To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 474
- compare with another revision
- download diff
- download tarball
- view history from revision 474
- Committer: teddy at bsnet
- Date: 2011-03-15 19:15:24 UTC
- Revision ID: teddy@fukt.bsnet.se-20110315191524-jc3ajgqu2za7dcly
* mandos: Use the new argparse library instead of optparse.
* debian/control (mandos): Depend on python (<=2.7) | python-argparse
* debian/control (mandos): Depend on python (<=2.7) | python-argparse
added
removed
mandos
82
82
SO_BINDTODEVICE = None
83
83
84
84
85
version = "1.3.1"
85
version = "1.3.0"
86
86
87
87
#logger = logging.getLogger('mandos')
88
88
logger = logging.Logger('mandos')
151
151
self.group = None # our entry group
152
152
self.server = None
153
153
self.bus = bus
154
self.entry_group_state_changed_match = None
155
154
def rename(self):
156
155
"""Derived from the Avahi example code"""
157
156
if self.rename_count >= self.max_renames:
169
168
self.remove()
170
169
try:
171
170
self.add()
172
except dbus.exceptions.DBusException as error:
171
except dbus.exceptions.DBusException, error:
173
172
logger.critical("DBusException: %s", error)
174
173
self.cleanup()
175
174
os._exit(1)
176
175
self.rename_count += 1
177
176
def remove(self):
178
177
"""Derived from the Avahi example code"""
179
if self.entry_group_state_changed_match is not None:
180
self.entry_group_state_changed_match.remove()
181
self.entry_group_state_changed_match = None
182
178
if self.group is not None:
183
179
self.group.Reset()
184
180
def add(self):
185
181
"""Derived from the Avahi example code"""
186
self.remove()
187
182
if self.group is None:
188
183
self.group = dbus.Interface(
189
184
self.bus.get_object(avahi.DBUS_NAME,
190
185
self.server.EntryGroupNew()),
191
186
avahi.DBUS_INTERFACE_ENTRY_GROUP)
192
self.entry_group_state_changed_match = (
193
self.group.connect_to_signal(
194
'StateChanged', self .entry_group_state_changed))
187
self.group.connect_to_signal('StateChanged',
188
self
189
.entry_group_state_changed)
195
190
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
196
191
self.name, self.type)
197
192
self.group.AddService(
220
215
def cleanup(self):
221
216
"""Derived from the Avahi example code"""
222
217
if self.group is not None:
223
try:
224
self.group.Free()
225
except (dbus.exceptions.UnknownMethodException,
226
dbus.exceptions.DBusException) as e:
227
pass
218
self.group.Free()
228
219
self.group = None
229
self.remove()
230
def server_state_changed(self, state, error=None):
220
def server_state_changed(self, state):
231
221
"""Derived from the Avahi example code"""
232
222
logger.debug("Avahi server state change: %i", state)
233
bad_states = { avahi.SERVER_INVALID:
234
"Zeroconf server invalid",
235
avahi.SERVER_REGISTERING: None,
236
avahi.SERVER_COLLISION:
237
"Zeroconf server name collision",
238
avahi.SERVER_FAILURE:
239
"Zeroconf server failure" }
240
if state in bad_states:
241
if bad_states[state] is not None:
242
if error is None:
243
logger.error(bad_states[state])
244
else:
245
logger.error(bad_states[state] + ": %r", error)
246
self.cleanup()
223
if state == avahi.SERVER_COLLISION:
224
logger.error("Zeroconf server name collision")
225
self.remove()
247
226
elif state == avahi.SERVER_RUNNING:
248
227
self.add()
249
else:
250
if error is None:
251
logger.debug("Unknown state: %r", state)
252
else:
253
logger.debug("Unknown state: %r: %r", state, error)
254
228
def activate(self):
255
229
"""Derived from the Avahi example code"""
256
230
if self.server is None:
257
231
self.server = dbus.Interface(
258
232
self.bus.get_object(avahi.DBUS_NAME,
259
avahi.DBUS_PATH_SERVER,
260
follow_name_owner_changes=True),
233
avahi.DBUS_PATH_SERVER),
261
234
avahi.DBUS_INTERFACE_SERVER)
262
235
self.server.connect_to_signal("StateChanged",
263
236
self.server_state_changed)
297
270
secret: bytestring; sent verbatim (over TLS) to client
298
271
timeout: datetime.timedelta(); How long from last_checked_ok
299
272
until this client is disabled
300
extended_timeout: extra long timeout when password has been sent
301
273
runtime_expansions: Allowed attributes for runtime expansion.
302
expires: datetime.datetime(); time (UTC) when a client will be
303
disabled, or None
304
274
"""
305
275
306
276
runtime_expansions = ("approval_delay", "approval_duration",
318
288
def timeout_milliseconds(self):
319
289
"Return the 'timeout' attribute in milliseconds"
320
290
return self._timedelta_to_milliseconds(self.timeout)
321
322
def extended_timeout_milliseconds(self):
323
"Return the 'extended_timeout' attribute in milliseconds"
324
return self._timedelta_to_milliseconds(self.extended_timeout)
325
291
326
292
def interval_milliseconds(self):
327
293
"Return the 'interval' attribute in milliseconds"
361
327
self.last_enabled = None
362
328
self.last_checked_ok = None
363
329
self.timeout = string_to_delta(config["timeout"])
364
self.extended_timeout = string_to_delta(config["extended_timeout"])
365
330
self.interval = string_to_delta(config["interval"])
366
331
self.disable_hook = disable_hook
367
332
self.checker = None
368
333
self.checker_initiator_tag = None
369
334
self.disable_initiator_tag = None
370
self.expires = None
371
335
self.checker_callback_tag = None
372
336
self.checker_command = config["checker"]
373
337
self.current_checker_command = None
400
364
(self.interval_milliseconds(),
401
365
self.start_checker))
402
366
# Schedule a disable() when 'timeout' has passed
403
self.expires = datetime.datetime.utcnow() + self.timeout
404
367
self.disable_initiator_tag = (gobject.timeout_add
405
368
(self.timeout_milliseconds(),
406
369
self.disable))
419
382
if getattr(self, "disable_initiator_tag", False):
420
383
gobject.source_remove(self.disable_initiator_tag)
421
384
self.disable_initiator_tag = None
422
self.expires = None
423
385
if getattr(self, "checker_initiator_tag", False):
424
386
gobject.source_remove(self.checker_initiator_tag)
425
387
self.checker_initiator_tag = None
451
413
logger.warning("Checker for %(name)s crashed?",
452
414
vars(self))
453
415
454
def checked_ok(self, timeout=None):
416
def checked_ok(self):
455
417
"""Bump up the timeout for this client.
456
418
457
419
This should only be called when the client has been seen,
458
420
alive and well.
459
421
"""
460
if timeout is None:
461
timeout = self.timeout
462
422
self.last_checked_ok = datetime.datetime.utcnow()
463
423
gobject.source_remove(self.disable_initiator_tag)
464
self.expires = datetime.datetime.utcnow() + timeout
465
424
self.disable_initiator_tag = (gobject.timeout_add
466
(self._timedelta_to_milliseconds(timeout),
425
(self.timeout_milliseconds(),
467
426
self.disable))
468
427
469
428
def need_approval(self):
486
445
# If a checker exists, make sure it is not a zombie
487
446
try:
488
447
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
489
except (AttributeError, OSError) as error:
448
except (AttributeError, OSError), error:
490
449
if (isinstance(error, OSError)
491
450
and error.errno != errno.ECHILD):
492
451
raise error
513
472
514
473
try:
515
474
command = self.checker_command % escaped_attrs
516
except TypeError as error:
475
except TypeError, error:
517
476
logger.error('Could not format string "%s":'
518
477
' %s', self.checker_command, error)
519
478
return True # Try again later
538
497
if pid:
539
498
gobject.source_remove(self.checker_callback_tag)
540
499
self.checker_callback(pid, status, command)
541
except OSError as error:
500
except OSError, error:
542
501
logger.error("Failed to start subprocess: %s",
543
502
error)
544
503
# Re-run this periodically if run by gobject.timeout_add
557
516
#time.sleep(0.5)
558
517
#if self.checker.poll() is None:
559
518
# os.kill(self.checker.pid, signal.SIGKILL)
560
except OSError as error:
519
except OSError, error:
561
520
if error.errno != errno.ESRCH: # No such process
562
521
raise
563
522
self.checker = None
745
704
xmlstring = document.toxml("utf-8")
746
705
document.unlink()
747
706
except (AttributeError, xml.dom.DOMException,
748
xml.parsers.expat.ExpatError) as error:
707
xml.parsers.expat.ExpatError), error:
749
708
logger.error("Failed to override Introspection method",
750
709
error)
751
710
return xmlstring
777
736
("/clients/" + client_object_name))
778
737
DBusObjectWithProperties.__init__(self, self.bus,
779
738
self.dbus_object_path)
780
def _set_expires(self, value):
781
old_value = getattr(self, "_expires", None)
782
self._expires = value
783
if hasattr(self, "dbus_object_path") and old_value != value:
784
dbus_time = (self._datetime_to_dbus(self._expires,
785
variant_level=1))
786
self.PropertyChanged(dbus.String("Expires"),
787
dbus_time)
788
expires = property(lambda self: self._expires, _set_expires)
789
del _set_expires
790
739
791
740
def _get_approvals_pending(self):
792
741
return self._approvals_pending
807
756
@staticmethod
808
757
def _datetime_to_dbus(dt, variant_level=0):
809
758
"""Convert a UTC datetime.datetime() to a D-Bus type."""
810
if dt is None:
811
return dbus.String("", variant_level = variant_level)
812
759
return dbus.String(dt.isoformat(),
813
760
variant_level=variant_level)
814
761
866
813
*args, **kwargs)
867
814
868
815
def checked_ok(self, *args, **kwargs):
869
Client.checked_ok(self, *args, **kwargs)
816
r = Client.checked_ok(self, *args, **kwargs)
870
817
# Emit D-Bus signal
871
818
self.PropertyChanged(
872
819
dbus.String("LastCheckedOK"),
873
820
(self._datetime_to_dbus(self.last_checked_ok,
874
821
variant_level=1)))
822
return r
875
823
876
824
def need_approval(self, *args, **kwargs):
877
825
r = Client.need_approval(self, *args, **kwargs)
974
922
# CheckedOK - method
975
923
@dbus.service.method(_interface)
976
924
def CheckedOK(self):
977
self.checked_ok()
925
return self.checked_ok()
978
926
979
927
# Enable - method
980
928
@dbus.service.method(_interface)
1012
960
def ApprovedByDefault_dbus_property(self, value=None):
1013
961
if value is None: # get
1014
962
return dbus.Boolean(self.approved_by_default)
1015
old_value = self.approved_by_default
1016
963
self.approved_by_default = bool(value)
1017
964
# Emit D-Bus signal
1018
if old_value != self.approved_by_default:
1019
self.PropertyChanged(dbus.String("ApprovedByDefault"),
1020
dbus.Boolean(value, variant_level=1))
965
self.PropertyChanged(dbus.String("ApprovedByDefault"),
966
dbus.Boolean(value, variant_level=1))
1021
967
1022
968
# ApprovalDelay - property
1023
969
@dbus_service_property(_interface, signature="t",
1025
971
def ApprovalDelay_dbus_property(self, value=None):
1026
972
if value is None: # get
1027
973
return dbus.UInt64(self.approval_delay_milliseconds())
1028
old_value = self.approval_delay
1029
974
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1030
975
# Emit D-Bus signal
1031
if old_value != self.approval_delay:
1032
self.PropertyChanged(dbus.String("ApprovalDelay"),
1033
dbus.UInt64(value, variant_level=1))
976
self.PropertyChanged(dbus.String("ApprovalDelay"),
977
dbus.UInt64(value, variant_level=1))
1034
978
1035
979
# ApprovalDuration - property
1036
980
@dbus_service_property(_interface, signature="t",
1039
983
if value is None: # get
1040
984
return dbus.UInt64(self._timedelta_to_milliseconds(
1041
985
self.approval_duration))
1042
old_value = self.approval_duration
1043
986
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1044
987
# Emit D-Bus signal
1045
if old_value != self.approval_duration:
1046
self.PropertyChanged(dbus.String("ApprovalDuration"),
1047
dbus.UInt64(value, variant_level=1))
988
self.PropertyChanged(dbus.String("ApprovalDuration"),
989
dbus.UInt64(value, variant_level=1))
1048
990
1049
991
# Name - property
1050
992
@dbus_service_property(_interface, signature="s", access="read")
1062
1004
def Host_dbus_property(self, value=None):
1063
1005
if value is None: # get
1064
1006
return dbus.String(self.host)
1065
old_value = self.host
1066
1007
self.host = value
1067
1008
# Emit D-Bus signal
1068
if old_value != self.host:
1069
self.PropertyChanged(dbus.String("Host"),
1070
dbus.String(value, variant_level=1))
1009
self.PropertyChanged(dbus.String("Host"),
1010
dbus.String(value, variant_level=1))
1071
1011
1072
1012
# Created - property
1073
1013
@dbus_service_property(_interface, signature="s", access="read")
1077
1017
# LastEnabled - property
1078
1018
@dbus_service_property(_interface, signature="s", access="read")
1079
1019
def LastEnabled_dbus_property(self):
1080
return self._datetime_to_dbus(self.last_enabled)
1020
if self.last_enabled is None:
1021
return dbus.String("")
1022
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1081
1023
1082
1024
# Enabled - property
1083
1025
@dbus_service_property(_interface, signature="b",
1097
1039
if value is not None:
1098
1040
self.checked_ok()
1099
1041
return
1100
return self._datetime_to_dbus(self.last_checked_ok)
1101
1102
# Expires - property
1103
@dbus_service_property(_interface, signature="s", access="read")
1104
def Expires_dbus_property(self):
1105
return self._datetime_to_dbus(self.expires)
1042
if self.last_checked_ok is None:
1043
return dbus.String("")
1044
return dbus.String(self._datetime_to_dbus(self
1045
.last_checked_ok))
1106
1046
1107
1047
# LastApprovalRequest - property
1108
1048
@dbus_service_property(_interface, signature="s", access="read")
1109
1049
def LastApprovalRequest_dbus_property(self):
1110
return self._datetime_to_dbus(self.last_approval_request)
1050
if self.last_approval_request is None:
1051
return dbus.String("")
1052
return dbus.String(self.
1053
_datetime_to_dbus(self
1054
.last_approval_request))
1111
1055
1112
1056
# Timeout - property
1113
1057
@dbus_service_property(_interface, signature="t",
1115
1059
def Timeout_dbus_property(self, value=None):
1116
1060
if value is None: # get
1117
1061
return dbus.UInt64(self.timeout_milliseconds())
1118
old_value = self.timeout
1119
1062
self.timeout = datetime.timedelta(0, 0, 0, value)
1120
1063
# Emit D-Bus signal
1121
if old_value != self.timeout:
1122
self.PropertyChanged(dbus.String("Timeout"),
1123
dbus.UInt64(value, variant_level=1))
1064
self.PropertyChanged(dbus.String("Timeout"),
1065
dbus.UInt64(value, variant_level=1))
1124
1066
if getattr(self, "disable_initiator_tag", None) is None:
1125
1067
return
1126
1068
# Reschedule timeout
1127
1069
gobject.source_remove(self.disable_initiator_tag)
1128
1070
self.disable_initiator_tag = None
1129
self.expires = None
1130
1071
time_to_die = (self.
1131
1072
_timedelta_to_milliseconds((self
1132
1073
.last_checked_ok
1137
1078
# The timeout has passed
1138
1079
self.disable()
1139
1080
else:
1140
self.expires = (datetime.datetime.utcnow()
1141
+ datetime.timedelta(milliseconds = time_to_die))
1142
1081
self.disable_initiator_tag = (gobject.timeout_add
1143
1082
(time_to_die, self.disable))
1144
1145
# ExtendedTimeout - property
1146
@dbus_service_property(_interface, signature="t",
1147
access="readwrite")
1148
def ExtendedTimeout_dbus_property(self, value=None):
1149
if value is None: # get
1150
return dbus.UInt64(self.extended_timeout_milliseconds())
1151
old_value = self.extended_timeout
1152
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1153
# Emit D-Bus signal
1154
if old_value != self.extended_timeout:
1155
self.PropertyChanged(dbus.String("ExtendedTimeout"),
1156
dbus.UInt64(value, variant_level=1))
1157
1083
1158
1084
# Interval - property
1159
1085
@dbus_service_property(_interface, signature="t",
1160
1086
access="readwrite")
1161
1087
def Interval_dbus_property(self, value=None):
1162
1088
if value is None: # get
1163
1089
return dbus.UInt64(self.interval_milliseconds())
1164
old_value = self.interval
1165
1090
self.interval = datetime.timedelta(0, 0, 0, value)
1166
1091
# Emit D-Bus signal
1167
if old_value != self.interval:
1168
self.PropertyChanged(dbus.String("Interval"),
1169
dbus.UInt64(value, variant_level=1))
1092
self.PropertyChanged(dbus.String("Interval"),
1093
dbus.UInt64(value, variant_level=1))
1170
1094
if getattr(self, "checker_initiator_tag", None) is None:
1171
1095
return
1172
1096
# Reschedule checker run
1181
1105
def Checker_dbus_property(self, value=None):
1182
1106
if value is None: # get
1183
1107
return dbus.String(self.checker_command)
1184
old_value = self.checker_command
1185
1108
self.checker_command = value
1186
1109
# Emit D-Bus signal
1187
if old_value != self.checker_command:
1188
self.PropertyChanged(dbus.String("Checker"),
1189
dbus.String(self.checker_command,
1190
variant_level=1))
1110
self.PropertyChanged(dbus.String("Checker"),
1111
dbus.String(self.checker_command,
1112
variant_level=1))
1191
1113
1192
1114
# CheckerRunning - property
1193
1115
@dbus_service_property(_interface, signature="b",
1282
1204
try:
1283
1205
if int(line.strip().split()[0]) > 1:
1284
1206
raise RuntimeError
1285
except (ValueError, IndexError, RuntimeError) as error:
1207
except (ValueError, IndexError, RuntimeError), error:
1286
1208
logger.error("Unknown protocol version: %s", error)
1287
1209
return
1288
1210
1289
1211
# Start GnuTLS connection
1290
1212
try:
1291
1213
session.handshake()
1292
except gnutls.errors.GNUTLSError as error:
1214
except gnutls.errors.GNUTLSError, error:
1293
1215
logger.warning("Handshake failed: %s", error)
1294
1216
# Do not run session.bye() here: the session is not
1295
1217
# established. Just abandon the request.
1301
1223
try:
1302
1224
fpr = self.fingerprint(self.peer_certificate
1303
1225
(session))
1304
except (TypeError,
1305
gnutls.errors.GNUTLSError) as error:
1226
except (TypeError, gnutls.errors.GNUTLSError), error:
1306
1227
logger.warning("Bad certificate: %s", error)
1307
1228
return
1308
1229
logger.debug("Fingerprint: %s", fpr)
1320
1241
1321
1242
while True:
1322
1243
if not client.enabled:
1323
logger.info("Client %s is disabled",
1244
logger.warning("Client %s is disabled",
1324
1245
client.name)
1325
1246
if self.server.use_dbus:
1326
1247
# Emit D-Bus signal
1371
1292
while sent_size < len(client.secret):
1372
1293
try:
1373
1294
sent = session.send(client.secret[sent_size:])
1374
except gnutls.errors.GNUTLSError as error:
1295
except (gnutls.errors.GNUTLSError), error:
1375
1296
logger.warning("gnutls send failed")
1376
1297
return
1377
1298
logger.debug("Sent: %d, remaining: %d",
1381
1302
1382
1303
logger.info("Sending secret to %s", client.name)
1383
1304
# bump the timeout as if seen
1384
client.checked_ok(client.extended_timeout)
1305
client.checked_ok()
1385
1306
if self.server.use_dbus:
1386
1307
# Emit D-Bus signal
1387
1308
client.GotSecret()
1391
1312
client.approvals_pending -= 1
1392
1313
try:
1393
1314
session.bye()
1394
except gnutls.errors.GNUTLSError as error:
1315
except (gnutls.errors.GNUTLSError), error:
1395
1316
logger.warning("GnuTLS bye failed")
1396
1317
1397
1318
@staticmethod
1521
1442
SO_BINDTODEVICE,
1522
1443
str(self.interface
1523
1444
+ '\0'))
1524
except socket.error as error:
1445
except socket.error, error:
1525
1446
if error[0] == errno.EPERM:
1526
1447
logger.error("No permission to"
1527
1448
" bind to interface %s",
1621
1542
client = c
1622
1543
break
1623
1544
else:
1624
logger.info("Client not found for fingerprint: %s, ad"
1625
"dress: %s", fpr, address)
1545
logger.warning("Client not found for fingerprint: %s, ad"
1546
"dress: %s", fpr, address)
1626
1547
if self.use_dbus:
1627
1548
# Emit D-Bus signal
1628
1549
mandos_dbus_service.ClientNotFound(fpr, address[0])
1692
1613
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1693
1614
else:
1694
1615
raise ValueError("Unknown suffix %r" % suffix)
1695
except (ValueError, IndexError) as e:
1616
except (ValueError, IndexError), e:
1696
1617
raise ValueError(*(e.args))
1697
1618
timevalue += delta
1698
1619
return timevalue
1848
1769
% server_settings["servicename"]))
1849
1770
1850
1771
# Parse config file with clients
1851
client_defaults = { "timeout": "5m",
1852
"extended_timeout": "15m",
1853
"interval": "2m",
1772
client_defaults = { "timeout": "1h",
1773
"interval": "5m",
1854
1774
"checker": "fping -q -- %%(host)s",
1855
1775
"host": "",
1856
1776
"approval_delay": "0s",
1896
1816
try:
1897
1817
os.setgid(gid)
1898
1818
os.setuid(uid)
1899
except OSError as error:
1819
except OSError, error:
1900
1820
if error[0] != errno.EPERM:
1901
1821
raise error
1902
1822
1946
1866
try:
1947
1867
bus_name = dbus.service.BusName("se.bsnet.fukt.Mandos",
1948
1868
bus, do_not_queue=True)
1949
except dbus.exceptions.NameExistsException as e:
1869
except dbus.exceptions.NameExistsException, e:
1950
1870
logger.error(unicode(e) + ", disabling D-Bus")
1951
1871
use_dbus = False
1952
1872
server_settings["use_dbus"] = False
2102
2022
# From the Avahi example code
2103
2023
try:
2104
2024
service.activate()
2105
except dbus.exceptions.DBusException as error:
2025
except dbus.exceptions.DBusException, error:
2106
2026
logger.critical("DBusException: %s", error)
2107
2027
cleanup()
2108
2028
sys.exit(1)
2115
2035
2116
2036
logger.debug("Starting main loop")
2117
2037
main_loop.run()
2118
except AvahiError as error:
2038
except AvahiError, error:
2119
2039
logger.critical("AvahiError: %s", error)
2120
2040
cleanup()
2121
2041
sys.exit(1)
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0