To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 295
- compare with another revision
- download diff
- download tarball
- view history from revision 295
- Committer: Teddy Hogeborn
- Date: 2012-01-08 10:19:33 UTC
- Revision ID: teddy@recompile.se-20120108101933-xbtodqgepxax8hn1
Tags: version-1.5.2-1
* Makefile (version): Changed to "1.5.2".
* NEWS (Version 1.5.2): New entry.
* debian/changelog (1.5.2-1): - '' -
* NEWS (Version 1.5.2): New entry.
* debian/changelog (1.5.2-1): - '' -
- files added:
- network-hooks.d
- files modified:
- DBUS-API
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
14
# Copyright © 2008-2012 Teddy Hogeborn
15
# Copyright © 2008-2012 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
85
85
except ImportError:
86
86
SO_BINDTODEVICE = None
87
87
88
89
version = "1.4.1"
90
stored_state_path = "/var/lib/mandos/clients.pickle"
88
version = "1.5.2"
89
stored_state_file = "clients.pickle"
91
90
92
91
logger = logging.getLogger()
93
92
syslogger = (logging.handlers.SysLogHandler
111
110
return interface_index
112
111
113
112
114
def initlogger(level=logging.WARNING):
113
def initlogger(debug, level=logging.WARNING):
115
114
"""init logger and add loglevel"""
116
115
117
116
syslogger.setFormatter(logging.Formatter
119
118
' %(message)s'))
120
119
logger.addHandler(syslogger)
121
120
122
console = logging.StreamHandler()
123
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
124
' [%(process)d]:'
125
' %(levelname)s:'
126
' %(message)s'))
127
logger.addHandler(console)
121
if debug:
122
console = logging.StreamHandler()
123
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
124
' [%(process)d]:'
125
' %(levelname)s:'
126
' %(message)s'))
127
logger.addHandler(console)
128
128
logger.setLevel(level)
129
129
130
130
131
class CryptoError(Exception):
131
class PGPError(Exception):
132
"""Exception if encryption/decryption fails"""
132
133
pass
133
134
134
135
135
class Crypto(object):
136
class PGPEngine(object):
136
137
"""A simple class for OpenPGP symmetric encryption & decryption"""
137
138
def __init__(self):
138
139
self.gnupg = GnuPGInterface.GnuPG()
141
142
self.gnupg.options.meta_interactive = False
142
143
self.gnupg.options.homedir = self.tempdir
143
144
self.gnupg.options.extra_args.extend(['--force-mdc',
144
'--quiet'])
145
'--quiet',
146
'--no-use-agent'])
145
147
146
148
def __enter__(self):
147
149
return self
184
186
ciphertext = f.read()
185
187
proc.wait()
186
188
except IOError as e:
187
raise CryptoError(e)
189
raise PGPError(e)
188
190
self.gnupg.passphrase = None
189
191
return ciphertext
190
192
201
203
decrypted_plaintext = f.read()
202
204
proc.wait()
203
205
except IOError as e:
204
raise CryptoError(e)
206
raise PGPError(e)
205
207
self.gnupg.passphrase = None
206
208
return decrypted_plaintext
207
209
377
379
% self.name))
378
380
return ret
379
381
380
def _timedelta_to_milliseconds(td):
382
def timedelta_to_milliseconds(td):
381
383
"Convert a datetime.timedelta() to milliseconds"
382
384
return ((td.days * 24 * 60 * 60 * 1000)
383
385
+ (td.seconds * 1000)
387
389
"""A representation of a client host served by this server.
388
390
389
391
Attributes:
390
_approved: bool(); 'None' if not yet approved/disapproved
392
approved: bool(); 'None' if not yet approved/disapproved
391
393
approval_delay: datetime.timedelta(); Time to wait for approval
392
394
approval_duration: datetime.timedelta(); Duration of one approval
393
395
checker: subprocess.Popen(); a running checker process used
411
413
interval: datetime.timedelta(); How often to start a new checker
412
414
last_approval_request: datetime.datetime(); (UTC) or None
413
415
last_checked_ok: datetime.datetime(); (UTC) or None
414
415
416
last_checker_status: integer between 0 and 255 reflecting exit
416
417
status of last checker. -1 reflects crashed
417
418
checker, or None.
418
last_enabled: datetime.datetime(); (UTC)
419
last_enabled: datetime.datetime(); (UTC) or None
419
420
name: string; from the config file, used in log messages and
420
421
D-Bus identifiers
421
422
secret: bytestring; sent verbatim (over TLS) to client
422
423
timeout: datetime.timedelta(); How long from last_checked_ok
423
424
until this client is disabled
424
extended_timeout: extra long timeout when password has been sent
425
extended_timeout: extra long timeout when secret has been sent
425
426
runtime_expansions: Allowed attributes for runtime expansion.
426
427
expires: datetime.datetime(); time (UTC) when a client will be
427
428
disabled, or None
431
432
"created", "enabled", "fingerprint",
432
433
"host", "interval", "last_checked_ok",
433
434
"last_enabled", "name", "timeout")
435
client_defaults = { "timeout": "5m",
436
"extended_timeout": "15m",
437
"interval": "2m",
438
"checker": "fping -q -- %%(host)s",
439
"host": "",
440
"approval_delay": "0s",
441
"approval_duration": "1s",
442
"approved_by_default": "True",
443
"enabled": "True",
444
}
434
445
435
446
def timeout_milliseconds(self):
436
447
"Return the 'timeout' attribute in milliseconds"
437
return _timedelta_to_milliseconds(self.timeout)
448
return timedelta_to_milliseconds(self.timeout)
438
449
439
450
def extended_timeout_milliseconds(self):
440
451
"Return the 'extended_timeout' attribute in milliseconds"
441
return _timedelta_to_milliseconds(self.extended_timeout)
452
return timedelta_to_milliseconds(self.extended_timeout)
442
453
443
454
def interval_milliseconds(self):
444
455
"Return the 'interval' attribute in milliseconds"
445
return _timedelta_to_milliseconds(self.interval)
456
return timedelta_to_milliseconds(self.interval)
446
457
447
458
def approval_delay_milliseconds(self):
448
return _timedelta_to_milliseconds(self.approval_delay)
449
450
def __init__(self, name = None, config=None):
459
return timedelta_to_milliseconds(self.approval_delay)
460
461
@staticmethod
462
def config_parser(config):
463
"""Construct a new dict of client settings of this form:
464
{ client_name: {setting_name: value, ...}, ...}
465
with exceptions for any special settings as defined above.
466
NOTE: Must be a pure function. Must return the same result
467
value given the same arguments.
468
"""
469
settings = {}
470
for client_name in config.sections():
471
section = dict(config.items(client_name))
472
client = settings[client_name] = {}
473
474
client["host"] = section["host"]
475
# Reformat values from string types to Python types
476
client["approved_by_default"] = config.getboolean(
477
client_name, "approved_by_default")
478
client["enabled"] = config.getboolean(client_name,
479
"enabled")
480
481
client["fingerprint"] = (section["fingerprint"].upper()
482
.replace(" ", ""))
483
if "secret" in section:
484
client["secret"] = section["secret"].decode("base64")
485
elif "secfile" in section:
486
with open(os.path.expanduser(os.path.expandvars
487
(section["secfile"])),
488
"rb") as secfile:
489
client["secret"] = secfile.read()
490
else:
491
raise TypeError("No secret or secfile for section %s"
492
% section)
493
client["timeout"] = string_to_delta(section["timeout"])
494
client["extended_timeout"] = string_to_delta(
495
section["extended_timeout"])
496
client["interval"] = string_to_delta(section["interval"])
497
client["approval_delay"] = string_to_delta(
498
section["approval_delay"])
499
client["approval_duration"] = string_to_delta(
500
section["approval_duration"])
501
client["checker_command"] = section["checker"]
502
client["last_approval_request"] = None
503
client["last_checked_ok"] = None
504
client["last_checker_status"] = None
505
506
return settings
507
508
509
def __init__(self, settings, name = None):
451
510
"""Note: the 'checker' key in 'config' sets the
452
511
'checker_command' attribute and *not* the 'checker'
453
512
attribute."""
454
513
self.name = name
455
if config is None:
456
config = {}
514
# adding all client settings
515
for setting, value in settings.iteritems():
516
setattr(self, setting, value)
517
518
if self.enabled:
519
if not hasattr(self, "last_enabled"):
520
self.last_enabled = datetime.datetime.utcnow()
521
if not hasattr(self, "expires"):
522
self.expires = (datetime.datetime.utcnow()
523
+ self.timeout)
524
else:
525
self.last_enabled = None
526
self.expires = None
527
457
528
logger.debug("Creating client %r", self.name)
458
529
# Uppercase and remove spaces from fingerprint for later
459
530
# comparison purposes with return value from the fingerprint()
460
531
# function
461
self.fingerprint = (config["fingerprint"].upper()
462
.replace(" ", ""))
463
532
logger.debug(" Fingerprint: %s", self.fingerprint)
464
if "secret" in config:
465
self.secret = config["secret"].decode("base64")
466
elif "secfile" in config:
467
with open(os.path.expanduser(os.path.expandvars
468
(config["secfile"])),
469
"rb") as secfile:
470
self.secret = secfile.read()
471
else:
472
raise TypeError("No secret or secfile for client %s"
473
% self.name)
474
self.host = config.get("host", "")
475
self.created = datetime.datetime.utcnow()
476
self.enabled = True
477
self.last_approval_request = None
478
self.last_enabled = datetime.datetime.utcnow()
479
self.last_checked_ok = None
480
self.last_checker_status = None
481
self.timeout = string_to_delta(config["timeout"])
482
self.extended_timeout = string_to_delta(config
483
["extended_timeout"])
484
self.interval = string_to_delta(config["interval"])
533
self.created = settings.get("created",
534
datetime.datetime.utcnow())
535
536
# attributes specific for this server instance
485
537
self.checker = None
486
538
self.checker_initiator_tag = None
487
539
self.disable_initiator_tag = None
488
self.expires = datetime.datetime.utcnow() + self.timeout
489
540
self.checker_callback_tag = None
490
self.checker_command = config["checker"]
491
541
self.current_checker_command = None
492
self._approved = None
493
self.approved_by_default = config.get("approved_by_default",
494
True)
542
self.approved = None
495
543
self.approvals_pending = 0
496
self.approval_delay = string_to_delta(
497
config["approval_delay"])
498
self.approval_duration = string_to_delta(
499
config["approval_duration"])
500
544
self.changedstate = (multiprocessing_manager
501
545
.Condition(multiprocessing_manager
502
546
.Lock()))
569
613
self.checker_callback_tag = None
570
614
self.checker = None
571
615
if os.WIFEXITED(condition):
572
self.last_checker_status = os.WEXITSTATUS(condition)
616
self.last_checker_status = os.WEXITSTATUS(condition)
573
617
if self.last_checker_status == 0:
574
618
logger.info("Checker for %(name)s succeeded",
575
619
vars(self))
595
639
gobject.source_remove(self.disable_initiator_tag)
596
640
if getattr(self, "enabled", False):
597
641
self.disable_initiator_tag = (gobject.timeout_add
598
(_timedelta_to_milliseconds
642
(timedelta_to_milliseconds
599
643
(timeout), self.disable))
600
644
self.expires = datetime.datetime.utcnow() + timeout
601
645
806
850
# signatures other than "ay".
807
851
if prop._dbus_signature != "ay":
808
852
raise ValueError
809
value = dbus.ByteArray(''.join(unichr(byte)
810
for byte in value))
853
value = dbus.ByteArray(b''.join(chr(byte)
854
for byte in value))
811
855
prop(value)
812
856
813
857
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
1005
1049
def __init__(self, bus = None, *args, **kwargs):
1006
1050
self.bus = bus
1007
1051
Client.__init__(self, *args, **kwargs)
1008
1009
self._approvals_pending = 0
1010
1052
# Only now, when this client is initialized, can it show up on
1011
1053
# the D-Bus
1012
1054
client_object_name = unicode(self.name).translate(
1062
1104
datetime_to_dbus, "LastApprovalRequest")
1063
1105
approved_by_default = notifychangeproperty(dbus.Boolean,
1064
1106
"ApprovedByDefault")
1065
approval_delay = notifychangeproperty(dbus.UInt16,
1107
approval_delay = notifychangeproperty(dbus.UInt64,
1066
1108
"ApprovalDelay",
1067
1109
type_func =
1068
_timedelta_to_milliseconds)
1110
timedelta_to_milliseconds)
1069
1111
approval_duration = notifychangeproperty(
1070
dbus.UInt16, "ApprovalDuration",
1071
type_func = _timedelta_to_milliseconds)
1112
dbus.UInt64, "ApprovalDuration",
1113
type_func = timedelta_to_milliseconds)
1072
1114
host = notifychangeproperty(dbus.String, "Host")
1073
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
1115
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1074
1116
type_func =
1075
_timedelta_to_milliseconds)
1117
timedelta_to_milliseconds)
1076
1118
extended_timeout = notifychangeproperty(
1077
dbus.UInt16, "ExtendedTimeout",
1078
type_func = _timedelta_to_milliseconds)
1079
interval = notifychangeproperty(dbus.UInt16,
1119
dbus.UInt64, "ExtendedTimeout",
1120
type_func = timedelta_to_milliseconds)
1121
interval = notifychangeproperty(dbus.UInt64,
1080
1122
"Interval",
1081
1123
type_func =
1082
_timedelta_to_milliseconds)
1124
timedelta_to_milliseconds)
1083
1125
checker_command = notifychangeproperty(dbus.String, "Checker")
1084
1126
1085
1127
del notifychangeproperty
1127
1169
return r
1128
1170
1129
1171
def _reset_approved(self):
1130
self._approved = None
1172
self.approved = None
1131
1173
return False
1132
1174
1133
1175
def approve(self, value=True):
1134
1176
self.send_changedstate()
1135
self._approved = value
1136
gobject.timeout_add(_timedelta_to_milliseconds
1177
self.approved = value
1178
gobject.timeout_add(timedelta_to_milliseconds
1137
1179
(self.approval_duration),
1138
1180
self._reset_approved)
1139
1181
1182
1224
"D-Bus signal"
1183
1225
return self.need_approval()
1184
1226
1185
# NeRwequest - signal
1186
@dbus.service.signal(_interface, signature="s")
1187
def NewRequest(self, ip):
1188
"""D-Bus signal
1189
Is sent after a client request a password.
1190
"""
1191
pass
1192
1193
1227
## Methods
1194
1228
1195
1229
# Approve - method
1253
1287
access="readwrite")
1254
1288
def ApprovalDuration_dbus_property(self, value=None):
1255
1289
if value is None: # get
1256
return dbus.UInt64(_timedelta_to_milliseconds(
1290
return dbus.UInt64(timedelta_to_milliseconds(
1257
1291
self.approval_duration))
1258
1292
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1259
1293
1273
1307
def Host_dbus_property(self, value=None):
1274
1308
if value is None: # get
1275
1309
return dbus.String(self.host)
1276
self.host = value
1310
self.host = unicode(value)
1277
1311
1278
1312
# Created - property
1279
1313
@dbus_service_property(_interface, signature="s", access="read")
1280
1314
def Created_dbus_property(self):
1281
return dbus.String(datetime_to_dbus(self.created))
1315
return datetime_to_dbus(self.created)
1282
1316
1283
1317
# LastEnabled - property
1284
1318
@dbus_service_property(_interface, signature="s", access="read")
1322
1356
if value is None: # get
1323
1357
return dbus.UInt64(self.timeout_milliseconds())
1324
1358
self.timeout = datetime.timedelta(0, 0, 0, value)
1325
if getattr(self, "disable_initiator_tag", None) is None:
1326
return
1327
1359
# Reschedule timeout
1328
gobject.source_remove(self.disable_initiator_tag)
1329
self.disable_initiator_tag = None
1330
self.expires = None
1331
time_to_die = _timedelta_to_milliseconds((self
1332
.last_checked_ok
1333
+ self.timeout)
1334
- datetime.datetime
1335
.utcnow())
1336
if time_to_die <= 0:
1337
# The timeout has passed
1338
self.disable()
1339
else:
1340
self.expires = (datetime.datetime.utcnow()
1341
+ datetime.timedelta(milliseconds =
1342
time_to_die))
1343
self.disable_initiator_tag = (gobject.timeout_add
1344
(time_to_die, self.disable))
1360
if self.enabled:
1361
now = datetime.datetime.utcnow()
1362
time_to_die = timedelta_to_milliseconds(
1363
(self.last_checked_ok + self.timeout) - now)
1364
if time_to_die <= 0:
1365
# The timeout has passed
1366
self.disable()
1367
else:
1368
self.expires = (now +
1369
datetime.timedelta(milliseconds =
1370
time_to_die))
1371
if (getattr(self, "disable_initiator_tag", None)
1372
is None):
1373
return
1374
gobject.source_remove(self.disable_initiator_tag)
1375
self.disable_initiator_tag = (gobject.timeout_add
1376
(time_to_die,
1377
self.disable))
1345
1378
1346
1379
# ExtendedTimeout - property
1347
1380
@dbus_service_property(_interface, signature="t",
1360
1393
self.interval = datetime.timedelta(0, 0, 0, value)
1361
1394
if getattr(self, "checker_initiator_tag", None) is None:
1362
1395
return
1363
# Reschedule checker run
1364
gobject.source_remove(self.checker_initiator_tag)
1365
self.checker_initiator_tag = (gobject.timeout_add
1366
(value, self.start_checker))
1367
self.start_checker() # Start one now, too
1396
if self.enabled:
1397
# Reschedule checker run
1398
gobject.source_remove(self.checker_initiator_tag)
1399
self.checker_initiator_tag = (gobject.timeout_add
1400
(value, self.start_checker))
1401
self.start_checker() # Start one now, too
1368
1402
1369
1403
# Checker - property
1370
1404
@dbus_service_property(_interface, signature="s",
1372
1406
def Checker_dbus_property(self, value=None):
1373
1407
if value is None: # get
1374
1408
return dbus.String(self.checker_command)
1375
self.checker_command = value
1409
self.checker_command = unicode(value)
1376
1410
1377
1411
# CheckerRunning - property
1378
1412
@dbus_service_property(_interface, signature="b",
1407
1441
raise KeyError()
1408
1442
1409
1443
def __getattribute__(self, name):
1410
if(name == '_pipe'):
1444
if name == '_pipe':
1411
1445
return super(ProxyClient, self).__getattribute__(name)
1412
1446
self._pipe.send(('getattr', name))
1413
1447
data = self._pipe.recv()
1420
1454
return func
1421
1455
1422
1456
def __setattr__(self, name, value):
1423
if(name == '_pipe'):
1457
if name == '_pipe':
1424
1458
return super(ProxyClient, self).__setattr__(name, value)
1425
1459
self._pipe.send(('setattr', name, value))
1426
1460
1495
1529
logger.warning("Bad certificate: %s", error)
1496
1530
return
1497
1531
logger.debug("Fingerprint: %s", fpr)
1498
if self.server.use_dbus:
1499
# Emit D-Bus signal
1500
client.NewRequest(str(self.client_address))
1501
1532
1502
1533
try:
1503
1534
client = ProxyClient(child_pipe, fpr,
1519
1550
client.Rejected("Disabled")
1520
1551
return
1521
1552
1522
if client._approved or not client.approval_delay:
1553
if client.approved or not client.approval_delay:
1523
1554
#We are approved or approval is disabled
1524
1555
break
1525
elif client._approved is None:
1556
elif client.approved is None:
1526
1557
logger.info("Client %s needs approval",
1527
1558
client.name)
1528
1559
if self.server.use_dbus:
1542
1573
time = datetime.datetime.now()
1543
1574
client.changedstate.acquire()
1544
1575
(client.changedstate.wait
1545
(float(client._timedelta_to_milliseconds(delay)
1576
(float(client.timedelta_to_milliseconds(delay)
1546
1577
/ 1000)))
1547
1578
client.changedstate.release()
1548
1579
time2 = datetime.datetime.now()
1656
1687
def sub_process_main(self, request, address):
1657
1688
try:
1658
1689
self.finish_request(request, address)
1659
except:
1690
except Exception:
1660
1691
self.handle_error(request, address)
1661
1692
self.close_request(request)
1662
1693
1972
2003
dest="use_ipv6", help="Do not use IPv6")
1973
2004
parser.add_argument("--no-restore", action="store_false",
1974
2005
dest="restore", help="Do not restore stored"
1975
" state", default=True)
2006
" state")
2007
parser.add_argument("--statedir", metavar="DIR",
2008
help="Directory to save/restore state in")
1976
2009
1977
2010
options = parser.parse_args()
1978
2011
1992
2025
"use_dbus": "True",
1993
2026
"use_ipv6": "True",
1994
2027
"debuglevel": "",
2028
"restore": "True",
2029
"statedir": "/var/lib/mandos"
1995
2030
}
1996
2031
1997
2032
# Parse config file for server-global settings
2014
2049
# options, if set.
2015
2050
for option in ("interface", "address", "port", "debug",
2016
2051
"priority", "servicename", "configdir",
2017
"use_dbus", "use_ipv6", "debuglevel", "restore"):
2052
"use_dbus", "use_ipv6", "debuglevel", "restore",
2053
"statedir"):
2018
2054
value = getattr(options, option)
2019
2055
if value is not None:
2020
2056
server_settings[option] = value
2032
2068
debuglevel = server_settings["debuglevel"]
2033
2069
use_dbus = server_settings["use_dbus"]
2034
2070
use_ipv6 = server_settings["use_ipv6"]
2071
stored_state_path = os.path.join(server_settings["statedir"],
2072
stored_state_file)
2035
2073
2036
2074
if debug:
2037
initlogger(logging.DEBUG)
2075
initlogger(debug, logging.DEBUG)
2038
2076
else:
2039
2077
if not debuglevel:
2040
initlogger()
2078
initlogger(debug)
2041
2079
else:
2042
2080
level = getattr(logging, debuglevel.upper())
2043
initlogger(level)
2081
initlogger(debug, level)
2044
2082
2045
2083
if server_settings["servicename"] != "Mandos":
2046
2084
syslogger.setFormatter(logging.Formatter
2049
2087
% server_settings["servicename"]))
2050
2088
2051
2089
# Parse config file with clients
2052
client_defaults = { "timeout": "5m",
2053
"extended_timeout": "15m",
2054
"interval": "2m",
2055
"checker": "fping -q -- %%(host)s",
2056
"host": "",
2057
"approval_delay": "0s",
2058
"approval_duration": "1s",
2059
}
2060
client_config = configparser.SafeConfigParser(client_defaults)
2090
client_config = configparser.SafeConfigParser(Client
2091
.client_defaults)
2061
2092
client_config.read(os.path.join(server_settings["configdir"],
2062
2093
"clients.conf"))
2063
2094
2120
2151
os.dup2(null, sys.stdin.fileno())
2121
2152
if null > 2:
2122
2153
os.close(null)
2123
else:
2124
# No console logging
2125
logger.removeHandler(console)
2126
2154
2127
2155
# Need to fork before connecting to D-Bus
2128
2156
if not debug:
2129
2157
# Close all input and output, do double fork, etc.
2130
2158
daemon()
2131
2159
2160
gobject.threads_init()
2161
2132
2162
global main_loop
2133
2163
# From the Avahi example code
2134
2164
DBusGMainLoop(set_as_default=True )
2164
2194
client_class = functools.partial(ClientDBusTransitional,
2165
2195
bus = bus)
2166
2196
2167
special_settings = {
2168
# Some settings need to be accessd by special methods;
2169
# booleans need .getboolean(), etc. Here is a list of them:
2170
"approved_by_default":
2171
lambda section:
2172
client_config.getboolean(section, "approved_by_default"),
2173
}
2174
# Construct a new dict of client settings of this form:
2175
# { client_name: {setting_name: value, ...}, ...}
2176
# with exceptions for any special settings as defined above
2177
client_settings = dict((clientname,
2178
dict((setting,
2179
(value
2180
if setting not in special_settings
2181
else special_settings[setting]
2182
(clientname)))
2183
for setting, value in
2184
client_config.items(clientname)))
2185
for clientname in client_config.sections())
2186
2197
client_settings = Client.config_parser(client_config)
2187
2198
old_client_settings = {}
2188
clients_data = []
2199
clients_data = {}
2189
2200
2190
2201
# Get client data and settings from last running state.
2191
2202
if server_settings["restore"]:
2199
2210
.format(e))
2200
2211
if e.errno != errno.ENOENT:
2201
2212
raise
2213
except EOFError as e:
2214
logger.warning("Could not load persistent state: "
2215
"EOFError: {0}".format(e))
2202
2216
2203
with Crypto() as crypt:
2204
for client in clients_data:
2205
client_name = client["name"]
2206
2217
with PGPEngine() as pgp:
2218
for client_name, client in clients_data.iteritems():
2207
2219
# Decide which value to use after restoring saved state.
2208
2220
# We have three different values: Old config file,
2209
2221
# new config file, and saved state.
2217
2229
if (name != "secret" and
2218
2230
value != old_client_settings[client_name]
2219
2231
[name]):
2220
setattr(client, name, value)
2232
client[name] = value
2221
2233
except KeyError:
2222
2234
pass
2223
2235
2224
2236
# Clients who has passed its expire date can still be
2225
# enabled if its last checker was sucessful. Clients
2226
# whose checker failed before we stored its state is
2227
# assumed to have failed all checkers during downtime.
2228
if client["enabled"] and client["last_checked_ok"]:
2229
if ((datetime.datetime.utcnow()
2230
- client["last_checked_ok"])
2231
> client["interval"]):
2232
if client["last_checker_status"] != 0:
2237
# enabled if its last checker was successful. Clients
2238
# whose checker succeeded before we stored its state is
2239
# assumed to have successfully run all checkers during
2240
# downtime.
2241
if client["enabled"]:
2242
if datetime.datetime.utcnow() >= client["expires"]:
2243
if not client["last_checked_ok"]:
2244
logger.warning(
2245
"disabling client {0} - Client never "
2246
"performed a successful checker"
2247
.format(client_name))
2248
client["enabled"] = False
2249
elif client["last_checker_status"] != 0:
2250
logger.warning(
2251
"disabling client {0} - Client "
2252
"last checker failed with error code {1}"
2253
.format(client_name,
2254
client["last_checker_status"]))
2233
2255
client["enabled"] = False
2234
2256
else:
2235
2257
client["expires"] = (datetime.datetime
2236
2258
.utcnow()
2237
2259
+ client["timeout"])
2238
2239
client["changedstate"] = (multiprocessing_manager
2240
.Condition
2241
(multiprocessing_manager
2242
.Lock()))
2243
if use_dbus:
2244
new_client = (ClientDBusTransitional.__new__
2245
(ClientDBusTransitional))
2246
tcp_server.clients[client_name] = new_client
2247
new_client.bus = bus
2248
for name, value in client.iteritems():
2249
setattr(new_client, name, value)
2250
client_object_name = unicode(client_name).translate(
2251
{ord("."): ord("_"),
2252
ord("-"): ord("_")})
2253
new_client.dbus_object_path = (dbus.ObjectPath
2254
("/clients/"
2255
+ client_object_name))
2256
DBusObjectWithProperties.__init__(new_client,
2257
new_client.bus,
2258
new_client
2259
.dbus_object_path)
2260
else:
2261
tcp_server.clients[client_name] = (Client.__new__
2262
(Client))
2263
for name, value in client.iteritems():
2264
setattr(tcp_server.clients[client_name],
2265
name, value)
2266
2260
logger.debug("Last checker succeeded,"
2261
" keeping {0} enabled"
2262
.format(client_name))
2267
2263
try:
2268
tcp_server.clients[client_name].secret = (
2269
crypt.decrypt(tcp_server.clients[client_name]
2270
.encrypted_secret,
2271
client_settings[client_name]
2272
["secret"]))
2273
except CryptoError:
2264
client["secret"] = (
2265
pgp.decrypt(client["encrypted_secret"],
2266
client_settings[client_name]
2267
["secret"]))
2268
except PGPError:
2274
2269
# If decryption fails, we use secret from new settings
2275
tcp_server.clients[client_name].secret = (
2270
logger.debug("Failed to decrypt {0} old secret"
2271
.format(client_name))
2272
client["secret"] = (
2276
2273
client_settings[client_name]["secret"])
2274
2277
2275
2278
# Create/remove clients based on new changes made to config
2279
for clientname in set(old_client_settings) - set(client_settings):
2280
del tcp_server.clients[clientname]
2281
for clientname in set(client_settings) - set(old_client_settings):
2282
tcp_server.clients[clientname] = (client_class(name
2283
= clientname,
2284
config =
2285
client_settings
2286
[clientname]))
2276
# Add/remove clients based on new changes made to config
2277
for client_name in (set(old_client_settings)
2278
- set(client_settings)):
2279
del clients_data[client_name]
2280
for client_name in (set(client_settings)
2281
- set(old_client_settings)):
2282
clients_data[client_name] = client_settings[client_name]
2283
2284
# Create all client objects
2285
for client_name, client in clients_data.iteritems():
2286
tcp_server.clients[client_name] = client_class(
2287
name = client_name, settings = client)
2287
2288
2288
2289
if not tcp_server.clients:
2289
2290
logger.warning("No clients defined")
2301
2302
# "pidfile" was never created
2302
2303
pass
2303
2304
del pidfilename
2304
2305
2305
signal.signal(signal.SIGINT, signal.SIG_IGN)
2306
2306
2307
2307
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2376
2376
# Store client before exiting. Secrets are encrypted with key
2377
2377
# based on what config file has. If config file is
2378
2378
# removed/edited, old secret will thus be unrecovable.
2379
clients = []
2380
with Crypto() as crypt:
2379
clients = {}
2380
with PGPEngine() as pgp:
2381
2381
for client in tcp_server.clients.itervalues():
2382
2382
key = client_settings[client.name]["secret"]
2383
client.encrypted_secret = crypt.encrypt(client.secret,
2384
key)
2383
client.encrypted_secret = pgp.encrypt(client.secret,
2384
key)
2385
2385
client_dict = {}
2386
2386
2387
# A list of attributes that will not be stored when
2388
# shutting down.
2389
exclude = set(("bus", "changedstate", "secret"))
2387
# A list of attributes that can not be pickled
2388
# + secret.
2389
exclude = set(("bus", "changedstate", "secret",
2390
"checker"))
2390
2391
for name, typ in (inspect.getmembers
2391
2392
(dbus.service.Object)):
2392
2393
exclude.add(name)
2397
2398
if attr not in exclude:
2398
2399
client_dict[attr] = getattr(client, attr)
2399
2400
2400
clients.append(client_dict)
2401
clients[client.name] = client_dict
2401
2402
del client_settings[client.name]["secret"]
2402
2403
2403
2404
try:
2404
with os.fdopen(os.open(stored_state_path,
2405
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2406
0600), "wb") as stored_state:
2405
tempfd, tempname = tempfile.mkstemp(suffix=".pickle",
2406
prefix="clients-",
2407
dir=os.path.dirname
2408
(stored_state_path))
2409
with os.fdopen(tempfd, "wb") as stored_state:
2407
2410
pickle.dump((clients, client_settings), stored_state)
2411
os.rename(tempname, stored_state_path)
2408
2412
except (IOError, OSError) as e:
2409
2413
logger.warning("Could not save persistent state: {0}"
2410
2414
.format(e))
2411
if e.errno not in (errno.ENOENT, errno.EACCES):
2412
raise
2415
if not debug:
2416
try:
2417
os.remove(tempname)
2418
except NameError:
2419
pass
2420
if e.errno not in set((errno.ENOENT, errno.EACCES,
2421
errno.EEXIST)):
2422
raise e
2413
2423
2414
2424
# Delete all clients, and settings from config
2415
2425
while tcp_server.clients:
2479
2489
# Must run before the D-Bus bus name gets deregistered
2480
2490
cleanup()
2481
2491
2482
2483
2492
if __name__ == '__main__':
2484
2493
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0