146
124
self.rename_count = 0
147
125
self.max_renames = max_renames
148
self.protocol = protocol
149
self.group = None # our entry group
152
126
def rename(self):
153
127
"""Derived from the Avahi example code"""
154
128
if self.rename_count >= self.max_renames:
155
129
logger.critical(u"No suitable Zeroconf service name found"
156
130
u" after %i retries, exiting.",
157
131
self.rename_count)
158
raise AvahiServiceError(u"Too many renames")
159
self.name = self.server.GetAlternativeServiceName(self.name)
132
raise AvahiServiceError("Too many renames")
133
self.name = server.GetAlternativeServiceName(self.name)
160
134
logger.info(u"Changing Zeroconf service name to %r ...",
162
136
syslogger.setFormatter(logging.Formatter
163
(u'Mandos (%s) [%%(process)d]:'
164
u' %%(levelname)s: %%(message)s'
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
168
141
self.rename_count += 1
169
142
def remove(self):
170
143
"""Derived from the Avahi example code"""
171
if self.group is not None:
144
if group is not None:
174
147
"""Derived from the Avahi example code"""
175
if self.group is None:
176
self.group = dbus.Interface(
177
self.bus.get_object(avahi.DBUS_NAME,
178
self.server.EntryGroupNew()),
179
avahi.DBUS_INTERFACE_ENTRY_GROUP)
180
self.group.connect_to_signal('StateChanged',
182
.entry_group_state_changed)
150
group = dbus.Interface(bus.get_object
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
183
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
184
self.name, self.type)
185
self.group.AddService(
188
dbus.UInt32(0), # flags
189
self.name, self.type,
190
self.domain, self.host,
191
dbus.UInt16(self.port),
192
avahi.string_array_to_txt_array(self.TXT))
194
def entry_group_state_changed(self, state, error):
195
"""Derived from the Avahi example code"""
196
logger.debug(u"Avahi state change: %i", state)
198
if state == avahi.ENTRY_GROUP_ESTABLISHED:
199
logger.debug(u"Zeroconf service established.")
200
elif state == avahi.ENTRY_GROUP_COLLISION:
201
logger.warning(u"Zeroconf service name collision.")
203
elif state == avahi.ENTRY_GROUP_FAILURE:
204
logger.critical(u"Avahi: Error in group state changed %s",
206
raise AvahiGroupError(u"State changed: %s"
209
"""Derived from the Avahi example code"""
210
if self.group is not None:
213
def server_state_changed(self, state):
214
"""Derived from the Avahi example code"""
215
if state == avahi.SERVER_COLLISION:
216
logger.error(u"Zeroconf server name collision")
218
elif state == avahi.SERVER_RUNNING:
221
"""Derived from the Avahi example code"""
222
if self.server is None:
223
self.server = dbus.Interface(
224
self.bus.get_object(avahi.DBUS_NAME,
225
avahi.DBUS_PATH_SERVER),
226
avahi.DBUS_INTERFACE_SERVER)
227
self.server.connect_to_signal(u"StateChanged",
228
self.server_state_changed)
229
self.server_state_changed(self.server.GetState())
232
class Client(object):
157
service.name, service.type)
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
168
# From the Avahi example code:
169
group = None # our entry group
170
# End of Avahi example code
173
def _datetime_to_dbus_struct(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus struct.
175
The format is special to this application, since we could not find
176
any other standard way."""
177
return dbus.Struct((dbus.Int16(dt.year),
181
dbus.Byte(dt.minute),
182
dbus.Byte(dt.second),
183
dbus.UInt32(dt.microsecond)),
185
variant_level=variant_level)
188
class Client(dbus.service.Object):
233
189
"""A representation of a client host served by this server.
236
name: string; from the config file, used in log messages and
191
name: string; from the config file, used in log messages
238
192
fingerprint: string (40 or 32 hexadecimal digits); used to
239
193
uniquely identify the client
240
194
secret: bytestring; sent verbatim (over TLS) to client
241
195
host: string; available for use by the checker command
242
196
created: datetime.datetime(); (UTC) object creation
243
last_enabled: datetime.datetime(); (UTC)
197
last_started: datetime.datetime(); (UTC)
245
199
last_checked_ok: datetime.datetime(); (UTC) or None
246
200
timeout: datetime.timedelta(); How long from last_checked_ok
247
until this client is disabled
201
until this client is invalid
248
202
interval: datetime.timedelta(); How often to start a new checker
249
disable_hook: If set, called by disable() as disable_hook(self)
203
stop_hook: If set, called by stop() as stop_hook(self)
250
204
checker: subprocess.Popen(); a running checker process used
251
205
to see if the client lives.
252
206
'None' if no process is running.
253
207
checker_initiator_tag: a gobject event source tag, or None
254
disable_initiator_tag: - '' -
208
stop_initiator_tag: - '' -
255
209
checker_callback_tag: - '' -
256
210
checker_command: string; External command which is run to check if
257
211
client lives. %() expansions are done at
258
212
runtime with vars(self) as dict, so that for
259
213
instance %(name)s can be used in the command.
260
current_checker_command: string; current running checker_command
214
dbus_object_path: dbus.ObjectPath
216
_timeout: Real variable for 'timeout'
217
_interval: Real variable for 'interval'
218
_timeout_milliseconds: Used when calling gobject.timeout_add()
219
_interval_milliseconds: - '' -
264
def _timedelta_to_milliseconds(td):
265
"Convert a datetime.timedelta() to milliseconds"
266
return ((td.days * 24 * 60 * 60 * 1000)
267
+ (td.seconds * 1000)
268
+ (td.microseconds // 1000))
270
def timeout_milliseconds(self):
271
"Return the 'timeout' attribute in milliseconds"
272
return self._timedelta_to_milliseconds(self.timeout)
274
def interval_milliseconds(self):
275
"Return the 'interval' attribute in milliseconds"
276
return self._timedelta_to_milliseconds(self.interval)
278
def __init__(self, name = None, disable_hook=None, config=None):
221
def _set_timeout(self, timeout):
222
"Setter function for the 'timeout' attribute"
223
self._timeout = timeout
224
self._timeout_milliseconds = ((self.timeout.days
225
* 24 * 60 * 60 * 1000)
226
+ (self.timeout.seconds * 1000)
227
+ (self.timeout.microseconds
230
self.PropertyChanged(dbus.String(u"timeout"),
231
(dbus.UInt64(self._timeout_milliseconds,
233
timeout = property(lambda self: self._timeout, _set_timeout)
236
def _set_interval(self, interval):
237
"Setter function for the 'interval' attribute"
238
self._interval = interval
239
self._interval_milliseconds = ((self.interval.days
240
* 24 * 60 * 60 * 1000)
241
+ (self.interval.seconds
243
+ (self.interval.microseconds
246
self.PropertyChanged(dbus.String(u"interval"),
247
(dbus.UInt64(self._interval_milliseconds,
249
interval = property(lambda self: self._interval, _set_interval)
252
def __init__(self, name = None, stop_hook=None, config=None):
279
253
"""Note: the 'checker' key in 'config' sets the
280
254
'checker_command' attribute and *not* the 'checker'
256
self.dbus_object_path = (dbus.ObjectPath
258
+ name.replace(".", "_")))
259
dbus.service.Object.__init__(self, bus,
260
self.dbus_object_path)
283
261
if config is None:
285
264
logger.debug(u"Creating client %r", self.name)
286
265
# Uppercase and remove spaces from fingerprint for later
287
266
# comparison purposes with return value from the fingerprint()
289
self.fingerprint = (config[u"fingerprint"].upper()
268
self.fingerprint = (config["fingerprint"].upper()
290
269
.replace(u" ", u""))
291
270
logger.debug(u" Fingerprint: %s", self.fingerprint)
292
if u"secret" in config:
293
self.secret = config[u"secret"].decode(u"base64")
294
elif u"secfile" in config:
295
with open(os.path.expanduser(os.path.expandvars
296
(config[u"secfile"])),
271
if "secret" in config:
272
self.secret = config["secret"].decode(u"base64")
273
elif "secfile" in config:
274
with closing(open(os.path.expanduser
276
(config["secfile"])))) as secfile:
298
277
self.secret = secfile.read()
300
279
raise TypeError(u"No secret or secfile for client %s"
302
self.host = config.get(u"host", u"")
281
self.host = config.get("host", "")
303
282
self.created = datetime.datetime.utcnow()
305
self.last_enabled = None
284
self.last_started = None
306
285
self.last_checked_ok = None
307
self.timeout = string_to_delta(config[u"timeout"])
308
self.interval = string_to_delta(config[u"interval"])
309
self.disable_hook = disable_hook
286
self.timeout = string_to_delta(config["timeout"])
287
self.interval = string_to_delta(config["interval"])
288
self.stop_hook = stop_hook
310
289
self.checker = None
311
290
self.checker_initiator_tag = None
312
self.disable_initiator_tag = None
291
self.stop_initiator_tag = None
313
292
self.checker_callback_tag = None
314
self.checker_command = config[u"checker"]
315
self.current_checker_command = None
316
self.last_connect = None
293
self.checker_command = config["checker"]
319
296
"""Start this client's checker and timeout hooks"""
320
if getattr(self, u"enabled", False):
323
self.last_enabled = datetime.datetime.utcnow()
297
self.last_started = datetime.datetime.utcnow()
324
298
# Schedule a new checker to be started an 'interval' from now,
325
299
# and every interval from then on.
326
300
self.checker_initiator_tag = (gobject.timeout_add
327
(self.interval_milliseconds(),
301
(self._interval_milliseconds,
328
302
self.start_checker))
329
# Schedule a disable() when 'timeout' has passed
330
self.disable_initiator_tag = (gobject.timeout_add
331
(self.timeout_milliseconds(),
334
303
# Also start a new checker *right now*.
335
304
self.start_checker()
305
# Schedule a stop() when 'timeout' has passed
306
self.stop_initiator_tag = (gobject.timeout_add
307
(self._timeout_milliseconds,
311
self.PropertyChanged(dbus.String(u"started"),
312
dbus.Boolean(True, variant_level=1))
313
self.PropertyChanged(dbus.String(u"last_started"),
314
(_datetime_to_dbus_struct
315
(self.last_started, variant_level=1)))
337
def disable(self, quiet=True):
338
"""Disable this client."""
339
if not getattr(self, "enabled", False):
318
"""Stop this client."""
319
if not getattr(self, "started", False):
342
logger.info(u"Disabling client %s", self.name)
343
if getattr(self, u"disable_initiator_tag", False):
344
gobject.source_remove(self.disable_initiator_tag)
345
self.disable_initiator_tag = None
346
if getattr(self, u"checker_initiator_tag", False):
321
logger.info(u"Stopping client %s", self.name)
322
if getattr(self, "stop_initiator_tag", False):
323
gobject.source_remove(self.stop_initiator_tag)
324
self.stop_initiator_tag = None
325
if getattr(self, "checker_initiator_tag", False):
347
326
gobject.source_remove(self.checker_initiator_tag)
348
327
self.checker_initiator_tag = None
349
328
self.stop_checker()
350
if self.disable_hook:
351
self.disable_hook(self)
333
self.PropertyChanged(dbus.String(u"started"),
334
dbus.Boolean(False, variant_level=1))
353
335
# Do not run this again if called by a gobject.timeout_add
356
338
def __del__(self):
357
self.disable_hook = None
339
self.stop_hook = None
360
342
def checker_callback(self, pid, condition, command):
361
343
"""The checker has completed, so take appropriate actions."""
362
344
self.checker_callback_tag = None
363
345
self.checker = None
364
if os.WIFEXITED(condition):
365
exitstatus = os.WEXITSTATUS(condition)
367
logger.info(u"Checker for %(name)s succeeded",
371
logger.info(u"Checker for %(name)s failed",
347
self.PropertyChanged(dbus.String(u"checker_running"),
348
dbus.Boolean(False, variant_level=1))
349
if (os.WIFEXITED(condition)
350
and (os.WEXITSTATUS(condition) == 0)):
351
logger.info(u"Checker for %(name)s succeeded",
354
self.CheckerCompleted(dbus.Boolean(True),
355
dbus.UInt16(condition),
356
dbus.String(command))
358
elif not os.WIFEXITED(condition):
374
359
logger.warning(u"Checker for %(name)s crashed?",
362
self.CheckerCompleted(dbus.Boolean(False),
363
dbus.UInt16(condition),
364
dbus.String(command))
366
logger.info(u"Checker for %(name)s failed",
369
self.CheckerCompleted(dbus.Boolean(False),
370
dbus.UInt16(condition),
371
dbus.String(command))
377
def checked_ok(self):
373
def bump_timeout(self):
378
374
"""Bump up the timeout for this client.
380
375
This should only be called when the client has been seen,
383
378
self.last_checked_ok = datetime.datetime.utcnow()
384
gobject.source_remove(self.disable_initiator_tag)
385
self.disable_initiator_tag = (gobject.timeout_add
386
(self.timeout_milliseconds(),
379
gobject.source_remove(self.stop_initiator_tag)
380
self.stop_initiator_tag = (gobject.timeout_add
381
(self._timeout_milliseconds,
383
self.PropertyChanged(dbus.String(u"last_checked_ok"),
384
(_datetime_to_dbus_struct
385
(self.last_checked_ok,
389
388
def start_checker(self):
390
389
"""Start a new checker subprocess if one is not running.
392
390
If a checker already exists, leave it running and do
394
392
# The reason for not killing a running checker is that if we
464
441
if self.checker_callback_tag:
465
442
gobject.source_remove(self.checker_callback_tag)
466
443
self.checker_callback_tag = None
467
if getattr(self, u"checker", None) is None:
444
if getattr(self, "checker", None) is None:
469
446
logger.debug(u"Stopping checker for %(name)s", vars(self))
471
448
os.kill(self.checker.pid, signal.SIGTERM)
473
450
#if self.checker.poll() is None:
474
451
# os.kill(self.checker.pid, signal.SIGKILL)
475
452
except OSError, error:
476
453
if error.errno != errno.ESRCH: # No such process
478
455
self.checker = None
481
def dbus_service_property(dbus_interface, signature=u"v",
482
access=u"readwrite", byte_arrays=False):
483
"""Decorators for marking methods of a DBusObjectWithProperties to
484
become properties on the D-Bus.
486
The decorated method will be called with no arguments by "Get"
487
and with one argument by "Set".
489
The parameters, where they are supported, are the same as
490
dbus.service.method, except there is only "signature", since the
491
type from Get() and the type sent to Set() is the same.
493
# Encoding deeply encoded byte arrays is not supported yet by the
494
# "Set" method, so we fail early here:
495
if byte_arrays and signature != u"ay":
496
raise ValueError(u"Byte arrays not supported for non-'ay'"
497
u" signature %r" % signature)
499
func._dbus_is_property = True
500
func._dbus_interface = dbus_interface
501
func._dbus_signature = signature
502
func._dbus_access = access
503
func._dbus_name = func.__name__
504
if func._dbus_name.endswith(u"_dbus_property"):
505
func._dbus_name = func._dbus_name[:-14]
506
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
511
class DBusPropertyException(dbus.exceptions.DBusException):
512
"""A base class for D-Bus property-related exceptions
514
def __unicode__(self):
515
return unicode(str(self))
518
class DBusPropertyAccessException(DBusPropertyException):
519
"""A property's access permissions disallows an operation.
524
class DBusPropertyNotFound(DBusPropertyException):
525
"""An attempt was made to access a non-existing property.
530
class DBusObjectWithProperties(dbus.service.Object):
531
"""A D-Bus object with properties.
533
Classes inheriting from this can use the dbus_service_property
534
decorator to expose methods as D-Bus properties. It exposes the
535
standard Get(), Set(), and GetAll() methods on the D-Bus.
539
def _is_dbus_property(obj):
540
return getattr(obj, u"_dbus_is_property", False)
542
def _get_all_dbus_properties(self):
543
"""Returns a generator of (name, attribute) pairs
545
return ((prop._dbus_name, prop)
547
inspect.getmembers(self, self._is_dbus_property))
549
def _get_dbus_property(self, interface_name, property_name):
550
"""Returns a bound method if one exists which is a D-Bus
551
property with the specified name and interface.
553
for name in (property_name,
554
property_name + u"_dbus_property"):
555
prop = getattr(self, name, None)
557
or not self._is_dbus_property(prop)
558
or prop._dbus_name != property_name
559
or (interface_name and prop._dbus_interface
560
and interface_name != prop._dbus_interface)):
564
raise DBusPropertyNotFound(self.dbus_object_path + u":"
565
+ interface_name + u"."
568
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
570
def Get(self, interface_name, property_name):
571
"""Standard D-Bus property Get() method, see D-Bus standard.
573
prop = self._get_dbus_property(interface_name, property_name)
574
if prop._dbus_access == u"write":
575
raise DBusPropertyAccessException(property_name)
577
if not hasattr(value, u"variant_level"):
579
return type(value)(value, variant_level=value.variant_level+1)
581
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
582
def Set(self, interface_name, property_name, value):
583
"""Standard D-Bus property Set() method, see D-Bus standard.
585
prop = self._get_dbus_property(interface_name, property_name)
586
if prop._dbus_access == u"read":
587
raise DBusPropertyAccessException(property_name)
588
if prop._dbus_get_args_options[u"byte_arrays"]:
589
# The byte_arrays option is not supported yet on
590
# signatures other than "ay".
591
if prop._dbus_signature != u"ay":
593
value = dbus.ByteArray(''.join(unichr(byte)
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
598
out_signature=u"a{sv}")
599
def GetAll(self, interface_name):
600
"""Standard D-Bus property GetAll() method, see D-Bus
603
Note: Will not include properties with access="write".
606
for name, prop in self._get_all_dbus_properties():
608
and interface_name != prop._dbus_interface):
609
# Interface non-empty but did not match
611
# Ignore write-only properties
612
if prop._dbus_access == u"write":
615
if not hasattr(value, u"variant_level"):
618
all[name] = type(value)(value, variant_level=
619
value.variant_level+1)
620
return dbus.Dictionary(all, signature=u"sv")
622
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
624
path_keyword='object_path',
625
connection_keyword='connection')
626
def Introspect(self, object_path, connection):
627
"""Standard D-Bus method, overloaded to insert property tags.
629
xmlstring = dbus.service.Object.Introspect(self, object_path,
632
document = xml.dom.minidom.parseString(xmlstring)
633
def make_tag(document, name, prop):
634
e = document.createElement(u"property")
635
e.setAttribute(u"name", name)
636
e.setAttribute(u"type", prop._dbus_signature)
637
e.setAttribute(u"access", prop._dbus_access)
639
for if_tag in document.getElementsByTagName(u"interface"):
640
for tag in (make_tag(document, name, prop)
642
in self._get_all_dbus_properties()
643
if prop._dbus_interface
644
== if_tag.getAttribute(u"name")):
645
if_tag.appendChild(tag)
646
# Add the names to the return values for the
647
# "org.freedesktop.DBus.Properties" methods
648
if (if_tag.getAttribute(u"name")
649
== u"org.freedesktop.DBus.Properties"):
650
for cn in if_tag.getElementsByTagName(u"method"):
651
if cn.getAttribute(u"name") == u"Get":
652
for arg in cn.getElementsByTagName(u"arg"):
653
if (arg.getAttribute(u"direction")
655
arg.setAttribute(u"name", u"value")
656
elif cn.getAttribute(u"name") == u"GetAll":
657
for arg in cn.getElementsByTagName(u"arg"):
658
if (arg.getAttribute(u"direction")
660
arg.setAttribute(u"name", u"props")
661
xmlstring = document.toxml(u"utf-8")
663
except (AttributeError, xml.dom.DOMException,
664
xml.parsers.expat.ExpatError), error:
665
logger.error(u"Failed to override Introspection method",
670
class ClientDBus(Client, DBusObjectWithProperties):
671
"""A Client class using D-Bus
674
dbus_object_path: dbus.ObjectPath
675
bus: dbus.SystemBus()
677
# dbus.service.Object doesn't use super(), so we can't either.
679
def __init__(self, bus = None, *args, **kwargs):
681
Client.__init__(self, *args, **kwargs)
682
# Only now, when this client is initialized, can it show up on
684
self.dbus_object_path = (dbus.ObjectPath
686
+ self.name.replace(u".", u"_")))
687
DBusObjectWithProperties.__init__(self, self.bus,
688
self.dbus_object_path)
691
def _datetime_to_dbus(dt, variant_level=0):
692
"""Convert a UTC datetime.datetime() to a D-Bus type."""
693
return dbus.String(dt.isoformat(),
694
variant_level=variant_level)
697
oldstate = getattr(self, u"enabled", False)
698
r = Client.enable(self)
699
if oldstate != self.enabled:
701
self.PropertyChanged(dbus.String(u"enabled"),
702
dbus.Boolean(True, variant_level=1))
703
self.PropertyChanged(
704
dbus.String(u"last_enabled"),
705
self._datetime_to_dbus(self.last_enabled,
709
def disable(self, quiet = False):
710
oldstate = getattr(self, u"enabled", False)
711
r = Client.disable(self, quiet=quiet)
712
if not quiet and oldstate != self.enabled:
714
self.PropertyChanged(dbus.String(u"enabled"),
715
dbus.Boolean(False, variant_level=1))
718
def __del__(self, *args, **kwargs):
720
self.remove_from_connection()
723
if hasattr(DBusObjectWithProperties, u"__del__"):
724
DBusObjectWithProperties.__del__(self, *args, **kwargs)
725
Client.__del__(self, *args, **kwargs)
727
def checker_callback(self, pid, condition, command,
729
self.checker_callback_tag = None
732
456
self.PropertyChanged(dbus.String(u"checker_running"),
733
457
dbus.Boolean(False, variant_level=1))
734
if os.WIFEXITED(condition):
735
exitstatus = os.WEXITSTATUS(condition)
737
self.CheckerCompleted(dbus.Int16(exitstatus),
738
dbus.Int64(condition),
739
dbus.String(command))
742
self.CheckerCompleted(dbus.Int16(-1),
743
dbus.Int64(condition),
744
dbus.String(command))
746
return Client.checker_callback(self, pid, condition, command,
749
def checked_ok(self, *args, **kwargs):
750
r = Client.checked_ok(self, *args, **kwargs)
752
self.PropertyChanged(
753
dbus.String(u"last_checked_ok"),
754
(self._datetime_to_dbus(self.last_checked_ok,
758
def start_checker(self, *args, **kwargs):
759
old_checker = self.checker
760
if self.checker is not None:
761
old_checker_pid = self.checker.pid
763
old_checker_pid = None
764
r = Client.start_checker(self, *args, **kwargs)
765
# Only if new checker process was started
766
if (self.checker is not None
767
and old_checker_pid != self.checker.pid):
769
self.CheckerStarted(self.current_checker_command)
770
self.PropertyChanged(
771
dbus.String(u"checker_running"),
772
dbus.Boolean(True, variant_level=1))
775
def stop_checker(self, *args, **kwargs):
776
old_checker = getattr(self, u"checker", None)
777
r = Client.stop_checker(self, *args, **kwargs)
778
if (old_checker is not None
779
and getattr(self, u"checker", None) is None):
780
self.PropertyChanged(dbus.String(u"checker_running"),
781
dbus.Boolean(False, variant_level=1))
784
## D-Bus methods, signals & properties
785
_interface = u"se.bsnet.fukt.Mandos.Client"
459
def still_valid(self):
460
"""Has the timeout not yet passed for this client?"""
461
if not getattr(self, "started", False):
463
now = datetime.datetime.utcnow()
464
if self.last_checked_ok is None:
465
return now < (self.created + self.timeout)
467
return now < (self.last_checked_ok + self.timeout)
469
## D-Bus methods & signals
470
_interface = u"org.mandos_system.Mandos.Client"
472
# BumpTimeout - method
473
BumpTimeout = dbus.service.method(_interface)(bump_timeout)
474
BumpTimeout.__name__ = "BumpTimeout"
789
476
# CheckerCompleted - signal
790
@dbus.service.signal(_interface, signature=u"nxs")
791
def CheckerCompleted(self, exitcode, waitstatus, command):
477
@dbus.service.signal(_interface, signature="bqs")
478
def CheckerCompleted(self, success, condition, command):
795
482
# CheckerStarted - signal
796
@dbus.service.signal(_interface, signature=u"s")
483
@dbus.service.signal(_interface, signature="s")
797
484
def CheckerStarted(self, command):
488
# GetAllProperties - method
489
@dbus.service.method(_interface, out_signature="a{sv}")
490
def GetAllProperties(self):
492
return dbus.Dictionary({
494
dbus.String(self.name, variant_level=1),
495
dbus.String("fingerprint"):
496
dbus.String(self.fingerprint, variant_level=1),
498
dbus.String(self.host, variant_level=1),
499
dbus.String("created"):
500
_datetime_to_dbus_struct(self.created,
502
dbus.String("last_started"):
503
(_datetime_to_dbus_struct(self.last_started,
505
if self.last_started is not None
506
else dbus.Boolean(False, variant_level=1)),
507
dbus.String("started"):
508
dbus.Boolean(self.started, variant_level=1),
509
dbus.String("last_checked_ok"):
510
(_datetime_to_dbus_struct(self.last_checked_ok,
512
if self.last_checked_ok is not None
513
else dbus.Boolean (False, variant_level=1)),
514
dbus.String("timeout"):
515
dbus.UInt64(self._timeout_milliseconds,
517
dbus.String("interval"):
518
dbus.UInt64(self._interval_milliseconds,
520
dbus.String("checker"):
521
dbus.String(self.checker_command,
523
dbus.String("checker_running"):
524
dbus.Boolean(self.checker is not None,
528
# IsStillValid - method
529
IsStillValid = (dbus.service.method(_interface, out_signature="b")
531
IsStillValid.__name__ = "IsStillValid"
801
533
# PropertyChanged - signal
802
@dbus.service.signal(_interface, signature=u"sv")
534
@dbus.service.signal(_interface, signature="sv")
803
535
def PropertyChanged(self, property, value):
808
@dbus.service.signal(_interface)
814
@dbus.service.signal(_interface)
822
@dbus.service.method(_interface)
824
return self.checked_ok()
827
@dbus.service.method(_interface)
539
# SetChecker - method
540
@dbus.service.method(_interface, in_signature="s")
541
def SetChecker(self, checker):
542
"D-Bus setter method"
543
self.checker_command = checker
546
@dbus.service.method(_interface, in_signature="s")
547
def SetHost(self, host):
548
"D-Bus setter method"
551
# SetInterval - method
552
@dbus.service.method(_interface, in_signature="t")
553
def SetInterval(self, milliseconds):
554
self.interval = datetime.timdeelta(0, 0, 0, milliseconds)
557
@dbus.service.method(_interface, in_signature="ay",
559
def SetSecret(self, secret):
560
"D-Bus setter method"
561
self.secret = str(secret)
563
# SetTimeout - method
564
@dbus.service.method(_interface, in_signature="t")
565
def SetTimeout(self, milliseconds):
566
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
569
Start = dbus.service.method(_interface)(start)
570
Start.__name__ = "Start"
832
572
# StartChecker - method
833
573
@dbus.service.method(_interface)
836
576
self.start_checker()
839
579
@dbus.service.method(_interface)
844
584
# StopChecker - method
845
@dbus.service.method(_interface)
846
def StopChecker(self):
852
@dbus_service_property(_interface, signature=u"s", access=u"read")
853
def name_dbus_property(self):
854
return dbus.String(self.name)
856
# fingerprint - property
857
@dbus_service_property(_interface, signature=u"s", access=u"read")
858
def fingerprint_dbus_property(self):
859
return dbus.String(self.fingerprint)
862
@dbus_service_property(_interface, signature=u"s",
864
def host_dbus_property(self, value=None):
865
if value is None: # get
866
return dbus.String(self.host)
869
self.PropertyChanged(dbus.String(u"host"),
870
dbus.String(value, variant_level=1))
873
@dbus_service_property(_interface, signature=u"s", access=u"read")
874
def created_dbus_property(self):
875
return dbus.String(self._datetime_to_dbus(self.created))
877
# last_enabled - property
878
@dbus_service_property(_interface, signature=u"s", access=u"read")
879
def last_enabled_dbus_property(self):
880
if self.last_enabled is None:
881
return dbus.String(u"")
882
return dbus.String(self._datetime_to_dbus(self.last_enabled))
885
@dbus_service_property(_interface, signature=u"b",
887
def enabled_dbus_property(self, value=None):
888
if value is None: # get
889
return dbus.Boolean(self.enabled)
895
# last_checked_ok - property
896
@dbus_service_property(_interface, signature=u"s",
898
def last_checked_ok_dbus_property(self, value=None):
899
if value is not None:
902
if self.last_checked_ok is None:
903
return dbus.String(u"")
904
return dbus.String(self._datetime_to_dbus(self
908
@dbus_service_property(_interface, signature=u"t",
910
def timeout_dbus_property(self, value=None):
911
if value is None: # get
912
return dbus.UInt64(self.timeout_milliseconds())
913
self.timeout = datetime.timedelta(0, 0, 0, value)
915
self.PropertyChanged(dbus.String(u"timeout"),
916
dbus.UInt64(value, variant_level=1))
917
if getattr(self, u"disable_initiator_tag", None) is None:
920
gobject.source_remove(self.disable_initiator_tag)
921
self.disable_initiator_tag = None
923
_timedelta_to_milliseconds((self
929
# The timeout has passed
932
self.disable_initiator_tag = (gobject.timeout_add
933
(time_to_die, self.disable))
935
# interval - property
936
@dbus_service_property(_interface, signature=u"t",
938
def interval_dbus_property(self, value=None):
939
if value is None: # get
940
return dbus.UInt64(self.interval_milliseconds())
941
self.interval = datetime.timedelta(0, 0, 0, value)
943
self.PropertyChanged(dbus.String(u"interval"),
944
dbus.UInt64(value, variant_level=1))
945
if getattr(self, u"checker_initiator_tag", None) is None:
947
# Reschedule checker run
948
gobject.source_remove(self.checker_initiator_tag)
949
self.checker_initiator_tag = (gobject.timeout_add
950
(value, self.start_checker))
951
self.start_checker() # Start one now, too
954
@dbus_service_property(_interface, signature=u"s",
956
def checker_dbus_property(self, value=None):
957
if value is None: # get
958
return dbus.String(self.checker_command)
959
self.checker_command = value
961
self.PropertyChanged(dbus.String(u"checker"),
962
dbus.String(self.checker_command,
965
# checker_running - property
966
@dbus_service_property(_interface, signature=u"b",
968
def checker_running_dbus_property(self, value=None):
969
if value is None: # get
970
return dbus.Boolean(self.checker is not None)
976
# object_path - property
977
@dbus_service_property(_interface, signature=u"o", access=u"read")
978
def object_path_dbus_property(self):
979
return self.dbus_object_path # is already a dbus.ObjectPath
982
@dbus_service_property(_interface, signature=u"ay",
983
access=u"write", byte_arrays=True)
984
def secret_dbus_property(self, value):
985
self.secret = str(value)
585
StopChecker = dbus.service.method(_interface)(stop_checker)
586
StopChecker.__name__ = "StopChecker"
990
class ClientHandler(socketserver.BaseRequestHandler, object):
991
"""A class to handle client connections.
993
Instantiated once for each connection to handle it.
591
def peer_certificate(session):
592
"Return the peer's OpenPGP certificate as a bytestring"
593
# If not an OpenPGP certificate...
594
if (gnutls.library.functions
595
.gnutls_certificate_type_get(session._c_object)
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
597
# ...do the normal thing
598
return session.peer_certificate
599
list_size = ctypes.c_uint()
600
cert_list = (gnutls.library.functions
601
.gnutls_certificate_get_peers
602
(session._c_object, ctypes.byref(list_size)))
603
if list_size.value == 0:
606
return ctypes.string_at(cert.data, cert.size)
609
def fingerprint(openpgp):
610
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
611
# New GnuTLS "datum" with the OpenPGP public key
612
datum = (gnutls.library.types
613
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
616
ctypes.c_uint(len(openpgp))))
617
# New empty GnuTLS certificate
618
crt = gnutls.library.types.gnutls_openpgp_crt_t()
619
(gnutls.library.functions
620
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
621
# Import the OpenPGP public key into the certificate
622
(gnutls.library.functions
623
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
624
gnutls.library.constants
625
.GNUTLS_OPENPGP_FMT_RAW))
626
# Verify the self signature in the key
627
crtverify = ctypes.c_uint()
628
(gnutls.library.functions
629
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
630
if crtverify.value != 0:
631
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
632
raise gnutls.errors.CertificateSecurityError("Verify failed")
633
# New buffer for the fingerprint
634
buf = ctypes.create_string_buffer(20)
635
buf_len = ctypes.c_size_t()
636
# Get the fingerprint from the certificate into the buffer
637
(gnutls.library.functions
638
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
639
ctypes.byref(buf_len)))
640
# Deinit the certificate
641
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
642
# Convert the buffer to a Python bytestring
643
fpr = ctypes.string_at(buf, buf_len.value)
644
# Convert the bytestring to hexadecimal notation
645
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
649
class TCP_handler(SocketServer.BaseRequestHandler, object):
650
"""A TCP request handler class.
651
Instantiated by IPv6_TCPServer for each request to handle it.
994
652
Note: This will run in its own forked process."""
996
654
def handle(self):
997
655
logger.info(u"TCP connection from: %s",
998
656
unicode(self.client_address))
999
logger.debug(u"IPC Pipe FD: %d",
1000
self.server.child_pipe[1].fileno())
1001
# Open IPC pipe to parent process
1002
with contextlib.nested(self.server.child_pipe[1],
1003
self.server.parent_pipe[0]
1004
) as (ipc, ipc_return):
1005
session = (gnutls.connection
1006
.ClientSession(self.request,
1008
.X509Credentials()))
1010
# Note: gnutls.connection.X509Credentials is really a
1011
# generic GnuTLS certificate credentials object so long as
1012
# no X.509 keys are added to it. Therefore, we can use it
1013
# here despite using OpenPGP certificates.
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1016
# u"+AES-256-CBC", u"+SHA1",
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1019
# Use a fallback default, since this MUST be set.
1020
priority = self.server.gnutls_priority
1021
if priority is None:
1022
priority = u"NORMAL"
1023
(gnutls.library.functions
1024
.gnutls_priority_set_direct(session._c_object,
1027
# Start communication using the Mandos protocol
1028
# Get protocol number
1029
line = self.request.makefile().readline()
1030
logger.debug(u"Protocol version: %r", line)
1032
if int(line.strip().split()[0]) > 1:
1034
except (ValueError, IndexError, RuntimeError), error:
1035
logger.error(u"Unknown protocol version: %s", error)
1038
# Start GnuTLS connection
1041
except gnutls.errors.GNUTLSError, error:
1042
logger.warning(u"Handshake failed: %s", error)
1043
# Do not run session.bye() here: the session is not
1044
# established. Just abandon the request.
1046
logger.debug(u"Handshake succeeded")
1049
fpr = self.fingerprint(self.peer_certificate
1051
except (TypeError, gnutls.errors.GNUTLSError), error:
1052
logger.warning(u"Bad certificate: %s", error)
1054
logger.debug(u"Fingerprint: %s", fpr)
1056
for c in self.server.clients:
1057
if c.fingerprint == fpr:
1061
ipc.write(u"NOTFOUND %s %s\n"
1062
% (fpr, unicode(self.client_address)))
1065
class ClientProxy(object):
1066
"""Client proxy object. Not for calling methods."""
1067
def __init__(self, client):
1068
self.client = client
1069
def __getattr__(self, name):
1070
if name.startswith("ipc_"):
1072
ipc.write("%s %s\n" % (name[4:].upper(),
1075
if not hasattr(self.client, name):
1076
raise AttributeError
1077
ipc.write(u"GETATTR %s %s\n"
1078
% (name, self.client.fingerprint))
1079
return pickle.load(ipc_return)
1080
clientproxy = ClientProxy(client)
1081
# Have to check if client.enabled, since it is
1082
# possible that the client was disabled since the
1083
# GnuTLS session was established.
1084
if not clientproxy.enabled:
1085
clientproxy.ipc_disabled()
1088
clientproxy.ipc_sending()
1090
while sent_size < len(client.secret):
1091
sent = session.send(client.secret[sent_size:])
1092
logger.debug(u"Sent: %d, remaining: %d",
1093
sent, len(client.secret)
1094
- (sent_size + sent))
1100
def peer_certificate(session):
1101
"Return the peer's OpenPGP certificate as a bytestring"
1102
# If not an OpenPGP certificate...
1103
if (gnutls.library.functions
1104
.gnutls_certificate_type_get(session._c_object)
1105
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1106
# ...do the normal thing
1107
return session.peer_certificate
1108
list_size = ctypes.c_uint(1)
1109
cert_list = (gnutls.library.functions
1110
.gnutls_certificate_get_peers
1111
(session._c_object, ctypes.byref(list_size)))
1112
if not bool(cert_list) and list_size.value != 0:
1113
raise gnutls.errors.GNUTLSError(u"error getting peer"
1115
if list_size.value == 0:
1118
return ctypes.string_at(cert.data, cert.size)
1121
def fingerprint(openpgp):
1122
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1123
# New GnuTLS "datum" with the OpenPGP public key
1124
datum = (gnutls.library.types
1125
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1128
ctypes.c_uint(len(openpgp))))
1129
# New empty GnuTLS certificate
1130
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1131
(gnutls.library.functions
1132
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1133
# Import the OpenPGP public key into the certificate
1134
(gnutls.library.functions
1135
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1136
gnutls.library.constants
1137
.GNUTLS_OPENPGP_FMT_RAW))
1138
# Verify the self signature in the key
1139
crtverify = ctypes.c_uint()
1140
(gnutls.library.functions
1141
.gnutls_openpgp_crt_verify_self(crt, 0,
1142
ctypes.byref(crtverify)))
1143
if crtverify.value != 0:
1144
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1145
raise (gnutls.errors.CertificateSecurityError
1147
# New buffer for the fingerprint
1148
buf = ctypes.create_string_buffer(20)
1149
buf_len = ctypes.c_size_t()
1150
# Get the fingerprint from the certificate into the buffer
1151
(gnutls.library.functions
1152
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1153
ctypes.byref(buf_len)))
1154
# Deinit the certificate
1155
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1156
# Convert the buffer to a Python bytestring
1157
fpr = ctypes.string_at(buf, buf_len.value)
1158
# Convert the bytestring to hexadecimal notation
1159
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1163
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1164
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1165
def process_request(self, request, client_address):
1166
"""Overrides and wraps the original process_request().
1168
This function creates a new pipe in self.pipe
1170
# Child writes to child_pipe
1171
self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1172
# Parent writes to parent_pipe
1173
self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1174
super(ForkingMixInWithPipes,
1175
self).process_request(request, client_address)
1176
# Close unused ends for parent
1177
self.parent_pipe[0].close() # close read end
1178
self.child_pipe[1].close() # close write end
1179
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1180
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1181
"""Dummy function; override as necessary"""
1182
child_pipe_fd.close()
1183
parent_pipe_fd.close()
1186
class IPv6_TCPServer(ForkingMixInWithPipes,
1187
socketserver.TCPServer, object):
1188
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
657
session = (gnutls.connection
658
.ClientSession(self.request,
662
line = self.request.makefile().readline()
663
logger.debug(u"Protocol version: %r", line)
665
if int(line.strip().split()[0]) > 1:
667
except (ValueError, IndexError, RuntimeError), error:
668
logger.error(u"Unknown protocol version: %s", error)
671
# Note: gnutls.connection.X509Credentials is really a generic
672
# GnuTLS certificate credentials object so long as no X.509
673
# keys are added to it. Therefore, we can use it here despite
674
# using OpenPGP certificates.
676
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
677
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
679
# Use a fallback default, since this MUST be set.
680
priority = self.server.settings.get("priority", "NORMAL")
681
(gnutls.library.functions
682
.gnutls_priority_set_direct(session._c_object,
687
except gnutls.errors.GNUTLSError, error:
688
logger.warning(u"Handshake failed: %s", error)
689
# Do not run session.bye() here: the session is not
690
# established. Just abandon the request.
693
fpr = fingerprint(peer_certificate(session))
694
except (TypeError, gnutls.errors.GNUTLSError), error:
695
logger.warning(u"Bad certificate: %s", error)
698
logger.debug(u"Fingerprint: %s", fpr)
699
for c in self.server.clients:
700
if c.fingerprint == fpr:
704
logger.warning(u"Client not found for fingerprint: %s",
708
# Have to check if client.still_valid(), since it is possible
709
# that the client timed out while establishing the GnuTLS
711
if not client.still_valid():
712
logger.warning(u"Client %(name)s is invalid",
716
## This won't work here, since we're in a fork.
717
# client.bump_timeout()
719
while sent_size < len(client.secret):
720
sent = session.send(client.secret[sent_size:])
721
logger.debug(u"Sent: %d, remaining: %d",
722
sent, len(client.secret)
723
- (sent_size + sent))
728
class IPv6_TCPServer(SocketServer.ForkingMixIn,
729
SocketServer.TCPServer, object):
730
"""IPv6 TCP server. Accepts 'None' as address and/or port.
732
settings: Server settings
733
clients: Set() of Client objects
1191
734
enabled: Boolean; whether this server is activated yet
1192
interface: None or a network interface name (string)
1193
use_ipv6: Boolean; to use IPv6 or not
1195
def __init__(self, server_address, RequestHandlerClass,
1196
interface=None, use_ipv6=True):
1197
self.interface = interface
1199
self.address_family = socket.AF_INET6
1200
socketserver.TCPServer.__init__(self, server_address,
1201
RequestHandlerClass)
736
address_family = socket.AF_INET6
737
def __init__(self, *args, **kwargs):
738
if "settings" in kwargs:
739
self.settings = kwargs["settings"]
740
del kwargs["settings"]
741
if "clients" in kwargs:
742
self.clients = kwargs["clients"]
743
del kwargs["clients"]
745
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1202
746
def server_bind(self):
1203
747
"""This overrides the normal server_bind() function
1204
748
to bind to an interface if one was specified, and also NOT to
1205
749
bind to an address or port if they were not specified."""
1206
if self.interface is not None:
1207
if SO_BINDTODEVICE is None:
1208
logger.error(u"SO_BINDTODEVICE does not exist;"
1209
u" cannot bind to interface %s",
1213
self.socket.setsockopt(socket.SOL_SOCKET,
1217
except socket.error, error:
1218
if error[0] == errno.EPERM:
1219
logger.error(u"No permission to"
1220
u" bind to interface %s",
1222
elif error[0] == errno.ENOPROTOOPT:
1223
logger.error(u"SO_BINDTODEVICE not available;"
1224
u" cannot bind to interface %s",
750
if self.settings["interface"]:
751
# 25 is from /usr/include/asm-i486/socket.h
752
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
754
self.socket.setsockopt(socket.SOL_SOCKET,
756
self.settings["interface"])
757
except socket.error, error:
758
if error[0] == errno.EPERM:
759
logger.error(u"No permission to"
760
u" bind to interface %s",
761
self.settings["interface"])
1228
764
# Only bind(2) the socket if we really need to.
1229
765
if self.server_address[0] or self.server_address[1]:
1230
766
if not self.server_address[0]:
1231
if self.address_family == socket.AF_INET6:
1232
any_address = u"::" # in6addr_any
1234
any_address = socket.INADDR_ANY
1235
self.server_address = (any_address,
768
self.server_address = (in6addr_any,
1236
769
self.server_address[1])
1237
770
elif not self.server_address[1]:
1238
771
self.server_address = (self.server_address[0],
1240
# if self.interface:
773
# if self.settings["interface"]:
1241
774
# self.server_address = (self.server_address[0],
1244
777
# if_nametoindex
1246
return socketserver.TCPServer.server_bind(self)
1249
class MandosServer(IPv6_TCPServer):
1253
clients: set of Client objects
1254
gnutls_priority GnuTLS priority string
1255
use_dbus: Boolean; to emit D-Bus signals or not
1257
Assumes a gobject.MainLoop event loop.
1259
def __init__(self, server_address, RequestHandlerClass,
1260
interface=None, use_ipv6=True, clients=None,
1261
gnutls_priority=None, use_dbus=True):
1262
self.enabled = False
1263
self.clients = clients
1264
if self.clients is None:
1265
self.clients = set()
1266
self.use_dbus = use_dbus
1267
self.gnutls_priority = gnutls_priority
1268
IPv6_TCPServer.__init__(self, server_address,
1269
RequestHandlerClass,
1270
interface = interface,
1271
use_ipv6 = use_ipv6)
780
return super(IPv6_TCPServer, self).server_bind()
1272
781
def server_activate(self):
1273
782
if self.enabled:
1274
return socketserver.TCPServer.server_activate(self)
783
return super(IPv6_TCPServer, self).server_activate()
1275
784
def enable(self):
1276
785
self.enabled = True
1277
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1278
# Call "handle_ipc" for both data and EOF events
1279
gobject.io_add_watch(child_pipe_fd.fileno(),
1280
gobject.IO_IN | gobject.IO_HUP,
1281
functools.partial(self.handle_ipc,
1282
reply = parent_pipe_fd,
1283
sender= child_pipe_fd))
1284
def handle_ipc(self, source, condition, reply=None, sender=None):
1286
gobject.IO_IN: u"IN", # There is data to read.
1287
gobject.IO_OUT: u"OUT", # Data can be written (without
1289
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1290
gobject.IO_ERR: u"ERR", # Error condition.
1291
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1292
# broken, usually for pipes and
1295
conditions_string = ' | '.join(name
1297
condition_names.iteritems()
1298
if cond & condition)
1299
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1302
# Read a line from the file object
1303
cmdline = sender.readline()
1304
if not cmdline: # Empty line means end of file
1305
# close the IPC pipes
1309
# Stop calling this function
1312
logger.debug(u"IPC command: %r", cmdline)
1314
# Parse and act on command
1315
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1317
if cmd == u"NOTFOUND":
1318
fpr, address = args.split(None, 1)
1319
logger.warning(u"Client not found for fingerprint: %s, ad"
1320
u"dress: %s", fpr, address)
1323
mandos_dbus_service.ClientNotFound(fpr, address)
1324
elif cmd == u"DISABLED":
1325
for client in self.clients:
1326
if client.name == args:
1327
logger.warning(u"Client %s is disabled", args)
1333
logger.error(u"Unknown client %s is disabled", args)
1334
elif cmd == u"SENDING":
1335
for client in self.clients:
1336
if client.name == args:
1337
logger.info(u"Sending secret to %s", client.name)
1344
logger.error(u"Sending secret to unknown client %s",
1346
elif cmd == u"GETATTR":
1347
attr_name, fpr = args.split(None, 1)
1348
for client in self.clients:
1349
if client.fingerprint == fpr:
1350
attr_value = getattr(client, attr_name, None)
1351
logger.debug("IPC reply: %r", attr_value)
1352
pickle.dump(attr_value, reply)
1355
logger.error(u"Client %s on address %s requesting "
1356
u"attribute %s not found", fpr, address,
1358
pickle.dump(None, reply)
1360
logger.error(u"Unknown IPC command: %r", cmdline)
1362
# Keep calling this function
1366
788
def string_to_delta(interval):
1367
789
"""Parse a string and return a datetime.timedelta
1369
>>> string_to_delta(u'7d')
791
>>> string_to_delta('7d')
1370
792
datetime.timedelta(7)
1371
>>> string_to_delta(u'60s')
793
>>> string_to_delta('60s')
1372
794
datetime.timedelta(0, 60)
1373
>>> string_to_delta(u'60m')
795
>>> string_to_delta('60m')
1374
796
datetime.timedelta(0, 3600)
1375
>>> string_to_delta(u'24h')
797
>>> string_to_delta('24h')
1376
798
datetime.timedelta(1)
1377
799
>>> string_to_delta(u'1w')
1378
800
datetime.timedelta(7)
1379
>>> string_to_delta(u'5m 30s')
801
>>> string_to_delta('5m 30s')
1380
802
datetime.timedelta(0, 330)
1382
804
timevalue = datetime.timedelta(0)
1491
924
# Default values for config file for server-global settings
1492
server_defaults = { u"interface": u"",
1497
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1498
u"servicename": u"Mandos",
1499
u"use_dbus": u"True",
1500
u"use_ipv6": u"True",
925
server_defaults = { "interface": "",
930
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
931
"servicename": "Mandos",
1503
934
# Parse config file for server-global settings
1504
server_config = configparser.SafeConfigParser(server_defaults)
935
server_config = ConfigParser.SafeConfigParser(server_defaults)
1505
936
del server_defaults
1506
server_config.read(os.path.join(options.configdir,
937
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1508
938
# Convert the SafeConfigParser object to a dict
1509
939
server_settings = server_config.defaults()
1510
# Use the appropriate methods on the non-string config options
1511
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1512
server_settings[option] = server_config.getboolean(u"DEFAULT",
1514
if server_settings["port"]:
1515
server_settings["port"] = server_config.getint(u"DEFAULT",
940
# Use getboolean on the boolean config option
941
server_settings["debug"] = (server_config.getboolean
942
("DEFAULT", "debug"))
1517
943
del server_config
1519
945
# Override the settings from the config file with command line
1520
946
# options, if set.
1521
for option in (u"interface", u"address", u"port", u"debug",
1522
u"priority", u"servicename", u"configdir",
1523
u"use_dbus", u"use_ipv6"):
947
for option in ("interface", "address", "port", "debug",
948
"priority", "servicename", "configdir"):
1524
949
value = getattr(options, option)
1525
950
if value is not None:
1526
951
server_settings[option] = value
1528
# Force all strings to be unicode
1529
for option in server_settings.keys():
1530
if type(server_settings[option]) is str:
1531
server_settings[option] = unicode(server_settings[option])
1532
953
# Now we have our good server settings in "server_settings"
1534
##################################################################
1537
debug = server_settings[u"debug"]
1538
use_dbus = server_settings[u"use_dbus"]
1539
use_ipv6 = server_settings[u"use_ipv6"]
955
debug = server_settings["debug"]
1542
958
syslogger.setLevel(logging.WARNING)
1543
959
console.setLevel(logging.WARNING)
1545
if server_settings[u"servicename"] != u"Mandos":
961
if server_settings["servicename"] != "Mandos":
1546
962
syslogger.setFormatter(logging.Formatter
1547
(u'Mandos (%s) [%%(process)d]:'
1548
u' %%(levelname)s: %%(message)s'
1549
% server_settings[u"servicename"]))
963
('Mandos (%s): %%(levelname)s:'
965
% server_settings["servicename"]))
1551
967
# Parse config file with clients
1552
client_defaults = { u"timeout": u"1h",
1554
u"checker": u"fping -q -- %%(host)s",
968
client_defaults = { "timeout": "1h",
970
"checker": "fping -q -- %(host)s",
1557
client_config = configparser.SafeConfigParser(client_defaults)
1558
client_config.read(os.path.join(server_settings[u"configdir"],
1561
global mandos_dbus_service
1562
mandos_dbus_service = None
1564
tcp_server = MandosServer((server_settings[u"address"],
1565
server_settings[u"port"]),
1567
interface=server_settings[u"interface"],
1570
server_settings[u"priority"],
1572
pidfilename = u"/var/run/mandos.pid"
1574
pidfile = open(pidfilename, u"w")
1576
logger.error(u"Could not open file %r", pidfilename)
1579
uid = pwd.getpwnam(u"_mandos").pw_uid
1580
gid = pwd.getpwnam(u"_mandos").pw_gid
973
client_config = ConfigParser.SafeConfigParser(client_defaults)
974
client_config.read(os.path.join(server_settings["configdir"],
978
tcp_server = IPv6_TCPServer((server_settings["address"],
979
server_settings["port"]),
981
settings=server_settings,
983
pidfilename = "/var/run/mandos.pid"
985
pidfile = open(pidfilename, "w")
986
except IOError, error:
987
logger.error("Could not open file %r", pidfilename)
990
uid = pwd.getpwnam("_mandos").pw_uid
1581
991
except KeyError:
1583
uid = pwd.getpwnam(u"mandos").pw_uid
1584
gid = pwd.getpwnam(u"mandos").pw_gid
993
uid = pwd.getpwnam("mandos").pw_uid
1585
994
except KeyError:
1587
uid = pwd.getpwnam(u"nobody").pw_uid
1588
gid = pwd.getpwnam(u"nobody").pw_gid
996
uid = pwd.getpwnam("nobody").pw_uid
1589
997
except KeyError:
1000
gid = pwd.getpwnam("_mandos").pw_gid
1003
gid = pwd.getpwnam("mandos").pw_gid
1006
gid = pwd.getpwnam("nogroup").pw_gid
1595
1012
except OSError, error:
1596
1013
if error[0] != errno.EPERM:
1599
# Enable all possible GnuTLS debugging
1601
# "Use a log level over 10 to enable all debugging options."
1603
gnutls.library.functions.gnutls_global_set_log_level(11)
1605
@gnutls.library.types.gnutls_log_func
1606
def debug_gnutls(level, string):
1607
logger.debug(u"GnuTLS: %s", string[:-1])
1609
(gnutls.library.functions
1610
.gnutls_global_set_log_function(debug_gnutls))
1017
service = AvahiService(name = server_settings["servicename"],
1018
servicetype = "_mandos._tcp", )
1019
if server_settings["interface"]:
1020
service.interface = (if_nametoindex
1021
(server_settings["interface"]))
1612
1023
global main_loop
1613
1026
# From the Avahi example code
1614
1027
DBusGMainLoop(set_as_default=True )
1615
1028
main_loop = gobject.MainLoop()
1616
1029
bus = dbus.SystemBus()
1030
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1031
avahi.DBUS_PATH_SERVER),
1032
avahi.DBUS_INTERFACE_SERVER)
1617
1033
# End of Avahi example code
1620
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1621
bus, do_not_queue=True)
1622
except dbus.exceptions.NameExistsException, e:
1623
logger.error(unicode(e) + u", disabling D-Bus")
1625
server_settings[u"use_dbus"] = False
1626
tcp_server.use_dbus = False
1627
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1628
service = AvahiService(name = server_settings[u"servicename"],
1629
servicetype = u"_mandos._tcp",
1630
protocol = protocol, bus = bus)
1631
if server_settings["interface"]:
1632
service.interface = (if_nametoindex
1633
(str(server_settings[u"interface"])))
1034
bus_name = dbus.service.BusName(u"org.mandos-system.Mandos", bus)
1635
client_class = Client
1637
client_class = functools.partial(ClientDBus, bus = bus)
1638
tcp_server.clients.update(set(
1639
client_class(name = section,
1640
config= dict(client_config.items(section)))
1641
for section in client_config.sections()))
1642
if not tcp_server.clients:
1643
logger.warning(u"No clients defined")
1036
clients.update(Set(Client(name = section,
1038
= dict(client_config.items(section)))
1039
for section in client_config.sections()))
1041
logger.critical(u"No clients defined")
1646
1045
# Redirect stdin so all checkers get /dev/null
1668
1067
del pidfilename
1070
"Cleanup function; run on exit"
1072
# From the Avahi example code
1073
if not group is None:
1076
# End of Avahi example code
1079
client = clients.pop()
1080
client.stop_hook = None
1083
atexit.register(cleanup)
1671
1086
signal.signal(signal.SIGINT, signal.SIG_IGN)
1672
1087
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1673
1088
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1676
class MandosDBusService(dbus.service.Object):
1677
"""A D-Bus proxy object"""
1679
dbus.service.Object.__init__(self, bus, u"/")
1680
_interface = u"se.bsnet.fukt.Mandos"
1682
@dbus.service.signal(_interface, signature=u"o")
1683
def ClientAdded(self, objpath):
1687
@dbus.service.signal(_interface, signature=u"ss")
1688
def ClientNotFound(self, fingerprint, address):
1692
@dbus.service.signal(_interface, signature=u"os")
1693
def ClientRemoved(self, objpath, name):
1697
@dbus.service.method(_interface, out_signature=u"ao")
1698
def GetAllClients(self):
1700
return dbus.Array(c.dbus_object_path
1701
for c in tcp_server.clients)
1703
@dbus.service.method(_interface,
1704
out_signature=u"a{oa{sv}}")
1705
def GetAllClientsWithProperties(self):
1707
return dbus.Dictionary(
1708
((c.dbus_object_path, c.GetAll(u""))
1709
for c in tcp_server.clients),
1710
signature=u"oa{sv}")
1712
@dbus.service.method(_interface, in_signature=u"o")
1713
def RemoveClient(self, object_path):
1715
for c in tcp_server.clients:
1716
if c.dbus_object_path == object_path:
1717
tcp_server.clients.remove(c)
1718
c.remove_from_connection()
1719
# Don't signal anything except ClientRemoved
1720
c.disable(quiet=True)
1722
self.ClientRemoved(object_path, c.name)
1724
raise KeyError(object_path)
1728
mandos_dbus_service = MandosDBusService()
1731
"Cleanup function; run on exit"
1734
while tcp_server.clients:
1735
client = tcp_server.clients.pop()
1737
client.remove_from_connection()
1738
client.disable_hook = None
1739
# Don't signal anything except ClientRemoved
1740
client.disable(quiet=True)
1743
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1746
atexit.register(cleanup)
1748
for client in tcp_server.clients:
1751
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1090
class MandosServer(dbus.service.Object):
1091
"""A D-Bus proxy object"""
1093
dbus.service.Object.__init__(self, bus,
1095
_interface = u"org.mandos_system.Mandos"
1097
@dbus.service.signal(_interface, signature="oa{sv}")
1098
def ClientAdded(self, objpath, properties):
1102
@dbus.service.signal(_interface, signature="o")
1103
def ClientRemoved(self, objpath):
1107
@dbus.service.method(_interface, out_signature="ao")
1108
def GetAllClients(self):
1109
return dbus.Array(c.dbus_object_path for c in clients)
1111
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1112
def GetAllClientsWithProperties(self):
1113
return dbus.Dictionary(
1114
((c.dbus_object_path, c.GetAllProperties())
1118
@dbus.service.method(_interface, in_signature="o")
1119
def RemoveClient(self, object_path):
1121
if c.dbus_object_path == object_path:
1129
mandos_server = MandosServer()
1131
for client in clients:
1133
mandos_server.ClientAdded(client.dbus_object_path,
1134
client.GetAllProperties())
1754
1137
tcp_server.enable()
1755
1138
tcp_server.server_activate()
1757
1140
# Find out what port we got
1758
1141
service.port = tcp_server.socket.getsockname()[1]
1760
logger.info(u"Now listening on address %r, port %d,"
1761
" flowinfo %d, scope_id %d"
1762
% tcp_server.socket.getsockname())
1764
logger.info(u"Now listening on address %r, port %d"
1765
% tcp_server.socket.getsockname())
1142
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1143
u" scope_id %d" % tcp_server.socket.getsockname())
1767
1145
#service.interface = tcp_server.socket.getsockname()[3]
1770
1148
# From the Avahi example code
1149
server.connect_to_signal("StateChanged", server_state_changed)
1151
server_state_changed(server.GetState())
1773
1152
except dbus.exceptions.DBusException, error:
1774
1153
logger.critical(u"DBusException: %s", error)
1777
1155
# End of Avahi example code