/mandos/release : revision 237.7.47

11

# "AvahiService" class, and some lines in "main".

12

#

13

# Everything else is

14

15

14

15

16

#

17

# This program is free software: you can redistribute it and/or modify

18

# it under the terms of the GNU General Public License as published by

31

# Contact the authors at <mandos@fukt.bsnet.se>.

32

#

33

34

from __future__ import division, with_statement, absolute_import

34

from __future__ import (division, absolute_import, print_function,

35

unicode_literals)

35

36

37

import SocketServer as socketserver

37

38

import socket

38

import optparse

39

import argparse

39

40

import datetime

40

41

import errno

41

42

import gnutls.crypto

55

56

import logging

56

57

import logging.handlers

57

58

import pwd

58

from contextlib import closing

59

import contextlib

59

60

import struct

60

61

import fcntl

61

62

import functools

63

import cPickle as pickle

64

import multiprocessing

62

65

63

66

import dbus

64

67

import dbus.service

67

70

from dbus.mainloop.glib import DBusGMainLoop

68

71

import ctypes

69

72

import ctypes.util

73

import xml.dom.minidom

74

import inspect

70

75

71

76

try:

72

77

SO_BINDTODEVICE = socket.SO_BINDTODEVICE

77

82

SO_BINDTODEVICE = None

78

83

79

84

80

version = "1.0.11"

85

version = "1.3.1"

81

86

82

logger = logging.Logger(u'mandos')

87

#logger = logging.getLogger('mandos')

88

logger = logging.Logger('mandos')

83

89

syslogger = (logging.handlers.SysLogHandler

84

90

(facility = logging.handlers.SysLogHandler.LOG_DAEMON,

85

address = "/dev/log"))

91

address = str("/dev/log")))

86

92

syslogger.setFormatter(logging.Formatter

87

(u'Mandos [%(process)d]: %(levelname)s:'

88

u' %(message)s'))

93

('Mandos [%(process)d]: %(levelname)s:'

94

' %(message)s'))

89

95

logger.addHandler(syslogger)

90

96

91

97

console = logging.StreamHandler()

92

console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'

93

u' %(levelname)s:'

94

u' %(message)s'))

98

console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'

99

' %(levelname)s:'

100

' %(message)s'))

95

101

logger.addHandler(console)

96

102

97

103

class AvahiError(Exception):

114

120

Attributes:

115

121

interface: integer; avahi.IF_UNSPEC or an interface index.

116

122

Used to optionally bind to the specified interface.

117

118

type: string; Example: u'_mandos._tcp'.

123

124

type: string; Example: '_mandos._tcp'.

119

125

See <http://www.dns-sd.org/ServiceTypes.html>

120

126

port: integer; what port to announce

121

127

TXT: list of strings; TXT record for the service

130

136

"""

131

137

def __init__(self, interface = avahi.IF_UNSPEC, name = None,

132

138

servicetype = None, port = None, TXT = None,

133

domain = u"", host = u"", max_renames = 32768,

139

domain = "", host = "", max_renames = 32768,

134

140

protocol = avahi.PROTO_UNSPEC, bus = None):

135

141

self.interface = interface

136

142

self.name = name

145

151

self.group = None # our entry group

146

152

self.server = None

147

153

self.bus = bus

154

self.entry_group_state_changed_match = None

148

155

def rename(self):

149

156

"""Derived from the Avahi example code"""

150

157

if self.rename_count >= self.max_renames:

151

logger.critical(u"No suitable Zeroconf service name found"

152

u" after %i retries, exiting.",

158

logger.critical("No suitable Zeroconf service name found"

159

" after %i retries, exiting.",

153

160

self.rename_count)

154

raise AvahiServiceError(u"Too many renames")

155

self.name = self.server.GetAlternativeServiceName(self.name)

156

logger.info(u"Changing Zeroconf service name to %r ...",

157

unicode(self.name))

161

raise AvahiServiceError("Too many renames")

162

self.name = unicode(self.server.GetAlternativeServiceName(self.name))

163

logger.info("Changing Zeroconf service name to %r ...",

164

self.name)

158

165

syslogger.setFormatter(logging.Formatter

159

(u'Mandos (%s) [%%(process)d]:'

160

u' %%(levelname)s: %%(message)s'

166

('Mandos (%s) [%%(process)d]:'

167

' %%(levelname)s: %%(message)s'

161

168

% self.name))

162

169

self.remove()

163

self.add()

170

try:

171

self.add()

172

except dbus.exceptions.DBusException as error:

173

logger.critical("DBusException: %s", error)

174

self.cleanup()

175

os._exit(1)

164

176

self.rename_count += 1

165

177

def remove(self):

166

178

"""Derived from the Avahi example code"""

179

if self.entry_group_state_changed_match is not None:

180

self.entry_group_state_changed_match.remove()

181

self.entry_group_state_changed_match = None

167

182

if self.group is not None:

168

183

self.group.Reset()

169

184

def add(self):

170

185

"""Derived from the Avahi example code"""

186

self.remove()

171

187

if self.group is None:

172

188

self.group = dbus.Interface(

173

189

self.bus.get_object(avahi.DBUS_NAME,

174

190

self.server.EntryGroupNew()),

175

191

avahi.DBUS_INTERFACE_ENTRY_GROUP)

176

self.group.connect_to_signal('StateChanged',

177

self.entry_group_state_changed)

178

logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",

192

self.entry_group_state_changed_match = (

193

self.group.connect_to_signal(

194

'StateChanged', self .entry_group_state_changed))

195

logger.debug("Adding Zeroconf service '%s' of type '%s' ...",

179

196

self.name, self.type)

180

197

self.group.AddService(

181

198

self.interface,

188

205

self.group.Commit()

189

206

def entry_group_state_changed(self, state, error):

190

207

"""Derived from the Avahi example code"""

191

logger.debug(u"Avahi state change: %i", state)

208

logger.debug("Avahi entry group state change: %i", state)

192

209

193

210

if state == avahi.ENTRY_GROUP_ESTABLISHED:

194

logger.debug(u"Zeroconf service established.")

211

logger.debug("Zeroconf service established.")

195

212

elif state == avahi.ENTRY_GROUP_COLLISION:

196

logger.warning(u"Zeroconf service name collision.")

213

logger.info("Zeroconf service name collision.")

197

214

self.rename()

198

215

elif state == avahi.ENTRY_GROUP_FAILURE:

199

logger.critical(u"Avahi: Error in group state changed %s",

216

logger.critical("Avahi: Error in group state changed %s",

200

217

unicode(error))

201

raise AvahiGroupError(u"State changed: %s"

218

raise AvahiGroupError("State changed: %s"

202

219

% unicode(error))

203

220

def cleanup(self):

204

221

"""Derived from the Avahi example code"""

205

222

if self.group is not None:

206

self.group.Free()

223

try:

224

self.group.Free()

225

except (dbus.exceptions.UnknownMethodException,

226

dbus.exceptions.DBusException) as e:

227

pass

207

228

self.group = None

208

def server_state_changed(self, state):

229

self.remove()

230

def server_state_changed(self, state, error=None):

209

231

"""Derived from the Avahi example code"""

210

if state == avahi.SERVER_COLLISION:

211

logger.error(u"Zeroconf server name collision")

212

self.remove()

232

logger.debug("Avahi server state change: %i", state)

233

bad_states = { avahi.SERVER_INVALID:

234

"Zeroconf server invalid",

235

avahi.SERVER_REGISTERING: None,

236

avahi.SERVER_COLLISION:

237

"Zeroconf server name collision",

238

avahi.SERVER_FAILURE:

239

"Zeroconf server failure" }

240

if state in bad_states:

241

if bad_states[state] is not None:

242

if error is None:

243

logger.error(bad_states[state])

244

else:

245

logger.error(bad_states[state] + ": %r", error)

246

self.cleanup()

213

247

elif state == avahi.SERVER_RUNNING:

214

248

self.add()

249

else:

250

if error is None:

251

logger.debug("Unknown state: %r", state)

252

else:

253

logger.debug("Unknown state: %r: %r", state, error)

215

254

def activate(self):

216

255

"""Derived from the Avahi example code"""

217

256

if self.server is None:

218

257

self.server = dbus.Interface(

219

258

self.bus.get_object(avahi.DBUS_NAME,

220

avahi.DBUS_PATH_SERVER),

259

avahi.DBUS_PATH_SERVER,

260

follow_name_owner_changes=True),

221

261

avahi.DBUS_INTERFACE_SERVER)

222

self.server.connect_to_signal(u"StateChanged",

262

self.server.connect_to_signal("StateChanged",

223

263

self.server_state_changed)

224

264

self.server_state_changed(self.server.GetState())

225

265

228

268

"""A representation of a client host served by this server.

229

269

230

270

Attributes:

231

232

D-Bus identifiers

233

fingerprint: string (40 or 32 hexadecimal digits); used to

234

uniquely identify the client

235

secret: bytestring; sent verbatim (over TLS) to client

236

host: string; available for use by the checker command

237

created: datetime.datetime(); (UTC) object creation

238

last_enabled: datetime.datetime(); (UTC)

239

enabled: bool()

240

last_checked_ok: datetime.datetime(); (UTC) or None

241

timeout: datetime.timedelta(); How long from last_checked_ok

242

until this client is invalid

243

interval: datetime.timedelta(); How often to start a new checker

244

disable_hook: If set, called by disable() as disable_hook(self)

271

_approved: bool(); 'None' if not yet approved/disapproved

272

approval_delay: datetime.timedelta(); Time to wait for approval

273

approval_duration: datetime.timedelta(); Duration of one approval

245

274

checker: subprocess.Popen(); a running checker process used

246

275

to see if the client lives.

247

276

'None' if no process is running.

248

checker_initiator_tag: a gobject event source tag, or None

249

disable_initiator_tag: - '' -

250

checker_callback_tag: - '' -

251

checker_command: string; External command which is run to check if

252

client lives. %() expansions are done at

277

checker_callback_tag: a gobject event source tag, or None

278

checker_command: string; External command which is run to check

279

if client lives. %() expansions are done at

253

280

runtime with vars(self) as dict, so that for

254

281

instance %(name)s can be used in the command.

282

checker_initiator_tag: a gobject event source tag, or None

283

created: datetime.datetime(); (UTC) object creation

255

284

current_checker_command: string; current running checker_command

285

disable_hook: If set, called by disable() as disable_hook(self)

286

disable_initiator_tag: a gobject event source tag, or None

287

enabled: bool()

288

fingerprint: string (40 or 32 hexadecimal digits); used to

289

uniquely identify the client

290

host: string; available for use by the checker command

291

interval: datetime.timedelta(); How often to start a new checker

292

last_approval_request: datetime.datetime(); (UTC) or None

293

last_checked_ok: datetime.datetime(); (UTC) or None

294

last_enabled: datetime.datetime(); (UTC)

295

296

D-Bus identifiers

297

secret: bytestring; sent verbatim (over TLS) to client

298

timeout: datetime.timedelta(); How long from last_checked_ok

299

until this client is disabled

300

extended_timeout: extra long timeout when password has been sent

301

runtime_expansions: Allowed attributes for runtime expansion.

302

expires: datetime.datetime(); time (UTC) when a client will be

303

disabled, or None

256

304

"""

257

305

306

runtime_expansions = ("approval_delay", "approval_duration",

307

"created", "enabled", "fingerprint",

308

"host", "interval", "last_checked_ok",

309

"last_enabled", "name", "timeout")

310

258

311

@staticmethod

259

def _datetime_to_milliseconds(dt):

260

"Convert a datetime.datetime() to milliseconds"

261

return ((dt.days * 24 * 60 * 60 * 1000)

262

+ (dt.seconds * 1000)

263

+ (dt.microseconds // 1000))

312

def _timedelta_to_milliseconds(td):

313

"Convert a datetime.timedelta() to milliseconds"

314

return ((td.days * 24 * 60 * 60 * 1000)

315

+ (td.seconds * 1000)

316

+ (td.microseconds // 1000))

264

317

265

318

def timeout_milliseconds(self):

266

319

"Return the 'timeout' attribute in milliseconds"

267

return self._datetime_to_milliseconds(self.timeout)

320

return self._timedelta_to_milliseconds(self.timeout)

321

322

def extended_timeout_milliseconds(self):

323

"Return the 'extended_timeout' attribute in milliseconds"

324

return self._timedelta_to_milliseconds(self.extended_timeout)

268

325

269

326

def interval_milliseconds(self):

270

327

"Return the 'interval' attribute in milliseconds"

271

return self._datetime_to_milliseconds(self.interval)

328

return self._timedelta_to_milliseconds(self.interval)

329

330

def approval_delay_milliseconds(self):

331

return self._timedelta_to_milliseconds(self.approval_delay)

272

332

273

333

def __init__(self, name = None, disable_hook=None, config=None):

274

334

"""Note: the 'checker' key in 'config' sets the

277

337

self.name = name

278

338

if config is None:

279

339

config = {}

280

logger.debug(u"Creating client %r", self.name)

340

logger.debug("Creating client %r", self.name)

281

341

# Uppercase and remove spaces from fingerprint for later

282

342

# comparison purposes with return value from the fingerprint()

283

343

# function

284

self.fingerprint = (config[u"fingerprint"].upper()

285

.replace(u" ", u""))

286

logger.debug(u" Fingerprint: %s", self.fingerprint)

287

if u"secret" in config:

288

self.secret = config[u"secret"].decode(u"base64")

289

elif u"secfile" in config:

290

with closing(open(os.path.expanduser

291

(os.path.expandvars

292

(config[u"secfile"])))) as secfile:

344

self.fingerprint = (config["fingerprint"].upper()

345

.replace(" ", ""))

346

logger.debug(" Fingerprint: %s", self.fingerprint)

347

if "secret" in config:

348

self.secret = config["secret"].decode("base64")

349

elif "secfile" in config:

350

with open(os.path.expanduser(os.path.expandvars

351

(config["secfile"])),

352

"rb") as secfile:

293

353

self.secret = secfile.read()

294

354

else:

295

raise TypeError(u"No secret or secfile for client %s"

355

raise TypeError("No secret or secfile for client %s"

296

356

% self.name)

297

self.host = config.get(u"host", u"")

357

self.host = config.get("host", "")

298

358

self.created = datetime.datetime.utcnow()

299

359

self.enabled = False

360

self.last_approval_request = None

300

361

self.last_enabled = None

301

362

self.last_checked_ok = None

302

self.timeout = string_to_delta(config[u"timeout"])

303

self.interval = string_to_delta(config[u"interval"])

363

self.timeout = string_to_delta(config["timeout"])

364

self.extended_timeout = string_to_delta(config["extended_timeout"])

365

self.interval = string_to_delta(config["interval"])

304

366

self.disable_hook = disable_hook

305

367

self.checker = None

306

368

self.checker_initiator_tag = None

307

369

self.disable_initiator_tag = None

370

self.expires = None

308

371

self.checker_callback_tag = None

309

self.checker_command = config[u"checker"]

372

self.checker_command = config["checker"]

310

373

self.current_checker_command = None

311

374

self.last_connect = None

375

self._approved = None

376

self.approved_by_default = config.get("approved_by_default",

377

True)

378

self.approvals_pending = 0

379

self.approval_delay = string_to_delta(

380

config["approval_delay"])

381

self.approval_duration = string_to_delta(

382

config["approval_duration"])

383

self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())

312

384

385

def send_changedstate(self):

386

self.changedstate.acquire()

387

self.changedstate.notify_all()

388

self.changedstate.release()

389

313

390

def enable(self):

314

391

"""Start this client's checker and timeout hooks"""

315

if getattr(self, u"enabled", False):

392

if getattr(self, "enabled", False):

316

393

# Already enabled

317

394

return

395

self.send_changedstate()

318

396

self.last_enabled = datetime.datetime.utcnow()

319

397

# Schedule a new checker to be started an 'interval' from now,

320

398

# and every interval from then on.

321

399

self.checker_initiator_tag = (gobject.timeout_add

322

400

(self.interval_milliseconds(),

323

401

self.start_checker))

324

# Also start a new checker *right now*.

325

self.start_checker()

326

402

# Schedule a disable() when 'timeout' has passed

403

self.expires = datetime.datetime.utcnow() + self.timeout

327

404

self.disable_initiator_tag = (gobject.timeout_add

328

405

(self.timeout_milliseconds(),

329

406

self.disable))

330

407

self.enabled = True

408

# Also start a new checker *right now*.

409

self.start_checker()

331

410

332

def disable(self):

411

def disable(self, quiet=True):

333

412

"""Disable this client."""

334

413

if not getattr(self, "enabled", False):

335

414

return False

336

logger.info(u"Disabling client %s", self.name)

337

if getattr(self, u"disable_initiator_tag", False):

415

if not quiet:

416

self.send_changedstate()

417

if not quiet:

418

logger.info("Disabling client %s", self.name)

419

if getattr(self, "disable_initiator_tag", False):

338

420

gobject.source_remove(self.disable_initiator_tag)

339

421

self.disable_initiator_tag = None

340

if getattr(self, u"checker_initiator_tag", False):

422

self.expires = None

423

if getattr(self, "checker_initiator_tag", False):

341

424

gobject.source_remove(self.checker_initiator_tag)

342

425

self.checker_initiator_tag = None

343

426

self.stop_checker()

358

441

if os.WIFEXITED(condition):

359

442

exitstatus = os.WEXITSTATUS(condition)

360

443

if exitstatus == 0:

361

logger.info(u"Checker for %(name)s succeeded",

444

logger.info("Checker for %(name)s succeeded",

362

445

vars(self))

363

446

self.checked_ok()

364

447

else:

365

logger.info(u"Checker for %(name)s failed",

448

logger.info("Checker for %(name)s failed",

366

449

vars(self))

367

450

else:

368

logger.warning(u"Checker for %(name)s crashed?",

451

logger.warning("Checker for %(name)s crashed?",

369

452

vars(self))

370

453

371

def checked_ok(self):

454

def checked_ok(self, timeout=None):

372

455

"""Bump up the timeout for this client.

373

456

374

457

This should only be called when the client has been seen,

375

458

alive and well.

376

459

"""

460

if timeout is None:

461

timeout = self.timeout

377

462

self.last_checked_ok = datetime.datetime.utcnow()

378

463

gobject.source_remove(self.disable_initiator_tag)

464

self.expires = datetime.datetime.utcnow() + timeout

379

465

self.disable_initiator_tag = (gobject.timeout_add

380

(self.timeout_milliseconds(),

466

(self._timedelta_to_milliseconds(timeout),

381

467

self.disable))

382

468

469

def need_approval(self):

470

self.last_approval_request = datetime.datetime.utcnow()

471

383

472

def start_checker(self):

384

473

"""Start a new checker subprocess if one is not running.

385

474

391

480

# client would inevitably timeout, since no checker would get

392

481

# a chance to run to completion. If we instead leave running

393

482

# checkers alone, the checker would have to take more time

394

# than 'timeout' for the client to be declared invalid, which

395

# is as it should be.

483

# than 'timeout' for the client to be disabled, which is as it

484

# should be.

396

485

397

486

# If a checker exists, make sure it is not a zombie

398

if self.checker is not None:

487

try:

399

488

pid, status = os.waitpid(self.checker.pid, os.WNOHANG)

489

except (AttributeError, OSError) as error:

490

if (isinstance(error, OSError)

491

and error.errno != errno.ECHILD):

492

raise error

493

else:

400

494

if pid:

401

logger.warning(u"Checker was a zombie")

495

logger.warning("Checker was a zombie")

402

496

gobject.source_remove(self.checker_callback_tag)

403

497

self.checker_callback(pid, status,

404

498

self.current_checker_command)

409

503

command = self.checker_command % self.host

410

504

except TypeError:

411

505

# Escape attributes for the shell

412

escaped_attrs = dict((key,

413

re.escape(unicode(str(val),

414

errors=

415

u'replace')))

416

for key, val in

417

vars(self).iteritems())

506

escaped_attrs = dict(

507

(attr,

508

re.escape(unicode(str(getattr(self, attr, "")),

509

errors=

510

'replace')))

511

for attr in

512

self.runtime_expansions)

513

418

514

try:

419

515

command = self.checker_command % escaped_attrs

420

except TypeError, error:

421

logger.error(u'Could not format string "%s":'

422

u' %s', self.checker_command, error)

516

except TypeError as error:

517

logger.error('Could not format string "%s":'

518

' %s', self.checker_command, error)

423

519

return True # Try again later

424

520

self.current_checker_command = command

425

521

try:

426

logger.info(u"Starting checker %r for %s",

522

logger.info("Starting checker %r for %s",

427

523

command, self.name)

428

524

# We don't need to redirect stdout and stderr, since

429

525

# in normal mode, that is already done by daemon(),

431

527

# always replaced by /dev/null.)

432

528

self.checker = subprocess.Popen(command,

433

529

close_fds=True,

434

shell=True, cwd=u"/")

530

shell=True, cwd="/")

435

531

self.checker_callback_tag = (gobject.child_watch_add

436

532

(self.checker.pid,

437

533

self.checker_callback,

442

538

if pid:

443

539

gobject.source_remove(self.checker_callback_tag)

444

540

self.checker_callback(pid, status, command)

445

except OSError, error:

446

logger.error(u"Failed to start subprocess: %s",

541

except OSError as error:

542

logger.error("Failed to start subprocess: %s",

447

543

error)

448

544

# Re-run this periodically if run by gobject.timeout_add

449

545

return True

453

549

if self.checker_callback_tag:

454

550

gobject.source_remove(self.checker_callback_tag)

455

551

self.checker_callback_tag = None

456

if getattr(self, u"checker", None) is None:

552

if getattr(self, "checker", None) is None:

457

553

return

458

logger.debug(u"Stopping checker for %(name)s", vars(self))

554

logger.debug("Stopping checker for %(name)s", vars(self))

459

555

try:

460

556

os.kill(self.checker.pid, signal.SIGTERM)

461

#os.sleep(0.5)

557

#time.sleep(0.5)

462

558

#if self.checker.poll() is None:

463

559

# os.kill(self.checker.pid, signal.SIGKILL)

464

except OSError, error:

560

except OSError as error:

465

561

if error.errno != errno.ESRCH: # No such process

466

562

raise

467

563

self.checker = None

468

469

def still_valid(self):

470

"""Has the timeout not yet passed for this client?"""

471

if not getattr(self, u"enabled", False):

472

return False

473

now = datetime.datetime.utcnow()

474

if self.last_checked_ok is None:

475

return now < (self.created + self.timeout)

476

else:

477

return now < (self.last_checked_ok + self.timeout)

478

479

480

class ClientDBus(Client, dbus.service.Object):

564

565

def dbus_service_property(dbus_interface, signature="v",

566

access="readwrite", byte_arrays=False):

567

"""Decorators for marking methods of a DBusObjectWithProperties to

568

become properties on the D-Bus.

569

570

The decorated method will be called with no arguments by "Get"

571

and with one argument by "Set".

572

573

The parameters, where they are supported, are the same as

574

dbus.service.method, except there is only "signature", since the

575

type from Get() and the type sent to Set() is the same.

576

"""

577

# Encoding deeply encoded byte arrays is not supported yet by the

578

# "Set" method, so we fail early here:

579

if byte_arrays and signature != "ay":

580

raise ValueError("Byte arrays not supported for non-'ay'"

581

" signature %r" % signature)

582

def decorator(func):

583

func._dbus_is_property = True

584

func._dbus_interface = dbus_interface

585

func._dbus_signature = signature

586

func._dbus_access = access

587

func._dbus_name = func.__name__

588

if func._dbus_name.endswith("_dbus_property"):

589

func._dbus_name = func._dbus_name[:-14]

590

func._dbus_get_args_options = {'byte_arrays': byte_arrays }

591

return func

592

return decorator

593

594

595

class DBusPropertyException(dbus.exceptions.DBusException):

596

"""A base class for D-Bus property-related exceptions

597

"""

598

def __unicode__(self):

599

return unicode(str(self))

600

601

602

class DBusPropertyAccessException(DBusPropertyException):

603

"""A property's access permissions disallows an operation.

604

"""

605

pass

606

607

608

class DBusPropertyNotFound(DBusPropertyException):

609

"""An attempt was made to access a non-existing property.

610

"""

611

pass

612

613

614

class DBusObjectWithProperties(dbus.service.Object):

615

"""A D-Bus object with properties.

616

617

Classes inheriting from this can use the dbus_service_property

618

decorator to expose methods as D-Bus properties. It exposes the

619

standard Get(), Set(), and GetAll() methods on the D-Bus.

620

"""

621

622

@staticmethod

623

def _is_dbus_property(obj):

624

return getattr(obj, "_dbus_is_property", False)

625

626

def _get_all_dbus_properties(self):

627

"""Returns a generator of (name, attribute) pairs

628

"""

629

return ((prop._dbus_name, prop)

630

for name, prop in

631

inspect.getmembers(self, self._is_dbus_property))

632

633

def _get_dbus_property(self, interface_name, property_name):

634

"""Returns a bound method if one exists which is a D-Bus

635

property with the specified name and interface.

636

"""

637

for name in (property_name,

638

property_name + "_dbus_property"):

639

prop = getattr(self, name, None)

640

if (prop is None

641

or not self._is_dbus_property(prop)

642

or prop._dbus_name != property_name

643

or (interface_name and prop._dbus_interface

644

and interface_name != prop._dbus_interface)):

645

continue

646

return prop

647

# No such property

648

raise DBusPropertyNotFound(self.dbus_object_path + ":"

649

+ interface_name + "."

650

+ property_name)

651

652

@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",

653

out_signature="v")

654

def Get(self, interface_name, property_name):

655

"""Standard D-Bus property Get() method, see D-Bus standard.

656

"""

657

prop = self._get_dbus_property(interface_name, property_name)

658

if prop._dbus_access == "write":

659

raise DBusPropertyAccessException(property_name)

660

value = prop()

661

if not hasattr(value, "variant_level"):

662

return value

663

return type(value)(value, variant_level=value.variant_level+1)

664

665

@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")

666

def Set(self, interface_name, property_name, value):

667

"""Standard D-Bus property Set() method, see D-Bus standard.

668

"""

669

prop = self._get_dbus_property(interface_name, property_name)

670

if prop._dbus_access == "read":

671

raise DBusPropertyAccessException(property_name)

672

if prop._dbus_get_args_options["byte_arrays"]:

673

# The byte_arrays option is not supported yet on

674

# signatures other than "ay".

675

if prop._dbus_signature != "ay":

676

raise ValueError

677

value = dbus.ByteArray(''.join(unichr(byte)

678

for byte in value))

679

prop(value)

680

681

@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",

682

out_signature="a{sv}")

683

def GetAll(self, interface_name):

684

"""Standard D-Bus property GetAll() method, see D-Bus

685

standard.

686

687

Note: Will not include properties with access="write".

688

"""

689

all = {}

690

for name, prop in self._get_all_dbus_properties():

691

if (interface_name

692

and interface_name != prop._dbus_interface):

693

# Interface non-empty but did not match

694

continue

695

# Ignore write-only properties

696

if prop._dbus_access == "write":

697

continue

698

value = prop()

699

if not hasattr(value, "variant_level"):

700

all[name] = value

701

continue

702

all[name] = type(value)(value, variant_level=

703

value.variant_level+1)

704

return dbus.Dictionary(all, signature="sv")

705

706

@dbus.service.method(dbus.INTROSPECTABLE_IFACE,

707

out_signature="s",

708

path_keyword='object_path',

709

connection_keyword='connection')

710

def Introspect(self, object_path, connection):

711

"""Standard D-Bus method, overloaded to insert property tags.

712

"""

713

xmlstring = dbus.service.Object.Introspect(self, object_path,

714

connection)

715

try:

716

document = xml.dom.minidom.parseString(xmlstring)

717

def make_tag(document, name, prop):

718

e = document.createElement("property")

719

e.setAttribute("name", name)

720

e.setAttribute("type", prop._dbus_signature)

721

e.setAttribute("access", prop._dbus_access)

722

return e

723

for if_tag in document.getElementsByTagName("interface"):

724

for tag in (make_tag(document, name, prop)

725

for name, prop

726

in self._get_all_dbus_properties()

727

if prop._dbus_interface

728

== if_tag.getAttribute("name")):

729

if_tag.appendChild(tag)

730

# Add the names to the return values for the

731

# "org.freedesktop.DBus.Properties" methods

732

if (if_tag.getAttribute("name")

733

== "org.freedesktop.DBus.Properties"):

734

for cn in if_tag.getElementsByTagName("method"):

735

if cn.getAttribute("name") == "Get":

736

for arg in cn.getElementsByTagName("arg"):

737

if (arg.getAttribute("direction")

738

== "out"):

739

arg.setAttribute("name", "value")

740

elif cn.getAttribute("name") == "GetAll":

741

for arg in cn.getElementsByTagName("arg"):

742

if (arg.getAttribute("direction")

743

== "out"):

744

arg.setAttribute("name", "props")

745

xmlstring = document.toxml("utf-8")

746

document.unlink()

747

except (AttributeError, xml.dom.DOMException,

748

xml.parsers.expat.ExpatError) as error:

749

logger.error("Failed to override Introspection method",

750

error)

751

return xmlstring

752

753

754

class ClientDBus(Client, DBusObjectWithProperties):

481

755

"""A Client class using D-Bus

482

756

483

757

Attributes:

484

758

dbus_object_path: dbus.ObjectPath

485

759

bus: dbus.SystemBus()

486

760

"""

761

762

runtime_expansions = (Client.runtime_expansions

763

+ ("dbus_object_path",))

764

487

765

# dbus.service.Object doesn't use super(), so we can't either.

488

766

489

767

def __init__(self, bus = None, *args, **kwargs):

768

self._approvals_pending = 0

490

769

self.bus = bus

491

770

Client.__init__(self, *args, **kwargs)

492

771

# Only now, when this client is initialized, can it show up on

493

772

# the D-Bus

773

client_object_name = unicode(self.name).translate(

774

{ord("."): ord("_"),

775

ord("-"): ord("_")})

494

776

self.dbus_object_path = (dbus.ObjectPath

495

(u"/clients/"

496

+ self.name.replace(u".", u"_")))

497

dbus.service.Object.__init__(self, self.bus,

498

self.dbus_object_path)

777

("/clients/" + client_object_name))

778

DBusObjectWithProperties.__init__(self, self.bus,

779

self.dbus_object_path)

780

def _set_expires(self, value):

781

old_value = getattr(self, "_expires", None)

782

self._expires = value

783

if hasattr(self, "dbus_object_path") and old_value != value:

784

dbus_time = (self._datetime_to_dbus(self._expires,

785

variant_level=1))

786

self.PropertyChanged(dbus.String("Expires"),

787

dbus_time)

788

expires = property(lambda self: self._expires, _set_expires)

789

del _set_expires

790

791

def _get_approvals_pending(self):

792

return self._approvals_pending

793

def _set_approvals_pending(self, value):

794

old_value = self._approvals_pending

795

self._approvals_pending = value

796

bval = bool(value)

797

if (hasattr(self, "dbus_object_path")

798

and bval is not bool(old_value)):

799

dbus_bool = dbus.Boolean(bval, variant_level=1)

800

self.PropertyChanged(dbus.String("ApprovalPending"),

801

dbus_bool)

802

803

approvals_pending = property(_get_approvals_pending,

804

_set_approvals_pending)

805

del _get_approvals_pending, _set_approvals_pending

499

806

500

807

@staticmethod

501

808

def _datetime_to_dbus(dt, variant_level=0):

502

809

"""Convert a UTC datetime.datetime() to a D-Bus type."""

810

if dt is None:

811

return dbus.String("", variant_level = variant_level)

503

812

return dbus.String(dt.isoformat(),

504

813

variant_level=variant_level)

505

814

506

815

def enable(self):

507

oldstate = getattr(self, u"enabled", False)

816

oldstate = getattr(self, "enabled", False)

508

817

r = Client.enable(self)

509

818

if oldstate != self.enabled:

510

819

# Emit D-Bus signals

511

self.PropertyChanged(dbus.String(u"enabled"),

820

self.PropertyChanged(dbus.String("Enabled"),

512

821

dbus.Boolean(True, variant_level=1))

513

822

self.PropertyChanged(

514

dbus.String(u"last_enabled"),

823

dbus.String("LastEnabled"),

515

824

self._datetime_to_dbus(self.last_enabled,

516

825

variant_level=1))

517

826

return r

518

827

519

def disable(self, signal = True):

520

oldstate = getattr(self, u"enabled", False)

521

r = Client.disable(self)

522

if signal and oldstate != self.enabled:

828

def disable(self, quiet = False):

829

oldstate = getattr(self, "enabled", False)

830

r = Client.disable(self, quiet=quiet)

831

if not quiet and oldstate != self.enabled:

523

832

# Emit D-Bus signal

524

self.PropertyChanged(dbus.String(u"enabled"),

833

self.PropertyChanged(dbus.String("Enabled"),

525

834

dbus.Boolean(False, variant_level=1))

526

835

return r

527

836

530

839

self.remove_from_connection()

531

840

except LookupError:

532

841

pass

533

if hasattr(dbus.service.Object, u"__del__"):

534

dbus.service.Object.__del__(self, *args, **kwargs)

842

if hasattr(DBusObjectWithProperties, "__del__"):

843

DBusObjectWithProperties.__del__(self, *args, **kwargs)

535

844

Client.__del__(self, *args, **kwargs)

536

845

537

846

def checker_callback(self, pid, condition, command,

539

848

self.checker_callback_tag = None

540

849

self.checker = None

541

850

# Emit D-Bus signal

542

self.PropertyChanged(dbus.String(u"checker_running"),

851

self.PropertyChanged(dbus.String("CheckerRunning"),

543

852

dbus.Boolean(False, variant_level=1))

544

853

if os.WIFEXITED(condition):

545

854

exitstatus = os.WEXITSTATUS(condition)

557

866

*args, **kwargs)

558

867

559

868

def checked_ok(self, *args, **kwargs):

560

r = Client.checked_ok(self, *args, **kwargs)

869

Client.checked_ok(self, *args, **kwargs)

561

870

# Emit D-Bus signal

562

871

self.PropertyChanged(

563

dbus.String(u"last_checked_ok"),

872

dbus.String("LastCheckedOK"),

564

873

(self._datetime_to_dbus(self.last_checked_ok,

565

874

variant_level=1)))

875

876

def need_approval(self, *args, **kwargs):

877

r = Client.need_approval(self, *args, **kwargs)

878

# Emit D-Bus signal

879

self.PropertyChanged(

880

dbus.String("LastApprovalRequest"),

881

(self._datetime_to_dbus(self.last_approval_request,

882

variant_level=1)))

566

883

return r

567

884

568

885

def start_checker(self, *args, **kwargs):

578

895

# Emit D-Bus signal

579

896

self.CheckerStarted(self.current_checker_command)

580

897

self.PropertyChanged(

581

dbus.String(u"checker_running"),

898

dbus.String("CheckerRunning"),

582

899

dbus.Boolean(True, variant_level=1))

583

900

return r

584

901

585

902

def stop_checker(self, *args, **kwargs):

586

old_checker = getattr(self, u"checker", None)

903

old_checker = getattr(self, "checker", None)

587

904

r = Client.stop_checker(self, *args, **kwargs)

588

905

if (old_checker is not None

589

and getattr(self, u"checker", None) is None):

590

self.PropertyChanged(dbus.String(u"checker_running"),

906

and getattr(self, "checker", None) is None):

907

self.PropertyChanged(dbus.String("CheckerRunning"),

591

908

dbus.Boolean(False, variant_level=1))

592

909

return r

593

594

## D-Bus methods & signals

595

_interface = u"se.bsnet.fukt.Mandos.Client"

596

597

# CheckedOK - method

598

@dbus.service.method(_interface)

599

def CheckedOK(self):

600

return self.checked_ok()

910

911

def _reset_approved(self):

912

self._approved = None

913

return False

914

915

def approve(self, value=True):

916

self.send_changedstate()

917

self._approved = value

918

gobject.timeout_add(self._timedelta_to_milliseconds

919

(self.approval_duration),

920

self._reset_approved)

921

922

923

## D-Bus methods, signals & properties

924

_interface = "se.bsnet.fukt.Mandos.Client"

925

926

## Signals

601

927

602

928

# CheckerCompleted - signal

603

@dbus.service.signal(_interface, signature=u"nxs")

929

@dbus.service.signal(_interface, signature="nxs")

604

930

def CheckerCompleted(self, exitcode, waitstatus, command):

605

931

"D-Bus signal"

606

932

pass

607

933

608

934

# CheckerStarted - signal

609

@dbus.service.signal(_interface, signature=u"s")

935

@dbus.service.signal(_interface, signature="s")

610

936

def CheckerStarted(self, command):

611

937

"D-Bus signal"

612

938

pass

613

939

614

# GetAllProperties - method

615

@dbus.service.method(_interface, out_signature=u"a{sv}")

616

def GetAllProperties(self):

617

"D-Bus method"

618

return dbus.Dictionary({

619

dbus.String(u"name"):

620

dbus.String(self.name, variant_level=1),

621

dbus.String(u"fingerprint"):

622

dbus.String(self.fingerprint, variant_level=1),

623

dbus.String(u"host"):

624

dbus.String(self.host, variant_level=1),

625

dbus.String(u"created"):

626

self._datetime_to_dbus(self.created,

627

variant_level=1),

628

dbus.String(u"last_enabled"):

629

(self._datetime_to_dbus(self.last_enabled,

630

variant_level=1)

631

if self.last_enabled is not None

632

else dbus.Boolean(False, variant_level=1)),

633

dbus.String(u"enabled"):

634

dbus.Boolean(self.enabled, variant_level=1),

635

dbus.String(u"last_checked_ok"):

636

(self._datetime_to_dbus(self.last_checked_ok,

637

variant_level=1)

638

if self.last_checked_ok is not None

639

else dbus.Boolean (False, variant_level=1)),

640

dbus.String(u"timeout"):

641

dbus.UInt64(self.timeout_milliseconds(),

642

variant_level=1),

643

dbus.String(u"interval"):

644

dbus.UInt64(self.interval_milliseconds(),

645

variant_level=1),

646

dbus.String(u"checker"):

647

dbus.String(self.checker_command,

648

variant_level=1),

649

dbus.String(u"checker_running"):

650

dbus.Boolean(self.checker is not None,

651

variant_level=1),

652

dbus.String(u"object_path"):

653

dbus.ObjectPath(self.dbus_object_path,

654

variant_level=1)

655

}, signature=u"sv")

656

657

# IsStillValid - method

658

@dbus.service.method(_interface, out_signature=u"b")

659

def IsStillValid(self):

660

return self.still_valid()

661

662

940

# PropertyChanged - signal

663

@dbus.service.signal(_interface, signature=u"sv")

941

@dbus.service.signal(_interface, signature="sv")

664

942

def PropertyChanged(self, property, value):

665

943

"D-Bus signal"

666

944

pass

667

945

668

# ReceivedSecret - signal

946

# GotSecret - signal

669

947

@dbus.service.signal(_interface)

670

def ReceivedSecret(self):

671

"D-Bus signal"

948

def GotSecret(self):

949

"""D-Bus signal

950

Is sent after a successful transfer of secret from the Mandos

951

server to mandos-client

952

"""

672

953

pass

673

954

674

955

# Rejected - signal

675

@dbus.service.signal(_interface)

676

def Rejected(self):

956

@dbus.service.signal(_interface, signature="s")

957

def Rejected(self, reason):

677

958

"D-Bus signal"

678

959

pass

679

960

680

# SetChecker - method

681

@dbus.service.method(_interface, in_signature=u"s")

682

def SetChecker(self, checker):

683

"D-Bus setter method"

684

self.checker_command = checker

685

# Emit D-Bus signal

686

self.PropertyChanged(dbus.String(u"checker"),

687

dbus.String(self.checker_command,

688

variant_level=1))

689

690

# SetHost - method

691

@dbus.service.method(_interface, in_signature=u"s")

692

def SetHost(self, host):

693

"D-Bus setter method"

694

self.host = host

695

# Emit D-Bus signal

696

self.PropertyChanged(dbus.String(u"host"),

697

dbus.String(self.host, variant_level=1))

698

699

# SetInterval - method

700

@dbus.service.method(_interface, in_signature=u"t")

701

def SetInterval(self, milliseconds):

702

self.interval = datetime.timedelta(0, 0, 0, milliseconds)

703

# Emit D-Bus signal

704

self.PropertyChanged(dbus.String(u"interval"),

705

(dbus.UInt64(self.interval_milliseconds(),

706

variant_level=1)))

707

708

# SetSecret - method

709

@dbus.service.method(_interface, in_signature=u"ay",

710

byte_arrays=True)

711

def SetSecret(self, secret):

712

"D-Bus setter method"

713

self.secret = str(secret)

714

715

# SetTimeout - method

716

@dbus.service.method(_interface, in_signature=u"t")

717

def SetTimeout(self, milliseconds):

718

self.timeout = datetime.timedelta(0, 0, 0, milliseconds)

719

# Emit D-Bus signal

720

self.PropertyChanged(dbus.String(u"timeout"),

721

(dbus.UInt64(self.timeout_milliseconds(),

722

variant_level=1)))

961

# NeedApproval - signal

962

@dbus.service.signal(_interface, signature="tb")

963

def NeedApproval(self, timeout, default):

964

"D-Bus signal"

965

return self.need_approval()

966

967

## Methods

968

969

# Approve - method

970

@dbus.service.method(_interface, in_signature="b")

971

def Approve(self, value):

972

self.approve(value)

973

974

# CheckedOK - method

975

@dbus.service.method(_interface)

976

def CheckedOK(self):

977

self.checked_ok()

723

978

724

979

# Enable - method

725

980

@dbus.service.method(_interface)

744

999

def StopChecker(self):

745

1000

self.stop_checker()

746

1001

1002

## Properties

1003

1004

# ApprovalPending - property

1005

@dbus_service_property(_interface, signature="b", access="read")

1006

def ApprovalPending_dbus_property(self):

1007

return dbus.Boolean(bool(self.approvals_pending))

1008

1009

# ApprovedByDefault - property

1010

@dbus_service_property(_interface, signature="b",

1011

access="readwrite")

1012

def ApprovedByDefault_dbus_property(self, value=None):

1013

if value is None: # get

1014

return dbus.Boolean(self.approved_by_default)

1015

old_value = self.approved_by_default

1016

self.approved_by_default = bool(value)

1017

# Emit D-Bus signal

1018

if old_value != self.approved_by_default:

1019

self.PropertyChanged(dbus.String("ApprovedByDefault"),

1020

dbus.Boolean(value, variant_level=1))

1021

1022

# ApprovalDelay - property

1023

@dbus_service_property(_interface, signature="t",

1024

access="readwrite")

1025

def ApprovalDelay_dbus_property(self, value=None):

1026

if value is None: # get

1027

return dbus.UInt64(self.approval_delay_milliseconds())

1028

old_value = self.approval_delay

1029

self.approval_delay = datetime.timedelta(0, 0, 0, value)

1030

# Emit D-Bus signal

1031

if old_value != self.approval_delay:

1032

self.PropertyChanged(dbus.String("ApprovalDelay"),

1033

dbus.UInt64(value, variant_level=1))

1034

1035

# ApprovalDuration - property

1036

@dbus_service_property(_interface, signature="t",

1037

access="readwrite")

1038

def ApprovalDuration_dbus_property(self, value=None):

1039

if value is None: # get

1040

return dbus.UInt64(self._timedelta_to_milliseconds(

1041

self.approval_duration))

1042

old_value = self.approval_duration

1043

self.approval_duration = datetime.timedelta(0, 0, 0, value)

1044

# Emit D-Bus signal

1045

if old_value != self.approval_duration:

1046

self.PropertyChanged(dbus.String("ApprovalDuration"),

1047

dbus.UInt64(value, variant_level=1))

1048

1049

# Name - property

1050

@dbus_service_property(_interface, signature="s", access="read")

1051

def Name_dbus_property(self):

1052

return dbus.String(self.name)

1053

1054

# Fingerprint - property

1055

@dbus_service_property(_interface, signature="s", access="read")

1056

def Fingerprint_dbus_property(self):

1057

return dbus.String(self.fingerprint)

1058

1059

# Host - property

1060

@dbus_service_property(_interface, signature="s",

1061

access="readwrite")

1062

def Host_dbus_property(self, value=None):

1063

if value is None: # get

1064

return dbus.String(self.host)

1065

old_value = self.host

1066

self.host = value

1067

# Emit D-Bus signal

1068

if old_value != self.host:

1069

self.PropertyChanged(dbus.String("Host"),

1070

dbus.String(value, variant_level=1))

1071

1072

# Created - property

1073

@dbus_service_property(_interface, signature="s", access="read")

1074

def Created_dbus_property(self):

1075

return dbus.String(self._datetime_to_dbus(self.created))

1076

1077

# LastEnabled - property

1078

@dbus_service_property(_interface, signature="s", access="read")

1079

def LastEnabled_dbus_property(self):

1080

return self._datetime_to_dbus(self.last_enabled)

1081

1082

# Enabled - property

1083

@dbus_service_property(_interface, signature="b",

1084

access="readwrite")

1085

def Enabled_dbus_property(self, value=None):

1086

if value is None: # get

1087

return dbus.Boolean(self.enabled)

1088

if value:

1089

self.enable()

1090

else:

1091

self.disable()

1092

1093

# LastCheckedOK - property

1094

@dbus_service_property(_interface, signature="s",

1095

access="readwrite")

1096

def LastCheckedOK_dbus_property(self, value=None):

1097

if value is not None:

1098

self.checked_ok()

1099

return

1100

return self._datetime_to_dbus(self.last_checked_ok)

1101

1102

# Expires - property

1103

@dbus_service_property(_interface, signature="s", access="read")

1104

def Expires_dbus_property(self):

1105

return self._datetime_to_dbus(self.expires)

1106

1107

# LastApprovalRequest - property

1108

@dbus_service_property(_interface, signature="s", access="read")

1109

def LastApprovalRequest_dbus_property(self):

1110

return self._datetime_to_dbus(self.last_approval_request)

1111

1112

# Timeout - property

1113

@dbus_service_property(_interface, signature="t",

1114

access="readwrite")

1115

def Timeout_dbus_property(self, value=None):

1116

if value is None: # get

1117

return dbus.UInt64(self.timeout_milliseconds())

1118

old_value = self.timeout

1119

self.timeout = datetime.timedelta(0, 0, 0, value)

1120

# Emit D-Bus signal

1121

if old_value != self.timeout:

1122

self.PropertyChanged(dbus.String("Timeout"),

1123

dbus.UInt64(value, variant_level=1))

1124

if getattr(self, "disable_initiator_tag", None) is None:

1125

return

1126

# Reschedule timeout

1127

gobject.source_remove(self.disable_initiator_tag)

1128

self.disable_initiator_tag = None

1129

self.expires = None

1130

time_to_die = (self.

1131

_timedelta_to_milliseconds((self

1132

.last_checked_ok

1133

+ self.timeout)

1134

- datetime.datetime

1135

.utcnow()))

1136

if time_to_die <= 0:

1137

# The timeout has passed

1138

self.disable()

1139

else:

1140

self.expires = (datetime.datetime.utcnow()

1141

+ datetime.timedelta(milliseconds = time_to_die))

1142

self.disable_initiator_tag = (gobject.timeout_add

1143

(time_to_die, self.disable))

1144

1145

# ExtendedTimeout - property

1146

@dbus_service_property(_interface, signature="t",

1147

access="readwrite")

1148

def ExtendedTimeout_dbus_property(self, value=None):

1149

if value is None: # get

1150

return dbus.UInt64(self.extended_timeout_milliseconds())

1151

old_value = self.extended_timeout

1152

self.extended_timeout = datetime.timedelta(0, 0, 0, value)

1153

# Emit D-Bus signal

1154

if old_value != self.extended_timeout:

1155

self.PropertyChanged(dbus.String("ExtendedTimeout"),

1156

dbus.UInt64(value, variant_level=1))

1157

1158

# Interval - property

1159

@dbus_service_property(_interface, signature="t",

1160

access="readwrite")

1161

def Interval_dbus_property(self, value=None):

1162

if value is None: # get

1163

return dbus.UInt64(self.interval_milliseconds())

1164

old_value = self.interval

1165

self.interval = datetime.timedelta(0, 0, 0, value)

1166

# Emit D-Bus signal

1167

if old_value != self.interval:

1168

self.PropertyChanged(dbus.String("Interval"),

1169

dbus.UInt64(value, variant_level=1))

1170

if getattr(self, "checker_initiator_tag", None) is None:

1171

return

1172

# Reschedule checker run

1173

gobject.source_remove(self.checker_initiator_tag)

1174

self.checker_initiator_tag = (gobject.timeout_add

1175

(value, self.start_checker))

1176

self.start_checker() # Start one now, too

1177

1178

# Checker - property

1179

@dbus_service_property(_interface, signature="s",

1180

access="readwrite")

1181

def Checker_dbus_property(self, value=None):

1182

if value is None: # get

1183

return dbus.String(self.checker_command)

1184

old_value = self.checker_command

1185

self.checker_command = value

1186

# Emit D-Bus signal

1187

if old_value != self.checker_command:

1188

self.PropertyChanged(dbus.String("Checker"),

1189

dbus.String(self.checker_command,

1190

variant_level=1))

1191

1192

# CheckerRunning - property

1193

@dbus_service_property(_interface, signature="b",

1194

access="readwrite")

1195

def CheckerRunning_dbus_property(self, value=None):

1196

if value is None: # get

1197

return dbus.Boolean(self.checker is not None)

1198

if value:

1199

self.start_checker()

1200

else:

1201

self.stop_checker()

1202

1203

# ObjectPath - property

1204

@dbus_service_property(_interface, signature="o", access="read")

1205

def ObjectPath_dbus_property(self):

1206

return self.dbus_object_path # is already a dbus.ObjectPath

1207

1208

# Secret = property

1209

@dbus_service_property(_interface, signature="ay",

1210

access="write", byte_arrays=True)

1211

def Secret_dbus_property(self, value):

1212

self.secret = str(value)

1213

747

1214

del _interface

748

1215

749

1216

1217

class ProxyClient(object):

1218

def __init__(self, child_pipe, fpr, address):

1219

self._pipe = child_pipe

1220

self._pipe.send(('init', fpr, address))

1221

if not self._pipe.recv():

1222

raise KeyError()

1223

1224

def __getattribute__(self, name):

1225

if(name == '_pipe'):

1226

return super(ProxyClient, self).__getattribute__(name)

1227

self._pipe.send(('getattr', name))

1228

data = self._pipe.recv()

1229

if data[0] == 'data':

1230

return data[1]

1231

if data[0] == 'function':

1232

def func(*args, **kwargs):

1233

self._pipe.send(('funcall', name, args, kwargs))

1234

return self._pipe.recv()[1]

1235

return func

1236

1237

def __setattr__(self, name, value):

1238

if(name == '_pipe'):

1239

return super(ProxyClient, self).__setattr__(name, value)

1240

self._pipe.send(('setattr', name, value))

1241

1242

750

1243

class ClientHandler(socketserver.BaseRequestHandler, object):

751

1244

"""A class to handle client connections.

752

1245

754

1247

Note: This will run in its own forked process."""

755

1248

756

1249

def handle(self):

757

logger.info(u"TCP connection from: %s",

758

unicode(self.client_address))

759

logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])

760

# Open IPC pipe to parent process

761

with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:

1250

with contextlib.closing(self.server.child_pipe) as child_pipe:

1251

logger.info("TCP connection from: %s",

1252

unicode(self.client_address))

1253

logger.debug("Pipe FD: %d",

1254

self.server.child_pipe.fileno())

1255

762

1256

session = (gnutls.connection

763

1257

.ClientSession(self.request,

764

1258

gnutls.connection

765

1259

.X509Credentials()))

766

767

line = self.request.makefile().readline()

768

logger.debug(u"Protocol version: %r", line)

769

try:

770

if int(line.strip().split()[0]) > 1:

771

raise RuntimeError

772

except (ValueError, IndexError, RuntimeError), error:

773

logger.error(u"Unknown protocol version: %s", error)

774

return

775

1260

776

1261

# Note: gnutls.connection.X509Credentials is really a

777

1262

# generic GnuTLS certificate credentials object so long as

778

1263

# no X.509 keys are added to it. Therefore, we can use it

779

1264

# here despite using OpenPGP certificates.

780

781

#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",

782

# u"+AES-256-CBC", u"+SHA1",

783

# u"+COMP-NULL", u"+CTYPE-OPENPGP",

784

# u"+DHE-DSS"))

1265

1266

#priority = ':'.join(("NONE", "+VERS-TLS1.1",

1267

# "+AES-256-CBC", "+SHA1",

1268

# "+COMP-NULL", "+CTYPE-OPENPGP",

1269

# "+DHE-DSS"))

785

1270

# Use a fallback default, since this MUST be set.

786

1271

priority = self.server.gnutls_priority

787

1272

if priority is None:

788

priority = u"NORMAL"

1273

priority = "NORMAL"

789

1274

(gnutls.library.functions

790

1275

.gnutls_priority_set_direct(session._c_object,

791

1276

priority, None))

792

1277

1278

# Start communication using the Mandos protocol

1279

# Get protocol number

1280

line = self.request.makefile().readline()

1281

logger.debug("Protocol version: %r", line)

1282

try:

1283

if int(line.strip().split()[0]) > 1:

1284

raise RuntimeError

1285

except (ValueError, IndexError, RuntimeError) as error:

1286

logger.error("Unknown protocol version: %s", error)

1287

return

1288

1289

# Start GnuTLS connection

793

1290

try:

794

1291

session.handshake()

795

except gnutls.errors.GNUTLSError, error:

796

logger.warning(u"Handshake failed: %s", error)

1292

except gnutls.errors.GNUTLSError as error:

1293

logger.warning("Handshake failed: %s", error)

797

1294

# Do not run session.bye() here: the session is not

798

1295

# established. Just abandon the request.

799

1296

return

800

logger.debug(u"Handshake succeeded")

1297

logger.debug("Handshake succeeded")

1298

1299

approval_required = False

801

1300

try:

802

fpr = self.fingerprint(self.peer_certificate(session))

803

except (TypeError, gnutls.errors.GNUTLSError), error:

804

logger.warning(u"Bad certificate: %s", error)

805

session.bye()

806

return

807

logger.debug(u"Fingerprint: %s", fpr)

1301

try:

1302

fpr = self.fingerprint(self.peer_certificate

1303

(session))

1304

except (TypeError,

1305

gnutls.errors.GNUTLSError) as error:

1306

logger.warning("Bad certificate: %s", error)

1307

return

1308

logger.debug("Fingerprint: %s", fpr)

1309

1310

try:

1311

client = ProxyClient(child_pipe, fpr,

1312

self.client_address)

1313

except KeyError:

1314

return

1315

1316

if client.approval_delay:

1317

delay = client.approval_delay

1318

client.approvals_pending += 1

1319

approval_required = True

1320

1321

while True:

1322

if not client.enabled:

1323

logger.info("Client %s is disabled",

1324

client.name)

1325

if self.server.use_dbus:

1326

# Emit D-Bus signal

1327

client.Rejected("Disabled")

1328

return

1329

1330

if client._approved or not client.approval_delay:

1331

#We are approved or approval is disabled

1332

break

1333

elif client._approved is None:

1334

logger.info("Client %s needs approval",

1335

client.name)

1336

if self.server.use_dbus:

1337

# Emit D-Bus signal

1338

client.NeedApproval(

1339

client.approval_delay_milliseconds(),

1340

client.approved_by_default)

1341

else:

1342

logger.warning("Client %s was not approved",

1343

client.name)

1344

if self.server.use_dbus:

1345

# Emit D-Bus signal

1346

client.Rejected("Denied")

1347

return

1348

1349

#wait until timeout or approved

1350

#x = float(client._timedelta_to_milliseconds(delay))

1351

time = datetime.datetime.now()

1352

client.changedstate.acquire()

1353

client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))

1354

client.changedstate.release()

1355

time2 = datetime.datetime.now()

1356

if (time2 - time) >= delay:

1357

if not client.approved_by_default:

1358

logger.warning("Client %s timed out while"

1359

" waiting for approval",

1360

client.name)

1361

if self.server.use_dbus:

1362

# Emit D-Bus signal

1363

client.Rejected("Approval timed out")

1364

return

1365

else:

1366

break

1367

else:

1368

delay -= time2 - time

1369

1370

sent_size = 0

1371

while sent_size < len(client.secret):

1372

try:

1373

sent = session.send(client.secret[sent_size:])

1374

except gnutls.errors.GNUTLSError as error:

1375

logger.warning("gnutls send failed")

1376

return

1377

logger.debug("Sent: %d, remaining: %d",

1378

sent, len(client.secret)

1379

- (sent_size + sent))

1380

sent_size += sent

1381

1382

logger.info("Sending secret to %s", client.name)

1383

# bump the timeout as if seen

1384

client.checked_ok(client.extended_timeout)

1385

if self.server.use_dbus:

1386

# Emit D-Bus signal

1387

client.GotSecret()

808

1388

809

for c in self.server.clients:

810

if c.fingerprint == fpr:

811

client = c

812

break

813

else:

814

ipc.write(u"NOTFOUND %s %s\n"

815

% (fpr, unicode(self.client_address)))

816

session.bye()

817

return

818

# Have to check if client.still_valid(), since it is

819

# possible that the client timed out while establishing

820

# the GnuTLS session.

821

if not client.still_valid():

822

ipc.write(u"INVALID %s\n" % client.name)

823

session.bye()

824

return

825

ipc.write(u"SENDING %s\n" % client.name)

826

sent_size = 0

827

while sent_size < len(client.secret):

828

sent = session.send(client.secret[sent_size:])

829

logger.debug(u"Sent: %d, remaining: %d",

830

sent, len(client.secret)

831

- (sent_size + sent))

832

sent_size += sent

833

session.bye()

1389

finally:

1390

if approval_required:

1391

client.approvals_pending -= 1

1392

try:

1393

session.bye()

1394

except gnutls.errors.GNUTLSError as error:

1395

logger.warning("GnuTLS bye failed")

834

1396

835

1397

@staticmethod

836

1398

def peer_certificate(session):

846

1408

.gnutls_certificate_get_peers

847

1409

(session._c_object, ctypes.byref(list_size)))

848

1410

if not bool(cert_list) and list_size.value != 0:

849

raise gnutls.errors.GNUTLSError(u"error getting peer"

850

u" certificate")

1411

raise gnutls.errors.GNUTLSError("error getting peer"

1412

" certificate")

851

1413

if list_size.value == 0:

852

1414

return None

853

1415

cert = cert_list[0]

879

1441

if crtverify.value != 0:

880

1442

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

881

1443

raise (gnutls.errors.CertificateSecurityError

882

(u"Verify failed"))

1444

("Verify failed"))

883

1445

# New buffer for the fingerprint

884

1446

buf = ctypes.create_string_buffer(20)

885

1447

buf_len = ctypes.c_size_t()

892

1454

# Convert the buffer to a Python bytestring

893

1455

fpr = ctypes.string_at(buf, buf_len.value)

894

1456

# Convert the bytestring to hexadecimal notation

895

hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)

1457

hex_fpr = ''.join("%02X" % ord(char) for char in fpr)

896

1458

return hex_fpr

897

1459

898

1460

899

class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):

900

"""Like socketserver.ForkingMixIn, but also pass a pipe."""

1461

class MultiprocessingMixIn(object):

1462

"""Like socketserver.ThreadingMixIn, but with multiprocessing"""

1463

def sub_process_main(self, request, address):

1464

try:

1465

self.finish_request(request, address)

1466

except:

1467

self.handle_error(request, address)

1468

self.close_request(request)

1469

1470

def process_request(self, request, address):

1471

"""Start a new process to process the request."""

1472

multiprocessing.Process(target = self.sub_process_main,

1473

args = (request, address)).start()

1474

1475

class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):

1476

""" adds a pipe to the MixIn """

901

1477

def process_request(self, request, client_address):

902

1478

"""Overrides and wraps the original process_request().

903

1479

904

This function creates a new pipe in self.pipe

1480

This function creates a new pipe in self.pipe

905

1481

"""

906

self.pipe = os.pipe()

907

super(ForkingMixInWithPipe,

1482

parent_pipe, self.child_pipe = multiprocessing.Pipe()

1483

1484

super(MultiprocessingMixInWithPipe,

908

1485

self).process_request(request, client_address)

909

os.close(self.pipe[1]) # close write end

910

self.add_pipe(self.pipe[0])

911

def add_pipe(self, pipe):

1486

self.child_pipe.close()

1487

self.add_pipe(parent_pipe)

1488

1489

def add_pipe(self, parent_pipe):

912

1490

"""Dummy function; override as necessary"""

913

os.close(pipe)

914

915

916

class IPv6_TCPServer(ForkingMixInWithPipe,

1491

raise NotImplementedError

1492

1493

class IPv6_TCPServer(MultiprocessingMixInWithPipe,

917

1494

socketserver.TCPServer, object):

918

1495

"""IPv6-capable TCP server. Accepts 'None' as address and/or port

919

1496

935

1512

bind to an address or port if they were not specified."""

936

1513

if self.interface is not None:

937

1514

if SO_BINDTODEVICE is None:

938

logger.error(u"SO_BINDTODEVICE does not exist;"

939

u" cannot bind to interface %s",

1515

logger.error("SO_BINDTODEVICE does not exist;"

1516

" cannot bind to interface %s",

940

1517

self.interface)

941

1518

else:

942

1519

try:

943

1520

self.socket.setsockopt(socket.SOL_SOCKET,

944

1521

SO_BINDTODEVICE,

945

1522

str(self.interface

946

+ u'\0'))

947

except socket.error, error:

1523

+ '\0'))

1524

except socket.error as error:

948

1525

if error[0] == errno.EPERM:

949

logger.error(u"No permission to"

950

u" bind to interface %s",

1526

logger.error("No permission to"

1527

" bind to interface %s",

951

1528

self.interface)

952

1529

elif error[0] == errno.ENOPROTOOPT:

953

logger.error(u"SO_BINDTODEVICE not available;"

954

u" cannot bind to interface %s",

1530

logger.error("SO_BINDTODEVICE not available;"

1531

" cannot bind to interface %s",

955

1532

self.interface)

956

1533

else:

957

1534

raise

959

1536

if self.server_address[0] or self.server_address[1]:

960

1537

if not self.server_address[0]:

961

1538

if self.address_family == socket.AF_INET6:

962

any_address = u"::" # in6addr_any

1539

any_address = "::" # in6addr_any

963

1540

else:

964

1541

any_address = socket.INADDR_ANY

965

1542

self.server_address = (any_address,

983

1560

clients: set of Client objects

984

1561

gnutls_priority GnuTLS priority string

985

1562

use_dbus: Boolean; to emit D-Bus signals or not

986

clients: set of Client objects

987

gnutls_priority GnuTLS priority string

988

use_dbus: Boolean; to emit D-Bus signals or not

989

1563

990

1564

Assumes a gobject.MainLoop event loop.

991

1565

"""

1007

1581

return socketserver.TCPServer.server_activate(self)

1008

1582

def enable(self):

1009

1583

self.enabled = True

1010

def add_pipe(self, pipe):

1584

def add_pipe(self, parent_pipe):

1011

1585

# Call "handle_ipc" for both data and EOF events

1012

gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,

1013

self.handle_ipc)

1014

def handle_ipc(self, source, condition, file_objects={}):

1586

gobject.io_add_watch(parent_pipe.fileno(),

1587

gobject.IO_IN | gobject.IO_HUP,

1588

functools.partial(self.handle_ipc,

1589

parent_pipe = parent_pipe))

1590

1591

def handle_ipc(self, source, condition, parent_pipe=None,

1592

client_object=None):

1015

1593

condition_names = {

1016

gobject.IO_IN: u"IN", # There is data to read.

1017

gobject.IO_OUT: u"OUT", # Data can be written (without

1594

gobject.IO_IN: "IN", # There is data to read.

1595

gobject.IO_OUT: "OUT", # Data can be written (without

1018

1596

# blocking).

1019

gobject.IO_PRI: u"PRI", # There is urgent data to read.

1020

gobject.IO_ERR: u"ERR", # Error condition.

1021

gobject.IO_HUP: u"HUP" # Hung up (the connection has been

1597

gobject.IO_PRI: "PRI", # There is urgent data to read.

1598

gobject.IO_ERR: "ERR", # Error condition.

1599

gobject.IO_HUP: "HUP" # Hung up (the connection has been

1022

1600

# broken, usually for pipes and

1023

1601

# sockets).

1024

1602

}

1026

1604

for cond, name in

1027

1605

condition_names.iteritems()

1028

1606

if cond & condition)

1029

logger.debug(u"Handling IPC: FD = %d, condition = %s", source,

1030

conditions_string)

1031

1032

# Turn the pipe file descriptor into a Python file object

1033

if source not in file_objects:

1034

file_objects[source] = os.fdopen(source, u"r", 1)

1035

1036

# Read a line from the file object

1037

cmdline = file_objects[source].readline()

1038

if not cmdline: # Empty line means end of file

1039

# close the IPC pipe

1040

file_objects[source].close()

1041

del file_objects[source]

1042

1043

# Stop calling this function

1044

return False

1045

1046

logger.debug(u"IPC command: %r", cmdline)

1047

1048

# Parse and act on command

1049

cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)

1050

1051

if cmd == u"NOTFOUND":

1052

logger.warning(u"Client not found for fingerprint: %s",

1053

args)

1054

if self.use_dbus:

1055

# Emit D-Bus signal

1056

mandos_dbus_service.ClientNotFound(args)

1057

elif cmd == u"INVALID":

1058

for client in self.clients:

1059

if client.name == args:

1060

logger.warning(u"Client %s is invalid", args)

1061

if self.use_dbus:

1062

# Emit D-Bus signal

1063

client.Rejected()

1064

break

1065

else:

1066

logger.error(u"Unknown client %s is invalid", args)

1067

elif cmd == u"SENDING":

1068

for client in self.clients:

1069

if client.name == args:

1070

logger.info(u"Sending secret to %s", client.name)

1071

client.checked_ok()

1072

if self.use_dbus:

1073

# Emit D-Bus signal

1074

client.ReceivedSecret()

1075

break

1076

else:

1077

logger.error(u"Sending secret to unknown client %s",

1078

args)

1079

else:

1080

logger.error(u"Unknown IPC command: %r", cmdline)

1081

1082

# Keep calling this function

1607

# error or the other end of multiprocessing.Pipe has closed

1608

if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):

1609

return False

1610

1611

# Read a request from the child

1612

request = parent_pipe.recv()

1613

command = request[0]

1614

1615

if command == 'init':

1616

fpr = request[1]

1617

address = request[2]

1618

1619

for c in self.clients:

1620

if c.fingerprint == fpr:

1621

client = c

1622

break

1623

else:

1624

logger.info("Client not found for fingerprint: %s, ad"

1625

"dress: %s", fpr, address)

1626

if self.use_dbus:

1627

# Emit D-Bus signal

1628

mandos_dbus_service.ClientNotFound(fpr, address[0])

1629

parent_pipe.send(False)

1630

return False

1631

1632

gobject.io_add_watch(parent_pipe.fileno(),

1633

gobject.IO_IN | gobject.IO_HUP,

1634

functools.partial(self.handle_ipc,

1635

parent_pipe = parent_pipe,

1636

client_object = client))

1637

parent_pipe.send(True)

1638

# remove the old hook in favor of the new above hook on same fileno

1639

return False

1640

if command == 'funcall':

1641

funcname = request[1]

1642

args = request[2]

1643

kwargs = request[3]

1644

1645

parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))

1646

1647

if command == 'getattr':

1648

attrname = request[1]

1649

if callable(client_object.__getattribute__(attrname)):

1650

parent_pipe.send(('function',))

1651

else:

1652

parent_pipe.send(('data', client_object.__getattribute__(attrname)))

1653

1654

if command == 'setattr':

1655

attrname = request[1]

1656

value = request[2]

1657

setattr(client_object, attrname, value)

1658

1083

1659

return True

1084

1660

1085

1661

1086

1662

def string_to_delta(interval):

1087

1663

"""Parse a string and return a datetime.timedelta

1088

1664

1089

>>> string_to_delta(u'7d')

1665

>>> string_to_delta('7d')

1090

1666

datetime.timedelta(7)

1091

>>> string_to_delta(u'60s')

1667

>>> string_to_delta('60s')

1092

1668

datetime.timedelta(0, 60)

1093

>>> string_to_delta(u'60m')

1669

>>> string_to_delta('60m')

1094

1670

datetime.timedelta(0, 3600)

1095

>>> string_to_delta(u'24h')

1671

>>> string_to_delta('24h')

1096

1672

datetime.timedelta(1)

1097

>>> string_to_delta(u'1w')

1673

>>> string_to_delta('1w')

1098

1674

datetime.timedelta(7)

1099

>>> string_to_delta(u'5m 30s')

1675

>>> string_to_delta('5m 30s')

1100

1676

datetime.timedelta(0, 330)

1101

1677

"""

1102

1678

timevalue = datetime.timedelta(0)

1104

1680

try:

1105

1681

suffix = unicode(s[-1])

1106

1682

value = int(s[:-1])

1107

if suffix == u"d":

1683

if suffix == "d":

1108

1684

delta = datetime.timedelta(value)

1109

elif suffix == u"s":

1685

elif suffix == "s":

1110

1686

delta = datetime.timedelta(0, value)

1111

elif suffix == u"m":

1687

elif suffix == "m":

1112

1688

delta = datetime.timedelta(0, 0, 0, 0, value)

1113

elif suffix == u"h":

1689

elif suffix == "h":

1114

1690

delta = datetime.timedelta(0, 0, 0, 0, 0, value)

1115

elif suffix == u"w":

1691

elif suffix == "w":

1116

1692

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

1117

1693

else:

1118

raise ValueError

1119

except (ValueError, IndexError):

1120

raise ValueError

1694

raise ValueError("Unknown suffix %r" % suffix)

1695

except (ValueError, IndexError) as e:

1696

raise ValueError(*(e.args))

1121

1697

timevalue += delta

1122

1698

return timevalue

1123

1699

1129

1705

global if_nametoindex

1130

1706

try:

1131

1707

if_nametoindex = (ctypes.cdll.LoadLibrary

1132

(ctypes.util.find_library(u"c"))

1708

(ctypes.util.find_library("c"))

1133

1709

.if_nametoindex)

1134

1710

except (OSError, AttributeError):

1135

logger.warning(u"Doing if_nametoindex the hard way")

1711

logger.warning("Doing if_nametoindex the hard way")

1136

1712

def if_nametoindex(interface):

1137

1713

"Get an interface index the hard way, i.e. using fcntl()"

1138

1714

SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h

1139

with closing(socket.socket()) as s:

1715

with contextlib.closing(socket.socket()) as s:

1140

1716

ifreq = fcntl.ioctl(s, SIOCGIFINDEX,

1141

struct.pack(str(u"16s16x"),

1717

struct.pack(str("16s16x"),

1142

1718

interface))

1143

interface_index = struct.unpack(str(u"I"),

1719

interface_index = struct.unpack(str("I"),

1144

1720

ifreq[16:20])[0]

1145

1721

return interface_index

1146

1722

return if_nametoindex(interface)

1154

1730

sys.exit()

1155

1731

os.setsid()

1156

1732

if not nochdir:

1157

os.chdir(u"/")

1733

os.chdir("/")

1158

1734

if os.fork():

1159

1735

sys.exit()

1160

1736

if not noclose:

1162

1738

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

1163

1739

if not stat.S_ISCHR(os.fstat(null).st_mode):

1164

1740

raise OSError(errno.ENODEV,

1165

u"/dev/null not a character device")

1741

"%s not a character device"

1742

% os.path.devnull)

1166

1743

os.dup2(null, sys.stdin.fileno())

1167

1744

os.dup2(null, sys.stdout.fileno())

1168

1745

os.dup2(null, sys.stderr.fileno())

1172

1749

1173

1750

def main():

1174

1751

1175

######################################################################

1752

##################################################################

1176

1753

# Parsing of options, both command line and config file

1177

1754

1178

parser = optparse.OptionParser(version = "%%prog %s" % version)

1179

parser.add_option("-i", u"--interface", type=u"string",

1180

metavar="IF", help=u"Bind to interface IF")

1181

parser.add_option("-a", u"--address", type=u"string",

1182

help=u"Address to listen for requests on")

1183

parser.add_option("-p", u"--port", type=u"int",

1184

help=u"Port number to receive requests on")

1185

parser.add_option("--check", action=u"store_true",

1186

help=u"Run self-test")

1187

parser.add_option("--debug", action=u"store_true",

1188

help=u"Debug mode; run in foreground and log to"

1189

u" terminal")

1190

parser.add_option("--priority", type=u"string", help=u"GnuTLS"

1191

u" priority string (see GnuTLS documentation)")

1192

parser.add_option("--servicename", type=u"string",

1193

metavar=u"NAME", help=u"Zeroconf service name")

1194

parser.add_option("--configdir", type=u"string",

1195

default=u"/etc/mandos", metavar=u"DIR",

1196

help=u"Directory to search for configuration"

1197

u" files")

1198

parser.add_option("--no-dbus", action=u"store_false",

1199

dest=u"use_dbus", help=u"Do not provide D-Bus"

1200

u" system bus interface")

1201

parser.add_option("--no-ipv6", action=u"store_false",

1202

dest=u"use_ipv6", help=u"Do not use IPv6")

1203

options = parser.parse_args()[0]

1755

parser = argparse.ArgumentParser()

1756

parser.add_argument("-v", "--version", action="version",

1757

version = "%%(prog)s %s" % version,

1758

help="show version number and exit")

1759

parser.add_argument("-i", "--interface", metavar="IF",

1760

help="Bind to interface IF")

1761

parser.add_argument("-a", "--address",

1762

help="Address to listen for requests on")

1763

parser.add_argument("-p", "--port", type=int,

1764

help="Port number to receive requests on")

1765

parser.add_argument("--check", action="store_true",

1766

help="Run self-test")

1767

parser.add_argument("--debug", action="store_true",

1768

help="Debug mode; run in foreground and log"

1769

" to terminal")

1770

parser.add_argument("--debuglevel", metavar="LEVEL",

1771

help="Debug level for stdout output")

1772

parser.add_argument("--priority", help="GnuTLS"

1773

" priority string (see GnuTLS documentation)")

1774

parser.add_argument("--servicename",

1775

metavar="NAME", help="Zeroconf service name")

1776

parser.add_argument("--configdir",

1777

default="/etc/mandos", metavar="DIR",

1778

help="Directory to search for configuration"

1779

" files")

1780

parser.add_argument("--no-dbus", action="store_false",

1781

dest="use_dbus", help="Do not provide D-Bus"

1782

" system bus interface")

1783

parser.add_argument("--no-ipv6", action="store_false",

1784

dest="use_ipv6", help="Do not use IPv6")

1785

options = parser.parse_args()

1204

1786

1205

1787

if options.check:

1206

1788

import doctest

1208

1790

sys.exit()

1209

1791

1210

1792

# Default values for config file for server-global settings

1211

server_defaults = { u"interface": u"",

1212

u"address": u"",

1213

u"port": u"",

1214

u"debug": u"False",

1215

u"priority":

1216

u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",

1217

u"servicename": u"Mandos",

1218

u"use_dbus": u"True",

1219

u"use_ipv6": u"True",

1793

server_defaults = { "interface": "",

1794

"address": "",

1795

"port": "",

1796

"debug": "False",

1797

"priority":

1798

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",

1799

"servicename": "Mandos",

1800

"use_dbus": "True",

1801

"use_ipv6": "True",

1802

"debuglevel": "",

1220

1803

}

1221

1804

1222

1805

# Parse config file for server-global settings

1223

1806

server_config = configparser.SafeConfigParser(server_defaults)

1224

1807

del server_defaults

1225

1808

server_config.read(os.path.join(options.configdir,

1226

u"mandos.conf"))

1809

"mandos.conf"))

1227

1810

# Convert the SafeConfigParser object to a dict

1228

1811

server_settings = server_config.defaults()

1229

1812

# Use the appropriate methods on the non-string config options

1230

for option in (u"debug", u"use_dbus", u"use_ipv6"):

1231

server_settings[option] = server_config.getboolean(u"DEFAULT",

1813

for option in ("debug", "use_dbus", "use_ipv6"):

1814

server_settings[option] = server_config.getboolean("DEFAULT",

1232

1815

option)

1233

1816

if server_settings["port"]:

1234

server_settings["port"] = server_config.getint(u"DEFAULT",

1235

u"port")

1817

server_settings["port"] = server_config.getint("DEFAULT",

1818

"port")

1236

1819

del server_config

1237

1820

1238

1821

# Override the settings from the config file with command line

1239

1822

# options, if set.

1240

for option in (u"interface", u"address", u"port", u"debug",

1241

u"priority", u"servicename", u"configdir",

1242

u"use_dbus", u"use_ipv6"):

1823

for option in ("interface", "address", "port", "debug",

1824

"priority", "servicename", "configdir",

1825

"use_dbus", "use_ipv6", "debuglevel"):

1243

1826

value = getattr(options, option)

1244

1827

if value is not None:

1245

1828

server_settings[option] = value

1253

1836

##################################################################

1254

1837

1255

1838

# For convenience

1256

debug = server_settings[u"debug"]

1257

use_dbus = server_settings[u"use_dbus"]

1258

use_ipv6 = server_settings[u"use_ipv6"]

1259

1260

if not debug:

1261

syslogger.setLevel(logging.WARNING)

1262

console.setLevel(logging.WARNING)

1263

1264

if server_settings[u"servicename"] != u"Mandos":

1839

debug = server_settings["debug"]

1840

debuglevel = server_settings["debuglevel"]

1841

use_dbus = server_settings["use_dbus"]

1842

use_ipv6 = server_settings["use_ipv6"]

1843

1844

if server_settings["servicename"] != "Mandos":

1265

1845

syslogger.setFormatter(logging.Formatter

1266

(u'Mandos (%s) [%%(process)d]:'

1267

u' %%(levelname)s: %%(message)s'

1268

% server_settings[u"servicename"]))

1846

('Mandos (%s) [%%(process)d]:'

1847

' %%(levelname)s: %%(message)s'

1848

% server_settings["servicename"]))

1269

1849

1270

1850

# Parse config file with clients

1271

client_defaults = { u"timeout": u"1h",

1272

u"interval": u"5m",

1273

u"checker": u"fping -q -- %%(host)s",

1274

u"host": u"",

1851

client_defaults = { "timeout": "5m",

1852

"extended_timeout": "15m",

1853

"interval": "2m",

1854

"checker": "fping -q -- %%(host)s",

1855

"host": "",

1856

"approval_delay": "0s",

1857

"approval_duration": "1s",

1275

1858

}

1276

1859

client_config = configparser.SafeConfigParser(client_defaults)

1277

client_config.read(os.path.join(server_settings[u"configdir"],

1278

u"clients.conf"))

1860

client_config.read(os.path.join(server_settings["configdir"],

1861

"clients.conf"))

1279

1862

1280

1863

global mandos_dbus_service

1281

1864

mandos_dbus_service = None

1282

1865

1283

tcp_server = MandosServer((server_settings[u"address"],

1284

server_settings[u"port"]),

1866

tcp_server = MandosServer((server_settings["address"],

1867

server_settings["port"]),

1285

1868

ClientHandler,

1286

interface=server_settings[u"interface"],

1869

interface=(server_settings["interface"]

1870

or None),

1287

1871

use_ipv6=use_ipv6,

1288

1872

gnutls_priority=

1289

server_settings[u"priority"],

1873

server_settings["priority"],

1290

1874

use_dbus=use_dbus)

1291

pidfilename = u"/var/run/mandos.pid"

1292

try:

1293

pidfile = open(pidfilename, u"w")

1294

except IOError:

1295

logger.error(u"Could not open file %r", pidfilename)

1875

if not debug:

1876

pidfilename = "/var/run/mandos.pid"

1877

try:

1878

pidfile = open(pidfilename, "w")

1879

except IOError:

1880

logger.error("Could not open file %r", pidfilename)

1296

1881

1297

1882

try:

1298

uid = pwd.getpwnam(u"_mandos").pw_uid

1299

gid = pwd.getpwnam(u"_mandos").pw_gid

1883

uid = pwd.getpwnam("_mandos").pw_uid

1884

gid = pwd.getpwnam("_mandos").pw_gid

1300

1885

except KeyError:

1301

1886

try:

1302

uid = pwd.getpwnam(u"mandos").pw_uid

1303

gid = pwd.getpwnam(u"mandos").pw_gid

1887

uid = pwd.getpwnam("mandos").pw_uid

1888

gid = pwd.getpwnam("mandos").pw_gid

1304

1889

except KeyError:

1305

1890

try:

1306

uid = pwd.getpwnam(u"nobody").pw_uid

1307

gid = pwd.getpwnam(u"nobody").pw_gid

1891

uid = pwd.getpwnam("nobody").pw_uid

1892

gid = pwd.getpwnam("nobody").pw_gid

1308

1893

except KeyError:

1309

1894

uid = 65534

1310

1895

gid = 65534

1311

1896

try:

1312

1897

os.setgid(gid)

1313

1898

os.setuid(uid)

1314

except OSError, error:

1899

except OSError as error:

1315

1900

if error[0] != errno.EPERM:

1316

1901

raise error

1317

1902

1318

# Enable all possible GnuTLS debugging

1903

if not debug and not debuglevel:

1904

syslogger.setLevel(logging.WARNING)

1905

console.setLevel(logging.WARNING)

1906

if debuglevel:

1907

level = getattr(logging, debuglevel.upper())

1908

syslogger.setLevel(level)

1909

console.setLevel(level)

1910

1319

1911

if debug:

1912

# Enable all possible GnuTLS debugging

1913

1320

1914

# "Use a log level over 10 to enable all debugging options."

1321

1915

# - GnuTLS manual

1322

1916

gnutls.library.functions.gnutls_global_set_log_level(11)

1323

1917

1324

1918

@gnutls.library.types.gnutls_log_func

1325

1919

def debug_gnutls(level, string):

1326

logger.debug(u"GnuTLS: %s", string[:-1])

1920

logger.debug("GnuTLS: %s", string[:-1])

1327

1921

1328

1922

(gnutls.library.functions

1329

1923

.gnutls_global_set_log_function(debug_gnutls))

1924

1925

# Redirect stdin so all checkers get /dev/null

1926

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

1927

os.dup2(null, sys.stdin.fileno())

1928

if null > 2:

1929

os.close(null)

1930

else:

1931

# No console logging

1932

logger.removeHandler(console)

1933

1934

# Need to fork before connecting to D-Bus

1935

if not debug:

1936

# Close all input and output, do double fork, etc.

1937

daemon()

1330

1938

1331

1939

global main_loop

1332

1940

# From the Avahi example code

1335

1943

bus = dbus.SystemBus()

1336

1944

# End of Avahi example code

1337

1945

if use_dbus:

1338

bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)

1946

try:

1947

bus_name = dbus.service.BusName("se.bsnet.fukt.Mandos",

1948

bus, do_not_queue=True)

1949

except dbus.exceptions.NameExistsException as e:

1950

logger.error(unicode(e) + ", disabling D-Bus")

1951

use_dbus = False

1952

server_settings["use_dbus"] = False

1953

tcp_server.use_dbus = False

1339

1954

protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET

1340

service = AvahiService(name = server_settings[u"servicename"],

1341

servicetype = u"_mandos._tcp",

1955

service = AvahiService(name = server_settings["servicename"],

1956

servicetype = "_mandos._tcp",

1342

1957

protocol = protocol, bus = bus)

1343

1958

if server_settings["interface"]:

1344

1959

service.interface = (if_nametoindex

1345

(str(server_settings[u"interface"])))

1960

(str(server_settings["interface"])))

1961

1962

global multiprocessing_manager

1963

multiprocessing_manager = multiprocessing.Manager()

1346

1964

1347

1965

client_class = Client

1348

1966

if use_dbus:

1349

1967

client_class = functools.partial(ClientDBus, bus = bus)

1968

def client_config_items(config, section):

1969

special_settings = {

1970

"approved_by_default":

1971

lambda: config.getboolean(section,

1972

"approved_by_default"),

1973

}

1974

for name, value in config.items(section):

1975

try:

1976

yield (name, special_settings[name]())

1977

except KeyError:

1978

yield (name, value)

1979

1350

1980

tcp_server.clients.update(set(

1351

1981

client_class(name = section,

1352

config= dict(client_config.items(section)))

1982

config= dict(client_config_items(

1983

client_config, section)))

1353

1984

for section in client_config.sections()))

1354

1985

if not tcp_server.clients:

1355

logger.warning(u"No clients defined")

1356

1357

if debug:

1358

# Redirect stdin so all checkers get /dev/null

1359

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

1360

os.dup2(null, sys.stdin.fileno())

1361

if null > 2:

1362

os.close(null)

1363

else:

1364

# No console logging

1365

logger.removeHandler(console)

1366

# Close all input and output, do double fork, etc.

1367

daemon()

1368

1369

try:

1370

with closing(pidfile):

1371

pid = os.getpid()

1372

pidfile.write(str(pid) + "\n")

1373

del pidfile

1374

except IOError:

1375

logger.error(u"Could not write to file %r with PID %d",

1376

pidfilename, pid)

1377

except NameError:

1378

# "pidfile" was never created

1379

pass

1380

del pidfilename

1381

1382

def cleanup():

1383

"Cleanup function; run on exit"

1384

service.cleanup()

1986

logger.warning("No clients defined")

1385

1987

1386

while tcp_server.clients:

1387

client = tcp_server.clients.pop()

1388

client.disable_hook = None

1389

client.disable()

1390

1391

atexit.register(cleanup)

1392

1393

1988

if not debug:

1989

try:

1990

with pidfile:

1991

pid = os.getpid()

1992

pidfile.write(str(pid) + "\n".encode("utf-8"))

1993

del pidfile

1994

except IOError:

1995

logger.error("Could not write to file %r with PID %d",

1996

pidfilename, pid)

1997

except NameError:

1998

# "pidfile" was never created

1999

pass

2000

del pidfilename

2001

1394

2002

signal.signal(signal.SIGINT, signal.SIG_IGN)

2003

1395

2004

signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())

1396

2005

signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())

1397

2006

1399

2008

class MandosDBusService(dbus.service.Object):

1400

2009

"""A D-Bus proxy object"""

1401

2010

def __init__(self):

1402

dbus.service.Object.__init__(self, bus, u"/")

1403

_interface = u"se.bsnet.fukt.Mandos"

1404

1405

@dbus.service.signal(_interface, signature=u"oa{sv}")

1406

def ClientAdded(self, objpath, properties):

1407

"D-Bus signal"

1408

pass

1409

1410

@dbus.service.signal(_interface, signature=u"s")

1411

def ClientNotFound(self, fingerprint):

1412

"D-Bus signal"

1413

pass

1414

1415

@dbus.service.signal(_interface, signature=u"os")

2011

dbus.service.Object.__init__(self, bus, "/")

2012

_interface = "se.bsnet.fukt.Mandos"

2013

2014

@dbus.service.signal(_interface, signature="o")

2015

def ClientAdded(self, objpath):

2016

"D-Bus signal"

2017

pass

2018

2019

@dbus.service.signal(_interface, signature="ss")

2020

def ClientNotFound(self, fingerprint, address):

2021

"D-Bus signal"

2022

pass

2023

2024

@dbus.service.signal(_interface, signature="os")

1416

2025

def ClientRemoved(self, objpath, name):

1417

2026

"D-Bus signal"

1418

2027

pass

1419

2028

1420

@dbus.service.method(_interface, out_signature=u"ao")

2029

@dbus.service.method(_interface, out_signature="ao")

1421

2030

def GetAllClients(self):

1422

2031

"D-Bus method"

1423

2032

return dbus.Array(c.dbus_object_path

1424

2033

for c in tcp_server.clients)

1425

2034

1426

2035

@dbus.service.method(_interface,

1427

out_signature=u"a{oa{sv}}")

2036

out_signature="a{oa{sv}}")

1428

2037

def GetAllClientsWithProperties(self):

1429

2038

"D-Bus method"

1430

2039

return dbus.Dictionary(

1431

((c.dbus_object_path, c.GetAllProperties())

2040

((c.dbus_object_path, c.GetAll(""))

1432

2041

for c in tcp_server.clients),

1433

signature=u"oa{sv}")

2042

signature="oa{sv}")

1434

2043

1435

@dbus.service.method(_interface, in_signature=u"o")

2044

@dbus.service.method(_interface, in_signature="o")

1436

2045

def RemoveClient(self, object_path):

1437

2046

"D-Bus method"

1438

2047

for c in tcp_server.clients:

1440

2049

tcp_server.clients.remove(c)

1441

2050

c.remove_from_connection()

1442

2051

# Don't signal anything except ClientRemoved

1443

c.disable(signal=False)

2052

c.disable(quiet=True)

1444

2053

# Emit D-Bus signal

1445

2054

self.ClientRemoved(object_path, c.name)

1446

2055

return

1447

raise KeyError

2056

raise KeyError(object_path)

1448

2057

1449

2058

del _interface

1450

2059

1451

2060

mandos_dbus_service = MandosDBusService()

1452

2061

2062

def cleanup():

2063

"Cleanup function; run on exit"

2064

service.cleanup()

2065

2066

while tcp_server.clients:

2067

client = tcp_server.clients.pop()

2068

if use_dbus:

2069

client.remove_from_connection()

2070

client.disable_hook = None

2071

# Don't signal anything except ClientRemoved

2072

client.disable(quiet=True)

2073

if use_dbus:

2074

# Emit D-Bus signal

2075

mandos_dbus_service.ClientRemoved(client.dbus_object_path,

2076

client.name)

2077

2078

atexit.register(cleanup)

2079

1453

2080

for client in tcp_server.clients:

1454

2081

if use_dbus:

1455

2082

# Emit D-Bus signal

1456

mandos_dbus_service.ClientAdded(client.dbus_object_path,

1457

client.GetAllProperties())

2083

mandos_dbus_service.ClientAdded(client.dbus_object_path)

1458

2084

client.enable()

1459

2085

1460

2086

tcp_server.enable()

1463

2089

# Find out what port we got

1464

2090

service.port = tcp_server.socket.getsockname()[1]

1465

2091

if use_ipv6:

1466

logger.info(u"Now listening on address %r, port %d,"

2092

logger.info("Now listening on address %r, port %d,"

1467

2093

" flowinfo %d, scope_id %d"

1468

2094

% tcp_server.socket.getsockname())

1469

2095

else: # IPv4

1470

logger.info(u"Now listening on address %r, port %d"

2096

logger.info("Now listening on address %r, port %d"

1471

2097

% tcp_server.socket.getsockname())

1472

2098

1473

2099

#service.interface = tcp_server.socket.getsockname()[3]

1476

2102

# From the Avahi example code

1477

2103

try:

1478

2104

service.activate()

1479

except dbus.exceptions.DBusException, error:

1480

logger.critical(u"DBusException: %s", error)

2105

except dbus.exceptions.DBusException as error:

2106

logger.critical("DBusException: %s", error)

2107

cleanup()

1481

2108

sys.exit(1)

1482

2109

# End of Avahi example code

1483

2110

1486

2113

(tcp_server.handle_request

1487

2114

(*args[2:], **kwargs) or True))

1488

2115

1489

logger.debug(u"Starting main loop")

2116

logger.debug("Starting main loop")

1490

2117

main_loop.run()

1491

except AvahiError, error:

1492

logger.critical(u"AvahiError: %s", error)

2118

except AvahiError as error:

2119

logger.critical("AvahiError: %s", error)

2120

cleanup()

1493

2121

sys.exit(1)

1494

2122

except KeyboardInterrupt:

1495

2123

if debug:

1496

print >> sys.stderr

1497

logger.debug(u"Server received KeyboardInterrupt")

1498

logger.debug(u"Server exiting")

2124

print("", file=sys.stderr)

2125

logger.debug("Server received KeyboardInterrupt")

2126

logger.debug("Server exiting")

2127

# Must run before the D-Bus bus name gets deregistered

2128

cleanup()

1499

2129

1500

2130

if __name__ == '__main__':

1501

2131

main()