To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 482
- compare with another revision
- download diff
- download tarball
- view history from revision 482
- Committer: Teddy Hogeborn
- Date: 2011-04-02 06:37:18 UTC
- Revision ID: teddy@fukt.bsnet.se-20110402063718-13ldrcuu0t33sdc4
* mandos: Tolerate restarting Avahi servers. Also Changed to new
"except x as y" exception syntax.
(AvahiService.entry_group_state_changed_match): New; contains the
SignalMatch object.
(AvahiService.remove): Really remove the group and the signal
connection, if any.
(AvahiService.add): Always create a new group and signal connection.
(AvahiService.cleanup): Changed to simply call remove().
(AvahiService.server_state_changed): Handle and log more bad states.
(AvahiService.activate): Set "follow_name_owner_changes=True" on the
Avahi Server proxy object.
(ClientDBus.checked_ok): Do not return anything.
(ClientDBus.CheckedOK): Do not return anything, as documented.
* mandos-monitor: Call D-Bus methods asynchronously.
"except x as y" exception syntax.
(AvahiService.entry_group_state_changed_match): New; contains the
SignalMatch object.
(AvahiService.remove): Really remove the group and the signal
connection, if any.
(AvahiService.add): Always create a new group and signal connection.
(AvahiService.cleanup): Changed to simply call remove().
(AvahiService.server_state_changed): Handle and log more bad states.
(AvahiService.activate): Set "follow_name_owner_changes=True" on the
Avahi Server proxy object.
(ClientDBus.checked_ok): Do not return anything.
(ClientDBus.CheckedOK): Do not return anything, as documented.
* mandos-monitor: Call D-Bus methods asynchronously.
added
removed
mandos
82
82
SO_BINDTODEVICE = None
83
83
84
84
85
version = "1.3.1"
85
version = "1.3.0"
86
86
87
87
#logger = logging.getLogger('mandos')
88
88
logger = logging.Logger('mandos')
176
176
self.rename_count += 1
177
177
def remove(self):
178
178
"""Derived from the Avahi example code"""
179
if self.group is not None:
180
try:
181
self.group.Free()
182
except (dbus.exceptions.UnknownMethodException,
183
dbus.exceptions.DBusException) as e:
184
pass
185
self.group = None
179
186
if self.entry_group_state_changed_match is not None:
180
187
self.entry_group_state_changed_match.remove()
181
188
self.entry_group_state_changed_match = None
182
if self.group is not None:
183
self.group.Reset()
184
189
def add(self):
185
190
"""Derived from the Avahi example code"""
186
191
self.remove()
187
if self.group is None:
188
self.group = dbus.Interface(
189
self.bus.get_object(avahi.DBUS_NAME,
190
self.server.EntryGroupNew()),
191
avahi.DBUS_INTERFACE_ENTRY_GROUP)
192
self.group = dbus.Interface(
193
self.bus.get_object(avahi.DBUS_NAME,
194
self.server.EntryGroupNew(),
195
follow_name_owner_changes=True),
196
avahi.DBUS_INTERFACE_ENTRY_GROUP)
192
197
self.entry_group_state_changed_match = (
193
198
self.group.connect_to_signal(
194
199
'StateChanged', self .entry_group_state_changed))
219
224
% unicode(error))
220
225
def cleanup(self):
221
226
"""Derived from the Avahi example code"""
222
if self.group is not None:
223
try:
224
self.group.Free()
225
except (dbus.exceptions.UnknownMethodException,
226
dbus.exceptions.DBusException) as e:
227
pass
228
self.group = None
229
227
self.remove()
230
228
def server_state_changed(self, state, error=None):
231
229
"""Derived from the Avahi example code"""
238
236
avahi.SERVER_FAILURE:
239
237
"Zeroconf server failure" }
240
238
if state in bad_states:
241
if bad_states[state] is not None:
242
if error is None:
243
logger.error(bad_states[state])
244
else:
245
logger.error(bad_states[state] + ": %r", error)
246
self.cleanup()
239
if bad_states[state]:
240
logger.error(bad_states[state])
241
self.remove()
247
242
elif state == avahi.SERVER_RUNNING:
248
243
self.add()
249
244
else:
250
if error is None:
251
logger.debug("Unknown state: %r", state)
252
else:
253
logger.debug("Unknown state: %r: %r", state, error)
245
logger.debug("Unknown state: %r", state)
254
246
def activate(self):
255
247
"""Derived from the Avahi example code"""
256
248
if self.server is None:
264
256
self.server_state_changed(self.server.GetState())
265
257
266
258
267
def _timedelta_to_milliseconds(td):
268
"Convert a datetime.timedelta() to milliseconds"
269
return ((td.days * 24 * 60 * 60 * 1000)
270
+ (td.seconds * 1000)
271
+ (td.microseconds // 1000))
272
273
259
class Client(object):
274
260
"""A representation of a client host served by this server.
275
261
303
289
secret: bytestring; sent verbatim (over TLS) to client
304
290
timeout: datetime.timedelta(); How long from last_checked_ok
305
291
until this client is disabled
306
extended_timeout: extra long timeout when password has been sent
307
292
runtime_expansions: Allowed attributes for runtime expansion.
308
expires: datetime.datetime(); time (UTC) when a client will be
309
disabled, or None
310
293
"""
311
294
312
295
runtime_expansions = ("approval_delay", "approval_duration",
313
296
"created", "enabled", "fingerprint",
314
297
"host", "interval", "last_checked_ok",
315
298
"last_enabled", "name", "timeout")
316
299
300
@staticmethod
301
def _timedelta_to_milliseconds(td):
302
"Convert a datetime.timedelta() to milliseconds"
303
return ((td.days * 24 * 60 * 60 * 1000)
304
+ (td.seconds * 1000)
305
+ (td.microseconds // 1000))
306
317
307
def timeout_milliseconds(self):
318
308
"Return the 'timeout' attribute in milliseconds"
319
return _timedelta_to_milliseconds(self.timeout)
320
321
def extended_timeout_milliseconds(self):
322
"Return the 'extended_timeout' attribute in milliseconds"
323
return _timedelta_to_milliseconds(self.extended_timeout)
309
return self._timedelta_to_milliseconds(self.timeout)
324
310
325
311
def interval_milliseconds(self):
326
312
"Return the 'interval' attribute in milliseconds"
327
return _timedelta_to_milliseconds(self.interval)
313
return self._timedelta_to_milliseconds(self.interval)
328
314
329
315
def approval_delay_milliseconds(self):
330
return _timedelta_to_milliseconds(self.approval_delay)
316
return self._timedelta_to_milliseconds(self.approval_delay)
331
317
332
318
def __init__(self, name = None, disable_hook=None, config=None):
333
319
"""Note: the 'checker' key in 'config' sets the
360
346
self.last_enabled = None
361
347
self.last_checked_ok = None
362
348
self.timeout = string_to_delta(config["timeout"])
363
self.extended_timeout = string_to_delta(config["extended_timeout"])
364
349
self.interval = string_to_delta(config["interval"])
365
350
self.disable_hook = disable_hook
366
351
self.checker = None
367
352
self.checker_initiator_tag = None
368
353
self.disable_initiator_tag = None
369
self.expires = None
370
354
self.checker_callback_tag = None
371
355
self.checker_command = config["checker"]
372
356
self.current_checker_command = None
392
376
# Already enabled
393
377
return
394
378
self.send_changedstate()
379
self.last_enabled = datetime.datetime.utcnow()
395
380
# Schedule a new checker to be started an 'interval' from now,
396
381
# and every interval from then on.
397
382
self.checker_initiator_tag = (gobject.timeout_add
398
383
(self.interval_milliseconds(),
399
384
self.start_checker))
400
385
# Schedule a disable() when 'timeout' has passed
401
self.expires = datetime.datetime.utcnow() + self.timeout
402
386
self.disable_initiator_tag = (gobject.timeout_add
403
387
(self.timeout_milliseconds(),
404
388
self.disable))
405
389
self.enabled = True
406
self.last_enabled = datetime.datetime.utcnow()
407
390
# Also start a new checker *right now*.
408
391
self.start_checker()
409
392
418
401
if getattr(self, "disable_initiator_tag", False):
419
402
gobject.source_remove(self.disable_initiator_tag)
420
403
self.disable_initiator_tag = None
421
self.expires = None
422
404
if getattr(self, "checker_initiator_tag", False):
423
405
gobject.source_remove(self.checker_initiator_tag)
424
406
self.checker_initiator_tag = None
450
432
logger.warning("Checker for %(name)s crashed?",
451
433
vars(self))
452
434
453
def checked_ok(self, timeout=None):
435
def checked_ok(self):
454
436
"""Bump up the timeout for this client.
455
437
456
438
This should only be called when the client has been seen,
457
439
alive and well.
458
440
"""
459
if timeout is None:
460
timeout = self.timeout
461
441
self.last_checked_ok = datetime.datetime.utcnow()
462
442
gobject.source_remove(self.disable_initiator_tag)
463
self.expires = datetime.datetime.utcnow() + timeout
464
443
self.disable_initiator_tag = (gobject.timeout_add
465
(_timedelta_to_milliseconds(timeout),
444
(self.timeout_milliseconds(),
466
445
self.disable))
467
446
468
447
def need_approval(self):
750
729
return xmlstring
751
730
752
731
753
def datetime_to_dbus (dt, variant_level=0):
754
"""Convert a UTC datetime.datetime() to a D-Bus type."""
755
if dt is None:
756
return dbus.String("", variant_level = variant_level)
757
return dbus.String(dt.isoformat(),
758
variant_level=variant_level)
759
760
732
class ClientDBus(Client, DBusObjectWithProperties):
761
733
"""A Client class using D-Bus
762
734
784
756
DBusObjectWithProperties.__init__(self, self.bus,
785
757
self.dbus_object_path)
786
758
787
def notifychangeproperty(transform_func,
788
dbus_name, type_func=lambda x: x,
789
variant_level=1):
790
""" Modify a variable so that its a property that announce its
791
changes to DBus.
792
transform_fun: Function that takes a value and transform it to
793
DBus type.
794
dbus_name: DBus name of the variable
795
type_func: Function that transform the value before sending it
796
to DBus
797
variant_level: DBus variant level. default: 1
798
"""
799
real_value = [None,]
800
def setter(self, value):
801
old_value = real_value[0]
802
real_value[0] = value
803
if hasattr(self, "dbus_object_path"):
804
if type_func(old_value) != type_func(real_value[0]):
805
dbus_value = transform_func(type_func(real_value[0]),
806
variant_level)
807
self.PropertyChanged(dbus.String(dbus_name),
808
dbus_value)
809
810
return property(lambda self: real_value[0], setter)
811
812
813
expires = notifychangeproperty(datetime_to_dbus, "Expires")
814
approvals_pending = notifychangeproperty(dbus.Boolean,
815
"ApprovalPending",
816
type_func = bool)
817
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
818
last_enabled = notifychangeproperty(datetime_to_dbus,
819
"LastEnabled")
820
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
821
type_func = lambda checker: checker is not None)
822
last_checked_ok = notifychangeproperty(datetime_to_dbus,
823
"LastCheckedOK")
824
last_approval_request = notifychangeproperty(datetime_to_dbus,
825
"LastApprovalRequest")
826
approved_by_default = notifychangeproperty(dbus.Boolean,
827
"ApprovedByDefault")
828
approval_delay = notifychangeproperty(dbus.UInt16, "ApprovalDelay",
829
type_func = _timedelta_to_milliseconds)
830
approval_duration = notifychangeproperty(dbus.UInt16, "ApprovalDuration",
831
type_func = _timedelta_to_milliseconds)
832
host = notifychangeproperty(dbus.String, "Host")
833
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
834
type_func = _timedelta_to_milliseconds)
835
extended_timeout = notifychangeproperty(dbus.UInt16, "ExtendedTimeout",
836
type_func = _timedelta_to_milliseconds)
837
interval = notifychangeproperty(dbus.UInt16, "Interval",
838
type_func = _timedelta_to_milliseconds)
839
checker_command = notifychangeproperty(dbus.String, "Checker")
840
841
del notifychangeproperty
759
def _get_approvals_pending(self):
760
return self._approvals_pending
761
def _set_approvals_pending(self, value):
762
old_value = self._approvals_pending
763
self._approvals_pending = value
764
bval = bool(value)
765
if (hasattr(self, "dbus_object_path")
766
and bval is not bool(old_value)):
767
dbus_bool = dbus.Boolean(bval, variant_level=1)
768
self.PropertyChanged(dbus.String("ApprovalPending"),
769
dbus_bool)
770
771
approvals_pending = property(_get_approvals_pending,
772
_set_approvals_pending)
773
del _get_approvals_pending, _set_approvals_pending
774
775
@staticmethod
776
def _datetime_to_dbus(dt, variant_level=0):
777
"""Convert a UTC datetime.datetime() to a D-Bus type."""
778
return dbus.String(dt.isoformat(),
779
variant_level=variant_level)
780
781
def enable(self):
782
oldstate = getattr(self, "enabled", False)
783
r = Client.enable(self)
784
if oldstate != self.enabled:
785
# Emit D-Bus signals
786
self.PropertyChanged(dbus.String("Enabled"),
787
dbus.Boolean(True, variant_level=1))
788
self.PropertyChanged(
789
dbus.String("LastEnabled"),
790
self._datetime_to_dbus(self.last_enabled,
791
variant_level=1))
792
return r
793
794
def disable(self, quiet = False):
795
oldstate = getattr(self, "enabled", False)
796
r = Client.disable(self, quiet=quiet)
797
if not quiet and oldstate != self.enabled:
798
# Emit D-Bus signal
799
self.PropertyChanged(dbus.String("Enabled"),
800
dbus.Boolean(False, variant_level=1))
801
return r
842
802
843
803
def __del__(self, *args, **kwargs):
844
804
try:
853
813
*args, **kwargs):
854
814
self.checker_callback_tag = None
855
815
self.checker = None
816
# Emit D-Bus signal
817
self.PropertyChanged(dbus.String("CheckerRunning"),
818
dbus.Boolean(False, variant_level=1))
856
819
if os.WIFEXITED(condition):
857
820
exitstatus = os.WEXITSTATUS(condition)
858
821
# Emit D-Bus signal
867
830
868
831
return Client.checker_callback(self, pid, condition, command,
869
832
*args, **kwargs)
870
833
834
def checked_ok(self, *args, **kwargs):
835
Client.checked_ok(self, *args, **kwargs)
836
# Emit D-Bus signal
837
self.PropertyChanged(
838
dbus.String("LastCheckedOK"),
839
(self._datetime_to_dbus(self.last_checked_ok,
840
variant_level=1)))
841
842
def need_approval(self, *args, **kwargs):
843
r = Client.need_approval(self, *args, **kwargs)
844
# Emit D-Bus signal
845
self.PropertyChanged(
846
dbus.String("LastApprovalRequest"),
847
(self._datetime_to_dbus(self.last_approval_request,
848
variant_level=1)))
849
return r
850
871
851
def start_checker(self, *args, **kwargs):
872
852
old_checker = self.checker
873
853
if self.checker is not None:
880
860
and old_checker_pid != self.checker.pid):
881
861
# Emit D-Bus signal
882
862
self.CheckerStarted(self.current_checker_command)
863
self.PropertyChanged(
864
dbus.String("CheckerRunning"),
865
dbus.Boolean(True, variant_level=1))
883
866
return r
884
867
868
def stop_checker(self, *args, **kwargs):
869
old_checker = getattr(self, "checker", None)
870
r = Client.stop_checker(self, *args, **kwargs)
871
if (old_checker is not None
872
and getattr(self, "checker", None) is None):
873
self.PropertyChanged(dbus.String("CheckerRunning"),
874
dbus.Boolean(False, variant_level=1))
875
return r
876
885
877
def _reset_approved(self):
886
878
self._approved = None
887
879
return False
889
881
def approve(self, value=True):
890
882
self.send_changedstate()
891
883
self._approved = value
892
gobject.timeout_add(_timedelta_to_milliseconds
884
gobject.timeout_add(self._timedelta_to_milliseconds
893
885
(self.approval_duration),
894
886
self._reset_approved)
895
887
987
979
if value is None: # get
988
980
return dbus.Boolean(self.approved_by_default)
989
981
self.approved_by_default = bool(value)
982
# Emit D-Bus signal
983
self.PropertyChanged(dbus.String("ApprovedByDefault"),
984
dbus.Boolean(value, variant_level=1))
990
985
991
986
# ApprovalDelay - property
992
987
@dbus_service_property(_interface, signature="t",
995
990
if value is None: # get
996
991
return dbus.UInt64(self.approval_delay_milliseconds())
997
992
self.approval_delay = datetime.timedelta(0, 0, 0, value)
993
# Emit D-Bus signal
994
self.PropertyChanged(dbus.String("ApprovalDelay"),
995
dbus.UInt64(value, variant_level=1))
998
996
999
997
# ApprovalDuration - property
1000
998
@dbus_service_property(_interface, signature="t",
1001
999
access="readwrite")
1002
1000
def ApprovalDuration_dbus_property(self, value=None):
1003
1001
if value is None: # get
1004
return dbus.UInt64(_timedelta_to_milliseconds(
1002
return dbus.UInt64(self._timedelta_to_milliseconds(
1005
1003
self.approval_duration))
1006
1004
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1005
# Emit D-Bus signal
1006
self.PropertyChanged(dbus.String("ApprovalDuration"),
1007
dbus.UInt64(value, variant_level=1))
1007
1008
1008
1009
# Name - property
1009
1010
@dbus_service_property(_interface, signature="s", access="read")
1022
1023
if value is None: # get
1023
1024
return dbus.String(self.host)
1024
1025
self.host = value
1026
# Emit D-Bus signal
1027
self.PropertyChanged(dbus.String("Host"),
1028
dbus.String(value, variant_level=1))
1025
1029
1026
1030
# Created - property
1027
1031
@dbus_service_property(_interface, signature="s", access="read")
1028
1032
def Created_dbus_property(self):
1029
return dbus.String(datetime_to_dbus(self.created))
1033
return dbus.String(self._datetime_to_dbus(self.created))
1030
1034
1031
1035
# LastEnabled - property
1032
1036
@dbus_service_property(_interface, signature="s", access="read")
1033
1037
def LastEnabled_dbus_property(self):
1034
return datetime_to_dbus(self.last_enabled)
1038
if self.last_enabled is None:
1039
return dbus.String("")
1040
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1035
1041
1036
1042
# Enabled - property
1037
1043
@dbus_service_property(_interface, signature="b",
1051
1057
if value is not None:
1052
1058
self.checked_ok()
1053
1059
return
1054
return datetime_to_dbus(self.last_checked_ok)
1055
1056
# Expires - property
1057
@dbus_service_property(_interface, signature="s", access="read")
1058
def Expires_dbus_property(self):
1059
return datetime_to_dbus(self.expires)
1060
if self.last_checked_ok is None:
1061
return dbus.String("")
1062
return dbus.String(self._datetime_to_dbus(self
1063
.last_checked_ok))
1060
1064
1061
1065
# LastApprovalRequest - property
1062
1066
@dbus_service_property(_interface, signature="s", access="read")
1063
1067
def LastApprovalRequest_dbus_property(self):
1064
return datetime_to_dbus(self.last_approval_request)
1068
if self.last_approval_request is None:
1069
return dbus.String("")
1070
return dbus.String(self.
1071
_datetime_to_dbus(self
1072
.last_approval_request))
1065
1073
1066
1074
# Timeout - property
1067
1075
@dbus_service_property(_interface, signature="t",
1070
1078
if value is None: # get
1071
1079
return dbus.UInt64(self.timeout_milliseconds())
1072
1080
self.timeout = datetime.timedelta(0, 0, 0, value)
1081
# Emit D-Bus signal
1082
self.PropertyChanged(dbus.String("Timeout"),
1083
dbus.UInt64(value, variant_level=1))
1073
1084
if getattr(self, "disable_initiator_tag", None) is None:
1074
1085
return
1075
1086
# Reschedule timeout
1076
1087
gobject.source_remove(self.disable_initiator_tag)
1077
1088
self.disable_initiator_tag = None
1078
self.expires = None
1079
1089
time_to_die = (self.
1080
1090
_timedelta_to_milliseconds((self
1081
1091
.last_checked_ok
1086
1096
# The timeout has passed
1087
1097
self.disable()
1088
1098
else:
1089
self.expires = (datetime.datetime.utcnow()
1090
+ datetime.timedelta(milliseconds = time_to_die))
1091
1099
self.disable_initiator_tag = (gobject.timeout_add
1092
1100
(time_to_die, self.disable))
1093
1094
# ExtendedTimeout - property
1095
@dbus_service_property(_interface, signature="t",
1096
access="readwrite")
1097
def ExtendedTimeout_dbus_property(self, value=None):
1098
if value is None: # get
1099
return dbus.UInt64(self.extended_timeout_milliseconds())
1100
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1101
1101
1102
1102
# Interval - property
1103
1103
@dbus_service_property(_interface, signature="t",
1104
1104
access="readwrite")
1106
1106
if value is None: # get
1107
1107
return dbus.UInt64(self.interval_milliseconds())
1108
1108
self.interval = datetime.timedelta(0, 0, 0, value)
1109
# Emit D-Bus signal
1110
self.PropertyChanged(dbus.String("Interval"),
1111
dbus.UInt64(value, variant_level=1))
1109
1112
if getattr(self, "checker_initiator_tag", None) is None:
1110
1113
return
1111
1114
# Reschedule checker run
1121
1124
if value is None: # get
1122
1125
return dbus.String(self.checker_command)
1123
1126
self.checker_command = value
1127
# Emit D-Bus signal
1128
self.PropertyChanged(dbus.String("Checker"),
1129
dbus.String(self.checker_command,
1130
variant_level=1))
1124
1131
1125
1132
# CheckerRunning - property
1126
1133
@dbus_service_property(_interface, signature="b",
1253
1260
1254
1261
while True:
1255
1262
if not client.enabled:
1256
logger.info("Client %s is disabled",
1263
logger.warning("Client %s is disabled",
1257
1264
client.name)
1258
1265
if self.server.use_dbus:
1259
1266
# Emit D-Bus signal
1314
1321
1315
1322
logger.info("Sending secret to %s", client.name)
1316
1323
# bump the timeout as if seen
1317
client.checked_ok(client.extended_timeout)
1324
client.checked_ok()
1318
1325
if self.server.use_dbus:
1319
1326
# Emit D-Bus signal
1320
1327
client.GotSecret()
1554
1561
client = c
1555
1562
break
1556
1563
else:
1557
logger.info("Client not found for fingerprint: %s, ad"
1558
"dress: %s", fpr, address)
1564
logger.warning("Client not found for fingerprint: %s, ad"
1565
"dress: %s", fpr, address)
1559
1566
if self.use_dbus:
1560
1567
# Emit D-Bus signal
1561
1568
mandos_dbus_service.ClientNotFound(fpr, address[0])
1781
1788
% server_settings["servicename"]))
1782
1789
1783
1790
# Parse config file with clients
1784
client_defaults = { "timeout": "5m",
1785
"extended_timeout": "15m",
1786
"interval": "2m",
1791
client_defaults = { "timeout": "1h",
1792
"interval": "5m",
1787
1793
"checker": "fping -q -- %%(host)s",
1788
1794
"host": "",
1789
1795
"approval_delay": "0s",
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0