if self.rename_count >= self.max_renames:
157
144
u" after %i retries, exiting.",
158
145
self.rename_count)
159
146
raise AvahiServiceError(u"Too many renames")
160
self.name = self.server.GetAlternativeServiceName(self.name)
147
self.name = server.GetAlternativeServiceName(self.name)
161
148
logger.info(u"Changing Zeroconf service name to %r ...",
162
unicode(self.name))
149
str(self.name))
163
150
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
151
('Mandos (%s) [%%(process)d]:'
152
' %%(levelname)s: %%(message)s'
166
153
% self.name))
167
154
self.remove()
168
155
self.add()
169
156
self.rename_count += 1
170
157
def remove(self):
171
158
"""Derived from the Avahi example code"""
172
if self.group is not None:
173
self.group.Reset()
159
if group is not None:
160
group.Reset()
174
161
def add(self):
175
162
"""Derived from the Avahi example code"""
176
if self.group is None:
177
self.group = dbus.Interface(
178
self.bus.get_object(avahi.DBUS_NAME,
179
self.server.EntryGroupNew()),
180
avahi.DBUS_INTERFACE_ENTRY_GROUP)
181
self.group.connect_to_signal('StateChanged',
182
self
183
.entry_group_state_changed)
163
global group
164
if group is None:
165
group = dbus.Interface(bus.get_object
166
(avahi.DBUS_NAME,
167
server.EntryGroupNew()),
168
avahi.DBUS_INTERFACE_ENTRY_GROUP)
169
group.connect_to_signal('StateChanged',
170
entry_group_state_changed)
184
171
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
185
self.name, self.type)
186
self.group.AddService(
187
self.interface,
188
self.protocol,
189
dbus.UInt32(0), # flags
190
self.name, self.type,
191
self.domain, self.host,
192
dbus.UInt16(self.port),
193
avahi.string_array_to_txt_array(self.TXT))
194
self.group.Commit()
195
def entry_group_state_changed(self, state, error):
196
"""Derived from the Avahi example code"""
197
logger.debug(u"Avahi state change: %i", state)
198
199
if state == avahi.ENTRY_GROUP_ESTABLISHED:
200
logger.debug(u"Zeroconf service established.")
201
elif state == avahi.ENTRY_GROUP_COLLISION:
202
logger.warning(u"Zeroconf service name collision.")
203
self.rename()
204
elif state == avahi.ENTRY_GROUP_FAILURE:
205
logger.critical(u"Avahi: Error in group state changed %s",
206
unicode(error))
207
raise AvahiGroupError(u"State changed: %s"
208
% unicode(error))
209
def cleanup(self):
210
"""Derived from the Avahi example code"""
211
if self.group is not None:
212
self.group.Free()
213
self.group = None
214
def server_state_changed(self, state):
215
"""Derived from the Avahi example code"""
216
if state == avahi.SERVER_COLLISION:
217
logger.error(u"Zeroconf server name collision")
218
self.remove()
219
elif state == avahi.SERVER_RUNNING:
220
self.add()
221
def activate(self):
222
"""Derived from the Avahi example code"""
223
if self.server is None:
224
self.server = dbus.Interface(
225
self.bus.get_object(avahi.DBUS_NAME,
226
avahi.DBUS_PATH_SERVER),
227
avahi.DBUS_INTERFACE_SERVER)
228
self.server.connect_to_signal(u"StateChanged",
229
self.server_state_changed)
230
self.server_state_changed(self.server.GetState())
172
service.name, service.type)
173
group.AddService(
174
self.interface, # interface
175
self.protocol, # protocol
176
dbus.UInt32(0), # flags
177
self.name, self.type,
178
self.domain, self.host,
179
dbus.UInt16(self.port),
180
avahi.string_array_to_txt_array(self.TXT))
181
group.Commit()
182
183
# From the Avahi example code:
184
group = None # our entry group
185
# End of Avahi example code
186
187
188
def _datetime_to_dbus(dt, variant_level=0):
189
"""Convert a UTC datetime.datetime() to a D-Bus type."""
190
return dbus.String(dt.isoformat(), variant_level=variant_level)
231
191
232
192
233
193
class Client(object):
245
205
enabled: bool()
246
206
last_checked_ok: datetime.datetime(); (UTC) or None
247
207
timeout: datetime.timedelta(); How long from last_checked_ok
248
until this client is disabled
208
until this client is invalid
249
209
interval: datetime.timedelta(); How often to start a new checker
250
210
disable_hook: If set, called by disable() as disable_hook(self)
251
211
checker: subprocess.Popen(); a running checker process used
252
212
to see if the client lives.
253
213
'None' if no process is running.
254
214
checker_initiator_tag: a gobject event source tag, or None
255
disable_initiator_tag: - '' -
215
disable_initiator_tag: - '' -
256
216
checker_callback_tag: - '' -
257
217
checker_command: string; External command which is run to check if
258
218
client lives. %() expansions are done at
259
219
runtime with vars(self) as dict, so that for
260
220
instance %(name)s can be used in the command.
261
221
current_checker_command: string; current running checker_command
262
approved_delay: datetime.timedelta(); Time to wait for approval
263
_approved: bool(); 'None' if not yet approved/disapproved
264
approved_duration: datetime.timedelta(); Duration of one approval
265
222
"""
266
267
@staticmethod
268
def _timedelta_to_milliseconds(td):
269
"Convert a datetime.timedelta() to milliseconds"
270
return ((td.days * 24 * 60 * 60 * 1000)
271
+ (td.seconds * 1000)
272
+ (td.microseconds // 1000))
273
274
223
def timeout_milliseconds(self):
275
224
"Return the 'timeout' attribute in milliseconds"
276
return self._timedelta_to_milliseconds(self.timeout)
225
return ((self.timeout.days * 24 * 60 * 60 * 1000)
226
+ (self.timeout.seconds * 1000)
227
+ (self.timeout.microseconds // 1000))
277
228
278
229
def interval_milliseconds(self):
279
230
"Return the 'interval' attribute in milliseconds"
280
return self._timedelta_to_milliseconds(self.interval)
281
282
def approved_delay_milliseconds(self):
283
return self._timedelta_to_milliseconds(self.approved_delay)
231
return ((self.interval.days * 24 * 60 * 60 * 1000)
232
+ (self.interval.seconds * 1000)
233
+ (self.interval.microseconds // 1000))
284
234
285
235
def __init__(self, name = None, disable_hook=None, config=None):
286
236
"""Note: the 'checker' key in 'config' sets the
293
243
# Uppercase and remove spaces from fingerprint for later
294
244
# comparison purposes with return value from the fingerprint()
295
245
# function
296
self.fingerprint = (config[u"fingerprint"].upper()
246
self.fingerprint = (config["fingerprint"].upper()
297
247
.replace(u" ", u""))
298
248
logger.debug(u" Fingerprint: %s", self.fingerprint)
299
if u"secret" in config:
300
self.secret = config[u"secret"].decode(u"base64")
301
elif u"secfile" in config:
302
with open(os.path.expanduser(os.path.expandvars
303
(config[u"secfile"])),
304
"rb") as secfile:
249
if "secret" in config:
250
self.secret = config["secret"].decode(u"base64")
251
elif "secfile" in config:
252
with closing(open(os.path.expanduser
253
(os.path.expandvars
254
(config["secfile"])))) as secfile:
305
255
self.secret = secfile.read()
306
256
else:
307
#XXX Need to allow secret on demand!
308
257
raise TypeError(u"No secret or secfile for client %s"
309
258
% self.name)
310
self.host = config.get(u"host", u"")
259
self.host = config.get("host", "")
311
260
self.created = datetime.datetime.utcnow()
312
261
self.enabled = False
313
262
self.last_enabled = None
314
263
self.last_checked_ok = None
315
self.timeout = string_to_delta(config[u"timeout"])
316
self.interval = string_to_delta(config[u"interval"])
264
self.timeout = string_to_delta(config["timeout"])
265
self.interval = string_to_delta(config["interval"])
317
266
self.disable_hook = disable_hook
318
267
self.checker = None
319
268
self.checker_initiator_tag = None
320
269
self.disable_initiator_tag = None
321
270
self.checker_callback_tag = None
322
self.checker_command = config[u"checker"]
271
self.checker_command = config["checker"]
323
272
self.current_checker_command = None
324
273
self.last_connect = None
325
self._approved = None
326
self.approved_by_default = config.get(u"approved_by_default",
327
True)
328
self.approvals_pending = 0
329
self.approved_delay = string_to_delta(
330
config[u"approved_delay"])
331
self.approved_duration = string_to_delta(
332
config[u"approved_duration"])
333
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
334
274
335
def send_changedstate(self):
336
self.changedstate.acquire()
337
self.changedstate.notify_all()
338
self.changedstate.release()
339
340
275
def enable(self):
341
276
"""Start this client's checker and timeout hooks"""
342
if getattr(self, u"enabled", False):
343
# Already enabled
344
return
345
self.send_changedstate()
346
277
self.last_enabled = datetime.datetime.utcnow()
347
278
# Schedule a new checker to be started an 'interval' from now,
348
279
# and every interval from then on.
349
280
self.checker_initiator_tag = (gobject.timeout_add
350
281
(self.interval_milliseconds(),
351
282
self.start_checker))
283
# Also start a new checker *right now*.
284
self.start_checker()
352
285
# Schedule a disable() when 'timeout' has passed
353
286
self.disable_initiator_tag = (gobject.timeout_add
354
287
(self.timeout_milliseconds(),
355
288
self.disable))
356
289
self.enabled = True
357
# Also start a new checker *right now*.
358
self.start_checker()
359
290
360
def disable(self, quiet=True):
291
def disable(self):
361
292
"""Disable this client."""
362
293
if not getattr(self, "enabled", False):
363
294
return False
364
if not quiet:
365
self.send_changedstate()
366
if not quiet:
367
logger.info(u"Disabling client %s", self.name)
368
if getattr(self, u"disable_initiator_tag", False):
295
logger.info(u"Disabling client %s", self.name)
296
if getattr(self, "disable_initiator_tag", False):
369
297
gobject.source_remove(self.disable_initiator_tag)
370
298
self.disable_initiator_tag = None
371
if getattr(self, u"checker_initiator_tag", False):
299
if getattr(self, "checker_initiator_tag", False):
372
300
gobject.source_remove(self.checker_initiator_tag)
373
301
self.checker_initiator_tag = None
374
302
self.stop_checker()
422
350
# client would inevitably timeout, since no checker would get
423
351
# a chance to run to completion. If we instead leave running
424
352
# checkers alone, the checker would have to take more time
425
# than 'timeout' for the client to be disabled, which is as it
426
# should be.
353
# than 'timeout' for the client to be declared invalid, which
354
# is as it should be.
427
355
428
356
# If a checker exists, make sure it is not a zombie
429
try:
357
if self.checker is not None:
430
358
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
431
except (AttributeError, OSError), error:
432
if (isinstance(error, OSError)
433
and error.errno != errno.ECHILD):
434
raise error
435
else:
436
359
if pid:
437
logger.warning(u"Checker was a zombie")
360
logger.warning("Checker was a zombie")
438
361
gobject.source_remove(self.checker_callback_tag)
439
362
self.checker_callback(pid, status,
440
363
self.current_checker_command)
445
368
command = self.checker_command % self.host
446
369
except TypeError:
447
370
# Escape attributes for the shell
448
escaped_attrs = dict((key,
449
re.escape(unicode(str(val),
450
errors=
451
u'replace')))
371
escaped_attrs = dict((key, re.escape(str(val)))
452
372
for key, val in
453
373
vars(self).iteritems())
454
374
try:
467
387
# always replaced by /dev/null.)
468
388
self.checker = subprocess.Popen(command,
469
389
close_fds=True,
470
shell=True, cwd=u"/")
390
shell=True, cwd="/")
471
391
self.checker_callback_tag = (gobject.child_watch_add
472
392
(self.checker.pid,
473
393
self.checker_callback,
489
409
if self.checker_callback_tag:
490
410
gobject.source_remove(self.checker_callback_tag)
491
411
self.checker_callback_tag = None
492
if getattr(self, u"checker", None) is None:
412
if getattr(self, "checker", None) is None:
493
413
return
494
414
logger.debug(u"Stopping checker for %(name)s", vars(self))
495
415
try:
496
416
os.kill(self.checker.pid, signal.SIGTERM)
497
#time.sleep(0.5)
417
#os.sleep(0.5)
498
418
#if self.checker.poll() is None:
499
419
# os.kill(self.checker.pid, signal.SIGKILL)
500
420
except OSError, error:
501
421
if error.errno != errno.ESRCH: # No such process
502
422
raise
503
423
self.checker = None
504
505
def dbus_service_property(dbus_interface, signature=u"v",
506
access=u"readwrite", byte_arrays=False):
507
"""Decorators for marking methods of a DBusObjectWithProperties to
508
become properties on the D-Bus.
509
510
The decorated method will be called with no arguments by "Get"
511
and with one argument by "Set".
512
513
The parameters, where they are supported, are the same as
514
dbus.service.method, except there is only "signature", since the
515
type from Get() and the type sent to Set() is the same.
516
"""
517
# Encoding deeply encoded byte arrays is not supported yet by the
518
# "Set" method, so we fail early here:
519
if byte_arrays and signature != u"ay":
520
raise ValueError(u"Byte arrays not supported for non-'ay'"
521
u" signature %r" % signature)
522
def decorator(func):
523
func._dbus_is_property = True
524
func._dbus_interface = dbus_interface
525
func._dbus_signature = signature
526
func._dbus_access = access
527
func._dbus_name = func.__name__
528
if func._dbus_name.endswith(u"_dbus_property"):
529
func._dbus_name = func._dbus_name[:-14]
530
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
531
return func
532
return decorator
533
534
535
class DBusPropertyException(dbus.exceptions.DBusException):
536
"""A base class for D-Bus property-related exceptions
537
"""
538
def __unicode__(self):
539
return unicode(str(self))
540
541
542
class DBusPropertyAccessException(DBusPropertyException):
543
"""A property's access permissions disallows an operation.
544
"""
545
pass
546
547
548
class DBusPropertyNotFound(DBusPropertyException):
549
"""An attempt was made to access a non-existing property.
550
"""
551
pass
552
553
554
class DBusObjectWithProperties(dbus.service.Object):
555
"""A D-Bus object with properties.
556
557
Classes inheriting from this can use the dbus_service_property
558
decorator to expose methods as D-Bus properties. It exposes the
559
standard Get(), Set(), and GetAll() methods on the D-Bus.
560
"""
561
562
@staticmethod
563
def _is_dbus_property(obj):
564
return getattr(obj, u"_dbus_is_property", False)
565
566
def _get_all_dbus_properties(self):
567
"""Returns a generator of (name, attribute) pairs
568
"""
569
return ((prop._dbus_name, prop)
570
for name, prop in
571
inspect.getmembers(self, self._is_dbus_property))
572
573
def _get_dbus_property(self, interface_name, property_name):
574
"""Returns a bound method if one exists which is a D-Bus
575
property with the specified name and interface.
576
"""
577
for name in (property_name,
578
property_name + u"_dbus_property"):
579
prop = getattr(self, name, None)
580
if (prop is None
581
or not self._is_dbus_property(prop)
582
or prop._dbus_name != property_name
583
or (interface_name and prop._dbus_interface
584
and interface_name != prop._dbus_interface)):
585
continue
586
return prop
587
# No such property
588
raise DBusPropertyNotFound(self.dbus_object_path + u":"
589
+ interface_name + u"."
590
+ property_name)
591
592
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
593
out_signature=u"v")
594
def Get(self, interface_name, property_name):
595
"""Standard D-Bus property Get() method, see D-Bus standard.
596
"""
597
prop = self._get_dbus_property(interface_name, property_name)
598
if prop._dbus_access == u"write":
599
raise DBusPropertyAccessException(property_name)
600
value = prop()
601
if not hasattr(value, u"variant_level"):
602
return value
603
return type(value)(value, variant_level=value.variant_level+1)
604
605
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
606
def Set(self, interface_name, property_name, value):
607
"""Standard D-Bus property Set() method, see D-Bus standard.
608
"""
609
prop = self._get_dbus_property(interface_name, property_name)
610
if prop._dbus_access == u"read":
611
raise DBusPropertyAccessException(property_name)
612
if prop._dbus_get_args_options[u"byte_arrays"]:
613
# The byte_arrays option is not supported yet on
614
# signatures other than "ay".
615
if prop._dbus_signature != u"ay":
616
raise ValueError
617
value = dbus.ByteArray(''.join(unichr(byte)
618
for byte in value))
619
prop(value)
620
621
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
622
out_signature=u"a{sv}")
623
def GetAll(self, interface_name):
624
"""Standard D-Bus property GetAll() method, see D-Bus
625
standard.
626
627
Note: Will not include properties with access="write".
628
"""
629
all = {}
630
for name, prop in self._get_all_dbus_properties():
631
if (interface_name
632
and interface_name != prop._dbus_interface):
633
# Interface non-empty but did not match
634
continue
635
# Ignore write-only properties
636
if prop._dbus_access == u"write":
637
continue
638
value = prop()
639
if not hasattr(value, u"variant_level"):
640
all[name] = value
641
continue
642
all[name] = type(value)(value, variant_level=
643
value.variant_level+1)
644
return dbus.Dictionary(all, signature=u"sv")
645
646
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
647
out_signature=u"s",
648
path_keyword='object_path',
649
connection_keyword='connection')
650
def Introspect(self, object_path, connection):
651
"""Standard D-Bus method, overloaded to insert property tags.
652
"""
653
xmlstring = dbus.service.Object.Introspect(self, object_path,
654
connection)
655
try:
656
document = xml.dom.minidom.parseString(xmlstring)
657
def make_tag(document, name, prop):
658
e = document.createElement(u"property")
659
e.setAttribute(u"name", name)
660
e.setAttribute(u"type", prop._dbus_signature)
661
e.setAttribute(u"access", prop._dbus_access)
662
return e
663
for if_tag in document.getElementsByTagName(u"interface"):
664
for tag in (make_tag(document, name, prop)
665
for name, prop
666
in self._get_all_dbus_properties()
667
if prop._dbus_interface
668
== if_tag.getAttribute(u"name")):
669
if_tag.appendChild(tag)
670
# Add the names to the return values for the
671
# "org.freedesktop.DBus.Properties" methods
672
if (if_tag.getAttribute(u"name")
673
== u"org.freedesktop.DBus.Properties"):
674
for cn in if_tag.getElementsByTagName(u"method"):
675
if cn.getAttribute(u"name") == u"Get":
676
for arg in cn.getElementsByTagName(u"arg"):
677
if (arg.getAttribute(u"direction")
678
== u"out"):
679
arg.setAttribute(u"name", u"value")
680
elif cn.getAttribute(u"name") == u"GetAll":
681
for arg in cn.getElementsByTagName(u"arg"):
682
if (arg.getAttribute(u"direction")
683
== u"out"):
684
arg.setAttribute(u"name", u"props")
685
xmlstring = document.toxml(u"utf-8")
686
document.unlink()
687
except (AttributeError, xml.dom.DOMException,
688
xml.parsers.expat.ExpatError), error:
689
logger.error(u"Failed to override Introspection method",
690
error)
691
return xmlstring
692
693
694
class ClientDBus(Client, DBusObjectWithProperties):
424
425
def still_valid(self):
426
"""Has the timeout not yet passed for this client?"""
427
if not getattr(self, "enabled", False):
428
return False
429
now = datetime.datetime.utcnow()
430
if self.last_checked_ok is None:
431
return now < (self.created + self.timeout)
432
else:
433
return now < (self.last_checked_ok + self.timeout)
434
435
436
class ClientDBus(Client, dbus.service.Object):
695
437
"""A Client class using D-Bus
696
438
697
439
Attributes:
698
dbus_object_path: dbus.ObjectPath
699
bus: dbus.SystemBus()
440
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
700
441
"""
701
442
# dbus.service.Object doesn't use super(), so we can't either.
702
443
703
def __init__(self, bus = None, *args, **kwargs):
704
self._approvals_pending = 0
705
self.bus = bus
444
def __init__(self, *args, **kwargs):
706
445
Client.__init__(self, *args, **kwargs)
707
446
# Only now, when this client is initialized, can it show up on
708
447
# the D-Bus
709
448
self.dbus_object_path = (dbus.ObjectPath
710
(u"/clients/"
711
+ self.name.replace(u".", u"_")))
712
DBusObjectWithProperties.__init__(self, self.bus,
713
self.dbus_object_path)
714
715
#Could possible return a bool(self._approvals_pending),
716
#but this could mess up approvals_pending += 1 XXX
717
def _get_approvals_pending(self):
718
return self._approvals_pending
719
def _set_approvals_pending(self, value):
720
old_value = self._approvals_pending
721
self._approvals_pending = value
722
bval = bool(value)
723
if (hasattr(self, "dbus_object_path")
724
and bval is not bool(old_value)):
725
dbus_bool = dbus.Boolean(bval, variant_level=1)
726
self.PropertyChanged(dbus.String(u"approved_pending"),
727
dbus_bool)
728
729
approvals_pending = property(_get_approvals_pending,
730
_set_approvals_pending)
731
del _get_approvals_pending, _set_approvals_pending
732
733
@staticmethod
734
def _datetime_to_dbus(dt, variant_level=0):
735
"""Convert a UTC datetime.datetime() to a D-Bus type."""
736
return dbus.String(dt.isoformat(),
737
variant_level=variant_level)
738
449
("/clients/"
450
+ self.name.replace(".", "_")))
451
dbus.service.Object.__init__(self, bus,
452
self.dbus_object_path)
739
453
def enable(self):
740
oldstate = getattr(self, u"enabled", False)
454
oldstate = getattr(self, "enabled", False)
741
455
r = Client.enable(self)
742
456
if oldstate != self.enabled:
743
457
# Emit D-Bus signals
744
458
self.PropertyChanged(dbus.String(u"enabled"),
745
459
dbus.Boolean(True, variant_level=1))
746
self.PropertyChanged(
747
dbus.String(u"last_enabled"),
748
self._datetime_to_dbus(self.last_enabled,
749
variant_level=1))
460
self.PropertyChanged(dbus.String(u"last_enabled"),
461
(_datetime_to_dbus(self.last_enabled,
462
variant_level=1)))
750
463
return r
751
464
752
def disable(self, quiet = False):
753
oldstate = getattr(self, u"enabled", False)
754
r = Client.disable(self, quiet=quiet)
755
if not quiet and oldstate != self.enabled:
465
def disable(self, signal = True):
466
oldstate = getattr(self, "enabled", False)
467
r = Client.disable(self)
468
if signal and oldstate != self.enabled:
756
469
# Emit D-Bus signal
757
470
self.PropertyChanged(dbus.String(u"enabled"),
758
471
dbus.Boolean(False, variant_level=1))
763
476
self.remove_from_connection()
764
477
except LookupError:
765
478
pass
766
if hasattr(DBusObjectWithProperties, u"__del__"):
767
DBusObjectWithProperties.__del__(self, *args, **kwargs)
479
if hasattr(dbus.service.Object, "__del__"):
480
dbus.service.Object.__del__(self, *args, **kwargs)
768
481
Client.__del__(self, *args, **kwargs)
769
482
770
483
def checker_callback(self, pid, condition, command,
794
507
# Emit D-Bus signal
795
508
self.PropertyChanged(
796
509
dbus.String(u"last_checked_ok"),
797
(self._datetime_to_dbus(self.last_checked_ok,
798
variant_level=1)))
510
(_datetime_to_dbus(self.last_checked_ok,
511
variant_level=1)))
799
512
return r
800
513
801
514
def start_checker(self, *args, **kwargs):
811
524
# Emit D-Bus signal
812
525
self.CheckerStarted(self.current_checker_command)
813
526
self.PropertyChanged(
814
dbus.String(u"checker_running"),
527
dbus.String("checker_running"),
815
528
dbus.Boolean(True, variant_level=1))
816
529
return r
817
530
818
531
def stop_checker(self, *args, **kwargs):
819
old_checker = getattr(self, u"checker", None)
532
old_checker = getattr(self, "checker", None)
820
533
r = Client.stop_checker(self, *args, **kwargs)
821
534
if (old_checker is not None
822
and getattr(self, u"checker", None) is None):
535
and getattr(self, "checker", None) is None):
823
536
self.PropertyChanged(dbus.String(u"checker_running"),
824
537
dbus.Boolean(False, variant_level=1))
825
538
return r
826
827
def _reset_approved(self):
828
self._approved = None
829
return False
830
831
def approve(self, value=True):
832
self.send_changedstate()
833
self._approved = value
834
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
835
self._reset_approved)
836
837
838
## D-Bus methods, signals & properties
539
540
## D-Bus methods & signals
839
541
_interface = u"se.bsnet.fukt.Mandos.Client"
840
542
841
## Signals
543
# CheckedOK - method
544
CheckedOK = dbus.service.method(_interface)(checked_ok)
545
CheckedOK.__name__ = "CheckedOK"
842
546
843
547
# CheckerCompleted - signal
844
@dbus.service.signal(_interface, signature=u"nxs")
548
@dbus.service.signal(_interface, signature="nxs")
845
549
def CheckerCompleted(self, exitcode, waitstatus, command):
846
550
"D-Bus signal"
847
551
pass
848
552
849
553
# CheckerStarted - signal
850
@dbus.service.signal(_interface, signature=u"s")
554
@dbus.service.signal(_interface, signature="s")
851
555
def CheckerStarted(self, command):
852
556
"D-Bus signal"
853
557
pass
854
558
559
# GetAllProperties - method
560
@dbus.service.method(_interface, out_signature="a{sv}")
561
def GetAllProperties(self):
562
"D-Bus method"
563
return dbus.Dictionary({
564
dbus.String("name"):
565
dbus.String(self.name, variant_level=1),
566
dbus.String("fingerprint"):
567
dbus.String(self.fingerprint, variant_level=1),
568
dbus.String("host"):
569
dbus.String(self.host, variant_level=1),
570
dbus.String("created"):
571
_datetime_to_dbus(self.created, variant_level=1),
572
dbus.String("last_enabled"):
573
(_datetime_to_dbus(self.last_enabled,
574
variant_level=1)
575
if self.last_enabled is not None
576
else dbus.Boolean(False, variant_level=1)),
577
dbus.String("enabled"):
578
dbus.Boolean(self.enabled, variant_level=1),
579
dbus.String("last_checked_ok"):
580
(_datetime_to_dbus(self.last_checked_ok,
581
variant_level=1)
582
if self.last_checked_ok is not None
583
else dbus.Boolean (False, variant_level=1)),
584
dbus.String("timeout"):
585
dbus.UInt64(self.timeout_milliseconds(),
586
variant_level=1),
587
dbus.String("interval"):
588
dbus.UInt64(self.interval_milliseconds(),
589
variant_level=1),
590
dbus.String("checker"):
591
dbus.String(self.checker_command,
592
variant_level=1),
593
dbus.String("checker_running"):
594
dbus.Boolean(self.checker is not None,
595
variant_level=1),
596
dbus.String("object_path"):
597
dbus.ObjectPath(self.dbus_object_path,
598
variant_level=1)
599
}, signature="sv")
600
601
# IsStillValid - method
602
@dbus.service.method(_interface, out_signature="b")
603
def IsStillValid(self):
604
return self.still_valid()
605
855
606
# PropertyChanged - signal
856
@dbus.service.signal(_interface, signature=u"sv")
607
@dbus.service.signal(_interface, signature="sv")
857
608
def PropertyChanged(self, property, value):
858
609
"D-Bus signal"
859
610
pass
860
611
861
# GotSecret - signal
862
# XXXTEDDY Is sent after succesfull transfer of secret from mandos-server to mandos-client
612
# ReceivedSecret - signal
863
613
@dbus.service.signal(_interface)
864
def GotSecret(self):
614
def ReceivedSecret(self):
865
615
"D-Bus signal"
866
616
pass
867
617
868
618
# Rejected - signal
869
@dbus.service.signal(_interface, signature=u"s")
870
def Rejected(self, reason):
871
"D-Bus signal"
872
pass
873
874
# NeedApproval - signal
875
@dbus.service.signal(_interface, signature=u"db")
876
def NeedApproval(self, timeout, default):
877
"D-Bus signal"
878
pass
879
880
## Methods
881
882
# Approve - method
883
@dbus.service.method(_interface, in_signature=u"b")
884
def Approve(self, value):
885
self.approve(value)
886
887
# CheckedOK - method
888
@dbus.service.method(_interface)
889
def CheckedOK(self):
890
return self.checked_ok()
619
@dbus.service.signal(_interface)
620
def Rejected(self):
621
"D-Bus signal"
622
pass
623
624
# SetChecker - method
625
@dbus.service.method(_interface, in_signature="s")
626
def SetChecker(self, checker):
627
"D-Bus setter method"
628
self.checker_command = checker
629
# Emit D-Bus signal
630
self.PropertyChanged(dbus.String(u"checker"),
631
dbus.String(self.checker_command,
632
variant_level=1))
633
634
# SetHost - method
635
@dbus.service.method(_interface, in_signature="s")
636
def SetHost(self, host):
637
"D-Bus setter method"
638
self.host = host
639
# Emit D-Bus signal
640
self.PropertyChanged(dbus.String(u"host"),
641
dbus.String(self.host, variant_level=1))
642
643
# SetInterval - method
644
@dbus.service.method(_interface, in_signature="t")
645
def SetInterval(self, milliseconds):
646
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
647
# Emit D-Bus signal
648
self.PropertyChanged(dbus.String(u"interval"),
649
(dbus.UInt64(self.interval_milliseconds(),
650
variant_level=1)))
651
652
# SetSecret - method
653
@dbus.service.method(_interface, in_signature="ay",
654
byte_arrays=True)
655
def SetSecret(self, secret):
656
"D-Bus setter method"
657
self.secret = str(secret)
658
659
# SetTimeout - method
660
@dbus.service.method(_interface, in_signature="t")
661
def SetTimeout(self, milliseconds):
662
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
663
# Emit D-Bus signal
664
self.PropertyChanged(dbus.String(u"timeout"),
665
(dbus.UInt64(self.timeout_milliseconds(),
666
variant_level=1)))
891
667
892
668
# Enable - method
893
@dbus.service.method(_interface)
894
def Enable(self):
895
"D-Bus method"
896
self.enable()
669
Enable = dbus.service.method(_interface)(enable)
670
Enable.__name__ = "Enable"
897
671
898
672
# StartChecker - method
899
673
@dbus.service.method(_interface)
908
682
self.disable()
909
683
910
684
# StopChecker - method
911
@dbus.service.method(_interface)
912
def StopChecker(self):
913
self.stop_checker()
914
915
## Properties
916
917
# approved_pending - property
918
@dbus_service_property(_interface, signature=u"b", access=u"read")
919
def approved_pending_dbus_property(self):
920
return dbus.Boolean(bool(self.approvals_pending))
921
922
# approved_by_default - property
923
@dbus_service_property(_interface, signature=u"b",
924
access=u"readwrite")
925
def approved_by_default_dbus_property(self):
926
return dbus.Boolean(self.approved_by_default)
927
928
# approved_delay - property
929
@dbus_service_property(_interface, signature=u"t",
930
access=u"readwrite")
931
def approved_delay_dbus_property(self):
932
return dbus.UInt64(self.approved_delay_milliseconds())
933
934
# approved_duration - property
935
@dbus_service_property(_interface, signature=u"t",
936
access=u"readwrite")
937
def approved_duration_dbus_property(self):
938
return dbus.UInt64(self._timedelta_to_milliseconds(
939
self.approved_duration))
940
941
# name - property
942
@dbus_service_property(_interface, signature=u"s", access=u"read")
943
def name_dbus_property(self):
944
return dbus.String(self.name)
945
946
# fingerprint - property
947
@dbus_service_property(_interface, signature=u"s", access=u"read")
948
def fingerprint_dbus_property(self):
949
return dbus.String(self.fingerprint)
950
951
# host - property
952
@dbus_service_property(_interface, signature=u"s",
953
access=u"readwrite")
954
def host_dbus_property(self, value=None):
955
if value is None: # get
956
return dbus.String(self.host)
957
self.host = value
958
# Emit D-Bus signal
959
self.PropertyChanged(dbus.String(u"host"),
960
dbus.String(value, variant_level=1))
961
962
# created - property
963
@dbus_service_property(_interface, signature=u"s", access=u"read")
964
def created_dbus_property(self):
965
return dbus.String(self._datetime_to_dbus(self.created))
966
967
# last_enabled - property
968
@dbus_service_property(_interface, signature=u"s", access=u"read")
969
def last_enabled_dbus_property(self):
970
if self.last_enabled is None:
971
return dbus.String(u"")
972
return dbus.String(self._datetime_to_dbus(self.last_enabled))
973
974
# enabled - property
975
@dbus_service_property(_interface, signature=u"b",
976
access=u"readwrite")
977
def enabled_dbus_property(self, value=None):
978
if value is None: # get
979
return dbus.Boolean(self.enabled)
980
if value:
981
self.enable()
982
else:
983
self.disable()
984
985
# last_checked_ok - property
986
@dbus_service_property(_interface, signature=u"s",
987
access=u"readwrite")
988
def last_checked_ok_dbus_property(self, value=None):
989
if value is not None:
990
self.checked_ok()
991
return
992
if self.last_checked_ok is None:
993
return dbus.String(u"")
994
return dbus.String(self._datetime_to_dbus(self
995
.last_checked_ok))
996
997
# timeout - property
998
@dbus_service_property(_interface, signature=u"t",
999
access=u"readwrite")
1000
def timeout_dbus_property(self, value=None):
1001
if value is None: # get
1002
return dbus.UInt64(self.timeout_milliseconds())
1003
self.timeout = datetime.timedelta(0, 0, 0, value)
1004
# Emit D-Bus signal
1005
self.PropertyChanged(dbus.String(u"timeout"),
1006
dbus.UInt64(value, variant_level=1))
1007
if getattr(self, u"disable_initiator_tag", None) is None:
1008
return
1009
# Reschedule timeout
1010
gobject.source_remove(self.disable_initiator_tag)
1011
self.disable_initiator_tag = None
1012
time_to_die = (self.
1013
_timedelta_to_milliseconds((self
1014
.last_checked_ok
1015
+ self.timeout)
1016
- datetime.datetime
1017
.utcnow()))
1018
if time_to_die <= 0:
1019
# The timeout has passed
1020
self.disable()
1021
else:
1022
self.disable_initiator_tag = (gobject.timeout_add
1023
(time_to_die, self.disable))
1024
1025
# interval - property
1026
@dbus_service_property(_interface, signature=u"t",
1027
access=u"readwrite")
1028
def interval_dbus_property(self, value=None):
1029
if value is None: # get
1030
return dbus.UInt64(self.interval_milliseconds())
1031
self.interval = datetime.timedelta(0, 0, 0, value)
1032
# Emit D-Bus signal
1033
self.PropertyChanged(dbus.String(u"interval"),
1034
dbus.UInt64(value, variant_level=1))
1035
if getattr(self, u"checker_initiator_tag", None) is None:
1036
return
1037
# Reschedule checker run
1038
gobject.source_remove(self.checker_initiator_tag)
1039
self.checker_initiator_tag = (gobject.timeout_add
1040
(value, self.start_checker))
1041
self.start_checker() # Start one now, too
1042
1043
# checker - property
1044
@dbus_service_property(_interface, signature=u"s",
1045
access=u"readwrite")
1046
def checker_dbus_property(self, value=None):
1047
if value is None: # get
1048
return dbus.String(self.checker_command)
1049
self.checker_command = value
1050
# Emit D-Bus signal
1051
self.PropertyChanged(dbus.String(u"checker"),
1052
dbus.String(self.checker_command,
1053
variant_level=1))
1054
1055
# checker_running - property
1056
@dbus_service_property(_interface, signature=u"b",
1057
access=u"readwrite")
1058
def checker_running_dbus_property(self, value=None):
1059
if value is None: # get
1060
return dbus.Boolean(self.checker is not None)
1061
if value:
1062
self.start_checker()
1063
else:
1064
self.stop_checker()
1065
1066
# object_path - property
1067
@dbus_service_property(_interface, signature=u"o", access=u"read")
1068
def object_path_dbus_property(self):
1069
return self.dbus_object_path # is already a dbus.ObjectPath
1070
1071
# secret = property
1072
@dbus_service_property(_interface, signature=u"ay",
1073
access=u"write", byte_arrays=True)
1074
def secret_dbus_property(self, value):
1075
self.secret = str(value)
685
StopChecker = dbus.service.method(_interface)(stop_checker)
686
StopChecker.__name__ = "StopChecker"
1076
687
1077
688
del _interface
1078
689
1079
690
1080
class ProxyClient(object):
1081
def __init__(self, child_pipe, fpr, address):
1082
self._pipe = child_pipe
1083
self._pipe.send(('init', fpr, address))
1084
if not self._pipe.recv():
1085
raise KeyError()
1086
1087
def __getattribute__(self, name):
1088
if(name == '_pipe'):
1089
return super(ProxyClient, self).__getattribute__(name)
1090
self._pipe.send(('getattr', name))
1091
data = self._pipe.recv()
1092
if data[0] == 'data':
1093
return data[1]
1094
if data[0] == 'function':
1095
def func(*args, **kwargs):
1096
self._pipe.send(('funcall', name, args, kwargs))
1097
return self._pipe.recv()[1]
1098
return func
1099
1100
def __setattr__(self, name, value):
1101
if(name == '_pipe'):
1102
return super(ProxyClient, self).__setattr__(name, value)
1103
self._pipe.send(('setattr', name, value))
1104
1105
1106
class ClientHandler(socketserver.BaseRequestHandler, object):
691
class ClientHandler(SocketServer.BaseRequestHandler, object):
1107
692
"""A class to handle client connections.
1108
693
1109
694
Instantiated once for each connection to handle it.
1110
695
Note: This will run in its own forked process."""
1111
696
1112
697
def handle(self):
1113
with contextlib.closing(self.server.child_pipe) as child_pipe:
1114
logger.info(u"TCP connection from: %s",
1115
unicode(self.client_address))
1116
logger.debug(u"Pipe FD: %d",
1117
self.server.child_pipe.fileno())
1118
698
logger.info(u"TCP connection from: %s",
699
unicode(self.client_address))
700
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
701
# Open IPC pipe to parent process
702
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
1119
703
session = (gnutls.connection
1120
704
.ClientSession(self.request,
1121
705
gnutls.connection
1122
706
.X509Credentials()))
1123
707
708
line = self.request.makefile().readline()
709
logger.debug(u"Protocol version: %r", line)
710
try:
711
if int(line.strip().split()[0]) > 1:
712
raise RuntimeError
713
except (ValueError, IndexError, RuntimeError), error:
714
logger.error(u"Unknown protocol version: %s", error)
715
return
716
1124
717
# Note: gnutls.connection.X509Credentials is really a
1125
718
# generic GnuTLS certificate credentials object so long as
1126
719
# no X.509 keys are added to it. Therefore, we can use it
1127
720
# here despite using OpenPGP certificates.
1128
1129
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1130
# u"+AES-256-CBC", u"+SHA1",
1131
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1132
# u"+DHE-DSS"))
721
722
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
723
# "+AES-256-CBC", "+SHA1",
724
# "+COMP-NULL", "+CTYPE-OPENPGP",
725
# "+DHE-DSS"))
1133
726
# Use a fallback default, since this MUST be set.
1134
727
priority = self.server.gnutls_priority
1135
728
if priority is None:
1136
priority = u"NORMAL"
729
priority = "NORMAL"
1137
730
(gnutls.library.functions
1138
731
.gnutls_priority_set_direct(session._c_object,
1139
732
priority, None))
1140
1141
# Start communication using the Mandos protocol
1142
# Get protocol number
1143
line = self.request.makefile().readline()
1144
logger.debug(u"Protocol version: %r", line)
1145
try:
1146
if int(line.strip().split()[0]) > 1:
1147
raise RuntimeError
1148
except (ValueError, IndexError, RuntimeError), error:
1149
logger.error(u"Unknown protocol version: %s", error)
1150
return
1151
1152
# Start GnuTLS connection
733
1153
734
try:
1154
735
session.handshake()
1155
736
except gnutls.errors.GNUTLSError, error:
1158
739
# established. Just abandon the request.
1159
740
return
1160
741
logger.debug(u"Handshake succeeded")
1161
1162
approval_required = False
1163
742
try:
1164
try:
1165
fpr = self.fingerprint(self.peer_certificate
1166
(session))
1167
except (TypeError, gnutls.errors.GNUTLSError), error:
1168
logger.warning(u"Bad certificate: %s", error)
1169
return
1170
logger.debug(u"Fingerprint: %s", fpr)
1171
1172
try:
1173
client = ProxyClient(child_pipe, fpr,
1174
self.client_address)
1175
except KeyError:
1176
return
1177
1178
if client.approved_delay:
1179
delay = client.approved_delay
1180
client.approvals_pending += 1
1181
approval_required = True
1182
1183
while True:
1184
if not client.enabled:
1185
logger.warning(u"Client %s is disabled",
1186
client.name)
1187
if self.server.use_dbus:
1188
# Emit D-Bus signal
1189
client.Rejected("Disabled")
1190
return
1191
1192
if client._approved or not client.approved_delay:
1193
#We are approved or approval is disabled
1194
break
1195
elif client._approved is None:
1196
logger.info(u"Client %s need approval",
1197
client.name)
1198
if self.server.use_dbus:
1199
# Emit D-Bus signal
1200
client.NeedApproval(
1201
client.approved_delay_milliseconds(),
1202
client.approved_by_default)
1203
else:
1204
logger.warning(u"Client %s was not approved",
1205
client.name)
1206
if self.server.use_dbus:
1207
# Emit D-Bus signal
1208
client.Rejected("Disapproved")
1209
return
1210
1211
#wait until timeout or approved
1212
#x = float(client._timedelta_to_milliseconds(delay))
1213
time = datetime.datetime.now()
1214
client.changedstate.acquire()
1215
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1216
client.changedstate.release()
1217
time2 = datetime.datetime.now()
1218
if (time2 - time) >= delay:
1219
if not client.approved_by_default:
1220
logger.warning("Client %s timed out while"
1221
" waiting for approval",
1222
client.name)
1223
if self.server.use_dbus:
1224
# Emit D-Bus signal
1225
client.Rejected("Time out")
1226
return
1227
else:
1228
break
1229
else:
1230
delay -= time2 - time
1231
1232
sent_size = 0
1233
while sent_size < len(client.secret):
1234
# XXX handle session exception
1235
sent = session.send(client.secret[sent_size:])
1236
logger.debug(u"Sent: %d, remaining: %d",
1237
sent, len(client.secret)
1238
- (sent_size + sent))
1239
sent_size += sent
1240
1241
logger.info(u"Sending secret to %s", client.name)
1242
# bump the timeout as if seen
1243
client.checked_ok()
1244
if self.server.use_dbus:
1245
# Emit D-Bus signal
1246
client.GotSecret()
743
fpr = self.fingerprint(self.peer_certificate(session))
744
except (TypeError, gnutls.errors.GNUTLSError), error:
745
logger.warning(u"Bad certificate: %s", error)
746
session.bye()
747
return
748
logger.debug(u"Fingerprint: %s", fpr)
1247
749
1248
finally:
1249
if approval_required:
1250
client.approvals_pending -= 1
1251
session.bye()
750
for c in self.server.clients:
751
if c.fingerprint == fpr:
752
client = c
753
break
754
else:
755
ipc.write("NOTFOUND %s\n" % fpr)
756
session.bye()
757
return
758
# Have to check if client.still_valid(), since it is
759
# possible that the client timed out while establishing
760
# the GnuTLS session.
761
if not client.still_valid():
762
ipc.write("INVALID %s\n" % client.name)
763
session.bye()
764
return
765
ipc.write("SENDING %s\n" % client.name)
766
sent_size = 0
767
while sent_size < len(client.secret):
768
sent = session.send(client.secret[sent_size:])
769
logger.debug(u"Sent: %d, remaining: %d",
770
sent, len(client.secret)
771
- (sent_size + sent))
772
sent_size += sent
773
session.bye()
1252
774
1253
775
@staticmethod
1254
776
def peer_certificate(session):
1264
786
.gnutls_certificate_get_peers
1265
787
(session._c_object, ctypes.byref(list_size)))
1266
788
if not bool(cert_list) and list_size.value != 0:
1267
raise gnutls.errors.GNUTLSError(u"error getting peer"
1268
u" certificate")
789
raise gnutls.errors.GNUTLSError("error getting peer"
790
" certificate")
1269
791
if list_size.value == 0:
1270
792
return None
1271
793
cert = cert_list[0]
1297
819
if crtverify.value != 0:
1298
820
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1299
821
raise (gnutls.errors.CertificateSecurityError
1300
(u"Verify failed"))
822
("Verify failed"))
1301
823
# New buffer for the fingerprint
1302
824
buf = ctypes.create_string_buffer(20)
1303
825
buf_len = ctypes.c_size_t()
1314
836
return hex_fpr
1315
837
1316
838
1317
class MultiprocessingMixIn(object):
1318
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1319
def sub_process_main(self, request, address):
1320
try:
1321
self.finish_request(request, address)
1322
except:
1323
self.handle_error(request, address)
1324
self.close_request(request)
1325
1326
def process_request(self, request, address):
1327
"""Start a new process to process the request."""
1328
multiprocessing.Process(target = self.sub_process_main,
1329
args = (request, address)).start()
1330
1331
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1332
""" adds a pipe to the MixIn """
839
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
840
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
841
842
Assumes a gobject.MainLoop event loop.
843
"""
1333
844
def process_request(self, request, client_address):
1334
845
"""Overrides and wraps the original process_request().
1335
846
1336
This function creates a new pipe in self.pipe
847
This function creates a new pipe in self.pipe
1337
848
"""
1338
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1339
1340
super(MultiprocessingMixInWithPipe,
849
self.pipe = os.pipe()
850
super(ForkingMixInWithPipe,
1341
851
self).process_request(request, client_address)
1342
self.child_pipe.close()
1343
self.add_pipe(parent_pipe)
1344
1345
def add_pipe(self, parent_pipe):
852
os.close(self.pipe[1]) # close write end
853
# Call "handle_ipc" for both data and EOF events
854
gobject.io_add_watch(self.pipe[0],
855
gobject.IO_IN | gobject.IO_HUP,
856
self.handle_ipc)
857
def handle_ipc(source, condition):
1346
858
"""Dummy function; override as necessary"""
1347
pass
1348
1349
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1350
socketserver.TCPServer, object):
859
os.close(source)
860
return False
861
862
863
class IPv6_TCPServer(ForkingMixInWithPipe,
864
SocketServer.TCPServer, object):
1351
865
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1352
866
1353
867
Attributes:
1354
868
enabled: Boolean; whether this server is activated yet
1355
869
interface: None or a network interface name (string)
1356
870
use_ipv6: Boolean; to use IPv6 or not
871
----
872
clients: Set() of Client objects
873
gnutls_priority GnuTLS priority string
874
use_dbus: Boolean; to emit D-Bus signals or not
1357
875
"""
1358
876
def __init__(self, server_address, RequestHandlerClass,
1359
interface=None, use_ipv6=True):
877
interface=None, use_ipv6=True, clients=None,
878
gnutls_priority=None, use_dbus=True):
879
self.enabled = False
1360
880
self.interface = interface
1361
881
if use_ipv6:
1362
882
self.address_family = socket.AF_INET6
1363
socketserver.TCPServer.__init__(self, server_address,
883
self.clients = clients
884
self.use_dbus = use_dbus
885
self.gnutls_priority = gnutls_priority
886
SocketServer.TCPServer.__init__(self, server_address,
1364
887
RequestHandlerClass)
1365
888
def server_bind(self):
1366
889
"""This overrides the normal server_bind() function
1367
890
to bind to an interface if one was specified, and also NOT to
1368
891
bind to an address or port if they were not specified."""
1369
892
if self.interface is not None:
1370
if SO_BINDTODEVICE is None:
1371
logger.error(u"SO_BINDTODEVICE does not exist;"
1372
u" cannot bind to interface %s",
1373
self.interface)
1374
else:
1375
try:
1376
self.socket.setsockopt(socket.SOL_SOCKET,
1377
SO_BINDTODEVICE,
1378
str(self.interface
1379
+ u'\0'))
1380
except socket.error, error:
1381
if error[0] == errno.EPERM:
1382
logger.error(u"No permission to"
1383
u" bind to interface %s",
1384
self.interface)
1385
elif error[0] == errno.ENOPROTOOPT:
1386
logger.error(u"SO_BINDTODEVICE not available;"
1387
u" cannot bind to interface %s",
1388
self.interface)
1389
else:
1390
raise
893
try:
894
self.socket.setsockopt(socket.SOL_SOCKET,
895
SO_BINDTODEVICE,
896
self.interface + '\0')
897
except socket.error, error:
898
if error[0] == errno.EPERM:
899
logger.error(u"No permission to"
900
u" bind to interface %s",
901
self.interface)
902
else:
903
raise
1391
904
# Only bind(2) the socket if we really need to.
1392
905
if self.server_address[0] or self.server_address[1]:
1393
906
if not self.server_address[0]:
1394
907
if self.address_family == socket.AF_INET6:
1395
any_address = u"::" # in6addr_any
908
any_address = "::" # in6addr_any
1396
909
else:
1397
910
any_address = socket.INADDR_ANY
1398
911
self.server_address = (any_address,
1406
919
# 0, # flowinfo
1407
920
# if_nametoindex
1408
921
# (self.interface))
1409
return socketserver.TCPServer.server_bind(self)
1410
1411
1412
class MandosServer(IPv6_TCPServer):
1413
"""Mandos server.
1414
1415
Attributes:
1416
clients: set of Client objects
1417
gnutls_priority GnuTLS priority string
1418
use_dbus: Boolean; to emit D-Bus signals or not
1419
1420
Assumes a gobject.MainLoop event loop.
1421
"""
1422
def __init__(self, server_address, RequestHandlerClass,
1423
interface=None, use_ipv6=True, clients=None,
1424
gnutls_priority=None, use_dbus=True):
1425
self.enabled = False
1426
self.clients = clients
1427
if self.clients is None:
1428
self.clients = set()
1429
self.use_dbus = use_dbus
1430
self.gnutls_priority = gnutls_priority
1431
IPv6_TCPServer.__init__(self, server_address,
1432
RequestHandlerClass,
1433
interface = interface,
1434
use_ipv6 = use_ipv6)
922
return SocketServer.TCPServer.server_bind(self)
1435
923
def server_activate(self):
1436
924
if self.enabled:
1437
return socketserver.TCPServer.server_activate(self)
925
return SocketServer.TCPServer.server_activate(self)
1438
926
def enable(self):
1439
927
self.enabled = True
1440
def add_pipe(self, parent_pipe):
1441
# Call "handle_ipc" for both data and EOF events
1442
gobject.io_add_watch(parent_pipe.fileno(),
1443
gobject.IO_IN | gobject.IO_HUP,
1444
functools.partial(self.handle_ipc,
1445
parent_pipe = parent_pipe))
1446
1447
def handle_ipc(self, source, condition, parent_pipe=None,
1448
client_object=None):
928
def handle_ipc(self, source, condition, file_objects={}):
1449
929
condition_names = {
1450
gobject.IO_IN: u"IN", # There is data to read.
1451
gobject.IO_OUT: u"OUT", # Data can be written (without
1452
# blocking).
1453
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1454
gobject.IO_ERR: u"ERR", # Error condition.
1455
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1456
# broken, usually for pipes and
1457
# sockets).
930
gobject.IO_IN: "IN", # There is data to read.
931
gobject.IO_OUT: "OUT", # Data can be written (without
932
# blocking).
933
gobject.IO_PRI: "PRI", # There is urgent data to read.
934
gobject.IO_ERR: "ERR", # Error condition.
935
gobject.IO_HUP: "HUP" # Hung up (the connection has been
936
# broken, usually for pipes and
937
# sockets).
1458
938
}
1459
939
conditions_string = ' | '.join(name
1460
940
for cond, name in
1461
941
condition_names.iteritems()
1462
942
if cond & condition)
1463
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
943
logger.debug("Handling IPC: FD = %d, condition = %s", source,
1464
944
conditions_string)
1465
1466
# XXXTEDDY error or the other end of multiprocessing.Pipe has closed
1467
if condition & gobject.IO_HUP or condition & gobject.IO_ERR:
1468
return False
1469
1470
# Read a request from the child
1471
request = parent_pipe.recv()
1472
logger.debug(u"IPC request: %s", repr(request))
1473
command = request[0]
1474
1475
if command == 'init':
1476
fpr = request[1]
1477
address = request[2]
1478
1479
for c in self.clients:
1480
if c.fingerprint == fpr:
1481
client = c
1482
break
1483
else:
1484
logger.warning(u"Client not found for fingerprint: %s, ad"
1485
u"dress: %s", fpr, address)
1486
if self.use_dbus:
1487
# Emit D-Bus signal
1488
mandos_dbus_service.ClientNotFound(fpr, address)
1489
parent_pipe.send(False)
1490
return False
1491
1492
gobject.io_add_watch(parent_pipe.fileno(),
1493
gobject.IO_IN | gobject.IO_HUP,
1494
functools.partial(self.handle_ipc,
1495
parent_pipe = parent_pipe,
1496
client_object = client))
1497
parent_pipe.send(True)
1498
# remove the old hook in favor of the new above hook on same fileno
1499
return False
1500
if command == 'funcall':
1501
funcname = request[1]
1502
args = request[2]
1503
kwargs = request[3]
1504
1505
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1506
1507
if command == 'getattr':
1508
attrname = request[1]
1509
if callable(client_object.__getattribute__(attrname)):
1510
parent_pipe.send(('function',))
1511
else:
1512
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1513
1514
if command == 'setattr':
1515
attrname = request[1]
1516
value = request[2]
1517
setattr(client_object, attrname, value)
1518
945
946
# Turn the pipe file descriptor into a Python file object
947
if source not in file_objects:
948
file_objects[source] = os.fdopen(source, "r", 1)
949
950
# Read a line from the file object
951
cmdline = file_objects[source].readline()
952
if not cmdline: # Empty line means end of file
953
# close the IPC pipe
954
file_objects[source].close()
955
del file_objects[source]
956
957
# Stop calling this function
958
return False
959
960
logger.debug("IPC command: %r", cmdline)
961
962
# Parse and act on command
963
cmd, args = cmdline.rstrip("\r\n").split(None, 1)
964
965
if cmd == "NOTFOUND":
966
logger.warning(u"Client not found for fingerprint: %s",
967
args)
968
if self.use_dbus:
969
# Emit D-Bus signal
970
mandos_dbus_service.ClientNotFound(args)
971
elif cmd == "INVALID":
972
for client in self.clients:
973
if client.name == args:
974
logger.warning(u"Client %s is invalid", args)
975
if self.use_dbus:
976
# Emit D-Bus signal
977
client.Rejected()
978
break
979
else:
980
logger.error(u"Unknown client %s is invalid", args)
981
elif cmd == "SENDING":
982
for client in self.clients:
983
if client.name == args:
984
logger.info(u"Sending secret to %s", client.name)
985
client.checked_ok()
986
if self.use_dbus:
987
# Emit D-Bus signal
988
client.ReceivedSecret()
989
break
990
else:
991
logger.error(u"Sending secret to unknown client %s",
992
args)
993
else:
994
logger.error("Unknown IPC command: %r", cmdline)
995
996
# Keep calling this function
1519
997
return True
1520
998
1521
999
1522
1000
def string_to_delta(interval):
1523
1001
"""Parse a string and return a datetime.timedelta
1524
1002
1525
>>> string_to_delta(u'7d')
1003
>>> string_to_delta('7d')
1526
1004
datetime.timedelta(7)
1527
>>> string_to_delta(u'60s')
1005
>>> string_to_delta('60s')
1528
1006
datetime.timedelta(0, 60)
1529
>>> string_to_delta(u'60m')
1007
>>> string_to_delta('60m')
1530
1008
datetime.timedelta(0, 3600)
1531
>>> string_to_delta(u'24h')
1009
>>> string_to_delta('24h')
1532
1010
datetime.timedelta(1)
1533
1011
>>> string_to_delta(u'1w')
1534
1012
datetime.timedelta(7)
1535
>>> string_to_delta(u'5m 30s')
1013
>>> string_to_delta('5m 30s')
1536
1014
datetime.timedelta(0, 330)
1537
1015
"""
1538
1016
timevalue = datetime.timedelta(0)
1551
1029
elif suffix == u"w":
1552
1030
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1553
1031
else:
1554
raise ValueError(u"Unknown suffix %r" % suffix)
1555
except (ValueError, IndexError), e:
1556
raise ValueError(e.message)
1032
raise ValueError
1033
except (ValueError, IndexError):
1034
raise ValueError
1557
1035
timevalue += delta
1558
1036
return timevalue
1559
1037
1560
1038
1039
def server_state_changed(state):
1040
"""Derived from the Avahi example code"""
1041
if state == avahi.SERVER_COLLISION:
1042
logger.error(u"Zeroconf server name collision")
1043
service.remove()
1044
elif state == avahi.SERVER_RUNNING:
1045
service.add()
1046
1047
1048
def entry_group_state_changed(state, error):
1049
"""Derived from the Avahi example code"""
1050
logger.debug(u"Avahi state change: %i", state)
1051
1052
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1053
logger.debug(u"Zeroconf service established.")
1054
elif state == avahi.ENTRY_GROUP_COLLISION:
1055
logger.warning(u"Zeroconf service name collision.")
1056
service.rename()
1057
elif state == avahi.ENTRY_GROUP_FAILURE:
1058
logger.critical(u"Avahi: Error in group state changed %s",
1059
unicode(error))
1060
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1061
1561
1062
def if_nametoindex(interface):
1562
"""Call the C function if_nametoindex(), or equivalent
1563
1564
Note: This function cannot accept a unicode string."""
1063
"""Call the C function if_nametoindex(), or equivalent"""
1565
1064
global if_nametoindex
1566
1065
try:
1567
1066
if_nametoindex = (ctypes.cdll.LoadLibrary
1568
(ctypes.util.find_library(u"c"))
1067
(ctypes.util.find_library("c"))
1569
1068
.if_nametoindex)
1570
1069
except (OSError, AttributeError):
1571
logger.warning(u"Doing if_nametoindex the hard way")
1070
if "struct" not in sys.modules:
1071
import struct
1072
if "fcntl" not in sys.modules:
1073
import fcntl
1572
1074
def if_nametoindex(interface):
1573
1075
"Get an interface index the hard way, i.e. using fcntl()"
1574
1076
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1575
with contextlib.closing(socket.socket()) as s:
1077
with closing(socket.socket()) as s:
1576
1078
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1577
struct.pack(str(u"16s16x"),
1578
interface))
1579
interface_index = struct.unpack(str(u"I"),
1580
ifreq[16:20])[0]
1079
struct.pack("16s16x", interface))
1080
interface_index = struct.unpack("I", ifreq[16:20])[0]
1581
1081
return interface_index
1582
1082
return if_nametoindex(interface)
1583
1083
1590
1090
sys.exit()
1591
1091
os.setsid()
1592
1092
if not nochdir:
1593
os.chdir(u"/")
1093
os.chdir("/")
1594
1094
if os.fork():
1595
1095
sys.exit()
1596
1096
if not noclose:
1598
1098
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1599
1099
if not stat.S_ISCHR(os.fstat(null).st_mode):
1600
1100
raise OSError(errno.ENODEV,
1601
u"%s not a character device"
1602
% os.path.devnull)
1101
"/dev/null not a character device")
1603
1102
os.dup2(null, sys.stdin.fileno())
1604
1103
os.dup2(null, sys.stdout.fileno())
1605
1104
os.dup2(null, sys.stderr.fileno())
1609
1108
1610
1109
def main():
1611
1110
1612
##################################################################
1111
######################################################################
1613
1112
# Parsing of options, both command line and config file
1614
1113
1615
1114
parser = optparse.OptionParser(version = "%%prog %s" % version)
1616
parser.add_option("-i", u"--interface", type=u"string",
1617
metavar="IF", help=u"Bind to interface IF")
1618
parser.add_option("-a", u"--address", type=u"string",
1619
help=u"Address to listen for requests on")
1620
parser.add_option("-p", u"--port", type=u"int",
1621
help=u"Port number to receive requests on")
1622
parser.add_option("--check", action=u"store_true",
1623
help=u"Run self-test")
1624
parser.add_option("--debug", action=u"store_true",
1625
help=u"Debug mode; run in foreground and log to"
1626
u" terminal")
1627
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1628
u" priority string (see GnuTLS documentation)")
1629
parser.add_option("--servicename", type=u"string",
1630
metavar=u"NAME", help=u"Zeroconf service name")
1631
parser.add_option("--configdir", type=u"string",
1632
default=u"/etc/mandos", metavar=u"DIR",
1633
help=u"Directory to search for configuration"
1634
u" files")
1635
parser.add_option("--no-dbus", action=u"store_false",
1636
dest=u"use_dbus", help=u"Do not provide D-Bus"
1637
u" system bus interface")
1638
parser.add_option("--no-ipv6", action=u"store_false",
1639
dest=u"use_ipv6", help=u"Do not use IPv6")
1115
parser.add_option("-i", "--interface", type="string",
1116
metavar="IF", help="Bind to interface IF")
1117
parser.add_option("-a", "--address", type="string",
1118
help="Address to listen for requests on")
1119
parser.add_option("-p", "--port", type="int",
1120
help="Port number to receive requests on")
1121
parser.add_option("--check", action="store_true",
1122
help="Run self-test")
1123
parser.add_option("--debug", action="store_true",
1124
help="Debug mode; run in foreground and log to"
1125
" terminal")
1126
parser.add_option("--priority", type="string", help="GnuTLS"
1127
" priority string (see GnuTLS documentation)")
1128
parser.add_option("--servicename", type="string", metavar="NAME",
1129
help="Zeroconf service name")
1130
parser.add_option("--configdir", type="string",
1131
default="/etc/mandos", metavar="DIR",
1132
help="Directory to search for configuration"
1133
" files")
1134
parser.add_option("--no-dbus", action="store_false",
1135
dest="use_dbus",
1136
help="Do not provide D-Bus system bus"
1137
" interface")
1138
parser.add_option("--no-ipv6", action="store_false",
1139
dest="use_ipv6", help="Do not use IPv6")
1640
1140
options = parser.parse_args()[0]
1641
1141
1642
1142
if options.check:
1645
1145
sys.exit()
1646
1146
1647
1147
# Default values for config file for server-global settings
1648
server_defaults = { u"interface": u"",
1649
u"address": u"",
1650
u"port": u"",
1651
u"debug": u"False",
1652
u"priority":
1653
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1654
u"servicename": u"Mandos",
1655
u"use_dbus": u"True",
1656
u"use_ipv6": u"True",
1148
server_defaults = { "interface": "",
1149
"address": "",
1150
"port": "",
1151
"debug": "False",
1152
"priority":
1153
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1154
"servicename": "Mandos",
1155
"use_dbus": "True",
1156
"use_ipv6": "True",
1657
1157
}
1658
1158
1659
1159
# Parse config file for server-global settings
1660
server_config = configparser.SafeConfigParser(server_defaults)
1160
server_config = ConfigParser.SafeConfigParser(server_defaults)
1661
1161
del server_defaults
1662
server_config.read(os.path.join(options.configdir,
1663
u"mandos.conf"))
1162
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1664
1163
# Convert the SafeConfigParser object to a dict
1665
1164
server_settings = server_config.defaults()
1666
1165
# Use the appropriate methods on the non-string config options
1667
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1668
server_settings[option] = server_config.getboolean(u"DEFAULT",
1669
option)
1166
server_settings["debug"] = server_config.getboolean("DEFAULT",
1167
"debug")
1168
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1169
"use_dbus")
1170
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1171
"use_ipv6")
1670
1172
if server_settings["port"]:
1671
server_settings["port"] = server_config.getint(u"DEFAULT",
1672
u"port")
1173
server_settings["port"] = server_config.getint("DEFAULT",
1174
"port")
1673
1175
del server_config
1674
1176
1675
1177
# Override the settings from the config file with command line
1676
1178
# options, if set.
1677
for option in (u"interface", u"address", u"port", u"debug",
1678
u"priority", u"servicename", u"configdir",
1679
u"use_dbus", u"use_ipv6"):
1179
for option in ("interface", "address", "port", "debug",
1180
"priority", "servicename", "configdir",
1181
"use_dbus", "use_ipv6"):
1680
1182
value = getattr(options, option)
1681
1183
if value is not None:
1682
1184
server_settings[option] = value
1683
1185
del options
1684
# Force all strings to be unicode
1685
for option in server_settings.keys():
1686
if type(server_settings[option]) is str:
1687
server_settings[option] = unicode(server_settings[option])
1688
1186
# Now we have our good server settings in "server_settings"
1689
1187
1690
1188
##################################################################
1691
1189
1692
1190
# For convenience
1693
debug = server_settings[u"debug"]
1694
use_dbus = server_settings[u"use_dbus"]
1695
use_ipv6 = server_settings[u"use_ipv6"]
1191
debug = server_settings["debug"]
1192
use_dbus = server_settings["use_dbus"]
1193
use_ipv6 = server_settings["use_ipv6"]
1696
1194
1697
1195
if not debug:
1698
1196
syslogger.setLevel(logging.WARNING)
1699
1197
console.setLevel(logging.WARNING)
1700
1198
1701
if server_settings[u"servicename"] != u"Mandos":
1199
if server_settings["servicename"] != "Mandos":
1702
1200
syslogger.setFormatter(logging.Formatter
1703
(u'Mandos (%s) [%%(process)d]:'
1704
u' %%(levelname)s: %%(message)s'
1705
% server_settings[u"servicename"]))
1201
('Mandos (%s) [%%(process)d]:'
1202
' %%(levelname)s: %%(message)s'
1203
% server_settings["servicename"]))
1706
1204
1707
1205
# Parse config file with clients
1708
client_defaults = { u"timeout": u"1h",
1709
u"interval": u"5m",
1710
u"checker": u"fping -q -- %%(host)s",
1711
u"host": u"",
1712
u"approved_delay": u"0s",
1713
u"approved_duration": u"1s",
1206
client_defaults = { "timeout": "1h",
1207
"interval": "5m",
1208
"checker": "fping -q -- %%(host)s",
1209
"host": "",
1714
1210
}
1715
client_config = configparser.SafeConfigParser(client_defaults)
1716
client_config.read(os.path.join(server_settings[u"configdir"],
1717
u"clients.conf"))
1718
1211
client_config = ConfigParser.SafeConfigParser(client_defaults)
1212
client_config.read(os.path.join(server_settings["configdir"],
1213
"clients.conf"))
1214
1719
1215
global mandos_dbus_service
1720
1216
mandos_dbus_service = None
1721
1217
1722
tcp_server = MandosServer((server_settings[u"address"],
1723
server_settings[u"port"]),
1724
ClientHandler,
1725
interface=server_settings[u"interface"],
1726
use_ipv6=use_ipv6,
1727
gnutls_priority=
1728
server_settings[u"priority"],
1729
use_dbus=use_dbus)
1730
pidfilename = u"/var/run/mandos.pid"
1218
clients = Set()
1219
tcp_server = IPv6_TCPServer((server_settings["address"],
1220
server_settings["port"]),
1221
ClientHandler,
1222
interface=
1223
server_settings["interface"],
1224
use_ipv6=use_ipv6,
1225
clients=clients,
1226
gnutls_priority=
1227
server_settings["priority"],
1228
use_dbus=use_dbus)
1229
pidfilename = "/var/run/mandos.pid"
1731
1230
try:
1732
pidfile = open(pidfilename, u"w")
1231
pidfile = open(pidfilename, "w")
1733
1232
except IOError:
1734
logger.error(u"Could not open file %r", pidfilename)
1233
logger.error("Could not open file %r", pidfilename)
1735
1234
1736
1235
try:
1737
uid = pwd.getpwnam(u"_mandos").pw_uid
1738
gid = pwd.getpwnam(u"_mandos").pw_gid
1236
uid = pwd.getpwnam("_mandos").pw_uid
1237
gid = pwd.getpwnam("_mandos").pw_gid
1739
1238
except KeyError:
1740
1239
try:
1741
uid = pwd.getpwnam(u"mandos").pw_uid
1742
gid = pwd.getpwnam(u"mandos").pw_gid
1240
uid = pwd.getpwnam("mandos").pw_uid
1241
gid = pwd.getpwnam("mandos").pw_gid
1743
1242
except KeyError:
1744
1243
try:
1745
uid = pwd.getpwnam(u"nobody").pw_uid
1746
gid = pwd.getpwnam(u"nobody").pw_gid
1244
uid = pwd.getpwnam("nobody").pw_uid
1245
gid = pwd.getpwnam("nogroup").pw_gid
1747
1246
except KeyError:
1748
1247
uid = 65534
1749
1248
gid = 65534
1762
1261
1763
1262
@gnutls.library.types.gnutls_log_func
1764
1263
def debug_gnutls(level, string):
1765
logger.debug(u"GnuTLS: %s", string[:-1])
1264
logger.debug("GnuTLS: %s", string[:-1])
1766
1265
1767
1266
(gnutls.library.functions
1768
1267
.gnutls_global_set_log_function(debug_gnutls))
1769
1268
1269
global service
1270
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1271
service = AvahiService(name = server_settings["servicename"],
1272
servicetype = "_mandos._tcp",
1273
protocol = protocol)
1274
if server_settings["interface"]:
1275
service.interface = (if_nametoindex
1276
(server_settings["interface"]))
1277
1770
1278
global main_loop
1279
global bus
1280
global server
1771
1281
# From the Avahi example code
1772
1282
DBusGMainLoop(set_as_default=True )
1773
1283
main_loop = gobject.MainLoop()
1774
1284
bus = dbus.SystemBus()
1285
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1286
avahi.DBUS_PATH_SERVER),
1287
avahi.DBUS_INTERFACE_SERVER)
1775
1288
# End of Avahi example code
1776
1289
if use_dbus:
1777
try:
1778
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1779
bus, do_not_queue=True)
1780
except dbus.exceptions.NameExistsException, e:
1781
logger.error(unicode(e) + u", disabling D-Bus")
1782
use_dbus = False
1783
server_settings[u"use_dbus"] = False
1784
tcp_server.use_dbus = False
1785
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1786
service = AvahiService(name = server_settings[u"servicename"],
1787
servicetype = u"_mandos._tcp",
1788
protocol = protocol, bus = bus)
1789
if server_settings["interface"]:
1790
service.interface = (if_nametoindex
1791
(str(server_settings[u"interface"])))
1792
1793
global multiprocessing_manager
1794
multiprocessing_manager = multiprocessing.Manager()
1290
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1795
1291
1796
1292
client_class = Client
1797
1293
if use_dbus:
1798
client_class = functools.partial(ClientDBus, bus = bus)
1799
def client_config_items(config, section):
1800
special_settings = {
1801
"approved_by_default":
1802
lambda: config.getboolean(section,
1803
"approved_by_default"),
1804
}
1805
for name, value in config.items(section):
1806
try:
1807
yield (name, special_settings[name]())
1808
except KeyError:
1809
yield (name, value)
1810
1811
tcp_server.clients.update(set(
1294
client_class = ClientDBus
1295
clients.update(Set(
1812
1296
client_class(name = section,
1813
config= dict(client_config_items(
1814
client_config, section)))
1297
config= dict(client_config.items(section)))
1815
1298
for section in client_config.sections()))
1816
if not tcp_server.clients:
1299
if not clients:
1817
1300
logger.warning(u"No clients defined")
1818
1301
1819
1302
if debug:
1829
1312
daemon()
1830
1313
1831
1314
try:
1832
with pidfile:
1315
with closing(pidfile):
1833
1316
pid = os.getpid()
1834
1317
pidfile.write(str(pid) + "\n")
1835
1318
del pidfile
1841
1324
pass
1842
1325
del pidfilename
1843
1326
1327
def cleanup():
1328
"Cleanup function; run on exit"
1329
global group
1330
# From the Avahi example code
1331
if not group is None:
1332
group.Free()
1333
group = None
1334
# End of Avahi example code
1335
1336
while clients:
1337
client = clients.pop()
1338
client.disable_hook = None
1339
client.disable()
1340
1341
atexit.register(cleanup)
1342
1844
1343
if not debug:
1845
1344
signal.signal(signal.SIGINT, signal.SIG_IGN)
1846
1345
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1850
1349
class MandosDBusService(dbus.service.Object):
1851
1350
"""A D-Bus proxy object"""
1852
1351
def __init__(self):
1853
dbus.service.Object.__init__(self, bus, u"/")
1352
dbus.service.Object.__init__(self, bus, "/")
1854
1353
_interface = u"se.bsnet.fukt.Mandos"
1855
1354
1856
@dbus.service.signal(_interface, signature=u"o")
1857
def ClientAdded(self, objpath):
1858
"D-Bus signal"
1859
pass
1860
1861
@dbus.service.signal(_interface, signature=u"ss")
1862
def ClientNotFound(self, fingerprint, address):
1863
"D-Bus signal"
1864
pass
1865
1866
@dbus.service.signal(_interface, signature=u"os")
1355
@dbus.service.signal(_interface, signature="oa{sv}")
1356
def ClientAdded(self, objpath, properties):
1357
"D-Bus signal"
1358
pass
1359
1360
@dbus.service.signal(_interface, signature="s")
1361
def ClientNotFound(self, fingerprint):
1362
"D-Bus signal"
1363
pass
1364
1365
@dbus.service.signal(_interface, signature="os")
1867
1366
def ClientRemoved(self, objpath, name):
1868
1367
"D-Bus signal"
1869
1368
pass
1870
1369
1871
@dbus.service.method(_interface, out_signature=u"ao")
1370
@dbus.service.method(_interface, out_signature="ao")
1872
1371
def GetAllClients(self):
1873
1372
"D-Bus method"
1874
return dbus.Array(c.dbus_object_path
1875
for c in tcp_server.clients)
1373
return dbus.Array(c.dbus_object_path for c in clients)
1876
1374
1877
@dbus.service.method(_interface,
1878
out_signature=u"a{oa{sv}}")
1375
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1879
1376
def GetAllClientsWithProperties(self):
1880
1377
"D-Bus method"
1881
1378
return dbus.Dictionary(
1882
((c.dbus_object_path, c.GetAll(u""))
1883
for c in tcp_server.clients),
1884
signature=u"oa{sv}")
1379
((c.dbus_object_path, c.GetAllProperties())
1380
for c in clients),
1381
signature="oa{sv}")
1885
1382
1886
@dbus.service.method(_interface, in_signature=u"o")
1383
@dbus.service.method(_interface, in_signature="o")
1887
1384
def RemoveClient(self, object_path):
1888
1385
"D-Bus method"
1889
for c in tcp_server.clients:
1386
for c in clients:
1890
1387
if c.dbus_object_path == object_path:
1891
tcp_server.clients.remove(c)
1388
clients.remove(c)
1892
1389
c.remove_from_connection()
1893
1390
# Don't signal anything except ClientRemoved
1894
c.disable(quiet=True)
1391
c.disable(signal=False)
1895
1392
# Emit D-Bus signal
1896
1393
self.ClientRemoved(object_path, c.name)
1897
1394
return
1898
raise KeyError(object_path)
1395
raise KeyError
1899
1396
1900
1397
del _interface
1901
1398
1902
1399
mandos_dbus_service = MandosDBusService()
1903
1400
1904
def cleanup():
1905
"Cleanup function; run on exit"
1906
service.cleanup()
1907
1908
while tcp_server.clients:
1909
client = tcp_server.clients.pop()
1910
if use_dbus:
1911
client.remove_from_connection()
1912
client.disable_hook = None
1913
# Don't signal anything except ClientRemoved
1914
client.disable(quiet=True)
1915
if use_dbus:
1916
# Emit D-Bus signal
1917
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1918
client.name)
1919
1920
atexit.register(cleanup)
1921
1922
for client in tcp_server.clients:
1401
for client in clients:
1923
1402
if use_dbus:
1924
1403
# Emit D-Bus signal
1925
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1404
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1405
client.GetAllProperties())
1926
1406
client.enable()
1927
1407
1928
1408
tcp_server.enable()
1942
1422
1943
1423
try:
1944
1424
# From the Avahi example code
1425
server.connect_to_signal("StateChanged", server_state_changed)
1945
1426
try:
1946
service.activate()
1427
server_state_changed(server.GetState())
1947
1428
except dbus.exceptions.DBusException, error:
1948
1429
logger.critical(u"DBusException: %s", error)
1949
cleanup()
1950
1430
sys.exit(1)
1951
1431
# End of Avahi example code
1952
1432
1959
1439
main_loop.run()
1960
1440
except AvahiError, error:
1961
1441
logger.critical(u"AvahiError: %s", error)
1962
cleanup()
1963
1442
sys.exit(1)
1964
1443
except KeyboardInterrupt:
1965
1444
if debug:
1966
1445
print >> sys.stderr
1967
logger.debug(u"Server received KeyboardInterrupt")
1968
logger.debug(u"Server exiting")
1969
# Must run before the D-Bus bus name gets deregistered
1970
cleanup()
1446
logger.debug("Server received KeyboardInterrupt")
1447
logger.debug("Server exiting")
1971
1448
1972
1449
if __name__ == '__main__':
1973
1450
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0