/mandos/release : revision 237.7.333

1

#!/usr/bin/python

1

#!/usr/bin/python2.7

2

# -*- mode: python; coding: utf-8 -*-

3

#

4

# Mandos server - give out binary blobs to connecting clients.

11

# "AvahiService" class, and some lines in "main".

12

#

13

# Everything else is

14

15

14

15

16

#

17

# This program is free software: you can redistribute it and/or modify

18

# it under the terms of the GNU General Public License as published by

36

37

from future_builtins import *

38

39

import SocketServer as socketserver

39

try:

40

import SocketServer as socketserver

41

except ImportError:

42

import socketserver

40

43

import socket

41

44

import argparse

42

45

import datetime

47

50

import gnutls.library.functions

48

51

import gnutls.library.constants

49

52

import gnutls.library.types

50

import ConfigParser as configparser

53

try:

54

import ConfigParser as configparser

55

except ImportError:

56

import configparser

51

57

import sys

52

58

import re

53

59

import os

62

68

import struct

63

69

import fcntl

64

70

import functools

65

import cPickle as pickle

71

try:

72

import cPickle as pickle

73

except ImportError:

74

import pickle

66

75

import multiprocessing

67

76

import types

68

77

import binascii

69

78

import tempfile

70

79

import itertools

71

80

import collections

81

import codecs

72

82

73

83

import dbus

74

84

import dbus.service

75

import gobject

85

try:

86

import gobject

87

except ImportError:

88

from gi.repository import GObject as gobject

76

89

import avahi

77

90

from dbus.mainloop.glib import DBusGMainLoop

78

91

import ctypes

88

101

except ImportError:

89

102

SO_BINDTODEVICE = None

90

103

91

version = "1.6.5"

104

if sys.version_info.major == 2:

105

str = unicode

106

107

version = "1.6.9"

92

108

stored_state_file = "clients.pickle"

93

109

94

110

logger = logging.getLogger()

95

111

syslogger = None

96

112

97

113

try:

98

if_nametoindex = (ctypes.cdll.LoadLibrary

99

(ctypes.util.find_library("c"))

100

.if_nametoindex)

114

if_nametoindex = ctypes.cdll.LoadLibrary(

115

ctypes.util.find_library("c")).if_nametoindex

101

116

except (OSError, AttributeError):

117

102

118

def if_nametoindex(interface):

103

119

"Get an interface index the hard way, i.e. using fcntl()"

104

120

SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h

105

121

with contextlib.closing(socket.socket()) as s:

106

122

ifreq = fcntl.ioctl(s, SIOCGIFINDEX,

107

struct.pack(str("16s16x"),

108

interface))

109

interface_index = struct.unpack(str("I"),

110

ifreq[16:20])[0]

123

struct.pack(b"16s16x", interface))

124

interface_index = struct.unpack("I", ifreq[16:20])[0]

111

125

return interface_index

112

126

113

127

115

129

"""init logger and add loglevel"""

116

130

117

131

global syslogger

118

syslogger = (logging.handlers.SysLogHandler

119

(facility =

120

logging.handlers.SysLogHandler.LOG_DAEMON,

121

address = str("/dev/log")))

132

syslogger = (logging.handlers.SysLogHandler(

133

facility = logging.handlers.SysLogHandler.LOG_DAEMON,

134

address = "/dev/log"))

122

135

syslogger.setFormatter(logging.Formatter

123

136

('Mandos [%(process)d]: %(levelname)s:'

124

137

' %(message)s'))

141

154

142

155

class PGPEngine(object):

143

156

"""A simple class for OpenPGP symmetric encryption & decryption"""

157

144

158

def __init__(self):

145

159

self.tempdir = tempfile.mkdtemp(prefix="mandos-")

146

160

self.gnupgargs = ['--batch',

185

199

186

200

def encrypt(self, data, password):

187

201

passphrase = self.password_encode(password)

188

with tempfile.NamedTemporaryFile(dir=self.tempdir

189

) as passfile:

202

with tempfile.NamedTemporaryFile(

203

dir=self.tempdir) as passfile:

190

204

passfile.write(passphrase)

191

205

passfile.flush()

192

206

proc = subprocess.Popen(['gpg', '--symmetric',

203

217

204

218

def decrypt(self, data, password):

205

219

passphrase = self.password_encode(password)

206

with tempfile.NamedTemporaryFile(dir = self.tempdir

207

) as passfile:

220

with tempfile.NamedTemporaryFile(

221

dir = self.tempdir) as passfile:

208

222

passfile.write(passphrase)

209

223

passfile.flush()

210

224

proc = subprocess.Popen(['gpg', '--decrypt',

214

228

stdin = subprocess.PIPE,

215

229

stdout = subprocess.PIPE,

216

230

stderr = subprocess.PIPE)

217

decrypted_plaintext, err = proc.communicate(input

218

= data)

231

decrypted_plaintext, err = proc.communicate(input = data)

219

232

if proc.returncode != 0:

220

233

raise PGPError(err)

221

234

return decrypted_plaintext

224

237

class AvahiError(Exception):

225

238

def __init__(self, value, *args, **kwargs):

226

239

self.value = value

227

super(AvahiError, self).__init__(value, *args, **kwargs)

228

def __unicode__(self):

229

return unicode(repr(self.value))

240

return super(AvahiError, self).__init__(value, *args,

241

**kwargs)

242

230

243

231

244

class AvahiServiceError(AvahiError):

232

245

pass

233

246

247

234

248

class AvahiGroupError(AvahiError):

235

249

pass

236

250

256

270

bus: dbus.SystemBus()

257

271

"""

258

272

259

def __init__(self, interface = avahi.IF_UNSPEC, name = None,

260

servicetype = None, port = None, TXT = None,

261

domain = "", host = "", max_renames = 32768,

262

protocol = avahi.PROTO_UNSPEC, bus = None):

273

def __init__(self,

274

interface = avahi.IF_UNSPEC,

275

name = None,

276

servicetype = None,

277

port = None,

278

TXT = None,

279

domain = "",

280

host = "",

281

max_renames = 32768,

282

protocol = avahi.PROTO_UNSPEC,

283

bus = None):

263

284

self.interface = interface

264

285

self.name = name

265

286

self.type = servicetype

275

296

self.bus = bus

276

297

self.entry_group_state_changed_match = None

277

298

278

def rename(self):

299

def rename(self, remove=True):

279

300

"""Derived from the Avahi example code"""

280

301

if self.rename_count >= self.max_renames:

281

302

logger.critical("No suitable Zeroconf service name found"

282

303

" after %i retries, exiting.",

283

304

self.rename_count)

284

305

raise AvahiServiceError("Too many renames")

285

self.name = unicode(self.server

286

.GetAlternativeServiceName(self.name))

306

self.name = str(

307

self.server.GetAlternativeServiceName(self.name))

308

self.rename_count += 1

287

309

logger.info("Changing Zeroconf service name to %r ...",

288

310

self.name)

289

self.remove()

311

if remove:

312

self.remove()

290

313

try:

291

314

self.add()

292

315

except dbus.exceptions.DBusException as error:

293

logger.critical("D-Bus Exception", exc_info=error)

294

self.cleanup()

295

os._exit(1)

296

self.rename_count += 1

316

if (error.get_dbus_name()

317

== "org.freedesktop.Avahi.CollisionError"):

318

logger.info("Local Zeroconf service name collision.")

319

return self.rename(remove=False)

320

else:

321

logger.critical("D-Bus Exception", exc_info=error)

322

self.cleanup()

323

os._exit(1)

297

324

298

325

def remove(self):

299

326

"""Derived from the Avahi example code"""

337

364

self.rename()

338

365

elif state == avahi.ENTRY_GROUP_FAILURE:

339

366

logger.critical("Avahi: Error in group state changed %s",

340

unicode(error))

341

raise AvahiGroupError("State changed: {0!s}"

342

.format(error))

367

str(error))

368

raise AvahiGroupError("State changed: {!s}".format(error))

343

369

344

370

def cleanup(self):

345

371

"""Derived from the Avahi example code"""

355

381

def server_state_changed(self, state, error=None):

356

382

"""Derived from the Avahi example code"""

357

383

logger.debug("Avahi server state change: %i", state)

358

bad_states = { avahi.SERVER_INVALID:

359

"Zeroconf server invalid",

360

avahi.SERVER_REGISTERING: None,

361

avahi.SERVER_COLLISION:

362

"Zeroconf server name collision",

363

avahi.SERVER_FAILURE:

364

"Zeroconf server failure" }

384

bad_states = {

385

avahi.SERVER_INVALID: "Zeroconf server invalid",

386

avahi.SERVER_REGISTERING: None,

387

avahi.SERVER_COLLISION: "Zeroconf server name collision",

388

avahi.SERVER_FAILURE: "Zeroconf server failure",

389

}

365

390

if state in bad_states:

366

391

if bad_states[state] is not None:

367

392

if error is None:

370

395

logger.error(bad_states[state] + ": %r", error)

371

396

self.cleanup()

372

397

elif state == avahi.SERVER_RUNNING:

373

self.add()

398

try:

399

self.add()

400

except dbus.exceptions.DBusException as error:

401

if (error.get_dbus_name()

402

== "org.freedesktop.Avahi.CollisionError"):

403

logger.info("Local Zeroconf service name"

404

" collision.")

405

return self.rename(remove=False)

406

else:

407

logger.critical("D-Bus Exception", exc_info=error)

408

self.cleanup()

409

os._exit(1)

374

410

else:

375

411

if error is None:

376

412

logger.debug("Unknown state: %r", state)

386

422

follow_name_owner_changes=True),

387

423

avahi.DBUS_INTERFACE_SERVER)

388

424

self.server.connect_to_signal("StateChanged",

389

self.server_state_changed)

425

self.server_state_changed)

390

426

self.server_state_changed(self.server.GetState())

391

427

392

428

393

429

class AvahiServiceToSyslog(AvahiService):

394

def rename(self):

430

def rename(self, *args, **kwargs):

395

431

"""Add the new name to the syslog messages"""

396

ret = AvahiService.rename(self)

397

syslogger.setFormatter(logging.Formatter

398

('Mandos ({0}) [%(process)d]:'

399

' %(levelname)s: %(message)s'

400

.format(self.name)))

432

ret = AvahiService.rename(self, *args, **kwargs)

433

syslogger.setFormatter(logging.Formatter(

434

'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'

435

.format(self.name)))

401

436

return ret

402

437

403

404

def timedelta_to_milliseconds(td):

405

"Convert a datetime.timedelta() to milliseconds"

406

return ((td.days * 24 * 60 * 60 * 1000)

407

+ (td.seconds * 1000)

408

+ (td.microseconds // 1000))

409

438

def call_pipe(connection, # : multiprocessing.Connection

439

func, *args, **kwargs):

440

"""This function is meant to be called by multiprocessing.Process

441

442

This function runs func(*args, **kwargs), and writes the resulting

443

return value on the provided multiprocessing.Connection.

444

"""

445

connection.send(func(*args, **kwargs))

446

connection.close()

410

447

411

448

class Client(object):

412

449

"""A representation of a client host served by this server.

439

476

last_checker_status: integer between 0 and 255 reflecting exit

440

477

status of last checker. -1 reflects crashed

441

478

checker, -2 means no checker completed yet.

479

last_checker_signal: The signal which killed the last checker, if

480

last_checker_status is -1

442

481

last_enabled: datetime.datetime(); (UTC) or None

443

482

name: string; from the config file, used in log messages and

444

483

D-Bus identifiers

457

496

"fingerprint", "host", "interval",

458

497

"last_approval_request", "last_checked_ok",

459

498

"last_enabled", "name", "timeout")

460

client_defaults = { "timeout": "PT5M",

461

"extended_timeout": "PT15M",

462

"interval": "PT2M",

463

"checker": "fping -q -- %%(host)s",

464

"host": "",

465

"approval_delay": "PT0S",

466

"approval_duration": "PT1S",

467

"approved_by_default": "True",

468

"enabled": "True",

469

}

470

471

def timeout_milliseconds(self):

472

"Return the 'timeout' attribute in milliseconds"

473

return timedelta_to_milliseconds(self.timeout)

474

475

def extended_timeout_milliseconds(self):

476

"Return the 'extended_timeout' attribute in milliseconds"

477

return timedelta_to_milliseconds(self.extended_timeout)

478

479

def interval_milliseconds(self):

480

"Return the 'interval' attribute in milliseconds"

481

return timedelta_to_milliseconds(self.interval)

482

483

def approval_delay_milliseconds(self):

484

return timedelta_to_milliseconds(self.approval_delay)

499

client_defaults = {

500

"timeout": "PT5M",

501

"extended_timeout": "PT15M",

502

"interval": "PT2M",

503

"checker": "fping -q -- %%(host)s",

504

"host": "",

505

"approval_delay": "PT0S",

506

"approval_duration": "PT1S",

507

"approved_by_default": "True",

508

"enabled": "True",

509

}

485

510

486

511

@staticmethod

487

512

def config_parser(config):

503

528

client["enabled"] = config.getboolean(client_name,

504

529

"enabled")

505

530

531

# Uppercase and remove spaces from fingerprint for later

532

# comparison purposes with return value from the

533

# fingerprint() function

506

534

client["fingerprint"] = (section["fingerprint"].upper()

507

535

.replace(" ", ""))

508

536

if "secret" in section:

513

541

"rb") as secfile:

514

542

client["secret"] = secfile.read()

515

543

else:

516

raise TypeError("No secret or secfile for section {0}"

544

raise TypeError("No secret or secfile for section {}"

517

545

.format(section))

518

546

client["timeout"] = string_to_delta(section["timeout"])

519

547

client["extended_timeout"] = string_to_delta(

536

564

server_settings = {}

537

565

self.server_settings = server_settings

538

566

# adding all client settings

539

for setting, value in settings.iteritems():

567

for setting, value in settings.items():

540

568

setattr(self, setting, value)

541

569

542

570

if self.enabled:

550

578

self.expires = None

551

579

552

580

logger.debug("Creating client %r", self.name)

553

# Uppercase and remove spaces from fingerprint for later

554

# comparison purposes with return value from the fingerprint()

555

# function

556

581

logger.debug(" Fingerprint: %s", self.fingerprint)

557

582

self.created = settings.get("created",

558

583

datetime.datetime.utcnow())

565

590

self.current_checker_command = None

566

591

self.approved = None

567

592

self.approvals_pending = 0

568

self.changedstate = (multiprocessing_manager

569

.Condition(multiprocessing_manager

570

.Lock()))

571

self.client_structure = [attr for attr in

572

self.__dict__.iterkeys()

593

self.changedstate = multiprocessing_manager.Condition(

594

multiprocessing_manager.Lock())

595

self.client_structure = [attr

596

for attr in self.__dict__.iterkeys()

573

597

if not attr.startswith("_")]

574

598

self.client_structure.append("client_structure")

575

599

576

for name, t in inspect.getmembers(type(self),

577

lambda obj:

578

isinstance(obj,

579

property)):

600

for name, t in inspect.getmembers(

601

type(self), lambda obj: isinstance(obj, property)):

580

602

if not name.startswith("_"):

581

603

self.client_structure.append(name)

582

604

624

646

# and every interval from then on.

625

647

if self.checker_initiator_tag is not None:

626

648

gobject.source_remove(self.checker_initiator_tag)

627

self.checker_initiator_tag = (gobject.timeout_add

628

(self.interval_milliseconds(),

629

self.start_checker))

649

self.checker_initiator_tag = gobject.timeout_add(

650

int(self.interval.total_seconds() * 1000),

651

self.start_checker)

630

652

# Schedule a disable() when 'timeout' has passed

631

653

if self.disable_initiator_tag is not None:

632

654

gobject.source_remove(self.disable_initiator_tag)

633

self.disable_initiator_tag = (gobject.timeout_add

634

(self.timeout_milliseconds(),

635

self.disable))

655

self.disable_initiator_tag = gobject.timeout_add(

656

int(self.timeout.total_seconds() * 1000), self.disable)

636

657

# Also start a new checker *right now*.

637

658

self.start_checker()

638

659

639

def checker_callback(self, pid, condition, command):

660

def checker_callback(self, source, condition, connection,

661

command):

640

662

"""The checker has completed, so take appropriate actions."""

641

663

self.checker_callback_tag = None

642

664

self.checker = None

643

if os.WIFEXITED(condition):

644

self.last_checker_status = os.WEXITSTATUS(condition)

665

# Read return code from connection (see call_pipe)

666

returncode = connection.recv()

667

connection.close()

668

669

if returncode >= 0:

670

self.last_checker_status = returncode

671

self.last_checker_signal = None

645

672

if self.last_checker_status == 0:

646

673

logger.info("Checker for %(name)s succeeded",

647

674

vars(self))

648

675

self.checked_ok()

649

676

else:

650

logger.info("Checker for %(name)s failed",

651

vars(self))

677

logger.info("Checker for %(name)s failed", vars(self))

652

678

else:

653

679

self.last_checker_status = -1

680

self.last_checker_signal = -returncode

654

681

logger.warning("Checker for %(name)s crashed?",

655

682

vars(self))

683

return False

656

684

657

685

def checked_ok(self):

658

686

"""Assert that the client has been seen, alive and well."""

659

687

self.last_checked_ok = datetime.datetime.utcnow()

660

688

self.last_checker_status = 0

689

self.last_checker_signal = None

661

690

self.bump_timeout()

662

691

663

692

def bump_timeout(self, timeout=None):

668

697

gobject.source_remove(self.disable_initiator_tag)

669

698

self.disable_initiator_tag = None

670

699

if getattr(self, "enabled", False):

671

self.disable_initiator_tag = (gobject.timeout_add

672

(timedelta_to_milliseconds

673

(timeout), self.disable))

700

self.disable_initiator_tag = gobject.timeout_add(

701

int(timeout.total_seconds() * 1000), self.disable)

674

702

self.expires = datetime.datetime.utcnow() + timeout

675

703

676

704

def need_approval(self):

690

718

# than 'timeout' for the client to be disabled, which is as it

691

719

# should be.

692

720

693

# If a checker exists, make sure it is not a zombie

694

try:

695

pid, status = os.waitpid(self.checker.pid, os.WNOHANG)

696

except AttributeError:

697

pass

698

except OSError as error:

699

if error.errno != errno.ECHILD:

700

raise

701

else:

702

if pid:

703

logger.warning("Checker was a zombie")

704

gobject.source_remove(self.checker_callback_tag)

705

self.checker_callback(pid, status,

706

self.current_checker_command)

721

if self.checker is not None and not self.checker.is_alive():

722

logger.warning("Checker was not alive; joining")

723

self.checker.join()

724

self.checker = None

707

725

# Start a new checker if needed

708

726

if self.checker is None:

709

727

# Escape attributes for the shell

710

escaped_attrs = dict(

711

(attr, re.escape(unicode(getattr(self, attr))))

712

for attr in

713

self.runtime_expansions)

728

escaped_attrs = {

729

attr: re.escape(str(getattr(self, attr)))

730

for attr in self.runtime_expansions }

714

731

try:

715

732

command = self.checker_command % escaped_attrs

716

733

except TypeError as error:

717

734

logger.error('Could not format string "%s"',

718

self.checker_command, exc_info=error)

719

return True # Try again later

735

self.checker_command,

736

exc_info=error)

737

return True # Try again later

720

738

self.current_checker_command = command

721

try:

722

logger.info("Starting checker %r for %s",

723

command, self.name)

724

# We don't need to redirect stdout and stderr, since

725

# in normal mode, that is already done by daemon(),

726

# and in debug mode we don't want to. (Stdin is

727

# always replaced by /dev/null.)

728

# The exception is when not debugging but nevertheless

729

# running in the foreground; use the previously

730

# created wnull.

731

popen_args = {}

732

if (not self.server_settings["debug"]

733

and self.server_settings["foreground"]):

734

popen_args.update({"stdout": wnull,

735

"stderr": wnull })

736

self.checker = subprocess.Popen(command,

737

close_fds=True,

738

shell=True, cwd="/",

739

**popen_args)

740

except OSError as error:

741

logger.error("Failed to start subprocess",

742

exc_info=error)

743

return True

744

self.checker_callback_tag = (gobject.child_watch_add

745

(self.checker.pid,

746

self.checker_callback,

747

data=command))

748

# The checker may have completed before the gobject

749

# watch was added. Check for this.

750

try:

751

pid, status = os.waitpid(self.checker.pid, os.WNOHANG)

752

except OSError as error:

753

if error.errno == errno.ECHILD:

754

# This should never happen

755

logger.error("Child process vanished",

756

exc_info=error)

757

return True

758

raise

759

if pid:

760

gobject.source_remove(self.checker_callback_tag)

761

self.checker_callback(pid, status, command)

739

logger.info("Starting checker %r for %s", command,

740

self.name)

741

# We don't need to redirect stdout and stderr, since

742

# in normal mode, that is already done by daemon(),

743

# and in debug mode we don't want to. (Stdin is

744

# always replaced by /dev/null.)

745

# The exception is when not debugging but nevertheless

746

# running in the foreground; use the previously

747

# created wnull.

748

popen_args = { "close_fds": True,

749

"shell": True,

750

"cwd": "/" }

751

if (not self.server_settings["debug"]

752

and self.server_settings["foreground"]):

753

popen_args.update({"stdout": wnull,

754

"stderr": wnull })

755

pipe = multiprocessing.Pipe(duplex = False)

756

self.checker = multiprocessing.Process(

757

target = call_pipe,

758

args = (pipe[1], subprocess.call, command),

759

kwargs = popen_args)

760

self.checker.start()

761

self.checker_callback_tag = gobject.io_add_watch(

762

pipe[0].fileno(), gobject.IO_IN,

763

self.checker_callback, pipe[0], command)

762

764

# Re-run this periodically if run by gobject.timeout_add

763

765

return True

764

766

770

772

if getattr(self, "checker", None) is None:

771

773

return

772

774

logger.debug("Stopping checker for %(name)s", vars(self))

773

try:

774

self.checker.terminate()

775

#time.sleep(0.5)

776

#if self.checker.poll() is None:

777

# self.checker.kill()

778

except OSError as error:

779

if error.errno != errno.ESRCH: # No such process

780

raise

775

self.checker.terminate()

781

776

self.checker = None

782

777

783

778

784

def dbus_service_property(dbus_interface, signature="v",

785

access="readwrite", byte_arrays=False):

779

def dbus_service_property(dbus_interface,

780

signature="v",

781

access="readwrite",

782

byte_arrays=False):

786

783

"""Decorators for marking methods of a DBusObjectWithProperties to

787

784

become properties on the D-Bus.

788

785

797

794

# "Set" method, so we fail early here:

798

795

if byte_arrays and signature != "ay":

799

796

raise ValueError("Byte arrays not supported for non-'ay'"

800

" signature {0!r}".format(signature))

797

" signature {!r}".format(signature))

798

801

799

def decorator(func):

802

800

func._dbus_is_property = True

803

801

func._dbus_interface = dbus_interface

808

806

func._dbus_name = func._dbus_name[:-14]

809

807

func._dbus_get_args_options = {'byte_arrays': byte_arrays }

810

808

return func

809

811

810

return decorator

812

811

813

812

822

821

"org.freedesktop.DBus.Property.EmitsChangedSignal":

823

822

"false"}

824

823

"""

824

825

def decorator(func):

826

func._dbus_is_interface = True

827

func._dbus_interface = dbus_interface

828

func._dbus_name = dbus_interface

829

return func

830

831

return decorator

831

832

833

834

835

"""Decorator to annotate D-Bus methods, signals or properties

835

836

Usage:

836

837

838

@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",

839

"org.freedesktop.DBus.Property."

840

"EmitsChangedSignal": "false"})

837

841

@dbus_service_property("org.example.Interface", signature="b",

838

842

access="r")

839

@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",

840

"org.freedesktop.DBus.Property."

841

"EmitsChangedSignal": "false"})

842

843

def Property_dbus_property(self):

843

844

return dbus.Boolean(False)

845

846

See also the DBusObjectWithAnnotations class.

844

847

"""

848

845

849

def decorator(func):

846

850

func._dbus_annotations = annotations

847

851

return func

852

848

853

return decorator

849

854

850

855

851

856

class DBusPropertyException(dbus.exceptions.DBusException):

852

857

"""A base class for D-Bus property-related exceptions

853

858

"""

854

def __unicode__(self):

855

return unicode(str(self))

859

pass

856

860

857

861

858

862

class DBusPropertyAccessException(DBusPropertyException):

867

871

pass

868

872

869

873

870

class DBusObjectWithProperties(dbus.service.Object):

871

"""A D-Bus object with properties.

874

class DBusObjectWithAnnotations(dbus.service.Object):

875

"""A D-Bus object with annotations.

872

876

873

Classes inheriting from this can use the dbus_service_property

874

decorator to expose methods as D-Bus properties. It exposes the

875

standard Get(), Set(), and GetAll() methods on the D-Bus.

877

Classes inheriting from this can use the dbus_annotations

878

decorator to add annotations to methods or signals.

876

879

"""

877

880

878

881

@staticmethod

882

885

If called like _is_dbus_thing("method") it returns a function

883

886

suitable for use as predicate to inspect.getmembers().

884

887

"""

885

return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),

888

return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),

886

889

False)

887

890

888

891

def _get_all_dbus_things(self, thing):

889

892

"""Returns a generator of (name, attribute) pairs

890

893

"""

891

return ((getattr(athing.__get__(self), "_dbus_name",

892

name),

894

return ((getattr(athing.__get__(self), "_dbus_name", name),

893

895

athing.__get__(self))

894

896

for cls in self.__class__.__mro__

895

897

for name, athing in

896

inspect.getmembers(cls,

897

self._is_dbus_thing(thing)))

898

inspect.getmembers(cls, self._is_dbus_thing(thing)))

899

900

@dbus.service.method(dbus.INTROSPECTABLE_IFACE,

901

out_signature = "s",

902

path_keyword = 'object_path',

903

connection_keyword = 'connection')

904

def Introspect(self, object_path, connection):

905

"""Overloading of standard D-Bus method.

906

907

Inserts annotation tags on methods and signals.

908

"""

909

xmlstring = dbus.service.Object.Introspect(self, object_path,

910

connection)

911

try:

912

document = xml.dom.minidom.parseString(xmlstring)

913

914

for if_tag in document.getElementsByTagName("interface"):

915

# Add annotation tags

916

for typ in ("method", "signal"):

917

for tag in if_tag.getElementsByTagName(typ):

918

annots = dict()

919

for name, prop in (self.

920

_get_all_dbus_things(typ)):

921

if (name == tag.getAttribute("name")

922

and prop._dbus_interface

923

== if_tag.getAttribute("name")):

924

annots.update(getattr(

925

prop, "_dbus_annotations", {}))

926

for name, value in annots.items():

927

ann_tag = document.createElement(

928

"annotation")

929

ann_tag.setAttribute("name", name)

930

ann_tag.setAttribute("value", value)

931

tag.appendChild(ann_tag)

932

# Add interface annotation tags

933

for annotation, value in dict(

934

itertools.chain.from_iterable(

935

annotations().items()

936

for name, annotations

937

in self._get_all_dbus_things("interface")

938

if name == if_tag.getAttribute("name")

939

)).items():

940

ann_tag = document.createElement("annotation")

941

ann_tag.setAttribute("name", annotation)

942

ann_tag.setAttribute("value", value)

943

if_tag.appendChild(ann_tag)

944

# Fix argument name for the Introspect method itself

945

if (if_tag.getAttribute("name")

946

== dbus.INTROSPECTABLE_IFACE):

947

for cn in if_tag.getElementsByTagName("method"):

948

if cn.getAttribute("name") == "Introspect":

949

for arg in cn.getElementsByTagName("arg"):

950

if (arg.getAttribute("direction")

951

== "out"):

952

arg.setAttribute("name",

953

"xml_data")

954

xmlstring = document.toxml("utf-8")

955

document.unlink()

956

except (AttributeError, xml.dom.DOMException,

957

xml.parsers.expat.ExpatError) as error:

958

logger.error("Failed to override Introspection method",

959

exc_info=error)

960

return xmlstring

961

962

963

class DBusObjectWithProperties(DBusObjectWithAnnotations):

964

"""A D-Bus object with properties.

965

966

Classes inheriting from this can use the dbus_service_property

967

decorator to expose methods as D-Bus properties. It exposes the

968

standard Get(), Set(), and GetAll() methods on the D-Bus.

969

"""

898

970

899

971

def _get_dbus_property(self, interface_name, property_name):

900

972

"""Returns a bound method if one exists which is a D-Bus

901

973

property with the specified name and interface.

902

974

"""

903

for cls in self.__class__.__mro__:

904

for name, value in (inspect.getmembers

905

(cls,

906

self._is_dbus_thing("property"))):

975

for cls in self.__class__.__mro__:

976

for name, value in inspect.getmembers(

977

cls, self._is_dbus_thing("property")):

907

978

if (value._dbus_name == property_name

908

979

and value._dbus_interface == interface_name):

909

980

return value.__get__(self)

910

981

911

982

# No such property

912

raise DBusPropertyNotFound(self.dbus_object_path + ":"

913

+ interface_name + "."

914

+ property_name)

915

916

@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",

983

raise DBusPropertyNotFound("{}:{}.{}".format(

984

self.dbus_object_path, interface_name, property_name))

985

986

@classmethod

987

def _get_all_interface_names(cls):

988

"""Get a sequence of all interfaces supported by an object"""

989

return (name for name in set(getattr(getattr(x, attr),

990

"_dbus_interface", None)

991

for x in (inspect.getmro(cls))

992

for attr in dir(x))

993

if name is not None)

994

995

@dbus.service.method(dbus.PROPERTIES_IFACE,

996

in_signature="ss",

917

997

out_signature="v")

918

998

def Get(self, interface_name, property_name):

919

999

"""Standard D-Bus property Get() method, see D-Bus standard.

938

1018

# signatures other than "ay".

939

1019

if prop._dbus_signature != "ay":

940

1020

raise ValueError("Byte arrays not supported for non-"

941

"'ay' signature {0!r}"

1021

"'ay' signature {!r}"

942

1022

.format(prop._dbus_signature))

943

1023

value = dbus.ByteArray(b''.join(chr(byte)

944

1024

for byte in value))

945

1025

prop(value)

946

1026

947

@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",

1027

@dbus.service.method(dbus.PROPERTIES_IFACE,

1028

in_signature="s",

948

1029

out_signature="a{sv}")

949

1030

def GetAll(self, interface_name):

950

1031

"""Standard D-Bus property GetAll() method, see D-Bus

965

1046

if not hasattr(value, "variant_level"):

966

1047

properties[name] = value

967

1048

continue

968

properties[name] = type(value)(value, variant_level=

969

value.variant_level+1)

1049

properties[name] = type(value)(

1050

value, variant_level = value.variant_level + 1)

970

1051

return dbus.Dictionary(properties, signature="sv")

971

1052

1053

@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")

1054

def PropertiesChanged(self, interface_name, changed_properties,

1055

invalidated_properties):

1056

"""Standard D-Bus PropertiesChanged() signal, see D-Bus

1057

standard.

1058

"""

1059

pass

1060

972

1061

@dbus.service.method(dbus.INTROSPECTABLE_IFACE,

973

1062

out_signature="s",

974

1063

path_keyword='object_path',

978

1067

979

1068

Inserts property tags and interface annotation tags.

980

1069

"""

981

xmlstring = dbus.service.Object.Introspect(self, object_path,

982

connection)

1070

xmlstring = DBusObjectWithAnnotations.Introspect(self,

1071

object_path,

1072

connection)

983

1073

try:

984

1074

document = xml.dom.minidom.parseString(xmlstring)

1075

985

1076

def make_tag(document, name, prop):

986

1077

e = document.createElement("property")

987

1078

e.setAttribute("name", name)

988

1079

e.setAttribute("type", prop._dbus_signature)

989

1080

e.setAttribute("access", prop._dbus_access)

990

1081

return e

1082

991

1083

for if_tag in document.getElementsByTagName("interface"):

992

1084

# Add property tags

993

1085

for tag in (make_tag(document, name, prop)

996

1088

if prop._dbus_interface

997

1089

== if_tag.getAttribute("name")):

998

1090

if_tag.appendChild(tag)

999

# Add annotation tags

1000

for typ in ("method", "signal", "property"):

1001

for tag in if_tag.getElementsByTagName(typ):

1002

annots = dict()

1003

for name, prop in (self.

1004

_get_all_dbus_things(typ)):

1005

if (name == tag.getAttribute("name")

1006

and prop._dbus_interface

1007

== if_tag.getAttribute("name")):

1008

annots.update(getattr

1009

(prop,

1010

"_dbus_annotations",

1011

{}))

1012

for name, value in annots.iteritems():

1013

ann_tag = document.createElement(

1014

"annotation")

1015

ann_tag.setAttribute("name", name)

1016

ann_tag.setAttribute("value", value)

1017

tag.appendChild(ann_tag)

1018

# Add interface annotation tags

1019

for annotation, value in dict(

1020

itertools.chain.from_iterable(

1021

annotations().iteritems()

1022

for name, annotations in

1023

self._get_all_dbus_things("interface")

1024

if name == if_tag.getAttribute("name")

1025

)).iteritems():

1026

ann_tag = document.createElement("annotation")

1027

ann_tag.setAttribute("name", annotation)

1028

ann_tag.setAttribute("value", value)

1029

if_tag.appendChild(ann_tag)

1091

# Add annotation tags for properties

1092

for tag in if_tag.getElementsByTagName("property"):

1093

annots = dict()

1094

for name, prop in self._get_all_dbus_things(

1095

"property"):

1096

if (name == tag.getAttribute("name")

1097

and prop._dbus_interface

1098

== if_tag.getAttribute("name")):

1099

annots.update(getattr(

1100

prop, "_dbus_annotations", {}))

1101

for name, value in annots.items():

1102

ann_tag = document.createElement(

1103

"annotation")

1104

ann_tag.setAttribute("name", name)

1105

ann_tag.setAttribute("value", value)

1106

tag.appendChild(ann_tag)

1030

1107

# Add the names to the return values for the

1031

1108

# "org.freedesktop.DBus.Properties" methods

1032

1109

if (if_tag.getAttribute("name")

1050

1127

exc_info=error)

1051

1128

return xmlstring

1052

1129

1130

try:

1131

dbus.OBJECT_MANAGER_IFACE

1132

except AttributeError:

1133

dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"

1134

1135

class DBusObjectWithObjectManager(DBusObjectWithAnnotations):

1136

"""A D-Bus object with an ObjectManager.

1137

1138

Classes inheriting from this exposes the standard

1139

GetManagedObjects call and the InterfacesAdded and

1140

InterfacesRemoved signals on the standard

1141

"org.freedesktop.DBus.ObjectManager" interface.

1142

1143

Note: No signals are sent automatically; they must be sent

1144

manually.

1145

"""

1146

@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,

1147

out_signature = "a{oa{sa{sv}}}")

1148

def GetManagedObjects(self):

1149

"""This function must be overridden"""

1150

raise NotImplementedError()

1151

1152

@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,

1153

signature = "oa{sa{sv}}")

1154

def InterfacesAdded(self, object_path, interfaces_and_properties):

1155

pass

1156

1157

@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,

1158

signature = "oas")

1159

def InterfacesRemoved(self, object_path, interfaces):

1160

pass

1161

1162

@dbus.service.method(dbus.INTROSPECTABLE_IFACE,

1163

out_signature = "s",

1164

path_keyword = 'object_path',

1165

connection_keyword = 'connection')

1166

def Introspect(self, object_path, connection):

1167

"""Overloading of standard D-Bus method.

1168

1169

Override return argument name of GetManagedObjects to be

1170

"objpath_interfaces_and_properties"

1171

"""

1172

xmlstring = DBusObjectWithAnnotations(self, object_path,

1173

connection)

1174

try:

1175

document = xml.dom.minidom.parseString(xmlstring)

1176

1177

for if_tag in document.getElementsByTagName("interface"):

1178

# Fix argument name for the GetManagedObjects method

1179

if (if_tag.getAttribute("name")

1180

== dbus.OBJECT_MANAGER_IFACE):

1181

for cn in if_tag.getElementsByTagName("method"):

1182

if (cn.getAttribute("name")

1183

== "GetManagedObjects"):

1184

for arg in cn.getElementsByTagName("arg"):

1185

if (arg.getAttribute("direction")

1186

== "out"):

1187

arg.setAttribute(

1188

"name",

1189

"objpath_interfaces"

1190

"_and_properties")

1191

xmlstring = document.toxml("utf-8")

1192

document.unlink()

1193

except (AttributeError, xml.dom.DOMException,

1194

xml.parsers.expat.ExpatError) as error:

1195

logger.error("Failed to override Introspection method",

1196

exc_info = error)

1197

return xmlstring

1053

1198

1054

1199

def datetime_to_dbus(dt, variant_level=0):

1055

1200

"""Convert a UTC datetime.datetime() to a D-Bus type."""

1056

1201

if dt is None:

1057

1202

return dbus.String("", variant_level = variant_level)

1058

return dbus.String(dt.isoformat(),

1059

variant_level=variant_level)

1203

return dbus.String(dt.isoformat(), variant_level=variant_level)

1060

1204

1061

1205

1062

1206

def alternate_dbus_interfaces(alt_interface_names, deprecate=True):

1082

1226

(from DBusObjectWithProperties) and interfaces (from the

1083

1227

dbus_interface_annotations decorator).

1084

1228

"""

1229

1085

1230

def wrapper(cls):

1086

1231

for orig_interface_name, alt_interface_name in (

1087

alt_interface_names.iteritems()):

1232

alt_interface_names.items()):

1088

1233

attr = {}

1089

1234

interface_names = set()

1090

1235

# Go though all attributes of the class

1092

1237

# Ignore non-D-Bus attributes, and D-Bus attributes

1093

1238

# with the wrong interface name

1094

1239

if (not hasattr(attribute, "_dbus_interface")

1095

or not attribute._dbus_interface

1096

.startswith(orig_interface_name)):

1240

or not attribute._dbus_interface.startswith(

1241

orig_interface_name)):

1097

1242

continue

1098

1243

# Create an alternate D-Bus interface name based on

1099

1244

# the current name

1100

alt_interface = (attribute._dbus_interface

1101

.replace(orig_interface_name,

1102

alt_interface_name))

1245

alt_interface = attribute._dbus_interface.replace(

1246

orig_interface_name, alt_interface_name)

1103

1247

interface_names.add(alt_interface)

1104

1248

# Is this a D-Bus signal?

1105

1249

if getattr(attribute, "_dbus_is_signal", False):

1106

# Extract the original non-method undecorated

1107

# function by black magic

1108

nonmethod_func = (dict(

1250

if sys.version_info.major == 2:

1251

# Extract the original non-method undecorated

1252

# function by black magic

1253

nonmethod_func = (dict(

1109

1254

zip(attribute.func_code.co_freevars,

1110

attribute.__closure__))["func"]

1111

.cell_contents)

1255

attribute.__closure__))

1256

["func"].cell_contents)

1257

else:

1258

nonmethod_func = attribute

1112

1259

# Create a new, but exactly alike, function

1113

1260

# object, and decorate it to be a new D-Bus signal

1114

1261

# with the alternate D-Bus interface name

1115

new_function = (dbus.service.signal

1116

(alt_interface,

1117

attribute._dbus_signature)

1118

(types.FunctionType(

1119

nonmethod_func.func_code,

1120

nonmethod_func.func_globals,

1121

nonmethod_func.func_name,

1122

nonmethod_func.func_defaults,

1123

nonmethod_func.func_closure)))

1262

if sys.version_info.major == 2:

1263

new_function = types.FunctionType(

1264

nonmethod_func.func_code,

1265

nonmethod_func.func_globals,

1266

nonmethod_func.func_name,

1267

nonmethod_func.func_defaults,

1268

nonmethod_func.func_closure)

1269

else:

1270

new_function = types.FunctionType(

1271

nonmethod_func.__code__,

1272

nonmethod_func.__globals__,

1273

nonmethod_func.__name__,

1274

nonmethod_func.__defaults__,

1275

nonmethod_func.__closure__)

1276

new_function = (dbus.service.signal(

1277

alt_interface,

1278

attribute._dbus_signature)(new_function))

1124

1279

# Copy annotations, if any

1125

1280

try:

1126

new_function._dbus_annotations = (

1127

dict(attribute._dbus_annotations))

1281

new_function._dbus_annotations = dict(

1282

attribute._dbus_annotations)

1128

1283

except AttributeError:

1129

1284

pass

1130

1285

# Define a creator of a function to call both the

1135

1290

"""This function is a scope container to pass

1136

1291

func1 and func2 to the "call_both" function

1137

1292

outside of its arguments"""

1293

1138

1294

def call_both(*args, **kwargs):

1139

1295

"""This function will emit two D-Bus

1140

1296

signals by calling func1 and func2"""

1141

1297

func1(*args, **kwargs)

1142

1298

func2(*args, **kwargs)

1299

1143

1300

return call_both

1144

1301

# Create the "call_both" function and add it to

1145

1302

# the class

1150

1307

# object. Decorate it to be a new D-Bus method

1151

1308

# with the alternate D-Bus interface name. Add it

1152

1309

# to the class.

1153

attr[attrname] = (dbus.service.method

1154

(alt_interface,

1155

attribute._dbus_in_signature,

1156

attribute._dbus_out_signature)

1157

(types.FunctionType

1158

(attribute.func_code,

1159

attribute.func_globals,

1160

attribute.func_name,

1161

attribute.func_defaults,

1162

attribute.func_closure)))

1310

attr[attrname] = (

1311

dbus.service.method(

1312

alt_interface,

1313

attribute._dbus_in_signature,

1314

attribute._dbus_out_signature)

1315

(types.FunctionType(attribute.func_code,

1316

attribute.func_globals,

1317

attribute.func_name,

1318

attribute.func_defaults,

1319

attribute.func_closure)))

1163

1320

# Copy annotations, if any

1164

1321

try:

1165

attr[attrname]._dbus_annotations = (

1166

dict(attribute._dbus_annotations))

1322

attr[attrname]._dbus_annotations = dict(

1323

attribute._dbus_annotations)

1167

1324

except AttributeError:

1168

1325

pass

1169

1326

# Is this a D-Bus property?

1172

1329

# object, and decorate it to be a new D-Bus

1173

1330

# property with the alternate D-Bus interface

1174

1331

# name. Add it to the class.

1175

attr[attrname] = (dbus_service_property

1176

(alt_interface,

1177

attribute._dbus_signature,

1178

attribute._dbus_access,

1179

attribute

1180

._dbus_get_args_options

1181

["byte_arrays"])

1182

(types.FunctionType

1183

(attribute.func_code,

1184

attribute.func_globals,

1185

attribute.func_name,

1186

attribute.func_defaults,

1187

attribute.func_closure)))

1332

attr[attrname] = (dbus_service_property(

1333

alt_interface, attribute._dbus_signature,

1334

attribute._dbus_access,

1335

attribute._dbus_get_args_options

1336

["byte_arrays"])

1337

(types.FunctionType(

1338

attribute.func_code,

1339

attribute.func_globals,

1340

attribute.func_name,

1341

attribute.func_defaults,

1342

attribute.func_closure)))

1188

1343

# Copy annotations, if any

1189

1344

try:

1190

attr[attrname]._dbus_annotations = (

1191

dict(attribute._dbus_annotations))

1345

attr[attrname]._dbus_annotations = dict(

1346

attribute._dbus_annotations)

1192

1347

except AttributeError:

1193

1348

pass

1194

1349

# Is this a D-Bus interface?

1197

1352

# object. Decorate it to be a new D-Bus interface

1198

1353

# with the alternate D-Bus interface name. Add it

1199

1354

# to the class.

1200

attr[attrname] = (dbus_interface_annotations

1201

(alt_interface)

1202

(types.FunctionType

1203

(attribute.func_code,

1204

attribute.func_globals,

1205

attribute.func_name,

1206

attribute.func_defaults,

1207

attribute.func_closure)))

1355

attr[attrname] = (

1356

dbus_interface_annotations(alt_interface)

1357

(types.FunctionType(attribute.func_code,

1358

attribute.func_globals,

1359

attribute.func_name,

1360

attribute.func_defaults,

1361

attribute.func_closure)))

1208

1362

if deprecate:

1209

1363

# Deprecate all alternate interfaces

1210

iname="_AlternateDBusNames_interface_annotation{0}"

1364

iname="_AlternateDBusNames_interface_annotation{}"

1211

1365

for interface_name in interface_names:

1366

1212

1367

@dbus_interface_annotations(interface_name)

1213

1368

def func(self):

1214

1369

return { "org.freedesktop.DBus.Deprecated":

1215

"true" }

1370

"true" }

1216

1371

# Find an unused name

1217

1372

for aname in (iname.format(i)

1218

1373

for i in itertools.count()):

1222

1377

if interface_names:

1223

1378

# Replace the class with a new subclass of it with

1224

1379

# methods, signals, etc. as created above.

1225

cls = type(b"{0}Alternate".format(cls.__name__),

1226

(cls,), attr)

1380

cls = type(b"{}Alternate".format(cls.__name__),

1381

(cls, ), attr)

1227

1382

return cls

1383

1228

1384

return wrapper

1229

1385

1230

1386

1231

1387

@alternate_dbus_interfaces({"se.recompile.Mandos":

1232

"se.bsnet.fukt.Mandos"})

1388

"se.bsnet.fukt.Mandos"})

1233

1389

class ClientDBus(Client, DBusObjectWithProperties):

1234

1390

"""A Client class using D-Bus

1235

1391

1239

1395

"""

1240

1396

1241

1397

runtime_expansions = (Client.runtime_expansions

1242

+ ("dbus_object_path",))

1398

+ ("dbus_object_path", ))

1399

1400

_interface = "se.recompile.Mandos.Client"

1243

1401

1244

1402

# dbus.service.Object doesn't use super(), so we can't either.

1245

1403

1248

1406

Client.__init__(self, *args, **kwargs)

1249

1407

# Only now, when this client is initialized, can it show up on

1250

1408

# the D-Bus

1251

client_object_name = unicode(self.name).translate(

1409

client_object_name = str(self.name).translate(

1252

1410

{ord("."): ord("_"),

1253

1411

ord("-"): ord("_")})

1254

self.dbus_object_path = (dbus.ObjectPath

1255

("/clients/" + client_object_name))

1412

self.dbus_object_path = dbus.ObjectPath(

1413

"/clients/" + client_object_name)

1256

1414

DBusObjectWithProperties.__init__(self, self.bus,

1257

1415

self.dbus_object_path)

1258

1416

1259

def notifychangeproperty(transform_func,

1260

dbus_name, type_func=lambda x: x,

1261

variant_level=1):

1417

def notifychangeproperty(transform_func, dbus_name,

1418

type_func=lambda x: x,

1419

variant_level=1,

1420

invalidate_only=False,

1421

_interface=_interface):

1262

1422

""" Modify a variable so that it's a property which announces

1263

1423

its changes to DBus.

1264

1424

1269

1429

to the D-Bus. Default: no transform

1270

1430

variant_level: D-Bus variant level. Default: 1

1271

1431

"""

1272

attrname = "_{0}".format(dbus_name)

1432

attrname = "_{}".format(dbus_name)

1433

1273

1434

def setter(self, value):

1274

1435

if hasattr(self, "dbus_object_path"):

1275

1436

if (not hasattr(self, attrname) or

1276

1437

type_func(getattr(self, attrname, None))

1277

1438

!= type_func(value)):

1278

dbus_value = transform_func(type_func(value),

1279

variant_level

1280

=variant_level)

1281

self.PropertyChanged(dbus.String(dbus_name),

1282

dbus_value)

1439

if invalidate_only:

1440

self.PropertiesChanged(

1441

_interface, dbus.Dictionary(),

1442

dbus.Array((dbus_name, )))

1443

else:

1444

dbus_value = transform_func(

1445

type_func(value),

1446

variant_level = variant_level)

1447

self.PropertyChanged(dbus.String(dbus_name),

1448

dbus_value)

1449

self.PropertiesChanged(

1450

_interface,

1451

dbus.Dictionary({ dbus.String(dbus_name):

1452

dbus_value }),

1453

dbus.Array())

1283

1454

setattr(self, attrname, value)

1284

1455

1285

1456

return property(lambda self: getattr(self, attrname), setter)

1291

1462

enabled = notifychangeproperty(dbus.Boolean, "Enabled")

1292

1463

last_enabled = notifychangeproperty(datetime_to_dbus,

1293

1464

"LastEnabled")

1294

checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",

1295

type_func = lambda checker:

1296

checker is not None)

1465

checker = notifychangeproperty(

1466

dbus.Boolean, "CheckerRunning",

1467

type_func = lambda checker: checker is not None)

1297

1468

last_checked_ok = notifychangeproperty(datetime_to_dbus,

1298

1469

"LastCheckedOK")

1299

1470

last_checker_status = notifychangeproperty(dbus.Int16,

1302

1473

datetime_to_dbus, "LastApprovalRequest")

1303

1474

approved_by_default = notifychangeproperty(dbus.Boolean,

1304

1475

"ApprovedByDefault")

1305

approval_delay = notifychangeproperty(dbus.UInt64,

1306

"ApprovalDelay",

1307

type_func =

1308

timedelta_to_milliseconds)

1476

approval_delay = notifychangeproperty(

1477

dbus.UInt64, "ApprovalDelay",

1478

type_func = lambda td: td.total_seconds() * 1000)

1309

1479

approval_duration = notifychangeproperty(

1310

1480

dbus.UInt64, "ApprovalDuration",

1311

type_func = timedelta_to_milliseconds)

1481

type_func = lambda td: td.total_seconds() * 1000)

1312

1482

host = notifychangeproperty(dbus.String, "Host")

1313

timeout = notifychangeproperty(dbus.UInt64, "Timeout",

1314

type_func =

1315

timedelta_to_milliseconds)

1483

timeout = notifychangeproperty(

1484

dbus.UInt64, "Timeout",

1485

type_func = lambda td: td.total_seconds() * 1000)

1316

1486

extended_timeout = notifychangeproperty(

1317

1487

dbus.UInt64, "ExtendedTimeout",

1318

type_func = timedelta_to_milliseconds)

1319

interval = notifychangeproperty(dbus.UInt64,

1320

"Interval",

1321

type_func =

1322

timedelta_to_milliseconds)

1488

type_func = lambda td: td.total_seconds() * 1000)

1489

interval = notifychangeproperty(

1490

dbus.UInt64, "Interval",

1491

type_func = lambda td: td.total_seconds() * 1000)

1323

1492

checker_command = notifychangeproperty(dbus.String, "Checker")

1493

secret = notifychangeproperty(dbus.ByteArray, "Secret",

1494

invalidate_only=True)

1324

1495

1325

1496

del notifychangeproperty

1326

1497

1333

1504

DBusObjectWithProperties.__del__(self, *args, **kwargs)

1334

1505

Client.__del__(self, *args, **kwargs)

1335

1506

1336

def checker_callback(self, pid, condition, command,

1337

*args, **kwargs):

1338

self.checker_callback_tag = None

1339

self.checker = None

1340

if os.WIFEXITED(condition):

1341

exitstatus = os.WEXITSTATUS(condition)

1507

def checker_callback(self, source, condition,

1508

connection, command, *args, **kwargs):

1509

ret = Client.checker_callback(self, source, condition,

1510

connection, command, *args,

1511

**kwargs)

1512

exitstatus = self.last_checker_status

1513

if exitstatus >= 0:

1342

1514

# Emit D-Bus signal

1343

1515

self.CheckerCompleted(dbus.Int16(exitstatus),

1344

dbus.Int64(condition),

1516

# This is specific to GNU libC

1517

dbus.Int64(exitstatus << 8),

1345

1518

dbus.String(command))

1346

1519

else:

1347

1520

# Emit D-Bus signal

1348

1521

self.CheckerCompleted(dbus.Int16(-1),

1349

dbus.Int64(condition),

1522

dbus.Int64(

1523

# This is specific to GNU libC

1524

(exitstatus << 8)

1525

| self.last_checker_signal),

1350

1526

dbus.String(command))

1351

1352

return Client.checker_callback(self, pid, condition, command,

1353

*args, **kwargs)

1527

return ret

1354

1528

1355

1529

def start_checker(self, *args, **kwargs):

1356

1530

old_checker_pid = getattr(self.checker, "pid", None)

1368

1542

1369

1543

def approve(self, value=True):

1370

1544

self.approved = value

1371

gobject.timeout_add(timedelta_to_milliseconds

1372

(self.approval_duration),

1373

self._reset_approved)

1545

gobject.timeout_add(int(self.approval_duration.total_seconds()

1546

* 1000), self._reset_approved)

1374

1547

self.send_changedstate()

1375

1548

1376

1549

## D-Bus methods, signals & properties

1377

_interface = "se.recompile.Mandos.Client"

1378

1550

1379

1551

## Interfaces

1380

1552

1381

@dbus_interface_annotations(_interface)

1382

def _foo(self):

1383

return { "org.freedesktop.DBus.Property.EmitsChangedSignal":

1384

"false"}

1385

1386

1553

## Signals

1387

1554

1388

1555

# CheckerCompleted - signal

1398

1565

pass

1399

1566

1400

1567

# PropertyChanged - signal

1568

@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})

1401

1569

@dbus.service.signal(_interface, signature="sv")

1402

1570

def PropertyChanged(self, property, value):

1403

1571

"D-Bus signal"

1437

1605

self.checked_ok()

1438

1606

1439

1607

# Enable - method

1608

@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})

1440

1609

@dbus.service.method(_interface)

1441

1610

def Enable(self):

1442

1611

"D-Bus method"

1443

1612

self.enable()

1444

1613

1445

1614

# StartChecker - method

1615

@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})

1446

1616

@dbus.service.method(_interface)

1447

1617

def StartChecker(self):

1448

1618

"D-Bus method"

1449

1619

self.start_checker()

1450

1620

1451

1621

# Disable - method

1622

@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})

1452

1623

@dbus.service.method(_interface)

1453

1624

def Disable(self):

1454

1625

"D-Bus method"

1455

1626

self.disable()

1456

1627

1457

1628

# StopChecker - method

1629

@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})

1458

1630

@dbus.service.method(_interface)

1459

1631

def StopChecker(self):

1460

1632

self.stop_checker()

1467

1639

return dbus.Boolean(bool(self.approvals_pending))

1468

1640

1469

1641

# ApprovedByDefault - property

1470

@dbus_service_property(_interface, signature="b",

1642

@dbus_service_property(_interface,

1643

signature="b",

1471

1644

access="readwrite")

1472

1645

def ApprovedByDefault_dbus_property(self, value=None):

1473

1646

if value is None: # get

1475

1648

self.approved_by_default = bool(value)

1476

1649

1477

1650

# ApprovalDelay - property

1478

@dbus_service_property(_interface, signature="t",

1651

@dbus_service_property(_interface,

1652

signature="t",

1479

1653

access="readwrite")

1480

1654

def ApprovalDelay_dbus_property(self, value=None):

1481

1655

if value is None: # get

1482

return dbus.UInt64(self.approval_delay_milliseconds())

1656

return dbus.UInt64(self.approval_delay.total_seconds()

1657

* 1000)

1483

1658

self.approval_delay = datetime.timedelta(0, 0, 0, value)

1484

1659

1485

1660

# ApprovalDuration - property

1486

@dbus_service_property(_interface, signature="t",

1661

@dbus_service_property(_interface,

1662

signature="t",

1487

1663

access="readwrite")

1488

1664

def ApprovalDuration_dbus_property(self, value=None):

1489

1665

if value is None: # get

1490

return dbus.UInt64(timedelta_to_milliseconds(

1491

self.approval_duration))

1666

return dbus.UInt64(self.approval_duration.total_seconds()

1667

* 1000)

1492

1668

self.approval_duration = datetime.timedelta(0, 0, 0, value)

1493

1669

1494

1670

# Name - property

1671

@dbus_annotations(

1672

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

1495

1673

@dbus_service_property(_interface, signature="s", access="read")

1496

1674

def Name_dbus_property(self):

1497

1675

return dbus.String(self.name)

1498

1676

1499

1677

# Fingerprint - property

1678

@dbus_annotations(

1679

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

1500

1680

@dbus_service_property(_interface, signature="s", access="read")

1501

1681

def Fingerprint_dbus_property(self):

1502

1682

return dbus.String(self.fingerprint)

1503

1683

1504

1684

# Host - property

1505

@dbus_service_property(_interface, signature="s",

1685

@dbus_service_property(_interface,

1686

signature="s",

1506

1687

access="readwrite")

1507

1688

def Host_dbus_property(self, value=None):

1508

1689

if value is None: # get

1509

1690

return dbus.String(self.host)

1510

self.host = unicode(value)

1691

self.host = str(value)

1511

1692

1512

1693

# Created - property

1694

@dbus_annotations(

1695

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

1513

1696

@dbus_service_property(_interface, signature="s", access="read")

1514

1697

def Created_dbus_property(self):

1515

1698

return datetime_to_dbus(self.created)

1520

1703

return datetime_to_dbus(self.last_enabled)

1521

1704

1522

1705

# Enabled - property

1523

@dbus_service_property(_interface, signature="b",

1706

@dbus_service_property(_interface,

1707

signature="b",

1524

1708

access="readwrite")

1525

1709

def Enabled_dbus_property(self, value=None):

1526

1710

if value is None: # get

1531

1715

self.disable()

1532

1716

1533

1717

# LastCheckedOK - property

1534

@dbus_service_property(_interface, signature="s",

1718

@dbus_service_property(_interface,

1719

signature="s",

1535

1720

access="readwrite")

1536

1721

def LastCheckedOK_dbus_property(self, value=None):

1537

1722

if value is not None:

1540

1725

return datetime_to_dbus(self.last_checked_ok)

1541

1726

1542

1727

# LastCheckerStatus - property

1543

@dbus_service_property(_interface, signature="n",

1544

access="read")

1728

@dbus_service_property(_interface, signature="n", access="read")

1545

1729

def LastCheckerStatus_dbus_property(self):

1546

1730

return dbus.Int16(self.last_checker_status)

1547

1731

1556

1740

return datetime_to_dbus(self.last_approval_request)

1557

1741

1558

1742

# Timeout - property

1559

@dbus_service_property(_interface, signature="t",

1743

@dbus_service_property(_interface,

1744

signature="t",

1560

1745

access="readwrite")

1561

1746

def Timeout_dbus_property(self, value=None):

1562

1747

if value is None: # get

1563

return dbus.UInt64(self.timeout_milliseconds())

1748

return dbus.UInt64(self.timeout.total_seconds() * 1000)

1564

1749

old_timeout = self.timeout

1565

1750

self.timeout = datetime.timedelta(0, 0, 0, value)

1566

1751

# Reschedule disabling

1575

1760

is None):

1576

1761

return

1577

1762

gobject.source_remove(self.disable_initiator_tag)

1578

self.disable_initiator_tag = (

1579

gobject.timeout_add(

1580

timedelta_to_milliseconds(self.expires - now),

1581

self.disable))

1763

self.disable_initiator_tag = gobject.timeout_add(

1764

int((self.expires - now).total_seconds() * 1000),

1765

self.disable)

1582

1766

1583

1767

# ExtendedTimeout - property

1584

@dbus_service_property(_interface, signature="t",

1768

@dbus_service_property(_interface,

1769

signature="t",

1585

1770

access="readwrite")

1586

1771

def ExtendedTimeout_dbus_property(self, value=None):

1587

1772

if value is None: # get

1588

return dbus.UInt64(self.extended_timeout_milliseconds())

1773

return dbus.UInt64(self.extended_timeout.total_seconds()

1774

* 1000)

1589

1775

self.extended_timeout = datetime.timedelta(0, 0, 0, value)

1590

1776

1591

1777

# Interval - property

1592

@dbus_service_property(_interface, signature="t",

1778

@dbus_service_property(_interface,

1779

signature="t",

1593

1780

access="readwrite")

1594

1781

def Interval_dbus_property(self, value=None):

1595

1782

if value is None: # get

1596

return dbus.UInt64(self.interval_milliseconds())

1783

return dbus.UInt64(self.interval.total_seconds() * 1000)

1597

1784

self.interval = datetime.timedelta(0, 0, 0, value)

1598

1785

if getattr(self, "checker_initiator_tag", None) is None:

1599

1786

return

1600

1787

if self.enabled:

1601

1788

# Reschedule checker run

1602

1789

gobject.source_remove(self.checker_initiator_tag)

1603

self.checker_initiator_tag = (gobject.timeout_add

1604

(value, self.start_checker))

1605

self.start_checker() # Start one now, too

1790

self.checker_initiator_tag = gobject.timeout_add(

1791

value, self.start_checker)

1792

self.start_checker() # Start one now, too

1606

1793

1607

1794

# Checker - property

1608

@dbus_service_property(_interface, signature="s",

1795

@dbus_service_property(_interface,

1796

signature="s",

1609

1797

access="readwrite")

1610

1798

def Checker_dbus_property(self, value=None):

1611

1799

if value is None: # get

1612

1800

return dbus.String(self.checker_command)

1613

self.checker_command = unicode(value)

1801

self.checker_command = str(value)

1614

1802

1615

1803

# CheckerRunning - property

1616

@dbus_service_property(_interface, signature="b",

1804

@dbus_service_property(_interface,

1805

signature="b",

1617

1806

access="readwrite")

1618

1807

def CheckerRunning_dbus_property(self, value=None):

1619

1808

if value is None: # get

1624

1813

self.stop_checker()

1625

1814

1626

1815

# ObjectPath - property

1816

@dbus_annotations(

1817

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",

1818

"org.freedesktop.DBus.Deprecated": "true"})

1627

1819

@dbus_service_property(_interface, signature="o", access="read")

1628

1820

def ObjectPath_dbus_property(self):

1629

1821

return self.dbus_object_path # is already a dbus.ObjectPath

1630

1822

1631

1823

# Secret = property

1632

@dbus_service_property(_interface, signature="ay",

1633

access="write", byte_arrays=True)

1824

@dbus_annotations(

1825

{"org.freedesktop.DBus.Property.EmitsChangedSignal":

1826

"invalidates"})

1827

@dbus_service_property(_interface,

1828

signature="ay",

1829

access="write",

1830

byte_arrays=True)

1634

1831

def Secret_dbus_property(self, value):

1635

self.secret = str(value)

1832

self.secret = bytes(value)

1636

1833

1637

1834

del _interface

1638

1835

1642

1839

self._pipe = child_pipe

1643

1840

self._pipe.send(('init', fpr, address))

1644

1841

if not self._pipe.recv():

1645

raise KeyError()

1842

raise KeyError(fpr)

1646

1843

1647

1844

def __getattribute__(self, name):

1648

1845

if name == '_pipe':

1652

1849

if data[0] == 'data':

1653

1850

return data[1]

1654

1851

if data[0] == 'function':

1852

1655

1853

def func(*args, **kwargs):

1656

1854

self._pipe.send(('funcall', name, args, kwargs))

1657

1855

return self._pipe.recv()[1]

1856

1658

1857

return func

1659

1858

1660

1859

def __setattr__(self, name, value):

1672

1871

def handle(self):

1673

1872

with contextlib.closing(self.server.child_pipe) as child_pipe:

1674

1873

logger.info("TCP connection from: %s",

1675

unicode(self.client_address))

1874

str(self.client_address))

1676

1875

logger.debug("Pipe FD: %d",

1677

1876

self.server.child_pipe.fileno())

1678

1877

1679

session = (gnutls.connection

1680

.ClientSession(self.request,

1681

gnutls.connection

1682

.X509Credentials()))

1878

session = gnutls.connection.ClientSession(

1879

self.request, gnutls.connection .X509Credentials())

1683

1880

1684

1881

# Note: gnutls.connection.X509Credentials is really a

1685

1882

# generic GnuTLS certificate credentials object so long as

1694

1891

priority = self.server.gnutls_priority

1695

1892

if priority is None:

1696

1893

priority = "NORMAL"

1697

(gnutls.library.functions

1698

.gnutls_priority_set_direct(session._c_object,

1699

priority, None))

1894

gnutls.library.functions.gnutls_priority_set_direct(

1895

session._c_object, priority, None)

1700

1896

1701

1897

# Start communication using the Mandos protocol

1702

1898

# Get protocol number

1722

1918

approval_required = False

1723

1919

try:

1724

1920

try:

1725

fpr = self.fingerprint(self.peer_certificate

1726

(session))

1921

fpr = self.fingerprint(

1922

self.peer_certificate(session))

1727

1923

except (TypeError,

1728

1924

gnutls.errors.GNUTLSError) as error:

1729

1925

logger.warning("Bad certificate: %s", error)

1744

1940

while True:

1745

1941

if not client.enabled:

1746

1942

logger.info("Client %s is disabled",

1747

client.name)

1943

client.name)

1748

1944

if self.server.use_dbus:

1749

1945

# Emit D-Bus signal

1750

1946

client.Rejected("Disabled")

1759

1955

if self.server.use_dbus:

1760

1956

# Emit D-Bus signal

1761

1957

client.NeedApproval(

1762

client.approval_delay_milliseconds(),

1763

client.approved_by_default)

1958

client.approval_delay.total_seconds()

1959

* 1000, client.approved_by_default)

1764

1960

else:

1765

1961

logger.warning("Client %s was not approved",

1766

1962

client.name)

1772

1968

#wait until timeout or approved

1773

1969

time = datetime.datetime.now()

1774

1970

client.changedstate.acquire()

1775

client.changedstate.wait(

1776

float(timedelta_to_milliseconds(delay)

1777

/ 1000))

1971

client.changedstate.wait(delay.total_seconds())

1778

1972

client.changedstate.release()

1779

1973

time2 = datetime.datetime.now()

1780

1974

if (time2 - time) >= delay:

1799

1993

logger.warning("gnutls send failed",

1800

1994

exc_info=error)

1801

1995

return

1802

logger.debug("Sent: %d, remaining: %d",

1803

sent, len(client.secret)

1804

- (sent_size + sent))

1996

logger.debug("Sent: %d, remaining: %d", sent,

1997

len(client.secret) - (sent_size

1998

+ sent))

1805

1999

sent_size += sent

1806

2000

1807

2001

logger.info("Sending secret to %s", client.name)

1824

2018

def peer_certificate(session):

1825

2019

"Return the peer's OpenPGP certificate as a bytestring"

1826

2020

# If not an OpenPGP certificate...

1827

if (gnutls.library.functions

1828

.gnutls_certificate_type_get(session._c_object)

2021

if (gnutls.library.functions.gnutls_certificate_type_get(

2022

session._c_object)

1829

2023

!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):

1830

2024

# ...do the normal thing

1831

2025

return session.peer_certificate

1845

2039

def fingerprint(openpgp):

1846

2040

"Convert an OpenPGP bytestring to a hexdigit fingerprint"

1847

2041

# New GnuTLS "datum" with the OpenPGP public key

1848

datum = (gnutls.library.types

1849

.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),

1850

ctypes.POINTER

1851

(ctypes.c_ubyte)),

1852

ctypes.c_uint(len(openpgp))))

2042

datum = gnutls.library.types.gnutls_datum_t(

2043

ctypes.cast(ctypes.c_char_p(openpgp),

2044

ctypes.POINTER(ctypes.c_ubyte)),

2045

ctypes.c_uint(len(openpgp)))

1853

2046

# New empty GnuTLS certificate

1854

2047

crt = gnutls.library.types.gnutls_openpgp_crt_t()

1855

(gnutls.library.functions

1856

.gnutls_openpgp_crt_init(ctypes.byref(crt)))

2048

gnutls.library.functions.gnutls_openpgp_crt_init(

2049

ctypes.byref(crt))

1857

2050

# Import the OpenPGP public key into the certificate

1858

(gnutls.library.functions

1859

.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),

1860

gnutls.library.constants

1861

.GNUTLS_OPENPGP_FMT_RAW))

2051

gnutls.library.functions.gnutls_openpgp_crt_import(

2052

crt, ctypes.byref(datum),

2053

gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)

1862

2054

# Verify the self signature in the key

1863

2055

crtverify = ctypes.c_uint()

1864

(gnutls.library.functions

1865

.gnutls_openpgp_crt_verify_self(crt, 0,

1866

ctypes.byref(crtverify)))

2056

gnutls.library.functions.gnutls_openpgp_crt_verify_self(

2057

crt, 0, ctypes.byref(crtverify))

1867

2058

if crtverify.value != 0:

1868

2059

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

1869

raise (gnutls.errors.CertificateSecurityError

1870

("Verify failed"))

2060

raise gnutls.errors.CertificateSecurityError(

2061

"Verify failed")

1871

2062

# New buffer for the fingerprint

1872

2063

buf = ctypes.create_string_buffer(20)

1873

2064

buf_len = ctypes.c_size_t()

1874

2065

# Get the fingerprint from the certificate into the buffer

1875

(gnutls.library.functions

1876

.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),

1877

ctypes.byref(buf_len)))

2066

gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(

2067

crt, ctypes.byref(buf), ctypes.byref(buf_len))

1878

2068

# Deinit the certificate

1879

2069

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

1880

2070

# Convert the buffer to a Python bytestring

1886

2076

1887

2077

class MultiprocessingMixIn(object):

1888

2078

"""Like socketserver.ThreadingMixIn, but with multiprocessing"""

2079

1889

2080

def sub_process_main(self, request, address):

1890

2081

try:

1891

2082

self.finish_request(request, address)

1903

2094

1904

2095

class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):

1905

2096

""" adds a pipe to the MixIn """

2097

1906

2098

def process_request(self, request, client_address):

1907

2099

"""Overrides and wraps the original process_request().

1908

2100

1929

2121

interface: None or a network interface name (string)

1930

2122

use_ipv6: Boolean; to use IPv6 or not

1931

2123

"""

2124

1932

2125

def __init__(self, server_address, RequestHandlerClass,

1933

interface=None, use_ipv6=True, socketfd=None):

2126

interface=None,

2127

use_ipv6=True,

2128

socketfd=None):

1934

2129

"""If socketfd is set, use that file descriptor instead of

1935

2130

creating a new one with socket.socket().

1936

2131

"""

1977

2172

self.interface)

1978

2173

else:

1979

2174

try:

1980

self.socket.setsockopt(socket.SOL_SOCKET,

1981

SO_BINDTODEVICE,

1982

str(self.interface + '\0'))

2175

self.socket.setsockopt(

2176

socket.SOL_SOCKET, SO_BINDTODEVICE,

2177

(self.interface + "\0").encode("utf-8"))

1983

2178

except socket.error as error:

1984

2179

if error.errno == errno.EPERM:

1985

2180

logger.error("No permission to bind to"

2003

2198

self.server_address = (any_address,

2004

2199

self.server_address[1])

2005

2200

elif not self.server_address[1]:

2006

self.server_address = (self.server_address[0],

2007

0)

2201

self.server_address = (self.server_address[0], 0)

2008

2202

# if self.interface:

2009

2203

# self.server_address = (self.server_address[0],

2010

2204

# 0, # port

2024

2218

2025

2219

Assumes a gobject.MainLoop event loop.

2026

2220

"""

2221

2027

2222

def __init__(self, server_address, RequestHandlerClass,

2028

interface=None, use_ipv6=True, clients=None,

2029

gnutls_priority=None, use_dbus=True, socketfd=None):

2223

interface=None,

2224

use_ipv6=True,

2225

clients=None,

2226

gnutls_priority=None,

2227

use_dbus=True,

2228

socketfd=None):

2030

2229

self.enabled = False

2031

2230

self.clients = clients

2032

2231

if self.clients is None:

2038

2237

interface = interface,

2039

2238

use_ipv6 = use_ipv6,

2040

2239

socketfd = socketfd)

2240

2041

2241

def server_activate(self):

2042

2242

if self.enabled:

2043

2243

return socketserver.TCPServer.server_activate(self)

2047

2247

2048

2248

def add_pipe(self, parent_pipe, proc):

2049

2249

# Call "handle_ipc" for both data and EOF events

2050

gobject.io_add_watch(parent_pipe.fileno(),

2051

gobject.IO_IN | gobject.IO_HUP,

2052

functools.partial(self.handle_ipc,

2053

parent_pipe =

2054

parent_pipe,

2055

proc = proc))

2250

gobject.io_add_watch(

2251

parent_pipe.fileno(),

2252

gobject.IO_IN | gobject.IO_HUP,

2253

functools.partial(self.handle_ipc,

2254

parent_pipe = parent_pipe,

2255

proc = proc))

2056

2256

2057

def handle_ipc(self, source, condition, parent_pipe=None,

2058

proc = None, client_object=None):

2257

def handle_ipc(self, source, condition,

2258

parent_pipe=None,

2259

proc = None,

2260

client_object=None):

2059

2261

# error, or the other end of multiprocessing.Pipe has closed

2060

2262

if condition & (gobject.IO_ERR | gobject.IO_HUP):

2061

2263

# Wait for other process to exit

2084

2286

parent_pipe.send(False)

2085

2287

return False

2086

2288

2087

gobject.io_add_watch(parent_pipe.fileno(),

2088

gobject.IO_IN | gobject.IO_HUP,

2089

functools.partial(self.handle_ipc,

2090

parent_pipe =

2091

parent_pipe,

2092

proc = proc,

2093

client_object =

2094

client))

2289

gobject.io_add_watch(

2290

parent_pipe.fileno(),

2291

gobject.IO_IN | gobject.IO_HUP,

2292

functools.partial(self.handle_ipc,

2293

parent_pipe = parent_pipe,

2294

proc = proc,

2295

client_object = client))

2095

2296

parent_pipe.send(True)

2096

2297

# remove the old hook in favor of the new above hook on

2097

2298

# same fileno

2103

2304

2104

2305

parent_pipe.send(('data', getattr(client_object,

2105

2306

funcname)(*args,

2106

**kwargs)))

2307

**kwargs)))

2107

2308

2108

2309

if command == 'getattr':

2109

2310

attrname = request[1]

2110

if callable(client_object.__getattribute__(attrname)):

2111

parent_pipe.send(('function',))

2311

if isinstance(client_object.__getattribute__(attrname),

2312

collections.Callable):

2313

parent_pipe.send(('function', ))

2112

2314

else:

2113

parent_pipe.send(('data', client_object

2114

.__getattribute__(attrname)))

2315

parent_pipe.send((

2316

'data', client_object.__getattribute__(attrname)))

2115

2317

2116

2318

if command == 'setattr':

2117

2319

attrname = request[1]

2148

2350

# avoid excessive use of external libraries.

2149

2351

2150

2352

# New type for defining tokens, syntax, and semantics all-in-one

2151

Token = collections.namedtuple("Token",

2152

("regexp", # To match token; if

2153

# "value" is not None,

2154

# must have a "group"

2155

# containing digits

2156

"value", # datetime.timedelta or

2157

# None

2158

"followers")) # Tokens valid after

2159

# this token

2353

Token = collections.namedtuple("Token", (

2354

"regexp", # To match token; if "value" is not None, must have

2355

# a "group" containing digits

2356

"value", # datetime.timedelta or None

2357

"followers")) # Tokens valid after this token

2160

2358

# RFC 3339 "duration" tokens, syntax, and semantics; taken from

2161

2359

# the "duration" ABNF definition in RFC 3339, Appendix A.

2162

2360

token_end = Token(re.compile(r"$"), None, frozenset())

2163

2361

token_second = Token(re.compile(r"(\d+)S"),

2164

2362

datetime.timedelta(seconds=1),

2165

frozenset((token_end,)))

2363

frozenset((token_end, )))

2166

2364

token_minute = Token(re.compile(r"(\d+)M"),

2167

2365

datetime.timedelta(minutes=1),

2168

2366

frozenset((token_second, token_end)))

2184

2382

frozenset((token_month, token_end)))

2185

2383

token_week = Token(re.compile(r"(\d+)W"),

2186

2384

datetime.timedelta(weeks=1),

2187

frozenset((token_end,)))

2385

frozenset((token_end, )))

2188

2386

token_duration = Token(re.compile(r"P"), None,

2189

2387

frozenset((token_year, token_month,

2190

2388

token_day, token_time,

2191

token_week))),

2389

token_week)))

2192

2390

# Define starting values

2193

2391

value = datetime.timedelta() # Value so far

2194

2392

found_token = None

2195

followers = frozenset(token_duration,) # Following valid tokens

2393

followers = frozenset((token_duration, )) # Following valid tokens

2196

2394

s = duration # String left to parse

2197

2395

# Loop until end token is found

2198

2396

while found_token is not token_end:

2215

2413

break

2216

2414

else:

2217

2415

# No currently valid tokens were found

2218

raise ValueError("Invalid RFC 3339 duration")

2416

raise ValueError("Invalid RFC 3339 duration: {!r}"

2417

.format(duration))

2219

2418

# End token found

2220

2419

return value

2221

2420

2245

2444

timevalue = datetime.timedelta(0)

2246

2445

for s in interval.split():

2247

2446

try:

2248

suffix = unicode(s[-1])

2447

suffix = s[-1]

2249

2448

value = int(s[:-1])

2250

2449

if suffix == "d":

2251

2450

delta = datetime.timedelta(value)

2258

2457

elif suffix == "w":

2259

2458

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

2260

2459

else:

2261

raise ValueError("Unknown suffix {0!r}"

2262

.format(suffix))

2460

raise ValueError("Unknown suffix {!r}".format(suffix))

2263

2461

except IndexError as e:

2264

2462

raise ValueError(*(e.args))

2265

2463

timevalue += delta

2282

2480

null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)

2283

2481

if not stat.S_ISCHR(os.fstat(null).st_mode):

2284

2482

raise OSError(errno.ENODEV,

2285

"{0} not a character device"

2483

"{} not a character device"

2286

2484

.format(os.devnull))

2287

2485

os.dup2(null, sys.stdin.fileno())

2288

2486

os.dup2(null, sys.stdout.fileno())

2298

2496

2299

2497

parser = argparse.ArgumentParser()

2300

2498

parser.add_argument("-v", "--version", action="version",

2301

version = "%(prog)s {0}".format(version),

2499

version = "%(prog)s {}".format(version),

2302

2500

help="show version number and exit")

2303

2501

parser.add_argument("-i", "--interface", metavar="IF",

2304

2502

help="Bind to interface IF")

2337

2535

help="Directory to save/restore state in")

2338

2536

parser.add_argument("--foreground", action="store_true",

2339

2537

help="Run in foreground", default=None)

2538

parser.add_argument("--no-zeroconf", action="store_false",

2539

dest="zeroconf", help="Do not use Zeroconf",

2540

default=None)

2340

2541

2341

2542

options = parser.parse_args()

2342

2543

2351

2552

"port": "",

2352

2553

"debug": "False",

2353

2554

"priority":

2354

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",

2555

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"

2556

":+SIGN-DSA-SHA256",

2355

2557

"servicename": "Mandos",

2356

2558

"use_dbus": "True",

2357

2559

"use_ipv6": "True",

2360

2562

"socket": "",

2361

2563

"statedir": "/var/lib/mandos",

2362

2564

"foreground": "False",

2363

}

2565

"zeroconf": "True",

2566

}

2364

2567

2365

2568

# Parse config file for server-global settings

2366

2569

server_config = configparser.SafeConfigParser(server_defaults)

2367

2570

del server_defaults

2368

server_config.read(os.path.join(options.configdir,

2369

"mandos.conf"))

2571

server_config.read(os.path.join(options.configdir, "mandos.conf"))

2370

2572

# Convert the SafeConfigParser object to a dict

2371

2573

server_settings = server_config.defaults()

2372

2574

# Use the appropriate methods on the non-string config options

2390

2592

# Override the settings from the config file with command line

2391

2593

# options, if set.

2392

2594

for option in ("interface", "address", "port", "debug",

2393

"priority", "servicename", "configdir",

2394

"use_dbus", "use_ipv6", "debuglevel", "restore",

2395

"statedir", "socket", "foreground"):

2595

"priority", "servicename", "configdir", "use_dbus",

2596

"use_ipv6", "debuglevel", "restore", "statedir",

2597

"socket", "foreground", "zeroconf"):

2396

2598

value = getattr(options, option)

2397

2599

if value is not None:

2398

2600

server_settings[option] = value

2399

2601

del options

2400

2602

# Force all strings to be unicode

2401

2603

for option in server_settings.keys():

2402

if type(server_settings[option]) is str:

2403

server_settings[option] = unicode(server_settings[option])

2604

if isinstance(server_settings[option], bytes):

2605

server_settings[option] = (server_settings[option]

2606

.decode("utf-8"))

2404

2607

# Force all boolean options to be boolean

2405

2608

for option in ("debug", "use_dbus", "use_ipv6", "restore",

2406

"foreground"):

2609

"foreground", "zeroconf"):

2407

2610

server_settings[option] = bool(server_settings[option])

2408

2611

# Debug implies foreground

2409

2612

if server_settings["debug"]:

2412

2615

2413

2616

##################################################################

2414

2617

2618

if (not server_settings["zeroconf"]

2619

and not (server_settings["port"]

2620

or server_settings["socket"] != "")):

2621

parser.error("Needs port or socket to work without Zeroconf")

2622

2415

2623

# For convenience

2416

2624

debug = server_settings["debug"]

2417

2625

debuglevel = server_settings["debuglevel"]

2420

2628

stored_state_path = os.path.join(server_settings["statedir"],

2421

2629

stored_state_file)

2422

2630

foreground = server_settings["foreground"]

2631

zeroconf = server_settings["zeroconf"]

2423

2632

2424

2633

if debug:

2425

2634

initlogger(debug, logging.DEBUG)

2431

2640

initlogger(debug, level)

2432

2641

2433

2642

if server_settings["servicename"] != "Mandos":

2434

syslogger.setFormatter(logging.Formatter

2435

('Mandos ({0}) [%(process)d]:'

2436

' %(levelname)s: %(message)s'

2437

.format(server_settings

2438

["servicename"])))

2643

syslogger.setFormatter(

2644

logging.Formatter('Mandos ({}) [%(process)d]:'

2645

' %(levelname)s: %(message)s'.format(

2646

server_settings["servicename"])))

2439

2647

2440

2648

# Parse config file with clients

2441

2649

client_config = configparser.SafeConfigParser(Client

2446

2654

global mandos_dbus_service

2447

2655

mandos_dbus_service = None

2448

2656

2449

tcp_server = MandosServer((server_settings["address"],

2450

server_settings["port"]),

2451

ClientHandler,

2452

interface=(server_settings["interface"]

2453

or None),

2454

use_ipv6=use_ipv6,

2455

gnutls_priority=

2456

server_settings["priority"],

2457

use_dbus=use_dbus,

2458

socketfd=(server_settings["socket"]

2459

or None))

2657

socketfd = None

2658

if server_settings["socket"] != "":

2659

socketfd = server_settings["socket"]

2660

tcp_server = MandosServer(

2661

(server_settings["address"], server_settings["port"]),

2662

ClientHandler,

2663

interface=(server_settings["interface"] or None),

2664

use_ipv6=use_ipv6,

2665

gnutls_priority=server_settings["priority"],

2666

use_dbus=use_dbus,

2667

socketfd=socketfd)

2460

2668

if not foreground:

2461

2669

pidfilename = "/run/mandos.pid"

2462

2670

if not os.path.isdir("/run/."):

2463

2671

pidfilename = "/var/run/mandos.pid"

2464

2672

pidfile = None

2465

2673

try:

2466

pidfile = open(pidfilename, "w")

2674

pidfile = codecs.open(pidfilename, "w", encoding="utf-8")

2467

2675

except IOError as e:

2468

2676

logger.error("Could not open file %r", pidfilename,

2469

2677

exc_info=e)

2496

2704

def debug_gnutls(level, string):

2497

2705

logger.debug("GnuTLS: %s", string[:-1])

2498

2706

2499

(gnutls.library.functions

2500

.gnutls_global_set_log_function(debug_gnutls))

2707

gnutls.library.functions.gnutls_global_set_log_function(

2708

debug_gnutls)

2501

2709

2502

2710

# Redirect stdin so all checkers get /dev/null

2503

2711

null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)

2523

2731

if use_dbus:

2524

2732

try:

2525

2733

bus_name = dbus.service.BusName("se.recompile.Mandos",

2526

bus, do_not_queue=True)

2527

old_bus_name = (dbus.service.BusName

2528

("se.bsnet.fukt.Mandos", bus,

2529

do_not_queue=True))

2530

except dbus.exceptions.NameExistsException as e:

2734

bus,

2735

do_not_queue=True)

2736

old_bus_name = dbus.service.BusName(

2737

"se.bsnet.fukt.Mandos", bus,

2738

do_not_queue=True)

2739

except dbus.exceptions.DBusException as e:

2531

2740

logger.error("Disabling D-Bus:", exc_info=e)

2532

2741

use_dbus = False

2533

2742

server_settings["use_dbus"] = False

2534

2743

tcp_server.use_dbus = False

2535

protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET

2536

service = AvahiServiceToSyslog(name =

2537

server_settings["servicename"],

2538

servicetype = "_mandos._tcp",

2539

protocol = protocol, bus = bus)

2540

if server_settings["interface"]:

2541

service.interface = (if_nametoindex

2542

(str(server_settings["interface"])))

2744

if zeroconf:

2745

protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET

2746

service = AvahiServiceToSyslog(

2747

name = server_settings["servicename"],

2748

servicetype = "_mandos._tcp",

2749

protocol = protocol,

2750

bus = bus)

2751

if server_settings["interface"]:

2752

service.interface = if_nametoindex(

2753

server_settings["interface"].encode("utf-8"))

2543

2754

2544

2755

global multiprocessing_manager

2545

2756

multiprocessing_manager = multiprocessing.Manager()

2564

2775

if server_settings["restore"]:

2565

2776

try:

2566

2777

with open(stored_state_path, "rb") as stored_state:

2567

clients_data, old_client_settings = (pickle.load

2568

(stored_state))

2778

clients_data, old_client_settings = pickle.load(

2779

stored_state)

2569

2780

os.remove(stored_state_path)

2570

2781

except IOError as e:

2571

2782

if e.errno == errno.ENOENT:

2572

logger.warning("Could not load persistent state: {0}"

2573

.format(os.strerror(e.errno)))

2783

logger.warning("Could not load persistent state:"

2784

" {}".format(os.strerror(e.errno)))

2574

2785

else:

2575

2786

logger.critical("Could not load persistent state:",

2576

2787

exc_info=e)

2577

2788

raise

2578

2789

except EOFError as e:

2579

2790

logger.warning("Could not load persistent state: "

2580

"EOFError:", exc_info=e)

2791

"EOFError:",

2792

exc_info=e)

2581

2793

2582

2794

with PGPEngine() as pgp:

2583

for client_name, client in clients_data.iteritems():

2795

for client_name, client in clients_data.items():

2584

2796

# Skip removed clients

2585

2797

if client_name not in client_settings:

2586

2798

continue

2595

2807

# For each value in new config, check if it

2596

2808

# differs from the old config value (Except for

2597

2809

# the "secret" attribute)

2598

if (name != "secret" and

2599

value != old_client_settings[client_name]

2600

[name]):

2810

if (name != "secret"

2811

and (value !=

2812

old_client_settings[client_name][name])):

2601

2813

client[name] = value

2602

2814

except KeyError:

2603

2815

pass

2604

2816

2605

2817

# Clients who has passed its expire date can still be

2606

# enabled if its last checker was successful. Clients

2818

# enabled if its last checker was successful. A Client

2607

2819

# whose checker succeeded before we stored its state is

2608

2820

# assumed to have successfully run all checkers during

2609

2821

# downtime.

2611

2823

if datetime.datetime.utcnow() >= client["expires"]:

2612

2824

if not client["last_checked_ok"]:

2613

2825

logger.warning(

2614

"disabling client {0} - Client never "

2615

"performed a successful checker"

2616

.format(client_name))

2826

"disabling client {} - Client never "

2827

"performed a successful checker".format(

2828

client_name))

2617

2829

client["enabled"] = False

2618

2830

elif client["last_checker_status"] != 0:

2619

2831

logger.warning(

2620

"disabling client {0} - Client "

2621

"last checker failed with error code {1}"

2622

.format(client_name,

2623

client["last_checker_status"]))

2832

"disabling client {} - Client last"

2833

" checker failed with error code"

2834

" {}".format(

2835

client_name,

2836

client["last_checker_status"]))

2624

2837

client["enabled"] = False

2625

2838

else:

2626

client["expires"] = (datetime.datetime

2627

.utcnow()

2628

+ client["timeout"])

2839

client["expires"] = (

2840

datetime.datetime.utcnow()

2841

+ client["timeout"])

2629

2842

logger.debug("Last checker succeeded,"

2630

" keeping {0} enabled"

2631

.format(client_name))

2843

" keeping {} enabled".format(

2844

client_name))

2632

2845

try:

2633

client["secret"] = (

2634

pgp.decrypt(client["encrypted_secret"],

2635

client_settings[client_name]

2636

["secret"]))

2846

client["secret"] = pgp.decrypt(

2847

client["encrypted_secret"],

2848

client_settings[client_name]["secret"])

2637

2849

except PGPError:

2638

2850

# If decryption fails, we use secret from new settings

2639

logger.debug("Failed to decrypt {0} old secret"

2640

.format(client_name))

2641

client["secret"] = (

2642

client_settings[client_name]["secret"])

2851

logger.debug("Failed to decrypt {} old secret".format(

2852

client_name))

2853

client["secret"] = (client_settings[client_name]

2854

["secret"])

2643

2855

2644

2856

# Add/remove clients based on new changes made to config

2645

2857

for client_name in (set(old_client_settings)

2650

2862

clients_data[client_name] = client_settings[client_name]

2651

2863

2652

2864

# Create all client objects

2653

for client_name, client in clients_data.iteritems():

2865

for client_name, client in clients_data.items():

2654

2866

tcp_server.clients[client_name] = client_class(

2655

name = client_name, settings = client,

2867

name = client_name,

2868

settings = client,

2656

2869

server_settings = server_settings)

2657

2870

2658

2871

if not tcp_server.clients:

2660

2873

2661

2874

if not foreground:

2662

2875

if pidfile is not None:

2876

pid = os.getpid()

2663

2877

try:

2664

2878

with pidfile:

2665

pid = os.getpid()

2666

pidfile.write(str(pid) + "\n".encode("utf-8"))

2879

print(pid, file=pidfile)

2667

2880

except IOError:

2668

2881

logger.error("Could not write to file %r with PID %d",

2669

2882

pidfilename, pid)

2674

2887

signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())

2675

2888

2676

2889

if use_dbus:

2677

@alternate_dbus_interfaces({"se.recompile.Mandos":

2678

"se.bsnet.fukt.Mandos"})

2679

class MandosDBusService(DBusObjectWithProperties):

2890

2891

@alternate_dbus_interfaces(

2892

{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })

2893

class MandosDBusService(DBusObjectWithObjectManager):

2680

2894

"""A D-Bus proxy object"""

2895

2681

2896

def __init__(self):

2682

2897

dbus.service.Object.__init__(self, bus, "/")

2898

2683

2899

_interface = "se.recompile.Mandos"

2684

2900

2685

@dbus_interface_annotations(_interface)

2686

def _foo(self):

2687

return { "org.freedesktop.DBus.Property"

2688

".EmitsChangedSignal":

2689

"false"}

2690

2691

2901

@dbus.service.signal(_interface, signature="o")

2692

2902

def ClientAdded(self, objpath):

2693

2903

"D-Bus signal"

2698

2908

"D-Bus signal"

2699

2909

pass

2700

2910

2911

@dbus_annotations({"org.freedesktop.DBus.Deprecated":

2912

"true"})

2701

2913

@dbus.service.signal(_interface, signature="os")

2702

2914

def ClientRemoved(self, objpath, name):

2703

2915

"D-Bus signal"

2704

2916

pass

2705

2917

2918

@dbus_annotations({"org.freedesktop.DBus.Deprecated":

2919

"true"})

2706

2920

@dbus.service.method(_interface, out_signature="ao")

2707

2921

def GetAllClients(self):

2708

2922

"D-Bus method"

2709

return dbus.Array(c.dbus_object_path

2710

for c in

2923

return dbus.Array(c.dbus_object_path for c in

2711

2924

tcp_server.clients.itervalues())

2712

2925

2926

@dbus_annotations({"org.freedesktop.DBus.Deprecated":

2927

"true"})

2713

2928

@dbus.service.method(_interface,

2714

2929

out_signature="a{oa{sv}}")

2715

2930

def GetAllClientsWithProperties(self):

2716

2931

"D-Bus method"

2717

2932

return dbus.Dictionary(

2718

((c.dbus_object_path, c.GetAll(""))

2719

for c in tcp_server.clients.itervalues()),

2933

{ c.dbus_object_path: c.GetAll(

2934

"se.recompile.Mandos.Client")

2935

for c in tcp_server.clients.itervalues() },

2720

2936

signature="oa{sv}")

2721

2937

2722

2938

@dbus.service.method(_interface, in_signature="o")

2726

2942

if c.dbus_object_path == object_path:

2727

2943

del tcp_server.clients[c.name]

2728

2944

c.remove_from_connection()

2729

# Don't signal anything except ClientRemoved

2945

# Don't signal the disabling

2730

2946

c.disable(quiet=True)

2731

# Emit D-Bus signal

2732

self.ClientRemoved(object_path, c.name)

2947

# Emit D-Bus signal for removal

2948

self.client_removed_signal(c)

2733

2949

return

2734

2950

raise KeyError(object_path)

2735

2951

2736

2952

del _interface

2953

2954

@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,

2955

out_signature = "a{oa{sa{sv}}}")

2956

def GetManagedObjects(self):

2957

"""D-Bus method"""

2958

return dbus.Dictionary(

2959

{ client.dbus_object_path:

2960

dbus.Dictionary(

2961

{ interface: client.GetAll(interface)

2962

for interface in

2963

client._get_all_interface_names()})

2964

for client in tcp_server.clients.values()})

2965

2966

def client_added_signal(self, client):

2967

"""Send the new standard signal and the old signal"""

2968

if use_dbus:

2969

# New standard signal

2970

self.InterfacesAdded(

2971

client.dbus_object_path,

2972

dbus.Dictionary(

2973

{ interface: client.GetAll(interface)

2974

for interface in

2975

client._get_all_interface_names()}))

2976

# Old signal

2977

self.ClientAdded(client.dbus_object_path)

2978

2979

def client_removed_signal(self, client):

2980

"""Send the new standard signal and the old signal"""

2981

if use_dbus:

2982

# New standard signal

2983

self.InterfacesRemoved(

2984

client.dbus_object_path,

2985

client._get_all_interface_names())

2986

# Old signal

2987

self.ClientRemoved(client.dbus_object_path,

2988

client.name)

2737

2989

2738

2990

mandos_dbus_service = MandosDBusService()

2739

2991

2740

2992

def cleanup():

2741

2993

"Cleanup function; run on exit"

2742

service.cleanup()

2994

if zeroconf:

2995

service.cleanup()

2743

2996

2744

2997

multiprocessing.active_children()

2745

2998

wnull.close()

2759

3012

2760

3013

# A list of attributes that can not be pickled

2761

3014

# + secret.

2762

exclude = set(("bus", "changedstate", "secret",

2763

"checker", "server_settings"))

2764

for name, typ in (inspect.getmembers

2765

(dbus.service.Object)):

3015

exclude = { "bus", "changedstate", "secret",

3016

"checker", "server_settings" }

3017

for name, typ in inspect.getmembers(dbus.service

3018

.Object):

2766

3019

exclude.add(name)

2767

3020

2768

3021

client_dict["encrypted_secret"] = (client

2775

3028

del client_settings[client.name]["secret"]

2776

3029

2777

3030

try:

2778

with (tempfile.NamedTemporaryFile

2779

(mode='wb', suffix=".pickle", prefix='clients-',

2780

dir=os.path.dirname(stored_state_path),

2781

delete=False)) as stored_state:

3031

with tempfile.NamedTemporaryFile(

3032

mode='wb',

3033

suffix=".pickle",

3034

prefix='clients-',

3035

dir=os.path.dirname(stored_state_path),

3036

delete=False) as stored_state:

2782

3037

pickle.dump((clients, client_settings), stored_state)

2783

tempname=stored_state.name

3038

tempname = stored_state.name

2784

3039

os.rename(tempname, stored_state_path)

2785

3040

except (IOError, OSError) as e:

2786

3041

if not debug:

2789

3044

except NameError:

2790

3045

pass

2791

3046

if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):

2792

logger.warning("Could not save persistent state: {0}"

3047

logger.warning("Could not save persistent state: {}"

2793

3048

.format(os.strerror(e.errno)))

2794

3049

else:

2795

3050

logger.warning("Could not save persistent state:",

2801

3056

name, client = tcp_server.clients.popitem()

2802

3057

if use_dbus:

2803

3058

client.remove_from_connection()

2804

# Don't signal anything except ClientRemoved

3059

# Don't signal the disabling

2805

3060

client.disable(quiet=True)

2806

if use_dbus:

2807

# Emit D-Bus signal

2808

mandos_dbus_service.ClientRemoved(client

2809

.dbus_object_path,

2810

client.name)

3061

# Emit D-Bus signal for removal

3062

mandos_dbus_service.client_removed_signal(client)

2811

3063

client_settings.clear()

2812

3064

2813

3065

atexit.register(cleanup)

2814

3066

2815

3067

for client in tcp_server.clients.itervalues():

2816

3068

if use_dbus:

2817

# Emit D-Bus signal

2818

mandos_dbus_service.ClientAdded(client.dbus_object_path)

3069

# Emit D-Bus signal for adding

3070

mandos_dbus_service.client_added_signal(client)

2819

3071

# Need to initiate checking of clients

2820

3072

if client.enabled:

2821

3073

client.init_checker()

2824

3076

tcp_server.server_activate()

2825

3077

2826

3078

# Find out what port we got

2827

service.port = tcp_server.socket.getsockname()[1]

3079

if zeroconf:

3080

service.port = tcp_server.socket.getsockname()[1]

2828

3081

if use_ipv6:

2829

3082

logger.info("Now listening on address %r, port %d,"

2830

3083

" flowinfo %d, scope_id %d",

2836

3089

#service.interface = tcp_server.socket.getsockname()[3]

2837

3090

2838

3091

try:

2839

# From the Avahi example code

2840

try:

2841

service.activate()

2842

except dbus.exceptions.DBusException as error:

2843

logger.critical("D-Bus Exception", exc_info=error)

2844

cleanup()

2845

sys.exit(1)

2846

# End of Avahi example code

3092

if zeroconf:

3093

# From the Avahi example code

3094

try:

3095

service.activate()

3096

except dbus.exceptions.DBusException as error:

3097

logger.critical("D-Bus Exception", exc_info=error)

3098

cleanup()

3099

sys.exit(1)

3100

# End of Avahi example code

2847

3101

2848

3102

gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,

2849

3103

lambda *args, **kwargs:

2864

3118

# Must run before the D-Bus bus name gets deregistered

2865

3119

cleanup()

2866

3120

3121

2867

3122

if __name__ == '__main__':

2868

3123

main()