To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.16.24
- compare with another revision
- download diff
- download tarball
- view history from revision 237.16.24
- Committer: Teddy Hogeborn
- Date: 2011-11-29 18:19:31 UTC
- mto: (237.15.13 mandos-client-network-hooks)
- mto: This revision was merged to the branch mainline in revision 290.
- Revision ID: teddy@recompile.se-20111129181931-vctlij1omtu1qbnx
* initramfs-tools-hook: Set DEVICE for network hooks.
- files added:
- DBUS-API
- debian/source
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
31
# Contact the authors at <mandos@recompile.se>.
32
32
#
33
33
34
from __future__ import division, with_statement, absolute_import
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
35
36
36
import SocketServer
37
import SocketServer as socketserver
37
38
import socket
38
import optparse
39
import argparse
39
40
import datetime
40
41
import errno
41
42
import gnutls.crypto
44
45
import gnutls.library.functions
45
46
import gnutls.library.constants
46
47
import gnutls.library.types
47
import ConfigParser
48
import ConfigParser as configparser
48
49
import sys
49
50
import re
50
51
import os
51
52
import signal
52
from sets import Set
53
53
import subprocess
54
54
import atexit
55
55
import stat
56
56
import logging
57
57
import logging.handlers
58
58
import pwd
59
from contextlib import closing
59
import contextlib
60
import struct
61
import fcntl
62
import functools
63
import cPickle as pickle
64
import multiprocessing
65
import types
60
66
61
67
import dbus
62
68
import dbus.service
65
71
from dbus.mainloop.glib import DBusGMainLoop
66
72
import ctypes
67
73
import ctypes.util
68
69
version = "1.0.3"
70
74
import xml.dom.minidom
75
import inspect
76
77
try:
78
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
79
except AttributeError:
80
try:
81
from IN import SO_BINDTODEVICE
82
except ImportError:
83
SO_BINDTODEVICE = None
84
85
86
version = "1.4.1"
87
88
#logger = logging.getLogger('mandos')
71
89
logger = logging.Logger('mandos')
72
90
syslogger = (logging.handlers.SysLogHandler
73
91
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
address = "/dev/log"))
92
address = str("/dev/log")))
75
93
syslogger.setFormatter(logging.Formatter
76
('Mandos: %(levelname)s: %(message)s'))
94
('Mandos [%(process)d]: %(levelname)s:'
95
' %(message)s'))
77
96
logger.addHandler(syslogger)
78
97
79
98
console = logging.StreamHandler()
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
99
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
100
' %(levelname)s:'
81
101
' %(message)s'))
82
102
logger.addHandler(console)
83
103
97
117
98
118
class AvahiService(object):
99
119
"""An Avahi (Zeroconf) service.
120
100
121
Attributes:
101
122
interface: integer; avahi.IF_UNSPEC or an interface index.
102
123
Used to optionally bind to the specified interface.
110
131
max_renames: integer; maximum number of renames
111
132
rename_count: integer; counter so we only rename after collisions
112
133
a sensible number of times
134
group: D-Bus Entry Group
135
server: D-Bus Server
136
bus: dbus.SystemBus()
113
137
"""
114
138
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
115
139
servicetype = None, port = None, TXT = None,
116
domain = "", host = "", max_renames = 32768):
140
domain = "", host = "", max_renames = 32768,
141
protocol = avahi.PROTO_UNSPEC, bus = None):
117
142
self.interface = interface
118
143
self.name = name
119
144
self.type = servicetype
123
148
self.host = host
124
149
self.rename_count = 0
125
150
self.max_renames = max_renames
151
self.protocol = protocol
152
self.group = None # our entry group
153
self.server = None
154
self.bus = bus
155
self.entry_group_state_changed_match = None
126
156
def rename(self):
127
157
"""Derived from the Avahi example code"""
128
158
if self.rename_count >= self.max_renames:
129
logger.critical(u"No suitable Zeroconf service name found"
130
u" after %i retries, exiting.",
159
logger.critical("No suitable Zeroconf service name found"
160
" after %i retries, exiting.",
131
161
self.rename_count)
132
raise AvahiServiceError(u"Too many renames")
133
self.name = server.GetAlternativeServiceName(self.name)
134
logger.info(u"Changing Zeroconf service name to %r ...",
135
str(self.name))
162
raise AvahiServiceError("Too many renames")
163
self.name = unicode(self.server
164
.GetAlternativeServiceName(self.name))
165
logger.info("Changing Zeroconf service name to %r ...",
166
self.name)
136
167
syslogger.setFormatter(logging.Formatter
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
168
('Mandos (%s) [%%(process)d]:'
169
' %%(levelname)s: %%(message)s'
170
% self.name))
139
171
self.remove()
140
self.add()
172
try:
173
self.add()
174
except dbus.exceptions.DBusException as error:
175
logger.critical("DBusException: %s", error)
176
self.cleanup()
177
os._exit(1)
141
178
self.rename_count += 1
142
179
def remove(self):
143
180
"""Derived from the Avahi example code"""
144
if group is not None:
145
group.Reset()
181
if self.entry_group_state_changed_match is not None:
182
self.entry_group_state_changed_match.remove()
183
self.entry_group_state_changed_match = None
184
if self.group is not None:
185
self.group.Reset()
146
186
def add(self):
147
187
"""Derived from the Avahi example code"""
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
170
# End of Avahi example code
171
172
173
def _datetime_to_dbus(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus type."""
175
return dbus.String(dt.isoformat(), variant_level=variant_level)
176
177
178
class Client(dbus.service.Object):
188
self.remove()
189
if self.group is None:
190
self.group = dbus.Interface(
191
self.bus.get_object(avahi.DBUS_NAME,
192
self.server.EntryGroupNew()),
193
avahi.DBUS_INTERFACE_ENTRY_GROUP)
194
self.entry_group_state_changed_match = (
195
self.group.connect_to_signal(
196
'StateChanged', self .entry_group_state_changed))
197
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
198
self.name, self.type)
199
self.group.AddService(
200
self.interface,
201
self.protocol,
202
dbus.UInt32(0), # flags
203
self.name, self.type,
204
self.domain, self.host,
205
dbus.UInt16(self.port),
206
avahi.string_array_to_txt_array(self.TXT))
207
self.group.Commit()
208
def entry_group_state_changed(self, state, error):
209
"""Derived from the Avahi example code"""
210
logger.debug("Avahi entry group state change: %i", state)
211
212
if state == avahi.ENTRY_GROUP_ESTABLISHED:
213
logger.debug("Zeroconf service established.")
214
elif state == avahi.ENTRY_GROUP_COLLISION:
215
logger.info("Zeroconf service name collision.")
216
self.rename()
217
elif state == avahi.ENTRY_GROUP_FAILURE:
218
logger.critical("Avahi: Error in group state changed %s",
219
unicode(error))
220
raise AvahiGroupError("State changed: %s"
221
% unicode(error))
222
def cleanup(self):
223
"""Derived from the Avahi example code"""
224
if self.group is not None:
225
try:
226
self.group.Free()
227
except (dbus.exceptions.UnknownMethodException,
228
dbus.exceptions.DBusException) as e:
229
pass
230
self.group = None
231
self.remove()
232
def server_state_changed(self, state, error=None):
233
"""Derived from the Avahi example code"""
234
logger.debug("Avahi server state change: %i", state)
235
bad_states = { avahi.SERVER_INVALID:
236
"Zeroconf server invalid",
237
avahi.SERVER_REGISTERING: None,
238
avahi.SERVER_COLLISION:
239
"Zeroconf server name collision",
240
avahi.SERVER_FAILURE:
241
"Zeroconf server failure" }
242
if state in bad_states:
243
if bad_states[state] is not None:
244
if error is None:
245
logger.error(bad_states[state])
246
else:
247
logger.error(bad_states[state] + ": %r", error)
248
self.cleanup()
249
elif state == avahi.SERVER_RUNNING:
250
self.add()
251
else:
252
if error is None:
253
logger.debug("Unknown state: %r", state)
254
else:
255
logger.debug("Unknown state: %r: %r", state, error)
256
def activate(self):
257
"""Derived from the Avahi example code"""
258
if self.server is None:
259
self.server = dbus.Interface(
260
self.bus.get_object(avahi.DBUS_NAME,
261
avahi.DBUS_PATH_SERVER,
262
follow_name_owner_changes=True),
263
avahi.DBUS_INTERFACE_SERVER)
264
self.server.connect_to_signal("StateChanged",
265
self.server_state_changed)
266
self.server_state_changed(self.server.GetState())
267
268
269
def _timedelta_to_milliseconds(td):
270
"Convert a datetime.timedelta() to milliseconds"
271
return ((td.days * 24 * 60 * 60 * 1000)
272
+ (td.seconds * 1000)
273
+ (td.microseconds // 1000))
274
275
class Client(object):
179
276
"""A representation of a client host served by this server.
277
180
278
Attributes:
181
name: string; from the config file, used in log messages
279
_approved: bool(); 'None' if not yet approved/disapproved
280
approval_delay: datetime.timedelta(); Time to wait for approval
281
approval_duration: datetime.timedelta(); Duration of one approval
282
checker: subprocess.Popen(); a running checker process used
283
to see if the client lives.
284
'None' if no process is running.
285
checker_callback_tag: a gobject event source tag, or None
286
checker_command: string; External command which is run to check
287
if client lives. %() expansions are done at
288
runtime with vars(self) as dict, so that for
289
instance %(name)s can be used in the command.
290
checker_initiator_tag: a gobject event source tag, or None
291
created: datetime.datetime(); (UTC) object creation
292
current_checker_command: string; current running checker_command
293
disable_hook: If set, called by disable() as disable_hook(self)
294
disable_initiator_tag: a gobject event source tag, or None
295
enabled: bool()
182
296
fingerprint: string (40 or 32 hexadecimal digits); used to
183
297
uniquely identify the client
184
secret: bytestring; sent verbatim (over TLS) to client
185
298
host: string; available for use by the checker command
186
created: datetime.datetime(); (UTC) object creation
299
interval: datetime.timedelta(); How often to start a new checker
300
last_approval_request: datetime.datetime(); (UTC) or None
301
last_checked_ok: datetime.datetime(); (UTC) or None
187
302
last_enabled: datetime.datetime(); (UTC)
188
enabled: bool()
189
last_checked_ok: datetime.datetime(); (UTC) or None
303
name: string; from the config file, used in log messages and
304
D-Bus identifiers
305
secret: bytestring; sent verbatim (over TLS) to client
190
306
timeout: datetime.timedelta(); How long from last_checked_ok
191
until this client is invalid
192
interval: datetime.timedelta(); How often to start a new checker
193
disable_hook: If set, called by disable() as disable_hook(self)
194
checker: subprocess.Popen(); a running checker process used
195
to see if the client lives.
196
'None' if no process is running.
197
checker_initiator_tag: a gobject event source tag, or None
198
disable_initiator_tag: - '' -
199
checker_callback_tag: - '' -
200
checker_command: string; External command which is run to check if
201
client lives. %() expansions are done at
202
runtime with vars(self) as dict, so that for
203
instance %(name)s can be used in the command.
204
use_dbus: bool(); Whether to provide D-Bus interface and signals
205
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
307
until this client is disabled
308
extended_timeout: extra long timeout when password has been sent
309
runtime_expansions: Allowed attributes for runtime expansion.
310
expires: datetime.datetime(); time (UTC) when a client will be
311
disabled, or None
206
312
"""
313
314
runtime_expansions = ("approval_delay", "approval_duration",
315
"created", "enabled", "fingerprint",
316
"host", "interval", "last_checked_ok",
317
"last_enabled", "name", "timeout")
318
207
319
def timeout_milliseconds(self):
208
320
"Return the 'timeout' attribute in milliseconds"
209
return ((self.timeout.days * 24 * 60 * 60 * 1000)
210
+ (self.timeout.seconds * 1000)
211
+ (self.timeout.microseconds // 1000))
321
return _timedelta_to_milliseconds(self.timeout)
322
323
def extended_timeout_milliseconds(self):
324
"Return the 'extended_timeout' attribute in milliseconds"
325
return _timedelta_to_milliseconds(self.extended_timeout)
212
326
213
327
def interval_milliseconds(self):
214
328
"Return the 'interval' attribute in milliseconds"
215
return ((self.interval.days * 24 * 60 * 60 * 1000)
216
+ (self.interval.seconds * 1000)
217
+ (self.interval.microseconds // 1000))
218
219
def __init__(self, name = None, disable_hook=None, config=None,
220
use_dbus=True):
329
return _timedelta_to_milliseconds(self.interval)
330
331
def approval_delay_milliseconds(self):
332
return _timedelta_to_milliseconds(self.approval_delay)
333
334
def __init__(self, name = None, disable_hook=None, config=None):
221
335
"""Note: the 'checker' key in 'config' sets the
222
336
'checker_command' attribute and *not* the 'checker'
223
337
attribute."""
224
338
self.name = name
225
339
if config is None:
226
340
config = {}
227
logger.debug(u"Creating client %r", self.name)
228
self.use_dbus = use_dbus
229
if self.use_dbus:
230
self.dbus_object_path = (dbus.ObjectPath
231
("/Mandos/clients/"
232
+ self.name.replace(".", "_")))
233
dbus.service.Object.__init__(self, bus,
234
self.dbus_object_path)
341
logger.debug("Creating client %r", self.name)
235
342
# Uppercase and remove spaces from fingerprint for later
236
343
# comparison purposes with return value from the fingerprint()
237
344
# function
238
345
self.fingerprint = (config["fingerprint"].upper()
239
.replace(u" ", u""))
240
logger.debug(u" Fingerprint: %s", self.fingerprint)
346
.replace(" ", ""))
347
logger.debug(" Fingerprint: %s", self.fingerprint)
241
348
if "secret" in config:
242
self.secret = config["secret"].decode(u"base64")
349
self.secret = config["secret"].decode("base64")
243
350
elif "secfile" in config:
244
with closing(open(os.path.expanduser
245
(os.path.expandvars
246
(config["secfile"])))) as secfile:
351
with open(os.path.expanduser(os.path.expandvars
352
(config["secfile"])),
353
"rb") as secfile:
247
354
self.secret = secfile.read()
248
355
else:
249
raise TypeError(u"No secret or secfile for client %s"
356
raise TypeError("No secret or secfile for client %s"
250
357
% self.name)
251
358
self.host = config.get("host", "")
252
359
self.created = datetime.datetime.utcnow()
253
360
self.enabled = False
361
self.last_approval_request = None
254
362
self.last_enabled = None
255
363
self.last_checked_ok = None
256
364
self.timeout = string_to_delta(config["timeout"])
365
self.extended_timeout = string_to_delta(config
366
["extended_timeout"])
257
367
self.interval = string_to_delta(config["interval"])
258
368
self.disable_hook = disable_hook
259
369
self.checker = None
260
370
self.checker_initiator_tag = None
261
371
self.disable_initiator_tag = None
372
self.expires = None
262
373
self.checker_callback_tag = None
263
374
self.checker_command = config["checker"]
375
self.current_checker_command = None
376
self.last_connect = None
377
self._approved = None
378
self.approved_by_default = config.get("approved_by_default",
379
True)
380
self.approvals_pending = 0
381
self.approval_delay = string_to_delta(
382
config["approval_delay"])
383
self.approval_duration = string_to_delta(
384
config["approval_duration"])
385
self.changedstate = (multiprocessing_manager
386
.Condition(multiprocessing_manager
387
.Lock()))
388
389
def send_changedstate(self):
390
self.changedstate.acquire()
391
self.changedstate.notify_all()
392
self.changedstate.release()
264
393
265
394
def enable(self):
266
395
"""Start this client's checker and timeout hooks"""
267
self.last_enabled = datetime.datetime.utcnow()
396
if getattr(self, "enabled", False):
397
# Already enabled
398
return
399
self.send_changedstate()
268
400
# Schedule a new checker to be started an 'interval' from now,
269
401
# and every interval from then on.
270
402
self.checker_initiator_tag = (gobject.timeout_add
271
403
(self.interval_milliseconds(),
272
404
self.start_checker))
273
# Also start a new checker *right now*.
274
self.start_checker()
275
405
# Schedule a disable() when 'timeout' has passed
406
self.expires = datetime.datetime.utcnow() + self.timeout
276
407
self.disable_initiator_tag = (gobject.timeout_add
277
408
(self.timeout_milliseconds(),
278
409
self.disable))
279
410
self.enabled = True
280
if self.use_dbus:
281
# Emit D-Bus signals
282
self.PropertyChanged(dbus.String(u"enabled"),
283
dbus.Boolean(True, variant_level=1))
284
self.PropertyChanged(dbus.String(u"last_enabled"),
285
(_datetime_to_dbus(self.last_enabled,
286
variant_level=1)))
411
self.last_enabled = datetime.datetime.utcnow()
412
# Also start a new checker *right now*.
413
self.start_checker()
287
414
288
def disable(self):
415
def disable(self, quiet=True):
289
416
"""Disable this client."""
290
417
if not getattr(self, "enabled", False):
291
418
return False
292
logger.info(u"Disabling client %s", self.name)
419
if not quiet:
420
self.send_changedstate()
421
if not quiet:
422
logger.info("Disabling client %s", self.name)
293
423
if getattr(self, "disable_initiator_tag", False):
294
424
gobject.source_remove(self.disable_initiator_tag)
295
425
self.disable_initiator_tag = None
426
self.expires = None
296
427
if getattr(self, "checker_initiator_tag", False):
297
428
gobject.source_remove(self.checker_initiator_tag)
298
429
self.checker_initiator_tag = None
300
431
if self.disable_hook:
301
432
self.disable_hook(self)
302
433
self.enabled = False
303
if self.use_dbus:
304
# Emit D-Bus signal
305
self.PropertyChanged(dbus.String(u"enabled"),
306
dbus.Boolean(False, variant_level=1))
307
434
# Do not run this again if called by a gobject.timeout_add
308
435
return False
309
436
315
442
"""The checker has completed, so take appropriate actions."""
316
443
self.checker_callback_tag = None
317
444
self.checker = None
318
if self.use_dbus:
319
# Emit D-Bus signal
320
self.PropertyChanged(dbus.String(u"checker_running"),
321
dbus.Boolean(False, variant_level=1))
322
if (os.WIFEXITED(condition)
323
and (os.WEXITSTATUS(condition) == 0)):
324
logger.info(u"Checker for %(name)s succeeded",
325
vars(self))
326
if self.use_dbus:
327
# Emit D-Bus signal
328
self.CheckerCompleted(dbus.Boolean(True),
329
dbus.UInt16(condition),
330
dbus.String(command))
331
self.bump_timeout()
332
elif not os.WIFEXITED(condition):
333
logger.warning(u"Checker for %(name)s crashed?",
445
if os.WIFEXITED(condition):
446
exitstatus = os.WEXITSTATUS(condition)
447
if exitstatus == 0:
448
logger.info("Checker for %(name)s succeeded",
449
vars(self))
450
self.checked_ok()
451
else:
452
logger.info("Checker for %(name)s failed",
453
vars(self))
454
else:
455
logger.warning("Checker for %(name)s crashed?",
334
456
vars(self))
335
if self.use_dbus:
336
# Emit D-Bus signal
337
self.CheckerCompleted(dbus.Boolean(False),
338
dbus.UInt16(condition),
339
dbus.String(command))
340
else:
341
logger.info(u"Checker for %(name)s failed",
342
vars(self))
343
if self.use_dbus:
344
# Emit D-Bus signal
345
self.CheckerCompleted(dbus.Boolean(False),
346
dbus.UInt16(condition),
347
dbus.String(command))
348
457
349
def bump_timeout(self):
458
def checked_ok(self, timeout=None):
350
459
"""Bump up the timeout for this client.
460
351
461
This should only be called when the client has been seen,
352
462
alive and well.
353
463
"""
464
if timeout is None:
465
timeout = self.timeout
354
466
self.last_checked_ok = datetime.datetime.utcnow()
355
gobject.source_remove(self.disable_initiator_tag)
356
self.disable_initiator_tag = (gobject.timeout_add
357
(self.timeout_milliseconds(),
358
self.disable))
359
if self.use_dbus:
360
# Emit D-Bus signal
361
self.PropertyChanged(
362
dbus.String(u"last_checked_ok"),
363
(_datetime_to_dbus(self.last_checked_ok,
364
variant_level=1)))
467
if self.disable_initiator_tag is not None:
468
gobject.source_remove(self.disable_initiator_tag)
469
if getattr(self, "enabled", False):
470
self.disable_initiator_tag = (gobject.timeout_add
471
(_timedelta_to_milliseconds
472
(timeout), self.disable))
473
self.expires = datetime.datetime.utcnow() + timeout
474
475
def need_approval(self):
476
self.last_approval_request = datetime.datetime.utcnow()
365
477
366
478
def start_checker(self):
367
479
"""Start a new checker subprocess if one is not running.
480
368
481
If a checker already exists, leave it running and do
369
482
nothing."""
370
483
# The reason for not killing a running checker is that if we
373
486
# client would inevitably timeout, since no checker would get
374
487
# a chance to run to completion. If we instead leave running
375
488
# checkers alone, the checker would have to take more time
376
# than 'timeout' for the client to be declared invalid, which
377
# is as it should be.
489
# than 'timeout' for the client to be disabled, which is as it
490
# should be.
491
492
# If a checker exists, make sure it is not a zombie
493
try:
494
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
495
except (AttributeError, OSError) as error:
496
if (isinstance(error, OSError)
497
and error.errno != errno.ECHILD):
498
raise error
499
else:
500
if pid:
501
logger.warning("Checker was a zombie")
502
gobject.source_remove(self.checker_callback_tag)
503
self.checker_callback(pid, status,
504
self.current_checker_command)
505
# Start a new checker if needed
378
506
if self.checker is None:
379
507
try:
380
508
# In case checker_command has exactly one % operator
381
509
command = self.checker_command % self.host
382
510
except TypeError:
383
511
# Escape attributes for the shell
384
escaped_attrs = dict((key, re.escape(str(val)))
385
for key, val in
386
vars(self).iteritems())
512
escaped_attrs = dict(
513
(attr,
514
re.escape(unicode(str(getattr(self, attr, "")),
515
errors=
516
'replace')))
517
for attr in
518
self.runtime_expansions)
519
387
520
try:
388
521
command = self.checker_command % escaped_attrs
389
except TypeError, error:
390
logger.error(u'Could not format string "%s":'
391
u' %s', self.checker_command, error)
522
except TypeError as error:
523
logger.error('Could not format string "%s":'
524
' %s', self.checker_command, error)
392
525
return True # Try again later
526
self.current_checker_command = command
393
527
try:
394
logger.info(u"Starting checker %r for %s",
528
logger.info("Starting checker %r for %s",
395
529
command, self.name)
396
530
# We don't need to redirect stdout and stderr, since
397
531
# in normal mode, that is already done by daemon(),
400
534
self.checker = subprocess.Popen(command,
401
535
close_fds=True,
402
536
shell=True, cwd="/")
403
if self.use_dbus:
404
# Emit D-Bus signal
405
self.CheckerStarted(command)
406
self.PropertyChanged(
407
dbus.String("checker_running"),
408
dbus.Boolean(True, variant_level=1))
409
537
self.checker_callback_tag = (gobject.child_watch_add
410
538
(self.checker.pid,
411
539
self.checker_callback,
412
540
data=command))
413
except OSError, error:
414
logger.error(u"Failed to start subprocess: %s",
541
# The checker may have completed before the gobject
542
# watch was added. Check for this.
543
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
544
if pid:
545
gobject.source_remove(self.checker_callback_tag)
546
self.checker_callback(pid, status, command)
547
except OSError as error:
548
logger.error("Failed to start subprocess: %s",
415
549
error)
416
550
# Re-run this periodically if run by gobject.timeout_add
417
551
return True
423
557
self.checker_callback_tag = None
424
558
if getattr(self, "checker", None) is None:
425
559
return
426
logger.debug(u"Stopping checker for %(name)s", vars(self))
560
logger.debug("Stopping checker for %(name)s", vars(self))
427
561
try:
428
562
os.kill(self.checker.pid, signal.SIGTERM)
429
#os.sleep(0.5)
563
#time.sleep(0.5)
430
564
#if self.checker.poll() is None:
431
565
# os.kill(self.checker.pid, signal.SIGKILL)
432
except OSError, error:
566
except OSError as error:
433
567
if error.errno != errno.ESRCH: # No such process
434
568
raise
435
569
self.checker = None
436
if self.use_dbus:
437
self.PropertyChanged(dbus.String(u"checker_running"),
438
dbus.Boolean(False, variant_level=1))
439
440
def still_valid(self):
441
"""Has the timeout not yet passed for this client?"""
442
if not getattr(self, "enabled", False):
443
return False
444
now = datetime.datetime.utcnow()
445
if self.last_checked_ok is None:
446
return now < (self.created + self.timeout)
447
else:
448
return now < (self.last_checked_ok + self.timeout)
449
450
## D-Bus methods & signals
451
_interface = u"org.mandos_system.Mandos.Client"
452
453
# BumpTimeout - method
454
BumpTimeout = dbus.service.method(_interface)(bump_timeout)
455
BumpTimeout.__name__ = "BumpTimeout"
570
571
572
def dbus_service_property(dbus_interface, signature="v",
573
access="readwrite", byte_arrays=False):
574
"""Decorators for marking methods of a DBusObjectWithProperties to
575
become properties on the D-Bus.
576
577
The decorated method will be called with no arguments by "Get"
578
and with one argument by "Set".
579
580
The parameters, where they are supported, are the same as
581
dbus.service.method, except there is only "signature", since the
582
type from Get() and the type sent to Set() is the same.
583
"""
584
# Encoding deeply encoded byte arrays is not supported yet by the
585
# "Set" method, so we fail early here:
586
if byte_arrays and signature != "ay":
587
raise ValueError("Byte arrays not supported for non-'ay'"
588
" signature %r" % signature)
589
def decorator(func):
590
func._dbus_is_property = True
591
func._dbus_interface = dbus_interface
592
func._dbus_signature = signature
593
func._dbus_access = access
594
func._dbus_name = func.__name__
595
if func._dbus_name.endswith("_dbus_property"):
596
func._dbus_name = func._dbus_name[:-14]
597
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
598
return func
599
return decorator
600
601
602
class DBusPropertyException(dbus.exceptions.DBusException):
603
"""A base class for D-Bus property-related exceptions
604
"""
605
def __unicode__(self):
606
return unicode(str(self))
607
608
609
class DBusPropertyAccessException(DBusPropertyException):
610
"""A property's access permissions disallows an operation.
611
"""
612
pass
613
614
615
class DBusPropertyNotFound(DBusPropertyException):
616
"""An attempt was made to access a non-existing property.
617
"""
618
pass
619
620
621
class DBusObjectWithProperties(dbus.service.Object):
622
"""A D-Bus object with properties.
623
624
Classes inheriting from this can use the dbus_service_property
625
decorator to expose methods as D-Bus properties. It exposes the
626
standard Get(), Set(), and GetAll() methods on the D-Bus.
627
"""
628
629
@staticmethod
630
def _is_dbus_property(obj):
631
return getattr(obj, "_dbus_is_property", False)
632
633
def _get_all_dbus_properties(self):
634
"""Returns a generator of (name, attribute) pairs
635
"""
636
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
637
for cls in self.__class__.__mro__
638
for name, prop in
639
inspect.getmembers(cls, self._is_dbus_property))
640
641
def _get_dbus_property(self, interface_name, property_name):
642
"""Returns a bound method if one exists which is a D-Bus
643
property with the specified name and interface.
644
"""
645
for cls in self.__class__.__mro__:
646
for name, value in (inspect.getmembers
647
(cls, self._is_dbus_property)):
648
if (value._dbus_name == property_name
649
and value._dbus_interface == interface_name):
650
return value.__get__(self)
651
652
# No such property
653
raise DBusPropertyNotFound(self.dbus_object_path + ":"
654
+ interface_name + "."
655
+ property_name)
656
657
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
658
out_signature="v")
659
def Get(self, interface_name, property_name):
660
"""Standard D-Bus property Get() method, see D-Bus standard.
661
"""
662
prop = self._get_dbus_property(interface_name, property_name)
663
if prop._dbus_access == "write":
664
raise DBusPropertyAccessException(property_name)
665
value = prop()
666
if not hasattr(value, "variant_level"):
667
return value
668
return type(value)(value, variant_level=value.variant_level+1)
669
670
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
671
def Set(self, interface_name, property_name, value):
672
"""Standard D-Bus property Set() method, see D-Bus standard.
673
"""
674
prop = self._get_dbus_property(interface_name, property_name)
675
if prop._dbus_access == "read":
676
raise DBusPropertyAccessException(property_name)
677
if prop._dbus_get_args_options["byte_arrays"]:
678
# The byte_arrays option is not supported yet on
679
# signatures other than "ay".
680
if prop._dbus_signature != "ay":
681
raise ValueError
682
value = dbus.ByteArray(''.join(unichr(byte)
683
for byte in value))
684
prop(value)
685
686
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
687
out_signature="a{sv}")
688
def GetAll(self, interface_name):
689
"""Standard D-Bus property GetAll() method, see D-Bus
690
standard.
691
692
Note: Will not include properties with access="write".
693
"""
694
all = {}
695
for name, prop in self._get_all_dbus_properties():
696
if (interface_name
697
and interface_name != prop._dbus_interface):
698
# Interface non-empty but did not match
699
continue
700
# Ignore write-only properties
701
if prop._dbus_access == "write":
702
continue
703
value = prop()
704
if not hasattr(value, "variant_level"):
705
all[name] = value
706
continue
707
all[name] = type(value)(value, variant_level=
708
value.variant_level+1)
709
return dbus.Dictionary(all, signature="sv")
710
711
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
712
out_signature="s",
713
path_keyword='object_path',
714
connection_keyword='connection')
715
def Introspect(self, object_path, connection):
716
"""Standard D-Bus method, overloaded to insert property tags.
717
"""
718
xmlstring = dbus.service.Object.Introspect(self, object_path,
719
connection)
720
try:
721
document = xml.dom.minidom.parseString(xmlstring)
722
def make_tag(document, name, prop):
723
e = document.createElement("property")
724
e.setAttribute("name", name)
725
e.setAttribute("type", prop._dbus_signature)
726
e.setAttribute("access", prop._dbus_access)
727
return e
728
for if_tag in document.getElementsByTagName("interface"):
729
for tag in (make_tag(document, name, prop)
730
for name, prop
731
in self._get_all_dbus_properties()
732
if prop._dbus_interface
733
== if_tag.getAttribute("name")):
734
if_tag.appendChild(tag)
735
# Add the names to the return values for the
736
# "org.freedesktop.DBus.Properties" methods
737
if (if_tag.getAttribute("name")
738
== "org.freedesktop.DBus.Properties"):
739
for cn in if_tag.getElementsByTagName("method"):
740
if cn.getAttribute("name") == "Get":
741
for arg in cn.getElementsByTagName("arg"):
742
if (arg.getAttribute("direction")
743
== "out"):
744
arg.setAttribute("name", "value")
745
elif cn.getAttribute("name") == "GetAll":
746
for arg in cn.getElementsByTagName("arg"):
747
if (arg.getAttribute("direction")
748
== "out"):
749
arg.setAttribute("name", "props")
750
xmlstring = document.toxml("utf-8")
751
document.unlink()
752
except (AttributeError, xml.dom.DOMException,
753
xml.parsers.expat.ExpatError) as error:
754
logger.error("Failed to override Introspection method",
755
error)
756
return xmlstring
757
758
759
def datetime_to_dbus (dt, variant_level=0):
760
"""Convert a UTC datetime.datetime() to a D-Bus type."""
761
if dt is None:
762
return dbus.String("", variant_level = variant_level)
763
return dbus.String(dt.isoformat(),
764
variant_level=variant_level)
765
766
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
767
.__metaclass__):
768
"""Applied to an empty subclass of a D-Bus object, this metaclass
769
will add additional D-Bus attributes matching a certain pattern.
770
"""
771
def __new__(mcs, name, bases, attr):
772
# Go through all the base classes which could have D-Bus
773
# methods, signals, or properties in them
774
for base in (b for b in bases
775
if issubclass(b, dbus.service.Object)):
776
# Go though all attributes of the base class
777
for attrname, attribute in inspect.getmembers(base):
778
# Ignore non-D-Bus attributes, and D-Bus attributes
779
# with the wrong interface name
780
if (not hasattr(attribute, "_dbus_interface")
781
or not attribute._dbus_interface
782
.startswith("se.recompile.Mandos")):
783
continue
784
# Create an alternate D-Bus interface name based on
785
# the current name
786
alt_interface = (attribute._dbus_interface
787
.replace("se.recompile.Mandos",
788
"se.bsnet.fukt.Mandos"))
789
# Is this a D-Bus signal?
790
if getattr(attribute, "_dbus_is_signal", False):
791
# Extract the original non-method function by
792
# black magic
793
nonmethod_func = (dict(
794
zip(attribute.func_code.co_freevars,
795
attribute.__closure__))["func"]
796
.cell_contents)
797
# Create a new, but exactly alike, function
798
# object, and decorate it to be a new D-Bus signal
799
# with the alternate D-Bus interface name
800
new_function = (dbus.service.signal
801
(alt_interface,
802
attribute._dbus_signature)
803
(types.FunctionType(
804
nonmethod_func.func_code,
805
nonmethod_func.func_globals,
806
nonmethod_func.func_name,
807
nonmethod_func.func_defaults,
808
nonmethod_func.func_closure)))
809
# Define a creator of a function to call both the
810
# old and new functions, so both the old and new
811
# signals gets sent when the function is called
812
def fixscope(func1, func2):
813
"""This function is a scope container to pass
814
func1 and func2 to the "call_both" function
815
outside of its arguments"""
816
def call_both(*args, **kwargs):
817
"""This function will emit two D-Bus
818
signals by calling func1 and func2"""
819
func1(*args, **kwargs)
820
func2(*args, **kwargs)
821
return call_both
822
# Create the "call_both" function and add it to
823
# the class
824
attr[attrname] = fixscope(attribute,
825
new_function)
826
# Is this a D-Bus method?
827
elif getattr(attribute, "_dbus_is_method", False):
828
# Create a new, but exactly alike, function
829
# object. Decorate it to be a new D-Bus method
830
# with the alternate D-Bus interface name. Add it
831
# to the class.
832
attr[attrname] = (dbus.service.method
833
(alt_interface,
834
attribute._dbus_in_signature,
835
attribute._dbus_out_signature)
836
(types.FunctionType
837
(attribute.func_code,
838
attribute.func_globals,
839
attribute.func_name,
840
attribute.func_defaults,
841
attribute.func_closure)))
842
# Is this a D-Bus property?
843
elif getattr(attribute, "_dbus_is_property", False):
844
# Create a new, but exactly alike, function
845
# object, and decorate it to be a new D-Bus
846
# property with the alternate D-Bus interface
847
# name. Add it to the class.
848
attr[attrname] = (dbus_service_property
849
(alt_interface,
850
attribute._dbus_signature,
851
attribute._dbus_access,
852
attribute
853
._dbus_get_args_options
854
["byte_arrays"])
855
(types.FunctionType
856
(attribute.func_code,
857
attribute.func_globals,
858
attribute.func_name,
859
attribute.func_defaults,
860
attribute.func_closure)))
861
return type.__new__(mcs, name, bases, attr)
862
863
class ClientDBus(Client, DBusObjectWithProperties):
864
"""A Client class using D-Bus
865
866
Attributes:
867
dbus_object_path: dbus.ObjectPath
868
bus: dbus.SystemBus()
869
"""
870
871
runtime_expansions = (Client.runtime_expansions
872
+ ("dbus_object_path",))
873
874
# dbus.service.Object doesn't use super(), so we can't either.
875
876
def __init__(self, bus = None, *args, **kwargs):
877
self._approvals_pending = 0
878
self.bus = bus
879
Client.__init__(self, *args, **kwargs)
880
# Only now, when this client is initialized, can it show up on
881
# the D-Bus
882
client_object_name = unicode(self.name).translate(
883
{ord("."): ord("_"),
884
ord("-"): ord("_")})
885
self.dbus_object_path = (dbus.ObjectPath
886
("/clients/" + client_object_name))
887
DBusObjectWithProperties.__init__(self, self.bus,
888
self.dbus_object_path)
889
890
def notifychangeproperty(transform_func,
891
dbus_name, type_func=lambda x: x,
892
variant_level=1):
893
""" Modify a variable so that it's a property which announces
894
its changes to DBus.
895
896
transform_fun: Function that takes a value and a variant_level
897
and transforms it to a D-Bus type.
898
dbus_name: D-Bus name of the variable
899
type_func: Function that transform the value before sending it
900
to the D-Bus. Default: no transform
901
variant_level: D-Bus variant level. Default: 1
902
"""
903
attrname = "_{0}".format(dbus_name)
904
def setter(self, value):
905
if hasattr(self, "dbus_object_path"):
906
if (not hasattr(self, attrname) or
907
type_func(getattr(self, attrname, None))
908
!= type_func(value)):
909
dbus_value = transform_func(type_func(value),
910
variant_level
911
=variant_level)
912
self.PropertyChanged(dbus.String(dbus_name),
913
dbus_value)
914
setattr(self, attrname, value)
915
916
return property(lambda self: getattr(self, attrname), setter)
917
918
919
expires = notifychangeproperty(datetime_to_dbus, "Expires")
920
approvals_pending = notifychangeproperty(dbus.Boolean,
921
"ApprovalPending",
922
type_func = bool)
923
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
924
last_enabled = notifychangeproperty(datetime_to_dbus,
925
"LastEnabled")
926
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
927
type_func = lambda checker:
928
checker is not None)
929
last_checked_ok = notifychangeproperty(datetime_to_dbus,
930
"LastCheckedOK")
931
last_approval_request = notifychangeproperty(
932
datetime_to_dbus, "LastApprovalRequest")
933
approved_by_default = notifychangeproperty(dbus.Boolean,
934
"ApprovedByDefault")
935
approval_delay = notifychangeproperty(dbus.UInt16,
936
"ApprovalDelay",
937
type_func =
938
_timedelta_to_milliseconds)
939
approval_duration = notifychangeproperty(
940
dbus.UInt16, "ApprovalDuration",
941
type_func = _timedelta_to_milliseconds)
942
host = notifychangeproperty(dbus.String, "Host")
943
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
944
type_func =
945
_timedelta_to_milliseconds)
946
extended_timeout = notifychangeproperty(
947
dbus.UInt16, "ExtendedTimeout",
948
type_func = _timedelta_to_milliseconds)
949
interval = notifychangeproperty(dbus.UInt16,
950
"Interval",
951
type_func =
952
_timedelta_to_milliseconds)
953
checker_command = notifychangeproperty(dbus.String, "Checker")
954
955
del notifychangeproperty
956
957
def __del__(self, *args, **kwargs):
958
try:
959
self.remove_from_connection()
960
except LookupError:
961
pass
962
if hasattr(DBusObjectWithProperties, "__del__"):
963
DBusObjectWithProperties.__del__(self, *args, **kwargs)
964
Client.__del__(self, *args, **kwargs)
965
966
def checker_callback(self, pid, condition, command,
967
*args, **kwargs):
968
self.checker_callback_tag = None
969
self.checker = None
970
if os.WIFEXITED(condition):
971
exitstatus = os.WEXITSTATUS(condition)
972
# Emit D-Bus signal
973
self.CheckerCompleted(dbus.Int16(exitstatus),
974
dbus.Int64(condition),
975
dbus.String(command))
976
else:
977
# Emit D-Bus signal
978
self.CheckerCompleted(dbus.Int16(-1),
979
dbus.Int64(condition),
980
dbus.String(command))
981
982
return Client.checker_callback(self, pid, condition, command,
983
*args, **kwargs)
984
985
def start_checker(self, *args, **kwargs):
986
old_checker = self.checker
987
if self.checker is not None:
988
old_checker_pid = self.checker.pid
989
else:
990
old_checker_pid = None
991
r = Client.start_checker(self, *args, **kwargs)
992
# Only if new checker process was started
993
if (self.checker is not None
994
and old_checker_pid != self.checker.pid):
995
# Emit D-Bus signal
996
self.CheckerStarted(self.current_checker_command)
997
return r
998
999
def _reset_approved(self):
1000
self._approved = None
1001
return False
1002
1003
def approve(self, value=True):
1004
self.send_changedstate()
1005
self._approved = value
1006
gobject.timeout_add(_timedelta_to_milliseconds
1007
(self.approval_duration),
1008
self._reset_approved)
1009
1010
1011
## D-Bus methods, signals & properties
1012
_interface = "se.recompile.Mandos.Client"
1013
1014
## Signals
456
1015
457
1016
# CheckerCompleted - signal
458
@dbus.service.signal(_interface, signature="bqs")
459
def CheckerCompleted(self, success, condition, command):
1017
@dbus.service.signal(_interface, signature="nxs")
1018
def CheckerCompleted(self, exitcode, waitstatus, command):
460
1019
"D-Bus signal"
461
1020
pass
462
1021
466
1025
"D-Bus signal"
467
1026
pass
468
1027
469
# GetAllProperties - method
470
@dbus.service.method(_interface, out_signature="a{sv}")
471
def GetAllProperties(self):
472
"D-Bus method"
473
return dbus.Dictionary({
474
dbus.String("name"):
475
dbus.String(self.name, variant_level=1),
476
dbus.String("fingerprint"):
477
dbus.String(self.fingerprint, variant_level=1),
478
dbus.String("host"):
479
dbus.String(self.host, variant_level=1),
480
dbus.String("created"):
481
_datetime_to_dbus(self.created, variant_level=1),
482
dbus.String("last_enabled"):
483
(_datetime_to_dbus(self.last_enabled,
484
variant_level=1)
485
if self.last_enabled is not None
486
else dbus.Boolean(False, variant_level=1)),
487
dbus.String("enabled"):
488
dbus.Boolean(self.enabled, variant_level=1),
489
dbus.String("last_checked_ok"):
490
(_datetime_to_dbus(self.last_checked_ok,
491
variant_level=1)
492
if self.last_checked_ok is not None
493
else dbus.Boolean (False, variant_level=1)),
494
dbus.String("timeout"):
495
dbus.UInt64(self.timeout_milliseconds(),
496
variant_level=1),
497
dbus.String("interval"):
498
dbus.UInt64(self.interval_milliseconds(),
499
variant_level=1),
500
dbus.String("checker"):
501
dbus.String(self.checker_command,
502
variant_level=1),
503
dbus.String("checker_running"):
504
dbus.Boolean(self.checker is not None,
505
variant_level=1),
506
}, signature="sv")
507
508
# IsStillValid - method
509
IsStillValid = (dbus.service.method(_interface, out_signature="b")
510
(still_valid))
511
IsStillValid.__name__ = "IsStillValid"
512
513
1028
# PropertyChanged - signal
514
1029
@dbus.service.signal(_interface, signature="sv")
515
1030
def PropertyChanged(self, property, value):
516
1031
"D-Bus signal"
517
1032
pass
518
1033
519
# SetChecker - method
520
@dbus.service.method(_interface, in_signature="s")
521
def SetChecker(self, checker):
522
"D-Bus setter method"
523
self.checker_command = checker
524
# Emit D-Bus signal
525
self.PropertyChanged(dbus.String(u"checker"),
526
dbus.String(self.checker_command,
527
variant_level=1))
528
529
# SetHost - method
530
@dbus.service.method(_interface, in_signature="s")
531
def SetHost(self, host):
532
"D-Bus setter method"
533
self.host = host
534
# Emit D-Bus signal
535
self.PropertyChanged(dbus.String(u"host"),
536
dbus.String(self.host, variant_level=1))
537
538
# SetInterval - method
539
@dbus.service.method(_interface, in_signature="t")
540
def SetInterval(self, milliseconds):
541
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
542
# Emit D-Bus signal
543
self.PropertyChanged(dbus.String(u"interval"),
544
(dbus.UInt64(self.interval_milliseconds(),
545
variant_level=1)))
546
547
# SetSecret - method
548
@dbus.service.method(_interface, in_signature="ay",
549
byte_arrays=True)
550
def SetSecret(self, secret):
551
"D-Bus setter method"
552
self.secret = str(secret)
553
554
# SetTimeout - method
555
@dbus.service.method(_interface, in_signature="t")
556
def SetTimeout(self, milliseconds):
557
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
558
# Emit D-Bus signal
559
self.PropertyChanged(dbus.String(u"timeout"),
560
(dbus.UInt64(self.timeout_milliseconds(),
561
variant_level=1)))
1034
# GotSecret - signal
1035
@dbus.service.signal(_interface)
1036
def GotSecret(self):
1037
"""D-Bus signal
1038
Is sent after a successful transfer of secret from the Mandos
1039
server to mandos-client
1040
"""
1041
pass
1042
1043
# Rejected - signal
1044
@dbus.service.signal(_interface, signature="s")
1045
def Rejected(self, reason):
1046
"D-Bus signal"
1047
pass
1048
1049
# NeedApproval - signal
1050
@dbus.service.signal(_interface, signature="tb")
1051
def NeedApproval(self, timeout, default):
1052
"D-Bus signal"
1053
return self.need_approval()
1054
1055
## Methods
1056
1057
# Approve - method
1058
@dbus.service.method(_interface, in_signature="b")
1059
def Approve(self, value):
1060
self.approve(value)
1061
1062
# CheckedOK - method
1063
@dbus.service.method(_interface)
1064
def CheckedOK(self):
1065
self.checked_ok()
562
1066
563
1067
# Enable - method
564
Enable = dbus.service.method(_interface)(enable)
565
Enable.__name__ = "Enable"
1068
@dbus.service.method(_interface)
1069
def Enable(self):
1070
"D-Bus method"
1071
self.enable()
566
1072
567
1073
# StartChecker - method
568
1074
@dbus.service.method(_interface)
577
1083
self.disable()
578
1084
579
1085
# StopChecker - method
580
StopChecker = dbus.service.method(_interface)(stop_checker)
581
StopChecker.__name__ = "StopChecker"
1086
@dbus.service.method(_interface)
1087
def StopChecker(self):
1088
self.stop_checker()
1089
1090
## Properties
1091
1092
# ApprovalPending - property
1093
@dbus_service_property(_interface, signature="b", access="read")
1094
def ApprovalPending_dbus_property(self):
1095
return dbus.Boolean(bool(self.approvals_pending))
1096
1097
# ApprovedByDefault - property
1098
@dbus_service_property(_interface, signature="b",
1099
access="readwrite")
1100
def ApprovedByDefault_dbus_property(self, value=None):
1101
if value is None: # get
1102
return dbus.Boolean(self.approved_by_default)
1103
self.approved_by_default = bool(value)
1104
1105
# ApprovalDelay - property
1106
@dbus_service_property(_interface, signature="t",
1107
access="readwrite")
1108
def ApprovalDelay_dbus_property(self, value=None):
1109
if value is None: # get
1110
return dbus.UInt64(self.approval_delay_milliseconds())
1111
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1112
1113
# ApprovalDuration - property
1114
@dbus_service_property(_interface, signature="t",
1115
access="readwrite")
1116
def ApprovalDuration_dbus_property(self, value=None):
1117
if value is None: # get
1118
return dbus.UInt64(_timedelta_to_milliseconds(
1119
self.approval_duration))
1120
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1121
1122
# Name - property
1123
@dbus_service_property(_interface, signature="s", access="read")
1124
def Name_dbus_property(self):
1125
return dbus.String(self.name)
1126
1127
# Fingerprint - property
1128
@dbus_service_property(_interface, signature="s", access="read")
1129
def Fingerprint_dbus_property(self):
1130
return dbus.String(self.fingerprint)
1131
1132
# Host - property
1133
@dbus_service_property(_interface, signature="s",
1134
access="readwrite")
1135
def Host_dbus_property(self, value=None):
1136
if value is None: # get
1137
return dbus.String(self.host)
1138
self.host = value
1139
1140
# Created - property
1141
@dbus_service_property(_interface, signature="s", access="read")
1142
def Created_dbus_property(self):
1143
return dbus.String(datetime_to_dbus(self.created))
1144
1145
# LastEnabled - property
1146
@dbus_service_property(_interface, signature="s", access="read")
1147
def LastEnabled_dbus_property(self):
1148
return datetime_to_dbus(self.last_enabled)
1149
1150
# Enabled - property
1151
@dbus_service_property(_interface, signature="b",
1152
access="readwrite")
1153
def Enabled_dbus_property(self, value=None):
1154
if value is None: # get
1155
return dbus.Boolean(self.enabled)
1156
if value:
1157
self.enable()
1158
else:
1159
self.disable()
1160
1161
# LastCheckedOK - property
1162
@dbus_service_property(_interface, signature="s",
1163
access="readwrite")
1164
def LastCheckedOK_dbus_property(self, value=None):
1165
if value is not None:
1166
self.checked_ok()
1167
return
1168
return datetime_to_dbus(self.last_checked_ok)
1169
1170
# Expires - property
1171
@dbus_service_property(_interface, signature="s", access="read")
1172
def Expires_dbus_property(self):
1173
return datetime_to_dbus(self.expires)
1174
1175
# LastApprovalRequest - property
1176
@dbus_service_property(_interface, signature="s", access="read")
1177
def LastApprovalRequest_dbus_property(self):
1178
return datetime_to_dbus(self.last_approval_request)
1179
1180
# Timeout - property
1181
@dbus_service_property(_interface, signature="t",
1182
access="readwrite")
1183
def Timeout_dbus_property(self, value=None):
1184
if value is None: # get
1185
return dbus.UInt64(self.timeout_milliseconds())
1186
self.timeout = datetime.timedelta(0, 0, 0, value)
1187
if getattr(self, "disable_initiator_tag", None) is None:
1188
return
1189
# Reschedule timeout
1190
gobject.source_remove(self.disable_initiator_tag)
1191
self.disable_initiator_tag = None
1192
self.expires = None
1193
time_to_die = _timedelta_to_milliseconds((self
1194
.last_checked_ok
1195
+ self.timeout)
1196
- datetime.datetime
1197
.utcnow())
1198
if time_to_die <= 0:
1199
# The timeout has passed
1200
self.disable()
1201
else:
1202
self.expires = (datetime.datetime.utcnow()
1203
+ datetime.timedelta(milliseconds =
1204
time_to_die))
1205
self.disable_initiator_tag = (gobject.timeout_add
1206
(time_to_die, self.disable))
1207
1208
# ExtendedTimeout - property
1209
@dbus_service_property(_interface, signature="t",
1210
access="readwrite")
1211
def ExtendedTimeout_dbus_property(self, value=None):
1212
if value is None: # get
1213
return dbus.UInt64(self.extended_timeout_milliseconds())
1214
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1215
1216
# Interval - property
1217
@dbus_service_property(_interface, signature="t",
1218
access="readwrite")
1219
def Interval_dbus_property(self, value=None):
1220
if value is None: # get
1221
return dbus.UInt64(self.interval_milliseconds())
1222
self.interval = datetime.timedelta(0, 0, 0, value)
1223
if getattr(self, "checker_initiator_tag", None) is None:
1224
return
1225
# Reschedule checker run
1226
gobject.source_remove(self.checker_initiator_tag)
1227
self.checker_initiator_tag = (gobject.timeout_add
1228
(value, self.start_checker))
1229
self.start_checker() # Start one now, too
1230
1231
# Checker - property
1232
@dbus_service_property(_interface, signature="s",
1233
access="readwrite")
1234
def Checker_dbus_property(self, value=None):
1235
if value is None: # get
1236
return dbus.String(self.checker_command)
1237
self.checker_command = value
1238
1239
# CheckerRunning - property
1240
@dbus_service_property(_interface, signature="b",
1241
access="readwrite")
1242
def CheckerRunning_dbus_property(self, value=None):
1243
if value is None: # get
1244
return dbus.Boolean(self.checker is not None)
1245
if value:
1246
self.start_checker()
1247
else:
1248
self.stop_checker()
1249
1250
# ObjectPath - property
1251
@dbus_service_property(_interface, signature="o", access="read")
1252
def ObjectPath_dbus_property(self):
1253
return self.dbus_object_path # is already a dbus.ObjectPath
1254
1255
# Secret = property
1256
@dbus_service_property(_interface, signature="ay",
1257
access="write", byte_arrays=True)
1258
def Secret_dbus_property(self, value):
1259
self.secret = str(value)
582
1260
583
1261
del _interface
584
1262
585
1263
586
def peer_certificate(session):
587
"Return the peer's OpenPGP certificate as a bytestring"
588
# If not an OpenPGP certificate...
589
if (gnutls.library.functions
590
.gnutls_certificate_type_get(session._c_object)
591
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
592
# ...do the normal thing
593
return session.peer_certificate
594
list_size = ctypes.c_uint()
595
cert_list = (gnutls.library.functions
596
.gnutls_certificate_get_peers
597
(session._c_object, ctypes.byref(list_size)))
598
if list_size.value == 0:
599
return None
600
cert = cert_list[0]
601
return ctypes.string_at(cert.data, cert.size)
602
603
604
def fingerprint(openpgp):
605
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
606
# New GnuTLS "datum" with the OpenPGP public key
607
datum = (gnutls.library.types
608
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
609
ctypes.POINTER
610
(ctypes.c_ubyte)),
611
ctypes.c_uint(len(openpgp))))
612
# New empty GnuTLS certificate
613
crt = gnutls.library.types.gnutls_openpgp_crt_t()
614
(gnutls.library.functions
615
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
616
# Import the OpenPGP public key into the certificate
617
(gnutls.library.functions
618
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
619
gnutls.library.constants
620
.GNUTLS_OPENPGP_FMT_RAW))
621
# Verify the self signature in the key
622
crtverify = ctypes.c_uint()
623
(gnutls.library.functions
624
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
625
if crtverify.value != 0:
626
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
627
raise gnutls.errors.CertificateSecurityError("Verify failed")
628
# New buffer for the fingerprint
629
buf = ctypes.create_string_buffer(20)
630
buf_len = ctypes.c_size_t()
631
# Get the fingerprint from the certificate into the buffer
632
(gnutls.library.functions
633
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
634
ctypes.byref(buf_len)))
635
# Deinit the certificate
636
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
637
# Convert the buffer to a Python bytestring
638
fpr = ctypes.string_at(buf, buf_len.value)
639
# Convert the bytestring to hexadecimal notation
640
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
641
return hex_fpr
642
643
644
class TCP_handler(SocketServer.BaseRequestHandler, object):
645
"""A TCP request handler class.
646
Instantiated by IPv6_TCPServer for each request to handle it.
1264
class ProxyClient(object):
1265
def __init__(self, child_pipe, fpr, address):
1266
self._pipe = child_pipe
1267
self._pipe.send(('init', fpr, address))
1268
if not self._pipe.recv():
1269
raise KeyError()
1270
1271
def __getattribute__(self, name):
1272
if(name == '_pipe'):
1273
return super(ProxyClient, self).__getattribute__(name)
1274
self._pipe.send(('getattr', name))
1275
data = self._pipe.recv()
1276
if data[0] == 'data':
1277
return data[1]
1278
if data[0] == 'function':
1279
def func(*args, **kwargs):
1280
self._pipe.send(('funcall', name, args, kwargs))
1281
return self._pipe.recv()[1]
1282
return func
1283
1284
def __setattr__(self, name, value):
1285
if(name == '_pipe'):
1286
return super(ProxyClient, self).__setattr__(name, value)
1287
self._pipe.send(('setattr', name, value))
1288
1289
class ClientDBusTransitional(ClientDBus):
1290
__metaclass__ = AlternateDBusNamesMetaclass
1291
1292
class ClientHandler(socketserver.BaseRequestHandler, object):
1293
"""A class to handle client connections.
1294
1295
Instantiated once for each connection to handle it.
647
1296
Note: This will run in its own forked process."""
648
1297
649
1298
def handle(self):
650
logger.info(u"TCP connection from: %s",
651
unicode(self.client_address))
652
session = (gnutls.connection
653
.ClientSession(self.request,
654
gnutls.connection
655
.X509Credentials()))
656
657
line = self.request.makefile().readline()
658
logger.debug(u"Protocol version: %r", line)
659
try:
660
if int(line.strip().split()[0]) > 1:
661
raise RuntimeError
662
except (ValueError, IndexError, RuntimeError), error:
663
logger.error(u"Unknown protocol version: %s", error)
664
return
665
666
# Note: gnutls.connection.X509Credentials is really a generic
667
# GnuTLS certificate credentials object so long as no X.509
668
# keys are added to it. Therefore, we can use it here despite
669
# using OpenPGP certificates.
670
671
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
672
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
673
# "+DHE-DSS"))
674
# Use a fallback default, since this MUST be set.
675
priority = self.server.settings.get("priority", "NORMAL")
676
(gnutls.library.functions
677
.gnutls_priority_set_direct(session._c_object,
678
priority, None))
679
680
try:
681
session.handshake()
682
except gnutls.errors.GNUTLSError, error:
683
logger.warning(u"Handshake failed: %s", error)
684
# Do not run session.bye() here: the session is not
685
# established. Just abandon the request.
686
return
687
try:
688
fpr = fingerprint(peer_certificate(session))
689
except (TypeError, gnutls.errors.GNUTLSError), error:
690
logger.warning(u"Bad certificate: %s", error)
691
session.bye()
692
return
693
logger.debug(u"Fingerprint: %s", fpr)
694
for c in self.server.clients:
695
if c.fingerprint == fpr:
696
client = c
697
break
698
else:
699
logger.warning(u"Client not found for fingerprint: %s",
700
fpr)
701
session.bye()
702
return
703
# Have to check if client.still_valid(), since it is possible
704
# that the client timed out while establishing the GnuTLS
705
# session.
706
if not client.still_valid():
707
logger.warning(u"Client %(name)s is invalid",
708
vars(client))
709
session.bye()
710
return
711
## This won't work here, since we're in a fork.
712
# client.bump_timeout()
713
sent_size = 0
714
while sent_size < len(client.secret):
715
sent = session.send(client.secret[sent_size:])
716
logger.debug(u"Sent: %d, remaining: %d",
717
sent, len(client.secret)
718
- (sent_size + sent))
719
sent_size += sent
720
session.bye()
721
722
723
class IPv6_TCPServer(SocketServer.ForkingMixIn,
724
SocketServer.TCPServer, object):
725
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1299
with contextlib.closing(self.server.child_pipe) as child_pipe:
1300
logger.info("TCP connection from: %s",
1301
unicode(self.client_address))
1302
logger.debug("Pipe FD: %d",
1303
self.server.child_pipe.fileno())
1304
1305
session = (gnutls.connection
1306
.ClientSession(self.request,
1307
gnutls.connection
1308
.X509Credentials()))
1309
1310
# Note: gnutls.connection.X509Credentials is really a
1311
# generic GnuTLS certificate credentials object so long as
1312
# no X.509 keys are added to it. Therefore, we can use it
1313
# here despite using OpenPGP certificates.
1314
1315
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1316
# "+AES-256-CBC", "+SHA1",
1317
# "+COMP-NULL", "+CTYPE-OPENPGP",
1318
# "+DHE-DSS"))
1319
# Use a fallback default, since this MUST be set.
1320
priority = self.server.gnutls_priority
1321
if priority is None:
1322
priority = "NORMAL"
1323
(gnutls.library.functions
1324
.gnutls_priority_set_direct(session._c_object,
1325
priority, None))
1326
1327
# Start communication using the Mandos protocol
1328
# Get protocol number
1329
line = self.request.makefile().readline()
1330
logger.debug("Protocol version: %r", line)
1331
try:
1332
if int(line.strip().split()[0]) > 1:
1333
raise RuntimeError
1334
except (ValueError, IndexError, RuntimeError) as error:
1335
logger.error("Unknown protocol version: %s", error)
1336
return
1337
1338
# Start GnuTLS connection
1339
try:
1340
session.handshake()
1341
except gnutls.errors.GNUTLSError as error:
1342
logger.warning("Handshake failed: %s", error)
1343
# Do not run session.bye() here: the session is not
1344
# established. Just abandon the request.
1345
return
1346
logger.debug("Handshake succeeded")
1347
1348
approval_required = False
1349
try:
1350
try:
1351
fpr = self.fingerprint(self.peer_certificate
1352
(session))
1353
except (TypeError,
1354
gnutls.errors.GNUTLSError) as error:
1355
logger.warning("Bad certificate: %s", error)
1356
return
1357
logger.debug("Fingerprint: %s", fpr)
1358
1359
try:
1360
client = ProxyClient(child_pipe, fpr,
1361
self.client_address)
1362
except KeyError:
1363
return
1364
1365
if client.approval_delay:
1366
delay = client.approval_delay
1367
client.approvals_pending += 1
1368
approval_required = True
1369
1370
while True:
1371
if not client.enabled:
1372
logger.info("Client %s is disabled",
1373
client.name)
1374
if self.server.use_dbus:
1375
# Emit D-Bus signal
1376
client.Rejected("Disabled")
1377
return
1378
1379
if client._approved or not client.approval_delay:
1380
#We are approved or approval is disabled
1381
break
1382
elif client._approved is None:
1383
logger.info("Client %s needs approval",
1384
client.name)
1385
if self.server.use_dbus:
1386
# Emit D-Bus signal
1387
client.NeedApproval(
1388
client.approval_delay_milliseconds(),
1389
client.approved_by_default)
1390
else:
1391
logger.warning("Client %s was not approved",
1392
client.name)
1393
if self.server.use_dbus:
1394
# Emit D-Bus signal
1395
client.Rejected("Denied")
1396
return
1397
1398
#wait until timeout or approved
1399
time = datetime.datetime.now()
1400
client.changedstate.acquire()
1401
(client.changedstate.wait
1402
(float(client._timedelta_to_milliseconds(delay)
1403
/ 1000)))
1404
client.changedstate.release()
1405
time2 = datetime.datetime.now()
1406
if (time2 - time) >= delay:
1407
if not client.approved_by_default:
1408
logger.warning("Client %s timed out while"
1409
" waiting for approval",
1410
client.name)
1411
if self.server.use_dbus:
1412
# Emit D-Bus signal
1413
client.Rejected("Approval timed out")
1414
return
1415
else:
1416
break
1417
else:
1418
delay -= time2 - time
1419
1420
sent_size = 0
1421
while sent_size < len(client.secret):
1422
try:
1423
sent = session.send(client.secret[sent_size:])
1424
except gnutls.errors.GNUTLSError as error:
1425
logger.warning("gnutls send failed")
1426
return
1427
logger.debug("Sent: %d, remaining: %d",
1428
sent, len(client.secret)
1429
- (sent_size + sent))
1430
sent_size += sent
1431
1432
logger.info("Sending secret to %s", client.name)
1433
# bump the timeout using extended_timeout
1434
client.checked_ok(client.extended_timeout)
1435
if self.server.use_dbus:
1436
# Emit D-Bus signal
1437
client.GotSecret()
1438
1439
finally:
1440
if approval_required:
1441
client.approvals_pending -= 1
1442
try:
1443
session.bye()
1444
except gnutls.errors.GNUTLSError as error:
1445
logger.warning("GnuTLS bye failed")
1446
1447
@staticmethod
1448
def peer_certificate(session):
1449
"Return the peer's OpenPGP certificate as a bytestring"
1450
# If not an OpenPGP certificate...
1451
if (gnutls.library.functions
1452
.gnutls_certificate_type_get(session._c_object)
1453
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1454
# ...do the normal thing
1455
return session.peer_certificate
1456
list_size = ctypes.c_uint(1)
1457
cert_list = (gnutls.library.functions
1458
.gnutls_certificate_get_peers
1459
(session._c_object, ctypes.byref(list_size)))
1460
if not bool(cert_list) and list_size.value != 0:
1461
raise gnutls.errors.GNUTLSError("error getting peer"
1462
" certificate")
1463
if list_size.value == 0:
1464
return None
1465
cert = cert_list[0]
1466
return ctypes.string_at(cert.data, cert.size)
1467
1468
@staticmethod
1469
def fingerprint(openpgp):
1470
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1471
# New GnuTLS "datum" with the OpenPGP public key
1472
datum = (gnutls.library.types
1473
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1474
ctypes.POINTER
1475
(ctypes.c_ubyte)),
1476
ctypes.c_uint(len(openpgp))))
1477
# New empty GnuTLS certificate
1478
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1479
(gnutls.library.functions
1480
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1481
# Import the OpenPGP public key into the certificate
1482
(gnutls.library.functions
1483
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1484
gnutls.library.constants
1485
.GNUTLS_OPENPGP_FMT_RAW))
1486
# Verify the self signature in the key
1487
crtverify = ctypes.c_uint()
1488
(gnutls.library.functions
1489
.gnutls_openpgp_crt_verify_self(crt, 0,
1490
ctypes.byref(crtverify)))
1491
if crtverify.value != 0:
1492
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1493
raise (gnutls.errors.CertificateSecurityError
1494
("Verify failed"))
1495
# New buffer for the fingerprint
1496
buf = ctypes.create_string_buffer(20)
1497
buf_len = ctypes.c_size_t()
1498
# Get the fingerprint from the certificate into the buffer
1499
(gnutls.library.functions
1500
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1501
ctypes.byref(buf_len)))
1502
# Deinit the certificate
1503
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1504
# Convert the buffer to a Python bytestring
1505
fpr = ctypes.string_at(buf, buf_len.value)
1506
# Convert the bytestring to hexadecimal notation
1507
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1508
return hex_fpr
1509
1510
1511
class MultiprocessingMixIn(object):
1512
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1513
def sub_process_main(self, request, address):
1514
try:
1515
self.finish_request(request, address)
1516
except:
1517
self.handle_error(request, address)
1518
self.close_request(request)
1519
1520
def process_request(self, request, address):
1521
"""Start a new process to process the request."""
1522
proc = multiprocessing.Process(target = self.sub_process_main,
1523
args = (request,
1524
address))
1525
proc.start()
1526
return proc
1527
1528
1529
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1530
""" adds a pipe to the MixIn """
1531
def process_request(self, request, client_address):
1532
"""Overrides and wraps the original process_request().
1533
1534
This function creates a new pipe in self.pipe
1535
"""
1536
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1537
1538
proc = MultiprocessingMixIn.process_request(self, request,
1539
client_address)
1540
self.child_pipe.close()
1541
self.add_pipe(parent_pipe, proc)
1542
1543
def add_pipe(self, parent_pipe, proc):
1544
"""Dummy function; override as necessary"""
1545
raise NotImplementedError
1546
1547
1548
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1549
socketserver.TCPServer, object):
1550
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1551
726
1552
Attributes:
727
settings: Server settings
728
clients: Set() of Client objects
729
1553
enabled: Boolean; whether this server is activated yet
1554
interface: None or a network interface name (string)
1555
use_ipv6: Boolean; to use IPv6 or not
730
1556
"""
731
address_family = socket.AF_INET6
732
def __init__(self, *args, **kwargs):
733
if "settings" in kwargs:
734
self.settings = kwargs["settings"]
735
del kwargs["settings"]
736
if "clients" in kwargs:
737
self.clients = kwargs["clients"]
738
del kwargs["clients"]
739
self.enabled = False
740
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1557
def __init__(self, server_address, RequestHandlerClass,
1558
interface=None, use_ipv6=True):
1559
self.interface = interface
1560
if use_ipv6:
1561
self.address_family = socket.AF_INET6
1562
socketserver.TCPServer.__init__(self, server_address,
1563
RequestHandlerClass)
741
1564
def server_bind(self):
742
1565
"""This overrides the normal server_bind() function
743
1566
to bind to an interface if one was specified, and also NOT to
744
1567
bind to an address or port if they were not specified."""
745
if self.settings["interface"]:
746
# 25 is from /usr/include/asm-i486/socket.h
747
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
748
try:
749
self.socket.setsockopt(socket.SOL_SOCKET,
750
SO_BINDTODEVICE,
751
self.settings["interface"])
752
except socket.error, error:
753
if error[0] == errno.EPERM:
754
logger.error(u"No permission to"
755
u" bind to interface %s",
756
self.settings["interface"])
757
else:
758
raise error
1568
if self.interface is not None:
1569
if SO_BINDTODEVICE is None:
1570
logger.error("SO_BINDTODEVICE does not exist;"
1571
" cannot bind to interface %s",
1572
self.interface)
1573
else:
1574
try:
1575
self.socket.setsockopt(socket.SOL_SOCKET,
1576
SO_BINDTODEVICE,
1577
str(self.interface
1578
+ '\0'))
1579
except socket.error as error:
1580
if error[0] == errno.EPERM:
1581
logger.error("No permission to"
1582
" bind to interface %s",
1583
self.interface)
1584
elif error[0] == errno.ENOPROTOOPT:
1585
logger.error("SO_BINDTODEVICE not available;"
1586
" cannot bind to interface %s",
1587
self.interface)
1588
else:
1589
raise
759
1590
# Only bind(2) the socket if we really need to.
760
1591
if self.server_address[0] or self.server_address[1]:
761
1592
if not self.server_address[0]:
762
in6addr_any = "::"
763
self.server_address = (in6addr_any,
1593
if self.address_family == socket.AF_INET6:
1594
any_address = "::" # in6addr_any
1595
else:
1596
any_address = socket.INADDR_ANY
1597
self.server_address = (any_address,
764
1598
self.server_address[1])
765
1599
elif not self.server_address[1]:
766
1600
self.server_address = (self.server_address[0],
767
1601
0)
768
# if self.settings["interface"]:
1602
# if self.interface:
769
1603
# self.server_address = (self.server_address[0],
770
1604
# 0, # port
771
1605
# 0, # flowinfo
772
1606
# if_nametoindex
773
# (self.settings
774
# ["interface"]))
775
return super(IPv6_TCPServer, self).server_bind()
1607
# (self.interface))
1608
return socketserver.TCPServer.server_bind(self)
1609
1610
1611
class MandosServer(IPv6_TCPServer):
1612
"""Mandos server.
1613
1614
Attributes:
1615
clients: set of Client objects
1616
gnutls_priority GnuTLS priority string
1617
use_dbus: Boolean; to emit D-Bus signals or not
1618
1619
Assumes a gobject.MainLoop event loop.
1620
"""
1621
def __init__(self, server_address, RequestHandlerClass,
1622
interface=None, use_ipv6=True, clients=None,
1623
gnutls_priority=None, use_dbus=True):
1624
self.enabled = False
1625
self.clients = clients
1626
if self.clients is None:
1627
self.clients = set()
1628
self.use_dbus = use_dbus
1629
self.gnutls_priority = gnutls_priority
1630
IPv6_TCPServer.__init__(self, server_address,
1631
RequestHandlerClass,
1632
interface = interface,
1633
use_ipv6 = use_ipv6)
776
1634
def server_activate(self):
777
1635
if self.enabled:
778
return super(IPv6_TCPServer, self).server_activate()
1636
return socketserver.TCPServer.server_activate(self)
1637
779
1638
def enable(self):
780
1639
self.enabled = True
1640
1641
def add_pipe(self, parent_pipe, proc):
1642
# Call "handle_ipc" for both data and EOF events
1643
gobject.io_add_watch(parent_pipe.fileno(),
1644
gobject.IO_IN | gobject.IO_HUP,
1645
functools.partial(self.handle_ipc,
1646
parent_pipe =
1647
parent_pipe,
1648
proc = proc))
1649
1650
def handle_ipc(self, source, condition, parent_pipe=None,
1651
proc = None, client_object=None):
1652
condition_names = {
1653
gobject.IO_IN: "IN", # There is data to read.
1654
gobject.IO_OUT: "OUT", # Data can be written (without
1655
# blocking).
1656
gobject.IO_PRI: "PRI", # There is urgent data to read.
1657
gobject.IO_ERR: "ERR", # Error condition.
1658
gobject.IO_HUP: "HUP" # Hung up (the connection has been
1659
# broken, usually for pipes and
1660
# sockets).
1661
}
1662
conditions_string = ' | '.join(name
1663
for cond, name in
1664
condition_names.iteritems()
1665
if cond & condition)
1666
# error, or the other end of multiprocessing.Pipe has closed
1667
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1668
# Wait for other process to exit
1669
proc.join()
1670
return False
1671
1672
# Read a request from the child
1673
request = parent_pipe.recv()
1674
command = request[0]
1675
1676
if command == 'init':
1677
fpr = request[1]
1678
address = request[2]
1679
1680
for c in self.clients:
1681
if c.fingerprint == fpr:
1682
client = c
1683
break
1684
else:
1685
logger.info("Client not found for fingerprint: %s, ad"
1686
"dress: %s", fpr, address)
1687
if self.use_dbus:
1688
# Emit D-Bus signal
1689
mandos_dbus_service.ClientNotFound(fpr,
1690
address[0])
1691
parent_pipe.send(False)
1692
return False
1693
1694
gobject.io_add_watch(parent_pipe.fileno(),
1695
gobject.IO_IN | gobject.IO_HUP,
1696
functools.partial(self.handle_ipc,
1697
parent_pipe =
1698
parent_pipe,
1699
proc = proc,
1700
client_object =
1701
client))
1702
parent_pipe.send(True)
1703
# remove the old hook in favor of the new above hook on
1704
# same fileno
1705
return False
1706
if command == 'funcall':
1707
funcname = request[1]
1708
args = request[2]
1709
kwargs = request[3]
1710
1711
parent_pipe.send(('data', getattr(client_object,
1712
funcname)(*args,
1713
**kwargs)))
1714
1715
if command == 'getattr':
1716
attrname = request[1]
1717
if callable(client_object.__getattribute__(attrname)):
1718
parent_pipe.send(('function',))
1719
else:
1720
parent_pipe.send(('data', client_object
1721
.__getattribute__(attrname)))
1722
1723
if command == 'setattr':
1724
attrname = request[1]
1725
value = request[2]
1726
setattr(client_object, attrname, value)
1727
1728
return True
781
1729
782
1730
783
1731
def string_to_delta(interval):
784
1732
"""Parse a string and return a datetime.timedelta
785
1733
786
1734
>>> string_to_delta('7d')
787
1735
datetime.timedelta(7)
788
1736
>>> string_to_delta('60s')
791
1739
datetime.timedelta(0, 3600)
792
1740
>>> string_to_delta('24h')
793
1741
datetime.timedelta(1)
794
>>> string_to_delta(u'1w')
1742
>>> string_to_delta('1w')
795
1743
datetime.timedelta(7)
796
1744
>>> string_to_delta('5m 30s')
797
1745
datetime.timedelta(0, 330)
801
1749
try:
802
1750
suffix = unicode(s[-1])
803
1751
value = int(s[:-1])
804
if suffix == u"d":
1752
if suffix == "d":
805
1753
delta = datetime.timedelta(value)
806
elif suffix == u"s":
1754
elif suffix == "s":
807
1755
delta = datetime.timedelta(0, value)
808
elif suffix == u"m":
1756
elif suffix == "m":
809
1757
delta = datetime.timedelta(0, 0, 0, 0, value)
810
elif suffix == u"h":
1758
elif suffix == "h":
811
1759
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
812
elif suffix == u"w":
1760
elif suffix == "w":
813
1761
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
814
1762
else:
815
raise ValueError
816
except (ValueError, IndexError):
817
raise ValueError
1763
raise ValueError("Unknown suffix %r" % suffix)
1764
except (ValueError, IndexError) as e:
1765
raise ValueError(*(e.args))
818
1766
timevalue += delta
819
1767
return timevalue
820
1768
821
1769
822
def server_state_changed(state):
823
"""Derived from the Avahi example code"""
824
if state == avahi.SERVER_COLLISION:
825
logger.error(u"Zeroconf server name collision")
826
service.remove()
827
elif state == avahi.SERVER_RUNNING:
828
service.add()
829
830
831
def entry_group_state_changed(state, error):
832
"""Derived from the Avahi example code"""
833
logger.debug(u"Avahi state change: %i", state)
834
835
if state == avahi.ENTRY_GROUP_ESTABLISHED:
836
logger.debug(u"Zeroconf service established.")
837
elif state == avahi.ENTRY_GROUP_COLLISION:
838
logger.warning(u"Zeroconf service name collision.")
839
service.rename()
840
elif state == avahi.ENTRY_GROUP_FAILURE:
841
logger.critical(u"Avahi: Error in group state changed %s",
842
unicode(error))
843
raise AvahiGroupError(u"State changed: %s" % unicode(error))
844
845
1770
def if_nametoindex(interface):
846
"""Call the C function if_nametoindex(), or equivalent"""
1771
"""Call the C function if_nametoindex(), or equivalent
1772
1773
Note: This function cannot accept a unicode string."""
847
1774
global if_nametoindex
848
1775
try:
849
1776
if_nametoindex = (ctypes.cdll.LoadLibrary
850
1777
(ctypes.util.find_library("c"))
851
1778
.if_nametoindex)
852
1779
except (OSError, AttributeError):
853
if "struct" not in sys.modules:
854
import struct
855
if "fcntl" not in sys.modules:
856
import fcntl
1780
logger.warning("Doing if_nametoindex the hard way")
857
1781
def if_nametoindex(interface):
858
1782
"Get an interface index the hard way, i.e. using fcntl()"
859
1783
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
860
with closing(socket.socket()) as s:
1784
with contextlib.closing(socket.socket()) as s:
861
1785
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
862
struct.pack("16s16x", interface))
863
interface_index = struct.unpack("I", ifreq[16:20])[0]
1786
struct.pack(str("16s16x"),
1787
interface))
1788
interface_index = struct.unpack(str("I"),
1789
ifreq[16:20])[0]
864
1790
return interface_index
865
1791
return if_nametoindex(interface)
866
1792
867
1793
868
1794
def daemon(nochdir = False, noclose = False):
869
1795
"""See daemon(3). Standard BSD Unix function.
1796
870
1797
This should really exist as os.daemon, but it doesn't (yet)."""
871
1798
if os.fork():
872
1799
sys.exit()
880
1807
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
881
1808
if not stat.S_ISCHR(os.fstat(null).st_mode):
882
1809
raise OSError(errno.ENODEV,
883
"/dev/null not a character device")
1810
"%s not a character device"
1811
% os.path.devnull)
884
1812
os.dup2(null, sys.stdin.fileno())
885
1813
os.dup2(null, sys.stdout.fileno())
886
1814
os.dup2(null, sys.stderr.fileno())
889
1817
890
1818
891
1819
def main():
892
parser = optparse.OptionParser(version = "%%prog %s" % version)
893
parser.add_option("-i", "--interface", type="string",
894
metavar="IF", help="Bind to interface IF")
895
parser.add_option("-a", "--address", type="string",
896
help="Address to listen for requests on")
897
parser.add_option("-p", "--port", type="int",
898
help="Port number to receive requests on")
899
parser.add_option("--check", action="store_true",
900
help="Run self-test")
901
parser.add_option("--debug", action="store_true",
902
help="Debug mode; run in foreground and log to"
903
" terminal")
904
parser.add_option("--priority", type="string", help="GnuTLS"
905
" priority string (see GnuTLS documentation)")
906
parser.add_option("--servicename", type="string", metavar="NAME",
907
help="Zeroconf service name")
908
parser.add_option("--configdir", type="string",
909
default="/etc/mandos", metavar="DIR",
910
help="Directory to search for configuration"
911
" files")
912
parser.add_option("--no-dbus", action="store_false",
913
dest="use_dbus",
914
help=optparse.SUPPRESS_HELP)
915
options = parser.parse_args()[0]
1820
1821
##################################################################
1822
# Parsing of options, both command line and config file
1823
1824
parser = argparse.ArgumentParser()
1825
parser.add_argument("-v", "--version", action="version",
1826
version = "%%(prog)s %s" % version,
1827
help="show version number and exit")
1828
parser.add_argument("-i", "--interface", metavar="IF",
1829
help="Bind to interface IF")
1830
parser.add_argument("-a", "--address",
1831
help="Address to listen for requests on")
1832
parser.add_argument("-p", "--port", type=int,
1833
help="Port number to receive requests on")
1834
parser.add_argument("--check", action="store_true",
1835
help="Run self-test")
1836
parser.add_argument("--debug", action="store_true",
1837
help="Debug mode; run in foreground and log"
1838
" to terminal")
1839
parser.add_argument("--debuglevel", metavar="LEVEL",
1840
help="Debug level for stdout output")
1841
parser.add_argument("--priority", help="GnuTLS"
1842
" priority string (see GnuTLS documentation)")
1843
parser.add_argument("--servicename",
1844
metavar="NAME", help="Zeroconf service name")
1845
parser.add_argument("--configdir",
1846
default="/etc/mandos", metavar="DIR",
1847
help="Directory to search for configuration"
1848
" files")
1849
parser.add_argument("--no-dbus", action="store_false",
1850
dest="use_dbus", help="Do not provide D-Bus"
1851
" system bus interface")
1852
parser.add_argument("--no-ipv6", action="store_false",
1853
dest="use_ipv6", help="Do not use IPv6")
1854
options = parser.parse_args()
916
1855
917
1856
if options.check:
918
1857
import doctest
928
1867
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
929
1868
"servicename": "Mandos",
930
1869
"use_dbus": "True",
1870
"use_ipv6": "True",
1871
"debuglevel": "",
931
1872
}
932
1873
933
1874
# Parse config file for server-global settings
934
server_config = ConfigParser.SafeConfigParser(server_defaults)
1875
server_config = configparser.SafeConfigParser(server_defaults)
935
1876
del server_defaults
936
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1877
server_config.read(os.path.join(options.configdir,
1878
"mandos.conf"))
937
1879
# Convert the SafeConfigParser object to a dict
938
1880
server_settings = server_config.defaults()
939
# Use getboolean on the boolean config options
940
server_settings["debug"] = (server_config.getboolean
941
("DEFAULT", "debug"))
942
server_settings["use_dbus"] = (server_config.getboolean
943
("DEFAULT", "use_dbus"))
1881
# Use the appropriate methods on the non-string config options
1882
for option in ("debug", "use_dbus", "use_ipv6"):
1883
server_settings[option] = server_config.getboolean("DEFAULT",
1884
option)
1885
if server_settings["port"]:
1886
server_settings["port"] = server_config.getint("DEFAULT",
1887
"port")
944
1888
del server_config
945
1889
946
1890
# Override the settings from the config file with command line
947
1891
# options, if set.
948
1892
for option in ("interface", "address", "port", "debug",
949
1893
"priority", "servicename", "configdir",
950
"use_dbus"):
1894
"use_dbus", "use_ipv6", "debuglevel"):
951
1895
value = getattr(options, option)
952
1896
if value is not None:
953
1897
server_settings[option] = value
954
1898
del options
1899
# Force all strings to be unicode
1900
for option in server_settings.keys():
1901
if type(server_settings[option]) is str:
1902
server_settings[option] = unicode(server_settings[option])
955
1903
# Now we have our good server settings in "server_settings"
956
1904
1905
##################################################################
1906
957
1907
# For convenience
958
1908
debug = server_settings["debug"]
1909
debuglevel = server_settings["debuglevel"]
959
1910
use_dbus = server_settings["use_dbus"]
960
use_dbus = False
961
962
if not debug:
963
syslogger.setLevel(logging.WARNING)
964
console.setLevel(logging.WARNING)
1911
use_ipv6 = server_settings["use_ipv6"]
965
1912
966
1913
if server_settings["servicename"] != "Mandos":
967
1914
syslogger.setFormatter(logging.Formatter
968
('Mandos (%s): %%(levelname)s:'
969
' %%(message)s'
1915
('Mandos (%s) [%%(process)d]:'
1916
' %%(levelname)s: %%(message)s'
970
1917
% server_settings["servicename"]))
971
1918
972
1919
# Parse config file with clients
973
client_defaults = { "timeout": "1h",
974
"interval": "5m",
975
"checker": "fping -q -- %(host)s",
1920
client_defaults = { "timeout": "5m",
1921
"extended_timeout": "15m",
1922
"interval": "2m",
1923
"checker": "fping -q -- %%(host)s",
976
1924
"host": "",
1925
"approval_delay": "0s",
1926
"approval_duration": "1s",
977
1927
}
978
client_config = ConfigParser.SafeConfigParser(client_defaults)
1928
client_config = configparser.SafeConfigParser(client_defaults)
979
1929
client_config.read(os.path.join(server_settings["configdir"],
980
1930
"clients.conf"))
981
1931
982
clients = Set()
983
tcp_server = IPv6_TCPServer((server_settings["address"],
984
server_settings["port"]),
985
TCP_handler,
986
settings=server_settings,
987
clients=clients)
988
pidfilename = "/var/run/mandos.pid"
989
try:
990
pidfile = open(pidfilename, "w")
991
except IOError, error:
992
logger.error("Could not open file %r", pidfilename)
1932
global mandos_dbus_service
1933
mandos_dbus_service = None
1934
1935
tcp_server = MandosServer((server_settings["address"],
1936
server_settings["port"]),
1937
ClientHandler,
1938
interface=(server_settings["interface"]
1939
or None),
1940
use_ipv6=use_ipv6,
1941
gnutls_priority=
1942
server_settings["priority"],
1943
use_dbus=use_dbus)
1944
if not debug:
1945
pidfilename = "/var/run/mandos.pid"
1946
try:
1947
pidfile = open(pidfilename, "w")
1948
except IOError:
1949
logger.error("Could not open file %r", pidfilename)
993
1950
994
1951
try:
995
1952
uid = pwd.getpwnam("_mandos").pw_uid
1953
gid = pwd.getpwnam("_mandos").pw_gid
996
1954
except KeyError:
997
1955
try:
998
1956
uid = pwd.getpwnam("mandos").pw_uid
1957
gid = pwd.getpwnam("mandos").pw_gid
999
1958
except KeyError:
1000
1959
try:
1001
1960
uid = pwd.getpwnam("nobody").pw_uid
1961
gid = pwd.getpwnam("nobody").pw_gid
1002
1962
except KeyError:
1003
1963
uid = 65534
1004
try:
1005
gid = pwd.getpwnam("_mandos").pw_gid
1006
except KeyError:
1007
try:
1008
gid = pwd.getpwnam("mandos").pw_gid
1009
except KeyError:
1010
try:
1011
gid = pwd.getpwnam("nogroup").pw_gid
1012
except KeyError:
1013
1964
gid = 65534
1014
1965
try:
1966
os.setgid(gid)
1015
1967
os.setuid(uid)
1016
os.setgid(gid)
1017
except OSError, error:
1968
except OSError as error:
1018
1969
if error[0] != errno.EPERM:
1019
1970
raise error
1020
1971
1021
global service
1022
service = AvahiService(name = server_settings["servicename"],
1023
servicetype = "_mandos._tcp", )
1024
if server_settings["interface"]:
1025
service.interface = (if_nametoindex
1026
(server_settings["interface"]))
1027
1028
global main_loop
1029
global bus
1030
global server
1031
# From the Avahi example code
1032
DBusGMainLoop(set_as_default=True )
1033
main_loop = gobject.MainLoop()
1034
bus = dbus.SystemBus()
1035
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1036
avahi.DBUS_PATH_SERVER),
1037
avahi.DBUS_INTERFACE_SERVER)
1038
# End of Avahi example code
1039
if use_dbus:
1040
bus_name = dbus.service.BusName(u"org.mandos-system.Mandos",
1041
bus)
1042
1043
clients.update(Set(Client(name = section,
1044
config
1045
= dict(client_config.items(section)),
1046
use_dbus = use_dbus)
1047
for section in client_config.sections()))
1048
if not clients:
1049
logger.warning(u"No clients defined")
1972
if not debug and not debuglevel:
1973
syslogger.setLevel(logging.WARNING)
1974
console.setLevel(logging.WARNING)
1975
if debuglevel:
1976
level = getattr(logging, debuglevel.upper())
1977
syslogger.setLevel(level)
1978
console.setLevel(level)
1050
1979
1051
1980
if debug:
1981
# Enable all possible GnuTLS debugging
1982
1983
# "Use a log level over 10 to enable all debugging options."
1984
# - GnuTLS manual
1985
gnutls.library.functions.gnutls_global_set_log_level(11)
1986
1987
@gnutls.library.types.gnutls_log_func
1988
def debug_gnutls(level, string):
1989
logger.debug("GnuTLS: %s", string[:-1])
1990
1991
(gnutls.library.functions
1992
.gnutls_global_set_log_function(debug_gnutls))
1993
1052
1994
# Redirect stdin so all checkers get /dev/null
1053
1995
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1054
1996
os.dup2(null, sys.stdin.fileno())
1057
1999
else:
1058
2000
# No console logging
1059
2001
logger.removeHandler(console)
2002
2003
# Need to fork before connecting to D-Bus
2004
if not debug:
1060
2005
# Close all input and output, do double fork, etc.
1061
2006
daemon()
1062
2007
1063
try:
1064
pid = os.getpid()
1065
pidfile.write(str(pid) + "\n")
1066
pidfile.close()
1067
del pidfile
1068
except IOError:
1069
logger.error(u"Could not write to file %r with PID %d",
1070
pidfilename, pid)
1071
except NameError:
1072
# "pidfile" was never created
1073
pass
1074
del pidfilename
1075
1076
def cleanup():
1077
"Cleanup function; run on exit"
1078
global group
1079
# From the Avahi example code
1080
if not group is None:
1081
group.Free()
1082
group = None
1083
# End of Avahi example code
2008
global main_loop
2009
# From the Avahi example code
2010
DBusGMainLoop(set_as_default=True )
2011
main_loop = gobject.MainLoop()
2012
bus = dbus.SystemBus()
2013
# End of Avahi example code
2014
if use_dbus:
2015
try:
2016
bus_name = dbus.service.BusName("se.recompile.Mandos",
2017
bus, do_not_queue=True)
2018
old_bus_name = (dbus.service.BusName
2019
("se.bsnet.fukt.Mandos", bus,
2020
do_not_queue=True))
2021
except dbus.exceptions.NameExistsException as e:
2022
logger.error(unicode(e) + ", disabling D-Bus")
2023
use_dbus = False
2024
server_settings["use_dbus"] = False
2025
tcp_server.use_dbus = False
2026
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2027
service = AvahiService(name = server_settings["servicename"],
2028
servicetype = "_mandos._tcp",
2029
protocol = protocol, bus = bus)
2030
if server_settings["interface"]:
2031
service.interface = (if_nametoindex
2032
(str(server_settings["interface"])))
2033
2034
global multiprocessing_manager
2035
multiprocessing_manager = multiprocessing.Manager()
2036
2037
client_class = Client
2038
if use_dbus:
2039
client_class = functools.partial(ClientDBusTransitional,
2040
bus = bus)
2041
def client_config_items(config, section):
2042
special_settings = {
2043
"approved_by_default":
2044
lambda: config.getboolean(section,
2045
"approved_by_default"),
2046
}
2047
for name, value in config.items(section):
2048
try:
2049
yield (name, special_settings[name]())
2050
except KeyError:
2051
yield (name, value)
2052
2053
tcp_server.clients.update(set(
2054
client_class(name = section,
2055
config= dict(client_config_items(
2056
client_config, section)))
2057
for section in client_config.sections()))
2058
if not tcp_server.clients:
2059
logger.warning("No clients defined")
1084
2060
1085
while clients:
1086
client = clients.pop()
1087
client.disable_hook = None
1088
client.disable()
1089
1090
atexit.register(cleanup)
1091
1092
2061
if not debug:
2062
try:
2063
with pidfile:
2064
pid = os.getpid()
2065
pidfile.write(str(pid) + "\n".encode("utf-8"))
2066
del pidfile
2067
except IOError:
2068
logger.error("Could not write to file %r with PID %d",
2069
pidfilename, pid)
2070
except NameError:
2071
# "pidfile" was never created
2072
pass
2073
del pidfilename
2074
1093
2075
signal.signal(signal.SIGINT, signal.SIG_IGN)
2076
1094
2077
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1095
2078
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1096
2079
1097
2080
if use_dbus:
1098
class MandosServer(dbus.service.Object):
2081
class MandosDBusService(dbus.service.Object):
1099
2082
"""A D-Bus proxy object"""
1100
2083
def __init__(self):
1101
dbus.service.Object.__init__(self, bus,
1102
"/Mandos")
1103
_interface = u"org.mandos_system.Mandos"
1104
1105
@dbus.service.signal(_interface, signature="oa{sv}")
1106
def ClientAdded(self, objpath, properties):
1107
"D-Bus signal"
1108
pass
1109
2084
dbus.service.Object.__init__(self, bus, "/")
2085
_interface = "se.recompile.Mandos"
2086
1110
2087
@dbus.service.signal(_interface, signature="o")
1111
def ClientRemoved(self, objpath):
1112
"D-Bus signal"
1113
pass
1114
2088
def ClientAdded(self, objpath):
2089
"D-Bus signal"
2090
pass
2091
2092
@dbus.service.signal(_interface, signature="ss")
2093
def ClientNotFound(self, fingerprint, address):
2094
"D-Bus signal"
2095
pass
2096
2097
@dbus.service.signal(_interface, signature="os")
2098
def ClientRemoved(self, objpath, name):
2099
"D-Bus signal"
2100
pass
2101
1115
2102
@dbus.service.method(_interface, out_signature="ao")
1116
2103
def GetAllClients(self):
1117
return dbus.Array(c.dbus_object_path for c in clients)
1118
1119
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
2104
"D-Bus method"
2105
return dbus.Array(c.dbus_object_path
2106
for c in tcp_server.clients)
2107
2108
@dbus.service.method(_interface,
2109
out_signature="a{oa{sv}}")
1120
2110
def GetAllClientsWithProperties(self):
2111
"D-Bus method"
1121
2112
return dbus.Dictionary(
1122
((c.dbus_object_path, c.GetAllProperties())
1123
for c in clients),
2113
((c.dbus_object_path, c.GetAll(""))
2114
for c in tcp_server.clients),
1124
2115
signature="oa{sv}")
1125
2116
1126
2117
@dbus.service.method(_interface, in_signature="o")
1127
2118
def RemoveClient(self, object_path):
1128
for c in clients:
2119
"D-Bus method"
2120
for c in tcp_server.clients:
1129
2121
if c.dbus_object_path == object_path:
1130
clients.remove(c)
2122
tcp_server.clients.remove(c)
2123
c.remove_from_connection()
1131
2124
# Don't signal anything except ClientRemoved
1132
c.use_dbus = False
1133
c.disable()
2125
c.disable(quiet=True)
1134
2126
# Emit D-Bus signal
1135
self.ClientRemoved(object_path)
2127
self.ClientRemoved(object_path, c.name)
1136
2128
return
1137
raise KeyError
1138
@dbus.service.method(_interface)
1139
def Quit(self):
1140
main_loop.quit()
1141
2129
raise KeyError(object_path)
2130
1142
2131
del _interface
1143
1144
mandos_server = MandosServer()
1145
1146
for client in clients:
2132
2133
class MandosDBusServiceTransitional(MandosDBusService):
2134
__metaclass__ = AlternateDBusNamesMetaclass
2135
mandos_dbus_service = MandosDBusServiceTransitional()
2136
2137
def cleanup():
2138
"Cleanup function; run on exit"
2139
service.cleanup()
2140
2141
multiprocessing.active_children()
2142
while tcp_server.clients:
2143
client = tcp_server.clients.pop()
2144
if use_dbus:
2145
client.remove_from_connection()
2146
client.disable_hook = None
2147
# Don't signal anything except ClientRemoved
2148
client.disable(quiet=True)
2149
if use_dbus:
2150
# Emit D-Bus signal
2151
mandos_dbus_service.ClientRemoved(client
2152
.dbus_object_path,
2153
client.name)
2154
2155
atexit.register(cleanup)
2156
2157
for client in tcp_server.clients:
1147
2158
if use_dbus:
1148
2159
# Emit D-Bus signal
1149
mandos_server.ClientAdded(client.dbus_object_path,
1150
client.GetAllProperties())
2160
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1151
2161
client.enable()
1152
2162
1153
2163
tcp_server.enable()
1155
2165
1156
2166
# Find out what port we got
1157
2167
service.port = tcp_server.socket.getsockname()[1]
1158
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1159
u" scope_id %d" % tcp_server.socket.getsockname())
2168
if use_ipv6:
2169
logger.info("Now listening on address %r, port %d,"
2170
" flowinfo %d, scope_id %d"
2171
% tcp_server.socket.getsockname())
2172
else: # IPv4
2173
logger.info("Now listening on address %r, port %d"
2174
% tcp_server.socket.getsockname())
1160
2175
1161
2176
#service.interface = tcp_server.socket.getsockname()[3]
1162
2177
1163
2178
try:
1164
2179
# From the Avahi example code
1165
server.connect_to_signal("StateChanged", server_state_changed)
1166
2180
try:
1167
server_state_changed(server.GetState())
1168
except dbus.exceptions.DBusException, error:
1169
logger.critical(u"DBusException: %s", error)
2181
service.activate()
2182
except dbus.exceptions.DBusException as error:
2183
logger.critical("DBusException: %s", error)
2184
cleanup()
1170
2185
sys.exit(1)
1171
2186
# End of Avahi example code
1172
2187
1175
2190
(tcp_server.handle_request
1176
2191
(*args[2:], **kwargs) or True))
1177
2192
1178
logger.debug(u"Starting main loop")
2193
logger.debug("Starting main loop")
1179
2194
main_loop.run()
1180
except AvahiError, error:
1181
logger.critical(u"AvahiError: %s", error)
2195
except AvahiError as error:
2196
logger.critical("AvahiError: %s", error)
2197
cleanup()
1182
2198
sys.exit(1)
1183
2199
except KeyboardInterrupt:
1184
2200
if debug:
1185
print
2201
print("", file=sys.stderr)
2202
logger.debug("Server received KeyboardInterrupt")
2203
logger.debug("Server exiting")
2204
# Must run before the D-Bus bus name gets deregistered
2205
cleanup()
2206
1186
2207
1187
2208
if __name__ == '__main__':
1188
2209
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0