/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-monitor

  • Committer: Teddy Hogeborn
  • Date: 2016-03-04 22:07:35 UTC
  • Revision ID: teddy@recompile.se-20160304220735-4xeeqt5p4nhw5cuh
Restrict the Mandos server daemon in the systemd service file.

* mandos.service ([Service]/ProtectSystem): Set to "full".
 ([Service]/PrivateTmp, [Service]/PrivateDevices,
  [Service]/ProtectHome): Set to "yes".
 ([Service]/CapabilityBoundingSet): Set to "CAP_SETUID
                                    CAP_DAC_OVERRIDE CAP_NET_RAW".

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
4
4
# Mandos Monitor - Control and monitor the Mandos server
5
5
6
 
# Copyright © 2009-2013 Teddy Hogeborn
7
 
# Copyright © 2009-2013 Björn Påhlsson
 
6
# Copyright © 2009-2016 Teddy Hogeborn
 
7
# Copyright © 2009-2016 Björn Påhlsson
8
8
9
9
# This program is free software: you can redistribute it and/or modify
10
10
# it under the terms of the GNU General Public License as published by
32
32
 
33
33
import sys
34
34
import os
35
 
import signal
36
35
 
37
36
import datetime
38
37
 
49
48
 
50
49
import locale
51
50
 
52
 
if sys.version_info[0] == 2:
 
51
if sys.version_info.major == 2:
53
52
    str = unicode
54
53
 
55
54
locale.setlocale(locale.LC_ALL, '')
61
60
domain = 'se.recompile'
62
61
server_interface = domain + '.Mandos'
63
62
client_interface = domain + '.Mandos.Client'
64
 
version = "1.6.1"
 
63
version = "1.7.3"
 
64
 
 
65
try:
 
66
    dbus.OBJECT_MANAGER_IFACE
 
67
except AttributeError:
 
68
    dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
65
69
 
66
70
def isoformat_to_datetime(iso):
67
71
    "Parse an ISO 8601 date string to a datetime.datetime()"
88
92
        self.proxy = proxy_object # Mandos Client proxy object
89
93
        self.properties = dict() if properties is None else properties
90
94
        self.property_changed_match = (
91
 
            self.proxy.connect_to_signal("PropertyChanged",
92
 
                                         self._property_changed,
93
 
                                         client_interface,
 
95
            self.proxy.connect_to_signal("PropertiesChanged",
 
96
                                         self.properties_changed,
 
97
                                         dbus.PROPERTIES_IFACE,
94
98
                                         byte_arrays=True))
95
99
        
96
100
        if properties is None:
101
105
        
102
106
        super(MandosClientPropertyCache, self).__init__(**kwargs)
103
107
    
104
 
    def _property_changed(self, property, value):
105
 
        """Helper which takes positional arguments"""
106
 
        return self.property_changed(property=property, value=value)
107
 
    
108
 
    def property_changed(self, property=None, value=None):
109
 
        """This is called whenever we get a PropertyChanged signal
110
 
        It updates the changed property in the "properties" dict.
 
108
    def properties_changed(self, interface, properties, invalidated):
 
109
        """This is called whenever we get a PropertiesChanged signal
 
110
        It updates the changed properties in the "properties" dict.
111
111
        """
112
112
        # Update properties dict with new value
113
 
        self.properties[property] = value
 
113
        if interface == client_interface:
 
114
            self.properties.update(properties)
114
115
    
115
116
    def delete(self):
116
117
        self.property_changed_match.remove()
162
163
                                         self.rejected,
163
164
                                         client_interface,
164
165
                                         byte_arrays=True))
165
 
        #self.logger('Created client {0}'
166
 
        #            .format(self.properties["Name"]))
 
166
        self.logger('Created client {}'
 
167
                    .format(self.properties["Name"]), level=0)
167
168
    
168
169
    def using_timer(self, flag):
169
170
        """Call this method with True or False when timer should be
180
181
    
181
182
    def checker_completed(self, exitstatus, condition, command):
182
183
        if exitstatus == 0:
 
184
            self.logger('Checker for client {} (command "{}")'
 
185
                        ' succeeded'.format(self.properties["Name"],
 
186
                                            command), level=0)
183
187
            self.update()
184
188
            return
185
189
        # Checker failed
186
190
        if os.WIFEXITED(condition):
187
 
            self.logger('Checker for client {0} (command "{1}")'
188
 
                        ' failed with exit code {2}'
 
191
            self.logger('Checker for client {} (command "{}") failed'
 
192
                        ' with exit code {}'
189
193
                        .format(self.properties["Name"], command,
190
194
                                os.WEXITSTATUS(condition)))
191
195
        elif os.WIFSIGNALED(condition):
192
 
            self.logger('Checker for client {0} (command "{1}") was'
193
 
                        ' killed by signal {2}'
 
196
            self.logger('Checker for client {} (command "{}") was'
 
197
                        ' killed by signal {}'
194
198
                        .format(self.properties["Name"], command,
195
199
                                os.WTERMSIG(condition)))
196
 
        elif os.WCOREDUMP(condition):
197
 
            self.logger('Checker for client {0} (command "{1}")'
198
 
                        ' dumped core'
199
 
                        .format(self.properties["Name"], command))
200
 
        else:
201
 
            self.logger('Checker for client {0} completed'
202
 
                        ' mysteriously'
203
 
                        .format(self.properties["Name"]))
204
200
        self.update()
205
201
    
206
202
    def checker_started(self, command):
207
 
        """Server signals that a checker started. This could be useful
208
 
           to log in the future. """
209
 
        #self.logger('Client {0} started checker "{1}"'
210
 
        #            .format(self.properties["Name"],
211
 
        #                    str(command)))
212
 
        pass
 
203
        """Server signals that a checker started."""
 
204
        self.logger('Client {} started checker "{}"'
 
205
                    .format(self.properties["Name"],
 
206
                            command), level=0)
213
207
    
214
208
    def got_secret(self):
215
 
        self.logger('Client {0} received its secret'
 
209
        self.logger('Client {} received its secret'
216
210
                    .format(self.properties["Name"]))
217
211
    
218
212
    def need_approval(self, timeout, default):
219
213
        if not default:
220
 
            message = 'Client {0} needs approval within {1} seconds'
 
214
            message = 'Client {} needs approval within {} seconds'
221
215
        else:
222
 
            message = 'Client {0} will get its secret in {1} seconds'
 
216
            message = 'Client {} will get its secret in {} seconds'
223
217
        self.logger(message.format(self.properties["Name"],
224
218
                                   timeout/1000))
225
219
    
226
220
    def rejected(self, reason):
227
 
        self.logger('Client {0} was rejected; reason: {1}'
 
221
        self.logger('Client {} was rejected; reason: {}'
228
222
                    .format(self.properties["Name"], reason))
229
223
    
230
224
    def selectable(self):
274
268
            else:
275
269
                timer = datetime.timedelta()
276
270
            if self.properties["ApprovedByDefault"]:
277
 
                message = "Approval in {0}. (d)eny?"
 
271
                message = "Approval in {}. (d)eny?"
278
272
            else:
279
 
                message = "Denial in {0}. (a)pprove?"
 
273
                message = "Denial in {}. (a)pprove?"
280
274
            message = message.format(str(timer).rsplit(".", 1)[0])
281
275
            self.using_timer(True)
282
276
        elif self.properties["LastCheckerStatus"] != 0:
290
284
                timer = max(expires - datetime.datetime.utcnow(),
291
285
                            datetime.timedelta())
292
286
            message = ('A checker has failed! Time until client'
293
 
                       ' gets disabled: {0}'
 
287
                       ' gets disabled: {}'
294
288
                       .format(str(timer).rsplit(".", 1)[0]))
295
289
            self.using_timer(True)
296
290
        else:
297
291
            message = "enabled"
298
292
            self.using_timer(False)
299
 
        self._text = "{0}{1}".format(base, message)
 
293
        self._text = "{}{}".format(base, message)
300
294
        
301
295
        if not urwid.supports_unicode():
302
296
            self._text = self._text.encode("ascii", "replace")
341
335
        """Handle keys.
342
336
        This overrides the method from urwid.FlowWidget"""
343
337
        if key == "+":
344
 
            self.proxy.Enable(dbus_interface = client_interface,
345
 
                              ignore_reply=True)
 
338
            self.proxy.Set(client_interface, "Enabled",
 
339
                           dbus.Boolean(True), ignore_reply = True,
 
340
                           dbus_interface = dbus.PROPERTIES_IFACE)
346
341
        elif key == "-":
347
 
            self.proxy.Disable(dbus_interface = client_interface,
348
 
                               ignore_reply=True)
 
342
            self.proxy.Set(client_interface, "Enabled", False,
 
343
                           ignore_reply = True,
 
344
                           dbus_interface = dbus.PROPERTIES_IFACE)
349
345
        elif key == "a":
350
346
            self.proxy.Approve(dbus.Boolean(True, variant_level=1),
351
347
                               dbus_interface = client_interface,
359
355
                                                  .object_path,
360
356
                                                  ignore_reply=True)
361
357
        elif key == "s":
362
 
            self.proxy.StartChecker(dbus_interface = client_interface,
363
 
                                    ignore_reply=True)
 
358
            self.proxy.Set(client_interface, "CheckerRunning",
 
359
                           dbus.Boolean(True), ignore_reply = True,
 
360
                           dbus_interface = dbus.PROPERTIES_IFACE)
364
361
        elif key == "S":
365
 
            self.proxy.StopChecker(dbus_interface = client_interface,
366
 
                                   ignore_reply=True)
 
362
            self.proxy.Set(client_interface, "CheckerRunning",
 
363
                           dbus.Boolean(False), ignore_reply = True,
 
364
                           dbus_interface = dbus.PROPERTIES_IFACE)
367
365
        elif key == "C":
368
366
            self.proxy.CheckedOK(dbus_interface = client_interface,
369
367
                                 ignore_reply=True)
377
375
        else:
378
376
            return key
379
377
    
380
 
    def property_changed(self, property=None, **kwargs):
381
 
        """Call self.update() if old value is not new value.
 
378
    def properties_changed(self, interface, properties, invalidated):
 
379
        """Call self.update() if any properties changed.
382
380
        This overrides the method from MandosClientPropertyCache"""
383
 
        property_name = str(property)
384
 
        old_value = self.properties.get(property_name)
385
 
        super(MandosClientWidget, self).property_changed(
386
 
            property=property, **kwargs)
387
 
        if self.properties.get(property_name) != old_value:
 
381
        old_values = { key: self.properties.get(key)
 
382
                       for key in properties.keys() }
 
383
        super(MandosClientWidget, self).properties_changed(
 
384
            interface, properties, invalidated)
 
385
        if any(old_values[key] != self.properties.get(key)
 
386
               for key in old_values):
388
387
            self.update()
389
388
 
390
389
 
404
403
    """This is the entire user interface - the whole screen
405
404
    with boxes, lists of client widgets, etc.
406
405
    """
407
 
    def __init__(self, max_log_length=1000):
 
406
    def __init__(self, max_log_length=1000, log_level=1):
408
407
        DBusGMainLoop(set_as_default=True)
409
408
        
410
409
        self.screen = urwid.curses_display.Screen()
448
447
        self.log = []
449
448
        self.max_log_length = max_log_length
450
449
        
 
450
        self.log_level = log_level
 
451
        
451
452
        # We keep a reference to the log widget so we can remove it
452
453
        # from the ListWalker without it getting destroyed
453
454
        self.logbox = ConstrainedListBox(self.log)
467
468
        self.main_loop = gobject.MainLoop()
468
469
    
469
470
    def client_not_found(self, fingerprint, address):
470
 
        self.log_message("Client with address {0} and fingerprint"
471
 
                         " {1} could not be found"
 
471
        self.log_message("Client with address {} and fingerprint {}"
 
472
                         " could not be found"
472
473
                         .format(address, fingerprint))
473
474
    
474
475
    def rebuild(self):
487
488
            self.uilist.append(self.logbox)
488
489
        self.topwidget = urwid.Pile(self.uilist)
489
490
    
490
 
    def log_message(self, message):
 
491
    def log_message(self, message, level=1):
491
492
        """Log message formatted with timestamp"""
 
493
        if level < self.log_level:
 
494
            return
492
495
        timestamp = datetime.datetime.now().isoformat()
493
 
        self.log_message_raw(timestamp + ": " + message)
 
496
        self.log_message_raw("{}: {}".format(timestamp, message),
 
497
                             level=level)
494
498
    
495
 
    def log_message_raw(self, markup):
 
499
    def log_message_raw(self, markup, level=1):
496
500
        """Add a log message to the log buffer."""
 
501
        if level < self.log_level:
 
502
            return
497
503
        self.log.append(urwid.Text(markup, wrap=self.log_wrap))
498
504
        if (self.max_log_length
499
505
            and len(self.log) > self.max_log_length):
506
512
        """Toggle visibility of the log buffer."""
507
513
        self.log_visible = not self.log_visible
508
514
        self.rebuild()
509
 
        #self.log_message("Log visibility changed to: "
510
 
        #                 + str(self.log_visible))
 
515
        self.log_message("Log visibility changed to: {}"
 
516
                         .format(self.log_visible), level=0)
511
517
    
512
518
    def change_log_display(self):
513
519
        """Change type of log display.
518
524
            self.log_wrap = "clip"
519
525
        for textwidget in self.log:
520
526
            textwidget.set_wrap_mode(self.log_wrap)
521
 
        #self.log_message("Wrap mode: " + self.log_wrap)
 
527
        self.log_message("Wrap mode: {}".format(self.log_wrap),
 
528
                         level=0)
522
529
    
523
 
    def find_and_remove_client(self, path, name):
 
530
    def find_and_remove_client(self, path, interfaces):
524
531
        """Find a client by its object path and remove it.
525
532
        
526
 
        This is connected to the ClientRemoved signal from the
 
533
        This is connected to the InterfacesRemoved signal from the
527
534
        Mandos server object."""
 
535
        if client_interface not in interfaces:
 
536
            # Not a Mandos client object; ignore
 
537
            return
528
538
        try:
529
539
            client = self.clients_dict[path]
530
540
        except KeyError:
531
541
            # not found?
532
 
            self.log_message("Unknown client {0!r} ({1!r}) removed"
533
 
                             .format(name, path))
 
542
            self.log_message("Unknown client {!r} removed"
 
543
                             .format(path))
534
544
            return
535
545
        client.delete()
536
546
    
537
 
    def add_new_client(self, path):
 
547
    def add_new_client(self, path, ifs_and_props):
 
548
        """Find a client by its object path and remove it.
 
549
        
 
550
        This is connected to the InterfacesAdded signal from the
 
551
        Mandos server object.
 
552
        """
 
553
        if client_interface not in ifs_and_props:
 
554
            # Not a Mandos client object; ignore
 
555
            return
538
556
        client_proxy_object = self.bus.get_object(self.busname, path)
539
557
        self.add_client(MandosClientWidget(server_proxy_object
540
558
                                           =self.mandos_serv,
545
563
                                           delete_hook
546
564
                                           =self.remove_client,
547
565
                                           logger
548
 
                                           =self.log_message),
 
566
                                           =self.log_message,
 
567
                                           properties
 
568
                                           = dict(ifs_and_props[
 
569
                                               client_interface])),
549
570
                        path=path)
550
571
    
551
572
    def add_client(self, client, path=None):
586
607
            mandos_clients = dbus.Dictionary()
587
608
        
588
609
        (self.mandos_serv
589
 
         .connect_to_signal("ClientRemoved",
 
610
         .connect_to_signal("InterfacesRemoved",
590
611
                            self.find_and_remove_client,
591
 
                            dbus_interface=server_interface,
 
612
                            dbus_interface
 
613
                            = dbus.OBJECT_MANAGER_IFACE,
592
614
                            byte_arrays=True))
593
615
        (self.mandos_serv
594
 
         .connect_to_signal("ClientAdded",
 
616
         .connect_to_signal("InterfacesAdded",
595
617
                            self.add_new_client,
596
 
                            dbus_interface=server_interface,
 
618
                            dbus_interface
 
619
                            = dbus.OBJECT_MANAGER_IFACE,
597
620
                            byte_arrays=True))
598
621
        (self.mandos_serv
599
622
         .connect_to_signal("ClientNotFound",
653
676
            elif key == "window resize":
654
677
                self.size = self.screen.get_cols_rows()
655
678
                self.refresh()
656
 
            elif key == "\f":  # Ctrl-L
 
679
            elif key == "ctrl l":
 
680
                self.screen.clear()
657
681
                self.refresh()
658
682
            elif key == "l" or key == "D":
659
683
                self.toggle_log_display()
671
695
                                            "?: Help",
672
696
                                            "l: Log window toggle",
673
697
                                            "TAB: Switch window",
674
 
                                            "w: Wrap (log)"))))
 
698
                                            "w: Wrap (log lines)",
 
699
                                            "v: Toggle verbose log",
 
700
                                            ))))
675
701
                self.log_message_raw(("bold",
676
702
                                      "  "
677
703
                                      .join(("Clients:",
690
716
                else:
691
717
                    self.topwidget.set_focus(self.logbox)
692
718
                self.refresh()
 
719
            elif key == "v":
 
720
                if self.log_level == 0:
 
721
                    self.log_level = 1
 
722
                    self.log_message("Verbose mode: Off")
 
723
                else:
 
724
                    self.log_level = 0
 
725
                    self.log_message("Verbose mode: On")
693
726
            #elif (key == "end" or key == "meta >" or key == "G"
694
727
            #      or key == ">"):
695
728
            #    pass            # xxx end-of-buffer