To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 410
- compare with another revision
- download diff
- download tarball
- view history from revision 410
- Committer: Teddy Hogeborn
- Date: 2009-11-19 18:31:28 UTC
- Revision ID: teddy@fukt.bsnet.se-20091119183128-ttstewh61xmtnil1
* Makefile (LINK_FORTIFY_LD): Bug fix: removed "-fPIE".
* mandos-keygen: Bug fix: Fix quoting for the "--password" option.
* mandos-keygen: Bug fix: Fix quoting for the "--password" option.
- files removed:
- plugins.d/plymouth.c
- files modified:
- Makefile
added
removed
mandos
55
55
import logging
56
56
import logging.handlers
57
57
import pwd
58
import contextlib
58
from contextlib import closing
59
59
import struct
60
60
import fcntl
61
61
import functools
62
import cPickle as pickle
63
import multiprocessing
64
62
65
63
import dbus
66
64
import dbus.service
83
81
84
82
version = "1.0.14"
85
83
86
#logger = logging.getLogger(u'mandos')
87
84
logger = logging.Logger(u'mandos')
88
85
syslogger = (logging.handlers.SysLogHandler
89
86
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
157
154
u" after %i retries, exiting.",
158
155
self.rename_count)
159
156
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
157
self.name = self.server.GetAlternativeServiceName(self.name)
161
158
logger.info(u"Changing Zeroconf service name to %r ...",
162
self.name)
159
unicode(self.name))
163
160
syslogger.setFormatter(logging.Formatter
164
161
(u'Mandos (%s) [%%(process)d]:'
165
162
u' %%(levelname)s: %%(message)s'
166
163
% self.name))
167
164
self.remove()
168
try:
169
self.add()
170
except dbus.exceptions.DBusException, error:
171
logger.critical(u"DBusException: %s", error)
172
self.cleanup()
173
os._exit(1)
165
self.add()
174
166
self.rename_count += 1
175
167
def remove(self):
176
168
"""Derived from the Avahi example code"""
199
191
self.group.Commit()
200
192
def entry_group_state_changed(self, state, error):
201
193
"""Derived from the Avahi example code"""
202
logger.debug(u"Avahi entry group state change: %i", state)
194
logger.debug(u"Avahi state change: %i", state)
203
195
204
196
if state == avahi.ENTRY_GROUP_ESTABLISHED:
205
197
logger.debug(u"Zeroconf service established.")
218
210
self.group = None
219
211
def server_state_changed(self, state):
220
212
"""Derived from the Avahi example code"""
221
logger.debug(u"Avahi server state change: %i", state)
222
213
if state == avahi.SERVER_COLLISION:
223
214
logger.error(u"Zeroconf server name collision")
224
215
self.remove()
251
242
enabled: bool()
252
243
last_checked_ok: datetime.datetime(); (UTC) or None
253
244
timeout: datetime.timedelta(); How long from last_checked_ok
254
until this client is disabled
245
until this client is invalid
255
246
interval: datetime.timedelta(); How often to start a new checker
256
247
disable_hook: If set, called by disable() as disable_hook(self)
257
248
checker: subprocess.Popen(); a running checker process used
265
256
runtime with vars(self) as dict, so that for
266
257
instance %(name)s can be used in the command.
267
258
current_checker_command: string; current running checker_command
268
approved_delay: datetime.timedelta(); Time to wait for approval
269
_approved: bool(); 'None' if not yet approved/disapproved
270
approved_duration: datetime.timedelta(); Duration of one approval
271
259
"""
272
260
273
261
@staticmethod
284
272
def interval_milliseconds(self):
285
273
"Return the 'interval' attribute in milliseconds"
286
274
return self._timedelta_to_milliseconds(self.interval)
287
288
def approved_delay_milliseconds(self):
289
return self._timedelta_to_milliseconds(self.approved_delay)
290
275
291
276
def __init__(self, name = None, disable_hook=None, config=None):
292
277
"""Note: the 'checker' key in 'config' sets the
305
290
if u"secret" in config:
306
291
self.secret = config[u"secret"].decode(u"base64")
307
292
elif u"secfile" in config:
308
with open(os.path.expanduser(os.path.expandvars
309
(config[u"secfile"])),
310
"rb") as secfile:
293
with closing(open(os.path.expanduser
294
(os.path.expandvars
295
(config[u"secfile"])),
296
"rb")) as secfile:
311
297
self.secret = secfile.read()
312
298
else:
313
299
raise TypeError(u"No secret or secfile for client %s"
327
313
self.checker_command = config[u"checker"]
328
314
self.current_checker_command = None
329
315
self.last_connect = None
330
self._approved = None
331
self.approved_by_default = config.get(u"approved_by_default",
332
True)
333
self.approvals_pending = 0
334
self.approved_delay = string_to_delta(
335
config[u"approved_delay"])
336
self.approved_duration = string_to_delta(
337
config[u"approved_duration"])
338
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
339
316
340
def send_changedstate(self):
341
self.changedstate.acquire()
342
self.changedstate.notify_all()
343
self.changedstate.release()
344
345
317
def enable(self):
346
318
"""Start this client's checker and timeout hooks"""
347
319
if getattr(self, u"enabled", False):
348
320
# Already enabled
349
321
return
350
self.send_changedstate()
351
322
self.last_enabled = datetime.datetime.utcnow()
352
323
# Schedule a new checker to be started an 'interval' from now,
353
324
# and every interval from then on.
367
338
if not getattr(self, "enabled", False):
368
339
return False
369
340
if not quiet:
370
self.send_changedstate()
371
if not quiet:
372
341
logger.info(u"Disabling client %s", self.name)
373
342
if getattr(self, u"disable_initiator_tag", False):
374
343
gobject.source_remove(self.disable_initiator_tag)
427
396
# client would inevitably timeout, since no checker would get
428
397
# a chance to run to completion. If we instead leave running
429
398
# checkers alone, the checker would have to take more time
430
# than 'timeout' for the client to be disabled, which is as it
431
# should be.
399
# than 'timeout' for the client to be declared invalid, which
400
# is as it should be.
432
401
433
402
# If a checker exists, make sure it is not a zombie
434
403
try:
506
475
if error.errno != errno.ESRCH: # No such process
507
476
raise
508
477
self.checker = None
478
479
def still_valid(self):
480
"""Has the timeout not yet passed for this client?"""
481
if not getattr(self, u"enabled", False):
482
return False
483
now = datetime.datetime.utcnow()
484
if self.last_checked_ok is None:
485
return now < (self.created + self.timeout)
486
else:
487
return now < (self.last_checked_ok + self.timeout)
488
509
489
510
490
def dbus_service_property(dbus_interface, signature=u"v",
511
491
access=u"readwrite", byte_arrays=False):
519
499
dbus.service.method, except there is only "signature", since the
520
500
type from Get() and the type sent to Set() is the same.
521
501
"""
522
# Encoding deeply encoded byte arrays is not supported yet by the
523
# "Set" method, so we fail early here:
524
if byte_arrays and signature != u"ay":
525
raise ValueError(u"Byte arrays not supported for non-'ay'"
526
u" signature %r" % signature)
527
502
def decorator(func):
528
503
func._dbus_is_property = True
529
504
func._dbus_interface = dbus_interface
615
590
if prop._dbus_access == u"read":
616
591
raise DBusPropertyAccessException(property_name)
617
592
if prop._dbus_get_args_options[u"byte_arrays"]:
618
# The byte_arrays option is not supported yet on
619
# signatures other than "ay".
620
if prop._dbus_signature != u"ay":
621
raise ValueError
622
593
value = dbus.ByteArray(''.join(unichr(byte)
623
594
for byte in value))
624
595
prop(value)
706
677
# dbus.service.Object doesn't use super(), so we can't either.
707
678
708
679
def __init__(self, bus = None, *args, **kwargs):
709
self._approvals_pending = 0
710
680
self.bus = bus
711
681
Client.__init__(self, *args, **kwargs)
712
682
# Only now, when this client is initialized, can it show up on
716
686
+ self.name.replace(u".", u"_")))
717
687
DBusObjectWithProperties.__init__(self, self.bus,
718
688
self.dbus_object_path)
719
720
def _get_approvals_pending(self):
721
return self._approvals_pending
722
def _set_approvals_pending(self, value):
723
old_value = self._approvals_pending
724
self._approvals_pending = value
725
bval = bool(value)
726
if (hasattr(self, "dbus_object_path")
727
and bval is not bool(old_value)):
728
dbus_bool = dbus.Boolean(bval, variant_level=1)
729
self.PropertyChanged(dbus.String(u"approved_pending"),
730
dbus_bool)
731
732
approvals_pending = property(_get_approvals_pending,
733
_set_approvals_pending)
734
del _get_approvals_pending, _set_approvals_pending
735
689
736
690
@staticmethod
737
691
def _datetime_to_dbus(dt, variant_level=0):
826
780
self.PropertyChanged(dbus.String(u"checker_running"),
827
781
dbus.Boolean(False, variant_level=1))
828
782
return r
829
830
def _reset_approved(self):
831
self._approved = None
832
return False
833
834
def approve(self, value=True):
835
self.send_changedstate()
836
self._approved = value
837
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
838
self._reset_approved)
839
840
841
## D-Bus methods, signals & properties
783
784
## D-Bus methods & signals
842
785
_interface = u"se.bsnet.fukt.Mandos.Client"
843
786
844
## Signals
787
# CheckedOK - method
788
@dbus.service.method(_interface)
789
def CheckedOK(self):
790
return self.checked_ok()
845
791
846
792
# CheckerCompleted - signal
847
793
@dbus.service.signal(_interface, signature=u"nxs")
864
810
# GotSecret - signal
865
811
@dbus.service.signal(_interface)
866
812
def GotSecret(self):
867
"""D-Bus signal
868
Is sent after a successful transfer of secret from the Mandos
869
server to mandos-client
870
"""
813
"D-Bus signal"
871
814
pass
872
815
873
816
# Rejected - signal
874
@dbus.service.signal(_interface, signature=u"s")
875
def Rejected(self, reason):
876
"D-Bus signal"
877
pass
878
879
# NeedApproval - signal
880
@dbus.service.signal(_interface, signature=u"db")
881
def NeedApproval(self, timeout, default):
882
"D-Bus signal"
883
pass
884
885
## Methods
886
887
# Approve - method
888
@dbus.service.method(_interface, in_signature=u"b")
889
def Approve(self, value):
890
self.approve(value)
891
892
# CheckedOK - method
893
@dbus.service.method(_interface)
894
def CheckedOK(self):
895
return self.checked_ok()
817
@dbus.service.signal(_interface)
818
def Rejected(self):
819
"D-Bus signal"
820
pass
896
821
897
822
# Enable - method
898
823
@dbus.service.method(_interface)
917
842
def StopChecker(self):
918
843
self.stop_checker()
919
844
920
## Properties
921
922
# approved_pending - property
923
@dbus_service_property(_interface, signature=u"b", access=u"read")
924
def approved_pending_dbus_property(self):
925
return dbus.Boolean(bool(self.approvals_pending))
926
927
# approved_by_default - property
928
@dbus_service_property(_interface, signature=u"b",
929
access=u"readwrite")
930
def approved_by_default_dbus_property(self):
931
return dbus.Boolean(self.approved_by_default)
932
933
# approved_delay - property
934
@dbus_service_property(_interface, signature=u"t",
935
access=u"readwrite")
936
def approved_delay_dbus_property(self):
937
return dbus.UInt64(self.approved_delay_milliseconds())
938
939
# approved_duration - property
940
@dbus_service_property(_interface, signature=u"t",
941
access=u"readwrite")
942
def approved_duration_dbus_property(self):
943
return dbus.UInt64(self._timedelta_to_milliseconds(
944
self.approved_duration))
945
946
845
# name - property
947
846
@dbus_service_property(_interface, signature=u"s", access=u"read")
948
847
def name_dbus_property(self):
1082
981
del _interface
1083
982
1084
983
1085
class ProxyClient(object):
1086
def __init__(self, child_pipe, fpr, address):
1087
self._pipe = child_pipe
1088
self._pipe.send(('init', fpr, address))
1089
if not self._pipe.recv():
1090
raise KeyError()
1091
1092
def __getattribute__(self, name):
1093
if(name == '_pipe'):
1094
return super(ProxyClient, self).__getattribute__(name)
1095
self._pipe.send(('getattr', name))
1096
data = self._pipe.recv()
1097
if data[0] == 'data':
1098
return data[1]
1099
if data[0] == 'function':
1100
def func(*args, **kwargs):
1101
self._pipe.send(('funcall', name, args, kwargs))
1102
return self._pipe.recv()[1]
1103
return func
1104
1105
def __setattr__(self, name, value):
1106
if(name == '_pipe'):
1107
return super(ProxyClient, self).__setattr__(name, value)
1108
self._pipe.send(('setattr', name, value))
1109
1110
1111
984
class ClientHandler(socketserver.BaseRequestHandler, object):
1112
985
"""A class to handle client connections.
1113
986
1115
988
Note: This will run in its own forked process."""
1116
989
1117
990
def handle(self):
1118
with contextlib.closing(self.server.child_pipe) as child_pipe:
1119
logger.info(u"TCP connection from: %s",
1120
unicode(self.client_address))
1121
logger.debug(u"Pipe FD: %d",
1122
self.server.child_pipe.fileno())
1123
991
logger.info(u"TCP connection from: %s",
992
unicode(self.client_address))
993
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
994
# Open IPC pipe to parent process
995
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1124
996
session = (gnutls.connection
1125
997
.ClientSession(self.request,
1126
998
gnutls.connection
1127
999
.X509Credentials()))
1128
1000
1001
line = self.request.makefile().readline()
1002
logger.debug(u"Protocol version: %r", line)
1003
try:
1004
if int(line.strip().split()[0]) > 1:
1005
raise RuntimeError
1006
except (ValueError, IndexError, RuntimeError), error:
1007
logger.error(u"Unknown protocol version: %s", error)
1008
return
1009
1129
1010
# Note: gnutls.connection.X509Credentials is really a
1130
1011
# generic GnuTLS certificate credentials object so long as
1131
1012
# no X.509 keys are added to it. Therefore, we can use it
1132
1013
# here despite using OpenPGP certificates.
1133
1014
1134
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1135
1016
# u"+AES-256-CBC", u"+SHA1",
1136
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1142
1023
(gnutls.library.functions
1143
1024
.gnutls_priority_set_direct(session._c_object,
1144
1025
priority, None))
1145
1146
# Start communication using the Mandos protocol
1147
# Get protocol number
1148
line = self.request.makefile().readline()
1149
logger.debug(u"Protocol version: %r", line)
1150
try:
1151
if int(line.strip().split()[0]) > 1:
1152
raise RuntimeError
1153
except (ValueError, IndexError, RuntimeError), error:
1154
logger.error(u"Unknown protocol version: %s", error)
1155
return
1156
1157
# Start GnuTLS connection
1026
1158
1027
try:
1159
1028
session.handshake()
1160
1029
except gnutls.errors.GNUTLSError, error:
1163
1032
# established. Just abandon the request.
1164
1033
return
1165
1034
logger.debug(u"Handshake succeeded")
1166
1167
approval_required = False
1168
1035
try:
1169
try:
1170
fpr = self.fingerprint(self.peer_certificate
1171
(session))
1172
except (TypeError, gnutls.errors.GNUTLSError), error:
1173
logger.warning(u"Bad certificate: %s", error)
1174
return
1175
logger.debug(u"Fingerprint: %s", fpr)
1176
1177
try:
1178
client = ProxyClient(child_pipe, fpr,
1179
self.client_address)
1180
except KeyError:
1181
return
1182
1183
if client.approved_delay:
1184
delay = client.approved_delay
1185
client.approvals_pending += 1
1186
approval_required = True
1187
1188
while True:
1189
if not client.enabled:
1190
logger.warning(u"Client %s is disabled",
1191
client.name)
1192
if self.server.use_dbus:
1193
# Emit D-Bus signal
1194
client.Rejected("Disabled")
1195
return
1196
1197
if client._approved or not client.approved_delay:
1198
#We are approved or approval is disabled
1199
break
1200
elif client._approved is None:
1201
logger.info(u"Client %s need approval",
1202
client.name)
1203
if self.server.use_dbus:
1204
# Emit D-Bus signal
1205
client.NeedApproval(
1206
client.approved_delay_milliseconds(),
1207
client.approved_by_default)
1208
else:
1209
logger.warning(u"Client %s was not approved",
1210
client.name)
1211
if self.server.use_dbus:
1212
# Emit D-Bus signal
1213
client.Rejected("Disapproved")
1214
return
1215
1216
#wait until timeout or approved
1217
#x = float(client._timedelta_to_milliseconds(delay))
1218
time = datetime.datetime.now()
1219
client.changedstate.acquire()
1220
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1221
client.changedstate.release()
1222
time2 = datetime.datetime.now()
1223
if (time2 - time) >= delay:
1224
if not client.approved_by_default:
1225
logger.warning("Client %s timed out while"
1226
" waiting for approval",
1227
client.name)
1228
if self.server.use_dbus:
1229
# Emit D-Bus signal
1230
client.Rejected("Approval timed out")
1231
return
1232
else:
1233
break
1234
else:
1235
delay -= time2 - time
1236
1237
sent_size = 0
1238
while sent_size < len(client.secret):
1239
try:
1240
sent = session.send(client.secret[sent_size:])
1241
except (gnutls.errors.GNUTLSError), error:
1242
logger.warning("gnutls send failed")
1243
return
1244
logger.debug(u"Sent: %d, remaining: %d",
1245
sent, len(client.secret)
1246
- (sent_size + sent))
1247
sent_size += sent
1248
1249
logger.info(u"Sending secret to %s", client.name)
1250
# bump the timeout as if seen
1251
client.checked_ok()
1252
if self.server.use_dbus:
1253
# Emit D-Bus signal
1254
client.GotSecret()
1036
fpr = self.fingerprint(self.peer_certificate(session))
1037
except (TypeError, gnutls.errors.GNUTLSError), error:
1038
logger.warning(u"Bad certificate: %s", error)
1039
session.bye()
1040
return
1041
logger.debug(u"Fingerprint: %s", fpr)
1255
1042
1256
finally:
1257
if approval_required:
1258
client.approvals_pending -= 1
1259
try:
1260
session.bye()
1261
except (gnutls.errors.GNUTLSError), error:
1262
logger.warning("gnutls bye failed")
1043
for c in self.server.clients:
1044
if c.fingerprint == fpr:
1045
client = c
1046
break
1047
else:
1048
ipc.write(u"NOTFOUND %s %s\n"
1049
% (fpr, unicode(self.client_address)))
1050
session.bye()
1051
return
1052
# Have to check if client.still_valid(), since it is
1053
# possible that the client timed out while establishing
1054
# the GnuTLS session.
1055
if not client.still_valid():
1056
ipc.write(u"INVALID %s\n" % client.name)
1057
session.bye()
1058
return
1059
ipc.write(u"SENDING %s\n" % client.name)
1060
sent_size = 0
1061
while sent_size < len(client.secret):
1062
sent = session.send(client.secret[sent_size:])
1063
logger.debug(u"Sent: %d, remaining: %d",
1064
sent, len(client.secret)
1065
- (sent_size + sent))
1066
sent_size += sent
1067
session.bye()
1263
1068
1264
1069
@staticmethod
1265
1070
def peer_certificate(session):
1325
1130
return hex_fpr
1326
1131
1327
1132
1328
class MultiprocessingMixIn(object):
1329
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1330
def sub_process_main(self, request, address):
1331
try:
1332
self.finish_request(request, address)
1333
except:
1334
self.handle_error(request, address)
1335
self.close_request(request)
1336
1337
def process_request(self, request, address):
1338
"""Start a new process to process the request."""
1339
multiprocessing.Process(target = self.sub_process_main,
1340
args = (request, address)).start()
1341
1342
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1343
""" adds a pipe to the MixIn """
1133
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
1134
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1344
1135
def process_request(self, request, client_address):
1345
1136
"""Overrides and wraps the original process_request().
1346
1137
1347
1138
This function creates a new pipe in self.pipe
1348
1139
"""
1349
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1350
1351
super(MultiprocessingMixInWithPipe,
1140
self.pipe = os.pipe()
1141
super(ForkingMixInWithPipe,
1352
1142
self).process_request(request, client_address)
1353
self.child_pipe.close()
1354
self.add_pipe(parent_pipe)
1355
1356
def add_pipe(self, parent_pipe):
1143
os.close(self.pipe[1]) # close write end
1144
self.add_pipe(self.pipe[0])
1145
def add_pipe(self, pipe):
1357
1146
"""Dummy function; override as necessary"""
1358
pass
1359
1360
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1147
os.close(pipe)
1148
1149
1150
class IPv6_TCPServer(ForkingMixInWithPipe,
1361
1151
socketserver.TCPServer, object):
1362
1152
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1363
1153
1448
1238
return socketserver.TCPServer.server_activate(self)
1449
1239
def enable(self):
1450
1240
self.enabled = True
1451
def add_pipe(self, parent_pipe):
1241
def add_pipe(self, pipe):
1452
1242
# Call "handle_ipc" for both data and EOF events
1453
gobject.io_add_watch(parent_pipe.fileno(),
1454
gobject.IO_IN | gobject.IO_HUP,
1455
functools.partial(self.handle_ipc,
1456
parent_pipe = parent_pipe))
1457
1458
def handle_ipc(self, source, condition, parent_pipe=None,
1459
client_object=None):
1243
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1244
self.handle_ipc)
1245
def handle_ipc(self, source, condition, file_objects={}):
1460
1246
condition_names = {
1461
1247
gobject.IO_IN: u"IN", # There is data to read.
1462
1248
gobject.IO_OUT: u"OUT", # Data can be written (without
1471
1257
for cond, name in
1472
1258
condition_names.iteritems()
1473
1259
if cond & condition)
1474
# error or the other end of multiprocessing.Pipe has closed
1475
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1476
return False
1477
1478
# Read a request from the child
1479
request = parent_pipe.recv()
1480
command = request[0]
1481
1482
if command == 'init':
1483
fpr = request[1]
1484
address = request[2]
1485
1486
for c in self.clients:
1487
if c.fingerprint == fpr:
1488
client = c
1489
break
1490
else:
1491
logger.warning(u"Client not found for fingerprint: %s, ad"
1492
u"dress: %s", fpr, address)
1493
if self.use_dbus:
1494
# Emit D-Bus signal
1495
mandos_dbus_service.ClientNotFound(fpr, address)
1496
parent_pipe.send(False)
1497
return False
1498
1499
gobject.io_add_watch(parent_pipe.fileno(),
1500
gobject.IO_IN | gobject.IO_HUP,
1501
functools.partial(self.handle_ipc,
1502
parent_pipe = parent_pipe,
1503
client_object = client))
1504
parent_pipe.send(True)
1505
# remove the old hook in favor of the new above hook on same fileno
1506
return False
1507
if command == 'funcall':
1508
funcname = request[1]
1509
args = request[2]
1510
kwargs = request[3]
1511
1512
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1513
1514
if command == 'getattr':
1515
attrname = request[1]
1516
if callable(client_object.__getattribute__(attrname)):
1517
parent_pipe.send(('function',))
1518
else:
1519
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1520
1521
if command == 'setattr':
1522
attrname = request[1]
1523
value = request[2]
1524
setattr(client_object, attrname, value)
1525
1260
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1261
conditions_string)
1262
1263
# Turn the pipe file descriptor into a Python file object
1264
if source not in file_objects:
1265
file_objects[source] = os.fdopen(source, u"r", 1)
1266
1267
# Read a line from the file object
1268
cmdline = file_objects[source].readline()
1269
if not cmdline: # Empty line means end of file
1270
# close the IPC pipe
1271
file_objects[source].close()
1272
del file_objects[source]
1273
1274
# Stop calling this function
1275
return False
1276
1277
logger.debug(u"IPC command: %r", cmdline)
1278
1279
# Parse and act on command
1280
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1281
1282
if cmd == u"NOTFOUND":
1283
fpr, address = args.split(None, 1)
1284
logger.warning(u"Client not found for fingerprint: %s, ad"
1285
u"dress: %s", fpr, address)
1286
if self.use_dbus:
1287
# Emit D-Bus signal
1288
mandos_dbus_service.ClientNotFound(fpr, address)
1289
elif cmd == u"INVALID":
1290
for client in self.clients:
1291
if client.name == args:
1292
logger.warning(u"Client %s is invalid", args)
1293
if self.use_dbus:
1294
# Emit D-Bus signal
1295
client.Rejected()
1296
break
1297
else:
1298
logger.error(u"Unknown client %s is invalid", args)
1299
elif cmd == u"SENDING":
1300
for client in self.clients:
1301
if client.name == args:
1302
logger.info(u"Sending secret to %s", client.name)
1303
client.checked_ok()
1304
if self.use_dbus:
1305
# Emit D-Bus signal
1306
client.GotSecret()
1307
break
1308
else:
1309
logger.error(u"Sending secret to unknown client %s",
1310
args)
1311
else:
1312
logger.error(u"Unknown IPC command: %r", cmdline)
1313
1314
# Keep calling this function
1526
1315
return True
1527
1316
1528
1317
1579
1368
def if_nametoindex(interface):
1580
1369
"Get an interface index the hard way, i.e. using fcntl()"
1581
1370
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1582
with contextlib.closing(socket.socket()) as s:
1371
with closing(socket.socket()) as s:
1583
1372
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1584
1373
struct.pack(str(u"16s16x"),
1585
1374
interface))
1631
1420
parser.add_option("--debug", action=u"store_true",
1632
1421
help=u"Debug mode; run in foreground and log to"
1633
1422
u" terminal")
1634
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1635
help=u"Debug level for stdout output")
1636
1423
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1637
1424
u" priority string (see GnuTLS documentation)")
1638
1425
parser.add_option("--servicename", type=u"string",
1663
1450
u"servicename": u"Mandos",
1664
1451
u"use_dbus": u"True",
1665
1452
u"use_ipv6": u"True",
1666
u"debuglevel": u"",
1667
1453
}
1668
1454
1669
1455
# Parse config file for server-global settings
1686
1472
# options, if set.
1687
1473
for option in (u"interface", u"address", u"port", u"debug",
1688
1474
u"priority", u"servicename", u"configdir",
1689
u"use_dbus", u"use_ipv6", u"debuglevel"):
1475
u"use_dbus", u"use_ipv6"):
1690
1476
value = getattr(options, option)
1691
1477
if value is not None:
1692
1478
server_settings[option] = value
1701
1487
1702
1488
# For convenience
1703
1489
debug = server_settings[u"debug"]
1704
debuglevel = server_settings[u"debuglevel"]
1705
1490
use_dbus = server_settings[u"use_dbus"]
1706
1491
use_ipv6 = server_settings[u"use_ipv6"]
1707
1492
1493
if not debug:
1494
syslogger.setLevel(logging.WARNING)
1495
console.setLevel(logging.WARNING)
1496
1708
1497
if server_settings[u"servicename"] != u"Mandos":
1709
1498
syslogger.setFormatter(logging.Formatter
1710
1499
(u'Mandos (%s) [%%(process)d]:'
1716
1505
u"interval": u"5m",
1717
1506
u"checker": u"fping -q -- %%(host)s",
1718
1507
u"host": u"",
1719
u"approved_delay": u"0s",
1720
u"approved_duration": u"1s",
1721
1508
}
1722
1509
client_config = configparser.SafeConfigParser(client_defaults)
1723
1510
client_config.read(os.path.join(server_settings[u"configdir"],
1729
1516
tcp_server = MandosServer((server_settings[u"address"],
1730
1517
server_settings[u"port"]),
1731
1518
ClientHandler,
1732
interface=(server_settings[u"interface"]
1733
or None),
1519
interface=server_settings[u"interface"],
1734
1520
use_ipv6=use_ipv6,
1735
1521
gnutls_priority=
1736
1522
server_settings[u"priority"],
1763
1549
raise error
1764
1550
1765
1551
# Enable all possible GnuTLS debugging
1766
1767
1768
if not debug and not debuglevel:
1769
syslogger.setLevel(logging.WARNING)
1770
console.setLevel(logging.WARNING)
1771
if debuglevel:
1772
level = getattr(logging, debuglevel.upper())
1773
syslogger.setLevel(level)
1774
console.setLevel(level)
1775
1776
1552
if debug:
1777
1553
# "Use a log level over 10 to enable all debugging options."
1778
1554
# - GnuTLS manual
1784
1560
1785
1561
(gnutls.library.functions
1786
1562
.gnutls_global_set_log_function(debug_gnutls))
1787
1788
# Redirect stdin so all checkers get /dev/null
1789
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1790
os.dup2(null, sys.stdin.fileno())
1791
if null > 2:
1792
os.close(null)
1793
else:
1794
# No console logging
1795
logger.removeHandler(console)
1796
1797
1563
1798
1564
global main_loop
1799
1565
# From the Avahi example code
1817
1583
if server_settings["interface"]:
1818
1584
service.interface = (if_nametoindex
1819
1585
(str(server_settings[u"interface"])))
1820
1821
if not debug:
1822
# Close all input and output, do double fork, etc.
1823
daemon()
1824
1825
global multiprocessing_manager
1826
multiprocessing_manager = multiprocessing.Manager()
1827
1586
1828
1587
client_class = Client
1829
1588
if use_dbus:
1830
1589
client_class = functools.partial(ClientDBus, bus = bus)
1831
def client_config_items(config, section):
1832
special_settings = {
1833
"approved_by_default":
1834
lambda: config.getboolean(section,
1835
"approved_by_default"),
1836
}
1837
for name, value in config.items(section):
1838
try:
1839
yield (name, special_settings[name]())
1840
except KeyError:
1841
yield (name, value)
1842
1843
1590
tcp_server.clients.update(set(
1844
1591
client_class(name = section,
1845
config= dict(client_config_items(
1846
client_config, section)))
1592
config= dict(client_config.items(section)))
1847
1593
for section in client_config.sections()))
1848
1594
if not tcp_server.clients:
1849
1595
logger.warning(u"No clients defined")
1850
1596
1597
if debug:
1598
# Redirect stdin so all checkers get /dev/null
1599
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1600
os.dup2(null, sys.stdin.fileno())
1601
if null > 2:
1602
os.close(null)
1603
else:
1604
# No console logging
1605
logger.removeHandler(console)
1606
# Close all input and output, do double fork, etc.
1607
daemon()
1608
1851
1609
try:
1852
with pidfile:
1610
with closing(pidfile):
1853
1611
pid = os.getpid()
1854
1612
pidfile.write(str(pid) + "\n")
1855
1613
del pidfile
1873
1631
dbus.service.Object.__init__(self, bus, u"/")
1874
1632
_interface = u"se.bsnet.fukt.Mandos"
1875
1633
1876
@dbus.service.signal(_interface, signature=u"o")
1877
def ClientAdded(self, objpath):
1634
@dbus.service.signal(_interface, signature=u"oa{sv}")
1635
def ClientAdded(self, objpath, properties):
1878
1636
"D-Bus signal"
1879
1637
pass
1880
1638
1942
1700
for client in tcp_server.clients:
1943
1701
if use_dbus:
1944
1702
# Emit D-Bus signal
1945
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1703
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1704
client.GetAll(u""))
1946
1705
client.enable()
1947
1706
1948
1707
tcp_server.enable()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0