To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 291
- compare with another revision
- download diff
- download tarball
- view history from revision 291
- Committer: Teddy Hogeborn
- Date: 2009-01-31 10:33:17 UTC
- mfrom: (24.1.129 mandos)
- Revision ID: teddy@fukt.bsnet.se-20090131103317-wzqvyr532sjcjt7u
Merge from Björn:
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
- files removed:
- DBUS-API
- debian/source
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
31
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
34
from __future__ import division, with_statement, absolute_import
36
35
37
import SocketServer as socketserver
36
import SocketServer
38
37
import socket
39
import argparse
38
import optparse
40
39
import datetime
41
40
import errno
42
41
import gnutls.crypto
45
44
import gnutls.library.functions
46
45
import gnutls.library.constants
47
46
import gnutls.library.types
48
import ConfigParser as configparser
47
import ConfigParser
49
48
import sys
50
49
import re
51
50
import os
52
51
import signal
52
from sets import Set
53
53
import subprocess
54
54
import atexit
55
55
import stat
56
56
import logging
57
57
import logging.handlers
58
58
import pwd
59
import contextlib
60
import struct
61
import fcntl
62
import functools
63
import cPickle as pickle
64
import multiprocessing
65
import types
59
from contextlib import closing
66
60
67
61
import dbus
68
62
import dbus.service
71
65
from dbus.mainloop.glib import DBusGMainLoop
72
66
import ctypes
73
67
import ctypes.util
74
import xml.dom.minidom
75
import inspect
76
77
try:
78
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
79
except AttributeError:
80
try:
81
from IN import SO_BINDTODEVICE
82
except ImportError:
83
SO_BINDTODEVICE = None
84
85
86
version = "1.3.1"
87
88
#logger = logging.getLogger('mandos')
68
69
version = "1.0.5"
70
89
71
logger = logging.Logger('mandos')
90
72
syslogger = (logging.handlers.SysLogHandler
91
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
92
address = str("/dev/log")))
74
address = "/dev/log"))
93
75
syslogger.setFormatter(logging.Formatter
94
('Mandos [%(process)d]: %(levelname)s:'
95
' %(message)s'))
76
('Mandos: %(levelname)s: %(message)s'))
96
77
logger.addHandler(syslogger)
97
78
98
79
console = logging.StreamHandler()
99
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
100
' %(levelname)s:'
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
101
81
' %(message)s'))
102
82
logger.addHandler(console)
103
83
117
97
118
98
class AvahiService(object):
119
99
"""An Avahi (Zeroconf) service.
120
121
100
Attributes:
122
101
interface: integer; avahi.IF_UNSPEC or an interface index.
123
102
Used to optionally bind to the specified interface.
131
110
max_renames: integer; maximum number of renames
132
111
rename_count: integer; counter so we only rename after collisions
133
112
a sensible number of times
134
group: D-Bus Entry Group
135
server: D-Bus Server
136
bus: dbus.SystemBus()
137
113
"""
138
114
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
139
115
servicetype = None, port = None, TXT = None,
140
domain = "", host = "", max_renames = 32768,
141
protocol = avahi.PROTO_UNSPEC, bus = None):
116
domain = "", host = "", max_renames = 32768):
142
117
self.interface = interface
143
118
self.name = name
144
119
self.type = servicetype
148
123
self.host = host
149
124
self.rename_count = 0
150
125
self.max_renames = max_renames
151
self.protocol = protocol
152
self.group = None # our entry group
153
self.server = None
154
self.bus = bus
155
self.entry_group_state_changed_match = None
156
126
def rename(self):
157
127
"""Derived from the Avahi example code"""
158
128
if self.rename_count >= self.max_renames:
159
logger.critical("No suitable Zeroconf service name found"
160
" after %i retries, exiting.",
129
logger.critical(u"No suitable Zeroconf service name found"
130
u" after %i retries, exiting.",
161
131
self.rename_count)
162
raise AvahiServiceError("Too many renames")
163
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
164
logger.info("Changing Zeroconf service name to %r ...",
165
self.name)
132
raise AvahiServiceError(u"Too many renames")
133
self.name = server.GetAlternativeServiceName(self.name)
134
logger.info(u"Changing Zeroconf service name to %r ...",
135
str(self.name))
166
136
syslogger.setFormatter(logging.Formatter
167
('Mandos (%s) [%%(process)d]:'
168
' %%(levelname)s: %%(message)s'
169
% self.name))
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
170
139
self.remove()
171
try:
172
self.add()
173
except dbus.exceptions.DBusException as error:
174
logger.critical("DBusException: %s", error)
175
self.cleanup()
176
os._exit(1)
140
self.add()
177
141
self.rename_count += 1
178
142
def remove(self):
179
143
"""Derived from the Avahi example code"""
180
if self.entry_group_state_changed_match is not None:
181
self.entry_group_state_changed_match.remove()
182
self.entry_group_state_changed_match = None
183
if self.group is not None:
184
self.group.Reset()
144
if group is not None:
145
group.Reset()
185
146
def add(self):
186
147
"""Derived from the Avahi example code"""
187
self.remove()
188
if self.group is None:
189
self.group = dbus.Interface(
190
self.bus.get_object(avahi.DBUS_NAME,
191
self.server.EntryGroupNew()),
192
avahi.DBUS_INTERFACE_ENTRY_GROUP)
193
self.entry_group_state_changed_match = (
194
self.group.connect_to_signal(
195
'StateChanged', self .entry_group_state_changed))
196
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
197
self.name, self.type)
198
self.group.AddService(
199
self.interface,
200
self.protocol,
201
dbus.UInt32(0), # flags
202
self.name, self.type,
203
self.domain, self.host,
204
dbus.UInt16(self.port),
205
avahi.string_array_to_txt_array(self.TXT))
206
self.group.Commit()
207
def entry_group_state_changed(self, state, error):
208
"""Derived from the Avahi example code"""
209
logger.debug("Avahi entry group state change: %i", state)
210
211
if state == avahi.ENTRY_GROUP_ESTABLISHED:
212
logger.debug("Zeroconf service established.")
213
elif state == avahi.ENTRY_GROUP_COLLISION:
214
logger.info("Zeroconf service name collision.")
215
self.rename()
216
elif state == avahi.ENTRY_GROUP_FAILURE:
217
logger.critical("Avahi: Error in group state changed %s",
218
unicode(error))
219
raise AvahiGroupError("State changed: %s"
220
% unicode(error))
221
def cleanup(self):
222
"""Derived from the Avahi example code"""
223
if self.group is not None:
224
try:
225
self.group.Free()
226
except (dbus.exceptions.UnknownMethodException,
227
dbus.exceptions.DBusException) as e:
228
pass
229
self.group = None
230
self.remove()
231
def server_state_changed(self, state, error=None):
232
"""Derived from the Avahi example code"""
233
logger.debug("Avahi server state change: %i", state)
234
bad_states = { avahi.SERVER_INVALID:
235
"Zeroconf server invalid",
236
avahi.SERVER_REGISTERING: None,
237
avahi.SERVER_COLLISION:
238
"Zeroconf server name collision",
239
avahi.SERVER_FAILURE:
240
"Zeroconf server failure" }
241
if state in bad_states:
242
if bad_states[state] is not None:
243
if error is None:
244
logger.error(bad_states[state])
245
else:
246
logger.error(bad_states[state] + ": %r", error)
247
self.cleanup()
248
elif state == avahi.SERVER_RUNNING:
249
self.add()
250
else:
251
if error is None:
252
logger.debug("Unknown state: %r", state)
253
else:
254
logger.debug("Unknown state: %r: %r", state, error)
255
def activate(self):
256
"""Derived from the Avahi example code"""
257
if self.server is None:
258
self.server = dbus.Interface(
259
self.bus.get_object(avahi.DBUS_NAME,
260
avahi.DBUS_PATH_SERVER,
261
follow_name_owner_changes=True),
262
avahi.DBUS_INTERFACE_SERVER)
263
self.server.connect_to_signal("StateChanged",
264
self.server_state_changed)
265
self.server_state_changed(self.server.GetState())
266
267
268
def _timedelta_to_milliseconds(td):
269
"Convert a datetime.timedelta() to milliseconds"
270
return ((td.days * 24 * 60 * 60 * 1000)
271
+ (td.seconds * 1000)
272
+ (td.microseconds // 1000))
273
274
class Client(object):
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
170
# End of Avahi example code
171
172
173
def _datetime_to_dbus(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus type."""
175
return dbus.String(dt.isoformat(), variant_level=variant_level)
176
177
178
class Client(dbus.service.Object):
275
179
"""A representation of a client host served by this server.
276
277
180
Attributes:
278
_approved: bool(); 'None' if not yet approved/disapproved
279
approval_delay: datetime.timedelta(); Time to wait for approval
280
approval_duration: datetime.timedelta(); Duration of one approval
181
name: string; from the config file, used in log messages and
182
D-Bus identifiers
183
fingerprint: string (40 or 32 hexadecimal digits); used to
184
uniquely identify the client
185
secret: bytestring; sent verbatim (over TLS) to client
186
host: string; available for use by the checker command
187
created: datetime.datetime(); (UTC) object creation
188
last_enabled: datetime.datetime(); (UTC)
189
enabled: bool()
190
last_checked_ok: datetime.datetime(); (UTC) or None
191
timeout: datetime.timedelta(); How long from last_checked_ok
192
until this client is invalid
193
interval: datetime.timedelta(); How often to start a new checker
194
disable_hook: If set, called by disable() as disable_hook(self)
281
195
checker: subprocess.Popen(); a running checker process used
282
196
to see if the client lives.
283
197
'None' if no process is running.
284
checker_callback_tag: a gobject event source tag, or None
285
checker_command: string; External command which is run to check
286
if client lives. %() expansions are done at
198
checker_initiator_tag: a gobject event source tag, or None
199
disable_initiator_tag: - '' -
200
checker_callback_tag: - '' -
201
checker_command: string; External command which is run to check if
202
client lives. %() expansions are done at
287
203
runtime with vars(self) as dict, so that for
288
204
instance %(name)s can be used in the command.
289
checker_initiator_tag: a gobject event source tag, or None
290
created: datetime.datetime(); (UTC) object creation
291
current_checker_command: string; current running checker_command
292
disable_hook: If set, called by disable() as disable_hook(self)
293
disable_initiator_tag: a gobject event source tag, or None
294
enabled: bool()
295
fingerprint: string (40 or 32 hexadecimal digits); used to
296
uniquely identify the client
297
host: string; available for use by the checker command
298
interval: datetime.timedelta(); How often to start a new checker
299
last_approval_request: datetime.datetime(); (UTC) or None
300
last_checked_ok: datetime.datetime(); (UTC) or None
301
last_enabled: datetime.datetime(); (UTC)
302
name: string; from the config file, used in log messages and
303
D-Bus identifiers
304
secret: bytestring; sent verbatim (over TLS) to client
305
timeout: datetime.timedelta(); How long from last_checked_ok
306
until this client is disabled
307
extended_timeout: extra long timeout when password has been sent
308
runtime_expansions: Allowed attributes for runtime expansion.
309
expires: datetime.datetime(); time (UTC) when a client will be
310
disabled, or None
205
use_dbus: bool(); Whether to provide D-Bus interface and signals
206
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
311
207
"""
312
313
runtime_expansions = ("approval_delay", "approval_duration",
314
"created", "enabled", "fingerprint",
315
"host", "interval", "last_checked_ok",
316
"last_enabled", "name", "timeout")
317
318
208
def timeout_milliseconds(self):
319
209
"Return the 'timeout' attribute in milliseconds"
320
return _timedelta_to_milliseconds(self.timeout)
321
322
def extended_timeout_milliseconds(self):
323
"Return the 'extended_timeout' attribute in milliseconds"
324
return _timedelta_to_milliseconds(self.extended_timeout)
210
return ((self.timeout.days * 24 * 60 * 60 * 1000)
211
+ (self.timeout.seconds * 1000)
212
+ (self.timeout.microseconds // 1000))
325
213
326
214
def interval_milliseconds(self):
327
215
"Return the 'interval' attribute in milliseconds"
328
return _timedelta_to_milliseconds(self.interval)
329
330
def approval_delay_milliseconds(self):
331
return _timedelta_to_milliseconds(self.approval_delay)
332
333
def __init__(self, name = None, disable_hook=None, config=None):
216
return ((self.interval.days * 24 * 60 * 60 * 1000)
217
+ (self.interval.seconds * 1000)
218
+ (self.interval.microseconds // 1000))
219
220
def __init__(self, name = None, disable_hook=None, config=None,
221
use_dbus=True):
334
222
"""Note: the 'checker' key in 'config' sets the
335
223
'checker_command' attribute and *not* the 'checker'
336
224
attribute."""
337
225
self.name = name
338
226
if config is None:
339
227
config = {}
340
logger.debug("Creating client %r", self.name)
228
logger.debug(u"Creating client %r", self.name)
229
self.use_dbus = False # During __init__
341
230
# Uppercase and remove spaces from fingerprint for later
342
231
# comparison purposes with return value from the fingerprint()
343
232
# function
344
233
self.fingerprint = (config["fingerprint"].upper()
345
.replace(" ", ""))
346
logger.debug(" Fingerprint: %s", self.fingerprint)
234
.replace(u" ", u""))
235
logger.debug(u" Fingerprint: %s", self.fingerprint)
347
236
if "secret" in config:
348
self.secret = config["secret"].decode("base64")
237
self.secret = config["secret"].decode(u"base64")
349
238
elif "secfile" in config:
350
with open(os.path.expanduser(os.path.expandvars
351
(config["secfile"])),
352
"rb") as secfile:
239
with closing(open(os.path.expanduser
240
(os.path.expandvars
241
(config["secfile"])))) as secfile:
353
242
self.secret = secfile.read()
354
243
else:
355
raise TypeError("No secret or secfile for client %s"
244
raise TypeError(u"No secret or secfile for client %s"
356
245
% self.name)
357
246
self.host = config.get("host", "")
358
247
self.created = datetime.datetime.utcnow()
359
248
self.enabled = False
360
self.last_approval_request = None
361
249
self.last_enabled = None
362
250
self.last_checked_ok = None
363
251
self.timeout = string_to_delta(config["timeout"])
364
self.extended_timeout = string_to_delta(config["extended_timeout"])
365
252
self.interval = string_to_delta(config["interval"])
366
253
self.disable_hook = disable_hook
367
254
self.checker = None
368
255
self.checker_initiator_tag = None
369
256
self.disable_initiator_tag = None
370
self.expires = None
371
257
self.checker_callback_tag = None
372
258
self.checker_command = config["checker"]
373
self.current_checker_command = None
374
259
self.last_connect = None
375
self._approved = None
376
self.approved_by_default = config.get("approved_by_default",
377
True)
378
self.approvals_pending = 0
379
self.approval_delay = string_to_delta(
380
config["approval_delay"])
381
self.approval_duration = string_to_delta(
382
config["approval_duration"])
383
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
260
# Only now, when this client is initialized, can it show up on
261
# the D-Bus
262
self.use_dbus = use_dbus
263
if self.use_dbus:
264
self.dbus_object_path = (dbus.ObjectPath
265
("/clients/"
266
+ self.name.replace(".", "_")))
267
dbus.service.Object.__init__(self, bus,
268
self.dbus_object_path)
384
269
385
def send_changedstate(self):
386
self.changedstate.acquire()
387
self.changedstate.notify_all()
388
self.changedstate.release()
389
390
270
def enable(self):
391
271
"""Start this client's checker and timeout hooks"""
392
if getattr(self, "enabled", False):
393
# Already enabled
394
return
395
self.send_changedstate()
272
self.last_enabled = datetime.datetime.utcnow()
396
273
# Schedule a new checker to be started an 'interval' from now,
397
274
# and every interval from then on.
398
275
self.checker_initiator_tag = (gobject.timeout_add
399
276
(self.interval_milliseconds(),
400
277
self.start_checker))
278
# Also start a new checker *right now*.
279
self.start_checker()
401
280
# Schedule a disable() when 'timeout' has passed
402
self.expires = datetime.datetime.utcnow() + self.timeout
403
281
self.disable_initiator_tag = (gobject.timeout_add
404
282
(self.timeout_milliseconds(),
405
283
self.disable))
406
284
self.enabled = True
407
self.last_enabled = datetime.datetime.utcnow()
408
# Also start a new checker *right now*.
409
self.start_checker()
285
if self.use_dbus:
286
# Emit D-Bus signals
287
self.PropertyChanged(dbus.String(u"enabled"),
288
dbus.Boolean(True, variant_level=1))
289
self.PropertyChanged(dbus.String(u"last_enabled"),
290
(_datetime_to_dbus(self.last_enabled,
291
variant_level=1)))
410
292
411
def disable(self, quiet=True):
293
def disable(self):
412
294
"""Disable this client."""
413
295
if not getattr(self, "enabled", False):
414
296
return False
415
if not quiet:
416
self.send_changedstate()
417
if not quiet:
418
logger.info("Disabling client %s", self.name)
297
logger.info(u"Disabling client %s", self.name)
419
298
if getattr(self, "disable_initiator_tag", False):
420
299
gobject.source_remove(self.disable_initiator_tag)
421
300
self.disable_initiator_tag = None
422
self.expires = None
423
301
if getattr(self, "checker_initiator_tag", False):
424
302
gobject.source_remove(self.checker_initiator_tag)
425
303
self.checker_initiator_tag = None
427
305
if self.disable_hook:
428
306
self.disable_hook(self)
429
307
self.enabled = False
308
if self.use_dbus:
309
# Emit D-Bus signal
310
self.PropertyChanged(dbus.String(u"enabled"),
311
dbus.Boolean(False, variant_level=1))
430
312
# Do not run this again if called by a gobject.timeout_add
431
313
return False
432
314
438
320
"""The checker has completed, so take appropriate actions."""
439
321
self.checker_callback_tag = None
440
322
self.checker = None
323
if self.use_dbus:
324
# Emit D-Bus signal
325
self.PropertyChanged(dbus.String(u"checker_running"),
326
dbus.Boolean(False, variant_level=1))
441
327
if os.WIFEXITED(condition):
442
328
exitstatus = os.WEXITSTATUS(condition)
443
329
if exitstatus == 0:
444
logger.info("Checker for %(name)s succeeded",
330
logger.info(u"Checker for %(name)s succeeded",
445
331
vars(self))
446
332
self.checked_ok()
447
333
else:
448
logger.info("Checker for %(name)s failed",
334
logger.info(u"Checker for %(name)s failed",
449
335
vars(self))
336
if self.use_dbus:
337
# Emit D-Bus signal
338
self.CheckerCompleted(dbus.Int16(exitstatus),
339
dbus.Int64(condition),
340
dbus.String(command))
450
341
else:
451
logger.warning("Checker for %(name)s crashed?",
342
logger.warning(u"Checker for %(name)s crashed?",
452
343
vars(self))
344
if self.use_dbus:
345
# Emit D-Bus signal
346
self.CheckerCompleted(dbus.Int16(-1),
347
dbus.Int64(condition),
348
dbus.String(command))
453
349
454
def checked_ok(self, timeout=None):
350
def checked_ok(self):
455
351
"""Bump up the timeout for this client.
456
457
352
This should only be called when the client has been seen,
458
353
alive and well.
459
354
"""
460
if timeout is None:
461
timeout = self.timeout
462
355
self.last_checked_ok = datetime.datetime.utcnow()
463
356
gobject.source_remove(self.disable_initiator_tag)
464
self.expires = datetime.datetime.utcnow() + timeout
465
357
self.disable_initiator_tag = (gobject.timeout_add
466
(_timedelta_to_milliseconds(timeout),
358
(self.timeout_milliseconds(),
467
359
self.disable))
468
469
def need_approval(self):
470
self.last_approval_request = datetime.datetime.utcnow()
360
if self.use_dbus:
361
# Emit D-Bus signal
362
self.PropertyChanged(
363
dbus.String(u"last_checked_ok"),
364
(_datetime_to_dbus(self.last_checked_ok,
365
variant_level=1)))
471
366
472
367
def start_checker(self):
473
368
"""Start a new checker subprocess if one is not running.
474
475
369
If a checker already exists, leave it running and do
476
370
nothing."""
477
371
# The reason for not killing a running checker is that if we
480
374
# client would inevitably timeout, since no checker would get
481
375
# a chance to run to completion. If we instead leave running
482
376
# checkers alone, the checker would have to take more time
483
# than 'timeout' for the client to be disabled, which is as it
484
# should be.
485
486
# If a checker exists, make sure it is not a zombie
487
try:
488
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
489
except (AttributeError, OSError) as error:
490
if (isinstance(error, OSError)
491
and error.errno != errno.ECHILD):
492
raise error
493
else:
494
if pid:
495
logger.warning("Checker was a zombie")
496
gobject.source_remove(self.checker_callback_tag)
497
self.checker_callback(pid, status,
498
self.current_checker_command)
499
# Start a new checker if needed
377
# than 'timeout' for the client to be declared invalid, which
378
# is as it should be.
500
379
if self.checker is None:
501
380
try:
502
381
# In case checker_command has exactly one % operator
503
382
command = self.checker_command % self.host
504
383
except TypeError:
505
384
# Escape attributes for the shell
506
escaped_attrs = dict(
507
(attr,
508
re.escape(unicode(str(getattr(self, attr, "")),
509
errors=
510
'replace')))
511
for attr in
512
self.runtime_expansions)
513
385
escaped_attrs = dict((key, re.escape(str(val)))
386
for key, val in
387
vars(self).iteritems())
514
388
try:
515
389
command = self.checker_command % escaped_attrs
516
except TypeError as error:
517
logger.error('Could not format string "%s":'
518
' %s', self.checker_command, error)
390
except TypeError, error:
391
logger.error(u'Could not format string "%s":'
392
u' %s', self.checker_command, error)
519
393
return True # Try again later
520
self.current_checker_command = command
521
394
try:
522
logger.info("Starting checker %r for %s",
395
logger.info(u"Starting checker %r for %s",
523
396
command, self.name)
524
397
# We don't need to redirect stdout and stderr, since
525
398
# in normal mode, that is already done by daemon(),
528
401
self.checker = subprocess.Popen(command,
529
402
close_fds=True,
530
403
shell=True, cwd="/")
404
if self.use_dbus:
405
# Emit D-Bus signal
406
self.CheckerStarted(command)
407
self.PropertyChanged(
408
dbus.String("checker_running"),
409
dbus.Boolean(True, variant_level=1))
531
410
self.checker_callback_tag = (gobject.child_watch_add
532
411
(self.checker.pid,
533
412
self.checker_callback,
534
413
data=command))
535
# The checker may have completed before the gobject
536
# watch was added. Check for this.
537
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
538
if pid:
539
gobject.source_remove(self.checker_callback_tag)
540
self.checker_callback(pid, status, command)
541
except OSError as error:
542
logger.error("Failed to start subprocess: %s",
414
except OSError, error:
415
logger.error(u"Failed to start subprocess: %s",
543
416
error)
544
417
# Re-run this periodically if run by gobject.timeout_add
545
418
return True
551
424
self.checker_callback_tag = None
552
425
if getattr(self, "checker", None) is None:
553
426
return
554
logger.debug("Stopping checker for %(name)s", vars(self))
427
logger.debug(u"Stopping checker for %(name)s", vars(self))
555
428
try:
556
429
os.kill(self.checker.pid, signal.SIGTERM)
557
#time.sleep(0.5)
430
#os.sleep(0.5)
558
431
#if self.checker.poll() is None:
559
432
# os.kill(self.checker.pid, signal.SIGKILL)
560
except OSError as error:
433
except OSError, error:
561
434
if error.errno != errno.ESRCH: # No such process
562
435
raise
563
436
self.checker = None
564
565
566
def dbus_service_property(dbus_interface, signature="v",
567
access="readwrite", byte_arrays=False):
568
"""Decorators for marking methods of a DBusObjectWithProperties to
569
become properties on the D-Bus.
570
571
The decorated method will be called with no arguments by "Get"
572
and with one argument by "Set".
573
574
The parameters, where they are supported, are the same as
575
dbus.service.method, except there is only "signature", since the
576
type from Get() and the type sent to Set() is the same.
577
"""
578
# Encoding deeply encoded byte arrays is not supported yet by the
579
# "Set" method, so we fail early here:
580
if byte_arrays and signature != "ay":
581
raise ValueError("Byte arrays not supported for non-'ay'"
582
" signature %r" % signature)
583
def decorator(func):
584
func._dbus_is_property = True
585
func._dbus_interface = dbus_interface
586
func._dbus_signature = signature
587
func._dbus_access = access
588
func._dbus_name = func.__name__
589
if func._dbus_name.endswith("_dbus_property"):
590
func._dbus_name = func._dbus_name[:-14]
591
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
592
return func
593
return decorator
594
595
596
class DBusPropertyException(dbus.exceptions.DBusException):
597
"""A base class for D-Bus property-related exceptions
598
"""
599
def __unicode__(self):
600
return unicode(str(self))
601
602
603
class DBusPropertyAccessException(DBusPropertyException):
604
"""A property's access permissions disallows an operation.
605
"""
606
pass
607
608
609
class DBusPropertyNotFound(DBusPropertyException):
610
"""An attempt was made to access a non-existing property.
611
"""
612
pass
613
614
615
class DBusObjectWithProperties(dbus.service.Object):
616
"""A D-Bus object with properties.
617
618
Classes inheriting from this can use the dbus_service_property
619
decorator to expose methods as D-Bus properties. It exposes the
620
standard Get(), Set(), and GetAll() methods on the D-Bus.
621
"""
622
623
@staticmethod
624
def _is_dbus_property(obj):
625
return getattr(obj, "_dbus_is_property", False)
626
627
def _get_all_dbus_properties(self):
628
"""Returns a generator of (name, attribute) pairs
629
"""
630
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
631
for cls in self.__class__.__mro__
632
for name, prop in inspect.getmembers(cls, self._is_dbus_property))
633
634
def _get_dbus_property(self, interface_name, property_name):
635
"""Returns a bound method if one exists which is a D-Bus
636
property with the specified name and interface.
637
"""
638
for cls in self.__class__.__mro__:
639
for name, value in inspect.getmembers(cls, self._is_dbus_property):
640
if value._dbus_name == property_name and value._dbus_interface == interface_name:
641
return value.__get__(self)
642
643
# No such property
644
raise DBusPropertyNotFound(self.dbus_object_path + ":"
645
+ interface_name + "."
646
+ property_name)
647
648
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
649
out_signature="v")
650
def Get(self, interface_name, property_name):
651
"""Standard D-Bus property Get() method, see D-Bus standard.
652
"""
653
prop = self._get_dbus_property(interface_name, property_name)
654
if prop._dbus_access == "write":
655
raise DBusPropertyAccessException(property_name)
656
value = prop()
657
if not hasattr(value, "variant_level"):
658
return value
659
return type(value)(value, variant_level=value.variant_level+1)
660
661
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
662
def Set(self, interface_name, property_name, value):
663
"""Standard D-Bus property Set() method, see D-Bus standard.
664
"""
665
prop = self._get_dbus_property(interface_name, property_name)
666
if prop._dbus_access == "read":
667
raise DBusPropertyAccessException(property_name)
668
if prop._dbus_get_args_options["byte_arrays"]:
669
# The byte_arrays option is not supported yet on
670
# signatures other than "ay".
671
if prop._dbus_signature != "ay":
672
raise ValueError
673
value = dbus.ByteArray(''.join(unichr(byte)
674
for byte in value))
675
prop(value)
676
677
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
678
out_signature="a{sv}")
679
def GetAll(self, interface_name):
680
"""Standard D-Bus property GetAll() method, see D-Bus
681
standard.
682
683
Note: Will not include properties with access="write".
684
"""
685
all = {}
686
for name, prop in self._get_all_dbus_properties():
687
if (interface_name
688
and interface_name != prop._dbus_interface):
689
# Interface non-empty but did not match
690
continue
691
# Ignore write-only properties
692
if prop._dbus_access == "write":
693
continue
694
value = prop()
695
if not hasattr(value, "variant_level"):
696
all[name] = value
697
continue
698
all[name] = type(value)(value, variant_level=
699
value.variant_level+1)
700
return dbus.Dictionary(all, signature="sv")
701
702
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
703
out_signature="s",
704
path_keyword='object_path',
705
connection_keyword='connection')
706
def Introspect(self, object_path, connection):
707
"""Standard D-Bus method, overloaded to insert property tags.
708
"""
709
xmlstring = dbus.service.Object.Introspect(self, object_path,
710
connection)
711
try:
712
document = xml.dom.minidom.parseString(xmlstring)
713
def make_tag(document, name, prop):
714
e = document.createElement("property")
715
e.setAttribute("name", name)
716
e.setAttribute("type", prop._dbus_signature)
717
e.setAttribute("access", prop._dbus_access)
718
return e
719
for if_tag in document.getElementsByTagName("interface"):
720
for tag in (make_tag(document, name, prop)
721
for name, prop
722
in self._get_all_dbus_properties()
723
if prop._dbus_interface
724
== if_tag.getAttribute("name")):
725
if_tag.appendChild(tag)
726
# Add the names to the return values for the
727
# "org.freedesktop.DBus.Properties" methods
728
if (if_tag.getAttribute("name")
729
== "org.freedesktop.DBus.Properties"):
730
for cn in if_tag.getElementsByTagName("method"):
731
if cn.getAttribute("name") == "Get":
732
for arg in cn.getElementsByTagName("arg"):
733
if (arg.getAttribute("direction")
734
== "out"):
735
arg.setAttribute("name", "value")
736
elif cn.getAttribute("name") == "GetAll":
737
for arg in cn.getElementsByTagName("arg"):
738
if (arg.getAttribute("direction")
739
== "out"):
740
arg.setAttribute("name", "props")
741
xmlstring = document.toxml("utf-8")
742
document.unlink()
743
except (AttributeError, xml.dom.DOMException,
744
xml.parsers.expat.ExpatError) as error:
745
logger.error("Failed to override Introspection method",
746
error)
747
return xmlstring
748
749
750
def datetime_to_dbus (dt, variant_level=0):
751
"""Convert a UTC datetime.datetime() to a D-Bus type."""
752
if dt is None:
753
return dbus.String("", variant_level = variant_level)
754
return dbus.String(dt.isoformat(),
755
variant_level=variant_level)
756
757
class AlternateDBusNamesMetaclass(DBusObjectWithProperties.__metaclass__):
758
"""Applied to an empty subclass of a D-Bus object, this metaclass
759
will add additional D-Bus attributes matching a certain pattern.
760
"""
761
def __new__(mcs, name, bases, attr):
762
# Go through all the base classes which could have D-Bus
763
# methods, signals, or properties in them
764
for base in (b for b in bases
765
if issubclass(b, dbus.service.Object)):
766
# Go though all attributes of the base class
767
for attrname, attribute in inspect.getmembers(base):
768
# Ignore non-D-Bus attributes, and D-Bus attributes
769
# with the wrong interface name
770
if (not hasattr(attribute, "_dbus_interface")
771
or not attribute._dbus_interface
772
.startswith("se.recompile.Mandos")):
773
continue
774
# Create an alternate D-Bus interface name based on
775
# the current name
776
alt_interface = (attribute._dbus_interface
777
.replace("se.recompile.Mandos",
778
"se.bsnet.fukt.Mandos"))
779
# Is this a D-Bus signal?
780
if getattr(attribute, "_dbus_is_signal", False):
781
# Extract the original non-method function by
782
# black magic
783
nonmethod_func = (dict(
784
zip(attribute.func_code.co_freevars,
785
attribute.__closure__))["func"]
786
.cell_contents)
787
# Create a new, but exactly alike, function
788
# object, and decorate it to be a new D-Bus signal
789
# with the alternate D-Bus interface name
790
new_function = (dbus.service.signal
791
(alt_interface,
792
attribute._dbus_signature)
793
(types.FunctionType(
794
nonmethod_func.func_code,
795
nonmethod_func.func_globals,
796
nonmethod_func.func_name,
797
nonmethod_func.func_defaults,
798
nonmethod_func.func_closure)))
799
# Define a creator of a function to call both the
800
# old and new functions, so both the old and new
801
# signals gets sent when the function is called
802
def fixscope(func1, func2):
803
"""This function is a scope container to pass
804
func1 and func2 to the "call_both" function
805
outside of its arguments"""
806
def call_both(*args, **kwargs):
807
"""This function will emit two D-Bus
808
signals by calling func1 and func2"""
809
func1(*args, **kwargs)
810
func2(*args, **kwargs)
811
return call_both
812
# Create the "call_both" function and add it to
813
# the class
814
attr[attrname] = fixscope(attribute,
815
new_function)
816
# Is this a D-Bus method?
817
elif getattr(attribute, "_dbus_is_method", False):
818
# Create a new, but exactly alike, function
819
# object. Decorate it to be a new D-Bus method
820
# with the alternate D-Bus interface name. Add it
821
# to the class.
822
attr[attrname] = (dbus.service.method
823
(alt_interface,
824
attribute._dbus_in_signature,
825
attribute._dbus_out_signature)
826
(types.FunctionType
827
(attribute.func_code,
828
attribute.func_globals,
829
attribute.func_name,
830
attribute.func_defaults,
831
attribute.func_closure)))
832
# Is this a D-Bus property?
833
elif getattr(attribute, "_dbus_is_property", False):
834
# Create a new, but exactly alike, function
835
# object, and decorate it to be a new D-Bus
836
# property with the alternate D-Bus interface
837
# name. Add it to the class.
838
attr[attrname] = (dbus_service_property
839
(alt_interface,
840
attribute._dbus_signature,
841
attribute._dbus_access,
842
attribute
843
._dbus_get_args_options
844
["byte_arrays"])
845
(types.FunctionType
846
(attribute.func_code,
847
attribute.func_globals,
848
attribute.func_name,
849
attribute.func_defaults,
850
attribute.func_closure)))
851
return type.__new__(mcs, name, bases, attr)
852
853
class ClientDBus(Client, DBusObjectWithProperties):
854
"""A Client class using D-Bus
855
856
Attributes:
857
dbus_object_path: dbus.ObjectPath
858
bus: dbus.SystemBus()
859
"""
860
861
runtime_expansions = (Client.runtime_expansions
862
+ ("dbus_object_path",))
863
864
# dbus.service.Object doesn't use super(), so we can't either.
865
866
def __init__(self, bus = None, *args, **kwargs):
867
self._approvals_pending = 0
868
self.bus = bus
869
Client.__init__(self, *args, **kwargs)
870
# Only now, when this client is initialized, can it show up on
871
# the D-Bus
872
client_object_name = unicode(self.name).translate(
873
{ord("."): ord("_"),
874
ord("-"): ord("_")})
875
self.dbus_object_path = (dbus.ObjectPath
876
("/clients/" + client_object_name))
877
DBusObjectWithProperties.__init__(self, self.bus,
878
self.dbus_object_path)
879
880
def notifychangeproperty(transform_func,
881
dbus_name, type_func=lambda x: x,
882
variant_level=1):
883
""" Modify a variable so that it's a property which announces
884
its changes to DBus.
885
886
transform_fun: Function that takes a value and transforms it
887
to a D-Bus type.
888
dbus_name: D-Bus name of the variable
889
type_func: Function that transform the value before sending it
890
to the D-Bus. Default: no transform
891
variant_level: D-Bus variant level. Default: 1
892
"""
893
real_value = [None,]
894
def setter(self, value):
895
old_value = real_value[0]
896
real_value[0] = value
897
if hasattr(self, "dbus_object_path"):
898
if type_func(old_value) != type_func(real_value[0]):
899
dbus_value = transform_func(type_func(real_value[0]),
900
variant_level)
901
self.PropertyChanged(dbus.String(dbus_name),
902
dbus_value)
903
904
return property(lambda self: real_value[0], setter)
905
906
907
expires = notifychangeproperty(datetime_to_dbus, "Expires")
908
approvals_pending = notifychangeproperty(dbus.Boolean,
909
"ApprovalPending",
910
type_func = bool)
911
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
912
last_enabled = notifychangeproperty(datetime_to_dbus,
913
"LastEnabled")
914
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
915
type_func = lambda checker: checker is not None)
916
last_checked_ok = notifychangeproperty(datetime_to_dbus,
917
"LastCheckedOK")
918
last_approval_request = notifychangeproperty(datetime_to_dbus,
919
"LastApprovalRequest")
920
approved_by_default = notifychangeproperty(dbus.Boolean,
921
"ApprovedByDefault")
922
approval_delay = notifychangeproperty(dbus.UInt16, "ApprovalDelay",
923
type_func = _timedelta_to_milliseconds)
924
approval_duration = notifychangeproperty(dbus.UInt16, "ApprovalDuration",
925
type_func = _timedelta_to_milliseconds)
926
host = notifychangeproperty(dbus.String, "Host")
927
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
928
type_func = _timedelta_to_milliseconds)
929
extended_timeout = notifychangeproperty(dbus.UInt16, "ExtendedTimeout",
930
type_func = _timedelta_to_milliseconds)
931
interval = notifychangeproperty(dbus.UInt16, "Interval",
932
type_func = _timedelta_to_milliseconds)
933
checker_command = notifychangeproperty(dbus.String, "Checker")
934
935
del notifychangeproperty
936
937
def __del__(self, *args, **kwargs):
938
try:
939
self.remove_from_connection()
940
except LookupError:
941
pass
942
if hasattr(DBusObjectWithProperties, "__del__"):
943
DBusObjectWithProperties.__del__(self, *args, **kwargs)
944
Client.__del__(self, *args, **kwargs)
945
946
def checker_callback(self, pid, condition, command,
947
*args, **kwargs):
948
self.checker_callback_tag = None
949
self.checker = None
950
if os.WIFEXITED(condition):
951
exitstatus = os.WEXITSTATUS(condition)
952
# Emit D-Bus signal
953
self.CheckerCompleted(dbus.Int16(exitstatus),
954
dbus.Int64(condition),
955
dbus.String(command))
956
else:
957
# Emit D-Bus signal
958
self.CheckerCompleted(dbus.Int16(-1),
959
dbus.Int64(condition),
960
dbus.String(command))
961
962
return Client.checker_callback(self, pid, condition, command,
963
*args, **kwargs)
964
965
def start_checker(self, *args, **kwargs):
966
old_checker = self.checker
967
if self.checker is not None:
968
old_checker_pid = self.checker.pid
969
else:
970
old_checker_pid = None
971
r = Client.start_checker(self, *args, **kwargs)
972
# Only if new checker process was started
973
if (self.checker is not None
974
and old_checker_pid != self.checker.pid):
975
# Emit D-Bus signal
976
self.CheckerStarted(self.current_checker_command)
977
return r
978
979
def _reset_approved(self):
980
self._approved = None
981
return False
982
983
def approve(self, value=True):
984
self.send_changedstate()
985
self._approved = value
986
gobject.timeout_add(_timedelta_to_milliseconds
987
(self.approval_duration),
988
self._reset_approved)
989
990
991
## D-Bus methods, signals & properties
992
_interface = "se.recompile.Mandos.Client"
993
994
## Signals
437
if self.use_dbus:
438
self.PropertyChanged(dbus.String(u"checker_running"),
439
dbus.Boolean(False, variant_level=1))
440
441
def still_valid(self):
442
"""Has the timeout not yet passed for this client?"""
443
if not getattr(self, "enabled", False):
444
return False
445
now = datetime.datetime.utcnow()
446
if self.last_checked_ok is None:
447
return now < (self.created + self.timeout)
448
else:
449
return now < (self.last_checked_ok + self.timeout)
450
451
## D-Bus methods & signals
452
_interface = u"se.bsnet.fukt.Mandos.Client"
453
454
# CheckedOK - method
455
CheckedOK = dbus.service.method(_interface)(checked_ok)
456
CheckedOK.__name__ = "CheckedOK"
995
457
996
458
# CheckerCompleted - signal
997
459
@dbus.service.signal(_interface, signature="nxs")
1005
467
"D-Bus signal"
1006
468
pass
1007
469
470
# GetAllProperties - method
471
@dbus.service.method(_interface, out_signature="a{sv}")
472
def GetAllProperties(self):
473
"D-Bus method"
474
return dbus.Dictionary({
475
dbus.String("name"):
476
dbus.String(self.name, variant_level=1),
477
dbus.String("fingerprint"):
478
dbus.String(self.fingerprint, variant_level=1),
479
dbus.String("host"):
480
dbus.String(self.host, variant_level=1),
481
dbus.String("created"):
482
_datetime_to_dbus(self.created, variant_level=1),
483
dbus.String("last_enabled"):
484
(_datetime_to_dbus(self.last_enabled,
485
variant_level=1)
486
if self.last_enabled is not None
487
else dbus.Boolean(False, variant_level=1)),
488
dbus.String("enabled"):
489
dbus.Boolean(self.enabled, variant_level=1),
490
dbus.String("last_checked_ok"):
491
(_datetime_to_dbus(self.last_checked_ok,
492
variant_level=1)
493
if self.last_checked_ok is not None
494
else dbus.Boolean (False, variant_level=1)),
495
dbus.String("timeout"):
496
dbus.UInt64(self.timeout_milliseconds(),
497
variant_level=1),
498
dbus.String("interval"):
499
dbus.UInt64(self.interval_milliseconds(),
500
variant_level=1),
501
dbus.String("checker"):
502
dbus.String(self.checker_command,
503
variant_level=1),
504
dbus.String("checker_running"):
505
dbus.Boolean(self.checker is not None,
506
variant_level=1),
507
dbus.String("object_path"):
508
dbus.ObjectPath(self.dbus_object_path,
509
variant_level=1)
510
}, signature="sv")
511
512
# IsStillValid - method
513
IsStillValid = (dbus.service.method(_interface, out_signature="b")
514
(still_valid))
515
IsStillValid.__name__ = "IsStillValid"
516
1008
517
# PropertyChanged - signal
1009
518
@dbus.service.signal(_interface, signature="sv")
1010
519
def PropertyChanged(self, property, value):
1011
520
"D-Bus signal"
1012
521
pass
1013
522
1014
# GotSecret - signal
1015
@dbus.service.signal(_interface)
1016
def GotSecret(self):
1017
"""D-Bus signal
1018
Is sent after a successful transfer of secret from the Mandos
1019
server to mandos-client
1020
"""
1021
pass
1022
1023
# Rejected - signal
1024
@dbus.service.signal(_interface, signature="s")
1025
def Rejected(self, reason):
1026
"D-Bus signal"
1027
pass
1028
1029
# NeedApproval - signal
1030
@dbus.service.signal(_interface, signature="tb")
1031
def NeedApproval(self, timeout, default):
1032
"D-Bus signal"
1033
return self.need_approval()
1034
1035
## Methods
1036
1037
# Approve - method
1038
@dbus.service.method(_interface, in_signature="b")
1039
def Approve(self, value):
1040
self.approve(value)
1041
1042
# CheckedOK - method
1043
@dbus.service.method(_interface)
1044
def CheckedOK(self):
1045
self.checked_ok()
523
# SetChecker - method
524
@dbus.service.method(_interface, in_signature="s")
525
def SetChecker(self, checker):
526
"D-Bus setter method"
527
self.checker_command = checker
528
# Emit D-Bus signal
529
self.PropertyChanged(dbus.String(u"checker"),
530
dbus.String(self.checker_command,
531
variant_level=1))
532
533
# SetHost - method
534
@dbus.service.method(_interface, in_signature="s")
535
def SetHost(self, host):
536
"D-Bus setter method"
537
self.host = host
538
# Emit D-Bus signal
539
self.PropertyChanged(dbus.String(u"host"),
540
dbus.String(self.host, variant_level=1))
541
542
# SetInterval - method
543
@dbus.service.method(_interface, in_signature="t")
544
def SetInterval(self, milliseconds):
545
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
546
# Emit D-Bus signal
547
self.PropertyChanged(dbus.String(u"interval"),
548
(dbus.UInt64(self.interval_milliseconds(),
549
variant_level=1)))
550
551
# SetSecret - method
552
@dbus.service.method(_interface, in_signature="ay",
553
byte_arrays=True)
554
def SetSecret(self, secret):
555
"D-Bus setter method"
556
self.secret = str(secret)
557
558
# SetTimeout - method
559
@dbus.service.method(_interface, in_signature="t")
560
def SetTimeout(self, milliseconds):
561
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
562
# Emit D-Bus signal
563
self.PropertyChanged(dbus.String(u"timeout"),
564
(dbus.UInt64(self.timeout_milliseconds(),
565
variant_level=1)))
1046
566
1047
567
# Enable - method
1048
@dbus.service.method(_interface)
1049
def Enable(self):
1050
"D-Bus method"
1051
self.enable()
568
Enable = dbus.service.method(_interface)(enable)
569
Enable.__name__ = "Enable"
1052
570
1053
571
# StartChecker - method
1054
572
@dbus.service.method(_interface)
1063
581
self.disable()
1064
582
1065
583
# StopChecker - method
1066
@dbus.service.method(_interface)
1067
def StopChecker(self):
1068
self.stop_checker()
1069
1070
## Properties
1071
1072
# ApprovalPending - property
1073
@dbus_service_property(_interface, signature="b", access="read")
1074
def ApprovalPending_dbus_property(self):
1075
return dbus.Boolean(bool(self.approvals_pending))
1076
1077
# ApprovedByDefault - property
1078
@dbus_service_property(_interface, signature="b",
1079
access="readwrite")
1080
def ApprovedByDefault_dbus_property(self, value=None):
1081
if value is None: # get
1082
return dbus.Boolean(self.approved_by_default)
1083
self.approved_by_default = bool(value)
1084
1085
# ApprovalDelay - property
1086
@dbus_service_property(_interface, signature="t",
1087
access="readwrite")
1088
def ApprovalDelay_dbus_property(self, value=None):
1089
if value is None: # get
1090
return dbus.UInt64(self.approval_delay_milliseconds())
1091
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1092
1093
# ApprovalDuration - property
1094
@dbus_service_property(_interface, signature="t",
1095
access="readwrite")
1096
def ApprovalDuration_dbus_property(self, value=None):
1097
if value is None: # get
1098
return dbus.UInt64(_timedelta_to_milliseconds(
1099
self.approval_duration))
1100
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1101
1102
# Name - property
1103
@dbus_service_property(_interface, signature="s", access="read")
1104
def Name_dbus_property(self):
1105
return dbus.String(self.name)
1106
1107
# Fingerprint - property
1108
@dbus_service_property(_interface, signature="s", access="read")
1109
def Fingerprint_dbus_property(self):
1110
return dbus.String(self.fingerprint)
1111
1112
# Host - property
1113
@dbus_service_property(_interface, signature="s",
1114
access="readwrite")
1115
def Host_dbus_property(self, value=None):
1116
if value is None: # get
1117
return dbus.String(self.host)
1118
self.host = value
1119
1120
# Created - property
1121
@dbus_service_property(_interface, signature="s", access="read")
1122
def Created_dbus_property(self):
1123
return dbus.String(datetime_to_dbus(self.created))
1124
1125
# LastEnabled - property
1126
@dbus_service_property(_interface, signature="s", access="read")
1127
def LastEnabled_dbus_property(self):
1128
return datetime_to_dbus(self.last_enabled)
1129
1130
# Enabled - property
1131
@dbus_service_property(_interface, signature="b",
1132
access="readwrite")
1133
def Enabled_dbus_property(self, value=None):
1134
if value is None: # get
1135
return dbus.Boolean(self.enabled)
1136
if value:
1137
self.enable()
1138
else:
1139
self.disable()
1140
1141
# LastCheckedOK - property
1142
@dbus_service_property(_interface, signature="s",
1143
access="readwrite")
1144
def LastCheckedOK_dbus_property(self, value=None):
1145
if value is not None:
1146
self.checked_ok()
1147
return
1148
return datetime_to_dbus(self.last_checked_ok)
1149
1150
# Expires - property
1151
@dbus_service_property(_interface, signature="s", access="read")
1152
def Expires_dbus_property(self):
1153
return datetime_to_dbus(self.expires)
1154
1155
# LastApprovalRequest - property
1156
@dbus_service_property(_interface, signature="s", access="read")
1157
def LastApprovalRequest_dbus_property(self):
1158
return datetime_to_dbus(self.last_approval_request)
1159
1160
# Timeout - property
1161
@dbus_service_property(_interface, signature="t",
1162
access="readwrite")
1163
def Timeout_dbus_property(self, value=None):
1164
if value is None: # get
1165
return dbus.UInt64(self.timeout_milliseconds())
1166
self.timeout = datetime.timedelta(0, 0, 0, value)
1167
if getattr(self, "disable_initiator_tag", None) is None:
1168
return
1169
# Reschedule timeout
1170
gobject.source_remove(self.disable_initiator_tag)
1171
self.disable_initiator_tag = None
1172
self.expires = None
1173
time_to_die = (self.
1174
_timedelta_to_milliseconds((self
1175
.last_checked_ok
1176
+ self.timeout)
1177
- datetime.datetime
1178
.utcnow()))
1179
if time_to_die <= 0:
1180
# The timeout has passed
1181
self.disable()
1182
else:
1183
self.expires = (datetime.datetime.utcnow()
1184
+ datetime.timedelta(milliseconds = time_to_die))
1185
self.disable_initiator_tag = (gobject.timeout_add
1186
(time_to_die, self.disable))
1187
1188
# ExtendedTimeout - property
1189
@dbus_service_property(_interface, signature="t",
1190
access="readwrite")
1191
def ExtendedTimeout_dbus_property(self, value=None):
1192
if value is None: # get
1193
return dbus.UInt64(self.extended_timeout_milliseconds())
1194
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1195
1196
# Interval - property
1197
@dbus_service_property(_interface, signature="t",
1198
access="readwrite")
1199
def Interval_dbus_property(self, value=None):
1200
if value is None: # get
1201
return dbus.UInt64(self.interval_milliseconds())
1202
self.interval = datetime.timedelta(0, 0, 0, value)
1203
if getattr(self, "checker_initiator_tag", None) is None:
1204
return
1205
# Reschedule checker run
1206
gobject.source_remove(self.checker_initiator_tag)
1207
self.checker_initiator_tag = (gobject.timeout_add
1208
(value, self.start_checker))
1209
self.start_checker() # Start one now, too
1210
1211
# Checker - property
1212
@dbus_service_property(_interface, signature="s",
1213
access="readwrite")
1214
def Checker_dbus_property(self, value=None):
1215
if value is None: # get
1216
return dbus.String(self.checker_command)
1217
self.checker_command = value
1218
1219
# CheckerRunning - property
1220
@dbus_service_property(_interface, signature="b",
1221
access="readwrite")
1222
def CheckerRunning_dbus_property(self, value=None):
1223
if value is None: # get
1224
return dbus.Boolean(self.checker is not None)
1225
if value:
1226
self.start_checker()
1227
else:
1228
self.stop_checker()
1229
1230
# ObjectPath - property
1231
@dbus_service_property(_interface, signature="o", access="read")
1232
def ObjectPath_dbus_property(self):
1233
return self.dbus_object_path # is already a dbus.ObjectPath
1234
1235
# Secret = property
1236
@dbus_service_property(_interface, signature="ay",
1237
access="write", byte_arrays=True)
1238
def Secret_dbus_property(self, value):
1239
self.secret = str(value)
584
StopChecker = dbus.service.method(_interface)(stop_checker)
585
StopChecker.__name__ = "StopChecker"
1240
586
1241
587
del _interface
1242
588
1243
589
1244
class ProxyClient(object):
1245
def __init__(self, child_pipe, fpr, address):
1246
self._pipe = child_pipe
1247
self._pipe.send(('init', fpr, address))
1248
if not self._pipe.recv():
1249
raise KeyError()
1250
1251
def __getattribute__(self, name):
1252
if(name == '_pipe'):
1253
return super(ProxyClient, self).__getattribute__(name)
1254
self._pipe.send(('getattr', name))
1255
data = self._pipe.recv()
1256
if data[0] == 'data':
1257
return data[1]
1258
if data[0] == 'function':
1259
def func(*args, **kwargs):
1260
self._pipe.send(('funcall', name, args, kwargs))
1261
return self._pipe.recv()[1]
1262
return func
1263
1264
def __setattr__(self, name, value):
1265
if(name == '_pipe'):
1266
return super(ProxyClient, self).__setattr__(name, value)
1267
self._pipe.send(('setattr', name, value))
1268
1269
class ClientDBusTransitional(ClientDBus):
1270
__metaclass__ = AlternateDBusNamesMetaclass
1271
1272
class ClientHandler(socketserver.BaseRequestHandler, object):
1273
"""A class to handle client connections.
1274
1275
Instantiated once for each connection to handle it.
590
def peer_certificate(session):
591
"Return the peer's OpenPGP certificate as a bytestring"
592
# If not an OpenPGP certificate...
593
if (gnutls.library.functions
594
.gnutls_certificate_type_get(session._c_object)
595
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
596
# ...do the normal thing
597
return session.peer_certificate
598
list_size = ctypes.c_uint(1)
599
cert_list = (gnutls.library.functions
600
.gnutls_certificate_get_peers
601
(session._c_object, ctypes.byref(list_size)))
602
if not bool(cert_list) and list_size.value != 0:
603
raise gnutls.errors.GNUTLSError("error getting peer"
604
" certificate")
605
if list_size.value == 0:
606
return None
607
cert = cert_list[0]
608
return ctypes.string_at(cert.data, cert.size)
609
610
611
def fingerprint(openpgp):
612
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
613
# New GnuTLS "datum" with the OpenPGP public key
614
datum = (gnutls.library.types
615
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
616
ctypes.POINTER
617
(ctypes.c_ubyte)),
618
ctypes.c_uint(len(openpgp))))
619
# New empty GnuTLS certificate
620
crt = gnutls.library.types.gnutls_openpgp_crt_t()
621
(gnutls.library.functions
622
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
623
# Import the OpenPGP public key into the certificate
624
(gnutls.library.functions
625
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
626
gnutls.library.constants
627
.GNUTLS_OPENPGP_FMT_RAW))
628
# Verify the self signature in the key
629
crtverify = ctypes.c_uint()
630
(gnutls.library.functions
631
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
632
if crtverify.value != 0:
633
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
634
raise gnutls.errors.CertificateSecurityError("Verify failed")
635
# New buffer for the fingerprint
636
buf = ctypes.create_string_buffer(20)
637
buf_len = ctypes.c_size_t()
638
# Get the fingerprint from the certificate into the buffer
639
(gnutls.library.functions
640
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
641
ctypes.byref(buf_len)))
642
# Deinit the certificate
643
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
644
# Convert the buffer to a Python bytestring
645
fpr = ctypes.string_at(buf, buf_len.value)
646
# Convert the bytestring to hexadecimal notation
647
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
648
return hex_fpr
649
650
651
class TCP_handler(SocketServer.BaseRequestHandler, object):
652
"""A TCP request handler class.
653
Instantiated by IPv6_TCPServer for each request to handle it.
1276
654
Note: This will run in its own forked process."""
1277
655
1278
656
def handle(self):
1279
with contextlib.closing(self.server.child_pipe) as child_pipe:
1280
logger.info("TCP connection from: %s",
1281
unicode(self.client_address))
1282
logger.debug("Pipe FD: %d",
1283
self.server.child_pipe.fileno())
1284
1285
session = (gnutls.connection
1286
.ClientSession(self.request,
1287
gnutls.connection
1288
.X509Credentials()))
1289
1290
# Note: gnutls.connection.X509Credentials is really a
1291
# generic GnuTLS certificate credentials object so long as
1292
# no X.509 keys are added to it. Therefore, we can use it
1293
# here despite using OpenPGP certificates.
1294
1295
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1296
# "+AES-256-CBC", "+SHA1",
1297
# "+COMP-NULL", "+CTYPE-OPENPGP",
1298
# "+DHE-DSS"))
1299
# Use a fallback default, since this MUST be set.
1300
priority = self.server.gnutls_priority
1301
if priority is None:
1302
priority = "NORMAL"
1303
(gnutls.library.functions
1304
.gnutls_priority_set_direct(session._c_object,
1305
priority, None))
1306
1307
# Start communication using the Mandos protocol
1308
# Get protocol number
1309
line = self.request.makefile().readline()
1310
logger.debug("Protocol version: %r", line)
1311
try:
1312
if int(line.strip().split()[0]) > 1:
1313
raise RuntimeError
1314
except (ValueError, IndexError, RuntimeError) as error:
1315
logger.error("Unknown protocol version: %s", error)
1316
return
1317
1318
# Start GnuTLS connection
1319
try:
1320
session.handshake()
1321
except gnutls.errors.GNUTLSError as error:
1322
logger.warning("Handshake failed: %s", error)
1323
# Do not run session.bye() here: the session is not
1324
# established. Just abandon the request.
1325
return
1326
logger.debug("Handshake succeeded")
1327
1328
approval_required = False
1329
try:
1330
try:
1331
fpr = self.fingerprint(self.peer_certificate
1332
(session))
1333
except (TypeError,
1334
gnutls.errors.GNUTLSError) as error:
1335
logger.warning("Bad certificate: %s", error)
1336
return
1337
logger.debug("Fingerprint: %s", fpr)
1338
1339
try:
1340
client = ProxyClient(child_pipe, fpr,
1341
self.client_address)
1342
except KeyError:
1343
return
1344
1345
if client.approval_delay:
1346
delay = client.approval_delay
1347
client.approvals_pending += 1
1348
approval_required = True
1349
1350
while True:
1351
if not client.enabled:
1352
logger.info("Client %s is disabled",
1353
client.name)
1354
if self.server.use_dbus:
1355
# Emit D-Bus signal
1356
client.Rejected("Disabled")
1357
return
1358
1359
if client._approved or not client.approval_delay:
1360
#We are approved or approval is disabled
1361
break
1362
elif client._approved is None:
1363
logger.info("Client %s needs approval",
1364
client.name)
1365
if self.server.use_dbus:
1366
# Emit D-Bus signal
1367
client.NeedApproval(
1368
client.approval_delay_milliseconds(),
1369
client.approved_by_default)
1370
else:
1371
logger.warning("Client %s was not approved",
1372
client.name)
1373
if self.server.use_dbus:
1374
# Emit D-Bus signal
1375
client.Rejected("Denied")
1376
return
1377
1378
#wait until timeout or approved
1379
#x = float(client._timedelta_to_milliseconds(delay))
1380
time = datetime.datetime.now()
1381
client.changedstate.acquire()
1382
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1383
client.changedstate.release()
1384
time2 = datetime.datetime.now()
1385
if (time2 - time) >= delay:
1386
if not client.approved_by_default:
1387
logger.warning("Client %s timed out while"
1388
" waiting for approval",
1389
client.name)
1390
if self.server.use_dbus:
1391
# Emit D-Bus signal
1392
client.Rejected("Approval timed out")
1393
return
1394
else:
1395
break
1396
else:
1397
delay -= time2 - time
1398
1399
sent_size = 0
1400
while sent_size < len(client.secret):
1401
try:
1402
sent = session.send(client.secret[sent_size:])
1403
except gnutls.errors.GNUTLSError as error:
1404
logger.warning("gnutls send failed")
1405
return
1406
logger.debug("Sent: %d, remaining: %d",
1407
sent, len(client.secret)
1408
- (sent_size + sent))
1409
sent_size += sent
1410
1411
logger.info("Sending secret to %s", client.name)
1412
# bump the timeout as if seen
1413
client.checked_ok(client.extended_timeout)
1414
if self.server.use_dbus:
1415
# Emit D-Bus signal
1416
client.GotSecret()
1417
1418
finally:
1419
if approval_required:
1420
client.approvals_pending -= 1
1421
try:
1422
session.bye()
1423
except gnutls.errors.GNUTLSError as error:
1424
logger.warning("GnuTLS bye failed")
1425
1426
@staticmethod
1427
def peer_certificate(session):
1428
"Return the peer's OpenPGP certificate as a bytestring"
1429
# If not an OpenPGP certificate...
1430
if (gnutls.library.functions
1431
.gnutls_certificate_type_get(session._c_object)
1432
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1433
# ...do the normal thing
1434
return session.peer_certificate
1435
list_size = ctypes.c_uint(1)
1436
cert_list = (gnutls.library.functions
1437
.gnutls_certificate_get_peers
1438
(session._c_object, ctypes.byref(list_size)))
1439
if not bool(cert_list) and list_size.value != 0:
1440
raise gnutls.errors.GNUTLSError("error getting peer"
1441
" certificate")
1442
if list_size.value == 0:
1443
return None
1444
cert = cert_list[0]
1445
return ctypes.string_at(cert.data, cert.size)
1446
1447
@staticmethod
1448
def fingerprint(openpgp):
1449
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1450
# New GnuTLS "datum" with the OpenPGP public key
1451
datum = (gnutls.library.types
1452
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1453
ctypes.POINTER
1454
(ctypes.c_ubyte)),
1455
ctypes.c_uint(len(openpgp))))
1456
# New empty GnuTLS certificate
1457
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1458
(gnutls.library.functions
1459
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1460
# Import the OpenPGP public key into the certificate
1461
(gnutls.library.functions
1462
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1463
gnutls.library.constants
1464
.GNUTLS_OPENPGP_FMT_RAW))
1465
# Verify the self signature in the key
1466
crtverify = ctypes.c_uint()
1467
(gnutls.library.functions
1468
.gnutls_openpgp_crt_verify_self(crt, 0,
1469
ctypes.byref(crtverify)))
1470
if crtverify.value != 0:
1471
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1472
raise (gnutls.errors.CertificateSecurityError
1473
("Verify failed"))
1474
# New buffer for the fingerprint
1475
buf = ctypes.create_string_buffer(20)
1476
buf_len = ctypes.c_size_t()
1477
# Get the fingerprint from the certificate into the buffer
1478
(gnutls.library.functions
1479
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1480
ctypes.byref(buf_len)))
1481
# Deinit the certificate
1482
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1483
# Convert the buffer to a Python bytestring
1484
fpr = ctypes.string_at(buf, buf_len.value)
1485
# Convert the bytestring to hexadecimal notation
1486
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1487
return hex_fpr
1488
1489
1490
class MultiprocessingMixIn(object):
1491
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1492
def sub_process_main(self, request, address):
1493
try:
1494
self.finish_request(request, address)
1495
except:
1496
self.handle_error(request, address)
1497
self.close_request(request)
1498
1499
def process_request(self, request, address):
1500
"""Start a new process to process the request."""
1501
multiprocessing.Process(target = self.sub_process_main,
1502
args = (request, address)).start()
1503
1504
1505
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1506
""" adds a pipe to the MixIn """
1507
def process_request(self, request, client_address):
1508
"""Overrides and wraps the original process_request().
1509
1510
This function creates a new pipe in self.pipe
1511
"""
1512
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1513
1514
super(MultiprocessingMixInWithPipe,
1515
self).process_request(request, client_address)
1516
self.child_pipe.close()
1517
self.add_pipe(parent_pipe)
1518
1519
def add_pipe(self, parent_pipe):
1520
"""Dummy function; override as necessary"""
1521
raise NotImplementedError
1522
1523
1524
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1525
socketserver.TCPServer, object):
1526
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1527
657
logger.info(u"TCP connection from: %s",
658
unicode(self.client_address))
659
session = (gnutls.connection
660
.ClientSession(self.request,
661
gnutls.connection
662
.X509Credentials()))
663
664
line = self.request.makefile().readline()
665
logger.debug(u"Protocol version: %r", line)
666
try:
667
if int(line.strip().split()[0]) > 1:
668
raise RuntimeError
669
except (ValueError, IndexError, RuntimeError), error:
670
logger.error(u"Unknown protocol version: %s", error)
671
return
672
673
# Note: gnutls.connection.X509Credentials is really a generic
674
# GnuTLS certificate credentials object so long as no X.509
675
# keys are added to it. Therefore, we can use it here despite
676
# using OpenPGP certificates.
677
678
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
679
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
680
# "+DHE-DSS"))
681
# Use a fallback default, since this MUST be set.
682
priority = self.server.settings.get("priority", "NORMAL")
683
(gnutls.library.functions
684
.gnutls_priority_set_direct(session._c_object,
685
priority, None))
686
687
try:
688
session.handshake()
689
except gnutls.errors.GNUTLSError, error:
690
logger.warning(u"Handshake failed: %s", error)
691
# Do not run session.bye() here: the session is not
692
# established. Just abandon the request.
693
return
694
logger.debug(u"Handshake succeeded")
695
try:
696
fpr = fingerprint(peer_certificate(session))
697
except (TypeError, gnutls.errors.GNUTLSError), error:
698
logger.warning(u"Bad certificate: %s", error)
699
session.bye()
700
return
701
logger.debug(u"Fingerprint: %s", fpr)
702
703
for c in self.server.clients:
704
if c.fingerprint == fpr:
705
client = c
706
break
707
else:
708
logger.warning(u"Client not found for fingerprint: %s",
709
fpr)
710
session.bye()
711
return
712
# Have to check if client.still_valid(), since it is possible
713
# that the client timed out while establishing the GnuTLS
714
# session.
715
if not client.still_valid():
716
logger.warning(u"Client %(name)s is invalid",
717
vars(client))
718
session.bye()
719
return
720
## This won't work here, since we're in a fork.
721
# client.checked_ok()
722
sent_size = 0
723
while sent_size < len(client.secret):
724
sent = session.send(client.secret[sent_size:])
725
logger.debug(u"Sent: %d, remaining: %d",
726
sent, len(client.secret)
727
- (sent_size + sent))
728
sent_size += sent
729
session.bye()
730
731
732
class IPv6_TCPServer(SocketServer.ForkingMixIn,
733
SocketServer.TCPServer, object):
734
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1528
735
Attributes:
736
settings: Server settings
737
clients: Set() of Client objects
1529
738
enabled: Boolean; whether this server is activated yet
1530
interface: None or a network interface name (string)
1531
use_ipv6: Boolean; to use IPv6 or not
1532
739
"""
1533
def __init__(self, server_address, RequestHandlerClass,
1534
interface=None, use_ipv6=True):
1535
self.interface = interface
1536
if use_ipv6:
1537
self.address_family = socket.AF_INET6
1538
socketserver.TCPServer.__init__(self, server_address,
1539
RequestHandlerClass)
740
address_family = socket.AF_INET6
741
def __init__(self, *args, **kwargs):
742
if "settings" in kwargs:
743
self.settings = kwargs["settings"]
744
del kwargs["settings"]
745
if "clients" in kwargs:
746
self.clients = kwargs["clients"]
747
del kwargs["clients"]
748
self.enabled = False
749
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1540
750
def server_bind(self):
1541
751
"""This overrides the normal server_bind() function
1542
752
to bind to an interface if one was specified, and also NOT to
1543
753
bind to an address or port if they were not specified."""
1544
if self.interface is not None:
1545
if SO_BINDTODEVICE is None:
1546
logger.error("SO_BINDTODEVICE does not exist;"
1547
" cannot bind to interface %s",
1548
self.interface)
1549
else:
1550
try:
1551
self.socket.setsockopt(socket.SOL_SOCKET,
1552
SO_BINDTODEVICE,
1553
str(self.interface
1554
+ '\0'))
1555
except socket.error as error:
1556
if error[0] == errno.EPERM:
1557
logger.error("No permission to"
1558
" bind to interface %s",
1559
self.interface)
1560
elif error[0] == errno.ENOPROTOOPT:
1561
logger.error("SO_BINDTODEVICE not available;"
1562
" cannot bind to interface %s",
1563
self.interface)
1564
else:
1565
raise
754
if self.settings["interface"]:
755
# 25 is from /usr/include/asm-i486/socket.h
756
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
757
try:
758
self.socket.setsockopt(socket.SOL_SOCKET,
759
SO_BINDTODEVICE,
760
self.settings["interface"])
761
except socket.error, error:
762
if error[0] == errno.EPERM:
763
logger.error(u"No permission to"
764
u" bind to interface %s",
765
self.settings["interface"])
766
else:
767
raise error
1566
768
# Only bind(2) the socket if we really need to.
1567
769
if self.server_address[0] or self.server_address[1]:
1568
770
if not self.server_address[0]:
1569
if self.address_family == socket.AF_INET6:
1570
any_address = "::" # in6addr_any
1571
else:
1572
any_address = socket.INADDR_ANY
1573
self.server_address = (any_address,
771
in6addr_any = "::"
772
self.server_address = (in6addr_any,
1574
773
self.server_address[1])
1575
774
elif not self.server_address[1]:
1576
775
self.server_address = (self.server_address[0],
1577
776
0)
1578
# if self.interface:
777
# if self.settings["interface"]:
1579
778
# self.server_address = (self.server_address[0],
1580
779
# 0, # port
1581
780
# 0, # flowinfo
1582
781
# if_nametoindex
1583
# (self.interface))
1584
return socketserver.TCPServer.server_bind(self)
1585
1586
1587
class MandosServer(IPv6_TCPServer):
1588
"""Mandos server.
1589
1590
Attributes:
1591
clients: set of Client objects
1592
gnutls_priority GnuTLS priority string
1593
use_dbus: Boolean; to emit D-Bus signals or not
1594
1595
Assumes a gobject.MainLoop event loop.
1596
"""
1597
def __init__(self, server_address, RequestHandlerClass,
1598
interface=None, use_ipv6=True, clients=None,
1599
gnutls_priority=None, use_dbus=True):
1600
self.enabled = False
1601
self.clients = clients
1602
if self.clients is None:
1603
self.clients = set()
1604
self.use_dbus = use_dbus
1605
self.gnutls_priority = gnutls_priority
1606
IPv6_TCPServer.__init__(self, server_address,
1607
RequestHandlerClass,
1608
interface = interface,
1609
use_ipv6 = use_ipv6)
782
# (self.settings
783
# ["interface"]))
784
return super(IPv6_TCPServer, self).server_bind()
1610
785
def server_activate(self):
1611
786
if self.enabled:
1612
return socketserver.TCPServer.server_activate(self)
787
return super(IPv6_TCPServer, self).server_activate()
1613
788
def enable(self):
1614
789
self.enabled = True
1615
def add_pipe(self, parent_pipe):
1616
# Call "handle_ipc" for both data and EOF events
1617
gobject.io_add_watch(parent_pipe.fileno(),
1618
gobject.IO_IN | gobject.IO_HUP,
1619
functools.partial(self.handle_ipc,
1620
parent_pipe = parent_pipe))
1621
1622
def handle_ipc(self, source, condition, parent_pipe=None,
1623
client_object=None):
1624
condition_names = {
1625
gobject.IO_IN: "IN", # There is data to read.
1626
gobject.IO_OUT: "OUT", # Data can be written (without
1627
# blocking).
1628
gobject.IO_PRI: "PRI", # There is urgent data to read.
1629
gobject.IO_ERR: "ERR", # Error condition.
1630
gobject.IO_HUP: "HUP" # Hung up (the connection has been
1631
# broken, usually for pipes and
1632
# sockets).
1633
}
1634
conditions_string = ' | '.join(name
1635
for cond, name in
1636
condition_names.iteritems()
1637
if cond & condition)
1638
# error or the other end of multiprocessing.Pipe has closed
1639
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1640
return False
1641
1642
# Read a request from the child
1643
request = parent_pipe.recv()
1644
command = request[0]
1645
1646
if command == 'init':
1647
fpr = request[1]
1648
address = request[2]
1649
1650
for c in self.clients:
1651
if c.fingerprint == fpr:
1652
client = c
1653
break
1654
else:
1655
logger.info("Client not found for fingerprint: %s, ad"
1656
"dress: %s", fpr, address)
1657
if self.use_dbus:
1658
# Emit D-Bus signal
1659
mandos_dbus_service.ClientNotFound(fpr, address[0])
1660
parent_pipe.send(False)
1661
return False
1662
1663
gobject.io_add_watch(parent_pipe.fileno(),
1664
gobject.IO_IN | gobject.IO_HUP,
1665
functools.partial(self.handle_ipc,
1666
parent_pipe = parent_pipe,
1667
client_object = client))
1668
parent_pipe.send(True)
1669
# remove the old hook in favor of the new above hook on same fileno
1670
return False
1671
if command == 'funcall':
1672
funcname = request[1]
1673
args = request[2]
1674
kwargs = request[3]
1675
1676
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1677
1678
if command == 'getattr':
1679
attrname = request[1]
1680
if callable(client_object.__getattribute__(attrname)):
1681
parent_pipe.send(('function',))
1682
else:
1683
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1684
1685
if command == 'setattr':
1686
attrname = request[1]
1687
value = request[2]
1688
setattr(client_object, attrname, value)
1689
1690
return True
1691
790
1692
791
1693
792
def string_to_delta(interval):
1701
800
datetime.timedelta(0, 3600)
1702
801
>>> string_to_delta('24h')
1703
802
datetime.timedelta(1)
1704
>>> string_to_delta('1w')
803
>>> string_to_delta(u'1w')
1705
804
datetime.timedelta(7)
1706
805
>>> string_to_delta('5m 30s')
1707
806
datetime.timedelta(0, 330)
1711
810
try:
1712
811
suffix = unicode(s[-1])
1713
812
value = int(s[:-1])
1714
if suffix == "d":
813
if suffix == u"d":
1715
814
delta = datetime.timedelta(value)
1716
elif suffix == "s":
815
elif suffix == u"s":
1717
816
delta = datetime.timedelta(0, value)
1718
elif suffix == "m":
817
elif suffix == u"m":
1719
818
delta = datetime.timedelta(0, 0, 0, 0, value)
1720
elif suffix == "h":
819
elif suffix == u"h":
1721
820
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1722
elif suffix == "w":
821
elif suffix == u"w":
1723
822
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1724
823
else:
1725
raise ValueError("Unknown suffix %r" % suffix)
1726
except (ValueError, IndexError) as e:
1727
raise ValueError(*(e.args))
824
raise ValueError
825
except (ValueError, IndexError):
826
raise ValueError
1728
827
timevalue += delta
1729
828
return timevalue
1730
829
1731
830
831
def server_state_changed(state):
832
"""Derived from the Avahi example code"""
833
if state == avahi.SERVER_COLLISION:
834
logger.error(u"Zeroconf server name collision")
835
service.remove()
836
elif state == avahi.SERVER_RUNNING:
837
service.add()
838
839
840
def entry_group_state_changed(state, error):
841
"""Derived from the Avahi example code"""
842
logger.debug(u"Avahi state change: %i", state)
843
844
if state == avahi.ENTRY_GROUP_ESTABLISHED:
845
logger.debug(u"Zeroconf service established.")
846
elif state == avahi.ENTRY_GROUP_COLLISION:
847
logger.warning(u"Zeroconf service name collision.")
848
service.rename()
849
elif state == avahi.ENTRY_GROUP_FAILURE:
850
logger.critical(u"Avahi: Error in group state changed %s",
851
unicode(error))
852
raise AvahiGroupError(u"State changed: %s" % unicode(error))
853
1732
854
def if_nametoindex(interface):
1733
"""Call the C function if_nametoindex(), or equivalent
1734
1735
Note: This function cannot accept a unicode string."""
855
"""Call the C function if_nametoindex(), or equivalent"""
1736
856
global if_nametoindex
1737
857
try:
1738
858
if_nametoindex = (ctypes.cdll.LoadLibrary
1739
859
(ctypes.util.find_library("c"))
1740
860
.if_nametoindex)
1741
861
except (OSError, AttributeError):
1742
logger.warning("Doing if_nametoindex the hard way")
862
if "struct" not in sys.modules:
863
import struct
864
if "fcntl" not in sys.modules:
865
import fcntl
1743
866
def if_nametoindex(interface):
1744
867
"Get an interface index the hard way, i.e. using fcntl()"
1745
868
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1746
with contextlib.closing(socket.socket()) as s:
869
with closing(socket.socket()) as s:
1747
870
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1748
struct.pack(str("16s16x"),
1749
interface))
1750
interface_index = struct.unpack(str("I"),
1751
ifreq[16:20])[0]
871
struct.pack("16s16x", interface))
872
interface_index = struct.unpack("I", ifreq[16:20])[0]
1752
873
return interface_index
1753
874
return if_nametoindex(interface)
1754
875
1755
876
1756
877
def daemon(nochdir = False, noclose = False):
1757
878
"""See daemon(3). Standard BSD Unix function.
1758
1759
879
This should really exist as os.daemon, but it doesn't (yet)."""
1760
880
if os.fork():
1761
881
sys.exit()
1769
889
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1770
890
if not stat.S_ISCHR(os.fstat(null).st_mode):
1771
891
raise OSError(errno.ENODEV,
1772
"%s not a character device"
1773
% os.path.devnull)
892
"/dev/null not a character device")
1774
893
os.dup2(null, sys.stdin.fileno())
1775
894
os.dup2(null, sys.stdout.fileno())
1776
895
os.dup2(null, sys.stderr.fileno())
1779
898
1780
899
1781
900
def main():
1782
1783
##################################################################
1784
# Parsing of options, both command line and config file
1785
1786
parser = argparse.ArgumentParser()
1787
parser.add_argument("-v", "--version", action="version",
1788
version = "%%(prog)s %s" % version,
1789
help="show version number and exit")
1790
parser.add_argument("-i", "--interface", metavar="IF",
1791
help="Bind to interface IF")
1792
parser.add_argument("-a", "--address",
1793
help="Address to listen for requests on")
1794
parser.add_argument("-p", "--port", type=int,
1795
help="Port number to receive requests on")
1796
parser.add_argument("--check", action="store_true",
1797
help="Run self-test")
1798
parser.add_argument("--debug", action="store_true",
1799
help="Debug mode; run in foreground and log"
1800
" to terminal")
1801
parser.add_argument("--debuglevel", metavar="LEVEL",
1802
help="Debug level for stdout output")
1803
parser.add_argument("--priority", help="GnuTLS"
1804
" priority string (see GnuTLS documentation)")
1805
parser.add_argument("--servicename",
1806
metavar="NAME", help="Zeroconf service name")
1807
parser.add_argument("--configdir",
1808
default="/etc/mandos", metavar="DIR",
1809
help="Directory to search for configuration"
1810
" files")
1811
parser.add_argument("--no-dbus", action="store_false",
1812
dest="use_dbus", help="Do not provide D-Bus"
1813
" system bus interface")
1814
parser.add_argument("--no-ipv6", action="store_false",
1815
dest="use_ipv6", help="Do not use IPv6")
1816
options = parser.parse_args()
901
parser = optparse.OptionParser(version = "%%prog %s" % version)
902
parser.add_option("-i", "--interface", type="string",
903
metavar="IF", help="Bind to interface IF")
904
parser.add_option("-a", "--address", type="string",
905
help="Address to listen for requests on")
906
parser.add_option("-p", "--port", type="int",
907
help="Port number to receive requests on")
908
parser.add_option("--check", action="store_true",
909
help="Run self-test")
910
parser.add_option("--debug", action="store_true",
911
help="Debug mode; run in foreground and log to"
912
" terminal")
913
parser.add_option("--priority", type="string", help="GnuTLS"
914
" priority string (see GnuTLS documentation)")
915
parser.add_option("--servicename", type="string", metavar="NAME",
916
help="Zeroconf service name")
917
parser.add_option("--configdir", type="string",
918
default="/etc/mandos", metavar="DIR",
919
help="Directory to search for configuration"
920
" files")
921
parser.add_option("--no-dbus", action="store_false",
922
dest="use_dbus",
923
help="Do not provide D-Bus system bus"
924
" interface")
925
options = parser.parse_args()[0]
1817
926
1818
927
if options.check:
1819
928
import doctest
1829
938
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1830
939
"servicename": "Mandos",
1831
940
"use_dbus": "True",
1832
"use_ipv6": "True",
1833
"debuglevel": "",
1834
941
}
1835
942
1836
943
# Parse config file for server-global settings
1837
server_config = configparser.SafeConfigParser(server_defaults)
944
server_config = ConfigParser.SafeConfigParser(server_defaults)
1838
945
del server_defaults
1839
server_config.read(os.path.join(options.configdir,
1840
"mandos.conf"))
946
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1841
947
# Convert the SafeConfigParser object to a dict
1842
948
server_settings = server_config.defaults()
1843
949
# Use the appropriate methods on the non-string config options
1844
for option in ("debug", "use_dbus", "use_ipv6"):
1845
server_settings[option] = server_config.getboolean("DEFAULT",
1846
option)
950
server_settings["debug"] = server_config.getboolean("DEFAULT",
951
"debug")
952
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
953
"use_dbus")
1847
954
if server_settings["port"]:
1848
955
server_settings["port"] = server_config.getint("DEFAULT",
1849
956
"port")
1853
960
# options, if set.
1854
961
for option in ("interface", "address", "port", "debug",
1855
962
"priority", "servicename", "configdir",
1856
"use_dbus", "use_ipv6", "debuglevel"):
963
"use_dbus"):
1857
964
value = getattr(options, option)
1858
965
if value is not None:
1859
966
server_settings[option] = value
1860
967
del options
1861
# Force all strings to be unicode
1862
for option in server_settings.keys():
1863
if type(server_settings[option]) is str:
1864
server_settings[option] = unicode(server_settings[option])
1865
968
# Now we have our good server settings in "server_settings"
1866
969
1867
##################################################################
1868
1869
970
# For convenience
1870
971
debug = server_settings["debug"]
1871
debuglevel = server_settings["debuglevel"]
1872
972
use_dbus = server_settings["use_dbus"]
1873
use_ipv6 = server_settings["use_ipv6"]
973
974
def sigsegvhandler(signum, frame):
975
raise RuntimeError('Segmentation fault')
976
977
if not debug:
978
syslogger.setLevel(logging.WARNING)
979
console.setLevel(logging.WARNING)
980
else:
981
signal.signal(signal.SIGSEGV, sigsegvhandler)
1874
982
1875
983
if server_settings["servicename"] != "Mandos":
1876
984
syslogger.setFormatter(logging.Formatter
1877
('Mandos (%s) [%%(process)d]:'
1878
' %%(levelname)s: %%(message)s'
985
('Mandos (%s): %%(levelname)s:'
986
' %%(message)s'
1879
987
% server_settings["servicename"]))
1880
988
1881
989
# Parse config file with clients
1882
client_defaults = { "timeout": "5m",
1883
"extended_timeout": "15m",
1884
"interval": "2m",
990
client_defaults = { "timeout": "1h",
991
"interval": "5m",
1885
992
"checker": "fping -q -- %%(host)s",
1886
993
"host": "",
1887
"approval_delay": "0s",
1888
"approval_duration": "1s",
1889
994
}
1890
client_config = configparser.SafeConfigParser(client_defaults)
995
client_config = ConfigParser.SafeConfigParser(client_defaults)
1891
996
client_config.read(os.path.join(server_settings["configdir"],
1892
997
"clients.conf"))
1893
998
1894
global mandos_dbus_service
1895
mandos_dbus_service = None
1896
1897
tcp_server = MandosServer((server_settings["address"],
1898
server_settings["port"]),
1899
ClientHandler,
1900
interface=(server_settings["interface"]
1901
or None),
1902
use_ipv6=use_ipv6,
1903
gnutls_priority=
1904
server_settings["priority"],
1905
use_dbus=use_dbus)
1906
if not debug:
1907
pidfilename = "/var/run/mandos.pid"
1908
try:
1909
pidfile = open(pidfilename, "w")
1910
except IOError:
1911
logger.error("Could not open file %r", pidfilename)
999
clients = Set()
1000
tcp_server = IPv6_TCPServer((server_settings["address"],
1001
server_settings["port"]),
1002
TCP_handler,
1003
settings=server_settings,
1004
clients=clients)
1005
pidfilename = "/var/run/mandos.pid"
1006
try:
1007
pidfile = open(pidfilename, "w")
1008
except IOError, error:
1009
logger.error("Could not open file %r", pidfilename)
1912
1010
1913
1011
try:
1914
1012
uid = pwd.getpwnam("_mandos").pw_uid
1920
1018
except KeyError:
1921
1019
try:
1922
1020
uid = pwd.getpwnam("nobody").pw_uid
1923
gid = pwd.getpwnam("nobody").pw_gid
1021
gid = pwd.getpwnam("nogroup").pw_gid
1924
1022
except KeyError:
1925
1023
uid = 65534
1926
1024
gid = 65534
1927
1025
try:
1928
1026
os.setgid(gid)
1929
1027
os.setuid(uid)
1930
except OSError as error:
1028
except OSError, error:
1931
1029
if error[0] != errno.EPERM:
1932
1030
raise error
1933
1031
1934
if not debug and not debuglevel:
1935
syslogger.setLevel(logging.WARNING)
1936
console.setLevel(logging.WARNING)
1937
if debuglevel:
1938
level = getattr(logging, debuglevel.upper())
1939
syslogger.setLevel(level)
1940
console.setLevel(level)
1941
1032
# Enable all possible GnuTLS debugging
1942
1033
if debug:
1943
# Enable all possible GnuTLS debugging
1944
1945
1034
# "Use a log level over 10 to enable all debugging options."
1946
1035
# - GnuTLS manual
1947
1036
gnutls.library.functions.gnutls_global_set_log_level(11)
1952
1041
1953
1042
(gnutls.library.functions
1954
1043
.gnutls_global_set_log_function(debug_gnutls))
1955
1956
# Redirect stdin so all checkers get /dev/null
1957
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1958
os.dup2(null, sys.stdin.fileno())
1959
if null > 2:
1960
os.close(null)
1961
else:
1962
# No console logging
1963
logger.removeHandler(console)
1964
1044
1965
# Need to fork before connecting to D-Bus
1966
if not debug:
1967
# Close all input and output, do double fork, etc.
1968
daemon()
1045
global service
1046
service = AvahiService(name = server_settings["servicename"],
1047
servicetype = "_mandos._tcp", )
1048
if server_settings["interface"]:
1049
service.interface = (if_nametoindex
1050
(server_settings["interface"]))
1969
1051
1970
1052
global main_loop
1053
global bus
1054
global server
1971
1055
# From the Avahi example code
1972
1056
DBusGMainLoop(set_as_default=True )
1973
1057
main_loop = gobject.MainLoop()
1974
1058
bus = dbus.SystemBus()
1059
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1060
avahi.DBUS_PATH_SERVER),
1061
avahi.DBUS_INTERFACE_SERVER)
1975
1062
# End of Avahi example code
1976
1063
if use_dbus:
1977
try:
1978
bus_name = dbus.service.BusName("se.recompile.Mandos",
1979
bus, do_not_queue=True)
1980
old_bus_name = dbus.service.BusName("se.bsnet.fukt.Mandos",
1981
bus, do_not_queue=True)
1982
except dbus.exceptions.NameExistsException as e:
1983
logger.error(unicode(e) + ", disabling D-Bus")
1984
use_dbus = False
1985
server_settings["use_dbus"] = False
1986
tcp_server.use_dbus = False
1987
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1988
service = AvahiService(name = server_settings["servicename"],
1989
servicetype = "_mandos._tcp",
1990
protocol = protocol, bus = bus)
1991
if server_settings["interface"]:
1992
service.interface = (if_nametoindex
1993
(str(server_settings["interface"])))
1994
1995
global multiprocessing_manager
1996
multiprocessing_manager = multiprocessing.Manager()
1997
1998
client_class = Client
1999
if use_dbus:
2000
client_class = functools.partial(ClientDBusTransitional, bus = bus)
2001
def client_config_items(config, section):
2002
special_settings = {
2003
"approved_by_default":
2004
lambda: config.getboolean(section,
2005
"approved_by_default"),
2006
}
2007
for name, value in config.items(section):
2008
try:
2009
yield (name, special_settings[name]())
2010
except KeyError:
2011
yield (name, value)
2012
2013
tcp_server.clients.update(set(
2014
client_class(name = section,
2015
config= dict(client_config_items(
2016
client_config, section)))
2017
for section in client_config.sections()))
2018
if not tcp_server.clients:
2019
logger.warning("No clients defined")
1064
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1065
1066
clients.update(Set(Client(name = section,
1067
config
1068
= dict(client_config.items(section)),
1069
use_dbus = use_dbus)
1070
for section in client_config.sections()))
1071
if not clients:
1072
logger.warning(u"No clients defined")
1073
1074
if debug:
1075
# Redirect stdin so all checkers get /dev/null
1076
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1077
os.dup2(null, sys.stdin.fileno())
1078
if null > 2:
1079
os.close(null)
1080
else:
1081
# No console logging
1082
logger.removeHandler(console)
1083
# Close all input and output, do double fork, etc.
1084
daemon()
1085
1086
try:
1087
pid = os.getpid()
1088
pidfile.write(str(pid) + "\n")
1089
pidfile.close()
1090
del pidfile
1091
except IOError:
1092
logger.error(u"Could not write to file %r with PID %d",
1093
pidfilename, pid)
1094
except NameError:
1095
# "pidfile" was never created
1096
pass
1097
del pidfilename
1098
1099
def cleanup():
1100
"Cleanup function; run on exit"
1101
global group
1102
# From the Avahi example code
1103
if not group is None:
1104
group.Free()
1105
group = None
1106
# End of Avahi example code
2020
1107
1108
while clients:
1109
client = clients.pop()
1110
client.disable_hook = None
1111
client.disable()
1112
1113
atexit.register(cleanup)
1114
2021
1115
if not debug:
2022
try:
2023
with pidfile:
2024
pid = os.getpid()
2025
pidfile.write(str(pid) + "\n".encode("utf-8"))
2026
del pidfile
2027
except IOError:
2028
logger.error("Could not write to file %r with PID %d",
2029
pidfilename, pid)
2030
except NameError:
2031
# "pidfile" was never created
2032
pass
2033
del pidfilename
2034
2035
1116
signal.signal(signal.SIGINT, signal.SIG_IGN)
2036
2037
1117
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2038
1118
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2039
1119
2040
1120
if use_dbus:
2041
class MandosDBusService(dbus.service.Object):
1121
class MandosServer(dbus.service.Object):
2042
1122
"""A D-Bus proxy object"""
2043
1123
def __init__(self):
2044
1124
dbus.service.Object.__init__(self, bus, "/")
2045
_interface = "se.recompile.Mandos"
2046
2047
@dbus.service.signal(_interface, signature="o")
2048
def ClientAdded(self, objpath):
2049
"D-Bus signal"
2050
pass
2051
2052
@dbus.service.signal(_interface, signature="ss")
2053
def ClientNotFound(self, fingerprint, address):
1125
_interface = u"se.bsnet.fukt.Mandos"
1126
1127
@dbus.service.signal(_interface, signature="oa{sv}")
1128
def ClientAdded(self, objpath, properties):
2054
1129
"D-Bus signal"
2055
1130
pass
2056
1131
2062
1137
@dbus.service.method(_interface, out_signature="ao")
2063
1138
def GetAllClients(self):
2064
1139
"D-Bus method"
2065
return dbus.Array(c.dbus_object_path
2066
for c in tcp_server.clients)
1140
return dbus.Array(c.dbus_object_path for c in clients)
2067
1141
2068
@dbus.service.method(_interface,
2069
out_signature="a{oa{sv}}")
1142
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
2070
1143
def GetAllClientsWithProperties(self):
2071
1144
"D-Bus method"
2072
1145
return dbus.Dictionary(
2073
((c.dbus_object_path, c.GetAll(""))
2074
for c in tcp_server.clients),
1146
((c.dbus_object_path, c.GetAllProperties())
1147
for c in clients),
2075
1148
signature="oa{sv}")
2076
1149
2077
1150
@dbus.service.method(_interface, in_signature="o")
2078
1151
def RemoveClient(self, object_path):
2079
1152
"D-Bus method"
2080
for c in tcp_server.clients:
1153
for c in clients:
2081
1154
if c.dbus_object_path == object_path:
2082
tcp_server.clients.remove(c)
2083
c.remove_from_connection()
1155
clients.remove(c)
2084
1156
# Don't signal anything except ClientRemoved
2085
c.disable(quiet=True)
1157
c.use_dbus = False
1158
c.disable()
2086
1159
# Emit D-Bus signal
2087
1160
self.ClientRemoved(object_path, c.name)
2088
1161
return
2089
raise KeyError(object_path)
1162
raise KeyError
2090
1163
2091
1164
del _interface
2092
1165
2093
class MandosDBusServiceTransitional(MandosDBusService):
2094
__metaclass__ = AlternateDBusNamesMetaclass
2095
mandos_dbus_service = MandosDBusServiceTransitional()
2096
2097
def cleanup():
2098
"Cleanup function; run on exit"
2099
service.cleanup()
2100
2101
while tcp_server.clients:
2102
client = tcp_server.clients.pop()
2103
if use_dbus:
2104
client.remove_from_connection()
2105
client.disable_hook = None
2106
# Don't signal anything except ClientRemoved
2107
client.disable(quiet=True)
2108
if use_dbus:
2109
# Emit D-Bus signal
2110
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2111
client.name)
2112
2113
atexit.register(cleanup)
2114
2115
for client in tcp_server.clients:
1166
mandos_server = MandosServer()
1167
1168
for client in clients:
2116
1169
if use_dbus:
2117
1170
# Emit D-Bus signal
2118
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1171
mandos_server.ClientAdded(client.dbus_object_path,
1172
client.GetAllProperties())
2119
1173
client.enable()
2120
1174
2121
1175
tcp_server.enable()
2123
1177
2124
1178
# Find out what port we got
2125
1179
service.port = tcp_server.socket.getsockname()[1]
2126
if use_ipv6:
2127
logger.info("Now listening on address %r, port %d,"
2128
" flowinfo %d, scope_id %d"
2129
% tcp_server.socket.getsockname())
2130
else: # IPv4
2131
logger.info("Now listening on address %r, port %d"
2132
% tcp_server.socket.getsockname())
1180
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1181
u" scope_id %d" % tcp_server.socket.getsockname())
2133
1182
2134
1183
#service.interface = tcp_server.socket.getsockname()[3]
2135
1184
2136
1185
try:
2137
1186
# From the Avahi example code
1187
server.connect_to_signal("StateChanged", server_state_changed)
2138
1188
try:
2139
service.activate()
2140
except dbus.exceptions.DBusException as error:
2141
logger.critical("DBusException: %s", error)
2142
cleanup()
1189
server_state_changed(server.GetState())
1190
except dbus.exceptions.DBusException, error:
1191
logger.critical(u"DBusException: %s", error)
2143
1192
sys.exit(1)
2144
1193
# End of Avahi example code
2145
1194
2148
1197
(tcp_server.handle_request
2149
1198
(*args[2:], **kwargs) or True))
2150
1199
2151
logger.debug("Starting main loop")
1200
logger.debug(u"Starting main loop")
2152
1201
main_loop.run()
2153
except AvahiError as error:
2154
logger.critical("AvahiError: %s", error)
2155
cleanup()
1202
except AvahiError, error:
1203
logger.critical(u"AvahiError: %s", error)
2156
1204
sys.exit(1)
2157
1205
except KeyboardInterrupt:
2158
1206
if debug:
2159
print("", file=sys.stderr)
2160
logger.debug("Server received KeyboardInterrupt")
2161
logger.debug("Server exiting")
2162
# Must run before the D-Bus bus name gets deregistered
2163
cleanup()
2164
1207
print
2165
1208
2166
1209
if __name__ == '__main__':
2167
1210
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0