To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 335
- compare with another revision
- download diff
- download tarball
- view history from revision 335
- Committer: Teddy Hogeborn
- Date: 2009-04-16 06:47:28 UTC
- Revision ID: teddy@fukt.bsnet.se-20090416064728-c3d36mvgxo5q9aoh
* mandos: Import "SocketServer" as "socketserver" and "ConfigParser"
as "configparser". All users changed.
as "configparser". All users changed.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- etc-plugins.d-README
- files modified:
- .bzrignore
added
removed
mandos
11
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
15
16
#
16
17
# This program is free software: you can redistribute it and/or modify
17
18
# it under the terms of the GNU General Public License as published by
30
31
# Contact the authors at <mandos@fukt.bsnet.se>.
31
32
#
32
33
33
from __future__ import division
34
from __future__ import division, with_statement, absolute_import
34
35
35
import SocketServer
36
import SocketServer as socketserver
36
37
import socket
37
import select
38
from optparse import OptionParser
38
import optparse
39
39
import datetime
40
40
import errno
41
41
import gnutls.crypto
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser
47
import ConfigParser as configparser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
53
52
import subprocess
54
53
import atexit
55
54
import stat
56
55
import logging
57
56
import logging.handlers
58
57
import pwd
58
from contextlib import closing
59
import struct
60
import fcntl
59
61
60
62
import dbus
63
import dbus.service
61
64
import gobject
62
65
import avahi
63
66
from dbus.mainloop.glib import DBusGMainLoop
64
67
import ctypes
65
66
version = "1.0"
67
68
logger = logging.Logger('mandos')
69
syslogger = logging.handlers.SysLogHandler\
70
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
71
address = "/dev/log")
72
syslogger.setFormatter(logging.Formatter\
73
('Mandos: %(levelname)s: %(message)s'))
68
import ctypes.util
69
70
try:
71
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
72
except AttributeError:
73
try:
74
from IN import SO_BINDTODEVICE
75
except ImportError:
76
# From /usr/include/asm/socket.h
77
SO_BINDTODEVICE = 25
78
79
80
version = "1.0.8"
81
82
logger = logging.Logger(u'mandos')
83
syslogger = (logging.handlers.SysLogHandler
84
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
74
89
logger.addHandler(syslogger)
75
90
76
91
console = logging.StreamHandler()
77
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
78
' %(message)s'))
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
79
95
logger.addHandler(console)
80
96
81
97
class AvahiError(Exception):
82
def __init__(self, value):
98
def __init__(self, value, *args, **kwargs):
83
99
self.value = value
84
def __str__(self):
85
return repr(self.value)
100
super(AvahiError, self).__init__(value, *args, **kwargs)
101
def __unicode__(self):
102
return unicode(repr(self.value))
86
103
87
104
class AvahiServiceError(AvahiError):
88
105
pass
93
110
94
111
class AvahiService(object):
95
112
"""An Avahi (Zeroconf) service.
113
96
114
Attributes:
97
115
interface: integer; avahi.IF_UNSPEC or an interface index.
98
116
Used to optionally bind to the specified interface.
99
name: string; Example: 'Mandos'
100
type: string; Example: '_mandos._tcp'.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
101
119
See <http://www.dns-sd.org/ServiceTypes.html>
102
120
port: integer; what port to announce
103
121
TXT: list of strings; TXT record for the service
108
126
a sensible number of times
109
127
"""
110
128
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
111
type = None, port = None, TXT = None, domain = "",
112
host = "", max_renames = 32768):
129
servicetype = None, port = None, TXT = None,
130
domain = u"", host = u"", max_renames = 32768,
131
protocol = avahi.PROTO_UNSPEC):
113
132
self.interface = interface
114
133
self.name = name
115
self.type = type
134
self.type = servicetype
116
135
self.port = port
117
if TXT is None:
118
self.TXT = []
119
else:
120
self.TXT = TXT
136
self.TXT = TXT if TXT is not None else []
121
137
self.domain = domain
122
138
self.host = host
123
139
self.rename_count = 0
124
140
self.max_renames = max_renames
141
self.protocol = protocol
125
142
def rename(self):
126
143
"""Derived from the Avahi example code"""
127
144
if self.rename_count >= self.max_renames:
128
145
logger.critical(u"No suitable Zeroconf service name found"
129
146
u" after %i retries, exiting.",
130
rename_count)
131
raise AvahiServiceError("Too many renames")
147
self.rename_count)
148
raise AvahiServiceError(u"Too many renames")
132
149
self.name = server.GetAlternativeServiceName(self.name)
133
150
logger.info(u"Changing Zeroconf service name to %r ...",
134
str(self.name))
135
syslogger.setFormatter(logging.Formatter\
136
('Mandos (%s): %%(levelname)s:'
137
' %%(message)s' % self.name))
151
self.name)
152
syslogger.setFormatter(logging.Formatter
153
(u'Mandos (%s) [%%(process)d]:'
154
u' %%(levelname)s: %%(message)s'
155
% self.name))
138
156
self.remove()
139
157
self.add()
140
158
self.rename_count += 1
146
164
"""Derived from the Avahi example code"""
147
165
global group
148
166
if group is None:
149
group = dbus.Interface\
150
(bus.get_object(avahi.DBUS_NAME,
167
group = dbus.Interface(bus.get_object
168
(avahi.DBUS_NAME,
151
169
server.EntryGroupNew()),
152
avahi.DBUS_INTERFACE_ENTRY_GROUP)
170
avahi.DBUS_INTERFACE_ENTRY_GROUP)
153
171
group.connect_to_signal('StateChanged',
154
172
entry_group_state_changed)
155
173
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
156
174
service.name, service.type)
157
175
group.AddService(
158
176
self.interface, # interface
159
avahi.PROTO_INET6, # protocol
177
self.protocol, # protocol
160
178
dbus.UInt32(0), # flags
161
179
self.name, self.type,
162
180
self.domain, self.host,
169
187
# End of Avahi example code
170
188
171
189
190
def _datetime_to_dbus(dt, variant_level=0):
191
"""Convert a UTC datetime.datetime() to a D-Bus type."""
192
return dbus.String(dt.isoformat(), variant_level=variant_level)
193
194
172
195
class Client(object):
173
196
"""A representation of a client host served by this server.
197
174
198
Attributes:
175
name: string; from the config file, used in log messages
199
name: string; from the config file, used in log messages and
200
D-Bus identifiers
176
201
fingerprint: string (40 or 32 hexadecimal digits); used to
177
202
uniquely identify the client
178
secret: bytestring; sent verbatim (over TLS) to client
179
host: string; available for use by the checker command
180
created: datetime.datetime(); object creation, not client host
181
last_checked_ok: datetime.datetime() or None if not yet checked OK
182
timeout: datetime.timedelta(); How long from last_checked_ok
183
until this client is invalid
184
interval: datetime.timedelta(); How often to start a new checker
185
stop_hook: If set, called by stop() as stop_hook(self)
186
checker: subprocess.Popen(); a running checker process used
187
to see if the client lives.
188
'None' if no process is running.
203
secret: bytestring; sent verbatim (over TLS) to client
204
host: string; available for use by the checker command
205
created: datetime.datetime(); (UTC) object creation
206
last_enabled: datetime.datetime(); (UTC)
207
enabled: bool()
208
last_checked_ok: datetime.datetime(); (UTC) or None
209
timeout: datetime.timedelta(); How long from last_checked_ok
210
until this client is invalid
211
interval: datetime.timedelta(); How often to start a new checker
212
disable_hook: If set, called by disable() as disable_hook(self)
213
checker: subprocess.Popen(); a running checker process used
214
to see if the client lives.
215
'None' if no process is running.
189
216
checker_initiator_tag: a gobject event source tag, or None
190
stop_initiator_tag: - '' -
217
disable_initiator_tag: - '' -
191
218
checker_callback_tag: - '' -
192
219
checker_command: string; External command which is run to check if
193
220
client lives. %() expansions are done at
194
221
runtime with vars(self) as dict, so that for
195
222
instance %(name)s can be used in the command.
196
Private attibutes:
197
_timeout: Real variable for 'timeout'
198
_interval: Real variable for 'interval'
199
_timeout_milliseconds: Used when calling gobject.timeout_add()
200
_interval_milliseconds: - '' -
223
current_checker_command: string; current running checker_command
201
224
"""
202
def _set_timeout(self, timeout):
203
"Setter function for 'timeout' attribute"
204
self._timeout = timeout
205
self._timeout_milliseconds = ((self.timeout.days
206
* 24 * 60 * 60 * 1000)
207
+ (self.timeout.seconds * 1000)
208
+ (self.timeout.microseconds
209
// 1000))
210
timeout = property(lambda self: self._timeout,
211
_set_timeout)
212
del _set_timeout
213
def _set_interval(self, interval):
214
"Setter function for 'interval' attribute"
215
self._interval = interval
216
self._interval_milliseconds = ((self.interval.days
217
* 24 * 60 * 60 * 1000)
218
+ (self.interval.seconds
219
* 1000)
220
+ (self.interval.microseconds
221
// 1000))
222
interval = property(lambda self: self._interval,
223
_set_interval)
224
del _set_interval
225
def __init__(self, name = None, stop_hook=None, config={}):
225
226
@staticmethod
227
def _datetime_to_milliseconds(dt):
228
"Convert a datetime.datetime() to milliseconds"
229
return ((dt.days * 24 * 60 * 60 * 1000)
230
+ (dt.seconds * 1000)
231
+ (dt.microseconds // 1000))
232
233
def timeout_milliseconds(self):
234
"Return the 'timeout' attribute in milliseconds"
235
return self._datetime_to_milliseconds(self.timeout)
236
237
def interval_milliseconds(self):
238
"Return the 'interval' attribute in milliseconds"
239
return self._datetime_to_milliseconds(self.interval)
240
241
def __init__(self, name = None, disable_hook=None, config=None):
226
242
"""Note: the 'checker' key in 'config' sets the
227
243
'checker_command' attribute and *not* the 'checker'
228
244
attribute."""
229
245
self.name = name
246
if config is None:
247
config = {}
230
248
logger.debug(u"Creating client %r", self.name)
231
249
# Uppercase and remove spaces from fingerprint for later
232
250
# comparison purposes with return value from the fingerprint()
233
251
# function
234
self.fingerprint = config["fingerprint"].upper()\
235
.replace(u" ", u"")
252
self.fingerprint = (config[u"fingerprint"].upper()
253
.replace(u" ", u""))
236
254
logger.debug(u" Fingerprint: %s", self.fingerprint)
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
240
sf = open(config["secfile"])
241
self.secret = sf.read()
242
sf.close()
255
if u"secret" in config:
256
self.secret = config[u"secret"].decode(u"base64")
257
elif u"secfile" in config:
258
with closing(open(os.path.expanduser
259
(os.path.expandvars
260
(config[u"secfile"])))) as secfile:
261
self.secret = secfile.read()
243
262
else:
244
263
raise TypeError(u"No secret or secfile for client %s"
245
264
% self.name)
246
self.host = config.get("host", "")
247
self.created = datetime.datetime.now()
265
self.host = config.get(u"host", u"")
266
self.created = datetime.datetime.utcnow()
267
self.enabled = False
268
self.last_enabled = None
248
269
self.last_checked_ok = None
249
self.timeout = string_to_delta(config["timeout"])
250
self.interval = string_to_delta(config["interval"])
251
self.stop_hook = stop_hook
270
self.timeout = string_to_delta(config[u"timeout"])
271
self.interval = string_to_delta(config[u"interval"])
272
self.disable_hook = disable_hook
252
273
self.checker = None
253
274
self.checker_initiator_tag = None
254
self.stop_initiator_tag = None
275
self.disable_initiator_tag = None
255
276
self.checker_callback_tag = None
256
self.check_command = config["checker"]
257
def start(self):
277
self.checker_command = config[u"checker"]
278
self.current_checker_command = None
279
self.last_connect = None
280
281
def enable(self):
258
282
"""Start this client's checker and timeout hooks"""
283
self.last_enabled = datetime.datetime.utcnow()
259
284
# Schedule a new checker to be started an 'interval' from now,
260
285
# and every interval from then on.
261
self.checker_initiator_tag = gobject.timeout_add\
262
(self._interval_milliseconds,
263
self.start_checker)
286
self.checker_initiator_tag = (gobject.timeout_add
287
(self.interval_milliseconds(),
288
self.start_checker))
264
289
# Also start a new checker *right now*.
265
290
self.start_checker()
266
# Schedule a stop() when 'timeout' has passed
267
self.stop_initiator_tag = gobject.timeout_add\
268
(self._timeout_milliseconds,
269
self.stop)
270
def stop(self):
271
"""Stop this client.
272
The possibility that a client might be restarted is left open,
273
but not currently used."""
274
# If this client doesn't have a secret, it is already stopped.
275
if hasattr(self, "secret") and self.secret:
276
logger.info(u"Stopping client %s", self.name)
277
self.secret = None
278
else:
291
# Schedule a disable() when 'timeout' has passed
292
self.disable_initiator_tag = (gobject.timeout_add
293
(self.timeout_milliseconds(),
294
self.disable))
295
self.enabled = True
296
297
def disable(self):
298
"""Disable this client."""
299
if not getattr(self, "enabled", False):
279
300
return False
280
if getattr(self, "stop_initiator_tag", False):
281
gobject.source_remove(self.stop_initiator_tag)
282
self.stop_initiator_tag = None
283
if getattr(self, "checker_initiator_tag", False):
301
logger.info(u"Disabling client %s", self.name)
302
if getattr(self, u"disable_initiator_tag", False):
303
gobject.source_remove(self.disable_initiator_tag)
304
self.disable_initiator_tag = None
305
if getattr(self, u"checker_initiator_tag", False):
284
306
gobject.source_remove(self.checker_initiator_tag)
285
307
self.checker_initiator_tag = None
286
308
self.stop_checker()
287
if self.stop_hook:
288
self.stop_hook(self)
309
if self.disable_hook:
310
self.disable_hook(self)
311
self.enabled = False
289
312
# Do not run this again if called by a gobject.timeout_add
290
313
return False
314
291
315
def __del__(self):
292
self.stop_hook = None
293
self.stop()
294
def checker_callback(self, pid, condition):
316
self.disable_hook = None
317
self.disable()
318
319
def checker_callback(self, pid, condition, command):
295
320
"""The checker has completed, so take appropriate actions."""
296
now = datetime.datetime.now()
297
321
self.checker_callback_tag = None
298
322
self.checker = None
299
if os.WIFEXITED(condition) \
300
and (os.WEXITSTATUS(condition) == 0):
301
logger.info(u"Checker for %(name)s succeeded",
302
vars(self))
303
self.last_checked_ok = now
304
gobject.source_remove(self.stop_initiator_tag)
305
self.stop_initiator_tag = gobject.timeout_add\
306
(self._timeout_milliseconds,
307
self.stop)
308
elif not os.WIFEXITED(condition):
323
if os.WIFEXITED(condition):
324
exitstatus = os.WEXITSTATUS(condition)
325
if exitstatus == 0:
326
logger.info(u"Checker for %(name)s succeeded",
327
vars(self))
328
self.checked_ok()
329
else:
330
logger.info(u"Checker for %(name)s failed",
331
vars(self))
332
else:
309
333
logger.warning(u"Checker for %(name)s crashed?",
310
334
vars(self))
311
else:
312
logger.info(u"Checker for %(name)s failed",
313
vars(self))
335
336
def checked_ok(self):
337
"""Bump up the timeout for this client.
338
339
This should only be called when the client has been seen,
340
alive and well.
341
"""
342
self.last_checked_ok = datetime.datetime.utcnow()
343
gobject.source_remove(self.disable_initiator_tag)
344
self.disable_initiator_tag = (gobject.timeout_add
345
(self.timeout_milliseconds(),
346
self.disable))
347
314
348
def start_checker(self):
315
349
"""Start a new checker subprocess if one is not running.
350
316
351
If a checker already exists, leave it running and do
317
352
nothing."""
318
353
# The reason for not killing a running checker is that if we
323
358
# checkers alone, the checker would have to take more time
324
359
# than 'timeout' for the client to be declared invalid, which
325
360
# is as it should be.
361
362
# If a checker exists, make sure it is not a zombie
363
if self.checker is not None:
364
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
365
if pid:
366
logger.warning(u"Checker was a zombie")
367
gobject.source_remove(self.checker_callback_tag)
368
self.checker_callback(pid, status,
369
self.current_checker_command)
370
# Start a new checker if needed
326
371
if self.checker is None:
327
372
try:
328
# In case check_command has exactly one % operator
329
command = self.check_command % self.host
373
# In case checker_command has exactly one % operator
374
command = self.checker_command % self.host
330
375
except TypeError:
331
376
# Escape attributes for the shell
332
escaped_attrs = dict((key, re.escape(str(val)))
377
escaped_attrs = dict((key,
378
re.escape(unicode(str(val),
379
errors=
380
u'replace')))
333
381
for key, val in
334
382
vars(self).iteritems())
335
383
try:
336
command = self.check_command % escaped_attrs
384
command = self.checker_command % escaped_attrs
337
385
except TypeError, error:
338
386
logger.error(u'Could not format string "%s":'
339
u' %s', self.check_command, error)
387
u' %s', self.checker_command, error)
340
388
return True # Try again later
389
self.current_checker_command = command
341
390
try:
342
391
logger.info(u"Starting checker %r for %s",
343
392
command, self.name)
347
396
# always replaced by /dev/null.)
348
397
self.checker = subprocess.Popen(command,
349
398
close_fds=True,
350
shell=True, cwd="/")
351
self.checker_callback_tag = gobject.child_watch_add\
352
(self.checker.pid,
353
self.checker_callback)
399
shell=True, cwd=u"/")
400
self.checker_callback_tag = (gobject.child_watch_add
401
(self.checker.pid,
402
self.checker_callback,
403
data=command))
404
# The checker may have completed before the gobject
405
# watch was added. Check for this.
406
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
407
if pid:
408
gobject.source_remove(self.checker_callback_tag)
409
self.checker_callback(pid, status, command)
354
410
except OSError, error:
355
411
logger.error(u"Failed to start subprocess: %s",
356
412
error)
357
413
# Re-run this periodically if run by gobject.timeout_add
358
414
return True
415
359
416
def stop_checker(self):
360
417
"""Force the checker process, if any, to stop."""
361
418
if self.checker_callback_tag:
362
419
gobject.source_remove(self.checker_callback_tag)
363
420
self.checker_callback_tag = None
364
if getattr(self, "checker", None) is None:
421
if getattr(self, u"checker", None) is None:
365
422
return
366
423
logger.debug(u"Stopping checker for %(name)s", vars(self))
367
424
try:
373
430
if error.errno != errno.ESRCH: # No such process
374
431
raise
375
432
self.checker = None
433
376
434
def still_valid(self):
377
435
"""Has the timeout not yet passed for this client?"""
378
now = datetime.datetime.now()
436
if not getattr(self, u"enabled", False):
437
return False
438
now = datetime.datetime.utcnow()
379
439
if self.last_checked_ok is None:
380
440
return now < (self.created + self.timeout)
381
441
else:
382
442
return now < (self.last_checked_ok + self.timeout)
383
443
384
444
385
def peer_certificate(session):
386
"Return the peer's OpenPGP certificate as a bytestring"
387
# If not an OpenPGP certificate...
388
if gnutls.library.functions.gnutls_certificate_type_get\
389
(session._c_object) \
390
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
391
# ...do the normal thing
392
return session.peer_certificate
393
list_size = ctypes.c_uint()
394
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
395
(session._c_object, ctypes.byref(list_size))
396
if list_size.value == 0:
397
return None
398
cert = cert_list[0]
399
return ctypes.string_at(cert.data, cert.size)
400
401
402
def fingerprint(openpgp):
403
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
404
# New GnuTLS "datum" with the OpenPGP public key
405
datum = gnutls.library.types.gnutls_datum_t\
406
(ctypes.cast(ctypes.c_char_p(openpgp),
407
ctypes.POINTER(ctypes.c_ubyte)),
408
ctypes.c_uint(len(openpgp)))
409
# New empty GnuTLS certificate
410
crt = gnutls.library.types.gnutls_openpgp_crt_t()
411
gnutls.library.functions.gnutls_openpgp_crt_init\
412
(ctypes.byref(crt))
413
# Import the OpenPGP public key into the certificate
414
gnutls.library.functions.gnutls_openpgp_crt_import\
415
(crt, ctypes.byref(datum),
416
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
417
# Verify the self signature in the key
418
crtverify = ctypes.c_uint();
419
gnutls.library.functions.gnutls_openpgp_crt_verify_self\
420
(crt, 0, ctypes.byref(crtverify))
421
if crtverify.value != 0:
422
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
423
raise gnutls.errors.CertificateSecurityError("Verify failed")
424
# New buffer for the fingerprint
425
buffer = ctypes.create_string_buffer(20)
426
buffer_length = ctypes.c_size_t()
427
# Get the fingerprint from the certificate into the buffer
428
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
429
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
430
# Deinit the certificate
431
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
432
# Convert the buffer to a Python bytestring
433
fpr = ctypes.string_at(buffer, buffer_length.value)
434
# Convert the bytestring to hexadecimal notation
435
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
436
return hex_fpr
437
438
439
class tcp_handler(SocketServer.BaseRequestHandler, object):
440
"""A TCP request handler class.
441
Instantiated by IPv6_TCPServer for each request to handle it.
445
class ClientDBus(Client, dbus.service.Object):
446
"""A Client class using D-Bus
447
448
Attributes:
449
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
450
"""
451
# dbus.service.Object doesn't use super(), so we can't either.
452
453
def __init__(self, *args, **kwargs):
454
Client.__init__(self, *args, **kwargs)
455
# Only now, when this client is initialized, can it show up on
456
# the D-Bus
457
self.dbus_object_path = (dbus.ObjectPath
458
(u"/clients/"
459
+ self.name.replace(u".", u"_")))
460
dbus.service.Object.__init__(self, bus,
461
self.dbus_object_path)
462
def enable(self):
463
oldstate = getattr(self, u"enabled", False)
464
r = Client.enable(self)
465
if oldstate != self.enabled:
466
# Emit D-Bus signals
467
self.PropertyChanged(dbus.String(u"enabled"),
468
dbus.Boolean(True, variant_level=1))
469
self.PropertyChanged(dbus.String(u"last_enabled"),
470
(_datetime_to_dbus(self.last_enabled,
471
variant_level=1)))
472
return r
473
474
def disable(self, signal = True):
475
oldstate = getattr(self, u"enabled", False)
476
r = Client.disable(self)
477
if signal and oldstate != self.enabled:
478
# Emit D-Bus signal
479
self.PropertyChanged(dbus.String(u"enabled"),
480
dbus.Boolean(False, variant_level=1))
481
return r
482
483
def __del__(self, *args, **kwargs):
484
try:
485
self.remove_from_connection()
486
except LookupError:
487
pass
488
if hasattr(dbus.service.Object, u"__del__"):
489
dbus.service.Object.__del__(self, *args, **kwargs)
490
Client.__del__(self, *args, **kwargs)
491
492
def checker_callback(self, pid, condition, command,
493
*args, **kwargs):
494
self.checker_callback_tag = None
495
self.checker = None
496
# Emit D-Bus signal
497
self.PropertyChanged(dbus.String(u"checker_running"),
498
dbus.Boolean(False, variant_level=1))
499
if os.WIFEXITED(condition):
500
exitstatus = os.WEXITSTATUS(condition)
501
# Emit D-Bus signal
502
self.CheckerCompleted(dbus.Int16(exitstatus),
503
dbus.Int64(condition),
504
dbus.String(command))
505
else:
506
# Emit D-Bus signal
507
self.CheckerCompleted(dbus.Int16(-1),
508
dbus.Int64(condition),
509
dbus.String(command))
510
511
return Client.checker_callback(self, pid, condition, command,
512
*args, **kwargs)
513
514
def checked_ok(self, *args, **kwargs):
515
r = Client.checked_ok(self, *args, **kwargs)
516
# Emit D-Bus signal
517
self.PropertyChanged(
518
dbus.String(u"last_checked_ok"),
519
(_datetime_to_dbus(self.last_checked_ok,
520
variant_level=1)))
521
return r
522
523
def start_checker(self, *args, **kwargs):
524
old_checker = self.checker
525
if self.checker is not None:
526
old_checker_pid = self.checker.pid
527
else:
528
old_checker_pid = None
529
r = Client.start_checker(self, *args, **kwargs)
530
# Only if new checker process was started
531
if (self.checker is not None
532
and old_checker_pid != self.checker.pid):
533
# Emit D-Bus signal
534
self.CheckerStarted(self.current_checker_command)
535
self.PropertyChanged(
536
dbus.String(u"checker_running"),
537
dbus.Boolean(True, variant_level=1))
538
return r
539
540
def stop_checker(self, *args, **kwargs):
541
old_checker = getattr(self, u"checker", None)
542
r = Client.stop_checker(self, *args, **kwargs)
543
if (old_checker is not None
544
and getattr(self, u"checker", None) is None):
545
self.PropertyChanged(dbus.String(u"checker_running"),
546
dbus.Boolean(False, variant_level=1))
547
return r
548
549
## D-Bus methods & signals
550
_interface = u"se.bsnet.fukt.Mandos.Client"
551
552
# CheckedOK - method
553
@dbus.service.method(_interface)
554
def CheckedOK(self):
555
return self.checked_ok()
556
557
# CheckerCompleted - signal
558
@dbus.service.signal(_interface, signature=u"nxs")
559
def CheckerCompleted(self, exitcode, waitstatus, command):
560
"D-Bus signal"
561
pass
562
563
# CheckerStarted - signal
564
@dbus.service.signal(_interface, signature=u"s")
565
def CheckerStarted(self, command):
566
"D-Bus signal"
567
pass
568
569
# GetAllProperties - method
570
@dbus.service.method(_interface, out_signature=u"a{sv}")
571
def GetAllProperties(self):
572
"D-Bus method"
573
return dbus.Dictionary({
574
dbus.String(u"name"):
575
dbus.String(self.name, variant_level=1),
576
dbus.String(u"fingerprint"):
577
dbus.String(self.fingerprint, variant_level=1),
578
dbus.String(u"host"):
579
dbus.String(self.host, variant_level=1),
580
dbus.String(u"created"):
581
_datetime_to_dbus(self.created, variant_level=1),
582
dbus.String(u"last_enabled"):
583
(_datetime_to_dbus(self.last_enabled,
584
variant_level=1)
585
if self.last_enabled is not None
586
else dbus.Boolean(False, variant_level=1)),
587
dbus.String(u"enabled"):
588
dbus.Boolean(self.enabled, variant_level=1),
589
dbus.String(u"last_checked_ok"):
590
(_datetime_to_dbus(self.last_checked_ok,
591
variant_level=1)
592
if self.last_checked_ok is not None
593
else dbus.Boolean (False, variant_level=1)),
594
dbus.String(u"timeout"):
595
dbus.UInt64(self.timeout_milliseconds(),
596
variant_level=1),
597
dbus.String(u"interval"):
598
dbus.UInt64(self.interval_milliseconds(),
599
variant_level=1),
600
dbus.String(u"checker"):
601
dbus.String(self.checker_command,
602
variant_level=1),
603
dbus.String(u"checker_running"):
604
dbus.Boolean(self.checker is not None,
605
variant_level=1),
606
dbus.String(u"object_path"):
607
dbus.ObjectPath(self.dbus_object_path,
608
variant_level=1)
609
}, signature=u"sv")
610
611
# IsStillValid - method
612
@dbus.service.method(_interface, out_signature=u"b")
613
def IsStillValid(self):
614
return self.still_valid()
615
616
# PropertyChanged - signal
617
@dbus.service.signal(_interface, signature=u"sv")
618
def PropertyChanged(self, property, value):
619
"D-Bus signal"
620
pass
621
622
# ReceivedSecret - signal
623
@dbus.service.signal(_interface)
624
def ReceivedSecret(self):
625
"D-Bus signal"
626
pass
627
628
# Rejected - signal
629
@dbus.service.signal(_interface)
630
def Rejected(self):
631
"D-Bus signal"
632
pass
633
634
# SetChecker - method
635
@dbus.service.method(_interface, in_signature=u"s")
636
def SetChecker(self, checker):
637
"D-Bus setter method"
638
self.checker_command = checker
639
# Emit D-Bus signal
640
self.PropertyChanged(dbus.String(u"checker"),
641
dbus.String(self.checker_command,
642
variant_level=1))
643
644
# SetHost - method
645
@dbus.service.method(_interface, in_signature=u"s")
646
def SetHost(self, host):
647
"D-Bus setter method"
648
self.host = host
649
# Emit D-Bus signal
650
self.PropertyChanged(dbus.String(u"host"),
651
dbus.String(self.host, variant_level=1))
652
653
# SetInterval - method
654
@dbus.service.method(_interface, in_signature=u"t")
655
def SetInterval(self, milliseconds):
656
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
657
# Emit D-Bus signal
658
self.PropertyChanged(dbus.String(u"interval"),
659
(dbus.UInt64(self.interval_milliseconds(),
660
variant_level=1)))
661
662
# SetSecret - method
663
@dbus.service.method(_interface, in_signature=u"ay",
664
byte_arrays=True)
665
def SetSecret(self, secret):
666
"D-Bus setter method"
667
self.secret = str(secret)
668
669
# SetTimeout - method
670
@dbus.service.method(_interface, in_signature=u"t")
671
def SetTimeout(self, milliseconds):
672
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
673
# Emit D-Bus signal
674
self.PropertyChanged(dbus.String(u"timeout"),
675
(dbus.UInt64(self.timeout_milliseconds(),
676
variant_level=1)))
677
678
# Enable - method
679
@dbus.service.method(_interface)
680
def Enable(self):
681
"D-Bus method"
682
self.enable()
683
684
# StartChecker - method
685
@dbus.service.method(_interface)
686
def StartChecker(self):
687
"D-Bus method"
688
self.start_checker()
689
690
# Disable - method
691
@dbus.service.method(_interface)
692
def Disable(self):
693
"D-Bus method"
694
self.disable()
695
696
# StopChecker - method
697
@dbus.service.method(_interface)
698
def StopChecker(self):
699
self.stop_checker()
700
701
del _interface
702
703
704
class ClientHandler(socketserver.BaseRequestHandler, object):
705
"""A class to handle client connections.
706
707
Instantiated once for each connection to handle it.
442
708
Note: This will run in its own forked process."""
443
709
444
710
def handle(self):
445
711
logger.info(u"TCP connection from: %s",
446
unicode(self.client_address))
447
session = gnutls.connection.ClientSession\
448
(self.request, gnutls.connection.X509Credentials())
449
450
line = self.request.makefile().readline()
451
logger.debug(u"Protocol version: %r", line)
452
try:
453
if int(line.strip().split()[0]) > 1:
454
raise RuntimeError
455
except (ValueError, IndexError, RuntimeError), error:
456
logger.error(u"Unknown protocol version: %s", error)
457
return
458
459
# Note: gnutls.connection.X509Credentials is really a generic
460
# GnuTLS certificate credentials object so long as no X.509
461
# keys are added to it. Therefore, we can use it here despite
462
# using OpenPGP certificates.
463
464
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
465
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
466
# "+DHE-DSS"))
467
priority = "NORMAL" # Fallback default, since this
468
# MUST be set.
469
if self.server.settings["priority"]:
470
priority = self.server.settings["priority"]
471
gnutls.library.functions.gnutls_priority_set_direct\
472
(session._c_object, priority, None);
473
474
try:
475
session.handshake()
476
except gnutls.errors.GNUTLSError, error:
477
logger.warning(u"Handshake failed: %s", error)
478
# Do not run session.bye() here: the session is not
479
# established. Just abandon the request.
480
return
481
try:
482
fpr = fingerprint(peer_certificate(session))
483
except (TypeError, gnutls.errors.GNUTLSError), error:
484
logger.warning(u"Bad certificate: %s", error)
485
session.bye()
486
return
487
logger.debug(u"Fingerprint: %s", fpr)
488
client = None
489
for c in self.server.clients:
490
if c.fingerprint == fpr:
491
client = c
492
break
493
if not client:
494
logger.warning(u"Client not found for fingerprint: %s",
495
fpr)
496
session.bye()
497
return
498
# Have to check if client.still_valid(), since it is possible
499
# that the client timed out while establishing the GnuTLS
500
# session.
501
if not client.still_valid():
502
logger.warning(u"Client %(name)s is invalid",
503
vars(client))
504
session.bye()
505
return
506
sent_size = 0
507
while sent_size < len(client.secret):
508
sent = session.send(client.secret[sent_size:])
509
logger.debug(u"Sent: %d, remaining: %d",
510
sent, len(client.secret)
511
- (sent_size + sent))
512
sent_size += sent
513
session.bye()
514
515
516
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
517
"""IPv6 TCP server. Accepts 'None' as address and/or port.
712
unicode(self.client_address))
713
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
714
# Open IPC pipe to parent process
715
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
716
session = (gnutls.connection
717
.ClientSession(self.request,
718
gnutls.connection
719
.X509Credentials()))
720
721
line = self.request.makefile().readline()
722
logger.debug(u"Protocol version: %r", line)
723
try:
724
if int(line.strip().split()[0]) > 1:
725
raise RuntimeError
726
except (ValueError, IndexError, RuntimeError), error:
727
logger.error(u"Unknown protocol version: %s", error)
728
return
729
730
# Note: gnutls.connection.X509Credentials is really a
731
# generic GnuTLS certificate credentials object so long as
732
# no X.509 keys are added to it. Therefore, we can use it
733
# here despite using OpenPGP certificates.
734
735
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
736
# u"+AES-256-CBC", u"+SHA1",
737
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
738
# u"+DHE-DSS"))
739
# Use a fallback default, since this MUST be set.
740
priority = self.server.gnutls_priority
741
if priority is None:
742
priority = u"NORMAL"
743
(gnutls.library.functions
744
.gnutls_priority_set_direct(session._c_object,
745
priority, None))
746
747
try:
748
session.handshake()
749
except gnutls.errors.GNUTLSError, error:
750
logger.warning(u"Handshake failed: %s", error)
751
# Do not run session.bye() here: the session is not
752
# established. Just abandon the request.
753
return
754
logger.debug(u"Handshake succeeded")
755
try:
756
fpr = self.fingerprint(self.peer_certificate(session))
757
except (TypeError, gnutls.errors.GNUTLSError), error:
758
logger.warning(u"Bad certificate: %s", error)
759
session.bye()
760
return
761
logger.debug(u"Fingerprint: %s", fpr)
762
763
for c in self.server.clients:
764
if c.fingerprint == fpr:
765
client = c
766
break
767
else:
768
ipc.write(u"NOTFOUND %s\n" % fpr)
769
session.bye()
770
return
771
# Have to check if client.still_valid(), since it is
772
# possible that the client timed out while establishing
773
# the GnuTLS session.
774
if not client.still_valid():
775
ipc.write(u"INVALID %s\n" % client.name)
776
session.bye()
777
return
778
ipc.write(u"SENDING %s\n" % client.name)
779
sent_size = 0
780
while sent_size < len(client.secret):
781
sent = session.send(client.secret[sent_size:])
782
logger.debug(u"Sent: %d, remaining: %d",
783
sent, len(client.secret)
784
- (sent_size + sent))
785
sent_size += sent
786
session.bye()
787
788
@staticmethod
789
def peer_certificate(session):
790
"Return the peer's OpenPGP certificate as a bytestring"
791
# If not an OpenPGP certificate...
792
if (gnutls.library.functions
793
.gnutls_certificate_type_get(session._c_object)
794
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
795
# ...do the normal thing
796
return session.peer_certificate
797
list_size = ctypes.c_uint(1)
798
cert_list = (gnutls.library.functions
799
.gnutls_certificate_get_peers
800
(session._c_object, ctypes.byref(list_size)))
801
if not bool(cert_list) and list_size.value != 0:
802
raise gnutls.errors.GNUTLSError(u"error getting peer"
803
u" certificate")
804
if list_size.value == 0:
805
return None
806
cert = cert_list[0]
807
return ctypes.string_at(cert.data, cert.size)
808
809
@staticmethod
810
def fingerprint(openpgp):
811
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
812
# New GnuTLS "datum" with the OpenPGP public key
813
datum = (gnutls.library.types
814
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
815
ctypes.POINTER
816
(ctypes.c_ubyte)),
817
ctypes.c_uint(len(openpgp))))
818
# New empty GnuTLS certificate
819
crt = gnutls.library.types.gnutls_openpgp_crt_t()
820
(gnutls.library.functions
821
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
822
# Import the OpenPGP public key into the certificate
823
(gnutls.library.functions
824
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
825
gnutls.library.constants
826
.GNUTLS_OPENPGP_FMT_RAW))
827
# Verify the self signature in the key
828
crtverify = ctypes.c_uint()
829
(gnutls.library.functions
830
.gnutls_openpgp_crt_verify_self(crt, 0,
831
ctypes.byref(crtverify)))
832
if crtverify.value != 0:
833
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
834
raise (gnutls.errors.CertificateSecurityError
835
(u"Verify failed"))
836
# New buffer for the fingerprint
837
buf = ctypes.create_string_buffer(20)
838
buf_len = ctypes.c_size_t()
839
# Get the fingerprint from the certificate into the buffer
840
(gnutls.library.functions
841
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
842
ctypes.byref(buf_len)))
843
# Deinit the certificate
844
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
845
# Convert the buffer to a Python bytestring
846
fpr = ctypes.string_at(buf, buf_len.value)
847
# Convert the bytestring to hexadecimal notation
848
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
849
return hex_fpr
850
851
852
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
853
"""Like socketserver.ForkingMixIn, but also pass a pipe.
854
855
Assumes a gobject.MainLoop event loop.
856
"""
857
def process_request(self, request, client_address):
858
"""Overrides and wraps the original process_request().
859
860
This function creates a new pipe in self.pipe
861
"""
862
self.pipe = os.pipe()
863
super(ForkingMixInWithPipe,
864
self).process_request(request, client_address)
865
os.close(self.pipe[1]) # close write end
866
# Call "handle_ipc" for both data and EOF events
867
gobject.io_add_watch(self.pipe[0],
868
gobject.IO_IN | gobject.IO_HUP,
869
self.handle_ipc)
870
def handle_ipc(source, condition):
871
"""Dummy function; override as necessary"""
872
os.close(source)
873
return False
874
875
876
class IPv6_TCPServer(ForkingMixInWithPipe,
877
socketserver.TCPServer, object):
878
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
879
518
880
Attributes:
519
settings: Server settings
520
clients: Set() of Client objects
521
881
enabled: Boolean; whether this server is activated yet
882
interface: None or a network interface name (string)
883
use_ipv6: Boolean; to use IPv6 or not
884
----
885
clients: set of Client objects
886
gnutls_priority GnuTLS priority string
887
use_dbus: Boolean; to emit D-Bus signals or not
522
888
"""
523
address_family = socket.AF_INET6
524
def __init__(self, *args, **kwargs):
525
if "settings" in kwargs:
526
self.settings = kwargs["settings"]
527
del kwargs["settings"]
528
if "clients" in kwargs:
529
self.clients = kwargs["clients"]
530
del kwargs["clients"]
889
def __init__(self, server_address, RequestHandlerClass,
890
interface=None, use_ipv6=True, clients=None,
891
gnutls_priority=None, use_dbus=True):
531
892
self.enabled = False
532
return super(type(self), self).__init__(*args, **kwargs)
893
self.interface = interface
894
if use_ipv6:
895
self.address_family = socket.AF_INET6
896
self.clients = clients
897
self.use_dbus = use_dbus
898
self.gnutls_priority = gnutls_priority
899
socketserver.TCPServer.__init__(self, server_address,
900
RequestHandlerClass)
533
901
def server_bind(self):
534
902
"""This overrides the normal server_bind() function
535
903
to bind to an interface if one was specified, and also NOT to
536
904
bind to an address or port if they were not specified."""
537
if self.settings["interface"]:
538
# 25 is from /usr/include/asm-i486/socket.h
539
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
905
if self.interface is not None:
540
906
try:
541
907
self.socket.setsockopt(socket.SOL_SOCKET,
542
908
SO_BINDTODEVICE,
543
self.settings["interface"])
909
str(self.interface + u'\0'))
544
910
except socket.error, error:
545
911
if error[0] == errno.EPERM:
546
912
logger.error(u"No permission to"
547
913
u" bind to interface %s",
548
self.settings["interface"])
914
self.interface)
549
915
else:
550
raise error
916
raise
551
917
# Only bind(2) the socket if we really need to.
552
918
if self.server_address[0] or self.server_address[1]:
553
919
if not self.server_address[0]:
554
in6addr_any = "::"
555
self.server_address = (in6addr_any,
920
if self.address_family == socket.AF_INET6:
921
any_address = u"::" # in6addr_any
922
else:
923
any_address = socket.INADDR_ANY
924
self.server_address = (any_address,
556
925
self.server_address[1])
557
926
elif not self.server_address[1]:
558
927
self.server_address = (self.server_address[0],
559
928
0)
560
# if self.settings["interface"]:
929
# if self.interface:
561
930
# self.server_address = (self.server_address[0],
562
931
# 0, # port
563
932
# 0, # flowinfo
564
933
# if_nametoindex
565
# (self.settings
566
# ["interface"]))
567
return super(type(self), self).server_bind()
934
# (self.interface))
935
return socketserver.TCPServer.server_bind(self)
568
936
def server_activate(self):
569
937
if self.enabled:
570
return super(type(self), self).server_activate()
938
return socketserver.TCPServer.server_activate(self)
571
939
def enable(self):
572
940
self.enabled = True
941
def handle_ipc(self, source, condition, file_objects={}):
942
condition_names = {
943
gobject.IO_IN: u"IN", # There is data to read.
944
gobject.IO_OUT: u"OUT", # Data can be written (without
945
# blocking).
946
gobject.IO_PRI: u"PRI", # There is urgent data to read.
947
gobject.IO_ERR: u"ERR", # Error condition.
948
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
949
# broken, usually for pipes and
950
# sockets).
951
}
952
conditions_string = ' | '.join(name
953
for cond, name in
954
condition_names.iteritems()
955
if cond & condition)
956
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
957
conditions_string)
958
959
# Turn the pipe file descriptor into a Python file object
960
if source not in file_objects:
961
file_objects[source] = os.fdopen(source, u"r", 1)
962
963
# Read a line from the file object
964
cmdline = file_objects[source].readline()
965
if not cmdline: # Empty line means end of file
966
# close the IPC pipe
967
file_objects[source].close()
968
del file_objects[source]
969
970
# Stop calling this function
971
return False
972
973
logger.debug(u"IPC command: %r", cmdline)
974
975
# Parse and act on command
976
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
977
978
if cmd == u"NOTFOUND":
979
logger.warning(u"Client not found for fingerprint: %s",
980
args)
981
if self.use_dbus:
982
# Emit D-Bus signal
983
mandos_dbus_service.ClientNotFound(args)
984
elif cmd == u"INVALID":
985
for client in self.clients:
986
if client.name == args:
987
logger.warning(u"Client %s is invalid", args)
988
if self.use_dbus:
989
# Emit D-Bus signal
990
client.Rejected()
991
break
992
else:
993
logger.error(u"Unknown client %s is invalid", args)
994
elif cmd == u"SENDING":
995
for client in self.clients:
996
if client.name == args:
997
logger.info(u"Sending secret to %s", client.name)
998
client.checked_ok()
999
if self.use_dbus:
1000
# Emit D-Bus signal
1001
client.ReceivedSecret()
1002
break
1003
else:
1004
logger.error(u"Sending secret to unknown client %s",
1005
args)
1006
else:
1007
logger.error(u"Unknown IPC command: %r", cmdline)
1008
1009
# Keep calling this function
1010
return True
573
1011
574
1012
575
1013
def string_to_delta(interval):
576
1014
"""Parse a string and return a datetime.timedelta
577
578
>>> string_to_delta('7d')
1015
1016
>>> string_to_delta(u'7d')
579
1017
datetime.timedelta(7)
580
>>> string_to_delta('60s')
1018
>>> string_to_delta(u'60s')
581
1019
datetime.timedelta(0, 60)
582
>>> string_to_delta('60m')
1020
>>> string_to_delta(u'60m')
583
1021
datetime.timedelta(0, 3600)
584
>>> string_to_delta('24h')
1022
>>> string_to_delta(u'24h')
585
1023
datetime.timedelta(1)
586
1024
>>> string_to_delta(u'1w')
587
1025
datetime.timedelta(7)
588
>>> string_to_delta('5m 30s')
1026
>>> string_to_delta(u'5m 30s')
589
1027
datetime.timedelta(0, 330)
590
1028
"""
591
1029
timevalue = datetime.timedelta(0)
592
1030
for s in interval.split():
593
1031
try:
594
suffix=unicode(s[-1])
595
value=int(s[:-1])
1032
suffix = unicode(s[-1])
1033
value = int(s[:-1])
596
1034
if suffix == u"d":
597
1035
delta = datetime.timedelta(value)
598
1036
elif suffix == u"s":
632
1070
elif state == avahi.ENTRY_GROUP_FAILURE:
633
1071
logger.critical(u"Avahi: Error in group state changed %s",
634
1072
unicode(error))
635
raise AvahiGroupError("State changed: %s", str(error))
1073
raise AvahiGroupError(u"State changed: %s" % unicode(error))
636
1074
637
1075
def if_nametoindex(interface):
638
"""Call the C function if_nametoindex(), or equivalent"""
1076
"""Call the C function if_nametoindex(), or equivalent
1077
1078
Note: This function cannot accept a unicode string."""
639
1079
global if_nametoindex
640
1080
try:
641
if "ctypes.util" not in sys.modules:
642
import ctypes.util
643
if_nametoindex = ctypes.cdll.LoadLibrary\
644
(ctypes.util.find_library("c")).if_nametoindex
1081
if_nametoindex = (ctypes.cdll.LoadLibrary
1082
(ctypes.util.find_library(u"c"))
1083
.if_nametoindex)
645
1084
except (OSError, AttributeError):
646
if "struct" not in sys.modules:
647
import struct
648
if "fcntl" not in sys.modules:
649
import fcntl
1085
logger.warning(u"Doing if_nametoindex the hard way")
650
1086
def if_nametoindex(interface):
651
1087
"Get an interface index the hard way, i.e. using fcntl()"
652
1088
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
653
s = socket.socket()
654
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
655
struct.pack("16s16x", interface))
656
s.close()
657
interface_index = struct.unpack("I", ifreq[16:20])[0]
1089
with closing(socket.socket()) as s:
1090
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1091
struct.pack(str(u"16s16x"),
1092
interface))
1093
interface_index = struct.unpack(str(u"I"),
1094
ifreq[16:20])[0]
658
1095
return interface_index
659
1096
return if_nametoindex(interface)
660
1097
661
1098
662
1099
def daemon(nochdir = False, noclose = False):
663
1100
"""See daemon(3). Standard BSD Unix function.
1101
664
1102
This should really exist as os.daemon, but it doesn't (yet)."""
665
1103
if os.fork():
666
1104
sys.exit()
667
1105
os.setsid()
668
1106
if not nochdir:
669
os.chdir("/")
1107
os.chdir(u"/")
670
1108
if os.fork():
671
1109
sys.exit()
672
1110
if not noclose:
674
1112
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
675
1113
if not stat.S_ISCHR(os.fstat(null).st_mode):
676
1114
raise OSError(errno.ENODEV,
677
"/dev/null not a character device")
1115
u"/dev/null not a character device")
678
1116
os.dup2(null, sys.stdin.fileno())
679
1117
os.dup2(null, sys.stdout.fileno())
680
1118
os.dup2(null, sys.stderr.fileno())
683
1121
684
1122
685
1123
def main():
686
global main_loop_started
687
main_loop_started = False
688
689
parser = OptionParser(version = "%%prog %s" % version)
690
parser.add_option("-i", "--interface", type="string",
691
metavar="IF", help="Bind to interface IF")
692
parser.add_option("-a", "--address", type="string",
693
help="Address to listen for requests on")
694
parser.add_option("-p", "--port", type="int",
695
help="Port number to receive requests on")
696
parser.add_option("--check", action="store_true", default=False,
697
help="Run self-test")
698
parser.add_option("--debug", action="store_true",
699
help="Debug mode; run in foreground and log to"
700
" terminal")
701
parser.add_option("--priority", type="string", help="GnuTLS"
702
" priority string (see GnuTLS documentation)")
703
parser.add_option("--servicename", type="string", metavar="NAME",
704
help="Zeroconf service name")
705
parser.add_option("--configdir", type="string",
706
default="/etc/mandos", metavar="DIR",
707
help="Directory to search for configuration"
708
" files")
709
(options, args) = parser.parse_args()
1124
1125
######################################################################
1126
# Parsing of options, both command line and config file
1127
1128
parser = optparse.OptionParser(version = "%%prog %s" % version)
1129
parser.add_option("-i", u"--interface", type=u"string",
1130
metavar="IF", help=u"Bind to interface IF")
1131
parser.add_option("-a", u"--address", type=u"string",
1132
help=u"Address to listen for requests on")
1133
parser.add_option("-p", u"--port", type=u"int",
1134
help=u"Port number to receive requests on")
1135
parser.add_option("--check", action=u"store_true",
1136
help=u"Run self-test")
1137
parser.add_option("--debug", action=u"store_true",
1138
help=u"Debug mode; run in foreground and log to"
1139
u" terminal")
1140
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1141
u" priority string (see GnuTLS documentation)")
1142
parser.add_option("--servicename", type=u"string",
1143
metavar=u"NAME", help=u"Zeroconf service name")
1144
parser.add_option("--configdir", type=u"string",
1145
default=u"/etc/mandos", metavar=u"DIR",
1146
help=u"Directory to search for configuration"
1147
u" files")
1148
parser.add_option("--no-dbus", action=u"store_false",
1149
dest=u"use_dbus", help=u"Do not provide D-Bus"
1150
u" system bus interface")
1151
parser.add_option("--no-ipv6", action=u"store_false",
1152
dest=u"use_ipv6", help=u"Do not use IPv6")
1153
options = parser.parse_args()[0]
710
1154
711
1155
if options.check:
712
1156
import doctest
714
1158
sys.exit()
715
1159
716
1160
# Default values for config file for server-global settings
717
server_defaults = { "interface": "",
718
"address": "",
719
"port": "",
720
"debug": "False",
721
"priority":
722
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
723
"servicename": "Mandos",
1161
server_defaults = { u"interface": u"",
1162
u"address": u"",
1163
u"port": u"",
1164
u"debug": u"False",
1165
u"priority":
1166
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1167
u"servicename": u"Mandos",
1168
u"use_dbus": u"True",
1169
u"use_ipv6": u"True",
724
1170
}
725
1171
726
1172
# Parse config file for server-global settings
727
server_config = ConfigParser.SafeConfigParser(server_defaults)
1173
server_config = configparser.SafeConfigParser(server_defaults)
728
1174
del server_defaults
729
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1175
server_config.read(os.path.join(options.configdir,
1176
u"mandos.conf"))
730
1177
# Convert the SafeConfigParser object to a dict
731
1178
server_settings = server_config.defaults()
732
# Use getboolean on the boolean config option
733
server_settings["debug"] = server_config.getboolean\
734
("DEFAULT", "debug")
1179
# Use the appropriate methods on the non-string config options
1180
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1181
server_settings[option] = server_config.getboolean(u"DEFAULT",
1182
option)
1183
if server_settings["port"]:
1184
server_settings["port"] = server_config.getint(u"DEFAULT",
1185
u"port")
735
1186
del server_config
736
1187
737
1188
# Override the settings from the config file with command line
738
1189
# options, if set.
739
for option in ("interface", "address", "port", "debug",
740
"priority", "servicename", "configdir"):
1190
for option in (u"interface", u"address", u"port", u"debug",
1191
u"priority", u"servicename", u"configdir",
1192
u"use_dbus", u"use_ipv6"):
741
1193
value = getattr(options, option)
742
1194
if value is not None:
743
1195
server_settings[option] = value
744
1196
del options
1197
# Force all strings to be unicode
1198
for option in server_settings.keys():
1199
if type(server_settings[option]) is str:
1200
server_settings[option] = unicode(server_settings[option])
745
1201
# Now we have our good server settings in "server_settings"
746
1202
747
debug = server_settings["debug"]
1203
##################################################################
1204
1205
# For convenience
1206
debug = server_settings[u"debug"]
1207
use_dbus = server_settings[u"use_dbus"]
1208
use_ipv6 = server_settings[u"use_ipv6"]
748
1209
749
1210
if not debug:
750
1211
syslogger.setLevel(logging.WARNING)
751
1212
console.setLevel(logging.WARNING)
752
1213
753
if server_settings["servicename"] != "Mandos":
754
syslogger.setFormatter(logging.Formatter\
755
('Mandos (%s): %%(levelname)s:'
756
' %%(message)s'
757
% server_settings["servicename"]))
1214
if server_settings[u"servicename"] != u"Mandos":
1215
syslogger.setFormatter(logging.Formatter
1216
(u'Mandos (%s) [%%(process)d]:'
1217
u' %%(levelname)s: %%(message)s'
1218
% server_settings[u"servicename"]))
758
1219
759
1220
# Parse config file with clients
760
client_defaults = { "timeout": "1h",
761
"interval": "5m",
762
"checker": "fping -q -- %(host)s",
763
"host": "",
1221
client_defaults = { u"timeout": u"1h",
1222
u"interval": u"5m",
1223
u"checker": u"fping -q -- %%(host)s",
1224
u"host": u"",
764
1225
}
765
client_config = ConfigParser.SafeConfigParser(client_defaults)
766
client_config.read(os.path.join(server_settings["configdir"],
767
"clients.conf"))
768
769
clients = Set()
770
tcp_server = IPv6_TCPServer((server_settings["address"],
771
server_settings["port"]),
772
tcp_handler,
773
settings=server_settings,
774
clients=clients)
775
pidfilename = "/var/run/mandos.pid"
776
try:
777
pidfile = open(pidfilename, "w")
778
except IOError, error:
779
logger.error("Could not open file %r", pidfilename)
780
781
uid = 65534
782
gid = 65534
783
try:
784
uid = pwd.getpwnam("mandos").pw_uid
785
except KeyError:
786
try:
787
uid = pwd.getpwnam("nobody").pw_uid
788
except KeyError:
789
pass
790
try:
791
gid = pwd.getpwnam("mandos").pw_gid
792
except KeyError:
793
try:
794
gid = pwd.getpwnam("nogroup").pw_gid
795
except KeyError:
796
pass
797
try:
1226
client_config = configparser.SafeConfigParser(client_defaults)
1227
client_config.read(os.path.join(server_settings[u"configdir"],
1228
u"clients.conf"))
1229
1230
global mandos_dbus_service
1231
mandos_dbus_service = None
1232
1233
clients = set()
1234
tcp_server = IPv6_TCPServer((server_settings[u"address"],
1235
server_settings[u"port"]),
1236
ClientHandler,
1237
interface=
1238
server_settings[u"interface"],
1239
use_ipv6=use_ipv6,
1240
clients=clients,
1241
gnutls_priority=
1242
server_settings[u"priority"],
1243
use_dbus=use_dbus)
1244
pidfilename = u"/var/run/mandos.pid"
1245
try:
1246
pidfile = open(pidfilename, u"w")
1247
except IOError:
1248
logger.error(u"Could not open file %r", pidfilename)
1249
1250
try:
1251
uid = pwd.getpwnam(u"_mandos").pw_uid
1252
gid = pwd.getpwnam(u"_mandos").pw_gid
1253
except KeyError:
1254
try:
1255
uid = pwd.getpwnam(u"mandos").pw_uid
1256
gid = pwd.getpwnam(u"mandos").pw_gid
1257
except KeyError:
1258
try:
1259
uid = pwd.getpwnam(u"nobody").pw_uid
1260
gid = pwd.getpwnam(u"nobody").pw_gid
1261
except KeyError:
1262
uid = 65534
1263
gid = 65534
1264
try:
1265
os.setgid(gid)
798
1266
os.setuid(uid)
799
os.setgid(gid)
800
1267
except OSError, error:
801
1268
if error[0] != errno.EPERM:
802
1269
raise error
803
1270
1271
# Enable all possible GnuTLS debugging
1272
if debug:
1273
# "Use a log level over 10 to enable all debugging options."
1274
# - GnuTLS manual
1275
gnutls.library.functions.gnutls_global_set_log_level(11)
1276
1277
@gnutls.library.types.gnutls_log_func
1278
def debug_gnutls(level, string):
1279
logger.debug(u"GnuTLS: %s", string[:-1])
1280
1281
(gnutls.library.functions
1282
.gnutls_global_set_log_function(debug_gnutls))
1283
804
1284
global service
805
service = AvahiService(name = server_settings["servicename"],
806
type = "_mandos._tcp", );
1285
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1286
service = AvahiService(name = server_settings[u"servicename"],
1287
servicetype = u"_mandos._tcp",
1288
protocol = protocol)
807
1289
if server_settings["interface"]:
808
service.interface = if_nametoindex\
809
(server_settings["interface"])
1290
service.interface = (if_nametoindex
1291
(str(server_settings[u"interface"])))
810
1292
811
1293
global main_loop
812
1294
global bus
819
1301
avahi.DBUS_PATH_SERVER),
820
1302
avahi.DBUS_INTERFACE_SERVER)
821
1303
# End of Avahi example code
822
823
def remove_from_clients(client):
824
clients.remove(client)
825
if not clients:
826
logger.critical(u"No clients left, exiting")
827
sys.exit()
828
829
clients.update(Set(Client(name = section,
830
stop_hook = remove_from_clients,
831
config
832
= dict(client_config.items(section)))
833
for section in client_config.sections()))
1304
if use_dbus:
1305
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1306
1307
client_class = Client
1308
if use_dbus:
1309
client_class = ClientDBus
1310
clients.update(set(
1311
client_class(name = section,
1312
config= dict(client_config.items(section)))
1313
for section in client_config.sections()))
834
1314
if not clients:
835
logger.critical(u"No clients defined")
836
sys.exit(1)
1315
logger.warning(u"No clients defined")
837
1316
838
1317
if debug:
839
1318
# Redirect stdin so all checkers get /dev/null
848
1327
daemon()
849
1328
850
1329
try:
851
pid = os.getpid()
852
pidfile.write(str(pid) + "\n")
853
pidfile.close()
1330
with closing(pidfile):
1331
pid = os.getpid()
1332
pidfile.write(str(pid) + "\n")
854
1333
del pidfile
855
except IOError, err:
1334
except IOError:
856
1335
logger.error(u"Could not write to file %r with PID %d",
857
1336
pidfilename, pid)
858
1337
except NameError:
871
1350
872
1351
while clients:
873
1352
client = clients.pop()
874
client.stop_hook = None
875
client.stop()
1353
client.disable_hook = None
1354
client.disable()
876
1355
877
1356
atexit.register(cleanup)
878
1357
881
1360
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
882
1361
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
883
1362
1363
if use_dbus:
1364
class MandosDBusService(dbus.service.Object):
1365
"""A D-Bus proxy object"""
1366
def __init__(self):
1367
dbus.service.Object.__init__(self, bus, u"/")
1368
_interface = u"se.bsnet.fukt.Mandos"
1369
1370
@dbus.service.signal(_interface, signature=u"oa{sv}")
1371
def ClientAdded(self, objpath, properties):
1372
"D-Bus signal"
1373
pass
1374
1375
@dbus.service.signal(_interface, signature=u"s")
1376
def ClientNotFound(self, fingerprint):
1377
"D-Bus signal"
1378
pass
1379
1380
@dbus.service.signal(_interface, signature=u"os")
1381
def ClientRemoved(self, objpath, name):
1382
"D-Bus signal"
1383
pass
1384
1385
@dbus.service.method(_interface, out_signature=u"ao")
1386
def GetAllClients(self):
1387
"D-Bus method"
1388
return dbus.Array(c.dbus_object_path for c in clients)
1389
1390
@dbus.service.method(_interface,
1391
out_signature=u"a{oa{sv}}")
1392
def GetAllClientsWithProperties(self):
1393
"D-Bus method"
1394
return dbus.Dictionary(
1395
((c.dbus_object_path, c.GetAllProperties())
1396
for c in clients),
1397
signature=u"oa{sv}")
1398
1399
@dbus.service.method(_interface, in_signature=u"o")
1400
def RemoveClient(self, object_path):
1401
"D-Bus method"
1402
for c in clients:
1403
if c.dbus_object_path == object_path:
1404
clients.remove(c)
1405
c.remove_from_connection()
1406
# Don't signal anything except ClientRemoved
1407
c.disable(signal=False)
1408
# Emit D-Bus signal
1409
self.ClientRemoved(object_path, c.name)
1410
return
1411
raise KeyError
1412
1413
del _interface
1414
1415
mandos_dbus_service = MandosDBusService()
1416
884
1417
for client in clients:
885
client.start()
1418
if use_dbus:
1419
# Emit D-Bus signal
1420
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1421
client.GetAllProperties())
1422
client.enable()
886
1423
887
1424
tcp_server.enable()
888
1425
tcp_server.server_activate()
889
1426
890
1427
# Find out what port we got
891
1428
service.port = tcp_server.socket.getsockname()[1]
892
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
893
u" scope_id %d" % tcp_server.socket.getsockname())
1429
if use_ipv6:
1430
logger.info(u"Now listening on address %r, port %d,"
1431
" flowinfo %d, scope_id %d"
1432
% tcp_server.socket.getsockname())
1433
else: # IPv4
1434
logger.info(u"Now listening on address %r, port %d"
1435
% tcp_server.socket.getsockname())
894
1436
895
1437
#service.interface = tcp_server.socket.getsockname()[3]
896
1438
897
1439
try:
898
1440
# From the Avahi example code
899
server.connect_to_signal("StateChanged", server_state_changed)
1441
server.connect_to_signal(u"StateChanged", server_state_changed)
900
1442
try:
901
1443
server_state_changed(server.GetState())
902
1444
except dbus.exceptions.DBusException, error:
906
1448
907
1449
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
908
1450
lambda *args, **kwargs:
909
tcp_server.handle_request\
910
(*args[2:], **kwargs) or True)
1451
(tcp_server.handle_request
1452
(*args[2:], **kwargs) or True))
911
1453
912
1454
logger.debug(u"Starting main loop")
913
main_loop_started = True
914
1455
main_loop.run()
915
1456
except AvahiError, error:
916
logger.critical(u"AvahiError: %s" + unicode(error))
1457
logger.critical(u"AvahiError: %s", error)
917
1458
sys.exit(1)
918
1459
except KeyboardInterrupt:
919
1460
if debug:
920
print
1461
print >> sys.stderr
1462
logger.debug(u"Server received KeyboardInterrupt")
1463
logger.debug(u"Server exiting")
921
1464
922
1465
if __name__ == '__main__':
923
1466
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0