To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 474
- compare with another revision
- download diff
- download tarball
- view history from revision 474
- Committer: teddy at bsnet
- Date: 2011-03-15 19:15:24 UTC
- Revision ID: teddy@fukt.bsnet.se-20110315191524-jc3ajgqu2za7dcly
* mandos: Use the new argparse library instead of optparse.
* debian/control (mandos): Depend on python (<=2.7) | python-argparse
* debian/control (mandos): Depend on python (<=2.7) | python-argparse
- files added:
- DBUS-API
- debian/source
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
31
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import division, with_statement, absolute_import
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
35
36
36
import SocketServer
37
import SocketServer as socketserver
37
38
import socket
38
import optparse
39
import argparse
39
40
import datetime
40
41
import errno
41
42
import gnutls.crypto
44
45
import gnutls.library.functions
45
46
import gnutls.library.constants
46
47
import gnutls.library.types
47
import ConfigParser
48
import ConfigParser as configparser
48
49
import sys
49
50
import re
50
51
import os
51
52
import signal
52
from sets import Set
53
53
import subprocess
54
54
import atexit
55
55
import stat
56
56
import logging
57
57
import logging.handlers
58
58
import pwd
59
from contextlib import closing
59
import contextlib
60
import struct
61
import fcntl
62
import functools
63
import cPickle as pickle
64
import multiprocessing
60
65
61
66
import dbus
62
67
import dbus.service
65
70
from dbus.mainloop.glib import DBusGMainLoop
66
71
import ctypes
67
72
import ctypes.util
73
import xml.dom.minidom
74
import inspect
68
75
69
76
try:
70
77
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
72
79
try:
73
80
from IN import SO_BINDTODEVICE
74
81
except ImportError:
75
# From /usr/include/asm/socket.h
76
SO_BINDTODEVICE = 25
77
78
79
version = "1.0.8"
80
82
SO_BINDTODEVICE = None
83
84
85
version = "1.3.0"
86
87
#logger = logging.getLogger('mandos')
81
88
logger = logging.Logger('mandos')
82
89
syslogger = (logging.handlers.SysLogHandler
83
90
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
84
address = "/dev/log"))
91
address = str("/dev/log")))
85
92
syslogger.setFormatter(logging.Formatter
86
93
('Mandos [%(process)d]: %(levelname)s:'
87
94
' %(message)s'))
89
96
90
97
console = logging.StreamHandler()
91
98
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
92
' %(levelname)s: %(message)s'))
99
' %(levelname)s:'
100
' %(message)s'))
93
101
logger.addHandler(console)
94
102
95
103
class AvahiError(Exception):
122
130
max_renames: integer; maximum number of renames
123
131
rename_count: integer; counter so we only rename after collisions
124
132
a sensible number of times
133
group: D-Bus Entry Group
134
server: D-Bus Server
135
bus: dbus.SystemBus()
125
136
"""
126
137
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
127
138
servicetype = None, port = None, TXT = None,
128
139
domain = "", host = "", max_renames = 32768,
129
protocol = avahi.PROTO_UNSPEC):
140
protocol = avahi.PROTO_UNSPEC, bus = None):
130
141
self.interface = interface
131
142
self.name = name
132
143
self.type = servicetype
137
148
self.rename_count = 0
138
149
self.max_renames = max_renames
139
150
self.protocol = protocol
151
self.group = None # our entry group
152
self.server = None
153
self.bus = bus
140
154
def rename(self):
141
155
"""Derived from the Avahi example code"""
142
156
if self.rename_count >= self.max_renames:
143
logger.critical(u"No suitable Zeroconf service name found"
144
u" after %i retries, exiting.",
157
logger.critical("No suitable Zeroconf service name found"
158
" after %i retries, exiting.",
145
159
self.rename_count)
146
raise AvahiServiceError(u"Too many renames")
147
self.name = server.GetAlternativeServiceName(self.name)
148
logger.info(u"Changing Zeroconf service name to %r ...",
149
str(self.name))
160
raise AvahiServiceError("Too many renames")
161
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
162
logger.info("Changing Zeroconf service name to %r ...",
163
self.name)
150
164
syslogger.setFormatter(logging.Formatter
151
165
('Mandos (%s) [%%(process)d]:'
152
166
' %%(levelname)s: %%(message)s'
153
167
% self.name))
154
168
self.remove()
155
self.add()
169
try:
170
self.add()
171
except dbus.exceptions.DBusException, error:
172
logger.critical("DBusException: %s", error)
173
self.cleanup()
174
os._exit(1)
156
175
self.rename_count += 1
157
176
def remove(self):
158
177
"""Derived from the Avahi example code"""
159
if group is not None:
160
group.Reset()
178
if self.group is not None:
179
self.group.Reset()
161
180
def add(self):
162
181
"""Derived from the Avahi example code"""
163
global group
164
if group is None:
165
group = dbus.Interface(bus.get_object
166
(avahi.DBUS_NAME,
167
server.EntryGroupNew()),
168
avahi.DBUS_INTERFACE_ENTRY_GROUP)
169
group.connect_to_signal('StateChanged',
170
entry_group_state_changed)
171
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
172
service.name, service.type)
173
group.AddService(
174
self.interface, # interface
175
self.protocol, # protocol
176
dbus.UInt32(0), # flags
177
self.name, self.type,
178
self.domain, self.host,
179
dbus.UInt16(self.port),
180
avahi.string_array_to_txt_array(self.TXT))
181
group.Commit()
182
183
# From the Avahi example code:
184
group = None # our entry group
185
# End of Avahi example code
186
187
188
def _datetime_to_dbus(dt, variant_level=0):
189
"""Convert a UTC datetime.datetime() to a D-Bus type."""
190
return dbus.String(dt.isoformat(), variant_level=variant_level)
182
if self.group is None:
183
self.group = dbus.Interface(
184
self.bus.get_object(avahi.DBUS_NAME,
185
self.server.EntryGroupNew()),
186
avahi.DBUS_INTERFACE_ENTRY_GROUP)
187
self.group.connect_to_signal('StateChanged',
188
self
189
.entry_group_state_changed)
190
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
191
self.name, self.type)
192
self.group.AddService(
193
self.interface,
194
self.protocol,
195
dbus.UInt32(0), # flags
196
self.name, self.type,
197
self.domain, self.host,
198
dbus.UInt16(self.port),
199
avahi.string_array_to_txt_array(self.TXT))
200
self.group.Commit()
201
def entry_group_state_changed(self, state, error):
202
"""Derived from the Avahi example code"""
203
logger.debug("Avahi entry group state change: %i", state)
204
205
if state == avahi.ENTRY_GROUP_ESTABLISHED:
206
logger.debug("Zeroconf service established.")
207
elif state == avahi.ENTRY_GROUP_COLLISION:
208
logger.info("Zeroconf service name collision.")
209
self.rename()
210
elif state == avahi.ENTRY_GROUP_FAILURE:
211
logger.critical("Avahi: Error in group state changed %s",
212
unicode(error))
213
raise AvahiGroupError("State changed: %s"
214
% unicode(error))
215
def cleanup(self):
216
"""Derived from the Avahi example code"""
217
if self.group is not None:
218
self.group.Free()
219
self.group = None
220
def server_state_changed(self, state):
221
"""Derived from the Avahi example code"""
222
logger.debug("Avahi server state change: %i", state)
223
if state == avahi.SERVER_COLLISION:
224
logger.error("Zeroconf server name collision")
225
self.remove()
226
elif state == avahi.SERVER_RUNNING:
227
self.add()
228
def activate(self):
229
"""Derived from the Avahi example code"""
230
if self.server is None:
231
self.server = dbus.Interface(
232
self.bus.get_object(avahi.DBUS_NAME,
233
avahi.DBUS_PATH_SERVER),
234
avahi.DBUS_INTERFACE_SERVER)
235
self.server.connect_to_signal("StateChanged",
236
self.server_state_changed)
237
self.server_state_changed(self.server.GetState())
191
238
192
239
193
240
class Client(object):
194
241
"""A representation of a client host served by this server.
195
242
196
243
Attributes:
197
name: string; from the config file, used in log messages and
198
D-Bus identifiers
199
fingerprint: string (40 or 32 hexadecimal digits); used to
200
uniquely identify the client
201
secret: bytestring; sent verbatim (over TLS) to client
202
host: string; available for use by the checker command
203
created: datetime.datetime(); (UTC) object creation
204
last_enabled: datetime.datetime(); (UTC)
205
enabled: bool()
206
last_checked_ok: datetime.datetime(); (UTC) or None
207
timeout: datetime.timedelta(); How long from last_checked_ok
208
until this client is invalid
209
interval: datetime.timedelta(); How often to start a new checker
210
disable_hook: If set, called by disable() as disable_hook(self)
244
_approved: bool(); 'None' if not yet approved/disapproved
245
approval_delay: datetime.timedelta(); Time to wait for approval
246
approval_duration: datetime.timedelta(); Duration of one approval
211
247
checker: subprocess.Popen(); a running checker process used
212
248
to see if the client lives.
213
249
'None' if no process is running.
214
checker_initiator_tag: a gobject event source tag, or None
215
disable_initiator_tag: - '' -
216
checker_callback_tag: - '' -
217
checker_command: string; External command which is run to check if
218
client lives. %() expansions are done at
250
checker_callback_tag: a gobject event source tag, or None
251
checker_command: string; External command which is run to check
252
if client lives. %() expansions are done at
219
253
runtime with vars(self) as dict, so that for
220
254
instance %(name)s can be used in the command.
255
checker_initiator_tag: a gobject event source tag, or None
256
created: datetime.datetime(); (UTC) object creation
221
257
current_checker_command: string; current running checker_command
258
disable_hook: If set, called by disable() as disable_hook(self)
259
disable_initiator_tag: a gobject event source tag, or None
260
enabled: bool()
261
fingerprint: string (40 or 32 hexadecimal digits); used to
262
uniquely identify the client
263
host: string; available for use by the checker command
264
interval: datetime.timedelta(); How often to start a new checker
265
last_approval_request: datetime.datetime(); (UTC) or None
266
last_checked_ok: datetime.datetime(); (UTC) or None
267
last_enabled: datetime.datetime(); (UTC)
268
name: string; from the config file, used in log messages and
269
D-Bus identifiers
270
secret: bytestring; sent verbatim (over TLS) to client
271
timeout: datetime.timedelta(); How long from last_checked_ok
272
until this client is disabled
273
runtime_expansions: Allowed attributes for runtime expansion.
222
274
"""
275
276
runtime_expansions = ("approval_delay", "approval_duration",
277
"created", "enabled", "fingerprint",
278
"host", "interval", "last_checked_ok",
279
"last_enabled", "name", "timeout")
280
281
@staticmethod
282
def _timedelta_to_milliseconds(td):
283
"Convert a datetime.timedelta() to milliseconds"
284
return ((td.days * 24 * 60 * 60 * 1000)
285
+ (td.seconds * 1000)
286
+ (td.microseconds // 1000))
287
223
288
def timeout_milliseconds(self):
224
289
"Return the 'timeout' attribute in milliseconds"
225
return ((self.timeout.days * 24 * 60 * 60 * 1000)
226
+ (self.timeout.seconds * 1000)
227
+ (self.timeout.microseconds // 1000))
290
return self._timedelta_to_milliseconds(self.timeout)
228
291
229
292
def interval_milliseconds(self):
230
293
"Return the 'interval' attribute in milliseconds"
231
return ((self.interval.days * 24 * 60 * 60 * 1000)
232
+ (self.interval.seconds * 1000)
233
+ (self.interval.microseconds // 1000))
294
return self._timedelta_to_milliseconds(self.interval)
295
296
def approval_delay_milliseconds(self):
297
return self._timedelta_to_milliseconds(self.approval_delay)
234
298
235
299
def __init__(self, name = None, disable_hook=None, config=None):
236
300
"""Note: the 'checker' key in 'config' sets the
239
303
self.name = name
240
304
if config is None:
241
305
config = {}
242
logger.debug(u"Creating client %r", self.name)
306
logger.debug("Creating client %r", self.name)
243
307
# Uppercase and remove spaces from fingerprint for later
244
308
# comparison purposes with return value from the fingerprint()
245
309
# function
246
310
self.fingerprint = (config["fingerprint"].upper()
247
.replace(u" ", u""))
248
logger.debug(u" Fingerprint: %s", self.fingerprint)
311
.replace(" ", ""))
312
logger.debug(" Fingerprint: %s", self.fingerprint)
249
313
if "secret" in config:
250
self.secret = config["secret"].decode(u"base64")
314
self.secret = config["secret"].decode("base64")
251
315
elif "secfile" in config:
252
with closing(open(os.path.expanduser
253
(os.path.expandvars
254
(config["secfile"])))) as secfile:
316
with open(os.path.expanduser(os.path.expandvars
317
(config["secfile"])),
318
"rb") as secfile:
255
319
self.secret = secfile.read()
256
320
else:
257
raise TypeError(u"No secret or secfile for client %s"
321
raise TypeError("No secret or secfile for client %s"
258
322
% self.name)
259
323
self.host = config.get("host", "")
260
324
self.created = datetime.datetime.utcnow()
261
325
self.enabled = False
326
self.last_approval_request = None
262
327
self.last_enabled = None
263
328
self.last_checked_ok = None
264
329
self.timeout = string_to_delta(config["timeout"])
271
336
self.checker_command = config["checker"]
272
337
self.current_checker_command = None
273
338
self.last_connect = None
339
self._approved = None
340
self.approved_by_default = config.get("approved_by_default",
341
True)
342
self.approvals_pending = 0
343
self.approval_delay = string_to_delta(
344
config["approval_delay"])
345
self.approval_duration = string_to_delta(
346
config["approval_duration"])
347
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
274
348
349
def send_changedstate(self):
350
self.changedstate.acquire()
351
self.changedstate.notify_all()
352
self.changedstate.release()
353
275
354
def enable(self):
276
355
"""Start this client's checker and timeout hooks"""
356
if getattr(self, "enabled", False):
357
# Already enabled
358
return
359
self.send_changedstate()
277
360
self.last_enabled = datetime.datetime.utcnow()
278
361
# Schedule a new checker to be started an 'interval' from now,
279
362
# and every interval from then on.
280
363
self.checker_initiator_tag = (gobject.timeout_add
281
364
(self.interval_milliseconds(),
282
365
self.start_checker))
283
# Also start a new checker *right now*.
284
self.start_checker()
285
366
# Schedule a disable() when 'timeout' has passed
286
367
self.disable_initiator_tag = (gobject.timeout_add
287
368
(self.timeout_milliseconds(),
288
369
self.disable))
289
370
self.enabled = True
371
# Also start a new checker *right now*.
372
self.start_checker()
290
373
291
def disable(self):
374
def disable(self, quiet=True):
292
375
"""Disable this client."""
293
376
if not getattr(self, "enabled", False):
294
377
return False
295
logger.info(u"Disabling client %s", self.name)
378
if not quiet:
379
self.send_changedstate()
380
if not quiet:
381
logger.info("Disabling client %s", self.name)
296
382
if getattr(self, "disable_initiator_tag", False):
297
383
gobject.source_remove(self.disable_initiator_tag)
298
384
self.disable_initiator_tag = None
317
403
if os.WIFEXITED(condition):
318
404
exitstatus = os.WEXITSTATUS(condition)
319
405
if exitstatus == 0:
320
logger.info(u"Checker for %(name)s succeeded",
406
logger.info("Checker for %(name)s succeeded",
321
407
vars(self))
322
408
self.checked_ok()
323
409
else:
324
logger.info(u"Checker for %(name)s failed",
410
logger.info("Checker for %(name)s failed",
325
411
vars(self))
326
412
else:
327
logger.warning(u"Checker for %(name)s crashed?",
413
logger.warning("Checker for %(name)s crashed?",
328
414
vars(self))
329
415
330
416
def checked_ok(self):
339
425
(self.timeout_milliseconds(),
340
426
self.disable))
341
427
428
def need_approval(self):
429
self.last_approval_request = datetime.datetime.utcnow()
430
342
431
def start_checker(self):
343
432
"""Start a new checker subprocess if one is not running.
344
433
350
439
# client would inevitably timeout, since no checker would get
351
440
# a chance to run to completion. If we instead leave running
352
441
# checkers alone, the checker would have to take more time
353
# than 'timeout' for the client to be declared invalid, which
354
# is as it should be.
442
# than 'timeout' for the client to be disabled, which is as it
443
# should be.
355
444
356
445
# If a checker exists, make sure it is not a zombie
357
if self.checker is not None:
446
try:
358
447
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
448
except (AttributeError, OSError), error:
449
if (isinstance(error, OSError)
450
and error.errno != errno.ECHILD):
451
raise error
452
else:
359
453
if pid:
360
454
logger.warning("Checker was a zombie")
361
455
gobject.source_remove(self.checker_callback_tag)
368
462
command = self.checker_command % self.host
369
463
except TypeError:
370
464
# Escape attributes for the shell
371
escaped_attrs = dict((key, re.escape(str(val)))
372
for key, val in
373
vars(self).iteritems())
465
escaped_attrs = dict(
466
(attr,
467
re.escape(unicode(str(getattr(self, attr, "")),
468
errors=
469
'replace')))
470
for attr in
471
self.runtime_expansions)
472
374
473
try:
375
474
command = self.checker_command % escaped_attrs
376
475
except TypeError, error:
377
logger.error(u'Could not format string "%s":'
378
u' %s', self.checker_command, error)
476
logger.error('Could not format string "%s":'
477
' %s', self.checker_command, error)
379
478
return True # Try again later
380
479
self.current_checker_command = command
381
480
try:
382
logger.info(u"Starting checker %r for %s",
481
logger.info("Starting checker %r for %s",
383
482
command, self.name)
384
483
# We don't need to redirect stdout and stderr, since
385
484
# in normal mode, that is already done by daemon(),
399
498
gobject.source_remove(self.checker_callback_tag)
400
499
self.checker_callback(pid, status, command)
401
500
except OSError, error:
402
logger.error(u"Failed to start subprocess: %s",
501
logger.error("Failed to start subprocess: %s",
403
502
error)
404
503
# Re-run this periodically if run by gobject.timeout_add
405
504
return True
411
510
self.checker_callback_tag = None
412
511
if getattr(self, "checker", None) is None:
413
512
return
414
logger.debug(u"Stopping checker for %(name)s", vars(self))
513
logger.debug("Stopping checker for %(name)s", vars(self))
415
514
try:
416
515
os.kill(self.checker.pid, signal.SIGTERM)
417
#os.sleep(0.5)
516
#time.sleep(0.5)
418
517
#if self.checker.poll() is None:
419
518
# os.kill(self.checker.pid, signal.SIGKILL)
420
519
except OSError, error:
421
520
if error.errno != errno.ESRCH: # No such process
422
521
raise
423
522
self.checker = None
424
425
def still_valid(self):
426
"""Has the timeout not yet passed for this client?"""
427
if not getattr(self, "enabled", False):
428
return False
429
now = datetime.datetime.utcnow()
430
if self.last_checked_ok is None:
431
return now < (self.created + self.timeout)
432
else:
433
return now < (self.last_checked_ok + self.timeout)
434
435
436
class ClientDBus(Client, dbus.service.Object):
523
524
def dbus_service_property(dbus_interface, signature="v",
525
access="readwrite", byte_arrays=False):
526
"""Decorators for marking methods of a DBusObjectWithProperties to
527
become properties on the D-Bus.
528
529
The decorated method will be called with no arguments by "Get"
530
and with one argument by "Set".
531
532
The parameters, where they are supported, are the same as
533
dbus.service.method, except there is only "signature", since the
534
type from Get() and the type sent to Set() is the same.
535
"""
536
# Encoding deeply encoded byte arrays is not supported yet by the
537
# "Set" method, so we fail early here:
538
if byte_arrays and signature != "ay":
539
raise ValueError("Byte arrays not supported for non-'ay'"
540
" signature %r" % signature)
541
def decorator(func):
542
func._dbus_is_property = True
543
func._dbus_interface = dbus_interface
544
func._dbus_signature = signature
545
func._dbus_access = access
546
func._dbus_name = func.__name__
547
if func._dbus_name.endswith("_dbus_property"):
548
func._dbus_name = func._dbus_name[:-14]
549
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
550
return func
551
return decorator
552
553
554
class DBusPropertyException(dbus.exceptions.DBusException):
555
"""A base class for D-Bus property-related exceptions
556
"""
557
def __unicode__(self):
558
return unicode(str(self))
559
560
561
class DBusPropertyAccessException(DBusPropertyException):
562
"""A property's access permissions disallows an operation.
563
"""
564
pass
565
566
567
class DBusPropertyNotFound(DBusPropertyException):
568
"""An attempt was made to access a non-existing property.
569
"""
570
pass
571
572
573
class DBusObjectWithProperties(dbus.service.Object):
574
"""A D-Bus object with properties.
575
576
Classes inheriting from this can use the dbus_service_property
577
decorator to expose methods as D-Bus properties. It exposes the
578
standard Get(), Set(), and GetAll() methods on the D-Bus.
579
"""
580
581
@staticmethod
582
def _is_dbus_property(obj):
583
return getattr(obj, "_dbus_is_property", False)
584
585
def _get_all_dbus_properties(self):
586
"""Returns a generator of (name, attribute) pairs
587
"""
588
return ((prop._dbus_name, prop)
589
for name, prop in
590
inspect.getmembers(self, self._is_dbus_property))
591
592
def _get_dbus_property(self, interface_name, property_name):
593
"""Returns a bound method if one exists which is a D-Bus
594
property with the specified name and interface.
595
"""
596
for name in (property_name,
597
property_name + "_dbus_property"):
598
prop = getattr(self, name, None)
599
if (prop is None
600
or not self._is_dbus_property(prop)
601
or prop._dbus_name != property_name
602
or (interface_name and prop._dbus_interface
603
and interface_name != prop._dbus_interface)):
604
continue
605
return prop
606
# No such property
607
raise DBusPropertyNotFound(self.dbus_object_path + ":"
608
+ interface_name + "."
609
+ property_name)
610
611
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
612
out_signature="v")
613
def Get(self, interface_name, property_name):
614
"""Standard D-Bus property Get() method, see D-Bus standard.
615
"""
616
prop = self._get_dbus_property(interface_name, property_name)
617
if prop._dbus_access == "write":
618
raise DBusPropertyAccessException(property_name)
619
value = prop()
620
if not hasattr(value, "variant_level"):
621
return value
622
return type(value)(value, variant_level=value.variant_level+1)
623
624
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
625
def Set(self, interface_name, property_name, value):
626
"""Standard D-Bus property Set() method, see D-Bus standard.
627
"""
628
prop = self._get_dbus_property(interface_name, property_name)
629
if prop._dbus_access == "read":
630
raise DBusPropertyAccessException(property_name)
631
if prop._dbus_get_args_options["byte_arrays"]:
632
# The byte_arrays option is not supported yet on
633
# signatures other than "ay".
634
if prop._dbus_signature != "ay":
635
raise ValueError
636
value = dbus.ByteArray(''.join(unichr(byte)
637
for byte in value))
638
prop(value)
639
640
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
641
out_signature="a{sv}")
642
def GetAll(self, interface_name):
643
"""Standard D-Bus property GetAll() method, see D-Bus
644
standard.
645
646
Note: Will not include properties with access="write".
647
"""
648
all = {}
649
for name, prop in self._get_all_dbus_properties():
650
if (interface_name
651
and interface_name != prop._dbus_interface):
652
# Interface non-empty but did not match
653
continue
654
# Ignore write-only properties
655
if prop._dbus_access == "write":
656
continue
657
value = prop()
658
if not hasattr(value, "variant_level"):
659
all[name] = value
660
continue
661
all[name] = type(value)(value, variant_level=
662
value.variant_level+1)
663
return dbus.Dictionary(all, signature="sv")
664
665
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
666
out_signature="s",
667
path_keyword='object_path',
668
connection_keyword='connection')
669
def Introspect(self, object_path, connection):
670
"""Standard D-Bus method, overloaded to insert property tags.
671
"""
672
xmlstring = dbus.service.Object.Introspect(self, object_path,
673
connection)
674
try:
675
document = xml.dom.minidom.parseString(xmlstring)
676
def make_tag(document, name, prop):
677
e = document.createElement("property")
678
e.setAttribute("name", name)
679
e.setAttribute("type", prop._dbus_signature)
680
e.setAttribute("access", prop._dbus_access)
681
return e
682
for if_tag in document.getElementsByTagName("interface"):
683
for tag in (make_tag(document, name, prop)
684
for name, prop
685
in self._get_all_dbus_properties()
686
if prop._dbus_interface
687
== if_tag.getAttribute("name")):
688
if_tag.appendChild(tag)
689
# Add the names to the return values for the
690
# "org.freedesktop.DBus.Properties" methods
691
if (if_tag.getAttribute("name")
692
== "org.freedesktop.DBus.Properties"):
693
for cn in if_tag.getElementsByTagName("method"):
694
if cn.getAttribute("name") == "Get":
695
for arg in cn.getElementsByTagName("arg"):
696
if (arg.getAttribute("direction")
697
== "out"):
698
arg.setAttribute("name", "value")
699
elif cn.getAttribute("name") == "GetAll":
700
for arg in cn.getElementsByTagName("arg"):
701
if (arg.getAttribute("direction")
702
== "out"):
703
arg.setAttribute("name", "props")
704
xmlstring = document.toxml("utf-8")
705
document.unlink()
706
except (AttributeError, xml.dom.DOMException,
707
xml.parsers.expat.ExpatError), error:
708
logger.error("Failed to override Introspection method",
709
error)
710
return xmlstring
711
712
713
class ClientDBus(Client, DBusObjectWithProperties):
437
714
"""A Client class using D-Bus
438
715
439
716
Attributes:
440
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
717
dbus_object_path: dbus.ObjectPath
718
bus: dbus.SystemBus()
441
719
"""
720
721
runtime_expansions = (Client.runtime_expansions
722
+ ("dbus_object_path",))
723
442
724
# dbus.service.Object doesn't use super(), so we can't either.
443
725
444
def __init__(self, *args, **kwargs):
726
def __init__(self, bus = None, *args, **kwargs):
727
self._approvals_pending = 0
728
self.bus = bus
445
729
Client.__init__(self, *args, **kwargs)
446
730
# Only now, when this client is initialized, can it show up on
447
731
# the D-Bus
732
client_object_name = unicode(self.name).translate(
733
{ord("."): ord("_"),
734
ord("-"): ord("_")})
448
735
self.dbus_object_path = (dbus.ObjectPath
449
("/clients/"
450
+ self.name.replace(".", "_")))
451
dbus.service.Object.__init__(self, bus,
452
self.dbus_object_path)
736
("/clients/" + client_object_name))
737
DBusObjectWithProperties.__init__(self, self.bus,
738
self.dbus_object_path)
739
740
def _get_approvals_pending(self):
741
return self._approvals_pending
742
def _set_approvals_pending(self, value):
743
old_value = self._approvals_pending
744
self._approvals_pending = value
745
bval = bool(value)
746
if (hasattr(self, "dbus_object_path")
747
and bval is not bool(old_value)):
748
dbus_bool = dbus.Boolean(bval, variant_level=1)
749
self.PropertyChanged(dbus.String("ApprovalPending"),
750
dbus_bool)
751
752
approvals_pending = property(_get_approvals_pending,
753
_set_approvals_pending)
754
del _get_approvals_pending, _set_approvals_pending
755
756
@staticmethod
757
def _datetime_to_dbus(dt, variant_level=0):
758
"""Convert a UTC datetime.datetime() to a D-Bus type."""
759
return dbus.String(dt.isoformat(),
760
variant_level=variant_level)
761
453
762
def enable(self):
454
763
oldstate = getattr(self, "enabled", False)
455
764
r = Client.enable(self)
456
765
if oldstate != self.enabled:
457
766
# Emit D-Bus signals
458
self.PropertyChanged(dbus.String(u"enabled"),
767
self.PropertyChanged(dbus.String("Enabled"),
459
768
dbus.Boolean(True, variant_level=1))
460
self.PropertyChanged(dbus.String(u"last_enabled"),
461
(_datetime_to_dbus(self.last_enabled,
462
variant_level=1)))
769
self.PropertyChanged(
770
dbus.String("LastEnabled"),
771
self._datetime_to_dbus(self.last_enabled,
772
variant_level=1))
463
773
return r
464
774
465
def disable(self, signal = True):
775
def disable(self, quiet = False):
466
776
oldstate = getattr(self, "enabled", False)
467
r = Client.disable(self)
468
if signal and oldstate != self.enabled:
777
r = Client.disable(self, quiet=quiet)
778
if not quiet and oldstate != self.enabled:
469
779
# Emit D-Bus signal
470
self.PropertyChanged(dbus.String(u"enabled"),
780
self.PropertyChanged(dbus.String("Enabled"),
471
781
dbus.Boolean(False, variant_level=1))
472
782
return r
473
783
476
786
self.remove_from_connection()
477
787
except LookupError:
478
788
pass
479
if hasattr(dbus.service.Object, "__del__"):
480
dbus.service.Object.__del__(self, *args, **kwargs)
789
if hasattr(DBusObjectWithProperties, "__del__"):
790
DBusObjectWithProperties.__del__(self, *args, **kwargs)
481
791
Client.__del__(self, *args, **kwargs)
482
792
483
793
def checker_callback(self, pid, condition, command,
485
795
self.checker_callback_tag = None
486
796
self.checker = None
487
797
# Emit D-Bus signal
488
self.PropertyChanged(dbus.String(u"checker_running"),
798
self.PropertyChanged(dbus.String("CheckerRunning"),
489
799
dbus.Boolean(False, variant_level=1))
490
800
if os.WIFEXITED(condition):
491
801
exitstatus = os.WEXITSTATUS(condition)
506
816
r = Client.checked_ok(self, *args, **kwargs)
507
817
# Emit D-Bus signal
508
818
self.PropertyChanged(
509
dbus.String(u"last_checked_ok"),
510
(_datetime_to_dbus(self.last_checked_ok,
511
variant_level=1)))
819
dbus.String("LastCheckedOK"),
820
(self._datetime_to_dbus(self.last_checked_ok,
821
variant_level=1)))
822
return r
823
824
def need_approval(self, *args, **kwargs):
825
r = Client.need_approval(self, *args, **kwargs)
826
# Emit D-Bus signal
827
self.PropertyChanged(
828
dbus.String("LastApprovalRequest"),
829
(self._datetime_to_dbus(self.last_approval_request,
830
variant_level=1)))
512
831
return r
513
832
514
833
def start_checker(self, *args, **kwargs):
524
843
# Emit D-Bus signal
525
844
self.CheckerStarted(self.current_checker_command)
526
845
self.PropertyChanged(
527
dbus.String("checker_running"),
846
dbus.String("CheckerRunning"),
528
847
dbus.Boolean(True, variant_level=1))
529
848
return r
530
849
533
852
r = Client.stop_checker(self, *args, **kwargs)
534
853
if (old_checker is not None
535
854
and getattr(self, "checker", None) is None):
536
self.PropertyChanged(dbus.String(u"checker_running"),
855
self.PropertyChanged(dbus.String("CheckerRunning"),
537
856
dbus.Boolean(False, variant_level=1))
538
857
return r
539
540
## D-Bus methods & signals
541
_interface = u"se.bsnet.fukt.Mandos.Client"
542
543
# CheckedOK - method
544
CheckedOK = dbus.service.method(_interface)(checked_ok)
545
CheckedOK.__name__ = "CheckedOK"
858
859
def _reset_approved(self):
860
self._approved = None
861
return False
862
863
def approve(self, value=True):
864
self.send_changedstate()
865
self._approved = value
866
gobject.timeout_add(self._timedelta_to_milliseconds
867
(self.approval_duration),
868
self._reset_approved)
869
870
871
## D-Bus methods, signals & properties
872
_interface = "se.bsnet.fukt.Mandos.Client"
873
874
## Signals
546
875
547
876
# CheckerCompleted - signal
548
877
@dbus.service.signal(_interface, signature="nxs")
556
885
"D-Bus signal"
557
886
pass
558
887
559
# GetAllProperties - method
560
@dbus.service.method(_interface, out_signature="a{sv}")
561
def GetAllProperties(self):
562
"D-Bus method"
563
return dbus.Dictionary({
564
dbus.String("name"):
565
dbus.String(self.name, variant_level=1),
566
dbus.String("fingerprint"):
567
dbus.String(self.fingerprint, variant_level=1),
568
dbus.String("host"):
569
dbus.String(self.host, variant_level=1),
570
dbus.String("created"):
571
_datetime_to_dbus(self.created, variant_level=1),
572
dbus.String("last_enabled"):
573
(_datetime_to_dbus(self.last_enabled,
574
variant_level=1)
575
if self.last_enabled is not None
576
else dbus.Boolean(False, variant_level=1)),
577
dbus.String("enabled"):
578
dbus.Boolean(self.enabled, variant_level=1),
579
dbus.String("last_checked_ok"):
580
(_datetime_to_dbus(self.last_checked_ok,
581
variant_level=1)
582
if self.last_checked_ok is not None
583
else dbus.Boolean (False, variant_level=1)),
584
dbus.String("timeout"):
585
dbus.UInt64(self.timeout_milliseconds(),
586
variant_level=1),
587
dbus.String("interval"):
588
dbus.UInt64(self.interval_milliseconds(),
589
variant_level=1),
590
dbus.String("checker"):
591
dbus.String(self.checker_command,
592
variant_level=1),
593
dbus.String("checker_running"):
594
dbus.Boolean(self.checker is not None,
595
variant_level=1),
596
dbus.String("object_path"):
597
dbus.ObjectPath(self.dbus_object_path,
598
variant_level=1)
599
}, signature="sv")
600
601
# IsStillValid - method
602
@dbus.service.method(_interface, out_signature="b")
603
def IsStillValid(self):
604
return self.still_valid()
605
606
888
# PropertyChanged - signal
607
889
@dbus.service.signal(_interface, signature="sv")
608
890
def PropertyChanged(self, property, value):
609
891
"D-Bus signal"
610
892
pass
611
893
612
# ReceivedSecret - signal
894
# GotSecret - signal
613
895
@dbus.service.signal(_interface)
614
def ReceivedSecret(self):
615
"D-Bus signal"
896
def GotSecret(self):
897
"""D-Bus signal
898
Is sent after a successful transfer of secret from the Mandos
899
server to mandos-client
900
"""
616
901
pass
617
902
618
903
# Rejected - signal
619
@dbus.service.signal(_interface)
620
def Rejected(self):
904
@dbus.service.signal(_interface, signature="s")
905
def Rejected(self, reason):
621
906
"D-Bus signal"
622
907
pass
623
908
624
# SetChecker - method
625
@dbus.service.method(_interface, in_signature="s")
626
def SetChecker(self, checker):
627
"D-Bus setter method"
628
self.checker_command = checker
629
# Emit D-Bus signal
630
self.PropertyChanged(dbus.String(u"checker"),
631
dbus.String(self.checker_command,
632
variant_level=1))
633
634
# SetHost - method
635
@dbus.service.method(_interface, in_signature="s")
636
def SetHost(self, host):
637
"D-Bus setter method"
638
self.host = host
639
# Emit D-Bus signal
640
self.PropertyChanged(dbus.String(u"host"),
641
dbus.String(self.host, variant_level=1))
642
643
# SetInterval - method
644
@dbus.service.method(_interface, in_signature="t")
645
def SetInterval(self, milliseconds):
646
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
647
# Emit D-Bus signal
648
self.PropertyChanged(dbus.String(u"interval"),
649
(dbus.UInt64(self.interval_milliseconds(),
650
variant_level=1)))
651
652
# SetSecret - method
653
@dbus.service.method(_interface, in_signature="ay",
654
byte_arrays=True)
655
def SetSecret(self, secret):
656
"D-Bus setter method"
657
self.secret = str(secret)
658
659
# SetTimeout - method
660
@dbus.service.method(_interface, in_signature="t")
661
def SetTimeout(self, milliseconds):
662
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
663
# Emit D-Bus signal
664
self.PropertyChanged(dbus.String(u"timeout"),
665
(dbus.UInt64(self.timeout_milliseconds(),
666
variant_level=1)))
909
# NeedApproval - signal
910
@dbus.service.signal(_interface, signature="tb")
911
def NeedApproval(self, timeout, default):
912
"D-Bus signal"
913
return self.need_approval()
914
915
## Methods
916
917
# Approve - method
918
@dbus.service.method(_interface, in_signature="b")
919
def Approve(self, value):
920
self.approve(value)
921
922
# CheckedOK - method
923
@dbus.service.method(_interface)
924
def CheckedOK(self):
925
return self.checked_ok()
667
926
668
927
# Enable - method
669
Enable = dbus.service.method(_interface)(enable)
670
Enable.__name__ = "Enable"
928
@dbus.service.method(_interface)
929
def Enable(self):
930
"D-Bus method"
931
self.enable()
671
932
672
933
# StartChecker - method
673
934
@dbus.service.method(_interface)
682
943
self.disable()
683
944
684
945
# StopChecker - method
685
StopChecker = dbus.service.method(_interface)(stop_checker)
686
StopChecker.__name__ = "StopChecker"
946
@dbus.service.method(_interface)
947
def StopChecker(self):
948
self.stop_checker()
949
950
## Properties
951
952
# ApprovalPending - property
953
@dbus_service_property(_interface, signature="b", access="read")
954
def ApprovalPending_dbus_property(self):
955
return dbus.Boolean(bool(self.approvals_pending))
956
957
# ApprovedByDefault - property
958
@dbus_service_property(_interface, signature="b",
959
access="readwrite")
960
def ApprovedByDefault_dbus_property(self, value=None):
961
if value is None: # get
962
return dbus.Boolean(self.approved_by_default)
963
self.approved_by_default = bool(value)
964
# Emit D-Bus signal
965
self.PropertyChanged(dbus.String("ApprovedByDefault"),
966
dbus.Boolean(value, variant_level=1))
967
968
# ApprovalDelay - property
969
@dbus_service_property(_interface, signature="t",
970
access="readwrite")
971
def ApprovalDelay_dbus_property(self, value=None):
972
if value is None: # get
973
return dbus.UInt64(self.approval_delay_milliseconds())
974
self.approval_delay = datetime.timedelta(0, 0, 0, value)
975
# Emit D-Bus signal
976
self.PropertyChanged(dbus.String("ApprovalDelay"),
977
dbus.UInt64(value, variant_level=1))
978
979
# ApprovalDuration - property
980
@dbus_service_property(_interface, signature="t",
981
access="readwrite")
982
def ApprovalDuration_dbus_property(self, value=None):
983
if value is None: # get
984
return dbus.UInt64(self._timedelta_to_milliseconds(
985
self.approval_duration))
986
self.approval_duration = datetime.timedelta(0, 0, 0, value)
987
# Emit D-Bus signal
988
self.PropertyChanged(dbus.String("ApprovalDuration"),
989
dbus.UInt64(value, variant_level=1))
990
991
# Name - property
992
@dbus_service_property(_interface, signature="s", access="read")
993
def Name_dbus_property(self):
994
return dbus.String(self.name)
995
996
# Fingerprint - property
997
@dbus_service_property(_interface, signature="s", access="read")
998
def Fingerprint_dbus_property(self):
999
return dbus.String(self.fingerprint)
1000
1001
# Host - property
1002
@dbus_service_property(_interface, signature="s",
1003
access="readwrite")
1004
def Host_dbus_property(self, value=None):
1005
if value is None: # get
1006
return dbus.String(self.host)
1007
self.host = value
1008
# Emit D-Bus signal
1009
self.PropertyChanged(dbus.String("Host"),
1010
dbus.String(value, variant_level=1))
1011
1012
# Created - property
1013
@dbus_service_property(_interface, signature="s", access="read")
1014
def Created_dbus_property(self):
1015
return dbus.String(self._datetime_to_dbus(self.created))
1016
1017
# LastEnabled - property
1018
@dbus_service_property(_interface, signature="s", access="read")
1019
def LastEnabled_dbus_property(self):
1020
if self.last_enabled is None:
1021
return dbus.String("")
1022
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1023
1024
# Enabled - property
1025
@dbus_service_property(_interface, signature="b",
1026
access="readwrite")
1027
def Enabled_dbus_property(self, value=None):
1028
if value is None: # get
1029
return dbus.Boolean(self.enabled)
1030
if value:
1031
self.enable()
1032
else:
1033
self.disable()
1034
1035
# LastCheckedOK - property
1036
@dbus_service_property(_interface, signature="s",
1037
access="readwrite")
1038
def LastCheckedOK_dbus_property(self, value=None):
1039
if value is not None:
1040
self.checked_ok()
1041
return
1042
if self.last_checked_ok is None:
1043
return dbus.String("")
1044
return dbus.String(self._datetime_to_dbus(self
1045
.last_checked_ok))
1046
1047
# LastApprovalRequest - property
1048
@dbus_service_property(_interface, signature="s", access="read")
1049
def LastApprovalRequest_dbus_property(self):
1050
if self.last_approval_request is None:
1051
return dbus.String("")
1052
return dbus.String(self.
1053
_datetime_to_dbus(self
1054
.last_approval_request))
1055
1056
# Timeout - property
1057
@dbus_service_property(_interface, signature="t",
1058
access="readwrite")
1059
def Timeout_dbus_property(self, value=None):
1060
if value is None: # get
1061
return dbus.UInt64(self.timeout_milliseconds())
1062
self.timeout = datetime.timedelta(0, 0, 0, value)
1063
# Emit D-Bus signal
1064
self.PropertyChanged(dbus.String("Timeout"),
1065
dbus.UInt64(value, variant_level=1))
1066
if getattr(self, "disable_initiator_tag", None) is None:
1067
return
1068
# Reschedule timeout
1069
gobject.source_remove(self.disable_initiator_tag)
1070
self.disable_initiator_tag = None
1071
time_to_die = (self.
1072
_timedelta_to_milliseconds((self
1073
.last_checked_ok
1074
+ self.timeout)
1075
- datetime.datetime
1076
.utcnow()))
1077
if time_to_die <= 0:
1078
# The timeout has passed
1079
self.disable()
1080
else:
1081
self.disable_initiator_tag = (gobject.timeout_add
1082
(time_to_die, self.disable))
1083
1084
# Interval - property
1085
@dbus_service_property(_interface, signature="t",
1086
access="readwrite")
1087
def Interval_dbus_property(self, value=None):
1088
if value is None: # get
1089
return dbus.UInt64(self.interval_milliseconds())
1090
self.interval = datetime.timedelta(0, 0, 0, value)
1091
# Emit D-Bus signal
1092
self.PropertyChanged(dbus.String("Interval"),
1093
dbus.UInt64(value, variant_level=1))
1094
if getattr(self, "checker_initiator_tag", None) is None:
1095
return
1096
# Reschedule checker run
1097
gobject.source_remove(self.checker_initiator_tag)
1098
self.checker_initiator_tag = (gobject.timeout_add
1099
(value, self.start_checker))
1100
self.start_checker() # Start one now, too
1101
1102
# Checker - property
1103
@dbus_service_property(_interface, signature="s",
1104
access="readwrite")
1105
def Checker_dbus_property(self, value=None):
1106
if value is None: # get
1107
return dbus.String(self.checker_command)
1108
self.checker_command = value
1109
# Emit D-Bus signal
1110
self.PropertyChanged(dbus.String("Checker"),
1111
dbus.String(self.checker_command,
1112
variant_level=1))
1113
1114
# CheckerRunning - property
1115
@dbus_service_property(_interface, signature="b",
1116
access="readwrite")
1117
def CheckerRunning_dbus_property(self, value=None):
1118
if value is None: # get
1119
return dbus.Boolean(self.checker is not None)
1120
if value:
1121
self.start_checker()
1122
else:
1123
self.stop_checker()
1124
1125
# ObjectPath - property
1126
@dbus_service_property(_interface, signature="o", access="read")
1127
def ObjectPath_dbus_property(self):
1128
return self.dbus_object_path # is already a dbus.ObjectPath
1129
1130
# Secret = property
1131
@dbus_service_property(_interface, signature="ay",
1132
access="write", byte_arrays=True)
1133
def Secret_dbus_property(self, value):
1134
self.secret = str(value)
687
1135
688
1136
del _interface
689
1137
690
1138
691
class ClientHandler(SocketServer.BaseRequestHandler, object):
1139
class ProxyClient(object):
1140
def __init__(self, child_pipe, fpr, address):
1141
self._pipe = child_pipe
1142
self._pipe.send(('init', fpr, address))
1143
if not self._pipe.recv():
1144
raise KeyError()
1145
1146
def __getattribute__(self, name):
1147
if(name == '_pipe'):
1148
return super(ProxyClient, self).__getattribute__(name)
1149
self._pipe.send(('getattr', name))
1150
data = self._pipe.recv()
1151
if data[0] == 'data':
1152
return data[1]
1153
if data[0] == 'function':
1154
def func(*args, **kwargs):
1155
self._pipe.send(('funcall', name, args, kwargs))
1156
return self._pipe.recv()[1]
1157
return func
1158
1159
def __setattr__(self, name, value):
1160
if(name == '_pipe'):
1161
return super(ProxyClient, self).__setattr__(name, value)
1162
self._pipe.send(('setattr', name, value))
1163
1164
1165
class ClientHandler(socketserver.BaseRequestHandler, object):
692
1166
"""A class to handle client connections.
693
1167
694
1168
Instantiated once for each connection to handle it.
695
1169
Note: This will run in its own forked process."""
696
1170
697
1171
def handle(self):
698
logger.info(u"TCP connection from: %s",
699
unicode(self.client_address))
700
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
701
# Open IPC pipe to parent process
702
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
1172
with contextlib.closing(self.server.child_pipe) as child_pipe:
1173
logger.info("TCP connection from: %s",
1174
unicode(self.client_address))
1175
logger.debug("Pipe FD: %d",
1176
self.server.child_pipe.fileno())
1177
703
1178
session = (gnutls.connection
704
1179
.ClientSession(self.request,
705
1180
gnutls.connection
706
1181
.X509Credentials()))
707
708
line = self.request.makefile().readline()
709
logger.debug(u"Protocol version: %r", line)
710
try:
711
if int(line.strip().split()[0]) > 1:
712
raise RuntimeError
713
except (ValueError, IndexError, RuntimeError), error:
714
logger.error(u"Unknown protocol version: %s", error)
715
return
716
1182
717
1183
# Note: gnutls.connection.X509Credentials is really a
718
1184
# generic GnuTLS certificate credentials object so long as
719
1185
# no X.509 keys are added to it. Therefore, we can use it
720
1186
# here despite using OpenPGP certificates.
721
1187
722
1188
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
723
# "+AES-256-CBC", "+SHA1",
724
# "+COMP-NULL", "+CTYPE-OPENPGP",
725
# "+DHE-DSS"))
1189
# "+AES-256-CBC", "+SHA1",
1190
# "+COMP-NULL", "+CTYPE-OPENPGP",
1191
# "+DHE-DSS"))
726
1192
# Use a fallback default, since this MUST be set.
727
1193
priority = self.server.gnutls_priority
728
1194
if priority is None:
730
1196
(gnutls.library.functions
731
1197
.gnutls_priority_set_direct(session._c_object,
732
1198
priority, None))
733
1199
1200
# Start communication using the Mandos protocol
1201
# Get protocol number
1202
line = self.request.makefile().readline()
1203
logger.debug("Protocol version: %r", line)
1204
try:
1205
if int(line.strip().split()[0]) > 1:
1206
raise RuntimeError
1207
except (ValueError, IndexError, RuntimeError), error:
1208
logger.error("Unknown protocol version: %s", error)
1209
return
1210
1211
# Start GnuTLS connection
734
1212
try:
735
1213
session.handshake()
736
1214
except gnutls.errors.GNUTLSError, error:
737
logger.warning(u"Handshake failed: %s", error)
1215
logger.warning("Handshake failed: %s", error)
738
1216
# Do not run session.bye() here: the session is not
739
1217
# established. Just abandon the request.
740
1218
return
741
logger.debug(u"Handshake succeeded")
1219
logger.debug("Handshake succeeded")
1220
1221
approval_required = False
742
1222
try:
743
fpr = self.fingerprint(self.peer_certificate(session))
744
except (TypeError, gnutls.errors.GNUTLSError), error:
745
logger.warning(u"Bad certificate: %s", error)
746
session.bye()
747
return
748
logger.debug(u"Fingerprint: %s", fpr)
1223
try:
1224
fpr = self.fingerprint(self.peer_certificate
1225
(session))
1226
except (TypeError, gnutls.errors.GNUTLSError), error:
1227
logger.warning("Bad certificate: %s", error)
1228
return
1229
logger.debug("Fingerprint: %s", fpr)
1230
1231
try:
1232
client = ProxyClient(child_pipe, fpr,
1233
self.client_address)
1234
except KeyError:
1235
return
1236
1237
if client.approval_delay:
1238
delay = client.approval_delay
1239
client.approvals_pending += 1
1240
approval_required = True
1241
1242
while True:
1243
if not client.enabled:
1244
logger.warning("Client %s is disabled",
1245
client.name)
1246
if self.server.use_dbus:
1247
# Emit D-Bus signal
1248
client.Rejected("Disabled")
1249
return
1250
1251
if client._approved or not client.approval_delay:
1252
#We are approved or approval is disabled
1253
break
1254
elif client._approved is None:
1255
logger.info("Client %s needs approval",
1256
client.name)
1257
if self.server.use_dbus:
1258
# Emit D-Bus signal
1259
client.NeedApproval(
1260
client.approval_delay_milliseconds(),
1261
client.approved_by_default)
1262
else:
1263
logger.warning("Client %s was not approved",
1264
client.name)
1265
if self.server.use_dbus:
1266
# Emit D-Bus signal
1267
client.Rejected("Denied")
1268
return
1269
1270
#wait until timeout or approved
1271
#x = float(client._timedelta_to_milliseconds(delay))
1272
time = datetime.datetime.now()
1273
client.changedstate.acquire()
1274
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1275
client.changedstate.release()
1276
time2 = datetime.datetime.now()
1277
if (time2 - time) >= delay:
1278
if not client.approved_by_default:
1279
logger.warning("Client %s timed out while"
1280
" waiting for approval",
1281
client.name)
1282
if self.server.use_dbus:
1283
# Emit D-Bus signal
1284
client.Rejected("Approval timed out")
1285
return
1286
else:
1287
break
1288
else:
1289
delay -= time2 - time
1290
1291
sent_size = 0
1292
while sent_size < len(client.secret):
1293
try:
1294
sent = session.send(client.secret[sent_size:])
1295
except (gnutls.errors.GNUTLSError), error:
1296
logger.warning("gnutls send failed")
1297
return
1298
logger.debug("Sent: %d, remaining: %d",
1299
sent, len(client.secret)
1300
- (sent_size + sent))
1301
sent_size += sent
1302
1303
logger.info("Sending secret to %s", client.name)
1304
# bump the timeout as if seen
1305
client.checked_ok()
1306
if self.server.use_dbus:
1307
# Emit D-Bus signal
1308
client.GotSecret()
749
1309
750
for c in self.server.clients:
751
if c.fingerprint == fpr:
752
client = c
753
break
754
else:
755
ipc.write("NOTFOUND %s\n" % fpr)
756
session.bye()
757
return
758
# Have to check if client.still_valid(), since it is
759
# possible that the client timed out while establishing
760
# the GnuTLS session.
761
if not client.still_valid():
762
ipc.write("INVALID %s\n" % client.name)
763
session.bye()
764
return
765
ipc.write("SENDING %s\n" % client.name)
766
sent_size = 0
767
while sent_size < len(client.secret):
768
sent = session.send(client.secret[sent_size:])
769
logger.debug(u"Sent: %d, remaining: %d",
770
sent, len(client.secret)
771
- (sent_size + sent))
772
sent_size += sent
773
session.bye()
1310
finally:
1311
if approval_required:
1312
client.approvals_pending -= 1
1313
try:
1314
session.bye()
1315
except (gnutls.errors.GNUTLSError), error:
1316
logger.warning("GnuTLS bye failed")
774
1317
775
1318
@staticmethod
776
1319
def peer_certificate(session):
832
1375
# Convert the buffer to a Python bytestring
833
1376
fpr = ctypes.string_at(buf, buf_len.value)
834
1377
# Convert the bytestring to hexadecimal notation
835
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1378
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
836
1379
return hex_fpr
837
1380
838
1381
839
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
840
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
841
842
Assumes a gobject.MainLoop event loop.
843
"""
1382
class MultiprocessingMixIn(object):
1383
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1384
def sub_process_main(self, request, address):
1385
try:
1386
self.finish_request(request, address)
1387
except:
1388
self.handle_error(request, address)
1389
self.close_request(request)
1390
1391
def process_request(self, request, address):
1392
"""Start a new process to process the request."""
1393
multiprocessing.Process(target = self.sub_process_main,
1394
args = (request, address)).start()
1395
1396
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1397
""" adds a pipe to the MixIn """
844
1398
def process_request(self, request, client_address):
845
1399
"""Overrides and wraps the original process_request().
846
1400
847
This function creates a new pipe in self.pipe
1401
This function creates a new pipe in self.pipe
848
1402
"""
849
self.pipe = os.pipe()
850
super(ForkingMixInWithPipe,
1403
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1404
1405
super(MultiprocessingMixInWithPipe,
851
1406
self).process_request(request, client_address)
852
os.close(self.pipe[1]) # close write end
853
# Call "handle_ipc" for both data and EOF events
854
gobject.io_add_watch(self.pipe[0],
855
gobject.IO_IN | gobject.IO_HUP,
856
self.handle_ipc)
857
def handle_ipc(source, condition):
1407
self.child_pipe.close()
1408
self.add_pipe(parent_pipe)
1409
1410
def add_pipe(self, parent_pipe):
858
1411
"""Dummy function; override as necessary"""
859
os.close(source)
860
return False
861
862
863
class IPv6_TCPServer(ForkingMixInWithPipe,
864
SocketServer.TCPServer, object):
1412
raise NotImplementedError
1413
1414
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1415
socketserver.TCPServer, object):
865
1416
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
866
1417
867
1418
Attributes:
868
1419
enabled: Boolean; whether this server is activated yet
869
1420
interface: None or a network interface name (string)
870
1421
use_ipv6: Boolean; to use IPv6 or not
871
----
872
clients: Set() of Client objects
873
gnutls_priority GnuTLS priority string
874
use_dbus: Boolean; to emit D-Bus signals or not
875
1422
"""
876
1423
def __init__(self, server_address, RequestHandlerClass,
877
interface=None, use_ipv6=True, clients=None,
878
gnutls_priority=None, use_dbus=True):
879
self.enabled = False
1424
interface=None, use_ipv6=True):
880
1425
self.interface = interface
881
1426
if use_ipv6:
882
1427
self.address_family = socket.AF_INET6
883
self.clients = clients
884
self.use_dbus = use_dbus
885
self.gnutls_priority = gnutls_priority
886
SocketServer.TCPServer.__init__(self, server_address,
1428
socketserver.TCPServer.__init__(self, server_address,
887
1429
RequestHandlerClass)
888
1430
def server_bind(self):
889
1431
"""This overrides the normal server_bind() function
890
1432
to bind to an interface if one was specified, and also NOT to
891
1433
bind to an address or port if they were not specified."""
892
1434
if self.interface is not None:
893
try:
894
self.socket.setsockopt(socket.SOL_SOCKET,
895
SO_BINDTODEVICE,
896
self.interface + '\0')
897
except socket.error, error:
898
if error[0] == errno.EPERM:
899
logger.error(u"No permission to"
900
u" bind to interface %s",
901
self.interface)
902
else:
903
raise
1435
if SO_BINDTODEVICE is None:
1436
logger.error("SO_BINDTODEVICE does not exist;"
1437
" cannot bind to interface %s",
1438
self.interface)
1439
else:
1440
try:
1441
self.socket.setsockopt(socket.SOL_SOCKET,
1442
SO_BINDTODEVICE,
1443
str(self.interface
1444
+ '\0'))
1445
except socket.error, error:
1446
if error[0] == errno.EPERM:
1447
logger.error("No permission to"
1448
" bind to interface %s",
1449
self.interface)
1450
elif error[0] == errno.ENOPROTOOPT:
1451
logger.error("SO_BINDTODEVICE not available;"
1452
" cannot bind to interface %s",
1453
self.interface)
1454
else:
1455
raise
904
1456
# Only bind(2) the socket if we really need to.
905
1457
if self.server_address[0] or self.server_address[1]:
906
1458
if not self.server_address[0]:
919
1471
# 0, # flowinfo
920
1472
# if_nametoindex
921
1473
# (self.interface))
922
return SocketServer.TCPServer.server_bind(self)
1474
return socketserver.TCPServer.server_bind(self)
1475
1476
1477
class MandosServer(IPv6_TCPServer):
1478
"""Mandos server.
1479
1480
Attributes:
1481
clients: set of Client objects
1482
gnutls_priority GnuTLS priority string
1483
use_dbus: Boolean; to emit D-Bus signals or not
1484
1485
Assumes a gobject.MainLoop event loop.
1486
"""
1487
def __init__(self, server_address, RequestHandlerClass,
1488
interface=None, use_ipv6=True, clients=None,
1489
gnutls_priority=None, use_dbus=True):
1490
self.enabled = False
1491
self.clients = clients
1492
if self.clients is None:
1493
self.clients = set()
1494
self.use_dbus = use_dbus
1495
self.gnutls_priority = gnutls_priority
1496
IPv6_TCPServer.__init__(self, server_address,
1497
RequestHandlerClass,
1498
interface = interface,
1499
use_ipv6 = use_ipv6)
923
1500
def server_activate(self):
924
1501
if self.enabled:
925
return SocketServer.TCPServer.server_activate(self)
1502
return socketserver.TCPServer.server_activate(self)
926
1503
def enable(self):
927
1504
self.enabled = True
928
def handle_ipc(self, source, condition, file_objects={}):
1505
def add_pipe(self, parent_pipe):
1506
# Call "handle_ipc" for both data and EOF events
1507
gobject.io_add_watch(parent_pipe.fileno(),
1508
gobject.IO_IN | gobject.IO_HUP,
1509
functools.partial(self.handle_ipc,
1510
parent_pipe = parent_pipe))
1511
1512
def handle_ipc(self, source, condition, parent_pipe=None,
1513
client_object=None):
929
1514
condition_names = {
930
gobject.IO_IN: "IN", # There is data to read.
1515
gobject.IO_IN: "IN", # There is data to read.
931
1516
gobject.IO_OUT: "OUT", # Data can be written (without
932
# blocking).
1517
# blocking).
933
1518
gobject.IO_PRI: "PRI", # There is urgent data to read.
934
1519
gobject.IO_ERR: "ERR", # Error condition.
935
1520
gobject.IO_HUP: "HUP" # Hung up (the connection has been
936
# broken, usually for pipes and
937
# sockets).
1521
# broken, usually for pipes and
1522
# sockets).
938
1523
}
939
1524
conditions_string = ' | '.join(name
940
1525
for cond, name in
941
1526
condition_names.iteritems()
942
1527
if cond & condition)
943
logger.debug("Handling IPC: FD = %d, condition = %s", source,
944
conditions_string)
945
946
# Turn the pipe file descriptor into a Python file object
947
if source not in file_objects:
948
file_objects[source] = os.fdopen(source, "r", 1)
949
950
# Read a line from the file object
951
cmdline = file_objects[source].readline()
952
if not cmdline: # Empty line means end of file
953
# close the IPC pipe
954
file_objects[source].close()
955
del file_objects[source]
956
957
# Stop calling this function
958
return False
959
960
logger.debug("IPC command: %r", cmdline)
961
962
# Parse and act on command
963
cmd, args = cmdline.rstrip("\r\n").split(None, 1)
964
965
if cmd == "NOTFOUND":
966
logger.warning(u"Client not found for fingerprint: %s",
967
args)
968
if self.use_dbus:
969
# Emit D-Bus signal
970
mandos_dbus_service.ClientNotFound(args)
971
elif cmd == "INVALID":
972
for client in self.clients:
973
if client.name == args:
974
logger.warning(u"Client %s is invalid", args)
975
if self.use_dbus:
976
# Emit D-Bus signal
977
client.Rejected()
978
break
979
else:
980
logger.error(u"Unknown client %s is invalid", args)
981
elif cmd == "SENDING":
982
for client in self.clients:
983
if client.name == args:
984
logger.info(u"Sending secret to %s", client.name)
985
client.checked_ok()
986
if self.use_dbus:
987
# Emit D-Bus signal
988
client.ReceivedSecret()
989
break
990
else:
991
logger.error(u"Sending secret to unknown client %s",
992
args)
993
else:
994
logger.error("Unknown IPC command: %r", cmdline)
995
996
# Keep calling this function
1528
# error or the other end of multiprocessing.Pipe has closed
1529
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1530
return False
1531
1532
# Read a request from the child
1533
request = parent_pipe.recv()
1534
command = request[0]
1535
1536
if command == 'init':
1537
fpr = request[1]
1538
address = request[2]
1539
1540
for c in self.clients:
1541
if c.fingerprint == fpr:
1542
client = c
1543
break
1544
else:
1545
logger.warning("Client not found for fingerprint: %s, ad"
1546
"dress: %s", fpr, address)
1547
if self.use_dbus:
1548
# Emit D-Bus signal
1549
mandos_dbus_service.ClientNotFound(fpr, address[0])
1550
parent_pipe.send(False)
1551
return False
1552
1553
gobject.io_add_watch(parent_pipe.fileno(),
1554
gobject.IO_IN | gobject.IO_HUP,
1555
functools.partial(self.handle_ipc,
1556
parent_pipe = parent_pipe,
1557
client_object = client))
1558
parent_pipe.send(True)
1559
# remove the old hook in favor of the new above hook on same fileno
1560
return False
1561
if command == 'funcall':
1562
funcname = request[1]
1563
args = request[2]
1564
kwargs = request[3]
1565
1566
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1567
1568
if command == 'getattr':
1569
attrname = request[1]
1570
if callable(client_object.__getattribute__(attrname)):
1571
parent_pipe.send(('function',))
1572
else:
1573
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1574
1575
if command == 'setattr':
1576
attrname = request[1]
1577
value = request[2]
1578
setattr(client_object, attrname, value)
1579
997
1580
return True
998
1581
999
1582
1008
1591
datetime.timedelta(0, 3600)
1009
1592
>>> string_to_delta('24h')
1010
1593
datetime.timedelta(1)
1011
>>> string_to_delta(u'1w')
1594
>>> string_to_delta('1w')
1012
1595
datetime.timedelta(7)
1013
1596
>>> string_to_delta('5m 30s')
1014
1597
datetime.timedelta(0, 330)
1018
1601
try:
1019
1602
suffix = unicode(s[-1])
1020
1603
value = int(s[:-1])
1021
if suffix == u"d":
1604
if suffix == "d":
1022
1605
delta = datetime.timedelta(value)
1023
elif suffix == u"s":
1606
elif suffix == "s":
1024
1607
delta = datetime.timedelta(0, value)
1025
elif suffix == u"m":
1608
elif suffix == "m":
1026
1609
delta = datetime.timedelta(0, 0, 0, 0, value)
1027
elif suffix == u"h":
1610
elif suffix == "h":
1028
1611
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1029
elif suffix == u"w":
1612
elif suffix == "w":
1030
1613
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1031
1614
else:
1032
raise ValueError
1033
except (ValueError, IndexError):
1034
raise ValueError
1615
raise ValueError("Unknown suffix %r" % suffix)
1616
except (ValueError, IndexError), e:
1617
raise ValueError(*(e.args))
1035
1618
timevalue += delta
1036
1619
return timevalue
1037
1620
1038
1621
1039
def server_state_changed(state):
1040
"""Derived from the Avahi example code"""
1041
if state == avahi.SERVER_COLLISION:
1042
logger.error(u"Zeroconf server name collision")
1043
service.remove()
1044
elif state == avahi.SERVER_RUNNING:
1045
service.add()
1046
1047
1048
def entry_group_state_changed(state, error):
1049
"""Derived from the Avahi example code"""
1050
logger.debug(u"Avahi state change: %i", state)
1051
1052
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1053
logger.debug(u"Zeroconf service established.")
1054
elif state == avahi.ENTRY_GROUP_COLLISION:
1055
logger.warning(u"Zeroconf service name collision.")
1056
service.rename()
1057
elif state == avahi.ENTRY_GROUP_FAILURE:
1058
logger.critical(u"Avahi: Error in group state changed %s",
1059
unicode(error))
1060
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1061
1062
1622
def if_nametoindex(interface):
1063
"""Call the C function if_nametoindex(), or equivalent"""
1623
"""Call the C function if_nametoindex(), or equivalent
1624
1625
Note: This function cannot accept a unicode string."""
1064
1626
global if_nametoindex
1065
1627
try:
1066
1628
if_nametoindex = (ctypes.cdll.LoadLibrary
1067
1629
(ctypes.util.find_library("c"))
1068
1630
.if_nametoindex)
1069
1631
except (OSError, AttributeError):
1070
if "struct" not in sys.modules:
1071
import struct
1072
if "fcntl" not in sys.modules:
1073
import fcntl
1632
logger.warning("Doing if_nametoindex the hard way")
1074
1633
def if_nametoindex(interface):
1075
1634
"Get an interface index the hard way, i.e. using fcntl()"
1076
1635
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1077
with closing(socket.socket()) as s:
1636
with contextlib.closing(socket.socket()) as s:
1078
1637
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1079
struct.pack("16s16x", interface))
1080
interface_index = struct.unpack("I", ifreq[16:20])[0]
1638
struct.pack(str("16s16x"),
1639
interface))
1640
interface_index = struct.unpack(str("I"),
1641
ifreq[16:20])[0]
1081
1642
return interface_index
1082
1643
return if_nametoindex(interface)
1083
1644
1098
1659
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1099
1660
if not stat.S_ISCHR(os.fstat(null).st_mode):
1100
1661
raise OSError(errno.ENODEV,
1101
"/dev/null not a character device")
1662
"%s not a character device"
1663
% os.path.devnull)
1102
1664
os.dup2(null, sys.stdin.fileno())
1103
1665
os.dup2(null, sys.stdout.fileno())
1104
1666
os.dup2(null, sys.stderr.fileno())
1108
1670
1109
1671
def main():
1110
1672
1111
######################################################################
1673
##################################################################
1112
1674
# Parsing of options, both command line and config file
1113
1675
1114
parser = optparse.OptionParser(version = "%%prog %s" % version)
1115
parser.add_option("-i", "--interface", type="string",
1116
metavar="IF", help="Bind to interface IF")
1117
parser.add_option("-a", "--address", type="string",
1118
help="Address to listen for requests on")
1119
parser.add_option("-p", "--port", type="int",
1120
help="Port number to receive requests on")
1121
parser.add_option("--check", action="store_true",
1122
help="Run self-test")
1123
parser.add_option("--debug", action="store_true",
1124
help="Debug mode; run in foreground and log to"
1125
" terminal")
1126
parser.add_option("--priority", type="string", help="GnuTLS"
1127
" priority string (see GnuTLS documentation)")
1128
parser.add_option("--servicename", type="string", metavar="NAME",
1129
help="Zeroconf service name")
1130
parser.add_option("--configdir", type="string",
1131
default="/etc/mandos", metavar="DIR",
1132
help="Directory to search for configuration"
1133
" files")
1134
parser.add_option("--no-dbus", action="store_false",
1135
dest="use_dbus",
1136
help="Do not provide D-Bus system bus"
1137
" interface")
1138
parser.add_option("--no-ipv6", action="store_false",
1139
dest="use_ipv6", help="Do not use IPv6")
1140
options = parser.parse_args()[0]
1676
parser = argparse.ArgumentParser()
1677
parser.add_argument("-v", "--version", action="version",
1678
version = "%%(prog)s %s" % version,
1679
help="show version number and exit")
1680
parser.add_argument("-i", "--interface", metavar="IF",
1681
help="Bind to interface IF")
1682
parser.add_argument("-a", "--address",
1683
help="Address to listen for requests on")
1684
parser.add_argument("-p", "--port", type=int,
1685
help="Port number to receive requests on")
1686
parser.add_argument("--check", action="store_true",
1687
help="Run self-test")
1688
parser.add_argument("--debug", action="store_true",
1689
help="Debug mode; run in foreground and log"
1690
" to terminal")
1691
parser.add_argument("--debuglevel", metavar="LEVEL",
1692
help="Debug level for stdout output")
1693
parser.add_argument("--priority", help="GnuTLS"
1694
" priority string (see GnuTLS documentation)")
1695
parser.add_argument("--servicename",
1696
metavar="NAME", help="Zeroconf service name")
1697
parser.add_argument("--configdir",
1698
default="/etc/mandos", metavar="DIR",
1699
help="Directory to search for configuration"
1700
" files")
1701
parser.add_argument("--no-dbus", action="store_false",
1702
dest="use_dbus", help="Do not provide D-Bus"
1703
" system bus interface")
1704
parser.add_argument("--no-ipv6", action="store_false",
1705
dest="use_ipv6", help="Do not use IPv6")
1706
options = parser.parse_args()
1141
1707
1142
1708
if options.check:
1143
1709
import doctest
1154
1720
"servicename": "Mandos",
1155
1721
"use_dbus": "True",
1156
1722
"use_ipv6": "True",
1723
"debuglevel": "",
1157
1724
}
1158
1725
1159
1726
# Parse config file for server-global settings
1160
server_config = ConfigParser.SafeConfigParser(server_defaults)
1727
server_config = configparser.SafeConfigParser(server_defaults)
1161
1728
del server_defaults
1162
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1729
server_config.read(os.path.join(options.configdir,
1730
"mandos.conf"))
1163
1731
# Convert the SafeConfigParser object to a dict
1164
1732
server_settings = server_config.defaults()
1165
1733
# Use the appropriate methods on the non-string config options
1166
server_settings["debug"] = server_config.getboolean("DEFAULT",
1167
"debug")
1168
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1169
"use_dbus")
1170
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1171
"use_ipv6")
1734
for option in ("debug", "use_dbus", "use_ipv6"):
1735
server_settings[option] = server_config.getboolean("DEFAULT",
1736
option)
1172
1737
if server_settings["port"]:
1173
1738
server_settings["port"] = server_config.getint("DEFAULT",
1174
1739
"port")
1178
1743
# options, if set.
1179
1744
for option in ("interface", "address", "port", "debug",
1180
1745
"priority", "servicename", "configdir",
1181
"use_dbus", "use_ipv6"):
1746
"use_dbus", "use_ipv6", "debuglevel"):
1182
1747
value = getattr(options, option)
1183
1748
if value is not None:
1184
1749
server_settings[option] = value
1185
1750
del options
1751
# Force all strings to be unicode
1752
for option in server_settings.keys():
1753
if type(server_settings[option]) is str:
1754
server_settings[option] = unicode(server_settings[option])
1186
1755
# Now we have our good server settings in "server_settings"
1187
1756
1188
1757
##################################################################
1189
1758
1190
1759
# For convenience
1191
1760
debug = server_settings["debug"]
1761
debuglevel = server_settings["debuglevel"]
1192
1762
use_dbus = server_settings["use_dbus"]
1193
1763
use_ipv6 = server_settings["use_ipv6"]
1194
1195
if not debug:
1196
syslogger.setLevel(logging.WARNING)
1197
console.setLevel(logging.WARNING)
1198
1764
1199
1765
if server_settings["servicename"] != "Mandos":
1200
1766
syslogger.setFormatter(logging.Formatter
1201
1767
('Mandos (%s) [%%(process)d]:'
1207
1773
"interval": "5m",
1208
1774
"checker": "fping -q -- %%(host)s",
1209
1775
"host": "",
1776
"approval_delay": "0s",
1777
"approval_duration": "1s",
1210
1778
}
1211
client_config = ConfigParser.SafeConfigParser(client_defaults)
1779
client_config = configparser.SafeConfigParser(client_defaults)
1212
1780
client_config.read(os.path.join(server_settings["configdir"],
1213
1781
"clients.conf"))
1214
1782
1215
1783
global mandos_dbus_service
1216
1784
mandos_dbus_service = None
1217
1785
1218
clients = Set()
1219
tcp_server = IPv6_TCPServer((server_settings["address"],
1220
server_settings["port"]),
1221
ClientHandler,
1222
interface=
1223
server_settings["interface"],
1224
use_ipv6=use_ipv6,
1225
clients=clients,
1226
gnutls_priority=
1227
server_settings["priority"],
1228
use_dbus=use_dbus)
1229
pidfilename = "/var/run/mandos.pid"
1230
try:
1231
pidfile = open(pidfilename, "w")
1232
except IOError:
1233
logger.error("Could not open file %r", pidfilename)
1786
tcp_server = MandosServer((server_settings["address"],
1787
server_settings["port"]),
1788
ClientHandler,
1789
interface=(server_settings["interface"]
1790
or None),
1791
use_ipv6=use_ipv6,
1792
gnutls_priority=
1793
server_settings["priority"],
1794
use_dbus=use_dbus)
1795
if not debug:
1796
pidfilename = "/var/run/mandos.pid"
1797
try:
1798
pidfile = open(pidfilename, "w")
1799
except IOError:
1800
logger.error("Could not open file %r", pidfilename)
1234
1801
1235
1802
try:
1236
1803
uid = pwd.getpwnam("_mandos").pw_uid
1242
1809
except KeyError:
1243
1810
try:
1244
1811
uid = pwd.getpwnam("nobody").pw_uid
1245
gid = pwd.getpwnam("nogroup").pw_gid
1812
gid = pwd.getpwnam("nobody").pw_gid
1246
1813
except KeyError:
1247
1814
uid = 65534
1248
1815
gid = 65534
1253
1820
if error[0] != errno.EPERM:
1254
1821
raise error
1255
1822
1256
# Enable all possible GnuTLS debugging
1823
if not debug and not debuglevel:
1824
syslogger.setLevel(logging.WARNING)
1825
console.setLevel(logging.WARNING)
1826
if debuglevel:
1827
level = getattr(logging, debuglevel.upper())
1828
syslogger.setLevel(level)
1829
console.setLevel(level)
1830
1257
1831
if debug:
1832
# Enable all possible GnuTLS debugging
1833
1258
1834
# "Use a log level over 10 to enable all debugging options."
1259
1835
# - GnuTLS manual
1260
1836
gnutls.library.functions.gnutls_global_set_log_level(11)
1265
1841
1266
1842
(gnutls.library.functions
1267
1843
.gnutls_global_set_log_function(debug_gnutls))
1844
1845
# Redirect stdin so all checkers get /dev/null
1846
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1847
os.dup2(null, sys.stdin.fileno())
1848
if null > 2:
1849
os.close(null)
1850
else:
1851
# No console logging
1852
logger.removeHandler(console)
1268
1853
1269
global service
1270
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1271
service = AvahiService(name = server_settings["servicename"],
1272
servicetype = "_mandos._tcp",
1273
protocol = protocol)
1274
if server_settings["interface"]:
1275
service.interface = (if_nametoindex
1276
(server_settings["interface"]))
1854
# Need to fork before connecting to D-Bus
1855
if not debug:
1856
# Close all input and output, do double fork, etc.
1857
daemon()
1277
1858
1278
1859
global main_loop
1279
global bus
1280
global server
1281
1860
# From the Avahi example code
1282
1861
DBusGMainLoop(set_as_default=True )
1283
1862
main_loop = gobject.MainLoop()
1284
1863
bus = dbus.SystemBus()
1285
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1286
avahi.DBUS_PATH_SERVER),
1287
avahi.DBUS_INTERFACE_SERVER)
1288
1864
# End of Avahi example code
1289
1865
if use_dbus:
1290
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1866
try:
1867
bus_name = dbus.service.BusName("se.bsnet.fukt.Mandos",
1868
bus, do_not_queue=True)
1869
except dbus.exceptions.NameExistsException, e:
1870
logger.error(unicode(e) + ", disabling D-Bus")
1871
use_dbus = False
1872
server_settings["use_dbus"] = False
1873
tcp_server.use_dbus = False
1874
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1875
service = AvahiService(name = server_settings["servicename"],
1876
servicetype = "_mandos._tcp",
1877
protocol = protocol, bus = bus)
1878
if server_settings["interface"]:
1879
service.interface = (if_nametoindex
1880
(str(server_settings["interface"])))
1881
1882
global multiprocessing_manager
1883
multiprocessing_manager = multiprocessing.Manager()
1291
1884
1292
1885
client_class = Client
1293
1886
if use_dbus:
1294
client_class = ClientDBus
1295
clients.update(Set(
1887
client_class = functools.partial(ClientDBus, bus = bus)
1888
def client_config_items(config, section):
1889
special_settings = {
1890
"approved_by_default":
1891
lambda: config.getboolean(section,
1892
"approved_by_default"),
1893
}
1894
for name, value in config.items(section):
1895
try:
1896
yield (name, special_settings[name]())
1897
except KeyError:
1898
yield (name, value)
1899
1900
tcp_server.clients.update(set(
1296
1901
client_class(name = section,
1297
config= dict(client_config.items(section)))
1902
config= dict(client_config_items(
1903
client_config, section)))
1298
1904
for section in client_config.sections()))
1299
if not clients:
1300
logger.warning(u"No clients defined")
1301
1302
if debug:
1303
# Redirect stdin so all checkers get /dev/null
1304
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1305
os.dup2(null, sys.stdin.fileno())
1306
if null > 2:
1307
os.close(null)
1308
else:
1309
# No console logging
1310
logger.removeHandler(console)
1311
# Close all input and output, do double fork, etc.
1312
daemon()
1313
1314
try:
1315
with closing(pidfile):
1316
pid = os.getpid()
1317
pidfile.write(str(pid) + "\n")
1318
del pidfile
1319
except IOError:
1320
logger.error(u"Could not write to file %r with PID %d",
1321
pidfilename, pid)
1322
except NameError:
1323
# "pidfile" was never created
1324
pass
1325
del pidfilename
1326
1327
def cleanup():
1328
"Cleanup function; run on exit"
1329
global group
1330
# From the Avahi example code
1331
if not group is None:
1332
group.Free()
1333
group = None
1334
# End of Avahi example code
1905
if not tcp_server.clients:
1906
logger.warning("No clients defined")
1335
1907
1336
while clients:
1337
client = clients.pop()
1338
client.disable_hook = None
1339
client.disable()
1340
1341
atexit.register(cleanup)
1342
1343
1908
if not debug:
1909
try:
1910
with pidfile:
1911
pid = os.getpid()
1912
pidfile.write(str(pid) + "\n".encode("utf-8"))
1913
del pidfile
1914
except IOError:
1915
logger.error("Could not write to file %r with PID %d",
1916
pidfilename, pid)
1917
except NameError:
1918
# "pidfile" was never created
1919
pass
1920
del pidfilename
1921
1344
1922
signal.signal(signal.SIGINT, signal.SIG_IGN)
1923
1345
1924
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1346
1925
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1347
1926
1350
1929
"""A D-Bus proxy object"""
1351
1930
def __init__(self):
1352
1931
dbus.service.Object.__init__(self, bus, "/")
1353
_interface = u"se.bsnet.fukt.Mandos"
1932
_interface = "se.bsnet.fukt.Mandos"
1354
1933
1355
@dbus.service.signal(_interface, signature="oa{sv}")
1356
def ClientAdded(self, objpath, properties):
1934
@dbus.service.signal(_interface, signature="o")
1935
def ClientAdded(self, objpath):
1357
1936
"D-Bus signal"
1358
1937
pass
1359
1938
1360
@dbus.service.signal(_interface, signature="s")
1361
def ClientNotFound(self, fingerprint):
1939
@dbus.service.signal(_interface, signature="ss")
1940
def ClientNotFound(self, fingerprint, address):
1362
1941
"D-Bus signal"
1363
1942
pass
1364
1943
1370
1949
@dbus.service.method(_interface, out_signature="ao")
1371
1950
def GetAllClients(self):
1372
1951
"D-Bus method"
1373
return dbus.Array(c.dbus_object_path for c in clients)
1952
return dbus.Array(c.dbus_object_path
1953
for c in tcp_server.clients)
1374
1954
1375
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1955
@dbus.service.method(_interface,
1956
out_signature="a{oa{sv}}")
1376
1957
def GetAllClientsWithProperties(self):
1377
1958
"D-Bus method"
1378
1959
return dbus.Dictionary(
1379
((c.dbus_object_path, c.GetAllProperties())
1380
for c in clients),
1960
((c.dbus_object_path, c.GetAll(""))
1961
for c in tcp_server.clients),
1381
1962
signature="oa{sv}")
1382
1963
1383
1964
@dbus.service.method(_interface, in_signature="o")
1384
1965
def RemoveClient(self, object_path):
1385
1966
"D-Bus method"
1386
for c in clients:
1967
for c in tcp_server.clients:
1387
1968
if c.dbus_object_path == object_path:
1388
clients.remove(c)
1969
tcp_server.clients.remove(c)
1389
1970
c.remove_from_connection()
1390
1971
# Don't signal anything except ClientRemoved
1391
c.disable(signal=False)
1972
c.disable(quiet=True)
1392
1973
# Emit D-Bus signal
1393
1974
self.ClientRemoved(object_path, c.name)
1394
1975
return
1395
raise KeyError
1976
raise KeyError(object_path)
1396
1977
1397
1978
del _interface
1398
1979
1399
1980
mandos_dbus_service = MandosDBusService()
1400
1981
1401
for client in clients:
1982
def cleanup():
1983
"Cleanup function; run on exit"
1984
service.cleanup()
1985
1986
while tcp_server.clients:
1987
client = tcp_server.clients.pop()
1988
if use_dbus:
1989
client.remove_from_connection()
1990
client.disable_hook = None
1991
# Don't signal anything except ClientRemoved
1992
client.disable(quiet=True)
1993
if use_dbus:
1994
# Emit D-Bus signal
1995
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1996
client.name)
1997
1998
atexit.register(cleanup)
1999
2000
for client in tcp_server.clients:
1402
2001
if use_dbus:
1403
2002
# Emit D-Bus signal
1404
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1405
client.GetAllProperties())
2003
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1406
2004
client.enable()
1407
2005
1408
2006
tcp_server.enable()
1411
2009
# Find out what port we got
1412
2010
service.port = tcp_server.socket.getsockname()[1]
1413
2011
if use_ipv6:
1414
logger.info(u"Now listening on address %r, port %d,"
2012
logger.info("Now listening on address %r, port %d,"
1415
2013
" flowinfo %d, scope_id %d"
1416
2014
% tcp_server.socket.getsockname())
1417
2015
else: # IPv4
1418
logger.info(u"Now listening on address %r, port %d"
2016
logger.info("Now listening on address %r, port %d"
1419
2017
% tcp_server.socket.getsockname())
1420
2018
1421
2019
#service.interface = tcp_server.socket.getsockname()[3]
1422
2020
1423
2021
try:
1424
2022
# From the Avahi example code
1425
server.connect_to_signal("StateChanged", server_state_changed)
1426
2023
try:
1427
server_state_changed(server.GetState())
2024
service.activate()
1428
2025
except dbus.exceptions.DBusException, error:
1429
logger.critical(u"DBusException: %s", error)
2026
logger.critical("DBusException: %s", error)
2027
cleanup()
1430
2028
sys.exit(1)
1431
2029
# End of Avahi example code
1432
2030
1435
2033
(tcp_server.handle_request
1436
2034
(*args[2:], **kwargs) or True))
1437
2035
1438
logger.debug(u"Starting main loop")
2036
logger.debug("Starting main loop")
1439
2037
main_loop.run()
1440
2038
except AvahiError, error:
1441
logger.critical(u"AvahiError: %s", error)
2039
logger.critical("AvahiError: %s", error)
2040
cleanup()
1442
2041
sys.exit(1)
1443
2042
except KeyboardInterrupt:
1444
2043
if debug:
1445
print >> sys.stderr
2044
print("", file=sys.stderr)
1446
2045
logger.debug("Server received KeyboardInterrupt")
1447
2046
logger.debug("Server exiting")
2047
# Must run before the D-Bus bus name gets deregistered
2048
cleanup()
1448
2049
1449
2050
if __name__ == '__main__':
1450
2051
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0