To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.56
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.56
- Committer: Teddy Hogeborn
- Date: 2011-10-05 16:32:24 UTC
- mfrom: (237.11.3 teddy)
- mto: (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 286.
- Revision ID: teddy@recompile.se-20111005163224-5q9kteemc9msmf14
* mandos: Break long lines.
- files removed:
- debian/source/local-options
- network-hooks.d
- files modified:
- DBUS-API
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2012 Teddy Hogeborn
15
# Copyright © 2008-2012 Björn Påhlsson
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
63
63
import cPickle as pickle
64
64
import multiprocessing
65
65
import types
66
import binascii
67
import tempfile
68
66
69
67
import dbus
70
68
import dbus.service
75
73
import ctypes.util
76
74
import xml.dom.minidom
77
75
import inspect
78
import GnuPGInterface
79
76
80
77
try:
81
78
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
85
82
except ImportError:
86
83
SO_BINDTODEVICE = None
87
84
88
version = "1.5.3"
89
stored_state_file = "clients.pickle"
90
91
logger = logging.getLogger()
85
86
version = "1.3.1"
87
88
#logger = logging.getLogger('mandos')
89
logger = logging.Logger('mandos')
92
90
syslogger = (logging.handlers.SysLogHandler
93
91
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
94
92
address = str("/dev/log")))
95
96
try:
97
if_nametoindex = (ctypes.cdll.LoadLibrary
98
(ctypes.util.find_library("c"))
99
.if_nametoindex)
100
except (OSError, AttributeError):
101
def if_nametoindex(interface):
102
"Get an interface index the hard way, i.e. using fcntl()"
103
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
104
with contextlib.closing(socket.socket()) as s:
105
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
106
struct.pack(str("16s16x"),
107
interface))
108
interface_index = struct.unpack(str("I"),
109
ifreq[16:20])[0]
110
return interface_index
111
112
113
def initlogger(debug, level=logging.WARNING):
114
"""init logger and add loglevel"""
115
116
syslogger.setFormatter(logging.Formatter
117
('Mandos [%(process)d]: %(levelname)s:'
118
' %(message)s'))
119
logger.addHandler(syslogger)
120
121
if debug:
122
console = logging.StreamHandler()
123
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
124
' [%(process)d]:'
125
' %(levelname)s:'
126
' %(message)s'))
127
logger.addHandler(console)
128
logger.setLevel(level)
129
130
131
class PGPError(Exception):
132
"""Exception if encryption/decryption fails"""
133
pass
134
135
136
class PGPEngine(object):
137
"""A simple class for OpenPGP symmetric encryption & decryption"""
138
def __init__(self):
139
self.gnupg = GnuPGInterface.GnuPG()
140
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
141
self.gnupg = GnuPGInterface.GnuPG()
142
self.gnupg.options.meta_interactive = False
143
self.gnupg.options.homedir = self.tempdir
144
self.gnupg.options.extra_args.extend(['--force-mdc',
145
'--quiet',
146
'--no-use-agent'])
147
148
def __enter__(self):
149
return self
150
151
def __exit__ (self, exc_type, exc_value, traceback):
152
self._cleanup()
153
return False
154
155
def __del__(self):
156
self._cleanup()
157
158
def _cleanup(self):
159
if self.tempdir is not None:
160
# Delete contents of tempdir
161
for root, dirs, files in os.walk(self.tempdir,
162
topdown = False):
163
for filename in files:
164
os.remove(os.path.join(root, filename))
165
for dirname in dirs:
166
os.rmdir(os.path.join(root, dirname))
167
# Remove tempdir
168
os.rmdir(self.tempdir)
169
self.tempdir = None
170
171
def password_encode(self, password):
172
# Passphrase can not be empty and can not contain newlines or
173
# NUL bytes. So we prefix it and hex encode it.
174
return b"mandos" + binascii.hexlify(password)
175
176
def encrypt(self, data, password):
177
self.gnupg.passphrase = self.password_encode(password)
178
with open(os.devnull, "w") as devnull:
179
try:
180
proc = self.gnupg.run(['--symmetric'],
181
create_fhs=['stdin', 'stdout'],
182
attach_fhs={'stderr': devnull})
183
with contextlib.closing(proc.handles['stdin']) as f:
184
f.write(data)
185
with contextlib.closing(proc.handles['stdout']) as f:
186
ciphertext = f.read()
187
proc.wait()
188
except IOError as e:
189
raise PGPError(e)
190
self.gnupg.passphrase = None
191
return ciphertext
192
193
def decrypt(self, data, password):
194
self.gnupg.passphrase = self.password_encode(password)
195
with open(os.devnull, "w") as devnull:
196
try:
197
proc = self.gnupg.run(['--decrypt'],
198
create_fhs=['stdin', 'stdout'],
199
attach_fhs={'stderr': devnull})
200
with contextlib.closing(proc.handles['stdin']) as f:
201
f.write(data)
202
with contextlib.closing(proc.handles['stdout']) as f:
203
decrypted_plaintext = f.read()
204
proc.wait()
205
except IOError as e:
206
raise PGPError(e)
207
self.gnupg.passphrase = None
208
return decrypted_plaintext
209
210
93
syslogger.setFormatter(logging.Formatter
94
('Mandos [%(process)d]: %(levelname)s:'
95
' %(message)s'))
96
logger.addHandler(syslogger)
97
98
console = logging.StreamHandler()
99
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
100
' %(levelname)s:'
101
' %(message)s'))
102
logger.addHandler(console)
211
103
212
104
class AvahiError(Exception):
213
105
def __init__(self, value, *args, **kwargs):
272
164
.GetAlternativeServiceName(self.name))
273
165
logger.info("Changing Zeroconf service name to %r ...",
274
166
self.name)
167
syslogger.setFormatter(logging.Formatter
168
('Mandos (%s) [%%(process)d]:'
169
' %%(levelname)s: %%(message)s'
170
% self.name))
275
171
self.remove()
276
172
try:
277
173
self.add()
297
193
avahi.DBUS_INTERFACE_ENTRY_GROUP)
298
194
self.entry_group_state_changed_match = (
299
195
self.group.connect_to_signal(
300
'StateChanged', self.entry_group_state_changed))
196
'StateChanged', self .entry_group_state_changed))
301
197
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
302
198
self.name, self.type)
303
199
self.group.AddService(
329
225
try:
330
226
self.group.Free()
331
227
except (dbus.exceptions.UnknownMethodException,
332
dbus.exceptions.DBusException):
228
dbus.exceptions.DBusException) as e:
333
229
pass
334
230
self.group = None
335
231
self.remove()
369
265
self.server_state_changed)
370
266
self.server_state_changed(self.server.GetState())
371
267
372
class AvahiServiceToSyslog(AvahiService):
373
def rename(self):
374
"""Add the new name to the syslog messages"""
375
ret = AvahiService.rename(self)
376
syslogger.setFormatter(logging.Formatter
377
('Mandos (%s) [%%(process)d]:'
378
' %%(levelname)s: %%(message)s'
379
% self.name))
380
return ret
381
268
382
def timedelta_to_milliseconds(td):
269
def _timedelta_to_milliseconds(td):
383
270
"Convert a datetime.timedelta() to milliseconds"
384
271
return ((td.days * 24 * 60 * 60 * 1000)
385
272
+ (td.seconds * 1000)
389
276
"""A representation of a client host served by this server.
390
277
391
278
Attributes:
392
approved: bool(); 'None' if not yet approved/disapproved
279
_approved: bool(); 'None' if not yet approved/disapproved
393
280
approval_delay: datetime.timedelta(); Time to wait for approval
394
281
approval_duration: datetime.timedelta(); Duration of one approval
395
282
checker: subprocess.Popen(); a running checker process used
402
289
instance %(name)s can be used in the command.
403
290
checker_initiator_tag: a gobject event source tag, or None
404
291
created: datetime.datetime(); (UTC) object creation
405
client_structure: Object describing what attributes a client has
406
and is used for storing the client at exit
407
292
current_checker_command: string; current running checker_command
293
disable_hook: If set, called by disable() as disable_hook(self)
408
294
disable_initiator_tag: a gobject event source tag, or None
409
295
enabled: bool()
410
296
fingerprint: string (40 or 32 hexadecimal digits); used to
413
299
interval: datetime.timedelta(); How often to start a new checker
414
300
last_approval_request: datetime.datetime(); (UTC) or None
415
301
last_checked_ok: datetime.datetime(); (UTC) or None
416
last_checker_status: integer between 0 and 255 reflecting exit
417
status of last checker. -1 reflects crashed
418
checker, -2 means no checker completed yet.
419
last_enabled: datetime.datetime(); (UTC) or None
302
last_enabled: datetime.datetime(); (UTC)
420
303
name: string; from the config file, used in log messages and
421
304
D-Bus identifiers
422
305
secret: bytestring; sent verbatim (over TLS) to client
423
306
timeout: datetime.timedelta(); How long from last_checked_ok
424
307
until this client is disabled
425
extended_timeout: extra long timeout when secret has been sent
308
extended_timeout: extra long timeout when password has been sent
426
309
runtime_expansions: Allowed attributes for runtime expansion.
427
310
expires: datetime.datetime(); time (UTC) when a client will be
428
311
disabled, or None
432
315
"created", "enabled", "fingerprint",
433
316
"host", "interval", "last_checked_ok",
434
317
"last_enabled", "name", "timeout")
435
client_defaults = { "timeout": "5m",
436
"extended_timeout": "15m",
437
"interval": "2m",
438
"checker": "fping -q -- %%(host)s",
439
"host": "",
440
"approval_delay": "0s",
441
"approval_duration": "1s",
442
"approved_by_default": "True",
443
"enabled": "True",
444
}
445
318
446
319
def timeout_milliseconds(self):
447
320
"Return the 'timeout' attribute in milliseconds"
448
return timedelta_to_milliseconds(self.timeout)
321
return _timedelta_to_milliseconds(self.timeout)
449
322
450
323
def extended_timeout_milliseconds(self):
451
324
"Return the 'extended_timeout' attribute in milliseconds"
452
return timedelta_to_milliseconds(self.extended_timeout)
325
return _timedelta_to_milliseconds(self.extended_timeout)
453
326
454
327
def interval_milliseconds(self):
455
328
"Return the 'interval' attribute in milliseconds"
456
return timedelta_to_milliseconds(self.interval)
329
return _timedelta_to_milliseconds(self.interval)
457
330
458
331
def approval_delay_milliseconds(self):
459
return timedelta_to_milliseconds(self.approval_delay)
460
461
@staticmethod
462
def config_parser(config):
463
"""Construct a new dict of client settings of this form:
464
{ client_name: {setting_name: value, ...}, ...}
465
with exceptions for any special settings as defined above.
466
NOTE: Must be a pure function. Must return the same result
467
value given the same arguments.
468
"""
469
settings = {}
470
for client_name in config.sections():
471
section = dict(config.items(client_name))
472
client = settings[client_name] = {}
473
474
client["host"] = section["host"]
475
# Reformat values from string types to Python types
476
client["approved_by_default"] = config.getboolean(
477
client_name, "approved_by_default")
478
client["enabled"] = config.getboolean(client_name,
479
"enabled")
480
481
client["fingerprint"] = (section["fingerprint"].upper()
482
.replace(" ", ""))
483
if "secret" in section:
484
client["secret"] = section["secret"].decode("base64")
485
elif "secfile" in section:
486
with open(os.path.expanduser(os.path.expandvars
487
(section["secfile"])),
488
"rb") as secfile:
489
client["secret"] = secfile.read()
490
else:
491
raise TypeError("No secret or secfile for section %s"
492
% section)
493
client["timeout"] = string_to_delta(section["timeout"])
494
client["extended_timeout"] = string_to_delta(
495
section["extended_timeout"])
496
client["interval"] = string_to_delta(section["interval"])
497
client["approval_delay"] = string_to_delta(
498
section["approval_delay"])
499
client["approval_duration"] = string_to_delta(
500
section["approval_duration"])
501
client["checker_command"] = section["checker"]
502
client["last_approval_request"] = None
503
client["last_checked_ok"] = None
504
client["last_checker_status"] = -2
505
506
return settings
507
508
509
def __init__(self, settings, name = None):
332
return _timedelta_to_milliseconds(self.approval_delay)
333
334
def __init__(self, name = None, disable_hook=None, config=None):
510
335
"""Note: the 'checker' key in 'config' sets the
511
336
'checker_command' attribute and *not* the 'checker'
512
337
attribute."""
513
338
self.name = name
514
# adding all client settings
515
for setting, value in settings.iteritems():
516
setattr(self, setting, value)
517
518
if self.enabled:
519
if not hasattr(self, "last_enabled"):
520
self.last_enabled = datetime.datetime.utcnow()
521
if not hasattr(self, "expires"):
522
self.expires = (datetime.datetime.utcnow()
523
+ self.timeout)
524
else:
525
self.last_enabled = None
526
self.expires = None
527
339
if config is None:
340
config = {}
528
341
logger.debug("Creating client %r", self.name)
529
342
# Uppercase and remove spaces from fingerprint for later
530
343
# comparison purposes with return value from the fingerprint()
531
344
# function
345
self.fingerprint = (config["fingerprint"].upper()
346
.replace(" ", ""))
532
347
logger.debug(" Fingerprint: %s", self.fingerprint)
533
self.created = settings.get("created",
534
datetime.datetime.utcnow())
535
536
# attributes specific for this server instance
348
if "secret" in config:
349
self.secret = config["secret"].decode("base64")
350
elif "secfile" in config:
351
with open(os.path.expanduser(os.path.expandvars
352
(config["secfile"])),
353
"rb") as secfile:
354
self.secret = secfile.read()
355
else:
356
raise TypeError("No secret or secfile for client %s"
357
% self.name)
358
self.host = config.get("host", "")
359
self.created = datetime.datetime.utcnow()
360
self.enabled = False
361
self.last_approval_request = None
362
self.last_enabled = None
363
self.last_checked_ok = None
364
self.timeout = string_to_delta(config["timeout"])
365
self.extended_timeout = string_to_delta(config
366
["extended_timeout"])
367
self.interval = string_to_delta(config["interval"])
368
self.disable_hook = disable_hook
537
369
self.checker = None
538
370
self.checker_initiator_tag = None
539
371
self.disable_initiator_tag = None
372
self.expires = None
540
373
self.checker_callback_tag = None
374
self.checker_command = config["checker"]
541
375
self.current_checker_command = None
542
self.approved = None
376
self.last_connect = None
377
self._approved = None
378
self.approved_by_default = config.get("approved_by_default",
379
True)
543
380
self.approvals_pending = 0
381
self.approval_delay = string_to_delta(
382
config["approval_delay"])
383
self.approval_duration = string_to_delta(
384
config["approval_duration"])
544
385
self.changedstate = (multiprocessing_manager
545
386
.Condition(multiprocessing_manager
546
387
.Lock()))
547
self.client_structure = [attr for attr in
548
self.__dict__.iterkeys()
549
if not attr.startswith("_")]
550
self.client_structure.append("client_structure")
551
552
for name, t in inspect.getmembers(type(self),
553
lambda obj:
554
isinstance(obj,
555
property)):
556
if not name.startswith("_"):
557
self.client_structure.append(name)
558
388
559
# Send notice to process children that client state has changed
560
389
def send_changedstate(self):
561
with self.changedstate:
562
self.changedstate.notify_all()
390
self.changedstate.acquire()
391
self.changedstate.notify_all()
392
self.changedstate.release()
563
393
564
394
def enable(self):
565
395
"""Start this client's checker and timeout hooks"""
567
397
# Already enabled
568
398
return
569
399
self.send_changedstate()
400
# Schedule a new checker to be started an 'interval' from now,
401
# and every interval from then on.
402
self.checker_initiator_tag = (gobject.timeout_add
403
(self.interval_milliseconds(),
404
self.start_checker))
405
# Schedule a disable() when 'timeout' has passed
570
406
self.expires = datetime.datetime.utcnow() + self.timeout
407
self.disable_initiator_tag = (gobject.timeout_add
408
(self.timeout_milliseconds(),
409
self.disable))
571
410
self.enabled = True
572
411
self.last_enabled = datetime.datetime.utcnow()
573
self.init_checker()
412
# Also start a new checker *right now*.
413
self.start_checker()
574
414
575
415
def disable(self, quiet=True):
576
416
"""Disable this client."""
588
428
gobject.source_remove(self.checker_initiator_tag)
589
429
self.checker_initiator_tag = None
590
430
self.stop_checker()
431
if self.disable_hook:
432
self.disable_hook(self)
591
433
self.enabled = False
592
434
# Do not run this again if called by a gobject.timeout_add
593
435
return False
594
436
595
437
def __del__(self):
438
self.disable_hook = None
596
439
self.disable()
597
440
598
def init_checker(self):
599
# Schedule a new checker to be started an 'interval' from now,
600
# and every interval from then on.
601
self.checker_initiator_tag = (gobject.timeout_add
602
(self.interval_milliseconds(),
603
self.start_checker))
604
# Schedule a disable() when 'timeout' has passed
605
self.disable_initiator_tag = (gobject.timeout_add
606
(self.timeout_milliseconds(),
607
self.disable))
608
# Also start a new checker *right now*.
609
self.start_checker()
610
611
441
def checker_callback(self, pid, condition, command):
612
442
"""The checker has completed, so take appropriate actions."""
613
443
self.checker_callback_tag = None
614
444
self.checker = None
615
445
if os.WIFEXITED(condition):
616
self.last_checker_status = os.WEXITSTATUS(condition)
617
if self.last_checker_status == 0:
446
exitstatus = os.WEXITSTATUS(condition)
447
if exitstatus == 0:
618
448
logger.info("Checker for %(name)s succeeded",
619
449
vars(self))
620
450
self.checked_ok()
622
452
logger.info("Checker for %(name)s failed",
623
453
vars(self))
624
454
else:
625
self.last_checker_status = -1
626
455
logger.warning("Checker for %(name)s crashed?",
627
456
vars(self))
628
457
629
def checked_ok(self):
630
"""Assert that the client has been seen, alive and well."""
631
self.last_checked_ok = datetime.datetime.utcnow()
632
self.last_checker_status = 0
633
self.bump_timeout()
634
635
def bump_timeout(self, timeout=None):
636
"""Bump up the timeout for this client."""
458
def checked_ok(self, timeout=None):
459
"""Bump up the timeout for this client.
460
461
This should only be called when the client has been seen,
462
alive and well.
463
"""
637
464
if timeout is None:
638
465
timeout = self.timeout
639
if self.disable_initiator_tag is not None:
640
gobject.source_remove(self.disable_initiator_tag)
641
if getattr(self, "enabled", False):
642
self.disable_initiator_tag = (gobject.timeout_add
643
(timedelta_to_milliseconds
644
(timeout), self.disable))
645
self.expires = datetime.datetime.utcnow() + timeout
466
self.last_checked_ok = datetime.datetime.utcnow()
467
gobject.source_remove(self.disable_initiator_tag)
468
self.expires = datetime.datetime.utcnow() + timeout
469
self.disable_initiator_tag = (gobject.timeout_add
470
(_timedelta_to_milliseconds
471
(timeout), self.disable))
646
472
647
473
def need_approval(self):
648
474
self.last_approval_request = datetime.datetime.utcnow()
851
677
# signatures other than "ay".
852
678
if prop._dbus_signature != "ay":
853
679
raise ValueError
854
value = dbus.ByteArray(b''.join(chr(byte)
855
for byte in value))
680
value = dbus.ByteArray(''.join(unichr(byte)
681
for byte in value))
856
682
prop(value)
857
683
858
684
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
863
689
864
690
Note: Will not include properties with access="write".
865
691
"""
866
properties = {}
692
all = {}
867
693
for name, prop in self._get_all_dbus_properties():
868
694
if (interface_name
869
695
and interface_name != prop._dbus_interface):
874
700
continue
875
701
value = prop()
876
702
if not hasattr(value, "variant_level"):
877
properties[name] = value
703
all[name] = value
878
704
continue
879
properties[name] = type(value)(value, variant_level=
880
value.variant_level+1)
881
return dbus.Dictionary(properties, signature="sv")
705
all[name] = type(value)(value, variant_level=
706
value.variant_level+1)
707
return dbus.Dictionary(all, signature="sv")
882
708
883
709
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
884
710
out_signature="s",
935
761
return dbus.String(dt.isoformat(),
936
762
variant_level=variant_level)
937
763
938
939
764
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
940
765
.__metaclass__):
941
766
"""Applied to an empty subclass of a D-Bus object, this metaclass
1033
858
attribute.func_closure)))
1034
859
return type.__new__(mcs, name, bases, attr)
1035
860
1036
1037
861
class ClientDBus(Client, DBusObjectWithProperties):
1038
862
"""A Client class using D-Bus
1039
863
1048
872
# dbus.service.Object doesn't use super(), so we can't either.
1049
873
1050
874
def __init__(self, bus = None, *args, **kwargs):
875
self._approvals_pending = 0
1051
876
self.bus = bus
1052
877
Client.__init__(self, *args, **kwargs)
1053
878
# Only now, when this client is initialized, can it show up on
1065
890
variant_level=1):
1066
891
""" Modify a variable so that it's a property which announces
1067
892
its changes to DBus.
1068
1069
transform_fun: Function that takes a value and a variant_level
1070
and transforms it to a D-Bus type.
893
894
transform_fun: Function that takes a value and transforms it
895
to a D-Bus type.
1071
896
dbus_name: D-Bus name of the variable
1072
897
type_func: Function that transform the value before sending it
1073
898
to the D-Bus. Default: no transform
1074
899
variant_level: D-Bus variant level. Default: 1
1075
900
"""
1076
attrname = "_{0}".format(dbus_name)
901
real_value = [None,]
1077
902
def setter(self, value):
903
old_value = real_value[0]
904
real_value[0] = value
1078
905
if hasattr(self, "dbus_object_path"):
1079
if (not hasattr(self, attrname) or
1080
type_func(getattr(self, attrname, None))
1081
!= type_func(value)):
1082
dbus_value = transform_func(type_func(value),
1083
variant_level
1084
=variant_level)
906
if type_func(old_value) != type_func(real_value[0]):
907
dbus_value = transform_func(type_func
908
(real_value[0]),
909
variant_level)
1085
910
self.PropertyChanged(dbus.String(dbus_name),
1086
911
dbus_value)
1087
setattr(self, attrname, value)
1088
912
1089
return property(lambda self: getattr(self, attrname), setter)
913
return property(lambda self: real_value[0], setter)
1090
914
1091
915
1092
916
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1101
925
checker is not None)
1102
926
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1103
927
"LastCheckedOK")
1104
last_checker_status = notifychangeproperty(dbus.Int16,
1105
"LastCheckerStatus")
1106
928
last_approval_request = notifychangeproperty(
1107
929
datetime_to_dbus, "LastApprovalRequest")
1108
930
approved_by_default = notifychangeproperty(dbus.Boolean,
1109
931
"ApprovedByDefault")
1110
approval_delay = notifychangeproperty(dbus.UInt64,
932
approval_delay = notifychangeproperty(dbus.UInt16,
1111
933
"ApprovalDelay",
1112
934
type_func =
1113
timedelta_to_milliseconds)
935
_timedelta_to_milliseconds)
1114
936
approval_duration = notifychangeproperty(
1115
dbus.UInt64, "ApprovalDuration",
1116
type_func = timedelta_to_milliseconds)
937
dbus.UInt16, "ApprovalDuration",
938
type_func = _timedelta_to_milliseconds)
1117
939
host = notifychangeproperty(dbus.String, "Host")
1118
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
940
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
1119
941
type_func =
1120
timedelta_to_milliseconds)
942
_timedelta_to_milliseconds)
1121
943
extended_timeout = notifychangeproperty(
1122
dbus.UInt64, "ExtendedTimeout",
1123
type_func = timedelta_to_milliseconds)
1124
interval = notifychangeproperty(dbus.UInt64,
944
dbus.UInt16, "ExtendedTimeout",
945
type_func = _timedelta_to_milliseconds)
946
interval = notifychangeproperty(dbus.UInt16,
1125
947
"Interval",
1126
948
type_func =
1127
timedelta_to_milliseconds)
949
_timedelta_to_milliseconds)
1128
950
checker_command = notifychangeproperty(dbus.String, "Checker")
1129
951
1130
952
del notifychangeproperty
1172
994
return r
1173
995
1174
996
def _reset_approved(self):
1175
self.approved = None
997
self._approved = None
1176
998
return False
1177
999
1178
1000
def approve(self, value=True):
1179
1001
self.send_changedstate()
1180
self.approved = value
1181
gobject.timeout_add(timedelta_to_milliseconds
1002
self._approved = value
1003
gobject.timeout_add(_timedelta_to_milliseconds
1182
1004
(self.approval_duration),
1183
1005
self._reset_approved)
1184
1006
1290
1112
access="readwrite")
1291
1113
def ApprovalDuration_dbus_property(self, value=None):
1292
1114
if value is None: # get
1293
return dbus.UInt64(timedelta_to_milliseconds(
1115
return dbus.UInt64(_timedelta_to_milliseconds(
1294
1116
self.approval_duration))
1295
1117
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1296
1118
1310
1132
def Host_dbus_property(self, value=None):
1311
1133
if value is None: # get
1312
1134
return dbus.String(self.host)
1313
self.host = unicode(value)
1135
self.host = value
1314
1136
1315
1137
# Created - property
1316
1138
@dbus_service_property(_interface, signature="s", access="read")
1317
1139
def Created_dbus_property(self):
1318
return datetime_to_dbus(self.created)
1140
return dbus.String(datetime_to_dbus(self.created))
1319
1141
1320
1142
# LastEnabled - property
1321
1143
@dbus_service_property(_interface, signature="s", access="read")
1342
1164
return
1343
1165
return datetime_to_dbus(self.last_checked_ok)
1344
1166
1345
# LastCheckerStatus - property
1346
@dbus_service_property(_interface, signature="n",
1347
access="read")
1348
def LastCheckerStatus_dbus_property(self):
1349
return dbus.Int16(self.last_checker_status)
1350
1351
1167
# Expires - property
1352
1168
@dbus_service_property(_interface, signature="s", access="read")
1353
1169
def Expires_dbus_property(self):
1365
1181
if value is None: # get
1366
1182
return dbus.UInt64(self.timeout_milliseconds())
1367
1183
self.timeout = datetime.timedelta(0, 0, 0, value)
1184
if getattr(self, "disable_initiator_tag", None) is None:
1185
return
1368
1186
# Reschedule timeout
1369
if self.enabled:
1370
now = datetime.datetime.utcnow()
1371
time_to_die = timedelta_to_milliseconds(
1372
(self.last_checked_ok + self.timeout) - now)
1373
if time_to_die <= 0:
1374
# The timeout has passed
1375
self.disable()
1376
else:
1377
self.expires = (now +
1378
datetime.timedelta(milliseconds =
1379
time_to_die))
1380
if (getattr(self, "disable_initiator_tag", None)
1381
is None):
1382
return
1383
gobject.source_remove(self.disable_initiator_tag)
1384
self.disable_initiator_tag = (gobject.timeout_add
1385
(time_to_die,
1386
self.disable))
1187
gobject.source_remove(self.disable_initiator_tag)
1188
self.disable_initiator_tag = None
1189
self.expires = None
1190
time_to_die = (self.
1191
_timedelta_to_milliseconds((self
1192
.last_checked_ok
1193
+ self.timeout)
1194
- datetime.datetime
1195
.utcnow()))
1196
if time_to_die <= 0:
1197
# The timeout has passed
1198
self.disable()
1199
else:
1200
self.expires = (datetime.datetime.utcnow()
1201
+ datetime.timedelta(milliseconds =
1202
time_to_die))
1203
self.disable_initiator_tag = (gobject.timeout_add
1204
(time_to_die, self.disable))
1387
1205
1388
1206
# ExtendedTimeout - property
1389
1207
@dbus_service_property(_interface, signature="t",
1402
1220
self.interval = datetime.timedelta(0, 0, 0, value)
1403
1221
if getattr(self, "checker_initiator_tag", None) is None:
1404
1222
return
1405
if self.enabled:
1406
# Reschedule checker run
1407
gobject.source_remove(self.checker_initiator_tag)
1408
self.checker_initiator_tag = (gobject.timeout_add
1409
(value, self.start_checker))
1410
self.start_checker() # Start one now, too
1223
# Reschedule checker run
1224
gobject.source_remove(self.checker_initiator_tag)
1225
self.checker_initiator_tag = (gobject.timeout_add
1226
(value, self.start_checker))
1227
self.start_checker() # Start one now, too
1411
1228
1412
1229
# Checker - property
1413
1230
@dbus_service_property(_interface, signature="s",
1415
1232
def Checker_dbus_property(self, value=None):
1416
1233
if value is None: # get
1417
1234
return dbus.String(self.checker_command)
1418
self.checker_command = unicode(value)
1235
self.checker_command = value
1419
1236
1420
1237
# CheckerRunning - property
1421
1238
@dbus_service_property(_interface, signature="b",
1450
1267
raise KeyError()
1451
1268
1452
1269
def __getattribute__(self, name):
1453
if name == '_pipe':
1270
if(name == '_pipe'):
1454
1271
return super(ProxyClient, self).__getattribute__(name)
1455
1272
self._pipe.send(('getattr', name))
1456
1273
data = self._pipe.recv()
1463
1280
return func
1464
1281
1465
1282
def __setattr__(self, name, value):
1466
if name == '_pipe':
1283
if(name == '_pipe'):
1467
1284
return super(ProxyClient, self).__setattr__(name, value)
1468
1285
self._pipe.send(('setattr', name, value))
1469
1286
1470
1471
1287
class ClientDBusTransitional(ClientDBus):
1472
1288
__metaclass__ = AlternateDBusNamesMetaclass
1473
1289
1474
1475
1290
class ClientHandler(socketserver.BaseRequestHandler, object):
1476
1291
"""A class to handle client connections.
1477
1292
1559
1374
client.Rejected("Disabled")
1560
1375
return
1561
1376
1562
if client.approved or not client.approval_delay:
1377
if client._approved or not client.approval_delay:
1563
1378
#We are approved or approval is disabled
1564
1379
break
1565
elif client.approved is None:
1380
elif client._approved is None:
1566
1381
logger.info("Client %s needs approval",
1567
1382
client.name)
1568
1383
if self.server.use_dbus:
1579
1394
return
1580
1395
1581
1396
#wait until timeout or approved
1397
#x = float(client
1398
# ._timedelta_to_milliseconds(delay))
1582
1399
time = datetime.datetime.now()
1583
1400
client.changedstate.acquire()
1584
1401
(client.changedstate.wait
1585
(float(client.timedelta_to_milliseconds(delay)
1402
(float(client._timedelta_to_milliseconds(delay)
1586
1403
/ 1000)))
1587
1404
client.changedstate.release()
1588
1405
time2 = datetime.datetime.now()
1613
1430
sent_size += sent
1614
1431
1615
1432
logger.info("Sending secret to %s", client.name)
1616
# bump the timeout using extended_timeout
1617
client.bump_timeout(client.extended_timeout)
1433
# bump the timeout as if seen
1434
client.checked_ok(client.extended_timeout)
1618
1435
if self.server.use_dbus:
1619
1436
# Emit D-Bus signal
1620
1437
client.GotSecret()
1687
1504
# Convert the buffer to a Python bytestring
1688
1505
fpr = ctypes.string_at(buf, buf_len.value)
1689
1506
# Convert the bytestring to hexadecimal notation
1690
hex_fpr = binascii.hexlify(fpr).upper()
1507
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1691
1508
return hex_fpr
1692
1509
1693
1510
1696
1513
def sub_process_main(self, request, address):
1697
1514
try:
1698
1515
self.finish_request(request, address)
1699
except Exception:
1516
except:
1700
1517
self.handle_error(request, address)
1701
1518
self.close_request(request)
1702
1519
1703
1520
def process_request(self, request, address):
1704
1521
"""Start a new process to process the request."""
1705
proc = multiprocessing.Process(target = self.sub_process_main,
1706
args = (request,
1707
address))
1708
proc.start()
1709
return proc
1522
multiprocessing.Process(target = self.sub_process_main,
1523
args = (request, address)).start()
1710
1524
1711
1525
1712
1526
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1718
1532
"""
1719
1533
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1720
1534
1721
proc = MultiprocessingMixIn.process_request(self, request,
1722
client_address)
1535
super(MultiprocessingMixInWithPipe,
1536
self).process_request(request, client_address)
1723
1537
self.child_pipe.close()
1724
self.add_pipe(parent_pipe, proc)
1538
self.add_pipe(parent_pipe)
1725
1539
1726
def add_pipe(self, parent_pipe, proc):
1540
def add_pipe(self, parent_pipe):
1727
1541
"""Dummy function; override as necessary"""
1728
1542
raise NotImplementedError
1729
1543
1807
1621
self.enabled = False
1808
1622
self.clients = clients
1809
1623
if self.clients is None:
1810
self.clients = {}
1624
self.clients = set()
1811
1625
self.use_dbus = use_dbus
1812
1626
self.gnutls_priority = gnutls_priority
1813
1627
IPv6_TCPServer.__init__(self, server_address,
1817
1631
def server_activate(self):
1818
1632
if self.enabled:
1819
1633
return socketserver.TCPServer.server_activate(self)
1820
1821
1634
def enable(self):
1822
1635
self.enabled = True
1823
1824
def add_pipe(self, parent_pipe, proc):
1636
def add_pipe(self, parent_pipe):
1825
1637
# Call "handle_ipc" for both data and EOF events
1826
1638
gobject.io_add_watch(parent_pipe.fileno(),
1827
1639
gobject.IO_IN | gobject.IO_HUP,
1828
1640
functools.partial(self.handle_ipc,
1829
1641
parent_pipe =
1830
parent_pipe,
1831
proc = proc))
1832
1642
parent_pipe))
1643
1833
1644
def handle_ipc(self, source, condition, parent_pipe=None,
1834
proc = None, client_object=None):
1645
client_object=None):
1835
1646
condition_names = {
1836
1647
gobject.IO_IN: "IN", # There is data to read.
1837
1648
gobject.IO_OUT: "OUT", # Data can be written (without
1846
1657
for cond, name in
1847
1658
condition_names.iteritems()
1848
1659
if cond & condition)
1849
# error, or the other end of multiprocessing.Pipe has closed
1660
# error or the other end of multiprocessing.Pipe has closed
1850
1661
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1851
# Wait for other process to exit
1852
proc.join()
1853
1662
return False
1854
1663
1855
1664
# Read a request from the child
1860
1669
fpr = request[1]
1861
1670
address = request[2]
1862
1671
1863
for c in self.clients.itervalues():
1672
for c in self.clients:
1864
1673
if c.fingerprint == fpr:
1865
1674
client = c
1866
1675
break
1879
1688
functools.partial(self.handle_ipc,
1880
1689
parent_pipe =
1881
1690
parent_pipe,
1882
proc = proc,
1883
1691
client_object =
1884
1692
client))
1885
1693
parent_pipe.send(True)
1950
1758
return timevalue
1951
1759
1952
1760
1761
def if_nametoindex(interface):
1762
"""Call the C function if_nametoindex(), or equivalent
1763
1764
Note: This function cannot accept a unicode string."""
1765
global if_nametoindex
1766
try:
1767
if_nametoindex = (ctypes.cdll.LoadLibrary
1768
(ctypes.util.find_library("c"))
1769
.if_nametoindex)
1770
except (OSError, AttributeError):
1771
logger.warning("Doing if_nametoindex the hard way")
1772
def if_nametoindex(interface):
1773
"Get an interface index the hard way, i.e. using fcntl()"
1774
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1775
with contextlib.closing(socket.socket()) as s:
1776
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1777
struct.pack(str("16s16x"),
1778
interface))
1779
interface_index = struct.unpack(str("I"),
1780
ifreq[16:20])[0]
1781
return interface_index
1782
return if_nametoindex(interface)
1783
1784
1953
1785
def daemon(nochdir = False, noclose = False):
1954
1786
"""See daemon(3). Standard BSD Unix function.
1955
1787
1963
1795
sys.exit()
1964
1796
if not noclose:
1965
1797
# Close all standard open file descriptors
1966
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1798
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1967
1799
if not stat.S_ISCHR(os.fstat(null).st_mode):
1968
1800
raise OSError(errno.ENODEV,
1969
1801
"%s not a character device"
1970
% os.devnull)
1802
% os.path.devnull)
1971
1803
os.dup2(null, sys.stdin.fileno())
1972
1804
os.dup2(null, sys.stdout.fileno())
1973
1805
os.dup2(null, sys.stderr.fileno())
2010
1842
" system bus interface")
2011
1843
parser.add_argument("--no-ipv6", action="store_false",
2012
1844
dest="use_ipv6", help="Do not use IPv6")
2013
parser.add_argument("--no-restore", action="store_false",
2014
dest="restore", help="Do not restore stored"
2015
" state")
2016
parser.add_argument("--statedir", metavar="DIR",
2017
help="Directory to save/restore state in")
2018
2019
1845
options = parser.parse_args()
2020
1846
2021
1847
if options.check:
2034
1860
"use_dbus": "True",
2035
1861
"use_ipv6": "True",
2036
1862
"debuglevel": "",
2037
"restore": "True",
2038
"statedir": "/var/lib/mandos"
2039
1863
}
2040
1864
2041
1865
# Parse config file for server-global settings
2058
1882
# options, if set.
2059
1883
for option in ("interface", "address", "port", "debug",
2060
1884
"priority", "servicename", "configdir",
2061
"use_dbus", "use_ipv6", "debuglevel", "restore",
2062
"statedir"):
1885
"use_dbus", "use_ipv6", "debuglevel"):
2063
1886
value = getattr(options, option)
2064
1887
if value is not None:
2065
1888
server_settings[option] = value
2077
1900
debuglevel = server_settings["debuglevel"]
2078
1901
use_dbus = server_settings["use_dbus"]
2079
1902
use_ipv6 = server_settings["use_ipv6"]
2080
stored_state_path = os.path.join(server_settings["statedir"],
2081
stored_state_file)
2082
2083
if debug:
2084
initlogger(debug, logging.DEBUG)
2085
else:
2086
if not debuglevel:
2087
initlogger(debug)
2088
else:
2089
level = getattr(logging, debuglevel.upper())
2090
initlogger(debug, level)
2091
1903
2092
1904
if server_settings["servicename"] != "Mandos":
2093
1905
syslogger.setFormatter(logging.Formatter
2096
1908
% server_settings["servicename"]))
2097
1909
2098
1910
# Parse config file with clients
2099
client_config = configparser.SafeConfigParser(Client
2100
.client_defaults)
1911
client_defaults = { "timeout": "5m",
1912
"extended_timeout": "15m",
1913
"interval": "2m",
1914
"checker": "fping -q -- %%(host)s",
1915
"host": "",
1916
"approval_delay": "0s",
1917
"approval_duration": "1s",
1918
}
1919
client_config = configparser.SafeConfigParser(client_defaults)
2101
1920
client_config.read(os.path.join(server_settings["configdir"],
2102
1921
"clients.conf"))
2103
1922
2141
1960
if error[0] != errno.EPERM:
2142
1961
raise error
2143
1962
1963
if not debug and not debuglevel:
1964
syslogger.setLevel(logging.WARNING)
1965
console.setLevel(logging.WARNING)
1966
if debuglevel:
1967
level = getattr(logging, debuglevel.upper())
1968
syslogger.setLevel(level)
1969
console.setLevel(level)
1970
2144
1971
if debug:
2145
1972
# Enable all possible GnuTLS debugging
2146
1973
2156
1983
.gnutls_global_set_log_function(debug_gnutls))
2157
1984
2158
1985
# Redirect stdin so all checkers get /dev/null
2159
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1986
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2160
1987
os.dup2(null, sys.stdin.fileno())
2161
1988
if null > 2:
2162
1989
os.close(null)
1990
else:
1991
# No console logging
1992
logger.removeHandler(console)
2163
1993
2164
1994
# Need to fork before connecting to D-Bus
2165
1995
if not debug:
2166
1996
# Close all input and output, do double fork, etc.
2167
1997
daemon()
2168
1998
2169
gobject.threads_init()
2170
2171
1999
global main_loop
2172
2000
# From the Avahi example code
2173
DBusGMainLoop(set_as_default=True)
2001
DBusGMainLoop(set_as_default=True )
2174
2002
main_loop = gobject.MainLoop()
2175
2003
bus = dbus.SystemBus()
2176
2004
# End of Avahi example code
2187
2015
server_settings["use_dbus"] = False
2188
2016
tcp_server.use_dbus = False
2189
2017
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2190
service = AvahiServiceToSyslog(name =
2191
server_settings["servicename"],
2192
servicetype = "_mandos._tcp",
2193
protocol = protocol, bus = bus)
2018
service = AvahiService(name = server_settings["servicename"],
2019
servicetype = "_mandos._tcp",
2020
protocol = protocol, bus = bus)
2194
2021
if server_settings["interface"]:
2195
2022
service.interface = (if_nametoindex
2196
2023
(str(server_settings["interface"])))
2201
2028
client_class = Client
2202
2029
if use_dbus:
2203
2030
client_class = functools.partial(ClientDBusTransitional,
2204
bus = bus)
2205
2206
client_settings = Client.config_parser(client_config)
2207
old_client_settings = {}
2208
clients_data = {}
2209
2210
# Get client data and settings from last running state.
2211
if server_settings["restore"]:
2212
try:
2213
with open(stored_state_path, "rb") as stored_state:
2214
clients_data, old_client_settings = (pickle.load
2215
(stored_state))
2216
os.remove(stored_state_path)
2217
except IOError as e:
2218
logger.warning("Could not load persistent state: {0}"
2219
.format(e))
2220
if e.errno != errno.ENOENT:
2221
raise
2222
except EOFError as e:
2223
logger.warning("Could not load persistent state: "
2224
"EOFError: {0}".format(e))
2225
2226
with PGPEngine() as pgp:
2227
for client_name, client in clients_data.iteritems():
2228
# Decide which value to use after restoring saved state.
2229
# We have three different values: Old config file,
2230
# new config file, and saved state.
2231
# New config value takes precedence if it differs from old
2232
# config value, otherwise use saved state.
2233
for name, value in client_settings[client_name].items():
2234
try:
2235
# For each value in new config, check if it
2236
# differs from the old config value (Except for
2237
# the "secret" attribute)
2238
if (name != "secret" and
2239
value != old_client_settings[client_name]
2240
[name]):
2241
client[name] = value
2242
except KeyError:
2243
pass
2244
2245
# Clients who has passed its expire date can still be
2246
# enabled if its last checker was successful. Clients
2247
# whose checker succeeded before we stored its state is
2248
# assumed to have successfully run all checkers during
2249
# downtime.
2250
if client["enabled"]:
2251
if datetime.datetime.utcnow() >= client["expires"]:
2252
if not client["last_checked_ok"]:
2253
logger.warning(
2254
"disabling client {0} - Client never "
2255
"performed a successful checker"
2256
.format(client_name))
2257
client["enabled"] = False
2258
elif client["last_checker_status"] != 0:
2259
logger.warning(
2260
"disabling client {0} - Client "
2261
"last checker failed with error code {1}"
2262
.format(client_name,
2263
client["last_checker_status"]))
2264
client["enabled"] = False
2265
else:
2266
client["expires"] = (datetime.datetime
2267
.utcnow()
2268
+ client["timeout"])
2269
logger.debug("Last checker succeeded,"
2270
" keeping {0} enabled"
2271
.format(client_name))
2031
bus = bus)
2032
def client_config_items(config, section):
2033
special_settings = {
2034
"approved_by_default":
2035
lambda: config.getboolean(section,
2036
"approved_by_default"),
2037
}
2038
for name, value in config.items(section):
2272
2039
try:
2273
client["secret"] = (
2274
pgp.decrypt(client["encrypted_secret"],
2275
client_settings[client_name]
2276
["secret"]))
2277
except PGPError:
2278
# If decryption fails, we use secret from new settings
2279
logger.debug("Failed to decrypt {0} old secret"
2280
.format(client_name))
2281
client["secret"] = (
2282
client_settings[client_name]["secret"])
2283
2284
2285
# Add/remove clients based on new changes made to config
2286
for client_name in (set(old_client_settings)
2287
- set(client_settings)):
2288
del clients_data[client_name]
2289
for client_name in (set(client_settings)
2290
- set(old_client_settings)):
2291
clients_data[client_name] = client_settings[client_name]
2292
2293
# Create all client objects
2294
for client_name, client in clients_data.iteritems():
2295
tcp_server.clients[client_name] = client_class(
2296
name = client_name, settings = client)
2297
2040
yield (name, special_settings[name]())
2041
except KeyError:
2042
yield (name, value)
2043
2044
tcp_server.clients.update(set(
2045
client_class(name = section,
2046
config= dict(client_config_items(
2047
client_config, section)))
2048
for section in client_config.sections()))
2298
2049
if not tcp_server.clients:
2299
2050
logger.warning("No clients defined")
2300
2051
2311
2062
# "pidfile" was never created
2312
2063
pass
2313
2064
del pidfilename
2065
2314
2066
signal.signal(signal.SIGINT, signal.SIG_IGN)
2315
2067
2316
2068
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2342
2094
def GetAllClients(self):
2343
2095
"D-Bus method"
2344
2096
return dbus.Array(c.dbus_object_path
2345
for c in
2346
tcp_server.clients.itervalues())
2097
for c in tcp_server.clients)
2347
2098
2348
2099
@dbus.service.method(_interface,
2349
2100
out_signature="a{oa{sv}}")
2351
2102
"D-Bus method"
2352
2103
return dbus.Dictionary(
2353
2104
((c.dbus_object_path, c.GetAll(""))
2354
for c in tcp_server.clients.itervalues()),
2105
for c in tcp_server.clients),
2355
2106
signature="oa{sv}")
2356
2107
2357
2108
@dbus.service.method(_interface, in_signature="o")
2358
2109
def RemoveClient(self, object_path):
2359
2110
"D-Bus method"
2360
for c in tcp_server.clients.itervalues():
2111
for c in tcp_server.clients:
2361
2112
if c.dbus_object_path == object_path:
2362
del tcp_server.clients[c.name]
2113
tcp_server.clients.remove(c)
2363
2114
c.remove_from_connection()
2364
2115
# Don't signal anything except ClientRemoved
2365
2116
c.disable(quiet=True)
2378
2129
"Cleanup function; run on exit"
2379
2130
service.cleanup()
2380
2131
2381
multiprocessing.active_children()
2382
if not (tcp_server.clients or client_settings):
2383
return
2384
2385
# Store client before exiting. Secrets are encrypted with key
2386
# based on what config file has. If config file is
2387
# removed/edited, old secret will thus be unrecovable.
2388
clients = {}
2389
with PGPEngine() as pgp:
2390
for client in tcp_server.clients.itervalues():
2391
key = client_settings[client.name]["secret"]
2392
client.encrypted_secret = pgp.encrypt(client.secret,
2393
key)
2394
client_dict = {}
2395
2396
# A list of attributes that can not be pickled
2397
# + secret.
2398
exclude = set(("bus", "changedstate", "secret",
2399
"checker"))
2400
for name, typ in (inspect.getmembers
2401
(dbus.service.Object)):
2402
exclude.add(name)
2403
2404
client_dict["encrypted_secret"] = (client
2405
.encrypted_secret)
2406
for attr in client.client_structure:
2407
if attr not in exclude:
2408
client_dict[attr] = getattr(client, attr)
2409
2410
clients[client.name] = client_dict
2411
del client_settings[client.name]["secret"]
2412
2413
try:
2414
tempfd, tempname = tempfile.mkstemp(suffix=".pickle",
2415
prefix="clients-",
2416
dir=os.path.dirname
2417
(stored_state_path))
2418
with os.fdopen(tempfd, "wb") as stored_state:
2419
pickle.dump((clients, client_settings), stored_state)
2420
os.rename(tempname, stored_state_path)
2421
except (IOError, OSError) as e:
2422
logger.warning("Could not save persistent state: {0}"
2423
.format(e))
2424
if not debug:
2425
try:
2426
os.remove(tempname)
2427
except NameError:
2428
pass
2429
if e.errno not in set((errno.ENOENT, errno.EACCES,
2430
errno.EEXIST)):
2431
raise e
2432
2433
# Delete all clients, and settings from config
2434
2132
while tcp_server.clients:
2435
name, client = tcp_server.clients.popitem()
2133
client = tcp_server.clients.pop()
2436
2134
if use_dbus:
2437
2135
client.remove_from_connection()
2136
client.disable_hook = None
2438
2137
# Don't signal anything except ClientRemoved
2439
2138
client.disable(quiet=True)
2440
2139
if use_dbus:
2442
2141
mandos_dbus_service.ClientRemoved(client
2443
2142
.dbus_object_path,
2444
2143
client.name)
2445
client_settings.clear()
2446
2144
2447
2145
atexit.register(cleanup)
2448
2146
2449
for client in tcp_server.clients.itervalues():
2147
for client in tcp_server.clients:
2450
2148
if use_dbus:
2451
2149
# Emit D-Bus signal
2452
2150
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2453
# Need to initiate checking of clients
2454
if client.enabled:
2455
client.init_checker()
2151
client.enable()
2456
2152
2457
2153
tcp_server.enable()
2458
2154
tcp_server.server_activate()
2498
2194
# Must run before the D-Bus bus name gets deregistered
2499
2195
cleanup()
2500
2196
2197
2501
2198
if __name__ == '__main__':
2502
2199
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0