To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 403
- compare with another revision
- download diff
- download tarball
- view history from revision 403
- Committer: Teddy Hogeborn
- Date: 2009-11-05 02:12:57 UTC
- Revision ID: teddy@fukt.bsnet.se-20091105021257-l2b5nb1v4pc2tupw
* mandos (ClientDBus.disable): Bug fix: complete rename of "log" and
"signal" to "quiet".
"signal" to "quiet".
- files removed:
- dbus-mandos.conf
- files modified:
- Makefile
added
removed
mandos
55
55
import logging
56
56
import logging.handlers
57
57
import pwd
58
import contextlib
58
from contextlib import closing
59
59
import struct
60
60
import fcntl
61
61
import functools
62
import cPickle as pickle
63
import multiprocessing
64
62
65
63
import dbus
66
64
import dbus.service
83
81
84
82
version = "1.0.14"
85
83
86
#logger = logging.getLogger(u'mandos')
87
84
logger = logging.Logger(u'mandos')
88
85
syslogger = (logging.handlers.SysLogHandler
89
86
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
157
154
u" after %i retries, exiting.",
158
155
self.rename_count)
159
156
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
157
self.name = self.server.GetAlternativeServiceName(self.name)
161
158
logger.info(u"Changing Zeroconf service name to %r ...",
162
self.name)
159
unicode(self.name))
163
160
syslogger.setFormatter(logging.Formatter
164
161
(u'Mandos (%s) [%%(process)d]:'
165
162
u' %%(levelname)s: %%(message)s'
194
191
self.group.Commit()
195
192
def entry_group_state_changed(self, state, error):
196
193
"""Derived from the Avahi example code"""
197
logger.debug(u"Avahi entry group state change: %i", state)
194
logger.debug(u"Avahi state change: %i", state)
198
195
199
196
if state == avahi.ENTRY_GROUP_ESTABLISHED:
200
197
logger.debug(u"Zeroconf service established.")
213
210
self.group = None
214
211
def server_state_changed(self, state):
215
212
"""Derived from the Avahi example code"""
216
logger.debug(u"Avahi server state change: %i", state)
217
213
if state == avahi.SERVER_COLLISION:
218
214
logger.error(u"Zeroconf server name collision")
219
215
self.remove()
246
242
enabled: bool()
247
243
last_checked_ok: datetime.datetime(); (UTC) or None
248
244
timeout: datetime.timedelta(); How long from last_checked_ok
249
until this client is disabled
245
until this client is invalid
250
246
interval: datetime.timedelta(); How often to start a new checker
251
247
disable_hook: If set, called by disable() as disable_hook(self)
252
248
checker: subprocess.Popen(); a running checker process used
260
256
runtime with vars(self) as dict, so that for
261
257
instance %(name)s can be used in the command.
262
258
current_checker_command: string; current running checker_command
263
approved_delay: datetime.timedelta(); Time to wait for approval
264
_approved: bool(); 'None' if not yet approved/disapproved
265
approved_duration: datetime.timedelta(); Duration of one approval
266
259
"""
267
260
268
261
@staticmethod
279
272
def interval_milliseconds(self):
280
273
"Return the 'interval' attribute in milliseconds"
281
274
return self._timedelta_to_milliseconds(self.interval)
282
283
def approved_delay_milliseconds(self):
284
return self._timedelta_to_milliseconds(self.approved_delay)
285
275
286
276
def __init__(self, name = None, disable_hook=None, config=None):
287
277
"""Note: the 'checker' key in 'config' sets the
300
290
if u"secret" in config:
301
291
self.secret = config[u"secret"].decode(u"base64")
302
292
elif u"secfile" in config:
303
with open(os.path.expanduser(os.path.expandvars
304
(config[u"secfile"])),
305
"rb") as secfile:
293
with closing(open(os.path.expanduser
294
(os.path.expandvars
295
(config[u"secfile"])),
296
"rb")) as secfile:
306
297
self.secret = secfile.read()
307
298
else:
308
299
raise TypeError(u"No secret or secfile for client %s"
322
313
self.checker_command = config[u"checker"]
323
314
self.current_checker_command = None
324
315
self.last_connect = None
325
self._approved = None
326
self.approved_by_default = config.get(u"approved_by_default",
327
True)
328
self.approvals_pending = 0
329
self.approved_delay = string_to_delta(
330
config[u"approved_delay"])
331
self.approved_duration = string_to_delta(
332
config[u"approved_duration"])
333
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
334
316
335
def send_changedstate(self):
336
self.changedstate.acquire()
337
self.changedstate.notify_all()
338
self.changedstate.release()
339
340
317
def enable(self):
341
318
"""Start this client's checker and timeout hooks"""
342
319
if getattr(self, u"enabled", False):
343
320
# Already enabled
344
321
return
345
self.send_changedstate()
346
322
self.last_enabled = datetime.datetime.utcnow()
347
323
# Schedule a new checker to be started an 'interval' from now,
348
324
# and every interval from then on.
362
338
if not getattr(self, "enabled", False):
363
339
return False
364
340
if not quiet:
365
self.send_changedstate()
366
if not quiet:
367
341
logger.info(u"Disabling client %s", self.name)
368
342
if getattr(self, u"disable_initiator_tag", False):
369
343
gobject.source_remove(self.disable_initiator_tag)
422
396
# client would inevitably timeout, since no checker would get
423
397
# a chance to run to completion. If we instead leave running
424
398
# checkers alone, the checker would have to take more time
425
# than 'timeout' for the client to be disabled, which is as it
426
# should be.
399
# than 'timeout' for the client to be declared invalid, which
400
# is as it should be.
427
401
428
402
# If a checker exists, make sure it is not a zombie
429
403
try:
501
475
if error.errno != errno.ESRCH: # No such process
502
476
raise
503
477
self.checker = None
478
479
def still_valid(self):
480
"""Has the timeout not yet passed for this client?"""
481
if not getattr(self, u"enabled", False):
482
return False
483
now = datetime.datetime.utcnow()
484
if self.last_checked_ok is None:
485
return now < (self.created + self.timeout)
486
else:
487
return now < (self.last_checked_ok + self.timeout)
488
504
489
505
490
def dbus_service_property(dbus_interface, signature=u"v",
506
491
access=u"readwrite", byte_arrays=False):
514
499
dbus.service.method, except there is only "signature", since the
515
500
type from Get() and the type sent to Set() is the same.
516
501
"""
517
# Encoding deeply encoded byte arrays is not supported yet by the
518
# "Set" method, so we fail early here:
519
if byte_arrays and signature != u"ay":
520
raise ValueError(u"Byte arrays not supported for non-'ay'"
521
u" signature %r" % signature)
522
502
def decorator(func):
523
503
func._dbus_is_property = True
524
504
func._dbus_interface = dbus_interface
610
590
if prop._dbus_access == u"read":
611
591
raise DBusPropertyAccessException(property_name)
612
592
if prop._dbus_get_args_options[u"byte_arrays"]:
613
# The byte_arrays option is not supported yet on
614
# signatures other than "ay".
615
if prop._dbus_signature != u"ay":
616
raise ValueError
617
593
value = dbus.ByteArray(''.join(unichr(byte)
618
594
for byte in value))
619
595
prop(value)
701
677
# dbus.service.Object doesn't use super(), so we can't either.
702
678
703
679
def __init__(self, bus = None, *args, **kwargs):
704
self._approvals_pending = 0
705
680
self.bus = bus
706
681
Client.__init__(self, *args, **kwargs)
707
682
# Only now, when this client is initialized, can it show up on
711
686
+ self.name.replace(u".", u"_")))
712
687
DBusObjectWithProperties.__init__(self, self.bus,
713
688
self.dbus_object_path)
714
715
def _get_approvals_pending(self):
716
return self._approvals_pending
717
def _set_approvals_pending(self, value):
718
old_value = self._approvals_pending
719
self._approvals_pending = value
720
bval = bool(value)
721
if (hasattr(self, "dbus_object_path")
722
and bval is not bool(old_value)):
723
dbus_bool = dbus.Boolean(bval, variant_level=1)
724
self.PropertyChanged(dbus.String(u"approved_pending"),
725
dbus_bool)
726
727
approvals_pending = property(_get_approvals_pending,
728
_set_approvals_pending)
729
del _get_approvals_pending, _set_approvals_pending
730
689
731
690
@staticmethod
732
691
def _datetime_to_dbus(dt, variant_level=0):
821
780
self.PropertyChanged(dbus.String(u"checker_running"),
822
781
dbus.Boolean(False, variant_level=1))
823
782
return r
824
825
def _reset_approved(self):
826
self._approved = None
827
return False
828
829
def approve(self, value=True):
830
self.send_changedstate()
831
self._approved = value
832
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
833
self._reset_approved)
834
835
836
## D-Bus methods, signals & properties
783
784
## D-Bus methods & signals
837
785
_interface = u"se.bsnet.fukt.Mandos.Client"
838
786
839
## Signals
787
# CheckedOK - method
788
@dbus.service.method(_interface)
789
def CheckedOK(self):
790
return self.checked_ok()
840
791
841
792
# CheckerCompleted - signal
842
793
@dbus.service.signal(_interface, signature=u"nxs")
859
810
# GotSecret - signal
860
811
@dbus.service.signal(_interface)
861
812
def GotSecret(self):
862
"""D-Bus signal
863
Is sent after a successful transfer of secret from the Mandos
864
server to mandos-client
865
"""
813
"D-Bus signal"
866
814
pass
867
815
868
816
# Rejected - signal
869
@dbus.service.signal(_interface, signature=u"s")
870
def Rejected(self, reason):
871
"D-Bus signal"
872
pass
873
874
# NeedApproval - signal
875
@dbus.service.signal(_interface, signature=u"db")
876
def NeedApproval(self, timeout, default):
877
"D-Bus signal"
878
pass
879
880
## Methods
881
882
# Approve - method
883
@dbus.service.method(_interface, in_signature=u"b")
884
def Approve(self, value):
885
self.approve(value)
886
887
# CheckedOK - method
888
@dbus.service.method(_interface)
889
def CheckedOK(self):
890
return self.checked_ok()
817
@dbus.service.signal(_interface)
818
def Rejected(self):
819
"D-Bus signal"
820
pass
891
821
892
822
# Enable - method
893
823
@dbus.service.method(_interface)
912
842
def StopChecker(self):
913
843
self.stop_checker()
914
844
915
## Properties
916
917
# approved_pending - property
918
@dbus_service_property(_interface, signature=u"b", access=u"read")
919
def approved_pending_dbus_property(self):
920
return dbus.Boolean(bool(self.approvals_pending))
921
922
# approved_by_default - property
923
@dbus_service_property(_interface, signature=u"b",
924
access=u"readwrite")
925
def approved_by_default_dbus_property(self):
926
return dbus.Boolean(self.approved_by_default)
927
928
# approved_delay - property
929
@dbus_service_property(_interface, signature=u"t",
930
access=u"readwrite")
931
def approved_delay_dbus_property(self):
932
return dbus.UInt64(self.approved_delay_milliseconds())
933
934
# approved_duration - property
935
@dbus_service_property(_interface, signature=u"t",
936
access=u"readwrite")
937
def approved_duration_dbus_property(self):
938
return dbus.UInt64(self._timedelta_to_milliseconds(
939
self.approved_duration))
940
941
845
# name - property
942
846
@dbus_service_property(_interface, signature=u"s", access=u"read")
943
847
def name_dbus_property(self):
1077
981
del _interface
1078
982
1079
983
1080
class ProxyClient(object):
1081
def __init__(self, child_pipe, fpr, address):
1082
self._pipe = child_pipe
1083
self._pipe.send(('init', fpr, address))
1084
if not self._pipe.recv():
1085
raise KeyError()
1086
1087
def __getattribute__(self, name):
1088
if(name == '_pipe'):
1089
return super(ProxyClient, self).__getattribute__(name)
1090
self._pipe.send(('getattr', name))
1091
data = self._pipe.recv()
1092
if data[0] == 'data':
1093
return data[1]
1094
if data[0] == 'function':
1095
def func(*args, **kwargs):
1096
self._pipe.send(('funcall', name, args, kwargs))
1097
return self._pipe.recv()[1]
1098
return func
1099
1100
def __setattr__(self, name, value):
1101
if(name == '_pipe'):
1102
return super(ProxyClient, self).__setattr__(name, value)
1103
self._pipe.send(('setattr', name, value))
1104
1105
1106
984
class ClientHandler(socketserver.BaseRequestHandler, object):
1107
985
"""A class to handle client connections.
1108
986
1110
988
Note: This will run in its own forked process."""
1111
989
1112
990
def handle(self):
1113
with contextlib.closing(self.server.child_pipe) as child_pipe:
1114
logger.info(u"TCP connection from: %s",
1115
unicode(self.client_address))
1116
logger.debug(u"Pipe FD: %d",
1117
self.server.child_pipe.fileno())
1118
991
logger.info(u"TCP connection from: %s",
992
unicode(self.client_address))
993
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
994
# Open IPC pipe to parent process
995
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1119
996
session = (gnutls.connection
1120
997
.ClientSession(self.request,
1121
998
gnutls.connection
1122
999
.X509Credentials()))
1123
1000
1001
line = self.request.makefile().readline()
1002
logger.debug(u"Protocol version: %r", line)
1003
try:
1004
if int(line.strip().split()[0]) > 1:
1005
raise RuntimeError
1006
except (ValueError, IndexError, RuntimeError), error:
1007
logger.error(u"Unknown protocol version: %s", error)
1008
return
1009
1124
1010
# Note: gnutls.connection.X509Credentials is really a
1125
1011
# generic GnuTLS certificate credentials object so long as
1126
1012
# no X.509 keys are added to it. Therefore, we can use it
1127
1013
# here despite using OpenPGP certificates.
1128
1014
1129
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1130
1016
# u"+AES-256-CBC", u"+SHA1",
1131
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1137
1023
(gnutls.library.functions
1138
1024
.gnutls_priority_set_direct(session._c_object,
1139
1025
priority, None))
1140
1141
# Start communication using the Mandos protocol
1142
# Get protocol number
1143
line = self.request.makefile().readline()
1144
logger.debug(u"Protocol version: %r", line)
1145
try:
1146
if int(line.strip().split()[0]) > 1:
1147
raise RuntimeError
1148
except (ValueError, IndexError, RuntimeError), error:
1149
logger.error(u"Unknown protocol version: %s", error)
1150
return
1151
1152
# Start GnuTLS connection
1026
1153
1027
try:
1154
1028
session.handshake()
1155
1029
except gnutls.errors.GNUTLSError, error:
1158
1032
# established. Just abandon the request.
1159
1033
return
1160
1034
logger.debug(u"Handshake succeeded")
1161
1162
approval_required = False
1163
1035
try:
1164
try:
1165
fpr = self.fingerprint(self.peer_certificate
1166
(session))
1167
except (TypeError, gnutls.errors.GNUTLSError), error:
1168
logger.warning(u"Bad certificate: %s", error)
1169
return
1170
logger.debug(u"Fingerprint: %s", fpr)
1171
1172
try:
1173
client = ProxyClient(child_pipe, fpr,
1174
self.client_address)
1175
except KeyError:
1176
return
1177
1178
if client.approved_delay:
1179
delay = client.approved_delay
1180
client.approvals_pending += 1
1181
approval_required = True
1182
1183
while True:
1184
if not client.enabled:
1185
logger.warning(u"Client %s is disabled",
1186
client.name)
1187
if self.server.use_dbus:
1188
# Emit D-Bus signal
1189
client.Rejected("Disabled")
1190
return
1191
1192
if client._approved or not client.approved_delay:
1193
#We are approved or approval is disabled
1194
break
1195
elif client._approved is None:
1196
logger.info(u"Client %s need approval",
1197
client.name)
1198
if self.server.use_dbus:
1199
# Emit D-Bus signal
1200
client.NeedApproval(
1201
client.approved_delay_milliseconds(),
1202
client.approved_by_default)
1203
else:
1204
logger.warning(u"Client %s was not approved",
1205
client.name)
1206
if self.server.use_dbus:
1207
# Emit D-Bus signal
1208
client.Rejected("Disapproved")
1209
return
1210
1211
#wait until timeout or approved
1212
#x = float(client._timedelta_to_milliseconds(delay))
1213
time = datetime.datetime.now()
1214
client.changedstate.acquire()
1215
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1216
client.changedstate.release()
1217
time2 = datetime.datetime.now()
1218
if (time2 - time) >= delay:
1219
if not client.approved_by_default:
1220
logger.warning("Client %s timed out while"
1221
" waiting for approval",
1222
client.name)
1223
if self.server.use_dbus:
1224
# Emit D-Bus signal
1225
client.Rejected("Time out")
1226
return
1227
else:
1228
break
1229
else:
1230
delay -= time2 - time
1231
1232
sent_size = 0
1233
while sent_size < len(client.secret):
1234
try:
1235
sent = session.send(client.secret[sent_size:])
1236
except (gnutls.errors.GNUTLSError), error:
1237
logger.warning("gnutls send failed")
1238
return
1239
logger.debug(u"Sent: %d, remaining: %d",
1240
sent, len(client.secret)
1241
- (sent_size + sent))
1242
sent_size += sent
1243
1244
logger.info(u"Sending secret to %s", client.name)
1245
# bump the timeout as if seen
1246
client.checked_ok()
1247
if self.server.use_dbus:
1248
# Emit D-Bus signal
1249
client.GotSecret()
1036
fpr = self.fingerprint(self.peer_certificate(session))
1037
except (TypeError, gnutls.errors.GNUTLSError), error:
1038
logger.warning(u"Bad certificate: %s", error)
1039
session.bye()
1040
return
1041
logger.debug(u"Fingerprint: %s", fpr)
1250
1042
1251
finally:
1252
if approval_required:
1253
client.approvals_pending -= 1
1254
try:
1255
session.bye()
1256
except (gnutls.errors.GNUTLSError), error:
1257
logger.warning("gnutls bye failed")
1043
for c in self.server.clients:
1044
if c.fingerprint == fpr:
1045
client = c
1046
break
1047
else:
1048
ipc.write(u"NOTFOUND %s %s\n"
1049
% (fpr, unicode(self.client_address)))
1050
session.bye()
1051
return
1052
# Have to check if client.still_valid(), since it is
1053
# possible that the client timed out while establishing
1054
# the GnuTLS session.
1055
if not client.still_valid():
1056
ipc.write(u"INVALID %s\n" % client.name)
1057
session.bye()
1058
return
1059
ipc.write(u"SENDING %s\n" % client.name)
1060
sent_size = 0
1061
while sent_size < len(client.secret):
1062
sent = session.send(client.secret[sent_size:])
1063
logger.debug(u"Sent: %d, remaining: %d",
1064
sent, len(client.secret)
1065
- (sent_size + sent))
1066
sent_size += sent
1067
session.bye()
1258
1068
1259
1069
@staticmethod
1260
1070
def peer_certificate(session):
1320
1130
return hex_fpr
1321
1131
1322
1132
1323
class MultiprocessingMixIn(object):
1324
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1325
def sub_process_main(self, request, address):
1326
try:
1327
self.finish_request(request, address)
1328
except:
1329
self.handle_error(request, address)
1330
self.close_request(request)
1331
1332
def process_request(self, request, address):
1333
"""Start a new process to process the request."""
1334
multiprocessing.Process(target = self.sub_process_main,
1335
args = (request, address)).start()
1336
1337
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1338
""" adds a pipe to the MixIn """
1133
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
1134
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1339
1135
def process_request(self, request, client_address):
1340
1136
"""Overrides and wraps the original process_request().
1341
1137
1342
1138
This function creates a new pipe in self.pipe
1343
1139
"""
1344
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1345
1346
super(MultiprocessingMixInWithPipe,
1140
self.pipe = os.pipe()
1141
super(ForkingMixInWithPipe,
1347
1142
self).process_request(request, client_address)
1348
self.child_pipe.close()
1349
self.add_pipe(parent_pipe)
1350
1351
def add_pipe(self, parent_pipe):
1143
os.close(self.pipe[1]) # close write end
1144
self.add_pipe(self.pipe[0])
1145
def add_pipe(self, pipe):
1352
1146
"""Dummy function; override as necessary"""
1353
pass
1354
1355
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1147
os.close(pipe)
1148
1149
1150
class IPv6_TCPServer(ForkingMixInWithPipe,
1356
1151
socketserver.TCPServer, object):
1357
1152
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1358
1153
1443
1238
return socketserver.TCPServer.server_activate(self)
1444
1239
def enable(self):
1445
1240
self.enabled = True
1446
def add_pipe(self, parent_pipe):
1241
def add_pipe(self, pipe):
1447
1242
# Call "handle_ipc" for both data and EOF events
1448
gobject.io_add_watch(parent_pipe.fileno(),
1449
gobject.IO_IN | gobject.IO_HUP,
1450
functools.partial(self.handle_ipc,
1451
parent_pipe = parent_pipe))
1452
1453
def handle_ipc(self, source, condition, parent_pipe=None,
1454
client_object=None):
1243
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1244
self.handle_ipc)
1245
def handle_ipc(self, source, condition, file_objects={}):
1455
1246
condition_names = {
1456
1247
gobject.IO_IN: u"IN", # There is data to read.
1457
1248
gobject.IO_OUT: u"OUT", # Data can be written (without
1468
1259
if cond & condition)
1469
1260
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1470
1261
conditions_string)
1471
1472
# error or the other end of multiprocessing.Pipe has closed
1473
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1474
return False
1475
1476
# Read a request from the child
1477
request = parent_pipe.recv()
1478
logger.debug(u"IPC request: %s", repr(request))
1479
command = request[0]
1480
1481
if command == 'init':
1482
fpr = request[1]
1483
address = request[2]
1484
1485
for c in self.clients:
1486
if c.fingerprint == fpr:
1487
client = c
1488
break
1489
else:
1490
logger.warning(u"Client not found for fingerprint: %s, ad"
1491
u"dress: %s", fpr, address)
1492
if self.use_dbus:
1493
# Emit D-Bus signal
1494
mandos_dbus_service.ClientNotFound(fpr, address)
1495
parent_pipe.send(False)
1496
return False
1497
1498
gobject.io_add_watch(parent_pipe.fileno(),
1499
gobject.IO_IN | gobject.IO_HUP,
1500
functools.partial(self.handle_ipc,
1501
parent_pipe = parent_pipe,
1502
client_object = client))
1503
parent_pipe.send(True)
1504
# remove the old hook in favor of the new above hook on same fileno
1505
return False
1506
if command == 'funcall':
1507
funcname = request[1]
1508
args = request[2]
1509
kwargs = request[3]
1510
1511
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1512
1513
if command == 'getattr':
1514
attrname = request[1]
1515
if callable(client_object.__getattribute__(attrname)):
1516
parent_pipe.send(('function',))
1517
else:
1518
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1519
1520
if command == 'setattr':
1521
attrname = request[1]
1522
value = request[2]
1523
setattr(client_object, attrname, value)
1524
1262
1263
# Turn the pipe file descriptor into a Python file object
1264
if source not in file_objects:
1265
file_objects[source] = os.fdopen(source, u"r", 1)
1266
1267
# Read a line from the file object
1268
cmdline = file_objects[source].readline()
1269
if not cmdline: # Empty line means end of file
1270
# close the IPC pipe
1271
file_objects[source].close()
1272
del file_objects[source]
1273
1274
# Stop calling this function
1275
return False
1276
1277
logger.debug(u"IPC command: %r", cmdline)
1278
1279
# Parse and act on command
1280
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1281
1282
if cmd == u"NOTFOUND":
1283
logger.warning(u"Client not found for fingerprint: %s",
1284
args)
1285
if self.use_dbus:
1286
# Emit D-Bus signal
1287
mandos_dbus_service.ClientNotFound(args)
1288
elif cmd == u"INVALID":
1289
for client in self.clients:
1290
if client.name == args:
1291
logger.warning(u"Client %s is invalid", args)
1292
if self.use_dbus:
1293
# Emit D-Bus signal
1294
client.Rejected()
1295
break
1296
else:
1297
logger.error(u"Unknown client %s is invalid", args)
1298
elif cmd == u"SENDING":
1299
for client in self.clients:
1300
if client.name == args:
1301
logger.info(u"Sending secret to %s", client.name)
1302
client.checked_ok()
1303
if self.use_dbus:
1304
# Emit D-Bus signal
1305
client.GotSecret()
1306
break
1307
else:
1308
logger.error(u"Sending secret to unknown client %s",
1309
args)
1310
else:
1311
logger.error(u"Unknown IPC command: %r", cmdline)
1312
1313
# Keep calling this function
1525
1314
return True
1526
1315
1527
1316
1578
1367
def if_nametoindex(interface):
1579
1368
"Get an interface index the hard way, i.e. using fcntl()"
1580
1369
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1581
with contextlib.closing(socket.socket()) as s:
1370
with closing(socket.socket()) as s:
1582
1371
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1583
1372
struct.pack(str(u"16s16x"),
1584
1373
interface))
1630
1419
parser.add_option("--debug", action=u"store_true",
1631
1420
help=u"Debug mode; run in foreground and log to"
1632
1421
u" terminal")
1633
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1634
help=u"Debug level for stdout output")
1635
1422
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1636
1423
u" priority string (see GnuTLS documentation)")
1637
1424
parser.add_option("--servicename", type=u"string",
1662
1449
u"servicename": u"Mandos",
1663
1450
u"use_dbus": u"True",
1664
1451
u"use_ipv6": u"True",
1665
u"debuglevel": u"",
1666
1452
}
1667
1453
1668
1454
# Parse config file for server-global settings
1685
1471
# options, if set.
1686
1472
for option in (u"interface", u"address", u"port", u"debug",
1687
1473
u"priority", u"servicename", u"configdir",
1688
u"use_dbus", u"use_ipv6", u"debuglevel"):
1474
u"use_dbus", u"use_ipv6"):
1689
1475
value = getattr(options, option)
1690
1476
if value is not None:
1691
1477
server_settings[option] = value
1700
1486
1701
1487
# For convenience
1702
1488
debug = server_settings[u"debug"]
1703
debuglevel = server_settings[u"debuglevel"]
1704
1489
use_dbus = server_settings[u"use_dbus"]
1705
1490
use_ipv6 = server_settings[u"use_ipv6"]
1706
1491
1492
if not debug:
1493
syslogger.setLevel(logging.WARNING)
1494
console.setLevel(logging.WARNING)
1495
1707
1496
if server_settings[u"servicename"] != u"Mandos":
1708
1497
syslogger.setFormatter(logging.Formatter
1709
1498
(u'Mandos (%s) [%%(process)d]:'
1715
1504
u"interval": u"5m",
1716
1505
u"checker": u"fping -q -- %%(host)s",
1717
1506
u"host": u"",
1718
u"approved_delay": u"0s",
1719
u"approved_duration": u"1s",
1720
1507
}
1721
1508
client_config = configparser.SafeConfigParser(client_defaults)
1722
1509
client_config.read(os.path.join(server_settings[u"configdir"],
1761
1548
raise error
1762
1549
1763
1550
# Enable all possible GnuTLS debugging
1764
1765
1766
if not debug and not debuglevel:
1767
syslogger.setLevel(logging.WARNING)
1768
console.setLevel(logging.WARNING)
1769
if debuglevel:
1770
level = getattr(logging, debuglevel.upper())
1771
syslogger.setLevel(level)
1772
console.setLevel(level)
1773
1774
1551
if debug:
1775
1552
# "Use a log level over 10 to enable all debugging options."
1776
1553
# - GnuTLS manual
1782
1559
1783
1560
(gnutls.library.functions
1784
1561
.gnutls_global_set_log_function(debug_gnutls))
1785
1786
# Redirect stdin so all checkers get /dev/null
1787
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1788
os.dup2(null, sys.stdin.fileno())
1789
if null > 2:
1790
os.close(null)
1791
else:
1792
# No console logging
1793
logger.removeHandler(console)
1794
1795
1562
1796
1563
global main_loop
1797
1564
# From the Avahi example code
1815
1582
if server_settings["interface"]:
1816
1583
service.interface = (if_nametoindex
1817
1584
(str(server_settings[u"interface"])))
1818
1819
if not debug:
1820
# Close all input and output, do double fork, etc.
1821
daemon()
1822
1823
global multiprocessing_manager
1824
multiprocessing_manager = multiprocessing.Manager()
1825
1585
1826
1586
client_class = Client
1827
1587
if use_dbus:
1828
1588
client_class = functools.partial(ClientDBus, bus = bus)
1829
def client_config_items(config, section):
1830
special_settings = {
1831
"approved_by_default":
1832
lambda: config.getboolean(section,
1833
"approved_by_default"),
1834
}
1835
for name, value in config.items(section):
1836
try:
1837
yield (name, special_settings[name]())
1838
except KeyError:
1839
yield (name, value)
1840
1841
1589
tcp_server.clients.update(set(
1842
1590
client_class(name = section,
1843
config= dict(client_config_items(
1844
client_config, section)))
1591
config= dict(client_config.items(section)))
1845
1592
for section in client_config.sections()))
1846
1593
if not tcp_server.clients:
1847
1594
logger.warning(u"No clients defined")
1848
1595
1596
if debug:
1597
# Redirect stdin so all checkers get /dev/null
1598
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1599
os.dup2(null, sys.stdin.fileno())
1600
if null > 2:
1601
os.close(null)
1602
else:
1603
# No console logging
1604
logger.removeHandler(console)
1605
# Close all input and output, do double fork, etc.
1606
daemon()
1607
1849
1608
try:
1850
with pidfile:
1609
with closing(pidfile):
1851
1610
pid = os.getpid()
1852
1611
pidfile.write(str(pid) + "\n")
1853
1612
del pidfile
1871
1630
dbus.service.Object.__init__(self, bus, u"/")
1872
1631
_interface = u"se.bsnet.fukt.Mandos"
1873
1632
1874
@dbus.service.signal(_interface, signature=u"o")
1875
def ClientAdded(self, objpath):
1633
@dbus.service.signal(_interface, signature=u"oa{sv}")
1634
def ClientAdded(self, objpath, properties):
1876
1635
"D-Bus signal"
1877
1636
pass
1878
1637
1879
@dbus.service.signal(_interface, signature=u"ss")
1880
def ClientNotFound(self, fingerprint, address):
1638
@dbus.service.signal(_interface, signature=u"s")
1639
def ClientNotFound(self, fingerprint):
1881
1640
"D-Bus signal"
1882
1641
pass
1883
1642
1940
1699
for client in tcp_server.clients:
1941
1700
if use_dbus:
1942
1701
# Emit D-Bus signal
1943
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1702
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1703
client.GetAll(u""))
1944
1704
client.enable()
1945
1705
1946
1706
tcp_server.enable()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0