To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 521
- compare with another revision
- download diff
- download tarball
- view history from revision 521
- Committer: teddy at bsnet
- Date: 2011-11-10 11:08:50 UTC
- Revision ID: teddy@fukt.bsnet.se-20111110110850-ztybq08hduf85vx6
* debian/control (mandos/Depends): Added "python-crypto".
* mandos: Break long lines.
(ClientDBus.add_to_dbus): New.
(ClientDBus.__init__): Call add_to_dbus().
(main): - '' -
* mandos: Break long lines.
(ClientDBus.add_to_dbus): New.
(ClientDBus.__init__): Call add_to_dbus().
(main): - '' -
- files modified:
- TODO
added
removed
mandos
310
310
interval: datetime.timedelta(); How often to start a new checker
311
311
last_approval_request: datetime.datetime(); (UTC) or None
312
312
last_checked_ok: datetime.datetime(); (UTC) or None
313
last_checker_status: integer between 0 and 255 reflecting exit status
314
of last checker. -1 reflect crashed checker,
315
or None.
313
last_checker_status: integer between 0 and 255 reflecting exit
314
status of last checker. -1 reflect crashed
315
checker, or None.
316
316
last_enabled: datetime.datetime(); (UTC)
317
317
name: string; from the config file, used in log messages and
318
318
D-Bus identifiers
398
398
self.changedstate = (multiprocessing_manager
399
399
.Condition(multiprocessing_manager
400
400
.Lock()))
401
self.client_structure = [attr for attr in self.__dict__.iterkeys() if not attr.startswith("_")]
401
self.client_structure = [attr for attr
402
in self.__dict__.iterkeys()
403
if not attr.startswith("_")]
402
404
self.client_structure.append("client_structure")
403
405
404
406
405
407
for name, t in inspect.getmembers(type(self),
406
lambda obj: isinstance(obj, property)):
408
lambda obj:
409
isinstance(obj,
410
property)):
407
411
if not name.startswith("_"):
408
412
self.client_structure.append(name)
409
413
591
595
raise
592
596
self.checker = None
593
597
594
# Encrypts a client secret and stores it in a varible encrypted_secret
598
# Encrypts a client secret and stores it in a varible
599
# encrypted_secret
595
600
def encrypt_secret(self, key):
596
# Encryption-key need to be of a specific size, so we hash inputed key
601
# Encryption-key need to be of a specific size, so we hash
602
# supplied key
597
603
hasheng = hashlib.sha256()
598
604
hasheng.update(key)
599
605
encryptionkey = hasheng.digest()
600
606
601
# Create validation hash so we know at decryption if it was sucessful
607
# Create validation hash so we know at decryption if it was
608
# sucessful
602
609
hasheng = hashlib.sha256()
603
610
hasheng.update(self.secret)
604
611
validationhash = hasheng.digest()
612
619
613
620
# Decrypt a encrypted client secret
614
621
def decrypt_secret(self, key):
615
# Decryption-key need to be of a specific size, so we hash inputed key
622
# Decryption-key need to be of a specific size, so we hash
623
# supplied key
616
624
hasheng = hashlib.sha256()
617
625
hasheng.update(key)
618
626
encryptionkey = hasheng.digest()
629
637
secret = plain[hasheng.digest_size:]
630
638
hasheng.update(secret)
631
639
632
# if validation fails, we use key as new secret. Otherwhise, we use
633
# the decrypted secret
640
# If validation fails, we use key as new secret. Otherwise, we
641
# use the decrypted secret
634
642
if hasheng.digest() == validationhash:
635
643
self.secret = secret
636
644
else:
944
952
945
953
def __init__(self, bus = None, *args, **kwargs):
946
954
self.bus = bus
955
self._approvals_pending = 0
947
956
Client.__init__(self, *args, **kwargs)
948
949
self._approvals_pending = 0
957
self.add_to_dbus()
958
959
def add_to_dbus(self):
950
960
# Only now, when this client is initialized, can it show up on
951
961
# the D-Bus
952
962
client_object_name = unicode(self.name).translate(
1922
1932
parser.add_argument("--no-ipv6", action="store_false",
1923
1933
dest="use_ipv6", help="Do not use IPv6")
1924
1934
parser.add_argument("--no-restore", action="store_false",
1925
dest="restore", help="Do not restore stored state",
1935
dest="restore",
1936
help="Do not restore stored state",
1926
1937
default=True)
1927
1938
1928
1939
options = parser.parse_args()
2125
2136
# with exceptions for any special settings as defined above
2126
2137
client_settings = dict((clientname,
2127
2138
dict((setting,
2128
(value if setting not in special_settings
2129
else special_settings[setting](clientname)))
2130
for setting, value in client_config.items(clientname)))
2139
(value if
2140
setting not in special_settings
2141
else special_settings[setting]
2142
(clientname)))
2143
for setting, value
2144
in client_config.items(clientname)))
2131
2145
for clientname in client_config.sections())
2132
2146
2133
2147
old_client_settings = {}
2137
2151
if server_settings["restore"]:
2138
2152
try:
2139
2153
with open(stored_state_path, "rb") as stored_state:
2140
clients_data, old_client_settings = pickle.load(stored_state)
2154
clients_data, old_client_settings = (
2155
pickle.load(stored_state))
2141
2156
os.remove(stored_state_path)
2142
2157
except IOError as e:
2143
logger.warning("Could not load persistant state: {0}".format(e))
2158
logger.warning("Could not load persistant state: {0}"
2159
.format(e))
2144
2160
if e.errno != errno.ENOENT:
2145
2161
raise
2146
2162
2157
2173
# For each value in new config, check if it differs
2158
2174
# from the old config value (Except for the "secret"
2159
2175
# attribute)
2160
if name != "secret" and value != old_client_settings[client_name][name]:
2176
if (name != "secret" and
2177
value != old_client_settings[client_name][name]):
2161
2178
setattr(client, name, value)
2162
2179
except KeyError:
2163
2180
pass
2164
2181
2165
# Clients who has passed its expire date, can still be enabled if its
2166
# last checker was sucessful. Clients who checkers failed before we
2167
# stored it state is asumed to had failed checker during downtime.
2182
# Clients who has passed its expire date, can still be enabled
2183
# if its last checker was sucessful. Clients who checkers
2184
# failed before we stored it state is asumed to had failed
2185
# checker during downtime.
2168
2186
if client["enabled"] and client["last_checked_ok"]:
2169
if ((datetime.datetime.utcnow() - client["last_checked_ok"])
2170
> client["interval"]):
2187
if ((datetime.datetime.utcnow()
2188
- client["last_checked_ok"]) > client["interval"]):
2171
2189
if client["last_checker_status"] != 0:
2172
2190
client["enabled"] = False
2173
2191
else:
2174
client["expires"] = datetime.datetime.utcnow() + client["timeout"]
2192
client["expires"] = (datetime.datetime.utcnow()
2193
+ client["timeout"])
2175
2194
2176
2195
client["changedstate"] = (multiprocessing_manager
2177
2196
.Condition(multiprocessing_manager
2178
2197
.Lock()))
2179
2198
if use_dbus:
2180
new_client = ClientDBusTransitional.__new__(ClientDBusTransitional)
2199
new_client = ClientDBusTransitional.__new__(
2200
ClientDBusTransitional)
2181
2201
tcp_server.clients[client_name] = new_client
2182
2202
new_client.bus = bus
2183
2203
for name, value in client.iteritems():
2184
2204
setattr(new_client, name, value)
2185
client_object_name = unicode(client_name).translate(
2186
{ord("."): ord("_"),
2187
ord("-"): ord("_")})
2188
new_client.dbus_object_path = (dbus.ObjectPath
2189
("/clients/" + client_object_name))
2190
DBusObjectWithProperties.__init__(new_client,
2191
new_client.bus,
2192
new_client.dbus_object_path)
2205
new_client._approvals_pending = 0
2206
new_client.add_to_dbus()
2193
2207
else:
2194
2208
tcp_server.clients[client_name] = Client.__new__(Client)
2195
2209
for name, value in client.iteritems():
2202
2216
for clientname in set(old_client_settings) - set(client_settings):
2203
2217
del tcp_server.clients[clientname]
2204
2218
for clientname in set(client_settings) - set(old_client_settings):
2205
tcp_server.clients[clientname] = (client_class(name = clientname,
2206
config =
2207
client_settings
2208
[clientname]))
2219
tcp_server.clients[clientname] = client_class(name
2220
= clientname,
2221
config =
2222
client_settings
2223
[clientname])
2209
2224
2210
2211
2225
if not tcp_server.clients:
2212
2226
logger.warning("No clients defined")
2213
2227
2296
2310
if not (tcp_server.clients or client_settings):
2297
2311
return
2298
2312
2299
# Store client before exiting. Secrets are encrypted with key based
2300
# on what config file has. If config file is removed/edited, old
2301
# secret will thus be unrecovable.
2313
# Store client before exiting. Secrets are encrypted with key
2314
# based on what config file has. If config file is
2315
# removed/edited, old secret will thus be unrecovable.
2302
2316
clients = []
2303
2317
for client in tcp_server.clients.itervalues():
2304
client.encrypt_secret(client_settings[client.name]["secret"])
2318
client.encrypt_secret(
2319
client_settings[client.name]["secret"])
2305
2320
2306
2321
client_dict = {}
2307
2322
2308
# A list of attributes that will not be stored when shuting down.
2309
exclude = set(("bus", "changedstate", "secret"))
2323
# A list of attributes that will not be stored when
2324
# shutting down.
2325
exclude = set(("bus", "changedstate", "secret"))
2310
2326
for name, typ in inspect.getmembers(dbus.service.Object):
2311
2327
exclude.add(name)
2312
2328
2319
2335
del client_settings[client.name]["secret"]
2320
2336
2321
2337
try:
2322
with os.fdopen(os.open(stored_state_path, os.O_CREAT|os.O_WRONLY|os.O_TRUNC, 0600), "wb") as stored_state:
2338
with os.fdopen(os.open(stored_state_path,
2339
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2340
stat.S_IRUSR | stat.S_IWUSR),
2341
"wb") as stored_state:
2323
2342
pickle.dump((clients, client_settings), stored_state)
2324
2343
except IOError as e:
2325
logger.warning("Could not save persistant state: {0}".format(e))
2344
logger.warning("Could not save persistant state: {0}"
2345
.format(e))
2326
2346
if e.errno != errno.ENOENT:
2327
2347
raise
2328
2348
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0