To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 518.2.3
- compare with another revision
- download diff
- download tarball
- view history from revision 518.2.3
- Committer: Teddy Hogeborn
- Date: 2011-11-26 23:08:17 UTC
- mto: (518.1.8 mandos-persistent)
- mto: This revision was merged to the branch mainline in revision 524.
- Revision ID: teddy@recompile.se-20111126230817-tv08v831s2yltbkd
Make "enabled" a client config option.
* DBUS-API: Fix wording on "Expires" option.
* clients.conf (enabled): New.
* mandos (Client): "last_enabled" can now be None.
(Client.__init__): Get "enabled" from config. Only set
"last_enabled" and "expires" if enabled.
(ClientDBus.Created_dbus_property): Removed redundant dbus.String().
(ClientDBus.Interval_dbus_property): If changed, only reschedule
checker if enabled.
(main/special_settings): Added "enabled".
* mandos-clients.conf (OPTIONS): Added "enabled".
* DBUS-API: Fix wording on "Expires" option.
* clients.conf (enabled): New.
* mandos (Client): "last_enabled" can now be None.
(Client.__init__): Get "enabled" from config. Only set
"last_enabled" and "expires" if enabled.
(ClientDBus.Created_dbus_property): Removed redundant dbus.String().
(ClientDBus.Interval_dbus_property): If changed, only reschedule
checker if enabled.
(main/special_settings): Added "enabled".
* mandos-clients.conf (OPTIONS): Added "enabled".
- files added:
- debian/source/local-options
- files modified:
- DBUS-API
added
removed
mandos
63
63
import cPickle as pickle
64
64
import multiprocessing
65
65
import types
66
import binascii
67
import tempfile
66
68
67
69
import dbus
68
70
import dbus.service
73
75
import ctypes.util
74
76
import xml.dom.minidom
75
77
import inspect
78
import GnuPGInterface
76
79
77
80
try:
78
81
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
83
86
SO_BINDTODEVICE = None
84
87
85
88
86
version = "1.3.1"
89
version = "1.4.1"
90
stored_state_file = "clients.pickle"
87
91
88
#logger = logging.getLogger('mandos')
89
logger = logging.Logger('mandos')
92
logger = logging.getLogger()
90
93
syslogger = (logging.handlers.SysLogHandler
91
94
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
92
95
address = str("/dev/log")))
93
syslogger.setFormatter(logging.Formatter
94
('Mandos [%(process)d]: %(levelname)s:'
95
' %(message)s'))
96
logger.addHandler(syslogger)
97
98
console = logging.StreamHandler()
99
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
100
' %(levelname)s:'
101
' %(message)s'))
102
logger.addHandler(console)
96
97
try:
98
if_nametoindex = (ctypes.cdll.LoadLibrary
99
(ctypes.util.find_library("c"))
100
.if_nametoindex)
101
except (OSError, AttributeError):
102
def if_nametoindex(interface):
103
"Get an interface index the hard way, i.e. using fcntl()"
104
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
105
with contextlib.closing(socket.socket()) as s:
106
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
107
struct.pack(str("16s16x"),
108
interface))
109
interface_index = struct.unpack(str("I"),
110
ifreq[16:20])[0]
111
return interface_index
112
113
114
def initlogger(level=logging.WARNING):
115
"""init logger and add loglevel"""
116
117
syslogger.setFormatter(logging.Formatter
118
('Mandos [%(process)d]: %(levelname)s:'
119
' %(message)s'))
120
logger.addHandler(syslogger)
121
122
console = logging.StreamHandler()
123
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
124
' [%(process)d]:'
125
' %(levelname)s:'
126
' %(message)s'))
127
logger.addHandler(console)
128
logger.setLevel(level)
129
130
131
class CryptoError(Exception):
132
pass
133
134
135
class Crypto(object):
136
"""A simple class for OpenPGP symmetric encryption & decryption"""
137
def __init__(self):
138
self.gnupg = GnuPGInterface.GnuPG()
139
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
140
self.gnupg = GnuPGInterface.GnuPG()
141
self.gnupg.options.meta_interactive = False
142
self.gnupg.options.homedir = self.tempdir
143
self.gnupg.options.extra_args.extend(['--force-mdc',
144
'--quiet'])
145
146
def __enter__(self):
147
return self
148
149
def __exit__ (self, exc_type, exc_value, traceback):
150
self._cleanup()
151
return False
152
153
def __del__(self):
154
self._cleanup()
155
156
def _cleanup(self):
157
if self.tempdir is not None:
158
# Delete contents of tempdir
159
for root, dirs, files in os.walk(self.tempdir,
160
topdown = False):
161
for filename in files:
162
os.remove(os.path.join(root, filename))
163
for dirname in dirs:
164
os.rmdir(os.path.join(root, dirname))
165
# Remove tempdir
166
os.rmdir(self.tempdir)
167
self.tempdir = None
168
169
def password_encode(self, password):
170
# Passphrase can not be empty and can not contain newlines or
171
# NUL bytes. So we prefix it and hex encode it.
172
return b"mandos" + binascii.hexlify(password)
173
174
def encrypt(self, data, password):
175
self.gnupg.passphrase = self.password_encode(password)
176
with open(os.devnull) as devnull:
177
try:
178
proc = self.gnupg.run(['--symmetric'],
179
create_fhs=['stdin', 'stdout'],
180
attach_fhs={'stderr': devnull})
181
with contextlib.closing(proc.handles['stdin']) as f:
182
f.write(data)
183
with contextlib.closing(proc.handles['stdout']) as f:
184
ciphertext = f.read()
185
proc.wait()
186
except IOError as e:
187
raise CryptoError(e)
188
self.gnupg.passphrase = None
189
return ciphertext
190
191
def decrypt(self, data, password):
192
self.gnupg.passphrase = self.password_encode(password)
193
with open(os.devnull) as devnull:
194
try:
195
proc = self.gnupg.run(['--decrypt'],
196
create_fhs=['stdin', 'stdout'],
197
attach_fhs={'stderr': devnull})
198
with contextlib.closing(proc.handles['stdin'] ) as f:
199
f.write(data)
200
with contextlib.closing(proc.handles['stdout']) as f:
201
decrypted_plaintext = f.read()
202
proc.wait()
203
except IOError as e:
204
raise CryptoError(e)
205
self.gnupg.passphrase = None
206
return decrypted_plaintext
207
208
103
209
104
210
class AvahiError(Exception):
105
211
def __init__(self, value, *args, **kwargs):
160
266
" after %i retries, exiting.",
161
267
self.rename_count)
162
268
raise AvahiServiceError("Too many renames")
163
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
269
self.name = unicode(self.server
270
.GetAlternativeServiceName(self.name))
164
271
logger.info("Changing Zeroconf service name to %r ...",
165
272
self.name)
166
syslogger.setFormatter(logging.Formatter
167
('Mandos (%s) [%%(process)d]:'
168
' %%(levelname)s: %%(message)s'
169
% self.name))
170
273
self.remove()
171
274
try:
172
275
self.add()
192
295
avahi.DBUS_INTERFACE_ENTRY_GROUP)
193
296
self.entry_group_state_changed_match = (
194
297
self.group.connect_to_signal(
195
'StateChanged', self .entry_group_state_changed))
298
'StateChanged', self.entry_group_state_changed))
196
299
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
197
300
self.name, self.type)
198
301
self.group.AddService(
224
327
try:
225
328
self.group.Free()
226
329
except (dbus.exceptions.UnknownMethodException,
227
dbus.exceptions.DBusException) as e:
330
dbus.exceptions.DBusException):
228
331
pass
229
332
self.group = None
230
333
self.remove()
264
367
self.server_state_changed)
265
368
self.server_state_changed(self.server.GetState())
266
369
370
class AvahiServiceToSyslog(AvahiService):
371
def rename(self):
372
"""Add the new name to the syslog messages"""
373
ret = AvahiService.rename(self)
374
syslogger.setFormatter(logging.Formatter
375
('Mandos (%s) [%%(process)d]:'
376
' %%(levelname)s: %%(message)s'
377
% self.name))
378
return ret
267
379
268
380
def _timedelta_to_milliseconds(td):
269
381
"Convert a datetime.timedelta() to milliseconds"
288
400
instance %(name)s can be used in the command.
289
401
checker_initiator_tag: a gobject event source tag, or None
290
402
created: datetime.datetime(); (UTC) object creation
403
client_structure: Object describing what attributes a client has
404
and is used for storing the client at exit
291
405
current_checker_command: string; current running checker_command
292
disable_hook: If set, called by disable() as disable_hook(self)
293
406
disable_initiator_tag: a gobject event source tag, or None
294
407
enabled: bool()
295
408
fingerprint: string (40 or 32 hexadecimal digits); used to
298
411
interval: datetime.timedelta(); How often to start a new checker
299
412
last_approval_request: datetime.datetime(); (UTC) or None
300
413
last_checked_ok: datetime.datetime(); (UTC) or None
301
last_enabled: datetime.datetime(); (UTC)
414
415
last_checker_status: integer between 0 and 255 reflecting exit
416
status of last checker. -1 reflects crashed
417
checker, or None.
418
last_enabled: datetime.datetime(); (UTC) or None
302
419
name: string; from the config file, used in log messages and
303
420
D-Bus identifiers
304
421
secret: bytestring; sent verbatim (over TLS) to client
321
438
322
439
def extended_timeout_milliseconds(self):
323
440
"Return the 'extended_timeout' attribute in milliseconds"
324
return _timedelta_to_milliseconds(self.extended_timeout)
441
return _timedelta_to_milliseconds(self.extended_timeout)
325
442
326
443
def interval_milliseconds(self):
327
444
"Return the 'interval' attribute in milliseconds"
330
447
def approval_delay_milliseconds(self):
331
448
return _timedelta_to_milliseconds(self.approval_delay)
332
449
333
def __init__(self, name = None, disable_hook=None, config=None):
450
def __init__(self, name = None, config=None):
334
451
"""Note: the 'checker' key in 'config' sets the
335
452
'checker_command' attribute and *not* the 'checker'
336
453
attribute."""
356
473
% self.name)
357
474
self.host = config.get("host", "")
358
475
self.created = datetime.datetime.utcnow()
359
self.enabled = False
476
self.enabled = config.get("enabled", True)
360
477
self.last_approval_request = None
361
self.last_enabled = None
478
if self.enabled:
479
self.last_enabled = datetime.datetime.utcnow()
480
else:
481
self.last_enabled = None
362
482
self.last_checked_ok = None
483
self.last_checker_status = None
363
484
self.timeout = string_to_delta(config["timeout"])
364
self.extended_timeout = string_to_delta(config["extended_timeout"])
485
self.extended_timeout = string_to_delta(config
486
["extended_timeout"])
365
487
self.interval = string_to_delta(config["interval"])
366
self.disable_hook = disable_hook
367
488
self.checker = None
368
489
self.checker_initiator_tag = None
369
490
self.disable_initiator_tag = None
370
self.expires = None
491
if self.enabled:
492
self.expires = datetime.datetime.utcnow() + self.timeout
493
else:
494
self.expires = None
371
495
self.checker_callback_tag = None
372
496
self.checker_command = config["checker"]
373
497
self.current_checker_command = None
374
self.last_connect = None
375
498
self._approved = None
376
499
self.approved_by_default = config.get("approved_by_default",
377
500
True)
380
503
config["approval_delay"])
381
504
self.approval_duration = string_to_delta(
382
505
config["approval_duration"])
383
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
506
self.changedstate = (multiprocessing_manager
507
.Condition(multiprocessing_manager
508
.Lock()))
509
self.client_structure = [attr for attr in
510
self.__dict__.iterkeys()
511
if not attr.startswith("_")]
512
self.client_structure.append("client_structure")
513
514
for name, t in inspect.getmembers(type(self),
515
lambda obj:
516
isinstance(obj,
517
property)):
518
if not name.startswith("_"):
519
self.client_structure.append(name)
384
520
521
# Send notice to process children that client state has changed
385
522
def send_changedstate(self):
386
self.changedstate.acquire()
387
self.changedstate.notify_all()
388
self.changedstate.release()
389
523
with self.changedstate:
524
self.changedstate.notify_all()
525
390
526
def enable(self):
391
527
"""Start this client's checker and timeout hooks"""
392
528
if getattr(self, "enabled", False):
393
529
# Already enabled
394
530
return
395
531
self.send_changedstate()
396
# Schedule a new checker to be started an 'interval' from now,
397
# and every interval from then on.
398
self.checker_initiator_tag = (gobject.timeout_add
399
(self.interval_milliseconds(),
400
self.start_checker))
401
# Schedule a disable() when 'timeout' has passed
402
532
self.expires = datetime.datetime.utcnow() + self.timeout
403
self.disable_initiator_tag = (gobject.timeout_add
404
(self.timeout_milliseconds(),
405
self.disable))
406
533
self.enabled = True
407
534
self.last_enabled = datetime.datetime.utcnow()
408
# Also start a new checker *right now*.
409
self.start_checker()
535
self.init_checker()
410
536
411
537
def disable(self, quiet=True):
412
538
"""Disable this client."""
424
550
gobject.source_remove(self.checker_initiator_tag)
425
551
self.checker_initiator_tag = None
426
552
self.stop_checker()
427
if self.disable_hook:
428
self.disable_hook(self)
429
553
self.enabled = False
430
554
# Do not run this again if called by a gobject.timeout_add
431
555
return False
432
556
433
557
def __del__(self):
434
self.disable_hook = None
435
558
self.disable()
436
559
560
def init_checker(self):
561
# Schedule a new checker to be started an 'interval' from now,
562
# and every interval from then on.
563
self.checker_initiator_tag = (gobject.timeout_add
564
(self.interval_milliseconds(),
565
self.start_checker))
566
# Schedule a disable() when 'timeout' has passed
567
self.disable_initiator_tag = (gobject.timeout_add
568
(self.timeout_milliseconds(),
569
self.disable))
570
# Also start a new checker *right now*.
571
self.start_checker()
572
437
573
def checker_callback(self, pid, condition, command):
438
574
"""The checker has completed, so take appropriate actions."""
439
575
self.checker_callback_tag = None
440
576
self.checker = None
441
577
if os.WIFEXITED(condition):
442
exitstatus = os.WEXITSTATUS(condition)
443
if exitstatus == 0:
578
self.last_checker_status = os.WEXITSTATUS(condition)
579
if self.last_checker_status == 0:
444
580
logger.info("Checker for %(name)s succeeded",
445
581
vars(self))
446
582
self.checked_ok()
448
584
logger.info("Checker for %(name)s failed",
449
585
vars(self))
450
586
else:
587
self.last_checker_status = -1
451
588
logger.warning("Checker for %(name)s crashed?",
452
589
vars(self))
453
590
460
597
if timeout is None:
461
598
timeout = self.timeout
462
599
self.last_checked_ok = datetime.datetime.utcnow()
463
gobject.source_remove(self.disable_initiator_tag)
464
self.expires = datetime.datetime.utcnow() + timeout
465
self.disable_initiator_tag = (gobject.timeout_add
466
(_timedelta_to_milliseconds(timeout),
467
self.disable))
600
if self.disable_initiator_tag is not None:
601
gobject.source_remove(self.disable_initiator_tag)
602
if getattr(self, "enabled", False):
603
self.disable_initiator_tag = (gobject.timeout_add
604
(_timedelta_to_milliseconds
605
(timeout), self.disable))
606
self.expires = datetime.datetime.utcnow() + timeout
468
607
469
608
def need_approval(self):
470
609
self.last_approval_request = datetime.datetime.utcnow()
629
768
"""
630
769
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
631
770
for cls in self.__class__.__mro__
632
for name, prop in inspect.getmembers(cls, self._is_dbus_property))
771
for name, prop in
772
inspect.getmembers(cls, self._is_dbus_property))
633
773
634
774
def _get_dbus_property(self, interface_name, property_name):
635
775
"""Returns a bound method if one exists which is a D-Bus
636
776
property with the specified name and interface.
637
777
"""
638
778
for cls in self.__class__.__mro__:
639
for name, value in inspect.getmembers(cls, self._is_dbus_property):
640
if value._dbus_name == property_name and value._dbus_interface == interface_name:
779
for name, value in (inspect.getmembers
780
(cls, self._is_dbus_property)):
781
if (value._dbus_name == property_name
782
and value._dbus_interface == interface_name):
641
783
return value.__get__(self)
642
784
643
785
# No such property
682
824
683
825
Note: Will not include properties with access="write".
684
826
"""
685
all = {}
827
properties = {}
686
828
for name, prop in self._get_all_dbus_properties():
687
829
if (interface_name
688
830
and interface_name != prop._dbus_interface):
693
835
continue
694
836
value = prop()
695
837
if not hasattr(value, "variant_level"):
696
all[name] = value
838
properties[name] = value
697
839
continue
698
all[name] = type(value)(value, variant_level=
699
value.variant_level+1)
700
return dbus.Dictionary(all, signature="sv")
840
properties[name] = type(value)(value, variant_level=
841
value.variant_level+1)
842
return dbus.Dictionary(properties, signature="sv")
701
843
702
844
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
703
845
out_signature="s",
754
896
return dbus.String(dt.isoformat(),
755
897
variant_level=variant_level)
756
898
757
class AlternateDBusNamesMetaclass(DBusObjectWithProperties.__metaclass__):
899
900
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
901
.__metaclass__):
758
902
"""Applied to an empty subclass of a D-Bus object, this metaclass
759
903
will add additional D-Bus attributes matching a certain pattern.
760
904
"""
850
994
attribute.func_closure)))
851
995
return type.__new__(mcs, name, bases, attr)
852
996
997
853
998
class ClientDBus(Client, DBusObjectWithProperties):
854
999
"""A Client class using D-Bus
855
1000
864
1009
# dbus.service.Object doesn't use super(), so we can't either.
865
1010
866
1011
def __init__(self, bus = None, *args, **kwargs):
1012
self.bus = bus
1013
Client.__init__(self, *args, **kwargs)
1014
867
1015
self._approvals_pending = 0
868
self.bus = bus
869
Client.__init__(self, *args, **kwargs)
870
1016
# Only now, when this client is initialized, can it show up on
871
1017
# the D-Bus
872
1018
client_object_name = unicode(self.name).translate(
882
1028
variant_level=1):
883
1029
""" Modify a variable so that it's a property which announces
884
1030
its changes to DBus.
885
886
transform_fun: Function that takes a value and transforms it
887
to a D-Bus type.
1031
1032
transform_fun: Function that takes a value and a variant_level
1033
and transforms it to a D-Bus type.
888
1034
dbus_name: D-Bus name of the variable
889
1035
type_func: Function that transform the value before sending it
890
1036
to the D-Bus. Default: no transform
891
1037
variant_level: D-Bus variant level. Default: 1
892
1038
"""
893
real_value = [None,]
1039
attrname = "_{0}".format(dbus_name)
894
1040
def setter(self, value):
895
old_value = real_value[0]
896
real_value[0] = value
897
1041
if hasattr(self, "dbus_object_path"):
898
if type_func(old_value) != type_func(real_value[0]):
899
dbus_value = transform_func(type_func(real_value[0]),
900
variant_level)
1042
if (not hasattr(self, attrname) or
1043
type_func(getattr(self, attrname, None))
1044
!= type_func(value)):
1045
dbus_value = transform_func(type_func(value),
1046
variant_level
1047
=variant_level)
901
1048
self.PropertyChanged(dbus.String(dbus_name),
902
1049
dbus_value)
1050
setattr(self, attrname, value)
903
1051
904
return property(lambda self: real_value[0], setter)
1052
return property(lambda self: getattr(self, attrname), setter)
905
1053
906
1054
907
1055
expires = notifychangeproperty(datetime_to_dbus, "Expires")
912
1060
last_enabled = notifychangeproperty(datetime_to_dbus,
913
1061
"LastEnabled")
914
1062
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
915
type_func = lambda checker: checker is not None)
1063
type_func = lambda checker:
1064
checker is not None)
916
1065
last_checked_ok = notifychangeproperty(datetime_to_dbus,
917
1066
"LastCheckedOK")
918
last_approval_request = notifychangeproperty(datetime_to_dbus,
919
"LastApprovalRequest")
1067
last_approval_request = notifychangeproperty(
1068
datetime_to_dbus, "LastApprovalRequest")
920
1069
approved_by_default = notifychangeproperty(dbus.Boolean,
921
1070
"ApprovedByDefault")
922
approval_delay = notifychangeproperty(dbus.UInt16, "ApprovalDelay",
923
type_func = _timedelta_to_milliseconds)
924
approval_duration = notifychangeproperty(dbus.UInt16, "ApprovalDuration",
925
type_func = _timedelta_to_milliseconds)
1071
approval_delay = notifychangeproperty(dbus.UInt16,
1072
"ApprovalDelay",
1073
type_func =
1074
_timedelta_to_milliseconds)
1075
approval_duration = notifychangeproperty(
1076
dbus.UInt16, "ApprovalDuration",
1077
type_func = _timedelta_to_milliseconds)
926
1078
host = notifychangeproperty(dbus.String, "Host")
927
1079
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
928
type_func = _timedelta_to_milliseconds)
929
extended_timeout = notifychangeproperty(dbus.UInt16, "ExtendedTimeout",
930
type_func = _timedelta_to_milliseconds)
931
interval = notifychangeproperty(dbus.UInt16, "Interval",
932
type_func = _timedelta_to_milliseconds)
1080
type_func =
1081
_timedelta_to_milliseconds)
1082
extended_timeout = notifychangeproperty(
1083
dbus.UInt16, "ExtendedTimeout",
1084
type_func = _timedelta_to_milliseconds)
1085
interval = notifychangeproperty(dbus.UInt16,
1086
"Interval",
1087
type_func =
1088
_timedelta_to_milliseconds)
933
1089
checker_command = notifychangeproperty(dbus.String, "Checker")
934
1090
935
1091
del notifychangeproperty
1032
1188
"D-Bus signal"
1033
1189
return self.need_approval()
1034
1190
1191
# NeRwequest - signal
1192
@dbus.service.signal(_interface, signature="s")
1193
def NewRequest(self, ip):
1194
"""D-Bus signal
1195
Is sent after a client request a password.
1196
"""
1197
pass
1198
1035
1199
## Methods
1036
1200
1037
1201
# Approve - method
1120
1284
# Created - property
1121
1285
@dbus_service_property(_interface, signature="s", access="read")
1122
1286
def Created_dbus_property(self):
1123
return dbus.String(datetime_to_dbus(self.created))
1287
return datetime_to_dbus(self.created)
1124
1288
1125
1289
# LastEnabled - property
1126
1290
@dbus_service_property(_interface, signature="s", access="read")
1170
1334
gobject.source_remove(self.disable_initiator_tag)
1171
1335
self.disable_initiator_tag = None
1172
1336
self.expires = None
1173
time_to_die = (self.
1174
_timedelta_to_milliseconds((self
1175
.last_checked_ok
1176
+ self.timeout)
1177
- datetime.datetime
1178
.utcnow()))
1337
time_to_die = _timedelta_to_milliseconds((self
1338
.last_checked_ok
1339
+ self.timeout)
1340
- datetime.datetime
1341
.utcnow())
1179
1342
if time_to_die <= 0:
1180
1343
# The timeout has passed
1181
1344
self.disable()
1182
1345
else:
1183
1346
self.expires = (datetime.datetime.utcnow()
1184
+ datetime.timedelta(milliseconds = time_to_die))
1347
+ datetime.timedelta(milliseconds =
1348
time_to_die))
1185
1349
self.disable_initiator_tag = (gobject.timeout_add
1186
1350
(time_to_die, self.disable))
1187
1351
1202
1366
self.interval = datetime.timedelta(0, 0, 0, value)
1203
1367
if getattr(self, "checker_initiator_tag", None) is None:
1204
1368
return
1205
# Reschedule checker run
1206
gobject.source_remove(self.checker_initiator_tag)
1207
self.checker_initiator_tag = (gobject.timeout_add
1208
(value, self.start_checker))
1209
self.start_checker() # Start one now, too
1369
if self.enabled:
1370
# Reschedule checker run
1371
gobject.source_remove(self.checker_initiator_tag)
1372
self.checker_initiator_tag = (gobject.timeout_add
1373
(value, self.start_checker))
1374
self.start_checker() # Start one now, too
1210
1375
1211
1376
# Checker - property
1212
1377
@dbus_service_property(_interface, signature="s",
1266
1431
return super(ProxyClient, self).__setattr__(name, value)
1267
1432
self._pipe.send(('setattr', name, value))
1268
1433
1434
1269
1435
class ClientDBusTransitional(ClientDBus):
1270
1436
__metaclass__ = AlternateDBusNamesMetaclass
1271
1437
1438
1272
1439
class ClientHandler(socketserver.BaseRequestHandler, object):
1273
1440
"""A class to handle client connections.
1274
1441
1335
1502
logger.warning("Bad certificate: %s", error)
1336
1503
return
1337
1504
logger.debug("Fingerprint: %s", fpr)
1505
if self.server.use_dbus:
1506
# Emit D-Bus signal
1507
client.NewRequest(str(self.client_address))
1338
1508
1339
1509
try:
1340
1510
client = ProxyClient(child_pipe, fpr,
1353
1523
client.name)
1354
1524
if self.server.use_dbus:
1355
1525
# Emit D-Bus signal
1356
client.Rejected("Disabled")
1526
client.Rejected("Disabled")
1357
1527
return
1358
1528
1359
1529
if client._approved or not client.approval_delay:
1376
1546
return
1377
1547
1378
1548
#wait until timeout or approved
1379
#x = float(client._timedelta_to_milliseconds(delay))
1380
1549
time = datetime.datetime.now()
1381
1550
client.changedstate.acquire()
1382
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1551
(client.changedstate.wait
1552
(float(client._timedelta_to_milliseconds(delay)
1553
/ 1000)))
1383
1554
client.changedstate.release()
1384
1555
time2 = datetime.datetime.now()
1385
1556
if (time2 - time) >= delay:
1409
1580
sent_size += sent
1410
1581
1411
1582
logger.info("Sending secret to %s", client.name)
1412
# bump the timeout as if seen
1583
# bump the timeout using extended_timeout
1413
1584
client.checked_ok(client.extended_timeout)
1414
1585
if self.server.use_dbus:
1415
1586
# Emit D-Bus signal
1483
1654
# Convert the buffer to a Python bytestring
1484
1655
fpr = ctypes.string_at(buf, buf_len.value)
1485
1656
# Convert the bytestring to hexadecimal notation
1486
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1657
hex_fpr = binascii.hexlify(fpr).upper()
1487
1658
return hex_fpr
1488
1659
1489
1660
1495
1666
except:
1496
1667
self.handle_error(request, address)
1497
1668
self.close_request(request)
1498
1669
1499
1670
def process_request(self, request, address):
1500
1671
"""Start a new process to process the request."""
1501
multiprocessing.Process(target = self.sub_process_main,
1502
args = (request, address)).start()
1672
proc = multiprocessing.Process(target = self.sub_process_main,
1673
args = (request,
1674
address))
1675
proc.start()
1676
return proc
1503
1677
1504
1678
1505
1679
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1511
1685
"""
1512
1686
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1513
1687
1514
super(MultiprocessingMixInWithPipe,
1515
self).process_request(request, client_address)
1688
proc = MultiprocessingMixIn.process_request(self, request,
1689
client_address)
1516
1690
self.child_pipe.close()
1517
self.add_pipe(parent_pipe)
1691
self.add_pipe(parent_pipe, proc)
1518
1692
1519
def add_pipe(self, parent_pipe):
1693
def add_pipe(self, parent_pipe, proc):
1520
1694
"""Dummy function; override as necessary"""
1521
1695
raise NotImplementedError
1522
1696
1600
1774
self.enabled = False
1601
1775
self.clients = clients
1602
1776
if self.clients is None:
1603
self.clients = set()
1777
self.clients = {}
1604
1778
self.use_dbus = use_dbus
1605
1779
self.gnutls_priority = gnutls_priority
1606
1780
IPv6_TCPServer.__init__(self, server_address,
1610
1784
def server_activate(self):
1611
1785
if self.enabled:
1612
1786
return socketserver.TCPServer.server_activate(self)
1787
1613
1788
def enable(self):
1614
1789
self.enabled = True
1615
def add_pipe(self, parent_pipe):
1790
1791
def add_pipe(self, parent_pipe, proc):
1616
1792
# Call "handle_ipc" for both data and EOF events
1617
1793
gobject.io_add_watch(parent_pipe.fileno(),
1618
1794
gobject.IO_IN | gobject.IO_HUP,
1619
1795
functools.partial(self.handle_ipc,
1620
parent_pipe = parent_pipe))
1621
1796
parent_pipe =
1797
parent_pipe,
1798
proc = proc))
1799
1622
1800
def handle_ipc(self, source, condition, parent_pipe=None,
1623
client_object=None):
1801
proc = None, client_object=None):
1624
1802
condition_names = {
1625
1803
gobject.IO_IN: "IN", # There is data to read.
1626
1804
gobject.IO_OUT: "OUT", # Data can be written (without
1635
1813
for cond, name in
1636
1814
condition_names.iteritems()
1637
1815
if cond & condition)
1638
# error or the other end of multiprocessing.Pipe has closed
1816
# error, or the other end of multiprocessing.Pipe has closed
1639
1817
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1818
# Wait for other process to exit
1819
proc.join()
1640
1820
return False
1641
1821
1642
1822
# Read a request from the child
1647
1827
fpr = request[1]
1648
1828
address = request[2]
1649
1829
1650
for c in self.clients:
1830
for c in self.clients.itervalues():
1651
1831
if c.fingerprint == fpr:
1652
1832
client = c
1653
1833
break
1656
1836
"dress: %s", fpr, address)
1657
1837
if self.use_dbus:
1658
1838
# Emit D-Bus signal
1659
mandos_dbus_service.ClientNotFound(fpr, address[0])
1839
mandos_dbus_service.ClientNotFound(fpr,
1840
address[0])
1660
1841
parent_pipe.send(False)
1661
1842
return False
1662
1843
1663
1844
gobject.io_add_watch(parent_pipe.fileno(),
1664
1845
gobject.IO_IN | gobject.IO_HUP,
1665
1846
functools.partial(self.handle_ipc,
1666
parent_pipe = parent_pipe,
1667
client_object = client))
1847
parent_pipe =
1848
parent_pipe,
1849
proc = proc,
1850
client_object =
1851
client))
1668
1852
parent_pipe.send(True)
1669
# remove the old hook in favor of the new above hook on same fileno
1853
# remove the old hook in favor of the new above hook on
1854
# same fileno
1670
1855
return False
1671
1856
if command == 'funcall':
1672
1857
funcname = request[1]
1673
1858
args = request[2]
1674
1859
kwargs = request[3]
1675
1860
1676
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1861
parent_pipe.send(('data', getattr(client_object,
1862
funcname)(*args,
1863
**kwargs)))
1677
1864
1678
1865
if command == 'getattr':
1679
1866
attrname = request[1]
1680
1867
if callable(client_object.__getattribute__(attrname)):
1681
1868
parent_pipe.send(('function',))
1682
1869
else:
1683
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1870
parent_pipe.send(('data', client_object
1871
.__getattribute__(attrname)))
1684
1872
1685
1873
if command == 'setattr':
1686
1874
attrname = request[1]
1729
1917
return timevalue
1730
1918
1731
1919
1732
def if_nametoindex(interface):
1733
"""Call the C function if_nametoindex(), or equivalent
1734
1735
Note: This function cannot accept a unicode string."""
1736
global if_nametoindex
1737
try:
1738
if_nametoindex = (ctypes.cdll.LoadLibrary
1739
(ctypes.util.find_library("c"))
1740
.if_nametoindex)
1741
except (OSError, AttributeError):
1742
logger.warning("Doing if_nametoindex the hard way")
1743
def if_nametoindex(interface):
1744
"Get an interface index the hard way, i.e. using fcntl()"
1745
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1746
with contextlib.closing(socket.socket()) as s:
1747
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1748
struct.pack(str("16s16x"),
1749
interface))
1750
interface_index = struct.unpack(str("I"),
1751
ifreq[16:20])[0]
1752
return interface_index
1753
return if_nametoindex(interface)
1754
1755
1756
1920
def daemon(nochdir = False, noclose = False):
1757
1921
"""See daemon(3). Standard BSD Unix function.
1758
1922
1813
1977
" system bus interface")
1814
1978
parser.add_argument("--no-ipv6", action="store_false",
1815
1979
dest="use_ipv6", help="Do not use IPv6")
1980
parser.add_argument("--no-restore", action="store_false",
1981
dest="restore", help="Do not restore stored"
1982
" state")
1983
parser.add_argument("--statedir", metavar="DIR",
1984
help="Directory to save/restore state in")
1985
1816
1986
options = parser.parse_args()
1817
1987
1818
1988
if options.check:
1831
2001
"use_dbus": "True",
1832
2002
"use_ipv6": "True",
1833
2003
"debuglevel": "",
2004
"restore": "True",
2005
"statedir": "/var/lib/mandos"
1834
2006
}
1835
2007
1836
2008
# Parse config file for server-global settings
1853
2025
# options, if set.
1854
2026
for option in ("interface", "address", "port", "debug",
1855
2027
"priority", "servicename", "configdir",
1856
"use_dbus", "use_ipv6", "debuglevel"):
2028
"use_dbus", "use_ipv6", "debuglevel", "restore",
2029
"statedir"):
1857
2030
value = getattr(options, option)
1858
2031
if value is not None:
1859
2032
server_settings[option] = value
1871
2044
debuglevel = server_settings["debuglevel"]
1872
2045
use_dbus = server_settings["use_dbus"]
1873
2046
use_ipv6 = server_settings["use_ipv6"]
2047
stored_state_path = os.path.join(server_settings["statedir"],
2048
stored_state_file)
2049
2050
if debug:
2051
initlogger(logging.DEBUG)
2052
else:
2053
if not debuglevel:
2054
initlogger()
2055
else:
2056
level = getattr(logging, debuglevel.upper())
2057
initlogger(level)
1874
2058
1875
2059
if server_settings["servicename"] != "Mandos":
1876
2060
syslogger.setFormatter(logging.Formatter
1931
2115
if error[0] != errno.EPERM:
1932
2116
raise error
1933
2117
1934
if not debug and not debuglevel:
1935
syslogger.setLevel(logging.WARNING)
1936
console.setLevel(logging.WARNING)
1937
if debuglevel:
1938
level = getattr(logging, debuglevel.upper())
1939
syslogger.setLevel(level)
1940
console.setLevel(level)
1941
1942
2118
if debug:
1943
2119
# Enable all possible GnuTLS debugging
1944
2120
1977
2153
try:
1978
2154
bus_name = dbus.service.BusName("se.recompile.Mandos",
1979
2155
bus, do_not_queue=True)
1980
old_bus_name = dbus.service.BusName("se.bsnet.fukt.Mandos",
1981
bus, do_not_queue=True)
2156
old_bus_name = (dbus.service.BusName
2157
("se.bsnet.fukt.Mandos", bus,
2158
do_not_queue=True))
1982
2159
except dbus.exceptions.NameExistsException as e:
1983
2160
logger.error(unicode(e) + ", disabling D-Bus")
1984
2161
use_dbus = False
1985
2162
server_settings["use_dbus"] = False
1986
2163
tcp_server.use_dbus = False
1987
2164
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1988
service = AvahiService(name = server_settings["servicename"],
1989
servicetype = "_mandos._tcp",
1990
protocol = protocol, bus = bus)
2165
service = AvahiServiceToSyslog(name =
2166
server_settings["servicename"],
2167
servicetype = "_mandos._tcp",
2168
protocol = protocol, bus = bus)
1991
2169
if server_settings["interface"]:
1992
2170
service.interface = (if_nametoindex
1993
2171
(str(server_settings["interface"])))
1997
2175
1998
2176
client_class = Client
1999
2177
if use_dbus:
2000
client_class = functools.partial(ClientDBusTransitional, bus = bus)
2001
def client_config_items(config, section):
2002
special_settings = {
2003
"approved_by_default":
2004
lambda: config.getboolean(section,
2005
"approved_by_default"),
2006
}
2007
for name, value in config.items(section):
2178
client_class = functools.partial(ClientDBusTransitional,
2179
bus = bus)
2180
2181
special_settings = {
2182
# Some settings need to be accessd by special methods;
2183
# booleans need .getboolean(), etc. Here is a list of them:
2184
"approved_by_default":
2185
lambda section:
2186
client_config.getboolean(section, "approved_by_default"),
2187
"enabled":
2188
lambda section:
2189
client_config.getboolean(section, "enabled"),
2190
}
2191
# Construct a new dict of client settings of this form:
2192
# { client_name: {setting_name: value, ...}, ...}
2193
# with exceptions for any special settings as defined above
2194
client_settings = dict((clientname,
2195
dict((setting,
2196
(value
2197
if setting not in special_settings
2198
else special_settings[setting]
2199
(clientname)))
2200
for setting, value in
2201
client_config.items(clientname)))
2202
for clientname in client_config.sections())
2203
2204
old_client_settings = {}
2205
clients_data = []
2206
2207
# Get client data and settings from last running state.
2208
if server_settings["restore"]:
2209
try:
2210
with open(stored_state_path, "rb") as stored_state:
2211
clients_data, old_client_settings = (pickle.load
2212
(stored_state))
2213
os.remove(stored_state_path)
2214
except IOError as e:
2215
logger.warning("Could not load persistent state: {0}"
2216
.format(e))
2217
if e.errno != errno.ENOENT:
2218
raise
2219
2220
with Crypto() as crypt:
2221
for client in clients_data:
2222
client_name = client["name"]
2223
2224
# Decide which value to use after restoring saved state.
2225
# We have three different values: Old config file,
2226
# new config file, and saved state.
2227
# New config value takes precedence if it differs from old
2228
# config value, otherwise use saved state.
2229
for name, value in client_settings[client_name].items():
2230
try:
2231
# For each value in new config, check if it
2232
# differs from the old config value (Except for
2233
# the "secret" attribute)
2234
if (name != "secret" and
2235
value != old_client_settings[client_name]
2236
[name]):
2237
setattr(client, name, value)
2238
except KeyError:
2239
pass
2240
2241
# Clients who has passed its expire date can still be
2242
# enabled if its last checker was sucessful. Clients
2243
# whose checker failed before we stored its state is
2244
# assumed to have failed all checkers during downtime.
2245
if client["enabled"] and client["last_checked_ok"]:
2246
if ((datetime.datetime.utcnow()
2247
- client["last_checked_ok"])
2248
> client["interval"]):
2249
if client["last_checker_status"] != 0:
2250
client["enabled"] = False
2251
else:
2252
client["expires"] = (datetime.datetime
2253
.utcnow()
2254
+ client["timeout"])
2255
2256
client["changedstate"] = (multiprocessing_manager
2257
.Condition
2258
(multiprocessing_manager
2259
.Lock()))
2260
if use_dbus:
2261
new_client = (ClientDBusTransitional.__new__
2262
(ClientDBusTransitional))
2263
tcp_server.clients[client_name] = new_client
2264
new_client.bus = bus
2265
for name, value in client.iteritems():
2266
setattr(new_client, name, value)
2267
client_object_name = unicode(client_name).translate(
2268
{ord("."): ord("_"),
2269
ord("-"): ord("_")})
2270
new_client.dbus_object_path = (dbus.ObjectPath
2271
("/clients/"
2272
+ client_object_name))
2273
DBusObjectWithProperties.__init__(new_client,
2274
new_client.bus,
2275
new_client
2276
.dbus_object_path)
2277
else:
2278
tcp_server.clients[client_name] = (Client.__new__
2279
(Client))
2280
for name, value in client.iteritems():
2281
setattr(tcp_server.clients[client_name],
2282
name, value)
2283
2008
2284
try:
2009
yield (name, special_settings[name]())
2010
except KeyError:
2011
yield (name, value)
2012
2013
tcp_server.clients.update(set(
2014
client_class(name = section,
2015
config= dict(client_config_items(
2016
client_config, section)))
2017
for section in client_config.sections()))
2285
tcp_server.clients[client_name].secret = (
2286
crypt.decrypt(tcp_server.clients[client_name]
2287
.encrypted_secret,
2288
client_settings[client_name]
2289
["secret"]))
2290
except CryptoError:
2291
# If decryption fails, we use secret from new settings
2292
tcp_server.clients[client_name].secret = (
2293
client_settings[client_name]["secret"])
2294
2295
# Create/remove clients based on new changes made to config
2296
for clientname in set(old_client_settings) - set(client_settings):
2297
del tcp_server.clients[clientname]
2298
for clientname in set(client_settings) - set(old_client_settings):
2299
tcp_server.clients[clientname] = (client_class(name
2300
= clientname,
2301
config =
2302
client_settings
2303
[clientname]))
2304
2018
2305
if not tcp_server.clients:
2019
2306
logger.warning("No clients defined")
2020
2307
2063
2350
def GetAllClients(self):
2064
2351
"D-Bus method"
2065
2352
return dbus.Array(c.dbus_object_path
2066
for c in tcp_server.clients)
2353
for c in
2354
tcp_server.clients.itervalues())
2067
2355
2068
2356
@dbus.service.method(_interface,
2069
2357
out_signature="a{oa{sv}}")
2071
2359
"D-Bus method"
2072
2360
return dbus.Dictionary(
2073
2361
((c.dbus_object_path, c.GetAll(""))
2074
for c in tcp_server.clients),
2362
for c in tcp_server.clients.itervalues()),
2075
2363
signature="oa{sv}")
2076
2364
2077
2365
@dbus.service.method(_interface, in_signature="o")
2078
2366
def RemoveClient(self, object_path):
2079
2367
"D-Bus method"
2080
for c in tcp_server.clients:
2368
for c in tcp_server.clients.itervalues():
2081
2369
if c.dbus_object_path == object_path:
2082
tcp_server.clients.remove(c)
2370
del tcp_server.clients[c.name]
2083
2371
c.remove_from_connection()
2084
2372
# Don't signal anything except ClientRemoved
2085
2373
c.disable(quiet=True)
2098
2386
"Cleanup function; run on exit"
2099
2387
service.cleanup()
2100
2388
2389
multiprocessing.active_children()
2390
if not (tcp_server.clients or client_settings):
2391
return
2392
2393
# Store client before exiting. Secrets are encrypted with key
2394
# based on what config file has. If config file is
2395
# removed/edited, old secret will thus be unrecovable.
2396
clients = []
2397
with Crypto() as crypt:
2398
for client in tcp_server.clients.itervalues():
2399
key = client_settings[client.name]["secret"]
2400
client.encrypted_secret = crypt.encrypt(client.secret,
2401
key)
2402
client_dict = {}
2403
2404
# A list of attributes that will not be stored when
2405
# shutting down.
2406
exclude = set(("bus", "changedstate", "secret"))
2407
for name, typ in (inspect.getmembers
2408
(dbus.service.Object)):
2409
exclude.add(name)
2410
2411
client_dict["encrypted_secret"] = (client
2412
.encrypted_secret)
2413
for attr in client.client_structure:
2414
if attr not in exclude:
2415
client_dict[attr] = getattr(client, attr)
2416
2417
clients.append(client_dict)
2418
del client_settings[client.name]["secret"]
2419
2420
try:
2421
with os.fdopen(os.open(stored_state_path,
2422
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2423
0600), "wb") as stored_state:
2424
pickle.dump((clients, client_settings), stored_state)
2425
except (IOError, OSError) as e:
2426
logger.warning("Could not save persistent state: {0}"
2427
.format(e))
2428
if e.errno not in (errno.ENOENT, errno.EACCES):
2429
raise
2430
2431
# Delete all clients, and settings from config
2101
2432
while tcp_server.clients:
2102
client = tcp_server.clients.pop()
2433
name, client = tcp_server.clients.popitem()
2103
2434
if use_dbus:
2104
2435
client.remove_from_connection()
2105
client.disable_hook = None
2106
2436
# Don't signal anything except ClientRemoved
2107
2437
client.disable(quiet=True)
2108
2438
if use_dbus:
2109
2439
# Emit D-Bus signal
2110
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2440
mandos_dbus_service.ClientRemoved(client
2441
.dbus_object_path,
2111
2442
client.name)
2443
client_settings.clear()
2112
2444
2113
2445
atexit.register(cleanup)
2114
2446
2115
for client in tcp_server.clients:
2447
for client in tcp_server.clients.itervalues():
2116
2448
if use_dbus:
2117
2449
# Emit D-Bus signal
2118
2450
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2119
client.enable()
2451
# Need to initiate checking of clients
2452
if client.enabled:
2453
client.init_checker()
2120
2454
2121
2455
tcp_server.enable()
2122
2456
tcp_server.server_activate()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0