To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 520
- compare with another revision
- download diff
- download tarball
- view history from revision 520
- Committer: Björn Påhlsson
- Date: 2011-11-09 17:16:03 UTC
- mfrom: (518.1.1 mandos-persistent)
- Revision ID: belorn@fukt.bsnet.se-20111109171603-srz21uoclpldp5ve
merge persistent state
- files modified:
- TODO
added
removed
mandos
310
310
interval: datetime.timedelta(); How often to start a new checker
311
311
last_approval_request: datetime.datetime(); (UTC) or None
312
312
last_checked_ok: datetime.datetime(); (UTC) or None
313
last_checker_status: integer between 0 and 255 reflecting exit
314
status of last checker. -1 reflect crashed
315
checker, or None.
313
last_checker_status: integer between 0 and 255 reflecting exit status
314
of last checker. -1 reflect crashed checker,
315
or None.
316
316
last_enabled: datetime.datetime(); (UTC)
317
317
name: string; from the config file, used in log messages and
318
318
D-Bus identifiers
398
398
self.changedstate = (multiprocessing_manager
399
399
.Condition(multiprocessing_manager
400
400
.Lock()))
401
self.client_structure = [attr for attr
402
in self.__dict__.iterkeys()
403
if not attr.startswith("_")]
401
self.client_structure = [attr for attr in self.__dict__.iterkeys() if not attr.startswith("_")]
404
402
self.client_structure.append("client_structure")
405
403
406
404
407
405
for name, t in inspect.getmembers(type(self),
408
lambda obj:
409
isinstance(obj,
410
property)):
406
lambda obj: isinstance(obj, property)):
411
407
if not name.startswith("_"):
412
408
self.client_structure.append(name)
413
409
595
591
raise
596
592
self.checker = None
597
593
598
# Encrypts a client secret and stores it in a varible
599
# encrypted_secret
594
# Encrypts a client secret and stores it in a varible encrypted_secret
600
595
def encrypt_secret(self, key):
601
# Encryption-key need to be of a specific size, so we hash
602
# supplied key
596
# Encryption-key need to be of a specific size, so we hash inputed key
603
597
hasheng = hashlib.sha256()
604
598
hasheng.update(key)
605
599
encryptionkey = hasheng.digest()
606
600
607
# Create validation hash so we know at decryption if it was
608
# sucessful
601
# Create validation hash so we know at decryption if it was sucessful
609
602
hasheng = hashlib.sha256()
610
603
hasheng.update(self.secret)
611
604
validationhash = hasheng.digest()
619
612
620
613
# Decrypt a encrypted client secret
621
614
def decrypt_secret(self, key):
622
# Decryption-key need to be of a specific size, so we hash
623
# supplied key
615
# Decryption-key need to be of a specific size, so we hash inputed key
624
616
hasheng = hashlib.sha256()
625
617
hasheng.update(key)
626
618
encryptionkey = hasheng.digest()
637
629
secret = plain[hasheng.digest_size:]
638
630
hasheng.update(secret)
639
631
640
# If validation fails, we use key as new secret. Otherwise, we
641
# use the decrypted secret
632
# if validation fails, we use key as new secret. Otherwhise, we use
633
# the decrypted secret
642
634
if hasheng.digest() == validationhash:
643
635
self.secret = secret
644
636
else:
952
944
953
945
def __init__(self, bus = None, *args, **kwargs):
954
946
self.bus = bus
947
Client.__init__(self, *args, **kwargs)
948
955
949
self._approvals_pending = 0
956
Client.__init__(self, *args, **kwargs)
957
self.add_to_dbus()
958
959
def add_to_dbus(self):
960
950
# Only now, when this client is initialized, can it show up on
961
951
# the D-Bus
962
952
client_object_name = unicode(self.name).translate(
1932
1922
parser.add_argument("--no-ipv6", action="store_false",
1933
1923
dest="use_ipv6", help="Do not use IPv6")
1934
1924
parser.add_argument("--no-restore", action="store_false",
1935
dest="restore",
1936
help="Do not restore stored state",
1925
dest="restore", help="Do not restore stored state",
1937
1926
default=True)
1938
1927
1939
1928
options = parser.parse_args()
2136
2125
# with exceptions for any special settings as defined above
2137
2126
client_settings = dict((clientname,
2138
2127
dict((setting,
2139
(value if
2140
setting not in special_settings
2141
else special_settings[setting]
2142
(clientname)))
2143
for setting, value
2144
in client_config.items(clientname)))
2128
(value if setting not in special_settings
2129
else special_settings[setting](clientname)))
2130
for setting, value in client_config.items(clientname)))
2145
2131
for clientname in client_config.sections())
2146
2132
2147
2133
old_client_settings = {}
2151
2137
if server_settings["restore"]:
2152
2138
try:
2153
2139
with open(stored_state_path, "rb") as stored_state:
2154
clients_data, old_client_settings = (
2155
pickle.load(stored_state))
2140
clients_data, old_client_settings = pickle.load(stored_state)
2156
2141
os.remove(stored_state_path)
2157
2142
except IOError as e:
2158
logger.warning("Could not load persistant state: {0}"
2159
.format(e))
2143
logger.warning("Could not load persistant state: {0}".format(e))
2160
2144
if e.errno != errno.ENOENT:
2161
2145
raise
2162
2146
2173
2157
# For each value in new config, check if it differs
2174
2158
# from the old config value (Except for the "secret"
2175
2159
# attribute)
2176
if (name != "secret" and
2177
value != old_client_settings[client_name][name]):
2160
if name != "secret" and value != old_client_settings[client_name][name]:
2178
2161
setattr(client, name, value)
2179
2162
except KeyError:
2180
2163
pass
2181
2164
2182
# Clients who has passed its expire date, can still be enabled
2183
# if its last checker was sucessful. Clients who checkers
2184
# failed before we stored it state is asumed to had failed
2185
# checker during downtime.
2165
# Clients who has passed its expire date, can still be enabled if its
2166
# last checker was sucessful. Clients who checkers failed before we
2167
# stored it state is asumed to had failed checker during downtime.
2186
2168
if client["enabled"] and client["last_checked_ok"]:
2187
if ((datetime.datetime.utcnow()
2188
- client["last_checked_ok"]) > client["interval"]):
2169
if ((datetime.datetime.utcnow() - client["last_checked_ok"])
2170
> client["interval"]):
2189
2171
if client["last_checker_status"] != 0:
2190
2172
client["enabled"] = False
2191
2173
else:
2192
client["expires"] = (datetime.datetime.utcnow()
2193
+ client["timeout"])
2174
client["expires"] = datetime.datetime.utcnow() + client["timeout"]
2194
2175
2195
2176
client["changedstate"] = (multiprocessing_manager
2196
2177
.Condition(multiprocessing_manager
2197
2178
.Lock()))
2198
2179
if use_dbus:
2199
new_client = ClientDBusTransitional.__new__(
2200
ClientDBusTransitional)
2180
new_client = ClientDBusTransitional.__new__(ClientDBusTransitional)
2201
2181
tcp_server.clients[client_name] = new_client
2202
2182
new_client.bus = bus
2203
2183
for name, value in client.iteritems():
2204
2184
setattr(new_client, name, value)
2205
new_client._approvals_pending = 0
2206
new_client.add_to_dbus()
2185
client_object_name = unicode(client_name).translate(
2186
{ord("."): ord("_"),
2187
ord("-"): ord("_")})
2188
new_client.dbus_object_path = (dbus.ObjectPath
2189
("/clients/" + client_object_name))
2190
DBusObjectWithProperties.__init__(new_client,
2191
new_client.bus,
2192
new_client.dbus_object_path)
2207
2193
else:
2208
2194
tcp_server.clients[client_name] = Client.__new__(Client)
2209
2195
for name, value in client.iteritems():
2216
2202
for clientname in set(old_client_settings) - set(client_settings):
2217
2203
del tcp_server.clients[clientname]
2218
2204
for clientname in set(client_settings) - set(old_client_settings):
2219
tcp_server.clients[clientname] = client_class(name
2220
= clientname,
2221
config =
2222
client_settings
2223
[clientname])
2205
tcp_server.clients[clientname] = (client_class(name = clientname,
2206
config =
2207
client_settings
2208
[clientname]))
2224
2209
2210
2225
2211
if not tcp_server.clients:
2226
2212
logger.warning("No clients defined")
2227
2213
2310
2296
if not (tcp_server.clients or client_settings):
2311
2297
return
2312
2298
2313
# Store client before exiting. Secrets are encrypted with key
2314
# based on what config file has. If config file is
2315
# removed/edited, old secret will thus be unrecovable.
2299
# Store client before exiting. Secrets are encrypted with key based
2300
# on what config file has. If config file is removed/edited, old
2301
# secret will thus be unrecovable.
2316
2302
clients = []
2317
2303
for client in tcp_server.clients.itervalues():
2318
client.encrypt_secret(
2319
client_settings[client.name]["secret"])
2304
client.encrypt_secret(client_settings[client.name]["secret"])
2320
2305
2321
2306
client_dict = {}
2322
2307
2323
# A list of attributes that will not be stored when
2324
# shutting down.
2325
exclude = set(("bus", "changedstate", "secret"))
2308
# A list of attributes that will not be stored when shuting down.
2309
exclude = set(("bus", "changedstate", "secret"))
2326
2310
for name, typ in inspect.getmembers(dbus.service.Object):
2327
2311
exclude.add(name)
2328
2312
2335
2319
del client_settings[client.name]["secret"]
2336
2320
2337
2321
try:
2338
with os.fdopen(os.open(stored_state_path,
2339
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2340
stat.S_IRUSR | stat.S_IWUSR),
2341
"wb") as stored_state:
2322
with os.fdopen(os.open(stored_state_path, os.O_CREAT|os.O_WRONLY|os.O_TRUNC, 0600), "wb") as stored_state:
2342
2323
pickle.dump((clients, client_settings), stored_state)
2343
2324
except IOError as e:
2344
logger.warning("Could not save persistant state: {0}"
2345
.format(e))
2325
logger.warning("Could not save persistant state: {0}".format(e))
2346
2326
if e.errno != errno.ENOENT:
2347
2327
raise
2348
2328
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0