358
372
self.host = config.get("host", "")
359
373
self.created = datetime.datetime.utcnow()
361
375
self.last_approval_request = None
362
self.last_enabled = None
376
self.last_enabled = datetime.datetime.utcnow()
363
377
self.last_checked_ok = None
378
self.last_checker_status = None
364
379
self.timeout = string_to_delta(config["timeout"])
365
380
self.extended_timeout = string_to_delta(config
366
381
["extended_timeout"])
367
382
self.interval = string_to_delta(config["interval"])
368
self.disable_hook = disable_hook
369
383
self.checker = None
370
384
self.checker_initiator_tag = None
371
385
self.disable_initiator_tag = None
386
self.expires = datetime.datetime.utcnow() + self.timeout
373
387
self.checker_callback_tag = None
374
388
self.checker_command = config["checker"]
375
389
self.current_checker_command = None
376
self.last_connect = None
377
390
self._approved = None
378
391
self.approved_by_default = config.get("approved_by_default",
385
398
self.changedstate = (multiprocessing_manager
386
399
.Condition(multiprocessing_manager
401
self.client_structure = [attr for attr in self.__dict__.iterkeys() if not attr.startswith("_")]
402
self.client_structure.append("client_structure")
405
for name, t in inspect.getmembers(type(self),
406
lambda obj: isinstance(obj, property)):
407
if not name.startswith("_"):
408
self.client_structure.append(name)
410
# Send notice to process children that client state has changed
389
411
def send_changedstate(self):
390
self.changedstate.acquire()
391
self.changedstate.notify_all()
392
self.changedstate.release()
412
with self.changedstate:
413
self.changedstate.notify_all()
394
415
def enable(self):
395
416
"""Start this client's checker and timeout hooks"""
428
439
gobject.source_remove(self.checker_initiator_tag)
429
440
self.checker_initiator_tag = None
430
441
self.stop_checker()
431
if self.disable_hook:
432
self.disable_hook(self)
433
442
self.enabled = False
434
443
# Do not run this again if called by a gobject.timeout_add
437
446
def __del__(self):
438
self.disable_hook = None
449
def init_checker(self):
450
# Schedule a new checker to be started an 'interval' from now,
451
# and every interval from then on.
452
self.checker_initiator_tag = (gobject.timeout_add
453
(self.interval_milliseconds(),
455
# Schedule a disable() when 'timeout' has passed
456
self.disable_initiator_tag = (gobject.timeout_add
457
(self.timeout_milliseconds(),
459
# Also start a new checker *right now*.
441
463
def checker_callback(self, pid, condition, command):
442
464
"""The checker has completed, so take appropriate actions."""
443
465
self.checker_callback_tag = None
444
466
self.checker = None
445
467
if os.WIFEXITED(condition):
446
exitstatus = os.WEXITSTATUS(condition)
468
self.last_checker_status = os.WEXITSTATUS(condition)
469
if self.last_checker_status == 0:
448
470
logger.info("Checker for %(name)s succeeded",
450
472
self.checked_ok()
569
592
self.checker = None
594
# Encrypts a client secret and stores it in a varible encrypted_secret
595
def encrypt_secret(self, key):
596
# Encryption-key need to be of a specific size, so we hash inputed key
597
hasheng = hashlib.sha256()
599
encryptionkey = hasheng.digest()
601
# Create validation hash so we know at decryption if it was sucessful
602
hasheng = hashlib.sha256()
603
hasheng.update(self.secret)
604
validationhash = hasheng.digest()
607
iv = os.urandom(Crypto.Cipher.AES.block_size)
608
ciphereng = Crypto.Cipher.AES.new(encryptionkey,
609
Crypto.Cipher.AES.MODE_CFB, iv)
610
ciphertext = ciphereng.encrypt(validationhash+self.secret)
611
self.encrypted_secret = (ciphertext, iv)
613
# Decrypt a encrypted client secret
614
def decrypt_secret(self, key):
615
# Decryption-key need to be of a specific size, so we hash inputed key
616
hasheng = hashlib.sha256()
618
encryptionkey = hasheng.digest()
620
# Decrypt encrypted secret
621
ciphertext, iv = self.encrypted_secret
622
ciphereng = Crypto.Cipher.AES.new(encryptionkey,
623
Crypto.Cipher.AES.MODE_CFB, iv)
624
plain = ciphereng.decrypt(ciphertext)
626
# Validate decrypted secret to know if it was succesful
627
hasheng = hashlib.sha256()
628
validationhash = plain[:hasheng.digest_size]
629
secret = plain[hasheng.digest_size:]
630
hasheng.update(secret)
632
# if validation fails, we use key as new secret. Otherwhise, we use
633
# the decrypted secret
634
if hasheng.digest() == validationhash:
638
del self.encrypted_secret
572
641
def dbus_service_property(dbus_interface, signature="v",
573
642
access="readwrite", byte_arrays=False):
2024
2097
server_settings["use_dbus"] = False
2025
2098
tcp_server.use_dbus = False
2026
2099
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2027
service = AvahiService(name = server_settings["servicename"],
2028
servicetype = "_mandos._tcp",
2029
protocol = protocol, bus = bus)
2100
service = AvahiServiceToSyslog(name =
2101
server_settings["servicename"],
2102
servicetype = "_mandos._tcp",
2103
protocol = protocol, bus = bus)
2030
2104
if server_settings["interface"]:
2031
2105
service.interface = (if_nametoindex
2032
2106
(str(server_settings["interface"])))
2039
2113
client_class = functools.partial(ClientDBusTransitional,
2041
def client_config_items(config, section):
2042
special_settings = {
2043
"approved_by_default":
2044
lambda: config.getboolean(section,
2045
"approved_by_default"),
2047
for name, value in config.items(section):
2116
special_settings = {
2117
# Some settings need to be accessd by special methods;
2118
# booleans need .getboolean(), etc. Here is a list of them:
2119
"approved_by_default":
2121
client_config.getboolean(section, "approved_by_default"),
2123
# Construct a new dict of client settings of this form:
2124
# { client_name: {setting_name: value, ...}, ...}
2125
# with exceptions for any special settings as defined above
2126
client_settings = dict((clientname,
2128
(value if setting not in special_settings
2129
else special_settings[setting](clientname)))
2130
for setting, value in client_config.items(clientname)))
2131
for clientname in client_config.sections())
2133
old_client_settings = {}
2136
# Get client data and settings from last running state.
2137
if server_settings["restore"]:
2139
with open(stored_state_path, "rb") as stored_state:
2140
clients_data, old_client_settings = pickle.load(stored_state)
2141
os.remove(stored_state_path)
2142
except IOError as e:
2143
logger.warning("Could not load persistant state: {0}".format(e))
2144
if e.errno != errno.ENOENT:
2147
for client in clients_data:
2148
client_name = client["name"]
2150
# Decide which value to use after restoring saved state.
2151
# We have three different values: Old config file,
2152
# new config file, and saved state.
2153
# New config value takes precedence if it differs from old
2154
# config value, otherwise use saved state.
2155
for name, value in client_settings[client_name].items():
2049
yield (name, special_settings[name]())
2157
# For each value in new config, check if it differs
2158
# from the old config value (Except for the "secret"
2160
if name != "secret" and value != old_client_settings[client_name][name]:
2161
setattr(client, name, value)
2050
2162
except KeyError:
2165
# Clients who has passed its expire date, can still be enabled if its
2166
# last checker was sucessful. Clients who checkers failed before we
2167
# stored it state is asumed to had failed checker during downtime.
2168
if client["enabled"] and client["last_checked_ok"]:
2169
if ((datetime.datetime.utcnow() - client["last_checked_ok"])
2170
> client["interval"]):
2171
if client["last_checker_status"] != 0:
2172
client["enabled"] = False
2174
client["expires"] = datetime.datetime.utcnow() + client["timeout"]
2176
client["changedstate"] = (multiprocessing_manager
2177
.Condition(multiprocessing_manager
2180
new_client = ClientDBusTransitional.__new__(ClientDBusTransitional)
2181
tcp_server.clients[client_name] = new_client
2182
new_client.bus = bus
2183
for name, value in client.iteritems():
2184
setattr(new_client, name, value)
2185
client_object_name = unicode(client_name).translate(
2186
{ord("."): ord("_"),
2187
ord("-"): ord("_")})
2188
new_client.dbus_object_path = (dbus.ObjectPath
2189
("/clients/" + client_object_name))
2190
DBusObjectWithProperties.__init__(new_client,
2192
new_client.dbus_object_path)
2194
tcp_server.clients[client_name] = Client.__new__(Client)
2195
for name, value in client.iteritems():
2196
setattr(tcp_server.clients[client_name], name, value)
2198
tcp_server.clients[client_name].decrypt_secret(
2199
client_settings[client_name]["secret"])
2201
# Create/remove clients based on new changes made to config
2202
for clientname in set(old_client_settings) - set(client_settings):
2203
del tcp_server.clients[clientname]
2204
for clientname in set(client_settings) - set(old_client_settings):
2205
tcp_server.clients[clientname] = (client_class(name = clientname,
2053
tcp_server.clients.update(set(
2054
client_class(name = section,
2055
config= dict(client_config_items(
2056
client_config, section)))
2057
for section in client_config.sections()))
2058
2211
if not tcp_server.clients:
2059
2212
logger.warning("No clients defined")
2139
2293
service.cleanup()
2141
2295
multiprocessing.active_children()
2296
if not (tcp_server.clients or client_settings):
2299
# Store client before exiting. Secrets are encrypted with key based
2300
# on what config file has. If config file is removed/edited, old
2301
# secret will thus be unrecovable.
2303
for client in tcp_server.clients.itervalues():
2304
client.encrypt_secret(client_settings[client.name]["secret"])
2308
# A list of attributes that will not be stored when shuting down.
2309
exclude = set(("bus", "changedstate", "secret"))
2310
for name, typ in inspect.getmembers(dbus.service.Object):
2313
client_dict["encrypted_secret"] = client.encrypted_secret
2314
for attr in client.client_structure:
2315
if attr not in exclude:
2316
client_dict[attr] = getattr(client, attr)
2318
clients.append(client_dict)
2319
del client_settings[client.name]["secret"]
2322
with os.fdopen(os.open(stored_state_path, os.O_CREAT|os.O_WRONLY|os.O_TRUNC, 0600), "wb") as stored_state:
2323
pickle.dump((clients, client_settings), stored_state)
2324
except IOError as e:
2325
logger.warning("Could not save persistant state: {0}".format(e))
2326
if e.errno != errno.ENOENT:
2329
# Delete all clients, and settings from config
2142
2330
while tcp_server.clients:
2143
client = tcp_server.clients.pop()
2331
name, client = tcp_server.clients.popitem()
2145
2333
client.remove_from_connection()
2146
client.disable_hook = None
2147
2334
# Don't signal anything except ClientRemoved
2148
2335
client.disable(quiet=True)