/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to server.py

  • Committer: Teddy Hogeborn
  • Date: 2008-08-04 16:05:01 UTC
  • mfrom: (24.1.15 mandos)
  • Revision ID: teddy@fukt.bsnet.se-20080804160501-woej7nf8amgrbc2e
* plugins.d/mandosclient.c (start_mandos_communication): Change "to"
                                    to be a union.  All users changed.

Show diffs side-by-side

added added

removed removed

Lines of Context:
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>.  This includes the
9
 
# methods "add", "remove", "server_state_changed",
10
 
# "entry_group_state_changed", "cleanup", and "activate" in the
11
 
# "AvahiService" class, and some lines in "main".
 
9
# following functions: "AvahiService.add", "AvahiService.remove",
 
10
# "server_state_changed", "entry_group_state_changed", and some lines
 
11
# in "main".
12
12
13
13
# Everything else is
14
 
# Copyright © 2008,2009 Teddy Hogeborn
15
 
# Copyright © 2008,2009 Björn Påhlsson
 
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
16
15
17
16
# This program is free software: you can redistribute it and/or modify
18
17
# it under the terms of the GNU General Public License as published by
25
24
#     GNU General Public License for more details.
26
25
27
26
# You should have received a copy of the GNU General Public License
28
 
# along with this program.  If not, see
29
 
# <http://www.gnu.org/licenses/>.
 
27
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
30
28
31
29
# Contact the authors at <mandos@fukt.bsnet.se>.
32
30
33
31
 
34
 
from __future__ import division, with_statement, absolute_import
 
32
from __future__ import division
35
33
 
36
 
import SocketServer as socketserver
 
34
import SocketServer
37
35
import socket
38
 
import optparse
 
36
import select
 
37
from optparse import OptionParser
39
38
import datetime
40
39
import errno
41
40
import gnutls.crypto
44
43
import gnutls.library.functions
45
44
import gnutls.library.constants
46
45
import gnutls.library.types
47
 
import ConfigParser as configparser
 
46
import ConfigParser
48
47
import sys
49
48
import re
50
49
import os
51
50
import signal
 
51
from sets import Set
52
52
import subprocess
53
53
import atexit
54
54
import stat
55
55
import logging
56
56
import logging.handlers
57
 
import pwd
58
 
import contextlib
59
 
import struct
60
 
import fcntl
61
 
import functools
62
 
import cPickle as pickle
63
57
 
64
58
import dbus
65
 
import dbus.service
66
59
import gobject
67
60
import avahi
68
61
from dbus.mainloop.glib import DBusGMainLoop
69
62
import ctypes
70
 
import ctypes.util
71
 
import xml.dom.minidom
72
 
import inspect
73
 
 
74
 
try:
75
 
    SO_BINDTODEVICE = socket.SO_BINDTODEVICE
76
 
except AttributeError:
77
 
    try:
78
 
        from IN import SO_BINDTODEVICE
79
 
    except ImportError:
80
 
        SO_BINDTODEVICE = None
81
 
 
82
 
 
83
 
version = "1.0.14"
84
 
 
85
 
logger = logging.Logger(u'mandos')
86
 
syslogger = (logging.handlers.SysLogHandler
87
 
             (facility = logging.handlers.SysLogHandler.LOG_DAEMON,
88
 
              address = "/dev/log"))
89
 
syslogger.setFormatter(logging.Formatter
90
 
                       (u'Mandos [%(process)d]: %(levelname)s:'
91
 
                        u' %(message)s'))
 
63
 
 
64
# Brief description of the operation of this program:
 
65
 
66
# This server announces itself as a Zeroconf service.  Connecting
 
67
# clients use the TLS protocol, with the unusual quirk that this
 
68
# server program acts as a TLS "client" while a connecting client acts
 
69
# as a TLS "server".  The client (acting as a TLS "server") must
 
70
# supply an OpenPGP certificate, and the fingerprint of this
 
71
# certificate is used by this server to look up (in a list read from a
 
72
# file at start time) which binary blob to give the client.  No other
 
73
# authentication or authorization is done by this server.
 
74
 
 
75
 
 
76
logger = logging.Logger('mandos')
 
77
syslogger = logging.handlers.SysLogHandler\
 
78
            (facility = logging.handlers.SysLogHandler.LOG_DAEMON)
 
79
syslogger.setFormatter(logging.Formatter\
 
80
                        ('%(levelname)s: %(message)s'))
92
81
logger.addHandler(syslogger)
 
82
del syslogger
93
83
 
94
 
console = logging.StreamHandler()
95
 
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
96
 
                                       u' %(levelname)s:'
97
 
                                       u' %(message)s'))
98
 
logger.addHandler(console)
99
84
 
100
85
class AvahiError(Exception):
101
 
    def __init__(self, value, *args, **kwargs):
 
86
    def __init__(self, value):
102
87
        self.value = value
103
 
        super(AvahiError, self).__init__(value, *args, **kwargs)
104
 
    def __unicode__(self):
105
 
        return unicode(repr(self.value))
 
88
    def __str__(self):
 
89
        return repr(self.value)
106
90
 
107
91
class AvahiServiceError(AvahiError):
108
92
    pass
112
96
 
113
97
 
114
98
class AvahiService(object):
115
 
    """An Avahi (Zeroconf) service.
116
 
    
117
 
    Attributes:
 
99
    """
118
100
    interface: integer; avahi.IF_UNSPEC or an interface index.
119
101
               Used to optionally bind to the specified interface.
120
 
    name: string; Example: u'Mandos'
121
 
    type: string; Example: u'_mandos._tcp'.
122
 
                  See <http://www.dns-sd.org/ServiceTypes.html>
123
 
    port: integer; what port to announce
124
 
    TXT: list of strings; TXT record for the service
125
 
    domain: string; Domain to publish on, default to .local if empty.
126
 
    host: string; Host to publish records for, default is localhost
127
 
    max_renames: integer; maximum number of renames
128
 
    rename_count: integer; counter so we only rename after collisions
129
 
                  a sensible number of times
130
 
    group: D-Bus Entry Group
131
 
    server: D-Bus Server
132
 
    bus: dbus.SystemBus()
 
102
    name = string; Example: "Mandos"
 
103
    type = string; Example: "_mandos._tcp".
 
104
                   See <http://www.dns-sd.org/ServiceTypes.html>
 
105
    port = integer; what port to announce
 
106
    TXT = list of strings; TXT record for the service
 
107
    domain = string; Domain to publish on, default to .local if empty.
 
108
    host = string; Host to publish records for, default to localhost
 
109
                   if empty.
 
110
    max_renames = integer; maximum number of renames
 
111
    rename_count = integer; counter so we only rename after collisions
 
112
                   a sensible number of times
133
113
    """
134
114
    def __init__(self, interface = avahi.IF_UNSPEC, name = None,
135
 
                 servicetype = None, port = None, TXT = None,
136
 
                 domain = u"", host = u"", max_renames = 32768,
137
 
                 protocol = avahi.PROTO_UNSPEC, bus = None):
 
115
                 type = None, port = None, TXT = None, domain = "",
 
116
                 host = "", max_renames = 12):
 
117
        """An Avahi (Zeroconf) service. """
138
118
        self.interface = interface
139
119
        self.name = name
140
 
        self.type = servicetype
 
120
        self.type = type
141
121
        self.port = port
142
 
        self.TXT = TXT if TXT is not None else []
 
122
        if TXT is None:
 
123
            self.TXT = []
 
124
        else:
 
125
            self.TXT = TXT
143
126
        self.domain = domain
144
127
        self.host = host
145
128
        self.rename_count = 0
146
 
        self.max_renames = max_renames
147
 
        self.protocol = protocol
148
 
        self.group = None       # our entry group
149
 
        self.server = None
150
 
        self.bus = bus
151
129
    def rename(self):
152
130
        """Derived from the Avahi example code"""
153
131
        if self.rename_count >= self.max_renames:
154
 
            logger.critical(u"No suitable Zeroconf service name found"
155
 
                            u" after %i retries, exiting.",
156
 
                            self.rename_count)
157
 
            raise AvahiServiceError(u"Too many renames")
158
 
        self.name = self.server.GetAlternativeServiceName(self.name)
159
 
        logger.info(u"Changing Zeroconf service name to %r ...",
160
 
                    unicode(self.name))
161
 
        syslogger.setFormatter(logging.Formatter
162
 
                               (u'Mandos (%s) [%%(process)d]:'
163
 
                                u' %%(levelname)s: %%(message)s'
164
 
                                % self.name))
 
132
            logger.critical(u"No suitable service name found after %i"
 
133
                            u" retries, exiting.", rename_count)
 
134
            raise AvahiServiceError("Too many renames")
 
135
        name = server.GetAlternativeServiceName(name)
 
136
        logger.notice(u"Changing name to %r ...", name)
165
137
        self.remove()
166
138
        self.add()
167
139
        self.rename_count += 1
168
140
    def remove(self):
169
141
        """Derived from the Avahi example code"""
170
 
        if self.group is not None:
171
 
            self.group.Reset()
 
142
        if group is not None:
 
143
            group.Reset()
172
144
    def add(self):
173
145
        """Derived from the Avahi example code"""
174
 
        if self.group is None:
175
 
            self.group = dbus.Interface(
176
 
                self.bus.get_object(avahi.DBUS_NAME,
177
 
                                    self.server.EntryGroupNew()),
178
 
                avahi.DBUS_INTERFACE_ENTRY_GROUP)
179
 
            self.group.connect_to_signal('StateChanged',
180
 
                                         self
181
 
                                         .entry_group_state_changed)
182
 
        logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
183
 
                     self.name, self.type)
184
 
        self.group.AddService(
185
 
            self.interface,
186
 
            self.protocol,
187
 
            dbus.UInt32(0),     # flags
188
 
            self.name, self.type,
189
 
            self.domain, self.host,
190
 
            dbus.UInt16(self.port),
191
 
            avahi.string_array_to_txt_array(self.TXT))
192
 
        self.group.Commit()
193
 
    def entry_group_state_changed(self, state, error):
194
 
        """Derived from the Avahi example code"""
195
 
        logger.debug(u"Avahi state change: %i", state)
196
 
        
197
 
        if state == avahi.ENTRY_GROUP_ESTABLISHED:
198
 
            logger.debug(u"Zeroconf service established.")
199
 
        elif state == avahi.ENTRY_GROUP_COLLISION:
200
 
            logger.warning(u"Zeroconf service name collision.")
201
 
            self.rename()
202
 
        elif state == avahi.ENTRY_GROUP_FAILURE:
203
 
            logger.critical(u"Avahi: Error in group state changed %s",
204
 
                            unicode(error))
205
 
            raise AvahiGroupError(u"State changed: %s"
206
 
                                  % unicode(error))
207
 
    def cleanup(self):
208
 
        """Derived from the Avahi example code"""
209
 
        if self.group is not None:
210
 
            self.group.Free()
211
 
            self.group = None
212
 
    def server_state_changed(self, state):
213
 
        """Derived from the Avahi example code"""
214
 
        if state == avahi.SERVER_COLLISION:
215
 
            logger.error(u"Zeroconf server name collision")
216
 
            self.remove()
217
 
        elif state == avahi.SERVER_RUNNING:
218
 
            self.add()
219
 
    def activate(self):
220
 
        """Derived from the Avahi example code"""
221
 
        if self.server is None:
222
 
            self.server = dbus.Interface(
223
 
                self.bus.get_object(avahi.DBUS_NAME,
224
 
                                    avahi.DBUS_PATH_SERVER),
225
 
                avahi.DBUS_INTERFACE_SERVER)
226
 
        self.server.connect_to_signal(u"StateChanged",
227
 
                                 self.server_state_changed)
228
 
        self.server_state_changed(self.server.GetState())
 
146
        global group
 
147
        if group is None:
 
148
            group = dbus.Interface\
 
149
                    (bus.get_object(avahi.DBUS_NAME,
 
150
                                    server.EntryGroupNew()),
 
151
                     avahi.DBUS_INTERFACE_ENTRY_GROUP)
 
152
            group.connect_to_signal('StateChanged',
 
153
                                    entry_group_state_changed)
 
154
        logger.debug(u"Adding service '%s' of type '%s' ...",
 
155
                     service.name, service.type)
 
156
        group.AddService(
 
157
                self.interface,         # interface
 
158
                avahi.PROTO_INET6,      # protocol
 
159
                dbus.UInt32(0),         # flags
 
160
                self.name, self.type,
 
161
                self.domain, self.host,
 
162
                dbus.UInt16(self.port),
 
163
                avahi.string_array_to_txt_array(self.TXT))
 
164
        group.Commit()
 
165
 
 
166
# From the Avahi example code:
 
167
group = None                            # our entry group
 
168
# End of Avahi example code
229
169
 
230
170
 
231
171
class Client(object):
232
172
    """A representation of a client host served by this server.
233
 
    
234
173
    Attributes:
235
 
    name:       string; from the config file, used in log messages and
236
 
                        D-Bus identifiers
 
174
    name:      string; from the config file, used in log messages
237
175
    fingerprint: string (40 or 32 hexadecimal digits); used to
238
176
                 uniquely identify the client
239
 
    secret:     bytestring; sent verbatim (over TLS) to client
240
 
    host:       string; available for use by the checker command
241
 
    created:    datetime.datetime(); (UTC) object creation
242
 
    last_enabled: datetime.datetime(); (UTC)
243
 
    enabled:    bool()
244
 
    last_checked_ok: datetime.datetime(); (UTC) or None
245
 
    timeout:    datetime.timedelta(); How long from last_checked_ok
246
 
                                      until this client is disabled
247
 
    interval:   datetime.timedelta(); How often to start a new checker
248
 
    disable_hook:  If set, called by disable() as disable_hook(self)
249
 
    checker:    subprocess.Popen(); a running checker process used
250
 
                                    to see if the client lives.
251
 
                                    'None' if no process is running.
 
177
    secret:    bytestring; sent verbatim (over TLS) to client
 
178
    fqdn:      string (FQDN); available for use by the checker command
 
179
    created:   datetime.datetime(); object creation, not client host
 
180
    last_checked_ok: datetime.datetime() or None if not yet checked OK
 
181
    timeout:   datetime.timedelta(); How long from last_checked_ok
 
182
                                     until this client is invalid
 
183
    interval:  datetime.timedelta(); How often to start a new checker
 
184
    stop_hook: If set, called by stop() as stop_hook(self)
 
185
    checker:   subprocess.Popen(); a running checker process used
 
186
                                   to see if the client lives.
 
187
                                   'None' if no process is running.
252
188
    checker_initiator_tag: a gobject event source tag, or None
253
 
    disable_initiator_tag: - '' -
 
189
    stop_initiator_tag:    - '' -
254
190
    checker_callback_tag:  - '' -
255
191
    checker_command: string; External command which is run to check if
256
192
                     client lives.  %() expansions are done at
257
193
                     runtime with vars(self) as dict, so that for
258
194
                     instance %(name)s can be used in the command.
259
 
    current_checker_command: string; current running checker_command
 
195
    Private attibutes:
 
196
    _timeout: Real variable for 'timeout'
 
197
    _interval: Real variable for 'interval'
 
198
    _timeout_milliseconds: Used when calling gobject.timeout_add()
 
199
    _interval_milliseconds: - '' -
260
200
    """
261
 
    
262
 
    @staticmethod
263
 
    def _timedelta_to_milliseconds(td):
264
 
        "Convert a datetime.timedelta() to milliseconds"
265
 
        return ((td.days * 24 * 60 * 60 * 1000)
266
 
                + (td.seconds * 1000)
267
 
                + (td.microseconds // 1000))
268
 
    
269
 
    def timeout_milliseconds(self):
270
 
        "Return the 'timeout' attribute in milliseconds"
271
 
        return self._timedelta_to_milliseconds(self.timeout)
272
 
    
273
 
    def interval_milliseconds(self):
274
 
        "Return the 'interval' attribute in milliseconds"
275
 
        return self._timedelta_to_milliseconds(self.interval)
276
 
    
277
 
    def __init__(self, name = None, disable_hook=None, config=None):
278
 
        """Note: the 'checker' key in 'config' sets the
279
 
        'checker_command' attribute and *not* the 'checker'
280
 
        attribute."""
 
201
    def _set_timeout(self, timeout):
 
202
        "Setter function for 'timeout' attribute"
 
203
        self._timeout = timeout
 
204
        self._timeout_milliseconds = ((self.timeout.days
 
205
                                       * 24 * 60 * 60 * 1000)
 
206
                                      + (self.timeout.seconds * 1000)
 
207
                                      + (self.timeout.microseconds
 
208
                                         // 1000))
 
209
    timeout = property(lambda self: self._timeout,
 
210
                       _set_timeout)
 
211
    del _set_timeout
 
212
    def _set_interval(self, interval):
 
213
        "Setter function for 'interval' attribute"
 
214
        self._interval = interval
 
215
        self._interval_milliseconds = ((self.interval.days
 
216
                                        * 24 * 60 * 60 * 1000)
 
217
                                       + (self.interval.seconds
 
218
                                          * 1000)
 
219
                                       + (self.interval.microseconds
 
220
                                          // 1000))
 
221
    interval = property(lambda self: self._interval,
 
222
                        _set_interval)
 
223
    del _set_interval
 
224
    def __init__(self, name=None, stop_hook=None, fingerprint=None,
 
225
                 secret=None, secfile=None, fqdn=None, timeout=None,
 
226
                 interval=-1, checker=None):
 
227
        """Note: the 'checker' argument sets the 'checker_command'
 
228
        attribute and not the 'checker' attribute.."""
281
229
        self.name = name
282
 
        if config is None:
283
 
            config = {}
284
230
        logger.debug(u"Creating client %r", self.name)
285
 
        # Uppercase and remove spaces from fingerprint for later
286
 
        # comparison purposes with return value from the fingerprint()
287
 
        # function
288
 
        self.fingerprint = (config[u"fingerprint"].upper()
289
 
                            .replace(u" ", u""))
 
231
        # Uppercase and remove spaces from fingerprint
 
232
        # for later comparison purposes with return value of
 
233
        # the fingerprint() function
 
234
        self.fingerprint = fingerprint.upper().replace(u" ", u"")
290
235
        logger.debug(u"  Fingerprint: %s", self.fingerprint)
291
 
        if u"secret" in config:
292
 
            self.secret = config[u"secret"].decode(u"base64")
293
 
        elif u"secfile" in config:
294
 
            with open(os.path.expanduser(os.path.expandvars
295
 
                                         (config[u"secfile"])),
296
 
                      "rb") as secfile:
297
 
                self.secret = secfile.read()
 
236
        if secret:
 
237
            self.secret = secret.decode(u"base64")
 
238
        elif secfile:
 
239
            sf = open(secfile)
 
240
            self.secret = sf.read()
 
241
            sf.close()
298
242
        else:
299
243
            raise TypeError(u"No secret or secfile for client %s"
300
244
                            % self.name)
301
 
        self.host = config.get(u"host", u"")
302
 
        self.created = datetime.datetime.utcnow()
303
 
        self.enabled = False
304
 
        self.last_enabled = None
 
245
        self.fqdn = fqdn
 
246
        self.created = datetime.datetime.now()
305
247
        self.last_checked_ok = None
306
 
        self.timeout = string_to_delta(config[u"timeout"])
307
 
        self.interval = string_to_delta(config[u"interval"])
308
 
        self.disable_hook = disable_hook
 
248
        self.timeout = string_to_delta(timeout)
 
249
        self.interval = string_to_delta(interval)
 
250
        self.stop_hook = stop_hook
309
251
        self.checker = None
310
252
        self.checker_initiator_tag = None
311
 
        self.disable_initiator_tag = None
 
253
        self.stop_initiator_tag = None
312
254
        self.checker_callback_tag = None
313
 
        self.checker_command = config[u"checker"]
314
 
        self.current_checker_command = None
315
 
        self.last_connect = None
316
 
    
317
 
    def enable(self):
 
255
        self.check_command = checker
 
256
    def start(self):
318
257
        """Start this client's checker and timeout hooks"""
319
 
        if getattr(self, u"enabled", False):
320
 
            # Already enabled
321
 
            return
322
 
        self.last_enabled = datetime.datetime.utcnow()
323
258
        # Schedule a new checker to be started an 'interval' from now,
324
259
        # and every interval from then on.
325
 
        self.checker_initiator_tag = (gobject.timeout_add
326
 
                                      (self.interval_milliseconds(),
327
 
                                       self.start_checker))
328
 
        # Schedule a disable() when 'timeout' has passed
329
 
        self.disable_initiator_tag = (gobject.timeout_add
330
 
                                   (self.timeout_milliseconds(),
331
 
                                    self.disable))
332
 
        self.enabled = True
 
260
        self.checker_initiator_tag = gobject.timeout_add\
 
261
                                     (self._interval_milliseconds,
 
262
                                      self.start_checker)
333
263
        # Also start a new checker *right now*.
334
264
        self.start_checker()
335
 
    
336
 
    def disable(self, quiet=True):
337
 
        """Disable this client."""
338
 
        if not getattr(self, "enabled", False):
 
265
        # Schedule a stop() when 'timeout' has passed
 
266
        self.stop_initiator_tag = gobject.timeout_add\
 
267
                                  (self._timeout_milliseconds,
 
268
                                   self.stop)
 
269
    def stop(self):
 
270
        """Stop this client.
 
271
        The possibility that a client might be restarted is left open,
 
272
        but not currently used."""
 
273
        # If this client doesn't have a secret, it is already stopped.
 
274
        if self.secret:
 
275
            logger.debug(u"Stopping client %s", self.name)
 
276
            self.secret = None
 
277
        else:
339
278
            return False
340
 
        if not quiet:
341
 
            logger.info(u"Disabling client %s", self.name)
342
 
        if getattr(self, u"disable_initiator_tag", False):
343
 
            gobject.source_remove(self.disable_initiator_tag)
344
 
            self.disable_initiator_tag = None
345
 
        if getattr(self, u"checker_initiator_tag", False):
 
279
        if getattr(self, "stop_initiator_tag", False):
 
280
            gobject.source_remove(self.stop_initiator_tag)
 
281
            self.stop_initiator_tag = None
 
282
        if getattr(self, "checker_initiator_tag", False):
346
283
            gobject.source_remove(self.checker_initiator_tag)
347
284
            self.checker_initiator_tag = None
348
285
        self.stop_checker()
349
 
        if self.disable_hook:
350
 
            self.disable_hook(self)
351
 
        self.enabled = False
 
286
        if self.stop_hook:
 
287
            self.stop_hook(self)
352
288
        # Do not run this again if called by a gobject.timeout_add
353
289
        return False
354
 
    
355
290
    def __del__(self):
356
 
        self.disable_hook = None
357
 
        self.disable()
358
 
    
359
 
    def checker_callback(self, pid, condition, command):
 
291
        self.stop_hook = None
 
292
        self.stop()
 
293
    def checker_callback(self, pid, condition):
360
294
        """The checker has completed, so take appropriate actions."""
 
295
        now = datetime.datetime.now()
361
296
        self.checker_callback_tag = None
362
297
        self.checker = None
363
 
        if os.WIFEXITED(condition):
364
 
            exitstatus = os.WEXITSTATUS(condition)
365
 
            if exitstatus == 0:
366
 
                logger.info(u"Checker for %(name)s succeeded",
367
 
                            vars(self))
368
 
                self.checked_ok()
369
 
            else:
370
 
                logger.info(u"Checker for %(name)s failed",
371
 
                            vars(self))
372
 
        else:
 
298
        if os.WIFEXITED(condition) \
 
299
               and (os.WEXITSTATUS(condition) == 0):
 
300
            logger.debug(u"Checker for %(name)s succeeded",
 
301
                         vars(self))
 
302
            self.last_checked_ok = now
 
303
            gobject.source_remove(self.stop_initiator_tag)
 
304
            self.stop_initiator_tag = gobject.timeout_add\
 
305
                                      (self._timeout_milliseconds,
 
306
                                       self.stop)
 
307
        elif not os.WIFEXITED(condition):
373
308
            logger.warning(u"Checker for %(name)s crashed?",
374
309
                           vars(self))
375
 
    
376
 
    def checked_ok(self):
377
 
        """Bump up the timeout for this client.
378
 
        
379
 
        This should only be called when the client has been seen,
380
 
        alive and well.
381
 
        """
382
 
        self.last_checked_ok = datetime.datetime.utcnow()
383
 
        gobject.source_remove(self.disable_initiator_tag)
384
 
        self.disable_initiator_tag = (gobject.timeout_add
385
 
                                      (self.timeout_milliseconds(),
386
 
                                       self.disable))
387
 
    
 
310
        else:
 
311
            logger.debug(u"Checker for %(name)s failed",
 
312
                         vars(self))
388
313
    def start_checker(self):
389
314
        """Start a new checker subprocess if one is not running.
390
 
        
391
315
        If a checker already exists, leave it running and do
392
316
        nothing."""
393
317
        # The reason for not killing a running checker is that if we
396
320
        # client would inevitably timeout, since no checker would get
397
321
        # a chance to run to completion.  If we instead leave running
398
322
        # checkers alone, the checker would have to take more time
399
 
        # than 'timeout' for the client to be disabled, which is as it
400
 
        # should be.
401
 
        
402
 
        # If a checker exists, make sure it is not a zombie
403
 
        try:
404
 
            pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
405
 
        except (AttributeError, OSError), error:
406
 
            if (isinstance(error, OSError)
407
 
                and error.errno != errno.ECHILD):
408
 
                raise error
409
 
        else:
410
 
            if pid:
411
 
                logger.warning(u"Checker was a zombie")
412
 
                gobject.source_remove(self.checker_callback_tag)
413
 
                self.checker_callback(pid, status,
414
 
                                      self.current_checker_command)
415
 
        # Start a new checker if needed
 
323
        # than 'timeout' for the client to be declared invalid, which
 
324
        # is as it should be.
416
325
        if self.checker is None:
417
326
            try:
418
 
                # In case checker_command has exactly one % operator
419
 
                command = self.checker_command % self.host
 
327
                # In case check_command has exactly one % operator
 
328
                command = self.check_command % self.fqdn
420
329
            except TypeError:
421
330
                # Escape attributes for the shell
422
 
                escaped_attrs = dict((key,
423
 
                                      re.escape(unicode(str(val),
424
 
                                                        errors=
425
 
                                                        u'replace')))
 
331
                escaped_attrs = dict((key, re.escape(str(val)))
426
332
                                     for key, val in
427
333
                                     vars(self).iteritems())
428
334
                try:
429
 
                    command = self.checker_command % escaped_attrs
 
335
                    command = self.check_command % escaped_attrs
430
336
                except TypeError, error:
431
337
                    logger.error(u'Could not format string "%s":'
432
 
                                 u' %s', self.checker_command, error)
 
338
                                 u' %s', self.check_command, error)
433
339
                    return True # Try again later
434
 
            self.current_checker_command = command
435
340
            try:
436
 
                logger.info(u"Starting checker %r for %s",
437
 
                            command, self.name)
438
 
                # We don't need to redirect stdout and stderr, since
439
 
                # in normal mode, that is already done by daemon(),
440
 
                # and in debug mode we don't want to.  (Stdin is
441
 
                # always replaced by /dev/null.)
 
341
                logger.debug(u"Starting checker %r for %s",
 
342
                             command, self.name)
442
343
                self.checker = subprocess.Popen(command,
443
344
                                                close_fds=True,
444
 
                                                shell=True, cwd=u"/")
445
 
                self.checker_callback_tag = (gobject.child_watch_add
446
 
                                             (self.checker.pid,
447
 
                                              self.checker_callback,
448
 
                                              data=command))
449
 
                # The checker may have completed before the gobject
450
 
                # watch was added.  Check for this.
451
 
                pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
452
 
                if pid:
453
 
                    gobject.source_remove(self.checker_callback_tag)
454
 
                    self.checker_callback(pid, status, command)
455
 
            except OSError, error:
 
345
                                                shell=True, cwd="/")
 
346
                self.checker_callback_tag = gobject.child_watch_add\
 
347
                                            (self.checker.pid,
 
348
                                             self.checker_callback)
 
349
            except subprocess.OSError, error:
456
350
                logger.error(u"Failed to start subprocess: %s",
457
351
                             error)
458
352
        # Re-run this periodically if run by gobject.timeout_add
459
353
        return True
460
 
    
461
354
    def stop_checker(self):
462
355
        """Force the checker process, if any, to stop."""
463
356
        if self.checker_callback_tag:
464
357
            gobject.source_remove(self.checker_callback_tag)
465
358
            self.checker_callback_tag = None
466
 
        if getattr(self, u"checker", None) is None:
 
359
        if getattr(self, "checker", None) is None:
467
360
            return
468
 
        logger.debug(u"Stopping checker for %(name)s", vars(self))
 
361
        logger.debug("Stopping checker for %(name)s", vars(self))
469
362
        try:
470
363
            os.kill(self.checker.pid, signal.SIGTERM)
471
 
            #time.sleep(0.5)
 
364
            #os.sleep(0.5)
472
365
            #if self.checker.poll() is None:
473
366
            #    os.kill(self.checker.pid, signal.SIGKILL)
474
367
        except OSError, error:
475
368
            if error.errno != errno.ESRCH: # No such process
476
369
                raise
477
370
        self.checker = None
478
 
 
479
 
 
480
 
def dbus_service_property(dbus_interface, signature=u"v",
481
 
                          access=u"readwrite", byte_arrays=False):
482
 
    """Decorators for marking methods of a DBusObjectWithProperties to
483
 
    become properties on the D-Bus.
484
 
    
485
 
    The decorated method will be called with no arguments by "Get"
486
 
    and with one argument by "Set".
487
 
    
488
 
    The parameters, where they are supported, are the same as
489
 
    dbus.service.method, except there is only "signature", since the
490
 
    type from Get() and the type sent to Set() is the same.
491
 
    """
492
 
    # Encoding deeply encoded byte arrays is not supported yet by the
493
 
    # "Set" method, so we fail early here:
494
 
    if byte_arrays and signature != u"ay":
495
 
        raise ValueError(u"Byte arrays not supported for non-'ay'"
496
 
                         u" signature %r" % signature)
497
 
    def decorator(func):
498
 
        func._dbus_is_property = True
499
 
        func._dbus_interface = dbus_interface
500
 
        func._dbus_signature = signature
501
 
        func._dbus_access = access
502
 
        func._dbus_name = func.__name__
503
 
        if func._dbus_name.endswith(u"_dbus_property"):
504
 
            func._dbus_name = func._dbus_name[:-14]
505
 
        func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
506
 
        return func
507
 
    return decorator
508
 
 
509
 
 
510
 
class DBusPropertyException(dbus.exceptions.DBusException):
511
 
    """A base class for D-Bus property-related exceptions
512
 
    """
513
 
    def __unicode__(self):
514
 
        return unicode(str(self))
515
 
 
516
 
 
517
 
class DBusPropertyAccessException(DBusPropertyException):
518
 
    """A property's access permissions disallows an operation.
519
 
    """
520
 
    pass
521
 
 
522
 
 
523
 
class DBusPropertyNotFound(DBusPropertyException):
524
 
    """An attempt was made to access a non-existing property.
525
 
    """
526
 
    pass
527
 
 
528
 
 
529
 
class DBusObjectWithProperties(dbus.service.Object):
530
 
    """A D-Bus object with properties.
531
 
 
532
 
    Classes inheriting from this can use the dbus_service_property
533
 
    decorator to expose methods as D-Bus properties.  It exposes the
534
 
    standard Get(), Set(), and GetAll() methods on the D-Bus.
535
 
    """
536
 
    
537
 
    @staticmethod
538
 
    def _is_dbus_property(obj):
539
 
        return getattr(obj, u"_dbus_is_property", False)
540
 
    
541
 
    def _get_all_dbus_properties(self):
542
 
        """Returns a generator of (name, attribute) pairs
543
 
        """
544
 
        return ((prop._dbus_name, prop)
545
 
                for name, prop in
546
 
                inspect.getmembers(self, self._is_dbus_property))
547
 
    
548
 
    def _get_dbus_property(self, interface_name, property_name):
549
 
        """Returns a bound method if one exists which is a D-Bus
550
 
        property with the specified name and interface.
551
 
        """
552
 
        for name in (property_name,
553
 
                     property_name + u"_dbus_property"):
554
 
            prop = getattr(self, name, None)
555
 
            if (prop is None
556
 
                or not self._is_dbus_property(prop)
557
 
                or prop._dbus_name != property_name
558
 
                or (interface_name and prop._dbus_interface
559
 
                    and interface_name != prop._dbus_interface)):
560
 
                continue
561
 
            return prop
562
 
        # No such property
563
 
        raise DBusPropertyNotFound(self.dbus_object_path + u":"
564
 
                                   + interface_name + u"."
565
 
                                   + property_name)
566
 
    
567
 
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
568
 
                         out_signature=u"v")
569
 
    def Get(self, interface_name, property_name):
570
 
        """Standard D-Bus property Get() method, see D-Bus standard.
571
 
        """
572
 
        prop = self._get_dbus_property(interface_name, property_name)
573
 
        if prop._dbus_access == u"write":
574
 
            raise DBusPropertyAccessException(property_name)
575
 
        value = prop()
576
 
        if not hasattr(value, u"variant_level"):
577
 
            return value
578
 
        return type(value)(value, variant_level=value.variant_level+1)
579
 
    
580
 
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
581
 
    def Set(self, interface_name, property_name, value):
582
 
        """Standard D-Bus property Set() method, see D-Bus standard.
583
 
        """
584
 
        prop = self._get_dbus_property(interface_name, property_name)
585
 
        if prop._dbus_access == u"read":
586
 
            raise DBusPropertyAccessException(property_name)
587
 
        if prop._dbus_get_args_options[u"byte_arrays"]:
588
 
            # The byte_arrays option is not supported yet on
589
 
            # signatures other than "ay".
590
 
            if prop._dbus_signature != u"ay":
591
 
                raise ValueError
592
 
            value = dbus.ByteArray(''.join(unichr(byte)
593
 
                                           for byte in value))
594
 
        prop(value)
595
 
    
596
 
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
597
 
                         out_signature=u"a{sv}")
598
 
    def GetAll(self, interface_name):
599
 
        """Standard D-Bus property GetAll() method, see D-Bus
600
 
        standard.
601
 
 
602
 
        Note: Will not include properties with access="write".
603
 
        """
604
 
        all = {}
605
 
        for name, prop in self._get_all_dbus_properties():
606
 
            if (interface_name
607
 
                and interface_name != prop._dbus_interface):
608
 
                # Interface non-empty but did not match
609
 
                continue
610
 
            # Ignore write-only properties
611
 
            if prop._dbus_access == u"write":
612
 
                continue
613
 
            value = prop()
614
 
            if not hasattr(value, u"variant_level"):
615
 
                all[name] = value
616
 
                continue
617
 
            all[name] = type(value)(value, variant_level=
618
 
                                    value.variant_level+1)
619
 
        return dbus.Dictionary(all, signature=u"sv")
620
 
    
621
 
    @dbus.service.method(dbus.INTROSPECTABLE_IFACE,
622
 
                         out_signature=u"s",
623
 
                         path_keyword='object_path',
624
 
                         connection_keyword='connection')
625
 
    def Introspect(self, object_path, connection):
626
 
        """Standard D-Bus method, overloaded to insert property tags.
627
 
        """
628
 
        xmlstring = dbus.service.Object.Introspect(self, object_path,
629
 
                                                   connection)
630
 
        try:
631
 
            document = xml.dom.minidom.parseString(xmlstring)
632
 
            def make_tag(document, name, prop):
633
 
                e = document.createElement(u"property")
634
 
                e.setAttribute(u"name", name)
635
 
                e.setAttribute(u"type", prop._dbus_signature)
636
 
                e.setAttribute(u"access", prop._dbus_access)
637
 
                return e
638
 
            for if_tag in document.getElementsByTagName(u"interface"):
639
 
                for tag in (make_tag(document, name, prop)
640
 
                            for name, prop
641
 
                            in self._get_all_dbus_properties()
642
 
                            if prop._dbus_interface
643
 
                            == if_tag.getAttribute(u"name")):
644
 
                    if_tag.appendChild(tag)
645
 
                # Add the names to the return values for the
646
 
                # "org.freedesktop.DBus.Properties" methods
647
 
                if (if_tag.getAttribute(u"name")
648
 
                    == u"org.freedesktop.DBus.Properties"):
649
 
                    for cn in if_tag.getElementsByTagName(u"method"):
650
 
                        if cn.getAttribute(u"name") == u"Get":
651
 
                            for arg in cn.getElementsByTagName(u"arg"):
652
 
                                if (arg.getAttribute(u"direction")
653
 
                                    == u"out"):
654
 
                                    arg.setAttribute(u"name", u"value")
655
 
                        elif cn.getAttribute(u"name") == u"GetAll":
656
 
                            for arg in cn.getElementsByTagName(u"arg"):
657
 
                                if (arg.getAttribute(u"direction")
658
 
                                    == u"out"):
659
 
                                    arg.setAttribute(u"name", u"props")
660
 
            xmlstring = document.toxml(u"utf-8")
661
 
            document.unlink()
662
 
        except (AttributeError, xml.dom.DOMException,
663
 
                xml.parsers.expat.ExpatError), error:
664
 
            logger.error(u"Failed to override Introspection method",
665
 
                         error)
666
 
        return xmlstring
667
 
 
668
 
 
669
 
class ClientDBus(Client, DBusObjectWithProperties):
670
 
    """A Client class using D-Bus
671
 
    
672
 
    Attributes:
673
 
    dbus_object_path: dbus.ObjectPath
674
 
    bus: dbus.SystemBus()
675
 
    """
676
 
    # dbus.service.Object doesn't use super(), so we can't either.
677
 
    
678
 
    def __init__(self, bus = None, *args, **kwargs):
679
 
        self.bus = bus
680
 
        Client.__init__(self, *args, **kwargs)
681
 
        # Only now, when this client is initialized, can it show up on
682
 
        # the D-Bus
683
 
        self.dbus_object_path = (dbus.ObjectPath
684
 
                                 (u"/clients/"
685
 
                                  + self.name.replace(u".", u"_")))
686
 
        DBusObjectWithProperties.__init__(self, self.bus,
687
 
                                          self.dbus_object_path)
688
 
    
689
 
    @staticmethod
690
 
    def _datetime_to_dbus(dt, variant_level=0):
691
 
        """Convert a UTC datetime.datetime() to a D-Bus type."""
692
 
        return dbus.String(dt.isoformat(),
693
 
                           variant_level=variant_level)
694
 
    
695
 
    def enable(self):
696
 
        oldstate = getattr(self, u"enabled", False)
697
 
        r = Client.enable(self)
698
 
        if oldstate != self.enabled:
699
 
            # Emit D-Bus signals
700
 
            self.PropertyChanged(dbus.String(u"enabled"),
701
 
                                 dbus.Boolean(True, variant_level=1))
702
 
            self.PropertyChanged(
703
 
                dbus.String(u"last_enabled"),
704
 
                self._datetime_to_dbus(self.last_enabled,
705
 
                                       variant_level=1))
706
 
        return r
707
 
    
708
 
    def disable(self, quiet = False):
709
 
        oldstate = getattr(self, u"enabled", False)
710
 
        r = Client.disable(self, quiet=quiet)
711
 
        if not quiet and oldstate != self.enabled:
712
 
            # Emit D-Bus signal
713
 
            self.PropertyChanged(dbus.String(u"enabled"),
714
 
                                 dbus.Boolean(False, variant_level=1))
715
 
        return r
716
 
    
717
 
    def __del__(self, *args, **kwargs):
718
 
        try:
719
 
            self.remove_from_connection()
720
 
        except LookupError:
721
 
            pass
722
 
        if hasattr(DBusObjectWithProperties, u"__del__"):
723
 
            DBusObjectWithProperties.__del__(self, *args, **kwargs)
724
 
        Client.__del__(self, *args, **kwargs)
725
 
    
726
 
    def checker_callback(self, pid, condition, command,
727
 
                         *args, **kwargs):
728
 
        self.checker_callback_tag = None
729
 
        self.checker = None
730
 
        # Emit D-Bus signal
731
 
        self.PropertyChanged(dbus.String(u"checker_running"),
732
 
                             dbus.Boolean(False, variant_level=1))
733
 
        if os.WIFEXITED(condition):
734
 
            exitstatus = os.WEXITSTATUS(condition)
735
 
            # Emit D-Bus signal
736
 
            self.CheckerCompleted(dbus.Int16(exitstatus),
737
 
                                  dbus.Int64(condition),
738
 
                                  dbus.String(command))
739
 
        else:
740
 
            # Emit D-Bus signal
741
 
            self.CheckerCompleted(dbus.Int16(-1),
742
 
                                  dbus.Int64(condition),
743
 
                                  dbus.String(command))
744
 
        
745
 
        return Client.checker_callback(self, pid, condition, command,
746
 
                                       *args, **kwargs)
747
 
    
748
 
    def checked_ok(self, *args, **kwargs):
749
 
        r = Client.checked_ok(self, *args, **kwargs)
750
 
        # Emit D-Bus signal
751
 
        self.PropertyChanged(
752
 
            dbus.String(u"last_checked_ok"),
753
 
            (self._datetime_to_dbus(self.last_checked_ok,
754
 
                                    variant_level=1)))
755
 
        return r
756
 
    
757
 
    def start_checker(self, *args, **kwargs):
758
 
        old_checker = self.checker
759
 
        if self.checker is not None:
760
 
            old_checker_pid = self.checker.pid
761
 
        else:
762
 
            old_checker_pid = None
763
 
        r = Client.start_checker(self, *args, **kwargs)
764
 
        # Only if new checker process was started
765
 
        if (self.checker is not None
766
 
            and old_checker_pid != self.checker.pid):
767
 
            # Emit D-Bus signal
768
 
            self.CheckerStarted(self.current_checker_command)
769
 
            self.PropertyChanged(
770
 
                dbus.String(u"checker_running"),
771
 
                dbus.Boolean(True, variant_level=1))
772
 
        return r
773
 
    
774
 
    def stop_checker(self, *args, **kwargs):
775
 
        old_checker = getattr(self, u"checker", None)
776
 
        r = Client.stop_checker(self, *args, **kwargs)
777
 
        if (old_checker is not None
778
 
            and getattr(self, u"checker", None) is None):
779
 
            self.PropertyChanged(dbus.String(u"checker_running"),
780
 
                                 dbus.Boolean(False, variant_level=1))
781
 
        return r
782
 
    
783
 
    ## D-Bus methods, signals & properties
784
 
    _interface = u"se.bsnet.fukt.Mandos.Client"
785
 
    
786
 
    ## Signals
787
 
    
788
 
    # CheckerCompleted - signal
789
 
    @dbus.service.signal(_interface, signature=u"nxs")
790
 
    def CheckerCompleted(self, exitcode, waitstatus, command):
791
 
        "D-Bus signal"
792
 
        pass
793
 
    
794
 
    # CheckerStarted - signal
795
 
    @dbus.service.signal(_interface, signature=u"s")
796
 
    def CheckerStarted(self, command):
797
 
        "D-Bus signal"
798
 
        pass
799
 
    
800
 
    # PropertyChanged - signal
801
 
    @dbus.service.signal(_interface, signature=u"sv")
802
 
    def PropertyChanged(self, property, value):
803
 
        "D-Bus signal"
804
 
        pass
805
 
    
806
 
    # GotSecret - signal
807
 
    @dbus.service.signal(_interface)
808
 
    def GotSecret(self):
809
 
        "D-Bus signal"
810
 
        pass
811
 
    
812
 
    # Rejected - signal
813
 
    @dbus.service.signal(_interface)
814
 
    def Rejected(self):
815
 
        "D-Bus signal"
816
 
        pass
817
 
    
818
 
    ## Methods
819
 
    
820
 
    # CheckedOK - method
821
 
    @dbus.service.method(_interface)
822
 
    def CheckedOK(self):
823
 
        return self.checked_ok()
824
 
    
825
 
    # Enable - method
826
 
    @dbus.service.method(_interface)
827
 
    def Enable(self):
828
 
        "D-Bus method"
829
 
        self.enable()
830
 
    
831
 
    # StartChecker - method
832
 
    @dbus.service.method(_interface)
833
 
    def StartChecker(self):
834
 
        "D-Bus method"
835
 
        self.start_checker()
836
 
    
837
 
    # Disable - method
838
 
    @dbus.service.method(_interface)
839
 
    def Disable(self):
840
 
        "D-Bus method"
841
 
        self.disable()
842
 
    
843
 
    # StopChecker - method
844
 
    @dbus.service.method(_interface)
845
 
    def StopChecker(self):
846
 
        self.stop_checker()
847
 
    
848
 
    ## Properties
849
 
    
850
 
    # name - property
851
 
    @dbus_service_property(_interface, signature=u"s", access=u"read")
852
 
    def name_dbus_property(self):
853
 
        return dbus.String(self.name)
854
 
    
855
 
    # fingerprint - property
856
 
    @dbus_service_property(_interface, signature=u"s", access=u"read")
857
 
    def fingerprint_dbus_property(self):
858
 
        return dbus.String(self.fingerprint)
859
 
    
860
 
    # host - property
861
 
    @dbus_service_property(_interface, signature=u"s",
862
 
                           access=u"readwrite")
863
 
    def host_dbus_property(self, value=None):
864
 
        if value is None:       # get
865
 
            return dbus.String(self.host)
866
 
        self.host = value
867
 
        # Emit D-Bus signal
868
 
        self.PropertyChanged(dbus.String(u"host"),
869
 
                             dbus.String(value, variant_level=1))
870
 
    
871
 
    # created - property
872
 
    @dbus_service_property(_interface, signature=u"s", access=u"read")
873
 
    def created_dbus_property(self):
874
 
        return dbus.String(self._datetime_to_dbus(self.created))
875
 
    
876
 
    # last_enabled - property
877
 
    @dbus_service_property(_interface, signature=u"s", access=u"read")
878
 
    def last_enabled_dbus_property(self):
879
 
        if self.last_enabled is None:
880
 
            return dbus.String(u"")
881
 
        return dbus.String(self._datetime_to_dbus(self.last_enabled))
882
 
    
883
 
    # enabled - property
884
 
    @dbus_service_property(_interface, signature=u"b",
885
 
                           access=u"readwrite")
886
 
    def enabled_dbus_property(self, value=None):
887
 
        if value is None:       # get
888
 
            return dbus.Boolean(self.enabled)
889
 
        if value:
890
 
            self.enable()
891
 
        else:
892
 
            self.disable()
893
 
    
894
 
    # last_checked_ok - property
895
 
    @dbus_service_property(_interface, signature=u"s",
896
 
                           access=u"readwrite")
897
 
    def last_checked_ok_dbus_property(self, value=None):
898
 
        if value is not None:
899
 
            self.checked_ok()
900
 
            return
 
371
    def still_valid(self):
 
372
        """Has the timeout not yet passed for this client?"""
 
373
        now = datetime.datetime.now()
901
374
        if self.last_checked_ok is None:
902
 
            return dbus.String(u"")
903
 
        return dbus.String(self._datetime_to_dbus(self
904
 
                                                  .last_checked_ok))
905
 
    
906
 
    # timeout - property
907
 
    @dbus_service_property(_interface, signature=u"t",
908
 
                           access=u"readwrite")
909
 
    def timeout_dbus_property(self, value=None):
910
 
        if value is None:       # get
911
 
            return dbus.UInt64(self.timeout_milliseconds())
912
 
        self.timeout = datetime.timedelta(0, 0, 0, value)
913
 
        # Emit D-Bus signal
914
 
        self.PropertyChanged(dbus.String(u"timeout"),
915
 
                             dbus.UInt64(value, variant_level=1))
916
 
        if getattr(self, u"disable_initiator_tag", None) is None:
917
 
            return
918
 
        # Reschedule timeout
919
 
        gobject.source_remove(self.disable_initiator_tag)
920
 
        self.disable_initiator_tag = None
921
 
        time_to_die = (self.
922
 
                       _timedelta_to_milliseconds((self
923
 
                                                   .last_checked_ok
924
 
                                                   + self.timeout)
925
 
                                                  - datetime.datetime
926
 
                                                  .utcnow()))
927
 
        if time_to_die <= 0:
928
 
            # The timeout has passed
929
 
            self.disable()
930
 
        else:
931
 
            self.disable_initiator_tag = (gobject.timeout_add
932
 
                                          (time_to_die, self.disable))
933
 
    
934
 
    # interval - property
935
 
    @dbus_service_property(_interface, signature=u"t",
936
 
                           access=u"readwrite")
937
 
    def interval_dbus_property(self, value=None):
938
 
        if value is None:       # get
939
 
            return dbus.UInt64(self.interval_milliseconds())
940
 
        self.interval = datetime.timedelta(0, 0, 0, value)
941
 
        # Emit D-Bus signal
942
 
        self.PropertyChanged(dbus.String(u"interval"),
943
 
                             dbus.UInt64(value, variant_level=1))
944
 
        if getattr(self, u"checker_initiator_tag", None) is None:
945
 
            return
946
 
        # Reschedule checker run
947
 
        gobject.source_remove(self.checker_initiator_tag)
948
 
        self.checker_initiator_tag = (gobject.timeout_add
949
 
                                      (value, self.start_checker))
950
 
        self.start_checker()    # Start one now, too
951
 
 
952
 
    # checker - property
953
 
    @dbus_service_property(_interface, signature=u"s",
954
 
                           access=u"readwrite")
955
 
    def checker_dbus_property(self, value=None):
956
 
        if value is None:       # get
957
 
            return dbus.String(self.checker_command)
958
 
        self.checker_command = value
959
 
        # Emit D-Bus signal
960
 
        self.PropertyChanged(dbus.String(u"checker"),
961
 
                             dbus.String(self.checker_command,
962
 
                                         variant_level=1))
963
 
    
964
 
    # checker_running - property
965
 
    @dbus_service_property(_interface, signature=u"b",
966
 
                           access=u"readwrite")
967
 
    def checker_running_dbus_property(self, value=None):
968
 
        if value is None:       # get
969
 
            return dbus.Boolean(self.checker is not None)
970
 
        if value:
971
 
            self.start_checker()
972
 
        else:
973
 
            self.stop_checker()
974
 
    
975
 
    # object_path - property
976
 
    @dbus_service_property(_interface, signature=u"o", access=u"read")
977
 
    def object_path_dbus_property(self):
978
 
        return self.dbus_object_path # is already a dbus.ObjectPath
979
 
    
980
 
    # secret = property
981
 
    @dbus_service_property(_interface, signature=u"ay",
982
 
                           access=u"write", byte_arrays=True)
983
 
    def secret_dbus_property(self, value):
984
 
        self.secret = str(value)
985
 
    
986
 
    del _interface
987
 
 
988
 
 
989
 
class ClientHandler(socketserver.BaseRequestHandler, object):
990
 
    """A class to handle client connections.
991
 
    
992
 
    Instantiated once for each connection to handle it.
 
375
            return now < (self.created + self.timeout)
 
376
        else:
 
377
            return now < (self.last_checked_ok + self.timeout)
 
378
 
 
379
 
 
380
def peer_certificate(session):
 
381
    "Return the peer's OpenPGP certificate as a bytestring"
 
382
    # If not an OpenPGP certificate...
 
383
    if gnutls.library.functions.gnutls_certificate_type_get\
 
384
            (session._c_object) \
 
385
           != gnutls.library.constants.GNUTLS_CRT_OPENPGP:
 
386
        # ...do the normal thing
 
387
        return session.peer_certificate
 
388
    list_size = ctypes.c_uint()
 
389
    cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
 
390
        (session._c_object, ctypes.byref(list_size))
 
391
    if list_size.value == 0:
 
392
        return None
 
393
    cert = cert_list[0]
 
394
    return ctypes.string_at(cert.data, cert.size)
 
395
 
 
396
 
 
397
def fingerprint(openpgp):
 
398
    "Convert an OpenPGP bytestring to a hexdigit fingerprint string"
 
399
    # New empty GnuTLS certificate
 
400
    crt = gnutls.library.types.gnutls_openpgp_crt_t()
 
401
    gnutls.library.functions.gnutls_openpgp_crt_init\
 
402
        (ctypes.byref(crt))
 
403
    # New GnuTLS "datum" with the OpenPGP public key
 
404
    datum = gnutls.library.types.gnutls_datum_t\
 
405
        (ctypes.cast(ctypes.c_char_p(openpgp),
 
406
                     ctypes.POINTER(ctypes.c_ubyte)),
 
407
         ctypes.c_uint(len(openpgp)))
 
408
    # Import the OpenPGP public key into the certificate
 
409
    ret = gnutls.library.functions.gnutls_openpgp_crt_import\
 
410
        (crt,
 
411
         ctypes.byref(datum),
 
412
         gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
 
413
    # New buffer for the fingerprint
 
414
    buffer = ctypes.create_string_buffer(20)
 
415
    buffer_length = ctypes.c_size_t()
 
416
    # Get the fingerprint from the certificate into the buffer
 
417
    gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
 
418
        (crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
 
419
    # Deinit the certificate
 
420
    gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
 
421
    # Convert the buffer to a Python bytestring
 
422
    fpr = ctypes.string_at(buffer, buffer_length.value)
 
423
    # Convert the bytestring to hexadecimal notation
 
424
    hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
 
425
    return hex_fpr
 
426
 
 
427
 
 
428
class tcp_handler(SocketServer.BaseRequestHandler, object):
 
429
    """A TCP request handler class.
 
430
    Instantiated by IPv6_TCPServer for each request to handle it.
993
431
    Note: This will run in its own forked process."""
994
432
    
995
433
    def handle(self):
996
 
        logger.info(u"TCP connection from: %s",
997
 
                    unicode(self.client_address))
998
 
        logger.debug(u"IPC Pipe FD: %d",
999
 
                     self.server.child_pipe[1].fileno())
1000
 
        # Open IPC pipe to parent process
1001
 
        with contextlib.nested(self.server.child_pipe[1],
1002
 
                               self.server.parent_pipe[0]
1003
 
                               ) as (ipc, ipc_return):
1004
 
            session = (gnutls.connection
1005
 
                       .ClientSession(self.request,
1006
 
                                      gnutls.connection
1007
 
                                      .X509Credentials()))
1008
 
            
1009
 
            line = self.request.makefile().readline()
1010
 
            logger.debug(u"Protocol version: %r", line)
1011
 
            try:
1012
 
                if int(line.strip().split()[0]) > 1:
1013
 
                    raise RuntimeError
1014
 
            except (ValueError, IndexError, RuntimeError), error:
1015
 
                logger.error(u"Unknown protocol version: %s", error)
1016
 
                return
1017
 
            
1018
 
            # Note: gnutls.connection.X509Credentials is really a
1019
 
            # generic GnuTLS certificate credentials object so long as
1020
 
            # no X.509 keys are added to it.  Therefore, we can use it
1021
 
            # here despite using OpenPGP certificates.
1022
 
            
1023
 
            #priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1024
 
            #                      u"+AES-256-CBC", u"+SHA1",
1025
 
            #                      u"+COMP-NULL", u"+CTYPE-OPENPGP",
1026
 
            #                      u"+DHE-DSS"))
1027
 
            # Use a fallback default, since this MUST be set.
1028
 
            priority = self.server.gnutls_priority
1029
 
            if priority is None:
1030
 
                priority = u"NORMAL"
1031
 
            (gnutls.library.functions
1032
 
             .gnutls_priority_set_direct(session._c_object,
1033
 
                                         priority, None))
1034
 
            
1035
 
            try:
1036
 
                session.handshake()
1037
 
            except gnutls.errors.GNUTLSError, error:
1038
 
                logger.warning(u"Handshake failed: %s", error)
1039
 
                # Do not run session.bye() here: the session is not
1040
 
                # established.  Just abandon the request.
1041
 
                return
1042
 
            logger.debug(u"Handshake succeeded")
1043
 
            try:
1044
 
                try:
1045
 
                    fpr = self.fingerprint(self.peer_certificate
1046
 
                                           (session))
1047
 
                except (TypeError, gnutls.errors.GNUTLSError), error:
1048
 
                    logger.warning(u"Bad certificate: %s", error)
1049
 
                    return
1050
 
                logger.debug(u"Fingerprint: %s", fpr)
1051
 
 
1052
 
                for c in self.server.clients:
1053
 
                    if c.fingerprint == fpr:
1054
 
                        client = c
1055
 
                        break
1056
 
                else:
1057
 
                    ipc.write(u"NOTFOUND %s %s\n"
1058
 
                              % (fpr, unicode(self.client_address)))
1059
 
                    return
1060
 
                # Have to check if client.enabled, since it is
1061
 
                # possible that the client was disabled since the
1062
 
                # GnuTLS session was established.
1063
 
                ipc.write(u"GETATTR enabled %s\n" % fpr)
1064
 
                enabled = pickle.load(ipc_return)
1065
 
                if not enabled:
1066
 
                    ipc.write(u"DISABLED %s\n" % client.name)
1067
 
                    return
1068
 
                ipc.write(u"SENDING %s\n" % client.name)
1069
 
                sent_size = 0
1070
 
                while sent_size < len(client.secret):
1071
 
                    sent = session.send(client.secret[sent_size:])
1072
 
                    logger.debug(u"Sent: %d, remaining: %d",
1073
 
                                 sent, len(client.secret)
1074
 
                                 - (sent_size + sent))
1075
 
                    sent_size += sent
1076
 
            finally:
1077
 
                session.bye()
1078
 
    
1079
 
    @staticmethod
1080
 
    def peer_certificate(session):
1081
 
        "Return the peer's OpenPGP certificate as a bytestring"
1082
 
        # If not an OpenPGP certificate...
1083
 
        if (gnutls.library.functions
1084
 
            .gnutls_certificate_type_get(session._c_object)
1085
 
            != gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1086
 
            # ...do the normal thing
1087
 
            return session.peer_certificate
1088
 
        list_size = ctypes.c_uint(1)
1089
 
        cert_list = (gnutls.library.functions
1090
 
                     .gnutls_certificate_get_peers
1091
 
                     (session._c_object, ctypes.byref(list_size)))
1092
 
        if not bool(cert_list) and list_size.value != 0:
1093
 
            raise gnutls.errors.GNUTLSError(u"error getting peer"
1094
 
                                            u" certificate")
1095
 
        if list_size.value == 0:
1096
 
            return None
1097
 
        cert = cert_list[0]
1098
 
        return ctypes.string_at(cert.data, cert.size)
1099
 
    
1100
 
    @staticmethod
1101
 
    def fingerprint(openpgp):
1102
 
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
1103
 
        # New GnuTLS "datum" with the OpenPGP public key
1104
 
        datum = (gnutls.library.types
1105
 
                 .gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1106
 
                                             ctypes.POINTER
1107
 
                                             (ctypes.c_ubyte)),
1108
 
                                 ctypes.c_uint(len(openpgp))))
1109
 
        # New empty GnuTLS certificate
1110
 
        crt = gnutls.library.types.gnutls_openpgp_crt_t()
1111
 
        (gnutls.library.functions
1112
 
         .gnutls_openpgp_crt_init(ctypes.byref(crt)))
1113
 
        # Import the OpenPGP public key into the certificate
1114
 
        (gnutls.library.functions
1115
 
         .gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1116
 
                                    gnutls.library.constants
1117
 
                                    .GNUTLS_OPENPGP_FMT_RAW))
1118
 
        # Verify the self signature in the key
1119
 
        crtverify = ctypes.c_uint()
1120
 
        (gnutls.library.functions
1121
 
         .gnutls_openpgp_crt_verify_self(crt, 0,
1122
 
                                         ctypes.byref(crtverify)))
1123
 
        if crtverify.value != 0:
1124
 
            gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1125
 
            raise (gnutls.errors.CertificateSecurityError
1126
 
                   (u"Verify failed"))
1127
 
        # New buffer for the fingerprint
1128
 
        buf = ctypes.create_string_buffer(20)
1129
 
        buf_len = ctypes.c_size_t()
1130
 
        # Get the fingerprint from the certificate into the buffer
1131
 
        (gnutls.library.functions
1132
 
         .gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1133
 
                                             ctypes.byref(buf_len)))
1134
 
        # Deinit the certificate
1135
 
        gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1136
 
        # Convert the buffer to a Python bytestring
1137
 
        fpr = ctypes.string_at(buf, buf_len.value)
1138
 
        # Convert the bytestring to hexadecimal notation
1139
 
        hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1140
 
        return hex_fpr
1141
 
 
1142
 
 
1143
 
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1144
 
    """Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1145
 
    def process_request(self, request, client_address):
1146
 
        """Overrides and wraps the original process_request().
1147
 
        
1148
 
        This function creates a new pipe in self.pipe
1149
 
        """
1150
 
        # Child writes to child_pipe
1151
 
        self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1152
 
        # Parent writes to parent_pipe
1153
 
        self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1154
 
        super(ForkingMixInWithPipes,
1155
 
              self).process_request(request, client_address)
1156
 
        # Close unused ends for parent
1157
 
        self.parent_pipe[0].close() # close read end
1158
 
        self.child_pipe[1].close()  # close write end
1159
 
        self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1160
 
    def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1161
 
        """Dummy function; override as necessary"""
1162
 
        child_pipe_fd.close()
1163
 
        parent_pipe_fd.close()
1164
 
 
1165
 
 
1166
 
class IPv6_TCPServer(ForkingMixInWithPipes,
1167
 
                     socketserver.TCPServer, object):
1168
 
    """IPv6-capable TCP server.  Accepts 'None' as address and/or port
1169
 
    
 
434
        logger.debug(u"TCP connection from: %s",
 
435
                     unicode(self.client_address))
 
436
        session = gnutls.connection.ClientSession\
 
437
                  (self.request, gnutls.connection.X509Credentials())
 
438
        
 
439
        line = self.request.makefile().readline()
 
440
        logger.debug(u"Protocol version: %r", line)
 
441
        try:
 
442
            if int(line.strip().split()[0]) > 1:
 
443
                raise RuntimeError
 
444
        except (ValueError, IndexError, RuntimeError), error:
 
445
            logger.error(u"Unknown protocol version: %s", error)
 
446
            return
 
447
        
 
448
        # Note: gnutls.connection.X509Credentials is really a generic
 
449
        # GnuTLS certificate credentials object so long as no X.509
 
450
        # keys are added to it.  Therefore, we can use it here despite
 
451
        # using OpenPGP certificates.
 
452
        
 
453
        #priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
 
454
        #                "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
 
455
        #                "+DHE-DSS"))
 
456
        priority = "NORMAL"             # Fallback default, since this
 
457
                                        # MUST be set.
 
458
        if self.server.settings["priority"]:
 
459
            priority = self.server.settings["priority"]
 
460
        gnutls.library.functions.gnutls_priority_set_direct\
 
461
            (session._c_object, priority, None);
 
462
        
 
463
        try:
 
464
            session.handshake()
 
465
        except gnutls.errors.GNUTLSError, error:
 
466
            logger.debug(u"Handshake failed: %s", error)
 
467
            # Do not run session.bye() here: the session is not
 
468
            # established.  Just abandon the request.
 
469
            return
 
470
        try:
 
471
            fpr = fingerprint(peer_certificate(session))
 
472
        except (TypeError, gnutls.errors.GNUTLSError), error:
 
473
            logger.debug(u"Bad certificate: %s", error)
 
474
            session.bye()
 
475
            return
 
476
        logger.debug(u"Fingerprint: %s", fpr)
 
477
        client = None
 
478
        for c in self.server.clients:
 
479
            if c.fingerprint == fpr:
 
480
                client = c
 
481
                break
 
482
        if not client:
 
483
            logger.debug(u"Client not found for fingerprint: %s", fpr)
 
484
            session.bye()
 
485
            return
 
486
        # Have to check if client.still_valid(), since it is possible
 
487
        # that the client timed out while establishing the GnuTLS
 
488
        # session.
 
489
        if not client.still_valid():
 
490
            logger.debug(u"Client %(name)s is invalid", vars(client))
 
491
            session.bye()
 
492
            return
 
493
        sent_size = 0
 
494
        while sent_size < len(client.secret):
 
495
            sent = session.send(client.secret[sent_size:])
 
496
            logger.debug(u"Sent: %d, remaining: %d",
 
497
                         sent, len(client.secret)
 
498
                         - (sent_size + sent))
 
499
            sent_size += sent
 
500
        session.bye()
 
501
 
 
502
 
 
503
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
 
504
    """IPv6 TCP server.  Accepts 'None' as address and/or port.
1170
505
    Attributes:
1171
 
        enabled:        Boolean; whether this server is activated yet
1172
 
        interface:      None or a network interface name (string)
1173
 
        use_ipv6:       Boolean; to use IPv6 or not
 
506
        settings:       Server settings
 
507
        clients:        Set() of Client objects
1174
508
    """
1175
 
    def __init__(self, server_address, RequestHandlerClass,
1176
 
                 interface=None, use_ipv6=True):
1177
 
        self.interface = interface
1178
 
        if use_ipv6:
1179
 
            self.address_family = socket.AF_INET6
1180
 
        socketserver.TCPServer.__init__(self, server_address,
1181
 
                                        RequestHandlerClass)
 
509
    address_family = socket.AF_INET6
 
510
    def __init__(self, *args, **kwargs):
 
511
        if "settings" in kwargs:
 
512
            self.settings = kwargs["settings"]
 
513
            del kwargs["settings"]
 
514
        if "clients" in kwargs:
 
515
            self.clients = kwargs["clients"]
 
516
            del kwargs["clients"]
 
517
        return super(type(self), self).__init__(*args, **kwargs)
1182
518
    def server_bind(self):
1183
519
        """This overrides the normal server_bind() function
1184
520
        to bind to an interface if one was specified, and also NOT to
1185
521
        bind to an address or port if they were not specified."""
1186
 
        if self.interface is not None:
1187
 
            if SO_BINDTODEVICE is None:
1188
 
                logger.error(u"SO_BINDTODEVICE does not exist;"
1189
 
                             u" cannot bind to interface %s",
1190
 
                             self.interface)
1191
 
            else:
1192
 
                try:
1193
 
                    self.socket.setsockopt(socket.SOL_SOCKET,
1194
 
                                           SO_BINDTODEVICE,
1195
 
                                           str(self.interface
1196
 
                                               + u'\0'))
1197
 
                except socket.error, error:
1198
 
                    if error[0] == errno.EPERM:
1199
 
                        logger.error(u"No permission to"
1200
 
                                     u" bind to interface %s",
1201
 
                                     self.interface)
1202
 
                    elif error[0] == errno.ENOPROTOOPT:
1203
 
                        logger.error(u"SO_BINDTODEVICE not available;"
1204
 
                                     u" cannot bind to interface %s",
1205
 
                                     self.interface)
1206
 
                    else:
1207
 
                        raise
 
522
        if self.settings["interface"]:
 
523
            # 25 is from /usr/include/asm-i486/socket.h
 
524
            SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
 
525
            try:
 
526
                self.socket.setsockopt(socket.SOL_SOCKET,
 
527
                                       SO_BINDTODEVICE,
 
528
                                       self.settings["interface"])
 
529
            except socket.error, error:
 
530
                if error[0] == errno.EPERM:
 
531
                    logger.warning(u"No permission to"
 
532
                                   u" bind to interface %s",
 
533
                                   self.settings["interface"])
 
534
                else:
 
535
                    raise error
1208
536
        # Only bind(2) the socket if we really need to.
1209
537
        if self.server_address[0] or self.server_address[1]:
1210
538
            if not self.server_address[0]:
1211
 
                if self.address_family == socket.AF_INET6:
1212
 
                    any_address = u"::" # in6addr_any
1213
 
                else:
1214
 
                    any_address = socket.INADDR_ANY
1215
 
                self.server_address = (any_address,
 
539
                in6addr_any = "::"
 
540
                self.server_address = (in6addr_any,
1216
541
                                       self.server_address[1])
1217
 
            elif not self.server_address[1]:
 
542
            elif self.server_address[1] is None:
1218
543
                self.server_address = (self.server_address[0],
1219
544
                                       0)
1220
 
#                 if self.interface:
1221
 
#                     self.server_address = (self.server_address[0],
1222
 
#                                            0, # port
1223
 
#                                            0, # flowinfo
1224
 
#                                            if_nametoindex
1225
 
#                                            (self.interface))
1226
 
            return socketserver.TCPServer.server_bind(self)
1227
 
 
1228
 
 
1229
 
class MandosServer(IPv6_TCPServer):
1230
 
    """Mandos server.
1231
 
    
1232
 
    Attributes:
1233
 
        clients:        set of Client objects
1234
 
        gnutls_priority GnuTLS priority string
1235
 
        use_dbus:       Boolean; to emit D-Bus signals or not
1236
 
    
1237
 
    Assumes a gobject.MainLoop event loop.
1238
 
    """
1239
 
    def __init__(self, server_address, RequestHandlerClass,
1240
 
                 interface=None, use_ipv6=True, clients=None,
1241
 
                 gnutls_priority=None, use_dbus=True):
1242
 
        self.enabled = False
1243
 
        self.clients = clients
1244
 
        if self.clients is None:
1245
 
            self.clients = set()
1246
 
        self.use_dbus = use_dbus
1247
 
        self.gnutls_priority = gnutls_priority
1248
 
        IPv6_TCPServer.__init__(self, server_address,
1249
 
                                RequestHandlerClass,
1250
 
                                interface = interface,
1251
 
                                use_ipv6 = use_ipv6)
1252
 
    def server_activate(self):
1253
 
        if self.enabled:
1254
 
            return socketserver.TCPServer.server_activate(self)
1255
 
    def enable(self):
1256
 
        self.enabled = True
1257
 
    def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1258
 
        # Call "handle_ipc" for both data and EOF events
1259
 
        gobject.io_add_watch(child_pipe_fd.fileno(),
1260
 
                             gobject.IO_IN | gobject.IO_HUP,
1261
 
                             functools.partial(self.handle_ipc,
1262
 
                                               reply = parent_pipe_fd,
1263
 
                                               sender= child_pipe_fd))
1264
 
    def handle_ipc(self, source, condition, reply=None, sender=None):
1265
 
        condition_names = {
1266
 
            gobject.IO_IN: u"IN",   # There is data to read.
1267
 
            gobject.IO_OUT: u"OUT", # Data can be written (without
1268
 
                                    # blocking).
1269
 
            gobject.IO_PRI: u"PRI", # There is urgent data to read.
1270
 
            gobject.IO_ERR: u"ERR", # Error condition.
1271
 
            gobject.IO_HUP: u"HUP"  # Hung up (the connection has been
1272
 
                                    # broken, usually for pipes and
1273
 
                                    # sockets).
1274
 
            }
1275
 
        conditions_string = ' | '.join(name
1276
 
                                       for cond, name in
1277
 
                                       condition_names.iteritems()
1278
 
                                       if cond & condition)
1279
 
        logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1280
 
                     conditions_string)
1281
 
        
1282
 
        # Read a line from the file object
1283
 
        cmdline = sender.readline()
1284
 
        if not cmdline:             # Empty line means end of file
1285
 
            # close the IPC pipes
1286
 
            sender.close()
1287
 
            reply.close()
1288
 
            
1289
 
            # Stop calling this function
1290
 
            return False
1291
 
        
1292
 
        logger.debug(u"IPC command: %r", cmdline)
1293
 
        
1294
 
        # Parse and act on command
1295
 
        cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1296
 
        
1297
 
        if cmd == u"NOTFOUND":
1298
 
            fpr, address = args.split(None, 1)
1299
 
            logger.warning(u"Client not found for fingerprint: %s, ad"
1300
 
                           u"dress: %s", fpr, address)
1301
 
            if self.use_dbus:
1302
 
                # Emit D-Bus signal
1303
 
                mandos_dbus_service.ClientNotFound(fpr, address)
1304
 
        elif cmd == u"DISABLED":
1305
 
            for client in self.clients:
1306
 
                if client.name == args:
1307
 
                    logger.warning(u"Client %s is disabled", args)
1308
 
                    if self.use_dbus:
1309
 
                        # Emit D-Bus signal
1310
 
                        client.Rejected()
1311
 
                    break
1312
 
            else:
1313
 
                logger.error(u"Unknown client %s is disabled", args)
1314
 
        elif cmd == u"SENDING":
1315
 
            for client in self.clients:
1316
 
                if client.name == args:
1317
 
                    logger.info(u"Sending secret to %s", client.name)
1318
 
                    client.checked_ok()
1319
 
                    if self.use_dbus:
1320
 
                        # Emit D-Bus signal
1321
 
                        client.GotSecret()
1322
 
                    break
1323
 
            else:
1324
 
                logger.error(u"Sending secret to unknown client %s",
1325
 
                             args)
1326
 
        elif cmd == u"GETATTR":
1327
 
            attr_name, fpr = args.split(None, 1)
1328
 
            for client in self.clients:
1329
 
                if client.fingerprint == fpr:
1330
 
                    attr_value = getattr(client, attr_name, None)
1331
 
                    logger.debug("IPC reply: %r", attr_value)
1332
 
                    pickle.dump(attr_value, reply)
1333
 
                    break
1334
 
            else:
1335
 
                logger.error(u"Client %s on address %s requesting "
1336
 
                             u"attribute %s not found", fpr, address,
1337
 
                             attr_name)
1338
 
                pickle.dump(None, reply)
1339
 
        else:
1340
 
            logger.error(u"Unknown IPC command: %r", cmdline)
1341
 
        
1342
 
        # Keep calling this function
1343
 
        return True
 
545
            return super(type(self), self).server_bind()
1344
546
 
1345
547
 
1346
548
def string_to_delta(interval):
1347
549
    """Parse a string and return a datetime.timedelta
1348
 
    
1349
 
    >>> string_to_delta(u'7d')
 
550
 
 
551
    >>> string_to_delta('7d')
1350
552
    datetime.timedelta(7)
1351
 
    >>> string_to_delta(u'60s')
 
553
    >>> string_to_delta('60s')
1352
554
    datetime.timedelta(0, 60)
1353
 
    >>> string_to_delta(u'60m')
 
555
    >>> string_to_delta('60m')
1354
556
    datetime.timedelta(0, 3600)
1355
 
    >>> string_to_delta(u'24h')
 
557
    >>> string_to_delta('24h')
1356
558
    datetime.timedelta(1)
1357
559
    >>> string_to_delta(u'1w')
1358
560
    datetime.timedelta(7)
1359
 
    >>> string_to_delta(u'5m 30s')
1360
 
    datetime.timedelta(0, 330)
1361
561
    """
1362
 
    timevalue = datetime.timedelta(0)
1363
 
    for s in interval.split():
1364
 
        try:
1365
 
            suffix = unicode(s[-1])
1366
 
            value = int(s[:-1])
1367
 
            if suffix == u"d":
1368
 
                delta = datetime.timedelta(value)
1369
 
            elif suffix == u"s":
1370
 
                delta = datetime.timedelta(0, value)
1371
 
            elif suffix == u"m":
1372
 
                delta = datetime.timedelta(0, 0, 0, 0, value)
1373
 
            elif suffix == u"h":
1374
 
                delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1375
 
            elif suffix == u"w":
1376
 
                delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1377
 
            else:
1378
 
                raise ValueError(u"Unknown suffix %r" % suffix)
1379
 
        except (ValueError, IndexError), e:
1380
 
            raise ValueError(e.message)
1381
 
        timevalue += delta
1382
 
    return timevalue
1383
 
 
 
562
    try:
 
563
        suffix=unicode(interval[-1])
 
564
        value=int(interval[:-1])
 
565
        if suffix == u"d":
 
566
            delta = datetime.timedelta(value)
 
567
        elif suffix == u"s":
 
568
            delta = datetime.timedelta(0, value)
 
569
        elif suffix == u"m":
 
570
            delta = datetime.timedelta(0, 0, 0, 0, value)
 
571
        elif suffix == u"h":
 
572
            delta = datetime.timedelta(0, 0, 0, 0, 0, value)
 
573
        elif suffix == u"w":
 
574
            delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
 
575
        else:
 
576
            raise ValueError
 
577
    except (ValueError, IndexError):
 
578
        raise ValueError
 
579
    return delta
 
580
 
 
581
 
 
582
def server_state_changed(state):
 
583
    """Derived from the Avahi example code"""
 
584
    if state == avahi.SERVER_COLLISION:
 
585
        logger.warning(u"Server name collision")
 
586
        service.remove()
 
587
    elif state == avahi.SERVER_RUNNING:
 
588
        service.add()
 
589
 
 
590
 
 
591
def entry_group_state_changed(state, error):
 
592
    """Derived from the Avahi example code"""
 
593
    logger.debug(u"state change: %i", state)
 
594
    
 
595
    if state == avahi.ENTRY_GROUP_ESTABLISHED:
 
596
        logger.debug(u"Service established.")
 
597
    elif state == avahi.ENTRY_GROUP_COLLISION:
 
598
        logger.warning(u"Service name collision.")
 
599
        service.rename()
 
600
    elif state == avahi.ENTRY_GROUP_FAILURE:
 
601
        logger.critical(u"Error in group state changed %s",
 
602
                        unicode(error))
 
603
        raise AvahiGroupError("State changed: %s", str(error))
1384
604
 
1385
605
def if_nametoindex(interface):
1386
 
    """Call the C function if_nametoindex(), or equivalent
1387
 
    
1388
 
    Note: This function cannot accept a unicode string."""
 
606
    """Call the C function if_nametoindex(), or equivalent"""
1389
607
    global if_nametoindex
1390
608
    try:
1391
 
        if_nametoindex = (ctypes.cdll.LoadLibrary
1392
 
                          (ctypes.util.find_library(u"c"))
1393
 
                          .if_nametoindex)
 
609
        if "ctypes.util" not in sys.modules:
 
610
            import ctypes.util
 
611
        if_nametoindex = ctypes.cdll.LoadLibrary\
 
612
            (ctypes.util.find_library("c")).if_nametoindex
1394
613
    except (OSError, AttributeError):
1395
 
        logger.warning(u"Doing if_nametoindex the hard way")
 
614
        if "struct" not in sys.modules:
 
615
            import struct
 
616
        if "fcntl" not in sys.modules:
 
617
            import fcntl
1396
618
        def if_nametoindex(interface):
1397
619
            "Get an interface index the hard way, i.e. using fcntl()"
1398
620
            SIOCGIFINDEX = 0x8933  # From /usr/include/linux/sockios.h
1399
 
            with contextlib.closing(socket.socket()) as s:
1400
 
                ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1401
 
                                    struct.pack(str(u"16s16x"),
1402
 
                                                interface))
1403
 
            interface_index = struct.unpack(str(u"I"),
1404
 
                                            ifreq[16:20])[0]
 
621
            s = socket.socket()
 
622
            ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
 
623
                                struct.pack("16s16x", interface))
 
624
            s.close()
 
625
            interface_index = struct.unpack("I", ifreq[16:20])[0]
1405
626
            return interface_index
1406
627
    return if_nametoindex(interface)
1407
628
 
1408
629
 
1409
 
def daemon(nochdir = False, noclose = False):
 
630
def daemon(nochdir, noclose):
1410
631
    """See daemon(3).  Standard BSD Unix function.
1411
 
    
1412
632
    This should really exist as os.daemon, but it doesn't (yet)."""
1413
633
    if os.fork():
1414
634
        sys.exit()
1415
635
    os.setsid()
1416
636
    if not nochdir:
1417
 
        os.chdir(u"/")
1418
 
    if os.fork():
1419
 
        sys.exit()
 
637
        os.chdir("/")
1420
638
    if not noclose:
1421
639
        # Close all standard open file descriptors
1422
640
        null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1423
641
        if not stat.S_ISCHR(os.fstat(null).st_mode):
1424
642
            raise OSError(errno.ENODEV,
1425
 
                          u"%s not a character device"
1426
 
                          % os.path.devnull)
 
643
                          "/dev/null not a character device")
1427
644
        os.dup2(null, sys.stdin.fileno())
1428
645
        os.dup2(null, sys.stdout.fileno())
1429
646
        os.dup2(null, sys.stderr.fileno())
1432
649
 
1433
650
 
1434
651
def main():
1435
 
    
1436
 
    ##################################################################
1437
 
    # Parsing of options, both command line and config file
1438
 
    
1439
 
    parser = optparse.OptionParser(version = "%%prog %s" % version)
1440
 
    parser.add_option("-i", u"--interface", type=u"string",
1441
 
                      metavar="IF", help=u"Bind to interface IF")
1442
 
    parser.add_option("-a", u"--address", type=u"string",
1443
 
                      help=u"Address to listen for requests on")
1444
 
    parser.add_option("-p", u"--port", type=u"int",
1445
 
                      help=u"Port number to receive requests on")
1446
 
    parser.add_option("--check", action=u"store_true",
1447
 
                      help=u"Run self-test")
1448
 
    parser.add_option("--debug", action=u"store_true",
1449
 
                      help=u"Debug mode; run in foreground and log to"
1450
 
                      u" terminal")
1451
 
    parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1452
 
                      u" priority string (see GnuTLS documentation)")
1453
 
    parser.add_option("--servicename", type=u"string",
1454
 
                      metavar=u"NAME", help=u"Zeroconf service name")
1455
 
    parser.add_option("--configdir", type=u"string",
1456
 
                      default=u"/etc/mandos", metavar=u"DIR",
1457
 
                      help=u"Directory to search for configuration"
1458
 
                      u" files")
1459
 
    parser.add_option("--no-dbus", action=u"store_false",
1460
 
                      dest=u"use_dbus", help=u"Do not provide D-Bus"
1461
 
                      u" system bus interface")
1462
 
    parser.add_option("--no-ipv6", action=u"store_false",
1463
 
                      dest=u"use_ipv6", help=u"Do not use IPv6")
1464
 
    options = parser.parse_args()[0]
 
652
    global main_loop_started
 
653
    main_loop_started = False
 
654
    
 
655
    parser = OptionParser()
 
656
    parser.add_option("-i", "--interface", type="string",
 
657
                      metavar="IF", help="Bind to interface IF")
 
658
    parser.add_option("-a", "--address", type="string",
 
659
                      help="Address to listen for requests on")
 
660
    parser.add_option("-p", "--port", type="int",
 
661
                      help="Port number to receive requests on")
 
662
    parser.add_option("--check", action="store_true", default=False,
 
663
                      help="Run self-test")
 
664
    parser.add_option("--debug", action="store_true", default=False,
 
665
                      help="Debug mode; run in foreground and log to"
 
666
                      " terminal")
 
667
    parser.add_option("--priority", type="string", help="GnuTLS"
 
668
                      " priority string (see GnuTLS documentation)")
 
669
    parser.add_option("--servicename", type="string", metavar="NAME",
 
670
                      help="Zeroconf service name")
 
671
    parser.add_option("--configdir", type="string",
 
672
                      default="/etc/mandos", metavar="DIR",
 
673
                      help="Directory to search for configuration"
 
674
                      " files")
 
675
    (options, args) = parser.parse_args()
1465
676
    
1466
677
    if options.check:
1467
678
        import doctest
1469
680
        sys.exit()
1470
681
    
1471
682
    # Default values for config file for server-global settings
1472
 
    server_defaults = { u"interface": u"",
1473
 
                        u"address": u"",
1474
 
                        u"port": u"",
1475
 
                        u"debug": u"False",
1476
 
                        u"priority":
1477
 
                        u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1478
 
                        u"servicename": u"Mandos",
1479
 
                        u"use_dbus": u"True",
1480
 
                        u"use_ipv6": u"True",
 
683
    server_defaults = { "interface": "",
 
684
                        "address": "",
 
685
                        "port": "",
 
686
                        "debug": "False",
 
687
                        "priority":
 
688
                        "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
 
689
                        "servicename": "Mandos",
1481
690
                        }
1482
691
    
1483
692
    # Parse config file for server-global settings
1484
 
    server_config = configparser.SafeConfigParser(server_defaults)
 
693
    server_config = ConfigParser.SafeConfigParser(server_defaults)
1485
694
    del server_defaults
1486
 
    server_config.read(os.path.join(options.configdir,
1487
 
                                    u"mandos.conf"))
 
695
    server_config.read(os.path.join(options.configdir, "server.conf"))
 
696
    server_section = "server"
1488
697
    # Convert the SafeConfigParser object to a dict
1489
 
    server_settings = server_config.defaults()
1490
 
    # Use the appropriate methods on the non-string config options
1491
 
    for option in (u"debug", u"use_dbus", u"use_ipv6"):
1492
 
        server_settings[option] = server_config.getboolean(u"DEFAULT",
1493
 
                                                           option)
1494
 
    if server_settings["port"]:
1495
 
        server_settings["port"] = server_config.getint(u"DEFAULT",
1496
 
                                                       u"port")
 
698
    server_settings = dict(server_config.items(server_section))
 
699
    # Use getboolean on the boolean config option
 
700
    server_settings["debug"] = server_config.getboolean\
 
701
                               (server_section, "debug")
1497
702
    del server_config
1498
703
    
1499
704
    # Override the settings from the config file with command line
1500
705
    # options, if set.
1501
 
    for option in (u"interface", u"address", u"port", u"debug",
1502
 
                   u"priority", u"servicename", u"configdir",
1503
 
                   u"use_dbus", u"use_ipv6"):
 
706
    for option in ("interface", "address", "port", "debug",
 
707
                   "priority", "servicename", "configdir"):
1504
708
        value = getattr(options, option)
1505
709
        if value is not None:
1506
710
            server_settings[option] = value
1507
711
    del options
1508
 
    # Force all strings to be unicode
1509
 
    for option in server_settings.keys():
1510
 
        if type(server_settings[option]) is str:
1511
 
            server_settings[option] = unicode(server_settings[option])
1512
712
    # Now we have our good server settings in "server_settings"
1513
713
    
1514
 
    ##################################################################
1515
 
    
1516
 
    # For convenience
1517
 
    debug = server_settings[u"debug"]
1518
 
    use_dbus = server_settings[u"use_dbus"]
1519
 
    use_ipv6 = server_settings[u"use_ipv6"]
1520
 
    
1521
 
    if not debug:
1522
 
        syslogger.setLevel(logging.WARNING)
1523
 
        console.setLevel(logging.WARNING)
1524
 
    
1525
 
    if server_settings[u"servicename"] != u"Mandos":
1526
 
        syslogger.setFormatter(logging.Formatter
1527
 
                               (u'Mandos (%s) [%%(process)d]:'
1528
 
                                u' %%(levelname)s: %%(message)s'
1529
 
                                % server_settings[u"servicename"]))
1530
 
    
1531
714
    # Parse config file with clients
1532
 
    client_defaults = { u"timeout": u"1h",
1533
 
                        u"interval": u"5m",
1534
 
                        u"checker": u"fping -q -- %%(host)s",
1535
 
                        u"host": u"",
 
715
    client_defaults = { "timeout": "1h",
 
716
                        "interval": "5m",
 
717
                        "checker": "fping -q -- %%(fqdn)s",
1536
718
                        }
1537
 
    client_config = configparser.SafeConfigParser(client_defaults)
1538
 
    client_config.read(os.path.join(server_settings[u"configdir"],
1539
 
                                    u"clients.conf"))
1540
 
    
1541
 
    global mandos_dbus_service
1542
 
    mandos_dbus_service = None
1543
 
    
1544
 
    tcp_server = MandosServer((server_settings[u"address"],
1545
 
                               server_settings[u"port"]),
1546
 
                              ClientHandler,
1547
 
                              interface=server_settings[u"interface"],
1548
 
                              use_ipv6=use_ipv6,
1549
 
                              gnutls_priority=
1550
 
                              server_settings[u"priority"],
1551
 
                              use_dbus=use_dbus)
1552
 
    pidfilename = u"/var/run/mandos.pid"
1553
 
    try:
1554
 
        pidfile = open(pidfilename, u"w")
1555
 
    except IOError:
1556
 
        logger.error(u"Could not open file %r", pidfilename)
1557
 
    
1558
 
    try:
1559
 
        uid = pwd.getpwnam(u"_mandos").pw_uid
1560
 
        gid = pwd.getpwnam(u"_mandos").pw_gid
1561
 
    except KeyError:
1562
 
        try:
1563
 
            uid = pwd.getpwnam(u"mandos").pw_uid
1564
 
            gid = pwd.getpwnam(u"mandos").pw_gid
1565
 
        except KeyError:
1566
 
            try:
1567
 
                uid = pwd.getpwnam(u"nobody").pw_uid
1568
 
                gid = pwd.getpwnam(u"nobody").pw_gid
1569
 
            except KeyError:
1570
 
                uid = 65534
1571
 
                gid = 65534
1572
 
    try:
1573
 
        os.setgid(gid)
1574
 
        os.setuid(uid)
1575
 
    except OSError, error:
1576
 
        if error[0] != errno.EPERM:
1577
 
            raise error
1578
 
    
1579
 
    # Enable all possible GnuTLS debugging
1580
 
    if debug:
1581
 
        # "Use a log level over 10 to enable all debugging options."
1582
 
        # - GnuTLS manual
1583
 
        gnutls.library.functions.gnutls_global_set_log_level(11)
1584
 
        
1585
 
        @gnutls.library.types.gnutls_log_func
1586
 
        def debug_gnutls(level, string):
1587
 
            logger.debug(u"GnuTLS: %s", string[:-1])
1588
 
        
1589
 
        (gnutls.library.functions
1590
 
         .gnutls_global_set_log_function(debug_gnutls))
 
719
    client_config = ConfigParser.SafeConfigParser(client_defaults)
 
720
    client_config.read(os.path.join(server_settings["configdir"],
 
721
                                    "clients.conf"))
 
722
    
 
723
    global service
 
724
    service = AvahiService(name = server_settings["servicename"],
 
725
                           type = "_mandos._tcp", );
 
726
    if server_settings["interface"]:
 
727
        service.interface = if_nametoindex(server_settings["interface"])
1591
728
    
1592
729
    global main_loop
 
730
    global bus
 
731
    global server
1593
732
    # From the Avahi example code
1594
733
    DBusGMainLoop(set_as_default=True )
1595
734
    main_loop = gobject.MainLoop()
1596
735
    bus = dbus.SystemBus()
 
736
    server = dbus.Interface(
 
737
            bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
 
738
            avahi.DBUS_INTERFACE_SERVER )
1597
739
    # End of Avahi example code
1598
 
    if use_dbus:
1599
 
        try:
1600
 
            bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1601
 
                                            bus, do_not_queue=True)
1602
 
        except dbus.exceptions.NameExistsException, e:
1603
 
            logger.error(unicode(e) + u", disabling D-Bus")
1604
 
            use_dbus = False
1605
 
            server_settings[u"use_dbus"] = False
1606
 
            tcp_server.use_dbus = False
1607
 
    protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1608
 
    service = AvahiService(name = server_settings[u"servicename"],
1609
 
                           servicetype = u"_mandos._tcp",
1610
 
                           protocol = protocol, bus = bus)
1611
 
    if server_settings["interface"]:
1612
 
        service.interface = (if_nametoindex
1613
 
                             (str(server_settings[u"interface"])))
1614
740
    
1615
 
    client_class = Client
1616
 
    if use_dbus:
1617
 
        client_class = functools.partial(ClientDBus, bus = bus)
1618
 
    tcp_server.clients.update(set(
1619
 
            client_class(name = section,
1620
 
                         config= dict(client_config.items(section)))
1621
 
            for section in client_config.sections()))
1622
 
    if not tcp_server.clients:
1623
 
        logger.warning(u"No clients defined")
 
741
    debug = server_settings["debug"]
1624
742
    
1625
743
    if debug:
1626
 
        # Redirect stdin so all checkers get /dev/null
1627
 
        null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1628
 
        os.dup2(null, sys.stdin.fileno())
1629
 
        if null > 2:
1630
 
            os.close(null)
1631
 
    else:
1632
 
        # No console logging
1633
 
        logger.removeHandler(console)
1634
 
        # Close all input and output, do double fork, etc.
1635
 
        daemon()
1636
 
    
1637
 
    try:
1638
 
        with pidfile:
1639
 
            pid = os.getpid()
1640
 
            pidfile.write(str(pid) + "\n")
1641
 
        del pidfile
1642
 
    except IOError:
1643
 
        logger.error(u"Could not write to file %r with PID %d",
1644
 
                     pidfilename, pid)
1645
 
    except NameError:
1646
 
        # "pidfile" was never created
1647
 
        pass
1648
 
    del pidfilename
 
744
        console = logging.StreamHandler()
 
745
        # console.setLevel(logging.DEBUG)
 
746
        console.setFormatter(logging.Formatter\
 
747
                             ('%(levelname)s: %(message)s'))
 
748
        logger.addHandler(console)
 
749
        del console
 
750
    
 
751
    clients = Set()
 
752
    def remove_from_clients(client):
 
753
        clients.remove(client)
 
754
        if not clients:
 
755
            logger.debug(u"No clients left, exiting")
 
756
            sys.exit()
 
757
    
 
758
    clients.update(Set(Client(name=section,
 
759
                              stop_hook = remove_from_clients,
 
760
                              **(dict(client_config\
 
761
                                      .items(section))))
 
762
                       for section in client_config.sections()))
 
763
    
 
764
    if not debug:
 
765
        daemon(False, False)
 
766
    
 
767
    def cleanup():
 
768
        "Cleanup function; run on exit"
 
769
        global group
 
770
        # From the Avahi example code
 
771
        if not group is None:
 
772
            group.Free()
 
773
            group = None
 
774
        # End of Avahi example code
 
775
        
 
776
        while clients:
 
777
            client = clients.pop()
 
778
            client.stop_hook = None
 
779
            client.stop()
 
780
    
 
781
    atexit.register(cleanup)
1649
782
    
1650
783
    if not debug:
1651
784
        signal.signal(signal.SIGINT, signal.SIG_IGN)
1652
785
    signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1653
786
    signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1654
787
    
1655
 
    if use_dbus:
1656
 
        class MandosDBusService(dbus.service.Object):
1657
 
            """A D-Bus proxy object"""
1658
 
            def __init__(self):
1659
 
                dbus.service.Object.__init__(self, bus, u"/")
1660
 
            _interface = u"se.bsnet.fukt.Mandos"
1661
 
            
1662
 
            @dbus.service.signal(_interface, signature=u"o")
1663
 
            def ClientAdded(self, objpath):
1664
 
                "D-Bus signal"
1665
 
                pass
1666
 
            
1667
 
            @dbus.service.signal(_interface, signature=u"ss")
1668
 
            def ClientNotFound(self, fingerprint, address):
1669
 
                "D-Bus signal"
1670
 
                pass
1671
 
            
1672
 
            @dbus.service.signal(_interface, signature=u"os")
1673
 
            def ClientRemoved(self, objpath, name):
1674
 
                "D-Bus signal"
1675
 
                pass
1676
 
            
1677
 
            @dbus.service.method(_interface, out_signature=u"ao")
1678
 
            def GetAllClients(self):
1679
 
                "D-Bus method"
1680
 
                return dbus.Array(c.dbus_object_path
1681
 
                                  for c in tcp_server.clients)
1682
 
            
1683
 
            @dbus.service.method(_interface,
1684
 
                                 out_signature=u"a{oa{sv}}")
1685
 
            def GetAllClientsWithProperties(self):
1686
 
                "D-Bus method"
1687
 
                return dbus.Dictionary(
1688
 
                    ((c.dbus_object_path, c.GetAll(u""))
1689
 
                     for c in tcp_server.clients),
1690
 
                    signature=u"oa{sv}")
1691
 
            
1692
 
            @dbus.service.method(_interface, in_signature=u"o")
1693
 
            def RemoveClient(self, object_path):
1694
 
                "D-Bus method"
1695
 
                for c in tcp_server.clients:
1696
 
                    if c.dbus_object_path == object_path:
1697
 
                        tcp_server.clients.remove(c)
1698
 
                        c.remove_from_connection()
1699
 
                        # Don't signal anything except ClientRemoved
1700
 
                        c.disable(quiet=True)
1701
 
                        # Emit D-Bus signal
1702
 
                        self.ClientRemoved(object_path, c.name)
1703
 
                        return
1704
 
                raise KeyError(object_path)
1705
 
            
1706
 
            del _interface
1707
 
        
1708
 
        mandos_dbus_service = MandosDBusService()
1709
 
    
1710
 
    def cleanup():
1711
 
        "Cleanup function; run on exit"
1712
 
        service.cleanup()
1713
 
        
1714
 
        while tcp_server.clients:
1715
 
            client = tcp_server.clients.pop()
1716
 
            if use_dbus:
1717
 
                client.remove_from_connection()
1718
 
            client.disable_hook = None
1719
 
            # Don't signal anything except ClientRemoved
1720
 
            client.disable(quiet=True)
1721
 
            if use_dbus:
1722
 
                # Emit D-Bus signal
1723
 
                mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1724
 
                                                  client.name)
1725
 
    
1726
 
    atexit.register(cleanup)
1727
 
    
1728
 
    for client in tcp_server.clients:
1729
 
        if use_dbus:
1730
 
            # Emit D-Bus signal
1731
 
            mandos_dbus_service.ClientAdded(client.dbus_object_path)
1732
 
        client.enable()
1733
 
    
1734
 
    tcp_server.enable()
1735
 
    tcp_server.server_activate()
1736
 
    
 
788
    for client in clients:
 
789
        client.start()
 
790
    
 
791
    tcp_server = IPv6_TCPServer((server_settings["address"],
 
792
                                 server_settings["port"]),
 
793
                                tcp_handler,
 
794
                                settings=server_settings,
 
795
                                clients=clients)
1737
796
    # Find out what port we got
1738
797
    service.port = tcp_server.socket.getsockname()[1]
1739
 
    if use_ipv6:
1740
 
        logger.info(u"Now listening on address %r, port %d,"
1741
 
                    " flowinfo %d, scope_id %d"
1742
 
                    % tcp_server.socket.getsockname())
1743
 
    else:                       # IPv4
1744
 
        logger.info(u"Now listening on address %r, port %d"
1745
 
                    % tcp_server.socket.getsockname())
 
798
    logger.debug(u"Now listening on address %r, port %d, flowinfo %d,"
 
799
                 u" scope_id %d" % tcp_server.socket.getsockname())
1746
800
    
1747
801
    #service.interface = tcp_server.socket.getsockname()[3]
1748
802
    
1749
803
    try:
1750
804
        # From the Avahi example code
 
805
        server.connect_to_signal("StateChanged", server_state_changed)
1751
806
        try:
1752
 
            service.activate()
 
807
            server_state_changed(server.GetState())
1753
808
        except dbus.exceptions.DBusException, error:
1754
809
            logger.critical(u"DBusException: %s", error)
1755
 
            cleanup()
1756
810
            sys.exit(1)
1757
811
        # End of Avahi example code
1758
812
        
1759
813
        gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1760
814
                             lambda *args, **kwargs:
1761
 
                             (tcp_server.handle_request
1762
 
                              (*args[2:], **kwargs) or True))
 
815
                             tcp_server.handle_request\
 
816
                             (*args[2:], **kwargs) or True)
1763
817
        
1764
 
        logger.debug(u"Starting main loop")
 
818
        logger.debug("Starting main loop")
 
819
        main_loop_started = True
1765
820
        main_loop.run()
1766
821
    except AvahiError, error:
1767
 
        logger.critical(u"AvahiError: %s", error)
1768
 
        cleanup()
 
822
        logger.critical(u"AvahiError: %s" + unicode(error))
1769
823
        sys.exit(1)
1770
824
    except KeyboardInterrupt:
1771
825
        if debug:
1772
 
            print >> sys.stderr
1773
 
        logger.debug(u"Server received KeyboardInterrupt")
1774
 
    logger.debug(u"Server exiting")
1775
 
    # Must run before the D-Bus bus name gets deregistered
1776
 
    cleanup()
 
826
            print
1777
827
 
1778
828
if __name__ == '__main__':
1779
829
    main()