To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.349
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.349
- Committer: Teddy Hogeborn
- Date: 2016-02-28 03:01:43 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 331.
- Revision ID: teddy@recompile.se-20160228030143-i6w90r7wzkvlx9kq
Stop using python-gnutls. Use GnuTLS 3.3 or later directly.
* INSTALL: Document dependency on GnuTLS 3.3 and remove dependency on
Python-GnuTLS.
* debian/control (Source: mandos/Build-Depends): Add (>= 3.3.0) to
"libgnutls28-dev" and
"gnutls-dev".
(Source: mandos/Build-Depends-Indep): Remove "python2.7-gnutls".
(Package: mandos/Depends): Remove "python-gnutls" and
"python2.7-gnutls", add "libgnutls28-dev
(>= 3.3.0) | libgnutls30 (>= 3.3.0)"
* mandos: Remove imports of "gnutls" and all submodules.
(GnuTLS, gnutls): New; simulate a "gnutls" module. Change all
callers to match new shorter names.
* INSTALL: Document dependency on GnuTLS 3.3 and remove dependency on
Python-GnuTLS.
* debian/control (Source: mandos/Build-Depends): Add (>= 3.3.0) to
"libgnutls28-dev" and
"gnutls-dev".
(Source: mandos/Build-Depends-Indep): Remove "python2.7-gnutls".
(Package: mandos/Depends): Remove "python-gnutls" and
"python2.7-gnutls", add "libgnutls28-dev
(>= 3.3.0) | libgnutls30 (>= 3.3.0)"
* mandos: Remove imports of "gnutls" and all submodules.
(GnuTLS, gnutls): New; simulate a "gnutls" module. Change all
callers to match new shorter names.
- files added:
- debian/upstream
- plugin-helpers
- files modified:
- DBUS-API
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2013 Teddy Hogeborn
15
# Copyright © 2008-2013 Björn Påhlsson
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
36
36
37
37
from future_builtins import *
38
38
39
import SocketServer as socketserver
39
try:
40
import SocketServer as socketserver
41
except ImportError:
42
import socketserver
40
43
import socket
41
44
import argparse
42
45
import datetime
43
46
import errno
44
import gnutls.crypto
45
import gnutls.connection
46
import gnutls.errors
47
import gnutls.library.functions
48
import gnutls.library.constants
49
import gnutls.library.types
50
import ConfigParser as configparser
47
try:
48
import ConfigParser as configparser
49
except ImportError:
50
import configparser
51
51
import sys
52
52
import re
53
53
import os
62
62
import struct
63
63
import fcntl
64
64
import functools
65
import cPickle as pickle
65
try:
66
import cPickle as pickle
67
except ImportError:
68
import pickle
66
69
import multiprocessing
67
70
import types
68
71
import binascii
69
72
import tempfile
70
73
import itertools
71
74
import collections
75
import codecs
72
76
73
77
import dbus
74
78
import dbus.service
75
import gobject
79
try:
80
import gobject
81
except ImportError:
82
from gi.repository import GObject as gobject
76
83
import avahi
77
84
from dbus.mainloop.glib import DBusGMainLoop
78
85
import ctypes
88
95
except ImportError:
89
96
SO_BINDTODEVICE = None
90
97
91
version = "1.6.1"
98
if sys.version_info.major == 2:
99
str = unicode
100
101
version = "1.7.1"
92
102
stored_state_file = "clients.pickle"
93
103
94
104
logger = logging.getLogger()
95
syslogger = (logging.handlers.SysLogHandler
96
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
97
address = str("/dev/log")))
105
syslogger = None
98
106
99
107
try:
100
if_nametoindex = (ctypes.cdll.LoadLibrary
101
(ctypes.util.find_library("c"))
102
.if_nametoindex)
108
if_nametoindex = ctypes.cdll.LoadLibrary(
109
ctypes.util.find_library("c")).if_nametoindex
103
110
except (OSError, AttributeError):
111
104
112
def if_nametoindex(interface):
105
113
"Get an interface index the hard way, i.e. using fcntl()"
106
114
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
107
115
with contextlib.closing(socket.socket()) as s:
108
116
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
109
struct.pack(str("16s16x"),
110
interface))
111
interface_index = struct.unpack(str("I"),
112
ifreq[16:20])[0]
117
struct.pack(b"16s16x", interface))
118
interface_index = struct.unpack("I", ifreq[16:20])[0]
113
119
return interface_index
114
120
115
121
116
122
def initlogger(debug, level=logging.WARNING):
117
123
"""init logger and add loglevel"""
118
124
125
global syslogger
126
syslogger = (logging.handlers.SysLogHandler(
127
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
128
address = "/dev/log"))
119
129
syslogger.setFormatter(logging.Formatter
120
130
('Mandos [%(process)d]: %(levelname)s:'
121
131
' %(message)s'))
138
148
139
149
class PGPEngine(object):
140
150
"""A simple class for OpenPGP symmetric encryption & decryption"""
151
141
152
def __init__(self):
142
153
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
143
154
self.gnupgargs = ['--batch',
182
193
183
194
def encrypt(self, data, password):
184
195
passphrase = self.password_encode(password)
185
with tempfile.NamedTemporaryFile(dir=self.tempdir
186
) as passfile:
196
with tempfile.NamedTemporaryFile(
197
dir=self.tempdir) as passfile:
187
198
passfile.write(passphrase)
188
199
passfile.flush()
189
200
proc = subprocess.Popen(['gpg', '--symmetric',
200
211
201
212
def decrypt(self, data, password):
202
213
passphrase = self.password_encode(password)
203
with tempfile.NamedTemporaryFile(dir = self.tempdir
204
) as passfile:
214
with tempfile.NamedTemporaryFile(
215
dir = self.tempdir) as passfile:
205
216
passfile.write(passphrase)
206
217
passfile.flush()
207
218
proc = subprocess.Popen(['gpg', '--decrypt',
211
222
stdin = subprocess.PIPE,
212
223
stdout = subprocess.PIPE,
213
224
stderr = subprocess.PIPE)
214
decrypted_plaintext, err = proc.communicate(input
215
= data)
225
decrypted_plaintext, err = proc.communicate(input = data)
216
226
if proc.returncode != 0:
217
227
raise PGPError(err)
218
228
return decrypted_plaintext
221
231
class AvahiError(Exception):
222
232
def __init__(self, value, *args, **kwargs):
223
233
self.value = value
224
super(AvahiError, self).__init__(value, *args, **kwargs)
225
def __unicode__(self):
226
return unicode(repr(self.value))
234
return super(AvahiError, self).__init__(value, *args,
235
**kwargs)
236
227
237
228
238
class AvahiServiceError(AvahiError):
229
239
pass
230
240
241
231
242
class AvahiGroupError(AvahiError):
232
243
pass
233
244
253
264
bus: dbus.SystemBus()
254
265
"""
255
266
256
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
257
servicetype = None, port = None, TXT = None,
258
domain = "", host = "", max_renames = 32768,
259
protocol = avahi.PROTO_UNSPEC, bus = None):
267
def __init__(self,
268
interface = avahi.IF_UNSPEC,
269
name = None,
270
servicetype = None,
271
port = None,
272
TXT = None,
273
domain = "",
274
host = "",
275
max_renames = 32768,
276
protocol = avahi.PROTO_UNSPEC,
277
bus = None):
260
278
self.interface = interface
261
279
self.name = name
262
280
self.type = servicetype
272
290
self.bus = bus
273
291
self.entry_group_state_changed_match = None
274
292
275
def rename(self):
293
def rename(self, remove=True):
276
294
"""Derived from the Avahi example code"""
277
295
if self.rename_count >= self.max_renames:
278
296
logger.critical("No suitable Zeroconf service name found"
279
297
" after %i retries, exiting.",
280
298
self.rename_count)
281
299
raise AvahiServiceError("Too many renames")
282
self.name = unicode(self.server
283
.GetAlternativeServiceName(self.name))
300
self.name = str(
301
self.server.GetAlternativeServiceName(self.name))
302
self.rename_count += 1
284
303
logger.info("Changing Zeroconf service name to %r ...",
285
304
self.name)
286
self.remove()
305
if remove:
306
self.remove()
287
307
try:
288
308
self.add()
289
309
except dbus.exceptions.DBusException as error:
290
logger.critical("D-Bus Exception", exc_info=error)
291
self.cleanup()
292
os._exit(1)
293
self.rename_count += 1
310
if (error.get_dbus_name()
311
== "org.freedesktop.Avahi.CollisionError"):
312
logger.info("Local Zeroconf service name collision.")
313
return self.rename(remove=False)
314
else:
315
logger.critical("D-Bus Exception", exc_info=error)
316
self.cleanup()
317
os._exit(1)
294
318
295
319
def remove(self):
296
320
"""Derived from the Avahi example code"""
334
358
self.rename()
335
359
elif state == avahi.ENTRY_GROUP_FAILURE:
336
360
logger.critical("Avahi: Error in group state changed %s",
337
unicode(error))
338
raise AvahiGroupError("State changed: {0!s}"
339
.format(error))
361
str(error))
362
raise AvahiGroupError("State changed: {!s}".format(error))
340
363
341
364
def cleanup(self):
342
365
"""Derived from the Avahi example code"""
352
375
def server_state_changed(self, state, error=None):
353
376
"""Derived from the Avahi example code"""
354
377
logger.debug("Avahi server state change: %i", state)
355
bad_states = { avahi.SERVER_INVALID:
356
"Zeroconf server invalid",
357
avahi.SERVER_REGISTERING: None,
358
avahi.SERVER_COLLISION:
359
"Zeroconf server name collision",
360
avahi.SERVER_FAILURE:
361
"Zeroconf server failure" }
378
bad_states = {
379
avahi.SERVER_INVALID: "Zeroconf server invalid",
380
avahi.SERVER_REGISTERING: None,
381
avahi.SERVER_COLLISION: "Zeroconf server name collision",
382
avahi.SERVER_FAILURE: "Zeroconf server failure",
383
}
362
384
if state in bad_states:
363
385
if bad_states[state] is not None:
364
386
if error is None:
367
389
logger.error(bad_states[state] + ": %r", error)
368
390
self.cleanup()
369
391
elif state == avahi.SERVER_RUNNING:
370
self.add()
392
try:
393
self.add()
394
except dbus.exceptions.DBusException as error:
395
if (error.get_dbus_name()
396
== "org.freedesktop.Avahi.CollisionError"):
397
logger.info("Local Zeroconf service name"
398
" collision.")
399
return self.rename(remove=False)
400
else:
401
logger.critical("D-Bus Exception", exc_info=error)
402
self.cleanup()
403
os._exit(1)
371
404
else:
372
405
if error is None:
373
406
logger.debug("Unknown state: %r", state)
383
416
follow_name_owner_changes=True),
384
417
avahi.DBUS_INTERFACE_SERVER)
385
418
self.server.connect_to_signal("StateChanged",
386
self.server_state_changed)
419
self.server_state_changed)
387
420
self.server_state_changed(self.server.GetState())
388
421
389
422
390
423
class AvahiServiceToSyslog(AvahiService):
391
def rename(self):
424
def rename(self, *args, **kwargs):
392
425
"""Add the new name to the syslog messages"""
393
ret = AvahiService.rename(self)
394
syslogger.setFormatter(logging.Formatter
395
('Mandos ({0}) [%(process)d]:'
396
' %(levelname)s: %(message)s'
397
.format(self.name)))
426
ret = AvahiService.rename(self, *args, **kwargs)
427
syslogger.setFormatter(logging.Formatter(
428
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
429
.format(self.name)))
398
430
return ret
399
431
400
401
def timedelta_to_milliseconds(td):
402
"Convert a datetime.timedelta() to milliseconds"
403
return ((td.days * 24 * 60 * 60 * 1000)
404
+ (td.seconds * 1000)
405
+ (td.microseconds // 1000))
406
432
# Pretend that we have a GnuTLS module
433
class GnuTLS(object):
434
"""This isn't so much a class as it is a module-like namespace.
435
It is instantiated once, and simulates having a GnuTLS module."""
436
437
_library = ctypes.cdll.LoadLibrary(
438
ctypes.util.find_library("gnutls"))
439
_need_version = "3.3.0"
440
def __init__(self):
441
# Need to use class name "GnuTLS" here, since this method is
442
# called before the assignment to the "gnutls" global variable
443
# happens.
444
if GnuTLS.check_version(self._need_version) is None:
445
raise GnuTLS.Error("Needs GnuTLS {} or later"
446
.format(self._need_version))
447
448
# Unless otherwise indicated, the constants and types below are
449
# all from the gnutls/gnutls.h C header file.
450
451
# Constants
452
E_SUCCESS = 0
453
CRT_OPENPGP = 2
454
CLIENT = 2
455
SHUT_RDWR = 0
456
CRD_CERTIFICATE = 1
457
E_NO_CERTIFICATE_FOUND = -49
458
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
459
460
# Types
461
class session_int(ctypes.Structure):
462
_fields_ = []
463
session_t = ctypes.POINTER(session_int)
464
class certificate_credentials_st(ctypes.Structure):
465
_fields_ = []
466
certificate_credentials_t = ctypes.POINTER(
467
certificate_credentials_st)
468
certificate_type_t = ctypes.c_int
469
class datum_t(ctypes.Structure):
470
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
471
('size', ctypes.c_uint)]
472
class openpgp_crt_int(ctypes.Structure):
473
_fields_ = []
474
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
475
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
476
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
477
credentials_type_t = ctypes.c_int #
478
transport_ptr_t = ctypes.c_void_p
479
close_request_t = ctypes.c_int
480
481
# Exceptions
482
class Error(Exception):
483
# We need to use the class name "GnuTLS" here, since this
484
# exception might be raised from within GnuTLS.__init__,
485
# which is called before the assignment to the "gnutls"
486
# global variable happens.
487
def __init__(self, message = None, code = None, args=()):
488
# Default usage is by a message string, but if a return
489
# code is passed, convert it to a string with
490
# gnutls.strerror()
491
if message is None and code is not None:
492
message = GnuTLS.strerror(code)
493
return super(GnuTLS.Error, self).__init__(
494
message, *args)
495
496
class CertificateSecurityError(Error):
497
pass
498
499
# Classes
500
class Credentials(object):
501
def __init__(self):
502
self._c_object = gnutls.certificate_credentials_t()
503
gnutls.certificate_allocate_credentials(
504
ctypes.byref(self._c_object))
505
self.type = gnutls.CRD_CERTIFICATE
506
507
def __del__(self):
508
gnutls.certificate_free_credentials(self._c_object)
509
510
class ClientSession(object):
511
def __init__(self, socket, credentials = None):
512
self._c_object = gnutls.session_t()
513
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
514
gnutls.set_default_priority(self._c_object)
515
gnutls.transport_set_ptr(self._c_object, socket.fileno())
516
gnutls.handshake_set_private_extensions(self._c_object,
517
True)
518
self.socket = socket
519
if credentials is None:
520
credentials = gnutls.Credentials()
521
gnutls.credentials_set(self._c_object, credentials.type,
522
ctypes.cast(credentials._c_object,
523
ctypes.c_void_p))
524
self.credentials = credentials
525
526
def __del__(self):
527
gnutls.deinit(self._c_object)
528
529
def handshake(self):
530
return gnutls.handshake(self._c_object)
531
532
def send(self, data):
533
data = bytes(data)
534
if not data:
535
return 0
536
return gnutls.record_send(self._c_object, data, len(data))
537
538
def bye(self):
539
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
540
541
# Error handling function
542
def _error_code(result):
543
"""A function to raise exceptions on errors, suitable
544
for the 'restype' attribute on ctypes functions"""
545
if result >= 0:
546
return result
547
if result == gnutls.E_NO_CERTIFICATE_FOUND:
548
raise gnutls.CertificateSecurityError(code = result)
549
raise gnutls.Error(code = result)
550
551
# Unless otherwise indicated, the function declarations below are
552
# all from the gnutls/gnutls.h C header file.
553
554
# Functions
555
priority_set_direct = _library.gnutls_priority_set_direct
556
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
557
ctypes.POINTER(ctypes.c_char_p)]
558
priority_set_direct.restype = _error_code
559
560
init = _library.gnutls_init
561
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
562
init.restype = _error_code
563
564
set_default_priority = _library.gnutls_set_default_priority
565
set_default_priority.argtypes = [session_t]
566
set_default_priority.restype = _error_code
567
568
record_send = _library.gnutls_record_send
569
record_send.argtypes = [session_t, ctypes.c_void_p,
570
ctypes.c_size_t]
571
record_send.restype = ctypes.c_ssize_t
572
573
certificate_allocate_credentials = (
574
_library.gnutls_certificate_allocate_credentials)
575
certificate_allocate_credentials.argtypes = [
576
ctypes.POINTER(certificate_credentials_t)]
577
certificate_allocate_credentials.restype = _error_code
578
579
certificate_free_credentials = (
580
_library.gnutls_certificate_free_credentials)
581
certificate_free_credentials.argtypes = [certificate_credentials_t]
582
certificate_free_credentials.restype = None
583
584
handshake_set_private_extensions = (
585
_library.gnutls_handshake_set_private_extensions)
586
handshake_set_private_extensions.argtypes = [session_t,
587
ctypes.c_int]
588
handshake_set_private_extensions.restype = None
589
590
credentials_set = _library.gnutls_credentials_set
591
credentials_set.argtypes = [session_t, credentials_type_t,
592
ctypes.c_void_p]
593
credentials_set.restype = _error_code
594
595
strerror = _library.gnutls_strerror
596
strerror.argtypes = [ctypes.c_int]
597
strerror.restype = ctypes.c_char_p
598
599
certificate_type_get = _library.gnutls_certificate_type_get
600
certificate_type_get.argtypes = [session_t]
601
certificate_type_get.restype = _error_code
602
603
certificate_get_peers = _library.gnutls_certificate_get_peers
604
certificate_get_peers.argtypes = [session_t,
605
ctypes.POINTER(ctypes.c_uint)]
606
certificate_get_peers.restype = ctypes.POINTER(datum_t)
607
608
global_set_log_level = _library.gnutls_global_set_log_level
609
global_set_log_level.argtypes = [ctypes.c_int]
610
global_set_log_level.restype = None
611
612
global_set_log_function = _library.gnutls_global_set_log_function
613
global_set_log_function.argtypes = [log_func]
614
global_set_log_function.restype = None
615
616
deinit = _library.gnutls_deinit
617
deinit.argtypes = [session_t]
618
deinit.restype = None
619
620
handshake = _library.gnutls_handshake
621
handshake.argtypes = [session_t]
622
handshake.restype = _error_code
623
624
transport_set_ptr = _library.gnutls_transport_set_ptr
625
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
626
transport_set_ptr.restype = None
627
628
bye = _library.gnutls_bye
629
bye.argtypes = [session_t, close_request_t]
630
bye.restype = _error_code
631
632
check_version = _library.gnutls_check_version
633
check_version.argtypes = [ctypes.c_char_p]
634
check_version.restype = ctypes.c_char_p
635
636
# All the function declarations below are from gnutls/openpgp.h
637
638
openpgp_crt_init = _library.gnutls_openpgp_crt_init
639
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
640
openpgp_crt_init.restype = _error_code
641
642
openpgp_crt_import = _library.gnutls_openpgp_crt_import
643
openpgp_crt_import.argtypes = [openpgp_crt_t,
644
ctypes.POINTER(datum_t),
645
openpgp_crt_fmt_t]
646
openpgp_crt_import.restype = _error_code
647
648
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
649
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
650
ctypes.POINTER(ctypes.c_uint)]
651
openpgp_crt_verify_self.restype = _error_code
652
653
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
654
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
655
openpgp_crt_deinit.restype = None
656
657
openpgp_crt_get_fingerprint = (
658
_library.gnutls_openpgp_crt_get_fingerprint)
659
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
660
ctypes.c_void_p,
661
ctypes.POINTER(
662
ctypes.c_size_t)]
663
openpgp_crt_get_fingerprint.restype = _error_code
664
665
# Remove non-public function
666
del _error_code
667
# Create the global "gnutls" object, simulating a module
668
gnutls = GnuTLS()
669
670
def call_pipe(connection, # : multiprocessing.Connection
671
func, *args, **kwargs):
672
"""This function is meant to be called by multiprocessing.Process
673
674
This function runs func(*args, **kwargs), and writes the resulting
675
return value on the provided multiprocessing.Connection.
676
"""
677
connection.send(func(*args, **kwargs))
678
connection.close()
407
679
408
680
class Client(object):
409
681
"""A representation of a client host served by this server.
436
708
last_checker_status: integer between 0 and 255 reflecting exit
437
709
status of last checker. -1 reflects crashed
438
710
checker, -2 means no checker completed yet.
711
last_checker_signal: The signal which killed the last checker, if
712
last_checker_status is -1
439
713
last_enabled: datetime.datetime(); (UTC) or None
440
714
name: string; from the config file, used in log messages and
441
715
D-Bus identifiers
454
728
"fingerprint", "host", "interval",
455
729
"last_approval_request", "last_checked_ok",
456
730
"last_enabled", "name", "timeout")
457
client_defaults = { "timeout": "PT5M",
458
"extended_timeout": "PT15M",
459
"interval": "PT2M",
460
"checker": "fping -q -- %%(host)s",
461
"host": "",
462
"approval_delay": "PT0S",
463
"approval_duration": "PT1S",
464
"approved_by_default": "True",
465
"enabled": "True",
466
}
467
468
def timeout_milliseconds(self):
469
"Return the 'timeout' attribute in milliseconds"
470
return timedelta_to_milliseconds(self.timeout)
471
472
def extended_timeout_milliseconds(self):
473
"Return the 'extended_timeout' attribute in milliseconds"
474
return timedelta_to_milliseconds(self.extended_timeout)
475
476
def interval_milliseconds(self):
477
"Return the 'interval' attribute in milliseconds"
478
return timedelta_to_milliseconds(self.interval)
479
480
def approval_delay_milliseconds(self):
481
return timedelta_to_milliseconds(self.approval_delay)
731
client_defaults = {
732
"timeout": "PT5M",
733
"extended_timeout": "PT15M",
734
"interval": "PT2M",
735
"checker": "fping -q -- %%(host)s",
736
"host": "",
737
"approval_delay": "PT0S",
738
"approval_duration": "PT1S",
739
"approved_by_default": "True",
740
"enabled": "True",
741
}
482
742
483
743
@staticmethod
484
744
def config_parser(config):
500
760
client["enabled"] = config.getboolean(client_name,
501
761
"enabled")
502
762
763
# Uppercase and remove spaces from fingerprint for later
764
# comparison purposes with return value from the
765
# fingerprint() function
503
766
client["fingerprint"] = (section["fingerprint"].upper()
504
767
.replace(" ", ""))
505
768
if "secret" in section:
510
773
"rb") as secfile:
511
774
client["secret"] = secfile.read()
512
775
else:
513
raise TypeError("No secret or secfile for section {0}"
776
raise TypeError("No secret or secfile for section {}"
514
777
.format(section))
515
778
client["timeout"] = string_to_delta(section["timeout"])
516
779
client["extended_timeout"] = string_to_delta(
533
796
server_settings = {}
534
797
self.server_settings = server_settings
535
798
# adding all client settings
536
for setting, value in settings.iteritems():
799
for setting, value in settings.items():
537
800
setattr(self, setting, value)
538
801
539
802
if self.enabled:
547
810
self.expires = None
548
811
549
812
logger.debug("Creating client %r", self.name)
550
# Uppercase and remove spaces from fingerprint for later
551
# comparison purposes with return value from the fingerprint()
552
# function
553
813
logger.debug(" Fingerprint: %s", self.fingerprint)
554
814
self.created = settings.get("created",
555
815
datetime.datetime.utcnow())
562
822
self.current_checker_command = None
563
823
self.approved = None
564
824
self.approvals_pending = 0
565
self.changedstate = (multiprocessing_manager
566
.Condition(multiprocessing_manager
567
.Lock()))
568
self.client_structure = [attr for attr in
569
self.__dict__.iterkeys()
825
self.changedstate = multiprocessing_manager.Condition(
826
multiprocessing_manager.Lock())
827
self.client_structure = [attr
828
for attr in self.__dict__.iterkeys()
570
829
if not attr.startswith("_")]
571
830
self.client_structure.append("client_structure")
572
831
573
for name, t in inspect.getmembers(type(self),
574
lambda obj:
575
isinstance(obj,
576
property)):
832
for name, t in inspect.getmembers(
833
type(self), lambda obj: isinstance(obj, property)):
577
834
if not name.startswith("_"):
578
835
self.client_structure.append(name)
579
836
621
878
# and every interval from then on.
622
879
if self.checker_initiator_tag is not None:
623
880
gobject.source_remove(self.checker_initiator_tag)
624
self.checker_initiator_tag = (gobject.timeout_add
625
(self.interval_milliseconds(),
626
self.start_checker))
881
self.checker_initiator_tag = gobject.timeout_add(
882
int(self.interval.total_seconds() * 1000),
883
self.start_checker)
627
884
# Schedule a disable() when 'timeout' has passed
628
885
if self.disable_initiator_tag is not None:
629
886
gobject.source_remove(self.disable_initiator_tag)
630
self.disable_initiator_tag = (gobject.timeout_add
631
(self.timeout_milliseconds(),
632
self.disable))
887
self.disable_initiator_tag = gobject.timeout_add(
888
int(self.timeout.total_seconds() * 1000), self.disable)
633
889
# Also start a new checker *right now*.
634
890
self.start_checker()
635
891
636
def checker_callback(self, pid, condition, command):
892
def checker_callback(self, source, condition, connection,
893
command):
637
894
"""The checker has completed, so take appropriate actions."""
638
895
self.checker_callback_tag = None
639
896
self.checker = None
640
if os.WIFEXITED(condition):
641
self.last_checker_status = os.WEXITSTATUS(condition)
897
# Read return code from connection (see call_pipe)
898
returncode = connection.recv()
899
connection.close()
900
901
if returncode >= 0:
902
self.last_checker_status = returncode
903
self.last_checker_signal = None
642
904
if self.last_checker_status == 0:
643
905
logger.info("Checker for %(name)s succeeded",
644
906
vars(self))
645
907
self.checked_ok()
646
908
else:
647
logger.info("Checker for %(name)s failed",
648
vars(self))
909
logger.info("Checker for %(name)s failed", vars(self))
649
910
else:
650
911
self.last_checker_status = -1
912
self.last_checker_signal = -returncode
651
913
logger.warning("Checker for %(name)s crashed?",
652
914
vars(self))
915
return False
653
916
654
917
def checked_ok(self):
655
918
"""Assert that the client has been seen, alive and well."""
656
919
self.last_checked_ok = datetime.datetime.utcnow()
657
920
self.last_checker_status = 0
921
self.last_checker_signal = None
658
922
self.bump_timeout()
659
923
660
924
def bump_timeout(self, timeout=None):
665
929
gobject.source_remove(self.disable_initiator_tag)
666
930
self.disable_initiator_tag = None
667
931
if getattr(self, "enabled", False):
668
self.disable_initiator_tag = (gobject.timeout_add
669
(timedelta_to_milliseconds
670
(timeout), self.disable))
932
self.disable_initiator_tag = gobject.timeout_add(
933
int(timeout.total_seconds() * 1000), self.disable)
671
934
self.expires = datetime.datetime.utcnow() + timeout
672
935
673
936
def need_approval(self):
687
950
# than 'timeout' for the client to be disabled, which is as it
688
951
# should be.
689
952
690
# If a checker exists, make sure it is not a zombie
691
try:
692
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
693
except (AttributeError, OSError) as error:
694
if (isinstance(error, OSError)
695
and error.errno != errno.ECHILD):
696
raise error
697
else:
698
if pid:
699
logger.warning("Checker was a zombie")
700
gobject.source_remove(self.checker_callback_tag)
701
self.checker_callback(pid, status,
702
self.current_checker_command)
953
if self.checker is not None and not self.checker.is_alive():
954
logger.warning("Checker was not alive; joining")
955
self.checker.join()
956
self.checker = None
703
957
# Start a new checker if needed
704
958
if self.checker is None:
705
959
# Escape attributes for the shell
706
escaped_attrs = dict(
707
(attr, re.escape(unicode(getattr(self, attr))))
708
for attr in
709
self.runtime_expansions)
960
escaped_attrs = {
961
attr: re.escape(str(getattr(self, attr)))
962
for attr in self.runtime_expansions }
710
963
try:
711
964
command = self.checker_command % escaped_attrs
712
965
except TypeError as error:
713
966
logger.error('Could not format string "%s"',
714
self.checker_command, exc_info=error)
715
return True # Try again later
967
self.checker_command,
968
exc_info=error)
969
return True # Try again later
716
970
self.current_checker_command = command
717
try:
718
logger.info("Starting checker %r for %s",
719
command, self.name)
720
# We don't need to redirect stdout and stderr, since
721
# in normal mode, that is already done by daemon(),
722
# and in debug mode we don't want to. (Stdin is
723
# always replaced by /dev/null.)
724
# The exception is when not debugging but nevertheless
725
# running in the foreground; use the previously
726
# created wnull.
727
popen_args = {}
728
if (not self.server_settings["debug"]
729
and self.server_settings["foreground"]):
730
popen_args.update({"stdout": wnull,
731
"stderr": wnull })
732
self.checker = subprocess.Popen(command,
733
close_fds=True,
734
shell=True, cwd="/",
735
**popen_args)
736
except OSError as error:
737
logger.error("Failed to start subprocess",
738
exc_info=error)
739
return True
740
self.checker_callback_tag = (gobject.child_watch_add
741
(self.checker.pid,
742
self.checker_callback,
743
data=command))
744
# The checker may have completed before the gobject
745
# watch was added. Check for this.
746
try:
747
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
748
except OSError as error:
749
if error.errno == errno.ECHILD:
750
# This should never happen
751
logger.error("Child process vanished",
752
exc_info=error)
753
return True
754
raise
755
if pid:
756
gobject.source_remove(self.checker_callback_tag)
757
self.checker_callback(pid, status, command)
971
logger.info("Starting checker %r for %s", command,
972
self.name)
973
# We don't need to redirect stdout and stderr, since
974
# in normal mode, that is already done by daemon(),
975
# and in debug mode we don't want to. (Stdin is
976
# always replaced by /dev/null.)
977
# The exception is when not debugging but nevertheless
978
# running in the foreground; use the previously
979
# created wnull.
980
popen_args = { "close_fds": True,
981
"shell": True,
982
"cwd": "/" }
983
if (not self.server_settings["debug"]
984
and self.server_settings["foreground"]):
985
popen_args.update({"stdout": wnull,
986
"stderr": wnull })
987
pipe = multiprocessing.Pipe(duplex = False)
988
self.checker = multiprocessing.Process(
989
target = call_pipe,
990
args = (pipe[1], subprocess.call, command),
991
kwargs = popen_args)
992
self.checker.start()
993
self.checker_callback_tag = gobject.io_add_watch(
994
pipe[0].fileno(), gobject.IO_IN,
995
self.checker_callback, pipe[0], command)
758
996
# Re-run this periodically if run by gobject.timeout_add
759
997
return True
760
998
766
1004
if getattr(self, "checker", None) is None:
767
1005
return
768
1006
logger.debug("Stopping checker for %(name)s", vars(self))
769
try:
770
self.checker.terminate()
771
#time.sleep(0.5)
772
#if self.checker.poll() is None:
773
# self.checker.kill()
774
except OSError as error:
775
if error.errno != errno.ESRCH: # No such process
776
raise
1007
self.checker.terminate()
777
1008
self.checker = None
778
1009
779
1010
780
def dbus_service_property(dbus_interface, signature="v",
781
access="readwrite", byte_arrays=False):
1011
def dbus_service_property(dbus_interface,
1012
signature="v",
1013
access="readwrite",
1014
byte_arrays=False):
782
1015
"""Decorators for marking methods of a DBusObjectWithProperties to
783
1016
become properties on the D-Bus.
784
1017
793
1026
# "Set" method, so we fail early here:
794
1027
if byte_arrays and signature != "ay":
795
1028
raise ValueError("Byte arrays not supported for non-'ay'"
796
" signature {0!r}".format(signature))
1029
" signature {!r}".format(signature))
1030
797
1031
def decorator(func):
798
1032
func._dbus_is_property = True
799
1033
func._dbus_interface = dbus_interface
804
1038
func._dbus_name = func._dbus_name[:-14]
805
1039
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
806
1040
return func
1041
807
1042
return decorator
808
1043
809
1044
818
1053
"org.freedesktop.DBus.Property.EmitsChangedSignal":
819
1054
"false"}
820
1055
"""
1056
821
1057
def decorator(func):
822
1058
func._dbus_is_interface = True
823
1059
func._dbus_interface = dbus_interface
824
1060
func._dbus_name = dbus_interface
825
1061
return func
1062
826
1063
return decorator
827
1064
828
1065
830
1067
"""Decorator to annotate D-Bus methods, signals or properties
831
1068
Usage:
832
1069
1070
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1071
"org.freedesktop.DBus.Property."
1072
"EmitsChangedSignal": "false"})
833
1073
@dbus_service_property("org.example.Interface", signature="b",
834
1074
access="r")
835
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
836
"org.freedesktop.DBus.Property."
837
"EmitsChangedSignal": "false"})
838
1075
def Property_dbus_property(self):
839
1076
return dbus.Boolean(False)
1077
1078
See also the DBusObjectWithAnnotations class.
840
1079
"""
1080
841
1081
def decorator(func):
842
1082
func._dbus_annotations = annotations
843
1083
return func
1084
844
1085
return decorator
845
1086
846
1087
847
1088
class DBusPropertyException(dbus.exceptions.DBusException):
848
1089
"""A base class for D-Bus property-related exceptions
849
1090
"""
850
def __unicode__(self):
851
return unicode(str(self))
1091
pass
852
1092
853
1093
854
1094
class DBusPropertyAccessException(DBusPropertyException):
863
1103
pass
864
1104
865
1105
866
class DBusObjectWithProperties(dbus.service.Object):
867
"""A D-Bus object with properties.
1106
class DBusObjectWithAnnotations(dbus.service.Object):
1107
"""A D-Bus object with annotations.
868
1108
869
Classes inheriting from this can use the dbus_service_property
870
decorator to expose methods as D-Bus properties. It exposes the
871
standard Get(), Set(), and GetAll() methods on the D-Bus.
1109
Classes inheriting from this can use the dbus_annotations
1110
decorator to add annotations to methods or signals.
872
1111
"""
873
1112
874
1113
@staticmethod
878
1117
If called like _is_dbus_thing("method") it returns a function
879
1118
suitable for use as predicate to inspect.getmembers().
880
1119
"""
881
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
1120
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
882
1121
False)
883
1122
884
1123
def _get_all_dbus_things(self, thing):
885
1124
"""Returns a generator of (name, attribute) pairs
886
1125
"""
887
return ((getattr(athing.__get__(self), "_dbus_name",
888
name),
1126
return ((getattr(athing.__get__(self), "_dbus_name", name),
889
1127
athing.__get__(self))
890
1128
for cls in self.__class__.__mro__
891
1129
for name, athing in
892
inspect.getmembers(cls,
893
self._is_dbus_thing(thing)))
1130
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1131
1132
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1133
out_signature = "s",
1134
path_keyword = 'object_path',
1135
connection_keyword = 'connection')
1136
def Introspect(self, object_path, connection):
1137
"""Overloading of standard D-Bus method.
1138
1139
Inserts annotation tags on methods and signals.
1140
"""
1141
xmlstring = dbus.service.Object.Introspect(self, object_path,
1142
connection)
1143
try:
1144
document = xml.dom.minidom.parseString(xmlstring)
1145
1146
for if_tag in document.getElementsByTagName("interface"):
1147
# Add annotation tags
1148
for typ in ("method", "signal"):
1149
for tag in if_tag.getElementsByTagName(typ):
1150
annots = dict()
1151
for name, prop in (self.
1152
_get_all_dbus_things(typ)):
1153
if (name == tag.getAttribute("name")
1154
and prop._dbus_interface
1155
== if_tag.getAttribute("name")):
1156
annots.update(getattr(
1157
prop, "_dbus_annotations", {}))
1158
for name, value in annots.items():
1159
ann_tag = document.createElement(
1160
"annotation")
1161
ann_tag.setAttribute("name", name)
1162
ann_tag.setAttribute("value", value)
1163
tag.appendChild(ann_tag)
1164
# Add interface annotation tags
1165
for annotation, value in dict(
1166
itertools.chain.from_iterable(
1167
annotations().items()
1168
for name, annotations
1169
in self._get_all_dbus_things("interface")
1170
if name == if_tag.getAttribute("name")
1171
)).items():
1172
ann_tag = document.createElement("annotation")
1173
ann_tag.setAttribute("name", annotation)
1174
ann_tag.setAttribute("value", value)
1175
if_tag.appendChild(ann_tag)
1176
# Fix argument name for the Introspect method itself
1177
if (if_tag.getAttribute("name")
1178
== dbus.INTROSPECTABLE_IFACE):
1179
for cn in if_tag.getElementsByTagName("method"):
1180
if cn.getAttribute("name") == "Introspect":
1181
for arg in cn.getElementsByTagName("arg"):
1182
if (arg.getAttribute("direction")
1183
== "out"):
1184
arg.setAttribute("name",
1185
"xml_data")
1186
xmlstring = document.toxml("utf-8")
1187
document.unlink()
1188
except (AttributeError, xml.dom.DOMException,
1189
xml.parsers.expat.ExpatError) as error:
1190
logger.error("Failed to override Introspection method",
1191
exc_info=error)
1192
return xmlstring
1193
1194
1195
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1196
"""A D-Bus object with properties.
1197
1198
Classes inheriting from this can use the dbus_service_property
1199
decorator to expose methods as D-Bus properties. It exposes the
1200
standard Get(), Set(), and GetAll() methods on the D-Bus.
1201
"""
894
1202
895
1203
def _get_dbus_property(self, interface_name, property_name):
896
1204
"""Returns a bound method if one exists which is a D-Bus
897
1205
property with the specified name and interface.
898
1206
"""
899
for cls in self.__class__.__mro__:
900
for name, value in (inspect.getmembers
901
(cls,
902
self._is_dbus_thing("property"))):
1207
for cls in self.__class__.__mro__:
1208
for name, value in inspect.getmembers(
1209
cls, self._is_dbus_thing("property")):
903
1210
if (value._dbus_name == property_name
904
1211
and value._dbus_interface == interface_name):
905
1212
return value.__get__(self)
906
1213
907
1214
# No such property
908
raise DBusPropertyNotFound(self.dbus_object_path + ":"
909
+ interface_name + "."
910
+ property_name)
911
912
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
1215
raise DBusPropertyNotFound("{}:{}.{}".format(
1216
self.dbus_object_path, interface_name, property_name))
1217
1218
@classmethod
1219
def _get_all_interface_names(cls):
1220
"""Get a sequence of all interfaces supported by an object"""
1221
return (name for name in set(getattr(getattr(x, attr),
1222
"_dbus_interface", None)
1223
for x in (inspect.getmro(cls))
1224
for attr in dir(x))
1225
if name is not None)
1226
1227
@dbus.service.method(dbus.PROPERTIES_IFACE,
1228
in_signature="ss",
913
1229
out_signature="v")
914
1230
def Get(self, interface_name, property_name):
915
1231
"""Standard D-Bus property Get() method, see D-Bus standard.
933
1249
# The byte_arrays option is not supported yet on
934
1250
# signatures other than "ay".
935
1251
if prop._dbus_signature != "ay":
936
raise ValueError
1252
raise ValueError("Byte arrays not supported for non-"
1253
"'ay' signature {!r}"
1254
.format(prop._dbus_signature))
937
1255
value = dbus.ByteArray(b''.join(chr(byte)
938
1256
for byte in value))
939
1257
prop(value)
940
1258
941
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
1259
@dbus.service.method(dbus.PROPERTIES_IFACE,
1260
in_signature="s",
942
1261
out_signature="a{sv}")
943
1262
def GetAll(self, interface_name):
944
1263
"""Standard D-Bus property GetAll() method, see D-Bus
959
1278
if not hasattr(value, "variant_level"):
960
1279
properties[name] = value
961
1280
continue
962
properties[name] = type(value)(value, variant_level=
963
value.variant_level+1)
1281
properties[name] = type(value)(
1282
value, variant_level = value.variant_level + 1)
964
1283
return dbus.Dictionary(properties, signature="sv")
965
1284
1285
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1286
def PropertiesChanged(self, interface_name, changed_properties,
1287
invalidated_properties):
1288
"""Standard D-Bus PropertiesChanged() signal, see D-Bus
1289
standard.
1290
"""
1291
pass
1292
966
1293
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
967
1294
out_signature="s",
968
1295
path_keyword='object_path',
972
1299
973
1300
Inserts property tags and interface annotation tags.
974
1301
"""
975
xmlstring = dbus.service.Object.Introspect(self, object_path,
976
connection)
1302
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1303
object_path,
1304
connection)
977
1305
try:
978
1306
document = xml.dom.minidom.parseString(xmlstring)
1307
979
1308
def make_tag(document, name, prop):
980
1309
e = document.createElement("property")
981
1310
e.setAttribute("name", name)
982
1311
e.setAttribute("type", prop._dbus_signature)
983
1312
e.setAttribute("access", prop._dbus_access)
984
1313
return e
1314
985
1315
for if_tag in document.getElementsByTagName("interface"):
986
1316
# Add property tags
987
1317
for tag in (make_tag(document, name, prop)
990
1320
if prop._dbus_interface
991
1321
== if_tag.getAttribute("name")):
992
1322
if_tag.appendChild(tag)
993
# Add annotation tags
994
for typ in ("method", "signal", "property"):
995
for tag in if_tag.getElementsByTagName(typ):
996
annots = dict()
997
for name, prop in (self.
998
_get_all_dbus_things(typ)):
999
if (name == tag.getAttribute("name")
1000
and prop._dbus_interface
1001
== if_tag.getAttribute("name")):
1002
annots.update(getattr
1003
(prop,
1004
"_dbus_annotations",
1005
{}))
1006
for name, value in annots.iteritems():
1007
ann_tag = document.createElement(
1008
"annotation")
1009
ann_tag.setAttribute("name", name)
1010
ann_tag.setAttribute("value", value)
1011
tag.appendChild(ann_tag)
1012
# Add interface annotation tags
1013
for annotation, value in dict(
1014
itertools.chain.from_iterable(
1015
annotations().iteritems()
1016
for name, annotations in
1017
self._get_all_dbus_things("interface")
1018
if name == if_tag.getAttribute("name")
1019
)).iteritems():
1020
ann_tag = document.createElement("annotation")
1021
ann_tag.setAttribute("name", annotation)
1022
ann_tag.setAttribute("value", value)
1023
if_tag.appendChild(ann_tag)
1323
# Add annotation tags for properties
1324
for tag in if_tag.getElementsByTagName("property"):
1325
annots = dict()
1326
for name, prop in self._get_all_dbus_things(
1327
"property"):
1328
if (name == tag.getAttribute("name")
1329
and prop._dbus_interface
1330
== if_tag.getAttribute("name")):
1331
annots.update(getattr(
1332
prop, "_dbus_annotations", {}))
1333
for name, value in annots.items():
1334
ann_tag = document.createElement(
1335
"annotation")
1336
ann_tag.setAttribute("name", name)
1337
ann_tag.setAttribute("value", value)
1338
tag.appendChild(ann_tag)
1024
1339
# Add the names to the return values for the
1025
1340
# "org.freedesktop.DBus.Properties" methods
1026
1341
if (if_tag.getAttribute("name")
1044
1359
exc_info=error)
1045
1360
return xmlstring
1046
1361
1362
try:
1363
dbus.OBJECT_MANAGER_IFACE
1364
except AttributeError:
1365
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1366
1367
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1368
"""A D-Bus object with an ObjectManager.
1369
1370
Classes inheriting from this exposes the standard
1371
GetManagedObjects call and the InterfacesAdded and
1372
InterfacesRemoved signals on the standard
1373
"org.freedesktop.DBus.ObjectManager" interface.
1374
1375
Note: No signals are sent automatically; they must be sent
1376
manually.
1377
"""
1378
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1379
out_signature = "a{oa{sa{sv}}}")
1380
def GetManagedObjects(self):
1381
"""This function must be overridden"""
1382
raise NotImplementedError()
1383
1384
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1385
signature = "oa{sa{sv}}")
1386
def InterfacesAdded(self, object_path, interfaces_and_properties):
1387
pass
1388
1389
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1390
def InterfacesRemoved(self, object_path, interfaces):
1391
pass
1392
1393
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1394
out_signature = "s",
1395
path_keyword = 'object_path',
1396
connection_keyword = 'connection')
1397
def Introspect(self, object_path, connection):
1398
"""Overloading of standard D-Bus method.
1399
1400
Override return argument name of GetManagedObjects to be
1401
"objpath_interfaces_and_properties"
1402
"""
1403
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1404
object_path,
1405
connection)
1406
try:
1407
document = xml.dom.minidom.parseString(xmlstring)
1408
1409
for if_tag in document.getElementsByTagName("interface"):
1410
# Fix argument name for the GetManagedObjects method
1411
if (if_tag.getAttribute("name")
1412
== dbus.OBJECT_MANAGER_IFACE):
1413
for cn in if_tag.getElementsByTagName("method"):
1414
if (cn.getAttribute("name")
1415
== "GetManagedObjects"):
1416
for arg in cn.getElementsByTagName("arg"):
1417
if (arg.getAttribute("direction")
1418
== "out"):
1419
arg.setAttribute(
1420
"name",
1421
"objpath_interfaces"
1422
"_and_properties")
1423
xmlstring = document.toxml("utf-8")
1424
document.unlink()
1425
except (AttributeError, xml.dom.DOMException,
1426
xml.parsers.expat.ExpatError) as error:
1427
logger.error("Failed to override Introspection method",
1428
exc_info = error)
1429
return xmlstring
1047
1430
1048
1431
def datetime_to_dbus(dt, variant_level=0):
1049
1432
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1050
1433
if dt is None:
1051
1434
return dbus.String("", variant_level = variant_level)
1052
return dbus.String(dt.isoformat(),
1053
variant_level=variant_level)
1435
return dbus.String(dt.isoformat(), variant_level=variant_level)
1054
1436
1055
1437
1056
1438
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1076
1458
(from DBusObjectWithProperties) and interfaces (from the
1077
1459
dbus_interface_annotations decorator).
1078
1460
"""
1461
1079
1462
def wrapper(cls):
1080
1463
for orig_interface_name, alt_interface_name in (
1081
alt_interface_names.iteritems()):
1464
alt_interface_names.items()):
1082
1465
attr = {}
1083
1466
interface_names = set()
1084
1467
# Go though all attributes of the class
1086
1469
# Ignore non-D-Bus attributes, and D-Bus attributes
1087
1470
# with the wrong interface name
1088
1471
if (not hasattr(attribute, "_dbus_interface")
1089
or not attribute._dbus_interface
1090
.startswith(orig_interface_name)):
1472
or not attribute._dbus_interface.startswith(
1473
orig_interface_name)):
1091
1474
continue
1092
1475
# Create an alternate D-Bus interface name based on
1093
1476
# the current name
1094
alt_interface = (attribute._dbus_interface
1095
.replace(orig_interface_name,
1096
alt_interface_name))
1477
alt_interface = attribute._dbus_interface.replace(
1478
orig_interface_name, alt_interface_name)
1097
1479
interface_names.add(alt_interface)
1098
1480
# Is this a D-Bus signal?
1099
1481
if getattr(attribute, "_dbus_is_signal", False):
1100
# Extract the original non-method undecorated
1101
# function by black magic
1102
nonmethod_func = (dict(
1482
if sys.version_info.major == 2:
1483
# Extract the original non-method undecorated
1484
# function by black magic
1485
nonmethod_func = (dict(
1103
1486
zip(attribute.func_code.co_freevars,
1104
attribute.__closure__))["func"]
1105
.cell_contents)
1487
attribute.__closure__))
1488
["func"].cell_contents)
1489
else:
1490
nonmethod_func = attribute
1106
1491
# Create a new, but exactly alike, function
1107
1492
# object, and decorate it to be a new D-Bus signal
1108
1493
# with the alternate D-Bus interface name
1109
new_function = (dbus.service.signal
1110
(alt_interface,
1111
attribute._dbus_signature)
1112
(types.FunctionType(
1113
nonmethod_func.func_code,
1114
nonmethod_func.func_globals,
1115
nonmethod_func.func_name,
1116
nonmethod_func.func_defaults,
1117
nonmethod_func.func_closure)))
1494
if sys.version_info.major == 2:
1495
new_function = types.FunctionType(
1496
nonmethod_func.func_code,
1497
nonmethod_func.func_globals,
1498
nonmethod_func.func_name,
1499
nonmethod_func.func_defaults,
1500
nonmethod_func.func_closure)
1501
else:
1502
new_function = types.FunctionType(
1503
nonmethod_func.__code__,
1504
nonmethod_func.__globals__,
1505
nonmethod_func.__name__,
1506
nonmethod_func.__defaults__,
1507
nonmethod_func.__closure__)
1508
new_function = (dbus.service.signal(
1509
alt_interface,
1510
attribute._dbus_signature)(new_function))
1118
1511
# Copy annotations, if any
1119
1512
try:
1120
new_function._dbus_annotations = (
1121
dict(attribute._dbus_annotations))
1513
new_function._dbus_annotations = dict(
1514
attribute._dbus_annotations)
1122
1515
except AttributeError:
1123
1516
pass
1124
1517
# Define a creator of a function to call both the
1129
1522
"""This function is a scope container to pass
1130
1523
func1 and func2 to the "call_both" function
1131
1524
outside of its arguments"""
1525
1526
@functools.wraps(func2)
1132
1527
def call_both(*args, **kwargs):
1133
1528
"""This function will emit two D-Bus
1134
1529
signals by calling func1 and func2"""
1135
1530
func1(*args, **kwargs)
1136
1531
func2(*args, **kwargs)
1532
# Make wrapper function look like a D-Bus signal
1533
for name, attr in inspect.getmembers(func2):
1534
if name.startswith("_dbus_"):
1535
setattr(call_both, name, attr)
1536
1137
1537
return call_both
1138
1538
# Create the "call_both" function and add it to
1139
1539
# the class
1144
1544
# object. Decorate it to be a new D-Bus method
1145
1545
# with the alternate D-Bus interface name. Add it
1146
1546
# to the class.
1147
attr[attrname] = (dbus.service.method
1148
(alt_interface,
1149
attribute._dbus_in_signature,
1150
attribute._dbus_out_signature)
1151
(types.FunctionType
1152
(attribute.func_code,
1153
attribute.func_globals,
1154
attribute.func_name,
1155
attribute.func_defaults,
1156
attribute.func_closure)))
1547
attr[attrname] = (
1548
dbus.service.method(
1549
alt_interface,
1550
attribute._dbus_in_signature,
1551
attribute._dbus_out_signature)
1552
(types.FunctionType(attribute.func_code,
1553
attribute.func_globals,
1554
attribute.func_name,
1555
attribute.func_defaults,
1556
attribute.func_closure)))
1157
1557
# Copy annotations, if any
1158
1558
try:
1159
attr[attrname]._dbus_annotations = (
1160
dict(attribute._dbus_annotations))
1559
attr[attrname]._dbus_annotations = dict(
1560
attribute._dbus_annotations)
1161
1561
except AttributeError:
1162
1562
pass
1163
1563
# Is this a D-Bus property?
1166
1566
# object, and decorate it to be a new D-Bus
1167
1567
# property with the alternate D-Bus interface
1168
1568
# name. Add it to the class.
1169
attr[attrname] = (dbus_service_property
1170
(alt_interface,
1171
attribute._dbus_signature,
1172
attribute._dbus_access,
1173
attribute
1174
._dbus_get_args_options
1175
["byte_arrays"])
1176
(types.FunctionType
1177
(attribute.func_code,
1178
attribute.func_globals,
1179
attribute.func_name,
1180
attribute.func_defaults,
1181
attribute.func_closure)))
1569
attr[attrname] = (dbus_service_property(
1570
alt_interface, attribute._dbus_signature,
1571
attribute._dbus_access,
1572
attribute._dbus_get_args_options
1573
["byte_arrays"])
1574
(types.FunctionType(
1575
attribute.func_code,
1576
attribute.func_globals,
1577
attribute.func_name,
1578
attribute.func_defaults,
1579
attribute.func_closure)))
1182
1580
# Copy annotations, if any
1183
1581
try:
1184
attr[attrname]._dbus_annotations = (
1185
dict(attribute._dbus_annotations))
1582
attr[attrname]._dbus_annotations = dict(
1583
attribute._dbus_annotations)
1186
1584
except AttributeError:
1187
1585
pass
1188
1586
# Is this a D-Bus interface?
1191
1589
# object. Decorate it to be a new D-Bus interface
1192
1590
# with the alternate D-Bus interface name. Add it
1193
1591
# to the class.
1194
attr[attrname] = (dbus_interface_annotations
1195
(alt_interface)
1196
(types.FunctionType
1197
(attribute.func_code,
1198
attribute.func_globals,
1199
attribute.func_name,
1200
attribute.func_defaults,
1201
attribute.func_closure)))
1592
attr[attrname] = (
1593
dbus_interface_annotations(alt_interface)
1594
(types.FunctionType(attribute.func_code,
1595
attribute.func_globals,
1596
attribute.func_name,
1597
attribute.func_defaults,
1598
attribute.func_closure)))
1202
1599
if deprecate:
1203
1600
# Deprecate all alternate interfaces
1204
iname="_AlternateDBusNames_interface_annotation{0}"
1601
iname="_AlternateDBusNames_interface_annotation{}"
1205
1602
for interface_name in interface_names:
1603
1206
1604
@dbus_interface_annotations(interface_name)
1207
1605
def func(self):
1208
1606
return { "org.freedesktop.DBus.Deprecated":
1209
"true" }
1607
"true" }
1210
1608
# Find an unused name
1211
1609
for aname in (iname.format(i)
1212
1610
for i in itertools.count()):
1216
1614
if interface_names:
1217
1615
# Replace the class with a new subclass of it with
1218
1616
# methods, signals, etc. as created above.
1219
cls = type(b"{0}Alternate".format(cls.__name__),
1220
(cls,), attr)
1617
cls = type(b"{}Alternate".format(cls.__name__),
1618
(cls, ), attr)
1221
1619
return cls
1620
1222
1621
return wrapper
1223
1622
1224
1623
1225
1624
@alternate_dbus_interfaces({"se.recompile.Mandos":
1226
"se.bsnet.fukt.Mandos"})
1625
"se.bsnet.fukt.Mandos"})
1227
1626
class ClientDBus(Client, DBusObjectWithProperties):
1228
1627
"""A Client class using D-Bus
1229
1628
1233
1632
"""
1234
1633
1235
1634
runtime_expansions = (Client.runtime_expansions
1236
+ ("dbus_object_path",))
1635
+ ("dbus_object_path", ))
1636
1637
_interface = "se.recompile.Mandos.Client"
1237
1638
1238
1639
# dbus.service.Object doesn't use super(), so we can't either.
1239
1640
1242
1643
Client.__init__(self, *args, **kwargs)
1243
1644
# Only now, when this client is initialized, can it show up on
1244
1645
# the D-Bus
1245
client_object_name = unicode(self.name).translate(
1646
client_object_name = str(self.name).translate(
1246
1647
{ord("."): ord("_"),
1247
1648
ord("-"): ord("_")})
1248
self.dbus_object_path = (dbus.ObjectPath
1249
("/clients/" + client_object_name))
1649
self.dbus_object_path = dbus.ObjectPath(
1650
"/clients/" + client_object_name)
1250
1651
DBusObjectWithProperties.__init__(self, self.bus,
1251
1652
self.dbus_object_path)
1252
1653
1253
def notifychangeproperty(transform_func,
1254
dbus_name, type_func=lambda x: x,
1255
variant_level=1):
1654
def notifychangeproperty(transform_func, dbus_name,
1655
type_func=lambda x: x,
1656
variant_level=1,
1657
invalidate_only=False,
1658
_interface=_interface):
1256
1659
""" Modify a variable so that it's a property which announces
1257
1660
its changes to DBus.
1258
1661
1263
1666
to the D-Bus. Default: no transform
1264
1667
variant_level: D-Bus variant level. Default: 1
1265
1668
"""
1266
attrname = "_{0}".format(dbus_name)
1669
attrname = "_{}".format(dbus_name)
1670
1267
1671
def setter(self, value):
1268
1672
if hasattr(self, "dbus_object_path"):
1269
1673
if (not hasattr(self, attrname) or
1270
1674
type_func(getattr(self, attrname, None))
1271
1675
!= type_func(value)):
1272
dbus_value = transform_func(type_func(value),
1273
variant_level
1274
=variant_level)
1275
self.PropertyChanged(dbus.String(dbus_name),
1276
dbus_value)
1676
if invalidate_only:
1677
self.PropertiesChanged(
1678
_interface, dbus.Dictionary(),
1679
dbus.Array((dbus_name, )))
1680
else:
1681
dbus_value = transform_func(
1682
type_func(value),
1683
variant_level = variant_level)
1684
self.PropertyChanged(dbus.String(dbus_name),
1685
dbus_value)
1686
self.PropertiesChanged(
1687
_interface,
1688
dbus.Dictionary({ dbus.String(dbus_name):
1689
dbus_value }),
1690
dbus.Array())
1277
1691
setattr(self, attrname, value)
1278
1692
1279
1693
return property(lambda self: getattr(self, attrname), setter)
1285
1699
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1286
1700
last_enabled = notifychangeproperty(datetime_to_dbus,
1287
1701
"LastEnabled")
1288
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1289
type_func = lambda checker:
1290
checker is not None)
1702
checker = notifychangeproperty(
1703
dbus.Boolean, "CheckerRunning",
1704
type_func = lambda checker: checker is not None)
1291
1705
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1292
1706
"LastCheckedOK")
1293
1707
last_checker_status = notifychangeproperty(dbus.Int16,
1296
1710
datetime_to_dbus, "LastApprovalRequest")
1297
1711
approved_by_default = notifychangeproperty(dbus.Boolean,
1298
1712
"ApprovedByDefault")
1299
approval_delay = notifychangeproperty(dbus.UInt64,
1300
"ApprovalDelay",
1301
type_func =
1302
timedelta_to_milliseconds)
1713
approval_delay = notifychangeproperty(
1714
dbus.UInt64, "ApprovalDelay",
1715
type_func = lambda td: td.total_seconds() * 1000)
1303
1716
approval_duration = notifychangeproperty(
1304
1717
dbus.UInt64, "ApprovalDuration",
1305
type_func = timedelta_to_milliseconds)
1718
type_func = lambda td: td.total_seconds() * 1000)
1306
1719
host = notifychangeproperty(dbus.String, "Host")
1307
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1308
type_func =
1309
timedelta_to_milliseconds)
1720
timeout = notifychangeproperty(
1721
dbus.UInt64, "Timeout",
1722
type_func = lambda td: td.total_seconds() * 1000)
1310
1723
extended_timeout = notifychangeproperty(
1311
1724
dbus.UInt64, "ExtendedTimeout",
1312
type_func = timedelta_to_milliseconds)
1313
interval = notifychangeproperty(dbus.UInt64,
1314
"Interval",
1315
type_func =
1316
timedelta_to_milliseconds)
1725
type_func = lambda td: td.total_seconds() * 1000)
1726
interval = notifychangeproperty(
1727
dbus.UInt64, "Interval",
1728
type_func = lambda td: td.total_seconds() * 1000)
1317
1729
checker_command = notifychangeproperty(dbus.String, "Checker")
1730
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1731
invalidate_only=True)
1318
1732
1319
1733
del notifychangeproperty
1320
1734
1327
1741
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1328
1742
Client.__del__(self, *args, **kwargs)
1329
1743
1330
def checker_callback(self, pid, condition, command,
1331
*args, **kwargs):
1332
self.checker_callback_tag = None
1333
self.checker = None
1334
if os.WIFEXITED(condition):
1335
exitstatus = os.WEXITSTATUS(condition)
1744
def checker_callback(self, source, condition,
1745
connection, command, *args, **kwargs):
1746
ret = Client.checker_callback(self, source, condition,
1747
connection, command, *args,
1748
**kwargs)
1749
exitstatus = self.last_checker_status
1750
if exitstatus >= 0:
1336
1751
# Emit D-Bus signal
1337
1752
self.CheckerCompleted(dbus.Int16(exitstatus),
1338
dbus.Int64(condition),
1753
# This is specific to GNU libC
1754
dbus.Int64(exitstatus << 8),
1339
1755
dbus.String(command))
1340
1756
else:
1341
1757
# Emit D-Bus signal
1342
1758
self.CheckerCompleted(dbus.Int16(-1),
1343
dbus.Int64(condition),
1759
dbus.Int64(
1760
# This is specific to GNU libC
1761
(exitstatus << 8)
1762
| self.last_checker_signal),
1344
1763
dbus.String(command))
1345
1346
return Client.checker_callback(self, pid, condition, command,
1347
*args, **kwargs)
1764
return ret
1348
1765
1349
1766
def start_checker(self, *args, **kwargs):
1350
old_checker = self.checker
1351
if self.checker is not None:
1352
old_checker_pid = self.checker.pid
1353
else:
1354
old_checker_pid = None
1767
old_checker_pid = getattr(self.checker, "pid", None)
1355
1768
r = Client.start_checker(self, *args, **kwargs)
1356
1769
# Only if new checker process was started
1357
1770
if (self.checker is not None
1366
1779
1367
1780
def approve(self, value=True):
1368
1781
self.approved = value
1369
gobject.timeout_add(timedelta_to_milliseconds
1370
(self.approval_duration),
1371
self._reset_approved)
1782
gobject.timeout_add(int(self.approval_duration.total_seconds()
1783
* 1000), self._reset_approved)
1372
1784
self.send_changedstate()
1373
1785
1374
1786
## D-Bus methods, signals & properties
1375
_interface = "se.recompile.Mandos.Client"
1376
1787
1377
1788
## Interfaces
1378
1789
1379
@dbus_interface_annotations(_interface)
1380
def _foo(self):
1381
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1382
"false"}
1383
1384
1790
## Signals
1385
1791
1386
1792
# CheckerCompleted - signal
1396
1802
pass
1397
1803
1398
1804
# PropertyChanged - signal
1805
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1399
1806
@dbus.service.signal(_interface, signature="sv")
1400
1807
def PropertyChanged(self, property, value):
1401
1808
"D-Bus signal"
1435
1842
self.checked_ok()
1436
1843
1437
1844
# Enable - method
1845
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1438
1846
@dbus.service.method(_interface)
1439
1847
def Enable(self):
1440
1848
"D-Bus method"
1441
1849
self.enable()
1442
1850
1443
1851
# StartChecker - method
1852
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1444
1853
@dbus.service.method(_interface)
1445
1854
def StartChecker(self):
1446
1855
"D-Bus method"
1447
1856
self.start_checker()
1448
1857
1449
1858
# Disable - method
1859
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1450
1860
@dbus.service.method(_interface)
1451
1861
def Disable(self):
1452
1862
"D-Bus method"
1453
1863
self.disable()
1454
1864
1455
1865
# StopChecker - method
1866
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1456
1867
@dbus.service.method(_interface)
1457
1868
def StopChecker(self):
1458
1869
self.stop_checker()
1465
1876
return dbus.Boolean(bool(self.approvals_pending))
1466
1877
1467
1878
# ApprovedByDefault - property
1468
@dbus_service_property(_interface, signature="b",
1879
@dbus_service_property(_interface,
1880
signature="b",
1469
1881
access="readwrite")
1470
1882
def ApprovedByDefault_dbus_property(self, value=None):
1471
1883
if value is None: # get
1473
1885
self.approved_by_default = bool(value)
1474
1886
1475
1887
# ApprovalDelay - property
1476
@dbus_service_property(_interface, signature="t",
1888
@dbus_service_property(_interface,
1889
signature="t",
1477
1890
access="readwrite")
1478
1891
def ApprovalDelay_dbus_property(self, value=None):
1479
1892
if value is None: # get
1480
return dbus.UInt64(self.approval_delay_milliseconds())
1893
return dbus.UInt64(self.approval_delay.total_seconds()
1894
* 1000)
1481
1895
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1482
1896
1483
1897
# ApprovalDuration - property
1484
@dbus_service_property(_interface, signature="t",
1898
@dbus_service_property(_interface,
1899
signature="t",
1485
1900
access="readwrite")
1486
1901
def ApprovalDuration_dbus_property(self, value=None):
1487
1902
if value is None: # get
1488
return dbus.UInt64(timedelta_to_milliseconds(
1489
self.approval_duration))
1903
return dbus.UInt64(self.approval_duration.total_seconds()
1904
* 1000)
1490
1905
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1491
1906
1492
1907
# Name - property
1908
@dbus_annotations(
1909
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1493
1910
@dbus_service_property(_interface, signature="s", access="read")
1494
1911
def Name_dbus_property(self):
1495
1912
return dbus.String(self.name)
1496
1913
1497
1914
# Fingerprint - property
1915
@dbus_annotations(
1916
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1498
1917
@dbus_service_property(_interface, signature="s", access="read")
1499
1918
def Fingerprint_dbus_property(self):
1500
1919
return dbus.String(self.fingerprint)
1501
1920
1502
1921
# Host - property
1503
@dbus_service_property(_interface, signature="s",
1922
@dbus_service_property(_interface,
1923
signature="s",
1504
1924
access="readwrite")
1505
1925
def Host_dbus_property(self, value=None):
1506
1926
if value is None: # get
1507
1927
return dbus.String(self.host)
1508
self.host = unicode(value)
1928
self.host = str(value)
1509
1929
1510
1930
# Created - property
1931
@dbus_annotations(
1932
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1511
1933
@dbus_service_property(_interface, signature="s", access="read")
1512
1934
def Created_dbus_property(self):
1513
1935
return datetime_to_dbus(self.created)
1518
1940
return datetime_to_dbus(self.last_enabled)
1519
1941
1520
1942
# Enabled - property
1521
@dbus_service_property(_interface, signature="b",
1943
@dbus_service_property(_interface,
1944
signature="b",
1522
1945
access="readwrite")
1523
1946
def Enabled_dbus_property(self, value=None):
1524
1947
if value is None: # get
1529
1952
self.disable()
1530
1953
1531
1954
# LastCheckedOK - property
1532
@dbus_service_property(_interface, signature="s",
1955
@dbus_service_property(_interface,
1956
signature="s",
1533
1957
access="readwrite")
1534
1958
def LastCheckedOK_dbus_property(self, value=None):
1535
1959
if value is not None:
1538
1962
return datetime_to_dbus(self.last_checked_ok)
1539
1963
1540
1964
# LastCheckerStatus - property
1541
@dbus_service_property(_interface, signature="n",
1542
access="read")
1965
@dbus_service_property(_interface, signature="n", access="read")
1543
1966
def LastCheckerStatus_dbus_property(self):
1544
1967
return dbus.Int16(self.last_checker_status)
1545
1968
1554
1977
return datetime_to_dbus(self.last_approval_request)
1555
1978
1556
1979
# Timeout - property
1557
@dbus_service_property(_interface, signature="t",
1980
@dbus_service_property(_interface,
1981
signature="t",
1558
1982
access="readwrite")
1559
1983
def Timeout_dbus_property(self, value=None):
1560
1984
if value is None: # get
1561
return dbus.UInt64(self.timeout_milliseconds())
1985
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1562
1986
old_timeout = self.timeout
1563
1987
self.timeout = datetime.timedelta(0, 0, 0, value)
1564
1988
# Reschedule disabling
1573
1997
is None):
1574
1998
return
1575
1999
gobject.source_remove(self.disable_initiator_tag)
1576
self.disable_initiator_tag = (
1577
gobject.timeout_add(
1578
timedelta_to_milliseconds(self.expires - now),
1579
self.disable))
2000
self.disable_initiator_tag = gobject.timeout_add(
2001
int((self.expires - now).total_seconds() * 1000),
2002
self.disable)
1580
2003
1581
2004
# ExtendedTimeout - property
1582
@dbus_service_property(_interface, signature="t",
2005
@dbus_service_property(_interface,
2006
signature="t",
1583
2007
access="readwrite")
1584
2008
def ExtendedTimeout_dbus_property(self, value=None):
1585
2009
if value is None: # get
1586
return dbus.UInt64(self.extended_timeout_milliseconds())
2010
return dbus.UInt64(self.extended_timeout.total_seconds()
2011
* 1000)
1587
2012
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1588
2013
1589
2014
# Interval - property
1590
@dbus_service_property(_interface, signature="t",
2015
@dbus_service_property(_interface,
2016
signature="t",
1591
2017
access="readwrite")
1592
2018
def Interval_dbus_property(self, value=None):
1593
2019
if value is None: # get
1594
return dbus.UInt64(self.interval_milliseconds())
2020
return dbus.UInt64(self.interval.total_seconds() * 1000)
1595
2021
self.interval = datetime.timedelta(0, 0, 0, value)
1596
2022
if getattr(self, "checker_initiator_tag", None) is None:
1597
2023
return
1598
2024
if self.enabled:
1599
2025
# Reschedule checker run
1600
2026
gobject.source_remove(self.checker_initiator_tag)
1601
self.checker_initiator_tag = (gobject.timeout_add
1602
(value, self.start_checker))
1603
self.start_checker() # Start one now, too
2027
self.checker_initiator_tag = gobject.timeout_add(
2028
value, self.start_checker)
2029
self.start_checker() # Start one now, too
1604
2030
1605
2031
# Checker - property
1606
@dbus_service_property(_interface, signature="s",
2032
@dbus_service_property(_interface,
2033
signature="s",
1607
2034
access="readwrite")
1608
2035
def Checker_dbus_property(self, value=None):
1609
2036
if value is None: # get
1610
2037
return dbus.String(self.checker_command)
1611
self.checker_command = unicode(value)
2038
self.checker_command = str(value)
1612
2039
1613
2040
# CheckerRunning - property
1614
@dbus_service_property(_interface, signature="b",
2041
@dbus_service_property(_interface,
2042
signature="b",
1615
2043
access="readwrite")
1616
2044
def CheckerRunning_dbus_property(self, value=None):
1617
2045
if value is None: # get
1622
2050
self.stop_checker()
1623
2051
1624
2052
# ObjectPath - property
2053
@dbus_annotations(
2054
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2055
"org.freedesktop.DBus.Deprecated": "true"})
1625
2056
@dbus_service_property(_interface, signature="o", access="read")
1626
2057
def ObjectPath_dbus_property(self):
1627
2058
return self.dbus_object_path # is already a dbus.ObjectPath
1628
2059
1629
2060
# Secret = property
1630
@dbus_service_property(_interface, signature="ay",
1631
access="write", byte_arrays=True)
2061
@dbus_annotations(
2062
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2063
"invalidates"})
2064
@dbus_service_property(_interface,
2065
signature="ay",
2066
access="write",
2067
byte_arrays=True)
1632
2068
def Secret_dbus_property(self, value):
1633
self.secret = str(value)
2069
self.secret = bytes(value)
1634
2070
1635
2071
del _interface
1636
2072
1640
2076
self._pipe = child_pipe
1641
2077
self._pipe.send(('init', fpr, address))
1642
2078
if not self._pipe.recv():
1643
raise KeyError()
2079
raise KeyError(fpr)
1644
2080
1645
2081
def __getattribute__(self, name):
1646
2082
if name == '_pipe':
1650
2086
if data[0] == 'data':
1651
2087
return data[1]
1652
2088
if data[0] == 'function':
2089
1653
2090
def func(*args, **kwargs):
1654
2091
self._pipe.send(('funcall', name, args, kwargs))
1655
2092
return self._pipe.recv()[1]
2093
1656
2094
return func
1657
2095
1658
2096
def __setattr__(self, name, value):
1670
2108
def handle(self):
1671
2109
with contextlib.closing(self.server.child_pipe) as child_pipe:
1672
2110
logger.info("TCP connection from: %s",
1673
unicode(self.client_address))
2111
str(self.client_address))
1674
2112
logger.debug("Pipe FD: %d",
1675
2113
self.server.child_pipe.fileno())
1676
2114
1677
session = (gnutls.connection
1678
.ClientSession(self.request,
1679
gnutls.connection
1680
.X509Credentials()))
1681
1682
# Note: gnutls.connection.X509Credentials is really a
1683
# generic GnuTLS certificate credentials object so long as
1684
# no X.509 keys are added to it. Therefore, we can use it
1685
# here despite using OpenPGP certificates.
2115
session = gnutls.ClientSession(self.request)
1686
2116
1687
2117
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1688
2118
# "+AES-256-CBC", "+SHA1",
1692
2122
priority = self.server.gnutls_priority
1693
2123
if priority is None:
1694
2124
priority = "NORMAL"
1695
(gnutls.library.functions
1696
.gnutls_priority_set_direct(session._c_object,
1697
priority, None))
2125
gnutls.priority_set_direct(session._c_object, priority,
2126
None)
1698
2127
1699
2128
# Start communication using the Mandos protocol
1700
2129
# Get protocol number
1702
2131
logger.debug("Protocol version: %r", line)
1703
2132
try:
1704
2133
if int(line.strip().split()[0]) > 1:
1705
raise RuntimeError
2134
raise RuntimeError(line)
1706
2135
except (ValueError, IndexError, RuntimeError) as error:
1707
2136
logger.error("Unknown protocol version: %s", error)
1708
2137
return
1710
2139
# Start GnuTLS connection
1711
2140
try:
1712
2141
session.handshake()
1713
except gnutls.errors.GNUTLSError as error:
2142
except gnutls.Error as error:
1714
2143
logger.warning("Handshake failed: %s", error)
1715
2144
# Do not run session.bye() here: the session is not
1716
2145
# established. Just abandon the request.
1720
2149
approval_required = False
1721
2150
try:
1722
2151
try:
1723
fpr = self.fingerprint(self.peer_certificate
1724
(session))
1725
except (TypeError,
1726
gnutls.errors.GNUTLSError) as error:
2152
fpr = self.fingerprint(
2153
self.peer_certificate(session))
2154
except (TypeError, gnutls.Error) as error:
1727
2155
logger.warning("Bad certificate: %s", error)
1728
2156
return
1729
2157
logger.debug("Fingerprint: %s", fpr)
1742
2170
while True:
1743
2171
if not client.enabled:
1744
2172
logger.info("Client %s is disabled",
1745
client.name)
2173
client.name)
1746
2174
if self.server.use_dbus:
1747
2175
# Emit D-Bus signal
1748
2176
client.Rejected("Disabled")
1757
2185
if self.server.use_dbus:
1758
2186
# Emit D-Bus signal
1759
2187
client.NeedApproval(
1760
client.approval_delay_milliseconds(),
1761
client.approved_by_default)
2188
client.approval_delay.total_seconds()
2189
* 1000, client.approved_by_default)
1762
2190
else:
1763
2191
logger.warning("Client %s was not approved",
1764
2192
client.name)
1770
2198
#wait until timeout or approved
1771
2199
time = datetime.datetime.now()
1772
2200
client.changedstate.acquire()
1773
client.changedstate.wait(
1774
float(timedelta_to_milliseconds(delay)
1775
/ 1000))
2201
client.changedstate.wait(delay.total_seconds())
1776
2202
client.changedstate.release()
1777
2203
time2 = datetime.datetime.now()
1778
2204
if (time2 - time) >= delay:
1793
2219
while sent_size < len(client.secret):
1794
2220
try:
1795
2221
sent = session.send(client.secret[sent_size:])
1796
except gnutls.errors.GNUTLSError as error:
2222
except gnutls.Error as error:
1797
2223
logger.warning("gnutls send failed",
1798
2224
exc_info=error)
1799
2225
return
1800
logger.debug("Sent: %d, remaining: %d",
1801
sent, len(client.secret)
1802
- (sent_size + sent))
2226
logger.debug("Sent: %d, remaining: %d", sent,
2227
len(client.secret) - (sent_size
2228
+ sent))
1803
2229
sent_size += sent
1804
2230
1805
2231
logger.info("Sending secret to %s", client.name)
1814
2240
client.approvals_pending -= 1
1815
2241
try:
1816
2242
session.bye()
1817
except gnutls.errors.GNUTLSError as error:
2243
except gnutls.Error as error:
1818
2244
logger.warning("GnuTLS bye failed",
1819
2245
exc_info=error)
1820
2246
1822
2248
def peer_certificate(session):
1823
2249
"Return the peer's OpenPGP certificate as a bytestring"
1824
2250
# If not an OpenPGP certificate...
1825
if (gnutls.library.functions
1826
.gnutls_certificate_type_get(session._c_object)
1827
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1828
# ...do the normal thing
1829
return session.peer_certificate
2251
if (gnutls.certificate_type_get(session._c_object)
2252
!= gnutls.CRT_OPENPGP):
2253
# ...return invalid data
2254
return b""
1830
2255
list_size = ctypes.c_uint(1)
1831
cert_list = (gnutls.library.functions
1832
.gnutls_certificate_get_peers
2256
cert_list = (gnutls.certificate_get_peers
1833
2257
(session._c_object, ctypes.byref(list_size)))
1834
2258
if not bool(cert_list) and list_size.value != 0:
1835
raise gnutls.errors.GNUTLSError("error getting peer"
1836
" certificate")
2259
raise gnutls.Error("error getting peer certificate")
1837
2260
if list_size.value == 0:
1838
2261
return None
1839
2262
cert = cert_list[0]
1843
2266
def fingerprint(openpgp):
1844
2267
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1845
2268
# New GnuTLS "datum" with the OpenPGP public key
1846
datum = (gnutls.library.types
1847
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1848
ctypes.POINTER
1849
(ctypes.c_ubyte)),
1850
ctypes.c_uint(len(openpgp))))
2269
datum = gnutls.datum_t(
2270
ctypes.cast(ctypes.c_char_p(openpgp),
2271
ctypes.POINTER(ctypes.c_ubyte)),
2272
ctypes.c_uint(len(openpgp)))
1851
2273
# New empty GnuTLS certificate
1852
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1853
(gnutls.library.functions
1854
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
2274
crt = gnutls.openpgp_crt_t()
2275
gnutls.openpgp_crt_init(ctypes.byref(crt))
1855
2276
# Import the OpenPGP public key into the certificate
1856
(gnutls.library.functions
1857
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1858
gnutls.library.constants
1859
.GNUTLS_OPENPGP_FMT_RAW))
2277
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2278
gnutls.OPENPGP_FMT_RAW)
1860
2279
# Verify the self signature in the key
1861
2280
crtverify = ctypes.c_uint()
1862
(gnutls.library.functions
1863
.gnutls_openpgp_crt_verify_self(crt, 0,
1864
ctypes.byref(crtverify)))
2281
gnutls.openpgp_crt_verify_self(crt, 0,
2282
ctypes.byref(crtverify))
1865
2283
if crtverify.value != 0:
1866
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1867
raise (gnutls.errors.CertificateSecurityError
1868
("Verify failed"))
2284
gnutls.openpgp_crt_deinit(crt)
2285
raise gnutls.CertificateSecurityError("Verify failed")
1869
2286
# New buffer for the fingerprint
1870
2287
buf = ctypes.create_string_buffer(20)
1871
2288
buf_len = ctypes.c_size_t()
1872
2289
# Get the fingerprint from the certificate into the buffer
1873
(gnutls.library.functions
1874
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1875
ctypes.byref(buf_len)))
2290
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2291
ctypes.byref(buf_len))
1876
2292
# Deinit the certificate
1877
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2293
gnutls.openpgp_crt_deinit(crt)
1878
2294
# Convert the buffer to a Python bytestring
1879
2295
fpr = ctypes.string_at(buf, buf_len.value)
1880
2296
# Convert the bytestring to hexadecimal notation
1884
2300
1885
2301
class MultiprocessingMixIn(object):
1886
2302
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2303
1887
2304
def sub_process_main(self, request, address):
1888
2305
try:
1889
2306
self.finish_request(request, address)
1901
2318
1902
2319
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1903
2320
""" adds a pipe to the MixIn """
2321
1904
2322
def process_request(self, request, client_address):
1905
2323
"""Overrides and wraps the original process_request().
1906
2324
1915
2333
1916
2334
def add_pipe(self, parent_pipe, proc):
1917
2335
"""Dummy function; override as necessary"""
1918
raise NotImplementedError
2336
raise NotImplementedError()
1919
2337
1920
2338
1921
2339
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1927
2345
interface: None or a network interface name (string)
1928
2346
use_ipv6: Boolean; to use IPv6 or not
1929
2347
"""
2348
1930
2349
def __init__(self, server_address, RequestHandlerClass,
1931
interface=None, use_ipv6=True, socketfd=None):
2350
interface=None,
2351
use_ipv6=True,
2352
socketfd=None):
1932
2353
"""If socketfd is set, use that file descriptor instead of
1933
2354
creating a new one with socket.socket().
1934
2355
"""
1975
2396
self.interface)
1976
2397
else:
1977
2398
try:
1978
self.socket.setsockopt(socket.SOL_SOCKET,
1979
SO_BINDTODEVICE,
1980
str(self.interface + '\0'))
2399
self.socket.setsockopt(
2400
socket.SOL_SOCKET, SO_BINDTODEVICE,
2401
(self.interface + "\0").encode("utf-8"))
1981
2402
except socket.error as error:
1982
2403
if error.errno == errno.EPERM:
1983
2404
logger.error("No permission to bind to"
2001
2422
self.server_address = (any_address,
2002
2423
self.server_address[1])
2003
2424
elif not self.server_address[1]:
2004
self.server_address = (self.server_address[0],
2005
0)
2425
self.server_address = (self.server_address[0], 0)
2006
2426
# if self.interface:
2007
2427
# self.server_address = (self.server_address[0],
2008
2428
# 0, # port
2022
2442
2023
2443
Assumes a gobject.MainLoop event loop.
2024
2444
"""
2445
2025
2446
def __init__(self, server_address, RequestHandlerClass,
2026
interface=None, use_ipv6=True, clients=None,
2027
gnutls_priority=None, use_dbus=True, socketfd=None):
2447
interface=None,
2448
use_ipv6=True,
2449
clients=None,
2450
gnutls_priority=None,
2451
use_dbus=True,
2452
socketfd=None):
2028
2453
self.enabled = False
2029
2454
self.clients = clients
2030
2455
if self.clients is None:
2036
2461
interface = interface,
2037
2462
use_ipv6 = use_ipv6,
2038
2463
socketfd = socketfd)
2464
2039
2465
def server_activate(self):
2040
2466
if self.enabled:
2041
2467
return socketserver.TCPServer.server_activate(self)
2045
2471
2046
2472
def add_pipe(self, parent_pipe, proc):
2047
2473
# Call "handle_ipc" for both data and EOF events
2048
gobject.io_add_watch(parent_pipe.fileno(),
2049
gobject.IO_IN | gobject.IO_HUP,
2050
functools.partial(self.handle_ipc,
2051
parent_pipe =
2052
parent_pipe,
2053
proc = proc))
2474
gobject.io_add_watch(
2475
parent_pipe.fileno(),
2476
gobject.IO_IN | gobject.IO_HUP,
2477
functools.partial(self.handle_ipc,
2478
parent_pipe = parent_pipe,
2479
proc = proc))
2054
2480
2055
def handle_ipc(self, source, condition, parent_pipe=None,
2056
proc = None, client_object=None):
2481
def handle_ipc(self, source, condition,
2482
parent_pipe=None,
2483
proc = None,
2484
client_object=None):
2057
2485
# error, or the other end of multiprocessing.Pipe has closed
2058
2486
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2059
2487
# Wait for other process to exit
2082
2510
parent_pipe.send(False)
2083
2511
return False
2084
2512
2085
gobject.io_add_watch(parent_pipe.fileno(),
2086
gobject.IO_IN | gobject.IO_HUP,
2087
functools.partial(self.handle_ipc,
2088
parent_pipe =
2089
parent_pipe,
2090
proc = proc,
2091
client_object =
2092
client))
2513
gobject.io_add_watch(
2514
parent_pipe.fileno(),
2515
gobject.IO_IN | gobject.IO_HUP,
2516
functools.partial(self.handle_ipc,
2517
parent_pipe = parent_pipe,
2518
proc = proc,
2519
client_object = client))
2093
2520
parent_pipe.send(True)
2094
2521
# remove the old hook in favor of the new above hook on
2095
2522
# same fileno
2101
2528
2102
2529
parent_pipe.send(('data', getattr(client_object,
2103
2530
funcname)(*args,
2104
**kwargs)))
2531
**kwargs)))
2105
2532
2106
2533
if command == 'getattr':
2107
2534
attrname = request[1]
2108
if callable(client_object.__getattribute__(attrname)):
2109
parent_pipe.send(('function',))
2535
if isinstance(client_object.__getattribute__(attrname),
2536
collections.Callable):
2537
parent_pipe.send(('function', ))
2110
2538
else:
2111
parent_pipe.send(('data', client_object
2112
.__getattribute__(attrname)))
2539
parent_pipe.send((
2540
'data', client_object.__getattribute__(attrname)))
2113
2541
2114
2542
if command == 'setattr':
2115
2543
attrname = request[1]
2146
2574
# avoid excessive use of external libraries.
2147
2575
2148
2576
# New type for defining tokens, syntax, and semantics all-in-one
2149
Token = collections.namedtuple("Token",
2150
("regexp", # To match token; if
2151
# "value" is not None,
2152
# must have a "group"
2153
# containing digits
2154
"value", # datetime.timedelta or
2155
# None
2156
"followers")) # Tokens valid after
2157
# this token
2577
Token = collections.namedtuple("Token", (
2578
"regexp", # To match token; if "value" is not None, must have
2579
# a "group" containing digits
2580
"value", # datetime.timedelta or None
2581
"followers")) # Tokens valid after this token
2158
2582
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2159
2583
# the "duration" ABNF definition in RFC 3339, Appendix A.
2160
2584
token_end = Token(re.compile(r"$"), None, frozenset())
2161
2585
token_second = Token(re.compile(r"(\d+)S"),
2162
2586
datetime.timedelta(seconds=1),
2163
frozenset((token_end,)))
2587
frozenset((token_end, )))
2164
2588
token_minute = Token(re.compile(r"(\d+)M"),
2165
2589
datetime.timedelta(minutes=1),
2166
2590
frozenset((token_second, token_end)))
2182
2606
frozenset((token_month, token_end)))
2183
2607
token_week = Token(re.compile(r"(\d+)W"),
2184
2608
datetime.timedelta(weeks=1),
2185
frozenset((token_end,)))
2609
frozenset((token_end, )))
2186
2610
token_duration = Token(re.compile(r"P"), None,
2187
2611
frozenset((token_year, token_month,
2188
2612
token_day, token_time,
2189
token_week))),
2613
token_week)))
2190
2614
# Define starting values
2191
2615
value = datetime.timedelta() # Value so far
2192
2616
found_token = None
2193
followers = frozenset(token_duration,) # Following valid tokens
2617
followers = frozenset((token_duration, )) # Following valid tokens
2194
2618
s = duration # String left to parse
2195
2619
# Loop until end token is found
2196
2620
while found_token is not token_end:
2213
2637
break
2214
2638
else:
2215
2639
# No currently valid tokens were found
2216
raise ValueError("Invalid RFC 3339 duration")
2640
raise ValueError("Invalid RFC 3339 duration: {!r}"
2641
.format(duration))
2217
2642
# End token found
2218
2643
return value
2219
2644
2243
2668
timevalue = datetime.timedelta(0)
2244
2669
for s in interval.split():
2245
2670
try:
2246
suffix = unicode(s[-1])
2671
suffix = s[-1]
2247
2672
value = int(s[:-1])
2248
2673
if suffix == "d":
2249
2674
delta = datetime.timedelta(value)
2256
2681
elif suffix == "w":
2257
2682
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2258
2683
else:
2259
raise ValueError("Unknown suffix {0!r}"
2260
.format(suffix))
2261
except (ValueError, IndexError) as e:
2684
raise ValueError("Unknown suffix {!r}".format(suffix))
2685
except IndexError as e:
2262
2686
raise ValueError(*(e.args))
2263
2687
timevalue += delta
2264
2688
return timevalue
2280
2704
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2281
2705
if not stat.S_ISCHR(os.fstat(null).st_mode):
2282
2706
raise OSError(errno.ENODEV,
2283
"{0} not a character device"
2707
"{} not a character device"
2284
2708
.format(os.devnull))
2285
2709
os.dup2(null, sys.stdin.fileno())
2286
2710
os.dup2(null, sys.stdout.fileno())
2296
2720
2297
2721
parser = argparse.ArgumentParser()
2298
2722
parser.add_argument("-v", "--version", action="version",
2299
version = "%(prog)s {0}".format(version),
2723
version = "%(prog)s {}".format(version),
2300
2724
help="show version number and exit")
2301
2725
parser.add_argument("-i", "--interface", metavar="IF",
2302
2726
help="Bind to interface IF")
2335
2759
help="Directory to save/restore state in")
2336
2760
parser.add_argument("--foreground", action="store_true",
2337
2761
help="Run in foreground", default=None)
2762
parser.add_argument("--no-zeroconf", action="store_false",
2763
dest="zeroconf", help="Do not use Zeroconf",
2764
default=None)
2338
2765
2339
2766
options = parser.parse_args()
2340
2767
2341
2768
if options.check:
2342
2769
import doctest
2343
doctest.testmod()
2344
sys.exit()
2770
fail_count, test_count = doctest.testmod()
2771
sys.exit(os.EX_OK if fail_count == 0 else 1)
2345
2772
2346
2773
# Default values for config file for server-global settings
2347
2774
server_defaults = { "interface": "",
2349
2776
"port": "",
2350
2777
"debug": "False",
2351
2778
"priority":
2352
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2779
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2780
":+SIGN-DSA-SHA256",
2353
2781
"servicename": "Mandos",
2354
2782
"use_dbus": "True",
2355
2783
"use_ipv6": "True",
2358
2786
"socket": "",
2359
2787
"statedir": "/var/lib/mandos",
2360
2788
"foreground": "False",
2361
}
2789
"zeroconf": "True",
2790
}
2362
2791
2363
2792
# Parse config file for server-global settings
2364
2793
server_config = configparser.SafeConfigParser(server_defaults)
2365
2794
del server_defaults
2366
server_config.read(os.path.join(options.configdir,
2367
"mandos.conf"))
2795
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2368
2796
# Convert the SafeConfigParser object to a dict
2369
2797
server_settings = server_config.defaults()
2370
2798
# Use the appropriate methods on the non-string config options
2388
2816
# Override the settings from the config file with command line
2389
2817
# options, if set.
2390
2818
for option in ("interface", "address", "port", "debug",
2391
"priority", "servicename", "configdir",
2392
"use_dbus", "use_ipv6", "debuglevel", "restore",
2393
"statedir", "socket", "foreground"):
2819
"priority", "servicename", "configdir", "use_dbus",
2820
"use_ipv6", "debuglevel", "restore", "statedir",
2821
"socket", "foreground", "zeroconf"):
2394
2822
value = getattr(options, option)
2395
2823
if value is not None:
2396
2824
server_settings[option] = value
2397
2825
del options
2398
2826
# Force all strings to be unicode
2399
2827
for option in server_settings.keys():
2400
if type(server_settings[option]) is str:
2401
server_settings[option] = unicode(server_settings[option])
2828
if isinstance(server_settings[option], bytes):
2829
server_settings[option] = (server_settings[option]
2830
.decode("utf-8"))
2402
2831
# Force all boolean options to be boolean
2403
2832
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2404
"foreground"):
2833
"foreground", "zeroconf"):
2405
2834
server_settings[option] = bool(server_settings[option])
2406
2835
# Debug implies foreground
2407
2836
if server_settings["debug"]:
2410
2839
2411
2840
##################################################################
2412
2841
2842
if (not server_settings["zeroconf"]
2843
and not (server_settings["port"]
2844
or server_settings["socket"] != "")):
2845
parser.error("Needs port or socket to work without Zeroconf")
2846
2413
2847
# For convenience
2414
2848
debug = server_settings["debug"]
2415
2849
debuglevel = server_settings["debuglevel"]
2418
2852
stored_state_path = os.path.join(server_settings["statedir"],
2419
2853
stored_state_file)
2420
2854
foreground = server_settings["foreground"]
2855
zeroconf = server_settings["zeroconf"]
2421
2856
2422
2857
if debug:
2423
2858
initlogger(debug, logging.DEBUG)
2429
2864
initlogger(debug, level)
2430
2865
2431
2866
if server_settings["servicename"] != "Mandos":
2432
syslogger.setFormatter(logging.Formatter
2433
('Mandos ({0}) [%(process)d]:'
2434
' %(levelname)s: %(message)s'
2435
.format(server_settings
2436
["servicename"])))
2867
syslogger.setFormatter(
2868
logging.Formatter('Mandos ({}) [%(process)d]:'
2869
' %(levelname)s: %(message)s'.format(
2870
server_settings["servicename"])))
2437
2871
2438
2872
# Parse config file with clients
2439
2873
client_config = configparser.SafeConfigParser(Client
2444
2878
global mandos_dbus_service
2445
2879
mandos_dbus_service = None
2446
2880
2447
tcp_server = MandosServer((server_settings["address"],
2448
server_settings["port"]),
2449
ClientHandler,
2450
interface=(server_settings["interface"]
2451
or None),
2452
use_ipv6=use_ipv6,
2453
gnutls_priority=
2454
server_settings["priority"],
2455
use_dbus=use_dbus,
2456
socketfd=(server_settings["socket"]
2457
or None))
2881
socketfd = None
2882
if server_settings["socket"] != "":
2883
socketfd = server_settings["socket"]
2884
tcp_server = MandosServer(
2885
(server_settings["address"], server_settings["port"]),
2886
ClientHandler,
2887
interface=(server_settings["interface"] or None),
2888
use_ipv6=use_ipv6,
2889
gnutls_priority=server_settings["priority"],
2890
use_dbus=use_dbus,
2891
socketfd=socketfd)
2458
2892
if not foreground:
2459
2893
pidfilename = "/run/mandos.pid"
2894
if not os.path.isdir("/run/."):
2895
pidfilename = "/var/run/mandos.pid"
2460
2896
pidfile = None
2461
2897
try:
2462
pidfile = open(pidfilename, "w")
2898
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2463
2899
except IOError as e:
2464
2900
logger.error("Could not open file %r", pidfilename,
2465
2901
exc_info=e)
2479
2915
os.setuid(uid)
2480
2916
except OSError as error:
2481
2917
if error.errno != errno.EPERM:
2482
raise error
2918
raise
2483
2919
2484
2920
if debug:
2485
2921
# Enable all possible GnuTLS debugging
2486
2922
2487
2923
# "Use a log level over 10 to enable all debugging options."
2488
2924
# - GnuTLS manual
2489
gnutls.library.functions.gnutls_global_set_log_level(11)
2925
gnutls.global_set_log_level(11)
2490
2926
2491
@gnutls.library.types.gnutls_log_func
2927
@gnutls.log_func
2492
2928
def debug_gnutls(level, string):
2493
2929
logger.debug("GnuTLS: %s", string[:-1])
2494
2930
2495
(gnutls.library.functions
2496
.gnutls_global_set_log_function(debug_gnutls))
2931
gnutls.global_set_log_function(debug_gnutls)
2497
2932
2498
2933
# Redirect stdin so all checkers get /dev/null
2499
2934
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2519
2954
if use_dbus:
2520
2955
try:
2521
2956
bus_name = dbus.service.BusName("se.recompile.Mandos",
2522
bus, do_not_queue=True)
2523
old_bus_name = (dbus.service.BusName
2524
("se.bsnet.fukt.Mandos", bus,
2525
do_not_queue=True))
2526
except dbus.exceptions.NameExistsException as e:
2957
bus,
2958
do_not_queue=True)
2959
old_bus_name = dbus.service.BusName(
2960
"se.bsnet.fukt.Mandos", bus,
2961
do_not_queue=True)
2962
except dbus.exceptions.DBusException as e:
2527
2963
logger.error("Disabling D-Bus:", exc_info=e)
2528
2964
use_dbus = False
2529
2965
server_settings["use_dbus"] = False
2530
2966
tcp_server.use_dbus = False
2531
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2532
service = AvahiServiceToSyslog(name =
2533
server_settings["servicename"],
2534
servicetype = "_mandos._tcp",
2535
protocol = protocol, bus = bus)
2536
if server_settings["interface"]:
2537
service.interface = (if_nametoindex
2538
(str(server_settings["interface"])))
2967
if zeroconf:
2968
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2969
service = AvahiServiceToSyslog(
2970
name = server_settings["servicename"],
2971
servicetype = "_mandos._tcp",
2972
protocol = protocol,
2973
bus = bus)
2974
if server_settings["interface"]:
2975
service.interface = if_nametoindex(
2976
server_settings["interface"].encode("utf-8"))
2539
2977
2540
2978
global multiprocessing_manager
2541
2979
multiprocessing_manager = multiprocessing.Manager()
2560
2998
if server_settings["restore"]:
2561
2999
try:
2562
3000
with open(stored_state_path, "rb") as stored_state:
2563
clients_data, old_client_settings = (pickle.load
2564
(stored_state))
3001
clients_data, old_client_settings = pickle.load(
3002
stored_state)
2565
3003
os.remove(stored_state_path)
2566
3004
except IOError as e:
2567
3005
if e.errno == errno.ENOENT:
2568
logger.warning("Could not load persistent state: {0}"
2569
.format(os.strerror(e.errno)))
3006
logger.warning("Could not load persistent state:"
3007
" {}".format(os.strerror(e.errno)))
2570
3008
else:
2571
3009
logger.critical("Could not load persistent state:",
2572
3010
exc_info=e)
2573
3011
raise
2574
3012
except EOFError as e:
2575
3013
logger.warning("Could not load persistent state: "
2576
"EOFError:", exc_info=e)
3014
"EOFError:",
3015
exc_info=e)
2577
3016
2578
3017
with PGPEngine() as pgp:
2579
for client_name, client in clients_data.iteritems():
3018
for client_name, client in clients_data.items():
2580
3019
# Skip removed clients
2581
3020
if client_name not in client_settings:
2582
3021
continue
2591
3030
# For each value in new config, check if it
2592
3031
# differs from the old config value (Except for
2593
3032
# the "secret" attribute)
2594
if (name != "secret" and
2595
value != old_client_settings[client_name]
2596
[name]):
3033
if (name != "secret"
3034
and (value !=
3035
old_client_settings[client_name][name])):
2597
3036
client[name] = value
2598
3037
except KeyError:
2599
3038
pass
2600
3039
2601
3040
# Clients who has passed its expire date can still be
2602
# enabled if its last checker was successful. Clients
3041
# enabled if its last checker was successful. A Client
2603
3042
# whose checker succeeded before we stored its state is
2604
3043
# assumed to have successfully run all checkers during
2605
3044
# downtime.
2607
3046
if datetime.datetime.utcnow() >= client["expires"]:
2608
3047
if not client["last_checked_ok"]:
2609
3048
logger.warning(
2610
"disabling client {0} - Client never "
2611
"performed a successful checker"
2612
.format(client_name))
3049
"disabling client {} - Client never "
3050
"performed a successful checker".format(
3051
client_name))
2613
3052
client["enabled"] = False
2614
3053
elif client["last_checker_status"] != 0:
2615
3054
logger.warning(
2616
"disabling client {0} - Client "
2617
"last checker failed with error code {1}"
2618
.format(client_name,
2619
client["last_checker_status"]))
3055
"disabling client {} - Client last"
3056
" checker failed with error code"
3057
" {}".format(
3058
client_name,
3059
client["last_checker_status"]))
2620
3060
client["enabled"] = False
2621
3061
else:
2622
client["expires"] = (datetime.datetime
2623
.utcnow()
2624
+ client["timeout"])
3062
client["expires"] = (
3063
datetime.datetime.utcnow()
3064
+ client["timeout"])
2625
3065
logger.debug("Last checker succeeded,"
2626
" keeping {0} enabled"
2627
.format(client_name))
3066
" keeping {} enabled".format(
3067
client_name))
2628
3068
try:
2629
client["secret"] = (
2630
pgp.decrypt(client["encrypted_secret"],
2631
client_settings[client_name]
2632
["secret"]))
3069
client["secret"] = pgp.decrypt(
3070
client["encrypted_secret"],
3071
client_settings[client_name]["secret"])
2633
3072
except PGPError:
2634
3073
# If decryption fails, we use secret from new settings
2635
logger.debug("Failed to decrypt {0} old secret"
2636
.format(client_name))
2637
client["secret"] = (
2638
client_settings[client_name]["secret"])
3074
logger.debug("Failed to decrypt {} old secret".format(
3075
client_name))
3076
client["secret"] = (client_settings[client_name]
3077
["secret"])
2639
3078
2640
3079
# Add/remove clients based on new changes made to config
2641
3080
for client_name in (set(old_client_settings)
2646
3085
clients_data[client_name] = client_settings[client_name]
2647
3086
2648
3087
# Create all client objects
2649
for client_name, client in clients_data.iteritems():
3088
for client_name, client in clients_data.items():
2650
3089
tcp_server.clients[client_name] = client_class(
2651
name = client_name, settings = client,
3090
name = client_name,
3091
settings = client,
2652
3092
server_settings = server_settings)
2653
3093
2654
3094
if not tcp_server.clients:
2656
3096
2657
3097
if not foreground:
2658
3098
if pidfile is not None:
3099
pid = os.getpid()
2659
3100
try:
2660
3101
with pidfile:
2661
pid = os.getpid()
2662
pidfile.write(str(pid) + "\n".encode("utf-8"))
3102
print(pid, file=pidfile)
2663
3103
except IOError:
2664
3104
logger.error("Could not write to file %r with PID %d",
2665
3105
pidfilename, pid)
2670
3110
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2671
3111
2672
3112
if use_dbus:
2673
@alternate_dbus_interfaces({"se.recompile.Mandos":
2674
"se.bsnet.fukt.Mandos"})
2675
class MandosDBusService(DBusObjectWithProperties):
3113
3114
@alternate_dbus_interfaces(
3115
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3116
class MandosDBusService(DBusObjectWithObjectManager):
2676
3117
"""A D-Bus proxy object"""
3118
2677
3119
def __init__(self):
2678
3120
dbus.service.Object.__init__(self, bus, "/")
3121
2679
3122
_interface = "se.recompile.Mandos"
2680
3123
2681
@dbus_interface_annotations(_interface)
2682
def _foo(self):
2683
return { "org.freedesktop.DBus.Property"
2684
".EmitsChangedSignal":
2685
"false"}
2686
2687
3124
@dbus.service.signal(_interface, signature="o")
2688
3125
def ClientAdded(self, objpath):
2689
3126
"D-Bus signal"
2694
3131
"D-Bus signal"
2695
3132
pass
2696
3133
3134
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3135
"true"})
2697
3136
@dbus.service.signal(_interface, signature="os")
2698
3137
def ClientRemoved(self, objpath, name):
2699
3138
"D-Bus signal"
2700
3139
pass
2701
3140
3141
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3142
"true"})
2702
3143
@dbus.service.method(_interface, out_signature="ao")
2703
3144
def GetAllClients(self):
2704
3145
"D-Bus method"
2705
return dbus.Array(c.dbus_object_path
2706
for c in
3146
return dbus.Array(c.dbus_object_path for c in
2707
3147
tcp_server.clients.itervalues())
2708
3148
3149
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3150
"true"})
2709
3151
@dbus.service.method(_interface,
2710
3152
out_signature="a{oa{sv}}")
2711
3153
def GetAllClientsWithProperties(self):
2712
3154
"D-Bus method"
2713
3155
return dbus.Dictionary(
2714
((c.dbus_object_path, c.GetAll(""))
2715
for c in tcp_server.clients.itervalues()),
3156
{ c.dbus_object_path: c.GetAll(
3157
"se.recompile.Mandos.Client")
3158
for c in tcp_server.clients.itervalues() },
2716
3159
signature="oa{sv}")
2717
3160
2718
3161
@dbus.service.method(_interface, in_signature="o")
2722
3165
if c.dbus_object_path == object_path:
2723
3166
del tcp_server.clients[c.name]
2724
3167
c.remove_from_connection()
2725
# Don't signal anything except ClientRemoved
3168
# Don't signal the disabling
2726
3169
c.disable(quiet=True)
2727
# Emit D-Bus signal
2728
self.ClientRemoved(object_path, c.name)
3170
# Emit D-Bus signal for removal
3171
self.client_removed_signal(c)
2729
3172
return
2730
3173
raise KeyError(object_path)
2731
3174
2732
3175
del _interface
3176
3177
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3178
out_signature = "a{oa{sa{sv}}}")
3179
def GetManagedObjects(self):
3180
"""D-Bus method"""
3181
return dbus.Dictionary(
3182
{ client.dbus_object_path:
3183
dbus.Dictionary(
3184
{ interface: client.GetAll(interface)
3185
for interface in
3186
client._get_all_interface_names()})
3187
for client in tcp_server.clients.values()})
3188
3189
def client_added_signal(self, client):
3190
"""Send the new standard signal and the old signal"""
3191
if use_dbus:
3192
# New standard signal
3193
self.InterfacesAdded(
3194
client.dbus_object_path,
3195
dbus.Dictionary(
3196
{ interface: client.GetAll(interface)
3197
for interface in
3198
client._get_all_interface_names()}))
3199
# Old signal
3200
self.ClientAdded(client.dbus_object_path)
3201
3202
def client_removed_signal(self, client):
3203
"""Send the new standard signal and the old signal"""
3204
if use_dbus:
3205
# New standard signal
3206
self.InterfacesRemoved(
3207
client.dbus_object_path,
3208
client._get_all_interface_names())
3209
# Old signal
3210
self.ClientRemoved(client.dbus_object_path,
3211
client.name)
2733
3212
2734
3213
mandos_dbus_service = MandosDBusService()
2735
3214
2736
3215
def cleanup():
2737
3216
"Cleanup function; run on exit"
2738
service.cleanup()
3217
if zeroconf:
3218
service.cleanup()
2739
3219
2740
3220
multiprocessing.active_children()
2741
3221
wnull.close()
2755
3235
2756
3236
# A list of attributes that can not be pickled
2757
3237
# + secret.
2758
exclude = set(("bus", "changedstate", "secret",
2759
"checker", "server_settings"))
2760
for name, typ in (inspect.getmembers
2761
(dbus.service.Object)):
3238
exclude = { "bus", "changedstate", "secret",
3239
"checker", "server_settings" }
3240
for name, typ in inspect.getmembers(dbus.service
3241
.Object):
2762
3242
exclude.add(name)
2763
3243
2764
3244
client_dict["encrypted_secret"] = (client
2771
3251
del client_settings[client.name]["secret"]
2772
3252
2773
3253
try:
2774
with (tempfile.NamedTemporaryFile
2775
(mode='wb', suffix=".pickle", prefix='clients-',
2776
dir=os.path.dirname(stored_state_path),
2777
delete=False)) as stored_state:
3254
with tempfile.NamedTemporaryFile(
3255
mode='wb',
3256
suffix=".pickle",
3257
prefix='clients-',
3258
dir=os.path.dirname(stored_state_path),
3259
delete=False) as stored_state:
2778
3260
pickle.dump((clients, client_settings), stored_state)
2779
tempname=stored_state.name
3261
tempname = stored_state.name
2780
3262
os.rename(tempname, stored_state_path)
2781
3263
except (IOError, OSError) as e:
2782
3264
if not debug:
2785
3267
except NameError:
2786
3268
pass
2787
3269
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2788
logger.warning("Could not save persistent state: {0}"
3270
logger.warning("Could not save persistent state: {}"
2789
3271
.format(os.strerror(e.errno)))
2790
3272
else:
2791
3273
logger.warning("Could not save persistent state:",
2792
3274
exc_info=e)
2793
raise e
3275
raise
2794
3276
2795
3277
# Delete all clients, and settings from config
2796
3278
while tcp_server.clients:
2797
3279
name, client = tcp_server.clients.popitem()
2798
3280
if use_dbus:
2799
3281
client.remove_from_connection()
2800
# Don't signal anything except ClientRemoved
3282
# Don't signal the disabling
2801
3283
client.disable(quiet=True)
3284
# Emit D-Bus signal for removal
2802
3285
if use_dbus:
2803
# Emit D-Bus signal
2804
mandos_dbus_service.ClientRemoved(client
2805
.dbus_object_path,
2806
client.name)
3286
mandos_dbus_service.client_removed_signal(client)
2807
3287
client_settings.clear()
2808
3288
2809
3289
atexit.register(cleanup)
2810
3290
2811
3291
for client in tcp_server.clients.itervalues():
2812
3292
if use_dbus:
2813
# Emit D-Bus signal
2814
mandos_dbus_service.ClientAdded(client.dbus_object_path)
3293
# Emit D-Bus signal for adding
3294
mandos_dbus_service.client_added_signal(client)
2815
3295
# Need to initiate checking of clients
2816
3296
if client.enabled:
2817
3297
client.init_checker()
2820
3300
tcp_server.server_activate()
2821
3301
2822
3302
# Find out what port we got
2823
service.port = tcp_server.socket.getsockname()[1]
3303
if zeroconf:
3304
service.port = tcp_server.socket.getsockname()[1]
2824
3305
if use_ipv6:
2825
3306
logger.info("Now listening on address %r, port %d,"
2826
3307
" flowinfo %d, scope_id %d",
2832
3313
#service.interface = tcp_server.socket.getsockname()[3]
2833
3314
2834
3315
try:
2835
# From the Avahi example code
2836
try:
2837
service.activate()
2838
except dbus.exceptions.DBusException as error:
2839
logger.critical("D-Bus Exception", exc_info=error)
2840
cleanup()
2841
sys.exit(1)
2842
# End of Avahi example code
3316
if zeroconf:
3317
# From the Avahi example code
3318
try:
3319
service.activate()
3320
except dbus.exceptions.DBusException as error:
3321
logger.critical("D-Bus Exception", exc_info=error)
3322
cleanup()
3323
sys.exit(1)
3324
# End of Avahi example code
2843
3325
2844
3326
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2845
3327
lambda *args, **kwargs:
2860
3342
# Must run before the D-Bus bus name gets deregistered
2861
3343
cleanup()
2862
3344
3345
2863
3346
if __name__ == '__main__':
2864
3347
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0