To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 416.1.2
- compare with another revision
- download diff
- download tarball
- view history from revision 416.1.2
- Committer: Teddy Hogeborn
- Date: 2010-06-19 00:37:04 UTC
- mto: (24.1.149 mandos)
- mto: This revision was merged to the branch mainline in revision 417.
- Revision ID: teddy@fukt.bsnet.se-20100619003704-vpicvssvv1ktg2om
* mandos (ClientHandler.handle): Set up the GnuTLS session object
before reading the protocol number.
(ClientHandler.handle/ProxyObject): New.
before reading the protocol number.
(ClientHandler.handle/ProxyObject): New.
- files added:
- dbus-mandos.conf
- files modified:
- Makefile
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
14
# Copyright © 2008,2009 Teddy Hogeborn
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer
36
import SocketServer as socketserver
37
37
import socket
38
38
import optparse
39
39
import datetime
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser
47
import ConfigParser as configparser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
53
52
import subprocess
54
53
import atexit
55
54
import stat
56
55
import logging
57
56
import logging.handlers
58
57
import pwd
59
from contextlib import closing
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import select
60
64
61
65
import dbus
62
66
import dbus.service
65
69
from dbus.mainloop.glib import DBusGMainLoop
66
70
import ctypes
67
71
import ctypes.util
68
69
version = "1.0.8"
70
71
logger = logging.Logger('mandos')
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
logger = logging.Logger(u'mandos')
72
87
syslogger = (logging.handlers.SysLogHandler
73
88
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
89
address = "/dev/log"))
75
90
syslogger.setFormatter(logging.Formatter
76
('Mandos [%(process)d]: %(levelname)s:'
77
' %(message)s'))
91
(u'Mandos [%(process)d]: %(levelname)s:'
92
u' %(message)s'))
78
93
logger.addHandler(syslogger)
79
94
80
95
console = logging.StreamHandler()
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
96
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
97
u' %(levelname)s:'
98
u' %(message)s'))
83
99
logger.addHandler(console)
84
100
85
101
class AvahiError(Exception):
98
114
99
115
class AvahiService(object):
100
116
"""An Avahi (Zeroconf) service.
117
101
118
Attributes:
102
119
interface: integer; avahi.IF_UNSPEC or an interface index.
103
120
Used to optionally bind to the specified interface.
104
name: string; Example: 'Mandos'
105
type: string; Example: '_mandos._tcp'.
121
name: string; Example: u'Mandos'
122
type: string; Example: u'_mandos._tcp'.
106
123
See <http://www.dns-sd.org/ServiceTypes.html>
107
124
port: integer; what port to announce
108
125
TXT: list of strings; TXT record for the service
111
128
max_renames: integer; maximum number of renames
112
129
rename_count: integer; counter so we only rename after collisions
113
130
a sensible number of times
131
group: D-Bus Entry Group
132
server: D-Bus Server
133
bus: dbus.SystemBus()
114
134
"""
115
135
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
136
servicetype = None, port = None, TXT = None,
117
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
137
domain = u"", host = u"", max_renames = 32768,
138
protocol = avahi.PROTO_UNSPEC, bus = None):
119
139
self.interface = interface
120
140
self.name = name
121
141
self.type = servicetype
126
146
self.rename_count = 0
127
147
self.max_renames = max_renames
128
148
self.protocol = protocol
149
self.group = None # our entry group
150
self.server = None
151
self.bus = bus
129
152
def rename(self):
130
153
"""Derived from the Avahi example code"""
131
154
if self.rename_count >= self.max_renames:
133
156
u" after %i retries, exiting.",
134
157
self.rename_count)
135
158
raise AvahiServiceError(u"Too many renames")
136
self.name = server.GetAlternativeServiceName(self.name)
159
self.name = self.server.GetAlternativeServiceName(self.name)
137
160
logger.info(u"Changing Zeroconf service name to %r ...",
138
str(self.name))
161
unicode(self.name))
139
162
syslogger.setFormatter(logging.Formatter
140
('Mandos (%s) [%%(process)d]:'
141
' %%(levelname)s: %%(message)s'
163
(u'Mandos (%s) [%%(process)d]:'
164
u' %%(levelname)s: %%(message)s'
142
165
% self.name))
143
166
self.remove()
144
167
self.add()
145
168
self.rename_count += 1
146
169
def remove(self):
147
170
"""Derived from the Avahi example code"""
148
if group is not None:
149
group.Reset()
171
if self.group is not None:
172
self.group.Reset()
150
173
def add(self):
151
174
"""Derived from the Avahi example code"""
152
global group
153
if group is None:
154
group = dbus.Interface(bus.get_object
155
(avahi.DBUS_NAME,
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
175
if self.group is None:
176
self.group = dbus.Interface(
177
self.bus.get_object(avahi.DBUS_NAME,
178
self.server.EntryGroupNew()),
179
avahi.DBUS_INTERFACE_ENTRY_GROUP)
180
self.group.connect_to_signal('StateChanged',
181
self
182
.entry_group_state_changed)
160
183
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
161
service.name, service.type)
162
group.AddService(
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
170
group.Commit()
171
172
# From the Avahi example code:
173
group = None # our entry group
174
# End of Avahi example code
175
176
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
180
181
182
class Client(dbus.service.Object):
184
self.name, self.type)
185
self.group.AddService(
186
self.interface,
187
self.protocol,
188
dbus.UInt32(0), # flags
189
self.name, self.type,
190
self.domain, self.host,
191
dbus.UInt16(self.port),
192
avahi.string_array_to_txt_array(self.TXT))
193
self.group.Commit()
194
def entry_group_state_changed(self, state, error):
195
"""Derived from the Avahi example code"""
196
logger.debug(u"Avahi state change: %i", state)
197
198
if state == avahi.ENTRY_GROUP_ESTABLISHED:
199
logger.debug(u"Zeroconf service established.")
200
elif state == avahi.ENTRY_GROUP_COLLISION:
201
logger.warning(u"Zeroconf service name collision.")
202
self.rename()
203
elif state == avahi.ENTRY_GROUP_FAILURE:
204
logger.critical(u"Avahi: Error in group state changed %s",
205
unicode(error))
206
raise AvahiGroupError(u"State changed: %s"
207
% unicode(error))
208
def cleanup(self):
209
"""Derived from the Avahi example code"""
210
if self.group is not None:
211
self.group.Free()
212
self.group = None
213
def server_state_changed(self, state):
214
"""Derived from the Avahi example code"""
215
if state == avahi.SERVER_COLLISION:
216
logger.error(u"Zeroconf server name collision")
217
self.remove()
218
elif state == avahi.SERVER_RUNNING:
219
self.add()
220
def activate(self):
221
"""Derived from the Avahi example code"""
222
if self.server is None:
223
self.server = dbus.Interface(
224
self.bus.get_object(avahi.DBUS_NAME,
225
avahi.DBUS_PATH_SERVER),
226
avahi.DBUS_INTERFACE_SERVER)
227
self.server.connect_to_signal(u"StateChanged",
228
self.server_state_changed)
229
self.server_state_changed(self.server.GetState())
230
231
232
class Client(object):
183
233
"""A representation of a client host served by this server.
234
184
235
Attributes:
185
236
name: string; from the config file, used in log messages and
186
237
D-Bus identifiers
193
244
enabled: bool()
194
245
last_checked_ok: datetime.datetime(); (UTC) or None
195
246
timeout: datetime.timedelta(); How long from last_checked_ok
196
until this client is invalid
247
until this client is disabled
197
248
interval: datetime.timedelta(); How often to start a new checker
198
249
disable_hook: If set, called by disable() as disable_hook(self)
199
250
checker: subprocess.Popen(); a running checker process used
200
251
to see if the client lives.
201
252
'None' if no process is running.
202
253
checker_initiator_tag: a gobject event source tag, or None
203
disable_initiator_tag: - '' -
254
disable_initiator_tag: - '' -
204
255
checker_callback_tag: - '' -
205
256
checker_command: string; External command which is run to check if
206
257
client lives. %() expansions are done at
207
258
runtime with vars(self) as dict, so that for
208
259
instance %(name)s can be used in the command.
209
260
current_checker_command: string; current running checker_command
210
use_dbus: bool(); Whether to provide D-Bus interface and signals
211
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
212
261
"""
262
263
@staticmethod
264
def _timedelta_to_milliseconds(td):
265
"Convert a datetime.timedelta() to milliseconds"
266
return ((td.days * 24 * 60 * 60 * 1000)
267
+ (td.seconds * 1000)
268
+ (td.microseconds // 1000))
269
213
270
def timeout_milliseconds(self):
214
271
"Return the 'timeout' attribute in milliseconds"
215
return ((self.timeout.days * 24 * 60 * 60 * 1000)
216
+ (self.timeout.seconds * 1000)
217
+ (self.timeout.microseconds // 1000))
272
return self._timedelta_to_milliseconds(self.timeout)
218
273
219
274
def interval_milliseconds(self):
220
275
"Return the 'interval' attribute in milliseconds"
221
return ((self.interval.days * 24 * 60 * 60 * 1000)
222
+ (self.interval.seconds * 1000)
223
+ (self.interval.microseconds // 1000))
276
return self._timedelta_to_milliseconds(self.interval)
224
277
225
def __init__(self, name = None, disable_hook=None, config=None,
226
use_dbus=True):
278
def __init__(self, name = None, disable_hook=None, config=None):
227
279
"""Note: the 'checker' key in 'config' sets the
228
280
'checker_command' attribute and *not* the 'checker'
229
281
attribute."""
231
283
if config is None:
232
284
config = {}
233
285
logger.debug(u"Creating client %r", self.name)
234
self.use_dbus = False # During __init__
235
286
# Uppercase and remove spaces from fingerprint for later
236
287
# comparison purposes with return value from the fingerprint()
237
288
# function
238
self.fingerprint = (config["fingerprint"].upper()
289
self.fingerprint = (config[u"fingerprint"].upper()
239
290
.replace(u" ", u""))
240
291
logger.debug(u" Fingerprint: %s", self.fingerprint)
241
if "secret" in config:
242
self.secret = config["secret"].decode(u"base64")
243
elif "secfile" in config:
244
with closing(open(os.path.expanduser
245
(os.path.expandvars
246
(config["secfile"])))) as secfile:
292
if u"secret" in config:
293
self.secret = config[u"secret"].decode(u"base64")
294
elif u"secfile" in config:
295
with open(os.path.expanduser(os.path.expandvars
296
(config[u"secfile"])),
297
"rb") as secfile:
247
298
self.secret = secfile.read()
248
299
else:
249
300
raise TypeError(u"No secret or secfile for client %s"
250
301
% self.name)
251
self.host = config.get("host", "")
302
self.host = config.get(u"host", u"")
252
303
self.created = datetime.datetime.utcnow()
253
304
self.enabled = False
254
305
self.last_enabled = None
255
306
self.last_checked_ok = None
256
self.timeout = string_to_delta(config["timeout"])
257
self.interval = string_to_delta(config["interval"])
307
self.timeout = string_to_delta(config[u"timeout"])
308
self.interval = string_to_delta(config[u"interval"])
258
309
self.disable_hook = disable_hook
259
310
self.checker = None
260
311
self.checker_initiator_tag = None
261
312
self.disable_initiator_tag = None
262
313
self.checker_callback_tag = None
263
self.checker_command = config["checker"]
314
self.checker_command = config[u"checker"]
264
315
self.current_checker_command = None
265
316
self.last_connect = None
266
# Only now, when this client is initialized, can it show up on
267
# the D-Bus
268
self.use_dbus = use_dbus
269
if self.use_dbus:
270
self.dbus_object_path = (dbus.ObjectPath
271
("/clients/"
272
+ self.name.replace(".", "_")))
273
dbus.service.Object.__init__(self, bus,
274
self.dbus_object_path)
275
317
276
318
def enable(self):
277
319
"""Start this client's checker and timeout hooks"""
320
if getattr(self, u"enabled", False):
321
# Already enabled
322
return
278
323
self.last_enabled = datetime.datetime.utcnow()
279
324
# Schedule a new checker to be started an 'interval' from now,
280
325
# and every interval from then on.
281
326
self.checker_initiator_tag = (gobject.timeout_add
282
327
(self.interval_milliseconds(),
283
328
self.start_checker))
284
# Also start a new checker *right now*.
285
self.start_checker()
286
329
# Schedule a disable() when 'timeout' has passed
287
330
self.disable_initiator_tag = (gobject.timeout_add
288
331
(self.timeout_milliseconds(),
289
332
self.disable))
290
333
self.enabled = True
291
if self.use_dbus:
292
# Emit D-Bus signals
293
self.PropertyChanged(dbus.String(u"enabled"),
294
dbus.Boolean(True, variant_level=1))
295
self.PropertyChanged(dbus.String(u"last_enabled"),
296
(_datetime_to_dbus(self.last_enabled,
297
variant_level=1)))
334
# Also start a new checker *right now*.
335
self.start_checker()
298
336
299
def disable(self):
337
def disable(self, quiet=True):
300
338
"""Disable this client."""
301
339
if not getattr(self, "enabled", False):
302
340
return False
303
logger.info(u"Disabling client %s", self.name)
304
if getattr(self, "disable_initiator_tag", False):
341
if not quiet:
342
logger.info(u"Disabling client %s", self.name)
343
if getattr(self, u"disable_initiator_tag", False):
305
344
gobject.source_remove(self.disable_initiator_tag)
306
345
self.disable_initiator_tag = None
307
if getattr(self, "checker_initiator_tag", False):
346
if getattr(self, u"checker_initiator_tag", False):
308
347
gobject.source_remove(self.checker_initiator_tag)
309
348
self.checker_initiator_tag = None
310
349
self.stop_checker()
311
350
if self.disable_hook:
312
351
self.disable_hook(self)
313
352
self.enabled = False
314
if self.use_dbus:
315
# Emit D-Bus signal
316
self.PropertyChanged(dbus.String(u"enabled"),
317
dbus.Boolean(False, variant_level=1))
318
353
# Do not run this again if called by a gobject.timeout_add
319
354
return False
320
355
326
361
"""The checker has completed, so take appropriate actions."""
327
362
self.checker_callback_tag = None
328
363
self.checker = None
329
if self.use_dbus:
330
# Emit D-Bus signal
331
self.PropertyChanged(dbus.String(u"checker_running"),
332
dbus.Boolean(False, variant_level=1))
333
364
if os.WIFEXITED(condition):
334
365
exitstatus = os.WEXITSTATUS(condition)
335
366
if exitstatus == 0:
339
370
else:
340
371
logger.info(u"Checker for %(name)s failed",
341
372
vars(self))
342
if self.use_dbus:
343
# Emit D-Bus signal
344
self.CheckerCompleted(dbus.Int16(exitstatus),
345
dbus.Int64(condition),
346
dbus.String(command))
347
373
else:
348
374
logger.warning(u"Checker for %(name)s crashed?",
349
375
vars(self))
350
if self.use_dbus:
351
# Emit D-Bus signal
352
self.CheckerCompleted(dbus.Int16(-1),
353
dbus.Int64(condition),
354
dbus.String(command))
355
376
356
377
def checked_ok(self):
357
378
"""Bump up the timeout for this client.
379
358
380
This should only be called when the client has been seen,
359
381
alive and well.
360
382
"""
363
385
self.disable_initiator_tag = (gobject.timeout_add
364
386
(self.timeout_milliseconds(),
365
387
self.disable))
366
if self.use_dbus:
367
# Emit D-Bus signal
368
self.PropertyChanged(
369
dbus.String(u"last_checked_ok"),
370
(_datetime_to_dbus(self.last_checked_ok,
371
variant_level=1)))
372
388
373
389
def start_checker(self):
374
390
"""Start a new checker subprocess if one is not running.
391
375
392
If a checker already exists, leave it running and do
376
393
nothing."""
377
394
# The reason for not killing a running checker is that if we
380
397
# client would inevitably timeout, since no checker would get
381
398
# a chance to run to completion. If we instead leave running
382
399
# checkers alone, the checker would have to take more time
383
# than 'timeout' for the client to be declared invalid, which
384
# is as it should be.
400
# than 'timeout' for the client to be disabled, which is as it
401
# should be.
385
402
386
403
# If a checker exists, make sure it is not a zombie
387
if self.checker is not None:
404
try:
388
405
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
406
except (AttributeError, OSError), error:
407
if (isinstance(error, OSError)
408
and error.errno != errno.ECHILD):
409
raise error
410
else:
389
411
if pid:
390
logger.warning("Checker was a zombie")
412
logger.warning(u"Checker was a zombie")
391
413
gobject.source_remove(self.checker_callback_tag)
392
414
self.checker_callback(pid, status,
393
415
self.current_checker_command)
398
420
command = self.checker_command % self.host
399
421
except TypeError:
400
422
# Escape attributes for the shell
401
escaped_attrs = dict((key, re.escape(str(val)))
423
escaped_attrs = dict((key,
424
re.escape(unicode(str(val),
425
errors=
426
u'replace')))
402
427
for key, val in
403
428
vars(self).iteritems())
404
429
try:
407
432
logger.error(u'Could not format string "%s":'
408
433
u' %s', self.checker_command, error)
409
434
return True # Try again later
410
self.current_checker_command = command
435
self.current_checker_command = command
411
436
try:
412
437
logger.info(u"Starting checker %r for %s",
413
438
command, self.name)
417
442
# always replaced by /dev/null.)
418
443
self.checker = subprocess.Popen(command,
419
444
close_fds=True,
420
shell=True, cwd="/")
421
if self.use_dbus:
422
# Emit D-Bus signal
423
self.CheckerStarted(command)
424
self.PropertyChanged(
425
dbus.String("checker_running"),
426
dbus.Boolean(True, variant_level=1))
445
shell=True, cwd=u"/")
427
446
self.checker_callback_tag = (gobject.child_watch_add
428
447
(self.checker.pid,
429
448
self.checker_callback,
445
464
if self.checker_callback_tag:
446
465
gobject.source_remove(self.checker_callback_tag)
447
466
self.checker_callback_tag = None
448
if getattr(self, "checker", None) is None:
467
if getattr(self, u"checker", None) is None:
449
468
return
450
469
logger.debug(u"Stopping checker for %(name)s", vars(self))
451
470
try:
452
471
os.kill(self.checker.pid, signal.SIGTERM)
453
#os.sleep(0.5)
472
#time.sleep(0.5)
454
473
#if self.checker.poll() is None:
455
474
# os.kill(self.checker.pid, signal.SIGKILL)
456
475
except OSError, error:
457
476
if error.errno != errno.ESRCH: # No such process
458
477
raise
459
478
self.checker = None
460
if self.use_dbus:
479
480
481
def dbus_service_property(dbus_interface, signature=u"v",
482
access=u"readwrite", byte_arrays=False):
483
"""Decorators for marking methods of a DBusObjectWithProperties to
484
become properties on the D-Bus.
485
486
The decorated method will be called with no arguments by "Get"
487
and with one argument by "Set".
488
489
The parameters, where they are supported, are the same as
490
dbus.service.method, except there is only "signature", since the
491
type from Get() and the type sent to Set() is the same.
492
"""
493
# Encoding deeply encoded byte arrays is not supported yet by the
494
# "Set" method, so we fail early here:
495
if byte_arrays and signature != u"ay":
496
raise ValueError(u"Byte arrays not supported for non-'ay'"
497
u" signature %r" % signature)
498
def decorator(func):
499
func._dbus_is_property = True
500
func._dbus_interface = dbus_interface
501
func._dbus_signature = signature
502
func._dbus_access = access
503
func._dbus_name = func.__name__
504
if func._dbus_name.endswith(u"_dbus_property"):
505
func._dbus_name = func._dbus_name[:-14]
506
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
507
return func
508
return decorator
509
510
511
class DBusPropertyException(dbus.exceptions.DBusException):
512
"""A base class for D-Bus property-related exceptions
513
"""
514
def __unicode__(self):
515
return unicode(str(self))
516
517
518
class DBusPropertyAccessException(DBusPropertyException):
519
"""A property's access permissions disallows an operation.
520
"""
521
pass
522
523
524
class DBusPropertyNotFound(DBusPropertyException):
525
"""An attempt was made to access a non-existing property.
526
"""
527
pass
528
529
530
class DBusObjectWithProperties(dbus.service.Object):
531
"""A D-Bus object with properties.
532
533
Classes inheriting from this can use the dbus_service_property
534
decorator to expose methods as D-Bus properties. It exposes the
535
standard Get(), Set(), and GetAll() methods on the D-Bus.
536
"""
537
538
@staticmethod
539
def _is_dbus_property(obj):
540
return getattr(obj, u"_dbus_is_property", False)
541
542
def _get_all_dbus_properties(self):
543
"""Returns a generator of (name, attribute) pairs
544
"""
545
return ((prop._dbus_name, prop)
546
for name, prop in
547
inspect.getmembers(self, self._is_dbus_property))
548
549
def _get_dbus_property(self, interface_name, property_name):
550
"""Returns a bound method if one exists which is a D-Bus
551
property with the specified name and interface.
552
"""
553
for name in (property_name,
554
property_name + u"_dbus_property"):
555
prop = getattr(self, name, None)
556
if (prop is None
557
or not self._is_dbus_property(prop)
558
or prop._dbus_name != property_name
559
or (interface_name and prop._dbus_interface
560
and interface_name != prop._dbus_interface)):
561
continue
562
return prop
563
# No such property
564
raise DBusPropertyNotFound(self.dbus_object_path + u":"
565
+ interface_name + u"."
566
+ property_name)
567
568
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
569
out_signature=u"v")
570
def Get(self, interface_name, property_name):
571
"""Standard D-Bus property Get() method, see D-Bus standard.
572
"""
573
prop = self._get_dbus_property(interface_name, property_name)
574
if prop._dbus_access == u"write":
575
raise DBusPropertyAccessException(property_name)
576
value = prop()
577
if not hasattr(value, u"variant_level"):
578
return value
579
return type(value)(value, variant_level=value.variant_level+1)
580
581
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
582
def Set(self, interface_name, property_name, value):
583
"""Standard D-Bus property Set() method, see D-Bus standard.
584
"""
585
prop = self._get_dbus_property(interface_name, property_name)
586
if prop._dbus_access == u"read":
587
raise DBusPropertyAccessException(property_name)
588
if prop._dbus_get_args_options[u"byte_arrays"]:
589
# The byte_arrays option is not supported yet on
590
# signatures other than "ay".
591
if prop._dbus_signature != u"ay":
592
raise ValueError
593
value = dbus.ByteArray(''.join(unichr(byte)
594
for byte in value))
595
prop(value)
596
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
598
out_signature=u"a{sv}")
599
def GetAll(self, interface_name):
600
"""Standard D-Bus property GetAll() method, see D-Bus
601
standard.
602
603
Note: Will not include properties with access="write".
604
"""
605
all = {}
606
for name, prop in self._get_all_dbus_properties():
607
if (interface_name
608
and interface_name != prop._dbus_interface):
609
# Interface non-empty but did not match
610
continue
611
# Ignore write-only properties
612
if prop._dbus_access == u"write":
613
continue
614
value = prop()
615
if not hasattr(value, u"variant_level"):
616
all[name] = value
617
continue
618
all[name] = type(value)(value, variant_level=
619
value.variant_level+1)
620
return dbus.Dictionary(all, signature=u"sv")
621
622
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
623
out_signature=u"s",
624
path_keyword='object_path',
625
connection_keyword='connection')
626
def Introspect(self, object_path, connection):
627
"""Standard D-Bus method, overloaded to insert property tags.
628
"""
629
xmlstring = dbus.service.Object.Introspect(self, object_path,
630
connection)
631
try:
632
document = xml.dom.minidom.parseString(xmlstring)
633
def make_tag(document, name, prop):
634
e = document.createElement(u"property")
635
e.setAttribute(u"name", name)
636
e.setAttribute(u"type", prop._dbus_signature)
637
e.setAttribute(u"access", prop._dbus_access)
638
return e
639
for if_tag in document.getElementsByTagName(u"interface"):
640
for tag in (make_tag(document, name, prop)
641
for name, prop
642
in self._get_all_dbus_properties()
643
if prop._dbus_interface
644
== if_tag.getAttribute(u"name")):
645
if_tag.appendChild(tag)
646
# Add the names to the return values for the
647
# "org.freedesktop.DBus.Properties" methods
648
if (if_tag.getAttribute(u"name")
649
== u"org.freedesktop.DBus.Properties"):
650
for cn in if_tag.getElementsByTagName(u"method"):
651
if cn.getAttribute(u"name") == u"Get":
652
for arg in cn.getElementsByTagName(u"arg"):
653
if (arg.getAttribute(u"direction")
654
== u"out"):
655
arg.setAttribute(u"name", u"value")
656
elif cn.getAttribute(u"name") == u"GetAll":
657
for arg in cn.getElementsByTagName(u"arg"):
658
if (arg.getAttribute(u"direction")
659
== u"out"):
660
arg.setAttribute(u"name", u"props")
661
xmlstring = document.toxml(u"utf-8")
662
document.unlink()
663
except (AttributeError, xml.dom.DOMException,
664
xml.parsers.expat.ExpatError), error:
665
logger.error(u"Failed to override Introspection method",
666
error)
667
return xmlstring
668
669
670
class ClientDBus(Client, DBusObjectWithProperties):
671
"""A Client class using D-Bus
672
673
Attributes:
674
dbus_object_path: dbus.ObjectPath
675
bus: dbus.SystemBus()
676
"""
677
# dbus.service.Object doesn't use super(), so we can't either.
678
679
def __init__(self, bus = None, *args, **kwargs):
680
self.bus = bus
681
Client.__init__(self, *args, **kwargs)
682
# Only now, when this client is initialized, can it show up on
683
# the D-Bus
684
self.dbus_object_path = (dbus.ObjectPath
685
(u"/clients/"
686
+ self.name.replace(u".", u"_")))
687
DBusObjectWithProperties.__init__(self, self.bus,
688
self.dbus_object_path)
689
690
@staticmethod
691
def _datetime_to_dbus(dt, variant_level=0):
692
"""Convert a UTC datetime.datetime() to a D-Bus type."""
693
return dbus.String(dt.isoformat(),
694
variant_level=variant_level)
695
696
def enable(self):
697
oldstate = getattr(self, u"enabled", False)
698
r = Client.enable(self)
699
if oldstate != self.enabled:
700
# Emit D-Bus signals
701
self.PropertyChanged(dbus.String(u"enabled"),
702
dbus.Boolean(True, variant_level=1))
703
self.PropertyChanged(
704
dbus.String(u"last_enabled"),
705
self._datetime_to_dbus(self.last_enabled,
706
variant_level=1))
707
return r
708
709
def disable(self, quiet = False):
710
oldstate = getattr(self, u"enabled", False)
711
r = Client.disable(self, quiet=quiet)
712
if not quiet and oldstate != self.enabled:
713
# Emit D-Bus signal
714
self.PropertyChanged(dbus.String(u"enabled"),
715
dbus.Boolean(False, variant_level=1))
716
return r
717
718
def __del__(self, *args, **kwargs):
719
try:
720
self.remove_from_connection()
721
except LookupError:
722
pass
723
if hasattr(DBusObjectWithProperties, u"__del__"):
724
DBusObjectWithProperties.__del__(self, *args, **kwargs)
725
Client.__del__(self, *args, **kwargs)
726
727
def checker_callback(self, pid, condition, command,
728
*args, **kwargs):
729
self.checker_callback_tag = None
730
self.checker = None
731
# Emit D-Bus signal
732
self.PropertyChanged(dbus.String(u"checker_running"),
733
dbus.Boolean(False, variant_level=1))
734
if os.WIFEXITED(condition):
735
exitstatus = os.WEXITSTATUS(condition)
736
# Emit D-Bus signal
737
self.CheckerCompleted(dbus.Int16(exitstatus),
738
dbus.Int64(condition),
739
dbus.String(command))
740
else:
741
# Emit D-Bus signal
742
self.CheckerCompleted(dbus.Int16(-1),
743
dbus.Int64(condition),
744
dbus.String(command))
745
746
return Client.checker_callback(self, pid, condition, command,
747
*args, **kwargs)
748
749
def checked_ok(self, *args, **kwargs):
750
r = Client.checked_ok(self, *args, **kwargs)
751
# Emit D-Bus signal
752
self.PropertyChanged(
753
dbus.String(u"last_checked_ok"),
754
(self._datetime_to_dbus(self.last_checked_ok,
755
variant_level=1)))
756
return r
757
758
def start_checker(self, *args, **kwargs):
759
old_checker = self.checker
760
if self.checker is not None:
761
old_checker_pid = self.checker.pid
762
else:
763
old_checker_pid = None
764
r = Client.start_checker(self, *args, **kwargs)
765
# Only if new checker process was started
766
if (self.checker is not None
767
and old_checker_pid != self.checker.pid):
768
# Emit D-Bus signal
769
self.CheckerStarted(self.current_checker_command)
770
self.PropertyChanged(
771
dbus.String(u"checker_running"),
772
dbus.Boolean(True, variant_level=1))
773
return r
774
775
def stop_checker(self, *args, **kwargs):
776
old_checker = getattr(self, u"checker", None)
777
r = Client.stop_checker(self, *args, **kwargs)
778
if (old_checker is not None
779
and getattr(self, u"checker", None) is None):
461
780
self.PropertyChanged(dbus.String(u"checker_running"),
462
781
dbus.Boolean(False, variant_level=1))
463
464
def still_valid(self):
465
"""Has the timeout not yet passed for this client?"""
466
if not getattr(self, "enabled", False):
467
return False
468
now = datetime.datetime.utcnow()
469
if self.last_checked_ok is None:
470
return now < (self.created + self.timeout)
471
else:
472
return now < (self.last_checked_ok + self.timeout)
473
474
## D-Bus methods & signals
782
return r
783
784
## D-Bus methods, signals & properties
475
785
_interface = u"se.bsnet.fukt.Mandos.Client"
476
786
477
# CheckedOK - method
478
CheckedOK = dbus.service.method(_interface)(checked_ok)
479
CheckedOK.__name__ = "CheckedOK"
787
## Signals
480
788
481
789
# CheckerCompleted - signal
482
@dbus.service.signal(_interface, signature="nxs")
790
@dbus.service.signal(_interface, signature=u"nxs")
483
791
def CheckerCompleted(self, exitcode, waitstatus, command):
484
792
"D-Bus signal"
485
793
pass
486
794
487
795
# CheckerStarted - signal
488
@dbus.service.signal(_interface, signature="s")
796
@dbus.service.signal(_interface, signature=u"s")
489
797
def CheckerStarted(self, command):
490
798
"D-Bus signal"
491
799
pass
492
800
493
# GetAllProperties - method
494
@dbus.service.method(_interface, out_signature="a{sv}")
495
def GetAllProperties(self):
496
"D-Bus method"
497
return dbus.Dictionary({
498
dbus.String("name"):
499
dbus.String(self.name, variant_level=1),
500
dbus.String("fingerprint"):
501
dbus.String(self.fingerprint, variant_level=1),
502
dbus.String("host"):
503
dbus.String(self.host, variant_level=1),
504
dbus.String("created"):
505
_datetime_to_dbus(self.created, variant_level=1),
506
dbus.String("last_enabled"):
507
(_datetime_to_dbus(self.last_enabled,
508
variant_level=1)
509
if self.last_enabled is not None
510
else dbus.Boolean(False, variant_level=1)),
511
dbus.String("enabled"):
512
dbus.Boolean(self.enabled, variant_level=1),
513
dbus.String("last_checked_ok"):
514
(_datetime_to_dbus(self.last_checked_ok,
515
variant_level=1)
516
if self.last_checked_ok is not None
517
else dbus.Boolean (False, variant_level=1)),
518
dbus.String("timeout"):
519
dbus.UInt64(self.timeout_milliseconds(),
520
variant_level=1),
521
dbus.String("interval"):
522
dbus.UInt64(self.interval_milliseconds(),
523
variant_level=1),
524
dbus.String("checker"):
525
dbus.String(self.checker_command,
526
variant_level=1),
527
dbus.String("checker_running"):
528
dbus.Boolean(self.checker is not None,
529
variant_level=1),
530
dbus.String("object_path"):
531
dbus.ObjectPath(self.dbus_object_path,
532
variant_level=1)
533
}, signature="sv")
534
535
# IsStillValid - method
536
IsStillValid = (dbus.service.method(_interface, out_signature="b")
537
(still_valid))
538
IsStillValid.__name__ = "IsStillValid"
539
540
801
# PropertyChanged - signal
541
@dbus.service.signal(_interface, signature="sv")
802
@dbus.service.signal(_interface, signature=u"sv")
542
803
def PropertyChanged(self, property, value):
543
804
"D-Bus signal"
544
805
pass
545
806
546
# ReceivedSecret - signal
807
# GotSecret - signal
547
808
@dbus.service.signal(_interface)
548
def ReceivedSecret(self):
809
def GotSecret(self):
549
810
"D-Bus signal"
550
811
pass
551
812
555
816
"D-Bus signal"
556
817
pass
557
818
558
# SetChecker - method
559
@dbus.service.method(_interface, in_signature="s")
560
def SetChecker(self, checker):
561
"D-Bus setter method"
562
self.checker_command = checker
563
# Emit D-Bus signal
564
self.PropertyChanged(dbus.String(u"checker"),
565
dbus.String(self.checker_command,
566
variant_level=1))
567
568
# SetHost - method
569
@dbus.service.method(_interface, in_signature="s")
570
def SetHost(self, host):
571
"D-Bus setter method"
572
self.host = host
573
# Emit D-Bus signal
574
self.PropertyChanged(dbus.String(u"host"),
575
dbus.String(self.host, variant_level=1))
576
577
# SetInterval - method
578
@dbus.service.method(_interface, in_signature="t")
579
def SetInterval(self, milliseconds):
580
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
581
# Emit D-Bus signal
582
self.PropertyChanged(dbus.String(u"interval"),
583
(dbus.UInt64(self.interval_milliseconds(),
584
variant_level=1)))
585
586
# SetSecret - method
587
@dbus.service.method(_interface, in_signature="ay",
588
byte_arrays=True)
589
def SetSecret(self, secret):
590
"D-Bus setter method"
591
self.secret = str(secret)
592
593
# SetTimeout - method
594
@dbus.service.method(_interface, in_signature="t")
595
def SetTimeout(self, milliseconds):
596
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
597
# Emit D-Bus signal
598
self.PropertyChanged(dbus.String(u"timeout"),
599
(dbus.UInt64(self.timeout_milliseconds(),
600
variant_level=1)))
819
## Methods
820
821
# CheckedOK - method
822
@dbus.service.method(_interface)
823
def CheckedOK(self):
824
return self.checked_ok()
601
825
602
826
# Enable - method
603
Enable = dbus.service.method(_interface)(enable)
604
Enable.__name__ = "Enable"
827
@dbus.service.method(_interface)
828
def Enable(self):
829
"D-Bus method"
830
self.enable()
605
831
606
832
# StartChecker - method
607
833
@dbus.service.method(_interface)
616
842
self.disable()
617
843
618
844
# StopChecker - method
619
StopChecker = dbus.service.method(_interface)(stop_checker)
620
StopChecker.__name__ = "StopChecker"
845
@dbus.service.method(_interface)
846
def StopChecker(self):
847
self.stop_checker()
848
849
## Properties
850
851
# name - property
852
@dbus_service_property(_interface, signature=u"s", access=u"read")
853
def name_dbus_property(self):
854
return dbus.String(self.name)
855
856
# fingerprint - property
857
@dbus_service_property(_interface, signature=u"s", access=u"read")
858
def fingerprint_dbus_property(self):
859
return dbus.String(self.fingerprint)
860
861
# host - property
862
@dbus_service_property(_interface, signature=u"s",
863
access=u"readwrite")
864
def host_dbus_property(self, value=None):
865
if value is None: # get
866
return dbus.String(self.host)
867
self.host = value
868
# Emit D-Bus signal
869
self.PropertyChanged(dbus.String(u"host"),
870
dbus.String(value, variant_level=1))
871
872
# created - property
873
@dbus_service_property(_interface, signature=u"s", access=u"read")
874
def created_dbus_property(self):
875
return dbus.String(self._datetime_to_dbus(self.created))
876
877
# last_enabled - property
878
@dbus_service_property(_interface, signature=u"s", access=u"read")
879
def last_enabled_dbus_property(self):
880
if self.last_enabled is None:
881
return dbus.String(u"")
882
return dbus.String(self._datetime_to_dbus(self.last_enabled))
883
884
# enabled - property
885
@dbus_service_property(_interface, signature=u"b",
886
access=u"readwrite")
887
def enabled_dbus_property(self, value=None):
888
if value is None: # get
889
return dbus.Boolean(self.enabled)
890
if value:
891
self.enable()
892
else:
893
self.disable()
894
895
# last_checked_ok - property
896
@dbus_service_property(_interface, signature=u"s",
897
access=u"readwrite")
898
def last_checked_ok_dbus_property(self, value=None):
899
if value is not None:
900
self.checked_ok()
901
return
902
if self.last_checked_ok is None:
903
return dbus.String(u"")
904
return dbus.String(self._datetime_to_dbus(self
905
.last_checked_ok))
906
907
# timeout - property
908
@dbus_service_property(_interface, signature=u"t",
909
access=u"readwrite")
910
def timeout_dbus_property(self, value=None):
911
if value is None: # get
912
return dbus.UInt64(self.timeout_milliseconds())
913
self.timeout = datetime.timedelta(0, 0, 0, value)
914
# Emit D-Bus signal
915
self.PropertyChanged(dbus.String(u"timeout"),
916
dbus.UInt64(value, variant_level=1))
917
if getattr(self, u"disable_initiator_tag", None) is None:
918
return
919
# Reschedule timeout
920
gobject.source_remove(self.disable_initiator_tag)
921
self.disable_initiator_tag = None
922
time_to_die = (self.
923
_timedelta_to_milliseconds((self
924
.last_checked_ok
925
+ self.timeout)
926
- datetime.datetime
927
.utcnow()))
928
if time_to_die <= 0:
929
# The timeout has passed
930
self.disable()
931
else:
932
self.disable_initiator_tag = (gobject.timeout_add
933
(time_to_die, self.disable))
934
935
# interval - property
936
@dbus_service_property(_interface, signature=u"t",
937
access=u"readwrite")
938
def interval_dbus_property(self, value=None):
939
if value is None: # get
940
return dbus.UInt64(self.interval_milliseconds())
941
self.interval = datetime.timedelta(0, 0, 0, value)
942
# Emit D-Bus signal
943
self.PropertyChanged(dbus.String(u"interval"),
944
dbus.UInt64(value, variant_level=1))
945
if getattr(self, u"checker_initiator_tag", None) is None:
946
return
947
# Reschedule checker run
948
gobject.source_remove(self.checker_initiator_tag)
949
self.checker_initiator_tag = (gobject.timeout_add
950
(value, self.start_checker))
951
self.start_checker() # Start one now, too
952
953
# checker - property
954
@dbus_service_property(_interface, signature=u"s",
955
access=u"readwrite")
956
def checker_dbus_property(self, value=None):
957
if value is None: # get
958
return dbus.String(self.checker_command)
959
self.checker_command = value
960
# Emit D-Bus signal
961
self.PropertyChanged(dbus.String(u"checker"),
962
dbus.String(self.checker_command,
963
variant_level=1))
964
965
# checker_running - property
966
@dbus_service_property(_interface, signature=u"b",
967
access=u"readwrite")
968
def checker_running_dbus_property(self, value=None):
969
if value is None: # get
970
return dbus.Boolean(self.checker is not None)
971
if value:
972
self.start_checker()
973
else:
974
self.stop_checker()
975
976
# object_path - property
977
@dbus_service_property(_interface, signature=u"o", access=u"read")
978
def object_path_dbus_property(self):
979
return self.dbus_object_path # is already a dbus.ObjectPath
980
981
# secret = property
982
@dbus_service_property(_interface, signature=u"ay",
983
access=u"write", byte_arrays=True)
984
def secret_dbus_property(self, value):
985
self.secret = str(value)
621
986
622
987
del _interface
623
988
624
989
625
def peer_certificate(session):
626
"Return the peer's OpenPGP certificate as a bytestring"
627
# If not an OpenPGP certificate...
628
if (gnutls.library.functions
629
.gnutls_certificate_type_get(session._c_object)
630
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
631
# ...do the normal thing
632
return session.peer_certificate
633
list_size = ctypes.c_uint(1)
634
cert_list = (gnutls.library.functions
635
.gnutls_certificate_get_peers
636
(session._c_object, ctypes.byref(list_size)))
637
if not bool(cert_list) and list_size.value != 0:
638
raise gnutls.errors.GNUTLSError("error getting peer"
639
" certificate")
640
if list_size.value == 0:
641
return None
642
cert = cert_list[0]
643
return ctypes.string_at(cert.data, cert.size)
644
645
646
def fingerprint(openpgp):
647
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
648
# New GnuTLS "datum" with the OpenPGP public key
649
datum = (gnutls.library.types
650
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
651
ctypes.POINTER
652
(ctypes.c_ubyte)),
653
ctypes.c_uint(len(openpgp))))
654
# New empty GnuTLS certificate
655
crt = gnutls.library.types.gnutls_openpgp_crt_t()
656
(gnutls.library.functions
657
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
658
# Import the OpenPGP public key into the certificate
659
(gnutls.library.functions
660
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
661
gnutls.library.constants
662
.GNUTLS_OPENPGP_FMT_RAW))
663
# Verify the self signature in the key
664
crtverify = ctypes.c_uint()
665
(gnutls.library.functions
666
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
667
if crtverify.value != 0:
668
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
669
raise gnutls.errors.CertificateSecurityError("Verify failed")
670
# New buffer for the fingerprint
671
buf = ctypes.create_string_buffer(20)
672
buf_len = ctypes.c_size_t()
673
# Get the fingerprint from the certificate into the buffer
674
(gnutls.library.functions
675
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
676
ctypes.byref(buf_len)))
677
# Deinit the certificate
678
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
679
# Convert the buffer to a Python bytestring
680
fpr = ctypes.string_at(buf, buf_len.value)
681
# Convert the bytestring to hexadecimal notation
682
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
683
return hex_fpr
684
685
686
class TCP_handler(SocketServer.BaseRequestHandler, object):
687
"""A TCP request handler class.
688
Instantiated by IPv6_TCPServer for each request to handle it.
990
class ClientHandler(socketserver.BaseRequestHandler, object):
991
"""A class to handle client connections.
992
993
Instantiated once for each connection to handle it.
689
994
Note: This will run in its own forked process."""
690
995
691
996
def handle(self):
692
997
logger.info(u"TCP connection from: %s",
693
998
unicode(self.client_address))
694
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
999
logger.debug(u"IPC Pipe FD: %d",
1000
self.server.child_pipe[1].fileno())
695
1001
# Open IPC pipe to parent process
696
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
1002
with contextlib.nested(self.server.child_pipe[1],
1003
self.server.parent_pipe[0]
1004
) as (ipc, ipc_return):
697
1005
session = (gnutls.connection
698
1006
.ClientSession(self.request,
699
1007
gnutls.connection
700
1008
.X509Credentials()))
701
1009
702
line = self.request.makefile().readline()
703
logger.debug(u"Protocol version: %r", line)
704
try:
705
if int(line.strip().split()[0]) > 1:
706
raise RuntimeError
707
except (ValueError, IndexError, RuntimeError), error:
708
logger.error(u"Unknown protocol version: %s", error)
709
return
710
711
1010
# Note: gnutls.connection.X509Credentials is really a
712
1011
# generic GnuTLS certificate credentials object so long as
713
1012
# no X.509 keys are added to it. Therefore, we can use it
714
1013
# here despite using OpenPGP certificates.
715
1014
716
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
717
# "+AES-256-CBC", "+SHA1",
718
# "+COMP-NULL", "+CTYPE-OPENPGP",
719
# "+DHE-DSS"))
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1016
# u"+AES-256-CBC", u"+SHA1",
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1018
# u"+DHE-DSS"))
720
1019
# Use a fallback default, since this MUST be set.
721
priority = self.server.settings.get("priority", "NORMAL")
1020
priority = self.server.gnutls_priority
1021
if priority is None:
1022
priority = u"NORMAL"
722
1023
(gnutls.library.functions
723
1024
.gnutls_priority_set_direct(session._c_object,
724
1025
priority, None))
725
1026
1027
# Start communication using the Mandos protocol
1028
# Get protocol number
1029
line = self.request.makefile().readline()
1030
logger.debug(u"Protocol version: %r", line)
1031
try:
1032
if int(line.strip().split()[0]) > 1:
1033
raise RuntimeError
1034
except (ValueError, IndexError, RuntimeError), error:
1035
logger.error(u"Unknown protocol version: %s", error)
1036
return
1037
1038
# Start GnuTLS connection
726
1039
try:
727
1040
session.handshake()
728
1041
except gnutls.errors.GNUTLSError, error:
732
1045
return
733
1046
logger.debug(u"Handshake succeeded")
734
1047
try:
735
fpr = fingerprint(peer_certificate(session))
736
except (TypeError, gnutls.errors.GNUTLSError), error:
737
logger.warning(u"Bad certificate: %s", error)
738
session.bye()
739
return
740
logger.debug(u"Fingerprint: %s", fpr)
741
742
for c in self.server.clients:
743
if c.fingerprint == fpr:
744
client = c
745
break
746
else:
747
logger.warning(u"Client not found for fingerprint: %s",
748
fpr)
749
ipc.write("NOTFOUND %s\n" % fpr)
750
session.bye()
751
return
752
# Have to check if client.still_valid(), since it is
753
# possible that the client timed out while establishing
754
# the GnuTLS session.
755
if not client.still_valid():
756
logger.warning(u"Client %(name)s is invalid",
757
vars(client))
758
ipc.write("INVALID %s\n" % client.name)
759
session.bye()
760
return
761
ipc.write("SENDING %s\n" % client.name)
762
sent_size = 0
763
while sent_size < len(client.secret):
764
sent = session.send(client.secret[sent_size:])
765
logger.debug(u"Sent: %d, remaining: %d",
766
sent, len(client.secret)
767
- (sent_size + sent))
768
sent_size += sent
769
session.bye()
770
771
772
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
773
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
774
Assumes a gobject.MainLoop event loop.
775
"""
1048
try:
1049
fpr = self.fingerprint(self.peer_certificate
1050
(session))
1051
except (TypeError, gnutls.errors.GNUTLSError), error:
1052
logger.warning(u"Bad certificate: %s", error)
1053
return
1054
logger.debug(u"Fingerprint: %s", fpr)
1055
1056
for c in self.server.clients:
1057
if c.fingerprint == fpr:
1058
client = c
1059
break
1060
else:
1061
ipc.write(u"NOTFOUND %s %s\n"
1062
% (fpr, unicode(self.client_address)))
1063
return
1064
1065
class ClientProxy(object):
1066
"""Client proxy object. Not for calling methods."""
1067
def __init__(self, client):
1068
self.client = client
1069
def __getattr__(self, name):
1070
if name.startswith("ipc_"):
1071
def tempfunc():
1072
ipc.write("%s %s\n" % (name[4:].upper(),
1073
self.client.name))
1074
return tempfunc
1075
if not hasattr(self.client, name):
1076
raise AttributeError
1077
ipc.write(u"GETATTR %s %s\n"
1078
% (name, self.client.fingerprint))
1079
return pickle.load(ipc_return)
1080
clientproxy = ClientProxy(client)
1081
# Have to check if client.enabled, since it is
1082
# possible that the client was disabled since the
1083
# GnuTLS session was established.
1084
if not clientproxy.enabled:
1085
clientproxy.ipc_disabled()
1086
return
1087
1088
clientproxy.ipc_sending()
1089
sent_size = 0
1090
while sent_size < len(client.secret):
1091
sent = session.send(client.secret[sent_size:])
1092
logger.debug(u"Sent: %d, remaining: %d",
1093
sent, len(client.secret)
1094
- (sent_size + sent))
1095
sent_size += sent
1096
finally:
1097
session.bye()
1098
1099
@staticmethod
1100
def peer_certificate(session):
1101
"Return the peer's OpenPGP certificate as a bytestring"
1102
# If not an OpenPGP certificate...
1103
if (gnutls.library.functions
1104
.gnutls_certificate_type_get(session._c_object)
1105
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1106
# ...do the normal thing
1107
return session.peer_certificate
1108
list_size = ctypes.c_uint(1)
1109
cert_list = (gnutls.library.functions
1110
.gnutls_certificate_get_peers
1111
(session._c_object, ctypes.byref(list_size)))
1112
if not bool(cert_list) and list_size.value != 0:
1113
raise gnutls.errors.GNUTLSError(u"error getting peer"
1114
u" certificate")
1115
if list_size.value == 0:
1116
return None
1117
cert = cert_list[0]
1118
return ctypes.string_at(cert.data, cert.size)
1119
1120
@staticmethod
1121
def fingerprint(openpgp):
1122
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1123
# New GnuTLS "datum" with the OpenPGP public key
1124
datum = (gnutls.library.types
1125
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1126
ctypes.POINTER
1127
(ctypes.c_ubyte)),
1128
ctypes.c_uint(len(openpgp))))
1129
# New empty GnuTLS certificate
1130
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1131
(gnutls.library.functions
1132
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1133
# Import the OpenPGP public key into the certificate
1134
(gnutls.library.functions
1135
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1136
gnutls.library.constants
1137
.GNUTLS_OPENPGP_FMT_RAW))
1138
# Verify the self signature in the key
1139
crtverify = ctypes.c_uint()
1140
(gnutls.library.functions
1141
.gnutls_openpgp_crt_verify_self(crt, 0,
1142
ctypes.byref(crtverify)))
1143
if crtverify.value != 0:
1144
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1145
raise (gnutls.errors.CertificateSecurityError
1146
(u"Verify failed"))
1147
# New buffer for the fingerprint
1148
buf = ctypes.create_string_buffer(20)
1149
buf_len = ctypes.c_size_t()
1150
# Get the fingerprint from the certificate into the buffer
1151
(gnutls.library.functions
1152
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1153
ctypes.byref(buf_len)))
1154
# Deinit the certificate
1155
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1156
# Convert the buffer to a Python bytestring
1157
fpr = ctypes.string_at(buf, buf_len.value)
1158
# Convert the bytestring to hexadecimal notation
1159
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1160
return hex_fpr
1161
1162
1163
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1164
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
776
1165
def process_request(self, request, client_address):
777
"""This overrides and wraps the original process_request().
778
This function creates a new pipe in self.pipe
1166
"""Overrides and wraps the original process_request().
1167
1168
This function creates a new pipe in self.pipe
779
1169
"""
780
self.pipe = os.pipe()
781
super(ForkingMixInWithPipe,
1170
# Child writes to child_pipe
1171
self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1172
# Parent writes to parent_pipe
1173
self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1174
super(ForkingMixInWithPipes,
782
1175
self).process_request(request, client_address)
783
os.close(self.pipe[1]) # close write end
784
# Call "handle_ipc" for both data and EOF events
785
gobject.io_add_watch(self.pipe[0],
786
gobject.IO_IN | gobject.IO_HUP,
787
self.handle_ipc)
788
def handle_ipc(source, condition):
1176
# Close unused ends for parent
1177
self.parent_pipe[0].close() # close read end
1178
self.child_pipe[1].close() # close write end
1179
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1180
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
789
1181
"""Dummy function; override as necessary"""
790
os.close(source)
791
return False
792
793
794
class IPv6_TCPServer(ForkingMixInWithPipe,
795
SocketServer.TCPServer, object):
1182
child_pipe_fd.close()
1183
parent_pipe_fd.close()
1184
1185
1186
class IPv6_TCPServer(ForkingMixInWithPipes,
1187
socketserver.TCPServer, object):
796
1188
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1189
797
1190
Attributes:
798
settings: Server settings
799
clients: Set() of Client objects
800
1191
enabled: Boolean; whether this server is activated yet
1192
interface: None or a network interface name (string)
1193
use_ipv6: Boolean; to use IPv6 or not
801
1194
"""
802
address_family = socket.AF_INET6
803
def __init__(self, *args, **kwargs):
804
if "settings" in kwargs:
805
self.settings = kwargs["settings"]
806
del kwargs["settings"]
807
if "clients" in kwargs:
808
self.clients = kwargs["clients"]
809
del kwargs["clients"]
810
if "use_ipv6" in kwargs:
811
if not kwargs["use_ipv6"]:
812
self.address_family = socket.AF_INET
813
del kwargs["use_ipv6"]
814
self.enabled = False
815
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1195
def __init__(self, server_address, RequestHandlerClass,
1196
interface=None, use_ipv6=True):
1197
self.interface = interface
1198
if use_ipv6:
1199
self.address_family = socket.AF_INET6
1200
socketserver.TCPServer.__init__(self, server_address,
1201
RequestHandlerClass)
816
1202
def server_bind(self):
817
1203
"""This overrides the normal server_bind() function
818
1204
to bind to an interface if one was specified, and also NOT to
819
1205
bind to an address or port if they were not specified."""
820
if self.settings["interface"]:
821
# 25 is from /usr/include/asm-i486/socket.h
822
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
823
try:
824
self.socket.setsockopt(socket.SOL_SOCKET,
825
SO_BINDTODEVICE,
826
self.settings["interface"])
827
except socket.error, error:
828
if error[0] == errno.EPERM:
829
logger.error(u"No permission to"
830
u" bind to interface %s",
831
self.settings["interface"])
832
else:
833
raise
1206
if self.interface is not None:
1207
if SO_BINDTODEVICE is None:
1208
logger.error(u"SO_BINDTODEVICE does not exist;"
1209
u" cannot bind to interface %s",
1210
self.interface)
1211
else:
1212
try:
1213
self.socket.setsockopt(socket.SOL_SOCKET,
1214
SO_BINDTODEVICE,
1215
str(self.interface
1216
+ u'\0'))
1217
except socket.error, error:
1218
if error[0] == errno.EPERM:
1219
logger.error(u"No permission to"
1220
u" bind to interface %s",
1221
self.interface)
1222
elif error[0] == errno.ENOPROTOOPT:
1223
logger.error(u"SO_BINDTODEVICE not available;"
1224
u" cannot bind to interface %s",
1225
self.interface)
1226
else:
1227
raise
834
1228
# Only bind(2) the socket if we really need to.
835
1229
if self.server_address[0] or self.server_address[1]:
836
1230
if not self.server_address[0]:
837
1231
if self.address_family == socket.AF_INET6:
838
any_address = "::" # in6addr_any
1232
any_address = u"::" # in6addr_any
839
1233
else:
840
1234
any_address = socket.INADDR_ANY
841
1235
self.server_address = (any_address,
843
1237
elif not self.server_address[1]:
844
1238
self.server_address = (self.server_address[0],
845
1239
0)
846
# if self.settings["interface"]:
1240
# if self.interface:
847
1241
# self.server_address = (self.server_address[0],
848
1242
# 0, # port
849
1243
# 0, # flowinfo
850
1244
# if_nametoindex
851
# (self.settings
852
# ["interface"]))
853
return super(IPv6_TCPServer, self).server_bind()
1245
# (self.interface))
1246
return socketserver.TCPServer.server_bind(self)
1247
1248
1249
class MandosServer(IPv6_TCPServer):
1250
"""Mandos server.
1251
1252
Attributes:
1253
clients: set of Client objects
1254
gnutls_priority GnuTLS priority string
1255
use_dbus: Boolean; to emit D-Bus signals or not
1256
1257
Assumes a gobject.MainLoop event loop.
1258
"""
1259
def __init__(self, server_address, RequestHandlerClass,
1260
interface=None, use_ipv6=True, clients=None,
1261
gnutls_priority=None, use_dbus=True):
1262
self.enabled = False
1263
self.clients = clients
1264
if self.clients is None:
1265
self.clients = set()
1266
self.use_dbus = use_dbus
1267
self.gnutls_priority = gnutls_priority
1268
IPv6_TCPServer.__init__(self, server_address,
1269
RequestHandlerClass,
1270
interface = interface,
1271
use_ipv6 = use_ipv6)
854
1272
def server_activate(self):
855
1273
if self.enabled:
856
return super(IPv6_TCPServer, self).server_activate()
1274
return socketserver.TCPServer.server_activate(self)
857
1275
def enable(self):
858
1276
self.enabled = True
859
def handle_ipc(self, source, condition, file_objects={}):
1277
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1278
# Call "handle_ipc" for both data and EOF events
1279
gobject.io_add_watch(child_pipe_fd.fileno(),
1280
gobject.IO_IN | gobject.IO_HUP,
1281
functools.partial(self.handle_ipc,
1282
reply = parent_pipe_fd,
1283
sender= child_pipe_fd))
1284
def handle_ipc(self, source, condition, reply=None, sender=None):
860
1285
condition_names = {
861
gobject.IO_IN: "IN", # There is data to read.
862
gobject.IO_OUT: "OUT", # Data can be written (without
863
# blocking).
864
gobject.IO_PRI: "PRI", # There is urgent data to read.
865
gobject.IO_ERR: "ERR", # Error condition.
866
gobject.IO_HUP: "HUP" # Hung up (the connection has been
867
# broken, usually for pipes and
868
# sockets).
1286
gobject.IO_IN: u"IN", # There is data to read.
1287
gobject.IO_OUT: u"OUT", # Data can be written (without
1288
# blocking).
1289
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1290
gobject.IO_ERR: u"ERR", # Error condition.
1291
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1292
# broken, usually for pipes and
1293
# sockets).
869
1294
}
870
1295
conditions_string = ' | '.join(name
871
1296
for cond, name in
872
1297
condition_names.iteritems()
873
1298
if cond & condition)
874
logger.debug("Handling IPC: FD = %d, condition = %s", source,
1299
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
875
1300
conditions_string)
876
1301
877
# Turn the pipe file descriptor into a Python file object
878
if source not in file_objects:
879
file_objects[source] = os.fdopen(source, "r", 1)
880
881
1302
# Read a line from the file object
882
cmdline = file_objects[source].readline()
1303
cmdline = sender.readline()
883
1304
if not cmdline: # Empty line means end of file
884
# close the IPC pipe
885
file_objects[source].close()
886
del file_objects[source]
1305
# close the IPC pipes
1306
sender.close()
1307
reply.close()
887
1308
888
1309
# Stop calling this function
889
1310
return False
890
1311
891
logger.debug("IPC command: %r\n" % cmdline)
1312
logger.debug(u"IPC command: %r", cmdline)
892
1313
893
1314
# Parse and act on command
894
cmd, args = cmdline.split(None, 1)
895
if cmd == "NOTFOUND":
896
if self.settings["use_dbus"]:
1315
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1316
1317
if cmd == u"NOTFOUND":
1318
fpr, address = args.split(None, 1)
1319
logger.warning(u"Client not found for fingerprint: %s, ad"
1320
u"dress: %s", fpr, address)
1321
if self.use_dbus:
897
1322
# Emit D-Bus signal
898
mandos_dbus_service.ClientNotFound(args)
899
elif cmd == "INVALID":
900
if self.settings["use_dbus"]:
901
for client in self.clients:
902
if client.name == args:
1323
mandos_dbus_service.ClientNotFound(fpr, address)
1324
elif cmd == u"DISABLED":
1325
for client in self.clients:
1326
if client.name == args:
1327
logger.warning(u"Client %s is disabled", args)
1328
if self.use_dbus:
903
1329
# Emit D-Bus signal
904
1330
client.Rejected()
905
break
906
elif cmd == "SENDING":
1331
break
1332
else:
1333
logger.error(u"Unknown client %s is disabled", args)
1334
elif cmd == u"SENDING":
907
1335
for client in self.clients:
908
1336
if client.name == args:
1337
logger.info(u"Sending secret to %s", client.name)
909
1338
client.checked_ok()
910
if self.settings["use_dbus"]:
1339
if self.use_dbus:
911
1340
# Emit D-Bus signal
912
client.ReceivedSecret()
913
break
1341
client.GotSecret()
1342
break
1343
else:
1344
logger.error(u"Sending secret to unknown client %s",
1345
args)
1346
elif cmd == u"GETATTR":
1347
attr_name, fpr = args.split(None, 1)
1348
for client in self.clients:
1349
if client.fingerprint == fpr:
1350
attr_value = getattr(client, attr_name, None)
1351
logger.debug("IPC reply: %r", attr_value)
1352
pickle.dump(attr_value, reply)
1353
break
1354
else:
1355
logger.error(u"Client %s on address %s requesting "
1356
u"attribute %s not found", fpr, address,
1357
attr_name)
1358
pickle.dump(None, reply)
914
1359
else:
915
logger.error("Unknown IPC command: %r", cmdline)
1360
logger.error(u"Unknown IPC command: %r", cmdline)
916
1361
917
1362
# Keep calling this function
918
1363
return True
921
1366
def string_to_delta(interval):
922
1367
"""Parse a string and return a datetime.timedelta
923
1368
924
>>> string_to_delta('7d')
1369
>>> string_to_delta(u'7d')
925
1370
datetime.timedelta(7)
926
>>> string_to_delta('60s')
1371
>>> string_to_delta(u'60s')
927
1372
datetime.timedelta(0, 60)
928
>>> string_to_delta('60m')
1373
>>> string_to_delta(u'60m')
929
1374
datetime.timedelta(0, 3600)
930
>>> string_to_delta('24h')
1375
>>> string_to_delta(u'24h')
931
1376
datetime.timedelta(1)
932
1377
>>> string_to_delta(u'1w')
933
1378
datetime.timedelta(7)
934
>>> string_to_delta('5m 30s')
1379
>>> string_to_delta(u'5m 30s')
935
1380
datetime.timedelta(0, 330)
936
1381
"""
937
1382
timevalue = datetime.timedelta(0)
950
1395
elif suffix == u"w":
951
1396
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
952
1397
else:
953
raise ValueError
954
except (ValueError, IndexError):
955
raise ValueError
1398
raise ValueError(u"Unknown suffix %r" % suffix)
1399
except (ValueError, IndexError), e:
1400
raise ValueError(e.message)
956
1401
timevalue += delta
957
1402
return timevalue
958
1403
959
1404
960
def server_state_changed(state):
961
"""Derived from the Avahi example code"""
962
if state == avahi.SERVER_COLLISION:
963
logger.error(u"Zeroconf server name collision")
964
service.remove()
965
elif state == avahi.SERVER_RUNNING:
966
service.add()
967
968
969
def entry_group_state_changed(state, error):
970
"""Derived from the Avahi example code"""
971
logger.debug(u"Avahi state change: %i", state)
972
973
if state == avahi.ENTRY_GROUP_ESTABLISHED:
974
logger.debug(u"Zeroconf service established.")
975
elif state == avahi.ENTRY_GROUP_COLLISION:
976
logger.warning(u"Zeroconf service name collision.")
977
service.rename()
978
elif state == avahi.ENTRY_GROUP_FAILURE:
979
logger.critical(u"Avahi: Error in group state changed %s",
980
unicode(error))
981
raise AvahiGroupError(u"State changed: %s" % unicode(error))
982
983
1405
def if_nametoindex(interface):
984
"""Call the C function if_nametoindex(), or equivalent"""
1406
"""Call the C function if_nametoindex(), or equivalent
1407
1408
Note: This function cannot accept a unicode string."""
985
1409
global if_nametoindex
986
1410
try:
987
1411
if_nametoindex = (ctypes.cdll.LoadLibrary
988
(ctypes.util.find_library("c"))
1412
(ctypes.util.find_library(u"c"))
989
1413
.if_nametoindex)
990
1414
except (OSError, AttributeError):
991
if "struct" not in sys.modules:
992
import struct
993
if "fcntl" not in sys.modules:
994
import fcntl
1415
logger.warning(u"Doing if_nametoindex the hard way")
995
1416
def if_nametoindex(interface):
996
1417
"Get an interface index the hard way, i.e. using fcntl()"
997
1418
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
998
with closing(socket.socket()) as s:
1419
with contextlib.closing(socket.socket()) as s:
999
1420
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1000
struct.pack("16s16x", interface))
1001
interface_index = struct.unpack("I", ifreq[16:20])[0]
1421
struct.pack(str(u"16s16x"),
1422
interface))
1423
interface_index = struct.unpack(str(u"I"),
1424
ifreq[16:20])[0]
1002
1425
return interface_index
1003
1426
return if_nametoindex(interface)
1004
1427
1005
1428
1006
1429
def daemon(nochdir = False, noclose = False):
1007
1430
"""See daemon(3). Standard BSD Unix function.
1431
1008
1432
This should really exist as os.daemon, but it doesn't (yet)."""
1009
1433
if os.fork():
1010
1434
sys.exit()
1011
1435
os.setsid()
1012
1436
if not nochdir:
1013
os.chdir("/")
1437
os.chdir(u"/")
1014
1438
if os.fork():
1015
1439
sys.exit()
1016
1440
if not noclose:
1018
1442
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1019
1443
if not stat.S_ISCHR(os.fstat(null).st_mode):
1020
1444
raise OSError(errno.ENODEV,
1021
"/dev/null not a character device")
1445
u"%s not a character device"
1446
% os.path.devnull)
1022
1447
os.dup2(null, sys.stdin.fileno())
1023
1448
os.dup2(null, sys.stdout.fileno())
1024
1449
os.dup2(null, sys.stderr.fileno())
1028
1453
1029
1454
def main():
1030
1455
1031
######################################################################
1456
##################################################################
1032
1457
# Parsing of options, both command line and config file
1033
1458
1034
1459
parser = optparse.OptionParser(version = "%%prog %s" % version)
1035
parser.add_option("-i", "--interface", type="string",
1036
metavar="IF", help="Bind to interface IF")
1037
parser.add_option("-a", "--address", type="string",
1038
help="Address to listen for requests on")
1039
parser.add_option("-p", "--port", type="int",
1040
help="Port number to receive requests on")
1041
parser.add_option("--check", action="store_true",
1042
help="Run self-test")
1043
parser.add_option("--debug", action="store_true",
1044
help="Debug mode; run in foreground and log to"
1045
" terminal")
1046
parser.add_option("--priority", type="string", help="GnuTLS"
1047
" priority string (see GnuTLS documentation)")
1048
parser.add_option("--servicename", type="string", metavar="NAME",
1049
help="Zeroconf service name")
1050
parser.add_option("--configdir", type="string",
1051
default="/etc/mandos", metavar="DIR",
1052
help="Directory to search for configuration"
1053
" files")
1054
parser.add_option("--no-dbus", action="store_false",
1055
dest="use_dbus",
1056
help="Do not provide D-Bus system bus"
1057
" interface")
1058
parser.add_option("--no-ipv6", action="store_false",
1059
dest="use_ipv6", help="Do not use IPv6")
1460
parser.add_option("-i", u"--interface", type=u"string",
1461
metavar="IF", help=u"Bind to interface IF")
1462
parser.add_option("-a", u"--address", type=u"string",
1463
help=u"Address to listen for requests on")
1464
parser.add_option("-p", u"--port", type=u"int",
1465
help=u"Port number to receive requests on")
1466
parser.add_option("--check", action=u"store_true",
1467
help=u"Run self-test")
1468
parser.add_option("--debug", action=u"store_true",
1469
help=u"Debug mode; run in foreground and log to"
1470
u" terminal")
1471
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1472
u" priority string (see GnuTLS documentation)")
1473
parser.add_option("--servicename", type=u"string",
1474
metavar=u"NAME", help=u"Zeroconf service name")
1475
parser.add_option("--configdir", type=u"string",
1476
default=u"/etc/mandos", metavar=u"DIR",
1477
help=u"Directory to search for configuration"
1478
u" files")
1479
parser.add_option("--no-dbus", action=u"store_false",
1480
dest=u"use_dbus", help=u"Do not provide D-Bus"
1481
u" system bus interface")
1482
parser.add_option("--no-ipv6", action=u"store_false",
1483
dest=u"use_ipv6", help=u"Do not use IPv6")
1060
1484
options = parser.parse_args()[0]
1061
1485
1062
1486
if options.check:
1065
1489
sys.exit()
1066
1490
1067
1491
# Default values for config file for server-global settings
1068
server_defaults = { "interface": "",
1069
"address": "",
1070
"port": "",
1071
"debug": "False",
1072
"priority":
1073
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1074
"servicename": "Mandos",
1075
"use_dbus": "True",
1076
"use_ipv6": "True",
1492
server_defaults = { u"interface": u"",
1493
u"address": u"",
1494
u"port": u"",
1495
u"debug": u"False",
1496
u"priority":
1497
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1498
u"servicename": u"Mandos",
1499
u"use_dbus": u"True",
1500
u"use_ipv6": u"True",
1077
1501
}
1078
1502
1079
1503
# Parse config file for server-global settings
1080
server_config = ConfigParser.SafeConfigParser(server_defaults)
1504
server_config = configparser.SafeConfigParser(server_defaults)
1081
1505
del server_defaults
1082
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1506
server_config.read(os.path.join(options.configdir,
1507
u"mandos.conf"))
1083
1508
# Convert the SafeConfigParser object to a dict
1084
1509
server_settings = server_config.defaults()
1085
1510
# Use the appropriate methods on the non-string config options
1086
server_settings["debug"] = server_config.getboolean("DEFAULT",
1087
"debug")
1088
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1089
"use_dbus")
1090
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1091
"use_ipv6")
1511
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1512
server_settings[option] = server_config.getboolean(u"DEFAULT",
1513
option)
1092
1514
if server_settings["port"]:
1093
server_settings["port"] = server_config.getint("DEFAULT",
1094
"port")
1515
server_settings["port"] = server_config.getint(u"DEFAULT",
1516
u"port")
1095
1517
del server_config
1096
1518
1097
1519
# Override the settings from the config file with command line
1098
1520
# options, if set.
1099
for option in ("interface", "address", "port", "debug",
1100
"priority", "servicename", "configdir",
1101
"use_dbus", "use_ipv6"):
1521
for option in (u"interface", u"address", u"port", u"debug",
1522
u"priority", u"servicename", u"configdir",
1523
u"use_dbus", u"use_ipv6"):
1102
1524
value = getattr(options, option)
1103
1525
if value is not None:
1104
1526
server_settings[option] = value
1105
1527
del options
1528
# Force all strings to be unicode
1529
for option in server_settings.keys():
1530
if type(server_settings[option]) is str:
1531
server_settings[option] = unicode(server_settings[option])
1106
1532
# Now we have our good server settings in "server_settings"
1107
1533
1108
1534
##################################################################
1109
1535
1110
1536
# For convenience
1111
debug = server_settings["debug"]
1112
use_dbus = server_settings["use_dbus"]
1113
use_ipv6 = server_settings["use_ipv6"]
1537
debug = server_settings[u"debug"]
1538
use_dbus = server_settings[u"use_dbus"]
1539
use_ipv6 = server_settings[u"use_ipv6"]
1114
1540
1115
1541
if not debug:
1116
1542
syslogger.setLevel(logging.WARNING)
1117
1543
console.setLevel(logging.WARNING)
1118
1544
1119
if server_settings["servicename"] != "Mandos":
1545
if server_settings[u"servicename"] != u"Mandos":
1120
1546
syslogger.setFormatter(logging.Formatter
1121
('Mandos (%s) [%%(process)d]:'
1122
' %%(levelname)s: %%(message)s'
1123
% server_settings["servicename"]))
1547
(u'Mandos (%s) [%%(process)d]:'
1548
u' %%(levelname)s: %%(message)s'
1549
% server_settings[u"servicename"]))
1124
1550
1125
1551
# Parse config file with clients
1126
client_defaults = { "timeout": "1h",
1127
"interval": "5m",
1128
"checker": "fping -q -- %%(host)s",
1129
"host": "",
1552
client_defaults = { u"timeout": u"1h",
1553
u"interval": u"5m",
1554
u"checker": u"fping -q -- %%(host)s",
1555
u"host": u"",
1130
1556
}
1131
client_config = ConfigParser.SafeConfigParser(client_defaults)
1132
client_config.read(os.path.join(server_settings["configdir"],
1133
"clients.conf"))
1134
1557
client_config = configparser.SafeConfigParser(client_defaults)
1558
client_config.read(os.path.join(server_settings[u"configdir"],
1559
u"clients.conf"))
1560
1135
1561
global mandos_dbus_service
1136
1562
mandos_dbus_service = None
1137
1563
1138
clients = Set()
1139
tcp_server = IPv6_TCPServer((server_settings["address"],
1140
server_settings["port"]),
1141
TCP_handler,
1142
settings=server_settings,
1143
clients=clients, use_ipv6=use_ipv6)
1144
pidfilename = "/var/run/mandos.pid"
1564
tcp_server = MandosServer((server_settings[u"address"],
1565
server_settings[u"port"]),
1566
ClientHandler,
1567
interface=server_settings[u"interface"],
1568
use_ipv6=use_ipv6,
1569
gnutls_priority=
1570
server_settings[u"priority"],
1571
use_dbus=use_dbus)
1572
pidfilename = u"/var/run/mandos.pid"
1145
1573
try:
1146
pidfile = open(pidfilename, "w")
1574
pidfile = open(pidfilename, u"w")
1147
1575
except IOError:
1148
logger.error("Could not open file %r", pidfilename)
1576
logger.error(u"Could not open file %r", pidfilename)
1149
1577
1150
1578
try:
1151
uid = pwd.getpwnam("_mandos").pw_uid
1152
gid = pwd.getpwnam("_mandos").pw_gid
1579
uid = pwd.getpwnam(u"_mandos").pw_uid
1580
gid = pwd.getpwnam(u"_mandos").pw_gid
1153
1581
except KeyError:
1154
1582
try:
1155
uid = pwd.getpwnam("mandos").pw_uid
1156
gid = pwd.getpwnam("mandos").pw_gid
1583
uid = pwd.getpwnam(u"mandos").pw_uid
1584
gid = pwd.getpwnam(u"mandos").pw_gid
1157
1585
except KeyError:
1158
1586
try:
1159
uid = pwd.getpwnam("nobody").pw_uid
1160
gid = pwd.getpwnam("nogroup").pw_gid
1587
uid = pwd.getpwnam(u"nobody").pw_uid
1588
gid = pwd.getpwnam(u"nobody").pw_gid
1161
1589
except KeyError:
1162
1590
uid = 65534
1163
1591
gid = 65534
1176
1604
1177
1605
@gnutls.library.types.gnutls_log_func
1178
1606
def debug_gnutls(level, string):
1179
logger.debug("GnuTLS: %s", string[:-1])
1607
logger.debug(u"GnuTLS: %s", string[:-1])
1180
1608
1181
1609
(gnutls.library.functions
1182
1610
.gnutls_global_set_log_function(debug_gnutls))
1183
1611
1184
global service
1185
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1186
service = AvahiService(name = server_settings["servicename"],
1187
servicetype = "_mandos._tcp",
1188
protocol = protocol)
1189
if server_settings["interface"]:
1190
service.interface = (if_nametoindex
1191
(server_settings["interface"]))
1192
1193
1612
global main_loop
1194
global bus
1195
global server
1196
1613
# From the Avahi example code
1197
1614
DBusGMainLoop(set_as_default=True )
1198
1615
main_loop = gobject.MainLoop()
1199
1616
bus = dbus.SystemBus()
1200
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1201
avahi.DBUS_PATH_SERVER),
1202
avahi.DBUS_INTERFACE_SERVER)
1203
1617
# End of Avahi example code
1204
1618
if use_dbus:
1205
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1619
try:
1620
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1621
bus, do_not_queue=True)
1622
except dbus.exceptions.NameExistsException, e:
1623
logger.error(unicode(e) + u", disabling D-Bus")
1624
use_dbus = False
1625
server_settings[u"use_dbus"] = False
1626
tcp_server.use_dbus = False
1627
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1628
service = AvahiService(name = server_settings[u"servicename"],
1629
servicetype = u"_mandos._tcp",
1630
protocol = protocol, bus = bus)
1631
if server_settings["interface"]:
1632
service.interface = (if_nametoindex
1633
(str(server_settings[u"interface"])))
1206
1634
1207
clients.update(Set(Client(name = section,
1208
config
1209
= dict(client_config.items(section)),
1210
use_dbus = use_dbus)
1211
for section in client_config.sections()))
1212
if not clients:
1635
client_class = Client
1636
if use_dbus:
1637
client_class = functools.partial(ClientDBus, bus = bus)
1638
tcp_server.clients.update(set(
1639
client_class(name = section,
1640
config= dict(client_config.items(section)))
1641
for section in client_config.sections()))
1642
if not tcp_server.clients:
1213
1643
logger.warning(u"No clients defined")
1214
1644
1215
1645
if debug:
1225
1655
daemon()
1226
1656
1227
1657
try:
1228
with closing(pidfile):
1658
with pidfile:
1229
1659
pid = os.getpid()
1230
1660
pidfile.write(str(pid) + "\n")
1231
1661
del pidfile
1237
1667
pass
1238
1668
del pidfilename
1239
1669
1240
def cleanup():
1241
"Cleanup function; run on exit"
1242
global group
1243
# From the Avahi example code
1244
if not group is None:
1245
group.Free()
1246
group = None
1247
# End of Avahi example code
1248
1249
while clients:
1250
client = clients.pop()
1251
client.disable_hook = None
1252
client.disable()
1253
1254
atexit.register(cleanup)
1255
1256
1670
if not debug:
1257
1671
signal.signal(signal.SIGINT, signal.SIG_IGN)
1258
1672
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1262
1676
class MandosDBusService(dbus.service.Object):
1263
1677
"""A D-Bus proxy object"""
1264
1678
def __init__(self):
1265
dbus.service.Object.__init__(self, bus, "/")
1679
dbus.service.Object.__init__(self, bus, u"/")
1266
1680
_interface = u"se.bsnet.fukt.Mandos"
1267
1681
1268
@dbus.service.signal(_interface, signature="oa{sv}")
1269
def ClientAdded(self, objpath, properties):
1270
"D-Bus signal"
1271
pass
1272
1273
@dbus.service.signal(_interface, signature="s")
1274
def ClientNotFound(self, fingerprint):
1275
"D-Bus signal"
1276
pass
1277
1278
@dbus.service.signal(_interface, signature="os")
1682
@dbus.service.signal(_interface, signature=u"o")
1683
def ClientAdded(self, objpath):
1684
"D-Bus signal"
1685
pass
1686
1687
@dbus.service.signal(_interface, signature=u"ss")
1688
def ClientNotFound(self, fingerprint, address):
1689
"D-Bus signal"
1690
pass
1691
1692
@dbus.service.signal(_interface, signature=u"os")
1279
1693
def ClientRemoved(self, objpath, name):
1280
1694
"D-Bus signal"
1281
1695
pass
1282
1696
1283
@dbus.service.method(_interface, out_signature="ao")
1697
@dbus.service.method(_interface, out_signature=u"ao")
1284
1698
def GetAllClients(self):
1285
1699
"D-Bus method"
1286
return dbus.Array(c.dbus_object_path for c in clients)
1700
return dbus.Array(c.dbus_object_path
1701
for c in tcp_server.clients)
1287
1702
1288
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1703
@dbus.service.method(_interface,
1704
out_signature=u"a{oa{sv}}")
1289
1705
def GetAllClientsWithProperties(self):
1290
1706
"D-Bus method"
1291
1707
return dbus.Dictionary(
1292
((c.dbus_object_path, c.GetAllProperties())
1293
for c in clients),
1294
signature="oa{sv}")
1708
((c.dbus_object_path, c.GetAll(u""))
1709
for c in tcp_server.clients),
1710
signature=u"oa{sv}")
1295
1711
1296
@dbus.service.method(_interface, in_signature="o")
1712
@dbus.service.method(_interface, in_signature=u"o")
1297
1713
def RemoveClient(self, object_path):
1298
1714
"D-Bus method"
1299
for c in clients:
1715
for c in tcp_server.clients:
1300
1716
if c.dbus_object_path == object_path:
1301
clients.remove(c)
1717
tcp_server.clients.remove(c)
1718
c.remove_from_connection()
1302
1719
# Don't signal anything except ClientRemoved
1303
c.use_dbus = False
1304
c.disable()
1720
c.disable(quiet=True)
1305
1721
# Emit D-Bus signal
1306
1722
self.ClientRemoved(object_path, c.name)
1307
1723
return
1308
raise KeyError
1724
raise KeyError(object_path)
1309
1725
1310
1726
del _interface
1311
1727
1312
1728
mandos_dbus_service = MandosDBusService()
1313
1729
1314
for client in clients:
1730
def cleanup():
1731
"Cleanup function; run on exit"
1732
service.cleanup()
1733
1734
while tcp_server.clients:
1735
client = tcp_server.clients.pop()
1736
if use_dbus:
1737
client.remove_from_connection()
1738
client.disable_hook = None
1739
# Don't signal anything except ClientRemoved
1740
client.disable(quiet=True)
1741
if use_dbus:
1742
# Emit D-Bus signal
1743
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1744
client.name)
1745
1746
atexit.register(cleanup)
1747
1748
for client in tcp_server.clients:
1315
1749
if use_dbus:
1316
1750
# Emit D-Bus signal
1317
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1318
client.GetAllProperties())
1751
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1319
1752
client.enable()
1320
1753
1321
1754
tcp_server.enable()
1335
1768
1336
1769
try:
1337
1770
# From the Avahi example code
1338
server.connect_to_signal("StateChanged", server_state_changed)
1339
1771
try:
1340
server_state_changed(server.GetState())
1772
service.activate()
1341
1773
except dbus.exceptions.DBusException, error:
1342
1774
logger.critical(u"DBusException: %s", error)
1775
cleanup()
1343
1776
sys.exit(1)
1344
1777
# End of Avahi example code
1345
1778
1352
1785
main_loop.run()
1353
1786
except AvahiError, error:
1354
1787
logger.critical(u"AvahiError: %s", error)
1788
cleanup()
1355
1789
sys.exit(1)
1356
1790
except KeyboardInterrupt:
1357
1791
if debug:
1358
1792
print >> sys.stderr
1359
logger.debug("Server received KeyboardInterrupt")
1360
logger.debug("Server exiting")
1793
logger.debug(u"Server received KeyboardInterrupt")
1794
logger.debug(u"Server exiting")
1795
# Must run before the D-Bus bus name gets deregistered
1796
cleanup()
1361
1797
1362
1798
if __name__ == '__main__':
1363
1799
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0