To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 416.1.2
- compare with another revision
- download diff
- download tarball
- view history from revision 416.1.2
- Committer: Teddy Hogeborn
- Date: 2010-06-19 00:37:04 UTC
- mto: (24.1.149 mandos)
- mto: This revision was merged to the branch mainline in revision 417.
- Revision ID: teddy@fukt.bsnet.se-20100619003704-vpicvssvv1ktg2om
* mandos (ClientHandler.handle): Set up the GnuTLS session object
before reading the protocol number.
(ClientHandler.handle/ProxyObject): New.
before reading the protocol number.
(ClientHandler.handle/ProxyObject): New.
- files added:
- dbus-mandos.conf
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer
36
import SocketServer as socketserver
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser
47
import ConfigParser as configparser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
53
52
import subprocess
54
53
import atexit
55
54
import stat
56
55
import logging
57
56
import logging.handlers
58
57
import pwd
59
from contextlib import closing
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import select
60
64
61
65
import dbus
62
66
import dbus.service
65
69
from dbus.mainloop.glib import DBusGMainLoop
66
70
import ctypes
67
71
import ctypes.util
68
69
version = "1.0.5"
70
71
logger = logging.Logger('mandos')
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
logger = logging.Logger(u'mandos')
72
87
syslogger = (logging.handlers.SysLogHandler
73
88
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
89
address = "/dev/log"))
75
90
syslogger.setFormatter(logging.Formatter
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
91
(u'Mandos [%(process)d]: %(levelname)s:'
92
u' %(message)s'))
78
93
logger.addHandler(syslogger)
79
94
80
95
console = logging.StreamHandler()
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
96
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
97
u' %(levelname)s:'
98
u' %(message)s'))
83
99
logger.addHandler(console)
84
100
85
101
class AvahiError(Exception):
98
114
99
115
class AvahiService(object):
100
116
"""An Avahi (Zeroconf) service.
117
101
118
Attributes:
102
119
interface: integer; avahi.IF_UNSPEC or an interface index.
103
120
Used to optionally bind to the specified interface.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
121
name: string; Example: u'Mandos'
122
type: string; Example: u'_mandos._tcp'.
106
123
See <http://www.dns-sd.org/ServiceTypes.html>
107
124
port: integer; what port to announce
108
125
TXT: list of strings; TXT record for the service
111
128
max_renames: integer; maximum number of renames
112
129
rename_count: integer; counter so we only rename after collisions
113
130
a sensible number of times
131
group: D-Bus Entry Group
132
server: D-Bus Server
133
bus: dbus.SystemBus()
114
134
"""
115
135
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
136
servicetype = None, port = None, TXT = None,
117
domain = "", host = "", max_renames = 32768):
137
domain = u"", host = u"", max_renames = 32768,
138
protocol = avahi.PROTO_UNSPEC, bus = None):
118
139
self.interface = interface
119
140
self.name = name
120
141
self.type = servicetype
124
145
self.host = host
125
146
self.rename_count = 0
126
147
self.max_renames = max_renames
148
self.protocol = protocol
149
self.group = None # our entry group
150
self.server = None
151
self.bus = bus
127
152
def rename(self):
128
153
"""Derived from the Avahi example code"""
129
154
if self.rename_count >= self.max_renames:
131
156
u" after %i retries, exiting.",
132
157
self.rename_count)
133
158
raise AvahiServiceError(u"Too many renames")
134
self.name = server.GetAlternativeServiceName(self.name)
159
self.name = self.server.GetAlternativeServiceName(self.name)
135
160
logger.info(u"Changing Zeroconf service name to %r ...",
136
str(self.name))
161
unicode(self.name))
137
162
syslogger.setFormatter(logging.Formatter
138
('Mandos (%s): %%(levelname)s:'
139
' %%(message)s' % self.name))
163
(u'Mandos (%s) [%%(process)d]:'
164
u' %%(levelname)s: %%(message)s'
165
% self.name))
140
166
self.remove()
141
167
self.add()
142
168
self.rename_count += 1
143
169
def remove(self):
144
170
"""Derived from the Avahi example code"""
145
if group is not None:
146
group.Reset()
171
if self.group is not None:
172
self.group.Reset()
147
173
def add(self):
148
174
"""Derived from the Avahi example code"""
149
global group
150
if group is None:
151
group = dbus.Interface(bus.get_object
152
(avahi.DBUS_NAME,
153
server.EntryGroupNew()),
154
avahi.DBUS_INTERFACE_ENTRY_GROUP)
155
group.connect_to_signal('StateChanged',
156
entry_group_state_changed)
175
if self.group is None:
176
self.group = dbus.Interface(
177
self.bus.get_object(avahi.DBUS_NAME,
178
self.server.EntryGroupNew()),
179
avahi.DBUS_INTERFACE_ENTRY_GROUP)
180
self.group.connect_to_signal('StateChanged',
181
self
182
.entry_group_state_changed)
157
183
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
158
service.name, service.type)
159
group.AddService(
160
self.interface, # interface
161
avahi.PROTO_INET6, # protocol
162
dbus.UInt32(0), # flags
163
self.name, self.type,
164
self.domain, self.host,
165
dbus.UInt16(self.port),
166
avahi.string_array_to_txt_array(self.TXT))
167
group.Commit()
168
169
# From the Avahi example code:
170
group = None # our entry group
171
# End of Avahi example code
172
173
174
def _datetime_to_dbus(dt, variant_level=0):
175
"""Convert a UTC datetime.datetime() to a D-Bus type."""
176
return dbus.String(dt.isoformat(), variant_level=variant_level)
177
178
179
class Client(dbus.service.Object):
184
self.name, self.type)
185
self.group.AddService(
186
self.interface,
187
self.protocol,
188
dbus.UInt32(0), # flags
189
self.name, self.type,
190
self.domain, self.host,
191
dbus.UInt16(self.port),
192
avahi.string_array_to_txt_array(self.TXT))
193
self.group.Commit()
194
def entry_group_state_changed(self, state, error):
195
"""Derived from the Avahi example code"""
196
logger.debug(u"Avahi state change: %i", state)
197
198
if state == avahi.ENTRY_GROUP_ESTABLISHED:
199
logger.debug(u"Zeroconf service established.")
200
elif state == avahi.ENTRY_GROUP_COLLISION:
201
logger.warning(u"Zeroconf service name collision.")
202
self.rename()
203
elif state == avahi.ENTRY_GROUP_FAILURE:
204
logger.critical(u"Avahi: Error in group state changed %s",
205
unicode(error))
206
raise AvahiGroupError(u"State changed: %s"
207
% unicode(error))
208
def cleanup(self):
209
"""Derived from the Avahi example code"""
210
if self.group is not None:
211
self.group.Free()
212
self.group = None
213
def server_state_changed(self, state):
214
"""Derived from the Avahi example code"""
215
if state == avahi.SERVER_COLLISION:
216
logger.error(u"Zeroconf server name collision")
217
self.remove()
218
elif state == avahi.SERVER_RUNNING:
219
self.add()
220
def activate(self):
221
"""Derived from the Avahi example code"""
222
if self.server is None:
223
self.server = dbus.Interface(
224
self.bus.get_object(avahi.DBUS_NAME,
225
avahi.DBUS_PATH_SERVER),
226
avahi.DBUS_INTERFACE_SERVER)
227
self.server.connect_to_signal(u"StateChanged",
228
self.server_state_changed)
229
self.server_state_changed(self.server.GetState())
230
231
232
class Client(object):
180
233
"""A representation of a client host served by this server.
234
181
235
Attributes:
182
236
name: string; from the config file, used in log messages and
183
237
D-Bus identifiers
190
244
enabled: bool()
191
245
last_checked_ok: datetime.datetime(); (UTC) or None
192
246
timeout: datetime.timedelta(); How long from last_checked_ok
193
until this client is invalid
247
until this client is disabled
194
248
interval: datetime.timedelta(); How often to start a new checker
195
249
disable_hook: If set, called by disable() as disable_hook(self)
196
250
checker: subprocess.Popen(); a running checker process used
197
251
to see if the client lives.
198
252
'None' if no process is running.
199
253
checker_initiator_tag: a gobject event source tag, or None
200
disable_initiator_tag: - '' -
254
disable_initiator_tag: - '' -
201
255
checker_callback_tag: - '' -
202
256
checker_command: string; External command which is run to check if
203
257
client lives. %() expansions are done at
204
258
runtime with vars(self) as dict, so that for
205
259
instance %(name)s can be used in the command.
206
use_dbus: bool(); Whether to provide D-Bus interface and signals
207
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
260
current_checker_command: string; current running checker_command
208
261
"""
262
263
@staticmethod
264
def _timedelta_to_milliseconds(td):
265
"Convert a datetime.timedelta() to milliseconds"
266
return ((td.days * 24 * 60 * 60 * 1000)
267
+ (td.seconds * 1000)
268
+ (td.microseconds // 1000))
269
209
270
def timeout_milliseconds(self):
210
271
"Return the 'timeout' attribute in milliseconds"
211
return ((self.timeout.days * 24 * 60 * 60 * 1000)
212
+ (self.timeout.seconds * 1000)
213
+ (self.timeout.microseconds // 1000))
272
return self._timedelta_to_milliseconds(self.timeout)
214
273
215
274
def interval_milliseconds(self):
216
275
"Return the 'interval' attribute in milliseconds"
217
return ((self.interval.days * 24 * 60 * 60 * 1000)
218
+ (self.interval.seconds * 1000)
219
+ (self.interval.microseconds // 1000))
276
return self._timedelta_to_milliseconds(self.interval)
220
277
221
def __init__(self, name = None, disable_hook=None, config=None,
222
use_dbus=True):
278
def __init__(self, name = None, disable_hook=None, config=None):
223
279
"""Note: the 'checker' key in 'config' sets the
224
280
'checker_command' attribute and *not* the 'checker'
225
281
attribute."""
227
283
if config is None:
228
284
config = {}
229
285
logger.debug(u"Creating client %r", self.name)
230
self.use_dbus = False # During __init__
231
286
# Uppercase and remove spaces from fingerprint for later
232
287
# comparison purposes with return value from the fingerprint()
233
288
# function
234
self.fingerprint = (config["fingerprint"].upper()
289
self.fingerprint = (config[u"fingerprint"].upper()
235
290
.replace(u" ", u""))
236
291
logger.debug(u" Fingerprint: %s", self.fingerprint)
237
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
239
elif "secfile" in config:
240
with closing(open(os.path.expanduser
241
(os.path.expandvars
242
(config["secfile"])))) as secfile:
292
if u"secret" in config:
293
self.secret = config[u"secret"].decode(u"base64")
294
elif u"secfile" in config:
295
with open(os.path.expanduser(os.path.expandvars
296
(config[u"secfile"])),
297
"rb") as secfile:
243
298
self.secret = secfile.read()
244
299
else:
245
300
raise TypeError(u"No secret or secfile for client %s"
246
301
% self.name)
247
self.host = config.get("host", "")
302
self.host = config.get(u"host", u"")
248
303
self.created = datetime.datetime.utcnow()
249
304
self.enabled = False
250
305
self.last_enabled = None
251
306
self.last_checked_ok = None
252
self.timeout = string_to_delta(config["timeout"])
253
self.interval = string_to_delta(config["interval"])
307
self.timeout = string_to_delta(config[u"timeout"])
308
self.interval = string_to_delta(config[u"interval"])
254
309
self.disable_hook = disable_hook
255
310
self.checker = None
256
311
self.checker_initiator_tag = None
257
312
self.disable_initiator_tag = None
258
313
self.checker_callback_tag = None
259
self.checker_command = config["checker"]
314
self.checker_command = config[u"checker"]
315
self.current_checker_command = None
260
316
self.last_connect = None
261
# Only now, when this client is initialized, can it show up on
262
# the D-Bus
263
self.use_dbus = use_dbus
264
if self.use_dbus:
265
self.dbus_object_path = (dbus.ObjectPath
266
("/clients/"
267
+ self.name.replace(".", "_")))
268
dbus.service.Object.__init__(self, bus,
269
self.dbus_object_path)
270
317
271
318
def enable(self):
272
319
"""Start this client's checker and timeout hooks"""
320
if getattr(self, u"enabled", False):
321
# Already enabled
322
return
273
323
self.last_enabled = datetime.datetime.utcnow()
274
324
# Schedule a new checker to be started an 'interval' from now,
275
325
# and every interval from then on.
276
326
self.checker_initiator_tag = (gobject.timeout_add
277
327
(self.interval_milliseconds(),
278
328
self.start_checker))
279
# Also start a new checker *right now*.
280
self.start_checker()
281
329
# Schedule a disable() when 'timeout' has passed
282
330
self.disable_initiator_tag = (gobject.timeout_add
283
331
(self.timeout_milliseconds(),
284
332
self.disable))
285
333
self.enabled = True
286
if self.use_dbus:
287
# Emit D-Bus signals
288
self.PropertyChanged(dbus.String(u"enabled"),
289
dbus.Boolean(True, variant_level=1))
290
self.PropertyChanged(dbus.String(u"last_enabled"),
291
(_datetime_to_dbus(self.last_enabled,
292
variant_level=1)))
334
# Also start a new checker *right now*.
335
self.start_checker()
293
336
294
def disable(self):
337
def disable(self, quiet=True):
295
338
"""Disable this client."""
296
339
if not getattr(self, "enabled", False):
297
340
return False
298
logger.info(u"Disabling client %s", self.name)
299
if getattr(self, "disable_initiator_tag", False):
341
if not quiet:
342
logger.info(u"Disabling client %s", self.name)
343
if getattr(self, u"disable_initiator_tag", False):
300
344
gobject.source_remove(self.disable_initiator_tag)
301
345
self.disable_initiator_tag = None
302
if getattr(self, "checker_initiator_tag", False):
346
if getattr(self, u"checker_initiator_tag", False):
303
347
gobject.source_remove(self.checker_initiator_tag)
304
348
self.checker_initiator_tag = None
305
349
self.stop_checker()
306
350
if self.disable_hook:
307
351
self.disable_hook(self)
308
352
self.enabled = False
309
if self.use_dbus:
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"enabled"),
312
dbus.Boolean(False, variant_level=1))
313
353
# Do not run this again if called by a gobject.timeout_add
314
354
return False
315
355
321
361
"""The checker has completed, so take appropriate actions."""
322
362
self.checker_callback_tag = None
323
363
self.checker = None
324
if self.use_dbus:
325
# Emit D-Bus signal
326
self.PropertyChanged(dbus.String(u"checker_running"),
327
dbus.Boolean(False, variant_level=1))
328
364
if os.WIFEXITED(condition):
329
365
exitstatus = os.WEXITSTATUS(condition)
330
366
if exitstatus == 0:
334
370
else:
335
371
logger.info(u"Checker for %(name)s failed",
336
372
vars(self))
337
if self.use_dbus:
338
# Emit D-Bus signal
339
self.CheckerCompleted(dbus.Int16(exitstatus),
340
dbus.Int64(condition),
341
dbus.String(command))
342
373
else:
343
374
logger.warning(u"Checker for %(name)s crashed?",
344
375
vars(self))
345
if self.use_dbus:
346
# Emit D-Bus signal
347
self.CheckerCompleted(dbus.Int16(-1),
348
dbus.Int64(condition),
349
dbus.String(command))
350
376
351
377
def checked_ok(self):
352
378
"""Bump up the timeout for this client.
379
353
380
This should only be called when the client has been seen,
354
381
alive and well.
355
382
"""
358
385
self.disable_initiator_tag = (gobject.timeout_add
359
386
(self.timeout_milliseconds(),
360
387
self.disable))
361
if self.use_dbus:
362
# Emit D-Bus signal
363
self.PropertyChanged(
364
dbus.String(u"last_checked_ok"),
365
(_datetime_to_dbus(self.last_checked_ok,
366
variant_level=1)))
367
388
368
389
def start_checker(self):
369
390
"""Start a new checker subprocess if one is not running.
391
370
392
If a checker already exists, leave it running and do
371
393
nothing."""
372
394
# The reason for not killing a running checker is that if we
375
397
# client would inevitably timeout, since no checker would get
376
398
# a chance to run to completion. If we instead leave running
377
399
# checkers alone, the checker would have to take more time
378
# than 'timeout' for the client to be declared invalid, which
379
# is as it should be.
400
# than 'timeout' for the client to be disabled, which is as it
401
# should be.
402
403
# If a checker exists, make sure it is not a zombie
404
try:
405
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
406
except (AttributeError, OSError), error:
407
if (isinstance(error, OSError)
408
and error.errno != errno.ECHILD):
409
raise error
410
else:
411
if pid:
412
logger.warning(u"Checker was a zombie")
413
gobject.source_remove(self.checker_callback_tag)
414
self.checker_callback(pid, status,
415
self.current_checker_command)
416
# Start a new checker if needed
380
417
if self.checker is None:
381
418
try:
382
419
# In case checker_command has exactly one % operator
383
420
command = self.checker_command % self.host
384
421
except TypeError:
385
422
# Escape attributes for the shell
386
escaped_attrs = dict((key, re.escape(str(val)))
423
escaped_attrs = dict((key,
424
re.escape(unicode(str(val),
425
errors=
426
u'replace')))
387
427
for key, val in
388
428
vars(self).iteritems())
389
429
try:
392
432
logger.error(u'Could not format string "%s":'
393
433
u' %s', self.checker_command, error)
394
434
return True # Try again later
435
self.current_checker_command = command
395
436
try:
396
437
logger.info(u"Starting checker %r for %s",
397
438
command, self.name)
401
442
# always replaced by /dev/null.)
402
443
self.checker = subprocess.Popen(command,
403
444
close_fds=True,
404
shell=True, cwd="/")
405
if self.use_dbus:
406
# Emit D-Bus signal
407
self.CheckerStarted(command)
408
self.PropertyChanged(
409
dbus.String("checker_running"),
410
dbus.Boolean(True, variant_level=1))
445
shell=True, cwd=u"/")
411
446
self.checker_callback_tag = (gobject.child_watch_add
412
447
(self.checker.pid,
413
448
self.checker_callback,
414
449
data=command))
450
# The checker may have completed before the gobject
451
# watch was added. Check for this.
452
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
453
if pid:
454
gobject.source_remove(self.checker_callback_tag)
455
self.checker_callback(pid, status, command)
415
456
except OSError, error:
416
457
logger.error(u"Failed to start subprocess: %s",
417
458
error)
423
464
if self.checker_callback_tag:
424
465
gobject.source_remove(self.checker_callback_tag)
425
466
self.checker_callback_tag = None
426
if getattr(self, "checker", None) is None:
467
if getattr(self, u"checker", None) is None:
427
468
return
428
469
logger.debug(u"Stopping checker for %(name)s", vars(self))
429
470
try:
430
471
os.kill(self.checker.pid, signal.SIGTERM)
431
#os.sleep(0.5)
472
#time.sleep(0.5)
432
473
#if self.checker.poll() is None:
433
474
# os.kill(self.checker.pid, signal.SIGKILL)
434
475
except OSError, error:
435
476
if error.errno != errno.ESRCH: # No such process
436
477
raise
437
478
self.checker = None
438
if self.use_dbus:
479
480
481
def dbus_service_property(dbus_interface, signature=u"v",
482
access=u"readwrite", byte_arrays=False):
483
"""Decorators for marking methods of a DBusObjectWithProperties to
484
become properties on the D-Bus.
485
486
The decorated method will be called with no arguments by "Get"
487
and with one argument by "Set".
488
489
The parameters, where they are supported, are the same as
490
dbus.service.method, except there is only "signature", since the
491
type from Get() and the type sent to Set() is the same.
492
"""
493
# Encoding deeply encoded byte arrays is not supported yet by the
494
# "Set" method, so we fail early here:
495
if byte_arrays and signature != u"ay":
496
raise ValueError(u"Byte arrays not supported for non-'ay'"
497
u" signature %r" % signature)
498
def decorator(func):
499
func._dbus_is_property = True
500
func._dbus_interface = dbus_interface
501
func._dbus_signature = signature
502
func._dbus_access = access
503
func._dbus_name = func.__name__
504
if func._dbus_name.endswith(u"_dbus_property"):
505
func._dbus_name = func._dbus_name[:-14]
506
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
507
return func
508
return decorator
509
510
511
class DBusPropertyException(dbus.exceptions.DBusException):
512
"""A base class for D-Bus property-related exceptions
513
"""
514
def __unicode__(self):
515
return unicode(str(self))
516
517
518
class DBusPropertyAccessException(DBusPropertyException):
519
"""A property's access permissions disallows an operation.
520
"""
521
pass
522
523
524
class DBusPropertyNotFound(DBusPropertyException):
525
"""An attempt was made to access a non-existing property.
526
"""
527
pass
528
529
530
class DBusObjectWithProperties(dbus.service.Object):
531
"""A D-Bus object with properties.
532
533
Classes inheriting from this can use the dbus_service_property
534
decorator to expose methods as D-Bus properties. It exposes the
535
standard Get(), Set(), and GetAll() methods on the D-Bus.
536
"""
537
538
@staticmethod
539
def _is_dbus_property(obj):
540
return getattr(obj, u"_dbus_is_property", False)
541
542
def _get_all_dbus_properties(self):
543
"""Returns a generator of (name, attribute) pairs
544
"""
545
return ((prop._dbus_name, prop)
546
for name, prop in
547
inspect.getmembers(self, self._is_dbus_property))
548
549
def _get_dbus_property(self, interface_name, property_name):
550
"""Returns a bound method if one exists which is a D-Bus
551
property with the specified name and interface.
552
"""
553
for name in (property_name,
554
property_name + u"_dbus_property"):
555
prop = getattr(self, name, None)
556
if (prop is None
557
or not self._is_dbus_property(prop)
558
or prop._dbus_name != property_name
559
or (interface_name and prop._dbus_interface
560
and interface_name != prop._dbus_interface)):
561
continue
562
return prop
563
# No such property
564
raise DBusPropertyNotFound(self.dbus_object_path + u":"
565
+ interface_name + u"."
566
+ property_name)
567
568
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
569
out_signature=u"v")
570
def Get(self, interface_name, property_name):
571
"""Standard D-Bus property Get() method, see D-Bus standard.
572
"""
573
prop = self._get_dbus_property(interface_name, property_name)
574
if prop._dbus_access == u"write":
575
raise DBusPropertyAccessException(property_name)
576
value = prop()
577
if not hasattr(value, u"variant_level"):
578
return value
579
return type(value)(value, variant_level=value.variant_level+1)
580
581
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
582
def Set(self, interface_name, property_name, value):
583
"""Standard D-Bus property Set() method, see D-Bus standard.
584
"""
585
prop = self._get_dbus_property(interface_name, property_name)
586
if prop._dbus_access == u"read":
587
raise DBusPropertyAccessException(property_name)
588
if prop._dbus_get_args_options[u"byte_arrays"]:
589
# The byte_arrays option is not supported yet on
590
# signatures other than "ay".
591
if prop._dbus_signature != u"ay":
592
raise ValueError
593
value = dbus.ByteArray(''.join(unichr(byte)
594
for byte in value))
595
prop(value)
596
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
598
out_signature=u"a{sv}")
599
def GetAll(self, interface_name):
600
"""Standard D-Bus property GetAll() method, see D-Bus
601
standard.
602
603
Note: Will not include properties with access="write".
604
"""
605
all = {}
606
for name, prop in self._get_all_dbus_properties():
607
if (interface_name
608
and interface_name != prop._dbus_interface):
609
# Interface non-empty but did not match
610
continue
611
# Ignore write-only properties
612
if prop._dbus_access == u"write":
613
continue
614
value = prop()
615
if not hasattr(value, u"variant_level"):
616
all[name] = value
617
continue
618
all[name] = type(value)(value, variant_level=
619
value.variant_level+1)
620
return dbus.Dictionary(all, signature=u"sv")
621
622
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
623
out_signature=u"s",
624
path_keyword='object_path',
625
connection_keyword='connection')
626
def Introspect(self, object_path, connection):
627
"""Standard D-Bus method, overloaded to insert property tags.
628
"""
629
xmlstring = dbus.service.Object.Introspect(self, object_path,
630
connection)
631
try:
632
document = xml.dom.minidom.parseString(xmlstring)
633
def make_tag(document, name, prop):
634
e = document.createElement(u"property")
635
e.setAttribute(u"name", name)
636
e.setAttribute(u"type", prop._dbus_signature)
637
e.setAttribute(u"access", prop._dbus_access)
638
return e
639
for if_tag in document.getElementsByTagName(u"interface"):
640
for tag in (make_tag(document, name, prop)
641
for name, prop
642
in self._get_all_dbus_properties()
643
if prop._dbus_interface
644
== if_tag.getAttribute(u"name")):
645
if_tag.appendChild(tag)
646
# Add the names to the return values for the
647
# "org.freedesktop.DBus.Properties" methods
648
if (if_tag.getAttribute(u"name")
649
== u"org.freedesktop.DBus.Properties"):
650
for cn in if_tag.getElementsByTagName(u"method"):
651
if cn.getAttribute(u"name") == u"Get":
652
for arg in cn.getElementsByTagName(u"arg"):
653
if (arg.getAttribute(u"direction")
654
== u"out"):
655
arg.setAttribute(u"name", u"value")
656
elif cn.getAttribute(u"name") == u"GetAll":
657
for arg in cn.getElementsByTagName(u"arg"):
658
if (arg.getAttribute(u"direction")
659
== u"out"):
660
arg.setAttribute(u"name", u"props")
661
xmlstring = document.toxml(u"utf-8")
662
document.unlink()
663
except (AttributeError, xml.dom.DOMException,
664
xml.parsers.expat.ExpatError), error:
665
logger.error(u"Failed to override Introspection method",
666
error)
667
return xmlstring
668
669
670
class ClientDBus(Client, DBusObjectWithProperties):
671
"""A Client class using D-Bus
672
673
Attributes:
674
dbus_object_path: dbus.ObjectPath
675
bus: dbus.SystemBus()
676
"""
677
# dbus.service.Object doesn't use super(), so we can't either.
678
679
def __init__(self, bus = None, *args, **kwargs):
680
self.bus = bus
681
Client.__init__(self, *args, **kwargs)
682
# Only now, when this client is initialized, can it show up on
683
# the D-Bus
684
self.dbus_object_path = (dbus.ObjectPath
685
(u"/clients/"
686
+ self.name.replace(u".", u"_")))
687
DBusObjectWithProperties.__init__(self, self.bus,
688
self.dbus_object_path)
689
690
@staticmethod
691
def _datetime_to_dbus(dt, variant_level=0):
692
"""Convert a UTC datetime.datetime() to a D-Bus type."""
693
return dbus.String(dt.isoformat(),
694
variant_level=variant_level)
695
696
def enable(self):
697
oldstate = getattr(self, u"enabled", False)
698
r = Client.enable(self)
699
if oldstate != self.enabled:
700
# Emit D-Bus signals
701
self.PropertyChanged(dbus.String(u"enabled"),
702
dbus.Boolean(True, variant_level=1))
703
self.PropertyChanged(
704
dbus.String(u"last_enabled"),
705
self._datetime_to_dbus(self.last_enabled,
706
variant_level=1))
707
return r
708
709
def disable(self, quiet = False):
710
oldstate = getattr(self, u"enabled", False)
711
r = Client.disable(self, quiet=quiet)
712
if not quiet and oldstate != self.enabled:
713
# Emit D-Bus signal
714
self.PropertyChanged(dbus.String(u"enabled"),
715
dbus.Boolean(False, variant_level=1))
716
return r
717
718
def __del__(self, *args, **kwargs):
719
try:
720
self.remove_from_connection()
721
except LookupError:
722
pass
723
if hasattr(DBusObjectWithProperties, u"__del__"):
724
DBusObjectWithProperties.__del__(self, *args, **kwargs)
725
Client.__del__(self, *args, **kwargs)
726
727
def checker_callback(self, pid, condition, command,
728
*args, **kwargs):
729
self.checker_callback_tag = None
730
self.checker = None
731
# Emit D-Bus signal
732
self.PropertyChanged(dbus.String(u"checker_running"),
733
dbus.Boolean(False, variant_level=1))
734
if os.WIFEXITED(condition):
735
exitstatus = os.WEXITSTATUS(condition)
736
# Emit D-Bus signal
737
self.CheckerCompleted(dbus.Int16(exitstatus),
738
dbus.Int64(condition),
739
dbus.String(command))
740
else:
741
# Emit D-Bus signal
742
self.CheckerCompleted(dbus.Int16(-1),
743
dbus.Int64(condition),
744
dbus.String(command))
745
746
return Client.checker_callback(self, pid, condition, command,
747
*args, **kwargs)
748
749
def checked_ok(self, *args, **kwargs):
750
r = Client.checked_ok(self, *args, **kwargs)
751
# Emit D-Bus signal
752
self.PropertyChanged(
753
dbus.String(u"last_checked_ok"),
754
(self._datetime_to_dbus(self.last_checked_ok,
755
variant_level=1)))
756
return r
757
758
def start_checker(self, *args, **kwargs):
759
old_checker = self.checker
760
if self.checker is not None:
761
old_checker_pid = self.checker.pid
762
else:
763
old_checker_pid = None
764
r = Client.start_checker(self, *args, **kwargs)
765
# Only if new checker process was started
766
if (self.checker is not None
767
and old_checker_pid != self.checker.pid):
768
# Emit D-Bus signal
769
self.CheckerStarted(self.current_checker_command)
770
self.PropertyChanged(
771
dbus.String(u"checker_running"),
772
dbus.Boolean(True, variant_level=1))
773
return r
774
775
def stop_checker(self, *args, **kwargs):
776
old_checker = getattr(self, u"checker", None)
777
r = Client.stop_checker(self, *args, **kwargs)
778
if (old_checker is not None
779
and getattr(self, u"checker", None) is None):
439
780
self.PropertyChanged(dbus.String(u"checker_running"),
440
781
dbus.Boolean(False, variant_level=1))
441
442
def still_valid(self):
443
"""Has the timeout not yet passed for this client?"""
444
if not getattr(self, "enabled", False):
445
return False
446
now = datetime.datetime.utcnow()
447
if self.last_checked_ok is None:
448
return now < (self.created + self.timeout)
449
else:
450
return now < (self.last_checked_ok + self.timeout)
451
452
## D-Bus methods & signals
782
return r
783
784
## D-Bus methods, signals & properties
453
785
_interface = u"se.bsnet.fukt.Mandos.Client"
454
786
455
# CheckedOK - method
456
CheckedOK = dbus.service.method(_interface)(checked_ok)
457
CheckedOK.__name__ = "CheckedOK"
787
## Signals
458
788
459
789
# CheckerCompleted - signal
460
@dbus.service.signal(_interface, signature="nxs")
790
@dbus.service.signal(_interface, signature=u"nxs")
461
791
def CheckerCompleted(self, exitcode, waitstatus, command):
462
792
"D-Bus signal"
463
793
pass
464
794
465
795
# CheckerStarted - signal
466
@dbus.service.signal(_interface, signature="s")
796
@dbus.service.signal(_interface, signature=u"s")
467
797
def CheckerStarted(self, command):
468
798
"D-Bus signal"
469
799
pass
470
800
471
# GetAllProperties - method
472
@dbus.service.method(_interface, out_signature="a{sv}")
473
def GetAllProperties(self):
474
"D-Bus method"
475
return dbus.Dictionary({
476
dbus.String("name"):
477
dbus.String(self.name, variant_level=1),
478
dbus.String("fingerprint"):
479
dbus.String(self.fingerprint, variant_level=1),
480
dbus.String("host"):
481
dbus.String(self.host, variant_level=1),
482
dbus.String("created"):
483
_datetime_to_dbus(self.created, variant_level=1),
484
dbus.String("last_enabled"):
485
(_datetime_to_dbus(self.last_enabled,
486
variant_level=1)
487
if self.last_enabled is not None
488
else dbus.Boolean(False, variant_level=1)),
489
dbus.String("enabled"):
490
dbus.Boolean(self.enabled, variant_level=1),
491
dbus.String("last_checked_ok"):
492
(_datetime_to_dbus(self.last_checked_ok,
493
variant_level=1)
494
if self.last_checked_ok is not None
495
else dbus.Boolean (False, variant_level=1)),
496
dbus.String("timeout"):
497
dbus.UInt64(self.timeout_milliseconds(),
498
variant_level=1),
499
dbus.String("interval"):
500
dbus.UInt64(self.interval_milliseconds(),
501
variant_level=1),
502
dbus.String("checker"):
503
dbus.String(self.checker_command,
504
variant_level=1),
505
dbus.String("checker_running"):
506
dbus.Boolean(self.checker is not None,
507
variant_level=1),
508
dbus.String("object_path"):
509
dbus.ObjectPath(self.dbus_object_path,
510
variant_level=1)
511
}, signature="sv")
512
513
# IsStillValid - method
514
IsStillValid = (dbus.service.method(_interface, out_signature="b")
515
(still_valid))
516
IsStillValid.__name__ = "IsStillValid"
517
518
801
# PropertyChanged - signal
519
@dbus.service.signal(_interface, signature="sv")
802
@dbus.service.signal(_interface, signature=u"sv")
520
803
def PropertyChanged(self, property, value):
521
804
"D-Bus signal"
522
805
pass
523
806
524
# SetChecker - method
525
@dbus.service.method(_interface, in_signature="s")
526
def SetChecker(self, checker):
527
"D-Bus setter method"
528
self.checker_command = checker
529
# Emit D-Bus signal
530
self.PropertyChanged(dbus.String(u"checker"),
531
dbus.String(self.checker_command,
532
variant_level=1))
533
534
# SetHost - method
535
@dbus.service.method(_interface, in_signature="s")
536
def SetHost(self, host):
537
"D-Bus setter method"
538
self.host = host
539
# Emit D-Bus signal
540
self.PropertyChanged(dbus.String(u"host"),
541
dbus.String(self.host, variant_level=1))
542
543
# SetInterval - method
544
@dbus.service.method(_interface, in_signature="t")
545
def SetInterval(self, milliseconds):
546
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
547
# Emit D-Bus signal
548
self.PropertyChanged(dbus.String(u"interval"),
549
(dbus.UInt64(self.interval_milliseconds(),
550
variant_level=1)))
551
552
# SetSecret - method
553
@dbus.service.method(_interface, in_signature="ay",
554
byte_arrays=True)
555
def SetSecret(self, secret):
556
"D-Bus setter method"
557
self.secret = str(secret)
558
559
# SetTimeout - method
560
@dbus.service.method(_interface, in_signature="t")
561
def SetTimeout(self, milliseconds):
562
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
563
# Emit D-Bus signal
564
self.PropertyChanged(dbus.String(u"timeout"),
565
(dbus.UInt64(self.timeout_milliseconds(),
566
variant_level=1)))
807
# GotSecret - signal
808
@dbus.service.signal(_interface)
809
def GotSecret(self):
810
"D-Bus signal"
811
pass
812
813
# Rejected - signal
814
@dbus.service.signal(_interface)
815
def Rejected(self):
816
"D-Bus signal"
817
pass
818
819
## Methods
820
821
# CheckedOK - method
822
@dbus.service.method(_interface)
823
def CheckedOK(self):
824
return self.checked_ok()
567
825
568
826
# Enable - method
569
Enable = dbus.service.method(_interface)(enable)
570
Enable.__name__ = "Enable"
827
@dbus.service.method(_interface)
828
def Enable(self):
829
"D-Bus method"
830
self.enable()
571
831
572
832
# StartChecker - method
573
833
@dbus.service.method(_interface)
582
842
self.disable()
583
843
584
844
# StopChecker - method
585
StopChecker = dbus.service.method(_interface)(stop_checker)
586
StopChecker.__name__ = "StopChecker"
845
@dbus.service.method(_interface)
846
def StopChecker(self):
847
self.stop_checker()
848
849
## Properties
850
851
# name - property
852
@dbus_service_property(_interface, signature=u"s", access=u"read")
853
def name_dbus_property(self):
854
return dbus.String(self.name)
855
856
# fingerprint - property
857
@dbus_service_property(_interface, signature=u"s", access=u"read")
858
def fingerprint_dbus_property(self):
859
return dbus.String(self.fingerprint)
860
861
# host - property
862
@dbus_service_property(_interface, signature=u"s",
863
access=u"readwrite")
864
def host_dbus_property(self, value=None):
865
if value is None: # get
866
return dbus.String(self.host)
867
self.host = value
868
# Emit D-Bus signal
869
self.PropertyChanged(dbus.String(u"host"),
870
dbus.String(value, variant_level=1))
871
872
# created - property
873
@dbus_service_property(_interface, signature=u"s", access=u"read")
874
def created_dbus_property(self):
875
return dbus.String(self._datetime_to_dbus(self.created))
876
877
# last_enabled - property
878
@dbus_service_property(_interface, signature=u"s", access=u"read")
879
def last_enabled_dbus_property(self):
880
if self.last_enabled is None:
881
return dbus.String(u"")
882
return dbus.String(self._datetime_to_dbus(self.last_enabled))
883
884
# enabled - property
885
@dbus_service_property(_interface, signature=u"b",
886
access=u"readwrite")
887
def enabled_dbus_property(self, value=None):
888
if value is None: # get
889
return dbus.Boolean(self.enabled)
890
if value:
891
self.enable()
892
else:
893
self.disable()
894
895
# last_checked_ok - property
896
@dbus_service_property(_interface, signature=u"s",
897
access=u"readwrite")
898
def last_checked_ok_dbus_property(self, value=None):
899
if value is not None:
900
self.checked_ok()
901
return
902
if self.last_checked_ok is None:
903
return dbus.String(u"")
904
return dbus.String(self._datetime_to_dbus(self
905
.last_checked_ok))
906
907
# timeout - property
908
@dbus_service_property(_interface, signature=u"t",
909
access=u"readwrite")
910
def timeout_dbus_property(self, value=None):
911
if value is None: # get
912
return dbus.UInt64(self.timeout_milliseconds())
913
self.timeout = datetime.timedelta(0, 0, 0, value)
914
# Emit D-Bus signal
915
self.PropertyChanged(dbus.String(u"timeout"),
916
dbus.UInt64(value, variant_level=1))
917
if getattr(self, u"disable_initiator_tag", None) is None:
918
return
919
# Reschedule timeout
920
gobject.source_remove(self.disable_initiator_tag)
921
self.disable_initiator_tag = None
922
time_to_die = (self.
923
_timedelta_to_milliseconds((self
924
.last_checked_ok
925
+ self.timeout)
926
- datetime.datetime
927
.utcnow()))
928
if time_to_die <= 0:
929
# The timeout has passed
930
self.disable()
931
else:
932
self.disable_initiator_tag = (gobject.timeout_add
933
(time_to_die, self.disable))
934
935
# interval - property
936
@dbus_service_property(_interface, signature=u"t",
937
access=u"readwrite")
938
def interval_dbus_property(self, value=None):
939
if value is None: # get
940
return dbus.UInt64(self.interval_milliseconds())
941
self.interval = datetime.timedelta(0, 0, 0, value)
942
# Emit D-Bus signal
943
self.PropertyChanged(dbus.String(u"interval"),
944
dbus.UInt64(value, variant_level=1))
945
if getattr(self, u"checker_initiator_tag", None) is None:
946
return
947
# Reschedule checker run
948
gobject.source_remove(self.checker_initiator_tag)
949
self.checker_initiator_tag = (gobject.timeout_add
950
(value, self.start_checker))
951
self.start_checker() # Start one now, too
952
953
# checker - property
954
@dbus_service_property(_interface, signature=u"s",
955
access=u"readwrite")
956
def checker_dbus_property(self, value=None):
957
if value is None: # get
958
return dbus.String(self.checker_command)
959
self.checker_command = value
960
# Emit D-Bus signal
961
self.PropertyChanged(dbus.String(u"checker"),
962
dbus.String(self.checker_command,
963
variant_level=1))
964
965
# checker_running - property
966
@dbus_service_property(_interface, signature=u"b",
967
access=u"readwrite")
968
def checker_running_dbus_property(self, value=None):
969
if value is None: # get
970
return dbus.Boolean(self.checker is not None)
971
if value:
972
self.start_checker()
973
else:
974
self.stop_checker()
975
976
# object_path - property
977
@dbus_service_property(_interface, signature=u"o", access=u"read")
978
def object_path_dbus_property(self):
979
return self.dbus_object_path # is already a dbus.ObjectPath
980
981
# secret = property
982
@dbus_service_property(_interface, signature=u"ay",
983
access=u"write", byte_arrays=True)
984
def secret_dbus_property(self, value):
985
self.secret = str(value)
587
986
588
987
del _interface
589
988
590
989
591
def peer_certificate(session):
592
"Return the peer's OpenPGP certificate as a bytestring"
593
# If not an OpenPGP certificate...
594
if (gnutls.library.functions
595
.gnutls_certificate_type_get(session._c_object)
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
597
# ...do the normal thing
598
return session.peer_certificate
599
list_size = ctypes.c_uint(1)
600
cert_list = (gnutls.library.functions
601
.gnutls_certificate_get_peers
602
(session._c_object, ctypes.byref(list_size)))
603
if not bool(cert_list) and list_size.value != 0:
604
raise gnutls.errors.GNUTLSError("error getting peer"
605
" certificate")
606
if list_size.value == 0:
607
return None
608
cert = cert_list[0]
609
return ctypes.string_at(cert.data, cert.size)
610
611
612
def fingerprint(openpgp):
613
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
614
# New GnuTLS "datum" with the OpenPGP public key
615
datum = (gnutls.library.types
616
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
617
ctypes.POINTER
618
(ctypes.c_ubyte)),
619
ctypes.c_uint(len(openpgp))))
620
# New empty GnuTLS certificate
621
crt = gnutls.library.types.gnutls_openpgp_crt_t()
622
(gnutls.library.functions
623
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
624
# Import the OpenPGP public key into the certificate
625
(gnutls.library.functions
626
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
627
gnutls.library.constants
628
.GNUTLS_OPENPGP_FMT_RAW))
629
# Verify the self signature in the key
630
crtverify = ctypes.c_uint()
631
(gnutls.library.functions
632
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
633
if crtverify.value != 0:
634
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
635
raise gnutls.errors.CertificateSecurityError("Verify failed")
636
# New buffer for the fingerprint
637
buf = ctypes.create_string_buffer(20)
638
buf_len = ctypes.c_size_t()
639
# Get the fingerprint from the certificate into the buffer
640
(gnutls.library.functions
641
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
642
ctypes.byref(buf_len)))
643
# Deinit the certificate
644
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
645
# Convert the buffer to a Python bytestring
646
fpr = ctypes.string_at(buf, buf_len.value)
647
# Convert the bytestring to hexadecimal notation
648
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
649
return hex_fpr
650
651
652
class TCP_handler(SocketServer.BaseRequestHandler, object):
653
"""A TCP request handler class.
654
Instantiated by IPv6_TCPServer for each request to handle it.
990
class ClientHandler(socketserver.BaseRequestHandler, object):
991
"""A class to handle client connections.
992
993
Instantiated once for each connection to handle it.
655
994
Note: This will run in its own forked process."""
656
995
657
996
def handle(self):
658
997
logger.info(u"TCP connection from: %s",
659
998
unicode(self.client_address))
660
session = (gnutls.connection
661
.ClientSession(self.request,
662
gnutls.connection
663
.X509Credentials()))
664
665
line = self.request.makefile().readline()
666
logger.debug(u"Protocol version: %r", line)
667
try:
668
if int(line.strip().split()[0]) > 1:
669
raise RuntimeError
670
except (ValueError, IndexError, RuntimeError), error:
671
logger.error(u"Unknown protocol version: %s", error)
672
return
673
674
# Note: gnutls.connection.X509Credentials is really a generic
675
# GnuTLS certificate credentials object so long as no X.509
676
# keys are added to it. Therefore, we can use it here despite
677
# using OpenPGP certificates.
678
679
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
680
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
681
# "+DHE-DSS"))
682
# Use a fallback default, since this MUST be set.
683
priority = self.server.settings.get("priority", "NORMAL")
684
(gnutls.library.functions
685
.gnutls_priority_set_direct(session._c_object,
686
priority, None))
687
688
try:
689
session.handshake()
690
except gnutls.errors.GNUTLSError, error:
691
logger.warning(u"Handshake failed: %s", error)
692
# Do not run session.bye() here: the session is not
693
# established. Just abandon the request.
694
return
695
logger.debug(u"Handshake succeeded")
696
try:
697
fpr = fingerprint(peer_certificate(session))
698
except (TypeError, gnutls.errors.GNUTLSError), error:
699
logger.warning(u"Bad certificate: %s", error)
700
session.bye()
701
return
702
logger.debug(u"Fingerprint: %s", fpr)
703
704
for c in self.server.clients:
705
if c.fingerprint == fpr:
706
client = c
707
break
708
else:
709
logger.warning(u"Client not found for fingerprint: %s",
710
fpr)
711
session.bye()
712
return
713
# Have to check if client.still_valid(), since it is possible
714
# that the client timed out while establishing the GnuTLS
715
# session.
716
if not client.still_valid():
717
logger.warning(u"Client %(name)s is invalid",
718
vars(client))
719
session.bye()
720
return
721
## This won't work here, since we're in a fork.
722
# client.checked_ok()
723
sent_size = 0
724
while sent_size < len(client.secret):
725
sent = session.send(client.secret[sent_size:])
726
logger.debug(u"Sent: %d, remaining: %d",
727
sent, len(client.secret)
728
- (sent_size + sent))
729
sent_size += sent
730
session.bye()
731
732
733
class IPv6_TCPServer(SocketServer.ForkingMixIn,
734
SocketServer.TCPServer, object):
735
"""IPv6 TCP server. Accepts 'None' as address and/or port.
999
logger.debug(u"IPC Pipe FD: %d",
1000
self.server.child_pipe[1].fileno())
1001
# Open IPC pipe to parent process
1002
with contextlib.nested(self.server.child_pipe[1],
1003
self.server.parent_pipe[0]
1004
) as (ipc, ipc_return):
1005
session = (gnutls.connection
1006
.ClientSession(self.request,
1007
gnutls.connection
1008
.X509Credentials()))
1009
1010
# Note: gnutls.connection.X509Credentials is really a
1011
# generic GnuTLS certificate credentials object so long as
1012
# no X.509 keys are added to it. Therefore, we can use it
1013
# here despite using OpenPGP certificates.
1014
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1016
# u"+AES-256-CBC", u"+SHA1",
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1018
# u"+DHE-DSS"))
1019
# Use a fallback default, since this MUST be set.
1020
priority = self.server.gnutls_priority
1021
if priority is None:
1022
priority = u"NORMAL"
1023
(gnutls.library.functions
1024
.gnutls_priority_set_direct(session._c_object,
1025
priority, None))
1026
1027
# Start communication using the Mandos protocol
1028
# Get protocol number
1029
line = self.request.makefile().readline()
1030
logger.debug(u"Protocol version: %r", line)
1031
try:
1032
if int(line.strip().split()[0]) > 1:
1033
raise RuntimeError
1034
except (ValueError, IndexError, RuntimeError), error:
1035
logger.error(u"Unknown protocol version: %s", error)
1036
return
1037
1038
# Start GnuTLS connection
1039
try:
1040
session.handshake()
1041
except gnutls.errors.GNUTLSError, error:
1042
logger.warning(u"Handshake failed: %s", error)
1043
# Do not run session.bye() here: the session is not
1044
# established. Just abandon the request.
1045
return
1046
logger.debug(u"Handshake succeeded")
1047
try:
1048
try:
1049
fpr = self.fingerprint(self.peer_certificate
1050
(session))
1051
except (TypeError, gnutls.errors.GNUTLSError), error:
1052
logger.warning(u"Bad certificate: %s", error)
1053
return
1054
logger.debug(u"Fingerprint: %s", fpr)
1055
1056
for c in self.server.clients:
1057
if c.fingerprint == fpr:
1058
client = c
1059
break
1060
else:
1061
ipc.write(u"NOTFOUND %s %s\n"
1062
% (fpr, unicode(self.client_address)))
1063
return
1064
1065
class ClientProxy(object):
1066
"""Client proxy object. Not for calling methods."""
1067
def __init__(self, client):
1068
self.client = client
1069
def __getattr__(self, name):
1070
if name.startswith("ipc_"):
1071
def tempfunc():
1072
ipc.write("%s %s\n" % (name[4:].upper(),
1073
self.client.name))
1074
return tempfunc
1075
if not hasattr(self.client, name):
1076
raise AttributeError
1077
ipc.write(u"GETATTR %s %s\n"
1078
% (name, self.client.fingerprint))
1079
return pickle.load(ipc_return)
1080
clientproxy = ClientProxy(client)
1081
# Have to check if client.enabled, since it is
1082
# possible that the client was disabled since the
1083
# GnuTLS session was established.
1084
if not clientproxy.enabled:
1085
clientproxy.ipc_disabled()
1086
return
1087
1088
clientproxy.ipc_sending()
1089
sent_size = 0
1090
while sent_size < len(client.secret):
1091
sent = session.send(client.secret[sent_size:])
1092
logger.debug(u"Sent: %d, remaining: %d",
1093
sent, len(client.secret)
1094
- (sent_size + sent))
1095
sent_size += sent
1096
finally:
1097
session.bye()
1098
1099
@staticmethod
1100
def peer_certificate(session):
1101
"Return the peer's OpenPGP certificate as a bytestring"
1102
# If not an OpenPGP certificate...
1103
if (gnutls.library.functions
1104
.gnutls_certificate_type_get(session._c_object)
1105
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1106
# ...do the normal thing
1107
return session.peer_certificate
1108
list_size = ctypes.c_uint(1)
1109
cert_list = (gnutls.library.functions
1110
.gnutls_certificate_get_peers
1111
(session._c_object, ctypes.byref(list_size)))
1112
if not bool(cert_list) and list_size.value != 0:
1113
raise gnutls.errors.GNUTLSError(u"error getting peer"
1114
u" certificate")
1115
if list_size.value == 0:
1116
return None
1117
cert = cert_list[0]
1118
return ctypes.string_at(cert.data, cert.size)
1119
1120
@staticmethod
1121
def fingerprint(openpgp):
1122
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1123
# New GnuTLS "datum" with the OpenPGP public key
1124
datum = (gnutls.library.types
1125
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1126
ctypes.POINTER
1127
(ctypes.c_ubyte)),
1128
ctypes.c_uint(len(openpgp))))
1129
# New empty GnuTLS certificate
1130
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1131
(gnutls.library.functions
1132
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1133
# Import the OpenPGP public key into the certificate
1134
(gnutls.library.functions
1135
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1136
gnutls.library.constants
1137
.GNUTLS_OPENPGP_FMT_RAW))
1138
# Verify the self signature in the key
1139
crtverify = ctypes.c_uint()
1140
(gnutls.library.functions
1141
.gnutls_openpgp_crt_verify_self(crt, 0,
1142
ctypes.byref(crtverify)))
1143
if crtverify.value != 0:
1144
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1145
raise (gnutls.errors.CertificateSecurityError
1146
(u"Verify failed"))
1147
# New buffer for the fingerprint
1148
buf = ctypes.create_string_buffer(20)
1149
buf_len = ctypes.c_size_t()
1150
# Get the fingerprint from the certificate into the buffer
1151
(gnutls.library.functions
1152
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1153
ctypes.byref(buf_len)))
1154
# Deinit the certificate
1155
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1156
# Convert the buffer to a Python bytestring
1157
fpr = ctypes.string_at(buf, buf_len.value)
1158
# Convert the bytestring to hexadecimal notation
1159
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1160
return hex_fpr
1161
1162
1163
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1164
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1165
def process_request(self, request, client_address):
1166
"""Overrides and wraps the original process_request().
1167
1168
This function creates a new pipe in self.pipe
1169
"""
1170
# Child writes to child_pipe
1171
self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1172
# Parent writes to parent_pipe
1173
self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1174
super(ForkingMixInWithPipes,
1175
self).process_request(request, client_address)
1176
# Close unused ends for parent
1177
self.parent_pipe[0].close() # close read end
1178
self.child_pipe[1].close() # close write end
1179
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1180
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1181
"""Dummy function; override as necessary"""
1182
child_pipe_fd.close()
1183
parent_pipe_fd.close()
1184
1185
1186
class IPv6_TCPServer(ForkingMixInWithPipes,
1187
socketserver.TCPServer, object):
1188
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1189
736
1190
Attributes:
737
settings: Server settings
738
clients: Set() of Client objects
739
1191
enabled: Boolean; whether this server is activated yet
1192
interface: None or a network interface name (string)
1193
use_ipv6: Boolean; to use IPv6 or not
740
1194
"""
741
address_family = socket.AF_INET6
742
def __init__(self, *args, **kwargs):
743
if "settings" in kwargs:
744
self.settings = kwargs["settings"]
745
del kwargs["settings"]
746
if "clients" in kwargs:
747
self.clients = kwargs["clients"]
748
del kwargs["clients"]
749
self.enabled = False
750
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1195
def __init__(self, server_address, RequestHandlerClass,
1196
interface=None, use_ipv6=True):
1197
self.interface = interface
1198
if use_ipv6:
1199
self.address_family = socket.AF_INET6
1200
socketserver.TCPServer.__init__(self, server_address,
1201
RequestHandlerClass)
751
1202
def server_bind(self):
752
1203
"""This overrides the normal server_bind() function
753
1204
to bind to an interface if one was specified, and also NOT to
754
1205
bind to an address or port if they were not specified."""
755
if self.settings["interface"]:
756
# 25 is from /usr/include/asm-i486/socket.h
757
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
758
try:
759
self.socket.setsockopt(socket.SOL_SOCKET,
760
SO_BINDTODEVICE,
761
self.settings["interface"])
762
except socket.error, error:
763
if error[0] == errno.EPERM:
764
logger.error(u"No permission to"
765
u" bind to interface %s",
766
self.settings["interface"])
767
else:
768
raise
1206
if self.interface is not None:
1207
if SO_BINDTODEVICE is None:
1208
logger.error(u"SO_BINDTODEVICE does not exist;"
1209
u" cannot bind to interface %s",
1210
self.interface)
1211
else:
1212
try:
1213
self.socket.setsockopt(socket.SOL_SOCKET,
1214
SO_BINDTODEVICE,
1215
str(self.interface
1216
+ u'\0'))
1217
except socket.error, error:
1218
if error[0] == errno.EPERM:
1219
logger.error(u"No permission to"
1220
u" bind to interface %s",
1221
self.interface)
1222
elif error[0] == errno.ENOPROTOOPT:
1223
logger.error(u"SO_BINDTODEVICE not available;"
1224
u" cannot bind to interface %s",
1225
self.interface)
1226
else:
1227
raise
769
1228
# Only bind(2) the socket if we really need to.
770
1229
if self.server_address[0] or self.server_address[1]:
771
1230
if not self.server_address[0]:
772
in6addr_any = "::"
773
self.server_address = (in6addr_any,
1231
if self.address_family == socket.AF_INET6:
1232
any_address = u"::" # in6addr_any
1233
else:
1234
any_address = socket.INADDR_ANY
1235
self.server_address = (any_address,
774
1236
self.server_address[1])
775
1237
elif not self.server_address[1]:
776
1238
self.server_address = (self.server_address[0],
777
1239
0)
778
# if self.settings["interface"]:
1240
# if self.interface:
779
1241
# self.server_address = (self.server_address[0],
780
1242
# 0, # port
781
1243
# 0, # flowinfo
782
1244
# if_nametoindex
783
# (self.settings
784
# ["interface"]))
785
return super(IPv6_TCPServer, self).server_bind()
1245
# (self.interface))
1246
return socketserver.TCPServer.server_bind(self)
1247
1248
1249
class MandosServer(IPv6_TCPServer):
1250
"""Mandos server.
1251
1252
Attributes:
1253
clients: set of Client objects
1254
gnutls_priority GnuTLS priority string
1255
use_dbus: Boolean; to emit D-Bus signals or not
1256
1257
Assumes a gobject.MainLoop event loop.
1258
"""
1259
def __init__(self, server_address, RequestHandlerClass,
1260
interface=None, use_ipv6=True, clients=None,
1261
gnutls_priority=None, use_dbus=True):
1262
self.enabled = False
1263
self.clients = clients
1264
if self.clients is None:
1265
self.clients = set()
1266
self.use_dbus = use_dbus
1267
self.gnutls_priority = gnutls_priority
1268
IPv6_TCPServer.__init__(self, server_address,
1269
RequestHandlerClass,
1270
interface = interface,
1271
use_ipv6 = use_ipv6)
786
1272
def server_activate(self):
787
1273
if self.enabled:
788
return super(IPv6_TCPServer, self).server_activate()
1274
return socketserver.TCPServer.server_activate(self)
789
1275
def enable(self):
790
1276
self.enabled = True
1277
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1278
# Call "handle_ipc" for both data and EOF events
1279
gobject.io_add_watch(child_pipe_fd.fileno(),
1280
gobject.IO_IN | gobject.IO_HUP,
1281
functools.partial(self.handle_ipc,
1282
reply = parent_pipe_fd,
1283
sender= child_pipe_fd))
1284
def handle_ipc(self, source, condition, reply=None, sender=None):
1285
condition_names = {
1286
gobject.IO_IN: u"IN", # There is data to read.
1287
gobject.IO_OUT: u"OUT", # Data can be written (without
1288
# blocking).
1289
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1290
gobject.IO_ERR: u"ERR", # Error condition.
1291
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1292
# broken, usually for pipes and
1293
# sockets).
1294
}
1295
conditions_string = ' | '.join(name
1296
for cond, name in
1297
condition_names.iteritems()
1298
if cond & condition)
1299
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1300
conditions_string)
1301
1302
# Read a line from the file object
1303
cmdline = sender.readline()
1304
if not cmdline: # Empty line means end of file
1305
# close the IPC pipes
1306
sender.close()
1307
reply.close()
1308
1309
# Stop calling this function
1310
return False
1311
1312
logger.debug(u"IPC command: %r", cmdline)
1313
1314
# Parse and act on command
1315
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1316
1317
if cmd == u"NOTFOUND":
1318
fpr, address = args.split(None, 1)
1319
logger.warning(u"Client not found for fingerprint: %s, ad"
1320
u"dress: %s", fpr, address)
1321
if self.use_dbus:
1322
# Emit D-Bus signal
1323
mandos_dbus_service.ClientNotFound(fpr, address)
1324
elif cmd == u"DISABLED":
1325
for client in self.clients:
1326
if client.name == args:
1327
logger.warning(u"Client %s is disabled", args)
1328
if self.use_dbus:
1329
# Emit D-Bus signal
1330
client.Rejected()
1331
break
1332
else:
1333
logger.error(u"Unknown client %s is disabled", args)
1334
elif cmd == u"SENDING":
1335
for client in self.clients:
1336
if client.name == args:
1337
logger.info(u"Sending secret to %s", client.name)
1338
client.checked_ok()
1339
if self.use_dbus:
1340
# Emit D-Bus signal
1341
client.GotSecret()
1342
break
1343
else:
1344
logger.error(u"Sending secret to unknown client %s",
1345
args)
1346
elif cmd == u"GETATTR":
1347
attr_name, fpr = args.split(None, 1)
1348
for client in self.clients:
1349
if client.fingerprint == fpr:
1350
attr_value = getattr(client, attr_name, None)
1351
logger.debug("IPC reply: %r", attr_value)
1352
pickle.dump(attr_value, reply)
1353
break
1354
else:
1355
logger.error(u"Client %s on address %s requesting "
1356
u"attribute %s not found", fpr, address,
1357
attr_name)
1358
pickle.dump(None, reply)
1359
else:
1360
logger.error(u"Unknown IPC command: %r", cmdline)
1361
1362
# Keep calling this function
1363
return True
791
1364
792
1365
793
1366
def string_to_delta(interval):
794
1367
"""Parse a string and return a datetime.timedelta
795
1368
796
>>> string_to_delta('7d')
1369
>>> string_to_delta(u'7d')
797
1370
datetime.timedelta(7)
798
>>> string_to_delta('60s')
1371
>>> string_to_delta(u'60s')
799
1372
datetime.timedelta(0, 60)
800
>>> string_to_delta('60m')
1373
>>> string_to_delta(u'60m')
801
1374
datetime.timedelta(0, 3600)
802
>>> string_to_delta('24h')
1375
>>> string_to_delta(u'24h')
803
1376
datetime.timedelta(1)
804
1377
>>> string_to_delta(u'1w')
805
1378
datetime.timedelta(7)
806
>>> string_to_delta('5m 30s')
1379
>>> string_to_delta(u'5m 30s')
807
1380
datetime.timedelta(0, 330)
808
1381
"""
809
1382
timevalue = datetime.timedelta(0)
822
1395
elif suffix == u"w":
823
1396
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
824
1397
else:
825
raise ValueError
826
except (ValueError, IndexError):
827
raise ValueError
1398
raise ValueError(u"Unknown suffix %r" % suffix)
1399
except (ValueError, IndexError), e:
1400
raise ValueError(e.message)
828
1401
timevalue += delta
829
1402
return timevalue
830
1403
831
1404
832
def server_state_changed(state):
833
"""Derived from the Avahi example code"""
834
if state == avahi.SERVER_COLLISION:
835
logger.error(u"Zeroconf server name collision")
836
service.remove()
837
elif state == avahi.SERVER_RUNNING:
838
service.add()
839
840
841
def entry_group_state_changed(state, error):
842
"""Derived from the Avahi example code"""
843
logger.debug(u"Avahi state change: %i", state)
844
845
if state == avahi.ENTRY_GROUP_ESTABLISHED:
846
logger.debug(u"Zeroconf service established.")
847
elif state == avahi.ENTRY_GROUP_COLLISION:
848
logger.warning(u"Zeroconf service name collision.")
849
service.rename()
850
elif state == avahi.ENTRY_GROUP_FAILURE:
851
logger.critical(u"Avahi: Error in group state changed %s",
852
unicode(error))
853
raise AvahiGroupError(u"State changed: %s" % unicode(error))
854
855
1405
def if_nametoindex(interface):
856
"""Call the C function if_nametoindex(), or equivalent"""
1406
"""Call the C function if_nametoindex(), or equivalent
1407
1408
Note: This function cannot accept a unicode string."""
857
1409
global if_nametoindex
858
1410
try:
859
1411
if_nametoindex = (ctypes.cdll.LoadLibrary
860
(ctypes.util.find_library("c"))
1412
(ctypes.util.find_library(u"c"))
861
1413
.if_nametoindex)
862
1414
except (OSError, AttributeError):
863
if "struct" not in sys.modules:
864
import struct
865
if "fcntl" not in sys.modules:
866
import fcntl
1415
logger.warning(u"Doing if_nametoindex the hard way")
867
1416
def if_nametoindex(interface):
868
1417
"Get an interface index the hard way, i.e. using fcntl()"
869
1418
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
870
with closing(socket.socket()) as s:
1419
with contextlib.closing(socket.socket()) as s:
871
1420
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
872
struct.pack("16s16x", interface))
873
interface_index = struct.unpack("I", ifreq[16:20])[0]
1421
struct.pack(str(u"16s16x"),
1422
interface))
1423
interface_index = struct.unpack(str(u"I"),
1424
ifreq[16:20])[0]
874
1425
return interface_index
875
1426
return if_nametoindex(interface)
876
1427
877
1428
878
1429
def daemon(nochdir = False, noclose = False):
879
1430
"""See daemon(3). Standard BSD Unix function.
1431
880
1432
This should really exist as os.daemon, but it doesn't (yet)."""
881
1433
if os.fork():
882
1434
sys.exit()
883
1435
os.setsid()
884
1436
if not nochdir:
885
os.chdir("/")
1437
os.chdir(u"/")
886
1438
if os.fork():
887
1439
sys.exit()
888
1440
if not noclose:
890
1442
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
891
1443
if not stat.S_ISCHR(os.fstat(null).st_mode):
892
1444
raise OSError(errno.ENODEV,
893
"/dev/null not a character device")
1445
u"%s not a character device"
1446
% os.path.devnull)
894
1447
os.dup2(null, sys.stdin.fileno())
895
1448
os.dup2(null, sys.stdout.fileno())
896
1449
os.dup2(null, sys.stderr.fileno())
899
1452
900
1453
901
1454
def main():
1455
1456
##################################################################
1457
# Parsing of options, both command line and config file
1458
902
1459
parser = optparse.OptionParser(version = "%%prog %s" % version)
903
parser.add_option("-i", "--interface", type="string",
904
metavar="IF", help="Bind to interface IF")
905
parser.add_option("-a", "--address", type="string",
906
help="Address to listen for requests on")
907
parser.add_option("-p", "--port", type="int",
908
help="Port number to receive requests on")
909
parser.add_option("--check", action="store_true",
910
help="Run self-test")
911
parser.add_option("--debug", action="store_true",
912
help="Debug mode; run in foreground and log to"
913
" terminal")
914
parser.add_option("--priority", type="string", help="GnuTLS"
915
" priority string (see GnuTLS documentation)")
916
parser.add_option("--servicename", type="string", metavar="NAME",
917
help="Zeroconf service name")
918
parser.add_option("--configdir", type="string",
919
default="/etc/mandos", metavar="DIR",
920
help="Directory to search for configuration"
921
" files")
922
parser.add_option("--no-dbus", action="store_false",
923
dest="use_dbus",
924
help="Do not provide D-Bus system bus"
925
" interface")
1460
parser.add_option("-i", u"--interface", type=u"string",
1461
metavar="IF", help=u"Bind to interface IF")
1462
parser.add_option("-a", u"--address", type=u"string",
1463
help=u"Address to listen for requests on")
1464
parser.add_option("-p", u"--port", type=u"int",
1465
help=u"Port number to receive requests on")
1466
parser.add_option("--check", action=u"store_true",
1467
help=u"Run self-test")
1468
parser.add_option("--debug", action=u"store_true",
1469
help=u"Debug mode; run in foreground and log to"
1470
u" terminal")
1471
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1472
u" priority string (see GnuTLS documentation)")
1473
parser.add_option("--servicename", type=u"string",
1474
metavar=u"NAME", help=u"Zeroconf service name")
1475
parser.add_option("--configdir", type=u"string",
1476
default=u"/etc/mandos", metavar=u"DIR",
1477
help=u"Directory to search for configuration"
1478
u" files")
1479
parser.add_option("--no-dbus", action=u"store_false",
1480
dest=u"use_dbus", help=u"Do not provide D-Bus"
1481
u" system bus interface")
1482
parser.add_option("--no-ipv6", action=u"store_false",
1483
dest=u"use_ipv6", help=u"Do not use IPv6")
926
1484
options = parser.parse_args()[0]
927
1485
928
1486
if options.check:
931
1489
sys.exit()
932
1490
933
1491
# Default values for config file for server-global settings
934
server_defaults = { "interface": "",
935
"address": "",
936
"port": "",
937
"debug": "False",
938
"priority":
939
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
940
"servicename": "Mandos",
941
"use_dbus": "True",
1492
server_defaults = { u"interface": u"",
1493
u"address": u"",
1494
u"port": u"",
1495
u"debug": u"False",
1496
u"priority":
1497
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1498
u"servicename": u"Mandos",
1499
u"use_dbus": u"True",
1500
u"use_ipv6": u"True",
942
1501
}
943
1502
944
1503
# Parse config file for server-global settings
945
server_config = ConfigParser.SafeConfigParser(server_defaults)
1504
server_config = configparser.SafeConfigParser(server_defaults)
946
1505
del server_defaults
947
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1506
server_config.read(os.path.join(options.configdir,
1507
u"mandos.conf"))
948
1508
# Convert the SafeConfigParser object to a dict
949
1509
server_settings = server_config.defaults()
950
1510
# Use the appropriate methods on the non-string config options
951
server_settings["debug"] = server_config.getboolean("DEFAULT",
952
"debug")
953
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
954
"use_dbus")
1511
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1512
server_settings[option] = server_config.getboolean(u"DEFAULT",
1513
option)
955
1514
if server_settings["port"]:
956
server_settings["port"] = server_config.getint("DEFAULT",
957
"port")
1515
server_settings["port"] = server_config.getint(u"DEFAULT",
1516
u"port")
958
1517
del server_config
959
1518
960
1519
# Override the settings from the config file with command line
961
1520
# options, if set.
962
for option in ("interface", "address", "port", "debug",
963
"priority", "servicename", "configdir",
964
"use_dbus"):
1521
for option in (u"interface", u"address", u"port", u"debug",
1522
u"priority", u"servicename", u"configdir",
1523
u"use_dbus", u"use_ipv6"):
965
1524
value = getattr(options, option)
966
1525
if value is not None:
967
1526
server_settings[option] = value
968
1527
del options
1528
# Force all strings to be unicode
1529
for option in server_settings.keys():
1530
if type(server_settings[option]) is str:
1531
server_settings[option] = unicode(server_settings[option])
969
1532
# Now we have our good server settings in "server_settings"
970
1533
1534
##################################################################
1535
971
1536
# For convenience
972
debug = server_settings["debug"]
973
use_dbus = server_settings["use_dbus"]
1537
debug = server_settings[u"debug"]
1538
use_dbus = server_settings[u"use_dbus"]
1539
use_ipv6 = server_settings[u"use_ipv6"]
974
1540
975
1541
if not debug:
976
1542
syslogger.setLevel(logging.WARNING)
977
1543
console.setLevel(logging.WARNING)
978
1544
979
if server_settings["servicename"] != "Mandos":
1545
if server_settings[u"servicename"] != u"Mandos":
980
1546
syslogger.setFormatter(logging.Formatter
981
('Mandos (%s): %%(levelname)s:'
982
' %%(message)s'
983
% server_settings["servicename"]))
1547
(u'Mandos (%s) [%%(process)d]:'
1548
u' %%(levelname)s: %%(message)s'
1549
% server_settings[u"servicename"]))
984
1550
985
1551
# Parse config file with clients
986
client_defaults = { "timeout": "1h",
987
"interval": "5m",
988
"checker": "fping -q -- %%(host)s",
989
"host": "",
1552
client_defaults = { u"timeout": u"1h",
1553
u"interval": u"5m",
1554
u"checker": u"fping -q -- %%(host)s",
1555
u"host": u"",
990
1556
}
991
client_config = ConfigParser.SafeConfigParser(client_defaults)
992
client_config.read(os.path.join(server_settings["configdir"],
993
"clients.conf"))
994
995
clients = Set()
996
tcp_server = IPv6_TCPServer((server_settings["address"],
997
server_settings["port"]),
998
TCP_handler,
999
settings=server_settings,
1000
clients=clients)
1001
pidfilename = "/var/run/mandos.pid"
1557
client_config = configparser.SafeConfigParser(client_defaults)
1558
client_config.read(os.path.join(server_settings[u"configdir"],
1559
u"clients.conf"))
1560
1561
global mandos_dbus_service
1562
mandos_dbus_service = None
1563
1564
tcp_server = MandosServer((server_settings[u"address"],
1565
server_settings[u"port"]),
1566
ClientHandler,
1567
interface=server_settings[u"interface"],
1568
use_ipv6=use_ipv6,
1569
gnutls_priority=
1570
server_settings[u"priority"],
1571
use_dbus=use_dbus)
1572
pidfilename = u"/var/run/mandos.pid"
1002
1573
try:
1003
pidfile = open(pidfilename, "w")
1574
pidfile = open(pidfilename, u"w")
1004
1575
except IOError:
1005
logger.error("Could not open file %r", pidfilename)
1576
logger.error(u"Could not open file %r", pidfilename)
1006
1577
1007
1578
try:
1008
uid = pwd.getpwnam("_mandos").pw_uid
1009
gid = pwd.getpwnam("_mandos").pw_gid
1579
uid = pwd.getpwnam(u"_mandos").pw_uid
1580
gid = pwd.getpwnam(u"_mandos").pw_gid
1010
1581
except KeyError:
1011
1582
try:
1012
uid = pwd.getpwnam("mandos").pw_uid
1013
gid = pwd.getpwnam("mandos").pw_gid
1583
uid = pwd.getpwnam(u"mandos").pw_uid
1584
gid = pwd.getpwnam(u"mandos").pw_gid
1014
1585
except KeyError:
1015
1586
try:
1016
uid = pwd.getpwnam("nobody").pw_uid
1017
gid = pwd.getpwnam("nogroup").pw_gid
1587
uid = pwd.getpwnam(u"nobody").pw_uid
1588
gid = pwd.getpwnam(u"nobody").pw_gid
1018
1589
except KeyError:
1019
1590
uid = 65534
1020
1591
gid = 65534
1033
1604
1034
1605
@gnutls.library.types.gnutls_log_func
1035
1606
def debug_gnutls(level, string):
1036
logger.debug("GnuTLS: %s", string[:-1])
1607
logger.debug(u"GnuTLS: %s", string[:-1])
1037
1608
1038
1609
(gnutls.library.functions
1039
1610
.gnutls_global_set_log_function(debug_gnutls))
1040
1611
1041
global service
1042
service = AvahiService(name = server_settings["servicename"],
1043
servicetype = "_mandos._tcp", )
1044
if server_settings["interface"]:
1045
service.interface = (if_nametoindex
1046
(server_settings["interface"]))
1047
1048
1612
global main_loop
1049
global bus
1050
global server
1051
1613
# From the Avahi example code
1052
1614
DBusGMainLoop(set_as_default=True )
1053
1615
main_loop = gobject.MainLoop()
1054
1616
bus = dbus.SystemBus()
1055
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1056
avahi.DBUS_PATH_SERVER),
1057
avahi.DBUS_INTERFACE_SERVER)
1058
1617
# End of Avahi example code
1059
1618
if use_dbus:
1060
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1619
try:
1620
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1621
bus, do_not_queue=True)
1622
except dbus.exceptions.NameExistsException, e:
1623
logger.error(unicode(e) + u", disabling D-Bus")
1624
use_dbus = False
1625
server_settings[u"use_dbus"] = False
1626
tcp_server.use_dbus = False
1627
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1628
service = AvahiService(name = server_settings[u"servicename"],
1629
servicetype = u"_mandos._tcp",
1630
protocol = protocol, bus = bus)
1631
if server_settings["interface"]:
1632
service.interface = (if_nametoindex
1633
(str(server_settings[u"interface"])))
1061
1634
1062
clients.update(Set(Client(name = section,
1063
config
1064
= dict(client_config.items(section)),
1065
use_dbus = use_dbus)
1066
for section in client_config.sections()))
1067
if not clients:
1635
client_class = Client
1636
if use_dbus:
1637
client_class = functools.partial(ClientDBus, bus = bus)
1638
tcp_server.clients.update(set(
1639
client_class(name = section,
1640
config= dict(client_config.items(section)))
1641
for section in client_config.sections()))
1642
if not tcp_server.clients:
1068
1643
logger.warning(u"No clients defined")
1069
1644
1070
1645
if debug:
1080
1655
daemon()
1081
1656
1082
1657
try:
1083
pid = os.getpid()
1084
pidfile.write(str(pid) + "\n")
1085
pidfile.close()
1658
with pidfile:
1659
pid = os.getpid()
1660
pidfile.write(str(pid) + "\n")
1086
1661
del pidfile
1087
1662
except IOError:
1088
1663
logger.error(u"Could not write to file %r with PID %d",
1092
1667
pass
1093
1668
del pidfilename
1094
1669
1095
def cleanup():
1096
"Cleanup function; run on exit"
1097
global group
1098
# From the Avahi example code
1099
if not group is None:
1100
group.Free()
1101
group = None
1102
# End of Avahi example code
1103
1104
while clients:
1105
client = clients.pop()
1106
client.disable_hook = None
1107
client.disable()
1108
1109
atexit.register(cleanup)
1110
1111
1670
if not debug:
1112
1671
signal.signal(signal.SIGINT, signal.SIG_IGN)
1113
1672
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1114
1673
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1115
1674
1116
1675
if use_dbus:
1117
class MandosServer(dbus.service.Object):
1676
class MandosDBusService(dbus.service.Object):
1118
1677
"""A D-Bus proxy object"""
1119
1678
def __init__(self):
1120
dbus.service.Object.__init__(self, bus, "/")
1679
dbus.service.Object.__init__(self, bus, u"/")
1121
1680
_interface = u"se.bsnet.fukt.Mandos"
1122
1681
1123
@dbus.service.signal(_interface, signature="oa{sv}")
1124
def ClientAdded(self, objpath, properties):
1125
"D-Bus signal"
1126
pass
1127
1128
@dbus.service.signal(_interface, signature="os")
1682
@dbus.service.signal(_interface, signature=u"o")
1683
def ClientAdded(self, objpath):
1684
"D-Bus signal"
1685
pass
1686
1687
@dbus.service.signal(_interface, signature=u"ss")
1688
def ClientNotFound(self, fingerprint, address):
1689
"D-Bus signal"
1690
pass
1691
1692
@dbus.service.signal(_interface, signature=u"os")
1129
1693
def ClientRemoved(self, objpath, name):
1130
1694
"D-Bus signal"
1131
1695
pass
1132
1696
1133
@dbus.service.method(_interface, out_signature="ao")
1697
@dbus.service.method(_interface, out_signature=u"ao")
1134
1698
def GetAllClients(self):
1135
1699
"D-Bus method"
1136
return dbus.Array(c.dbus_object_path for c in clients)
1700
return dbus.Array(c.dbus_object_path
1701
for c in tcp_server.clients)
1137
1702
1138
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1703
@dbus.service.method(_interface,
1704
out_signature=u"a{oa{sv}}")
1139
1705
def GetAllClientsWithProperties(self):
1140
1706
"D-Bus method"
1141
1707
return dbus.Dictionary(
1142
((c.dbus_object_path, c.GetAllProperties())
1143
for c in clients),
1144
signature="oa{sv}")
1708
((c.dbus_object_path, c.GetAll(u""))
1709
for c in tcp_server.clients),
1710
signature=u"oa{sv}")
1145
1711
1146
@dbus.service.method(_interface, in_signature="o")
1712
@dbus.service.method(_interface, in_signature=u"o")
1147
1713
def RemoveClient(self, object_path):
1148
1714
"D-Bus method"
1149
for c in clients:
1715
for c in tcp_server.clients:
1150
1716
if c.dbus_object_path == object_path:
1151
clients.remove(c)
1717
tcp_server.clients.remove(c)
1718
c.remove_from_connection()
1152
1719
# Don't signal anything except ClientRemoved
1153
c.use_dbus = False
1154
c.disable()
1720
c.disable(quiet=True)
1155
1721
# Emit D-Bus signal
1156
1722
self.ClientRemoved(object_path, c.name)
1157
1723
return
1158
raise KeyError
1724
raise KeyError(object_path)
1159
1725
1160
1726
del _interface
1161
1727
1162
mandos_server = MandosServer()
1163
1164
for client in clients:
1728
mandos_dbus_service = MandosDBusService()
1729
1730
def cleanup():
1731
"Cleanup function; run on exit"
1732
service.cleanup()
1733
1734
while tcp_server.clients:
1735
client = tcp_server.clients.pop()
1736
if use_dbus:
1737
client.remove_from_connection()
1738
client.disable_hook = None
1739
# Don't signal anything except ClientRemoved
1740
client.disable(quiet=True)
1741
if use_dbus:
1742
# Emit D-Bus signal
1743
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1744
client.name)
1745
1746
atexit.register(cleanup)
1747
1748
for client in tcp_server.clients:
1165
1749
if use_dbus:
1166
1750
# Emit D-Bus signal
1167
mandos_server.ClientAdded(client.dbus_object_path,
1168
client.GetAllProperties())
1751
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1169
1752
client.enable()
1170
1753
1171
1754
tcp_server.enable()
1173
1756
1174
1757
# Find out what port we got
1175
1758
service.port = tcp_server.socket.getsockname()[1]
1176
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1177
u" scope_id %d" % tcp_server.socket.getsockname())
1759
if use_ipv6:
1760
logger.info(u"Now listening on address %r, port %d,"
1761
" flowinfo %d, scope_id %d"
1762
% tcp_server.socket.getsockname())
1763
else: # IPv4
1764
logger.info(u"Now listening on address %r, port %d"
1765
% tcp_server.socket.getsockname())
1178
1766
1179
1767
#service.interface = tcp_server.socket.getsockname()[3]
1180
1768
1181
1769
try:
1182
1770
# From the Avahi example code
1183
server.connect_to_signal("StateChanged", server_state_changed)
1184
1771
try:
1185
server_state_changed(server.GetState())
1772
service.activate()
1186
1773
except dbus.exceptions.DBusException, error:
1187
1774
logger.critical(u"DBusException: %s", error)
1775
cleanup()
1188
1776
sys.exit(1)
1189
1777
# End of Avahi example code
1190
1778
1197
1785
main_loop.run()
1198
1786
except AvahiError, error:
1199
1787
logger.critical(u"AvahiError: %s", error)
1788
cleanup()
1200
1789
sys.exit(1)
1201
1790
except KeyboardInterrupt:
1202
1791
if debug:
1203
1792
print >> sys.stderr
1204
logger.debug("Server received KeyboardInterrupt")
1205
logger.debug("Server exiting")
1793
logger.debug(u"Server received KeyboardInterrupt")
1794
logger.debug(u"Server exiting")
1795
# Must run before the D-Bus bus name gets deregistered
1796
cleanup()
1206
1797
1207
1798
if __name__ == '__main__':
1208
1799
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0