To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos-ctl
- browse files at revision 472
- compare with another revision
- download diff
- download tarball
- view history from revision 472
- Committer: Teddy Hogeborn
- Date: 2011-03-08 19:09:03 UTC
- Revision ID: teddy@fukt.bsnet.se-20110308190903-j499ebtb9bpk31ar
* INSTALL: Updated.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/upstream
- network-hooks.d
- plugin-helpers
- files modified:
- .bzrignore
added
removed
mandos-ctl
1
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8; after-save-hook: (lambda () (let ((command (if (and (boundp 'tramp-file-name-structure) (string-match (car tramp-file-name-structure) (buffer-file-name))) (tramp-file-name-localname (tramp-dissect-file-name (buffer-file-name))) (buffer-file-name)))) (if (= (shell-command (format "%s --check" (shell-quote-argument command)) "*Test*") 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w)) (kill-buffer "*Test*")) (display-buffer "*Test*")))); -*-
3
#
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos Monitor - Control and monitor the Mandos server
5
#
6
# Copyright © 2008-2019 Teddy Hogeborn
7
# Copyright © 2008-2019 Björn Påhlsson
8
#
9
# This file is part of Mandos.
10
#
11
# Mandos is free software: you can redistribute it and/or modify it
12
# under the terms of the GNU General Public License as published by
5
#
6
# Copyright © 2008-2010 Teddy Hogeborn
7
# Copyright © 2008-2010 Björn Påhlsson
8
#
9
# This program is free software: you can redistribute it and/or modify
10
# it under the terms of the GNU General Public License as published by
13
11
# the Free Software Foundation, either version 3 of the License, or
14
12
# (at your option) any later version.
15
13
#
16
# Mandos is distributed in the hope that it will be useful, but
17
# WITHOUT ANY WARRANTY; without even the implied warranty of
14
# This program is distributed in the hope that it will be useful,
15
# but WITHOUT ANY WARRANTY; without even the implied warranty of
18
16
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19
17
# GNU General Public License for more details.
20
#
18
#
21
19
# You should have received a copy of the GNU General Public License
22
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
23
#
24
# Contact the authors at <mandos@recompile.se>.
25
#
20
# along with this program. If not, see <http://www.gnu.org/licenses/>.
21
#
22
# Contact the authors at <mandos@fukt.bsnet.se>.
23
#
26
24
27
25
from __future__ import (division, absolute_import, print_function,
28
26
unicode_literals)
29
27
30
try:
31
from future_builtins import *
32
except ImportError:
33
pass
34
35
28
import sys
36
import argparse
29
import dbus
30
from optparse import OptionParser
37
31
import locale
38
32
import datetime
39
33
import re
40
34
import os
41
import collections
42
import json
43
import unittest
44
import logging
45
46
import dbus
47
48
# Show warnings by default
49
if not sys.warnoptions:
50
import warnings
51
warnings.simplefilter("default")
52
53
log = logging.getLogger(sys.argv[0])
54
logging.basicConfig(level="INFO", # Show info level messages
55
format="%(message)s") # Show basic log messages
56
57
logging.captureWarnings(True) # Show warnings via the logging system
58
59
if sys.version_info.major == 2:
60
str = unicode
61
35
62
36
locale.setlocale(locale.LC_ALL, "")
63
37
64
domain = "se.recompile"
38
tablewords = {
39
"Name": "Name",
40
"Enabled": "Enabled",
41
"Timeout": "Timeout",
42
"LastCheckedOK": "Last Successful Check",
43
"LastApprovalRequest": "Last Approval Request",
44
"Created": "Created",
45
"Interval": "Interval",
46
"Host": "Host",
47
"Fingerprint": "Fingerprint",
48
"CheckerRunning": "Check Is Running",
49
"LastEnabled": "Last Enabled",
50
"ApprovalPending": "Approval Is Pending",
51
"ApprovedByDefault": "Approved By Default",
52
"ApprovalDelay": "Approval Delay",
53
"ApprovalDuration": "Approval Duration",
54
"Checker": "Checker",
55
}
56
defaultkeywords = ("Name", "Enabled", "Timeout", "LastCheckedOK")
57
domain = "se.bsnet.fukt"
65
58
busname = domain + ".Mandos"
66
59
server_path = "/"
67
60
server_interface = domain + ".Mandos"
68
61
client_interface = domain + ".Mandos.Client"
69
version = "1.8.3"
70
71
72
try:
73
dbus.OBJECT_MANAGER_IFACE
74
except AttributeError:
75
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
76
62
version = "1.2.3"
63
64
def timedelta_to_milliseconds(td):
65
"""Convert a datetime.timedelta object to milliseconds"""
66
return ((td.days * 24 * 60 * 60 * 1000)
67
+ (td.seconds * 1000)
68
+ (td.microseconds // 1000))
77
69
78
70
def milliseconds_to_string(ms):
79
71
td = datetime.timedelta(0, 0, 0, ms)
80
return ("{days}{hours:02}:{minutes:02}:{seconds:02}"
81
.format(days="{}T".format(td.days) if td.days else "",
82
hours=td.seconds // 3600,
83
minutes=(td.seconds % 3600) // 60,
84
seconds=td.seconds % 60))
85
86
87
def rfc3339_duration_to_delta(duration):
88
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
89
90
>>> rfc3339_duration_to_delta("P7D")
91
datetime.timedelta(7)
92
>>> rfc3339_duration_to_delta("PT60S")
93
datetime.timedelta(0, 60)
94
>>> rfc3339_duration_to_delta("PT60M")
95
datetime.timedelta(0, 3600)
96
>>> rfc3339_duration_to_delta("P60M")
97
datetime.timedelta(1680)
98
>>> rfc3339_duration_to_delta("PT24H")
99
datetime.timedelta(1)
100
>>> rfc3339_duration_to_delta("P1W")
101
datetime.timedelta(7)
102
>>> rfc3339_duration_to_delta("PT5M30S")
103
datetime.timedelta(0, 330)
104
>>> rfc3339_duration_to_delta("P1DT3M20S")
105
datetime.timedelta(1, 200)
106
>>> # Can not be empty:
107
>>> rfc3339_duration_to_delta("")
108
Traceback (most recent call last):
109
...
110
ValueError: Invalid RFC 3339 duration: u''
111
>>> # Must start with "P":
112
>>> rfc3339_duration_to_delta("1D")
113
Traceback (most recent call last):
114
...
115
ValueError: Invalid RFC 3339 duration: u'1D'
116
>>> # Must use correct order
117
>>> rfc3339_duration_to_delta("PT1S2M")
118
Traceback (most recent call last):
119
...
120
ValueError: Invalid RFC 3339 duration: u'PT1S2M'
121
>>> # Time needs time marker
122
>>> rfc3339_duration_to_delta("P1H2S")
123
Traceback (most recent call last):
124
...
125
ValueError: Invalid RFC 3339 duration: u'P1H2S'
126
>>> # Weeks can not be combined with anything else
127
>>> rfc3339_duration_to_delta("P1D2W")
128
Traceback (most recent call last):
129
...
130
ValueError: Invalid RFC 3339 duration: u'P1D2W'
131
>>> rfc3339_duration_to_delta("P2W2H")
132
Traceback (most recent call last):
133
...
134
ValueError: Invalid RFC 3339 duration: u'P2W2H'
135
"""
136
137
# Parsing an RFC 3339 duration with regular expressions is not
138
# possible - there would have to be multiple places for the same
139
# values, like seconds. The current code, while more esoteric, is
140
# cleaner without depending on a parsing library. If Python had a
141
# built-in library for parsing we would use it, but we'd like to
142
# avoid excessive use of external libraries.
143
144
# New type for defining tokens, syntax, and semantics all-in-one
145
Token = collections.namedtuple("Token", (
146
"regexp", # To match token; if "value" is not None, must have
147
# a "group" containing digits
148
"value", # datetime.timedelta or None
149
"followers")) # Tokens valid after this token
150
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
151
# the "duration" ABNF definition in RFC 3339, Appendix A.
152
token_end = Token(re.compile(r"$"), None, frozenset())
153
token_second = Token(re.compile(r"(\d+)S"),
154
datetime.timedelta(seconds=1),
155
frozenset((token_end, )))
156
token_minute = Token(re.compile(r"(\d+)M"),
157
datetime.timedelta(minutes=1),
158
frozenset((token_second, token_end)))
159
token_hour = Token(re.compile(r"(\d+)H"),
160
datetime.timedelta(hours=1),
161
frozenset((token_minute, token_end)))
162
token_time = Token(re.compile(r"T"),
163
None,
164
frozenset((token_hour, token_minute,
165
token_second)))
166
token_day = Token(re.compile(r"(\d+)D"),
167
datetime.timedelta(days=1),
168
frozenset((token_time, token_end)))
169
token_month = Token(re.compile(r"(\d+)M"),
170
datetime.timedelta(weeks=4),
171
frozenset((token_day, token_end)))
172
token_year = Token(re.compile(r"(\d+)Y"),
173
datetime.timedelta(weeks=52),
174
frozenset((token_month, token_end)))
175
token_week = Token(re.compile(r"(\d+)W"),
176
datetime.timedelta(weeks=1),
177
frozenset((token_end, )))
178
token_duration = Token(re.compile(r"P"), None,
179
frozenset((token_year, token_month,
180
token_day, token_time,
181
token_week)))
182
# Define starting values:
183
# Value so far
184
value = datetime.timedelta()
185
found_token = None
186
# Following valid tokens
187
followers = frozenset((token_duration, ))
188
# String left to parse
189
s = duration
190
# Loop until end token is found
191
while found_token is not token_end:
192
# Search for any currently valid tokens
193
for token in followers:
194
match = token.regexp.match(s)
195
if match is not None:
196
# Token found
197
if token.value is not None:
198
# Value found, parse digits
199
factor = int(match.group(1), 10)
200
# Add to value so far
201
value += factor * token.value
202
# Strip token from string
203
s = token.regexp.sub("", s, 1)
204
# Go to found token
205
found_token = token
206
# Set valid next tokens
207
followers = found_token.followers
208
break
209
else:
210
# No currently valid tokens were found
211
raise ValueError("Invalid RFC 3339 duration: {!r}"
212
.format(duration))
213
# End token found
214
return value
72
return ("%(days)s%(hours)02d:%(minutes)02d:%(seconds)02d"
73
% { "days": "%dT" % td.days if td.days else "",
74
"hours": td.seconds // 3600,
75
"minutes": (td.seconds % 3600) // 60,
76
"seconds": td.seconds % 60,
77
})
215
78
216
79
217
80
def string_to_delta(interval):
218
"""Parse a string and return a datetime.timedelta"""
219
220
try:
221
return rfc3339_duration_to_delta(interval)
222
except ValueError as e:
223
log.warning("%s - Parsing as pre-1.6.1 interval instead",
224
' '.join(e.args))
225
return parse_pre_1_6_1_interval(interval)
226
227
228
def parse_pre_1_6_1_interval(interval):
229
"""Parse an interval string as documented by Mandos before 1.6.1,
230
and return a datetime.timedelta
231
232
>>> parse_pre_1_6_1_interval('7d')
81
"""Parse a string and return a datetime.timedelta
82
83
>>> string_to_delta("7d")
233
84
datetime.timedelta(7)
234
>>> parse_pre_1_6_1_interval('60s')
85
>>> string_to_delta("60s")
235
86
datetime.timedelta(0, 60)
236
>>> parse_pre_1_6_1_interval('60m')
87
>>> string_to_delta("60m")
237
88
datetime.timedelta(0, 3600)
238
>>> parse_pre_1_6_1_interval('24h')
89
>>> string_to_delta("24h")
239
90
datetime.timedelta(1)
240
>>> parse_pre_1_6_1_interval('1w')
91
>>> string_to_delta("1w")
241
92
datetime.timedelta(7)
242
>>> parse_pre_1_6_1_interval('5m 30s')
93
>>> string_to_delta("5m 30s")
243
94
datetime.timedelta(0, 330)
244
>>> parse_pre_1_6_1_interval('')
245
datetime.timedelta(0)
246
>>> # Ignore unknown characters, allow any order and repetitions
247
>>> parse_pre_1_6_1_interval('2dxy7zz11y3m5m')
248
datetime.timedelta(2, 480, 18000)
249
250
95
"""
251
252
value = datetime.timedelta(0)
253
regexp = re.compile(r"(\d+)([dsmhw]?)")
254
255
for num, suffix in regexp.findall(interval):
256
if suffix == "d":
257
value += datetime.timedelta(int(num))
258
elif suffix == "s":
259
value += datetime.timedelta(0, int(num))
260
elif suffix == "m":
261
value += datetime.timedelta(0, 0, 0, 0, int(num))
262
elif suffix == "h":
263
value += datetime.timedelta(0, 0, 0, 0, 0, int(num))
264
elif suffix == "w":
265
value += datetime.timedelta(0, 0, 0, 0, 0, 0, int(num))
266
elif suffix == "":
267
value += datetime.timedelta(0, 0, 0, int(num))
268
return value
269
270
271
## Classes for commands.
272
273
# Abstract classes first
274
class Command(object):
275
"""Abstract class for commands"""
276
def run(self, mandos, clients):
277
"""Normal commands should implement run_on_one_client(), but
278
commands which want to operate on all clients at the same time
279
can override this run() method instead."""
280
self.mandos = mandos
281
for client in clients:
282
self.run_on_one_client(client)
283
284
class PrintCmd(Command):
285
"""Abstract class for commands printing client details"""
286
all_keywords = ("Name", "Enabled", "Timeout", "LastCheckedOK",
287
"Created", "Interval", "Host", "KeyID",
288
"Fingerprint", "CheckerRunning", "LastEnabled",
289
"ApprovalPending", "ApprovedByDefault",
290
"LastApprovalRequest", "ApprovalDelay",
291
"ApprovalDuration", "Checker", "ExtendedTimeout",
292
"Expires", "LastCheckerStatus")
293
def run(self, mandos, clients):
294
print(self.output(clients))
295
296
class PropertyCmd(Command):
297
"""Abstract class for Actions for setting one client property"""
298
def run_on_one_client(self, client):
299
"""Set the Client's D-Bus property"""
300
client.Set(client_interface, self.property, self.value_to_set,
301
dbus_interface=dbus.PROPERTIES_IFACE)
302
303
class ValueArgumentMixIn(object):
304
"""Mixin class for commands taking a value as argument"""
305
def __init__(self, value):
306
self.value_to_set = value
307
308
class MillisecondsValueArgumentMixIn(ValueArgumentMixIn):
309
"""Mixin class for commands taking a value argument as
310
milliseconds."""
311
@property
312
def value_to_set(self):
313
return self._vts
314
@value_to_set.setter
315
def value_to_set(self, value):
316
"""When setting, convert value to a datetime.timedelta"""
317
self._vts = string_to_delta(value).total_seconds() * 1000
318
319
# Actual (non-abstract) command classes
320
321
class PrintTableCmd(PrintCmd):
322
def __init__(self, verbose=False):
323
self.verbose = verbose
324
325
def output(self, clients):
326
if self.verbose:
327
keywords = self.all_keywords
328
else:
329
keywords = ("Name", "Enabled", "Timeout", "LastCheckedOK")
330
return str(self.TableOfClients(clients.values(), keywords))
331
332
class TableOfClients(object):
333
tableheaders = {
334
"Name": "Name",
335
"Enabled": "Enabled",
336
"Timeout": "Timeout",
337
"LastCheckedOK": "Last Successful Check",
338
"LastApprovalRequest": "Last Approval Request",
339
"Created": "Created",
340
"Interval": "Interval",
341
"Host": "Host",
342
"Fingerprint": "Fingerprint",
343
"KeyID": "Key ID",
344
"CheckerRunning": "Check Is Running",
345
"LastEnabled": "Last Enabled",
346
"ApprovalPending": "Approval Is Pending",
347
"ApprovedByDefault": "Approved By Default",
348
"ApprovalDelay": "Approval Delay",
349
"ApprovalDuration": "Approval Duration",
350
"Checker": "Checker",
351
"ExtendedTimeout": "Extended Timeout",
352
"Expires": "Expires",
353
"LastCheckerStatus": "Last Checker Status",
354
}
355
356
def __init__(self, clients, keywords, tableheaders=None):
357
self.clients = clients
358
self.keywords = keywords
359
if tableheaders is not None:
360
self.tableheaders = tableheaders
361
362
def __str__(self):
363
return "\n".join(self.rows())
364
365
if sys.version_info.major == 2:
366
__unicode__ = __str__
367
def __str__(self):
368
return str(self).encode(locale.getpreferredencoding())
369
370
def rows(self):
371
format_string = self.row_formatting_string()
372
rows = [self.header_line(format_string)]
373
rows.extend(self.client_line(client, format_string)
374
for client in self.clients)
375
return rows
376
377
def row_formatting_string(self):
378
"Format string used to format table rows"
379
return " ".join("{{{key}:{width}}}".format(
380
width=max(len(self.tableheaders[key]),
381
*(len(self.string_from_client(client, key))
382
for client in self.clients)),
383
key=key)
384
for key in self.keywords)
385
386
def string_from_client(self, client, key):
387
return self.valuetostring(client[key], key)
388
389
@staticmethod
390
def valuetostring(value, keyword):
391
if isinstance(value, dbus.Boolean):
392
return "Yes" if value else "No"
393
if keyword in ("Timeout", "Interval", "ApprovalDelay",
394
"ApprovalDuration", "ExtendedTimeout"):
395
return milliseconds_to_string(value)
396
return str(value)
397
398
def header_line(self, format_string):
399
return format_string.format(**self.tableheaders)
400
401
def client_line(self, client, format_string):
402
return format_string.format(
403
**{key: self.string_from_client(client, key)
404
for key in self.keywords})
405
406
407
408
class DumpJSONCmd(PrintCmd):
409
def output(self, clients):
410
data = {client["Name"]:
411
{key: self.dbus_boolean_to_bool(client[key])
412
for key in self.all_keywords}
413
for client in clients.values()}
414
return json.dumps(data, indent=4, separators=(',', ': '))
415
@staticmethod
416
def dbus_boolean_to_bool(value):
417
if isinstance(value, dbus.Boolean):
418
value = bool(value)
419
return value
420
421
class IsEnabledCmd(Command):
422
def run_on_one_client(self, client):
423
if self.is_enabled(client):
424
sys.exit(0)
425
sys.exit(1)
426
def is_enabled(self, client):
427
return client.Get(client_interface, "Enabled",
428
dbus_interface=dbus.PROPERTIES_IFACE)
429
430
class RemoveCmd(Command):
431
def run_on_one_client(self, client):
432
self.mandos.RemoveClient(client.__dbus_object_path__)
433
434
class ApproveCmd(Command):
435
def run_on_one_client(self, client):
436
client.Approve(dbus.Boolean(True),
437
dbus_interface=client_interface)
438
439
class DenyCmd(Command):
440
def run_on_one_client(self, client):
441
client.Approve(dbus.Boolean(False),
442
dbus_interface=client_interface)
443
444
class EnableCmd(PropertyCmd):
445
property = "Enabled"
446
value_to_set = dbus.Boolean(True)
447
448
class DisableCmd(PropertyCmd):
449
property = "Enabled"
450
value_to_set = dbus.Boolean(False)
451
452
class BumpTimeoutCmd(PropertyCmd):
453
property = "LastCheckedOK"
454
value_to_set = ""
455
456
class StartCheckerCmd(PropertyCmd):
457
property = "CheckerRunning"
458
value_to_set = dbus.Boolean(True)
459
460
class StopCheckerCmd(PropertyCmd):
461
property = "CheckerRunning"
462
value_to_set = dbus.Boolean(False)
463
464
class ApproveByDefaultCmd(PropertyCmd):
465
property = "ApprovedByDefault"
466
value_to_set = dbus.Boolean(True)
467
468
class DenyByDefaultCmd(PropertyCmd):
469
property = "ApprovedByDefault"
470
value_to_set = dbus.Boolean(False)
471
472
class SetCheckerCmd(PropertyCmd, ValueArgumentMixIn):
473
property = "Checker"
474
475
class SetHostCmd(PropertyCmd, ValueArgumentMixIn):
476
property = "Host"
477
478
class SetSecretCmd(PropertyCmd, ValueArgumentMixIn):
479
property = "Secret"
480
481
class SetTimeoutCmd(PropertyCmd, MillisecondsValueArgumentMixIn):
482
property = "Timeout"
483
484
class SetExtendedTimeoutCmd(PropertyCmd,
485
MillisecondsValueArgumentMixIn):
486
property = "ExtendedTimeout"
487
488
class SetIntervalCmd(PropertyCmd, MillisecondsValueArgumentMixIn):
489
property = "Interval"
490
491
class SetApprovalDelayCmd(PropertyCmd,
492
MillisecondsValueArgumentMixIn):
493
property = "ApprovalDelay"
494
495
class SetApprovalDurationCmd(PropertyCmd,
496
MillisecondsValueArgumentMixIn):
497
property = "ApprovalDuration"
96
timevalue = datetime.timedelta(0)
97
regexp = re.compile("\d+[dsmhw]")
98
99
for s in regexp.findall(interval):
100
try:
101
suffix = unicode(s[-1])
102
value = int(s[:-1])
103
if suffix == "d":
104
delta = datetime.timedelta(value)
105
elif suffix == "s":
106
delta = datetime.timedelta(0, value)
107
elif suffix == "m":
108
delta = datetime.timedelta(0, 0, 0, 0, value)
109
elif suffix == "h":
110
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
111
elif suffix == "w":
112
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
113
else:
114
raise ValueError
115
except (ValueError, IndexError):
116
raise ValueError
117
timevalue += delta
118
return timevalue
119
120
def print_clients(clients, keywords):
121
def valuetostring(value, keyword):
122
if type(value) is dbus.Boolean:
123
return "Yes" if value else "No"
124
if keyword in ("Timeout", "Interval", "ApprovalDelay",
125
"ApprovalDuration"):
126
return milliseconds_to_string(value)
127
return unicode(value)
128
129
# Create format string to print table rows
130
format_string = " ".join("%%-%ds" %
131
max(len(tablewords[key]),
132
max(len(valuetostring(client[key],
133
key))
134
for client in
135
clients))
136
for key in keywords)
137
# Print header line
138
print(format_string % tuple(tablewords[key] for key in keywords))
139
for client in clients:
140
print(format_string % tuple(valuetostring(client[key], key)
141
for key in keywords))
498
142
499
143
def has_actions(options):
500
144
return any((options.enable,
506
150
options.remove,
507
151
options.checker is not None,
508
152
options.timeout is not None,
509
options.extended_timeout is not None,
510
153
options.interval is not None,
511
154
options.approved_by_default is not None,
512
155
options.approval_delay is not None,
515
158
options.secret is not None,
516
159
options.approve,
517
160
options.deny))
518
519
def add_command_line_options(parser):
520
parser.add_argument("--version", action="version",
521
version="%(prog)s {}".format(version),
522
help="show version number and exit")
523
parser.add_argument("-a", "--all", action="store_true",
524
help="Select all clients")
525
parser.add_argument("-v", "--verbose", action="store_true",
526
help="Print all fields")
527
parser.add_argument("-j", "--dump-json", action="store_true",
528
help="Dump client data in JSON format")
529
enable_disable = parser.add_mutually_exclusive_group()
530
enable_disable.add_argument("-e", "--enable", action="store_true",
531
help="Enable client")
532
enable_disable.add_argument("-d", "--disable",
533
action="store_true",
534
help="disable client")
535
parser.add_argument("-b", "--bump-timeout", action="store_true",
536
help="Bump timeout for client")
537
start_stop_checker = parser.add_mutually_exclusive_group()
538
start_stop_checker.add_argument("--start-checker",
539
action="store_true",
540
help="Start checker for client")
541
start_stop_checker.add_argument("--stop-checker",
542
action="store_true",
543
help="Stop checker for client")
544
parser.add_argument("-V", "--is-enabled", action="store_true",
545
help="Check if client is enabled")
546
parser.add_argument("-r", "--remove", action="store_true",
547
help="Remove client")
548
parser.add_argument("-c", "--checker",
549
help="Set checker command for client")
550
parser.add_argument("-t", "--timeout",
551
help="Set timeout for client")
552
parser.add_argument("--extended-timeout",
553
help="Set extended timeout for client")
554
parser.add_argument("-i", "--interval",
555
help="Set checker interval for client")
556
approve_deny_default = parser.add_mutually_exclusive_group()
557
approve_deny_default.add_argument(
558
"--approve-by-default", action="store_true",
559
default=None, dest="approved_by_default",
560
help="Set client to be approved by default")
561
approve_deny_default.add_argument(
562
"--deny-by-default", action="store_false",
563
dest="approved_by_default",
564
help="Set client to be denied by default")
565
parser.add_argument("--approval-delay",
566
help="Set delay before client approve/deny")
567
parser.add_argument("--approval-duration",
568
help="Set duration of one client approval")
569
parser.add_argument("-H", "--host", help="Set host for client")
570
parser.add_argument("-s", "--secret",
571
type=argparse.FileType(mode="rb"),
572
help="Set password blob (file) for client")
573
approve_deny = parser.add_mutually_exclusive_group()
574
approve_deny.add_argument(
575
"-A", "--approve", action="store_true",
576
help="Approve any current client request")
577
approve_deny.add_argument("-D", "--deny", action="store_true",
578
help="Deny any current client request")
579
parser.add_argument("--check", action="store_true",
580
help="Run self-test")
581
parser.add_argument("client", nargs="*", help="Client name")
582
583
584
def commands_and_clients_from_options(options):
585
586
commands = []
587
588
if options.dump_json:
589
commands.append(DumpJSONCmd())
590
591
if options.enable:
592
commands.append(EnableCmd())
593
594
if options.disable:
595
commands.append(DisableCmd())
596
597
if options.bump_timeout:
598
commands.append(BumpTimeoutCmd(options.bump_timeout))
599
600
if options.start_checker:
601
commands.append(StartCheckerCmd())
602
603
if options.stop_checker:
604
commands.append(StopCheckerCmd())
605
606
if options.is_enabled:
607
commands.append(IsEnabledCmd())
608
609
if options.remove:
610
commands.append(RemoveCmd())
611
612
if options.checker is not None:
613
commands.append(SetCheckerCmd())
614
615
if options.timeout is not None:
616
commands.append(SetTimeoutCmd(options.timeout))
617
618
if options.extended_timeout:
619
commands.append(
620
SetExtendedTimeoutCmd(options.extended_timeout))
621
622
if options.interval is not None:
623
command.append(SetIntervalCmd(options.interval))
624
625
if options.approved_by_default is not None:
626
if options.approved_by_default:
627
command.append(ApproveByDefaultCmd())
628
else:
629
command.append(DenyByDefaultCmd())
630
631
if options.approval_delay is not None:
632
command.append(SetApprovalDelayCmd(options.approval_delay))
633
634
if options.approval_duration is not None:
635
command.append(
636
SetApprovalDurationCmd(options.approval_duration))
637
638
if options.host is not None:
639
command.append(SetHostCmd(options.host))
640
641
if options.secret is not None:
642
command.append(SetSecretCmd(options.secret))
643
644
if options.approve:
645
commands.append(ApproveCmd())
646
647
if options.deny:
648
commands.append(DenyCmd())
649
650
# If no command option has been given, show table of clients,
651
# optionally verbosely
652
if not commands:
653
commands.append(PrintTableCmd(verbose=options.verbose))
654
655
return commands, options.client
656
657
161
658
162
def main():
659
parser = argparse.ArgumentParser()
660
661
add_command_line_options(parser)
662
663
options = parser.parse_args()
664
665
if has_actions(options) and not (options.client or options.all):
666
parser.error("Options require clients names or --all.")
667
if options.verbose and has_actions(options):
668
parser.error("--verbose can only be used alone.")
669
if options.dump_json and (options.verbose
670
or has_actions(options)):
671
parser.error("--dump-json can only be used alone.")
672
if options.all and not has_actions(options):
673
parser.error("--all requires an action.")
674
if options.is_enabled and len(options.client) > 1:
675
parser.error("--is-enabled requires exactly one client")
676
677
commands, clientnames = commands_and_clients_from_options(options)
678
679
try:
680
bus = dbus.SystemBus()
681
mandos_dbus_objc = bus.get_object(busname, server_path)
682
except dbus.exceptions.DBusException:
683
log.critical("Could not connect to Mandos server")
684
sys.exit(1)
685
686
mandos_serv = dbus.Interface(mandos_dbus_objc,
687
dbus_interface=server_interface)
688
mandos_serv_object_manager = dbus.Interface(
689
mandos_dbus_objc, dbus_interface=dbus.OBJECT_MANAGER_IFACE)
690
691
# Filter out log message from dbus module
692
dbus_logger = logging.getLogger("dbus.proxies")
693
class NullFilter(logging.Filter):
694
def filter(self, record):
695
return False
696
dbus_filter = NullFilter()
697
dbus_logger.addFilter(dbus_filter)
698
try:
699
try:
700
mandos_clients = {path: ifs_and_props[client_interface]
701
for path, ifs_and_props in
702
mandos_serv_object_manager
703
.GetManagedObjects().items()
704
if client_interface in ifs_and_props}
705
finally:
706
# restore dbus logger
707
dbus_logger.removeFilter(dbus_filter)
708
except dbus.exceptions.DBusException as e:
709
log.critical("Failed to access Mandos server through D-Bus:"
710
"\n%s", e)
711
sys.exit(1)
712
713
# Compile dict of (clients: properties) to process
714
clients = {}
715
716
if not clientnames:
717
clients = {bus.get_object(busname, path): properties
718
for path, properties in mandos_clients.items()}
719
else:
720
for name in clientnames:
721
for path, client in mandos_clients.items():
722
if client["Name"] == name:
723
client_objc = bus.get_object(busname, path)
724
clients[client_objc] = client
725
break
726
else:
727
log.critical("Client not found on server: %r", name)
728
sys.exit(1)
729
730
# Run all commands on clients
731
for command in commands:
732
command.run(mandos_serv, clients)
733
734
735
class Test_milliseconds_to_string(unittest.TestCase):
736
def test_all(self):
737
self.assertEqual(milliseconds_to_string(93785000),
738
"1T02:03:05")
739
def test_no_days(self):
740
self.assertEqual(milliseconds_to_string(7385000), "02:03:05")
741
def test_all_zero(self):
742
self.assertEqual(milliseconds_to_string(0), "00:00:00")
743
def test_no_fractional_seconds(self):
744
self.assertEqual(milliseconds_to_string(400), "00:00:00")
745
self.assertEqual(milliseconds_to_string(900), "00:00:00")
746
self.assertEqual(milliseconds_to_string(1900), "00:00:01")
747
748
class Test_string_to_delta(unittest.TestCase):
749
def test_handles_basic_rfc3339(self):
750
self.assertEqual(string_to_delta("PT2H"),
751
datetime.timedelta(0, 7200))
752
def test_falls_back_to_pre_1_6_1_with_warning(self):
753
# assertLogs only exists in Python 3.4
754
if hasattr(self, "assertLogs"):
755
with self.assertLogs(log, logging.WARNING):
756
value = string_to_delta("2h")
757
else:
758
class WarningFilter(logging.Filter):
759
"""Don't show, but record the presence of, warnings"""
760
def filter(self, record):
761
is_warning = record.levelno >= logging.WARNING
762
self.found = is_warning or getattr(self, "found",
763
False)
764
return not is_warning
765
warning_filter = WarningFilter()
766
log.addFilter(warning_filter)
163
parser = OptionParser(version = "%%prog %s" % version)
164
parser.add_option("-a", "--all", action="store_true",
165
help="Select all clients")
166
parser.add_option("-v", "--verbose", action="store_true",
167
help="Print all fields")
168
parser.add_option("-e", "--enable", action="store_true",
169
help="Enable client")
170
parser.add_option("-d", "--disable", action="store_true",
171
help="disable client")
172
parser.add_option("-b", "--bump-timeout", action="store_true",
173
help="Bump timeout for client")
174
parser.add_option("--start-checker", action="store_true",
175
help="Start checker for client")
176
parser.add_option("--stop-checker", action="store_true",
177
help="Stop checker for client")
178
parser.add_option("-V", "--is-enabled", action="store_true",
179
help="Check if client is enabled")
180
parser.add_option("-r", "--remove", action="store_true",
181
help="Remove client")
182
parser.add_option("-c", "--checker", type="string",
183
help="Set checker command for client")
184
parser.add_option("-t", "--timeout", type="string",
185
help="Set timeout for client")
186
parser.add_option("-i", "--interval", type="string",
187
help="Set checker interval for client")
188
parser.add_option("--approve-by-default", action="store_true",
189
dest="approved_by_default",
190
help="Set client to be approved by default")
191
parser.add_option("--deny-by-default", action="store_false",
192
dest="approved_by_default",
193
help="Set client to be denied by default")
194
parser.add_option("--approval-delay", type="string",
195
help="Set delay before client approve/deny")
196
parser.add_option("--approval-duration", type="string",
197
help="Set duration of one client approval")
198
parser.add_option("-H", "--host", type="string",
199
help="Set host for client")
200
parser.add_option("-s", "--secret", type="string",
201
help="Set password blob (file) for client")
202
parser.add_option("-A", "--approve", action="store_true",
203
help="Approve any current client request")
204
parser.add_option("-D", "--deny", action="store_true",
205
help="Deny any current client request")
206
options, client_names = parser.parse_args()
207
208
if has_actions(options) and not client_names and not options.all:
209
parser.error("Options require clients names or --all.")
210
if options.verbose and has_actions(options):
211
parser.error("--verbose can only be used alone or with"
212
" --all.")
213
if options.all and not has_actions(options):
214
parser.error("--all requires an action.")
215
216
try:
217
bus = dbus.SystemBus()
218
mandos_dbus_objc = bus.get_object(busname, server_path)
219
except dbus.exceptions.DBusException:
220
print("Could not connect to Mandos server",
221
file=sys.stderr)
222
sys.exit(1)
223
224
mandos_serv = dbus.Interface(mandos_dbus_objc,
225
dbus_interface = server_interface)
226
227
#block stderr since dbus library prints to stderr
228
null = os.open(os.path.devnull, os.O_RDWR)
229
stderrcopy = os.dup(sys.stderr.fileno())
230
os.dup2(null, sys.stderr.fileno())
231
os.close(null)
232
try:
767
233
try:
768
value = string_to_delta("2h")
234
mandos_clients = mandos_serv.GetAllClientsWithProperties()
769
235
finally:
770
log.removeFilter(warning_filter)
771
self.assertTrue(getattr(warning_filter, "found", False))
772
self.assertEqual(value, datetime.timedelta(0, 7200))
773
774
775
class TestCmd(unittest.TestCase):
776
"""Abstract class for tests of command classes"""
777
def setUp(self):
778
testcase = self
779
class MockClient(object):
780
def __init__(self, name, **attributes):
781
self.__dbus_object_path__ = "objpath_{}".format(name)
782
self.attributes = attributes
783
self.attributes["Name"] = name
784
self.calls = []
785
def Set(self, interface, property, value, dbus_interface):
786
testcase.assertEqual(interface, client_interface)
787
testcase.assertEqual(dbus_interface,
788
dbus.PROPERTIES_IFACE)
789
self.attributes[property] = value
790
self.calls.append(("Set", (interface, property, value,
791
dbus_interface)))
792
def Get(self, interface, property, dbus_interface):
793
testcase.assertEqual(interface, client_interface)
794
testcase.assertEqual(dbus_interface,
795
dbus.PROPERTIES_IFACE)
796
self.calls.append(("Get", (interface, property,
797
dbus_interface)))
798
return self.attributes[property]
799
def __getitem__(self, key):
800
return self.attributes[key]
801
def __setitem__(self, key, value):
802
self.attributes[key] = value
803
self.clients = collections.OrderedDict([
804
("foo",
805
MockClient(
806
"foo",
807
KeyID=("92ed150794387c03ce684574b1139a65"
808
"94a34f895daaaf09fd8ea90a27cddb12"),
809
Secret=b"secret",
810
Host="foo.example.org",
811
Enabled=dbus.Boolean(True),
812
Timeout=300000,
813
LastCheckedOK="2019-02-03T00:00:00",
814
Created="2019-01-02T00:00:00",
815
Interval=120000,
816
Fingerprint=("778827225BA7DE539C5A"
817
"7CFA59CFF7CDBD9A5920"),
818
CheckerRunning=dbus.Boolean(False),
819
LastEnabled="2019-01-03T00:00:00",
820
ApprovalPending=dbus.Boolean(False),
821
ApprovedByDefault=dbus.Boolean(True),
822
LastApprovalRequest="",
823
ApprovalDelay=0,
824
ApprovalDuration=1000,
825
Checker="fping -q -- %(host)s",
826
ExtendedTimeout=900000,
827
Expires="2019-02-04T00:00:00",
828
LastCheckerStatus=0)),
829
("barbar",
830
MockClient(
831
"barbar",
832
KeyID=("0558568eedd67d622f5c83b35a115f79"
833
"6ab612cff5ad227247e46c2b020f441c"),
834
Secret=b"secretbar",
835
Host="192.0.2.3",
836
Enabled=dbus.Boolean(True),
837
Timeout=300000,
838
LastCheckedOK="2019-02-04T00:00:00",
839
Created="2019-01-03T00:00:00",
840
Interval=120000,
841
Fingerprint=("3E393AEAEFB84C7E89E2"
842
"F547B3A107558FCA3A27"),
843
CheckerRunning=dbus.Boolean(True),
844
LastEnabled="2019-01-04T00:00:00",
845
ApprovalPending=dbus.Boolean(False),
846
ApprovedByDefault=dbus.Boolean(False),
847
LastApprovalRequest="2019-01-03T00:00:00",
848
ApprovalDelay=30000,
849
ApprovalDuration=1000,
850
Checker=":",
851
ExtendedTimeout=900000,
852
Expires="2019-02-05T00:00:00",
853
LastCheckerStatus=-2)),
854
])
855
856
class TestPrintTableCmd(TestCmd):
857
def test_normal(self):
858
output = PrintTableCmd().output(self.clients)
859
expected_output = """
860
Name Enabled Timeout Last Successful Check
861
foo Yes 00:05:00 2019-02-03T00:00:00
862
barbar Yes 00:05:00 2019-02-04T00:00:00
863
"""[1:-1]
864
self.assertEqual(output, expected_output)
865
def test_verbose(self):
866
output = PrintTableCmd(verbose=True).output(self.clients)
867
expected_output = """
868
Name Enabled Timeout Last Successful Check Created Interval Host Key ID Fingerprint Check Is Running Last Enabled Approval Is Pending Approved By Default Last Approval Request Approval Delay Approval Duration Checker Extended Timeout Expires Last Checker Status
869
foo Yes 00:05:00 2019-02-03T00:00:00 2019-01-02T00:00:00 00:02:00 foo.example.org 92ed150794387c03ce684574b1139a6594a34f895daaaf09fd8ea90a27cddb12 778827225BA7DE539C5A7CFA59CFF7CDBD9A5920 No 2019-01-03T00:00:00 No Yes 00:00:00 00:00:01 fping -q -- %(host)s 00:15:00 2019-02-04T00:00:00 0
870
barbar Yes 00:05:00 2019-02-04T00:00:00 2019-01-03T00:00:00 00:02:00 192.0.2.3 0558568eedd67d622f5c83b35a115f796ab612cff5ad227247e46c2b020f441c 3E393AEAEFB84C7E89E2F547B3A107558FCA3A27 Yes 2019-01-04T00:00:00 No No 2019-01-03T00:00:00 00:00:30 00:00:01 : 00:15:00 2019-02-05T00:00:00 -2
871
"""[1:-1]
872
self.assertEqual(output, expected_output)
873
def test_one_client(self):
874
output = PrintTableCmd().output({"foo": self.clients["foo"]})
875
expected_output = """
876
Name Enabled Timeout Last Successful Check
877
foo Yes 00:05:00 2019-02-03T00:00:00
878
"""[1:-1]
879
self.assertEqual(output, expected_output)
880
881
class TestDumpJSONCmd(TestCmd):
882
def setUp(self):
883
self.expected_json = {
884
"foo": {
885
"Name": "foo",
886
"KeyID": ("92ed150794387c03ce684574b1139a65"
887
"94a34f895daaaf09fd8ea90a27cddb12"),
888
"Host": "foo.example.org",
889
"Enabled": True,
890
"Timeout": 300000,
891
"LastCheckedOK": "2019-02-03T00:00:00",
892
"Created": "2019-01-02T00:00:00",
893
"Interval": 120000,
894
"Fingerprint": ("778827225BA7DE539C5A"
895
"7CFA59CFF7CDBD9A5920"),
896
"CheckerRunning": False,
897
"LastEnabled": "2019-01-03T00:00:00",
898
"ApprovalPending": False,
899
"ApprovedByDefault": True,
900
"LastApprovalRequest": "",
901
"ApprovalDelay": 0,
902
"ApprovalDuration": 1000,
903
"Checker": "fping -q -- %(host)s",
904
"ExtendedTimeout": 900000,
905
"Expires": "2019-02-04T00:00:00",
906
"LastCheckerStatus": 0,
907
},
908
"barbar": {
909
"Name": "barbar",
910
"KeyID": ("0558568eedd67d622f5c83b35a115f79"
911
"6ab612cff5ad227247e46c2b020f441c"),
912
"Host": "192.0.2.3",
913
"Enabled": True,
914
"Timeout": 300000,
915
"LastCheckedOK": "2019-02-04T00:00:00",
916
"Created": "2019-01-03T00:00:00",
917
"Interval": 120000,
918
"Fingerprint": ("3E393AEAEFB84C7E89E2"
919
"F547B3A107558FCA3A27"),
920
"CheckerRunning": True,
921
"LastEnabled": "2019-01-04T00:00:00",
922
"ApprovalPending": False,
923
"ApprovedByDefault": False,
924
"LastApprovalRequest": "2019-01-03T00:00:00",
925
"ApprovalDelay": 30000,
926
"ApprovalDuration": 1000,
927
"Checker": ":",
928
"ExtendedTimeout": 900000,
929
"Expires": "2019-02-05T00:00:00",
930
"LastCheckerStatus": -2,
931
},
932
}
933
return super(TestDumpJSONCmd, self).setUp()
934
def test_normal(self):
935
json_data = json.loads(DumpJSONCmd().output(self.clients))
936
self.assertDictEqual(json_data, self.expected_json)
937
def test_one_client(self):
938
clients = {"foo": self.clients["foo"]}
939
json_data = json.loads(DumpJSONCmd().output(clients))
940
expected_json = {"foo": self.expected_json["foo"]}
941
self.assertDictEqual(json_data, expected_json)
942
943
class TestIsEnabledCmd(TestCmd):
944
def test_is_enabled(self):
945
self.assertTrue(all(IsEnabledCmd().is_enabled(client)
946
for client in self.clients.values()))
947
def test_is_enabled_does_get_attribute(self):
948
client = self.clients["foo"]
949
self.assertTrue(IsEnabledCmd().is_enabled(client))
950
self.assertListEqual(client.calls,
951
[("Get",
952
("se.recompile.Mandos.Client",
953
"Enabled",
954
"org.freedesktop.DBus.Properties"))])
955
def test_is_enabled_run_exits_successfully(self):
956
client = self.clients["foo"]
957
with self.assertRaises(SystemExit) as e:
958
IsEnabledCmd().run_on_one_client(client)
959
if e.exception.code is not None:
960
self.assertEqual(e.exception.code, 0)
961
else:
962
self.assertIsNone(e.exception.code)
963
def test_is_enabled_run_exits_with_failure(self):
964
client = self.clients["foo"]
965
client["Enabled"] = dbus.Boolean(False)
966
with self.assertRaises(SystemExit) as e:
967
IsEnabledCmd().run_on_one_client(client)
968
if isinstance(e.exception.code, int):
969
self.assertNotEqual(e.exception.code, 0)
970
else:
971
self.assertIsNotNone(e.exception.code)
972
973
974
975
def should_only_run_tests():
976
parser = argparse.ArgumentParser(add_help=False)
977
parser.add_argument("--check", action='store_true')
978
args, unknown_args = parser.parse_known_args()
979
run_tests = args.check
980
if run_tests:
981
# Remove --check argument from sys.argv
982
sys.argv[1:] = unknown_args
983
return run_tests
984
985
# Add all tests from doctest strings
986
def load_tests(loader, tests, none):
987
import doctest
988
tests.addTests(doctest.DocTestSuite())
989
return tests
236
#restore stderr
237
os.dup2(stderrcopy, sys.stderr.fileno())
238
os.close(stderrcopy)
239
except dbus.exceptions.DBusException, e:
240
print("Access denied: Accessing mandos server through dbus.",
241
file=sys.stderr)
242
sys.exit(1)
243
244
# Compile dict of (clients: properties) to process
245
clients={}
246
247
if options.all or not client_names:
248
clients = dict((bus.get_object(busname, path), properties)
249
for path, properties in
250
mandos_clients.iteritems())
251
else:
252
for name in client_names:
253
for path, client in mandos_clients.iteritems():
254
if client["Name"] == name:
255
client_objc = bus.get_object(busname, path)
256
clients[client_objc] = client
257
break
258
else:
259
print("Client not found on server: %r" % name,
260
file=sys.stderr)
261
sys.exit(1)
262
263
if not has_actions(options) and clients:
264
if options.verbose:
265
keywords = ("Name", "Enabled", "Timeout",
266
"LastCheckedOK", "Created", "Interval",
267
"Host", "Fingerprint", "CheckerRunning",
268
"LastEnabled", "ApprovalPending",
269
"ApprovedByDefault",
270
"LastApprovalRequest", "ApprovalDelay",
271
"ApprovalDuration", "Checker")
272
else:
273
keywords = defaultkeywords
274
275
print_clients(clients.values(), keywords)
276
else:
277
# Process each client in the list by all selected options
278
for client in clients:
279
if options.remove:
280
mandos_serv.RemoveClient(client.__dbus_object_path__)
281
if options.enable:
282
client.Enable(dbus_interface=client_interface)
283
if options.disable:
284
client.Disable(dbus_interface=client_interface)
285
if options.bump_timeout:
286
client.CheckedOK(dbus_interface=client_interface)
287
if options.start_checker:
288
client.StartChecker(dbus_interface=client_interface)
289
if options.stop_checker:
290
client.StopChecker(dbus_interface=client_interface)
291
if options.is_enabled:
292
sys.exit(0 if client.Get(client_interface,
293
"Enabled",
294
dbus_interface=dbus.PROPERTIES_IFACE)
295
else 1)
296
if options.checker:
297
client.Set(client_interface, "Checker", options.checker,
298
dbus_interface=dbus.PROPERTIES_IFACE)
299
if options.host:
300
client.Set(client_interface, "Host", options.host,
301
dbus_interface=dbus.PROPERTIES_IFACE)
302
if options.interval:
303
client.Set(client_interface, "Interval",
304
timedelta_to_milliseconds
305
(string_to_delta(options.interval)),
306
dbus_interface=dbus.PROPERTIES_IFACE)
307
if options.approval_delay:
308
client.Set(client_interface, "ApprovalDelay",
309
timedelta_to_milliseconds
310
(string_to_delta(options.
311
approval_delay)),
312
dbus_interface=dbus.PROPERTIES_IFACE)
313
if options.approval_duration:
314
client.Set(client_interface, "ApprovalDuration",
315
timedelta_to_milliseconds
316
(string_to_delta(options.
317
approval_duration)),
318
dbus_interface=dbus.PROPERTIES_IFACE)
319
if options.timeout:
320
client.Set(client_interface, "Timeout",
321
timedelta_to_milliseconds
322
(string_to_delta(options.timeout)),
323
dbus_interface=dbus.PROPERTIES_IFACE)
324
if options.secret:
325
client.Set(client_interface, "Secret",
326
dbus.ByteArray(open(options.secret,
327
"rb").read()),
328
dbus_interface=dbus.PROPERTIES_IFACE)
329
if options.approved_by_default is not None:
330
client.Set(client_interface, "ApprovedByDefault",
331
dbus.Boolean(options
332
.approved_by_default),
333
dbus_interface=dbus.PROPERTIES_IFACE)
334
if options.approve:
335
client.Approve(dbus.Boolean(True),
336
dbus_interface=client_interface)
337
elif options.deny:
338
client.Approve(dbus.Boolean(False),
339
dbus_interface=client_interface)
990
340
991
341
if __name__ == "__main__":
992
if should_only_run_tests():
993
# Call using ./tdd-python-script --check [--verbose]
994
unittest.main()
995
else:
996
main()
342
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0