def _ensureIfDown(ifname, ifconfig_output, logger):
"""
Check if an interface is down (useful before ifup...)
If it is not down, perform an ifdown on it
"""
if "%s " % ifname not in ifconfig_output:
logger.debug("Ok, %s is down as expected" % ifname)
return
logger.debug(
"Found interface %s to be up. "
"Setting it down prior to ifup it by safety" % ifname
)
command = '/sbin/ifdown %s' % ifname
process = createProcess(logger,
command.split(),
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
env={})
return_code, stdout, stderr = communicateProcess(logger, process, TIMEOUT)
if return_code != 0:
logger.error("Error while running '%s'.\n%s" % (command, '\n'.join(stdout)))
else:
logger.debug("...ok")
def restart_rsyslog(logger):
process = createProcess(logger, ["/etc/init.d/rsyslog", "restart"],
locale=False)
exit_code = process.wait()
if exit_code != 0:
return False # Failure.
return True
def dig(logger, defaultserver=None, server=None, query=None):
if server in (None, u''):
assert defaultserver is not None
server = defaultserver
if query in (None, u''):
cmd = ('/usr/bin/dig', '@' + server)
else:
cmd = ('/usr/bin/dig', query, '@' + server)
#except ProcessError
process = createProcess(logger, cmd, stdout=PIPE, stderr=PIPE, env={})
return_code = process.wait()
if return_code != 0:
if return_code == 9:
raise ResolvError("Unreachable server")
stderr = readProcessOutput(process.stderr, 10)
errmsg = '\n'.join(stderr)
raise ResolvError(errmsg)
stdout = readProcessOutput(process.stdout, 500)
return stdout
def createRepository(self, repository_directory, checkout_directory):
process = createProcess(self, ["svnadmin", "create", repository_directory])
result = waitProcess(self, process, 20)
if result != 0:
raise VersionningError("error creating repository %s" % repository_directory)
self.client.checkout("file://%s" % repository_directory, checkout_directory)
def check_and_correct_lo(logger):
"""
@type logger: logging.Logger
@return: bool
"""
try:
ok, msg = check_if_up('lo')
except IOError:
return False
if ok:
return True
logger.critical("%s - Bringing lo up..." % msg)
process = createProcess(
logger,
'/sbin/ip l set lo up'.split(),
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
env={}
)
retcode = waitProcess(logger, process, 120)
try:
re_ok, re_msg = check_if_up('lo')
except IOError:
#FIXME: if we go here, what happened ? Shouldn't we have the problem at the beginning of the function
return False
if re_ok:
logger.info("Could bring lo up!")
return True
logger.critical("Could NOT bring lo up!")
return False
def service_vpnstates(self, context):
"""
return a dict where keys are identifier and values are state
possible values for state: DISCONNECTED, PHASE1_OK, CONNECTED
"""
in_error = not exists("/var/run/pluto/pluto.ctl")
if not in_error:
command = "ipsec whack --status".split()
proc = createProcess(self, command, stdout=PIPE, stderr=PIPE, locale=False)
stdout, stderr = proc.communicate()
retcode = proc.wait()
in_error = retcode != 0
if in_error:
self.error("'%s' - return code: '%s'\nstderr:\n%s\n\nstdout:\n%s" % (
unicode(command), retcode, stderr, stdout)
)
result = {}
if self.cfg.vpns is not None:
for vpn in self.cfg.vpns:
if in_error:
result[vpn.identifier] = DISCONNECTED
else:
result[vpn.identifier] = self.vpnState(stdout, vpn.identifier)
return result
def _setethernetspeed(self, ethernet):
if ethernet.eth_auto:
cmd = "/usr/sbin/ethtool -s %s autoneg on" % ethernet.system_name
self.responsible.feedback(
tr("Setting up speed for interface %(DESCRIPTION)s: auto"),
DESCRIPTION=ethernet.fullName()
)
else:
args = {
'name': ethernet.system_name,
'duplex': "full" if ethernet.eth_duplex == Ethernet.FULL else "half",
'speed': ethernet.eth_speed
}
cmd = "/usr/sbin/ethtool -s %(name)s autoneg off speed "\
"%(speed)s duplex %(duplex)s" % args
self.responsible.feedback(
tr(
"Setting up speed for interface %(DESCRIPTION)s: "
"speed: %(SPEED)s, duplex: %(DUPLEX)s."),
DESCRIPTION=ethernet.fullName(),
SPEED=args['speed'],
DUPLEX=args['duplex']
)
process = createProcess(self, cmd.split(),
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
env={})
retcode, stdout, stderr = communicateProcess(self, process, 30)
if retcode == 0:
return
else:
self.responsible.feedback("Could not set speed.")
#Explicitely catched
raise EthernetSpeedError("Error while running [%s]." % cmd)
def saveLocalSid(component):
"""save local sid (default in /var/lib/ufwi_rpcd/ufwi_conf/nuauth_localsid)"""
proc = createProcess(component, _NET_GETLOCALSID.split(), stdout=PIPE, locale=False)
outputs = proc.communicate()
stdout = outputs[0]
retcode = proc.wait()
if retcode != 0 or not stdout:
component.critical("Can not fetch 'localsid'."
" 'localsid' will not be exported. SSO with high availability will fail")
# TODO raise an error which will be non blocking if we are not in HA ?
return
vardir = component.core.config.get('CORE', 'vardir')
output_path = getLocalSidPath(vardir)
# output sample of net getlocalsid:
# SID for domain EW4-TEST1 is: S-1-5-21-4286993159-1593211551-402818373
line = stdout.splitlines()[0]
sid = line.split()[-1] # last element
with open(output_path, 'w') as output_file:
output_file.flush()
fsync(output_file.fileno())
output_file.write(sid)
msg = "netlocalsid is '%s' and was saved in '%s'"
component.info(msg % (sid, output_path))
def apply(self):
process = createProcess(self, self.arguments, stdout=PIPE, stderr=STDOUT)
exitcode = waitProcess(self, process, TIMEOUT)
if exitcode:
lines = readProcessOutput(process.stdout, 100)
lines = u'\n\n' + u'\n'.join(lines)
raise RulesetError(tr("Ruleset script error (exitcode %s):%s"),
exitcode, lines)
def vpn_support_last(logger):
command = ["/bin/grep", "(sshd:session): session", "/var/log/auth.log"]
process = createProcess(logger, command, stdout=subprocess.PIPE)
return_code = process.wait()
if return_code == 0:
return readProcessOutput(process.stdout, 100)
else:
return []
def runCommand(logger, command, timeout=DEFAULT_TIMEOUT, **popen_args):
"""
use only if stdin/stdout/stderr are NOT pipes (instead use createProcess
and communicateProcess)
"""
process = createProcess(logger, command, **popen_args)
status = waitProcess(logger, process, timeout)
return (process, status)
def startEAS(logger, args = []):
if platform.system() == 'Windows':
import _winreg
regkey = 'SOFTWARE\\Edenwall Technologies\\EAS\\'
keyname = 'BinPath'
key = _winreg.OpenKey(_winreg.HKEY_LOCAL_MACHINE, regkey)
eas_bin = _winreg.QueryValueEx(key, keyname)[0]
else:
eas_bin = abspath(argv[0])
try:
# Append arguments
eas_cmd = [eas_bin] + args
createProcess(logger, eas_cmd)
except ProcessError:
QMessageBox.critical(None,
tr("Edenwall Administration Suite"),
tr("Please install Edenwall Administration Suite before performing this operation"))
def killdhclients(self):
for name in ('dhclient', 'dhclient3'):
command = 'killall %s' % name
process = createProcess(self,
command.split(),
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
env={})
return_code, stdout, stderr = communicateProcess(self, process, 20)
if stdout:
self.debug("stdout: %s" % '\n'.join(stdout))
def total_space_partition(logger, partition):
process = createProcess(logger, ["df", "-P", partition],
stdout=subprocess.PIPE, locale=False)
exit_code = process.wait()
if exit_code != 0:
return False # Failure.
value = readProcessOutput(process.stdout, 2)
if len(value) < 2:
return False # Failure.
try:
return int(value[1].split()[1]) * 1024
except Exception:
return False # Failure.
def readKeytab(logger, keytab_filename):
#check the file syntaxically:
cmd = ('/usr/sbin/ktutil', '-k', keytab_filename, 'list')
#except ProcessError
process = createProcess(logger, cmd, stdout=PIPE, stderr=PIPE, env={})
return_code = process.wait()
if return_code != 0:
stderr = readProcessOutput(process.stderr, -1)
raise NuauthException(INVALID_KEYTAB, "This keytab is unparseable:%s" % stderr)
stdout = readProcessOutput(process.stdout, -1)
return stdout
def _start_or_stopNetworkDefer(self, log_prefix, command):
process = createProcess(self, command,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
env={})
retcode, stdout, stderr = communicateProcess(self, process, TIMEOUT)
if not check_and_correct_lo(self):
self.critical("Networking configuration problem. :-(")
if retcode == 0:
return
for line in stdout:
self.info("%s: %s" % (log_prefix, line))
line_lower = line.lower()
if (u'failed' in line_lower) or (u'error' in line_lower):
raise ConfigError(line)
def refresh_var_log(system_data, logger):
# "df -P /var/log | sed -n '2s/.*\s\([0-9]\+\)%.*/\1/p'"
process = createProcess(logger, ["df", "-P", "/var/log"],
stdout=subprocess.PIPE, locale=False)
exit_code = process.wait()
if exit_code != 0:
return False # Failure.
value = readProcessOutput(process.stdout, 2)
if len(value) < 2:
return False # Failure.
m = var_log_re.search(value[1])
if not m:
return False # Failure.
system_data["var_log"] = int(m.group(1))
return True # Success.
def buildConfig(self):
try:
file(self.DH1024_FILE)
except IOError:
with open(os.path.devnull, 'wb') as devnull:
self.info('Generating a new DH Parameter key.')
process = createProcess(self, ['/usr/bin/openssl', 'dhparam',
'-out', self.DH1024_FILE,
'1024'],
stdout=devnull,
stderr=devnull)
if waitProcess(self, process, 60.0 * 10) != 0:
raise OpenVPNError('Unable to generate a DH Parameter key.')
return """daemon
def runCommandAndCheck(logger, command, timeout=DEFAULT_TIMEOUT, **popen_args):
# Return (process, stdout) where stdout is a list of unicode strings
popen_args.update({'stdout': PIPE, 'stderr': STDOUT})
cmdstr = formatCommand(command)
process = createProcess(logger, command, **popen_args)
status, stdout, stderr = communicateProcess(logger, process, timeout)
if status:
output = u'\n'.join(stdout)
raise RunCommandError(cmdstr, unicode(status), output)
else:
command_str = popen_args.get('cmdstr', command)
logger.debug("Success : '%s'" % unicode(command_str))
return process, stdout
def _ensureIfsDown(interfaces_list, logger):
command = "/sbin/ifconfig"
process = createProcess(logger,
command.split(),
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
env={})
return_code, stdout, stderr = communicateProcess(logger, process, TIMEOUT)
stdout, stderr = __stdoutAndStderr(process)
if return_code != 0:
output = '\n'.join(stdout)
logger.critical("Error while running '%s'.\n%s" % (command, output))
raise NetCfgError("Could not run ifconfig properly ?!\n%s" % output)
ifconfig_output = stdout
for ifname in interfaces_list.split():
_ensureIfDown(ifname, ifconfig_output, logger)
def _parseGetent(self):
groups = set()
process = createProcess(self,
['/usr/bin/getent', 'group'],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
# read output with a timeout of 5 minutes
status, stdout, stderr = communicateProcess(self, process, 60.0*5)
if status:
logs = stdout[20:] + stderr[20:]
raise ComponentError(tr("getent command failed:\n%s"), logs)
for line in stdout:
parts = line.split(u':')
name = parts[0]
gid = int(parts[2])
groups.add((name, gid))
return groups
def getFingerprint(self):
command = "ipsec showhostkey --left".split()
proc = createProcess(self, command, stdout=PIPE, stderr=STDOUT, locale=False)
# FIXME: use communicateProcess() with a timeout
outputs = proc.communicate() # stdout, stderr
stdout = outputs[0]
retcode = proc.wait()
if retcode:
raise RunCommandError(unicode(command), retcode, unicode(stdout))
else:
self.debug("Success : '%s'" % unicode(command))
for line in stdout.split('\n'):
if "leftrsa" not in line:
continue
else:
return line.split('=')[1]
raise FingerprintNotFound("Could not find fingerprint")
def service_getDiagnosticFile(self, context):
"""
Return a diagnostic file, containing the result of various command
"""
process = createProcess(self,
'/usr/share/ufwi_rpcd/scripts/diagnostic',
stdout=subprocess.PIPE, stderr=subprocess.PIPE, locale=False)
return_code, out, err = communicateProcess(self, process, DEFAULT_TIMEOUT)
if return_code != 0:
raise CreateDiagFailed(err)
tmp_dir = out[0].strip()
with open(tmp_dir + "/diagnostic.tar.gz") as fd:
result = encodeFileContent(fd.read())
try:
rmtree(tmp_dir)
except Exception, err:
self.error(
'Could not delete temporary diagnostic directory (%s).',
err)
def joinAd(logger, user, realm, password, block_tcp_53):
if user is None:
user = ''
if realm is None:
realm = ''
if password is None:
password = ''
if not isinstance(block_tcp_53, basestring):
raise ValueError("block_tcp_53 must be a string: 'no' or anything")
#./script admin password DOMAIN_FQDN block_tcp_53(no/other)
cmd = (_NET_JOIN_SCRIPT, user, password, realm, block_tcp_53)
cmdstr = formatCommand((_NET_JOIN_SCRIPT, user, '***', realm, block_tcp_53))
process = createProcess(logger, cmd, stdout=PIPE, stderr=STDOUT, env={}, cmdstr=cmdstr)
# FIXME: use communicateProcess() with a timeout
stdout, stderr = process.communicate()
return_code = process.wait()
if return_code == 0:
logger.critical("Join successful to domain %s" % realm)
return
stdout = stdout.strip()
stdout = '\n'.join(stdout.splitlines()[:50])
if return_code == 1:
format = tr("Unable to create temp file:\n%s")
elif return_code == 2:
format = tr("There was an error while getting a ticket granting ticket:\n%s")
#Not always critical. continue ? For instance: unreachable server
raise NuauthException(MAYBE_TEMPORARY_ERROR, format, stdout)
elif return_code == 4:
format = tr("There was en error while trying to join the domain:\n%s")
elif return_code == 10:
format = tr("Abnormal program termination:\n%s")
else:
format = tr("Exit code %s:") % return_code + "\n%s"
raise NuauthException(NUAUTH_INVALID_CONF, format, stdout)
def configureLocalSid(component):
var_dir = component.core.config.get('CORE', 'vardir')
sid_path = getLocalSidPath(var_dir)
with open(sid_path) as sid_file:
content = sid_file.readlines()
if content:
sid = content[0]
else:
return False
cmd = _NET_SETLOCALSID % sid
cmd = cmd.split()
proc = createProcess(component, cmd, stdout=PIPE, stderr=STDOUT, locale=False)
outputs = proc.communicate() # stdout, stderr
retcode = proc.wait()
if retcode != 0:
stdout = outputs[0]
msg = "can not save local SID '%s', error: '%s'"
component.critical(msg % (sid, stdout))
return False
else:
component.info("successfully set local SID '%s'" % sid)
return True
def service_getSelectedRulesCounts(self, context, thresholds=None):
"""Return 3 counts: selected rules for alert and drop, and available
rules.
If thresholds is None, then this method reads the actual rules file;
if thresholds is a list of two floats, then this method uses these
values to compute the count of rules, not touching or reading the
actual file."""
results = []
if thresholds is None:
file_to_read = RULES_DEST
try:
command = [FPSTAT, '-a', '%f' % thresholds[0]]
if self.ids_ips_cfg.block:
command.append('-d %f' % thresholds[1])
command.append('%s/*.rules' % RULES_SOURCE)
file_to_read = '/dev/shm/selected_rules'
with open(file_to_read, "w") as stdout:
process, retcode = runCommand(self, command, stdout=stdout)
except TypeError:
raise IdsIpsError(IDS_IPS_SELECTED_RULES_COUNTS_ERROR,
tr('Could not count the selected rules (type error).'))
except IndexError:
raise IdsIpsError(IDS_IPS_SELECTED_RULES_COUNTS_ERROR,
tr('Could not count the selected rules (index error).'))
if retcode != 0:
raise IdsIpsError(IDS_IPS_SELECTED_RULES_COUNTS_ERROR,
tr('Error while selecting rules for counting.'))
# FIXME: use "grep -c" or just use Python code
commands = ("grep '^alert ' %s |wc -l" % file_to_read,
"grep '^drop ' %s |wc -l" % file_to_read)
for command in commands:
# FIXME: don't use shell=True
p = createProcess(self, command, shell=True, stdout=PIPE)
stdout, stderr = p.communicate()
retcode = p.wait()
if retcode != 0:
raise IdsIpsError(
IDS_IPS_SELECTED_RULES_COUNTS_ERROR,
tr('Could not count the selected rules.'))
first_line = stdout.splitlines()[0]
results.append(int(first_line))
else:
alert_count = None
drop_count = None
try:
with open(RULES_COUNTS) as fd:
# First threshold (alert):
for line in fd:
cols = line.split()
if float(cols[0]) >= thresholds[0]:
alert_count = int(cols[1])
if float(cols[0]) >= thresholds[1]:
drop_count = int(cols[2])
break
# Second threshold (drop):
if drop_count is None:
for line in fd:
cols = line.split()
if float(cols[0]) >= thresholds[1]:
drop_count = int(cols[2])
break
except:
pass # We will test the counts anyway.
if alert_count is None or drop_count is None:
raise IdsIpsError(IDS_IPS_SELECTED_RULES_COUNTS_ERROR,
tr('Could not count the selected rules.'))
results.extend([alert_count, drop_count])
results.append(self._total_rules_count())
return results
def getVpnSupportStatusAndIP(logger):
process = createProcess(logger, "/usr/share/ufwi_rpcd/scripts/vpn_support_status_and_ip", stdout=subprocess.PIPE)
# FIXME: use communicateProcess() with a timeout
return_code = process.wait()
if return_code == 0:
return [line.strip() for line in readProcessOutput(process.stdout, 2)]