82
86
SO_BINDTODEVICE = None
90
stored_state_file = "clients.pickle"
87
#logger = logging.getLogger('mandos')
88
logger = logging.Logger('mandos')
92
logger = logging.getLogger()
89
93
syslogger = (logging.handlers.SysLogHandler
90
94
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
91
95
address = str("/dev/log")))
92
syslogger.setFormatter(logging.Formatter
93
('Mandos [%(process)d]: %(levelname)s:'
95
logger.addHandler(syslogger)
97
console = logging.StreamHandler()
98
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
101
logger.addHandler(console)
98
if_nametoindex = (ctypes.cdll.LoadLibrary
99
(ctypes.util.find_library("c"))
101
except (OSError, AttributeError):
102
def if_nametoindex(interface):
103
"Get an interface index the hard way, i.e. using fcntl()"
104
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
105
with contextlib.closing(socket.socket()) as s:
106
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
107
struct.pack(str("16s16x"),
109
interface_index = struct.unpack(str("I"),
111
return interface_index
114
def initlogger(level=logging.WARNING):
115
"""init logger and add loglevel"""
117
syslogger.setFormatter(logging.Formatter
118
('Mandos [%(process)d]: %(levelname)s:'
120
logger.addHandler(syslogger)
122
console = logging.StreamHandler()
123
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
127
logger.addHandler(console)
128
logger.setLevel(level)
131
class CryptoError(Exception):
135
class Crypto(object):
136
"""A simple class for OpenPGP symmetric encryption & decryption"""
138
self.gnupg = GnuPGInterface.GnuPG()
139
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
140
self.gnupg = GnuPGInterface.GnuPG()
141
self.gnupg.options.meta_interactive = False
142
self.gnupg.options.homedir = self.tempdir
143
self.gnupg.options.extra_args.extend(['--force-mdc',
149
def __exit__ (self, exc_type, exc_value, traceback):
157
if self.tempdir is not None:
158
# Delete contents of tempdir
159
for root, dirs, files in os.walk(self.tempdir,
161
for filename in files:
162
os.remove(os.path.join(root, filename))
164
os.rmdir(os.path.join(root, dirname))
166
os.rmdir(self.tempdir)
169
def password_encode(self, password):
170
# Passphrase can not be empty and can not contain newlines or
171
# NUL bytes. So we prefix it and hex encode it.
172
return b"mandos" + binascii.hexlify(password)
174
def encrypt(self, data, password):
175
self.gnupg.passphrase = self.password_encode(password)
176
with open(os.devnull) as devnull:
178
proc = self.gnupg.run(['--symmetric'],
179
create_fhs=['stdin', 'stdout'],
180
attach_fhs={'stderr': devnull})
181
with contextlib.closing(proc.handles['stdin']) as f:
183
with contextlib.closing(proc.handles['stdout']) as f:
184
ciphertext = f.read()
188
self.gnupg.passphrase = None
191
def decrypt(self, data, password):
192
self.gnupg.passphrase = self.password_encode(password)
193
with open(os.devnull) as devnull:
195
proc = self.gnupg.run(['--decrypt'],
196
create_fhs=['stdin', 'stdout'],
197
attach_fhs={'stderr': devnull})
198
with contextlib.closing(proc.handles['stdin'] ) as f:
200
with contextlib.closing(proc.handles['stdout']) as f:
201
decrypted_plaintext = f.read()
205
self.gnupg.passphrase = None
206
return decrypted_plaintext
103
210
class AvahiError(Exception):
104
211
def __init__(self, value, *args, **kwargs):
291
411
interval: datetime.timedelta(); How often to start a new checker
292
412
last_approval_request: datetime.datetime(); (UTC) or None
293
413
last_checked_ok: datetime.datetime(); (UTC) or None
415
last_checker_status: integer between 0 and 255 reflecting exit
416
status of last checker. -1 reflects crashed
294
418
last_enabled: datetime.datetime(); (UTC)
295
419
name: string; from the config file, used in log messages and
296
420
D-Bus identifiers
297
421
secret: bytestring; sent verbatim (over TLS) to client
298
422
timeout: datetime.timedelta(); How long from last_checked_ok
299
423
until this client is disabled
424
extended_timeout: extra long timeout when password has been sent
300
425
runtime_expansions: Allowed attributes for runtime expansion.
426
expires: datetime.datetime(); time (UTC) when a client will be
303
430
runtime_expansions = ("approval_delay", "approval_duration",
305
432
"host", "interval", "last_checked_ok",
306
433
"last_enabled", "name", "timeout")
309
def _timedelta_to_milliseconds(td):
310
"Convert a datetime.timedelta() to milliseconds"
311
return ((td.days * 24 * 60 * 60 * 1000)
312
+ (td.seconds * 1000)
313
+ (td.microseconds // 1000))
315
435
def timeout_milliseconds(self):
316
436
"Return the 'timeout' attribute in milliseconds"
317
return self._timedelta_to_milliseconds(self.timeout)
437
return _timedelta_to_milliseconds(self.timeout)
439
def extended_timeout_milliseconds(self):
440
"Return the 'extended_timeout' attribute in milliseconds"
441
return _timedelta_to_milliseconds(self.extended_timeout)
319
443
def interval_milliseconds(self):
320
444
"Return the 'interval' attribute in milliseconds"
321
return self._timedelta_to_milliseconds(self.interval)
445
return _timedelta_to_milliseconds(self.interval)
323
447
def approval_delay_milliseconds(self):
324
return self._timedelta_to_milliseconds(self.approval_delay)
448
return _timedelta_to_milliseconds(self.approval_delay)
326
def __init__(self, name = None, disable_hook=None, config=None):
450
def __init__(self, name = None, config=None):
327
451
"""Note: the 'checker' key in 'config' sets the
328
452
'checker_command' attribute and *not* the 'checker'
350
474
self.host = config.get("host", "")
351
475
self.created = datetime.datetime.utcnow()
353
477
self.last_approval_request = None
354
self.last_enabled = None
478
self.last_enabled = datetime.datetime.utcnow()
355
479
self.last_checked_ok = None
480
self.last_checker_status = None
356
481
self.timeout = string_to_delta(config["timeout"])
482
self.extended_timeout = string_to_delta(config
483
["extended_timeout"])
357
484
self.interval = string_to_delta(config["interval"])
358
self.disable_hook = disable_hook
359
485
self.checker = None
360
486
self.checker_initiator_tag = None
361
487
self.disable_initiator_tag = None
488
self.expires = datetime.datetime.utcnow() + self.timeout
362
489
self.checker_callback_tag = None
363
490
self.checker_command = config["checker"]
364
491
self.current_checker_command = None
365
self.last_connect = None
366
492
self._approved = None
367
493
self.approved_by_default = config.get("approved_by_default",
371
497
config["approval_delay"])
372
498
self.approval_duration = string_to_delta(
373
499
config["approval_duration"])
374
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
500
self.changedstate = (multiprocessing_manager
501
.Condition(multiprocessing_manager
503
self.client_structure = [attr for attr in
504
self.__dict__.iterkeys()
505
if not attr.startswith("_")]
506
self.client_structure.append("client_structure")
508
for name, t in inspect.getmembers(type(self),
512
if not name.startswith("_"):
513
self.client_structure.append(name)
515
# Send notice to process children that client state has changed
376
516
def send_changedstate(self):
377
self.changedstate.acquire()
378
self.changedstate.notify_all()
379
self.changedstate.release()
517
with self.changedstate:
518
self.changedstate.notify_all()
381
520
def enable(self):
382
521
"""Start this client's checker and timeout hooks"""
383
522
if getattr(self, "enabled", False):
384
523
# Already enabled
386
525
self.send_changedstate()
526
self.expires = datetime.datetime.utcnow() + self.timeout
387
528
self.last_enabled = datetime.datetime.utcnow()
388
# Schedule a new checker to be started an 'interval' from now,
389
# and every interval from then on.
390
self.checker_initiator_tag = (gobject.timeout_add
391
(self.interval_milliseconds(),
393
# Schedule a disable() when 'timeout' has passed
394
self.disable_initiator_tag = (gobject.timeout_add
395
(self.timeout_milliseconds(),
398
# Also start a new checker *right now*.
401
531
def disable(self, quiet=True):
402
532
"""Disable this client."""
409
539
if getattr(self, "disable_initiator_tag", False):
410
540
gobject.source_remove(self.disable_initiator_tag)
411
541
self.disable_initiator_tag = None
412
543
if getattr(self, "checker_initiator_tag", False):
413
544
gobject.source_remove(self.checker_initiator_tag)
414
545
self.checker_initiator_tag = None
415
546
self.stop_checker()
416
if self.disable_hook:
417
self.disable_hook(self)
418
547
self.enabled = False
419
548
# Do not run this again if called by a gobject.timeout_add
422
551
def __del__(self):
423
self.disable_hook = None
554
def init_checker(self):
555
# Schedule a new checker to be started an 'interval' from now,
556
# and every interval from then on.
557
self.checker_initiator_tag = (gobject.timeout_add
558
(self.interval_milliseconds(),
560
# Schedule a disable() when 'timeout' has passed
561
self.disable_initiator_tag = (gobject.timeout_add
562
(self.timeout_milliseconds(),
564
# Also start a new checker *right now*.
426
567
def checker_callback(self, pid, condition, command):
427
568
"""The checker has completed, so take appropriate actions."""
428
569
self.checker_callback_tag = None
429
570
self.checker = None
430
571
if os.WIFEXITED(condition):
431
exitstatus = os.WEXITSTATUS(condition)
572
self.last_checker_status = os.WEXITSTATUS(condition)
573
if self.last_checker_status == 0:
433
574
logger.info("Checker for %(name)s succeeded",
435
576
self.checked_ok()
437
578
logger.info("Checker for %(name)s failed",
581
self.last_checker_status = -1
440
582
logger.warning("Checker for %(name)s crashed?",
443
def checked_ok(self):
585
def checked_ok(self, timeout=None):
444
586
"""Bump up the timeout for this client.
446
588
This should only be called when the client has been seen,
592
timeout = self.timeout
449
593
self.last_checked_ok = datetime.datetime.utcnow()
450
gobject.source_remove(self.disable_initiator_tag)
451
self.disable_initiator_tag = (gobject.timeout_add
452
(self.timeout_milliseconds(),
594
if self.disable_initiator_tag is not None:
595
gobject.source_remove(self.disable_initiator_tag)
596
if getattr(self, "enabled", False):
597
self.disable_initiator_tag = (gobject.timeout_add
598
(_timedelta_to_milliseconds
599
(timeout), self.disable))
600
self.expires = datetime.datetime.utcnow() + timeout
455
602
def need_approval(self):
456
603
self.last_approval_request = datetime.datetime.utcnow()
612
760
def _get_all_dbus_properties(self):
613
761
"""Returns a generator of (name, attribute) pairs
615
return ((prop._dbus_name, prop)
763
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
764
for cls in self.__class__.__mro__
616
765
for name, prop in
617
inspect.getmembers(self, self._is_dbus_property))
766
inspect.getmembers(cls, self._is_dbus_property))
619
768
def _get_dbus_property(self, interface_name, property_name):
620
769
"""Returns a bound method if one exists which is a D-Bus
621
770
property with the specified name and interface.
623
for name in (property_name,
624
property_name + "_dbus_property"):
625
prop = getattr(self, name, None)
627
or not self._is_dbus_property(prop)
628
or prop._dbus_name != property_name
629
or (interface_name and prop._dbus_interface
630
and interface_name != prop._dbus_interface)):
772
for cls in self.__class__.__mro__:
773
for name, value in (inspect.getmembers
774
(cls, self._is_dbus_property)):
775
if (value._dbus_name == property_name
776
and value._dbus_interface == interface_name):
777
return value.__get__(self)
633
779
# No such property
634
780
raise DBusPropertyNotFound(self.dbus_object_path + ":"
635
781
+ interface_name + "."
886
def datetime_to_dbus (dt, variant_level=0):
887
"""Convert a UTC datetime.datetime() to a D-Bus type."""
889
return dbus.String("", variant_level = variant_level)
890
return dbus.String(dt.isoformat(),
891
variant_level=variant_level)
894
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
896
"""Applied to an empty subclass of a D-Bus object, this metaclass
897
will add additional D-Bus attributes matching a certain pattern.
899
def __new__(mcs, name, bases, attr):
900
# Go through all the base classes which could have D-Bus
901
# methods, signals, or properties in them
902
for base in (b for b in bases
903
if issubclass(b, dbus.service.Object)):
904
# Go though all attributes of the base class
905
for attrname, attribute in inspect.getmembers(base):
906
# Ignore non-D-Bus attributes, and D-Bus attributes
907
# with the wrong interface name
908
if (not hasattr(attribute, "_dbus_interface")
909
or not attribute._dbus_interface
910
.startswith("se.recompile.Mandos")):
912
# Create an alternate D-Bus interface name based on
914
alt_interface = (attribute._dbus_interface
915
.replace("se.recompile.Mandos",
916
"se.bsnet.fukt.Mandos"))
917
# Is this a D-Bus signal?
918
if getattr(attribute, "_dbus_is_signal", False):
919
# Extract the original non-method function by
921
nonmethod_func = (dict(
922
zip(attribute.func_code.co_freevars,
923
attribute.__closure__))["func"]
925
# Create a new, but exactly alike, function
926
# object, and decorate it to be a new D-Bus signal
927
# with the alternate D-Bus interface name
928
new_function = (dbus.service.signal
930
attribute._dbus_signature)
932
nonmethod_func.func_code,
933
nonmethod_func.func_globals,
934
nonmethod_func.func_name,
935
nonmethod_func.func_defaults,
936
nonmethod_func.func_closure)))
937
# Define a creator of a function to call both the
938
# old and new functions, so both the old and new
939
# signals gets sent when the function is called
940
def fixscope(func1, func2):
941
"""This function is a scope container to pass
942
func1 and func2 to the "call_both" function
943
outside of its arguments"""
944
def call_both(*args, **kwargs):
945
"""This function will emit two D-Bus
946
signals by calling func1 and func2"""
947
func1(*args, **kwargs)
948
func2(*args, **kwargs)
950
# Create the "call_both" function and add it to
952
attr[attrname] = fixscope(attribute,
954
# Is this a D-Bus method?
955
elif getattr(attribute, "_dbus_is_method", False):
956
# Create a new, but exactly alike, function
957
# object. Decorate it to be a new D-Bus method
958
# with the alternate D-Bus interface name. Add it
960
attr[attrname] = (dbus.service.method
962
attribute._dbus_in_signature,
963
attribute._dbus_out_signature)
965
(attribute.func_code,
966
attribute.func_globals,
968
attribute.func_defaults,
969
attribute.func_closure)))
970
# Is this a D-Bus property?
971
elif getattr(attribute, "_dbus_is_property", False):
972
# Create a new, but exactly alike, function
973
# object, and decorate it to be a new D-Bus
974
# property with the alternate D-Bus interface
975
# name. Add it to the class.
976
attr[attrname] = (dbus_service_property
978
attribute._dbus_signature,
979
attribute._dbus_access,
981
._dbus_get_args_options
984
(attribute.func_code,
985
attribute.func_globals,
987
attribute.func_defaults,
988
attribute.func_closure)))
989
return type.__new__(mcs, name, bases, attr)
740
992
class ClientDBus(Client, DBusObjectWithProperties):
741
993
"""A Client class using D-Bus
764
1017
DBusObjectWithProperties.__init__(self, self.bus,
765
1018
self.dbus_object_path)
767
def _get_approvals_pending(self):
768
return self._approvals_pending
769
def _set_approvals_pending(self, value):
770
old_value = self._approvals_pending
771
self._approvals_pending = value
773
if (hasattr(self, "dbus_object_path")
774
and bval is not bool(old_value)):
775
dbus_bool = dbus.Boolean(bval, variant_level=1)
776
self.PropertyChanged(dbus.String("ApprovalPending"),
779
approvals_pending = property(_get_approvals_pending,
780
_set_approvals_pending)
781
del _get_approvals_pending, _set_approvals_pending
784
def _datetime_to_dbus(dt, variant_level=0):
785
"""Convert a UTC datetime.datetime() to a D-Bus type."""
786
return dbus.String(dt.isoformat(),
787
variant_level=variant_level)
790
oldstate = getattr(self, "enabled", False)
791
r = Client.enable(self)
792
if oldstate != self.enabled:
794
self.PropertyChanged(dbus.String("Enabled"),
795
dbus.Boolean(True, variant_level=1))
796
self.PropertyChanged(
797
dbus.String("LastEnabled"),
798
self._datetime_to_dbus(self.last_enabled,
802
def disable(self, quiet = False):
803
oldstate = getattr(self, "enabled", False)
804
r = Client.disable(self, quiet=quiet)
805
if not quiet and oldstate != self.enabled:
807
self.PropertyChanged(dbus.String("Enabled"),
808
dbus.Boolean(False, variant_level=1))
1020
def notifychangeproperty(transform_func,
1021
dbus_name, type_func=lambda x: x,
1023
""" Modify a variable so that it's a property which announces
1024
its changes to DBus.
1026
transform_fun: Function that takes a value and a variant_level
1027
and transforms it to a D-Bus type.
1028
dbus_name: D-Bus name of the variable
1029
type_func: Function that transform the value before sending it
1030
to the D-Bus. Default: no transform
1031
variant_level: D-Bus variant level. Default: 1
1033
attrname = "_{0}".format(dbus_name)
1034
def setter(self, value):
1035
if hasattr(self, "dbus_object_path"):
1036
if (not hasattr(self, attrname) or
1037
type_func(getattr(self, attrname, None))
1038
!= type_func(value)):
1039
dbus_value = transform_func(type_func(value),
1042
self.PropertyChanged(dbus.String(dbus_name),
1044
setattr(self, attrname, value)
1046
return property(lambda self: getattr(self, attrname), setter)
1049
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1050
approvals_pending = notifychangeproperty(dbus.Boolean,
1053
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1054
last_enabled = notifychangeproperty(datetime_to_dbus,
1056
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1057
type_func = lambda checker:
1058
checker is not None)
1059
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1061
last_approval_request = notifychangeproperty(
1062
datetime_to_dbus, "LastApprovalRequest")
1063
approved_by_default = notifychangeproperty(dbus.Boolean,
1064
"ApprovedByDefault")
1065
approval_delay = notifychangeproperty(dbus.UInt16,
1068
_timedelta_to_milliseconds)
1069
approval_duration = notifychangeproperty(
1070
dbus.UInt16, "ApprovalDuration",
1071
type_func = _timedelta_to_milliseconds)
1072
host = notifychangeproperty(dbus.String, "Host")
1073
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
1075
_timedelta_to_milliseconds)
1076
extended_timeout = notifychangeproperty(
1077
dbus.UInt16, "ExtendedTimeout",
1078
type_func = _timedelta_to_milliseconds)
1079
interval = notifychangeproperty(dbus.UInt16,
1082
_timedelta_to_milliseconds)
1083
checker_command = notifychangeproperty(dbus.String, "Checker")
1085
del notifychangeproperty
811
1087
def __del__(self, *args, **kwargs):
839
1112
return Client.checker_callback(self, pid, condition, command,
840
1113
*args, **kwargs)
842
def checked_ok(self, *args, **kwargs):
843
Client.checked_ok(self, *args, **kwargs)
845
self.PropertyChanged(
846
dbus.String("LastCheckedOK"),
847
(self._datetime_to_dbus(self.last_checked_ok,
850
def need_approval(self, *args, **kwargs):
851
r = Client.need_approval(self, *args, **kwargs)
853
self.PropertyChanged(
854
dbus.String("LastApprovalRequest"),
855
(self._datetime_to_dbus(self.last_approval_request,
859
1115
def start_checker(self, *args, **kwargs):
860
1116
old_checker = self.checker
861
1117
if self.checker is not None:
868
1124
and old_checker_pid != self.checker.pid):
869
1125
# Emit D-Bus signal
870
1126
self.CheckerStarted(self.current_checker_command)
871
self.PropertyChanged(
872
dbus.String("CheckerRunning"),
873
dbus.Boolean(True, variant_level=1))
876
def stop_checker(self, *args, **kwargs):
877
old_checker = getattr(self, "checker", None)
878
r = Client.stop_checker(self, *args, **kwargs)
879
if (old_checker is not None
880
and getattr(self, "checker", None) is None):
881
self.PropertyChanged(dbus.String("CheckerRunning"),
882
dbus.Boolean(False, variant_level=1))
885
1129
def _reset_approved(self):
886
1130
self._approved = None
998
1247
if value is None: # get
999
1248
return dbus.UInt64(self.approval_delay_milliseconds())
1000
1249
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1002
self.PropertyChanged(dbus.String("ApprovalDelay"),
1003
dbus.UInt64(value, variant_level=1))
1005
1251
# ApprovalDuration - property
1006
1252
@dbus_service_property(_interface, signature="t",
1007
1253
access="readwrite")
1008
1254
def ApprovalDuration_dbus_property(self, value=None):
1009
1255
if value is None: # get
1010
return dbus.UInt64(self._timedelta_to_milliseconds(
1256
return dbus.UInt64(_timedelta_to_milliseconds(
1011
1257
self.approval_duration))
1012
1258
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1014
self.PropertyChanged(dbus.String("ApprovalDuration"),
1015
dbus.UInt64(value, variant_level=1))
1017
1260
# Name - property
1018
1261
@dbus_service_property(_interface, signature="s", access="read")
1031
1274
if value is None: # get
1032
1275
return dbus.String(self.host)
1033
1276
self.host = value
1035
self.PropertyChanged(dbus.String("Host"),
1036
dbus.String(value, variant_level=1))
1038
1278
# Created - property
1039
1279
@dbus_service_property(_interface, signature="s", access="read")
1040
1280
def Created_dbus_property(self):
1041
return dbus.String(self._datetime_to_dbus(self.created))
1281
return dbus.String(datetime_to_dbus(self.created))
1043
1283
# LastEnabled - property
1044
1284
@dbus_service_property(_interface, signature="s", access="read")
1045
1285
def LastEnabled_dbus_property(self):
1046
if self.last_enabled is None:
1047
return dbus.String("")
1048
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1286
return datetime_to_dbus(self.last_enabled)
1050
1288
# Enabled - property
1051
1289
@dbus_service_property(_interface, signature="b",
1086
1322
if value is None: # get
1087
1323
return dbus.UInt64(self.timeout_milliseconds())
1088
1324
self.timeout = datetime.timedelta(0, 0, 0, value)
1090
self.PropertyChanged(dbus.String("Timeout"),
1091
dbus.UInt64(value, variant_level=1))
1092
1325
if getattr(self, "disable_initiator_tag", None) is None:
1094
1327
# Reschedule timeout
1095
1328
gobject.source_remove(self.disable_initiator_tag)
1096
1329
self.disable_initiator_tag = None
1097
time_to_die = (self.
1098
_timedelta_to_milliseconds((self
1331
time_to_die = _timedelta_to_milliseconds((self
1103
1336
if time_to_die <= 0:
1104
1337
# The timeout has passed
1340
self.expires = (datetime.datetime.utcnow()
1341
+ datetime.timedelta(milliseconds =
1107
1343
self.disable_initiator_tag = (gobject.timeout_add
1108
1344
(time_to_die, self.disable))
1346
# ExtendedTimeout - property
1347
@dbus_service_property(_interface, signature="t",
1349
def ExtendedTimeout_dbus_property(self, value=None):
1350
if value is None: # get
1351
return dbus.UInt64(self.extended_timeout_milliseconds())
1352
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1110
1354
# Interval - property
1111
1355
@dbus_service_property(_interface, signature="t",
1112
1356
access="readwrite")
1200
1441
unicode(self.client_address))
1201
1442
logger.debug("Pipe FD: %d",
1202
1443
self.server.child_pipe.fileno())
1204
1445
session = (gnutls.connection
1205
1446
.ClientSession(self.request,
1206
1447
gnutls.connection
1207
1448
.X509Credentials()))
1209
1450
# Note: gnutls.connection.X509Credentials is really a
1210
1451
# generic GnuTLS certificate credentials object so long as
1211
1452
# no X.509 keys are added to it. Therefore, we can use it
1212
1453
# here despite using OpenPGP certificates.
1214
1455
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1215
1456
# "+AES-256-CBC", "+SHA1",
1216
1457
# "+COMP-NULL", "+CTYPE-OPENPGP",
1428
1677
This function creates a new pipe in self.pipe
1430
1679
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1432
super(MultiprocessingMixInWithPipe,
1433
self).process_request(request, client_address)
1681
proc = MultiprocessingMixIn.process_request(self, request,
1434
1683
self.child_pipe.close()
1435
self.add_pipe(parent_pipe)
1437
def add_pipe(self, parent_pipe):
1684
self.add_pipe(parent_pipe, proc)
1686
def add_pipe(self, parent_pipe, proc):
1438
1687
"""Dummy function; override as necessary"""
1439
1688
raise NotImplementedError
1441
1691
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1442
1692
socketserver.TCPServer, object):
1443
1693
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1527
1777
def server_activate(self):
1528
1778
if self.enabled:
1529
1779
return socketserver.TCPServer.server_activate(self)
1530
1781
def enable(self):
1531
1782
self.enabled = True
1532
def add_pipe(self, parent_pipe):
1784
def add_pipe(self, parent_pipe, proc):
1533
1785
# Call "handle_ipc" for both data and EOF events
1534
1786
gobject.io_add_watch(parent_pipe.fileno(),
1535
1787
gobject.IO_IN | gobject.IO_HUP,
1536
1788
functools.partial(self.handle_ipc,
1537
parent_pipe = parent_pipe))
1539
1793
def handle_ipc(self, source, condition, parent_pipe=None,
1540
client_object=None):
1794
proc = None, client_object=None):
1541
1795
condition_names = {
1542
1796
gobject.IO_IN: "IN", # There is data to read.
1543
1797
gobject.IO_OUT: "OUT", # Data can be written (without
1573
1829
"dress: %s", fpr, address)
1574
1830
if self.use_dbus:
1575
1831
# Emit D-Bus signal
1576
mandos_dbus_service.ClientNotFound(fpr, address[0])
1832
mandos_dbus_service.ClientNotFound(fpr,
1577
1834
parent_pipe.send(False)
1580
1837
gobject.io_add_watch(parent_pipe.fileno(),
1581
1838
gobject.IO_IN | gobject.IO_HUP,
1582
1839
functools.partial(self.handle_ipc,
1583
parent_pipe = parent_pipe,
1584
client_object = client))
1585
1845
parent_pipe.send(True)
1586
# remove the old hook in favor of the new above hook on same fileno
1846
# remove the old hook in favor of the new above hook on
1588
1849
if command == 'funcall':
1589
1850
funcname = request[1]
1590
1851
args = request[2]
1591
1852
kwargs = request[3]
1593
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1854
parent_pipe.send(('data', getattr(client_object,
1595
1858
if command == 'getattr':
1596
1859
attrname = request[1]
1597
1860
if callable(client_object.__getattribute__(attrname)):
1598
1861
parent_pipe.send(('function',))
1600
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1863
parent_pipe.send(('data', client_object
1864
.__getattribute__(attrname)))
1602
1866
if command == 'setattr':
1603
1867
attrname = request[1]
1604
1868
value = request[2]
1605
1869
setattr(client_object, attrname, value)
1646
1910
return timevalue
1649
def if_nametoindex(interface):
1650
"""Call the C function if_nametoindex(), or equivalent
1652
Note: This function cannot accept a unicode string."""
1653
global if_nametoindex
1655
if_nametoindex = (ctypes.cdll.LoadLibrary
1656
(ctypes.util.find_library("c"))
1658
except (OSError, AttributeError):
1659
logger.warning("Doing if_nametoindex the hard way")
1660
def if_nametoindex(interface):
1661
"Get an interface index the hard way, i.e. using fcntl()"
1662
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1663
with contextlib.closing(socket.socket()) as s:
1664
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1665
struct.pack(str("16s16x"),
1667
interface_index = struct.unpack(str("I"),
1669
return interface_index
1670
return if_nametoindex(interface)
1673
1913
def daemon(nochdir = False, noclose = False):
1674
1914
"""See daemon(3). Standard BSD Unix function.
1891
2144
# End of Avahi example code
1894
bus_name = dbus.service.BusName("se.bsnet.fukt.Mandos",
2147
bus_name = dbus.service.BusName("se.recompile.Mandos",
1895
2148
bus, do_not_queue=True)
2149
old_bus_name = (dbus.service.BusName
2150
("se.bsnet.fukt.Mandos", bus,
1896
2152
except dbus.exceptions.NameExistsException as e:
1897
2153
logger.error(unicode(e) + ", disabling D-Bus")
1898
2154
use_dbus = False
1899
2155
server_settings["use_dbus"] = False
1900
2156
tcp_server.use_dbus = False
1901
2157
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1902
service = AvahiService(name = server_settings["servicename"],
1903
servicetype = "_mandos._tcp",
1904
protocol = protocol, bus = bus)
2158
service = AvahiServiceToSyslog(name =
2159
server_settings["servicename"],
2160
servicetype = "_mandos._tcp",
2161
protocol = protocol, bus = bus)
1905
2162
if server_settings["interface"]:
1906
2163
service.interface = (if_nametoindex
1907
2164
(str(server_settings["interface"])))
1912
2169
client_class = Client
1914
client_class = functools.partial(ClientDBus, bus = bus)
1915
def client_config_items(config, section):
1916
special_settings = {
1917
"approved_by_default":
1918
lambda: config.getboolean(section,
1919
"approved_by_default"),
1921
for name, value in config.items(section):
2171
client_class = functools.partial(ClientDBusTransitional,
2174
special_settings = {
2175
# Some settings need to be accessd by special methods;
2176
# booleans need .getboolean(), etc. Here is a list of them:
2177
"approved_by_default":
2179
client_config.getboolean(section, "approved_by_default"),
2181
# Construct a new dict of client settings of this form:
2182
# { client_name: {setting_name: value, ...}, ...}
2183
# with exceptions for any special settings as defined above
2184
client_settings = dict((clientname,
2187
if setting not in special_settings
2188
else special_settings[setting]
2190
for setting, value in
2191
client_config.items(clientname)))
2192
for clientname in client_config.sections())
2194
old_client_settings = {}
2197
# Get client data and settings from last running state.
2198
if server_settings["restore"]:
2200
with open(stored_state_path, "rb") as stored_state:
2201
clients_data, old_client_settings = (pickle.load
2203
os.remove(stored_state_path)
2204
except IOError as e:
2205
logger.warning("Could not load persistent state: {0}"
2207
if e.errno != errno.ENOENT:
2210
with Crypto() as crypt:
2211
for client in clients_data:
2212
client_name = client["name"]
2214
# Decide which value to use after restoring saved state.
2215
# We have three different values: Old config file,
2216
# new config file, and saved state.
2217
# New config value takes precedence if it differs from old
2218
# config value, otherwise use saved state.
2219
for name, value in client_settings[client_name].items():
2221
# For each value in new config, check if it
2222
# differs from the old config value (Except for
2223
# the "secret" attribute)
2224
if (name != "secret" and
2225
value != old_client_settings[client_name]
2227
setattr(client, name, value)
2231
# Clients who has passed its expire date can still be
2232
# enabled if its last checker was sucessful. Clients
2233
# whose checker failed before we stored its state is
2234
# assumed to have failed all checkers during downtime.
2235
if client["enabled"] and client["last_checked_ok"]:
2236
if ((datetime.datetime.utcnow()
2237
- client["last_checked_ok"])
2238
> client["interval"]):
2239
if client["last_checker_status"] != 0:
2240
client["enabled"] = False
2242
client["expires"] = (datetime.datetime
2244
+ client["timeout"])
2246
client["changedstate"] = (multiprocessing_manager
2248
(multiprocessing_manager
2251
new_client = (ClientDBusTransitional.__new__
2252
(ClientDBusTransitional))
2253
tcp_server.clients[client_name] = new_client
2254
new_client.bus = bus
2255
for name, value in client.iteritems():
2256
setattr(new_client, name, value)
2257
client_object_name = unicode(client_name).translate(
2258
{ord("."): ord("_"),
2259
ord("-"): ord("_")})
2260
new_client.dbus_object_path = (dbus.ObjectPath
2262
+ client_object_name))
2263
DBusObjectWithProperties.__init__(new_client,
2268
tcp_server.clients[client_name] = (Client.__new__
2270
for name, value in client.iteritems():
2271
setattr(tcp_server.clients[client_name],
1923
yield (name, special_settings[name]())
1927
tcp_server.clients.update(set(
1928
client_class(name = section,
1929
config= dict(client_config_items(
1930
client_config, section)))
1931
for section in client_config.sections()))
2275
tcp_server.clients[client_name].secret = (
2276
crypt.decrypt(tcp_server.clients[client_name]
2278
client_settings[client_name]
2281
# If decryption fails, we use secret from new settings
2282
tcp_server.clients[client_name].secret = (
2283
client_settings[client_name]["secret"])
2285
# Create/remove clients based on new changes made to config
2286
for clientname in set(old_client_settings) - set(client_settings):
2287
del tcp_server.clients[clientname]
2288
for clientname in set(client_settings) - set(old_client_settings):
2289
tcp_server.clients[clientname] = (client_class(name
1932
2295
if not tcp_server.clients:
1933
2296
logger.warning("No clients defined")
2007
mandos_dbus_service = MandosDBusService()
2371
class MandosDBusServiceTransitional(MandosDBusService):
2372
__metaclass__ = AlternateDBusNamesMetaclass
2373
mandos_dbus_service = MandosDBusServiceTransitional()
2010
2376
"Cleanup function; run on exit"
2011
2377
service.cleanup()
2379
multiprocessing.active_children()
2380
if not (tcp_server.clients or client_settings):
2383
# Store client before exiting. Secrets are encrypted with key
2384
# based on what config file has. If config file is
2385
# removed/edited, old secret will thus be unrecovable.
2387
with Crypto() as crypt:
2388
for client in tcp_server.clients.itervalues():
2389
key = client_settings[client.name]["secret"]
2390
client.encrypted_secret = crypt.encrypt(client.secret,
2394
# A list of attributes that will not be stored when
2396
exclude = set(("bus", "changedstate", "secret"))
2397
for name, typ in (inspect.getmembers
2398
(dbus.service.Object)):
2401
client_dict["encrypted_secret"] = (client
2403
for attr in client.client_structure:
2404
if attr not in exclude:
2405
client_dict[attr] = getattr(client, attr)
2407
clients.append(client_dict)
2408
del client_settings[client.name]["secret"]
2411
with os.fdopen(os.open(stored_state_path,
2412
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2413
0600), "wb") as stored_state:
2414
pickle.dump((clients, client_settings), stored_state)
2415
except (IOError, OSError) as e:
2416
logger.warning("Could not save persistent state: {0}"
2418
if e.errno not in (errno.ENOENT, errno.EACCES):
2421
# Delete all clients, and settings from config
2013
2422
while tcp_server.clients:
2014
client = tcp_server.clients.pop()
2423
name, client = tcp_server.clients.popitem()
2016
2425
client.remove_from_connection()
2017
client.disable_hook = None
2018
2426
# Don't signal anything except ClientRemoved
2019
2427
client.disable(quiet=True)
2021
2429
# Emit D-Bus signal
2022
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2430
mandos_dbus_service.ClientRemoved(client
2433
client_settings.clear()
2025
2435
atexit.register(cleanup)
2027
for client in tcp_server.clients:
2437
for client in tcp_server.clients.itervalues():
2029
2439
# Emit D-Bus signal
2030
2440
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2441
# Need to initiate checking of clients
2443
client.init_checker()
2033
2445
tcp_server.enable()
2034
2446
tcp_server.server_activate()