157
155
u" after %i retries, exiting.",
158
156
self.rename_count)
159
157
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
158
self.name = self.server.GetAlternativeServiceName(self.name)
161
159
logger.info(u"Changing Zeroconf service name to %r ...",
163
161
syslogger.setFormatter(logging.Formatter
164
162
(u'Mandos (%s) [%%(process)d]:'
165
163
u' %%(levelname)s: %%(message)s'
170
except dbus.exceptions.DBusException, error:
171
logger.critical(u"DBusException: %s", error)
174
167
self.rename_count += 1
175
168
def remove(self):
176
169
"""Derived from the Avahi example code"""
327
313
self.checker_command = config[u"checker"]
328
314
self.current_checker_command = None
329
315
self.last_connect = None
330
self._approved = None
331
self.approved_by_default = config.get(u"approved_by_default",
333
self.approvals_pending = 0
334
self.approval_delay = string_to_delta(
335
config[u"approval_delay"])
336
self.approval_duration = string_to_delta(
337
config[u"approval_duration"])
338
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
340
def send_changedstate(self):
341
self.changedstate.acquire()
342
self.changedstate.notify_all()
343
self.changedstate.release()
345
317
def enable(self):
346
318
"""Start this client's checker and timeout hooks"""
347
319
if getattr(self, u"enabled", False):
348
320
# Already enabled
350
self.send_changedstate()
351
322
self.last_enabled = datetime.datetime.utcnow()
352
323
# Schedule a new checker to be started an 'interval' from now,
353
324
# and every interval from then on.
716
685
+ self.name.replace(u".", u"_")))
717
686
DBusObjectWithProperties.__init__(self, self.bus,
718
687
self.dbus_object_path)
720
def _get_approvals_pending(self):
721
return self._approvals_pending
722
def _set_approvals_pending(self, value):
723
old_value = self._approvals_pending
724
self._approvals_pending = value
726
if (hasattr(self, "dbus_object_path")
727
and bval is not bool(old_value)):
728
dbus_bool = dbus.Boolean(bval, variant_level=1)
729
self.PropertyChanged(dbus.String(u"ApprovalPending"),
732
approvals_pending = property(_get_approvals_pending,
733
_set_approvals_pending)
734
del _get_approvals_pending, _set_approvals_pending
737
690
def _datetime_to_dbus(dt, variant_level=0):
823
776
r = Client.stop_checker(self, *args, **kwargs)
824
777
if (old_checker is not None
825
778
and getattr(self, u"checker", None) is None):
826
self.PropertyChanged(dbus.String(u"CheckerRunning"),
779
self.PropertyChanged(dbus.String(u"checker_running"),
827
780
dbus.Boolean(False, variant_level=1))
830
def _reset_approved(self):
831
self._approved = None
834
def approve(self, value=True):
835
self.send_changedstate()
836
self._approved = value
837
gobject.timeout_add(self._timedelta_to_milliseconds
838
(self.approval_duration),
839
self._reset_approved)
842
783
## D-Bus methods, signals & properties
843
784
_interface = u"se.bsnet.fukt.Mandos.Client"
865
806
# GotSecret - signal
866
807
@dbus.service.signal(_interface)
867
808
def GotSecret(self):
869
Is sent after a successful transfer of secret from the Mandos
870
server to mandos-client
874
812
# Rejected - signal
875
@dbus.service.signal(_interface, signature=u"s")
876
def Rejected(self, reason):
880
# NeedApproval - signal
881
@dbus.service.signal(_interface, signature=u"tb")
882
def NeedApproval(self, timeout, default):
813
@dbus.service.signal(_interface)
889
@dbus.service.method(_interface, in_signature=u"b")
890
def Approve(self, value):
893
820
# CheckedOK - method
894
821
@dbus.service.method(_interface)
895
822
def CheckedOK(self):
923
# ApprovalPending - property
924
@dbus_service_property(_interface, signature=u"b", access=u"read")
925
def ApprovalPending_dbus_property(self):
926
return dbus.Boolean(bool(self.approvals_pending))
928
# ApprovedByDefault - property
929
@dbus_service_property(_interface, signature=u"b",
931
def ApprovedByDefault_dbus_property(self, value=None):
932
if value is None: # get
933
return dbus.Boolean(self.approved_by_default)
934
self.approved_by_default = bool(value)
936
self.PropertyChanged(dbus.String(u"ApprovedByDefault"),
937
dbus.Boolean(value, variant_level=1))
939
# ApprovalDelay - property
940
@dbus_service_property(_interface, signature=u"t",
942
def ApprovalDelay_dbus_property(self, value=None):
943
if value is None: # get
944
return dbus.UInt64(self.approval_delay_milliseconds())
945
self.approval_delay = datetime.timedelta(0, 0, 0, value)
947
self.PropertyChanged(dbus.String(u"ApprovalDelay"),
948
dbus.UInt64(value, variant_level=1))
950
# ApprovalDuration - property
951
@dbus_service_property(_interface, signature=u"t",
953
def ApprovalDuration_dbus_property(self, value=None):
954
if value is None: # get
955
return dbus.UInt64(self._timedelta_to_milliseconds(
956
self.approval_duration))
957
self.approval_duration = datetime.timedelta(0, 0, 0, value)
959
self.PropertyChanged(dbus.String(u"ApprovalDuration"),
960
dbus.UInt64(value, variant_level=1))
963
851
@dbus_service_property(_interface, signature=u"s", access=u"read")
964
def Name_dbus_property(self):
852
def name_dbus_property(self):
965
853
return dbus.String(self.name)
967
# Fingerprint - property
855
# fingerprint - property
968
856
@dbus_service_property(_interface, signature=u"s", access=u"read")
969
def Fingerprint_dbus_property(self):
857
def fingerprint_dbus_property(self):
970
858
return dbus.String(self.fingerprint)
973
861
@dbus_service_property(_interface, signature=u"s",
974
862
access=u"readwrite")
975
def Host_dbus_property(self, value=None):
863
def host_dbus_property(self, value=None):
976
864
if value is None: # get
977
865
return dbus.String(self.host)
978
866
self.host = value
979
867
# Emit D-Bus signal
980
self.PropertyChanged(dbus.String(u"Host"),
868
self.PropertyChanged(dbus.String(u"host"),
981
869
dbus.String(value, variant_level=1))
984
872
@dbus_service_property(_interface, signature=u"s", access=u"read")
985
def Created_dbus_property(self):
873
def created_dbus_property(self):
986
874
return dbus.String(self._datetime_to_dbus(self.created))
988
# LastEnabled - property
876
# last_enabled - property
989
877
@dbus_service_property(_interface, signature=u"s", access=u"read")
990
def LastEnabled_dbus_property(self):
878
def last_enabled_dbus_property(self):
991
879
if self.last_enabled is None:
992
880
return dbus.String(u"")
993
881
return dbus.String(self._datetime_to_dbus(self.last_enabled))
996
884
@dbus_service_property(_interface, signature=u"b",
997
885
access=u"readwrite")
998
def Enabled_dbus_property(self, value=None):
886
def enabled_dbus_property(self, value=None):
999
887
if value is None: # get
1000
888
return dbus.Boolean(self.enabled)
1015
903
return dbus.String(self._datetime_to_dbus(self
1016
904
.last_checked_ok))
1018
# Timeout - property
1019
907
@dbus_service_property(_interface, signature=u"t",
1020
908
access=u"readwrite")
1021
def Timeout_dbus_property(self, value=None):
909
def timeout_dbus_property(self, value=None):
1022
910
if value is None: # get
1023
911
return dbus.UInt64(self.timeout_milliseconds())
1024
912
self.timeout = datetime.timedelta(0, 0, 0, value)
1025
913
# Emit D-Bus signal
1026
self.PropertyChanged(dbus.String(u"Timeout"),
914
self.PropertyChanged(dbus.String(u"timeout"),
1027
915
dbus.UInt64(value, variant_level=1))
1028
916
if getattr(self, u"disable_initiator_tag", None) is None:
1043
931
self.disable_initiator_tag = (gobject.timeout_add
1044
932
(time_to_die, self.disable))
1046
# Interval - property
934
# interval - property
1047
935
@dbus_service_property(_interface, signature=u"t",
1048
936
access=u"readwrite")
1049
def Interval_dbus_property(self, value=None):
937
def interval_dbus_property(self, value=None):
1050
938
if value is None: # get
1051
939
return dbus.UInt64(self.interval_milliseconds())
1052
940
self.interval = datetime.timedelta(0, 0, 0, value)
1053
941
# Emit D-Bus signal
1054
self.PropertyChanged(dbus.String(u"Interval"),
942
self.PropertyChanged(dbus.String(u"interval"),
1055
943
dbus.UInt64(value, variant_level=1))
1056
944
if getattr(self, u"checker_initiator_tag", None) is None:
1061
949
(value, self.start_checker))
1062
950
self.start_checker() # Start one now, too
1064
# Checker - property
1065
953
@dbus_service_property(_interface, signature=u"s",
1066
954
access=u"readwrite")
1067
def Checker_dbus_property(self, value=None):
955
def checker_dbus_property(self, value=None):
1068
956
if value is None: # get
1069
957
return dbus.String(self.checker_command)
1070
958
self.checker_command = value
1071
959
# Emit D-Bus signal
1072
self.PropertyChanged(dbus.String(u"Checker"),
960
self.PropertyChanged(dbus.String(u"checker"),
1073
961
dbus.String(self.checker_command,
1074
962
variant_level=1))
1076
# CheckerRunning - property
964
# checker_running - property
1077
965
@dbus_service_property(_interface, signature=u"b",
1078
966
access=u"readwrite")
1079
def CheckerRunning_dbus_property(self, value=None):
967
def checker_running_dbus_property(self, value=None):
1080
968
if value is None: # get
1081
969
return dbus.Boolean(self.checker is not None)
1085
973
self.stop_checker()
1087
# ObjectPath - property
975
# object_path - property
1088
976
@dbus_service_property(_interface, signature=u"o", access=u"read")
1089
def ObjectPath_dbus_property(self):
977
def object_path_dbus_property(self):
1090
978
return self.dbus_object_path # is already a dbus.ObjectPath
1093
981
@dbus_service_property(_interface, signature=u"ay",
1094
982
access=u"write", byte_arrays=True)
1095
def Secret_dbus_property(self, value):
983
def secret_dbus_property(self, value):
1096
984
self.secret = str(value)
1101
class ProxyClient(object):
1102
def __init__(self, child_pipe, fpr, address):
1103
self._pipe = child_pipe
1104
self._pipe.send(('init', fpr, address))
1105
if not self._pipe.recv():
1108
def __getattribute__(self, name):
1109
if(name == '_pipe'):
1110
return super(ProxyClient, self).__getattribute__(name)
1111
self._pipe.send(('getattr', name))
1112
data = self._pipe.recv()
1113
if data[0] == 'data':
1115
if data[0] == 'function':
1116
def func(*args, **kwargs):
1117
self._pipe.send(('funcall', name, args, kwargs))
1118
return self._pipe.recv()[1]
1121
def __setattr__(self, name, value):
1122
if(name == '_pipe'):
1123
return super(ProxyClient, self).__setattr__(name, value)
1124
self._pipe.send(('setattr', name, value))
1127
989
class ClientHandler(socketserver.BaseRequestHandler, object):
1128
990
"""A class to handle client connections.
1131
993
Note: This will run in its own forked process."""
1133
995
def handle(self):
1134
with contextlib.closing(self.server.child_pipe) as child_pipe:
1135
logger.info(u"TCP connection from: %s",
1136
unicode(self.client_address))
1137
logger.debug(u"Pipe FD: %d",
1138
self.server.child_pipe.fileno())
996
logger.info(u"TCP connection from: %s",
997
unicode(self.client_address))
998
logger.debug(u"IPC Pipe FD: %d",
999
self.server.child_pipe[1].fileno())
1000
# Open IPC pipe to parent process
1001
with contextlib.nested(self.server.child_pipe[1],
1002
self.server.parent_pipe[0]
1003
) as (ipc, ipc_return):
1140
1004
session = (gnutls.connection
1141
1005
.ClientSession(self.request,
1142
1006
gnutls.connection
1143
1007
.X509Credentials()))
1009
line = self.request.makefile().readline()
1010
logger.debug(u"Protocol version: %r", line)
1012
if int(line.strip().split()[0]) > 1:
1014
except (ValueError, IndexError, RuntimeError), error:
1015
logger.error(u"Unknown protocol version: %s", error)
1145
1018
# Note: gnutls.connection.X509Credentials is really a
1146
1019
# generic GnuTLS certificate credentials object so long as
1147
1020
# no X.509 keys are added to it. Therefore, we can use it
1148
1021
# here despite using OpenPGP certificates.
1150
1023
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1151
1024
# u"+AES-256-CBC", u"+SHA1",
1152
1025
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1158
1031
(gnutls.library.functions
1159
1032
.gnutls_priority_set_direct(session._c_object,
1160
1033
priority, None))
1162
# Start communication using the Mandos protocol
1163
# Get protocol number
1164
line = self.request.makefile().readline()
1165
logger.debug(u"Protocol version: %r", line)
1167
if int(line.strip().split()[0]) > 1:
1169
except (ValueError, IndexError, RuntimeError), error:
1170
logger.error(u"Unknown protocol version: %s", error)
1173
# Start GnuTLS connection
1175
1036
session.handshake()
1176
1037
except gnutls.errors.GNUTLSError, error:
1191
1050
logger.debug(u"Fingerprint: %s", fpr)
1194
client = ProxyClient(child_pipe, fpr,
1195
self.client_address)
1199
if client.approval_delay:
1200
delay = client.approval_delay
1201
client.approvals_pending += 1
1202
approval_required = True
1205
if not client.enabled:
1206
logger.warning(u"Client %s is disabled",
1208
if self.server.use_dbus:
1210
client.Rejected("Disabled")
1213
if client._approved or not client.approval_delay:
1214
#We are approved or approval is disabled
1052
for c in self.server.clients:
1053
if c.fingerprint == fpr:
1216
elif client._approved is None:
1217
logger.info(u"Client %s needs approval",
1219
if self.server.use_dbus:
1221
client.NeedApproval(
1222
client.approval_delay_milliseconds(),
1223
client.approved_by_default)
1225
logger.warning(u"Client %s was not approved",
1227
if self.server.use_dbus:
1229
client.Rejected("Denied")
1232
#wait until timeout or approved
1233
#x = float(client._timedelta_to_milliseconds(delay))
1234
time = datetime.datetime.now()
1235
client.changedstate.acquire()
1236
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1237
client.changedstate.release()
1238
time2 = datetime.datetime.now()
1239
if (time2 - time) >= delay:
1240
if not client.approved_by_default:
1241
logger.warning("Client %s timed out while"
1242
" waiting for approval",
1244
if self.server.use_dbus:
1246
client.Rejected("Timed out")
1251
delay -= time2 - time
1057
ipc.write(u"NOTFOUND %s %s\n"
1058
% (fpr, unicode(self.client_address)))
1060
# Have to check if client.enabled, since it is
1061
# possible that the client was disabled since the
1062
# GnuTLS session was established.
1063
ipc.write(u"GETATTR enabled %s\n" % fpr)
1064
enabled = pickle.load(ipc_return)
1066
ipc.write(u"DISABLED %s\n" % client.name)
1068
ipc.write(u"SENDING %s\n" % client.name)
1254
1070
while sent_size < len(client.secret):
1256
sent = session.send(client.secret[sent_size:])
1257
except (gnutls.errors.GNUTLSError), error:
1258
logger.warning("gnutls send failed")
1071
sent = session.send(client.secret[sent_size:])
1260
1072
logger.debug(u"Sent: %d, remaining: %d",
1261
1073
sent, len(client.secret)
1262
1074
- (sent_size + sent))
1263
1075
sent_size += sent
1265
logger.info(u"Sending secret to %s", client.name)
1266
# bump the timeout as if seen
1268
if self.server.use_dbus:
1273
if approval_required:
1274
client.approvals_pending -= 1
1277
except (gnutls.errors.GNUTLSError), error:
1278
logger.warning("GnuTLS bye failed")
1281
1080
def peer_certificate(session):
1344
class MultiprocessingMixIn(object):
1345
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1346
def sub_process_main(self, request, address):
1348
self.finish_request(request, address)
1350
self.handle_error(request, address)
1351
self.close_request(request)
1353
def process_request(self, request, address):
1354
"""Start a new process to process the request."""
1355
multiprocessing.Process(target = self.sub_process_main,
1356
args = (request, address)).start()
1358
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1359
""" adds a pipe to the MixIn """
1143
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1144
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1360
1145
def process_request(self, request, client_address):
1361
1146
"""Overrides and wraps the original process_request().
1363
1148
This function creates a new pipe in self.pipe
1365
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1367
super(MultiprocessingMixInWithPipe,
1150
# Child writes to child_pipe
1151
self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1152
# Parent writes to parent_pipe
1153
self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1154
super(ForkingMixInWithPipes,
1368
1155
self).process_request(request, client_address)
1369
self.child_pipe.close()
1370
self.add_pipe(parent_pipe)
1372
def add_pipe(self, parent_pipe):
1156
# Close unused ends for parent
1157
self.parent_pipe[0].close() # close read end
1158
self.child_pipe[1].close() # close write end
1159
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1160
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1373
1161
"""Dummy function; override as necessary"""
1376
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1162
child_pipe_fd.close()
1163
parent_pipe_fd.close()
1166
class IPv6_TCPServer(ForkingMixInWithPipes,
1377
1167
socketserver.TCPServer, object):
1378
1168
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1464
1254
return socketserver.TCPServer.server_activate(self)
1465
1255
def enable(self):
1466
1256
self.enabled = True
1467
def add_pipe(self, parent_pipe):
1257
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1468
1258
# Call "handle_ipc" for both data and EOF events
1469
gobject.io_add_watch(parent_pipe.fileno(),
1259
gobject.io_add_watch(child_pipe_fd.fileno(),
1470
1260
gobject.IO_IN | gobject.IO_HUP,
1471
1261
functools.partial(self.handle_ipc,
1472
parent_pipe = parent_pipe))
1474
def handle_ipc(self, source, condition, parent_pipe=None,
1475
client_object=None):
1262
reply = parent_pipe_fd,
1263
sender= child_pipe_fd))
1264
def handle_ipc(self, source, condition, reply=None, sender=None):
1476
1265
condition_names = {
1477
1266
gobject.IO_IN: u"IN", # There is data to read.
1478
1267
gobject.IO_OUT: u"OUT", # Data can be written (without
1489
1278
if cond & condition)
1490
1279
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1491
1280
conditions_string)
1493
# error or the other end of multiprocessing.Pipe has closed
1494
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1497
# Read a request from the child
1498
request = parent_pipe.recv()
1499
logger.debug(u"IPC request: %s", repr(request))
1500
command = request[0]
1502
if command == 'init':
1504
address = request[2]
1506
for c in self.clients:
1507
if c.fingerprint == fpr:
1511
logger.warning(u"Client not found for fingerprint: %s, ad"
1512
u"dress: %s", fpr, address)
1515
mandos_dbus_service.ClientNotFound(fpr, address)
1516
parent_pipe.send(False)
1519
gobject.io_add_watch(parent_pipe.fileno(),
1520
gobject.IO_IN | gobject.IO_HUP,
1521
functools.partial(self.handle_ipc,
1522
parent_pipe = parent_pipe,
1523
client_object = client))
1524
parent_pipe.send(True)
1525
# remove the old hook in favor of the new above hook on same fileno
1527
if command == 'funcall':
1528
funcname = request[1]
1532
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1534
if command == 'getattr':
1535
attrname = request[1]
1536
if callable(client_object.__getattribute__(attrname)):
1537
parent_pipe.send(('function',))
1539
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1541
if command == 'setattr':
1542
attrname = request[1]
1544
setattr(client_object, attrname, value)
1282
# Read a line from the file object
1283
cmdline = sender.readline()
1284
if not cmdline: # Empty line means end of file
1285
# close the IPC pipes
1289
# Stop calling this function
1292
logger.debug(u"IPC command: %r", cmdline)
1294
# Parse and act on command
1295
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1297
if cmd == u"NOTFOUND":
1298
fpr, address = args.split(None, 1)
1299
logger.warning(u"Client not found for fingerprint: %s, ad"
1300
u"dress: %s", fpr, address)
1303
mandos_dbus_service.ClientNotFound(fpr, address)
1304
elif cmd == u"DISABLED":
1305
for client in self.clients:
1306
if client.name == args:
1307
logger.warning(u"Client %s is disabled", args)
1313
logger.error(u"Unknown client %s is disabled", args)
1314
elif cmd == u"SENDING":
1315
for client in self.clients:
1316
if client.name == args:
1317
logger.info(u"Sending secret to %s", client.name)
1324
logger.error(u"Sending secret to unknown client %s",
1326
elif cmd == u"GETATTR":
1327
attr_name, fpr = args.split(None, 1)
1328
for client in self.clients:
1329
if client.fingerprint == fpr:
1330
attr_value = getattr(client, attr_name, None)
1331
logger.debug("IPC reply: %r", attr_value)
1332
pickle.dump(attr_value, reply)
1335
logger.error(u"Client %s on address %s requesting "
1336
u"attribute %s not found", fpr, address,
1338
pickle.dump(None, reply)
1340
logger.error(u"Unknown IPC command: %r", cmdline)
1342
# Keep calling this function
1836
1611
if server_settings["interface"]:
1837
1612
service.interface = (if_nametoindex
1838
1613
(str(server_settings[u"interface"])))
1841
# Close all input and output, do double fork, etc.
1844
global multiprocessing_manager
1845
multiprocessing_manager = multiprocessing.Manager()
1847
1615
client_class = Client
1849
1617
client_class = functools.partial(ClientDBus, bus = bus)
1850
def client_config_items(config, section):
1851
special_settings = {
1852
"approved_by_default":
1853
lambda: config.getboolean(section,
1854
"approved_by_default"),
1856
for name, value in config.items(section):
1858
yield (name, special_settings[name]())
1862
1618
tcp_server.clients.update(set(
1863
1619
client_class(name = section,
1864
config= dict(client_config_items(
1865
client_config, section)))
1620
config= dict(client_config.items(section)))
1866
1621
for section in client_config.sections()))
1867
1622
if not tcp_server.clients:
1868
1623
logger.warning(u"No clients defined")
1626
# Redirect stdin so all checkers get /dev/null
1627
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1628
os.dup2(null, sys.stdin.fileno())
1632
# No console logging
1633
logger.removeHandler(console)
1634
# Close all input and output, do double fork, etc.
1872
1639
pid = os.getpid()