To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 416.1.2
- compare with another revision
- download diff
- download tarball
- view history from revision 416.1.2
- Committer: Teddy Hogeborn
- Date: 2010-06-19 00:37:04 UTC
- mto: (24.1.149 mandos)
- mto: This revision was merged to the branch mainline in revision 417.
- Revision ID: teddy@fukt.bsnet.se-20100619003704-vpicvssvv1ktg2om
* mandos (ClientHandler.handle): Set up the GnuTLS session object
before reading the protocol number.
(ClientHandler.handle/ProxyObject): New.
before reading the protocol number.
(ClientHandler.handle/ProxyObject): New.
- files added:
- dbus-mandos.conf
- files renamed:
- mandos-list => mandos-ctl
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer
36
import SocketServer as socketserver
37
37
import socket
38
from optparse import OptionParser
38
import optparse
39
39
import datetime
40
40
import errno
41
41
import gnutls.crypto
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser
47
import ConfigParser as configparser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
53
52
import subprocess
54
53
import atexit
55
54
import stat
56
55
import logging
57
56
import logging.handlers
58
57
import pwd
59
from contextlib import closing
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import select
60
64
61
65
import dbus
62
66
import dbus.service
65
69
from dbus.mainloop.glib import DBusGMainLoop
66
70
import ctypes
67
71
import ctypes.util
68
69
version = "1.0.3"
70
71
logger = logging.Logger('mandos')
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
logger = logging.Logger(u'mandos')
72
87
syslogger = (logging.handlers.SysLogHandler
73
88
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
89
address = "/dev/log"))
75
90
syslogger.setFormatter(logging.Formatter
76
('Mandos: %(levelname)s: %(message)s'))
91
(u'Mandos [%(process)d]: %(levelname)s:'
92
u' %(message)s'))
77
93
logger.addHandler(syslogger)
78
94
79
95
console = logging.StreamHandler()
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
96
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
97
u' %(levelname)s:'
98
u' %(message)s'))
82
99
logger.addHandler(console)
83
100
84
101
class AvahiError(Exception):
97
114
98
115
class AvahiService(object):
99
116
"""An Avahi (Zeroconf) service.
117
100
118
Attributes:
101
119
interface: integer; avahi.IF_UNSPEC or an interface index.
102
120
Used to optionally bind to the specified interface.
103
name: string; Example: 'Mandos'
104
type: string; Example: '_mandos._tcp'.
121
name: string; Example: u'Mandos'
122
type: string; Example: u'_mandos._tcp'.
105
123
See <http://www.dns-sd.org/ServiceTypes.html>
106
124
port: integer; what port to announce
107
125
TXT: list of strings; TXT record for the service
110
128
max_renames: integer; maximum number of renames
111
129
rename_count: integer; counter so we only rename after collisions
112
130
a sensible number of times
131
group: D-Bus Entry Group
132
server: D-Bus Server
133
bus: dbus.SystemBus()
113
134
"""
114
135
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
115
136
servicetype = None, port = None, TXT = None,
116
domain = "", host = "", max_renames = 32768):
137
domain = u"", host = u"", max_renames = 32768,
138
protocol = avahi.PROTO_UNSPEC, bus = None):
117
139
self.interface = interface
118
140
self.name = name
119
141
self.type = servicetype
123
145
self.host = host
124
146
self.rename_count = 0
125
147
self.max_renames = max_renames
148
self.protocol = protocol
149
self.group = None # our entry group
150
self.server = None
151
self.bus = bus
126
152
def rename(self):
127
153
"""Derived from the Avahi example code"""
128
154
if self.rename_count >= self.max_renames:
130
156
u" after %i retries, exiting.",
131
157
self.rename_count)
132
158
raise AvahiServiceError(u"Too many renames")
133
self.name = server.GetAlternativeServiceName(self.name)
159
self.name = self.server.GetAlternativeServiceName(self.name)
134
160
logger.info(u"Changing Zeroconf service name to %r ...",
135
str(self.name))
161
unicode(self.name))
136
162
syslogger.setFormatter(logging.Formatter
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
163
(u'Mandos (%s) [%%(process)d]:'
164
u' %%(levelname)s: %%(message)s'
165
% self.name))
139
166
self.remove()
140
167
self.add()
141
168
self.rename_count += 1
142
169
def remove(self):
143
170
"""Derived from the Avahi example code"""
144
if group is not None:
145
group.Reset()
171
if self.group is not None:
172
self.group.Reset()
146
173
def add(self):
147
174
"""Derived from the Avahi example code"""
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
175
if self.group is None:
176
self.group = dbus.Interface(
177
self.bus.get_object(avahi.DBUS_NAME,
178
self.server.EntryGroupNew()),
179
avahi.DBUS_INTERFACE_ENTRY_GROUP)
180
self.group.connect_to_signal('StateChanged',
181
self
182
.entry_group_state_changed)
156
183
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
170
# End of Avahi example code
171
172
173
def _datetime_to_dbus(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus type."""
175
return dbus.String(dt.isoformat(), variant_level=variant_level)
176
177
178
class Client(dbus.service.Object):
184
self.name, self.type)
185
self.group.AddService(
186
self.interface,
187
self.protocol,
188
dbus.UInt32(0), # flags
189
self.name, self.type,
190
self.domain, self.host,
191
dbus.UInt16(self.port),
192
avahi.string_array_to_txt_array(self.TXT))
193
self.group.Commit()
194
def entry_group_state_changed(self, state, error):
195
"""Derived from the Avahi example code"""
196
logger.debug(u"Avahi state change: %i", state)
197
198
if state == avahi.ENTRY_GROUP_ESTABLISHED:
199
logger.debug(u"Zeroconf service established.")
200
elif state == avahi.ENTRY_GROUP_COLLISION:
201
logger.warning(u"Zeroconf service name collision.")
202
self.rename()
203
elif state == avahi.ENTRY_GROUP_FAILURE:
204
logger.critical(u"Avahi: Error in group state changed %s",
205
unicode(error))
206
raise AvahiGroupError(u"State changed: %s"
207
% unicode(error))
208
def cleanup(self):
209
"""Derived from the Avahi example code"""
210
if self.group is not None:
211
self.group.Free()
212
self.group = None
213
def server_state_changed(self, state):
214
"""Derived from the Avahi example code"""
215
if state == avahi.SERVER_COLLISION:
216
logger.error(u"Zeroconf server name collision")
217
self.remove()
218
elif state == avahi.SERVER_RUNNING:
219
self.add()
220
def activate(self):
221
"""Derived from the Avahi example code"""
222
if self.server is None:
223
self.server = dbus.Interface(
224
self.bus.get_object(avahi.DBUS_NAME,
225
avahi.DBUS_PATH_SERVER),
226
avahi.DBUS_INTERFACE_SERVER)
227
self.server.connect_to_signal(u"StateChanged",
228
self.server_state_changed)
229
self.server_state_changed(self.server.GetState())
230
231
232
class Client(object):
179
233
"""A representation of a client host served by this server.
234
180
235
Attributes:
181
name: string; from the config file, used in log messages
236
name: string; from the config file, used in log messages and
237
D-Bus identifiers
182
238
fingerprint: string (40 or 32 hexadecimal digits); used to
183
239
uniquely identify the client
184
240
secret: bytestring; sent verbatim (over TLS) to client
188
244
enabled: bool()
189
245
last_checked_ok: datetime.datetime(); (UTC) or None
190
246
timeout: datetime.timedelta(); How long from last_checked_ok
191
until this client is invalid
247
until this client is disabled
192
248
interval: datetime.timedelta(); How often to start a new checker
193
249
disable_hook: If set, called by disable() as disable_hook(self)
194
250
checker: subprocess.Popen(); a running checker process used
195
251
to see if the client lives.
196
252
'None' if no process is running.
197
253
checker_initiator_tag: a gobject event source tag, or None
198
disable_initiator_tag: - '' -
254
disable_initiator_tag: - '' -
199
255
checker_callback_tag: - '' -
200
256
checker_command: string; External command which is run to check if
201
257
client lives. %() expansions are done at
202
258
runtime with vars(self) as dict, so that for
203
259
instance %(name)s can be used in the command.
204
use_dbus: bool(); Whether to provide D-Bus interface and signals
205
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
260
current_checker_command: string; current running checker_command
206
261
"""
262
263
@staticmethod
264
def _timedelta_to_milliseconds(td):
265
"Convert a datetime.timedelta() to milliseconds"
266
return ((td.days * 24 * 60 * 60 * 1000)
267
+ (td.seconds * 1000)
268
+ (td.microseconds // 1000))
269
207
270
def timeout_milliseconds(self):
208
271
"Return the 'timeout' attribute in milliseconds"
209
return ((self.timeout.days * 24 * 60 * 60 * 1000)
210
+ (self.timeout.seconds * 1000)
211
+ (self.timeout.microseconds // 1000))
272
return self._timedelta_to_milliseconds(self.timeout)
212
273
213
274
def interval_milliseconds(self):
214
275
"Return the 'interval' attribute in milliseconds"
215
return ((self.interval.days * 24 * 60 * 60 * 1000)
216
+ (self.interval.seconds * 1000)
217
+ (self.interval.microseconds // 1000))
276
return self._timedelta_to_milliseconds(self.interval)
218
277
219
def __init__(self, name = None, disable_hook=None, config=None,
220
use_dbus=True):
278
def __init__(self, name = None, disable_hook=None, config=None):
221
279
"""Note: the 'checker' key in 'config' sets the
222
280
'checker_command' attribute and *not* the 'checker'
223
281
attribute."""
225
283
if config is None:
226
284
config = {}
227
285
logger.debug(u"Creating client %r", self.name)
228
self.use_dbus = use_dbus
229
if self.use_dbus:
230
self.dbus_object_path = (dbus.ObjectPath
231
("/Mandos/clients/"
232
+ self.name.replace(".", "_")))
233
dbus.service.Object.__init__(self, bus,
234
self.dbus_object_path)
235
286
# Uppercase and remove spaces from fingerprint for later
236
287
# comparison purposes with return value from the fingerprint()
237
288
# function
238
self.fingerprint = (config["fingerprint"].upper()
289
self.fingerprint = (config[u"fingerprint"].upper()
239
290
.replace(u" ", u""))
240
291
logger.debug(u" Fingerprint: %s", self.fingerprint)
241
if "secret" in config:
242
self.secret = config["secret"].decode(u"base64")
243
elif "secfile" in config:
244
with closing(open(os.path.expanduser
245
(os.path.expandvars
246
(config["secfile"])))) as secfile:
292
if u"secret" in config:
293
self.secret = config[u"secret"].decode(u"base64")
294
elif u"secfile" in config:
295
with open(os.path.expanduser(os.path.expandvars
296
(config[u"secfile"])),
297
"rb") as secfile:
247
298
self.secret = secfile.read()
248
299
else:
249
300
raise TypeError(u"No secret or secfile for client %s"
250
301
% self.name)
251
self.host = config.get("host", "")
302
self.host = config.get(u"host", u"")
252
303
self.created = datetime.datetime.utcnow()
253
304
self.enabled = False
254
305
self.last_enabled = None
255
306
self.last_checked_ok = None
256
self.timeout = string_to_delta(config["timeout"])
257
self.interval = string_to_delta(config["interval"])
307
self.timeout = string_to_delta(config[u"timeout"])
308
self.interval = string_to_delta(config[u"interval"])
258
309
self.disable_hook = disable_hook
259
310
self.checker = None
260
311
self.checker_initiator_tag = None
261
312
self.disable_initiator_tag = None
262
313
self.checker_callback_tag = None
263
self.checker_command = config["checker"]
314
self.checker_command = config[u"checker"]
315
self.current_checker_command = None
316
self.last_connect = None
264
317
265
318
def enable(self):
266
319
"""Start this client's checker and timeout hooks"""
320
if getattr(self, u"enabled", False):
321
# Already enabled
322
return
267
323
self.last_enabled = datetime.datetime.utcnow()
268
324
# Schedule a new checker to be started an 'interval' from now,
269
325
# and every interval from then on.
270
326
self.checker_initiator_tag = (gobject.timeout_add
271
327
(self.interval_milliseconds(),
272
328
self.start_checker))
273
# Also start a new checker *right now*.
274
self.start_checker()
275
329
# Schedule a disable() when 'timeout' has passed
276
330
self.disable_initiator_tag = (gobject.timeout_add
277
331
(self.timeout_milliseconds(),
278
332
self.disable))
279
333
self.enabled = True
280
if self.use_dbus:
281
# Emit D-Bus signals
282
self.PropertyChanged(dbus.String(u"enabled"),
283
dbus.Boolean(True, variant_level=1))
284
self.PropertyChanged(dbus.String(u"last_enabled"),
285
(_datetime_to_dbus(self.last_enabled,
286
variant_level=1)))
334
# Also start a new checker *right now*.
335
self.start_checker()
287
336
288
def disable(self):
337
def disable(self, quiet=True):
289
338
"""Disable this client."""
290
339
if not getattr(self, "enabled", False):
291
340
return False
292
logger.info(u"Disabling client %s", self.name)
293
if getattr(self, "disable_initiator_tag", False):
341
if not quiet:
342
logger.info(u"Disabling client %s", self.name)
343
if getattr(self, u"disable_initiator_tag", False):
294
344
gobject.source_remove(self.disable_initiator_tag)
295
345
self.disable_initiator_tag = None
296
if getattr(self, "checker_initiator_tag", False):
346
if getattr(self, u"checker_initiator_tag", False):
297
347
gobject.source_remove(self.checker_initiator_tag)
298
348
self.checker_initiator_tag = None
299
349
self.stop_checker()
300
350
if self.disable_hook:
301
351
self.disable_hook(self)
302
352
self.enabled = False
303
if self.use_dbus:
304
# Emit D-Bus signal
305
self.PropertyChanged(dbus.String(u"enabled"),
306
dbus.Boolean(False, variant_level=1))
307
353
# Do not run this again if called by a gobject.timeout_add
308
354
return False
309
355
315
361
"""The checker has completed, so take appropriate actions."""
316
362
self.checker_callback_tag = None
317
363
self.checker = None
318
if self.use_dbus:
319
# Emit D-Bus signal
320
self.PropertyChanged(dbus.String(u"checker_running"),
321
dbus.Boolean(False, variant_level=1))
322
if (os.WIFEXITED(condition)
323
and (os.WEXITSTATUS(condition) == 0)):
324
logger.info(u"Checker for %(name)s succeeded",
325
vars(self))
326
if self.use_dbus:
327
# Emit D-Bus signal
328
self.CheckerCompleted(dbus.Boolean(True),
329
dbus.UInt16(condition),
330
dbus.String(command))
331
self.bump_timeout()
332
elif not os.WIFEXITED(condition):
364
if os.WIFEXITED(condition):
365
exitstatus = os.WEXITSTATUS(condition)
366
if exitstatus == 0:
367
logger.info(u"Checker for %(name)s succeeded",
368
vars(self))
369
self.checked_ok()
370
else:
371
logger.info(u"Checker for %(name)s failed",
372
vars(self))
373
else:
333
374
logger.warning(u"Checker for %(name)s crashed?",
334
375
vars(self))
335
if self.use_dbus:
336
# Emit D-Bus signal
337
self.CheckerCompleted(dbus.Boolean(False),
338
dbus.UInt16(condition),
339
dbus.String(command))
340
else:
341
logger.info(u"Checker for %(name)s failed",
342
vars(self))
343
if self.use_dbus:
344
# Emit D-Bus signal
345
self.CheckerCompleted(dbus.Boolean(False),
346
dbus.UInt16(condition),
347
dbus.String(command))
348
376
349
def bump_timeout(self):
377
def checked_ok(self):
350
378
"""Bump up the timeout for this client.
379
351
380
This should only be called when the client has been seen,
352
381
alive and well.
353
382
"""
356
385
self.disable_initiator_tag = (gobject.timeout_add
357
386
(self.timeout_milliseconds(),
358
387
self.disable))
359
if self.use_dbus:
360
# Emit D-Bus signal
361
self.PropertyChanged(
362
dbus.String(u"last_checked_ok"),
363
(_datetime_to_dbus(self.last_checked_ok,
364
variant_level=1)))
365
388
366
389
def start_checker(self):
367
390
"""Start a new checker subprocess if one is not running.
391
368
392
If a checker already exists, leave it running and do
369
393
nothing."""
370
394
# The reason for not killing a running checker is that if we
373
397
# client would inevitably timeout, since no checker would get
374
398
# a chance to run to completion. If we instead leave running
375
399
# checkers alone, the checker would have to take more time
376
# than 'timeout' for the client to be declared invalid, which
377
# is as it should be.
400
# than 'timeout' for the client to be disabled, which is as it
401
# should be.
402
403
# If a checker exists, make sure it is not a zombie
404
try:
405
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
406
except (AttributeError, OSError), error:
407
if (isinstance(error, OSError)
408
and error.errno != errno.ECHILD):
409
raise error
410
else:
411
if pid:
412
logger.warning(u"Checker was a zombie")
413
gobject.source_remove(self.checker_callback_tag)
414
self.checker_callback(pid, status,
415
self.current_checker_command)
416
# Start a new checker if needed
378
417
if self.checker is None:
379
418
try:
380
419
# In case checker_command has exactly one % operator
381
420
command = self.checker_command % self.host
382
421
except TypeError:
383
422
# Escape attributes for the shell
384
escaped_attrs = dict((key, re.escape(str(val)))
423
escaped_attrs = dict((key,
424
re.escape(unicode(str(val),
425
errors=
426
u'replace')))
385
427
for key, val in
386
428
vars(self).iteritems())
387
429
try:
390
432
logger.error(u'Could not format string "%s":'
391
433
u' %s', self.checker_command, error)
392
434
return True # Try again later
435
self.current_checker_command = command
393
436
try:
394
437
logger.info(u"Starting checker %r for %s",
395
438
command, self.name)
399
442
# always replaced by /dev/null.)
400
443
self.checker = subprocess.Popen(command,
401
444
close_fds=True,
402
shell=True, cwd="/")
403
if self.use_dbus:
404
# Emit D-Bus signal
405
self.CheckerStarted(command)
406
self.PropertyChanged(
407
dbus.String("checker_running"),
408
dbus.Boolean(True, variant_level=1))
445
shell=True, cwd=u"/")
409
446
self.checker_callback_tag = (gobject.child_watch_add
410
447
(self.checker.pid,
411
448
self.checker_callback,
412
449
data=command))
450
# The checker may have completed before the gobject
451
# watch was added. Check for this.
452
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
453
if pid:
454
gobject.source_remove(self.checker_callback_tag)
455
self.checker_callback(pid, status, command)
413
456
except OSError, error:
414
457
logger.error(u"Failed to start subprocess: %s",
415
458
error)
421
464
if self.checker_callback_tag:
422
465
gobject.source_remove(self.checker_callback_tag)
423
466
self.checker_callback_tag = None
424
if getattr(self, "checker", None) is None:
467
if getattr(self, u"checker", None) is None:
425
468
return
426
469
logger.debug(u"Stopping checker for %(name)s", vars(self))
427
470
try:
428
471
os.kill(self.checker.pid, signal.SIGTERM)
429
#os.sleep(0.5)
472
#time.sleep(0.5)
430
473
#if self.checker.poll() is None:
431
474
# os.kill(self.checker.pid, signal.SIGKILL)
432
475
except OSError, error:
433
476
if error.errno != errno.ESRCH: # No such process
434
477
raise
435
478
self.checker = None
436
if self.use_dbus:
479
480
481
def dbus_service_property(dbus_interface, signature=u"v",
482
access=u"readwrite", byte_arrays=False):
483
"""Decorators for marking methods of a DBusObjectWithProperties to
484
become properties on the D-Bus.
485
486
The decorated method will be called with no arguments by "Get"
487
and with one argument by "Set".
488
489
The parameters, where they are supported, are the same as
490
dbus.service.method, except there is only "signature", since the
491
type from Get() and the type sent to Set() is the same.
492
"""
493
# Encoding deeply encoded byte arrays is not supported yet by the
494
# "Set" method, so we fail early here:
495
if byte_arrays and signature != u"ay":
496
raise ValueError(u"Byte arrays not supported for non-'ay'"
497
u" signature %r" % signature)
498
def decorator(func):
499
func._dbus_is_property = True
500
func._dbus_interface = dbus_interface
501
func._dbus_signature = signature
502
func._dbus_access = access
503
func._dbus_name = func.__name__
504
if func._dbus_name.endswith(u"_dbus_property"):
505
func._dbus_name = func._dbus_name[:-14]
506
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
507
return func
508
return decorator
509
510
511
class DBusPropertyException(dbus.exceptions.DBusException):
512
"""A base class for D-Bus property-related exceptions
513
"""
514
def __unicode__(self):
515
return unicode(str(self))
516
517
518
class DBusPropertyAccessException(DBusPropertyException):
519
"""A property's access permissions disallows an operation.
520
"""
521
pass
522
523
524
class DBusPropertyNotFound(DBusPropertyException):
525
"""An attempt was made to access a non-existing property.
526
"""
527
pass
528
529
530
class DBusObjectWithProperties(dbus.service.Object):
531
"""A D-Bus object with properties.
532
533
Classes inheriting from this can use the dbus_service_property
534
decorator to expose methods as D-Bus properties. It exposes the
535
standard Get(), Set(), and GetAll() methods on the D-Bus.
536
"""
537
538
@staticmethod
539
def _is_dbus_property(obj):
540
return getattr(obj, u"_dbus_is_property", False)
541
542
def _get_all_dbus_properties(self):
543
"""Returns a generator of (name, attribute) pairs
544
"""
545
return ((prop._dbus_name, prop)
546
for name, prop in
547
inspect.getmembers(self, self._is_dbus_property))
548
549
def _get_dbus_property(self, interface_name, property_name):
550
"""Returns a bound method if one exists which is a D-Bus
551
property with the specified name and interface.
552
"""
553
for name in (property_name,
554
property_name + u"_dbus_property"):
555
prop = getattr(self, name, None)
556
if (prop is None
557
or not self._is_dbus_property(prop)
558
or prop._dbus_name != property_name
559
or (interface_name and prop._dbus_interface
560
and interface_name != prop._dbus_interface)):
561
continue
562
return prop
563
# No such property
564
raise DBusPropertyNotFound(self.dbus_object_path + u":"
565
+ interface_name + u"."
566
+ property_name)
567
568
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
569
out_signature=u"v")
570
def Get(self, interface_name, property_name):
571
"""Standard D-Bus property Get() method, see D-Bus standard.
572
"""
573
prop = self._get_dbus_property(interface_name, property_name)
574
if prop._dbus_access == u"write":
575
raise DBusPropertyAccessException(property_name)
576
value = prop()
577
if not hasattr(value, u"variant_level"):
578
return value
579
return type(value)(value, variant_level=value.variant_level+1)
580
581
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
582
def Set(self, interface_name, property_name, value):
583
"""Standard D-Bus property Set() method, see D-Bus standard.
584
"""
585
prop = self._get_dbus_property(interface_name, property_name)
586
if prop._dbus_access == u"read":
587
raise DBusPropertyAccessException(property_name)
588
if prop._dbus_get_args_options[u"byte_arrays"]:
589
# The byte_arrays option is not supported yet on
590
# signatures other than "ay".
591
if prop._dbus_signature != u"ay":
592
raise ValueError
593
value = dbus.ByteArray(''.join(unichr(byte)
594
for byte in value))
595
prop(value)
596
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
598
out_signature=u"a{sv}")
599
def GetAll(self, interface_name):
600
"""Standard D-Bus property GetAll() method, see D-Bus
601
standard.
602
603
Note: Will not include properties with access="write".
604
"""
605
all = {}
606
for name, prop in self._get_all_dbus_properties():
607
if (interface_name
608
and interface_name != prop._dbus_interface):
609
# Interface non-empty but did not match
610
continue
611
# Ignore write-only properties
612
if prop._dbus_access == u"write":
613
continue
614
value = prop()
615
if not hasattr(value, u"variant_level"):
616
all[name] = value
617
continue
618
all[name] = type(value)(value, variant_level=
619
value.variant_level+1)
620
return dbus.Dictionary(all, signature=u"sv")
621
622
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
623
out_signature=u"s",
624
path_keyword='object_path',
625
connection_keyword='connection')
626
def Introspect(self, object_path, connection):
627
"""Standard D-Bus method, overloaded to insert property tags.
628
"""
629
xmlstring = dbus.service.Object.Introspect(self, object_path,
630
connection)
631
try:
632
document = xml.dom.minidom.parseString(xmlstring)
633
def make_tag(document, name, prop):
634
e = document.createElement(u"property")
635
e.setAttribute(u"name", name)
636
e.setAttribute(u"type", prop._dbus_signature)
637
e.setAttribute(u"access", prop._dbus_access)
638
return e
639
for if_tag in document.getElementsByTagName(u"interface"):
640
for tag in (make_tag(document, name, prop)
641
for name, prop
642
in self._get_all_dbus_properties()
643
if prop._dbus_interface
644
== if_tag.getAttribute(u"name")):
645
if_tag.appendChild(tag)
646
# Add the names to the return values for the
647
# "org.freedesktop.DBus.Properties" methods
648
if (if_tag.getAttribute(u"name")
649
== u"org.freedesktop.DBus.Properties"):
650
for cn in if_tag.getElementsByTagName(u"method"):
651
if cn.getAttribute(u"name") == u"Get":
652
for arg in cn.getElementsByTagName(u"arg"):
653
if (arg.getAttribute(u"direction")
654
== u"out"):
655
arg.setAttribute(u"name", u"value")
656
elif cn.getAttribute(u"name") == u"GetAll":
657
for arg in cn.getElementsByTagName(u"arg"):
658
if (arg.getAttribute(u"direction")
659
== u"out"):
660
arg.setAttribute(u"name", u"props")
661
xmlstring = document.toxml(u"utf-8")
662
document.unlink()
663
except (AttributeError, xml.dom.DOMException,
664
xml.parsers.expat.ExpatError), error:
665
logger.error(u"Failed to override Introspection method",
666
error)
667
return xmlstring
668
669
670
class ClientDBus(Client, DBusObjectWithProperties):
671
"""A Client class using D-Bus
672
673
Attributes:
674
dbus_object_path: dbus.ObjectPath
675
bus: dbus.SystemBus()
676
"""
677
# dbus.service.Object doesn't use super(), so we can't either.
678
679
def __init__(self, bus = None, *args, **kwargs):
680
self.bus = bus
681
Client.__init__(self, *args, **kwargs)
682
# Only now, when this client is initialized, can it show up on
683
# the D-Bus
684
self.dbus_object_path = (dbus.ObjectPath
685
(u"/clients/"
686
+ self.name.replace(u".", u"_")))
687
DBusObjectWithProperties.__init__(self, self.bus,
688
self.dbus_object_path)
689
690
@staticmethod
691
def _datetime_to_dbus(dt, variant_level=0):
692
"""Convert a UTC datetime.datetime() to a D-Bus type."""
693
return dbus.String(dt.isoformat(),
694
variant_level=variant_level)
695
696
def enable(self):
697
oldstate = getattr(self, u"enabled", False)
698
r = Client.enable(self)
699
if oldstate != self.enabled:
700
# Emit D-Bus signals
701
self.PropertyChanged(dbus.String(u"enabled"),
702
dbus.Boolean(True, variant_level=1))
703
self.PropertyChanged(
704
dbus.String(u"last_enabled"),
705
self._datetime_to_dbus(self.last_enabled,
706
variant_level=1))
707
return r
708
709
def disable(self, quiet = False):
710
oldstate = getattr(self, u"enabled", False)
711
r = Client.disable(self, quiet=quiet)
712
if not quiet and oldstate != self.enabled:
713
# Emit D-Bus signal
714
self.PropertyChanged(dbus.String(u"enabled"),
715
dbus.Boolean(False, variant_level=1))
716
return r
717
718
def __del__(self, *args, **kwargs):
719
try:
720
self.remove_from_connection()
721
except LookupError:
722
pass
723
if hasattr(DBusObjectWithProperties, u"__del__"):
724
DBusObjectWithProperties.__del__(self, *args, **kwargs)
725
Client.__del__(self, *args, **kwargs)
726
727
def checker_callback(self, pid, condition, command,
728
*args, **kwargs):
729
self.checker_callback_tag = None
730
self.checker = None
731
# Emit D-Bus signal
732
self.PropertyChanged(dbus.String(u"checker_running"),
733
dbus.Boolean(False, variant_level=1))
734
if os.WIFEXITED(condition):
735
exitstatus = os.WEXITSTATUS(condition)
736
# Emit D-Bus signal
737
self.CheckerCompleted(dbus.Int16(exitstatus),
738
dbus.Int64(condition),
739
dbus.String(command))
740
else:
741
# Emit D-Bus signal
742
self.CheckerCompleted(dbus.Int16(-1),
743
dbus.Int64(condition),
744
dbus.String(command))
745
746
return Client.checker_callback(self, pid, condition, command,
747
*args, **kwargs)
748
749
def checked_ok(self, *args, **kwargs):
750
r = Client.checked_ok(self, *args, **kwargs)
751
# Emit D-Bus signal
752
self.PropertyChanged(
753
dbus.String(u"last_checked_ok"),
754
(self._datetime_to_dbus(self.last_checked_ok,
755
variant_level=1)))
756
return r
757
758
def start_checker(self, *args, **kwargs):
759
old_checker = self.checker
760
if self.checker is not None:
761
old_checker_pid = self.checker.pid
762
else:
763
old_checker_pid = None
764
r = Client.start_checker(self, *args, **kwargs)
765
# Only if new checker process was started
766
if (self.checker is not None
767
and old_checker_pid != self.checker.pid):
768
# Emit D-Bus signal
769
self.CheckerStarted(self.current_checker_command)
770
self.PropertyChanged(
771
dbus.String(u"checker_running"),
772
dbus.Boolean(True, variant_level=1))
773
return r
774
775
def stop_checker(self, *args, **kwargs):
776
old_checker = getattr(self, u"checker", None)
777
r = Client.stop_checker(self, *args, **kwargs)
778
if (old_checker is not None
779
and getattr(self, u"checker", None) is None):
437
780
self.PropertyChanged(dbus.String(u"checker_running"),
438
781
dbus.Boolean(False, variant_level=1))
439
440
def still_valid(self):
441
"""Has the timeout not yet passed for this client?"""
442
if not getattr(self, "enabled", False):
443
return False
444
now = datetime.datetime.utcnow()
445
if self.last_checked_ok is None:
446
return now < (self.created + self.timeout)
447
else:
448
return now < (self.last_checked_ok + self.timeout)
449
450
## D-Bus methods & signals
451
_interface = u"org.mandos_system.Mandos.Client"
452
453
# BumpTimeout - method
454
BumpTimeout = dbus.service.method(_interface)(bump_timeout)
455
BumpTimeout.__name__ = "BumpTimeout"
782
return r
783
784
## D-Bus methods, signals & properties
785
_interface = u"se.bsnet.fukt.Mandos.Client"
786
787
## Signals
456
788
457
789
# CheckerCompleted - signal
458
@dbus.service.signal(_interface, signature="bqs")
459
def CheckerCompleted(self, success, condition, command):
790
@dbus.service.signal(_interface, signature=u"nxs")
791
def CheckerCompleted(self, exitcode, waitstatus, command):
460
792
"D-Bus signal"
461
793
pass
462
794
463
795
# CheckerStarted - signal
464
@dbus.service.signal(_interface, signature="s")
796
@dbus.service.signal(_interface, signature=u"s")
465
797
def CheckerStarted(self, command):
466
798
"D-Bus signal"
467
799
pass
468
800
469
# GetAllProperties - method
470
@dbus.service.method(_interface, out_signature="a{sv}")
471
def GetAllProperties(self):
472
"D-Bus method"
473
return dbus.Dictionary({
474
dbus.String("name"):
475
dbus.String(self.name, variant_level=1),
476
dbus.String("fingerprint"):
477
dbus.String(self.fingerprint, variant_level=1),
478
dbus.String("host"):
479
dbus.String(self.host, variant_level=1),
480
dbus.String("created"):
481
_datetime_to_dbus(self.created, variant_level=1),
482
dbus.String("last_enabled"):
483
(_datetime_to_dbus(self.last_enabled,
484
variant_level=1)
485
if self.last_enabled is not None
486
else dbus.Boolean(False, variant_level=1)),
487
dbus.String("enabled"):
488
dbus.Boolean(self.enabled, variant_level=1),
489
dbus.String("last_checked_ok"):
490
(_datetime_to_dbus(self.last_checked_ok,
491
variant_level=1)
492
if self.last_checked_ok is not None
493
else dbus.Boolean (False, variant_level=1)),
494
dbus.String("timeout"):
495
dbus.UInt64(self.timeout_milliseconds(),
496
variant_level=1),
497
dbus.String("interval"):
498
dbus.UInt64(self.interval_milliseconds(),
499
variant_level=1),
500
dbus.String("checker"):
501
dbus.String(self.checker_command,
502
variant_level=1),
503
dbus.String("checker_running"):
504
dbus.Boolean(self.checker is not None,
505
variant_level=1),
506
}, signature="sv")
507
508
# IsStillValid - method
509
IsStillValid = (dbus.service.method(_interface, out_signature="b")
510
(still_valid))
511
IsStillValid.__name__ = "IsStillValid"
512
513
801
# PropertyChanged - signal
514
@dbus.service.signal(_interface, signature="sv")
802
@dbus.service.signal(_interface, signature=u"sv")
515
803
def PropertyChanged(self, property, value):
516
804
"D-Bus signal"
517
805
pass
518
806
519
# SetChecker - method
520
@dbus.service.method(_interface, in_signature="s")
521
def SetChecker(self, checker):
522
"D-Bus setter method"
523
self.checker_command = checker
524
# Emit D-Bus signal
525
self.PropertyChanged(dbus.String(u"checker"),
526
dbus.String(self.checker_command,
527
variant_level=1))
528
529
# SetHost - method
530
@dbus.service.method(_interface, in_signature="s")
531
def SetHost(self, host):
532
"D-Bus setter method"
533
self.host = host
534
# Emit D-Bus signal
535
self.PropertyChanged(dbus.String(u"host"),
536
dbus.String(self.host, variant_level=1))
537
538
# SetInterval - method
539
@dbus.service.method(_interface, in_signature="t")
540
def SetInterval(self, milliseconds):
541
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
542
# Emit D-Bus signal
543
self.PropertyChanged(dbus.String(u"interval"),
544
(dbus.UInt64(self.interval_milliseconds(),
545
variant_level=1)))
546
547
# SetSecret - method
548
@dbus.service.method(_interface, in_signature="ay",
549
byte_arrays=True)
550
def SetSecret(self, secret):
551
"D-Bus setter method"
552
self.secret = str(secret)
553
554
# SetTimeout - method
555
@dbus.service.method(_interface, in_signature="t")
556
def SetTimeout(self, milliseconds):
557
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
558
# Emit D-Bus signal
559
self.PropertyChanged(dbus.String(u"timeout"),
560
(dbus.UInt64(self.timeout_milliseconds(),
561
variant_level=1)))
807
# GotSecret - signal
808
@dbus.service.signal(_interface)
809
def GotSecret(self):
810
"D-Bus signal"
811
pass
812
813
# Rejected - signal
814
@dbus.service.signal(_interface)
815
def Rejected(self):
816
"D-Bus signal"
817
pass
818
819
## Methods
820
821
# CheckedOK - method
822
@dbus.service.method(_interface)
823
def CheckedOK(self):
824
return self.checked_ok()
562
825
563
826
# Enable - method
564
Enable = dbus.service.method(_interface)(enable)
565
Enable.__name__ = "Enable"
827
@dbus.service.method(_interface)
828
def Enable(self):
829
"D-Bus method"
830
self.enable()
566
831
567
832
# StartChecker - method
568
833
@dbus.service.method(_interface)
577
842
self.disable()
578
843
579
844
# StopChecker - method
580
StopChecker = dbus.service.method(_interface)(stop_checker)
581
StopChecker.__name__ = "StopChecker"
845
@dbus.service.method(_interface)
846
def StopChecker(self):
847
self.stop_checker()
848
849
## Properties
850
851
# name - property
852
@dbus_service_property(_interface, signature=u"s", access=u"read")
853
def name_dbus_property(self):
854
return dbus.String(self.name)
855
856
# fingerprint - property
857
@dbus_service_property(_interface, signature=u"s", access=u"read")
858
def fingerprint_dbus_property(self):
859
return dbus.String(self.fingerprint)
860
861
# host - property
862
@dbus_service_property(_interface, signature=u"s",
863
access=u"readwrite")
864
def host_dbus_property(self, value=None):
865
if value is None: # get
866
return dbus.String(self.host)
867
self.host = value
868
# Emit D-Bus signal
869
self.PropertyChanged(dbus.String(u"host"),
870
dbus.String(value, variant_level=1))
871
872
# created - property
873
@dbus_service_property(_interface, signature=u"s", access=u"read")
874
def created_dbus_property(self):
875
return dbus.String(self._datetime_to_dbus(self.created))
876
877
# last_enabled - property
878
@dbus_service_property(_interface, signature=u"s", access=u"read")
879
def last_enabled_dbus_property(self):
880
if self.last_enabled is None:
881
return dbus.String(u"")
882
return dbus.String(self._datetime_to_dbus(self.last_enabled))
883
884
# enabled - property
885
@dbus_service_property(_interface, signature=u"b",
886
access=u"readwrite")
887
def enabled_dbus_property(self, value=None):
888
if value is None: # get
889
return dbus.Boolean(self.enabled)
890
if value:
891
self.enable()
892
else:
893
self.disable()
894
895
# last_checked_ok - property
896
@dbus_service_property(_interface, signature=u"s",
897
access=u"readwrite")
898
def last_checked_ok_dbus_property(self, value=None):
899
if value is not None:
900
self.checked_ok()
901
return
902
if self.last_checked_ok is None:
903
return dbus.String(u"")
904
return dbus.String(self._datetime_to_dbus(self
905
.last_checked_ok))
906
907
# timeout - property
908
@dbus_service_property(_interface, signature=u"t",
909
access=u"readwrite")
910
def timeout_dbus_property(self, value=None):
911
if value is None: # get
912
return dbus.UInt64(self.timeout_milliseconds())
913
self.timeout = datetime.timedelta(0, 0, 0, value)
914
# Emit D-Bus signal
915
self.PropertyChanged(dbus.String(u"timeout"),
916
dbus.UInt64(value, variant_level=1))
917
if getattr(self, u"disable_initiator_tag", None) is None:
918
return
919
# Reschedule timeout
920
gobject.source_remove(self.disable_initiator_tag)
921
self.disable_initiator_tag = None
922
time_to_die = (self.
923
_timedelta_to_milliseconds((self
924
.last_checked_ok
925
+ self.timeout)
926
- datetime.datetime
927
.utcnow()))
928
if time_to_die <= 0:
929
# The timeout has passed
930
self.disable()
931
else:
932
self.disable_initiator_tag = (gobject.timeout_add
933
(time_to_die, self.disable))
934
935
# interval - property
936
@dbus_service_property(_interface, signature=u"t",
937
access=u"readwrite")
938
def interval_dbus_property(self, value=None):
939
if value is None: # get
940
return dbus.UInt64(self.interval_milliseconds())
941
self.interval = datetime.timedelta(0, 0, 0, value)
942
# Emit D-Bus signal
943
self.PropertyChanged(dbus.String(u"interval"),
944
dbus.UInt64(value, variant_level=1))
945
if getattr(self, u"checker_initiator_tag", None) is None:
946
return
947
# Reschedule checker run
948
gobject.source_remove(self.checker_initiator_tag)
949
self.checker_initiator_tag = (gobject.timeout_add
950
(value, self.start_checker))
951
self.start_checker() # Start one now, too
952
953
# checker - property
954
@dbus_service_property(_interface, signature=u"s",
955
access=u"readwrite")
956
def checker_dbus_property(self, value=None):
957
if value is None: # get
958
return dbus.String(self.checker_command)
959
self.checker_command = value
960
# Emit D-Bus signal
961
self.PropertyChanged(dbus.String(u"checker"),
962
dbus.String(self.checker_command,
963
variant_level=1))
964
965
# checker_running - property
966
@dbus_service_property(_interface, signature=u"b",
967
access=u"readwrite")
968
def checker_running_dbus_property(self, value=None):
969
if value is None: # get
970
return dbus.Boolean(self.checker is not None)
971
if value:
972
self.start_checker()
973
else:
974
self.stop_checker()
975
976
# object_path - property
977
@dbus_service_property(_interface, signature=u"o", access=u"read")
978
def object_path_dbus_property(self):
979
return self.dbus_object_path # is already a dbus.ObjectPath
980
981
# secret = property
982
@dbus_service_property(_interface, signature=u"ay",
983
access=u"write", byte_arrays=True)
984
def secret_dbus_property(self, value):
985
self.secret = str(value)
582
986
583
987
del _interface
584
988
585
989
586
def peer_certificate(session):
587
"Return the peer's OpenPGP certificate as a bytestring"
588
# If not an OpenPGP certificate...
589
if (gnutls.library.functions
590
.gnutls_certificate_type_get(session._c_object)
591
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
592
# ...do the normal thing
593
return session.peer_certificate
594
list_size = ctypes.c_uint()
595
cert_list = (gnutls.library.functions
596
.gnutls_certificate_get_peers
597
(session._c_object, ctypes.byref(list_size)))
598
if list_size.value == 0:
599
return None
600
cert = cert_list[0]
601
return ctypes.string_at(cert.data, cert.size)
602
603
604
def fingerprint(openpgp):
605
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
606
# New GnuTLS "datum" with the OpenPGP public key
607
datum = (gnutls.library.types
608
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
609
ctypes.POINTER
610
(ctypes.c_ubyte)),
611
ctypes.c_uint(len(openpgp))))
612
# New empty GnuTLS certificate
613
crt = gnutls.library.types.gnutls_openpgp_crt_t()
614
(gnutls.library.functions
615
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
616
# Import the OpenPGP public key into the certificate
617
(gnutls.library.functions
618
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
619
gnutls.library.constants
620
.GNUTLS_OPENPGP_FMT_RAW))
621
# Verify the self signature in the key
622
crtverify = ctypes.c_uint()
623
(gnutls.library.functions
624
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
625
if crtverify.value != 0:
626
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
627
raise gnutls.errors.CertificateSecurityError("Verify failed")
628
# New buffer for the fingerprint
629
buf = ctypes.create_string_buffer(20)
630
buf_len = ctypes.c_size_t()
631
# Get the fingerprint from the certificate into the buffer
632
(gnutls.library.functions
633
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
634
ctypes.byref(buf_len)))
635
# Deinit the certificate
636
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
637
# Convert the buffer to a Python bytestring
638
fpr = ctypes.string_at(buf, buf_len.value)
639
# Convert the bytestring to hexadecimal notation
640
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
641
return hex_fpr
642
643
644
class TCP_handler(SocketServer.BaseRequestHandler, object):
645
"""A TCP request handler class.
646
Instantiated by IPv6_TCPServer for each request to handle it.
990
class ClientHandler(socketserver.BaseRequestHandler, object):
991
"""A class to handle client connections.
992
993
Instantiated once for each connection to handle it.
647
994
Note: This will run in its own forked process."""
648
995
649
996
def handle(self):
650
997
logger.info(u"TCP connection from: %s",
651
998
unicode(self.client_address))
652
session = (gnutls.connection
653
.ClientSession(self.request,
654
gnutls.connection
655
.X509Credentials()))
656
657
line = self.request.makefile().readline()
658
logger.debug(u"Protocol version: %r", line)
659
try:
660
if int(line.strip().split()[0]) > 1:
661
raise RuntimeError
662
except (ValueError, IndexError, RuntimeError), error:
663
logger.error(u"Unknown protocol version: %s", error)
664
return
665
666
# Note: gnutls.connection.X509Credentials is really a generic
667
# GnuTLS certificate credentials object so long as no X.509
668
# keys are added to it. Therefore, we can use it here despite
669
# using OpenPGP certificates.
670
671
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
672
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
673
# "+DHE-DSS"))
674
# Use a fallback default, since this MUST be set.
675
priority = self.server.settings.get("priority", "NORMAL")
676
(gnutls.library.functions
677
.gnutls_priority_set_direct(session._c_object,
678
priority, None))
679
680
try:
681
session.handshake()
682
except gnutls.errors.GNUTLSError, error:
683
logger.warning(u"Handshake failed: %s", error)
684
# Do not run session.bye() here: the session is not
685
# established. Just abandon the request.
686
return
687
try:
688
fpr = fingerprint(peer_certificate(session))
689
except (TypeError, gnutls.errors.GNUTLSError), error:
690
logger.warning(u"Bad certificate: %s", error)
691
session.bye()
692
return
693
logger.debug(u"Fingerprint: %s", fpr)
694
for c in self.server.clients:
695
if c.fingerprint == fpr:
696
client = c
697
break
698
else:
699
logger.warning(u"Client not found for fingerprint: %s",
700
fpr)
701
session.bye()
702
return
703
# Have to check if client.still_valid(), since it is possible
704
# that the client timed out while establishing the GnuTLS
705
# session.
706
if not client.still_valid():
707
logger.warning(u"Client %(name)s is invalid",
708
vars(client))
709
session.bye()
710
return
711
## This won't work here, since we're in a fork.
712
# client.bump_timeout()
713
sent_size = 0
714
while sent_size < len(client.secret):
715
sent = session.send(client.secret[sent_size:])
716
logger.debug(u"Sent: %d, remaining: %d",
717
sent, len(client.secret)
718
- (sent_size + sent))
719
sent_size += sent
720
session.bye()
721
722
723
class IPv6_TCPServer(SocketServer.ForkingMixIn,
724
SocketServer.TCPServer, object):
725
"""IPv6 TCP server. Accepts 'None' as address and/or port.
999
logger.debug(u"IPC Pipe FD: %d",
1000
self.server.child_pipe[1].fileno())
1001
# Open IPC pipe to parent process
1002
with contextlib.nested(self.server.child_pipe[1],
1003
self.server.parent_pipe[0]
1004
) as (ipc, ipc_return):
1005
session = (gnutls.connection
1006
.ClientSession(self.request,
1007
gnutls.connection
1008
.X509Credentials()))
1009
1010
# Note: gnutls.connection.X509Credentials is really a
1011
# generic GnuTLS certificate credentials object so long as
1012
# no X.509 keys are added to it. Therefore, we can use it
1013
# here despite using OpenPGP certificates.
1014
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1016
# u"+AES-256-CBC", u"+SHA1",
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1018
# u"+DHE-DSS"))
1019
# Use a fallback default, since this MUST be set.
1020
priority = self.server.gnutls_priority
1021
if priority is None:
1022
priority = u"NORMAL"
1023
(gnutls.library.functions
1024
.gnutls_priority_set_direct(session._c_object,
1025
priority, None))
1026
1027
# Start communication using the Mandos protocol
1028
# Get protocol number
1029
line = self.request.makefile().readline()
1030
logger.debug(u"Protocol version: %r", line)
1031
try:
1032
if int(line.strip().split()[0]) > 1:
1033
raise RuntimeError
1034
except (ValueError, IndexError, RuntimeError), error:
1035
logger.error(u"Unknown protocol version: %s", error)
1036
return
1037
1038
# Start GnuTLS connection
1039
try:
1040
session.handshake()
1041
except gnutls.errors.GNUTLSError, error:
1042
logger.warning(u"Handshake failed: %s", error)
1043
# Do not run session.bye() here: the session is not
1044
# established. Just abandon the request.
1045
return
1046
logger.debug(u"Handshake succeeded")
1047
try:
1048
try:
1049
fpr = self.fingerprint(self.peer_certificate
1050
(session))
1051
except (TypeError, gnutls.errors.GNUTLSError), error:
1052
logger.warning(u"Bad certificate: %s", error)
1053
return
1054
logger.debug(u"Fingerprint: %s", fpr)
1055
1056
for c in self.server.clients:
1057
if c.fingerprint == fpr:
1058
client = c
1059
break
1060
else:
1061
ipc.write(u"NOTFOUND %s %s\n"
1062
% (fpr, unicode(self.client_address)))
1063
return
1064
1065
class ClientProxy(object):
1066
"""Client proxy object. Not for calling methods."""
1067
def __init__(self, client):
1068
self.client = client
1069
def __getattr__(self, name):
1070
if name.startswith("ipc_"):
1071
def tempfunc():
1072
ipc.write("%s %s\n" % (name[4:].upper(),
1073
self.client.name))
1074
return tempfunc
1075
if not hasattr(self.client, name):
1076
raise AttributeError
1077
ipc.write(u"GETATTR %s %s\n"
1078
% (name, self.client.fingerprint))
1079
return pickle.load(ipc_return)
1080
clientproxy = ClientProxy(client)
1081
# Have to check if client.enabled, since it is
1082
# possible that the client was disabled since the
1083
# GnuTLS session was established.
1084
if not clientproxy.enabled:
1085
clientproxy.ipc_disabled()
1086
return
1087
1088
clientproxy.ipc_sending()
1089
sent_size = 0
1090
while sent_size < len(client.secret):
1091
sent = session.send(client.secret[sent_size:])
1092
logger.debug(u"Sent: %d, remaining: %d",
1093
sent, len(client.secret)
1094
- (sent_size + sent))
1095
sent_size += sent
1096
finally:
1097
session.bye()
1098
1099
@staticmethod
1100
def peer_certificate(session):
1101
"Return the peer's OpenPGP certificate as a bytestring"
1102
# If not an OpenPGP certificate...
1103
if (gnutls.library.functions
1104
.gnutls_certificate_type_get(session._c_object)
1105
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1106
# ...do the normal thing
1107
return session.peer_certificate
1108
list_size = ctypes.c_uint(1)
1109
cert_list = (gnutls.library.functions
1110
.gnutls_certificate_get_peers
1111
(session._c_object, ctypes.byref(list_size)))
1112
if not bool(cert_list) and list_size.value != 0:
1113
raise gnutls.errors.GNUTLSError(u"error getting peer"
1114
u" certificate")
1115
if list_size.value == 0:
1116
return None
1117
cert = cert_list[0]
1118
return ctypes.string_at(cert.data, cert.size)
1119
1120
@staticmethod
1121
def fingerprint(openpgp):
1122
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1123
# New GnuTLS "datum" with the OpenPGP public key
1124
datum = (gnutls.library.types
1125
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1126
ctypes.POINTER
1127
(ctypes.c_ubyte)),
1128
ctypes.c_uint(len(openpgp))))
1129
# New empty GnuTLS certificate
1130
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1131
(gnutls.library.functions
1132
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1133
# Import the OpenPGP public key into the certificate
1134
(gnutls.library.functions
1135
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1136
gnutls.library.constants
1137
.GNUTLS_OPENPGP_FMT_RAW))
1138
# Verify the self signature in the key
1139
crtverify = ctypes.c_uint()
1140
(gnutls.library.functions
1141
.gnutls_openpgp_crt_verify_self(crt, 0,
1142
ctypes.byref(crtverify)))
1143
if crtverify.value != 0:
1144
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1145
raise (gnutls.errors.CertificateSecurityError
1146
(u"Verify failed"))
1147
# New buffer for the fingerprint
1148
buf = ctypes.create_string_buffer(20)
1149
buf_len = ctypes.c_size_t()
1150
# Get the fingerprint from the certificate into the buffer
1151
(gnutls.library.functions
1152
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1153
ctypes.byref(buf_len)))
1154
# Deinit the certificate
1155
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1156
# Convert the buffer to a Python bytestring
1157
fpr = ctypes.string_at(buf, buf_len.value)
1158
# Convert the bytestring to hexadecimal notation
1159
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1160
return hex_fpr
1161
1162
1163
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1164
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1165
def process_request(self, request, client_address):
1166
"""Overrides and wraps the original process_request().
1167
1168
This function creates a new pipe in self.pipe
1169
"""
1170
# Child writes to child_pipe
1171
self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1172
# Parent writes to parent_pipe
1173
self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1174
super(ForkingMixInWithPipes,
1175
self).process_request(request, client_address)
1176
# Close unused ends for parent
1177
self.parent_pipe[0].close() # close read end
1178
self.child_pipe[1].close() # close write end
1179
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1180
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1181
"""Dummy function; override as necessary"""
1182
child_pipe_fd.close()
1183
parent_pipe_fd.close()
1184
1185
1186
class IPv6_TCPServer(ForkingMixInWithPipes,
1187
socketserver.TCPServer, object):
1188
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1189
726
1190
Attributes:
727
settings: Server settings
728
clients: Set() of Client objects
729
1191
enabled: Boolean; whether this server is activated yet
1192
interface: None or a network interface name (string)
1193
use_ipv6: Boolean; to use IPv6 or not
730
1194
"""
731
address_family = socket.AF_INET6
732
def __init__(self, *args, **kwargs):
733
if "settings" in kwargs:
734
self.settings = kwargs["settings"]
735
del kwargs["settings"]
736
if "clients" in kwargs:
737
self.clients = kwargs["clients"]
738
del kwargs["clients"]
739
self.enabled = False
740
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1195
def __init__(self, server_address, RequestHandlerClass,
1196
interface=None, use_ipv6=True):
1197
self.interface = interface
1198
if use_ipv6:
1199
self.address_family = socket.AF_INET6
1200
socketserver.TCPServer.__init__(self, server_address,
1201
RequestHandlerClass)
741
1202
def server_bind(self):
742
1203
"""This overrides the normal server_bind() function
743
1204
to bind to an interface if one was specified, and also NOT to
744
1205
bind to an address or port if they were not specified."""
745
if self.settings["interface"]:
746
# 25 is from /usr/include/asm-i486/socket.h
747
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
748
try:
749
self.socket.setsockopt(socket.SOL_SOCKET,
750
SO_BINDTODEVICE,
751
self.settings["interface"])
752
except socket.error, error:
753
if error[0] == errno.EPERM:
754
logger.error(u"No permission to"
755
u" bind to interface %s",
756
self.settings["interface"])
757
else:
758
raise error
1206
if self.interface is not None:
1207
if SO_BINDTODEVICE is None:
1208
logger.error(u"SO_BINDTODEVICE does not exist;"
1209
u" cannot bind to interface %s",
1210
self.interface)
1211
else:
1212
try:
1213
self.socket.setsockopt(socket.SOL_SOCKET,
1214
SO_BINDTODEVICE,
1215
str(self.interface
1216
+ u'\0'))
1217
except socket.error, error:
1218
if error[0] == errno.EPERM:
1219
logger.error(u"No permission to"
1220
u" bind to interface %s",
1221
self.interface)
1222
elif error[0] == errno.ENOPROTOOPT:
1223
logger.error(u"SO_BINDTODEVICE not available;"
1224
u" cannot bind to interface %s",
1225
self.interface)
1226
else:
1227
raise
759
1228
# Only bind(2) the socket if we really need to.
760
1229
if self.server_address[0] or self.server_address[1]:
761
1230
if not self.server_address[0]:
762
in6addr_any = "::"
763
self.server_address = (in6addr_any,
1231
if self.address_family == socket.AF_INET6:
1232
any_address = u"::" # in6addr_any
1233
else:
1234
any_address = socket.INADDR_ANY
1235
self.server_address = (any_address,
764
1236
self.server_address[1])
765
1237
elif not self.server_address[1]:
766
1238
self.server_address = (self.server_address[0],
767
1239
0)
768
# if self.settings["interface"]:
1240
# if self.interface:
769
1241
# self.server_address = (self.server_address[0],
770
1242
# 0, # port
771
1243
# 0, # flowinfo
772
1244
# if_nametoindex
773
# (self.settings
774
# ["interface"]))
775
return super(IPv6_TCPServer, self).server_bind()
1245
# (self.interface))
1246
return socketserver.TCPServer.server_bind(self)
1247
1248
1249
class MandosServer(IPv6_TCPServer):
1250
"""Mandos server.
1251
1252
Attributes:
1253
clients: set of Client objects
1254
gnutls_priority GnuTLS priority string
1255
use_dbus: Boolean; to emit D-Bus signals or not
1256
1257
Assumes a gobject.MainLoop event loop.
1258
"""
1259
def __init__(self, server_address, RequestHandlerClass,
1260
interface=None, use_ipv6=True, clients=None,
1261
gnutls_priority=None, use_dbus=True):
1262
self.enabled = False
1263
self.clients = clients
1264
if self.clients is None:
1265
self.clients = set()
1266
self.use_dbus = use_dbus
1267
self.gnutls_priority = gnutls_priority
1268
IPv6_TCPServer.__init__(self, server_address,
1269
RequestHandlerClass,
1270
interface = interface,
1271
use_ipv6 = use_ipv6)
776
1272
def server_activate(self):
777
1273
if self.enabled:
778
return super(IPv6_TCPServer, self).server_activate()
1274
return socketserver.TCPServer.server_activate(self)
779
1275
def enable(self):
780
1276
self.enabled = True
1277
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1278
# Call "handle_ipc" for both data and EOF events
1279
gobject.io_add_watch(child_pipe_fd.fileno(),
1280
gobject.IO_IN | gobject.IO_HUP,
1281
functools.partial(self.handle_ipc,
1282
reply = parent_pipe_fd,
1283
sender= child_pipe_fd))
1284
def handle_ipc(self, source, condition, reply=None, sender=None):
1285
condition_names = {
1286
gobject.IO_IN: u"IN", # There is data to read.
1287
gobject.IO_OUT: u"OUT", # Data can be written (without
1288
# blocking).
1289
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1290
gobject.IO_ERR: u"ERR", # Error condition.
1291
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1292
# broken, usually for pipes and
1293
# sockets).
1294
}
1295
conditions_string = ' | '.join(name
1296
for cond, name in
1297
condition_names.iteritems()
1298
if cond & condition)
1299
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1300
conditions_string)
1301
1302
# Read a line from the file object
1303
cmdline = sender.readline()
1304
if not cmdline: # Empty line means end of file
1305
# close the IPC pipes
1306
sender.close()
1307
reply.close()
1308
1309
# Stop calling this function
1310
return False
1311
1312
logger.debug(u"IPC command: %r", cmdline)
1313
1314
# Parse and act on command
1315
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1316
1317
if cmd == u"NOTFOUND":
1318
fpr, address = args.split(None, 1)
1319
logger.warning(u"Client not found for fingerprint: %s, ad"
1320
u"dress: %s", fpr, address)
1321
if self.use_dbus:
1322
# Emit D-Bus signal
1323
mandos_dbus_service.ClientNotFound(fpr, address)
1324
elif cmd == u"DISABLED":
1325
for client in self.clients:
1326
if client.name == args:
1327
logger.warning(u"Client %s is disabled", args)
1328
if self.use_dbus:
1329
# Emit D-Bus signal
1330
client.Rejected()
1331
break
1332
else:
1333
logger.error(u"Unknown client %s is disabled", args)
1334
elif cmd == u"SENDING":
1335
for client in self.clients:
1336
if client.name == args:
1337
logger.info(u"Sending secret to %s", client.name)
1338
client.checked_ok()
1339
if self.use_dbus:
1340
# Emit D-Bus signal
1341
client.GotSecret()
1342
break
1343
else:
1344
logger.error(u"Sending secret to unknown client %s",
1345
args)
1346
elif cmd == u"GETATTR":
1347
attr_name, fpr = args.split(None, 1)
1348
for client in self.clients:
1349
if client.fingerprint == fpr:
1350
attr_value = getattr(client, attr_name, None)
1351
logger.debug("IPC reply: %r", attr_value)
1352
pickle.dump(attr_value, reply)
1353
break
1354
else:
1355
logger.error(u"Client %s on address %s requesting "
1356
u"attribute %s not found", fpr, address,
1357
attr_name)
1358
pickle.dump(None, reply)
1359
else:
1360
logger.error(u"Unknown IPC command: %r", cmdline)
1361
1362
# Keep calling this function
1363
return True
781
1364
782
1365
783
1366
def string_to_delta(interval):
784
1367
"""Parse a string and return a datetime.timedelta
785
786
>>> string_to_delta('7d')
1368
1369
>>> string_to_delta(u'7d')
787
1370
datetime.timedelta(7)
788
>>> string_to_delta('60s')
1371
>>> string_to_delta(u'60s')
789
1372
datetime.timedelta(0, 60)
790
>>> string_to_delta('60m')
1373
>>> string_to_delta(u'60m')
791
1374
datetime.timedelta(0, 3600)
792
>>> string_to_delta('24h')
1375
>>> string_to_delta(u'24h')
793
1376
datetime.timedelta(1)
794
1377
>>> string_to_delta(u'1w')
795
1378
datetime.timedelta(7)
796
>>> string_to_delta('5m 30s')
1379
>>> string_to_delta(u'5m 30s')
797
1380
datetime.timedelta(0, 330)
798
1381
"""
799
1382
timevalue = datetime.timedelta(0)
812
1395
elif suffix == u"w":
813
1396
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
814
1397
else:
815
raise ValueError
816
except (ValueError, IndexError):
817
raise ValueError
1398
raise ValueError(u"Unknown suffix %r" % suffix)
1399
except (ValueError, IndexError), e:
1400
raise ValueError(e.message)
818
1401
timevalue += delta
819
1402
return timevalue
820
1403
821
1404
822
def server_state_changed(state):
823
"""Derived from the Avahi example code"""
824
if state == avahi.SERVER_COLLISION:
825
logger.error(u"Zeroconf server name collision")
826
service.remove()
827
elif state == avahi.SERVER_RUNNING:
828
service.add()
829
830
831
def entry_group_state_changed(state, error):
832
"""Derived from the Avahi example code"""
833
logger.debug(u"Avahi state change: %i", state)
834
835
if state == avahi.ENTRY_GROUP_ESTABLISHED:
836
logger.debug(u"Zeroconf service established.")
837
elif state == avahi.ENTRY_GROUP_COLLISION:
838
logger.warning(u"Zeroconf service name collision.")
839
service.rename()
840
elif state == avahi.ENTRY_GROUP_FAILURE:
841
logger.critical(u"Avahi: Error in group state changed %s",
842
unicode(error))
843
raise AvahiGroupError(u"State changed: %s" % unicode(error))
844
845
1405
def if_nametoindex(interface):
846
"""Call the C function if_nametoindex(), or equivalent"""
1406
"""Call the C function if_nametoindex(), or equivalent
1407
1408
Note: This function cannot accept a unicode string."""
847
1409
global if_nametoindex
848
1410
try:
849
1411
if_nametoindex = (ctypes.cdll.LoadLibrary
850
(ctypes.util.find_library("c"))
1412
(ctypes.util.find_library(u"c"))
851
1413
.if_nametoindex)
852
1414
except (OSError, AttributeError):
853
if "struct" not in sys.modules:
854
import struct
855
if "fcntl" not in sys.modules:
856
import fcntl
1415
logger.warning(u"Doing if_nametoindex the hard way")
857
1416
def if_nametoindex(interface):
858
1417
"Get an interface index the hard way, i.e. using fcntl()"
859
1418
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
860
with closing(socket.socket()) as s:
1419
with contextlib.closing(socket.socket()) as s:
861
1420
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
862
struct.pack("16s16x", interface))
863
interface_index = struct.unpack("I", ifreq[16:20])[0]
1421
struct.pack(str(u"16s16x"),
1422
interface))
1423
interface_index = struct.unpack(str(u"I"),
1424
ifreq[16:20])[0]
864
1425
return interface_index
865
1426
return if_nametoindex(interface)
866
1427
867
1428
868
1429
def daemon(nochdir = False, noclose = False):
869
1430
"""See daemon(3). Standard BSD Unix function.
1431
870
1432
This should really exist as os.daemon, but it doesn't (yet)."""
871
1433
if os.fork():
872
1434
sys.exit()
873
1435
os.setsid()
874
1436
if not nochdir:
875
os.chdir("/")
1437
os.chdir(u"/")
876
1438
if os.fork():
877
1439
sys.exit()
878
1440
if not noclose:
880
1442
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
881
1443
if not stat.S_ISCHR(os.fstat(null).st_mode):
882
1444
raise OSError(errno.ENODEV,
883
"/dev/null not a character device")
1445
u"%s not a character device"
1446
% os.path.devnull)
884
1447
os.dup2(null, sys.stdin.fileno())
885
1448
os.dup2(null, sys.stdout.fileno())
886
1449
os.dup2(null, sys.stderr.fileno())
889
1452
890
1453
891
1454
def main():
892
parser = OptionParser(version = "%%prog %s" % version)
893
parser.add_option("-i", "--interface", type="string",
894
metavar="IF", help="Bind to interface IF")
895
parser.add_option("-a", "--address", type="string",
896
help="Address to listen for requests on")
897
parser.add_option("-p", "--port", type="int",
898
help="Port number to receive requests on")
899
parser.add_option("--check", action="store_true",
900
help="Run self-test")
901
parser.add_option("--debug", action="store_true",
902
help="Debug mode; run in foreground and log to"
903
" terminal")
904
parser.add_option("--priority", type="string", help="GnuTLS"
905
" priority string (see GnuTLS documentation)")
906
parser.add_option("--servicename", type="string", metavar="NAME",
907
help="Zeroconf service name")
908
parser.add_option("--configdir", type="string",
909
default="/etc/mandos", metavar="DIR",
910
help="Directory to search for configuration"
911
" files")
912
parser.add_option("--no-dbus", action="store_false",
913
dest="use_dbus",
914
help="Do not provide D-Bus system bus"
915
" interface")
1455
1456
##################################################################
1457
# Parsing of options, both command line and config file
1458
1459
parser = optparse.OptionParser(version = "%%prog %s" % version)
1460
parser.add_option("-i", u"--interface", type=u"string",
1461
metavar="IF", help=u"Bind to interface IF")
1462
parser.add_option("-a", u"--address", type=u"string",
1463
help=u"Address to listen for requests on")
1464
parser.add_option("-p", u"--port", type=u"int",
1465
help=u"Port number to receive requests on")
1466
parser.add_option("--check", action=u"store_true",
1467
help=u"Run self-test")
1468
parser.add_option("--debug", action=u"store_true",
1469
help=u"Debug mode; run in foreground and log to"
1470
u" terminal")
1471
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1472
u" priority string (see GnuTLS documentation)")
1473
parser.add_option("--servicename", type=u"string",
1474
metavar=u"NAME", help=u"Zeroconf service name")
1475
parser.add_option("--configdir", type=u"string",
1476
default=u"/etc/mandos", metavar=u"DIR",
1477
help=u"Directory to search for configuration"
1478
u" files")
1479
parser.add_option("--no-dbus", action=u"store_false",
1480
dest=u"use_dbus", help=u"Do not provide D-Bus"
1481
u" system bus interface")
1482
parser.add_option("--no-ipv6", action=u"store_false",
1483
dest=u"use_ipv6", help=u"Do not use IPv6")
916
1484
options = parser.parse_args()[0]
917
1485
918
1486
if options.check:
921
1489
sys.exit()
922
1490
923
1491
# Default values for config file for server-global settings
924
server_defaults = { "interface": "",
925
"address": "",
926
"port": "",
927
"debug": "False",
928
"priority":
929
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
930
"servicename": "Mandos",
931
"use_dbus": "True",
1492
server_defaults = { u"interface": u"",
1493
u"address": u"",
1494
u"port": u"",
1495
u"debug": u"False",
1496
u"priority":
1497
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1498
u"servicename": u"Mandos",
1499
u"use_dbus": u"True",
1500
u"use_ipv6": u"True",
932
1501
}
933
1502
934
1503
# Parse config file for server-global settings
935
server_config = ConfigParser.SafeConfigParser(server_defaults)
1504
server_config = configparser.SafeConfigParser(server_defaults)
936
1505
del server_defaults
937
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1506
server_config.read(os.path.join(options.configdir,
1507
u"mandos.conf"))
938
1508
# Convert the SafeConfigParser object to a dict
939
1509
server_settings = server_config.defaults()
940
# Use getboolean on the boolean config options
941
server_settings["debug"] = (server_config.getboolean
942
("DEFAULT", "debug"))
943
server_settings["use_dbus"] = (server_config.getboolean
944
("DEFAULT", "use_dbus"))
1510
# Use the appropriate methods on the non-string config options
1511
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1512
server_settings[option] = server_config.getboolean(u"DEFAULT",
1513
option)
1514
if server_settings["port"]:
1515
server_settings["port"] = server_config.getint(u"DEFAULT",
1516
u"port")
945
1517
del server_config
946
1518
947
1519
# Override the settings from the config file with command line
948
1520
# options, if set.
949
for option in ("interface", "address", "port", "debug",
950
"priority", "servicename", "configdir",
951
"use_dbus"):
1521
for option in (u"interface", u"address", u"port", u"debug",
1522
u"priority", u"servicename", u"configdir",
1523
u"use_dbus", u"use_ipv6"):
952
1524
value = getattr(options, option)
953
1525
if value is not None:
954
1526
server_settings[option] = value
955
1527
del options
1528
# Force all strings to be unicode
1529
for option in server_settings.keys():
1530
if type(server_settings[option]) is str:
1531
server_settings[option] = unicode(server_settings[option])
956
1532
# Now we have our good server settings in "server_settings"
957
1533
1534
##################################################################
1535
958
1536
# For convenience
959
debug = server_settings["debug"]
960
use_dbus = server_settings["use_dbus"]
1537
debug = server_settings[u"debug"]
1538
use_dbus = server_settings[u"use_dbus"]
1539
use_ipv6 = server_settings[u"use_ipv6"]
961
1540
962
1541
if not debug:
963
1542
syslogger.setLevel(logging.WARNING)
964
1543
console.setLevel(logging.WARNING)
965
1544
966
if server_settings["servicename"] != "Mandos":
1545
if server_settings[u"servicename"] != u"Mandos":
967
1546
syslogger.setFormatter(logging.Formatter
968
('Mandos (%s): %%(levelname)s:'
969
' %%(message)s'
970
% server_settings["servicename"]))
1547
(u'Mandos (%s) [%%(process)d]:'
1548
u' %%(levelname)s: %%(message)s'
1549
% server_settings[u"servicename"]))
971
1550
972
1551
# Parse config file with clients
973
client_defaults = { "timeout": "1h",
974
"interval": "5m",
975
"checker": "fping -q -- %%(host)s",
976
"host": "",
1552
client_defaults = { u"timeout": u"1h",
1553
u"interval": u"5m",
1554
u"checker": u"fping -q -- %%(host)s",
1555
u"host": u"",
977
1556
}
978
client_config = ConfigParser.SafeConfigParser(client_defaults)
979
client_config.read(os.path.join(server_settings["configdir"],
980
"clients.conf"))
981
982
clients = Set()
983
tcp_server = IPv6_TCPServer((server_settings["address"],
984
server_settings["port"]),
985
TCP_handler,
986
settings=server_settings,
987
clients=clients)
988
pidfilename = "/var/run/mandos.pid"
989
try:
990
pidfile = open(pidfilename, "w")
991
except IOError, error:
992
logger.error("Could not open file %r", pidfilename)
993
994
try:
995
uid = pwd.getpwnam("_mandos").pw_uid
996
gid = pwd.getpwnam("_mandos").pw_gid
1557
client_config = configparser.SafeConfigParser(client_defaults)
1558
client_config.read(os.path.join(server_settings[u"configdir"],
1559
u"clients.conf"))
1560
1561
global mandos_dbus_service
1562
mandos_dbus_service = None
1563
1564
tcp_server = MandosServer((server_settings[u"address"],
1565
server_settings[u"port"]),
1566
ClientHandler,
1567
interface=server_settings[u"interface"],
1568
use_ipv6=use_ipv6,
1569
gnutls_priority=
1570
server_settings[u"priority"],
1571
use_dbus=use_dbus)
1572
pidfilename = u"/var/run/mandos.pid"
1573
try:
1574
pidfile = open(pidfilename, u"w")
1575
except IOError:
1576
logger.error(u"Could not open file %r", pidfilename)
1577
1578
try:
1579
uid = pwd.getpwnam(u"_mandos").pw_uid
1580
gid = pwd.getpwnam(u"_mandos").pw_gid
997
1581
except KeyError:
998
1582
try:
999
uid = pwd.getpwnam("mandos").pw_uid
1000
gid = pwd.getpwnam("mandos").pw_gid
1583
uid = pwd.getpwnam(u"mandos").pw_uid
1584
gid = pwd.getpwnam(u"mandos").pw_gid
1001
1585
except KeyError:
1002
1586
try:
1003
uid = pwd.getpwnam("nobody").pw_uid
1004
gid = pwd.getpwnam("nogroup").pw_gid
1587
uid = pwd.getpwnam(u"nobody").pw_uid
1588
gid = pwd.getpwnam(u"nobody").pw_gid
1005
1589
except KeyError:
1006
1590
uid = 65534
1007
1591
gid = 65534
1008
1592
try:
1593
os.setgid(gid)
1009
1594
os.setuid(uid)
1010
os.setgid(gid)
1011
1595
except OSError, error:
1012
1596
if error[0] != errno.EPERM:
1013
1597
raise error
1014
1598
1015
global service
1016
service = AvahiService(name = server_settings["servicename"],
1017
servicetype = "_mandos._tcp", )
1018
if server_settings["interface"]:
1019
service.interface = (if_nametoindex
1020
(server_settings["interface"]))
1599
# Enable all possible GnuTLS debugging
1600
if debug:
1601
# "Use a log level over 10 to enable all debugging options."
1602
# - GnuTLS manual
1603
gnutls.library.functions.gnutls_global_set_log_level(11)
1604
1605
@gnutls.library.types.gnutls_log_func
1606
def debug_gnutls(level, string):
1607
logger.debug(u"GnuTLS: %s", string[:-1])
1608
1609
(gnutls.library.functions
1610
.gnutls_global_set_log_function(debug_gnutls))
1021
1611
1022
1612
global main_loop
1023
global bus
1024
global server
1025
1613
# From the Avahi example code
1026
1614
DBusGMainLoop(set_as_default=True )
1027
1615
main_loop = gobject.MainLoop()
1028
1616
bus = dbus.SystemBus()
1029
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1030
avahi.DBUS_PATH_SERVER),
1031
avahi.DBUS_INTERFACE_SERVER)
1032
1617
# End of Avahi example code
1033
1618
if use_dbus:
1034
bus_name = dbus.service.BusName(u"org.mandos-system.Mandos",
1035
bus)
1619
try:
1620
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1621
bus, do_not_queue=True)
1622
except dbus.exceptions.NameExistsException, e:
1623
logger.error(unicode(e) + u", disabling D-Bus")
1624
use_dbus = False
1625
server_settings[u"use_dbus"] = False
1626
tcp_server.use_dbus = False
1627
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1628
service = AvahiService(name = server_settings[u"servicename"],
1629
servicetype = u"_mandos._tcp",
1630
protocol = protocol, bus = bus)
1631
if server_settings["interface"]:
1632
service.interface = (if_nametoindex
1633
(str(server_settings[u"interface"])))
1036
1634
1037
clients.update(Set(Client(name = section,
1038
config
1039
= dict(client_config.items(section)),
1040
use_dbus = use_dbus)
1041
for section in client_config.sections()))
1042
if not clients:
1635
client_class = Client
1636
if use_dbus:
1637
client_class = functools.partial(ClientDBus, bus = bus)
1638
tcp_server.clients.update(set(
1639
client_class(name = section,
1640
config= dict(client_config.items(section)))
1641
for section in client_config.sections()))
1642
if not tcp_server.clients:
1043
1643
logger.warning(u"No clients defined")
1044
1644
1045
1645
if debug:
1055
1655
daemon()
1056
1656
1057
1657
try:
1058
pid = os.getpid()
1059
pidfile.write(str(pid) + "\n")
1060
pidfile.close()
1658
with pidfile:
1659
pid = os.getpid()
1660
pidfile.write(str(pid) + "\n")
1061
1661
del pidfile
1062
1662
except IOError:
1063
1663
logger.error(u"Could not write to file %r with PID %d",
1067
1667
pass
1068
1668
del pidfilename
1069
1669
1070
def cleanup():
1071
"Cleanup function; run on exit"
1072
global group
1073
# From the Avahi example code
1074
if not group is None:
1075
group.Free()
1076
group = None
1077
# End of Avahi example code
1078
1079
while clients:
1080
client = clients.pop()
1081
client.disable_hook = None
1082
client.disable()
1083
1084
atexit.register(cleanup)
1085
1086
1670
if not debug:
1087
1671
signal.signal(signal.SIGINT, signal.SIG_IGN)
1088
1672
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1089
1673
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1090
1674
1091
1675
if use_dbus:
1092
class MandosServer(dbus.service.Object):
1676
class MandosDBusService(dbus.service.Object):
1093
1677
"""A D-Bus proxy object"""
1094
1678
def __init__(self):
1095
dbus.service.Object.__init__(self, bus,
1096
"/Mandos")
1097
_interface = u"org.mandos_system.Mandos"
1098
1099
@dbus.service.signal(_interface, signature="oa{sv}")
1100
def ClientAdded(self, objpath, properties):
1101
"D-Bus signal"
1102
pass
1103
1104
@dbus.service.signal(_interface, signature="o")
1105
def ClientRemoved(self, objpath):
1106
"D-Bus signal"
1107
pass
1108
1109
@dbus.service.method(_interface, out_signature="ao")
1679
dbus.service.Object.__init__(self, bus, u"/")
1680
_interface = u"se.bsnet.fukt.Mandos"
1681
1682
@dbus.service.signal(_interface, signature=u"o")
1683
def ClientAdded(self, objpath):
1684
"D-Bus signal"
1685
pass
1686
1687
@dbus.service.signal(_interface, signature=u"ss")
1688
def ClientNotFound(self, fingerprint, address):
1689
"D-Bus signal"
1690
pass
1691
1692
@dbus.service.signal(_interface, signature=u"os")
1693
def ClientRemoved(self, objpath, name):
1694
"D-Bus signal"
1695
pass
1696
1697
@dbus.service.method(_interface, out_signature=u"ao")
1110
1698
def GetAllClients(self):
1111
return dbus.Array(c.dbus_object_path for c in clients)
1112
1113
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1699
"D-Bus method"
1700
return dbus.Array(c.dbus_object_path
1701
for c in tcp_server.clients)
1702
1703
@dbus.service.method(_interface,
1704
out_signature=u"a{oa{sv}}")
1114
1705
def GetAllClientsWithProperties(self):
1706
"D-Bus method"
1115
1707
return dbus.Dictionary(
1116
((c.dbus_object_path, c.GetAllProperties())
1117
for c in clients),
1118
signature="oa{sv}")
1119
1120
@dbus.service.method(_interface, in_signature="o")
1708
((c.dbus_object_path, c.GetAll(u""))
1709
for c in tcp_server.clients),
1710
signature=u"oa{sv}")
1711
1712
@dbus.service.method(_interface, in_signature=u"o")
1121
1713
def RemoveClient(self, object_path):
1122
for c in clients:
1714
"D-Bus method"
1715
for c in tcp_server.clients:
1123
1716
if c.dbus_object_path == object_path:
1124
clients.remove(c)
1717
tcp_server.clients.remove(c)
1718
c.remove_from_connection()
1125
1719
# Don't signal anything except ClientRemoved
1126
c.use_dbus = False
1127
c.disable()
1720
c.disable(quiet=True)
1128
1721
# Emit D-Bus signal
1129
self.ClientRemoved(object_path)
1722
self.ClientRemoved(object_path, c.name)
1130
1723
return
1131
raise KeyError
1132
@dbus.service.method(_interface)
1133
def Quit(self):
1134
main_loop.quit()
1135
1724
raise KeyError(object_path)
1725
1136
1726
del _interface
1137
1138
mandos_server = MandosServer()
1139
1140
for client in clients:
1727
1728
mandos_dbus_service = MandosDBusService()
1729
1730
def cleanup():
1731
"Cleanup function; run on exit"
1732
service.cleanup()
1733
1734
while tcp_server.clients:
1735
client = tcp_server.clients.pop()
1736
if use_dbus:
1737
client.remove_from_connection()
1738
client.disable_hook = None
1739
# Don't signal anything except ClientRemoved
1740
client.disable(quiet=True)
1741
if use_dbus:
1742
# Emit D-Bus signal
1743
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1744
client.name)
1745
1746
atexit.register(cleanup)
1747
1748
for client in tcp_server.clients:
1141
1749
if use_dbus:
1142
1750
# Emit D-Bus signal
1143
mandos_server.ClientAdded(client.dbus_object_path,
1144
client.GetAllProperties())
1751
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1145
1752
client.enable()
1146
1753
1147
1754
tcp_server.enable()
1149
1756
1150
1757
# Find out what port we got
1151
1758
service.port = tcp_server.socket.getsockname()[1]
1152
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1153
u" scope_id %d" % tcp_server.socket.getsockname())
1759
if use_ipv6:
1760
logger.info(u"Now listening on address %r, port %d,"
1761
" flowinfo %d, scope_id %d"
1762
% tcp_server.socket.getsockname())
1763
else: # IPv4
1764
logger.info(u"Now listening on address %r, port %d"
1765
% tcp_server.socket.getsockname())
1154
1766
1155
1767
#service.interface = tcp_server.socket.getsockname()[3]
1156
1768
1157
1769
try:
1158
1770
# From the Avahi example code
1159
server.connect_to_signal("StateChanged", server_state_changed)
1160
1771
try:
1161
server_state_changed(server.GetState())
1772
service.activate()
1162
1773
except dbus.exceptions.DBusException, error:
1163
1774
logger.critical(u"DBusException: %s", error)
1775
cleanup()
1164
1776
sys.exit(1)
1165
1777
# End of Avahi example code
1166
1778
1173
1785
main_loop.run()
1174
1786
except AvahiError, error:
1175
1787
logger.critical(u"AvahiError: %s", error)
1788
cleanup()
1176
1789
sys.exit(1)
1177
1790
except KeyboardInterrupt:
1178
1791
if debug:
1179
print
1792
print >> sys.stderr
1793
logger.debug(u"Server received KeyboardInterrupt")
1794
logger.debug(u"Server exiting")
1795
# Must run before the D-Bus bus name gets deregistered
1796
cleanup()
1180
1797
1181
1798
if __name__ == '__main__':
1182
1799
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0