/mandos/trunk : revision 977

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl

Committer: Teddy Hogeborn
Date: 2019-02-11 06:14:29 UTC
Revision ID: teddy@recompile.se-20190211061429-n6n5zk29iatshlb3

Fix Debian package dependencies

* debian/control (Build-Depends): Changed GnuTLS dependencies to
                                  "libgnutls30 (>= 3.3.0),
                                  libgnutls28-dev (>= 3.6.6) |
                                  libgnutls28-dev (<< 3.6.0)".  (We
                                  can't depend on the virtual package
                                  "gnutls-dev", since we need the
                                  version restrictions.)
  (Package: mandos/Depends): Remove dependency on libgnutls28-dev
                             package.
  (Package: mandos/Suggests): New; set to "libc6-dev,
                              c-compiler". (Used to find value of
                              "SO_BINDTODEVICE").
  (Package: mandos-client/Depends): Don't depend on openssl anymore;
                                    instead depend on either a
                                    gnutls-bin (>= 3.6.6) (in which
                                    case TLS key generation will
                                    work), or on libgnutls30 (<<
                                    3.6.0) (in which case TLS key
                                    generation will not be needed).

files added:
debian/mandos-client.templates

debian/mandos.templates

initramfs-tools-conf

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

files removed:
initramfs-tools-hook-conf

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-ctl

#!/usr/bin/python

# -*- mode: python; coding: utf-8 -*-

# Mandos Monitor - Control and monitor the Mandos server

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see

# <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

from __future__ import (division, absolute_import, print_function,

unicode_literals)

import re

import os

import collections

import doctest

import json

import dbus

"Interval": "Interval",

"Host": "Host",

"Fingerprint": "Fingerprint",

"KeyID": "Key ID",

"CheckerRunning": "Check Is Running",

"LastEnabled": "Last Enabled",

"ApprovalPending": "Approval Is Pending",

"ApprovalDelay": "Approval Delay",

"ApprovalDuration": "Approval Duration",

"Checker": "Checker",

"ExtendedTimeout": "Extended Timeout"

"ExtendedTimeout": "Extended Timeout",

"Expires": "Expires",

"LastCheckerStatus": "Last Checker Status",

}

defaultkeywords = ("Name", "Enabled", "Timeout", "LastCheckedOK")

domain = "se.recompile"

server_path = "/"

server_interface = domain + ".Mandos"

client_interface = domain + ".Mandos.Client"

version = "1.7.7"

version = "1.8.2"

try:

except AttributeError:

dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"

def milliseconds_to_string(ms):

td = datetime.timedelta(0, 0, 0, ms)

return ("{days}{hours:02}:{minutes:02}:{seconds:02}".format(

days = "{}T".format(td.days) if td.days else "",

hours = td.seconds // 3600,

minutes = (td.seconds % 3600) // 60,

seconds = td.seconds % 60))

return ("{days}{hours:02}:{minutes:02}:{seconds:02}"

.format(days="{}T".format(td.days) if td.days else "",

hours=td.seconds // 3600,

minutes=(td.seconds % 3600) // 60,

seconds=td.seconds % 60))

def rfc3339_duration_to_delta(duration):

"""Parse an RFC 3339 "duration" and return a datetime.timedelta

100

>>> rfc3339_duration_to_delta("P7D")

101

datetime.timedelta(7)

102

>>> rfc3339_duration_to_delta("PT60S")

107

112

>>> rfc3339_duration_to_delta("P1DT3M20S")

108

113

datetime.timedelta(1, 200)

109

114

"""

110

115

111

116

# Parsing an RFC 3339 duration with regular expressions is not

112

117

# possible - there would have to be multiple places for the same

113

118

# values, like seconds. The current code, while more esoteric, is

114

119

# cleaner without depending on a parsing library. If Python had a

115

120

# built-in library for parsing we would use it, but we'd like to

116

121

# avoid excessive use of external libraries.

117

122

118

123

# New type for defining tokens, syntax, and semantics all-in-one

119

124

Token = collections.namedtuple("Token", (

120

125

"regexp", # To match token; if "value" is not None, must have

153

158

frozenset((token_year, token_month,

154

159

token_day, token_time,

155

160

token_week)))

156

# Define starting values

157

value = datetime.timedelta() # Value so far

161

# Define starting values:

162

# Value so far

163

value = datetime.timedelta()

158

164

found_token = None

159

followers = frozenset((token_duration, )) # Following valid tokens

160

s = duration # String left to parse

165

# Following valid tokens

166

followers = frozenset((token_duration, ))

167

# String left to parse

168

s = duration

161

169

# Loop until end token is found

162

170

while found_token is not token_end:

163

171

# Search for any currently valid tokens

187

195

188

196

def string_to_delta(interval):

189

197

"""Parse a string and return a datetime.timedelta

190

198

191

199

>>> string_to_delta('7d')

192

200

datetime.timedelta(7)

193

201

>>> string_to_delta('60s')

201

209

>>> string_to_delta('5m 30s')

202

210

datetime.timedelta(0, 330)

203

211

"""

204

212

205

213

try:

206

214

return rfc3339_duration_to_delta(interval)

207

215

except ValueError:

208

216

pass

209

217

210

218

value = datetime.timedelta(0)

211

219

regexp = re.compile(r"(\d+)([dsmhw]?)")

212

220

213

221

for num, suffix in regexp.findall(interval):

214

222

if suffix == "d":

215

223

value += datetime.timedelta(int(num))

234

242

"ApprovalDuration", "ExtendedTimeout"):

235

243

return milliseconds_to_string(value)

236

244

return str(value)

237

245

238

246

# Create format string to print table rows

239

247

format_string = " ".join("{{{key}:{width}}}".format(

240

width = max(len(tablewords[key]),

241

max(len(valuetostring(client[key], key))

242

for client in clients)),

243

key = key)

248

width=max(len(tablewords[key]),

249

max(len(valuetostring(client[key], key))

250

for client in clients)),

251

key=key)

244

252

for key in keywords)

245

253

# Print header line

246

254

print(format_string.format(**tablewords))

247

255

for client in clients:

248

print(format_string.format(**{

249

key: valuetostring(client[key], key)

250

for key in keywords }))

256

print(format_string

257

.format(**{key: valuetostring(client[key], key)

258

for key in keywords}))

251

259

252

260

253

261

def has_actions(options):

274

282

def main():

275

283

parser = argparse.ArgumentParser()

276

284

parser.add_argument("--version", action="version",

277

version = "%(prog)s {}".format(version),

285

version="%(prog)s {}".format(version),

278

286

help="show version number and exit")

279

287

parser.add_argument("-a", "--all", action="store_true",

280

288

help="Select all clients")

281

289

parser.add_argument("-v", "--verbose", action="store_true",

282

290

help="Print all fields")

291

parser.add_argument("-j", "--dump-json", action="store_true",

292

help="Dump client data in JSON format")

283

293

parser.add_argument("-e", "--enable", action="store_true",

284

294

help="Enable client")

285

295

parser.add_argument("-d", "--disable", action="store_true",

324

334

help="Run self-test")

325

335

parser.add_argument("client", nargs="*", help="Client name")

326

336

options = parser.parse_args()

327

337

328

338

if has_actions(options) and not (options.client or options.all):

329

339

parser.error("Options require clients names or --all.")

330

340

if options.verbose and has_actions(options):

331

parser.error("--verbose can only be used alone or with"

332

" --all.")

341

parser.error("--verbose can only be used alone.")

342

if options.dump_json and (options.verbose

343

or has_actions(options)):

344

parser.error("--dump-json can only be used alone.")

333

345

if options.all and not has_actions(options):

334

346

parser.error("--all requires an action.")

335

347

336

348

if options.check:

349

import doctest

337

350

fail_count, test_count = doctest.testmod()

338

351

sys.exit(os.EX_OK if fail_count == 0 else 1)

339

352

340

353

try:

341

354

bus = dbus.SystemBus()

342

355

mandos_dbus_objc = bus.get_object(busname, server_path)

343

356

except dbus.exceptions.DBusException:

344

357

print("Could not connect to Mandos server", file=sys.stderr)

345

358

sys.exit(1)

346

359

347

360

mandos_serv = dbus.Interface(mandos_dbus_objc,

348

dbus_interface = server_interface)

361

dbus_interface=server_interface)

349

362

mandos_serv_object_manager = dbus.Interface(

350

mandos_dbus_objc, dbus_interface = dbus.OBJECT_MANAGER_IFACE)

351

352

#block stderr since dbus library prints to stderr

363

mandos_dbus_objc, dbus_interface=dbus.OBJECT_MANAGER_IFACE)

364

365

# block stderr since dbus library prints to stderr

353

366

null = os.open(os.path.devnull, os.O_RDWR)

354

367

stderrcopy = os.dup(sys.stderr.fileno())

355

368

os.dup2(null, sys.stderr.fileno())

356

369

os.close(null)

357

370

try:

358

371

try:

359

mandos_clients = { path: ifs_and_props[client_interface]

360

for path, ifs_and_props in

361

mandos_serv_object_manager

362

.GetManagedObjects().items()

363

if client_interface in ifs_and_props }

372

mandos_clients = {path: ifs_and_props[client_interface]

373

for path, ifs_and_props in

374

mandos_serv_object_manager

375

.GetManagedObjects().items()

376

if client_interface in ifs_and_props}

364

377

finally:

365

#restore stderr

378

# restore stderr

366

379

os.dup2(stderrcopy, sys.stderr.fileno())

367

380

os.close(stderrcopy)

368

381

except dbus.exceptions.DBusException as e:

369

print("Access denied: Accessing mandos server through D-Bus: {}"

370

.format(e), file=sys.stderr)

382

print("Access denied: "

383

"Accessing mandos server through D-Bus: {}".format(e),

384

file=sys.stderr)

371

385

sys.exit(1)

372

386

373

387

# Compile dict of (clients: properties) to process

374

clients={}

375

388

clients = {}

389

376

390

if options.all or not options.client:

377

clients = { bus.get_object(busname, path): properties

378

for path, properties in mandos_clients.items() }

391

clients = {bus.get_object(busname, path): properties

392

for path, properties in mandos_clients.items()}

379

393

else:

380

394

for name in options.client:

381

395

for path, client in mandos_clients.items():

387

401

print("Client not found on server: {!r}"

388

402

.format(name), file=sys.stderr)

389

403

sys.exit(1)

390

404

391

405

if not has_actions(options) and clients:

392

if options.verbose:

406

if options.verbose or options.dump_json:

393

407

keywords = ("Name", "Enabled", "Timeout", "LastCheckedOK",

394

"Created", "Interval", "Host", "Fingerprint",

395

"CheckerRunning", "LastEnabled",

396

"ApprovalPending", "ApprovedByDefault",

397

"LastApprovalRequest", "ApprovalDelay",

398

"ApprovalDuration", "Checker",

399

"ExtendedTimeout")

408

"Created", "Interval", "Host", "KeyID",

409

"Fingerprint", "CheckerRunning",

410

"LastEnabled", "ApprovalPending",

411

"ApprovedByDefault", "LastApprovalRequest",

412

"ApprovalDelay", "ApprovalDuration",

413

"Checker", "ExtendedTimeout", "Expires",

414

"LastCheckerStatus")

400

415

else:

401

416

keywords = defaultkeywords

402

403

print_clients(clients.values(), keywords)

417

418

if options.dump_json:

419

json.dump({client["Name"]: {key:

420

bool(client[key])

421

if isinstance(client[key],

422

dbus.Boolean)

423

else client[key]

424

for key in keywords}

425

for client in clients.values()},

426

fp=sys.stdout, indent=4,

427

separators=(',', ': '))

428

print()

429

else:

430

print_clients(clients.values(), keywords)

404

431

else:

405

432

# Process each client in the list by all selected options

406

433

for client in clients:

407

434

408

435

def set_client_prop(prop, value):

409

436

"""Set a Client D-Bus property"""

410

437

client.Set(client_interface, prop, value,

411

438

dbus_interface=dbus.PROPERTIES_IFACE)

412

439

413

440

def set_client_prop_ms(prop, value):

414

441

"""Set a Client D-Bus property, converted

415

442

from a string to milliseconds."""

416

443

set_client_prop(prop,

417

444

string_to_delta(value).total_seconds()

418

445

* 1000)

419

446

420

447

if options.remove:

421

448

mandos_serv.RemoveClient(client.__dbus_object_path__)

422

449

if options.enable:

430

457

if options.stop_checker:

431

458

set_client_prop("CheckerRunning", dbus.Boolean(False))

432

459

if options.is_enabled:

433

sys.exit(0 if client.Get(client_interface,

434

"Enabled",

435

dbus_interface=

436

dbus.PROPERTIES_IFACE)

437

else 1)

460

if client.Get(client_interface, "Enabled",

461

dbus_interface=dbus.PROPERTIES_IFACE):

462

sys.exit(0)

463

else:

464

sys.exit(1)

438

465

if options.checker is not None:

439

466

set_client_prop("Checker", options.checker)

440

467

if options.host is not None:

Older »