To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.195
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.195
- Committer: Teddy Hogeborn
- Date: 2013-12-31 16:02:18 UTC
- mto: (237.7.272 trunk)
- mto: This revision was merged to the branch mainline in revision 307.
- Revision ID: teddy@recompile.se-20131231160218-plmmb0o0iifkd5l2
Specify BusName in systemd service file.
* mandos.service (BusName): Uncommented.
* mandos.service (BusName): Uncommented.
- files added:
- debian/mandos-client.examples
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
14
# Copyright © 2008-2013 Teddy Hogeborn
15
# Copyright © 2008-2013 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
from future_builtins import *
38
37
39
import SocketServer as socketserver
38
40
import socket
39
41
import argparse
65
67
import types
66
68
import binascii
67
69
import tempfile
70
import itertools
71
import collections
68
72
69
73
import dbus
70
74
import dbus.service
75
79
import ctypes.util
76
80
import xml.dom.minidom
77
81
import inspect
78
import GnuPGInterface
79
82
80
83
try:
81
84
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
85
88
except ImportError:
86
89
SO_BINDTODEVICE = None
87
90
88
89
version = "1.4.1"
91
version = "1.6.2"
90
92
stored_state_file = "clients.pickle"
91
93
92
94
logger = logging.getLogger()
111
113
return interface_index
112
114
113
115
114
def initlogger(level=logging.WARNING):
116
def initlogger(debug, level=logging.WARNING):
115
117
"""init logger and add loglevel"""
116
118
117
119
syslogger.setFormatter(logging.Formatter
119
121
' %(message)s'))
120
122
logger.addHandler(syslogger)
121
123
122
console = logging.StreamHandler()
123
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
124
' [%(process)d]:'
125
' %(levelname)s:'
126
' %(message)s'))
127
logger.addHandler(console)
124
if debug:
125
console = logging.StreamHandler()
126
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
127
' [%(process)d]:'
128
' %(levelname)s:'
129
' %(message)s'))
130
logger.addHandler(console)
128
131
logger.setLevel(level)
129
132
130
133
131
class CryptoError(Exception):
134
class PGPError(Exception):
135
"""Exception if encryption/decryption fails"""
132
136
pass
133
137
134
138
135
class Crypto(object):
139
class PGPEngine(object):
136
140
"""A simple class for OpenPGP symmetric encryption & decryption"""
137
141
def __init__(self):
138
self.gnupg = GnuPGInterface.GnuPG()
139
142
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
140
self.gnupg = GnuPGInterface.GnuPG()
141
self.gnupg.options.meta_interactive = False
142
self.gnupg.options.homedir = self.tempdir
143
self.gnupg.options.extra_args.extend(['--force-mdc',
144
'--quiet'])
143
self.gnupgargs = ['--batch',
144
'--home', self.tempdir,
145
'--force-mdc',
146
'--quiet',
147
'--no-use-agent']
145
148
146
149
def __enter__(self):
147
150
return self
148
151
149
def __exit__ (self, exc_type, exc_value, traceback):
152
def __exit__(self, exc_type, exc_value, traceback):
150
153
self._cleanup()
151
154
return False
152
155
169
172
def password_encode(self, password):
170
173
# Passphrase can not be empty and can not contain newlines or
171
174
# NUL bytes. So we prefix it and hex encode it.
172
return b"mandos" + binascii.hexlify(password)
175
encoded = b"mandos" + binascii.hexlify(password)
176
if len(encoded) > 2048:
177
# GnuPG can't handle long passwords, so encode differently
178
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
179
.replace(b"\n", b"\\n")
180
.replace(b"\0", b"\\x00"))
181
return encoded
173
182
174
183
def encrypt(self, data, password):
175
self.gnupg.passphrase = self.password_encode(password)
176
with open(os.devnull) as devnull:
177
try:
178
proc = self.gnupg.run(['--symmetric'],
179
create_fhs=['stdin', 'stdout'],
180
attach_fhs={'stderr': devnull})
181
with contextlib.closing(proc.handles['stdin']) as f:
182
f.write(data)
183
with contextlib.closing(proc.handles['stdout']) as f:
184
ciphertext = f.read()
185
proc.wait()
186
except IOError as e:
187
raise CryptoError(e)
188
self.gnupg.passphrase = None
184
passphrase = self.password_encode(password)
185
with tempfile.NamedTemporaryFile(dir=self.tempdir
186
) as passfile:
187
passfile.write(passphrase)
188
passfile.flush()
189
proc = subprocess.Popen(['gpg', '--symmetric',
190
'--passphrase-file',
191
passfile.name]
192
+ self.gnupgargs,
193
stdin = subprocess.PIPE,
194
stdout = subprocess.PIPE,
195
stderr = subprocess.PIPE)
196
ciphertext, err = proc.communicate(input = data)
197
if proc.returncode != 0:
198
raise PGPError(err)
189
199
return ciphertext
190
200
191
201
def decrypt(self, data, password):
192
self.gnupg.passphrase = self.password_encode(password)
193
with open(os.devnull) as devnull:
194
try:
195
proc = self.gnupg.run(['--decrypt'],
196
create_fhs=['stdin', 'stdout'],
197
attach_fhs={'stderr': devnull})
198
with contextlib.closing(proc.handles['stdin'] ) as f:
199
f.write(data)
200
with contextlib.closing(proc.handles['stdout']) as f:
201
decrypted_plaintext = f.read()
202
proc.wait()
203
except IOError as e:
204
raise CryptoError(e)
205
self.gnupg.passphrase = None
202
passphrase = self.password_encode(password)
203
with tempfile.NamedTemporaryFile(dir = self.tempdir
204
) as passfile:
205
passfile.write(passphrase)
206
passfile.flush()
207
proc = subprocess.Popen(['gpg', '--decrypt',
208
'--passphrase-file',
209
passfile.name]
210
+ self.gnupgargs,
211
stdin = subprocess.PIPE,
212
stdout = subprocess.PIPE,
213
stderr = subprocess.PIPE)
214
decrypted_plaintext, err = proc.communicate(input
215
= data)
216
if proc.returncode != 0:
217
raise PGPError(err)
206
218
return decrypted_plaintext
207
219
208
220
209
210
221
class AvahiError(Exception):
211
222
def __init__(self, value, *args, **kwargs):
212
223
self.value = value
229
240
Used to optionally bind to the specified interface.
230
241
name: string; Example: 'Mandos'
231
242
type: string; Example: '_mandos._tcp'.
232
See <http://www.dns-sd.org/ServiceTypes.html>
243
See <https://www.iana.org/assignments/service-names-port-numbers>
233
244
port: integer; what port to announce
234
245
TXT: list of strings; TXT record for the service
235
246
domain: string; Domain to publish on, default to .local if empty.
241
252
server: D-Bus Server
242
253
bus: dbus.SystemBus()
243
254
"""
255
244
256
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
245
257
servicetype = None, port = None, TXT = None,
246
258
domain = "", host = "", max_renames = 32768,
259
271
self.server = None
260
272
self.bus = bus
261
273
self.entry_group_state_changed_match = None
274
262
275
def rename(self):
263
276
"""Derived from the Avahi example code"""
264
277
if self.rename_count >= self.max_renames:
274
287
try:
275
288
self.add()
276
289
except dbus.exceptions.DBusException as error:
277
logger.critical("DBusException: %s", error)
290
logger.critical("D-Bus Exception", exc_info=error)
278
291
self.cleanup()
279
292
os._exit(1)
280
293
self.rename_count += 1
294
281
295
def remove(self):
282
296
"""Derived from the Avahi example code"""
283
297
if self.entry_group_state_changed_match is not None:
285
299
self.entry_group_state_changed_match = None
286
300
if self.group is not None:
287
301
self.group.Reset()
302
288
303
def add(self):
289
304
"""Derived from the Avahi example code"""
290
305
self.remove()
307
322
dbus.UInt16(self.port),
308
323
avahi.string_array_to_txt_array(self.TXT))
309
324
self.group.Commit()
325
310
326
def entry_group_state_changed(self, state, error):
311
327
"""Derived from the Avahi example code"""
312
328
logger.debug("Avahi entry group state change: %i", state)
319
335
elif state == avahi.ENTRY_GROUP_FAILURE:
320
336
logger.critical("Avahi: Error in group state changed %s",
321
337
unicode(error))
322
raise AvahiGroupError("State changed: %s"
323
% unicode(error))
338
raise AvahiGroupError("State changed: {0!s}"
339
.format(error))
340
324
341
def cleanup(self):
325
342
"""Derived from the Avahi example code"""
326
343
if self.group is not None:
331
348
pass
332
349
self.group = None
333
350
self.remove()
351
334
352
def server_state_changed(self, state, error=None):
335
353
"""Derived from the Avahi example code"""
336
354
logger.debug("Avahi server state change: %i", state)
355
373
logger.debug("Unknown state: %r", state)
356
374
else:
357
375
logger.debug("Unknown state: %r: %r", state, error)
376
358
377
def activate(self):
359
378
"""Derived from the Avahi example code"""
360
379
if self.server is None:
367
386
self.server_state_changed)
368
387
self.server_state_changed(self.server.GetState())
369
388
389
370
390
class AvahiServiceToSyslog(AvahiService):
371
391
def rename(self):
372
392
"""Add the new name to the syslog messages"""
373
393
ret = AvahiService.rename(self)
374
394
syslogger.setFormatter(logging.Formatter
375
('Mandos (%s) [%%(process)d]:'
376
' %%(levelname)s: %%(message)s'
377
% self.name))
395
('Mandos ({0}) [%(process)d]:'
396
' %(levelname)s: %(message)s'
397
.format(self.name)))
378
398
return ret
379
399
380
def _timedelta_to_milliseconds(td):
400
401
def timedelta_to_milliseconds(td):
381
402
"Convert a datetime.timedelta() to milliseconds"
382
403
return ((td.days * 24 * 60 * 60 * 1000)
383
404
+ (td.seconds * 1000)
384
405
+ (td.microseconds // 1000))
385
406
407
386
408
class Client(object):
387
409
"""A representation of a client host served by this server.
388
410
389
411
Attributes:
390
_approved: bool(); 'None' if not yet approved/disapproved
412
approved: bool(); 'None' if not yet approved/disapproved
391
413
approval_delay: datetime.timedelta(); Time to wait for approval
392
414
approval_duration: datetime.timedelta(); Duration of one approval
393
415
checker: subprocess.Popen(); a running checker process used
411
433
interval: datetime.timedelta(); How often to start a new checker
412
434
last_approval_request: datetime.datetime(); (UTC) or None
413
435
last_checked_ok: datetime.datetime(); (UTC) or None
414
415
436
last_checker_status: integer between 0 and 255 reflecting exit
416
437
status of last checker. -1 reflects crashed
417
checker, or None.
418
last_enabled: datetime.datetime(); (UTC)
438
checker, -2 means no checker completed yet.
439
last_enabled: datetime.datetime(); (UTC) or None
419
440
name: string; from the config file, used in log messages and
420
441
D-Bus identifiers
421
442
secret: bytestring; sent verbatim (over TLS) to client
422
443
timeout: datetime.timedelta(); How long from last_checked_ok
423
444
until this client is disabled
424
extended_timeout: extra long timeout when password has been sent
445
extended_timeout: extra long timeout when secret has been sent
425
446
runtime_expansions: Allowed attributes for runtime expansion.
426
447
expires: datetime.datetime(); time (UTC) when a client will be
427
448
disabled, or None
449
server_settings: The server_settings dict from main()
428
450
"""
429
451
430
452
runtime_expansions = ("approval_delay", "approval_duration",
431
"created", "enabled", "fingerprint",
432
"host", "interval", "last_checked_ok",
453
"created", "enabled", "expires",
454
"fingerprint", "host", "interval",
455
"last_approval_request", "last_checked_ok",
433
456
"last_enabled", "name", "timeout")
457
client_defaults = { "timeout": "PT5M",
458
"extended_timeout": "PT15M",
459
"interval": "PT2M",
460
"checker": "fping -q -- %%(host)s",
461
"host": "",
462
"approval_delay": "PT0S",
463
"approval_duration": "PT1S",
464
"approved_by_default": "True",
465
"enabled": "True",
466
}
434
467
435
468
def timeout_milliseconds(self):
436
469
"Return the 'timeout' attribute in milliseconds"
437
return _timedelta_to_milliseconds(self.timeout)
470
return timedelta_to_milliseconds(self.timeout)
438
471
439
472
def extended_timeout_milliseconds(self):
440
473
"Return the 'extended_timeout' attribute in milliseconds"
441
return _timedelta_to_milliseconds(self.extended_timeout)
474
return timedelta_to_milliseconds(self.extended_timeout)
442
475
443
476
def interval_milliseconds(self):
444
477
"Return the 'interval' attribute in milliseconds"
445
return _timedelta_to_milliseconds(self.interval)
478
return timedelta_to_milliseconds(self.interval)
446
479
447
480
def approval_delay_milliseconds(self):
448
return _timedelta_to_milliseconds(self.approval_delay)
449
450
def __init__(self, name = None, config=None):
451
"""Note: the 'checker' key in 'config' sets the
452
'checker_command' attribute and *not* the 'checker'
453
attribute."""
481
return timedelta_to_milliseconds(self.approval_delay)
482
483
@staticmethod
484
def config_parser(config):
485
"""Construct a new dict of client settings of this form:
486
{ client_name: {setting_name: value, ...}, ...}
487
with exceptions for any special settings as defined above.
488
NOTE: Must be a pure function. Must return the same result
489
value given the same arguments.
490
"""
491
settings = {}
492
for client_name in config.sections():
493
section = dict(config.items(client_name))
494
client = settings[client_name] = {}
495
496
client["host"] = section["host"]
497
# Reformat values from string types to Python types
498
client["approved_by_default"] = config.getboolean(
499
client_name, "approved_by_default")
500
client["enabled"] = config.getboolean(client_name,
501
"enabled")
502
503
client["fingerprint"] = (section["fingerprint"].upper()
504
.replace(" ", ""))
505
if "secret" in section:
506
client["secret"] = section["secret"].decode("base64")
507
elif "secfile" in section:
508
with open(os.path.expanduser(os.path.expandvars
509
(section["secfile"])),
510
"rb") as secfile:
511
client["secret"] = secfile.read()
512
else:
513
raise TypeError("No secret or secfile for section {0}"
514
.format(section))
515
client["timeout"] = string_to_delta(section["timeout"])
516
client["extended_timeout"] = string_to_delta(
517
section["extended_timeout"])
518
client["interval"] = string_to_delta(section["interval"])
519
client["approval_delay"] = string_to_delta(
520
section["approval_delay"])
521
client["approval_duration"] = string_to_delta(
522
section["approval_duration"])
523
client["checker_command"] = section["checker"]
524
client["last_approval_request"] = None
525
client["last_checked_ok"] = None
526
client["last_checker_status"] = -2
527
528
return settings
529
530
def __init__(self, settings, name = None, server_settings=None):
454
531
self.name = name
455
if config is None:
456
config = {}
532
if server_settings is None:
533
server_settings = {}
534
self.server_settings = server_settings
535
# adding all client settings
536
for setting, value in settings.iteritems():
537
setattr(self, setting, value)
538
539
if self.enabled:
540
if not hasattr(self, "last_enabled"):
541
self.last_enabled = datetime.datetime.utcnow()
542
if not hasattr(self, "expires"):
543
self.expires = (datetime.datetime.utcnow()
544
+ self.timeout)
545
else:
546
self.last_enabled = None
547
self.expires = None
548
457
549
logger.debug("Creating client %r", self.name)
458
550
# Uppercase and remove spaces from fingerprint for later
459
551
# comparison purposes with return value from the fingerprint()
460
552
# function
461
self.fingerprint = (config["fingerprint"].upper()
462
.replace(" ", ""))
463
553
logger.debug(" Fingerprint: %s", self.fingerprint)
464
if "secret" in config:
465
self.secret = config["secret"].decode("base64")
466
elif "secfile" in config:
467
with open(os.path.expanduser(os.path.expandvars
468
(config["secfile"])),
469
"rb") as secfile:
470
self.secret = secfile.read()
471
else:
472
raise TypeError("No secret or secfile for client %s"
473
% self.name)
474
self.host = config.get("host", "")
475
self.created = datetime.datetime.utcnow()
476
self.enabled = True
477
self.last_approval_request = None
478
self.last_enabled = datetime.datetime.utcnow()
479
self.last_checked_ok = None
480
self.last_checker_status = None
481
self.timeout = string_to_delta(config["timeout"])
482
self.extended_timeout = string_to_delta(config
483
["extended_timeout"])
484
self.interval = string_to_delta(config["interval"])
554
self.created = settings.get("created",
555
datetime.datetime.utcnow())
556
557
# attributes specific for this server instance
485
558
self.checker = None
486
559
self.checker_initiator_tag = None
487
560
self.disable_initiator_tag = None
488
self.expires = datetime.datetime.utcnow() + self.timeout
489
561
self.checker_callback_tag = None
490
self.checker_command = config["checker"]
491
562
self.current_checker_command = None
492
self._approved = None
493
self.approved_by_default = config.get("approved_by_default",
494
True)
563
self.approved = None
495
564
self.approvals_pending = 0
496
self.approval_delay = string_to_delta(
497
config["approval_delay"])
498
self.approval_duration = string_to_delta(
499
config["approval_duration"])
500
565
self.changedstate = (multiprocessing_manager
501
566
.Condition(multiprocessing_manager
502
567
.Lock()))
522
587
if getattr(self, "enabled", False):
523
588
# Already enabled
524
589
return
525
self.send_changedstate()
526
590
self.expires = datetime.datetime.utcnow() + self.timeout
527
591
self.enabled = True
528
592
self.last_enabled = datetime.datetime.utcnow()
529
593
self.init_checker()
594
self.send_changedstate()
530
595
531
596
def disable(self, quiet=True):
532
597
"""Disable this client."""
533
598
if not getattr(self, "enabled", False):
534
599
return False
535
600
if not quiet:
536
self.send_changedstate()
537
if not quiet:
538
601
logger.info("Disabling client %s", self.name)
539
if getattr(self, "disable_initiator_tag", False):
602
if getattr(self, "disable_initiator_tag", None) is not None:
540
603
gobject.source_remove(self.disable_initiator_tag)
541
604
self.disable_initiator_tag = None
542
605
self.expires = None
543
if getattr(self, "checker_initiator_tag", False):
606
if getattr(self, "checker_initiator_tag", None) is not None:
544
607
gobject.source_remove(self.checker_initiator_tag)
545
608
self.checker_initiator_tag = None
546
609
self.stop_checker()
547
610
self.enabled = False
611
if not quiet:
612
self.send_changedstate()
548
613
# Do not run this again if called by a gobject.timeout_add
549
614
return False
550
615
554
619
def init_checker(self):
555
620
# Schedule a new checker to be started an 'interval' from now,
556
621
# and every interval from then on.
622
if self.checker_initiator_tag is not None:
623
gobject.source_remove(self.checker_initiator_tag)
557
624
self.checker_initiator_tag = (gobject.timeout_add
558
625
(self.interval_milliseconds(),
559
626
self.start_checker))
560
627
# Schedule a disable() when 'timeout' has passed
628
if self.disable_initiator_tag is not None:
629
gobject.source_remove(self.disable_initiator_tag)
561
630
self.disable_initiator_tag = (gobject.timeout_add
562
631
(self.timeout_milliseconds(),
563
632
self.disable))
569
638
self.checker_callback_tag = None
570
639
self.checker = None
571
640
if os.WIFEXITED(condition):
572
self.last_checker_status = os.WEXITSTATUS(condition)
641
self.last_checker_status = os.WEXITSTATUS(condition)
573
642
if self.last_checker_status == 0:
574
643
logger.info("Checker for %(name)s succeeded",
575
644
vars(self))
582
651
logger.warning("Checker for %(name)s crashed?",
583
652
vars(self))
584
653
585
def checked_ok(self, timeout=None):
586
"""Bump up the timeout for this client.
587
588
This should only be called when the client has been seen,
589
alive and well.
590
"""
654
def checked_ok(self):
655
"""Assert that the client has been seen, alive and well."""
656
self.last_checked_ok = datetime.datetime.utcnow()
657
self.last_checker_status = 0
658
self.bump_timeout()
659
660
def bump_timeout(self, timeout=None):
661
"""Bump up the timeout for this client."""
591
662
if timeout is None:
592
663
timeout = self.timeout
593
self.last_checked_ok = datetime.datetime.utcnow()
594
664
if self.disable_initiator_tag is not None:
595
665
gobject.source_remove(self.disable_initiator_tag)
666
self.disable_initiator_tag = None
596
667
if getattr(self, "enabled", False):
597
668
self.disable_initiator_tag = (gobject.timeout_add
598
(_timedelta_to_milliseconds
669
(timedelta_to_milliseconds
599
670
(timeout), self.disable))
600
671
self.expires = datetime.datetime.utcnow() + timeout
601
672
608
679
If a checker already exists, leave it running and do
609
680
nothing."""
610
681
# The reason for not killing a running checker is that if we
611
# did that, then if a checker (for some reason) started
612
# running slowly and taking more than 'interval' time, the
613
# client would inevitably timeout, since no checker would get
614
# a chance to run to completion. If we instead leave running
682
# did that, and if a checker (for some reason) started running
683
# slowly and taking more than 'interval' time, then the client
684
# would inevitably timeout, since no checker would get a
685
# chance to run to completion. If we instead leave running
615
686
# checkers alone, the checker would have to take more time
616
687
# than 'timeout' for the client to be disabled, which is as it
617
688
# should be.
619
690
# If a checker exists, make sure it is not a zombie
620
691
try:
621
692
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
622
except (AttributeError, OSError) as error:
623
if (isinstance(error, OSError)
624
and error.errno != errno.ECHILD):
625
raise error
693
except AttributeError:
694
pass
695
except OSError as error:
696
if error.errno != errno.ECHILD:
697
raise
626
698
else:
627
699
if pid:
628
700
logger.warning("Checker was a zombie")
631
703
self.current_checker_command)
632
704
# Start a new checker if needed
633
705
if self.checker is None:
706
# Escape attributes for the shell
707
escaped_attrs = dict(
708
(attr, re.escape(unicode(getattr(self, attr))))
709
for attr in
710
self.runtime_expansions)
634
711
try:
635
# In case checker_command has exactly one % operator
636
command = self.checker_command % self.host
637
except TypeError:
638
# Escape attributes for the shell
639
escaped_attrs = dict(
640
(attr,
641
re.escape(unicode(str(getattr(self, attr, "")),
642
errors=
643
'replace')))
644
for attr in
645
self.runtime_expansions)
646
647
try:
648
command = self.checker_command % escaped_attrs
649
except TypeError as error:
650
logger.error('Could not format string "%s":'
651
' %s', self.checker_command, error)
652
return True # Try again later
712
command = self.checker_command % escaped_attrs
713
except TypeError as error:
714
logger.error('Could not format string "%s"',
715
self.checker_command, exc_info=error)
716
return True # Try again later
653
717
self.current_checker_command = command
654
718
try:
655
719
logger.info("Starting checker %r for %s",
658
722
# in normal mode, that is already done by daemon(),
659
723
# and in debug mode we don't want to. (Stdin is
660
724
# always replaced by /dev/null.)
725
# The exception is when not debugging but nevertheless
726
# running in the foreground; use the previously
727
# created wnull.
728
popen_args = {}
729
if (not self.server_settings["debug"]
730
and self.server_settings["foreground"]):
731
popen_args.update({"stdout": wnull,
732
"stderr": wnull })
661
733
self.checker = subprocess.Popen(command,
662
734
close_fds=True,
663
shell=True, cwd="/")
664
self.checker_callback_tag = (gobject.child_watch_add
665
(self.checker.pid,
666
self.checker_callback,
667
data=command))
668
# The checker may have completed before the gobject
669
# watch was added. Check for this.
735
shell=True, cwd="/",
736
**popen_args)
737
except OSError as error:
738
logger.error("Failed to start subprocess",
739
exc_info=error)
740
return True
741
self.checker_callback_tag = (gobject.child_watch_add
742
(self.checker.pid,
743
self.checker_callback,
744
data=command))
745
# The checker may have completed before the gobject
746
# watch was added. Check for this.
747
try:
670
748
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
671
if pid:
672
gobject.source_remove(self.checker_callback_tag)
673
self.checker_callback(pid, status, command)
674
749
except OSError as error:
675
logger.error("Failed to start subprocess: %s",
676
error)
750
if error.errno == errno.ECHILD:
751
# This should never happen
752
logger.error("Child process vanished",
753
exc_info=error)
754
return True
755
raise
756
if pid:
757
gobject.source_remove(self.checker_callback_tag)
758
self.checker_callback(pid, status, command)
677
759
# Re-run this periodically if run by gobject.timeout_add
678
760
return True
679
761
686
768
return
687
769
logger.debug("Stopping checker for %(name)s", vars(self))
688
770
try:
689
os.kill(self.checker.pid, signal.SIGTERM)
771
self.checker.terminate()
690
772
#time.sleep(0.5)
691
773
#if self.checker.poll() is None:
692
# os.kill(self.checker.pid, signal.SIGKILL)
774
# self.checker.kill()
693
775
except OSError as error:
694
776
if error.errno != errno.ESRCH: # No such process
695
777
raise
712
794
# "Set" method, so we fail early here:
713
795
if byte_arrays and signature != "ay":
714
796
raise ValueError("Byte arrays not supported for non-'ay'"
715
" signature %r" % signature)
797
" signature {0!r}".format(signature))
716
798
def decorator(func):
717
799
func._dbus_is_property = True
718
800
func._dbus_interface = dbus_interface
726
808
return decorator
727
809
728
810
811
def dbus_interface_annotations(dbus_interface):
812
"""Decorator for marking functions returning interface annotations
813
814
Usage:
815
816
@dbus_interface_annotations("org.example.Interface")
817
def _foo(self): # Function name does not matter
818
return {"org.freedesktop.DBus.Deprecated": "true",
819
"org.freedesktop.DBus.Property.EmitsChangedSignal":
820
"false"}
821
"""
822
def decorator(func):
823
func._dbus_is_interface = True
824
func._dbus_interface = dbus_interface
825
func._dbus_name = dbus_interface
826
return func
827
return decorator
828
829
830
def dbus_annotations(annotations):
831
"""Decorator to annotate D-Bus methods, signals or properties
832
Usage:
833
834
@dbus_service_property("org.example.Interface", signature="b",
835
access="r")
836
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
837
"org.freedesktop.DBus.Property."
838
"EmitsChangedSignal": "false"})
839
def Property_dbus_property(self):
840
return dbus.Boolean(False)
841
"""
842
def decorator(func):
843
func._dbus_annotations = annotations
844
return func
845
return decorator
846
847
729
848
class DBusPropertyException(dbus.exceptions.DBusException):
730
849
"""A base class for D-Bus property-related exceptions
731
850
"""
754
873
"""
755
874
756
875
@staticmethod
757
def _is_dbus_property(obj):
758
return getattr(obj, "_dbus_is_property", False)
876
def _is_dbus_thing(thing):
877
"""Returns a function testing if an attribute is a D-Bus thing
878
879
If called like _is_dbus_thing("method") it returns a function
880
suitable for use as predicate to inspect.getmembers().
881
"""
882
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
883
False)
759
884
760
def _get_all_dbus_properties(self):
885
def _get_all_dbus_things(self, thing):
761
886
"""Returns a generator of (name, attribute) pairs
762
887
"""
763
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
888
return ((getattr(athing.__get__(self), "_dbus_name",
889
name),
890
athing.__get__(self))
764
891
for cls in self.__class__.__mro__
765
for name, prop in
766
inspect.getmembers(cls, self._is_dbus_property))
892
for name, athing in
893
inspect.getmembers(cls,
894
self._is_dbus_thing(thing)))
767
895
768
896
def _get_dbus_property(self, interface_name, property_name):
769
897
"""Returns a bound method if one exists which is a D-Bus
771
899
"""
772
900
for cls in self.__class__.__mro__:
773
901
for name, value in (inspect.getmembers
774
(cls, self._is_dbus_property)):
902
(cls,
903
self._is_dbus_thing("property"))):
775
904
if (value._dbus_name == property_name
776
905
and value._dbus_interface == interface_name):
777
906
return value.__get__(self)
806
935
# signatures other than "ay".
807
936
if prop._dbus_signature != "ay":
808
937
raise ValueError
809
value = dbus.ByteArray(''.join(unichr(byte)
810
for byte in value))
938
value = dbus.ByteArray(b''.join(chr(byte)
939
for byte in value))
811
940
prop(value)
812
941
813
942
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
819
948
Note: Will not include properties with access="write".
820
949
"""
821
950
properties = {}
822
for name, prop in self._get_all_dbus_properties():
951
for name, prop in self._get_all_dbus_things("property"):
823
952
if (interface_name
824
953
and interface_name != prop._dbus_interface):
825
954
# Interface non-empty but did not match
840
969
path_keyword='object_path',
841
970
connection_keyword='connection')
842
971
def Introspect(self, object_path, connection):
843
"""Standard D-Bus method, overloaded to insert property tags.
972
"""Overloading of standard D-Bus method.
973
974
Inserts property tags and interface annotation tags.
844
975
"""
845
976
xmlstring = dbus.service.Object.Introspect(self, object_path,
846
977
connection)
853
984
e.setAttribute("access", prop._dbus_access)
854
985
return e
855
986
for if_tag in document.getElementsByTagName("interface"):
987
# Add property tags
856
988
for tag in (make_tag(document, name, prop)
857
989
for name, prop
858
in self._get_all_dbus_properties()
990
in self._get_all_dbus_things("property")
859
991
if prop._dbus_interface
860
992
== if_tag.getAttribute("name")):
861
993
if_tag.appendChild(tag)
994
# Add annotation tags
995
for typ in ("method", "signal", "property"):
996
for tag in if_tag.getElementsByTagName(typ):
997
annots = dict()
998
for name, prop in (self.
999
_get_all_dbus_things(typ)):
1000
if (name == tag.getAttribute("name")
1001
and prop._dbus_interface
1002
== if_tag.getAttribute("name")):
1003
annots.update(getattr
1004
(prop,
1005
"_dbus_annotations",
1006
{}))
1007
for name, value in annots.iteritems():
1008
ann_tag = document.createElement(
1009
"annotation")
1010
ann_tag.setAttribute("name", name)
1011
ann_tag.setAttribute("value", value)
1012
tag.appendChild(ann_tag)
1013
# Add interface annotation tags
1014
for annotation, value in dict(
1015
itertools.chain.from_iterable(
1016
annotations().iteritems()
1017
for name, annotations in
1018
self._get_all_dbus_things("interface")
1019
if name == if_tag.getAttribute("name")
1020
)).iteritems():
1021
ann_tag = document.createElement("annotation")
1022
ann_tag.setAttribute("name", annotation)
1023
ann_tag.setAttribute("value", value)
1024
if_tag.appendChild(ann_tag)
862
1025
# Add the names to the return values for the
863
1026
# "org.freedesktop.DBus.Properties" methods
864
1027
if (if_tag.getAttribute("name")
879
1042
except (AttributeError, xml.dom.DOMException,
880
1043
xml.parsers.expat.ExpatError) as error:
881
1044
logger.error("Failed to override Introspection method",
882
error)
1045
exc_info=error)
883
1046
return xmlstring
884
1047
885
1048
886
def datetime_to_dbus (dt, variant_level=0):
1049
def datetime_to_dbus(dt, variant_level=0):
887
1050
"""Convert a UTC datetime.datetime() to a D-Bus type."""
888
1051
if dt is None:
889
1052
return dbus.String("", variant_level = variant_level)
891
1054
variant_level=variant_level)
892
1055
893
1056
894
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
895
.__metaclass__):
896
"""Applied to an empty subclass of a D-Bus object, this metaclass
897
will add additional D-Bus attributes matching a certain pattern.
1057
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1058
"""A class decorator; applied to a subclass of
1059
dbus.service.Object, it will add alternate D-Bus attributes with
1060
interface names according to the "alt_interface_names" mapping.
1061
Usage:
1062
1063
@alternate_dbus_interfaces({"org.example.Interface":
1064
"net.example.AlternateInterface"})
1065
class SampleDBusObject(dbus.service.Object):
1066
@dbus.service.method("org.example.Interface")
1067
def SampleDBusMethod():
1068
pass
1069
1070
The above "SampleDBusMethod" on "SampleDBusObject" will be
1071
reachable via two interfaces: "org.example.Interface" and
1072
"net.example.AlternateInterface", the latter of which will have
1073
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1074
"true", unless "deprecate" is passed with a False value.
1075
1076
This works for methods and signals, and also for D-Bus properties
1077
(from DBusObjectWithProperties) and interfaces (from the
1078
dbus_interface_annotations decorator).
898
1079
"""
899
def __new__(mcs, name, bases, attr):
900
# Go through all the base classes which could have D-Bus
901
# methods, signals, or properties in them
902
for base in (b for b in bases
903
if issubclass(b, dbus.service.Object)):
904
# Go though all attributes of the base class
905
for attrname, attribute in inspect.getmembers(base):
1080
def wrapper(cls):
1081
for orig_interface_name, alt_interface_name in (
1082
alt_interface_names.iteritems()):
1083
attr = {}
1084
interface_names = set()
1085
# Go though all attributes of the class
1086
for attrname, attribute in inspect.getmembers(cls):
906
1087
# Ignore non-D-Bus attributes, and D-Bus attributes
907
1088
# with the wrong interface name
908
1089
if (not hasattr(attribute, "_dbus_interface")
909
1090
or not attribute._dbus_interface
910
.startswith("se.recompile.Mandos")):
1091
.startswith(orig_interface_name)):
911
1092
continue
912
1093
# Create an alternate D-Bus interface name based on
913
1094
# the current name
914
1095
alt_interface = (attribute._dbus_interface
915
.replace("se.recompile.Mandos",
916
"se.bsnet.fukt.Mandos"))
1096
.replace(orig_interface_name,
1097
alt_interface_name))
1098
interface_names.add(alt_interface)
917
1099
# Is this a D-Bus signal?
918
1100
if getattr(attribute, "_dbus_is_signal", False):
919
# Extract the original non-method function by
920
# black magic
1101
# Extract the original non-method undecorated
1102
# function by black magic
921
1103
nonmethod_func = (dict(
922
1104
zip(attribute.func_code.co_freevars,
923
1105
attribute.__closure__))["func"]
934
1116
nonmethod_func.func_name,
935
1117
nonmethod_func.func_defaults,
936
1118
nonmethod_func.func_closure)))
1119
# Copy annotations, if any
1120
try:
1121
new_function._dbus_annotations = (
1122
dict(attribute._dbus_annotations))
1123
except AttributeError:
1124
pass
937
1125
# Define a creator of a function to call both the
938
# old and new functions, so both the old and new
939
# signals gets sent when the function is called
1126
# original and alternate functions, so both the
1127
# original and alternate signals gets sent when
1128
# the function is called
940
1129
def fixscope(func1, func2):
941
1130
"""This function is a scope container to pass
942
1131
func1 and func2 to the "call_both" function
949
1138
return call_both
950
1139
# Create the "call_both" function and add it to
951
1140
# the class
952
attr[attrname] = fixscope(attribute,
953
new_function)
1141
attr[attrname] = fixscope(attribute, new_function)
954
1142
# Is this a D-Bus method?
955
1143
elif getattr(attribute, "_dbus_is_method", False):
956
1144
# Create a new, but exactly alike, function
967
1155
attribute.func_name,
968
1156
attribute.func_defaults,
969
1157
attribute.func_closure)))
1158
# Copy annotations, if any
1159
try:
1160
attr[attrname]._dbus_annotations = (
1161
dict(attribute._dbus_annotations))
1162
except AttributeError:
1163
pass
970
1164
# Is this a D-Bus property?
971
1165
elif getattr(attribute, "_dbus_is_property", False):
972
1166
# Create a new, but exactly alike, function
986
1180
attribute.func_name,
987
1181
attribute.func_defaults,
988
1182
attribute.func_closure)))
989
return type.__new__(mcs, name, bases, attr)
990
991
1183
# Copy annotations, if any
1184
try:
1185
attr[attrname]._dbus_annotations = (
1186
dict(attribute._dbus_annotations))
1187
except AttributeError:
1188
pass
1189
# Is this a D-Bus interface?
1190
elif getattr(attribute, "_dbus_is_interface", False):
1191
# Create a new, but exactly alike, function
1192
# object. Decorate it to be a new D-Bus interface
1193
# with the alternate D-Bus interface name. Add it
1194
# to the class.
1195
attr[attrname] = (dbus_interface_annotations
1196
(alt_interface)
1197
(types.FunctionType
1198
(attribute.func_code,
1199
attribute.func_globals,
1200
attribute.func_name,
1201
attribute.func_defaults,
1202
attribute.func_closure)))
1203
if deprecate:
1204
# Deprecate all alternate interfaces
1205
iname="_AlternateDBusNames_interface_annotation{0}"
1206
for interface_name in interface_names:
1207
@dbus_interface_annotations(interface_name)
1208
def func(self):
1209
return { "org.freedesktop.DBus.Deprecated":
1210
"true" }
1211
# Find an unused name
1212
for aname in (iname.format(i)
1213
for i in itertools.count()):
1214
if aname not in attr:
1215
attr[aname] = func
1216
break
1217
if interface_names:
1218
# Replace the class with a new subclass of it with
1219
# methods, signals, etc. as created above.
1220
cls = type(b"{0}Alternate".format(cls.__name__),
1221
(cls,), attr)
1222
return cls
1223
return wrapper
1224
1225
1226
@alternate_dbus_interfaces({"se.recompile.Mandos":
1227
"se.bsnet.fukt.Mandos"})
992
1228
class ClientDBus(Client, DBusObjectWithProperties):
993
1229
"""A Client class using D-Bus
994
1230
1005
1241
def __init__(self, bus = None, *args, **kwargs):
1006
1242
self.bus = bus
1007
1243
Client.__init__(self, *args, **kwargs)
1008
1009
self._approvals_pending = 0
1010
1244
# Only now, when this client is initialized, can it show up on
1011
1245
# the D-Bus
1012
1246
client_object_name = unicode(self.name).translate(
1016
1250
("/clients/" + client_object_name))
1017
1251
DBusObjectWithProperties.__init__(self, self.bus,
1018
1252
self.dbus_object_path)
1019
1253
1020
1254
def notifychangeproperty(transform_func,
1021
1255
dbus_name, type_func=lambda x: x,
1022
1256
variant_level=1):
1045
1279
1046
1280
return property(lambda self: getattr(self, attrname), setter)
1047
1281
1048
1049
1282
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1050
1283
approvals_pending = notifychangeproperty(dbus.Boolean,
1051
1284
"ApprovalPending",
1058
1291
checker is not None)
1059
1292
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1060
1293
"LastCheckedOK")
1294
last_checker_status = notifychangeproperty(dbus.Int16,
1295
"LastCheckerStatus")
1061
1296
last_approval_request = notifychangeproperty(
1062
1297
datetime_to_dbus, "LastApprovalRequest")
1063
1298
approved_by_default = notifychangeproperty(dbus.Boolean,
1064
1299
"ApprovedByDefault")
1065
approval_delay = notifychangeproperty(dbus.UInt16,
1300
approval_delay = notifychangeproperty(dbus.UInt64,
1066
1301
"ApprovalDelay",
1067
1302
type_func =
1068
_timedelta_to_milliseconds)
1303
timedelta_to_milliseconds)
1069
1304
approval_duration = notifychangeproperty(
1070
dbus.UInt16, "ApprovalDuration",
1071
type_func = _timedelta_to_milliseconds)
1305
dbus.UInt64, "ApprovalDuration",
1306
type_func = timedelta_to_milliseconds)
1072
1307
host = notifychangeproperty(dbus.String, "Host")
1073
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
1308
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1074
1309
type_func =
1075
_timedelta_to_milliseconds)
1310
timedelta_to_milliseconds)
1076
1311
extended_timeout = notifychangeproperty(
1077
dbus.UInt16, "ExtendedTimeout",
1078
type_func = _timedelta_to_milliseconds)
1079
interval = notifychangeproperty(dbus.UInt16,
1312
dbus.UInt64, "ExtendedTimeout",
1313
type_func = timedelta_to_milliseconds)
1314
interval = notifychangeproperty(dbus.UInt64,
1080
1315
"Interval",
1081
1316
type_func =
1082
_timedelta_to_milliseconds)
1317
timedelta_to_milliseconds)
1083
1318
checker_command = notifychangeproperty(dbus.String, "Checker")
1084
1319
1085
1320
del notifychangeproperty
1127
1362
return r
1128
1363
1129
1364
def _reset_approved(self):
1130
self._approved = None
1365
self.approved = None
1131
1366
return False
1132
1367
1133
1368
def approve(self, value=True):
1134
self.send_changedstate()
1135
self._approved = value
1136
gobject.timeout_add(_timedelta_to_milliseconds
1369
self.approved = value
1370
gobject.timeout_add(timedelta_to_milliseconds
1137
1371
(self.approval_duration),
1138
1372
self._reset_approved)
1139
1373
self.send_changedstate()
1140
1374
1141
1375
## D-Bus methods, signals & properties
1142
1376
_interface = "se.recompile.Mandos.Client"
1143
1377
1378
## Interfaces
1379
1380
@dbus_interface_annotations(_interface)
1381
def _foo(self):
1382
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1383
"false"}
1384
1144
1385
## Signals
1145
1386
1146
1387
# CheckerCompleted - signal
1182
1423
"D-Bus signal"
1183
1424
return self.need_approval()
1184
1425
1185
# NeRwequest - signal
1186
@dbus.service.signal(_interface, signature="s")
1187
def NewRequest(self, ip):
1188
"""D-Bus signal
1189
Is sent after a client request a password.
1190
"""
1191
pass
1192
1193
1426
## Methods
1194
1427
1195
1428
# Approve - method
1253
1486
access="readwrite")
1254
1487
def ApprovalDuration_dbus_property(self, value=None):
1255
1488
if value is None: # get
1256
return dbus.UInt64(_timedelta_to_milliseconds(
1489
return dbus.UInt64(timedelta_to_milliseconds(
1257
1490
self.approval_duration))
1258
1491
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1259
1492
1273
1506
def Host_dbus_property(self, value=None):
1274
1507
if value is None: # get
1275
1508
return dbus.String(self.host)
1276
self.host = value
1509
self.host = unicode(value)
1277
1510
1278
1511
# Created - property
1279
1512
@dbus_service_property(_interface, signature="s", access="read")
1280
1513
def Created_dbus_property(self):
1281
return dbus.String(datetime_to_dbus(self.created))
1514
return datetime_to_dbus(self.created)
1282
1515
1283
1516
# LastEnabled - property
1284
1517
@dbus_service_property(_interface, signature="s", access="read")
1305
1538
return
1306
1539
return datetime_to_dbus(self.last_checked_ok)
1307
1540
1541
# LastCheckerStatus - property
1542
@dbus_service_property(_interface, signature="n",
1543
access="read")
1544
def LastCheckerStatus_dbus_property(self):
1545
return dbus.Int16(self.last_checker_status)
1546
1308
1547
# Expires - property
1309
1548
@dbus_service_property(_interface, signature="s", access="read")
1310
1549
def Expires_dbus_property(self):
1321
1560
def Timeout_dbus_property(self, value=None):
1322
1561
if value is None: # get
1323
1562
return dbus.UInt64(self.timeout_milliseconds())
1563
old_timeout = self.timeout
1324
1564
self.timeout = datetime.timedelta(0, 0, 0, value)
1325
if getattr(self, "disable_initiator_tag", None) is None:
1326
return
1327
# Reschedule timeout
1328
gobject.source_remove(self.disable_initiator_tag)
1329
self.disable_initiator_tag = None
1330
self.expires = None
1331
time_to_die = _timedelta_to_milliseconds((self
1332
.last_checked_ok
1333
+ self.timeout)
1334
- datetime.datetime
1335
.utcnow())
1336
if time_to_die <= 0:
1337
# The timeout has passed
1338
self.disable()
1339
else:
1340
self.expires = (datetime.datetime.utcnow()
1341
+ datetime.timedelta(milliseconds =
1342
time_to_die))
1343
self.disable_initiator_tag = (gobject.timeout_add
1344
(time_to_die, self.disable))
1565
# Reschedule disabling
1566
if self.enabled:
1567
now = datetime.datetime.utcnow()
1568
self.expires += self.timeout - old_timeout
1569
if self.expires <= now:
1570
# The timeout has passed
1571
self.disable()
1572
else:
1573
if (getattr(self, "disable_initiator_tag", None)
1574
is None):
1575
return
1576
gobject.source_remove(self.disable_initiator_tag)
1577
self.disable_initiator_tag = (
1578
gobject.timeout_add(
1579
timedelta_to_milliseconds(self.expires - now),
1580
self.disable))
1345
1581
1346
1582
# ExtendedTimeout - property
1347
1583
@dbus_service_property(_interface, signature="t",
1360
1596
self.interval = datetime.timedelta(0, 0, 0, value)
1361
1597
if getattr(self, "checker_initiator_tag", None) is None:
1362
1598
return
1363
# Reschedule checker run
1364
gobject.source_remove(self.checker_initiator_tag)
1365
self.checker_initiator_tag = (gobject.timeout_add
1366
(value, self.start_checker))
1367
self.start_checker() # Start one now, too
1599
if self.enabled:
1600
# Reschedule checker run
1601
gobject.source_remove(self.checker_initiator_tag)
1602
self.checker_initiator_tag = (gobject.timeout_add
1603
(value, self.start_checker))
1604
self.start_checker() # Start one now, too
1368
1605
1369
1606
# Checker - property
1370
1607
@dbus_service_property(_interface, signature="s",
1372
1609
def Checker_dbus_property(self, value=None):
1373
1610
if value is None: # get
1374
1611
return dbus.String(self.checker_command)
1375
self.checker_command = value
1612
self.checker_command = unicode(value)
1376
1613
1377
1614
# CheckerRunning - property
1378
1615
@dbus_service_property(_interface, signature="b",
1407
1644
raise KeyError()
1408
1645
1409
1646
def __getattribute__(self, name):
1410
if(name == '_pipe'):
1647
if name == '_pipe':
1411
1648
return super(ProxyClient, self).__getattribute__(name)
1412
1649
self._pipe.send(('getattr', name))
1413
1650
data = self._pipe.recv()
1420
1657
return func
1421
1658
1422
1659
def __setattr__(self, name, value):
1423
if(name == '_pipe'):
1660
if name == '_pipe':
1424
1661
return super(ProxyClient, self).__setattr__(name, value)
1425
1662
self._pipe.send(('setattr', name, value))
1426
1663
1427
1664
1428
class ClientDBusTransitional(ClientDBus):
1429
__metaclass__ = AlternateDBusNamesMetaclass
1430
1431
1432
1665
class ClientHandler(socketserver.BaseRequestHandler, object):
1433
1666
"""A class to handle client connections.
1434
1667
1470
1703
logger.debug("Protocol version: %r", line)
1471
1704
try:
1472
1705
if int(line.strip().split()[0]) > 1:
1473
raise RuntimeError
1706
raise RuntimeError(line)
1474
1707
except (ValueError, IndexError, RuntimeError) as error:
1475
1708
logger.error("Unknown protocol version: %s", error)
1476
1709
return
1495
1728
logger.warning("Bad certificate: %s", error)
1496
1729
return
1497
1730
logger.debug("Fingerprint: %s", fpr)
1498
if self.server.use_dbus:
1499
# Emit D-Bus signal
1500
client.NewRequest(str(self.client_address))
1501
1731
1502
1732
try:
1503
1733
client = ProxyClient(child_pipe, fpr,
1519
1749
client.Rejected("Disabled")
1520
1750
return
1521
1751
1522
if client._approved or not client.approval_delay:
1752
if client.approved or not client.approval_delay:
1523
1753
#We are approved or approval is disabled
1524
1754
break
1525
elif client._approved is None:
1755
elif client.approved is None:
1526
1756
logger.info("Client %s needs approval",
1527
1757
client.name)
1528
1758
if self.server.use_dbus:
1541
1771
#wait until timeout or approved
1542
1772
time = datetime.datetime.now()
1543
1773
client.changedstate.acquire()
1544
(client.changedstate.wait
1545
(float(client._timedelta_to_milliseconds(delay)
1546
/ 1000)))
1774
client.changedstate.wait(
1775
float(timedelta_to_milliseconds(delay)
1776
/ 1000))
1547
1777
client.changedstate.release()
1548
1778
time2 = datetime.datetime.now()
1549
1779
if (time2 - time) >= delay:
1565
1795
try:
1566
1796
sent = session.send(client.secret[sent_size:])
1567
1797
except gnutls.errors.GNUTLSError as error:
1568
logger.warning("gnutls send failed")
1798
logger.warning("gnutls send failed",
1799
exc_info=error)
1569
1800
return
1570
1801
logger.debug("Sent: %d, remaining: %d",
1571
1802
sent, len(client.secret)
1574
1805
1575
1806
logger.info("Sending secret to %s", client.name)
1576
1807
# bump the timeout using extended_timeout
1577
client.checked_ok(client.extended_timeout)
1808
client.bump_timeout(client.extended_timeout)
1578
1809
if self.server.use_dbus:
1579
1810
# Emit D-Bus signal
1580
1811
client.GotSecret()
1585
1816
try:
1586
1817
session.bye()
1587
1818
except gnutls.errors.GNUTLSError as error:
1588
logger.warning("GnuTLS bye failed")
1819
logger.warning("GnuTLS bye failed",
1820
exc_info=error)
1589
1821
1590
1822
@staticmethod
1591
1823
def peer_certificate(session):
1656
1888
def sub_process_main(self, request, address):
1657
1889
try:
1658
1890
self.finish_request(request, address)
1659
except:
1891
except Exception:
1660
1892
self.handle_error(request, address)
1661
1893
self.close_request(request)
1662
1894
1663
1895
def process_request(self, request, address):
1664
1896
"""Start a new process to process the request."""
1665
1897
proc = multiprocessing.Process(target = self.sub_process_main,
1666
args = (request,
1667
address))
1898
args = (request, address))
1668
1899
proc.start()
1669
1900
return proc
1670
1901
1685
1916
1686
1917
def add_pipe(self, parent_pipe, proc):
1687
1918
"""Dummy function; override as necessary"""
1688
raise NotImplementedError
1919
raise NotImplementedError()
1689
1920
1690
1921
1691
1922
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1698
1929
use_ipv6: Boolean; to use IPv6 or not
1699
1930
"""
1700
1931
def __init__(self, server_address, RequestHandlerClass,
1701
interface=None, use_ipv6=True):
1932
interface=None, use_ipv6=True, socketfd=None):
1933
"""If socketfd is set, use that file descriptor instead of
1934
creating a new one with socket.socket().
1935
"""
1702
1936
self.interface = interface
1703
1937
if use_ipv6:
1704
1938
self.address_family = socket.AF_INET6
1939
if socketfd is not None:
1940
# Save the file descriptor
1941
self.socketfd = socketfd
1942
# Save the original socket.socket() function
1943
self.socket_socket = socket.socket
1944
# To implement --socket, we monkey patch socket.socket.
1945
#
1946
# (When socketserver.TCPServer is a new-style class, we
1947
# could make self.socket into a property instead of monkey
1948
# patching socket.socket.)
1949
#
1950
# Create a one-time-only replacement for socket.socket()
1951
@functools.wraps(socket.socket)
1952
def socket_wrapper(*args, **kwargs):
1953
# Restore original function so subsequent calls are
1954
# not affected.
1955
socket.socket = self.socket_socket
1956
del self.socket_socket
1957
# This time only, return a new socket object from the
1958
# saved file descriptor.
1959
return socket.fromfd(self.socketfd, *args, **kwargs)
1960
# Replace socket.socket() function with wrapper
1961
socket.socket = socket_wrapper
1962
# The socketserver.TCPServer.__init__ will call
1963
# socket.socket(), which might be our replacement,
1964
# socket_wrapper(), if socketfd was set.
1705
1965
socketserver.TCPServer.__init__(self, server_address,
1706
1966
RequestHandlerClass)
1967
1707
1968
def server_bind(self):
1708
1969
"""This overrides the normal server_bind() function
1709
1970
to bind to an interface if one was specified, and also NOT to
1717
1978
try:
1718
1979
self.socket.setsockopt(socket.SOL_SOCKET,
1719
1980
SO_BINDTODEVICE,
1720
str(self.interface
1721
+ '\0'))
1981
str(self.interface + '\0'))
1722
1982
except socket.error as error:
1723
if error[0] == errno.EPERM:
1724
logger.error("No permission to"
1725
" bind to interface %s",
1726
self.interface)
1727
elif error[0] == errno.ENOPROTOOPT:
1983
if error.errno == errno.EPERM:
1984
logger.error("No permission to bind to"
1985
" interface %s", self.interface)
1986
elif error.errno == errno.ENOPROTOOPT:
1728
1987
logger.error("SO_BINDTODEVICE not available;"
1729
1988
" cannot bind to interface %s",
1730
1989
self.interface)
1990
elif error.errno == errno.ENODEV:
1991
logger.error("Interface %s does not exist,"
1992
" cannot bind", self.interface)
1731
1993
else:
1732
1994
raise
1733
1995
# Only bind(2) the socket if we really need to.
1736
1998
if self.address_family == socket.AF_INET6:
1737
1999
any_address = "::" # in6addr_any
1738
2000
else:
1739
any_address = socket.INADDR_ANY
2001
any_address = "0.0.0.0" # INADDR_ANY
1740
2002
self.server_address = (any_address,
1741
2003
self.server_address[1])
1742
2004
elif not self.server_address[1]:
1763
2025
"""
1764
2026
def __init__(self, server_address, RequestHandlerClass,
1765
2027
interface=None, use_ipv6=True, clients=None,
1766
gnutls_priority=None, use_dbus=True):
2028
gnutls_priority=None, use_dbus=True, socketfd=None):
1767
2029
self.enabled = False
1768
2030
self.clients = clients
1769
2031
if self.clients is None:
1773
2035
IPv6_TCPServer.__init__(self, server_address,
1774
2036
RequestHandlerClass,
1775
2037
interface = interface,
1776
use_ipv6 = use_ipv6)
2038
use_ipv6 = use_ipv6,
2039
socketfd = socketfd)
1777
2040
def server_activate(self):
1778
2041
if self.enabled:
1779
2042
return socketserver.TCPServer.server_activate(self)
1792
2055
1793
2056
def handle_ipc(self, source, condition, parent_pipe=None,
1794
2057
proc = None, client_object=None):
1795
condition_names = {
1796
gobject.IO_IN: "IN", # There is data to read.
1797
gobject.IO_OUT: "OUT", # Data can be written (without
1798
# blocking).
1799
gobject.IO_PRI: "PRI", # There is urgent data to read.
1800
gobject.IO_ERR: "ERR", # Error condition.
1801
gobject.IO_HUP: "HUP" # Hung up (the connection has been
1802
# broken, usually for pipes and
1803
# sockets).
1804
}
1805
conditions_string = ' | '.join(name
1806
for cond, name in
1807
condition_names.iteritems()
1808
if cond & condition)
1809
2058
# error, or the other end of multiprocessing.Pipe has closed
1810
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
2059
if condition & (gobject.IO_ERR | gobject.IO_HUP):
1811
2060
# Wait for other process to exit
1812
2061
proc.join()
1813
2062
return False
1871
2120
return True
1872
2121
1873
2122
2123
def rfc3339_duration_to_delta(duration):
2124
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2125
2126
>>> rfc3339_duration_to_delta("P7D")
2127
datetime.timedelta(7)
2128
>>> rfc3339_duration_to_delta("PT60S")
2129
datetime.timedelta(0, 60)
2130
>>> rfc3339_duration_to_delta("PT60M")
2131
datetime.timedelta(0, 3600)
2132
>>> rfc3339_duration_to_delta("PT24H")
2133
datetime.timedelta(1)
2134
>>> rfc3339_duration_to_delta("P1W")
2135
datetime.timedelta(7)
2136
>>> rfc3339_duration_to_delta("PT5M30S")
2137
datetime.timedelta(0, 330)
2138
>>> rfc3339_duration_to_delta("P1DT3M20S")
2139
datetime.timedelta(1, 200)
2140
"""
2141
2142
# Parsing an RFC 3339 duration with regular expressions is not
2143
# possible - there would have to be multiple places for the same
2144
# values, like seconds. The current code, while more esoteric, is
2145
# cleaner without depending on a parsing library. If Python had a
2146
# built-in library for parsing we would use it, but we'd like to
2147
# avoid excessive use of external libraries.
2148
2149
# New type for defining tokens, syntax, and semantics all-in-one
2150
Token = collections.namedtuple("Token",
2151
("regexp", # To match token; if
2152
# "value" is not None,
2153
# must have a "group"
2154
# containing digits
2155
"value", # datetime.timedelta or
2156
# None
2157
"followers")) # Tokens valid after
2158
# this token
2159
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2160
# the "duration" ABNF definition in RFC 3339, Appendix A.
2161
token_end = Token(re.compile(r"$"), None, frozenset())
2162
token_second = Token(re.compile(r"(\d+)S"),
2163
datetime.timedelta(seconds=1),
2164
frozenset((token_end,)))
2165
token_minute = Token(re.compile(r"(\d+)M"),
2166
datetime.timedelta(minutes=1),
2167
frozenset((token_second, token_end)))
2168
token_hour = Token(re.compile(r"(\d+)H"),
2169
datetime.timedelta(hours=1),
2170
frozenset((token_minute, token_end)))
2171
token_time = Token(re.compile(r"T"),
2172
None,
2173
frozenset((token_hour, token_minute,
2174
token_second)))
2175
token_day = Token(re.compile(r"(\d+)D"),
2176
datetime.timedelta(days=1),
2177
frozenset((token_time, token_end)))
2178
token_month = Token(re.compile(r"(\d+)M"),
2179
datetime.timedelta(weeks=4),
2180
frozenset((token_day, token_end)))
2181
token_year = Token(re.compile(r"(\d+)Y"),
2182
datetime.timedelta(weeks=52),
2183
frozenset((token_month, token_end)))
2184
token_week = Token(re.compile(r"(\d+)W"),
2185
datetime.timedelta(weeks=1),
2186
frozenset((token_end,)))
2187
token_duration = Token(re.compile(r"P"), None,
2188
frozenset((token_year, token_month,
2189
token_day, token_time,
2190
token_week))),
2191
# Define starting values
2192
value = datetime.timedelta() # Value so far
2193
found_token = None
2194
followers = frozenset(token_duration,) # Following valid tokens
2195
s = duration # String left to parse
2196
# Loop until end token is found
2197
while found_token is not token_end:
2198
# Search for any currently valid tokens
2199
for token in followers:
2200
match = token.regexp.match(s)
2201
if match is not None:
2202
# Token found
2203
if token.value is not None:
2204
# Value found, parse digits
2205
factor = int(match.group(1), 10)
2206
# Add to value so far
2207
value += factor * token.value
2208
# Strip token from string
2209
s = token.regexp.sub("", s, 1)
2210
# Go to found token
2211
found_token = token
2212
# Set valid next tokens
2213
followers = found_token.followers
2214
break
2215
else:
2216
# No currently valid tokens were found
2217
raise ValueError("Invalid RFC 3339 duration")
2218
# End token found
2219
return value
2220
2221
1874
2222
def string_to_delta(interval):
1875
2223
"""Parse a string and return a datetime.timedelta
1876
2224
1887
2235
>>> string_to_delta('5m 30s')
1888
2236
datetime.timedelta(0, 330)
1889
2237
"""
2238
2239
try:
2240
return rfc3339_duration_to_delta(interval)
2241
except ValueError:
2242
pass
2243
1890
2244
timevalue = datetime.timedelta(0)
1891
2245
for s in interval.split():
1892
2246
try:
1903
2257
elif suffix == "w":
1904
2258
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1905
2259
else:
1906
raise ValueError("Unknown suffix %r" % suffix)
1907
except (ValueError, IndexError) as e:
2260
raise ValueError("Unknown suffix {0!r}"
2261
.format(suffix))
2262
except IndexError as e:
1908
2263
raise ValueError(*(e.args))
1909
2264
timevalue += delta
1910
2265
return timevalue
1923
2278
sys.exit()
1924
2279
if not noclose:
1925
2280
# Close all standard open file descriptors
1926
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2281
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1927
2282
if not stat.S_ISCHR(os.fstat(null).st_mode):
1928
2283
raise OSError(errno.ENODEV,
1929
"%s not a character device"
1930
% os.path.devnull)
2284
"{0} not a character device"
2285
.format(os.devnull))
1931
2286
os.dup2(null, sys.stdin.fileno())
1932
2287
os.dup2(null, sys.stdout.fileno())
1933
2288
os.dup2(null, sys.stderr.fileno())
1942
2297
1943
2298
parser = argparse.ArgumentParser()
1944
2299
parser.add_argument("-v", "--version", action="version",
1945
version = "%%(prog)s %s" % version,
2300
version = "%(prog)s {0}".format(version),
1946
2301
help="show version number and exit")
1947
2302
parser.add_argument("-i", "--interface", metavar="IF",
1948
2303
help="Bind to interface IF")
1954
2309
help="Run self-test")
1955
2310
parser.add_argument("--debug", action="store_true",
1956
2311
help="Debug mode; run in foreground and log"
1957
" to terminal")
2312
" to terminal", default=None)
1958
2313
parser.add_argument("--debuglevel", metavar="LEVEL",
1959
2314
help="Debug level for stdout output")
1960
2315
parser.add_argument("--priority", help="GnuTLS"
1967
2322
" files")
1968
2323
parser.add_argument("--no-dbus", action="store_false",
1969
2324
dest="use_dbus", help="Do not provide D-Bus"
1970
" system bus interface")
2325
" system bus interface", default=None)
1971
2326
parser.add_argument("--no-ipv6", action="store_false",
1972
dest="use_ipv6", help="Do not use IPv6")
2327
dest="use_ipv6", help="Do not use IPv6",
2328
default=None)
1973
2329
parser.add_argument("--no-restore", action="store_false",
1974
2330
dest="restore", help="Do not restore stored"
1975
" state")
2331
" state", default=None)
2332
parser.add_argument("--socket", type=int,
2333
help="Specify a file descriptor to a network"
2334
" socket to use instead of creating one")
1976
2335
parser.add_argument("--statedir", metavar="DIR",
1977
2336
help="Directory to save/restore state in")
2337
parser.add_argument("--foreground", action="store_true",
2338
help="Run in foreground", default=None)
1978
2339
1979
2340
options = parser.parse_args()
1980
2341
1989
2350
"port": "",
1990
2351
"debug": "False",
1991
2352
"priority":
1992
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2353
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
1993
2354
"servicename": "Mandos",
1994
2355
"use_dbus": "True",
1995
2356
"use_ipv6": "True",
1996
2357
"debuglevel": "",
1997
2358
"restore": "True",
1998
"statedir": "/var/lib/mandos"
2359
"socket": "",
2360
"statedir": "/var/lib/mandos",
2361
"foreground": "False",
1999
2362
}
2000
2363
2001
2364
# Parse config file for server-global settings
2006
2369
# Convert the SafeConfigParser object to a dict
2007
2370
server_settings = server_config.defaults()
2008
2371
# Use the appropriate methods on the non-string config options
2009
for option in ("debug", "use_dbus", "use_ipv6"):
2372
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2010
2373
server_settings[option] = server_config.getboolean("DEFAULT",
2011
2374
option)
2012
2375
if server_settings["port"]:
2013
2376
server_settings["port"] = server_config.getint("DEFAULT",
2014
2377
"port")
2378
if server_settings["socket"]:
2379
server_settings["socket"] = server_config.getint("DEFAULT",
2380
"socket")
2381
# Later, stdin will, and stdout and stderr might, be dup'ed
2382
# over with an opened os.devnull. But we don't want this to
2383
# happen with a supplied network socket.
2384
if 0 <= server_settings["socket"] <= 2:
2385
server_settings["socket"] = os.dup(server_settings
2386
["socket"])
2015
2387
del server_config
2016
2388
2017
2389
# Override the settings from the config file with command line
2019
2391
for option in ("interface", "address", "port", "debug",
2020
2392
"priority", "servicename", "configdir",
2021
2393
"use_dbus", "use_ipv6", "debuglevel", "restore",
2022
"statedir"):
2394
"statedir", "socket", "foreground"):
2023
2395
value = getattr(options, option)
2024
2396
if value is not None:
2025
2397
server_settings[option] = value
2028
2400
for option in server_settings.keys():
2029
2401
if type(server_settings[option]) is str:
2030
2402
server_settings[option] = unicode(server_settings[option])
2403
# Force all boolean options to be boolean
2404
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2405
"foreground"):
2406
server_settings[option] = bool(server_settings[option])
2407
# Debug implies foreground
2408
if server_settings["debug"]:
2409
server_settings["foreground"] = True
2031
2410
# Now we have our good server settings in "server_settings"
2032
2411
2033
2412
##################################################################
2039
2418
use_ipv6 = server_settings["use_ipv6"]
2040
2419
stored_state_path = os.path.join(server_settings["statedir"],
2041
2420
stored_state_file)
2421
foreground = server_settings["foreground"]
2042
2422
2043
2423
if debug:
2044
initlogger(logging.DEBUG)
2424
initlogger(debug, logging.DEBUG)
2045
2425
else:
2046
2426
if not debuglevel:
2047
initlogger()
2427
initlogger(debug)
2048
2428
else:
2049
2429
level = getattr(logging, debuglevel.upper())
2050
initlogger(level)
2430
initlogger(debug, level)
2051
2431
2052
2432
if server_settings["servicename"] != "Mandos":
2053
2433
syslogger.setFormatter(logging.Formatter
2054
('Mandos (%s) [%%(process)d]:'
2055
' %%(levelname)s: %%(message)s'
2056
% server_settings["servicename"]))
2434
('Mandos ({0}) [%(process)d]:'
2435
' %(levelname)s: %(message)s'
2436
.format(server_settings
2437
["servicename"])))
2057
2438
2058
2439
# Parse config file with clients
2059
client_defaults = { "timeout": "5m",
2060
"extended_timeout": "15m",
2061
"interval": "2m",
2062
"checker": "fping -q -- %%(host)s",
2063
"host": "",
2064
"approval_delay": "0s",
2065
"approval_duration": "1s",
2066
}
2067
client_config = configparser.SafeConfigParser(client_defaults)
2440
client_config = configparser.SafeConfigParser(Client
2441
.client_defaults)
2068
2442
client_config.read(os.path.join(server_settings["configdir"],
2069
2443
"clients.conf"))
2070
2444
2079
2453
use_ipv6=use_ipv6,
2080
2454
gnutls_priority=
2081
2455
server_settings["priority"],
2082
use_dbus=use_dbus)
2083
if not debug:
2084
pidfilename = "/var/run/mandos.pid"
2456
use_dbus=use_dbus,
2457
socketfd=(server_settings["socket"]
2458
or None))
2459
if not foreground:
2460
pidfilename = "/run/mandos.pid"
2461
if not os.path.isdir("/run/."):
2462
pidfilename = "/var/run/mandos.pid"
2463
pidfile = None
2085
2464
try:
2086
2465
pidfile = open(pidfilename, "w")
2087
except IOError:
2088
logger.error("Could not open file %r", pidfilename)
2466
except IOError as e:
2467
logger.error("Could not open file %r", pidfilename,
2468
exc_info=e)
2089
2469
2090
try:
2091
uid = pwd.getpwnam("_mandos").pw_uid
2092
gid = pwd.getpwnam("_mandos").pw_gid
2093
except KeyError:
2470
for name in ("_mandos", "mandos", "nobody"):
2094
2471
try:
2095
uid = pwd.getpwnam("mandos").pw_uid
2096
gid = pwd.getpwnam("mandos").pw_gid
2472
uid = pwd.getpwnam(name).pw_uid
2473
gid = pwd.getpwnam(name).pw_gid
2474
break
2097
2475
except KeyError:
2098
try:
2099
uid = pwd.getpwnam("nobody").pw_uid
2100
gid = pwd.getpwnam("nobody").pw_gid
2101
except KeyError:
2102
uid = 65534
2103
gid = 65534
2476
continue
2477
else:
2478
uid = 65534
2479
gid = 65534
2104
2480
try:
2105
2481
os.setgid(gid)
2106
2482
os.setuid(uid)
2107
2483
except OSError as error:
2108
if error[0] != errno.EPERM:
2109
raise error
2484
if error.errno != errno.EPERM:
2485
raise
2110
2486
2111
2487
if debug:
2112
2488
# Enable all possible GnuTLS debugging
2123
2499
.gnutls_global_set_log_function(debug_gnutls))
2124
2500
2125
2501
# Redirect stdin so all checkers get /dev/null
2126
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2502
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2127
2503
os.dup2(null, sys.stdin.fileno())
2128
2504
if null > 2:
2129
2505
os.close(null)
2130
else:
2131
# No console logging
2132
logger.removeHandler(console)
2133
2506
2134
2507
# Need to fork before connecting to D-Bus
2135
if not debug:
2508
if not foreground:
2136
2509
# Close all input and output, do double fork, etc.
2137
2510
daemon()
2138
2511
2512
# multiprocessing will use threads, so before we use gobject we
2513
# need to inform gobject that threads will be used.
2514
gobject.threads_init()
2515
2139
2516
global main_loop
2140
2517
# From the Avahi example code
2141
DBusGMainLoop(set_as_default=True )
2518
DBusGMainLoop(set_as_default=True)
2142
2519
main_loop = gobject.MainLoop()
2143
2520
bus = dbus.SystemBus()
2144
2521
# End of Avahi example code
2150
2527
("se.bsnet.fukt.Mandos", bus,
2151
2528
do_not_queue=True))
2152
2529
except dbus.exceptions.NameExistsException as e:
2153
logger.error(unicode(e) + ", disabling D-Bus")
2530
logger.error("Disabling D-Bus:", exc_info=e)
2154
2531
use_dbus = False
2155
2532
server_settings["use_dbus"] = False
2156
2533
tcp_server.use_dbus = False
2168
2545
2169
2546
client_class = Client
2170
2547
if use_dbus:
2171
client_class = functools.partial(ClientDBusTransitional,
2172
bus = bus)
2173
2174
special_settings = {
2175
# Some settings need to be accessd by special methods;
2176
# booleans need .getboolean(), etc. Here is a list of them:
2177
"approved_by_default":
2178
lambda section:
2179
client_config.getboolean(section, "approved_by_default"),
2180
}
2181
# Construct a new dict of client settings of this form:
2182
# { client_name: {setting_name: value, ...}, ...}
2183
# with exceptions for any special settings as defined above
2184
client_settings = dict((clientname,
2185
dict((setting,
2186
(value
2187
if setting not in special_settings
2188
else special_settings[setting]
2189
(clientname)))
2190
for setting, value in
2191
client_config.items(clientname)))
2192
for clientname in client_config.sections())
2193
2548
client_class = functools.partial(ClientDBus, bus = bus)
2549
2550
client_settings = Client.config_parser(client_config)
2194
2551
old_client_settings = {}
2195
clients_data = []
2552
clients_data = {}
2553
2554
# This is used to redirect stdout and stderr for checker processes
2555
global wnull
2556
wnull = open(os.devnull, "w") # A writable /dev/null
2557
# Only used if server is running in foreground but not in debug
2558
# mode
2559
if debug or not foreground:
2560
wnull.close()
2196
2561
2197
2562
# Get client data and settings from last running state.
2198
2563
if server_settings["restore"]:
2202
2567
(stored_state))
2203
2568
os.remove(stored_state_path)
2204
2569
except IOError as e:
2205
logger.warning("Could not load persistent state: {0}"
2206
.format(e))
2207
if e.errno != errno.ENOENT:
2570
if e.errno == errno.ENOENT:
2571
logger.warning("Could not load persistent state: {0}"
2572
.format(os.strerror(e.errno)))
2573
else:
2574
logger.critical("Could not load persistent state:",
2575
exc_info=e)
2208
2576
raise
2577
except EOFError as e:
2578
logger.warning("Could not load persistent state: "
2579
"EOFError:", exc_info=e)
2209
2580
2210
with Crypto() as crypt:
2211
for client in clients_data:
2212
client_name = client["name"]
2581
with PGPEngine() as pgp:
2582
for client_name, client in clients_data.iteritems():
2583
# Skip removed clients
2584
if client_name not in client_settings:
2585
continue
2213
2586
2214
2587
# Decide which value to use after restoring saved state.
2215
2588
# We have three different values: Old config file,
2224
2597
if (name != "secret" and
2225
2598
value != old_client_settings[client_name]
2226
2599
[name]):
2227
setattr(client, name, value)
2600
client[name] = value
2228
2601
except KeyError:
2229
2602
pass
2230
2603
2231
2604
# Clients who has passed its expire date can still be
2232
# enabled if its last checker was sucessful. Clients
2233
# whose checker failed before we stored its state is
2234
# assumed to have failed all checkers during downtime.
2235
if client["enabled"] and client["last_checked_ok"]:
2236
if ((datetime.datetime.utcnow()
2237
- client["last_checked_ok"])
2238
> client["interval"]):
2239
if client["last_checker_status"] != 0:
2605
# enabled if its last checker was successful. Clients
2606
# whose checker succeeded before we stored its state is
2607
# assumed to have successfully run all checkers during
2608
# downtime.
2609
if client["enabled"]:
2610
if datetime.datetime.utcnow() >= client["expires"]:
2611
if not client["last_checked_ok"]:
2612
logger.warning(
2613
"disabling client {0} - Client never "
2614
"performed a successful checker"
2615
.format(client_name))
2616
client["enabled"] = False
2617
elif client["last_checker_status"] != 0:
2618
logger.warning(
2619
"disabling client {0} - Client "
2620
"last checker failed with error code {1}"
2621
.format(client_name,
2622
client["last_checker_status"]))
2240
2623
client["enabled"] = False
2241
2624
else:
2242
2625
client["expires"] = (datetime.datetime
2243
2626
.utcnow()
2244
2627
+ client["timeout"])
2245
2246
client["changedstate"] = (multiprocessing_manager
2247
.Condition
2248
(multiprocessing_manager
2249
.Lock()))
2250
if use_dbus:
2251
new_client = (ClientDBusTransitional.__new__
2252
(ClientDBusTransitional))
2253
tcp_server.clients[client_name] = new_client
2254
new_client.bus = bus
2255
for name, value in client.iteritems():
2256
setattr(new_client, name, value)
2257
client_object_name = unicode(client_name).translate(
2258
{ord("."): ord("_"),
2259
ord("-"): ord("_")})
2260
new_client.dbus_object_path = (dbus.ObjectPath
2261
("/clients/"
2262
+ client_object_name))
2263
DBusObjectWithProperties.__init__(new_client,
2264
new_client.bus,
2265
new_client
2266
.dbus_object_path)
2267
else:
2268
tcp_server.clients[client_name] = (Client.__new__
2269
(Client))
2270
for name, value in client.iteritems():
2271
setattr(tcp_server.clients[client_name],
2272
name, value)
2273
2628
logger.debug("Last checker succeeded,"
2629
" keeping {0} enabled"
2630
.format(client_name))
2274
2631
try:
2275
tcp_server.clients[client_name].secret = (
2276
crypt.decrypt(tcp_server.clients[client_name]
2277
.encrypted_secret,
2278
client_settings[client_name]
2279
["secret"]))
2280
except CryptoError:
2632
client["secret"] = (
2633
pgp.decrypt(client["encrypted_secret"],
2634
client_settings[client_name]
2635
["secret"]))
2636
except PGPError:
2281
2637
# If decryption fails, we use secret from new settings
2282
tcp_server.clients[client_name].secret = (
2638
logger.debug("Failed to decrypt {0} old secret"
2639
.format(client_name))
2640
client["secret"] = (
2283
2641
client_settings[client_name]["secret"])
2284
2642
2285
# Create/remove clients based on new changes made to config
2286
for clientname in set(old_client_settings) - set(client_settings):
2287
del tcp_server.clients[clientname]
2288
for clientname in set(client_settings) - set(old_client_settings):
2289
tcp_server.clients[clientname] = (client_class(name
2290
= clientname,
2291
config =
2292
client_settings
2293
[clientname]))
2643
# Add/remove clients based on new changes made to config
2644
for client_name in (set(old_client_settings)
2645
- set(client_settings)):
2646
del clients_data[client_name]
2647
for client_name in (set(client_settings)
2648
- set(old_client_settings)):
2649
clients_data[client_name] = client_settings[client_name]
2650
2651
# Create all client objects
2652
for client_name, client in clients_data.iteritems():
2653
tcp_server.clients[client_name] = client_class(
2654
name = client_name, settings = client,
2655
server_settings = server_settings)
2294
2656
2295
2657
if not tcp_server.clients:
2296
2658
logger.warning("No clients defined")
2297
2298
if not debug:
2299
try:
2300
with pidfile:
2301
pid = os.getpid()
2302
pidfile.write(str(pid) + "\n".encode("utf-8"))
2303
del pidfile
2304
except IOError:
2305
logger.error("Could not write to file %r with PID %d",
2306
pidfilename, pid)
2307
except NameError:
2308
# "pidfile" was never created
2309
pass
2659
2660
if not foreground:
2661
if pidfile is not None:
2662
try:
2663
with pidfile:
2664
pid = os.getpid()
2665
pidfile.write(str(pid) + "\n".encode("utf-8"))
2666
except IOError:
2667
logger.error("Could not write to file %r with PID %d",
2668
pidfilename, pid)
2669
del pidfile
2310
2670
del pidfilename
2311
2312
signal.signal(signal.SIGINT, signal.SIG_IGN)
2313
2671
2314
2672
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2315
2673
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2316
2674
2317
2675
if use_dbus:
2318
class MandosDBusService(dbus.service.Object):
2676
@alternate_dbus_interfaces({"se.recompile.Mandos":
2677
"se.bsnet.fukt.Mandos"})
2678
class MandosDBusService(DBusObjectWithProperties):
2319
2679
"""A D-Bus proxy object"""
2320
2680
def __init__(self):
2321
2681
dbus.service.Object.__init__(self, bus, "/")
2322
2682
_interface = "se.recompile.Mandos"
2323
2683
2684
@dbus_interface_annotations(_interface)
2685
def _foo(self):
2686
return { "org.freedesktop.DBus.Property"
2687
".EmitsChangedSignal":
2688
"false"}
2689
2324
2690
@dbus.service.signal(_interface, signature="o")
2325
2691
def ClientAdded(self, objpath):
2326
2692
"D-Bus signal"
2368
2734
2369
2735
del _interface
2370
2736
2371
class MandosDBusServiceTransitional(MandosDBusService):
2372
__metaclass__ = AlternateDBusNamesMetaclass
2373
mandos_dbus_service = MandosDBusServiceTransitional()
2737
mandos_dbus_service = MandosDBusService()
2374
2738
2375
2739
def cleanup():
2376
2740
"Cleanup function; run on exit"
2377
2741
service.cleanup()
2378
2742
2379
2743
multiprocessing.active_children()
2744
wnull.close()
2380
2745
if not (tcp_server.clients or client_settings):
2381
2746
return
2382
2747
2383
2748
# Store client before exiting. Secrets are encrypted with key
2384
2749
# based on what config file has. If config file is
2385
2750
# removed/edited, old secret will thus be unrecovable.
2386
clients = []
2387
with Crypto() as crypt:
2751
clients = {}
2752
with PGPEngine() as pgp:
2388
2753
for client in tcp_server.clients.itervalues():
2389
2754
key = client_settings[client.name]["secret"]
2390
client.encrypted_secret = crypt.encrypt(client.secret,
2391
key)
2755
client.encrypted_secret = pgp.encrypt(client.secret,
2756
key)
2392
2757
client_dict = {}
2393
2758
2394
# A list of attributes that will not be stored when
2395
# shutting down.
2396
exclude = set(("bus", "changedstate", "secret"))
2759
# A list of attributes that can not be pickled
2760
# + secret.
2761
exclude = set(("bus", "changedstate", "secret",
2762
"checker", "server_settings"))
2397
2763
for name, typ in (inspect.getmembers
2398
2764
(dbus.service.Object)):
2399
2765
exclude.add(name)
2404
2770
if attr not in exclude:
2405
2771
client_dict[attr] = getattr(client, attr)
2406
2772
2407
clients.append(client_dict)
2773
clients[client.name] = client_dict
2408
2774
del client_settings[client.name]["secret"]
2409
2775
2410
2776
try:
2411
with os.fdopen(os.open(stored_state_path,
2412
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2413
0600), "wb") as stored_state:
2777
with (tempfile.NamedTemporaryFile
2778
(mode='wb', suffix=".pickle", prefix='clients-',
2779
dir=os.path.dirname(stored_state_path),
2780
delete=False)) as stored_state:
2414
2781
pickle.dump((clients, client_settings), stored_state)
2782
tempname=stored_state.name
2783
os.rename(tempname, stored_state_path)
2415
2784
except (IOError, OSError) as e:
2416
logger.warning("Could not save persistent state: {0}"
2417
.format(e))
2418
if e.errno not in (errno.ENOENT, errno.EACCES):
2785
if not debug:
2786
try:
2787
os.remove(tempname)
2788
except NameError:
2789
pass
2790
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2791
logger.warning("Could not save persistent state: {0}"
2792
.format(os.strerror(e.errno)))
2793
else:
2794
logger.warning("Could not save persistent state:",
2795
exc_info=e)
2419
2796
raise
2420
2797
2421
2798
# Delete all clients, and settings from config
2449
2826
service.port = tcp_server.socket.getsockname()[1]
2450
2827
if use_ipv6:
2451
2828
logger.info("Now listening on address %r, port %d,"
2452
" flowinfo %d, scope_id %d"
2453
% tcp_server.socket.getsockname())
2829
" flowinfo %d, scope_id %d",
2830
*tcp_server.socket.getsockname())
2454
2831
else: # IPv4
2455
logger.info("Now listening on address %r, port %d"
2456
% tcp_server.socket.getsockname())
2832
logger.info("Now listening on address %r, port %d",
2833
*tcp_server.socket.getsockname())
2457
2834
2458
2835
#service.interface = tcp_server.socket.getsockname()[3]
2459
2836
2462
2839
try:
2463
2840
service.activate()
2464
2841
except dbus.exceptions.DBusException as error:
2465
logger.critical("DBusException: %s", error)
2842
logger.critical("D-Bus Exception", exc_info=error)
2466
2843
cleanup()
2467
2844
sys.exit(1)
2468
2845
# End of Avahi example code
2475
2852
logger.debug("Starting main loop")
2476
2853
main_loop.run()
2477
2854
except AvahiError as error:
2478
logger.critical("AvahiError: %s", error)
2855
logger.critical("Avahi Error", exc_info=error)
2479
2856
cleanup()
2480
2857
sys.exit(1)
2481
2858
except KeyboardInterrupt:
2486
2863
# Must run before the D-Bus bus name gets deregistered
2487
2864
cleanup()
2488
2865
2489
2490
2866
if __name__ == '__main__':
2491
2867
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0