85
82
except ImportError:
86
83
SO_BINDTODEVICE = None
89
stored_state_file = "clients.pickle"
91
88
logger = logging.getLogger()
92
89
syslogger = (logging.handlers.SysLogHandler
93
90
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
94
91
address = str("/dev/log")))
97
if_nametoindex = (ctypes.cdll.LoadLibrary
98
(ctypes.util.find_library("c"))
100
except (OSError, AttributeError):
101
def if_nametoindex(interface):
102
"Get an interface index the hard way, i.e. using fcntl()"
103
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
104
with contextlib.closing(socket.socket()) as s:
105
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
106
struct.pack(str("16s16x"),
108
interface_index = struct.unpack(str("I"),
110
return interface_index
113
def initlogger(level=logging.WARNING):
114
"""init logger and add loglevel"""
116
syslogger.setFormatter(logging.Formatter
117
('Mandos [%(process)d]: %(levelname)s:'
119
logger.addHandler(syslogger)
121
console = logging.StreamHandler()
122
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
126
logger.addHandler(console)
127
logger.setLevel(level)
130
class PGPError(Exception):
131
"""Exception if encryption/decryption fails"""
135
class PGPEngine(object):
136
"""A simple class for OpenPGP symmetric encryption & decryption"""
138
self.gnupg = GnuPGInterface.GnuPG()
139
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
140
self.gnupg = GnuPGInterface.GnuPG()
141
self.gnupg.options.meta_interactive = False
142
self.gnupg.options.homedir = self.tempdir
143
self.gnupg.options.extra_args.extend(['--force-mdc',
149
def __exit__ (self, exc_type, exc_value, traceback):
157
if self.tempdir is not None:
158
# Delete contents of tempdir
159
for root, dirs, files in os.walk(self.tempdir,
161
for filename in files:
162
os.remove(os.path.join(root, filename))
164
os.rmdir(os.path.join(root, dirname))
166
os.rmdir(self.tempdir)
169
def password_encode(self, password):
170
# Passphrase can not be empty and can not contain newlines or
171
# NUL bytes. So we prefix it and hex encode it.
172
return b"mandos" + binascii.hexlify(password)
174
def encrypt(self, data, password):
175
self.gnupg.passphrase = self.password_encode(password)
176
with open(os.devnull) as devnull:
178
proc = self.gnupg.run(['--symmetric'],
179
create_fhs=['stdin', 'stdout'],
180
attach_fhs={'stderr': devnull})
181
with contextlib.closing(proc.handles['stdin']) as f:
183
with contextlib.closing(proc.handles['stdout']) as f:
184
ciphertext = f.read()
188
self.gnupg.passphrase = None
191
def decrypt(self, data, password):
192
self.gnupg.passphrase = self.password_encode(password)
193
with open(os.devnull) as devnull:
195
proc = self.gnupg.run(['--decrypt'],
196
create_fhs=['stdin', 'stdout'],
197
attach_fhs={'stderr': devnull})
198
with contextlib.closing(proc.handles['stdin'] ) as f:
200
with contextlib.closing(proc.handles['stdout']) as f:
201
decrypted_plaintext = f.read()
205
self.gnupg.passphrase = None
206
return decrypted_plaintext
92
syslogger.setFormatter(logging.Formatter
93
('Mandos [%(process)d]: %(levelname)s:'
95
logger.addHandler(syslogger)
97
console = logging.StreamHandler()
98
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
102
logger.addHandler(console)
210
105
class AvahiError(Exception):
431
321
"created", "enabled", "fingerprint",
432
322
"host", "interval", "last_checked_ok",
433
323
"last_enabled", "name", "timeout")
434
client_defaults = { "timeout": "5m",
435
"extended_timeout": "15m",
437
"checker": "fping -q -- %%(host)s",
439
"approval_delay": "0s",
440
"approval_duration": "1s",
441
"approved_by_default": "True",
445
325
def timeout_milliseconds(self):
446
326
"Return the 'timeout' attribute in milliseconds"
447
return timedelta_to_milliseconds(self.timeout)
327
return _timedelta_to_milliseconds(self.timeout)
449
329
def extended_timeout_milliseconds(self):
450
330
"Return the 'extended_timeout' attribute in milliseconds"
451
return timedelta_to_milliseconds(self.extended_timeout)
331
return _timedelta_to_milliseconds(self.extended_timeout)
453
333
def interval_milliseconds(self):
454
334
"Return the 'interval' attribute in milliseconds"
455
return timedelta_to_milliseconds(self.interval)
335
return _timedelta_to_milliseconds(self.interval)
457
337
def approval_delay_milliseconds(self):
458
return timedelta_to_milliseconds(self.approval_delay)
461
def config_parser(config):
462
""" Construct a new dict of client settings of this form:
463
{ client_name: {setting_name: value, ...}, ...}
464
with exceptions for any special settings as defined above"""
466
for client_name in config.sections():
467
section = dict(config.items(client_name))
468
client = settings[client_name] = {}
470
# Default copying each value from config to new dict
471
for setting, value in section.iteritems():
472
client[setting] = value
474
# Reformat values from string types to Python types
475
client["approved_by_default"] = config.getboolean(
476
client_name, "approved_by_default")
477
client["enabled"] = config.getboolean(client_name, "enabled")
479
client["fingerprint"] = (section["fingerprint"].upper()
481
if "secret" in section:
482
client["secret"] = section["secret"].decode("base64")
483
elif "secfile" in section:
484
with open(os.path.expanduser(os.path.expandvars
485
(section["secfile"])),
487
client["secret"] = secfile.read()
489
raise TypeError("No secret or secfile for section %s"
491
client["timeout"] = string_to_delta(section["timeout"])
492
client["extended_timeout"] = string_to_delta(
493
section["extended_timeout"])
494
client["interval"] = string_to_delta(section["interval"])
495
client["approval_delay"] = string_to_delta(
496
section["approval_delay"])
497
client["approval_duration"] = string_to_delta(
498
section["approval_duration"])
503
def __init__(self, config, name = None):
338
return _timedelta_to_milliseconds(self.approval_delay)
340
def __init__(self, name = None, disable_hook=None, config=None):
504
341
"""Note: the 'checker' key in 'config' sets the
505
342
'checker_command' attribute and *not* the 'checker'
508
347
logger.debug("Creating client %r", self.name)
509
348
# Uppercase and remove spaces from fingerprint for later
510
349
# comparison purposes with return value from the fingerprint()
512
self.fingerprint = config["fingerprint"]
351
self.fingerprint = (config["fingerprint"].upper()
513
353
logger.debug(" Fingerprint: %s", self.fingerprint)
514
self.secret = config["secret"]
515
self.host = config["host"]
354
if "secret" in config:
355
self.secret = config["secret"].decode("base64")
356
elif "secfile" in config:
357
with open(os.path.expanduser(os.path.expandvars
358
(config["secfile"])),
360
self.secret = secfile.read()
362
raise TypeError("No secret or secfile for client %s"
364
self.host = config.get("host", "")
516
365
self.created = datetime.datetime.utcnow()
517
self.enabled = config["enabled"]
518
367
self.last_approval_request = None
520
self.last_enabled = datetime.datetime.utcnow()
522
self.last_enabled = None
368
self.last_enabled = None
523
369
self.last_checked_ok = None
524
self.last_checker_status = None
525
self.timeout = config["timeout"]
526
self.extended_timeout = config["extended_timeout"]
527
self.interval = config["interval"]
370
self.timeout = string_to_delta(config["timeout"])
371
self.extended_timeout = string_to_delta(config
372
["extended_timeout"])
373
self.interval = string_to_delta(config["interval"])
374
self.disable_hook = disable_hook
528
375
self.checker = None
529
376
self.checker_initiator_tag = None
530
377
self.disable_initiator_tag = None
532
self.expires = datetime.datetime.utcnow() + self.timeout
535
379
self.checker_callback_tag = None
536
380
self.checker_command = config["checker"]
537
381
self.current_checker_command = None
539
self.approved_by_default = config["approved_by_default"]
382
self.last_connect = None
383
self._approved = None
384
self.approved_by_default = config.get("approved_by_default",
540
386
self.approvals_pending = 0
541
self.approval_delay = config["approval_delay"]
542
self.approval_duration = config["approval_duration"]
387
self.approval_delay = string_to_delta(
388
config["approval_delay"])
389
self.approval_duration = string_to_delta(
390
config["approval_duration"])
543
391
self.changedstate = (multiprocessing_manager
544
392
.Condition(multiprocessing_manager
546
self.client_structure = [attr for attr in
547
self.__dict__.iterkeys()
548
if not attr.startswith("_")]
549
self.client_structure.append("client_structure")
551
for name, t in inspect.getmembers(type(self),
555
if not name.startswith("_"):
556
self.client_structure.append(name)
558
# Send notice to process children that client state has changed
559
395
def send_changedstate(self):
560
with self.changedstate:
561
self.changedstate.notify_all()
396
self.changedstate.acquire()
397
self.changedstate.notify_all()
398
self.changedstate.release()
563
400
def enable(self):
564
401
"""Start this client's checker and timeout hooks"""
587
434
gobject.source_remove(self.checker_initiator_tag)
588
435
self.checker_initiator_tag = None
589
436
self.stop_checker()
437
if self.disable_hook:
438
self.disable_hook(self)
590
439
self.enabled = False
591
440
# Do not run this again if called by a gobject.timeout_add
594
443
def __del__(self):
444
self.disable_hook = None
597
def init_checker(self):
598
# Schedule a new checker to be started an 'interval' from now,
599
# and every interval from then on.
600
self.checker_initiator_tag = (gobject.timeout_add
601
(self.interval_milliseconds(),
603
# Schedule a disable() when 'timeout' has passed
604
self.disable_initiator_tag = (gobject.timeout_add
605
(self.timeout_milliseconds(),
607
# Also start a new checker *right now*.
610
447
def checker_callback(self, pid, condition, command):
611
448
"""The checker has completed, so take appropriate actions."""
612
449
self.checker_callback_tag = None
613
450
self.checker = None
614
451
if os.WIFEXITED(condition):
615
self.last_checker_status = os.WEXITSTATUS(condition)
616
if self.last_checker_status == 0:
452
exitstatus = os.WEXITSTATUS(condition)
617
454
logger.info("Checker for %(name)s succeeded",
619
456
self.checked_ok()
1105
938
datetime_to_dbus, "LastApprovalRequest")
1106
939
approved_by_default = notifychangeproperty(dbus.Boolean,
1107
940
"ApprovedByDefault")
1108
approval_delay = notifychangeproperty(dbus.UInt64,
941
approval_delay = notifychangeproperty(dbus.UInt16,
1109
942
"ApprovalDelay",
1111
timedelta_to_milliseconds)
944
_timedelta_to_milliseconds)
1112
945
approval_duration = notifychangeproperty(
1113
dbus.UInt64, "ApprovalDuration",
1114
type_func = timedelta_to_milliseconds)
946
dbus.UInt16, "ApprovalDuration",
947
type_func = _timedelta_to_milliseconds)
1115
948
host = notifychangeproperty(dbus.String, "Host")
1116
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
949
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
1118
timedelta_to_milliseconds)
951
_timedelta_to_milliseconds)
1119
952
extended_timeout = notifychangeproperty(
1120
dbus.UInt64, "ExtendedTimeout",
1121
type_func = timedelta_to_milliseconds)
1122
interval = notifychangeproperty(dbus.UInt64,
953
dbus.UInt16, "ExtendedTimeout",
954
type_func = _timedelta_to_milliseconds)
955
interval = notifychangeproperty(dbus.UInt16,
1125
timedelta_to_milliseconds)
958
_timedelta_to_milliseconds)
1126
959
checker_command = notifychangeproperty(dbus.String, "Checker")
1128
961
del notifychangeproperty
2208
2045
client_class = functools.partial(ClientDBusTransitional,
2211
client_settings = Client.config_parser(client_config)
2212
old_client_settings = {}
2215
# Get client data and settings from last running state.
2216
if server_settings["restore"]:
2218
with open(stored_state_path, "rb") as stored_state:
2219
clients_data, old_client_settings = (pickle.load
2221
os.remove(stored_state_path)
2222
except IOError as e:
2223
logger.warning("Could not load persistent state: {0}"
2225
if e.errno != errno.ENOENT:
2228
with PGPEngine() as pgp:
2229
for client in clients_data:
2230
client_name = client["name"]
2232
# Decide which value to use after restoring saved state.
2233
# We have three different values: Old config file,
2234
# new config file, and saved state.
2235
# New config value takes precedence if it differs from old
2236
# config value, otherwise use saved state.
2237
for name, value in client_settings[client_name].items():
2239
# For each value in new config, check if it
2240
# differs from the old config value (Except for
2241
# the "secret" attribute)
2242
if (name != "secret" and
2243
value != old_client_settings[client_name]
2245
client[name] = value
2249
# Clients who has passed its expire date can still be
2250
# enabled if its last checker was successful. Clients
2251
# whose checker failed before we stored its state is
2252
# assumed to have failed all checkers during downtime.
2253
if client["enabled"]:
2254
if datetime.datetime.utcnow() >= client["expires"]:
2255
if not client["last_checked_ok"]:
2257
"disabling client {0} - Client never "
2258
"performed a successfull checker"
2259
.format(client["name"]))
2260
client["enabled"] = False
2261
elif client["last_checker_status"] != 0:
2263
"disabling client {0} - Client "
2264
"last checker failed with error code {1}"
2265
.format(client["name"],
2266
client["last_checker_status"]))
2267
client["enabled"] = False
2269
client["expires"] = (datetime.datetime
2271
+ client["timeout"])
2273
client["changedstate"] = (multiprocessing_manager
2275
(multiprocessing_manager
2277
client["checker"] = None
2279
new_client = (ClientDBusTransitional.__new__
2280
(ClientDBusTransitional))
2281
tcp_server.clients[client_name] = new_client
2282
new_client.bus = bus
2283
for name, value in client.iteritems():
2284
setattr(new_client, name, value)
2285
client_object_name = unicode(client_name).translate(
2286
{ord("."): ord("_"),
2287
ord("-"): ord("_")})
2288
new_client.dbus_object_path = (dbus.ObjectPath
2290
+ client_object_name))
2291
DBusObjectWithProperties.__init__(new_client,
2296
tcp_server.clients[client_name] = (Client.__new__
2298
for name, value in client.iteritems():
2299
setattr(tcp_server.clients[client_name],
2047
def client_config_items(config, section):
2048
special_settings = {
2049
"approved_by_default":
2050
lambda: config.getboolean(section,
2051
"approved_by_default"),
2053
for name, value in config.items(section):
2303
tcp_server.clients[client_name].secret = (
2304
pgp.decrypt(tcp_server.clients[client_name]
2306
client_settings[client_name]
2309
# If decryption fails, we use secret from new settings
2310
logger.debug("Failed to decrypt {0} old secret"
2311
.format(client_name))
2312
tcp_server.clients[client_name].secret = (
2313
client_settings[client_name]["secret"])
2315
# Create/remove clients based on new changes made to config
2316
for clientname in set(old_client_settings) - set(client_settings):
2317
del tcp_server.clients[clientname]
2318
for clientname in set(client_settings) - set(old_client_settings):
2319
tcp_server.clients[clientname] = (client_class(name = clientname,
2055
yield (name, special_settings[name]())
2059
tcp_server.clients.update(set(
2060
client_class(name = section,
2061
config= dict(client_config_items(
2062
client_config, section)))
2063
for section in client_config.sections()))
2324
2064
if not tcp_server.clients:
2325
2065
logger.warning("No clients defined")
2405
2145
service.cleanup()
2407
2147
multiprocessing.active_children()
2408
if not (tcp_server.clients or client_settings):
2411
# Store client before exiting. Secrets are encrypted with key
2412
# based on what config file has. If config file is
2413
# removed/edited, old secret will thus be unrecovable.
2415
with PGPEngine() as pgp:
2416
for client in tcp_server.clients.itervalues():
2417
key = client_settings[client.name]["secret"]
2418
client.encrypted_secret = pgp.encrypt(client.secret,
2422
# A list of attributes that will not be stored when
2424
exclude = set(("bus", "changedstate", "secret",
2426
for name, typ in (inspect.getmembers
2427
(dbus.service.Object)):
2430
client_dict["encrypted_secret"] = (client
2432
for attr in client.client_structure:
2433
if attr not in exclude:
2434
client_dict[attr] = getattr(client, attr)
2436
clients.append(client_dict)
2437
del client_settings[client.name]["secret"]
2440
with os.fdopen(os.open(stored_state_path,
2441
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2442
0600), "wb") as stored_state:
2443
pickle.dump((clients, client_settings), stored_state)
2444
except (IOError, OSError) as e:
2445
logger.warning("Could not save persistent state: {0}"
2447
if e.errno not in (errno.ENOENT, errno.EACCES):
2450
# Delete all clients, and settings from config
2451
2148
while tcp_server.clients:
2452
name, client = tcp_server.clients.popitem()
2149
client = tcp_server.clients.pop()
2454
2151
client.remove_from_connection()
2152
client.disable_hook = None
2455
2153
# Don't signal anything except ClientRemoved
2456
2154
client.disable(quiet=True)