
Viewing changes to mandos-ctl

  • Committer: Teddy Hogeborn
  • Date: 2019-03-07 21:41:04 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 382.
  • Revision ID: teddy@recompile.se-20190307214104-covfbvw1ch6ermzl
mandos-ctl.xml: Use RFC3339 duration values in examples

* mandos-ctl.xml (EXAMPLE): Use RFC3339 duration values.

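--- a/mandos-ctl
+++ b/mandos-ctl
@@ -44,7 +44,6 @@
 import logging
 import io
 import tempfile
-import contextlib
 
 import dbus
 
@@ -294,18 +293,12 @@
                     "ApprovalDuration", "Checker", "ExtendedTimeout",
                     "Expires", "LastCheckerStatus")
     def run(self, mandos, clients):
-        print(self.output(clients.values()))
+        print(self.output(clients))
 
 class PropertyCmd(Command):
     """Abstract class for Actions for setting one client property"""
     def run_on_one_client(self, client, properties):
         """Set the Client's D-Bus property"""
-        log.debug("D-Bus: %s:%s:%s.Set(%r, %r, %r)", busname,
-                  client.__dbus_object_path__,
-                  dbus.PROPERTIES_IFACE, client_interface,
-                  self.property, self.value_to_set
-                  if not isinstance(self.value_to_set, dbus.Boolean)
-                  else bool(self.value_to_set))
         client.Set(client_interface, self.property, self.value_to_set,
                    dbus_interface=dbus.PROPERTIES_IFACE)
 
@@ -336,7 +329,7 @@
         keywords = default_keywords
         if self.verbose:
             keywords = self.all_keywords
-        return str(self.TableOfClients(clients, keywords))
+        return str(self.TableOfClients(clients.values(), keywords))
 
     class TableOfClients(object):
         tableheaders = {
@@ -433,31 +426,19 @@
             sys.exit(0)
         sys.exit(1)
     def is_enabled(self, client, properties):
-        log.debug("D-Bus: %s:%s:%s.Get(%r, %r)", busname,
-                  client.__dbus_object_path__,
-                  dbus.PROPERTIES_IFACE, client_interface,
-                  "Enabled")
-        return bool(client.Get(client_interface, "Enabled",
-                               dbus_interface=dbus.PROPERTIES_IFACE))
+        return bool(properties["Enabled"])
 
 class RemoveCmd(Command):
     def run_on_one_client(self, client, properties):
-        log.debug("D-Bus: %s:%s:%s.RemoveClient(%r)", busname,
-                  server_path, server_interface,
-                  str(client.__dbus_object_path__))
         self.mandos.RemoveClient(client.__dbus_object_path__)
 
 class ApproveCmd(Command):
     def run_on_one_client(self, client, properties):
-        log.debug("D-Bus: %s:%s.Approve(True)",
-                  client.__dbus_object_path__, client_interface)
         client.Approve(dbus.Boolean(True),
                        dbus_interface=client_interface)
 
 class DenyCmd(Command):
     def run_on_one_client(self, client, properties):
-        log.debug("D-Bus: %s:%s.Approve(False)",
-                  client.__dbus_object_path__, client_interface)
         client.Approve(dbus.Boolean(False),
                        dbus_interface=client_interface)
 
@@ -584,8 +565,6 @@
         help="Approve any current client request")
     approve_deny.add_argument("-D", "--deny", action="store_true",
                               help="Deny any current client request")
-    parser.add_argument("--debug", action="store_true",
-                        help="Debug mode (show D-Bus commands)")
     parser.add_argument("--check", action="store_true",
                         help="Run self-test")
     parser.add_argument("client", nargs="*", help="Client name")
@@ -616,6 +595,9 @@
     if options.is_enabled:
         commands.append(IsEnabledCmd())
 
+    if options.remove:
+        commands.append(RemoveCmd())
+
     if options.checker is not None:
         commands.append(SetCheckerCmd(options.checker))
 
@@ -654,9 +636,6 @@
     if options.deny:
         commands.append(DenyCmd())
 
-    if options.remove:
-        commands.append(RemoveCmd())
-
     # If no command option has been given, show table of clients,
     # optionally verbosely
     if not commands:
@@ -666,8 +645,6 @@
 
 
 def check_option_syntax(parser, options):
-    """Apply additional restrictions on options, not expressible in
-argparse"""
 
     def has_actions(options):
         return any((options.enable,
@@ -700,11 +677,6 @@
         parser.error("--all requires an action.")
     if options.is_enabled and len(options.client) > 1:
         parser.error("--is-enabled requires exactly one client")
-    if options.remove:
-        options.remove = False
-        if has_actions(options) and not options.deny:
-            parser.error("--remove can only be combined with --deny")
-        options.remove = True
 
 
 def main():
@@ -718,13 +690,8 @@
 
     clientnames = options.client
 
-    if options.debug:
-        log.setLevel(logging.DEBUG)
-
     try:
         bus = dbus.SystemBus()
-        log.debug("D-Bus: Connect to: (name=%r, path=%r)", busname,
-                  server_path)
         mandos_dbus_objc = bus.get_object(busname, server_path)
     except dbus.exceptions.DBusException:
         log.critical("Could not connect to Mandos server")
@@ -743,8 +710,6 @@
     dbus_filter = NullFilter()
     try:
         dbus_logger.addFilter(dbus_filter)
-        log.debug("D-Bus: %s:%s:%s.GetManagedObjects()", busname,
-                  server_path, dbus.OBJECT_MANAGER_IFACE)
         mandos_clients = {path: ifs_and_props[client_interface]
                           for path, ifs_and_props in
                           mandos_serv_object_manager
@@ -762,16 +727,12 @@
     clients = {}
 
     if not clientnames:
-        clients = {(log.debug("D-Bus: Connect to: (name=%r, path=%r)",
-                              busname, str(path)) and False) or
-                   bus.get_object(busname, path): properties
+        clients = {bus.get_object(busname, path): properties
                    for path, properties in mandos_clients.items()}
     else:
         for name in clientnames:
             for path, client in mandos_clients.items():
                 if client["Name"] == name:
-                    log.debug("D-Bus: Connect to: (name=%r, path=%r)",
-                              busname, str(path))
                     client_objc = bus.get_object(busname, path)
                     clients[client_objc] = client
                     break
@@ -912,7 +873,7 @@
 
 class TestPrintTableCmd(TestCmd):
     def test_normal(self):
-        output = PrintTableCmd().output(self.clients.values())
+        output = PrintTableCmd().output(self.clients)
         expected_output = """
 Name   Enabled Timeout  Last Successful Check
 foo    Yes     00:05:00 2019-02-03T00:00:00  
@@ -920,8 +881,7 @@
 """[1:-1]
         self.assertEqual(output, expected_output)
     def test_verbose(self):
-        output = PrintTableCmd(verbose=True).output(
-            self.clients.values())
+        output = PrintTableCmd(verbose=True).output(self.clients)
         expected_output = """
 Name   Enabled Timeout  Last Successful Check Created             Interval Host            Key ID                                                           Fingerprint                              Check Is Running Last Enabled        Approval Is Pending Approved By Default Last Approval Request Approval Delay Approval Duration Checker              Extended Timeout Expires             Last Checker Status
 foo    Yes     00:05:00 2019-02-03T00:00:00   2019-01-02T00:00:00 00:02:00 foo.example.org 92ed150794387c03ce684574b1139a6594a34f895daaaf09fd8ea90a27cddb12 778827225BA7DE539C5A7CFA59CFF7CDBD9A5920 No               2019-01-03T00:00:00 No                  Yes                                       00:00:00       00:00:01          fping -q -- %(host)s 00:15:00         2019-02-04T00:00:00 0                  
@@ -929,7 +889,7 @@
 """[1:-1]
         self.assertEqual(output, expected_output)
     def test_one_client(self):
-        output = PrintTableCmd().output(self.one_client.values())
+        output = PrintTableCmd().output(self.one_client)
         expected_output = """
 Name Enabled Timeout  Last Successful Check
 foo  Yes     00:05:00 2019-02-03T00:00:00  
@@ -1138,7 +1098,7 @@
 class TestSetSecretCmd(TestValueArgumentPropertyCmd):
     command = SetSecretCmd
     property = "Secret"
-    values_to_set = [io.BytesIO(b""),
+    values_to_set = [open("/dev/null", "rb"),
                      io.BytesIO(b"secret\0xyzzy\nbar")]
     values_to_get = [b"", b"secret\0xyzzy\nbar"]
 
@@ -1370,153 +1330,6 @@
     def test_is_enabled_short(self):
         self.assert_command_from_args(["-V", "foo"], IsEnabledCmd)
 
-    def test_deny_before_remove(self):
-        options = self.parser.parse_args(["--deny", "--remove", "foo"])
-        check_option_syntax(self.parser, options)
-        commands = commands_from_options(options)
-        self.assertEqual(len(commands), 2)
-        self.assertIsInstance(commands[0], DenyCmd)
-        self.assertIsInstance(commands[1], RemoveCmd)
-
-    def test_deny_before_remove_reversed(self):
-        options = self.parser.parse_args(["--remove", "--deny", "--all"])
-        check_option_syntax(self.parser, options)
-        commands = commands_from_options(options)
-        self.assertEqual(len(commands), 2)
-        self.assertIsInstance(commands[0], DenyCmd)
-        self.assertIsInstance(commands[1], RemoveCmd)
-
-
-class Test_check_option_syntax(unittest.TestCase):
-    # This mostly corresponds to the definition from has_actions() in
-    # check_option_syntax()
-    actions = {
-        # The actual values set here are not that important, but we do
-        # at least stick to the correct types, even though they are
-        # never used
-        "enable": True,
-        "disable": True,
-        "bump_timeout": True,
-        "start_checker": True,
-        "stop_checker": True,
-        "is_enabled": True,
-        "remove": True,
-        "checker": "x",
-        "timeout": datetime.timedelta(),
-        "extended_timeout": datetime.timedelta(),
-        "interval": datetime.timedelta(),
-        "approved_by_default": True,
-        "approval_delay": datetime.timedelta(),
-        "approval_duration": datetime.timedelta(),
-        "host": "x",
-        "secret": io.BytesIO(b"x"),
-        "approve": True,
-        "deny": True,
-    }
-
-    def setUp(self):
-        self.parser = argparse.ArgumentParser()
-        add_command_line_options(self.parser)
-
-    @contextlib.contextmanager
-    def assertParseError(self):
-        with self.assertRaises(SystemExit) as e:
-            with self.temporarily_suppress_stderr():
-                yield
-        # Exit code from argparse is guaranteed to be "2".  Reference:
-        # https://docs.python.org/3/library/argparse.html#exiting-methods
-        self.assertEqual(e.exception.code, 2)
-
-    @staticmethod
-    @contextlib.contextmanager
-    def temporarily_suppress_stderr():
-        null = os.open(os.path.devnull, os.O_RDWR)
-        stderrcopy = os.dup(sys.stderr.fileno())
-        os.dup2(null, sys.stderr.fileno())
-        os.close(null)
-        try:
-            yield
-        finally:
-            # restore stderr
-            os.dup2(stderrcopy, sys.stderr.fileno())
-            os.close(stderrcopy)
-
-    def check_option_syntax(self, options):
-        check_option_syntax(self.parser, options)
-
-    def test_actions_requires_client_or_all(self):
-        for action, value in self.actions.items():
-            options = self.parser.parse_args()
-            setattr(options, action, value)
-            with self.assertParseError():
-                self.check_option_syntax(options)
-
-    def test_actions_conflicts_with_verbose(self):
-        for action, value in self.actions.items():
-            options = self.parser.parse_args()
-            setattr(options, action, value)
-            options.verbose = True
-            with self.assertParseError():
-                self.check_option_syntax(options)
-
-    def test_dump_json_conflicts_with_verbose(self):
-        options = self.parser.parse_args()
-        options.dump_json = True
-        options.verbose = True
-        with self.assertParseError():
-            self.check_option_syntax(options)
-
-    def test_dump_json_conflicts_with_action(self):
-        for action, value in self.actions.items():
-            options = self.parser.parse_args()
-            setattr(options, action, value)
-            options.dump_json = True
-            with self.assertParseError():
-                self.check_option_syntax(options)
-
-    def test_all_can_not_be_alone(self):
-        options = self.parser.parse_args()
-        options.all = True
-        with self.assertParseError():
-            self.check_option_syntax(options)
-
-    def test_all_is_ok_with_any_action(self):
-        for action, value in self.actions.items():
-            options = self.parser.parse_args()
-            setattr(options, action, value)
-            options.all = True
-            self.check_option_syntax(options)
-
-    def test_is_enabled_fails_without_client(self):
-        options = self.parser.parse_args()
-        options.is_enabled = True
-        with self.assertParseError():
-            self.check_option_syntax(options)
-
-    def test_is_enabled_works_with_one_client(self):
-        options = self.parser.parse_args()
-        options.is_enabled = True
-        options.client = ["foo"]
-        self.check_option_syntax(options)
-
-    def test_is_enabled_fails_with_two_clients(self):
-        options = self.parser.parse_args()
-        options.is_enabled = True
-        options.client = ["foo", "barbar"]
-        with self.assertParseError():
-            self.check_option_syntax(options)
-
-    def test_remove_can_only_be_combined_with_action_deny(self):
-        for action, value in self.actions.items():
-            if action in {"remove", "deny"}:
-                continue
-            options = self.parser.parse_args()
-            setattr(options, action, value)
-            options.all = True
-            options.remove = True
-            with self.assertParseError():
-                self.check_option_syntax(options)
-
 
 
 def should_only_run_tests():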
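Review bot: On the new side `RemoveCmd()` is appended right after `IsEnabledCmd()` (new lines 598-599), ahead of every property setter and of `ApproveCmd`/`DenyCmd`, so with `--deny --remove` the client is removed before its pending request is denied, and the later `client.Approve(dbus.Boolean(False), ...)` presumably addresses an object the server no longer exports. The same section drops the `--remove can only be combined with --deny` check from `check_option_syntax()` together with the `test_deny_before_remove*` and `Test_check_option_syntax` tests, so nothing rejects or orders these combinations any more. Keep `if options.remove:` / `commands.append(RemoveCmd())` after the `if options.deny:` block and keep the parser check; the function enclosing the reordered lines starts outside the hunk. Separately, `values_to_set = [open("/dev/null", "rb"),` in `TestSetSecretCmd` opens a file when the class body runs and never closes it; `io.BytesIO(b"")` gives the same empty input without the leaked descriptor or the Unix-only path.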