To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.2.1
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.1
- Committer: Teddy Hogeborn
- Date: 2008-12-10 01:26:02 UTC
- mfrom: (237.1.2 mandos)
- mto: (24.1.114 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 238.
- Revision ID: teddy@fukt.bsnet.se-20081210012602-vhz3h75xkj24t340
First version of a somewhat complete D-Bus server interface. Also
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
- files added:
- debian/mandos-client.config
- files removed:
- dbus-mandos.conf
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008 Teddy Hogeborn
15
# Copyright © 2008 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer as socketserver
36
import SocketServer
37
37
import socket
38
import optparse
38
from optparse import OptionParser
39
39
import datetime
40
40
import errno
41
41
import gnutls.crypto
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser as configparser
47
import ConfigParser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
52
53
import subprocess
53
54
import atexit
54
55
import stat
55
56
import logging
56
57
import logging.handlers
57
58
import pwd
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import select
59
from contextlib import closing
64
60
65
61
import dbus
66
62
import dbus.service
69
65
from dbus.mainloop.glib import DBusGMainLoop
70
66
import ctypes
71
67
import ctypes.util
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
logger = logging.Logger(u'mandos')
68
69
version = "1.0.2"
70
71
logger = logging.Logger('mandos')
87
72
syslogger = (logging.handlers.SysLogHandler
88
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
89
74
address = "/dev/log"))
90
75
syslogger.setFormatter(logging.Formatter
91
(u'Mandos [%(process)d]: %(levelname)s:'
92
u' %(message)s'))
76
('Mandos: %(levelname)s: %(message)s'))
93
77
logger.addHandler(syslogger)
94
78
95
79
console = logging.StreamHandler()
96
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
97
u' %(levelname)s:'
98
u' %(message)s'))
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
99
82
logger.addHandler(console)
100
83
101
84
class AvahiError(Exception):
102
def __init__(self, value, *args, **kwargs):
85
def __init__(self, value):
103
86
self.value = value
104
super(AvahiError, self).__init__(value, *args, **kwargs)
105
def __unicode__(self):
106
return unicode(repr(self.value))
87
super(AvahiError, self).__init__()
88
def __str__(self):
89
return repr(self.value)
107
90
108
91
class AvahiServiceError(AvahiError):
109
92
pass
114
97
115
98
class AvahiService(object):
116
99
"""An Avahi (Zeroconf) service.
117
118
100
Attributes:
119
101
interface: integer; avahi.IF_UNSPEC or an interface index.
120
102
Used to optionally bind to the specified interface.
121
name: string; Example: u'Mandos'
122
type: string; Example: u'_mandos._tcp'.
103
name: string; Example: 'Mandos'
104
type: string; Example: '_mandos._tcp'.
123
105
See <http://www.dns-sd.org/ServiceTypes.html>
124
106
port: integer; what port to announce
125
107
TXT: list of strings; TXT record for the service
128
110
max_renames: integer; maximum number of renames
129
111
rename_count: integer; counter so we only rename after collisions
130
112
a sensible number of times
131
group: D-Bus Entry Group
132
server: D-Bus Server
133
bus: dbus.SystemBus()
134
113
"""
135
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
136
115
servicetype = None, port = None, TXT = None,
137
domain = u"", host = u"", max_renames = 32768,
138
protocol = avahi.PROTO_UNSPEC, bus = None):
116
domain = "", host = "", max_renames = 32768):
139
117
self.interface = interface
140
118
self.name = name
141
119
self.type = servicetype
145
123
self.host = host
146
124
self.rename_count = 0
147
125
self.max_renames = max_renames
148
self.protocol = protocol
149
self.group = None # our entry group
150
self.server = None
151
self.bus = bus
152
126
def rename(self):
153
127
"""Derived from the Avahi example code"""
154
128
if self.rename_count >= self.max_renames:
155
129
logger.critical(u"No suitable Zeroconf service name found"
156
130
u" after %i retries, exiting.",
157
131
self.rename_count)
158
raise AvahiServiceError(u"Too many renames")
159
self.name = self.server.GetAlternativeServiceName(self.name)
132
raise AvahiServiceError("Too many renames")
133
self.name = server.GetAlternativeServiceName(self.name)
160
134
logger.info(u"Changing Zeroconf service name to %r ...",
161
unicode(self.name))
135
str(self.name))
162
136
syslogger.setFormatter(logging.Formatter
163
(u'Mandos (%s) [%%(process)d]:'
164
u' %%(levelname)s: %%(message)s'
165
% self.name))
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
166
139
self.remove()
167
140
self.add()
168
141
self.rename_count += 1
169
142
def remove(self):
170
143
"""Derived from the Avahi example code"""
171
if self.group is not None:
172
self.group.Reset()
144
if group is not None:
145
group.Reset()
173
146
def add(self):
174
147
"""Derived from the Avahi example code"""
175
if self.group is None:
176
self.group = dbus.Interface(
177
self.bus.get_object(avahi.DBUS_NAME,
178
self.server.EntryGroupNew()),
179
avahi.DBUS_INTERFACE_ENTRY_GROUP)
180
self.group.connect_to_signal('StateChanged',
181
self
182
.entry_group_state_changed)
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
183
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
184
self.name, self.type)
185
self.group.AddService(
186
self.interface,
187
self.protocol,
188
dbus.UInt32(0), # flags
189
self.name, self.type,
190
self.domain, self.host,
191
dbus.UInt16(self.port),
192
avahi.string_array_to_txt_array(self.TXT))
193
self.group.Commit()
194
def entry_group_state_changed(self, state, error):
195
"""Derived from the Avahi example code"""
196
logger.debug(u"Avahi state change: %i", state)
197
198
if state == avahi.ENTRY_GROUP_ESTABLISHED:
199
logger.debug(u"Zeroconf service established.")
200
elif state == avahi.ENTRY_GROUP_COLLISION:
201
logger.warning(u"Zeroconf service name collision.")
202
self.rename()
203
elif state == avahi.ENTRY_GROUP_FAILURE:
204
logger.critical(u"Avahi: Error in group state changed %s",
205
unicode(error))
206
raise AvahiGroupError(u"State changed: %s"
207
% unicode(error))
208
def cleanup(self):
209
"""Derived from the Avahi example code"""
210
if self.group is not None:
211
self.group.Free()
212
self.group = None
213
def server_state_changed(self, state):
214
"""Derived from the Avahi example code"""
215
if state == avahi.SERVER_COLLISION:
216
logger.error(u"Zeroconf server name collision")
217
self.remove()
218
elif state == avahi.SERVER_RUNNING:
219
self.add()
220
def activate(self):
221
"""Derived from the Avahi example code"""
222
if self.server is None:
223
self.server = dbus.Interface(
224
self.bus.get_object(avahi.DBUS_NAME,
225
avahi.DBUS_PATH_SERVER),
226
avahi.DBUS_INTERFACE_SERVER)
227
self.server.connect_to_signal(u"StateChanged",
228
self.server_state_changed)
229
self.server_state_changed(self.server.GetState())
230
231
232
class Client(object):
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
170
# End of Avahi example code
171
172
173
def _datetime_to_dbus_struct(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus struct.
175
The format is special to this application, since we could not find
176
any other standard way."""
177
return dbus.Struct((dbus.Int16(dt.year),
178
dbus.Byte(dt.month),
179
dbus.Byte(dt.day),
180
dbus.Byte(dt.hour),
181
dbus.Byte(dt.minute),
182
dbus.Byte(dt.second),
183
dbus.UInt32(dt.microsecond)),
184
signature="nyyyyyu",
185
variant_level=variant_level)
186
187
188
class Client(dbus.service.Object):
233
189
"""A representation of a client host served by this server.
234
235
190
Attributes:
236
name: string; from the config file, used in log messages and
237
D-Bus identifiers
191
name: string; from the config file, used in log messages
238
192
fingerprint: string (40 or 32 hexadecimal digits); used to
239
193
uniquely identify the client
240
194
secret: bytestring; sent verbatim (over TLS) to client
241
195
host: string; available for use by the checker command
242
196
created: datetime.datetime(); (UTC) object creation
243
last_enabled: datetime.datetime(); (UTC)
244
enabled: bool()
197
last_started: datetime.datetime(); (UTC)
198
started: bool()
245
199
last_checked_ok: datetime.datetime(); (UTC) or None
246
200
timeout: datetime.timedelta(); How long from last_checked_ok
247
until this client is disabled
201
until this client is invalid
248
202
interval: datetime.timedelta(); How often to start a new checker
249
disable_hook: If set, called by disable() as disable_hook(self)
203
stop_hook: If set, called by stop() as stop_hook(self)
250
204
checker: subprocess.Popen(); a running checker process used
251
205
to see if the client lives.
252
206
'None' if no process is running.
253
207
checker_initiator_tag: a gobject event source tag, or None
254
disable_initiator_tag: - '' -
208
stop_initiator_tag: - '' -
255
209
checker_callback_tag: - '' -
256
210
checker_command: string; External command which is run to check if
257
211
client lives. %() expansions are done at
258
212
runtime with vars(self) as dict, so that for
259
213
instance %(name)s can be used in the command.
260
current_checker_command: string; current running checker_command
214
dbus_object_path: dbus.ObjectPath
215
Private attibutes:
216
_timeout: Real variable for 'timeout'
217
_interval: Real variable for 'interval'
218
_timeout_milliseconds: Used when calling gobject.timeout_add()
219
_interval_milliseconds: - '' -
261
220
"""
262
263
@staticmethod
264
def _timedelta_to_milliseconds(td):
265
"Convert a datetime.timedelta() to milliseconds"
266
return ((td.days * 24 * 60 * 60 * 1000)
267
+ (td.seconds * 1000)
268
+ (td.microseconds // 1000))
269
270
def timeout_milliseconds(self):
271
"Return the 'timeout' attribute in milliseconds"
272
return self._timedelta_to_milliseconds(self.timeout)
273
274
def interval_milliseconds(self):
275
"Return the 'interval' attribute in milliseconds"
276
return self._timedelta_to_milliseconds(self.interval)
277
278
def __init__(self, name = None, disable_hook=None, config=None):
221
def _set_timeout(self, timeout):
222
"Setter function for the 'timeout' attribute"
223
self._timeout = timeout
224
self._timeout_milliseconds = ((self.timeout.days
225
* 24 * 60 * 60 * 1000)
226
+ (self.timeout.seconds * 1000)
227
+ (self.timeout.microseconds
228
// 1000))
229
# Emit D-Bus signal
230
self.PropertyChanged(dbus.String(u"timeout"),
231
(dbus.UInt64(self._timeout_milliseconds,
232
variant_level=1)))
233
timeout = property(lambda self: self._timeout, _set_timeout)
234
del _set_timeout
235
236
def _set_interval(self, interval):
237
"Setter function for the 'interval' attribute"
238
self._interval = interval
239
self._interval_milliseconds = ((self.interval.days
240
* 24 * 60 * 60 * 1000)
241
+ (self.interval.seconds
242
* 1000)
243
+ (self.interval.microseconds
244
// 1000))
245
# Emit D-Bus signal
246
self.PropertyChanged(dbus.String(u"interval"),
247
(dbus.UInt64(self._interval_milliseconds,
248
variant_level=1)))
249
interval = property(lambda self: self._interval, _set_interval)
250
del _set_interval
251
252
def __init__(self, name = None, stop_hook=None, config=None):
279
253
"""Note: the 'checker' key in 'config' sets the
280
254
'checker_command' attribute and *not* the 'checker'
281
255
attribute."""
282
self.name = name
256
self.dbus_object_path = (dbus.ObjectPath
257
("/Mandos/clients/"
258
+ name.replace(".", "_")))
259
dbus.service.Object.__init__(self, bus,
260
self.dbus_object_path)
283
261
if config is None:
284
262
config = {}
263
self.name = name
285
264
logger.debug(u"Creating client %r", self.name)
286
265
# Uppercase and remove spaces from fingerprint for later
287
266
# comparison purposes with return value from the fingerprint()
288
267
# function
289
self.fingerprint = (config[u"fingerprint"].upper()
268
self.fingerprint = (config["fingerprint"].upper()
290
269
.replace(u" ", u""))
291
270
logger.debug(u" Fingerprint: %s", self.fingerprint)
292
if u"secret" in config:
293
self.secret = config[u"secret"].decode(u"base64")
294
elif u"secfile" in config:
295
with open(os.path.expanduser(os.path.expandvars
296
(config[u"secfile"])),
297
"rb") as secfile:
271
if "secret" in config:
272
self.secret = config["secret"].decode(u"base64")
273
elif "secfile" in config:
274
with closing(open(os.path.expanduser
275
(os.path.expandvars
276
(config["secfile"])))) as secfile:
298
277
self.secret = secfile.read()
299
278
else:
300
279
raise TypeError(u"No secret or secfile for client %s"
301
280
% self.name)
302
self.host = config.get(u"host", u"")
281
self.host = config.get("host", "")
303
282
self.created = datetime.datetime.utcnow()
304
self.enabled = False
305
self.last_enabled = None
283
self.started = False
284
self.last_started = None
306
285
self.last_checked_ok = None
307
self.timeout = string_to_delta(config[u"timeout"])
308
self.interval = string_to_delta(config[u"interval"])
309
self.disable_hook = disable_hook
286
self.timeout = string_to_delta(config["timeout"])
287
self.interval = string_to_delta(config["interval"])
288
self.stop_hook = stop_hook
310
289
self.checker = None
311
290
self.checker_initiator_tag = None
312
self.disable_initiator_tag = None
291
self.stop_initiator_tag = None
313
292
self.checker_callback_tag = None
314
self.checker_command = config[u"checker"]
315
self.current_checker_command = None
316
self.last_connect = None
293
self.checker_command = config["checker"]
317
294
318
def enable(self):
295
def start(self):
319
296
"""Start this client's checker and timeout hooks"""
320
if getattr(self, u"enabled", False):
321
# Already enabled
322
return
323
self.last_enabled = datetime.datetime.utcnow()
297
self.last_started = datetime.datetime.utcnow()
324
298
# Schedule a new checker to be started an 'interval' from now,
325
299
# and every interval from then on.
326
300
self.checker_initiator_tag = (gobject.timeout_add
327
(self.interval_milliseconds(),
301
(self._interval_milliseconds,
328
302
self.start_checker))
329
# Schedule a disable() when 'timeout' has passed
330
self.disable_initiator_tag = (gobject.timeout_add
331
(self.timeout_milliseconds(),
332
self.disable))
333
self.enabled = True
334
303
# Also start a new checker *right now*.
335
304
self.start_checker()
305
# Schedule a stop() when 'timeout' has passed
306
self.stop_initiator_tag = (gobject.timeout_add
307
(self._timeout_milliseconds,
308
self.stop))
309
self.started = True
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"started"),
312
dbus.Boolean(True, variant_level=1))
313
self.PropertyChanged(dbus.String(u"last_started"),
314
(_datetime_to_dbus_struct
315
(self.last_started, variant_level=1)))
336
316
337
def disable(self, quiet=True):
338
"""Disable this client."""
339
if not getattr(self, "enabled", False):
317
def stop(self):
318
"""Stop this client."""
319
if not getattr(self, "started", False):
340
320
return False
341
if not quiet:
342
logger.info(u"Disabling client %s", self.name)
343
if getattr(self, u"disable_initiator_tag", False):
344
gobject.source_remove(self.disable_initiator_tag)
345
self.disable_initiator_tag = None
346
if getattr(self, u"checker_initiator_tag", False):
321
logger.info(u"Stopping client %s", self.name)
322
if getattr(self, "stop_initiator_tag", False):
323
gobject.source_remove(self.stop_initiator_tag)
324
self.stop_initiator_tag = None
325
if getattr(self, "checker_initiator_tag", False):
347
326
gobject.source_remove(self.checker_initiator_tag)
348
327
self.checker_initiator_tag = None
349
328
self.stop_checker()
350
if self.disable_hook:
351
self.disable_hook(self)
352
self.enabled = False
329
if self.stop_hook:
330
self.stop_hook(self)
331
self.started = False
332
# Emit D-Bus signal
333
self.PropertyChanged(dbus.String(u"started"),
334
dbus.Boolean(False, variant_level=1))
353
335
# Do not run this again if called by a gobject.timeout_add
354
336
return False
355
337
356
338
def __del__(self):
357
self.disable_hook = None
358
self.disable()
339
self.stop_hook = None
340
self.stop()
359
341
360
342
def checker_callback(self, pid, condition, command):
361
343
"""The checker has completed, so take appropriate actions."""
362
344
self.checker_callback_tag = None
363
345
self.checker = None
364
if os.WIFEXITED(condition):
365
exitstatus = os.WEXITSTATUS(condition)
366
if exitstatus == 0:
367
logger.info(u"Checker for %(name)s succeeded",
368
vars(self))
369
self.checked_ok()
370
else:
371
logger.info(u"Checker for %(name)s failed",
372
vars(self))
373
else:
346
# Emit D-Bus signal
347
self.PropertyChanged(dbus.String(u"checker_running"),
348
dbus.Boolean(False, variant_level=1))
349
if (os.WIFEXITED(condition)
350
and (os.WEXITSTATUS(condition) == 0)):
351
logger.info(u"Checker for %(name)s succeeded",
352
vars(self))
353
# Emit D-Bus signal
354
self.CheckerCompleted(dbus.Boolean(True),
355
dbus.UInt16(condition),
356
dbus.String(command))
357
self.bump_timeout()
358
elif not os.WIFEXITED(condition):
374
359
logger.warning(u"Checker for %(name)s crashed?",
375
360
vars(self))
361
# Emit D-Bus signal
362
self.CheckerCompleted(dbus.Boolean(False),
363
dbus.UInt16(condition),
364
dbus.String(command))
365
else:
366
logger.info(u"Checker for %(name)s failed",
367
vars(self))
368
# Emit D-Bus signal
369
self.CheckerCompleted(dbus.Boolean(False),
370
dbus.UInt16(condition),
371
dbus.String(command))
376
372
377
def checked_ok(self):
373
def bump_timeout(self):
378
374
"""Bump up the timeout for this client.
379
380
375
This should only be called when the client has been seen,
381
376
alive and well.
382
377
"""
383
378
self.last_checked_ok = datetime.datetime.utcnow()
384
gobject.source_remove(self.disable_initiator_tag)
385
self.disable_initiator_tag = (gobject.timeout_add
386
(self.timeout_milliseconds(),
387
self.disable))
379
gobject.source_remove(self.stop_initiator_tag)
380
self.stop_initiator_tag = (gobject.timeout_add
381
(self._timeout_milliseconds,
382
self.stop))
383
self.PropertyChanged(dbus.String(u"last_checked_ok"),
384
(_datetime_to_dbus_struct
385
(self.last_checked_ok,
386
variant_level=1)))
388
387
389
388
def start_checker(self):
390
389
"""Start a new checker subprocess if one is not running.
391
392
390
If a checker already exists, leave it running and do
393
391
nothing."""
394
392
# The reason for not killing a running checker is that if we
397
395
# client would inevitably timeout, since no checker would get
398
396
# a chance to run to completion. If we instead leave running
399
397
# checkers alone, the checker would have to take more time
400
# than 'timeout' for the client to be disabled, which is as it
401
# should be.
402
403
# If a checker exists, make sure it is not a zombie
404
try:
405
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
406
except (AttributeError, OSError), error:
407
if (isinstance(error, OSError)
408
and error.errno != errno.ECHILD):
409
raise error
410
else:
411
if pid:
412
logger.warning(u"Checker was a zombie")
413
gobject.source_remove(self.checker_callback_tag)
414
self.checker_callback(pid, status,
415
self.current_checker_command)
416
# Start a new checker if needed
398
# than 'timeout' for the client to be declared invalid, which
399
# is as it should be.
417
400
if self.checker is None:
418
401
try:
419
402
# In case checker_command has exactly one % operator
420
403
command = self.checker_command % self.host
421
404
except TypeError:
422
405
# Escape attributes for the shell
423
escaped_attrs = dict((key,
424
re.escape(unicode(str(val),
425
errors=
426
u'replace')))
406
escaped_attrs = dict((key, re.escape(str(val)))
427
407
for key, val in
428
408
vars(self).iteritems())
429
409
try:
432
412
logger.error(u'Could not format string "%s":'
433
413
u' %s', self.checker_command, error)
434
414
return True # Try again later
435
self.current_checker_command = command
436
415
try:
437
416
logger.info(u"Starting checker %r for %s",
438
417
command, self.name)
442
421
# always replaced by /dev/null.)
443
422
self.checker = subprocess.Popen(command,
444
423
close_fds=True,
445
shell=True, cwd=u"/")
424
shell=True, cwd="/")
425
# Emit D-Bus signal
426
self.CheckerStarted(command)
427
self.PropertyChanged(dbus.String("checker_running"),
428
dbus.Boolean(True, variant_level=1))
446
429
self.checker_callback_tag = (gobject.child_watch_add
447
430
(self.checker.pid,
448
431
self.checker_callback,
449
432
data=command))
450
# The checker may have completed before the gobject
451
# watch was added. Check for this.
452
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
453
if pid:
454
gobject.source_remove(self.checker_callback_tag)
455
self.checker_callback(pid, status, command)
456
433
except OSError, error:
457
434
logger.error(u"Failed to start subprocess: %s",
458
435
error)
464
441
if self.checker_callback_tag:
465
442
gobject.source_remove(self.checker_callback_tag)
466
443
self.checker_callback_tag = None
467
if getattr(self, u"checker", None) is None:
444
if getattr(self, "checker", None) is None:
468
445
return
469
446
logger.debug(u"Stopping checker for %(name)s", vars(self))
470
447
try:
471
448
os.kill(self.checker.pid, signal.SIGTERM)
472
#time.sleep(0.5)
449
#os.sleep(0.5)
473
450
#if self.checker.poll() is None:
474
451
# os.kill(self.checker.pid, signal.SIGKILL)
475
452
except OSError, error:
476
453
if error.errno != errno.ESRCH: # No such process
477
454
raise
478
455
self.checker = None
479
480
481
def dbus_service_property(dbus_interface, signature=u"v",
482
access=u"readwrite", byte_arrays=False):
483
"""Decorators for marking methods of a DBusObjectWithProperties to
484
become properties on the D-Bus.
485
486
The decorated method will be called with no arguments by "Get"
487
and with one argument by "Set".
488
489
The parameters, where they are supported, are the same as
490
dbus.service.method, except there is only "signature", since the
491
type from Get() and the type sent to Set() is the same.
492
"""
493
# Encoding deeply encoded byte arrays is not supported yet by the
494
# "Set" method, so we fail early here:
495
if byte_arrays and signature != u"ay":
496
raise ValueError(u"Byte arrays not supported for non-'ay'"
497
u" signature %r" % signature)
498
def decorator(func):
499
func._dbus_is_property = True
500
func._dbus_interface = dbus_interface
501
func._dbus_signature = signature
502
func._dbus_access = access
503
func._dbus_name = func.__name__
504
if func._dbus_name.endswith(u"_dbus_property"):
505
func._dbus_name = func._dbus_name[:-14]
506
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
507
return func
508
return decorator
509
510
511
class DBusPropertyException(dbus.exceptions.DBusException):
512
"""A base class for D-Bus property-related exceptions
513
"""
514
def __unicode__(self):
515
return unicode(str(self))
516
517
518
class DBusPropertyAccessException(DBusPropertyException):
519
"""A property's access permissions disallows an operation.
520
"""
521
pass
522
523
524
class DBusPropertyNotFound(DBusPropertyException):
525
"""An attempt was made to access a non-existing property.
526
"""
527
pass
528
529
530
class DBusObjectWithProperties(dbus.service.Object):
531
"""A D-Bus object with properties.
532
533
Classes inheriting from this can use the dbus_service_property
534
decorator to expose methods as D-Bus properties. It exposes the
535
standard Get(), Set(), and GetAll() methods on the D-Bus.
536
"""
537
538
@staticmethod
539
def _is_dbus_property(obj):
540
return getattr(obj, u"_dbus_is_property", False)
541
542
def _get_all_dbus_properties(self):
543
"""Returns a generator of (name, attribute) pairs
544
"""
545
return ((prop._dbus_name, prop)
546
for name, prop in
547
inspect.getmembers(self, self._is_dbus_property))
548
549
def _get_dbus_property(self, interface_name, property_name):
550
"""Returns a bound method if one exists which is a D-Bus
551
property with the specified name and interface.
552
"""
553
for name in (property_name,
554
property_name + u"_dbus_property"):
555
prop = getattr(self, name, None)
556
if (prop is None
557
or not self._is_dbus_property(prop)
558
or prop._dbus_name != property_name
559
or (interface_name and prop._dbus_interface
560
and interface_name != prop._dbus_interface)):
561
continue
562
return prop
563
# No such property
564
raise DBusPropertyNotFound(self.dbus_object_path + u":"
565
+ interface_name + u"."
566
+ property_name)
567
568
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
569
out_signature=u"v")
570
def Get(self, interface_name, property_name):
571
"""Standard D-Bus property Get() method, see D-Bus standard.
572
"""
573
prop = self._get_dbus_property(interface_name, property_name)
574
if prop._dbus_access == u"write":
575
raise DBusPropertyAccessException(property_name)
576
value = prop()
577
if not hasattr(value, u"variant_level"):
578
return value
579
return type(value)(value, variant_level=value.variant_level+1)
580
581
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
582
def Set(self, interface_name, property_name, value):
583
"""Standard D-Bus property Set() method, see D-Bus standard.
584
"""
585
prop = self._get_dbus_property(interface_name, property_name)
586
if prop._dbus_access == u"read":
587
raise DBusPropertyAccessException(property_name)
588
if prop._dbus_get_args_options[u"byte_arrays"]:
589
# The byte_arrays option is not supported yet on
590
# signatures other than "ay".
591
if prop._dbus_signature != u"ay":
592
raise ValueError
593
value = dbus.ByteArray(''.join(unichr(byte)
594
for byte in value))
595
prop(value)
596
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
598
out_signature=u"a{sv}")
599
def GetAll(self, interface_name):
600
"""Standard D-Bus property GetAll() method, see D-Bus
601
standard.
602
603
Note: Will not include properties with access="write".
604
"""
605
all = {}
606
for name, prop in self._get_all_dbus_properties():
607
if (interface_name
608
and interface_name != prop._dbus_interface):
609
# Interface non-empty but did not match
610
continue
611
# Ignore write-only properties
612
if prop._dbus_access == u"write":
613
continue
614
value = prop()
615
if not hasattr(value, u"variant_level"):
616
all[name] = value
617
continue
618
all[name] = type(value)(value, variant_level=
619
value.variant_level+1)
620
return dbus.Dictionary(all, signature=u"sv")
621
622
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
623
out_signature=u"s",
624
path_keyword='object_path',
625
connection_keyword='connection')
626
def Introspect(self, object_path, connection):
627
"""Standard D-Bus method, overloaded to insert property tags.
628
"""
629
xmlstring = dbus.service.Object.Introspect(self, object_path,
630
connection)
631
try:
632
document = xml.dom.minidom.parseString(xmlstring)
633
def make_tag(document, name, prop):
634
e = document.createElement(u"property")
635
e.setAttribute(u"name", name)
636
e.setAttribute(u"type", prop._dbus_signature)
637
e.setAttribute(u"access", prop._dbus_access)
638
return e
639
for if_tag in document.getElementsByTagName(u"interface"):
640
for tag in (make_tag(document, name, prop)
641
for name, prop
642
in self._get_all_dbus_properties()
643
if prop._dbus_interface
644
== if_tag.getAttribute(u"name")):
645
if_tag.appendChild(tag)
646
# Add the names to the return values for the
647
# "org.freedesktop.DBus.Properties" methods
648
if (if_tag.getAttribute(u"name")
649
== u"org.freedesktop.DBus.Properties"):
650
for cn in if_tag.getElementsByTagName(u"method"):
651
if cn.getAttribute(u"name") == u"Get":
652
for arg in cn.getElementsByTagName(u"arg"):
653
if (arg.getAttribute(u"direction")
654
== u"out"):
655
arg.setAttribute(u"name", u"value")
656
elif cn.getAttribute(u"name") == u"GetAll":
657
for arg in cn.getElementsByTagName(u"arg"):
658
if (arg.getAttribute(u"direction")
659
== u"out"):
660
arg.setAttribute(u"name", u"props")
661
xmlstring = document.toxml(u"utf-8")
662
document.unlink()
663
except (AttributeError, xml.dom.DOMException,
664
xml.parsers.expat.ExpatError), error:
665
logger.error(u"Failed to override Introspection method",
666
error)
667
return xmlstring
668
669
670
class ClientDBus(Client, DBusObjectWithProperties):
671
"""A Client class using D-Bus
672
673
Attributes:
674
dbus_object_path: dbus.ObjectPath
675
bus: dbus.SystemBus()
676
"""
677
# dbus.service.Object doesn't use super(), so we can't either.
678
679
def __init__(self, bus = None, *args, **kwargs):
680
self.bus = bus
681
Client.__init__(self, *args, **kwargs)
682
# Only now, when this client is initialized, can it show up on
683
# the D-Bus
684
self.dbus_object_path = (dbus.ObjectPath
685
(u"/clients/"
686
+ self.name.replace(u".", u"_")))
687
DBusObjectWithProperties.__init__(self, self.bus,
688
self.dbus_object_path)
689
690
@staticmethod
691
def _datetime_to_dbus(dt, variant_level=0):
692
"""Convert a UTC datetime.datetime() to a D-Bus type."""
693
return dbus.String(dt.isoformat(),
694
variant_level=variant_level)
695
696
def enable(self):
697
oldstate = getattr(self, u"enabled", False)
698
r = Client.enable(self)
699
if oldstate != self.enabled:
700
# Emit D-Bus signals
701
self.PropertyChanged(dbus.String(u"enabled"),
702
dbus.Boolean(True, variant_level=1))
703
self.PropertyChanged(
704
dbus.String(u"last_enabled"),
705
self._datetime_to_dbus(self.last_enabled,
706
variant_level=1))
707
return r
708
709
def disable(self, quiet = False):
710
oldstate = getattr(self, u"enabled", False)
711
r = Client.disable(self, quiet=quiet)
712
if not quiet and oldstate != self.enabled:
713
# Emit D-Bus signal
714
self.PropertyChanged(dbus.String(u"enabled"),
715
dbus.Boolean(False, variant_level=1))
716
return r
717
718
def __del__(self, *args, **kwargs):
719
try:
720
self.remove_from_connection()
721
except LookupError:
722
pass
723
if hasattr(DBusObjectWithProperties, u"__del__"):
724
DBusObjectWithProperties.__del__(self, *args, **kwargs)
725
Client.__del__(self, *args, **kwargs)
726
727
def checker_callback(self, pid, condition, command,
728
*args, **kwargs):
729
self.checker_callback_tag = None
730
self.checker = None
731
# Emit D-Bus signal
732
456
self.PropertyChanged(dbus.String(u"checker_running"),
733
457
dbus.Boolean(False, variant_level=1))
734
if os.WIFEXITED(condition):
735
exitstatus = os.WEXITSTATUS(condition)
736
# Emit D-Bus signal
737
self.CheckerCompleted(dbus.Int16(exitstatus),
738
dbus.Int64(condition),
739
dbus.String(command))
740
else:
741
# Emit D-Bus signal
742
self.CheckerCompleted(dbus.Int16(-1),
743
dbus.Int64(condition),
744
dbus.String(command))
745
746
return Client.checker_callback(self, pid, condition, command,
747
*args, **kwargs)
748
749
def checked_ok(self, *args, **kwargs):
750
r = Client.checked_ok(self, *args, **kwargs)
751
# Emit D-Bus signal
752
self.PropertyChanged(
753
dbus.String(u"last_checked_ok"),
754
(self._datetime_to_dbus(self.last_checked_ok,
755
variant_level=1)))
756
return r
757
758
def start_checker(self, *args, **kwargs):
759
old_checker = self.checker
760
if self.checker is not None:
761
old_checker_pid = self.checker.pid
762
else:
763
old_checker_pid = None
764
r = Client.start_checker(self, *args, **kwargs)
765
# Only if new checker process was started
766
if (self.checker is not None
767
and old_checker_pid != self.checker.pid):
768
# Emit D-Bus signal
769
self.CheckerStarted(self.current_checker_command)
770
self.PropertyChanged(
771
dbus.String(u"checker_running"),
772
dbus.Boolean(True, variant_level=1))
773
return r
774
775
def stop_checker(self, *args, **kwargs):
776
old_checker = getattr(self, u"checker", None)
777
r = Client.stop_checker(self, *args, **kwargs)
778
if (old_checker is not None
779
and getattr(self, u"checker", None) is None):
780
self.PropertyChanged(dbus.String(u"checker_running"),
781
dbus.Boolean(False, variant_level=1))
782
return r
783
784
## D-Bus methods, signals & properties
785
_interface = u"se.bsnet.fukt.Mandos.Client"
786
787
## Signals
458
459
def still_valid(self):
460
"""Has the timeout not yet passed for this client?"""
461
if not getattr(self, "started", False):
462
return False
463
now = datetime.datetime.utcnow()
464
if self.last_checked_ok is None:
465
return now < (self.created + self.timeout)
466
else:
467
return now < (self.last_checked_ok + self.timeout)
468
469
## D-Bus methods & signals
470
_interface = u"org.mandos_system.Mandos.Client"
471
472
# BumpTimeout - method
473
BumpTimeout = dbus.service.method(_interface)(bump_timeout)
474
BumpTimeout.__name__ = "BumpTimeout"
788
475
789
476
# CheckerCompleted - signal
790
@dbus.service.signal(_interface, signature=u"nxs")
791
def CheckerCompleted(self, exitcode, waitstatus, command):
477
@dbus.service.signal(_interface, signature="bqs")
478
def CheckerCompleted(self, success, condition, command):
792
479
"D-Bus signal"
793
480
pass
794
481
795
482
# CheckerStarted - signal
796
@dbus.service.signal(_interface, signature=u"s")
483
@dbus.service.signal(_interface, signature="s")
797
484
def CheckerStarted(self, command):
798
485
"D-Bus signal"
799
486
pass
800
487
488
# GetAllProperties - method
489
@dbus.service.method(_interface, out_signature="a{sv}")
490
def GetAllProperties(self):
491
"D-Bus method"
492
return dbus.Dictionary({
493
dbus.String("name"):
494
dbus.String(self.name, variant_level=1),
495
dbus.String("fingerprint"):
496
dbus.String(self.fingerprint, variant_level=1),
497
dbus.String("host"):
498
dbus.String(self.host, variant_level=1),
499
dbus.String("created"):
500
_datetime_to_dbus_struct(self.created,
501
variant_level=1),
502
dbus.String("last_started"):
503
(_datetime_to_dbus_struct(self.last_started,
504
variant_level=1)
505
if self.last_started is not None
506
else dbus.Boolean(False, variant_level=1)),
507
dbus.String("started"):
508
dbus.Boolean(self.started, variant_level=1),
509
dbus.String("last_checked_ok"):
510
(_datetime_to_dbus_struct(self.last_checked_ok,
511
variant_level=1)
512
if self.last_checked_ok is not None
513
else dbus.Boolean (False, variant_level=1)),
514
dbus.String("timeout"):
515
dbus.UInt64(self._timeout_milliseconds,
516
variant_level=1),
517
dbus.String("interval"):
518
dbus.UInt64(self._interval_milliseconds,
519
variant_level=1),
520
dbus.String("checker"):
521
dbus.String(self.checker_command,
522
variant_level=1),
523
dbus.String("checker_running"):
524
dbus.Boolean(self.checker is not None,
525
variant_level=1),
526
}, signature="sv")
527
528
# IsStillValid - method
529
IsStillValid = (dbus.service.method(_interface, out_signature="b")
530
(still_valid))
531
IsStillValid.__name__ = "IsStillValid"
532
801
533
# PropertyChanged - signal
802
@dbus.service.signal(_interface, signature=u"sv")
534
@dbus.service.signal(_interface, signature="sv")
803
535
def PropertyChanged(self, property, value):
804
536
"D-Bus signal"
805
537
pass
806
538
807
# GotSecret - signal
808
@dbus.service.signal(_interface)
809
def GotSecret(self):
810
"D-Bus signal"
811
pass
812
813
# Rejected - signal
814
@dbus.service.signal(_interface)
815
def Rejected(self):
816
"D-Bus signal"
817
pass
818
819
## Methods
820
821
# CheckedOK - method
822
@dbus.service.method(_interface)
823
def CheckedOK(self):
824
return self.checked_ok()
825
826
# Enable - method
827
@dbus.service.method(_interface)
828
def Enable(self):
829
"D-Bus method"
830
self.enable()
539
# SetChecker - method
540
@dbus.service.method(_interface, in_signature="s")
541
def SetChecker(self, checker):
542
"D-Bus setter method"
543
self.checker_command = checker
544
545
# SetHost - method
546
@dbus.service.method(_interface, in_signature="s")
547
def SetHost(self, host):
548
"D-Bus setter method"
549
self.host = host
550
551
# SetInterval - method
552
@dbus.service.method(_interface, in_signature="t")
553
def SetInterval(self, milliseconds):
554
self.interval = datetime.timdeelta(0, 0, 0, milliseconds)
555
556
# SetSecret - method
557
@dbus.service.method(_interface, in_signature="ay",
558
byte_arrays=True)
559
def SetSecret(self, secret):
560
"D-Bus setter method"
561
self.secret = str(secret)
562
563
# SetTimeout - method
564
@dbus.service.method(_interface, in_signature="t")
565
def SetTimeout(self, milliseconds):
566
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
567
568
# Start - method
569
Start = dbus.service.method(_interface)(start)
570
Start.__name__ = "Start"
831
571
832
572
# StartChecker - method
833
573
@dbus.service.method(_interface)
835
575
"D-Bus method"
836
576
self.start_checker()
837
577
838
# Disable - method
578
# Stop - method
839
579
@dbus.service.method(_interface)
840
def Disable(self):
580
def Stop(self):
841
581
"D-Bus method"
842
self.disable()
582
self.stop()
843
583
844
584
# StopChecker - method
845
@dbus.service.method(_interface)
846
def StopChecker(self):
847
self.stop_checker()
848
849
## Properties
850
851
# name - property
852
@dbus_service_property(_interface, signature=u"s", access=u"read")
853
def name_dbus_property(self):
854
return dbus.String(self.name)
855
856
# fingerprint - property
857
@dbus_service_property(_interface, signature=u"s", access=u"read")
858
def fingerprint_dbus_property(self):
859
return dbus.String(self.fingerprint)
860
861
# host - property
862
@dbus_service_property(_interface, signature=u"s",
863
access=u"readwrite")
864
def host_dbus_property(self, value=None):
865
if value is None: # get
866
return dbus.String(self.host)
867
self.host = value
868
# Emit D-Bus signal
869
self.PropertyChanged(dbus.String(u"host"),
870
dbus.String(value, variant_level=1))
871
872
# created - property
873
@dbus_service_property(_interface, signature=u"s", access=u"read")
874
def created_dbus_property(self):
875
return dbus.String(self._datetime_to_dbus(self.created))
876
877
# last_enabled - property
878
@dbus_service_property(_interface, signature=u"s", access=u"read")
879
def last_enabled_dbus_property(self):
880
if self.last_enabled is None:
881
return dbus.String(u"")
882
return dbus.String(self._datetime_to_dbus(self.last_enabled))
883
884
# enabled - property
885
@dbus_service_property(_interface, signature=u"b",
886
access=u"readwrite")
887
def enabled_dbus_property(self, value=None):
888
if value is None: # get
889
return dbus.Boolean(self.enabled)
890
if value:
891
self.enable()
892
else:
893
self.disable()
894
895
# last_checked_ok - property
896
@dbus_service_property(_interface, signature=u"s",
897
access=u"readwrite")
898
def last_checked_ok_dbus_property(self, value=None):
899
if value is not None:
900
self.checked_ok()
901
return
902
if self.last_checked_ok is None:
903
return dbus.String(u"")
904
return dbus.String(self._datetime_to_dbus(self
905
.last_checked_ok))
906
907
# timeout - property
908
@dbus_service_property(_interface, signature=u"t",
909
access=u"readwrite")
910
def timeout_dbus_property(self, value=None):
911
if value is None: # get
912
return dbus.UInt64(self.timeout_milliseconds())
913
self.timeout = datetime.timedelta(0, 0, 0, value)
914
# Emit D-Bus signal
915
self.PropertyChanged(dbus.String(u"timeout"),
916
dbus.UInt64(value, variant_level=1))
917
if getattr(self, u"disable_initiator_tag", None) is None:
918
return
919
# Reschedule timeout
920
gobject.source_remove(self.disable_initiator_tag)
921
self.disable_initiator_tag = None
922
time_to_die = (self.
923
_timedelta_to_milliseconds((self
924
.last_checked_ok
925
+ self.timeout)
926
- datetime.datetime
927
.utcnow()))
928
if time_to_die <= 0:
929
# The timeout has passed
930
self.disable()
931
else:
932
self.disable_initiator_tag = (gobject.timeout_add
933
(time_to_die, self.disable))
934
935
# interval - property
936
@dbus_service_property(_interface, signature=u"t",
937
access=u"readwrite")
938
def interval_dbus_property(self, value=None):
939
if value is None: # get
940
return dbus.UInt64(self.interval_milliseconds())
941
self.interval = datetime.timedelta(0, 0, 0, value)
942
# Emit D-Bus signal
943
self.PropertyChanged(dbus.String(u"interval"),
944
dbus.UInt64(value, variant_level=1))
945
if getattr(self, u"checker_initiator_tag", None) is None:
946
return
947
# Reschedule checker run
948
gobject.source_remove(self.checker_initiator_tag)
949
self.checker_initiator_tag = (gobject.timeout_add
950
(value, self.start_checker))
951
self.start_checker() # Start one now, too
952
953
# checker - property
954
@dbus_service_property(_interface, signature=u"s",
955
access=u"readwrite")
956
def checker_dbus_property(self, value=None):
957
if value is None: # get
958
return dbus.String(self.checker_command)
959
self.checker_command = value
960
# Emit D-Bus signal
961
self.PropertyChanged(dbus.String(u"checker"),
962
dbus.String(self.checker_command,
963
variant_level=1))
964
965
# checker_running - property
966
@dbus_service_property(_interface, signature=u"b",
967
access=u"readwrite")
968
def checker_running_dbus_property(self, value=None):
969
if value is None: # get
970
return dbus.Boolean(self.checker is not None)
971
if value:
972
self.start_checker()
973
else:
974
self.stop_checker()
975
976
# object_path - property
977
@dbus_service_property(_interface, signature=u"o", access=u"read")
978
def object_path_dbus_property(self):
979
return self.dbus_object_path # is already a dbus.ObjectPath
980
981
# secret = property
982
@dbus_service_property(_interface, signature=u"ay",
983
access=u"write", byte_arrays=True)
984
def secret_dbus_property(self, value):
985
self.secret = str(value)
585
StopChecker = dbus.service.method(_interface)(stop_checker)
586
StopChecker.__name__ = "StopChecker"
986
587
987
588
del _interface
988
589
989
590
990
class ClientHandler(socketserver.BaseRequestHandler, object):
991
"""A class to handle client connections.
992
993
Instantiated once for each connection to handle it.
591
def peer_certificate(session):
592
"Return the peer's OpenPGP certificate as a bytestring"
593
# If not an OpenPGP certificate...
594
if (gnutls.library.functions
595
.gnutls_certificate_type_get(session._c_object)
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
597
# ...do the normal thing
598
return session.peer_certificate
599
list_size = ctypes.c_uint()
600
cert_list = (gnutls.library.functions
601
.gnutls_certificate_get_peers
602
(session._c_object, ctypes.byref(list_size)))
603
if list_size.value == 0:
604
return None
605
cert = cert_list[0]
606
return ctypes.string_at(cert.data, cert.size)
607
608
609
def fingerprint(openpgp):
610
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
611
# New GnuTLS "datum" with the OpenPGP public key
612
datum = (gnutls.library.types
613
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
614
ctypes.POINTER
615
(ctypes.c_ubyte)),
616
ctypes.c_uint(len(openpgp))))
617
# New empty GnuTLS certificate
618
crt = gnutls.library.types.gnutls_openpgp_crt_t()
619
(gnutls.library.functions
620
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
621
# Import the OpenPGP public key into the certificate
622
(gnutls.library.functions
623
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
624
gnutls.library.constants
625
.GNUTLS_OPENPGP_FMT_RAW))
626
# Verify the self signature in the key
627
crtverify = ctypes.c_uint()
628
(gnutls.library.functions
629
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
630
if crtverify.value != 0:
631
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
632
raise gnutls.errors.CertificateSecurityError("Verify failed")
633
# New buffer for the fingerprint
634
buf = ctypes.create_string_buffer(20)
635
buf_len = ctypes.c_size_t()
636
# Get the fingerprint from the certificate into the buffer
637
(gnutls.library.functions
638
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
639
ctypes.byref(buf_len)))
640
# Deinit the certificate
641
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
642
# Convert the buffer to a Python bytestring
643
fpr = ctypes.string_at(buf, buf_len.value)
644
# Convert the bytestring to hexadecimal notation
645
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
646
return hex_fpr
647
648
649
class TCP_handler(SocketServer.BaseRequestHandler, object):
650
"""A TCP request handler class.
651
Instantiated by IPv6_TCPServer for each request to handle it.
994
652
Note: This will run in its own forked process."""
995
653
996
654
def handle(self):
997
655
logger.info(u"TCP connection from: %s",
998
656
unicode(self.client_address))
999
logger.debug(u"IPC Pipe FD: %d",
1000
self.server.child_pipe[1].fileno())
1001
# Open IPC pipe to parent process
1002
with contextlib.nested(self.server.child_pipe[1],
1003
self.server.parent_pipe[0]
1004
) as (ipc, ipc_return):
1005
session = (gnutls.connection
1006
.ClientSession(self.request,
1007
gnutls.connection
1008
.X509Credentials()))
1009
1010
# Note: gnutls.connection.X509Credentials is really a
1011
# generic GnuTLS certificate credentials object so long as
1012
# no X.509 keys are added to it. Therefore, we can use it
1013
# here despite using OpenPGP certificates.
1014
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1016
# u"+AES-256-CBC", u"+SHA1",
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1018
# u"+DHE-DSS"))
1019
# Use a fallback default, since this MUST be set.
1020
priority = self.server.gnutls_priority
1021
if priority is None:
1022
priority = u"NORMAL"
1023
(gnutls.library.functions
1024
.gnutls_priority_set_direct(session._c_object,
1025
priority, None))
1026
1027
# Start communication using the Mandos protocol
1028
# Get protocol number
1029
line = self.request.makefile().readline()
1030
logger.debug(u"Protocol version: %r", line)
1031
try:
1032
if int(line.strip().split()[0]) > 1:
1033
raise RuntimeError
1034
except (ValueError, IndexError, RuntimeError), error:
1035
logger.error(u"Unknown protocol version: %s", error)
1036
return
1037
1038
# Start GnuTLS connection
1039
try:
1040
session.handshake()
1041
except gnutls.errors.GNUTLSError, error:
1042
logger.warning(u"Handshake failed: %s", error)
1043
# Do not run session.bye() here: the session is not
1044
# established. Just abandon the request.
1045
return
1046
logger.debug(u"Handshake succeeded")
1047
try:
1048
try:
1049
fpr = self.fingerprint(self.peer_certificate
1050
(session))
1051
except (TypeError, gnutls.errors.GNUTLSError), error:
1052
logger.warning(u"Bad certificate: %s", error)
1053
return
1054
logger.debug(u"Fingerprint: %s", fpr)
1055
1056
for c in self.server.clients:
1057
if c.fingerprint == fpr:
1058
client = c
1059
break
1060
else:
1061
ipc.write(u"NOTFOUND %s %s\n"
1062
% (fpr, unicode(self.client_address)))
1063
return
1064
1065
class ClientProxy(object):
1066
"""Client proxy object. Not for calling methods."""
1067
def __init__(self, client):
1068
self.client = client
1069
def __getattr__(self, name):
1070
if name.startswith("ipc_"):
1071
def tempfunc():
1072
ipc.write("%s %s\n" % (name[4:].upper(),
1073
self.client.name))
1074
return tempfunc
1075
if not hasattr(self.client, name):
1076
raise AttributeError
1077
ipc.write(u"GETATTR %s %s\n"
1078
% (name, self.client.fingerprint))
1079
return pickle.load(ipc_return)
1080
clientproxy = ClientProxy(client)
1081
# Have to check if client.enabled, since it is
1082
# possible that the client was disabled since the
1083
# GnuTLS session was established.
1084
if not clientproxy.enabled:
1085
clientproxy.ipc_disabled()
1086
return
1087
1088
clientproxy.ipc_sending()
1089
sent_size = 0
1090
while sent_size < len(client.secret):
1091
sent = session.send(client.secret[sent_size:])
1092
logger.debug(u"Sent: %d, remaining: %d",
1093
sent, len(client.secret)
1094
- (sent_size + sent))
1095
sent_size += sent
1096
finally:
1097
session.bye()
1098
1099
@staticmethod
1100
def peer_certificate(session):
1101
"Return the peer's OpenPGP certificate as a bytestring"
1102
# If not an OpenPGP certificate...
1103
if (gnutls.library.functions
1104
.gnutls_certificate_type_get(session._c_object)
1105
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1106
# ...do the normal thing
1107
return session.peer_certificate
1108
list_size = ctypes.c_uint(1)
1109
cert_list = (gnutls.library.functions
1110
.gnutls_certificate_get_peers
1111
(session._c_object, ctypes.byref(list_size)))
1112
if not bool(cert_list) and list_size.value != 0:
1113
raise gnutls.errors.GNUTLSError(u"error getting peer"
1114
u" certificate")
1115
if list_size.value == 0:
1116
return None
1117
cert = cert_list[0]
1118
return ctypes.string_at(cert.data, cert.size)
1119
1120
@staticmethod
1121
def fingerprint(openpgp):
1122
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1123
# New GnuTLS "datum" with the OpenPGP public key
1124
datum = (gnutls.library.types
1125
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1126
ctypes.POINTER
1127
(ctypes.c_ubyte)),
1128
ctypes.c_uint(len(openpgp))))
1129
# New empty GnuTLS certificate
1130
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1131
(gnutls.library.functions
1132
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1133
# Import the OpenPGP public key into the certificate
1134
(gnutls.library.functions
1135
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1136
gnutls.library.constants
1137
.GNUTLS_OPENPGP_FMT_RAW))
1138
# Verify the self signature in the key
1139
crtverify = ctypes.c_uint()
1140
(gnutls.library.functions
1141
.gnutls_openpgp_crt_verify_self(crt, 0,
1142
ctypes.byref(crtverify)))
1143
if crtverify.value != 0:
1144
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1145
raise (gnutls.errors.CertificateSecurityError
1146
(u"Verify failed"))
1147
# New buffer for the fingerprint
1148
buf = ctypes.create_string_buffer(20)
1149
buf_len = ctypes.c_size_t()
1150
# Get the fingerprint from the certificate into the buffer
1151
(gnutls.library.functions
1152
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1153
ctypes.byref(buf_len)))
1154
# Deinit the certificate
1155
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1156
# Convert the buffer to a Python bytestring
1157
fpr = ctypes.string_at(buf, buf_len.value)
1158
# Convert the bytestring to hexadecimal notation
1159
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1160
return hex_fpr
1161
1162
1163
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1164
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1165
def process_request(self, request, client_address):
1166
"""Overrides and wraps the original process_request().
1167
1168
This function creates a new pipe in self.pipe
1169
"""
1170
# Child writes to child_pipe
1171
self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1172
# Parent writes to parent_pipe
1173
self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1174
super(ForkingMixInWithPipes,
1175
self).process_request(request, client_address)
1176
# Close unused ends for parent
1177
self.parent_pipe[0].close() # close read end
1178
self.child_pipe[1].close() # close write end
1179
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1180
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1181
"""Dummy function; override as necessary"""
1182
child_pipe_fd.close()
1183
parent_pipe_fd.close()
1184
1185
1186
class IPv6_TCPServer(ForkingMixInWithPipes,
1187
socketserver.TCPServer, object):
1188
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1189
657
session = (gnutls.connection
658
.ClientSession(self.request,
659
gnutls.connection
660
.X509Credentials()))
661
662
line = self.request.makefile().readline()
663
logger.debug(u"Protocol version: %r", line)
664
try:
665
if int(line.strip().split()[0]) > 1:
666
raise RuntimeError
667
except (ValueError, IndexError, RuntimeError), error:
668
logger.error(u"Unknown protocol version: %s", error)
669
return
670
671
# Note: gnutls.connection.X509Credentials is really a generic
672
# GnuTLS certificate credentials object so long as no X.509
673
# keys are added to it. Therefore, we can use it here despite
674
# using OpenPGP certificates.
675
676
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
677
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
678
# "+DHE-DSS"))
679
# Use a fallback default, since this MUST be set.
680
priority = self.server.settings.get("priority", "NORMAL")
681
(gnutls.library.functions
682
.gnutls_priority_set_direct(session._c_object,
683
priority, None))
684
685
try:
686
session.handshake()
687
except gnutls.errors.GNUTLSError, error:
688
logger.warning(u"Handshake failed: %s", error)
689
# Do not run session.bye() here: the session is not
690
# established. Just abandon the request.
691
return
692
try:
693
fpr = fingerprint(peer_certificate(session))
694
except (TypeError, gnutls.errors.GNUTLSError), error:
695
logger.warning(u"Bad certificate: %s", error)
696
session.bye()
697
return
698
logger.debug(u"Fingerprint: %s", fpr)
699
for c in self.server.clients:
700
if c.fingerprint == fpr:
701
client = c
702
break
703
else:
704
logger.warning(u"Client not found for fingerprint: %s",
705
fpr)
706
session.bye()
707
return
708
# Have to check if client.still_valid(), since it is possible
709
# that the client timed out while establishing the GnuTLS
710
# session.
711
if not client.still_valid():
712
logger.warning(u"Client %(name)s is invalid",
713
vars(client))
714
session.bye()
715
return
716
## This won't work here, since we're in a fork.
717
# client.bump_timeout()
718
sent_size = 0
719
while sent_size < len(client.secret):
720
sent = session.send(client.secret[sent_size:])
721
logger.debug(u"Sent: %d, remaining: %d",
722
sent, len(client.secret)
723
- (sent_size + sent))
724
sent_size += sent
725
session.bye()
726
727
728
class IPv6_TCPServer(SocketServer.ForkingMixIn,
729
SocketServer.TCPServer, object):
730
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1190
731
Attributes:
732
settings: Server settings
733
clients: Set() of Client objects
1191
734
enabled: Boolean; whether this server is activated yet
1192
interface: None or a network interface name (string)
1193
use_ipv6: Boolean; to use IPv6 or not
1194
735
"""
1195
def __init__(self, server_address, RequestHandlerClass,
1196
interface=None, use_ipv6=True):
1197
self.interface = interface
1198
if use_ipv6:
1199
self.address_family = socket.AF_INET6
1200
socketserver.TCPServer.__init__(self, server_address,
1201
RequestHandlerClass)
736
address_family = socket.AF_INET6
737
def __init__(self, *args, **kwargs):
738
if "settings" in kwargs:
739
self.settings = kwargs["settings"]
740
del kwargs["settings"]
741
if "clients" in kwargs:
742
self.clients = kwargs["clients"]
743
del kwargs["clients"]
744
self.enabled = False
745
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1202
746
def server_bind(self):
1203
747
"""This overrides the normal server_bind() function
1204
748
to bind to an interface if one was specified, and also NOT to
1205
749
bind to an address or port if they were not specified."""
1206
if self.interface is not None:
1207
if SO_BINDTODEVICE is None:
1208
logger.error(u"SO_BINDTODEVICE does not exist;"
1209
u" cannot bind to interface %s",
1210
self.interface)
1211
else:
1212
try:
1213
self.socket.setsockopt(socket.SOL_SOCKET,
1214
SO_BINDTODEVICE,
1215
str(self.interface
1216
+ u'\0'))
1217
except socket.error, error:
1218
if error[0] == errno.EPERM:
1219
logger.error(u"No permission to"
1220
u" bind to interface %s",
1221
self.interface)
1222
elif error[0] == errno.ENOPROTOOPT:
1223
logger.error(u"SO_BINDTODEVICE not available;"
1224
u" cannot bind to interface %s",
1225
self.interface)
1226
else:
1227
raise
750
if self.settings["interface"]:
751
# 25 is from /usr/include/asm-i486/socket.h
752
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
753
try:
754
self.socket.setsockopt(socket.SOL_SOCKET,
755
SO_BINDTODEVICE,
756
self.settings["interface"])
757
except socket.error, error:
758
if error[0] == errno.EPERM:
759
logger.error(u"No permission to"
760
u" bind to interface %s",
761
self.settings["interface"])
762
else:
763
raise error
1228
764
# Only bind(2) the socket if we really need to.
1229
765
if self.server_address[0] or self.server_address[1]:
1230
766
if not self.server_address[0]:
1231
if self.address_family == socket.AF_INET6:
1232
any_address = u"::" # in6addr_any
1233
else:
1234
any_address = socket.INADDR_ANY
1235
self.server_address = (any_address,
767
in6addr_any = "::"
768
self.server_address = (in6addr_any,
1236
769
self.server_address[1])
1237
770
elif not self.server_address[1]:
1238
771
self.server_address = (self.server_address[0],
1239
772
0)
1240
# if self.interface:
773
# if self.settings["interface"]:
1241
774
# self.server_address = (self.server_address[0],
1242
775
# 0, # port
1243
776
# 0, # flowinfo
1244
777
# if_nametoindex
1245
# (self.interface))
1246
return socketserver.TCPServer.server_bind(self)
1247
1248
1249
class MandosServer(IPv6_TCPServer):
1250
"""Mandos server.
1251
1252
Attributes:
1253
clients: set of Client objects
1254
gnutls_priority GnuTLS priority string
1255
use_dbus: Boolean; to emit D-Bus signals or not
1256
1257
Assumes a gobject.MainLoop event loop.
1258
"""
1259
def __init__(self, server_address, RequestHandlerClass,
1260
interface=None, use_ipv6=True, clients=None,
1261
gnutls_priority=None, use_dbus=True):
1262
self.enabled = False
1263
self.clients = clients
1264
if self.clients is None:
1265
self.clients = set()
1266
self.use_dbus = use_dbus
1267
self.gnutls_priority = gnutls_priority
1268
IPv6_TCPServer.__init__(self, server_address,
1269
RequestHandlerClass,
1270
interface = interface,
1271
use_ipv6 = use_ipv6)
778
# (self.settings
779
# ["interface"]))
780
return super(IPv6_TCPServer, self).server_bind()
1272
781
def server_activate(self):
1273
782
if self.enabled:
1274
return socketserver.TCPServer.server_activate(self)
783
return super(IPv6_TCPServer, self).server_activate()
1275
784
def enable(self):
1276
785
self.enabled = True
1277
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1278
# Call "handle_ipc" for both data and EOF events
1279
gobject.io_add_watch(child_pipe_fd.fileno(),
1280
gobject.IO_IN | gobject.IO_HUP,
1281
functools.partial(self.handle_ipc,
1282
reply = parent_pipe_fd,
1283
sender= child_pipe_fd))
1284
def handle_ipc(self, source, condition, reply=None, sender=None):
1285
condition_names = {
1286
gobject.IO_IN: u"IN", # There is data to read.
1287
gobject.IO_OUT: u"OUT", # Data can be written (without
1288
# blocking).
1289
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1290
gobject.IO_ERR: u"ERR", # Error condition.
1291
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1292
# broken, usually for pipes and
1293
# sockets).
1294
}
1295
conditions_string = ' | '.join(name
1296
for cond, name in
1297
condition_names.iteritems()
1298
if cond & condition)
1299
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1300
conditions_string)
1301
1302
# Read a line from the file object
1303
cmdline = sender.readline()
1304
if not cmdline: # Empty line means end of file
1305
# close the IPC pipes
1306
sender.close()
1307
reply.close()
1308
1309
# Stop calling this function
1310
return False
1311
1312
logger.debug(u"IPC command: %r", cmdline)
1313
1314
# Parse and act on command
1315
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1316
1317
if cmd == u"NOTFOUND":
1318
fpr, address = args.split(None, 1)
1319
logger.warning(u"Client not found for fingerprint: %s, ad"
1320
u"dress: %s", fpr, address)
1321
if self.use_dbus:
1322
# Emit D-Bus signal
1323
mandos_dbus_service.ClientNotFound(fpr, address)
1324
elif cmd == u"DISABLED":
1325
for client in self.clients:
1326
if client.name == args:
1327
logger.warning(u"Client %s is disabled", args)
1328
if self.use_dbus:
1329
# Emit D-Bus signal
1330
client.Rejected()
1331
break
1332
else:
1333
logger.error(u"Unknown client %s is disabled", args)
1334
elif cmd == u"SENDING":
1335
for client in self.clients:
1336
if client.name == args:
1337
logger.info(u"Sending secret to %s", client.name)
1338
client.checked_ok()
1339
if self.use_dbus:
1340
# Emit D-Bus signal
1341
client.GotSecret()
1342
break
1343
else:
1344
logger.error(u"Sending secret to unknown client %s",
1345
args)
1346
elif cmd == u"GETATTR":
1347
attr_name, fpr = args.split(None, 1)
1348
for client in self.clients:
1349
if client.fingerprint == fpr:
1350
attr_value = getattr(client, attr_name, None)
1351
logger.debug("IPC reply: %r", attr_value)
1352
pickle.dump(attr_value, reply)
1353
break
1354
else:
1355
logger.error(u"Client %s on address %s requesting "
1356
u"attribute %s not found", fpr, address,
1357
attr_name)
1358
pickle.dump(None, reply)
1359
else:
1360
logger.error(u"Unknown IPC command: %r", cmdline)
1361
1362
# Keep calling this function
1363
return True
1364
786
1365
787
1366
788
def string_to_delta(interval):
1367
789
"""Parse a string and return a datetime.timedelta
1368
1369
>>> string_to_delta(u'7d')
790
791
>>> string_to_delta('7d')
1370
792
datetime.timedelta(7)
1371
>>> string_to_delta(u'60s')
793
>>> string_to_delta('60s')
1372
794
datetime.timedelta(0, 60)
1373
>>> string_to_delta(u'60m')
795
>>> string_to_delta('60m')
1374
796
datetime.timedelta(0, 3600)
1375
>>> string_to_delta(u'24h')
797
>>> string_to_delta('24h')
1376
798
datetime.timedelta(1)
1377
799
>>> string_to_delta(u'1w')
1378
800
datetime.timedelta(7)
1379
>>> string_to_delta(u'5m 30s')
801
>>> string_to_delta('5m 30s')
1380
802
datetime.timedelta(0, 330)
1381
803
"""
1382
804
timevalue = datetime.timedelta(0)
1395
817
elif suffix == u"w":
1396
818
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1397
819
else:
1398
raise ValueError(u"Unknown suffix %r" % suffix)
1399
except (ValueError, IndexError), e:
1400
raise ValueError(e.message)
820
raise ValueError
821
except (ValueError, IndexError):
822
raise ValueError
1401
823
timevalue += delta
1402
824
return timevalue
1403
825
1404
826
827
def server_state_changed(state):
828
"""Derived from the Avahi example code"""
829
if state == avahi.SERVER_COLLISION:
830
logger.error(u"Zeroconf server name collision")
831
service.remove()
832
elif state == avahi.SERVER_RUNNING:
833
service.add()
834
835
836
def entry_group_state_changed(state, error):
837
"""Derived from the Avahi example code"""
838
logger.debug(u"Avahi state change: %i", state)
839
840
if state == avahi.ENTRY_GROUP_ESTABLISHED:
841
logger.debug(u"Zeroconf service established.")
842
elif state == avahi.ENTRY_GROUP_COLLISION:
843
logger.warning(u"Zeroconf service name collision.")
844
service.rename()
845
elif state == avahi.ENTRY_GROUP_FAILURE:
846
logger.critical(u"Avahi: Error in group state changed %s",
847
unicode(error))
848
raise AvahiGroupError("State changed: %s", str(error))
849
1405
850
def if_nametoindex(interface):
1406
"""Call the C function if_nametoindex(), or equivalent
1407
1408
Note: This function cannot accept a unicode string."""
851
"""Call the C function if_nametoindex(), or equivalent"""
1409
852
global if_nametoindex
1410
853
try:
1411
854
if_nametoindex = (ctypes.cdll.LoadLibrary
1412
(ctypes.util.find_library(u"c"))
855
(ctypes.util.find_library("c"))
1413
856
.if_nametoindex)
1414
857
except (OSError, AttributeError):
1415
logger.warning(u"Doing if_nametoindex the hard way")
858
if "struct" not in sys.modules:
859
import struct
860
if "fcntl" not in sys.modules:
861
import fcntl
1416
862
def if_nametoindex(interface):
1417
863
"Get an interface index the hard way, i.e. using fcntl()"
1418
864
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1419
with contextlib.closing(socket.socket()) as s:
865
with closing(socket.socket()) as s:
1420
866
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1421
struct.pack(str(u"16s16x"),
1422
interface))
1423
interface_index = struct.unpack(str(u"I"),
1424
ifreq[16:20])[0]
867
struct.pack("16s16x", interface))
868
interface_index = struct.unpack("I", ifreq[16:20])[0]
1425
869
return interface_index
1426
870
return if_nametoindex(interface)
1427
871
1428
872
1429
873
def daemon(nochdir = False, noclose = False):
1430
874
"""See daemon(3). Standard BSD Unix function.
1431
1432
875
This should really exist as os.daemon, but it doesn't (yet)."""
1433
876
if os.fork():
1434
877
sys.exit()
1435
878
os.setsid()
1436
879
if not nochdir:
1437
os.chdir(u"/")
880
os.chdir("/")
1438
881
if os.fork():
1439
882
sys.exit()
1440
883
if not noclose:
1442
885
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1443
886
if not stat.S_ISCHR(os.fstat(null).st_mode):
1444
887
raise OSError(errno.ENODEV,
1445
u"%s not a character device"
1446
% os.path.devnull)
888
"/dev/null not a character device")
1447
889
os.dup2(null, sys.stdin.fileno())
1448
890
os.dup2(null, sys.stdout.fileno())
1449
891
os.dup2(null, sys.stderr.fileno())
1452
894
1453
895
1454
896
def main():
1455
1456
##################################################################
1457
# Parsing of options, both command line and config file
1458
1459
parser = optparse.OptionParser(version = "%%prog %s" % version)
1460
parser.add_option("-i", u"--interface", type=u"string",
1461
metavar="IF", help=u"Bind to interface IF")
1462
parser.add_option("-a", u"--address", type=u"string",
1463
help=u"Address to listen for requests on")
1464
parser.add_option("-p", u"--port", type=u"int",
1465
help=u"Port number to receive requests on")
1466
parser.add_option("--check", action=u"store_true",
1467
help=u"Run self-test")
1468
parser.add_option("--debug", action=u"store_true",
1469
help=u"Debug mode; run in foreground and log to"
1470
u" terminal")
1471
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1472
u" priority string (see GnuTLS documentation)")
1473
parser.add_option("--servicename", type=u"string",
1474
metavar=u"NAME", help=u"Zeroconf service name")
1475
parser.add_option("--configdir", type=u"string",
1476
default=u"/etc/mandos", metavar=u"DIR",
1477
help=u"Directory to search for configuration"
1478
u" files")
1479
parser.add_option("--no-dbus", action=u"store_false",
1480
dest=u"use_dbus", help=u"Do not provide D-Bus"
1481
u" system bus interface")
1482
parser.add_option("--no-ipv6", action=u"store_false",
1483
dest=u"use_ipv6", help=u"Do not use IPv6")
897
parser = OptionParser(version = "%%prog %s" % version)
898
parser.add_option("-i", "--interface", type="string",
899
metavar="IF", help="Bind to interface IF")
900
parser.add_option("-a", "--address", type="string",
901
help="Address to listen for requests on")
902
parser.add_option("-p", "--port", type="int",
903
help="Port number to receive requests on")
904
parser.add_option("--check", action="store_true", default=False,
905
help="Run self-test")
906
parser.add_option("--debug", action="store_true",
907
help="Debug mode; run in foreground and log to"
908
" terminal")
909
parser.add_option("--priority", type="string", help="GnuTLS"
910
" priority string (see GnuTLS documentation)")
911
parser.add_option("--servicename", type="string", metavar="NAME",
912
help="Zeroconf service name")
913
parser.add_option("--configdir", type="string",
914
default="/etc/mandos", metavar="DIR",
915
help="Directory to search for configuration"
916
" files")
1484
917
options = parser.parse_args()[0]
1485
918
1486
919
if options.check:
1489
922
sys.exit()
1490
923
1491
924
# Default values for config file for server-global settings
1492
server_defaults = { u"interface": u"",
1493
u"address": u"",
1494
u"port": u"",
1495
u"debug": u"False",
1496
u"priority":
1497
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1498
u"servicename": u"Mandos",
1499
u"use_dbus": u"True",
1500
u"use_ipv6": u"True",
925
server_defaults = { "interface": "",
926
"address": "",
927
"port": "",
928
"debug": "False",
929
"priority":
930
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
931
"servicename": "Mandos",
1501
932
}
1502
933
1503
934
# Parse config file for server-global settings
1504
server_config = configparser.SafeConfigParser(server_defaults)
935
server_config = ConfigParser.SafeConfigParser(server_defaults)
1505
936
del server_defaults
1506
server_config.read(os.path.join(options.configdir,
1507
u"mandos.conf"))
937
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1508
938
# Convert the SafeConfigParser object to a dict
1509
939
server_settings = server_config.defaults()
1510
# Use the appropriate methods on the non-string config options
1511
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1512
server_settings[option] = server_config.getboolean(u"DEFAULT",
1513
option)
1514
if server_settings["port"]:
1515
server_settings["port"] = server_config.getint(u"DEFAULT",
1516
u"port")
940
# Use getboolean on the boolean config option
941
server_settings["debug"] = (server_config.getboolean
942
("DEFAULT", "debug"))
1517
943
del server_config
1518
944
1519
945
# Override the settings from the config file with command line
1520
946
# options, if set.
1521
for option in (u"interface", u"address", u"port", u"debug",
1522
u"priority", u"servicename", u"configdir",
1523
u"use_dbus", u"use_ipv6"):
947
for option in ("interface", "address", "port", "debug",
948
"priority", "servicename", "configdir"):
1524
949
value = getattr(options, option)
1525
950
if value is not None:
1526
951
server_settings[option] = value
1527
952
del options
1528
# Force all strings to be unicode
1529
for option in server_settings.keys():
1530
if type(server_settings[option]) is str:
1531
server_settings[option] = unicode(server_settings[option])
1532
953
# Now we have our good server settings in "server_settings"
1533
954
1534
##################################################################
1535
1536
# For convenience
1537
debug = server_settings[u"debug"]
1538
use_dbus = server_settings[u"use_dbus"]
1539
use_ipv6 = server_settings[u"use_ipv6"]
955
debug = server_settings["debug"]
1540
956
1541
957
if not debug:
1542
958
syslogger.setLevel(logging.WARNING)
1543
959
console.setLevel(logging.WARNING)
1544
960
1545
if server_settings[u"servicename"] != u"Mandos":
961
if server_settings["servicename"] != "Mandos":
1546
962
syslogger.setFormatter(logging.Formatter
1547
(u'Mandos (%s) [%%(process)d]:'
1548
u' %%(levelname)s: %%(message)s'
1549
% server_settings[u"servicename"]))
963
('Mandos (%s): %%(levelname)s:'
964
' %%(message)s'
965
% server_settings["servicename"]))
1550
966
1551
967
# Parse config file with clients
1552
client_defaults = { u"timeout": u"1h",
1553
u"interval": u"5m",
1554
u"checker": u"fping -q -- %%(host)s",
1555
u"host": u"",
968
client_defaults = { "timeout": "1h",
969
"interval": "5m",
970
"checker": "fping -q -- %(host)s",
971
"host": "",
1556
972
}
1557
client_config = configparser.SafeConfigParser(client_defaults)
1558
client_config.read(os.path.join(server_settings[u"configdir"],
1559
u"clients.conf"))
1560
1561
global mandos_dbus_service
1562
mandos_dbus_service = None
1563
1564
tcp_server = MandosServer((server_settings[u"address"],
1565
server_settings[u"port"]),
1566
ClientHandler,
1567
interface=server_settings[u"interface"],
1568
use_ipv6=use_ipv6,
1569
gnutls_priority=
1570
server_settings[u"priority"],
1571
use_dbus=use_dbus)
1572
pidfilename = u"/var/run/mandos.pid"
1573
try:
1574
pidfile = open(pidfilename, u"w")
1575
except IOError:
1576
logger.error(u"Could not open file %r", pidfilename)
1577
1578
try:
1579
uid = pwd.getpwnam(u"_mandos").pw_uid
1580
gid = pwd.getpwnam(u"_mandos").pw_gid
973
client_config = ConfigParser.SafeConfigParser(client_defaults)
974
client_config.read(os.path.join(server_settings["configdir"],
975
"clients.conf"))
976
977
clients = Set()
978
tcp_server = IPv6_TCPServer((server_settings["address"],
979
server_settings["port"]),
980
TCP_handler,
981
settings=server_settings,
982
clients=clients)
983
pidfilename = "/var/run/mandos.pid"
984
try:
985
pidfile = open(pidfilename, "w")
986
except IOError, error:
987
logger.error("Could not open file %r", pidfilename)
988
989
try:
990
uid = pwd.getpwnam("_mandos").pw_uid
1581
991
except KeyError:
1582
992
try:
1583
uid = pwd.getpwnam(u"mandos").pw_uid
1584
gid = pwd.getpwnam(u"mandos").pw_gid
993
uid = pwd.getpwnam("mandos").pw_uid
1585
994
except KeyError:
1586
995
try:
1587
uid = pwd.getpwnam(u"nobody").pw_uid
1588
gid = pwd.getpwnam(u"nobody").pw_gid
996
uid = pwd.getpwnam("nobody").pw_uid
1589
997
except KeyError:
1590
998
uid = 65534
999
try:
1000
gid = pwd.getpwnam("_mandos").pw_gid
1001
except KeyError:
1002
try:
1003
gid = pwd.getpwnam("mandos").pw_gid
1004
except KeyError:
1005
try:
1006
gid = pwd.getpwnam("nogroup").pw_gid
1007
except KeyError:
1591
1008
gid = 65534
1592
1009
try:
1010
os.setuid(uid)
1593
1011
os.setgid(gid)
1594
os.setuid(uid)
1595
1012
except OSError, error:
1596
1013
if error[0] != errno.EPERM:
1597
1014
raise error
1598
1015
1599
# Enable all possible GnuTLS debugging
1600
if debug:
1601
# "Use a log level over 10 to enable all debugging options."
1602
# - GnuTLS manual
1603
gnutls.library.functions.gnutls_global_set_log_level(11)
1604
1605
@gnutls.library.types.gnutls_log_func
1606
def debug_gnutls(level, string):
1607
logger.debug(u"GnuTLS: %s", string[:-1])
1608
1609
(gnutls.library.functions
1610
.gnutls_global_set_log_function(debug_gnutls))
1016
global service
1017
service = AvahiService(name = server_settings["servicename"],
1018
servicetype = "_mandos._tcp", )
1019
if server_settings["interface"]:
1020
service.interface = (if_nametoindex
1021
(server_settings["interface"]))
1611
1022
1612
1023
global main_loop
1024
global bus
1025
global server
1613
1026
# From the Avahi example code
1614
1027
DBusGMainLoop(set_as_default=True )
1615
1028
main_loop = gobject.MainLoop()
1616
1029
bus = dbus.SystemBus()
1030
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1031
avahi.DBUS_PATH_SERVER),
1032
avahi.DBUS_INTERFACE_SERVER)
1617
1033
# End of Avahi example code
1618
if use_dbus:
1619
try:
1620
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1621
bus, do_not_queue=True)
1622
except dbus.exceptions.NameExistsException, e:
1623
logger.error(unicode(e) + u", disabling D-Bus")
1624
use_dbus = False
1625
server_settings[u"use_dbus"] = False
1626
tcp_server.use_dbus = False
1627
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1628
service = AvahiService(name = server_settings[u"servicename"],
1629
servicetype = u"_mandos._tcp",
1630
protocol = protocol, bus = bus)
1631
if server_settings["interface"]:
1632
service.interface = (if_nametoindex
1633
(str(server_settings[u"interface"])))
1034
bus_name = dbus.service.BusName(u"org.mandos-system.Mandos", bus)
1634
1035
1635
client_class = Client
1636
if use_dbus:
1637
client_class = functools.partial(ClientDBus, bus = bus)
1638
tcp_server.clients.update(set(
1639
client_class(name = section,
1640
config= dict(client_config.items(section)))
1641
for section in client_config.sections()))
1642
if not tcp_server.clients:
1643
logger.warning(u"No clients defined")
1036
clients.update(Set(Client(name = section,
1037
config
1038
= dict(client_config.items(section)))
1039
for section in client_config.sections()))
1040
if not clients:
1041
logger.critical(u"No clients defined")
1042
sys.exit(1)
1644
1043
1645
1044
if debug:
1646
1045
# Redirect stdin so all checkers get /dev/null
1655
1054
daemon()
1656
1055
1657
1056
try:
1658
with pidfile:
1659
pid = os.getpid()
1660
pidfile.write(str(pid) + "\n")
1057
pid = os.getpid()
1058
pidfile.write(str(pid) + "\n")
1059
pidfile.close()
1661
1060
del pidfile
1662
1061
except IOError:
1663
1062
logger.error(u"Could not write to file %r with PID %d",
1667
1066
pass
1668
1067
del pidfilename
1669
1068
1069
def cleanup():
1070
"Cleanup function; run on exit"
1071
global group
1072
# From the Avahi example code
1073
if not group is None:
1074
group.Free()
1075
group = None
1076
# End of Avahi example code
1077
1078
while clients:
1079
client = clients.pop()
1080
client.stop_hook = None
1081
client.stop()
1082
1083
atexit.register(cleanup)
1084
1670
1085
if not debug:
1671
1086
signal.signal(signal.SIGINT, signal.SIG_IGN)
1672
1087
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1673
1088
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1674
1089
1675
if use_dbus:
1676
class MandosDBusService(dbus.service.Object):
1677
"""A D-Bus proxy object"""
1678
def __init__(self):
1679
dbus.service.Object.__init__(self, bus, u"/")
1680
_interface = u"se.bsnet.fukt.Mandos"
1681
1682
@dbus.service.signal(_interface, signature=u"o")
1683
def ClientAdded(self, objpath):
1684
"D-Bus signal"
1685
pass
1686
1687
@dbus.service.signal(_interface, signature=u"ss")
1688
def ClientNotFound(self, fingerprint, address):
1689
"D-Bus signal"
1690
pass
1691
1692
@dbus.service.signal(_interface, signature=u"os")
1693
def ClientRemoved(self, objpath, name):
1694
"D-Bus signal"
1695
pass
1696
1697
@dbus.service.method(_interface, out_signature=u"ao")
1698
def GetAllClients(self):
1699
"D-Bus method"
1700
return dbus.Array(c.dbus_object_path
1701
for c in tcp_server.clients)
1702
1703
@dbus.service.method(_interface,
1704
out_signature=u"a{oa{sv}}")
1705
def GetAllClientsWithProperties(self):
1706
"D-Bus method"
1707
return dbus.Dictionary(
1708
((c.dbus_object_path, c.GetAll(u""))
1709
for c in tcp_server.clients),
1710
signature=u"oa{sv}")
1711
1712
@dbus.service.method(_interface, in_signature=u"o")
1713
def RemoveClient(self, object_path):
1714
"D-Bus method"
1715
for c in tcp_server.clients:
1716
if c.dbus_object_path == object_path:
1717
tcp_server.clients.remove(c)
1718
c.remove_from_connection()
1719
# Don't signal anything except ClientRemoved
1720
c.disable(quiet=True)
1721
# Emit D-Bus signal
1722
self.ClientRemoved(object_path, c.name)
1723
return
1724
raise KeyError(object_path)
1725
1726
del _interface
1727
1728
mandos_dbus_service = MandosDBusService()
1729
1730
def cleanup():
1731
"Cleanup function; run on exit"
1732
service.cleanup()
1733
1734
while tcp_server.clients:
1735
client = tcp_server.clients.pop()
1736
if use_dbus:
1737
client.remove_from_connection()
1738
client.disable_hook = None
1739
# Don't signal anything except ClientRemoved
1740
client.disable(quiet=True)
1741
if use_dbus:
1742
# Emit D-Bus signal
1743
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1744
client.name)
1745
1746
atexit.register(cleanup)
1747
1748
for client in tcp_server.clients:
1749
if use_dbus:
1750
# Emit D-Bus signal
1751
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1752
client.enable()
1090
class MandosServer(dbus.service.Object):
1091
"""A D-Bus proxy object"""
1092
def __init__(self):
1093
dbus.service.Object.__init__(self, bus,
1094
"/Mandos")
1095
_interface = u"org.mandos_system.Mandos"
1096
1097
@dbus.service.signal(_interface, signature="oa{sv}")
1098
def ClientAdded(self, objpath, properties):
1099
"D-Bus signal"
1100
pass
1101
1102
@dbus.service.signal(_interface, signature="o")
1103
def ClientRemoved(self, objpath):
1104
"D-Bus signal"
1105
pass
1106
1107
@dbus.service.method(_interface, out_signature="ao")
1108
def GetAllClients(self):
1109
return dbus.Array(c.dbus_object_path for c in clients)
1110
1111
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1112
def GetAllClientsWithProperties(self):
1113
return dbus.Dictionary(
1114
((c.dbus_object_path, c.GetAllProperties())
1115
for c in clients),
1116
signature="oa{sv}")
1117
1118
@dbus.service.method(_interface, in_signature="o")
1119
def RemoveClient(self, object_path):
1120
for c in clients:
1121
if c.dbus_object_path == object_path:
1122
c.stop()
1123
clients.remove(c)
1124
return
1125
raise KeyError
1126
1127
del _interface
1128
1129
mandos_server = MandosServer()
1130
1131
for client in clients:
1132
# Emit D-Bus signal
1133
mandos_server.ClientAdded(client.dbus_object_path,
1134
client.GetAllProperties())
1135
client.start()
1753
1136
1754
1137
tcp_server.enable()
1755
1138
tcp_server.server_activate()
1756
1139
1757
1140
# Find out what port we got
1758
1141
service.port = tcp_server.socket.getsockname()[1]
1759
if use_ipv6:
1760
logger.info(u"Now listening on address %r, port %d,"
1761
" flowinfo %d, scope_id %d"
1762
% tcp_server.socket.getsockname())
1763
else: # IPv4
1764
logger.info(u"Now listening on address %r, port %d"
1765
% tcp_server.socket.getsockname())
1142
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1143
u" scope_id %d" % tcp_server.socket.getsockname())
1766
1144
1767
1145
#service.interface = tcp_server.socket.getsockname()[3]
1768
1146
1769
1147
try:
1770
1148
# From the Avahi example code
1149
server.connect_to_signal("StateChanged", server_state_changed)
1771
1150
try:
1772
service.activate()
1151
server_state_changed(server.GetState())
1773
1152
except dbus.exceptions.DBusException, error:
1774
1153
logger.critical(u"DBusException: %s", error)
1775
cleanup()
1776
1154
sys.exit(1)
1777
1155
# End of Avahi example code
1778
1156
1784
1162
logger.debug(u"Starting main loop")
1785
1163
main_loop.run()
1786
1164
except AvahiError, error:
1787
logger.critical(u"AvahiError: %s", error)
1788
cleanup()
1165
logger.critical(u"AvahiError: %s" + unicode(error))
1789
1166
sys.exit(1)
1790
1167
except KeyboardInterrupt:
1791
1168
if debug:
1792
print >> sys.stderr
1793
logger.debug(u"Server received KeyboardInterrupt")
1794
logger.debug(u"Server exiting")
1795
# Must run before the D-Bus bus name gets deregistered
1796
cleanup()
1169
print
1797
1170
1798
1171
if __name__ == '__main__':
1799
1172
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0