To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 413
- compare with another revision
- download diff
- download tarball
- view history from revision 413
- Committer: Teddy Hogeborn
- Date: 2009-12-27 03:35:58 UTC
- Revision ID: teddy@fukt.bsnet.se-20091227033558-y57wv1u4cls3i8kq
TODO file changes.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- etc-plugins.d-README
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
15
16
#
16
17
# This program is free software: you can redistribute it and/or modify
17
18
# it under the terms of the GNU General Public License as published by
30
31
# Contact the authors at <mandos@fukt.bsnet.se>.
31
32
#
32
33
33
from __future__ import division
34
from __future__ import division, with_statement, absolute_import
34
35
35
import SocketServer
36
import SocketServer as socketserver
36
37
import socket
37
import select
38
from optparse import OptionParser
38
import optparse
39
39
import datetime
40
40
import errno
41
41
import gnutls.crypto
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser
47
import ConfigParser as configparser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
53
52
import subprocess
54
53
import atexit
55
54
import stat
56
55
import logging
57
56
import logging.handlers
58
57
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
59
63
60
64
import dbus
65
import dbus.service
61
66
import gobject
62
67
import avahi
63
68
from dbus.mainloop.glib import DBusGMainLoop
64
69
import ctypes
65
66
version = "1.0"
67
68
logger = logging.Logger('mandos')
69
syslogger = logging.handlers.SysLogHandler\
70
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
71
address = "/dev/log")
72
syslogger.setFormatter(logging.Formatter\
73
('Mandos: %(levelname)s: %(message)s'))
70
import ctypes.util
71
import xml.dom.minidom
72
import inspect
73
74
try:
75
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
76
except AttributeError:
77
try:
78
from IN import SO_BINDTODEVICE
79
except ImportError:
80
SO_BINDTODEVICE = None
81
82
83
version = "1.0.14"
84
85
logger = logging.Logger(u'mandos')
86
syslogger = (logging.handlers.SysLogHandler
87
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
88
address = "/dev/log"))
89
syslogger.setFormatter(logging.Formatter
90
(u'Mandos [%(process)d]: %(levelname)s:'
91
u' %(message)s'))
74
92
logger.addHandler(syslogger)
75
93
76
94
console = logging.StreamHandler()
77
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
78
' %(message)s'))
95
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
96
u' %(levelname)s:'
97
u' %(message)s'))
79
98
logger.addHandler(console)
80
99
81
100
class AvahiError(Exception):
82
def __init__(self, value):
101
def __init__(self, value, *args, **kwargs):
83
102
self.value = value
84
def __str__(self):
85
return repr(self.value)
103
super(AvahiError, self).__init__(value, *args, **kwargs)
104
def __unicode__(self):
105
return unicode(repr(self.value))
86
106
87
107
class AvahiServiceError(AvahiError):
88
108
pass
93
113
94
114
class AvahiService(object):
95
115
"""An Avahi (Zeroconf) service.
116
96
117
Attributes:
97
118
interface: integer; avahi.IF_UNSPEC or an interface index.
98
119
Used to optionally bind to the specified interface.
99
name: string; Example: 'Mandos'
100
type: string; Example: '_mandos._tcp'.
120
name: string; Example: u'Mandos'
121
type: string; Example: u'_mandos._tcp'.
101
122
See <http://www.dns-sd.org/ServiceTypes.html>
102
123
port: integer; what port to announce
103
124
TXT: list of strings; TXT record for the service
106
127
max_renames: integer; maximum number of renames
107
128
rename_count: integer; counter so we only rename after collisions
108
129
a sensible number of times
130
group: D-Bus Entry Group
131
server: D-Bus Server
132
bus: dbus.SystemBus()
109
133
"""
110
134
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
111
type = None, port = None, TXT = None, domain = "",
112
host = "", max_renames = 32768):
135
servicetype = None, port = None, TXT = None,
136
domain = u"", host = u"", max_renames = 32768,
137
protocol = avahi.PROTO_UNSPEC, bus = None):
113
138
self.interface = interface
114
139
self.name = name
115
self.type = type
140
self.type = servicetype
116
141
self.port = port
117
if TXT is None:
118
self.TXT = []
119
else:
120
self.TXT = TXT
142
self.TXT = TXT if TXT is not None else []
121
143
self.domain = domain
122
144
self.host = host
123
145
self.rename_count = 0
124
146
self.max_renames = max_renames
147
self.protocol = protocol
148
self.group = None # our entry group
149
self.server = None
150
self.bus = bus
125
151
def rename(self):
126
152
"""Derived from the Avahi example code"""
127
153
if self.rename_count >= self.max_renames:
128
154
logger.critical(u"No suitable Zeroconf service name found"
129
155
u" after %i retries, exiting.",
130
rename_count)
131
raise AvahiServiceError("Too many renames")
132
self.name = server.GetAlternativeServiceName(self.name)
156
self.rename_count)
157
raise AvahiServiceError(u"Too many renames")
158
self.name = self.server.GetAlternativeServiceName(self.name)
133
159
logger.info(u"Changing Zeroconf service name to %r ...",
134
str(self.name))
135
syslogger.setFormatter(logging.Formatter\
136
('Mandos (%s): %%(levelname)s:'
137
' %%(message)s' % self.name))
160
unicode(self.name))
161
syslogger.setFormatter(logging.Formatter
162
(u'Mandos (%s) [%%(process)d]:'
163
u' %%(levelname)s: %%(message)s'
164
% self.name))
138
165
self.remove()
139
166
self.add()
140
167
self.rename_count += 1
141
168
def remove(self):
142
169
"""Derived from the Avahi example code"""
143
if group is not None:
144
group.Reset()
170
if self.group is not None:
171
self.group.Reset()
145
172
def add(self):
146
173
"""Derived from the Avahi example code"""
147
global group
148
if group is None:
149
group = dbus.Interface\
150
(bus.get_object(avahi.DBUS_NAME,
151
server.EntryGroupNew()),
152
avahi.DBUS_INTERFACE_ENTRY_GROUP)
153
group.connect_to_signal('StateChanged',
154
entry_group_state_changed)
174
if self.group is None:
175
self.group = dbus.Interface(
176
self.bus.get_object(avahi.DBUS_NAME,
177
self.server.EntryGroupNew()),
178
avahi.DBUS_INTERFACE_ENTRY_GROUP)
179
self.group.connect_to_signal('StateChanged',
180
self
181
.entry_group_state_changed)
155
182
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
156
service.name, service.type)
157
group.AddService(
158
self.interface, # interface
159
avahi.PROTO_INET6, # protocol
160
dbus.UInt32(0), # flags
161
self.name, self.type,
162
self.domain, self.host,
163
dbus.UInt16(self.port),
164
avahi.string_array_to_txt_array(self.TXT))
165
group.Commit()
166
167
# From the Avahi example code:
168
group = None # our entry group
169
# End of Avahi example code
183
self.name, self.type)
184
self.group.AddService(
185
self.interface,
186
self.protocol,
187
dbus.UInt32(0), # flags
188
self.name, self.type,
189
self.domain, self.host,
190
dbus.UInt16(self.port),
191
avahi.string_array_to_txt_array(self.TXT))
192
self.group.Commit()
193
def entry_group_state_changed(self, state, error):
194
"""Derived from the Avahi example code"""
195
logger.debug(u"Avahi state change: %i", state)
196
197
if state == avahi.ENTRY_GROUP_ESTABLISHED:
198
logger.debug(u"Zeroconf service established.")
199
elif state == avahi.ENTRY_GROUP_COLLISION:
200
logger.warning(u"Zeroconf service name collision.")
201
self.rename()
202
elif state == avahi.ENTRY_GROUP_FAILURE:
203
logger.critical(u"Avahi: Error in group state changed %s",
204
unicode(error))
205
raise AvahiGroupError(u"State changed: %s"
206
% unicode(error))
207
def cleanup(self):
208
"""Derived from the Avahi example code"""
209
if self.group is not None:
210
self.group.Free()
211
self.group = None
212
def server_state_changed(self, state):
213
"""Derived from the Avahi example code"""
214
if state == avahi.SERVER_COLLISION:
215
logger.error(u"Zeroconf server name collision")
216
self.remove()
217
elif state == avahi.SERVER_RUNNING:
218
self.add()
219
def activate(self):
220
"""Derived from the Avahi example code"""
221
if self.server is None:
222
self.server = dbus.Interface(
223
self.bus.get_object(avahi.DBUS_NAME,
224
avahi.DBUS_PATH_SERVER),
225
avahi.DBUS_INTERFACE_SERVER)
226
self.server.connect_to_signal(u"StateChanged",
227
self.server_state_changed)
228
self.server_state_changed(self.server.GetState())
170
229
171
230
172
231
class Client(object):
173
232
"""A representation of a client host served by this server.
233
174
234
Attributes:
175
name: string; from the config file, used in log messages
235
name: string; from the config file, used in log messages and
236
D-Bus identifiers
176
237
fingerprint: string (40 or 32 hexadecimal digits); used to
177
238
uniquely identify the client
178
secret: bytestring; sent verbatim (over TLS) to client
179
host: string; available for use by the checker command
180
created: datetime.datetime(); object creation, not client host
181
last_checked_ok: datetime.datetime() or None if not yet checked OK
182
timeout: datetime.timedelta(); How long from last_checked_ok
183
until this client is invalid
184
interval: datetime.timedelta(); How often to start a new checker
185
stop_hook: If set, called by stop() as stop_hook(self)
186
checker: subprocess.Popen(); a running checker process used
187
to see if the client lives.
188
'None' if no process is running.
239
secret: bytestring; sent verbatim (over TLS) to client
240
host: string; available for use by the checker command
241
created: datetime.datetime(); (UTC) object creation
242
last_enabled: datetime.datetime(); (UTC)
243
enabled: bool()
244
last_checked_ok: datetime.datetime(); (UTC) or None
245
timeout: datetime.timedelta(); How long from last_checked_ok
246
until this client is disabled
247
interval: datetime.timedelta(); How often to start a new checker
248
disable_hook: If set, called by disable() as disable_hook(self)
249
checker: subprocess.Popen(); a running checker process used
250
to see if the client lives.
251
'None' if no process is running.
189
252
checker_initiator_tag: a gobject event source tag, or None
190
stop_initiator_tag: - '' -
253
disable_initiator_tag: - '' -
191
254
checker_callback_tag: - '' -
192
255
checker_command: string; External command which is run to check if
193
256
client lives. %() expansions are done at
194
257
runtime with vars(self) as dict, so that for
195
258
instance %(name)s can be used in the command.
196
Private attibutes:
197
_timeout: Real variable for 'timeout'
198
_interval: Real variable for 'interval'
199
_timeout_milliseconds: Used when calling gobject.timeout_add()
200
_interval_milliseconds: - '' -
259
current_checker_command: string; current running checker_command
201
260
"""
202
def _set_timeout(self, timeout):
203
"Setter function for 'timeout' attribute"
204
self._timeout = timeout
205
self._timeout_milliseconds = ((self.timeout.days
206
* 24 * 60 * 60 * 1000)
207
+ (self.timeout.seconds * 1000)
208
+ (self.timeout.microseconds
209
// 1000))
210
timeout = property(lambda self: self._timeout,
211
_set_timeout)
212
del _set_timeout
213
def _set_interval(self, interval):
214
"Setter function for 'interval' attribute"
215
self._interval = interval
216
self._interval_milliseconds = ((self.interval.days
217
* 24 * 60 * 60 * 1000)
218
+ (self.interval.seconds
219
* 1000)
220
+ (self.interval.microseconds
221
// 1000))
222
interval = property(lambda self: self._interval,
223
_set_interval)
224
del _set_interval
225
def __init__(self, name = None, stop_hook=None, config={}):
261
262
@staticmethod
263
def _timedelta_to_milliseconds(td):
264
"Convert a datetime.timedelta() to milliseconds"
265
return ((td.days * 24 * 60 * 60 * 1000)
266
+ (td.seconds * 1000)
267
+ (td.microseconds // 1000))
268
269
def timeout_milliseconds(self):
270
"Return the 'timeout' attribute in milliseconds"
271
return self._timedelta_to_milliseconds(self.timeout)
272
273
def interval_milliseconds(self):
274
"Return the 'interval' attribute in milliseconds"
275
return self._timedelta_to_milliseconds(self.interval)
276
277
def __init__(self, name = None, disable_hook=None, config=None):
226
278
"""Note: the 'checker' key in 'config' sets the
227
279
'checker_command' attribute and *not* the 'checker'
228
280
attribute."""
229
281
self.name = name
282
if config is None:
283
config = {}
230
284
logger.debug(u"Creating client %r", self.name)
231
285
# Uppercase and remove spaces from fingerprint for later
232
286
# comparison purposes with return value from the fingerprint()
233
287
# function
234
self.fingerprint = config["fingerprint"].upper()\
235
.replace(u" ", u"")
288
self.fingerprint = (config[u"fingerprint"].upper()
289
.replace(u" ", u""))
236
290
logger.debug(u" Fingerprint: %s", self.fingerprint)
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
240
sf = open(config["secfile"])
241
self.secret = sf.read()
242
sf.close()
291
if u"secret" in config:
292
self.secret = config[u"secret"].decode(u"base64")
293
elif u"secfile" in config:
294
with open(os.path.expanduser(os.path.expandvars
295
(config[u"secfile"])),
296
"rb") as secfile:
297
self.secret = secfile.read()
243
298
else:
244
299
raise TypeError(u"No secret or secfile for client %s"
245
300
% self.name)
246
self.host = config.get("host", "")
247
self.created = datetime.datetime.now()
301
self.host = config.get(u"host", u"")
302
self.created = datetime.datetime.utcnow()
303
self.enabled = False
304
self.last_enabled = None
248
305
self.last_checked_ok = None
249
self.timeout = string_to_delta(config["timeout"])
250
self.interval = string_to_delta(config["interval"])
251
self.stop_hook = stop_hook
306
self.timeout = string_to_delta(config[u"timeout"])
307
self.interval = string_to_delta(config[u"interval"])
308
self.disable_hook = disable_hook
252
309
self.checker = None
253
310
self.checker_initiator_tag = None
254
self.stop_initiator_tag = None
311
self.disable_initiator_tag = None
255
312
self.checker_callback_tag = None
256
self.check_command = config["checker"]
257
def start(self):
313
self.checker_command = config[u"checker"]
314
self.current_checker_command = None
315
self.last_connect = None
316
317
def enable(self):
258
318
"""Start this client's checker and timeout hooks"""
319
if getattr(self, u"enabled", False):
320
# Already enabled
321
return
322
self.last_enabled = datetime.datetime.utcnow()
259
323
# Schedule a new checker to be started an 'interval' from now,
260
324
# and every interval from then on.
261
self.checker_initiator_tag = gobject.timeout_add\
262
(self._interval_milliseconds,
263
self.start_checker)
325
self.checker_initiator_tag = (gobject.timeout_add
326
(self.interval_milliseconds(),
327
self.start_checker))
328
# Schedule a disable() when 'timeout' has passed
329
self.disable_initiator_tag = (gobject.timeout_add
330
(self.timeout_milliseconds(),
331
self.disable))
332
self.enabled = True
264
333
# Also start a new checker *right now*.
265
334
self.start_checker()
266
# Schedule a stop() when 'timeout' has passed
267
self.stop_initiator_tag = gobject.timeout_add\
268
(self._timeout_milliseconds,
269
self.stop)
270
def stop(self):
271
"""Stop this client.
272
The possibility that a client might be restarted is left open,
273
but not currently used."""
274
# If this client doesn't have a secret, it is already stopped.
275
if hasattr(self, "secret") and self.secret:
276
logger.info(u"Stopping client %s", self.name)
277
self.secret = None
278
else:
335
336
def disable(self, quiet=True):
337
"""Disable this client."""
338
if not getattr(self, "enabled", False):
279
339
return False
280
if getattr(self, "stop_initiator_tag", False):
281
gobject.source_remove(self.stop_initiator_tag)
282
self.stop_initiator_tag = None
283
if getattr(self, "checker_initiator_tag", False):
340
if not quiet:
341
logger.info(u"Disabling client %s", self.name)
342
if getattr(self, u"disable_initiator_tag", False):
343
gobject.source_remove(self.disable_initiator_tag)
344
self.disable_initiator_tag = None
345
if getattr(self, u"checker_initiator_tag", False):
284
346
gobject.source_remove(self.checker_initiator_tag)
285
347
self.checker_initiator_tag = None
286
348
self.stop_checker()
287
if self.stop_hook:
288
self.stop_hook(self)
349
if self.disable_hook:
350
self.disable_hook(self)
351
self.enabled = False
289
352
# Do not run this again if called by a gobject.timeout_add
290
353
return False
354
291
355
def __del__(self):
292
self.stop_hook = None
293
self.stop()
294
def checker_callback(self, pid, condition):
356
self.disable_hook = None
357
self.disable()
358
359
def checker_callback(self, pid, condition, command):
295
360
"""The checker has completed, so take appropriate actions."""
296
now = datetime.datetime.now()
297
361
self.checker_callback_tag = None
298
362
self.checker = None
299
if os.WIFEXITED(condition) \
300
and (os.WEXITSTATUS(condition) == 0):
301
logger.info(u"Checker for %(name)s succeeded",
302
vars(self))
303
self.last_checked_ok = now
304
gobject.source_remove(self.stop_initiator_tag)
305
self.stop_initiator_tag = gobject.timeout_add\
306
(self._timeout_milliseconds,
307
self.stop)
308
elif not os.WIFEXITED(condition):
363
if os.WIFEXITED(condition):
364
exitstatus = os.WEXITSTATUS(condition)
365
if exitstatus == 0:
366
logger.info(u"Checker for %(name)s succeeded",
367
vars(self))
368
self.checked_ok()
369
else:
370
logger.info(u"Checker for %(name)s failed",
371
vars(self))
372
else:
309
373
logger.warning(u"Checker for %(name)s crashed?",
310
374
vars(self))
311
else:
312
logger.info(u"Checker for %(name)s failed",
313
vars(self))
375
376
def checked_ok(self):
377
"""Bump up the timeout for this client.
378
379
This should only be called when the client has been seen,
380
alive and well.
381
"""
382
self.last_checked_ok = datetime.datetime.utcnow()
383
gobject.source_remove(self.disable_initiator_tag)
384
self.disable_initiator_tag = (gobject.timeout_add
385
(self.timeout_milliseconds(),
386
self.disable))
387
314
388
def start_checker(self):
315
389
"""Start a new checker subprocess if one is not running.
390
316
391
If a checker already exists, leave it running and do
317
392
nothing."""
318
393
# The reason for not killing a running checker is that if we
321
396
# client would inevitably timeout, since no checker would get
322
397
# a chance to run to completion. If we instead leave running
323
398
# checkers alone, the checker would have to take more time
324
# than 'timeout' for the client to be declared invalid, which
325
# is as it should be.
399
# than 'timeout' for the client to be disabled, which is as it
400
# should be.
401
402
# If a checker exists, make sure it is not a zombie
403
try:
404
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
405
except (AttributeError, OSError), error:
406
if (isinstance(error, OSError)
407
and error.errno != errno.ECHILD):
408
raise error
409
else:
410
if pid:
411
logger.warning(u"Checker was a zombie")
412
gobject.source_remove(self.checker_callback_tag)
413
self.checker_callback(pid, status,
414
self.current_checker_command)
415
# Start a new checker if needed
326
416
if self.checker is None:
327
417
try:
328
# In case check_command has exactly one % operator
329
command = self.check_command % self.host
418
# In case checker_command has exactly one % operator
419
command = self.checker_command % self.host
330
420
except TypeError:
331
421
# Escape attributes for the shell
332
escaped_attrs = dict((key, re.escape(str(val)))
422
escaped_attrs = dict((key,
423
re.escape(unicode(str(val),
424
errors=
425
u'replace')))
333
426
for key, val in
334
427
vars(self).iteritems())
335
428
try:
336
command = self.check_command % escaped_attrs
429
command = self.checker_command % escaped_attrs
337
430
except TypeError, error:
338
431
logger.error(u'Could not format string "%s":'
339
u' %s', self.check_command, error)
432
u' %s', self.checker_command, error)
340
433
return True # Try again later
434
self.current_checker_command = command
341
435
try:
342
436
logger.info(u"Starting checker %r for %s",
343
437
command, self.name)
347
441
# always replaced by /dev/null.)
348
442
self.checker = subprocess.Popen(command,
349
443
close_fds=True,
350
shell=True, cwd="/")
351
self.checker_callback_tag = gobject.child_watch_add\
352
(self.checker.pid,
353
self.checker_callback)
444
shell=True, cwd=u"/")
445
self.checker_callback_tag = (gobject.child_watch_add
446
(self.checker.pid,
447
self.checker_callback,
448
data=command))
449
# The checker may have completed before the gobject
450
# watch was added. Check for this.
451
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
452
if pid:
453
gobject.source_remove(self.checker_callback_tag)
454
self.checker_callback(pid, status, command)
354
455
except OSError, error:
355
456
logger.error(u"Failed to start subprocess: %s",
356
457
error)
357
458
# Re-run this periodically if run by gobject.timeout_add
358
459
return True
460
359
461
def stop_checker(self):
360
462
"""Force the checker process, if any, to stop."""
361
463
if self.checker_callback_tag:
362
464
gobject.source_remove(self.checker_callback_tag)
363
465
self.checker_callback_tag = None
364
if getattr(self, "checker", None) is None:
466
if getattr(self, u"checker", None) is None:
365
467
return
366
468
logger.debug(u"Stopping checker for %(name)s", vars(self))
367
469
try:
368
470
os.kill(self.checker.pid, signal.SIGTERM)
369
#os.sleep(0.5)
471
#time.sleep(0.5)
370
472
#if self.checker.poll() is None:
371
473
# os.kill(self.checker.pid, signal.SIGKILL)
372
474
except OSError, error:
373
475
if error.errno != errno.ESRCH: # No such process
374
476
raise
375
477
self.checker = None
376
def still_valid(self):
377
"""Has the timeout not yet passed for this client?"""
378
now = datetime.datetime.now()
478
479
480
def dbus_service_property(dbus_interface, signature=u"v",
481
access=u"readwrite", byte_arrays=False):
482
"""Decorators for marking methods of a DBusObjectWithProperties to
483
become properties on the D-Bus.
484
485
The decorated method will be called with no arguments by "Get"
486
and with one argument by "Set".
487
488
The parameters, where they are supported, are the same as
489
dbus.service.method, except there is only "signature", since the
490
type from Get() and the type sent to Set() is the same.
491
"""
492
# Encoding deeply encoded byte arrays is not supported yet by the
493
# "Set" method, so we fail early here:
494
if byte_arrays and signature != u"ay":
495
raise ValueError(u"Byte arrays not supported for non-'ay'"
496
u" signature %r" % signature)
497
def decorator(func):
498
func._dbus_is_property = True
499
func._dbus_interface = dbus_interface
500
func._dbus_signature = signature
501
func._dbus_access = access
502
func._dbus_name = func.__name__
503
if func._dbus_name.endswith(u"_dbus_property"):
504
func._dbus_name = func._dbus_name[:-14]
505
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
506
return func
507
return decorator
508
509
510
class DBusPropertyException(dbus.exceptions.DBusException):
511
"""A base class for D-Bus property-related exceptions
512
"""
513
def __unicode__(self):
514
return unicode(str(self))
515
516
517
class DBusPropertyAccessException(DBusPropertyException):
518
"""A property's access permissions disallows an operation.
519
"""
520
pass
521
522
523
class DBusPropertyNotFound(DBusPropertyException):
524
"""An attempt was made to access a non-existing property.
525
"""
526
pass
527
528
529
class DBusObjectWithProperties(dbus.service.Object):
530
"""A D-Bus object with properties.
531
532
Classes inheriting from this can use the dbus_service_property
533
decorator to expose methods as D-Bus properties. It exposes the
534
standard Get(), Set(), and GetAll() methods on the D-Bus.
535
"""
536
537
@staticmethod
538
def _is_dbus_property(obj):
539
return getattr(obj, u"_dbus_is_property", False)
540
541
def _get_all_dbus_properties(self):
542
"""Returns a generator of (name, attribute) pairs
543
"""
544
return ((prop._dbus_name, prop)
545
for name, prop in
546
inspect.getmembers(self, self._is_dbus_property))
547
548
def _get_dbus_property(self, interface_name, property_name):
549
"""Returns a bound method if one exists which is a D-Bus
550
property with the specified name and interface.
551
"""
552
for name in (property_name,
553
property_name + u"_dbus_property"):
554
prop = getattr(self, name, None)
555
if (prop is None
556
or not self._is_dbus_property(prop)
557
or prop._dbus_name != property_name
558
or (interface_name and prop._dbus_interface
559
and interface_name != prop._dbus_interface)):
560
continue
561
return prop
562
# No such property
563
raise DBusPropertyNotFound(self.dbus_object_path + u":"
564
+ interface_name + u"."
565
+ property_name)
566
567
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
568
out_signature=u"v")
569
def Get(self, interface_name, property_name):
570
"""Standard D-Bus property Get() method, see D-Bus standard.
571
"""
572
prop = self._get_dbus_property(interface_name, property_name)
573
if prop._dbus_access == u"write":
574
raise DBusPropertyAccessException(property_name)
575
value = prop()
576
if not hasattr(value, u"variant_level"):
577
return value
578
return type(value)(value, variant_level=value.variant_level+1)
579
580
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
581
def Set(self, interface_name, property_name, value):
582
"""Standard D-Bus property Set() method, see D-Bus standard.
583
"""
584
prop = self._get_dbus_property(interface_name, property_name)
585
if prop._dbus_access == u"read":
586
raise DBusPropertyAccessException(property_name)
587
if prop._dbus_get_args_options[u"byte_arrays"]:
588
# The byte_arrays option is not supported yet on
589
# signatures other than "ay".
590
if prop._dbus_signature != u"ay":
591
raise ValueError
592
value = dbus.ByteArray(''.join(unichr(byte)
593
for byte in value))
594
prop(value)
595
596
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
597
out_signature=u"a{sv}")
598
def GetAll(self, interface_name):
599
"""Standard D-Bus property GetAll() method, see D-Bus
600
standard.
601
602
Note: Will not include properties with access="write".
603
"""
604
all = {}
605
for name, prop in self._get_all_dbus_properties():
606
if (interface_name
607
and interface_name != prop._dbus_interface):
608
# Interface non-empty but did not match
609
continue
610
# Ignore write-only properties
611
if prop._dbus_access == u"write":
612
continue
613
value = prop()
614
if not hasattr(value, u"variant_level"):
615
all[name] = value
616
continue
617
all[name] = type(value)(value, variant_level=
618
value.variant_level+1)
619
return dbus.Dictionary(all, signature=u"sv")
620
621
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
622
out_signature=u"s",
623
path_keyword='object_path',
624
connection_keyword='connection')
625
def Introspect(self, object_path, connection):
626
"""Standard D-Bus method, overloaded to insert property tags.
627
"""
628
xmlstring = dbus.service.Object.Introspect(self, object_path,
629
connection)
630
try:
631
document = xml.dom.minidom.parseString(xmlstring)
632
def make_tag(document, name, prop):
633
e = document.createElement(u"property")
634
e.setAttribute(u"name", name)
635
e.setAttribute(u"type", prop._dbus_signature)
636
e.setAttribute(u"access", prop._dbus_access)
637
return e
638
for if_tag in document.getElementsByTagName(u"interface"):
639
for tag in (make_tag(document, name, prop)
640
for name, prop
641
in self._get_all_dbus_properties()
642
if prop._dbus_interface
643
== if_tag.getAttribute(u"name")):
644
if_tag.appendChild(tag)
645
# Add the names to the return values for the
646
# "org.freedesktop.DBus.Properties" methods
647
if (if_tag.getAttribute(u"name")
648
== u"org.freedesktop.DBus.Properties"):
649
for cn in if_tag.getElementsByTagName(u"method"):
650
if cn.getAttribute(u"name") == u"Get":
651
for arg in cn.getElementsByTagName(u"arg"):
652
if (arg.getAttribute(u"direction")
653
== u"out"):
654
arg.setAttribute(u"name", u"value")
655
elif cn.getAttribute(u"name") == u"GetAll":
656
for arg in cn.getElementsByTagName(u"arg"):
657
if (arg.getAttribute(u"direction")
658
== u"out"):
659
arg.setAttribute(u"name", u"props")
660
xmlstring = document.toxml(u"utf-8")
661
document.unlink()
662
except (AttributeError, xml.dom.DOMException,
663
xml.parsers.expat.ExpatError), error:
664
logger.error(u"Failed to override Introspection method",
665
error)
666
return xmlstring
667
668
669
class ClientDBus(Client, DBusObjectWithProperties):
670
"""A Client class using D-Bus
671
672
Attributes:
673
dbus_object_path: dbus.ObjectPath
674
bus: dbus.SystemBus()
675
"""
676
# dbus.service.Object doesn't use super(), so we can't either.
677
678
def __init__(self, bus = None, *args, **kwargs):
679
self.bus = bus
680
Client.__init__(self, *args, **kwargs)
681
# Only now, when this client is initialized, can it show up on
682
# the D-Bus
683
self.dbus_object_path = (dbus.ObjectPath
684
(u"/clients/"
685
+ self.name.replace(u".", u"_")))
686
DBusObjectWithProperties.__init__(self, self.bus,
687
self.dbus_object_path)
688
689
@staticmethod
690
def _datetime_to_dbus(dt, variant_level=0):
691
"""Convert a UTC datetime.datetime() to a D-Bus type."""
692
return dbus.String(dt.isoformat(),
693
variant_level=variant_level)
694
695
def enable(self):
696
oldstate = getattr(self, u"enabled", False)
697
r = Client.enable(self)
698
if oldstate != self.enabled:
699
# Emit D-Bus signals
700
self.PropertyChanged(dbus.String(u"enabled"),
701
dbus.Boolean(True, variant_level=1))
702
self.PropertyChanged(
703
dbus.String(u"last_enabled"),
704
self._datetime_to_dbus(self.last_enabled,
705
variant_level=1))
706
return r
707
708
def disable(self, quiet = False):
709
oldstate = getattr(self, u"enabled", False)
710
r = Client.disable(self, quiet=quiet)
711
if not quiet and oldstate != self.enabled:
712
# Emit D-Bus signal
713
self.PropertyChanged(dbus.String(u"enabled"),
714
dbus.Boolean(False, variant_level=1))
715
return r
716
717
def __del__(self, *args, **kwargs):
718
try:
719
self.remove_from_connection()
720
except LookupError:
721
pass
722
if hasattr(DBusObjectWithProperties, u"__del__"):
723
DBusObjectWithProperties.__del__(self, *args, **kwargs)
724
Client.__del__(self, *args, **kwargs)
725
726
def checker_callback(self, pid, condition, command,
727
*args, **kwargs):
728
self.checker_callback_tag = None
729
self.checker = None
730
# Emit D-Bus signal
731
self.PropertyChanged(dbus.String(u"checker_running"),
732
dbus.Boolean(False, variant_level=1))
733
if os.WIFEXITED(condition):
734
exitstatus = os.WEXITSTATUS(condition)
735
# Emit D-Bus signal
736
self.CheckerCompleted(dbus.Int16(exitstatus),
737
dbus.Int64(condition),
738
dbus.String(command))
739
else:
740
# Emit D-Bus signal
741
self.CheckerCompleted(dbus.Int16(-1),
742
dbus.Int64(condition),
743
dbus.String(command))
744
745
return Client.checker_callback(self, pid, condition, command,
746
*args, **kwargs)
747
748
def checked_ok(self, *args, **kwargs):
749
r = Client.checked_ok(self, *args, **kwargs)
750
# Emit D-Bus signal
751
self.PropertyChanged(
752
dbus.String(u"last_checked_ok"),
753
(self._datetime_to_dbus(self.last_checked_ok,
754
variant_level=1)))
755
return r
756
757
def start_checker(self, *args, **kwargs):
758
old_checker = self.checker
759
if self.checker is not None:
760
old_checker_pid = self.checker.pid
761
else:
762
old_checker_pid = None
763
r = Client.start_checker(self, *args, **kwargs)
764
# Only if new checker process was started
765
if (self.checker is not None
766
and old_checker_pid != self.checker.pid):
767
# Emit D-Bus signal
768
self.CheckerStarted(self.current_checker_command)
769
self.PropertyChanged(
770
dbus.String(u"checker_running"),
771
dbus.Boolean(True, variant_level=1))
772
return r
773
774
def stop_checker(self, *args, **kwargs):
775
old_checker = getattr(self, u"checker", None)
776
r = Client.stop_checker(self, *args, **kwargs)
777
if (old_checker is not None
778
and getattr(self, u"checker", None) is None):
779
self.PropertyChanged(dbus.String(u"checker_running"),
780
dbus.Boolean(False, variant_level=1))
781
return r
782
783
## D-Bus methods & signals
784
_interface = u"se.bsnet.fukt.Mandos.Client"
785
786
# CheckedOK - method
787
@dbus.service.method(_interface)
788
def CheckedOK(self):
789
return self.checked_ok()
790
791
# CheckerCompleted - signal
792
@dbus.service.signal(_interface, signature=u"nxs")
793
def CheckerCompleted(self, exitcode, waitstatus, command):
794
"D-Bus signal"
795
pass
796
797
# CheckerStarted - signal
798
@dbus.service.signal(_interface, signature=u"s")
799
def CheckerStarted(self, command):
800
"D-Bus signal"
801
pass
802
803
# PropertyChanged - signal
804
@dbus.service.signal(_interface, signature=u"sv")
805
def PropertyChanged(self, property, value):
806
"D-Bus signal"
807
pass
808
809
# GotSecret - signal
810
@dbus.service.signal(_interface)
811
def GotSecret(self):
812
"D-Bus signal"
813
pass
814
815
# Rejected - signal
816
@dbus.service.signal(_interface)
817
def Rejected(self):
818
"D-Bus signal"
819
pass
820
821
# Enable - method
822
@dbus.service.method(_interface)
823
def Enable(self):
824
"D-Bus method"
825
self.enable()
826
827
# StartChecker - method
828
@dbus.service.method(_interface)
829
def StartChecker(self):
830
"D-Bus method"
831
self.start_checker()
832
833
# Disable - method
834
@dbus.service.method(_interface)
835
def Disable(self):
836
"D-Bus method"
837
self.disable()
838
839
# StopChecker - method
840
@dbus.service.method(_interface)
841
def StopChecker(self):
842
self.stop_checker()
843
844
# name - property
845
@dbus_service_property(_interface, signature=u"s", access=u"read")
846
def name_dbus_property(self):
847
return dbus.String(self.name)
848
849
# fingerprint - property
850
@dbus_service_property(_interface, signature=u"s", access=u"read")
851
def fingerprint_dbus_property(self):
852
return dbus.String(self.fingerprint)
853
854
# host - property
855
@dbus_service_property(_interface, signature=u"s",
856
access=u"readwrite")
857
def host_dbus_property(self, value=None):
858
if value is None: # get
859
return dbus.String(self.host)
860
self.host = value
861
# Emit D-Bus signal
862
self.PropertyChanged(dbus.String(u"host"),
863
dbus.String(value, variant_level=1))
864
865
# created - property
866
@dbus_service_property(_interface, signature=u"s", access=u"read")
867
def created_dbus_property(self):
868
return dbus.String(self._datetime_to_dbus(self.created))
869
870
# last_enabled - property
871
@dbus_service_property(_interface, signature=u"s", access=u"read")
872
def last_enabled_dbus_property(self):
873
if self.last_enabled is None:
874
return dbus.String(u"")
875
return dbus.String(self._datetime_to_dbus(self.last_enabled))
876
877
# enabled - property
878
@dbus_service_property(_interface, signature=u"b",
879
access=u"readwrite")
880
def enabled_dbus_property(self, value=None):
881
if value is None: # get
882
return dbus.Boolean(self.enabled)
883
if value:
884
self.enable()
885
else:
886
self.disable()
887
888
# last_checked_ok - property
889
@dbus_service_property(_interface, signature=u"s",
890
access=u"readwrite")
891
def last_checked_ok_dbus_property(self, value=None):
892
if value is not None:
893
self.checked_ok()
894
return
379
895
if self.last_checked_ok is None:
380
return now < (self.created + self.timeout)
381
else:
382
return now < (self.last_checked_ok + self.timeout)
383
384
385
def peer_certificate(session):
386
"Return the peer's OpenPGP certificate as a bytestring"
387
# If not an OpenPGP certificate...
388
if gnutls.library.functions.gnutls_certificate_type_get\
389
(session._c_object) \
390
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
391
# ...do the normal thing
392
return session.peer_certificate
393
list_size = ctypes.c_uint()
394
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
395
(session._c_object, ctypes.byref(list_size))
396
if list_size.value == 0:
397
return None
398
cert = cert_list[0]
399
return ctypes.string_at(cert.data, cert.size)
400
401
402
def fingerprint(openpgp):
403
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
404
# New GnuTLS "datum" with the OpenPGP public key
405
datum = gnutls.library.types.gnutls_datum_t\
406
(ctypes.cast(ctypes.c_char_p(openpgp),
407
ctypes.POINTER(ctypes.c_ubyte)),
408
ctypes.c_uint(len(openpgp)))
409
# New empty GnuTLS certificate
410
crt = gnutls.library.types.gnutls_openpgp_crt_t()
411
gnutls.library.functions.gnutls_openpgp_crt_init\
412
(ctypes.byref(crt))
413
# Import the OpenPGP public key into the certificate
414
gnutls.library.functions.gnutls_openpgp_crt_import\
415
(crt, ctypes.byref(datum),
416
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
417
# Verify the self signature in the key
418
crtverify = ctypes.c_uint();
419
gnutls.library.functions.gnutls_openpgp_crt_verify_self\
420
(crt, 0, ctypes.byref(crtverify))
421
if crtverify.value != 0:
422
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
423
raise gnutls.errors.CertificateSecurityError("Verify failed")
424
# New buffer for the fingerprint
425
buffer = ctypes.create_string_buffer(20)
426
buffer_length = ctypes.c_size_t()
427
# Get the fingerprint from the certificate into the buffer
428
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
429
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
430
# Deinit the certificate
431
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
432
# Convert the buffer to a Python bytestring
433
fpr = ctypes.string_at(buffer, buffer_length.value)
434
# Convert the bytestring to hexadecimal notation
435
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
436
return hex_fpr
437
438
439
class tcp_handler(SocketServer.BaseRequestHandler, object):
440
"""A TCP request handler class.
441
Instantiated by IPv6_TCPServer for each request to handle it.
896
return dbus.String(u"")
897
return dbus.String(self._datetime_to_dbus(self
898
.last_checked_ok))
899
900
# timeout - property
901
@dbus_service_property(_interface, signature=u"t",
902
access=u"readwrite")
903
def timeout_dbus_property(self, value=None):
904
if value is None: # get
905
return dbus.UInt64(self.timeout_milliseconds())
906
self.timeout = datetime.timedelta(0, 0, 0, value)
907
# Emit D-Bus signal
908
self.PropertyChanged(dbus.String(u"timeout"),
909
dbus.UInt64(value, variant_level=1))
910
if getattr(self, u"disable_initiator_tag", None) is None:
911
return
912
# Reschedule timeout
913
gobject.source_remove(self.disable_initiator_tag)
914
self.disable_initiator_tag = None
915
time_to_die = (self.
916
_timedelta_to_milliseconds((self
917
.last_checked_ok
918
+ self.timeout)
919
- datetime.datetime
920
.utcnow()))
921
if time_to_die <= 0:
922
# The timeout has passed
923
self.disable()
924
else:
925
self.disable_initiator_tag = (gobject.timeout_add
926
(time_to_die, self.disable))
927
928
# interval - property
929
@dbus_service_property(_interface, signature=u"t",
930
access=u"readwrite")
931
def interval_dbus_property(self, value=None):
932
if value is None: # get
933
return dbus.UInt64(self.interval_milliseconds())
934
self.interval = datetime.timedelta(0, 0, 0, value)
935
# Emit D-Bus signal
936
self.PropertyChanged(dbus.String(u"interval"),
937
dbus.UInt64(value, variant_level=1))
938
if getattr(self, u"checker_initiator_tag", None) is None:
939
return
940
# Reschedule checker run
941
gobject.source_remove(self.checker_initiator_tag)
942
self.checker_initiator_tag = (gobject.timeout_add
943
(value, self.start_checker))
944
self.start_checker() # Start one now, too
945
946
# checker - property
947
@dbus_service_property(_interface, signature=u"s",
948
access=u"readwrite")
949
def checker_dbus_property(self, value=None):
950
if value is None: # get
951
return dbus.String(self.checker_command)
952
self.checker_command = value
953
# Emit D-Bus signal
954
self.PropertyChanged(dbus.String(u"checker"),
955
dbus.String(self.checker_command,
956
variant_level=1))
957
958
# checker_running - property
959
@dbus_service_property(_interface, signature=u"b",
960
access=u"readwrite")
961
def checker_running_dbus_property(self, value=None):
962
if value is None: # get
963
return dbus.Boolean(self.checker is not None)
964
if value:
965
self.start_checker()
966
else:
967
self.stop_checker()
968
969
# object_path - property
970
@dbus_service_property(_interface, signature=u"o", access=u"read")
971
def object_path_dbus_property(self):
972
return self.dbus_object_path # is already a dbus.ObjectPath
973
974
# secret = property
975
@dbus_service_property(_interface, signature=u"ay",
976
access=u"write", byte_arrays=True)
977
def secret_dbus_property(self, value):
978
self.secret = str(value)
979
980
del _interface
981
982
983
class ClientHandler(socketserver.BaseRequestHandler, object):
984
"""A class to handle client connections.
985
986
Instantiated once for each connection to handle it.
442
987
Note: This will run in its own forked process."""
443
988
444
989
def handle(self):
445
990
logger.info(u"TCP connection from: %s",
446
unicode(self.client_address))
447
session = gnutls.connection.ClientSession\
448
(self.request, gnutls.connection.X509Credentials())
449
450
line = self.request.makefile().readline()
451
logger.debug(u"Protocol version: %r", line)
452
try:
453
if int(line.strip().split()[0]) > 1:
454
raise RuntimeError
455
except (ValueError, IndexError, RuntimeError), error:
456
logger.error(u"Unknown protocol version: %s", error)
457
return
458
459
# Note: gnutls.connection.X509Credentials is really a generic
460
# GnuTLS certificate credentials object so long as no X.509
461
# keys are added to it. Therefore, we can use it here despite
462
# using OpenPGP certificates.
463
464
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
465
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
466
# "+DHE-DSS"))
467
priority = "NORMAL" # Fallback default, since this
468
# MUST be set.
469
if self.server.settings["priority"]:
470
priority = self.server.settings["priority"]
471
gnutls.library.functions.gnutls_priority_set_direct\
472
(session._c_object, priority, None);
473
474
try:
475
session.handshake()
476
except gnutls.errors.GNUTLSError, error:
477
logger.warning(u"Handshake failed: %s", error)
478
# Do not run session.bye() here: the session is not
479
# established. Just abandon the request.
480
return
481
try:
482
fpr = fingerprint(peer_certificate(session))
483
except (TypeError, gnutls.errors.GNUTLSError), error:
484
logger.warning(u"Bad certificate: %s", error)
485
session.bye()
486
return
487
logger.debug(u"Fingerprint: %s", fpr)
488
client = None
489
for c in self.server.clients:
490
if c.fingerprint == fpr:
491
client = c
492
break
493
if not client:
494
logger.warning(u"Client not found for fingerprint: %s",
495
fpr)
496
session.bye()
497
return
498
# Have to check if client.still_valid(), since it is possible
499
# that the client timed out while establishing the GnuTLS
500
# session.
501
if not client.still_valid():
502
logger.warning(u"Client %(name)s is invalid",
503
vars(client))
504
session.bye()
505
return
506
sent_size = 0
507
while sent_size < len(client.secret):
508
sent = session.send(client.secret[sent_size:])
509
logger.debug(u"Sent: %d, remaining: %d",
510
sent, len(client.secret)
511
- (sent_size + sent))
512
sent_size += sent
513
session.bye()
514
515
516
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
517
"""IPv6 TCP server. Accepts 'None' as address and/or port.
991
unicode(self.client_address))
992
logger.debug(u"IPC Pipe FD: %d", self.server.child_pipe[1])
993
# Open IPC pipe to parent process
994
with contextlib.nested(os.fdopen(self.server.child_pipe[1],
995
u"w", 1),
996
os.fdopen(self.server.parent_pipe[0],
997
u"r", 0)) as (ipc,
998
ipc_return):
999
session = (gnutls.connection
1000
.ClientSession(self.request,
1001
gnutls.connection
1002
.X509Credentials()))
1003
1004
line = self.request.makefile().readline()
1005
logger.debug(u"Protocol version: %r", line)
1006
try:
1007
if int(line.strip().split()[0]) > 1:
1008
raise RuntimeError
1009
except (ValueError, IndexError, RuntimeError), error:
1010
logger.error(u"Unknown protocol version: %s", error)
1011
return
1012
1013
# Note: gnutls.connection.X509Credentials is really a
1014
# generic GnuTLS certificate credentials object so long as
1015
# no X.509 keys are added to it. Therefore, we can use it
1016
# here despite using OpenPGP certificates.
1017
1018
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1019
# u"+AES-256-CBC", u"+SHA1",
1020
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1021
# u"+DHE-DSS"))
1022
# Use a fallback default, since this MUST be set.
1023
priority = self.server.gnutls_priority
1024
if priority is None:
1025
priority = u"NORMAL"
1026
(gnutls.library.functions
1027
.gnutls_priority_set_direct(session._c_object,
1028
priority, None))
1029
1030
try:
1031
session.handshake()
1032
except gnutls.errors.GNUTLSError, error:
1033
logger.warning(u"Handshake failed: %s", error)
1034
# Do not run session.bye() here: the session is not
1035
# established. Just abandon the request.
1036
return
1037
logger.debug(u"Handshake succeeded")
1038
try:
1039
try:
1040
fpr = self.fingerprint(self.peer_certificate
1041
(session))
1042
except (TypeError, gnutls.errors.GNUTLSError), error:
1043
logger.warning(u"Bad certificate: %s", error)
1044
return
1045
logger.debug(u"Fingerprint: %s", fpr)
1046
1047
for c in self.server.clients:
1048
if c.fingerprint == fpr:
1049
client = c
1050
break
1051
else:
1052
ipc.write(u"NOTFOUND %s %s\n"
1053
% (fpr, unicode(self.client_address)))
1054
return
1055
# Have to check if client.enabled, since it is
1056
# possible that the client was disabled since the
1057
# GnuTLS session was established.
1058
ipc.write(u"GETATTR enabled %s\n" % fpr)
1059
enabled = pickle.load(ipc_return)
1060
if not enabled:
1061
ipc.write(u"DISABLED %s\n" % client.name)
1062
return
1063
ipc.write(u"SENDING %s\n" % client.name)
1064
sent_size = 0
1065
while sent_size < len(client.secret):
1066
sent = session.send(client.secret[sent_size:])
1067
logger.debug(u"Sent: %d, remaining: %d",
1068
sent, len(client.secret)
1069
- (sent_size + sent))
1070
sent_size += sent
1071
finally:
1072
session.bye()
1073
1074
@staticmethod
1075
def peer_certificate(session):
1076
"Return the peer's OpenPGP certificate as a bytestring"
1077
# If not an OpenPGP certificate...
1078
if (gnutls.library.functions
1079
.gnutls_certificate_type_get(session._c_object)
1080
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1081
# ...do the normal thing
1082
return session.peer_certificate
1083
list_size = ctypes.c_uint(1)
1084
cert_list = (gnutls.library.functions
1085
.gnutls_certificate_get_peers
1086
(session._c_object, ctypes.byref(list_size)))
1087
if not bool(cert_list) and list_size.value != 0:
1088
raise gnutls.errors.GNUTLSError(u"error getting peer"
1089
u" certificate")
1090
if list_size.value == 0:
1091
return None
1092
cert = cert_list[0]
1093
return ctypes.string_at(cert.data, cert.size)
1094
1095
@staticmethod
1096
def fingerprint(openpgp):
1097
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1098
# New GnuTLS "datum" with the OpenPGP public key
1099
datum = (gnutls.library.types
1100
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1101
ctypes.POINTER
1102
(ctypes.c_ubyte)),
1103
ctypes.c_uint(len(openpgp))))
1104
# New empty GnuTLS certificate
1105
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1106
(gnutls.library.functions
1107
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1108
# Import the OpenPGP public key into the certificate
1109
(gnutls.library.functions
1110
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1111
gnutls.library.constants
1112
.GNUTLS_OPENPGP_FMT_RAW))
1113
# Verify the self signature in the key
1114
crtverify = ctypes.c_uint()
1115
(gnutls.library.functions
1116
.gnutls_openpgp_crt_verify_self(crt, 0,
1117
ctypes.byref(crtverify)))
1118
if crtverify.value != 0:
1119
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1120
raise (gnutls.errors.CertificateSecurityError
1121
(u"Verify failed"))
1122
# New buffer for the fingerprint
1123
buf = ctypes.create_string_buffer(20)
1124
buf_len = ctypes.c_size_t()
1125
# Get the fingerprint from the certificate into the buffer
1126
(gnutls.library.functions
1127
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1128
ctypes.byref(buf_len)))
1129
# Deinit the certificate
1130
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1131
# Convert the buffer to a Python bytestring
1132
fpr = ctypes.string_at(buf, buf_len.value)
1133
# Convert the bytestring to hexadecimal notation
1134
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1135
return hex_fpr
1136
1137
1138
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1139
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1140
def process_request(self, request, client_address):
1141
"""Overrides and wraps the original process_request().
1142
1143
This function creates a new pipe in self.pipe
1144
"""
1145
self.child_pipe = os.pipe() # Child writes here
1146
self.parent_pipe = os.pipe() # Parent writes here
1147
super(ForkingMixInWithPipes,
1148
self).process_request(request, client_address)
1149
# Close unused ends for parent
1150
os.close(self.parent_pipe[0]) # close read end
1151
os.close(self.child_pipe[1]) # close write end
1152
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1153
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1154
"""Dummy function; override as necessary"""
1155
os.close(child_pipe_fd)
1156
os.close(parent_pipe_fd)
1157
1158
1159
class IPv6_TCPServer(ForkingMixInWithPipes,
1160
socketserver.TCPServer, object):
1161
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1162
518
1163
Attributes:
519
settings: Server settings
520
clients: Set() of Client objects
521
1164
enabled: Boolean; whether this server is activated yet
1165
interface: None or a network interface name (string)
1166
use_ipv6: Boolean; to use IPv6 or not
522
1167
"""
523
address_family = socket.AF_INET6
524
def __init__(self, *args, **kwargs):
525
if "settings" in kwargs:
526
self.settings = kwargs["settings"]
527
del kwargs["settings"]
528
if "clients" in kwargs:
529
self.clients = kwargs["clients"]
530
del kwargs["clients"]
531
self.enabled = False
532
return super(type(self), self).__init__(*args, **kwargs)
1168
def __init__(self, server_address, RequestHandlerClass,
1169
interface=None, use_ipv6=True):
1170
self.interface = interface
1171
if use_ipv6:
1172
self.address_family = socket.AF_INET6
1173
socketserver.TCPServer.__init__(self, server_address,
1174
RequestHandlerClass)
533
1175
def server_bind(self):
534
1176
"""This overrides the normal server_bind() function
535
1177
to bind to an interface if one was specified, and also NOT to
536
1178
bind to an address or port if they were not specified."""
537
if self.settings["interface"]:
538
# 25 is from /usr/include/asm-i486/socket.h
539
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
540
try:
541
self.socket.setsockopt(socket.SOL_SOCKET,
542
SO_BINDTODEVICE,
543
self.settings["interface"])
544
except socket.error, error:
545
if error[0] == errno.EPERM:
546
logger.error(u"No permission to"
547
u" bind to interface %s",
548
self.settings["interface"])
549
else:
550
raise error
1179
if self.interface is not None:
1180
if SO_BINDTODEVICE is None:
1181
logger.error(u"SO_BINDTODEVICE does not exist;"
1182
u" cannot bind to interface %s",
1183
self.interface)
1184
else:
1185
try:
1186
self.socket.setsockopt(socket.SOL_SOCKET,
1187
SO_BINDTODEVICE,
1188
str(self.interface
1189
+ u'\0'))
1190
except socket.error, error:
1191
if error[0] == errno.EPERM:
1192
logger.error(u"No permission to"
1193
u" bind to interface %s",
1194
self.interface)
1195
elif error[0] == errno.ENOPROTOOPT:
1196
logger.error(u"SO_BINDTODEVICE not available;"
1197
u" cannot bind to interface %s",
1198
self.interface)
1199
else:
1200
raise
551
1201
# Only bind(2) the socket if we really need to.
552
1202
if self.server_address[0] or self.server_address[1]:
553
1203
if not self.server_address[0]:
554
in6addr_any = "::"
555
self.server_address = (in6addr_any,
1204
if self.address_family == socket.AF_INET6:
1205
any_address = u"::" # in6addr_any
1206
else:
1207
any_address = socket.INADDR_ANY
1208
self.server_address = (any_address,
556
1209
self.server_address[1])
557
1210
elif not self.server_address[1]:
558
1211
self.server_address = (self.server_address[0],
559
1212
0)
560
# if self.settings["interface"]:
1213
# if self.interface:
561
1214
# self.server_address = (self.server_address[0],
562
1215
# 0, # port
563
1216
# 0, # flowinfo
564
1217
# if_nametoindex
565
# (self.settings
566
# ["interface"]))
567
return super(type(self), self).server_bind()
1218
# (self.interface))
1219
return socketserver.TCPServer.server_bind(self)
1220
1221
1222
class MandosServer(IPv6_TCPServer):
1223
"""Mandos server.
1224
1225
Attributes:
1226
clients: set of Client objects
1227
gnutls_priority GnuTLS priority string
1228
use_dbus: Boolean; to emit D-Bus signals or not
1229
1230
Assumes a gobject.MainLoop event loop.
1231
"""
1232
def __init__(self, server_address, RequestHandlerClass,
1233
interface=None, use_ipv6=True, clients=None,
1234
gnutls_priority=None, use_dbus=True):
1235
self.enabled = False
1236
self.clients = clients
1237
if self.clients is None:
1238
self.clients = set()
1239
self.use_dbus = use_dbus
1240
self.gnutls_priority = gnutls_priority
1241
IPv6_TCPServer.__init__(self, server_address,
1242
RequestHandlerClass,
1243
interface = interface,
1244
use_ipv6 = use_ipv6)
568
1245
def server_activate(self):
569
1246
if self.enabled:
570
return super(type(self), self).server_activate()
1247
return socketserver.TCPServer.server_activate(self)
571
1248
def enable(self):
572
1249
self.enabled = True
1250
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1251
# Call "handle_ipc" for both data and EOF events
1252
gobject.io_add_watch(child_pipe_fd,
1253
gobject.IO_IN | gobject.IO_HUP,
1254
functools.partial(self.handle_ipc,
1255
reply_fd
1256
=parent_pipe_fd))
1257
def handle_ipc(self, source, condition, reply_fd=None,
1258
file_objects={}):
1259
condition_names = {
1260
gobject.IO_IN: u"IN", # There is data to read.
1261
gobject.IO_OUT: u"OUT", # Data can be written (without
1262
# blocking).
1263
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1264
gobject.IO_ERR: u"ERR", # Error condition.
1265
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1266
# broken, usually for pipes and
1267
# sockets).
1268
}
1269
conditions_string = ' | '.join(name
1270
for cond, name in
1271
condition_names.iteritems()
1272
if cond & condition)
1273
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1274
conditions_string)
1275
1276
# Turn the pipe file descriptors into Python file objects
1277
if source not in file_objects:
1278
file_objects[source] = os.fdopen(source, u"r", 1)
1279
if reply_fd not in file_objects:
1280
file_objects[reply_fd] = os.fdopen(reply_fd, u"w", 0)
1281
1282
# Read a line from the file object
1283
cmdline = file_objects[source].readline()
1284
if not cmdline: # Empty line means end of file
1285
# close the IPC pipes
1286
file_objects[source].close()
1287
del file_objects[source]
1288
file_objects[reply_fd].close()
1289
del file_objects[reply_fd]
1290
1291
# Stop calling this function
1292
return False
1293
1294
logger.debug(u"IPC command: %r", cmdline)
1295
1296
# Parse and act on command
1297
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1298
1299
if cmd == u"NOTFOUND":
1300
fpr, address = args.split(None, 1)
1301
logger.warning(u"Client not found for fingerprint: %s, ad"
1302
u"dress: %s", fpr, address)
1303
if self.use_dbus:
1304
# Emit D-Bus signal
1305
mandos_dbus_service.ClientNotFound(fpr, address)
1306
elif cmd == u"DISABLED":
1307
for client in self.clients:
1308
if client.name == args:
1309
logger.warning(u"Client %s is disabled", args)
1310
if self.use_dbus:
1311
# Emit D-Bus signal
1312
client.Rejected()
1313
break
1314
else:
1315
logger.error(u"Unknown client %s is disabled", args)
1316
elif cmd == u"SENDING":
1317
for client in self.clients:
1318
if client.name == args:
1319
logger.info(u"Sending secret to %s", client.name)
1320
client.checked_ok()
1321
if self.use_dbus:
1322
# Emit D-Bus signal
1323
client.GotSecret()
1324
break
1325
else:
1326
logger.error(u"Sending secret to unknown client %s",
1327
args)
1328
elif cmd == u"GETATTR":
1329
attr_name, fpr = args.split(None, 1)
1330
for client in self.clients:
1331
if client.fingerprint == fpr:
1332
attr_value = getattr(client, attr_name, None)
1333
logger.debug("IPC reply: %r", attr_value)
1334
pickle.dump(attr_value, file_objects[reply_fd])
1335
break
1336
else:
1337
logger.error(u"Client %s on address %s requesting "
1338
u"attribute %s not found", fpr, address,
1339
attr_name)
1340
pickle.dump(None, file_objects[reply_fd])
1341
else:
1342
logger.error(u"Unknown IPC command: %r", cmdline)
1343
1344
# Keep calling this function
1345
return True
573
1346
574
1347
575
1348
def string_to_delta(interval):
576
1349
"""Parse a string and return a datetime.timedelta
577
578
>>> string_to_delta('7d')
1350
1351
>>> string_to_delta(u'7d')
579
1352
datetime.timedelta(7)
580
>>> string_to_delta('60s')
1353
>>> string_to_delta(u'60s')
581
1354
datetime.timedelta(0, 60)
582
>>> string_to_delta('60m')
1355
>>> string_to_delta(u'60m')
583
1356
datetime.timedelta(0, 3600)
584
>>> string_to_delta('24h')
1357
>>> string_to_delta(u'24h')
585
1358
datetime.timedelta(1)
586
1359
>>> string_to_delta(u'1w')
587
1360
datetime.timedelta(7)
588
>>> string_to_delta('5m 30s')
1361
>>> string_to_delta(u'5m 30s')
589
1362
datetime.timedelta(0, 330)
590
1363
"""
591
1364
timevalue = datetime.timedelta(0)
592
1365
for s in interval.split():
593
1366
try:
594
suffix=unicode(s[-1])
595
value=int(s[:-1])
1367
suffix = unicode(s[-1])
1368
value = int(s[:-1])
596
1369
if suffix == u"d":
597
1370
delta = datetime.timedelta(value)
598
1371
elif suffix == u"s":
604
1377
elif suffix == u"w":
605
1378
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
606
1379
else:
607
raise ValueError
608
except (ValueError, IndexError):
609
raise ValueError
1380
raise ValueError(u"Unknown suffix %r" % suffix)
1381
except (ValueError, IndexError), e:
1382
raise ValueError(e.message)
610
1383
timevalue += delta
611
1384
return timevalue
612
1385
613
1386
614
def server_state_changed(state):
615
"""Derived from the Avahi example code"""
616
if state == avahi.SERVER_COLLISION:
617
logger.error(u"Zeroconf server name collision")
618
service.remove()
619
elif state == avahi.SERVER_RUNNING:
620
service.add()
621
622
623
def entry_group_state_changed(state, error):
624
"""Derived from the Avahi example code"""
625
logger.debug(u"Avahi state change: %i", state)
626
627
if state == avahi.ENTRY_GROUP_ESTABLISHED:
628
logger.debug(u"Zeroconf service established.")
629
elif state == avahi.ENTRY_GROUP_COLLISION:
630
logger.warning(u"Zeroconf service name collision.")
631
service.rename()
632
elif state == avahi.ENTRY_GROUP_FAILURE:
633
logger.critical(u"Avahi: Error in group state changed %s",
634
unicode(error))
635
raise AvahiGroupError("State changed: %s", str(error))
636
637
1387
def if_nametoindex(interface):
638
"""Call the C function if_nametoindex(), or equivalent"""
1388
"""Call the C function if_nametoindex(), or equivalent
1389
1390
Note: This function cannot accept a unicode string."""
639
1391
global if_nametoindex
640
1392
try:
641
if "ctypes.util" not in sys.modules:
642
import ctypes.util
643
if_nametoindex = ctypes.cdll.LoadLibrary\
644
(ctypes.util.find_library("c")).if_nametoindex
1393
if_nametoindex = (ctypes.cdll.LoadLibrary
1394
(ctypes.util.find_library(u"c"))
1395
.if_nametoindex)
645
1396
except (OSError, AttributeError):
646
if "struct" not in sys.modules:
647
import struct
648
if "fcntl" not in sys.modules:
649
import fcntl
1397
logger.warning(u"Doing if_nametoindex the hard way")
650
1398
def if_nametoindex(interface):
651
1399
"Get an interface index the hard way, i.e. using fcntl()"
652
1400
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
653
s = socket.socket()
654
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
655
struct.pack("16s16x", interface))
656
s.close()
657
interface_index = struct.unpack("I", ifreq[16:20])[0]
1401
with contextlib.closing(socket.socket()) as s:
1402
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1403
struct.pack(str(u"16s16x"),
1404
interface))
1405
interface_index = struct.unpack(str(u"I"),
1406
ifreq[16:20])[0]
658
1407
return interface_index
659
1408
return if_nametoindex(interface)
660
1409
661
1410
662
1411
def daemon(nochdir = False, noclose = False):
663
1412
"""See daemon(3). Standard BSD Unix function.
1413
664
1414
This should really exist as os.daemon, but it doesn't (yet)."""
665
1415
if os.fork():
666
1416
sys.exit()
667
1417
os.setsid()
668
1418
if not nochdir:
669
os.chdir("/")
1419
os.chdir(u"/")
670
1420
if os.fork():
671
1421
sys.exit()
672
1422
if not noclose:
674
1424
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
675
1425
if not stat.S_ISCHR(os.fstat(null).st_mode):
676
1426
raise OSError(errno.ENODEV,
677
"/dev/null not a character device")
1427
u"%s not a character device"
1428
% os.path.devnull)
678
1429
os.dup2(null, sys.stdin.fileno())
679
1430
os.dup2(null, sys.stdout.fileno())
680
1431
os.dup2(null, sys.stderr.fileno())
683
1434
684
1435
685
1436
def main():
686
global main_loop_started
687
main_loop_started = False
688
689
parser = OptionParser(version = "%%prog %s" % version)
690
parser.add_option("-i", "--interface", type="string",
691
metavar="IF", help="Bind to interface IF")
692
parser.add_option("-a", "--address", type="string",
693
help="Address to listen for requests on")
694
parser.add_option("-p", "--port", type="int",
695
help="Port number to receive requests on")
696
parser.add_option("--check", action="store_true", default=False,
697
help="Run self-test")
698
parser.add_option("--debug", action="store_true",
699
help="Debug mode; run in foreground and log to"
700
" terminal")
701
parser.add_option("--priority", type="string", help="GnuTLS"
702
" priority string (see GnuTLS documentation)")
703
parser.add_option("--servicename", type="string", metavar="NAME",
704
help="Zeroconf service name")
705
parser.add_option("--configdir", type="string",
706
default="/etc/mandos", metavar="DIR",
707
help="Directory to search for configuration"
708
" files")
709
(options, args) = parser.parse_args()
1437
1438
##################################################################
1439
# Parsing of options, both command line and config file
1440
1441
parser = optparse.OptionParser(version = "%%prog %s" % version)
1442
parser.add_option("-i", u"--interface", type=u"string",
1443
metavar="IF", help=u"Bind to interface IF")
1444
parser.add_option("-a", u"--address", type=u"string",
1445
help=u"Address to listen for requests on")
1446
parser.add_option("-p", u"--port", type=u"int",
1447
help=u"Port number to receive requests on")
1448
parser.add_option("--check", action=u"store_true",
1449
help=u"Run self-test")
1450
parser.add_option("--debug", action=u"store_true",
1451
help=u"Debug mode; run in foreground and log to"
1452
u" terminal")
1453
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1454
u" priority string (see GnuTLS documentation)")
1455
parser.add_option("--servicename", type=u"string",
1456
metavar=u"NAME", help=u"Zeroconf service name")
1457
parser.add_option("--configdir", type=u"string",
1458
default=u"/etc/mandos", metavar=u"DIR",
1459
help=u"Directory to search for configuration"
1460
u" files")
1461
parser.add_option("--no-dbus", action=u"store_false",
1462
dest=u"use_dbus", help=u"Do not provide D-Bus"
1463
u" system bus interface")
1464
parser.add_option("--no-ipv6", action=u"store_false",
1465
dest=u"use_ipv6", help=u"Do not use IPv6")
1466
options = parser.parse_args()[0]
710
1467
711
1468
if options.check:
712
1469
import doctest
714
1471
sys.exit()
715
1472
716
1473
# Default values for config file for server-global settings
717
server_defaults = { "interface": "",
718
"address": "",
719
"port": "",
720
"debug": "False",
721
"priority":
722
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
723
"servicename": "Mandos",
1474
server_defaults = { u"interface": u"",
1475
u"address": u"",
1476
u"port": u"",
1477
u"debug": u"False",
1478
u"priority":
1479
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1480
u"servicename": u"Mandos",
1481
u"use_dbus": u"True",
1482
u"use_ipv6": u"True",
724
1483
}
725
1484
726
1485
# Parse config file for server-global settings
727
server_config = ConfigParser.SafeConfigParser(server_defaults)
1486
server_config = configparser.SafeConfigParser(server_defaults)
728
1487
del server_defaults
729
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1488
server_config.read(os.path.join(options.configdir,
1489
u"mandos.conf"))
730
1490
# Convert the SafeConfigParser object to a dict
731
1491
server_settings = server_config.defaults()
732
# Use getboolean on the boolean config option
733
server_settings["debug"] = server_config.getboolean\
734
("DEFAULT", "debug")
1492
# Use the appropriate methods on the non-string config options
1493
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1494
server_settings[option] = server_config.getboolean(u"DEFAULT",
1495
option)
1496
if server_settings["port"]:
1497
server_settings["port"] = server_config.getint(u"DEFAULT",
1498
u"port")
735
1499
del server_config
736
1500
737
1501
# Override the settings from the config file with command line
738
1502
# options, if set.
739
for option in ("interface", "address", "port", "debug",
740
"priority", "servicename", "configdir"):
1503
for option in (u"interface", u"address", u"port", u"debug",
1504
u"priority", u"servicename", u"configdir",
1505
u"use_dbus", u"use_ipv6"):
741
1506
value = getattr(options, option)
742
1507
if value is not None:
743
1508
server_settings[option] = value
744
1509
del options
1510
# Force all strings to be unicode
1511
for option in server_settings.keys():
1512
if type(server_settings[option]) is str:
1513
server_settings[option] = unicode(server_settings[option])
745
1514
# Now we have our good server settings in "server_settings"
746
1515
747
debug = server_settings["debug"]
1516
##################################################################
1517
1518
# For convenience
1519
debug = server_settings[u"debug"]
1520
use_dbus = server_settings[u"use_dbus"]
1521
use_ipv6 = server_settings[u"use_ipv6"]
748
1522
749
1523
if not debug:
750
1524
syslogger.setLevel(logging.WARNING)
751
1525
console.setLevel(logging.WARNING)
752
1526
753
if server_settings["servicename"] != "Mandos":
754
syslogger.setFormatter(logging.Formatter\
755
('Mandos (%s): %%(levelname)s:'
756
' %%(message)s'
757
% server_settings["servicename"]))
1527
if server_settings[u"servicename"] != u"Mandos":
1528
syslogger.setFormatter(logging.Formatter
1529
(u'Mandos (%s) [%%(process)d]:'
1530
u' %%(levelname)s: %%(message)s'
1531
% server_settings[u"servicename"]))
758
1532
759
1533
# Parse config file with clients
760
client_defaults = { "timeout": "1h",
761
"interval": "5m",
762
"checker": "fping -q -- %(host)s",
763
"host": "",
1534
client_defaults = { u"timeout": u"1h",
1535
u"interval": u"5m",
1536
u"checker": u"fping -q -- %%(host)s",
1537
u"host": u"",
764
1538
}
765
client_config = ConfigParser.SafeConfigParser(client_defaults)
766
client_config.read(os.path.join(server_settings["configdir"],
767
"clients.conf"))
768
769
clients = Set()
770
tcp_server = IPv6_TCPServer((server_settings["address"],
771
server_settings["port"]),
772
tcp_handler,
773
settings=server_settings,
774
clients=clients)
775
pidfilename = "/var/run/mandos.pid"
776
try:
777
pidfile = open(pidfilename, "w")
778
except IOError, error:
779
logger.error("Could not open file %r", pidfilename)
780
781
uid = 65534
782
gid = 65534
783
try:
784
uid = pwd.getpwnam("mandos").pw_uid
785
except KeyError:
786
try:
787
uid = pwd.getpwnam("nobody").pw_uid
788
except KeyError:
789
pass
790
try:
791
gid = pwd.getpwnam("mandos").pw_gid
792
except KeyError:
793
try:
794
gid = pwd.getpwnam("nogroup").pw_gid
795
except KeyError:
796
pass
797
try:
1539
client_config = configparser.SafeConfigParser(client_defaults)
1540
client_config.read(os.path.join(server_settings[u"configdir"],
1541
u"clients.conf"))
1542
1543
global mandos_dbus_service
1544
mandos_dbus_service = None
1545
1546
tcp_server = MandosServer((server_settings[u"address"],
1547
server_settings[u"port"]),
1548
ClientHandler,
1549
interface=server_settings[u"interface"],
1550
use_ipv6=use_ipv6,
1551
gnutls_priority=
1552
server_settings[u"priority"],
1553
use_dbus=use_dbus)
1554
pidfilename = u"/var/run/mandos.pid"
1555
try:
1556
pidfile = open(pidfilename, u"w")
1557
except IOError:
1558
logger.error(u"Could not open file %r", pidfilename)
1559
1560
try:
1561
uid = pwd.getpwnam(u"_mandos").pw_uid
1562
gid = pwd.getpwnam(u"_mandos").pw_gid
1563
except KeyError:
1564
try:
1565
uid = pwd.getpwnam(u"mandos").pw_uid
1566
gid = pwd.getpwnam(u"mandos").pw_gid
1567
except KeyError:
1568
try:
1569
uid = pwd.getpwnam(u"nobody").pw_uid
1570
gid = pwd.getpwnam(u"nobody").pw_gid
1571
except KeyError:
1572
uid = 65534
1573
gid = 65534
1574
try:
1575
os.setgid(gid)
798
1576
os.setuid(uid)
799
os.setgid(gid)
800
1577
except OSError, error:
801
1578
if error[0] != errno.EPERM:
802
1579
raise error
803
1580
804
global service
805
service = AvahiService(name = server_settings["servicename"],
806
type = "_mandos._tcp", );
807
if server_settings["interface"]:
808
service.interface = if_nametoindex\
809
(server_settings["interface"])
1581
# Enable all possible GnuTLS debugging
1582
if debug:
1583
# "Use a log level over 10 to enable all debugging options."
1584
# - GnuTLS manual
1585
gnutls.library.functions.gnutls_global_set_log_level(11)
1586
1587
@gnutls.library.types.gnutls_log_func
1588
def debug_gnutls(level, string):
1589
logger.debug(u"GnuTLS: %s", string[:-1])
1590
1591
(gnutls.library.functions
1592
.gnutls_global_set_log_function(debug_gnutls))
810
1593
811
1594
global main_loop
812
global bus
813
global server
814
1595
# From the Avahi example code
815
1596
DBusGMainLoop(set_as_default=True )
816
1597
main_loop = gobject.MainLoop()
817
1598
bus = dbus.SystemBus()
818
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
819
avahi.DBUS_PATH_SERVER),
820
avahi.DBUS_INTERFACE_SERVER)
821
1599
# End of Avahi example code
822
823
def remove_from_clients(client):
824
clients.remove(client)
825
if not clients:
826
logger.critical(u"No clients left, exiting")
827
sys.exit()
828
829
clients.update(Set(Client(name = section,
830
stop_hook = remove_from_clients,
831
config
832
= dict(client_config.items(section)))
833
for section in client_config.sections()))
834
if not clients:
835
logger.critical(u"No clients defined")
836
sys.exit(1)
1600
if use_dbus:
1601
try:
1602
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1603
bus, do_not_queue=True)
1604
except dbus.exceptions.NameExistsException, e:
1605
logger.error(unicode(e) + u", disabling D-Bus")
1606
use_dbus = False
1607
server_settings[u"use_dbus"] = False
1608
tcp_server.use_dbus = False
1609
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1610
service = AvahiService(name = server_settings[u"servicename"],
1611
servicetype = u"_mandos._tcp",
1612
protocol = protocol, bus = bus)
1613
if server_settings["interface"]:
1614
service.interface = (if_nametoindex
1615
(str(server_settings[u"interface"])))
1616
1617
client_class = Client
1618
if use_dbus:
1619
client_class = functools.partial(ClientDBus, bus = bus)
1620
tcp_server.clients.update(set(
1621
client_class(name = section,
1622
config= dict(client_config.items(section)))
1623
for section in client_config.sections()))
1624
if not tcp_server.clients:
1625
logger.warning(u"No clients defined")
837
1626
838
1627
if debug:
839
1628
# Redirect stdin so all checkers get /dev/null
848
1637
daemon()
849
1638
850
1639
try:
851
pid = os.getpid()
852
pidfile.write(str(pid) + "\n")
853
pidfile.close()
1640
with pidfile:
1641
pid = os.getpid()
1642
pidfile.write(str(pid) + "\n")
854
1643
del pidfile
855
except IOError, err:
1644
except IOError:
856
1645
logger.error(u"Could not write to file %r with PID %d",
857
1646
pidfilename, pid)
858
1647
except NameError:
860
1649
pass
861
1650
del pidfilename
862
1651
1652
if not debug:
1653
signal.signal(signal.SIGINT, signal.SIG_IGN)
1654
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1655
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1656
1657
if use_dbus:
1658
class MandosDBusService(dbus.service.Object):
1659
"""A D-Bus proxy object"""
1660
def __init__(self):
1661
dbus.service.Object.__init__(self, bus, u"/")
1662
_interface = u"se.bsnet.fukt.Mandos"
1663
1664
@dbus.service.signal(_interface, signature=u"o")
1665
def ClientAdded(self, objpath):
1666
"D-Bus signal"
1667
pass
1668
1669
@dbus.service.signal(_interface, signature=u"ss")
1670
def ClientNotFound(self, fingerprint, address):
1671
"D-Bus signal"
1672
pass
1673
1674
@dbus.service.signal(_interface, signature=u"os")
1675
def ClientRemoved(self, objpath, name):
1676
"D-Bus signal"
1677
pass
1678
1679
@dbus.service.method(_interface, out_signature=u"ao")
1680
def GetAllClients(self):
1681
"D-Bus method"
1682
return dbus.Array(c.dbus_object_path
1683
for c in tcp_server.clients)
1684
1685
@dbus.service.method(_interface,
1686
out_signature=u"a{oa{sv}}")
1687
def GetAllClientsWithProperties(self):
1688
"D-Bus method"
1689
return dbus.Dictionary(
1690
((c.dbus_object_path, c.GetAll(u""))
1691
for c in tcp_server.clients),
1692
signature=u"oa{sv}")
1693
1694
@dbus.service.method(_interface, in_signature=u"o")
1695
def RemoveClient(self, object_path):
1696
"D-Bus method"
1697
for c in tcp_server.clients:
1698
if c.dbus_object_path == object_path:
1699
tcp_server.clients.remove(c)
1700
c.remove_from_connection()
1701
# Don't signal anything except ClientRemoved
1702
c.disable(quiet=True)
1703
# Emit D-Bus signal
1704
self.ClientRemoved(object_path, c.name)
1705
return
1706
raise KeyError(object_path)
1707
1708
del _interface
1709
1710
mandos_dbus_service = MandosDBusService()
1711
863
1712
def cleanup():
864
1713
"Cleanup function; run on exit"
865
global group
866
# From the Avahi example code
867
if not group is None:
868
group.Free()
869
group = None
870
# End of Avahi example code
1714
service.cleanup()
871
1715
872
while clients:
873
client = clients.pop()
874
client.stop_hook = None
875
client.stop()
1716
while tcp_server.clients:
1717
client = tcp_server.clients.pop()
1718
if use_dbus:
1719
client.remove_from_connection()
1720
client.disable_hook = None
1721
# Don't signal anything except ClientRemoved
1722
client.disable(quiet=True)
1723
if use_dbus:
1724
# Emit D-Bus signal
1725
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1726
client.name)
876
1727
877
1728
atexit.register(cleanup)
878
1729
879
if not debug:
880
signal.signal(signal.SIGINT, signal.SIG_IGN)
881
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
882
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
883
884
for client in clients:
885
client.start()
1730
for client in tcp_server.clients:
1731
if use_dbus:
1732
# Emit D-Bus signal
1733
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1734
client.enable()
886
1735
887
1736
tcp_server.enable()
888
1737
tcp_server.server_activate()
889
1738
890
1739
# Find out what port we got
891
1740
service.port = tcp_server.socket.getsockname()[1]
892
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
893
u" scope_id %d" % tcp_server.socket.getsockname())
1741
if use_ipv6:
1742
logger.info(u"Now listening on address %r, port %d,"
1743
" flowinfo %d, scope_id %d"
1744
% tcp_server.socket.getsockname())
1745
else: # IPv4
1746
logger.info(u"Now listening on address %r, port %d"
1747
% tcp_server.socket.getsockname())
894
1748
895
1749
#service.interface = tcp_server.socket.getsockname()[3]
896
1750
897
1751
try:
898
1752
# From the Avahi example code
899
server.connect_to_signal("StateChanged", server_state_changed)
900
1753
try:
901
server_state_changed(server.GetState())
1754
service.activate()
902
1755
except dbus.exceptions.DBusException, error:
903
1756
logger.critical(u"DBusException: %s", error)
1757
cleanup()
904
1758
sys.exit(1)
905
1759
# End of Avahi example code
906
1760
907
1761
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
908
1762
lambda *args, **kwargs:
909
tcp_server.handle_request\
910
(*args[2:], **kwargs) or True)
1763
(tcp_server.handle_request
1764
(*args[2:], **kwargs) or True))
911
1765
912
1766
logger.debug(u"Starting main loop")
913
main_loop_started = True
914
1767
main_loop.run()
915
1768
except AvahiError, error:
916
logger.critical(u"AvahiError: %s" + unicode(error))
1769
logger.critical(u"AvahiError: %s", error)
1770
cleanup()
917
1771
sys.exit(1)
918
1772
except KeyboardInterrupt:
919
1773
if debug:
920
print
1774
print >> sys.stderr
1775
logger.debug(u"Server received KeyboardInterrupt")
1776
logger.debug(u"Server exiting")
1777
# Must run before the D-Bus bus name gets deregistered
1778
cleanup()
921
1779
922
1780
if __name__ == '__main__':
923
1781
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0