To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 335
- compare with another revision
- download diff
- download tarball
- view history from revision 335
- Committer: Teddy Hogeborn
- Date: 2009-04-16 06:47:28 UTC
- Revision ID: teddy@fukt.bsnet.se-20090416064728-c3d36mvgxo5q9aoh
* mandos: Import "SocketServer" as "socketserver" and "ConfigParser"
as "configparser". All users changed.
as "configparser". All users changed.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- network-protocol.txt
- files renamed:
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- Makefile
added
removed
mandos
11
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
15
16
#
16
17
# This program is free software: you can redistribute it and/or modify
17
18
# it under the terms of the GNU General Public License as published by
24
25
# GNU General Public License for more details.
25
26
#
26
27
# You should have received a copy of the GNU General Public License
27
# along with this program. If not, see <http://www.gnu.org/licenses/>.
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
28
30
#
29
31
# Contact the authors at <mandos@fukt.bsnet.se>.
30
32
#
31
33
32
from __future__ import division
34
from __future__ import division, with_statement, absolute_import
33
35
34
import SocketServer
36
import SocketServer as socketserver
35
37
import socket
36
import select
37
from optparse import OptionParser
38
import optparse
38
39
import datetime
39
40
import errno
40
41
import gnutls.crypto
43
44
import gnutls.library.functions
44
45
import gnutls.library.constants
45
46
import gnutls.library.types
46
import ConfigParser
47
import ConfigParser as configparser
47
48
import sys
48
49
import re
49
50
import os
50
51
import signal
51
from sets import Set
52
52
import subprocess
53
53
import atexit
54
54
import stat
55
55
import logging
56
56
import logging.handlers
57
import pwd
58
from contextlib import closing
59
import struct
60
import fcntl
57
61
58
62
import dbus
63
import dbus.service
59
64
import gobject
60
65
import avahi
61
66
from dbus.mainloop.glib import DBusGMainLoop
62
67
import ctypes
63
64
version = "1.0"
65
66
logger = logging.Logger('mandos')
67
syslogger = logging.handlers.SysLogHandler\
68
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
69
address = "/dev/log")
70
syslogger.setFormatter(logging.Formatter\
71
('Mandos: %(levelname)s: %(message)s'))
68
import ctypes.util
69
70
try:
71
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
72
except AttributeError:
73
try:
74
from IN import SO_BINDTODEVICE
75
except ImportError:
76
# From /usr/include/asm/socket.h
77
SO_BINDTODEVICE = 25
78
79
80
version = "1.0.8"
81
82
logger = logging.Logger(u'mandos')
83
syslogger = (logging.handlers.SysLogHandler
84
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
72
89
logger.addHandler(syslogger)
73
90
74
91
console = logging.StreamHandler()
75
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
76
' %(message)s'))
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
77
95
logger.addHandler(console)
78
96
79
97
class AvahiError(Exception):
80
def __init__(self, value):
98
def __init__(self, value, *args, **kwargs):
81
99
self.value = value
82
def __str__(self):
83
return repr(self.value)
100
super(AvahiError, self).__init__(value, *args, **kwargs)
101
def __unicode__(self):
102
return unicode(repr(self.value))
84
103
85
104
class AvahiServiceError(AvahiError):
86
105
pass
91
110
92
111
class AvahiService(object):
93
112
"""An Avahi (Zeroconf) service.
113
94
114
Attributes:
95
115
interface: integer; avahi.IF_UNSPEC or an interface index.
96
116
Used to optionally bind to the specified interface.
97
name: string; Example: 'Mandos'
98
type: string; Example: '_mandos._tcp'.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
99
119
See <http://www.dns-sd.org/ServiceTypes.html>
100
120
port: integer; what port to announce
101
121
TXT: list of strings; TXT record for the service
106
126
a sensible number of times
107
127
"""
108
128
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
109
type = None, port = None, TXT = None, domain = "",
110
host = "", max_renames = 32768):
129
servicetype = None, port = None, TXT = None,
130
domain = u"", host = u"", max_renames = 32768,
131
protocol = avahi.PROTO_UNSPEC):
111
132
self.interface = interface
112
133
self.name = name
113
self.type = type
134
self.type = servicetype
114
135
self.port = port
115
if TXT is None:
116
self.TXT = []
117
else:
118
self.TXT = TXT
136
self.TXT = TXT if TXT is not None else []
119
137
self.domain = domain
120
138
self.host = host
121
139
self.rename_count = 0
122
140
self.max_renames = max_renames
141
self.protocol = protocol
123
142
def rename(self):
124
143
"""Derived from the Avahi example code"""
125
144
if self.rename_count >= self.max_renames:
126
logger.critical(u"No suitable service name found after %i"
127
u" retries, exiting.", rename_count)
128
raise AvahiServiceError("Too many renames")
145
logger.critical(u"No suitable Zeroconf service name found"
146
u" after %i retries, exiting.",
147
self.rename_count)
148
raise AvahiServiceError(u"Too many renames")
129
149
self.name = server.GetAlternativeServiceName(self.name)
130
logger.info(u"Changing name to %r ...", str(self.name))
131
syslogger.setFormatter(logging.Formatter\
132
('Mandos (%s): %%(levelname)s:'
133
' %%(message)s' % self.name))
150
logger.info(u"Changing Zeroconf service name to %r ...",
151
self.name)
152
syslogger.setFormatter(logging.Formatter
153
(u'Mandos (%s) [%%(process)d]:'
154
u' %%(levelname)s: %%(message)s'
155
% self.name))
134
156
self.remove()
135
157
self.add()
136
158
self.rename_count += 1
142
164
"""Derived from the Avahi example code"""
143
165
global group
144
166
if group is None:
145
group = dbus.Interface\
146
(bus.get_object(avahi.DBUS_NAME,
167
group = dbus.Interface(bus.get_object
168
(avahi.DBUS_NAME,
147
169
server.EntryGroupNew()),
148
avahi.DBUS_INTERFACE_ENTRY_GROUP)
170
avahi.DBUS_INTERFACE_ENTRY_GROUP)
149
171
group.connect_to_signal('StateChanged',
150
172
entry_group_state_changed)
151
logger.debug(u"Adding service '%s' of type '%s' ...",
173
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
152
174
service.name, service.type)
153
175
group.AddService(
154
176
self.interface, # interface
155
avahi.PROTO_INET6, # protocol
177
self.protocol, # protocol
156
178
dbus.UInt32(0), # flags
157
179
self.name, self.type,
158
180
self.domain, self.host,
165
187
# End of Avahi example code
166
188
167
189
190
def _datetime_to_dbus(dt, variant_level=0):
191
"""Convert a UTC datetime.datetime() to a D-Bus type."""
192
return dbus.String(dt.isoformat(), variant_level=variant_level)
193
194
168
195
class Client(object):
169
196
"""A representation of a client host served by this server.
197
170
198
Attributes:
171
name: string; from the config file, used in log messages
199
name: string; from the config file, used in log messages and
200
D-Bus identifiers
172
201
fingerprint: string (40 or 32 hexadecimal digits); used to
173
202
uniquely identify the client
174
secret: bytestring; sent verbatim (over TLS) to client
175
host: string; available for use by the checker command
176
created: datetime.datetime(); object creation, not client host
177
last_checked_ok: datetime.datetime() or None if not yet checked OK
178
timeout: datetime.timedelta(); How long from last_checked_ok
179
until this client is invalid
180
interval: datetime.timedelta(); How often to start a new checker
181
stop_hook: If set, called by stop() as stop_hook(self)
182
checker: subprocess.Popen(); a running checker process used
183
to see if the client lives.
184
'None' if no process is running.
203
secret: bytestring; sent verbatim (over TLS) to client
204
host: string; available for use by the checker command
205
created: datetime.datetime(); (UTC) object creation
206
last_enabled: datetime.datetime(); (UTC)
207
enabled: bool()
208
last_checked_ok: datetime.datetime(); (UTC) or None
209
timeout: datetime.timedelta(); How long from last_checked_ok
210
until this client is invalid
211
interval: datetime.timedelta(); How often to start a new checker
212
disable_hook: If set, called by disable() as disable_hook(self)
213
checker: subprocess.Popen(); a running checker process used
214
to see if the client lives.
215
'None' if no process is running.
185
216
checker_initiator_tag: a gobject event source tag, or None
186
stop_initiator_tag: - '' -
217
disable_initiator_tag: - '' -
187
218
checker_callback_tag: - '' -
188
219
checker_command: string; External command which is run to check if
189
220
client lives. %() expansions are done at
190
221
runtime with vars(self) as dict, so that for
191
222
instance %(name)s can be used in the command.
192
Private attibutes:
193
_timeout: Real variable for 'timeout'
194
_interval: Real variable for 'interval'
195
_timeout_milliseconds: Used when calling gobject.timeout_add()
196
_interval_milliseconds: - '' -
223
current_checker_command: string; current running checker_command
197
224
"""
198
def _set_timeout(self, timeout):
199
"Setter function for 'timeout' attribute"
200
self._timeout = timeout
201
self._timeout_milliseconds = ((self.timeout.days
202
* 24 * 60 * 60 * 1000)
203
+ (self.timeout.seconds * 1000)
204
+ (self.timeout.microseconds
205
// 1000))
206
timeout = property(lambda self: self._timeout,
207
_set_timeout)
208
del _set_timeout
209
def _set_interval(self, interval):
210
"Setter function for 'interval' attribute"
211
self._interval = interval
212
self._interval_milliseconds = ((self.interval.days
213
* 24 * 60 * 60 * 1000)
214
+ (self.interval.seconds
215
* 1000)
216
+ (self.interval.microseconds
217
// 1000))
218
interval = property(lambda self: self._interval,
219
_set_interval)
220
del _set_interval
221
def __init__(self, name = None, stop_hook=None, config={}):
225
226
@staticmethod
227
def _datetime_to_milliseconds(dt):
228
"Convert a datetime.datetime() to milliseconds"
229
return ((dt.days * 24 * 60 * 60 * 1000)
230
+ (dt.seconds * 1000)
231
+ (dt.microseconds // 1000))
232
233
def timeout_milliseconds(self):
234
"Return the 'timeout' attribute in milliseconds"
235
return self._datetime_to_milliseconds(self.timeout)
236
237
def interval_milliseconds(self):
238
"Return the 'interval' attribute in milliseconds"
239
return self._datetime_to_milliseconds(self.interval)
240
241
def __init__(self, name = None, disable_hook=None, config=None):
222
242
"""Note: the 'checker' key in 'config' sets the
223
243
'checker_command' attribute and *not* the 'checker'
224
244
attribute."""
225
245
self.name = name
246
if config is None:
247
config = {}
226
248
logger.debug(u"Creating client %r", self.name)
227
249
# Uppercase and remove spaces from fingerprint for later
228
250
# comparison purposes with return value from the fingerprint()
229
251
# function
230
self.fingerprint = config["fingerprint"].upper()\
231
.replace(u" ", u"")
252
self.fingerprint = (config[u"fingerprint"].upper()
253
.replace(u" ", u""))
232
254
logger.debug(u" Fingerprint: %s", self.fingerprint)
233
if "secret" in config:
234
self.secret = config["secret"].decode(u"base64")
235
elif "secfile" in config:
236
sf = open(config["secfile"])
237
self.secret = sf.read()
238
sf.close()
255
if u"secret" in config:
256
self.secret = config[u"secret"].decode(u"base64")
257
elif u"secfile" in config:
258
with closing(open(os.path.expanduser
259
(os.path.expandvars
260
(config[u"secfile"])))) as secfile:
261
self.secret = secfile.read()
239
262
else:
240
263
raise TypeError(u"No secret or secfile for client %s"
241
264
% self.name)
242
self.host = config.get("host", "")
243
self.created = datetime.datetime.now()
265
self.host = config.get(u"host", u"")
266
self.created = datetime.datetime.utcnow()
267
self.enabled = False
268
self.last_enabled = None
244
269
self.last_checked_ok = None
245
self.timeout = string_to_delta(config["timeout"])
246
self.interval = string_to_delta(config["interval"])
247
self.stop_hook = stop_hook
270
self.timeout = string_to_delta(config[u"timeout"])
271
self.interval = string_to_delta(config[u"interval"])
272
self.disable_hook = disable_hook
248
273
self.checker = None
249
274
self.checker_initiator_tag = None
250
self.stop_initiator_tag = None
275
self.disable_initiator_tag = None
251
276
self.checker_callback_tag = None
252
self.check_command = config["checker"]
253
def start(self):
277
self.checker_command = config[u"checker"]
278
self.current_checker_command = None
279
self.last_connect = None
280
281
def enable(self):
254
282
"""Start this client's checker and timeout hooks"""
283
self.last_enabled = datetime.datetime.utcnow()
255
284
# Schedule a new checker to be started an 'interval' from now,
256
285
# and every interval from then on.
257
self.checker_initiator_tag = gobject.timeout_add\
258
(self._interval_milliseconds,
259
self.start_checker)
286
self.checker_initiator_tag = (gobject.timeout_add
287
(self.interval_milliseconds(),
288
self.start_checker))
260
289
# Also start a new checker *right now*.
261
290
self.start_checker()
262
# Schedule a stop() when 'timeout' has passed
263
self.stop_initiator_tag = gobject.timeout_add\
264
(self._timeout_milliseconds,
265
self.stop)
266
def stop(self):
267
"""Stop this client.
268
The possibility that a client might be restarted is left open,
269
but not currently used."""
270
# If this client doesn't have a secret, it is already stopped.
271
if hasattr(self, "secret") and self.secret:
272
logger.info(u"Stopping client %s", self.name)
273
self.secret = None
274
else:
291
# Schedule a disable() when 'timeout' has passed
292
self.disable_initiator_tag = (gobject.timeout_add
293
(self.timeout_milliseconds(),
294
self.disable))
295
self.enabled = True
296
297
def disable(self):
298
"""Disable this client."""
299
if not getattr(self, "enabled", False):
275
300
return False
276
if getattr(self, "stop_initiator_tag", False):
277
gobject.source_remove(self.stop_initiator_tag)
278
self.stop_initiator_tag = None
279
if getattr(self, "checker_initiator_tag", False):
301
logger.info(u"Disabling client %s", self.name)
302
if getattr(self, u"disable_initiator_tag", False):
303
gobject.source_remove(self.disable_initiator_tag)
304
self.disable_initiator_tag = None
305
if getattr(self, u"checker_initiator_tag", False):
280
306
gobject.source_remove(self.checker_initiator_tag)
281
307
self.checker_initiator_tag = None
282
308
self.stop_checker()
283
if self.stop_hook:
284
self.stop_hook(self)
309
if self.disable_hook:
310
self.disable_hook(self)
311
self.enabled = False
285
312
# Do not run this again if called by a gobject.timeout_add
286
313
return False
314
287
315
def __del__(self):
288
self.stop_hook = None
289
self.stop()
290
def checker_callback(self, pid, condition):
316
self.disable_hook = None
317
self.disable()
318
319
def checker_callback(self, pid, condition, command):
291
320
"""The checker has completed, so take appropriate actions."""
292
now = datetime.datetime.now()
293
321
self.checker_callback_tag = None
294
322
self.checker = None
295
if os.WIFEXITED(condition) \
296
and (os.WEXITSTATUS(condition) == 0):
297
logger.info(u"Checker for %(name)s succeeded",
298
vars(self))
299
self.last_checked_ok = now
300
gobject.source_remove(self.stop_initiator_tag)
301
self.stop_initiator_tag = gobject.timeout_add\
302
(self._timeout_milliseconds,
303
self.stop)
304
elif not os.WIFEXITED(condition):
323
if os.WIFEXITED(condition):
324
exitstatus = os.WEXITSTATUS(condition)
325
if exitstatus == 0:
326
logger.info(u"Checker for %(name)s succeeded",
327
vars(self))
328
self.checked_ok()
329
else:
330
logger.info(u"Checker for %(name)s failed",
331
vars(self))
332
else:
305
333
logger.warning(u"Checker for %(name)s crashed?",
306
334
vars(self))
307
else:
308
logger.info(u"Checker for %(name)s failed",
309
vars(self))
335
336
def checked_ok(self):
337
"""Bump up the timeout for this client.
338
339
This should only be called when the client has been seen,
340
alive and well.
341
"""
342
self.last_checked_ok = datetime.datetime.utcnow()
343
gobject.source_remove(self.disable_initiator_tag)
344
self.disable_initiator_tag = (gobject.timeout_add
345
(self.timeout_milliseconds(),
346
self.disable))
347
310
348
def start_checker(self):
311
349
"""Start a new checker subprocess if one is not running.
350
312
351
If a checker already exists, leave it running and do
313
352
nothing."""
314
353
# The reason for not killing a running checker is that if we
319
358
# checkers alone, the checker would have to take more time
320
359
# than 'timeout' for the client to be declared invalid, which
321
360
# is as it should be.
361
362
# If a checker exists, make sure it is not a zombie
363
if self.checker is not None:
364
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
365
if pid:
366
logger.warning(u"Checker was a zombie")
367
gobject.source_remove(self.checker_callback_tag)
368
self.checker_callback(pid, status,
369
self.current_checker_command)
370
# Start a new checker if needed
322
371
if self.checker is None:
323
372
try:
324
# In case check_command has exactly one % operator
325
command = self.check_command % self.host
373
# In case checker_command has exactly one % operator
374
command = self.checker_command % self.host
326
375
except TypeError:
327
376
# Escape attributes for the shell
328
escaped_attrs = dict((key, re.escape(str(val)))
377
escaped_attrs = dict((key,
378
re.escape(unicode(str(val),
379
errors=
380
u'replace')))
329
381
for key, val in
330
382
vars(self).iteritems())
331
383
try:
332
command = self.check_command % escaped_attrs
384
command = self.checker_command % escaped_attrs
333
385
except TypeError, error:
334
386
logger.error(u'Could not format string "%s":'
335
u' %s', self.check_command, error)
387
u' %s', self.checker_command, error)
336
388
return True # Try again later
389
self.current_checker_command = command
337
390
try:
338
391
logger.info(u"Starting checker %r for %s",
339
392
command, self.name)
393
# We don't need to redirect stdout and stderr, since
394
# in normal mode, that is already done by daemon(),
395
# and in debug mode we don't want to. (Stdin is
396
# always replaced by /dev/null.)
340
397
self.checker = subprocess.Popen(command,
341
398
close_fds=True,
342
shell=True, cwd="/")
343
self.checker_callback_tag = gobject.child_watch_add\
344
(self.checker.pid,
345
self.checker_callback)
346
except subprocess.OSError, error:
399
shell=True, cwd=u"/")
400
self.checker_callback_tag = (gobject.child_watch_add
401
(self.checker.pid,
402
self.checker_callback,
403
data=command))
404
# The checker may have completed before the gobject
405
# watch was added. Check for this.
406
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
407
if pid:
408
gobject.source_remove(self.checker_callback_tag)
409
self.checker_callback(pid, status, command)
410
except OSError, error:
347
411
logger.error(u"Failed to start subprocess: %s",
348
412
error)
349
413
# Re-run this periodically if run by gobject.timeout_add
350
414
return True
415
351
416
def stop_checker(self):
352
417
"""Force the checker process, if any, to stop."""
353
418
if self.checker_callback_tag:
354
419
gobject.source_remove(self.checker_callback_tag)
355
420
self.checker_callback_tag = None
356
if getattr(self, "checker", None) is None:
421
if getattr(self, u"checker", None) is None:
357
422
return
358
423
logger.debug(u"Stopping checker for %(name)s", vars(self))
359
424
try:
365
430
if error.errno != errno.ESRCH: # No such process
366
431
raise
367
432
self.checker = None
433
368
434
def still_valid(self):
369
435
"""Has the timeout not yet passed for this client?"""
370
now = datetime.datetime.now()
436
if not getattr(self, u"enabled", False):
437
return False
438
now = datetime.datetime.utcnow()
371
439
if self.last_checked_ok is None:
372
440
return now < (self.created + self.timeout)
373
441
else:
374
442
return now < (self.last_checked_ok + self.timeout)
375
443
376
444
377
def peer_certificate(session):
378
"Return the peer's OpenPGP certificate as a bytestring"
379
# If not an OpenPGP certificate...
380
if gnutls.library.functions.gnutls_certificate_type_get\
381
(session._c_object) \
382
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
383
# ...do the normal thing
384
return session.peer_certificate
385
list_size = ctypes.c_uint()
386
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
387
(session._c_object, ctypes.byref(list_size))
388
if list_size.value == 0:
389
return None
390
cert = cert_list[0]
391
return ctypes.string_at(cert.data, cert.size)
392
393
394
def fingerprint(openpgp):
395
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
396
# New GnuTLS "datum" with the OpenPGP public key
397
datum = gnutls.library.types.gnutls_datum_t\
398
(ctypes.cast(ctypes.c_char_p(openpgp),
399
ctypes.POINTER(ctypes.c_ubyte)),
400
ctypes.c_uint(len(openpgp)))
401
# New empty GnuTLS certificate
402
crt = gnutls.library.types.gnutls_openpgp_crt_t()
403
gnutls.library.functions.gnutls_openpgp_crt_init\
404
(ctypes.byref(crt))
405
# Import the OpenPGP public key into the certificate
406
gnutls.library.functions.gnutls_openpgp_crt_import\
407
(crt, ctypes.byref(datum),
408
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
409
# New buffer for the fingerprint
410
buffer = ctypes.create_string_buffer(20)
411
buffer_length = ctypes.c_size_t()
412
# Get the fingerprint from the certificate into the buffer
413
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
414
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
415
# Deinit the certificate
416
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
417
# Convert the buffer to a Python bytestring
418
fpr = ctypes.string_at(buffer, buffer_length.value)
419
# Convert the bytestring to hexadecimal notation
420
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
421
return hex_fpr
422
423
424
class tcp_handler(SocketServer.BaseRequestHandler, object):
425
"""A TCP request handler class.
426
Instantiated by IPv6_TCPServer for each request to handle it.
445
class ClientDBus(Client, dbus.service.Object):
446
"""A Client class using D-Bus
447
448
Attributes:
449
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
450
"""
451
# dbus.service.Object doesn't use super(), so we can't either.
452
453
def __init__(self, *args, **kwargs):
454
Client.__init__(self, *args, **kwargs)
455
# Only now, when this client is initialized, can it show up on
456
# the D-Bus
457
self.dbus_object_path = (dbus.ObjectPath
458
(u"/clients/"
459
+ self.name.replace(u".", u"_")))
460
dbus.service.Object.__init__(self, bus,
461
self.dbus_object_path)
462
def enable(self):
463
oldstate = getattr(self, u"enabled", False)
464
r = Client.enable(self)
465
if oldstate != self.enabled:
466
# Emit D-Bus signals
467
self.PropertyChanged(dbus.String(u"enabled"),
468
dbus.Boolean(True, variant_level=1))
469
self.PropertyChanged(dbus.String(u"last_enabled"),
470
(_datetime_to_dbus(self.last_enabled,
471
variant_level=1)))
472
return r
473
474
def disable(self, signal = True):
475
oldstate = getattr(self, u"enabled", False)
476
r = Client.disable(self)
477
if signal and oldstate != self.enabled:
478
# Emit D-Bus signal
479
self.PropertyChanged(dbus.String(u"enabled"),
480
dbus.Boolean(False, variant_level=1))
481
return r
482
483
def __del__(self, *args, **kwargs):
484
try:
485
self.remove_from_connection()
486
except LookupError:
487
pass
488
if hasattr(dbus.service.Object, u"__del__"):
489
dbus.service.Object.__del__(self, *args, **kwargs)
490
Client.__del__(self, *args, **kwargs)
491
492
def checker_callback(self, pid, condition, command,
493
*args, **kwargs):
494
self.checker_callback_tag = None
495
self.checker = None
496
# Emit D-Bus signal
497
self.PropertyChanged(dbus.String(u"checker_running"),
498
dbus.Boolean(False, variant_level=1))
499
if os.WIFEXITED(condition):
500
exitstatus = os.WEXITSTATUS(condition)
501
# Emit D-Bus signal
502
self.CheckerCompleted(dbus.Int16(exitstatus),
503
dbus.Int64(condition),
504
dbus.String(command))
505
else:
506
# Emit D-Bus signal
507
self.CheckerCompleted(dbus.Int16(-1),
508
dbus.Int64(condition),
509
dbus.String(command))
510
511
return Client.checker_callback(self, pid, condition, command,
512
*args, **kwargs)
513
514
def checked_ok(self, *args, **kwargs):
515
r = Client.checked_ok(self, *args, **kwargs)
516
# Emit D-Bus signal
517
self.PropertyChanged(
518
dbus.String(u"last_checked_ok"),
519
(_datetime_to_dbus(self.last_checked_ok,
520
variant_level=1)))
521
return r
522
523
def start_checker(self, *args, **kwargs):
524
old_checker = self.checker
525
if self.checker is not None:
526
old_checker_pid = self.checker.pid
527
else:
528
old_checker_pid = None
529
r = Client.start_checker(self, *args, **kwargs)
530
# Only if new checker process was started
531
if (self.checker is not None
532
and old_checker_pid != self.checker.pid):
533
# Emit D-Bus signal
534
self.CheckerStarted(self.current_checker_command)
535
self.PropertyChanged(
536
dbus.String(u"checker_running"),
537
dbus.Boolean(True, variant_level=1))
538
return r
539
540
def stop_checker(self, *args, **kwargs):
541
old_checker = getattr(self, u"checker", None)
542
r = Client.stop_checker(self, *args, **kwargs)
543
if (old_checker is not None
544
and getattr(self, u"checker", None) is None):
545
self.PropertyChanged(dbus.String(u"checker_running"),
546
dbus.Boolean(False, variant_level=1))
547
return r
548
549
## D-Bus methods & signals
550
_interface = u"se.bsnet.fukt.Mandos.Client"
551
552
# CheckedOK - method
553
@dbus.service.method(_interface)
554
def CheckedOK(self):
555
return self.checked_ok()
556
557
# CheckerCompleted - signal
558
@dbus.service.signal(_interface, signature=u"nxs")
559
def CheckerCompleted(self, exitcode, waitstatus, command):
560
"D-Bus signal"
561
pass
562
563
# CheckerStarted - signal
564
@dbus.service.signal(_interface, signature=u"s")
565
def CheckerStarted(self, command):
566
"D-Bus signal"
567
pass
568
569
# GetAllProperties - method
570
@dbus.service.method(_interface, out_signature=u"a{sv}")
571
def GetAllProperties(self):
572
"D-Bus method"
573
return dbus.Dictionary({
574
dbus.String(u"name"):
575
dbus.String(self.name, variant_level=1),
576
dbus.String(u"fingerprint"):
577
dbus.String(self.fingerprint, variant_level=1),
578
dbus.String(u"host"):
579
dbus.String(self.host, variant_level=1),
580
dbus.String(u"created"):
581
_datetime_to_dbus(self.created, variant_level=1),
582
dbus.String(u"last_enabled"):
583
(_datetime_to_dbus(self.last_enabled,
584
variant_level=1)
585
if self.last_enabled is not None
586
else dbus.Boolean(False, variant_level=1)),
587
dbus.String(u"enabled"):
588
dbus.Boolean(self.enabled, variant_level=1),
589
dbus.String(u"last_checked_ok"):
590
(_datetime_to_dbus(self.last_checked_ok,
591
variant_level=1)
592
if self.last_checked_ok is not None
593
else dbus.Boolean (False, variant_level=1)),
594
dbus.String(u"timeout"):
595
dbus.UInt64(self.timeout_milliseconds(),
596
variant_level=1),
597
dbus.String(u"interval"):
598
dbus.UInt64(self.interval_milliseconds(),
599
variant_level=1),
600
dbus.String(u"checker"):
601
dbus.String(self.checker_command,
602
variant_level=1),
603
dbus.String(u"checker_running"):
604
dbus.Boolean(self.checker is not None,
605
variant_level=1),
606
dbus.String(u"object_path"):
607
dbus.ObjectPath(self.dbus_object_path,
608
variant_level=1)
609
}, signature=u"sv")
610
611
# IsStillValid - method
612
@dbus.service.method(_interface, out_signature=u"b")
613
def IsStillValid(self):
614
return self.still_valid()
615
616
# PropertyChanged - signal
617
@dbus.service.signal(_interface, signature=u"sv")
618
def PropertyChanged(self, property, value):
619
"D-Bus signal"
620
pass
621
622
# ReceivedSecret - signal
623
@dbus.service.signal(_interface)
624
def ReceivedSecret(self):
625
"D-Bus signal"
626
pass
627
628
# Rejected - signal
629
@dbus.service.signal(_interface)
630
def Rejected(self):
631
"D-Bus signal"
632
pass
633
634
# SetChecker - method
635
@dbus.service.method(_interface, in_signature=u"s")
636
def SetChecker(self, checker):
637
"D-Bus setter method"
638
self.checker_command = checker
639
# Emit D-Bus signal
640
self.PropertyChanged(dbus.String(u"checker"),
641
dbus.String(self.checker_command,
642
variant_level=1))
643
644
# SetHost - method
645
@dbus.service.method(_interface, in_signature=u"s")
646
def SetHost(self, host):
647
"D-Bus setter method"
648
self.host = host
649
# Emit D-Bus signal
650
self.PropertyChanged(dbus.String(u"host"),
651
dbus.String(self.host, variant_level=1))
652
653
# SetInterval - method
654
@dbus.service.method(_interface, in_signature=u"t")
655
def SetInterval(self, milliseconds):
656
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
657
# Emit D-Bus signal
658
self.PropertyChanged(dbus.String(u"interval"),
659
(dbus.UInt64(self.interval_milliseconds(),
660
variant_level=1)))
661
662
# SetSecret - method
663
@dbus.service.method(_interface, in_signature=u"ay",
664
byte_arrays=True)
665
def SetSecret(self, secret):
666
"D-Bus setter method"
667
self.secret = str(secret)
668
669
# SetTimeout - method
670
@dbus.service.method(_interface, in_signature=u"t")
671
def SetTimeout(self, milliseconds):
672
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
673
# Emit D-Bus signal
674
self.PropertyChanged(dbus.String(u"timeout"),
675
(dbus.UInt64(self.timeout_milliseconds(),
676
variant_level=1)))
677
678
# Enable - method
679
@dbus.service.method(_interface)
680
def Enable(self):
681
"D-Bus method"
682
self.enable()
683
684
# StartChecker - method
685
@dbus.service.method(_interface)
686
def StartChecker(self):
687
"D-Bus method"
688
self.start_checker()
689
690
# Disable - method
691
@dbus.service.method(_interface)
692
def Disable(self):
693
"D-Bus method"
694
self.disable()
695
696
# StopChecker - method
697
@dbus.service.method(_interface)
698
def StopChecker(self):
699
self.stop_checker()
700
701
del _interface
702
703
704
class ClientHandler(socketserver.BaseRequestHandler, object):
705
"""A class to handle client connections.
706
707
Instantiated once for each connection to handle it.
427
708
Note: This will run in its own forked process."""
428
709
429
710
def handle(self):
430
711
logger.info(u"TCP connection from: %s",
431
unicode(self.client_address))
432
session = gnutls.connection.ClientSession\
433
(self.request, gnutls.connection.X509Credentials())
434
435
line = self.request.makefile().readline()
436
logger.debug(u"Protocol version: %r", line)
437
try:
438
if int(line.strip().split()[0]) > 1:
439
raise RuntimeError
440
except (ValueError, IndexError, RuntimeError), error:
441
logger.error(u"Unknown protocol version: %s", error)
442
return
443
444
# Note: gnutls.connection.X509Credentials is really a generic
445
# GnuTLS certificate credentials object so long as no X.509
446
# keys are added to it. Therefore, we can use it here despite
447
# using OpenPGP certificates.
448
449
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
450
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
451
# "+DHE-DSS"))
452
priority = "NORMAL" # Fallback default, since this
453
# MUST be set.
454
if self.server.settings["priority"]:
455
priority = self.server.settings["priority"]
456
gnutls.library.functions.gnutls_priority_set_direct\
457
(session._c_object, priority, None);
458
459
try:
460
session.handshake()
461
except gnutls.errors.GNUTLSError, error:
462
logger.warning(u"Handshake failed: %s", error)
463
# Do not run session.bye() here: the session is not
464
# established. Just abandon the request.
465
return
466
try:
467
fpr = fingerprint(peer_certificate(session))
468
except (TypeError, gnutls.errors.GNUTLSError), error:
469
logger.warning(u"Bad certificate: %s", error)
470
session.bye()
471
return
472
logger.debug(u"Fingerprint: %s", fpr)
473
client = None
474
for c in self.server.clients:
475
if c.fingerprint == fpr:
476
client = c
477
break
478
if not client:
479
logger.warning(u"Client not found for fingerprint: %s",
480
fpr)
481
session.bye()
482
return
483
# Have to check if client.still_valid(), since it is possible
484
# that the client timed out while establishing the GnuTLS
485
# session.
486
if not client.still_valid():
487
logger.warning(u"Client %(name)s is invalid",
488
vars(client))
489
session.bye()
490
return
491
sent_size = 0
492
while sent_size < len(client.secret):
493
sent = session.send(client.secret[sent_size:])
494
logger.debug(u"Sent: %d, remaining: %d",
495
sent, len(client.secret)
496
- (sent_size + sent))
497
sent_size += sent
498
session.bye()
499
500
501
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
502
"""IPv6 TCP server. Accepts 'None' as address and/or port.
712
unicode(self.client_address))
713
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
714
# Open IPC pipe to parent process
715
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
716
session = (gnutls.connection
717
.ClientSession(self.request,
718
gnutls.connection
719
.X509Credentials()))
720
721
line = self.request.makefile().readline()
722
logger.debug(u"Protocol version: %r", line)
723
try:
724
if int(line.strip().split()[0]) > 1:
725
raise RuntimeError
726
except (ValueError, IndexError, RuntimeError), error:
727
logger.error(u"Unknown protocol version: %s", error)
728
return
729
730
# Note: gnutls.connection.X509Credentials is really a
731
# generic GnuTLS certificate credentials object so long as
732
# no X.509 keys are added to it. Therefore, we can use it
733
# here despite using OpenPGP certificates.
734
735
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
736
# u"+AES-256-CBC", u"+SHA1",
737
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
738
# u"+DHE-DSS"))
739
# Use a fallback default, since this MUST be set.
740
priority = self.server.gnutls_priority
741
if priority is None:
742
priority = u"NORMAL"
743
(gnutls.library.functions
744
.gnutls_priority_set_direct(session._c_object,
745
priority, None))
746
747
try:
748
session.handshake()
749
except gnutls.errors.GNUTLSError, error:
750
logger.warning(u"Handshake failed: %s", error)
751
# Do not run session.bye() here: the session is not
752
# established. Just abandon the request.
753
return
754
logger.debug(u"Handshake succeeded")
755
try:
756
fpr = self.fingerprint(self.peer_certificate(session))
757
except (TypeError, gnutls.errors.GNUTLSError), error:
758
logger.warning(u"Bad certificate: %s", error)
759
session.bye()
760
return
761
logger.debug(u"Fingerprint: %s", fpr)
762
763
for c in self.server.clients:
764
if c.fingerprint == fpr:
765
client = c
766
break
767
else:
768
ipc.write(u"NOTFOUND %s\n" % fpr)
769
session.bye()
770
return
771
# Have to check if client.still_valid(), since it is
772
# possible that the client timed out while establishing
773
# the GnuTLS session.
774
if not client.still_valid():
775
ipc.write(u"INVALID %s\n" % client.name)
776
session.bye()
777
return
778
ipc.write(u"SENDING %s\n" % client.name)
779
sent_size = 0
780
while sent_size < len(client.secret):
781
sent = session.send(client.secret[sent_size:])
782
logger.debug(u"Sent: %d, remaining: %d",
783
sent, len(client.secret)
784
- (sent_size + sent))
785
sent_size += sent
786
session.bye()
787
788
@staticmethod
789
def peer_certificate(session):
790
"Return the peer's OpenPGP certificate as a bytestring"
791
# If not an OpenPGP certificate...
792
if (gnutls.library.functions
793
.gnutls_certificate_type_get(session._c_object)
794
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
795
# ...do the normal thing
796
return session.peer_certificate
797
list_size = ctypes.c_uint(1)
798
cert_list = (gnutls.library.functions
799
.gnutls_certificate_get_peers
800
(session._c_object, ctypes.byref(list_size)))
801
if not bool(cert_list) and list_size.value != 0:
802
raise gnutls.errors.GNUTLSError(u"error getting peer"
803
u" certificate")
804
if list_size.value == 0:
805
return None
806
cert = cert_list[0]
807
return ctypes.string_at(cert.data, cert.size)
808
809
@staticmethod
810
def fingerprint(openpgp):
811
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
812
# New GnuTLS "datum" with the OpenPGP public key
813
datum = (gnutls.library.types
814
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
815
ctypes.POINTER
816
(ctypes.c_ubyte)),
817
ctypes.c_uint(len(openpgp))))
818
# New empty GnuTLS certificate
819
crt = gnutls.library.types.gnutls_openpgp_crt_t()
820
(gnutls.library.functions
821
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
822
# Import the OpenPGP public key into the certificate
823
(gnutls.library.functions
824
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
825
gnutls.library.constants
826
.GNUTLS_OPENPGP_FMT_RAW))
827
# Verify the self signature in the key
828
crtverify = ctypes.c_uint()
829
(gnutls.library.functions
830
.gnutls_openpgp_crt_verify_self(crt, 0,
831
ctypes.byref(crtverify)))
832
if crtverify.value != 0:
833
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
834
raise (gnutls.errors.CertificateSecurityError
835
(u"Verify failed"))
836
# New buffer for the fingerprint
837
buf = ctypes.create_string_buffer(20)
838
buf_len = ctypes.c_size_t()
839
# Get the fingerprint from the certificate into the buffer
840
(gnutls.library.functions
841
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
842
ctypes.byref(buf_len)))
843
# Deinit the certificate
844
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
845
# Convert the buffer to a Python bytestring
846
fpr = ctypes.string_at(buf, buf_len.value)
847
# Convert the bytestring to hexadecimal notation
848
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
849
return hex_fpr
850
851
852
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
853
"""Like socketserver.ForkingMixIn, but also pass a pipe.
854
855
Assumes a gobject.MainLoop event loop.
856
"""
857
def process_request(self, request, client_address):
858
"""Overrides and wraps the original process_request().
859
860
This function creates a new pipe in self.pipe
861
"""
862
self.pipe = os.pipe()
863
super(ForkingMixInWithPipe,
864
self).process_request(request, client_address)
865
os.close(self.pipe[1]) # close write end
866
# Call "handle_ipc" for both data and EOF events
867
gobject.io_add_watch(self.pipe[0],
868
gobject.IO_IN | gobject.IO_HUP,
869
self.handle_ipc)
870
def handle_ipc(source, condition):
871
"""Dummy function; override as necessary"""
872
os.close(source)
873
return False
874
875
876
class IPv6_TCPServer(ForkingMixInWithPipe,
877
socketserver.TCPServer, object):
878
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
879
503
880
Attributes:
504
settings: Server settings
505
clients: Set() of Client objects
881
enabled: Boolean; whether this server is activated yet
882
interface: None or a network interface name (string)
883
use_ipv6: Boolean; to use IPv6 or not
884
----
885
clients: set of Client objects
886
gnutls_priority GnuTLS priority string
887
use_dbus: Boolean; to emit D-Bus signals or not
506
888
"""
507
address_family = socket.AF_INET6
508
def __init__(self, *args, **kwargs):
509
if "settings" in kwargs:
510
self.settings = kwargs["settings"]
511
del kwargs["settings"]
512
if "clients" in kwargs:
513
self.clients = kwargs["clients"]
514
del kwargs["clients"]
515
return super(type(self), self).__init__(*args, **kwargs)
889
def __init__(self, server_address, RequestHandlerClass,
890
interface=None, use_ipv6=True, clients=None,
891
gnutls_priority=None, use_dbus=True):
892
self.enabled = False
893
self.interface = interface
894
if use_ipv6:
895
self.address_family = socket.AF_INET6
896
self.clients = clients
897
self.use_dbus = use_dbus
898
self.gnutls_priority = gnutls_priority
899
socketserver.TCPServer.__init__(self, server_address,
900
RequestHandlerClass)
516
901
def server_bind(self):
517
902
"""This overrides the normal server_bind() function
518
903
to bind to an interface if one was specified, and also NOT to
519
904
bind to an address or port if they were not specified."""
520
if self.settings["interface"]:
521
# 25 is from /usr/include/asm-i486/socket.h
522
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
905
if self.interface is not None:
523
906
try:
524
907
self.socket.setsockopt(socket.SOL_SOCKET,
525
908
SO_BINDTODEVICE,
526
self.settings["interface"])
909
str(self.interface + u'\0'))
527
910
except socket.error, error:
528
911
if error[0] == errno.EPERM:
529
912
logger.error(u"No permission to"
530
913
u" bind to interface %s",
531
self.settings["interface"])
914
self.interface)
532
915
else:
533
raise error
916
raise
534
917
# Only bind(2) the socket if we really need to.
535
918
if self.server_address[0] or self.server_address[1]:
536
919
if not self.server_address[0]:
537
in6addr_any = "::"
538
self.server_address = (in6addr_any,
920
if self.address_family == socket.AF_INET6:
921
any_address = u"::" # in6addr_any
922
else:
923
any_address = socket.INADDR_ANY
924
self.server_address = (any_address,
539
925
self.server_address[1])
540
926
elif not self.server_address[1]:
541
927
self.server_address = (self.server_address[0],
542
928
0)
543
# if self.settings["interface"]:
929
# if self.interface:
544
930
# self.server_address = (self.server_address[0],
545
931
# 0, # port
546
932
# 0, # flowinfo
547
933
# if_nametoindex
548
# (self.settings
549
# ["interface"]))
550
return super(type(self), self).server_bind()
934
# (self.interface))
935
return socketserver.TCPServer.server_bind(self)
936
def server_activate(self):
937
if self.enabled:
938
return socketserver.TCPServer.server_activate(self)
939
def enable(self):
940
self.enabled = True
941
def handle_ipc(self, source, condition, file_objects={}):
942
condition_names = {
943
gobject.IO_IN: u"IN", # There is data to read.
944
gobject.IO_OUT: u"OUT", # Data can be written (without
945
# blocking).
946
gobject.IO_PRI: u"PRI", # There is urgent data to read.
947
gobject.IO_ERR: u"ERR", # Error condition.
948
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
949
# broken, usually for pipes and
950
# sockets).
951
}
952
conditions_string = ' | '.join(name
953
for cond, name in
954
condition_names.iteritems()
955
if cond & condition)
956
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
957
conditions_string)
958
959
# Turn the pipe file descriptor into a Python file object
960
if source not in file_objects:
961
file_objects[source] = os.fdopen(source, u"r", 1)
962
963
# Read a line from the file object
964
cmdline = file_objects[source].readline()
965
if not cmdline: # Empty line means end of file
966
# close the IPC pipe
967
file_objects[source].close()
968
del file_objects[source]
969
970
# Stop calling this function
971
return False
972
973
logger.debug(u"IPC command: %r", cmdline)
974
975
# Parse and act on command
976
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
977
978
if cmd == u"NOTFOUND":
979
logger.warning(u"Client not found for fingerprint: %s",
980
args)
981
if self.use_dbus:
982
# Emit D-Bus signal
983
mandos_dbus_service.ClientNotFound(args)
984
elif cmd == u"INVALID":
985
for client in self.clients:
986
if client.name == args:
987
logger.warning(u"Client %s is invalid", args)
988
if self.use_dbus:
989
# Emit D-Bus signal
990
client.Rejected()
991
break
992
else:
993
logger.error(u"Unknown client %s is invalid", args)
994
elif cmd == u"SENDING":
995
for client in self.clients:
996
if client.name == args:
997
logger.info(u"Sending secret to %s", client.name)
998
client.checked_ok()
999
if self.use_dbus:
1000
# Emit D-Bus signal
1001
client.ReceivedSecret()
1002
break
1003
else:
1004
logger.error(u"Sending secret to unknown client %s",
1005
args)
1006
else:
1007
logger.error(u"Unknown IPC command: %r", cmdline)
1008
1009
# Keep calling this function
1010
return True
551
1011
552
1012
553
1013
def string_to_delta(interval):
554
1014
"""Parse a string and return a datetime.timedelta
555
556
>>> string_to_delta('7d')
1015
1016
>>> string_to_delta(u'7d')
557
1017
datetime.timedelta(7)
558
>>> string_to_delta('60s')
1018
>>> string_to_delta(u'60s')
559
1019
datetime.timedelta(0, 60)
560
>>> string_to_delta('60m')
1020
>>> string_to_delta(u'60m')
561
1021
datetime.timedelta(0, 3600)
562
>>> string_to_delta('24h')
1022
>>> string_to_delta(u'24h')
563
1023
datetime.timedelta(1)
564
1024
>>> string_to_delta(u'1w')
565
1025
datetime.timedelta(7)
1026
>>> string_to_delta(u'5m 30s')
1027
datetime.timedelta(0, 330)
566
1028
"""
567
try:
568
suffix=unicode(interval[-1])
569
value=int(interval[:-1])
570
if suffix == u"d":
571
delta = datetime.timedelta(value)
572
elif suffix == u"s":
573
delta = datetime.timedelta(0, value)
574
elif suffix == u"m":
575
delta = datetime.timedelta(0, 0, 0, 0, value)
576
elif suffix == u"h":
577
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
578
elif suffix == u"w":
579
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
580
else:
1029
timevalue = datetime.timedelta(0)
1030
for s in interval.split():
1031
try:
1032
suffix = unicode(s[-1])
1033
value = int(s[:-1])
1034
if suffix == u"d":
1035
delta = datetime.timedelta(value)
1036
elif suffix == u"s":
1037
delta = datetime.timedelta(0, value)
1038
elif suffix == u"m":
1039
delta = datetime.timedelta(0, 0, 0, 0, value)
1040
elif suffix == u"h":
1041
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1042
elif suffix == u"w":
1043
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1044
else:
1045
raise ValueError
1046
except (ValueError, IndexError):
581
1047
raise ValueError
582
except (ValueError, IndexError):
583
raise ValueError
584
return delta
1048
timevalue += delta
1049
return timevalue
585
1050
586
1051
587
1052
def server_state_changed(state):
588
1053
"""Derived from the Avahi example code"""
589
1054
if state == avahi.SERVER_COLLISION:
590
logger.error(u"Server name collision")
1055
logger.error(u"Zeroconf server name collision")
591
1056
service.remove()
592
1057
elif state == avahi.SERVER_RUNNING:
593
1058
service.add()
595
1060
596
1061
def entry_group_state_changed(state, error):
597
1062
"""Derived from the Avahi example code"""
598
logger.debug(u"state change: %i", state)
1063
logger.debug(u"Avahi state change: %i", state)
599
1064
600
1065
if state == avahi.ENTRY_GROUP_ESTABLISHED:
601
logger.debug(u"Service established.")
1066
logger.debug(u"Zeroconf service established.")
602
1067
elif state == avahi.ENTRY_GROUP_COLLISION:
603
logger.warning(u"Service name collision.")
1068
logger.warning(u"Zeroconf service name collision.")
604
1069
service.rename()
605
1070
elif state == avahi.ENTRY_GROUP_FAILURE:
606
logger.critical(u"Error in group state changed %s",
1071
logger.critical(u"Avahi: Error in group state changed %s",
607
1072
unicode(error))
608
raise AvahiGroupError("State changed: %s", str(error))
1073
raise AvahiGroupError(u"State changed: %s" % unicode(error))
609
1074
610
1075
def if_nametoindex(interface):
611
"""Call the C function if_nametoindex(), or equivalent"""
1076
"""Call the C function if_nametoindex(), or equivalent
1077
1078
Note: This function cannot accept a unicode string."""
612
1079
global if_nametoindex
613
1080
try:
614
if "ctypes.util" not in sys.modules:
615
import ctypes.util
616
if_nametoindex = ctypes.cdll.LoadLibrary\
617
(ctypes.util.find_library("c")).if_nametoindex
1081
if_nametoindex = (ctypes.cdll.LoadLibrary
1082
(ctypes.util.find_library(u"c"))
1083
.if_nametoindex)
618
1084
except (OSError, AttributeError):
619
if "struct" not in sys.modules:
620
import struct
621
if "fcntl" not in sys.modules:
622
import fcntl
1085
logger.warning(u"Doing if_nametoindex the hard way")
623
1086
def if_nametoindex(interface):
624
1087
"Get an interface index the hard way, i.e. using fcntl()"
625
1088
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
626
s = socket.socket()
627
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
628
struct.pack("16s16x", interface))
629
s.close()
630
interface_index = struct.unpack("I", ifreq[16:20])[0]
1089
with closing(socket.socket()) as s:
1090
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1091
struct.pack(str(u"16s16x"),
1092
interface))
1093
interface_index = struct.unpack(str(u"I"),
1094
ifreq[16:20])[0]
631
1095
return interface_index
632
1096
return if_nametoindex(interface)
633
1097
634
1098
635
1099
def daemon(nochdir = False, noclose = False):
636
1100
"""See daemon(3). Standard BSD Unix function.
1101
637
1102
This should really exist as os.daemon, but it doesn't (yet)."""
638
1103
if os.fork():
639
1104
sys.exit()
640
1105
os.setsid()
641
1106
if not nochdir:
642
os.chdir("/")
1107
os.chdir(u"/")
643
1108
if os.fork():
644
1109
sys.exit()
645
1110
if not noclose:
647
1112
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
648
1113
if not stat.S_ISCHR(os.fstat(null).st_mode):
649
1114
raise OSError(errno.ENODEV,
650
"/dev/null not a character device")
1115
u"/dev/null not a character device")
651
1116
os.dup2(null, sys.stdin.fileno())
652
1117
os.dup2(null, sys.stdout.fileno())
653
1118
os.dup2(null, sys.stderr.fileno())
656
1121
657
1122
658
1123
def main():
659
global main_loop_started
660
main_loop_started = False
661
662
parser = OptionParser(version = "%%prog %s" % version)
663
parser.add_option("-i", "--interface", type="string",
664
metavar="IF", help="Bind to interface IF")
665
parser.add_option("-a", "--address", type="string",
666
help="Address to listen for requests on")
667
parser.add_option("-p", "--port", type="int",
668
help="Port number to receive requests on")
669
parser.add_option("--check", action="store_true", default=False,
670
help="Run self-test")
671
parser.add_option("--debug", action="store_true",
672
help="Debug mode; run in foreground and log to"
673
" terminal")
674
parser.add_option("--priority", type="string", help="GnuTLS"
675
" priority string (see GnuTLS documentation)")
676
parser.add_option("--servicename", type="string", metavar="NAME",
677
help="Zeroconf service name")
678
parser.add_option("--configdir", type="string",
679
default="/etc/mandos", metavar="DIR",
680
help="Directory to search for configuration"
681
" files")
682
(options, args) = parser.parse_args()
1124
1125
######################################################################
1126
# Parsing of options, both command line and config file
1127
1128
parser = optparse.OptionParser(version = "%%prog %s" % version)
1129
parser.add_option("-i", u"--interface", type=u"string",
1130
metavar="IF", help=u"Bind to interface IF")
1131
parser.add_option("-a", u"--address", type=u"string",
1132
help=u"Address to listen for requests on")
1133
parser.add_option("-p", u"--port", type=u"int",
1134
help=u"Port number to receive requests on")
1135
parser.add_option("--check", action=u"store_true",
1136
help=u"Run self-test")
1137
parser.add_option("--debug", action=u"store_true",
1138
help=u"Debug mode; run in foreground and log to"
1139
u" terminal")
1140
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1141
u" priority string (see GnuTLS documentation)")
1142
parser.add_option("--servicename", type=u"string",
1143
metavar=u"NAME", help=u"Zeroconf service name")
1144
parser.add_option("--configdir", type=u"string",
1145
default=u"/etc/mandos", metavar=u"DIR",
1146
help=u"Directory to search for configuration"
1147
u" files")
1148
parser.add_option("--no-dbus", action=u"store_false",
1149
dest=u"use_dbus", help=u"Do not provide D-Bus"
1150
u" system bus interface")
1151
parser.add_option("--no-ipv6", action=u"store_false",
1152
dest=u"use_ipv6", help=u"Do not use IPv6")
1153
options = parser.parse_args()[0]
683
1154
684
1155
if options.check:
685
1156
import doctest
687
1158
sys.exit()
688
1159
689
1160
# Default values for config file for server-global settings
690
server_defaults = { "interface": "",
691
"address": "",
692
"port": "",
693
"debug": "False",
694
"priority":
695
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
696
"servicename": "Mandos",
1161
server_defaults = { u"interface": u"",
1162
u"address": u"",
1163
u"port": u"",
1164
u"debug": u"False",
1165
u"priority":
1166
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1167
u"servicename": u"Mandos",
1168
u"use_dbus": u"True",
1169
u"use_ipv6": u"True",
697
1170
}
698
1171
699
1172
# Parse config file for server-global settings
700
server_config = ConfigParser.SafeConfigParser(server_defaults)
1173
server_config = configparser.SafeConfigParser(server_defaults)
701
1174
del server_defaults
702
server_config.read(os.path.join(options.configdir, "mandos.conf"))
703
server_section = "server"
1175
server_config.read(os.path.join(options.configdir,
1176
u"mandos.conf"))
704
1177
# Convert the SafeConfigParser object to a dict
705
server_settings = dict(server_config.items(server_section))
706
# Use getboolean on the boolean config option
707
server_settings["debug"] = server_config.getboolean\
708
(server_section, "debug")
1178
server_settings = server_config.defaults()
1179
# Use the appropriate methods on the non-string config options
1180
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1181
server_settings[option] = server_config.getboolean(u"DEFAULT",
1182
option)
1183
if server_settings["port"]:
1184
server_settings["port"] = server_config.getint(u"DEFAULT",
1185
u"port")
709
1186
del server_config
710
1187
711
1188
# Override the settings from the config file with command line
712
1189
# options, if set.
713
for option in ("interface", "address", "port", "debug",
714
"priority", "servicename", "configdir"):
1190
for option in (u"interface", u"address", u"port", u"debug",
1191
u"priority", u"servicename", u"configdir",
1192
u"use_dbus", u"use_ipv6"):
715
1193
value = getattr(options, option)
716
1194
if value is not None:
717
1195
server_settings[option] = value
718
1196
del options
1197
# Force all strings to be unicode
1198
for option in server_settings.keys():
1199
if type(server_settings[option]) is str:
1200
server_settings[option] = unicode(server_settings[option])
719
1201
# Now we have our good server settings in "server_settings"
720
1202
721
debug = server_settings["debug"]
1203
##################################################################
1204
1205
# For convenience
1206
debug = server_settings[u"debug"]
1207
use_dbus = server_settings[u"use_dbus"]
1208
use_ipv6 = server_settings[u"use_ipv6"]
722
1209
723
1210
if not debug:
724
1211
syslogger.setLevel(logging.WARNING)
725
1212
console.setLevel(logging.WARNING)
726
1213
727
if server_settings["servicename"] != "Mandos":
728
syslogger.setFormatter(logging.Formatter\
729
('Mandos (%s): %%(levelname)s:'
730
' %%(message)s'
731
% server_settings["servicename"]))
1214
if server_settings[u"servicename"] != u"Mandos":
1215
syslogger.setFormatter(logging.Formatter
1216
(u'Mandos (%s) [%%(process)d]:'
1217
u' %%(levelname)s: %%(message)s'
1218
% server_settings[u"servicename"]))
732
1219
733
1220
# Parse config file with clients
734
client_defaults = { "timeout": "1h",
735
"interval": "5m",
736
"checker": "fping -q -- %%(host)s",
1221
client_defaults = { u"timeout": u"1h",
1222
u"interval": u"5m",
1223
u"checker": u"fping -q -- %%(host)s",
1224
u"host": u"",
737
1225
}
738
client_config = ConfigParser.SafeConfigParser(client_defaults)
739
client_config.read(os.path.join(server_settings["configdir"],
740
"clients.conf"))
1226
client_config = configparser.SafeConfigParser(client_defaults)
1227
client_config.read(os.path.join(server_settings[u"configdir"],
1228
u"clients.conf"))
1229
1230
global mandos_dbus_service
1231
mandos_dbus_service = None
1232
1233
clients = set()
1234
tcp_server = IPv6_TCPServer((server_settings[u"address"],
1235
server_settings[u"port"]),
1236
ClientHandler,
1237
interface=
1238
server_settings[u"interface"],
1239
use_ipv6=use_ipv6,
1240
clients=clients,
1241
gnutls_priority=
1242
server_settings[u"priority"],
1243
use_dbus=use_dbus)
1244
pidfilename = u"/var/run/mandos.pid"
1245
try:
1246
pidfile = open(pidfilename, u"w")
1247
except IOError:
1248
logger.error(u"Could not open file %r", pidfilename)
1249
1250
try:
1251
uid = pwd.getpwnam(u"_mandos").pw_uid
1252
gid = pwd.getpwnam(u"_mandos").pw_gid
1253
except KeyError:
1254
try:
1255
uid = pwd.getpwnam(u"mandos").pw_uid
1256
gid = pwd.getpwnam(u"mandos").pw_gid
1257
except KeyError:
1258
try:
1259
uid = pwd.getpwnam(u"nobody").pw_uid
1260
gid = pwd.getpwnam(u"nobody").pw_gid
1261
except KeyError:
1262
uid = 65534
1263
gid = 65534
1264
try:
1265
os.setgid(gid)
1266
os.setuid(uid)
1267
except OSError, error:
1268
if error[0] != errno.EPERM:
1269
raise error
1270
1271
# Enable all possible GnuTLS debugging
1272
if debug:
1273
# "Use a log level over 10 to enable all debugging options."
1274
# - GnuTLS manual
1275
gnutls.library.functions.gnutls_global_set_log_level(11)
1276
1277
@gnutls.library.types.gnutls_log_func
1278
def debug_gnutls(level, string):
1279
logger.debug(u"GnuTLS: %s", string[:-1])
1280
1281
(gnutls.library.functions
1282
.gnutls_global_set_log_function(debug_gnutls))
741
1283
742
1284
global service
743
service = AvahiService(name = server_settings["servicename"],
744
type = "_mandos._tcp", );
1285
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1286
service = AvahiService(name = server_settings[u"servicename"],
1287
servicetype = u"_mandos._tcp",
1288
protocol = protocol)
745
1289
if server_settings["interface"]:
746
service.interface = if_nametoindex(server_settings["interface"])
1290
service.interface = (if_nametoindex
1291
(str(server_settings[u"interface"])))
747
1292
748
1293
global main_loop
749
1294
global bus
752
1297
DBusGMainLoop(set_as_default=True )
753
1298
main_loop = gobject.MainLoop()
754
1299
bus = dbus.SystemBus()
755
server = dbus.Interface(
756
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
757
avahi.DBUS_INTERFACE_SERVER )
1300
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1301
avahi.DBUS_PATH_SERVER),
1302
avahi.DBUS_INTERFACE_SERVER)
758
1303
# End of Avahi example code
759
760
clients = Set()
761
def remove_from_clients(client):
762
clients.remove(client)
763
if not clients:
764
logger.critical(u"No clients left, exiting")
765
sys.exit()
766
767
clients.update(Set(Client(name = section,
768
stop_hook = remove_from_clients,
769
config
770
= dict(client_config.items(section)))
771
for section in client_config.sections()))
1304
if use_dbus:
1305
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1306
1307
client_class = Client
1308
if use_dbus:
1309
client_class = ClientDBus
1310
clients.update(set(
1311
client_class(name = section,
1312
config= dict(client_config.items(section)))
1313
for section in client_config.sections()))
772
1314
if not clients:
773
logger.critical(u"No clients defined")
774
sys.exit(1)
1315
logger.warning(u"No clients defined")
775
1316
776
if not debug:
1317
if debug:
1318
# Redirect stdin so all checkers get /dev/null
1319
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1320
os.dup2(null, sys.stdin.fileno())
1321
if null > 2:
1322
os.close(null)
1323
else:
1324
# No console logging
777
1325
logger.removeHandler(console)
1326
# Close all input and output, do double fork, etc.
778
1327
daemon()
779
1328
780
pidfilename = "/var/run/mandos/mandos.pid"
781
pid = os.getpid()
782
1329
try:
783
pidfile = open(pidfilename, "w")
784
pidfile.write(str(pid) + "\n")
785
pidfile.close()
1330
with closing(pidfile):
1331
pid = os.getpid()
1332
pidfile.write(str(pid) + "\n")
786
1333
del pidfile
787
except IOError, err:
788
logger.error(u"Could not write %s file with PID %d",
789
pidfilename, os.getpid())
1334
except IOError:
1335
logger.error(u"Could not write to file %r with PID %d",
1336
pidfilename, pid)
1337
except NameError:
1338
# "pidfile" was never created
1339
pass
1340
del pidfilename
790
1341
791
1342
def cleanup():
792
1343
"Cleanup function; run on exit"
799
1350
800
1351
while clients:
801
1352
client = clients.pop()
802
client.stop_hook = None
803
client.stop()
1353
client.disable_hook = None
1354
client.disable()
804
1355
805
1356
atexit.register(cleanup)
806
1357
809
1360
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
810
1361
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
811
1362
1363
if use_dbus:
1364
class MandosDBusService(dbus.service.Object):
1365
"""A D-Bus proxy object"""
1366
def __init__(self):
1367
dbus.service.Object.__init__(self, bus, u"/")
1368
_interface = u"se.bsnet.fukt.Mandos"
1369
1370
@dbus.service.signal(_interface, signature=u"oa{sv}")
1371
def ClientAdded(self, objpath, properties):
1372
"D-Bus signal"
1373
pass
1374
1375
@dbus.service.signal(_interface, signature=u"s")
1376
def ClientNotFound(self, fingerprint):
1377
"D-Bus signal"
1378
pass
1379
1380
@dbus.service.signal(_interface, signature=u"os")
1381
def ClientRemoved(self, objpath, name):
1382
"D-Bus signal"
1383
pass
1384
1385
@dbus.service.method(_interface, out_signature=u"ao")
1386
def GetAllClients(self):
1387
"D-Bus method"
1388
return dbus.Array(c.dbus_object_path for c in clients)
1389
1390
@dbus.service.method(_interface,
1391
out_signature=u"a{oa{sv}}")
1392
def GetAllClientsWithProperties(self):
1393
"D-Bus method"
1394
return dbus.Dictionary(
1395
((c.dbus_object_path, c.GetAllProperties())
1396
for c in clients),
1397
signature=u"oa{sv}")
1398
1399
@dbus.service.method(_interface, in_signature=u"o")
1400
def RemoveClient(self, object_path):
1401
"D-Bus method"
1402
for c in clients:
1403
if c.dbus_object_path == object_path:
1404
clients.remove(c)
1405
c.remove_from_connection()
1406
# Don't signal anything except ClientRemoved
1407
c.disable(signal=False)
1408
# Emit D-Bus signal
1409
self.ClientRemoved(object_path, c.name)
1410
return
1411
raise KeyError
1412
1413
del _interface
1414
1415
mandos_dbus_service = MandosDBusService()
1416
812
1417
for client in clients:
813
client.start()
814
815
tcp_server = IPv6_TCPServer((server_settings["address"],
816
server_settings["port"]),
817
tcp_handler,
818
settings=server_settings,
819
clients=clients)
1418
if use_dbus:
1419
# Emit D-Bus signal
1420
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1421
client.GetAllProperties())
1422
client.enable()
1423
1424
tcp_server.enable()
1425
tcp_server.server_activate()
1426
820
1427
# Find out what port we got
821
1428
service.port = tcp_server.socket.getsockname()[1]
822
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
823
u" scope_id %d" % tcp_server.socket.getsockname())
1429
if use_ipv6:
1430
logger.info(u"Now listening on address %r, port %d,"
1431
" flowinfo %d, scope_id %d"
1432
% tcp_server.socket.getsockname())
1433
else: # IPv4
1434
logger.info(u"Now listening on address %r, port %d"
1435
% tcp_server.socket.getsockname())
824
1436
825
1437
#service.interface = tcp_server.socket.getsockname()[3]
826
1438
827
1439
try:
828
1440
# From the Avahi example code
829
server.connect_to_signal("StateChanged", server_state_changed)
1441
server.connect_to_signal(u"StateChanged", server_state_changed)
830
1442
try:
831
1443
server_state_changed(server.GetState())
832
1444
except dbus.exceptions.DBusException, error:
836
1448
837
1449
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
838
1450
lambda *args, **kwargs:
839
tcp_server.handle_request\
840
(*args[2:], **kwargs) or True)
1451
(tcp_server.handle_request
1452
(*args[2:], **kwargs) or True))
841
1453
842
1454
logger.debug(u"Starting main loop")
843
main_loop_started = True
844
1455
main_loop.run()
845
1456
except AvahiError, error:
846
logger.critical(u"AvahiError: %s" + unicode(error))
1457
logger.critical(u"AvahiError: %s", error)
847
1458
sys.exit(1)
848
1459
except KeyboardInterrupt:
849
1460
if debug:
850
print
1461
print >> sys.stderr
1462
logger.debug(u"Server received KeyboardInterrupt")
1463
logger.debug(u"Server exiting")
851
1464
852
1465
if __name__ == '__main__':
853
1466
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0