To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 88
- compare with another revision
- download diff
- download tarball
- view history from revision 88
- Committer: Teddy Hogeborn
- Date: 2008-08-18 05:57:11 UTC
- Revision ID: teddy@fukt.bsnet.se-20080818055711-2rpzat3hkbq3us62
No code or documentation changes.
- files added:
- plugins.d/usplash
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- Makefile
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
16
15
#
17
16
# This program is free software: you can redistribute it and/or modify
18
17
# it under the terms of the GNU General Public License as published by
25
24
# GNU General Public License for more details.
26
25
#
27
26
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
27
# along with this program. If not, see <http://www.gnu.org/licenses/>.
30
28
#
31
29
# Contact the authors at <mandos@fukt.bsnet.se>.
32
30
#
33
31
34
from __future__ import division, with_statement, absolute_import
32
from __future__ import division
35
33
36
import SocketServer as socketserver
34
import SocketServer
37
35
import socket
38
import optparse
36
import select
37
from optparse import OptionParser
39
38
import datetime
40
39
import errno
41
40
import gnutls.crypto
44
43
import gnutls.library.functions
45
44
import gnutls.library.constants
46
45
import gnutls.library.types
47
import ConfigParser as configparser
46
import ConfigParser
48
47
import sys
49
48
import re
50
49
import os
51
50
import signal
51
from sets import Set
52
52
import subprocess
53
53
import atexit
54
54
import stat
55
55
import logging
56
56
import logging.handlers
57
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import multiprocessing
64
57
65
58
import dbus
66
import dbus.service
67
59
import gobject
68
60
import avahi
69
61
from dbus.mainloop.glib import DBusGMainLoop
70
62
import ctypes
71
import ctypes.util
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
88
syslogger = (logging.handlers.SysLogHandler
89
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
90
address = "/dev/log"))
91
syslogger.setFormatter(logging.Formatter
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
63
64
version = "1.0"
65
66
logger = logging.Logger('mandos')
67
syslogger = logging.handlers.SysLogHandler\
68
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
69
address = "/dev/log")
70
syslogger.setFormatter(logging.Formatter\
71
('Mandos: %(levelname)s: %(message)s'))
94
72
logger.addHandler(syslogger)
95
73
96
74
console = logging.StreamHandler()
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
75
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
76
' %(message)s'))
100
77
logger.addHandler(console)
101
78
102
79
class AvahiError(Exception):
103
def __init__(self, value, *args, **kwargs):
80
def __init__(self, value):
104
81
self.value = value
105
super(AvahiError, self).__init__(value, *args, **kwargs)
106
def __unicode__(self):
107
return unicode(repr(self.value))
82
def __str__(self):
83
return repr(self.value)
108
84
109
85
class AvahiServiceError(AvahiError):
110
86
pass
115
91
116
92
class AvahiService(object):
117
93
"""An Avahi (Zeroconf) service.
118
119
94
Attributes:
120
95
interface: integer; avahi.IF_UNSPEC or an interface index.
121
96
Used to optionally bind to the specified interface.
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
97
name: string; Example: 'Mandos'
98
type: string; Example: '_mandos._tcp'.
124
99
See <http://www.dns-sd.org/ServiceTypes.html>
125
100
port: integer; what port to announce
126
101
TXT: list of strings; TXT record for the service
129
104
max_renames: integer; maximum number of renames
130
105
rename_count: integer; counter so we only rename after collisions
131
106
a sensible number of times
132
group: D-Bus Entry Group
133
server: D-Bus Server
134
bus: dbus.SystemBus()
135
107
"""
136
108
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
137
servicetype = None, port = None, TXT = None,
138
domain = u"", host = u"", max_renames = 32768,
139
protocol = avahi.PROTO_UNSPEC, bus = None):
109
type = None, port = None, TXT = None, domain = "",
110
host = "", max_renames = 32768):
140
111
self.interface = interface
141
112
self.name = name
142
self.type = servicetype
113
self.type = type
143
114
self.port = port
144
self.TXT = TXT if TXT is not None else []
115
if TXT is None:
116
self.TXT = []
117
else:
118
self.TXT = TXT
145
119
self.domain = domain
146
120
self.host = host
147
121
self.rename_count = 0
148
122
self.max_renames = max_renames
149
self.protocol = protocol
150
self.group = None # our entry group
151
self.server = None
152
self.bus = bus
153
123
def rename(self):
154
124
"""Derived from the Avahi example code"""
155
125
if self.rename_count >= self.max_renames:
156
logger.critical(u"No suitable Zeroconf service name found"
157
u" after %i retries, exiting.",
158
self.rename_count)
159
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
161
logger.info(u"Changing Zeroconf service name to %r ...",
162
self.name)
163
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
166
% self.name))
126
logger.critical(u"No suitable service name found after %i"
127
u" retries, exiting.", rename_count)
128
raise AvahiServiceError("Too many renames")
129
self.name = server.GetAlternativeServiceName(self.name)
130
logger.info(u"Changing name to %r ...", str(self.name))
131
syslogger.setFormatter(logging.Formatter\
132
('Mandos (%s): %%(levelname)s:'
133
' %%(message)s' % self.name))
167
134
self.remove()
168
try:
169
self.add()
170
except dbus.exceptions.DBusException, error:
171
logger.critical(u"DBusException: %s", error)
172
self.cleanup()
173
os._exit(1)
135
self.add()
174
136
self.rename_count += 1
175
137
def remove(self):
176
138
"""Derived from the Avahi example code"""
177
if self.group is not None:
178
self.group.Reset()
139
if group is not None:
140
group.Reset()
179
141
def add(self):
180
142
"""Derived from the Avahi example code"""
181
if self.group is None:
182
self.group = dbus.Interface(
183
self.bus.get_object(avahi.DBUS_NAME,
184
self.server.EntryGroupNew()),
185
avahi.DBUS_INTERFACE_ENTRY_GROUP)
186
self.group.connect_to_signal('StateChanged',
187
self
188
.entry_group_state_changed)
189
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
190
self.name, self.type)
191
self.group.AddService(
192
self.interface,
193
self.protocol,
194
dbus.UInt32(0), # flags
195
self.name, self.type,
196
self.domain, self.host,
197
dbus.UInt16(self.port),
198
avahi.string_array_to_txt_array(self.TXT))
199
self.group.Commit()
200
def entry_group_state_changed(self, state, error):
201
"""Derived from the Avahi example code"""
202
logger.debug(u"Avahi entry group state change: %i", state)
203
204
if state == avahi.ENTRY_GROUP_ESTABLISHED:
205
logger.debug(u"Zeroconf service established.")
206
elif state == avahi.ENTRY_GROUP_COLLISION:
207
logger.warning(u"Zeroconf service name collision.")
208
self.rename()
209
elif state == avahi.ENTRY_GROUP_FAILURE:
210
logger.critical(u"Avahi: Error in group state changed %s",
211
unicode(error))
212
raise AvahiGroupError(u"State changed: %s"
213
% unicode(error))
214
def cleanup(self):
215
"""Derived from the Avahi example code"""
216
if self.group is not None:
217
self.group.Free()
218
self.group = None
219
def server_state_changed(self, state):
220
"""Derived from the Avahi example code"""
221
logger.debug(u"Avahi server state change: %i", state)
222
if state == avahi.SERVER_COLLISION:
223
logger.error(u"Zeroconf server name collision")
224
self.remove()
225
elif state == avahi.SERVER_RUNNING:
226
self.add()
227
def activate(self):
228
"""Derived from the Avahi example code"""
229
if self.server is None:
230
self.server = dbus.Interface(
231
self.bus.get_object(avahi.DBUS_NAME,
232
avahi.DBUS_PATH_SERVER),
233
avahi.DBUS_INTERFACE_SERVER)
234
self.server.connect_to_signal(u"StateChanged",
235
self.server_state_changed)
236
self.server_state_changed(self.server.GetState())
143
global group
144
if group is None:
145
group = dbus.Interface\
146
(bus.get_object(avahi.DBUS_NAME,
147
server.EntryGroupNew()),
148
avahi.DBUS_INTERFACE_ENTRY_GROUP)
149
group.connect_to_signal('StateChanged',
150
entry_group_state_changed)
151
logger.debug(u"Adding service '%s' of type '%s' ...",
152
service.name, service.type)
153
group.AddService(
154
self.interface, # interface
155
avahi.PROTO_INET6, # protocol
156
dbus.UInt32(0), # flags
157
self.name, self.type,
158
self.domain, self.host,
159
dbus.UInt16(self.port),
160
avahi.string_array_to_txt_array(self.TXT))
161
group.Commit()
162
163
# From the Avahi example code:
164
group = None # our entry group
165
# End of Avahi example code
237
166
238
167
239
168
class Client(object):
240
169
"""A representation of a client host served by this server.
241
242
170
Attributes:
243
name: string; from the config file, used in log messages and
244
D-Bus identifiers
171
name: string; from the config file, used in log messages
245
172
fingerprint: string (40 or 32 hexadecimal digits); used to
246
173
uniquely identify the client
247
secret: bytestring; sent verbatim (over TLS) to client
248
host: string; available for use by the checker command
249
created: datetime.datetime(); (UTC) object creation
250
last_enabled: datetime.datetime(); (UTC)
251
enabled: bool()
252
last_checked_ok: datetime.datetime(); (UTC) or None
253
timeout: datetime.timedelta(); How long from last_checked_ok
254
until this client is disabled
255
interval: datetime.timedelta(); How often to start a new checker
256
disable_hook: If set, called by disable() as disable_hook(self)
257
checker: subprocess.Popen(); a running checker process used
258
to see if the client lives.
259
'None' if no process is running.
174
secret: bytestring; sent verbatim (over TLS) to client
175
host: string; available for use by the checker command
176
created: datetime.datetime(); object creation, not client host
177
last_checked_ok: datetime.datetime() or None if not yet checked OK
178
timeout: datetime.timedelta(); How long from last_checked_ok
179
until this client is invalid
180
interval: datetime.timedelta(); How often to start a new checker
181
stop_hook: If set, called by stop() as stop_hook(self)
182
checker: subprocess.Popen(); a running checker process used
183
to see if the client lives.
184
'None' if no process is running.
260
185
checker_initiator_tag: a gobject event source tag, or None
261
disable_initiator_tag: - '' -
186
stop_initiator_tag: - '' -
262
187
checker_callback_tag: - '' -
263
188
checker_command: string; External command which is run to check if
264
189
client lives. %() expansions are done at
265
190
runtime with vars(self) as dict, so that for
266
191
instance %(name)s can be used in the command.
267
current_checker_command: string; current running checker_command
268
approved_delay: datetime.timedelta(); Time to wait for approval
269
_approved: bool(); 'None' if not yet approved/disapproved
270
approved_duration: datetime.timedelta(); Duration of one approval
192
Private attibutes:
193
_timeout: Real variable for 'timeout'
194
_interval: Real variable for 'interval'
195
_timeout_milliseconds: Used when calling gobject.timeout_add()
196
_interval_milliseconds: - '' -
271
197
"""
272
273
@staticmethod
274
def _timedelta_to_milliseconds(td):
275
"Convert a datetime.timedelta() to milliseconds"
276
return ((td.days * 24 * 60 * 60 * 1000)
277
+ (td.seconds * 1000)
278
+ (td.microseconds // 1000))
279
280
def timeout_milliseconds(self):
281
"Return the 'timeout' attribute in milliseconds"
282
return self._timedelta_to_milliseconds(self.timeout)
283
284
def interval_milliseconds(self):
285
"Return the 'interval' attribute in milliseconds"
286
return self._timedelta_to_milliseconds(self.interval)
287
288
def approved_delay_milliseconds(self):
289
return self._timedelta_to_milliseconds(self.approved_delay)
290
291
def __init__(self, name = None, disable_hook=None, config=None):
198
def _set_timeout(self, timeout):
199
"Setter function for 'timeout' attribute"
200
self._timeout = timeout
201
self._timeout_milliseconds = ((self.timeout.days
202
* 24 * 60 * 60 * 1000)
203
+ (self.timeout.seconds * 1000)
204
+ (self.timeout.microseconds
205
// 1000))
206
timeout = property(lambda self: self._timeout,
207
_set_timeout)
208
del _set_timeout
209
def _set_interval(self, interval):
210
"Setter function for 'interval' attribute"
211
self._interval = interval
212
self._interval_milliseconds = ((self.interval.days
213
* 24 * 60 * 60 * 1000)
214
+ (self.interval.seconds
215
* 1000)
216
+ (self.interval.microseconds
217
// 1000))
218
interval = property(lambda self: self._interval,
219
_set_interval)
220
del _set_interval
221
def __init__(self, name = None, stop_hook=None, config={}):
292
222
"""Note: the 'checker' key in 'config' sets the
293
223
'checker_command' attribute and *not* the 'checker'
294
224
attribute."""
295
225
self.name = name
296
if config is None:
297
config = {}
298
226
logger.debug(u"Creating client %r", self.name)
299
227
# Uppercase and remove spaces from fingerprint for later
300
228
# comparison purposes with return value from the fingerprint()
301
229
# function
302
self.fingerprint = (config[u"fingerprint"].upper()
303
.replace(u" ", u""))
230
self.fingerprint = config["fingerprint"].upper()\
231
.replace(u" ", u"")
304
232
logger.debug(u" Fingerprint: %s", self.fingerprint)
305
if u"secret" in config:
306
self.secret = config[u"secret"].decode(u"base64")
307
elif u"secfile" in config:
308
with open(os.path.expanduser(os.path.expandvars
309
(config[u"secfile"])),
310
"rb") as secfile:
311
self.secret = secfile.read()
233
if "secret" in config:
234
self.secret = config["secret"].decode(u"base64")
235
elif "secfile" in config:
236
sf = open(config["secfile"])
237
self.secret = sf.read()
238
sf.close()
312
239
else:
313
240
raise TypeError(u"No secret or secfile for client %s"
314
241
% self.name)
315
self.host = config.get(u"host", u"")
316
self.created = datetime.datetime.utcnow()
317
self.enabled = False
318
self.last_enabled = None
242
self.host = config.get("host", "")
243
self.created = datetime.datetime.now()
319
244
self.last_checked_ok = None
320
self.timeout = string_to_delta(config[u"timeout"])
321
self.interval = string_to_delta(config[u"interval"])
322
self.disable_hook = disable_hook
245
self.timeout = string_to_delta(config["timeout"])
246
self.interval = string_to_delta(config["interval"])
247
self.stop_hook = stop_hook
323
248
self.checker = None
324
249
self.checker_initiator_tag = None
325
self.disable_initiator_tag = None
250
self.stop_initiator_tag = None
326
251
self.checker_callback_tag = None
327
self.checker_command = config[u"checker"]
328
self.current_checker_command = None
329
self.last_connect = None
330
self._approved = None
331
self.approved_by_default = config.get(u"approved_by_default",
332
True)
333
self.approvals_pending = 0
334
self.approved_delay = string_to_delta(
335
config[u"approved_delay"])
336
self.approved_duration = string_to_delta(
337
config[u"approved_duration"])
338
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
339
340
def send_changedstate(self):
341
self.changedstate.acquire()
342
self.changedstate.notify_all()
343
self.changedstate.release()
344
345
def enable(self):
252
self.check_command = config["checker"]
253
def start(self):
346
254
"""Start this client's checker and timeout hooks"""
347
if getattr(self, u"enabled", False):
348
# Already enabled
349
return
350
self.send_changedstate()
351
self.last_enabled = datetime.datetime.utcnow()
352
255
# Schedule a new checker to be started an 'interval' from now,
353
256
# and every interval from then on.
354
self.checker_initiator_tag = (gobject.timeout_add
355
(self.interval_milliseconds(),
356
self.start_checker))
357
# Schedule a disable() when 'timeout' has passed
358
self.disable_initiator_tag = (gobject.timeout_add
359
(self.timeout_milliseconds(),
360
self.disable))
361
self.enabled = True
257
self.checker_initiator_tag = gobject.timeout_add\
258
(self._interval_milliseconds,
259
self.start_checker)
362
260
# Also start a new checker *right now*.
363
261
self.start_checker()
364
365
def disable(self, quiet=True):
366
"""Disable this client."""
367
if not getattr(self, "enabled", False):
262
# Schedule a stop() when 'timeout' has passed
263
self.stop_initiator_tag = gobject.timeout_add\
264
(self._timeout_milliseconds,
265
self.stop)
266
def stop(self):
267
"""Stop this client.
268
The possibility that a client might be restarted is left open,
269
but not currently used."""
270
# If this client doesn't have a secret, it is already stopped.
271
if hasattr(self, "secret") and self.secret:
272
logger.info(u"Stopping client %s", self.name)
273
self.secret = None
274
else:
368
275
return False
369
if not quiet:
370
self.send_changedstate()
371
if not quiet:
372
logger.info(u"Disabling client %s", self.name)
373
if getattr(self, u"disable_initiator_tag", False):
374
gobject.source_remove(self.disable_initiator_tag)
375
self.disable_initiator_tag = None
376
if getattr(self, u"checker_initiator_tag", False):
276
if getattr(self, "stop_initiator_tag", False):
277
gobject.source_remove(self.stop_initiator_tag)
278
self.stop_initiator_tag = None
279
if getattr(self, "checker_initiator_tag", False):
377
280
gobject.source_remove(self.checker_initiator_tag)
378
281
self.checker_initiator_tag = None
379
282
self.stop_checker()
380
if self.disable_hook:
381
self.disable_hook(self)
382
self.enabled = False
283
if self.stop_hook:
284
self.stop_hook(self)
383
285
# Do not run this again if called by a gobject.timeout_add
384
286
return False
385
386
287
def __del__(self):
387
self.disable_hook = None
388
self.disable()
389
390
def checker_callback(self, pid, condition, command):
288
self.stop_hook = None
289
self.stop()
290
def checker_callback(self, pid, condition):
391
291
"""The checker has completed, so take appropriate actions."""
292
now = datetime.datetime.now()
392
293
self.checker_callback_tag = None
393
294
self.checker = None
394
if os.WIFEXITED(condition):
395
exitstatus = os.WEXITSTATUS(condition)
396
if exitstatus == 0:
397
logger.info(u"Checker for %(name)s succeeded",
398
vars(self))
399
self.checked_ok()
400
else:
401
logger.info(u"Checker for %(name)s failed",
402
vars(self))
403
else:
295
if os.WIFEXITED(condition) \
296
and (os.WEXITSTATUS(condition) == 0):
297
logger.info(u"Checker for %(name)s succeeded",
298
vars(self))
299
self.last_checked_ok = now
300
gobject.source_remove(self.stop_initiator_tag)
301
self.stop_initiator_tag = gobject.timeout_add\
302
(self._timeout_milliseconds,
303
self.stop)
304
elif not os.WIFEXITED(condition):
404
305
logger.warning(u"Checker for %(name)s crashed?",
405
306
vars(self))
406
407
def checked_ok(self):
408
"""Bump up the timeout for this client.
409
410
This should only be called when the client has been seen,
411
alive and well.
412
"""
413
self.last_checked_ok = datetime.datetime.utcnow()
414
gobject.source_remove(self.disable_initiator_tag)
415
self.disable_initiator_tag = (gobject.timeout_add
416
(self.timeout_milliseconds(),
417
self.disable))
418
307
else:
308
logger.info(u"Checker for %(name)s failed",
309
vars(self))
419
310
def start_checker(self):
420
311
"""Start a new checker subprocess if one is not running.
421
422
312
If a checker already exists, leave it running and do
423
313
nothing."""
424
314
# The reason for not killing a running checker is that if we
427
317
# client would inevitably timeout, since no checker would get
428
318
# a chance to run to completion. If we instead leave running
429
319
# checkers alone, the checker would have to take more time
430
# than 'timeout' for the client to be disabled, which is as it
431
# should be.
432
433
# If a checker exists, make sure it is not a zombie
434
try:
435
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
436
except (AttributeError, OSError), error:
437
if (isinstance(error, OSError)
438
and error.errno != errno.ECHILD):
439
raise error
440
else:
441
if pid:
442
logger.warning(u"Checker was a zombie")
443
gobject.source_remove(self.checker_callback_tag)
444
self.checker_callback(pid, status,
445
self.current_checker_command)
446
# Start a new checker if needed
320
# than 'timeout' for the client to be declared invalid, which
321
# is as it should be.
447
322
if self.checker is None:
448
323
try:
449
# In case checker_command has exactly one % operator
450
command = self.checker_command % self.host
324
# In case check_command has exactly one % operator
325
command = self.check_command % self.host
451
326
except TypeError:
452
327
# Escape attributes for the shell
453
escaped_attrs = dict((key,
454
re.escape(unicode(str(val),
455
errors=
456
u'replace')))
328
escaped_attrs = dict((key, re.escape(str(val)))
457
329
for key, val in
458
330
vars(self).iteritems())
459
331
try:
460
command = self.checker_command % escaped_attrs
332
command = self.check_command % escaped_attrs
461
333
except TypeError, error:
462
334
logger.error(u'Could not format string "%s":'
463
u' %s', self.checker_command, error)
335
u' %s', self.check_command, error)
464
336
return True # Try again later
465
self.current_checker_command = command
466
337
try:
467
338
logger.info(u"Starting checker %r for %s",
468
339
command, self.name)
469
# We don't need to redirect stdout and stderr, since
470
# in normal mode, that is already done by daemon(),
471
# and in debug mode we don't want to. (Stdin is
472
# always replaced by /dev/null.)
473
340
self.checker = subprocess.Popen(command,
474
341
close_fds=True,
475
shell=True, cwd=u"/")
476
self.checker_callback_tag = (gobject.child_watch_add
477
(self.checker.pid,
478
self.checker_callback,
479
data=command))
480
# The checker may have completed before the gobject
481
# watch was added. Check for this.
482
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
483
if pid:
484
gobject.source_remove(self.checker_callback_tag)
485
self.checker_callback(pid, status, command)
486
except OSError, error:
342
shell=True, cwd="/")
343
self.checker_callback_tag = gobject.child_watch_add\
344
(self.checker.pid,
345
self.checker_callback)
346
except subprocess.OSError, error:
487
347
logger.error(u"Failed to start subprocess: %s",
488
348
error)
489
349
# Re-run this periodically if run by gobject.timeout_add
490
350
return True
491
492
351
def stop_checker(self):
493
352
"""Force the checker process, if any, to stop."""
494
353
if self.checker_callback_tag:
495
354
gobject.source_remove(self.checker_callback_tag)
496
355
self.checker_callback_tag = None
497
if getattr(self, u"checker", None) is None:
356
if getattr(self, "checker", None) is None:
498
357
return
499
358
logger.debug(u"Stopping checker for %(name)s", vars(self))
500
359
try:
501
360
os.kill(self.checker.pid, signal.SIGTERM)
502
#time.sleep(0.5)
361
#os.sleep(0.5)
503
362
#if self.checker.poll() is None:
504
363
# os.kill(self.checker.pid, signal.SIGKILL)
505
364
except OSError, error:
506
365
if error.errno != errno.ESRCH: # No such process
507
366
raise
508
367
self.checker = None
509
510
def dbus_service_property(dbus_interface, signature=u"v",
511
access=u"readwrite", byte_arrays=False):
512
"""Decorators for marking methods of a DBusObjectWithProperties to
513
become properties on the D-Bus.
514
515
The decorated method will be called with no arguments by "Get"
516
and with one argument by "Set".
517
518
The parameters, where they are supported, are the same as
519
dbus.service.method, except there is only "signature", since the
520
type from Get() and the type sent to Set() is the same.
521
"""
522
# Encoding deeply encoded byte arrays is not supported yet by the
523
# "Set" method, so we fail early here:
524
if byte_arrays and signature != u"ay":
525
raise ValueError(u"Byte arrays not supported for non-'ay'"
526
u" signature %r" % signature)
527
def decorator(func):
528
func._dbus_is_property = True
529
func._dbus_interface = dbus_interface
530
func._dbus_signature = signature
531
func._dbus_access = access
532
func._dbus_name = func.__name__
533
if func._dbus_name.endswith(u"_dbus_property"):
534
func._dbus_name = func._dbus_name[:-14]
535
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
536
return func
537
return decorator
538
539
540
class DBusPropertyException(dbus.exceptions.DBusException):
541
"""A base class for D-Bus property-related exceptions
542
"""
543
def __unicode__(self):
544
return unicode(str(self))
545
546
547
class DBusPropertyAccessException(DBusPropertyException):
548
"""A property's access permissions disallows an operation.
549
"""
550
pass
551
552
553
class DBusPropertyNotFound(DBusPropertyException):
554
"""An attempt was made to access a non-existing property.
555
"""
556
pass
557
558
559
class DBusObjectWithProperties(dbus.service.Object):
560
"""A D-Bus object with properties.
561
562
Classes inheriting from this can use the dbus_service_property
563
decorator to expose methods as D-Bus properties. It exposes the
564
standard Get(), Set(), and GetAll() methods on the D-Bus.
565
"""
566
567
@staticmethod
568
def _is_dbus_property(obj):
569
return getattr(obj, u"_dbus_is_property", False)
570
571
def _get_all_dbus_properties(self):
572
"""Returns a generator of (name, attribute) pairs
573
"""
574
return ((prop._dbus_name, prop)
575
for name, prop in
576
inspect.getmembers(self, self._is_dbus_property))
577
578
def _get_dbus_property(self, interface_name, property_name):
579
"""Returns a bound method if one exists which is a D-Bus
580
property with the specified name and interface.
581
"""
582
for name in (property_name,
583
property_name + u"_dbus_property"):
584
prop = getattr(self, name, None)
585
if (prop is None
586
or not self._is_dbus_property(prop)
587
or prop._dbus_name != property_name
588
or (interface_name and prop._dbus_interface
589
and interface_name != prop._dbus_interface)):
590
continue
591
return prop
592
# No such property
593
raise DBusPropertyNotFound(self.dbus_object_path + u":"
594
+ interface_name + u"."
595
+ property_name)
596
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
598
out_signature=u"v")
599
def Get(self, interface_name, property_name):
600
"""Standard D-Bus property Get() method, see D-Bus standard.
601
"""
602
prop = self._get_dbus_property(interface_name, property_name)
603
if prop._dbus_access == u"write":
604
raise DBusPropertyAccessException(property_name)
605
value = prop()
606
if not hasattr(value, u"variant_level"):
607
return value
608
return type(value)(value, variant_level=value.variant_level+1)
609
610
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
611
def Set(self, interface_name, property_name, value):
612
"""Standard D-Bus property Set() method, see D-Bus standard.
613
"""
614
prop = self._get_dbus_property(interface_name, property_name)
615
if prop._dbus_access == u"read":
616
raise DBusPropertyAccessException(property_name)
617
if prop._dbus_get_args_options[u"byte_arrays"]:
618
# The byte_arrays option is not supported yet on
619
# signatures other than "ay".
620
if prop._dbus_signature != u"ay":
621
raise ValueError
622
value = dbus.ByteArray(''.join(unichr(byte)
623
for byte in value))
624
prop(value)
625
626
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
627
out_signature=u"a{sv}")
628
def GetAll(self, interface_name):
629
"""Standard D-Bus property GetAll() method, see D-Bus
630
standard.
631
632
Note: Will not include properties with access="write".
633
"""
634
all = {}
635
for name, prop in self._get_all_dbus_properties():
636
if (interface_name
637
and interface_name != prop._dbus_interface):
638
# Interface non-empty but did not match
639
continue
640
# Ignore write-only properties
641
if prop._dbus_access == u"write":
642
continue
643
value = prop()
644
if not hasattr(value, u"variant_level"):
645
all[name] = value
646
continue
647
all[name] = type(value)(value, variant_level=
648
value.variant_level+1)
649
return dbus.Dictionary(all, signature=u"sv")
650
651
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
652
out_signature=u"s",
653
path_keyword='object_path',
654
connection_keyword='connection')
655
def Introspect(self, object_path, connection):
656
"""Standard D-Bus method, overloaded to insert property tags.
657
"""
658
xmlstring = dbus.service.Object.Introspect(self, object_path,
659
connection)
660
try:
661
document = xml.dom.minidom.parseString(xmlstring)
662
def make_tag(document, name, prop):
663
e = document.createElement(u"property")
664
e.setAttribute(u"name", name)
665
e.setAttribute(u"type", prop._dbus_signature)
666
e.setAttribute(u"access", prop._dbus_access)
667
return e
668
for if_tag in document.getElementsByTagName(u"interface"):
669
for tag in (make_tag(document, name, prop)
670
for name, prop
671
in self._get_all_dbus_properties()
672
if prop._dbus_interface
673
== if_tag.getAttribute(u"name")):
674
if_tag.appendChild(tag)
675
# Add the names to the return values for the
676
# "org.freedesktop.DBus.Properties" methods
677
if (if_tag.getAttribute(u"name")
678
== u"org.freedesktop.DBus.Properties"):
679
for cn in if_tag.getElementsByTagName(u"method"):
680
if cn.getAttribute(u"name") == u"Get":
681
for arg in cn.getElementsByTagName(u"arg"):
682
if (arg.getAttribute(u"direction")
683
== u"out"):
684
arg.setAttribute(u"name", u"value")
685
elif cn.getAttribute(u"name") == u"GetAll":
686
for arg in cn.getElementsByTagName(u"arg"):
687
if (arg.getAttribute(u"direction")
688
== u"out"):
689
arg.setAttribute(u"name", u"props")
690
xmlstring = document.toxml(u"utf-8")
691
document.unlink()
692
except (AttributeError, xml.dom.DOMException,
693
xml.parsers.expat.ExpatError), error:
694
logger.error(u"Failed to override Introspection method",
695
error)
696
return xmlstring
697
698
699
class ClientDBus(Client, DBusObjectWithProperties):
700
"""A Client class using D-Bus
701
702
Attributes:
703
dbus_object_path: dbus.ObjectPath
704
bus: dbus.SystemBus()
705
"""
706
# dbus.service.Object doesn't use super(), so we can't either.
707
708
def __init__(self, bus = None, *args, **kwargs):
709
self._approvals_pending = 0
710
self.bus = bus
711
Client.__init__(self, *args, **kwargs)
712
# Only now, when this client is initialized, can it show up on
713
# the D-Bus
714
self.dbus_object_path = (dbus.ObjectPath
715
(u"/clients/"
716
+ self.name.replace(u".", u"_")))
717
DBusObjectWithProperties.__init__(self, self.bus,
718
self.dbus_object_path)
719
720
def _get_approvals_pending(self):
721
return self._approvals_pending
722
def _set_approvals_pending(self, value):
723
old_value = self._approvals_pending
724
self._approvals_pending = value
725
bval = bool(value)
726
if (hasattr(self, "dbus_object_path")
727
and bval is not bool(old_value)):
728
dbus_bool = dbus.Boolean(bval, variant_level=1)
729
self.PropertyChanged(dbus.String(u"approved_pending"),
730
dbus_bool)
731
732
approvals_pending = property(_get_approvals_pending,
733
_set_approvals_pending)
734
del _get_approvals_pending, _set_approvals_pending
735
736
@staticmethod
737
def _datetime_to_dbus(dt, variant_level=0):
738
"""Convert a UTC datetime.datetime() to a D-Bus type."""
739
return dbus.String(dt.isoformat(),
740
variant_level=variant_level)
741
742
def enable(self):
743
oldstate = getattr(self, u"enabled", False)
744
r = Client.enable(self)
745
if oldstate != self.enabled:
746
# Emit D-Bus signals
747
self.PropertyChanged(dbus.String(u"enabled"),
748
dbus.Boolean(True, variant_level=1))
749
self.PropertyChanged(
750
dbus.String(u"last_enabled"),
751
self._datetime_to_dbus(self.last_enabled,
752
variant_level=1))
753
return r
754
755
def disable(self, quiet = False):
756
oldstate = getattr(self, u"enabled", False)
757
r = Client.disable(self, quiet=quiet)
758
if not quiet and oldstate != self.enabled:
759
# Emit D-Bus signal
760
self.PropertyChanged(dbus.String(u"enabled"),
761
dbus.Boolean(False, variant_level=1))
762
return r
763
764
def __del__(self, *args, **kwargs):
765
try:
766
self.remove_from_connection()
767
except LookupError:
768
pass
769
if hasattr(DBusObjectWithProperties, u"__del__"):
770
DBusObjectWithProperties.__del__(self, *args, **kwargs)
771
Client.__del__(self, *args, **kwargs)
772
773
def checker_callback(self, pid, condition, command,
774
*args, **kwargs):
775
self.checker_callback_tag = None
776
self.checker = None
777
# Emit D-Bus signal
778
self.PropertyChanged(dbus.String(u"checker_running"),
779
dbus.Boolean(False, variant_level=1))
780
if os.WIFEXITED(condition):
781
exitstatus = os.WEXITSTATUS(condition)
782
# Emit D-Bus signal
783
self.CheckerCompleted(dbus.Int16(exitstatus),
784
dbus.Int64(condition),
785
dbus.String(command))
786
else:
787
# Emit D-Bus signal
788
self.CheckerCompleted(dbus.Int16(-1),
789
dbus.Int64(condition),
790
dbus.String(command))
791
792
return Client.checker_callback(self, pid, condition, command,
793
*args, **kwargs)
794
795
def checked_ok(self, *args, **kwargs):
796
r = Client.checked_ok(self, *args, **kwargs)
797
# Emit D-Bus signal
798
self.PropertyChanged(
799
dbus.String(u"last_checked_ok"),
800
(self._datetime_to_dbus(self.last_checked_ok,
801
variant_level=1)))
802
return r
803
804
def start_checker(self, *args, **kwargs):
805
old_checker = self.checker
806
if self.checker is not None:
807
old_checker_pid = self.checker.pid
808
else:
809
old_checker_pid = None
810
r = Client.start_checker(self, *args, **kwargs)
811
# Only if new checker process was started
812
if (self.checker is not None
813
and old_checker_pid != self.checker.pid):
814
# Emit D-Bus signal
815
self.CheckerStarted(self.current_checker_command)
816
self.PropertyChanged(
817
dbus.String(u"checker_running"),
818
dbus.Boolean(True, variant_level=1))
819
return r
820
821
def stop_checker(self, *args, **kwargs):
822
old_checker = getattr(self, u"checker", None)
823
r = Client.stop_checker(self, *args, **kwargs)
824
if (old_checker is not None
825
and getattr(self, u"checker", None) is None):
826
self.PropertyChanged(dbus.String(u"checker_running"),
827
dbus.Boolean(False, variant_level=1))
828
return r
829
830
def _reset_approved(self):
831
self._approved = None
832
return False
833
834
def approve(self, value=True):
835
self.send_changedstate()
836
self._approved = value
837
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
838
self._reset_approved)
839
840
841
## D-Bus methods, signals & properties
842
_interface = u"se.bsnet.fukt.Mandos.Client"
843
844
## Signals
845
846
# CheckerCompleted - signal
847
@dbus.service.signal(_interface, signature=u"nxs")
848
def CheckerCompleted(self, exitcode, waitstatus, command):
849
"D-Bus signal"
850
pass
851
852
# CheckerStarted - signal
853
@dbus.service.signal(_interface, signature=u"s")
854
def CheckerStarted(self, command):
855
"D-Bus signal"
856
pass
857
858
# PropertyChanged - signal
859
@dbus.service.signal(_interface, signature=u"sv")
860
def PropertyChanged(self, property, value):
861
"D-Bus signal"
862
pass
863
864
# GotSecret - signal
865
@dbus.service.signal(_interface)
866
def GotSecret(self):
867
"""D-Bus signal
868
Is sent after a successful transfer of secret from the Mandos
869
server to mandos-client
870
"""
871
pass
872
873
# Rejected - signal
874
@dbus.service.signal(_interface, signature=u"s")
875
def Rejected(self, reason):
876
"D-Bus signal"
877
pass
878
879
# NeedApproval - signal
880
@dbus.service.signal(_interface, signature=u"db")
881
def NeedApproval(self, timeout, default):
882
"D-Bus signal"
883
pass
884
885
## Methods
886
887
# Approve - method
888
@dbus.service.method(_interface, in_signature=u"b")
889
def Approve(self, value):
890
self.approve(value)
891
892
# CheckedOK - method
893
@dbus.service.method(_interface)
894
def CheckedOK(self):
895
return self.checked_ok()
896
897
# Enable - method
898
@dbus.service.method(_interface)
899
def Enable(self):
900
"D-Bus method"
901
self.enable()
902
903
# StartChecker - method
904
@dbus.service.method(_interface)
905
def StartChecker(self):
906
"D-Bus method"
907
self.start_checker()
908
909
# Disable - method
910
@dbus.service.method(_interface)
911
def Disable(self):
912
"D-Bus method"
913
self.disable()
914
915
# StopChecker - method
916
@dbus.service.method(_interface)
917
def StopChecker(self):
918
self.stop_checker()
919
920
## Properties
921
922
# approved_pending - property
923
@dbus_service_property(_interface, signature=u"b", access=u"read")
924
def approved_pending_dbus_property(self):
925
return dbus.Boolean(bool(self.approvals_pending))
926
927
# approved_by_default - property
928
@dbus_service_property(_interface, signature=u"b",
929
access=u"readwrite")
930
def approved_by_default_dbus_property(self):
931
return dbus.Boolean(self.approved_by_default)
932
933
# approved_delay - property
934
@dbus_service_property(_interface, signature=u"t",
935
access=u"readwrite")
936
def approved_delay_dbus_property(self):
937
return dbus.UInt64(self.approved_delay_milliseconds())
938
939
# approved_duration - property
940
@dbus_service_property(_interface, signature=u"t",
941
access=u"readwrite")
942
def approved_duration_dbus_property(self):
943
return dbus.UInt64(self._timedelta_to_milliseconds(
944
self.approved_duration))
945
946
# name - property
947
@dbus_service_property(_interface, signature=u"s", access=u"read")
948
def name_dbus_property(self):
949
return dbus.String(self.name)
950
951
# fingerprint - property
952
@dbus_service_property(_interface, signature=u"s", access=u"read")
953
def fingerprint_dbus_property(self):
954
return dbus.String(self.fingerprint)
955
956
# host - property
957
@dbus_service_property(_interface, signature=u"s",
958
access=u"readwrite")
959
def host_dbus_property(self, value=None):
960
if value is None: # get
961
return dbus.String(self.host)
962
self.host = value
963
# Emit D-Bus signal
964
self.PropertyChanged(dbus.String(u"host"),
965
dbus.String(value, variant_level=1))
966
967
# created - property
968
@dbus_service_property(_interface, signature=u"s", access=u"read")
969
def created_dbus_property(self):
970
return dbus.String(self._datetime_to_dbus(self.created))
971
972
# last_enabled - property
973
@dbus_service_property(_interface, signature=u"s", access=u"read")
974
def last_enabled_dbus_property(self):
975
if self.last_enabled is None:
976
return dbus.String(u"")
977
return dbus.String(self._datetime_to_dbus(self.last_enabled))
978
979
# enabled - property
980
@dbus_service_property(_interface, signature=u"b",
981
access=u"readwrite")
982
def enabled_dbus_property(self, value=None):
983
if value is None: # get
984
return dbus.Boolean(self.enabled)
985
if value:
986
self.enable()
987
else:
988
self.disable()
989
990
# last_checked_ok - property
991
@dbus_service_property(_interface, signature=u"s",
992
access=u"readwrite")
993
def last_checked_ok_dbus_property(self, value=None):
994
if value is not None:
995
self.checked_ok()
996
return
368
def still_valid(self):
369
"""Has the timeout not yet passed for this client?"""
370
now = datetime.datetime.now()
997
371
if self.last_checked_ok is None:
998
return dbus.String(u"")
999
return dbus.String(self._datetime_to_dbus(self
1000
.last_checked_ok))
1001
1002
# timeout - property
1003
@dbus_service_property(_interface, signature=u"t",
1004
access=u"readwrite")
1005
def timeout_dbus_property(self, value=None):
1006
if value is None: # get
1007
return dbus.UInt64(self.timeout_milliseconds())
1008
self.timeout = datetime.timedelta(0, 0, 0, value)
1009
# Emit D-Bus signal
1010
self.PropertyChanged(dbus.String(u"timeout"),
1011
dbus.UInt64(value, variant_level=1))
1012
if getattr(self, u"disable_initiator_tag", None) is None:
1013
return
1014
# Reschedule timeout
1015
gobject.source_remove(self.disable_initiator_tag)
1016
self.disable_initiator_tag = None
1017
time_to_die = (self.
1018
_timedelta_to_milliseconds((self
1019
.last_checked_ok
1020
+ self.timeout)
1021
- datetime.datetime
1022
.utcnow()))
1023
if time_to_die <= 0:
1024
# The timeout has passed
1025
self.disable()
1026
else:
1027
self.disable_initiator_tag = (gobject.timeout_add
1028
(time_to_die, self.disable))
1029
1030
# interval - property
1031
@dbus_service_property(_interface, signature=u"t",
1032
access=u"readwrite")
1033
def interval_dbus_property(self, value=None):
1034
if value is None: # get
1035
return dbus.UInt64(self.interval_milliseconds())
1036
self.interval = datetime.timedelta(0, 0, 0, value)
1037
# Emit D-Bus signal
1038
self.PropertyChanged(dbus.String(u"interval"),
1039
dbus.UInt64(value, variant_level=1))
1040
if getattr(self, u"checker_initiator_tag", None) is None:
1041
return
1042
# Reschedule checker run
1043
gobject.source_remove(self.checker_initiator_tag)
1044
self.checker_initiator_tag = (gobject.timeout_add
1045
(value, self.start_checker))
1046
self.start_checker() # Start one now, too
1047
1048
# checker - property
1049
@dbus_service_property(_interface, signature=u"s",
1050
access=u"readwrite")
1051
def checker_dbus_property(self, value=None):
1052
if value is None: # get
1053
return dbus.String(self.checker_command)
1054
self.checker_command = value
1055
# Emit D-Bus signal
1056
self.PropertyChanged(dbus.String(u"checker"),
1057
dbus.String(self.checker_command,
1058
variant_level=1))
1059
1060
# checker_running - property
1061
@dbus_service_property(_interface, signature=u"b",
1062
access=u"readwrite")
1063
def checker_running_dbus_property(self, value=None):
1064
if value is None: # get
1065
return dbus.Boolean(self.checker is not None)
1066
if value:
1067
self.start_checker()
1068
else:
1069
self.stop_checker()
1070
1071
# object_path - property
1072
@dbus_service_property(_interface, signature=u"o", access=u"read")
1073
def object_path_dbus_property(self):
1074
return self.dbus_object_path # is already a dbus.ObjectPath
1075
1076
# secret = property
1077
@dbus_service_property(_interface, signature=u"ay",
1078
access=u"write", byte_arrays=True)
1079
def secret_dbus_property(self, value):
1080
self.secret = str(value)
1081
1082
del _interface
1083
1084
1085
class ProxyClient(object):
1086
def __init__(self, child_pipe, fpr, address):
1087
self._pipe = child_pipe
1088
self._pipe.send(('init', fpr, address))
1089
if not self._pipe.recv():
1090
raise KeyError()
1091
1092
def __getattribute__(self, name):
1093
if(name == '_pipe'):
1094
return super(ProxyClient, self).__getattribute__(name)
1095
self._pipe.send(('getattr', name))
1096
data = self._pipe.recv()
1097
if data[0] == 'data':
1098
return data[1]
1099
if data[0] == 'function':
1100
def func(*args, **kwargs):
1101
self._pipe.send(('funcall', name, args, kwargs))
1102
return self._pipe.recv()[1]
1103
return func
1104
1105
def __setattr__(self, name, value):
1106
if(name == '_pipe'):
1107
return super(ProxyClient, self).__setattr__(name, value)
1108
self._pipe.send(('setattr', name, value))
1109
1110
1111
class ClientHandler(socketserver.BaseRequestHandler, object):
1112
"""A class to handle client connections.
1113
1114
Instantiated once for each connection to handle it.
372
return now < (self.created + self.timeout)
373
else:
374
return now < (self.last_checked_ok + self.timeout)
375
376
377
def peer_certificate(session):
378
"Return the peer's OpenPGP certificate as a bytestring"
379
# If not an OpenPGP certificate...
380
if gnutls.library.functions.gnutls_certificate_type_get\
381
(session._c_object) \
382
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
383
# ...do the normal thing
384
return session.peer_certificate
385
list_size = ctypes.c_uint()
386
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
387
(session._c_object, ctypes.byref(list_size))
388
if list_size.value == 0:
389
return None
390
cert = cert_list[0]
391
return ctypes.string_at(cert.data, cert.size)
392
393
394
def fingerprint(openpgp):
395
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
396
# New GnuTLS "datum" with the OpenPGP public key
397
datum = gnutls.library.types.gnutls_datum_t\
398
(ctypes.cast(ctypes.c_char_p(openpgp),
399
ctypes.POINTER(ctypes.c_ubyte)),
400
ctypes.c_uint(len(openpgp)))
401
# New empty GnuTLS certificate
402
crt = gnutls.library.types.gnutls_openpgp_crt_t()
403
gnutls.library.functions.gnutls_openpgp_crt_init\
404
(ctypes.byref(crt))
405
# Import the OpenPGP public key into the certificate
406
gnutls.library.functions.gnutls_openpgp_crt_import\
407
(crt, ctypes.byref(datum),
408
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
409
# New buffer for the fingerprint
410
buffer = ctypes.create_string_buffer(20)
411
buffer_length = ctypes.c_size_t()
412
# Get the fingerprint from the certificate into the buffer
413
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
414
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
415
# Deinit the certificate
416
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
417
# Convert the buffer to a Python bytestring
418
fpr = ctypes.string_at(buffer, buffer_length.value)
419
# Convert the bytestring to hexadecimal notation
420
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
421
return hex_fpr
422
423
424
class tcp_handler(SocketServer.BaseRequestHandler, object):
425
"""A TCP request handler class.
426
Instantiated by IPv6_TCPServer for each request to handle it.
1115
427
Note: This will run in its own forked process."""
1116
428
1117
429
def handle(self):
1118
with contextlib.closing(self.server.child_pipe) as child_pipe:
1119
logger.info(u"TCP connection from: %s",
1120
unicode(self.client_address))
1121
logger.debug(u"Pipe FD: %d",
1122
self.server.child_pipe.fileno())
1123
1124
session = (gnutls.connection
1125
.ClientSession(self.request,
1126
gnutls.connection
1127
.X509Credentials()))
1128
1129
# Note: gnutls.connection.X509Credentials is really a
1130
# generic GnuTLS certificate credentials object so long as
1131
# no X.509 keys are added to it. Therefore, we can use it
1132
# here despite using OpenPGP certificates.
1133
1134
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1135
# u"+AES-256-CBC", u"+SHA1",
1136
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1137
# u"+DHE-DSS"))
1138
# Use a fallback default, since this MUST be set.
1139
priority = self.server.gnutls_priority
1140
if priority is None:
1141
priority = u"NORMAL"
1142
(gnutls.library.functions
1143
.gnutls_priority_set_direct(session._c_object,
1144
priority, None))
1145
1146
# Start communication using the Mandos protocol
1147
# Get protocol number
1148
line = self.request.makefile().readline()
1149
logger.debug(u"Protocol version: %r", line)
1150
try:
1151
if int(line.strip().split()[0]) > 1:
1152
raise RuntimeError
1153
except (ValueError, IndexError, RuntimeError), error:
1154
logger.error(u"Unknown protocol version: %s", error)
1155
return
1156
1157
# Start GnuTLS connection
1158
try:
1159
session.handshake()
1160
except gnutls.errors.GNUTLSError, error:
1161
logger.warning(u"Handshake failed: %s", error)
1162
# Do not run session.bye() here: the session is not
1163
# established. Just abandon the request.
1164
return
1165
logger.debug(u"Handshake succeeded")
1166
1167
approval_required = False
1168
try:
1169
try:
1170
fpr = self.fingerprint(self.peer_certificate
1171
(session))
1172
except (TypeError, gnutls.errors.GNUTLSError), error:
1173
logger.warning(u"Bad certificate: %s", error)
1174
return
1175
logger.debug(u"Fingerprint: %s", fpr)
1176
1177
try:
1178
client = ProxyClient(child_pipe, fpr,
1179
self.client_address)
1180
except KeyError:
1181
return
1182
1183
if client.approved_delay:
1184
delay = client.approved_delay
1185
client.approvals_pending += 1
1186
approval_required = True
1187
1188
while True:
1189
if not client.enabled:
1190
logger.warning(u"Client %s is disabled",
1191
client.name)
1192
if self.server.use_dbus:
1193
# Emit D-Bus signal
1194
client.Rejected("Disabled")
1195
return
1196
1197
if client._approved or not client.approved_delay:
1198
#We are approved or approval is disabled
1199
break
1200
elif client._approved is None:
1201
logger.info(u"Client %s need approval",
1202
client.name)
1203
if self.server.use_dbus:
1204
# Emit D-Bus signal
1205
client.NeedApproval(
1206
client.approved_delay_milliseconds(),
1207
client.approved_by_default)
1208
else:
1209
logger.warning(u"Client %s was not approved",
1210
client.name)
1211
if self.server.use_dbus:
1212
# Emit D-Bus signal
1213
client.Rejected("Disapproved")
1214
return
1215
1216
#wait until timeout or approved
1217
#x = float(client._timedelta_to_milliseconds(delay))
1218
time = datetime.datetime.now()
1219
client.changedstate.acquire()
1220
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1221
client.changedstate.release()
1222
time2 = datetime.datetime.now()
1223
if (time2 - time) >= delay:
1224
if not client.approved_by_default:
1225
logger.warning("Client %s timed out while"
1226
" waiting for approval",
1227
client.name)
1228
if self.server.use_dbus:
1229
# Emit D-Bus signal
1230
client.Rejected("Time out")
1231
return
1232
else:
1233
break
1234
else:
1235
delay -= time2 - time
1236
1237
sent_size = 0
1238
while sent_size < len(client.secret):
1239
try:
1240
sent = session.send(client.secret[sent_size:])
1241
except (gnutls.errors.GNUTLSError), error:
1242
logger.warning("gnutls send failed")
1243
return
1244
logger.debug(u"Sent: %d, remaining: %d",
1245
sent, len(client.secret)
1246
- (sent_size + sent))
1247
sent_size += sent
1248
1249
logger.info(u"Sending secret to %s", client.name)
1250
# bump the timeout as if seen
1251
client.checked_ok()
1252
if self.server.use_dbus:
1253
# Emit D-Bus signal
1254
client.GotSecret()
1255
1256
finally:
1257
if approval_required:
1258
client.approvals_pending -= 1
1259
try:
1260
session.bye()
1261
except (gnutls.errors.GNUTLSError), error:
1262
logger.warning("gnutls bye failed")
1263
1264
@staticmethod
1265
def peer_certificate(session):
1266
"Return the peer's OpenPGP certificate as a bytestring"
1267
# If not an OpenPGP certificate...
1268
if (gnutls.library.functions
1269
.gnutls_certificate_type_get(session._c_object)
1270
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1271
# ...do the normal thing
1272
return session.peer_certificate
1273
list_size = ctypes.c_uint(1)
1274
cert_list = (gnutls.library.functions
1275
.gnutls_certificate_get_peers
1276
(session._c_object, ctypes.byref(list_size)))
1277
if not bool(cert_list) and list_size.value != 0:
1278
raise gnutls.errors.GNUTLSError(u"error getting peer"
1279
u" certificate")
1280
if list_size.value == 0:
1281
return None
1282
cert = cert_list[0]
1283
return ctypes.string_at(cert.data, cert.size)
1284
1285
@staticmethod
1286
def fingerprint(openpgp):
1287
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1288
# New GnuTLS "datum" with the OpenPGP public key
1289
datum = (gnutls.library.types
1290
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1291
ctypes.POINTER
1292
(ctypes.c_ubyte)),
1293
ctypes.c_uint(len(openpgp))))
1294
# New empty GnuTLS certificate
1295
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1296
(gnutls.library.functions
1297
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1298
# Import the OpenPGP public key into the certificate
1299
(gnutls.library.functions
1300
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1301
gnutls.library.constants
1302
.GNUTLS_OPENPGP_FMT_RAW))
1303
# Verify the self signature in the key
1304
crtverify = ctypes.c_uint()
1305
(gnutls.library.functions
1306
.gnutls_openpgp_crt_verify_self(crt, 0,
1307
ctypes.byref(crtverify)))
1308
if crtverify.value != 0:
1309
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1310
raise (gnutls.errors.CertificateSecurityError
1311
(u"Verify failed"))
1312
# New buffer for the fingerprint
1313
buf = ctypes.create_string_buffer(20)
1314
buf_len = ctypes.c_size_t()
1315
# Get the fingerprint from the certificate into the buffer
1316
(gnutls.library.functions
1317
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1318
ctypes.byref(buf_len)))
1319
# Deinit the certificate
1320
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1321
# Convert the buffer to a Python bytestring
1322
fpr = ctypes.string_at(buf, buf_len.value)
1323
# Convert the bytestring to hexadecimal notation
1324
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1325
return hex_fpr
1326
1327
1328
class MultiprocessingMixIn(object):
1329
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1330
def sub_process_main(self, request, address):
1331
try:
1332
self.finish_request(request, address)
1333
except:
1334
self.handle_error(request, address)
1335
self.close_request(request)
1336
1337
def process_request(self, request, address):
1338
"""Start a new process to process the request."""
1339
multiprocessing.Process(target = self.sub_process_main,
1340
args = (request, address)).start()
1341
1342
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1343
""" adds a pipe to the MixIn """
1344
def process_request(self, request, client_address):
1345
"""Overrides and wraps the original process_request().
1346
1347
This function creates a new pipe in self.pipe
1348
"""
1349
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1350
1351
super(MultiprocessingMixInWithPipe,
1352
self).process_request(request, client_address)
1353
self.child_pipe.close()
1354
self.add_pipe(parent_pipe)
1355
1356
def add_pipe(self, parent_pipe):
1357
"""Dummy function; override as necessary"""
1358
pass
1359
1360
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1361
socketserver.TCPServer, object):
1362
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1363
430
logger.info(u"TCP connection from: %s",
431
unicode(self.client_address))
432
session = gnutls.connection.ClientSession\
433
(self.request, gnutls.connection.X509Credentials())
434
435
line = self.request.makefile().readline()
436
logger.debug(u"Protocol version: %r", line)
437
try:
438
if int(line.strip().split()[0]) > 1:
439
raise RuntimeError
440
except (ValueError, IndexError, RuntimeError), error:
441
logger.error(u"Unknown protocol version: %s", error)
442
return
443
444
# Note: gnutls.connection.X509Credentials is really a generic
445
# GnuTLS certificate credentials object so long as no X.509
446
# keys are added to it. Therefore, we can use it here despite
447
# using OpenPGP certificates.
448
449
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
450
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
451
# "+DHE-DSS"))
452
priority = "NORMAL" # Fallback default, since this
453
# MUST be set.
454
if self.server.settings["priority"]:
455
priority = self.server.settings["priority"]
456
gnutls.library.functions.gnutls_priority_set_direct\
457
(session._c_object, priority, None);
458
459
try:
460
session.handshake()
461
except gnutls.errors.GNUTLSError, error:
462
logger.warning(u"Handshake failed: %s", error)
463
# Do not run session.bye() here: the session is not
464
# established. Just abandon the request.
465
return
466
try:
467
fpr = fingerprint(peer_certificate(session))
468
except (TypeError, gnutls.errors.GNUTLSError), error:
469
logger.warning(u"Bad certificate: %s", error)
470
session.bye()
471
return
472
logger.debug(u"Fingerprint: %s", fpr)
473
client = None
474
for c in self.server.clients:
475
if c.fingerprint == fpr:
476
client = c
477
break
478
if not client:
479
logger.warning(u"Client not found for fingerprint: %s",
480
fpr)
481
session.bye()
482
return
483
# Have to check if client.still_valid(), since it is possible
484
# that the client timed out while establishing the GnuTLS
485
# session.
486
if not client.still_valid():
487
logger.warning(u"Client %(name)s is invalid",
488
vars(client))
489
session.bye()
490
return
491
sent_size = 0
492
while sent_size < len(client.secret):
493
sent = session.send(client.secret[sent_size:])
494
logger.debug(u"Sent: %d, remaining: %d",
495
sent, len(client.secret)
496
- (sent_size + sent))
497
sent_size += sent
498
session.bye()
499
500
501
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
502
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1364
503
Attributes:
1365
enabled: Boolean; whether this server is activated yet
1366
interface: None or a network interface name (string)
1367
use_ipv6: Boolean; to use IPv6 or not
504
settings: Server settings
505
clients: Set() of Client objects
1368
506
"""
1369
def __init__(self, server_address, RequestHandlerClass,
1370
interface=None, use_ipv6=True):
1371
self.interface = interface
1372
if use_ipv6:
1373
self.address_family = socket.AF_INET6
1374
socketserver.TCPServer.__init__(self, server_address,
1375
RequestHandlerClass)
507
address_family = socket.AF_INET6
508
def __init__(self, *args, **kwargs):
509
if "settings" in kwargs:
510
self.settings = kwargs["settings"]
511
del kwargs["settings"]
512
if "clients" in kwargs:
513
self.clients = kwargs["clients"]
514
del kwargs["clients"]
515
return super(type(self), self).__init__(*args, **kwargs)
1376
516
def server_bind(self):
1377
517
"""This overrides the normal server_bind() function
1378
518
to bind to an interface if one was specified, and also NOT to
1379
519
bind to an address or port if they were not specified."""
1380
if self.interface is not None:
1381
if SO_BINDTODEVICE is None:
1382
logger.error(u"SO_BINDTODEVICE does not exist;"
1383
u" cannot bind to interface %s",
1384
self.interface)
1385
else:
1386
try:
1387
self.socket.setsockopt(socket.SOL_SOCKET,
1388
SO_BINDTODEVICE,
1389
str(self.interface
1390
+ u'\0'))
1391
except socket.error, error:
1392
if error[0] == errno.EPERM:
1393
logger.error(u"No permission to"
1394
u" bind to interface %s",
1395
self.interface)
1396
elif error[0] == errno.ENOPROTOOPT:
1397
logger.error(u"SO_BINDTODEVICE not available;"
1398
u" cannot bind to interface %s",
1399
self.interface)
1400
else:
1401
raise
520
if self.settings["interface"]:
521
# 25 is from /usr/include/asm-i486/socket.h
522
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
523
try:
524
self.socket.setsockopt(socket.SOL_SOCKET,
525
SO_BINDTODEVICE,
526
self.settings["interface"])
527
except socket.error, error:
528
if error[0] == errno.EPERM:
529
logger.error(u"No permission to"
530
u" bind to interface %s",
531
self.settings["interface"])
532
else:
533
raise error
1402
534
# Only bind(2) the socket if we really need to.
1403
535
if self.server_address[0] or self.server_address[1]:
1404
536
if not self.server_address[0]:
1405
if self.address_family == socket.AF_INET6:
1406
any_address = u"::" # in6addr_any
1407
else:
1408
any_address = socket.INADDR_ANY
1409
self.server_address = (any_address,
537
in6addr_any = "::"
538
self.server_address = (in6addr_any,
1410
539
self.server_address[1])
1411
540
elif not self.server_address[1]:
1412
541
self.server_address = (self.server_address[0],
1413
542
0)
1414
# if self.interface:
543
# if self.settings["interface"]:
1415
544
# self.server_address = (self.server_address[0],
1416
545
# 0, # port
1417
546
# 0, # flowinfo
1418
547
# if_nametoindex
1419
# (self.interface))
1420
return socketserver.TCPServer.server_bind(self)
1421
1422
1423
class MandosServer(IPv6_TCPServer):
1424
"""Mandos server.
1425
1426
Attributes:
1427
clients: set of Client objects
1428
gnutls_priority GnuTLS priority string
1429
use_dbus: Boolean; to emit D-Bus signals or not
1430
1431
Assumes a gobject.MainLoop event loop.
1432
"""
1433
def __init__(self, server_address, RequestHandlerClass,
1434
interface=None, use_ipv6=True, clients=None,
1435
gnutls_priority=None, use_dbus=True):
1436
self.enabled = False
1437
self.clients = clients
1438
if self.clients is None:
1439
self.clients = set()
1440
self.use_dbus = use_dbus
1441
self.gnutls_priority = gnutls_priority
1442
IPv6_TCPServer.__init__(self, server_address,
1443
RequestHandlerClass,
1444
interface = interface,
1445
use_ipv6 = use_ipv6)
1446
def server_activate(self):
1447
if self.enabled:
1448
return socketserver.TCPServer.server_activate(self)
1449
def enable(self):
1450
self.enabled = True
1451
def add_pipe(self, parent_pipe):
1452
# Call "handle_ipc" for both data and EOF events
1453
gobject.io_add_watch(parent_pipe.fileno(),
1454
gobject.IO_IN | gobject.IO_HUP,
1455
functools.partial(self.handle_ipc,
1456
parent_pipe = parent_pipe))
1457
1458
def handle_ipc(self, source, condition, parent_pipe=None,
1459
client_object=None):
1460
condition_names = {
1461
gobject.IO_IN: u"IN", # There is data to read.
1462
gobject.IO_OUT: u"OUT", # Data can be written (without
1463
# blocking).
1464
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1465
gobject.IO_ERR: u"ERR", # Error condition.
1466
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1467
# broken, usually for pipes and
1468
# sockets).
1469
}
1470
conditions_string = ' | '.join(name
1471
for cond, name in
1472
condition_names.iteritems()
1473
if cond & condition)
1474
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1475
conditions_string)
1476
1477
# error or the other end of multiprocessing.Pipe has closed
1478
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1479
return False
1480
1481
# Read a request from the child
1482
request = parent_pipe.recv()
1483
logger.debug(u"IPC request: %s", repr(request))
1484
command = request[0]
1485
1486
if command == 'init':
1487
fpr = request[1]
1488
address = request[2]
1489
1490
for c in self.clients:
1491
if c.fingerprint == fpr:
1492
client = c
1493
break
1494
else:
1495
logger.warning(u"Client not found for fingerprint: %s, ad"
1496
u"dress: %s", fpr, address)
1497
if self.use_dbus:
1498
# Emit D-Bus signal
1499
mandos_dbus_service.ClientNotFound(fpr, address)
1500
parent_pipe.send(False)
1501
return False
1502
1503
gobject.io_add_watch(parent_pipe.fileno(),
1504
gobject.IO_IN | gobject.IO_HUP,
1505
functools.partial(self.handle_ipc,
1506
parent_pipe = parent_pipe,
1507
client_object = client))
1508
parent_pipe.send(True)
1509
# remove the old hook in favor of the new above hook on same fileno
1510
return False
1511
if command == 'funcall':
1512
funcname = request[1]
1513
args = request[2]
1514
kwargs = request[3]
1515
1516
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1517
1518
if command == 'getattr':
1519
attrname = request[1]
1520
if callable(client_object.__getattribute__(attrname)):
1521
parent_pipe.send(('function',))
1522
else:
1523
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1524
1525
if command == 'setattr':
1526
attrname = request[1]
1527
value = request[2]
1528
setattr(client_object, attrname, value)
1529
1530
return True
548
# (self.settings
549
# ["interface"]))
550
return super(type(self), self).server_bind()
1531
551
1532
552
1533
553
def string_to_delta(interval):
1534
554
"""Parse a string and return a datetime.timedelta
1535
1536
>>> string_to_delta(u'7d')
555
556
>>> string_to_delta('7d')
1537
557
datetime.timedelta(7)
1538
>>> string_to_delta(u'60s')
558
>>> string_to_delta('60s')
1539
559
datetime.timedelta(0, 60)
1540
>>> string_to_delta(u'60m')
560
>>> string_to_delta('60m')
1541
561
datetime.timedelta(0, 3600)
1542
>>> string_to_delta(u'24h')
562
>>> string_to_delta('24h')
1543
563
datetime.timedelta(1)
1544
564
>>> string_to_delta(u'1w')
1545
565
datetime.timedelta(7)
1546
>>> string_to_delta(u'5m 30s')
1547
datetime.timedelta(0, 330)
1548
566
"""
1549
timevalue = datetime.timedelta(0)
1550
for s in interval.split():
1551
try:
1552
suffix = unicode(s[-1])
1553
value = int(s[:-1])
1554
if suffix == u"d":
1555
delta = datetime.timedelta(value)
1556
elif suffix == u"s":
1557
delta = datetime.timedelta(0, value)
1558
elif suffix == u"m":
1559
delta = datetime.timedelta(0, 0, 0, 0, value)
1560
elif suffix == u"h":
1561
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1562
elif suffix == u"w":
1563
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1564
else:
1565
raise ValueError(u"Unknown suffix %r" % suffix)
1566
except (ValueError, IndexError), e:
1567
raise ValueError(e.message)
1568
timevalue += delta
1569
return timevalue
1570
567
try:
568
suffix=unicode(interval[-1])
569
value=int(interval[:-1])
570
if suffix == u"d":
571
delta = datetime.timedelta(value)
572
elif suffix == u"s":
573
delta = datetime.timedelta(0, value)
574
elif suffix == u"m":
575
delta = datetime.timedelta(0, 0, 0, 0, value)
576
elif suffix == u"h":
577
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
578
elif suffix == u"w":
579
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
580
else:
581
raise ValueError
582
except (ValueError, IndexError):
583
raise ValueError
584
return delta
585
586
587
def server_state_changed(state):
588
"""Derived from the Avahi example code"""
589
if state == avahi.SERVER_COLLISION:
590
logger.error(u"Server name collision")
591
service.remove()
592
elif state == avahi.SERVER_RUNNING:
593
service.add()
594
595
596
def entry_group_state_changed(state, error):
597
"""Derived from the Avahi example code"""
598
logger.debug(u"state change: %i", state)
599
600
if state == avahi.ENTRY_GROUP_ESTABLISHED:
601
logger.debug(u"Service established.")
602
elif state == avahi.ENTRY_GROUP_COLLISION:
603
logger.warning(u"Service name collision.")
604
service.rename()
605
elif state == avahi.ENTRY_GROUP_FAILURE:
606
logger.critical(u"Error in group state changed %s",
607
unicode(error))
608
raise AvahiGroupError("State changed: %s", str(error))
1571
609
1572
610
def if_nametoindex(interface):
1573
"""Call the C function if_nametoindex(), or equivalent
1574
1575
Note: This function cannot accept a unicode string."""
611
"""Call the C function if_nametoindex(), or equivalent"""
1576
612
global if_nametoindex
1577
613
try:
1578
if_nametoindex = (ctypes.cdll.LoadLibrary
1579
(ctypes.util.find_library(u"c"))
1580
.if_nametoindex)
614
if "ctypes.util" not in sys.modules:
615
import ctypes.util
616
if_nametoindex = ctypes.cdll.LoadLibrary\
617
(ctypes.util.find_library("c")).if_nametoindex
1581
618
except (OSError, AttributeError):
1582
logger.warning(u"Doing if_nametoindex the hard way")
619
if "struct" not in sys.modules:
620
import struct
621
if "fcntl" not in sys.modules:
622
import fcntl
1583
623
def if_nametoindex(interface):
1584
624
"Get an interface index the hard way, i.e. using fcntl()"
1585
625
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1586
with contextlib.closing(socket.socket()) as s:
1587
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1588
struct.pack(str(u"16s16x"),
1589
interface))
1590
interface_index = struct.unpack(str(u"I"),
1591
ifreq[16:20])[0]
626
s = socket.socket()
627
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
628
struct.pack("16s16x", interface))
629
s.close()
630
interface_index = struct.unpack("I", ifreq[16:20])[0]
1592
631
return interface_index
1593
632
return if_nametoindex(interface)
1594
633
1595
634
1596
635
def daemon(nochdir = False, noclose = False):
1597
636
"""See daemon(3). Standard BSD Unix function.
1598
1599
637
This should really exist as os.daemon, but it doesn't (yet)."""
1600
638
if os.fork():
1601
639
sys.exit()
1602
640
os.setsid()
1603
641
if not nochdir:
1604
os.chdir(u"/")
642
os.chdir("/")
1605
643
if os.fork():
1606
644
sys.exit()
1607
645
if not noclose:
1609
647
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1610
648
if not stat.S_ISCHR(os.fstat(null).st_mode):
1611
649
raise OSError(errno.ENODEV,
1612
u"%s not a character device"
1613
% os.path.devnull)
650
"/dev/null not a character device")
1614
651
os.dup2(null, sys.stdin.fileno())
1615
652
os.dup2(null, sys.stdout.fileno())
1616
653
os.dup2(null, sys.stderr.fileno())
1619
656
1620
657
1621
658
def main():
1622
1623
##################################################################
1624
# Parsing of options, both command line and config file
1625
1626
parser = optparse.OptionParser(version = "%%prog %s" % version)
1627
parser.add_option("-i", u"--interface", type=u"string",
1628
metavar="IF", help=u"Bind to interface IF")
1629
parser.add_option("-a", u"--address", type=u"string",
1630
help=u"Address to listen for requests on")
1631
parser.add_option("-p", u"--port", type=u"int",
1632
help=u"Port number to receive requests on")
1633
parser.add_option("--check", action=u"store_true",
1634
help=u"Run self-test")
1635
parser.add_option("--debug", action=u"store_true",
1636
help=u"Debug mode; run in foreground and log to"
1637
u" terminal")
1638
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1639
help=u"Debug level for stdout output")
1640
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1641
u" priority string (see GnuTLS documentation)")
1642
parser.add_option("--servicename", type=u"string",
1643
metavar=u"NAME", help=u"Zeroconf service name")
1644
parser.add_option("--configdir", type=u"string",
1645
default=u"/etc/mandos", metavar=u"DIR",
1646
help=u"Directory to search for configuration"
1647
u" files")
1648
parser.add_option("--no-dbus", action=u"store_false",
1649
dest=u"use_dbus", help=u"Do not provide D-Bus"
1650
u" system bus interface")
1651
parser.add_option("--no-ipv6", action=u"store_false",
1652
dest=u"use_ipv6", help=u"Do not use IPv6")
1653
options = parser.parse_args()[0]
659
global main_loop_started
660
main_loop_started = False
661
662
parser = OptionParser(version = "%%prog %s" % version)
663
parser.add_option("-i", "--interface", type="string",
664
metavar="IF", help="Bind to interface IF")
665
parser.add_option("-a", "--address", type="string",
666
help="Address to listen for requests on")
667
parser.add_option("-p", "--port", type="int",
668
help="Port number to receive requests on")
669
parser.add_option("--check", action="store_true", default=False,
670
help="Run self-test")
671
parser.add_option("--debug", action="store_true",
672
help="Debug mode; run in foreground and log to"
673
" terminal")
674
parser.add_option("--priority", type="string", help="GnuTLS"
675
" priority string (see GnuTLS documentation)")
676
parser.add_option("--servicename", type="string", metavar="NAME",
677
help="Zeroconf service name")
678
parser.add_option("--configdir", type="string",
679
default="/etc/mandos", metavar="DIR",
680
help="Directory to search for configuration"
681
" files")
682
(options, args) = parser.parse_args()
1654
683
1655
684
if options.check:
1656
685
import doctest
1658
687
sys.exit()
1659
688
1660
689
# Default values for config file for server-global settings
1661
server_defaults = { u"interface": u"",
1662
u"address": u"",
1663
u"port": u"",
1664
u"debug": u"False",
1665
u"priority":
1666
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1667
u"servicename": u"Mandos",
1668
u"use_dbus": u"True",
1669
u"use_ipv6": u"True",
1670
u"debuglevel": u"",
690
server_defaults = { "interface": "",
691
"address": "",
692
"port": "",
693
"debug": "False",
694
"priority":
695
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
696
"servicename": "Mandos",
1671
697
}
1672
698
1673
699
# Parse config file for server-global settings
1674
server_config = configparser.SafeConfigParser(server_defaults)
700
server_config = ConfigParser.SafeConfigParser(server_defaults)
1675
701
del server_defaults
1676
server_config.read(os.path.join(options.configdir,
1677
u"mandos.conf"))
702
server_config.read(os.path.join(options.configdir, "mandos.conf"))
703
server_section = "server"
1678
704
# Convert the SafeConfigParser object to a dict
1679
server_settings = server_config.defaults()
1680
# Use the appropriate methods on the non-string config options
1681
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1682
server_settings[option] = server_config.getboolean(u"DEFAULT",
1683
option)
1684
if server_settings["port"]:
1685
server_settings["port"] = server_config.getint(u"DEFAULT",
1686
u"port")
705
server_settings = dict(server_config.items(server_section))
706
# Use getboolean on the boolean config option
707
server_settings["debug"] = server_config.getboolean\
708
(server_section, "debug")
1687
709
del server_config
1688
710
1689
711
# Override the settings from the config file with command line
1690
712
# options, if set.
1691
for option in (u"interface", u"address", u"port", u"debug",
1692
u"priority", u"servicename", u"configdir",
1693
u"use_dbus", u"use_ipv6", u"debuglevel"):
713
for option in ("interface", "address", "port", "debug",
714
"priority", "servicename", "configdir"):
1694
715
value = getattr(options, option)
1695
716
if value is not None:
1696
717
server_settings[option] = value
1697
718
del options
1698
# Force all strings to be unicode
1699
for option in server_settings.keys():
1700
if type(server_settings[option]) is str:
1701
server_settings[option] = unicode(server_settings[option])
1702
719
# Now we have our good server settings in "server_settings"
1703
720
1704
##################################################################
1705
1706
# For convenience
1707
debug = server_settings[u"debug"]
1708
debuglevel = server_settings[u"debuglevel"]
1709
use_dbus = server_settings[u"use_dbus"]
1710
use_ipv6 = server_settings[u"use_ipv6"]
1711
1712
if server_settings[u"servicename"] != u"Mandos":
1713
syslogger.setFormatter(logging.Formatter
1714
(u'Mandos (%s) [%%(process)d]:'
1715
u' %%(levelname)s: %%(message)s'
1716
% server_settings[u"servicename"]))
1717
1718
# Parse config file with clients
1719
client_defaults = { u"timeout": u"1h",
1720
u"interval": u"5m",
1721
u"checker": u"fping -q -- %%(host)s",
1722
u"host": u"",
1723
u"approved_delay": u"0s",
1724
u"approved_duration": u"1s",
1725
}
1726
client_config = configparser.SafeConfigParser(client_defaults)
1727
client_config.read(os.path.join(server_settings[u"configdir"],
1728
u"clients.conf"))
1729
1730
global mandos_dbus_service
1731
mandos_dbus_service = None
1732
1733
tcp_server = MandosServer((server_settings[u"address"],
1734
server_settings[u"port"]),
1735
ClientHandler,
1736
interface=(server_settings[u"interface"]
1737
or None),
1738
use_ipv6=use_ipv6,
1739
gnutls_priority=
1740
server_settings[u"priority"],
1741
use_dbus=use_dbus)
1742
pidfilename = u"/var/run/mandos.pid"
1743
try:
1744
pidfile = open(pidfilename, u"w")
1745
except IOError:
1746
logger.error(u"Could not open file %r", pidfilename)
1747
1748
try:
1749
uid = pwd.getpwnam(u"_mandos").pw_uid
1750
gid = pwd.getpwnam(u"_mandos").pw_gid
1751
except KeyError:
1752
try:
1753
uid = pwd.getpwnam(u"mandos").pw_uid
1754
gid = pwd.getpwnam(u"mandos").pw_gid
1755
except KeyError:
1756
try:
1757
uid = pwd.getpwnam(u"nobody").pw_uid
1758
gid = pwd.getpwnam(u"nobody").pw_gid
1759
except KeyError:
1760
uid = 65534
1761
gid = 65534
1762
try:
1763
os.setgid(gid)
1764
os.setuid(uid)
1765
except OSError, error:
1766
if error[0] != errno.EPERM:
1767
raise error
1768
1769
# Enable all possible GnuTLS debugging
1770
1771
1772
if not debug and not debuglevel:
721
debug = server_settings["debug"]
722
723
if not debug:
1773
724
syslogger.setLevel(logging.WARNING)
1774
725
console.setLevel(logging.WARNING)
1775
if debuglevel:
1776
level = getattr(logging, debuglevel.upper())
1777
syslogger.setLevel(level)
1778
console.setLevel(level)
1779
1780
if debug:
1781
# "Use a log level over 10 to enable all debugging options."
1782
# - GnuTLS manual
1783
gnutls.library.functions.gnutls_global_set_log_level(11)
1784
1785
@gnutls.library.types.gnutls_log_func
1786
def debug_gnutls(level, string):
1787
logger.debug(u"GnuTLS: %s", string[:-1])
1788
1789
(gnutls.library.functions
1790
.gnutls_global_set_log_function(debug_gnutls))
1791
1792
# Redirect stdin so all checkers get /dev/null
1793
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1794
os.dup2(null, sys.stdin.fileno())
1795
if null > 2:
1796
os.close(null)
1797
else:
1798
# No console logging
1799
logger.removeHandler(console)
1800
726
727
if server_settings["servicename"] != "Mandos":
728
syslogger.setFormatter(logging.Formatter\
729
('Mandos (%s): %%(levelname)s:'
730
' %%(message)s'
731
% server_settings["servicename"]))
732
733
# Parse config file with clients
734
client_defaults = { "timeout": "1h",
735
"interval": "5m",
736
"checker": "fping -q -- %%(host)s",
737
}
738
client_config = ConfigParser.SafeConfigParser(client_defaults)
739
client_config.read(os.path.join(server_settings["configdir"],
740
"clients.conf"))
741
742
global service
743
service = AvahiService(name = server_settings["servicename"],
744
type = "_mandos._tcp", );
745
if server_settings["interface"]:
746
service.interface = if_nametoindex(server_settings["interface"])
1801
747
1802
748
global main_loop
749
global bus
750
global server
1803
751
# From the Avahi example code
1804
752
DBusGMainLoop(set_as_default=True )
1805
753
main_loop = gobject.MainLoop()
1806
754
bus = dbus.SystemBus()
755
server = dbus.Interface(
756
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
757
avahi.DBUS_INTERFACE_SERVER )
1807
758
# End of Avahi example code
1808
if use_dbus:
1809
try:
1810
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1811
bus, do_not_queue=True)
1812
except dbus.exceptions.NameExistsException, e:
1813
logger.error(unicode(e) + u", disabling D-Bus")
1814
use_dbus = False
1815
server_settings[u"use_dbus"] = False
1816
tcp_server.use_dbus = False
1817
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1818
service = AvahiService(name = server_settings[u"servicename"],
1819
servicetype = u"_mandos._tcp",
1820
protocol = protocol, bus = bus)
1821
if server_settings["interface"]:
1822
service.interface = (if_nametoindex
1823
(str(server_settings[u"interface"])))
1824
759
760
clients = Set()
761
def remove_from_clients(client):
762
clients.remove(client)
763
if not clients:
764
logger.critical(u"No clients left, exiting")
765
sys.exit()
766
767
clients.update(Set(Client(name = section,
768
stop_hook = remove_from_clients,
769
config
770
= dict(client_config.items(section)))
771
for section in client_config.sections()))
772
if not clients:
773
logger.critical(u"No clients defined")
774
sys.exit(1)
775
1825
776
if not debug:
1826
# Close all input and output, do double fork, etc.
777
logger.removeHandler(console)
1827
778
daemon()
1828
1829
global multiprocessing_manager
1830
multiprocessing_manager = multiprocessing.Manager()
1831
1832
client_class = Client
1833
if use_dbus:
1834
client_class = functools.partial(ClientDBus, bus = bus)
1835
def client_config_items(config, section):
1836
special_settings = {
1837
"approved_by_default":
1838
lambda: config.getboolean(section,
1839
"approved_by_default"),
1840
}
1841
for name, value in config.items(section):
1842
try:
1843
yield (name, special_settings[name]())
1844
except KeyError:
1845
yield (name, value)
1846
1847
tcp_server.clients.update(set(
1848
client_class(name = section,
1849
config= dict(client_config_items(
1850
client_config, section)))
1851
for section in client_config.sections()))
1852
if not tcp_server.clients:
1853
logger.warning(u"No clients defined")
1854
779
780
pidfilename = "/var/run/mandos/mandos.pid"
781
pid = os.getpid()
1855
782
try:
1856
with pidfile:
1857
pid = os.getpid()
1858
pidfile.write(str(pid) + "\n")
783
pidfile = open(pidfilename, "w")
784
pidfile.write(str(pid) + "\n")
785
pidfile.close()
1859
786
del pidfile
1860
except IOError:
1861
logger.error(u"Could not write to file %r with PID %d",
1862
pidfilename, pid)
1863
except NameError:
1864
# "pidfile" was never created
1865
pass
1866
del pidfilename
787
except IOError, err:
788
logger.error(u"Could not write %s file with PID %d",
789
pidfilename, os.getpid())
790
791
def cleanup():
792
"Cleanup function; run on exit"
793
global group
794
# From the Avahi example code
795
if not group is None:
796
group.Free()
797
group = None
798
# End of Avahi example code
799
800
while clients:
801
client = clients.pop()
802
client.stop_hook = None
803
client.stop()
804
805
atexit.register(cleanup)
1867
806
1868
807
if not debug:
1869
808
signal.signal(signal.SIGINT, signal.SIG_IGN)
1870
809
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1871
810
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1872
811
1873
if use_dbus:
1874
class MandosDBusService(dbus.service.Object):
1875
"""A D-Bus proxy object"""
1876
def __init__(self):
1877
dbus.service.Object.__init__(self, bus, u"/")
1878
_interface = u"se.bsnet.fukt.Mandos"
1879
1880
@dbus.service.signal(_interface, signature=u"o")
1881
def ClientAdded(self, objpath):
1882
"D-Bus signal"
1883
pass
1884
1885
@dbus.service.signal(_interface, signature=u"ss")
1886
def ClientNotFound(self, fingerprint, address):
1887
"D-Bus signal"
1888
pass
1889
1890
@dbus.service.signal(_interface, signature=u"os")
1891
def ClientRemoved(self, objpath, name):
1892
"D-Bus signal"
1893
pass
1894
1895
@dbus.service.method(_interface, out_signature=u"ao")
1896
def GetAllClients(self):
1897
"D-Bus method"
1898
return dbus.Array(c.dbus_object_path
1899
for c in tcp_server.clients)
1900
1901
@dbus.service.method(_interface,
1902
out_signature=u"a{oa{sv}}")
1903
def GetAllClientsWithProperties(self):
1904
"D-Bus method"
1905
return dbus.Dictionary(
1906
((c.dbus_object_path, c.GetAll(u""))
1907
for c in tcp_server.clients),
1908
signature=u"oa{sv}")
1909
1910
@dbus.service.method(_interface, in_signature=u"o")
1911
def RemoveClient(self, object_path):
1912
"D-Bus method"
1913
for c in tcp_server.clients:
1914
if c.dbus_object_path == object_path:
1915
tcp_server.clients.remove(c)
1916
c.remove_from_connection()
1917
# Don't signal anything except ClientRemoved
1918
c.disable(quiet=True)
1919
# Emit D-Bus signal
1920
self.ClientRemoved(object_path, c.name)
1921
return
1922
raise KeyError(object_path)
1923
1924
del _interface
1925
1926
mandos_dbus_service = MandosDBusService()
1927
1928
def cleanup():
1929
"Cleanup function; run on exit"
1930
service.cleanup()
1931
1932
while tcp_server.clients:
1933
client = tcp_server.clients.pop()
1934
if use_dbus:
1935
client.remove_from_connection()
1936
client.disable_hook = None
1937
# Don't signal anything except ClientRemoved
1938
client.disable(quiet=True)
1939
if use_dbus:
1940
# Emit D-Bus signal
1941
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1942
client.name)
1943
1944
atexit.register(cleanup)
1945
1946
for client in tcp_server.clients:
1947
if use_dbus:
1948
# Emit D-Bus signal
1949
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1950
client.enable()
1951
1952
tcp_server.enable()
1953
tcp_server.server_activate()
1954
812
for client in clients:
813
client.start()
814
815
tcp_server = IPv6_TCPServer((server_settings["address"],
816
server_settings["port"]),
817
tcp_handler,
818
settings=server_settings,
819
clients=clients)
1955
820
# Find out what port we got
1956
821
service.port = tcp_server.socket.getsockname()[1]
1957
if use_ipv6:
1958
logger.info(u"Now listening on address %r, port %d,"
1959
" flowinfo %d, scope_id %d"
1960
% tcp_server.socket.getsockname())
1961
else: # IPv4
1962
logger.info(u"Now listening on address %r, port %d"
1963
% tcp_server.socket.getsockname())
822
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
823
u" scope_id %d" % tcp_server.socket.getsockname())
1964
824
1965
825
#service.interface = tcp_server.socket.getsockname()[3]
1966
826
1967
827
try:
1968
828
# From the Avahi example code
829
server.connect_to_signal("StateChanged", server_state_changed)
1969
830
try:
1970
service.activate()
831
server_state_changed(server.GetState())
1971
832
except dbus.exceptions.DBusException, error:
1972
833
logger.critical(u"DBusException: %s", error)
1973
cleanup()
1974
834
sys.exit(1)
1975
835
# End of Avahi example code
1976
836
1977
837
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1978
838
lambda *args, **kwargs:
1979
(tcp_server.handle_request
1980
(*args[2:], **kwargs) or True))
839
tcp_server.handle_request\
840
(*args[2:], **kwargs) or True)
1981
841
1982
842
logger.debug(u"Starting main loop")
843
main_loop_started = True
1983
844
main_loop.run()
1984
845
except AvahiError, error:
1985
logger.critical(u"AvahiError: %s", error)
1986
cleanup()
846
logger.critical(u"AvahiError: %s" + unicode(error))
1987
847
sys.exit(1)
1988
848
except KeyboardInterrupt:
1989
849
if debug:
1990
print >> sys.stderr
1991
logger.debug(u"Server received KeyboardInterrupt")
1992
logger.debug(u"Server exiting")
1993
# Must run before the D-Bus bus name gets deregistered
1994
cleanup()
850
print
1995
851
1996
852
if __name__ == '__main__':
1997
853
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0