To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 389
- compare with another revision
- download diff
- download tarball
- view history from revision 389
- Committer: Teddy Hogeborn
- Date: 2009-10-18 08:47:40 UTC
- Revision ID: teddy@fukt.bsnet.se-20091018084740-fa1qgm22lg125r10
* plugins.d/splashy.c: Use exit codes from <sysexits.h>.
- files removed:
- dbus-mandos.conf
- files modified:
- Makefile
added
removed
mandos
55
55
import logging
56
56
import logging.handlers
57
57
import pwd
58
import contextlib
58
from contextlib import closing
59
59
import struct
60
60
import fcntl
61
61
import functools
62
import cPickle as pickle
63
import multiprocessing
64
62
65
63
import dbus
66
64
import dbus.service
81
79
SO_BINDTODEVICE = None
82
80
83
81
84
version = "1.0.14"
82
version = "1.0.12"
85
83
86
#logger = logging.getLogger(u'mandos')
87
84
logger = logging.Logger(u'mandos')
88
85
syslogger = (logging.handlers.SysLogHandler
89
86
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
157
154
u" after %i retries, exiting.",
158
155
self.rename_count)
159
156
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
157
self.name = self.server.GetAlternativeServiceName(self.name)
161
158
logger.info(u"Changing Zeroconf service name to %r ...",
162
self.name)
159
unicode(self.name))
163
160
syslogger.setFormatter(logging.Formatter
164
161
(u'Mandos (%s) [%%(process)d]:'
165
162
u' %%(levelname)s: %%(message)s'
245
242
enabled: bool()
246
243
last_checked_ok: datetime.datetime(); (UTC) or None
247
244
timeout: datetime.timedelta(); How long from last_checked_ok
248
until this client is disabled
245
until this client is invalid
249
246
interval: datetime.timedelta(); How often to start a new checker
250
247
disable_hook: If set, called by disable() as disable_hook(self)
251
248
checker: subprocess.Popen(); a running checker process used
259
256
runtime with vars(self) as dict, so that for
260
257
instance %(name)s can be used in the command.
261
258
current_checker_command: string; current running checker_command
262
approved_delay: datetime.timedelta(); Time to wait for approval
263
_approved: bool(); 'None' if not yet approved/disapproved
264
approved_duration: datetime.timedelta(); Duration of one approval
265
259
"""
266
260
267
261
@staticmethod
278
272
def interval_milliseconds(self):
279
273
"Return the 'interval' attribute in milliseconds"
280
274
return self._timedelta_to_milliseconds(self.interval)
281
282
def approved_delay_milliseconds(self):
283
return self._timedelta_to_milliseconds(self.approved_delay)
284
275
285
276
def __init__(self, name = None, disable_hook=None, config=None):
286
277
"""Note: the 'checker' key in 'config' sets the
299
290
if u"secret" in config:
300
291
self.secret = config[u"secret"].decode(u"base64")
301
292
elif u"secfile" in config:
302
with open(os.path.expanduser(os.path.expandvars
303
(config[u"secfile"])),
304
"rb") as secfile:
293
with closing(open(os.path.expanduser
294
(os.path.expandvars
295
(config[u"secfile"])),
296
"rb")) as secfile:
305
297
self.secret = secfile.read()
306
298
else:
307
299
raise TypeError(u"No secret or secfile for client %s"
321
313
self.checker_command = config[u"checker"]
322
314
self.current_checker_command = None
323
315
self.last_connect = None
324
self._approved = None
325
self.approved_by_default = config.get(u"approved_by_default",
326
True)
327
self.approvals_pending = 0
328
self.approved_delay = string_to_delta(
329
config[u"approved_delay"])
330
self.approved_duration = string_to_delta(
331
config[u"approved_duration"])
332
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
333
316
334
def send_changedstate(self):
335
self.changedstate.acquire()
336
self.changedstate.notify_all()
337
self.changedstate.release()
338
339
317
def enable(self):
340
318
"""Start this client's checker and timeout hooks"""
341
319
if getattr(self, u"enabled", False):
342
320
# Already enabled
343
321
return
344
self.send_changedstate()
345
322
self.last_enabled = datetime.datetime.utcnow()
346
323
# Schedule a new checker to be started an 'interval' from now,
347
324
# and every interval from then on.
348
325
self.checker_initiator_tag = (gobject.timeout_add
349
326
(self.interval_milliseconds(),
350
327
self.start_checker))
328
# Also start a new checker *right now*.
329
self.start_checker()
351
330
# Schedule a disable() when 'timeout' has passed
352
331
self.disable_initiator_tag = (gobject.timeout_add
353
332
(self.timeout_milliseconds(),
354
333
self.disable))
355
334
self.enabled = True
356
# Also start a new checker *right now*.
357
self.start_checker()
358
335
359
def disable(self, quiet=True):
336
def disable(self):
360
337
"""Disable this client."""
361
338
if not getattr(self, "enabled", False):
362
339
return False
363
if not quiet:
364
self.send_changedstate()
365
if not quiet:
366
logger.info(u"Disabling client %s", self.name)
340
logger.info(u"Disabling client %s", self.name)
367
341
if getattr(self, u"disable_initiator_tag", False):
368
342
gobject.source_remove(self.disable_initiator_tag)
369
343
self.disable_initiator_tag = None
421
395
# client would inevitably timeout, since no checker would get
422
396
# a chance to run to completion. If we instead leave running
423
397
# checkers alone, the checker would have to take more time
424
# than 'timeout' for the client to be disabled, which is as it
425
# should be.
398
# than 'timeout' for the client to be declared invalid, which
399
# is as it should be.
426
400
427
401
# If a checker exists, make sure it is not a zombie
428
402
try:
493
467
logger.debug(u"Stopping checker for %(name)s", vars(self))
494
468
try:
495
469
os.kill(self.checker.pid, signal.SIGTERM)
496
#time.sleep(0.5)
470
#os.sleep(0.5)
497
471
#if self.checker.poll() is None:
498
472
# os.kill(self.checker.pid, signal.SIGKILL)
499
473
except OSError, error:
500
474
if error.errno != errno.ESRCH: # No such process
501
475
raise
502
476
self.checker = None
477
478
def still_valid(self):
479
"""Has the timeout not yet passed for this client?"""
480
if not getattr(self, u"enabled", False):
481
return False
482
now = datetime.datetime.utcnow()
483
if self.last_checked_ok is None:
484
return now < (self.created + self.timeout)
485
else:
486
return now < (self.last_checked_ok + self.timeout)
487
503
488
504
489
def dbus_service_property(dbus_interface, signature=u"v",
505
490
access=u"readwrite", byte_arrays=False):
513
498
dbus.service.method, except there is only "signature", since the
514
499
type from Get() and the type sent to Set() is the same.
515
500
"""
516
# Encoding deeply encoded byte arrays is not supported yet by the
517
# "Set" method, so we fail early here:
518
if byte_arrays and signature != u"ay":
519
raise ValueError(u"Byte arrays not supported for non-'ay'"
520
u" signature %r" % signature)
521
501
def decorator(func):
522
502
func._dbus_is_property = True
523
503
func._dbus_interface = dbus_interface
609
589
if prop._dbus_access == u"read":
610
590
raise DBusPropertyAccessException(property_name)
611
591
if prop._dbus_get_args_options[u"byte_arrays"]:
612
# The byte_arrays option is not supported yet on
613
# signatures other than "ay".
614
if prop._dbus_signature != u"ay":
615
raise ValueError
616
592
value = dbus.ByteArray(''.join(unichr(byte)
617
593
for byte in value))
618
594
prop(value)
700
676
# dbus.service.Object doesn't use super(), so we can't either.
701
677
702
678
def __init__(self, bus = None, *args, **kwargs):
703
self._approvals_pending = 0
704
679
self.bus = bus
705
680
Client.__init__(self, *args, **kwargs)
706
681
# Only now, when this client is initialized, can it show up on
710
685
+ self.name.replace(u".", u"_")))
711
686
DBusObjectWithProperties.__init__(self, self.bus,
712
687
self.dbus_object_path)
713
714
def _get_approvals_pending(self):
715
return self._approvals_pending
716
def _set_approvals_pending(self, value):
717
old_value = self._approvals_pending
718
self._approvals_pending = value
719
bval = bool(value)
720
if (hasattr(self, "dbus_object_path")
721
and bval is not bool(old_value)):
722
dbus_bool = dbus.Boolean(bval, variant_level=1)
723
self.PropertyChanged(dbus.String(u"approved_pending"),
724
dbus_bool)
725
726
approvals_pending = property(_get_approvals_pending,
727
_set_approvals_pending)
728
del _get_approvals_pending, _set_approvals_pending
729
688
730
689
@staticmethod
731
690
def _datetime_to_dbus(dt, variant_level=0):
746
705
variant_level=1))
747
706
return r
748
707
749
def disable(self, quiet = False):
708
def disable(self, signal = True):
750
709
oldstate = getattr(self, u"enabled", False)
751
r = Client.disable(self, quiet=quiet)
752
if not quiet and oldstate != self.enabled:
710
r = Client.disable(self)
711
if signal and oldstate != self.enabled:
753
712
# Emit D-Bus signal
754
713
self.PropertyChanged(dbus.String(u"enabled"),
755
714
dbus.Boolean(False, variant_level=1))
820
779
self.PropertyChanged(dbus.String(u"checker_running"),
821
780
dbus.Boolean(False, variant_level=1))
822
781
return r
823
824
def _reset_approved(self):
825
self._approved = None
826
return False
827
828
def approve(self, value=True):
829
self.send_changedstate()
830
self._approved = value
831
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
832
self._reset_approved)
833
834
835
## D-Bus methods, signals & properties
782
783
## D-Bus methods & signals
836
784
_interface = u"se.bsnet.fukt.Mandos.Client"
837
785
838
## Signals
786
# CheckedOK - method
787
@dbus.service.method(_interface)
788
def CheckedOK(self):
789
return self.checked_ok()
839
790
840
791
# CheckerCompleted - signal
841
792
@dbus.service.signal(_interface, signature=u"nxs")
858
809
# GotSecret - signal
859
810
@dbus.service.signal(_interface)
860
811
def GotSecret(self):
861
"""D-Bus signal
862
Is sent after a successful transfer of secret from the Mandos
863
server to mandos-client
864
"""
812
"D-Bus signal"
865
813
pass
866
814
867
815
# Rejected - signal
868
@dbus.service.signal(_interface, signature=u"s")
869
def Rejected(self, reason):
870
"D-Bus signal"
871
pass
872
873
# NeedApproval - signal
874
@dbus.service.signal(_interface, signature=u"db")
875
def NeedApproval(self, timeout, default):
876
"D-Bus signal"
877
pass
878
879
## Methods
880
881
# Approve - method
882
@dbus.service.method(_interface, in_signature=u"b")
883
def Approve(self, value):
884
self.approve(value)
885
886
# CheckedOK - method
887
@dbus.service.method(_interface)
888
def CheckedOK(self):
889
return self.checked_ok()
816
@dbus.service.signal(_interface)
817
def Rejected(self):
818
"D-Bus signal"
819
pass
890
820
891
821
# Enable - method
892
822
@dbus.service.method(_interface)
911
841
def StopChecker(self):
912
842
self.stop_checker()
913
843
914
## Properties
915
916
# approved_pending - property
917
@dbus_service_property(_interface, signature=u"b", access=u"read")
918
def approved_pending_dbus_property(self):
919
return dbus.Boolean(bool(self.approvals_pending))
920
921
# approved_by_default - property
922
@dbus_service_property(_interface, signature=u"b",
923
access=u"readwrite")
924
def approved_by_default_dbus_property(self):
925
return dbus.Boolean(self.approved_by_default)
926
927
# approved_delay - property
928
@dbus_service_property(_interface, signature=u"t",
929
access=u"readwrite")
930
def approved_delay_dbus_property(self):
931
return dbus.UInt64(self.approved_delay_milliseconds())
932
933
# approved_duration - property
934
@dbus_service_property(_interface, signature=u"t",
935
access=u"readwrite")
936
def approved_duration_dbus_property(self):
937
return dbus.UInt64(self._timedelta_to_milliseconds(
938
self.approved_duration))
939
940
844
# name - property
941
845
@dbus_service_property(_interface, signature=u"s", access=u"read")
942
846
def name_dbus_property(self):
1076
980
del _interface
1077
981
1078
982
1079
class ProxyClient(object):
1080
def __init__(self, child_pipe, fpr, address):
1081
self._pipe = child_pipe
1082
self._pipe.send(('init', fpr, address))
1083
if not self._pipe.recv():
1084
raise KeyError()
1085
1086
def __getattribute__(self, name):
1087
if(name == '_pipe'):
1088
return super(ProxyClient, self).__getattribute__(name)
1089
self._pipe.send(('getattr', name))
1090
data = self._pipe.recv()
1091
if data[0] == 'data':
1092
return data[1]
1093
if data[0] == 'function':
1094
def func(*args, **kwargs):
1095
self._pipe.send(('funcall', name, args, kwargs))
1096
return self._pipe.recv()[1]
1097
return func
1098
1099
def __setattr__(self, name, value):
1100
if(name == '_pipe'):
1101
return super(ProxyClient, self).__setattr__(name, value)
1102
self._pipe.send(('setattr', name, value))
1103
1104
1105
983
class ClientHandler(socketserver.BaseRequestHandler, object):
1106
984
"""A class to handle client connections.
1107
985
1109
987
Note: This will run in its own forked process."""
1110
988
1111
989
def handle(self):
1112
with contextlib.closing(self.server.child_pipe) as child_pipe:
1113
logger.info(u"TCP connection from: %s",
1114
unicode(self.client_address))
1115
logger.debug(u"Pipe FD: %d",
1116
self.server.child_pipe.fileno())
1117
990
logger.info(u"TCP connection from: %s",
991
unicode(self.client_address))
992
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
993
# Open IPC pipe to parent process
994
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1118
995
session = (gnutls.connection
1119
996
.ClientSession(self.request,
1120
997
gnutls.connection
1121
998
.X509Credentials()))
1122
999
1000
line = self.request.makefile().readline()
1001
logger.debug(u"Protocol version: %r", line)
1002
try:
1003
if int(line.strip().split()[0]) > 1:
1004
raise RuntimeError
1005
except (ValueError, IndexError, RuntimeError), error:
1006
logger.error(u"Unknown protocol version: %s", error)
1007
return
1008
1123
1009
# Note: gnutls.connection.X509Credentials is really a
1124
1010
# generic GnuTLS certificate credentials object so long as
1125
1011
# no X.509 keys are added to it. Therefore, we can use it
1126
1012
# here despite using OpenPGP certificates.
1127
1013
1128
1014
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1129
1015
# u"+AES-256-CBC", u"+SHA1",
1130
1016
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1136
1022
(gnutls.library.functions
1137
1023
.gnutls_priority_set_direct(session._c_object,
1138
1024
priority, None))
1139
1140
# Start communication using the Mandos protocol
1141
# Get protocol number
1142
line = self.request.makefile().readline()
1143
logger.debug(u"Protocol version: %r", line)
1144
try:
1145
if int(line.strip().split()[0]) > 1:
1146
raise RuntimeError
1147
except (ValueError, IndexError, RuntimeError), error:
1148
logger.error(u"Unknown protocol version: %s", error)
1149
return
1150
1151
# Start GnuTLS connection
1025
1152
1026
try:
1153
1027
session.handshake()
1154
1028
except gnutls.errors.GNUTLSError, error:
1157
1031
# established. Just abandon the request.
1158
1032
return
1159
1033
logger.debug(u"Handshake succeeded")
1160
1161
approval_required = False
1162
1034
try:
1163
try:
1164
fpr = self.fingerprint(self.peer_certificate
1165
(session))
1166
except (TypeError, gnutls.errors.GNUTLSError), error:
1167
logger.warning(u"Bad certificate: %s", error)
1168
return
1169
logger.debug(u"Fingerprint: %s", fpr)
1170
1171
try:
1172
client = ProxyClient(child_pipe, fpr,
1173
self.client_address)
1174
except KeyError:
1175
return
1176
1177
if client.approved_delay:
1178
delay = client.approved_delay
1179
client.approvals_pending += 1
1180
approval_required = True
1181
1182
while True:
1183
if not client.enabled:
1184
logger.warning(u"Client %s is disabled",
1185
client.name)
1186
if self.server.use_dbus:
1187
# Emit D-Bus signal
1188
client.Rejected("Disabled")
1189
return
1190
1191
if client._approved or not client.approved_delay:
1192
#We are approved or approval is disabled
1193
break
1194
elif client._approved is None:
1195
logger.info(u"Client %s need approval",
1196
client.name)
1197
if self.server.use_dbus:
1198
# Emit D-Bus signal
1199
client.NeedApproval(
1200
client.approved_delay_milliseconds(),
1201
client.approved_by_default)
1202
else:
1203
logger.warning(u"Client %s was not approved",
1204
client.name)
1205
if self.server.use_dbus:
1206
# Emit D-Bus signal
1207
client.Rejected("Disapproved")
1208
return
1209
1210
#wait until timeout or approved
1211
#x = float(client._timedelta_to_milliseconds(delay))
1212
time = datetime.datetime.now()
1213
client.changedstate.acquire()
1214
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1215
client.changedstate.release()
1216
time2 = datetime.datetime.now()
1217
if (time2 - time) >= delay:
1218
if not client.approved_by_default:
1219
logger.warning("Client %s timed out while"
1220
" waiting for approval",
1221
client.name)
1222
if self.server.use_dbus:
1223
# Emit D-Bus signal
1224
client.Rejected("Time out")
1225
return
1226
else:
1227
break
1228
else:
1229
delay -= time2 - time
1230
1231
sent_size = 0
1232
while sent_size < len(client.secret):
1233
try:
1234
sent = session.send(client.secret[sent_size:])
1235
except (gnutls.errors.GNUTLSError), error:
1236
logger.warning("gnutls send failed")
1237
return
1238
logger.debug(u"Sent: %d, remaining: %d",
1239
sent, len(client.secret)
1240
- (sent_size + sent))
1241
sent_size += sent
1242
1243
logger.info(u"Sending secret to %s", client.name)
1244
# bump the timeout as if seen
1245
client.checked_ok()
1246
if self.server.use_dbus:
1247
# Emit D-Bus signal
1248
client.GotSecret()
1035
fpr = self.fingerprint(self.peer_certificate(session))
1036
except (TypeError, gnutls.errors.GNUTLSError), error:
1037
logger.warning(u"Bad certificate: %s", error)
1038
session.bye()
1039
return
1040
logger.debug(u"Fingerprint: %s", fpr)
1249
1041
1250
finally:
1251
if approval_required:
1252
client.approvals_pending -= 1
1253
try:
1254
session.bye()
1255
except (gnutls.errors.GNUTLSError), error:
1256
logger.warning("gnutls bye failed")
1042
for c in self.server.clients:
1043
if c.fingerprint == fpr:
1044
client = c
1045
break
1046
else:
1047
ipc.write(u"NOTFOUND %s %s\n"
1048
% (fpr, unicode(self.client_address)))
1049
session.bye()
1050
return
1051
# Have to check if client.still_valid(), since it is
1052
# possible that the client timed out while establishing
1053
# the GnuTLS session.
1054
if not client.still_valid():
1055
ipc.write(u"INVALID %s\n" % client.name)
1056
session.bye()
1057
return
1058
ipc.write(u"SENDING %s\n" % client.name)
1059
sent_size = 0
1060
while sent_size < len(client.secret):
1061
sent = session.send(client.secret[sent_size:])
1062
logger.debug(u"Sent: %d, remaining: %d",
1063
sent, len(client.secret)
1064
- (sent_size + sent))
1065
sent_size += sent
1066
session.bye()
1257
1067
1258
1068
@staticmethod
1259
1069
def peer_certificate(session):
1319
1129
return hex_fpr
1320
1130
1321
1131
1322
class MultiprocessingMixIn(object):
1323
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1324
def sub_process_main(self, request, address):
1325
try:
1326
self.finish_request(request, address)
1327
except:
1328
self.handle_error(request, address)
1329
self.close_request(request)
1330
1331
def process_request(self, request, address):
1332
"""Start a new process to process the request."""
1333
multiprocessing.Process(target = self.sub_process_main,
1334
args = (request, address)).start()
1335
1336
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1337
""" adds a pipe to the MixIn """
1132
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
1133
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1338
1134
def process_request(self, request, client_address):
1339
1135
"""Overrides and wraps the original process_request().
1340
1136
1341
1137
This function creates a new pipe in self.pipe
1342
1138
"""
1343
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1344
1345
super(MultiprocessingMixInWithPipe,
1139
self.pipe = os.pipe()
1140
super(ForkingMixInWithPipe,
1346
1141
self).process_request(request, client_address)
1347
self.child_pipe.close()
1348
self.add_pipe(parent_pipe)
1349
1350
def add_pipe(self, parent_pipe):
1142
os.close(self.pipe[1]) # close write end
1143
self.add_pipe(self.pipe[0])
1144
def add_pipe(self, pipe):
1351
1145
"""Dummy function; override as necessary"""
1352
pass
1353
1354
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1146
os.close(pipe)
1147
1148
1149
class IPv6_TCPServer(ForkingMixInWithPipe,
1355
1150
socketserver.TCPServer, object):
1356
1151
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1357
1152
1442
1237
return socketserver.TCPServer.server_activate(self)
1443
1238
def enable(self):
1444
1239
self.enabled = True
1445
def add_pipe(self, parent_pipe):
1240
def add_pipe(self, pipe):
1446
1241
# Call "handle_ipc" for both data and EOF events
1447
gobject.io_add_watch(parent_pipe.fileno(),
1448
gobject.IO_IN | gobject.IO_HUP,
1449
functools.partial(self.handle_ipc,
1450
parent_pipe = parent_pipe))
1451
1452
def handle_ipc(self, source, condition, parent_pipe=None,
1453
client_object=None):
1242
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1243
self.handle_ipc)
1244
def handle_ipc(self, source, condition, file_objects={}):
1454
1245
condition_names = {
1455
1246
gobject.IO_IN: u"IN", # There is data to read.
1456
1247
gobject.IO_OUT: u"OUT", # Data can be written (without
1467
1258
if cond & condition)
1468
1259
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1469
1260
conditions_string)
1470
1471
# error or the other end of multiprocessing.Pipe has closed
1472
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1473
return False
1474
1475
# Read a request from the child
1476
request = parent_pipe.recv()
1477
logger.debug(u"IPC request: %s", repr(request))
1478
command = request[0]
1479
1480
if command == 'init':
1481
fpr = request[1]
1482
address = request[2]
1483
1484
for c in self.clients:
1485
if c.fingerprint == fpr:
1486
client = c
1487
break
1488
else:
1489
logger.warning(u"Client not found for fingerprint: %s, ad"
1490
u"dress: %s", fpr, address)
1491
if self.use_dbus:
1492
# Emit D-Bus signal
1493
mandos_dbus_service.ClientNotFound(fpr, address)
1494
parent_pipe.send(False)
1495
return False
1496
1497
gobject.io_add_watch(parent_pipe.fileno(),
1498
gobject.IO_IN | gobject.IO_HUP,
1499
functools.partial(self.handle_ipc,
1500
parent_pipe = parent_pipe,
1501
client_object = client))
1502
parent_pipe.send(True)
1503
# remove the old hook in favor of the new above hook on same fileno
1504
return False
1505
if command == 'funcall':
1506
funcname = request[1]
1507
args = request[2]
1508
kwargs = request[3]
1509
1510
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1511
1512
if command == 'getattr':
1513
attrname = request[1]
1514
if callable(client_object.__getattribute__(attrname)):
1515
parent_pipe.send(('function',))
1516
else:
1517
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1518
1519
if command == 'setattr':
1520
attrname = request[1]
1521
value = request[2]
1522
setattr(client_object, attrname, value)
1523
1261
1262
# Turn the pipe file descriptor into a Python file object
1263
if source not in file_objects:
1264
file_objects[source] = os.fdopen(source, u"r", 1)
1265
1266
# Read a line from the file object
1267
cmdline = file_objects[source].readline()
1268
if not cmdline: # Empty line means end of file
1269
# close the IPC pipe
1270
file_objects[source].close()
1271
del file_objects[source]
1272
1273
# Stop calling this function
1274
return False
1275
1276
logger.debug(u"IPC command: %r", cmdline)
1277
1278
# Parse and act on command
1279
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1280
1281
if cmd == u"NOTFOUND":
1282
logger.warning(u"Client not found for fingerprint: %s",
1283
args)
1284
if self.use_dbus:
1285
# Emit D-Bus signal
1286
mandos_dbus_service.ClientNotFound(args)
1287
elif cmd == u"INVALID":
1288
for client in self.clients:
1289
if client.name == args:
1290
logger.warning(u"Client %s is invalid", args)
1291
if self.use_dbus:
1292
# Emit D-Bus signal
1293
client.Rejected()
1294
break
1295
else:
1296
logger.error(u"Unknown client %s is invalid", args)
1297
elif cmd == u"SENDING":
1298
for client in self.clients:
1299
if client.name == args:
1300
logger.info(u"Sending secret to %s", client.name)
1301
client.checked_ok()
1302
if self.use_dbus:
1303
# Emit D-Bus signal
1304
client.GotSecret()
1305
break
1306
else:
1307
logger.error(u"Sending secret to unknown client %s",
1308
args)
1309
else:
1310
logger.error(u"Unknown IPC command: %r", cmdline)
1311
1312
# Keep calling this function
1524
1313
return True
1525
1314
1526
1315
1556
1345
elif suffix == u"w":
1557
1346
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1558
1347
else:
1559
raise ValueError(u"Unknown suffix %r" % suffix)
1560
except (ValueError, IndexError), e:
1561
raise ValueError(e.message)
1348
raise ValueError
1349
except (ValueError, IndexError):
1350
raise ValueError
1562
1351
timevalue += delta
1563
1352
return timevalue
1564
1353
1577
1366
def if_nametoindex(interface):
1578
1367
"Get an interface index the hard way, i.e. using fcntl()"
1579
1368
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1580
with contextlib.closing(socket.socket()) as s:
1369
with closing(socket.socket()) as s:
1581
1370
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1582
1371
struct.pack(str(u"16s16x"),
1583
1372
interface))
1629
1418
parser.add_option("--debug", action=u"store_true",
1630
1419
help=u"Debug mode; run in foreground and log to"
1631
1420
u" terminal")
1632
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1633
help=u"Debug level for stdout output")
1634
1421
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1635
1422
u" priority string (see GnuTLS documentation)")
1636
1423
parser.add_option("--servicename", type=u"string",
1661
1448
u"servicename": u"Mandos",
1662
1449
u"use_dbus": u"True",
1663
1450
u"use_ipv6": u"True",
1664
u"debuglevel": u"",
1665
1451
}
1666
1452
1667
1453
# Parse config file for server-global settings
1684
1470
# options, if set.
1685
1471
for option in (u"interface", u"address", u"port", u"debug",
1686
1472
u"priority", u"servicename", u"configdir",
1687
u"use_dbus", u"use_ipv6", u"debuglevel"):
1473
u"use_dbus", u"use_ipv6"):
1688
1474
value = getattr(options, option)
1689
1475
if value is not None:
1690
1476
server_settings[option] = value
1699
1485
1700
1486
# For convenience
1701
1487
debug = server_settings[u"debug"]
1702
debuglevel = server_settings[u"debuglevel"]
1703
1488
use_dbus = server_settings[u"use_dbus"]
1704
1489
use_ipv6 = server_settings[u"use_ipv6"]
1705
1490
1491
if not debug:
1492
syslogger.setLevel(logging.WARNING)
1493
console.setLevel(logging.WARNING)
1494
1706
1495
if server_settings[u"servicename"] != u"Mandos":
1707
1496
syslogger.setFormatter(logging.Formatter
1708
1497
(u'Mandos (%s) [%%(process)d]:'
1714
1503
u"interval": u"5m",
1715
1504
u"checker": u"fping -q -- %%(host)s",
1716
1505
u"host": u"",
1717
u"approved_delay": u"0s",
1718
u"approved_duration": u"1s",
1719
1506
}
1720
1507
client_config = configparser.SafeConfigParser(client_defaults)
1721
1508
client_config.read(os.path.join(server_settings[u"configdir"],
1760
1547
raise error
1761
1548
1762
1549
# Enable all possible GnuTLS debugging
1763
1764
1765
if not debug and not debuglevel:
1766
syslogger.setLevel(logging.WARNING)
1767
console.setLevel(logging.WARNING)
1768
if debuglevel:
1769
level = getattr(logging, debuglevel.upper())
1770
syslogger.setLevel(level)
1771
console.setLevel(level)
1772
1773
1550
if debug:
1774
1551
# "Use a log level over 10 to enable all debugging options."
1775
1552
# - GnuTLS manual
1781
1558
1782
1559
(gnutls.library.functions
1783
1560
.gnutls_global_set_log_function(debug_gnutls))
1784
1785
# Redirect stdin so all checkers get /dev/null
1786
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1787
os.dup2(null, sys.stdin.fileno())
1788
if null > 2:
1789
os.close(null)
1790
else:
1791
# No console logging
1792
logger.removeHandler(console)
1793
1794
1561
1795
1562
global main_loop
1796
1563
# From the Avahi example code
1799
1566
bus = dbus.SystemBus()
1800
1567
# End of Avahi example code
1801
1568
if use_dbus:
1802
try:
1803
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1804
bus, do_not_queue=True)
1805
except dbus.exceptions.NameExistsException, e:
1806
logger.error(unicode(e) + u", disabling D-Bus")
1807
use_dbus = False
1808
server_settings[u"use_dbus"] = False
1809
tcp_server.use_dbus = False
1569
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1810
1570
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1811
1571
service = AvahiService(name = server_settings[u"servicename"],
1812
1572
servicetype = u"_mandos._tcp",
1814
1574
if server_settings["interface"]:
1815
1575
service.interface = (if_nametoindex
1816
1576
(str(server_settings[u"interface"])))
1817
1818
if not debug:
1819
# Close all input and output, do double fork, etc.
1820
daemon()
1821
1822
global multiprocessing_manager
1823
multiprocessing_manager = multiprocessing.Manager()
1824
1577
1825
1578
client_class = Client
1826
1579
if use_dbus:
1827
1580
client_class = functools.partial(ClientDBus, bus = bus)
1828
def client_config_items(config, section):
1829
special_settings = {
1830
"approved_by_default":
1831
lambda: config.getboolean(section,
1832
"approved_by_default"),
1833
}
1834
for name, value in config.items(section):
1835
try:
1836
yield (name, special_settings[name]())
1837
except KeyError:
1838
yield (name, value)
1839
1840
1581
tcp_server.clients.update(set(
1841
1582
client_class(name = section,
1842
config= dict(client_config_items(
1843
client_config, section)))
1583
config= dict(client_config.items(section)))
1844
1584
for section in client_config.sections()))
1845
1585
if not tcp_server.clients:
1846
1586
logger.warning(u"No clients defined")
1847
1587
1588
if debug:
1589
# Redirect stdin so all checkers get /dev/null
1590
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1591
os.dup2(null, sys.stdin.fileno())
1592
if null > 2:
1593
os.close(null)
1594
else:
1595
# No console logging
1596
logger.removeHandler(console)
1597
# Close all input and output, do double fork, etc.
1598
daemon()
1599
1848
1600
try:
1849
with pidfile:
1601
with closing(pidfile):
1850
1602
pid = os.getpid()
1851
1603
pidfile.write(str(pid) + "\n")
1852
1604
del pidfile
1858
1610
pass
1859
1611
del pidfilename
1860
1612
1613
def cleanup():
1614
"Cleanup function; run on exit"
1615
service.cleanup()
1616
1617
while tcp_server.clients:
1618
client = tcp_server.clients.pop()
1619
client.disable_hook = None
1620
client.disable()
1621
1622
atexit.register(cleanup)
1623
1861
1624
if not debug:
1862
1625
signal.signal(signal.SIGINT, signal.SIG_IGN)
1863
1626
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1870
1633
dbus.service.Object.__init__(self, bus, u"/")
1871
1634
_interface = u"se.bsnet.fukt.Mandos"
1872
1635
1873
@dbus.service.signal(_interface, signature=u"o")
1874
def ClientAdded(self, objpath):
1636
@dbus.service.signal(_interface, signature=u"oa{sv}")
1637
def ClientAdded(self, objpath, properties):
1875
1638
"D-Bus signal"
1876
1639
pass
1877
1640
1878
@dbus.service.signal(_interface, signature=u"ss")
1879
def ClientNotFound(self, fingerprint, address):
1641
@dbus.service.signal(_interface, signature=u"s")
1642
def ClientNotFound(self, fingerprint):
1880
1643
"D-Bus signal"
1881
1644
pass
1882
1645
1908
1671
tcp_server.clients.remove(c)
1909
1672
c.remove_from_connection()
1910
1673
# Don't signal anything except ClientRemoved
1911
c.disable(quiet=True)
1674
c.disable(signal=False)
1912
1675
# Emit D-Bus signal
1913
1676
self.ClientRemoved(object_path, c.name)
1914
1677
return
1915
raise KeyError(object_path)
1678
raise KeyError
1916
1679
1917
1680
del _interface
1918
1681
1919
1682
mandos_dbus_service = MandosDBusService()
1920
1683
1921
def cleanup():
1922
"Cleanup function; run on exit"
1923
service.cleanup()
1924
1925
while tcp_server.clients:
1926
client = tcp_server.clients.pop()
1927
if use_dbus:
1928
client.remove_from_connection()
1929
client.disable_hook = None
1930
# Don't signal anything except ClientRemoved
1931
client.disable(quiet=True)
1932
if use_dbus:
1933
# Emit D-Bus signal
1934
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1935
client.name)
1936
1937
atexit.register(cleanup)
1938
1939
1684
for client in tcp_server.clients:
1940
1685
if use_dbus:
1941
1686
# Emit D-Bus signal
1942
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1687
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1688
client.GetAll(u""))
1943
1689
client.enable()
1944
1690
1945
1691
tcp_server.enable()
1963
1709
service.activate()
1964
1710
except dbus.exceptions.DBusException, error:
1965
1711
logger.critical(u"DBusException: %s", error)
1966
cleanup()
1967
1712
sys.exit(1)
1968
1713
# End of Avahi example code
1969
1714
1976
1721
main_loop.run()
1977
1722
except AvahiError, error:
1978
1723
logger.critical(u"AvahiError: %s", error)
1979
cleanup()
1980
1724
sys.exit(1)
1981
1725
except KeyboardInterrupt:
1982
1726
if debug:
1983
1727
print >> sys.stderr
1984
1728
logger.debug(u"Server received KeyboardInterrupt")
1985
1729
logger.debug(u"Server exiting")
1986
# Must run before the D-Bus bus name gets deregistered
1987
cleanup()
1988
1730
1989
1731
if __name__ == '__main__':
1990
1732
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0